Security and Communication Networks

Volume 2017, Article ID 9289410, 6 pages

https://doi.org/10.1155/2017/9289410

## Building Secure Public Key Encryption Scheme from Hidden Field Equations

^{1}School of Information Engineering, Xuchang University, Xuchang 461000, China
^{2}Guizhou Provincial Key Laboratory of Public Big Data, Guiyang 550025, China
^{3}State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an 710071, China

Correspondence should be addressed to Baocang Wang; bcwang79@aliyun.com

Received 4 April 2017; Accepted 5 June 2017; Published 10 July 2017

Academic Editor: Dengpan Ye

Copyright © 2017 Yuan Ping et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Multivariate public key cryptography is a set of cryptographic schemes built from the NP-hardness of solving quadratic equations over finite fields, amongst which the hidden field equations (HFE) family of schemes remain the most famous. However, the original HFE scheme was insecure, and the follow-up modifications were shown to be still vulnerable to attacks. In this paper, we propose a new variant of the HFE scheme by considering the special equation defined over the finite field when . We observe that the equation can be used to further destroy the special structure of the underlying central map of the HFE scheme. It is shown that the proposed public key encryption scheme is secure against known attacks including the MinRank attack, the algebraic attacks, and the linearization equations attacks. The proposal gains some advantages over the original HFE scheme with respect to the encryption speed and public key size.

#### 1. Introduction

Public key cryptography [1] built from the NP-hardness of solving multivariate quadratic equations over finite fields [2, 3] was conceived as a plausible alternative to traditional factorization- and discrete-logarithm-based public key cryptosystems, owing to its high performance and its resistance to quantum attacks [4]. The hidden field equations (HFE) scheme [5] may be the most famous cryptosystem amongst all multivariate public key cryptographic schemes. The HFE scheme first defines a univariate map over an extension field :where the degree bound chosen cannot be very large, so that the user can use the Berlekamp algorithm [6] to efficiently compute the roots of . Then two invertible affine transformations are applied to hide the special structure of the central map [2, 5]. However, the central map can be represented by a low-rank matrix [7], which makes it vulnerable to MinRank attacks [7–9]. So some modifications are needed to repair the basic HFE scheme [10–14]. However, all known modification methods can only impose a partial nonlinear transformation on the special structure of the HFE central map, and hence they are still vulnerable to some attacks [15–17].

We consider the HFE scheme over finite fields with characteristic 3. We impose some restrictions on the plaintext space and use the restriction to merge the coefficients of the linear part and the square part. By doing this, we can impose a fully nonlinear transformation on the central map of the HFE encryption scheme. Performance analysis shows that the modification saves bits of public key storage and reduces the encryption cost by about bit operations. It is shown that the modification can defend against the known attacks, including the MinRank attack, the linearization equations attack, and the direct algebraic attacks.

#### 2. Proposal

##### 2.1. Notations

Let be a -order finite field with being a prime power. Let be an irreducible polynomial with degree over ; then forms a degree- extension field. The construction admits a standard isomorphism between the extension field and the vector space ; namely, for an element , we have . We denote the inverse of map as . Note that the Frobenius maps for defined over are -linear; namely, when expressed in the base field , will be -dimensional linear functions over .

##### 2.2. Description

The encryption scheme consists of three subalgorithms: key generation, encryption, and decryption.

*Key Generation*. The system parameters consist of an irreducible polynomial with degree over , the extension field , and the isomorphism between and . First, we define an HFE map as in (1) and randomly choose two invertible affine transformations and . Then we compute their inverses and and the -variable quadratic polynomials . For , we set where all the coefficients are in for . Then we merge the coefficients of the square and linear terms of , that is, for , and get the public key of the modified HFE scheme, namely, the quadratic polynomials , where, for , The secret key consists of , , and .

*Encryption*. The plaintext space is . For a plaintext , we just compute as the ciphertext.

*Decryption*. Given a ciphertext , we compute and , and we use the Berlekamp algorithm [6] to compute all the preimages such that ; for each , we compute . Finally, we compute . If , then we output as the plaintext. If we fail to derive a vector in from all the preimages , we output the symbol designating an invalid ciphertext.

*Why Decryption Works*. We just observe that , so . Hence, for , So . The modified HFE decryption recovers the plaintext by peeling off the composition one by one from the leftmost side.

*Remarks*. The original HFE scheme [5] works on any field and its extension . In fact, the quadratic polynomial map is exactly the public key of the original HFE scheme, and the secret key of the original scheme also consists of , , and . The encryption of the original HFE scheme is just to compute , where the plaintext is in but not necessarily in . The decryption algorithm of the modified HFE scheme is exactly the original HFE decryption.

##### 2.3. Performance and Comparisons

To compare the proposed HFE modification with the original HFE scheme on a uniform platform, we consider the HFE scheme defined over and its extension field . It is easily seen that the modified and the original HFE schemes share a common secret key and decryption algorithm, so both schemes have the same secret key size and decryption cost. In the modified scheme, the public key is , and hence we need not store the coefficients of the square terms of the public key . So the proposed scheme reduces the public key size by bits. During encryption, the proposed modified HFE scheme does not need to perform the square computations, so the proposed encryption reduces the computational cost by bit operations.
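The key generation, encryption, and decryption of Section 2.2, together with the coefficient saving of Section 2.3, as an added toy implementation (this is not code from the paper or its authors). It assumes n = 3 with F_27 = F_3[x]/(x^3 - x + 1), a plaintext space of {0,1}^n (the reading under which x_i^2 = x_i, as used in Section 3.3), brute-force root finding in place of Berlekamp's algorithm, and a retry in key generation that is only needed because the field is tiny. The public polynomials are recovered by interpolating the composed map at 0, e_i, 2e_i and e_i + e_j, which is exact because the composition is quadratic over F_3.

```python
# Added toy implementation of the modified HFE scheme; not the paper's or its authors' code.
# Assumptions: n = 3, F_27 = F_3[x]/(x^3 - x + 1), plaintext space {0,1}^n (so x_i^2 = x_i),
# brute-force root finding in place of Berlekamp, and a keygen retry loop (see keygen).
import itertools, random

Q, N = 3, 3                    # base field F_3 and extension degree n (toy size)
IRRED = [1, 2, 0, 1]           # x^3 + 2x + 1 = x^3 - x + 1 over F_3, coefficients low degree first
PLAINTEXTS = [list(m) for m in itertools.product((0, 1), repeat=N)]   # the restricted plaintext space

# arithmetic in F_{3^n}: an element is its coefficient vector, so the isomorphism phi is the identity
def fadd(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def fmul(a, b):
    prod = [0] * (2 * N - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b): prod[i + j] += x * y
    for k in range(2 * N - 2, N - 1, -1):          # x^k (k >= n) = x^(k-n) * x^n, x^n = -(lower terms)
        for t in range(N): prod[k - N + t] -= prod[k] * IRRED[t]
    return [v % Q for v in prod[:N]]
def fpow(a, e):
    r = [1] + [0] * (N - 1)
    for _ in range(e): r = fmul(r, a)               # exponents here are at most 6
    return r
def central_map(X, F):
    """HFE central map F(X) = sum a_ij X^(3^i+3^j) + sum b_i X^(3^i) + c, exponents kept small."""
    quad, lin, const = F
    acc = list(const)
    for (i, j), a in quad.items(): acc = fadd(acc, fmul(a, fpow(X, Q ** i + Q ** j)))
    for i, b in lin.items():       acc = fadd(acc, fmul(b, fpow(X, Q ** i)))
    return acc
# invertible affine maps S, T on F_3^n, stored as (matrix M, vector v) meaning x -> Mx + v
def mat_vec(M, x): return [sum(M[i][j] * x[j] for j in range(N)) % Q for i in range(N)]
def mat_inv(M):
    """Gauss-Jordan inverse mod 3, or None if M is singular."""
    A = [row[:] + [int(i == j) for j in range(N)] for i, row in enumerate(M)]
    for col in range(N):
        piv = next((r for r in range(col, N) if A[r][col]), None)
        if piv is None: return None
        A[col], A[piv] = A[piv], A[col]
        A[col] = [(v * pow(A[col][col], -1, Q)) % Q for v in A[col]]
        for r in range(N):
            f = A[r][col]
            if r != col and f: A[r] = [(A[r][k] - f * A[col][k]) % Q for k in range(2 * N)]
    return [row[N:] for row in A]
def invertible(rng):
    while True:
        M = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        if mat_inv(M) is not None: return M
def affine(x, M, v): return fadd(mat_vec(M, x), v)
def affine_inv(y, M, v): return mat_vec(mat_inv(M), [(a - b) % Q for a, b in zip(y, v)])
# public polynomials: {'c': constant, 'lin': [b_i], 'quad': {(i, j): a_ij for i <= j}}
def eval_poly(p, x):
    v = p['c'] + sum(b * x[i] for i, b in enumerate(p['lin']))
    return (v + sum(a * x[i] * x[j] for (i, j), a in p['quad'].items())) % Q
def eval_pk(pk, x): return [eval_poly(p, x) for p in pk]
def interpolate_quadratic(evaluate):
    """Recover the n quadratic polynomials of a map F_3^n -> F_3^n from values at 0, e_i, 2e_i, e_i+e_j."""
    e = lambda *idx: [sum(t == k for t in idx) % Q for k in range(N)]
    p0, polys = evaluate(e()), []
    for k in range(N):
        lin, quad = [0] * N, {}
        for i in range(N):
            p1, p2 = evaluate(e(i))[k], evaluate(e(i, i))[k]
            lin[i] = (p2 - p1) % Q                     # b_i  = p(2e_i) - p(e_i), since 4 = 1 mod 3
            quad[(i, i)] = (p1 - p0[k] - lin[i]) % Q   # a_ii = p(e_i) - p(0) - b_i
            for j in range(i + 1, N):                  # a_ij = p(e_i+e_j) - p(e_i) - p(e_j) + p(0)
                quad[(i, j)] = (evaluate(e(i, j))[k] - p1 - evaluate(e(j))[k] + p0[k]) % Q
        polys.append({'c': p0[k], 'lin': lin, 'quad': quad})
    return polys
def merge_squares(pk):
    """The paper's modification: on {0,1}^n, x_i^2 = x_i, so each a_ii is folded into b_i and dropped."""
    return [{'c': p['c'], 'lin': [(b + p['quad'][(i, i)]) % Q for i, b in enumerate(p['lin'])],
             'quad': {ij: a for ij, a in p['quad'].items() if ij[0] != ij[1]}} for p in pk]
def coefficient_count(pk): return sum(1 + len(p['lin']) + len(p['quad']) for p in pk)
# the scheme: the public map is T o phi o F o phi^-1 o S, evaluated point by point
def public_map(sk, x):
    F, S, T = sk
    return affine(central_map(affine(x, *S), F), *T)
def keygen(rng):
    """Return (merged public key, unmerged HFE public key, secret key). Retries until encryption is injective
    on {0,1}^n: with only 27 field elements two of the 8 plaintexts often collide under F (toy-size artefact)."""
    elt = lambda: [rng.randrange(Q) for _ in range(N)]
    while True:
        F = ({(0, 0): elt(), (0, 1): elt(), (1, 1): elt()}, {0: elt(), 1: elt()}, elt())  # X^2,X^4,X^6; X,X^3; c
        sk = (F, (invertible(rng), elt()), (invertible(rng), elt()))
        full_pk = interpolate_quadratic(lambda x: public_map(sk, x))
        cts = [tuple(eval_pk(full_pk, m)) for m in PLAINTEXTS]
        if len(set(cts)) == len(cts): return merge_squares(full_pk), full_pk, sk
def encrypt(pk, m): return eval_pk(pk, m)              # m must lie in {0,1}^n
def decrypt(sk, c):
    F, S, T = sk
    Y = affine_inv(c, *T)
    # the paper uses Berlekamp's algorithm for the roots of F(X) = Y; with 27 elements we simply enumerate
    roots = [list(X) for X in itertools.product(range(Q), repeat=N) if central_map(list(X), F) == Y]
    cands = [x for x in (affine_inv(X, *S) for X in roots) if all(b in (0, 1) for b in x)]
    return cands[0] if len(cands) == 1 else None   # None stands for the invalid-ciphertext symbol
def run_demo(seed=2017):
    """Generate a key and check round trip, agreement of merged and plain keys on {0,1}^n, and the saving."""
    pk, full_pk, sk = keygen(random.Random(seed))
    every = [list(x) for x in itertools.product(range(Q), repeat=N)]
    return {'roundtrip': all(decrypt(sk, encrypt(pk, m)) == m for m in PLAINTEXTS),
            'agree_on_plaintexts': all(eval_pk(pk, m) == eval_pk(full_pk, m) for m in PLAINTEXTS),
            'interpolation_exact': all(eval_pk(full_pk, x) == public_map(sk, x) for x in every),
            'saved_coefficients': coefficient_count(full_pk) - coefficient_count(pk)}
```

Calling `run_demo()` generates a key pair, encrypts every plaintext in {0,1}^3 with the merged public key, and decrypts with the shared HFE secret key; `saved_coefficients` is n per polynomial, n^2 in total, which is the square-term storage the modified scheme no longer keeps. The decryption deliberately returns `None` when zero or more than one root maps into {0,1}^n, matching the invalid-ciphertext symbol of Section 2.2.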

#### 3. Security

We analyze the security of the proposed HFE modified encryption scheme. We first review the basic idea of known attacks and then illustrate why the proposal is secure against these attacks.

##### 3.1. Linearization Equations Attack

*Basic Idea*. The linearization equations attack [18] was found by Patarin against the Matsumoto-Imai scheme [19]. In the Matsumoto-Imai scheme, a permutation over with characteristic 2 is defined such that , and two invertible affine transformations and are then used to disguise the central map as a quadratic map over , namely, The basic idea of the attack is as follows. Note that implies . By setting we can express as bilinear equations in the input and output of the function : where and . Given a ciphertext , we want to recover the corresponding plaintext . Note that (, resp.) is an affine transformation (, resp.) of the input (output, resp.) of the function . So and satisfy the following equations derived from the bilinear equations, namely, where and all the coefficients are in . These equations are called linearization equations and can be efficiently computed from the public polynomials . It was shown that the linearization equations have rank at least [20]. So, given a ciphertext , we only need to solve the linearization equations to obtain the corresponding plaintext .

*Why the Proposal Is Secure against the Linearization Equations Attack*. We first note that the HFE scheme [5] was proposed by Patarin to thwart the linearization equations attack, and no evidence has been reported of the existence of linearization equations in the HFE scheme. So the HFE scheme is secure against the linearization equations attack. As far as the proposed HFE modification is concerned, we just note that, for any plaintext , is a valid ciphertext for both the original HFE scheme and the proposed modified HFE scheme. Therefore, we cannot hope to derive linearization equations from the modified HFE scheme.

##### 3.2. MinRank Attacks

*Basic Idea*. Without loss of generality, we assume that the two invertible affine transformations and are linear [21] and define the terms of in in (1). We can then look at as a quadratic form in and associate with a symmetric -dimensional square matrix such that The symmetric matrix is of low rank, and it is this special structure of the symmetric matrix that makes the original HFE scheme insecure. Recall that , and denote the largest integer smaller than or equal to by ; then all the elements of the last columns (rows, resp.) of are zero. So the rank of the symmetric matrix is at most . Loosely speaking, when we apply two linear transformations to the input and output of the map , the rank of the corresponding matrix remains at most . We define the quadratic part of as , namely, for , Note that can be expressed as homogeneous quadratic polynomials over the base field ; then applying two linear transformations to the input and output of will also give homogeneous quadratic polynomials over the base field . That is to say Or, equivalently, The above equation says that we can lift the quadratic part of the public key to the extension field under some unknown linear transformations to derive and hence . Kipnis and Shamir noted [7] that, by lifting the quadratic part of the public key of the HFE scheme to the extension field , they can find a collection of matrices. The matrix is then determined by finding a linear combination of these matrices such that has minimum rank (at most ). Thus, by solving the MinRank problem, we can determine the matrix and the coefficients of the linear transformation . Though the MinRank problem is proven to be NP-complete [22, 23], the reduction to the MinRank problem does pose a serious threat to the security of the HFE scheme [7, 8].

*Why the Proposal Is Secure against the MinRank Attack*. To illustrate why the proposed modification of the HFE scheme is secure against the MinRank attack [7, 8], we just need to show that, when lifted to the extension field , the quadratic part of the public key is not connected with a low-rank matrix. We set the quadratic part of the public key as with for . If we lift to the extension field and find that the corresponding matrix is not of low rank, we can claim that our proposal is secure against the MinRank attack [7, 8]. So we define Now we show that the corresponding matrix is not necessarily of low rank. We define with for , and It is obvious that . Thus we can easily verify that So we get . In this matrix equation, we only know that is of low rank (at most ). However, the rank of the matrix is unknown, and hence the rank of the matrix is not necessarily low. So the adversary cannot derive a low-rank matrix from the publicly known map . So the MinRank attack does not apply to cryptanalyzing the proposed HFE modification.

##### 3.3. Algebraic Attacks

*Basic Idea*. One straightforward way to attack multivariate public key cryptosystems is to directly solve the multivariate quadratic equations by using algorithms that compute the Gröbner basis of some ideal. Given the ciphertext , we want to solve for the plaintext from the quadratic equations: The algebraic or direct attacks can use Gröbner basis algorithms such as [24] and the XL algorithm [25] to solve for the generators of the ideal generated by . It is observed [26] that the field equations for are useful for simplifying the computations, so we can also add the field equations to the generators; namely, we solve for the Gröbner basis of the ideal

*Why the Proposal Is Secure against the Algebraic Attack*. In the proposed modified HFE encryption scheme, we impose some restrictions on the plaintext space. The plaintext space is but not . Thus we have some additional equations associated with the plaintext ; namely, for , we have . The plaintext block also satisfies the field equation . However, the field equations can be derived from the equations . So in the proposed modified encryption scheme, we need to find the Gröbner basis of the ideal To evaluate the difficulty of recovering the plaintext with Gröbner basis algorithms, we can use the degree of regularity of the quadratic equations [27] to estimate the computational cost. The computational cost is at least bit operations, according to the results given on page 219 of [2]. Under the suggested parameters and , the degree of regularity of the quadratic equations is . So the computational overhead is about bit operations. So, under the algebraic attacks, the proposed modified HFE encryption scheme attains a security level of 80 bits under the suggested parameters.

##### 3.4. Suggested Parameters

Considering the aforementioned discussions, we suggest choosing and . We can see from the security analysis that the proposed HFE modification encryption scheme can obtain a security level of 80 bits under the suggested parameters.

#### 4. Conclusions

In this paper, we proposed a novel modified HFE encryption scheme. The proposed HFE modification has the following features:

(i) *Universal padding scheme for multivariate public key encryptions*: the proposed HFE variant can merge the square and linear terms by imposing some restrictions on the plaintext space. The proposed method is a universal padding scheme and hence can be applied to other multivariate cryptographic constructions.

(ii) *Fully nonlinear transformation on the central map*: the proposed method can remove all the square terms from the public multivariate quadratic polynomials and thus imposes a nonlinear transformation on all the polynomials.

(iii) *Security against known attacks*: we illustrated that the proposed modified HFE encryption scheme is secure against known attacks, including the linearization equations attack, the MinRank attack, and the algebraic attacks.

(iv) *More efficient encryption and smaller public key size*: the proposed modified encryption scheme does not store the square terms in the public key and hence reduces the encryption cost by bit operations and saves bits of public key storage.

As a new multivariate public key encryption scheme, the security of the proposal needs further study. So we encourage readers to examine the security of the proposal.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was supported by National Natural Science Foundation of China (Grants nos. 61572390, 61303232, and 61540049), National Key Research and Development Program of China (no. 2017YFB0802002), Natural Science Foundation in Ningbo of China (no. 201601HJ-B01382), Program for Science & Technology Innovation Talents in Universities of Henan Province (no. 18HASTIT022), Foundation of Henan Educational Committee (Grants nos. 16A520025 and 18A520047), Foundation for University Key Teacher of Henan Province (no. 2016GGJS-141), Open Foundation of Key Laboratory of Cognitive Radio and Information Processing, Ministry of Education (Guilin University of Electronic Technology) (no. CRKL160202), and Outstanding Young Teacher Project of Xuchang University.

#### References

- [1] N. Koblitz and A. J. Menezes, “A survey of public-key cryptosystems,” *SIAM Review*, vol. 46, no. 4, pp. 599–634, 2004.
- [2] J. Ding, J. E. Gower, and D. S. Schmidt, *Multivariate Public Key Cryptosystems*, vol. 25 of *Advances in Information Security*, Springer, New York, NY, USA, 2006.
- [3] Y. Zou, W. Ma, Z. Ran, and S. Wang, “New multivariate hash function quadratic polynomials multiplying linear polynomials,” *IET Information Security*, vol. 7, no. 3, pp. 181–188, 2013.
- [4] P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” *SIAM Journal on Computing*, vol. 26, no. 5, pp. 1484–1509, 1997.
- [5] J. Patarin, “Hidden fields equations (HFE) and isomorphism of polynomials (IP): two new families of asymmetric algorithms,” in *Proceedings of Advances in Cryptology-Eurocrypt 1996*, vol. 1070, pp. 33–48, Springer-Verlag, Saragossa, Spain, 1996.
- [6] E. R. Berlekamp, “Factoring polynomials over finite fields,” *The Bell System Technical Journal*, vol. 46, pp. 1853–1859, 1967.
- [7] A. Kipnis and A. Shamir, “Cryptanalysis of the HFE public key cryptosystem by relinearization,” in *Proceedings of Advances in Cryptology-Crypto 1999*, vol. 1666, pp. 19–30, Springer, Santa Barbara, CA, USA, 1999.
- [8] J. C. Faugère and A. Joux, “Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases,” in *Proceedings of Advances in Cryptology-Crypto 2003*, vol. 2729, pp. 44–60, Springer-Verlag, Santa Barbara, CA, USA, 2003.
- [9] N. Courtois, “The security of Hidden Field Equations (HFE),” in *Proceedings of Topics in Cryptology-CT-RSA 2001*, vol. 2020, pp. 266–281, Springer-Verlag, San Francisco, CA, USA, 2001.
- [10] J. Patarin, N. Courtois, and L. Goubin, “QUARTZ, 128-bit long digital signatures,” in *Proceedings of Topics in Cryptology-CT-RSA 2001*, vol. 2020, pp. 282–297, Springer-Verlag, San Francisco, CA, USA, 2001.
- [11] O. Billet, J. Patarin, and Y. Seurin, “Analysis of intermediate field systems,” 2013, http://eprint.iacr.org/2009/542.
- [12] C. Chen, M. S. Chen, and J. Ding, “Odd-char multivariate hidden field equations,” 2013, http://eprint.iacr.org/2008/543.
- [13] J. Ding, D. Schmidt, and F. Werner, “Algebraic attack on HFE revisited,” in *Proceedings of the International Conference on Information Security-ISC 2008*, vol. 5222, pp. 215–227, Springer-Verlag, Taipei, China, 2008.
- [14] C. Wolf and B. Preneel, “Taxonomy of public key schemes based on the problem of multivariate quadratic equations,” 2013, https://eprint.iacr.org/2005/077.
- [15] N. T. Courtois, M. Daum, and P. Felke, “On the security of HFE, HFEv- and Quartz,” in *Proceedings of the International Conference on Practice and Theory in Public Key Cryptography-PKC 2003*, vol. 2567, pp. 337–350, Springer-Verlag, Miami, FL, USA, 2003.
- [16] L. Bettale, J. C. Faugère, and L. Perret, “Cryptanalysis of HFE, Multi-HFE and variants for odd and even characteristic,” *Designs, Codes and Cryptography*, vol. 69, no. 1, pp. 1–52, 2013.
- [17] L. Bettale, J.-C. Faugère, and L. Perret, “Cryptanalysis of multivariate and odd-characteristic HFE variants,” in *Proceedings of the International Conference on Practice and Theory in Public Key Cryptography-PKC 2011*, vol. 6571, pp. 441–458, Springer, Heidelberg, Germany, 2011.
- [18] J. Patarin, “Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt '88,” in *Advances in Cryptology-CRYPTO '95*, vol. 963, pp. 248–261, Springer, Santa Barbara, CA, USA, 1995.
- [19] T. Matsumoto and H. Imai, “Public quadratic polynomial-tuples for efficient signature-verification and message-encryption,” in *Advances in Cryptology-EUROCRYPT '88*, vol. 330, pp. 419–453, Springer, Davos, Switzerland, 1988.
- [20] A. Diene, J. Ding, J. E. Gower, T. J. Hodges, and Z. Yin, “Dimension of the linearization equations of the Matsumoto-Imai cryptosystems,” in *Proceedings of the International Workshop on Coding and Cryptography-WCC 2005*, vol. 3969, pp. 242–251, Springer-Verlag, Bergen, Norway, 2005.
- [21] L. Perret, “A fast cryptanalysis of the isomorphism of polynomials with one secret problem,” in *Proceedings of Advances in Cryptology-Eurocrypt 2005*, vol. 3494, pp. 354–370, Springer-Verlag, Aarhus, Denmark, 2005.
- [22] J. F. Buss, G. S. Frandsen, and J. O. Shallit, “The computational complexity of some problems of linear algebra (extended abstract),” in *Proceedings of the Symposium on Theoretical Aspects of Computer Science-STACS 1997*, vol. 1200, pp. 451–462, Springer-Verlag, Lübeck, Germany, 1997.
- [23] J.-C. Faugère, M. S. El Din, and P.-J. Spaenlehauer, “On the complexity of the generalized MinRank problem,” *Journal of Symbolic Computation*, vol. 55, no. 1, pp. 30–58, 2013.
- [24] J.-C. Faugère, “A new efficient algorithm for computing Gröbner bases without reduction to zero (F5),” in *Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation-ISSAC 2002*, pp. 75–83, ACM Press, New York, NY, USA, 2002.
- [25] N. Courtois, A. Klimov, J. Patarin et al., “Efficient algorithms for solving overdefined systems of multivariate polynomial equations,” in *Proceedings of Advances in Cryptology-Eurocrypt 2000*, vol. 1807, pp. 392–407, Springer-Verlag, Bruges, Belgium, 2000.
- [26] N. T. Courtois and J. Patarin, “About the XL algorithm over GF(2),” in *Proceedings of Topics in Cryptology-CT-RSA 2003*, vol. 2612, pp. 141–157, Springer-Verlag, San Francisco, CA, USA, 2003.
- [27] V. Dubois and N. Gama, “The degree of regularity of HFE systems,” in *Proceedings of Advances in Cryptology-Asiacrypt 2010*, vol. 6477, pp. 557–576, Springer-Verlag, Singapore, 2010.