Welcome to my talk on efficient key recovery attacks for all HFE signature variants. My name is Albrecht Petzoldt and I'm presenting here joint work together with Chengdong Tao and Jintai Ding. In our paper we work in the field of multivariate cryptography, which is one of the main candidates for post-quantum cryptography. The public key of a multivariate cryptosystem is just a system of multivariate quadratic polynomials, as shown here, and the security is based on the so-called MQ problem, where we are supposed to find a vector x̄ such that all of these polynomials evaluate to zero. The MQ problem was proven to be NP-hard and it is believed to be hard on average for both quantum and classical computers. Of course we have to ensure that the owner of the private key can invert the system efficiently, and one of the ideas to do this is the so-called big field approach, where we have an extension field F_{q^n} and an isomorphism φ between the vector space F_q^n and the extension field. We have an easily invertible univariate map F over the extension field, which is called the central map. Due to the special structure of this central map, the map F̄, which is defined as φ^{-1} ∘ F ∘ φ, is a quadratic map over the vector space F_q^n. To hide the structure of the central map in the public key, we choose two invertible linear maps T and S over the vector space F_q^n and define the public key as P = T ∘ F̄ ∘ S, which is a quadratic map over the vector space F_q^n. It is supposed to look like a random system and therefore hard to invert. The private key consists of the three maps S, F and T and therefore allows to invert the public key. On this slide you see a graphical illustration of the general workflow of multivariate big field signature schemes.
So for signature generation, we are given a message m as a string of arbitrary length and the private key consisting of the three maps S, F and T. We first compute the hash value w of the message m, then we invert the first affine map T to get this x. We lift x to the extension field and invert the univariate central map to get y in F_{q^n}. Finally, we move the result down to the vector space again and invert the second affine map S to get the signature z in F_q^n. For signature verification, we are given again the message m as a string of arbitrary length, a signature z in F_q^n and the public key, and we just have to check if P(z) is equal to H(m). If this is fulfilled, then the signature is accepted, and otherwise it is rejected. An important example of such a big field signature scheme is the HFEv- signature scheme, which combines the idea of big field signature schemes with the minus modification and the vinegar variation. The central map F of the scheme is a map from F_q^v × F_{q^n} to the extension field F_{q^n}, and it has this special structure here. So the important thing here is that the degree of this polynomial F(X) is bounded by D; we have here a linear map β_i in the so-called vinegar variables v_1 to v_v, and here we have a quadratic map γ in the vinegar variables. Due to the special structure of this map F and the Frobenius isomorphism, the map F̄, which is defined as φ^{-1} ∘ F ∘ φ, is a quadratic map over the vector space F_q^n. To hide the structure of the central map in the public key, we choose two linear maps T: F_q^n → F_q^{n-a} and S: F_q^{n+v} → F_q^{n+v} of maximal rank.
The public key P is given as the composed map T ∘ F̄ ∘ S, which is a quadratic map from F_q^{n+v} to F_q^{n-a}, and the private key consists of the three maps S, F and T and therefore allows to invert the public key. For the signature generation we are given a message as a string of arbitrary length as well as the private key S, F and T. We compute the hash value w of the message in F_q^{n-a}, then we compute a preimage x of this vector w in F_q^n under the affine map T and lift the result to the extension field F_{q^n}. Then we choose random values for the vinegar variables v_1 to v_v and solve the parametrized map F_V(Y) = X over the extension field F_{q^n} via Berlekamp's algorithm. Finally we move the result down to the vector space again, append the vinegar variables v_1 to v_v and invert the second affine map S to get the signature z of the document in F_q^{n+v}. For the signature verification we are given again a message m as a string of arbitrary length, the signature z in F_q^{n+v} and the public key P. We first compute the hash value w of the message in F_q^{n-a}, we evaluate the public key at the signature point to get this vector w' in F_q^{n-a}, and we accept the signature z if and only if w' is equal to w.

With regard to attacks against the HFEv- scheme, there exist basically two attack scenarios. The first one is the so-called direct attack, which is a signature forgery attack, and in a number of papers it was found that the degree of regularity of this attack is bounded from above by the formula here, where d is the base-two logarithm of the degree bound of the HFE polynomial. The second attack scenario is the so-called MinRank attack, which is a key recovery attack. Mostly this attack considers the Min-Q-Rank, which can be seen as the degree of the public key as a quadratic form over the extension field, and it was found that the Min-Q-Rank of the MinRank attack is bounded by d + a + v. Therefore, if we solve the MinRank problem using the so-called minors approach, the complexity of the attack can be estimated by this formula here.

In our paper we propose a MinRank-style attack against the HFEv- scheme whose complexity is given by this formula here, and we see that a doesn't appear in the complexity at all and v only appears in the first row. This means that the complexity of our attack is completely independent of the number of minus equations a and is polynomial in the number of vinegar variables v, and therefore our attack is much faster than previous MinRank attacks against HFE variants.

To describe our attack we need some preliminaries. First, we use the so-called matrix representation of the HFE central map, namely we can write the HFE central map as a quadratic form using a matrix F*_0, which is given by this formula here, and we can compute from this F*_0 the Frobenius maps F^{q^k} similarly as quadratic forms using matrices F*_k, where the matrix F*_k can be derived easily from the matrix F*_0. Next we also need a matrix representation of our isomorphism, and we find that the matrix representing the isomorphism is given as a matrix of Vandermonde type, where we use θ as the generator of the extension field F_{q^n}. By doing so we find that the isomorphism applied to an element v of the extension field is given as the vector (v, v^q, ..., v^{q^{n-1}}) times M^{-1}, as a vector of the vector space F_q^n, and φ^{-1} applied to a vector of the vector space F_q^n is the first component of (v_1, ..., v_n) times M. In our paper we have to cover the vinegar variables, and to do this we define a matrix M̃, which is a block matrix containing the matrix M of our isomorphism and the identity matrix of size v, and by doing so we get the following equation mapping elements of the vector space to elements of the extension field. Furthermore, if we let S and T be the matrices representing the linear parts of the affine maps S and T, and we write F again as a quadratic form using the matrix F*_0, then we find the following relation between the matrices representing the public polynomials and the matrices F*_0 to F*_{n-1}. If we denote in this equation M̃^{-1} S^{-1} by U and M^{-1} T by W, then we find this equation here, and this equation plays a major role in the remainder of the talk; therefore I call it the fundamental equation.

So let's see how to recover the first affine map S. Let a_i be the first row of the matrix F*_i for i = 0 to n-1. Then we can show the following lemma: the rank of the matrix Q = W^T times the matrix containing the vectors a_i as row vectors is at most d, where W is the matrix from our fundamental equation. In particular we find that this row matrix from a_0 to a_{n-1} is a block matrix containing two blocks A_1 and A_2 and several blocks in the middle. From the lemma we directly get a theorem: if we denote by u the first row of the matrix U from our fundamental equation and b_i is the vector u times the matrix P_i representing the i-th public polynomial, and we define a matrix Z whose row vectors are these vectors b_i, then the rank of Z is at most d. Furthermore we get another lemma: let A be an m × n matrix over the field F_q and B be the matrix M^{-1} A, where M is the matrix representing our isomorphism; then we have B_{ij} = B_{i-1,j}^q for all i, j, and this means that the matrix B is completely determined by its first row.

So let's sum up how to recover S. Since we have U = M̃^{-1} S^{-1} and M̃ is known, it is enough to find U, and we can recover S easily from U. Due to the previous lemma we only have to find the first row of U to get the first n rows of the matrix U. We denote the first row of the matrix U by the vector u, and since we only have to find one of the many equivalent keys, we can assume that the first component of this vector is equal to one. Since the rank of the matrix Z is smaller than or equal to d, we can find the unknown elements of the vector u by solving a MinRank problem over the base field, and the remaining rows of U can be chosen at random such that the matrix U, which is an (n+v) × (n+v) matrix, is invertible.

So here we have the algorithm to recover S. We are given the HFE parameters q, n, v, D and a as well as the matrices representing the public polynomials and the matrix M̃ of our isomorphism, and the output is one of the equivalent linear transformations S. We set b_i to the vector (1, u_1, ..., u_{n+v-1}) times P_i, where P_i is the matrix representing the i-th public polynomial and u_1 to u_{n+v-1} are unknowns. Then we construct a matrix Z whose row vectors are these b_i and solve a MinRank problem for this matrix Z to find the unknowns u_1 to u_{n+v-1}. Then we define the matrix U as follows: the first n rows of this matrix U are given by the vector u, or by the solutions of the MinRank problem, and the remaining v rows are just chosen randomly in such a way that the whole matrix is invertible. Then we compute S̃ = (M̃ U)^{-1} and return S' as the equivalent linear transformation.

Having found this equivalent linear transformation S, the remainder of the attack is relatively easy. We can show that as soon as the matrix U is known, we can recover the matrix F*_0 by solving a determined linear system with n - a - 1 variables, (d + a)(n + v) additional linear equations in at most d + v variables, and the roots of v + 1 univariate polynomial equations of degree at most q^d. After we have found this matrix F*_0 we can easily compute all the other matrices F*_i, and having found these matrices F*_i we can recover the map T by solving n - a linear equations in n variables.

So let's come to the complexity of our attack. The most costly step of our attack is the solution of the MinRank problem we need to solve to recover the matrix U. For this there are basically two possibilities. The first one is the minors modeling; we find that the degree of regularity of the F4 algorithm is d + 1, and this leads to the following complexity of our attack. The second possibility is to solve the MinRank problem by the support minors modeling, and in comparison to Rainbow we don't have a unique solution of the MinRank problem here, which means that we can't solve the system by the Wiedemann algorithm but have to solve it by F4. Our experiments seem to show that the degree of regularity of the F4 algorithm is always three, which leads to the following complexity of our attack. However, we don't have a theoretical confirmation that the degree of regularity is three, and therefore we give the complexity of our attack using the minors modeling.

This table here shows how we can apply our attack against the GeMSS scheme, which is a third-round candidate in the NIST standardization process of post-quantum signature schemes, and we see here that the proposed parameters for this scheme don't meet the NIST security requirements, especially for higher levels of security. So, as I said, the proposed parameters for GeMSS don't reach the required security levels. First of all we find that speeding up the signature generation process of the scheme by decreasing D while increasing a and v is not possible, which means that modifications as done in BlueGeMSS and RedGeMSS are not possible. Secondly, we find that for high levels of security we need very high values of the HFE degree bound; for example for NIST security level III we need d ≥ 20, or D ≥ 2^19 + 1 ≈ 524,000, and this leads to a drastic slowdown of the signature generation process. Therefore we come to the conclusion that the techniques used in the GeMSS scheme don't suffice to create an HFE signature scheme which is both efficient and reaches high levels of security.

To conclude, in our paper we proposed a new MinRank-style attack against the HFE signature variants, and the complexity of our attack is exponential in d but polynomial in v, the number of vinegar variables, and independent of the number of minus equations a. Some consequences: we see that we can't speed up the scheme by decreasing D while increasing a and v as it is done in BlueGeMSS and RedGeMSS, and for high levels of security we need a very large value of d, which brings down the efficiency of the scheme. Therefore there arises the question whether we can build an HFE-based signature scheme which is both efficient and offers a high level of security. Thank you for your attention.
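As an added worked example (written for this page; it is not the speakers' code and not part of the talk or the paper), the following Python implements the big-field signature workflow from the first slides at toy scale: key generation with P = T ∘ F̄ ∘ S, signing by inverting T, the central map F and S in turn, and verification by checking P(z) against the hash. Everything beyond the talk's description is an assumption made here: plain HFE with no minus or vinegar modification, base field GF(5) with n = 3 and degree bound D = 10, the polynomial basis of GF(5^3) so that φ is the identity on coefficient vectors, SHA-256 with a retry counter as the hash (F is not a bijection), and root finding by exhaustive search instead of Berlekamp's algorithm. It also checks the claim that the public map is quadratic over the base field, by recovering P's explicit quadratic polynomials from black-box evaluations and comparing them against P on every input.

```python
"""Toy big-field (HFE-style) signature over GF(5^3). Added illustration, not the authors'
code: plain HFE (no minus or vinegar modification), exhaustive-search inversion instead of
Berlekamp, SHA-256 plus a retry counter as the hash, and parameters far too small to be secure."""
import hashlib, itertools, random

Q, N, D = 5, 3, 10           # assumed toy parameters: base field GF(5), n = 3, HFE degree bound D = 10
MOD = [1, 1, 0, 1]           # x^3 + x + 1 (coefficients low -> high), irreducible over GF(5)
rng = random.Random(2021)    # fixed seed so the example is reproducible

# Arithmetic in GF(Q^N). An element is a tuple of N coefficients in the polynomial basis, so the
# isomorphism phi between the vector space GF(Q)^N and GF(Q^N) is the identity on these tuples.
def f_add(a, b): return tuple((x + y) % Q for x, y in zip(a, b))

def f_mul(a, b):
    prod = [0] * (2 * N - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % Q
    for k in range(2 * N - 2, N - 1, -1):      # reduce x^k using x^N = -(MOD[0] + ... + MOD[N-1] x^{N-1})
        c, prod[k] = prod[k], 0
        for t in range(N):
            prod[k - N + t] = (prod[k - N + t] - c * MOD[t]) % Q
    return tuple(prod[:N])

def f_pow(a, e):
    r, base = (1,) + (0,) * (N - 1), a
    while e:
        if e & 1: r = f_mul(r, base)
        base, e = f_mul(base, base), e >> 1
    return r

ALL_ELEMENTS = [tuple(v) for v in itertools.product(range(Q), repeat=N)]

# HFE central map F(X) = sum a_ij X^{q^i+q^j} + sum b_i X^{q^i} + c with all exponents <= D,
# stored as {exponent: coefficient in GF(Q^N)}.
def random_central_map():
    exps = {Q**i + Q**j for i in range(N) for j in range(i, N)} | {Q**i for i in range(N)} | {0}
    return {e: tuple(rng.randrange(Q) for _ in range(N)) for e in sorted(exps) if e <= D}

def central_eval(F, X):
    acc = (0,) * N
    for e, coeff in F.items(): acc = f_add(acc, f_mul(coeff, f_pow(X, e)))
    return acc

# Affine maps x -> M x + c over GF(Q)^N and their inverses.
def mat_vec(M, v): return tuple(sum(m * x for m, x in zip(row, v)) % Q for row in M)

def mat_inv(M):
    """Gauss-Jordan inverse mod Q; returns None if M is singular."""
    n, A = len(M), [list(row) + [int(i == j) for j in range(len(M))] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None: return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, Q)
        A[col] = [x * inv % Q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]: A[r] = [(x - A[r][col] * y) % Q for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]

def random_affine():
    while True:                                 # resample until the linear part is invertible
        M = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        Minv = mat_inv(M)
        if Minv is not None: return M, Minv, tuple(rng.randrange(Q) for _ in range(N))

def affine(M, c, x): return f_add(mat_vec(M, x), c)
def affine_inv(Minv, c, y): return mat_vec(Minv, tuple((a - b) % Q for a, b in zip(y, c)))

# Key generation: public key P = T o Fbar o S (kept as a callable), private key (S, F, T).
def keygen():
    F, (S, Sinv, s), (T, Tinv, t) = random_central_map(), random_affine(), random_affine()
    def P(z): return affine(T, t, central_eval(F, affine(S, s, z)))
    return (F, (S, Sinv, s), (T, Tinv, t)), P

def hash_to_vector(msg, ctr):
    h = int.from_bytes(hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest(), "big")
    return tuple((h // Q**i) % Q for i in range(N))

def sign(private, msg):
    F, (S, Sinv, s), (T, Tinv, t) = private
    for ctr in range(256):                      # F is not a bijection: retry with a fresh counter
        X = affine_inv(Tinv, t, hash_to_vector(msg, ctr))    # invert T; lifting is the identity here
        roots = [Y for Y in ALL_ELEMENTS if central_eval(F, Y) == X]   # toy root finding by exhaustion
        if roots: return ctr, affine_inv(Sinv, s, roots[0])           # move down and invert S
    raise RuntimeError("no preimage found for this message")

def verify(P, msg, sig):
    ctr, z = sig
    return P(z) == hash_to_vector(msg, ctr)

# The public map is quadratic over GF(Q): recover its explicit polynomials by interpolation
# on 0, e_i, 2e_i and e_i + e_j (the formulas divide by 2, so this needs Q > 2).
def expand_public(P):
    unit = lambda i: tuple(int(k == i) for k in range(N))
    c0, half, polys = P((0,) * N), pow(2, -1, Q), []
    for k in range(N):                          # one polynomial per output coordinate
        quad, lin = {}, {}
        for i in range(N):
            p1, p2 = P(unit(i))[k], P(tuple(2 * x for x in unit(i)))[k]
            quad[(i, i)] = (p2 - 2 * p1 + c0[k]) * half % Q
            lin[i] = (p1 - c0[k] - quad[(i, i)]) % Q
            for j in range(i + 1, N):
                quad[(i, j)] = (P(f_add(unit(i), unit(j)))[k] - p1 - P(unit(j))[k] + c0[k]) % Q
        polys.append((quad, lin, c0[k]))
    return polys

def eval_polys(polys, z):
    return tuple((sum(c * z[i] * z[j] for (i, j), c in q.items())
                  + sum(c * z[i] for i, c in l.items()) + const) % Q for q, l, const in polys)

if __name__ == "__main__":
    private, P = keygen(); msg = b"constructed sample message"; sig = sign(private, msg)
    print("valid:", verify(P, msg, sig), "| public map is quadratic:",
          all(eval_polys(expand_public(P), z) == P(z) for z in ALL_ELEMENTS))
```

The exhaustive search in sign() is what makes the toy work at all; in a real HFE instance the central polynomial has degree D over a field of size q^n in the hundreds of bits, and that step is exactly where Berlekamp's algorithm (and the cost that grows with D, the point of the talk's last slides) comes in. The expand_public() check is also the reason the public key can be published as plain quadratic polynomials: every exponent q^i + q^j, q^i and 0 in F is at most quadratic over the base field, and composing with the affine maps S and T preserves that.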