Oil-Vinegar signature cryptosystems

Transcription

1 Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science and Technology 1

2 1. Introduction 2. The Oil-Vinegar signature schemes ( balanced and unbalanced ) 3. The attacks 4. The generalizations 2

3 1 Introduction Multivariable public key signature cryptosystems: The public key - verifier is given as: G(x 1,..., x n ) = (G 1 (x 1,..., x n ),..., G m (x 1,..., x n )), which is the public key. Any document (its hash value) D = (y 1,..., y m ) has a signature S = (x 1,..., x n), and accpet it only if G(S) = D. The secret key is something that allows one to find S once we are given D. 3

4 The first one of Ong-Schnorr-Shamir ( OSS ) 1985: b the message ot its hash. y 2 ax 2 = b mod(p 1 p 2 ) But it is defeated in 1987 by Pollard-Schnorr. 4

5 The origin of Oil-Vinegar. The inspiration is from the linearization equations (LEs) satisfied by the MI system: aij x i y j + b i x i + c i y j + d = 0, where (x 1,..., x n ) is the plaintext, and (y 1,..., y n ) the ciphertext. Patarin transformed an attack method into a method to build cryptosystems. 5

6 2 Oil-Vinegar Oil-Vinegar is a design for signatures Oil and Vinegar construction (Patarin, Kipnis, Goubin) uses the idea that certain quadratic equations can be easily solved if we are allowed to guess a few variables like the case of LE attack. 6

7 Let k be a finite field. The key construction is a map F from k o+v to k o : F (x 1,.., x o, x 1,.., x v ) = (F 1 (x 1,.., x o, x 1,.., x v),..., F o (x 1,.., x o, x 1,.., x v)), and each F l is in the form: 7

8 F l (x 1,..., x o, x 1,..., x v) = al,i,j x i x j + b l,i,j x i x j + c l,i x i + d l,j x j + e l where x i, i = 1,..., o, are the Oil variables and x j, j = 1,..., v, are the Vinegar variables in the finite field k. 8

9 We call such a type of polynomial an Oil and Vinegar polynomial. The reason that it is called Oil and Vinegar scheme is due to the fact that in the quadratic terms the Oil and Vinegar variables are not fully mixed (like oil and vinegar). 9

10 This allows us to find one solution easily for any equation of the form F (x 1,..., x o, x 1,..., x v) = (y 1,..., y o ), when (y 1,..., y o ) is given. To find one solution, one just needs to randomly choose values for the Vinegar variables and plug them into the equations above, which will produce a set of o linear equations with o variables. 10

11 This should, with a good probability, give us a solution. If it does not, one can try again by selecting different values for the Vinegar variables, until one succeeds in finding a solution. Roughly the probability is near 1 1/q, but bigger in general. 11

12 Toy example We use the finite field k = GF [2]/(x 2 + x + 1) with 2 2 elements. We denote the elements of the field by the set {0, 1, 2, 3 } to simplify the notation. Here 0 represent the 0 in k, 1 for 1, 2 for x, and 3 for 1 + x. In this case, = 2 and 2 3 = 1. 12

13 F 1 (x 1, x 2, x 1, x 2) = 1 + x 1 + x x 1 x x 1x 2 + x 2 2 F 2 (x 1, x 2, x 1, x 2) = x x x 1 x 2 + x 2 x 2 + x 1x 2 + x 2 1 Let x 1 = 0, x 2 = 1 : F 1 = 3 x F 2 = x x 1 13

14 This family of cryptosystems is designed specifically for signature schemes, where we need only to find one solution for a given set of equations and not a unique solution. 14

15 Once we have this map F, we hide it by composing it from the left and the right sides by two invertible affine linear maps L 1 and L 2, in the same way as it was done in the construction of MI cryptosystem. Since L 1 is on k o and L 2 on k o+v, this generates a quadratic map F = L 1 F L 2 from k o+v to k o ( means composition of two maps). L 1 is not necessary due to randomness of F. The pubic key F = F L 15

16 3 Attack The balanced Oil and Vinegar scheme is characterized by o = v, but it was defeated by Kipnis and Shamir using matrices related to the bilinear forms defined by quadratic polynomials. For the unbalanced Oil and Vinegar scheme, v > o, it was shown (Kipnis, Patarin, Goubin) that a specific attack has a complexity of roughly q v o 1 o 4, when v o. This means, that if o is not too large (< 100) and a given fixed field of size q, then v o should be large enough, but also not too large, to ensure the security of the scheme. 16

17 3.1 Balanced case, o=v The basis idea: Given any quadratic polynomial, we can associate a symmetric matrix. Let f(x 1,..., x n ) = a ij x i x j +... H = (a ij ). H = H + H t. For casesa that is not of characteristic 2, 2f(x 1,..., x n ) = (x 1,..., x n )H(x 1,..., x n ) t. 17

18 Base change If f (x 1,..., x n ) = f L(x 1,.., x n ), L(x 1,..., x n ) = (x 1,..., x n ) T, then H = T HT t, wher H is the matrix for f. 18

19 To simplify the exposition, let s assume that k to be a field of odd characteristic and the case of characteristic 2 is essentially the same, but subtle. Let s now assume that an attacker has the public key, namely the set of polynomials F i, i = 1,..., v with 2v variables, z 1,..., z 2v and the field structure of k. Let Z = (z 1,..., z 2v ) be the 2v dimensional vector. 19

20 For each F i, let s look at its quadratic part, which we denote by F i 0. We know that there exists an unique 2v 2v symmetric square matrix M i such that where Z t is the transpose of Z. F 0 i (Z) = Z M i Z t, For each F i, we will denote its quadratic part by F 0 i. Similarly we have F 0 i (Z) = Z M i Z t. where z 1,..., z v are the Oil variables, z v+1,..., z 2v are the Vinegar variables and M i as a matrix is in the special form: M i = ( 0 B i1 B t i1 B i2 ), where 0 here is a v v zero matrix and B ij are v v matrices. 20

21 Let u 1 and u 2 be any two vectors in O = {(z 1,.., z v, 0,.., 0)}, the Oil-space, then u 1 M i u t 2 = 0. V = {(0,..., 0, z v+1,.., z 2v )} 21

22 Let L(Z) = Z A + a, where A is a 2v 2v matrix and a a vector in k 2v. The matrix relations F 0 i (Z) = Z M i Z t = F 0 i (L(Z)) = Z A M i A t Z t, which implies that M i = A M i A t. Therefore M i = A 1 M i (A 1 ) t. The M i are all known, this implies that we break the system, essentially if we can find this matrix A 1 such that we can change all the M i into the form just like M i, where the submatrix consisting elements of all the first v rows and columns are all zero. 22

23 Let U be an invertible linear map on k 2v such that Then we have that U(Z) = Z ( U 11 0 U 21 U 22 ). F 0 i (U(Z)) = Z U M i U t Z t, and clearly we can compute to derive that U M i U t = ( 0 C i1 C t i1 C i2 ). This tells that there does not just exist one such A 1 ( or its constant multiples) which we gives what we need to break the system but rather there are a large family of them and we need only to find one of them. 23

24 . The problem. If we have a set of symmetric 2v 2v matrices M i, i = 1,.., v, how do we find a matrix Ā such that all Ā MĀt are in the form of ( 0 ). The key property of U is that O is an invariant subspace of U, therefore what we need to do is to find a v dimensional subspace such that any two vectors u 1 and u 2 satisfies the property u 1 Mi u t 2 = 0 as the O space, which as we know is the image subspace of O under the action of A 1. 24

25 Let M be the linear subspace of matrices spanned by M i. Because each M i are randomly chosen, if we randomly choose an element W 1 in M, we have roughly a probability (1 1/q) to derives a nonsingular matrix. Let s assume that we have choose two such elements W i, i = 1, 2. Let Ŵ = W 2 ( W 1 ) 1 This is the key operator we will use. 25

26 Definition For the vector space k n, let H be a linear map over V. A linear subspace S of the space is called invariant under H if for any s S, H(s) S. If we choose a basis in the form s 1,.., s m, v 1,..., v l, where s 1,..., s m is a basis of S, then the corresponding matrix for H is in the form of ( 0 ). 26

27 Let E be a (v + v) v + v matrix such that E = ( 0 E 12 E 2,1 E 22 ), where 0 is the v v zero matrix and E 22 is an v v matrix. 27

28 Lemma For any matrix E 1, and E 2 as in the form defined above, as a linear operator acting on a the row space k v+v, we have that a) E i maps the Oil subspace into the Vinegar subspace and if the matrix E 1 i exists, it maps the Oil subspace into the Vinegar subspace; b) If the matrix Ei 1 exists, then the image of the Vinegar subspace by Ei 1 is eaxctly the Oil subspace in; c) The Oil subspace is invariant under the action of E 1 E

29 The random assumption tells that we have a very good probability that a random element in M is invertible. Let Ŵ i be a elements in the set of elements like W 29

30 Assume we have a number of such Ŵi, i = 1,...l < v 2. Let ω be the linear space spanned by Ŵi. It is clear that all elements in ω shares the same v dimensional invariant subspace. From linear algebra, we know that to find such a A t is equivalent to finding a v dimension subspace I v such that it is invariant under the action of all the Ŵi, which in this case should be unique once we have enough W i. The attack becomes a problem finding the common invariant subspace of Ŵ i, which can be solved. 30

31 There exists a matrix Ā such that ĀŴiĀ 1 = ( 0 ). Given W, the basic way to find the invariant subspace is give as Kernel(r(W )), where r(x) is a factor of the characteristic polynomial of W. W r(w ) = r(w )w. 31

32 An example. W = ( ). (1, 0) is the basis of the kernel of W 2I. An algorithm using the fact that a randomly chosen irreducible polynomial over a finite field of degree n is roughly 1/n. 32

33 Let D = ( D 1 0 D 3 D2 ), where D i and 0 are v v matrices, then f(λ) = f 1 (λ)f 2 (λ), where f is the characteristic polynomial of D, and f 1, f 2 are the characteristic polynomials of D 1, D 2. Assume that one of the f i is irreducible and f 1 f 2, then O = kernel(f 1 (D)). 33

34 1. The attack steps. 2. Step 1. For each F i, we find it associated symmetric matrix M i, then we choose randomly any two matrix W 1 and W 2, which are both nonsingular. 3. Step 2. We calculate Ŵ = W 2 ( W 1 ) 1, compute its characteristic polynomials C(x). 4. Step 3. We factor C(x) into irreducible components. If one of the factors, which we call C 1 (x) is an irreducible polynomial, we move to the next step; otherwise we go back to Step 1. 34

35 5. Step 4 Let C 2 (x) = C(x) C 1 (x). Calculate C 1(Ŵ ) and C 2(Ŵ ). For each of these two matrix, we find a basis of the kernel of the linear operator acting through a right multiplication on a row vector. Then we establish a basis of the whole space of dimension v where the first v vector are the basis of either of the kernel. 6. Step 5 Then we apply a change of basis using either of the two basis we derived above to see which one will change the basis into the polynomials into a set of Oil-vinegar polynomials. 7. Step 6 An attacker then can use the same method as the legitimate user to forge a signature that will be accepted as a valid signature. 35

36 3.2 Unbalanced case The attack idea is very similar, but more subtle with a more probabilistic argument. The complexity relies on q v 0, which is probabilistic. 36

37 When v too large ( o 2 ), it is not secure for the reason that the real O space is actually much bigger. Other related results (Wolf, etc. Groebner basis analysis and linear approximation) 37

38 The document to be signed is a vector in k o and the signature is a vector in k o+v. This means that the signature is at least twice the size of the document and with a large v + o the system becomes less efficient. The next step? 38

39 4 Generalizations HFEv Rainbow TTS TRMS 39

40 Thanks and questions 40