Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University

Symbolic Computations and Post-Quantum CryptographyOnline Seminar

Multivariate Public Key Cryptography

Jintai Ding

University of Cincinnati & Southern Chinese University of technology

Feb. 2, 2011

Outline

1 Introduction

2 Signature schemes

3 Encryption schemes

4 Challenges

Happy Chinese New Year!

Thank the organizers, in particular, (AlexMyasnikov)2.

Thank the generous support of the Charles PhelpsTaft Memorial Fund and the Taft Family.

Outline

1 Introduction

2 Signature schemes


4 Challenges

PKC and Quantum computer

25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357

What is this number?


The number for Microsoft updates

Digital signature based on RSA


The number for Microsoft updates

Digital signature based on RSA


Mathematics behind: integer factorization

n = pq.

15 = 3× 5.

The concept behind:

Public key Cryptography


Mathematics behind: integer factorization

n = pq.

15 = 3× 5.

The concept behind:

Public key Cryptography


RSA – 2003 Turing prize

Diffie-Hellman – inventors of the idea ofPKC

PKC

What is PKC?

Traditionally the information is symmetric.

PKC is asymmetric

There are two sets of keys, one public and one private

Encryption: Public is for encryption and private for decryption

Digital Signature: Public is for verification and private forsigning

RSA: n is public and p,q is private.

One knows how to factor n, one can defeat RSA

PKC

What is PKC?


PKC is asymmetric






PKC

What is PKC?


PKC is asymmetric






PKC

What is PKC?


PKC is asymmetric






PKC

What is PKC?


PKC is asymmetric






PKC

What is PKC?


PKC is asymmetric






PKC

What is PKC?


PKC is asymmetric






PKC

What is PKC?


PKC is asymmetric







Quantum computer: using basic particles and quantummechanics principles to perform computations

R. Feynman

In 1995, Peter Shor at IBM showed theoretically that it cansolve a family of mathematical problems including factoring.


Quantum computer: using basic particles and quantummechanics principles to perform computations

R. FeynmanIn 1995, Peter Shor at IBM showed theoretically that it cansolve a family of mathematical problems including factoring.


Can quantum computer really work?

Isaac Chuang15 million dollars to show that

15 = 3× 5.

The problem of scalingPeople have different opinions.




15 = 3× 5.





15 = 3× 5.



PQC – to prepare for the future of quantum computer world

Ubiquitous computing world .


PQC – to prepare for the future of quantum computer world

Ubiquitous computing world .

PQC

Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.

1)Code-based public key cryptographyError correcting codes

2) Hash-based public key cryptographyHash-tree construction

3) Lattice-based public key cryptographyShortest and nearest vector problems

4) Multivariate Public Key Cryptography

PQC






PQC






PQC






PQC






What is a MPKC?

Multivariate Public Key Cryptosystems- Cryptosystems, whose public keys are a set of multivariatefunctions

The public key is given as:

G (x1, ..., xn) = (G1(x1, ..., xn), ...,Gm(x1, ..., xn)).

Here the Gi are multivariate (x1, ..., xn) polynomials over afinite field.

What is a MPKC?

Multivariate Public Key Cryptosystems- Cryptosystems, whose public keys are a set of multivariatefunctions

The public key is given as:

G (x1, ..., xn) = (G1(x1, ..., xn), ...,Gm(x1, ..., xn)).

Here the Gi are multivariate (x1, ..., xn) polynomials over afinite field.

Encryption

Any plaintext M = (x ′1, ..., x′n) has the ciphertext:

G (M) = G (x ′1, ..., x′n) = (y ′1, ..., y

′m).

To decrypt the ciphertext (y ′1, ..., y′n), one needs to know a

secret (the secret key), so that one can invert the map tofind the plaintext (x ′1, ..., x

′n).

Encryption

Any plaintext M = (x ′1, ..., x′n) has the ciphertext:

G (M) = G (x ′1, ..., x′n) = (y ′1, ..., y

′m).

To decrypt the ciphertext (y ′1, ..., y′n), one needs to know a

secret (the secret key), so that one can invert the map tofind the plaintext (x ′1, ..., x

′n).

Toy example

We use the finite field k = GF [2]/(x2 + x + 1) with 22

elements.

We denote the elements of the field by the set {0 , 1 , 2 , 3} tosimplify the notation.Here 0 represent the 0 in k, 1 for 1, 2 for x , and 3 for 1 + x .In this case, 1 + 3 = 2 and 2 ∗ 3 = 1 .

Toy example

We use the finite field k = GF [2]/(x2 + x + 1) with 22

elements.

We denote the elements of the field by the set {0 , 1 , 2 , 3} tosimplify the notation.Here 0 represent the 0 in k, 1 for 1, 2 for x , and 3 for 1 + x .In this case, 1 + 3 = 2 and 2 ∗ 3 = 1 .

A toy example

G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2

2

G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2

1

G2(x1, x2, x3) = 3x2 + x20 + 3x2

1 + x1x2 + 3x22

For example, if the plaintext is: x0 = 1 , x1 = 2 , x2 = 3 , thenwe can plug into G1,G2 and G3 to get the ciphertext y0 = 0 ,y1 = 0 , y2 = 1 .

This is a bijective map and we can invert it easily. Thisexample is based on the Matsumoto-Imai cryptosystem.

A toy example

G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2

2

G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2

1

G2(x1, x2, x3) = 3x2 + x20 + 3x2

1 + x1x2 + 3x22



A toy example

G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2

2

G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2

1

G2(x1, x2, x3) = 3x2 + x20 + 3x2

1 + x1x2 + 3x22



Theoretical Foundation

Direct attack is to solve the set of equations:

G (M) = G (x1, ..., xn) = (y ′1, ..., y′m).

- Solving a set of n randomly chosen equations (nonlinear)with n variables is NP-complete, though this does notnecessarily ensure the security of the systems.

Theoretical Foundation

Direct attack is to solve the set of equations:

G (M) = G (x1, ..., xn) = (y ′1, ..., y′m).

- Solving a set of n randomly chosen equations (nonlinear)with n variables is NP-complete, though this does notnecessarily ensure the security of the systems.

Quadratic Constructions

1) Efficiency considerations lead to mainly quadraticconstructions.

Gl(x1, ..xn) =∑i ,j

αlijxixj +∑

i

βlixi + γl .

2) Mathematical structure consideration: Any set of highdegree polynomial equations can be reduced to a set ofquadratic equations.

x1x2x3 = 5,

is equivalent to

x1x2 − y = 0

yx3 = 5.

Quadratic Constructions

1) Efficiency considerations lead to mainly quadraticconstructions.

Gl(x1, ..xn) =∑i ,j

αlijxixj +∑

i

βlixi + γl .

2) Mathematical structure consideration: Any set of highdegree polynomial equations can be reduced to a set ofquadratic equations.

x1x2x3 = 5,

is equivalent to

x1x2 − y = 0

yx3 = 5.

The view from the history of Mathematics(Diffie in Paris)

RSA – Number Theory – the 18th century mathematics

ECC – Theory of Elliptic Curves – the 19th centurymathematics

Multivariate Public key cryptosystem – Algebraic Geometry –the 20th century mathematicsAlgebraic Geometry – Theory of Polynomial Rings









Early works

Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong,Schnorr, Shamir etc

Fast development in the late 1990s.

Early works

Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong,Schnorr, Shamir etc

Fast development in the late 1990s.

Outline

1 Introduction

2 Signature schemes


4 Challenges

Multivariate Signature schemes

Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).

Private key: a way to compute G−1.

Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .

Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).

k, a small finite field.










Signing a hash of a document:

(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .















A toy example over GF(3)

G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:

G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).

G3(x1, x2, x3) = 1 + x2 + x1x3 + x21

A signature: (x1, x2, x3) = (2, 0, 1)

G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0

G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1

G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1


G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:

G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).

G3(x1, x2, x3) = 1 + x2 + x1x3 + x21

A signature: (x1, x2, x3) = (2, 0, 1)

G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0

G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1

G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1


G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:

G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).

G3(x1, x2, x3) = 1 + x2 + x1x3 + x21

A signature: (x1, x2, x3) = (2, 0, 1)

G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0

G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1

G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1

Security: polynomial solving.

Signature for (y1, y2, y3) = (0, 0, 0)?

G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0

G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0

G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0

Direct attack: difficulty of solving a set of nonlinearpolynomial equations over a finite field.



G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0

G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0

G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0




G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0

G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0

G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0


How to construct G?

A scheme by Kipnis, Patarin and Goubin 1999. (Eurocrypt1999)

G = F ◦ L.F : nonlinear, easy to compute F−1.L: invertible linear, to hide the structure of F .

How to construct G?

A scheme by Kipnis, Patarin and Goubin 1999. (Eurocrypt1999)

G = F ◦ L.F : nonlinear, easy to compute F−1.L: invertible linear, to hide the structure of F .

Unbalanced Oil-vinegar (uov) schemes

F = (f1(x1, .., xo , x ′1, ..., x′v ), · · · , fo(x1, .., xo , x ′1, ..., x

′v )).

fl(x1, ., xo , x ′1, ., x′v ) =

∑alijxix

′j+

∑blijx

′i x

′j+

∑clixi+

∑dlix

′i +el .

Oil variables: x1, ..., xo .

Vinegar variables: x ′1, ..., x′v .

Unbalanced Oil-vinegar (uov) schemes

F = (f1(x1, .., xo , x ′1, ..., x′v ), · · · , fo(x1, .., xo , x ′1, ..., x

′v )).

fl(x1, ., xo , x ′1, ., x′v ) =

∑alijxix

′j+

∑blijx

′i x

′j+

∑clixi+

∑dlix

′i +el .

Oil variables: x1, ..., xo .

Vinegar variables: x ′1, ..., x′v .

How to invert F?

fl(x1, ., xo , x ′1, ., x′v︸︷︷︸

fix the values

) =

∑alijxix

′j +

∑blijx

′i x

′j +

∑clixi +

∑dlix

′i + el .

How to invert F?

fl(x1, ., xo , x ′1, ., x′v ) =∑

alijxix′j +

∑blijx

′i x

′j +

∑clixi +

∑dlix

′i + el .

F : linear in Oil variables: x1, .., xo .

=⇒ F : easy to invert.

How to invert F?

fl(x1, ., xo , x ′1, ., x′v ) =∑

alijxix′j +

∑blijx

′i x

′j +

∑clixi +

∑dlix

′i + el .

F : linear in Oil variables: x1, .., xo .

=⇒ F : easy to invert.

Security analysis

v = o and v >> o not secure

v = 2o, 3o

Direct attacks does not work.

Security analysis


v = 2o, 3o


Security analysis


v = 2o, 3o


Security analysis

The mathematical problem to find equivalent secret keys —find the common null subspace spaces of a set of quadraticforms.

0 .. 0 ∗ .. ∗. . 0 ∗ .. ∗. . 0 ∗ .. ∗. . . ∗ .. ∗0 .. 0 ∗ .. ∗∗ .. ∗ ∗ .. ∗∗ .. ∗ ∗ .. ∗

The problem above can also be transformed into solving a setof quadratic equations.

Security analysis

The mathematical problem to find equivalent secret keys —find the common null subspace spaces of a set of quadraticforms.

0 .. 0 ∗ .. ∗. . 0 ∗ .. ∗. . 0 ∗ .. ∗. . . ∗ .. ∗0 .. 0 ∗ .. ∗∗ .. ∗ ∗ .. ∗∗ .. ∗ ∗ .. ∗

The problem above can also be transformed into solving a setof quadratic equations.

Rainbow – Ding, Schmidt, Yang etc – ACNS 05,06,07,08

Make F ”small” without reducing security.

G = L1︸︷︷︸Hide the separation

◦ F ◦ L2︸︷︷︸Hide L1◦F

.

F = (F1,F2).

Rainbow(18,12,12) over GF(28).

F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.




◦ F ◦ L2︸︷︷︸Hide L1◦F

.

F = (F1,F2).


F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.




◦ F ◦ L2︸︷︷︸Hide L1◦F

.

F = (F1,F2).


F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.

Rainbow

Rainbow(18,12,12)

Signature 400 bits Hash 336 bits

Rainbow

Rainbow(18,12,12)

Signature 400 bits Hash 336 bits

Implementations

IC for Rainbow: 804 cyclesA joint work of Cincinnati and Bochum.(ASAP 2008)

FPGA implementation by the research group of Professor Paarat Bochum (CHES 2009)Beat ECC in area and speed.

Implementations

IC for Rainbow: 804 cyclesA joint work of Cincinnati and Bochum.(ASAP 2008)

FPGA implementation by the research group of Professor Paarat Bochum (CHES 2009)Beat ECC in area and speed.

Side channel attack on Rainbow

Natural Side channel attack resistance.

Further optimizations.

Real implementations — Yang and Cheng In Taiwan.

A good candidate for light-weight crypto for smalldevices like RFID.
















Security

UOV: not broken since 1999.

Rainbow – MinRank problem

Security

UOV: not broken since 1999.

Rainbow – MinRank problem

Pros and Cons

Computationally very efficient

Large public key size

Pros and Cons

Computationally very efficient

Large public key size

Outline

1 Introduction

2 Signature schemes


4 Challenges

Notation

k is a small finite field with |k| = q

K̄ = k[x ]/(g(x)), a degree n extension of k.

The standard k-linear invertible map φ : K̄ −→ kn, andφ−1 : kn −→ K̄ .

Notation




Notation




The idea of ”BIG” field

Proposed in 1988 by Matsumoto-Imai.

Build up a map F over K̄ :

F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.

where the Li are randomly chosen invertible affine maps overkn

The Li are used to “hide” F̄ .

IP problem.




F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.



IP problem.




F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.



IP problem.




F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.



IP problem.

Encryption

The MI construction:

F : X 7−→ X qθ+1.

Let F̃ (x1, . . . , xn) = φ ◦ F ◦ φ−1(x1, . . . , xn) = (F̃1, . . . , F̃n).

The F̃i = F̃i (x1, . . . , xn) are quadratic polynomials in nvariables. Why quadratic?

X qθ+1 = X qθ × X .

Encryption


F : X 7−→ X qθ+1.



X qθ+1 = X qθ × X .

Encryption


F : X 7−→ X qθ+1.



X qθ+1 = X qθ × X .

Decryption

The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.

F−1(X ) = X t such that:

t × (qθ + 1) ≡ 1 (mod qn − 1).

The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.

The first toy example is produced by setting n = 3 and θ = 2.

This scheme is defeated by linearization equation method byPatarin 1995.

Decryption



t × (qθ + 1) ≡ 1 (mod qn − 1).




Decryption



t × (qθ + 1) ≡ 1 (mod qn − 1).




Decryption



t × (qθ + 1) ≡ 1 (mod qn − 1).




Decryption



t × (qθ + 1) ≡ 1 (mod qn − 1).




HFE by Patarin etc

The only difference from MI is that F is replaced by a newmap given by:

F (X ) =D∑

i ,j=0

aijXqi+qj

+D∑

i=0

biXqi

+ c .

Due to the work of Kipnis and Shamir, Faugere, Joux, Dcannot be too small. Therefore, the system is much slower.

D can not too large due to the inversion of using Berlakempalgorithms of solving one variable equations.

HFE by Patarin etc


F (X ) =D∑

i ,j=0

aijXqi+qj

+D∑

i=0

biXqi

+ c .



HFE by Patarin etc


F (X ) =D∑

i ,j=0

aijXqi+qj

+D∑

i=0

biXqi

+ c .



Internal Perturbation

(Internal) Perturbation was introduced at PKC 2004 as ageneral method to improve the security of multivariate publickey cryptosystems.

Construction – small-scale “noise” is added to the system in acontrolled way so as to not fundamentally alter the mainstructure, but yet substantially increase the “entropy.”


(Internal) Perturbation was introduced at PKC 2004 as ageneral method to improve the security of multivariate publickey cryptosystems.

Construction – small-scale “noise” is added to the system in acontrolled way so as to not fundamentally alter the mainstructure, but yet substantially increase the “entropy.”


Let r be a small integer and

z1(x1, . . . , xn) =n∑

j=1

αj1xj + β1

...

zr (x1, . . . , xn) =n∑

j=1

αjrxj + βr

be a set of randomly chosen affine linear functions in the xi

over kn such that the zj − βj are linearly independent.

We can use these linear functions to create quadratic”perturbation” in HFE (including MI) systems.


Let r be a small integer and

z1(x1, . . . , xn) =n∑

j=1

αj1xj + β1

...

zr (x1, . . . , xn) =n∑

j=1

αjrxj + βr

be a set of randomly chosen affine linear functions in the xi

over kn such that the zj − βj are linearly independent.

We can use these linear functions to create quadratic”perturbation” in HFE (including MI) systems.

IP of MI

x1, . . . , xn

?

?

L1

F̃1, . . . , F̃n

-

?

z1, . . . , zr

f1, . . . , fn

�+

?L2

y1, . . . , yn

Figure: Structure of Perturbation of the Matsumoto-Imai System.

Decryption

We need to a search of size of qr , therefore slower.

We need to use Plus Method, Adding random polynomial,to help it to resist differential attacks.

Despite the cost of the search, it is still efficient.

Decryption




Decryption




Efficient schemes

PMI+

IPHFE+ (odd characteristics)

IPMHFE+ (odd characteristics)

Efficient schemes

PMI+



Efficient schemes

PMI+



Other works

Quartz – HFEV- – very short signature

MHFEv- short but much more efficinet schemes

MFE, TTM

Other works



MFE, TTM

Other works



MFE, TTM

Outline

1 Introduction

2 Signature schemes


4 Challenges

Direct attacks

New polynomial solving algorithms, MXL, MGB, ZZ.

Complexity analysis – recent work of Dubois, Gamma

SAT solver is not really a threat but needs more understanding

The connection with algebraic cryptanalysis of symmetricciphers

Quantum computer attacks?

Direct attacks






Direct attacks






Direct attacks






Direct attacks






Provable security

A very difficult question

Some new results are coming out.

Provable security

A very difficult question

Some new results are coming out.

New constructions

New algebraic structure to exploreHeindl, Gao – Diophantine Equations

Other structures

New constructions

New algebraic structure to exploreHeindl, Gao – Diophantine Equations

Other structures

The end

Thank you very much!

Questions?

Documents

Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University