A Ciphertext-Only Attack on Polly Two
Rainer Steinwandt (Florida Atlantic University)
Algebraic Methods in Cryptography 2005

Polly Cracker
• Conceptual public key encryption scheme introduced by Fellows and Koblitz (‘94)
• Basic idea over $\mathbb{F}_q[x] := \mathbb{F}_q[x_1,\dots,x_n]$:
  Public key: finite basis of ideal $I \le \mathbb{F}_q[x]$
  Secret key: common root $\xi \in V(I)$
  Encrypting $m \in \mathbb{F}_q$: choose representative of $m+I$
  Decrypting $c \in \mathbb{F}_q[x]$: evaluate $c$ at $\xi$
Can we get an encryption scheme out of this?

Security of Polly Cracker
• Polly Cracker by definition homomorphic, so we can’t expect IND-CCA
  (S., Geiselmann: CCA easily reveals $\xi$)
• IND-CPA has not been achieved so far: no security proofs for encryption, various successful attacks, e.g.,
  – intelligent linear algebra (Lenstra)
  – differential attack (Hofheinz, S.)
  – improved diff. attack (Levy-dit-Vehel, Perret)
Can we obtain an efficient heuristic scheme?
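
A toy instance of the basic idea and of the homomorphic property noted above, as an added example that is not part of the original slides. It assumes a small prime field ($p = 101$) and three indeterminates, and the key generation (public $f_j = g_j - g_j(\xi)$) is an illustrative choice, not a proposal from the talk.

```python
import random

P, N = 101, 3   # assumed toy parameters: prime field F_101, three indeterminates
ONE = (0,) * N  # exponent vector of the constant monomial

def add(a, b):
    """Sum of two polynomials stored as {exponent tuple: coefficient mod P}."""
    out = dict(a)
    for mono, coef in b.items():
        out[mono] = (out.get(mono, 0) + coef) % P
    return {m: c for m, c in out.items() if c}

def mul(a, b):
    """Product of two polynomials in the same representation."""
    out = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            mono = tuple(i + j for i, j in zip(ma, mb))
            out[mono] = (out.get(mono, 0) + ca * cb) % P
    return {m: c for m, c in out.items() if c}

def evaluate(poly, point):
    total = 0
    for mono, coef in poly.items():
        for x, e in zip(point, mono):
            coef = coef * pow(x, e, P) % P
        total = (total + coef) % P
    return total

def random_poly(rng, terms=3, maxdeg=2):
    poly = {}
    for _ in range(terms):
        mono = tuple(rng.randint(0, maxdeg) for _ in range(N))
        poly = add(poly, {mono: rng.randrange(1, P)})
    return poly

def keygen(rng, size=4):
    """Secret root xi; public f_j = g_j - g_j(xi), so every f_j vanishes at xi."""
    xi = tuple(rng.randrange(P) for _ in range(N))
    basis = []
    for _ in range(size):
        g = random_poly(rng)
        basis.append(add(g, {ONE: -evaluate(g, xi) % P}))
    return basis, xi

def encrypt(rng, basis, m):
    """Representative of m + I: c = m + sum_i h_i * f_i with random h_i."""
    c = add({}, {ONE: m % P})
    for f in basis:
        c = add(c, mul(random_poly(rng), f))
    return c

def decrypt(c, xi):
    return evaluate(c, xi)  # every multiple of an f_j contributes 0 at xi
```

Sums and products of ciphertexts decrypt to sums and products of the plaintexts, which is why anyone holding only the public key can maul a ciphertext and IND-CCA is out of reach.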

A Proposal Resistant to Lin. Alg.
Levy-dit-Vehel, Perret ‘04: “Reasonably efficient” Polly Cracker system based on 3-SAT:
• elaborate key generation
• encryption procedure designed to resist intelligent linear algebra attack
… but the authors note that “the attack … and the improvement we have described… apply to our system too.”

Polly Two
Ly (‘02) proposes a new related scheme:
• Domain parameters: $g_1,\dots,g_t \in \mathbb{F}_q[x]$ s.t. kernel of $\varphi: \mathbb{F}_q[y] \to \mathbb{F}_q[x],\ y_i \mapsto g_i$ can be computed easily (syzygies of the $g_i$)
• Public key: sparse generators of $I \le \mathbb{F}_q[y]$
• Secret key: $\xi \in \mathbb{F}_q^n$ with $(g_i(\xi))_i \in V(I)$ and $(g_1 \cdots g_t)(\xi) \ne 0$
“Challenge example”: $n=4$, $t=11$, $q=2^{23}$, $\mathrm{tdeg}(g_i)=2$

Polly Two (cntd.)
Encrypting $m \in \mathbb{F}_q$ with public basis $\{f_1,\dots,f_s\}$:
1. Fix random $h_i := \alpha_i \cdot y^{\eta_i}$ with monomials in $c'' := \sum h_i f_i$ getting canceled.
2. For each monomial of $c''$ find a $\ker(\varphi)$-element canceling it. In $c' := c'' + r$ (with $r \in \ker(\varphi)$) none of $c''$’s monomials should occur.
3. Choose monomial $y^\kappa$ in $c'$ to get ciphertext $c := (c' + m \cdot y^\kappa, \kappa)$
Decryption: evaluate at $g(\xi)$ & divide by $g(\xi)^\kappa$

Design Rationale
• sparse high-degree public polynomials impede direct Gröbner basis computation (cf. ENROOT)
• addition of $\ker(\varphi)$-element hampers linear algebra attack
• message expansion more or less acceptable
promising proposal to dodge known attacks … is “the list” complete?
Grassl, S. ‘04: low-degree elements in radical of public ideal allow solving the 1st challenge

“Challenge #2”
• Domain param.: 11 quadratic binomials over $\mathbb{F}_{2^{23}}$
• Public basis: 4 trinomials, total deg. 128, 11 indeterminates
• Ciphertext $c$: 126 terms, total deg. 256 (intermediate ciphertext $c''$: ≤6 terms)
Goal of attack: reconstruct encryption step, no recovery of secret (or equivalent) key

Recovering the $\ker(\varphi)$-Part
All terms of the $\ker(\varphi)$-elements canceling terms in $\sum h_i f_i$ should occur in $c$ up to
– the canceled term
(– a term involving $y^\kappa$)
omit $y^\kappa$-term from ciphertext $c$ & identify terms of the ≤6 $\ker(\varphi)$-elements
How can we find the terms of a syzygy?

Choice of $\ker(\varphi)$-Polynomials
Likely construction for $\ker(\varphi)$-elements used in encryption: multiply low-degree syzygy with a term $\alpha \cdot y^\eta$
fix a term $\beta \cdot y^\sigma$ of $y^\kappa$-free ciphertext $\hat{c}$ and compute multiset
$\{\gcd(y^\sigma, y^\pi) : y^\pi \ne y^\sigma \text{ a monomial in } \hat{c}\}$
high multiplicity (say >10) yields $y^\eta$-candidate
Challenge: 137 candidates for $y^\eta$ … only 22 after removing multiples

Finding the Terms of a Syzygy
Given a $y^\eta$-candidate, we can find the terms
$\{\beta \cdot y^\sigma : \beta \cdot y^\sigma \text{ is a term of } \hat{c} \text{ divisible by } y^\eta\}$.
… summing (almost) all of them up should yield “a $\ker(\varphi)$-element up to one term”.
How can we check whether a polynomial is a “syzygy up to one term”?
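
The gcd-multiset step and the term collection from the last two slides, as an added example that is not part of the original talk. Monomials are exponent vectors; the support, the five "syzygy" monomials and the threshold of 3 are constructed stand-ins (the slides use >10 on the real challenge), and only the monomial bookkeeping is shown, not the validation by evaluation.

```python
from collections import Counter

def mono_gcd(a, b):
    """gcd of two monomials given as exponent vectors (componentwise minimum)."""
    return tuple(min(i, j) for i, j in zip(a, b))

def divides(a, b):
    """True if monomial a divides monomial b."""
    return all(i <= j for i, j in zip(a, b))

def eta_candidates(support, sigma, threshold):
    """gcds occurring more than `threshold` times in the multiset
    {gcd(y^sigma, y^pi) : y^pi != y^sigma a monomial of c-hat}."""
    counts = Counter(mono_gcd(sigma, pi) for pi in support if pi != sigma)
    return {g: k for g, k in counts.items() if k > threshold}

def terms_divisible_by(support, eta):
    """Monomials of c-hat divisible by the candidate y^eta: the suspected
    terms of a syzygy that was multiplied by alpha * y^eta."""
    return sorted(pi for pi in support if divides(eta, pi))

# Constructed sample in 4 indeterminates (not data from the challenge).
ETA = (3, 2, 0, 1)                     # hidden multiplier monomial y^eta
SYZYGY = [(1, 0, 0, 0), (0, 1, 0, 0),  # stand-in monomials of a low-degree
          (0, 0, 1, 0), (0, 0, 0, 1),  # syzygy (support only, coefficients
          (0, 0, 2, 0)]                # play no role in this step)
HIDDEN = [tuple(e + s for e, s in zip(ETA, t)) for t in SYZYGY]
NOISE = [(0, 5, 1, 0), (7, 0, 0, 3), (1, 1, 6, 0), (0, 0, 4, 4)]
SUPPORT = HIDDEN + NOISE               # monomials of the y^kappa-free c-hat
SIGMA = HIDDEN[0]                      # the fixed term y^sigma

if __name__ == "__main__":
    print(eta_candidates(SUPPORT, SIGMA, threshold=3))
    print(terms_divisible_by(SUPPORT, ETA))
```

From a designer's point of view the lesson is that multiplying a sparse low-degree syzygy by a single term leaves a common factor visible in the ciphertext's support, so the added kernel element does not hide itself.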

Validating an “Almost Syzygy” $r$
… in principle: evaluate $r$ at $g(x)$ & check whether $r(g_1(x),\dots,g_t(x))$ is (up to a const.) a power product of the $g_i$
… in practice: specialize some $x_j$’s to constants before trial division.
In this way we find the missing term, too (& can validate through repeated evaluation).

… Indeed It Works
Applying the idea to the challenge:
Candidate term sets have ≈20 terms & adding one of these sets up yields 1st syzygy
subtract syzygy from $\hat{c}$ & iterate
Five syzygies can be found easily, leaving us with a simplified $\hat{c}$ consisting of 27 terms.

Recovering the Secret Terms $h_i$
Tempting: Apply “differential attack” of Hofheinz and S. to simplified $\hat{c}$
yields only one term $h_2$
… but a simple approach turns out to suffice:
Remaining public key polynomials contain term with only two multiples in simplified $\hat{c}$.
recovery of all secret terms $h_i$

… Getting the Plaintext
Subtracting $\sum h_i f_i$ + found $\ker(\varphi)$-part from the ciphertext, yields (short) polynomial that up to the term $m \cdot y^\kappa$ is a syzygy.
Complete missing term as before to get $m$.
Plaintext underlying the example: 308834

Conclusion?
• Ample evidence that present form of Polly Two not cryptographically secure.
• Do we want Polly Two+ with a longer list […, linear algebra, differential attack, small degree in radical, this attack]?
• Need the assumptions underlying the encryption algorithm to be clarified?

Stronger Attacks?
Design of encryption algorithm: hide $c'' = \sum h_i f_i$ (by adding a syzygy)
This attack: “Playing with terms” reveals $c''$
Better approaches, e.g., interpolation?
• $c''$: sparse multivariate polynomial over $\mathbb{F}_q$
• #terms in $c''$ can be guessed
• bounding $\mathrm{tdeg}(c'')$ not implausible

Sparse Interpolation?
Evaluation of $c'' + m \cdot y^\kappa$: possible on the variety parameterized by the domain parameters $g_1,\dots,g_t$.
Question: Under which assumptions is this kind of interpolation problem feasible?