Hi, my name is Joshua Deaton, and in this video I'll be presenting the nested subset differential attack, a practical direct attack against LUOV which forged a signature within 210 minutes. This is joint work by Jintai Ding, myself, Vishakha, and Bo-Yin Yang, and I'll be turning off the webcam so you can properly see the slides.

First, I'll talk about the general construction of multivariate signature schemes. Then we'll look at the oil and vinegar signature scheme in particular. Then we'll look at the lifted unbalanced oil and vinegar scheme, which is what we attack in our paper. Then we'll look at the subfield differential attack, which is our original attack against the lifted unbalanced oil and vinegar scheme. Then we'll finally look at our new contribution, the nested subset differential attack.

Multivariate signature schemes. In a multivariate signature scheme, the public key P is an m-tuple of multivariate polynomials over a finite field. The private key is a way to compute P inverse, by which we do not necessarily mean that P is invertible, but that we have a way of finding pre-images. The method of signing a hash of a document is finding one of these pre-images x of a hash y. The verification process is simply checking that y is the output P(x). The theoretical foundation for these schemes is that solving a set of n randomly chosen non-linear equations in n variables is NP-complete, but this does not necessarily ensure the security of the systems, because P will have some hidden structure which you can attack. For efficiency, we mainly look at quadratic constructions, and this can be justified mathematically, as any set of higher degree polynomial equations can be reduced to a set of quadratic equations, as in the following example.

The oil and vinegar signature scheme. The oil and vinegar signature scheme was introduced by Patarin in 1997. It is both simple and efficient.
It was inspired by the linearization attack on the Matsumoto-Imai cryptosystem. Here P, the public key, is the composition of two maps, F and T. F is quadratic, but it is easy to compute F inverse, and again that means finding pre-images. T is invertible and linear; it is used to hide the structure of F. We see that x = P^-1(y) can be found by first computing F^-1(y) = w, and then T^-1(w) = x.

Let F_q be the finite field of size q, let m and v be natural numbers, and set n = m + v. The map F is called the central map, and it is an m-tuple of quadratic polynomials in n variables. We divide the variables into two types. The first is the vinegar variables, x_1, x_2, up to x_v. The second is the oil variables, x_{v+1}, x_{v+2}, up to x_n. For convenience, we have the following two index sets: V, which is {1, 2, ..., v}, and O, which is {v+1, v+2, ..., n}. This means that x_i is a vinegar variable if i is in V, and x_i is an oil variable if i is in O. Each central map polynomial f_k is in the following oil and vinegar form. Here we're going to have vinegar times vinegar terms, vinegar times oil terms, vinegar by itself, oil by itself, and a constant, where each of the coefficients comes from the finite field. Notice that there are no oil times oil terms. Thus, by guessing for each of the vinegar variables, say x_i = ν_i for i in V, we have a linear polynomial in m variables. Here, this will become a constant. This will become linear. This will become a constant. This will stay linear, and this will stay a constant.

Thus, we have a simple and efficient way of finding a preimage of y, which is in F_q^m. First, randomly guess for the vinegar variables in each quadratic equation of F(x) = y. Then attempt to solve the resulting m linear equations in m variables, say by Gaussian elimination. If a solution exists, then you have found the preimage.
In the very unlikely event that one does not, simply choose another guess for the vinegar variables. The reason that the different variable types are called oil and vinegar comes from salad dressing, where the oil and vinegar involved are not fully mixed. By the composition with T, we see the public key P(x) = F(T(x)) seems to be a random quadratic system, as the oil and vinegar structure is now hidden.

There are some broken parameters for oil and vinegar schemes. The first is when v is equal to m, which is now called balanced oil and vinegar. This was defeated by Kipnis and Shamir using invariant subspaces in 1998. Also broken is when v is less than m, and this can be broken by guessing for some of the variables, as this can turn it into a balanced oil and vinegar system where v is equal to m. And then again, you can defeat it by the method of Kipnis and Shamir. If v is much greater than m, then finding a solution is generally easy for all quadratic systems. So the usable parameters for oil and vinegar schemes are v = 2o, v = 3o, or similar ratios. The ratio used for LUOV is slightly larger. This is called unbalanced oil and vinegar, UOV, and the direct attacks against it do not work, as the complexity is the same as that of solving a random system. Beyond the direct attack, there are attacks that make use of the UOV structure, like the intersection attack by Ward Beullens, which must be accounted for in picking parameters. This is less efficient as the number of variables increases, as now the signature is at least twice the size of a document when you have v being twice m or thrice m and so on. There are developments from basic UOV to improve the efficiency of the scheme. Importantly, one is the Rainbow signature scheme by Jintai Ding and Dieter Schmidt in 2005, which is a multi-layer version of UOV. It is a NIST post-quantum cryptography standardization finalist.
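The signing procedure described above, as an added example that is not part of the talk or of the LUOV submission: a toy oil and vinegar scheme over the prime field F_7 with v = 6 vinegar and m = 3 oil variables (assumed toy parameters), where T is taken in the block shape [[1_v, T'], [0, 1_m]] so that its inverse needs no matrix inversion. Guessing the vinegar variables makes each f_k affine in the oil variables, so the system is solved by Gaussian elimination and a failed guess is simply retried.

```python
# Added example (not from the talk): toy oil and vinegar scheme over F_p.
import random

rng = random.Random(1)          # seeded for reproducibility; constructed data
p, v, m = 7, 6, 3               # assumed toy parameters: field F_7, v = 2m
n = v + m

def keygen():
    # f_k has vinegar*vinegar and vinegar*oil terms only (index < v is vinegar),
    # plus linear and constant terms; T = [[1_v, T'], [0, 1_m]] with random T'
    F = [({(i, j): rng.randrange(p) for i in range(v) for j in range(i, n)},
          [rng.randrange(p) for _ in range(n)], rng.randrange(p)) for _ in range(m)]
    Tp = [[rng.randrange(p) for _ in range(m)] for _ in range(v)]
    return F, Tp

def apply_T(Tp, x, s=1):
    # s=1 gives T x; s=-1 gives T^-1 x, because T^-1 = [[1_v, -T'], [0, 1_m]]
    return [(x[i] + s * sum(Tp[i][j] * x[v + j] for j in range(m))) % p
            for i in range(v)] + x[v:]

def eval_F(F, w):
    return [(c + sum(b * w[i] for i, b in enumerate(lin))
             + sum(a * w[i] * w[j] for (i, j), a in quad.items())) % p
            for quad, lin, c in F]

def solve_mod_p(A, b):
    # Gauss-Jordan elimination over F_p: one solution, or None if inconsistent
    M, piv, r = [row + [bi] for row, bi in zip(A, b)], [], 0
    for c in range(len(A[0])):
        i = next((k for k in range(r, len(M)) if M[k][c]), None)
        if i is None: continue
        M[r], M[i] = M[i], M[r]
        M[r] = [x * pow(M[r][c], -1, p) % p for x in M[r]]
        for k in range(len(M)):
            if k != r and M[k][c]:
                M[k] = [(a - M[k][c] * t) % p for a, t in zip(M[k], M[r])]
        piv.append(c); r += 1
    if any(not any(row[:-1]) and row[-1] for row in M):
        return None
    x = [0] * len(A[0])
    for i, c in enumerate(piv): x[c] = M[i][-1]
    return x

def sign(F, Tp, y):
    while True:                              # retry on an unlucky vinegar guess
        vin = [rng.randrange(p) for _ in range(v)]
        base = eval_F(F, vin + [0] * m)      # F is now affine in the oil variables
        cols = [eval_F(F, vin + [int(j == k) for j in range(m)]) for k in range(m)]
        A = [[(cols[k][e] - base[e]) % p for k in range(m)] for e in range(m)]
        oil = solve_mod_p(A, [(yk - bk) % p for yk, bk in zip(y, base)])
        if oil is not None:                  # w = (vin, oil) satisfies F(w) = y
            return apply_T(Tp, vin + oil, s=-1)          # x = T^-1(w), so P(x) = y
```

Verification is evaluating the public key, eval_F(F, apply_T(Tp, x)), and comparing with y.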
Next is LUOV, which we'll now discuss. Lifted unbalanced oil and vinegar. LUOV was a round two NIST candidate, designed by Ward Beullens et al. in 2017. It is a variant of UOV that implements two previous refinements of UOV, as well as the lifting modification for which it's named. The two previously known refinements will not be important for our attack; we'll only briefly describe them here. The first, originally by Peter Czypek, is to choose the affine transformation T in the following shape. Here 1_v is the v × v identity matrix, 1_m is the m × m identity matrix, and T in the upper right block is a v × m matrix with randomly chosen coefficients. The second, originally by Albrecht Petzoldt, is to use a seed and a pseudo-random number generator to generate both the private key and the public key.

The third modification, from which LUOV gets its name, is the focus of our attack. LUOV takes an oil and vinegar private key over a small field and lifts it to an extension field, from which it signs its signatures. This allows more efficient storage of the public and private keys. Let F_{2^r} be the extension field of F_2 of degree r, and n = v + m. The central map F takes F_{2^r}^n to F_{2^r}^m, and each of its polynomials f_k takes the oil and vinegar form. However, the coefficients a, b, c will only be in F_2, so either 0 or 1. We also choose T in the following shape, where the block T is the v × m matrix whose entries are also from the small field F_2. From the third modification, we see that the public key P(x) = F(T(x)) also has coefficients only in F_2, but maps F_{2^r}^n to F_{2^r}^m. We will call such polynomials lifted.

In 2019, Ding et al. published the subfield differential attack, SDA, against LUOV, which broke the proposed parameter sets.
In response, the authors of LUOV proposed new parameters, which in particular made the degree of the extension field prime, which protects against SDA. Here's a table of the six new parameter sets. Our attack, NSDA, is against the three cases with r = 7, and it breaks these completely.

Subfield differential attack. Now I'll describe the original attack against LUOV, which is the inspiration for our new attack, called the subfield differential attack. It is a direct attack against LUOV, meaning we will try to forge a signature x for a given message y by directly solving P(x) = y. SDA relies on the quotient ring representation of finite fields. If we take a base field F_2 and an extension field F_{2^r}, we can write F_{2^r} as the following quotient ring, where d divides r and g(T) is an irreducible polynomial of degree r/d. Thus, elements in F_{2^r} can be represented by degree r/d - 1 polynomials in the polynomial ring over F_{2^d}. It is more efficient to solve a quadratic system over F_{2^d} than over the extension field F_{2^r}. So the goal of SDA, and later of NSDA, is to turn the problem of solving over F_{2^r} into solving over F_{2^d}. SDA achieved this by selecting a random differential x' and then finding a new map P̃(x̄), which takes F_{2^d}^n to F_{2^r}^m. So x̄ is assumed to be in F_{2^d}^n, where F_{2^d} is a subfield of F_{2^r}. As each quadratic in P has coefficients only in F_2, and x' is a vector of random degree r/d - 1 polynomials from that quotient ring, by multiplying out P̃(x̄) and collecting terms by the powers of T, we have the following: a random quadratic system Q_0(x̄) of m equations for when T is raised to the power 0, which is just 1,
and r/d - 1 linear systems L_i(x̄), each of m equations, for T^i, i = 1, 2, and so on up to r/d - 1. So in SDA, to forge a signature for a given message y, which we decompose into the sum y_0 + y_1 T + ... + y_{r/d-1} T^{r/d-1}, where for each i, y_i is in the vector space F_{2^d}^m over that intermediate field, we first find the solution space of the system of (r/d - 1)·m linear equations L_i(x̄) = y_i over F_{2^d}, and then over that solution space we try to find a solution to the m quadratic equations Q_0(x̄) = y_0. However, with the choice of prime r, even with just r = 7, the only available subfield is F_2, which is too small to find a solution to all of these equations for the chosen parameter sets.

Now to visualize this, this is what the original public key P looked like. P was taking a very large domain into a relatively small range, and so you would always expect to have at least one solution. However, in the SDA attack, we were limiting our domain to what's highlighted in green, and this is smaller than the range, so we would not expect a solution to exist.

Nested subset differential attack. The nested subset differential attack, NSDA, solves this issue by utilizing a larger subset of the domain to search for a signature in, and we will search in a more systematic manner than simply randomly choosing a differential. First, we'll define s-truncation. For s between 0 and r - 1, we define the s-truncation of an element a to be what we get when we limit the powers of T to at most s. So originally they could go up to r - 1, and now we limit them to s. We define the s-truncation of a polynomial to be the term-by-term s-truncation of its coefficients, and the s-truncation of a system of polynomials to be the s-truncation of each polynomial individually.
The subset we will search in will be the following, E^n, where each of the polynomials is truncated to the third power. Now if you look at this set, the domain is much larger than the range again.

Now let's look at a lemma on lifted polynomials. Let f, which takes F_{2^r}^n to F_{2^r}, be a lifted quadratic in the following form, and let A_0, A_1, up to A_{L-1} be elements of F_2^n. We have that f(A_0 + A_1 T + ... + A_{L-1} T^{L-1} + x T^L) takes the following form. All the quadratic terms will be coefficients of T^{2L}. The linear terms are coefficients of T^L, T^{L+1}, up to T^{2L-1}. And the coefficient of T^h depends only on the original coefficients alpha and beta, and on the A_k for k less than or equal to h; when k is greater than h, they'll also depend on x. This can be shown by simply expanding out and collecting the powers of T for this polynomial.

Using the previous lemma, we will construct a signature for y, where again we decompose y into the following sum, with the y_i being the coefficients in the subfield vector space, piece by piece using differentials. However, instead of choosing the differentials randomly like in SDA, we'll instead solve for them one after the other. For r = 7, this can be done in four steps. For our attack to be efficient, we want to always solve no more than m quadratic equations over F_2 with at least as many variables as equations. Throughout, x̄ will be an indeterminate point in F_2^n. First, we construct the following system of equations, where we've taken the 0-truncation of P at x̄, and each of the Q's is a quadratic polynomial over F_2. We let A_0 be a solution to the Q's equal to y_0, which is this term here.
So we just solve this system of quadratic equations over F_2. Second, we look at the 1-truncation of P(A_0 + x̄ T), which takes the following form, where each of the L's is a linear equation, and we let A_1 be a solution to that linear system. Third, we construct the 2-truncation of P(A_0 + A_1 T + x̄ T^2), and we solve this linear system here, and we let A_2 be a solution to that linear system. Finally, we set A = A_0 + A_1 T + A_2 T^2 and construct P(A + x̄ T^3), and we try to find a solution to all of this over F_2^n. We do this by finding the solution space S for the system of linear equations first, and then we let A_3 be a solution to the system of quadratic equations over this solution space. We then have that P(A_0 + A_1 T + A_2 T^2 + A_3 T^3) = y.

Now, NSDA will be successful provided each of the systems of equations we try to solve does have a solution. As the fourth step's quadratic system is the one with the fewest variables, having first solved the 3m linear equations, its probability of success is what we estimate, treating the quadratic system as a random function. We see that for the parameters given, we'll find a solution, and the way we estimate this probability of success is found in our paper.

Now, the most costly part of NSDA is solving the quadratic system in step one and the quadratic system in step four. As these will be underdetermined systems over F_2, a rough estimate of the complexity required is log_2(n) · 2^(n+2) field multiplications for each system using the exhaustive search method, where n is the number of equations involved. This is far below the necessary complexity for each level. In fact, the complexity for the level one parameter set is so low that a practical attack is possible against it.
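An added check of the lemma on lifted quadratics for r = 7 and L = 3 (example code, not from the paper or the LUOV submission), which is the property that makes steps two and three of the procedure above linear and leaves quadratic terms only in steps one and four. Elements of F_{2^7} are 7-bit integers with bit k the coefficient of T^k; the modulus T^7 + T + 1 is an assumed choice of irreducible polynomial, and the sample coefficient vectors are constructed.

```python
# Added example (not from the paper): checks the lemma on lifted quadratics
# over F_{2^7} = F_2[T]/(T^7 + T + 1), the field of LUOV's r = 7 parameter sets.
import random
from functools import reduce
from operator import xor

rng = random.Random(7)      # seeded; only used to draw constructed coefficients
R, G = 7, 0b10000011        # degree r and the modulus T^7 + T + 1 (assumed choice)
L = 3                       # NSDA's truncation step for r = 7, so that 2L = r - 1

def gf_mul(a, b):
    # carry-less multiply of bit vectors (bit k = coefficient of T^k), mod G
    z = 0
    while b:
        z ^= a if b & 1 else 0
        a, b = (a << 1) ^ (G if a >> (R - 1) else 0), b >> 1
    return z

def lifted_quadratic(n):
    # alpha_ij, beta_i, gamma all in F_2, as in a lifted LUOV polynomial
    alpha = {(i, j): rng.randrange(2) for i in range(n) for j in range(i, n)}
    return alpha, [rng.randrange(2) for _ in range(n)], rng.randrange(2)

def evaluate(f, x):
    # f(x) for x in F_{2^r}^n; field addition is XOR (characteristic 2)
    alpha, beta, gamma = f
    terms = [x[i] for i, b in enumerate(beta) if b]
    terms += [gf_mul(x[i], x[j]) for (i, j), a in alpha.items() if a]
    return reduce(xor, terms, gamma)

def nested_point(As, xbar):
    # A_0 + A_1 T + ... + A_{L-1} T^(L-1) + xbar T^L, coordinate-wise, with
    # every A_k and xbar a bit vector in F_2^n (so no degree ever reaches r)
    return [sum(As[k][i] << k for k in range(len(As))) | (xbar[i] << L)
            for i in range(len(xbar))]

def lemma_holds(f, As, x1, x2):
    # the three claims of the lemma, checked on bit vectors x1, x2 and x1 + x2
    n = len(x1)
    z0, z1, z2 = (evaluate(f, nested_point(As, x)) for x in ([0] * n, x1, x2))
    z12 = evaluate(f, nested_point(As, [a ^ b for a, b in zip(x1, x2)]))
    low = (1 << L) - 1                    # coefficients of T^0 .. T^(L-1)
    mid = ((1 << 2 * L) - 1) ^ low        # coefficients of T^L .. T^(2L-1)
    independent = (z0 & low) == (z1 & low) == (z2 & low)   # no xbar dependence
    affine = (z12 ^ z1 ^ z2 ^ z0) & mid == 0               # g(x+y)=g(x)+g(y)+g(0)
    quad_f2 = sum(a & x1[i] & x1[j] for (i, j), a in f[0].items()) & 1
    quadratic = (z1 >> (2 * L)) & 1 == quad_f2            # T^(2L): only xbar_i xbar_j
    return independent, affine, quadratic
```

The T^(2L) coefficient equals the homogeneous quadratic part of f evaluated at x̄ over F_2, independent of the A_k, which is why the fourth step reduces to m quadratic equations over F_2.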
We ran an experimental attack against a public key with level one parameters, and we were able to forge a signature in 210 minutes. For further details, please refer to our paper.

Conclusion. We have proposed a modified version of the subfield differential attack, called the nested subset differential attack, which fully breaks half the parameter sets put forward by the round two version of lifted unbalanced oil and vinegar. We reduce attacking these parameter sets to the problem of solving quadratic equations over the prime field F_2. This makes our attack effective enough to be performed practically. Thank you for watching the video. We would like to show our appreciation for the support by the Taft Fund, NIST, and the NSF. Please have a good one.