Introduction to Multivariate Public Key Cryptography (PowerPoint presentation)

Geovandro Carlos C. F. Pereira. PhD advisor: Prof. Dr. Paulo S. L. M. Barreto. LARC - Computer Architecture and Networking Lab, Department of Computer Engineering and Digital Systems, Escola


Security (slides 37–38)
  • Most of the schemes do not use exactly random maps. Many systems have the structure
    $P(x_1, \dots, x_n) = L_1 \circ F \circ L_2(x_1, \dots, x_n)$,
    where $F$ is a quadratic map with certain structure (the central map).
  • This structure enables computing $F^{-1}$ easily.
  • $L_1$ and $L_2$ are full-rank linear maps used to hide $F$.

Security (slides 39–40)
  • MQ-Problem: given a set of $m$ quadratic polynomials in $n$ variables $x = (x_1, \dots, x_n)$, solve the system
    $p_1(x) = \dots = p_m(x) = 0$.
  • IP-Problem: given two polynomial maps $F_1, F_2 : K^n \to K^m$, the problem is to look for two linear transformations $L_1$ and $L_2$ (if they exist) such that
    $F_1(x_1, \dots, x_n) = L_1 \circ F_2 \circ L_2(x_1, \dots, x_n)$.

Multivariate Quadratic Construction (slide 41)
  • MQ system with $m$ equations in $n$ variables, all coefficients in $\mathbb{F}_q$.
  • Polynomial notation: $p_k(x_1, \dots, x_n) := \sum_{i,j} P^{(k)}_{ij}\, x_i x_j + \sum_i L^{(k)}_i\, x_i + c^{(k)}$.
  • Vector notation: $p_k(x_1, \dots, x_n) = x P^{(k)} x^T + L^{(k)} x + c^{(k)}$.

(Pure) Quadratic Map (slide 42)
  • $\mathcal{P}(x) = h \iff x P^{(k)} x^T = h_k \quad (k = 1, \dots, m)$.
  • The slide pictures this as the row vector $x$, the matrix $P^{(k)}$ and the column $x^T$ multiplying to the scalar $h_k$.

Matsumoto-Imai Cryptosystem (slide 43)
  • Previously, many unsuccessful attempts to construct an encryption scheme: small number of variables, huge key sizes.
  • In 1988, Matsumoto and Imai adopted a "Big" Field in their C* construction.

Matsumoto-Imai Cryptosystem (slides 44–48)
  • $k$ is a small finite field with $|k| = q$.
  • $K = k[x]/(g(x))$, a degree $n$ extension of $k$.
  • The linear map $\phi : K \to k^n$ and $\phi^{-1} : k^n \to K$:
    $\phi(a_0 + a_1 x + \dots + a_{n-1} x^{n-1}) = (a_0, a_1, \dots, a_{n-1})$.
  • Build a map $F$ over $K$:
    $\bar{F} = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$,
    where the $L_i$ are randomly chosen invertible maps over $k^n$.
  • Inversion of $\bar{F}$ is related to the IP Problem.

Matsumoto-Imai Cryptosystem (slides 49–51)
  • The map $F$ adopted was
    $F : K \to K, \quad X \mapsto X^{q^\theta + 1}$.
  • Let $\tilde{F}(x_1, \dots, x_n) = \phi \circ F \circ \phi^{-1}(x_1, \dots, x_n) = (F_1(x_1, \dots, x_n), \dots, F_m(x_1, \dots, x_n))$.
  • The $F_i$ are quadratic polynomials because the map $X \mapsto X^{q^\theta}$ is linear (it is the Frobenius automorphism of order $\theta$).

Matsumoto-Imai Cryptosystem (slides 52–53)
  • Encryption is done by the quadratic map over $k^n$
    $\bar{F} = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$,
    where the $L_i$ are affine maps over $k^n$.
  • Decryption is the inverse process:
    $\bar{F}^{-1} = L_2^{-1} \circ \phi \circ F^{-1} \circ \phi^{-1} \circ L_1^{-1}$.

Matsumoto-Imai Cryptosystem (slides 54–55)
  • Requirement: $\gcd(q^\theta + 1,\; q^n - 1) = 1$, to ensure the invertibility of the decryption map $\bar{F}^{-1}$.
  • $F^{-1}(X) = X^t$, $X \in K$, where $t \cdot (q^\theta + 1) \equiv 1 \pmod{q^n - 1}$.
  • The public key includes $k$ and $\bar{F} = (F_1, \dots, F_n)$.
  • The private key includes $L_1$, $L_2$ and $K$.
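The central map $X \mapsto X^{q^\theta+1}$, its inverse $X^t$ and the gcd requirement of slides 49–55, as an added example that is not part of the original deck. It fixes $q = 2$, so $K = \mathrm{GF}(2)[x]/(g(x))$ is represented by integers whose bits are the coordinates $\phi(\cdot)$ of slide 46; the parameters $n = 7$, $g(x) = x^7 + x + 1$, $\theta = 1$ and the deliberately failing case $n = 4$, $g(x) = x^4 + x + 1$ are constructed for illustration, and all function names are the example's own.

```python
# Added example (not from the slides): the Matsumoto-Imai central map F(X) = X^(q^theta + 1)
# and its inverse F^-1(Y) = Y^t on K = GF(2)[x]/(g(x)) = GF(2^n), i.e. q = 2 (slides 44-55).
# A field element a_0 + a_1 x + ... + a_{n-1} x^{n-1} is stored as the int with bit i = a_i,
# which is exactly the coordinate vector phi(.) of slide 46.
from math import gcd

def gf2n_mul(a, b, n, g):
    """Multiply a and b in GF(2^n); g is the modulus polynomial with its degree-n bit set."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= g
    return r

def gf2n_pow(a, e, n, g):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf2n_mul(r, a, n, g)
        a = gf2n_mul(a, a, n, g)
        e >>= 1
    return r

def mi_exponents(n, theta, q=2):
    """Slides 54-55: the C* map is invertible iff gcd(q^theta + 1, q^n - 1) = 1; the decryption
    exponent t then satisfies t * (q^theta + 1) = 1 mod (q^n - 1).
    Returns (q^theta + 1, t), or None when the requirement fails."""
    h, order = q**theta + 1, q**n - 1
    if gcd(h, order) != 1:
        return None
    return h, pow(h, -1, order)

def central_map(X, n, g, theta):
    """F: K -> K, X |-> X^(q^theta + 1)."""
    return gf2n_pow(X, 2**theta + 1, n, g)

def central_map_inverse(Y, n, g, theta):
    """F^-1(Y) = Y^t; refuses to run when the gcd requirement is not met."""
    exps = mi_exponents(n, theta)
    if exps is None:
        raise ValueError("gcd(q^theta + 1, q^n - 1) != 1: F is not a bijection")
    return gf2n_pow(Y, exps[1], n, g)

def round_trips(n, g, theta):
    """True iff F^-1(F(X)) = X for every X in K."""
    return all(central_map_inverse(central_map(X, n, g, theta), n, g, theta) == X
               for X in range(2**n))

def image_size(n, g, theta):
    """Number of distinct values X^(q^theta + 1) takes: equals 2^n only when F is a bijection."""
    return len({central_map(X, n, g, theta) for X in range(2**n)})

def frobenius_is_additive(n, g, theta):
    """Slide 51: X |-> X^(q^theta) is k-linear, which is why the coordinate maps F_i are quadratic."""
    frob = lambda X: gf2n_pow(X, 2**theta, n, g)
    return all(frob(a ^ b) == frob(a) ^ frob(b) for a in range(2**n) for b in range(2**n))

# Constructed parameters: GF(2^7) with g = x^7 + x + 1 (0b10000011), theta = 1 (gcd(3, 127) = 1),
# and GF(2^4) with g = x^4 + x + 1 (0b10011), theta = 1, where gcd(3, 15) = 3 breaks the requirement.
GOOD = (7, 0b10000011, 1)
BAD = (4, 0b10011, 1)
```

Running `round_trips(*GOOD)` exercises the full encrypt/decrypt round trip of the central map, while `image_size(*BAD)` shows what the gcd requirement protects against: when it fails, $X \mapsto X^{q^\theta+1}$ is many-to-one and no decryption exponent exists.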

UOV Signature (slides 56–59)
  • Trapdoor to invert $F$ [Patarin].
  • $h = \mathrm{Hash}(M)$.
  • Split the variables into 2 sets: oil variables $O := (x_1, \dots, x_o)$ and vinegar variables $V := (x'_1, \dots, x'_v)$.
  • $f_k(x_1, \dots, x_o, x'_1, \dots, x'_v) = \sum_{O \times V} F^{(k)}_{ij}\, x_i x'_j + \sum_{V \times V} F^{(k)}_{ij}\, x'_i x'_j + \sum_{O} L^{(k)}_i\, x_i + \sum_{V} L^{(k)}_i\, x'_i + c^{(k)} = h_k$.

UOV Signature (slides 60–62)
  • Choose the vinegars $V := (x'_1, \dots, x'_v)$ uniformly at random and fix them.
  • With the vinegars fixed, each equation $f_k = h_k$ is linear in the oils, so this becomes an $o \times o$ system of linear equations.
  • It has a solution with high probability ($\approx 1 - 1/q$).

UOV Signature (slide 63)
  • Oil variables are not mixed: indexing the rows and columns of $F^{(k)}$ by the vinegar variables $x_1, \dots, x_v$ followed by the oil variables $\dots, x_n$, the oil $\times$ oil block of $F^{(k)}$ is $0$.
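The Patarin trapdoor of slides 56–63, as an added example that is not part of the original deck: key generation with a zero oil $\times$ oil block, the public key in the matrix form $P^{(k)} = S F^{(k)} S^T$ of slide 88, signing by fixing random vinegars and solving the resulting $o \times o$ linear system (with new vinegars when it is singular, the $1/q$ case of slide 62), and verification via the vector notation $x P^{(k)} x^T = h_k$ of slide 42. The field $\mathrm{GF}(31)$, the parameters $v = 6$, $o = 3$, the SHA-256-based encoding of $h = \mathrm{Hash}(M)$ and all function names are constructed for illustration and are not a real parameter set.

```python
# Added example (not from the slides): a toy UOV over k = GF(31) with v = 6 vinegar and
# o = 3 oil variables, implementing the Patarin trapdoor of slides 56-63 and the key form
# P^(k) = S F^(k) S^T of slide 88. Parameters are constructed and far too small for real use.
import hashlib
import random

P_MOD = 31              # constructed: |k| = q = 31
V, O = 6, 3             # constructed: vinegar and oil counts
N, M = V + O, O         # n variables, m = o equations

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P_MOD for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def solve_mod_p(A, b):
    """Gauss-Jordan on [A | b] over GF(p): returns x with A x = b, or None if A is singular."""
    n = len(A)
    W = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if W[r][c] % P_MOD), None)
        if piv is None:
            return None
        W[c], W[piv] = W[piv], W[c]
        inv = pow(W[c][c], -1, P_MOD)
        W[c] = [x * inv % P_MOD for x in W[c]]
        for r in range(n):
            if r != c and W[r][c]:
                f = W[r][c]
                W[r] = [(x - f * y) % P_MOD for x, y in zip(W[r], W[c])]
    return [row[n] for row in W]

def inverse_mod_p(A):
    """Matrix inverse via one solve per unit vector; None if A is singular."""
    n = len(A)
    cols = [solve_mod_p(A, [int(i == j) for i in range(n)]) for j in range(n)]
    return None if any(c is None for c in cols) else transpose(cols)

def quad_form(Q, x):
    """x Q x^T over GF(p), the vector notation of slide 42."""
    return sum(x[i] * Q[i][j] * x[j] for i in range(N) for j in range(N)) % P_MOD

def hash_to_field(msg):
    """h = Hash(M) as m field elements (constructed encoding: one SHA-256 byte per element)."""
    d = hashlib.sha256(msg).digest()
    return [d[k] % P_MOD for k in range(M)]

def keygen(rng):
    """Private key: invertible S and central maps F^(k) whose oil x oil block is zero (slide 63).
    Public key: P^(k) = S F^(k) S^T."""
    F = []
    for _ in range(M):
        Fk = [[rng.randrange(P_MOD) for _ in range(N)] for _ in range(N)]
        for i in range(V, N):
            for j in range(V, N):
                Fk[i][j] = 0            # oil variables are never multiplied together
        F.append(Fk)
    while True:
        S = [[rng.randrange(P_MOD) for _ in range(N)] for _ in range(N)]
        S_inv = inverse_mod_p(S)
        if S_inv is not None:
            break
    P = [mat_mul(mat_mul(S, Fk), transpose(S)) for Fk in F]
    return (S_inv, F), P

def sign(priv, msg, rng):
    """Fix random vinegars so each f_k becomes linear in the oils, solve the o x o system
    (slides 60-62), then map y back through S^-1. A singular system (probability about 1/q)
    is handled by drawing new vinegars."""
    S_inv, F = priv
    h = hash_to_field(msg)
    while True:
        vin = [rng.randrange(P_MOD) for _ in range(V)]
        A, b = [], []
        for k in range(M):
            Fk = F[k]
            const = sum(vin[i] * Fk[i][j] * vin[j] for i in range(V) for j in range(V))
            A.append([sum(vin[i] * (Fk[i][V + j] + Fk[V + j][i]) for i in range(V)) % P_MOD
                      for j in range(O)])
            b.append((h[k] - const) % P_MOD)
        oil = solve_mod_p(A, b)
        if oil is not None:
            y = vin + oil                       # y F^(k) y^T = h_k for every k
            return mat_mul([y], S_inv)[0]       # x = y S^-1, so x P^(k) x^T = h_k

def verify(pub, msg, sig):
    h = hash_to_field(msg)
    return all(quad_form(Pk, sig) == hk for Pk, hk in zip(pub, h))

def demo(seed=1, msg=b"constructed message"):
    """Returns (genuine signature verifies, same signature verifies a different message)."""
    rng = random.Random(seed)
    priv, pub = keygen(rng)
    sig = sign(priv, msg, rng)
    return verify(pub, msg, sig), verify(pub, msg + b"!", sig)
```

Verification only needs the public $P^{(k)}$; the private $S^{-1}$ and the structured $F^{(k)}$ never leave `sign`. The retry loop in `sign` is the practical face of the "$\approx 1 - 1/q$" remark: over a field this small it is hit noticeably often, which is one reason real parameter sets use larger $q$.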

Rainbow Signature (slide 64)
  • Rainbow Quadratic Map (shown as a picture on the slide).

MQ Signatures (slide 65)
  • UOV key sizes: a table of Scheme vs. Public Key (KiB); only the size column is recoverable from the slide: 113.4, 99.4, 77.7, 66.7, 14.5, 11.0, 10.2.

Technique for Key Size Reduction (slide 66)

MQ Signatures - Cyclic UOV (slides 67–69)
  • Technique for reduction of UOV public keys.
  • Part of the public key with short representation.
  • Achieves a 6x reduction factor for 80-bit security.

MQ Signatures - Cyclic UOV (slides 70–71)
  • Public matrix of coefficients $M_P$: its rows are the coefficient vectors of $P^{(1)}, P^{(2)}, \dots, P^{(m)}$,
    $M_P = \begin{pmatrix} P^{(1)} \\ P^{(2)} \\ \vdots \\ P^{(m)} \end{pmatrix}$, of size $m \times l'$ with $l' = \frac{n(n+1)}{2}$.
  • Split by columns, $M_P = (B \mid C)$, where $B$ is $m \times l$ and $C$ is $m \times (l' - l)$, with
    $l = \frac{v(v+1)}{2} + mv, \qquad l' = \frac{n(n+1)}{2}$.

MQ Signatures - Cyclic UOV (slides 72–73)
  • Private matrix of coefficients $M_F$: its rows are the coefficient vectors of $F^{(1)}, \dots, F^{(m)}$, and the columns of the oil $\times$ oil monomials are zero,
    $M_F = \begin{pmatrix} F^{(1)} & 0 \\ F^{(2)} & 0 \\ \vdots & \vdots \\ F^{(m)} & 0 \end{pmatrix} = (F \mid 0)$, of size $m \times l'$ with $F$ of size $m \times l$.

MQ Signatures - Cyclic UOV (slide 74)
  • There is a linear relation between $B$ and $F$ which only depends on $B$, $F$ and $S$ [Petzoldt et al., 2010]:
    $B = F \cdot A_{UOV}(S)$,
    where $A_{UOV}(S)$ is the $l \times l$ matrix with entries
    $a_{ij,rs} = \begin{cases} s_{ri} \cdot s_{si}, & i = j \\ s_{ri} \cdot s_{sj} + s_{rj} \cdot s_{si}, & i \neq j \end{cases}$
    for $1 \le i \le v$, $i \le j \le n$ and $1 \le r \le v$, $r \le s \le n$.

MQ Signatures - Cyclic UOV (slides 75–78)
  • By choosing $A_{UOV}(S)$ invertible, $F$ can be computed from $B$ and $A_{UOV}^{-1}$:
    $F = B \cdot A_{UOV}^{-1}$.
  • Thus, the choice of $B$ becomes flexible. In particular:
    – $B = 0$ does not result in a valid $F$;
    – $B$ = identity blocks reveals too much info of $A_{UOV}^{-1}$;
    – $B$ circulant was adopted by [Petzoldt et al., 2010].
  • Petzoldt et al. showed by theorem that the choice of a circulant $B$ provides consistent UOV signatures.

MQ Signatures - Cyclic UOV (slide 79)
  • Adopting $B$ circulant, $M_P = (B \mid C)$ with $B$ generated by a single vector $\mathbf{b} = (b_1, \dots, b_l)$, so the public key size becomes
    $|M_P| = l + m(l' - l)$.

MQ Signatures - Cyclic UOV (slides 80–84)
  • Public matrices $P^{(k)}$: the slides picture $P^{(1)}, P^{(2)}, P^{(3)}, P^{(4)}, \dots$ in turn.
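The coefficient-level relation $B = F \cdot A_{UOV}(S)$ of slide 74 and the key-size count of slide 79, checked numerically as an added example that is not part of the original deck. One assumption is made beyond the slides: the $F^{(k)}$ (and hence the $P^{(k)} = S F^{(k)} S^T$) are taken symmetric, so that each upper-triangular entry $p_{rs}$ of $P^{(k)}$ is exactly $\sum_{i \le j} f_{ij}\, a_{ij,rs}$ with $a_{ij,rs}$ as written on slide 74. The field $\mathrm{GF}(31)$, the parameters $v = 5$, $o = 3$ and all function names are constructed for illustration.

```python
# Added example (not from the slides): the relation B = F . A_UOV(S) of slide 74 checked
# numerically over GF(31). Assumption: F^(k) is symmetric, so the entry p_rs (r <= s) of
# P^(k) = S F^(k) S^T is sum_{i<=j} f_ij a_{ij,rs} with a_{ij,rs} exactly as on slide 74.
import random

P_MOD = 31                  # constructed: |k| = q = 31
V, O = 5, 3                 # constructed: vinegar and oil counts
N, M = V + O, O             # n variables, m = o equations
MONOMIALS = [(i, j) for i in range(N) for j in range(i, N)]   # x_i x_j with i <= j
L_PRIME = len(MONOMIALS)                                      # l' = n(n+1)/2
L = V * (V + 1) // 2 + M * V                                  # l: monomials with a vinegar factor

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P_MOD for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def random_central_map(rng):
    """Symmetric F^(k) with a zero oil x oil block (slides 63 and 72)."""
    F = [[0] * N for _ in range(N)]
    for i in range(V):                 # only monomials with at least one vinegar variable
        for j in range(i, N):
            F[i][j] = F[j][i] = rng.randrange(P_MOD)
    return F

def coeff_vector(Q):
    """One row of M_P or M_F: the upper-triangular entries of Q in MONOMIALS order."""
    return [Q[i][j] for i, j in MONOMIALS]

def a_matrix(S):
    """The l' x l' matrix with entries a_{ij,rs} of slide 74; A_UOV(S) is its top-left l x l block."""
    A = []
    for i, j in MONOMIALS:
        row = []
        for r, s in MONOMIALS:
            if i == j:
                row.append(S[r][i] * S[s][i] % P_MOD)
            else:
                row.append((S[r][i] * S[s][j] + S[r][j] * S[s][i]) % P_MOD)
        A.append(row)
    return A

def check_relation(seed):
    """Returns (M_P == M_F . A(S), B == F . A_UOV(S)) for random S and F^(k)."""
    rng = random.Random(seed)
    S = [[rng.randrange(P_MOD) for _ in range(N)] for _ in range(N)]
    F_list = [random_central_map(rng) for _ in range(M)]
    M_P = [coeff_vector(mat_mul(mat_mul(S, F), transpose(S))) for F in F_list]
    M_F = [coeff_vector(F) for F in F_list]
    A = a_matrix(S)
    full = M_P == mat_mul(M_F, A)
    # M_F = (F | 0), so the block B (first l columns of M_P) only involves the l x l block of A
    F_part = [row[:L] for row in M_F]
    A_uov = [row[:L] for row in A[:L]]
    B_part = [row[:L] for row in M_P]
    oil_columns_zero = all(x == 0 for row in M_F for x in row[L:])
    return full, B_part == mat_mul(F_part, A_uov) and oil_columns_zero

def key_sizes():
    """Field elements stored: the full M_P (m . l') versus the cyclic form l + m(l' - l) of slide 79."""
    return M * L_PRIME, L + M * (L_PRIME - L)
```

The check runs the relation in the forward direction only (from $F$ and $S$ to $B$); the cyclic construction of slides 75–78 runs it backwards, which is why it additionally needs $A_{UOV}(S)$ to be invertible. For these toy parameters `key_sizes()` gives 108 versus 48 field elements, and the gap grows with $m$ because only $B$ collapses to a single row.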

Equivalent Keys in UOV (slides 85–87)
  • Idea: find equivalent private keys that enable solving any given public key system.
  • A class of equivalent private keys with a simpler structure.
  • Thus, private keys can be built using this short structure.

Equivalent Keys in UOV (slides 88–89)
  • UOV public key: $P^{(i)} = S F^{(i)} S^T$, $1 \le i \le m$.
  • Question: are there classes of keys $S'$ and $F'$ such that
    $P^{(i)} = S F^{(i)} S^T = S' F'^{(i)} S'^T, \quad 1 \le i \le m$,
    where the matrices $F'^{(i)}$ share with $F^{(i)}$ the same trapdoor structure?

Equivalent Keys in UOV (slides 90–92)
  • Idea: introduce a matrix $\Omega$ in $P^{(i)}$:
    $P^{(i)} = S \Omega^{-1}\, \Omega F^{(i)} \Omega^T\, \Omega^{T,-1} S^T$.
    Define $F'^{(i)} := \Omega F^{(i)} \Omega^T$.
  • We want $\Omega$ that keeps the original $F$ structure in $F'$. Writing both in blocks of sizes $v$ and $m$,
    $\Omega = \begin{pmatrix} \Omega_1 & \Omega_2 \\ \Omega_3 & \Omega_4 \end{pmatrix}, \quad F^{(i)} = \begin{pmatrix} F_1 & F_2 \\ F_3 & 0 \end{pmatrix}, \quad F'^{(i)} = \Omega F^{(i)} \Omega^T,$
    and the lower-right $m \times m$ block of $F'^{(i)}$ must be $0$.
  • From the previous equality we obtain
    $(\Omega_3 F_1 + \Omega_4 F_3)\, \Omega_3^T + \Omega_3 F_2\, \Omega_4^T = 0$,
    and $\Omega_3 = 0$ is a solution:
    $\Omega = \begin{pmatrix} \Omega_1 & \Omega_2 \\ 0 & \Omega_4 \end{pmatrix}$.

Equivalent Keys in UOV (slides 93–95)
  • Thus, $F'^{(i)} = \Omega F^{(i)} \Omega^T$ has the same structure as $F^{(i)}$.
  • Going back to the definition,
    $P^{(i)} = S \Omega^{-1} (\Omega F^{(i)} \Omega^T)\, \Omega^{T,-1} S^T = S \Omega^{-1} (F'^{(i)})\, \Omega^{T,-1} S^T$.
  • So, defining $S' := S \Omega^{-1}$ one finally gets
    $P^{(i)} = S' F'^{(i)} S'^T$.

Equivalent Keys in UOV (slides 96–97)
  • In blocks of sizes $v$ and $m$,
    $S' = S \Omega^{-1} = \begin{pmatrix} S_1 & S_2 \\ S_3 & S_4 \end{pmatrix} \begin{pmatrix} \Omega_1^{-1} & -\Omega_1^{-1} \Omega_2 \Omega_4^{-1} \\ 0 & \Omega_4^{-1} \end{pmatrix}$.
    Note that $\Omega^{-1}$ has the same structure as $\Omega$.
  • By choosing suitable values of the blocks of $\Omega^{-1}$, it is possible to get
    $S'_1 = I_{v \times v}, \quad S'_2 = 0_{v \times m}, \quad S'_4 = I_{m \times m}$
    (take $\Omega_1^{-1} = S_1^{-1}$, $\Omega_4^{-1} = (S_4 - S_3 S_1^{-1} S_2)^{-1}$ and the upper-right block equal to $-S_1^{-1} S_2 (S_4 - S_3 S_1^{-1} S_2)^{-1}$), which implies
    $S'_3 = S_3 S_1^{-1}$.

Equivalent Keys in UOV (slides 98–99)
  • Structure of $S'$:
    $S' = \begin{pmatrix} I_{v \times v} & 0 \\ S'_3 & I_{m \times m} \end{pmatrix}$.
  • So, the answer is yes: there exist equivalent $S'$, $F'^{(i)}$ such that
    $S' F'^{(i)} (S')^T = (S \Omega^{-1})\, \Omega F^{(i)} \Omega^T\, (S \Omega^{-1})^T = P^{(i)}$,
    and the $F'^{(i)}$ have the desired trapdoor structure.
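The $\Omega$ construction of slides 90–99 checked with explicit matrices, as an added example that is not part of the original deck: it confirms that $\Omega F^{(i)} \Omega^T$ keeps the zero oil $\times$ oil block exactly when $\Omega_3 = 0$, and that $S$ and $S' = S\Omega^{-1}$ with $F'^{(i)} = \Omega F^{(i)} \Omega^T$ yield the same public key. One assumption beyond the slides: the equivalent key is produced in the reverse direction ($S'$ is drawn first and $S := S'\Omega$), which is the same relation but needs no matrix inversion. The field $\mathrm{GF}(31)$, the parameters $v = 5$, $m = 3$ and all function names are constructed for illustration.

```python
# Added example (not from the slides): the Omega construction of slides 90-99 over GF(31).
# Assumption: S := S' Omega is used instead of S' := S Omega^-1 (same relation, no inversion needed).
import random

P_MOD = 31                  # constructed: |k| = q = 31
V, O = 5, 3                 # constructed: vinegar count v and oil count (= m)
N = V + O

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P_MOD for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def random_matrix(rng):
    return [[rng.randrange(P_MOD) for _ in range(N)] for _ in range(N)]

def oil_oil_block_is_zero(F):
    """The UOV trapdoor structure: the bottom-right m x m block is 0 (slide 91)."""
    return all(F[i][j] == 0 for i in range(V, N) for j in range(V, N))

def random_central_map(rng):
    F = random_matrix(rng)
    for i in range(V, N):
        for j in range(V, N):
            F[i][j] = 0
    return F

def block_omega(rng, omega3_zero=True):
    """Omega = [[Omega_1, Omega_2], [Omega_3, Omega_4]]; slide 92 picks Omega_3 = 0."""
    Om = random_matrix(rng)
    if omega3_zero:
        for i in range(V, N):
            for j in range(V):
                Om[i][j] = 0
    return Om

def conjugate(F, Om):
    """F' = Omega F Omega^T (slide 90)."""
    return mat_mul(mat_mul(Om, F), transpose(Om))

def structure_preserved(seed, omega3_zero):
    """Does F' keep the zero oil x oil block? With Omega_3 = 0 it always does; with a random
    Omega_3 the block (Omega_3 F_1 + Omega_4 F_3) Omega_3^T + Omega_3 F_2 Omega_4^T is nonzero."""
    rng = random.Random(seed)
    F = random_central_map(rng)
    return oil_oil_block_is_zero(conjugate(F, block_omega(rng, omega3_zero)))

def equivalent_keys_agree(seed):
    """Slides 93-95: P = S F S^T = S' F' S'^T with S' = S Omega^-1 and F' = Omega F Omega^T.
    Here S' is drawn first and S := S' Omega, which is the same relation."""
    rng = random.Random(seed)
    F, Om, S_prime = random_central_map(rng), block_omega(rng), random_matrix(rng)
    S = mat_mul(S_prime, Om)
    F_prime = conjugate(F, Om)
    P_from_S = mat_mul(mat_mul(S, F), transpose(S))
    P_from_S_prime = mat_mul(mat_mul(S_prime, F_prime), transpose(S_prime))
    return P_from_S == P_from_S_prime and oil_oil_block_is_zero(F_prime)
```

The security-relevant reading is the one the slides draw on slide 85: every public key has many private keys of the form $(S', F')$, and the structured representative with $S'_1 = I$, $S'_2 = 0$, $S'_4 = I$ is what lets private keys be stored in the short form of slides 97–98 without changing the public key.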

Recap. MQ Schemes (slide 100)
