
Multivariate Quadratic Public-Key Cryptography Part 3: Small Field - PowerPoint PPT Presentation



  1. Multivariate Quadratic Public-Key Cryptography Part 3: Small Field Schemes
  Bo-Yin Yang, Academia Sinica
  PQCrypto Executive Summer School 2017, Eindhoven, the Netherlands, Friday, 23.06.2017
  B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Exec. Summer School 1 / 14

  2. Oil-Vinegar Polynomials [Patarin 1997]
  Let F be a (finite) field. For o, v ∈ N set n = o + v and define

    p(x_1, \dots, x_n) = \sum_{i=1}^{v} \sum_{j=i}^{v} \alpha_{ij} x_i x_j      (v × v terms)
                       + \sum_{i=1}^{v} \sum_{j=v+1}^{n} \beta_{ij} x_i x_j     (v × o terms)
                       + \sum_{i=1}^{n} \gamma_i x_i + \delta                   (linear terms)

  x_1, ..., x_v: Vinegar variables. x_{v+1}, ..., x_n: Oil variables. There are no o × o terms.
  If we randomly set x_1, ..., x_v, the result is linear in x_{v+1}, ..., x_n.

  (Unbalanced) Oil-Vinegar matrix
  The homogeneous quadratic part \tilde p of p(x_1, ..., x_n) can be written as \tilde p(x) = x^T · M · x with the quadratic form

    M = \begin{pmatrix} *_{v \times v} & *_{v \times o} \\ *_{o \times v} & 0_{o \times o} \end{pmatrix},

  where * denotes arbitrary entries subject to symmetry.

  3-4. Inversion of the UOV central map
  Let each of the o components of a UOV central map be a UOV polynomial.

  After guessing Vinegar variables
  When we guess the Vinegar variables x_1, ..., x_v, we get o linear equations in the o Oil variables x_{v+1}, ..., x_n ⇒ recovered by (Gaussian) elimination.
  If the system has no solution? Just choose other values for the Vinegar variables x_1, ..., x_v and try again.

  Toy Example in F = GF(7) with o = v = 2
  Q = (f^{(1)}, f^{(2)}) with

    f^{(1)}(x) = 2x_1^2 + 3x_1x_2 + 6x_1x_3 + x_1x_4 + 4x_2^2 + 5x_2x_4 + 3x_1 + 2x_2 + 5x_3 + x_4 + 6,
    f^{(2)}(x) = 3x_1^2 + 6x_1x_2 + 5x_1x_4 + 3x_2^2 + 5x_2x_3 + x_2x_4 + 2x_1 + 5x_2 + 4x_3 + 2x_4 + 1.

  Goal: find a pre-image Q^{-1}(y), y = (3, 4).
  Choose random values for x_1 and x_2, e.g. (x_1, x_2) = (1, 4):

    \tilde f^{(1)}(x_3, x_4) = 4x_3 + x_4 + 4 = w_1 = 3,
    \tilde f^{(2)}(x_3, x_4) = 3x_3 + 4x_4 = w_2 = 4.

  The pre-image of y is x = (1, 4, 1, 2).

  5-6. Operations of UOV
  Key Generation
  Take a UOV central map Q and an invertible S: F^n → F^n. P = Q ∘ S.

  Signature Generation
  1. Given: message d, take its hash y = H(d) under H: {0,1}^* → F^o.
  2. Compute a pre-image x ∈ F^n of y under the central map Q:
     - Choose random values for the Vinegar variables x_1, ..., x_v and substitute them into the central map polynomials f^{(1)}, ..., f^{(o)}.
     - Solve the resulting linear system for the Oil variables x_{v+1}, ..., x_n.
     - If the system has no solution, choose other values for the Vinegar variables and try again.
  3. Compute the signature w ∈ F^n by w = S^{-1}(x).

  Signature Verification
  Given: message d, signature w ∈ F^n.
  1. Compute z = H(d).
  2. Compute z' = P(w).
  Accept the signature ⇔ z = z'.
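The toy inversion of slides 3-4 and the key generation, signing and verification steps of slides 5-6, as an added Python example (this is not code from the slides or from any UOV implementation). It reproduces the slides' GF(7) pre-image x = (1, 4, 1, 2) from the Vinegar guess (1, 4), then runs a small UOV instance end to end. The matrix representation of the polynomials, the constructed parameters (o = 4, v = 8, p = 31), the linear S, the toy hash H (one SHA-256 digest reduced mod p) and all function names are assumptions of this example, not of the slides.

```python
"""Toy UOV over GF(p): central-map inversion by guessing Vinegar variables, P = Q o S,
signing w = S^-1(x) and verification P(w) == H(d). Added example, not from the slides."""
import hashlib
import random

def gauss_solve(A, B, p):
    """Solve A X = B over GF(p) by Gauss-Jordan elimination; None if A is singular."""
    n = len(A)
    M = [list(a) + list(b) for a, b in zip(A, B)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % p), None)
        if piv is None:
            return None                                    # singular: the "no solution" case
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col] % p, -1, p)
        M[col] = [x * inv % p for x in M[col]]
        for r in range(n):
            if r != col:
                M[r] = [(x - M[r][col] * y) % p for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]

def matmul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]

def poly_from_terms(n, terms):
    """(n+1)x(n+1) matrix M of a quadratic polynomial so that f(x) = (x,1)^T M (x,1); terms maps
    (i, j) -> quadratic coeff, (i,) -> linear coeff, () -> constant (0-based variable indices)."""
    M = [[0] * (n + 1) for _ in range(n + 1)]
    for key, c in terms.items():
        i, j = (key + (n, n))[:2]                          # pad with the constant coordinate n
        M[i][j] += c
    return M

def evaluate(M, x, p):
    xh = list(x) + [1]
    return sum(xh[i] * M[i][j] * xh[j] for i in range(len(xh)) for j in range(len(xh))) % p

def random_central_map(o, v, p, rng):
    """o random UOV polynomials: quadratic terms are v x v or v x o only, never o x o."""
    n = o + v
    return [poly_from_terms(n, {(): rng.randrange(p), **{(i,): rng.randrange(p) for i in range(n)},
                                **{(i, j): rng.randrange(p) for i in range(v) for j in range(i, n)}})
            for _ in range(o)]

def invert_with_vinegar(Q, y, v, p, vin):
    """Substitute Vinegar values; each f is then linear in the o Oil variables. None if singular."""
    o = len(Q)
    base = list(vin) + [0] * o
    const = [evaluate(f, base, p) for f in Q]              # all Oil variables set to 0
    # coefficient of Oil variable x_{v+k}: f(base with x_{v+k} = 1) - f(base), since f is linear in Oil
    A = [[(evaluate(f, base[:v + k] + [1] + base[v + k + 1:], p) - c0) % p for k in range(o)]
         for f, c0 in zip(Q, const)]
    sol = gauss_solve(A, [[(yi - c0) % p] for yi, c0 in zip(y, const)], p)
    return None if sol is None else list(vin) + [r[0] for r in sol]

def invert_central_map(Q, y, v, p, rng):
    x = None
    while x is None:                                       # singular system -> re-guess Vinegar
        x = invert_with_vinegar(Q, y, v, p, [rng.randrange(p) for _ in range(v)])
    return x

def keygen(o, v, p, rng):
    n = o + v
    Q = random_central_map(o, v, p, rng)
    S_inv = None
    while S_inv is None:                                   # draw linear S until it is invertible
        S = [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
        S_inv = gauss_solve(S, [[int(i == j) for j in range(n)] for i in range(n)], p)
    S_hat = [row + [0] for row in S] + [[0] * n + [1]]     # S extended to the constant coordinate
    P = [matmul(matmul([list(c) for c in zip(*S_hat)], M, p), S_hat, p) for M in Q]  # S_hat^T M S_hat
    return P, (Q, S_inv)                                   # public P = Q o S; private (Q, S^-1)

def hash_to_field(msg, o, p):
    """H: {0,1}^* -> F^o, here one SHA-256 digest reduced mod p (toy: o <= 32, biased for small p)."""
    return [b % p for b in hashlib.sha256(msg).digest()[:o]]

def sign(sk, msg, v, p, rng):
    Q, S_inv = sk
    x = invert_central_map(Q, hash_to_field(msg, len(Q), p), v, p, rng)
    return [r[0] for r in matmul(S_inv, [[xi] for xi in x], p)]   # w = S^-1(x)

def verify(P, msg, w, p):
    return [evaluate(M, w, p) for M in P] == hash_to_field(msg, len(P), p)

# The slides' toy example in GF(7), o = v = 2 (x_1..x_4 are indices 0..3 here).
TOY_Q = [poly_from_terms(4, {(0, 0): 2, (0, 1): 3, (0, 2): 6, (0, 3): 1, (1, 1): 4, (1, 3): 5,
                             (0,): 3, (1,): 2, (2,): 5, (3,): 1, (): 6}),
         poly_from_terms(4, {(0, 0): 3, (0, 1): 6, (0, 3): 5, (1, 1): 3, (1, 2): 5, (1, 3): 1,
                             (0,): 2, (1,): 5, (2,): 4, (3,): 2, (): 1})]

def toy_preimage():
    """Vinegar guess (x_1, x_2) = (1, 4) and target y = (3, 4) give x = (1, 4, 1, 2)."""
    return invert_with_vinegar(TOY_Q, [3, 4], 2, 7, [1, 4])

def demo(o=4, v=8, p=31, seed=1):
    """Constructed parameters: sign a message, verify it, then verify against a tampered message."""
    rng = random.Random(seed)
    pk, sk = keygen(o, v, p, rng)
    w = sign(sk, b"constructed sample message", v, p, rng)
    return verify(pk, b"constructed sample message", w, p), verify(pk, b"tampered", w, p)
```

Storing each polynomial as an (n+1)×(n+1) matrix makes P = Q ∘ S a pair of matrix products, and it is also the form in which the OV-matrix structure of slide 2 (zero o × o block in Q, no visible structure in P) can be inspected directly. Note that `invert_with_vinegar` never special-cases the monomials: it relies only on the UOV property that f becomes linear once the Vinegar variables are fixed, which is exactly what a non-UOV polynomial would break.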

  7-9. Kipnis-Shamir OV attack when o = v
  O := {x ∈ F^n : x_1 = ... = x_v = 0}       "Oilspace"
  V := {x ∈ F^n : x_{v+1} = ... = x_n = 0}   "Vinegarspace"
  Let E, F be invertible "OV-matrices", i.e.

    E, F = \begin{pmatrix} * & * \\ * & 0 \end{pmatrix}.

  Then E · O ⊂ V. Since the two have the same rank, equality holds, so (F^{-1} · E) · O = O, i.e. O is an invariant subspace of F^{-1} · E.

  Common Subspaces
  Let H_i be the matrix representing the homogeneous quadratic part of the i-th public polynomial. Then we have H_i = S^T · E_i · S, i.e. S^{-1}(O) is an invariant subspace of the matrix H_j^{-1} · H_i, and we find S^{-1}.

  Summary of the Standard UOV Attack
  For v ≤ o, breaks the balanced OV scheme in polynomial time. For v > o the complexity of the attack is about q^{v-o} · o^4.
  ⇒ Choose v ≈ 2 · o (unbalanced Oil and Vinegar (UOV)) [KP99]

  10-11. Other Attacks
  Collision Attack: o ≥ 2ℓ / \log_2(q) for ℓ-bit security.
  Direct Attack: Try to solve the public equation P(w) = z as an instance of the MQ-Problem. The public systems of UOV behave much like random systems, but they are highly underdetermined (n = 3 · m).
  Result [Thomae]: A multivariate system of m equations in n = ω · m variables can be solved in the same time as a determined system of m − ⌊ω⌋ + 1 equations.
  ⇒ m has to be increased by 2.
  UOV-Reconciliation attack: Try to find a linear transformation S ("good keys") which transforms the public matrices H_i into the form of UOV matrices:

    (S^T)^{-1} · H_i · S^{-1} = \begin{pmatrix} * & * \\ * & 0 \end{pmatrix},   S = \begin{pmatrix} 1 & * \\ 0 & 1 \end{pmatrix}

  (the unknown block * of S is the T below).
  ⇒ Each zero term yields a quadratic equation in the elements of T.
  ⇒ T can be recovered by solving several MQ systems (the hardest with v variables, m equations).

  12. Summary of UOV
  Safe Parameters for UOV(F, o, v)

  security      scheme                 public key   private key   hash size   signature
  level (bit)                          size (kB)    size (kB)     (bit)       (bit)
  80            UOV(F_16, 40, 80)      144.2        135.2         160         480
                UOV(F_256, 27, 54)     89.8         86.2          216         648
  100           UOV(F_16, 50, 100)     280.2        260.1         200         600
                UOV(F_256, 34, 68)     177.8        168.3         272         816
  128           UOV(F_16, 64, 128)     585.1        538.1         256         768
                UOV(F_256, 45, 90)     409.4        381.8         360         1,080
  192           UOV(F_16, 96, 192)     1,964.3      1,786.7       384         1,152
                UOV(F_256, 69, 138)    1,464.6      1,344.0       552         1,656
  256           UOV(F_16, 128, 256)    4,644.1      4,200.3       512         1,536
                UOV(F_256, 93, 186)    3,572.9      3,252.2       744         2,232

  What we know today about UOV
  - unbroken since 1999 ⇒ high confidence in security
  - not the fastest multivariate scheme
  - very large keys, (comparably) large signatures
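Where the figures in the table come from, together with the three attack bounds of slides 7-11, as an added Python example (not from the slides). The slides do not state the counting convention; the one assumed here (all (n+1)(n+2)/2 monomials per public polynomial, an affine S with n(n+1) entries, central-map polynomials with v(v+1)/2 + v·o + n + 1 coefficients, log₂(q) bits per element, 1 kB = 1024 bytes) reproduces the table's key sizes to its rounding for most rows, so a reader can check a proposed (q, o, v) against the same bounds.

```python
"""Key, hash and signature sizes for UOV(F_q, o, v) and the attack bounds quoted on the slides
(collision, Kipnis-Shamir, Thomae). Added example; the size model is an assumption."""
import math

def uov_sizes(q, o, v):
    """Assumed size model (not stated on the slides, but it reproduces the table):
    public key  = o polynomials in n = o + v variables with all (n+1)(n+2)/2 monomials;
    private key = affine S with n(n+1) entries + o central-map polynomials, each with
                  v(v+1)/2 (v x v) + v*o (v x o) + n (linear) + 1 (constant) coefficients;
    one field element = log2(q) bits, 1 kB = 1024 bytes."""
    n, bits = o + v, math.log2(q)
    pub_elems = o * (n + 1) * (n + 2) // 2
    priv_elems = n * (n + 1) + o * (v * (v + 1) // 2 + v * o + n + 1)
    return {
        "public_kB": round(pub_elems * bits / 8 / 1024, 1),
        "private_kB": round(priv_elems * bits / 8 / 1024, 1),
        "hash_bits": int(o * bits),                   # H: {0,1}^* -> F^o
        "signature_bits": int(n * bits),              # w in F^n
    }

def attack_bounds(q, o, v, level_bits):
    """Slides 7-11: collision attack needs o >= 2*level/log2(q); Kipnis-Shamir costs about
    q^(v-o) * o^4 (returned as log2); Thomae reduces a direct attack on n = omega*m variables
    to a determined system of m - floor(omega) + 1 equations."""
    n, m, bits = o + v, o, math.log2(q)
    return {
        "collision_ok": o * bits >= 2 * level_bits,
        "kipnis_shamir_log2": round((v - o) * bits + 4 * math.log2(o), 1),
        "direct_attack_equations": m - math.floor(n / m) + 1,
    }

def check_table_row(q, o, v, level_bits):
    """One row of the slide's table together with the bounds it has to satisfy."""
    return {**uov_sizes(q, o, v), **attack_bounds(q, o, v, level_bits)}

if __name__ == "__main__":
    for row in [(16, 40, 80, 80), (256, 27, 54, 80), (16, 64, 128, 128), (256, 93, 186, 256)]:
        print(row, check_table_row(*row))
    # balanced OV: the Kipnis-Shamir term q^(v-o) vanishes and only o^4 remains
    print("balanced o = v = 40:", attack_bounds(16, 40, 40, 80)["kipnis_shamir_log2"], "bits")
```

Two rows (UOV(F_256, 27, 54) and UOV(F_16, 64, 128)) come out about 0.1 kB below the public-key figure printed on the slide under this model, so the slide's counting convention may differ slightly; the remaining rows match. The `kipnis_shamir_log2` value for o = v shows directly why the balanced scheme falls to the attack in polynomial time, and why v ≈ 2·o restores an exponential term.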

  13-14. Rainbow Digital Signature
  Ding and Schmidt, 2004. Patented by Ding. May have had patent by T.-T. Moh (expired). TTS is its variant with sparse central map.
  Finite field F, integers 0 < v_1 < ··· < v_u < v_{u+1} = n. Set V_i = {1, ..., v_i}, O_i = {v_i + 1, ..., v_{i+1}}, o_i = v_{i+1} − v_i.
  Central map Q consists of m = n − v_1 polynomials f^{(v_1+1)}, ..., f^{(n)} of the form

    f^{(k)} = \sum_{i, j \in V_\ell} \alpha^{(k)}_{ij} x_i x_j + \sum_{i \in V_\ell,\, j \in O_\ell} \beta^{(k)}_{ij} x_i x_j + \sum_{i \in V_\ell \cup O_\ell} \gamma^{(k)}_i x_i + \delta^{(k)},

  with coefficients α^{(k)}_{ij}, β^{(k)}_{ij}, γ^{(k)}_i and δ^{(k)} randomly chosen from F and ℓ being the only integer such that k ∈ O_ℓ.
  Choose randomly two affine (or linear) transformations T: F^m → F^m and S: F^n → F^n.
  public key: P = T ∘ Q ∘ S : F^n → F^m
  private key: T, Q, S
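The layer structure just defined, as an added Python example (not code from the slides or from any Rainbow implementation): it builds the index sets V_ℓ, O_ℓ and o_ℓ from (v_1, ..., v_{u+1} = n), determines the layer ℓ of each central-map polynomial f^{(k)}, and lists the quadratic monomials f^{(k)} may contain, so a candidate polynomial can be checked against the rule. The layer sizes (2, 4, 6) used in the demo are constructed for illustration only and are not a parameter set; the function names are this example's.

```python
"""Rainbow layer structure: V_l, O_l, o_l, m = n - v_1 and the monomial support of f^(k).
Added example, not from the slides; layer sizes below are constructed, not parameters."""

def rainbow_layers(vs):
    """vs = (v_1, ..., v_u, v_{u+1} = n) with 0 < v_1 < ... < v_{u+1}. Returns n, m = n - v_1 and,
    per layer l, the 1-based Vinegar set V_l, Oil set O_l and o_l = v_{l+1} - v_l."""
    if not all(a < b for a, b in zip((0,) + tuple(vs), vs)):
        raise ValueError("need 0 < v_1 < ... < v_{u+1} = n")
    n = vs[-1]
    layers = [{"V": range(1, vs[l] + 1), "O": range(vs[l] + 1, vs[l + 1] + 1), "o": vs[l + 1] - vs[l]}
              for l in range(len(vs) - 1)]
    return {"n": n, "m": n - vs[0], "layers": layers}

def layer_of(k, vs):
    """The unique l with k in O_l, i.e. the layer of central-map polynomial f^(k)."""
    for l in range(len(vs) - 1):
        if vs[l] < k <= vs[l + 1]:
            return l
    raise ValueError(f"f^({k}) does not exist: k must lie in (v_1, n]")

def allowed_monomials(k, vs):
    """Quadratic monomials (i, j), i <= j, that f^(k) may contain: V_l x V_l and V_l x O_l.
    O_l x O_l terms and variables of later layers never appear."""
    l = layer_of(k, vs)
    V, O = range(1, vs[l] + 1), range(vs[l] + 1, vs[l + 1] + 1)
    return {(i, j) for i in V for j in V if i <= j} | {(i, j) for i in V for j in O}

def is_rainbow_polynomial(k, vs, quad_terms):
    """Check the quadratic support {(i, j): coeff} of a candidate f^(k) against the layer rule."""
    ok = allowed_monomials(k, vs)
    return all(c == 0 or (min(i, j), max(i, j)) in ok for (i, j), c in quad_terms.items())

def constructed_demo():
    """Constructed layers v = (2, 4, 6): n = 6, m = 4; f^(3), f^(4) form layer 0 and f^(5), f^(6)
    layer 1, in which the layer-0 Oil variables x_3, x_4 act as Vinegar."""
    vs = (2, 4, 6)
    return (rainbow_layers(vs)["m"],
            len(allowed_monomials(3, vs)),                          # 3 (V x V) + 4 (V x O) = 7
            len(allowed_monomials(5, vs)),                          # 10 + 8 = 18
            is_rainbow_polynomial(3, vs, {(1, 3): 2, (2, 2): 1}),   # V_0 x O_0 and V_0 x V_0: fine
            is_rainbow_polynomial(3, vs, {(3, 4): 1}),              # O_0 x O_0: forbidden
            is_rainbow_polynomial(5, vs, {(3, 4): 1}))              # x_3 x_4 is V_1 x V_1: fine
```

With a single layer, vs = (v, n), `allowed_monomials` returns exactly the v(v+1)/2 + v·o monomials of a UOV polynomial from slide 2, which is the sense in which Rainbow generalises UOV: each further layer reuses all previous variables as Vinegar and adds a new Oil block, and inversion proceeds layer by layer, each step solving an o_ℓ × o_ℓ linear system as in slides 3-4.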
