Slide 13: MQ crypto - Constructions vs. Cryptanalysis (timeline, after Thomae)

Constructions, 1985 to 2005: MIA [IM85]; C* [MI88]; Birational Permutation [Sha93]; HFE [Pat96]; OV [Pat97]; UOV [KPG99]; Quartz [PCG01b]; Sflash [PCG01a, CGP03]; PMI [Din04]; RSE(2)PKC [KS04]; RSSE(2)PKC [KS05a]; Rainbow [DS05].
Scheme families on the timeline: Mixed-field schemes; Oil and Vinegar schemes; Stepwise Triangular schemes; Mixed schemes (UOV + STS).

Cryptanalysis: Birational Permutation [CSV93, The95, CSV97]; MIA and C* [Pat95]; OV [KS98]; HFE [KS99, FJ03, GJS06, DG10, DH11]; RSE(2)PKC, RSSE(2)PKC [WBP04]; PMI [FGS05]; Sflash [DFSS07].

Prime Time, then: interest seriously declines. Bad reputation due to the break-and-patch history.

But on the other hand...
- UOV, HFEv- signatures - non-broken variants of Patarin's schemes
- Provably secure identification scheme of Sakumoto et al.
- QUAD - provably secure stream cipher - Berbain et al.
- More scrutiny needed for understanding the security

www.ntnu.no Simona Samardjiska, PhD defence
Slide 14: Crucial for the security of MQ schemes

PoSSo$(p_1, p_2, \dots, p_m)$ - the underlying NP-hard problem.
Input: $m$ polynomials $p_1, p_2, \dots, p_m \in \mathbb{F}_q[x_1, \dots, x_n]$ of degree $d \ge 2$.
Question: find, if any, a vector $(u_1, \dots, u_n) \in \mathbb{F}_q^n$ such that
$$p_1(u_1, \dots, u_n) = 0,\quad p_2(u_1, \dots, u_n) = 0,\quad \dots,\quad p_m(u_1, \dots, u_n) = 0.$$
NP-hard for $m = O(n)$ [KPG99].
Directly invert the public key, but also: model other attacks as systems of equations!
State of the art algorithms: F4, F5 algorithms [Faugère '99, '02]; XL family of algorithms [Yang et al. '04, Mohamed et al. '08].
Slide 15: Solving PoSSo$(p_1, p_2, \dots, p_m)$ - F5 algorithm [Faugère '02]

$\exists\,(u_1, \dots, u_n) \in \mathbb{F}_q^n$ such that for $(u_1, \dots, u_n)$ it holds that
$$p_1(u_1, \dots, u_n) = 0,\ \dots,\ p_m(u_1, \dots, u_n) = 0 \quad\Longleftrightarrow\quad b_1(u_1, \dots, u_n) = 0,\ \dots,\ b_{n'}(u_1, \dots, u_n) = 0,$$
where $\{b_1, b_2, \dots, b_{n'}\}$ is the Gröbner basis of the ideal $\langle p_1, p_2, \dots, p_m \rangle$.

Complexity of the F5 algorithm: $O\left(\binom{n + d_{reg}}{d_{reg}}^{\omega}\right)$, with $2 \le \omega \le 3$ the linear algebra constant and $d_{reg}$ the maximum degree reached during the computation.
If $d_{reg}$ is independent of $n$ ⇒ polynomial complexity!!!
Slide 16: Crucial for the security of MQ schemes - MinRank

MR$(n, r, k, M_1, \dots, M_k)$
Input: $n, r, k \in \mathbb{N}$, and $M_1, \dots, M_k \in \mathcal{M}_n(\mathbb{F}_q)$.
Question: find, if any, a nonzero $k$-tuple $(\lambda_1, \dots, \lambda_k) \in \mathbb{F}_q^k$ such that
$$\mathrm{Rank}\Big(\sum_{i=1}^{k} \lambda_i M_i\Big) \le r.$$
[Kipnis, Shamir '99], [Buss, Shallit '99]: NP-hard!!! [Courtois '01]. However, instances in MQ crypto can be much easier, even polynomial!
Underlies the security of HFE, STS, Rainbow, ... and more.
Solving MinRank: Kipnis-Shamir modeling ['99]; kernel method [GC '00]; minors modeling [FLP '08].
Slide 17: Solving MinRank - Kipnis-Shamir modeling

$$\mathrm{Rank}\Big(\sum_{i=1}^{k} \lambda_i M_i\Big) \le r \;\Longleftrightarrow\; \exists\, x^{(1)}, \dots, x^{(n-r)} \in \mathrm{Ker}\Big(\sum_{i=1}^{k} \lambda_i M_i\Big),$$
with the kernel vectors written in systematic form (unknown part $x^{(j)}_1, \dots, x^{(j)}_r$, identity part on the right):
$$\begin{pmatrix} x^{(1)}_1 & \cdots & x^{(1)}_r & 1 & & \\ \vdots & & \vdots & & \ddots & \\ x^{(n-r)}_1 & \cdots & x^{(n-r)}_r & & & 1 \end{pmatrix} \cdot \sum_{i=1}^{k} \lambda_i M_i = 0.$$
$n(n-r)$ quadratic (bilinear) equations in $r(n-r) + k$ variables.

Relinearization [Kipnis & Shamir '99].
Gröbner bases [Faugère & Levy-dit-Vehel & Perret '08]: F5 algorithm, $O\left(\binom{n + d_{reg}}{d_{reg}}^{\omega}\right)$, with $d_{reg} \le \min(n_X, n_Y) + 1$ for a bilinear system in $X$, $Y$ blocks of variables of sizes $n_X$, $n_Y$.
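A worked instance, added here and not part of the defence slides: the Kipnis-Shamir system of slide 17 plugged into the F5 estimate of slide 15 (where the $n$ in the binomial is the number of variables, written $N$ below to keep it apart from the matrix size $n$) and into the bilinear $d_{reg}$ bound.

\[
n_X = k \ (\text{the } \lambda_i), \qquad n_Y = r(n-r) \ (\text{the kernel entries } x^{(j)}_i), \qquad N = n_X + n_Y = r(n-r) + k,
\]
\[
d_{reg} \le \min\big(k,\, r(n-r)\big) + 1, \qquad \text{cost} = O\left(\binom{N + d_{reg}}{d_{reg}}^{\omega}\right).
\]
For $k \le r(n-r)$ this gives $d_{reg} \le k + 1$, and since $\binom{N+d}{d} \le (N+d)^d$,
\[
\text{cost} \le O\Big(\big(r(n-r) + 2k + 1\big)^{\omega (k+1)}\Big),
\]
which is polynomial in $n$ once $k$ and $r$ are fixed: the "$d_{reg}$ independent of $n$" case of slide 15. This is the sense in which MinRank instances arising from MQ trapdoors can be much easier than the general NP-hard problem, and why parameter choices for a trapdoor have to be checked against this bound rather than against the general hardness result.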
Slide 18: Outline
Motivation; Research goals and objectives; MQ cryptosystems; The MQQ family; Results (Construction of functions for MQ trapdoors; The MQQ family - design improvements and analysis; Security of MQ schemes); Conclusion.
Slide 19: The MQQ family of cryptosystems - a proposal to use quasigroups in MQ cryptography

Quasigroups in symmetric crypto:
- IDEA block cipher [Lai '91]
- Edon80 [Gligoroski et al. '08] - finalist (hardware) of eSTREAM
- CryptMT [Matsumoto et al. '08] - finalist (software) of eSTREAM
- Blue Midnight Wish (BMW) [Gligoroski et al. '09] - round 2 candidate of SHA-3
- Edon-R [Gligoroski et al. '09] and NaSHA [Markovski & Mileva '08] - round 1 candidates of SHA-3

Quasigroup $(Q, q)$: $R_{q,a}: Q \to Q$, $R_{q,a}(x) = q(x, a)$ and $L_{q,a}: Q \to Q$, $L_{q,a}(x) = q(a, x)$ are bijections for every $a \in Q$.
Left quasigroup $(Q, q)$: only $L_{q,a}: Q \to Q$, $L_{q,a}(x) = q(a, x)$, is required to be a bijection for every $a \in Q$.

Example (rows: left operand $a$, columns: right operand; every row and every column is a permutation of $Q = \{0, \dots, 7\}$):
  q | 0 1 2 3 4 5 6 7
 ---+----------------
  0 | 2 3 6 7 0 1 5 4
  1 | 6 7 5 4 2 3 0 1
  2 | 3 2 7 6 1 0 4 5
  3 | 7 6 4 5 3 2 1 0
  4 | 4 5 0 1 7 6 2 3
  5 | 0 1 3 2 5 4 7 6
  6 | 5 4 1 0 6 7 3 2
  7 | 1 0 2 3 4 5 6 7

MQQ = Multivariate Quadratic Quasigroup:
- Multivariate - vectorial polynomial function $q = (q_1, \dots, q_d): \mathbb{F}_q^{2d} \to \mathbb{F}_q^d$
- Quadratic - algebraic degree 2
- Quasigroup

The example above written as an MQQ $q: \mathbb{F}_2^6 \to \mathbb{F}_2^3$:
$$q_1 = x_1 + x_3 + x_5 + x_1 x_5 + x_1 x_6,\quad q_2 = 1 + x_3 + x_1 x_5 + x_6 + x_1 x_6,\quad q_3 = x_2 + x_4 + x_1 x_5 + x_3 x_6 + x_5 x_6.$$
Slide 20: The MQQ family of cryptosystems - MQQ encryption scheme [GMK08]
Over $\mathbb{F}_2$. The internal mapping: Dobbertin permutation + bilinear MQQs of order $2^5$.
Direct algebraic attack [Mohamed et al. '09, Faugère et al. '10] - XL algorithm, Gröbner bases.
Slide 20: The MQQ family of cryptosystems - MQQ-SIG signature scheme [GØJPFKM11]
Over $\mathbb{F}_2$.
Security measure (against the previous attack): $n/2$ equations removed.
Performance measures (smaller key size, faster evaluation in SW, more compact in HW):
- the internal mapping: one bilinear MQQ of order $2^8$
- designed $S$ and $T$ using circulant matrices
- signing with a twice smaller key
Fastest on (eBACS) SUPERCOP.
Recommended parameters:
  Security | 2^80 | 2^96 | 2^112 | 2^128
  n        | 160  | 192  | 224   | 256
Slide 21: The central map of MQQ-SIG - the private $F$
(figure) $F$ acts on the 8-bit blocks $x_1, \dots, x_{n/8-1}, x_{n/8}$ and produces $y_1, \dots, y_{n/8-1}, y_{n/8}$ through a chain of quasigroup operations $q_1, q_2, \dots, q_{n/8-1}$ (with a value $u$ at the head of the chain).
MQQs: $q(x, y) = z$ - bijective.
The MQQ of order $2^8$:
$$q(x, y) = B \cdot U(x) \cdot A_2 \cdot y + B \cdot A_1 \cdot x + c, \qquad U(x) = I_8 + \begin{pmatrix} U_1 \cdot A_1 \cdot x \\ U_2 \cdot A_1 \cdot x \\ \vdots \\ U_7 \cdot A_1 \cdot x \\ 0 \end{pmatrix}.$$
Slide 21: The central map of MQQ-SIG - the inverse $F^{-1}$
(figure) $F^{-1}$ undoes the chain block by block, using the parastrophes $q_1^{\backslash}, q_2^{\backslash}, \dots, q_{n/8-1}^{\backslash}$ in place of $q_1, \dots, q_{n/8-1}$.
Parastrophe: $q^{\backslash}(x, z) = y$.
Solve the system of equations $q(x, y) = z$ in the unknown $y$ ($q^{\backslash}$ is not computed explicitly). Alternatively, a look-up table can be used.
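A worked example added here, not code from the slides or from the MQQ-SIG project: the MQQ of order 8 from slide 19 evaluated from its three polynomials, checked against the slide's Latin square, and inverted in the unknown $y$ the way slide 21 describes the parastrophe (solve $q(x, y) = z$, here by exhausting the 8 candidates, which is the look-up-table alternative). The bit encoding is my assumption, not stated on the slides; it is the one under which the polynomials reproduce the slide's table. The counter-example `not_a_quasigroup` is constructed for the example.

```python
"""MQQ of order 8 from the 'MQQ family' slide: q = (q1, q2, q3): F_2^6 -> F_2^3,

    q1 = x1 + x3 + x5 + x1*x5 + x1*x6
    q2 = 1 + x3 + x1*x5 + x6 + x1*x6
    q3 = x2 + x4 + x1*x5 + x3*x6 + x5*x6      (arithmetic in F_2)

Bit encoding (assumption, not stated on the slide): left operand
a = x1 + 2*x2 + 4*x3, right operand b = x4 + 2*x5 + 4*x6, output z = 4*q1 + 2*q2 + q3.
"""

ORDER = 8  # |Q| = 2^3: the quasigroup acts on 3-bit values

# Cayley table printed on the slide: row = left operand a, column = right operand b.
SLIDE_TABLE = [
    [2, 3, 6, 7, 0, 1, 5, 4],
    [6, 7, 5, 4, 2, 3, 0, 1],
    [3, 2, 7, 6, 1, 0, 4, 5],
    [7, 6, 4, 5, 3, 2, 1, 0],
    [4, 5, 0, 1, 7, 6, 2, 3],
    [0, 1, 3, 2, 5, 4, 7, 6],
    [5, 4, 1, 0, 6, 7, 3, 2],
    [1, 0, 2, 3, 4, 5, 6, 7],
]


def bits3(v):
    """Three bits of v in {0, ..., 7}, least significant first."""
    return v & 1, (v >> 1) & 1, (v >> 2) & 1


def mqq(a, b):
    """q(a, b): evaluate the three quadratic polynomials over F_2."""
    x1, x2, x3 = bits3(a)
    x4, x5, x6 = bits3(b)
    q1 = (x1 + x3 + x5 + x1 * x5 + x1 * x6) & 1
    q2 = (1 + x3 + x1 * x5 + x6 + x1 * x6) & 1
    q3 = (x2 + x4 + x1 * x5 + x3 * x6 + x5 * x6) & 1
    return 4 * q1 + 2 * q2 + q3


def not_a_quasigroup(a, b):
    """Constructed counter-example: the same map with the x1*x6 term dropped
    from q1.  Still quadratic, but for a = 1 the first output bit is constant,
    so L_{q,1} is not a bijection and the map is not even a left quasigroup."""
    x1, x2, x3 = bits3(a)
    x4, x5, x6 = bits3(b)
    q1 = (x1 + x3 + x5 + x1 * x5) & 1
    q2 = (1 + x3 + x1 * x5 + x6 + x1 * x6) & 1
    q3 = (x2 + x4 + x1 * x5 + x3 * x6 + x5 * x6) & 1
    return 4 * q1 + 2 * q2 + q3


def cayley_table(op):
    """Full table of a binary operation on {0, ..., ORDER-1}."""
    return [[op(a, b) for b in range(ORDER)] for a in range(ORDER)]


def is_left_quasigroup(table):
    """Every L_{q,a}(y) = q(a, y) is a bijection <=> every row is a permutation."""
    full = set(range(ORDER))
    return all(set(row) == full for row in table)


def is_quasigroup(table):
    """Additionally every R_{q,b}(x) = q(x, b) is a bijection <=> every column
    is a permutation, i.e. the table is a Latin square."""
    full = set(range(ORDER))
    cols_ok = all({row[b] for row in table} == full for b in range(ORDER))
    return is_left_quasigroup(table) and cols_ok


def left_parastrophe(op, a, z):
    """q\\(a, z): the unique y with q(a, y) = z.

    As on the 'central map of MQQ-SIG' slide the parastrophe is not a closed
    formula: solve q(a, y) = z in the unknown y.  For one MQQ of order 8 the
    solver is exhausting the 8 candidates, i.e. the look-up-table alternative.
    """
    sols = [y for y in range(ORDER) if op(a, y) == z]
    if len(sols) != 1:
        raise ValueError("q(%d, y) = %d has %d solutions" % (a, z, len(sols)))
    return sols[0]


def roundtrip_ok(op):
    """Inverting and re-applying must give back z: q(a, q\\(a, z)) == z."""
    return all(op(a, left_parastrophe(op, a, z)) == z
               for a in range(ORDER) for z in range(ORDER))


if __name__ == "__main__":
    table = cayley_table(mqq)
    print("matches slide table:", table == SLIDE_TABLE)
    print("quasigroup (Latin square):", is_quasigroup(table))
    print("q\\(3, 2) =", left_parastrophe(mqq, 3, 2))
    print("dropped-term variant is a left quasigroup:",
          is_left_quasigroup(cayley_table(not_a_quasigroup)))
```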
Slide 22: Signing and verification in MQQ-SIG
Signing (figure): $h = H(m) = h_0 \,||\, h_1$; $y_0 = r_0 \,||\, h_0$, $y_1 = r_1 \,||\, h_1$; $x_0 = D(y_0)$, $x_1 = D(y_1)$; Signature $= (x_0, x_1)$.
Verification (figure): compute $H(m)$ and compare it with $E(x_0) \,||\, E(x_1)$.
Slide 23: Outline (section divider, same items as slide 18: Motivation; Research goals and objectives; MQ cryptosystems; The MQQ family; Results; Conclusion)
Slide 24: Emerging questions

- Can the performance characteristics of MQQ-SIG be improved?
  MQQ-SIG: 300 to 3,500 times faster in signing, but a more than 1,000 times larger public key than RSA or ECDSA.
- How will the design tweaks that improve the performance affect the security?
  Always a tradeoff: efficiency vs. security.
- Can we improve the construction of MQQs so that we gain on security in MQQ-SIG?
  No diversity of efficient constructions.
- Even more, can this improvement lead to a design of an encryption scheme?
  Better MQQs are necessary for an encryption scheme.
- What are the necessary steps that can lead to a solid security framework for MQ cryptography?
Slide 25: The research process

Investigate: new constructions of MQQs, to benefit both the performance and the security of the MQQ family.
Investigate: various cryptanalytic approaches against the MQQ cryptosystems.

Research results:
I   Construction of functions for MQ trapdoors
II  The MQQ family - design improvements and analysis
III Security of MQ schemes
Slide 26: The three contribution areas

I   Constructions of functions for MQ trapdoors: Papers I1, I2, I3
II  The MQQ family - design improvements and analysis: Papers I1, I4, I5, I6
III Security of MQ schemes: Papers I4, I6, I7, A1

I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields. Simona Samardjiska, Yanling Chen and Danilo Gligoroski, JIAS, Vol. 7 (2012)
I2 Left MQQs Whose Left Parastrophe is Also Quadratic. Simona Samardjiska and Danilo Gligoroski, CMUC Vol. 53, 3 (2012)
I3 Quadratic Permutation Polynomials, Complete Mappings and Mutually Orthogonal Latin Squares. Simona Samardjiska and Danilo Gligoroski, under review in Mathematica Slovaca
I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC. Danilo Gligoroski and Simona Samardjiska, SCC 2012
I5 On the Strong and Weak Keys in MQQ-SIG. Håkon Jacobsen, Simona Samardjiska and Danilo Gligoroski, ICT Innovations 2012
I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems. Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska and Enrico Thomae, PKC 2015
I7 Linearity Measures for Multivariate Public Key Cryptography. Simona Samardjiska and Danilo Gligoroski, SECURWARE 2014
A1 Towards a Secure Multivariate Identity-Based Encryption. Simona Samardjiska and Danilo Gligoroski, ICT Innovations 2012
Slide 27: Outline (section divider: Results - Construction of functions for MQ trapdoors)
Slide 28: I Constructions of functions for MQ trapdoors (Papers I1, I2, I3)
I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields
I2 Left MQQs Whose Left Parastrophe is Also Quadratic
I3 Quadratic Permutation Polynomials, Complete Mappings and Mutually Orthogonal Latin Squares
Slide 29: Paper I1 - Constructions of MQQs

Results: two new methods for constructing MQQs over arbitrary $\mathbb{F}_{p^k}$ (extension from $\mathbb{F}_2$ to $\mathbb{F}_{p^k}$).
- Bilinear MQQs: direct generalization of the construction used in MQQ-SIG. A superclass of the MQQ-SIG quasigroups! They offer a substantial efficiency improvement to MQQ-SIG!
- MQQs from T-functions (T-MQQs): using linear isotopy, no bilinear structure.

$q = (q^{(1)}, q^{(2)}, \dots, q^{(d)}): \mathbb{F}_{p^k}^{2d} \to \mathbb{F}_{p^k}^{d}$:
$$q^{(s)}(x, y) = p_1^{(s)}(x_s) + p_2^{(s)}(y_s) + \sum_{i,j>s} \alpha^{(s)}_{i,j} x_i x_j + \sum_{i,j>s} \beta^{(s)}_{i,j} y_i y_j + \sum_{i,j>s} \gamma^{(s)}_{i,j} x_i y_j + \sum_{i>s} \delta^{(s)}_i x_i + \sum_{i>s} \epsilon^{(s)}_i y_i + \eta^{(s)}, \quad \forall s = 1, \dots, d,$$
where $p_1^{(s)}, p_2^{(s)}$, $s = 1, \dots, d$, are quadratic permutations over $\mathbb{F}_{p^k}$.
Slide 30: Paper I2 - From MQQs to LMQQs

Results: a method for constructing Left MQQs (LMQQs).
In MQQ-SIG only one parastrophe is needed for the trapdoor; LMQQs reduce the unnecessary structure!
Generalization of the construction from Paper I1:

$q = (q^{(1)}, q^{(2)}, \dots, q^{(d)}): \mathbb{F}_{p^k}^{2d} \to \mathbb{F}_{p^k}^{d}$:
$$q^{(s)}(x, y) = p^{(s)}(y_s) + \sum_{i,j} \alpha^{(s)}_{i,j} x_i x_j + \sum_{i,j>s} \beta^{(s)}_{i,j} y_i y_j + \sum_{j>s} \gamma^{(s)}_{i,j} x_i y_j + \sum_{i} \delta^{(s)}_i x_i + \sum_{i>s} \epsilon^{(s)}_i y_i + \eta^{(s)}, \quad \forall s = 1, \dots, d,$$
where $p^{(s)}$, $s = 1, \dots, d$, is a quadratic permutation over $\mathbb{F}_{p^k}$.

Additionally: a special subclass of LMQQs is distinguished - LMQQs whose left parastrophe is also an LMQQ. Used as a proof of concept of a new model for multivariate Identity Based Encryption in Paper A1.
Two algorithms for construction: backtracking; direct, deterministic, of a smaller class.
Slide 31: Paper I3 - From MQQ to MQ

DO polynomials (HFE):
$$f(X) = \sum_{i,j=0}^{n-1} a_{i,j} X^{2^i + 2^j}, \quad a_{i,j} \in \mathbb{F}_{2^n}.$$
Motivation: permutation behaviour? Affine non-equivalence to monomials?
C* scheme: $f(X) = X^{2^m + 1}$. Linearization attack! $X Y^{2^m} = X^{2^{2m}} Y$.
Blokhuis et al. '01: bilinear permutations over $\mathbb{F}_{2^n}$, $P(X) = X \cdot L(X)$. We extend to: $P(X) = X\,(L_2(X) + X \cdot L_3(X))$.
1. Exhaustive search for small fields, $n \le 16$.
2. New classes of permutation polynomials recognized!
Slide 32: Paper I3 - From MQQ to MQ

Results:
- Permutation binomials: for $n \le 16$, all $\equiv$ monomials.
- Permutation trinomials: for $n \le 10$, two classes $\equiv$ monomials, two classes $\equiv$ weak permutations, three polynomials $\not\equiv$ monomials.

An interesting class: $n = k\ell$, $k > 1$ odd, $a, b \in \mathbb{F}_{2^\ell}$, $\mathrm{Tr}^{k}_{\ell}$ the trace from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^\ell}$:
$$P(X) = X\,\big(a\,\mathrm{Tr}^{k}_{\ell}(X) + aX + b\big).$$
$b \ne 0$ ⇒ permutation polynomial; $b \ne 0, 1$ ⇒ complete mapping.
New constructions from the class: recursive construction of PP and CM over bigger fields; sets of mutually orthogonal Latin squares; bent vectorial functions from the Maiorana-McFarland class.
Slide 33: II The MQQ family - design improvements and analysis (Papers I1, I4, I5, I6)
I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields
I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC
I5 On the Strong and Weak Keys in MQQ-SIG
I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
Slide 34: Paper I1 - Efficiency improvements of MQQ-SIG using the new constructions of MQQs

Results: extension from $\mathbb{F}_2$ to any $\mathbb{F}_{p^k}$ ⇒ reduction of the public key size of MQQ-SIG up to 58 times.
Public key size in Kbytes:
  n   | GF(2)  | GF(2^2) | GF(2^4) | GF(2^8)
  160 | 125.79 | 32.43   | 8.41    | 2.26
  192 | 217.14 | 55.70   | 14.36   | 3.81
  224 | 344.55 | 88.06   | 22.60   | 5.95
  256 | 514.02 | 131.02  | 33.52   | 8.77
Slide 35: Paper I1 - Efficiency improvements of MQQ-SIG using the new constructions of MQQs

Key observation: MQQ-SIG uses MQQs linearly isotopic to T-MQQs of the form $q_0(x, y) = A(x) \cdot y + x$.
⇒ New decryption algorithm with improved performance: from $O(d^3)$ to $O(d^2)$.
⇒ Reduction of the private key size. Size in bytes, $d = 8$:
                | Bilinear MQQs      | MQQs from T-MQQs
                | previous | new     | previous | new
  GF(2)         | 81       | 50.5    | 137      | 66.5
  GF(2^k)       | 81k      | 50.5k   | 153k     | 75.5k
Slide 36: Paper I4 - MQQ-ENC, a new encryption scheme

Design choices:
- over $\mathbb{F}_{2^k}$, $k \in \{1, 2, 4, 8\}$
- $r$ removed polynomials
- LMQQs of order $2^{8k}$
- specially constructed matrices $S$ and $T$

Encryption (figure): $h = H(m \,||\, r)$; the triple $(m, r, h)$ goes through $S$, then the central map $F$ (the chain $q_1, \dots, q_{n/8-1}$ on blocks $x_1, \dots, x_{n/8}$ giving $y_1, \dots, y_{n/8}$), then $T$; together this is the public map $P$, and the output is the ciphertext $c$.
Decryption (figure): $c$ goes through $T^{-1}$, $F^{-1}$ and $S^{-1}$ to $(m', r', h')$; the $r$ removed coordinates are handled by trying all values. Accept if $h = h'$.

Properties: probabilistic encryption; negligible decryption error; IND-CCA under the MQQ assumption.
Parameters for 128 bits security:
  field | F_2 | F_4 | F_16 | F_256
  n     | 256 | 128 | 64   | 32
  r     | 8   | 4   | 2    | 1
Slide 37: Paper I4 - MQQ-ENC, a new encryption scheme

The LMQQs of order $2^{dk}$: $q(x, y) = D \cdot q_0(x, D_y \cdot y + c_y) + c$, where $q_0$ is a T-LMQQ defined over $\mathbb{F}_{2^k}$, $D, D_y$ are matrices and $c, c_y$ are vectors.

Why LMQQs? Gröbner bases experiments (plot: $D_{reg}$, 0 to 14, against $n$, 24 to 96, for three series: $D_{reg,rand}$, $D_{reg,MQQ\text{-}ENC}$ and $D_{reg,MQQ\text{-}ENCbl}$).
The MQQs from MQQ-SIG are too weak when a small number of polynomials is removed!
Strong implication that the internal structure of the MQQs is very important!