A Ciphertext-Only Attack on Polly Two

Rainer Steinwandt

(Florida Atlantic University)

Algebraic Methods in Cryptography 2005

Polly Cracker

- Conceptual public key encryption scheme introduced by Fellows and Koblitz (‘94)

- Basic idea over F_q[x] := F_q[x_1, …, x_n]:
  - Public key: finite basis of ideal I ≤ F_q[x]
  - Secret key: common root ξ ∈ V(I)
  - Encrypting m ∈ F_q: choose representative of m + I
  - Decrypting c ∈ F_q[x]: evaluate c at ξ

- Can we get an encryption scheme out of this?

Security of Polly Cracker

- Polly Cracker is by definition homomorphic, so we can’t expect IND-CCA
  (S., Geiselmann: CCA easily reveals ξ)

- IND-CPA has not been achieved so far: no security proofs for encryption, various successful attacks, e.g.,
  - intelligent linear algebra (Lenstra)
  - differential attack (Hofheinz, S.)
  - improved diff. attack (Levy-dit-Vehel, Perret)

- Can we obtain an efficient heuristic scheme?


A Proposal Resistant to Lin. Alg.

Levy-dit-Vehel, Perret ‘04: “Reasonably efficient” Polly Cracker system based on 3-SAT:

- elaborate key generation
- encryption procedure designed to resist intelligent linear algebra attack,
- … but the authors note that “the attack … and the improvement we have described… apply to our system too.”

Polly Two

Ly (‘02) proposes a new related scheme:

- Domain parameters: g_1, …, g_t ∈ F_q[x] s.t. the kernel of
  φ: F_q[y] → F_q[x], y_i ↦ g_i
  can be computed easily (syzygies of the g_i)

- Public key: sparse generators of I ≤ F_q[y]

- Secret key: ξ ∈ F_q^n with (g_i(ξ))_i ∈ V(I) and (g_1 ∙ … ∙ g_t)(ξ) ≠ 0

- “Challenge example”: n = 4, t = 11, q = 2^23, tdeg(g_i) = 2

Polly Two (cntd.)

Encrypting m ∈ F_q with public basis {f_1, …, f_s}:

1. Fix random h_i := α_i ∙ y^{η_i} with monomials in c’’ := Σ h_i f_i getting canceled.

2. For each monomial of c’’ find a ker(φ)-element canceling it. In c’ := c’’ + r (with r ∈ ker(φ)) none of c’’ ‘s monomials should occur.

3. Choose monomial y^κ in c’ to get ciphertext c := (c’ + m ∙ y^κ, κ)

Decryption: evaluate at g(ξ) & divide by g(ξ)^κ
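The three encryption steps and the decryption rule above, worked through on a constructed toy instance. This is an added example, not code from Ly’s paper or from the talk: the modulus q = 10007, the n = 2 variables, the t = 4 domain parameters (x1, x2, x1·x2, x1²) with their two syzygies, the secret root ξ = (3, 5) and the two hand-written public polynomials are all assumptions chosen so the algebra can be followed by hand. The point to observe is that both hidden summands, c’’ = Σ h_i f_i and the ker(φ)-part r, vanish at g(ξ), so c(g(ξ)) = m ∙ g(ξ)^κ and decryption is one evaluation and one division, exactly as in the basic Polly Cracker slide.

```python
import random

Q = 10007   # constructed toy prime modulus (the challenge uses q = 2^23; any prime works here)
N_X = 2     # number of x-variables (n)
T = 4       # number of domain parameters g_i (t)

# Polynomials are dicts {exponent tuple: coefficient mod Q}; zero coefficients are dropped.
def padd(a, b):
    out = dict(a)
    for e, c in b.items():
        out[e] = (out.get(e, 0) + c) % Q
    return {e: c for e, c in out.items() if c}

def pmul(a, b):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(i + j for i, j in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % Q
    return {e: c for e, c in out.items() if c}

def peval(a, point):
    total = 0
    for e, c in a.items():
        term = c
        for v, k in zip(point, e):
            term = term * pow(v, k, Q) % Q
        total = (total + term) % Q
    return total

# Domain parameters g = (x1, x2, x1*x2, x1^2); their syzygies generate ker(φ).
X1, X2 = {(1, 0): 1}, {(0, 1): 1}
GS = [X1, X2, pmul(X1, X2), pmul(X1, X1)]
SYZ = [{(1, 1, 0, 0): 1, (0, 0, 1, 0): Q - 1},   # y1*y2 - y3
       {(2, 0, 0, 0): 1, (0, 0, 0, 1): Q - 1}]   # y1^2 - y4

def phi(r):
    """The ring map φ: F_q[y] -> F_q[x], y_i -> g_i, applied to r; r ∈ ker(φ) iff phi(r) == {}."""
    out = {}
    for e, c in r.items():
        term = {(0,) * N_X: c}
        for g, k in zip(GS, e):
            for _ in range(k):
                term = pmul(term, g)
        out = padd(out, term)
    return out

# Secret key: ξ with (g_1 ∙ … ∙ g_t)(ξ) ≠ 0.  Public key: sparse f_i ∈ F_q[y] with f_i(g(ξ)) = 0,
# written down by hand for this toy (a real key generator would hide ξ far better).
XI = (3, 5)
G_XI = [peval(g, XI) for g in GS]                                   # (3, 5, 15, 9)
PUB = [{(1, 0, 1, 0): 1, (0, 0, 0, 1): 1, (0, 0, 0, 0): Q - 54},   # y1*y3 + y4 - 54
       {(0, 1, 0, 1): 1, (1, 0, 1, 0): Q - 1}]                     # y2*y4 - y1*y3

def random_term(rng, max_deg=3):
    return {tuple(rng.randrange(max_deg + 1) for _ in range(T)): rng.randrange(1, Q)}

def encrypt(m, rng):
    # 1. c'' := Σ h_i f_i with random terms h_i = α_i ∙ y^η_i
    c2 = {}
    for f in PUB:
        c2 = padd(c2, pmul(random_term(rng), f))
    # 2. c' := c'' + r with r ∈ ker(φ): term multiples of the known syzygies.
    #    (Ly's scheme picks r so that every monomial of c'' is canceled; this toy only
    #    demonstrates the algebra and does not attempt that cancellation.)
    r = {}
    for s in SYZ:
        r = padd(r, pmul(random_term(rng), s))
    c1 = padd(c2, r)
    # 3. pick a monomial y^κ occurring in c' and add m ∙ y^κ; κ is sent in the clear.
    kappa = max(c1)
    return padd(c1, {kappa: m % Q}), kappa, c2, r

def decrypt(c, kappa):
    # c(g(ξ)) = c''(g(ξ)) + r(g(ξ)) + m ∙ g(ξ)^κ = 0 + 0 + m ∙ g(ξ)^κ
    g_kappa = 1
    for v, k in zip(G_XI, kappa):
        g_kappa = g_kappa * pow(v, k, Q) % Q
    return peval(c, G_XI) * pow(g_kappa, -1, Q) % Q

def roundtrip(m, seed=1):
    c, kappa, _, _ = encrypt(m, random.Random(seed))
    return decrypt(c, kappa)

def intermediate_parts_vanish(seed=1):
    """Both hidden parts evaluate to 0 at g(ξ): c'' because f_i(g(ξ)) = 0, r because r ∈ ker(φ)."""
    _, _, c2, r = encrypt(0, random.Random(seed))
    return peval(c2, G_XI) == 0 and phi(r) == {} and peval(r, G_XI) == 0

if __name__ == "__main__":
    print(roundtrip(4321), intermediate_parts_vanish())
```

Step 2 of the scheme (choosing r so that no monomial of c’’ survives in c’) is deliberately not reproduced; the toy picks r as random term multiples of the syzygies, which is enough to show why decryption works and why the ker(φ)-part is the only thing standing between the ciphertext and c’’.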

Design Rationale

- sparse high-degree public polynomials impede direct Gröbner basis computation (cf. ENROOT)
- addition of ker(φ)-element hampers linear algebra attack
- message expansion more or less acceptable

⇒ promising proposal to dodge known attacks

… is “the list” complete?

Grassl, S. ‘04: low-degree elements in radical of public ideal allow to solve 1st challenge

“Challenge #2”

- Domain param.: 11 quadratic binomials over F_{2^23}
- Public basis: 4 trinomials, total deg. 128, 11 indeterminates
- Ciphertext c: 126 terms, total deg. 256 (intermediate ciphertext c’’: ≤ 6 terms)
- Goal of attack: reconstruct encryption step, no recovery of secret (or equivalent) key

Recovering the ker(φ)-Part

- All terms of the ker(φ)-elements canceling terms in Σ h_i f_i should occur in c, up to
  - the canceled term
  - (- a term involving y^κ)

⇒ omit y^κ term from ciphertext c & identify terms of the ≤ 6 ker(φ)-elements

How can we find the terms of a syzygy?


Choice of ker(φ)-Polynomials

Likely construction for ker(φ)-elements used in encryption: multiply low-degree syzygy with a term α ∙ y^η

⇒ fix a term β ∙ y^σ of y^κ-free ciphertext ĉ and compute multiset
  {gcd(y^σ, y^π) : y^π ≠ y^σ a monomial in ĉ}

⇒ high multiplicity (say > 10) yields y^η-candidate

Challenge: 137 candidates for y^η … only 22 after removing multiples

Finding the Terms of a Syzygy

- Given a y^η-candidate, we can find the terms
  {β ∙ y^σ : β ∙ y^σ is a term of ĉ divisible by y^η}.

- … summing (almost) all of them up should yield “a ker(φ)-element up to one term”.

How can we check whether a polynomial is a “syzygy up to one term”?

Validating an “Almost Syzygy” r

- … in principle: evaluate r at g(x) & check whether r(g_1(x), …, g_t(x)) is (up to a const.) a power product of the g_i

- … in practice: specialize some x_j’s to constants before trial division.

- In this way we find the missing term, too (& can validate through repeated evaluation).

… Indeed It Works

Applying the idea to the challenge:

- Candidate term sets have ≈ 20 terms & adding one of these sets up yields 1st syzygy
- subtract syzygy from ĉ & iterate
- Five syzygies can be found easily, leaving us with a simplified ĉ consisting of 27 terms.

Recovering the Secret Terms h_i

- Tempting: Apply “differential attack” of Hofheinz and S. to simplified ĉ
  ⇒ yields only one term h_2

- … but a simple approach turns out to suffice: Remaining public key polynomials contain term with only two multiples in simplified ĉ.
  ⇒ recovery of all secret terms h_i

… Getting the Plaintext

- Subtracting Σ h_i f_i + found ker(φ)-part from the ciphertext yields (short) polynomial that up to the term -m ∙ y^κ is a syzygy.
- Complete missing term as before to get m.

Plaintext underlying the example: 308834

Conclusion?

- Ample evidence that present form of Polly Two is not cryptographically secure.
- Do we want Polly Two+ with a longer list […, linear algebra, differential attack, small degree in radical, this attack]?
- Need the assumptions underlying the encryption algorithm to be clarified?

Stronger Attacks?

- Design of encryption algorithm: hide c’’ = Σ h_i f_i (by adding a syzygy)
- This attack: “Playing with terms” reveals c’’
- Better approaches, e.g., interpolation?
  - c’’: sparse multivariate polynomial over F_q
  - #terms in c’’ can be guessed
  - bounding tdeg(c’’) not implausible

Sparse Interpolation?

- Evaluation of c’’ + m ∙ y^κ: possible on the variety parameterized by the domain parameters g_1, …, g_t.
- Question: Under which assumptions is this kind of interpolation problem feasible?