A message recovery attack on multivariate polynomial trapdoor function

Cybersecurity aims to guarantee the secure exchange of information over a public channel: data must be kept from unauthorized parties and delivered to the intended parties with confidentiality and integrity. In this work, we mount an attack on a cryptosystem based on a multivariate polynomial trapdoor function over the field of rational numbers Q. The developers claim that the security of their scheme rests on the fact that a polynomial system of 2n equations in 3n unknowns (n a natural number), constructed by quasigroup string transformations, has infinitely many solutions, so that the exact solution cannot be found. We show that the proposed trapdoor function is vulnerable to a Gröbner basis attack: selected polynomials in the corresponding Gröbner basis can be used to recover the plaintext for a given ciphertext without knowledge of the secret key.


INTRODUCTION
The 21st century is the century of information and technology. Because of the advances in information technology, secure communication has become one of the most challenging tasks, and public key cryptography plays a vital role in it. The security of most public key cryptosystems in use is based on the intractability of certain mathematical problems that are believed to be hard. For instance, the security of RSA (Rivest, Shamir & Adleman, 1978) relies on the difficulty of the integer factorization problem (IFP), and ElGamal (1985) is based on the hardness of the discrete logarithm problem (DLP). Both problems can be solved on a quantum computer using Shor's algorithm (Shor, 1997). Multivariate public key cryptography is believed to be a good alternative in the post-quantum era, offering both security and efficiency. The security of multivariate public key cryptosystems (MPKCs) relies on the difficulty of solving a system of multivariate polynomial equations (Ding & Yang, 2009) or of the isomorphism of polynomials problem (Tang & Xu, 2012). In this context, several MPKCs were designed, e.g., the Matsumoto-Imai multivariate quadratic scheme (Matsumoto & Imai, 1988), the Hidden Field Equations method (Patarin, 1996) and the Oil and Vinegar scheme (Patarin, 1997). However, almost all of these schemes have been broken by various attacks (Courtois, 2001; Faugère & Joux, 2003; Patarin, 1995). A survey of these schemes was written by Wolf & Preneel (2005). Markovski, Mileva & Dimitrova (2014) introduced a new multivariate polynomial trapdoor over the field of rational numbers.
Algebraic attacks (Faugère & Joux, 2003; Kreuzer, 2009) can be roughly divided into two categories. The first consists of attacks that target a specific variety of scheme and break it because of its particular properties, e.g., the Kipnis & Shamir (1998) attack against Oil and Vinegar. The second comprises algorithms for solving general systems of multivariate polynomial equations; examples include the XL algorithm (Courtois et al., 2000) and the relinearization technique (Kipnis & Shamir, 1999). Buchberger (1965) laid the foundation of modern computational algebra by introducing Gröbner bases to address the problem of solving algebraic systems of multivariate polynomial equations, and the Gröbner basis method is a general and well established technique for this purpose (Buchberger, 1976). For applications of Gröbner bases we refer to Buchberger & Winkler (1998), Buchberger (n.d.) and Francis & Ambedkar (2018); for the theory and computation of Gröbner bases we refer to the comprehensive books on computational algebra by Cox, Little & O'Shea (1998) and Kreuzer & Robbiano (2000). Buchberger's algorithm turns out to be a very useful tool for mounting an algebraic attack on a multivariate cryptosystem.
In this article, we present a cryptanalysis of the multivariate polynomial trapdoor function of Markovski, Mileva & Dimitrova (2014) over the field of rational numbers. The authors claimed that, because the scheme is based on 2n multivariate polynomial equations in 3n unknowns, the associated system has infinitely many solutions and hence defeats algebraic attacks. Our cryptanalysis shows that the scheme is nevertheless vulnerable to a Gröbner basis attack on the associated system of multivariate polynomial equations.
The rest of the article is organised as follows: 'The Multivariate Cryptosystem SBIM(Q)' gives a brief description of the proposed scheme along with the necessary notation and definitions; 'Cryptanalysis' presents our attack and illustrates it on the example given in Markovski, Mileva & Dimitrova (2014) and on instances with n = 4; 'Complexity Analysis' discusses the cost of the attack.

THE MULTIVARIATE CRYPTOSYSTEM SBIM(Q)
The trapdoor function under consideration uses multivariate polynomials, usually quadratic, over Q, the field of rational numbers. The public key consists of 2n multivariate polynomials in the 3n unknowns r_1,...,r_n, s_1,...,s_2n. The variables r_i (i = 1,...,n) carry the information content, whereas the variables s_i (i = 1,...,2n) carry redundant information that is added for security. So, if a plaintext of n rational numbers is encrypted, the ciphertext consists of 2n rational numbers. The public key is constructed by quasigroup string transformations, which are obtained from quasigroups represented in matrix form. The private key comprises several 1 × n and n × n matrices over the field of rational numbers and one 2n × 2n matrix.
Recall that a groupoid (G, f) is a quasigroup if for all a, b ∈ G the equations f(a, x) = b and f(y, a) = b each have a unique solution x, y ∈ G, that is, every element has a unique left and right inverse with respect to the binary operation f. The binary operation f : G × G → G is then called a quasigroup bipermutation. From the binary operation f on the quasigroup G we can derive two new quasigroup bipermutations f^(23) and f^(13), the parastrophes of f, given by f^(23)(a, c) = b and f^(13)(c, b) = a whenever f(a, b) = c, as follows: The next theorem gives a way to construct quasigroup bipermutations from matrices over a field F. Theorem 2.1 (Markovski, Mileva & Dimitrova, 2014). Let A and B be two nonsingular square matrices of order m over a field F, and let C be a row vector (1 × m matrix) over F. Then the following mapping is a quasigroup bipermutation on F^m:
where r_i, s_i ∈ F. The new quasigroup bipermutations f^(13) and f^(23) are then defined as follows: Note that, instead of the field elements r_i, s_i ∈ F, we can use polynomials X_i and r_i over F as inputs to the mapping f; the output f(X_1,...,X_n; r_1,...,r_n) is then again a tuple of polynomials.

Construction
In this section we describe the construction of the trapdoor multivariate public key cryptosystem of Markovski, Mileva & Dimitrova (2014). From now on the field F is Q, the field of rational numbers. A positive integer n is the parameter of the scheme, and the main global parameter is a multivariate polynomial ring in 3n indeterminates over Q. The construction consists of three algorithms, key generation, encryption and the corresponding decryption, described in the following subsections. The message space is the set of all n-tuples (a_1,...,a_n) ∈ Q^n.

Key generation
The key generation process comprises the following steps:
1. Choosing Polynomials: Let r_1,...,r_n, s_1,...,s_2n denote the variables over Q. Choose n multivariate polynomials P_1,...,P_n over Q in the n variables r_1,...,r_n such that the system of equations
P_1(r_1,...,r_n) = b_1, ..., P_n(r_1,...,r_n) = b_n (3)
has a unique solution r_1 = a_1, ..., r_n = a_n with a_i ∈ R for every choice of b_1,...,b_n ∈ Q. Here R denotes the field of real numbers. Next, choose n more multivariate polynomials P_{n+1},...,P_2n over Q in the variables r_1,...,r_n, s_1,...,s_2n.

2. Applying Transformations: First choose a random permutation τ on the set {1,2,...,2n} and apply it to the P_i to obtain the new polynomials X_i = P_τ(i) for all i ∈ {1,2,...,2n}. Use these polynomials to define the vectors x = (X_1,...,X_n) and y = (X_{n+1},...,X_2n). Now a t-transformation and a t′-transformation are applied to obtain new polynomials as follows:
(a) t-transformation: Choose a random vector l_1 = (l_11,...,l_1n) ∈ Q^n, called a leader, and define two quasigroup bipermutations f_1 and f_2 by randomly choosing nonsingular n × n matrices M_i, N_i (i = 1,2) as follows: Set x′ = f_1(l_1; x) and y′ = f_2(x′; y).
(b) t′-transformation: Use the vector y′ and another random leader l_2 = (l_21,...,l_2n) ∈ Q^n to define two new quasigroup bipermutations f_3 and f_4 by randomly choosing nonsingular n × n matrices M_i, N_i (i = 3,4) as follows: Set y″ = f_3(y′; l_2) and x″ = f_4(x′; y″).
These two transformations, one t- and one t′-transformation, are mandatory. Continuing in this way, further pairs of t- and t′-transformations can be defined from y″ and x″ by choosing new leaders l_i ∈ Q^n and random nonsingular n × n matrices M_i, N_i in the same way as in Eqs. (4) and (5).
3. The Public Key: Let the integer s ≥ 0 be the number of additional transformations applied. The last transformation was accomplished by a randomly chosen leader l_{2+s} and quasigroup bipermutations f_{3+s} and f_{4+s} applied to some n-tuples v and w of multivariate polynomials. If the last applied transformation was a t-transformation, write f_{3+s}(l_{2+s}; v) =: (A_1,...,A_n) and f_{4+s}((A_1,...,A_n); w) =: (A_{n+1},...,A_2n); if it was a t′-transformation, let f_{3+s}(w; l_{2+s}) =: (A_1,...,A_n) and f_{4+s}(v; (A_1,...,A_n)) =: (A_{n+1},...,A_2n). Finally, choose a random nonsingular 2n × 2n matrix R over Q and compute the public key, a new set of 2n polynomials, as (Z_1,...,Z_2n) = (A_1,...,A_2n) · R.
Clearly, each Z_i = Z_i(r_1,...,r_n, s_1,...,s_2n) is a multivariate polynomial in the 3n variables.
4. The Private Key: The permutation τ, all the leaders l_i and all the matrices M_i, N_i and R used to generate the public key constitute the private key. We remark that the leaders and matrices need not all be different, but there must be at least two different leaders and at least four different matrices for defining the bipermutations.

Encryption
To encrypt a message M = (a_1,...,a_n) ∈ Q^n, first choose 2n random rational numbers b_1,...,b_2n and then evaluate all public polynomials Z_i at r_j = a_j (j = 1,...,n) and s_k = b_k (k = 1,...,2n) to compute the ciphertext c = (c_1,...,c_2n). That is, the components of the ciphertext c are the rational numbers computed as follows:

Decryption
To decrypt a ciphertext c = (c_1,...,c_2n), the receiver first computes the inverse of the private matrix R, obtains the 2n-tuple (e_1,...,e_2n) = (c_1,...,c_2n) · R^{-1} and splits it into two halves C_1 = (e_1,...,e_n) and C_2 = (e_{n+1},...,e_2n). Depending on how the public polynomials were obtained, the receiver then applies either a u- or a u′-transformation to undo the effect of the t- and t′-transformations:
1. u-transformation: If the last transformation was a t-transformation defined by a leader l_{2+s} and bipermutations f_{3+s} and f_{4+s}, then the receiver applies a u-transformation defined by the parastrophes f^(23)_{3+s} and f^(23)_{4+s} to obtain M_1, M_2 ∈ Q^n as follows:
2. u′-transformation: If the last transformation was a t′-transformation defined by a leader l_{2+s} and bipermutations f_{3+s} and f_{4+s}, then the receiver applies a u′-transformation defined by the parastrophes f^(13)_{3+s} and f^(13)_{4+s} to obtain
Note that the u- and u′-transformations have to be applied in reverse order (from the last transformation back to the first). After each application we obtain n-tuples of rational numbers, and in the end, instead of the polynomial tuples x and y, we get the n-tuples of rational numbers p = (p_1,...,p_n) and q = (p_{n+1},...,p_2n). Finally, the inverse permutation τ^{-1} is applied to (p_1, p_2,...,p_2n) to get
Substitute the values b_1,...,b_n into the system Eq. (3) to obtain a polynomial system of n equations in n unknowns, and solve it to get the required message M = (a_1,...,a_n) ∈ Q^n.
Remark 2.2.The trapdoor function described above takes plaintext in the form of n−tuple of rational numbers as input and returns the corresponding ciphertext in the form of 2n−tuple of rational numbers as output.For the further details we refer to Markovski, Mileva & Dimitrova (2014).

CRYPTANALYSIS
The underlying hard problem of the multivariate trapdoor cryptosystem described above is that a polynomial system of 2n equations in 3n unknowns has infinitely many solutions, so that finding the exact solution is claimed to be impossible. For a given ciphertext (c_1,...,c_2n) the attacker can form the following system from the public key polynomials Z_1,...,Z_2n:
The authors claim that, if the public key is produced by choosing suitable polynomials, the above system (Eq. (7)) has infinitely many solutions for the unknowns r_1,...,r_n and s_1,...,s_2n, so that an attacker cannot find the actual plaintext in this way. They suggested that with quadratic polynomials and n = 4 a sufficiently secure key can be generated. Here we try different attacks to check its security. First, the private key consists of several matrices over the field of rational numbers and certain quasigroup bipermutations, so the key space is infinite and a brute force attack is not possible even if the degree of the polynomials is known. Before we introduce the Gröbner basis attack on this trapdoor function, note that an attacker is not interested in all 3n unknowns: to recover the message M = (a_1,...,a_n) only the values of the unknowns r_i (i = 1,...,n) carrying the information are needed. That is, to recover the message we do not have to solve the entire system of 2n equations in 3n unknowns.
The Gröbner basis method is based on Buchberger's algorithm (Buchberger, 1965), which computes a Gröbner basis G of the ideal I generated by the polynomials of the system to be solved. Let F be a field and let I ⊂ F[r_1,...,r_n] be the ideal generated by polynomials f_1,...,f_v ∈ F[r_1,...,r_n]. A finite set G = {g_1,...,g_k} ⊂ I is a Gröbner basis of I with respect to a monomial ordering ≺ if the ideal generated by the leading terms of the elements of G equals the ideal generated by the leading terms of all elements of I. For a given monomial ordering, every ideal has a Gröbner basis (for details, see Cox, Little & O'Shea, 1998; Kreuzer & Robbiano, 2000).

THE ATTACK MODEL
As stated earlier, the attacker is not interested in the infinitely many solutions of the system of 2n polynomial equations in 3n unknowns. One can exploit the structure of the multivariate cryptosystem presented in Construction 2.1 to mount a Gröbner basis attack by extracting, from the resulting Gröbner basis, a system of n polynomials depending only on the n unknowns r_1,...,r_n.
Attack 3.1.
Step 1. Given the public key (Z_1,...,Z_2n) and a ciphertext (c_1,...,c_2n), form the ideal I = ⟨Z_1 − c_1, ..., Z_2n − c_2n⟩ of Q[r_1,...,r_n, s_1,...,s_2n] generated by the polynomials of the system Eq. (7).
Step 2. Compute the reduced Gröbner basis G of I with respect to a monomial ordering.
Step 3. Identify the polynomials G_1,...,G_n ∈ G depending only on the variables r_1,...,r_n, that is, G_i = g_j for some g_j ∈ G with g_j ∈ Q[r_1,...,r_n].
Step 4. Solve the polynomial system of n equations {G_1 = 0, ..., G_n = 0} for r_1,...,r_n to recover the message M.
Note that the success of Attack 3.1 depends on Step 2, the Gröbner basis computation. We have already noticed that the public polynomials are, up to additive constants, Q-linear combinations of the 2n secret polynomials P_1,...,P_2n, n of which depend only on the variables r_1,...,r_n: the quasigroup bipermutations of Theorem 2.1 and the final multiplication by R are affine in their inputs and never multiply two polynomials together. Consequently the ideal I contains the polynomials P_i − P_i(a_1,...,a_n), i = 1,...,n, which lie in Q[r_1,...,r_n], and the resulting Gröbner basis contains polynomials depending only on these variables (for an elimination ordering in which the s_j are larger than the r_i this is guaranteed by the elimination theorem; cf. 'Complexity Analysis').
We now illustrate Attack 3.1 by mounting it first on the instance of the cryptosystem for n = 2 given in Markovski, Mileva & Dimitrova (2014, Section 4) and then on the case n = 4.
Example 3.2. Using the notation of Section 2, we use the information presented in the encryption example of Markovski, Mileva & Dimitrova (2014) to mount the attack as follows. Here n = 2, and the public key consists of the following 4 polynomials Z_1,...,Z_4 in the 3n = 6 unknowns r_1, r_2, s_1, s_2, s_3, s_4:
This public key has been produced by the key generation process of Section 'Key generation' with the following polynomials: For the construction, the random permutation is taken as τ = (3,2,1,4), and the secret matrices involved in the transformations of Eqs. (4) and (5) are chosen as: The leaders involved are l_1 = (−1, 1) and l_2 = (2, −1). Finally, the invertible matrix R of order 4 is:
To mount the Gröbner basis attack, let I be the ideal generated by the polynomials of the above system of multivariate polynomial equations.
We use the computer algebra system ApCoCoA (ApCoCoA Team, 2023) and the code given in Appendix A to compute the reduced Gröbner basis G of the ideal I. The set G is found to contain the following four polynomials: Recall that the variables r_i carry the information about the original message while the s_i are the redundant variables. In the computed Gröbner basis we are only interested in the polynomials F_1 and F_4, which involve only the two required unknowns r_1 and r_2. Solving F_1 = 0 and F_4 = 0 simultaneously, the only real solution of F_4 = 0 is r_2 = 1, and F_1 = 0 then gives r_1 = 1. This shows that the plaintext M = (r_1, r_2) = (1, 1) has been recovered without using the private key.
Remark 3.3. All computations are performed in the computer algebra system ApCoCoA (ApCoCoA Team, 2023). For this purpose the Key Generation Algorithm 2.2 and the Encryption Algorithm 2.3 are implemented in ApCoCoA as given in Appendix A. The validity of the findings follows from the fact that our code generates the same public polynomials Z_1, Z_2, Z_3, Z_4 and the same ciphertext C = (c_1, c_2, c_3, c_4) as given in Markovski, Mileva & Dimitrova (2014). The reduced Gröbner basis of the ideal I has been computed with the built-in function ReducedGBasis(I) of ApCoCoA (ApCoCoA Team, 2023).
Example 3.4. To mount Attack 3.1 on an instance with n = 4, let I = ⟨Z_1 − c_1, Z_2 − c_2, ..., Z_8 − c_8⟩ be the ideal generated by the polynomials of the above system of multivariate polynomial equations. Using ApCoCoA (ApCoCoA Team, 2023), the reduced Gröbner basis G of the ideal I is computed. It contains a total of 34 multivariate polynomials, of which the following five depend only on the variables of interest r_1,...,r_4: To recover the message M ∈ Q^4, solve the system Label the variables r_1, r_2, r_3 and r_4 by x, y, z and w respectively and use the online polynomial system solver by Wolfram (available at https://www.wolframalpha.com/calculators/equation-solver-calculator). The only rational solution of the polynomial system Eq. (8) is given below: Hence the message M = (15, 10, 2, 3) is successfully recovered by mounting the attack.
Remark 3.5. We have observed that the proposed cryptosystem is vulnerable to the Gröbner basis attack. The weakest part of its construction is that the quasigroup bipermutations used to produce the public key are affine in the polynomials they transform: polynomials are scaled by rational constants and added, never multiplied with each other. Hence the public polynomials Z_1,...,Z_2n are, up to constants, invertible Q-linear combinations of the starting polynomials P_1,...,P_2n, and for a ciphertext (c_1,...,c_2n) of the message (a_1,...,a_n) with randomizers (b_1,...,b_2n) the ideal ⟨Z_i − c_i⟩ equals the ideal generated by the polynomials P_i − P_i(a_1,...,a_n, b_1,...,b_2n), i = 1,...,2n. The first n of these generators lie in Q[r_1,...,r_n], so the Gröbner basis contains polynomials in the informative variables alone, exactly as the starting polynomials did; solving these recovers the plaintext. The main cost of this attack is the Gröbner basis computation.
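The following Python script is an added example and is not code from the paper or from Markovski, Mileva & Dimitrova (the ApCoCoA code of Appendix A is not reproduced here). It builds a toy SBIM(Q) instance for n = 2 by following the key generation and encryption steps of Section 'Construction', with fixed, constructed matrices, leaders, message and randomizers, and assumes that the bipermutation of Theorem 2.1 has the affine form f(u; v) = uA + vB + C. It then exhibits the leak described in Remark 3.5 directly: because every transformation and the final matrix R are affine in the polynomials, Z − c = (X − X(a, b)) · T for an invertible rational matrix T, so the Q-span of the Z_i − c_i already contains P_i − P_i(a) for i ≤ n. Those polynomials are extracted here by Gaussian elimination over Q (the constant-coefficient slice of the elimination ideal I ∩ Q[r_1, r_2]) rather than by Buchberger's algorithm, which is what Attack 3.1 uses in general; solving the recovered n-variable system (Step 4) is left to a solver, as in Example 3.2.

```python
"""Toy SBIM(Q) instance (n = 2) and the structural leak behind Attack 3.1.  Polynomials
over Q are dicts {exponent tuple: Fraction} in the 3n variables (r_1..r_n, s_1..s_2n).
All matrices, leaders, message and randomizers are constructed toy values; f = uA+vB+C."""
from fractions import Fraction as Fr
from math import prod

N = 2                  # scheme parameter n: r_i are indices 0..N-1, s_i are N..3N-1
NV = 3 * N
ZERO = (0,) * NV

def mono(*exps):       # exponent tuple of a monomial, zero-padded to all 3n variables
    return tuple(exps) + (0,) * (NV - len(exps))

def const(c):
    return {ZERO: Fr(c)} if c else {}

def add(p, q):
    out = dict(p)
    for m, c in q.items():
        out[m] = out.get(m, 0) + c
    return {m: v for m, v in out.items() if v}

def lin_comb(polys, coeffs):
    out = {}
    for p, c in zip(polys, coeffs):
        out = add(out, {m: Fr(c) * v for m, v in p.items()} if c else {})
    return out

def evaluate(p, point):
    return sum(c * prod(Fr(x) ** e for x, e in zip(point, m)) for m, c in p.items())

def vec_mat(u, A):     # row vector of polynomials times a rational matrix
    return [lin_comb(u, [A[i][j] for i in range(len(u))]) for j in range(len(A[0]))]

def biperm(u, v, A, B, C):
    """Bipermutation of Theorem 2.1 on polynomial vectors: uA + vB + C, affine in its inputs."""
    return [add(add(a, b), const(c)) for a, b, c in zip(vec_mat(u, A), vec_mat(v, B), C)]

def keygen():
    """Key generation of the Construction for n = 2; returns the public key (Z_1..Z_4)."""
    # Step 1: P_1, P_2 in r_1, r_2 only, with a unique real solution for every (b_1, b_2).
    P = [{mono(3, 0): Fr(1)},                                                  # P_1 = r_1^3
         {mono(1, 0): Fr(1), mono(0, 1): Fr(1)},                               # P_2 = r_1 + r_2
         {mono(1, 0, 1): Fr(1), mono(0, 0, 0, 2): Fr(1), mono(0, 1): Fr(1)},   # P_3 = r_1 s_1 + s_2^2 + r_2
         {mono(0, 0, 0, 0, 1, 1): Fr(1), mono(0, 1, 1): Fr(1), mono(0, 0, 0, 1): Fr(1)}]  # P_4 = s_3 s_4 + r_2 s_1 + s_2
    X = [P[i] for i in (2, 0, 3, 1)]         # Step 2: X_i = P_tau(i), tau = (3, 1, 4, 2)
    x, y = X[:N], X[N:]
    l1, l2 = [const(-1), const(1)], [const(2), const(-1)]          # leaders
    # every 2x2 matrix below has determinant 1, hence is nonsingular
    x1 = biperm(l1, x, [[1, 2], [1, 3]], [[2, 1], [1, 1]], [1, 0])  # t:  x'  = f_1(l_1; x)
    y1 = biperm(x1, y, [[1, 1], [0, 1]], [[3, 2], [1, 1]], [0, 1])  #     y'  = f_2(x'; y)
    y2 = biperm(y1, l2, [[1, 0], [1, 1]], [[1, 1], [1, 2]], [1, 1]) # t': y'' = f_3(y'; l_2)
    x2 = biperm(x1, y2, [[2, 3], [1, 2]], [[1, 2], [0, 1]], [0, 0]) #     x'' = f_4(x'; y'')
    R = [[1, 0, 2, 0], [1, 1, 0, 1], [0, 0, 1, 3], [0, 0, 0, 1]]    # Step 3: 4x4, det 1
    return vec_mat(x2 + y2, R)              # (Z_1, ..., Z_4) = (A_1, ..., A_4) . R

def encrypt(Z, a, b):
    """Ciphertext c_i = Z_i(a_1..a_n, b_1..b_2n) for message a and random rationals b."""
    return [evaluate(z, list(a) + list(b)) for z in Z]

def rref(rows, ncols):
    """Reduced row echelon form over Q: returns (nonzero rows, pivot columns)."""
    A, pivots = [[Fr(v) for v in row] for row in rows], []
    for col in range(ncols):
        k = len(pivots)
        piv = next((i for i in range(k, len(A)) if A[i][col] != 0), None)
        if piv is not None:
            A[k], A[piv] = A[piv], A[k]
            A[k] = [v / A[k][col] for v in A[k]]
            for i in range(len(A)):
                if i != k and A[i][col] != 0:
                    A[i] = [u - A[i][col] * w for u, w in zip(A[i], A[k])]
            pivots.append(col)
    return A[:len(pivots)], pivots

def canonical(polys):
    """Echelon basis of the Q-span of polys over their monomials, highest degree first."""
    monos = sorted({m for p in polys for m in p}, key=lambda m: (sum(m), m), reverse=True)
    rows, _ = rref([[p.get(m, Fr(0)) for m in monos] for p in polys], len(monos))
    return [{m: v for m, v in zip(monos, row) if v} for row in rows]

def s_free_part(Z, c):
    """Combinations sum lambda_i (Z_i - c_i) whose s-monomials all cancel.  Since
    Z - c = (X - X(a, b)).T with T invertible, this is span{P_i - P_i(a) : i <= n}."""
    Q = [add(z, const(-ci)) for z, ci in zip(Z, c)]
    s_monos = sorted({m for q in Q for m in q if any(m[N:])})
    rows, pivots = rref([[q.get(m, Fr(0)) for q in Q] for m in s_monos], len(Q))
    found = []
    for free in [j for j in range(len(Q)) if j not in pivots]:   # null space basis
        lam = [Fr(0)] * len(Q)
        lam[free] = Fr(1)
        for row, pc in zip(rows, pivots):
            lam[pc] = -row[free]
        found.append(lin_comb(Q, lam))
    return canonical(found)

if __name__ == "__main__":
    Z = keygen()
    print(s_free_part(Z, encrypt(Z, (2, -3), (1, 2, -1, 3))))  # r_1^3 - 8 and r_1 + r_2 + 1
```

For the message (2, −3) the script returns the two polynomials r_1^3 − 8 and r_1 + r_2 + 1 in echelon form, independent of the randomizers b, which is exactly the triangular system Step 4 would solve. A Gröbner basis of the same ideal computed with an elimination ordering contains polynomials in r_1, r_2 only for the same reason; the linear algebra above just isolates the part of the ideal that the affine construction leaves untouched.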

COMPLEXITY ANALYSIS
As stated earlier, the success of Attack 3.1 depends on the computation of a Gröbner basis of the ideal of interest. It is known that the complexity of solving a multivariate polynomial system via a Gröbner basis computation is governed by the degree of regularity d_reg, the maximum degree reached during the computation, and that in the worst case this complexity is doubly exponential in the number of variables; for details see Bardet, Faugère & Salvy (2015) and the references therein. This means that, for general or random systems, computing a Gröbner basis is not an easy job. In the present scenario, however, in order to leave a trapdoor in the multivariate polynomial cryptosystem under consideration, the polynomials {P_1,...,P_n} are special: the system of equations Eq. (3) must have a unique solution (r_1,...,r_n) = (a_1,...,a_n) ∈ Q^n for all choices of the constants b_i.
Moreover, for secure instances of the cryptosystem the authors suggested the value n = 4. In any such instance there are 2n = 8 polynomials in the 3n = 12 variables r_1,...,r_4, s_1,...,s_8. Of these 8 polynomials, four, P_1,...,P_4, depend only on the 4 variables r_1,...,r_4. For the trapdoor of Construction 2.1, one has to start by choosing these four polynomials so that the system
P_1(r_1,...,r_4) = b_1, ..., P_4(r_1,...,r_4) = b_4 (9)
has a unique solution (r_1, r_2, r_3, r_4) = (a_1, a_2, a_3, a_4) ∈ Q^4 for all choices of the constants b_1, b_2, b_3 and b_4. Then 4 more polynomials are constructed involving all 12 variables, making a system of 8 equations in 12 unknowns. The public key polynomials {Z_1,...,Z_2n} are obtained as random linear combinations of the polynomials {P_1,...,P_2n} by means of the bipermutations of Eqs. (4) and (5). In the entire construction, only the n variables r_1,...,r_n are basic (informative) and the remaining 2n variables s_1,...,s_2n are redundant.
The requirement of a unique solution of the system Eq. (9) makes the system Eq. (7) of 2n polynomials quite special rather than generic, so the worst-case complexity of Gröbner basis computation does not apply here. Moreover, we are not interested in the infinitely many solutions of the system Eq. (7) for the redundant unknowns s_1,...,s_2n; only the unknowns r_1,...,r_n are needed to recover the message M. It follows that there is no need to compute the complete Gröbner basis of the ideal I = ⟨Z_1 − c_1, Z_2 − c_2, ..., Z_8 − c_8⟩: the computation can be terminated as soon as a sufficient number of polynomials depending only on the basic variables has been obtained. Again, the worst-case complexity estimate is not applicable.
The same can be achieved with a well known application of Gröbner bases, namely elimination theory: compute the elimination ideal I ∩ Q[r_1,...,r_4] (for instance from a Gröbner basis of I with respect to a lexicographic ordering in which the s_j are larger than the r_i) and solve the resulting system to recover the message.
Several instances of the multivariate cryptosystem, as illustrated in Example 3.4, were generated for n = 4 with the encryption code of Appendix A, and in each case the message was recovered by Attack 3.1 on a Dell Latitude 3520 laptop (11th Gen Intel(R) Core(TM) i5-1135G7, 2.40 GHz, 8.0 GB RAM). For the computations of Example 3.4, the CPU time recorded by ApCoCoA (ApCoCoA Team, 2023) was 7.2 s for the complete Gröbner basis computation, whereas computing the elimination ideal J = I ∩ Q[r_1, r_2, r_3, r_4] and then a Gröbner basis of J took a total of 285 ms. In many other instances with n = 4, the reduced Gröbner basis computation took less than 2 s. Therefore, the multivariate cryptosystem of Construction 2.1 is not secure against the Gröbner basis attack.

CONCLUSION AND FUTURE WORK
In this article, we studied the security of the multivariate polynomial trapdoor public key cryptosystem proposed by Markovski, Mileva & Dimitrova (2014). We found that, although the public key consists of fewer polynomials than there are variables, so that the associated polynomial system has infinitely many solutions, the cryptosystem is not secure. One can mount a Gröbner basis attack against the nonlinear multivariate polynomial system (Eq. (3)) to recover the message without knowledge of the secret key, both for the worked example with n = 2 and for instances with the suggested parameter n = 4. The attack successfully recovers the original message encrypted in Section 4 of Markovski, Mileva & Dimitrova (2014), and the successful cryptanalysis of several other instances confirms that the cryptosystem is vulnerable to the Gröbner basis attack. Moreover, the first step of the key generation algorithm is to choose suitable polynomials such that the system (Eq. (3)) has a unique solution. Although a linear system meeting this requirement can be constructed trivially, constructing a nonlinear system of polynomial equations with this property for n ≥ 4 is not an easy task. Therefore, a concrete way to formulate a system with a unique real solution would have to be provided in order to generate a strong public key, that is, one producing ciphertexts that are secure against the Gröbner basis attack. We conclude that the proposed multivariate cryptosystem has serious security flaws.