Hi, my name is Joshua Deaton, and in this video I'll briefly summarize our paper, "Cryptanalysis of LUOV Using the Subfield Differential Attack." This is joint work by Jintai Ding, myself, Kurt Schmidt, Vishakha, and Zheng Zhang, all from the University of Cincinnati. I'm sorry if I mispronounced any of those names in this video, and I'm going to turn off the webcam so you all can properly see the slides.

In our paper we attack the scheme called Lifted Unbalanced Oil and Vinegar (LUOV), a multivariate signature scheme based on the Oil and Vinegar signature scheme. To start off, we will describe what that means. Then we'll look at the LUOV scheme itself, and then I'll go through the subfield differential attack.

Introduction. A signature scheme is a mathematical scheme for verifying the authenticity of digital messages or documents. We need a method of key generation to create private key / public key pairs, a method of signing a message with a private key to produce a signature, and a method which, given a message, a public key and a potential signature, determines whether the signature was legitimately generated or not. The security of modern schemes relies on the hardness of certain mathematical problems; listed below are the three families largely in use today, along with the mathematical problems they are based on. Recently there have been great developments in quantum computers, which use basic particles and quantum-mechanical principles to perform calculations. Peter Shor's algorithm shows that the previous families are vulnerable to a sufficiently large quantum computer. So, in August 2015 the NSA declared that post-quantum cryptosystems were needed. In December 2016 NIST called for proposals of new post-quantum cryptosystems, with three criteria: security, cost, and algorithm and implementation characteristics. LUOV was a round two candidate.
As of August 2020, there are three signature schemes left in round three: CRYSTALS-Dilithium, Falcon, and Rainbow.

Multivariate signature schemes. In a multivariate signature scheme, the public key P is an m-tuple of multivariate polynomials over a finite field. The private key is a way to compute P^{-1}. By P^{-1} we do not necessarily mean that P is an invertible function, merely that we have a way of generating pre-images. Signing a hash of a document is then just finding a pre-image of the hash, and verification consists of plugging the signature into P and getting the hash back. The direct attack is to solve the system of equations P(x) = y. Solving a system of n randomly chosen equations in n variables is NP-complete. This is the theoretical foundation of why the multivariate problem would be good for a signature scheme, but it does not by itself ensure the security of such systems. For efficiency, we largely look only at quadratic constructions, and we can justify this mathematically because any system of higher-degree polynomial equations can be reduced to a system of quadratic equations. As in this example, we essentially declare x_1·x_2 to be a new variable y, which leads to the following quadratic system.

The Oil and Vinegar signature scheme. The Oil and Vinegar signature scheme, which is the inspiration for the scheme we are attacking, was introduced by Patarin in 1997. Oil and Vinegar is both simple and efficient. It was inspired by the linearization attack on the Matsumoto-Imai cryptosystem. Here the public key P is the composition of two maps, F and T. F is quadratic, but it is easy to compute pre-images under F. T is invertible and linear; it is used to hide the structure of F. We then see that x = P^{-1}(y) can be found by first computing w = F^{-1}(y) and then x = T^{-1}(w). Let F_q be the finite field of size q, let o and v be natural numbers, and let n = o + v.
The central map, which is what we call F, is an o-tuple of quadratic polynomials in n variables. We divide the variables into two types: the vinegar variables x_1, ..., x_v, and the oil variables x_{v+1}, ..., x_n. For convenience we have the index sets V = {1, ..., v} and O = {v+1, ..., n}, so that x_i is a vinegar variable if i is in V and an oil variable if i is in O. Each central map polynomial f_k is in the following oil and vinegar form, and here we see that we have vinegar times vinegar, vinegar times oil, vinegar by itself, oil by itself, plus a constant. Notice that there are no oil times oil terms. Thus, by guessing values for the vinegar variables, setting x_i = ν_i for i in V, we get polynomials that are linear in the oil variables. Here we plug in that guess, and we see that the first sum is constant, the second is linear in the oil variables, the third sum is constant, and the fourth sum is linear. Thus we have a simple and efficient way of finding a pre-image of y in F_q^o. First, randomly guess values for the vinegar variables in each quadratic equation of F(x) = y. Then attempt to solve the resulting o linear equations in o variables, say by Gaussian elimination. If a solution exists, you have found the pre-image; in the very unlikely event that one does not, simply try another guess for the vinegar variables. The reason the different variable types are called oil and vinegar comes from salad dressing, where the oil and vinegar are not fully mixed. By composing with T, we see that the public key P = F ∘ T appears to be a random quadratic system, as the oil and vinegar structure is now hidden.

There are some broken parameters for Oil and Vinegar schemes. The original parameter choice was v = o, which is called balanced Oil and Vinegar. This was defeated by Kipnis and Shamir using invariant subspaces.
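To make the inversion procedure described above concrete, here is an added toy implementation in Python of Unbalanced Oil and Vinegar key generation, signing and verification. It is not code from the paper or from LUOV: it works over the prime field GF(31) with v = 6 and o = 3 purely as an illustration, the central map F has only vinegar·vinegar and vinegar·oil quadratic terms, so after a random vinegar guess each f_k is linear in the oil variables and Gaussian elimination finishes the inversion, and the public key is evaluated as the composition F ∘ T rather than expanded into explicit polynomials. All names are this example's own.

```python
"""Toy Unbalanced Oil and Vinegar (UOV): invert the central map by guessing the vinegar variables.
Added example; a small prime field GF(31) stands in for LUOV's F_2 / F_{2^r}."""
import random

P_MOD = 31            # prime field for the toy (an assumption of this example, not a scheme parameter)
V, O = 6, 3           # vinegar and oil counts, v = 2o as in UOV
N = V + O

def gauss_solve(A, b, p):
    """Solve A x = b over GF(p) by Gauss-Jordan elimination; free variables are set to 0.
    Returns None when the system is inconsistent."""
    m, n = len(A), len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if M[i][c] % p), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(x * inv) % p for x in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][n] % p for i in range(r, m)):     # a zero row with nonzero right-hand side: no solution
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = M[i][n]
    return x

def mat_inv(A, p):
    """Inverse of a square matrix over GF(p), or None if it is singular."""
    n, cols = len(A), []
    for j in range(n):
        col = gauss_solve(A, [int(i == j) for i in range(n)], p)
        if col is None:
            return None
        cols.append(col)
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def keygen(rng):
    """Private key: central map F (o oil-vinegar quadratics, no oil*oil terms) and an invertible affine map T."""
    F = []
    for _ in range(O):
        quad = {(i, j): rng.randrange(P_MOD) for i in range(V) for j in range(i, N)}  # vv and vo terms only
        lin = [rng.randrange(P_MOD) for _ in range(N)]
        F.append((quad, lin, rng.randrange(P_MOD)))
    while True:
        A = [[rng.randrange(P_MOD) for _ in range(N)] for _ in range(N)]
        A_inv = mat_inv(A, P_MOD)
        if A_inv is not None:
            break
    c = [rng.randrange(P_MOD) for _ in range(N)]
    return F, (A, c, A_inv)

def eval_central(F, x):
    return [(const + sum(a * x[i] * x[j] for (i, j), a in quad.items())
             + sum(b * xi for b, xi in zip(lin, x))) % P_MOD for quad, lin, const in F]

def affine(A, c, x):
    return [(sum(a * xi for a, xi in zip(row, x)) + ci) % P_MOD for row, ci in zip(A, c)]

def public_eval(key, x):
    """P = F o T. A real public key stores P's expanded polynomials; the toy evaluates the composition."""
    F, (A, c, _) = key
    return eval_central(F, affine(A, c, x))

def invert_central(F, y, rng):
    """Pre-image of y under F: guess the vinegar values, then each f_k is linear in the oil variables."""
    while True:
        vin = [rng.randrange(P_MOD) for _ in range(V)]
        rows, rhs = [], []
        for (quad, lin, const), yk in zip(F, y):
            coef, acc = [0] * O, const
            for (i, j), a in quad.items():            # i is always a vinegar index
                if j < V:
                    acc += a * vin[i] * vin[j]         # vinegar*vinegar: constant once vinegar is fixed
                else:
                    coef[j - V] += a * vin[i]          # vinegar*oil: linear in the oil variable x_j
            for i, b in enumerate(lin):
                if i < V:
                    acc += b * vin[i]
                else:
                    coef[i - V] += b
            rows.append([c % P_MOD for c in coef])
            rhs.append((yk - acc) % P_MOD)
        oil = gauss_solve(rows, rhs, P_MOD)       # o linear equations in the o oil unknowns
        if oil is not None:                       # otherwise retry with a fresh vinegar guess
            return vin + oil

def sign(key, y, rng):
    F, (A, c, A_inv) = key
    w = invert_central(F, y, rng)                  # F(w) = y
    return affine(A_inv, [0] * N, [(wi - ci) % P_MOD for wi, ci in zip(w, c)])   # x = T^{-1}(w)

def demo(seed=1):
    rng = random.Random(seed)
    key = keygen(rng)
    y = [rng.randrange(P_MOD) for _ in range(O)]   # constructed stand-in for the hash of a document
    x = sign(key, y, rng)
    return public_eval(key, x) == y

if __name__ == "__main__":
    print("signature verifies:", demo())
```

The design point to notice is that `invert_central` never has to solve anything nonlinear: the absence of oil·oil terms is exactly what turns each f_k into a linear equation once the vinegar variables are fixed, and T only exists to hide that shape in P.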
If v is less than o, then by guessing some variables it has the potential to become balanced Oil and Vinegar again, which I think can then be easily broken. If v is much greater than o, then finding a solution is generally easy as well. Now the parameters in use are something like v = 2o or v = 3o, or similar ratios. This is called Unbalanced Oil and Vinegar (UOV). The direct attack does not work here: the complexity is the same as solving a random system. Beyond the direct attack, there is the reconciliation attack, which uses the structure of UOV systems. It looks for equivalent maps of a special form, and its complexity becomes that of solving a system of o quadratic equations in v variables. Now, choosing v = 2o or something similar is less efficient: the signature is at least twice the size of the document. Therefore there have been many developments on basic UOV to improve the efficiency of the scheme. Importantly, one is the round three finalist Rainbow, by Jintai Ding and Dieter Schmidt in 2005. It is a multi-layer version of UOV, and it reduces the number of variables in the public key to get smaller key sizes and smaller signatures. Another is LUOV, which we will now discuss.

Lifted Unbalanced Oil and Vinegar. LUOV is a round two NIST candidate designed by Ward Beullens et al. in 2017. It is a variant of UOV that implements two previous refinements of UOV as well as the lifting modification for which it is named. The two previously known refinements will not be important for our attack, so we will only briefly discuss them here. The first, originally by Peter Czypek, is to choose the affine transformation T in the following shape, where 1_v is the identity matrix of dimension v, and similarly for 1_o. The second, originally by Albrecht Petzoldt, is to use a seed and a pseudorandom number generator to generate both the private key and the public key.
The third modification, from which LUOV gets its name, is the focus of our attack. LUOV takes an Oil and Vinegar private key over a small field and lifts it to an extension field, over which signatures are generated. This allows more efficient storage of the public and private keys. To be explicit, let F_{2^r} be the extension of F_2 of degree r, and let n = v + o. The central map F is still in oil and vinegar form, except now each of the coefficients is chosen in F_2, so it is either 0 or 1. Further, we choose the linear map T to be in the form where each of the entries is also from the small field F_2. From the third modification, we see that the public key P = F ∘ T also has coefficients only in F_2, but maps F_{2^r}^n to F_{2^r}^o. We will call such polynomials lifted.

Subfield differential attack. Now let us describe the subfield differential attack, SDA, itself. It is a direct attack against LUOV, meaning we try to forge a signature x for a given message y by directly solving P(x) = y. We first note that the design of LUOV makes the domain F_{2^r}^n of the public key P much larger than the range F_{2^r}^o. Thus we can try searching through some large enough subset D of the domain to find a pre-image x for y. It needs to be more efficient to find pre-images in D than in the whole domain; otherwise there is little point in restricting ourselves. We thus look for subsets with structure that can be exploited. For SDA, we choose the set F_{2^d}^n + x', where F_{2^d} is a subfield of F_{2^r} and x' is an element of F_{2^r}^n. Then the pre-image x will be of the form x̄ + x', where x̄ is an element of F_{2^d}^n. This leads to the idea behind the attack: with a differential, we will reduce solving the original equations over F_{2^r} to new equations over F_{2^d}.
The latter will be more efficient to solve. It will be shown that we rely only on the lifted structure of the public key and the availability of a large enough subfield of F_{2^r}. So let P be a LUOV public key and F_{2^d} a subfield of F_{2^r}. We first randomly select a differential x' in F_{2^r}^n, and x̄ will be a variable in F_{2^d}^n. Then we define the map P̄ = P evaluated at x̄ + x', which maps F_{2^d}^n to F_{2^r}^o; so we have shrunk our domain. We will solve P̄ = y using the quotient ring representation of F_{2^r}. To remind us what that is: if we take the base field F_2 and the extension field F_{2^r}, there always exists an intermediate field F_{2^d} whenever d divides r. Now F_{2^r} is isomorphic to the quotient ring F_{2^d}[t]/(g(t)), where g(t) is an irreducible polynomial of degree s = r/d. Elements of F_{2^r} can thus be represented by polynomials of degree s−1 in t over F_{2^d}. So when we look at the form of P̄ = y, in particular the k-th component, we see that by definition it is f̃_k evaluated at x' + x̄. Rearranging this and separating out the quadratic terms, it will be in this form, and we see that the quadratic terms have coefficients α in F_2, so either 0 or 1, while the linear terms have coefficients that are random polynomials of degree s−1 in t, because x'_i is randomly selected. So we can write f̃_k(x' + x̄) again as a sum of random linear functions over F_{2^d}, each multiplied by a power of t for the powers t^1 to t^{s−1}, plus a single quadratic equation which is not multiplied by t. And we set this equal to y_k, which can also be decomposed along the powers of t.
Thus we can solve P̄ = y by first finding the solution space S of the (s−1)·o linear equations A: L_{ik}(x̄) = y_{ik}. We have (s−1)·o linear equations because we have s−1 powers of t, namely t^1 up to t^{s−1}, to solve for, and we have o polynomials in P̄ to do this with. Then we attempt to solve the system B of o quadratic equations, q_k = y_{0k}, over S. With high probability the dimension of S is n − (s−1)·o. If a solution x̄ to the above system is found, then the forged signature is x̄ + x'.

Now that we have described the form of the attack, we need to see whether there is an appropriate subfield we can use for the parameters used by LUOV. Depending on the parameters, there are many subfields of F_{2^r} we could select. For instance, here is the lattice diagram of the subfields of F_{2^80}; F_{2^80} is one of the finite fields LUOV used in the initial submission, and we see that in this case we are spoiled for choice as to which subfield to pick. The most efficient choice is the smallest subfield in which a solution is likely to exist. Theoretically, P̄ acts as a random map, so we can use the following lemma. Let A and B be two finite sets and Q: A → B a random map. For each b in B, the probability that Q^{-1}(b) is non-empty is approximately 1 − e^{−|A|/|B|}. Here are the smallest usable choices of F_{2^d} for the parameters originally submitted for the second round. In this table we see that d is always much smaller than r, and our probability of success is almost one in each case.

Complexity of SDA. Now we are ready to compute the complexity of SDA for the proposed parameters.
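The decomposition along powers of t is the heart of SDA, and it is also the reason, discussed at the end of the talk, that the attack does not carry over to UOV or Rainbow. The following added Python example (not code from the paper or from LUOV) makes both points on a toy tower F_2 ⊂ F_4 ⊂ F_16, so d = 2 and s = 2, with F_16 built as F_4[t]/(t^2 + t + u). It constructs one lifted quadratic polynomial in three variables (coefficients 0/1) and a fixed differential x' that stands in for the random choice, then checks exhaustively which t-coordinates of P̄(x̄) = f(x̄ + x') are affine over F_4: for the lifted polynomial only the t^1 coordinate, which yields a row of the linear system A (read off at the unit vectors), while the t^0 coordinate stays quadratic. A second polynomial with coefficients from all of F_16, the non-lifted case, has no affine coordinate at all. The field construction, polynomial shapes and function names are this example's own.

```python
"""Coefficient structure behind the subfield differential attack on a toy tower F_2 < F_4 < F_16.
Added example: constructed polynomials and differential, not values from the paper."""
import itertools

# F_4 = F_2[u]/(u^2 + u + 1); elements are ints 0..3, bit 1 standing for u.
def mul4(a, b):
    r = 0
    for i in range(2):
        if (b >> i) & 1:
            r ^= a << i
    return r ^ 0b111 if r & 0b100 else r      # reduce with u^2 = u + 1

# F_16 = F_4[t]/(g(t)), g(t) = t^2 + t + u, irreducible over F_4 (d = 2, s = 2); elements are [c0, c1] = c0 + c1 t.
S = 2                                         # s = r / d
G = [2, 1]                                    # t^2 = u + t (g rearranged in characteristic 2)

def add16(a, b):
    return [x ^ y for x, y in zip(a, b)]

def mul16(a, b):
    prod = [0] * (2 * S - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] ^= mul4(ai, bj)
    for k in range(2 * S - 2, S - 1, -1):      # fold t^k (k >= s) back using t^s = sum_i G[i] t^i
        c, prod[k] = prod[k], 0
        if c:
            for i in range(S):
                prod[k - S + i] ^= mul4(c, G[i])
    return prod[:S]

def embed(c):
    """An F_4 scalar (in particular 0/1 from F_2) viewed in F_16 as a constant polynomial in t."""
    return [c] + [0] * (S - 1)

def eval_quad(poly, x):
    """poly = (alpha, beta, gamma): alpha maps (i, j), i <= j, to F_16 coefficients; beta is the linear part."""
    alpha, beta, gamma = poly
    acc = list(gamma)
    for (i, j), a in alpha.items():
        acc = add16(acc, mul16(a, mul16(x[i], x[j])))
    for i, b in enumerate(beta):
        acc = add16(acc, mul16(b, x[i]))
    return acc

def component(poly, x_prime, k):
    """The t^k coordinate of P-bar(x-bar) = f(x-bar + x'), as a function of x-bar in F_4^n."""
    return lambda xbar: eval_quad(poly, [add16(embed(c), xp) for c, xp in zip(xbar, x_prime)])[k]

def is_f4_affine(h, n):
    """Exhaustive check that h: F_4^n -> F_4 is affine over F_4: additive and F_4-homogeneous after removing h(0).
    (Squares are additive in characteristic 2, so the homogeneity test is what catches them.)"""
    pts = list(itertools.product(range(4), repeat=n))
    h0 = h((0,) * n)
    for a in pts:
        ha = h(a) ^ h0
        for c in range(4):
            if h(tuple(mul4(c, ai) for ai in a)) ^ h0 != mul4(c, ha):
                return False
        for b in pts:
            if h(tuple(ai ^ bi for ai, bi in zip(a, b))) ^ h0 != ha ^ h(b) ^ h0:
                return False
    return True

def affine_components(poly, x_prime, n):
    """Which t-coordinates of P-bar are affine in x-bar: those form the linear system A; the rest stay quadratic."""
    return [k for k in range(S) if is_f4_affine(component(poly, x_prime, k), n)]

def linear_form(poly, x_prime, k, n):
    """Coefficients of an affine t-coordinate, read off at the unit vectors: one row of system A, and its constant."""
    h = component(poly, x_prime, k)
    h0 = h((0,) * n)
    return [h(tuple(int(i == j) for i in range(n))) ^ h0 for j in range(n)], h0

N_VARS = 3
X_PRIME = [[1, 2], [3, 1], [0, 3]]           # constructed differential x' in F_16^3 (SDA draws it at random)

# Lifted polynomial: every coefficient is 0 or 1, as in LUOV (constructed sample).
LIFTED = ({(0, 1): embed(1), (0, 2): embed(1), (1, 1): embed(1), (2, 2): embed(1)},
          [embed(1), embed(0), embed(1)], embed(1))
# Same shape, but coefficients from all of F_16: how a non-lifted UOV/Rainbow polynomial looks (constructed).
UNLIFTED = ({(0, 1): [0, 1], (0, 2): [1, 0], (1, 1): [2, 3], (2, 2): [3, 1]},
            [[1, 2], [0, 1], [3, 0]], [2, 2])

def lifted_affine():
    return affine_components(LIFTED, X_PRIME, N_VARS)        # only the t^1 coordinate: -> [1]

def unlifted_affine():
    return affine_components(UNLIFTED, X_PRIME, N_VARS)      # quadratic terms in every coordinate: -> []

if __name__ == "__main__":
    print("lifted, affine t-coordinates:", lifted_affine())
    print("row of system A from t^1:", linear_form(LIFTED, X_PRIME, 1, N_VARS)[0])
    print("non-lifted, affine t-coordinates:", unlifted_affine())
```

With one lifted polynomial (o = 1) and s = 2, the t^1 coordinate gives a single linear equation in three F_4 unknowns, so the solution space S has dimension n − (s−1)·o = 2, and only one quadratic equation over F_4 remains; a product of a 0/1 coefficient with an F_4 value never reaches the t^1 coordinate, which is exactly the lifted structure the attack uses.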
As the cost of solving the linear equations is small, we will estimate only the cost of solving the underdetermined final quadratic system of n − (s−1)·o variables in o equations over F_{2^d}. We have more variables than equations, so we first use the method of Thomae and Wolf, which can be found in the paper "Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited." The method is to use a change of basis, which can be found by solving a relatively small linear system, to reduce the underdetermined system to a determined system. Then the system of o equations in n − (s−1)·o variables is reduced to a determined system of m equations in m variables, where m = o − floor((n − (s−1)·o)/o). After applying this method we generally lose one or two equations, as shown in the following table. To solve these determined quadratic systems, we use what is called a hybrid method. We randomly guess k of the variables and then attempt to solve the new overdetermined system of m equations in m − k variables with an algorithm like Wiedemann XL or F4. The exact number of variables to guess depends on the algorithm used and the parameters; generally, the smaller the field, the more variables to guess. If no solution is found, we change our guess and try again until we succeed. We will follow another analysis of solving these kinds of overdetermined systems and choose to use Wiedemann XL in our complexity estimates. For details, see "Operating Degrees for XL vs. F4/F5 for Generic MQ with Number of Equations Linear in That of Variables." The complexity of XL largely depends on the constant D_0, known as the operating degree. Generally, when solving a quadratic system of m equations in n variables over F_q, D_0 is equal to this expression, where the notation means the coefficient of t^D in the power series representation of this function.
However, for small fields, when D_0 is greater than q, we can use the field equations x^q = x to reduce this to the following expression for D_0. Taking into account the potential k guesses, denoting the operating degree for each choice by D_0(k) and using the Wiedemann algorithm, we estimate the complexity of solving the determined systems as C_XL ≈ this expression. In the following table we record how C_XL compares to the classical complexity requirements of LUOV, and we see in each case that C_XL is smaller than the requirement. So, summarizing: LUOV as proposed fails to meet the security level requirements. Two schemes which claim level two security do not even satisfy the level one security of 2^143.

A possible response, and the inapplicability of SDA to non-lifted schemes. Earlier we saw that we want to choose the smallest possible subfield in which it is likely to find a signature. This depends heavily on the chosen parameters: if we choose r prime, then the only proper subfield of F_{2^r} is F_2, which is too small to use for the SDA we present here. The authors of LUOV have put forth parameters which use a prime r. We, together with Bo-Yin Yang from Academia Sinica, have made progress in this area, improving SDA to attack fully half of these new parameters. The level one security can be broken in a practical 210 minutes. The extension is called the nested subset differential attack, whose ePrint was submitted in early August. The paper is called "The Nested Subset Differential Attack: A Practical Direct Attack Against LUOV Which Forges a Signature Within 210 Minutes."

Before we conclude, let us discuss why SDA does not apply to UOV, Rainbow, or any multivariate scheme which does not use the lifted structure of LUOV. The reason is that, in separating out the linear system A from the quadratic terms, it was necessary for the coefficients of the quadratic terms to lie in the subfield F_{2^d}.
Below is the k-th component of P̄ again. We see that if the α's were random elements of F_{2^r}, then the quadratic terms would have coefficients for all powers of t up to s−1, and we would be solving o·s quadratic equations over F_{2^d} and not gain any efficiency.

Conclusion. We have seen that LUOV is an interesting development of UOV which reduces the public key size. However, given its newness, we have found an attack, which we call SDA, that breaks all the parameters originally submitted for this competition. SDA is based on the elementary representation of field extensions and thus has potential for further development. As SDA relies only on the lifted structure of LUOV, it will need to be considered if any future schemes want to use the lifted structure. Thanks for watching the video. We would like to state our appreciation for the support of the Taft fund, NIST, and the NSA. Have a good one.