The multivariate candidate DME-Sign has three submitted parameter sets, q in {2^32,2^48,2^48} for NIST security targets I, III, and V. In the following discussion, I will concentrate on the "32-bit" level I version. We will describe a 2^-96 complexity forgery attack on it.
DME-Sign is built on a "trapdoor function" (in the style of RSA); there is a secret mapping from 256 bits to 256 bits (used for creating signatures) and a matching public mapping which is its inverse (for verifying signatures).
The file invert_demo.py demonstrates how to invert half of this mapping quickly; given a public key and a target for the first 128 bits of the "secret" side of the permutation, it selects 128 bits in the signature side that matches it.
The same public keys are generated as in the KAT test vectors. The first comment, "simplified mapping match," indicates that the simplified algebraic description (below) is working fine -- the final comment indicates that the first 128 bits of the result of "public key verification" are set to target value 000102..0e0f in the trapdoor function. This has also been verified against the reference C implementation.
Observation on invertibilityThe DME trapdoor function is based on computations in binary field Fq. Public mapping boils down to the evaluation of multivariate polynomials whose coefficients are defined by the public key. The input variables come from the signature.
The input and output for the public key mapping is a vector of eight 32-bit field elements. I prefer zero-based indexing, so I write the signature variables as (s[0], s[1], .. s[7]) and verification (message) variables as (m[0], m[1], .. m[7]). Apologies -- the technical specification document Implementation of DME-3rnds-8vars-32bits-sign.pdf indexes signature variables from x1 to x8.
We observe that setting signature words s[2]=0 and s[3]=0 (x3=x4=0 in the equations of the paper) causes a vast majority of the monomials in the public mapping to vanish, massively simplifying the mapping. There are other options with similar effects.
Let t(i) denote some power-of-2 exponentiation of signature word i -- s[i]^(2^f) for some power f defined the public key. Since this is a binary field, we have (x+y)^2 = x^2 + y^2, and squaring is bitwise linear (DME is "bitwise multilinear."). Hence t(i) is a constant linear combination of bits in s[i], defined by the public key.
With the setting t(2)=t(3)=0, the dependencies in the public mapping can be expressed as a function of a subset of multivariate polynomial coefficients a[], b[], c[], d[] in the public key and linear combinations of signature bits as:
m[0..1] = a[4]*t(6)*t(4)*t(0) + a[9]*t(7)*t(4)*t(0) + a[14]*t(6)*t(5)*t(0) + a[19]*t(7)*t(5)*t(0) + a[24]*t(0) + a[27]*t(6)*t(4)*t(1) + a[30]*t(7)*t(4)*t(1) + a[33]*t(6)*t(5)*t(1) + a[36]*t(7)*t(5)*t(1) + a[39]*t(1) + a[44]*t(6)*t(4) + a[49]*t(7)*t(4) + a[54]*t(6)*t(5) + a[59]*t(7)*t(5) + a[64]
m[2..3] = b[20]*t(6)*t(4) + b[21]*t(7)*t(4) + b[22]*t(6)*t(5) + b[23]*t(7)*t(5) + b[24]
m[4..5] = c[20]*t(6)*t(4) + c[21]*t(7)*t(4) + c[22]*t(6)*t(5) + c[23]*t(7)*t(5) + c[24]
m[6..7] = d[52]*t(6)*t(4) + d[53]*t(7)*t(4) + d[54]*t(6)*t(5)*t(4) + d[55]*t(7)*t(5)*t(4) + d[56]*t(4) + d[57]*t(6)*t(5) + d[58]*t(7)*t(5) + d[59]*t(5) + d[60]*t(6)*t(4) + d[61]*t(7)*t(4) + d[62]*t(6)*t(5) + d[63]*t(7)*t(5) + d[64]
Here m[0..1] means that the mapping for m[0] and m[1] is of the same form with the same input variables; the public key coefficients a[] for m[0] and m[1] are different. Similarly, for the other three word pairs m[2..3], m[4..5], m[6..7].
Each randomized trial for forgery of some "msg" under a given public key first proceeds just like the signing function:
Or forged signatures are of form [ s0, s1, 0, 0, s4, s5, s6, s7 ], with s[2] and s[3] set to zeros.
We first select s[4..7] so that m[2..5] will have the desired value. The demo forces only m[2..3] and treats s[6..7] as constants -- thereby turning a bilinear equation into a linear one and allowing an efficient solution. For this attack, we assume that with at most 2^96 offline effort (e.g., a table), we succeed in the 128-bit inversion with probability 2^-32.
We then treat m[6..7] as constants. Now the equations for m[0..1] are linearized as a function of s[0..1] (just like in the demo) and can be solved easily. Changing s[s..1] does not affect the already solved m[2..5] target values.
We have forced 192 bits to the target -- as much as one can hope with s[2] and s[3] set to zeros. Now we check for a match in m[6..7], which will occur with probability 2^-64. This gives the attack a total success probability of 2^-96, violating the Level-1 claims. There may be much better attacks (by solving the bilinear forms in step 1 algebraically rather than by brute force)
Note that the description of verification ("dme-open") in the document Implementation of DME-3rnds-8vars-32bits-sign.pdf only checks 128 bits of the w value (step 4); the attack would be more efficient in this case. The reference implementation further performs a consistency check of 8 bytes of g.
Best Regards,
- markku
Dear Markku,
According to the spec, the polynomial map (F_2^32)^8 -> (F_2^32)^8 is
bijective “almost everywhere”. More precisely, the paragraph right before Lemma
1.2 gives the domain D of the map D, thus one gets a bijection between D and the
image of D.
Lemma 1.2 gives estimation of the probability that a randomly
chosen “message” is outside of this domain.
If I understood correctly, the goal of the salt (or padding) r is not only to
randomize the signature algorithm but also to make sure that one does not end
with a signature outside of D.
While it is pretty clear throughout the specs that there are values that make
it impossible to get a bijection from (F_2^32)^8 -> (F_2^32)^8, the actual verification
algorithm page 7 makes it look like all signature of length 256 could be inputs,
not raising any error.
However, if we look carefully at the definition of dme-enc and at the bottom of
page 5 and the beginning of page 6 of the specs, it is said “It is easy to
verify that E […] do not have a zero entry”.
All this to say that if their reference/optimized implementations do not raise
error in that case, it is an issue and your attack is perfectly valid.
But an easy tweak to their implementations, to make them follow their specs, would make the signature resist to your attack ; in addition to this,
performance-wise, I do not think that these verifications are costly at all.
I do not mean that the scheme is secure, just that your attack seems to exploit what looks like an implementation mistake to me, not a flaw in the signature scheme.
Sincerely,
Maxime Bros
While it is pretty clear throughout the specs that there are values that make it impossible to get a bijection from (F_2^32)^8 -> (F_2^32)^8, the actual verification algorithm page 7 makes it look like all signature of length 256 could be inputs, not raising any error.
However, if we look carefully at the definition of dme-enc and at the bottom of page 5 and the beginning of page 6 of the specs, it is said “It is easy to verify that E […] do not have a zero entry”.
All this to say that if their reference/optimized implementations do not raise error in that case, it is an issue and your attack is perfectly valid.
But an easy tweak to their implementations, to make them follow their specs, would make the signature resist to your attack ; in addition to this, performance-wise, I do not think that these verifications are costly at all.
I do not mean that the scheme is secure, just that your attack seems to exploit what looks like an implementation mistake to me, not a flaw in the signature scheme.
Dears Markku and Maxime,
We would like to thank you for pointing out a missing check In our implementation of
the crypto_sign_open() function, and several unintentional omissions in the documentation of the algorithms.
To avoid the proposed attack, only the following line has to be added to the pseudo-code of the dme-open() function.
2. if the interpretation of s as a vector in (Fq2 )4 has a zero entry, return error,
The website has been updated with the revised code and a matching
specification.
Thanks again for your comments and interest,