Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem [chapter]

Jean-Charles Faugère, Pierre-Jean Spaenlehauer
2010 Lecture Notes in Computer Science  
In this paper, we fully break the Algebraic Surface Cryptosystem (ASC for short) proposed at PKC'2009 [3]. This system is based on an unusual problem in multivariate cryptography: the Section Finding Problem. Given an algebraic surface X(x, y, t) ∈ F_p[x, y, t] such that deg_xy X(x, y, t) = w, the question is to find a pair of polynomials of degree d, ux(t) and uy(t), such that X(ux(t), uy(t), t) = 0. In ASC, the public key is the surface, and the secret key is the section. This asymmetric encryption scheme enjoys reasonable key sizes: for the recommended parameters, the size of the secret key is only 102 bits and the size of the public key is 500 bits. In this paper, we propose a message recovery attack whose complexity is quasi-linear in the size of the secret key. The main idea of this algebraic attack is to decompose ideals deduced from the ciphertext in order to avoid solving the Section Finding Problem. Experimental results show that we can break the cipher for the recommended parameters (security level 2^102) in 0.05 seconds. Furthermore, the attack still applies even when the secret key is very large (more than 10000 bits). The complexity of the attack is O(w^7 d log(p)), which is polynomial in all security parameters. In particular, it is quasi-linear in the size of the secret key, which is (2d + 2) log(p). This result is rather surprising, since the algebraic attack is often more efficient than the legal decryption algorithm.

be classified into three main categories: multivariate cryptography, code-based cryptography and lattice-based cryptography. In this context, Akiyama, Goto, and Miyake propose a new multivariate public-key algorithm at PKC'2009: the Algebraic Surface Cryptosystem (ASC for short) [3]. Interestingly, its security is based on a difficult problem which is not common: the Section Finding Problem (SFP). Given an algebraic surface defined by the polynomial X(x, y, t) ∈ F_p[x, y, t] (where F_p denotes the finite field of cardinality p), the question is to find two polynomials u

As stated in [3], this problem is computationally hard: the only algorithm known so far amounts to finding the roots of a huge multivariate polynomial system. Hence the idea of ASC is to use the surface as the public key and the knowledge of a section of this surface as the trapdoor. In comparison to HFE [15] or other multivariate systems, ASC has some interesting and unusual properties. In particular, the keys are unexpectedly short.
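To make the Section Finding Problem concrete, here is an added Python example; it is not code from the paper or from the ASC designers. It represents a surface X(x, y, t) over F_p as a dictionary of univariate coefficient polynomials c_ij(t), builds a surface that contains a chosen section (ux(t), uy(t)) by fixing the constant coefficient c_00(t) (the simplest construction that works, assumed here and not claimed to be the key generation of [3]), and verifies a candidate section by checking that X(ux(t), uy(t), t) vanishes identically. The parameters p, w, d and the coefficient degree degc in the demo are constructed toy values; secret_key_bits restates the (2d + 2) log(p) count from the abstract.

```python
import math
import random

# Univariate polynomials over F_p are lists of coefficients, index = power of t,
# kept trimmed so that len(a) - 1 is the degree and [] is the zero polynomial.

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def uadd(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])

def umul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % p
    return trim(out)

def upow(a, e, p):
    out = [1]
    for _ in range(e):
        out = umul(out, a, p)
    return out

def random_upoly(deg, p, rng):
    """Random polynomial of degree exactly deg (leading coefficient drawn from 1..p-1)."""
    return [rng.randrange(p) for _ in range(deg)] + [rng.randrange(1, p)]

# A surface X(x, y, t) = sum c_ij(t) x^i y^j is a dict {(i, j): c_ij} of univariate polys.

def deg_xy(X):
    """Total degree of X in x and y (the parameter w of the Section Finding Problem)."""
    return max(i + j for (i, j), c in X.items() if c)

def evaluate_section(X, ux, uy, p):
    """X(ux(t), uy(t), t) as a polynomial in t; it is [] exactly when (ux, uy) is a section."""
    acc = []
    for (i, j), c in X.items():
        term = umul(c, umul(upow(ux, i, p), upow(uy, j, p), p), p)
        acc = uadd(acc, term, p)
    return acc

def is_section(X, ux, uy, p):
    return evaluate_section(X, ux, uy, p) == []

def build_surface(ux, uy, w, degc, p, rng):
    """Assumed construction (not necessarily the key generation of [3]): draw random
    c_ij(t) for every monomial with 0 < i + j <= w, then set c_00(t) to the value that
    makes X(ux(t), uy(t), t) vanish, so the chosen section lies on the surface."""
    X = {}
    for i in range(w + 1):
        for j in range(w + 1 - i):
            if (i, j) != (0, 0):
                X[(i, j)] = random_upoly(degc, p, rng)
    X[(0, 0)] = [(-c) % p for c in evaluate_section(X, ux, uy, p)]
    return X

def secret_key_bits(d, p):
    """Size of the section, two degree-d polynomials over F_p: (2d + 2) log2(p) bits."""
    return (2 * d + 2) * math.log2(p)

def demo(p=7, w=2, d=3, degc=2, seed=1):
    """Constructed toy instance: a random section and a surface built around it."""
    rng = random.Random(seed)
    ux, uy = random_upoly(d, p, rng), random_upoly(d, p, rng)
    X = build_surface(ux, uy, w, degc, p, rng)
    return X, ux, uy

if __name__ == "__main__":
    p = 7
    X, ux, uy = demo(p=p)
    print("deg_xy X =", deg_xy(X), "| section verified:", is_section(X, ux, uy, p))
    print("secret key bits for d=50, p=2:", secret_key_bits(50, 2))
```

Verifying a section is a single polynomial evaluation, which is why the public key (one polynomial in three variables) and the secret key (2d + 2 coefficients) can be so short; finding a section from X alone is the hard direction, and the attack described in this paper sidesteps it by working on the ciphertext rather than on the surface.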
The security of multivariate systems is usually related to the difficulty of finding a zero of a system of low degree polynomials (often quadratic) in a huge number of variables. For instance, in the case of HFE, the size of the public key is precisely the size of the multivariate system: 265680 bits for a security of 2^80. In contrast with HFE, ASC enjoys a small public key of 500 bits for a security of 2^102. More generally, for a security level of 2^d, the size of the public key of HFE is O(d^3). In comparison, the public key of ASC is a single high degree polynomial in only three variables: its size is O(d) bits for a security of 2^d. Actually, the authors explain that the keys of ASC are among the shortest of known post-quantum cryptosystems. More precisely, let w denote the degree of the public surface X in x and y. For a security level of p^2d, the size of the secret key is 2d log(p) bits and the size of the public key is about wd log(p). The main observation is that the sizes of the keys are linear in d log(p), which is the logarithm of the security level. Although a completely different version of ASC [2] has been attacked by Ivanov and Voloch [11], by Uchiyama and Tokunaga [17] and by Iwami [12], the new version of ASC, presented at PKC'2009, is resistant to all known attacks. We would like to mention that the decryption algorithm raises some questions. Indeed, one step of this algorithm is to recover some factors of given degree D of a univariate polynomial. In order to find those factors, the designers propose to recombine the irreducible factors of the polynomial by solving a knapsack. However, this problem is known to be NP-hard [10]. Therefore, it is not clear whether the cryptosystem remains practical for high security parameters.

Main Results. In this paper, we describe a message recovery attack which can break ASC in polynomial time. One important step of the legal decryption algorithm is the factorization of a univariate polynomial.
The key idea of the algebraic attack is to perform this factorization step implicitly by decomposing ideals deduced from the ciphertext. Indeed, decomposition of ideals can be seen as a generalisation of the standard factorization of polynomials. Hence, this technique allows us to bypass the Section Finding Problem, which is hard.
doi:10.1007/978-3-642-13013-7_3