Multivariate Quadratic Public-Key Cryptography, Part 3: Small Field Schemes
Bo-Yin Yang, Academia Sinica, Taipei, Taiwan
Friday, 28.06.2018
B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 1 / 27
Oil-Vinegar Polynomials [Patarin 1997]

Let $F$ be a (finite) field. For $o, v \in \mathbb{N}$ set $n = o + v$ and define

$$p(x_1,\dots,x_n) = \underbrace{\sum_{i=1}^{v}\sum_{j=i}^{v} \alpha_{ij}\, x_i x_j}_{v \times v \text{ terms}} + \underbrace{\sum_{i=1}^{v}\sum_{j=v+1}^{n} \beta_{ij}\, x_i x_j}_{v \times o \text{ terms}} + \underbrace{\sum_{i=1}^{n} \gamma_i\, x_i}_{\text{linear terms}} + \delta$$

$x_1,\dots,x_v$: Vinegar variables. $x_{v+1},\dots,x_n$: Oil variables. There are no $o \times o$ terms.

If we randomly set $x_1,\dots,x_v$, the result is linear in $x_{v+1},\dots,x_n$:

 v × v terms | v × o terms | o × o terms | v terms     | o terms     | constant
 quadratic   | quadratic   | 0           | linear in v | linear in o | δ
Oil-Vinegar Polynomials (2)

(Unbalanced) Oil-Vinegar matrix: Let $\tilde p(x_1,\dots,x_n)$ be the homogeneous quadratic part of $p(x_1,\dots,x_n)$. Then $\tilde p$ can be written as a quadratic form $\tilde p(x) = x^T \cdot M \cdot x$ with

$$M = \begin{pmatrix} *_{v \times v} & *_{v \times o} \\ *_{o \times v} & 0_{o \times o} \end{pmatrix}$$

where $*$ denotes arbitrary entries subject to symmetry.
Inversion of the UOV central map

Each central polynomial has the form

 v × v terms | v × o terms | o × o terms | v terms     | o terms     | constant
 quadratic   | quadratic   | 0           | linear in v | linear in o | δ

Choose random values for the Vinegar variables $x_1,\dots,x_v$:

 v × v terms | v × o terms | o × o terms | v terms  | o terms     | constant
 constant    | linear in o | 0           | constant | linear in o | δ

⇒ Linear equation in the $o$ Oil variables.
Inversion of the central map (2)

Let each of the $o$ components of a UOV central map be a UOV polynomial.

After guessing Vinegar variables: When we guess the Vinegar variables $x_1,\dots,x_v$, we get $o$ linear equations in the $o$ Oil variables $x_{v+1},\dots,x_n$ ⇒ recovered by (Gaussian) elimination.

If the system has no solution? Just choose other values for the Vinegar variables $x_1,\dots,x_v$ and try again.

Toy Example in $F = GF(7)$ with $o = v = 2$: $Q = (f^{(1)}, f^{(2)})$ with

$$f^{(1)}(x) = 2x_1^2 + 3x_1x_2 + 6x_1x_3 + x_1x_4 + 4x_2^2 + 5x_2x_4 + 3x_1 + 2x_2 + 5x_3 + x_4 + 6,$$
$$f^{(2)}(x) = 3x_1^2 + 6x_1x_2 + 5x_1x_4 + 3x_2^2 + 5x_2x_3 + x_2x_4 + 2x_1 + 5x_2 + 4x_3 + 2x_4 + 1.$$

Goal: Find a pre-image $Q^{-1}(y)$, $y = (3, 4)$.

Choose random values for $x_1$ and $x_2$, e.g. $(x_1, x_2) = (1, 4)$:

$$\tilde f^{(1)}(x_3, x_4) = 4x_3 + x_4 + 4 = w_1 = 3, \qquad \tilde f^{(2)}(x_3, x_4) = 3x_3 + 4x_4 = w_2 = 4.$$

The pre-image of $y$ is $x = (1, 4, 1, 2)$.
Operations of UOV

Key Generation: Take a UOV central map $Q$ and an invertible $S : F^n \to F^n$. $P = Q \circ S$.

Signature Generation
1. Given: message $d$, take its hash $y = H(d)$ under $H : \{0,1\}^\star \to F^o$.
2. Compute a pre-image $x \in F^n$ of $y$ under the central map $Q$:
   ◮ Choose random values for the Vinegar variables $x_1,\dots,x_v$ and substitute them into the central map polynomials $f^{(1)},\dots,f^{(o)}$.
   ◮ Solve the resulting linear system for the Oil variables $x_{v+1},\dots,x_n$.
   ◮ If the system has no solution, choose other values for the Vinegar variables and try again.
3. Compute the signature $w \in F^n$ by $w = S^{-1}(x)$.

Signature Verification: Given message $d$ and signature $w \in F^n$,
1. Compute $z = H(d)$.
2. Compute $z' = P(w)$.
Accept the signature ⇔ $z = z'$.
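The toy example of the previous slide and the sign/verify operations above, as an added Python example that is not part of the slides: the central polynomials $f^{(1)}, f^{(2)}$ over GF(7) are stored as homogenised matrices, Vinegar $(x_1, x_2) = (1, 4)$ yields the pre-image $(1, 4, 1, 2)$, and the Vinegar choice $(2, 2)$ is a constructed case where the linear system has no solution and the signer must retry. The invertible matrix $S$ used in the test, the public key $P = Q \circ S$ computed as $S^T M_k S$, and the functions `poly_matrix`, `solve_mod_q`, `invert_central`, `public_key`, `sign`, `verify` are my own constructions.

```python
q, n, o = 7, 4, 2   # GF(7), n = v + o with o = v = 2: the toy parameters of the slides

def poly_matrix(terms):
    # 5x5 matrix M over xh = (x1, x2, x3, x4, 1) with p(x) = xh^T M xh; 1-based keys (i, j), i <= j, index 5 = the constant 1
    return [[terms.get((i + 1, j + 1), 0) % q for j in range(n + 1)] for i in range(n + 1)]

CENTRAL = [  # f^(1), f^(2) from the slides; x3, x4 are Oil, so no (3,3), (3,4), (4,4) terms
    poly_matrix({(1, 1): 2, (1, 2): 3, (1, 3): 6, (1, 4): 1, (2, 2): 4, (2, 4): 5,
                 (1, 5): 3, (2, 5): 2, (3, 5): 5, (4, 5): 1, (5, 5): 6}),
    poly_matrix({(1, 1): 3, (1, 2): 6, (1, 4): 5, (2, 2): 3, (2, 3): 5, (2, 4): 1,
                 (1, 5): 2, (2, 5): 5, (3, 5): 4, (4, 5): 2, (5, 5): 1}),
]

def evaluate(M, x):
    xh = list(x) + [1]
    return sum(xh[i] * M[i][j] * xh[j] for i in range(n + 1) for j in range(n + 1)) % q

def solve_mod_q(A, b):
    # Gauss-Jordan over GF(q); None when there is no unique solution (the signer then re-picks Vinegar)
    m, rows = len(A), [list(r) + [bi % q] for r, bi in zip(A, b)]
    for c in range(m):
        piv = next((r for r in range(c, m) if rows[r][c] % q), None)
        if piv is None:
            return None
        rows[c], rows[piv] = rows[piv], rows[c]
        rows[c] = [(e * pow(rows[c][c], q - 2, q)) % q for e in rows[c]]
        for r in range(m):
            f = 0 if r == c else rows[r][c]
            rows[r] = [(a - f * p) % q for a, p in zip(rows[r], rows[c])]
    return [r[m] for r in rows]

def invert_central(y, vinegar):
    # Fixing the Vinegar variables makes every f^(k) affine in the Oil variables: solve A * oil = y - base
    base = [evaluate(M, list(vinegar) + [0] * o) for M in CENTRAL]
    A = [[(evaluate(M, list(vinegar) + [int(k == j) for k in range(o)]) - base[i]) % q
          for j in range(o)] for i, M in enumerate(CENTRAL)]
    oil = solve_mod_q(A, [(yi - bi) % q for yi, bi in zip(y, base)])
    return None if oil is None else list(vinegar) + oil

def public_key(S):
    # P = Q o S: p_k(S w) = wh^T (Sh^T M_k Sh) wh with Sh = diag(S, 1) acting on wh = (w, 1)
    Sh = [list(r) + [0] for r in S] + [[0] * n + [1]]
    mm = lambda A, B: [[sum(a * b for a, b in zip(r, c)) % q for c in zip(*B)] for r in A]
    return [mm(mm(list(zip(*Sh)), M), Sh) for M in CENTRAL]

def sign(S, y, vinegar):   # w = S^{-1} x for a central-map pre-image x of y = H(d)
    return None if (x := invert_central(y, vinegar)) is None else solve_mod_q(S, x)

def verify(pub, w, y):
    return [evaluate(M, w) for M in pub] == list(y)
```

The verifier only ever touches the public matrices returned by `public_key`, never `CENTRAL` or `S`.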
Kipnis-Shamir OV attack when $o = v$

$O := \{x \in F^n : x_1 = \dots = x_v = 0\}$ ("Oil space"), $V := \{x \in F^n : x_{v+1} = \dots = x_n = 0\}$ ("Vinegar space").

Let $E, F$ be invertible "OV-matrices", i.e. $E, F = \begin{pmatrix} \star & \star \\ \star & 0 \end{pmatrix}$. Then $E \cdot O \subset V$. Since the two subspaces have the same dimension, equality holds, so $(F^{-1} \cdot E) \cdot O = O$, i.e. $O$ is an invariant subspace of $F^{-1} \cdot E$.

Common Subspaces: Let $H_i$ be the matrix representing the homogeneous quadratic part of the $i$-th public polynomial. Then we have $H_i = S^T \cdot E_i \cdot S$, i.e. $S^{-1}(O)$ is an invariant subspace of the matrix $H_j^{-1} \cdot H_i$, and we find $S^{-1}$.

Summary of the Standard UOV Attack: for $v \le o$ it breaks the balanced OV scheme in polynomial time. For $v > o$ the complexity of the attack is about $q^{v-o} \cdot o^4$. ⇒ Choose $v \approx 2 \cdot o$ (unbalanced Oil and Vinegar, UOV) [KP99].
What happens when $v > o$?

Invariant Subspaces: $E \cdot O \subset V$, where $E$ is a UOV matrix. If $E^{-1}$ exists then $E^{-1}V$ is a $v$-dimensional subspace containing $O$. If $E, F$ are two invertible UOV matrices, then $FE^{-1}O$ has the same dimension as $O$, and both lie in $F^{-1}V$. So $I = O \cap F^{-1}EO$ has dimension at least $2o - v$.

$I$ is mapped by $F^{-1}E$ into the subspace $F^{-1}EO$ of dimension $o$. The probability for a non-zero vector to be mapped to its own multiple is $(q-1)/(q^d-1)$. The expected number of eigenvectors is the number of non-zero vectors times this probability divided by $q-1$ (since each eigenvector is counted $q-1$ times), i.e. $(q^{2o-v}-1)/(q^o-1) \sim q^{-(v-o)}$. So for about 1 out of $q^{v-o}$ choices, $O$ contains an invariant subspace of $F^{-1}E$.

Choose an $H_i$ which is invertible and take an arbitrary linear combination $H = \sum_i \alpha_i H_i$; with probability $q^{-(v-o)}$, $H_i^{-1}H$ contains an invariant subspace which lies in $S^{-1}O$. Repeat $o$ times to obtain the entire $S^{-1}O$.
Other Attacks

Collision Attack: $o \ge 2\ell / \log_2(q)$ for $\ell$-bit security.

Direct Attack: Try to solve the public equation $P(w) = z$ as an instance of the MQ-Problem. The public systems of UOV behave much like random systems, but they are highly underdetermined ($n = 3 \cdot m$). Result [Thomae]: A multivariate system of $m$ equations in $n = \omega \cdot m$ variables can be solved in the same time as a determined system of $m - \lfloor \omega \rfloor + 1$ equations. ⇒ $m$ has to be increased by 2.

UOV-Reconciliation attack: Try to find a linear transformation $S$ ("good keys") which transforms the public matrices $H_i$ into the form of UOV matrices:

$$(S^T)^{-1} \cdot H_i \cdot S^{-1} = \begin{pmatrix} \star & \star \\ \star & 0 \end{pmatrix}, \qquad S = \begin{pmatrix} 1 & \star \\ 0 & 1 \end{pmatrix}$$

⇒ Each zero term yields a quadratic equation in the elements of $S$.
⇒ $S$ can be recovered by solving several MQ systems (the hardest with $v$ variables and $m$ equations).
Reconciliation Attack for UOV

Good Keys:

$$M_S := \begin{pmatrix} *_{v \times v} & *_{v \times o} \\ *_{o \times v} & *_{o \times o} \end{pmatrix} = \begin{pmatrix} 1_{v \times v} & *_{v \times o} \\ 0_{o \times v} & 1_{o \times o} \end{pmatrix} \cdot \begin{pmatrix} *_{v \times v} & 0_{v \times o} \\ *_{o \times v} & *_{o \times o} \end{pmatrix} \qquad (1)$$

Only need $M_S = P := \begin{pmatrix} 1_{v \times v} & *_{v \times o} \\ 0_{o \times v} & 1_{o \times o} \end{pmatrix}$.