Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
|
|
- Shon Palmer
- 5 years ago
- Views:
Transcription
1 Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University of Kaiserslautern June 25, / 36
2 1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 2 / 36
3 General idea of public key cryptography complete key (set of data) 3 / 36
4 General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) 3 / 36
5 General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) message M ciphertext C 3 / 36
6 General idea of public key cryptography complete key (set of data) public key P (subset of complete key) private key Q (complete key \ public key) message M ciphertext C original message M 3 / 36
7 General idea of signature schemes original message M 4 / 36
8 General idea of signature schemes original message M hash function h: H = h(m) 4 / 36
9 General idea of signature schemes original message M hash function h: H = h(m) signature S = Q(H) with private key Q send tuple (M,S) 4 / 36
10 General idea of signature schemes compute hash H = h(m) of message M original message M hash function h: H = h(m) signature S = Q(H) with private key Q compute H = P(S) with public key P send tuple (M,S) 4 / 36
11 General idea of signature schemes compute hash H = h(m) of message M original message M hash function h: H = h(m) verify sender via testing H = H signature S = Q(H) with private key Q compute H = P(S) with public key P send tuple (M,S) 4 / 36
12 1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 5 / 36
13 Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions 6 / 36
14 Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. 6 / 36
15 Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. In MPKC the trapdoor one-way function is of the form of a multivariate non-linear polynomial map over a finite field. 6 / 36
16 Trapdoors of MPKC PKC depends on the existence of a class of trapdoor one-way functions Example Elliptic curve crypto depends on the elliptic curve group. NTRU depends on the structure of an integral lattice. In MPKC the trapdoor one-way function is of the form of a multivariate non-linear polynomial map over a finite field. Note Usually non-linear means quadratic. Thus people often speak about MQ systems referring to multivariate quadratic. 6 / 36
17 Basis of security of MPKC MQ Problem Given m quadratic polynomials p 1 (x 1,...,x n ),..., p m (x 1,...,x n ) in n variables x = x 1,...,x n over a finite field F q, find a vector x such that p 1 (x ) =... = p m (x ) = 0. 7 / 36
18 Basis of security of MPKC MQ Problem Given m quadratic polynomials p 1 (x 1,...,x n ),..., p m (x 1,...,x n ) in n variables x = x 1,...,x n over a finite field F q, find a vector x such that p 1 (x ) =... = p m (x ) = 0. Solving MQ polynomial systems is worst case NP-hard and in general doubly exponential over any finite field. 7 / 36
19 Construction of the MPKC F 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 8 / 36
20 Construction of the MPKC T F S 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 3. Take invertible secret matrices S and T. 8 / 36
21 Construction of the MPKC P = T F S 1. Get a trapdoor, e.g. non-linear function F : F n q F n q, easily invertible. 2. Represent F as multivariate polynomials F over F q. 3. Take invertible secret matrices S and T. 4. Distribute your public key P = T F S as polynomials P. 8 / 36
22 We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i 9 / 36
23 We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i Note The constant and linear terms of the p k do not provide any further security, so we can neglect them in our discussion: 9 / 36
24 We use a MQ polynomial map over F q : P : F n q F m q P = ( p 1 (x),...,p m (x) ) with p k (x) = 1 i j n for x = (x 1,...,x n ), α ijk,β ik,γ k F q. Public keys of MPKC α ijk x i x j + β ik x i + γ k, i Note The constant and linear terms of the p k do not provide any further security, so we can neglect them in our discussion: p k (x) = 1 i j n α ijk x i x j, 9 / 36
25 Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T 10 / 36
26 Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T p k (x) = 1 i j n α ijk x i x j = xp k x T 10 / 36
27 Public keys of MPKC In other words: p k (n n) matrix P k (x 1,...,x n ) P k (x 1,...,x n ) T p k (x) = 1 i j n α ijk x i x j = xp k x T Clearly, P should be a random (mostly dense) system of MQ polynomial equations. But is it really? 10 / 36
28 Main ideas for attacking MPKC Try to retrieve secret S and T in order to get F. The used MPKC variant is known, thus try to exploit knowledge of general trapdoor / shape of private map. 11 / 36
29 Main ideas for attacking MPKC Try to retrieve secret S and T in order to get F. The used MPKC variant is known, thus try to exploit knowledge of general trapdoor / shape of private map. What are possible instantiations of MPKC? or What settings for F, S and T are used? 11 / 36
30 1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 12 / 36
31 Matsumoto-Imai scheme (MI or C ) 1988 In general: Utilize vector space and hidden field structure of (F q ) n. Instead of searching for invertible maps over the vector space (F q ) n Look for invertible maps on the extension field F q n (F ). Transform to an invertible map over (F q ) n applying secret S and T (P). A single univariate polynomial F over F q n is represented by n multivariate polynomials P = (p i (x 1,...,x n )) 1 i n over F q. 13 / 36
32 Matsumoto-Imai scheme (MI or C ) 1988 In general: Utilize vector space and hidden field structure of (F q ) n. Instead of searching for invertible maps over the vector space (F q ) n Look for invertible maps on the extension field F q n (F ). Transform to an invertible map over (F q ) n applying secret S and T (P). A single univariate polynomial F over F q n is represented by n multivariate polynomials P = (p i (x 1,...,x n )) 1 i n over F q. Note For C let us assume q = 2 or q = 2 k for some k. Makes the following discussion easier, generalization is rather trivial. 13 / 36
33 Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. 14 / 36
34 Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). 14 / 36
35 Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. 14 / 36
36 Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. Choice of θ ensures F being invertible: ξ (1 + q θ ) 1 mod (q n 1) = F 1 (X) = X ξ. 14 / 36
37 Matsumoto-Imai scheme (MI or C ) 1988 In particular: E = F q [x]/g(x) for an irreducible polynomial g(x) F q [x] of degree n. φ : E (F q ) n an F q -linear isomorphism given by φ(a o + a 1 x + + a n 1 x n 1 ) = (a 0,...,a n 1 ). Choose 0 < θ < n such that gcd(q θ + 1,q n 1) = 1. Define map F in E[X] via F (X) = X 1+qθ. Choice of θ ensures F being invertible: ξ (1 + q θ ) 1 mod (q n 1) = F 1 (X) = X ξ. Go back to (F q ) n : P = φ F φ 1 (x 1,...,x n ) = (p 1 (x),...,p n(x)). Apply secret transformations S and T : P = T P S = T φ F φ 1 S. 14 / 36
38 Matsumoto-Imai scheme (MI or C ) 1988 Note 1 Raising X to a power of the form q i is linear in E. P is a system of MQ polynomials over F q. 15 / 36
39 Matsumoto-Imai scheme (MI or C ) 1988 Note 1 Raising X to a power of the form q i is linear in E. P is a system of MQ polynomials over F q. Note 2 There are not so many choices for θ thus we can assume θ to be publicly known. 15 / 36
40 Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): 16 / 36
41 Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. 16 / 36
42 Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = / 36
43 Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = 0. Taking enough cipher texts from the original system one can determine the coefficients. 16 / 36
44 Matsumoto-Imai scheme (MI or C ) 1988 Broken by Patarin (1995): If Y = X qθ +1 XY qθ = X q2θ Y. From this one receives a system of equations of type α ij x i y j + β i x i + γ i y i + δ = 0. Taking enough cipher texts from the original system one can determine the coefficients. For a given y (cipher text) we can then solve the linear equations to get x (plain text). 16 / 36
45 (C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. 17 / 36
46 (C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? 17 / 36
47 (C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! 17 / 36
48 (C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? 17 / 36
49 (C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? Multiply input of F by α multiply output by β := F (α) = α qθ / 36
50 (C ) or SFLASH Construction Remove r public polys: P = (p 1 (x),...,p n r (x)) = R T P S. How to attack this? (Dubious, Fouque, Shamir, Stern; 2007) T randomly samples linear space V spanned by the n quadratic equations generated via P S. Only n r of the n samples Recover the missing ones? Transform T : T = T A applying matrices A. Several samples of V, several different linearly independent equations! Only have the public polynomials How to compute T A? Multiply input of F by α multiply output by β := F (α) = α qθ + 1. Find matrix B such that R T A P S = R T P S B. 17 / 36
51 How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S 18 / 36
52 How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = / 36
53 How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = Not so many good choices for B. 18 / 36
54 How to get B? (C ) or SFLASH W = linear space spanned by all possible quadratic expressions V = linear space spanned by quadratic expressions of T P S V R = linear space spanned by quadratic expressions of R T P S Example: SFLASHv3 n = 67, r = 11 dim(v R ) = 56, dim(v) = 67, dim(w) = Not so many good choices for B. In particular q n2 possible matrices over F q but only q n elements in E. good matrices corresponding to extension field multiplication form tiny linear subspace. 18 / 36
55 (C ) or SFLASH Last step Find good matrices using the fact that they preserve the membership of the output quadratic equations in V. ( Bad matrices are extremely unlikely to have this property as V is very sparse in W.) 19 / 36
56 (C ) or SFLASH Last step Find good matrices using the fact that they preserve the membership of the output quadratic equations in V. ( Bad matrices are extremely unlikely to have this property as V is very sparse in W.) Either solve quadratic equations in n 2 variables, not so efficient. Or use the differential operator to get bivariate bilinear equations from univariate quadratic ones (working since F (X) = X qθ +1 ): DF (a,x) = F (a + X) F (a) F (X) + F (0) = ax qθ + a qθ X. 19 / 36
57 Other generalizations of C Generalize F to a univariate polynomial of a given degree d (HFE). F (X) = i,q θ i +q η i d Broken by Faugère and Joux in HFE with removing equations (HFE-). α i X qθ i +q η i Use more than one polynomial for F (multi-c, multi-hfe). Use intermediate field equations (IFS). Perturb polynomials or add some auxiliary variable Y (vinegar variable) / 36
58 Other generalizations of C Generalize F to a univariate polynomial of a given degree d (HFE). F (X) = i,q θ i +q η i d Broken by Faugère and Joux in HFE with removing equations (HFE-). α i X qθ i +q η i Use more than one polynomial for F (multi-c, multi-hfe). Use intermediate field equations (IFS). Perturb polynomials or add some auxiliary variable Y (vinegar variable).... All those schemes are based on hidden fields and extensions. 20 / 36
59 1 Introduction to public key cryptography 2 Construction of MPKC 3 Examples of MPKC schemes: Hidden fields 4 Examples of MPKC schemes: Oil & Vinegar 21 / 36
60 In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) 22 / 36
61 In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) V and O are balanced: v = o, n = 2v = 2o. There are v = o private polynomials in F. 22 / 36
62 In general: Oil and Vinegar scheme (OV) Trapdoor achieved by special structure of private polynomials, not by field extensions. Structure given by distinguishing set of variables: n = v + o variables, V := {u 1,...,u v } (vinegar) and O := {u v+1,...,u n } (oil) V and O are balanced: v = o, n = 2v = 2o. There are v = o private polynomials in F. Structure of private polynomials f k (u) = i V,j V i j α ijk u i u j + β ijk u i u j. i V,j O There are no quadratic terms in two oil variables. 22 / 36
63 Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m 23 / 36
64 Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. 23 / 36
65 Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. Those linear equations are invertible with high probability. 23 / 36
66 Oil and Vinegar scheme (OV) In matrix representation the private polynomials look like the following: V V V O F k = for 1 k o O V O m m Having a message of length v we fix variables u 1,...,u v in F and receive linear equations in the remaining o variables. Those linear equations are invertible with high probability. Public polynomials Apply secret transformations S and T to receive P as random MQ polynomials. In this setting T does not add any further security, so we can assume the identity. 23 / 36
67 Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. 24 / 36
68 Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = / 36
69 Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space 24 / 36
70 Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space Thus the image V of the vinegar subspace under S is a common eigenspace for each P i P 1 j, 1 i < j o. 24 / 36
71 Attacking OV (Kipnis, Shamir; 1998) Try to separate vinegar and oil variables in the public polynomials. Search for an equivalent representation F S = P = F S. Exploit balance between v and o: v = o. Due to this each F i maps the oil subspace u 1 =... = u v = 0 to the vinegar subspace u v+1 =... = u n = 0. If F j is invertible (high probability) then F i F 1 j on itself. maps the vinegar space Thus the image V of the vinegar subspace under S is a common eigenspace for each P i P 1 j, 1 i < j o. Efficient algorithms for computing eigenspaces by Kipnis and Shamir Get V, find O such that O + V = F n q (separating vinegar and oil). Get (F,S ) isomorphic to (F,S). 24 / 36
72 Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. 25 / 36
73 Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. Be careful The previous attack works in a probabilistic fashion also for v > o. It has complexity O(q v m 1 m 4 ) = O(q n 2m 1 m 4 ). Thus one should take at least v 3m. 25 / 36
74 Unbalancing OV UOV This attack works due to v = o unbalance v and o: v > o. In general: n = v + o, m = n v, v > m, m polynomials. Be careful The previous attack works in a probabilistic fashion also for v > o. It has complexity O(q v m 1 m 4 ) = O(q n 2m 1 m 4 ). Thus one should take at least v 3m. Size problem Enlarging v and o the key sizes get, at some point, too big for practical applications. 25 / 36
75 Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. 26 / 36
76 Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. Often the rank of the matrices corresponding to F is restricted (e.g. in HFE via degree, in UOV by the choice of v and o.) 26 / 36
77 Why do we need big values for v and o? Due to another attack by Kipnis and Shamir that we can interpret as a Minrank problem (NP-complete). Minrank (n, k, r) problem Given M 0,...,M k M n n (F q ), find (λ 1,...,λ k ) F k q such that rank ( k i=1λ i Mi M0 ) r. Often the rank of the matrices corresponding to F is restricted (e.g. in HFE via degree, in UOV by the choice of v and o.) rank ( m i=1λ i P i ) r. 26 / 36
78 Somewhere over the Rainbow... Try to improve security by using several layers of UOV 27 / 36
79 Somewhere over the Rainbow... Try to improve security by using several layers of UOV Rainbow scheme with L layers Defined by a tuple (q,v 1,...,v L+1 ) Preset 0 < v 1 < v 2 <... < v L+1 = n, # vinegar variables of the different layers. # oil variables o l = v l+1 v l for 1 l L. Each layer l consists of o l polynomials f vl v 1 +1,...,f vl+1 v 1 where we set m := L l=1 o l. For each such level we have vinegar variables V l = {u 1,...,u vl } and oil variables O l = {u vl +1,...,u vl+1 }. 27 / 36
80 Rainbow (q,6,12,17,22,33) 4-layered Rainbow with m = (12 6) + (17 12) + (22 17) + (33 22) = 27 polynomials. Classical Minrank attack 6 polynomials in first layer of rank r = 12. Prob(random vector in ker( m i=1 λ i P i )) = 1 q r. For such a vector w we have ( m i=1 λ i P i )w = 0. Linear in λ 1,...,λ m. Since n > m we can just use linear algebra. Complexity O(q r m 3 ) = O(q ). 28 / 36
81 Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk =
82 Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27
83 Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 T
84 Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = w1 = F1w T,...,w6 = F6w T T ˆ= Prob(w i linearly independent) = 5 i=0 (1 qi q 6 ) < 1 1 q.
85 Rainbow (q,6,12,17,22,33) Improved attack (Billet, Gilbert; 2006) 6 For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 Prob (( 6 i=1 λ if i ) w = 0 ) > 1 q. T (1 qi q 6 ) < 1 1 q.
86 Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 (1 qi < 1 1 q. (( Prob 6 i=1 λ ) ) if i w = 0 > 1 q. Prob(random vector of type w) = 1 q 6 ( Afterwards linear algebra as in standard Minrank attack: O 27 3) T q 6 ) 29 / 36
87 Improved attack (Billet, Gilbert; 2006) 6 Rainbow (q,6,12,17,22,33) For 1 k 6 : Fk = w = 6 27 w1 = F1w T,...,w6 = F6w T ˆ= 6 27 Prob(w i linearly independent) = 5 i=0 (1 qi < 1 1 q. (( Prob 6 i=1 λ ) ) if i w = 0 > 1 q. Prob(random vector of type w) = 1 q 6 ( Afterwards linear algebra as in standard Minrank attack: O 27 3) T q 6 ) O ( q ) 29 / 36
88 Rainbow (2 8,18,30,42) O18 12 F k = O12 12 O12 12 F k = O12 18 O12 12 O12 12 O12 12 for 1 k 12 (first layer) for 13 k 24 (second layer) 30 / 36
89 Rainbow (2 8,18,30,42) O18 12 F k = O12 12 O12 12 F k = O12 18 O12 12 O12 12 O12 12 for 1 k 12 (first layer) for 13 k 24 (second layer) Direct key recovery attack 24 random public polynomials, need to find S Mat(42 42,F q ) and T Mat(24 24,F q ). Structure of F = System of polynomial equations in entries of S and T for corresponding zero coefficients. (v 1 + o 1 + o 2 ) 2 + (o 1 + o 2 ) 2 = = 2340 variables. (o 1 + o 2 ) O 2 O 2 + o 1 ( (V 1 O 1 ) O 2 )+ o 1 ( O 1 O 1 ) = 7128 (non-linear )equations. Complexity: O ( ) (or: forget it!) 30 / 36
90 Again idea of equivalent keys Rainbow (2 8,18,30,42) 31 / 36
91 Again idea of equivalent keys Rainbow (2 8,18,30,42) S = O T = O O12 18 O / 36
92 Again idea of equivalent keys Rainbow (2 8,18,30,42) S = O T = O O12 18 O Equivalent key attack (T F S = P = T F S ) 24 random public polynomials, need to find S Mat(42 42,F q ) and T Mat(24 24,F q ). v 1 o 1 + v 1 o 2 + o 1 o 2 + o 1 o 2 = 720 variables. # equations stays the same, but o 1 V 1 O 2 are no longer cubic, but quadratic (first v 1 variables in S are set!) 2592 quadratic (bihomogeneous in s ij and t kl ) and 4536 cubic equations. Complexity: O ( 2 374) (or: still, forget it!) 31 / 36
93 Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack 32 / 36
94 Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack O18 12 O O11 12 S n = O O12 11 T 1 = O O12 18 O / 36
95 Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack O18 12 O O11 12 S n = O O12 11 T 1 = O O12 18 O We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). 32 / 36
96 Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack O18 12 O O11 12 S n = O O12 11 T 1 = O O12 18 O We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 32 / 36
97 Rainbow (2 8,18,30,42) Remove information: good keys resp. Rainbow band separation attack O18 12 O O11 12 S n = O O12 11 T 1 = O O12 18 O We can only recover zero coefficients for xn 2 terms (for all private polynomials) and for x k x n terms (for 1 k n 1 and only for first private polynomial). (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 = 42 variables in 65 equations? 32 / 36
98 Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) 33 / 36
99 Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) We can recover zero coefficients for x 2 n terms only for the last o 2 private polynomials and for x k x n terms only for 1 k v 1 and only for the first private polynomial. 33 / 36
100 Rainbow (2 8,18,30,42) Metacryptography Not breaking a system, but breaking an attack :) We can recover zero coefficients for x 2 n terms only for the last o 2 private polynomials and for x k x n terms only for 1 k v 1 and only for the first private polynomial. (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 2 quadratic equations for o k o 1 + o 2 (k,n,1) v 1 quadratic equations for 1 k v 1 = 42 variables in 31 equations. 33 / 36
101 Rainbow (2 8,18,30,42) Fix attack by adding more rows to T : 34 / 36
102 Rainbow (2 8,18,30,42) Fix attack by adding more rows to T : Minimal system received with 3 rows in T and S n. v 1 + o o 2 = 66 variables. 3 cubic equations, 66 quadratic equations. Complexity: Still O ( 2 231) (or: well, you know) 34 / 36
103 Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) 35 / 36
104 Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! 35 / 36
105 Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 65 equations in 42 variables ( Complexity: O 2 95) 35 / 36
106 Rainbow (2 8,18,30,42) Metametacryptography Not breaking a system, but breaking the attack on an attack :) The Rainbow band separation attack is really working out! (v 1 + o 1 ) + o 2 = 42 variables (n,n,1) 1 cubic equation. (n,n,k) o 1 + o 2 1 quadratic equations for 2 k o 1 + o 2 (k,n,1) v 1 + o 1 + o 2 1 quadratic equations for 1 k n 1 65 equations in 42 variables ( Complexity: O 2 95) Still not feasible, but now we have new ideas. 35 / 36
107 References [1] Bettale, L., Faugère, J.-C., and Perret, L. Cryptanalysis of HFE, Multi-HFE and Variants for Odd and Even Characteristic, PKC 2011 [2] Billet, O. and Gilbert, H. Cryptanalysis of Rainbow, Security and Cryptography for Networks [3] Ding, J. and Schmidt, D. Rainbow, a new multivariable polynomial signature scheme, Conference on Applied Cryptography and Network Security [4] Ding, J. and Yang, B.-Y. Multivariate Public Key Cryptography, [5] Kipnis, A. and Shamir, A. Cryptanalysis of the Oil and Vinegar Signature Scheme, Crypto 1998 [6] Matsumoto, T. and Imai, H. Public Quadratic Polynomial Tuples for Efficient Signature Verification and Message Encryption, Eurocrypt 1988 [7] Patarin, J. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 88, Crypto 1995 [8] Patarin, J. Hidden Field Equations (HFE) and Isomorphisms of Polynomials, Eurocrypt 1996 [9] Patarin, J. The Oil and Vinegar Algorithm for Signatures, presented at Dagstuhl workshop on Cryptography 1997 [10] Thomae, E. About the Security of Multivariate Quadratic Public Key Schemes, PhD thesis, Ruhr Universtiy Bochum, Germany [11] Wolf, C. and Preneel, B. Superfluous keys in Multivariate Quadratic asymmetric systems, PKC / 36
Inoculating Multivariate Schemes Against Differential Attacks
Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,
More informationMI-T-HFE, a New Multivariate Signature Scheme
MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationMultivariate Public Key Cryptography
Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016 Outline Outline What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems,
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationSimple Matrix Scheme for Encryption (ABC)
Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationCryptanalysis of the Oil & Vinegar Signature Scheme
Cryptanalysis of the Oil & Vinegar Signature Scheme Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Dept. of Applied Math, Weizmann Institute, Israel Abstract. Several multivariate algebraic
More informationOil-Vinegar signature cryptosystems
Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science
More informationTOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor
TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor Wuqiang Shen and Shaohua Tang School of Computer Science & Engineering, South China University of Technology, Guangzhou 510006,
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationA Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary
More informationCryptanalysis of Simple Matrix Scheme for Encryption
Cryptanalysis of Simple Matrix Scheme for Encryption Chunsheng Gu School of Computer Engineering, Jiangsu University of Technology, Changzhou, 213001, China {chunsheng_gu}@163.com Abstract. Recently, Tao
More informationLinearity Measures for MQ Cryptography
Linearity Measures for MQ Cryptography Simona Samardjiska 1,2 and Danilo Gligoroski 1 Department of Telematics, NTNU, Trondheim, Norway, 1 FCSE, UKIM, Skopje, Macedonia. 2 simonas@item.ntno.no,simona.samardjiska@finki.ukim.mk,
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationCryptanalysis of the HFE Public Key Cryptosystem by Relinearization
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA
More informationNew candidates for multivariate trapdoor functions
New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg, Maryland,
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationAnalysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields
Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding 1, Ray Perlner 2, Albrecht Petzoldt 2, and Daniel Smith-Tone 2,3 1 Department of Mathematical Sciences, University of Cincinnati, Cincinnati,
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More informationHidden Pair of Bijection Signature Scheme
Hidden Pair of Bijection Signature Scheme Masahito Gotaishi and Shigeo Tsujii Research and Development Initiative, Chuo University, 1-13-27 Kasuga, Tokyo, Japan, 112-8551 gotaishi@tamaccchuo-uacjp http://wwwchuo-uacjp/chuo-u/rdi/index
More informationDifferential Cryptanalysis for Multivariate Schemes
Differential Cryptanalysis for Multivariate Schemes Jacques Stern Joint work with P. A. Fouque and L. Granboulan École normale supérieure Differential Cryptanalysis for Multivariate Schemes p.1/23 MI Cryptosystem
More informationGröbner Bases Techniques in Post-Quantum Cryptography
Gröbner Bases Techniques in Post-Quantum Cryptography Ludovic Perret Sorbonne Universités, UPMC Univ Paris 06, INRIA Paris LIP6, PolSyS Project, Paris, France Post-Quantum Cryptography Winter School, Fukuoka,
More informationIsomorphism of Polynomials : New Results
Isomorphism of Polynomials : New Results Charles Bouillaguet, Jean-Charles Faugère 2,3, Pierre-Alain Fouque and Ludovic Perret 3,2 Ecole Normale Supérieure {charles.bouillaguet, pierre-alain.fouque}@ens.fr
More informationRGB, a Mixed Multivariate Signature Scheme
Advance Access publication on 7 August 2015 RGB, a Mixed Multivariate Signature Scheme Wuqiang Shen and Shaohua Tang c The British Computer Society 2015. All rights reserved. For Permissions, please email:
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationSmall Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems
Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems Albrecht Petzoldt 1, Enrico Thomae, Stanislav Bulygin 3, and Christopher Wolf 4 1,3 Technische Universität Darmstadt
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology 2 University of Louisville 7th
More informationOn Enumeration of Polynomial Equivalence Classes and Their Application to MPKC
On Enumeration of Polynomial Equivalence Classes and Their Application to MPKC Dongdai Lin a, Jean-Charles Faugère b, Ludovic Perret b, Tianze Wang a,c a SKLOIS, Institute of Software, Chinese Academy
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationEfficient variant of Rainbow using sparse secret keys
Takanori Yasuda 1, Tsuyoshi Takagi 2, and Kouichi Sakurai 1,3 1 Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan 2 Institute of Mathematics for Industry, Kyushu University,
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationPublic key cryptography using Permutation P-Polynomials over Finite Fields
Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,
More informationPublic-Key Identification Schemes based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011 Motivation Finding a new alternative
More informationOn the Security and Key Generation of the ZHFE Encryption Scheme
On the Security and Key Generation of the ZHFE Encryption Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. At
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationMultivariate Public Key Cryptography
Multivariate Public Key Cryptography Jintai Ding 1 and Bo-Yin Yang 2 1 University of Cincinnati and Technische Universität Darmstadt. 2 Academia Sinica and Taiwan InfoSecurity Center, Taipei, Taiwan. Summary.
More informationRank Analysis of Cubic Multivariate Cryptosystems
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus
More informationRoots of Square: Cryptanalysis of Double-Layer Square and Square+
Roots of Suare: Cryptanalysis of Double-Layer Suare and Suare+ Full Version Enrico Thomae, Christopher Wolf Horst Görtz Institute for IT-security Faculty of Mathematics Ruhr-University of Bochum, 44780
More informationHFERP - A New Multivariate Encryption Scheme
- A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University
More informationCryptanalysis of the Tractable Rational Map Cryptosystem
Cryptanalysis of the Tractable Rational Map Cryptosystem Antoine Joux 1, Sébastien Kunz-Jacques 2, Frédéric Muller 2, and Pierre-Michel Ricordel 2 1 SPOTI Antoine.Joux@m4x.org 2 DCSSI Crypto Lab 51, Boulevard
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationDifferential Algorithms for the Isomorphism of Polynomials Problem
Differential Algorithms for the Isomorphism of Polynomials Problem Abstract. In this paper, we investigate the difficulty of the Isomorphism of Polynomials (IP) Problem as well as one of its variant IP1S.
More informationTaxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations
Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations Christopher Wolf, and Bart Preneel {Christopher.Wolf, Bart.Preneel}@esat.kuleuven.ac.be chris@christopher-wolf.de
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationSolving Underdetermined Systems of Multivariate Quadratic Equations Revisited
Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited Enrico Thomae and Christopher Wolf Horst Görtz Institute for IT-security Faculty of Mathematics Ruhr-University of Bochum,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationMXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy
MXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy Mohamed Saied Emam Mohamed 1, Wael Said Abd Elmageed Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB
More informationRésolution de systèmes polynomiaux structurés et applications en Cryptologie
Résolution de systèmes polynomiaux structurés et applications en Cryptologie Pierre-Jean Spaenlehauer University of Western Ontario Ontario Research Center for Computer Algebra Magali Bardet, Jean-Charles
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationComparison between XL and Gröbner Basis Algorithms
Comparison between XL and Gröbner Basis Algorithms Gwénolé Ars 1, Jean-Charles Faugère 2, Hideki Imai 3, Mitsuru Kawazoe 4, and Makoto Sugita 5 1 IRMAR, University of Rennes 1 Campus de Beaulieu 35042
More informationA Study of the Security of Unbalanced Oil and Vinegar Signature Schemes
1 A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes An Braeken, Christopher Wolf, and Bart Preneel K.U.Leuven, ESAT-COSIC http://www.esat.kuleuven.ac.be/cosic/ Kasteelpark Arenberg
More informationComputational and Algebraic Aspects of the Advanced Encryption Standard
Computational and Algebraic Aspects of the Advanced Encryption Standard Carlos Cid, Sean Murphy and Matthew Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20
More informationA Public Key Block Cipher Based on Multivariate Quadratic Quasigroups
A Public Key Block Cipher Based on Multivariate Quadratic Quasigroups Danilo Gligoroski 1 and Smile Markovski 2 and Svein Johan Knapskog 3 1 Department of Telematics, Faculty of Information Technology,
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationOn the Security of HFE, HFEv- and Quartz
On the Security of HFE, HFEv- and Quartz Nicolas T. Courtois 1, Magnus Daum 2,andPatrickFelke 2 1 CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP 45, 78430Louveciennes Cedex, France courtois@minrank.org
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationAn Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme
An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme Dustin Moody 1, Ray Perlner 1, and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg,
More informationComputers and Electrical Engineering
Computers and Electrical Engineering 36 (2010) 56 60 Contents lists available at ScienceDirect Computers and Electrical Engineering journal homepage: wwwelseviercom/locate/compeleceng Cryptanalysis of
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationEtude d hypothèses algorithmiques et attaques de primitives cryptographiques
Etude d hypothèses algorithmiques et attaques de primitives cryptographiques Charles Bouillaguet École normale supérieure Paris, France Ph.D. Defense September 26, 2011 Introduction Modes of Operation
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Andreas Hülsing, Joost Rijneveld, Simona Samardjiska, and Peter Schwabe 30 June 2016 1 / 31 Our take on PQ-Crypto Prepare for actual use Reliable
More informationDifferential Security of the HF Ev Signiture Primitive
Differential Security of the HF Ev Signiture Primitive Ryann Cartor 1 Ryan Gipson 1 Daniel Smith-Tone 1,2 Jeremy Vates 1 1 University of Louisville 2 National Institute of Standards and Technology 25th
More informationThe XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty
The XL and XSL attacks on Baby Rijndael by Elizabeth Kleiman A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics
More informationAn Efficient Broadcast Attack against NTRU
An Efficient Broadcast Attack against NTRU Jianwei Li, Yanbin Pan, Mingjie Liu, Guizhen Zhu Institute for Advanced Study, Tsinghua University Beijing 00084, China {lijianwei0, liu-mj07, zhugz08}@mailstsinghuaeducn
More informationFaster Satisfiability Algorithms for Systems of Polynomial Equations over Finite Fields and ACC^0[p]
Faster Satisfiability Algorithms for Systems of Polynomial Equations over Finite Fields and ACC^0[p] Suguru TAMAKI Kyoto University Joint work with: Daniel Lokshtanov, Ramamohan Paturi, Ryan Williams Satisfiability
More informationSolving Underdefined Systems of Multivariate Quadratic Equations
Solving Underdefined Systems of Multivariate Quadratic Equations Nicolas Courtois 1, Louis Goubin 1, Willi Meier 2, and Jean-Daniel Tacier 2 1 CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse,
More informationChapter 1 Vector Spaces
Chapter 1 Vector Spaces Per-Olof Persson persson@berkeley.edu Department of Mathematics University of California, Berkeley Math 110 Linear Algebra Vector Spaces Definition A vector space V over a field
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationLattice Reduction Attack on the Knapsack
Lattice Reduction Attack on the Knapsack Mark Stamp 1 Merkle Hellman Knapsack Every private in the French army carries a Field Marshal wand in his knapsack. Napoleon Bonaparte The Merkle Hellman knapsack
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationNew Insight into the Isomorphism of Polynomial Problem IP1S and its Use in Cryptography
New Insight into the Isomorphism of Polynomial Problem IP1S and its Use in Cryptography Gilles Macario-Rat 1, Jérôme Plut 2, and Henri Gilbert 2 1 Orange Labs 38 40, rue du Général Leclerc, 92794 Issy-les-Moulineaux
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationAn Improved Affine Equivalence Algorithm for Random Permutations
An Improved Affine Equivalence Algorithm for Random Permutations Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. In this paper we study the affine equivalence problem,
More informationHidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith
Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith 2 Pairings in cryptography Elliptic curves have become an important tool in cryptography and pairings have
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationPIT problems in the light of and the noncommutative rank algorithm
PIT problems in the light of and the noncommutative rank algorithm Gábor Ivanyos MTA SZTAKI Optimization, Complexity and Invariant Theory, IAS, June 4-8, 2018. PIT problems in this talk Determinant: det(x
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More information