 Hi, my name is Morten and this talk will focus on the dub encroaching scheme, so we'll see how to estimate the grief opal normials, and then we will propose a new attack that breaks this scheme. So the techniques that we present here will also be relevant to other multivariate constructions, and particularly the big field schemes. So this has been a joint work with Patrick Felke and H. H. R. Adem. So first we'll introduce multivariate encryption schemes, we'll focus on the dub encryption scheme. So typically you will have a system of quadratic polynomial equations, and we'll let the field be gf2 in this case. So to encrypt you simply evaluate your polynomial system on the plaintext you have, which gives you this hypertext. For decryption you have to solve this resulting system. Essentially inverting this to recover your plaintext. So the benefits are post-quantum security, efficient encryption, and typically small hypertexts. The drawbacks however are could be large public keys, decryption are often inefficient depending on the scheme, and the security is also very hard to get right, especially for multivariate encryption schemes. So this is sort of the standard setup for big field encryption schemes. So you choose two invertible matrices, and then you have your extension field isomorphism. So you start by kind of applying one of your matrices, then you go up to the extension field, now you apply some sort of simple function, polynomial over your extension field, and this is chosen such that it's easy to invert, then you go down again and apply your last matrix. So composing everything from left to right will give you your public key, and these polynomials will now be quadratic if you have chosen your f to be, yeah if you have chosen your f properly. So the idea for Macquario-Ra and Patara was to choose the double team polynomial, double team permutation for f, and you may note that sort of this polynomial in and of itself will have a high degree, but what the authors show is that you can find kind of given the the ciphertext you are able to find a polynomial equation with low degree, which you can then use for decryption, so where it's easy to sort of find roots. So that means that all of these maps in this construction are invertible, and sort of inverting it piecewise will be how you decrypt. Now if you take f kind of, if you use this as is and take f as your public key, then this would have been insecure. So it's unfortunately it's like an unavoidable consequence when you are choosing f like this, that there are degreeful polynomials as they called. So in this case they will be the degreeful polynomials at degree three, meaning that there are combinations where we take our quadratic public key, df's, multiply it with certain linear forms, and you'd a priori expect this to be of degree three, however this is actually of degree two, and this is, this makes it that much more vulnerable to ground the basis attacks, which is essentially, essentially how you are able to solve this as an attacker. So in order to kind of avoid this or hide these degreeful polynomials, you typically modify it. So we'll talk about the two types of modifiers that's used in the Dover encryption scheme. First one is the internal perturbation IP. So now you choose k linear forms, v i's, and then you sort of add quadratic combinations of them to your public key. So sort of if f is your old public key, you add quadratic combinations and this leaves you with kind of the new modified public key. The other modifier which is used in conjunction with the IP is q plus. So now you choose t random quadratic polynomials, the q's, and now you add linear combinations of them to the public key much in the same way as you did above. And these modifiers will be secret only known to the owner of the secret key. And how you decrypt now is that you sort of guess correct values for these linear forms as well as these quadratic polynomials. So for each such guess, you essentially end up with kind of your f system again, and we saw how to decrypt that in the previous slide. So that also means that you can choose too many of the modifiers because this definitely increases your decryption time. And also if an attacker is able to somehow retrieve the modifiers, that would have broken the system. So the modifiers doesn't, ah yes, and just to give you an idea of the suggested 8-bit parameters, they choose sort of d to be 129 and t and k. So that's your linear forms and quadratic polynomials are to be 6. So adding these modifiers, I mean it doesn't completely remove the degree faults from the system, but it typically sort of forces them to appear at a higher degree. So the idea is that if you add enough of them, the degree faults will only appear at such a high degree that it's infeasible to compute. So now we sort of go into trying to estimate how many of these degree fault polynomials there will be. So first of all, we'll estimate when they will appear, at which degree they will appear, which is typically known as the first fault degree. But we'll also go a bit further and kind of estimate the total number that we expect to find. So since you only care about the degree fault polynomials now, we'll work with homogeneous ideals and graded rings. We'll kill off all the squares and sort of for any polynomial, we'll just consider the leading form. So that's the highest degree part. And then we'll define sort of the ideal of the public key. So that's the quadratic parts of all these public polynomials. And we also define the modifier ideal, which could then be both the IP combinations and Q plus combinations, only the quadratic parts. And then PL will denote the degree part of the ideals. So for example, P3 will be sort of the quadratic public keys as well as any linear combinations of them. So let's kind of recall how we actually defined our public key. So we had, then again, now we kind of only care about this, the quadratic part of it. So we do have this original public key, the unmodified public key fi. And now we add kind of combinations that are kind of random coming from Q plus and IP. And this is how you get your modified public key. So we recall a kind of, there were a lot of these degree fault polynomials. So we know that there are these combinations where you can kind of multiply with the F polynomials that will sum to zero, since we're only caring about the highest degree part. So if you do take these combinations, these G combinations, and now put P in place of F here, that will get us something. So by definition, the F parts sums to zero and we're left with something that's only, depending on the, that's depending on the modifiers that I would be in the modifier ideal. So sort of a first observation is that if you have a lot of these degree fault polynomials and the dimension of your modifier ideal at a certain degree is not that high, then you would still kind of expect to see the degree fault polynomials even in the modified system. So this is sort of the intuition we have for this sort of first formula estimating these degree fault polynomials. So for a degree new, we kind of look at S and F, which will be sort of the non-trivial sysgis of the degree fault polynomials in the unmodified systems, we count them first. M is the modifier ideal, so that I mentioned there. And then P and M is sort of a correction component as we've written here. So we don't want to count things twice and at some degrees there will be some overlap between M and P. So that's that sort of things. But the main idea is sort of that at least the smaller degrees, all of these components can be computed. So this can be computed by looking at this sort of simple description over the extension field of the double-timp polynomial. And M is also relatively easy to compute because you assume, because the modifiers are randomly chosen, so you can assume some generosity of them on them. Right. So this is not the only estimate we can sort of think of. Up to now we kind of assumed that all of these original degree fault polynomials plays a part, but we can also have an estimate where we only consider certain subsets of them. So the kind of benefit to this is that now we don't have to remove everything from the modifier ideal, but kind of only certain subideals of that. And sometimes that is a good trade-off. So just to mention that, then we'll kind of denote them with kind of different numbers here and kind of see the paper for more information. So essentially at kind of at each degree you get a finite amount of these estimates that we saw an example of on the last slide. And then we take kind of at each degree the largest of these estimates is what we expect to be, the degree fault polynomials that we'll find. And if all of them are negative, then we simply expect there to be no one. So to give you an example, this is how it looks for degree three. So this is kind of the estimate where we count everything. So then we do have 2D degree fault polynomials in the unmodified system, and this is how the modifier ideal looks like. So this is the contribution from IP and this is the contribution from Q+. If you go up to degree four, things look a little bit more messy, but it's still kind of reasonable. So this part sort of mostly grows by a factor N. The modifier ideal gets a little bit more complicated, but you still have kind of clearly defined this is the contribution from Q+, from IP, and now we sort of have to not count things twice, essentially. And at this degree, we also get some of this extra component. We actually didn't get that degree three. But here this will be D. In this case, this will be the number of public polynomials. And T plus Q choose two will be the number of kind of quadratic modifier polynomials. So it's actually just multiplying those polynomials together. And we kind of come back to this, this part later, this will be important. So we can see that, like, how does this actually look in reality, are they, are these formulas capturing it? The answer seems to be yes. So here each row is an experiment. These four first row columns will be different parameters. This is what we predict from our formulas. So we have kind of written out these formulas up to degree five. And kind of this is the number that we predict. And this is the number that we get from kind of running these experiments. And so the first observation is that these numbers always agree with each other. And another observation, and I also mentioned that kind of this is not just these few experiments we've actually run. I think we have almost four pages full of tables like this in the extended version of the paper. So like for all the experiments we run, these formulas are actually exact. So here we also see that different kind of formulas, different of these estimates become dominating, depending on the parameters. And lastly, we also note that we have D, which is the number of public polynomials, as well as the degree of the field extension. But we also have N, which will be the number of variables. And now in the dub encryption scheme, these are the same. But we do allow for N to be smaller than D, as we can see here. So that would mean that an attacker kind of guesses the values of some of the variables, which is known as a sort of hybrid attack. So here we see that kind of, and kind of guessing values like this changes the number of the griffel polynomials. But we see that our formulas are still exact, even in these cases. Right. So after this point, we have kind of categorized the number of degree of polynomials, at least up to degree five. And we also have categorized this for the hybrid method, this kind of guess and then when Grubbner basis algorithm. And already this is kind of enough to say something about how easy it is to run these Grubbner basis attacks. But we'll go a bit further and kind of use all this knowledge to propose a new attack on this scheme. So recall at degree four, we had this formula here. And we also had this kind of correction component, which was said was this or the number of public polynomials D times the number of quadratic modifier polynomials. But what happens if we add a randomly chosen quadratic polynomials PR to the system? So then we actually expect this D part to grow with one. And this is actually, this is both what we expect kind of from the theory. And this is what we are seeing in practice as well. Because this means the kind of, since we've added this to the system, then we also kind of get these combinations, all the quadratic modifier polynomials times this new polynomial. So in some sense, this cancels out from this dimension, because it's all very available in the system. And what that means is that now we can kind of do the computations, go up to compute the Griffel polynomials. And then we'll look at how does this new sort of random element contribute in making these the Griffel polynomials. And it turns out that kind of, because from what we discussed, this will be kind of, it's multiplied with these modifier polynomials. So essentially, if you are able to go up and compute the Griffel polynomials, you do learn something about these secret modifiers. Now, this is a slight simplification. You also get like trivial CCGs, but we'll deal with that kind of in more, more detail in the paper. So we do learn something about the secret modifiers. However, it's kind of, this might still be quite difficult to compute directly, because it's a high, maybe a high degree, a large number of variables and all that sort of stuff. So our solution to that is actually setting some of the variables to zero, just to zero. So let's make it easier. I mean, there's less variables. And from our formulas, we also saw that this can sometimes mean that the first full degree is smaller. And the idea is that kind of, we do have these set of variables, we set all of them to zero. So that's what this notation mean. So that's just the polynomial GI or everything. All of these are set to zero. And we see that the same observation really holds. So we kind of get these, the Griffel polynomials, even in this projected system, we do have the same thing. So we learn, we still learn something about kind of these local polynomials, these secret modifier polynomials that's been projected. So if we can kind of do this for different variable sets, we are able to kind of glue together these different local polynomials and kind of get the global modifier polynomial, which is what we wanted in the first place. So instead of kind of doing everything at once, we are projecting along sort of much smaller sets, and we are able to kind of glue together and recover these polynomial. So for more details on how we actually do that, you can look up in the paper. And this is really saving a lot of time and memory. So for example, for the 80-bit suggested 80-bit parameters, we're actually able to set over half the variables to zero, kind of using these ideas. So this is a very, very simplified overview of the pack. You do choose certain variable sets after some rules. You kind of form this extended system by adding this randomly chosen polynomial. Now for each of these sets, you kind of project, you set all the variables here to zero, and then you kind of go up, compute the griffel polynomials, which will give you these sort of local and projected modifiers. And now once you've collected all of them from all the different variable sets, you kind of glue them all together to find the quadratic form of these secret modifiers. What we find is that for the IP modifier, we are able to recover everything, even like the linear forms. So we are completely breaking that sort of modifier. For the Q plus, we actually only learn the quadratic part, but we don't learn the linear part of it. So in a sense, you could say that we learn the most important part, but not quite everything. So how does this look for the suggested 80-bit parameters? So we call that this, here they are. So we are able to kind of run the attack described on the previous slide, kind of retrieve this quadratic form of the modifiers after using 2 to the power of 63 operations. And kind of using this information, we sort of, using a naive method, we kind of guess values for the modifiers, and then you sort of do add them to your system and then run Grubner basis. This will require about kind of, in between this, between 2 to the power of 67 and 2 to the power of 77 operations. So that depends on how fast you're able to do your linear algebra. And the reason why it still takes a little bit of time is that it's kind of, you lack this linear part of the Q plus modifier. So that's the only thing holding us back. So we don't write anything more about this in the paper, but this might presumably be even more improved, say for example, using rank techniques or something like that. So I do really think that 2 to the power of 63 is sort of the security that this system actually has. Right, so concluding. The attack that we do have break the suggested parameters for the dub encryption scheme. And I'm not really sure how to kind of make things, change things, tweak things such that it's secure and efficient. So I mean, you could obviously just apply, you know, a lot more modifiers, but that really ruins your decryption time. So as I briefly mentioned in the beginning, the ideas could also be applied to other central maps, typically a C star and the HV, for example, and other modifiers where minus vinegar and projection are very popular ones. So this is all very effective against multivariate encryption schemes, but signature schemes or signature big field schemes can easily be sort of protected against this for here. So here you can, for example, choose the significant amount of minus without while still being effective. So that is one way to do it. And that was it.