Multivariate Cryptography Part 1: Basics - Albrecht Petzoldt - PowerPoint PPT Presentation


SLIDE 1

Multivariate Cryptography Part 1: Basics

Albrecht Petzoldt
PQCrypto Summer School 2017, Eindhoven, Netherlands, Tuesday, 20.06.2017

A. Petzoldt, Multivariate Cryptography, PQCrypto Summer School, 1 / 24

SLIDE 2

Multivariate Cryptography [DGS06]

MPKC: Multivariate Public Key Cryptosystem

Public Key: System of nonlinear multivariate polynomials $p^{(1)}, \ldots, p^{(m)}$ in the variables $x_1, \ldots, x_n$,

$$p^{(k)}(x_1, \ldots, x_n) = \sum_{i=1}^{n} \sum_{j=i}^{n} p^{(k)}_{ij} \cdot x_i x_j \;+\; \sum_{i=1}^{n} p^{(k)}_{i} \cdot x_i \;+\; p^{(k)}_0, \qquad k = 1, \ldots, m.$$

d := degree of the polynomials in the system
m := # equations
n := # variables

SLIDE 3

Public Key Size

size public key = m · T field elements, with T = # monomials of degree ≤ d.

$$\#\,\text{monomials of degree } d = \binom{n+d-1}{d}, \qquad \#\,\text{monomials of degree} \le d = \binom{n+d}{d}$$

$$\Rightarrow \quad \text{size public key} = m \cdot \binom{n+d}{d} \;\overset{m \approx n}{\sim}\; O(n^{d+1})$$

⇒ For d ≥ 2 the public key size gets very big (already cubic in n for d = 2)
⇒ Most MPKCs use d = 2 for efficiency reasons.

SLIDE 4

Security

The security of multivariate schemes is based on the

Problem MQ: Given m multivariate quadratic polynomials $p^{(1)}(x), \ldots, p^{(m)}(x)$, find a vector $\bar{x} = (\bar{x}_1, \ldots, \bar{x}_n)$ such that $p^{(1)}(\bar{x}) = \ldots = p^{(m)}(\bar{x}) = 0$.

- proven to be NP-hard [GJ79]
- believed to be hard on average (both for classical and quantum computers) [BBD09]
- also known as the PoSSo Problem (Polynomial System Solving, especially for d > 2)

However: there is no direct reduction from MQ to the security of a concrete scheme. The public key is a structured system, not a random one, so breaking the scheme is not proven to be as hard as solving a random MQ instance.

SLIDE 5

Construction

- Easily invertible quadratic map F : F^n → F^m (the central map)
- Two invertible linear (affine) maps S : F^m → F^m and T : F^n → F^n

Public key: P = S ∘ F ∘ T, supposed to look like a random system
Private key: S, F, T, allows to invert the public key

SLIDE 6

Isomorphism of Polynomials

Definition: Two polynomial systems G : F^n → F^m and H : F^n → F^m are called isomorphic ⇔ there exist linear (affine) maps L1 and L2 such that H = L1 ∘ G ∘ L2.

⇒ The central map F and the public key P of an MPKC are isomorphic.

SLIDE 7

Isomorphism of Polynomials (2)

Due to their construction, the security of MPKCs is also based on the

Problem EIP (Extended Isomorphism of Polynomials): Given the public key P of a multivariate public key cryptosystem, find affine maps S̄ and T̄ as well as an easily invertible quadratic map F̄ such that P = S̄ ∘ F̄ ∘ T̄.

⇒ Hardness of the problem depends heavily on the structure of the central map
⇒ In general, not much is known about the complexity
⇒ Security analysis of multivariate schemes is a hard task

SLIDE 8

Encryption Schemes (m ≥ n)

Encryption: Given message z ∈ F^n, compute the ciphertext w ∈ F^m by w = P(z).

Decryption: Given ciphertext w ∈ F^m, compute successively x = S^{-1}(w) ∈ F^m, y = F^{-1}(x) ∈ F^n and z = T^{-1}(y) ∈ F^n.

The condition m ≥ n guarantees that F is more or less injective, i.e. we do not get too many possible plaintexts for a given ciphertext.

Important Schemes: PMI+, IPHFE+; ZHFE (→ this conference); Simple Matrix (→ this conference)

SLIDE 9

Signature Schemes (m ≤ n)

Signature Generation: Given message d, use a hash function H : {0, 1}* → F^m to compute w = H(d) ∈ F^m. Compute successively x = S^{-1}(w) ∈ F^m, y = F^{-1}(x) ∈ F^n (any preimage of x under F) and z = T^{-1}(y) ∈ F^n. The signature of the message d is z ∈ F^n.

The condition m ≤ n is needed for the surjectivity of the map F, i.e. every message has a signature.

Signature Verification: To check the authenticity of a signature z ∈ F^n for a message d, compute w = H(d) ∈ F^m and w' = P(z) ∈ F^m. If w' = w holds, the signature is accepted, otherwise rejected.

Important Schemes: UOV, Rainbow; HFEv-, Gui; MQDSS; pFLASH (→ this conference), TTS

SLIDE 11

Workflow

Decryption / Signature Generation (private key S, F, T):

w ∈ F^m  --S^{-1}-->  x ∈ F^m  --F^{-1}-->  y ∈ F^n  --T^{-1}-->  z ∈ F^n

Encryption / Signature Verification (public key P, in the opposite direction):

z ∈ F^n  --P-->  w ∈ F^m
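The construction P = S ∘ F ∘ T of slide 5 and the signing and verification workflow of slides 8 to 11, carried out end to end as an added example; this is not code from the slides or from any published scheme implementation. The central map is a UOV-type oil-and-vinegar map (UOV is named on slide 9), the field GF(31), the parameters v = 4, o = 2, the SHA-256-based hash-to-field and the fixed seed are all assumptions of this example, and the parameters are far too small to be secure.

```python
"""Toy UOV-type multivariate signature scheme with P = S o F o T over GF(q).
Added example, not code from the slides; q = 31, v = 4, o = 2 are toy parameters and not secure."""
import hashlib
import random

q = 31                     # prime field GF(31)
v, o = 4, 2                # vinegar / oil variables (UOV): n = v + o variables, m = o equations
n, m = v + o, o
rng = random.Random(2017)  # fixed seed so the example is reproducible

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]

def solve(A, b):
    """Gauss-Jordan over GF(q): return x with A x = b, or None if A is singular."""
    k, M = len(A), [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(k):
        piv = next((r for r in range(c, k) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        M[c] = [x * pow(M[c][c], q - 2, q) % q for x in M[c]]
        for r in range(k):
            if r != c and M[r][c]:
                M[r] = [(x - M[r][c] * y) % q for x, y in zip(M[r], M[c])]
    return [row[k] for row in M]

def inverse(A):
    k = len(A)
    cols = [solve(A, [int(r == c) for r in range(k)]) for c in range(k)]
    return None if None in cols else [[cols[c][r] for c in range(k)] for r in range(k)]

def random_affine(k):  # random invertible affine map x -> A x + b on GF(q)^k, returned as (A, b)
    while True:
        A = [[rng.randrange(q) for _ in range(k)] for _ in range(k)]
        if inverse(A) is not None:
            return A, [rng.randrange(q) for _ in range(k)]

# A quadratic polynomial is (Q, L, c) with Q upper triangular (slide 2 form):
# f(x) = sum_{i<=j} Q_ij x_i x_j + sum_i L_i x_i + c
def evaluate(poly, x):
    Q, L, c = poly
    return (sum(Q[i][j] * x[i] * x[j] for i in range(n) for j in range(i, n))
            + sum(L[i] * x[i] for i in range(n)) + c) % q

def central_map():  # UOV: no oil x oil terms, so fixing the vinegars leaves a linear system in the oils
    return [([[rng.randrange(q) if i <= j and not (i >= v and j >= v) else 0 for j in range(n)]
              for i in range(n)], [rng.randrange(q) for _ in range(n)], rng.randrange(q))
            for _ in range(m)]

def compose_affine(poly, T):
    """f o T for T(z) = A z + b: substitute x = A z + b into f, return (Q', L', c') in the same form."""
    (Q, L, c), (A, b) = poly, T
    At = [list(col) for col in zip(*A)]
    Qf = matmul(At, matmul(Q, A))                                         # A^T Q A, not yet triangular
    Qs = [[(Q[i][j] + Q[j][i]) % q for j in range(n)] for i in range(n)]   # Q + Q^T
    Lp = [(u + w) % q for u, w in zip(matvec(At, matvec(Qs, b)), matvec(At, L))]
    cp = (sum(b[i] * Q[i][j] * b[j] for i in range(n) for j in range(n))
          + sum(l * bi for l, bi in zip(L, b)) + c) % q
    Qp = [[(Qf[i][j] + Qf[j][i]) % q if i < j else Qf[i][i] if i == j else 0 for j in range(n)] for i in range(n)]
    return Qp, Lp, cp

def keygen():
    S, F, T = random_affine(m), central_map(), random_affine(n)
    FT, (A, b) = [compose_affine(f, T) for f in F], S
    P = [([[sum(A[k][l] * FT[l][0][i][j] for l in range(m)) % q for j in range(n)] for i in range(n)],
          [sum(A[k][l] * FT[l][1][i] for l in range(m)) % q for i in range(n)],
          (sum(A[k][l] * FT[l][2] for l in range(m)) + b[k]) % q) for k in range(m)]
    return P, (S, F, T)            # public key P = S o F o T, private key (S, F, T)

def hash_to_field(msg):  # H : {0,1}* -> GF(q)^m (toy: one SHA-256 byte per coordinate, biased mod q)
    return [byte % q for byte in hashlib.sha256(msg).digest()[:m]]

def invert_central(F, x):
    """F^-1(x): pick random vinegars, then solve the resulting linear system for the o oil variables."""
    while True:
        vin = [rng.randrange(q) for _ in range(v)]
        rows, rhs = [], []
        for (Q, L, c), xk in zip(F, x):
            const = (sum(Q[i][j] * vin[i] * vin[j] for i in range(v) for j in range(i, v))
                     + sum(L[i] * vin[i] for i in range(v)) + c) % q
            rows.append([(sum(Q[i][j] * vin[i] for i in range(v)) + L[j]) % q for j in range(v, n)])
            rhs.append((xk - const) % q)
        oil = solve(rows, rhs)
        if oil is not None:        # the oil system is singular for about 1/q of the vinegar choices
            return vin + oil

def sign(sk, msg):
    S, F, T = sk
    x = matvec(inverse(S[0]), [(wi - bi) % q for wi, bi in zip(hash_to_field(msg), S[1])])  # x = S^-1(w)
    y = invert_central(F, x)                                                                # y = F^-1(x)
    return matvec(inverse(T[0]), [(yi - bi) % q for yi, bi in zip(y, T[1])])                # z = T^-1(y)

def verify(pk, msg, z):  # only the public key is needed: accept iff P(z) = H(msg)
    return [evaluate(p, z) for p in pk] == hash_to_field(msg)

if __name__ == "__main__":
    pk, sk = keygen()
    sig = sign(sk, b"PQCrypto Summer School 2017")
    print("signature z =", sig, "valid:", verify(pk, b"PQCrypto Summer School 2017", sig))
```

Signing walks down the private side of the workflow (w → x → y → z), while verification only evaluates the public system. Each public polynomial is stored in the form of slide 2, so with n = 6 it has C(8, 2) = 28 coefficients (21 quadratic, 6 linear, 1 constant), and the public key has m · 28 field elements, matching the key-size formula of slide 3. Since P and F differ only by the affine maps S and T, evaluating S(F(T(z))) from the private key gives the same values as P(z): this is the isomorphism of slide 6.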

SLIDE 12

Attacks

Direct Attacks: Try to solve the public equation P(z) = w as an instance of the MQ-Problem

- all known algorithms have exponential running time (for m ≈ n)

SLIDE 13

XL-Algorithm

Given: nonlinear polynomials f_1, ..., f_m

1. eXtend: multiply each polynomial f_1, ..., f_m by every monomial of degree ≤ D
2. Linear Algebra Step: apply Gaussian Elimination on the extended system to generate a univariate polynomial p
3. Solve: use Berlekamp's algorithm to solve the polynomial p
4. Repeat: substitute the solution of p into the system and continue with the simplified system

many variations, e.g. FXL, MutantXL

$$\text{Complexity} = 3 \cdot \binom{n + d_{reg}}{d_{reg}}^{2} \cdot \binom{n}{2}$$

SLIDE 14

Gröbner Bases Algorithms

- find a "nice" basis of the ideal ⟨f_1, ..., f_m⟩
- first studied by B. Buchberger
- later improved by Faugère et al. (F4, F5) [Fa99]
- currently fastest algorithms to solve random systems (Hybrid F5 [BFP09])

$$\text{Complexity}(q, m, n) = \min_{k} \; q^{k} \cdot O\!\left( \left( m \cdot \binom{n - k + d_{reg} - 1}{d_{reg}} \right)^{\omega} \right), \qquad 2 < \omega \le 3,$$

where k is the number of variables guessed before running F5 on the remaining system.

SLIDE 15

Complexity of Direct Attacks

How many equations are needed to meet given levels of security?

security level (bit) | number of equations over GF(16) | GF(31) | GF(256)
 80                  |  30                             |  28    |  26
100                  |  39                             |  36    |  33
128                  |  51                             |  48    |  43
192                  |  80                             |  75    |  68
256                  | 110                             | 103    |  93
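How estimates of this kind are computed, as an added example that is not from the slides: the degree of regularity d_reg of a semi-regular quadratic system is read off the Hilbert series (1 − t^2)^m / (1 − t)^n as the index of its first non-positive coefficient, and the Hybrid F5 cost of slide 14 is then minimised over the number k of guessed variables. Assumptions of this example: the system is semi-regular, q is large enough that the field equations x^q = x do not lower d_reg, ω = 2 is the default exponent, and for m < n the attacker first fixes n − m variables; the function names are mine. Because of these simplifications it is not tuned to reproduce the table exactly.

```python
"""Degree of regularity and Hybrid-F5 cost estimate for random quadratic systems over GF(q).
Added example, not code from the slides; assumes semi-regular systems and q > d_reg (no field equations)."""
from math import comb, log2

def degree_of_regularity(m, n):
    """Index of the first non-positive coefficient of (1 - t^2)^m / (1 - t)^n, for m >= n >= 1."""
    bound = m + n + 2                                   # d_reg <= m + 1 for m >= n, so this suffices
    num = [0] * bound                                   # coefficients of (1 - t^2)^m
    for i in range(min(m, (bound - 1) // 2) + 1):
        num[2 * i] = (-1) ** i * comb(m, i)
    for d in range(bound):                              # multiply by 1/(1-t)^n = sum_k C(n+k-1, k) t^k
        if sum(num[i] * comb(n + d - i - 1, d - i) for i in range(d + 1)) <= 0:
            return d
    raise ValueError("no non-positive coefficient found: system is not semi-regular with m >= n")

def monomials_of_degree(n, d):
    """Number of monomials of degree exactly d in n variables (slide 3)."""
    return comb(n + d - 1, d)

def hybrid_f5_bits(q, m, n, omega=2.0):
    """log2 of min_k q^k * (m * C(n-k+d_reg-1, d_reg))^omega, d_reg taken for m equations in n-k variables.
    Returns (bits, best k, d_reg at the best k)."""
    n = min(n, m)                # assumption: for m < n the attacker first fixes n - m variables
    best = None
    for k in range(n):
        d = degree_of_regularity(m, n - k)
        bits = k * log2(q) + omega * log2(m * monomials_of_degree(n - k, d))
        if best is None or bits < best[0]:
            best = (bits, k, d)
    return best

if __name__ == "__main__":
    for q, eqs in ((16, 30), (31, 28), (256, 26)):      # the parameters of the table's 80-bit row
        print("GF(%d), m = n = %d: %.1f bits (k = %d, d_reg = %d)" % ((q, eqs) + hybrid_f5_bits(q, eqs, eqs)))
```

For m = n the series collapses to (1 + t)^n, so d_reg = n + 1 and guessing no variables costs roughly (m · C(2n, n+1))^ω; guessing a few variables brings d_reg down quickly, which is why the hybrid minimum lands well below the plain F5 estimate for small fields such as GF(16) or GF(31).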

SLIDE 16

Remark

Every cryptosystem can be represented as a set of nonlinear multivariate equations
⇒ Direct attacks are used in the cryptanalysis of many cryptographic schemes (in particular block and stream ciphers)
⇒ The MQ (or PoSSo) Problem can be seen as one of the central problems in cryptography

SLIDE 17

Structural Attacks

Try to decompose the public key P into P = S ∘ F ∘ T by using the known structure of the central map F.

MinRank attack [CSV94]: For many multivariate schemes (certain) central equations have low rank
⇒ look for a linear combination of the public key polynomials of low rank
⇒ this linear combination corresponds to a central equation
⇒ this linear combination yields (parts of) an equivalent affine map S
⇒ further analysis: recover equivalent maps S, F and T

SLIDE 18

MinRank Attack

Problem MinRank: Given m matrices $G_1, \ldots, G_m$ of size n × n, find a linear combination

$$H = \sum_{i=1}^{m} \lambda_i G_i \quad \text{such that} \quad \mathrm{Rank}(H) \le r.$$

$$\text{Complexity(minors modelling)} = O\!\left( \binom{n+r}{r}^{\omega} \right), \qquad 2 < \omega \le 3.$$

SLIDE 19

Other Attacks

HighRank Attack: Try to recover the linear transformation of the variables that appear the fewest times in the central equations. This yields information about the affine transformation T and therefore the private key.

Differential Attacks: Look for invariants or symmetries of the differential G(x, y) = P(x + y) − P(x) − P(y) + P(0), which is bilinear in x and y for quadratic P. These symmetries yield information about the private key.

SLIDE 20

Advantages

- resistant against attacks with quantum computers (no efficient quantum algorithm for MQ is known)
- very fast (much faster than RSA)
- only simple arithmetic operations required
  ⇒ can be implemented on low cost devices
  ⇒ suitable for security solutions for the IoT
- many practical signature schemes (UOV, Rainbow, HFEv-, ...)
- very short signatures (e.g. 120 bit signatures for 80 bit security)

SLIDE 21

Disadvantages

- large key sizes (public key size ∼ 10 − 100 kB)
- no security proofs
  But: practical security (attack complexities) follows closely the theoretical estimations
- mainly restricted to digital signatures (and public key encryption)

SLIDE 22

Lessons Learned

- Multivariate Cryptography deals with systems of nonlinear (usually quadratic) multivariate polynomials
- one of the main candidates for post-quantum cryptosystems
- very efficient signature schemes (e.g. Rainbow, HFEv-) with short signatures
- not so good for encryption schemes
- large public key sizes, no security proofs
  But: theoretical security estimates match very well with experimental data

SLIDE 23

References

[BBD09] D. J. Bernstein, J. Buchmann, E. Dahmen (eds.): Post-Quantum Cryptography. Springer, 2009.
[DGS06] J. Ding, J. E. Gower, D. S. Schmidt: Multivariate Public Key Cryptosystems. Springer, 2006.
[GJ79] M. R. Garey, D. S. Johnson: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, 1979.

SLIDE 24

References (2)

[BFP09] L. Bettale, J.-C. Faugère, L. Perret: Hybrid approach for solving multivariate systems over finite fields. Journal of Mathematical Cryptology 3, pp. 177–197 (2009).
[Fa99] J.-C. Faugère: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139, pp. 61–88 (1999).
[CSV94] D. Coppersmith, J. Stern, S. Vaudenay: Attacks on the Birational Permutation Signature Schemes. CRYPTO '93, LNCS vol. 773, pp. 435–443. Springer, 1994.
