A new multivariate primitive from CCZ equivalence

Marco Calderini, Alessio Caminata, Irene Villa
2024-06-01
Abstract: Multivariate Cryptography is one of the main candidates for Post-quantum Cryptography. Multivariate schemes are usually constructed by applying two secret affine invertible transformations $\mathcal S,\mathcal T$ to a set of multivariate polynomials $\mathcal{F}$ (often quadratic). The secret polynomials $\mathcal{F}$ possess a trapdoor that allows the legitimate user to find a solution of the corresponding system, while the public polynomials $\mathcal G=\mathcal S\circ\mathcal F\circ\mathcal T$ look like random polynomials. The polynomials $\mathcal G$ and $\mathcal F$ are said to be affine equivalent. In this article, we present a more general way of constructing a multivariate scheme by considering the CCZ equivalence, which has been introduced and studied in the context of vectorial Boolean functions.
Cryptography and Security
What problem does this paper attempt to address?
The problem this paper addresses is that, in post-quantum cryptography, existing multivariate schemes are vulnerable to linearization attacks and to other attacks that exploit the affine equivalence between the public and the secret polynomials. Specifically:

1. **Limitations of existing schemes**: Traditional multivariate cryptosystems construct the public polynomials \(G = S\circ F\circ T\) by applying two secret affine invertible transformations \(S\) and \(T\) to a set \(F\) of quadratic polynomials that is easy to invert with the trapdoor. This construction preserves many structural features of the original system \(F\), and an attacker can use these features to break the system.

2. **Introduction of CCZ equivalence**: To overcome this, the authors propose using a broader equivalence relation, CCZ equivalence (Carlet-Charpin-Zinoviev equivalence). CCZ equivalence can change the algebraic structure of the polynomials and break the original linear relationships, which is intended to improve the security of the system.

3. **Specific objective**: The goal of the paper is to construct a multivariate scheme in which the public polynomials \(G\) and the secret polynomials \(F\) are CCZ-equivalent rather than merely affine or extended-affine equivalent. The public polynomials then do not inherit the "simple" structure of the secret polynomials, which strengthens the system's resistance to attack.

### Formula Representation

The definition of CCZ equivalence is as follows. Given two functions \(F, G:\mathbb{F}_q^n\rightarrow\mathbb{F}_q^m\), we say that they are CCZ-equivalent if there exists an affine bijection \(A\) acting on \(\mathbb{F}_q^{n + m}\) such that
\[G_G=A(G_F),\]
where \(G_F=\{(x,F(x)):x\in\mathbb{F}_q^n\}\subseteq\mathbb{F}_q^n\times\mathbb{F}_q^m\) and \(G_G=\{(x,G(x)):x\in\mathbb{F}_q^n\}\subseteq\mathbb{F}_q^n\times\mathbb{F}_q^m\) are the graphs of \(F\) and \(G\) respectively.

### Conclusion

By introducing CCZ equivalence, the authors aim to construct a new multivariate cryptography scheme that is more secure in the post-quantum setting and that resists the traditional attack methods.
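The definition above, carried out on toy functions over \(\mathbb{F}_2^3\) as an added example that is not the paper's code: an affine bijection \(A\) is applied to the graph \(G_F\), and the image is checked to be the graph of some \(G\). It shows the affine-equivalence special case (block-diagonal \(A\) giving \(G = S\circ F\circ T\)) and a genuinely CCZ case (swapping the two halves, which sends a permutation to its inverse but yields no function at all for a non-permutation). The two quadratic maps `F_PERM` and `F_NONPERM` are constructed here for illustration.

```python
from itertools import product
# Added example (not the paper's code). Vectors over F_2 are 0/1 tuples, a
# function F: F_2^n -> F_2^m is a dict input -> output, an affine map is (M, c).

def apply_affine(M, c, v):
    """v -> M v + c over F_2, with M given as a list of 0/1 rows."""
    return tuple((sum(a * b for a, b in zip(row, v)) + ci) % 2 for row, ci in zip(M, c))

def graph(F):
    """G_F = {(x, F(x))} as a set of concatenated (n+m)-tuples."""
    return {x + y for x, y in F.items()}

def function_from_graph(points, n):
    """Return the function whose graph is `points`, or None if `points` is not a
    graph: every x in F_2^n must occur exactly once as a prefix."""
    G = {}
    for v in points:
        x, y = v[:n], v[n:]
        if x in G:            # two points share an input, so no function
            return None
        G[x] = y
    return G if len(G) == 2 ** n else None

def ccz_image(F, M, c, n):
    """Apply the affine bijection A = (M, c) on F_2^(n+m) to the graph of F and
    recover G with G_G = A(G_F), when that image is again a graph."""
    return function_from_graph({apply_affine(M, c, v) for v in graph(F)}, n)

def block_diagonal(T, S):
    """A(x, y) = (T x, S y): the affine-equivalence special case of CCZ."""
    n, m = len(T), len(S)
    return [row + [0] * m for row in T] + [[0] * n + row for row in S]

def swap_matrix(n, m):
    """A(x, y) = (y, x); its image of G_F is a graph only if F is a bijection."""
    size = n + m
    return [[int(j == (i + n if i < m else i - m)) for j in range(size)] for i in range(size)]

# Constructed toy instances on F_2^3 (inputs enumerated exhaustively).
N = 3
INPUTS = list(product((0, 1), repeat=N))
# Quadratic permutation (x0 + x1 x2, x1 + x2, x2); inverse is (y0 + y1 y2 + y2, y1 + y2, y2).
F_PERM = {x: ((x[0] + x[1] * x[2]) % 2, (x[1] + x[2]) % 2, x[2]) for x in INPUTS}
# Quadratic non-permutation (x0 x1, x1 x2, x0 x2): four inputs map to zero.
F_NONPERM = {x: (x[0] * x[1], x[1] * x[2], x[0] * x[2]) for x in INPUTS}
ZERO = (0,) * (2 * N)

# Swap halves: F_PERM goes to its inverse; F_NONPERM's image is not a graph (None).
G_INVERSE = ccz_image(F_PERM, swap_matrix(N, N), ZERO, N)
G_NONE = ccz_image(F_NONPERM, swap_matrix(N, N), ZERO, N)
```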