Public-Key Identification Schemes based on Multivariate Quadratic Polynomials

Similar documents
Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials

Zero-Knowledge for Multivariate Polynomials

From 5-pass MQ-based identification to MQ-based signatures

Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

Hidden Field Equations

Cryptographical Security in the Quantum Random Oracle Model

On the Complexity of the Hybrid Approach on HFEv-

A Practical Multivariate Blind Signature Scheme

Lecture Notes 20: Zero-Knowledge Proofs

Cryptanalysis of the TTM Cryptosystem

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Multivariate Public Key Cryptography

Identity-Based Identification Schemes

New Directions in Multivariate Public Key Cryptography

Public Key Cryptography

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Simple Matrix Scheme for Encryption (ABC)

CPSC 467b: Cryptography and Computer Security

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

From 5-pass MQ-based identification to MQ-based signatures

1 Number Theory Basics

MI-T-HFE, a New Multivariate Signature Scheme

A New Identification Scheme Based on the Perceptrons Problem

RGB, a Mixed Multivariate Signature Scheme

Lecture 22: RSA Encryption. RSA Encryption

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Lecture 1: Introduction to Public key cryptography

Lecture 38: Secure Multi-party Computation MPC

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

Oil-Vinegar signature cryptosystems

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture 10: Zero-Knowledge Proofs

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Theory of Computation Chapter 12: Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

Notes on Zero Knowledge

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Simple Math: Cryptography

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

Cryptographic Protocols Notes 2

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Lossy Trapdoor Functions and Their Applications

Multiparty Computation

A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System

MQ -IP: An Identity-based Identification Scheme without Number-theoretic Assumptions 1

Improved Cryptanalysis of HFEv- via Projection

The Shortest Signatures Ever

Computers and Electrical Engineering

Algorithmic Number Theory and Public-key Cryptography

Quantum-resistant cryptography

MQDSS signatures: construction

An Introduction to Quantum Information and Applications

Ming-Shing Chen Andreas Hülsing Joost Rijneveld Simona Samardjiska Peter Schwabe. MQDSS specifications

Lecture Notes, Week 6

CPSC 467b: Cryptography and Computer Security

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Zero-knowledge authentication schemes from actions on graphs, groups, or rings

RSA RSA public key cryptosystem

Lecture 15 - Zero Knowledge Proofs

Question 1. The Chinese University of Hong Kong, Spring 2018

Introduction to Modern Cryptography. Benny Chor

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Security Implications of Quantum Technologies

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

LECTURE NOTES ON Quantum Cryptography

COS Cryptography - Final Take Home Exam

An Identification Scheme Based on KEA1 Assumption

Authentication schemes from actions on graphs, groups, or rings

Great Theoretical Ideas in Computer Science

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Cryptography and Security Final Exam

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL

Introduction to Modern Cryptography Lecture 11

Cryptanalysis of Simple Matrix Scheme for Encryption

Key Recovery on Hidden Monomial Multivariate Schemes

Commitment Schemes and Zero-Knowledge Protocols (2011)

A New NP-Complete Problem and Public-Key Identification

TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

From 5-pass MQ-based identification to MQ-based signatures

Introduction to Elliptic Curve Cryptography. Anupam Datta

Zero Knowledge with Rubik s Cubes and Non-Abelian Groups

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

ASYMMETRIC ENCRYPTION

Lattice Reduction Attack on the Knapsack

Side-channel analysis in code-based cryptography

Public-Key Cryptosystems CHAPTER 4

Introduction to Cybersecurity Cryptography (Part 5)

CPSC 467b: Cryptography and Computer Security

Multivariate Quadratic Public-Key Cryptography Part 1: Basics

Hidden Pair of Bijection Signature Scheme

Security Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05

Lattice-Based Zero-Knowledge Arguments for Integer Relations

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

CPSC 467b: Cryptography and Computer Security

PAPER An Identification Scheme with Tight Reduction

Transcription:

Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011

Motivation Finding a new alternative to current standard schemes(e.g., RSA) for public-key identification and digital signature Especially, we would like to provide an alternative based on a problem other than Factoring or DL Prior works are based on Permuted Kernel problem[shamir 89] Syndrome Decoding problem[stern 93] Lattice problem[micciancio and Vadhan 03]... We focus on an MQ problem

What is an MQ problem? Solving a Multivariate Quadratic equation system over a finite field F(x 1,,x n )= MQ function Given: coefficient a lij, b li, y l Find: a solution (x 1,,x n ) ij a 1ij x i x j + i b 1i x i = y 1 Advantage The MQ function can be efficiently implemented The MQ function can be used as a one-way function with very short output(e.g., 80 bits) The intractability of a random instance has been well examined Associated decision version of the MQ problem is NP-complete There is no known polynomial-time quantum algorithm to solve it ij a mij x i x j + i b mi x i = y m Multivariate Public Key Cryptography(MPKC) uses this form of functions. But, many existing schemes of MPKC have been already shown to be insecure. Why?

Existing design of Multivariate PKC Based on a trapdoor function from composition of easily invertible maps MI scheme[matsumoto and Imai 88], HFE scheme[patarin 96], UOV scheme[kipnis, Patarin, and Goubin 99] ij a 1ij x i x j + i b 1i x i = y 1 ij a mij x i x j + i b mi x i = y m The composite function P = T F S is a limited form of MQ function public secret Easily invertible map S Easily invertible map F Easily invertible map T i s 1i x i = z 1 ij α 1ij z i z j + i β 1i z i = w 1 i t 1i w i = y 1 i s mi x i = z m ij α mij z i z j + i β mi z i = w m i t mi w i = y m The key recovery problem is not an MQ problem, but another problem whose intractability is still controversial The problem is called Isomorphism of Polynomials(IP) problem In fact, some schemes of MPKC have been already shown to be insecure

Our design Based on a zero knowledge argument of knowledge for the MQ problem Especially, a non-trivial and efficient construction by using our original technique Note: It uses not a composite function, but a random instance of MQ function System parameter: coefficient a lij, b li Secret key: input (x 1,,x n ) Public key: output (y 1,,y n ) ij a 1ij x i x j + i b 1i x i = y 1 public key ij a mij x i x j + i b mi x i = y m commonly used by all users Advantage The key recovery problem is an MQ problem The security of our scheme can be reduced into the intractability of the MQ problem The size of a public key is very small(e.g., 80 bits)

Summary of introduction MQ problem is intractable and promising We introduce a different design than existing MPKC public secret Composite function P = T F S System parameter: coefficient a lij, b li Secret key: input (x 1,,x n ) Public key: output (y 1,,y n ) easily invertible map S i s 1i x i = z 1 easily invertible map F ij α 1ij z i z j + i β 1i z i = w 1 easily invertible map T i t 1i w i = y 1 ij a 1ij x i x j + i b 1i x i = y 1 ij a mij x i x j + i b mi x i = y m i s mi x i = z m ij α mij z i z j + i β mi z i = w m i t mi w i = y m (a random instance of MQ function) Existing design of MPKC Based on a trapdoor function from composition of easily invertible maps Our design Based on a zero knowledge argument of knowledge for the MQ problem

Outline Introduction Motivation What is an MQ problem Existing design of MPKC Our design New technique and construction Zero knowledge argument of knowledge Cut and Choose New technique using the polar form of MQ function Basic protocol Public-key identification scheme Efficiency Summary

Outline Introduction Motivation What is an MQ problem Existing design of MPKC Our design New technique and construction Zero knowledge argument of knowledge Cut and Choose New technique using the polar form of MQ function Basic protocol Public-key identification scheme Efficiency Summary

Zero knowledge argument of knowledge Alice(Prover) asserts that she has a solution of the MQ problem Bob(Verifier) checks whether the assertion is true or not through interaction with Alice secret key I have a solution x for the instance public key A common instance y of MQ problem Really? Alice (prover) interaction Bob (verifier) Security can be derived from two properties, zero knowledge and argument of knowledge

Cut-and-Choose approach 1. Alice(prover) divides her secret into shares 2. Bob(verifier) chooses which share he checks 3. She proves the correctness of the chosen share without revealing her secret itself secret key I have a solution x for the instance public key A common instance y of MQ problem Really? 1. divide x x share 0 share 1 interaction 2. choose i {0, 1} 3a. reveal the share i Alice (prover) Bob 3b. check the correctness (verifier) of the share i

Cut-and-Choose approach 1. Alice(prover) divides her secret into shares 2. Bob(verifier) chooses which share he checks 3. She proves the correctness of the chosen share without revealing her secret itself secret key I have a solution x for the instance public key A common instance y of MQ problem Really? 1. divide x x share 0 share 1 interaction For this approach, we should solve 2. choose i {0, 1} - How to divide a secret key into shares - How to check the correctness of each share 3a. reveal the share i A property of homomorphism Alice is useful(e.g., modular exponentiation) If a secret key x is (prover) divided into r 0 + r 1, then a public key g x is correspondingly divided into g r 0 * g r 1 Bob 3b. check the correctness (verifier) of the share i

New Cut-and-Choose technique For an MQ function F, consider a situation where Secret key: x Public key: y = F(x) A useful property The associated polar form G(x,y) of F(x) G(x,y) = F(x+y)- F(x)- F(y) is a bilinear function By using the useful property, divide a secret key into three shares: First, divide x = r 0 + r 1 Consequently, y is divided y = F(r 0 +r 1 )= G(r 0,r 1 )+ F(r 0 )+ F(r 1 ) Second, further divide r 0 = t 0 + t 1 and F(r 0 )= e 0 + e 1 Consequently, y = G(t 0,r 1 )+ e 0 + F(r 1 )+ G(t 1,r 1 )+ e 1 share0 and share2 share1 and share2 x r 0 t 0, e 0 t 1, e 1 r 1 r 1 share0 share1 share2 Note No information on the secret key x can be extracted from only two out of the three shares

Our basic protocol Secret key x Randomly pick r 0, t 0, e 0 r 1 x-r 0, t 1 r 0 -t 0, e 1 F(r 0 )-e 0 c 0 Com(r 1, G(t 0,r 1 )+e 0 ) c 1 Com(t 0, e 0 ) c 2 Com(t 1, e 1 ) (c 0,c 1,c 2 ) Commit these values If Ch=0 then σ=(r 0, t 1, e 1 ) If Ch=1 then σ=(r 1, t 1, e 1 ) If Ch=2 then σ=(r 1, t 0, e 0 ) Alice (prover) Ch σ Bob (verifier) share1 and share2 share0 and share2 Secret key: x Public key: y = F(x) Divide x into three shares x r 0 t 0, e 0 t 1, e 1 r 1 r 1 Randomly pick Ch {0,1,2} share0 and share1 share0 share1 share2 If Ch=0 then check c 1 = Com(r 0 -t 1, F(r 0 )-e 1 ), c 2 = Com(t 1, e 1 ) If Ch=1 then check c 0 = Com(r 1, y-f(r 1 )-G(t 1,r 1 )-e 1 ) c 2 = Com(t 1, e 1 ) If Ch=2 then check c 0 = Com(r 1, G(t 0,r 1 )+e 0 ), c 1 = Com(t 0, e 0 )

Our basic protocol Randomly pick r 0, t 0, e 0 r 1 x-r 0, t 1 r 0 -t 0, e 1 F(r 0 )-e 0 c 0 Com(r 1, G(t 0,r 1 )+e 0 ) c 1 Com(t 0, e 0 ) c 2 Com(t 1, e 1 ) (c 0,c 1,c 2 ) If Ch=0 then σ=(r 0, t 1, e 1 ) If Ch=1 then σ=(r 1, t 1, e 1 ) If Ch=2 then σ=(r 1, t 0, e 0 ) Theorem Secret key x Commit these values Alice (prover) Ch σ Bob (verifier) share1 and share2 Secret key: x Public key: y = F(x) Divide x into three shares x r 0 t 0, e 0 t 1, e 1 r 1 r 1 Randomly pick Ch {0,1,2} share0 and share1 share0 share1 share2 If Ch=0 then check c 1 = Com(r 0 -t 1, F(r 0 )-e 1 ), c 2 = Com(t 1, e 1 ) If Ch=1 then check c 0 = Com(r 1, y-f(r 1 )-G(t 1,r 1 )-e 1 ) c 2 = Com(t 1, e 1 ) If Ch=2 then check c 0 = Com(r 1, G(t 0,r 1 )+e 0 ), c 1 = Com(t 0, e 0 ) - This protocol is statistically zero knowledge when Com is statistically hiding. - This protocol is argument share0 and of knowledge share2 for the MQ problem with knowledge error 2/3 when Com is computationally binding.

Public-key identification schemes Sequential Composition Parallel Composition prover Cmt 1 Ch 1 verifier prover verifier Rsp 1 Cmt N Cmt 1,,Cmt N Ch 1,,Ch N Rsp 1,,Rsp N Ch N Rsp N Achieve the security against active attack interaction Achieve the security against passive attack interaction Attacker can interact with an honest prover eavesdropper

Public-key identification schemes Sequential Composition Parallel Composition prover Cmt 1 Ch 1 verifier prover verifier Rsp 1 Cmt N Cmt 1,,Cmt N Ch 1,,Ch N Rsp 1,,Rsp N Ch N Rsp N Achieve the security against active attack interaction Achieve the security against passive attack interaction If underlying MQ function is substantially compressing (e.g., a map from 160 bits to 80 bits), the parallel version Attacker can interact with prover eavesdropper also achieves the security against active attack

Efficiency Comparison with public-key identification schemes based on another problem whose associated decisional version is NP-complete The schemes from 3-pass zero knowledge argument of knowledge Problem Public key size for 80-bit security Communication data size Arithmetic operations SD [Stern 93] CLE [Stern 94] PP [Pointcheval 95] MQ [Ours] 350 bit 288 bit 245 bit 80 bit 7.5 KByte 5.7 KByte 12.6 KByte 3.7 KByte 2 24 / F 2 2 16 / F 257 2 22 / F 127 2 26 / F 2 Random S permutation 700 S 24 S 161,S 177 Not required In the case that the protocol is repeated until the impersonation probability is less than 2-30 ( < 1/one billion) [Stern 93] A New Identification Scheme Based on Syndrome Decoding, J. Stern. [Stern 94] Designing Identification Schemes with Keys of Short Size, J. Stern. [Pointcheval 95] New Identification Scheme Based on the Perceptrons Problem, D. Pointcheval.

Summary We proposed public-key identification schemes based on an MQ problem New design: different from existing MPKC Based on a zero knowledge argument of knowledge for the MQ problem Advantage: the security and the public key size The security can be reduced into the intractability of a random instance of MQ problem The size of a public key is very small (e.g., 80 bits) Another application Digital signature scheme

Thank you for your attention!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback