Introduction to Multivariate Public Key Cryptography Geovandro - PowerPoint PPT Presentation

Security • Most of the schemes do not use exactly random maps. Many systems have the structure • 𝑄(𝑦 1 , ⋯ , 𝑦 𝑜 ) = 𝑀 1 ∘ 𝐺 ∘ 𝑀 2 (𝑦 1 , ⋯ , 𝑦 𝑜 ) 𝐺 is a quadratic map with certain structure. (central map) • This structure enables computing 𝐺 −1 easily. • Slide 37

Security • Most of the schemes do not use exactly random maps. Many systems have the structure • 𝑄(𝑦 1 , ⋯ , 𝑦 𝑜 ) = 𝑀 1 ∘ 𝐺 ∘ 𝑀 2 (𝑦 1 , ⋯ , 𝑦 𝑜 ) 𝐺 is a quadratic map with certain structure. (central map) • This structure enables computing 𝐺 −1 easily. • 𝑀 1 and 𝑀 2 are full-rank linear maps used to hide 𝐺 . • Slide 38

Security • MQ-Problem : Given a set of 𝑛 quadratic polynomials in 𝑜 variables x = (𝑦 1 , ⋯ , 𝑦 𝑜 ) , solve the system: 𝑞 1 𝑦 = ⋯ = 𝑞 𝑛 𝑦 = 0 Slide 39

Security • MQ-Problem : Given a set of 𝑛 quadratic polynomials in 𝑜 variables x = (𝑦 1 , ⋯ , 𝑦 𝑜 ) , solve the system: 𝑞 1 𝑦 = ⋯ = 𝑞 𝑛 𝑦 = 0 1 , 𝐺 2 : 𝐿 𝑜 ⟶ 𝐿 𝑛 . IP-Problem : Given two polynomial maps 𝐺 • The problem is to look for two linear transformations 𝑀 1 and 𝑀 2 (if they exist) s.t.: 1 (𝑦 1 , ⋯ , 𝑦 𝑜 ) = 𝑀 1 ∘ 𝐺 ∘ 𝑀 2 (𝑦 1 , ⋯ , 𝑦 𝑜 ) 𝐺 Slide 40

Multivariate Quadratic Construction MQ system with 𝑛 equations in 𝑜 vars, all coefs. in 𝔾 𝑟 : • Polynomial notation: 𝑙 𝑦 𝑗 𝑦 𝑘 𝑙 𝑦 𝑗 + 𝑑 (𝑙) 𝑞 𝑙 𝑦 1 , … , 𝑦 𝑜 ≔ 𝑄 + 𝑀 𝑗 𝑗𝑘 𝑗,𝑘 𝑗 Vector notation: 𝑞 𝑙 𝑦 1 , … , 𝑦 𝑜 = 𝑦𝑄 𝑙 𝑦 𝑈 + 𝑀 (𝑙) 𝑦 + 𝑑 (𝑙) Slide 41

(Pure) Quadratic Map 𝒬 𝑦 = ℎ ⇔ 𝑦 𝑄 (𝑙) 𝑦 𝑈 = ℎ 𝑙 (𝑙 = 1, … , 𝑛) 𝑦 𝑈 ℎ 𝑙 𝑦 𝑄 (𝑙) = Slide 42

Matsumoto-Imai Cryptosystem Previously, many unsuccesfull attempts to construct an • encryption scheme. Small number of variables. • Huge key sizes. • In 1988, Matsumoto and Imai adopted a “Big” Field in their • C* construction. Slide 43

Matsumoto-Imai Cryptosystem 𝑙 is a small finite field with 𝑙 = 𝑟 . • Slide 44

Matsumoto-Imai Cryptosystem 𝑙 is a small finite field with 𝑙 = 𝑟 . • = 𝑙 𝑦 /(𝑕(𝑦)) a degree 𝑜 extension of 𝑙 . 𝐿 • Slide 45

Matsumoto-Imai Cryptosystem 𝑙 is a small finite field with 𝑙 = 𝑟 . • = 𝑙 𝑦 /(𝑕(𝑦)) a degree 𝑜 extension of 𝑙 . 𝐿 • → 𝑙 𝑜 and 𝜚 −1 : 𝑙 𝑜 → 𝐿 . The linear map 𝜚: 𝐿 • 𝜚 𝑏 0 + 𝑏 1 𝑦 + ⋯ + 𝑏 𝑜−1 𝑦 𝑜−1 = (𝑏 0 , 𝑏 1 , ⋯ , 𝑏 𝑜−1 ) Slide 46

Matsumoto-Imai Cryptosystem 𝑙 is a small finite field with 𝑙 = 𝑟 . • = 𝑙 𝑦 /(𝑕(𝑦)) a degree 𝑜 extension of 𝑙 . 𝐿 • → 𝑙 𝑜 and 𝜚 −1 : 𝑙 𝑜 → 𝐿 . The linear map 𝜚: 𝐿 • 𝜚 𝑏 0 + 𝑏 1 𝑦 + ⋯ + 𝑏 𝑜−1 𝑦 𝑜−1 = (𝑏 0 , 𝑏 1 , ⋯ , 𝑏 𝑜−1 ) over 𝐿 : Build a map 𝐺 • = 𝑀 1 ∘ 𝜚 ∘ 𝐺 ∘ 𝜚 −1 ∘ 𝑀 2 𝐺 where the 𝑀 𝑗 are randomly chosen invertible maps over 𝑙 𝑜 Slide 47

Matsumoto-Imai Cryptosystem 𝑙 is a small finite field with 𝑙 = 𝑟 . • = 𝑙 𝑦 /(𝑕(𝑦)) a degree 𝑜 extension of 𝑙 . 𝐿 • → 𝑙 𝑜 and 𝜚 −1 : 𝑙 𝑜 → 𝐿 . The linear map 𝜚: 𝐿 • 𝜚 𝑏 0 + 𝑏 1 𝑦 + ⋯ + 𝑏 𝑜−1 𝑦 𝑜−1 = (𝑏 0 , 𝑏 1 , ⋯ , 𝑏 𝑜−1 ) over 𝐿 : Build a map 𝐺 • = 𝑀 1 ∘ 𝜚 ∘ 𝐺 ∘ 𝜚 −1 ∘ 𝑀 2 𝐺 where the 𝑀 𝑗 are randomly chosen invertible maps over 𝑙 𝑜 is related to the IP Problem Inversion of 𝐺 • Slide 48

Matsumoto-Imai Cryptosystem The map 𝐺 adopted was: • ⟶ 𝐿 𝐺 ∶ 𝐿 𝑌 ⟼ 𝑌 𝑟 𝜄 +1 Slide 49

Matsumoto-Imai Cryptosystem The map 𝐺 adopted was: • ⟶ 𝐿 𝐺 ∶ 𝐿 𝑌 ⟼ 𝑌 𝑟 𝜄 +1 • Let 𝑦 1 , ⋯ , 𝑦 𝑜 = 𝜚 ∘ 𝐺 ∘ 𝜚 −1 𝑦 1 , ⋯ , 𝑦 𝑜 = (𝐺 𝑦 1 , ⋯ , 𝑦 𝑜 , ⋯ , 𝐺 𝑛 (𝑦 1 , ⋯ , 𝑦 𝑜 )) 𝐺 1 Slide 50

Matsumoto-Imai Cryptosystem The map 𝐺 adopted was: • ⟶ 𝐿 𝐺 ∶ 𝐿 𝑌 ⟼ 𝑌 𝑟 𝜄 +1 • Let 𝑦 1 , ⋯ , 𝑦 𝑜 = 𝜚 ∘ 𝐺 ∘ 𝜚 −1 𝑦 1 , ⋯ , 𝑦 𝑜 = (𝐺 𝑦 1 , ⋯ , 𝑦 𝑜 , ⋯ , 𝐺 𝑛 (𝑦 1 , ⋯ , 𝑦 𝑜 )) 𝐺 1 are quadratic polynomials because the map • 𝐺 𝑗 𝑌 ⟼ 𝑌 𝑟 𝜄 is linear (it is the Frobenius automorphism of order 𝜄 ). Slide 51

Matsumoto-Imai Cryptosystem Encryption is done by the quadratic map over 𝑙 𝑜 • = 𝑀 1 ∘ 𝜚 ∘ 𝐺 ∘ 𝜚 −1 ∘ 𝑀 2 𝐺 where 𝑀 𝑗 are affine maps over 𝑙 𝑜 . Slide 52

Matsumoto-Imai Cryptosystem Encryption is done by the quadratic map over 𝑙 𝑜 • = 𝑀 1 ∘ 𝜚 ∘ 𝐺 ∘ 𝜚 −1 ∘ 𝑀 2 𝐺 where 𝑀 𝑗 are affine maps over 𝑙 𝑜 . • Decryption is the inverse process −1 = 𝑀 2 −1 ∘ 𝜚 ∘ 𝐺 −1 ∘ 𝜚 −1 ∘ 𝑀 1 −1 𝐺 Slide 53

Matsumoto-Imai Cryptosystem Requirement: G.C.D. 𝑟 𝜄 + 1, 𝑟 𝑜 − 1 = 1 • −1 to ensure the invertibility of the decryption map 𝐺 Slide 54

Matsumoto-Imai Cryptosystem Requirement: G.C.D. 𝑟 𝜄 + 1, 𝑟 𝑜 − 1 = 1 • −1 to ensure the invertibility of the decryption map 𝐺 • 𝐺 −1 𝑌 = 𝑌 𝑢 , 𝑌 ∈ 𝐿 where 𝑢 × 𝑟 𝜄 + 1 ≡ 1 𝑛𝑝𝑒(𝑟 𝑜 − 1) . = (𝐺 , ⋯ , 𝐺 ) • The public key includes 𝑙 and 𝐺 1 𝑜 . • The private key includes 𝑀 1 , 𝑀 2 and 𝐿 Slide 55

UOV Signature Trapdoor to invert 𝐺 [Patarin] • Slide 56

UOV Signature Trapdoor to invert 𝐺 [Patarin] • ℎ = 𝐼𝑏𝑡ℎ(𝑁) • Slide 57

UOV Signature Trapdoor to invert 𝐺 [Patarin] • ℎ = 𝐼𝑏𝑡ℎ(𝑁) • Split vars. into 2 sets: oil variables : O ≔ (𝑦 1 , ⋯ , 𝑦 𝑝 ) • vinegar variables: 𝑊 ≔ (𝑦 1 ′ , … , 𝑦 𝑤 ′ ) Slide 58

UOV Signature Trapdoor to invert 𝐺 [Patarin] • ℎ = 𝐼𝑏𝑡ℎ(𝑁) • Split vars. into 2 sets: oil variables : O ≔ (𝑦 1 , ⋯ , 𝑦 𝑝 ) • vinegar variables: 𝑊 ≔ (𝑦 1 ′ , … , 𝑦 𝑤 ′ ) ′ , … , 𝑦 𝑤 ′ = ℎ 𝑙 = 𝑔 𝑙 𝑦 1 , ⋯ , x 𝑝 , 𝑦 1 𝑙 𝑦 𝑗 𝑦′ 𝑘 𝑙 𝑦′ 𝑗 𝑦′ 𝑘 𝑙 𝑦 𝑗 𝑙 𝑦′ 𝑗 + 𝑑 (𝑙) = 𝐺 𝑗𝑘 + 𝐺 𝑗𝑘 + 𝑀 𝑗 + 𝑀 𝑗 𝑃×𝑊 𝑊×𝑊 𝑃 𝑊 Slide 59

UOV Signature Trapdoor to invert 𝐺 [Patarin] • ℎ = 𝐼𝑏𝑡ℎ(𝑁) • Choose uniformly at random vinegars: 𝑊 ≔ (𝑦 1 ′ , … , 𝑦 𝑤 ′ ) • ′ , … , 𝑦 𝑤 ′ = ℎ 𝑙 = 𝑔 𝑙 𝑦 1 , ⋯ , x 𝑝 , 𝑦 1 𝑙 𝑦 𝑗 𝑦′ 𝑘 𝑙 𝑦′ 𝑗 𝑦′ 𝑘 𝑙 𝑦 𝑗 𝑙 𝑦′ 𝑗 + 𝑑 (𝑙) = 𝐺 𝑗𝑘 + 𝐺 𝑗𝑘 + 𝑀 𝑗 + 𝑀 𝑗 𝑃×𝑊 𝑊×𝑊 𝑃 𝑊 Slide 60

UOV Signature Trapdoor to invert 𝐺 [Patarin] • ℎ = 𝐼𝑏𝑡ℎ(𝑁) • ′ Fix vinegars: 𝑊 ≔ 𝑦 1 ′ , … , 𝑦 𝑤 • ′ , … , 𝑦 𝑤 ′ = ℎ 𝑙 𝑔 𝑙 𝑦 1 , ⋯ , x 𝑝 , 𝑦 1 𝑙 𝑦 𝑗 𝑦′ 𝑘 𝑙 𝑦′ 𝑗 𝑦′ 𝑘 𝑙 𝑦 𝑗 𝑙 𝑦′ 𝑗 + 𝑑 (𝑙) = 𝐺 𝑗𝑘 + 𝐺 𝑗𝑘 + 𝑀 𝑗 + 𝑀 𝑗 𝑃×𝑊 𝑊×𝑊 𝑃 𝑊 This becomes an 𝑝𝑦𝑝 system of linear equations. • Slide 61

UOV Signature Trapdoor to invert 𝐺 [Patarin] • ℎ = 𝐼𝑏𝑡ℎ(𝑁) • ′ Fix vinegars: 𝑊 ≔ 𝑦 1 ′ , … , 𝑦 𝑤 • ′ , … , 𝑦 𝑤 ′ = 𝑔 𝑙 𝑦 1 , ⋯ , x 𝑝 , 𝑦 1 𝑙 𝑦 𝑗 𝑦′ 𝑘 𝑙 𝑦′ 𝑗 𝑦′ 𝑘 𝑙 𝑦 𝑗 𝑙 𝑦′ 𝑗 + 𝑑 (𝑙) = 𝐺 𝑗𝑘 + 𝐺 𝑗𝑘 + 𝑀 𝑗 + 𝑀 𝑗 𝑃×𝑊 𝑊×𝑊 𝑃 𝑊 This becomes an 𝑝𝑦𝑝 system of linear equations. • It has a solution with high probability (≈ 1 − 1/𝑟) . • Slide 62

UOV Signature Trapdoor to invert 𝐺 [Patarin] • Oil variables not mixed. • Vinegar Oil variables variables 𝒚 𝟐 … 𝒚 𝒘 … 𝒚 𝒐 𝒚 𝟐 𝐺 (𝑙) = ⋮ Vinegar variables 𝒚 𝒘 0 ⋮ Oil variables 𝒚 𝒐 Slide 63

Rainbow Signature Rainbow Quadratic Map • Slide 64

MQ Signatures UOV key sizes. • Public Key Scheme (KiB) 113.4 99.4 77.7 66.7 14.5 11.0 10.2 Slide 65

• Technique for Key Size Reduction Slide 66

MQ Signatures - Cyclic UOV Technique for reduction of UOV public keys. • Slide 67

MQ Signatures - Cyclic UOV Technique for reduction of UOV public keys. • Part of the public key with short representation. • Slide 68

MQ Signatures - Cyclic UOV Technique for reduction of UOV public keys. • Part of the public key with short representation. • Achieves a 6x reduction factor for 80-bit security. • Slide 69

MQ Signatures - Cyclic UOV Public matrix of coefficients 𝑁 𝑄 𝑄 (1) 𝑁 𝑄 = ⋮ 𝑄 (2) ⋮ 𝑛𝑦 l ′ 𝑄 (𝑛) l ′ = 𝑜 𝑜 + 1 2 Slide 70

MQ Signatures - Cyclic UOV Public matrix of coefficients 𝑁 𝑄 𝐷 𝐶 = 𝑁 𝑄 = ⋮ 𝑛𝑦 l ′ 𝑛𝑦 l ′ l l l = 𝑤 𝑤 + 1 l ′ = 𝑜 𝑜 + 1 + 𝑛𝑤, 2 2 Slide 71

MQ Signatures - Cyclic UOV Private matrix of coefficients 𝑁 𝐺 𝐺 1 0 0 𝑁 𝐺 = ⋮ 𝐺 2 0 ⋮ 0 𝑛𝑦 l ′ l 𝐺 𝑛 0 l = 𝑤 𝑤 + 1 l ′ = 𝑜 𝑜 + 1 + 𝑛𝑤, 2 2 Slide 72

MQ Signatures - Cyclic UOV Private matrix of coefficients 𝑁 𝐺 0 𝐺 = 𝑁 𝐺 = 0 ⋮ 0 𝑛𝑦 l ′ 𝑛𝑦 l ′ l l l = 𝑤 𝑤 + 1 l ′ = 𝑜 𝑜 + 1 + 𝑛𝑤, 2 2 Slide 73

MQ Signatures - Cyclic UOV There is a linear relation between 𝐶 and 𝐺 which only depends • on 𝐶 , 𝐺 and 𝑇 [Petzoldt et. al, 2010] 𝐶 = 𝐺 ∙ 𝐵 𝑉𝑃𝑊 (S) 𝐶 𝐷 𝑁 𝑄 = 𝑠𝑡 = 𝑡 𝑠𝑗 . 𝑡 𝑡𝑗 , 𝑗 = 𝑘 𝑏 𝑗𝑘 𝑗 ≠ 𝑘 𝑡 𝑠𝑗 . 𝑡 𝑡𝑘 + 𝑡 𝑠𝑘 . 𝑡 𝑡𝑗 , 𝑛𝑦 l ′ l 1 ≤ 𝑗 ≤ 𝑤, 𝑗 ≤ 𝑘 ≤ 𝑜 1 ≤ 𝑠 ≤ 𝑤, 𝑠 ≤ 𝑡 ≤ 𝑜 𝐺 𝑁 𝐺 = 0 𝑛𝑦 l ′ l Slide 74

MQ Signatures - Cyclic UOV By choosing 𝐵 𝑉𝑃𝑊 (𝑇) invertible: −1 • 𝐺 can be computed from 𝐶 and 𝐵 𝑉𝑃𝑊 −1 𝐺 = 𝐶 ∙ 𝐵 𝑉𝑃𝑊 Slide 75

MQ Signatures - Cyclic UOV By choosing 𝐵 𝑉𝑃𝑊 (𝑇) invertible: −1 • 𝐺 can be computed from 𝐶 and 𝐵 𝑉𝑃𝑊 −1 𝐺 = 𝐶 ∙ 𝐵 𝑉𝑃𝑊 Thus, the choice of 𝐶 becomes flexible. • Slide 76

MQ Signatures - Cyclic UOV By choosing 𝐵 𝑉𝑃𝑊 (𝑇) invertible: −1 • 𝐺 can be computed from 𝐶 and 𝐵 𝑉𝑃𝑊 −1 𝐺 = 𝐶 ∙ 𝐵 𝑉𝑃𝑊 Thus, the choice of 𝐶 becomes flexible. • In particular: • 𝐶 = 0 does not result in a valid F , −1 , 𝐶 = Identity blocks, reveals too much info of 𝐵 𝑉𝑃𝑊 𝐶 circulant was adopted by [Petzoldt et. al, 2010] Slide 77

MQ Signatures - Cyclic UOV By choosing 𝐵 𝑉𝑃𝑊 (𝑇) invertible: −1 • 𝐺 can be computed from 𝐶 and 𝐵 𝑉𝑃𝑊 −1 𝐺 = 𝐶 ∙ 𝐵 𝑉𝑃𝑊 Thus, the choice of 𝐶 becomes flexible. • In particular: • 𝐶 = 0 does not result in a valid F , −1 , 𝐶 = Identity blocks, reveals too much info of 𝐵 𝑉𝑃𝑊 𝐶 circulant was adopted by [Petzoldt et. al, 2010] Petzoldt et. al. showed by theorem that the choice of a circulant 𝐶 provides consistent UOV signatures. Slide 78

MQ Signatures - Cyclic UOV Adopting 𝐶 circulant: 𝐶 𝐷 𝑁 𝑄 = ⋮ 𝑛𝑦 l ′ l 𝑛𝑦 l ′ l ⋯ 𝒄 = (𝑐 1 , ⋯ , 𝑐 l ) |𝑵 𝑸 | = l + 𝑛( l ′ − l ) Slide 79

MQ Signatures - Cyclic UOV Public matrices 𝑄 𝑙 𝑄 1 Slide 80

MQ Signatures - Cyclic UOV Public matrices 𝑄 𝑙 𝑄 2 Slide 81

MQ Signatures - Cyclic UOV Public matrices 𝑄 𝑙 𝑄 3 Slide 82

MQ Signatures - Cyclic UOV Public matrices 𝑄 𝑙 𝑄 4 Slide 83

MQ Signatures - Cyclic UOV Public matrices 𝑄 𝑙 ⋯ Slide 84

Equivalent Keys in UOV Idea: Find equivalent private keys that enables solving any • given public key system. Slide 85

Equivalent Keys in UOV Idea: Find equivalent private keys that enables solving any • given public key system. A class of equivalent private keys with a simpler structure. • Slide 86

Equivalent Keys in UOV Idea: Find equivalent private keys that enables solving any • given public key system. A class of equivalent private keys with a simpler structure. • Thus, private keys can be built using this short structure. • Slide 87

Equivalent Keys in UOV UOV public key: • 𝑄 (𝑗) = 𝑇𝐺 (𝑗) 𝑇 𝑈 , 1 ≤ 𝑗 ≤ 𝑛 Slide 88

Equivalent Keys in UOV UOV public key: • 𝑄 (𝑗) = 𝑇𝐺 (𝑗) 𝑇 𝑈 , 1 ≤ 𝑗 ≤ 𝑛 Question: Are there classes of keys 𝑇 ′ and 𝐺′ s.t. • 𝑄 (𝑗) = 𝑇𝐺 (𝑗) 𝑇 𝑈 = 𝑇 ′ 𝐺 ′(𝑗) 𝑇 ′𝑈 , 1 ≤ 𝑗 ≤ 𝑛 where matrices 𝐺 ′(𝑗) share with 𝐺 (𝑗) the same trapdoor structure? Slide 89

Equivalent Keys in UOV Idea: Introduce a matrix Ω in 𝑄 (𝑗) : • 𝑄 𝑗 = 𝑇Ω −1 Ω𝐺 𝑗 Ω 𝑈 Ω 𝑈−1 𝑇 𝑈 Define 𝐺 ′ 𝑗 ≔ Ω𝐺 (𝑗) Ω 𝑈 • Slide 90

Equivalent Keys in UOV Idea: Introduce a matrix Ω in 𝑄 (𝑗) : • 𝑄 𝑗 = 𝑇Ω −1 Ω𝐺 𝑗 Ω 𝑈 Ω 𝑈−1 𝑇 𝑈 Define 𝐺 ′ 𝑗 ≔ Ω𝐺 (𝑗) Ω 𝑈 • We want Ω that keeps the original 𝐺 structure in 𝐺′ : • 𝑤 𝑛 𝑤 𝑛 𝑤 𝑛 𝑤 Ω 1 Ω 2 𝑤 𝐺 𝑤 𝐺 2 𝑈 1 𝑈 Ω 1 Ω 3 = Ω 4 𝑈 Ω 3 0 𝑈 𝐺 3 Ω 2 𝑛 𝜍 Ω 4 𝑛 𝑛 𝐺 (𝑗) Ω Ω T 𝐺′ (𝑗) Slide 91

Equivalent Keys in UOV From the previous equality we obtain: • 𝑈 + Ω 3 𝐺 2 Ω 4 𝑈 = 0 𝜍 = Ω 3 𝐺 1 + Ω 4 𝐺 3 Ω 3 and Ω 3 = 0 is a solution. 𝑤 𝑛 𝑤 Ω 1 Ω 2 Ω = 𝑛 Ω 4 0 Slide 92

Equivalent Keys in UOV Thus, 𝐺′ (𝑗) = Ω𝐺 (𝑗) Ω 𝑈 has the same structure of 𝐺 𝑗 . • Going back to definition • 𝑄 𝑗 = 𝑇Ω −1 (Ω𝐺 𝑗 Ω 𝑈 )Ω 𝑈−1 𝑇 𝑈 Slide 93

Equivalent Keys in UOV Thus, 𝐺′ (𝑗) = Ω𝐺 (𝑗) Ω 𝑈 has the same structure of 𝐺 𝑗 . • Going back to definition • 𝑄 𝑗 = 𝑇Ω −1 (𝐺′ (𝑗) )Ω 𝑈−1 𝑇 𝑈 Slide 94

Equivalent Keys in UOV Thus, 𝐺′ (𝑗) = Ω𝐺 (𝑗) Ω 𝑈 has the same structure of 𝐺 𝑗 . • Going back to definition • 𝑄 𝑗 = 𝑇Ω −1 (𝐺′ (𝑗) )Ω 𝑈−1 𝑇 𝑈 So, defining 𝑇 ′ ≔ 𝑇Ω −1 one finally gets: • 𝑄 𝑗 = 𝑇 ′ 𝐺 ′(𝑗) 𝑇 ′𝑈 Slide 95

Equivalent Keys in UOV 𝑤 𝑛 −1 Ω 2 −1 −1 𝑤 Ω 1 −1 Ω 1 Ω 2 𝑇 1 𝑇 2 𝑇 ′ = 𝑇Ω −1 = −1 𝑇 3 Ω 4 −1 𝑇 4 𝑛 0 Ω 4 Ω −1 𝑇 Note that Ω −1 has the same structure of Ω . • Slide 96

Equivalent Keys in UOV −1 , it is possible to get: By choosing suitable values of Ω 𝑗 • ′ = 𝐽 𝑤𝑦𝑤 𝑇 1 ′ = 0 𝑤𝑦𝑛 𝑇 2 ′ = 𝐽 𝑛𝑦𝑛 𝑇 4 what implies ′ = 𝑇 3 𝑇 1 −1 + 𝑇 4 (𝑇 4 − 𝑇 3 𝑇 1 −1 𝑇 2 𝑇 1 −1 𝑇 2 ) −1 𝑇 3 Slide 97

Equivalent Keys in UOV Structure of 𝑇′ : • 𝑛 𝑤 𝑛 𝑇 ′ = ′ 𝑇 3 𝑤 Slide 98

Equivalent Keys in UOV Structure of 𝑇′ : • 𝑛 𝑤 𝑛 𝑇 ′ = ′ 𝑇 3 𝑤 So, the answer is yes , there exist equivalent 𝑇 ′ , 𝐺 ′(𝑗) s.t. • 𝑇Ω −1 𝑈 = 𝑄 𝑗 𝑇 ′ 𝐺 ′(𝑗) (𝑇 ′ ) 𝑈 = (𝑇Ω −1 ) Ω𝐺 𝑗 Ω 𝑈 and 𝐺 ′(𝑗) have the desired trapdoor structure. Slide 99

Recap. MQ Schemes Slide 100