Hidden Field Equations

Last updated July 26, 2023

Hidden Fields Equations (HFE), also known as HFE trapdoor function, is a public key cryptosystem which was introduced at Eurocrypt in 1996 and proposed by (in French) Jacques Patarin following the idea of the Matsumoto and Imai system. It is based on polynomials over finite fields $\mathbb {F} _{q}$ of different size to disguise the relationship between the private key and public key. HFE is in fact a family which consists of basic HFE and combinatorial versions of HFE. The HFE family of cryptosystems is based on the hardness of the problem of finding solutions to a system of multivariate quadratic equations (the so-called MQ problem) since it uses private affine transformations to hide the extension field and the private polynomials. Hidden Field Equations also have been used to construct digital signature schemes, e.g. Quartz and Sflash.^[1]

Mathematical background

One of the central notions to understand how Hidden Field Equations work is to see that for two extension fields $\mathbb {F} _{q^{n}}$ $\mathbb {F} _{q^{m}}$ over the same base field $\mathbb {F} _{q}$ one can interpret a system of $m$ multivariate polynomials in $n$ variables over $\mathbb {F} _{q}$ as a function $\mathbb {F} _{q^{n}}\to \mathbb {F} _{q^{m}}$ by using a suitable basis of $\mathbb {F} _{q^{n}}$ over $\mathbb {F} _{q}$ . In almost all applications the polynomials are quadratic, i.e. they have degree 2.^[2] We start with the simplest kind of polynomials, namely monomials, and show how they lead to quadratic systems of equations.

Consider a finite field $\mathbb {F} _{q}$ , where $q$ is a power of 2, and an extension field $K$ . Let $0<h<q^{n}$ such that $h=q^{\theta }+1$ for some $\theta$ and gcd $(h,q^{n}-1)=1$ . The condition gcd $(h,q^{n}-1)=1$ is equivalent to requiring that the map $u\to u^{h}$ on $K$ is one to one and its inverse is the map $u\to u^{h'}$ where $h'$ is the multiplicative inverse of $h\ {\bmod {q}}^{n}-1$ .

Take a random element $u\in \mathbb {F} _{q^{n}}$ . Define $w\in \mathbb {F} _{q^{n}}$ by

w=u^{h}=u^{q^{\theta }}u\ \ \ \ (1)

Let $\beta _{1},...,\beta _{n}$ to be a basis of $K$ as an $\mathbb {F} _{q}$ vector space. We represent $u$ with respect to the basis as $u=(u_{1},...,u_{n})$ and $w=(w_{1},...,w_{n})$ . Let $A^{(k)}={a_{ij}^{(k)}}$ be the matrix of the linear transformation $u\to u^{q^{k}}$ with respect to the basis $\beta _{1},...,\beta _{n}$ , i.e. such that

\beta _{i}^{q^{k}}=\sum _{j=1}^{n}a_{ij}^{k}\beta _{j},\ \ a_{ij}^{k}\in \mathbb {F} _{q}

for $1\leq i,k\leq n$ . Additionally, write all products of basis elements in terms of the basis, i.e.:

\beta _{i}\beta _{j}=\sum _{l=1}^{n}m_{ijl}\beta _{l},\ \ m_{ijl}\in \mathbb {F} _{q}

for each $1\leq i,j\leq n$ . The system of $n$ equations which is explicit in the $w_{i}$ and quadratic in the $u_{j}$ can be obtained by expanding (1) and equating to zero the coefficients of the $\beta _{i}$ .

Choose two secret affine transformations $S$ and $T$ , i.e. two invertible $n\times n$ matrices $M_{S}=\{S_{ij}\}$ and $M_{T}=\{T_{ij}\}$ with entries in $\mathbb {F} _{q}$ and two vectors $v_{S}$ and $v_{T}$ of length $n$ over $\mathbb {F} _{q}$ and define $x$ and $y$ via:

u=Sx=M_{S}x+v_{S}\ \ \ \ w=Ty=M_{T}y+v_{T}\ \ \ \ (2)

By using the affine relations in (2) to replace the $u_{j},w_{i}$ with $x_{k},y_{l}$ , the system of $n$ equations is linear in the $y_{l}$ and of degree 2 in the $x_{k}$ . Applying linear algebra it will give $n$ explicit equations, one for each $y_{l}$ as polynomials of degree 2 in the $x_{k}$ .^[3]

Multivariate cryptosystem

The basic idea of the HFE family of using this as a multivariate cryptosystem is to build the secret key starting from a polynomial $P$ in one unknown $x$ over some finite field $\mathbb {F} _{q^{n}}$ (normally value $q=2$ is used). This polynomial can be easily inverted over $\mathbb {F} _{q^{n}}$ , i.e. it is feasible to find any solutions to the equation $P(x)=y$ when such solution exist. The secret transformation either decryption and/or signature is based on this inversion. As explained above $P$ can be identified with a system of $n$ equations $(p_{1},...,p_{n})$ using a fixed basis. To build a cryptosystem the polynomial $(p_{1},...,p_{n})$ must be transformed so that the public information hides the original structure and prevents inversion. This is done by viewing the finite fields $\mathbb {F} _{q^{n}}$ as a vector space over $\mathbb {F} _{q}$ and by choosing two linear affine transformations $S$ and $T$ . The triplet $(S,P,T)$ constitute the private key. The private polynomial $P$ is defined over $\mathbb {F} _{q^{n}}$ .^[1]^[4] The public key is $(p_{1},...,p_{n})$ . Below is the diagram for MQ-trapdoor $(S,P,T)$ in HFE

{\text{input}}x\to x=(x_{1},...,x_{n}){\overset {{\text{secret}}:S}{\to }}x'{\overset {{\text{secret}}:P}{\to }}y'{\overset {{\text{secret}}:T}{\to }}{\text{output}}y

HFE polynomial

The private polynomial $P$ with degree $d$ over $\mathbb {F} _{q^{n}}$ is an element of $\mathbb {F} _{q^{n}}[x]$ . If the terms of polynomial $P$ have at most quadratic terms over $\mathbb {F} _{q}$ then it will keep the public polynomial small.^[1] The case that $P$ consists of monomials of the form $x^{q^{s_{i}}+q^{t_{i}}}$ , i.e. with 2 powers of $q$ in the exponent is the basic version of HFE, i.e. $P$ is chosen as

P(x)=\sum c_{i}x^{q^{s_{i}}+q^{t_{i}}}

The degree $d$ of the polynomial is also known as security parameter and the bigger its value the better for security since the resulting set of quadratic equations resembles a randomly chosen set of quadratic equations. On the other side large $d$ slows down the deciphering. Since $P$ is a polynomial of degree at most $d$ the inverse of $P$ , denoted by $P^{-1}$ can be computed in $d^{2}(\ln d)^{O(1)}n^{2}\mathbb {F} _{q}$ operations.^[5]

Encryption and decryption

The public key is given by the $n$ multivariate polynomials $(p_{1},...,p_{n})$ over $\mathbb {F} _{q}$ . It is thus necessary to transfer the message $M$ from $\mathbb {F} _{q^{n}}\to \mathbb {F} _{q}^{n}$ in order to encrypt it, i.e. we assume that $M$ is a vector $(x_{1},...,x_{n})\in \mathbb {F} _{q}^{n}$ . To encrypt message $M$ we evaluate each $p_{i}$ at $(x_{1},...,x_{n})$ . The ciphertext is $(p_{1}(x_{1},...,x_{n}),p_{2}(x_{1},...,x_{n}),...,p_{n}(x_{1},...,x_{n}))\in \mathbb {F} _{q}^{n}$ .

To understand decryption let us express encryption in terms of $S,T,P$ . Note that these are not available to the sender. By evaluating the $p_{i}$ at the message we first apply $S$ , resulting in $x'$ . At this point $x'$ is transferred from $\mathbb {F} _{q^{n}}\to \mathbb {F} _{q^{n}}$ so we can apply the private polynomial $P$ which is over $\mathbb {F} _{q^{n}}$ and this result is denoted by $y'\in \mathbb {F} _{q^{n}}$ . Once again, $y'$ is transferred to the vector $(y_{1}',...,y_{n}')$ and the transformation $T$ is applied and the final output $y\in \mathbb {F} _{q^{n}}$ is produced from $(y_{1},...,y_{n})\in \mathbb {F} _{q}^{n}$ .

To decrypt $y$ , the above steps are done in reverse order. This is possible if the private key $(S,P,T)$ is known. The crucial step in the deciphering is not the inversion of $S$ and $T$ but rather the computations of the solution of $P(x')=y'$ . Since $P$ is not necessary a bijection, one may find more than one solution to this inversion (there exist at most d different solutions $X'=(x_{1}',...,x_{d}')\in \mathbb {F} _{q^{n}}$ since $P$ is a polynomial of degree d). The redundancy denoted as $r$ is added at the first step to the message $M$ in order to select the right $M$ from the set of solutions $X'$ .^[1]^[3]^[6] The diagram below shows the basic HFE for encryption.

M{\overset {+r}{\to }}x{\overset {{\text{secret}}:S}{\to }}x'{\overset {{\text{secret}}:P}{\to }}y'{\overset {{\text{secret}}:T}{\to }}y

HFE variations

Hidden Field Equations has four basic variations namely +,-,v and f and it is possible to combine them in various way. The basic principle is the following:

01. The + sign consists of linearity mixing of the public equations with some random equations.

02. The - sign is due to Adi Shamir and intends to remove the redundancy 'r' of the public equations.

03. The f sign consists of fixing some

f

input variables of the public key.

04. The v sign is defined as a construction and sometimes quite complex such that the inverse of the function can be found only if some v of the variables called vinegar variables are fixed. This idea is due to Jacques Patarin.

The operations above preserve to some extent the trapdoor solvability of the function.

HFE- and HFEv are very useful in signature schemes as they prevent from slowing down the signature generation and also enhance the overall security of HFE whereas for encryption both HFE- and HFEv will lead to a rather slow decryption process so neither too many equations can be removed (HFE-) nor too many variables should be added (HFEv). Both HFE- and HFEv were used to obtain Quartz.

For encryption, the situation is better with HFE+ since the decryption process takes the same amount of time, however the public key has more equations than variables.^[1]^[2]

HFE attacks

There are two famous attacks on HFE:

Recover the Private Key (Shamir-Kipnis): The key point of this attack is to recover the private key as sparse univariate polynomials over the extension field $\mathbb {F} _{q^{n}}$ . The attack only works for basic HFE and fails for all its variations.

Fast Gröbner Bases (Faugère): The idea of Faugère's attacks is to use fast algorithm to compute a Gröbner basis of the system of polynomial equations. Faugère broke the HFE challenge 1 in 96 hours in 2002, and in 2003 Faugère and Joux worked together on the security of HFE.^[1]

Related Research Articles

In mathematics, a quadric or quadric surface (quadric hypersurface in higher dimensions), is a generalization of conic sections (ellipses, parabolas, and hyperbolas). It is a hypersurface (of dimension D) in a (D + 1)-dimensional space, and it is defined as the zero set of an irreducible polynomial of degree two in D + 1 variables; for example, D = 1 in the case of conic sections. When the defining polynomial is not absolutely irreducible, the zero set is generally not considered a quadric, although it is often called a degenerate quadric or a reducible quadric.

In mathematics, the adele ring of a global field is a central object of class field theory, a branch of algebraic number theory. It is the restricted product of all the completions of the global field and is an example of a self-dual topological ring.

<span class="mw-page-title-main">Quartic equation</span> Polynomial equation

In mathematics, a quartic equation is one which can be expressed as a quartic function equaling zero. The general form of a quartic equation is

In mathematics, an affine algebraic plane curve is the zero set of a polynomial in two variables. A projective algebraic plane curve is the zero set in a projective plane of a homogeneous polynomial in three variables. An affine algebraic plane curve can be completed in a projective algebraic plane curve by homogenizing its defining polynomial. Conversely, a projective algebraic plane curve of homogeneous equation $h (x, y, t) = 0$ can be restricted to the affine algebraic plane curve of equation $h (x, y, 1) = 0$ . These two operations are each inverse to the other; therefore, the phrase algebraic plane curve is often used without specifying explicitly whether it is the affine or the projective case that is considered.

In mathematics, the classical orthogonal polynomials are the most widely used orthogonal polynomials: the Hermite polynomials, Laguerre polynomials, Jacobi polynomials.

In transcendental number theory, the Lindemann–Weierstrass theorem is a result that is very useful in establishing the transcendence of numbers. It states the following:

In algebraic geometry, motives is a theory proposed by Alexander Grothendieck in the 1960s to unify the vast array of similarly behaved cohomology theories such as singular cohomology, de Rham cohomology, etale cohomology, and crystalline cohomology. Philosophically, a "motif" is the "cohomology essence" of a variety.

In field theory, the primitive element theorem is a result characterizing the finite degree field extensions that can be generated by a single element. Such a generating element is called a primitive element of the field extension, and the extension is called a simple extension in this case. The theorem states that a finite extension is simple if and only if there are only finitely many intermediate fields. An older result, also often called "primitive element theorem", states that every finite separable extension is simple; it can be seen as a consequence of the former theorem. These theorems imply in particular that all algebraic number fields over the rational numbers, and all extensions in which both fields are finite, are simple.

<span class="mw-page-title-main">Tschirnhaus transformation</span> Mathematical term; type of polynomial transformation

In mathematics, a Tschirnhaus transformation, also known as Tschirnhausen transformation, is a type of mapping on polynomials developed by Ehrenfried Walther von Tschirnhaus in 1683.

This article describes periodic points of some complex quadratic maps. A map is a formula for computing a value of a variable based on its own previous value or values; a quadratic map is one that involves the previous value raised to the powers one and two; and a complex map is one in which the variable and the parameters are complex numbers. A periodic point of a map is a value of the variable that occurs repeatedly after intervals of a fixed length.

In mathematics, specifically the algebraic theory of fields, a normal basis is a special kind of basis for Galois extensions of finite degree, characterised as forming a single orbit for the Galois group. The normal basis theorem states that any finite Galois extension of fields has a normal basis. In algebraic number theory, the study of the more refined question of the existence of a normal integral basis is part of Galois module theory.

In commutative algebra and field theory, the Frobenius endomorphism is a special endomorphism of commutative rings with prime characteristic $p$ , an important class which includes finite fields. The endomorphism maps every element to its $p$ -th power. In certain contexts it is an automorphism, but this is not true in general.

In mathematics, the resultant of two polynomials is a polynomial expression of their coefficients that is equal to zero if and only if the polynomials have a common root, or, equivalently, a common factor. In some older texts, the resultant is also called the eliminant.

Non-linear least squares is the form of least squares analysis used to fit a set of m observations with a model that is non-linear in n unknown parameters (m ≥ n). It is used in some forms of nonlinear regression. The basis of the method is to approximate the model by a linear one and to refine the parameters by successive iterations. There are many similarities to linear least squares, but also some significant differences. In economic theory, the non-linear least squares method is applied in (i) the probit regression, (ii) threshold regression, (iii) smooth regression, (iv) logistic link regression, (v) Box–Cox transformed regressors ( $).$

Multivariate cryptography is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field $. In certain cases those polynomials could be defined over both a ground and an extension field. If the polynomials have the degree two, we talk about multivariate quadratics. Solving systems of multivariate polynomial equations is proven to be NP-complete. That's why those schemes are often considered to be good candidates for post-quantum cryptography. Multivariate cryptography has been very productive in terms of design and cryptanalysis. Overall, the situation is now more stable and the strongest schemes have withstood the test of time. It is commonly admitted that Multivariate cryptography turned out to be more successful as an approach to build signature schemes primarily because multivariate schemes provide the shortest signature among post-quantum algorithms.$

An important aspect in the study of elliptic curves is devising effective ways of counting points on the curve. There have been several approaches to do so, and the algorithms devised have proved to be useful tools in the study of various fields such as number theory, and more recently in cryptography and Digital Signature Authentication. While in number theory they have important consequences in the solving of Diophantine equations, with respect to cryptography, they enable us to make effective use of the difficulty of the discrete logarithm problem (DLP) for the group $, of elliptic curves over a finite field, where q = p k and p is a prime. The DLP, as it has come to be known, is a widely used approach to public key cryptography, and the difficulty in solving this problem determines the level of security of the cryptosystem. This article covers algorithms to count points on elliptic curves over fields of large characteristic, in particular p > 3. For curves over fields of small characteristic more efficient algorithms based on p -adic methods exist.$

In cryptography, Learning with errors (LWE) is a mathematical problem that is widely used in cryptography to create secure encryption algorithms. It is based on the idea of representing secret information as a set of equations with errors. In other words, LWE is a way to hide the value of a secret by introducing noise to it. In more technical terms, it refers to the computational problem of inferring a linear $-ary function over a finite ring from given samples some of which may be erroneous. The LWE problem is conjectured to be hard to solve, and thus to be useful in cryptography.$

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

In coding theory, list decoding is an alternative to unique decoding of error-correcting codes in the presence of many errors. If a code has relative distance $, then it is possible in principle to recover an encoded message when up to fraction of the codeword symbols are corrupted. But when error rate is greater than , this will not in general be possible. List decoding overcomes that issue by allowing the decoder to output a short list of messages that might have been encoded. List decoding can correct more than fraction of errors.$

In number theory, Berlekamp's root finding algorithm, also called the Berlekamp–Rabin algorithm, is the probabilistic method of finding roots of polynomials over a field $. The method was discovered by Elwyn Berlekamp in 1970 as an auxiliary to the algorithm for polynomial factorization over finite fields. The algorithm was later modified by Rabin for arbitrary finite fields in 1979. The method was also independently discovered before Berlekamp by other researchers.$

References

Nicolas T. Courtois, Magnus Daum and Patrick Felke, On the Security of HFE, HFEv- and Quartz
Andrey Sidorenko, Hidden Field Equations, EIDMA Seminar 2004 Technische Universiteit Eindhoven
Yvo G. Desmet, Public Key Cryptography-PKC 2003, ISBN 3-540-00324-X

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[autogenerated2-1] 1 2 3 4 5 6 Christopher Wolf and Bart Preneel, Asymmetric Cryptography: Hidden Field Equations

[autogenerated1-2] 1 2 Nicolas T. Courtois On Multivariate Signature-only public key cryptosystems

[autogenerated4-3] 1 2 Ilia Toli Hidden Polynomial Cryptosystems

[autogenerated3-4] Jean-Charles Faugère and Antoine Joux, Algebraic Cryptanalysis of Hidden Field Equations (HFE) Cryptosystems Using Gröbner Bases Archived 2008-11-11 at the Wayback Machine

[5] Nicolas T. Courtois, "The Security of Hidden Field Equations"

[6] Jacques Patarin, Hidden Field Equations (HFE) and Isomorphic Polynomial (IP): two new families of asymmetric algorithm

[1]

[2]

[3]

[4]

[5]

[6]