Cryptanalysis of a multivariate CCZ scheme

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We consider the multivariate scheme Pesto, which was introduced by Calderini, Caminata, and Villa. In this scheme, the public polynomials are obtained by applying a CCZ transformation to a set of quadratic secret polynomials. As a consequence, the public key consists of polynomials of degree 4. In this work, we show that the public degree 4 polynomial system can be efficiently reduced to a system of quadratic polynomials. This seems to suggest that the CCZ transformation may not offer a significant increase in security, contrary to what was initially believed.


💡 Research Summary

The paper conducts a thorough cryptanalysis of the multivariate public‑key scheme Pesto, introduced by Calderini, Caminata, and Villa. Pesto’s secret map F consists of quadratic polynomials in n variables. The public map is obtained by composing F with two random affine bijections A₁ and A₂ and, crucially, with a CCZ transformation T(x, y)=x+q(y), where q(y) is a quadratic map in the “oil” variables y. Because the quadratic q(y) is substituted into quadratic polynomials, the public key G_pub = A₁ ∘ G ∘ A₂ (with G the transformed central map described below) contains polynomials of degree up to four, and the designers argued that this degree increase should make algebraic attacks harder.

The authors first recap the structure of Pesto. The central map is split into two parts: T, which adds the quadratic term q(y) to the “vinegar” variables x, and U, an Oil‑and‑Vinegar (OV) system of quadratic equations. After applying the inverse of T, the secret map becomes G = (x − q(y), U(x − q(y), y)). The public map is then obtained by the affine transformations A₁ and A₂. The paper notes that the first t equations of G retain an OV structure, while the remaining m − t equations become degree‑4 polynomials after the CCZ transformation.

The security analysis in the original proposal relied on two observations: (i) the degree‑4 part would raise the solving degree of a Gröbner‑basis computation, making algebraic attacks infeasible; (ii) the OV part could be protected by choosing parameters (t≈n/3, s>0) that keep the system unbalanced, thereby thwarting known OV attacks such as Kipnis‑Shamir.

The core contribution of this work is to demonstrate that the degree‑4 public system can be efficiently reduced back to a quadratic system, effectively nullifying the presumed security gain from the CCZ transformation. Two reduction techniques are presented:

  1. Linear‑algebra based Gröbner‑basis reduction – By constructing the Macaulay matrix for degree 4 and analysing the space of constructible polynomials V_{F,4}, the authors prove (Lemma 1) that each degree‑4 equation of U(x − q(y), y) is congruent modulo V_{F,4} to a quadratic polynomial: every degree‑3 and degree‑4 term is a multiple of one of the quadratic equations x − q(y), so only a quadratic remainder survives. Theorem 1 extends this congruence through the affine bijections A₁ and A₂, showing that the entire public system can be rewritten as a set of quadratic equations.

  2. Higher‑Order Linearization Equations (HOLE) – This method introduces new auxiliary variables to replace all degree‑4 monomials, then derives linear relations among these auxiliaries and the original variables. By solving the resulting linear system, the original degree‑4 equations collapse to quadratic ones. The authors provide a complexity analysis indicating an O(n⁷) runtime when the number of equations m does not exceed the number of variables n, which is asymptotically faster than a naïve Gröbner‑basis approach.

Both methods are validated on a concrete toy instance over 𝔽₃ with parameters n=6, m=5, t=2, s=1. The public map originally consists of five dense quartic polynomials; after reduction, it becomes five quadratic polynomials. Standard quadratic‑solving techniques (generic Gröbner bases, OV‑specific solvers) can then recover pre‑images efficiently.
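The following is an added example, not code from the paper or from the Pesto authors, that runs the linear‑algebra reduction of the previous list against a Pesto‑like toy key with the page's parameters (𝔽₃, n=6, m=5, t=2). The key is built here as G(x, y) = (x − q(y), U(x − q(y), y)) hidden by random affine bijections A₁ and A₂; since the page does not spell out the OV shape of U or the role of the parameter s, U is taken as a random quadratic map and s is omitted (both are assumptions, and neither is needed for the reduction to work). The attack side first finds the linear combinations of the public polynomials whose degree‑3/4 parts cancel (this undoes A₁ and recovers the quadratic subspace), then builds the degree‑4 Macaulay span of those quadratics and reduces every public polynomial modulo it, which is the Lemma 1 / Theorem 1 argument carried out as row reduction. A brute‑force zero‑set comparison over the 729 points of 𝔽₃⁶ confirms that the quartic and the reduced quadratic systems have the same solutions.

```python
# Added example: reduce a CCZ-shifted degree-4 public key (Pesto-like toy) to quadratics over F_3.
import functools, itertools, math, random
P = 3               # field F_3, as in the page's toy instance
N, T, M = 6, 2, 5   # n variables, t = number of x variables, m public polynomials (page's parameters)
# Monomials of degree <= 4, highest degree first, so that row reduction pivots on degree-4 terms first.
MONOS = sorted((m for m in itertools.product(range(5), repeat=N) if sum(m) <= 4), key=lambda m: (-sum(m), m))

# Sparse polynomials over F_P as {exponent tuple: coefficient}; E(i, j) is the exponent tuple of v_i*v_j.
def E(*idx): return tuple(idx.count(i) for i in range(N))
def clean(a): return {k: v % P for k, v in a.items() if v % P}
def deg(a): return max((sum(m) for m in a), default=-1)
def vec(a): return [a.get(m, 0) for m in MONOS]          # coefficient vector indexed by MONOS
def peval(a, pt): return sum(c * math.prod(v ** e for e, v in zip(m, pt)) for m, c in a.items()) % P

def padd(a, b, s=1):  # a + s*b
    r = dict(a)
    for m, c in b.items():
        r[m] = r.get(m, 0) + s * c
    return clean(r)

def pmul(a, b):
    r = {}
    for m1, c1 in a.items():
        for m2, c2 in b.items():
            m = tuple(x + y for x, y in zip(m1, m2))
            r[m] = r.get(m, 0) + c1 * c2
    return clean(r)

def lincomb(polys, coeffs, const=0):  # const + sum_i coeffs[i] * polys[i]
    return clean(functools.reduce(lambda acc, pc: padd(acc, *pc), zip(polys, coeffs), {E(): const}))

def subst(a, images):  # a(v_0..v_{N-1}) with every v_i replaced by the polynomial images[i]
    monos = [functools.reduce(pmul, [images[i] for i, e in enumerate(m) for _ in range(e)], {E(): 1}) for m in a]
    return lincomb(monos, list(a.values()))

def rand_quad(vars_):  # random polynomial of degree <= 2 in the listed variables
    return clean({E(*c): random.randrange(P) for k in range(3) for c in itertools.combinations_with_replacement(vars_, k)})

def rref(rows):  # reduced row echelon form over F_P; returns the nonzero rows, pivot columns increasing
    rows, r = [list(x) for x in rows], 0
    for c in range(len(rows[0]) if rows else 0):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is not None:
            rows[r], rows[piv] = rows[piv], rows[r]
            inv = pow(rows[r][c], -1, P)
            rows[r] = [v * inv % P for v in rows[r]]
            for i in [i for i in range(len(rows)) if i != r and rows[i][c]]:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % P for vi, vr in zip(rows[i], rows[r])]
            r += 1
    return rows[:r]

def rand_affine(d):  # random invertible affine map on F_P^d as (matrix rows, offset)
    A = [[random.randrange(P) for _ in range(d)] for _ in range(d)]
    return (A, [random.randrange(P) for _ in range(d)]) if len(rref(A)) == d else rand_affine(d)

def keygen():  # public key A1 o G o A2 with G(x, y) = (x - q(y), U(x - q(y), y)); retry until degree 4 appears
    while True:
        q = [rand_quad(range(T, N)) for _ in range(T)]             # q: quadratic in the y variables
        z = [padd({E(k): 1}, q[k], -1) for k in range(T)]           # z_k = x_k - q_k(y)
        U = [rand_quad(range(N)) for _ in range(M - T)]             # U quadratic in (z, y) (assumption)
        G = z + [subst(u, z + [{E(i): 1} for i in range(T, N)]) for u in U]
        A2, b2 = rand_affine(N)
        forms = [clean({**{E(j): c for j, c in enumerate(A2[i])}, E(): b2[i]}) for i in range(N)]
        GA2 = [subst(g, forms) for g in G]                           # G o A2
        A1, b1 = rand_affine(M)
        pub = [lincomb(GA2, A1[j], b1[j]) for j in range(M)]         # A1 o G o A2
        if max(map(deg, pub)) == 4:
            return pub

def reduce_to_quadratic(system):  # degree-<=2 system with the same zero set, via Macaulay degree-4 linear algebra
    # 1. Combinations of the inputs whose degree-3/4 parts cancel: row-reduce [degree>=3 coefficients | I],
    #    a row whose left part is zero carries such a combination in its right part.
    hi = [i for i, m in enumerate(MONOS) if sum(m) >= 3]
    aug = [[vec(p)[i] for i in hi] + [int(j == k) for k in range(len(system))] for j, p in enumerate(system)]
    quads = [lincomb(system, row[len(hi):]) for row in rref(aug) if not any(row[:len(hi)])]
    # 2. Degree-4 Macaulay span of those quadratics: every monomial of degree <= 2 times each of them.
    span = rref([vec(pmul({m: 1}, qq)) for qq in quads for m in MONOS if sum(m) <= 2])
    # 3. Reduce every input modulo the span. Pivots sit on the highest-degree monomials, so an input whose
    #    degree-3/4 terms are multiples of the quadratics is left with a remainder of degree <= 2.
    out = list(quads)
    for p in system:
        v = vec(p)
        for row in span:
            f = v[next(i for i, c in enumerate(row) if c)]   # coefficient at this row's pivot column
            if f:
                v = [(a - f * b) % P for a, b in zip(v, row)]
        if rem := clean(dict(zip(MONOS, v))):
            out.append(rem)
    return out

def zero_set(system):  # brute force over the 729 points of F_3^6; toy size only
    return {pt for pt in itertools.product(range(P), repeat=N) if all(peval(f, pt) == 0 for f in system)}

def demo(seed=7):  # keygen, pick a preimage, reduce the target system, check both systems agree
    random.seed(seed)
    pub = keygen()
    w = [random.randrange(P) for _ in range(N)]               # a preimage; the target is c = pub(w)
    target = [padd(p, {E(): peval(p, w)}, -1) for p in pub]   # pub(v) = c  <=>  all of these vanish
    zs_quad = zero_set(quad := reduce_to_quadratic(target))
    return {"pub_degree": max(map(deg, pub)), "reduced_degree": max(map(deg, quad)),
            "same_solutions": zero_set(target) == zs_quad, "preimage_found": tuple(w) in zs_quad}
```

Calling demo() returns a small report: the public polynomials have degree 4, the reduced system has degree at most 2, both systems have exactly the same zero set, and the preimage used to build the target is among those zeros. Nothing in reduce_to_quadratic uses the secret q, U, A₁ or A₂: it only needs the public polynomials and a target, which is the point of the paper's observation that the quadratic structure is not hidden by the CCZ shift. Step 1 does not require the quadratic components to be among the public polynomials verbatim, only that A₁ is invertible so that they lie in the public span; the brute-force zero-set check is there for verification and would be replaced by an OV or generic quadratic solver on the reduced system at real parameter sizes.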

The implication is that the CCZ transformation does not hide the underlying quadratic structure of the secret map; the algebraic relationship survives and can be exposed by the presented reductions. Consequently, the security arguments based solely on degree elevation are insufficient. Even with the recommended parameter choices (t≈n/3, s>0), the scheme remains vulnerable because an attacker can first reduce the system to quadratic form and then apply well‑studied attacks on OV or generic quadratic systems.

In conclusion, the paper provides strong evidence that Pesto’s use of a CCZ transformation fails to deliver a meaningful security improvement. It calls for a reassessment of CCZ‑based multivariate constructions and suggests that future designs must incorporate deeper structural obfuscation beyond mere degree increase, possibly by employing alternative non‑linear transformations or by fundamentally redesigning the secret map to resist the type of reduction demonstrated here.

