New complexity estimation on the Rainbow-Band-Separation attack

Nakamura, Shuhei; Ikematsu, Yasuhiko; Wang, Yacheng; Ding, Jíntai; Takagi, Tsuyoshi

doi:10.1016/j.tcs.2021.09.043

Cited by 4 publications

(17 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Polynomial systems solved in the Rainbow-Band-Separation attack and the MinRank attack with the Kipnis-Shamir modeling are multi-graded, and we further show that the condition for the order of a field in our results is satisfied in these attacks against multivariate cryptosystems proposed in NIST PQC 2nd round. In particular, our result gives a theoretical background for the precise security analysis in [22,23] since their values are specific cases of D Z s ≥0 . Consequently, under a reasonable condition for the order of a field, we clear a relation between the first fall degree and the degree of regularity and provide a theoretical method using a multivariate power series for cryptanalysis.…”

Section: Our Contributionmentioning

confidence: 87%

“…In particular, since q > d ff by Theorem 4.5, the assumption (3) holds and the second half of Theorem 4.5 holds. Namely, the value D Z 2 ≥0 in the paper [22] gives an upper bound for the first fall degree d ff . Furthermore, Perlner and Smith-Tone [26] propose a Gröbner basis algorithm that arranges polynomials arisen from the RBS dominant system with respect to a well-ordering on Z 2 ≥0 and further improves the complexity of the attack.…”

Section: Application To Multivariate Cryptographymentioning

confidence: 99%

“…For a semi-regular system, the degree of regularity D reg tightly approximates the solving degree. However, for a non-semi-regular system such as a multi-graded polynomial system, it is known that its Gröbner basis is computed within a smaller degree than the degree of regularity (for example [22]).…”

Section: Complexity Estimation For a Gröbner Basis Algorithmmentioning

confidence: 99%

“…The paper [22] experimentally shows that the solving degree of the RBS dominant system is tightly approximated by D Z 2 ≥0 in Definition 4.1 which is written as D bgd in [22]. According to [22], for the Rainbow parameters Ia and IIIc/Vc [12] proposed in NIST PQC 2nd round, the best complexities of the Rainbow-Based-Separation attack are given by D Z 2 ≥0 = 15 and 23/30, respectively. Since q = 16 and 256 for the parameter Ia and IIIc/Vc, it follows that q > D Z 2 ≥0 holds.…”

Section: Application To Multivariate Cryptographymentioning

confidence: 99%

See 3 more Smart Citations

Formal Power Series on Algebraic Cryptanalysis

Nakamura¹

2020

Preprint

Self Cite

View full text Add to dashboard Cite

In cryptography, attacks that utilize a Gröbner basis have broken several cryptosystems. The complexity of computing a Gröbner basis dominates the overall computing and its estimation is important for such cryptanalysis. The complexity is given by using the solving degree, but it is hard to decide this value of a large scale system arisen from cryptography. Thus the degree of regularity and the first fall degree are used as proxies for the solving degree based on a wealth of experiments. If a given system is semi-regular, the complexity is estimated by using the degree of regularity derived from a certain power series, otherwise, by using the first fall degree derived from a construction of a syzygy. The degree of regularity is also defined on a non-semi-regular system and is experimentally larger than the first fall degree, but those relation is not clear theoretically. Moreover, in contrast to the degree of regularity, the first fall degree has been investigated specifically for each cryptosystem and its discussion on generic systems is not given. In this paper, we show an upper bound for the first fall degree of a polynomial system over a sufficiently large field. In detail, we prove that this upper bound for a non-semi-regular system is the degree of regularity. Moreover, we prove that the upper bound for a multi-graded polynomial system is a certain value only decided by its multi-degree. Furthermore, we show that the condition for the order of a field in our results is satisfied in attacks against actual multivariate cryptosystems. Consequently, under a reasonable condition for the order of a field, we clear a relation between the first fall degree and the degree of regularity and provide a theoretical method using a multivariate power series for cryptanalysis.

show abstract

Section: Our Contributionmentioning

confidence: 87%

Section: Application To Multivariate Cryptographymentioning

confidence: 99%

Section: Complexity Estimation For a Gröbner Basis Algorithmmentioning

confidence: 99%

Section: Application To Multivariate Cryptographymentioning

confidence: 99%

See 2 more Smart Citations

Formal Power Series on Algebraic Cryptanalysis

Nakamura¹

2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the KS method, although the bi-degree has been investigated [16], each KS system always has the multi-degree, and the solving complexity is influenced by this property. In this paper, in order to approximate the solving degree of each KS system, a theoretical value defined using its multi-degree is introduced, as a natural generalization of the theoretical value defined from bi-degrees in [20]. This theoretical value is also available for the hybrid approach [4], which, after fixing some variables, solves a given system, e.g.…”

Section: Our Contributionmentioning

confidence: 99%

A New Analysis of the Kipnis-Shamir Method Solving the MinRank Problem

Nakamura

WANG

Ikematsu

2023

IEICE Trans. Fundamentals

Self Cite

View full text Add to dashboard Cite

The MinRank problem is investigated as a problem related to rank attacks in multivariate cryptography and the decoding of rank codes in coding theory. The Kipnis-Shamir method is one of the methods to solve the problem, and recently, significant progress has been made in its complexity estimation by Verbel et al. As this method reduces the problem to an MQ problem, which asks for a solution to a system of quadratic equations, its complexity depends on the solving degree of a quadratic system deduced from the method. A theoretical value introduced by Verbel et al. approximates the minimal solving degree of the quadratic systems in the method although their value is defined under a certain limit for the system considered. A quadratic system outside their limitation often has a larger solving degree, but the solving complexity is not always higher because it has a smaller number of variables and equations. Thus, in order to discuss the best complexity of the Kipnis-Shamir method, a theoretical value is needed to approximate the solving degree of each quadratic system deduced from the method. A quadratic system deduced from the Kipnis-Shamir method always has a multi-degree, and the solving complexity is influenced by this property. In this study, we introduce a theoretical value defined by such a multi-degree and show that it approximates the solving degree of each quadratic system. Thus, the systems deduced from the method are compared, and the best complexity is discussed. As an application, for the MinRank attack using the Kipnis-Shamir method against the multivariate signature scheme Rainbow, we show a case in which a deduced quadratic system outside Verbel et al.'s limitation is the best. In particular, the complexity estimation of the MinRank attack using the KS method against the Rainbow parameter sets I, III and V is reduced by about 172, 140 and 212 bits, respectively, from Verbel et al.'s estimation.

show abstract

Recent progress in the security evaluation of multivariate public‐key cryptography

Ikematsu

Nakamura

Takagi

2022

IET Information Security

Self Cite

View full text Add to dashboard Cite

Multivariate public-key cryptography (MPKC) is considered a leading candidate for postquantum cryptography (PQC). It is based on the hardness of the multivariate quadratic polynomial (MQ) problem, which is a problem of finding a solution to a system of quadratic equations over a finite field. In this paper, we survey some recent progress in the security analysis of MPKC. Among various existing multivariate schemes, the most important one is the Rainbow signature scheme proposed by Ding et al. in 2005, which was later selected as a finalist in the third round of the PQC standardization project by the National Institute of Standards and Technology. Under the circumstances, some recent research studies in MPKC have focussed on the security analysis of the Rainbow scheme. In this paper, the authors first explain efficient algorithms for solving the MQ problem and the research methodology for estimating their complexity in MPKC. Then, the authors survey some recent results related to the security analysis of the Rainbow scheme. In particular, the authors provide a detailed description of the complexity analysis for solving the bi-graded polynomial systems studied independently by Nakamura et al. and Smith-Tone et al., and then expound the rectangular MinRank attack against Rainbow proposed by Beullens.This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

show abstract

New complexity estimation on the Rainbow-Band-Separation attack

Cited by 4 publications

References 21 publications

Formal Power Series on Algebraic Cryptanalysis

Formal Power Series on Algebraic Cryptanalysis

A New Analysis of the Kipnis-Shamir Method Solving the MinRank Problem

Recent progress in the security evaluation of multivariate public‐key cryptography

Contact Info

Product

Resources

About