Multivariate Quadratic Public-Key Cryptography Part 1: Basics

Similar documents
On the Complexity of the Hybrid Approach on HFEv-

Improved Cryptanalysis of HFEv- via Projection

Multivariate Public Key Cryptography

The Shortest Signatures Ever

Improved Cryptanalysis of HFEv- via Projection

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

MI-T-HFE, a New Multivariate Signature Scheme

Inoculating Multivariate Schemes Against Differential Attacks

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Simple Matrix Scheme for Encryption (ABC)

TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

New Directions in Multivariate Public Key Cryptography

Hidden Field Equations

On the Security and Key Generation of the ZHFE Encryption Scheme

Oil-Vinegar signature cryptosystems

Key Recovery on Hidden Monomial Multivariate Schemes

New candidates for multivariate trapdoor functions

RGB, a Mixed Multivariate Signature Scheme

Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

HFERP - A New Multivariate Encryption Scheme

Linearity Measures for MQ Cryptography

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems

Public key cryptography using Permutation P-Polynomials over Finite Fields

Cryptanalysis of Simple Matrix Scheme for Encryption

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems

Cryptanalysis of the TTM Cryptosystem

Efficient variant of Rainbow using sparse secret keys

MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis

Algebraic Aspects of Symmetric-key Cryptography

Key Recovery on Hidden Monomial Multivariate Schemes

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Gröbner Bases Techniques in Post-Quantum Cryptography

From 5-pass MQ-based identification to MQ-based signatures

Multivariate Public Key Cryptography

Gröbner Bases in Public-Key Cryptography

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Differential Cryptanalysis for Multivariate Schemes

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

Quadratic Equations from APN Power Functions

Cryptanalysis of the Tractable Rational Map Cryptosystem

Hidden Pair of Bijection Signature Scheme

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Public-Key Identification Schemes based on Multivariate Quadratic Polynomials

Hybrid Approach : a Tool for Multivariate Cryptography

Comparison between XL and Gröbner Basis Algorithms

Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations

Lecture 1: Introduction to Public key cryptography

Introduction to Quantum Safe Cryptography. ENISA September 2018

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

How Fast can be Algebraic Attacks on Block Ciphers?

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

From 5-pass MQ-based identification to MQ-based signatures

Computational and Algebraic Aspects of the Advanced Encryption Standard

Etude d hypothèses algorithmiques et attaques de primitives cryptographiques

Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited

Algorithmic Number Theory and Public-key Cryptography

Cryptanalysis of the Oil & Vinegar Signature Scheme

Owen (Chia-Hsin) Chen, National Taiwan University

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Public Key Algorithms

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

MXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy

A variant of the F4 algorithm

Quantum-resistant cryptography

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture Notes, Week 6

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

On multivariate signature-only public key cryptosystems

Winter 2011 Josh Benaloh Brian LaMacchia

Algebraic attack on stream ciphers Master s Thesis

AES side channel attacks protection using random isomorphisms

Math-Net.Ru All Russian mathematical portal

On the Security of HFE, HFEv- and Quartz

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Diophantine equations via weighted LLL algorithm

A Practical Multivariate Blind Signature Scheme

The Hash Function JH 1

Solving Underdefined Systems of Multivariate Quadratic Equations

Post-Quantum Cryptography & Privacy. Andreas Hülsing

MaTRU: A New NTRU-Based Cryptosystem

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

CPSC 467b: Cryptography and Computer Security

1 Number Theory Basics

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Cryptography IV: Asymmetric Ciphers

Computers and Electrical Engineering

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

CPSC 467: Cryptography and Computer Security

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Transcription:

Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 1 / 13

Multivariate Cryptography MPKC: Multivariate (Quadratic) Public Key Cryptosystem Public Key: System of nonlinear multivariate equations p (1) (x 1,..., x n ) = p (2) (x 1,..., x n ) = p (m) (x 1,..., x n ) = n n i=1 j=i n n i=1 j=i n n i=1 j=i p (1) ij x i x j + p (2) ij x i x j + p (m) ij x i x j +. n i=1 n i=1 n i=1 p (1) i x i ( p (2) i x i ( p (m) i x i ( +p (1) ) 0 +p (2) ) 0 +p (m) ) 0 B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 2 / 13

Multivariate Cryptography MPKC: Multivariate (Quadratic) Public Key Cryptosystem Public Key: System of nonlinear multivariate equations p (1) (x 1,..., x n ) = p (2) (x 1,..., x n ) = n n i=1 j=i n n i=1 j=i p (1) ij x i x j + p (2) ij x i x j + n i=1 n i=1 p (1) i x i ( p (2) i x i ( +p (1) ) 0 +p (2) ) 0 p (m) (x 1,..., x n ) = n n i=1 j=i p (m) ij x i x j +. n i=1 p (m) i x i ( ( ) n + d Public Key size = m at degree d, hence usually d = 2. d +p (m) ) 0 B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 2 / 13

Security The security of multivariate schemes is based on the Problem MQ: Given m multivariate quadratic polynomials p (1) (x),..., p (m) (x), find a vector x = ( x 1,..., x n ) such that p (1) ( x) =... = p (m) ( x) = 0. NP hard believed to be hard on average even for quantum conputers: B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 3 / 13

Security The security of multivariate schemes is based on the Problem MQ: Given m multivariate quadratic polynomials p (1) (x),..., p (m) (x), find a vector x = ( x 1,..., x n ) such that p (1) ( x) =... = p (m) ( x) = 0. NP hard believed to be hard on average even for quantum conputers: suppose we have a probabilistic algorithm A and a subexponential function η, T terminates with an answer to a random instance from MQ(n, m = an,f q ) in time η(n) with probability negl(n). higher order versions (MP for Multivariate Polynomials or PoSSo for Polynomial System Solving) clearly no less hard However usually no direct reduction to MQ!! B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 3 / 13

Identification Scheme of Sakumoto et al and MQDSS An example 5-pass ID scheme depending only on MQ P be a random MQ instance Its polar form DP(x, y) := P(x + y) P(x) P(y) P(0) P(s) = p is the public key, s is the secret. Peter picks and commits random (r 0, t 0, e 0 ), sets r 1 = s r 0 and commits (r 1, DP(t 0, r 1 ) + e 0 ). Vera sends random α, Peter sets and sends t 1 := αr 0 t 0, e 1 := αp(r 0 ) e 0. Vera sends challenge Ch, Peter sends r Ch. Vera checks the commit of either (r 0, αr 0 t 1, αp(r 0 ) e 1 ) or (r 1, α(p P(r 1 )) DP(t 1, r 1 ) e 1 ). The Fiat-Shamir transform of this ID scheme is the MQDSS scheme. B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 4 / 13

Bipolar Construction Easily invertible quadratic map Q : F n F m Two invertible linear maps T (: F m F m ) and S(: F n F n ) Public key: P = T Q S supposed to look random Private key: S, Q, T allows to invert the public key B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 5 / 13

Bipolar Construction Easily invertible quadratic map Q : F n F m Two invertible linear maps T (: F m F m ) and S(: F n F n ) Public key: P = T Q S supposed to look random Private key: S, Q, T allows to invert the public key Encryption Schemes (m n) TTM-related schemes (all broken) PMI+, IPHFE+ ZHFE ( broken cf. this conference) Simple Matrix ( cf. this conference) B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 5 / 13

Bipolar Construction Easily invertible quadratic map Q : F n F m Two invertible linear maps T (: F m F m ) and S(: F n F n ) Public key: P = T Q S supposed to look random Private key: S, Q, T allows to invert the public key Encryption Schemes (m n) TTM-related schemes (all broken) PMI+, IPHFE+ ZHFE ( broken cf. this conference) Simple Matrix ( cf. this conference) Signature Schemes (m n) Unbalanced Oil and Vinegar (Rainbow, TTS) HFEv- (QUARTZ/Gui) pflash ( this conference) B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 5 / 13

Workflow Decryption / Signature Generation z F m T 1 y F m Q 1 x F n S 1 w F n P Encryption / Signature Verification B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 6 / 13

Isomorphism of Polynomials Due to the bipolar construction, the security of MPKCs is also based on the Problem EIP (Extended Isomorphism of Polynomials): Given the public key P of a multivariate public key cryptosystem, find affine maps S and T as well as quadratic map Q in class C such that P = T Q S. Hardness of the problem depends heavily on the structure of the central map In general, not much is known about the complexity Security analysis of multivariate schemes is a hard task B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 7 / 13

Generic (Direct) Attacks Try to solve the public equation P(w) = z as an instance of the MQ-Problem, all algorithms have exponential running time (for m n) Known Best Generic Algorithms For larger q, FXL ( Hybridized XL ) For q = 2, smart enumerative methods B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 8 / 13

Generic (Direct) Attacks Try to solve the public equation P(w) = z as an instance of the MQ-Problem, all algorithms have exponential running time (for m n) Known Best Generic Algorithms For larger q, FXL ( Hybridized XL ) For q = 2, the Joux-Vitse Algorithm (an XL variant). Complexity of Direct Attacks How many equations are needed to meet given levels of security? security number of equations level (bit) F 2 * F 16 F 31 F 256 80 88 30 28 26 100 110 39 36 33 128 140 51 48 43 192 208 80 75 68 256 280 110 103 93 * depending on how we model the Joux-Vitse algorithm B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 8 / 13

XL Algorithm Given: nonlinear polynomials f 1,..., f m of degree d 1 extend multiply each polynomial f 1,..., f m by every monomial of degree D d 2 Linearize: Apply (sparse) linear algebra to solve the extended system Complexity = 3 ( ) 2 n + dxl d XL ( ) n d (for larger q) or 2 or Linearize and use an improved XL: Many variants... B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 9 / 13

XL Variants FXL XL with k variables guessed or hybridized if with k initial guesses / fixing / hybridization : Complexity = min k 3q k ( ) 2 ( ) n k + dxl n k. d d XL [generic method with the best asymptotic multiplicative complexity]. B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 10 / 13

XL Variants FXL XL with k variables guessed or hybridized XL 1 extend: multiply each polynomial f 1,..., f m by monomials, up to total degree D 2 Linearize: Apply linear algebra to eliminate all monomials involving the first k variables (and get at least n k such equations). 3 Enumerate over remaining n k variables. B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 10 / 13

XL Variants FXL XL with k variables guessed or hybridized XL 1 extend: multiply each polynomial f 1,..., f m by monomials, up to total degree D 2 Linearize: Apply linear algebra to eliminate all monomials involving the first k variables (and get at least n k such equations). 3 Enumerate over remaining n k variables. XL2 simplified F 4 1 extend: multiply each polynomial f 1,..., f m by monomials, up to total degree D 2 Linearize: Apply linear algebra to eliminate top level monomials 3 Multiply degree D 1 equations by variables, Eliminate Again. B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 10 / 13

XL Variants FXL XL with k variables guessed or hybridized Joux-Vitse ( Hybridized XL-related method ) 1 extend: multiply each polynomial f 1,..., f m by monomials, up to total degree D 2 Linearize: Apply linear algebra to eliminate all monomials of total degree 2 in the first k variables (and get at least k such equations). 3 Fix n k variables, solve for the initial k in linear equations. XL2 simplified F 4 1 extend: multiply each polynomial f 1,..., f m by monomials, up to total degree D 2 Linearize: Apply linear algebra to eliminate top level monomials 3 Multiply degree D 1 equations by variables, Eliminate Again. B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 10 / 13

More Advanced Gröbner Bases Algorithms find a nice basis of the ideal f 1,..., f m first studied by B. Buchberger later improved by Faugére et al. (F 4, F 5 ) With linear algebra constant 2 < ω 3. Complexity(q, m, n) = O (( ) ω ) n + dreg 1 d reg (for larger q) Hybridized : Complexity(q, m, n) = min k q k O (( ) ω ) n k + dreg 1 d reg Do not blithely set ω = 2 here Even if ω 2, there is a huge constant factor which cannot be neglected. B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 11 / 13

Remarks Every cryptosystem can be represented as a set of nonlinear multivariate equations Direct attacks can be used in the cryptanalysis of other cryptographic schemes (in particular block and stream ciphers) The MQ (or PoSSo) Problem can be seen as one of the central problems in cryptography Post-Quantum-ness of MQ MQ is quantum-resistant: the best Grover-based quantum attack against n-bits of input takes 2 n 2 +1 n 3 time. B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 12 / 13

Features of Multivariate Cryptosystems Advantages resistant against attacks with quantum computers very fast (much faster than RSA) only simple arithmetic operations required can be implemented on low cost devices suitable for security solutions for the IoT many practical signature schemes (UOV, Rainbow, HFEv-,... ) short signatures (e.g. 120 bit signatures for 80 bit security) Disadvantages large key sizes (public key size 10 100 kb) no security proofs mainly restricted to digital signatures B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 13 / 13

BB08 D.J. Bernstein, J. Buchmann, E. Dahmen (eds.): Post Quantum Cryptography. Springer, 2009. DG06 J. Ding, J. E. Gower, D. S. Schmidt: Multivariate Public Key Cryptosystems. Springer, 2006. GJ79 M. R. Garey and D. S. Johnson: Computers and Intractability: A Guide to the Theory of NP-Completeness. B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 13 / 13

Multivariate Quadratic Public-Key Cryptography Part 2: Big Field Schemes Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 1 / 25

Big Field Schemes z F n T 1 y F n Q 1 x F n S 1 w F n Decryption / Signature Generation Y E Q 1 X E φ φ 1 Encryption / Signature Verification P B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 2 / 25

Extension Fields F q : finite field with q elements g(x) irreducible polynomial in F[X] of degree n F q n = F[X]/ g(x) finite field with q n elements isomorphism φ : F n q F q n, (a 1,..., a n ) n i=1 a i X i 1 Addition in F q n: Addition in F q [X] Multiplication in F q n: Multiplication in F q [X] modulo g(x) B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 3 / 25

The Matsumoto-Imai Cryptosystem (1988) [MI88] F q : finite field of characteristic 2 degree n extension field E = F q n isomorphism φ : F n q E MI parameter θ N with Key Generation gcd(q θ + 1, q n 1) = 1. central map Q : E E, X X qθ +1 Q is bijective choose 2 invertible linear or affine maps S, T : F n F n public key: P = T φ 1 Q φ S : F n F n quadratic multivariate map use the extended Euclidian algorithm to compute h N with private key: S, T h θ 1 mod q n 1 B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 4 / 25

Both Encryption and Signature Encryption or Verification Given: plaintext or signature w F n or Compute z F n by z = P(w). This is the ciphertext. Or the result to be matched against a hash digest. Decryption or Signing Given: ciphertext or hash digest z F n 1 Compute y = T 1 (z). 2 Compute Y = φ(y) E 3 Compute X = Q 1 (Y ) by X = Y h 4 Compute x = φ 1 (X) F n 5 Compute the plaintext or signature w F n by w = S 1 (x). B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 5 / 25

Linearization, a Message Recovery Attack [Pa95] Given public key P, z F n, find plaintext w F n, s.t. P(w ) = z Proposed by J. Patarin in 1995 Taking the q θ 1 st power of Y = X qθ +1 and multiplying with XY yields X Y qθ = X q2θ Y bilinear equation in X and Y, hence, same in w and z n n n n α ij w i z j + β i w i + γ j z j + δ = 0. i=1 j=1 i=1 j=1 ( ) 1 Compute N (n+1) (n+2) 2 pairs (z (k) /w (k) ) and substitute into ( ). 2 Solve the resulting linear system for the coefficients α ij, β i, γ j and δ. n bilinear equations in w 1,..., w n, z 1,..., z n 3 Substitute z into these bilinear equations and solve for w. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 6 / 25

C Schemes C schemes are C schemes with a truncated public key [PGC98] Construction of a C scheme (n, θ, r) are the parameters of the scheme 1 Generate a C with parameters (n, θ): Q(x) = x 1+qθ 2 Remove the last r polynomials from the public key p 1 (x 1,..., x n ). p 1 (x 1,..., x n ) Π T Q S =.. p n r (x 1,.., x n ) p n (x 1,..., x n ) = Π P B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 7 / 25

SFLASH=C (F 128,37,26) Signing 1 Append r random values µ to the message m to be signed 2 Find a preimage σ of (m, µ) by T Q S using S, T 3 Such a preimage always exists since a C monomial is bijective 4 σ is a valid signature since Π P(σ) = m Parameters (n, θ) must define a bijective C Q(x) = x 1+qθ Q is bijective when gcd(q θ + 1, q n 1) = 1 (q = 2 k ) This condition is equivalent to n/d odd where d = gcd(n, θ) B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 8 / 25

SFLASH=C (F 128,37,26) Signing 1 Append r random values µ to the message m to be signed 2 Find a preimage σ of (m, µ) by T Q S using S, T 3 Such a preimage always exists since a C monomial is bijective 4 σ is a valid signature since Π P(σ) = m Parameters (n, θ) must define a bijective C Q(x) = x 1+qθ Q is bijective when gcd(q θ + 1, q n 1) = 1 (q = 2 k ) This condition is equivalent to n/d odd where d = gcd(n, θ) q r 2 b to avoid a possible recomposing attack B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 8 / 25

Skew-Symmetry: C Attack by Dubois (2007) First attack requires d = gcd(n, θ) > 1, but isn t necessary Take any ζ (F q n), then DQ(ζa, x) + DQ(a, ζx) = L(ζ)DQ(a, x), implying that if M ζ = S 1 M ζ S, where M ζ means multiplying by ζ, then if H i are symmetric matrices of the public key polynomials p i, we should have span{m T ζ H i + H i M ζ : i = 1 n} = span{h i : i = 1 n}. Heuristic Argument by Shamir et al pick three random linear combinations n r i=1 b i(m T ζ H i + H i M ζ ) and demand that they fall in S = span{h i : i = 1 n r}, then 1 there is a good chance to find a nontrivial M ζ 2 this matrix really correspond to a multiplication by ζ in F q n; 3 the skew-symmetric action of this M ζ on the H i leads to matrices in span{h i : i = 1 n}\s. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 9 / 25

Net Result of Differential Attacks End of SFLASH The heuristic argument holds under comprehensive tests and SFLASH and in fact all C are comprehensively broken!! Later a slightly more complex but very similar argument was used to break the similar lir signature scheme (PKC 2008) by Fouque et al. A Defense In One Sentence When we restrict to a subspace H of F q n, the only maps that satisfy the symmetry properties (required of the differential attacks) happens to be the same ones in F q n that leaves H invariant. Projections block differential attacks All symmetry disappears from hyperplane-restricted C s. Differential Attacks verified not to work. This is further studied by Smith et al. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 10 / 25

Prefixed C signature scheme Natural restriction of Q to hyperplane = set coordinate to 0 Start from a C scheme with Q(x) = x 1+qθ with secret linear maps S and T. Let r and s be two integers between 0 and n. Let T be the projection of T on the last r coordinates and S be the restriction of S to the first n s coordinates. P = T Q S is the public key and S 1 and T 1 are used as the secret key. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 11 / 25

Prefixed C signature scheme Natural restriction of Q to hyperplane = set coordinate to 0 Start from a C scheme with Q(x) = x 1+qθ with secret linear maps S and T. Let r and s be two integers between 0 and n. Let T be the projection of T on the last r coordinates and S be the restriction of S to the first n s coordinates. P = T Q S is the public key and S 1 and T 1 are used as the secret key. Inversion To find P 1 (m) for m F n r q, the legitimate user first pads m with a random vector m of (F) r and compute the preimage of (m, m ) by T 1 Q 1 S 1. If this element has its last s coordinates to 0, then its n s first coordinates are a valid signature for m. Otherwise, he discards this element and tries with another m. When r > s, the process ends with probability 1 and costs on average q s inversions of Q. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 11 / 25

pflash (C p, prefixed C ) Choosing Parameters n, θ, r are chosen following the rationales for C schemes. As signing is q s times slower, we prefer s = 1 and q small. However, if q is chosen small, at constant blocksize this requires a larger value of n and therefore larger keys. Realistic 80-bit Parameters: pflash(f 16,62-1,40) As a possible trade-off, the original proposers suggested pflash with q = 2 4, n = 74, θ = 11, r = 22 and s = 1 (we call this pflash(f 16,74-1,56)). It has (as expected) a bigger secret key of 5.4kB and signs in line with expectations of 16 time of SFLASH. Currently Smith et al suggests pflash(f 16,62-1,40). One big plus for q = 2 4 is to compute over F 2 8 until the last step. Larger pflash Parameters at 128 and 256 bits We suggest pflash(f 16,96-1,64) and pflash(f 16,192-1,128). B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 12 / 25

The HFE Cryptosystem [Pa96] Hidden Field Equations, proposed by Patarin in 1995 BigField Scheme, can be used both for encryption and signatures finite field F, extension field E of degree n, isomorphism φ : F n E Original HFE central map Q : E E (not bijective, invert using Berlekamp Algorithm). Q(X) = q i +q j D 0 i j q i D α ij X qi +q j + Q = φ 1 Q φ : F n F n quadratic i=0 β i X qi + γ degree bound D needed for efficient decryption / signature generation linear maps S, T : F n F n public key: P = T Q S : F n F n private key: S, Q, T B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 13 / 25

Decryption and Signature Generation Signing message d 1 Use hash function H : {0, 1} F n to compute z = H(d) 2 Compute y = T 1 (z) F n and Y = φ(y) E 3 Solve Q(X) = Y over E via Berlekamp s algorithm 4 Compute x = φ 1 (X) F n and w = S 1 (x) Signature: w F n. Decryption proceeds similarly, but... Signature generation process does not output a signature for every input message need to append a counter to the message d Decryption is not unique need disambiguation in the plaintext. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 14 / 25

MinRank Attack against HFE Look in extemsion field E (Kipnis and Shamir [KS99]) the linear maps S and T relate to univariate maps S (X) = n 1 i=1 s i X qi amd T (X) = n 1 i=1 t i X qi, with s i, t i E. the public key P can be expressed as n 1 n 1 i=0 j=0 p ij X qi +q j = X P X T, Components of P can be found by polynomial interpolation. Solve MinRank problem over E. No need to look in E (Bettale et al) Perform the MinRank attack without recovering P HFE can be broken by using a MinRank problem over the base field F. Complexity MinRank = with 2 < ω 3 and r = log q (D 1) + 1. ( n + r B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 15 / 25 r ) ω

Direct Attacks J-C Faugère solved HFE Challenge 1 (HFE over GF2, d = 96) in 2002 Empirically HFE systems can be solved much faster than random Ding-Hodges Upper bound for d reg d reg { (q 1) (r 1) 2 + 2 q even and r odd, (q 1) r 2 + 2 otherwise., with r = log q (D 1) + 1. Basic version of HFE is not secure Variant Schemes Encryption Schemes IPHFE+ (inefficient), ZHFE (broken here). Signature Schemes HFEv- (QUARTZ/GUI), MHFEv- (talk here) B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 16 / 25

HFEvfinite field F, extension field E of degree n, isomorphism φ : F n E central map Q : F v E E, where the β i and γ are affine. Q(X) = q i +q j D 0 i j q i D α ij X qi +q j + i=0 β i (v 1,..., v v ) X qi + γ(v 1,..., v v ) Q = φ 1 Q (φ id v ) quadratic map: F n+v F n linear maps T : F n F n a and S : F n+v F n+v of maximal rank public key: P = T Q S : F n+v F n a private key: S, Q, T Signing Message digest z 1 Compute y = T 1 (z) F n and Y = φ(y) E 2 Choose random values for the vinegar variables v 1,..., v v Solve Q v1,...,v v (X) = Y over E via Berlekamps algorithm. Repeat this step until there is a unique solution. 3 Compute x = φ 1 (X) F n and signature w = S 1 (x v 1... v v ). B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 17 / 25

Security vs. Efficiency Main Attacks MinRank Attack Rank(F) ( = r + a + ) v ω n + r + a + v Compl MinRank = r + a + v Direct attack [DY13] d reg { (q 1) (r+a+v 1) 2 + 2 q even and r + a odd, (q 1) (r+a+v) 2 + 2 otherwise., with r = log q (D 1) + 1 and 2 < ω 3. Efficiency Rate determining step: solving X from a univariate equation of degree D. Complexity Berlekamp = O(D 3 + n D 2 ) B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 18 / 25

How to define a HFEv- like scheme over F 2 [PCY+15]? Collision Resistance of the hash function To cover a hash value of k bit, the public key of a pure HFEv- scheme has to contain at least k equations over F 2. public key > k 3 /2 bits security level 80 100 128 192 256 # equations 100 200 256 384 512 pubkey size (kb) >250 > 500 > 1000 > 3000 > 8000 QUARTZ standardized by Courtois, Patarin in 2002 HFEv with F = GF(2), n = 103, D = 129, a = 3 and v = 4 public key: quadratic map P = T Q S : GF(2) 107 GF(2) 100 Prevent birthday attacks Generate four HFEv signatures (for w, H(w 00), H(w 01) and H(w 11)) Combine them to a single signature of length (n a) + 4 (a + v) = 128 bit B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 19 / 25

GUI (Generalization of QUARTZ) Signature Generation Input: HFEv- private key (S, Q, T ) message d, repetition factor k Output: signature σ F 2 (n a)+k(a+v) 1: h SHA-256(d) 2: S 0 0 GF(2) n a 3: for i = 1 to k do 4: D i first n a bits of h 5: (S i, X i ) HFEv 1 (D i S i 1 ) 6: h SHA-256(h) 7: end for 8: σ (S k X k... X 1 ) 9: return σ Note that if the equation has zero or more than 2 equations, then we discard those vinegars and try again. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 20 / 25

Signature Verification Input: HFEv- public key P, message d, repetition factor k, signature σ F 2 (n a)+k(a+v) Output: TRUE or FALSE 1: h SHA-256(d) 2: (S k, X k,..., X 1 ) σ 3: for i = 1 to k do 4: D i first n a bits of h 5: h SHA-256(h) 6: end for 7: for i = k 1 to 0 do 8: S i P(S i+1 X i+1 ) D i+1 9: end for 10: if S 0 = 0 then 11: return TRUE 12: else 13: return FALSE 14: end if B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 21 / 25

Parameters for HFEv- (GUI) over F 2? Parameters are set by the complexity of MinRank and direct attacks For the complexity of the MinRank attack we have a concrete formula For the direct attack, we only have an upper bound on d reg. d reg { (q 1) (r+a+v 1) 2 + 2 q even and r + a odd, (q 1) (r+a+v) 2 + 2 otherwise. ( ) Experiments show that these estimate for d reg is reasonably tight. Parameter Choice of HFEv- over F 2 Efficiency Choose D as small as possible D = 5 r = log 2 (D 1) + 1 = 3 D = 9 r = log 2 (D 1) + 1 = 4 D = 17 r = log 2 (D 1) + 1 = 5 Increase a and v to reach the required security level Choose a and v as equal as possible, i.e. 0 v a 1. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 22 / 25

Quantum Attacks and Impact A determined multivariate system of m equations over F 2 can be solved using 2 m/2 2 m 3 operations using a quantum computer. This does not affect signatures in general because the hashes are typically twice as wide as the design security. Alas, this wipes out nearly all GUI s gains. very large public key size security level 80 100 128 192 256 min # equations 117 155 208 332 457 Minimal Conservative Quantum-Safe Parameters quantum security public key private key signature level (bit) size (kb) size (kb) size (bit) 80 Gui (F 2,120,9,3,3,2) 110.7 3.8 129 100 Gui (F 2,161,9,6,7,2) 271.8 7.5 181 128 Gui (F 2,219,9,11,11,2) 680.4 14.5 252 192 Gui (F 2,350,9,18,19,2) 2,781.6 40.9 406 256 Gui (F 2,483,9,26,26,2) 7,269.2 82.8 561 B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 23 / 25

HFEv- - Summary very short (pre-quantum) signatures security well respected conflict between security and efficiency restricted to very small fields, hence very large keys HMFEv- (Hidden Medium Field Equations vinegar minus) Central map is a random E k E k quadratic map. shown by J-C Faugère et al to act like a HFE with rank k basic scheme is breakable the same way. Can build HMFEv- just like HFEvkey size is roughly proportional to field size Please attend talk by Albrecht Petzoldt (shameless plug). B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 24 / 25

References KS99 A. Kipnis, A. Shamir: Cryptanalysis of the HFE Public Key Cryptosystem. CRYPTO 99, LNCS vol. 1666, pp. 19-30. Springer 1999. DDY+08 J. Ding, V. Dubois, B.-Y. Yang, C.-H. Chen, and C.-M. Cheng. Can SFLASH be Repaired?, ICALP 2008 - Part 2, LNCS 5126, pp. 691-701. PCY+15 A. Petzoldt, M.S. Chen, B.Y. Yang, C. Tao, J. Ding: Design Principles for HFEv- based Signature Schemes. ASIACRYPT 2015 - Part 1, LNCS vol. 9452, pp. 311-334. Springer, 2015. DY13 J. Ding, B.Y. Yang: Degree of regularity for HFEv and HFEv-. PQCrypto 2013, LNCS vol. 7932, pp. 52-66. Springer, 2013. B.-Y. Yang (Academia Sinica) pflash and QUARTZ/GUI PQC Exec. Summer School 25 / 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback