Algebraic Cryptanalysis of a Quantum Money Scheme The Noise-Free Case

Size: px

Start display at page:

Download "Algebraic Cryptanalysis of a Quantum Money Scheme The Noise-Free Case"

Penelope Cain
5 years ago
Views:

1 1 / 27 Algebraic Cryptanalysis of a Quantum Money Scheme The Noise-Free Case Marta Conde Pena 1 Jean-Charles Faugère 2,3,4 Ludovic Perret 3,2,4 1 Spanish National Research Council (CSIC) 2 Sorbonne Universités, UPMC Univ Paris 06 3 INRIA 4 CNRS

2 Motivation 2 / 27 Contents 1 Motivation 2 Modeling 3 Our Contributions Randomized Polynomial-time Algorithm for HSP q, with q > d Heuristic Randomized Polynomial-time Algorithm for HSP 2 4 Conclusions and Open Problems

3 Motivation 3 / 27 Cash from a Classical vs Quantum Perspective Classical Physics In principle, it is impossible to make money uncopyable. No-cloning Theorem in Quantum Mechanics An unknown quantum state cannot be cloned. Can this be used to make unforgeable cash?

4 Motivation 4 / 27 Quantum Money S. Wiesner. Conjugate Coding. ACM SIGACT News, 15(1):78 88, Wiesner s Idea for Quantum Money A quantum banknote has a serial number and t photons. No Forging Probability of successful forging exponentially small on t.

5 Motivation 5 / 27 A Step Forward: Public-key Quantum Money Ideally, anyone should be able to verify the validity of money. Public-key quantum money. E. Farhi et al. Quantum Money from Knots. ITCS S. Aaronson and P. Christiano. Quantum Money from Hidden Subspaces. STOC Quantum Money Scheme of Aaronson-Christiano Security under a classical (non-quantum) hardness assumption.

6 Motivation 6 / 27 Hardness Assumption Hidden Subspaces Problem (HSP q ) Input : p 1,..., p m, q 1,..., q m F q [x 1,..., x n ] of degree d. d 3. n m 2n. Find : n/2-dimensional subspace A F q n s.t p i (A) = 0 and q i (A ) = 0 i {1,..., m}. Secret key: A. Public key: p 1,..., p m, q 1,..., q m. The subspace and the polynomials are chosen uniformly at random from the appropriate sets.

7 Motivation 7 / 27 Security of the Scheme Aaronson-Christiano (STOC 2012) Their scheme relies on HSP 2. Open Question (STOC 2012) Extension of the scheme to F q for any q 2. Challenge Is HSP q really a hard problem?

Motivation 8 / 27 Contributions Our Contributions Randomized polynomial-time algorithm for HSP q, q > d. Heuristic randomized polynomial-time algorithm for HSP 2.

8 Motivation 8 / 27 Contributions Our Contributions Randomized polynomial-time algorithm for HSP q, q > d. Heuristic randomized polynomial-time algorithm for HSP 2. Experimentally verified and efficient in practice. Technique Algebraic cryptanalysis using Gröbner bases. We solve the challenge and master the complexity of solving.

9 Motivation 9 / 27 Algebraic Cryptanalysis 1 Solution of a problem Solution of a multivariate polynomial system. 2 Solve the system in practice and/or control the complexity of solving. Our Case (HSP q ) Algebraic modeling that allows to master the complexity. Similar modeling to the one used for IP in J.-C. Faugère, L. Perret. Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects. EUROCRYPT 2006.

10 Motivation 10 / 27 Gröbner Bases F 5 Algorithm (J.-C.Faugère, 2002) Computation of a Gröbner basis of f 1,..., f r F q [x 1,..., x n ] equivalent to succesive reductions to row echelon form of M d = k i monomials of degree d k 1... k l t 1 f i t 2 f i , deg(t j f ij ) d. until for big enough d =d reg, the row echelon form of M dreg contains a GB.

11 Motivation 10 / 27 Gröbner Bases F 5 Algorithm (J.-C.Faugère, 2002) Computation of a Gröbner basis of f 1,..., f r F q [x 1,..., x n ] equivalent to succesive reductions to row echelon form of M d = k i monomials of degree d k 1... k l t 1 f i t 2 f i , deg(t j f ij ) d. until for big enough d =d reg, the row echelon form of M dreg contains a GB. Complexity Analysis Complexity of O(n ωdreg ), 2 ω 3 linear algebra constant. d reg difficult to estimate in general. In our case we can bound it.

12 Modeling 11 / 27 Contents 1 Motivation 2 Modeling 3 Our Contributions Randomized Polynomial-time Algorithm for HSP q, with q > d Heuristic Randomized Polynomial-time Algorithm for HSP 2 4 Conclusions and Open Problems

13 Modeling 12 / 27 First Approach Toy Example ( ) a1,1... a (p 1 = x 1 x 2 + x 1 + x 2 x 4 + x 4, p 2, p 3, p 4, q 1,..., q 4 ), A = 1,4 a 2,1... a 2,4 matrix of size 2 4. Let (y 1, y 2 ) be formal variables over F 2. p 1 ((y 1, y 2 )A) = 0 = (a 1,1 a 2,2 + a 2,1 a 1,2 + a 1,2 a 2,4 + a 2,2 a 1,4 ) y 1 y 2 + +(a 1,1 a 1,2 +a 1,2 a 1,4 +a 1,1 +a 1,4 ) y 1 +(a 2,1 a 2,2 +a 2,2 a 2,4 +a 2,1 +a 2,4 ) y 2 =

14 Modeling 13 / 27 First Approach Toy Example ( ) a1,1... a (p 1 = x 1 x 2 + x 1 + x 2 x 4 + x 4, p 2, p 3, p 4, q 1,..., q 4 ), A = 1,4 a 2,1... a 2,4 matrix of size 2 4. Let (y 1, y 2 ) be formal variables over F 2. p 1 ((y 1, y 2 )A) = 0 = (a 1,1 a 2,2 + a 2,1 a 1,2 + a 1,2 a 2,4 + a 2,2 a 1,4 ) y 1 y 2 + +(a 1,1 a 1,2 +a 1,2 a 1,4 +a 1,1 +a 1,4 ) y 1 +(a 2,1 a 2,2 +a 2,2 a 2,4 +a 2,1 +a 2,4 ) y 2 = Coeff(p 1, y 1 y 2 )y 1 y 2 + Coeff(p 1, y 1 )y 1 + Coeff(p 1, y 2 )y 2 = Coeff(p 1, y 1 y 2 ) = Coeff(p 1, y 1 ) = Coeff(p 1, y 2 ) = 0.

15 Modeling 14 / 27 First Approach Toy Example ( ) a1,1... a (p 1 = x 1 x 2 + x 1 + x 2 x 4 + x 4, p 2, p 3, p 4, q 1,..., q 4 ), A = 1,4 matrix a 2,1... a 2,4 of size 2 4. Let (y 1, y 2 ) be formal variables over F 2. p 1 ((y 1, y 2 )A) = 0 = (a 1,1 a 2,2 + a 2,1 a 1,2 + a 1,2 a 2,4 + a 2,2 a 1,4 ) y 1 y 2 + +(a 1,1 a 1,2 +a 1,2 a 1,4 +a 1,1 +a 1,4 ) y 1 +(a 2,1 a 2,2 +a 2,2 a 2,4 +a 2,1 +a 2,4 ) y 2 = Coeff(p 1, y 1 y 2 )y 1 y 2 + Coeff(p 1, y 1 )y 1 + Coeff(p 1, y 2 )y 2 = Coeff(p 1, y 1 y 2 ) = Coeff(p 1, y 1 ) = Coeff(p 1, y 2 ) = 0. Naive Model i {1,..., m}, t M ( F q [y 1,..., y n/2 ] ), SysNaive HSPq = { Coeff(p i, t) = 0, Coeff(q i, t) = 0.

16 Modeling 15 / 27 Optimizing the Model Key Observation If A is a solution of HSP q, for any S GL n/2 (F q ), SA is also a solution. Naive Model Has Many Equivalent Solutions. Not optimal. Canonical Form of the Solution of HSP q With probability n/2 γ q (n/2) = (1 1q ) i 1 1 q, A admits a basis in systematic form (I G), G = (g i,j ) is an n/2 n/2 matrix. i=1

17 Modeling 16 / 27 Our Model Optimizing the Model Naive system with A in systematic form. Our Model i {1,..., m}, t M ( F q [y 1,..., y n/2 ] ), Sys HSPq = { Coeff(p i, t) = 0, Coeff(q i, t) = 0.

18 Our Contributions 17 / 27 Contents 1 Motivation 2 Modeling 3 Our Contributions Randomized Polynomial-time Algorithm for HSP q, with q > d Heuristic Randomized Polynomial-time Algorithm for HSP 2 4 Conclusions and Open Problems

19 Our Contributions Randomized Polynomial-time Algorithm for HSP q, with q > d 18 / 27 HSP q, with q > d Linear Equations For all i {1,..., m}, j {1,..., n}, denoting by p i (1) = n λ p i,j x j, q (1) i = j=1 n λ q i,j x j, λ p i,j, λq i,j F q, j=1 i {1,..., m}, k {1,..., n/2}, the following equations are linear: n/2 Coeff(p i, y k ) = λ p i,k + λ p i,j+n/2 g k,j, j=1 n/2 Coeff(q i, y k ) = λ q i,k+n/2 λ q i,j g j,k. j=1

20 Our Contributions Randomized Polynomial-time Algorithm for HSP q, with q > d 19 / 27 HSP q, with q > d Matrix of Coefficients of Size mn n 2 /4 Has the Following Shape λ p i,n/ λ p i,n λ p i,n/ λ p i,n λ p i,n/ λ p i,n λ q j, λ q j, λ q j,n/ λ q j, λ q j, λ q j,n/ Full Rank of the Coefficient Matrix with Overwhelming Probability The probability is γ q(m) γ q(m n/2), m number of p i s.

21 Our Contributions Randomized Polynomial-time Algorithm for HSP q, with q > d 20 / 27 Randomized Polynomial-time Algorithm for HSP q Input: p 1,..., p m, q 1,..., q m F q [x 1,..., x n ] of degree d 3, n m 2n. 1 Construct the linear system {Coeff(p i, y k ), Coeff(q i, y k ), i {1,..., m}, j {1,..., n/2}}. 2 Solve it. Return this solution. Complexity O(n 2ω ), 2 ω 3 linear algebra constant. Success probability γ q (n/2)γ q (m) γ q (m n/2).

22 Our Contributions Randomized Polynomial-time Algorithm for HSP q, with q > d 21 / 27 Some Benchmarks for HSP q, q > d Table : Experiments performed for m = n with MAGMA v.19 d= 3 d= 4 n # Variables #Eqs q Exh. search Time O ( 2 576) 0.00s 0.00s O ( ) 0.02s 0.02s HSP q for big q is insecure!

23 22 / 27 Our Contributions Heuristic Randomized Polynomial-time Algorithm for HSP 2 HSP 2 Sys HSP2 No linear equations: all equations are of degree d with overwhelming probability. Reductions modulo the field equations. Very Overdetermined Non-Linear System The number of equations is at least [( ) ( )] n/2 n/2 2n n 2 /4. 1 d Behaviour when computing a Gröbner basis?

24 23 / 27 Our Contributions Heuristic Randomized Polynomial-time Algorithm for HSP 2 Some Benchmarks for HSP 2 Table : Experiments performed for m = n with MAGMA v.19 d = 3 n # Variables #Eqs d reg Exh. search Time O ( 2 49) 136s O ( 2 49) 2.30min O ( 2 81) 2h20 d = 4 n # Variables #Eqs d reg Exh. search Time O ( 2 36) 38s O ( 2 49) 66min

25 24 / 27 Our Contributions Heuristic Randomized Polynomial-time Algorithm for HSP 2 HSP 2 Structural Symmetries in Our Model If we order in increasing lexicographic order the monomials of degree d m i F 2 [ xn/2+1,..., x n ], m i F 2 [ x1,..., x n/2 ], and ti F 2 [ y1,..., y n/2 ], then Coeff ( m i, t j ) (d) = Coeff ( m j, t i ) (d).

26 24 / 27 Our Contributions Heuristic Randomized Polynomial-time Algorithm for HSP 2 HSP 2 Structural Symmetries in Our Model If we order in increasing lexicographic order the monomials of degree d m i F 2 [ xn/2+1,..., x n ], m i F 2 [ x1,..., x n/2 ], and ti F 2 [ y1,..., y n/2 ], then Coeff ( m i, t j ) (d) = Coeff ( m j, t i ) (d). Low Degree Equations Coeff(p, t j )+Coeff(q, t i )+ Coeff(q, t k )+ Coeff(p, t l ) = 0 {k i α k 0} {l j β l 0} is of degree d 1 and is a linear combination of the equations of Sys HSP2.

27 25 / 27 Our Contributions Heuristic Randomized Polynomial-time Algorithm for HSP 2 HSP 2 Behaviour of Sys HSP2 Degree falls not typically occurring in a random system of equations. Heuristically the degree of regularity is bounded by d + 1. Heuristic Randomized Polynomial-time Algorithm for HSP 2 Input: p 1,..., p m, q 1,..., q m F q [x] of degree d 3, n m 2n. 1 Compute a Gröbner basis J of Sys HSP2. Return the variety of J. Complexity O(n 2ω(d+1) ), 2 ω 3 linear algebra constant. Success probability γ 2 (n/2).

28 Conclusions and Open Problems 26 / 27 Contents 1 Motivation 2 Modeling 3 Our Contributions Randomized Polynomial-time Algorithm for HSP q, with q > d Heuristic Randomized Polynomial-time Algorithm for HSP 2 4 Conclusions and Open Problems

29 Conclusions and Open Problems 27 / 27 Conclusions and Open Problems Conclusions HSP q for big q is easy. Randomized polynomial-time algorithm for HSP q for big q. HSP 2 conjectured to be easy. Heuristic randomized polynomial-time algorithm for HSP 2. Open Problems 1 Noise-free version if the polynomials are not random but more structured (e.g., homogeneous of degree d)? 2 Noisy version?

Hybrid Approach : a Tool for Multivariate Cryptography

Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6