Professional Documents
Culture Documents
DOI: 10.1049/ise2.12092
REVIEW
- -
Revised: 16 March 2022 Accepted: 17 August 2022
1
Institute of Mathematics for Industry, Kyushu Abstract
University, Nishi‐ku, Fukuoka, Japan
Multivariate public‐key cryptography (MPKC) is considered a leading candidate for post‐
2
Department of Liberal Arts and Basic Sciences, quantum cryptography (PQC). It is based on the hardness of the multivariate quadratic
Nihon University, Narashino, Chiba, Japan
3
polynomial (MQ) problem, which is a problem of finding a solution to a system of
Department of Mathematical Informatics, The
quadratic equations over a finite field. In this paper, we survey some recent progress in
University of Tokyo, Bunkyo‐ku, Tokyo, Japan
the security analysis of MPKC. Among various existing multivariate schemes, the most
Correspondence important one is the Rainbow signature scheme proposed by Ding et al. in 2005, which
Yasuhiko Ikematsu, Institute of Mathematics for was later selected as a finalist in the third round of the PQC standardization project by the
Industry, Kyushu University, 744, Motooka, Nishi‐ National Institute of Standards and Technology. Under the circumstances, some recent
ku, Fukuoka, Japan.
research studies in MPKC have focussed on the security analysis of the Rainbow scheme.
Email: ikematsu@imi.kyushu-u.ac.jp
In this paper, the authors first explain efficient algorithms for solving the MQ problem
Funding information and the research methodology for estimating their complexity in MPKC. Then, the au-
Core Research for Evolutional Science and thors survey some recent results related to the security analysis of the Rainbow scheme.
Technology, Grant/Award Number: JPMJCR2113; In particular, the authors provide a detailed description of the complexity analysis for
Japan Society for the Promotion of Science, Grant/
solving the bi‐graded polynomial systems studied independently by Nakamura et al. and
Award Numbers: JP19K20266, JP20K19802
Smith‐Tone et al., and then expound the rectangular MinRank attack against Rainbow
proposed by Beullens.
1 | INTRODUCTION MPKC has a relatively old history in PQC, and the first
multivariate scheme was proposed by Matsumoto and Imai in
By Shor's quantum algorithms [1] in 1994, it is known that widely 1988, called the MI scheme [6]. Subsequently, as a general-
used public‐key cryptosystems, such as RSA and ECC, can be isation of the MI scheme, the Hidden Field Equation (HFE)
broken if a large‐scale quantum computer is built. Thus, it is scheme was proposed in 1996 by Patarin [7]. There are
important to study public‐key cryptography that can potentially several signature schemes based on the HFE scheme such as
resist such quantum computer attacks, which is called post‐ GeMMS [8] and Gui [9]. Apart from that, the unbalanced oil
quantum cryptography (PQC) [2]. In 2016, the National Insti- and vinegar (UOV) signature scheme [10] is a well‐established
tute of Standards and Technology (NIST) announced a PQC signature scheme proposed by Kipnis et al. in 1999. As its
standardization project [3]. This project has now advanced to the efficient multilayer variant, the Rainbow scheme was pro-
third round, and PQC has been more actively researched. posed by Ding et al. [11] in 2005. Because of its good per-
Multivariate public‐key cryptography (MPKC) (cf., Ref. [4]) formance and security, the Rainbow scheme was selected as a
is a leading candidate for PQC and is constructed using multi- finalist in the third round of NIST PQC standardisation [12],
variate quadratic polynomial (MQ) maps P over a finite field Fq and its security analysis has become an important research
with a trap‐door structure. The security of MPKC is dependent topic of MPKC. In addition, as a multivariate scheme without
on the hardness of the multivariate quadratic polynomial (MQ) using any trap‐door of special algebraic structure, in 2011
problem, which is to find a solution to a system of quadratic Sakumoto et al. [13] proposed an identification scheme that is
equations over a finite field. The MQ problem is known to be proven to be secure purely under the hardness of the MQ
NP‐hard [5]. problem. In this way, further more multivariate schemes have
-
This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is
properly cited.
© 2022 The Authors. IET Information Security published by John Wiley & Sons Ltd on behalf of The Institution of Engineering and Technology.
been proposed so far, and MPKC has become a major topic an important and fundamental tool to estimate the complexity
in the research of PQC. of various attacks in MPKC. Moreover, the Rainbow scheme
On the other hand, the security analysis of MPKC has also [11] is one of the most influential multivariate schemes owing to
been intensively developed along with the afore‐mentioned its selection as a finalist in the third round of the NIST PQC
progress in the explicit constructions of MPKC. In some standardisation project. Some recent progress in MPKC has
initial studies in the 90s, the MI scheme [6] was broken by Patarin been made via the security analysis of the Rainbow scheme.
[14] using the linearisation equation attack. Furthermore, the Oil Considering this situation, we mainly provide a survey on the
Vinegar (OV) scheme was broken in polynomial time by Kipnis– following topics: the state‐of‐the‐art approaches for solving
Shamir (KS) attack [15] and then improved to its unbalanced polynomial systems used in MPKC and two recently improved
variant, called the UOV scheme [15]. We stress that the linear- attacks on the Rainbow scheme, namely the Rainbow‐Band‐
isation attack and KS attack strongly depend on the special Separation (RBS) attack [28] using the bi‐graded polynomial
algebraic structures of MI and OV schemes, respectively. After system and the rectangular MinRank attack [29].
those studies, two types of more general attacks applicable to First, we explain the current knowledge on the direct attack.
various multivariate schemes have been proposed. As stated above, there are two main approaches for solving a
The first one is the direct attack wherein the system of system of equations in MPKC research, namely, the Gröbner
quadratic equations associated with a public key (quadratic basis approach and Wiedeman XL approach. The Gröbner basis
map) P and a ciphertext w (or signature) of PðxÞ ¼ w is approach is to compute a Gröbner basis of the ideal associated
directly solved. In MPKC research, two major methods are with the solved system PðxÞ ¼ w. The algorithms F4 [30] and
often considered to solve such a system, namely Gröbner basis F5 [16] are often used in MPKC research. The XL approach tries
approaches and Wiedemann extended linearisation (XL) to solve the linear system obtained from multiplying terms with
approach. For the F5 Gröbner basis algorithm [16] proposed a certain degree d by the solved system. The Wiedeman XL
by Faugère, the first HFE challenge [17] was solved in 2003 by approach efficiently obtains a solution using the Wiedemann
Faugère et al. [18]. However, it is a non‐trivial problem to algorithm [31] if the linear system mentioned above is sparse
evaluate the complexity of the direct attack. To study its ac- with a few solutions. Note that Ars et al. [32] shows that the XL
curate estimation, the degree of regularity dreg and the first fall algorithm is also a Gröbner basis algorithm that can be repre-
degree dff are extensively researched in Ref. [19–21] and so on. sented as a redundant variant of the Gröbner basis algorithm F4
The complexity of solving semi‐regular systems of quadratic [30]. The crucial point for complexity estimation is to determine
equations is accurately estimated by the degree of regularity. the appropriate degree d of the Macaulay matrix Md , inducing a
However, many quadratic systems appearing in MPKC are not correct solution of the solved system practically. We will explain
semi‐regular, and thus the analysis of the first fall degree is an how to estimate d in MPKC research.
important research topic in MPKC. It has been shown that the Second, we discuss recent studies on the bi‐graded poly-
first fall degree for the HFE scheme and its variants can be nomial systems. Though such systems do not appear in the
precisely estimated [20, 22, 23]. direct attack against general multivariate schemes, they appear
The second one is the MinRank attack, which exploits the in the analysis of a MinRank attack against Rainbow, called the
special algebraic structure of MPKC, which was initially applied RBS attack [28]. The bi‐graded system that appears in the RBS
to the HFE scheme in Ref. [24]. A public key P of quadratic attack was initially analysed under the assumption that the
polynomials in n variables corresponds to some symmetric system is semi‐regular. However, it is already known in Ref.
matrices of size n. The symmetric matrices corresponding to the [33] in 2012 that such a bi‐graded system does not behave like
public key P often generate a low‐rank matrix because of its trap‐ semi‐regular in some experiments. In 2020, Nakamura et al.
door structure. The MinRank attack tries to recover a secret key [34] and Smith‐Tone et al. [35] independently studied the bi‐
by finding such a low‐rank matrix. Moreover, the related prob- graded systems that appear in the RBS attack. Their studies
lem to find a low‐rank matrix by computing a linear combination can show more accurate estimation focussing on the bi‐graded
of given matrices over a finite field, called the MinRank problem, structure, and thus it affects the proposed parameters of the
is another important research in the security analysis of MPKC. Rainbow scheme. In our paper, following the work of Naka-
The MinRank problem is proven to be NP‐hard [25]. In general, mura [36], we will explain the bi‐graded version of semi‐
the MinRank problem can be solved by searching a hidden kernel regularity and degree of regularity, which can be seen as a
space using linear algebra or by reducing it to polynomial sys- generalisation of the work by Diem [37] and Bardet et al. [19].
tems. The latter method includes the minor modelling methods Moreover, following the way of Smith‐Tone et al. [35], we will
[26, 27] and the KS method [24], which require the polynomial explain how to estimate the computational complexity of the
system to be solved by algorithms used in the direct attack. bi‐graded systems. Furthermore, we will describe the RBS
attack [28], which is the motivation for the study of the bi‐
graded systems, and explain its complexity estimation using
1.1 | Contribution the above discussion.
Finally, we explain the rectangular MinRank attack [29]
In this paper, we survey some recent progress in the security against the Rainbow scheme proposed by Beullens. This attack
analysis of MPKC. The direct attack, which was initially devel- is carried out by deforming the MinRank problem associated
oped via the security analysis on the HFE scheme, has become with the Rainbow scheme to another MinRank problem and
17518717, 2023, 2, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12092 by CochraneUnitedArabEmirates, Wiley Online Library on [15/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
212
- IKEMATSU ET AL.
solving it using the support minor modelling method proposed be easy‐to‐invert. This map is the core object because it de-
by Bardet et al. [26]. This attack affects the proposed param- termines properties (e.g. security and efficiency) of the multi-
eters of the Rainbow scheme. We will describe how to deform variate scheme constructed from the map.
the MinRank problem for the Rainbow scheme in terms of In general, a multivariate scheme is constructed as follows.
matrix representation, which was originally done in terms of First, choose an easy‐to‐invert map F : Fnq → Fm q . Next,
polynomial representation in Ref. [29]. By using matrix rep- randomly choose two invertible linear maps S : Fnq → Fnq and
resentation, we can provide another description of the rect- T : Fm m
q → Fq . Then a public key is given by the composite
angular MinRank attack. The system that appears in the
rectangular MinRank problem becomes a bi‐graded homoge- P ≔ T ◦ F ◦ S : Fnq → Fm
q
neous system. In Ref. [29], Beullens estimates the complexity
of solving the bi‐graded system based on the complexity
and the secret key is given by ðF ; T ; SÞ: Here, it is clear that
analysis of the support minor modelling method [26], under a
P : Fnq → Fm q is also a quadratic map.
generic assumption. We will explicitly describe the generic
The property of the easy‐to‐invert map F determines
assumption and explain the complexity estimation of the
whether the constructed scheme becomes an encryption
rectangular MinRank attack in Ref. [29]. We also state the
scheme or a signature scheme. In fact, if F is injective, then the
support minor modelling method [26] to solve the MinRank
constructed scheme becomes an encryption scheme. Then the
problem.
encryption process is performed by substituting
Our paper is organised as follows. In Section 2, we briefly
c ≔ PðmÞ ∈ Fm n
q for a message m ∈ Fq . The decryption pro-
recall a general construction of multivariate schemes and the
cess of c is performed by computing three inverses:
Rainbow signature scheme as an example. In addition, we
w1 ≔ T −1 ðcÞ; w2 ≔ F −1 ðw1 Þ, and m ¼ S −1 ðw2 Þ. Here, since
explain how the security of multivariate schemes relates to the
F is easy‐to‐invert, the decryptor can easily and efficiently
hardness of the MQ problem and the MinRank problem. In
compute the inverse F −1 ðw1 Þ. Namely, the decryption process
Section 3, we review some approaches to solve the MQ
is performed efficiently (See Figure 1).
problem. In Section 4, we discuss the complexity estimations
On the other hand, if F is surjective, then the constructed
of the MQ problem using the approaches in Section 3. In
scheme becomes a signature scheme. For a message m ∈ Fm q to
Section 5, we explain the definition of the bi‐graded systems
be signed, a signature s ∈ Fnq is generated by three inverses:
and their complexity analysis to solve them. In addition, we
w1 ≔ T −1 ðmÞ; w2 ≔ F −1 ðw1 Þ, and s ≔ S −1 ðw2 Þ. Here,
recall the RBS attack against the Rainbow scheme and explain
F −1 ðw1 Þ means an element of the pre‐image of the set {w1}
how its complexity is estimated. In Section 6, we explain the
under the surjective map F . The verification process is done
rectangular MinRank attack against the Rainbow scheme.
by checking whether PðsÞ ¼ m or not (See Figure 2).
Finally, we conclude our paper in Section 7.
The MI scheme, which was the first multivariate scheme, was
proposed in 1988 by Matsumoto and Imai [6]. The corre-
sponding easy‐to‐invert map F is constructed by using a
2 | MPKC CONSTRUCTION AND ITS
monomial map X ↦ X q þq on a large finite extension field of
ℓ1 ℓ2
SECURITY
Fq . As a generalisation, by extending such a monomial map to a
In this section, we recall a general construction of multivariate
schemes and describe the construction of the Rainbow
signature scheme [11] as an example. Subsequently, we review
the MQ and MinRank problems, which essentially determine
the security of MPKC.
P ℓj
polynomial map X ↦ i;j ai;j X q þq with low degree, the HFE
ℓi
f o1 þ1ðz0 ; z00 ; x3 Þ ¼ wo1 þ1; …; f o1 þo2 ðz0 ; z00 ; x3 Þ ¼ wm :
scheme was proposed by Patarin [7] in 1996. Thereafter, several
multivariate schemes have been proposed, such as UOV [10], 4. Let z ≔ ðz0 ; z00 ; z000 Þ ∈ Fnq , which is a solution to F ðxÞ ¼ w.
ABC [38], ZHFE [39], EFC [40], Gui [9], GeMMS [8], and
HFERP [41]. In the next subsection, we explain the Rainbow In this algorithm, if there is no solution of the system to
[11] signature scheme, which is a variant of UOV [10]. linear equations in Step 2 or 3, then go back to Step 1 or 2,
respectively. It is clear that this algorithm is efficient; in fact,
the complexity is given by O(n3) at most.
2.2 | Rainbow The Rainbow signature scheme [11] was proposed as an
improved version of the OV and UOV schemes. If we remove
In this subsection, we describe Rainbow, a multivariate signa- the parameter o2 (i.e. o2 = 0) and set v = o1 in the Rainbow
ture scheme that was proposed by Ding and Schmidt in 2005 signature scheme, then the obtained scheme becomes the OV
[11] as an efficient variant of the UOV scheme [10]. signature scheme [42], which was proposed by Patarin in 1997.
Fix positive integers v; o1 ; o2 ∈ N, and set n ≔ v + o1 + o2 However, it is broken by the OV attack [15] in polynomial time.
and m ≔ o1 + o2. Let x1 ¼ ðx1 ; …; xv Þ; x2 ¼ ðxvþ1 ; …; xvþo1 Þ, In 1999, Kipnis et al. proposed the Unbalanced OV (UOV)
and x3 ¼ ðxvþo1 þ1; …; xn Þ be three sets of variables, and x = scheme [10] by modifying the parameter (v, o1) as v > o1 (and
(x1, …, xn). An easy‐to‐invert map F ¼ ðf 1 ; …; f m Þ : Fnq → Fm
q o2 = 0), which can resist the OV attack. Finally, in 2005, the
of Rainbow is defined by Rainbow scheme improved the efficiency of the UOV scheme
8 P P by adding a new parameter o2.
ð1Þ ð1Þ
>
> f1 ¼ aij xi xj þ aij xi xj ; The Rainbow scheme was selected as a finalist in the third
>
>
>
>
1≤i≤j≤v 1≤i≤v round of the NIST PQC standardisation [12]. Table 1 presents
>
>
>
> vþ1≤j≤vþo1 the proposed parameters. In this paper, we primarily focussed
>
>
>
> ⋮ on the RBS and Rectangular MinRank attacks against the
>
>
>
> P ðo Þ P ðo Þ Rainbow scheme in order to understand some recent progress
>
> f o1 ¼ aij 1 xi xj þ aij 1 xi xj ;
>
> in the security analysis of MPKC. Recently, Beullens proposed
>
> 1≤i≤j≤v 1≤i≤v
>
> a new attack, known as simple attack [43], in IACR ePrint. The
< vþ1≤j≤vþo1
parameters (Table 1) of the Rainbow scheme in the third round
> P ðo þ1Þ P ðo þ1Þ
>
>
> f o1 þ1 ¼ aij 1 xi xj þ aij 1 xi xj ; should be rescaled such that it is secure against the simple
>
> 1≤i≤j≤vþo1 attack [43].
>
> 1≤i≤vþo1
>
> vþ1≤j≤n
>
>
>
>
>
> ⋮
>
> 2.3 | MQ problem
>
> P ðmÞ P ðmÞ
> fm
>
> ¼ aij xi xj þ aij xi xj ;
>
> 1≤i≤j≤vþo1
>
: 1≤i≤vþo1 In this subsection, we describe the MQ problem, which is
vþ1≤j≤n strongly related to the security of multivariate schemes.
Clearly, by solving the equations PðxÞ − w ¼ 0 for a public
ðkÞ
where each coefficient aij is randomly chosen from Fq . For an key P and a ciphertext (or message) w ∈ Fm q , we obtain the
element w ¼ ðw1 ; …; wm Þ ∈ Fm q , the process of finding a so- message m (or a signature s). Thus, the following problem is
lution to the equations F ðxÞ ¼ w (namely, the computation of important for understanding the security of multivariate
F −1 ðwÞ) is as follows: schemes:
�
1. Randomly choose an element z0 ¼ z01 ; …; z0v ∈ Fvq .
2. Find a solution x2 ¼ z00 ∈ Foq1 to the system of linear 2.3.1 | Multivariate quadratic polynomial (MQ)
equations: problem
f 1 ðz0 ; x2 Þ ¼ w1 ; …; f o1 ðz0 ; x2 Þ ¼ wo1 : Given a system of m quadratic polynomial g1(x), …, gm(x) in n
variables, find a solution x ∈ Fnq to
3. Find a solution x3 ¼ z000 ∈ Fo2 to the system of linear
equations: g1 ðxÞ ¼ ⋯ ¼ gm ðxÞ ¼ 0:
This problem is proven to be NP‐hard for the binary field However, since S ⋅ Gup ⋅tS is not an upper triangular matrix
F2 [5]. Thus, it is considered to be difficult to solve a system of in general, the corresponding upper triangular matrix of
randomly chosen quadratic equations g1(x) = ⋯ = gm(x) = 0. g ◦ SðxÞ is not equal to S ⋅ Gup ⋅tS.
In MPKC research, since a public key P : Fnq → Fm q is To avoid this inequality, it is necessary to consider sym-
constructed using an easy‐to‐invert map F : Fnq → Fm q , which metric matrices. For the above quadratic polynomial g(x), we
has a special structure to realise an efficient inverting process, it define the following symmetric matrix:
is considered that the associated MQ problem PðxÞ − w ¼ 0
might be easier than the random MQ problem. G ≔ Gup þ t Gup :
It is important to study the precise computational cost of
solving a given system of equations g1(x) = ⋯ = gm(x) = 0, Then, the corresponding symmetric matrix of g ◦ SðxÞ is
since it directly affects the secure parameters of multivariate equal to
schemes. In Sections 3 and 4, we will discuss how the MQ
S ⋅ G⋅ t S:
problem is solved and how its complexity is estimated in
MPKC research. Thus, if (F1, …, Fm) and (P1, …, Pm) are the corresponding
symmetric matrices of the easy‐to‐invert map F ¼ ðf 1 ; …; f m Þ
Remark 1 In general, it is difficult to prove a reduction of the and the public key P ¼ ðp1 ; …; pm Þ, then we have
security of multivariate schemes to the hardness of the MQ
problem. As an exception, MQDSS [44] is the only signature ðP 1 ; …; P m Þ ¼ ðSF1 t S; …; SFm t SÞ ⋅ T ;
scheme that uses multivariate polynomials such that it has
provably security to the MQ problem. MQDSS was a candidate where S, T are the corresponding matrices of size n, m to the
for the second round of NIST PQC standardisation [45] and is secret key S; T . As a result, it is considered that the symmetric
constructed based on the 5‐pass identification scheme pro- matrices of the public key P inherit some properties of the
posed by Sakumoto et al. [13]. Note that the construction of symmetric matrices of the easy‐to‐invert map F .
MQDSS does not follow the method in Section 2.1.
Remark 2 Since g(x) = x⋅tGup⋅tx, we have
In this subsection, we describe the MinRank problem, which is From this equality, it can be easily seen that if the characteristic
also strongly related to the security of multivariate schemes. of Fq is not 2, then the map g ↦ 12 G is a bijective map between
Before we state the MinRank problem, we recall a relation the set of homogeneous quadratic polynomials and the set of
between quadratic polynomials and matrices. symmetric matrices.
For a homogeneous quadratic polynomial
X For example, the form of symmetric matrices (F1, …, Fm)
gðxÞ ¼ gij xi xj ∈ Fq ½x�; of the Rainbow easy‐to‐invert map F ¼ ðf 1 ; …; f m Þ in Sec-
1≤i≤j≤n
tion 2.2 is given as follows:
we define the upper triangular matrix Gup by 80 1
>
> ∗v�v ∗v�o1 0v�o2
0 1 >
> @ ∗o1 �v 0o1 �o1 0o1 �o2 A ð1 ≤ i ≤ o1 Þ;
g11 g12 ⋯ g1n >
>
>
< 0o2 �v
B 0 g22 ⋯ g2n C 0o2 �o1 0o2 �o2
G ≔B
up C ∈ Fn�n :
q
Fi ¼ 0 1
@ ⋮ ⋮ ⋱ ⋮ A >
> ∗ ∗v�o1 ∗v�o2
⋯ gnn > @ v�v
>
>
0 0 >
> ∗ o1 �v ∗o1 �o1 ∗o1 �o2 A ðo1 þ 1 ≤ i ≤ mÞ:
:
∗o2 �v ∗o2 �o1 0o2 �o2
Then, we obtain the following equality
Here, *k�l means a k‐by‐l matrix over Fq . Since the rank of Fi
gðxÞ ¼ x ⋅ Gup ⋅ t x; (1 ≤ i ≤ o1) is less than or equal to v + o1, we can generate a
linear combination of the matrices P1, …, Pm with rank
where tx denotes the transpose of x. It is clear that the map ≤v + o1. Once an attacker finds such a low‐rank matrix from
g↦Gup is a bijective map between the set of homogeneous the public key, the attacker can recover the secret key using the
quadratic polynomials in Fq ½x� and the set of upper trian- kernel of the low‐rank matrix.
gular (square) matrices of size n. Let S be a linear map on As stated in the Rainbow example, the problem of finding
Fnq , and let S be its corresponding matrix of size n. Then, a low‐rank matrix from linear combinations of the symmetric
we have matrices (P1, …, Pm) of the public key P is strongly related to
the security of multivariate schemes. As a result, the following
MinRank problem, which is a generalisation of this problem, is
g ◦ SðxÞ ¼ x ⋅ S ⋅ Gup ⋅ t S ⋅ t x: important for understanding the security of MPKC.
17518717, 2023, 2, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12092 by CochraneUnitedArabEmirates, Wiley Online Library on [15/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
IKEMATSU ET AL.
- 215
2.4.1 | MinRank problem using FGLM [48] or other algorithms. Then, the Gröbner basis
Glex = {h1, …, hℓ} has the following form:
Given s matrices M1 ; …; Ms ∈ Ft�u
q integer r > 0, find a
and P
non‐trivial Fq ‐linear combination M ¼ si¼1 ai Mi with Rank h1 ðxn Þ ¼ 0;
(M) ≤ r, if it exists. h2 ðxn−1 ; xn Þ ¼ 0;
This is proven to be NP‐hard [25]. Thus, it is considered to ⋮
be difficult to solve a randomly chosen instance of the Min- hℓ ðx1 ; …; xn Þ ¼ 0:
Rank problem. In Section 6.1, we will explain the support
minor modelling [26] as a method to solve the MinRank Thus, by solving these equations in the order from top to
problem proposed by Bardet et al. in 2020. bottom, we can obtain a solution to g1 = ⋯ = gm = 0.
Remark 3 Originally, the first key recovery attack using the Remark 5 If the system of equations g1 = ⋯ = gm = 0 has
MinRank problem was proposed in Ref. [24] in a security finite solutions over an algebraic closure Fq , then the ideal I is
analysis against the HFE scheme [7]. said to be zero‐dimensional. The complexity of the FGLM
algorithm [48] is O(nD3), where D is the number of solutions
Remark 4 Since the MinRank problem is NP‐hard, it might be to the system with multiplicities. When the Gröbner basis
possible to construct a scheme based on the MinRank problem. approach is used in MPKC research, the case where the ideal
For example, a zero‐knowledge identification scheme based on of system g1 = ⋯ = gm = 0 is zero‐dimensional and D is low is
the MinRank problem was proposed by Courtois [46]. typically considered. Hence, in MPKC research, the complexity
of the FGLM algorithm is typically disregarded.
Lemma 1 ([19]). For a semi‐regular system g1, …, gm and dff can represent the minimum of degrees of ‘degree fall’ for a
d < dreg, the dimension dim Fq ½x�d =~I d is equal to the coeffi- given system g1 = ⋯ = gm = 0. Note that initially, the first fall
cient of degree d of the following power series degree was called the degree of regularity, for example, in Ref.
� [20, 22]. In general, it is difficult to compute the first fall degree
Πm 1 − t d i dff for a given polynomial system. Ding and Hodges [22] give an
HðtÞ ≔ i¼1 : ð1Þ
ð1 − tÞn upper bound for the first fall degree dff by constructing a non‐
trivial syzygy for the HFE scheme [7]. In addition, Verbel et al.
The degree of regularity dreg for a semi‐regular system can [52] construct non‐trivial syzygies of a quadratic system in the
be easily computed as the minimal degree with a non‐positive Kipnis–Shamir method [15] for the MinRank problem and give
coefficient in the power series H(t). an upper bound of the first fall degree dff.
The degree of regularity dreg is defined by Bardet et al. [19].
As shown from the definition, any element of the reduced
Gröbner basis of I is of degree dreg at the most. With this fact, 4.3 | Complexity estimation of solving MQ
it is expected that dmax and dfull might be estimated by the problem
degree of regularity dreg. In Section 4.3, we will discuss how
dreg is utilised to estimate dmax and dfull in MPKC research. In this subsection, we explain how to estimate the complexity
of solving a system of quadratic equations g1 = ⋯ = gm = 0
using the Gröbner basis approach or Wiedemann XL
4.2 | First fall degree approach. As stated in Section 3, we need to estimate dmax and
q q q q
dfull. This task is done using the degree of regularity or the first
Define B ≔ Fq ½x�=〈x1 ; …; xn 〉 and Bd ≔ Fq ½x�d =〈x1 ; …; xn 〉d fall degree. We will divide the system g1, …, gm into two cases:
for d ∈ N. Let g1 ; …; gm ∈ Fq ½x� be a polynomial system such (i) a semi‐regular quadratic system and (ii) a quadratic system
that ~g1 ; …; ~gm are of degree d 0 ∈ N. We denote by ~gi the associated with a public key P of a multivariate scheme.
image of ~gi ∈ Fq ½x�d0 in Bd0 . For a positive integer d, we Let dreg and dff be the degree of regularity and the first fall
consider the homomorphism degree for g1, …, gm, respectively. Moreover, let d ðn;mÞ
reg be the
degree of regularity for a semi‐regular system of m quadratic
Φd : B m g1 þ ⋯ þ bm~gm :
d−d 0 → Bd ; ðb1 ; …; bm Þ ↦ b1~ equations in n variables, which is efficiently computed by the
Then, we set power series H(t) in Equation (1).
(ii) Multivariate scheme case system. Then, the new system given by fixing k variables is also
considered to be semi‐regular. Therefore, the degree of regu-
We explain how to estimate the complexity of solving a larity d ðn−k;mÞ
reg is given by the smallest integer d for which the
system of quadratic equations PðxÞ − w ¼ 0 using the Gröb- m
coefficient of td in the power series ð1−t2 Þ
is non‐positive.
ner basis approach or Wiedemann XL approach. Here, ð1−tÞn−k
P ¼ ðp1 ; …; pm Þ is a public key for a multivariate scheme and As stated in (i) of Section 4.3, we have the following
w ¼ ðw1 ; …; wm Þ ∈ Fm q is a ciphertext or message to be complexity of the hybrid approach using the Gröbner basis
signed. Solving the system using such approaches is known as approach:
direct attack in MPKC. Put the system 0 1ω
ðn−k;mÞ
n − k þ d
min qk ⋅ @
reg
g1 ≔ p1 − w1 ; …; gm ≔ pm − wm : A :
ðn−k;mÞ
0≤k≤n d reg
We assume that n ≤ m; otherwise, we fix n − m variables
Moreover, we have the following complexity of the hybrid
in the system. Since the fixed system has m equations in m
approach using the Wiedemann XL approach:
variables, it has a solution with a high probability. Therefore,
we can always assume n ≤ m. 0 12
� �
First, we experimentally investigate whether the system g1, n − k þ d ðn−k;mÞ n−k
min qk ⋅ 3@
reg
A :
…, gm is semi‐regular or not. However, since it is not feasible 0≤k≤n ðn−k;mÞ
d reg 2
for P with a larger (i.e. practical) parameter, we need to
conduct some experiments for small parameters. If the systems
Remark 6 The complexity of the direct attack against the
g1, …, gm for P with small parameters behave as a semi‐regular
Rainbow scheme [11] in Section 2.2 is considered as follows.
system of the same size, then we consider that the systems g1,
First, since n > m, we fix n − m variables in x and obtain a
…, gm for P with large parameters are also semi‐regular. Then
system of m quadratic equations in m variables. Through ex-
its complexity is given as in the case (i).
periments, it is known that such systems behave as semi‐
Next, we consider that systems g1, …, gm for P with small
regular. In Ref. [12], the complexity of the direct attack
parameters do not behave as semi‐regular systems. For this
against the Rainbow scheme is estimated using the hybrid
case, we often have d reg > d ðn;mÞ
reg . However, it is known that a version of the Wiedemann XL approach as follows:
non‐semi‐regular system that appears in case (ii) can be solved
faster than a semi‐regular system with the same size. Thus, we 0 12
cannot use dreg to estimate the complexity of solving a non‐ ðm−k;mÞ � �
k
m − k þ d reg m−k
semi‐regular system. Instead, we try to use the first fall de- min q ⋅ 3@ A :
0≤k≤m ðm−k;mÞ
d reg 2
gree dff. This estimation method was initially applied to the
security analysis of the HFE scheme [7]. In the HFE scheme,
by constructing a non‐trivial syzygy of g1, …, gm, Ding et al.
[22] give an upper bound of the first fall degree dff and esti- 5 | BI‐GRADED POLYNOMIAL
mate dmax by using the upper bound of dff. They also exper- SYSTEMS AND RBS ATTACK
imentally confirmed that the upper bound of dff approximates
dmax for small parameters. As a result, dmax for a large In this section, we consider to solve bi‐graded polynomial
parameter of the HFE scheme is estimated by the upper bound systems. Such systems were mainly studied by Nakamura [36],
of dff. However, for schemes other than the HFE scheme and Nakamura et al. [34] and Smith‐Tone et al. [35] via the analysis
its variants, it is necessary to theoretically and experimentally of the RBS attack [28] against the Rainbow scheme [11].
analyse case‐by‐case whether dff can approximate dmax. In Section 5.1, following the work of Nakamura [36], we
Moreover, there is little research on whether dff correctly es- describe the bi‐degree of regularity, which is a generalisation of
timates dfull, and thus further research is required. the degree of regularity dreg. In Section 5.2, following the idea of
Smith‐Tone et al. [35], we explain a complexity estimation of bi‐
graded instances of the MQ problem. Based on these, in Sec-
4.4 | Hybrid approach and its complexity tion 5.3, we explain a new analysis of the RBS attack given by the
studies of Nakamura et al. [34] and Smith‐Tone et al. [35].
In Sections 3.1 and 3.2, we described two approaches for
solving a given quadratic equations g1 = ⋯ = gm = 0. As an
improvement, a hybrid approach [53] with the brute‐force 5.1 | Regularity for bi‐graded polynomial
search is often used, namely after fixing some variables in x systems
(i.e. substituting elements of Fq into some variables), we solve
the obtained equations by an approach discussed in Sec- In this subsection, we recall the definition of the bi‐graded
tions 3.1 or 3.2. Here, we assume that n ≤ m as in Section 4.3. polynomials and describe a generalisation of the degree of
Let 0 ≤ k ≤ n be the number of fixed variables. We consider regularity for them, following the work of Nakamura [36].
the case in which g1 = ⋯ = gm = 0 is a semi‐regular quadratic Let ⪯ be a relation on N2 defined by
17518717, 2023, 2, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12092 by CochraneUnitedArabEmirates, Wiley Online Library on [15/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
IKEMATSU ET AL.
- 219
� �
∏m d i1 d i2
def
ða; bÞ ⪯ ðc; dÞ ⇔ a ≤ c; b ≤ d: i¼1 1 − t 1 t 2
H ðt1 ; t2 Þ ≔ : ð2Þ
We recall the definition of bi‐graded polynomials. We ð1 − t1 Þn1 ð1 − t2 Þn2
consider two variable sets x ¼ ðx1 ; …; xn1 Þ and y ¼ ðy1 ;
…; yn2 Þ. Put the polynomial ring As a result, for a bi‐graded semi‐regular system, any bi‐
degree of regularity (i.e. D) can be easily computed from bi‐
Fq ½x; y� ≔ Fq ½x1 ; …; xn1 ; y1 ; …; yn2 �: degrees of the coefficients in the two‐variable power series
Equation (2).
For polynomials g1 ; …; gm ∈ Fq ½x; y�, we denote their ho-
mogeneous parts of the highest degree by ~g1 ; …; ~gm . Set the
ideals 5.2 | Complexity estimation
~I ¼ ~I ðmÞ ≔ 〈~g ; …; ~g 〉 and ~I ðiÞ ¼ 〈~g ; …; ~g 〉; In this subsection, using the idea of Smith‐Tone et al. [35], we
1 m 1 i
estimate the complexity of solving bi‐graded instances of the
MQ problem. This task is done using the bi‐degrees of regu-
where i = 1, …, m − 1. For d ¼ ðd 1 ; d 2 Þ ∈ N2 , we define the larity in Section 5.1.
following: Let g1 ; …; gm ∈ Fq ½x; y� be a quadratic bi‐graded poly-
i j
nomial system. We consider how to solve such a quadratic bi‐
j
Fq ½x; y�d ≔ ⊕ Fq ⋅ xi11 ⋯xnn11 ⋅ y11 ⋯ynn22 ; graded system using the Wiedemann XL approach. This is
i1 þ⋯þin1 ¼d 1
done as in Section 3.2, namely by solving the linear system
j1 þ⋯þjn2 ¼d 2
associated with the bi‐graded Macaulay matrix. Here, the bi‐
~I ðiÞ ≔ ~I ðiÞ ∩ Fq ½x; y� : graded Macaulay matrix Md of bi‐degree d ∈ N2 with
d d
respect to g1, …, gm is defined as follows: For any bi‐graded
polynomial gðx; yÞ ∈ Fq ½x; y� of bi‐degree ⪯d, we denote by
If ~gi is in Fq ½x; y�d and gi ∈ ⊕d0 ⪯d Fq ½x; y�d0 , then gi is called
vg the row vector of coefficients of g(x, y). Then the matrix Md
a bi‐graded polynomial and we define bi‐deg gi ≔ d.
is defined by concatenating the row vectors vugi , where
Assume that each gi is bi‐graded and di ¼ ðd i1 ; d i2 Þ≔
1 ≤ i ≤ m and u runs in the set of terms with bi‐degree ⪯d − di.
bi ‐ deg gi ∈ N2 . Then, for D ∈ N2 , the polynomial system g1,
The number of terms of degree ⪯d is given as follows:
…, gm is said to be regular up to D [36] if it satisfies that for
any 1 ≤ i ≤ m − 1 and any d ⪯ D the following map is
Lemma 4 ([35]). The number of terms of degree ⪯d is equal to
injective
the coefficient Md ∈ Z of bi‐degree d of the following two‐
variable power series:
ðiÞ ðiÞ
Fq ½x; y�d−di =~I d−di ∋ h ↦ h ⋅ ~giþ1 ∈ Fq ½x; y�d =~I d :
1
:
ð1 − t1 Þn1 þ1 ð1 − t2 Þn2 þ1
5.1.1 | Bi‐degree of regularity
For bi‐graded quadratic polynomials g1 ; …; gm ∈ Fq ½x; y�, we Moreover, the number of terms of degree d is equal to the
~ d ∈ Z of bi‐degree d of the following two‐variable
coefficient M
define the following sets:
power series:
� �
D0 ≔ d ∈ N2 j Fq ½x; y�d ¼ ~I d ; 1
D ≔ fd ∈ D0 j d : minimum in D0 w:r:t ⪯g: :
ð1 − t1 Þ ð1 − t2 Þn2
n1
8� �
< n1 þ 1 þ n1 þ 1; ðm1 > 0Þ;
> of the easy‐to‐invert map F ¼ ðf 1 ; …; f m Þ : Fnq → Fm
q , each
N1 ≔ 2 symmetric matrix corresponding to fi has the following form:
>
:
0; ðotherwiseÞ; 80 1
>
> ∗v�v ∗v�o1 0v�o2
� >@∗
ðn1 þ 1Þðn2 þ 1Þ; ðm2 > 0Þ; >
>
> o1 �v 0o1 �o1 0o1 �o2 A ð1 ≤ i ≤ o1 Þ;
N2 ≔ >
< 0o2 �v 0o2 �o1 0o2 �o2
0; ðotherwiseÞ;
8� � Fi ¼ 0 1
>
< n2 þ 1 þ n2 þ 1; ðm3 > 0Þ;
> >
> ∗v�v ∗v�o1 ∗v�o2
>
> @ ∗o �v
N3 ≔ 2 >
> ∗o1 �o1 ∗o1 �o2 A ðo1 þ 1 ≤ i ≤ mÞ:
: 1
>
: ∗o2 �v ∗o2 �o1 0o2 �o2
0; ðotherwiseÞ:
Similarly, the matrices corresponding to S and T can be
Then, the complexity of solving the system written as follows:
g1 = ⋯ = gm = 0 is estimated by
0 1
� � Iv 0v�o1 0v�o2
min 3 ⋅ M 2D ⋅ maxfN1 ; N2 ; N3 g : S ¼ @ ∗o1 �v Io1 0o1 �o2 A;
D∈D
∗o2 �v ∗o2 �o1 Io2 ð3Þ
Note that since a bi‐degree of regularity D is not unique � �
I 0o1 �o2
for g1,…,gm in general, we need to take the minimum in the T ¼ o1 :
∗o2 �o1 Io2
complexity estimation.
s ⋅ S ¼ ð0; …; 0; 1Þ:
5.3 | RBS attack and its new analysis
Then, for i = 1, …, m, we have
In this subsection, we describe the RBS attack [28] against the
Rainbow scheme [11]. As stated above, the complexity esti- s ⋅ SFi t S⋅t s ¼ ð0; …; 0; 1Þ ⋅ Fi ⋅t ð0; …; 0; 1Þ ¼ 0:
mation of solving bi‐graded polynomial systems is developed
via the analysis of the RBS attack. First, we explain the RBS Since each Pk is a linear combination of
attack. Then, based on Section 5.2, we explain a new
complexity estimation of the RBS attack following Smith‐Tone SF1 t S; …; SFm t S;
et al. [35].
we obtain the equations in λ1 ; …; λvþo1 :
Let (v, o1, o2) be the Rainbow parameter set described in By the form in Equation (3), there exists an m‐by‐1 vector
Section 2.2, and let n = v + o1 + o2 and m = o1 + o2. For a
Rainbow public key P ¼ ðp1 ; …; pm Þ, the RBS attack recovers
its secret key ðF ; T ; SÞ as follows: According to the definition t ¼ ð1; 0…; 0; λvþo1 þ1; …; λvþo1 þo2 Þ
17518717, 2023, 2, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12092 by CochraneUnitedArabEmirates, Wiley Online Library on [15/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
IKEMATSU ET AL.
- 221
such that semi‐regular. However, it is known in Ref. [33] in 2012 that the
RBS dominant system does not behave as a semi‐regular sys-
T ⋅t t ¼ t ð1; 0; …; 0Þ: tem in some experiments.
In 2020, Nakamura et al. [34] and Smith‐Tone et al. [35]
Then, by multiplying Equation (4) by tt, we obtain independently analysed the RBS dominant system by focussing
on the bi‐graded structure. The following estimation is given
o2
X by Smith‐Tone et al. [35]. The RBS dominant system consists
P1 þ λvþo1 þiP o1 þi ¼ SF1 t S: of m polynomials with bi‐degree (2, 0) and n − 1 polynomials
i¼1
with bi‐degree (1, 1). Then the complexity of solving the RBS
dominant system can be estimated by
Moreover, multiplying this equation by s, we have
� �� � ��
mþ1
o2
X min 3 ⋅ M 2D ⋅ max þ m þ 1; ðm þ 1Þn :
s ⋅ P1 þ λvþo1 þis ⋅ P o1 þi ¼ s ⋅ SF1 t S ¼ ð0; …; 0Þ: D∈D 2
i¼1
Here D is computed using
Consequently, for k = 1, …, n − 1, we obtain the following
equations in λ1, …, λn: � n−1
∏m
i¼1 1 − t1 ∏i¼1 ð1 − t1 t2 Þ
2
o2
X ð1 − t1 Þvþo1 ð1 − t2 Þo2
t t
s ⋅ P 1 ⋅ ek þ λvþo1 þis ⋅ P o1 þi ⋅ ek ¼ 0; ð6Þ
i¼1 as in Lemma 3, and MD is given by Lemma 4 as n1 = v + o1
� and n2 = o2.
where ek is the n‐by‐1 vector 0; …; 0; 1k ; 0; …; 0 . Here, we
remove the case k = n because Equation (6) for k = n follows Remark 9 The two‐variable power series Equation (2) was
Equation (5). introduced by Nakamura et al. [34] and Smith‐Tone et al. [35]
Clearly, Equation (5) is a bi‐graded system with bi‐degree independently. Nakamura et al. [34] introduced Equation (2) as
(2, 0) and Equation (6) is a bi‐graded system with bi‐degree an analogy of the power series of Equation (1) in Lemma 1 and
(1, 1) with respect to fλ1 ; …; λvþo1 g, fλvþo1 þ1; …; λn g. Sys- confirmed that dmax of the RBS dominant system can be
tem Equations (5) and (6) consist of n + m − 1 quadratic bi‐ approximated using the power series in Equation (2). Subse-
graded equations in n variables. By solving the quadratic sys- quently, Nakamura [36] arranged the theoretical background of
tem, an attacker can recover a part of the secret key S and T, the power series in Equation (2) by extending the studies of
namely s and t, respectively. The RBS attack can recover S and Diem [37] and Bardet et al. [19], for example, by using the idea of
T by repeating a similar process (see Ref. [28] for details). bi‐graded semi‐regularity and so on. On the other hand, Smith‐
Because the complexity of the RBS attack is dominated by that Tone et al. [35] introduced the power series in Equation (2) based
of solving the bi‐graded quadratic system, it is sufficient to on two assumptions regarding maximal rank conjectures. It will
treat only the system. We refer to the quadratic system con- be necessary to study the relationship between bi‐graded semi‐
sisting of Equations (5) and (6) as the RBS dominant system. regularity and the two assumptions for further analysis. The
complexity estimation of the bi‐graded semi‐regular system in
this section follows the idea of Smith‐Tone et al. [35]. Since the
5.3.2 | Complexity estimation study of the bi‐graded systems and their complexities have just
begun, further research will be needed.
We first recall the complexity analysis of the RBS attack in the
second round submission [56] of the NIST PQC stand-
ardisation project regarding the Rainbow scheme. As seen 6 | RECTANGULAR MINRANK ATTACK
above, the RBS dominant system consists of n variables and
n + m − 1 quadratic equations. In Ref. [56], the complexity of In this section, we explain the rectangular MinRank attack [29]
solving the RBS dominant system was estimated using the against the Rainbow scheme proposed by Beullens. This attack
hybrid version of the Wiedemann XL approach in Section 4.4 is carried out by deforming the MinRank problem associated
as follows: with the Rainbow scheme to another MinRank problem and by
8 0 12 9 solving it using the support minor modelling method proposed
� �=
< n þ d ðn−k;nþm−1Þ n−k
by Bardet et al. [26].
qk ⋅ 3@
reg
min A : In Section 6.1, we briefly explain the support minor
0≤k≤n: d ðn−k;nþm−1Þ 2 ;
reg modelling method [26] that solves the MinRank problem. In
Section 6.2, we prepare some notations to explain the rect-
Namely, in Ref. [56] the complexity of the RBS dominant angular MinRank attack in terms of matrix representations. In
system was estimated without using the bi‐graded structure Section 6.3, we describe the rectangular MinRank attack using
and based on the assumption that the RBS dominant system is matrix representation. In Section 6.4, we explain the
17518717, 2023, 2, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12092 by CochraneUnitedArabEmirates, Wiley Online Library on [15/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
222
- IKEMATSU ET AL.
rþ1
As stated in Section 2.4, the security of the Rainbow scheme is
X jþ1
cΔ;i ¼ ð−1Þ mi;δj ⋅ bΔnfδj g: reduced to an instance of the MinRank problem. The basic
j¼1 idea behind the rectangular MinRank attack [29] is to reveal
17518717, 2023, 2, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12092 by CochraneUnitedArabEmirates, Wiley Online Library on [15/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
IKEMATSU ET AL.
- 223
another instance of the MinRank problem lurking in the Since F~ vþo1 þ1; …; F~ n are of rank ≤o2, we have another
Rainbow scheme, which is different from the instance stated in instance of the MinRank problem. Beullens [29] proposed a
Section 2.4. Beullens [29] explained this idea using the poly- key recovery attack based on this MinRank problem against the
nomial maps P and its polar forms. However, this idea can be Rainbow scheme. This is called the rectangular MinRank
explained in terms of the symmetric matrices of P. For this attack.
purpose, we prepare some notations and a lemma in this More precisely, this attack is slightly modified in Ref. [29] as
subsection. follows. With a high probability, there exists an n‐by‐1 vector
Let (Q1, …, Qm) be a set of n‐by‐n matrices over Fq , and
ðjÞ
qi denotes the j‐th column vector of Qi, namely, a ¼ ða1 ; …; avþo1 þ1; 0; …; 0Þ ∈ Fnq
� vþo1 �
� � zfflffl }|fflffl { zfflfflffl}o|ffl
2
fflffl{
Qi ¼ qð1Þ
i
ð2Þ
qi … qi
ðnÞ
∈ Fn�n
q :
such that a ⋅ S ¼ 0; …; 0 ; ∗; …; ∗ : Then, we show that
� � vþo
X 1 þ1 � � �
Then, we define the new set ~ ; …; Q
Q ~ of n‐by‐m ~i ¼ P
ai P ~ n ⋅t a ¼ SF~ 1 T ; …; SF~ n T ⋅t ða ⋅ SÞ
~ 1 ; …; P
1 n
matrices as follows: i¼1
� �
~ ≔ qð1Þ
Q1 1
ð1Þ
q2 … qð1Þ
m
; is a linear combination of SF~ vþo1 þ1T ; …; SF~ n T . Thus, since
� � this matrix is of rank ≤o
~ ≔ qð2Þ �2, the vector a �gives a solution to the
Q ð2Þ
q2 … qð2Þ ; ~ 1 ; …; P
~ vþo þ1 with the target rank
2 1 m MinRank problem for P 1
⋮ o2. Moreover, for i = 1, …, m, we have
� �
~ ≔ qðnÞ
Q ðnÞ
q2 … qðnÞ :
n 1 m
� � p1 ðaÞ ¼ ⋯ ¼ pm ðaÞ ¼ 0;
We call Q ~ ; …; Q
~ the matrix deformation of
1 n
(Q1, …, Qm). Then the following lemma can be easily proven: where P ¼ ðp1 ; …; pm Þ is a public key of the Rainbow scheme.
As a result, the vector a is a common solution of the
Lemma 5 Let S be an n‐by‐n matrix and T be an m‐by‐m following problems:
matrix. Then the matrix deformation of
ðSQ1 t S; …; SQm t SÞ ⋅ T is given by ðiÞ p1 ðaÞ ¼ ⋯ ¼ pm ðaÞ ¼ 0� for public key �
P ¼ ðp1 ; …; pm Þ;
� � ~ ~
ðiiÞ MinRank problem for P 1 ; …; P vþo þ1 with rank r ¼ o2 :
SQ ~ T ⋅t S:
~ T ; …; SQ 1
1 n
dim Fq ½a; b�ðd;1Þ =Jðd;1Þ Rainbow scheme is one of the most influential multivariate
schemes owing to its selection as a finalist in the third round of
� �� �
m v þ o1 þ d the NIST PQC standardisation project, and thus some recent
¼
o2 d progress in MPKC has been made via the security analysis of
� �� �� � the Rainbow scheme.
P m nþi−1 v þ o1 þ d − i
− di¼1 ð−1Þiþ1 ; Considering this situation, we mainly provided a survey on
o2 þ i i d−i the following topics: the state‐of‐the‐art approaches for solv-
ð7Þ ing a polynomial system used in MPKC and two recently
improved attacks on the Rainbow scheme, namely the RBS
attack using the bi‐graded polynomial system in the studies of
when the right‐hand side is ≥2. Otherwise, the coefficient is 1.
0 Nakamura et al. and Smith‐Tone et al. and the rectangular
Let d min be the smallest integer d such that the coefficient
MinRank attack proposed by Beullens.
of degree d of HJ0 (t) is 1. Under the following generic
In particular, we defined the semi‐regularity of the bi‐
assumption, we can compute HJ0 (t) and d 0min from HJ(t).
graded systems based on the work of Nakamura and
explained the complexity estimation for solving a bi‐graded
Lemma 6 For 1 ≤ i ≤ m, let J(i) be the ideal generated by J and
system based on the idea of Smith‐Tone et al. Moreover,
p1(a), …, pi(a). Assume that for any 1 ≤ i ≤ m − 1 and any
0 we provided another description for the rectangular MinRank
d < d min , the following map is injective:
attack, which was originally proposed by Beullens, based on a
ðiÞ ðiÞ matrix representation. By explicitly describing the generic
Fq ½a; b�ðd−2;1Þ =J ðd−2;1Þ ∋ h ↦ h ⋅ piþ1 ðaÞ ∈ Fq ½a; b�ðd;1Þ =J ðd;1Þ :
assumption for the bi‐graded system appearing in the rect-
angular MinRank attack, we reconfirmed the complexity
Then, we have estimation of solving the bi‐graded system of the attack.
� �m �þ
HJ 0 ðtÞ ¼ 1 − t2 ⋅ HJ ðtÞ ; ð8Þ We believe this survey will be useful for future de-
velopments in MPKC research.
�P �
i þ
P i
P i
where [ ⋅ ]+ means i ci t ≔ i<i0 ci t þ i≥i0 t and
i0 ≔ min{i | ci ≤ 1}. A C K N OWL E D G EM E N TS
This work was supported by JST CREST Grant Number
Thus, if the assumption of Lemma 6 is satisfied, then d min
0 JPMJCR2113 and JSPS KAKENHI Grant Number
is computed from the explicit Equation (8) of HJ0 (t) in JP19K20266, JP20K19802.
Lemma 6. This lemma follows from similar discussions of the
proofs for Lemmas 1 and 3 (see Refs. [19, 36]). C O N F L I C T O F I N TE R E S T
Then, by identifying each term in J 0ðd0 ;1Þ as a new vari- The authors declared that they have no conflicts of interest to
min this work.
able, we obtain a linear system with one‐dimensional solution
space. By applying the Wiedemann XL approach to the linear DATA AVAI L AB I LI TY S TAT E M E N T
system, we can find a common solution to problems (i) and (ii). Data sharing is not applicable to this article as no datasets were
Therefore, the complexity of the support minor modelling generated or analysed during the current study.
method is given by
!!2 O R CI D
� �
m v þ o1 þ d min
0
Yasuhiko Ikematsu https://orcid.org/0000-0002-9714-
3ðo2 þ 1Þðn þ o1 þ 1Þ : ð9Þ
o2 d 0min 2675
7. Patarin, J.: Hidden field equations (HFE) and isomorphisms of 30. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases
polynomials (IP): two new families of asymmetric algorithms. In: (F4). J. Pure Appl. Algebra. 139(1–3), 61–88 (1999). https://doi.org/10.
EUROCRYPT 1996, LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg 1016/s0022‐4049(99)00005‐5
(1996) 31. Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE
8. Casanova, A., et al.: GeMSS: A Great Multivariate Short Signature. Trans. Inf. Theory. 32(1), 54–62 (1986). https://doi.org/10.1109/tit.1986.
Specification document of NIST PQC 2nd round submission package 1057137
(2019) 32. Ars, G., et al.: Comparison between XL and Gröbner basis algorithms. In:
9. Ding, J., et al.: Gui. Technical report. National Institute of Standards and ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg
Technology. Post‐Quantum Cryptography. https://csrc.nist.gov/ (2004)
Projects/Post‐Quantum‐Cryptography/Round‐1‐submissions 33. Thomae, E.: A Generalization of the Rainbow Band Separation Attack
10. Kipnis, A., Patarin, L., Goubin, L.: Unbalanced oil and vinegar schemes. and Its Applications to Multivariate Schemes. IACR Cryptology ePrint
In: EUROCRYPT 1999, LNCS, vol. 1592, pp. 206–222. Springer, Hei- Archive (2012). https://eprint.iacr.org/2012/223. Accessed 22
delberg (1999) September 2020
11. Ding, J., Schmidt, D.S.: Rainbow, a new multivariate polynomial signature 34. Nakamura, S., et al.: New complexity estimation on the rainbow‐band‐
scheme. In: ACNS 2005, LNCS, vol. 3531, pp. 164–175. Springer, Hei- separation attack. Theor. Comput. Sci. 896, 1–8 (2021). https://doi.
delberg (2005) org/10.1016/j.tcs.2021.09.043
12. Ding, J., et al.: Rainbow. Technical report. National Institute of Standards 35. Smith‐Tone, D., Perlner, R.A.: Rainbow Band Separation Is Better Than
and Technology. Post‐Quantum Cryptography. https://csrc.nist.gov/ We Thought. IACR Cryptology ePrint Archive, 2020/702 (2020)
Projects/Post‐Quantum‐Cryptography/Round‐3‐submissions 36. Nakamura, S.: Formal Power Series on Algebraic Cryptanalysis. arXiv.org
13. Sakumoto, K., Shirai, T., Hiwatari, H.: Public‐key identification schemes e‐Print archive (30 July 2020). arXiv. https://arxiv.org/abs/2007.14729
based on multivariate quadratic polynomials. In: CRYPTO 2011, LNCS, 37. Diem, C.: Bound of regularity. J. Algebra. 423, 1143–1160 (2015). https://
vol. 6841, pp. 706–723. Springer, Heidelberg (2011) doi.org/10.1016/j.jalgebra.2014.09.029
14. Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of 38. Tao, C., et al.: Simple matrix scheme for encryption. In: PQCrypto 2013,
Eurocrypt 88. In: CRYPTO 1995, LNCS, vol. 963, pp. 248–261. Springer, LNCS, vol. 7932, pp. 231–242. Springer, Heidelberg (2013)
Heidelberg (1995) 39. Porras, J., Baena, J., Ding, J.: ZHFE, a new multivariate public key
15. Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature encryption scheme. In: PQCrypto 2014, LNCS, vol. 8772, pp. 229–245.
scheme. In: CRYPTO 98, LNCS, vol. 1462, pp. 257–266. Springer, Springer, Heidelberg (2014)
Heidelberg (1998) 40. Szepieniec, A., Ding, J., Preneel, B.: Extension field cancellation: a new
16. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases central trapdoor for multivariate quadratic systems. In: PQCrypto 2016,
without reduction to zero (F5). In: ISSAC 2002, pp. 75–83 (2002) LNCS, vol. 9606, pp. 182–196. Springer, Heidelberg (2016)
17. Patarin, J.: HFE first challenge. http://www.minrank.org/hfe/% 41. Ikematsu, Y., et al.: HFERP – a new multivariate encryption scheme. In:
23challenge (1996) PQCrypto 2018, LNCS, vol. 10786, pp. 396–416. Springer, Heidelberg
18. Faugére, J.C., Joux, A.: Algebraic cryptanalysis of hidden field equation (2018)
(HFE) cryptosystems using Gröbner bases. In: CRYPTO 2003, LNCS, 42. Patarin, J.: The oil and vinegar algorithm for signatures. In: Dagstuhl
vol. 2729, pp. 44–60 (2003) Workshop on Cryptography (September 1997)
19. Bardet, M., et al.: Asymptotic behavior of the index of regularity of 43. Beullens, W.: Breaking rainbow takes a weekend on a laptop. In: IACR
quadratic semi‐regular polynomial systems. In: 8th International Sympo- Cryptology ePrint Archive (2022). https://eprint.iacr.org/2022/214.pdf
sium on Effective Methods in Algebraic Geometry (MEGA), pp. 1–14 44. Chen, M.S., et al.: From 5‐pass MQ‐based identification to MQ‐based
(2005) signatures. In: ASIACRYPT 2016, LNCS, vol. 10032, pp. 135–165.
20. Dubois, V., Gamma, N.: The degree of regularity of HFE systems. In: Springer, Heidelberg (2016)
Asiacrypt 2010, LNCS, vol. 6477, pp. 557–576. Springer, Heidelberg 45. Chen, M.S., et al.: MQDSS. Technical report. National Institute of
(2010) Standards and Technology. Post‐Quantum Cryptography. https://csrc.
21. Granboulan, L., Joux, A., Stern, J.: Inverting HFE is quasipolynomial. In: nist.gov/Projects/Post‐Quantum‐Cryptography/Round‐3‐submissions
CRYPTO 2006, LNCS, vol. 4117, pp. 345–356. Springer, Heidelberg 46. Courtois, N.T.: Efficient zero‐knowledge authentication based on a linear
(2006) algebra problem MinRank. In: ASIACRYPT 2001, LNCS, vol. 2248, pp.
22. Ding, J., Hodges, T.J.: Inverting HFE systems is quasi‐polynomial for all 402–421. Springer, Heidelberg (2001)
fields. In: CRYPTO 2011, LNCS, vol. 6841, pp. 724–742. Springer, 47. Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des
Heidelberg (2011) Restklassenrings nach einem nulldimensionalen Polynomideal. PhD
23. Ding, J., Yang, B.Y.: Degree of regularity for HFEv and HFEv‐. thesis. Universität Innsbruck (1965)
In: PQCrypto 2013, LNCS, vol. 7932, pp. 52–66. Springer, Heidelberg 48. Faugére, J.C., et al.: Efficient computation of zero‐dimensional Gröbner
(2013) bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993).
24. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem https://doi.org/10.1006/jsco.1993.1051
by relinearization. In: CRYPTO 99, LNCS, vol. 1666, pp. 19–30. Springer, 49. Courtois, N., et al.: Efficient algorithms for solving overdefined systems
Heidelberg (1999) of multivariate polynomial equations. In: EUROCRYPT 2000, LNCS, vol.
25. Buss, J., Frandsen, G., Shallit, J.: The computational complexity of some 1807, pp. 392–407 (2000)
problems of linear algebra. J. Comput. Syst. Sci. 58(3), 572–596 (1999). 50. Coppersmith, D.: Solving homogeneous linear equations over GF(2) via
https://doi.org/10.1006/jcss.1998.1608 block Wiedemann algorithm. Math. Comput. 62(205), 333–350 (1994).
26. Bardet, M., et al.: Improvements of algebraic attacks for solving the rank https://doi.org/10.2307/2153413
decoding and MinRank problems. In: International Conference on the 51. Yang, B.Y., et al.: Analysis of QUAD. In: FSE 2007, LNCS, vol. 4593, pp.
Theory and Application of Cryptology and Information Security (2020) 290–308. Springer, Heidelberg (2007)
27. Faugère, J.C., Safey El Din, M., Spaenlehauer, P.J.: Computing loci of rank 52. Verbel, J.A., et al.: On the complexity of “superdetermined” MinRank
defects of linear matrices using Gröbner bases and applications to instances. In: PQCrypto 2019, LNCS, vol. 11505, pp. 167–186. Springer,
cryptology. In: ISSAC 2010, pp. 257–264 (2010) Heidelberg (2019)
28. Ding, J., et al.: New differential‐algebraic attacks and reparametrization of 53. Bettale, L., Faugère, J.C., Perret, L.: Hybrid approach for solving multi-
Rainbow. In: ACNS 2008, LNCS, vol. 5037, pp. 242–257. Springer, variate systems over finite fields. J. Math. Cryptol. 3, 177–197 (2009).
Heidelberg (2008) https://doi.org/10.1515/jmc.2009.009
29. Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: EURO- 54. Baena, J., Cabarcas, D., Verbel, J.: On the Complexity of Solving Generic
CRYPT 2021, LNCS, vol. 12696, pp. 348–373. Springer, Heidelberg Over‐Determined Bilinear Systems. arXiv:2006.09442. https://arxiv.org/
(2021) abs/2006.09442
17518717, 2023, 2, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12092 by CochraneUnitedArabEmirates, Wiley Online Library on [15/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
226
- IKEMATSU ET AL.
55. Faugère, J.C., Safey El Din, M., Spaenlehauer, P.J.: Gröbner bases of
bihomogeneous ideals generated by polynomials of bidegree (1, 1): al- How to cite this article: Ikematsu, Y., Nakamura, S.,
gorithms and complexity. J. Symb. Comput. 46(4), 406–437 (2011). Takagi, T.: Recent progress in the security evaluation
https://doi.org/10.1016/j.jsc.2010.10.014 of multivariate public‐key cryptography. IET Inf. Secur.
56. Ding, J., et al.: Rainbow. Technical report. National Institute of 17(2), 210–226 (2023). https://doi.org/10.1049/ise2.
Standards and Technology. Post‐Quantum Cryptography. https://
csrc.nist.gov/Projects/Post‐Quantum‐Cryptography/Round‐2‐submiss
12092
ions