Attacks on signature schemes based on the FFI problem

Attacks on signature schemes based on the nite
eld isomorphism problem
Amshuman Hegde
IISER - Trivandrum
22/07/2019

Notation
We will follow the following notation -
q - a moderately sized prime

Notation
β - size parameter satisfying 1 ≤ β ≤ q/2

Notation
p - a prime much smaller than q

Notation
Fq - nite eld containing q elements

Notation
B - a closeness parameter

Notation
f (x), F(y) - irreducible polynomials in Fq [X] and Fq [Y]
respectively of degree n

Notation
X - the eld Fq [X]/ f (x)

Notation
Y - the eld Fq [Y]/ F(y)

Notation
φ - an isomorphism between X and Y

Notation
ψ = φ−1

Notation
ψ = φ−1
χβ - a distribution that produces samples with bounded length
less than β

Preliminaries: Part 1 - Signature Scheme
A signature scheme [2] is a system for securing data that
primarily consists of the following:

A security parameter(k)- chosen by the user to create keys

A message space (M) - a set of messages to which the scheme
may be applied

may be applied
A key generation algorithm (G) - to which the user can input k
to generate a pair of public and secret keys (P,S)

may be applied
A signature algorithm ( σ ) - which generates a signature
σ(M, S) for a message M and a secret key S

may be applied
A signature algorithm ( σ ) - which generates a signature
σ(M, S) for a message M and a secret key S
A verication algorithm(V) - that tests whether σ(M, S) is a
valid signature for the message M with public key P

Preliminaries: Part 2 - FFI
We now provide some background on the FFI problem.

Let k be a positive integer. Let X, Y, φ, χβ be as previously
dened. Let c1(x), c2(x), . . . , cn (x), b1(x) be samples from
χβ; and Ci (y) = φ(ci (x)) and B1 = φ(b1(x)) be the
corresponding images. Also sample B2 uniformly from Y.

Computational FFI problem : Given Y, C1(y), . . . , Cn (y),
recover f (x) and/or c1(x), . . . , cn (x).

Decisional FFI problem : Given Y, C1(y), . . . , Cn (y), B1, B2
with either B1 or B2 being an image of a sample from χβ;
identify the image with a probability greater than 1/2.

Decisional FFI problem : Given Y, C1(y), . . . , Cn (y), B1, B2
with either B1 or B2 being an image of a sample from χβ;
identify the image with a probability greater than 1/2.
We will assume henceforth that both CFFI and DFFI are
computationally hard to solve.

Preliminaries: Part 3 - Some observations
Any norm used refers to the innity norm

a(x) = a0 + a1x + . . . + an−1xn−1
is said to be short if
ai mod q q ∀ i

a(x) = a0 + a1x + . . . + an−1xn−1
ai mod q q ∀ i
The following observation requires some proof but we hold it
as evident for the purposes of this talk

a(x) = a0 + a1x + . . . + an−1xn−1
ai mod q q ∀ i
The following observation requires some proof but we hold it
as evident for the purposes of this talk
Observation : Fix 1 ≤ β ≤ q/2, and sample f (x), F(y) from
the set of all n degree monic irreducible polynomials mod q.
Then the image in Y of polynomials in X sampled from χβ is
computationally hard to distinguish from a collection of
polynomials sampled uniformly at random from Y.

Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows

It works as follows
Generate a set σ = {n, p, q, β, B} each as a function of λ and
with (p, q) = 1

It works as follows
with (p, q) = 1
Generate a nite eld isomorphism {f , F, φ, ψ}.

It works as follows
with (p, q) = 1
This is done as follows-First choose f (x) and F(y)
appropriately, this can be done fast [4]

It works as follows
with (p, q) = 1
In order to nd an appropriate isomorphism φ, we nd a root
of f (x) in Y and lift it to a polynomial, which will be the
required isomorphism. [1]

It works as follows
with (p, q) = 1
The inverse map ψ is found simply by nding a root of F(y) in
X, there are other faster methods [2]

It works as follows
with (p, q) = 1
The inverse map ψ is found simply by nding a root of F(y) in
X, there are other faster methods [2]
Generate short polynomials a(x), b(x) in Fq [x] with
coecients bounded by β

It works as follows
with (p, q) = 1
Generate short polynomials a(x), b(x) in Fq [x] with
coecients bounded by β
Compute h(x) = (pa(x))−1
b(x)(modf (x))

Compute H(y) = h(φ(y)), image of h(x) in Y

Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)

We use an invertible matrix U ∈ GLn (Fq ) and the relation
U





c1(x)
c2(x)
...
cn (x)





≡





x
x2
...
xn





(mod q, f (x))
where all the elements are bounded by β.

U





c1(x)
c2(x)
...
cn (x)





≡





x
x2
...
xn





(mod q, f (x))
Compute the images C1(y), C2(y), . . . Cn (y) of
c1(x), c2(x), . . . cn (x) in Y

U





c1(x)
c2(x)
...
cn (x)





≡





x
x2
...
xn





(mod q, f (x))
Compute the images C1(y), C2(y), . . . Cn (y) of
c1(x), c2(x), . . . cn (x) in Y
Output the signing key sk and verication key pk as follows
pk = {σ, F(y), H(y), C1(y), C2(y), . . . Cn (y)}
sk = {σ, f (x), φ, ψ, U, a(x), b(x), c1(x), c2(x), . . . cn (x)}

SIGN(µ, sk) → σ, this takes the message µ
and the secret key sk as input and outputs the signature

We rst hash the message and public key to form a pair of
n-dimensional mod p vectors
Hash(µ, pk) = (δ, ) = (δ1, . . . , δn , 1, . . . , n )

Hash(µ, pk) = (δ, ) = (δ1, . . . , δn , 1, . . . , n )
Now we generate (δ, ) as follows
δ ≡ δ mod p, ||δ|| ≤ q
2
− B
≡ mod p, || || ≤ q
2
− B and with the property that the
polynomials
s(x) =
n
i =1
δi ci (x)andt(x) =
n
i =1
i ci (x) (0.1)
satisfy the relation
s(x)h(x) ≡ t(x) (mod q, f (x))

Hash(µ, pk) = (δ, ) = (δ1, . . . , δn , 1, . . . , n )
Now we generate (δ, ) as follows
δ ≡ δ mod p, ||δ|| ≤ q
2
− B
≡ mod p, || || ≤ q
2
− B and with the property that the
polynomials
s(x) =
n
i =1
δi ci (x)andt(x) =
n
i =1
i ci (x) (0.1)
satisfy the relation
s(x)h(x) ≡ t(x) (mod q, f (x))
Finally output the signature pair σ = (δ, )

A long short-cut
Before looking at the next algorithm of the scheme we take a
detour through the construction of the signature as this will be
paramount to our attack.
We know that the signature's structure is determined by (0.1),
in order to increase security the polynomials are written as
follows -
s(x) = s0(x) + u(x), t(x) = t0(x) + v(x) (0.2)
where, s0(x) = n
j =1
δ
(0)
j
cj (x) and t0(x) = n
j =1
η
(0)
j
cj (x)
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x)

A long short-cut
Before looking at the next algorithm of the scheme we take a
detour through the construction of the signature as this will be
paramount to our attack.
We know that the signature's structure is determined by (0.1),
in order to increase security the polynomials are written as
follows -
s(x) = s0(x) + u(x), t(x) = t0(x) + v(x) (0.2)
where, s0(x) = n
j =1
δ
(0)
j
cj (x) and t0(x) = n
j =1
η
(0)
j
cj (x)
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x)
Now we provide an algorithm ( AL1 ) to nd the coecients
of s0(x), t0(x)

A long short-cut : AL1
For j = 1, . . . , n, choose δ
(0)
j
randomly such that
|δ
(0)
j
| q
2
− B, δ
(0)
j
≡ δj ( mod p)

(0)
j
randomly such that
|δ
(0)
j
| q
2
− B, δ
(0)
j
≡ δj ( mod p)
Dene t0(x) ≡ s0(x)h(x) mod( q, f (x)), where s0(x) is
dened as previously mentioned

(0)
j
randomly such that
|δ
(0)
j
| q
2
− B, δ
(0)
j
≡ δj ( mod p)
Rewrite t0(x) = n
j =1
ηj cj (x), where
−q
2
≤ ηj ≤ q
2
∀j = 1, . . . n.
If all ηj ∈ (−q
2
+ B, q
2
− B], then we are nished; else return to
the previous steps and choose another set of random δ
(0)
j
's.

(0)
j
randomly such that
|δ
(0)
j
| q
2
− B, δ
(0)
j
≡ δj ( mod p)
Rewrite t0(x) = n
j =1
ηj cj (x), where
−q
2
≤ ηj ≤ q
2
∀j = 1, . . . n.
If all ηj ∈ (−q
2
+ B, q
2
− B], then we are nished; else return to
the previous steps and choose another set of random δ
(0)
j
's.
It has been shown that this algorithm has a high conclusion
rate for appropriately chosen parameters [3]

A long short-cut
We must now construct u(x), v(x) appropriately, i.e
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
+ ηj ≡ j mod p ∀ j = 1, . . . , n, with all
coecients bounded by B.
We will provide the method only for u(x) since this is not
important to our attack and the method for v(x) is similar.

A long short-cut
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
Construct a short polynomial r(x) ∈ Fq [x], and set
u(x) = pr(x)a(x), v(x) = r(x)b(x)

A long short-cut
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
u(x) = pr(x)a(x), v(x) = r(x)b(x)
Write r(x)a(x) = n
1
di xi
, note that these di 's are short.
Then, since pr(x)a(x) = n
j =1
δ
(u)
j
cj (x), (δ
(u)
1
, . . . , δ
(u)
1
) =
p(d1, . . . , dn )U.

A long short-cut
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
u(x) = pr(x)a(x), v(x) = r(x)b(x)
Write r(x)a(x) = n
1
di xi
j =1
δ
(u)
j
cj (x), (δ
(u)
1
, . . . , δ
(u)
1
) =
p(d1, . . . , dn )U.
Since all the terms involved are suciently short, we will have
|δ
(u)
j
| B and δ
(u)
j
≡ 0 mod p ∀j = 1, . . . , n. If not, simply
contruct another r(x) until this happens.

A long short-cut
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
u(x) = pr(x)a(x), v(x) = r(x)b(x)
Write r(x)a(x) = n
1
di xi
j =1
δ
(u)
j
cj (x), (δ
(u)
1
, . . . , δ
(u)
1
) =
p(d1, . . . , dn )U.
|δ
(u)
j
| B and δ
(u)
j
Note that this method converges for the same reason that AL1
converges.

A long short-cut
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
u(x) = pr(x)a(x), v(x) = r(x)b(x)
Write r(x)a(x) = n
1
di xi
j =1
δ
(u)
j
cj (x), (δ
(u)
1
, . . . , δ
(u)
1
) =
p(d1, . . . , dn )U.
|δ
(u)
j
| B and δ
(u)
j
Note that this method converges for the same reason that AL1
converges.
Hence we have constructed the required signature (δ, )

Our chosen scheme
We now return to our initial scheme to outline the VERIFY
algorithm.

Our chosen scheme
algorithm.
VERIFY(µ, σ, pk) → ACCEPT/REJECT, the algorithm
takes the message µ, signature σ and public key pk to check
the validity of the signature being provided.

Our chosen scheme
algorithm.
First Hash(µ, pk) = (α, τ) is computed.

Our chosen scheme
algorithm.
Then the following three conditions are checked-
α ≡ α ( mod p) , ||α|| ≤ q
2
− B
τ ≡ τ ( mod p) , ||τ|| ≤ q
2
− B
( n
1
αi Ci (y))H(y) = n
1
τi Ci (y) in Y

Our chosen scheme
algorithm.
Then the following three conditions are checked-
α ≡ α ( mod p) , ||α|| ≤ q
2
− B
τ ≡ τ ( mod p) , ||τ|| ≤ q
2
− B
( n
1
αi Ci (y))H(y) = n
1
τi Ci (y) in Y
If all the three conditions are met the algorithm outputs
ACCEPT, else the output is REJECT

Our attack on the signature scheme
Our point of attack is the signature that the scheme generates.

Specically we want to be able to forge any signature
σ = (δ, ) without any knowledge of the private key sk.

Our method centres around the reconstruction of s(x), t(x)
using only the public key pk.

Recall that s(x) = s0(x) + u(x), t(x) = t0(x) + v(x). We rst
give a method to retrieve s0(x), t0(x).

First we note the following relations that follow trivially
φ(s0(x)) = n
1
δ
(0)
j
Cj (y)
φ(t0(x)) = φ(s0(x))H(y) mod( q, F(y) )
φ(t0(x)) = n
1
ηj Cj (y),
with the coecients satisying the same inequalities.

First we note the following relations that follow trivially
φ(s0(x)) = n
1
δ
(0)
j
Cj (y)
φ(t0(x)) = φ(s0(x))H(y) mod( q, F(y) )
φ(t0(x)) = n
1
ηj Cj (y),
with the coecients satisying the same inequalities.
We will now outline an algorithm to nd these coecients:

Attack on signature scheme : Algorithm to nd coecients
Step 1: For j = 1, . . . , n. Randomly choose δ
(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).

(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).
Step 2: Use the above relations to nd φ(t0(x)), and write it
as φ(t0(x)) = n
1
ti yi
(mod q, F(y))

(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).
as φ(t0(x)) = n
1
ti yi
(mod q, F(y))
Step 3: Rewrite φ(t0(x)) in terms of C1(y), . . . , Cn (y), say
φ(t0(x)) = n
1
ηj Cj (y) where −q
2
≤ ηj ≤ q
2
.

(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).
as φ(t0(x)) = n
1
ti yi
(mod q, F(y))
φ(t0(x)) = n
1
2
≤ ηj ≤ q
2
.
Step 4: If all ηj lie in the interval (−q
2
+ B, q
2
− B] we are
done. Else, go back to Step 1 and pick another set of δ
(0)
j
's.

(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).
as φ(t0(x)) = n
1
ti yi
(mod q, F(y))
φ(t0(x)) = n
1
2
≤ ηj ≤ q
2
.
Step 4: If all ηj lie in the interval (−q
2
+ B, q
2
− B] we are
done. Else, go back to Step 1 and pick another set of δ
(0)
j
's.
Note that this algorithm converges at a high rate for similar
conditions as AL1 [3] Since we are working in a eld
isomorphic to the one in which AL1 was applied, the requisite
conditions remain the same and our algorithm also converges
with high probability.

Attack on signature scheme
Now that s0(x), t0(x) are found, it only remains to nd
u(x), v(x)

u(x), v(x)
Before we give an algorithm u(x), v(x), we write down some
relations between the two polynomials.

u(x), v(x)
Note that u(x) = pr(x)a(x), v(x) = r(x)b(x).
u(x)h(x) = pr(x)a(x)[pa(x)]−1
b(x)
= r(x)b(x)
= v(x)
u(x)h(x) = v(x)
φ(u(x))H(y) = φ(v(x))

u(x), v(x)
Note that u(x) = pr(x)a(x), v(x) = r(x)b(x).
u(x)h(x) = pr(x)a(x)[pa(x)]−1
b(x)
= r(x)b(x)
= v(x)
u(x)h(x) = v(x)
φ(u(x))H(y) = φ(v(x))
Now we have a relation between u(x) and v(x), we can write
this explicitly as follows :
(
n
1
δ
(u)
j
Cj (y))H(y) =
n
1
δ
(v )
j
Cj (y) (0.3)

Attack on signature scheme : AL2
We now give AL2- an algorithm to nd u(x), v(x). Note that
we can start with either one, for convenience we start with
u(x).

u(x).
Step 1: Randomly choose (δ
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).

u(x).
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).
Step 2: Substitute the values of δ
(u)
j
in (0.3) and read o the
coecients of φ(v(x)) after changing basis to
C1(y), . . . , Cn (y)

u(x).
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).
(u)
j
C1(y), . . . , Cn (y)
Step 3: If |δ
(v )
j
| B and δ
(v )
j
+ ηj ≡ j (mod p) for all j, we
are done. Else go back to Step 1 and choose another set of
values.

u(x).
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).
(u)
j
C1(y), . . . , Cn (y)
Step 3: If |δ
(v )
j
| B and δ
(v )
j
values.
Note that this algorithm converges with a high probability for
appropriately chosen parameters, i.e if |B − pK
√
n| ∼ 0 where
K = max|aij |, aij are entries in the matrix U. [3]
We expect however that it will also converge for a wider range
of parameters, since we have a convergence probability of
∼ 0.835 for toy examples.

Therefore we have successfully forged the signature σ = (δ, )
with no prior knowledge of the secret key sk.

Therefore we have successfully forged the signature σ = (δ, )
with no prior knowledge of the secret key sk.
Hence we can construct an appropriate message µ, sign it with
a forged signature σ and the recepient cannot know the
dierence.

Future directions
The FFI problem's hardness has not been classied yet and it
appears to have a worst to average case reduction [3]

Future directions
The scheme used as the example here can be modied to be
secure against this attack

Future directions
The scheme has also not been implemented yet

Future directions
The scheme has also not been implemented yet
Schemes based on FFI appear to have the property of
homomorphic encryption [1] and this is precisely what our
attack relies on, the connection between homomorphic
encryption and susceptibility to this sort of attack can be
further explored.

References
Doröz, Y., Hostein, J., Pipher, J., Silverman, J. H., Sunar, B.,
Whyte, W., Zhang, Z. (2018, March). Fully homomorphic
encryption from the nite eld isomorphism problem. In IACR
International Workshop on Public Key Cryptography (pp.
125-155). Springer, Cham.
Goldwasser, S., Micali, S., Rivest, R. L. (1988). A digital
signature scheme secure against adaptive chosen-message
attacks. SIAM Journal on Computing, 17(2), 281-308..
Hostein, J., Silverman, J. H., Whyte, W., Zhang, Z.
(2018). A signature scheme from the nite eld isomorphism
problem. IACR Cryptology ePrint Archive, 2018, 675.
Couveignes, J. M., Lercier, R. (2013). Fast construction of
irreducible polynomials over nite elds. Israel Journal of
Mathematics, 194(1), 77-105.

References
Lenstra, H. W. (1991). Finding isomorphisms between nite
elds.
Brieulle, L., De Feo, L., Doliskani, J., Flori, J. P., Schost, É.
(2019). Computing isomorphisms and embeddings of nite
elds. Mathematics of Computation, 88(317), 1391-1426.
Hostein, J., Pipher, J., Schanck, J. M., Silverman, J. H.,
Whyte, W. (2014, October). Transcript secure signatures based
on modular lattices. In International Workshop on
Post-Quantum Cryptography (pp. 142-159). Springer, Cham.

Attacks on signature schemes based on the FFI problem

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Attacks on signature schemes based on the FFI problem

Similar to Attacks on signature schemes based on the FFI problem (20)

Recently uploaded

Recently uploaded (20)

Attacks on signature schemes based on the FFI problem