Multivariate Public Key Cryptography

Size: px

Start display at page:

Download "Multivariate Public Key Cryptography"

Corey Miller
5 years ago
Views:

1 Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb

2 Outline

3 Outline

4 What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems, whose public keys are a set of multivariate polynomials

5 What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems, whose public keys are a set of multivariate polynomials The public key is given as: G(x 1,..., x n ) = (G 1 (x 1,..., x n ),..., G m (x 1,..., x n )). Here the G i (x 1,..., x n ) are multivariate polynomials over a finite field.

6 Encryption Any plaintext M = (x 1,..., x n) has the ciphertext: G(M) = G(x 1,..., x n) = (y 1,..., y m).

7 Encryption Any plaintext M = (x 1,..., x n) has the ciphertext: G(M) = G(x 1,..., x n) = (y 1,..., y m). To decrypt the ciphertext (y 1,..., y n), one needs to know a secret (the secret key), so that one can invert the map: G 1 to find the plaintext (x 1,..., x n). M = (x 1,..., x n) = G 1 (y 1,..., y m).

8 Toy example We use the finite field k = GF [2]/(x 2 + x + 1) with 2 2 elements.

9 Toy example We use the finite field k = GF [2]/(x 2 + x + 1) with 2 2 elements. We denote the elements of the field by the set {0, 1, 2, 3} to simplify the notation. Here 0 represent the 0 in k, 1 for 1, 2 for x, and 3 for 1 + x. In this case, = 2 and 2 3 = = 3 and 3 3 = 2.

10 A toy example G 0 (x 1, x 2, x 3 ) = 1 + x 2 + 2x 0 x 2 + 3x x 1x 2 + x 2 2 G 1 (x 1, x 2, x 3 ) = 1 + 3x 0 + 2x 1 + x 2 + x x 0x 1 + 3x 0 x 2 + x 2 1 G 2 (x 1, x 2, x 3 ) = 3x 2 + x x x 1x 2 + 3x 2 2

11 A toy example G 0 (x 1, x 2, x 3 ) = 1 + x 2 + 2x 0 x 2 + 3x x 1x 2 + x 2 2 G 1 (x 1, x 2, x 3 ) = 1 + 3x 0 + 2x 1 + x 2 + x x 0x 1 + 3x 0 x 2 + x 2 1 G 2 (x 1, x 2, x 3 ) = 3x 2 + x x x 1x 2 + 3x 2 2 For example, if the plaintext is: x 0 = 1, x 1 = 2, x 2 = 3, then we can plug into G 1, G 2 and G 3 to get the ciphertext y 0 = 0, y 1 = 0, y 2 = 1.

12 A toy example G 0 (x 1, x 2, x 3 ) = 1 + x 2 + 2x 0 x 2 + 3x x 1x 2 + x 2 2 G 1 (x 1, x 2, x 3 ) = 1 + 3x 0 + 2x 1 + x 2 + x x 0x 1 + 3x 0 x 2 + x 2 1 G 2 (x 1, x 2, x 3 ) = 3x 2 + x x x 1x 2 + 3x 2 2 For example, if the plaintext is: x 0 = 1, x 1 = 2, x 2 = 3, then we can plug into G 1, G 2 and G 3 to get the ciphertext y 0 = 0, y 1 = 0, y 2 = 1. This is a bijective map and we can invert it easily. This example is based on the Matsumoto-Imai cryptosystem.

13 Signature To sign the document hash value (y 1,..., y m), one needs to know (the secret key), so that one can invert the public key map: G 1 to find the signature (x 1,..., x n). S = (x 1,..., x n) = G 1 (y 1,..., y m).

14 Signature To sign the document hash value (y 1,..., y m), one needs to know (the secret key), so that one can invert the public key map: G 1 to find the signature (x 1,..., x n). S = (x 1,..., x n) = G 1 (y 1,..., y m). Given the pair:((x 1,..., x n)(y 1,..., y m)), anyone can verify the validity of the signature by checking if the following equality holds: G(x 1,..., x n) = (y 1,..., y m).

15 Theoretical Foundation Direct attack is to solve the set of equations: G(M) = G(x 1,..., x n ) = (y 1,..., y m).

16 Theoretical Foundation Direct attack is to solve the set of equations: G(M) = G(x 1,..., x n ) = (y 1,..., y m). - Solving a set of n randomly chosen equations (nonlinear) with n variables is NP-complete, though this does not necessarily ensure the security of the systems.

17 A quick historic overview Single variable quadratic equation Babylonian around 1800 to 1600 BC

18 A quick historic overview Single variable quadratic equation Babylonian around 1800 to 1600 BC Cubic and quartic equation around 1500 Tartaglia Cardano

19 A quick historic overview Single variable quadratic equation Babylonian around 1800 to 1600 BC Cubic and quartic equation around 1500 Tartaglia Cardano Multivariate system Buchberger : Gröobner Basis Hironaka: Standard basis

20 The hardness of the problem Single variable case Galois s work. Newton method continuous system Berlekamp s algorithm finite field and low degree

21 The hardness of the problem Single variable case Galois s work. Newton method continuous system Berlekamp s algorithm finite field and low degree Multivariate case: NP- hardness of the generic systems. Numerical solvers continuous systems Finite field case

22 Quadratic Constructions 1) Efficiency considerations lead to mainly quadratic constructions. G l (x 1,..x n ) = i,j α lij x i x j + i β li x i + γ l.

23 Quadratic Constructions 1) Efficiency considerations lead to mainly quadratic constructions. G l (x 1,..x n ) = i,j α lij x i x j + i β li x i + γ l. 2) Mathematical structure consideration: Any set of high degree polynomial equations can be reduced to a set of quadratic equations. is equivalent to x 1 x 2 x 3 = 5, x 1 x 2 y = 0 yx 3 = 5.

24 The view from the history of Mathematics(Diffie in Paris) RSA Number Theory the 18th century mathematics

25 The view from the history of Mathematics(Diffie in Paris) RSA Number Theory the 18th century mathematics ECC Theory of Elliptic Curves the 19th century mathematics

26 The view from the history of Mathematics(Diffie in Paris) RSA Number Theory the 18th century mathematics ECC Theory of Elliptic Curves the 19th century mathematics Multivariate Public key cryptosystem Algebraic Geometry the 20th century mathematics Algebraic Geometry Theory of Polynomial Rings

27 Early works Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong, Schnorr, Shamir etc

28 Early works Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong, Schnorr, Shamir etc Fast development in the late 1990s Patarin work as catalyst.

29 Outline

30 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )).

31 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )). Private key: a way to compute G 1.

32 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )). Private key: a way to compute G 1. Signing a hash of a document:

33 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )). Private key: a way to compute G 1. Signing a hash of a document: (x 1,..., x n ) G 1 (y 1,..., y m ).

34 Multivariate Signature schemes Public key: G(x 1,..., x n ) = (g 1 (x 1,..., x n ),..., g m (x 1,..., x n )). Private key: a way to compute G 1. Signing a hash of a document: (x 1,..., x n ) G 1 (y 1,..., y m ). Verifying: (y 1,..., y m )? = G(x 1,..., x n ). k, a small finite field.

35 A toy example over GF(3) G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x 2 3 Hash: G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 (y 1, y 2, y 3 ) = (0, 1, 1). G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x 2 1

36 A toy example over GF(3) G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x3 2 Hash: G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 (y 1, y 2, y 3 ) = (0, 1, 1). G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x1 2 A signature: (x 1, x 2, x 3 ) = (2, 0, 1)

37 A toy example over GF(3) G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x3 2 Hash: G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 (y 1, y 2, y 3 ) = (0, 1, 1). G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x1 2 A signature: (x 1, x 2, x 3 ) = (2, 0, 1) G 1 (2, 0, 1) = = 0 G 2 (2, 0, 1) = = 1 G 3 (2, 0, 1) = = 1

38 Security: polynomial solving. Signature for (y 1, y 2, y 3 ) = (0, 0, 0)?

39 Security: polynomial solving. Signature for (y 1, y 2, y 3 ) = (0, 0, 0)? G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x 2 3 = 0 G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 = 0 G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x 2 1 = 0

40 Security: polynomial solving. Signature for (y 1, y 2, y 3 ) = (0, 0, 0)? G 1 (x 1, x 2, x 3 ) = 1 + x 3 + x 1 x 2 + x 2 3 = 0 G 2 (x 1, x 2, x 3 ) = 2 + x 1 + 2x 2 x 3 + x 2 = 0 G 3 (x 1, x 2, x 3 ) = 1 + x 2 + x 1 x 3 + x 2 1 = 0 Direct attack: difficulty of solving a set of nonlinear polynomial equations over a finite field.

41 How to construct G? A scheme by Kipnis, Patarin and Goubin (Eurocrypt 1999)

42 How to construct G? A scheme by Kipnis, Patarin and Goubin (Eurocrypt 1999) G = F L. F : nonlinear, easy to compute F 1. L: invertible linear, to hide the structure of F.

43 Unbalanced Oil-vinegar (uov) schemes F = (f 1 (x 1,.., x o, x 1,..., x v ),, f o (x 1,.., x o, x 1,..., x v )).

44 Unbalanced Oil-vinegar (uov) schemes F = (f 1 (x 1,.., x o, x 1,..., x v ),, f o (x 1,.., x o, x 1,..., x v )). f l (x 1,., x o, x 1,., x v ) = a lij x i x j + b lij x i x j + c li x i + d li x i +e l. Oil variables: x 1,..., x o. Vinegar variables: x 1,..., x v.

45 How to invert F? f l (x 1,., x o, x 1,., x v }{{} fix the values ) = alij x i x j + b lij x i x j + c li x i + d li x i + e l.

46 How to invert F? f l (x 1,., x o, x 1,., x v ) = alij x i x j + b lij x i x j + c li x i + d li x i + e l.

47 How to invert F? f l (x 1,., x o, x 1,., x v ) = alij x i x j + b lij x i x j + c li x i + d li x i + e l. F : linear in Oil variables: x 1,.., x o. = F : easy to invert.

48 Security analysis v o and v >> o not secure

49 Security analysis v o and v >> o not secure v = 2o, 3o

50 Security analysis v o and v >> o not secure v = 2o, 3o Direct attacks does not work.

51 Security analysis v o and v >> o not secure v = 2o, 3o Direct attacks does not work. The mathematical problem to find equivalent secret keys find the common null subspace spaces of a set of quadratic forms.

52 Security analysis v o and v >> o not secure v = 2o, 3o Direct attacks does not work. The mathematical problem to find equivalent secret keys find the common null subspace spaces of a set of quadratic forms. The problem above can also be transformed into solving a set of quadratic equations.

53 Rainbow Ding, Schmidtc 2005 Make F small without reducing security.

54 Rainbow Ding, Schmidtc 2005 Make F small without reducing security. G = L }{{} 1 F L 2. }{{} Hide the separation Hide L 1 F F = (F 1, F 2 ).

55 Rainbow Rainbow(18,12,12) over GF(2 8 ). F 1 : o 1 = 12, v 1 = OV polynomials: F 1 = (f 1 (x 1,..., x 30 ),..., f 12 (x 1,..., x 30 )). x 1,..., x }{{ 18, x } 19,..., x }{{ 30 } Vinegar Oil F 2 : o 2 = 12, v 2 = = OV polynomials: F 2 = (f 31 (x 1,..., x 42 ),..., f 42 (x 1,..., x 42 )). x 1,..x 18, x 19..., x }{{ 30, x } 31,..., x }{{ 42 } Vinegar Oil

56 Rainbow Rainbow(18,12,12)

57 Rainbow Rainbow(18,12,12) Signature 400 bits Hash 336 bits

58 Implementations IC for Rainbow: 804 cycles A joint work of Cincinnati and Bochum.(ASAP 2008)

59 Implementations IC for Rainbow: 804 cycles A joint work of Cincinnati and Bochum.(ASAP 2008) FPGA implementation by the research group of Professor Paar at Bochum (CHES 2009) Beat ECC in area and speed.

60 Side channel attack on Rainbow Natural Side channel attack resistance.

61 Side channel attack on Rainbow Natural Side channel attack resistance. Further optimizations.

62 Side channel attack on Rainbow Natural Side channel attack resistance. Further optimizations. Real implementations works done in Taiwan by Yang, Cheng.

63 Security

64 Security UOV: not broken since Rainbow MinRank problem MinRank problem find the (non zero) matrix of the minimum rank in the space spanned by a set of matrices.

65 Outline

66 Notation k is a small finite field with k = q

67 Notation k is a small finite field with k = q K = k[x]/(g(x)), a degree n extension of k and g(x) irreducible of degree n..

68 Notation k is a small finite field with k = q K = k[x]/(g(x)), a degree n extension of k and g(x) irreducible of degree n.. The standard k-linear invertible map φ : K k n, and φ 1 : k n K.

69 The idea of BIG field Proposed in 1988 by Matsumoto-Imai.

70 The idea of BIG field Proposed in 1988 by Matsumoto-Imai. Build up a map F over K: F = L 1 φ F φ 1 L 2. where the L i are randomly chosen invertible affine maps over k n

71 The idea of BIG field Proposed in 1988 by Matsumoto-Imai. Build up a map F over K: F = L 1 φ F φ 1 L 2. where the L i are randomly chosen invertible affine maps over k n The L i are used to hide F.

72 Hidden Field Public Key Cryptosystems K φ 1 F φ K k n { F 1,..., F n} k n

73 Encryption The MI construction: F : X X qθ +1.

74 Encryption The MI construction: F : X X qθ +1. Let F (x 1,..., x n ) = φ F φ 1 (x 1,..., x n ) = ( F 1,..., F n ).

75 Encryption The MI construction: F : X X qθ +1. Let F (x 1,..., x n ) = φ F φ 1 (x 1,..., x n ) = ( F 1,..., F n ). The F i = F i (x 1,..., x n ) are quadratic polynomials in n variables. Why quadratic? X qθ +1 = X qθ X.

76 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2.

77 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2. F 1 (X ) = X t such that: t (q θ + 1) 1 (mod q n 1).

78 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2. F 1 (X ) = X t such that: t (q θ + 1) 1 (mod q n 1). The public key includes the field structure of k, θ and F = ( F 1,.., F n ). The secret keys are L 1 and L 2.

79 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2. F 1 (X ) = X t such that: t (q θ + 1) 1 (mod q n 1). The public key includes the field structure of k, θ and F = ( F 1,.., F n ). The secret keys are L 1 and L 2. The first toy example is produced by setting n = 3 and θ = 2.

80 Decryption The condition: gcd (q θ + 1, q n 1) = 1, ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2. F 1 (X ) = X t such that: t (q θ + 1) 1 (mod q n 1). The public key includes the field structure of k, θ and F = ( F 1,.., F n ). The secret keys are L 1 and L 2. The first toy example is produced by setting n = 3 and θ = 2. This scheme was defeated by linearization equation method by Patarin 1995.

81 HFE by Patarin etc The only difference from MI is that F is replaced by a new map given by: F (X ) = q i +q j D i,j=0 q i D a ij X qi +q j + Berlekamp-Massey algorithm to decrypt. The complexity O(D ω ). i=0 b i X qi + c.

82 HFE by Patarin etc The only difference from MI is that F is replaced by a new map given by: F (X ) = q i +q j D i,j=0 q i D a ij X qi +q j + Berlekamp-Massey algorithm to decrypt. The complexity O(D ω ). Patarin presented two challenges. i=0 b i X qi + c.

83 Direct Algebraic Attack Use efficient Gröbner basis (algebraic) algorithms to solve the system of equations: F 1 (x 1,..., x n ) = y 1 F 2 (x 1,..., x n ) = y 2 F n (x 1,..., x n ) = y n.

84 Direct Algebraic Attack Use efficient Gröbner basis (algebraic) algorithms to solve the system of equations: F 1 (x 1,..., x n ) = y 1 F 2 (x 1,..., x n ) = y 2 F n (x 1,..., x n ) = y n.

85 Direct Algebraic Attack Algorithm terminates significantly quicker on HFE systems than on random systems. How does the restriction on the degree D of P affect the complexity of algebraic solvers? Faugere and Joux broke Challenge 1 with 80 variables and claim Dreg is roughly log q (D). Kipnis-Shamir Minrank attack. Granboulan, Joux, Stern (Crypto 2006): If q = 2, complexity is quasi-polynomial.

86 Internal Perturbation (Internal) Perturbation was introduced at PKC 2004 as a general method to improve the security of multivariate public key cryptosystems.

87 Internal Perturbation (Internal) Perturbation was introduced at PKC 2004 as a general method to improve the security of multivariate public key cryptosystems. Construction small-scale noise is added to the system in a controlled way so as to not fundamentally alter the main structure, but yet substantially increase the entropy.

88 Internal Perturbation Let r be a small integer and z 1 (x 1,..., x n ) = z r (x 1,..., x n ) =. n α j1 x j + β 1 j=1 n α jr x j + β r j=1 be a set of randomly chosen affine linear functions in the x i over k n such that the z j β j are linearly independent.

89 Internal Perturbation Let r be a small integer and n z 1 (x 1,..., x n ) = α j1 x j + β 1 j=1 z r (x 1,..., x n ) =. n α jr x j + β r j=1 be a set of randomly chosen affine linear functions in the x i over k n such that the z j β j are linearly independent. We can use these linear functions to create quadratic perturbation in HFE (including MI) systems.

90 IP of MI x 1,..., x n L 1 F 1,..., F n z 1,..., z r f 1,..., f n + L 2 y 1,..., y n Figure: Structure of Perturbation of the Matsumoto-Imai System.

91 Decryption We need to a search of size of q r, therefore slower.

92 Decryption We need to a search of size of q r, therefore slower. We need to use Plus Method, Adding random polynomial, to help it to resist differential attacks.

93 Decryption We need to a search of size of q r, therefore slower. We need to use Plus Method, Adding random polynomial, to help it to resist differential attacks. Despite the cost of the search, it is still efficient.

94 Standing schemes PMI+

95 Standing schemes PMI+ IPHFE+

96 Standing schemes PMI+ IPHFE+ HFE Systems of odd characteristics ( theoretical support from the view of degree of regularity )

97 HFEv - Key Generation finite field F, extension field E of degree n isomorphism φ 1 : F n E, φ(x 1,..., x n ) = n i=1 x i X i 1 central map F : E E, F(X ) = q i +q j D 0 i j q i D α ij X qi +q j + i=0 β i (v 1,..., v v ) X qi +γ(v 1,..., v v ) where β i is a linear map from F v to E and γ is quadratic public key: P = S φ F φ 1 T with two affine (or linear) maps S : F n F n a and T : F n+v F n+v of maximal rank private key: S, F, T, φ

98 Signature Generation Given: message h F n a 1 Compute x = S 1 (h) F n and X = φ(x) E 2 Choose random values for the vinegar variables v 1,..., v v Solve F v1,...,v v (Y ) = X over E via Berlekamp s algorithm 3 Compute y = φ 1 (Y ) F n and z = T 1 (y v 1... v v ) The signature of the message h is z F n+v.

99 QUARTZ standardized by Courtois, Patarin in 2002 HFEv with F = GF(2), n = 103, D = 129, a = 3 and v = 4 E = GF(2) 103 = GF(2)[x]/(x x 9 + 1] F(X ) = 2 i +2 j i j 2 i 129 α ij X 2i +2 j + i=0 public key: quadratic map P : F 107 F 100 β i (v 1,..., v 4 ) X 2i +γ(v 1,..., v 4 ) To avoid birthday attacks, the signature generation step is performed four times (for h, H(h 00), H(h 01) and H(h 11)) signature length: (n a) + 4 (a + v) = 128 bit

100 Main attacks MinRank Attack Rank(Q) = r + a + v Compl MinRank 2 n (r+a+v) (n a) 3 Direct attack Recent{ breakthrough (result by Ding and Yang) (q 1) (r 1+a+v) d reg q even and r + a odd, (q 1) (r+a+v) otherwise. with r = log q (D 1) + 1.,

101 Efficiency Signature generation time 10 seconds Bottleneck: Inversion of the univariate polynomial equation F (v1,...,v v )(Y ) = X (1) of degree D over the extension field E by Berlekamps algorithm: Complexity O(D 3 + n D 2 ) equation (1) solvable with probability 1 e we have to solve (1) for 4 different values of X we have to perform Berlekamp s algorithm about 11 times

102 Research Questions Is the upper bound on the degree of regularity given by Ding and Yang reasonably tight? Can we decrease the degree D of the central HFEv polynomial to speed up the scheme?

103 How should we choose D? D {2, 3} would lead to central maps of rank 2 (Matsumoto-Imai case) For D {5, 7} one can get central maps of rank 2 by linear transformation D {9, 17} (central maps of rank 4 and 6 respectively)

104 Experiments Experiments with HFEv schemes with low degree central maps (D {9, 17}) Implementation of HFEv in MAGMA code Fixing of a + v variables to create determined systems Adding field equations Systems were solved with F 4 integrated in MAGMA

105 Experiments (2) D = 9 number of equations theoretical degree of regularity 7 (n,d,a,v) (24,9,4,4) (29,9,4,4) (34,9,4,4) (36,9,4,4) a = v = 4 d reg time (s) , ,321 a = v = 5 theoretical degree of regularity 8 (n,d,a,v) (25,9,5,5) (30,9,5,5) (35,9,5,5) (37,9,5,5) d reg time (s) ,481 oom for comparison: random system d reg time (s) ,533 oom

106 Experiments (3) D = 17 number of equations theoretical degree of regularity 7 (n,d,a,v) (23,17,3,3) (28,17,3,3) (33,17,3,3) (35,17,3,3) a = v = 3 d reg time (s) ,768 87,726 a = v = 4 theoretical degree of regularity 8 (n,d,a,v) (24,17,4,4) (29,17,4,4) (34,17,4,4) (36,17,4,4) d reg time (s) ,911 oom for comparison: random system d reg time (s) ,533 oom

107 Results The theoretical result about the degree of regularity is relatively tight (for a = v = 3 we can reach the upper bound both for D = 9 and D = 17) For the parameter sets (D, a, v) = (9, 5, 5) and (D, a, v) = (17, 4, 4) and n 32 we have d reg 7 For n = 90 + a we get ( n a + 2 Complexity direct attack 3 2 ( ) 92 = 3 2 ) ( ) ( n a + dreg d reg ) 2

108 New Designs - Gui - Asiacrypt Petzoldt, Chen, Yang, Tao, Ding We propose three versions of Gui Gui-95 with (n, D, a, v) = (95, 9, 5, 5) providing a security level of 80 bit Gui-94 with (n, D, a, v) = (94, 17, 4, 4) providing a security level of 80 bit and Gui-127 with (n, D, a, v) = (127, 9, 4, 6) providing a security level of 123 bit

109 Avoiding birthday attacks Input size of HFEv- maps is short (in our case bit) Possibility of birthday attacks Solution: Sign k different hash values of the message m. Combine the k outputs to a single signature of size (n a) + k (a + v) bit. In the case of Gui we set k = 3 for Gui-95, k = 4 for Gui-94 and Gui-127.

110 Gui-95

111 Parameters and Key Sizes security input signature public key private key scheme level (bit) size (bit) size (bit) size (Bytes) size (Bytes) Gui ,600 3,053 Gui ,212 2,943 Gui ,576 5,350 QUARTZ ,514 3,774 RSA RSA ECDSA P ECDSA P ECDSA P

112 Comparison security signing time verifying time scheme level (bit) (k-cycles) (k-cycles) Gui ,479 / 1, / 230 Gui ,945 / 5, / 253 Gui ,966 / 1, / 427 QUARTZ ,485 / 168, / 235 RSA ,080 / 2, / 64 RSA ,834 / 5, / 76 ECDSA P ,283 / 1,115 1,448 / 1,269 ECDSA P ,513 / 1,273 1, 715 / 1,567 ECDSA P ,830 / 1,488 2,111 / 1,920 time on AMD Opteron 6212, 2.5 GHz / Intel Xeon E5-2620, 2.0 GHz

113 Why this name? Gui Chinese pottery from Longshan period more than 4000 years old 3 legs: one in front, 2 in the back front leg : HFE back legs: Minus + Vinegar

114 Key Points Proposal of a new multivariate signature scheme Gui Use of low degree HFEv- polynomials (D {9, 17}) very short signatures (120 bit) 150 times faster than QUARTZ Efficiency comparable to standard schemes (RSA, ECDSA)

115 Outline

116 Key Points The Main Defect for insecurity for most of these MPKQ is that some Quadratic Forms associated with their central maps are of Low Rank. Direct algebraic attack is easy to handle in general ( odd Char) Ding, Tao, Diene etc

117 Idea of the Simple Matrix Schem for Encrypyion Main Idea Create some Matrices having high rank and use some Simple Matrix Multiplication to get a Multivariate Publick Key Scheme that we denote in short by the ABC cryptosystem.

118 Construction of the SM Cryptosystem Let k = F q be a finite field with q elements and p be the characteristic of k. Let n, m be a integer, where n = s 2, m = 2n. The plaintext will be represented by (x 1, x 2,, x n ) k n. The ciphertext will be represented by (y 1, y 2,, y m ) k m.

119 Construction of the SM Cryptosystem Let L 1 : k n k n and L 2 : k m k m be 2 affine transformations, L 1 (x) = L 1 x + u and L 2 (y) = L 2 y + ν where L 1 and L 2 are respectively an n n and m m matrix with entries in k, x = (x 1, x 2,, x n ) t, u = (u 1, u 2,, u n ) t, y = (y 1, y 2,, y m ) t, ν = (v 1, v 2,, v m ) t

120 Construction of the SM Cryptosystem Let A = x 1 x 2 x s x s+1 x s+2 x 2s......, B = x (s 1)s+1 x (s 1)s+2 x s 2 b 1 b 2 b s b s+1 b s+2 b 2s and C = b (s 1)s+1 b (s 1)s+2 b s 2 c 1 c 2 c s c s+1 c s+2 c 2s c (s 1)s+1 c (s 1)s+2 c s 2

121 Construction of the SM Cryptosystem Central map A, B, and C defined above are 3 s s matrices with x i k (i = 1, 2,, n), b i and c i (i = 1, 2,, n) are random linear combinaisons of elements taken from the set {x 1, x 2,, x n }. Let E 1 = AB, E 2 = AC, we denote by f (i 1)s+j k[x 1, x 2,, x n ] the (i, j) element of E 1 (i, j = 1, 2,, s). f s 2 +(i 1)s+j k[x 1, x 2,, x n ] the (i, j) element of E 2 (i, j = 1, 2,, s). We define then F(x 1,, x n ) = (f 1 (x 1,, x n ), f 2 (x 1,, x n ),, f m (x 1,, x n )).

122 Construction of the SM Cryptosystem The public key: F = L 2 F L 1 = ( f 1, f 2,, f m ), The secret key is made of the following two parts: The invertible affine transformations L 1, L 2. The matrices B, C.

123 Construction of the SM Cryptosystem Decryption Applying F 1 = L 1 1 F 1 L 1 2. How to invert the central map: Since E 1 = AB, E 2 = AC and assume A is an s s nonsingular matrix, we consider the following cases: (i) If E 1 is invertible, then BE 1 1 E 2 = C. We have n linear equations with n unknowns x i, i = 1, 2,, n. (ii) If E 2 is invertible, but E 1 is not invertible, then CE 1 2 E 1 = B. We also have n linear equations with n unknowns x i, i = 1, 2,, n. (iii) If both E 1 and E 2 are not invertible, then A 1 E 1 = B, A 1 E 2 = C. We interpret the elements of A 1 as the new variables, then we have m linear equations with m unknowns.

124 Construction of the SM Cryptosystem Decryption failure If A is a singular matrix, we may decrypt failure. The probability of A is invertible is (1 1 q )(1 1 q 2 ) (1 1 q n ). Therefore, the probability of decryption failure is 1 (1 1 q )(1 1 q 2 ) (1 1 q n ) 1 q.

125 Construction of the SM Cryptosystem An example We let k = GF (q) be a finite field of q = 127 elements and n = 64. In this case, the plaintext consist of the message (x 1, x 2,, x 64 ) k 64. The public map is F : k 64 k 128 and the central map is F : k 64 k 128. The public key consists of 128 quadratic polynomials with 64 variables. The number of coefficients for the public key polynomials is /2 = 266, 240, or about 2MB of storage. The private key consists of two matrices B, C and two affine linear transformations L 1, L 2. The total size is about 162.5KB. The size of document is 8n = 8 64 = 512bits. The total size of the ciphertext is 1024bits.

126 Security Analysis Rank attack: For the rank attacks, we have that the MinRank is 16 and the complexity of MinRank attack against our scheme is lager than Algebraic attack: For k = GF (3), we obtain the following results with a direct attack using MAGAMA( ) on a 1.80GHz Intel(R) Atom(TM) CPU n time(s) memory(mb) degree of regularity We can notice that the degree of regularity increases with n which tells us that the time and memory complexity are exponential.

127 Construction of the SM Cryptosystem Efficiency The decrytion is very efficient: only linera algebra opeations.

128 Improved Conctructions Rectangular construction Degree three construction using random quadratic polynomials Remove the decryptin fauilure Ding, Petzolt, Wang

129 Outline

130 Key Attack Methods To be ready for practical applications, we need a solid understanding of the attack complexities with both theoretical and experimental support. The key attack methods are: Direct algebraic attack

131 Key Attack Methods To be ready for practical applications, we need a solid understanding of the attack complexities with both theoretical and experimental support. The key attack methods are: Direct algebraic attack MinRank attack which is also reduced to polynomial solving problem.

132 Key Attack Methods To be ready for practical applications, we need a solid understanding of the attack complexities with both theoretical and experimental support. The key attack methods are: Direct algebraic attack MinRank attack which is also reduced to polynomial solving problem. Differential analysis

133 Direct Algebraic Attack Use efficient Gröbner basis (algebraic) algorithms (GB, F 4, XL, Mutant XL) to solve the system of equations: p 1 (x 1,..., x n ) = y 1 p 2 (x 1,..., x n ) = y 2. p n (x 1,..., x n ) = y n

134 Direct Algebraic Attack Use efficient Gröbner basis (algebraic) algorithms (GB, F 4, XL, Mutant XL) to solve the system of equations: p 1 (x 1,..., x n ) = y 1 p 2 (x 1,..., x n ) = y 2. p n (x 1,..., x n ) = y n Sometime algorithm terminates significantly quicker for the MPKC systems than on random systems. Why?

135 Degree of Regularity Degree of Regularity: Lowest degree at which non-trivial degree falls occur. ( ) deg g i p i < max{deg(g i ) + deg(p i )} Trivial degree falls: i p q 1 i p i = p q i = p i, p j p i p i p j = 0

136 Implication of Degree of Regularity Gröbner basis algorithms terminate shortly after this degree is reached.

137 Implication of Degree of Regularity Gröbner basis algorithms terminate shortly after this degree is reached. At the degree of regularity, in general, Mutants are produced, which accelerate the solving process. We need more precise mathematical concepts like, degree of regularity, mutants etc to understand solidly how algorithm works.

138 Degree of Regularity of Leading Terms Let pi h be the highest degree part of p i considered as an element of the truncated polynomial ring pi h F[x 1,..., x n ] x q 1,..., x n q

139 Degree of Regularity of Leading Terms Let pi h be the highest degree part of p i considered as an element of the truncated polynomial ring pi h F[x 1,..., x n ] x q 1,..., x n q Degree of Regularity of p1 h,..., ph n is first degree at which non-trivial relations occur. ( ) deg f i pi h = 0 Trivial relations: (p h i )q 1 p h i = 0, p h j ph i p h i ph j = 0 i

140 Degree of Regularity of Leading Terms Let pi h be the highest degree part of p i considered as an element of the truncated polynomial ring pi h F[x 1,..., x n ] x q 1,..., x n q Degree of Regularity of p1 h,..., ph n is first degree at which non-trivial relations occur. ( ) deg f i pi h = 0 Trivial relations: (p h i )q 1 p h i = 0, p h j ph i p h i ph j = 0 Then D reg (p 1,..., p n ) = D reg (p h 1,..., p h n) i

141 Bounds on Degree of Regularity Recently, we found a global upper bound on the degree of regularity (in the sense of DG) of an HFE system.

142 Bounds on Degree of Regularity Recently, we found a global upper bound on the degree of regularity (in the sense of DG) of an HFE system. Main Theorem. The degree of regularity of the system defined by P is bounded by Rank(P 0 )(q 1) (q 1)( log q(d 1) + 1) if Rank(P 0 ) > 1. Here Rank(P 0 ) is the rank of the quadratic form P 0. This explains why odd characteristics is good idea and why q = 2 is different

143 Bounds on Degree of Regularity Recently, we found a global upper bound on the degree of regularity (in the sense of DG) of an HFE system. Main Theorem. The degree of regularity of the system defined by P is bounded by Rank(P 0 )(q 1) (q 1)( log q(d 1) + 1) if Rank(P 0 ) > 1. Here Rank(P 0 ) is the rank of the quadratic form P 0. This explains why odd characteristics is good idea and why q = 2 is different These are universal bounds that require no additional assumption.

144 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung)

145 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung) HFEv- (Ding, Yang)

146 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung) HFEv- (Ding, Yang) Precise bound for Square systems. (Ding)

147 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung) HFEv- (Ding, Yang) Precise bound for Square systems. (Ding) Lower bounds for general case?

148 Bounds on Degree of Regularity for other systems HFE- (Ding, Kleijung) HFEv- (Ding, Yang) Precise bound for Square systems. (Ding) Lower bounds for general case? MinRank is also closely related.

149 MPKCs MPKCs has a very solid foundation in terms of both designs and security analysis.

150 MPKCs MPKCs has a very solid foundation in terms of both designs and security analysis. Efficient, simple and easy to implement; but large key size

151 MPKCs MPKCs has a very solid foundation in terms of both designs and security analysis. Efficient, simple and easy to implement; but large key size Quantum computer attack

152 Acknowledgment Many thanks for the organizer Thank you and questions?

Simple Matrix Scheme for Encryption (ABC)

Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31