
1 Introduction

In the 1990s, Peter Shor developed a polynomial time algorithm to factor and compute discrete logarithms using a quantum computer. This discovery has changed the focus of the future of cryptography. With large scale quantum computing increasingly being viewed as an inevitability, as opposed to a mere possibility, research in the field of post-quantum cryptography is more important than ever.

A plethora of possible post-quantum cryptosystems have been proposed at this time, including (but not limited to) lattice-based cryptosystems, code-based cryptosystems, multivariate cryptosystems, and hash-based signatures. Each of these areas relies on mathematical problems for which there is no obvious quantum advantage. In this article, we focus on the application of multivariate cryptography to secure encryption.

1.1 Recent History of Multivariate Encryption

Multivariate encryption has had a complicated history, with an increase in activity in the recent past. These schemes are composed of systems of multivariate quadratic polynomials over a finite field \(\mathbb {F}\). The security of these schemes is based on the MQ-problem, the problem of solving systems of quadratic equations over a field, which is known to be NP-hard. This fact suggests that the problem remains hard even for quantum computers.

Recently we have seen new candidates and strategies emerge for multivariate encryption. Previously, multivariate schemes centered around bijective functions mapping an n-dimensional vector space back onto an n-dimensional vector space. The problem with this strategy is that there are not many bijective quadratic maps. Furthermore, of the maps that do exist, many were either too hard to invert or too easy to invert. The common practice for overcoming this shortcoming was to hide an easily invertible function by composing the bijective function with affine maps.

In 2013, Tao et al. proposed relaxing the bijective condition for the central function and replacing it with an injective map with a much larger codomain in [1]. In theory, this would make hiding the structure of the map while maintaining efficient inversion easier to accomplish. The recent resurgence of multivariate encryption is due primarily to this change in philosophy. Many schemes have been proposed along these apparently promising lines.

Some notable schemes that increase the codomain size of the central mappings include the ABC Simple Matrix scheme, see [1], which utilizes a large matrix algebra structure; ZHFE, see [2], which is similar to a high degree version of HFE with a single variable over the extension; and SRP, see [3], which combines the Square encryption scheme, Rainbow signature scheme, and Plus method. Although these schemes appear promising, many of these schemes have subsequently been the victims of surprising (if not disabling) cryptanalysis. The attacks on ABC from [4,5,6] work well if the base field is small, and both ZHFE and SRP were broken in [7] and [8], respectively.

1.2 Our Contribution

We propose a new encryption system, EFLASH, based on a primitive with strong security results. The scheme is a projected \(C^{*-}\) scheme with a parameterization effective for encryption. This scheme also follows the philosophy of increasing the size of the codomain to avoid ciphertext collision. We accomplish this increase in codomain size by replacing the traditional projection with an embedding into a larger space.

This construction introduces challenges that a projected \(C^{*-}\) signature scheme does not have to address. Since valid decryption requires a unique preimage, it is a requirement that there is a single assignment of the missing coordinates of the output of the central map corresponding to a valid input. Thus, for constant time implementations, every such assignment of coordinates must be computed. We introduce a new method of decryption satisfying these constraints in realistic amounts of time.

1.3 Organization of Paper

The paper is organized as follows. The section following the introduction introduces the idea of big field schemes and describes relevant big field schemes, namely \(C^*\), PFLASH and HFE. Then the subsequent section outlines the cryptanalytic techniques that have had the most success attacking big field schemes. After that, we introduce the algebraic structure of our scheme in Sect. 4 where we discuss the algebraic aspects of EFLASH and methods for encryption and decryption. Finally, we discuss the resistance to relevant attacks and parameter selection for EFLASH.

2 Big Field Schemes

EFLASH belongs to a family of multivariate cryptosystems known as “big field” schemes. These schemes rely on the multiplicative structure of a degree d extension \(\mathbb {F}_{q^d}\) of the finite field \(\mathbb {F}_q\). Let \(\phi :\mathbb {F}_q^d\rightarrow \mathbb {F}_{q^d}\) be a vector space isomorphism (we will also denote \(\mathbb {F}_{q^d}\) as \(\mathbb {K}\)). Notice that univariate monomials of the form \(X^{q^i+q^j}\) in \(\mathbb {F}_{q^d}[X]\) are the product of two Frobenius automorphisms over \(\mathbb {F}_q\), and hence are the product of two \(\mathbb {F}_q\)-linear functions. Thus \(\phi ^{-1}\circ X^{q^i+q^j}\circ \phi \) is coordinate-wise quadratic when expressed over \(\mathbb {F}_q\). Hence functions of the form

$$\begin{aligned} \sum _{0\le i,j<d}\alpha _{ij}X^{q^i+q^j} \end{aligned}$$

are said to be \(\mathbb {F}_q\)-quadratic.

To disguise the structure of the central map of such schemes one applies a morphism of polynomials, essentially choosing random linear maps mixing the input and output spaces of the central map. Formally, we define these morphisms as follows.

Definition 1

A polynomial morphism is a map between two systems of polynomials, \(F:\mathbb {F}_q^d\rightarrow \mathbb {F}_q^d\) and \(P:\mathbb {F}_q^n\rightarrow \mathbb {F}_q^m\) defined by a pair of affine maps \(T:\mathbb {F}_q^d\rightarrow \mathbb {F}_q^m\) and \(U:\mathbb {F}_q^n\rightarrow \mathbb {F}_q^d\) such that \(P=T\circ F\circ U\). If both T and U are invertible, then the morphism is said to be an isomorphism and F and P are said to be isomorphic.

The following diagram illustrates the entire construction utilizing the big field.

[Diagram of the big field construction \(P=T\circ \phi ^{-1}\circ F\circ \phi \circ U\); figure not reproduced.]

2.1 \(C^*\)

Matsumoto and Imai introduced the \(C^*\) scheme in [9] at Eurocrypt ’88, effectively introducing the world to massively multivariate cryptography. The scheme uses a big field construction where the quadratic monomial map \(f:\mathbb {K}\rightarrow \mathbb {K}\) is defined by \(f(x)=x^{q^\theta +1}\) and is hidden by a polynomial isomorphism. The public key for the scheme is given by \(P=T\circ \phi ^{-1}\circ f\circ \phi \circ U\).

Encryption of a plaintext is accomplished by evaluating the public polynomials P at an encoding of the plaintext x, and is thus very efficient. Decryption is accomplished by inverting each of the three component maps individually. The inversion of \(v=f(u)\) is performed by solving \(h(q^\theta +1)\equiv 1 \pmod{q^n-1}\) for h and calculating \(u=v^h\). This process can be cumbersome, depending on the degree of extension and the exponent \(\theta \).

2.2 PFLASH

Following the break of \(C^*\), efforts to modify the scheme to add security led to the discovery of PFLASH, introduced in [10]. The PFLASH scheme is a specific parametrization of a projected \(C^{*-}\) scheme. Both the projection and minus modifiers were initially proposed in relation to \(C^*\) in [11]. The purpose of the projection modifier is to change the simplicity of the central map by fixing the value of d input variables. The composition of the projection and an affine map U creates a projection onto a codimension d subspace. The minus modifier eliminates r equations from the public key. Note that the composition of the minus projection with the affine map T has corank r. The public key of PFLASH(q, n, r, d) is given by \(P(\overline{x})=\pi _r\circ T\circ \phi ^{-1}\circ f\circ \phi \circ U\circ \pi _d(\overline{x})\).

The scheme works as a digital signature primitive. To verify a signature, an individual evaluates the public polynomials at the given signature. To create a signature, the signer finds a preimage of each of the private maps. In order to find a preimage of \(\pi _r\circ T\circ \phi ^{-1}\), randomly append r values to the message, then apply \(T^{-1}\) and \(\phi \). After inverting f, an element that is in the preimage of \(\phi \circ U\) and in the image of \(\pi _d\) is selected as the signature.

PFLASH has strong security arguments, including a proof of security against differential attacks that can be found in [12]. Due to the modifications of the scheme, the public key is not isomorphic to the private monomial function, but rather only a polynomial morphism exists between the central map and the public key. As shown in [13], the morphism of polynomials problem is NP-hard, which gives hope that the information lost to the public key may secure the scheme.

2.3 HFE

Another descendant of the \(C^*\) scheme is the Hidden Field Equation (HFE) scheme of [14]. HFE replaces the monomial map of the \(C^*\) scheme with a more general polynomial with a degree bound D.

Given \(\mathbb {K}\), the degree n extension of \(\mathbb {F}\), a quadratic polynomial \(f:\mathbb {K}\rightarrow \mathbb {K}\) with degree bound D is chosen. The function f has the following form:

$$\begin{aligned} f(x)=\sum _{\begin{array}{c} i\le j\\ q^i+q^j\le D \end{array}}\alpha _{i,j}x^{q^i+q^j}+\sum _{\begin{array}{c} i\\ q^i\le D \end{array}}\beta _ix^{q^i}+\gamma , \end{aligned}$$

where \(\alpha _{i,j},\beta _i,\gamma \in \mathbb {K}\). The public key is then constructed via the isomorphism:

$$\begin{aligned} P=T\circ \phi ^{-1}\circ f\circ \phi \circ U. \end{aligned}$$

Inversion for this scheme is achieved by taking a ciphertext \(\overline{y}=P(\overline{x})\) and computing \(v=\phi \circ T^{-1}(\overline{y})\). The next step is to solve \(v=f(u)\) for u via the Berlekamp algorithm, see [15], and finally recovering \(\overline{x}=U^{-1}\circ \phi ^{-1}(u)\).

3 Cryptanalyses of Big Field Schemes

There are three main cryptanalytic techniques that are applicable to big field multivariate cryptosystems. In a sense, all of these techniques are related to Q-rank. The MinRank key recovery attack has a complexity directly dependent on the Q-rank of the central map. The differential symmetry attack is relevant when the Q-rank of the central map is minimal in the relevant algebra. The direct algebraic attack has a complexity dependent on the degree of regularity of the public key which is usually a linear function of the Q-rank. We review each of these techniques.

3.1 MinRank

The first effective attack on HFE was presented in [16] and is now commonly called the Kipnis-Shamir (KS) attack. Their idea is to express the central polynomial as a single quadratic form on a large representation of the extension field. Specifically, choose a representation \(\psi :\mathbb {K}\rightarrow \mathbb {A}\) of the form \(\psi (X)=(X,X^q,\ldots ,X^{q^{d-1}})\). Then one can choose a matrix representation \(\mathbf {F}\) of the central map f such that

$$\begin{aligned} f(X)=\left[ \begin{matrix}X&X^q&\cdots&X^{q^{d-1}}\end{matrix}\right] \mathbf {F}\left[ \begin{matrix}X&X^q&\cdots&X^{q^{d-1}}\end{matrix}\right] ^\top . \end{aligned}$$

As the reader easily notices, the degree bound on f implies that \(\mathbf {F}\) has only a small block of nonzero values and thus has low rank. We call the rank of this quadratic form the Q-rank of f.

The attack in [16] exploits this low Q-rank property by using interpolation to find a formula for the public key over the extension field, computing the matrix forms of all of the Frobenius powers of this map, and then finding a low rank linear combination of these matrices with coefficients chosen from \(\mathbb {K}\). The attack can be effective, but all of the algebra takes place in \(\mathbb {K}\) which can be cumbersome.

The KS attack was significantly improved for determined or slightly over-determined schemes in [17], where the authors introduce minors modeling. Whereas the modeling of the low rank property in the KS attack requires structures defined over \(\mathbb {K}\), the authors of [17] noticed that a \(\mathbb {K}\)-linear combination of the public quadratic forms defined over \(\mathbb {F}_q\) has low rank. Thus one may construct a system of equations over the small field, resolve this system via Gröbner bases over the small field, and finally recover the variety over the big field. Requiring the most intensive calculations to be performed over the base field provided a significant advantage.

PFLASH is algebraically equivalent to an HFE- scheme (with a more efficient inversion process), and though the MinRank problem is less over-defined, the technique can, in principle, still be applied. To see this equivalence, note that the removal of equations can be modeled as a projection whose minimal polynomial, see [18, Definition 1], has low degree. Thus, there is a basis in which one can compose a low degree linear map with the low Q-rank central map of PFLASH producing a low Q-rank composition. As shown in [12, 19], the Q-rank of the PFLASH public key is too large for this attack to be effective.

3.2 Differential Techniques

A second class of attacks that has proven effective against big field schemes is the family of differential attacks involving the recovery of a symmetric relation to remove the minus modifier, or as a tool for accessing a low Q-rank. The discrete differential of a function \(f:\mathbb {K}\rightarrow \mathbb {K}\) is the bivariate function

$$\begin{aligned} Df(a,x)=f(a+x)-f(a)-f(x)+f(0). \end{aligned}$$

The differential operation D is linear and acts in many ways like a derivative; e.g. the differential of an \(\mathbb {F}_q\)-quadratic map is \(\mathbb {F}_q\)-bilinear, the differential of an \(\mathbb {F}_q\)-cubic function is \(\mathbb {F}_q\)-bi-quadratic, etc. The operators \(D^2\), \(D_x\), and so on all work analogously as do \(\frac{d^2}{dx^2}\), \(\frac{\partial }{\partial x}\), etc.

Differential attacks have been the basis of several cryptanalyses, see [4,5,6, 8, 20, 21]. The two basic techniques are linear differential symmetry attacks and differential invariant attacks.

Linear differential symmetry attacks attempt to find linear maps L that “factor through” the differential of the central map in an interesting way. Specifically, the goal is to find maps L satisfying

$$\begin{aligned} Df(La,x)+Df(a,Lx)=\varLambda _LDf(a,x). \end{aligned}$$

If such a map can be found, it allows one to “remove” the minus modifier by discovering new linear combinations of the central maps that are linearly independent of the public key.

Such an attack is what broke SFLASH in [21]. If L represents multiplication by an element \(\sigma \in \mathbb {K}\), then one can factor out \(\sigma \) from the differential due to the fact that the central map f is multiplicative. This vulnerability is provably removed via projection as shown in [12]. Thus PFLASH is invulnerable to this attack.

The other differential attack model, the invariant attack, uses the low rank structure on a large subspace of the public key to enhance the linear algebra search version of MinRank. Specifically, if a large subspace of the public key has the property that the matrices representing its functions as quadratic forms map a particular subspace V simultaneously into another subspace W of the same dimension, then any projection producing two full rank differentials \(Df_1\) and \(Df_2\) gives an advantage in recovering V, since V is left invariant by \(Df_1Df_2^{-1}\). This attack has been applied to undermine some of the proposed parameters for ABC and cubic ABC in [4,5,6] and was used to break the balanced oil-vinegar scheme in [22]. This attack was shown to be useless against PFLASH in [19].

3.3 Algebraic Attacks

The most straightforward attack is to try to directly invert the public key via Gröbner bases. The complexity of solving such systems relies on the degree of regularity of the system, which can be defined as the smallest degree at which a nontrivial syzygy producing a degree fall is generated in the Gröbner basis algorithm.

As shown in [23], the degree of regularity for HFE- systems, with \(a\) equations removed, satisfies the bound

$$\begin{aligned} d_{reg}\le (q-1)\Big \lfloor \frac{\lceil \log _q(D)\rceil +a}{2}\Big \rfloor +2. \end{aligned}$$

This upper bound is fairly tight for small fields and provides a fair estimate of the complexity of the direct algebraic attack on HFE-.

4 Description of EFLASH

Our scheme may be considered an atypical parameterization of a projected \(C^{*-}\), which introduces new challenges. The major difference between our scheme and the previously studied PFLASH is the size of the projection. The size of our projection \(\pi \) will be much larger. This modification produces a significantly different scheme with different security properties.

4.1 Algebraic Structure

We will let n be the number of variables and \(d>n\) be the degree of the extension field over \(\mathbb {F}_q\). We will let \(m\ge n\) be the number of equations (\(m<d\)) and denote the number of equations removed by \(a=d-m\). We will compose our central map \(f(x)=x^{q^{\theta }+1}\) with affine maps S and T from \((\mathbb {F}_q)^d\) to \((\mathbb {F}_q)^d\). We let \(\phi \) be a vector space isomorphism from \((\mathbb {F}_q)^d\) to \(\mathbb {F}_{q^d}\), \(\pi \) be a linear embedding from \((\mathbb {F}_q)^n\) to \((\mathbb {F}_q)^d\), and \(\tau \) be a linear projection from \((\mathbb {F}_q)^d\) to \((\mathbb {F}_q)^m\).

[Diagram of the EFLASH construction \(P=\tau \circ T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi \); figure not reproduced.]

Our public equations P can be found by computing \(P=\tau \circ T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi \), where \(f(x)=x^{q^{\theta }+1}\).

4.2 Encryption and Decryption

To encrypt a message \(\overline{x}\), the sender would just compute \(P(\overline{x})=\tau \circ T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi (\overline{x})=\overline{y}\) to get ciphertext \(\overline{y}\). To decrypt the message we will take advantage of some of the weaknesses that an unmodified \(C^*\) scheme possesses.

To decrypt, we exploit the more efficient method of inversion Patarin developed in his linearization equations attack from [24]. Specifically, if \(\overline{v}=(\phi ^{-1}\circ f\circ \phi )(\overline{u})\) then there is a system of d polynomials of the form

$$\begin{aligned} \sum _{0\le i,j<d}\alpha _{i,j,\ell }u_iv_j+\sum _{0\le i<d}\beta _{i,\ell }u_i+\sum _{0\le i<d}\gamma _{i,\ell }v_i+\delta _\ell \end{aligned}$$

in the coefficients of \(\overline{u}\) and \(\overline{v}\) which are simultaneously zero. Composing the right inverse of \(S\circ \pi \) and T with \(\overline{u}\) and \(\overline{v}\), respectively, we obtain a bilinear relation between the plaintext \(\overline{x}\) and \(\overline{y}'=T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi (\overline{x})\). Given access to the private key (which includes the linearization equations) the calculation of this bilinear relation is immediate. Adding the linearization equations to the private key can be considered a drawback as it increases the private key size, but is an important aspect for our algorithm.

Inversion, given the ciphertext \(\overline{y}\), is then accomplished by concatenating every possible suffix \(\overline{y}_a\) to discover \(\overline{y}'=\overline{y}||\overline{y}_a\). Success is determined by solving the affine system in \(\overline{x}\) induced from the linearization equations upon input \(\overline{y}'\). If the affine system has a solution, \(\overline{x}\), we can be assured that \(P(\overline{x})=\overline{y}\).
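The pipeline of Sects. 2.1 and 4.2 on a toy instance, as an added example that is not the paper's own code: key generation, encryption through \(\tau \circ T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi \), plain \(C^*\) inversion by the exponent h of Sect. 2.1, and the decryption of Sect. 4.2, which tries every assignment of the a dropped coordinates and solves an affine system in \(\overline{x}\). Every concrete choice is an assumption of the example: q = 2, d = 11, \(\theta =3\), n = 8, m = 10; \(\mathbb {F}_{2^{11}}\) built from the trinomial \(x^{11}+x^2+1\) (taken to be irreducible); \(\phi \) the identity on bit-vectors, \(\pi \) zero-padding and \(\tau \) truncation to the first m coordinates; and the private linearization equations instant­iated from the standard \(C^*\) relation \(u\,v^{q^\theta }=v\,u^{q^{2\theta }}\), which follows from \(v=u^{q^\theta +1}\) and is bilinear in the coordinates of \(\overline{u}\) and \(\overline{v}\), the shape the section describes without writing out.

```python
import random
from functools import reduce
from operator import xor
# Toy EFLASH parameters, constructed for this example and far below any secure size: q = 2, d = 11,
# theta = 3, n = 8 plaintext bits, m = 10 ciphertext bits (tau drops a = d - m = 1 coordinate).
# Bit i of an integer is coordinate i, and phi is the identity on these bit-vectors.
D, THETA, N, M = 11, 3, 8, 10
A = D - M
MODULUS = (1 << 11) | (1 << 2) | 1  # GF(2^11) = GF(2)[x]/(x^11 + x^2 + 1), assumed irreducible

def gf_mul(x, y):  # multiply in GF(2^D), reducing modulo MODULUS bit by bit
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> D & 1:
            x ^= MODULUS
    return r

def gf_pow(x, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def f(u):  # central C* monomial f(u) = u^(2^theta + 1)
    return gf_mul(gf_pow(u, 1 << THETA), u)

H = pow((1 << THETA) + 1, -1, (1 << D) - 1)  # h with h(2^theta + 1) = 1 mod 2^d - 1 (Sect. 2.1)
def f_inverse(v):  # plain C* inversion u = v^h; EFLASH's decrypt below avoids this large exponent
    return gf_pow(v, H)

def lin_map(v, u):
    """C* linearization relation u*v^(2^theta) + v*u^(2^(2 theta)): zero whenever v = f(u),
    and GF(2)-linear in u for fixed v because Frobenius powers are GF(2)-linear."""
    return gf_mul(u, gf_pow(v, 1 << THETA)) ^ gf_mul(v, gf_pow(u, 1 << (2 * THETA)))

# Linear algebra over GF(2): a matrix is a list of row bitmasks, an affine map is (rows, offset).
def mat_vec(rows, v):
    return sum(((bin(row & v).count("1") & 1) << i) for i, row in enumerate(rows))

def solve_gf2(rows, rhs, ncols):
    """Gauss-Jordan: (one solution, kernel basis) of rows*x = rhs, or None if inconsistent."""
    aug = [row | ((rhs >> i & 1) << ncols) for i, row in enumerate(rows)]
    pivots, r = {}, 0
    for c in range(ncols):
        p = next((i for i in range(r, len(aug)) if aug[i] >> c & 1), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        for i in range(len(aug)):
            if i != r and aug[i] >> c & 1:
                aug[i] ^= aug[r]
        pivots[c], r = r, r + 1
    if any(row >> ncols & 1 for row in aug[r:]):
        return None
    x0 = sum(((aug[i] >> ncols & 1) << c) for c, i in pivots.items())
    kernel = [(1 << fc) | sum(1 << c for c, i in pivots.items() if aug[i] >> fc & 1)
              for fc in range(ncols) if fc not in pivots]
    return x0, kernel

def span(x0, basis):  # every x0 + GF(2)-combination of the basis vectors
    for mask in range(1 << len(basis)):
        yield reduce(xor, (b for k, b in enumerate(basis) if mask >> k & 1), x0)

def random_affine(rng):  # random invertible affine map z -> Mz + c on GF(2)^D
    while True:
        rows = [rng.getrandbits(D) for _ in range(D)]
        if not solve_gf2(rows, 0, D)[1]:  # trivial kernel <=> invertible
            return rows, rng.getrandbits(D)

def keygen(seed=1):
    rng = random.Random(seed)  # seeded only to make the example reproducible
    return random_affine(rng), random_affine(rng)  # private key (S, T)

def encrypt(key, x):
    """P(x) = tau∘T∘phi^{-1}∘f∘phi∘S∘pi(x): pi zero-pads x to d bits, tau keeps the low m bits."""
    S, T = key
    u = mat_vec(S[0], x) ^ S[1]
    return (mat_vec(T[0], f(u)) ^ T[1]) & ((1 << M) - 1)

def decrypt(key, y):
    """Sect. 4.2: for each suffix y_a form y' = y||y_a, v = phi∘T^{-1}(y'), solve the affine
    system in x given by lin_map(v, S∘pi(x)) = 0, and re-encrypt each solution to confirm it."""
    S, T = key
    found = []
    for suffix in range(1 << A):
        v = solve_gf2(T[0], (y | (suffix << M)) ^ T[1], D)[0]  # T is invertible, so v is unique
        cols = [lin_map(v, mat_vec(S[0], 1 << j)) for j in range(N)]  # image of each unit vector
        rows = [sum(((cols[j] >> i & 1) << j) for j in range(N)) for i in range(D)]
        sol = solve_gf2(rows, lin_map(v, S[1]), N)  # the offset of S supplies the constant term
        if sol is not None:
            found += [x for x in span(*sol) if encrypt(key, x) == y]
    return found
```

Two details are worth attention when reading `decrypt`. First, \(u=0\) satisfies the linearization relation for every v, so for a wrong suffix the affine system can still have the solution with \(S\circ \pi (\overline{x})=0\); re-encrypting each candidate filters it out, which is all the final check in Sect. 4.2 needs. Second, with these constructed parameters roughly \(2^{n-m-1}=1/8\) of ciphertexts have a second preimage (the failure rate of Sect. 4.3), so the function returns every preimage it finds instead of assuming uniqueness; the parameters were chosen to make that failure mode visible, not to be secure.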

4.3 Decryption Failure Rate

We want to find the probability that there are multiple preimages of y under \(\tau \), which would result in a decryption failure. Specifically, we want to compute the probability that \(x_1, x_2, y\in \mathbb {F}_q\) exists such that \(P(x_1)=P(x_2)=y\), given that \(P(x_1)=y\). Given our function \(P(x)=\tau \circ T\circ \phi ^{-1}\circ f\circ \phi \circ S \circ \pi (x)\), it is clear that the only part of this function that is not injective is \(\tau ,\) and that \(\pi \) is the only additional map that is not bijective. Thus we compute the probability of decryption failure under the simplifying heuristic that the central map \(\hat{P}(x)=T\circ \phi ^{-1}\circ f\circ \phi \circ S (x)\) is a random bijection. This assumption is obviously false as f is a quadratic map, but we believe this heuristic to be statistically useful. Let \(A=\text {image}(\pi )\), \(|A|=q^n\). We can consider B to be the preimage of y under \(\tau \), so under our simplifying heuristic B is a random set of \(q^a\) elements from \(\mathbb {F}_q^d\).

We will use Bernoulli trials to estimate the probability that y is the image of at least two distinct elements of \(\mathbb {F}_q^n\), given that it is the image of at least one. If \(Pr(\hat{P}(x)\in B:\hat{P}(x)\in A)=p\), then the probability of k elements in A being in B is \(\binom{q^n}{k}(1-p)^{q^n-k}p^k\).

The probability of \(\hat{P}(x)\in B\) is \(\frac{q^a}{q^d}=q^{-m}\), and the probability that \(\hat{P}(x)\) is not in B is \(1-q^{-m}\). Thus we compute:

$$\begin{aligned} Pr( |A\cap B|\ge 2\mid |A\cap B|\ge 1)&=\frac{Pr( |A\cap B|\ge 2)}{Pr( |A\cap B|\ge 1)}\\&=\frac{1 - \Big (Pr( |\mathbf {G}\cap \tau ^{-1}(y)|= 0)+Pr( |\mathbf {G}\cap \tau ^{-1}(y)|= 1)\Big )}{1 -Pr( |\mathbf {G}\cap \tau ^{-1}(y)|= 0)} \end{aligned}$$

Therefore we find \(Pr(|A\cap B|\ge 2 \mid |A\cap B|\ge 1)\) to be

$$\begin{aligned} p=\frac{1-(1-q^{-m})^{q^n}-q^{n-m}(1-q^{-m})^{q^n-1}}{1-(1-q^{-m})^{q^n}}. \end{aligned}$$

To find an upper bound for the probability p, we find an upper bound for the numerator, and a lower bound for the denominator.

Claim 1

\(\binom{a}{i+1}q^{-(i+1)m}<\binom{a}{i}q^{-im}\) when \(a<q^m\).

Proof

Notice that \(\binom{a}{i+1}q^{-(i+1)m}=\frac{a!}{(i+1)!(a-i-1)!q^{(i+1)m}}\) has the same numerator as \(\binom{a}{i}q^{-im}=\frac{a!}{i!(a-i)!q^{im}}\), so we will prove the claim by showing the denominator of the left hand side is larger than the denominator of the right hand side.

Clearly \((i+1)!>i!\), and \(q^{(i+1)m}>q^{im}\) by a factor of \(q^m\). We see that \((a-i-1)!<(a-i)!\) by a factor of \(a-i\), but we know that \(a-i<a<q^m\). Thus we can conclude \((i+1)!(a-i-1)!q^{(i+1)m}>i!(a-i)!q^{im}\) and therefore \(\binom{a}{i+1}q^{-(i+1)m}<\binom{a}{i}q^{-im}\) when \(a<q^m\).    \(\square \)

Bounding the numerator: \(1-(1-q^{-m})^{q^n}-q^{n-m}(1-q^{-m})^{q^n-1}\).

Using binomial coefficients and the above claim, we see that:

$$\begin{aligned} (1-q^{-m})^{q^n}= 1-\binom{q^n}{1}q^{-m}+\binom{q^n}{2}q^{-2m}-\cdots \ge 1-q^nq^{-m}. \end{aligned}$$

Thus \(1-(1-q^{-m})^{q^n}\le 1-(1-q^{n-m})\).

By the same argument, we are given:

$$\begin{aligned} (1-q^{-m})^{q^n-1}= 1-\binom{q^n-1}{1}q^{-m}+\binom{q^n-1}{2}q^{-2m}-\cdots \ge 1-(q^n-1)q^{-m}. \end{aligned}$$

Therefore, \(-q^{n-m}(1-q^{-m})^{q^n-1}\le -q^{n-m}(1-(q^n-1)q^{-m})\). Thus the numerator is bounded above by \(1-(1-q^{n-m})-q^{n-m}(1-(q^n-1)q^{-m})\).

Bounding the denominator: \(1-(1-q^{-m})^{q^n}\).

Similar to our argument for bounding the numerator, we use binomial coefficients and Claim 1 to find:

$$\begin{aligned} (1-q^{-m})^{q^n}= 1-\binom{q^n}{1}q^{-m}+\binom{q^n}{2}q^{-2m}-\cdots \le 1-\binom{q^n}{1}q^{-m}+\binom{q^n}{2}q^{-2m}. \end{aligned}$$

Hence the denominator is bounded below by \(1-\big (1-q^{n-m}+\frac{q^n(q^n-1)}{2}q^{-2m}\big )\).

Finding a bound for the probability, p

$$\begin{aligned} p&=\frac{1-(1-q^{-m})^{q^n}-q^{n-m}(1-q^{-m})^{q^n-1}}{1-(1-q^{-m})^{q^n}} \\&\le \frac{1-(1-q^{n-m})-q^{n-m}(1-(q^n-1)q^{-m})}{1-\big (1-q^{n-m}+\frac{q^n(q^n-1)}{2}q^{-2m}\big )}\\&=\frac{1-1+q^{n-m}-q^{n-m}+q^{n-m}(q^n-1)q^{-m}}{1-1+q^{n-m}-\frac{q^n(q^n-1)}{2}q^{-2m}}=\frac{q^{n-m}(q^n-1)q^{-m}}{q^{n-m}-\frac{q^n(q^n-1)}{2}q^{-2m}}\\&=\frac{q^{n-m}(q^n-1)q^{-m}}{q^{n-m}\big (1-q^{-(n-m)}\frac{q^n(q^n-1)}{2}q^{-2m}\big )}\\&=\frac{q^{n-m}-q^{-m}}{1-\frac{q^{n-m}-q^{-m}}{2}} \end{aligned}$$

When \(q=2\), empirical evidence shows we can approximate this by \(2^{n-m-1}\). The data to support this claim are shown in Table 1.

Table 1. Probability of decryption failure for specific parameters of EFLASH.
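The exact expression for p, the upper bound and the empirical approximation of Sect. 4.3, evaluated in code as an added example (not from the paper). Two routes are given because the obvious one fails at realistic sizes: for m near 100, \(1-q^{-m}\) rounds to 1.0 in double precision and the denominator \(1-(1-q^{-m})^{q^n}\) evaluates to zero. A rational version handles tiny parameters exactly, and a `log1p`/`expm1` version handles real ones; the two agree where both run. All parameter sets used below are constructed for the example, not the paper's.

```python
import math
from fractions import Fraction

def failure_probability_exact(q, n, m):
    """p = Pr(|A∩B| >= 2 | |A∩B| >= 1) of Sect. 4.3 in exact rational arithmetic; feasible only
    while q^n is small, because (1 - q^-m)^(q^n) is expanded exactly."""
    big_n, eps = q ** n, Fraction(1, q ** m)   # |A| = q^n, Pr(P̂(x) ∈ B) = q^-m
    a = (1 - eps) ** big_n                      # Pr(no element of A falls in B)
    b = (1 - eps) ** (big_n - 1)
    return (1 - a - big_n * eps * b) / (1 - a)  # q^{n-m} is written as q^n * q^-m

def failure_probability(q, n, m):
    """The same p in floating point. For realistic m, 1 - q^-m rounds to 1.0, so the powers are
    taken through log1p/expm1, which preserve the small quantities the formula subtracts."""
    big_n, eps = q ** n, float(q) ** -m
    log_one_minus_eps = math.log1p(-eps)                  # log(1 - q^-m) without cancellation
    one_minus_a = -math.expm1(big_n * log_one_minus_eps)  # 1 - (1 - q^-m)^(q^n)
    b = math.exp((big_n - 1) * log_one_minus_eps)         # (1 - q^-m)^(q^n - 1)
    return (one_minus_a - big_n * eps * b) / one_minus_a

def failure_bound(q, n, m):
    """Upper bound on p derived in Sect. 4.3: (q^{n-m} - q^{-m}) / (1 - (q^{n-m} - q^{-m})/2)."""
    t = float(q) ** (n - m) - float(q) ** -m
    return t / (1 - t / 2)

def heuristic_estimate(n, m):
    """The approximation 2^{n-m-1} that Sect. 4.3 reports empirically for q = 2."""
    return 2.0 ** (n - m - 1)

if __name__ == "__main__":
    for n, m in ((8, 12), (80, 100), (80, 96)):   # constructed parameter sets
        print(n, m, failure_probability(2, n, m), failure_bound(2, n, m), heuristic_estimate(n, m))
```

For the constructed set q = 2, n = 80, m = 100 the floating point route returns p within \(10^{-5}\) of \(2^{n-m-1}\), matching the approximation the section reports, and about half the bound, whose leading term is \(q^{n-m}\) rather than \(q^{n-m}/2\).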

5 Resistance to Known Attacks

The security analysis of EFLASH is quite related to that of PFLASH because of the similar algebraic structure. There are three attack methods that must be considered. Since the scheme requires more equations than variables to ensure a low probability of decryption failure, we require a careful analysis of the direct algebraic attack to ensure that the degree of regularity of the scheme is not too low. Second, in light of the attack on HFE- schemes, see [25], we require a MinRank analysis. Finally, given the history of the lineage of the \(C^*\) family, we require an analysis of symmetric differential methods.

5.1 Algebraic Attack

The first relevant attack for EFLASH is the direct algebraic attack. Algebraically, EFLASH is a high degree projected HFE- scheme, in the sense that EFLASH has a low Q-rank like HFE. Applying a projection to the input variables cannot increase the Q-rank, so we analyze the Q-rank of the central map composed with the minus modifier.

The key observation is that, unlike the case of HFE in which removing one equation in general increases the Q-rank by one, since the quadratic form associated with the central map is so sparse, the removal of one equation in general increases the rank by two. To see this, note that the coefficients of the quadratic form associated with HFE are restricted to a square submatrix whose size is typically the Q-rank of the map. A codimension one projection allows these coefficients to bleed into another row and column, which increases the size of the square by one. In contrast, the size of the smallest square containing the nonzero values in the quadratic form of the EFLASH central map is usually much larger than the Q-rank of EFLASH; in fact, the codimension one projection can produce two elements in original rows and columns, see Fig. 1.

Fig. 1. The shape of the matrices representing the central maps of HFE- and \(C^{*-}\). The darkly shaded regions represent nonzero values of the central map without the minus modifier, the lightly shaded regions represent new nonzero values introduced by the removal of one equation. Unshaded areas have coefficients of zero. (Figure not reproduced.)

Thus, the central map of EFLASH has Q-rank \(2+2a\). By the formula provided in [23], we compute an upper bound on the degree of regularity,

$$\begin{aligned} d_{reg}\le (q-1)(a+1)+2. \end{aligned}$$
(1)

When q is small this bound is known to be fairly tight. The complexity of the algebraic attack on EFLASH is therefore estimated to be \(\mathcal {O}\left( \binom{n+d_{reg}}{d_{reg}}^\omega \right) \), where \(2\le \omega \le 3\) is the linear algebra constant.

We conducted experiments on some small scale instances of EFLASH to study the behavior of the degree of regularity for values of n and \(m=d-a\) of a similar ratio to a full sized scheme with a low decryption failure rate. The results are shown in Table 2.

Table 2. The degree of regularity of small scale EFLASH parameters in comparison to that of random systems of the same size.

The data show that the degree of regularity grows with the size of the system when a is fixed. Up to the largest instances our computing resources allowed, each sufficiently large system exhibited a degree of regularity at most one less than that of a random system. We do not have a solid theoretical argument for why the degree of regularity should be bounded in this way; however, for the sizes of schemes necessary to achieve security, the upper bound provided by (1) is already strictly less than the degree of regularity of random systems of the same size.

5.2 MinRank Attack

We can denote the calculations used to find our public equations P as matrix multiplications. Let \(\mathbf {F^{*i}}\) be the matrix representation of the \(i^{th}\) Frobenius power of the central map f. Then the matrix \(\mathbf {F^{*0}}\) represents our central map f, and is the \(d\times d\) matrix with 1’s in the \((0,\theta )\) and \((\theta , 0)\) coordinates and zeros elsewhere. Matrices \(\mathbf {S}\) and \(\mathbf {T}\) are \(d\times d\) affine maps. We can also consider \(\pi \) as a linear embedding from \((\mathbb {F}_{q})^{n}\) to \((\mathbb {F}_{q})^{d}\), and \(\tau \) as a linear projection from \((\mathbb {F}_{q})^{d}\) to \((\mathbb {F}_{q})^{m}\). Let \(\sigma \) be a primitive element of the extension, so that \(\{1,\sigma ,\sigma ^2,\ldots ,\sigma ^{d-1}\}\) is a basis of \(\mathbb {K}\) over \(\mathbb {F}_{q}\). Then the mappings \(\phi \) and \(\phi ^{-1}\) can be represented as multiplication by \(M_{d}\) and \(M_{d}^{-1}\), respectively, where

$$\begin{aligned} M_{d}=\left( \begin{array}{cccc} 1 & 1 & \cdots & 1\\ \sigma & \sigma ^{q} & \cdots & \sigma ^{q^{d-1}}\\ \vdots & \vdots & \ddots & \vdots \\ \sigma ^{d-1} & \sigma ^{(d-1)q} & \cdots & \sigma ^{(d-1)q^{d-1}} \end{array}\right) \end{aligned}$$

We can express the actions of \(\tau \) by the following \(d\times d\) matrix,

$$\begin{aligned} \tau ^*=\left[ \begin{array}{cc} I_{m} & 0_{m\times a}\\ 0_{a\times m} & 0_{a\times a} \end{array}\right] . \end{aligned}$$

Notice that \(\tau ^*:(\mathbb {F}_q)^d\rightarrow (\mathbb {F}_q)^d\). We will call \(P^*:=\tau ^*\circ T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi \). P and \(P^*\) are comprised of the same m public equations, but \(P^*\) has \(a\) rows of zeros appended to it.

Consider \(R=\phi \circ \tau ^*\circ T\circ \phi ^{-1}\). Then \(R:\mathbb {F}_{q^{d}}\rightarrow \mathbb {F}_{q^{d}}\) is \(\mathbb {F}_q\)-linear. If we let \(\widetilde{\tau }(x)=\prod _{r\in \ker (R)}(x-r)\), then we know by Proposition 2 in [18] that there exists a nonsingular linear map \(\widetilde{R}\) from \(\mathbb {F}_{q^d}\) to \(\mathbb {F}_{q^d}\) such that \(Rx=\widetilde{R}\widetilde{\tau }x\). Let \(\widetilde{T}=\phi ^{-1}\circ \widetilde{R}\circ \widetilde{\tau }\circ \phi \). This brings us to the following claim.

Claim 2

\(P^*(x)= \tau ^*\circ T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi x=\widetilde{T}\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi x\)

Proof

$$\begin{aligned} \widetilde{T} \circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi&=\phi ^{-1}\circ \widetilde{R}\circ \widetilde{\tau }\circ \phi \circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi \\&=\phi ^{-1}\circ \widetilde{R}\circ \widetilde{\tau }\circ f\circ \phi \circ S\circ \pi \quad \qquad \qquad \qquad \,(*)\\&=\phi ^{-1}\circ R\circ f\circ \phi \circ S\circ \pi \\&=\phi ^{-1}\circ \phi \circ \tau ^*\circ T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi \\&=\tau ^*\circ T\circ \phi ^{-1}\circ f\circ \phi \circ S\circ \pi \\&= P^* \end{aligned}$$

   \(\square \)

Now, let us reconsider \((*)\). We know that our public key is equivalent to \((*)\), so we see that

$$\begin{aligned} P^*&=\phi ^{-1}\circ \widetilde{R}\circ \widetilde{\tau }\circ f\circ \phi \circ S\circ \pi \\&=\phi ^{-1}\circ \widetilde{R}\circ \phi \circ \phi ^{-1}\circ \widetilde{\tau }\circ f\circ \phi \circ S\circ \pi \\&=\widehat{T}\circ \phi ^{-1}\circ \hat{f}\circ \phi \circ S\circ \pi \end{aligned}$$

where \(\hat{f}\) is our new central map and \(\hat{f}=\widetilde{\tau }\circ f\) and \(\widehat{T}=\phi ^{-1}\circ \widetilde{R}\circ \phi \). We now consider \(\mathbf {\widehat{F}^{*i}}\) to be the \(i^{th}\) Frobenius power of the new central map \(\hat{f}=\widetilde{\tau }\circ f\). If we denote \(h=\phi ^{-1}\circ \hat{f}\circ \phi \), then we can find symmetric \(d\times d\) matrices \(\mathbf {H}_1, \ldots , \mathbf {H_{d}}\) over \(\mathbb {F}_{q}\) such that \(h_i=\overline{x}\mathbf {H_i}\overline{x}^{\top }\). As shown in [17] we see,

$$\begin{aligned} (\mathbf {H_1},\ldots ,\mathbf {H_{d}})=(\mathbf {M_{d}\widehat{F}^{*0}M_{d}^{\top }},\ldots , \mathbf {M_{d}\widehat{F}^{*(d-1)}M_{d}^{\top }})\mathbf {M_{d}^{-1}}. \end{aligned}$$
(2)

If we denote the public key by \(P=(g_1, g_2, \ldots , g_{m})^{\top }\), then we can consider the symmetric matrices \((\mathbf {G_1}, \mathbf {G_2}, \ldots , \mathbf {G_{m}})\) that correspond to the public polynomials, such that \(g_i=\overline{x}\mathbf {G_i}\overline{x}^{\top }\). By the analysis in [17] we find,

$$\begin{aligned} (\mathbf {G_1},\ldots ,\mathbf {G_{m}})=(\mathbf {\pi SM_{d}\widetilde{F}^{*0}M_{d}^{\top }S^{\top }\pi ^{\top }},\ldots , \mathbf {\pi S M_{d}\widetilde{F}^{*(d-1)}M_{d}^{\top }S^{\top }\pi ^{\top }})\mathbf {M_{d}^{-1}\widetilde{T}} \end{aligned}$$
(3)

When we consider our original central map, we saw that \(\mathbf {F^{*0}}\) has rank 2. Looking at our new central map \(\hat{f}\), we see that \(\widetilde{\tau }\) increases the rank. If we insist that \(\theta \) is between \(a+1\) and \(d-a-1\), then \(\mathbf {\widehat{F}}^{*0}\) has rank \(2(a+1)\), as discussed in Sect. 5.1.

Notice that the embedding \(\pi :(\mathbb {F}_{q})^{n}\rightarrow (\mathbb {F}_{q})^{d}\) and the affine map S will not increase the rank of the right-hand side of (3), so they do not affect our MinRank attack. Applying \(\widehat{T}\) normally does increase the rank, but it does not increase the min-Q-rank because it only produces new linear combinations of these matrices.

Using these facts and the analysis from [17] we find that we are solving the MinRank problem:

$$\begin{aligned} \text {rank}\Big (\sum _{i=1}^{m}\lambda _i\mathbf {G_i}\Big )\le 2(a+1) \end{aligned}$$

By the analysis in [26] and [27], the complexity of solving MinRank with the given parameters is \(\mathcal {O}\Big (\binom{m+d_{reg}}{d_{reg}}^{\omega }\Big )\), where \(d_{reg}\) is the degree of regularity of the minors system and \(\omega \) is the linear algebra constant. Treating EFLASH as a special case of HFE-, we may derive the degree of regularity of the minors system from [25, Conjecture 2] by using the Q-rank in place of the sum of the logarithm of the degree bound and the number of equations removed. Then we may estimate that the degree of regularity of the minors system is \(d_{reg}=2a+3\).

5.3 Discrete Differential Attack

In [12], it is shown that almost all parameters of PFLASH are secure against differential adversaries. The proof relies on the fact that the corank of the projection is relatively small. Since EFLASH uses a corank \(d-n\) projection, the security proof does not apply and so we must use other arguments.

By an argument symmetric to that in [25], we can express \(\pi \) under the appropriate basis as a polynomial in \(\mathbb {K}\) of degree \(q^{d-n}\). Thus, the central quadratic form can be considered a quadratic form in the \(d-n+1\) “variables” \(\pi (x)^{q^i}\), for \(0\le i\le d-n\). In characteristic two, there are at least as many linearly independent quadratic monomials as in GF(2); thus, there are at least \(\binom{d-n+1}{2}\) linearly independent quadratic monomials in \(\pi (x)^{q^i}\), for \(0\le i\le d-n\), over \(\mathbb {K}\).

We expect that the locus of stabilizing pairs of matrices is zero-dimensional over \(\mathbb {K}\), though it is necessarily positive-dimensional over \(\mathbb {F}_q\), since scalar multiples induce symmetry for any map. We performed experiments and found that the solution space was zero-dimensional over \(\mathbb {K}\) in all cases. We conclude that the space of linear maps inducing symmetry on EFLASH is too small to be exploited as in the attack on SFLASH of [21].

6 Parameter Selection

In choosing parameters for EFLASH, we need to consider security against the direct algebraic attack, the MinRank attack, and fault attacks exploiting decryption failure. We address the constraints each of these attacks places on parameters, as well as efficiency concerns.

The complexity of both the direct attack and the MinRank attack is directly related to the Q-rank of the public key. In the case of very small fields, such as GF(2), the degree of regularity is only slightly larger than the Q-rank, \(2a+2\); thus, several equations must be removed to achieve security. Over GF(2), each increment of a doubles decryption time while making the direct attack approximately n times harder and the MinRank attack approximately 2m times harder.

To address decryption failures, we note that the probability estimate of Sect. 4 is approximately \(q^{n-m}\). We set a reasonable bound \(2^{-B}\) on the probability of decryption failure and may set \(m=n+\frac{B}{\lg q}\) to achieve this bound.
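The two parameter constraints above, the decryption-failure bound \(m=n+B/\lg q\) and the MinRank cost estimate \(\binom{m+d_{reg}}{d_{reg}}^{\omega }\) with \(d_{reg}=2a+3\) from Sect. 5.2, combined into a small parameter-check script. This is an added example, not code from the paper or its Magma implementation; the exponent \(\omega \) is left unspecified on the page, so the value 2.8 below is an assumption, and the sample parameters are constructed rather than taken from Table 3.

```python
from math import comb, log2, ceil

# Linear-algebra exponent omega: ASSUMED value, the page does not fix it.
OMEGA = 2.8


def q_rank(a: int) -> int:
    """Q-rank of the EFLASH public key after tau~ is applied: 2(a+1)."""
    return 2 * (a + 1)


def minors_degree_of_regularity(a: int) -> int:
    """Estimated degree of regularity of the minors system, d_reg = 2a + 3."""
    return 2 * a + 3


def minrank_binomial(m: int, a: int) -> int:
    """The binomial coefficient C(m + d_reg, d_reg) whose omega-th power bounds MinRank."""
    d_reg = minors_degree_of_regularity(a)
    return comb(m + d_reg, d_reg)


def minrank_log2_cost(m: int, a: int, omega: float = OMEGA) -> float:
    """log2 of O(C(m + d_reg, d_reg)^omega)."""
    return omega * log2(minrank_binomial(m, a))


def equations_for_failure_bound(q: int, n: int, B: int) -> int:
    """Smallest m with q^(n-m) <= 2^-B, i.e. m = n + B/lg(q) rounded up."""
    return n + ceil(B / log2(q))


def decryption_failure_log2(q: int, n: int, m: int) -> float:
    """log2 of the Sect. 4 failure-probability estimate q^(n-m)."""
    return (n - m) * log2(q)


def check_parameters(q: int, n: int, a: int, B: int, target_bits: int) -> dict:
    """Derive m from (q, n, B) and report whether the MinRank estimate meets the target."""
    m = equations_for_failure_bound(q, n, B)
    cost = minrank_log2_cost(m, a)
    return {
        "m": m,
        "q_rank": q_rank(a),
        "d_reg": minors_degree_of_regularity(a),
        "minrank_log2": cost,
        "failure_log2": decryption_failure_log2(q, n, m),
        "minrank_ok": cost >= target_bits,
    }
```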

For larger q, the MinRank attack seems to be the most concerning. For efficiency reasons, it is impractical to have a large a; therefore, an instance with large q is vulnerable to MinRank. For this reason, we recommend the choice \(q=2\) with a and n sufficiently large to resist the algebraic attack. Our specific parameter selections for classical security levels are summarized in Table 3. It is important to note that our implementation is a proof of concept and not at all optimized. It is a Magma implementation, and we use only one core.

Table 3. Parameters and unoptimized performance of EFLASH(q, n, d, a) at the 80-bit and 128-bit classical security levels.

In principle, Grover search should affect the security of these schemes, but at this time we are not aware of a result that indicates a Grover search would be feasible for such large parameters. It is possible that Grover search could halve the dimension of the preimage search space. Thus, we may have to roughly double the size of the plaintext. To protect against the possible threat of Grover search we consider the parameter selections shown in Table 4.

On the other hand, we may consider the possibility of the cryptosystem being implemented on a quantum device so that the search step in decryption may be Groverized. Therefore Grover’s algorithm may, in fact, improve efficiency.

Table 4. Parameters and unoptimized performance of EFLASH(q, n, d, a) at the 80-bit and 128-bit quantum security levels.

7 Conclusion

In this paper we propose a new multivariate encryption scheme, EFLASH, derived from the lineage of PFLASH. One can view EFLASH as a parameterized projected \(C^{*-}\) scheme, where the projection \(\pi \) may be viewed as an embedding that maps from a smaller field to a much larger field. Thus, EFLASH follows the recent trend of achieving encryption with injective expansion maps. A possible direction to improve this result is to handle decryption failures in a more clever way. It may be possible to handle decryption failures in a generic way, as in [28]. It may also be interesting to consider reaction attacks against the scheme. Our implementation is a proof of concept and is not optimized. One possible optimization is to drop the constant-time property, which should halve the decryption time.

EFLASH inherits some of the solid security justification from its digital signature forebear, PFLASH, though some of the security arguments are weakened by the massive cokernel of the projection. Still, the analysis of the security of EFLASH against each of the primary modes of attack on big field schemes is straightforward and encouraging. In this sense, it makes sense to consider the scheme as a sort of “standard candle” for the advancement of big field multivariate cryptanalysis. If EFLASH is to be broken, it seems that a new technique will need to be discovered.