software toolkit for hfe based multivariate schemes
play

Software Toolkit for HFE -based Multivariate Schemes J-C. Faugre 1 , - PowerPoint PPT Presentation

Jun 24, 2023 •134 likes •641 views

Software Toolkit for HFE -based Multivariate Schemes J-C. Faugre 1 , 2 , L. Perret 1 , 2 , Jocelyn Ryckeghem 2 1 CryptoNext Security 2 Sorbonne Universit, CNRS, INRIA, LIP6, quipe PolSys, F-75005 Paris, France CHES, Atlanta, August 26, 2019

  1. Software Toolkit for HFE -based Multivariate Schemes J-C. Faugère 1 , 2 , L. Perret 1 , 2 , Jocelyn Ryckeghem 2 1 CryptoNext Security 2 Sorbonne Université, CNRS, INRIA, LIP6, Équipe PolSys, F-75005 Paris, France CHES, Atlanta, August 26, 2019 1/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  2. MQsoft 1 : Multivariate Quadratic Software Motivations 11/2017 and 01/2019: beginning of the 1 st and 2 nd rounds of the NIST post-quantum cryptography standardization process. Signature: 4 second round candidates over 9 are multivariate. Libraries: code [McBits, CHES’2013, ...], lattice [NFLlib, CT RSA’16, ...], but no library for the multivariate-based schemes! 1 https://www-polsys.lip6.fr/Links/NIST/MQsoft.html 2/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  3. MQsoft 1 : Multivariate Quadratic Software Motivations 11/2017 and 01/2019: beginning of the 1 st and 2 nd rounds of the NIST post-quantum cryptography standardization process. Signature: 4 second round candidates over 9 are multivariate. Libraries: code [McBits, CHES’2013, ...], lattice [NFLlib, CT RSA’16, ...], but no library for the multivariate-based schemes! Our contribution: MQsoft An efficient C library exploiting SSE and AVX2 instructions set. Matsumoto-Imai-based schemes: QUARTZ , Gui , G e MSS. Fast arithmetic in F 2 [ X ] , F 2 n and F 2 n [ X ] (with root finding), multivariate quadratic systems in F 2 (evaluation, change of variables, ...), constant-time implementation against timing attacks (as often as possible). 1 https://www-polsys.lip6.fr/Links/NIST/MQsoft.html 2/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  4. Matsumoto-Imai-based schemes Matsumoto-Imai [EUROCRYPT ’88] Public-key: a multivariate quadratic system. � x 1 x 2 + x 2 x 3 + x 1 + 1 Example in F 2 : p ( x 1 , x 2 , x 3 ) = x 1 x 2 + x 1 x 3 + x 1 Verifying process: evaluation of the public-key. Signing process: affine transformations + inversion of the private map. 3/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  5. Matsumoto-Imai-based schemes Matsumoto-Imai [EUROCRYPT ’88] Public-key: a multivariate quadratic system. � x 1 x 2 + x 2 x 3 + x 1 + 1 Example in F 2 : p ( x 1 , x 2 , x 3 ) = x 1 x 2 + x 1 x 3 + x 1 Verifying process: evaluation of the public-key. Signing process: affine transformations + inversion of the private map. HFE -based signature schemes [Patarin, EUROCRYPT ’96] Signing process: to find the roots of a univariate polynomial. Schemes: QUARTZ (2001), Gui (2015), G e MSS (2017), DualModeMS (2017), BlueG e MSS (2019), RedG e MSS (2019). 3/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  6. Performance QUARTZ (a NESSIE submission) In 2001: 4 s to generate the keys, 10 s to sign, 900 µ s to verify. With MQsoft (new hardware + new library): 2 . 0 ms to generate the keys, 20 ms to sign, 6 . 4 µ s to verify. 4/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  7. Performance QUARTZ (a NESSIE submission) In 2001: 4 s to generate the keys, 10 s to sign, 900 µ s to verify. With MQsoft (new hardware + new library): 2 . 0 ms to generate the keys, 20 ms to sign, 6 . 4 µ s to verify. sign. scheme sec. level key gen. sign. verif. + 220% + 100% + 95% G e MSS128 128 + 220% + 57% + 84% G e MSS192 192 G e MSS256 256 + 240% + 110% + 75% 128 + 1200% + 100% + 73% Gui-184 192 + 1600% + 95% + 56% Gui-312 256 + 2500% + 85% + 58% Gui-448 Speed-up (best first round implementations compared to MQsoft ), Haswell processor. Speed-up of 100 % for the signing process, and between 60 % and 100 % for the verifying process. 4/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  8. MQsoft : architecture for HFE Keypair generation Signing process Verifying process Compute the inner Evaluation of a multi- Root finding in F 2 n [ X ] secret key polynomial variate quadratic system Frobenius map in F 2 n [ X ] GCD in F 2 n [ X ] Multiplication in F 2 n Squaring in F 2 n Multi-squaring in F 2 n Modular reduction in Squaring in F 2 [ X ] Multiplication in F 2 [ X ] F 2 [ X ] 5/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  9. Efficient arithmetic in F 2 n Software and libraries for number theory Magma , a computer algebra software. NTL , A Library for Doing Number Theory (in C++ ). FLINT , Fast Library for Number Theory, less efficient in F 2 n ! gf2x ( C library), specialized for the multiplication in F 2 [ X ] . Implementations for specific fields Elliptic curves [BluGue13]: F 2 163 , F 2 233 , F 2 283 , . . . Gui [mpkc-128bit, gui-pq-submission]: F 2 184 , F 2 240 , F 2 312 , . . . MQsoft Arithmetic in F 2 n for n ≤ 576, in C using AVX2 instructions set. Especially efficient on Skylake processors (6 th generation), but also efficient on Haswell processors (4 th generation). 6/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  10. Constant-time product in F 2 n = F 2 [ X ] / f ( x ) Code using SSE (128 bits) or AVX2 (256 bits) instructions sets. Multiplication Squaring Linear operation in char. 2: The most important operation! ( ax + b ) 2 = a 2 x 2 + b 2 . 1 School-book algorithm by 1 Table lookups of square block of 64 bits ( PCLMULQDQ ). ( PSHUFB , VPSHUFB ). 2 Karatsuba algorithm, the base 2 Squaring of each 64-bit case depends on the processor. block ( PCLMULQDQ ). n Magma NTL MQsoft 252 558 169 36-40 n Magma NTL MQsoft 511 761 320 91-92 252 455 128 15-24 511 510 174 24-27 Multiplication in F 2 n in cycles, Skylake processor. Squaring in F 2 n in cycles, Skylake processor. 7/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  11. Representation of multivariate quadratic systems ( m equations, n variables) Representation "equation by equation" The equations are stored one by one. � x 1 x 2 + x 2 x 3 + x 1 + 1 ( 1 ) Example in F 2 : p ( x 1 , x 2 , x 3 ) = x 1 x 2 + x 1 x 3 + x 1 ( 2 ) 8/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  12. Representation of multivariate quadratic systems ( m equations, n variables) Representation "equation by equation" The equations are stored one by one. � x 1 x 2 + x 2 x 3 + x 1 + 1 ( 1 ) Example in F 2 : p ( x 1 , x 2 , x 3 ) = x 1 x 2 + x 1 x 3 + x 1 ( 2 ) Representation "coefficient by coefficient" The system is stored as an equation in the big field F 2 m . Example in F 2 : let F 4 = F 2 [ X ] / ( α 2 + α + 1 ) , p ( x 1 , x 2 , x 3 ) = 1 × ( 1 ) + α × ( 2 ) = ( α + 1 ) x 1 x 2 + α x 1 x 3 + x 2 x 3 + ( α + 1 ) x 1 + 1 This representation is used in [Berbain, Billet, Gilbert, Efficient Implementations of Multivariate Quadratic Systems] and MQsoft . 8/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  13. Evaluation in variable-time p ∈ F 2 m [ x 1 , . . . , x n ] is stored as a quadratic form in the row-major order. Example: p . cst x 1 x 2 x 3 x 4 x 1 p 1 , 1 p 1 , 2 p 1 , 3 p 1 , 4 x 2 p 2 , 2 p 2 , 3 p 2 , 4 x 3 p 3 , 3 p 3 , 4 x 4 p 4 , 4 p ( x 1 = 1 , x 2 = 0 , x 3 = 1 , x 4 = 0 ) = 9/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  14. Evaluation in variable-time p ∈ F 2 m [ x 1 , . . . , x n ] is stored as a quadratic form in the row-major order. Example: p . cst x 1 x 2 x 3 x 4 x 1 p 1 , 1 p 1 , 2 p 1 , 3 p 1 , 4 x 2 p 2 , 2 p 2 , 3 p 2 , 4 x 3 p 3 , 3 p 3 , 4 x 4 p 4 , 4 p ( x 1 = 1 , x 2 = 0 , x 3 = 1 , x 4 = 0 ) = p . cst 9/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  15. Evaluation in variable-time p ∈ F 2 m [ x 1 , . . . , x n ] is stored as a quadratic form in the row-major order. Example: p . cst x 1 x 2 x 3 x 4 x 1 = 1 p 1 , 1 p 1 , 2 p 1 , 3 p 1 , 4 x 2 p 2 , 2 p 2 , 3 p 2 , 4 x 3 p 3 , 3 p 3 , 4 x 4 p 4 , 4 p ( x 1 = 1 , x 2 = 0 , x 3 = 1 , x 4 = 0 ) = p . cst 9/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  16. Evaluation in variable-time p ∈ F 2 m [ x 1 , . . . , x n ] is stored as a quadratic form in the row-major order. Example: p . cst x 1 = 1 x 2 x 3 x 4 x 1 = 1 p 1 , 1 p 1 , 2 p 1 , 3 p 1 , 4 x 2 p 2 , 2 p 2 , 3 p 2 , 4 x 3 p 3 , 3 p 3 , 4 x 4 p 4 , 4 p ( x 1 = 1 , x 2 = 0 , x 3 = 1 , x 4 = 0 ) = p . cst 9/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  17. Evaluation in variable-time p ∈ F 2 m [ x 1 , . . . , x n ] is stored as a quadratic form in the row-major order. Example: p . cst x 1 = 1 x 2 x 3 x 4 x 1 = 1 p 1 , 1 p 1 , 2 p 1 , 3 p 1 , 4 x 2 p 2 , 2 p 2 , 3 p 2 , 4 x 3 p 3 , 3 p 3 , 4 x 4 p 4 , 4 p ( x 1 = 1 , x 2 = 0 , x 3 = 1 , x 4 = 0 ) = p . cst + p 1 , 1 9/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  18. Evaluation in variable-time p ∈ F 2 m [ x 1 , . . . , x n ] is stored as a quadratic form in the row-major order. Example: p . cst x 1 = 1 x 2 = 0 x 3 x 4 x 1 = 1 p 1 , 1 p 1 , 2 p 1 , 3 p 1 , 4 x 2 p 2 , 2 p 2 , 3 p 2 , 4 x 3 p 3 , 3 p 3 , 4 x 4 p 4 , 4 p ( x 1 = 1 , x 2 = 0 , x 3 = 1 , x 4 = 0 ) = p . cst + p 1 , 1 9/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

  19. Evaluation in variable-time p ∈ F 2 m [ x 1 , . . . , x n ] is stored as a quadratic form in the row-major order. Example: p . cst x 1 = 1 x 2 = 0 x 3 x 4 x 1 = 1 p 1 , 1 p 1 , 2 p 1 , 3 p 1 , 4 x 2 p 2 , 2 p 2 , 3 p 2 , 4 x 3 p 3 , 3 p 3 , 4 x 4 p 4 , 4 p ( x 1 = 1 , x 2 = 0 , x 3 = 1 , x 4 = 0 ) = p . cst + p 1 , 1 9/18 J-C. Faugère, L. Perret, Jocelyn Ryckeghem CHES 2019

Recommend

TOOLKIT Designing and managing international relations, educational projects and mobility schemes

TOOLKIT Designing and managing international relations, educational projects and mobility schemes

TOOLKIT Designing and managing international relations, educational projects and mobility schemes in Asian Universities Erasmus+ KA102 UNIVERSITY OF YANGON 1 Myanmar Mandalay Bagan Shwedagon Pagoda Inle Lake Founded in 1920 University

531 views • 16 slides
Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale suprieure Joint work with Dubois, Stern, Shamir, Macario-Rat Summary Matsumoto-Imai (MI) cryptosystem Cryptanalysis of MI by Patarin

388 views • 21 slides
Multivariate Quadratic Public-Key Cryptography Part 3: Small Field Schemes Bo-Yin Yang Academia

Multivariate Quadratic Public-Key Cryptography Part 3: Small Field Schemes Bo-Yin Yang Academia

Multivariate Quadratic Public-Key Cryptography Part 3: Small Field Schemes Bo-Yin Yang Academia Sinica Taipei, Taiwan Friday, 28.06.2018 B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 1 / 27 Oil-Vinegar Polynomials [Patarin

1.38k views • 79 slides
Multivariate Quadratic Public-Key Cryptography Part 3: Small Field Schemes Bo-Yin Yang Academia

Multivariate Quadratic Public-Key Cryptography Part 3: Small Field Schemes Bo-Yin Yang Academia

Multivariate Quadratic Public-Key Cryptography Part 3: Small Field Schemes Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC

978 views • 63 slides
TOOLKIT Designing and managing international relations, educational projects and mobility schemes

TOOLKIT Designing and managing international relations, educational projects and mobility schemes

TOOLKIT Designing and managing international relations, educational projects and mobility schemes in Asian Universities Erasmus+ KA102 National University of Laos National University of Laoss FACTS and FIGURES The National University of

790 views • 13 slides
Multilingual App Toolkit Standards and multilingual software development 29, April 2015 Jan

Multilingual App Toolkit Standards and multilingual software development 29, April 2015 Jan

2015-04-03 Multilingual App Toolkit Standards and multilingual software development 29, April 2015 Jan Anders Nelson Microsoft Corporation OSGS Overview Multilingual App Toolkit Workflow Enable MAT on

289 views • 12 slides
The Toolkit for Accurate Scientific Software Stephen F. Siegel, Timothy Zirkel, Yi Wei Verified

The Toolkit for Accurate Scientific Software Stephen F. Siegel, Timothy Zirkel, Yi Wei Verified

The Toolkit for Accurate Scientific Software Stephen F. Siegel, Timothy Zirkel, Yi Wei Verified Software Laboratory Department of Computer and Information Sciences University of Delaware Newark, DE, USA Third International Workshop on

498 views • 33 slides
Configuration Strategies of an AR Toolkit-based Wide Area Tracker The Second IEEE International

Configuration Strategies of an AR Toolkit-based Wide Area Tracker The Second IEEE International

Configuration Strategies of an AR Toolkit-based Wide Area Tracker The Second IEEE International AR Toolkit Workshop Martin Wagner, Felix Loew Lehrstuhl fr Angewandte Softwaretechnik Institut fr Informatik Technische Universitt Mnchen

618 views • 26 slides
Outline Multivariate Data 1 Multivariate Parametric Methods Multivariate Normal Distribution 2

Outline Multivariate Data 1 Multivariate Parametric Methods Multivariate Normal Distribution 2

Multivariate Data Multivariate Normal Distribution Multivariate Classification Multivariate Regression Multivariate Data Multivariate Normal Distribution Multivariate Classification Multivariate Regression Outline Multivariate Data 1

319 views • 7 slides
Lean Software Development Lean Software Development is an Agile practice that is based on the

Lean Software Development Lean Software Development is an Agile practice that is based on the

Lean Software Development Lean Software Development is an Agile practice that is based on the principles of Lean Manufacturing Lean Software Development comes from the book "Lean Software Development: An Agile Toolkit" by Mary

789 views • 65 slides
Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to Fault Injection Attacks Jakub Breier, Dirmanto Jap, and Shivam Bhasin Presenter: Wei He Physical Analysis and Cryptographic Engineering Nanyang

525 views • 26 slides
Spatial-Temporal Explanations for Storage Failure Predictions based on Multivariate Telemetry

Spatial-Temporal Explanations for Storage Failure Predictions based on Multivariate Telemetry

Spatial-Temporal Explanations for Storage Failure Predictions based on Multivariate Telemetry Sensors Ioana Giurgiu, Anika Schumann IBM Research Zurich Goal Explain predicted failures in large-scale real world storage environments based

478 views • 16 slides
An extension of the MoreauJean scheme based on the generalized schemes for the numerical

An extension of the MoreauJean scheme based on the generalized schemes for the numerical

An extension of the MoreauJean scheme based on the generalized schemes for the numerical time integration of flexible dynamical systems with contact and An extension of the MoreauJean scheme based on the generalized schemes for

1.16k views • 87 slides
C 3D Kernel Geometric Modeling Toolkit For 2D & 3D Software Developers 2012 KOMPAS-3D

C 3D Kernel Geometric Modeling Toolkit For 2D & 3D Software Developers 2012 KOMPAS-3D

C 3D Kernel Geometric Modeling Toolkit For 2D & 3D Software Developers 2012 KOMPAS-3D most popular 3D-CAD in Russia 70 000 seats The mathematical division of ASCON became a separate company C3D Labs to develop and promote kernel 2

256 views • 24 slides
Cryptographic Schemes Based on Isogenies Anton Stolbunov Trondheim, January 23, 2012 www.ntnu.no

Cryptographic Schemes Based on Isogenies Anton Stolbunov Trondheim, January 23, 2012 www.ntnu.no

Cryptographic Schemes Based on Isogenies Anton Stolbunov Trondheim, January 23, 2012 www.ntnu.no Anton Stolbunov, Cryptographic Schemes Based on Isogenies 2 / 22 Outline [Ch. 1] Introduction [Ch. 2] Constructing Cryptographic Schemes Based

519 views • 22 slides
Title I, Part A Directors Toolkit Title I, Part A Directors Toolkit Toolkit Format:

Title I, Part A Directors Toolkit Title I, Part A Directors Toolkit Toolkit Format:

Title I, Part A Directors Toolkit Title I, Part A Directors Toolkit Toolkit Format: Title I-A Directors Handbook Webinars Concise, informational, 5-10 minutes Covering critical topics in ESSA Viewers select the topic,

636 views • 25 slides
The Console Toolkit - Part 2 Alexander Schoch TheAlternative, SSC | ETHZ and UZH 29 th of March,

The Console Toolkit - Part 2 Alexander Schoch TheAlternative, SSC | ETHZ and UZH 29 th of March,

Processes Run as Root Piping and Redirection Useful TUI/CLI software Managing software SSH Version control Backup Epilogue The Console Toolkit - Part 2 Alexander Schoch TheAlternative, SSC | ETHZ and UZH 29 th of March, 2019 Alexander

913 views • 42 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
W HAT IS GNU R ADIO ? An open-source software toolkit Design & Implementation of Radio

W HAT IS GNU R ADIO ? An open-source software toolkit Design & Implementation of Radio

GNU R ADIO mehdi sajjadi hdi jj di 1 1 Summer 2009 W HAT IS GNU R ADIO ? An open-source software toolkit Design & Implementation of Radio systems Two main set of tools: 2 W HAT IS GNU R ADIO ? Radio system designer Signal

229 views • 18 slides
The Bioeconomy Strategy and the role for schemes and labels Final Workshop (web-based) 28.04.2020

The Bioeconomy Strategy and the role for schemes and labels Final Workshop (web-based) 28.04.2020

Sustainability Transition Assessment and Research of Bio-based Products Grant Agreement Number 727740 The Bioeconomy Strategy and the role for schemes and labels Final Workshop (web-based) 28.04.2020 Mathilde Crpy (ECOS) www.STAR-ProBio.eu

188 views • 6 slides
Continuous Optimization Sanzheng Qiao Department of Computing and Software McMaster University

Continuous Optimization Sanzheng Qiao Department of Computing and Software McMaster University

Intro Golden Section Multivariate Functions Least Squares Nonlinear Least Squares Software Continuous Optimization Sanzheng Qiao Department of Computing and Software McMaster University March, 2009 Intro Golden Section Multivariate

3.15k views • 47 slides
David Gruber NRCS Natural Resources Database Specialist Customer Service Toolkit Module 8A -

David Gruber NRCS Natural Resources Database Specialist Customer Service Toolkit Module 8A -

David Gruber NRCS Natural Resources Database Specialist Customer Service Toolkit Module 8A - 2013 Customer Service Toolkit 1 Customer Service Toolkit Official software used to: Record conservation planning activities Report

954 views • 57 slides
Sta ff Diversity Hiring Toolkit Sta ff Diversity Hiring Toolkit Toolkit accessible

Sta ff Diversity Hiring Toolkit Sta ff Diversity Hiring Toolkit Toolkit accessible

Sta ff Diversity Hiring Toolkit Sta ff Diversity Hiring Toolkit Toolkit accessible online: www.washington.edu/diversity/staffdiv/hiringtoolkit/ A resource for HR Directors and

322 views • 8 slides
Exploring Visual Comparison of Multivariate Runtime Statistics Hagen Tarner, Veit Frick, Martin

Exploring Visual Comparison of Multivariate Runtime Statistics Hagen Tarner, Veit Frick, Martin

9TH SYMPOSIUM ON SOFTWARE PERFORMANCE 2018 Exploring Visual Comparison of Multivariate Runtime Statistics Hagen Tarner, Veit Frick, Martin Pinzger, and Fabian Beck Motivation Performance data is multivariate VIS o ff ers techniques for this

400 views • 29 slides

More recommend