Multivariate Public Key Cryptography
|
|
- Corey Miller
- 5 years ago
- Views:
Transcription
1 Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb
2 Outline
3 Outline
4 What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems, whose public keys are a set of multivariate polynomials
5 What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems, whose public keys are a set of multivariate polynomials The public key is given as: G(x 1,..., x n ) = (G 1 (x 1,..., x n ),..., G m (x 1,..., x n )). Here the G i (x 1,..., x n ) are multivariate polynomials over a finite field.
6 Encryption Any plaintext M = (x 1,..., x n) has the ciphertext: G(M) = G(x 1,..., x n) = (y 1,..., y m).
7 Encryption Any plaintext M = (x 1,..., x n) has the ciphertext: G(M) = G(x 1,..., x n) = (y 1,..., y m). To decrypt the ciphertext (y 1,..., y n), one needs to know a secret (the secret key), so that one can invert the map: G 1 to find the plaintext (x 1,..., x n). M = (x 1,..., x n) = G 1 (y 1,..., y m).
8 Toy example We use the finite field k = GF [2]/(x 2 + x + 1) with 2 2 elements.
9 Toy example We use the finite field k = GF [2]/(x 2 + x + 1) with 2 2 elements. We denote the elements of the field by the set {0, 1, 2, 3} to simplify the notation. Here 0 represent the 0 in k, 1 for 1, 2 for x, and 3 for 1 + x. In this case, = 2 and 2 3 = = 3 and 3 3 = 2.
10 A toy example G 0 (x 1, x 2, x 3 ) = 1 + x 2 + 2x 0 x 2 + 3x x 1x 2 + x 2 2 G 1 (x 1, x 2, x 3 ) = 1 + 3x 0 + 2x 1 + x 2 + x x 0x 1 + 3x 0 x 2 + x 2 1 G 2 (x 1, x 2, x 3 ) = 3x 2 + x x x 1x 2 + 3x 2 2
11 A toy example G 0 (x 1, x 2, x 3 ) = 1 + x 2 + 2x 0 x 2 + 3x x 1x 2 + x 2 2 G 1 (x 1, x 2, x 3 ) = 1 + 3x 0 + 2x 1 + x 2 + x x 0x 1 + 3x 0 x 2 + x 2 1 G 2 (x 1, x 2, x 3 ) = 3x 2 + x x x 1x 2 + 3x 2 2 For example, if the plaintext is: x 0 = 1, x 1 = 2, x 2 = 3, then we can plug into G 1, G 2 and G 3 to get the ciphertext y 0 = 0, y 1 = 0, y 2 = 1.
12 A toy example G 0 (x 1, x 2, x 3 ) = 1 + x 2 + 2x 0 x 2 + 3x x 1x 2 + x 2 2 G 1 (x 1, x 2, x 3 ) = 1 + 3x 0 + 2x 1 + x 2 + x x 0x 1 + 3x 0 x 2 + x 2 1 G 2 (x 1, x 2, x 3 ) = 3x 2 + x x x 1x 2 + 3x 2 2 For example, if the plaintext is: x 0 = 1, x 1 = 2, x 2 = 3, then we can plug into G 1, G 2 and G 3 to get the ciphertext y 0 = 0, y 1 = 0, y 2 = 1. This is a bijective map and we can invert it easily. This example is based on the Matsumoto-Imai cryptosystem.
13 Signature To sign the document hash value (y 1,..., y m), one needs to know (the secret key), so that one can invert the public key map: G 1 to find the signature (x 1,..., x n). S = (x 1,..., x n) = G 1 (y 1,..., y m).
14 Signature To sign the document hash value (y 1,..., y m), one needs to know (the secret key), so that one can invert the public key map: G 1 to find the signature (x 1,..., x n). S = (x 1,..., x n) = G 1 (y 1,..., y m). Given the pair:((x 1,..., x n)(y 1,..., y m)), anyone can verify the validity of the signature by checking if the following equality holds: G(x 1,..., x n) = (y 1,..., y m).
15 Theoretical Foundation Direct attack is to solve the set of equations: G(M) = G(x 1,..., x n ) = (y 1,..., y m).
16 Theoretical Foundation Direct attack is to solve the set of equations: G(M) = G(x 1,..., x n ) = (y 1,..., y m). - Solving a set of n randomly chosen equations (nonlinear) with n variables is NP-complete, though this does not necessarily ensure the security of the systems.
17 A quick historic overview Single variable quadratic equation Babylonian around 1800 to 1600 BC
18 A quick historic overview Single variable quadratic equation Babylonian around 1800 to 1600 BC Cubic and quartic equation around 1500 Tartaglia Cardano
19 A quick historic overview Single variable quadratic equation Babylonian around 1800 to 1600 BC Cubic and quartic equation around 1500 Tartaglia Cardano Multivariate system Buchberger : Gröobner Basis Hironaka: Standard basis
20 The hardness of the problem Single variable case Galois s work. Newton method continuous system Berlekamp s algorithm finite field and low degree
21 The hardness of the problem Single variable case Galois s work. Newton method continuous system Berlekamp s algorithm finite field and low degree Multivariate case: NP- hardness of the generic systems. Numerical solvers continuous systems Finite field case
22 Quadratic Constructions 1) Efficiency considerations lead to mainly quadratic constructions. G l (x 1,..x n ) = i,j α lij x i x j + i β li x i + γ l.
23 Quadratic Constructions 1) Efficiency considerations lead to mainly quadratic constructions. G l (x 1,..x n ) = i,j α lij x i x j + i β li x i + γ l. 2) Mathematical structure consideration: Any set of high degree polynomial equations can be reduced to a set of quadratic equations. is equivalent to x 1 x 2 x 3 = 5, x 1 x 2 y = 0 yx 3 = 5.
24 The view from the history of Mathematics(Diffie in Paris) RSA Number Theory the 18th century mathematics
25 The view from the history of Mathematics(Diffie in Paris) RSA Number Theory the 18th century mathematics ECC Theory of Elliptic Curves the 19th century mathematics
26 The view from the history of Mathematics(Diffie in Paris) RSA Number Theory the 18th century mathematics ECC Theory of Elliptic Curves the 19th century mathematics Multivariate Public key cryptosystem Algebraic Geometry the 20th century mathematics Algebraic Geometry Theory of Polynomial Rings
27 Early works Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong, Schnorr, Shamir etc
28 Early works Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong, Schnorr, Shamir etc Fast development in the late 1990s Patarin work as catalyst.
29 Outline
30 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )).
31 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )). Private key: a way to compute G 1.
32 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )). Private key: a way to compute G 1. Signing a hash of a document:
33 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )). Private key: a way to compute G 1. Signing a hash of a document: (x 1,..., x n ) G 1 (y 1,..., y m ).
34 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )). Private key: a way to compute G 1. Signing a hash of a document: (x 1,..., x n ) G 1 (y 1,..., y m ). Verifying: (y 1,..., y m )? = G(x 1,..., x n ). k, a small finite field.
35 A toy example over GF(3) G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x 2 3 Hash: G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 (y 1, y 2, y 3 ) = (0, 1, 1). G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x 2 1
36 A toy example over GF(3) G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x3 2 Hash: G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 (y 1, y 2, y 3 ) = (0, 1, 1). G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x1 2 A signature: (x 1, x 2, x 3 ) = (2, 0, 1)
37 A toy example over GF(3) G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x3 2 Hash: G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 (y 1, y 2, y 3 ) = (0, 1, 1). G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x1 2 A signature: (x 1, x 2, x 3 ) = (2, 0, 1) G 1 (2, 0, 1) = = 0 G 2 (2, 0, 1) = = 1 G 3 (2, 0, 1) = = 1
38 Security: polynomial solving. Signature for (y 1, y 2, y 3 ) = (0, 0, 0)?
39 Security: polynomial solving. Signature for (y 1, y 2, y 3 ) = (0, 0, 0)? G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x 2 3 = 0 G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 = 0 G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x 2 1 = 0
40 Security: polynomial solving. Signature for (y 1, y 2, y 3 ) = (0, 0, 0)? G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x 2 3 = 0 G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 = 0 G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x 2 1 = 0 Direct attack: difficulty of solving a set of nonlinear polynomial equations over a finite field.
41 How to construct G? A scheme by Kipnis, Patarin and Goubin (Eurocrypt 1999)
42 How to construct G? A scheme by Kipnis, Patarin and Goubin (Eurocrypt 1999) G = F L. F : nonlinear, easy to compute F 1. L: invertible linear, to hide the structure of F.
43 Unbalanced Oil-vinegar (uov) schemes F = (f 1 (x 1,.., x o, x 1,..., x v ),, f o (x 1,.., x o, x 1,..., x v )).
44 Unbalanced Oil-vinegar (uov) schemes F = (f 1 (x 1,.., x o, x 1,..., x v ),, f o (x 1,.., x o, x 1,..., x v )). f l (x 1,., x o, x 1,., x v ) = a lij x i x j + b lij x i x j + c li x i + d li x i +e l. Oil variables: x 1,..., x o. Vinegar variables: x 1,..., x v.
45 How to invert F? f l (x 1,., x o, x 1,., x v }{{} fix the values ) = alij x i x j + b lij x i x j + c li x i + d li x i + e l.
46 How to invert F? f l (x 1,., x o, x 1,., x v ) = alij x i x j + b lij x i x j + c li x i + d li x i + e l.
47 How to invert F? f l (x 1,., x o, x 1,., x v ) = alij x i x j + b lij x i x j + c li x i + d li x i + e l. F : linear in Oil variables: x 1,.., x o. = F : easy to invert.
48 Security analysis v o and v >> o not secure
49 Security analysis v o and v >> o not secure v = 2o, 3o
50 Security analysis v o and v >> o not secure v = 2o, 3o Direct attacks does not work.
51 Security analysis v o and v >> o not secure v = 2o, 3o Direct attacks does not work. The mathematical problem to find equivalent secret keys find the common null subspace spaces of a set of quadratic forms.
52 Security analysis v o and v >> o not secure v = 2o, 3o Direct attacks does not work. The mathematical problem to find equivalent secret keys find the common null subspace spaces of a set of quadratic forms. The problem above can also be transformed into solving a set of quadratic equations.
53 Rainbow Ding, Schmidtc 2005 Make F small without reducing security.
54 Rainbow Ding, Schmidtc 2005 Make F small without reducing security. G = L }{{} 1 F L 2. }{{} Hide the separation Hide L 1 F F = (F 1, F 2 ).
55 Rainbow Rainbow(18,12,12) over GF(2 8 ). F 1 : o 1 = 12, v 1 = OV polynomials: F 1 = (f 1 (x 1,..., x 30 ),..., f 12 (x 1,..., x 30 )). x 1,..., x }{{ 18, x } 19,..., x }{{ 30 } Vinegar Oil F 2 : o 2 = 12, v 2 = = OV polynomials: F 2 = (f 31 (x 1,..., x 42 ),..., f 42 (x 1,..., x 42 )). x 1,..x 18, x 19..., x }{{ 30, x } 31,..., x }{{ 42 } Vinegar Oil
56 Rainbow Rainbow(18,12,12)
57 Rainbow Rainbow(18,12,12) Signature 400 bits Hash 336 bits
58 Implementations IC for Rainbow: 804 cycles A joint work of Cincinnati and Bochum.(ASAP 2008)
59 Implementations IC for Rainbow: 804 cycles A joint work of Cincinnati and Bochum.(ASAP 2008) FPGA implementation by the research group of Professor Paar at Bochum (CHES 2009) Beat ECC in area and speed.
60 Side channel attack on Rainbow Natural Side channel attack resistance.
61 Side channel attack on Rainbow Natural Side channel attack resistance. Further optimizations.
62 Side channel attack on Rainbow Natural Side channel attack resistance. Further optimizations. Real implementations works done in Taiwan by Yang, Cheng.
63 Security
64 Security UOV: not broken since Rainbow MinRank problem MinRank problem find the (non zero) matrix of the minimum rank in the space spanned by a set of matrices.
65 Outline
66 Notation k is a small finite field with k = q
67 Notation k is a small finite field with k = q K = k[x]/(g(x)), a degree n extension of k and g(x) irreducible of degree n..
68 Notation k is a small finite field with k = q K = k[x]/(g(x)), a degree n extension of k and g(x) irreducible of degree n.. The standard k-linear invertible map φ : K k n, and φ 1 : k n K.
69 The idea of BIG field Proposed in 1988 by Matsumoto-Imai.
70 The idea of BIG field Proposed in 1988 by Matsumoto-Imai. Build up a map F over K: F = L 1 φ F φ 1 L 2. where the L i are randomly chosen invertible affine maps over k n
71 The idea of BIG field Proposed in 1988 by Matsumoto-Imai. Build up a map F over K: F = L 1 φ F φ 1 L 2. where the L i are randomly chosen invertible affine maps over k n The L i are used to hide F.
72 Hidden Field Public Key Cryptosystems K φ 1 F φ K k n { F 1,..., F n} k n
73 Encryption The MI construction: F : X X qθ +1.
74 Encryption The MI construction: F : X X qθ +1. Let F (x 1,..., x n ) = φ F φ 1 (x 1,..., x n ) = ( F 1,..., F n ).
75 Encryption The MI construction: F : X X qθ +1. Let F (x 1,..., x n ) = φ F φ 1 (x 1,..., x n ) = ( F 1,..., F n ). The F i = F i (x 1,..., x n ) are quadratic polynomials in n variables. Why quadratic? X qθ +1 = X qθ X.
76 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2.
77 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2. F 1 (X ) = X t such that: t (q θ + 1) 1 (mod q n 1).
78 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2. F 1 (X ) = X t such that: t (q θ + 1) 1 (mod q n 1). The public key includes the field structure of k, θ and F = ( F 1,.., F n ). The secret keys are L 1 and L 2.
79 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2. F 1 (X ) = X t such that: t (q θ + 1) 1 (mod q n 1). The public key includes the field structure of k, θ and F = ( F 1,.., F n ). The secret keys are L 1 and L 2. The first toy example is produced by setting n = 3 and θ = 2.
80 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2. F 1 (X ) = X t such that: t (q θ + 1) 1 (mod q n 1). The public key includes the field structure of k, θ and F = ( F 1,.., F n ). The secret keys are L 1 and L 2. The first toy example is produced by setting n = 3 and θ = 2. This scheme was defeated by linearization equation method by Patarin 1995.
81 HFE by Patarin etc The only difference from MI is that F is replaced by a new map given by: F (X ) = q i +q j D i,j=0 q i D a ij X qi +q j + Berlekamp-Massey algorithm to decrypt. The complexity O(D ω ). i=0 b i X qi + c.
82 HFE by Patarin etc The only difference from MI is that F is replaced by a new map given by: F (X ) = q i +q j D i,j=0 q i D a ij X qi +q j + Berlekamp-Massey algorithm to decrypt. The complexity O(D ω ). Patarin presented two challenges. i=0 b i X qi + c.
83 Direct Algebraic Attack Use efficient Gröbner basis (algebraic) algorithms to solve the system of equations: F 1 (x 1,..., x n ) = y 1 F 2 (x 1,..., x n ) = y 2 F n (x 1,..., x n ) = y n.
84 Direct Algebraic Attack Use efficient Gröbner basis (algebraic) algorithms to solve the system of equations: F 1 (x 1,..., x n ) = y 1 F 2 (x 1,..., x n ) = y 2 F n (x 1,..., x n ) = y n.
85 Direct Algebraic Attack Algorithm terminates significantly quicker on HFE systems than on random systems. How does the restriction on the degree D of P affect the complexity of algebraic solvers? Faugere and Joux broke Challenge 1 with 80 variables and claim Dreg is roughly log q (D). Kipnis-Shamir Minrank attack. Granboulan, Joux, Stern (Crypto 2006): If q = 2, complexity is quasi-polynomial.
86 Internal Perturbation (Internal) Perturbation was introduced at PKC 2004 as a general method to improve the security of multivariate public key cryptosystems.
87 Internal Perturbation (Internal) Perturbation was introduced at PKC 2004 as a general method to improve the security of multivariate public key cryptosystems. Construction small-scale noise is added to the system in a controlled way so as to not fundamentally alter the main structure, but yet substantially increase the entropy.
88 Internal Perturbation Let r be a small integer and z 1 (x 1,..., x n ) = z r (x 1,..., x n ) =. n α j1 x j + β 1 j=1 n α jr x j + β r j=1 be a set of randomly chosen affine linear functions in the x i over k n such that the z j β j are linearly independent.
89 Internal Perturbation Let r be a small integer and n z 1 (x 1,..., x n ) = α j1 x j + β 1 j=1 z r (x 1,..., x n ) =. n α jr x j + β r j=1 be a set of randomly chosen affine linear functions in the x i over k n such that the z j β j are linearly independent. We can use these linear functions to create quadratic perturbation in HFE (including MI) systems.
90 IP of MI x 1,..., x n L 1 F 1,..., F n z 1,..., z r f 1,..., f n + L 2 y 1,..., y n Figure: Structure of Perturbation of the Matsumoto-Imai System.
91 Decryption We need to a search of size of q r, therefore slower.
92 Decryption We need to a search of size of q r, therefore slower. We need to use Plus Method, Adding random polynomial, to help it to resist differential attacks.
93 Decryption We need to a search of size of q r, therefore slower. We need to use Plus Method, Adding random polynomial, to help it to resist differential attacks. Despite the cost of the search, it is still efficient.
94 Standing schemes PMI+
95 Standing schemes PMI+ IPHFE+
96 Standing schemes PMI+ IPHFE+ HFE Systems of odd characteristics ( theoretical support from the view of degree of regularity )
97 HFEv - Key Generation finite field F, extension field E of degree n isomorphism φ 1 : F n E, φ(x 1,..., x n ) = n i=1 x i X i 1 central map F : E E, F(X ) = q i +q j D 0 i j q i D α ij X qi +q j + i=0 β i (v 1,..., v v ) X qi +γ(v 1,..., v v ) where β i is a linear map from F v to E and γ is quadratic public key: P = S φ F φ 1 T with two affine (or linear) maps S : F n F n a and T : F n+v F n+v of maximal rank private key: S, F, T, φ
98 Signature Generation Given: message h F n a 1 Compute x = S 1 (h) F n and X = φ(x) E 2 Choose random values for the vinegar variables v 1,..., v v Solve F v1,...,v v (Y ) = X over E via Berlekamp s algorithm 3 Compute y = φ 1 (Y ) F n and z = T 1 (y v 1... v v ) The signature of the message h is z F n+v.
99 QUARTZ standardized by Courtois, Patarin in 2002 HFEv with F = GF(2), n = 103, D = 129, a = 3 and v = 4 E = GF(2) 103 = GF(2)[x]/(x x 9 + 1] F(X ) = 2 i +2 j i j 2 i 129 α ij X 2i +2 j + i=0 public key: quadratic map P : F 107 F 100 β i (v 1,..., v 4 ) X 2i +γ(v 1,..., v 4 ) To avoid birthday attacks, the signature generation step is performed four times (for h, H(h 00), H(h 01) and H(h 11)) signature length: (n a) + 4 (a + v) = 128 bit
100 Main attacks MinRank Attack Rank(Q) = r + a + v Compl MinRank 2 n (r+a+v) (n a) 3 Direct attack Recent{ breakthrough (result by Ding and Yang) (q 1) (r 1+a+v) d reg q even and r + a odd, (q 1) (r+a+v) otherwise. with r = log q (D 1) + 1.,
101 Efficiency Signature generation time 10 seconds Bottleneck: Inversion of the univariate polynomial equation F (v1,...,v v )(Y ) = X (1) of degree D over the extension field E by Berlekamps algorithm: Complexity O(D 3 + n D 2 ) equation (1) solvable with probability 1 e we have to solve (1) for 4 different values of X we have to perform Berlekamp s algorithm about 11 times
102 Research Questions Is the upper bound on the degree of regularity given by Ding and Yang reasonably tight? Can we decrease the degree D of the central HFEv polynomial to speed up the scheme?
103 How should we choose D? D {2, 3} would lead to central maps of rank 2 (Matsumoto-Imai case) For D {5, 7} one can get central maps of rank 2 by linear transformation D {9, 17} (central maps of rank 4 and 6 respectively)
104 Experiments Experiments with HFEv schemes with low degree central maps (D {9, 17}) Implementation of HFEv in MAGMA code Fixing of a + v variables to create determined systems Adding field equations Systems were solved with F 4 integrated in MAGMA
105 Experiments (2) D = 9 number of equations theoretical degree of regularity 7 (n,d,a,v) (24,9,4,4) (29,9,4,4) (34,9,4,4) (36,9,4,4) a = v = 4 d reg time (s) , ,321 a = v = 5 theoretical degree of regularity 8 (n,d,a,v) (25,9,5,5) (30,9,5,5) (35,9,5,5) (37,9,5,5) d reg time (s) ,481 oom for comparison: random system d reg time (s) ,533 oom
106 Experiments (3) D = 17 number of equations theoretical degree of regularity 7 (n,d,a,v) (23,17,3,3) (28,17,3,3) (33,17,3,3) (35,17,3,3) a = v = 3 d reg time (s) ,768 87,726 a = v = 4 theoretical degree of regularity 8 (n,d,a,v) (24,17,4,4) (29,17,4,4) (34,17,4,4) (36,17,4,4) d reg time (s) ,911 oom for comparison: random system d reg time (s) ,533 oom
107 Results The theoretical result about the degree of regularity is relatively tight (for a = v = 3 we can reach the upper bound both for D = 9 and D = 17) For the parameter sets (D, a, v) = (9, 5, 5) and (D, a, v) = (17, 4, 4) and n 32 we have d reg 7 For n = 90 + a we get ( n a + 2 Complexity direct attack 3 2 ( ) 92 = 3 2 ) ( ) ( n a + dreg d reg ) 2
108 New Designs - Gui - Asiacrypt Petzoldt, Chen, Yang, Tao, Ding We propose three versions of Gui Gui-95 with (n, D, a, v) = (95, 9, 5, 5) providing a security level of 80 bit Gui-94 with (n, D, a, v) = (94, 17, 4, 4) providing a security level of 80 bit and Gui-127 with (n, D, a, v) = (127, 9, 4, 6) providing a security level of 123 bit
109 Avoiding birthday attacks Input size of HFEv- maps is short (in our case bit) Possibility of birthday attacks Solution: Sign k different hash values of the message m. Combine the k outputs to a single signature of size (n a) + k (a + v) bit. In the case of Gui we set k = 3 for Gui-95, k = 4 for Gui-94 and Gui-127.
110 Gui-95
111 Parameters and Key Sizes security input signature public key private key scheme level (bit) size (bit) size (bit) size (Bytes) size (Bytes) Gui ,600 3,053 Gui ,212 2,943 Gui ,576 5,350 QUARTZ ,514 3,774 RSA RSA ECDSA P ECDSA P ECDSA P
112 Comparison security signing time verifying time scheme level (bit) (k-cycles) (k-cycles) Gui ,479 / 1, / 230 Gui ,945 / 5, / 253 Gui ,966 / 1, / 427 QUARTZ ,485 / 168, / 235 RSA ,080 / 2, / 64 RSA ,834 / 5, / 76 ECDSA P ,283 / 1,115 1,448 / 1,269 ECDSA P ,513 / 1,273 1, 715 / 1,567 ECDSA P ,830 / 1,488 2,111 / 1,920 time on AMD Opteron 6212, 2.5 GHz / Intel Xeon E5-2620, 2.0 GHz
113 Why this name? Gui Chinese pottery from Longshan period more than 4000 years old 3 legs: one in front, 2 in the back front leg : HFE back legs: Minus + Vinegar
114 Key Points Proposal of a new multivariate signature scheme Gui Use of low degree HFEv- polynomials (D {9, 17}) very short signatures (120 bit) 150 times faster than QUARTZ Efficiency comparable to standard schemes (RSA, ECDSA)
115 Outline
116 Key Points The Main Defect for insecurity for most of these MPKQ is that some Quadratic Forms associated with their central maps are of Low Rank. Direct algebraic attack is easy to handle in general ( odd Char) Ding, Tao, Diene etc
117 Idea of the Simple Matrix Schem for Encrypyion Main Idea Create some Matrices having high rank and use some Simple Matrix Multiplication to get a Multivariate Publick Key Scheme that we denote in short by the ABC cryptosystem.
118 Construction of the SM Cryptosystem Let k = F q be a finite field with q elements and p be the characteristic of k. Let n, m be a integer, where n = s 2, m = 2n. The plaintext will be represented by (x 1, x 2,, x n ) k n. The ciphertext will be represented by (y 1, y 2,, y m ) k m.
119 Construction of the SM Cryptosystem Let L 1 : k n k n and L 2 : k m k m be 2 affine transformations, L 1 (x) = L 1 x + u and L 2 (y) = L 2 y + ν where L 1 and L 2 are respectively an n n and m m matrix with entries in k, x = (x 1, x 2,, x n ) t, u = (u 1, u 2,, u n ) t, y = (y 1, y 2,, y m ) t, ν = (v 1, v 2,, v m ) t
120 Construction of the SM Cryptosystem Let A = x 1 x 2 x s x s+1 x s+2 x 2s......, B = x (s 1)s+1 x (s 1)s+2 x s 2 b 1 b 2 b s b s+1 b s+2 b 2s and C = b (s 1)s+1 b (s 1)s+2 b s 2 c 1 c 2 c s c s+1 c s+2 c 2s c (s 1)s+1 c (s 1)s+2 c s 2
121 Construction of the SM Cryptosystem Central map A, B, and C defined above are 3 s s matrices with x i k (i = 1, 2,, n), b i and c i (i = 1, 2,, n) are random linear combinaisons of elements taken from the set {x 1, x 2,, x n }. Let E 1 = AB, E 2 = AC, we denote by f (i 1)s+j k[x 1, x 2,, x n ] the (i, j) element of E 1 (i, j = 1, 2,, s). f s 2 +(i 1)s+j k[x 1, x 2,, x n ] the (i, j) element of E 2 (i, j = 1, 2,, s). We define then F(x 1,, x n ) = (f 1 (x 1,, x n ), f 2 (x 1,, x n ),, f m (x 1,, x n )).
122 Construction of the SM Cryptosystem The public key: F = L 2 F L 1 = ( f 1, f 2,, f m ), The secret key is made of the following two parts: The invertible affine transformations L 1, L 2. The matrices B, C.
123 Construction of the SM Cryptosystem Decryption Applying F 1 = L 1 1 F 1 L 1 2. How to invert the central map: Since E 1 = AB, E 2 = AC and assume A is an s s nonsingular matrix, we consider the following cases: (i) If E 1 is invertible, then BE 1 1 E 2 = C. We have n linear equations with n unknowns x i, i = 1, 2,, n. (ii) If E 2 is invertible, but E 1 is not invertible, then CE 1 2 E 1 = B. We also have n linear equations with n unknowns x i, i = 1, 2,, n. (iii) If both E 1 and E 2 are not invertible, then A 1 E 1 = B, A 1 E 2 = C. We interpret the elements of A 1 as the new variables, then we have m linear equations with m unknowns.
124 Construction of the SM Cryptosystem Decryption failure If A is a singular matrix, we may decrypt failure. The probability of A is invertible is (1 1 q )(1 1 q 2 ) (1 1 q n ). Therefore, the probability of decryption failure is 1 (1 1 q )(1 1 q 2 ) (1 1 q n ) 1 q.
125 Construction of the SM Cryptosystem An example We let k = GF (q) be a finite field of q = 127 elements and n = 64. In this case, the plaintext consist of the message (x 1, x 2,, x 64 ) k 64. The public map is F : k 64 k 128 and the central map is F : k 64 k 128. The public key consists of 128 quadratic polynomials with 64 variables. The number of coefficients for the public key polynomials is /2 = 266, 240, or about 2MB of storage. The private key consists of two matrices B, C and two affine linear transformations L 1, L 2. The total size is about 162.5KB. The size of document is 8n = 8 64 = 512bits. The total size of the ciphertext is 1024bits.
126 Security Analysis Rank attack: For the rank attacks, we have that the MinRank is 16 and the complexity of MinRank attack against our scheme is lager than Algebraic attack: For k = GF (3), we obtain the following results with a direct attack using MAGAMA( ) on a 1.80GHz Intel(R) Atom(TM) CPU n time(s) memory(mb) degree of regularity We can notice that the degree of regularity increases with n which tells us that the time and memory complexity are exponential.
127 Construction of the SM Cryptosystem Efficiency The decrytion is very efficient: only linera algebra opeations.
128 Improved Conctructions Rectangular construction Degree three construction using random quadratic polynomials Remove the decryptin fauilure Ding, Petzolt, Wang
129 Outline
130 Key Attack Methods To be ready for practical applications, we need a solid understanding of the attack complexities with both theoretical and experimental support. The key attack methods are: Direct algebraic attack
131 Key Attack Methods To be ready for practical applications, we need a solid understanding of the attack complexities with both theoretical and experimental support. The key attack methods are: Direct algebraic attack MinRank attack which is also reduced to polynomial solving problem.
132 Key Attack Methods To be ready for practical applications, we need a solid understanding of the attack complexities with both theoretical and experimental support. The key attack methods are: Direct algebraic attack MinRank attack which is also reduced to polynomial solving problem. Differential analysis
133 Direct Algebraic Attack Use efficient Gröbner basis (algebraic) algorithms (GB, F 4, XL, Mutant XL) to solve the system of equations: p 1 (x 1,..., x n ) = y 1 p 2 (x 1,..., x n ) = y 2. p n (x 1,..., x n ) = y n
134 Direct Algebraic Attack Use efficient Gröbner basis (algebraic) algorithms (GB, F 4, XL, Mutant XL) to solve the system of equations: p 1 (x 1,..., x n ) = y 1 p 2 (x 1,..., x n ) = y 2. p n (x 1,..., x n ) = y n Sometime algorithm terminates significantly quicker for the MPKC systems than on random systems. Why?
135 Degree of Regularity Degree of Regularity: Lowest degree at which non-trivial degree falls occur. ( ) deg g i p i < max{deg(g i ) + deg(p i )} Trivial degree falls: i p q 1 i p i = p q i = p i, p j p i p i p j = 0
136 Implication of Degree of Regularity Gröbner basis algorithms terminate shortly after this degree is reached.
137 Implication of Degree of Regularity Gröbner basis algorithms terminate shortly after this degree is reached. At the degree of regularity, in general, Mutants are produced, which accelerate the solving process. We need more precise mathematical concepts like, degree of regularity, mutants etc to understand solidly how algorithm works.
138 Degree of Regularity of Leading Terms Let pi h be the highest degree part of p i considered as an element of the truncated polynomial ring pi h F[x 1,..., x n ] x q 1,..., x n q
139 Degree of Regularity of Leading Terms Let pi h be the highest degree part of p i considered as an element of the truncated polynomial ring pi h F[x 1,..., x n ] x q 1,..., x n q Degree of Regularity of p1 h,..., ph n is first degree at which non-trivial relations occur. ( ) deg f i pi h = 0 Trivial relations: (p h i )q 1 p h i = 0, p h j ph i p h i ph j = 0 i
140 Degree of Regularity of Leading Terms Let pi h be the highest degree part of p i considered as an element of the truncated polynomial ring pi h F[x 1,..., x n ] x q 1,..., x n q Degree of Regularity of p1 h,..., ph n is first degree at which non-trivial relations occur. ( ) deg f i pi h = 0 Trivial relations: (p h i )q 1 p h i = 0, p h j ph i p h i ph j = 0 Then D reg (p 1,..., p n ) = D reg (p h 1,..., p h n) i
141 Bounds on Degree of Regularity Recently, we found a global upper bound on the degree of regularity (in the sense of DG) of an HFE system.
142 Bounds on Degree of Regularity Recently, we found a global upper bound on the degree of regularity (in the sense of DG) of an HFE system. Main Theorem. The degree of regularity of the system defined by P is bounded by Rank(P 0 )(q 1) (q 1)( log q(d 1) + 1) if Rank(P 0 ) > 1. Here Rank(P 0 ) is the rank of the quadratic form P 0. This explains why odd characteristics is good idea and why q = 2 is different
143 Bounds on Degree of Regularity Recently, we found a global upper bound on the degree of regularity (in the sense of DG) of an HFE system. Main Theorem. The degree of regularity of the system defined by P is bounded by Rank(P 0 )(q 1) (q 1)( log q(d 1) + 1) if Rank(P 0 ) > 1. Here Rank(P 0 ) is the rank of the quadratic form P 0. This explains why odd characteristics is good idea and why q = 2 is different These are universal bounds that require no additional assumption.
144 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung)
145 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung) HFEv- (Ding, Yang)
146 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung) HFEv- (Ding, Yang) Precise bound for Square systems. (Ding)
147 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung) HFEv- (Ding, Yang) Precise bound for Square systems. (Ding) Lower bounds for general case?
148 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung) HFEv- (Ding, Yang) Precise bound for Square systems. (Ding) Lower bounds for general case? MinRank is also closely related.
149 MPKCs MPKCs has a very solid foundation in terms of both designs and security analysis.
150 MPKCs MPKCs has a very solid foundation in terms of both designs and security analysis. Efficient, simple and easy to implement; but large key size
151 MPKCs MPKCs has a very solid foundation in terms of both designs and security analysis. Efficient, simple and easy to implement; but large key size Quantum computer attack
152 Acknowledgment Many thanks for the organizer Thank you and questions?
Simple Matrix Scheme for Encryption (ABC)
Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationOil-Vinegar signature cryptosystems
Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science
More informationInoculating Multivariate Schemes Against Differential Attacks
Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationHFERP - A New Multivariate Encryption Scheme
- A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding 1, Ray Perlner 2, Albrecht Petzoldt 2, and Daniel Smith-Tone 2,3 1 Department of Mathematical Sciences, University of Cincinnati, Cincinnati,
More informationTOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor
TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor Wuqiang Shen and Shaohua Tang School of Computer Science & Engineering, South China University of Technology, Guangzhou 510006,
More informationCryptanalysis of Simple Matrix Scheme for Encryption
Cryptanalysis of Simple Matrix Scheme for Encryption Chunsheng Gu School of Computer Engineering, Jiangsu University of Technology, Changzhou, 213001, China {chunsheng_gu}@163.com Abstract. Recently, Tao
More informationNew candidates for multivariate trapdoor functions
New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,
More informationAnalysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields
Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationMI-T-HFE, a New Multivariate Signature Scheme
MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose
More informationRGB, a Mixed Multivariate Signature Scheme
Advance Access publication on 7 August 2015 RGB, a Mixed Multivariate Signature Scheme Wuqiang Shen and Shaohua Tang c The British Computer Society 2015. All rights reserved. For Permissions, please email:
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationPublic key cryptography using Permutation P-Polynomials over Finite Fields
Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,
More informationEfficient variant of Rainbow using sparse secret keys
Takanori Yasuda 1, Tsuyoshi Takagi 2, and Kouichi Sakurai 1,3 1 Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan 2 Institute of Mathematics for Industry, Kyushu University,
More informationGröbner Bases Techniques in Post-Quantum Cryptography
Gröbner Bases Techniques in Post-Quantum Cryptography Ludovic Perret Sorbonne Universités, UPMC Univ Paris 06, INRIA Paris LIP6, PolSyS Project, Paris, France Post-Quantum Cryptography Winter School, Fukuoka,
More informationOn the Security and Key Generation of the ZHFE Encryption Scheme
On the Security and Key Generation of the ZHFE Encryption Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. At
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationHidden Pair of Bijection Signature Scheme
Hidden Pair of Bijection Signature Scheme Masahito Gotaishi and Shigeo Tsujii Research and Development Initiative, Chuo University, 1-13-27 Kasuga, Tokyo, Japan, 112-8551 gotaishi@tamaccchuo-uacjp http://wwwchuo-uacjp/chuo-u/rdi/index
More informationMultivariate Public Key Cryptography
Multivariate Public Key Cryptography Jintai Ding 1 and Bo-Yin Yang 2 1 University of Cincinnati and Technische Universität Darmstadt. 2 Academia Sinica and Taiwan InfoSecurity Center, Taipei, Taiwan. Summary.
More informationAn Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme
An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme Dustin Moody 1, Ray Perlner 1, and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg,
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg, Maryland,
More informationCryptanalysis of the HFE Public Key Cryptosystem by Relinearization
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA
More informationCryptanalysis of the Oil & Vinegar Signature Scheme
Cryptanalysis of the Oil & Vinegar Signature Scheme Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Dept. of Applied Math, Weizmann Institute, Israel Abstract. Several multivariate algebraic
More informationA Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary
More informationCryptanalysis of the Tractable Rational Map Cryptosystem
Cryptanalysis of the Tractable Rational Map Cryptosystem Antoine Joux 1, Sébastien Kunz-Jacques 2, Frédéric Muller 2, and Pierre-Michel Ricordel 2 1 SPOTI Antoine.Joux@m4x.org 2 DCSSI Crypto Lab 51, Boulevard
More informationSmall Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems
Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems Albrecht Petzoldt 1, Enrico Thomae, Stanislav Bulygin 3, and Christopher Wolf 4 1,3 Technische Universität Darmstadt
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationCryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction Shinya Okumura Institute of Systems, Information Technologies and Nanotechnologies This is a joint work
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationLinearity Measures for MQ Cryptography
Linearity Measures for MQ Cryptography Simona Samardjiska 1,2 and Danilo Gligoroski 1 Department of Telematics, NTNU, Trondheim, Norway, 1 FCSE, UKIM, Skopje, Macedonia. 2 simonas@item.ntno.no,simona.samardjiska@finki.ukim.mk,
More informationPublic-Key Identification Schemes based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011 Motivation Finding a new alternative
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationComparison between XL and Gröbner Basis Algorithms
Comparison between XL and Gröbner Basis Algorithms Gwénolé Ars 1, Jean-Charles Faugère 2, Hideki Imai 3, Mitsuru Kawazoe 4, and Makoto Sugita 5 1 IRMAR, University of Rennes 1 Campus de Beaulieu 35042
More informationDifferential Cryptanalysis for Multivariate Schemes
Differential Cryptanalysis for Multivariate Schemes Jacques Stern Joint work with P. A. Fouque and L. Granboulan École normale supérieure Differential Cryptanalysis for Multivariate Schemes p.1/23 MI Cryptosystem
More informationMXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy
MXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy Mohamed Saied Emam Mohamed 1, Wael Said Abd Elmageed Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology 2 University of Louisville 7th
More informationRank Analysis of Cubic Multivariate Cryptosystems
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus
More informationOn the Goubin-Courtois Attack on TTM
On the Goubin-Courtois Attack on TTM T. Moh and Jiun-Ming Chen Abstract In the paper [1] published in Asiacrypt 2000, L. Goubin and N.T. Courtois propose an attack on the TTM cryptosystem. In paper [1],
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Vanessa VITSE - Antoine JOUX Université de Versailles Saint-Quentin, Laboratoire PRISM CT-RSA, February 18, 2011 Motivation Motivation An example of algebraic cryptanalysis
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationOdd-Char Multivariate Hidden Field Equations
Odd-Char Multivariate Hidden Field Equations Chia-Hsin Owen Chen 1, Ming-Shing Chen 1, Jintai Ding 2, Fabian Werner 3, and Bo-Yin Yang 2 1 IIS, Academia Sinica, Taipei, Taiwan, {by,owenhsin,mschen}@crypto.tw
More informationTaxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations
Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations Christopher Wolf, and Bart Preneel {Christopher.Wolf, Bart.Preneel}@esat.kuleuven.ac.be chris@christopher-wolf.de
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationA Public Key Block Cipher Based on Multivariate Quadratic Quasigroups
A Public Key Block Cipher Based on Multivariate Quadratic Quasigroups Danilo Gligoroski 1 and Smile Markovski 2 and Svein Johan Knapskog 3 1 Department of Telematics, Faculty of Information Technology,
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationOn the Security of HFE, HFEv- and Quartz
On the Security of HFE, HFEv- and Quartz Nicolas T. Courtois 1, Magnus Daum 2,andPatrickFelke 2 1 CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP 45, 78430Louveciennes Cedex, France courtois@minrank.org
More informationWild McEliece Incognito
Wild McEliece Incognito Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Seminaire de Cryptographie Rennes April 1, 2011 Bad news Quantum computers
More informationRésolution de systèmes polynomiaux structurés et applications en Cryptologie
Résolution de systèmes polynomiaux structurés et applications en Cryptologie Pierre-Jean Spaenlehauer University of Western Ontario Ontario Research Center for Computer Algebra Magali Bardet, Jean-Charles
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationSolving Underdetermined Systems of Multivariate Quadratic Equations Revisited
Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited Enrico Thomae and Christopher Wolf Horst Görtz Institute for IT-security Faculty of Mathematics Ruhr-University of Bochum,
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationIsomorphism of Polynomials : New Results
Isomorphism of Polynomials : New Results Charles Bouillaguet, Jean-Charles Faugère 2,3, Pierre-Alain Fouque and Ludovic Perret 3,2 Ecole Normale Supérieure {charles.bouillaguet, pierre-alain.fouque}@ens.fr
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationOn multivariate signature-only public key cryptosystems
On multivariate signature-only public key cryptosystems Nicolas T. Courtois 1,2 courtois@minrank.org http://www.minrank.org 1 Systèmes Information Signal (SIS), Université de Toulon et du Var BP 132, F-83957
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationThe XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty
The XL and XSL attacks on Baby Rijndael by Elizabeth Kleiman A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics
More informationOn Enumeration of Polynomial Equivalence Classes and Their Application to MPKC
On Enumeration of Polynomial Equivalence Classes and Their Application to MPKC Dongdai Lin a, Jean-Charles Faugère b, Ludovic Perret b, Tianze Wang a,c a SKLOIS, Institute of Software, Chinese Academy
More informationComputers and Electrical Engineering
Computers and Electrical Engineering 36 (2010) 56 60 Contents lists available at ScienceDirect Computers and Electrical Engineering journal homepage: wwwelseviercom/locate/compeleceng Cryptanalysis of
More informationRoots of Square: Cryptanalysis of Double-Layer Square and Square+
Roots of Suare: Cryptanalysis of Double-Layer Suare and Suare+ Full Version Enrico Thomae, Christopher Wolf Horst Görtz Institute for IT-security Faculty of Mathematics Ruhr-University of Bochum, 44780
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationOwen (Chia-Hsin) Chen, National Taiwan University
Analysis of QUAD Owen (Chia-Hsin) Chen, National Taiwan University March 27, FSE 2007, Luxembourg Work at Academia Sinica supervised by Dr. Bo-Yin Yang Jointly with Drs. Dan Bernstein and Jiun-Ming Chen
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationA survey of algebraic attacks against stream ciphers
A survey of algebraic attacks against stream ciphers Frederik Armknecht NEC Europe Ltd. Network Laboratories frederik.armknecht@netlab.nec.de Special semester on Gröbner bases and related methods, May
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationA New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code
A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationOn the Existence of Semi-Regular Sequences
On the Existence of Semi-Regular Sequences Sergio Molina 1 joint work with T. J. Hodges 1 J. Schlather 1 Department of Mathematics University of Cincinnati DIMACS, January 2015 Sergio Molina (UC) Semi-Regular
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationMasao KASAHARA. Graduate School of Osaka Gakuin University
Abstract Construction of New Classes of Knapsack Type Public Key Cryptosystem Using Uniform Secret Sequence, K(II)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Graduate School of Osaka
More informationA CRYPTANALYTIC ATTACK-ON THE LU-LEE PUBLIC-KEY CRYPTOSYSTEM
Philips J. Res. 35, 301-306, 1980 R J022 A CRYPTANALYTIC ATTACK-ON THE LU-LEE PUBLIC-KEY CRYPTOSYSTEM by J.-M. GOETHALS and C. COUVREUR Abstract We present a method for finding the secret decryption key
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More information