1: \documentclass[12pt,a4paper,leqno]{amsart}
2: \usepackage{latexsym, amsfonts, amsthm, amsmath, color, amssymb,
3:                                 %bbold %for numbers as \mathbb{F}
4:   graphicx, epsfig, float}
5: \usepackage[mathscr]{euscript}
6: \newtheorem{teo}{Theorem}[section]
7: \newtheorem{rem}[teo]{Remark}
8: \usepackage[bookmarks,bookmarksopen,colorlinks]{hyperref}
9: %\usepackage{thumbpdf}  
10: %\usepackage{showkeys}
11: %\theoremstyle{plain}
12: % \newtheorem{Theorem}{Theorem}[section]
13: % \newtheorem{Definition}[Theorem]{Definition}
14: % \newtheorem{Proposition}[Theorem]{Proposition}
15: % \newtheorem{Lemma}[Theorem]{Lemma}
16: % \newtheorem{Corollary}[Theorem]{Corollary}
17: % \newtheorem{Remark}[Theorem]{Remark}
18: % \newtheorem{Example}[Theorem]{Example}
19: % \newtheorem{Hypothesis}[Theorem]{Hypothesis}
20:  \makeatletter
21:  \newif\ifmsbmloaded@
22: %\newtheorem{teo}{Theorem}[section]
23: \newtheorem{hyp}[teo]{Hypothesis}
24: \newtheorem{lem}[teo]{Lemma}
25: \newtheorem{prop}[teo]{Proposition}
26: \newtheorem{cor}[teo]{Corollary}
27: \newtheorem{defi}[teo]{Definition}
28: %\theoremstyle{definition}
29: %\newtheorem{rem}[teo]{Remark}
30: \newtheorem{esempi}[teo]{Examples}
31: 
32: % \@addtoreset{equation}{section}
33: % \def\theequation{\thesection.\arabic{equation}}
34: % \makeatother 
35: 
36: \input{scrload}
37: 
38: %     macro       \refer
39: %     sintassi    \refer{autori:}{titolo,}{rivista,}{vol}{(anno), pag.}
40: %
41: 
42: %\newcommand{\refer}[5]{{\sc #1}{\ #2}{\em\ #3}{\bf\ #4}{\ #5}}
43: 
44: %     macro       \refbook
45: %     sintassi    \refer{autori:}{titolo,}{editore,  (anno).}
46: 
47: 
48: \hyphenation{o-ver-view}
49: \newcommand{\refbook}[3]{{\sc #1}{\em\ #2}{\ #3}}
50: 
51: \title{Hidden Polynomial(s) Cryptosystems}
52: \author{Ilia Toli}
53: \address{Dipartimento di Matematica
54:   {\it Leonida Tonelli}\\ via F. Buonarroti 2,\newline 56127 Pisa\\
55:   Italy. {\tt toli@posso.dm.unipi.it} }
56: \date{}
57: \begin{document}
58: \keywords{Public key cryptography, hidden monomial
59: cryptosystems, hidden field equations, tame transformation
60: method, differential algebra, probabilistic encryption.}
61: \subjclass{Primary: 11T71; Secondary: 12H05}
62: \begin{abstract}We propose variations of the class of hidden monomial
63:   cryptosystems in order to make it resistant to all known attacks. 
64: We use identities built upon a single bivariate polynomial equation with
65:   coefficients in a finite field. Indeed, it can
66:   be replaced by a ``small'' ideal, as well. Throughout, we set up
67:   probabilistic encryption protocols, too. The same ideas
68:   extend to digital signature algorithms, as well. Our schemes work as
69:   well on differential fields of positive characteristic, and
70:   elsewhere.\end{abstract}     
71: \maketitle
72: \section{Introduction}
73: This paper focuses on Hidden Monomial Cryptosystems, a class of
74: public key cryptosystems first proposed by Imai and
75: Matsumoto \cite{imai1}.  In this class, the
76: public key is a set of polynomial nonlinear equations. The private key
77: is the set of parameters that the user chooses to construct the equations.
78: Before we discuss our variation, we review
79: briefly a simplified version of the original cryptosystem, better
80: described in \cite{koblitz}. 
81: The characters  met throughout this paper are:
82: \begin{itemize}
83: \item Alice who wants to receive secure messages;
84: \item Bob who wants to send her secure messages;
85: \item Eve, the eavesdropper. \end{itemize}
86: 
87: Alice takes two finite fields $\mathbb{F}_q<\mathbb{K}$, $q$ a power of
88: $2$, and $\beta_1, \beta_2, \ldots , \beta_n$ a basis of
89: $\mathbb{K}$ as an $\mathbb{F}_q$-vector space. Next she takes $0<h<q^n$
90: such that $h=q^{\theta}+1$, and $\gcd(h,q^n-1)=1$. Then she takes two
91: generic vectors ${\bf
92:   u}=(u_1,\ldots,u_n)$ and ${\bf v}=(v_1,\ldots,v_n)$ upon $\mathbb{F}_q$, and
93: puts\footnote{In this paper we reserve {\bf boldface}
94:    for the 
95:   elements of $\mathbb{K}$ thought of as vectors over $\mathbb{F}_q$ in
96:   the fixed private basis. They are considered vectors or field
97:   elements, as convenient, without further 
98:   notice. This shift in practice takes a Chinese Remainder Theorem. In
99:   order to avoid boring repetitions, {\it 
100:     Cryptosystem} and {\it Scheme} are used as synonyms.}: 
101: \begin{equation}{\bf   
102:   v=u}^{q^{\theta}} {\bf u}.\label{vuu}\end{equation} 
103: 
104:  The condition $\gcd(h,q^n-1)=1$ is equivalent to requiring that the map ${\bf
105:   u}\longmapsto~{\bf u}^h$ on $\mathbb{K}$ is  ${\it
106:   1\!\!\leftrightarrow\!\!1}$; 
107:   its inverse  
108:   is the map ${\bf u}\longmapsto {\bf u}^{h'},$ where $h'$ is the
109:   multiplicative inverse of $h$ modulo $q^n-1$.
110: 
111: In addition, Alice chooses two secret affine transformations, i.e.,
112: two invertible matrices $A=\{A_{ij}\}$ and $B=\{B_{ij}\}$ with entries
113: in $\mathbb{F}_q$, and two constant vectors ${\bf c}=(c_1,\ldots,c_n)$
114: and ${\bf d}=(d_1,\ldots,d_n)$.
115: 
116: Now she sets:
117: \begin{equation}{\bf u}=A{\bf x+c}\qquad \text{and} \qquad {\bf v}=B{\bf
118:     y+d}.\label{aff}\end{equation} 
119: 
120:  Recall that the operation of raising to the
121: $q^k$-th power in $\mathbb{K}$ is an $\mathbb{F}_q$-linear
122: transformation.
123: Let $P^{(k)}=\{p_{ij}^{(k)}\}$ be the matrix of this
124: linear transformation in the basis $\beta_1, \beta_2, \ldots ,\beta_n$, i.e.:
125: \begin{equation} 
126: \beta_i^{q^k}=\sum_{j=1}^n p_{ij}^{(k)}\beta_j, \qquad
127: p_{ij}^{(k)}\in\mathbb{F}_q , \label{id1}
128: \end{equation}
129: for $1\leq i,k\leq n$. Alice also writes all products of basis elements
130: in terms of the basis, i.e.:
131: \begin{equation} 
132: \beta_i\beta_j=\sum_{\ell=1}^n m_{ij\ell}\beta_{\ell}, \qquad m_{ij\ell}\in
133: \mathbb{F}_q, 
134: \label{id2}\end{equation}
135: for each $1\leq i,j\leq n$. 
136: Now she expands the equation (\ref{vuu}). So she obtains a system of
137: equations, explicit in the $v$, and quadratic in the $u$. She uses now
138: her affine relations (\ref{aff}) to replace the $u,v$ by the
139: $x,y$. So she obtains $n$ equations, linear in the $y$, and of degree
140: $2$ in the $x$. Using linear algebra, she can get $n$ explicit
141: equations, one for each $y$ as polynomials of degree $2$ in the $x$.
142: 
143: Alice makes these equations public. To send her a message $(x_1,
144: x_2, \ldots ,x_n)$, Bob
145: substitutes it into the public equations. So he obtains a linear system of
146: equations in the $y$. He solves it, and sends  ${\bf y}=(y_1,
147: y_2,\ldots,y_n)$ to Alice. 
148: 
149: To eavesdrop, Eve has to substitute
150: $(y_1,y_2, \ldots ,y_n)$ into the public equations, and solve the
151: nonlinear system of equations for the unknowns $x$.
152: 
153: When Alice receives {\bf y}, she decrypts:
154: \begin{eqnarray*}&y_1, y_2,\ldots,y_n&\\
155: &\Downarrow&\\
156: &{\bf v}=B{\bf y+d}&\\
157: &\Downarrow&\\
158: &{\bf v}=\sum v_i\beta_i &\\
159: &\Downarrow&\\
160: &{\bf u=v}^{h'}&\\
161: &\Downarrow&\\
162: &{\bf x}=A^{-1}({\bf u-c}).&
163: \end{eqnarray*}
164: 
165: In Eurocrypt $'88$ \cite{imai2}, Imai and Matsumoto proposed a digital
166: signature algorithm for their cryptosystem. 
167: At Crypto $'95$, Jacques Patarin \cite{Patarin95} showed how to break this
168: cryptosystem. He noticed that if one takes the equation  ${\bf
169:   v=u}^{q^{\theta}  +1}$, raises both sides to the $(q^{\theta}-~1)$-th
170: power, and multiplies both sides by ${\bf uv}$, one gets the equation ${\bf
171:   u v}^{q^{\theta}}={\bf u}^{q^{2\theta}} {\bf v}$ that
172: leads to equations in the $x$, $y$, linear in both sets of
173: variables. Essentially the equations do not suffice to identify uniquely
174: the message, but now even an exhaustive search will be
175: feasible. The system was definitively insecure and breakable, but its
176: ideas inspired a whole class of public key cryptosystems and digital
177: signatures based on structural identities for finite field operations
178: \cite{HFE, moh, koblitz, Patarin96, patarin96hidden, gou-pat1}.   
179: 
180: Actually, the security of this class rests on the difficulty of the
181: problem of solving systems of polynomial equations. This problem is
182: hard iff the equations are randomly chosen. All manipulations aim to
183: make equations seem like that. If they really were random, the problem
184: would be hard for Alice, too. 
185: 
186: Our paper is organized as follows. In the next section we develop our
187:   own, new cryptosystem. Alice builds her public key by manipulations
188:   as above, starting from a certain bivariate polynomial. All of
189:   Alice's manipulations are meant to hide from Eve this polynomial. It
190:   is the most important part of the private key. Its knowledge reduces
191:   decryption to the practically easy problem of solving a single
192:   univariate polynomial.
193: 
194: In the third we discuss some security issues. There we explain that
195: practically all bivariate nonlinear
196: polynomials are good for us to give rise to a public key. This
197: plentitude of choices is an important security parameter.
198: 
199: In the fourth section we provide our cryptosystem with a digital
200: signature algorithm. 
201: In the fifth one we provide one more encryption protocol, now a
202: probabilistic one, in the sense that to the same cleartext correspond
203: zero, one, or more ciphertexts. 
204: 
205: In the sixth one we discuss some more variations. Essentially, we
206: replace the single bivariate polynomial by an ideal of a small size.
207: 
208: In the seventh section we mention what Shannon
209:   \cite{stinson} calls {\it
210:   Unconditionally Secure Cryptosystems.} Actually, this class of
211:   cryptosystems is considered an exclusive domain of private key
212:   cryptography. This is due mostly to the unhappy state of the art of
213:   public key cryptography. 
214: 
215: In the eighth one we extend our constructions to differential fields
216: of positive characteristic. We hope they are the suitable environment
217: for unconditionally secure public key cryptosystems.
218: \section{A New Cryptosystem}
219: \subsection{Key Generation}
220: Alice chooses two finite fields
221:  $\mathbb{F}_q <\mathbb{K}$,  
222:  and a basis $\beta_1, \beta_2,\ldots, \beta_n $  of
223:  $\mathbb{K}$ as an  $\mathbb{F}_q$-vector space. Next she 
224: takes a generic (for now) randomly chosen bivariate polynomial:
225: \begin{equation}f(X,Y)=\sum_{ij}{{\bf a}_{ij}X^iY^j\label{poly1}}\end{equation}
226: in $\mathbb{K}[X,Y]$, such that she is able to find {\bf all} its roots in
227: $\mathbb{K}$ with respect to $X$; $\forall$ $Y \in \mathbb{K}$, if any. 
228: For the range of $i$ employed, this is nowadays considered a relatively
229: easy problem. Further, $f(X,Y)$ is subject to a few other constraints, that
230:  we make clear at the opportune moment.
231: 
232: In transforming cleartext into ciphertext message, Alice will work
233: with two intermediate vectors, ${\bf u}=(u_1,\ldots,u_n)$ and ${\bf
234:   v}=(v_1,\ldots,v_n)$; ${\bf u, v \in \mathbb{K}}$. 
235: She sets: 
236: \begin{equation}
237: \sum_{ij}{{\bf a}_{ij}{\bf u}^i{\bf
238:       v}^j}=0. \label{poly} \end{equation}  
239:  
240: For ${\bf a}_{ij} \neq 0$, she sets somehow: 
241:  \begin{equation} 
242: i=\sum_{k=1}^{n_{i}} q^{\theta_{ik}},\qquad
243: j=\sum_{k=1}^{n_{j}} q^{\theta_{jk}}, 
244: \label{equal}\end{equation}
245: where $\theta_{ik}, \theta_{jk}, n_{i}, n_j\in\mathbb{N}_*$. 
246: Here {\it somehow} means that (\ref{equal}) {\bf need not} be the $q$-ary
247: representation of $i$, $j$. Indeed, there is no reason for it to be. We
248: allow each $i$ both options: to be or not to be. Doing so we
249: increase our choices, and hence the random look of the public key. In
250: any case, what we are dealing with are nothing but identities.
251: 
252: Next Alice substitutes (\ref{equal}) for the exponents in
253: (\ref{poly}), obtaining:
254: \begin{equation}
255: \sum_{ij}({{\bf a}_{ij} \mathrm{exp}({\bf u},{\sum_{k=1}^{n_i}
256:   q^{\theta_{ik}}}) \mathrm{exp}({\bf
257:   v},{\sum_{k=1}^{n_j} 
258:   q^{\theta_{jk}}})})=0;
259: \end{equation} 
260: that is:
261: \begin{equation}
262: \sum_{ij}({{\bf a}_{ij} \prod_{k=1}^{n_i}{\bf u}^{
263:   q^{\theta_{ik}}}}\prod_{k=1}^{n_j}{\bf v}^{
264:   q^{\theta_{jk}}}) =0.
265: \label{prod}\end{equation}
266: 
267: 
268: {\bf Recall that the operation of raising to the
269: $q^k$-th power in $\mathbb{K}$ is an $\mathbb{F}_q$-linear
270: transformation.} 
271: Let $P^{(k)}=\{p_{\ell m}^{(k)}\}$ be the matrix of this
272: linear transformation in the basis $\beta_1, \beta_2, \ldots ,\beta_n$, i.e.:
273: \begin{equation} 
274: \beta_{i}^{q^k}=\sum_{j=1}^n p_{ij}^{(k)}\beta_j, \qquad
275: p_{ij}^{(k)}\in\mathbb{F}_q ; \label{id3}
276: \end{equation}
277: for $1\leq i,\,j\leq n$. Alice also writes all products of basis elements
278: in terms of the basis, i.e.:
279: \begin{equation} 
280: \beta_{i}\beta_j=\sum_{k=1}^n m_{ijk}\beta_{k}, \qquad
281: m_{ijk}\in\mathbb{F}_q; 
282: \label{id4}\end{equation}
283: for $1\leq i,\,j\leq n$. 
284: 
285: Now she  substitutes ${\bf u}=(u_1, u_2,\ldots,u_n)$, ${\bf a}_{ij}=(a_{ij1},
286: a_{ij2},\ldots,a_{ijn})$,
287: ${\bf v}=(v_1,v_2,\ldots,v_n)$, and the
288: identities (\ref{id3}), (\ref{id4}) to (\ref{prod}), and
289: expands. So she 
290: obtains a system of $n$ equations of degree $t$ in
291: the $u$, $v$, where:
292: \begin{equation}t\ =\ \max \  \{n_{i}+n_j\ \ :\ \
293:    {\bf a}_{ij}\neq 0\}.\label{set}\end{equation} 
294: 
295: Every term under $\Sigma$ in (\ref{equal}) contributes by one to the degree
296: in the $u$ of the polynomials.
297: 
298: Here we pause to give some constraints on the range of $i$, $j$ in
299: (\ref{poly}). The 
300: aim of this section is to generate a set of polynomials; linear in a
301: set of variables, and nonlinear in another one. For that purpose, we
302: relate (\ref{poly}) and (\ref{equal}): ${\bf a}_{ij}\neq 0
303: \Rightarrow$ $\{n_i>1$, $n_j=1\}$.
304: 
305: On the other side, the size of public key will be
306: $\mathcal{O}((2n)^{t+1})$. So, it grows polynomially with $n$, and
307: exponentially with $t$. Therefore, we are interested in keeping $t$
308: rather modest, e.g., $t=2,3$ or so. So, we
309: have to choose $i$, $j$ in (\ref{poly1}), (\ref{equal})  in order to
310: keep $t$ under a prefixed bound.
311: 
312: Next, Alice chooses $A=\{A_{ij}\}, B=\{B_{ij}\}\in GL(\mathbb{F}_q)$,
313: ${\bf c}, {\bf d}\in\mathbb{K}$, and sets: 
314: \begin{equation}
315: {\bf u}=A{\bf x+c},   \qquad {\bf v}=B{\bf y+d}, \label{matrix}
316: \end{equation}
317: where ${\bf x}=(x_1,x_2,\ldots,x_n)$, ${\bf y}=(y_1,y_2,\ldots,y_n)$ are
318: vectors of variables.
319: 
320: Now she substitutes  (\ref{matrix}) to the equations in the $u$,
321: $v$ above, and expands. So she  
322: obtains a system of $n$ equations of degree $t$ in the $x$, $y$;
323: linear in the $y$, and nonlinear in the $x$.
324: 
325: After the affine transformation, terms of each degree, from zero to $t$,
326: appear in each equation; before it they do not. This is its use: to shuffle terms coming
327: from different monomials of (\ref{prod}).
328: 
329: At this point, we are ready to define the cryptosystem. 
330: \subsection{The Protocol}With the notations adopted above, we define
331: the {\bf HPE 
332:   Cryptosystem} (Hidden Polynomial Equations) as the public
333:   key cryptosystem such that:
334: \begin{itemize}
335: \item The public key is:
336: \begin{itemize}\item The set of the polynomial
337:     equations in the $x$, $y$ as above;
338: \item The field $\mathbb{F}_q$;
339: \item The alphabet: a set of elements of $\mathbb{F}_q$.
340: \end{itemize}
341: \item The private key is: \begin{itemize}
342: \item The polynomial (\ref{poly1});
343: \item $A$, $B$, ${\bf c}$, ${\bf d}$ as in (\ref{matrix}); 
344: \item The identities (\ref{poly}) to (\ref{id4});
345: \item The field $\mathbb{K}$.
346: \end{itemize}
347: \item Encryption:\par Bob splits the cleartext $M$ into blocks of $n$
348: letters. If needed, he
349: completes the last string with empty spaces. Next he takes an $n$-tuple
350: ${\bf x}=(x_1,x_2,\ldots,x_n)$ of $M$, substitutes it for the $x$ in the 
351: public equations, solves with respect to the $y$, and sends ${\bf
352:   y}=(y_1,y_2,\ldots,y_n)$ to Alice. We assume here that the
353: solutions exist, and postpone the case they do not.  
354: \item  Decryption: \par Alice substitutes
355:   ${\bf v}=B^{-1}({\bf y-d})\in\mathbb{K}>\mathbb{F}_q$ in 
356: (\ref{poly}), and finds {\bf all} solutions within $\mathbb{K}$.  
357: There is at least one. Indeed, if ${\bf x}$ is Bob's cleartext, ${\bf
358:   u}$ as in (\ref{matrix}) is one. 
359: For each solution ${\bf u}$, she solves:
360:   \begin{equation}{\bf x}=A^{-1}({\bf u-c}),
361:   \label{expl}\end{equation}and represents all solutions in the basis
362:   $\beta_1, \beta_2,\ldots, \beta_n $. It takes a Chinese Remainder
363:   Theorem. With probability $\approx 1$, all 
364: results but one, Bob's $(x_1,x_2,\ldots,x_n)$, are gibberish, or even stretch
365: out of the alphabet.
366: \end{itemize} 
367: \subsection{Remarks}\subsubsection{}The risk of uncertain decryption
368:   is quite virtual. It equals
369:   the probability that another sensible combination of letters ${\bf
370:   x}$ satisfies (\ref{expl}) for any root ${\bf u}$ of (\ref{poly})
371:   for Bob's ${\bf y}$, besides the good one that always
372:   does. Afterwards, the undesired solution has to join well with the other
373:   parts of the decrypted message.
374: \subsubsection{}The main suspended question is that of existence of
375:   solutions. Well, Bob succeeds in encrypting a certain message {\bf x}
376:   iff Alice's equation (\ref{poly}) has solutions for {\bf u} as in
377:   (\ref{matrix}) for that {\bf x}. Alice's polynomial is a random
378:   one. It is a well-known fact from algebra that the
379: probability that a random polynomial of degree $m$ with coefficients upon a
380: field $\mathbb{F}_{q^n}$ has a root in it is about
381: $1-\frac{1}{e}\approx 63.2\%$ \cite{koblitz, marcus}. 
382: \label{remedy}
383: Now the remedy is probabilistic. Alice renders the alphabet public
384: with letters being sets of elements of $\mathbb{F}_q$. Bob writes down a plaintext
385: and starts encryption. If he fails, he substitutes a letter of
386: the cleartext with another one of the same set, and retries.
387: 
388: After $s$ trials, the probability 
389: he does not succeed is $\approx \frac{1}{e^s}$; sufficiently small for
390: the algorithm to be trusted to succeed.
391: \subsubsection{}The other problem is that Alice may have to
392: distinguish the right solution among a great number of them. Here we
393: propose a first remedy. Her number of solutions is bounded above by the
394: degree in $X$ of $f$. So, it is better for her to keep this degree
395: moderate. Later in this paper in other settings, there will be other
396: remedies, too.
397: 
398: There are no bounds on the degree in $Y$. It can be taken
399: whatsoever huge.
400: \subsubsection{}Solving univariate polynomial equations is used by
401:   Pa\-ta\-rin, too \cite{patarin96hidden, Wolf:02:Thesis}. He takes a
402:   univariate polynomial:
403:   $$f(x)=\sum_{i,j}\beta_{ij}x^{q^{\theta_{ij}}+q^{\varphi_{ij}}}+
404:   \sum_i\alpha_ix^{q^{\xi_i}}+\mu_0,$$
405: and with manipulations like ours, both the same as Imai-Matsumoto
406:   \cite{imai1}, he gets his public key; a set of
407:   quadratic equations. He uses two
408:   affine transformations to shuffle the equations. We claim that the
409:   first one adds nothing to the security.
410: 
411: The bigger the degree of $f$ is, the more the public key resembles a
412:   randomly chosen set of quadratic equations. So, it is a security
413:   parameter.  On the other side, it slows down decryption, principally
414:   by adding a 
415:   lot of undesired solutions. To face that second problem, to the
416:   public key are added other, randomly chosen, equations. This is its
417:   {\it Achilles' heel}. It
418:   makes the public key overdefined, therefore subject to certain
419:   facilities to solve \cite{ckps}. So, it weakens the trapdoor
420:   problem.
421: 
422: We do not add equations to discard
423: undesired solutions. 
424: So, we are not subject to overdefined stuff. If in certain variations
425: we do add, we need to add fewer equations, however. 
426: We label {\it wrong solutions} those
427:   that after decrypted do not make sense, or stretch out of the
428:   alphabet. 
429: 
430: After all, all decrypted texts will howsoever be in a
431:   comprehensible language (to someone or some widget). As $n$ grows,
432:   it is less possible to have more than one meaningful
433:   solution. Besides, any monkey solution that appears to Alice,
434:   appears to Eve, too. Furthermore, Eve may have more meaningful solutions.
435: If desired,
436:   other tests 
437:   can be introduced for that purpose. There is no need, however. The
438:   solutions, the good one and the bad ones, are very few; no more than $m$.
439: 
440: A big advantage
441:   of our settings is that we need a lower degree
442:   polynomial in $X$. So, we make the presence of
443:   undesired solutions virtual. Decryption is a pure
444:   linear algebra matter. 
445: 
446: What is most important, we have now a practically infinite range of choices of
447: $f$. This is not Patarin's case. There the choices are bounded below
448: because of being easy to attack cases, and above because of being impractical
449: to legitimate users.
450: 
451: The only few constraints we put on its monomials aim to:
452: \begin{itemize}
453: \item keep public key equations linear in the $y$; 
454: \item have fewer undesired solutions in decryption process;
455: \item keep the  size of public key moderate;
456: \item keep {\bf all} public key equations nonlinear in the $x$.
457: \end{itemize}\label{bivar}
458: 
459:  We can
460:   take the degree in {\bf y} unreasonably high. It 
461:   gives no trouble to us. It suffices that all the powers of {\bf y}
462:   that appear in the monomials of $f$ are powers of $q$, so the
463:   public equations come linear with respect to the $y$. 
464: 
465: A new facility now is that we can take lower degree in {\bf x},
466: as {\it multiple linear attack} no longer applies, hopefully.
467: 
468: The constraint that {\bf all} public key equations {\bf must} be
469: nonlinear in the $x$ is the only non-negotiable one. Indeed, if Alice
470: violates it, the trapdoor problem becomes fatally easy to Gr\"obner
471: techniques.
472: 
473: Back to the degree in the $y$ of the public key. Assume that the public
474: key equations are not linear in the $y$. Once Bob substitutes the
475: $x$ in the public equations, he now {\bf is not} challenged to solve a
476: nonlinear 
477: system of equations. He is only required to {\bf find one solution of
478:   it}. This can be done within polynomial time with respect to the
479: total degree of the system. Later we give settings to keep public key
480: nonlinear of modest degree in the $y$.
481: 
482: Each of such solutions (if any) is encryption to the same cleartext. So
483: we have set up a probabilistic encryption protocol. To a single cleartext
484: may correspond zero, one, or more ciphertexts.
485: 
486: So, in conclusion, Alice is allowed to take for the construction of
487: her public key {\bf any damned bivariate polynomial}. Indeed, we later
488: argue that $f$ can quite well be a multivariate polynomial. 
489: 
490: We hope this plentitude of choices is a spoil-sport to Eve.
491: \section{Security Issues}
492: Apparently, the only things Eve knows, are the system of public
493: equations, and the 
494: order of extension. By brute force, she has to take
495: $(y_1,y_2,\ldots,y_n)$, to substitute it in the public key equations, to
496: solve in $\mathbb{Z}$, or maybe $\mathbb{Z}[\alpha]$, and to take the sensible
497: solution. Almost surely, 
498: there is only one good solution among those that she finds.
499:  She has to find it among $t^n$ of them. However, the  main difficulty
500:  to her is just 
501:  solving the system. Supposedly, it will pass through the complete
502:  computation 
503:  of Gr\"obner basis. It is a well-known hard problem. The
504:  complexity of computations upon a field grows at most twice
505:  exponentially with respect to the 
506:  number of variables, and in the average case, exponentially. 
507: 
508: So, it is better to take  
509: $n$ huge. This diminishes the probability that Alice confuses decryption,
510: however close to zero, and, what is most important, this renders Eve's
511: task harder. 
512: 
513:  Alice and Bob will have to solve sets of bigger systems of
514:  linear equations, and face Chinese Remainder Theorem for bigger $n$.
515: 
516: There exist well-known facilities \cite{ckps} to solve overdefined systems of
517: equations. Unlike most of the rest, our public key is irredundant, so
518: it is not subject to such facilities.
519: 
520: Now, by exhaustive search we mean that Eve substitutes the ${\bf y}$ in the
521: public equations, and tries to solve it by substituting values to
522: ${\bf x}$.
523: 
524: If we have $d$ letters each of them being represented by a single
525: element of $\mathbb{F}_q$, the complexity of an exhaustive search is
526: $\mathcal{O}(d^n)$. It is easy for Alice to render exhaustive search
527: more cumbersome than 
528: Gr\"obner attack. The last one seems to be the only choice to Eve.
529: 
530: 
531: We did not find any {\it Known Cleartext Attack} to our cryptosystem.
532: 
533: Eve may engineer {\it
534:   cleartext$\,\leftrightarrow\,$ciphertext 
535:   analyses}, seeking for invariants or regularities there, helpful for an
536: attack \cite{patarin96hidden}. All the identities we use are meant to %cite Faugere
537: tousle any such regularity, 
538: and to disguise from Eve any hint on $i$, $j$, and on the entries of 
539: $A$, $B$, ${\bf c}$, ${\bf d}$, and the ${\bf a}_{ij}$; that she may
540:   use for such an attack.  
541: 
542: The complexity of the trapdoor problem is $\mathcal{O}(t^n)$,
543: the size of public key $\mathcal{O}(n^{t+1})$. This fully suggests the
544: values of parameters. $n=100$, $t=2,3,4$ would be quite good choices.
545: 
546: Obviously, infinitely many bivariate polynomials give rise to the same public
547: key. Indeed, once the ground field, the degree of extension $n$, and
548: the degree of public key equations are fixed, we have a finite number of public
549: keys. On the other hand, there are infinitely many bivariate polynomials that
550: can be used as private keys. 
551: 
552: Nothing is known about how this happens. If ever found, any such 
553: regularity will only weaken the trapdoor problem.
554: 
555: \section{A Digital Signature Algorithm}\label{sign}
556: Assume that we are publicly given a set of hash functions that send
557: cleartexts to strings of integers of fixed length $n_B$. For the only
558: purpose of signing messages for Alice, Bob builds a cryptosystem as above
559: with $q_B$ 
560: prime, and $[\mathbb{K}_B:~\mathbb{F}_{q_B}]=n_B$.
561: To sign a message $M$, he:
562: \begin{itemize}
563: \item calculates
564: $H(M)=(y_1,y_2,\ldots,y_{n_B})={\bf y}\in \mathbb{K}_B $; 
565: \item finds one solution (if any; otherwise, see section
566:   \ref{remedy}.) {\bf u} of
567:   $f_B({\bf u})={\bf y}$ in $\mathbb{K}_B$.
568: \item calculates ${\bf x}=B^{-1}({\bf u-c}_B)$;
569: \item appends ${\bf x}=(x_1,x_2,\ldots,x_{n_B})$ to $M$, encrypts,
570:  and sends it 
571:  to Alice.  $(x_1,x_2,\ldots,x_{n_B})$ is a signature to $M$.\end{itemize}  
572:  
573: To authenticate, Alice first decrypts, then she:
574: \begin{itemize}
575: \item calculates $H(M)=(y_1,y_2,\ldots,y_{n_B})$; 
576: \item substitutes $(x_1,x_2,\ldots,x_{n_B})$, $(y_1,y_2,\ldots,y_{n_B})$ to
577:   Bob's public equations; 
578: \item so she gets an $n_B$-tuple of integers. If they all reduce to
579:   zero modulo $q_B$,  she accepts the message; otherwise she
580: knows that Eve has been causing trouble.
581: \end{itemize}
582: 
583: If Eve tries to impersonate Bob and send to Alice her own message with hash
584: value ${\bf y}=(y_1,y_2,\ldots,y_{n_B})$, then to find a signature
585: $(x_1,x_2,\ldots,x_{n_B})$, she may try to find one solution of Bob's system
586: of equations for {\bf y}.
587: We trust on the hardness of this problem for the security of
588: authentication.
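
A toy run of the Imai-Matsumoto scheme of the Introduction, the HPE protocol of Section 2 and the signature check above, as an added example that is not code from the paper. The field $\mathbb{F}_{2^5}$, the keys $A$, $B$, ${\bf c}$, ${\bf d}$, both private polynomials and all function names are assumptions made here. Enumeration of the 32 field elements stands in for the linear algebra and the univariate root finding, and the public equations are modelled as an evaluation oracle.

```python
# Toy model: K = GF(2^5) over F_2, so q = 2 and n = 5. A field element is a
# 5-bit int holding its coordinates in the basis 1, x, ..., x^4.
# Every key value below is constructed for this example.
N, MOD = 5, 0b100101                      # K = F_2[x] / (x^5 + x^2 + 1)
K = range(1 << N)

def gf_mul(a, b):
    """Product in K: carry-less multiply, reducing modulo MOD as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= MOD
        b >>= 1
    return r

def gf_pow(a, e):
    """a^e in K by square-and-multiply (a^0 = 1 for every a)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def matvec(M, x):
    """F_2 matrix (list of row bitmasks) times a bit vector."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(M))

# Private affine maps u = A x + c, v = B y + d; unit-triangular matrices are
# invertible over F_2.
A = [0b00001, 0b00011, 0b00110, 0b01101, 0b11010]
B = [0b10101, 0b01010, 0b11100, 0b01000, 0b10000]
C, D = 0b10011, 0b01110
A_INV = {matvec(A, x) ^ C: x for x in K}  # table for x = A^{-1}(u - c)

# Private polynomials {(i, j): a_ij}. Every Y-exponent is 0 or a power of q.
F_IM = {(3, 0): 1, (0, 1): 1}             # v = u^(q^theta + 1), theta = 1
F_HPE = {(3, 2): 1, (5, 1): 7, (6, 0): 19, (0, 4): 1, (0, 0): 11}

def f_eval(f, u, v):
    """f(u, v) in K."""
    r = 0
    for (i, j), a in f.items():
        r ^= gf_mul(a, gf_mul(gf_pow(u, i), gf_pow(v, j)))
    return r

def public(f, x, y):
    """The n public equations evaluated at (x, y), packed into one int."""
    return f_eval(f, matvec(A, x) ^ C, matvec(B, y) ^ D)

def encrypt(f, x):
    """All ciphertexts of x. Bob would get them by linear algebra over F_q;
    with 32 candidates we simply enumerate."""
    return [y for y in K if public(f, x, y) == 0]

def decrypt(f, y):
    """Alice: v = B y + d, all roots u of f(u, v) = 0, then x = A^{-1}(u - c).
    Enumeration stands in for univariate root finding."""
    v = matvec(B, y) ^ D
    return sorted(A_INV[u] for u in K if f_eval(f, u, v) == 0)

def affine_in_y(f, x):
    """True if y -> public(f, x, y) is F_2-affine, i.e. Bob's system is linear."""
    g = [public(f, x, y) for y in K]
    return all(g[a ^ b] == g[a] ^ g[b] ^ g[0] for a in K for b in K)

def patarin_relation_holds():
    """u v^(q^theta) = u^(q^(2 theta)) v for v = u^(q^theta + 1), theta = 1."""
    return all(gf_mul(u, gf_pow(gf_pow(u, 3), 2)) ==
               gf_mul(gf_pow(u, 4), gf_pow(u, 3)) for u in K)

def sign(f, y):
    """Signature on hash value y: some x with public(f, x, y) = 0, else None."""
    candidates = decrypt(f, y)
    return candidates[0] if candidates else None

def verify(f, x, y):
    """The verifier only evaluates the public equations."""
    return public(f, x, y) == 0

if __name__ == "__main__":
    for name, f in (("Imai-Matsumoto", F_IM), ("HPE", F_HPE)):
        sizes = [len(encrypt(f, x)) for x in K]
        print(name, "ciphertexts per cleartext:", sorted(set(sizes)))
        print(name, "max decryption candidates:",
              max(len(decrypt(f, y)) for y in K))
```
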
589: 
590: \section{A Probabilistic Encryption Protocol}
591: With the ideas described above, we are going to set up now a
592: probabilistic protocol such that only the legitimate users can send
593: messages to one another. That is, the message is meaningful iff there
594: are no intruders. Its being meaningful is the signature itself. 
595: 
596: Here is the shortest possible description. Let $F_A$ and $F_B$ be
597: Alice's and Bob's public keys functions respectively, where $n_A=n_B$. To send
598: a message {\bf x} to Alice, Bob sends her a random (this randomness is
599: the probabilistic pattern) element of
600: $F_A(F^{-1}_B({\bf x}))$,
601: that she can decrypt by calculating 
602: $F_B(F^{-1}_A(F_A(F^{-1}_B({\bf x}))))$. This works if $F_A(F^{-1}_B({\bf
603:   x}))\neq \emptyset$. Otherwise, the approach is probabilistic, as in
604: the previous section.
605: 
606: Here is the extended description. Each (English, e.g.)
607: letter (or some of them, only) is represented by a set of few
608: (two, e.g.) elements of the field, or 
609: strings of them. For ease of explanation, Bob's public equations are
610: linear in the $x$, and of higher degree in the $z$.
611: 
612: Bob writes down the cleartext ${\bf  x}$ and finds one
613:     solution of:\begin{equation} {\bf x}={\bf b}_r{\bf  z}^r+{\bf
614:     b}_{r-1}{\bf 
615:     z}^{r-1}+\cdots+{\bf b}_0 .\label{polyB}\end{equation}  
616: 
617: If there are no solutions, Bob changes a 
618: representative of a letter, and retries. Probability issues are discussed
619: in the previous section.
620: 
621: Now Bob takes the solution {\bf z} of (\ref{polyB}), and applies:
622: \begin{equation}{\bf y'}=B^{-1}({\bf z-c}_B).
623: \label{explB}\end{equation}
624: 
625: Next he takes ${\bf y'}$, substitutes in Alice's public
626: equations. So he obtains a tuple {\bf y}, that he sends to Alice. This
627: is the ciphertext. 
628: 
629: Each of the other solutions of (\ref{polyB}) gives
630: rise to other encryptions of the same cleartext. 
631: 
632: To decrypt, Alice now solves her equation for {\bf y} within her
633: field $\mathbb{K}$. There is at least one solution. Next she applies
634: her inverse affine transformation to all (few)
635: solutions, and substitutes them all on Bob's public equations. After
636: all that procedure, Alice discards all meaningless solutions, and takes the
637: meaningful one. 
638: 
639: What is the trapdoor problem now?
640: Well, on authentication matter, nothing new. Eve has the same chances
641: to forge here that she had before. Recall that this kind of signatures
642: is already best with respect to the other ones.
643: 
644: On security, instead, there is a very good improvement. By brute
645: force, Eve has to take the 
646: ciphertext, substitute on Alice's public key, find all solutions, and
647: substitute them all on Bob's public key; then take the sensible
648: ones. This is worse than exhaustive search of previous
649: cryptosystems. 
650: 
651: Now, what does {\it exhaustive search} really mean here? Eve now has
652: to search through all the elements of the common public ground field,
653: not just through all the alphabet. So, opting for this protocol, we
654: can put a lot of constraints on alphabet, 
655: in order to discard far easier the undesired solutions, without
656: rendering the public key overdefined.
657: 
658: She sets up such $n$-tuples, and checks whether
659: they are solutions of Alice's public key with Bob's ciphertext
660: {\bf y} substituted for the variables $y$. If so, she substitutes them into
661: Bob's public key, and checks whether the result makes sense.
662: 
663: What can {\it linear multiple attack} or {\it quadratic attack}
664: \cite{patarin96hidden} do in these new settings?
665: 
666: Apart from all that, we save space and computation. We no longer need the
667: computation and space of a signature.
668: 
669: This protocol can be used for multiple encryption, too.
670: 
671: Let us suppose that the letters are strings of a fixed length.
672: Here Alice can impose that not all strings are letters. So, in
673: decryption she discards a priori the solutions that contain
674: non-letters. Doing so, she actually has a single good solution of her
675: polynomial, and saves herself the effort of appealing to other
676: tricks. In all the other schemes throughout, such a trick fatally
677: weakens resistance to exhaustive search.
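
The alphabet filtering described in the paragraph above can be tried on a toy instance, given here as an added illustration that is not part of the original paper. Assumptions: the field is $\mathbb{F}_{251}$ (so $n=1$), the private polynomial, the two affine maps and the 26-letter alphabet are constructed values, and roots are found by scanning the field rather than by a root-finding algorithm.

```python
"""Toy model of alphabet filtering in decryption (all parameters constructed).

Simplification: K = F_p with p prime (n = 1) and a single variable; a real
instance hides a polynomial over an extension field of the ground field.
"""
P = 251                          # size of the ground field (constructed)
LETTERS = frozenset(range(26))   # only 26 of the 251 field elements are letters

A, B = 17, 42                    # private affine map on the input:  s(x) = A*x + B
C, D = 99, 3                     # private affine map on the output: t(w) = C*w + D


def private_poly(z):
    """Alice's private polynomial (hypothetical choice), degree 3 over F_p."""
    return (z**3 + 5 * z + 7) % P


def public_map(x):
    """What the sender evaluates: t(f(s(x))), published as one polynomial."""
    return (C * private_poly((A * x + B) % P) + D) % P


def candidates(y):
    """All preimages of ciphertext y: undo t, solve f(z) = w, undo s."""
    w = (y - D) * pow(C, -1, P) % P
    roots = [z for z in range(P) if private_poly(z) == w]
    a_inv = pow(A, -1, P)
    return sorted((z - B) * a_inv % P for z in roots)


def decrypt(y, alphabet=LETTERS):
    """Discard a priori every candidate that is not a letter."""
    return [x for x in candidates(y) if x in alphabet]


def ambiguous_letters(alphabet):
    """Letters whose ciphertext still decrypts to more than one letter."""
    return [x for x in sorted(alphabet)
            if len(decrypt(public_map(x), alphabet)) > 1]


if __name__ == "__main__":
    dense = frozenset(range(P))  # every field element counts as a letter
    print("ambiguous, dense alphabet :", len(ambiguous_letters(dense)))
    print("ambiguous, sparse alphabet:", len(ambiguous_letters(LETTERS)))
    print("search space, alphabet vs field:", len(LETTERS), "vs", P)
```

The last printed line shows the other side of the trade-off: the sparser the alphabet, the smaller a search restricted to the alphabet becomes, which is why the two-key protocol forces the search over the whole ground field instead.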
678: \section{Hidden Ideal Equations}Instead of a single bivariate polynomial,
679: Alice may choose to employ an ideal of a very modest size. She separates
680: the variables she
681: employs into two sets, $\{X_i\}$, $\{Y_j\}$; one for encryption, one
682: for decryption. She may decide to leave one of the equations employed
683: of higher degree in the $\{Y_j\}$ after manipulations, so she gives rise to a
684: probabilistic encryption protocol.
685: Alice's parameters are: 
686: \begin{itemize}
687: \item $n=[\mathbb{K}:\mathbb{F}_q]$;
688: \item the numbers $s_1$, $s_2$ of variables $\{X_i\}$, $\{Y_j\}$, respectively;
689: \item the number $r$ of private equations.
690: \end{itemize}
691: 
692: So, the number of public key equations is $n\cdot r$. The number of the
693: variables $x_{ij}$ is $n\cdot s_1$, and that of the $y_{kl}$ is
694: $n\cdot s_2$.
695: 
696: Alice's number of variables, the $\{X_i\}$, is insignificant so far, so she is
697: supposed to be able to appeal to Gr\"obner basis techniques in order to solve her
698: system of equations within the field of coefficients for Bob's
699: $\{Y_j\}$. 
700: 
701: What is most important here and throughout: if
702: Bob succeeds in encrypting, Alice always succeeds in decrypting.
703: 
704: For ease of treatment, assume now that Alice does not apply affine
705: transformations to her variables. Bob fails encryption for a certain
706: cleartext $(X_1,\dots, X_{s_1})$ iff Alice's private ideal has no solutions
707: in the $Y$ for such an $(X_1,\dots, X_{s_1})$. Alice's private ideal is a
708: random one. If she takes $r\leq s_2$, the probability that it has no
709: solutions is $\approx 0$, and $\approx 1$ for $r> s_2$. So, it
710: suffices that Alice takes $r\leq s_2$. The critical cases that
711: may arise are handled simply by changing the alphabet.
712: 
713: With slight changes, this reasoning holds in the case that Alice
714: applies affine transformations, too. 
715: 
716: The real problem is indeed that the solutions for Alice may be too many, though in
717: any case finitely many, as the base field is finite. The best remedy
718: to that is that Alice takes $r=s_1$. So, the ideal that she obtains
719: after substitution of Bob's ciphertext is zero-dimensional (quite easy
720: to make happen), and the number of solutions is bounded
721: above by the total degree of the system. So, she can contain the
722: number of solutions by keeping the total degree in the $\{X_i\}$
723: modest, with each of them nevertheless nonlinear.
724: 
725: Alice can take all equations of
726: very low degree in the $X$, and then transform that basis of the ideal
727: they generate to another one of very high degrees in the $X$. So she
728: has a low B\'ezout number of the ideal, and higher degrees in the $X$,
729: and transformations as above can take place.
730: If she takes the first basis linear, the number of solutions of her
731: equations reduces to one: Bob's cleartext.
732: 
733: As soon as $r>s_1$, the public key becomes overdefined.
734: 
735: Alice applies a permutation to the equations and a renumbering to the
736: variables before publishing her key, so Eve does not know how they are
737: related. She may apply
738: affine transformations, or may not, or may apply to only some of the
739: $X_i$, $Y_j$; at her discretion.
740: 
741: If $s_1< s_2$, the size of the ciphertext is
742: bigger than that of the cleartext, and nothing else goes wrong. In this case,
743: encryption is practically always probabilistic. Indeed, even when the
744: equations are linear with respect to the $y_{kl}$, since there are more
745: variables than equations, the solutions exist, and are not unique.
746: 
747: Actually, Alice can take $s_2$ rather huge. She may choose to
748: manipulate some of the $Y_j$ within a subfield of $\mathbb{K}$, rather than
749: within $\mathbb{K}$. Doing so, she allows herself a big $s_2$, and a
750: contained size of the ciphertext. The number of the variables $y_{kl}$
751: now is no longer $n\cdot s_2$.
752: \subsection{}Now the size of the public key is
753: $\mathcal{O}(s_1(n)^{t+1})$, and the complexity of the
754: trapdoor problem is $\mathcal{O}(t^{n\cdot s_1})$.
755: 
756: It is true that throughout the size of the public key grows polynomially with
757: $n$, but before $n$ becomes interesting, the public key is already
758: quite cumbersome.
759: So, opting for the choices of this section we have reasonable security with
760: much smaller values of $n$. Values of $n=20$, or so, are actually quite good. We
761: are allowed some more values of $t$, too.
762: 
763: \subsection{}There exist classes of ideals called {\it with doubly
764:   exponential ideal membership property} \cite{swanson}. These are the
765:   ideals for
766:   which the computation of a Gr\"obner basis cannot be done within
767:   exponential time in the number of variables, i.e., it can be done
768:   within doubly exponential time in the number of variables. It is very
769:   interesting to know whether we can employ them in some fashion in
770:   this class of cryptosystems. In any case, this is the theoretical
771:   limit for employing the solving of polynomial systems of equations in
772:   public key cryptography.
773: 
774: \section{Some Considerations}
775: The idea of public key cryptography was
776: first proposed by Diffie and Hellman \cite{pkc}. Since then, it has
777: seen several vicissitudes \cite{odlyzko}.  
778: 
779: A trapdoor function is a map from cleartext units to ciphertext
780: units that can be feasibly computed by anyone having the
781: public key, but whose inverse function cannot be
782: computed without knowledge of the private key:\begin{itemize}
783: \item either because (at present, publicly)
784:   there is no theory to do it; 
785: 
786: \item or the theory exists, but the amount of calculations is
787:   deterring.\end{itemize}   
788: 
789: Cryptosystems with trapdoor problems of
790: the first kind are what Shannon \cite{stinson} calls {\it
791:   Unconditionally Secure Cryptosystems}. 
792: 
793: Actually, the aim is to make trapdoor problems be equivalent to
794:   time-honoured hard 
795:   mathematical problems. However, a problem being hard or
796:   undecidable implies 
797:   nothing about the security of the cryptosystem \cite{barkee, odlyzko}. 
798: Recall that of all schemes ever invented, only two of
799:   them, $RSA$ \cite{rsa} and {\it ECDL} \cite{koblitz},
800:   are going to be broken (or, at least, are going to become
801:   impractical) by solving the hard problems they lie upon. The rest
802:   of them have been broken with theories 
803:   of no use for solving their hard problem. So, once
804:   more, it may well
805:   be proved that solving systems of differential and integral equations
806:   is undecidable; nevertheless, several cryptosystems
807:   built upon them may be easy to break rather than secure.
808: 
809: The author is very fond of the idea of public key cryptography, and
810: believes in any case in new developments that will make it fully suffice
811: for all purposes.
812: 
813: Actually, one tendency is that of investigating {\it poor
814:   structures}, that is, structures with fewer operations, like groups and
815: semigroups, with cryptosystems built upon the {\it word problem}
816:   \cite{anshel, yamamura, hughes}. Yamamura's paper \cite{yamamura}
817:   can be considered pioneering on secure
818:   schemes. Unfortunately, its scheme is still ineffective.
819:  
820: William Sit and the author are investigating cryptosystems upon
821: other algebraic structures. We are investigating, among other things, whether
822: it is possible to build effective secure schemes upon
823: differential fields of positive characteristic. We
824: hope that cryptography will arouse new interest in differential and
825: universal algebra, too, as it did in number theory and arithmetic
826: geometry. One reason for optimism is that in universal algebra one can
827: go on further with new structures and hard or undecidable problems
828: forever. Until now we have appealed
829: to only the unary and binary arithmetic operations.
830: \section{Generalizations on Differential Fields}
831: Differential algebra was born principally due to the efforts of Ritt
832: \cite{ritt} to handle differential equations by means of
833: algebra. Actually, a differential field is a field with a set of unary
834: operations $'$ called derivatives that replace an element of the field
835: with another one such that $(a+b)'=a'+b'$ and $(ab)'=ab'+a'b$.
836: 
837: Good references on the topic are \cite{kolchin, sit2, ritt, sadik,
838:   kaplansky}. Kaplansky's book is probably the best introduction to
839:   the topic.
840: 
841: 
842: It is possible\footnote{Most of the considerations given in this section are
843:   suggestions of professor Sit through private communications.} to
844:   generalize the schemes given throughout using
845: differential polynomials instead of (\ref{poly1}). Take 
846: $\mathbb{K}$ to be a finite
847: differential field extension of a differential field
848: $\mathbb{F}$ of positive characteristic\footnote{In zero
849:   characteristic numerical analysis tools seriously affect security,
850:   or at least constrain us to more careful choices. We shall
851:   not dwell on this topic here.}.
852: Any such $\mathbb{K}$ is defined by a system of linear homogeneous
853: differential equations, and there are structural constants defining
854: the operations for the derivations (one matrix for each derivation),
855: as well as for multiplication.
856: 
857: One can now replace (\ref{poly1}) with a
858: differential polynomial. The scheme works
859: verbatim. One can take (\ref{poly1}) to be of higher order and degree;
860: that is fine too, just as in the algebraic case.
861: Euler, Clairaut, or any of the other well-studied classes of equations,
862: or their compositions: each of them fully suffices.
863: 
864: The techniques described above for polynomials, if
865: applied to differential polynomials, will definitely make it much harder
866: to attack any protocol developed. Any affine transformation (by this is
867: meant a linear combination of the differential indeterminates with
868: not-necessarily constant coefficients, and this linear combination is
869: then substituted  {\it differentially}  in place of the differential
870: indeterminates) will even out not only the degrees, but also the orders
871: of the various partials, making the resulting differential
872: polynomial very dense.
873: 
874: However, there is one thing to caution about:
875: any time one specifies these structural matrices, they have to satisfy
876: compatibility equations. In the algebraic case, these are the relations
877: between $P^k=\{{p_{ij}}^{(k)}\}$ in (\ref{id3}) and
878: $M_{\ell}=\{m_{ij\ell}\}$ in (\ref{id4}). The $P^k$ are simply determined
879: uniquely by $M_{\ell}$, given the choices implicitly defined in (\ref{id4}).
880: 
881: It is very interesting to know in the algebraic case whether the
882: system of equations Alice obtains is invariant under a change of
883: basis, all other settings being equal. There is probably some group of
884: matrices in $GL(n, q)$ that can do that. Such knowledge may be used to
885: build attacks on all schemes of the $HFE$ class.
886: 
887: In the differential case there is a similar action called Loewy
888: action, or the gauge transformation. For ordinary differential
889: equations, two matrices $A$, $B$ are Loewy similar if there is an
890: invertible matrix $K$ such that $A=\delta K\cdot
891: K^{-1}+KBK^{-1}$. Using this action, one can classify the different
892: differential vector space structures of a finite dimensional vector
893: space. There is also a cyclic vector algorithm to find a special basis,
894: so that the differential linear system defining the vector space
895: becomes equivalent to a single linear $ODE$. 
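
The similarity relation above is exactly the effect of a change of basis on a first-order linear differential system, as the following added derivation shows (it is not part of the original text; the vectors $u$, $v$ and the form $\delta u=Bu$ of the system are assumptions made here). Let $\delta u=Bu$ and put $v=Ku$ with $K$ invertible. Then
\begin{equation*}
\delta v=\delta K\cdot u+K\,\delta u
        =\delta K\cdot K^{-1}v+KBK^{-1}v
        =\left(\delta K\cdot K^{-1}+KBK^{-1}\right)v ,
\end{equation*}
so $v$ satisfies $\delta v=Av$ with $A=\delta K\cdot K^{-1}+KBK^{-1}$. When the entries of $K$ are constants, $\delta K=0$ and the relation reduces to ordinary similarity $A=KBK^{-1}$.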
896: 
897: If no other problems arise for the differential
898: algebraic schemes, there is however
899: one more caution for them to be unconditionally secure. We have to avoid
900: exhaustive search. For that, Alice has to publish a finite alphabet
901: where each letter is represented by an infinite set, with disjoint sets for
902: different letters. This is possible in differential fields, as
903: they are infinite. Alice renders the sets public parametrically, as
904: differential algebraic functions of elements of the base differential
905: field, and parameters, e.g., in $\mathbb{Z}$. Bob
906: chooses a letter, gives random values to the parameters, obtains one
907: representative of the letter, and proceeds as above. In any case, if
908: $\mu$ is the order of the public equations, any two elements $\Xi$, $\Theta
909: \in \mathbb{F}$ such that $(\Xi - \Theta)^{(\mu )}=0$ must represent
910: the same letter, if any.
911: 
912: The main care for Alice is that the public key
913: equations must not fall into tractable classes by well-known means,
914: such as linear algebra. 
915: 
916: In the algebraic case such constructions do not make sense. Eve can
917: anyway appeal to a Gr\"obner attack. Besides, in any case
918: such data enable her to guess $q$.
919: 
920: The size of the public key now is actually $\mathcal{O}(n^{to+1})$,
921: where $o$ is the order of the public key equations. Quite
922: explosive. However, a first tool to contain it is the low
923: characteristic of the field. So, we see a lot of monomials reduce to
924: zero. The best consolation is that we do not have to go far with the
925: parameters. The trapdoor problem is simply undecidable.
926: $n=20$ would fully suffice. Such a value is needed
927:   more in order to avoid uncertain decryption (however less probable in
928:   differential fields, as the range of solutions is infinite) than for increasing
929:   security.  Besides, if some attack were found on the $HDPE$
930: (Hidden Differential Polynomial Equations) scheme, it would work better
931: against $HPE$. As of now, the $HDPE$ trapdoor problem seems undecidable, and the
932: scheme effective. The author is working to come up with concrete
933: examples of this kind of cryptosystem. Unfortunately,
934: everything in the topic is still handmade, and therefore rather time-consuming.
935: % Keep present Sit's observations on the ansatz matrix. How do Alice
936: % decrypt? What is A^{-1}?
937: \subsection*{Acknowledgments.}
938: The author would like to thank Don Coppersmith, Patrizia 
939: Gianni, Teo Mora, Massimiliano Sala, and Barry Trager for
940: many suggestions and fruitful discussions. The author is particularly
941: indebted to William Sit for several comments and improvements on earlier
942: drafts, and to his advisor, Carlo Traverso.
943: 
944: 
945: 
946: \addcontentsline{toc}{section}{Bibliography}
947: \bibliographystyle{alpha}
948: \bibliography{biblio}
949: \nocite{HFE, Patarin95, gathen, odlyzko, barkee, koblitz,
950:   marcus, moh, imai1, imai2, sit,  patarin96hidden, pkc, sadik,
951:   kolchin, sit2, ritt, hughes, anshel, yamamura, gathen, stinson,
952:   ckps, patarin96hidden, Wolf:02:Thesis, menezes, swanson}
953: 
971: \end{document}
972: