multivariate public key cryptosystems produced by
play

Multivariate Public Key Cryptosystems Produced by Quasigroups - PowerPoint PPT Presentation

Mar 31, 2023 •925 likes •2.51k views

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence Trondheim, June 22, 2015 Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of

  1. Thomae 13 13 MQ crypto MQ MQ Constructions Constructions Cryptanalysis Cryptanalysis Prime Time MIA MIA [IM85] 1985 1985 [IM85] Mixed-field schemes C* C* [MI88] [MI88] 1990 1990 MIA and MIA and C* C* [Pat95] [Pat95] Birational Permutation Birational Permutation Birational Permutation Birational Permutation [Sha93] [Sha93] [CSV93, The95, [CSV93, The95, CSV97] CSV97] 1995 1995 HFE HFE [Pat96] [Pat96] OV OV [Pat97] [Pat97] Oil and Vinegar schemes OV [KS98] OV [KS98] UOV [KPG99] [KPG99] HFE [KS99, HFE [KS99, FJ03, FJ03, GJS06, GJS06, DG10, DG10, DH11] DH11] 2000 2000 Stepwise Triangular schemes Quartz [PCG01b] [PCG01b] Sflash Sflash [PCG01a, [PCG01a, CGP03] CGP03] PMI [Din04] PMI [Din04] , RSE(2)PKC RSE(2)PKC [KS04] [KS04] RSE(2)PKC,RSSE(2)PKC [WBP04] RSE(2)PKC,RSSE(2)PKC [WBP04] RSSE(2)PKC RSSE(2)PKC [KS05a] [KS05a] PMI PMI [FGS05] [FGS05] 2005 2005 Rainbow [DS05] [DS05] Sflash Sflash [DFSS07] [DFSS07] Mixed schemes (UOV + STS) www.ntnu.no Simona Samardjiska, PhD defence

  2. Thomae 13 13 MQ crypto MQ MQ Constructions Constructions Cryptanalysis Cryptanalysis Prime Time MIA MIA [IM85] 1985 1985 [IM85] C* C* [MI88] [MI88] 1990 1990 MIA MIA and and C* C* [Pat95] [Pat95] Birational Permutation Birational Permutation Birational Permutation Birational Permutation [Sha93] [Sha93] [CSV93, [CSV93, The95, The95, CSV97] CSV97] 1995 1995 HFE [Pat96] HFE [Pat96] OV OV [Pat97] [Pat97] OV [KS98] OV [KS98] UOV [KPG99] [KPG99] HFE [KS99, HFE [KS99, FJ03, FJ03, GJS06, GJS06, DG10, DG10, DH11] DH11] 2000 2000 Quartz [PCG01b] [PCG01b] Sflash [PCG01a, Sflash [PCG01a, CGP03] CGP03] PMI PMI [Din04] [Din04] , RSE(2)PKC RSE(2)PKC [KS04] [KS04] RSE(2)PKC,RSSE(2)PKC [WBP04] RSE(2)PKC,RSSE(2)PKC [WBP04] RSSE(2)PKC [KS05a] RSSE(2)PKC [KS05a] PMI PMI [FGS05] [FGS05] 2005 2005 Rainbow [DS05] [DS05] Sflash Sflash [DFSS07] [DFSS07] Interest seriously declines www.ntnu.no Simona Samardjiska, PhD defence

  3. Thomae 13 13 MQ crypto MQ MQ Constructions Constructions Cryptanalysis Cryptanalysis Prime Time MIA MIA [IM85] 1985 1985 [IM85] Bad reputation due to break and patch history C* C* [MI88] [MI88] 1990 1990 MIA MIA and and C* C* [Pat95] [Pat95] Birational Permutation Birational Permutation Birational Permutation Birational Permutation [Sha93] [Sha93] [CSV93, [CSV93, The95, The95, CSV97] CSV97] 1995 1995 HFE HFE [Pat96] [Pat96] OV [Pat97] OV [Pat97] OV [KS98] OV [KS98] UOV [KPG99] [KPG99] HFE [KS99, HFE [KS99, FJ03, FJ03, GJS06, GJS06, DG10, DG10, DH11] DH11] 2000 2000 Quartz [PCG01b] [PCG01b] Sflash Sflash [PCG01a, [PCG01a, CGP03] CGP03] PMI [Din04] PMI [Din04] , RSE(2)PKC RSE(2)PKC [KS04] [KS04] RSE(2)PKC,RSSE(2)PKC RSE(2)PKC,RSSE(2)PKC [WBP04] [WBP04] RSSE(2)PKC RSSE(2)PKC [KS05a] [KS05a] PMI PMI [FGS05] [FGS05] 2005 2005 Rainbow [DS05] [DS05] Sflash [DFSS07] Sflash [DFSS07] Interest seriously declines www.ntnu.no Simona Samardjiska, PhD defence

  4. Thomae 13 13 MQ crypto MQ MQ Constructions Constructions Cryptanalysis Cryptanalysis Prime Time MIA [IM85] MIA 1985 1985 [IM85] Bad reputation due to break and patch history C* C* [MI88] [MI88] 1990 1990 But on the other hand... MIA MIA and and C* C* [Pat95] [Pat95] Birational Birational Permutation Permutation UOV, HFEv- signatures - Birational Permutation Birational Permutation [Sha93] [Sha93] [CSV93, [CSV93, The95, The95, CSV97] CSV97] non-broken variants of Patarin’s 1995 1995 HFE [Pat96] HFE [Pat96] schemes OV OV [Pat97] [Pat97] Provably secure identification OV [KS98] OV [KS98] UOV [KPG99] [KPG99] HFE [KS99, HFE scheme of Sakumoto et al. [KS99, FJ03, FJ03, GJS06, GJS06, DG10, DG10, DH11] DH11] 2000 2000 Quartz [PCG01b] [PCG01b] QUAD - Provably secure stream Sflash [PCG01a, Sflash [PCG01a, CGP03] CGP03] cipher - Berbain et al. PMI [Din04] PMI [Din04] , RSE(2)PKC RSE(2)PKC [KS04] [KS04] RSE(2)PKC,RSSE(2)PKC RSE(2)PKC,RSSE(2)PKC [WBP04] [WBP04] RSSE(2)PKC [KS05a] RSSE(2)PKC [KS05a] PMI [FGS05] PMI [FGS05] 2005 2005 Rainbow [DS05] [DS05] Sflash Sflash [DFSS07] [DFSS07] Interest seriously declines www.ntnu.no Simona Samardjiska, PhD defence

  5. Thomae 13 13 MQ crypto MQ MQ Constructions Constructions Cryptanalysis Cryptanalysis Prime Time MIA [IM85] MIA 1985 1985 [IM85] Bad reputation due to break and patch history C* C* [MI88] [MI88] 1990 1990 But on the other hand... MIA MIA and and C* C* [Pat95] [Pat95] Birational Birational Permutation Permutation UOV, HFEv- signatures - Birational Birational Permutation Permutation [Sha93] [Sha93] [CSV93, [CSV93, The95, The95, CSV97] CSV97] non-broken variants of Patarin’s 1995 1995 HFE HFE [Pat96] [Pat96] schemes OV OV [Pat97] [Pat97] Provably secure identification OV OV [KS98] [KS98] UOV [KPG99] [KPG99] HFE [KS99, HFE scheme of Sakumoto et al. [KS99, FJ03, FJ03, GJS06, GJS06, DG10, DG10, DH11] DH11] 2000 2000 Quartz [PCG01b] [PCG01b] QUAD - Provably secure stream Sflash [PCG01a, Sflash [PCG01a, CGP03] CGP03] More scrutiny needed for cipher - Berbain et al. PMI [Din04] PMI [Din04] , RSE(2)PKC RSE(2)PKC [KS04] [KS04] RSE(2)PKC,RSSE(2)PKC RSE(2)PKC,RSSE(2)PKC [WBP04] [WBP04] RSSE(2)PKC RSSE(2)PKC [KS05a] understanding the security [KS05a] PMI [FGS05] PMI [FGS05] 2005 2005 Rainbow [DS05] [DS05] Sflash [DFSS07] Sflash [DFSS07] Interest seriously declines www.ntnu.no Simona Samardjiska, PhD defence

  6. 14 Crucial for the security of MQ schemes P o SS o ( p 1 , p 2 , . . . , p m ) - the underlying NP-hard problem Input: m polynomials p 1 , p 2 , . . . , p m ∈ F q [ x 1 , . . . , x n ] of degree d ≥ 2 Question: Find – if any – a vector ( u 1 , . . . , u n ) ∈ F n q such that  p 1 ( u 1 , . . . , u n ) = 0     p 2 ( u 1 , . . . , u n ) = 0 . . .     p m ( u 1 , . . . , u n ) = 0 NP-hard for m = O ( n ) [KPG99] Directly invert the public key, but also Model other attacks as systems of equations! State of the art algorithms: F4, F5 algorithms [Faugère ’99,’02] XL family of algorithms [Yang et al.’04, Mohamed et al.’08] www.ntnu.no Simona Samardjiska, PhD defence

  7. 14 Crucial for the security of MQ schemes P o SS o ( p 1 , p 2 , . . . , p m ) - the underlying NP-hard problem Input: m polynomials p 1 , p 2 , . . . , p m ∈ F q [ x 1 , . . . , x n ] of degree d ≥ 2 Question: Find – if any – a vector ( u 1 , . . . , u n ) ∈ F n q such that  p 1 ( u 1 , . . . , u n ) = 0     p 2 ( u 1 , . . . , u n ) = 0 . . .     p m ( u 1 , . . . , u n ) = 0 NP-hard for m = O ( n ) [KPG99] Directly invert the public key, but also Model other attacks as systems of equations! State of the art algorithms: F4, F5 algorithms [Faugère ’99,’02] XL family of algorithms [Yang et al.’04, Mohamed et al.’08] www.ntnu.no Simona Samardjiska, PhD defence

  8. 14 Crucial for the security of MQ schemes P o SS o ( p 1 , p 2 , . . . , p m ) - the underlying NP-hard problem Input: m polynomials p 1 , p 2 , . . . , p m ∈ F q [ x 1 , . . . , x n ] of degree d ≥ 2 Question: Find – if any – a vector ( u 1 , . . . , u n ) ∈ F n q such that  p 1 ( u 1 , . . . , u n ) = 0     p 2 ( u 1 , . . . , u n ) = 0 . . .     p m ( u 1 , . . . , u n ) = 0 NP-hard for m = O ( n ) [KPG99] Directly invert the public key, but also Model other attacks as systems of equations! State of the art algorithms: F4, F5 algorithms [Faugère ’99,’02] XL family of algorithms [Yang et al.’04, Mohamed et al.’08] www.ntnu.no Simona Samardjiska, PhD defence

  9. 14 Crucial for the security of MQ schemes P o SS o ( p 1 , p 2 , . . . , p m ) - the underlying NP-hard problem Input: m polynomials p 1 , p 2 , . . . , p m ∈ F q [ x 1 , . . . , x n ] of degree d ≥ 2 Question: Find – if any – a vector ( u 1 , . . . , u n ) ∈ F n q such that  p 1 ( u 1 , . . . , u n ) = 0     p 2 ( u 1 , . . . , u n ) = 0 . . .     p m ( u 1 , . . . , u n ) = 0 NP-hard for m = O ( n ) [KPG99] Directly invert the public key, but also Model other attacks as systems of equations! State of the art algorithms: F4, F5 algorithms [Faugère ’99,’02] XL family of algorithms [Yang et al.’04, Mohamed et al.’08] www.ntnu.no Simona Samardjiska, PhD defence

  10. 15 Solving P o SS o ( p 1 , p 2 , . . . , p m ) - F5 algorithm [Faugère ’02] ∃ ( u 1 , . . . , u n ) ∈ F n q such that for ( u 1 , . . . , u n ) it holds that   p 1 ( u 1 , . . . , u n ) = 0 b 1 ( u 1 , . . . , u n ) = 0     ⇔ . . . . . .     p m ( u 1 , . . . , u n ) = 0 b n ′ ( u 1 , . . . , u n ) = 0 where { b 1 , b 2 , . . . , b n ′ } is the Gröbner basis of the ideal � p 1 , p 2 , . . . , p m � . www.ntnu.no Simona Samardjiska, PhD defence

  11. 15 Solving P o SS o ( p 1 , p 2 , . . . , p m ) - F5 algorithm [Faugère ’02] ∃ ( u 1 , . . . , u n ) ∈ F n q such that for ( u 1 , . . . , u n ) it holds that   p 1 ( u 1 , . . . , u n ) = 0 b 1 ( u 1 , . . . , u n ) = 0     ⇔ . . . . . .     p m ( u 1 , . . . , u n ) = 0 b n ′ ( u 1 , . . . , u n ) = 0 where { b 1 , b 2 , . . . , b n ′ } is the Gröbner basis of the ideal � p 1 , p 2 , . . . , p m � . Complexity of F5 algorithm: �� n + d reg � ω � O d reg with 2 � ω � 3 - linear algebra constant d reg - maximum degree reached during computation www.ntnu.no Simona Samardjiska, PhD defence

  12. 15 Solving P o SS o ( p 1 , p 2 , . . . , p m ) - F5 algorithm [Faugère ’02] ∃ ( u 1 , . . . , u n ) ∈ F n q such that for ( u 1 , . . . , u n ) it holds that   p 1 ( u 1 , . . . , u n ) = 0 b 1 ( u 1 , . . . , u n ) = 0     ⇔ . . . . . .     p m ( u 1 , . . . , u n ) = 0 b n ′ ( u 1 , . . . , u n ) = 0 where { b 1 , b 2 , . . . , b n ′ } is the Gröbner basis of the ideal � p 1 , p 2 , . . . , p m � . Complexity of F5 algorithm: �� n + d reg � ω � O d reg with 2 � ω � 3 - linear algebra constant d reg - maximum degree reached during computation If d reg - independent of n ⇒ Polynomial complexity !!! www.ntnu.no Simona Samardjiska, PhD defence

  13. 16 Crucial for the security of MQ schemes MinRank MR ( n, r , k, M 1 , . . . , M k ) Input : n, r , k ∈ N , and M 1 , . . . , M k ∈ M n ( F q ) . Question : Find – if any – a nonzero k -tuple ( λ 1 , . . . , λ k ) ∈ F k q s.t.: � k � � Rank λ i M i � r . i =1 [Kipnis, Shamir ’99], [Buss, Shallit ’99] NP-hard!!! [Courtois ’01], however, Instances in MQ crypto can be much easier , even polynomial! Underlays the security of HFE, STS, Rainbow, ... and more Solving MinRank [Kipnis-Shamir modeling ’99; Kernel method GC’00; Minors modeling FLP ’08] www.ntnu.no Simona Samardjiska, PhD defence

  14. 16 Crucial for the security of MQ schemes MinRank MR ( n, r , k, M 1 , . . . , M k ) Input : n, r , k ∈ N , and M 1 , . . . , M k ∈ M n ( F q ) . Question : Find – if any – a nonzero k -tuple ( λ 1 , . . . , λ k ) ∈ F k q s.t.: � k � � Rank λ i M i � r . i =1 [Kipnis, Shamir ’99], [Buss, Shallit ’99] NP-hard!!! [Courtois ’01], however, Instances in MQ crypto can be much easier , even polynomial! Underlays the security of HFE, STS, Rainbow, ... and more Solving MinRank [Kipnis-Shamir modeling ’99; Kernel method GC’00; Minors modeling FLP ’08] www.ntnu.no Simona Samardjiska, PhD defence

  15. 16 Crucial for the security of MQ schemes MinRank MR ( n, r , k, M 1 , . . . , M k ) Input : n, r , k ∈ N , and M 1 , . . . , M k ∈ M n ( F q ) . Question : Find – if any – a nonzero k -tuple ( λ 1 , . . . , λ k ) ∈ F k q s.t.: � k � � Rank λ i M i � r . i =1 [Kipnis, Shamir ’99], [Buss, Shallit ’99] NP-hard!!! [Courtois ’01], however, Instances in MQ crypto can be much easier , even polynomial! Underlays the security of HFE, STS, Rainbow, ... and more Solving MinRank [Kipnis-Shamir modeling ’99; Kernel method GC’00; Minors modeling FLP ’08] www.ntnu.no Simona Samardjiska, PhD defence

  16. 17 Solving MinRank - Kipnis-Shamir modeling � k � k � � � � ≤ r ⇔ ∃ x (1) , . . . , x ( n − r ) ∈ Ker Rank λ i M i λ i M i i =1 i =1   x (1) x 1 1 . . . � k � r 1 � ... . .  . .   · λ i M i = 0 n × n . . .  i =1 x ( n − r ) x ( n − r ) 1 . . . r 1 n ( n − r ) quadratic (bilinear) equations in r ( n − r ) + k variables www.ntnu.no Simona Samardjiska, PhD defence

  17. 17 Solving MinRank - Kipnis-Shamir modeling � k � k � � � � ≤ r ⇔ ∃ x (1) , . . . , x ( n − r ) ∈ Ker Rank λ i M i λ i M i i =1 i =1   x (1) x 1 1 . . . � k � r 1 � ... . .  . .   · λ i M i = 0 n × n . . .  i =1 x ( n − r ) x ( n − r ) 1 . . . r 1 n ( n − r ) quadratic (bilinear) equations in r ( n − r ) + k variables Relinearization [Kipnis & Shamir ’99] www.ntnu.no Simona Samardjiska, PhD defence

  18. 17 Solving MinRank - Kipnis-Shamir modeling � k � k � � � � ≤ r ⇔ ∃ x (1) , . . . , x ( n − r ) ∈ Ker Rank λ i M i λ i M i i =1 i =1   x (1) x 1 1 . . . � k � r 1 � ... . .  . .   · λ i M i = 0 n × n . . .  i =1 x ( n − r ) x ( n − r ) 1 . . . r 1 n ( n − r ) quadratic (bilinear) equations in r ( n − r ) + k variables Gröbner bases [Faugère & Levy-dit-Vehel & Perret ’08] �� n + d reg � ω � F5 algorithm: O , d reg www.ntnu.no Simona Samardjiska, PhD defence

  19. 17 Solving MinRank - Kipnis-Shamir modeling � k � k � � � � ≤ r ⇔ ∃ x (1) , . . . , x ( n − r ) ∈ Ker Rank λ i M i λ i M i i =1 i =1   x (1) x 1 1 . . . � k � r 1 � ... . .  . .   · λ i M i = 0 n × n . . .  i =1 x ( n − r ) x ( n − r ) 1 . . . r 1 n ( n − r ) quadratic (bilinear) equations in r ( n − r ) + k variables Gröbner bases [Faugère & Levy-dit-Vehel & Perret ’08] �� n + d reg � ω � F5 algorithm: O , d reg d reg � min( n X , n Y ) + 1 , for bilinear system in X , Y blocks of variables of sizes n X , n Y . www.ntnu.no Simona Samardjiska, PhD defence

  20. 18 Outline Motivation Research goals MQ cryptosystems The MQQ family and objectives Results The MQQ family - Construction of Security of design improvements functions MQ schemes for MQ trapdoors and analysis Conclusion www.ntnu.no Simona Samardjiska, PhD defence

  21. 19 The MQQ family of cryptosystems A proposal to use quasigroups in MQ cryptography www.ntnu.no Simona Samardjiska, PhD defence

  22. 19 The MQQ family of cryptosystems A proposal to use quasigroups in MQ cryptography Quasigroups in symmetric crypto: IDEA Block Cipher [Lai’91] Edon80 [Gligoroski et al.’08] Finalist (hardware) of eSTREAM CryptMT [Matsumoto et al.’08] Finalist (software) of eSTREAM Blue Midnight Wish (BMW) [Gligoroski et al.’09] Round 2 candidate of SHA-3 Edon-R [Gligoroski et al.’09] and NaSHA [Markovski & Mileva’08] Round 1 candidates of SHA-3 www.ntnu.no Simona Samardjiska, PhD defence

  23. 19 The MQQ family of cryptosystems A proposal to use quasigroups in MQ cryptography Quasigroup ( Q, q ) Example: R q ,a : Q → Q , R q ,a ( x ) = q ( x, a ) L q ,a : Q → Q , L q ,a ( x ) = q ( a, x ) q 0 1 2 3 4 5 6 7 0 2 3 6 7 0 1 5 4 are bijections for every a ∈ Q . 1 6 7 5 4 2 3 0 1 2 3 2 7 6 1 0 4 5 3 7 6 4 5 3 2 1 0 4 4 5 0 1 7 6 2 3 5 0 1 3 2 5 4 7 6 6 5 4 1 0 6 7 3 2 7 1 0 2 3 4 5 6 7 www.ntnu.no Simona Samardjiska, PhD defence

  24. 19 The MQQ family of cryptosystems A proposal to use quasigroups in MQ cryptography Left Quasigroup ( Q, q ) Example: L q ,a : Q → Q , L q ,a ( x ) = q ( a, x ) q 0 1 2 3 4 5 6 7 0 2 3 6 7 0 1 5 4 are bijections for every a ∈ Q . 1 6 7 5 4 2 3 0 1 2 3 2 7 6 1 0 4 5 3 7 6 4 5 3 2 1 0 4 4 5 0 1 7 6 2 3 5 0 1 3 2 5 4 7 6 6 5 4 1 0 6 7 3 2 7 1 0 2 3 4 5 6 7 www.ntnu.no Simona Samardjiska, PhD defence

  25. 19 The MQQ family of cryptosystems A proposal to use quasigroups in MQ cryptography Quasigroup ( Q, q ) Example: R q ,a : Q → Q , R q ,a ( x ) = q ( x, a ) L q ,a : Q → Q , L q ,a ( x ) = q ( a, x ) q 0 1 2 3 4 5 6 7 0 2 3 6 7 0 1 5 4 are bijections for every a ∈ Q . 1 6 7 5 4 2 3 0 1 2 3 2 7 6 1 0 4 5 3 7 6 4 5 3 2 1 0 MQQ 4 4 5 0 1 7 6 2 3 5 0 1 3 2 5 4 7 6 Multivariate 6 5 4 1 0 6 7 3 2 - vectorial polynomial function 7 1 0 2 3 4 5 6 7 q = ( q 1 , . . . , q d ) : F 2 d q → F d q Quadratic - algebraic degree 2 Quasigroup www.ntnu.no Simona Samardjiska, PhD defence

  26. 19 The MQQ family of cryptosystems A proposal to use quasigroups in MQ cryptography Quasigroup ( Q, q ) q : F 6 2 → F 3 Example: R q ,a : Q → Q , R q ,a ( x ) = q ( x, a ) 2 L q ,a : Q → Q , L q ,a ( x ) = q ( a, x ) q 0 1 2 3 4 5 6 7 0 2 3 6 7 0 1 5 4 are bijections for every a ∈ Q . 1 6 7 5 4 2 3 0 1 2 3 2 7 6 1 0 4 5 3 7 6 4 5 3 2 1 0 MQQ 4 4 5 0 1 7 6 2 3 5 0 1 3 2 5 4 7 6 Multivariate 6 5 4 1 0 6 7 3 2 - vectorial polynomial function 7 1 0 2 3 4 5 6 7 q = ( q 1 , . . . , q d ) : F 2 d q → F d q q 1 = x 1 + x 3 + x 5 + x 1 x 5 + x 1 x 6 , Quadratic q 2 = 1 + x 3 + x 1 x 5 + x 6 + x 1 x 6 , - algebraic degree 2 q 3 = x 2 + x 4 + x 1 x 5 + x 3 x 6 + x 5 x 6 . Quasigroup www.ntnu.no Simona Samardjiska, PhD defence

  27. 20 The MQQ family of cryptosystems MQQ Encryption scheme [GMK08] Over F 2 The internal mapping: Dobbertin permutation + Bilinear MQQs of order 2 5 Direct algebraic attack [Mohamed et al.’09, Faugère et al.’10] - XL algorithm, Gröbner bases www.ntnu.no Simona Samardjiska, PhD defence

  28. 20 The MQQ family of cryptosystems MQQ-SIG Signature scheme [GØJPFKM11] Over F 2 Security measure (against the previous attack) - n/ 2 equations removed Performance measures (Smaller key size, faster evaluation in SW, more compact in HW) - The internal mapping: One bilinear MQQ of order 2 8 - designed S and T using circulant matrices - signing with twice smaller key Fastest on (eBACS) SUPERCOP Recommended parameters: 2 96 2 112 2 128 2 80 Security n 160 192 224 256 www.ntnu.no Simona Samardjiska, PhD defence

  29. 21 The central map of MQQ-SIG The private F q n/ 8 − 1 q 1 q 2 · · · u x 1 x n/ 8 − 1 x n/ 8 y 1 · · · y n/ 8 − 1 y n/ 8 www.ntnu.no Simona Samardjiska, PhD defence

  30. 21 The central map of MQQ-SIG The private F q n/ 8 − 1 q 1 q 2 · · · u x 1 x n/ 8 − 1 x n/ 8 y 1 · · · y n/ 8 − 1 y n/ 8 MQQs: q ( x , y ) = z − bijective www.ntnu.no Simona Samardjiska, PhD defence

  31. 21 The central map of MQQ-SIG The private F q n/ 8 − 1 q 1 q 2 · · · u x 1 x n/ 8 − 1 x n/ 8 y 1 · · · y n/ 8 − 1 y n/ 8 MQQs: q ( x , y ) = z − bijective The MQQ of order 2 8 : q ( x , y ) = B · U ( x ) · A 2 · y + B · A 1 · x + c , where   U ( x ) = I 8 +  U 1 · A 1 · x U 2 · A 1 · x . . . U 7 · A 1 · x   .  0 www.ntnu.no Simona Samardjiska, PhD defence

  32. 21 The central map of MQQ-SIG The inverse F − 1 q n/ 8 − 1 q 1 q 2 u x 1 · · · x n/ 8 − 1 x n/ 8 q 1 \ q 2 \ q n/ 8 − 1 \ · · · y 1 y n/ 8 − 1 y n/ 8 www.ntnu.no Simona Samardjiska, PhD defence

  33. 21 The central map of MQQ-SIG The inverse F − 1 q n/ 8 − 1 q 1 q 2 u x 1 · · · x n/ 8 − 1 x n/ 8 q 1 \ q 2 \ q n/ 8 − 1 \ y 1 · · · y n/ 8 − 1 y n/ 8 Parastrophe: q \ ( x , z ) = y . www.ntnu.no Simona Samardjiska, PhD defence

  34. 21 The central map of MQQ-SIG The inverse F − 1 q n/ 8 − 1 q 1 q 2 u x 1 · · · x n/ 8 − 1 x n/ 8 q 1 \ q 2 \ q n/ 8 − 1 \ y 1 · · · y n/ 8 − 1 y n/ 8 Parastrophe: q \ ( x , z ) = y . Solve the system of equations: q ( x , y ) = z in the unknown y . ( q \ not computed explicitly .) (Alternatively, a look up table can be used.) www.ntnu.no Simona Samardjiska, PhD defence

  35. 22 Signing and Verification in MQQ-SIG m ——— ——— ——— ——— m ——— ——— Signature E ( x 0 ) || E ( x 1 ) ——— ——— H ( m ) || h 0 h 1 H ( m ) h = h 0 || h 1 Compare y 0 = r 0 || h 1 y 1 = r 1 || h 1 h = h 0 || h 1 x 1 = D ( y 1 ) x 0 = D ( y 0 ) Signature = ( x 0 , x 1 ) www.ntnu.no Simona Samardjiska, PhD defence

  36. 23 Outline Motivation Research goals MQ cryptosystems The MQQ family and objectives Results The MQQ family - Construction of Security of design improvements functions MQ schemes for MQ trapdoors and analysis Conclusion www.ntnu.no Simona Samardjiska, PhD defence

  37. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? www.ntnu.no Simona Samardjiska, PhD defence

  38. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? MQQ-SIG - 300–3,500 times faster in signing > 1,000 times larger public key than RSA or ECDSA. www.ntnu.no Simona Samardjiska, PhD defence

  39. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? How will the design tweaks that improve the performance, affect the security? www.ntnu.no Simona Samardjiska, PhD defence

  40. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? How will the design tweaks that improve the performance, affect the security? Always a tradeoff Efficiency v.s. Security www.ntnu.no Simona Samardjiska, PhD defence

  41. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? How will the design tweaks that improve the performance, affect the security? Can we improve the construction of MQQs so that we gain on security in MQQ-SIG? www.ntnu.no Simona Samardjiska, PhD defence

  42. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? How will the design tweaks that improve the performance, affect the security? Can we improve the construction of MQQs so that we gain on security in MQQ-SIG? No diversity of efficient constructions www.ntnu.no Simona Samardjiska, PhD defence

  43. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? How will the design tweaks that improve the performance, affect the security? Can we improve the construction of MQQs so that we gain on security in MQQ-SIG? Even more, Can this improvement lead to a design of an encryption scheme? www.ntnu.no Simona Samardjiska, PhD defence

  44. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? How will the design tweaks that improve the performance, affect the security? Can we improve the construction of MQQs so that we gain on security in MQQ-SIG? Even more, Can this improvement lead to a design of an encryption scheme? Better MQQs neccessary for encryption scheme www.ntnu.no Simona Samardjiska, PhD defence

  45. 24 Emerging questions Can the performance characteristics of MQQ-SIG be improved? How will the design tweaks that improve the performance, affect the security? Can we improve the construction of MQQs so that we gain on security in MQQ-SIG? Even more, Can this improvement lead to a design of an encryption scheme? What are the necessary steps that can lead to a solid security framework for MQ cryptography? www.ntnu.no Simona Samardjiska, PhD defence

  46. 25 The research process Investigate: New constructions of MQQs Investigate: to benefit both Various cryptanalytic the performance and approaches against the security the MQQ cryptosystems. of the MQQ family. www.ntnu.no Simona Samardjiska, PhD defence

  47. 25 The research process Investigate: New constructions of MQQs Investigate: to benefit both Various cryptanalytic the performance and approaches against the security the MQQ cryptosystems. of the MQQ family. Research results I Construction of functions for MQ trapdoors II The MQQ family - design improvements and analysis III Security of MQ schemes www.ntnu.no Simona Samardjiska, PhD defence

  48. 26 The three contribution areas II The MQQ family - Design improvements and analysis I Constructions of functions for MQ trapdoors Paper I5 Paper I2 Paper I1 Paper I3 III Security of MQ schemes Paper I4 Paper I6 Paper A1 Paper I7 www.ntnu.no Simona Samardjiska, PhD defence

  49. 26 The three contribution areas II The MQQ family - Design improvements and analysis I Constructions of functions for MQ trapdoors Paper I5 Paper I2 Paper I1 Paper I3 III Security of MQ schemes Paper I4 Paper I6 I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields Simona Samardjiska, Yanling Chen and Danilo Gligoroski, JIAS, Vol. 7 (2012) Paper A1 I2 Left MQQs Whose Left Parastrophe is Also Quadratic Simona Samardjiska and Danilo Gligoroski, CMUC Vol. 53, 3 (2012) Paper I7 I3 Quadratic Permutation Polynomials, Complete Mappings and Mutually Orthogonal Latin Squares Simona Samardjiska and Danilo Gligoroski, under review in Mathematica Slovaca www.ntnu.no Simona Samardjiska, PhD defence

  50. 26 The three contribution areas II The MQQ family - Design improvements and analysis I Constructions of functions for MQ trapdoors Paper I5 Paper I2 Paper I1 Paper I3 III Security of MQ schemes Paper I4 Paper I6 I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC Paper A1 Danilo Gligoroski and Simona Samardjiska, SCC 2012 I5 On the Strong and Weak Keys in MQQ-SIG Paper I7 Håkon Jacobsen, Simona Samardjiska and Danilo Gligoroski, ICT Innovations 2012 I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère and Danilo Gligoroski and Ludovic Perret and Simona Samardjiska and Enrico Thomae, PKC 2015 www.ntnu.no Simona Samardjiska, PhD defence

  51. 26 The three contribution areas I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC Danilo Gligoroski and Simona Samardjiska, SCC 2012 I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems II The MQQ family - Design Jean-Charles Faugère and Danilo Gligoroski and Ludovic Perret and Simona Samardjiska improvements and analysis I Constructions of functions and Enrico Thomae, PKC 2015 I7 for MQ trapdoors Linearity Measures for Multivariate Public Key Cryptography Simona Samardjiska and Danilo Gligoroski, SECURWARE 2014 A1 Towards a Secure Multivariate Identity-Based Encryption Paper I5 Paper I2 Simona Samardjiska and Danilo Gligoroski, ICT Innovations 2012 Paper I1 Paper I3 III Security of MQ schemes Paper I4 Paper I6 Paper A1 Paper I7 www.ntnu.no Simona Samardjiska, PhD defence

  52. 27 Motivation Research goals MQ cryptosystems The MQQ family and objectives Results Construction of The MQQ family - Security of design improvements functions MQ schemes for MQ trapdoors and analysis Conclusion www.ntnu.no Simona Samardjiska, PhD defence

  53. 28 I Constructions of functions for MQ trapdoors Paper I2 Paper I1 Paper I3 I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields I2 Left MQQs Whose Left Parastrophe is Also Quadratic I3 Quadratic Permutation Polynomials, Complete Mappings and Mutu- ally Orthogonal Latin Squares www.ntnu.no Simona Samardjiska, PhD defence

  54. 29 Paper I1: Constructions of MQQs Results: Two new methods for constructing MQQs over arbitrary F p k . Extension from F 2 to F p k . Bilinear MQQs Direct generalization of the construction used in MQQ-SIG MQQs from T-functions (T-MQQs) Using linear isotopy, no bilinear structure www.ntnu.no Simona Samardjiska, PhD defence

  55. 29 Paper I1: Constructions of MQQs Results: Two new methods for constructing MQQs over arbitrary F p k . Extension from F 2 to F p k . Bilinear MQQs Direct generalization of the construction used in MQQ-SIG MQQs from T-functions (T-MQQs) Using linear isotopy, no bilinear structure q = ( q (1) , q (2) , . . . , q ( d ) ) : F 2 d p k → F d p k : � � p ( s ) 1 ( x s ) + p ( s ) α ( s ) β ( s ) q ( s ) ( x , y ) = 2 ( y s ) + i,j x i x j + i,j y i y j + i,j>s i,j>s � � � γ ( s ) δ ( s ) ǫ ( s ) i y i + η ( s ) , + i,j x i y j + i x i + ∀ s = 1 , . . . , d i,j>s i>s i>s where p ( s ) 1 , p ( s ) 2 , s = 1 , . . . , d , - quadratic permutations over F p k . www.ntnu.no Simona Samardjiska, PhD defence

  56. 29 Paper I1: Constructions of MQQs Results: Two new methods for constructing MQQs over arbitrary F p k . Superclass of the MQQ-SIG quasigroups! Extension from F 2 to F p k . Offer substantial efficiency Bilinear MQQs improvement to MQQ-SIG! Direct generalization of the construction used in MQQ-SIG MQQs from T-functions (T-MQQs) Using linear isotopy, no bilinear structure q = ( q (1) , q (2) , . . . , q ( d ) ) : F 2 d p k → F d p k : � � p ( s ) 1 ( x s ) + p ( s ) α ( s ) β ( s ) q ( s ) ( x , y ) = 2 ( y s ) + i,j x i x j + i,j y i y j + i,j>s i,j>s � � � γ ( s ) δ ( s ) ǫ ( s ) i y i + η ( s ) , + i,j x i y j + i x i + ∀ s = 1 , . . . , d i,j>s i>s i>s where p ( s ) 1 , p ( s ) 2 , s = 1 , . . . , d , - quadratic permutations over F p k . www.ntnu.no Simona Samardjiska, PhD defence

  57. 30 Paper I2: From MQQs to LMQQs Results: A method for constructing Left MQQs (LMQQs) In MQQ-SIG, only one parastrophe needed for the trapdoor LMQQs reduce the unnecessary structure! Generalization of the construction from Paper I1 www.ntnu.no Simona Samardjiska, PhD defence

  58. 30 Paper I2: From MQQs to LMQQs Results: A method for constructing Left MQQs (LMQQs) In MQQ-SIG, only one parastrophe needed for the trapdoor LMQQs reduce the unnecessary structure! Generalization of the construction from Paper I1 q = ( q (1) , q (2) , . . . , q ( d ) ) : F 2 d p k → F d p k : � � α ( s ) β ( s ) q ( s ) ( x , y ) p ( s ) ( y s ) + = i,j x i x j + i,j y i y j + i,j i,j>s � � � γ ( s ) δ ( s ) ǫ ( s ) i y i + η ( s ) , + i,j x i y j + i x i + ∀ s = 1 , . . . , d j>s i>s where p ( s ) , s = 1 , . . . , d , - quadratic permutation over F p k . www.ntnu.no Simona Samardjiska, PhD defence

  59. 30 Paper I2: From MQQs to LMQQs Results: A method for constructing Left MQQs (LMQQs) In MQQ-SIG, only one parastrophe needed for the trapdoor LMQQs reduce the unnecessary structure! Generalization of the construction from Paper I1 Additionally: A special subclass of LMQQs distinguished LMQQ whose left parastrophe is also LMQQ Used as a proof of concept of a new model for multivariate Identity Based Encryption in Paper A1 Two algorithms for construction: Backtracking Direct, deterministic, of a smaller class www.ntnu.no Simona Samardjiska, PhD defence

  60. 31 Paper I3: From MQQ to MQ DO polynomials (HFE) Motivation: n − 1 Permutation behaviour? � a i,j X 2 i +2 j , f ( X ) = a i,j ∈ F 2 n . Affine non-equivalence to i,j =0 monomials? www.ntnu.no Simona Samardjiska, PhD defence

  61. 31 Paper I3: From MQQ to MQ DO polynomials (HFE) Motivation: n − 1 Permutation behaviour? � a i,j X 2 i +2 j , f ( X ) = a i,j ∈ F 2 n . Affine non-equivalence to i,j =0 monomials? C ∗ scheme: f ( X ) = X 2 m +1 Linearization Attack! XY 2 m = X 2 2 m Y www.ntnu.no Simona Samardjiska, PhD defence

  62. 31 Paper I3: From MQQ to MQ DO polynomials (HFE) Motivation: n − 1 Permutation behaviour? � a i,j X 2 i +2 j , f ( X ) = a i,j ∈ F 2 n . Affine non-equivalence to i,j =0 monomials? Blokhuis et al. ’01: We extend to : Bilinear permutations over F 2 n P ( X ) = X ( L 2 ( X ) + X · L 3 ( X )) P ( X ) = X · L ( X ) , www.ntnu.no Simona Samardjiska, PhD defence

  63. 31 Paper I3: From MQQ to MQ DO polynomials (HFE) Motivation: n − 1 Permutation behaviour? � a i,j X 2 i +2 j , f ( X ) = a i,j ∈ F 2 n . Affine non-equivalence to i,j =0 monomials? Blokhuis et al. ’01: We extend to : Bilinear permutations over F 2 n P ( X ) = X ( L 2 ( X ) + X · L 3 ( X )) P ( X ) = X · L ( X ) , 1. Exhaustive search for small fields n � 16 2. New classes of permutation polynomials recognized! www.ntnu.no Simona Samardjiska, PhD defence

  64. 32 Paper I3: From MQQ to MQ Results: Permutation binomials : For n � 16 , all ≡ monomials Permutation trinomials : For n � 10 , Two classes ≡ monomials Two classes ≡ weak permutations Three polynomials �≡ monomials www.ntnu.no Simona Samardjiska, PhD defence

  65. 32 Paper I3: From MQQ to MQ Results: An interesting class Permutation binomials : For n � 16 , all ≡ monomials n = kℓ , k > 1 is odd, a, b ∈ F 2 ℓ , Tr k l - trace from F 2 n to F 2 l Permutation trinomials : For n � 10 , Two classes ≡ monomials P ( X ) = X ( a Tr k ℓ ( X ) + aX + b ) Two classes ≡ weak permutations Three polynomials �≡ monomials b � = 0 ⇒ permutation polynomial b � = 0 , 1 ⇒ complete mapping New Constructions from the class: recursive construction of PP and CM over bigger fields Sets of Mutually Orthogonal Latin Squares Bent Vectorial Functions from Maiorana-McFarland class www.ntnu.no Simona Samardjiska, PhD defence

  66. 33 II The MQQ family - Design improvements and analysis Paper I5 Paper I1 Paper I4 Paper I6 I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC I5 On the Strong and Weak Keys in MQQ-SIG I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems www.ntnu.no Simona Samardjiska, PhD defence

  67. 34 Paper I1: Efficiency improvements of MQQ-SIG using the new constructions of MQQs Results: Extension from F 2 to any F p k ⇒ Reduction of the public key size of MQQ-SIG up to 58 times . = Size in Kbytes n GF (2) GF (2 2 ) GF (2 4 ) GF (2 8 ) 160 125.79 32.43 8.41 2.26 192 217.14 55.70 14.36 3.81 224 344.55 88.06 22.60 5.95 256 514.02 131.02 33.52 8.77 www.ntnu.no Simona Samardjiska, PhD defence

  68. 35 Paper I1: Efficiency improvements of MQQ-SIG using the new constructions of MQQs Results: Key Observation: MQQ-SIG uses MQQs linearly isotopic to T-MQQs of the form q 0 ( x , y ) = A ( x ) · y + x = ⇒ New decryption algorithm with improved performance: From O ( d 3 ) to O ( d 2 ) . www.ntnu.no Simona Samardjiska, PhD defence

  69. 35 Paper I1: Efficiency improvements of MQQ-SIG using the new constructions of MQQs Results: Key Observation: MQQ-SIG uses MQQs linearly isotopic to T-MQQs of the form q 0 ( x , y ) = A ( x ) · y + x = ⇒ New decryption algorithm with improved performance: From O ( d 3 ) to O ( d 2 ) . = ⇒ Reduction of the private key size Size in bytes d = 8 Bilinear MQQs MQQs from T-MQQs previous new previous new GF (2) 81 50 . 5 137 66 . 5 GF (2 k ) 81 k 50 . 5 k 153 k 75 . 5 k www.ntnu.no Simona Samardjiska, PhD defence

  70. 36 Paper I4: MQQ-ENC - a new encryption scheme Design choices: Over F 2 k , k ∈ { 1 , 2 , 4 , 8 } r removed polynomials LMQQs of order 2 8 k Specially constructed matrices S and T www.ntnu.no Simona Samardjiska, PhD defence

  71. 36 Paper I4: MQQ-ENC - a new encryption scheme Design choices: Over F 2 k , k ∈ { 1 , 2 , 4 , 8 } r removed polynomials LMQQs of order 2 8 k Specially constructed matrices S and T h = H ( m || r ) m r h P c www.ntnu.no Simona Samardjiska, PhD defence

  72. 36 Paper I4: MQQ-ENC - a new encryption scheme Design choices: Over F 2 k , k ∈ { 1 , 2 , 4 , 8 } r removed polynomials LMQQs of order 2 8 k Specially constructed matrices S and T h = H ( m || r ) m r h S q n/ 8 − 1 q 1 q 2 · · · u x 1 x n/ 8 − 1 x n/ 8 F P y 1 · · · y n/ 8 − 1 y n/ 8 T c www.ntnu.no Simona Samardjiska, PhD defence

  73. 36 Paper I4: MQQ-ENC - a new encryption scheme Design choices: Properties: Over F 2 k , k ∈ { 1 , 2 , 4 , 8 } probabilistic encryption r removed polynomials negligible decryption error LMQQs of order 2 8 k IND-CCA under MQQ assumption Specially constructed matrices S and T h = H ( m || r ) Accept if h = h ′ m r m ′ r ′ h ′ h S S − 1 F P F − 1 Try all values T T − 1 c c www.ntnu.no Simona Samardjiska, PhD defence

  74. 36 Paper I4: MQQ-ENC - a new encryption scheme Design choices: Properties: Over F 2 k , k ∈ { 1 , 2 , 4 , 8 } probabilistic encryption r removed polynomials negligible decryption error LMQQs of order 2 8 k IND-CCA under MQQ assumption Specially constructed parameters for 128 bits security matrices S and T field F 2 F 4 F 16 F 256 n 256 128 64 32 r 8 4 2 1 www.ntnu.no Simona Samardjiska, PhD defence

  75. 37 Paper I4: MQQ-ENC - a new encryption scheme The LMQQs of order 2 dk : q ( x , y ) = D · q 0 ( x , D y · y + c y ) + c q 0 - T-LMQQ defined over F 2 k , D , D y - matrices, c , c y - vectors www.ntnu.no Simona Samardjiska, PhD defence

  76. 37 Paper I4: MQQ-ENC - a new encryption scheme Why LMQQs? The LMQQs of order 2 dk : Gröbner bases experiments: q ( x , y ) = D · q 0 ( x , D y · y + c y ) + c 14 q 0 - T-LMQQ defined over F 2 k , 12 D , D y - matrices, c , c y - vectors 10 8 6 4 2 0 24 32 40 48 56 64 72 80 88 96 Dreg,rand Dreg,MQQ-ENC Dreg,MQQ-ENCbl www.ntnu.no Simona Samardjiska, PhD defence

  77. 37 Paper I4: MQQ-ENC - a new encryption scheme Why LMQQs? The LMQQs of order 2 dk : Gröbner bases experiments: q ( x , y ) = D · q 0 ( x , D y · y + c y ) + c 14 q 0 - T-LMQQ defined over F 2 k , 12 D , D y - matrices, c , c y - vectors 10 8 The MQQs from MQQ-SIG are 6 too weak when small number 4 of polynomials removed! 2 0 24 32 40 48 56 64 72 80 88 96 Dreg,rand Dreg,MQQ-ENC Dreg,MQQ-ENCbl www.ntnu.no Simona Samardjiska, PhD defence

  78. 37 Paper I4: MQQ-ENC - a new encryption scheme Why LMQQs? The LMQQs of order 2 dk : Gröbner bases experiments: q ( x , y ) = D · q 0 ( x , D y · y + c y ) + c 14 q 0 - T-LMQQ defined over F 2 k , 12 D , D y - matrices, c , c y - vectors 10 8 The MQQs from MQQ-SIG are 6 too weak when small number 4 of polynomials removed! 2 0 24 32 40 48 56 64 72 80 88 96 Dreg,rand Dreg,MQQ-ENC Dreg,MQQ-ENCbl Strong implication that the internal structure of the MQQs is very important! www.ntnu.no Simona Samardjiska, PhD defence

Recommend

General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the

General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the

General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) K. Sakurai(ISIT) Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate

587 views • 23 slides
Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University of Darmstadt 1 1. General Introduction 2. Multivariate public key cryptosystems 3. Challenges 2 1 General Introduction In June 2006, in Belgium,

1.06k views • 68 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2

Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2

Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus University, Denmark 3 University of Zurich,

423 views • 29 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
Ironing, Sweeping, and Multivariate Majorization Optimal Mechanisms for Mass-Produced Goods (with

Ironing, Sweeping, and Multivariate Majorization Optimal Mechanisms for Mass-Produced Goods (with

Ironing, Sweeping, and Multivariate Majorization Optimal Mechanisms for Mass-Produced Goods (with Jacob Goeree (UNSW) and Ningyi Sun (UNSW)) Nick Bedard (WLU) Virtual MD Seminar, Oct. 26 Nick Bedard (WLU) Optimal Mechanisms for Mass-Produced

1.11k views • 86 slides
Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer Well talk about just one in detail: the one-time pad .

250 views • 6 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of Science Israel Foundations of Cryptography Rigorous analysis of the security of cryptographic schemes Adversarial model Notion of security

428 views • 20 slides
Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given the time Security Notions and computational resources. However,

307 views • 10 slides
Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

1 Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69 submissions in first round, from hundreds of people. (+13 submissions that NIST declared incomplete or improper.) 22 signature-system submissions. 5

1.97k views • 196 slides
Outline Multivariate Data 1 Multivariate Parametric Methods Multivariate Normal Distribution 2

Outline Multivariate Data 1 Multivariate Parametric Methods Multivariate Normal Distribution 2

Multivariate Data Multivariate Normal Distribution Multivariate Classification Multivariate Regression Multivariate Data Multivariate Normal Distribution Multivariate Classification Multivariate Regression Outline Multivariate Data 1

319 views • 7 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

379 views • 33 slides
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica

Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica

Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec.

973 views • 49 slides
Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan

Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan

CS 598 - COMPUTER SECURITY IN THE PHYSICAL WORLD Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan What are cryptosystems? - A suite of cryptographic algorithms (generation, encryption and

834 views • 16 slides
Mack Energy Corporation Produced Water Pit PRODUCED WATER What is it? PRODUCED WATER

Mack Energy Corporation Produced Water Pit PRODUCED WATER What is it? PRODUCED WATER

Mack Energy Corporation Produced Water Pit PRODUCED WATER What is it? PRODUCED WATER What does the industry currently do with it? Pipelines Trucks Secondary Recovery Salt Water Disposals (SWD) PRODUCED WATER

509 views • 18 slides
T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction to modern cryptographic primitives Kaufman et al: Chapter 2 Stallings: Chapter 2 1 2.1 Classical Cryptosystems Ceasar Cipher, or Shift Cipher

555 views • 21 slides
Introduction to Multivariate Public Key Cryptography Geovandro Carlos C. F. Pereira PhD advisor:

Introduction to Multivariate Public Key Cryptography Geovandro Carlos C. F. Pereira PhD advisor:

Introduction to Multivariate Public Key Cryptography Geovandro Carlos C. F. Pereira PhD advisor: Prof. Dr. Paulo S. L. M. Barreto LARC - Computer Architecture and Networking Lab Department of Computer Engineering and Digital Systems Escola

1.04k views • 101 slides
The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean

The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean

The Design of Cryptosystems 1 Stefan Lucks The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean Workshop on Applied Cryptography 3rd of December, 2010 Stefan Lucks Bauhaus-Universit at Weimar,

715 views • 48 slides
Advanced PHP Dr. Steven Bitner A/B and Multivariate testing Why use multivariate testing If

Advanced PHP Dr. Steven Bitner A/B and Multivariate testing Why use multivariate testing If

Advanced PHP Dr. Steven Bitner A/B and Multivariate testing Why use multivariate testing If your employer is interested in understanding how effective certain changes are, you may consider A/B or multivariate testing How to do it First,

372 views • 12 slides
Multivariate Normal Distribution Max Turgeon STAT 4690Applied Multivariate Analysis Building

Multivariate Normal Distribution Max Turgeon STAT 4690Applied Multivariate Analysis Building

Multivariate Normal Distribution Max Turgeon STAT 4690Applied Multivariate Analysis Building the multivariate density i random variable. Recall that its density is given by distributed, their joint density is 2 Let Z N (0 , 1) be a

382 views • 22 slides

More recommend