A message recovery attack on multivariate polynomial trapdoor function

Rashid Ali; Muhammad Mubashar Hussain; Shamsa Kanwal; Fahima Hajjej; Saba Inam

doi:10.7717/peerj-cs.1521

A message recovery attack on multivariate polynomial trapdoor function

Rashid Ali¹, Muhammad Mubashar Hussain², Shamsa Kanwal ³, Fahima Hajjej⁴, Saba Inam³

1Department of Mathematics, Capital University of Science and Technology, Islamabad, Pakistan

2Department of Mathematics, University of Punjab, Jhelum, Pakistan

3Department of Mathematical Sciences, Fatima Jinnah Women University, Rawalpindi, Rawalpindi, Pakistan

4Department of Information Systems, College of Computer and Information Sciences, Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia

DOI: 10.7717/peerj-cs.1521

Published: 2023-08-28
Accepted: 2023-07-18
Received: 2023-02-07

Academic Editor: M Emilia Cambronero

Subject Areas: Cryptography, Security and Privacy, Theory and Formal Methods, World Wide Web and Web Science
Keywords: Multivariate polynomial system, Gröbner basis, Algebraic cryptanalysis, Public key cryptosystem

Copyright: © 2023 Ali et al.
Licence: This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, reproduction and adaptation in any medium and for any purpose provided that it is properly attributed. For attribution, the original author(s), title, publication source (PeerJ Computer Science) and either DOI or URL of the article must be cited.

Cite this article: Ali R, Hussain MM, Kanwal S, Hajjej F, Inam S. 2023. A message recovery attack on multivariate polynomial trapdoor function. PeerJ Computer Science 9:e1521 https://doi.org/10.7717/peerj-cs.1521

The authors have chosen to make the review history of this article public.

Abstract

Cybersecurity guarantees the exchange of information through a public channel in a secure way. That is the data must be protected from unauthorized parties and transmitted to the intended parties with confidentiality and integrity. In this work, we mount an attack on a cryptosystem based on multivariate polynomial trapdoor function over the field of rational numbers Q. The developers claim that the security of their proposed scheme depends on the fact that a polynomial system consisting of 2n (where n is a natural number) equations and 3n unknowns constructed by using quasigroup string transformations, has infinitely many solutions and finding exact solution is not possible. We explain that the proposed trapdoor function is vulnerable to a Gröbner basis attack. Selected polynomials in the corresponding Gröbner basis can be used to recover the plaintext against a given ciphertext without the knowledge of the secret key.

Introduction

The 21^st century is the century of information and technology. Because of the advancements in the field of information technology, the secure communication has become the most challenging task. Public key cryptography plays a vital role in this regard. The security of most of the public key cryptosystems being used is based on the intractability of certain mathematical problems which are considered to be hard. For instance, the security of RSA (Rivest, Shamir & Adleman, 1978) relies on the difficulty of integer factorization problem (IFP) and ElGamal (1985) is based on the hardness discrete logarithm problem (DLP). But these problems can be solved on quantum computers using Shor’s algorithm (Shor, 1997). It is believed that multivariate public key cryptography is a good alternative in post-quantum reign for better security and efficiency. The security of a multivariate public key cryptosystems (MPKCs) relies on the difficulty of solving a system of multivariate polynomial equations (Ding & Yang, 2009) or isomorphism problem (Tang & Xu, 2012). In this context, several MPKCs were designed e.g., Matsumoto-Imai multivariate quadratic polynomial scheme (Matsumoto & Imai, 1988), the Hidden Field Equation method (Patarin, 1996), the Oil-Vinegar scheme (Patarin, 1997), etc. However, almost all of these schemes have been broken through various attacks (Courtois, 2001; Faugère & Joux, 2003; Patarin, 1995). A survey article on these schemes was written by Wolf & Preneel (2005). Markovski, Mileva & Dimitrova (2014) have introduced a new multivariate polynomial trapdoor over the field of rational numbers.

Algebraic attacks (Faugère & Joux, 2003; Kreuzer & galore!, 2009) can be roughly divided into two categories. Firstly, the attacks which concentrate on specific variety and break it because of particular properties e.g., Kipnis & Shamir (1998) attack against Oil and Vinegar. The second category comprises of algorithms generally used to solve multivariate polynomial system of equations. Examples include the XL algorithm (Courtois et al., 2000), and the relinearization technique (Kipnis & Shamir, 1999). Buchberger (1965) laid down a solid foundation of modern computational algebra by introducing the idea of Gröbner bases to address the problem of solving an algebraic system of multivariate polynomial equations. The Gröbner basis method is a general and well established technique to solve polynomial system of equations (Buchberger, 1976). For some applications of Göbner bases we refer to Buchberger & Winkler (1998), Buchberger (0000) and Francis & Ambedkar (2018). and for the detailed theory on computation of Gröbner basis we refer to the comprehensive books (Cox, Little & O’shea, 1998; Kreuzer & Robbiano, 2000) on computational algebra. The Buchberger’s algorithm turns out to be very useful to mount an algebraic attack on any multivariate cryptosystem.

In this article, the cryptanalysis of a multivariate polynomial trapdoor function (Markovski, Mileva & Dimitrova, 2014) over the field of rational numbers is presented. The authors claimed that the proposed scheme is based on 2n multivariate polynomial equations in 3n unknowns and hence has infinitely many solutions to defeat an algebraic attack. Our cryptanalysis shows that the proposed multivariate scheme is vulnerable to Gröbner basis attack on the associated system of multivariate polynomial equations.

The rest of the article is organised as: ‘Introduction’ gives the brief description of the proposed scheme along with the necessary notations and definitions; ‘The Multivariate Cryptosystem SBIM(Q)’ illustrates the scheme with the example given in Markovski, Mileva & Dimitrova (2014); ‘Cryptanalysis’ presents the cryptanalysis of the proposed scheme.

The Multivariate Cryptosystem SBIM(ℚ)

The trapdoor function under consideration uses the multivariate polynomials, usually quadratic, over ℚ, the field of rational numbers. The public key of this trapdoor function mainly consists of 2 n multivariate polynomials in 3 n unknowns r₁, …, r_n, s₁, …, s_2n. The variables r_i; i=1 , …, n usually contain the information content, whereas the variables s_i; i=1 , …, 2n contain the redundant information. The redundant information is added for the security purpose. So, if we use a plaintext comprising of n rational numbers for the encryption purpose, we will get a ciphertext consisting of 2 n rational numbers. The quasigroup string transformations are used to construct the public key. These transformations are obtained from quasigroups represented in matrix form. The private key of this cryptosystem comprises of different 1 × n and n × n matrices over the field of rational numbers, and one 2n × 2n matrix.

Recall that a groupoid (G, f) having unique left as well as right inverses for each element in G with respect to the binary operation f is called a quasigroup. The binary operation f:G → G is then called a quasigroup bipermutation. From the binary operation f on the quasigroup G we can derive two new quasigroup bipermutation f⁽²³⁾ and f⁽¹³⁾ as follows: $f (x_{1}, x_{2}) = x_{3} \Leftrightarrow f^{(23)} (x_{1}, x_{3}) = x_{2} \Leftrightarrow f^{(13)} (x_{3}, x_{2}) = x_{1} .$

The next theorem gives a way to construct quasigroup bipermutation from matrices over a field 𝔽.

Theorem 2.1.

(Markovski, Mileva & Dimitrova, 2014) Consider two nonsingular square matrices A and B of order m over a field 𝔽. Let C be a row vector (1 × m matrix) over the field 𝔽. Then the following mapping is a quasigroup bipermutation on F^m. (1) $f (r_{1}, \dots, r_{m}; s_{1}, \dots, s_{m}) = (r_{1}, \dots, r_{m}) \cdot A + (s_{1}, \dots, s_{m}) \cdot B + C,$ where r_i, s_i ∈ F. The new quasigroup bipermutations f⁽¹³⁾ and f⁽²³⁾ are defined in the following way as: (2) $f^{(13)} (r_{1}, \dots, r_{m}; s_{1}, \dots, s_{m}) = (r_{1}, \dots, r_{m}) A^{- 1} + (s_{1}, \dots, s_{m}) (- B A^{- 1}) - C A^{- 1}, f^{(23)} (r_{1}, \dots, r_{m}; s_{1}, \dots, s_{m}) = (r_{1}, \dots, r_{m}) (- A B^{- 1}) + (s_{1}, \dots, s_{m}) B^{- 1} - C B^{- 1} .$

Note that, in the above representation, instead of elements r_i, s_i ∈ 𝔽, we can use polynomials X_i and r_i over 𝔽 as inputs for the mapping f, then the output f(X₁, …, X_n; r₁, …, r_n) will also be a polynomial.

Construction

In this section we describe the construction of the proposed trapdoor multivariate public key cryptosystem (Markovski, Mileva & Dimitrova, 2014). From now on the field 𝔽 is ℚ, the field of rational numbers. A positive integer n is used as a parameter of the scheme. The main global parameter is a multivariate polynomial ring in 3n indeterminates over the field of rational numbers ℚ. The construction is based on three algorithms. That is, a Key Generation algorithm, an encryption algorithm and the corresponding decryption algorithm as described in the next sections. The message space is the set of all n-tuples (a₁, …, a_n) ∈ ℚ.

Key generation

The key generation process comprises of the following steps:

Choosing Polynomials: Let r₁, …, r_n, s₁, …, s_2n denote the variables on ℚ. Choose n multivariate polynomials P₁, …, P_n over ℚ in n variables r₁, …, r_n in a way that the system of equations (3) $P_{1} (r_{1}, \dots, r_{n}) = b_{1}, P_{2} (r_{1}, \dots, r_{n}) = b_{2}, \dots \dots \dots P_{n} (r_{1}, \dots, r_{n}) = b_{n},$ has a unique solution r₁ = a₁, …, r_n = a_n; a_i ∈ ℝ for any b_i ∈ ℚ. Here, ℝ denotes the field of real numbers. Next, choose n more multivariate polynomials P_n+1, …, P_2n over ℚ with variables r₁, …, r_n, s₁, …, s_2n over ℚ.
Applying Transformation: First choose a random permutation τ on the set of integers {1, 2, …, 2n} and then apply it on P_i to obtain the new polynomials X_i such that X_i = P_τ(i) for all i ∈ {1, 2, …, 2n}. Use these polynomials to define the vectors x = (X₁, …, X_n) and y = (X_n+1, …, X_2n). Now t − and t′ −transformations are applied to obtain new polynomials as follows: These two t − and t′ − transformations are necessary. Continuing this way, we can define more pairs of t − , t′ − quasigroup bipermutations from y″ and x″ by choosing new leaders l_i ∈ ℚⁿ and n × n random matrices N_i, M_i in the same way as in the above Eqs. (4) and (5).
1. Define t −transformation: Choose a random vector l₁ = (ℓ₁₁, …, ℓ_1n) ∈ ℚⁿ known as leader and then define two quasigroup bipermutations f₁ and f₂ by randomly choosing non singular n × n matrices M_i, N_i (i = 1, 2) as follows: (4) $f_{1} (l_{1}; x) = l_{1} \cdot M_{1} + x \cdot N_{1}; f_{2} (x^{'}; y) = x^{'} \cdot M_{2} + y \cdot N_{2},$ where x′ = f₁(l₁; x) and set y′ = f₂(x′; y).
2. Define t′ −transformation: Use the vector y′ and another random leader l₂ ∈ ℚⁿ where l₂ = (ℓ₂₁, …, ℓ_2n) to define new quasigroup bipermutations f₃ and f₄ by randomly choosing non singular n × n matrices M_i, N_i (i = 3, 4) as follows: (5) $f_{3} (y^{'}; l_{2}) = y^{'} \cdot M_{3} + l_{2} \cdot N_{3}, f_{4} (x^{'}; y^{″}) = x^{'} \cdot M_{4} + y^{″} \cdot N_{4},$ where y″ = f₃(y′; l₂). Again set x″ = f₄(x′; y″).
The Public Key: Let the integer s ≥ 0 be the number of additional transformations applied. Note that the last transformation was accomplished by randomly chosen leader l_2+p and quasigroup bipermutations f_3+s and f_4+s applied on some n −tuples of multivariate polynomials v and w. When the last applied transformation was a t −transformation, we write f_3+s(l_2+s; v)≔(A₁, …, A_n) and f_4+s((A₁, …, A_n); w)≔(A_n+1, …, A_2n). Whereas if the last applied transformation was a t′ −transformation, we let f_3+s(w; l_2+s)≔(A₁, …, A_n) and f_4+s(v; (A₁, …, A_n))≔(A_n+1, …, A_2n). Finally, choose a random non singular matrix R over ℚ of order 2n × 2n and compute the public key, (Z₁, …, Z_2n), a new set of 2n polynomials as, $(Z_{1}, \dots, Z_{2 n}) = (A_{1}, \dots, A_{2 n}) \cdot R .$ Clearly, each polynomial Z_i = Z_i(r₁, …, r_n, s₁, …, s_2n) is a multivariate polynomial in the 3n variables.
The Private Key: The permutation τ, all the leaders l_i and all the matrices M_i, N_i, R, which were used to generate the public key, constitute the private key. Here we remark that all the leaders and the matrices are not necessarily required to be different but there should be at least two different leaders and at least four different matrices for defining the bipermutations.

Encryption

To encrypt a message M = (a₁, …, a_n) in ℚⁿ, first choose 2n random rational numbers b₁, …, b_2n and then evaluate all the public polynomials Z_i by setting r_j = a_j; j=1 , …, n and s_k = b_k; k=1 , …, 2n to compute the ciphertext c = (c₁, …, c_2n). That is, the components of the ciphertext c are the rational numbers computed as follows: (6) $c_{1} = Z_{1} (a_{1}, \dots, a_{n}, b_{1}, \dots, b_{2 n}), c_{2} = Z_{2} (a_{1}, \dots, a_{n}, b_{1}, \dots, b_{2 n}), \dots \dots \dots \dots c_{2 n} = Z_{2 n} (a_{1}, \dots, a_{n}, b_{1}, \dots, b_{2 n}) .$

Decryption

To decrypt a ciphertext c = (c₁, …, c_2n), the receiver will first compute the inverse of the private matrix R and compute the 2n-tuple (e₁, …, e_2n) = (c₁, …, c_2n)⋅R⁻¹ and split it into two halve to obtain C₁ = (e₁, …, e_n) and C₂ = (e_n+1, …, e_2n). Depending on how the polynomials s_i’s were obtained, the receiver has to then apply either a u − or u′ −transformation to undo the effect of t − and t^′−transformations:

u −transformation: If the last transformation was a t −transformation defined by a leader l_2+s and bipermutations f_3+s and f_4+s, then the receiver will apply a u −transformation defined by the parasstrophes $f_{3 + s}^{(23)}$ and $f_{4 + s}^{(23)}$ to obtain M₁, M₂ ∈ ℚⁿ as follows: $M_{1} = f_{3 + s}^{(23)} (l_{2 + s}; C_{1}), M_{2} = f_{4 + s}^{(23)} (C_{1}; C_{2}) .$
u′ −transformation: If the last transformation was a t′ −transformation defined by a leader l_2+s and bipermutations f_3+s and f_4+s, then the receiver will apply a u − transformation defined by the parasstrophes $f_{3 + s}^{(13)}$ and $f_{4 + s}^{(13)}$ to obtain M₁, M₂ ∈ ℚⁿ as follows: $M_{1} = f_{3 + s}^{(13)} (C_{2}; l_{2 + s}), M_{2} = f_{4 + s}^{(13)} (C_{1}; C_{2}) .$

Note that, we have to apply u − or u′ −transformations in the reverse order (from downward-up way). After each application of these transformations, we get n −tuples of rational numbers. In the end, instead of polynomial tuples x and y we get n −tuples of rational numbers p = (p₁, …, p_n) and q = (p_n+1, …, p_2n). Finally, the inverse permutation τ⁻¹ is applied on (p₁, p₂, …, p_2n) to get $(b_{1} = p_{τ^{- 1} (1)}, \dots, b_{2 n} = p_{τ^{- 1} (2 n)}) .$ Use the values of b₁, …, b_n in the system Eq. (3) to get polynomial system of n equations in n unknowns. Solve the obtained system to get the required message M = (a₁, …, a_n) ∈ ℚⁿ.

Remark 2.2. The trapdoor function described above takes plaintext in the form of n −tuple of rational numbers as input and returns the corresponding ciphertext in the form of 2n −tuple of rational numbers as output. For the further details we refer to Markovski, Mileva & Dimitrova (2014).

Cryptanalysis

The underlying hard problem in the above described multivariate trapdoor cryptosystem is that a polynomial system of equations consisting of 2n equations in 3n unknowns has infinite number of solutions. Therefore, finding the exact solution is not possible. For a given ciphertext (c₁, …, c_2n) the attacker can make the following system using the public key polynomials (s₁, …, s_2n). (7) $Z_{1} (r_{1}, \dots, r_{n}, s_{1}, \dots, s_{2 n}) = c_{1}, Z_{2} (r_{1}, \dots, r_{n}, s_{1}, \dots, s_{2 n}) = c_{2}, \dots \dots \dots Z_{2 n} (r_{1}, \dots, r_{n}, s_{1}, \dots, s_{2 n}) = c_{2 n} .$

The authors claim that, if the public key is produced by choosing suitable polynomials then the above system (Eq. (7)) has infinitely many solutions for the unknowns r₁, …, r_n and s₁, …, s_2n. Therefore, an attacker cannot find the actual plaintext in this way. They proposed that using quadratic polynomials for n = 4, a much secure key can be generated. Here, we try different attacks to check its security. First of all, it is obvious that the private key consists of several matrices over the field of rational numbers and certain quasigroup bipermutations which shows that the key space is infinite. So the brute force attack is not possible even if the degree of the polynomials is known. Before we introduce the Gröbner bases attack method on this trapdoor function, note that, an attacker is not interested in all 3n unknowns. To recover the message M = (a₁, …, a_n) the attacker is only interested in the values of unknowns r_i (i = 1, …, n) containing the information. That is, to recover the message we do not have to solve the entire system of 2n equations in 3n unknowns.

Gröbner bases method is based on the Buchberger’s algorithm (Buchberger, 1965) which is used to calculate Gröbner bases G for the ideal I generated by the polynomials in the system to be solved. Let 𝔽 be a field and I ⊂ 𝔽[r₁, …, r_n] be an ideal generated by the polynomials f₁, …, f_v ∈ 𝔽[r₁, …, r_n]. Then a set G = {g₁, …, g_k} ⊂ I will be a Gröbner bases for I with respect to some monomial ordering ≺ if the ideal generated by the leading terms of G is the same as the ideal generated by the leading terms of I. For a given monomial ordering, every ideal has a Gröbner bases (for details, see Cox, Little & O’shea, 1998; Kreuzer & Robbiano, 2000).

The Attack Model

As stated earlier, the attacker is not interested in the infinitely many solutions of a system of 2n polynomial equations in 3n unknowns. One can exploit the structure of the multivariate cryptosystem presented in Construction 2.1 to mount a Gröbner basis attack by extracting a system of n polynomials depending only in in n unknowns r₁, …, r_n from the resulting Gröbner basis.

To mount the proposed attack, set the working ring ℚ[r₁, …, r_n, s₁, …, s_2n] of 3n indeterminates defined over the field of rational numbers ℚ. After getting the public key polynomials Z₁, Z₂, …, Z_2n and the ciphertext C = (c₁, c₂, …, c_2n) ∈ ℚ²ⁿ, perform the steps in the following attack for the cryptanalysis of the cryptosystem described in Section 2.

Attack 3.1. (Message Recovery Attack)

Input: Public key polynomials Z₁, …, Z_2n ∈ ℚ[r₁, …, r_n, s₁, …, s_2n] and

Ciphertext C = (c₁, c₂, …, c_2n) ∈ ℚ²ⁿ.

Output: A system of n polynomial equations in n unknowns.

Create an ideal I ⊂ ℚ[r₁, …, r_n, s₁, …, s_2n] as $I = 〈 Z_{1} - c_{1}, Z_{2} - c_{2}, \dots, Z_{2 n} - c_{2 n} 〉 .$
Compute the reduced Gröbner basis G = {g₁, …, g_t} ⊂ ℚ[r₁, …, r_n, s₁, …, s_2n] of I.
Identify the polynomials G₁, …, G_n ∈ G depending only on the variables r₁, …, r_n. That is, G_i = g_j for some g_j ∈ G such that g_j ∈ ℚ[r₁, …, r_n].
Solve the polynomial system of n equations {G₁ = 0, …, G_n = 0} for the values of r₁, …, r_n to recover the message M.

Note that, the success of Attack heavily depends on the successful execution of Step 2 of the attack. We have already noticed that the construction of public polynomials is based on the constant multiples of the n secret polynomials P₁, …, P_n depending only on the variables r₁, …, r_n. Therefore, the resulting Gröbner basis will always contain polynomials depending only on these variables.

We now illustrate Attack 3.1 by mounting it first on the instance of the cryptosystem for n = 2 as given in [18, Section 4] and then for the case of n = 4.

Example 3.2 Using our notations and symbols given in Section Section 2, we use the information presented in encryption example of Markovski, Mileva & Dimitrova (2014) to mount the attack as follows. Here we have n = 2 and the resulting public key consists of the following 4 polynomials Z₁, …, Z₄ in 3n = 6 unknowns (r₁, r₂, s₁, s₂, s₃, s₄).

$Z_{1} = - 8 + 7 r_{1} + 13 r_{2} - 9 s_{1} - 9 s_{4} + 11 r_{1}^{3} + 9 r_{2}^{3} + 9 s_{1}^{3} + 27 r_{1} s_{4} + 18 r_{2} s_{2}$ $Z_{2} = 21 - 5 r_{1} + 4 r_{2} + 9 s_{1} - 3 s_{3} + 3 s_{4} - 9 r_{1}^{3} - 6 r_{2}^{3} - 6 s_{1}^{3} - 3 s_{2}^{4} - 18 r_{1} s_{4} - 3 r_{2} s_{1} - 12 r_{2} s_{2}$ $Z_{3} = - 10 - 5 r_{1} + r_{2} + 3 s_{1} + 3 s_{4} + r_{1}^{3} - 3 r_{2}^{3} - 3 s_{1}^{3} - 9 r_{1} s_{4} - 6 r_{2} s_{2}$ $Z_{4} = 13 - 9 r_{1} - 18 r_{2} + 12 s_{1} + 12 s_{4} - 16 r_{1}^{3} - 12 r_{2}^{3} - 12 s_{1}^{3} - 36 r_{1} s_{4} - 24 r_{2} s_{2} .$ This public key has been produced by the key generation process given in Section (2.2) with the following polynomials: $P_{1} = r_{1} - 2 r_{2},$ $P_{2} = r_{1}^{3} - 2,$ $P_{3} = r_{1}^{3} + r_{2}^{2} + s_{1}^{3} + 3 r_{1} s_{4} + 2 r_{2} s_{2} + r_{1} + r_{2} - s_{1} - s_{4},$ $P_{4} = - s_{2}^{4} - r_{2} s_{1} + 2 r_{1} + s_{1} - s_{3} - s_{4} .$ For the construction, the random permutation is taken as τ = (3, 2, 1, 4). The secret matrices involved in transformation Eqs. (4) and (5) are chosen as: $M_{1} = (\begin{matrix} 1 & - 1 \\ 2 & - 1 \end{matrix}), M_{2} = (\begin{matrix} - 1 & 0 \\ 1 & 1 \end{matrix}), M_{3} = (\begin{matrix} - 1 & 0 \\ 0 & - 1 \end{matrix}), M_{4} = (\begin{matrix} 1 & - 2 \\ 1 & 1 \end{matrix})$ $N_{1} = (\begin{matrix} 0 & 3 \\ 1 & 0 \end{matrix}), N_{2} = (\begin{matrix} 2 & 1 \\ - 1 & - 1 \end{matrix}), N_{3} = (\begin{matrix} 3 & 5 \\ 1 & 2 \end{matrix}), N_{4} = (\begin{matrix} 1 & 0 \\ 0 & 1 \end{matrix})$ The leaders involved are l₁ = (−1, 1) and l₂ = (2, − 1). Finally, a the invertible matrix R of order 2n = 4 is chosen as $R = (\begin{matrix} 2 & - 1 & 0 & - 3 \\ 1 & 2 & - 1 & - 1 \\ 0 & 3 & 2 & 0 \\ - 3 & - 1 & - 1 & 4 \end{matrix})$ .

The message M = (1, 1) ∈ ℚ² is encrypted by evaluating the public polynomials at r₁ = 1, r₂ = 1 and 4 randomly chosen rational numbers s₁ = s₂ = s₃ = 0, s₄ = 1. That is, the resulting ciphertext (c₁, c₂, c₃, c₄) is computed as: $c_{1} = Z_{1} (1, 1, 0, 0, 0, 1) = 50$ $c_{2} = Z_{2} (1, 1, 0, 0, 0, 1) = - 10$ $c_{3} = Z_{3} (1, 1, 0, 0, 0, 1) = - 22$ $c_{4} = Z_{4} (1, 1, 0, 0, 0, 1) = - 66$ With this ciphertext C = (50, − 10, − 22, − 66), we want to recover the corresponding plaintext M = (1, 1) without usin the secret key. For this purpose, we construct the following system of equations by using the public key polynomials Z₁, Z₂, Z₃ and Z₄ and the ciphertext. $Z_{1} - 50 = 0,$ $Z_{2} + 10 = 0,$ $Z_{3} + 22 = 0,$ $Z_{4} + 66 = 0 .$ To mount the Gröbner basis attack, let I = 〈Z₁ − c₁, Z₂ + c₂, Z₃ − c₃, Z₄ − c₄〉 be the ideal generated by the above system of multivariate polynomial system of equations.

We use the computer algebra system ApCoCoA (ApCoCoA Team, 2023) and the code given in Appendix A for calculating the reduced Gröbner bases G for the ideal I. The set G is found to contain the following four polynomials: $F_{1} = r_{1} - 2 r_{2} + 1,$ $F_{2} = s_{1}^{3} + \frac{3}{2} r_{2}^{2} + 2 r_{2} s_{2} + 6 r_{2} s_{4} + \frac{9}{4} r_{2} - s_{1} - 4 s_{4} - \frac{23}{4},$ $F_{3} = s_{2}^{4} + r_{2} s_{1} - 4 r_{2} - s_{1} + s_{3} + s_{4} + 3,$ $F_{4} = r_{2}^{3} - \frac{3}{2} r_{2}^{2} + \frac{3}{4} r_{2} - \frac{1}{4} .$ Recall that the variables r_i’s contain the information about the original message while s_i are the redundant variables. In the above computed Gröbner basis, we are only interested in polynomials F₁ and F₄ that are expressed in two required unknowns r₁ and r₂. Solving F₁ = 0 and F₄ = 0 simultaneously, the only real solution of F₄ = 0 is r₂ = 1, and F₁ = 0 then gives r₁ = 1. This shows that the plaintext M = (r₁, r₂) = (1, 1) has been successfully recovered without using the private key.

Remark 3.3. All computations are performed on the platform of Computer Algebra System ApCoCoA (ApCoCoA Team, 2023). For this purpose the Key Generation Algorithm 2.2 and the Encryption Algorithm 2.3 are implemented in the setting of ApCoCoA as given in Appendix A. The validity of the findings follows from the fact that our code generated the same public polynomials P₁, P₂, P₃, P₄ and the ciphertext C = (c₁, c₂, c₃, c₄) as given in Markovski, Mileva & Dimitrova (2014). Moreover, the computation of reduced Gröbner basis of the ideal I has been performed by the built-in function ReducedGBasis(I) available in ApCoCoA (ApCoCoA Team, 2023).

Example 3.4. For the case of n = 4, the multivariate ring over ℚ in 3n = 12 indeterminates is ℚ[r₁, …, r₄, s₁, …, s₈]. As per requitremnt of the cryptosystem presented in Markovski, Mileva & Dimitrova (2014) the following secret polynomials P_i1 ≤ i ≤ 8 are chosen such that the polynomial system {P₁ = 0, P₂ = 0, P₃ = 0, P₄ = 0} has unique solution (a₁, a₂, a₃, a₄) ∈ ℚ⁴. $P_{1} = 5 r_{1} + r_{2} + r_{3} + 2 r_{4} + 1$ $P_{2} = - r_{1}^{2} - r_{2} - r_{4}$ $P_{3} = - r_{1} + 3 r_{2} + 2$ $P_{4} = - r_{1} r_{3} + 2 r_{1} + r_{2} + 1$ $P_{5} = r_{1}^{2} + 5 r_{2}^{2} + s_{1}^{2} + 2 r_{2} s_{2} + 3 r_{1} s_{4} + r_{1} s_{5} + r_{2} s_{5} + r_{1} - r_{2} - s_{4} - s_{5}$ $P_{6} = 2 r_{1} r_{3} - 2 r_{2} s_{1} - r_{3} s_{1} - s_{2}^{2} + s_{2} s_{3} - s_{4} s_{5} + s_{5} s_{6} + r_{4} s_{7} - s_{8}^{2} + 3 s_{5} - s_{7} + s_{8}$ $P_{7} = - 2 r_{2} s_{2} + r_{3} s_{3} + s_{3}^{2} - 5 s_{4}^{2} + s_{5} s_{6} - 2 s_{5} s_{7} + r_{1} + 4 r_{4} + 2 s_{1} - s_{3} - s_{5} + s_{7} + s_{8} + 2$ $P_{8} = r_{2}^{2} + 5 r_{3}^{2} + 5 r_{1} s_{1} - 3 s_{2}^{2} - 3 r_{2} s_{4} + 2 r_{4} s_{4} + s_{4}^{2} + r_{2} s_{6} + r_{3} s_{7} + s_{7}^{2} + s_{8}^{2} + r_{2} - r_{3} + 2 r_{4} - s_{5} - s_{7}$ The random permutation is taken as τ = (3, 5, 1, 6, 8, 2, 4, 7) and for the transformations Eqs. (4) and (5), the secret matrices are taken as: $M_{1} = (\begin{matrix} 1 & - 1 & 2 & 1 \\ 2 & - 1 & 3 & 1 \\ 1 & 0 & 0 & - 1 \\ 2 & 1 & 0 & 0 \end{matrix}), M_{2} = (\begin{matrix} - 1 & 0 & 0 & 0 \\ 1 & 1 & 1 & 2 \\ 0 & 1 & - 1 & 0 \\ 0 & 0 & 1 & 2 \end{matrix}), M_{3} = (\begin{matrix} - 1 & 0 & 3 & 4 \\ 0 & - 1 & 0 & - 3 \\ 2 & 1 & 3 & 1 \\ 1 & 0 & 0 & 1 \end{matrix}), M_{4} = (\begin{matrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & - 1 & 0 \\ 0 & 0 & 0 & 1 \end{matrix}) .$ $N_{1} = (\begin{matrix} 1 & 3 & 0 & 3 \\ 1 & 0 & 1 & 0 \\ 2 & 1 & - 1 & 2 \\ 3 & 0 & 0 & 1 \end{matrix}), N_{2} = (\begin{matrix} 2 & 1 & 1 & - 1 \\ - 1 & - 1 & 3 & 4 \\ 1 & 0 & - 1 & 0 \\ 2 & 3 & 5 & 1 \end{matrix}), N_{3} = (\begin{matrix} 3 & 5 & 1 & - 1 \\ 1 & 2 & 1 & 0 \\ 0 & 0 & 2 & 0 \\ 2 & 0 & 3 & 0 \end{matrix}), N_{4} = (\begin{matrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{matrix}) .$ The leaders l₁, l₂ and random secret matrix R are $l_{1} = (- 1, 1, - 1, 1), l_{2} = (2, - 1, - 2, 2), and R = (\begin{matrix} 2 & - 1 & 0 & - 3 & 1 & 0 & - 1 & 3 \\ 1 & 2 & - 1 & - 1 & 1 & 5 & 0 & 0 \\ 0 & 3 & 2 & 0 & 0 & 0 & 3 & 2 \\ - 3 & - 1 & - 1 & 4 & 4 & 2 & 1 & - 1 \\ 1 & - 1 & 2 & - 2 & 3 & 1 & 4 & 5 \\ 1 & 4 & 5 & - 1 & 0 & 0 & 0 & - 2 \\ 0 & 1 & 0 & - 3 & - 3 & - 1 & 2 & 0 \\ 1 & 1 & - 1 & - 1 & 1 & - 1 & 2 & - 1 \end{matrix}) .$ The resulting public polynomials are: $Z_{1} = - 18 r_{1}^{2} + 42 r_{2}^{2} + 88 r_{1} r_{3} - 65 r_{3}^{2} - 65 r_{1} s_{1} - 88 r_{2} s_{1} - 44 r_{3} s_{1} + 11 s_{1}^{2} - 20 r_{2} s_{2} - 5 s_{2}^{2} + 21 r_{3} s_{3} + 44 s_{2} s_{3} + 21 s_{3}^{2} + 33 r_{1} s_{4} + 39 r_{2} s_{4} - 26 r_{4} s_{4} - 118 s_{4}^{2} + 11 r_{1} s_{5} + 11 r_{2} s_{5} - 44 s_{4} s_{5} - 13 r_{2} s_{6} + 65 s_{5} s_{6} - 13 r_{3} s_{7} + 44 r_{4} s_{7} - 42 s_{5} s_{7} - 13 s_{7}^{2} - 57 s_{8}^{2} + 158 r_{1} + 42 r_{2} + 67 r_{3} + 103 r_{4} + 42 s_{1} - 21 s_{3} - 11 s_{4} + 113 s_{5} - 10 s_{7} + 65 s_{8} + 187,$ $Z_{2} = - 64 r_{1}^{2} - 152 r_{2}^{2} - 72 r_{1} r_{3} + 190 r_{3}^{2} + 190 r_{1} s_{1} + 72 r_{2} s_{1} + 36 r_{3} s_{1} - 38 s_{1}^{2} - 232 r_{2} s_{2} - 78 s_{2}^{2} + 78 r_{3} s_{3} - 36 s_{2} s_{3} + 78 s_{3}^{2} - 114 r_{1} s_{4} - 114 r_{2} s_{4} + 76 r_{4} s_{4} - 352 s_{4}^{2} - 38 r_{1} s_{5} - 38 r_{2} s_{5} + 36 s_{4} s_{5} + 38 r_{2} s_{6} + 42 s_{5} s_{6} + 38 r_{3} s_{7} - 36 r_{4} s_{7} - 156 s_{5} s_{7} + 38 s_{7}^{2} + 74 s_{8}^{2} + 121 r_{1} + 287 r_{2} - 8 r_{3} + 422 r_{4} + 156 s_{1} - 78 s_{3} + 38 s_{4} - 186 s_{5} + 76 s_{7} + 42 s_{8} + 341,$ $Z_{3} = - 46 r_{1}^{2} - 34 r_{2}^{2} + 46 r_{1} r_{3} + 30 r_{3}^{2} + 30 r_{1} s_{1} - 46 r_{2} s_{1} - 23 r_{3} s_{1} - 8 s_{1}^{2} - 132 r_{2} s_{2} - 41 s_{2}^{2} + 58 r_{3} s_{3} + 23 s_{2} s_{3} + 58 s_{3}^{2} - 24 r_{1} s_{4} - 18 r_{2} s_{4} + 12 r_{4} s_{4} - 284 s_{4}^{2} - 8 r_{1} s_{5} - 8 r_{2} s_{5} - 23 s_{4} s_{5} + 6 r_{2} s_{6} + 81 s_{5} s_{6} + 6 r_{3} s_{7} + 23 r_{4} s_{7} - 116 s_{5} s_{7} + 6 s_{7}^{2} - 17 s_{8}^{2} + 207 r_{1} + 193 r_{2} + 60 r_{3} + 306 r_{4} + 116 s_{1} - 58 s_{3} + 8 s_{4} + 13 s_{5} + 29 s_{7} + 81 s_{8} + 347,$ $Z_{4} = 63 r_{1}^{2} - 7 r_{2}^{2} - 102 r_{1} r_{3} - 35 r_{3}^{2} - 35 r_{1} s_{1} + 102 r_{2} s_{1} + 51 r_{3} s_{1} + 194 r_{2} s_{2} + 72 s_{2}^{2} - 97 r_{3} s_{3} - 51 s_{2} s_{3} - 97 s_{3}^{2} + 21 r_{2} s_{4} - 14 r_{4} s_{4} + 478 s_{4}^{2} + 51 s_{4} s_{5} - 7 r_{2} s_{6} - 148 s_{5} s_{6} - 7 r_{3} s_{7} - 51 r_{4} s_{7} + 194 s_{5} s_{7} - 7 s_{7}^{2} + 44 s_{8}^{2} - 361 r_{1} + 362 r_{2} - 106 r_{3} - 513 r_{4} - 194 s_{1} + 97 s_{3} - 49 s_{5} - 39 s_{7} - 148 s_{8} - 616,$ $Z_{5} = - 87 r_{1}^{2} - 141 r_{2}^{2} + 18 r_{1} r_{3} - 30 r_{3}^{2} - 30 r_{1} s_{1} - 18 r_{2} s_{1} - 9 r_{3} s_{1} - 27 s_{1}^{2} - 54 r_{2} s_{2} + 9 s_{2}^{2} + 9 s_{2} s_{3} - 81 r_{1} s_{4} + 18 r_{2} s_{4} - 12 r_{4} s_{4} - 6 s_{4}^{2} - 27 r_{1} s_{5} - 27 r_{2} s_{5} - 9 s_{4} s_{5} - 6 r_{2} s_{6} + 9 s_{5} s_{6} - 6 r_{3} s_{7} + 9 r_{4} s_{7} - 6 s_{7}^{2} - 15 s_{8}^{2} + 255 r_{1} + 441 r_{2} + 86 r_{3} + 92 r_{4} + 27 s_{4} + 60 s_{5} - 3 s_{7} + 9 s_{8} + 386,$ $Z_{6} = - 44 r_{1}^{2} - 70 r_{2}^{2} + 22 r_{1} r_{3} - 25 r_{3}^{2} - 25 r_{1} s_{1} - 22 r_{2} s_{1} - 11 r_{3} s_{1} - 13 s_{1}^{2} - 32 r_{2} s_{2} + 4 s_{2}^{2} + 3 r_{3} s_{3} + 11 s_{2} s_{3} + 3 s_{3}^{2} - 39 r_{1} s_{4} + 15 r_{2} s_{4} - 10 r_{4} s_{4} - 20 s_{4}^{2} - 13 r_{1} s_{5} - 13 r_{2} s_{5} - 11 s_{4} s_{5} - 5 r_{2} s_{6} + 14 s_{5} s_{6} - 5 r_{3} s_{7} + 11 r_{4} s_{7} - 6 s_{5} s_{7} - 5 s_{7}^{2} - 16 s_{8}^{2} + 138 r_{1} + 186 r_{2} + 53 r_{3} + 57 r_{4} + 6 s_{1} - 3 s_{3} + 13 s_{4} + 48 s_{5} - 3 s_{7} + 14 s_{8} + 208,$ $Z_{7} = - 142 r_{1}^{2} - 248 r_{2}^{2} - 76 r_{1} r_{3} + 285 r_{3}^{2} + 285 r_{1} s_{1} + 76 r_{2} s_{1} + 38 r_{3} s_{1} - 61 s_{1}^{2} - 416 r_{2} s_{2} - 133 s_{2}^{2} + 147 r_{3} s_{3} - 38 s_{2} s_{3} + 147 s_{3}^{2} - 183 r_{1} s_{4} - 171 r_{2} s_{4} + 114 r_{4} s_{4} - 678 s_{4}^{2} - 61 r_{1} s_{5} - 61 r_{2} s_{5} + 38 s_{4} s_{5} + 57 r_{2} s_{6} + 109 s_{5} s_{6} + 57 r_{3} s_{7} - 38 r_{4} s_{7} - 294 s_{5} s_{7} + 57 s_{7}^{2} + 95 s_{8}^{2} + 404 r_{1} + 875 r_{2} + 55 r_{3} + 845 r_{4} + 294 s_{1} - 147 s_{3} + 61 s_{4} - 257 s_{5} + 128 s_{7} + 109 s_{8} + 929,$ $Z_{8} = - 79 r_{1}^{2} + 5 r_{2}^{2} + 136 r_{1} r_{3} - 136 r_{2} s_{1} - 68 r_{3} s_{1} + s_{1}^{2} - 198 r_{2} s_{2} - 68 s_{2}^{2} + 100 r_{3} s_{3} + 68 s_{2} s_{3} + 100 s_{3}^{2} + 3 r_{1} s_{4} - 500 s_{4}^{2} + r_{1} s_{5} + r_{2} s_{5} - 68 s_{4} s_{5} + 168 s_{5} s_{6} + 68 r_{4} s_{7} - 200 s_{5} s_{7} - 68 s_{8}^{2} + 479 r_{1} + 557 r_{2} + 151 r_{3} + 566 r_{4} + 200 s_{1} - 100 s_{3} - s_{4} + 103 s_{5} + 32 s_{7} + 168 s_{8} + 793 .$ The message M = (15, 10, 2, 3) ∈ ℚ⁴ is encrypted by evaluating the public key polynomials at r₁ = 15, r₂ = 10, r₃ = 2, r₄ = 3 and 8 randomly chosen rational numbers s₁ = 0, s₂ = 1, s₃ = 2, s₄ = 0, s₅ = − 10, s₆ = 2, s₇ = 5, s₈ = 1. The encryption scheme ?? resulted in the ciphertext (c₁, c₂, …, c₈) as given below: $c_{1} = Z_{1} (15, 10, 2, 3, 0, 1, 2, 0, - 10, 2, 5, 1) = 3258$ $c_{2} = Z_{2} (15, 10, 2, 3, 0, 1, 2, 0, - 10, 2, 5, 1) = - 6360$ $c_{3} = Z_{3} (15, 10, 2, 3, 0, 1, 2, 0, - 10, 2, 5, 1) = 585$ $c_{4} = Z_{4} (15, 10, 2, 3, 0, 1, 2, 0, - 10, 2, 5, 1) = - 8226$ $c_{5} = Z_{4} (15, 10, 2, 3, 0, 1, 2, 0, - 10, 2, 5, 1) = - 19001$ $c_{6} = Z_{4} (15, 10, 2, 3, 0, 1, 2, 0, - 10, 2, 5, 1) = - 9398$ $c_{7} = Z_{4} (15, 10, 2, 3, 0, 1, 2, 0, - 10, 2, 5, 1) = - 9244$ $c_{8} = Z_{4} (15, 10, 2, 3, 0, 1, 2, 0, - 10, 2, 5, 1) = 8465 .$ With this ciphertext C = (3258, − 6360, 585, − 8226, − 19001, − 9398, − 9244, 8465), we want to recover the corresponding plaintext M = (15, 10, 2, 3) without using the secret key. For this purpose, we construct the following system of equations by using the public key polynomials Z₁, Z₂, …, Z₈ and the ciphertext C. $Z_{1} - 3258 = 0, Z_{2} + 6360 = 0, Z_{3} - 585 = 0, Z_{4} + 8226 = 0, Z_{5} + 19001 = 0, Z_{6} + 9398 = 0, Z_{7} + 9244 = 0, Z_{8} - 8465 = 0 .$

To mount Attack 3.1, let I = 〈Z₁ − c₁, Z₂ + c₂, …, Z₈ − c₈〉 be the ideal generated by the above system of multivariate polynomial equations. Using the computer algebra system (ApCoCoA Team, 2023), the reduced Gröbner basis G of the ideal I is computed. The computed Gröbner basis G contains a total of 34 multivariate polynomials and of these polynomials, the following five polynomials are depending only on the variables of interest, that is, r₁, …, r₄. $G_{1} = r_{3}^{2} + \frac{8971}{24} r_{3} - \frac{15}{4} r_{4} - \frac{2221}{3},$ $G_{2} = r_{1} + \frac{3}{16} r_{3} + \frac{3}{8} r_{4} - \frac{33}{2},$ $G_{3} = r_{2} + \frac{1}{16} r_{3} + \frac{1}{8} r_{4} - \frac{21}{2},$ $G_{4} = r_{3} r_{4} - \frac{3713}{16} r_{3} - \frac{11}{24} r_{4} + \frac{919}{2},$ $G_{5} = r_{4}^{2} + \frac{27121}{288} r_{3} - \frac{11575}{144} r_{4} + \frac{1577}{36} .$ To recover the message M ∈ ℚ⁴, solve the system (8) $\{G_{1} = 0, G_{2} = 0, G_{3} = 0, G_{4} = 0, G_{5} = 0\} .$

Label the variables r₁, r₂, r₃, and r₄ by x, y, z, and w respectively and then use online polynomial system solver by Wolfram (available at https://www.wolframalpha.com/calculators/equation-solver-calculator). The only rational solution of the polynomial system Eq. (8) is given below: $r_{1} = x = 15, r_{2} = y = 10, r_{3} = z = 2, and r_{4} = w = 3 .$ Hence, the message M = (15, 10, 2, 3) is successfully recovered by mounting the attack.

Remark 3.5. We have observed that the proposed cryptosystem is vulnerable to the Gröbner bases attack. The bipermutations used to produce the public key are linear in which the polynomials are not multiplied with each other. This can be the weakest part of its construction. Because using linear bipermutations the Gröbner bases will contain the polynomials separately in the variables as were the starting polynomials. Among these, the polynomials in informative variables can be solved to get plaintext. The main cost in this attack is the Gröbner bases computation.

Complexity Analysis

As stated earlier that the success of Attack 3.1, depends on the computation of Gröbner basis of the ideal of interest. It is also known that the upper bound for the complexity of finding the solutions of a multivariate polynomial system with the help of the computation of Gröbner basis is a function of the degree of regularity d_reg, the maximum degree observed during the process of computation. In the worst case scenario, this complexity is known to be doubly exponential in number of variables n, for details see (Bardet, Faugère & Salvy, 2015) and the references therein. This means that, in general or random setting, finding Gröbner basis is not an easy job. However, in the present scenario, to leave a trapdoor for the multivariate polynomial cryptosystem under consideration, the polynomials {P₁, …, P_n} are special in the sense that the system of equations Eq. (3) should has a unique solution (r₁, …, r_n) = (a₁, …, a_n) ∈ ℚⁿ for all choices of the constants b_i’s.

Moreover, for the secure instances of the cryptosystem, the authors suggested that the value of n = 4 is safe to choose . Therefore, in any such instance, there will be 2n = 8 polynomials in 3n = 12 variables r₁, …, r₄, z₁, …, z₈. Out of these 8 polynomials, four polynomials P₁, …, P₄ are depending only on 4 variables r₁, …, r₄. For the required trapdoor in the construction presented in Construction 2.1, one has to start by choosing these four polynomials in such a way that the system (9) $P_{1} (r_{1}, \dots, r_{4}) = b_{1}, P_{2} (r_{1}, \dots, r_{4}) = b_{2}, P_{3} (r_{1}, \dots, r_{4}) = b_{3}, P_{4} (r_{1}, \dots, r_{4}) = b_{4},$ has a unique solution (r₁, r₂, r₃, r₄) = (a₁, a₂, a₃, a₄) ∈ ℚ⁴ for all choices of the constants b₁, b₂, b₃ and b₄. Later on, 4 more polynomials are constructed by involving all the 12 variables, making a system of 8 equations in 12 unknowns. The public key polynomials {Z₁, …, Z_3n} are then obtained by some random linear combinations of the polynomials {P₁, …, P_2n} by using bipermutations Eqs. (4) and (5). In the entire construction, only n variables r₁, …, r_n are basic (or informative) and rest of the 2n variables s₁, …, s_2n are redundant.

The requirement of the unique solution of the system Eq. (9) makes the system Eq. (7) of 2n polynomials quite special rather than a general and hence the worst case scenario of the complexity of Gröbner basis computation is not applicable here. Moreover, we are not interested in the infinitely many solutions of the system Eq. (7) containing the values of the redundant unknowns s₁, …, s_2n but only the unknowns r₁, …, r_n are required to recover the message M. It, therefore, follows that there is no need to compute the complete Gröbner basis of the ideal I = 〈Z₁ − c₁, Z₂ + c₂, …, Z₈ − c₈〉. One can terminate the Gröbner basis computation process when sufficient number of polynomials depending only on the basic variables are obtained. Again, the worst-case estimate of the complexity is not applicable.

This can also be achieved with the help of the well known application of the Gröbner basis, namely, the elimination theory. That is, just calculate the elimination ideal I∩ℚ[r₁, …, r₄] and then solve the system to recover the message.

Several instances of the multivariate cryptosystem as illustrated in Example 3.4 are computed for n = 4 and the message was successfully recovered by mounting Attack 3.1 and the Encryption Code (Appendix A) on the Dell laptop Latitude 3520 (11th Gen Intel(R) Core(TM) i5-1135G7 2.40 GHz, 8.0 GB Ram). For the computations involved in Example 3.4, the CPU time was recorded by ApCoCoA (ApCoCoA Team, 2023) as 7.2 sec. for the complete Gröbner basis computation. On the other hand, the total CPU time recorded as 285 millisecond by ApCoCoA in the computation of elimination ideal J = I∩ℚ[r₁, r₂, r₃, r₄] and then computation of Gröbner basis of J. In many other instances with the parameter n = 4, the recorded time for the reduced Gröbner basis computation was within 2 sec. Therefore, the multivariate cryptosystem presented in Section Construction 2.1 is not secure against Gröbner basis Attack.

Conclusion and Future Work

In this article, we studied the security of the multivariate polynomial trapdoor public key cryptosystem proposed by Markovski, Mileva & Dimitrova (2014). We found that although the public key consists of less polynomials than the number of variables which will result in infinite many solutions of the polynomial system, even then the cryptosystem does not seem to be secure. One can mount a Gröbner bases attack against the recommended parameter n = 2 and nonlinear multivariate polynomial system (Eq. (3)) to recover the message without the knowledge of the secret key. The attack successfully recovers the original message that was encrypted by this cryptosystem in Section 4 of Markovski, Mileva & Dimitrova (2014). Moreover, the successful cryptanalysis of several other instances of this cryptosystem reveals that this cryptosystem is vulnerable to Gröbner bases attack. Moreover, the starting step in the key generation algorithms is to choose suitable polynomials in a way that the system (Eq. (3)) should have a unique solution. Although a linear system to meet this requirement can be constructed trivially but the construction of a nonlinear system of polynomial equations for n ≥ 4 is not an easy task. Therefore, a concrete way should be provided to formulate a system having unique real solution to generate a strong public key; that is, a public key to produce a ciphertext which is secure against Gröbner bases attack. Hence, we conclude that there are many security flaws in the proposed multivariate cryptosystem.

Appendix A. Key Generation and Encryption Code

The following code is written in CoCoL language for the computer algebra system ApCoCoA (ApCoCoA Team, 2023). In the code below, the parameters are as stated below:

Parameter	Description with reference to Section Construction 2.1.
N	The value of n taken as 2 or 4
PolyYs	The seceret polynomials P₁, …, P_2n
Perm	The random permutation τ
MatAs	The matrices M₁, …, M₄
MatBs	The matrices N₁, …, N₄
Leads	The leaders l₁ and l₂
Rmat	The random matrix R of order 2n × 2n
PlainTxtZ	The 3n-tuple containing the message and the random 2n values of s₁, …, s_2n

Define SBIMPK(N, PolyYs, Perm, MatAs, MatBs, Leads, Rmat, PlainTxtZ)

PolyXs ≔ [];

For I ≔ 1 To 2*N Do

Append(PolyXs, PolyYs[Perm[I]]);

EndFor;

Vx ≔ [];Vy ≔ [];

For I ≔ 1 To N Do

Append(Vx, PolyXs[I]);

Append(Vy, PolyXs[I+N]);

EndFor;

Vx ≔ Mat([Vx]);Vy ≔ Mat([Vy]);

Fxy ≔ [];

For I ≔ 1 To 4 Do

Append(Fxy, Vx*MatAs[I]+Vy*MatBs[I]);

EndFor;

—1st e-transformation use L1, Vx, and Vy to get Xd, Yd

F1L1Vx ≔ Leads[1]*MatAs[1]+Vx*MatBs[1]; –called it x-dash to use in F2

F2f1Vx ≔ F1L1Vx*MatAs[2]+Vy*MatBs[2]; –Called it y-dash to use it in F3

—2nd e’-transformation use L2, x-dash, and y-dash

F3f2L2 ≔ F2f1Vx*MatAs[3]+Leads[2]*MatBs[3]; –Called it y-ddash

F4f1f3 ≔ F1L1Vx*MatAs[4]+F3f2L2*MatBs[4]; –called it x-ddash

Zmat ≔ []; –row vectro Z

For I ≔ 1 To N Do

Append(Zmat, F4f1f3[1][I]);

EndFor;

For I ≔ 1 To N Do

Append(Zmat, F3f2L2[1][I]);

EndFor;

Zmat ≔ Mat([Zmat]);

PU ≔ List(Zmat*Rmat);

Cipher ≔ Eval(PU, PlainTxtZ);

Return (PU[1],Cipher[1]);

EndDefine;

Additional Information and Declarations

Competing Interests

The authors declare that there are no competing interests.

Author Contributions

Rashid Ali conceived and designed the experiments, performed the computation work, authored or reviewed drafts of the article, and approved the final draft.

Muhammad Mubashar Hussain performed the experiments, analyzed the data, performed the computation work, prepared figures and/or tables, and approved the final draft.

Shamsa Kanwal analyzed the data, authored or reviewed drafts of the article, and approved the final draft.

Fahima Hajjej analyzed the data, prepared figures and/or tables, and approved the final draft.

Saba Inam performed the computation work, authored or reviewed drafts of the article, and approved the final draft.

Data Deposition

The following information was supplied regarding data availability:

No raw data was generated in this study.

Funding

This study was funded by the Princess Nourah bint Abdulrahman University Researchers Supporting Project number (PNURSP2023R236), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

References

ApCoCoA Team. 2023. ApCoCoA: Applied Computations in Commutative Algebra.
Bardet M, Faugère J-C, Salvy B. 2015. On the complexity of the F5 Gröbner basis algorithm. Journal of Symbolic Computation 70:49-70
Buchberger B. 0000. Gröbner bases: a short introduction for systems theorists. In: Moreno-Díaz R, Buchberger B, Luis Freire J, eds. Computer aided systems theory—EUROCAST 2001. EUROCAST 2001, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 2178
Buchberger B. 1965. An algorithm for finding the bases elements of the residue class ring modulo a zero dimensional polynomial ideal (German) PhD thesis, University of Innsbruck, Innsbruck, Austria thesis
Buchberger B. 1976. Some properties of Gröbner bases for polynomial ideals. ACM SIGSAM Bulletin 10(4):19-24
1998. Gröbner bases and applications, volume 251 of London Mathematical Society Series. In: Buchberger B, Winkler F, eds. Proceedings of the international conference 33 years of Groebner Bases. Cambridge. Cambridge University Press.
Courtois NT. 2001. The security of Hidden Field Equations (HFE) In: The cryptographers track at RSA conference 2001, 2020. 266-281
Courtois N, Shamir A, Patarin J, Klimov A. 2000. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel B, ed. Advances in Cryptology—EUROCRYPT 2000. EUROCRYPT 2000, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 1807
Cox DA, Little J, O’shea D. 1998. Using algebraic geometry. New York: Springer-Verlag.
Ding JT, Yang BY. 2009. Multivariate public key cryptography. Berlin: Springer Heidelberg.
ElGamal T. 1985. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4):469-472
Faugère JC, Joux A. 2003. Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner Bases. In: Boneh D, ed. Advances in cryptology—CRYPTO 2003. CRYPTO 2003, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 2729
Francis M, Ambedkar D. 2018. On ideal lattices, Gröbner bases and generalized hash functions. Journal of Algebra and Its Applications 17(6):1850112
Kipnis A, Shamir A. 1998. Cryptanalysis of the oil and vinegar signature scheme. In: Krawczyk H, ed. Advances in cryptology—CRYPTO ’98. CRYPTO 1998, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 1462
Kipnis A, Shamir A. 1999. Cryptanalysis of the HFE public key cryptosystem by relinearization. In Wiener, M, editor. In: Wiener M, ed. Advances in Cryptology—CRYPTO’99, CRYPTO 1999. Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 1666
Kreuzer M. 2009. Algebraic attacks galore! Groups—Complexity—Cryptology 1(2):231-259
Kreuzer M, Robbiano L. 2000. Computational commutative algebra 1. Berlin, Heidelberg: Springer.
Markovski S, Mileva A, Dimitrova V. 2014. SBIM(Q)—a multivariate polynomial trapdoor function over the field of rational numbers. Cryptology ePrint Archive 2014:739
Matsumoto T, Imai H. 1988. Public quadratic polynomial-tuples for efficient signature verification and message encryption. In: Barstow D, ed. Advances in cryptology—EUROCRYPT’88. EUROCRYPT 1988, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 330
Patarin J. 1995. Cryptanalysis of the matsumoto and imai public key scheme of Eurocrypt 88’. In: Coppersmith D, ed. Advances in Cryptology—CRYPT0’ 95. CRYPTO 1995, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 963
Patarin J. 1996. Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms. In: Advances in Cryptology—EUROCRYPT ’96.
Patarin J. 1997. The oil and vinegar signature scheme. In: Dagstul Workshop on Cryptography.
Rivest RL, Shamir A, Adleman L. 1978. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 21:120-126
Shor PW. 1997. Polynomial time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Scientific Computing 26(5):1484-1905
Tang S, Xu L. 2012. Proxy signature scheme based on isomorphisms of polynomials. In: Network and System Security. Berlin Heidelberg: Springer. 113-125
Wolf C, Preneel B. 2005. Taxonomy of public key schemes based on the problem of multivariate quadratic equations. Cryptology ePrint Archive 2005:077

[1] ApCoCoA Team. 2023. ApCoCoA: Applied Computations in Commutative Algebra.

[2] Bardet M, Faugère J-C, Salvy B. 2015. On the complexity of the F5 Gröbner basis algorithm. Journal of Symbolic Computation 70:49-70

[3] Buchberger B. 0000. Gröbner bases: a short introduction for systems theorists. In: Moreno-Díaz R, Buchberger B, Luis Freire J, eds. Computer aided systems theory—EUROCAST 2001. EUROCAST 2001, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 2178

[4] Buchberger B. 1965. An algorithm for finding the bases elements of the residue class ring modulo a zero dimensional polynomial ideal (German) PhD thesis, University of Innsbruck, Innsbruck, Austria thesis

[5] Buchberger B. 1976. Some properties of Gröbner bases for polynomial ideals. ACM SIGSAM Bulletin 10(4):19-24

[6] 1998. Gröbner bases and applications, volume 251 of London Mathematical Society Series. In: Buchberger B, Winkler F, eds. Proceedings of the international conference 33 years of Groebner Bases. Cambridge. Cambridge University Press.

[7] Courtois NT. 2001. The security of Hidden Field Equations (HFE) In: The cryptographers track at RSA conference 2001, 2020. 266-281

[8] Courtois N, Shamir A, Patarin J, Klimov A. 2000. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel B, ed. Advances in Cryptology—EUROCRYPT 2000. EUROCRYPT 2000, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 1807

[9] Cox DA, Little J, O’shea D. 1998. Using algebraic geometry. New York: Springer-Verlag.

[10] Ding JT, Yang BY. 2009. Multivariate public key cryptography. Berlin: Springer Heidelberg.

[11] ElGamal T. 1985. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4):469-472

[12] Faugère JC, Joux A. 2003. Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner Bases. In: Boneh D, ed. Advances in cryptology—CRYPTO 2003. CRYPTO 2003, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 2729

[13] Francis M, Ambedkar D. 2018. On ideal lattices, Gröbner bases and generalized hash functions. Journal of Algebra and Its Applications 17(6):1850112

[14] Kipnis A, Shamir A. 1998. Cryptanalysis of the oil and vinegar signature scheme. In: Krawczyk H, ed. Advances in cryptology—CRYPTO ’98. CRYPTO 1998, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 1462

[15] Kipnis A, Shamir A. 1999. Cryptanalysis of the HFE public key cryptosystem by relinearization. In Wiener, M, editor. In: Wiener M, ed. Advances in Cryptology—CRYPTO’99, CRYPTO 1999. Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 1666

[16] Kreuzer M. 2009. Algebraic attacks galore! Groups—Complexity—Cryptology 1(2):231-259

[17] Kreuzer M, Robbiano L. 2000. Computational commutative algebra 1. Berlin, Heidelberg: Springer.

[18] Markovski S, Mileva A, Dimitrova V. 2014. SBIM(Q)—a multivariate polynomial trapdoor function over the field of rational numbers. Cryptology ePrint Archive 2014:739

[19] Matsumoto T, Imai H. 1988. Public quadratic polynomial-tuples for efficient signature verification and message encryption. In: Barstow D, ed. Advances in cryptology—EUROCRYPT’88. EUROCRYPT 1988, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 330

[20] Patarin J. 1995. Cryptanalysis of the matsumoto and imai public key scheme of Eurocrypt 88’. In: Coppersmith D, ed. Advances in Cryptology—CRYPT0’ 95. CRYPTO 1995, Lecture notes in computer science. Berlin, Heidelberg: Springer. vol. 963

[21] Patarin J. 1996. Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms. In: Advances in Cryptology—EUROCRYPT ’96.

[22] Patarin J. 1997. The oil and vinegar signature scheme. In: Dagstul Workshop on Cryptography.