Hello everyone, my name is Ward Beullens and I'll be talking about the improved cryptanalysis of oil and vinegar and Rainbow. So I'll start by explaining what oil and vinegar and Rainbow are. They are multivariate signature algorithms. Oil and vinegar was invented in 1997 by Patarin, and then in the following years there was some cryptanalysis, but after a couple of years the ideas dried up and there have not really been any improvements since then. Oil and vinegar has quite good signature sizes, for example you could have 90-byte signatures at NIST security level one, but the public keys are large, for example 240 kilobytes. Then there was a new signature scheme invented in 2005 by Ding and Schmidt, and this is based on the oil and vinegar scheme, in the sense that it's basically multiple layers of oil and vinegar combined. This makes the scheme a little bit more complicated, so there has been more cryptanalysis. Now Rainbow is one of the finalists in the NIST standardization competition, and it's a little bit more efficient than oil and vinegar: for example you could have 70-byte signatures instead of 90 bytes, and also the public keys are a little bit smaller, but still quite big. So in this talk I'll first tell you how oil and vinegar and Rainbow work, and then I'll tell you about new improved key recovery attacks on these signature schemes.
Okay, so I said oil and vinegar and Rainbow are multivariate signature schemes, and this means that they're based on a multivariate quadratic map. A multivariate quadratic map is just a sequence of homogeneous quadratic polynomials in a number of variables, so this gives you a map from F_q^n to F_q^m. We use these maps because we believe they are one-way, because this problem, which we call the MQ problem, is believed to be hard. It says that if I give you a multivariate quadratic map P and a target t in the output space F_q^m, then finding a preimage s such that P(s) is equal to t is a hard problem. We know that this problem is NP-hard, and we also think that it's exponentially hard even on average, and also for quantum computers, so it's a good problem to base post-quantum cryptography on. Our signature schemes are based on trapdoor multivariate maps. This means that P looks random, so if you don't know any better then computing preimages is hard, because we believe the MQ problem is hard for random polynomial maps; but actually there is some secret information, and if you know the secret information then computing preimages is actually easy. Once you have such trapdoor functions, you can build signature schemes with the full domain hash approach; this is also what RSA signatures use. So here the public key is just a description of your trapdoor function P, the secret key is your trapdoor information, and then to create a signature for a message m you first hash the message into your output space and then you produce a preimage for this hash, so your signature will just be an input s such that P(s) is equal to the hash of your message.

Okay, so to understand oil and vinegar and Rainbow you just need to understand how these trapdoors work, but before I explain that I have to introduce some notation. We say that if P is a multivariate quadratic map then its polar form is this function P' of two variables, and it's just defined as P(x + y) minus P(x) minus P(y) plus P(0). But here P is homogeneous, so you can forget about P(0), and it's easy to see that P'(x, y) is symmetric and bilinear, so this is going to be useful.

Now we can explain how the oil and vinegar trapdoor works. The trapdoor structure is actually very simple: it's just a linear subspace O of your input space of dimension m, where m is the dimension of the output space, such that your map P vanishes on this space. This means that for every vector o in the space, P(o) is equal to 0. And if you know such a space then it turns out that it's easy to compute preimages. How do you do that? Well, the first step is to just pick a random input v; this is called the vinegar vector. Then you solve for a vector o in your oil space such that P(v + o) is equal to your target, and this is easy because if you use our definition of the polar form you can rewrite P(v + o) as just P(v) plus P(o) plus the polar form of v and o. But as you know, P(o) is 0, because P vanishes on the space O, so what's left is just P(v), which is some fixed value because we chose a fixed value for v, and then something that's linear in o. So actually solving this for o is just a system of m linear equations in m variables, so you can just find a solution with Gaussian elimination. If it turns out that this system does not have any solutions, which is unlikely but happens with probability roughly 1 over q, then you can just pick a different vinegar vector and try again. So you just do this until you find a solution, and then once you have a solution you just output v + o.

Okay, so that's how the oil and vinegar trapdoor works. It's very simple, you can explain it on one slide, and if you turn it into a signature scheme then you can prove that the signature scheme is secure based on two assumptions. The first assumption is this MQ problem that I mentioned before, and this seems like a very plausible assumption. The second assumption is that if you generate your function P so that it vanishes on some random space O, then what you get is indistinguishable from a uniformly random map P. This is an assumption that has been analyzed since the invention of the oil and vinegar scheme, but yeah, it's of course much more ad hoc than our first assumption, and it's this assumption that we're going to try to attack in this work.

But before we try to break this assumption, I'm first going to explain how the Rainbow trapdoor works. With Rainbow the trapdoor structure is a little bit more complicated: instead of just one space O you now have a chain of subspaces from O_1 up to O_k, where k is some integer, and there's also a chain of subspaces of the output space. Then our trapdoor function P is chosen in such a way that it maps O_1 into W_1, O_2 into W_2, and so on. This property is just a generalization of the oil and vinegar trapdoor, because if you put k equal to 1 then there's just one O, and P sends O into W_1, but W_1 is just the trivial space with only the zero vector, so this is exactly the scenario that we were in with UOV: just one space, and P vanishes on that space. But actually there's an additional property that we want, and it has to do with this polar form P' that we defined earlier. We want that for any vector x, if you plug in this x then P' gives a map from O_2 into W_1, from O_3 into W_2, and so on, so O_i gets sent into W_{i-1}. This is an additional property that we need in order to make the trapdoor work. It turns out that if you know this trapdoor structure then you can efficiently find preimages for your map P, and I'm just going to explain how to do that in the case that k equals 2, because this is simpler but also because this is what the parameters for the NIST submission use. So in the case k equals 2 you just have two O spaces, O_1 and O_2, and there's one W space.
We know that our map P sends O_1 into W, P vanishes on O_2, and for every vector x we know that this differential maps O_2 into W. If you know all these things then it's easy to find a preimage. How do you do this? Well, as in the UOV case, again you start by just picking a random v, and then we're going to solve for a vector in O_1, but this time we're not going to try to get a solution immediately; we're just going to find a solution that is correct up to a vector in this space W. Again, using this differential, this comes down to solving a system of linear equations. Then once you have this solution v + o_1 that is correct up to W, we're going to solve for a vector o_2 in the space O_2 that gives an exact solution. Again we can just write this out: you get P(v + o_1) minus t, which is fixed, and this is something in W because that's what we guaranteed in the first step; then we have this P(o_2), which vanishes because P vanishes on O_2; and then we have this linear thing. So again this is just a linear equation in W, and we have as many degrees of freedom as the dimension of W, because the dimension of O_2 is the same as the dimension of W, so with large probability this will have a solution and you can just find it with Gaussian elimination. So this is Rainbow with two layers, and there are two steps; of course if you had a longer chain then you need more steps to find a solution.

Okay, so at this point I've explained how oil and vinegar and Rainbow work; now we'll move on to attacks. First I'll explain the existing attacks against oil and vinegar, then I'll explain a new attack against oil and vinegar, and then finally I'll very briefly summarize a new attack against Rainbow and give the results of how efficient this new attack is.

Okay, so first the existing attacks against oil and vinegar. The first attack was discovered a year after oil and vinegar was proposed, and this attack was discovered by Kipnis and Shamir. It broke oil and vinegar in polynomial time, but only in the case where n, the number of variables, is two times the number of equations. Already in this paper they said that if you increase n beyond two times m then the scheme could still be secure, and then a year later this attack was generalized to the case where n is larger than 2m, but now the attack has complexity q^(n - 2m) times something polynomial. So that attack really becomes inefficient very quickly once n starts to grow beyond 2m, and this, before this new attack, was still the best attack. So how does this Kipnis-Shamir attack work? Well, the attack is based on this observation. Remember this polar form: it gave us a lot of symmetric bilinear maps, so of course we can represent these with symmetric matrices. For each component of our polar form we get the matrix M_i such that P'_i(x, y) is equal to x^T M_i y, and the observation is that if our map P vanishes on some space O, then this matrix M_i sends O into its own complement, so M_i O is orthogonal to O. The proof is very easy: take a vector o_1 in O, and then we want to prove that M_i o_1 is orthogonal to O. So to prove this you take a vector o_2 in O, and then we need to prove that o_2^T M_i o_1 is zero. But by definition of M_i this is just the polar form applied to o_2 and o_1, and if you apply the definition of the polar form this is just P_i(o_1 + o_2) minus P_i(o_1) minus P_i(o_2). We know that P vanishes on the space O, and o_1 and o_2 are in O, so P_i vanishes on o_1, o_2 and also o_1 + o_2, so this is just zero. So the proof is very simple, but still this is a very powerful observation that will allow us to attack.

Okay, so how does this lead to an attack? Well, we first look at the case where n is equal to 2 times m, because in this case the dimension of O, which is m, is equal to the dimension of O^⊥, because the dimension of O^⊥ is n minus m, so 2m minus m. So these spaces have the same dimension, and this means that if you have two of these matrices M_1 and M_2, and they are invertible, then we know M_1 O sits inside O^⊥, this was the lemma, but if they have the same dimension then they must be equal; and the same thing for M_2: M_2 O sits inside of O^⊥, but they have the same dimension, so they're equal. This means that O is an invariant subspace of M_2^{-1} M_1, and there's a polynomial-time algorithm to find invariant subspaces of a matrix, and M_1 and M_2 are public, so you can just compute this invariant subspace and then you have your secret key O. So the attack is fairly simple once you have this observation.

Okay, so the case where n equals 2m is easy, and we want to generalize this to larger n. The problem now is that M_1 O is no longer equal to M_2 O, because our lemma just says that they're both subspaces of O^⊥, but now O^⊥ is large enough that they don't have to be equal anymore. But still, since they're both subspaces of O^⊥, which is not too big, M_1 O and M_2 O are forced to have a large intersection, namely an intersection of dimension at least 3m minus n, and because of this it turns out that this matrix M_1^{-1} M_2 has eigenvectors in O with reasonably large probability, namely q^(2m - n). Once you know this you can do the following attack: you just look at matrices of this form, you compute their eigenvectors, and then you check if the eigenvectors are in O. You can do this by just evaluating P on these eigenvectors, because you know P vanishes on O, so if your eigenvector is in O then P of the eigenvector will be zero. So for every matrix that you try there's this probability that you find an eigenvector in O, so you just repeat this until you have a basis for O, and on average you have to try q^(n - 2m) matrices, so the complexity of the attack is q^(n - 2m) times some polynomial work factor.

Okay, so that's the state of the art of the attacks against oil and vinegar, and now I'll explain the new attack. The new attack still uses this picture from the Kipnis-Shamir attack, and now the idea is that we're going to fix some k and we're going to look for a vector x in the intersection of k of these spaces, so M_1 O, M_2 O, up to M_k O. The way we're going to do this is we're going to build a system of equations, and then we're just going to use a generic algorithm to find a solution of the system of equations. For example, if we look at k equals 2, so we're looking for a vector in the intersection of two of these spaces, then we have this system of equations, where the first set of equations is because, if x is in M_1 O, then M_1^{-1} x sits in O, and P vanishes on O, so P of this is equal to 0; and the same thing for P(M_2^{-1} x). And if M_1^{-1} x and M_2^{-1} x sit in O, then also their sum sits in O, so this gives you this extra set of equations. In general, for general k, we will have (k+1 choose 2) times m equations, because every P gives you m equations over your field. And the number of variables, you would think it's n because x lives in F_q^n, but actually if you know this intersection has dimension d then you can just add d random linear equations to eliminate some variables, and you know that with high probability you will still have a solution, so you can use this to reduce the number of variables, which makes the attack more efficient. But the attack will only work if this intersection is non-trivial, of course, and if you do the analysis then it turns out that this intersection is guaranteed to be non-trivial if this condition holds, so it really depends on this ratio of n over m. The smaller this ratio is, the closer to 2 it is, the larger k can be, and if k is larger then we get more equations in the same number of variables, so this will make solving the system much easier. So this means that the closer n over m is to 2, the more efficient the attack will be.

Okay, so let's apply this attack to a proposed parameter set that was in the literature, this one where q is 2^8, you have 104 variables and 44 equations. In this case n over m is 2.36, which means that we can choose k equals 3 and still expect the intersection to be non-zero, and if we do the attack with k equals 3 then our system has 258 equations in 89 variables, and it turns out that you can solve this with just generic algorithms with a complexity of 2^95 multiplications. This is much better than the expected strength of this parameter set, because that parameter set was chosen to have 128 bits of security.

Okay, so now we're done with UOV and we'll move on to Rainbow. Remember, with Rainbow we have this more complicated trapdoor structure, and again we're going to focus on the case where k equals 2, so we have two O spaces and one W space, and we're going to focus on this property that says that for whatever value x you plug into this differential, you get a map from O_2 to W, because this will allow us to find vectors in O_2. So we're going to look at these matrices: we have n matrices L_1 up to L_n, and each matrix has n rows and m columns, because every row is an evaluation of our differential, where the first slot is e_j, with j the number of your row, and the second slot is e_i, with i the index of the matrix. We look at these matrices because it turns out that if y is a vector in O_2 then the rank of the linear combination given by y is very low: it's at most the dimension of W. Why is this? It's very simple, because this differential is linear, so these y_i just go inside the differential, so you just have this matrix where every row is now an evaluation of the differential like this, but this property of the public key says that for any value x, so in particular for e_1 up to e_n, if the second vector is something in O_2 then it will spit out something in W. So every row of this matrix is a vector in W, and therefore the rank of this matrix is at most the dimension of W.

So we're now in this situation where these matrices are public, and we know that there's some linear combination of them that has an exceptionally low rank, so all we need to do is find this linear combination, and once we find one of those linear combinations then this will give us this vector y which sits in O_2. This problem, where you're given a number of matrices and you have to look for a linear combination of them with low rank, is called the MinRank problem, and this is a well-known problem in multivariate quadratic cryptography but also in code-based cryptography. So you can just use algorithms that have been developed to solve this problem to find those linear combinations, which gives you vectors in O_2, and once you know O_2 it automatically gives you W, and then you can find O_1, so then everything is quite easy: you can just recover the entire secret key and then you can forge signatures, of course. But in our case we don't want to use a generic MinRank algorithm, because we have more information about this linear combination: this linear combination corresponds to a vector in O_2, and we know that P will vanish on this vector. It turns out we can tweak the existing MinRank algorithms a little bit to make use of this extra information, and this makes the attack more efficient, but I'm not going to explain in this video how that works; if you're interested in that you should look at the paper.

Okay, so I mentioned at the beginning that Rainbow was one of the finalists in the NIST competition, so let's now have a look at the parameters that were submitted to the competition. The first column of the table gives you the complexity of this intersection attack that I talked about in the context of UOV but that can also be made to work against Rainbow, and the second column is this new MinRank attack that I just talked about. You can see that for all the parameters either this intersection attack is the most efficient or this new MinRank attack is the most efficient, and so for every parameter set we improve on the best known attacks, quite a bit: for example for the security level one parameter set submitted for the finals we improved the complexity of the best known attack by 20 bits, and for higher security levels it's even 40 bits or more. So yeah, we give quite a substantial improvement in the complexity of the attacks.

Okay, so we made it to the conclusion. I talked about oil and vinegar, which is this elegant signature scheme that's based on this problem where I give you a public key that vanishes on some secret subspace and the problem is to find this secret subspace, and I gave a new attack that's based on this idea of trying to find a vector in some intersection, and this new attack is more efficient than the previously known attacks for some parameters. Then we also talked about Rainbow, which is one of the finalists for the NIST post-quantum cryptography project, and I also gave a new key recovery attack against Rainbow that was based on this MinRank problem, and the complexity of the new attack is 20 bits more efficient than the best known attacks for security level one and even more for higher security levels. So yeah, that's all I wanted to say. Thank you very much.
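As an added example, not the speaker's code and not any UOV or Rainbow reference implementation, here is a toy oil-and-vinegar trapdoor in Python that exercises the two parts of the talk a reader can check by hand: the signing procedure (random vinegar vector, then a linear solve for the oil part, retrying when the m x m system is singular) and the Kipnis-Shamir observation that every symmetric matrix M_i = A_i + A_i^T sends the oil space O into its orthogonal complement. The prime field GF(31), the sizes n = 7 and m = 3, the systematic-form oil basis [O'; I_m], the stand-in "hash" t and all function names are my own constructed choices, far too small to be secure.

```python
import random

# Toy UOV over GF(Q) with Q a small prime, so field arithmetic is plain modular integer arithmetic.
Q, N, M = 31, 7, 3          # constructed toy sizes: field, n variables, m equations = dim of the oil space O
V = N - M                   # the remaining "vinegar" coordinates

def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % Q
def quad_eval(A, x):        # homogeneous quadratic form x^T A x, A an n x n matrix over GF(Q)
    return dot(x, [dot(row, x) for row in A])

def eval_P(P, x):           # public map P: GF(Q)^n -> GF(Q)^m, one quadratic form per coordinate
    return [quad_eval(A, x) for A in P]

def polar(P, x, y):         # polar form P'(x, y) = P(x + y) - P(x) - P(y): symmetric and bilinear
    s = [(a + b) % Q for a, b in zip(x, y)]
    return [(a - b - c) % Q for a, b, c in zip(eval_P(P, s), eval_P(P, x), eval_P(P, y))]

def solve_square(L, b):     # Gaussian elimination for L y = b over GF(Q); None if L is singular
    aug, n = [row[:] + [bi] for row, bi in zip(L, b)], len(L)
    for c in range(n):
        piv = next((i for i in range(c, n) if aug[i][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, Q)
        aug[c] = [(v * inv) % Q for v in aug[c]]
        for i in range(n):
            if i != c:
                aug[i] = [(vi - aug[i][c] * vc) % Q for vi, vc in zip(aug[i], aug[c])]
    return [row[n] for row in aug]

def keygen(rng):            # secret: O = column span of [O'; I_m]; public: m quadratic forms vanishing on O
    O_prime = [[rng.randrange(Q) for _ in range(M)] for _ in range(V)]
    oil = [[O_prime[i][j] for i in range(V)] + [int(i == j) for i in range(M)] for j in range(M)]
    P = []
    for _ in range(M):
        # random upper-triangular form with an empty oil-oil block, then fill that block so that every
        # oil basis vector is a root and every pair is polar-orthogonal, which makes P vanish on all of O
        A = [[rng.randrange(Q) if i <= j and i < V else 0 for j in range(N)] for i in range(N)]
        for a in range(M):
            A[V + a][V + a] = -quad_eval(A, oil[a]) % Q
            for b in range(a + 1, M):
                A[V + a][V + b] = -polar([A], oil[a], oil[b])[0] % Q
        P.append(A)
    return P, oil

def sign(P, oil, t, rng):   # pick a random vinegar vector v, then solve P'(v, o) = t - P(v) for o in O
    while True:
        v = [rng.randrange(Q) for _ in range(N)]
        rhs = [(a - b) % Q for a, b in zip(t, eval_P(P, v))]
        L = [list(r) for r in zip(*(polar(P, v, o) for o in oil))]   # entry (i, j) is P'_i(v, o_j)
        y = solve_square(L, rhs)                         # singular with probability about 1/Q: re-pick v
        if y is not None:
            return [(vi + sum(yj * oj[i] for yj, oj in zip(y, oil))) % Q for i, vi in enumerate(v)]

def oil_orthogonality_holds(P, oil):   # Kipnis-Shamir lemma: M_i = A_i + A_i^T sends O into O^perp
    Ms = [[[(A[i][j] + A[j][i]) % Q for j in range(N)] for i in range(N)] for A in P]
    return not any(dot(o2, [dot(row, o1) for row in Mi]) for Mi in Ms for o1 in oil for o2 in oil)

def demo(seed=2021):        # keygen, sign a constructed stand-in t for the message hash, verify, check lemma
    rng = random.Random(seed)
    P, oil = keygen(rng)
    t = [rng.randrange(Q) for _ in range(M)]
    s = sign(P, oil, t, rng)                             # verification is just P(s) == t
    return eval_P(P, s) == t, all(eval_P(P, o) == [0] * M for o in oil), oil_orthogonality_holds(P, oil)
```

The three booleans returned by demo() are verification of the signature, P vanishing on the oil basis, and the orthogonality lemma; swapping Q for a composite number breaks the modular inverse in solve_square, which is why a prime field is used here.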