
An Efficient Method for Deciding Polynomial Equivalence Classes

Tianze Wang1,2 and Dongdai Lin1

1 SKLOIS, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China

2 Graduate University of Chinese Academy of Sciences, Beijing 100149, China
wtziscas@hotmail.com, ddlin@is.iscas.ac.cn

Abstract. The enumeration of isomorphism of polynomials (IP) problem was first introduced in [1]; it consists of counting the number of solutions of an instance of the IP problem and counting the number of different equivalence classes. In this paper we give a method to find all the polynomial equivalence classes under the IP with one secret problem for the case of an even-characteristic ground field except $\mathbb{F}_2$. We first identify a rough classification according to the matrix equivalence relation, then within each matrix equivalence class we obtain a finer classification according to the linear equivalence relation. The given method is much more effective than the exhaustive search algorithm and is feasible for small $n$ and $q$.

Keywords: Enumerative Problem, Isomorphism of Polynomials, Equivalence Class, Equivalent Keys

1 Introduction

Multivariate public key schemes date back to the mid eighties with the design of the MI scheme [2], and since then there have been many papers in this direction. Their security is based on the problem of solving a system of nonlinear multivariate equations over a finite field, which was proven to be NP-hard [3]. Since multivariate public key cryptography is proposed as an alternative to the RSA cryptosystem and there is no quantum algorithm for that hard problem, it is of interest to us.

In multivariate public key schemes it is usual to hide an easily inverted multivariate polynomial system $a$ by composing it with two invertible affine transformations, say $S$ and $T$; the resulting polynomial system $b = T \circ a \circ S$ is random-looking. This is closely related to another hard and fundamental problem, namely the isomorphism of polynomials (IP) problem. The IP problem is recovering the secret transformations $S$ and $T$ given $a$ and $b$.

Recently Lin et al. introduced the corresponding enumerative problem of the IP problem in [1]. This problem has two meanings: one is to identify the number of solutions of the IP problem, which is equivalent to computing the number of equivalent keys for a fixed system of polynomials used as the central function of a scheme. As we know, the isomorphism of polynomials induces an equivalence relation, hence we get a partition of all polynomial systems according to this equivalence relation. Thus the other meaning is to identify all the equivalence classes. Obviously not all systems of nonlinear equations are hard to solve, and intuitively we think that the polynomial systems in the equivalence class containing some easy instance are also easily solved. Therefore we should avoid using those instances.

Related works. The overwhelming majority of previous works are dedicated to finding a solution of instances of the IP with two secrets and IP with one secret problems; however, they all neglect the problem of identifying the number of solutions of that problem, which is related to the equivalent keys for a fixed central function, and of finding all equivalence classes.

In [4], the authors for the first time considered the equivalent keys of some multivariate public key schemes, such as C, HFE and oil-vinegar schemes. They introduced some sustaining transformations, of which the “Big sustainer” and “Frobenius sustainer” are used to analyze SFLASH [5, 6] and the subfield variant of HFE schemes [7]. However, they did not consider the general case; that is, they did not connect the problem of equivalent keys with the polynomial isomorphism problem, which is a fundamental hard problem in MPKC.

In [1], the authors introduced a new tool, namely finite geometry, to study the enumerative problem of IP, and they gave some lower bounds on the number of IP classes. Then they applied this new tool to a generalized MPKC scheme, i.e. the “MI-like” scheme, and concluded that there are many “MI-like” instances in HFE schemes which are insecure.

Our results. As far as we know, there is no algorithm for identifying all linear equivalence classes in the set of all multivariate homogeneous quadratic polynomial systems; the interest of researchers has been in the IP problem itself. In this paper we focus on the enumerative problem of equivalence classes and show how to find the complete classification of polynomials according to the classification by the friendly mapping $\Psi_1$. We give a heuristic algorithm to determine the number of equivalence classes under the problem of IP with one secret. The method underlying the algorithm takes advantage of the invariant properties of the “diagonal” polynomials under the action of linear transformations.

We first define an equivalence relation, matrix equivalence, which is a necessary condition for linear equivalence. Thus we get a rough classification according to the matrix equivalence relation. Then, based on the rough classification and the stabilizers computed already, we obtain the finer classes, i.e. the linear equivalence classes. Empirically the orders of the stabilizers are much smaller than the order of the general linear group, so the given algorithm is more efficient than the exhaustive search algorithm.

Organization of this paper. In section 2 we move on to the basic ingredients that explain our techniques for solving the enumeration of IP problem. Then, in section 3, we give the two implications of the enumerative problem. In section 4, we give the mathematical principle and the algorithms for counting the number of equivalence classes under the IP with one secret problem. In section 5, we present an example to illustrate our method and analyze the results.

2 Preliminaries

In this section, we first recall the definition of the IP problem, first given by J. Patarin [8], and the univariate representation of a polynomial system [9], which is crucial to our method. Then we recall the definition of friendly mapping introduced in [1] and some of its basic properties.

2.1 Isomorphism of Polynomials

By $\mathbb{F}_q$ we denote a finite field with $q$ elements and by $\mathbb{F}_q[\bar x] = \mathbb{F}_q[x_1, \ldots, x_n]$ the polynomial ring in the indeterminates $\bar x = x_1, \ldots, x_n$ over $\mathbb{F}_q$, where $n > 1$.

Let $u > 1$ be an integer and $A, B \in \mathbb{F}_q[\bar x]^u$ such that all polynomials in $A = (a_1(\bar x), \ldots, a_u(\bar x))$ and $B = (b_1(\bar x), \ldots, b_u(\bar x))$ are of total degree 2. Then we say $A$ and $B$ are isomorphic if there are two invertible affine transformations $T = (T_L, T_C) \in GL_u(\mathbb{F}_q) \times \mathbb{F}_q^u$ and $S = (S_L, S_C) \in GL_n(\mathbb{F}_q) \times \mathbb{F}_q^n$ satisfying $(b_1(\bar x), \ldots, b_u(\bar x)) = (a_1(\bar x S_L + S_C), \ldots, a_u(\bar x S_L + S_C)) \cdot T_L + T_C$, i.e. $B = T \circ A \circ S$.

The IP problem can be stated as follows: given isomorphic $A, B \in \mathbb{F}_q[\bar x]^u$ as above, find an isomorphism $(T, S)$ from $A$ to $B$. More precisely, this problem is also known as IP with two secrets (IP2S). There is another problem called IP with one secret (IP1S), in which we only consider the action of $S$, and the degrees of the polynomials in $A$ and $B$ may be greater than 2.

There are some variants according to the following parameters: the first is whether $S$ and $T$ are affine or linear; the second is whether the polynomials in $A$ and $B$ are homogeneous or not; the third is whether the number of indeterminates $n$ equals the number of polynomials $u$ or not. These factors influence the difficulty of the IP problem to some degree. Note that the IP problem considered in this paper is the linear, homogeneous and $n = u$ variant.

2.2 Univariate Representations

Isomorphism between $\mathbb{F}_{q^n}$ and $\mathbb{F}_q^n$. Take $g(x) \in \mathbb{F}_q[x]$ to be an irreducible polynomial of degree $n$; then $\mathbb{F}_{q^n} \cong \mathbb{F}_q[x]/(g(x))$. It is well known that $\mathbb{F}_{q^n}$, as a vector space over $\mathbb{F}_q$, and $\mathbb{F}_q^n$ are isomorphic. Let $\phi$ be the standard $\mathbb{F}_q$-linear isomorphism between $\mathbb{F}_{q^n}$ and $\mathbb{F}_q^n$ given by

$$\phi(\alpha_0 + \alpha_1 x + \cdots + \alpha_{n-1} x^{n-1}) = (\alpha_0, \alpha_1, \ldots, \alpha_{n-1}).$$

Using this map we can “lift” a quadratic polynomial system and a linear transformation onto the extension field $\mathbb{F}_{q^n}$.

Quadratic polynomial systems. We denote the set of all systems of $n$ homogeneous quadratic polynomials in $n$ indeterminates over the ground field $\mathbb{F}_q$ by $\mathcal{P}$. Let $P \in \mathcal{P}$; then the univariate representation of $P$, $\bar P = \phi^{-1} \circ P \circ \phi$, is of the form:

$$\bar P(X) = \sum_{i=0}^{n-1} \sum_{j=0}^{i} \alpha_{ij} X^{q^i + q^j}$$

for some $\alpha_{ij} \in \mathbb{F}_{q^n}$, if $q > 2$. We note that for $q = 2$ the correspondence does not hold.

This correspondence was first given by Kipnis and Shamir in [9]. We use $\bar{\mathcal{P}}$ to denote the set of univariate representations of the systems in $\mathcal{P}$.
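As an added worked example (not code from the paper or from [9]), the following Python script builds the smallest case the correspondence allows, $q = 3$, $n = 2$, with the constructed modulus $g(x) = x^2 + 1$. It stores elements of $\mathbb{F}_9$ as coefficient vectors, which is exactly the coordinate map $\phi$ above, evaluates a constructed univariate polynomial $\bar P(X) = \sum_{j \le i} \alpha_{ij} X^{q^i + q^j}$, pulls $P = \phi \circ \bar P \circ \phi^{-1}$ back to $\mathbb{F}_3^2$, and checks by interpolation over all nine inputs that each coordinate of $P$ is a homogeneous quadratic form, i.e. that $\bar P$ really represents some $P \in \mathcal{P}$. The coefficients $\alpha_{ij}$, the modulus and all function names are this example's own choices.

```python
# Added example (not from the paper): the univariate representation of a
# quadratic system, worked for q = 3, n = 2. Elements of F_{q^n} = F_q[x]/(g(x))
# are stored as coefficient lists [a_0, ..., a_{n-1}] of a_0 + a_1 x + ...,
# so the list IS the coordinate vector phi(alpha) of the paper's isomorphism.
from itertools import product

Q = 3                  # ground field F_3; the correspondence needs q > 2
N = 2                  # extension degree n
G = [1, 0, 1]          # g(x) = 1 + 0*x + x^2, irreducible over F_3 (constructed choice)

# Constructed coefficients alpha_ij in F_9, indexed by (i, j) with j <= i.
PBAR = {(0, 0): [1, 2], (1, 0): [0, 1], (1, 1): [2, 0]}


def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def mul(a, b):
    """Multiply in F_q[x]/(g(x)): schoolbook product, then reduce by the monic g."""
    prod = [0] * (2 * N - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % Q
    for d in range(2 * N - 2, N - 1, -1):
        c = prod[d]
        if c:  # x^d = x^(d-N) * x^N, and x^N = -(g_0 + ... + g_{N-1} x^{N-1})
            for k in range(N + 1):
                prod[d - N + k] = (prod[d - N + k] - c * G[k]) % Q
    return prod[:N]


def power(a, e):
    """Square-and-multiply exponentiation in F_{q^n}."""
    result = [1] + [0] * (N - 1)
    while e:
        if e & 1:
            result = mul(result, a)
        a = mul(a, a)
        e >>= 1
    return result


def eval_univariate(coeffs, X):
    """Evaluate Pbar(X) = sum_{j<=i} alpha_ij X^(q^i + q^j) at X in F_{q^n}."""
    acc = [0] * N
    for (i, j), alpha in coeffs.items():
        acc = add(acc, mul(alpha, power(X, Q ** i + Q ** j)))
    return acc


def lifted_system(coeffs):
    """P = phi o Pbar o phi^{-1} as a lookup table F_q^n -> F_q^n (phi is the
    identity on coefficient lists, so this is evaluation on every coordinate vector)."""
    return {v: tuple(eval_univariate(coeffs, list(v)))
            for v in product(range(Q), repeat=N)}


def quadratic_form_coefficients(table, k):
    """Recover the coefficients c_ab (a <= b) of x_a * x_b in the k-th coordinate of P
    by evaluating at the unit vectors e_a and at e_a + e_b, then verify the resulting
    homogeneous quadratic form against every entry of the table. Returns None if
    the k-th coordinate is not such a form."""
    def e(idx):
        return tuple(1 if t == idx else 0 for t in range(N))
    c = {}
    for a in range(N):
        c[(a, a)] = table[e(a)][k]                      # value at e_a is c_aa
    for a in range(N):
        for b in range(a + 1, N):
            ab = tuple((e(a)[t] + e(b)[t]) % Q for t in range(N))
            c[(a, b)] = (table[ab][k] - c[(a, a)] - c[(b, b)]) % Q
    for v, img in table.items():
        if sum(c[(a, b)] * v[a] * v[b] for (a, b) in c) % Q != img[k]:
            return None
    return c


def check_correspondence(coeffs):
    """Return (every coordinate is a homogeneous quadratic form?, list of coefficient dicts)."""
    table = lifted_system(coeffs)
    forms = [quadratic_form_coefficients(table, k) for k in range(N)]
    return all(f is not None for f in forms), forms


if __name__ == "__main__":
    ok, forms = check_correspondence(PBAR)
    print("every coordinate of P is a homogeneous quadratic form:", ok)
    for k, f in enumerate(forms):
        print(f"P_{k}(x0, x1) coefficients of x_a*x_b:", f)
```

The returned coefficient dictionaries are the data of the system $P \in \mathcal{P}$ that $\bar P$ represents, so the script recovers the ground-field side of the correspondence explicitly rather than only asserting it; changing `Q`, `N` and `G` to another prime $q > 2$ and an irreducible $g$ of degree $n$ runs the same check for a larger instance.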

Linear transformations. Let $L$ be a linear transformation of the $\mathbb{F}_q$-vector space $\mathbb{F}_q^n$; then $\bar L = \phi^{-1} \circ L \circ \phi$ is of the form:

We denote the set of all invertible linear transformations over $\mathbb{F}_q$ by $\mathcal{L}$ and its corresponding set of univariate representations by $\bar{\mathcal{L}}$. In the sequel, we consider the IP problem over the extension field $\mathbb{F}_{q^n}$ using these univariate representations.

2.3 Friendly Mapping

In [1], Lin et al. introduced the definition of friendly mapping, which is the bridge connecting a univariate polynomial over the extension field $\mathbb{F}_{q^n}$ and a matrix over $\mathbb{F}_{q^n}$, converting the composition of polynomials into the congruence transformation of matrices. Note that the composition of polynomials mentioned here means the composition of the univariate representation of a homogeneous quadratic polynomial system and the univariate representation of a linear transformation over the ground field $\mathbb{F}_q$; in general, for the composition of two arbitrary univariate polynomials the friendly mapping does not have this property. The definition of friendly mapping is given as follows:

Definition 1. Let $M_{n \times n}(\mathbb{F}_{q^n})$ be the set of all $n \times n$ matrices over $\mathbb{F}_{q^n}$. A mapping $\Psi$ from $\bar{\mathcal{P}}$ to $M_{n \times n}(\mathbb{F}_{q^n})$ is called a friendly mapping if for every $\bar L \in \bar{\mathcal{L}}$ and $\bar P \in \bar{\mathcal{P}}$, $\Psi(\bar P \circ \bar L) = \hat L \, \Psi(\bar P) \, \hat L'$, where “$'$” denotes the transpose of a matrix and $\hat L$ is a matrix associated with $\bar L$ over the extension field $\mathbb{F}_{q^n}$ as follows

$\hat L =$

The authors of [1] gave a candidate friendly mapping. For any $\bar P = \sum^{n-1}$

Sometimes we also call $\Psi_1(\bar P)$ the matrix associated with $\bar P$, or the associated matrix of $\bar P$. It is easy to check that for $\bar P_1, \bar P_2 \in \bar{\mathcal{P}}$, $\Psi_1(\bar P_1 + \bar P_2) = \Psi_1(\bar P_1) + \Psi_1(\bar P_2)$.