
Multivariate Public Key Cryptosystems Produced by Quasigroups (PhD defence slides)

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence Trondheim, June 22, 2015 Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of


  1–5. (p. 13) MQ crypto: constructions and cryptanalysis (timeline after Thomae '13)
    1985  Constructions: MIA [IM85]; C* [MI88]
    1990  Cryptanalysis: MIA and C* [Pat95]
          Constructions: Birational Permutation [Sha93]; Cryptanalysis: Birational Permutation [CSV93, The95, CSV97]
    1995  Constructions: HFE [Pat96]; OV [Pat97]; UOV [KPG99]
          Cryptanalysis: OV [KS98]; HFE [KS99, FJ03, GJS06, DG10, DH11]
    2000  Constructions: Quartz [PCG01b]; Sflash [PCG01a, CGP03]; PMI [Din04]; RSE(2)PKC [KS04]; RSSE(2)PKC [KS05a]
          Cryptanalysis: RSE(2)PKC, RSSE(2)PKC [WBP04]; PMI [FGS05]
    2005  Constructions: Rainbow [DS05]; Cryptanalysis: Sflash [DFSS07]
    Scheme families marked on the slide: mixed-field schemes (MIA, C*, HFE lineage); Oil and Vinegar schemes (OV, UOV); stepwise triangular schemes (RSE(2)PKC, RSSE(2)PKC); mixed schemes, UOV + STS (Rainbow).
    Era labels: "Prime Time" at the top of the timeline, "Interest seriously declines" at the bottom.
    Bad reputation due to the break-and-patch history.
    But on the other hand... UOV and HFEv- signatures: non-broken variants of Patarin's schemes; provably secure identification scheme of Sakumoto et al.; QUAD, provably secure stream cipher, Berbain et al.
    More scrutiny needed for understanding the security.
    www.ntnu.no Simona Samardjiska, PhD defence

  6–9. (p. 14) Crucial for the security of MQ schemes: $\mathrm{PoSSo}(p_1, p_2, \ldots, p_m)$, the underlying NP-hard problem
    Input: $m$ polynomials $p_1, p_2, \ldots, p_m \in \mathbb{F}_q[x_1, \ldots, x_n]$ of degree $d \ge 2$.
    Question: Find, if any, a vector $(u_1, \ldots, u_n) \in \mathbb{F}_q^n$ such that
      $p_1(u_1, \ldots, u_n) = 0,\; p_2(u_1, \ldots, u_n) = 0,\; \ldots,\; p_m(u_1, \ldots, u_n) = 0.$
    NP-hard for $m = O(n)$ [KPG99].
    Directly invert the public key, but also model other attacks as systems of equations!
    State of the art algorithms: F4, F5 algorithms [Faugère '99, '02]; XL family of algorithms [Yang et al. '04, Mohamed et al. '08].

  10–12. (p. 15) Solving $\mathrm{PoSSo}(p_1, p_2, \ldots, p_m)$: F5 algorithm [Faugère '02]
    $\exists\, (u_1, \ldots, u_n) \in \mathbb{F}_q^n$ with $p_1(u_1, \ldots, u_n) = 0, \ldots, p_m(u_1, \ldots, u_n) = 0$
    $\Leftrightarrow$ for $(u_1, \ldots, u_n)$ it holds that $b_1(u_1, \ldots, u_n) = 0, \ldots, b_{n'}(u_1, \ldots, u_n) = 0$,
    where $\{b_1, b_2, \ldots, b_{n'}\}$ is the Gröbner basis of the ideal $\langle p_1, p_2, \ldots, p_m \rangle$.
    Complexity of the F5 algorithm: $O\!\left(\binom{n + d_{reg}}{d_{reg}}^{\omega}\right)$, with $2 \le \omega \le 3$ the linear algebra constant and $d_{reg}$ the maximum degree reached during the computation.
    If $d_{reg}$ is independent of $n$ $\Rightarrow$ polynomial complexity!!!

  13–15. (p. 16) Crucial for the security of MQ schemes: MinRank $\mathrm{MR}(n, r, k, M_1, \ldots, M_k)$
    Input: $n, r, k \in \mathbb{N}$, and $M_1, \ldots, M_k \in \mathcal{M}_n(\mathbb{F}_q)$.
    Question: Find, if any, a nonzero $k$-tuple $(\lambda_1, \ldots, \lambda_k) \in \mathbb{F}_q^k$ s.t. $\mathrm{Rank}\left(\sum_{i=1}^{k} \lambda_i M_i\right) \le r$.
    NP-hard!!! [Buss, Shallit '99]. However, [Kipnis, Shamir '99], [Courtois '01]: instances in MQ crypto can be much easier, even polynomial!
    Underlies the security of HFE, STS, Rainbow, ... and more.
    Solving MinRank: Kipnis-Shamir modeling ['99]; kernel method [GC '00]; minors modeling [FLP '08].

  16–19. (p. 17) Solving MinRank: Kipnis-Shamir modeling
    $\mathrm{Rank}\left(\sum_{i=1}^{k} \lambda_i M_i\right) \le r \;\Leftrightarrow\; \exists\, x^{(1)}, \ldots, x^{(n-r)} \in \mathrm{Ker}\left(\sum_{i=1}^{k} \lambda_i M_i\right)$,
    with the kernel vectors written in systematic form:
    $$\begin{pmatrix} x^{(1)}_1 & \cdots & x^{(1)}_r & 1 & & \\ \vdots & & \vdots & & \ddots & \\ x^{(n-r)}_1 & \cdots & x^{(n-r)}_r & & & 1 \end{pmatrix} \cdot \sum_{i=1}^{k} \lambda_i M_i = 0_{(n-r) \times n}$$
    $n(n-r)$ quadratic (bilinear) equations in $r(n-r) + k$ variables.
    Relinearization [Kipnis & Shamir '99].
    Gröbner bases [Faugère & Levy-dit-Vehel & Perret '08]: F5 algorithm, $O\!\left(\binom{n + d_{reg}}{d_{reg}}^{\omega}\right)$, where $d_{reg} \le \min(n_X, n_Y) + 1$ for a bilinear system in $X$, $Y$ blocks of variables of sizes $n_X$, $n_Y$.

  20. (p. 18) Outline: Motivation; Research goals and objectives; MQ cryptosystems; The MQQ family; Results: (I) Construction of functions for MQ trapdoors, (II) The MQQ family: design improvements and analysis, (III) Security of MQ schemes; Conclusion.

  21–26. (p. 19) The MQQ family of cryptosystems: a proposal to use quasigroups in MQ cryptography
    Quasigroups in symmetric crypto: IDEA block cipher [Lai '91]; Edon80 [Gligoroski et al. '08], finalist (hardware) of eSTREAM; CryptMT [Matsumoto et al. '08], finalist (software) of eSTREAM; Blue Midnight Wish (BMW) [Gligoroski et al. '09], round 2 candidate of SHA-3; Edon-R [Gligoroski et al. '09] and NaSHA [Markovski & Mileva '08], round 1 candidates of SHA-3.
    Quasigroup $(Q, q)$: $R_{q,a}: Q \to Q$, $R_{q,a}(x) = q(x, a)$ and $L_{q,a}: Q \to Q$, $L_{q,a}(x) = q(a, x)$ are bijections for every $a \in Q$.
    Left quasigroup $(Q, q)$: only $L_{q,a}: Q \to Q$, $L_{q,a}(x) = q(a, x)$ is required to be a bijection for every $a \in Q$.
    Example (table of $q$ on $Q = \{0, \ldots, 7\}$; row $a$, column $b$ gives $q(a, b)$):
      q | 0 1 2 3 4 5 6 7
      --+----------------
      0 | 2 3 6 7 0 1 5 4
      1 | 6 7 5 4 2 3 0 1
      2 | 3 2 7 6 1 0 4 5
      3 | 7 6 4 5 3 2 1 0
      4 | 4 5 0 1 7 6 2 3
      5 | 0 1 3 2 5 4 7 6
      6 | 5 4 1 0 6 7 3 2
      7 | 1 0 2 3 4 5 6 7
    MQQ: Multivariate (a vectorial polynomial function $q = (q_1, \ldots, q_d): \mathbb{F}_q^{2d} \to \mathbb{F}_q^d$), Quadratic (algebraic degree 2), Quasigroup.
    The example above as an MQQ $q: \mathbb{F}_2^6 \to \mathbb{F}_2^3$:
      $q_1 = x_1 + x_3 + x_5 + x_1 x_5 + x_1 x_6,$
      $q_2 = 1 + x_3 + x_1 x_5 + x_6 + x_1 x_6,$
      $q_3 = x_2 + x_4 + x_1 x_5 + x_3 x_6 + x_5 x_6.$
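The MQQ example on this slide, checked in code. This is an added example, not code from the thesis or from the MQQ-SIG project: it rebuilds the 8x8 table from the three polynomials, verifies the quasigroup property, computes the left parastrophe $q^{\backslash}(a, z) = b$ that the MQQ-SIG inverse relies on, and measures the algebraic degree of both maps (the property Paper I2 is concerned with). The bit encoding (x1 and x4 as least significant bits, q1 as the most significant output bit) is not stated on the slide; it is an assumption chosen so that the polynomials reproduce the table.

```python
"""Check the 8-element MQQ from the slide: quasigroup property, left
parastrophe, and algebraic degree of q and of its parastrophe.

Assumed encoding (not given on the slide): a = x1 + 2*x2 + 4*x3,
b = x4 + 2*x5 + 4*x6, and the table value is 4*q1 + 2*q2 + q3.
"""

# The Cayley table from the slide: SLIDE_TABLE[a][b] == q(a, b).
SLIDE_TABLE = [
    [2, 3, 6, 7, 0, 1, 5, 4],
    [6, 7, 5, 4, 2, 3, 0, 1],
    [3, 2, 7, 6, 1, 0, 4, 5],
    [7, 6, 4, 5, 3, 2, 1, 0],
    [4, 5, 0, 1, 7, 6, 2, 3],
    [0, 1, 3, 2, 5, 4, 7, 6],
    [5, 4, 1, 0, 6, 7, 3, 2],
    [1, 0, 2, 3, 4, 5, 6, 7],
]


def bits3(v):
    """Three bits of v, least significant first."""
    return [(v >> i) & 1 for i in range(3)]


def mqq_poly(a, b):
    """The three quadratic coordinate polynomials from the slide, over F_2."""
    x1, x2, x3 = bits3(a)
    x4, x5, x6 = bits3(b)
    q1 = (x1 + x3 + x5 + x1 * x5 + x1 * x6) % 2
    q2 = (1 + x3 + x1 * x5 + x6 + x1 * x6) % 2
    q3 = (x2 + x4 + x1 * x5 + x3 * x6 + x5 * x6) % 2
    return 4 * q1 + 2 * q2 + q3  # assumption: q1 is the most significant bit


def poly_table():
    return [[mqq_poly(a, b) for b in range(8)] for a in range(8)]


def is_quasigroup(table):
    """Quasigroup <=> every L_{q,a} (a row) and every R_{q,a} (a column) is a bijection."""
    n = len(table)
    ident = list(range(n))
    left_ok = all(sorted(row) == ident for row in table)
    right_ok = all(sorted(table[a][b] for a in range(n)) == ident for b in range(n))
    return left_ok and right_ok


def left_parastrophe(table):
    r"""q\(a, z) = the unique b with q(a, b) = z (well defined when rows are bijections)."""
    n = len(table)
    par = [[None] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            par[a][table[a][b]] = b
    return par


def anf_degree(truth):
    """Algebraic degree of a Boolean function given as a truth table of length 2^n
    (bit i of the index is variable i), computed via the Moebius transform."""
    n = len(truth).bit_length() - 1
    c = list(truth)
    for i in range(n):
        step = 1 << i
        for idx in range(len(c)):
            if idx & step:
                c[idx] ^= c[idx ^ step]
    return max((bin(m).count("1") for m, v in enumerate(c) if v), default=0)


def vectorial_degree(table):
    """Max algebraic degree over the three output bits of a map on {0..7} x {0..7};
    the six input variables are the bits of (row, column)."""
    degs = []
    for k in range(3):
        truth = [(table[v & 7][v >> 3] >> k) & 1 for v in range(64)]
        degs.append(anf_degree(truth))
    return max(degs)


def check_slide_example():
    """(polynomials reproduce the table, quasigroup?, deg q, deg of left parastrophe)."""
    t = poly_table()
    return (t == SLIDE_TABLE, is_quasigroup(t), vectorial_degree(t),
            vectorial_degree(left_parastrophe(t)))


if __name__ == "__main__":
    print(check_slide_example())  # (True, True, 2, 3)
```

The last value shows that for this MQQ the left parastrophe is cubic even though q itself is quadratic, which is why the MQQ-SIG inverse solves q(x, y) = z for y (or uses a look-up table) instead of evaluating an explicit polynomial for the parastrophe.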

  27. (p. 20) The MQQ family of cryptosystems: MQQ encryption scheme [GMK08]
    Over $\mathbb{F}_2$. The internal mapping: Dobbertin permutation + bilinear MQQs of order $2^5$.
    Direct algebraic attack [Mohamed et al. '09, Faugère et al. '10]: XL algorithm, Gröbner bases.

  28. (p. 20) The MQQ family of cryptosystems: MQQ-SIG signature scheme [GØJPFKM11]
    Over $\mathbb{F}_2$.
    Security measure (against the previous attack): $n/2$ equations removed.
    Performance measures (smaller key size, faster evaluation in SW, more compact in HW): the internal mapping is one bilinear MQQ of order $2^8$; $S$ and $T$ designed using circulant matrices; signing with a twice smaller key.
    Fastest on (eBACS) SUPERCOP.
    Recommended parameters:
      Security  2^80  2^96  2^112  2^128
      n         160   192   224    256

  29–31. (p. 21) The central map of MQQ-SIG: the private $F$
    Diagram: the input is split into 8-bit blocks $x_1, \ldots, x_{n/8-1}, x_{n/8}$; the quasigroup operations $q_1, q_2, \ldots, q_{n/8-1}$ are applied along the chain of blocks, giving the output blocks $y_1, \ldots, y_{n/8-1}, y_{n/8}$.
    MQQs: $q(x, y) = z$, bijective.
    The MQQ of order $2^8$: $q(x, y) = B \cdot U(x) \cdot A_2 \cdot y + B \cdot A_1 \cdot x + c$, where
    $$U(x) = I_8 + \begin{pmatrix} U_1 \cdot A_1 \cdot x \\ U_2 \cdot A_1 \cdot x \\ \vdots \\ U_7 \cdot A_1 \cdot x \\ 0 \end{pmatrix}.$$

  32–34. (p. 21) The central map of MQQ-SIG: the inverse $F^{-1}$
    Diagram: the same chain of blocks $x_1, \ldots, x_{n/8}$ and $y_1, \ldots, y_{n/8}$, now traversed with the parastrophes $q_1^{\backslash}, q_2^{\backslash}, \ldots, q_{n/8-1}^{\backslash}$, which recover the blocks one at a time.
    Parastrophe: $q^{\backslash}(x, z) = y$.
    Solve the system of equations $q(x, y) = z$ in the unknown $y$ ($q^{\backslash}$ is not computed explicitly). Alternatively, a look-up table can be used.

  35. (p. 22) Signing and verification in MQQ-SIG
    Signing: $h = H(m) = h_0 \,\|\, h_1$; $y_0 = r_0 \,\|\, h_0$, $y_1 = r_1 \,\|\, h_1$; $x_0 = D(y_0)$, $x_1 = D(y_1)$; Signature $= (x_0, x_1)$.
    Verification: compute $H(m) = h_0 \,\|\, h_1$ and compare it with $E(x_0) \,\|\, E(x_1)$.

  36. (p. 23) Outline: Motivation; Research goals and objectives; MQ cryptosystems; The MQQ family; Results: (I) Construction of functions for MQ trapdoors, (II) The MQQ family: design improvements and analysis, (III) Security of MQ schemes; Conclusion.

  37–45. (p. 24) Emerging questions
    - Can the performance characteristics of MQQ-SIG be improved? (MQQ-SIG: 300–3,500 times faster in signing, but a > 1,000 times larger public key than RSA or ECDSA.)
    - How will the design tweaks that improve the performance affect the security? (Always a tradeoff: efficiency vs. security.)
    - Can we improve the construction of MQQs so that we gain on security in MQQ-SIG? (No diversity of efficient constructions.)
    - Even more, can this improvement lead to a design of an encryption scheme? (Better MQQs necessary for an encryption scheme.)
    - What are the necessary steps that can lead to a solid security framework for MQ cryptography?

  46–47. (p. 25) The research process
    Investigate: new constructions of MQQs, to benefit both the performance and the security of the MQQ family.
    Investigate: various cryptanalytic approaches against the MQQ cryptosystems.
    Research results: I Construction of functions for MQ trapdoors; II The MQQ family: design improvements and analysis; III Security of MQ schemes.

  48–51. (p. 26) The three contribution areas (Venn diagram on the slide)
    I Constructions of functions for MQ trapdoors: Papers I1, I2, I3
    II The MQQ family: design improvements and analysis: Papers I1, I4, I5, I6
    III Security of MQ schemes: Papers I4, I6, A1, I7 (I4 and I6 sit in the overlap of areas II and III)
    Papers:
      I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields. Simona Samardjiska, Yanling Chen and Danilo Gligoroski, JIAS, Vol. 7 (2012)
      I2 Left MQQs Whose Left Parastrophe is Also Quadratic. Simona Samardjiska and Danilo Gligoroski, CMUC Vol. 53, 3 (2012)
      I3 Quadratic Permutation Polynomials, Complete Mappings and Mutually Orthogonal Latin Squares. Simona Samardjiska and Danilo Gligoroski, under review in Mathematica Slovaca
      I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC. Danilo Gligoroski and Simona Samardjiska, SCC 2012
      I5 On the Strong and Weak Keys in MQQ-SIG. Håkon Jacobsen, Simona Samardjiska and Danilo Gligoroski, ICT Innovations 2012
      I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems. Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska and Enrico Thomae, PKC 2015
      I7 Linearity Measures for Multivariate Public Key Cryptography. Simona Samardjiska and Danilo Gligoroski, SECURWARE 2014
      A1 Towards a Secure Multivariate Identity-Based Encryption. Simona Samardjiska and Danilo Gligoroski, ICT Innovations 2012

  52. (p. 27) Outline: Motivation; Research goals and objectives; MQ cryptosystems; The MQQ family; Results: (I) Construction of functions for MQ trapdoors, (II) The MQQ family: design improvements and analysis, (III) Security of MQ schemes; Conclusion.

  53. (p. 28) I Constructions of functions for MQ trapdoors (Papers I1, I2, I3)
    I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields
    I2 Left MQQs Whose Left Parastrophe is Also Quadratic
    I3 Quadratic Permutation Polynomials, Complete Mappings and Mutually Orthogonal Latin Squares

  54–56. (p. 29) Paper I1: Constructions of MQQs
    Results: two new methods for constructing MQQs over arbitrary $\mathbb{F}_{p^k}$ (extension from $\mathbb{F}_2$ to $\mathbb{F}_{p^k}$).
    Bilinear MQQs: direct generalization of the construction used in MQQ-SIG. Superclass of the MQQ-SIG quasigroups! Offer substantial efficiency improvement to MQQ-SIG!
    MQQs from T-functions (T-MQQs): using linear isotopy, no bilinear structure.
    The constructed quasigroups $q = (q^{(1)}, q^{(2)}, \ldots, q^{(d)}): \mathbb{F}_{p^k}^{2d} \to \mathbb{F}_{p^k}^{d}$ have the form
    $$q^{(s)}(x, y) = p_1^{(s)}(x_s) + p_2^{(s)}(y_s) + \sum_{i,j>s} \alpha^{(s)}_{i,j} x_i x_j + \sum_{i,j>s} \beta^{(s)}_{i,j} y_i y_j + \sum_{i,j>s} \gamma^{(s)}_{i,j} x_i y_j + \sum_{i>s} \delta^{(s)}_{i} x_i + \sum_{i>s} \epsilon^{(s)}_{i} y_i + \eta^{(s)}, \quad \forall s = 1, \ldots, d,$$
    where $p_1^{(s)}, p_2^{(s)}$, $s = 1, \ldots, d$, are quadratic permutations over $\mathbb{F}_{p^k}$.

  57–59. (p. 30) Paper I2: From MQQs to LMQQs
    Results: a method for constructing left MQQs (LMQQs). In MQQ-SIG only one parastrophe is needed for the trapdoor; LMQQs reduce the unnecessary structure! Generalization of the construction from Paper I1:
    $q = (q^{(1)}, q^{(2)}, \ldots, q^{(d)}): \mathbb{F}_{p^k}^{2d} \to \mathbb{F}_{p^k}^{d}$,
    $$q^{(s)}(x, y) = p^{(s)}(y_s) + \sum_{i,j} \alpha^{(s)}_{i,j} x_i x_j + \sum_{i,j>s} \beta^{(s)}_{i,j} y_i y_j + \sum_{i,\, j>s} \gamma^{(s)}_{i,j} x_i y_j + \sum_{i} \delta^{(s)}_{i} x_i + \sum_{i>s} \epsilon^{(s)}_{i} y_i + \eta^{(s)}, \quad \forall s = 1, \ldots, d,$$
    where $p^{(s)}$, $s = 1, \ldots, d$, is a quadratic permutation over $\mathbb{F}_{p^k}$.
    Additionally: a special subclass of LMQQs distinguished, LMQQs whose left parastrophe is also an LMQQ. Used as a proof of concept of a new model for multivariate identity-based encryption in Paper A1.
    Two algorithms for construction: backtracking; direct, deterministic, for a smaller class.

  60–63. (p. 31) Paper I3: From MQQ to MQ
    DO polynomials (HFE): $f(X) = \sum_{i,j=0}^{n-1} a_{i,j} X^{2^i + 2^j}$, $a_{i,j} \in \mathbb{F}_{2^n}$.
    Motivation: permutation behaviour? Affine non-equivalence to monomials?
    C* scheme: $f(X) = X^{2^m + 1}$. Linearization attack! $X Y^{2^m} = X^{2^{2m}} Y$.
    Blokhuis et al. '01: bilinear permutations over $\mathbb{F}_{2^n}$, $P(X) = X \cdot L(X)$. We extend to: $P(X) = X \left( L_2(X) + X \cdot L_3(X) \right)$.
    1. Exhaustive search for small fields, $n \le 16$.
    2. New classes of permutation polynomials recognized!

  64–65. (p. 32) Paper I3: From MQQ to MQ, results
    Permutation binomials: for $n \le 16$, all $\equiv$ monomials.
    Permutation trinomials: for $n \le 10$, two classes $\equiv$ monomials; two classes $\equiv$ weak permutations; three polynomials $\not\equiv$ monomials.
    An interesting class: $n = k\ell$, $k > 1$ odd, $a, b \in \mathbb{F}_{2^\ell}$, $\mathrm{Tr}^k_\ell$ the trace from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^\ell}$:
      $P(X) = X \left( a\, \mathrm{Tr}^k_\ell(X) + a X + b \right)$
      $b \ne 0 \Rightarrow$ permutation polynomial; $b \ne 0, 1 \Rightarrow$ complete mapping.
    New constructions from the class: recursive construction of PPs and CMs over bigger fields; sets of mutually orthogonal Latin squares; bent vectorial functions from the Maiorana-McFarland class.

  66. (p. 33) II The MQQ family: design improvements and analysis (Papers I1, I4, I5, I6)
    I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields
    I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC
    I5 On the Strong and Weak Keys in MQQ-SIG
    I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

  67. Paper I1: Efficiency improvements of MQQ-SIG using the new constructions of MQQs (slide 34)
    Results: Extension from $\mathbb{F}_2$ to any $\mathbb{F}_{p^k}$ $\Rightarrow$ reduction of the public key size of MQQ-SIG up to 58 times.
    Public key size in Kbytes:
      n      GF(2)     GF(2^2)   GF(2^4)   GF(2^8)
      160    125.79    32.43     8.41      2.26
      192    217.14    55.70     14.36     3.81
      224    344.55    88.06     22.60     5.95
      256    514.02    131.02    33.52     8.77

  68-69. Paper I1: Efficiency improvements of MQQ-SIG using the new constructions of MQQs (slide 35)
    Key observation: MQQ-SIG uses MQQs linearly isotopic to T-MQQs of the form $q_0(\mathbf{x}, \mathbf{y}) = A(\mathbf{x}) \cdot \mathbf{y} + \mathbf{x}$
    $\Rightarrow$ New decryption algorithm with improved performance: from $O(d^3)$ to $O(d^2)$.
    $\Rightarrow$ Reduction of the private key size. Size in bytes, $d = 8$:
                   Bilinear MQQs          MQQs from T-MQQs
                   previous    new        previous    new
      GF(2)        81          50.5       137         66.5
      GF(2^k)      81k         50.5k      153k        75.5k

  70-74. Paper I4: MQQ-ENC - a new encryption scheme (slide 36)
    Design choices:
      over $\mathbb{F}_{2^k}$, $k \in \{1, 2, 4, 8\}$
      r removed polynomials
      LMQQs of order $2^{8k}$
      specially constructed matrices S and T
    Encryption (diagram): $h = H(m \,\|\, r)$; the input $(m, r, h)$ goes through S, then through the central map F built from the quasigroup chain $q_1, q_2, \ldots, q_{n/8-1}$ on the blocks $u, x_1, \ldots, x_{n/8-1}, x_{n/8}$ with outputs $y_1, \ldots, y_{n/8-1}, y_{n/8}$, then through T to the ciphertext c; the public map P covers the whole composition of S, F and T.
    Decryption (diagram): c goes through $T^{-1}$, then $F^{-1}$ (try all values), then $S^{-1}$, giving $(m', r', h')$; accept if $h = h'$.
    Properties:
      probabilistic encryption
      negligible decryption error
      IND-CCA under the MQQ assumption
    Parameters for 128 bits security:
      field    F_2     F_4     F_16    F_256
      n        256     128     64      32
      r        8       4       2       1

  75-78. Paper I4: MQQ-ENC - a new encryption scheme (slide 37)
    The LMQQs of order $2^{dk}$:
      $q(\mathbf{x}, \mathbf{y}) = D \cdot q_0(\mathbf{x}, D_y \cdot \mathbf{y} + c_y) + c$
      $q_0$ is a T-LMQQ defined over $\mathbb{F}_{2^k}$; $D$, $D_y$ are matrices; $c$, $c_y$ are vectors.
    Why LMQQs? Gröbner bases experiments:
      [Figure: plotted series Dreg,rand, Dreg,MQQ-ENC and Dreg,MQQ-ENCbl; vertical axis 0 to 14, horizontal axis 24 to 96]
    The MQQs from MQQ-SIG are too weak when a small number of polynomials is removed!
    Strong implication that the internal structure of the MQQs is very important!
