Multivariate Quadratic Public-Key Cryptography, Part 1: Basics
Bo-Yin Yang, Academia Sinica
PQCrypto Executive Summer School 2017, Eindhoven, the Netherlands, Friday, 23.06.2017
B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 1 / 13
Multivariate Cryptography
MPKC: Multivariate (Quadratic) Public Key Cryptosystem
Public Key: a system of nonlinear multivariate equations
$p^{(1)}(x_1, \dots, x_n) = \sum_{i=1}^{n} \sum_{j=i}^{n} p^{(1)}_{ij} \cdot x_i x_j + \sum_{i=1}^{n} p^{(1)}_{i} \cdot x_i + p^{(1)}_{0}$
$p^{(2)}(x_1, \dots, x_n) = \sum_{i=1}^{n} \sum_{j=i}^{n} p^{(2)}_{ij} \cdot x_i x_j + \sum_{i=1}^{n} p^{(2)}_{i} \cdot x_i + p^{(2)}_{0}$
$\vdots$
$p^{(m)}(x_1, \dots, x_n) = \sum_{i=1}^{n} \sum_{j=i}^{n} p^{(m)}_{ij} \cdot x_i x_j + \sum_{i=1}^{n} p^{(m)}_{i} \cdot x_i + p^{(m)}_{0}$
Public key size $= m \cdot \binom{n + d}{d}$ at degree $d$, hence usually $d = 2$.
Security
The security of multivariate schemes is based on the
Problem MQ: Given $m$ multivariate quadratic polynomials $p^{(1)}(x), \dots, p^{(m)}(x)$, find a vector $\bar{x} = (\bar{x}_1, \dots, \bar{x}_n)$ such that $p^{(1)}(\bar{x}) = \dots = p^{(m)}(\bar{x}) = 0$.
NP-hard; believed to be hard on average even for quantum computers: suppose we have a probabilistic algorithm $A$ and a subexponential function $\eta$; then $A$ terminates with an answer to a random instance from $\mathrm{MQ}(n, m = an, \mathbb{F}_q)$ in time $\eta(n)$ with probability $\mathrm{negl}(n)$.
Higher-order versions (MP for Multivariate Polynomials, or PoSSo for Polynomial System Solving) are clearly no less hard.
However, there is usually no direct reduction to MQ!!
Identification Scheme of Sakumoto et al. and MQDSS
An example 5-pass ID scheme depending only on MQ
Let $P$ be a random MQ instance. Its "polar" form: $D_P(x, y) := P(x + y) - P(x) - P(y) - P(0)$.
$P(s) = p$ is the public key, $s$ is the secret.
Peter picks and commits random $(r_0, t_0, e_0)$, sets $r_1 = s - r_0$ and commits $(r_1, D_P(t_0, r_1) + e_0)$.
Vera sends random $\alpha$; Peter sets and sends $t_1 := \alpha r_0 - t_0$, $e_1 := \alpha P(r_0) - e_0$.
Vera sends challenge $Ch$; Peter sends $r_{Ch}$.
Vera checks the commitment of either $(r_0, \alpha r_0 - t_1, \alpha P(r_0) - e_1)$ or $(r_1, \alpha (p - P(r_1)) - D_P(t_1, r_1) - e_1)$.
The Fiat-Shamir transform of this ID scheme is the MQDSS scheme.
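The 5-pass exchange above, as an added toy implementation that is not part of the slides: a random MQ instance over a constructed field $\mathbb{F}_{31}$ with $n = m = 6$, a hash-based commitment, and Vera's two checks. The MQ systems here carry no constant term, so $P(0) = 0$ and the polar form is exactly bilinear, which is what the $Ch = 1$ check relies on.

```python
import hashlib, random

Q, N, M = 31, 6, 6          # constructed toy parameters: field F_31, n = 6 variables, m = 6 equations

def rand_mq_system(rng):    # P: F^n -> F^m, component k = sum_{i<=j} a_ij x_i x_j + sum_i b_i x_i, no constant
    return [([[rng.randrange(Q) * (i <= j) for j in range(N)] for i in range(N)],
             [rng.randrange(Q) for _ in range(N)]) for _ in range(M)]

def eval_mq(P, x):
    return [(sum(A[i][j] * x[i] * x[j] for i in range(N) for j in range(i, N))
             + sum(b[i] * x[i] for i in range(N))) % Q for A, b in P]

def vadd(u, v): return [(a + b) % Q for a, b in zip(u, v)]
def vsub(u, v): return [(a - b) % Q for a, b in zip(u, v)]
def vscale(c, u): return [c * a % Q for a in u]

def polar(P, x, y):         # D_P(x, y) = P(x + y) - P(x) - P(y); bilinear because P(0) = 0 here
    return vsub(vsub(eval_mq(P, vadd(x, y)), eval_mq(P, x)), eval_mq(P, y))

def commit(*vectors):       # toy commitment: hash of the serialised vectors (a hiding one also hashes randomness)
    return hashlib.sha256(repr(vectors).encode()).hexdigest()

def run_round(P, p, s, alpha, ch, rng):
    """One 5-pass round between Peter (prover, holds s) and Vera (verifier); returns Vera's verdict."""
    r0, t0 = ([rng.randrange(Q) for _ in range(N)] for _ in range(2))
    e0 = [rng.randrange(Q) for _ in range(M)]
    r1 = vsub(s, r0)
    c0, c1 = commit(r0, t0, e0), commit(r1, vadd(polar(P, t0, r1), e0))   # pass 1: commitments
    # pass 2: Vera sends alpha; pass 3: Peter answers with t1, e1
    t1 = vsub(vscale(alpha, r0), t0)
    e1 = vsub(vscale(alpha, eval_mq(P, r0)), e0)
    # pass 4: Vera sends ch; pass 5: Peter reveals r_ch and Vera recomputes the matching commitment
    if ch == 0:
        return c0 == commit(r0, vsub(vscale(alpha, r0), t1), vsub(vscale(alpha, eval_mq(P, r0)), e1))
    rhs = vsub(vsub(vscale(alpha, vsub(p, eval_mq(P, r1))), polar(P, t1, r1)), e1)
    return c1 == commit(r1, rhs)

def demo(seed=1, honest=True):
    """Run both challenges once; an impostor with a wrong secret passes ch = 0 but fails ch = 1."""
    rng = random.Random(seed)
    P = rand_mq_system(rng)
    s = [rng.randrange(Q) for _ in range(N)]
    p = eval_mq(P, s)                          # public key p = P(s)
    if not honest:
        s = vadd(s, [1] + [0] * (N - 1))
    return [run_round(P, p, s, rng.randrange(1, Q), ch, rng) for ch in (0, 1)]
```

The impostor case shows why a single round only catches a cheater with probability about one half, so many rounds (or the Fiat-Shamir transform over many rounds, as in MQDSS) are needed.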
Bipolar Construction
Easily invertible quadratic map $Q : \mathbb{F}^n \to \mathbb{F}^m$
Two invertible linear maps $T$ ($: \mathbb{F}^m \to \mathbb{F}^m$) and $S$ ($: \mathbb{F}^n \to \mathbb{F}^n$)
Public key: $P = T \circ Q \circ S$, supposed to look random
Private key: $S, Q, T$, allows to invert the public key
Encryption Schemes ($m \geq n$): TTM-related schemes (all broken); PMI+, IPHFE+; ZHFE (→ broken, cf. this conference); Simple Matrix (→ cf. this conference)
Signature Schemes ($m \leq n$): Unbalanced Oil and Vinegar (Rainbow, TTS); HFEv- (QUARTZ/Gui); pFLASH (→ this conference)
Workflow
Decryption / Signature Generation: $z \in \mathbb{F}^m \xrightarrow{T^{-1}} y \in \mathbb{F}^m \xrightarrow{Q^{-1}} x \in \mathbb{F}^n \xrightarrow{S^{-1}} w \in \mathbb{F}^n$
Encryption / Signature Verification: $w \in \mathbb{F}^n \xrightarrow{P} z \in \mathbb{F}^m$
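The bipolar construction and this workflow, as an added example that is not code from the slides: an Unbalanced Oil and Vinegar central map over a constructed field $\mathbb{F}_{31}$ with 6 vinegar and 4 oil variables, random invertible affine $S$ and $T$, signing by $S^{-1} \circ Q^{-1} \circ T^{-1}$ and verification by evaluating $P = T \circ Q \circ S$. The public key is evaluated as a composition here; a real scheme expands it into $m$ explicit quadratics.

```python
import random

Q, V, O = 31, 6, 4; N, M = V + O, O   # constructed toy parameters: F_31, 6 vinegar + 4 oil vars, m = 4 equations

def solve_mod(A, b):       # Gauss-Jordan over F_Q: return x with A x = b, or None if A is singular
    n, W = len(A), [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if W[r][c]), None)
        if piv is None: return None
        W[c], W[piv] = W[piv], W[c]
        W[c] = [v * pow(W[c][c], -1, Q) % Q for v in W[c]]
        for r in range(n):
            if r != c and W[r][c]:
                W[r] = [(a - W[r][c] * p) % Q for a, p in zip(W[r], W[c])]
    return [row[n] for row in W]

def affine(L, x):          # L = (matrix, offset) represents the map x -> A x + c
    return [(sum(a * xi for a, xi in zip(row, x)) + ci) % Q for row, ci in zip(*L)]
def affine_inv(L, y):
    return solve_mod(L[0], [(yi - ci) % Q for yi, ci in zip(y, L[1])])

def rand_affine(rng, n):   # random invertible affine map on F_Q^n
    while True:
        A = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        if solve_mod(A, [0] * n) is not None:
            return A, [rng.randrange(Q) for _ in range(n)]

def rand_central(rng):     # UOV central map: m quadratics whose coefficient matrices have no oil*oil block
    return [[[rng.randrange(Q) * (i <= j and i < V) for j in range(N)] for i in range(N)] for _ in range(M)]
def eval_central(F, x):
    return [sum(Fk[i][j] * x[i] * x[j] for i in range(N) for j in range(i, N)) % Q for Fk in F]

def invert_central(F, y, rng):   # fix vinegar at random, then solve the linear O x O system in the oil vars
    while True:
        v = [rng.randrange(Q) for _ in range(V)]
        A = [[sum(Fk[i][V + o] * v[i] for i in range(V)) % Q for o in range(O)] for Fk in F]
        b = [(yk - sum(Fk[i][j] * v[i] * v[j] for i in range(V) for j in range(i, V))) % Q
             for Fk, yk in zip(F, y)]
        if (oil := solve_mod(A, b)) is not None:   # singular system: retry with other vinegar values
            return v + oil

def keygen(seed):          # private key (S, Q, T); public key P = T o Q o S, here evaluated on demand
    rng = random.Random(seed)
    S, F, T = rand_affine(rng, N), rand_central(rng), rand_affine(rng, M)
    return (lambda w: affine(T, eval_central(F, affine(S, w)))), (S, F, T, rng)

def sign(private, z):      # w = S^-1(Q^-1(T^-1(z))): the decryption / signing arrow of the workflow slide
    S, F, T, rng = private
    return affine_inv(S, invert_central(F, affine_inv(T, z), rng))
```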
Isomorphism of Polynomials
Due to the bipolar construction, the security of MPKCs is also based on the
Problem EIP (Extended Isomorphism of Polynomials): Given the public key $P$ of a multivariate public key cryptosystem, find affine maps $\bar{S}$ and $\bar{T}$ as well as a quadratic map $\bar{Q}$ in class $\mathcal{C}$ such that $P = \bar{T} \circ \bar{Q} \circ \bar{S}$.
⇒ Hardness of the problem depends heavily on the structure of the central map
⇒ In general, not much is known about the complexity
⇒ Security analysis of multivariate schemes is a hard task
Generic (Direct) Attacks
Try to solve the public equation $P(w) = z$ as an instance of the MQ problem; all known algorithms have exponential running time (for $m \approx n$).
Known Best Generic Algorithms
For larger $q$: FXL ("Hybridized XL")
For $q = 2$: smart enumerative methods, i.e., the Joux-Vitse algorithm (an XL variant)
Complexity of Direct Attacks: how many equations are needed to meet given levels of security?
security level (bit)   F_2*   F_16   F_31   F_256
80                      88     30     28     26
100                    110     39     36     33
128                    140     51     48     43
192                    208     80     75     68
256                    280    110    103     93
* depending on how we model the Joux-Vitse algorithm
XL Algorithm
Given: nonlinear polynomials $f_1, \dots, f_m$ of degree $d$
1. eXtend: multiply each polynomial $f_1, \dots, f_m$ by every monomial of degree $\leq D - d$
2. Linearize: apply (sparse) linear algebra to solve the extended system
Complexity $= 3 \cdot \binom{n + d_{XL}}{d_{XL}}^2 \cdot \binom{n}{d}$ (for larger $q$)
or 2'. Linearize and use an improved XL: many variants...
XL Variants
FXL – XL with $k$ variables guessed or "hybridized": with $k$ initial guesses / fixing / "hybridization",
Complexity $= \min_k 3 q^k \cdot \binom{n - k + d_{XL}}{d_{XL}}^2 \cdot \binom{n - k}{d}$
[generic method with the best asymptotic multiplicative complexity].
XL'
1. eXtend: multiply each polynomial $f_1, \dots, f_m$ by monomials, up to total degree $\leq D$
2. Linearize: apply linear algebra to eliminate all monomials involving the first $k$ variables (and get at least $n - k$ such equations).
3. Enumerate over the remaining $n - k$ variables.
XL2 – simplified F4
1. eXtend: multiply each polynomial $f_1, \dots, f_m$ by monomials, up to total degree $\leq D$
2. Linearize: apply linear algebra to eliminate top-level monomials
3. Multiply degree $D - 1$ equations by variables, eliminate again.