Gröbner Bases in Public-Key Cryptography, Ludovic Perret, SPIRAL/SALSA (slides of a PowerPoint presentation)


  1. Gröbner Bases in Public-Key Cryptography
     Ludovic Perret, SPIRAL/SALSA, LIP6, Université Paris 6, INRIA, ludovic.perret@lip6.fr
     ECRYPT PhD Summer School: Emerging Topics in Cryptographic Design and Cryptanalysis
     (Every slide carries the section navigation "Algebraic Cryptanalysis of HFE / Isomorphism of Polynomials (IP) / The Functional Decomposition Problem / Conclusion" and the footer "L. Perret, Gröbner Bases in Public-Key Cryptography".)

  2. Gröbner Bases in Cryptography?
     C.E. Shannon: "Breaking a good cipher should require as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type." Communication Theory of Secrecy Systems, 1949.

  3. Algebraic Cryptanalysis: Principle
     Convert a cryptosystem into an algebraic set of equations.
     Try to solve this system ⇒ Gröbner bases.

  4. Why Use Gröbner Bases?
     Based on an elegant and rich mathematical theory ⇒ Buchberger's talk.
     Most efficient method for solving algebraic systems.
     Efficient implementations available: Buchberger's algorithm (Singular, Gb, ...), F4 algorithm (Magma, Maple 10, FGb, ...).

  5.–7. Efficient Algebraic Cryptanalysis? (built up over three slides)
     Convert a cryptosystem into an algebraic set of equations:
       pay particular attention to the way the system is constructed;
       exploit all the properties of the cryptosystem.
     Simplify the system:
       ⇒ minimize the number of variables / the degree;
       ⇒ maximize the number of equations.
     Try to solve the simplified system.

  8. Algebraic Cryptanalysis in Practice
     Block ciphers (⇒ Cid's talk).
     Stream ciphers (⇒ Johansson/Canteaut's talk and Cid's talk).
     ...

  9. Outline
     1 Algebraic Cryptanalysis of HFE
     2 Isomorphism of Polynomials (IP): Description of the Problem; An Algorithm for Solving IP
     3 The Functional Decomposition Problem: 2R/2R⁻ and FDP; Solving FDP
     4 Conclusion

  10. The HFE scheme [J. Patarin, Eurocrypt 1996]
     Secret key: $(S, U) \in GL_n(K) \times GL_n(K)$ and
     $A = \sum_{i,j} \beta_{i,j}\, X^{q^{\theta_{i,j}} + q^{\theta'_{i,j}}} \in K'[X]$, with $K' \supset K$ and $q = \mathrm{Char}(K)$;
     $a = \big(a_1(x_1,\dots,x_n), \dots, a_n(x_1,\dots,x_n)\big) \in K[x_1,\dots,x_n]^n$.
     Public key: $\big(b_1(x), \dots, b_n(x)\big) = \big(a_1(xS), \dots, a_n(xS)\big)\, U$, with $x = (x_1,\dots,x_n)$.
     Encryption: to encrypt $m \in K^n$, $c = \big(b_1(m), \dots, b_n(m)\big)$.
     Signature: to sign $m \in K^n$, find $s \in K^n$ s.t. $b(s) = m$.

  11. Message Recovery Attack (I)
     Given $c = \big(b_1(m), \dots, b_n(m)\big) \in K^n$, find $z \in K^n$ such that
     $b_1(z) - c_1 = 0,\ \dots,\ b_n(z) - c_n = 0$.
     In theory... PoSSo is NP-hard.
     Complexity of $F_5$ for semi-regular systems (with $m = \alpha n$ equations): $O\big(n^{\omega \cdot d_{reg}}\big)$, with
     $d_{reg} \sim \Big(-\alpha + \tfrac{1}{2} + \tfrac{1}{2}\sqrt{2\alpha^2 - 10\alpha - 1 + 2(\alpha+2)\sqrt{\alpha(\alpha+2)}}\Big)\, n$.
     ⇒ For a quadratic system of 80 variables: $d_{reg} = 11$, i.e. $\approx 2^{83}$.

  12. Message Recovery Attack (II)
     In practice... Complexity of $F_5$: $2^{O(\log(n)^2)}$.
     J.-C. Faugère, A. Joux. Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems using Gröbner Bases. CRYPTO 2003.
     L. Granboulan, A. Joux, J. Stern. Inverting HFE is Quasipolynomial. CRYPTO 2006.
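The construction of slides 10 and 11 as an added, runnable example (not code from the talk): a toy HFE instance over $K = \mathbb{F}_2$, $K' = \mathbb{F}_{2^6}$ with constructed secret $A$, $S$, $U$; it recovers the public quadratic polynomials $b_k$ by a Möbius transform of their truth tables, builds the system $b(z) - c = 0$, and solves it by exhaustive search as a stand-in for the Gröbner-basis step at this size.

```python
# Toy HFE over K = F_2, K' = F_2^N (N = 6); every parameter below is constructed for illustration.
N = 6
MODULUS = 0b1000011  # x^6 + x + 1 is irreducible over F_2, so it defines K' = F_64
def gf_mul(a, b):  # product in K' of two elements held as coefficient bitmasks
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (MODULUS if a >> (N - 1) & 1 else 0)  # shift, then reduce
        b >>= 1
    return r

def frob(x, i):  # x -> x^(q^i) with q = 2: i squarings, each of them K-linear
    for _ in range(i):
        x = gf_mul(x, x)
    return x

def vec_mat(x, M):  # row vector x (bitmask) times matrix M (list of row bitmasks) over F_2
    r = 0
    for i, row in enumerate(M):
        r ^= row if x >> i & 1 else 0
    return r

# Secret A(X) = sum beta * X^(q^theta + q^theta') as (beta, theta, theta') terms: quadratic over K.
HFE_TERMS = [(0b000101, 0, 1), (0b100010, 1, 2), (0b011000, 0, 3), (0b000011, 2, 2)]
# Secret (S, U) in GL_N(F_2) x GL_N(F_2): unit lower-triangular, hence invertible.
S = [0b000001, 0b000011, 0b000100, 0b001101, 0b010010, 0b100100]
U = [0b000001, 0b000010, 0b000101, 0b001000, 0b011010, 0b100001]
def hfe_a(x):  # a(x): A evaluated on the element of K' whose coordinates are the bits of x
    r = 0
    for beta, t1, t2 in HFE_TERMS:
        r ^= gf_mul(beta, gf_mul(frob(x, t1), frob(x, t2)))
    return r
def public_b(x):  # public map b(x) = a(xS)U; the ciphertext of m is c = b(m)
    return vec_mat(hfe_a(vec_mat(x, S)), U)
def public_key():  # each b_k as a set of monomials (variable bitmasks), via Moebius transform
    pk = []
    for k in range(N):
        t = [public_b(x) >> k & 1 for x in range(1 << N)]  # truth table of b_k
        for i in range(N):
            for x in range(1 << N):
                if x >> i & 1:
                    t[x] ^= t[x ^ (1 << i)]
        pk.append({mono for mono, coef in enumerate(t) if coef})
    return pk

def recovery_system(pk, c):  # equations b_k(z) - c_k = 0 (slide 11); monomial 0 is the constant
    return [poly ^ {0} if c >> k & 1 else poly for k, poly in enumerate(pk)]

def solve_brute_force(system):  # stand-in for the Groebner-basis solver at toy size
    ev = lambda poly, z: sum(mono & z == mono for mono in poly) & 1
    return [z for z in range(1 << N) if all(ev(p, z) == 0 for p in system)]
```

Every monomial of every $b_k$ has degree at most 2, which is exactly why the attacker's system is quadratic and why the $d_{reg}$ estimate above applies.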

  13. Outline (repeated from slide 9 at the start of the IP section)

  14. "Key Recovery Attack": 2PLE
     Given: $a = (a_1, \dots, a_u)$ and $b = (b_1, \dots, b_u) \in K[x_1,\dots,x_n]^u$.
     Question: find $(S, U) \in GL_n(K) \times GL_u(K)$ s.t.
     $\big(b_1(x), \dots, b_u(x)\big) = \big(a_1(xS), \dots, a_u(xS)\big)\, U$, denoted by $b(x) = a(xS)\,U$, with $x = (x_1,\dots,x_n)$.
     J. Patarin. Hidden Fields Equations (HFE) and Isomorphism of Polynomials (IP): two new families of Asymmetric Algorithms. EUROCRYPT 1996.

  15. A Basic Problem (I)
     HFE and related schemes (C*, SFLASH, ...): $A = X^{1 + q^{\theta}} \in K'[X]$, with $K' \supset K$ and $q = \mathrm{Char}(K)$.
     Signature/authentication schemes: J. Patarin. Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymmetric Algorithms. EUROCRYPT 1996.
     Traitor tracing schemes: O. Billet, H. Gilbert. A Traceable Block Cipher. ASIACRYPT 2003.

  16. A Basic Problem (II): Code Equivalence (CE)
     Given: two matrices $G_1, G_2 \in M_{k,n}(\mathbb{F}_q)$.
     Find, if any, $S \in GL_k(\mathbb{F}_q)$ and a permutation $\sigma \in S_n$ s.t. $G_2 = S G_1 P_\sigma$, where
     $(P_\sigma)_{i,j} = 1$ if $\sigma(i) = j$, and $(P_\sigma)_{i,j} = 0$ otherwise.

  17. A Basic Problem (cont'd): McEliece's Cryptosystem (1978)
     Secret key: $S \in GL_k(\mathbb{F}_2)$, a permutation $\sigma$ on $\{1, \dots, n\}$.
     Public data: $G \in M_{k,n}(\mathbb{F}_2)$.
     Public key: $G' = S G P_\sigma$, where $(P_\sigma)_{i,j} = 1$ if $\sigma(i) = j$, and $(P_\sigma)_{i,j} = 0$ otherwise.
     Encryption: to encrypt $m \in \mathbb{F}_2^k$, compute $c = m G' + e$, with $e \in \mathbb{F}_2^n$ s.t. $w_H(e) = t$.
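Code equivalence (slide 16) and McEliece encryption (slide 17) as an added example with constructed values, not from the talk: it implements the $P_\sigma$ convention $(P_\sigma)_{i,j} = 1 \iff \sigma(i) = j$, checks a candidate $(S, \sigma)$ against $G_2 = S G_1 P_\sigma$, and shows that the public code keeps the secret code's minimum distance, which is what lets the legitimate receiver correct the $t$ errors.

```python
# Code equivalence (slide 16) and McEliece (slide 17) over F_2 with constructed values.
# Matrices are lists of row bitmasks (bit j of a row = column j); vectors are bitmasks.
def vec_mat(x, M):  # row vector x times matrix M over F_2
    r = 0
    for i, row in enumerate(M):
        r ^= row if x >> i & 1 else 0
    return r

def mat_mul(A, B):
    return [vec_mat(row, B) for row in A]

def perm_matrix(sigma, n):  # (P_sigma)_{i,j} = 1 iff sigma(i) = j, 0 otherwise
    return [1 << sigma[i] for i in range(n)]

def is_equivalent(G1, G2, S, sigma, n):  # does (S, sigma) witness G2 = S G1 P_sigma ?
    return G2 == mat_mul(mat_mul(S, G1), perm_matrix(sigma, n))

def weight(v):  # Hamming weight w_H
    return bin(v).count("1")

def min_distance(Gm, k):  # smallest weight of a nonzero codeword of the code generated by Gm
    return min(weight(vec_mat(msg, Gm)) for msg in range(1, 1 << k))

def encrypt(m, G_pub, e, t):  # c = m G' + e with w_H(e) = t
    if weight(e) != t:
        raise ValueError("error vector must have weight t")
    return vec_mat(m, G_pub) ^ e

# Constructed instance: G generates the [7,4] Hamming code (k = 4, n = 7, t = 1),
# S is unit lower-triangular in GL_4(F_2), SIGMA is a permutation of {0,...,6}.
K, NLEN, T = 4, 7, 1
G = [0b0110001, 0b1010010, 0b1100100, 0b1111000]
S = [0b0001, 0b0011, 0b0100, 0b1010]
SIGMA = [3, 0, 6, 1, 5, 2, 4]
G_PUB = mat_mul(mat_mul(S, G), perm_matrix(SIGMA, NLEN))  # public key G' = S G P_sigma
```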

  18. A Basic Problem (cont'd): Graph Isomorphism Problem
     Given: $G_1 = (V_1, E_1)$, $G_2 = (V_2, E_2)$.
     Question: find, if any, a bijection $p : V_1 \to V_2$ such that $(i, j) \in E_1$ if, and only if, $\big(p(i), p(j)\big) \in E_2$.

  19. Hard Problems?
     N. Sendrier. Finding the permutation between equivalent codes: the Support Splitting Algorithm. IEEE Transactions on Information Theory, July 2000.
     L. Babai. Automorphism groups, isomorphism, reconstruction. Handbook of Combinatorics.
