HFERP - A New Multivariate Encryption Scheme

Abstract

In 2016, Yasuda et al. presented a new multivariate encryption technique based on the Square and Rainbow primitives and utilizing the plus modifier that they called SRP. The scheme achieved a smaller blow-up factor between the plaintext space and ciphertext space than most recent multivariate encryption proposals, but proved to be too aggressive and was completely broken by Perlner et al. in 2017. The scheme suffered from the same MinRank weakness that has allowed effective attacks on several notable big field multivariate schemes: HFE, multi-HFE, HFE-, for example.

We propose a related new encryption scheme retaining the desirable traits of SRP and patching its weaknesses. We call the scheme HFERP because it utilizes a similar construction as SRP with an HFE primitive replacing the Square polynomial. The effect of this substitution is to increase the Q-rank of the pubic key to such a degree that the MinRank attack is impossible. HFERP still retains the relatively small blow-up factor between the plaintext space and ciphertext space, and is thus a candidate for secure multivariate encryption without an essential doubling in size between plaintext and ciphertext.

The rights of this work are transferred to the extent transferable according to title 17 \(\S \) 105 U.S.C.

A Toy Example

The purpose of the following toy example is to help the reader understand the process of generating a public key for an instance of HFERP as well as an example of encryption and decryption. The parameters used are by no means secure and are soley for instructional purposes.

Parameters of this toy example are as follows: \(q=7,~d=o=r=2,~s=1, \text {and}~ l=0\). Then, construct \(\mathbb {E}\) a degree 2 extension field over \(\mathbb {F}_7\). The chosen HFE core map is \(f=\xi ^{12}X^{14}+\xi ^{6}X^8+\xi ^{29}X^2\) where \(\xi \in \mathbb {E}\). Let \(\mathcal {T}\) and \(\mathcal {U}\) be the following affine maps:

$$\begin{aligned}\begin{gathered} \mathcal {T}=\left[ \begin{matrix} 2&{}1&{}2&{}4&{}5&{}0&{}3\\ 1&{}1&{}3&{}3&{}4&{}4&{}4\\ 4&{}2&{}1&{}3&{}1&{}0&{}6\\ 0&{}1&{}0&{}1&{}5&{}5&{}5&{}\\ 5&{}5&{}3&{}6&{}4&{}2&{}4\\ 2&{}5&{}1&{}6&{}5&{}6&{}0\\ 1&{}1&{}2&{}2&{}6&{}4&{}3\\ \end{matrix}\right] ,\mathcal {U}=\left[ \begin{matrix} 4&{}6&{}6&{}4\\ 3&{}2&{}0&{}2\\ 1&{}1&{}6&{}5\\ 3&{}6&{}6&{}6\\ \end{matrix}\right] \end{gathered}\end{aligned}$$

With the parameters described above, \(\mathcal {F}\) can be represented as the following matrices over \(\mathbb {F}_7\)

$$\begin{aligned}\begin{gathered} F_1=\left[ \begin{matrix} 0&{}1&{}0&{}0\\ 4&{}0&{}0&{}0\\ 0&{}0&{}0&{}0\\ 0&{}0&{}0&{}0\\ \end{matrix}\right] ,F_2=\left[ \begin{matrix} 0&{}3&{}0&{}0\\ 1&{}6&{}0&{}0\\ 0&{}0&{}0&{}0\\ 0&{}0&{}0&{}0\\ \end{matrix}\right] ,F_3=\left[ \begin{matrix} 3&{}1&{}6&{}1\\ 3&{}1&{}4&{}5\\ 3&{}4&{}0&{}0\\ 3&{}2&{}0&{}0\\ \end{matrix}\right] ,\\ F_4=\left[ \begin{matrix} 5&{}1&{}0&{}3\\ 0&{}5&{}0&{}3\\ 0&{}4&{}0&{}0\\ 6&{}1&{}0&{}0\\ \end{matrix}\right] ,F_5=\left[ \begin{matrix} 6&{}0&{}3&{}4\\ 6&{}2&{}4&{}2\\ 6&{}3&{}0&{}0\\ 0&{}3&{}0&{}0\\ \end{matrix}\right] ,F_6=\left[ \begin{matrix} 4&{}4&{}1&{}1\\ 3&{}0&{}0&{}3\\ 3&{}6&{}0&{}0\\ 1&{}2&{}0&{}0\\ \end{matrix}\right] ,F_7=\left[ \begin{matrix} 6&{}3&{}2&{}3\\ 4&{}4&{}0&{}6\\ 2&{}3&{}1&{}3\\ 6&{}4&{}0&{}6\\ \end{matrix}\right] \end{gathered}\end{aligned}$$

\(P_1\) and \(P_2\) represent the HFE component, \(P_3 \rightarrow P_6\) represent the rainbow component, and \(P_7\) represents the plus component. With the public key generated by \(\mathcal {P}=\mathcal {T}\circ \mathcal {F}\circ \mathcal {U}\), its matrix form over \(\mathbb {F}_7\) is:

$$\begin{aligned}\begin{gathered} P_1=\left[ \begin{matrix} 1&{}1&{}2&{}5\\ 1&{}2&{}3&{}2\\ 3&{}2&{}4&{}4\\ 3&{}3&{}0&{}3\\ \end{matrix}\right] ,P_2=\left[ \begin{matrix} 0&{}2&{}0&{}6\\ 4&{}5&{}2&{}0\\ 6&{}3&{}3&{}4\\ 3&{}1&{}2&{}2\\ \end{matrix}\right] ,P_3=\left[ \begin{matrix} 2&{}3&{}1&{}4\\ 4&{}5&{}4&{}5\\ 3&{}5&{}5&{}1\\ 5&{}1&{}0&{}6\\ \end{matrix}\right] ,\\ P_4=\left[ \begin{matrix} 0&{}6&{}0&{}2\\ 1&{}3&{}0&{}2\\ 5&{}1&{}5&{}1\\ 5&{}3&{}0&{}5\\ \end{matrix}\right] ,P_5=\left[ \begin{matrix} 4&{}3&{}2&{}3\\ 6&{}5&{}2&{}4\\ 4&{}3&{}1&{}5\\ 5&{}2&{}4&{}5\\ \end{matrix}\right] ,P_6=\left[ \begin{matrix} 1&{}4&{}2&{}2\\ 3&{}3&{}6&{}2\\ 5&{}4&{}0&{}0\\ 3&{}5&{}5&{}4\\ \end{matrix}\right] ,P_7=\left[ \begin{matrix} 1&{}3&{}6&{}0\\ 0&{}3&{}4&{}0\\ 1&{}2&{}4&{}2\\ 2&{}1&{}6&{}4\\ \end{matrix}\right] \end{gathered}\end{aligned}$$

Given the following plaintext, (2, 6, 1, 5), the resulting ciphertext is (0, 0, 1, 3, 0, 4, 0).

Decryption: Given a ciphertext (0, 0, 1, 3, 0, 4, 0), the following process is how you would obtain its corresponding plaintext.

Part of the secret key:

$$\begin{aligned}\begin{gathered} \mathcal {T}^{-1}=\left[ \begin{matrix} 1&{}6&{}4&{}2&{}2&{}2&{}5\\ 5&{}4&{}4&{}6&{}0&{}5&{}2\\ 5&{}3&{}5&{}2&{}3&{}2&{}4\\ 5&{}6&{}5&{}5&{}2&{}1&{}1\\ 2&{}5&{}4&{}2&{}1&{}5&{}2\\ 2&{}5&{}6&{}6&{}3&{}5&{}5\\ 1&{}2&{}5&{}4&{}4&{}0&{}5\\ \end{matrix}\right] ,\mathcal {U}^{-1}=\left[ \begin{matrix} 4&{}5&{}2&{}1\\ 3&{}1&{}3&{}1\\ 4&{}1&{}2&{}0\\ 5&{}6&{}1&{}1\\ \end{matrix}\right] \end{gathered}\end{aligned}$$

Feed the ciphertext through \(\mathcal {T}^{-1}\) to get

$$\begin{aligned} (0,6,2,6,0,4,6) \end{aligned}$$

(7)

The first \(d=2\) elements are the corresponding HFE outputs. Take these elements and adjust the HFE core map as follows:

$$ f:=f-0\xi ^{1-1}-6\xi ^{2-1}=\xi ^{12}X^{14}+\xi ^{6}X^8+\xi ^{29}X^2+\xi $$

Perform the Berlekamp algorithm to find the preimage of f. In doing so in this toy example, you get (0, 6). Next, construct the vector:

$$ \overline{u}=\left[ 0,6,u_1,u_2 \right] . $$

Construct equations of the form \(\overline{u}F_1\overline{u}^\top = x_i\) where \(x_i\) refers to the \(i^{th}\) element of (7), for \(i \in \{3,4,5,6\}\). This will result with the following equations:

$$ \left[ \begin{matrix} 6u_1+1\\ 3u_1+3u_2+5\\ 2u_2+2\\ u_1+2u_2\\ \end{matrix}\right] = \left[ \begin{matrix} 2\\ 6\\ 0\\ 4\\ \end{matrix}\right] $$

Solving this system of equations gives us \(u_1=6\) and \(u_2=6\). Thus,

$$ \overline{u}=\left[ 0,6,6,6 \right] . $$

Finally, feed this through \(\mathcal {U}^{-1}\) to get the plaintext, \(\left[ 2,6,1,5 \right] \).