Solving Systems of Quadratic Equations I General HFE

Solving Systems of Quadratic Equations
I) General HFE Systems
II) The Affine Multiple Attack
Magnus Daum / Patrick Felke
Solving Systems of Quadratic Equations, Part I

Overview of Part I
1) Review of HFE Systems: parameters, hidden polynomial
2) Solving by Using Buchberger Algorithm
   - special properties of HFE systems
   - simulations: HFE systems, systems of arbitrary quadratic equations
3) Number of solutions of HFE-Systems
   - HFE polynomials, general polynomials
12/12/2021 Solving Systems of Quadratic Equations, Part I

Review of HFE Systems

Review: Parameters of an HFE System
• n – number of polynomials and variables, blocklength, field extension degree
• q – cardinality of the smaller finite field (fields: Fq and Fq^n)
• d – degree of the hidden polynomial
[slide label: public parameters]

Review: Example
[Slide figure not recoverable; surviving labels: "+ secret affine transformations", "public key"]

Review: Example - Decryption
Ciphertext: 0011

Review: Example - Decryption
Ciphertext: 0011
Plaintext:
• with secret key: transform back to univariate polynomial of low degree
? ? ?
• without secret key: solve system directly OR find transformation to univariate polynomial of low degree

Review: Hidden Polynomial
• transformation from univariate HFE-polynomial f to HFE-System is always possible (construction of the public key)
• transformation from system of quadratic equations to a univariate polynomial representing this system is always possible
but: expected degree d= q 2(n-1), finding zeros is not feasible

Review: Example - Decryption
Ciphertext: 0011
Plaintext:
• with secret key: transform back to univariate polynomial of low degree
? ? ?
• without secret key: try to solve system directly OR try to find transformation to univariate polynomial of low degree

Solving HFE Systems Using Buchberger Algorithm

General Approach: Example
[Slide figures not recoverable; surviving labels: "+1 0 0", "Buchberger algorithm"]

General Approach: Problems
• degree of output polynomials may get very big
• Buchberger algorithm has exponential worst case complexity
• compute all solutions in algebraic closure
in general only feasible for up to 10 variables
• …

HFE Systems are Special
• defined over a very small finite field
• include only quadratic polynomials
• need only solutions in the base field Fq
• hidden polynomial of low degree

Solutions in the Base Field
solutions we are looking for fulfil
Proposition:

Solutions in the Base Field: Example
Buchberger algorithm
Advantages:
• we compute only information we need
• degree of polynomials involved in this computation is bounded

Hidden Polynomial
• Patarin / Courtois: if hidden polynomial is of low degree or special form there are many relations between the polynomials in the HFE system
• one main idea of Buchberger algorithm is to make use of such relations in a sophisticated way

HFE Systems are Special
• defined over a very small finite field
• include only quadratic polynomials
• need only solutions in the base field Fq
• hidden polynomial

Simulations
• 96000 simulations
• parameters:
• HFE systems and random quadratic systems
• in each simulation:
  – generate system of quadratic equations (HFE or random)
  – add polynomials
  – solve by using Buchberger algorithm (with FGLM)

Simulations: Dependency on n
[Plots: log(time) against n; series labels: random, q=3 d=12, q=2 d=20, q=3 d=30, q=3 d=90, q=2 d=128]
• exponential time complexity
• not feasible for n greater than about 30-40

Simulations: Dependency on d
time depends on rather than on d

Simulations: Dependency on log_q d
[Plot not recoverable; surviving label: random]
if d is not too small (approx. ) HFE systems behave like systems of random quadratic equations (at least concerning Buchberger algorithm)

Conclusion of this Section
• Buchberger algorithm is not feasible for solving HFE systems of usual parameters (small q, , )
but: if d is very small, computation is much faster
• HFE systems with usual parameters seem to be very similar to systems of random quadratic equations

Number of Solutions of HFE Systems

Distribution of Numbers of Solutions

k                                     0       1       2       3       4       >4
number of systems with k solutions    27710   28012   13852   4565    1210    250
share                                 0,3665  0,3705  0,1832  0,0604  0,0160  0,0033

• very similar to Poisson distribution:

k           0       1       2       3       4
(k!e)^-1    0,3679  0,3679  0,1839  0,0613  0,0153

Hints Supporting this Assumption
system’s number of solutions = hidden polynomial’s number of zeros
• numbers of zeros of general polynomials are distributed according to the Poisson distribution
• arithmetic mean and variance of the distribution of the numbers of zeros of HFE polynomials of bounded degree is very similar to that of a Poisson distribution
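
Added example (not from the slides): a brute-force check of the Poisson comparison above for random quadratic systems over F_2, counting solutions by exhaustive evaluation rather than with the Buchberger algorithm. The values n = 8, 2000 trials and the seed are assumptions chosen so that it runs in about a second.

```python
import math
import random
from collections import Counter
from itertools import combinations


def monomial_masks(n):
    """For each x in F_2^n: bitmask of the monomials 1, x_i, x_i*x_j (i<j) equal to 1 at x."""
    pairs = list(combinations(range(n), 2))
    masks = []
    for x in range(1 << n):
        bits = [(x >> i) & 1 for i in range(n)]
        m = 1                                        # constant monomial, bit 0
        for i, b in enumerate(bits):
            m |= b << (1 + i)                        # linear monomials
        for k, (i, j) in enumerate(pairs):
            m |= (bits[i] & bits[j]) << (1 + n + k)  # quadratic monomials
        masks.append(m)
    return masks, 1 + n + len(pairs)


def count_solutions(system, masks):
    """Brute-force count of x with f(x) = 0 for all f; each f is a coefficient bitmask."""
    return sum(all(bin(f & m).count("1") % 2 == 0 for f in system) for m in masks)


def solution_shares(n, trials, seed=1):
    """Share of random systems (n quadratic equations, n variables) having k solutions."""
    rng = random.Random(seed)
    masks, n_mono = monomial_masks(n)
    hist = Counter()
    for _ in range(trials):
        system = [rng.getrandbits(n_mono) for _ in range(n)]
        hist[count_solutions(system, masks)] += 1
    return {k: hist[k] / trials for k in sorted(hist)}


def poisson1(k):
    """Poisson probability with mean 1: (k! e)^-1, the comparison row on the slide."""
    return 1.0 / (math.factorial(k) * math.e)


if __name__ == "__main__":
    shares = solution_shares(n=8, trials=2000)       # n, trials, seed: assumed values
    for k in range(5):
        print(k, round(shares.get(k, 0.0), 4), round(poisson1(k), 4))
```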

Applications to HFE
• gives another hint that we may consider HFE systems as systems of arbitrary quadratic equations
• allows us to estimate the probabilities that encryption or signing will fail and to compute the amount of redundancy needed
