View
3
Download
0
Category
Preview:
Citation preview
Symbolic Computations and Post-Quantum CryptographyOnline Seminar
Multivariate Public Key Cryptography
Jintai Ding
University of Cincinnati & Southern Chinese University of technology
Feb. 2, 2011
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
Happy Chinese New Year!
Thank the organizers, in particular, (AlexMyasnikov)2.
Thank the generous support of the Charles PhelpsTaft Memorial Fund and the Taft Family.
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
PKC and Quantum computer
25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357
What is this number?
PKC and Quantum computer
The number for Microsoft updates
Digital signature based on RSA
PKC and Quantum computer
The number for Microsoft updates
Digital signature based on RSA
PKC and Quantum computer
Mathematics behind: integer factorization
n = pq.
15 = 3× 5.
The concept behind:
Public key Cryptography
PKC and Quantum computer
Mathematics behind: integer factorization
n = pq.
15 = 3× 5.
The concept behind:
Public key Cryptography
PKC and Quantum computer
RSA – 2003 Turing prize
Diffie-Hellman – inventors of the idea ofPKC
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
PKC and Quantum computer
Quantum computer: using basic particles and quantummechanics principles to perform computations
R. Feynman
In 1995, Peter Shor at IBM showed theoretically that it cansolve a family of mathematical problems including factoring.
PKC and Quantum computer
Quantum computer: using basic particles and quantummechanics principles to perform computations
R. FeynmanIn 1995, Peter Shor at IBM showed theoretically that it cansolve a family of mathematical problems including factoring.
PKC and Quantum computer
Can quantum computer really work?
Isaac Chuang15 million dollars to show that
15 = 3× 5.
The problem of scalingPeople have different opinions.
PKC and Quantum computer
Can quantum computer really work?
Isaac Chuang15 million dollars to show that
15 = 3× 5.
The problem of scalingPeople have different opinions.
PKC and Quantum computer
Can quantum computer really work?
Isaac Chuang15 million dollars to show that
15 = 3× 5.
The problem of scalingPeople have different opinions.
PKC and Quantum computer
PQC – to prepare for the future of quantum computer world
Ubiquitous computing world .
PKC and Quantum computer
PQC – to prepare for the future of quantum computer world
Ubiquitous computing world .
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
What is a MPKC?
Multivariate Public Key Cryptosystems- Cryptosystems, whose public keys are a set of multivariatefunctions
The public key is given as:
G (x1, ..., xn) = (G1(x1, ..., xn), ...,Gm(x1, ..., xn)).
Here the Gi are multivariate (x1, ..., xn) polynomials over afinite field.
What is a MPKC?
Multivariate Public Key Cryptosystems- Cryptosystems, whose public keys are a set of multivariatefunctions
The public key is given as:
G (x1, ..., xn) = (G1(x1, ..., xn), ...,Gm(x1, ..., xn)).
Here the Gi are multivariate (x1, ..., xn) polynomials over afinite field.
Encryption
Any plaintext M = (x ′1, ..., x′n) has the ciphertext:
G (M) = G (x ′1, ..., x′n) = (y ′1, ..., y
′m).
To decrypt the ciphertext (y ′1, ..., y′n), one needs to know a
secret (the secret key), so that one can invert the map tofind the plaintext (x ′1, ..., x
′n).
Encryption
Any plaintext M = (x ′1, ..., x′n) has the ciphertext:
G (M) = G (x ′1, ..., x′n) = (y ′1, ..., y
′m).
To decrypt the ciphertext (y ′1, ..., y′n), one needs to know a
secret (the secret key), so that one can invert the map tofind the plaintext (x ′1, ..., x
′n).
Toy example
We use the finite field k = GF [2]/(x2 + x + 1) with 22
elements.
We denote the elements of the field by the set {0 , 1 , 2 , 3} tosimplify the notation.Here 0 represent the 0 in k, 1 for 1, 2 for x , and 3 for 1 + x .In this case, 1 + 3 = 2 and 2 ∗ 3 = 1 .
Toy example
We use the finite field k = GF [2]/(x2 + x + 1) with 22
elements.
We denote the elements of the field by the set {0 , 1 , 2 , 3} tosimplify the notation.Here 0 represent the 0 in k, 1 for 1, 2 for x , and 3 for 1 + x .In this case, 1 + 3 = 2 and 2 ∗ 3 = 1 .
A toy example
G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2
2
G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2
1
G2(x1, x2, x3) = 3x2 + x20 + 3x2
1 + x1x2 + 3x22
For example, if the plaintext is: x0 = 1 , x1 = 2 , x2 = 3 , thenwe can plug into G1,G2 and G3 to get the ciphertext y0 = 0 ,y1 = 0 , y2 = 1 .
This is a bijective map and we can invert it easily. Thisexample is based on the Matsumoto-Imai cryptosystem.
A toy example
G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2
2
G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2
1
G2(x1, x2, x3) = 3x2 + x20 + 3x2
1 + x1x2 + 3x22
For example, if the plaintext is: x0 = 1 , x1 = 2 , x2 = 3 , thenwe can plug into G1,G2 and G3 to get the ciphertext y0 = 0 ,y1 = 0 , y2 = 1 .
This is a bijective map and we can invert it easily. Thisexample is based on the Matsumoto-Imai cryptosystem.
A toy example
G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2
2
G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2
1
G2(x1, x2, x3) = 3x2 + x20 + 3x2
1 + x1x2 + 3x22
For example, if the plaintext is: x0 = 1 , x1 = 2 , x2 = 3 , thenwe can plug into G1,G2 and G3 to get the ciphertext y0 = 0 ,y1 = 0 , y2 = 1 .
This is a bijective map and we can invert it easily. Thisexample is based on the Matsumoto-Imai cryptosystem.
Theoretical Foundation
Direct attack is to solve the set of equations:
G (M) = G (x1, ..., xn) = (y ′1, ..., y′m).
- Solving a set of n randomly chosen equations (nonlinear)with n variables is NP-complete, though this does notnecessarily ensure the security of the systems.
Theoretical Foundation
Direct attack is to solve the set of equations:
G (M) = G (x1, ..., xn) = (y ′1, ..., y′m).
- Solving a set of n randomly chosen equations (nonlinear)with n variables is NP-complete, though this does notnecessarily ensure the security of the systems.
Quadratic Constructions
1) Efficiency considerations lead to mainly quadraticconstructions.
Gl(x1, ..xn) =∑i ,j
αlijxixj +∑
i
βlixi + γl .
2) Mathematical structure consideration: Any set of highdegree polynomial equations can be reduced to a set ofquadratic equations.
x1x2x3 = 5,
is equivalent to
x1x2 − y = 0
yx3 = 5.
Quadratic Constructions
1) Efficiency considerations lead to mainly quadraticconstructions.
Gl(x1, ..xn) =∑i ,j
αlijxixj +∑
i
βlixi + γl .
2) Mathematical structure consideration: Any set of highdegree polynomial equations can be reduced to a set ofquadratic equations.
x1x2x3 = 5,
is equivalent to
x1x2 − y = 0
yx3 = 5.
The view from the history of Mathematics(Diffie in Paris)
RSA – Number Theory – the 18th century mathematics
ECC – Theory of Elliptic Curves – the 19th centurymathematics
Multivariate Public key cryptosystem – Algebraic Geometry –the 20th century mathematicsAlgebraic Geometry – Theory of Polynomial Rings
The view from the history of Mathematics(Diffie in Paris)
RSA – Number Theory – the 18th century mathematics
ECC – Theory of Elliptic Curves – the 19th centurymathematics
Multivariate Public key cryptosystem – Algebraic Geometry –the 20th century mathematicsAlgebraic Geometry – Theory of Polynomial Rings
The view from the history of Mathematics(Diffie in Paris)
RSA – Number Theory – the 18th century mathematics
ECC – Theory of Elliptic Curves – the 19th centurymathematics
Multivariate Public key cryptosystem – Algebraic Geometry –the 20th century mathematicsAlgebraic Geometry – Theory of Polynomial Rings
Early works
Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong,Schnorr, Shamir etc
Fast development in the late 1990s.
Early works
Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong,Schnorr, Shamir etc
Fast development in the late 1990s.
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:
(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
A toy example over GF(3)
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21
A signature: (x1, x2, x3) = (2, 0, 1)
G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0
G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1
G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1
A toy example over GF(3)
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21
A signature: (x1, x2, x3) = (2, 0, 1)
G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0
G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1
G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1
A toy example over GF(3)
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21
A signature: (x1, x2, x3) = (2, 0, 1)
G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0
G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1
G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1
Security: polynomial solving.
Signature for (y1, y2, y3) = (0, 0, 0)?
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0
Direct attack: difficulty of solving a set of nonlinearpolynomial equations over a finite field.
Security: polynomial solving.
Signature for (y1, y2, y3) = (0, 0, 0)?
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0
Direct attack: difficulty of solving a set of nonlinearpolynomial equations over a finite field.
Security: polynomial solving.
Signature for (y1, y2, y3) = (0, 0, 0)?
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0
Direct attack: difficulty of solving a set of nonlinearpolynomial equations over a finite field.
How to construct G?
A scheme by Kipnis, Patarin and Goubin 1999. (Eurocrypt1999)
G = F ◦ L.F : nonlinear, easy to compute F−1.L: invertible linear, to hide the structure of F .
How to construct G?
A scheme by Kipnis, Patarin and Goubin 1999. (Eurocrypt1999)
G = F ◦ L.F : nonlinear, easy to compute F−1.L: invertible linear, to hide the structure of F .
Unbalanced Oil-vinegar (uov) schemes
F = (f1(x1, .., xo , x ′1, ..., x′v ), · · · , fo(x1, .., xo , x ′1, ..., x
′v )).
fl(x1, ., xo , x ′1, ., x′v ) =
∑alijxix
′j+
∑blijx
′i x
′j+
∑clixi+
∑dlix
′i +el .
Oil variables: x1, ..., xo .
Vinegar variables: x ′1, ..., x′v .
Unbalanced Oil-vinegar (uov) schemes
F = (f1(x1, .., xo , x ′1, ..., x′v ), · · · , fo(x1, .., xo , x ′1, ..., x
′v )).
fl(x1, ., xo , x ′1, ., x′v ) =
∑alijxix
′j+
∑blijx
′i x
′j+
∑clixi+
∑dlix
′i +el .
Oil variables: x1, ..., xo .
Vinegar variables: x ′1, ..., x′v .
How to invert F?
fl(x1, ., xo , x ′1, ., x′v︸ ︷︷ ︸
fix the values
) =
∑alijxix
′j +
∑blijx
′i x
′j +
∑clixi +
∑dlix
′i + el .
How to invert F?
fl(x1, ., xo , x ′1, ., x′v ) =∑
alijxix′j +
∑blijx
′i x
′j +
∑clixi +
∑dlix
′i + el .
F : linear in Oil variables: x1, .., xo .
=⇒ F : easy to invert.
How to invert F?
fl(x1, ., xo , x ′1, ., x′v ) =∑
alijxix′j +
∑blijx
′i x
′j +
∑clixi +
∑dlix
′i + el .
F : linear in Oil variables: x1, .., xo .
=⇒ F : easy to invert.
Security analysis
v = o and v >> o not secure
v = 2o, 3o
Direct attacks does not work.
Security analysis
v = o and v >> o not secure
v = 2o, 3o
Direct attacks does not work.
Security analysis
v = o and v >> o not secure
v = 2o, 3o
Direct attacks does not work.
Security analysis
The mathematical problem to find equivalent secret keys —find the common null subspace spaces of a set of quadraticforms.
0 .. 0 ∗ .. ∗. . 0 ∗ .. ∗. . 0 ∗ .. ∗. . . ∗ .. ∗0 .. 0 ∗ .. ∗∗ .. ∗ ∗ .. ∗∗ .. ∗ ∗ .. ∗
The problem above can also be transformed into solving a setof quadratic equations.
Security analysis
The mathematical problem to find equivalent secret keys —find the common null subspace spaces of a set of quadraticforms.
0 .. 0 ∗ .. ∗. . 0 ∗ .. ∗. . 0 ∗ .. ∗. . . ∗ .. ∗0 .. 0 ∗ .. ∗∗ .. ∗ ∗ .. ∗∗ .. ∗ ∗ .. ∗
The problem above can also be transformed into solving a setof quadratic equations.
Rainbow – Ding, Schmidt, Yang etc – ACNS 05,06,07,08
Make F ”small” without reducing security.
G = L1︸︷︷︸Hide the separation
◦ F ◦ L2︸︷︷︸Hide L1◦F
.
F = (F1,F2).
Rainbow(18,12,12) over GF(28).
F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.
Rainbow – Ding, Schmidt, Yang etc – ACNS 05,06,07,08
Make F ”small” without reducing security.
G = L1︸︷︷︸Hide the separation
◦ F ◦ L2︸︷︷︸Hide L1◦F
.
F = (F1,F2).
Rainbow(18,12,12) over GF(28).
F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.
Rainbow – Ding, Schmidt, Yang etc – ACNS 05,06,07,08
Make F ”small” without reducing security.
G = L1︸︷︷︸Hide the separation
◦ F ◦ L2︸︷︷︸Hide L1◦F
.
F = (F1,F2).
Rainbow(18,12,12) over GF(28).
F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.
Rainbow
Rainbow(18,12,12)
Signature 400 bits Hash 336 bits
Rainbow
Rainbow(18,12,12)
Signature 400 bits Hash 336 bits
Implementations
IC for Rainbow: 804 cyclesA joint work of Cincinnati and Bochum.(ASAP 2008)
FPGA implementation by the research group of Professor Paarat Bochum (CHES 2009)Beat ECC in area and speed.
Implementations
IC for Rainbow: 804 cyclesA joint work of Cincinnati and Bochum.(ASAP 2008)
FPGA implementation by the research group of Professor Paarat Bochum (CHES 2009)Beat ECC in area and speed.
Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations — Yang and Cheng In Taiwan.
A good candidate for light-weight crypto for smalldevices like RFID.
Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations — Yang and Cheng In Taiwan.
A good candidate for light-weight crypto for smalldevices like RFID.
Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations — Yang and Cheng In Taiwan.
A good candidate for light-weight crypto for smalldevices like RFID.
Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations — Yang and Cheng In Taiwan.
A good candidate for light-weight crypto for smalldevices like RFID.
Security
UOV: not broken since 1999.
Rainbow – MinRank problem
Security
UOV: not broken since 1999.
Rainbow – MinRank problem
Pros and Cons
Computationally very efficient
Large public key size
Pros and Cons
Computationally very efficient
Large public key size
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
Notation
k is a small finite field with |k| = q
K̄ = k[x ]/(g(x)), a degree n extension of k.
The standard k-linear invertible map φ : K̄ −→ kn, andφ−1 : kn −→ K̄ .
Notation
k is a small finite field with |k| = q
K̄ = k[x ]/(g(x)), a degree n extension of k.
The standard k-linear invertible map φ : K̄ −→ kn, andφ−1 : kn −→ K̄ .
Notation
k is a small finite field with |k| = q
K̄ = k[x ]/(g(x)), a degree n extension of k.
The standard k-linear invertible map φ : K̄ −→ kn, andφ−1 : kn −→ K̄ .
The idea of ”BIG” field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K̄ :
F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.
where the Li are randomly chosen invertible affine maps overkn
The Li are used to “hide” F̄ .
IP problem.
The idea of ”BIG” field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K̄ :
F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.
where the Li are randomly chosen invertible affine maps overkn
The Li are used to “hide” F̄ .
IP problem.
The idea of ”BIG” field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K̄ :
F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.
where the Li are randomly chosen invertible affine maps overkn
The Li are used to “hide” F̄ .
IP problem.
The idea of ”BIG” field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K̄ :
F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.
where the Li are randomly chosen invertible affine maps overkn
The Li are used to “hide” F̄ .
IP problem.
Encryption
The MI construction:
F : X 7−→ X qθ+1.
Let F̃ (x1, . . . , xn) = φ ◦ F ◦ φ−1(x1, . . . , xn) = (F̃1, . . . , F̃n).
The F̃i = F̃i (x1, . . . , xn) are quadratic polynomials in nvariables. Why quadratic?
X qθ+1 = X qθ × X .
Encryption
The MI construction:
F : X 7−→ X qθ+1.
Let F̃ (x1, . . . , xn) = φ ◦ F ◦ φ−1(x1, . . . , xn) = (F̃1, . . . , F̃n).
The F̃i = F̃i (x1, . . . , xn) are quadratic polynomials in nvariables. Why quadratic?
X qθ+1 = X qθ × X .
Encryption
The MI construction:
F : X 7−→ X qθ+1.
Let F̃ (x1, . . . , xn) = φ ◦ F ◦ φ−1(x1, . . . , xn) = (F̃1, . . . , F̃n).
The F̃i = F̃i (x1, . . . , xn) are quadratic polynomials in nvariables. Why quadratic?
X qθ+1 = X qθ × X .
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
HFE by Patarin etc
The only difference from MI is that F is replaced by a newmap given by:
F (X ) =D∑
i ,j=0
aijXqi+qj
+D∑
i=0
biXqi
+ c .
Due to the work of Kipnis and Shamir, Faugere, Joux, Dcannot be too small. Therefore, the system is much slower.
D can not too large due to the inversion of using Berlakempalgorithms of solving one variable equations.
HFE by Patarin etc
The only difference from MI is that F is replaced by a newmap given by:
F (X ) =D∑
i ,j=0
aijXqi+qj
+D∑
i=0
biXqi
+ c .
Due to the work of Kipnis and Shamir, Faugere, Joux, Dcannot be too small. Therefore, the system is much slower.
D can not too large due to the inversion of using Berlakempalgorithms of solving one variable equations.
HFE by Patarin etc
The only difference from MI is that F is replaced by a newmap given by:
F (X ) =D∑
i ,j=0
aijXqi+qj
+D∑
i=0
biXqi
+ c .
Due to the work of Kipnis and Shamir, Faugere, Joux, Dcannot be too small. Therefore, the system is much slower.
D can not too large due to the inversion of using Berlakempalgorithms of solving one variable equations.
Internal Perturbation
(Internal) Perturbation was introduced at PKC 2004 as ageneral method to improve the security of multivariate publickey cryptosystems.
Construction – small-scale “noise” is added to the system in acontrolled way so as to not fundamentally alter the mainstructure, but yet substantially increase the “entropy.”
Internal Perturbation
(Internal) Perturbation was introduced at PKC 2004 as ageneral method to improve the security of multivariate publickey cryptosystems.
Construction – small-scale “noise” is added to the system in acontrolled way so as to not fundamentally alter the mainstructure, but yet substantially increase the “entropy.”
Internal Perturbation
Let r be a small integer and
z1(x1, . . . , xn) =n∑
j=1
αj1xj + β1
...
zr (x1, . . . , xn) =n∑
j=1
αjrxj + βr
be a set of randomly chosen affine linear functions in the xi
over kn such that the zj − βj are linearly independent.
We can use these linear functions to create quadratic”perturbation” in HFE (including MI) systems.
Internal Perturbation
Let r be a small integer and
z1(x1, . . . , xn) =n∑
j=1
αj1xj + β1
...
zr (x1, . . . , xn) =n∑
j=1
αjrxj + βr
be a set of randomly chosen affine linear functions in the xi
over kn such that the zj − βj are linearly independent.
We can use these linear functions to create quadratic”perturbation” in HFE (including MI) systems.
IP of MI
x1, . . . , xn
?
?
L1
F̃1, . . . , F̃n
-
?
z1, . . . , zr
f1, . . . , fn
�+
?L2
y1, . . . , yn
Figure: Structure of Perturbation of the Matsumoto-Imai System.
Decryption
We need to a search of size of qr , therefore slower.
We need to use Plus Method, Adding random polynomial,to help it to resist differential attacks.
Despite the cost of the search, it is still efficient.
Decryption
We need to a search of size of qr , therefore slower.
We need to use Plus Method, Adding random polynomial,to help it to resist differential attacks.
Despite the cost of the search, it is still efficient.
Decryption
We need to a search of size of qr , therefore slower.
We need to use Plus Method, Adding random polynomial,to help it to resist differential attacks.
Despite the cost of the search, it is still efficient.
Efficient schemes
PMI+
IPHFE+ (odd characteristics)
IPMHFE+ (odd characteristics)
Efficient schemes
PMI+
IPHFE+ (odd characteristics)
IPMHFE+ (odd characteristics)
Efficient schemes
PMI+
IPHFE+ (odd characteristics)
IPMHFE+ (odd characteristics)
Other works
Quartz – HFEV- – very short signature
MHFEv- short but much more efficinet schemes
MFE, TTM
Other works
Quartz – HFEV- – very short signature
MHFEv- short but much more efficinet schemes
MFE, TTM
Other works
Quartz – HFEV- – very short signature
MHFEv- short but much more efficinet schemes
MFE, TTM
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
Provable security
A very difficult question
Some new results are coming out.
Provable security
A very difficult question
Some new results are coming out.
New constructions
New algebraic structure to exploreHeindl, Gao – Diophantine Equations
Other structures
New constructions
New algebraic structure to exploreHeindl, Gao – Diophantine Equations
Other structures
The end
Thank you very much!
Questions?
Recommended