New Directions in Multivariate Public Key Cryptography

Similar documents
On the Complexity of the Hybrid Approach on HFEv-

Simple Matrix Scheme for Encryption (ABC)

Multivariate Public Key Cryptography

New candidates for multivariate trapdoor functions

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

The Shortest Signatures Ever

TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor

MI-T-HFE, a New Multivariate Signature Scheme

Hidden Field Equations

Efficient variant of Rainbow using sparse secret keys

Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL

Inoculating Multivariate Schemes Against Differential Attacks

Improved Cryptanalysis of HFEv- via Projection

Oil-Vinegar signature cryptosystems

Multivariate Quadratic Public-Key Cryptography Part 1: Basics

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Cryptanalysis of the TTM Cryptosystem

MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Improved Cryptanalysis of HFEv- via Projection

Cryptanalysis of Simple Matrix Scheme for Encryption

RGB, a Mixed Multivariate Signature Scheme

HFERP - A New Multivariate Encryption Scheme

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Multivariate Public Key Cryptography

Quantum-resistant cryptography

Public key cryptography using Permutation P-Polynomials over Finite Fields

Algebraic Aspects of Symmetric-key Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

On the Security and Key Generation of the ZHFE Encryption Scheme

Cryptanalysis of the Tractable Rational Map Cryptosystem

Hidden Pair of Bijection Signature Scheme

Hybrid Approach : a Tool for Multivariate Cryptography

Mathematics of Cryptography

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems

Key Recovery on Hidden Monomial Multivariate Schemes

RSA RSA public key cryptosystem

Post-Quantum Cryptography

Lecture 1: Introduction to Public key cryptography

Introduction to Modern Cryptography. Benny Chor

MATH 158 FINAL EXAM 20 DECEMBER 2016

A variant of the F4 algorithm

Cryptanalysis of the Oil & Vinegar Signature Scheme

Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations

Introduction to Quantum Safe Cryptography. ENISA September 2018

An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme

Comparison between XL and Gröbner Basis Algorithms

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Computers and Electrical Engineering

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Elliptic Curve Discrete Logarithm Problem

Gröbner Bases in Public-Key Cryptography

Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

International Electronic Journal of Pure and Applied Mathematics IEJPAM, Volume 9, No. 1 (2015)

Ti Secured communications

Public-Key Identification Schemes based on Multivariate Quadratic Polynomials

Math/Mthe 418/818. Review Questions

Lossy Trapdoor Functions and Their Applications

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems

Gröbner Bases Techniques in Post-Quantum Cryptography

Errors, Eavesdroppers, and Enormous Matrices

Linearity Measures for MQ Cryptography

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

On the Goubin-Courtois Attack on TTM

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture Notes, Week 6

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Public Key Algorithms

Lecture V : Public Key Cryptography

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Public-key Cryptography and elliptic curves

Quadratic Equations from APN Power Functions

Public-Key Encryption: ElGamal, RSA, Rabin

A new attack on RSA with a composed decryption exponent

Rank Analysis of Cubic Multivariate Cryptosystems

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

RSA. Ramki Thurimella

Hidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith

On the Security of HFE, HFEv- and Quartz

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

COMP4109 : Applied Cryptography

Key Recovery on Hidden Monomial Multivariate Schemes

Winter 2011 Josh Benaloh Brian LaMacchia

1 Number Theory Basics

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

On error distributions in ring-based LWE

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Sign of Permutation Induced by Nagata Automorphism over Finite Fields

Elliptic Curve Cryptography

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Transcription:

New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010.

1 Public Key Cryptography in a nutshell Existing Systems 2 Example: MFE Cryptosystem Searching for polynomial identities 3 A new polynomial Identity Our system Analysis Open questions

Public Key Cryptography Public Key Cryptography in a nutshell Existing Systems Diffie and Hellman (1976) proposed the concept of public key cryptosystems with which users can communicate without sharing any prior secret key.

Public Key Cryptography Public Key Cryptography in a nutshell Existing Systems Diffie and Hellman (1976) proposed the concept of public key cryptosystems with which users can communicate without sharing any prior secret key. One-way function: easy to evaluate, but hard to invert (on average). Trapdoor one-way function: easy to evaluate, but hard to invert without knowledge of some trapdoor.

Public Key Cryptography Public Key Cryptography in a nutshell Existing Systems Diffie and Hellman (1976) proposed the concept of public key cryptosystems with which users can communicate without sharing any prior secret key. One-way function: easy to evaluate, but hard to invert (on average). Trapdoor one-way function: easy to evaluate, but hard to invert without knowledge of some trapdoor. A public key cryptosystem consists of a family of trapdoor one-way functions.

Examples Public Key Cryptography in a nutshell Existing Systems Candidate one-way function: Polynomials are easy to evaluate but NP-hard to invert, however, its average complexity is not known.

Examples Public Key Cryptography in a nutshell Existing Systems Candidate one-way function: Polynomials are easy to evaluate but NP-hard to invert, however, its average complexity is not known. Univariate: Given α F q, and a sparse polynomial f (x) = t f i x d i i=1 F q [x] where q is large (say q = 2 5000 ), d i s are as big as q, and t is small (say t = 500). Then it is easy to compute f (α), but it is NP-complete to decide, for a given β F q and a sparse f F q [x], whether there exists α F q such that f (α) = β.

Examples Public Key Cryptography in a nutshell Existing Systems Candidate trapdoor one-way functions: RSA cryptosystem encryption: f (x) = x e (modn) where n is a product two primes and gcd(e, φ(n)) = 1. Trapdoor : the factorization of n, or an integer d such that ed 1(modφ(n)).

Examples Public Key Cryptography in a nutshell Existing Systems Candidate trapdoor one-way functions: RSA cryptosystem encryption: f (x) = x e (modn) where n is a product two primes and gcd(e, φ(n)) = 1. Trapdoor : the factorization of n, or an integer d such that ed 1(modφ(n)). Discrete log based cryptosystems: G is a cyclic group generated by α of order n. Pick a random integer k {1, 2,..., n 1} as a trapdoor and let β = α k be public. The encryption function is then f (x) = (x β r, α r ) where r {1, 2,..., n 1}is random for each x.

Public key cryptosystems Public Key Cryptography in a nutshell Existing Systems Practical cryptosystems: RSA cryptosystem based on integer factorization and cryptosystems based on discrete log in finite fields and elliptic curves.

Public key cryptosystems Public Key Cryptography in a nutshell Existing Systems Practical cryptosystems: RSA cryptosystem based on integer factorization and cryptosystems based on discrete log in finite fields and elliptic curves. Main Problem: Quantum computers, if built, can factor integers and solve discrete logs in polynomial time (Shor 1997).

Public key cryptosystems Public Key Cryptography in a nutshell Existing Systems Practical cryptosystems: RSA cryptosystem based on integer factorization and cryptosystems based on discrete log in finite fields and elliptic curves. Main Problem: Quantum computers, if built, can factor integers and solve discrete logs in polynomial time (Shor 1997). Possible alternatives: Lattice-based cryptography Code-based cryptography Hash-based cryptography Multivariate cryptography

Public Key Cryptography in a nutshell Existing Systems NP-complete problem: Given a system of quadratic polynomials F = (f 1,..., f m ) F q [X 1,..., X n ] m and a point y = (y 1,..., y m ) F m q, decide whether there exists a point x = (x 1,..., x n ) F n q such that F (x) = y. To build a multivariate cryptosystem, we hope to disguise a nice polynomial system as an arbitrary quadratic polynomial system.

MPKC: Structure Public Key Cryptography in a nutshell Existing Systems Let k = F q be a finite field with q elements. Public Key: F : k n k m given by F (x 1,..., x n ) = where f i k[x 1,..., x n ] are quadratic. f 1 (x 1,..., x n ). f m (x 1,..., x n ) T

MPKC: Encryption/Decryption Public Key Cryptography in a nutshell Existing Systems Encryption: Decryption: (x 1,..., x n ) F (y 1,..., y m ) (y 1,..., y m ) F 1 (x 1,..., x n )

MPKC: Public Key Construction Public Key Cryptography in a nutshell Existing Systems We build the trapdoor one-way function F as F = L 1 F L 2, where F is a multivariate map that can be easily inverted, and L 1, L 2 are invertible affine transformations, which are secret. Evaluation: Inversion: (x 1,..., x n ) F (y 1,..., y m ) (y 1,..., y m ) L 1 1 F 1 L 1 2 (x 1,..., x n )

MPKC: Security Public Key Cryptography in a nutshell Existing Systems Public Private F = L 1 F L 2 Security is dependent on the known difficulty of Solving quadratic multivariate systems over finite fields. Factoring multivariate maps.

MPKC: Efficiency Public Key Cryptography in a nutshell Existing Systems Encryption: polynomial evaluation Decryption: depends on the system public Key: coefficients of quadratic systems

Goal: Construct secure MPKC Public Key Cryptography in a nutshell Existing Systems Difficult problem: Invertibility, security, and efficiency are interrelated, and a good system must satisfy all three requirements at the same time. Some past success, but mostly with signature schemes.

Existing Cryptosystems Public Key Cryptography in a nutshell Existing Systems Matsumoto-Imai (1988): generalizes of RSA using monomials Hidden Field Equations (Patarin 1996) Oil-Vinegar (Patarin 1997) Triangular (Fell and Diffie 1985, Shamir 1993, Moh 1999, Yang and Chen 2004) Other systems: Rainbow (Ding and Schmidt 2005), MFE (Wang et al. 2006), l-ic (Ding et al. 2007) Jintai Ding, Jason Gower, and Deiter Schmidt, Multivariate Public Key Cryptosystems, Springer (2006).

Triangular Systems Public Key Cryptography in a nutshell Existing Systems Central map: F (x 1,..., x n ) = x 1 x 2 + g 2 (x 1 ). x n 1 + g n 1 (x 1, x 2,..., x n 2 ) x n + g n (x 1, x 2,..., x n 2, x n 1 ) T

Triangular Systems Public Key Cryptography in a nutshell Existing Systems Central map: F (x 1,..., x n ) = x 1 x 2 + g 2 (x 1 ). x n 1 + g n 1 (x 1, x 2,..., x n 2 ) x n + g n (x 1, x 2,..., x n 2, x n 1 ) Inversion: iteratively solve for each component. T

Triangular Systems Public Key Cryptography in a nutshell Existing Systems Central map: F (x 1,..., x n ) = x 1 x 2 + g 2 (x 1 ). x n 1 + g n 1 (x 1, x 2,..., x n 2 ) x n + g n (x 1, x 2,..., x n 2, x n 1 ) Inversion: iteratively solve for each component. Weakness: triangular structure (first polynomial is linear, next few are too simple). T

Oil-Vinegar Systems (Patarin 1997) Public Key Cryptography in a nutshell Existing Systems Consider two sets of variables {ˇx 1,..., ˇx v } and {x 1,..., x o }. An oil-vinegar polynomial has the form aij ˇx i ˇx j + b ij ˇx i x j + c i ˇx i + d i x i + e.

Oil-Vinegar Systems (Patarin 1997) Public Key Cryptography in a nutshell Existing Systems Consider two sets of variables {ˇx 1,..., ˇx v } and {x 1,..., x o }. An oil-vinegar polynomial has the form aij ˇx i ˇx j + b ij ˇx i x j + c i ˇx i + d i x i + e. Given a system of o oil-vinegar polynomials, F = (f 1,..., f o ), if we substitute field values for ˇx 1,..., ˇx v, the result is an o o linear system, which is linear in the oil variables x 1,..., x o.

Oil-Vinegar Systems (Patarin 1997) Public Key Cryptography in a nutshell Existing Systems Consider two sets of variables {ˇx 1,..., ˇx v } and {x 1,..., x o }. An oil-vinegar polynomial has the form aij ˇx i ˇx j + b ij ˇx i x j + c i ˇx i + d i x i + e. Given a system of o oil-vinegar polynomials, F = (f 1,..., f o ), if we substitute field values for ˇx 1,..., ˇx v, the result is an o o linear system, which is linear in the oil variables x 1,..., x o. Signature generation: Given a document (y 1,..., y o ), choose (ˇx 1,..., ˇx v ) k v at random, and solve the resulting linear system for x 1,..., x o. The signature is then (ˇx 1,..., ˇx v, x 1,..., x o ).

Example: MFE Cryptosystem Searching for polynomial identities We propose a new framework for constructing central maps that combines ideas from Triangular and Oil-Vinegar Systems.

Example: MFE Cryptosystem Searching for polynomial identities We propose a new framework for constructing central maps that combines ideas from Triangular and Oil-Vinegar Systems. Benefits: Combine Triangular and Oil-Vinegar systems to build encryption schemes.

Example: MFE Cryptosystem Searching for polynomial identities We propose a new framework for constructing central maps that combines ideas from Triangular and Oil-Vinegar Systems. Benefits: Combine Triangular and Oil-Vinegar systems to build encryption schemes. Achieve invertibility more generally, then address the issues of security and efficiency.

Example: MFE Cryptosystem Searching for polynomial identities We propose a new framework for constructing central maps that combines ideas from Triangular and Oil-Vinegar Systems. Benefits: Combine Triangular and Oil-Vinegar systems to build encryption schemes. Achieve invertibility more generally, then address the issues of security and efficiency. Introduce flexibility in construction.

x 1,..., x n y 11,..., y 1n x 1 x 2 + g 2 (x 1 ). x n 1 + g n 1 (x 1, x 2,..., x n 2 ) x n + g n (x 1, x 2,..., x n 2, x n 1 ) first oil-vinegar system vinegar variables: x 1,..., x n oil variables: y 11,..., y 1n lock polynomials from oil-vinegar systems hide triangular structure. y l 1,1,..., y l 1,n l-th oil-vinegar system vinegar variables: x 1,..., x n,..., y l 1,1,..., y l 1,n oil variables: y l1,..., y ln

Example: MFE Cryptosystem Searching for polynomial identities Example: MFE Cryptosystem (Wang et al. 2006) It is based on the following identity. Let ( ) ( X1 X A(X ) = det 3 Y1 Y, A(Y ) = det 3 X 4 X 2 Y 4 Y 2 ), and ( X1 X 3 X 4 X 2 ) ( Y1 Y 3 Y 4 Y 2 ) ( f1 f = 3 f 4 f 2 Taking determinants on both sides gives the identity A(X )B(Y ) = f 1 f 2 f 3 f 4. ).

Example: MFE Cryptosystem (Wang et al. 2006) Input: (X 1, X 2, X 3, Y 1, Y 2, Y 3, Z 1, Z 2, Z 3 ) k 9 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) h 1 h 2 s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) h 3 h 4 Output: A vector in k 15

Example: MFE Cryptosystem (Wang et al. 2006) Input: (X 1, X 2, X 3, Y 1, Y 2, Y 3, Z 1, Z 2, Z 3 ) k 9 X 1, X 2, X 3 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) h 1 h 2 s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) h 3 h 4 Output: A vector in k 15

Example: MFE Cryptosystem (Wang et al. 2006) Input: (X 1, X 2, X 3, Y 1, Y 2, Y 3, Z 1, Z 2, Z 3 ) k 9 X 1, X 2, X 3 Y 1, Y 2, Y 3 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) h 1 h 2 s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) h 3 h 4 Output: A vector in k 15

Example: MFE Cryptosystem (Wang et al. 2006) X 1 + A(X ) X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) A(X ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z)

Example: MFE Cryptosystem (Wang et al. 2006) X 1 + A(X ) X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) A(Y )

Example: MFE Cryptosystem (Wang et al. 2006) X 1 + A(X ) X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) A(Z)

Example: MFE Cryptosystem (Wang et al. 2006) Input: (X 1, X 2, X 3, Y 1, Y 2, Y 3, Z 1, Z 2, Z 3 ) k 9 X 1 + A(X ) X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) h 1 h 2 s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) h 3 h 4 Output: A vector in k 15

Decryption Example: MFE Cryptosystem Searching for polynomial identities Decryption involves two steps: 1 Restoring the triangular structure and solving for the initial vinegar variables x 1,..., x n. 2 Iteratively solving the oil-vinegar systems for the remaining oil variables.

Decryption: Step 1 - Restore triangular structure X 1 + A(X ) X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) ( ) 1/2 (f1 f 2 +f 3 f 4 )(h 1 h 2 +h 3 h 4 ) g 1 g 2 +g 3 g 4

Decryption: Step 1 - Restore triangular structure X 1 X 2 + φ(x 1 ) + A(Y ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) ( ) 1/2 (f1 f 2 +f 3 f 4 )(h 1 h 2 +h 3 h 4 ) g 1 g 2 +g 3 g 4

Decryption: Step 1 - Restore triangular structure X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) + A(Z) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) ( ) f 1 f (f1 2 +f f 23 +f f 4 1/2 3 f 4 )(h 1 h 2 +h 3 h 4 ) A(X ) g 1 g 2 +g 3 g 4

Decryption: Step 1 - Restore triangular structure X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z) ( ) 1/2 (f1 f 2 +f 3 f 4 )(h 1 h 2 +h 3 h 4 ) g 1 g 2 +g 3 g 4 g 1 g 2 +g 3 g 4 A(Y )

Decryption: Step 2 - Solve oil-vinegar systems X 1, X 2, X 3 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z)

Decryption: Step 2 - Solve oil-vinegar systems X 1, X 2, X 3 Y 1, Y 2, Y 3 X 1 X 2 + φ(x 1 ) X 3 + φ(x 1, X 2 ) f 1 f 2 s.t. f 1 f 2 + f 3 f 4 = A(X )A(Y ) f 3 f 4 g 1 g 2 g 3 g 4 h 1 h 2 h 3 h 4 s.t. g 1 g 2 + g 3 g 4 = A(Y )A(Z) s.t. h 1 h 2 + h 3 h 4 = A(X )A(Z)

Constructing Polynomial Identities Example: MFE Cryptosystem Searching for polynomial identities Goal: construct identities of the form A(X )B(Y ) = f 1 f 2 + + f m 1 f m over the polynomial ring k[x 1,..., X n, Y 1,..., Y n ]. Toolbox: 1 Parameterization 2 Gröbner Basis methods 3 Plücker coordinates 4 Matrix Determinants 5 Grassmann coordinates 6 Graph theory

A new polynomial Identity Our system Analysis Open questions Polynomial identity in k[x 1,..., X 8, Y 1,..., Y 8 ] A(X )B(Y ) = f 1 f 2 + f 3 f 4 + f 5 f 6 + f 7 f 8 + f 9 f 10, where A(X ) = X 1 X 2 + X 3 X 4 + X 5 X 6 + X 7 X 8 B(Y ) = Y 1 Y 2 + Y 3 Y 4 + Y 5 Y 6 + Y 7 Y 8 f 1 = X 4 Y 1 + X 8 Y 4 + (X 1 + X 4 )Y 5 + X 5 Y 8 f 2 = (X 2 + X 3 )Y 2 + X 7 Y 3 + X 2 Y 6 + X 6 Y 7 f 3 = X 8 Y 2 + X 4 Y 3 + X 5 Y 6 + (X 1 + X 4 )Y 7 f 4 = X 7 Y 1 + (X 2 + X 3 )Y 4 + X 6 Y 5 + X 2 Y 8 f 5 = X 2 Y 1 + X 6 Y 4 + (X 2 + X 3 )Y 5 + X 7 Y 8 f 6 = (X 1 + X 4 )Y 2 + X 5 Y 3 + X 4 Y 6 + X 8 Y 7 f 7 = X 6 Y 2 + X 2 Y 3 + X 7 Y 6 + (X 2 + X 3 )Y 7 f 8 = X 5 Y 1 + (X 1 + X 4 )Y 4 + X 8 Y 5 + X 4 Y 8 f 9 = Y 1 Y 7 + Y 2 Y 8 + Y 3 Y 5 + Y 4 Y 6 f 10 = X 1 X 7 + X 2 (X 5 + X 8 ) + X 3 X 5 + X 4 (X 6 + X 7 ).

Polynomial Identity A new polynomial Identity Our system Analysis Open questions We introduce the following notation: pxy ij = x i x j = x iy j x j y i, 1 i < j 4. y i y j Define Then xyzw = x 1 y 1 z 1 w 1 x 2 y 2 z 2 w 2 x 3 y 3 z 3 w 3 x 4 y 4 z 4 w 4. xyzw = p 12 xy p 34 zw p 13 xy p 24 zw + p 14 xy p 23 zw + p 23 xy p 14 zw p 24 xy p 13 zw + p 34 xy p 12 zw.

Polynomial Identity A new polynomial Identity Our system Analysis Open questions 0 = xyxw + xyxz + xyyw + xyyz + (1) zwxw + zwxz + zwyw + zwyz (2)

Polynomial Identity A new polynomial Identity Our system Analysis Open questions 0 = xyxw + xyxz + xyyw + xyyz + (1) zwxw + zwxz + zwyw + zwyz (2) Defining p ij = p ij xw + p ij xz + p ij yw + p ij yz, 1 i < j 4, (3) the four determinants of (1) can be regrouped as p 12 xy p 34 + p 13 xy p 24 + p 14 xy p 23 + p 23 xy p 14 + p 24 xy p 13 + p 34 xy p 12.

Polynomial Identity A new polynomial Identity Our system Analysis Open questions After performing a similar grouping for (2), we get the the identity 0 = (p 12 xy + p 12 zw )p 34 + (p 13 xy + p 13 zw )p 24 + (p 14 xy + p 14 zw )p 23 + (p 23 xy + p 23 zw )p 14 + (p 24 xy + p 24 zw )p 13 + (p 34 xy + p 34 zw )p 12. (4)

Polynomial Identity A new polynomial Identity Our system Analysis Open questions After performing a similar grouping for (2), we get the the identity 0 = (p 12 xy + p 12 zw )p 34 + (p 13 xy + p 13 zw )p 24 + (p 14 xy + p 14 zw )p 23 + (p 23 xy + p 23 zw )p 14 + (p 24 xy + p 24 zw )p 13 + (p 34 xy + p 34 zw )p 12. (4) After a slight modification and a change of variables, (4) becomes 0 = A(X )A(Y ) + f 1 f 2 + f 3 f 4 + f 5 f 6 + f 7 f 8 + f 9 f 10.

Our system A new polynomial Identity Our system Analysis Open questions A triangular system with 7 polynomials A chain of 7 oil-vinegar systems, each based on f 1, f 2, f 3, f 4, f 5, f 6, f 7, f 8 with f 9 and f 1 0 attached. Lock polynomials based on A(X ) and B(Y ).

Chain of Oil-Vinegar Systems A new polynomial Identity Our system Analysis Open questions The central map has input length 56: (X 1,..., X 24, Y 1,..., Y 32 ), and output length 74. Y 1,..., Y 8 1 3 4 X 9,..., X 16 X 1,..., X 8 2 Y 9,..., Y 16 5 Y 17,..., Y 24 6 X 17,..., X 24 7 Y 25,..., Y 32

Security Analysis A new polynomial Identity Our system Analysis Open questions Gröbner basis attacks: F 4 (Faugére 1999), F 5 (Faugére 2002, Barget et al 2005), XL algorithm (Courtois et al 2000), G 2 V (Gao, Guan and Volny 2010).

Security Analysis A new polynomial Identity Our system Analysis Open questions Gröbner basis attacks: F 4 (Faugére 1999), F 5 (Faugére 2002, Barget et al 2005), XL algorithm (Courtois et al 2000), G 2 V (Gao, Guan and Volny 2010). The total number of operations in k is about (( ) n + ω ) dreg O, n where ω is the exponent in Gaussian reduction and d reg is the degree of regularity of the ideal formed by the polynomials in the system.

Security Analysis A new polynomial Identity Our system Analysis Open questions Attacks based on linear algebra: Minrank attack (Kipnis and Shamir 1999, Goubin and Courtois 2000). Each quadratic form is associated with a symmetric matrix and the rank of a matrix does not change under linear transforms. This attack explores the fact that some polynomials in the central map may have low rank. The complexity of this attack to our system is q 74 56 8d = q 16d.

Security Analysis A new polynomial Identity Our system Analysis Open questions Attacks based on linear algebra: Minrank attack (Kipnis and Shamir 1999, Goubin and Courtois 2000). Each quadratic form is associated with a symmetric matrix and the rank of a matrix does not change under linear transforms. This attack explores the fact that some polynomials in the central map may have low rank. The complexity of this attack to our system is q 74 56 8d = q 16d. Dual rank attack (Yang and Chen 2004). While minrank succeeds when an equation has too few variables, the dual rank attack is effective when a variable appears in too few equations. The complexity of the attack is (56d) 3 q 6d.

Security Analysis A new polynomial Identity Our system Analysis Open questions Attacks based on linear algebra: Separation of oil and vinegar variables attack (Kipnis and Shamir 1998, Kipnis, Patarin and Goubin 1999). The goal of this attack is to find the transformed oil space, so separate the oil and vinegar variables. The complexity is 20 4 q 15d.

Security Analysis A new polynomial Identity Our system Analysis Open questions Attacks based on linear algebra: Separation of oil and vinegar variables attack (Kipnis and Shamir 1998, Kipnis, Patarin and Goubin 1999). The goal of this attack is to find the transformed oil space, so separate the oil and vinegar variables. The complexity is 20 4 q 15d. Linearization equations attack. (Patarin 1996, Ding et al 2007). Computations using Magma verify that there are no first order linearization equations. Ding et al broke MFE using second order linearization equations which comes from the associativity of determinant. Our system avoids determinants, so their method does not apply. But there still might be some other second order linearization equations!

Security Analysis A new polynomial Identity Our system Analysis Open questions Claimed Input Output Complexity Key Size [kbytes] Security [bits] [bits] F 5 Rank/UOV Public Private 2 113 896 1184 2 114 2 113 245 18 2 212 1792 2368 2 213 2 212 1907 70 2 114 1792 2368 2 114 2 209 490 36

Efficiency A new polynomial Identity Our system Analysis Open questions System Input Output Decryption Encryption [bits] [bits] Central Map Total MFE-1 768 960 52ms 2ms 2.7ms Our System 896 1184 94ms 1.4ms 2.3ms

Open Questions A new polynomial Identity Our system Analysis Open questions Find nontrivial solutions to the following equation: AB = CD + EF where A, B, C, D, E, F F 2 [x 1,..., x n, y 1,..., y n ] have degree two. MFE is based on solution with n = 4. Need solutions for 5 n 16.

Open Questions A new polynomial Identity Our system Analysis Open questions Find nontrivial solutions to the following equation: AB = CD + EF where A, B, C, D, E, F F 2 [x 1,..., x n, y 1,..., y n ] have degree two. MFE is based on solution with n = 4. Need solutions for 5 n 16. Can we characterize all quadratic solutions to the equations A(X )A(Y ) = CD + EF and A(X )A(Y ) = f 1 f 2 + f 3 f 4 + f 5 f 6 + f 7 f 8 + f 9 f 10?

Open Questions A new polynomial Identity Our system Analysis Open questions Using the tools from algebraic geometry and combinatorics, what other polynomial identities may be constructed to implement cryptosystems in the proposed framework?

Open Questions A new polynomial Identity Our system Analysis Open questions Using the tools from algebraic geometry and combinatorics, what other polynomial identities may be constructed to implement cryptosystems in the proposed framework? How to efficiently solve given systems of quadratic equations? G, Yinhua Guan, Frank Volny IV and Mingsheng Wang, A new algorithm for computing Grobner bases, which is both simpler and faster than F5.

Open Questions A new polynomial Identity Our system Analysis Open questions Using the tools from algebraic geometry and combinatorics, what other polynomial identities may be constructed to implement cryptosystems in the proposed framework? How to efficiently solve given systems of quadratic equations? G, Yinhua Guan, Frank Volny IV and Mingsheng Wang, A new algorithm for computing Grobner bases, which is both simpler and faster than F5. Thank you!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback