  1. GeMSS: A Great Multivariate Short Signature. Ludovic Perret (CryptoNext Security), joint work with A. Casanova (CS), J.-C. Faugère (CryptoNext Security), G. Macario-Rat (Orange), J. Patarin (UVSQ) and J. Ryckeghem (SU/INRIA). The Second PQC Standardization Conference. 1 / 15

  2. Multivariate Cryptography: More than 30 Years of History
     Classical candidate for post-quantum cryptography. Many schemes proposed (44% of second-round signature candidates). HFE and variants have been extensively studied, including in the NESSIE EU standardization process (1999–2003).
     References: T. Matsumoto and H. Imai, “Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption”, EUROCRYPT ’88. J. Patarin, “Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms”, EUROCRYPT ’96. J. Patarin, N. Courtois, L. Goubin, “QUARTZ, 128-Bit Long Digital Signatures”, CT-RSA 2001.

  3. GeMSS Trapdoor – HFE Vinegar
     J. Patarin, “Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms”, EUROCRYPT ’96.
     HFEv polynomial. Let $D \in \mathbb{N}$. We define $F(X, v_1, \ldots, v_v) \in \mathbb{F}_{2^n}[X, v_1, \ldots, v_v]$ such that
     $$F(X, v_1, \ldots, v_v) = \sum_{\substack{0 \le i < j < n \\ 2^i + 2^j \le D}} A_{i,j}\, X^{2^i + 2^j} + \sum_{\substack{0 \le i < n \\ 2^i \le D}} \beta_i(v_1, \ldots, v_v)\, X^{2^i} + \gamma(v_1, \ldots, v_v),$$
     where each $\beta_i : \mathbb{F}_2^v \to \mathbb{F}_{2^n}$ is linear and $\gamma : \mathbb{F}_2^v \to \mathbb{F}_{2^n}$ is quadratic.

  4. GeMSS Trapdoor – HFE Vinegar (continued)
     Guess the vinegar variables $(v_1, \ldots, v_v) \in \mathbb{F}_2^v$; the polynomial becomes univariate:
     $$\sum_{\substack{0 \le i < j < n \\ 2^i + 2^j \le D}} A'_{i,j}\, X^{2^i + 2^j} + \sum_{\substack{0 \le i < n \\ 2^i \le D}} B'_i\, X^{2^i} + C' \in \mathbb{F}_{2^n}[X].$$

  5. Signature Generation
     HFE polynomial. Let $D \in \mathbb{N}$ and
     $$F(X) = \sum_{\substack{0 \le i < j < n \\ 2^i + 2^j \le D}} A'_{i,j}\, X^{2^i + 2^j} + \sum_{\substack{0 \le i < n \\ 2^i \le D}} B'_i\, X^{2^i} + C' \in \mathbb{F}_{2^n}[X].$$
     Root finding (Las Vegas). We can find all the roots of $F \in \mathbb{F}_{2^n}[X]$ in quasi-linear time $\tilde{O}(n \cdot D)$.
     J. von zur Gathen, J. Gerhard, Modern Computer Algebra (3rd ed.), Cambridge University Press, 2013.

  6. GeMSS KeyGen
     HFEv polynomial. Let $D \in \mathbb{N}$. We define $F(X, v_1, \ldots, v_v) \in \mathbb{F}_{2^n}[X, v_1, \ldots, v_v]$ such that
     $$F(X, v_1, \ldots, v_v) = \sum_{\substack{0 \le i < j < n \\ 2^i + 2^j \le D}} A_{i,j}\, X^{2^i + 2^j} + \sum_{\substack{0 \le i < n \\ 2^i \le D}} \beta_i(v_1, \ldots, v_v)\, X^{2^i} + \gamma(v_1, \ldots, v_v),$$
     where each $\beta_i : \mathbb{F}_2^v \to \mathbb{F}_{2^n}$ is linear and $\gamma : \mathbb{F}_2^v \to \mathbb{F}_{2^n}$ is quadratic.
     Writing $X$ over a basis $(\theta_1, \ldots, \theta_n)$ of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$ gives $n$ quadratic polynomials $f_1(x_1, \ldots, x_{n+v}), \ldots, f_n(x_1, \ldots, x_{n+v})$ over $\mathbb{F}_2$:
     $$F\Big(\sum_{k=1}^{n} \theta_k x_k,\; v_1, \ldots, v_v\Big) = \sum_{k=1}^{n} \theta_k f_k.$$
     Minus modifier: only consider $m < n$ of these equations.

  7. General Structure
     $m < n$: number of equations; $n + v$: number of variables.
     Private key: $f : (\mathbb{F}_2)^{n+v} \to (\mathbb{F}_2)^m$, easy to invert, given by $f_1(x_1, \ldots, x_{n+v}), \ldots, f_m(x_1, \ldots, x_{n+v})$.
     Public key: $p : (\mathbb{F}_2)^{n+v} \to (\mathbb{F}_2)^m$, given by $p_1(x_1, \ldots, x_{n+v}), \ldots, p_m(x_1, \ldots, x_{n+v})$, where
     $$p = T \circ f \circ S, \qquad (S, T) \in \mathrm{GL}_{n+v}(\mathbb{F}_2) \times \mathrm{GL}_m(\mathbb{F}_2).$$
     Signature: root finding and inversion of the matrices. Verification: evaluation of the polynomials, i.e. $p(s) = d$.
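The trapdoor of slides 3–7 (guess the vinegar bits, find a root of the now-univariate HFE polynomial, verify by evaluation) as an added toy example in Python; this is not GeMSS or MQsoft code. It assumes a tiny field $\mathbb{F}_{2^8}$, degree bound D = 4 and four vinegar bits, finds roots by exhaustive search instead of the quasi-linear algorithm, and leaves out the linear maps S, T and the minus modifier so that only the central map is shown.

```python
import random
from functools import reduce
from operator import xor
N, MOD, D, V = 8, 0x11B, 4, 4  # assumed toy sizes: F_{2^8} = F_2[x]/(x^8+x^4+x^3+x+1), D = 4, 4 vinegar bits

def gf_mul(a, b):
    """Multiply in F_{2^8}: shift-and-add, reducing modulo MOD whenever bit 8 appears."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (MOD if a & 0x80 else 0)
        b >>= 1
    return r

def evaluate(poly, x):
    """F(x) = sum_e c_e x^e in F_{2^8}; addition is XOR in characteristic 2."""
    return reduce(xor, (gf_mul(c, reduce(gf_mul, [x] * e, 1)) for e, c in poly.items()), 0)

def hfev_keygen(rng):  # random HFEv map keyed by the exponent of X (the slide's three sums)
    A = {(1 << i) + (1 << j): rng.randrange(1, 256)
         for i in range(N) for j in range(i + 1, N) if (1 << i) + (1 << j) <= D}
    beta = {1 << i: [rng.randrange(256) for _ in range(V)] for i in range(N) if (1 << i) <= D}
    gamma = {(k, l): rng.randrange(256) for k in range(V) for l in range(k, V)}
    return A, beta, gamma  # beta_i(v) is F_2-linear in the vinegar bits, gamma(v) quadratic

def specialize(key, vin):
    """Guess the vinegar bits: F(X, v) collapses to a univariate polynomial {exponent: coeff}."""
    A, beta, gamma = key
    poly = dict(A)
    for e, coeffs in beta.items():
        poly[e] = reduce(xor, (c for c, bit in zip(coeffs, vin) if bit), 0)
    poly[0] = reduce(xor, (g for (k, l), g in gamma.items() if vin[k] and vin[l]), 0)
    return poly

def hfev_sign(key, digest, rng, max_tries=200):
    """Las Vegas signing: random vinegar, root-find F(X, v) = digest, retry if there is no root."""
    for _ in range(max_tries):
        vin = tuple(rng.randrange(2) for _ in range(V))
        poly = specialize(key, vin)
        poly[0] ^= digest  # roots of F(X, v) - digest; minus is XOR in characteristic 2
        roots = [x for x in range(256) if evaluate(poly, x) == 0]  # exhaustive: toy field only
        if roots: return rng.choice(roots), vin
    raise RuntimeError("no preimage found")

def hfev_verify(key, digest, sig):  # verification is a single polynomial evaluation
    return evaluate(specialize(key, sig[1]), sig[0]) == digest

def demo(seed=7, digest=0x5A):  # key, sign, verify; then check that a different digest is rejected
    rng = random.Random(seed)
    key = hfev_keygen(rng)
    sig = hfev_sign(key, digest, rng)
    return hfev_verify(key, digest, sig), hfev_verify(key, digest ^ 1, sig)
```

With only four vinegar bits there are 16 candidate univariate polynomials per digest, so the retry loop is what makes signing succeed when a guessed vinegar assignment yields a root-free polynomial.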

  8. Security Analysis
     J.-C. Faugère, A. Joux, “Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases”, CRYPTO ’03.
     Signature forgery amounts to solving the public system $p_1 = \cdots = p_m = 0$ with Gröbner-basis algorithms: B. Buchberger (1965); D. Lazard (1983); F4 (J.-C. Faugère, 1999); F5 (J.-C. Faugère, 2002); FGLM (J.-C. Faugère, P. Gianni, D. Lazard, T. Mora, 1993); … These compute a row-echelon form on matrices up to degree $D_{\mathrm{reg}}$, in $O\big(\binom{n}{D_{\mathrm{reg}}}^2\big)$.

  9. Security Analysis (continued)
     Complexity is driven by the maximal degree $D_{\mathrm{reg}}$ reached.

  10. Generic Techniques
      We can fix $n + v - m$ variables.
      Input: non-linear public-key polynomials $p_1, \ldots, p_m \in \mathbb{F}_2[x_1, \ldots, x_n]$.
      Question: find $(z_1, \ldots, z_m) \in \mathbb{F}_2^m$ such that $p_1(z_1, \ldots, z_m) = 0, \ldots, p_m(z_1, \ldots, z_m) = 0$.
      Exhaustive search in $4 \log_2(m) \cdot 2^m$ [C. Bouillaguet, C.-M. Cheng, T. Chou, R. Niederhagen, B.-Y. Yang, SAC 2013].
      $O^*(2^{0.8765\,m})$ [D. Lokshtanov, R. Paturi, S. Tamaki, R. Williams, H. Yu, SODA 2017], no assumption.
      BooleanSolve: $O(2^{0.792\,m})$ [M. Bardet, J.-C. Faugère, B. Salvy, P.-J. Spaenlehauer, Journal of Complexity, 2013], assumption on the input.
      Minimal condition, with $\lambda$ the security parameter: $m \ge 1.26 \cdot \lambda$.

  11. Message Recovery Attack: Nude HFE
      Upper bound [Faugère, Joux; L. Granboulan, A. Joux, J. Stern; V. Dubois, N. Gama; J. Ding, T. Hodges]: $D_{\mathrm{reg}} \approx O(\log_2(D))$.

  12. Message Recovery Attack: Nude HFE (continued)
      Experimental approximation: $D_{\mathrm{reg}} \approx 2.03 + 0.36 \log_2(D)$.

  13. Setting Parameters
      $\lambda$: security parameter; number of equations $m \ge 1.26 \cdot \lambda$.
      Solving a system of $m = n - \Delta$ equations in $n + v$ variables must cost $\binom{m}{D_{\mathrm{reg}}}^2 \ge 2^\lambda$.
      Nude HFE: $D_{\mathrm{reg}}^{\mathrm{init}} \approx 2.03 + 0.36 \log_2(D)$.

  14. Setting Parameters (continued)
      3 modifiers allow to increase the degree of regularity of nude HFE by one (heuristic/experimental rule):
      $$\Delta + v \approx \frac{3\lambda}{\log_2(m^2)} - 6.06 - 1.08 \log_2(D).$$

  15. Setting Parameters (continued)
      General formula for setting the parameters: $2^{\mathrm{SecRela}(n, \Delta, \log_2(D), v)} \ge 2^\lambda$.

  16. Parameters/Performance
      NIST Status Report on Round 1 Candidates: “GeMSS offers some of the smallest signature lengths among all submissions. GeMSS also benefits from the fact that the HFEv- construction is one of the most studied signature primitives in the literature. Aside from signature size and verification time, other performance characteristics of GeMSS raise some concerns. The signing time is quite high and the public keys are quite large; these properties may be features of GeMSS that are inherent to the HFEv- methodology.”
      Decrease D and adapt the other parameters. Larger set of parameters: GeMSS, BlueGeMSS and RedGeMSS (faster signing and key generation).

  17. Parameters/Performance
      scheme          key gen. (MCycles)   sign (MCycles)   verify (KCycles)   |pk| (KBytes)   |sk| (KBytes)   signature (bits)
      GeMSS128         38.5                 750               82               352.19          13.44           258
      BlueGeMSS128     39.3                 106              111               363.61          13.70           270
      RedGeMSS128      39.2                   2.79           109               375.21          13.10           282
      GeMSS192        175                   2320              239              1237.96          34.07           411
      BlueGeMSS192    172                    331              252              1264.12          35.38           423
      RedGeMSS192     171                      8.38           255              1290.54          34.79           435
      GeMSS256        532                   3640              566              3040.70          75.89           576
      GeMSS256        529                    545              583              3087.96          71.46           588
      GeMSS256        523                     12.9            588              3135.59          71.89           600
      Fastest implementation (AVX2), Intel Core i7-6600U, Skylake, 3.40 GHz.

  18. Multivariate Quadratic Software: MQsoft
      J.-C. Faugère, L. Perret and J. Ryckeghem, “Software Toolkit for HFE-based Multivariate Schemes”, CHES ’19.
      Teaser: an efficient C library exploiting the SSE/AVX2 instruction sets. Matsumoto-Imai-based schemes: QUARTZ, Gui, GeMSS, … Fast arithmetic in $\mathbb{F}_2[X]$, $\mathbb{F}_{2^n}$ and $\mathbb{F}_{2^n}[X]$ (with root finding), multivariate quadratic systems over $\mathbb{F}_2$ (evaluation, change of variables, …), mostly constant-time implementation against timing attacks.
      https://www-polsys.lip6.fr/Links/NIST/MQsoft.html

  19. Speed-up
      scheme      sec. level   key gen.   sign.    verif.
      GeMSS128    128          +220%      +100%    +95%
      GeMSS192    192          +220%      +57%     +84%
      GeMSS256    256          +240%      +110%    +75%
      Gui-184     128          +1200%     +100%    +73%
      Gui-312     192          +1600%     +95%     +56%
      Gui-448     256          +2500%     +85%     +58%
      Improvement of MQsoft w.r.t. the fastest first-round implementations.

  20. Third-Party Analysis
      Quantum analysis: J.-C. Faugère, K. Horan, D. Kahrobaei, M. Kaplan, E. Kashefi, L. Perret, “Fast Quantum Algorithm for Solving Multivariate Quadratic Equations”, 2018, under submission. D. J. Bernstein, B.-Y. Yang, “Asymptotically faster quantum algorithms to solve multivariate quadratic equations”, PQCrypto 2018.
