[PPT] - Introduction to Multivariate Public Key Cryptography Geovandro PowerPoint Presentation

SLIDE 1

Slide 1

Introduction to Multivariate Public Key Cryptography

Geovandro Carlos C. F. Pereira

PhD advisor: Prof. Dr. Paulo S. L. M. Barreto

LARC - Computer Architecture and Networking Lab Department of Computer Engineering and Digital Systems Escola Politécnica University of Sao Paulo

SLIDE 2

Slide 2

Agenda

Motivation to Post-Quantum Crypto
Introduction to MPKC
Matsumoto-Imai Encryption
UOV Signature
Technique for Key Size Reduction
Security Analysis

SLIDE 3

Slide 3

Motivation

Internet of Things (IoT) Any object connected to the internet

SLIDE 4

Slide 4

Motivation

Typical Platforms

Smartcard (Java Card) Sensor node Arduino

SLIDE 5

Slide 5

Motivation

Typical Platforms
Resources
Instruction set of 8, 16 or 32 bits
Small amount of RAM(2-8 KiB) and ROM (32-128 KiB)
Low clock: 5-40 MHz
Energy is expensive

Smartcard (Java Card) Sensor node Arduino

SLIDE 6

Slide 6

Motivation

Symmetric Crypto: ok

SLIDE 7

Slide 7

Motivation

Symmetric Crypto: ok
Conventional Asymmetric Criptography: bottleneck

Security relies on a few computational problems.

SLIDE 8

Slide 8

Motivation

Symmetric Crypto: ok
Conventional Asymmetric Criptography: bottleneck

Security relies on a few computational problems. “Complex” operations (e.g. multiple-precision arithmetic).

SLIDE 9

Slide 9

Motivation

Symmetric Crypto: ok
Conventional Asymmetric Criptography: bottleneck

Security relies on a few computational problems. “Complex” operations (e.g. multiple-precision arithmetic). Threats in medium and long-terms:

Shor [1997]

Quantum algorithm for DLP e IFP

SLIDE 10

Slide 10

Motivation

Symmetric Crypto: ok
Conventional Asymmetric Criptography: bottleneck

Security relies on a few computational problems. “Complex” operations (e.g. multiple-precision arithmetic). Threats in medium and long-terms:

Shor [1997]

Quantum algorithm for DLP e IFP

Barbulescu, Joux,...[2013]

Conventional algorithms for DLP over binary fields in quase-polynomial time End of pairings over binary fields (it was the most suitable for WSNs)

SLIDE 11

Slide 11

Motivation

Symmetric Crypto: ok
Conventional Asymmetric Criptography: bottleneck

Security relies on a few computational problems. “Complex” operations (e.g. multiple-precision arithmetic). Threats in medium and long-terms:

Shor [1997]

Quantum algorithm for DLP e IFP

Barbulescu, Joux,...[2013]

Conventional algorithms for DLP over binary fields in quase-polynomial time End of pairings over binary fields (it was the most suitable for WSNs)

Need for alternatives!

SLIDE 12

Slide 12

Motivation

Post-Quantum Cryptography

Cryptosystems that resist to quantum algorithms.

SLIDE 13

Slide 13

Motivation

Post-Quantum Cryptography

Cryptosystems that resist to quantum algorithms. Main lines of research:

Hash-based
Very efficient, large signatures.

SLIDE 14

Slide 14

Motivation

Post-Quantum Cryptography

Cryptosystems that resist to quantum algorithms. Main lines of research:

Hash-based
Very efficient, large signatures.
Code-based
Public Key Encryption schemes
Singatures (one-time, large keys)

SLIDE 15

Slide 15

Motivation

Post-Quantum Cryptography

Cryptosystems that resist to quantum algorithms. Main lines of research:

Hash-based
Very efficient, large signatures.
Code-based
Public Key Encryption schemes
Singatures (one-time, large keys)
Lattice-based
Encryption, Digital signatures, FHE

SLIDE 16

Slide 16

Motivation

Post-Quantum Cryptography

Cryptosystems that resist to quantum algorithms. Main lines of research:

Hash-based
Very efficient, large signatures.
Code-based
Public Key Encryption schemes
Singatures (one-time, large keys)
Lattice-based
Encryption, Digital signatures, FHE
Multivariate Quadratic (MQ)
Some digital signature schemes are robust (original UOV, 14 years)
Most of the encryption constructions were broken (Jintai has a new perspective about it)

SLIDE 17

Slide 17

Motivation

Conventional Public Key Cryptography
Need coprocessors in smartcards.
Low flexibility for use or optimizations.

SLIDE 18

Slide 18

Motivation

Conventional Public Key Cryptography
Need coprocessors in smartcards.
Low flexibility for use or optimizations.
Advantages of MPKC
Simplicity of Operations (matrices and vectors).
Small fields avoid multiple-precision arithmetic.
Long term security. (prevention against spying)
Efficiency

Signature generation in 804 cycles by Ding [ASAP 2008].

SLIDE 19

Slide 19

Motivation

Conventional Public Key Cryptography
Need coprocessors in smartcards.
Low flexibility for use or optimizations.
Advantages of MPKC
Simplicity of Operations (matrices and vectors).
Small fields avoid multiple-precision arithmetic.
Long term security. (prevention against spying)
Efficiency

Signature generation in 804 cycles by Ding [ASAP 2008].

Main Challenge
Relatively large key sizes.

SLIDE 20

Slide 20

MPKC Constructions

SLIDE 21

Slide 21

Multivariate Public Key Cryptography

Basic Property:
Cryptosystems whose public keys are a set of multivariate polynomials.

SLIDE 22

Slide 22

Multivariate Public Key Cryptography

Basic Property:
Cryptosystems whose public keys are a set of multivariate polynomials.
Notation: the public key is given as:

𝑄 𝑦1, ⋯ , 𝑦𝑜 = (𝑞1 𝑦1, ⋯ , 𝑦𝑜 , 𝑞2 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛(𝑦1, ⋯ , 𝑦𝑜))

SLIDE 23

Slide 23

MPKC Encryption

Given a plaintext 𝑁 = 𝑦1, ⋯ , 𝑦𝑜 .

SLIDE 24

Slide 24

MPKC Encryption

Given a plaintext 𝑁 = 𝑦1, ⋯ , 𝑦𝑜 .
Ciphertext is simply a polynomial evaluation:

𝑄 𝑁 = 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜 = (𝑑1, ⋯ , 𝑑𝑛)

SLIDE 25

Slide 25

MPKC Encryption

Given a plaintext 𝑁 = 𝑦1, ⋯ , 𝑦𝑜 .
Ciphertext is simply a polynomial evaluation:

𝑄 𝑁 = 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜 = (𝑑1, ⋯ , 𝑑𝑛)

To decrypt one needs to know a trapdoor so that it is

feasible to invert the quadratic map to find the plaintext:

𝑦1, ⋯ , 𝑦𝑜 = 𝑄−1 𝑑1, ⋯ , 𝑑𝑛

SLIDE 26

Slide 26

MPKC Signature

Public Key:

𝑄 𝑦1, ⋯ , 𝑦𝑜 = 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜

SLIDE 27

Slide 27

MPKC Signature

Public Key:

𝑄 𝑦1, ⋯ , 𝑦𝑜 = 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜

Private Key: a trapdoor for computing 𝑄−1.

SLIDE 28

Slide 28

MPKC Signature

Public Key:

𝑄 𝑦1, ⋯ , 𝑦𝑜 = 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜

Private Key: a trapdoor for computing 𝑄−1.
Sign: given a hash (ℎ1, ⋯ , ℎ𝑛), compute

𝑦1, ⋯ , 𝑦𝑜 = 𝑄−1 ℎ1, ⋯ , ℎ𝑛

SLIDE 29

Slide 29

MPKC Signature

Public Key:

𝑄 𝑦1, ⋯ , 𝑦𝑜 = 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜

Private Key: a trapdoor for computing 𝑄−1.
Sign: given a hash (ℎ1, ⋯ , ℎ𝑛), compute

𝑦1, ⋯ , 𝑦𝑜 = 𝑄−1 ℎ1, ⋯ , ℎ𝑛

Verify: ℎ1, ⋯ , ℎ𝑜 = 𝑄 𝑦1, ⋯ , 𝑦𝑛

SLIDE 30

Slide 30

MPKC Signature

Public Key:

𝑄 𝑦1, ⋯ , 𝑦𝑜 = 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜

Private Key: a trapdoor for computing 𝑄−1.
Sign: given a hash (ℎ1, ⋯ , ℎ𝑛), compute

𝑦1, ⋯ , 𝑦𝑜 = 𝑄−1 ℎ1, ⋯ , ℎ𝑛

Verify: ℎ1, ⋯ , ℎ𝑜 = 𝑄 𝑦1, ⋯ , 𝑦𝑛
All vars. and coeffs. are in the small field 𝑙.

SLIDE 31

Slide 31

Security

Direct attack is to solve the set of equations:

𝑄 𝑁 = 𝑄 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜 = (𝑑1, ⋯ , 𝑑𝑛)

SLIDE 32

Slide 32

Security

Direct attack is to solve the set of equations:

𝑄 𝑁 = 𝑄 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜 = (𝑑1, ⋯ , 𝑑𝑛)

Solving a set of 𝑛 randomly chosen (nonlinear) equations

with 𝑜 variables is NP-complete.

SLIDE 33

Slide 33

Security

Direct attack is to solve the set of equations:

𝑄 𝑁 = 𝑄 𝑞1 𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝑞𝑛 𝑦1, ⋯ , 𝑦𝑜 = (𝑑1, ⋯ , 𝑑𝑛)

Solving a set of 𝑛 randomly chosen (nonlinear) equations

with 𝑜 variables is NP-complete.

But this does not necessarily ensure the security of the

systems.

SLIDE 34

Slide 34

Security

Most of the schemes do not use exactly random maps.

SLIDE 35

Slide 35

Security

Most of the schemes do not use exactly random maps.
Many systems have the structure

𝑄(𝑦1, ⋯ , 𝑦𝑜) = 𝑀1 ∘ 𝐺 ∘ 𝑀2(𝑦1, ⋯ , 𝑦𝑜)

SLIDE 36

Slide 36

Security

Most of the schemes do not use exactly random maps.
Many systems have the structure

𝑄(𝑦1, ⋯ , 𝑦𝑜) = 𝑀1 ∘ 𝐺 ∘ 𝑀2(𝑦1, ⋯ , 𝑦𝑜)

𝐺 is a quadratic map with certain structure. (central map)

SLIDE 37

Slide 37

Security

Most of the schemes do not use exactly random maps.
Many systems have the structure

𝑄(𝑦1, ⋯ , 𝑦𝑜) = 𝑀1 ∘ 𝐺 ∘ 𝑀2(𝑦1, ⋯ , 𝑦𝑜)

𝐺 is a quadratic map with certain structure. (central map)
This structure enables computing 𝐺−1 easily.

SLIDE 38

Slide 38

Security

Most of the schemes do not use exactly random maps.
Many systems have the structure

𝑄(𝑦1, ⋯ , 𝑦𝑜) = 𝑀1 ∘ 𝐺 ∘ 𝑀2(𝑦1, ⋯ , 𝑦𝑜)

𝐺 is a quadratic map with certain structure. (central map)
This structure enables computing 𝐺−1 easily.
𝑀1 and 𝑀2 are full-rank linear maps used to hide 𝐺.

SLIDE 39

Slide 39

Security

MQ-Problem: Given a set of 𝑛 quadratic polynomials in 𝑜

variables x = (𝑦1, ⋯ , 𝑦𝑜), solve the system: 𝑞1 𝑦 = ⋯ = 𝑞𝑛 𝑦 = 0

SLIDE 40

Slide 40

Security

MQ-Problem: Given a set of 𝑛 quadratic polynomials in 𝑜

variables x = (𝑦1, ⋯ , 𝑦𝑜), solve the system: 𝑞1 𝑦 = ⋯ = 𝑞𝑛 𝑦 = 0

IP-Problem: Given two polynomial maps 𝐺

1, 𝐺2: 𝐿𝑜 ⟶ 𝐿𝑛.

The problem is to look for two linear transformations 𝑀1 and 𝑀2 (if they exist) s.t.: 𝐺

1(𝑦1, ⋯ , 𝑦𝑜) = 𝑀1 ∘ 𝐺 ∘ 𝑀2(𝑦1, ⋯ , 𝑦𝑜)

SLIDE 41

Slide 41

Multivariate Quadratic Construction

MQ system with 𝑛 equations in 𝑜 vars, all coefs. in 𝔾𝑟:

Polynomial notation: Vector notation: 𝑞𝑙 𝑦1, … , 𝑦𝑜 = 𝑦𝑄 𝑙 𝑦𝑈 + 𝑀(𝑙)𝑦 + 𝑑(𝑙)

𝑞𝑙 𝑦1, … , 𝑦𝑜 ≔ 𝑄

𝑗𝑘 𝑙 𝑦𝑗𝑦𝑘 𝑗,𝑘

+ 𝑀𝑗

𝑙 𝑦𝑗 𝑗

+ 𝑑(𝑙)

SLIDE 42

Slide 42

(Pure) Quadratic Map

𝑄(𝑙) 𝑦 𝑦𝑈 = ℎ𝑙 𝒬 𝑦 = ℎ ⇔ 𝑦 𝑄(𝑙) 𝑦𝑈 = ℎ𝑙 (𝑙 = 1, … , 𝑛)

SLIDE 43

Slide 43

Matsumoto-Imai Cryptosystem

Previously, many unsuccesfull attempts to construct an

encryption scheme.

Small number of variables.
Huge key sizes.
In 1988, Matsumoto and Imai adopted a “Big” Field in their

C* construction.

SLIDE 44

Slide 44

Matsumoto-Imai Cryptosystem

𝑙 is a small finite field with 𝑙 = 𝑟.

SLIDE 45

Slide 45

Matsumoto-Imai Cryptosystem

𝑙 is a small finite field with 𝑙 = 𝑟.
𝐿

= 𝑙 𝑦 /(𝑕(𝑦)) a degree 𝑜 extension of 𝑙.

SLIDE 46

Slide 46

Matsumoto-Imai Cryptosystem

𝑙 is a small finite field with 𝑙 = 𝑟.
𝐿

= 𝑙 𝑦 /(𝑕(𝑦)) a degree 𝑜 extension of 𝑙.

The linear map 𝜚: 𝐿

→ 𝑙𝑜 and 𝜚−1: 𝑙𝑜 → 𝐿 .

𝜚 𝑏0 + 𝑏1𝑦 + ⋯ + 𝑏𝑜−1𝑦𝑜−1 = (𝑏0, 𝑏1, ⋯ , 𝑏𝑜−1)

SLIDE 47

Slide 47

Matsumoto-Imai Cryptosystem

𝑙 is a small finite field with 𝑙 = 𝑟.
𝐿

= 𝑙 𝑦 /(𝑕(𝑦)) a degree 𝑜 extension of 𝑙.

The linear map 𝜚: 𝐿

→ 𝑙𝑜 and 𝜚−1: 𝑙𝑜 → 𝐿 .

𝜚 𝑏0 + 𝑏1𝑦 + ⋯ + 𝑏𝑜−1𝑦𝑜−1 = (𝑏0, 𝑏1, ⋯ , 𝑏𝑜−1)

Build a map 𝐺
ver 𝐿

:

𝐺 = 𝑀1 ∘ 𝜚 ∘ 𝐺 ∘ 𝜚−1 ∘ 𝑀2

where the 𝑀𝑗 are randomly chosen invertible maps over 𝑙𝑜

SLIDE 48

Slide 48

Matsumoto-Imai Cryptosystem

𝑙 is a small finite field with 𝑙 = 𝑟.
𝐿

= 𝑙 𝑦 /(𝑕(𝑦)) a degree 𝑜 extension of 𝑙.

The linear map 𝜚: 𝐿

→ 𝑙𝑜 and 𝜚−1: 𝑙𝑜 → 𝐿 .

𝜚 𝑏0 + 𝑏1𝑦 + ⋯ + 𝑏𝑜−1𝑦𝑜−1 = (𝑏0, 𝑏1, ⋯ , 𝑏𝑜−1)

Build a map 𝐺
ver 𝐿

:

𝐺 = 𝑀1 ∘ 𝜚 ∘ 𝐺 ∘ 𝜚−1 ∘ 𝑀2

where the 𝑀𝑗 are randomly chosen invertible maps over 𝑙𝑜

Inversion of 𝐺

is related to the IP Problem

SLIDE 49

Slide 49

Matsumoto-Imai Cryptosystem

The map 𝐺 adopted was:

𝐺 ∶ 𝐿 ⟶ 𝐿 𝑌 ⟼ 𝑌𝑟𝜄+1

SLIDE 50

Slide 50

Matsumoto-Imai Cryptosystem

The map 𝐺 adopted was:

𝐺 ∶ 𝐿 ⟶ 𝐿 𝑌 ⟼ 𝑌𝑟𝜄+1

Let

𝐺 𝑦1, ⋯ , 𝑦𝑜 = 𝜚 ∘ 𝐺 ∘ 𝜚−1 𝑦1, ⋯ , 𝑦𝑜 = (𝐺

1

𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝐺

𝑛(𝑦1, ⋯ , 𝑦𝑜))

SLIDE 51

Slide 51

Matsumoto-Imai Cryptosystem

The map 𝐺 adopted was:

𝐺 ∶ 𝐿 ⟶ 𝐿 𝑌 ⟼ 𝑌𝑟𝜄+1

Let

𝐺 𝑦1, ⋯ , 𝑦𝑜 = 𝜚 ∘ 𝐺 ∘ 𝜚−1 𝑦1, ⋯ , 𝑦𝑜 = (𝐺

1

𝑦1, ⋯ , 𝑦𝑜 , ⋯ , 𝐺

𝑛(𝑦1, ⋯ , 𝑦𝑜))

𝐺𝑗

are quadratic polynomials because the map 𝑌 ⟼ 𝑌𝑟𝜄 is linear (it is the Frobenius automorphism of

rder 𝜄).

SLIDE 52

Slide 52

Matsumoto-Imai Cryptosystem

Encryption is done by the quadratic map over 𝑙𝑜

𝐺 = 𝑀1 ∘ 𝜚 ∘ 𝐺 ∘ 𝜚−1 ∘ 𝑀2

where 𝑀𝑗 are affine maps over 𝑙𝑜.

SLIDE 53

Slide 53

Matsumoto-Imai Cryptosystem

Encryption is done by the quadratic map over 𝑙𝑜

𝐺 = 𝑀1 ∘ 𝜚 ∘ 𝐺 ∘ 𝜚−1 ∘ 𝑀2

where 𝑀𝑗 are affine maps over 𝑙𝑜.

Decryption is the inverse process

𝐺 −1 = 𝑀2

−1 ∘ 𝜚 ∘ 𝐺−1 ∘ 𝜚−1 ∘ 𝑀1 −1

SLIDE 54

Slide 54

Matsumoto-Imai Cryptosystem

Requirement: G.C.D. 𝑟𝜄 + 1, 𝑟𝑜 − 1 = 1

to ensure the invertibility of the decryption map 𝐺

−1

SLIDE 55

Slide 55

Matsumoto-Imai Cryptosystem

Requirement: G.C.D. 𝑟𝜄 + 1, 𝑟𝑜 − 1 = 1

to ensure the invertibility of the decryption map 𝐺

−1

𝐺−1 𝑌 = 𝑌𝑢, 𝑌 ∈ 𝐿

where 𝑢 × 𝑟𝜄 + 1 ≡ 1 𝑛𝑝𝑒(𝑟𝑜 − 1).

The public key includes 𝑙 and 𝐺

= (𝐺

1

, ⋯ , 𝐺

𝑜

)

The private key includes 𝑀1, 𝑀2 and 𝐿

.

SLIDE 56

Trapdoor to invert 𝐺 [Patarin]

Slide 56

UOV Signature

SLIDE 57

Trapdoor to invert 𝐺 [Patarin]
ℎ = 𝐼𝑏𝑡ℎ(𝑁)

Slide 57

UOV Signature

SLIDE 58

Trapdoor to invert 𝐺 [Patarin]
ℎ = 𝐼𝑏𝑡ℎ(𝑁)
Split vars. into 2 sets: oil variables: O ≔ (𝑦1, ⋯ , 𝑦𝑝)

vinegar variables: 𝑊 ≔ (𝑦1

′, … , 𝑦𝑤 ′)

Slide 58

UOV Signature

SLIDE 59

Trapdoor to invert 𝐺 [Patarin]
ℎ = 𝐼𝑏𝑡ℎ(𝑁)
Split vars. into 2 sets: oil variables: O ≔ (𝑦1, ⋯ , 𝑦𝑝)

vinegar variables: 𝑊 ≔ (𝑦1

′, … , 𝑦𝑤 ′)

Slide 59

UOV Signature

𝑔

𝑙 𝑦1, ⋯ , x𝑝, 𝑦1 ′, … , 𝑦𝑤 ′ = ℎ𝑙 =

= 𝐺𝑗𝑘

𝑙 𝑦𝑗𝑦′𝑘 𝑃×𝑊

+ 𝐺𝑗𝑘

𝑙 𝑦′𝑗𝑦′𝑘 𝑊×𝑊

+ 𝑀𝑗

𝑙 𝑦𝑗 𝑃

+ 𝑀𝑗

𝑙 𝑦′𝑗 𝑊

+ 𝑑(𝑙)

SLIDE 60

Trapdoor to invert 𝐺 [Patarin]
ℎ = 𝐼𝑏𝑡ℎ(𝑁)
Choose uniformly at random vinegars: 𝑊 ≔ (𝑦1

′, … , 𝑦𝑤 ′)

Slide 60

UOV Signature

𝑔

𝑙 𝑦1, ⋯ , x𝑝, 𝑦1 ′, … , 𝑦𝑤 ′ = ℎ𝑙 =

= 𝐺𝑗𝑘

𝑙 𝑦𝑗𝑦′𝑘 𝑃×𝑊

+ 𝐺𝑗𝑘

𝑙 𝑦′𝑗𝑦′𝑘 𝑊×𝑊

+ 𝑀𝑗

𝑙 𝑦𝑗 𝑃

+ 𝑀𝑗

𝑙 𝑦′𝑗 𝑊

+ 𝑑(𝑙)

SLIDE 61

Trapdoor to invert 𝐺 [Patarin]
ℎ = 𝐼𝑏𝑡ℎ(𝑁)
Fix vinegars: 𝑊 ≔ 𝑦1

′, … , 𝑦𝑤 ′

This becomes an 𝑝𝑦𝑝 system of linear equations.

Slide 61

UOV Signature

𝑔

𝑙 𝑦1, ⋯ , x𝑝, 𝑦1 ′, … , 𝑦𝑤 ′ = ℎ𝑙

= 𝐺𝑗𝑘

𝑙 𝑦𝑗𝑦′𝑘 𝑃×𝑊

+ 𝐺𝑗𝑘

𝑙 𝑦′𝑗𝑦′𝑘 𝑊×𝑊

+ 𝑀𝑗

𝑙 𝑦𝑗 𝑃

+ 𝑀𝑗

𝑙 𝑦′𝑗 𝑊

+ 𝑑(𝑙)

SLIDE 62

Trapdoor to invert 𝐺 [Patarin]
ℎ = 𝐼𝑏𝑡ℎ(𝑁)
Fix vinegars: 𝑊 ≔ 𝑦1

′, … , 𝑦𝑤 ′

This becomes an 𝑝𝑦𝑝 system of linear equations.
It has a solution with high probability (≈ 1 − 1/𝑟).

Slide 62

UOV Signature

𝑔

𝑙 𝑦1, ⋯ , x𝑝, 𝑦1 ′, … , 𝑦𝑤 ′ =

= 𝐺𝑗𝑘

𝑙 𝑦𝑗𝑦′𝑘 𝑃×𝑊

+ 𝐺𝑗𝑘

𝑙 𝑦′𝑗𝑦′𝑘 𝑊×𝑊

+ 𝑀𝑗

𝑙 𝑦𝑗 𝑃

+ 𝑀𝑗

𝑙 𝑦′𝑗 𝑊

+ 𝑑(𝑙)

SLIDE 63

Trapdoor to invert 𝐺 [Patarin]
Oil variables not mixed.

Slide 63

UOV Signature

𝐺(𝑙) =

Vinegar variables Oil variables

𝒚𝟐 … 𝒚𝒘 … 𝒚𝒐 𝒚𝟐 ⋮ 𝒚𝒘 𝒚𝒐 ⋮

Vinegar variables Oil variables

SLIDE 64

Slide 64

Rainbow Signature

Rainbow Quadratic Map

SLIDE 65

UOV key sizes.

Slide 65

MQ Signatures

Scheme

Public Key (KiB)

113.4 99.4 77.7 66.7 14.5 11.0 10.2

SLIDE 66

Slide 66

Technique for Key Size

Reduction

SLIDE 67

Technique for reduction of UOV public keys.

Slide 67

MQ Signatures - Cyclic UOV

SLIDE 68

Technique for reduction of UOV public keys.
Part of the public key with short representation.

Slide 68

MQ Signatures - Cyclic UOV

SLIDE 69

Technique for reduction of UOV public keys.
Part of the public key with short representation.
Achieves a 6x reduction factor for 80-bit security.

Slide 69

MQ Signatures - Cyclic UOV

SLIDE 70

Public matrix of coefficients 𝑁𝑄

Slide 70

MQ Signatures - Cyclic UOV

𝑄(1) 𝑄(2)

𝑁𝑄 =

⋮ ⋮

𝑛𝑦l ′ l ′ = 𝑜 𝑜 + 1 2 𝑄(𝑛)

SLIDE 71

Public matrix of coefficients 𝑁𝑄

Slide 71

MQ Signatures - Cyclic UOV

𝑁𝑄 =

⋮

𝑛𝑦l ′

𝐶 𝐷

l

=

𝑛𝑦l ′ l l = 𝑤 𝑤 + 1 2 + 𝑛𝑤, l ′ = 𝑜 𝑜 + 1 2

SLIDE 72

Private matrix of coefficients 𝑁𝐺

Slide 72

MQ Signatures - Cyclic UOV

𝐺 1 𝐺 2 𝐺 𝑛

𝑁𝐺 =

⋮ ⋮

𝑛𝑦l ′ l ′ = 𝑜 𝑜 + 1 2

l

l = 𝑤 𝑤 + 1 2 + 𝑛𝑤,

SLIDE 73

Private matrix of coefficients 𝑁𝐺

Slide 73

MQ Signatures - Cyclic UOV

𝑁𝐺 =

𝐺

l = 𝑤 𝑤 + 1 2 + 𝑛𝑤,

=

𝑛𝑦l ′ l l ′ = 𝑜 𝑜 + 1 2

⋮

𝑛𝑦l ′ l

SLIDE 74

There is a linear relation between 𝐶 and 𝐺 which only depends
n 𝐶,𝐺 and 𝑇 [Petzoldt et. al, 2010]

Slide 74

MQ Signatures - Cyclic UOV

𝑁𝐺 =

𝐺

𝑛𝑦l ′

𝑁𝑄 =

𝐶 𝐷

𝑛𝑦l ′

𝐶 = 𝐺 ∙ 𝐵𝑉𝑃𝑊(S)

𝑏𝑗𝑘

𝑠𝑡 = 𝑡𝑠𝑗. 𝑡𝑡𝑗,

𝑗 = 𝑘 𝑡𝑠𝑗. 𝑡𝑡𝑘 + 𝑡𝑠𝑘. 𝑡𝑡𝑗, 𝑗 ≠ 𝑘

1 ≤ 𝑗 ≤ 𝑤, 𝑗 ≤ 𝑘 ≤ 𝑜 1 ≤ 𝑠 ≤ 𝑤, 𝑠 ≤ 𝑡 ≤ 𝑜

l l

SLIDE 75

By choosing 𝐵𝑉𝑃𝑊(𝑇) invertible:

𝐺 can be computed from 𝐶 and 𝐵𝑉𝑃𝑊

−1

Slide 75

MQ Signatures - Cyclic UOV

𝐺 = 𝐶 ∙ 𝐵𝑉𝑃𝑊

−1

SLIDE 76

By choosing 𝐵𝑉𝑃𝑊(𝑇) invertible:

𝐺 can be computed from 𝐶 and 𝐵𝑉𝑃𝑊

−1

Thus, the choice of 𝐶 becomes flexible.

Slide 76

MQ Signatures - Cyclic UOV

𝐺 = 𝐶 ∙ 𝐵𝑉𝑃𝑊

−1

SLIDE 77

By choosing 𝐵𝑉𝑃𝑊(𝑇) invertible:

𝐺 can be computed from 𝐶 and 𝐵𝑉𝑃𝑊

−1

Thus, the choice of 𝐶 becomes flexible.
In particular:

𝐶 = 0 does not result in a valid F, 𝐶 = Identity blocks, reveals too much info of 𝐵𝑉𝑃𝑊

−1 ,

𝐶 circulant was adopted by [Petzoldt et. al, 2010]

Slide 77

MQ Signatures - Cyclic UOV

𝐺 = 𝐶 ∙ 𝐵𝑉𝑃𝑊

−1

SLIDE 78

By choosing 𝐵𝑉𝑃𝑊(𝑇) invertible:

𝐺 can be computed from 𝐶 and 𝐵𝑉𝑃𝑊

−1

Thus, the choice of 𝐶 becomes flexible.
In particular:

𝐶 = 0 does not result in a valid F, 𝐶 = Identity blocks, reveals too much info of 𝐵𝑉𝑃𝑊

−1 ,

𝐶 circulant was adopted by [Petzoldt et. al, 2010]

Slide 78

MQ Signatures - Cyclic UOV

𝐺 = 𝐶 ∙ 𝐵𝑉𝑃𝑊

−1

Petzoldt et. al. showed by theorem that the choice of a circulant 𝐶 provides consistent UOV signatures.

SLIDE 79

Adopting 𝐶 circulant:

Slide 79

MQ Signatures - Cyclic UOV

𝑁𝑄 =

𝐶 𝐷

𝑛𝑦l ′

|𝑵𝑸| = l + 𝑛(l ′ − l)

𝒄 = (𝑐1, ⋯ , 𝑐l)

⋮

𝑛𝑦l ′

l

⋯

l

SLIDE 80

Public matrices 𝑄 𝑙

Slide 80

MQ Signatures - Cyclic UOV

𝑄 1

SLIDE 81

Public matrices 𝑄 𝑙

Slide 81

MQ Signatures - Cyclic UOV

𝑄 2

SLIDE 82

Public matrices 𝑄 𝑙

Slide 82

MQ Signatures - Cyclic UOV

𝑄 3

SLIDE 83

Public matrices 𝑄 𝑙

Slide 83

MQ Signatures - Cyclic UOV

𝑄 4

SLIDE 84

Public matrices 𝑄 𝑙

Slide 84

MQ Signatures - Cyclic UOV

⋯

SLIDE 85

Idea: Find equivalent private keys that enables solving any

given public key system.

Slide 85

Equivalent Keys in UOV

SLIDE 86

Idea: Find equivalent private keys that enables solving any

given public key system.

A class of equivalent private keys with a simpler structure.

Slide 86

Equivalent Keys in UOV

SLIDE 87

Idea: Find equivalent private keys that enables solving any

given public key system.

A class of equivalent private keys with a simpler structure.
Thus, private keys can be built using this short structure.

Slide 87

Equivalent Keys in UOV

SLIDE 88

UOV public key:

𝑄(𝑗) = 𝑇𝐺(𝑗)𝑇𝑈, 1 ≤ 𝑗 ≤ 𝑛

Slide 88

Equivalent Keys in UOV

SLIDE 89

UOV public key:

𝑄(𝑗) = 𝑇𝐺(𝑗)𝑇𝑈, 1 ≤ 𝑗 ≤ 𝑛

Question: Are there classes of keys 𝑇′and 𝐺′ s.t.

𝑄(𝑗) = 𝑇𝐺(𝑗)𝑇𝑈 = 𝑇′𝐺′(𝑗)𝑇′𝑈, 1 ≤ 𝑗 ≤ 𝑛 where matrices 𝐺′(𝑗) share with 𝐺(𝑗) the same trapdoor structure?

Slide 89

Equivalent Keys in UOV

SLIDE 90

Idea: Introduce a matrix Ω in 𝑄(𝑗):

𝑄 𝑗 = 𝑇Ω−1Ω𝐺 𝑗 Ω𝑈Ω𝑈−1𝑇𝑈

Define 𝐺′ 𝑗 ≔ Ω𝐺(𝑗)Ω𝑈

Slide 90

Equivalent Keys in UOV

SLIDE 91

Idea: Introduce a matrix Ω in 𝑄(𝑗):

𝑄 𝑗 = 𝑇Ω−1Ω𝐺 𝑗 Ω𝑈Ω𝑈−1𝑇𝑈

Define 𝐺′ 𝑗 ≔ Ω𝐺(𝑗)Ω𝑈
We want Ω that keeps the original 𝐺 structure in 𝐺′:

Slide 91

Equivalent Keys in UOV

Ω1 Ω2 Ω3 Ω4 𝐺

1

𝐺2 𝐺3

=

𝐺′(𝑗) 𝐺(𝑗)

𝜍

Ω1

𝑈

Ω3

𝑈

Ω2

𝑈

Ω4

𝑈

𝑤 𝑛 𝑤 𝑛 𝑤 𝑛 𝑤 𝑛 𝑤 𝑛 𝑤 𝑛

Ω ΩT

SLIDE 92

From the previous equality we obtain:

𝜍 = Ω3𝐺

1 + Ω4𝐺3 Ω3 𝑈 + Ω3𝐺2Ω4 𝑈 = 0

and Ω3 = 0 is a solution.

Slide 92

Equivalent Keys in UOV

Ω1 Ω2 Ω4

Ω =

𝑤 𝑛 𝑤 𝑛

SLIDE 93

Thus, 𝐺′(𝑗) = Ω𝐺(𝑗)Ω𝑈 has the same structure of 𝐺 𝑗 .
Going back to definition

𝑄 𝑗 = 𝑇Ω−1(Ω𝐺 𝑗 Ω𝑈)Ω𝑈−1𝑇𝑈

Slide 93

Equivalent Keys in UOV

SLIDE 94

Thus, 𝐺′(𝑗) = Ω𝐺(𝑗)Ω𝑈 has the same structure of 𝐺 𝑗 .
Going back to definition

𝑄 𝑗 = 𝑇Ω−1(𝐺′(𝑗))Ω𝑈−1𝑇𝑈

Slide 94

Equivalent Keys in UOV

SLIDE 95

Thus, 𝐺′(𝑗) = Ω𝐺(𝑗)Ω𝑈 has the same structure of 𝐺 𝑗 .
Going back to definition

𝑄 𝑗 = 𝑇Ω−1(𝐺′(𝑗))Ω𝑈−1𝑇𝑈

So, defining 𝑇′ ≔ 𝑇Ω−1 one finally gets:

𝑄 𝑗 = 𝑇′𝐺′(𝑗)𝑇′𝑈

Slide 95

Equivalent Keys in UOV

SLIDE 96

Note that Ω−1 has the same structure of Ω.

Slide 96

Equivalent Keys in UOV

Ω1

−1

𝑇′ = 𝑇Ω−1 = 𝑇1 𝑇2 𝑇3 𝑇4

Ω2

−1

Ω4

−1

𝑤 𝑛 𝑤 𝑛

Ω−1 𝑇

Ω1

−1 Ω2 −1

Ω4

−1

SLIDE 97

By choosing suitable values of Ω𝑗

−1, it is possible to get:

𝑇1

′ = 𝐽𝑤𝑦𝑤

𝑇2

′ = 0𝑤𝑦𝑛

𝑇4

′ = 𝐽𝑛𝑦𝑛

what implies 𝑇3

′ = 𝑇3𝑇1 −1𝑇2𝑇1 −1 + 𝑇4(𝑇4 − 𝑇3𝑇1 −1𝑇2)−1

Slide 97

Equivalent Keys in UOV

SLIDE 98

Structure of 𝑇′:

Slide 98

Equivalent Keys in UOV

𝑇′ = 𝑇3

′

𝑛 𝑤 𝑛 𝑤

SLIDE 99

Structure of 𝑇′:
So, the answer is yes, there exist equivalent 𝑇′, 𝐺′(𝑗) s.t.

𝑇′𝐺′(𝑗)(𝑇′)𝑈 = (𝑇Ω−1) Ω𝐺 𝑗 Ω𝑈 𝑇Ω−1 𝑈 = 𝑄 𝑗 and 𝐺′(𝑗) have the desired trapdoor structure.

Slide 99

Equivalent Keys in UOV

𝑇′ = 𝑇3

′

𝑛 𝑤 𝑛 𝑤

SLIDE 100

Slide 100

Recap. MQ Schemes

SLIDE 101

Slide 101