g e mss a gr e at multivariate short signature
play

G e MSS : A Gr e at Multivariate Short Signature Ludovic Perret - PowerPoint PPT Presentation

Dec 24, 2022 •282 likes •510 views

G e MSS : A Gr e at Multivariate Short Signature Ludovic Perret (CryptoNext Security) joint work with A. Casanova (CS), J.-C. Faugre (CryptoNext Security), G. Macario-Rat (Orange), J. Patarin (UVSQ) and J. Ryckeghem (SU/INRIA) The Second PQC

  1. G e MSS : A Gr e at Multivariate Short Signature Ludovic Perret (CryptoNext Security) joint work with A. Casanova (CS), J.-C. Faugère (CryptoNext Security), G. Macario-Rat (Orange), J. Patarin (UVSQ) and J. Ryckeghem (SU/INRIA) The Second PQC Standardization Conference 1 / 15

  2. Multivariate Cryptography : More than 30 Years of History T. Matsumoto and H. Imai. Classical candidate for “Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and post-quantum cryptography Message-Encryption”. Many schemes proposed (44 % EUROCRYPT ’88 . of second round signature J. Patarin. “Hidden Fields Equations ( HFE ) and candidates) Isomorphisms of Polynomials (IP): Two New HFE and variants have been Families of Asymmetric Algorithms”. EUROCRYPT’96. extensively studied ◮ NESSIE EU standardization J. Patarin, N. Courtois, L. Goubin. “ QUARTZ , 128-Bit Long Digital Signatures”. process (1999-2003). CT-RSA 2001. 2 / 15

  3. G e MSS Trapdoor – HFE Vinegar Jacques Patarin. “Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms”. EUROCRYPT ’96 . HFEv polynomial Let D ∈ N . We define F ( X , v 1 . . . , v v ) ∈ F 2 n [ X , v 1 . . . , v v ] such that: A i , j X 2 i + 2 j + β i ( v 1 , . . . , v v ) X 2 i + γ ( v 1 , . . . , v v ) , � � 0 � i < j < n 0 � i < n 2 i + 2 j � D 2 i � D each β i : F v 2 → F 2 n is linear and γ ( v 1 , . . . , v v ) : F v 2 → F 2 n is quadratic. 3 / 15

  4. G e MSS Trapdoor – HFE Vinegar Jacques Patarin. “Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms”. EUROCRYPT ’96 . HFEv polynomial Let D ∈ N . We define F ( X , v 1 . . . , v v ) ∈ F 2 n [ X , v 1 . . . , v v ] such that: A i , j X 2 i + 2 j + β i ( v 1 , . . . , v v ) X 2 i + γ ( v 1 , . . . , v v ) , � � 0 � i < j < n 0 � i < n 2 i + 2 j � D 2 i � D each β i : F v 2 → F 2 n is linear and γ ( v 1 , . . . , v v ) : F v 2 → F 2 n is quadratic. Guess vinegar variables ( v 1 , . . . , v v ) ∈ F v 2 : i , j X 2 i + 2 j + i X 2 i + C ′ ∈ F 2 n [ X ] . � � A ′ B ′ 0 � i < j < n 0 � i < n 2 i + 2 j � D 2 i � D 3 / 15

  5. Signature Generation HFE polynomial Let D ∈ N . i , j X 2 i + 2 j + i X 2 i + C ′ ∈ F 2 n [ X ] . � � A ′ B ′ F ( X ) = 0 � i < j < n 0 � i < n 2 i + 2 j � D 2 i � D Roots Finding (Las-Vegas) We can find all the roots of F ∈ F 2 n [ X ] in quasi-linear time : ˜ � � O n · D . J. von zur Gathen, J. Gerhard: Modern Computer Algebra (3. ed.). Cambridge University Press 2013. 4 / 15

  6. G e MSS KeyGen HFEv polynomial Let D ∈ N . We define F ( X , v 1 , . . . , v v ) ∈ F 2 n [ X , v 1 . . . , v v ] such that: A i , j X 2 i + 2 j + β i ( v 1 , . . . , v v ) X 2 i + γ ( v 1 , . . . , v v ) , � � 0 � i < j < n 0 � i < n 2 i + 2 j � D 2 i � D each β i : F v 2 → F 2 n is linear and γ ( v 1 , . . . , v v ) : F v 2 → F 2 n is quadratic. f 1 ( x 1 , . . . , x n + v ) Minus modifier. Only consider m < n equations. . F ( X , v 1 . . . , v v ) . �� n = � n . � F k = 1 θ k x k , v 1 , . . . , v v k = 1 θ k f k . f n ( x 1 , . . . , x n + v ) 5 / 15

  7. General Structure m < n : number of equations, n + v : number of variables Private-Key Public-Key f : ( F 2 ) n + v �→ ( F 2 ) m easy to p : ( F 2 ) n + v �→ ( F 2 ) m invert. p 1 ( x 1 , . . . , x n + v ) , f 1 ( x 1 , . . . , x n + v ) , . . . . . . . . . . . . p m ( x 1 , . . . , x n + v ) . f m ( x 1 , . . . , x n + v ) . p = T ◦ f ◦ S . ( S , T ) ∈ GL n+v ( F 2 ) × GL m ( F 2 ) . Verification : evaluation of Signature : Roots finding and polynomials, i.e. p ( s )= d . invertion of the matrices. 6 / 15

  8. Security Analysis J.-C Faugère, A. Joux. “Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Groebner Bases”. CRYPTO ’03 . p 1 = · · · = p m = 0 • B. Buchberger (1965) • D. Lazard (1983) • F 4 (J.-C. Faugère, 1999) �� � 2 � n • F 5 (J.-C. Faugère, 2002) O , Row-echelon form D reg • FGLM (J-.C. Faugère, P. Gianni, on matrices up to degree D reg D. Lazard, T. Mora, 1993) • . . . Signature 7 / 15

  9. Security Analysis J.-C Faugère, A. Joux. “Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Groebner Bases”. CRYPTO ’03 . Complexity is driven by the maximal degree D reg reached. p 1 = · · · = p m = 0 • B. Buchberger (1965) • D. Lazard (1983) • F 4 (J.-C. Faugère, 1999) �� � 2 � • F 5 (J.-C. Faugère, 2002) n , Row-echelon form O D reg • FGLM (J-.C. Faugère, P. Gianni, on matrices up to degree D reg D. Lazard, T. Mora, 1993) • . . . Signature 7 / 15

  10. Generic Techniques We can fix n + v − m variables Input. Non-linear public-key polynomials p 1 , . . . , p m ∈ F 2 [ x 1 , . . . , x n ] Question. Find ( z 1 , . . . , z m ) ∈ F m 2 such that: p 1 ( z 1 , . . . , z m ) = 0 , . . . , p m ( z 1 , . . . , z m ) = 0 . exhaustive search in 4 log 2 2 m [C. Bouillaguet, C.-Mou Cheng, T. Chou, R. Niederhagen, B-Y. Yang, SAC’2013] O ∗ ( 2 0 . 8765 m ) [D. Lokshtanov, R. Paturi, S. Tamaki, R. Williams, H. Yu, SODA’2017], no assumption BooleanSolve O ( 2 0 . 792 m ) [M. Bardet, J.-C. Faugère, B. Salvy, P-J. Spaenlehauer, Journal of Complexity, 2013], assumption on the input Minimal Condition λ : security parameter: m � 1 . 26 · λ. 8 / 15

  11. Message Recovery Attack : Nude HFE Upper bound [Faugère, Joux; L. Granboulan, A. Joux, J. Stern; V. Dubois, N. Gamma; J. Ding, T. Hodges] � � D reg ≈ O log 2 ( D ) . 9 / 15

  12. Message Recovery Attack : Nude HFE Experimental approximation D reg ≈ 2 . 03 + 0 . 36 log 2 ( D ) . 9 / 15

  13. Setting Parameters λ : security parameter, number of equations m � 1 . 26 · λ . Solving a system of m = n − ∆ equations in n + v variables: � m � 2 � 2 λ . D reg Nude HFE D init reg ≈ 2 . 03 + 0 . 36 log 2 ( D ) . 10 / 15

  14. Setting Parameters λ : security parameter, number of equations m � 1 . 26 · λ . Solving a system of m = n − ∆ equations in n + v variables: � m � 2 � 2 λ . D reg Nude HFE D init reg ≈ 2 . 03 + 0 . 36 log 2 ( D ) . 3 modifiers allow to increase the degree of regularity of nude HFE by one (heuristic/experiment rule). 3 λ ∆ + v ≈ log 2 ( m 2 ) − 6 . 06 − 1 . 08 log 2 ( D ) . 10 / 15

  15. Setting Parameters λ : security parameter, number of equations m � 1 . 26 · λ . Solving a system of m = n − ∆ equations in n + v variables: � m � 2 � 2 λ . D reg Nude HFE D init reg ≈ 2 . 03 + 0 . 36 log 2 ( D ) . 3 modifiers allow to increase the degree of regularity of nude HFE by one (heuristic/experiment rule). 3 λ ∆ + v ≈ log 2 ( m 2 ) − 6 . 06 − 1 . 08 log 2 ( D ) . General formula for setting the parameters 2 SecRela ( n , ∆ , log 2 ( D ) , v ) � 2 λ . 10 / 15

  16. Parameters/Performance NIST Status Report on Round 1 Candidates “G e MSS offers some of the smallest signature lengths among all submissions. GeMSS also benefits from the fact that the HFEv- construction is one of the most studied signature primitives in the literature. Aside from signature size and verification time, other performance characteristics of G e MSS raise some concerns. The signing time is quite high and the public keys are quite large ; these properties may be features of G e MSS that are inherent to the HFEv- methodology. ” Decrease D and adapt the others parameters. Larger set of parameters : G e MSS, BlueG e MSS and RedG e MSS (faster signing and key-generation). 11 / 15

  17. Parameters/Performance scheme key gen. (MCycles) sign (MC) verify (KC) | pk | (KBytes) | sk | (KB) sign (bits) G e MSS128 38.5 750 82 352.19 13.44 258 BlueG e MSS128 39.3 106 111 363.61 13.70 270 RedG e MSS128 39.2 2.79 109 375.21 13.10 282 G e MSS192 175 2320 239 1237.96 34.07 411 BlueG e MSS192 172 331 252 1264.12 35.38 423 RedG e MSS192 171 8.38 255 1290.54 34.79 435 G e MSS256 532 3640 566 3040.70 75.89 576 G e MSS256 529 545 583 3087.96 71.46 588 G e MSS256 523 12.9 588 3135.59 71.89 600 Fastest implementation (AVX2), Intel Core i7-6600U, Skylake, 3,40 GHz. 11 / 15

  18. Multivariate Quadratic Software : MQsoft J.-C. Faugère, L. Perret and J. Ryckeghem “Software Toolkit for HFE -based Multivariate Schemes”. CHES’19 . Teaser An efficient C library exploiting SSE / AVX2 instructions set. Matsumoto-Imai-based schemes: QUARTZ , Gui, G e MSS, . . . Fast arithmetic in F 2 [ X ] , F 2 n and F 2 n [ X ] (with root finding), multivariate quadratic systems in F (evaluation, change of variables, ...), mostly constant-time implementation against timing attacks. https://www-polsys.lip6.fr/Links/NIST/MQsoft.html 12 / 15

  19. Speed-up sign. scheme sec. level key gen. sign. verif. G e MSS128 128 + 220% + 100% + 95% G e MSS192 192 + 220% + 57% + 84% G e MSS256 256 + 240% + 110% + 75% 128 + 1200% + 100% + 73% Gui-184 192 + 1600% + 95% + 56% Gui-312 256 + 2500% + 85% + 58% Gui-448 Improvement of MQsoft w.r.t. fastest first round implementations. 13 / 15

  20. Third-Party Analysis Quantum analysis J.-C Faugère, K. Horan, D. Kahrobaei, M. Kaplan, E. Kashefi, L. Perret. “Fast Quantum Algorithm for Solving Multivariate Quadratic Equations”. 2018, Under submission. D. J. Bernstein, B-Y. Yang. “Asymptotically faster quantum algorithms to solve multivariate quadratic equations”. PQCrypto 2018. 14 / 15

Recommend

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
HMFEv - An Efficient Multivariate Signature Scheme Albrecht Petzoldt, Ming-Shing Chen, Jintai

HMFEv - An Efficient Multivariate Signature Scheme Albrecht Petzoldt, Ming-Shing Chen, Jintai

HMFEv - An Efficient Multivariate Signature Scheme Albrecht Petzoldt, Ming-Shing Chen, Jintai Ding, Bo-Yin Yang PQCrypto 2017 Utrecht, Netherlands A. Petzoldt HMFEv PQCrypto 2017 1 / 23 Outline Multivariate Cryptography 1 The HMFEv

575 views • 23 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford

Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford

Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford DEcentralized and DIstributed Systems Goal Anonymity Accountability Usability 2 Ring Signature Anonymous Spontaneous 3 Linkable Ring

372 views • 24 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Outline Multivariate Data 1 Multivariate Parametric Methods Multivariate Normal Distribution 2

Outline Multivariate Data 1 Multivariate Parametric Methods Multivariate Normal Distribution 2

Multivariate Data Multivariate Normal Distribution Multivariate Classification Multivariate Regression Multivariate Data Multivariate Normal Distribution Multivariate Classification Multivariate Regression Outline Multivariate Data 1

319 views • 7 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Mirosaw Kutyowski 1 and 1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun Shao 2 Definitions of 1-out-of-2 signature 1 Institute of Mathematics and Computer Science Our

489 views • 34 slides
Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford University ISI Kolkata, Jan 2012 Short Integer Solu5ons (SIS) A: Z m --&gt; (Z q ) n m

279 views • 15 slides
Advanced PHP Dr. Steven Bitner A/B and Multivariate testing Why use multivariate testing If

Advanced PHP Dr. Steven Bitner A/B and Multivariate testing Why use multivariate testing If

Advanced PHP Dr. Steven Bitner A/B and Multivariate testing Why use multivariate testing If your employer is interested in understanding how effective certain changes are, you may consider A/B or multivariate testing How to do it First,

372 views • 12 slides
Multivariate Normal Distribution Max Turgeon STAT 4690Applied Multivariate Analysis Building

Multivariate Normal Distribution Max Turgeon STAT 4690Applied Multivariate Analysis Building

Multivariate Normal Distribution Max Turgeon STAT 4690Applied Multivariate Analysis Building the multivariate density i random variable. Recall that its density is given by distributed, their joint density is 2 Let Z N (0 , 1) be a

382 views • 22 slides
Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Presentation &amp; Handwriting Policy Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson Date 24 th January 2018 Review date Jan 2020 1 Presentation 1 Book covers should indicate:

52 views • 4 slides
Operation Signature Protecting the vulnerable from Fraud Sarah Cohen Crime Prevention Advisor

Operation Signature Protecting the vulnerable from Fraud Sarah Cohen Crime Prevention Advisor

Operation Signature Protecting the vulnerable from Fraud Sarah Cohen Crime Prevention Advisor How it all began Tom Beckett from West Sussex sent over 100,000 to Scammers Scam the Secret Crime Click on this link to play a short

324 views • 14 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

244 views • 21 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

478 views • 24 slides
Digital Signature And Hash Function

Digital Signature And Hash Function

Digital Signature And Hash Function 1 Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Biometric Signature

894 views • 52 slides
Finding Multivariate Outlier Applied Multivariate Statistics Spring 2012 Goals Concept:

Finding Multivariate Outlier Applied Multivariate Statistics Spring 2012 Goals Concept:

Finding Multivariate Outlier Applied Multivariate Statistics Spring 2012 Goals Concept: Detecting outliers with (robustly) estimated Mahalanobis distance and QQ-plot R: chisq.plot, pcout from package mvoutlier Appl.

442 views • 28 slides
Multivariate and Partially observed models Erik Lindstrm n T Briefly on multivariate models N

Multivariate and Partially observed models Erik Lindstrm n T Briefly on multivariate models N

Multivariate and Partially observed models Erik Lindstrm n T Briefly on multivariate models N n 1 n 1 N (2) 1 n X n X T 1 n 1 n Consider the Vector-AR(1) (VAR) process. 1 X T X n 1 n 1 N A Matrix Cookbook] Leads to Writing

725 views • 59 slides
Multivariate Analysis of Variance Max Turgeon STAT 4690Applied Multivariate Analysis Quick

Multivariate Analysis of Variance Max Turgeon STAT 4690Applied Multivariate Analysis Quick

Multivariate Analysis of Variance Max Turgeon STAT 4690Applied Multivariate Analysis Quick Overview What do we mean by Analysis of Variance? ANOVA is a collection of statistical models that aim to analyze and understand the difgerences

858 views • 36 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve

2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve

2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve signature metrics for each signature platform over a period of years. 3 Vision for Quality, Affordable Early Learning Strength, confidence,

291 views • 18 slides
Four As Model Multivariate Solutions Multivariate Solutions June 2005 June 2005 Background

Four As Model Multivariate Solutions Multivariate Solutions June 2005 June 2005 Background

Four As Model Multivariate Solutions Multivariate Solutions June 2005 June 2005 Background and Objectives To examine four key measures in the study to determine key segments Satisfaction with The Company Would Recommend The

600 views • 11 slides
Multivariate Data Analysis in Omics Research Diverging Alternative Splicing Fingerprints

Multivariate Data Analysis in Omics Research Diverging Alternative Splicing Fingerprints

Multivariate Data Analysis in Omics Research Diverging Alternative Splicing Fingerprints Identified in Thoracic Aortic Aneurysm Sanela Kjellqvist, PhD WABI RNAseq course 2017-11-08 Outline Why multivariate data analysis? Multivariate

567 views • 37 slides

More recommend