Keywords

1 Introduction

Public key cryptosystems (PKCs), such as RSA, are essential in many communication scenarios. However, most number-theoretic PKCs are prone to quantum attacks, and will become obsolete once quantum supremacy is attained. Hence, it is important to devise PKCs whose hardness relies on problems that are hard to solve even with quantum computers at hand. One such problem that has gained increasing attention lately is solving a system of multivariate polynomial (usually quadratic) equations [22, 28], which is NP-hard in general [10]. PKCs whose hardness relies on solving multivariate polynomial equations are called Multivariate Public Key Cryptosystems (MPKCs).

Nearly all MPKCs in the literature were either cryptanalyzed or their efficiency was proved to be limited. Recently, the so-called ABC cryptosystem [28], that relies on simple matrix multiplication as the encryption scheme, seems to have been broken by [13]. Earlier works include the Hidden Field Equations (HFE) cryptosystem [22] that has been broken by a MinRank attack [15], and the TTM scheme [19] that experienced a similar fate [14]. In addition, some variants of the HFE scheme, such as ZHFE [25] and HFE- [7] were also successfully attacked by [23] and [30]. The MPKC of [27] was also broken by a MinRank attack. Additional candidates include the oil-and-vinegar scheme [16], Rainbow [8], and Gui [24]. In light of these recent advances, in this paper we propose a new MPKC which seems to be inherently robust against several natural attacks. This MPKC is based on a newly defined algebraic concept called Sidon spaces.

Let \(\mathbb {F}_q\) denote a finite field with q elements, and let \(\mathbb {F}_q^*\triangleq \mathbb {F}_q\setminus \{0\}\). For an integer n let \(\mathbb {F}_{q^n}\) be the algebraic extension of degree n of \(\mathbb {F}_q\), and let \([n]\triangleq \{1,2,\ldots ,n\}\). Simply put, a Sidon space V is a subspace of \(\mathbb {F}_{q^n}\) over \(\mathbb {F}_q\) such that the product of any two nonzero elements of V has a unique factorization over V, up to a constant multiplier from \(\mathbb {F}_q\). Sidon spaces were recently defined in [2] as a tool for studying certain multiplicative properties of subspaces, and their application to error correction in network coding, alongside several explicit constructions that are employed herein, were studied in [26].

In this paper we suggest the Sidon Cryptosystem, an MPKC based on Sidon spaces. In a nutshell, this cryptosystem enables the sender to transmit the product of two elements in a secret Sidon space V, without knowing its structure. The receiver uses the structure of V in order to factor the given product and obtain the plaintext efficiently. A malicious attacker, however, cannot extract the plaintext from the product due to insufficient knowledge about V. The suggested Sidon cryptosystem is based on a specific optimal construction of a Sidon space from [26], and yet, other Sidon spaces with comparable parameters can be used similarly. The security of the suggested system relies on the hardness of solving multivariate polynomial equations, and the hardness of the MinRank problem.

In the MinRank problem, which is believed to be hard even for quantum computers, one must find a low-rank target matrix in the linear span of matrices that are given as input; it arises in settings where one solves a quadratic system of equations via linearization. Cryptographic systems that are based on the MinRank attack are often broken by either of two attacks, the minor attack and the kernel attack (also known as the Kipnis-Shamir attack) [12]. In the minor attack, one formulates an equation system by setting all small minors of the target matrix to zero, and solves the resulting system (usually) by linearization. The kernel attack exploits the fact that vectors in the kernel of the target matrix give rise to linear equations in the coefficients of its combination; successfully guessing sufficiently many of those will break the system.

In the sequel we analyze the Sidon cryptosystem in the face of these two attacks, and both are proved to succeed only with exponentially small probability. We additionally analyze attacks that are specific to the Sidon cryptosystem and are not in either of those forms, and show that these require solving polynomial equations outside the range of feasibility. We emphasize that unfortunately, a rigorous proof of hardness that does not rely on a particular attack structure is yet to be found.

This paper is organized as follows. The definition of a Sidon space, alongside relevant constructions and their efficient factorization algorithm, are given in Sect. 2. The details of the Sidon cryptosystem are given in Sect. 3, and its efficiency is discussed. MinRank attacks, namely, the kernel attack and the minor attack, are discussed in Sect. 4. Attacks which are specifically designed for the Sidon cryptosystem are discussed in Sect. 5. Finally, experimental results are reported in Sect. 6, and concluding remarks are given in Sect. 7.

We adopt the following notational conventions. Scalars are denoted by \(a,b,\ldots \) or \(\alpha ,\beta ,\ldots \); matrices by \(\mathbf {A},\mathbf {B}\ldots \); sets by \(\mathcal {U},\mathcal {W},\ldots \); linear subspaces and polynomials by \(V,U,\ldots \); and vectors, all of which are row vectors, by \(\mathbf {v},\varvec{\nu },\ldots \).

2 Preliminaries

For integers k and n let \(\mathcal {G}_{q}\left( n,k\right) \) be the set of all k-dimensional subspaces of \(\mathbb {F}_{q^n}\) over \(\mathbb {F}_q\). Sidon spaces were recently defined in [2] as a tool for studying certain multiplicative properties of subspaces. As noted in [2], the term “Sidon space” draws its inspiration from a Sidon set. A set of integers is called a Sidon set if the sums of any two (possibly identical) elements in it are distinct; thus, Sidon spaces may be seen as a multiplicative and linear variant of Sidon sets. In the following definition, for \(a\in \mathbb {F}_{q^n}\), let \(a\mathbb {F}_{q}\triangleq \{\lambda a \vert \lambda \in \mathbb {F}_q \}\), which is the subspace over \(\mathbb {F}_q\) spanned by a.

Definition 1

([2, Sect. 1]). A subspace \(V\in \mathcal {G}_{q}\left( n,k\right) \) is called a Sidon space if for all nonzero \(a,b,c,d\in V\), if \(ab=cd\) then \(\{a\mathbb {F}_q,b\mathbb {F}_q \}=\{c\mathbb {F}_q,d\mathbb {F}_q \}\).

It is shown in [2, Thm. 18] and in [26, Prop. 3] that if \(V\in \mathcal {G}_{q}\left( n,k\right) \) is a Sidon space, then

$$\begin{aligned} 2k\le \dim (V^2)\le \left( {\begin{array}{c}k+1\\ 2\end{array}}\right) , \end{aligned}$$
(1)

where \(V^2\triangleq {{\,\mathrm{span}\,}}_{\mathbb {F}_q}\{u\cdot v\vert u,v\in V\}\), and consequently it follows that \(k\le n/2\). Sidon spaces which attain the upper bound are called max-span Sidon spaces, and are rather easy to construct; it is an easy exercise to verify that \({{\,\mathrm{span}\,}}_{\mathbb {F}_q}\{ \delta ^{n_i} \}_{i=1}^k\) is a max-span Sidon space in \(\mathbb {F}_{q^n}\) for \(n>2k^2(1+o_k(1))\), where \(\delta \) is a primitive element of \(\mathbb {F}_{q^n}\), and \(\{n_1,\ldots ,n_k\}\subseteq [\lfloor n/2 \rfloor ]\) is an optimal (i.e., largest) Sidon set [21]. Sidon spaces which attain the lower bound in (1) are called min-span Sidon spaces, and are paramount to our work; it will be shown in the sequel that having \(k=\varTheta (n)\) is essential to the security of the system. The cryptosystem which is given in this paper employs a min-span Sidon space whose construction is given in the remainder of this section.

Motivated by applications in network coding, constructions of Sidon spaces in several parameter regimes were suggested in [26]. In particular, the following construction provides a Sidon space \(V\in \mathcal {G}_{q}\left( rk,k\right) \) for any k and any \(r\ge 3\). A slightly more involved variant of this construction is shown in the sequel to provide a Sidon space in \(\mathcal {G}_{q}\left( 2k,k\right) \), which will be used in our cryptosystem.

Construction 1

[26, Const. 11]. For integers \(r\ge 3\), k, and q a prime power, let \(\gamma \in \mathbb {F}_{q^{rk}}^*\) be a root of an irreducible polynomial of degree r over \(\mathbb {F}_{q^k}\). Then, \(V\triangleq \{u+u^q\gamma \vert u\in \mathbb {F}_{q^k} \}\) is a Sidon space in \(\mathcal {G}_{q}\left( rk,k\right) \).

By choosing the element \(\gamma \) judiciously, a similar construction provides a Sidon space in \(\mathcal {G}_{q}\left( 2k,k\right) \) for any \(q\ge 3\) as follows. For any given nonnegative integer k, let \(\mathcal {W}_{q-1}\triangleq \{ u^{q-1}\vert u\in \mathbb {F}_{q^k} \}\) and \(\overline{\mathcal {W}}_{q-1}\triangleq \mathbb {F}_{q^k}\setminus \mathcal {W}_{q-1}\). The next construction requires an element \(\gamma \in \mathbb {F}_{q^{2k}}\) that is a root of an irreducible quadratic polynomial \(x^2+bx+c\) over \(\mathbb {F}_{q^k}\), where \(c\in \overline{\mathcal {W}}_{q-1}\). According to [26, Lemma 13], for any \(c\in \overline{\mathcal {W}}_{q-1}\) there exist many b’s in \(\mathbb {F}_{q^k}\) such that \(x^2+bx+c\) is irreducible over \(\mathbb {F}_{q^k}\), and hence such \(\gamma \) elements aboundFootnote 1.

Construction 2

[26, Const. 15]. For a prime power \(q\ge 3\) and a positive integer k, let \(n=2k\), and let \(\gamma \in \mathbb {F}_{q^n}^*\) be a root of an irreducible polynomial \(x^2+bx+c\) over \(\mathbb {F}_{q^k}\) with \(c\in \overline{\mathcal {W}}_{q-1}\). The subspace \(V\triangleq \{ u+u^q\gamma \vert u\in \mathbb {F}_{q^k} \}\) is a Sidon space in \(\mathcal {G}_{q}\left( 2k,k\right) \).

The Sidon space V of Construction 2 will be used in the sequel to devise an MPKC. This subspace admits the following efficient algorithm [26, Thm. 16] that for every nonzero a and b in V, factors ab to a and b up to constant factors from \(\mathbb {F}_q\); note that since \(ab=(\frac{1}{\lambda }a)(\lambda b)\) for any \(a,b\in V\) and any \(\lambda \in \mathbb {F}_q^*\), this algorithm is capable of identifying a and b only up to a multiplicative factor in \(\mathbb {F}_q\).

Given ab, denote \(a=u+u^q\gamma \) for some nonzero \(u\in \mathbb {F}_{q^k}\) and \(b=v+v^q\gamma \) for some nonzero \(v\in \mathbb {F}_{q^k}\). Notice that since \(\gamma \) is a root of \(x^2+bx+c\) it follows that

$$\begin{aligned} ab&=(u+u^q\gamma )(v+v^q\gamma )\\&=(uv-(uv)^qc)+(uv^q+u^qv-b(uv)^q)\gamma \;, \end{aligned}$$

and since \(\{ 1,\gamma \}\) is a basis of \(\mathbb {F}_{q^n}\) over \(\mathbb {F}_{q^k}\), it follows that one can obtain the values of \(q_0\triangleq uv-(uv)^qc\) and \(q_1\triangleq uv^q+u^qv-b(uv)^q\) by representing ab over this basis.

Since \(c\in \overline{\mathcal {W}}_{q-1}\), it follows that the linearized polynomial \(T(x)=x-cx^q\) is invertible on \(\mathbb {F}_{q^k}\). Hence, it is possible to extract uv from \(q_0=T(uv)\) by applying \(T^{-1}\).

Knowing uv, extracting \(uv^q+vu^q\) from \(q_1\) is possible by adding \(b(uv)^q\). Therefore, the polynomial \(uv+(uv^q+u^qv)x+(uv)^qx^2\) can be assembled, and its respective roots \(-1/u^{q-1}\) and \(-1/v^{q-1}\) can be found. Since these roots determine \(u\mathbb {F}_q\) and \(v\mathbb {F}_q\) uniquely, it follows that a and b are identified up to order and up to a multiplicative factor in \(\mathbb {F}_q\).

3 The Sidon Cryptosystem

In general, for a Sidon space \(V\in \mathcal {G}_{q}\left( n,k\right) \) and \(a,b\in V\), factoring ab to a and b requires knowledge about the structure of V, as can be seen from the factoring algorithm suggested above. This intuition leads to the following MPKC, called the Sidon Cryptosystem. The crux of devising this system is enabling Bob to encrypt his message into a product ab, without the need to know the precise construction of V by Alice. This is done by exploiting the bilinear nature of multiplication in finite field extensions.

To this end, we introduce the notion of a multiplication table of a subspace. For a given vector \(\mathbf {v}=(v_1,\ldots ,v_k)\in \mathbb {F}_{q^n}^k\) let \(\mathbf {M}(\mathbf {v})\triangleq \mathbf {v}^\intercal \mathbf {v}\). For an ordered basis \(\mathbf {b}=( b_1,b_2,\ldots ,b_{n} )\) of \(\mathbb {F}_{q^n}\) over \(\mathbb {F}_q\), express \(\mathbf {M}(\mathbf {v})\) as a linear combination of matrices over \(\mathbb {F}_q\), i.e.,

$$\begin{aligned} \mathbf {M}(\mathbf {v})&=b_1\mathbf {M}^{(1)}+b_2\mathbf {M}^{(2)}+\ldots +b_{n}\mathbf {M}^{(n)},\text { and let}\\ \mathbf {M}(\mathbf {v},\mathbf {b})&\triangleq (\mathbf {M}^{(1)},\mathbf {M}^{(2)},\ldots ,\mathbf {M}^{(n)}). \end{aligned}$$

The matrix \(\mathbf {M}(\mathbf {v})\) is called the multiplication table of \(\mathbf {v}\), and the entries of \(\mathbf {M}(\mathbf {v},\mathbf {b})\) are called the coefficient matrices of \(\mathbf {v}\) with respect to \(\mathbf {b}\). This notion will be of interest when \(\{v_1,\ldots ,v_k\}\) is a basis of a Sidon space.

The following cryptosystem relies on choosing a random Sidon space by Construction 2 (which amounts to randomly choosing a proper \(\gamma \)), fixing an arbitrary ordered basis \(\varvec{\nu }=(\nu _1,\ldots ,\nu _k )\) of V, and interpreting the product of two elements \(a\triangleq \sum _{i=1}^ka_i\nu _i\) and \(b\triangleq \sum _{i=1}^{k}b_i\nu _i\) in V as the bilinear form \(\mathbf {a}\mathbf {M}(\varvec{\nu })\mathbf {b}^\intercal \), where \(\mathbf {a}=(a_1,\ldots ,a_k)\in \mathbb {F}_q^k\) and \(\mathbf {b}=(b_1,\ldots ,b_k)\in \mathbb {F}_q^k\). Even though the suggested cryptosystem relies on Construction 2, any Sidon space for which an efficient factorization algorithm exists may be used similarly. A remark about the required ratio k/n is given shortly.

To describe the message set in the following cryptosystem, let \(\sim \) be an equivalence relation on \(\mathbb {F}_q^{k\times k}\) such that \(\mathbf {A}\sim \mathbf {B}\) if \(\mathbf {A}=\mathbf {B}^\intercal \), for any \(\mathbf {A},\mathbf {B}\in \mathbb {F}_q^{k\times k}\). Further, let \(\mathcal {Q}_k\) be the set of \(k\times k\) rank one matrices over \(\mathbb {F}_q\), modulo the equivalence relation \(\sim \). That is, \(\mathcal {Q}_k\) is a set of equivalence classes, each of which contains either one symmetric matrix of rank one, or two non-symmetric matrices of rank one, where one is the transpose of the other. It is shown in Lemma 3 in Appendix A that \(|\mathcal {Q}_k|=\frac{(q^k-1)(q^k-q)}{2(q-1)}+q^k-1\). In what follows, Alice chooses a random Sidon space V by Construction 2, and publishes its coefficient matrices according to a random basis of V and a random basis of \(\mathbb {F}_{q^n}\). Bob then sends Alice an encrypted message by exploiting the bilinear nature of multiplication in field extensions.

  • Parameters: An integer k and a field size \(q\ge 3\).

  • Private key: Alice chooses

    1. 1.

      A random representation of \(\mathbb {F}_{q^n}\) over \(\mathbb {F}_q\): i.e., a polynomial \(P_A(x)\in \mathbb {F}_q[x]\) of degree \(n=2k\) which is irreducible over \(\mathbb {F}_{q}\).

    2. 2.

      A random Sidon space by Construction 2: i.e., a random element \(c\in \overline{\mathcal {W}}_{q-1}\) and an element \(b\in \mathbb {F}_{q^k}\) such that \(P_{b,c}(x)\triangleq x^2+bx+c\) is irreducible over \(\mathbb {F}_{q^k}\), a \(\gamma \in \mathbb {F}_{q^n}^*\) such that \(P_{b,c}(\gamma )=0\); this \(\gamma \) defines the Sidon space \(V\triangleq \{ u+u^q\gamma \vert u\in \mathbb {F}_{q^k} \}\).

    3. 3.

      A random ordered basis \(\varvec{\nu }=( \nu _1,\ldots ,\nu _k )\) of V: which is equivalent to choosing a random invertible \(k\times k\) matrix over \(\mathbb {F}_q\).

    4. 4.

      A random ordered basis \(\varvec{\beta }= ( \beta _1,\ldots ,\beta _n )\) of \(\mathbb {F}_{q^n}\) over \(\mathbb {F}_q\): which is equivalent to choosing a random invertible \(n\times n\) matrix over \(\mathbb {F}_q\).

  • Public key: Alice publishes \(\mathbf {M}(\varvec{\nu },\varvec{\beta })=(\mathbf {M}^{(1)},\ldots ,\mathbf {M}^{(n)})\).

  • Encryption: The message to be encrypted is seen as an equivalence class in \(\mathcal {Q}_k\). Bob chooses arbitrary \(\mathbf {a}=(a_1,\ldots ,a_k)\) and \(\mathbf {b}=(b_1,\ldots ,b_k)\) that correspond to his message (i.e., such that \(\mathbf {a}^\intercal \mathbf {b}\) is in the corresponding equivalence class in \(\mathcal {Q}_k\)), and sends \(E(\mathbf {a},\mathbf {b})\triangleq \left( \mathbf {a}\mathbf {M}^{(i)} \mathbf {b}^\intercal \right) _{i=1}^n\) to Alice.

  • Decryption: Alice assembles

    $$\begin{aligned} \sum _{i=1}^{n}\mathbf {a}\mathbf {M}^{(i)} \mathbf {b}^\intercal \cdot \beta _i&=\mathbf {a}\mathbf {M}(\varvec{\nu }) \mathbf {b}^\intercal =\mathbf {a}\varvec{\nu }^\intercal \varvec{\nu }\mathbf {b}^\intercal =\left( \sum _{i=1}^{k}a_i\nu _i\right) \left( \sum _{i=1}^{k}b_i\nu _i\right) \triangleq ab\;. \end{aligned}$$

    Since a and b are in the Sidon space V, they can be retrieved from ab up to order and up to a multiplicative factor from \(\mathbb {F}_q\) (see Sect. 2). The respective \(\mathbf {a}\) and \(\mathbf {b}\) are then retrieved by representing a and b over \(\varvec{\nu }\). Since \(\mathbf {a}\) and \(\mathbf {b}\) correspond to a unique equivalence class in \(\mathcal {Q}_k\), it follows that they determine the message sent by Bob uniquely.

An alternative scheme which employs randomization is given in Appendix B. One clear advantage of the above system is that its information rate approaches 1 as k grows. The information rate is defined as the ratio between the number of bits in Bob’s message and the number of bits that are required to transmit the corresponding cyphertext. Due to the size of \(\mathcal {Q}_k\), given earlier, it follows that the number of information bits in Bob’s message approaches \(2k\log _2q\) as k grows; this is identical to the number of information bits in the cyphertext \(E(\mathbf {a},\mathbf {b})\).

On the other hand, a clear disadvantage is that the public key is relatively large in comparison with the size of the plaintext; due to the symmetry of the coefficient matrices, the public key contains \(k^2(k+1)\) elementsFootnote 2 in \(\mathbb {F}_q\), whereas the plaintext contains approximately 2k elements in \(\mathbb {F}_q\). This disadvantage is apparent in some other MPKCs as well. For instance, in the ABC cryptosystem [28, Sect. 3], to transmit a message of k field elements, 2k quadratic polynomials in k variables are evaluated. Hence, the information rate is \(\frac{1}{2}\), and in order to transmit k field elements, a public key of \(k^2(k+1)\) field elements is required. Our system suffers from a large public key as many other MPKCs, albeit at information rate which approaches 1.

Remark 1 (A note about performance)

Both encoding and decoding require only elementary operations over finite fields. Given \(\mathbf {a}\) and \(\mathbf {b}\), Bob encrypts by computing n bi-linear transforms in \(O(k^3)\). Given the cypertext, Alice obtains ab using \(O(k^2)\) operations, and follows the factorization algorithm from Sect. 2. This algorithm includes change-of-basis to \(\{1,\gamma \}\), which is equivalent to solving a linear equation, followed by applying a pre-determined linear transform \(T^{-1}\), solving a univariate quadratic polynomial over \(\mathbb {F}_{q^n}\), and finally two computation of inverse (e.g., by the extended Euclidean algorithm) and two extractions of \((q-1)\)’th root (e.g., by the \(O(k^3)\) algorithm of [4]). Overall, assuimg q is constant, both encoding and decoding require \(O(k^3)\) operations. Key generation can be done via a simple randomized process, and experimental results are given in Sect. 6.

Remark 2 (A note about parameters)

The fact that \(n=2k\) (or more generally, that \(k=\varTheta (n)\)) in the Sidon cryptosystem above seems to be essential to the security of the system. For example, using a max-span Sidon space [26, Sect. IV], in which the set \(\{\nu _i\nu _j\}_{i,j\in [k]}\) is linearly independent over \(\mathbb {F}_q\) and thus \(n\ge {k+1\atopwithdelims ()2}\), is detrimental to the security of the system—it is easy to verify that if V is a max-span Sidon space, then \({{\,\mathrm{span}\,}}_{\mathbb {F}_q}(\{\mathbf {M}^{(i)}\}_{i=1}^n)\) is the set of all \(k\times k\) symmetric matrices over \(\mathbb {F}_q\). Hence, given \(E(\mathbf {a},\mathbf {b})=( \mathbf {a}\mathbf {M}^{(i)}\mathbf {b}^\intercal )_{i=1}^n\), by using linear operations one can have \(( \mathbf {a}\mathbf {C}_{i,j}\mathbf {b}^\intercal )_{i,j\in [k]}\), where \(\mathbf {C}_{i,j}\) is a matrix which contains 1 in its (ij)-th entry, 1 in its (ji)-th entry, and zero elsewhere, and as a result the expressions \(\{ a_ib_i \}_{i=1}^k\) and \(\{ a_ib_j+a_jb_i \}_{i>j}\) are obtained. Clearly, these values are the coefficients of \(p_a\cdot p_b\), where

$$\begin{aligned} p_a(x_1,\ldots ,x_k)&\triangleq \sum _{i\in [k]}a_ix_i,&\text{ and } \qquad \quad p_b(x_1,\ldots ,x_k)\triangleq \sum _{i\in [k]}b_ix_i\;, \end{aligned}$$

and thus \(\mathbf {a}\) and \(\mathbf {b}\) could be identified by factoring \(p_a\cdot p_b\).

4 MinRank Attacks

In what follows, we consider several attacks that are based on the well-known NP-complete problemFootnote 3 MinRank [10]. In all of these attacks, it is shown that breaking the system requires solving some special case of MinRank, and the feasibility of success is discussed.

  • The MinRank problem.

  • Input: Integers knr and linearly independent matrices \(\mathbf {N}^{(0)},\mathbf {N}^{(1)},\ldots ,\mathbf {N}^{(n)}\) in \(\mathbb {F}^{k\times k}\) for some field \(\mathbb {F}\).

  • Output: A tuple \((\lambda _1,\ldots ,\lambda _n)\in \mathbb {F}^n\), not all zero, such that

    $$\begin{aligned} {{\,\mathrm{rank}\,}}_{\mathbb {F}}\left( \sum _{i=1}^{n}\lambda _i\mathbf {N}^{(i)}-\mathbf {N}^{(0)}\right) \le r. \end{aligned}$$

In this section, the purpose of the attacker Eve is to find an equivalent secret key \(V'\). That is, Eve begins by guessing an irreducible polynomial \(P_E(x)\) of degree \(n=2k\) to define \(F_E=\mathbb {F}_q[x]\bmod (P_E(x))=\mathbb {F}_{q^n}\), where \((P_E(x))\) is the ideal generated by \(P_E(x)\) in \(\mathbb {F}_q[x]\). Then, since there exists a field isomorphism \(f:F_A\rightarrow F_E\), and since \(\nu _s\nu _t=\sum _{i=1}^n(\mathbf {M}^{(i)})_{s,t}\beta _i\) by the definition of the system, it follows that

$$\begin{aligned} f(\nu _s\nu _t)=f(\nu _s)f(\nu _t)=f\left( \sum _{i=1}^{n}\mathbf {M}^{(i)}_{s,t}\beta _i\right) =\sum _{i=1}^{n}\mathbf {M}^{(i)}_{s,t}f(\beta _i). \end{aligned}$$
(2)

Namely, the tuple \((f(\beta _i))_{i=1}^n\) is a solution to the MinRank problem whose parameters are \(r=1\), \(\mathbf {N}^{(0)}=0\), \(n=2k\), \(\mathbb {F}=F_E\), and \(\mathbf {N}^{(i)}=\mathbf {M}^{(i)}\) for \(i\in [n]\). Then, factoring the resulting rank one matrix \(\sum _{i=1}^{n}\mathbf {M}^{(i)}f(\beta _i)\) to \(f(\varvec{\nu })^\intercal f(\varvec{\nu })\) enables Eve to find \(V'=f(V)\), i.e., the subspace in \(F_E\) which is isomorphic to V in \(F_A\). With f(V) at her disposal, Eve may break the cryptosystem.

To the best of the authors’ knowledge, this solution is not necessarily unique; furthermore, it is unclear if breaking the system is possible if a solution is found which is not a basis of \(F_E\) over \(\mathbb {F}_q\), or if the resulting \(V'\) is not a Sidon space. Nevertheless, we focus on the hardness of finding any solution. Moreover, due to (2), for convenience of notation we omit the isomorphism f from the discussion.

4.1 The Kernel Attack

The kernel formulation of MinRank relies on the fact that any nonzero vector \(\mathbf {v}\in \mathbb {F}_{q^n}^k\) in \(K\triangleq \ker _{\mathbb {F}_{q^n}}(\sum _{i\in [n]}\beta _i\mathbf {M}^{(i)})\) gives rise to k \(\mathbb {F}_{q^n}\)-linear equations in \(y_1,\ldots ,y_n\), namely, the k equations given by \((\sum _{i=1}^{n}y_i\mathbf {M}^{(i)} )\mathbf {v}^\intercal =0\). To find the correct \(y_1,\ldots ,y_n\in \mathbb {F}_{q^n}\), sufficiently many \(\mathbf {v}\)’s in K must be found. For example, finding \(\mathbf {v}_1\in K\) yields k equations in \(n=2k\) variables, and hence there are at least \((q^n)^k\) possible solutions, depending on the linear dependence of these equations. Finding an additional \(\mathbf {v}_2\in K\) adds another k equations, which are likely to reduce the number of possible values for \(y_1,\ldots ,y_n\) further. By repeating this process, the attacker wishes to reduce the dimension of the solution space sufficiently so that the solution \(y_1,\ldots ,y_n\) could be found.

Since K is unknown, the attacker resorts to uniformly random guesses of \(\mathbf {v}_1,\mathbf {v}_2\in \mathbb {F}_{q^n}^k\), hoping to get them both in K. However, since \(\dim K=k-1\), it follows that

$$\begin{aligned} \Pr _{\mathbf {v}\in \mathbb {F}_{q^n}^k}(\mathbf {v}\in K)=\frac{|K|}{|\mathbb {F}_{q^n}^k|}=\frac{(q^n)^{k-1}}{(q^n)^k}=\frac{1}{q^n}, \end{aligned}$$
(3)

and hence the probability of finding even a single \(\mathbf {v}\in K\) is exponentially small in the message length.

Remark 3 (Kernel attack over the base field)

Recall that \(\mathbf {M}(\varvec{\nu })=\sum _{i\in [n]}\beta _i\mathbf {M}^{(i)}\). In order to make the above attack feasible, one may suggest to guess nonzero vectors \(\mathbf {v}\in \mathbb {F}_q^k\) rather than \(\mathbf {v}\in \mathbb {F}_{q^n}^k\). However, it is easy to see that for any nonzero vector \(\mathbf {v}\in \mathbb {F}_q^k\) we have \(\mathbf {M}(\varvec{\nu }) \mathbf {v}\ne 0\), and in fact it is a vector with no nonzero entries. Indeed, \(\mathbf {M}(\varvec{\nu })\) is the multiplication table of \(\varvec{\nu }= (\nu _1,\ldots ,\nu _k)\), which is a basis of the Sidon space V. Hence, \(\mathbf {M}(\varvec{\nu })\mathbf {v}\) is a vector whose i’th coordinate equals \(\nu _i (\sum _{j\in [k]} v_j\nu _j)\). Since the \(\nu _j\)’s are linearly independent over \(\mathbb {F}_q\) and \(\mathbf {v}\) is nonzero, the second term in the product is nonzero, and hence so is the product.

Remark 4 (Kipnis-Shamir formulation)

In a variant of this attack, one guesses kernel vectors in a systematic form, rather than in a general form. That is, the system

$$\begin{aligned} \left( \sum _{i=1}^n y_i\mathbf {M}^{(i)} \right) \begin{pmatrix} 1 &{} 0 &{} \ldots &{} 0\\ 0 &{} 1 &{} \ldots &{} 0\\ \vdots &{} \vdots &{}\ddots &{}\vdots \\ 0 &{} 0 &{} \ldots &{} 1\\ z_1 &{} z_2 &{} \ldots &{} z_{k-1} \end{pmatrix}=0. \end{aligned}$$

has a solution with \(y_1,\ldots ,y_n,z_1,\ldots ,z_{k-1}\in \mathbb {F}_{q^n}\) (technically, the position of the non-unit row in the r.h.s matrix can be arbitrary; however, this can be amended by repeating the algorithm k times with different positions, or by random guessing). Similar to the attack above, one can guess two column vectors from the r.h.s matrix, and solve the resulting system, which is linear in the \(y_i\)’s. However, it is readily verified that the probability to guess each \(z_i\) correctly is \(q^{-n}\), and hence analysis similar to (3) applies. Alternatively, one can treat both the \(y_i\)’s and the \(z_i\)’s as variables over \(\mathbb {F}_{q^n}\), and solve the resulting quadratic system using Gröbner basis algorithms. Very recently [3, 31], it was shown that in some parameter regimes, such Gröbner basis algorithms admit an inherent structure that can be utilized to reduce the computation time, often significantly (e.g., for the HFE cryptosystem). Whether the Sidon cryptosystem admits a similar structure remains to be studied.

4.2 The Minor Attack

In the minor attack of MinRank, one considers the system of homogeneous quadratic equations given by setting all \(2\times 2\) minors of \(\sum _{i\in [n]}y_i\mathbf {M}^{(i)}\) to zero, and (usually) solves by linearization. That is, the system is considered as a linear one in the \(\left( {\begin{array}{c}n+1\\ 2\end{array}}\right) \) variables \(\{ z_{i,j} \}_{i\le j, i,j\in [n]}\), where \(z_{i,j}\) represents \(y_iy_j\) for every i and j. The resulting homogeneous linear system has a right kernel of dimension at least one; if it happens to be at most one, the attacker finds a nonzero solution \(\mathbf {w}=(w_{i,j})_{i\le j}\) and arranges it in a symmetric matrix

$$\begin{aligned} {{\,\mathrm{mat}\,}}(\mathbf {w})=\begin{pmatrix} w_{1,1} &{} w_{1,2} &{} \ldots &{} w_{1,n}\\ w_{1,2} &{} w_{2,2} &{} \ldots &{} w_{2,n}\\ \vdots &{} \cdots &{} \ddots &{} \vdots \\ w_{1,n} &{} w_{2,n} &{} \cdots &{} w_{n,n} \end{pmatrix}. \end{aligned}$$
(4)

Then, the attacker finds a rank one decomposition \((w_1,\ldots ,w_n)^\intercal (w_1,\ldots ,w_n)\) of (4) (which is guaranteed to exist, since the solution \(z_{i,j}=y_iy_j\) has a rank one decomposition, and the dimension of the kernel is one), which provides a solution.

In most systems the dimension of the kernel will indeed be at most one. Otherwise the attacker is left with yet another MinRank problem, that we call secondary, in which a “rank-one vector” (that is, a vector \(\mathbf {w}\) such that \({{\,\mathrm{mat}\,}}(\mathbf {w})\) is of rank one) must be found in the kernel. In what follows it is shown that this attack on the Sidon cryptosystem results in the latter scenario. That is, attempting to solve the minor attack via linearization results in a linear system with a large kernel. Moreover, it is shown that the secondary (and tertiary, etc.) attack suffers from the same effect.

Let \(\varvec{\Upomega }\) be the quadratic system which results from setting all \(2\times 2\) minors of \(\sum _{i\in [n]}y_i\mathbf {M}^{(i)}\) to zero. This system contains \(\left( {\begin{array}{c}k\\ 2\end{array}}\right) ^2\) equations, each is a linear combination over \(\mathbb {F}_q\) of the \(\left( {\begin{array}{c}n+1\\ 2\end{array}}\right) \) monomials \(y_1^2,\ldots ,y_n^2,y_1y_2,\ldots ,y_{n-1}y_{n}\). To break the cryptosystem, the values of \(y_1,\ldots ,y_{n}\) in a solution to \(\varvec{\Upomega }\) should form a basis to \(\mathbb {F}_{q^n}\) over \(\mathbb {F}_q\), and as discussed earlier, it is unclear if the system can be broken otherwise. Yet, for generality we focus on the hardness of finding any solution.

Let \(\varvec{\Upomega }_{\text {lin}}\) be the matrix which results from linearizing \(\varvec{\Upomega }\). That is, each of the \(\left( {\begin{array}{c}n+1\\ 2\end{array}}\right) \) columns of \(\varvec{\Upomega }_{\text {lin}}\) is indexed by a monomial \(y_sy_t\), and each row is indexed by a minor \(((i,j),(\ell ,d))\) (i.e., the minor that is computed from the i’th and j’th rows and the \(\ell \)’s and d’th columns). The value of an entry in column \(y_sy_t\) and row \(((i,j),(\ell ,d))\) is the coefficient of \(y_sy_t\) in the equation for the \(2\times 2\) minor of \((\sum _{i\in [n]}y_i\mathbf {M}^{(i)})\) in rows i and j, and columns \(\ell \) and d. Note that a solution to \(\varvec{\Upomega }\) corresponds to a vector in the right kernel of \(\varvec{\Upomega }_{\text {lin}}\), but the inverse is not necessarily true.

We begin by discussing several aspects of \(\varvec{\Upomega }_{\text {lin}}\). First, since the matrices \(\mathbf {M}^{(i)}\) are symmetric, many rows in \(\varvec{\Upomega }_{\text {lin}}\) are identical; minor \(((i,j),(\ell ,d))\) identical to minor \(((\ell ,d),(i,j))\). Hence, the effective number of rows is at most

$$\begin{aligned} \left( {\begin{array}{c}\left( {\begin{array}{c}k\\ 2\end{array}}\right) +1\\ 2\end{array}}\right) . \end{aligned}$$
(5)

Second, \(\varvec{\Upomega }_{\text {lin}}\) is over \(\mathbb {F}_q\), while the required solution is in \(\mathbb {F}_{q^n}\). One way to circumvent this is by representing every \(y_i\) using n variables over \(\mathbb {F}_q\). The resulting linearized system can be described using Kronecker products. By using the fact that the rank of a Kronecker product is the product of the individual ranks, it can be easily shown that this system has a large kernel, and thus solving by linearization is not feasible. The full details of this approach are given in Appendix C.

More importantly, in contrast to Remark 3, one can simply find \(\ker _{\mathbb {F}_q}(\varvec{\Upomega }_{\text {lin}})\); since \({{\,\mathrm{rank}\,}}_{\mathbb {F}_q}(\varvec{\Upomega }_{\text {lin}})={{\,\mathrm{rank}\,}}_{\mathbb {F}_{q^n}}(\varvec{\Upomega }_{\text {lin}})\), it follows that the true solution \((z_{i,j})_{i\le j}=(\beta _i\beta _j)_{i\le j}\) lies in \({{\,\mathrm{span}\,}}_{\mathbb {F}_{q^n}}(\ker _{\mathbb {F}_q}(\varvec{\Upomega }_{\text {lin}}))\). Put differently, one can solve \(\varvec{\Upomega }\) via linearization over \(\mathbb {F}_q\) (i.e., obtain an \(\mathbb {F}_q\)-basis to \(\varvec{\Upomega }_{\text {lin}}\)’s right kernel), span it over \(\mathbb {F}_{q^n}\), and search for a rank one vector. However, in what follows it is shown that the rank of \(\varvec{\Upomega }_{\text {lin}}\) is low (specifically, \({{\,\mathrm{rank}\,}}(\varvec{\Upomega }_{\text {lin}})\le \left( {\begin{array}{c}n+1\\ 2\end{array}}\right) -n\)), and hence this approach is not feasible either. One might wonder if the secondary MinRank problem that emerges is itself solvable by linearization, for which we show that the answer is negative, and the proof is similar.

Bounding the Rank of \(\varvec{\Upomega }_{\text {lin}}\). Let \(\varvec{\nu }=(\nu _1,\ldots ,\nu _k)\) be the secret basis of V and let \(\mathbf {u}=(\nu _1,\ldots ,\nu _n)\) be an extension of \(\varvec{\nu }\) to a complete basis of \(\mathbb {F}_{q^n}\) over \(\mathbb {F}_q\). Let \(\varvec{\beta }=(\beta _1,\ldots ,\beta _n)\) be the secret basis of \(\mathbb {F}_{q^n}\). Therefore, we have that \(\mathbf {u}^\intercal \mathbf {u}=\sum _{i\in [n]}\beta _i\mathbf {N}^{(i)}\) for some matrices \(\mathbf {N}^{(i)}\in \mathbb {F}_q^{n\times n}\). It is readily verified that for every \(i\in [n]\), the upper left \(k\times k\) submatrix of \(\mathbf {N}^{(i)}\) is the public key coefficient matrix \(\mathbf {M}^{(i)}\). In addition, let \(\mathbf {E}\in \mathbb {F}_q^{n\times n}\) be the change-of-basis matrix such that \(\varvec{\beta }=\mathbf {u}\mathbf {E}\), and then

$$\begin{aligned} \varvec{\beta }^\intercal \varvec{\beta }=\mathbf {E}^\intercal \mathbf {u}^\intercal \mathbf {u}\mathbf {E}=\sum _{i\in [n]}\beta _i\mathbf {E}^\intercal \mathbf {N}^{(i)}\mathbf {E}. \end{aligned}$$
(6)

Construct a system \(\mathbf {\Gamma }\) of quadratic equations in the variables \(y_1,\ldots ,y_n\) by setting all the \(2\times 2\) minors of \(\sum _{i\in [n]}y_i\mathbf {N}^{(i)}\) to zero, and let \(\mathbf {\Gamma }_{\text {lin}}\) be the linearization of the set of equations in \(\mathbf {\Gamma }\), obtained by replacing each monomial \(y_iy_j\) by the variable \(z_{i,j}\). Notice that one obtains \(\varvec{\Upomega }_{\text {lin}}\) from \(\mathbf {\Gamma }_{\text {lin}}\) by omitting every row \(((i,j),(\ell ,d))\) of \(\mathbf {\Gamma }_{\text {lin}}\) with either one of \(i,j,\ell ,d\) larger than k. Therefore, it follows that \(\ker (\mathbf {\Gamma }_{\text {lin}})\subseteq \ker (\varvec{\Upomega }_{\text {lin}})\).

We claim that each matrix \(\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E}, l\in [n]\) defines a valid solution to \(\mathbf {\Gamma }_{\text {lin}}\) simply by setting \(z_{i,j}=(\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E})_{i,j}=(\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E})_{j,i}\). Then, it will be shown that \(\{\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E}\}_{l\in [n]}\) are linearly independent, and thus so are the solutions they define. This would imply that the dimension of the solution space of \(\mathbf {\Gamma }_{\text {lin}}\) is at least n, and since \(\ker (\mathbf {\Gamma }_{\text {lin}})\subseteq \ker (\varvec{\Upomega }_{\text {lin}})\), it would also imply that the dimension of the solution space of \(\varvec{\Upomega }_{\text {lin}}\) is at least n.

For an element \(\alpha \in \mathbb {F}_{q^n}\) and \(i\in [n]\) let \((\alpha )_i\in \mathbb {F}_q\) be the coefficient of \(\beta _i\) in the expansion of \(\alpha \) as a linear combination of the \(\beta _j\)’s over \(\mathbb {F}_q\), i.e., \(\alpha =\sum _{i\in [n]}(\alpha )_i\beta _i\). Then, it follows from the definition of the \(\mathbf {N}^{(l)}\)’s that \(\mathbf {N}^{(l)}_{i,j}=(\nu _i\nu _j)_l\). Similarly, it follows from (6) that \((\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E})_{i,j}=(\beta _i\beta _j)_l\).

Lemma 1

For every \(l\in [n]\) the assignment \(z_{i,j}=(\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E})_{i,j}\) is a solution for \(\mathbf {\Gamma }_{\text {lin}}\).

Proof

Let \(\begin{pmatrix} a &{} b \\ c &{} d \end{pmatrix}\in \mathbb {F}_{q^n}^{2\times 2}\) be an arbitrary \(2\times 2\) submatrix of \( \mathbf {u}^\intercal \mathbf {u}=\sum _{i\in [n]}\beta _i\mathbf {N}^{(i)}\). First, notice that the respective equation in \(\mathbf {\Gamma }\) is

$$\begin{aligned} \left( \sum _{i\in [n]}(a)_iy_i \right) \left( \sum _{i\in [n]}(d)_iy_i \right) -\left( \sum _{i\in [n]}(b)_iy_i \right) \left( \sum _{i\in [n]}(c)_iy_i \right) =0, \end{aligned}$$

which after linearization becomes

$$\begin{aligned} \sum _{i,j\in [n]}(a)_i(d)_jz_{i,j}-\sum _{i,j\in [n]}(b)_i(c)_jz_{i,j}=0. \end{aligned}$$
(7)

Second, since \(\mathbf {u}^\intercal \mathbf {u}\) is a rank one matrix, so is any of its \(2\times 2\) submatrices, and therefore \(ad-bc=0\). Since this implies that \((ad-bc)_l=0\) for every \(l\in [n]\), it follows that

$$\begin{aligned} 0&=(ad-bc)_l=(ad)_l-(bc)_l\\&=\left( \textstyle {\sum }_{i,j\in [n]}(a)_i(d)_j\beta _i\beta _j\right) _l-\left( \textstyle {\sum }_{i,j\in [n]}(b)_i(c)_j\beta _i\beta _j\right) _l\\&=\textstyle {\sum }_{i,j\in [n]}(a)_i(d)_j(\beta _i\beta _j)_l-\textstyle {\sum }_{i,j\in [n]}(b)_i(c)_j(\beta _i\beta _j)_l\\&=\textstyle {\sum }_{i,j\in [n]}(a)_i(d)_j(\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E})_{i,j}-\textstyle {\sum }_{i,j\in [n]}(b)_i(c)_j(\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E})_{i,j}.\\ \end{aligned}$$

Therefore, it follows from (7) that for every \(l\in [n]\), the assignments \(z_{i,j}=(\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E})_{i,j}\) is a zero of \(\mathbf {\Gamma }_{\text {lin}}\), as needed.

Lemma 2

The n matrices \(\mathbf {E}^\intercal \mathbf {N}^{(l)}\mathbf {E},l\in [n]\) are linearly independent over \(\mathbb {F}_q\).

Proof

Since \(\mathbf {E}\) is invertible, the claim follows by showing that the matrices \(\{\mathbf {N}^{(l)}\}_{l\in [n]}\) are linearly independent over \(\mathbb {F}_q\). For \(l\in [n]\) let \(\mathbf {a}=(a_i)_{i\in [n]}\) and \(\mathbf {b}=(b_i)_{i\in [n]}\) be nonzero vectors in \(\mathbb {F}_q^n\) such that \((\sum _{i\in [n]} a_i\nu _i)(\sum _{j\in [n]} b_j\nu _j)=\beta _l\). Then, it follows that

$$\begin{aligned} \beta _l= \left( \textstyle {\sum }_{i\in [n]} a_i\nu \right) \left( \textstyle {\sum }_{j\in [n]} b_j\nu _j\right) =\mathbf {a}\mathbf {u}^\intercal \mathbf {u}\mathbf {b}^\intercal =\sum _{i\in [n]}\beta _i\mathbf {a}\mathbf {N}^{(i)}\mathbf {b}^\intercal , \end{aligned}$$

and hence

$$ \mathbf {a}\mathbf {N}^{(i)}\mathbf {b}^\intercal = {\left\{ \begin{array}{ll} 1 &{} i=l\\ 0 &{} i\ne l \end{array}\right. }.$$

This readily implies that every \(\mathbf {N}^{(l)}\) is linearly independent of the remaining matrices \(\{\mathbf {N}^{(j)}\}_{j\ne l}\); otherwise, a nontrivial linear combination \(\mathbf {N}^{(l)}=\sum _{j\ne l}\alpha _i\mathbf {N}^{(j)}\) would imply that \(1=0\) by multiplying from the left by \(\mathbf {a}\) and from the right by \(\mathbf {b}^\intercal \). Since this holds for every \(l\in [n]\), the claim follows.

Remark 5

We have experimentally verified for a wide range of q and n values that \({{\,\mathrm{rank}\,}}(\varvec{\Upomega }_{\text {lin}})=\left( {\begin{array}{c}n+1\\ 2\end{array}}\right) -2n\), namely, that \(\dim \ker (\varvec{\Upomega }_{\text {lin}})=2n\). In the above it is proved that \(\dim \ker (\varvec{\Upomega }_{\text {lin}})\ge n\), and the remaining n dimensions remain unexplained. One might conjecture that different extensions of \(\nu _1,\ldots ,\nu _k\) to \(\mathbf {u}\) might result in different kernels of \(\mathbf {\Gamma }_{\text {lin}}\), which might explain the missing n dimensions in \(\ker (\varvec{\Upomega }_{\text {lin}})\). However, it is shown in Appendix D that this is not the case, and all possible extensions of \(\nu _1,\ldots ,\nu _k\) to \(\varvec{\nu }\) result in identical \(\ker (\mathbf {\Gamma }_{\text {lin}})\).

Secondary Minor Attack. In the above it is shown that by attempting to solve the minor attack via linearization, one is left with yet another MinRank problem, which we call secondary. That is, in the secondary problem one must find a rank one vector in the \(\mathbb {F}_{q^n}\)-span of \(\ker (\varvec{\Upomega }_{\text {lin}})\) (i.e., a rank one matrix in \(\{{{\,\mathrm{mat}\,}}(\mathbf {y})\vert \mathbf {y}\in {{\,\mathrm{span}\,}}_{\mathbb {F}_{q^n}}(\ker _{\mathbb {F}_q}(\varvec{\Upomega }_{\text {lin}})) \}\), where \({{\,\mathrm{mat}\,}}(\cdot )\) is defined in (4)). To show the hardness of the primary minrank attack, it was shown earlier that it is not feasible to find a rank one matrix in the \(\mathbb {F}_{q^n}\)-span of \(\{\mathbf {N}^{(i)}\}_{i\in [n]}\) via linearization. According to Lemma 1, to show that hardness of the secondary attack it suffices to show that that it is not feasible to find a rank one matrix in the \(\mathbb {F}_{q^n}\)-span of \(\{ \mathbf {E}^\intercal \mathbf {N}^{(i)}\mathbf {E}\}_{i\in [n]}\). Since \(\mathbf {E}\) is invertible, it readily follows that a solution to the primary attack is also a solution to the secondary, and vice versa. Therefore, solving the secondary minor attack via linearization is not feasible either.

Moreover, in the secondary attack and in the subsequent ones (tertiary, quaternary, etc.), we observe the following intriguing circular phenomenon. Let \(\{\mathbf {B}^{(i)}\}_{i\in [n]}\subseteq \mathbb {F}_q^{n\times n}\) such that \(\varvec{\beta }^\intercal \varvec{\beta }=\sum _{i\in [n]}\beta _i\mathbf {B}^{(i)}\). Since \(\varvec{\beta }=\mathbf {u}\mathbf {E}\) and \(\mathbf {u}^\intercal \mathbf {u}=\sum _{i\in [n]}\beta _i\mathbf {N}^{(i)}\), it follows that

$$\begin{aligned} \mathbf {u}^\intercal \mathbf {u}=(\mathbf {E}^{-1})^\intercal \varvec{\beta }^\intercal \varvec{\beta }\mathbf {E}^{-1}=\sum _{i\in [n]}\beta _i(\mathbf {E}^{-1})^\intercal \mathbf {B}^{(i)}\mathbf {E}^{-1}=\sum _{i\in [n]}\beta _i\mathbf {N}^{(i)}, \end{aligned}$$

and hence \(\mathbf {E}^\intercal \mathbf {N}^{(i)}\mathbf {E}=\mathbf {B}^{(i)}\). That is, in the secondary attack one should find an \(\mathbb {F}_{q^n}\)-assignment to \(y_1,\ldots ,y_n\) so that \(\sum _{i\in [n]}y_i\mathbf {B}^{(i)}\) is of rank one. Then, one repeats the proof of hardness for \(\sum _{i\in [n]}y_i\mathbf {N}^{(i)}\) for the special case where \(\mathbf {u}=\varvec{\beta }\), i.e., where \(\mathbf {N}^{(i)}=\mathbf {B}^{(i)}\) and \(\mathbf {E}=\mathbf {I}\). Lemma 1 then implies that \(z_{i,j}=(\mathbf {B}^{(l)})_{i,j}\) is in the kernel of the linearized system, for every \(\ell \in [n]\). Consequently, while attempting to solve the secondary attack by linearization, one encounters a tertiary attack, where one should find an \(\mathbb {F}_{q^n}\) assignment to \(y_1,\ldots ,y_n\) so that \(\sum _{i\in [n]}y_i\mathbf {B}^{(i)}\) is of rank one. Clearly, this tertiary attack is identical to the secondary one. Moreover, by following the same arguments we have that all subsequent attacks (quaternary, quinary, etc.) are identical to the secondary one.

Remark 6

As mentioned earlier, we have verified experimentally for a wide range of q and k values over many randomized constructions, that \(\dim \ker (\varvec{\Upomega }_{\text {lin}})=2n\), but as of yet have not been able to explain that mathematically. In the context of the secondary attack, one might suggest to take a basis \(\mathbf {v}_1,\ldots ,\mathbf {v}_{2n}\) of \(\ker (\varvec{\Upomega }_{\text {lin}})\), and search for a rank one matrix in the \(\mathbb {F}_{q^n}\)-span of \(\{ {{\,\mathrm{mat}\,}}(\mathbf {v}_i) \}_{i\in [2n]}\), again using linearization. We have verified experimentally that the resulting system is of the same rank as \(\varvec{\Upomega }_{\text {lin}}\), hence not feasibly solvable via linearization, albeit having \(\left( {\begin{array}{c}2n+1\\ 2\end{array}}\right) \) columns rather than \(\left( {\begin{array}{c}n+1\\ 2\end{array}}\right) \).

5 Other Attacks

5.1 Finding a Structured Sidon Space

In this section we present an attack which is specific to the structure of the Sidon space V from Construction 2. By guessing an alternative construction of \(\mathbb {F}_{q^n}\), Eve may assemble a certain set of polynomial equations, which is guaranteed to have a solution. Each such solution defines a subspace \(V'\), most likely a Sidon space, whose coefficient matrices are identical to those of the secret Sidon space V, and hence, it can be used to break the system. However, the resulting equation set is only slightly underdetermined, and hence it is unlikely that a suitable polynomial algorithm exists.

In this attack, Eve guesses an irreducible polynomial \(P_E(x)\in \mathbb {F}_q[x]\) of degree n, and constructs \(\mathbb {F}_{q^n}\) as \(F_E\triangleq \mathbb {F}_q[x]\bmod (P_E(x))\), where \((P_E(x))\) denotes the ideal in \(\mathbb {F}_q[x]\) which is generated by \(P_E(x)\). Further, she guesses a basis \(\omega _1,\ldots ,\omega _n\) of \(F_E\) over \(\mathbb {F}_q\) such that \(\omega _1,\ldots ,\omega _k\) is a basis for \(G_E\), the unique subfield of size \(q^k\) of \(F_E\).

To find \(\varvec{\nu }'\triangleq (\nu _1',\ldots ,\nu _k')\in \mathbb {F}_{q^n}^k\) and \(\varvec{\beta }'\triangleq (\beta _1',\ldots ,\beta _n')\in \mathbb {F}_{q^n}^n\) such that \(\mathbf {M}(\varvec{\nu },\varvec{\beta })=\mathbf {M}(\varvec{\nu }',\varvec{\beta }')\), Eve defines variables \(\{ u_{i,j} \}_{i,j\in [k]}\), \(\{ b_{i,j} \}_{i,j\in [n]}\), and \(\{g_i\}_{i=1}^n\), all of which represent elements in \(\mathbb {F}_q\), and

$$\begin{aligned} \gamma '&\triangleq \sum _{j=1}^{n}g_j\omega _j\;,\\ \nu _i'&\triangleq \left( \sum _{j=1}^ku_{i,j}\omega _j \right) +\left( \sum _{j=1}^{n}g_j\omega _j \right) \left( \sum _{j=1}^ku_{i,j}\omega _j \right) ^q\\&= \left( \sum _{j=1}^ku_{i,j}\omega _j \right) +\left( \sum _{j=1}^{n}g_j\omega _j \right) \left( \sum _{j=1}^ku_{i,j}\omega _j^q \right) \text{ for } \text{ all } i\in [k], \text{ and } \end{aligned}$$
$$\begin{aligned} \beta _i'&\triangleq \sum _{j=1}^{n}b_{i,j}\omega _j \text{ for } \text{ all } i\in [n]\;. \end{aligned}$$

Eve then defines the following \({k+1\atopwithdelims ()2}\) equations over \(\mathbb {F}_{q^n}\),

$$\begin{aligned} \nu _s'\nu _t' = \sum _{i=1}^{n}M^{(i)}_{s,t}\beta _i' \text{ for } \text{ all } s,t\in [k],~s\ge t\;. \end{aligned}$$
(8)

Finally, by expressing each side of every equation as a linear combination of\(\{ \omega _i \}_{i\in [n]}\) and comparing coefficients, Eve obtains \(n\cdot {k+1\atopwithdelims ()2}=k^2(k+1)\) equations over \(\mathbb {F}_q\) in \(n^2+k^2+n=5k^2+2k\) variables. The left hand sides of these equations are polynomials in \(k^2+n=k^2+2k\) variables and degree four, and the right hand sides are linear polynomials in \(n^2=4k^2\) variables.

Since the isomorphism f exists (2), the system is guaranteed to have a solution. The resulting subspace \(V'\triangleq {{\,\mathrm{span}\,}}\{ \nu _i' \}_{i\in [n]}\) is a Sidon space if the corresponding \(\gamma '\) satisfies the conditions of Construction 2. However, it seems that the straightforward algorithms for obtaining a solution are infeasible.

Notice that the terms on the left hand side of (8) are of either of the forms

$$\begin{aligned} u_{s,t}u_{\ell ,r},~g_ju_{s,t}u_{\ell ,r}, \text{ or } g_ig_ju_{s,t}u_{\ell ,r}, \end{aligned}$$

for \(s,t,\ell ,r\in [k]\) and \(i,j\in [n]\). Hence, a straightforward reduction to the quadratic case includes replacing those terms by \(u_{s,t,\ell ,r}\), \(g_j\cdot u_{s,t,\ell ,r}\), and \(g_{i,j}u_{s,t,\ell ,r}\), respectively. In the resulting quadratic equation set, the number of equations remains \(e\triangleq k^2(k+1)\). The number of variables however, comprises of \(k^4\) variables of the form \(u_{s,t,\ell ,r}\), \(4k^2\) of the form \(g_{i,j}\), \(4k^2\) of the form \(b_{i,j}\), and 2k of the form \(g_j\). Thus, the overall number of variables is \(v\triangleq k^4+8k^2+2k\) and the equation set is underdetermined (\(e<v\)), with \(v=\varTheta (e^{4/3})\).

Algorithms for solving underdetermined systems of quadratic equations were studied in [6, 18, 29]. It is known that highly underdetermined systems (\(v=\varOmega (e^2)\)) and highly overdetermined systems (\(e=\varOmega (v^2)\)) are solvable in randomized polynomial time. On the other hand, if \(e=v\pm O(1)\) then the current state-of-the-art algorithms are exponential. The results in our case (\(v=\varTheta (e^{4/3})\)) seem inconclusive. In our experimental section it is shown that standard Gröbner basis algorithms are far from feasible for solving this system for \(k<10\).

5.2 Extracting the Message from the Cyphertext

It is readily verified that extracting \(\mathbf {a}\) and \(\mathbf {b}\) from \(E(\mathbf {a},\mathbf {b})=(\mathbf {a}\mathbf {M}^{(i)} \mathbf {b}^\intercal )_{i=1}^n\) and \(\mathbf {M}(\varvec{\nu },\varvec{\beta })=(\mathbf {M}^{(i)})_{i=1}^n\) is equivalent to solving the corresponding non-homogeneous bilinear system of 2k equations and 2k variables. It seems that the state-of-the-art algorithm for solving a bilinear system is given by [11, Cor. 3], whose complexity is

$$\begin{aligned} O\left( {n_a+n_b+\min (n_a+1,n_b+1) \atopwithdelims ()\min (n_a+1,n_b+1)}^\omega \right) , \end{aligned}$$

where \(n_a\) and \(n_b\) are the number of entries in \(\mathbf {a}\) and \(\mathbf {b}\), and \(\omega \) is the exponent of matrix multiplication. However, this specialized algorithm requires homogeneity, and in any case applying it to our problem requires \(O({3k+1\atopwithdelims ()k+1}^\omega )\), which is infeasible even for small values of k.

We also note that it is possible to apply algorithms that do not exploit the bilinear nature of the system, but rather only its quadratic one. However, evidence show that standard Gröbner basis algorithms for solving quadratic equations perform very poorly on quadratic equation sets in which the number of equations and the number of variables is equal. Following Remark 2, it should be noted that if one would employ a max-span Sidon space as the private key, the resulting bilinear system has \(\varTheta (k^2)\) equations and 2k variables, and hence it is easy to solve by [5, Sect. 6.5] and references therein.

6 Experiments

Experiments were run using a computer with an Intel i7-9750H CPU with 16 GB of RAM. Computations were done on an engineering cluster node with 2 Intel x86 E5 2650 processors with 64 gigabytes of RAM. For reproducibility, the code for all experiments is given [1]. Throughout this section we denote the number of equations by e and number of variables by v.

Before discussing attacks, we discuss the performance of the system itself. Encoding and decoding use simple finite field operations, and had marginal affect on run-times (see Remark 1). The significant part of the key generation algorithm is the choice of \(\gamma \), which defines the secret Sidon space; this amounts to choosing the quadratic polynomial \(P_{a,b}\) so that it is irreducible over \(\mathbb {F}_{q^k}\) with \(c\in \overline{\mathcal {W}}_{q-1}\). This was done at random, and mean success times for different k and q values over 10 trials are given in Fig. 1.

The easiest attack to implement seems to be the bilinear one (Sect. 5.2), due to the small size of the associated inhomogeneous bilinear system (\(v=e=2k\)). Specialized algorithms for improved performance on bilinear systems [11] are inapplicable, since they require homogeneity and have exponential complexity. We used the F4 algorithm from the FGb library [9] in combination with FGb_sage [32]. The system was homogenized before the Gröbner basis was computed. Attacks were efficiently carried out for \(k \le 10\) (i.e., \(v=21\) and \(e=20\)). The field size q was varied between \(q=3\) and \(q=65521\), but had marginal effect on running times. Past \(k=10\), the F4 algorithm exceeded the \(50\cdot 10^6\) bound on the dimension of the matrix. Average running times, that are given below in Fig. 2, are consistent with the exponential growth one would expect.

Fig. 1.
figure 1

Average running times of randomized key generation for various q values.

Full size image
Fig. 2.
figure 2

Average running times for the bilinear attack (Sect. 5.2) on randomly chosen Sidon cryptosystems. Standard deviations are given in light shaded area, which is barely visible.

Full size image

Next, executing the minor attack (Sect. 4.2) past \(k = 2\) proved difficult. The first class of algorithms considered for this attack were of the eXtended Linearization (XL) family [5], but were not promising for a number of reasons. First, XL algorithms require a unique solution, which is not the case in our systems. Second, complexity analysis shows poor asymptotic performance; XL algorithms are polynomial if \(\varepsilon \triangleq \frac{e}{v^2}\) is fixed, but are in general exponential otherwise. In our case \(\varepsilon \) approaches 0 as k increases, and thus we resorted to Gröbner basis algorithms.

Experimental evidence shows that while the attack generates \(\varTheta (k^5)\) Eq. (10), only \(2k^2(2k - 3)\) of them are independent (an upper bound of \(2k^2(2k+1)\) is given in (11)). Benchmarks for fast Gröbner basis algorithms [17] show that the \(k = 3\) system exists on the borderline of what has been computed, and that is supported by experimental evidence. Both implementations of F5 as well as the FGb library were used to try and compute Gröbner bases for this system, but neither performed well, with the FGb library quickly surpassing the \(50\cdot 10^6\) matrix bound and the F5 algorithm not terminating after several days of running. For \(k=4\) and \(k=5\) we were able to compute the degree of regularity, which was 8.

The structured attack in Sect. 5.1, which has \(v=\varTheta (k^2)\) and \(e=\varTheta (k^3)\) proved to be the least feasible, where \(k = 3\) (\(v=36\) and \(e=54\)) and up were completely unsolvable. The system can be reduced to a quadratic one with \(v=\varTheta (k^4)\) variables, which did not seem to accelerate the computation.

7 Discussion

In this paper the Sidon cryptosystem was introduced, and several straightforward attacks were given. These attacks were shown to induce instances of several problems for which it is unlikely that a polynomial algorithm exists. Nevertheless, a finer analysis of the algebraic nature of Sidon spaces might shed some light on the structure of these instances, and consequently, might prove the system insecure. On the other hand, a rigorous proof for the hardness of the Sidon cryptosystem, which has yet to be found, will be a significant achievement in post-quantum cryptography.

The first order of business in extending this work is finding the remaining n dimensions in the kernel of \(\varvec{\Upomega }_{\text {lin}}\), and we have verified experimentally that these additional n dimensions do not exist in \(\mathbf {\Gamma }_{\text {lin}}\). More broadly, we suggest that applications of Sidon spaces to cryptography extend beyond what is discussed in the paper. Other than using different constructions of Sidon spaces (e.g., [20]) in the framework described above, we suggest to study the following concepts in order to strengthen the resulting systems.

  • r-Sidon spaces. The Sidon spaces in this paper enable the product of every two elements to be factored uniquely (up to constants). This is a special case of r-Sidon spaces, in which the product of any r elements can be factored uniquely (see [26, Sect. VI]). This would extend the hardness of the system from solving bilinear systems to r-linear ones.

  • High rank multiplication table. Most of the susceptibility of the Sidon cryptosystem lies in the matrix \(\mathbf {M}(\varvec{\nu })\) (see Sect. 3) being of rank one. To remedy that, let \(U,V\in \mathcal {G}_{q}\left( 4k,k\right) \) be min-span Sidon spaces such that V is spanned by \(\varvec{\nu }=(\nu _i)_{i=1}^k\), U is spanned by \(\varvec{\upsilon }=(\upsilon _i)_{i=1}^k\) and \(U^2\cap V^2=\{0\}\). It is readily verified that Bob in able to decrypt the ciphertext even if the matrix \(\mathbf {M}(\varvec{\nu })=\varvec{\nu }^\intercal \varvec{\nu }\) is replaced by \(\varvec{\nu }^\intercal \varvec{\nu }+\varvec{\upsilon }^\intercal \varvec{\upsilon }\): Bob will begin by extracting \(\mathbf {a}\varvec{\nu }^\intercal \varvec{\nu }\mathbf {b}\) from the ciphertext, which is possible since \(U^2\cap V^2=\{0\}\), and continue similarly. If the vectors \(\varvec{\nu }\) and \(\varvec{\upsilon }\) are independent over \(\mathbb {F}_{q^n}\), the resulting matrix is of rank two, and hence the system’s resilience against MinRank attacks is increased.