Multivariate Public Key Cryptosystems Produced by Quasigroups


SLIDE 1

Multivariate Public Key Cryptosystems Produced by Quasigroups

Simona Samardjiska

PhD defence

Trondheim, June 22, 2015

Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of Science and Technology - NTNU, NORWAY

www.ntnu.no Simona Samardjiska, PhD defence

SLIDE 2

Summary of the PhD Studies

Research performed at the Department of Telematics, IME, NTNU, under the supervision of Prof. Danilo Gligoroski, Fall 2010 - Spring 2014.

Research output:
- 8 papers included in the Thesis (Multivariate Cryptography, Quasigroup theory)
- 10 papers not included in the Thesis (Coding-based cryptography, Coding theory, Symmetric cryptography, Quasigroup theory, ...)

SLIDE 3

Summary of the PhD Studies

Courses:
- Quantum Computation and Quantum Communication
- Cryptographic Protocols and Their Applications
- Wireless Network Security
- New Encryption Techniques in Contemporary Cryptography

Master theses supervision:
- Håkon Jacobsen, “Classification of keys in MQQ-SIG”

Department work:
- TTM4135 Information Security
- TTM4137 Wireless Network Security

SLIDE 4

Outline

Motivation
- MQ cryptosystems
- The MQQ family

Research goals and objectives

Results
- The MQQ family - design improvements and analysis
- Construction of functions for MQ trapdoors
- Security of MQ schemes

Conclusion


SLIDE 6

Recent Standardization Efforts


SLIDE 8

Quantum Computers - Development Timeline

SLIDE 9

Post–Quantum Crypto ...Where have you been all this while?

Are we finally getting close to building a real quantum computer?


SLIDE 11

Post–Quantum Crypto ...Where have you been all this while?

Or... Is it the Recent Discrete Log breakthroughs?

[Figure: Algorithms for Discrete Logarithm in Finite Fields up to 2014, from Joux et al. '14. Complexities: L_Q(1/2) algorithms in red, L_Q(1/3) in blue, and L_Q(1/4) and quasi-polynomial (in characteristic 2) in green; the horizontal axis runs over small p, medium p, high p and fixed p. Algorithms named on the timeline: Coppersmith 1984; Linear Sieve, Adleman-Demarrais 1993; Function Field Sieve, Adleman-Huang 1999; Number Field Sieve, Special Number Field Sieve, Multiple Number Field Sieve; Joux-Lercier 2006; Joux-Lercier-Smart-Vercauteren 2006; Joux 2013; Joux-Pierrot 2013; Barbulescu-Gaudry-Joux-Thomé 2013 (quasi-polynomial); Barbulescu-Pierrot 2014 (L_Q(1/4), and L_Q(α + o(1)) when p = L_Q(α)).]

SLIDE 12

So, What is Post–Quantum Crypto?

Cryptosystems based on problems considered hard even for quantum computers:
- Code-based cryptosystems (McEliece [’78], Niederreiter [’86] encryption schemes)
- Hash-based signatures (Lamport [’79], Merkle [’79], SPHINCS [Bernstein et al. ’15])
- Lattice-based cryptosystems (NTRU encryption scheme [Hoffstein et al. ’98], GGH encryption/signature [Goldreich et al. ’97], Ding et al. key agreement [’15])
- Braid group key agreement protocols ([Anshel et al. ’99], [Ko et al. ’00])
- Multivariate cryptosystems (UOV [Kipnis et al. ’99], HFE [Patarin ’96] signature schemes, Sakumoto et al. identification scheme [’12])

SLIDE 13

Outline

Motivation
- MQ cryptosystems
- The MQQ family

Research goals and objectives

Results
- The MQQ family - design improvements and analysis
- Construction of functions for MQ trapdoors
- Security of MQ schemes

Conclusion


SLIDE 18

Multivariate (MQ) public key scheme: P : F_q^n → F_q^m

input x = (x_1, ..., x_n) → S (private, linear) → x′ → F (private, quadratic) → y′ → T (private, linear) → output y

public: P = T ∘ F ∘ S

Public P:
  p_1(x_1, ..., x_n)
  p_2(x_1, ..., x_n)
  ...
  p_m(x_1, ..., x_n)

Matrix form: p_i(x_1, ..., x_n) = x^⊺ P_i x, i = 1, ..., m, where P_1, ..., P_m are the matrices representing the quadratic part of the polynomials.
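As an added worked example (not code from the thesis or from MQQ-SIG): a toy MQ public key over F_2 with n = m = 4. S and T are fixed invertible matrices and F a quadratic map that I chose for the example; the script composes P = T ∘ F ∘ S and then recovers the matrix form p_i(x) = x^⊺ P_i x + c_i using only evaluations of P at 0, e_i and e_i + e_j. That is the practical content of the slide: whatever the private S, F, T are, anyone holding the public map can write it down as explicit quadratic polynomials, and that is the object PoSSo is stated over.

```python
# Added example (not code from the thesis): a toy MQ public key over F_2 with n = m = 4,
# built as P = T o F o S from a made-up quadratic central map F and fixed invertible
# linear maps S, T, then recovered in the matrix form p_i(x) = x^T P_i x + c_i
# purely from black-box evaluations of P (polarisation).
from itertools import product

N = 4  # number of variables n and of polynomials m (constructed toy size)

# Private linear maps, chosen by hand and checked to be invertible over F_2.
S = [[1, 1, 0, 0],
     [0, 1, 1, 0],
     [0, 0, 1, 1],
     [0, 0, 0, 1]]
T = [[1, 0, 0, 1],
     [0, 1, 0, 0],
     [1, 0, 1, 0],
     [0, 0, 0, 1]]

def mat_vec(M, v):
    """Matrix-vector product over F_2 (sum of ANDs, reduced mod 2)."""
    return [sum(M[i][j] & v[j] for j in range(len(v))) & 1 for i in range(len(M))]

def F_central(x):
    """Private quadratic central map F : F_2^4 -> F_2^4 (constructed for this example)."""
    x1, x2, x3, x4 = x
    return [(x1 & x2) ^ x3,
            (x2 & x3) ^ x4 ^ 1,
            (x1 & x4) ^ x2,
            (x3 & x4) ^ x1]

def public_map(x):
    """The public key as a map: P = T o F o S. Only evaluations of P are public."""
    return mat_vec(T, F_central(mat_vec(S, x)))

def unit(i, n=N):
    return [1 if j == i else 0 for j in range(n)]

def add(u, v):
    return [a ^ b for a, b in zip(u, v)]

def matrix_form(P, n=N):
    """Recover P_1..P_m (upper triangular) and constants c with p_k(x) = x^T P_k x + c_k.
    Over F_2, x_i^2 = x_i, so the linear coefficient of x_i sits on the diagonal of P_k."""
    c = P([0] * n)
    m = len(c)
    mats = [[[0] * n for _ in range(n)] for _ in range(m)]
    for i in range(n):
        lin = add(P(unit(i, n)), c)                  # p_k(e_i) + p_k(0) = coefficient of x_i
        for k in range(m):
            mats[k][i][i] = lin[k]
        for j in range(i + 1, n):
            # p_k(e_i + e_j) + p_k(e_i) + p_k(e_j) + p_k(0) = coefficient of x_i x_j
            cross = add(add(P(add(unit(i, n), unit(j, n))), P(unit(i, n))),
                        add(P(unit(j, n)), c))
            for k in range(m):
                mats[k][i][j] = cross[k]
    return mats, c

def eval_matrix_form(mats, c, x):
    """Evaluate every p_k(x) = x^T P_k x + c_k over F_2."""
    out = []
    for k, Pk in enumerate(mats):
        acc = c[k]
        for i in range(len(x)):
            for j in range(len(x)):
                acc ^= x[i] & Pk[i][j] & x[j]
        out.append(acc)
    return out

def matrix_form_agrees_everywhere():
    """The recovered quadratic forms reproduce P on all 2^n inputs: composing linear
    maps around a quadratic map stays quadratic, so S, F, T hide nothing about P itself."""
    mats, c = matrix_form(public_map)
    return all(eval_matrix_form(mats, c, list(x)) == public_map(list(x))
               for x in product((0, 1), repeat=N))

def public_key_bits(n, m):
    """Size of the public key over F_2: m polynomials, each with n(n+1)/2 quadratic
    and linear coefficients plus one constant."""
    return m * (n * (n + 1) // 2 + 1)
```

Over F_2 the linear coefficient of x_i is kept on the diagonal of P_i because x_i^2 = x_i; `public_key_bits` is the m(n(n+1)/2 + 1) count that makes MQ public keys so much larger than RSA or ECDSA keys.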

SLIDE 19

Multivariate (MQ) public key scheme: P : F_q^n → F_q^m, public P = T ∘ F ∘ S with S, T linear and F quadratic, all three private.

Inverting P should be hard. Underlying NP-hard problem PoSSo:
Input: p_1, p_2, ..., p_m ∈ F_q[x_1, ..., x_n]
Question: Find - if any - (u_1, ..., u_n) ∈ F_q^n such that p_1(u_1, ..., u_n) = p_2(u_1, ..., u_n) = ... = p_m(u_1, ..., u_n) = 0


SLIDE 21

Research in MQ cryptography?

MQ schemes are naturally parallelizable! Up to 1000s of times faster than classical!

[Chart: "Cycles to sign 59 bytes" on a log2 axis (2^5 ... 2^30), measured on amd64; HW+AES (306c3); 2013 Intel Xeon E3-1275 V3; 4 x 3500MHz; titan0, supercop-20141124. Bars labelled mqqsig224, mqqsig256, rainbowbinary256181212 and tts6440; values printed on the chart: 11,60548; 11,86264; 11,90839; 14076; 13,77479; 23284; 24808; 62036.]

MQ algorithms: MQQ-SIG fastest!!!

- D. Bernstein and T. Lange (editors). eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to


SLIDE 23

MQ crypto Prime Time

[Timeline figure 1985-2005 (Thomae '13). Constructions: MIA [IM85], C* [MI88], Birational Permutation [Sha93], HFE [Pat96], OV [Pat97], UOV [KPG99], Quartz [PCG01b], Sflash [PCG01a, CGP03], PMI [Din04], RSE(2)PKC [KS04], RSSE(2)PKC [KS05a], Rainbow [DS05]. Cryptanalysis: Birational Permutation [CSV93, The95, CSV97], MIA and C* [Pat95], OV [KS98], HFE [KS99, FJ03, GJS06, DG10, DH11], RSE(2)PKC and RSSE(2)PKC [WBP04], PMI [FGS05], Sflash [DFSS07].]

- Mixed-field schemes
- Oil and Vinegar schemes
- Stepwise Triangular schemes
- Mixed schemes (UOV + STS)


SLIDE 27

MQ crypto Prime Time

[Same timeline figure as on slide 23.]

- Interest seriously declines
- Bad reputation due to break-and-patch history
- But on the other hand...
  - UOV, HFEv- signatures - non-broken variants of Patarin’s schemes
  - Provably secure identification scheme of Sakumoto et al.
  - QUAD - provably secure stream cipher - Berbain et al.
- More scrutiny needed for understanding the security

SLIDE 28

Crucial for the security of MQ schemes

PoSSo(p_1, p_2, ..., p_m) - the underlying NP-hard problem
Input: m polynomials p_1, p_2, ..., p_m ∈ F_q[x_1, ..., x_n] of degree d ≥ 2
Question: Find – if any – a vector (u_1, ..., u_n) ∈ F_q^n such that p_1(u_1, ..., u_n) = p_2(u_1, ..., u_n) = ... = p_m(u_1, ..., u_n) = 0

- NP-hard for m = O(n) [KPG99]
- Directly invert the public key, but also model other attacks as systems of equations!
- State of the art algorithms: F4, F5 algorithms [Faugère ’99, ’02]; XL family of algorithms [Yang et al. ’04, Mohamed et al. ’08]



SLIDE 34

Solving PoSSo(p_1, p_2, ..., p_m) - F5 algorithm [Faugère ’02]

∃ (u_1, ..., u_n) ∈ F_q^n such that p_1(u_1, ..., u_n) = ... = p_m(u_1, ..., u_n) = 0
⇔
b_1(u_1, ..., u_n) = ... = b_{n′}(u_1, ..., u_n) = 0,
where {b_1, b_2, ..., b_{n′}} is the Gröbner basis of the ideal ⟨p_1, p_2, ..., p_m⟩.

Complexity of the F5 algorithm: O( binom(n + d_reg, d_reg)^ω ), with 2 ≤ ω ≤ 3 the linear algebra constant and d_reg the maximum degree reached during the computation.

If d_reg is independent of n ⇒ polynomial complexity!!!

SLIDE 35

Crucial for the security of MQ schemes

MinRank MR(n, r, k, M_1, ..., M_k) [Kipnis, Shamir ’99], [Buss, Shallit ’99]
Input: n, r, k ∈ N, and M_1, ..., M_k ∈ M_n(F_q).
Question: Find – if any – a nonzero k-tuple (λ_1, ..., λ_k) ∈ F_q^k s.t. Rank( Σ_{i=1}^{k} λ_i M_i ) ≤ r.

- NP-hard!!! [Courtois ’01]; however, instances in MQ crypto can be much easier, even polynomial!
- Underlies the security of HFE, STS, Rainbow, ... and more
- Solving MinRank: [Kipnis-Shamir modeling ’99; Kernel method GC ’00; Minors modeling FLP ’08]



SLIDE 41

Solving MinRank - Kipnis-Shamir modeling

Rank( Σ_{i=1}^{k} λ_i M_i ) ≤ r ⇔ ∃ x^(1), ..., x^(n−r) ∈ Ker( Σ_{i=1}^{k} λ_i M_i ), i.e.

  [ 1        x_1^(1)    ...  x_r^(1)    ]
  [    ...      ...            ...      ]  ·  Σ_{i=1}^{k} λ_i M_i  =  0
  [       1  x_1^(n−r)  ...  x_r^(n−r)  ]

(the kernel vectors written in systematic form, with the identity in the first n − r coordinates)

n(n − r) quadratic (bilinear) equations in r(n − r) + k variables

- Relinearization [Kipnis & Shamir ’99]
- Gröbner bases [Faugère & Levy-dit-Vehel & Perret ’08]: F5 algorithm, O( binom(n + d_reg, d_reg)^ω ), with d_reg ≤ min(n_X, n_Y) + 1 for a bilinear system in X, Y blocks of variables of sizes n_X, n_Y.
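Added example, not from the thesis: the Kipnis-Shamir modeling run on a toy MinRank instance over F_3 (n = 3, k = 2, r = 1, with M_1 = J + I and M_2 = I, matrices I constructed so that exactly the combinations with λ_1 + λ_2 = 0 have rank 1). It builds the n(n − r) bilinear equations in r(n − r) + k variables symbolically, solves them by exhaustive search (only feasible at this size; real instances are where the Gröbner basis or XL machinery of slides 28 and 34 comes in), checks the rank of Σ λ_i M_i for each solution, and evaluates the F5 estimate binom(N + d_reg, d_reg)^ω with the bilinear bound d_reg ≤ min(n_X, n_Y) + 1; ω = 2 is an assumed value.

```python
# Added example (not from the thesis): the Kipnis-Shamir bilinear modeling of a toy
# MinRank instance over F_p, solved by exhaustive search, plus the F5 cost estimate
# with the bilinear degree-of-regularity bound from the slides.
# Constructed instance: p = 3, n = 3, k = 2, target rank r = 1; M1 = J + I, M2 = I.
from itertools import product
from math import comb, log2

P = 3
M1 = [[2, 1, 1], [1, 2, 1], [1, 1, 2]]   # all-ones matrix J plus identity I
M2 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]   # identity I
MATS, R = [M1, M2], 1

def mat_rank_mod_p(M, p):
    """Rank over F_p by Gaussian elimination."""
    A = [[x % p for x in row] for row in M]
    rank, rows, cols = 0, len(A), len(A[0])
    for c in range(cols):
        pivot = next((i for i in range(rank, rows) if A[i][c]), None)
        if pivot is None:
            continue
        A[rank], A[pivot] = A[pivot], A[rank]
        inv = pow(A[rank][c], -1, p)
        A[rank] = [(x * inv) % p for x in A[rank]]
        for i in range(rows):
            if i != rank and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[rank])]
        rank += 1
    return rank

def kipnis_shamir_system(mats, r, p):
    """Equations [I_{n-r} | X] * (sum_i lam_i M_i) = 0 as polynomials over F_p.
    Variables: ('lam', i) and ('x', j, l) = entry l of kernel vector j.
    Each polynomial is a dict {monomial (tuple of variables): coefficient}."""
    k, n = len(mats), len(mats[0])
    lam = [('lam', i) for i in range(k)]
    xs = [('x', j, l) for j in range(n - r) for l in range(r)]
    eqs = []
    for j in range(n - r):            # kernel vector v_j = (e_j | x_{j,1..r})
        for c in range(n):            # column c of the product: one equation
            poly = {}
            for i in range(k):
                for t in range(n):
                    coeff = mats[i][t][c] % p
                    if coeff == 0 or (t < n - r and t != j):
                        continue
                    mono = (lam[i],) if t < n - r else (lam[i], ('x', j, t - (n - r)))
                    poly[mono] = (poly.get(mono, 0) + coeff) % p
            eqs.append({m: a for m, a in poly.items() if a})
    return eqs, lam + xs

def evaluate(poly, assignment, p):
    total = 0
    for mono, coeff in poly.items():
        term = coeff
        for var in mono:
            term = term * assignment[var] % p
        total = (total + term) % p
    return total

def solve_by_exhaustive_search(eqs, variables, p):
    """All assignments with a nonzero lambda-part that zero every equation.
    Fine for p^(r(n-r)+k) = 81 candidates; real instances need Gröbner bases or XL."""
    sols = []
    for values in product(range(p), repeat=len(variables)):
        a = dict(zip(variables, values))
        if all(a[v] == 0 for v in variables if v[0] == 'lam'):
            continue
        if all(evaluate(e, a, p) == 0 for e in eqs):
            sols.append(a)
    return sols

def bilinear_dreg_bound(n_x, n_y):
    """d_reg <= min(n_X, n_Y) + 1 for a bilinear system in blocks of sizes n_X, n_Y."""
    return min(n_x, n_y) + 1

def f5_cost_bits(n_vars, d_reg, omega=2.0):
    """log2 of the F5 estimate binom(n_vars + d_reg, d_reg)^omega (omega assumed)."""
    return omega * log2(comb(n_vars + d_reg, d_reg))

def demo():
    """Equation/variable counts, each solution lambda with the rank it reaches,
    the bilinear d_reg bound and the F5 cost estimate in bits."""
    eqs, variables = kipnis_shamir_system(MATS, R, P)
    n, k = len(M1), len(MATS)
    found = []
    for a in solve_by_exhaustive_search(eqs, variables, P):
        lam = [a[('lam', i)] for i in range(k)]
        combo = [[sum(lam[i] * MATS[i][t][c] for i in range(k)) % P for c in range(n)]
                 for t in range(n)]
        found.append((tuple(lam), mat_rank_mod_p(combo, P)))
    d_reg = bilinear_dreg_bound(R * (n - R), k)
    return len(eqs), len(variables), found, d_reg, round(f5_cost_bits(len(variables), d_reg), 2)
```

The two solutions found are scalar multiples of each other, as expected for a homogeneous condition on λ; in both the kernel unknowns are the same, since the kernel of λ_1 J does not depend on the nonzero scalar λ_1.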

SLIDE 42

Outline

Motivation
- MQ cryptosystems
- The MQQ family

Research goals and objectives

Results
- The MQQ family - design improvements and analysis
- Construction of functions for MQ trapdoors
- Security of MQ schemes

Conclusion


SLIDE 44

The MQQ family of cryptosystems

A proposal to use quasigroups in MQ cryptography

Quasigroups in symmetric crypto:
- IDEA block cipher [Lai ’91]
- Edon80 [Gligoroski et al. ’08] - finalist (hardware) of eSTREAM
- CryptMT [Matsumoto et al. ’08] - finalist (software) of eSTREAM
- Blue Midnight Wish (BMW) [Gligoroski et al. ’09] - Round 2 candidate of SHA-3
- Edon-R [Gligoroski et al. ’09] and NaSHA [Markovski & Mileva ’08] - Round 1 candidates of SHA-3


SLIDE 46

The MQQ family of cryptosystems

A proposal to use quasigroups in MQ cryptography

Left quasigroup (Q, q): L_{q,a} : Q → Q, L_{q,a}(x) = q(a, x) is a bijection for every a ∈ Q.

Example (row a, column b, entry q(a, b)):

  q | 0 1 2 3 4 5 6 7
  --+----------------
  0 | 2 3 6 7 0 1 5 4
  1 | 6 7 5 4 2 3 0 1
  2 | 3 2 7 6 1 0 4 5
  3 | 7 6 4 5 3 2 1 0
  4 | 4 5 0 1 7 6 2 3
  5 | 0 1 3 2 5 4 7 6
  6 | 5 4 1 0 6 7 3 2
  7 | 1 0 2 3 4 5 6 7


SLIDE 48

The MQQ family of cryptosystems

A proposal to use quasigroups in MQ cryptography

Quasigroup (Q, q): R_{q,a} : Q → Q, R_{q,a}(x) = q(x, a) and L_{q,a} : Q → Q, L_{q,a}(x) = q(a, x) are bijections for every a ∈ Q.

Multivariate Quadratic Quasigroup (MQQ): the quasigroup operation is a multivariate vectorial polynomial function q = (q_1, ..., q_d) : F_q^{2d} → F_q^d that is quadratic, i.e. of algebraic degree 2.

Example: q : F_2^6 → F_2^3 with
  q_1 = x_1 + x_3 + x_5 + x_1x_5 + x_1x_6,
  q_2 = 1 + x_3 + x_1x_5 + x_6 + x_1x_6,
  q_3 = x_2 + x_4 + x_1x_5 + x_3x_6 + x_5x_6,
and table (row a, column b, entry q(a, b)):

  q | 0 1 2 3 4 5 6 7
  --+----------------
  0 | 2 3 6 7 0 1 5 4
  1 | 6 7 5 4 2 3 0 1
  2 | 3 2 7 6 1 0 4 5
  3 | 7 6 4 5 3 2 1 0
  4 | 4 5 0 1 7 6 2 3
  5 | 0 1 3 2 5 4 7 6
  6 | 5 4 1 0 6 7 3 2
  7 | 1 0 2 3 4 5 6 7

SLIDE 49

The MQQ family of cryptosystems

MQQ encryption scheme [GMK08], over F_2
- The internal mapping: Dobbertin permutation + bilinear MQQs of order 2^5
- Direct algebraic attack [Mohamed et al. ’09, Faugère et al. ’10] - XL algorithm, Gröbner bases

SLIDE 50

The MQQ family of cryptosystems

MQQ-SIG signature scheme [GØJPFKM11], over F_2
- Security measure (against the previous attack): n/2 equations removed
- Performance measures (smaller key size, faster evaluation in SW, more compact in HW):
  - The internal mapping: one bilinear MQQ of order 2^8
  - S and T designed using circulant matrices
  - signing with a twice smaller key
- Fastest on (eBACS) SUPERCOP
- Recommended parameters:

  Security | 2^80 | 2^96 | 2^112 | 2^128
  n        | 160  | 192  | 224   | 256


SLIDE 53

The central map of MQQ-SIG

The private F: [Figure: input blocks x_1, ..., x_{n/8−1}, x_{n/8}, output blocks y_1, ..., y_{n/8−1}, y_{n/8}, and the quasigroup operations q_1, q_2, ..., q_{n/8−1} connecting them.]

MQQs: q(x, y) = z, bijective.

The MQQ of order 2^8: q(x, y) = B · U(x) · A_2 · y + B · A_1 · x + c, where

  U(x) = I_8 + [ 0
                 U_1 · A_1 · x
                 U_2 · A_1 · x
                 ...
                 U_7 · A_1 · x ].


SLIDE 56

The central map of MQQ-SIG

The inverse F^{−1}: [Figure: same layout as the private F, with each q_i replaced by its parastrophe q_i\.]

Parastrophe: q\(x, z) = y. Solve the system of equations q(x, y) = z in the unknown y (q\ is not computed explicitly). Alternatively, a lookup table can be used.
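Added example (not the thesis's code): the order-8 MQQ from slide 48 in Python, checking three things the slides only state: that the three quadratic polynomials reproduce the Cayley table, that every left and right translation is a bijection (so it really is a quasigroup), and that the left parastrophe q\(x, z) = y used by F^{−1} on this slide can be obtained either as a lookup table or by solving q(x, y) = z for y from the polynomials alone. The bit convention (x_1 the least significant bit of the left operand a, x_4 that of the right operand b, and q_1 the most significant output bit) is my assumption; it is the one under which the slide's polynomials match the slide's table.

```python
# Added example (not code from the thesis): the order-8 MQQ printed on slide 48,
# checked against its quadratic polynomials, and its left parastrophe q\(x, z) = y
# computed both by lookup and by solving q(x, y) = z for y.
# Bit convention (my assumption, chosen so polynomials and table agree):
#   a = x1 + 2*x2 + 4*x3,  b = x4 + 2*x5 + 4*x6,  q(a, b) = 4*q1 + 2*q2 + q3.
from itertools import product

# Cayley table q(a, b) = Q_TABLE[a][b], copied from the slide (row a, column b).
Q_TABLE = [
    [2, 3, 6, 7, 0, 1, 5, 4],
    [6, 7, 5, 4, 2, 3, 0, 1],
    [3, 2, 7, 6, 1, 0, 4, 5],
    [7, 6, 4, 5, 3, 2, 1, 0],
    [4, 5, 0, 1, 7, 6, 2, 3],
    [0, 1, 3, 2, 5, 4, 7, 6],
    [5, 4, 1, 0, 6, 7, 3, 2],
    [1, 0, 2, 3, 4, 5, 6, 7],
]

def bits(v, d=3):
    """Integer -> (b1, ..., bd) with b1 the least significant bit."""
    return tuple((v >> i) & 1 for i in range(d))

def q_poly(a, b):
    """Evaluate q = (q1, q2, q3) : F_2^6 -> F_2^3 from the slide's polynomials
    (over F_2, + is XOR and a product is AND)."""
    x1, x2, x3 = bits(a)
    x4, x5, x6 = bits(b)
    q1 = (x1 + x3 + x5 + x1 * x5 + x1 * x6) % 2
    q2 = (1 + x3 + x1 * x5 + x6 + x1 * x6) % 2
    q3 = (x2 + x4 + x1 * x5 + x3 * x6 + x5 * x6) % 2
    return (q1 << 2) | (q2 << 1) | q3      # q1 is the most significant output bit

def polynomials_match_table():
    """The polynomial form and the table form define the same operation."""
    return all(q_poly(a, b) == Q_TABLE[a][b] for a, b in product(range(8), repeat=2))

def is_quasigroup(table):
    """Every left translation L_a(x) = q(a, x) and right translation R_a(x) = q(x, a)
    is a bijection, i.e. the table is a Latin square."""
    n = len(table)
    rows_ok = all(sorted(row) == list(range(n)) for row in table)
    cols_ok = all(sorted(table[a][b] for a in range(n)) == list(range(n)) for b in range(n))
    return rows_ok and cols_ok

def left_parastrophe(table):
    """q\\(x, z) = y  <=>  q(x, y) = z: the inverse of each left translation L_x."""
    n = len(table)
    par = [[None] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            par[x][table[x][y]] = y
    return par

def invert_with_parastrophe(x, z, par=None):
    """Recover y from (x, z) by lookup; this is what F^{-1} does block by block."""
    par = par or left_parastrophe(Q_TABLE)
    return par[x][z]

def solve_for_y(x, z):
    """Solve q(x, y) = z for y from the polynomials alone (q\\ is never written down);
    with 8 candidates, exhaustive search is the simplest solver."""
    ys = [y for y in range(8) if q_poly(x, y) == z]
    assert len(ys) == 1, "left translation L_x must be a bijection"
    return ys[0]
```

Note that for a fixed x this q is not affine in y (q_3 contains x_5x_6), so unlike the bilinear MQQ of order 2^8 on slide 53, inverting it means solving a genuinely quadratic system in y or using the table; that difference is exactly why MQQ-SIG restricts itself to bilinear MQQs.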

SLIDE 57

Signing and Verification in MQQ-SIG

[Figure. Signing a message m: h = H(m), h = h_0 || h_1; y_0 = r_0 || h_1, y_1 = r_1 || h_1; x_0 = D(y_0), x_1 = D(y_1); Signature = (x_0, x_1). Verification: recompute h = H(m) = h_0 || h_1, compute E(x_0) || E(x_1), and compare.]

SLIDE 58

Outline

Motivation
- MQ cryptosystems
- The MQQ family

Research goals and objectives

Results
- The MQQ family - design improvements and analysis
- Construction of functions for MQ trapdoors
- Security of MQ schemes

Conclusion

SLIDES 59-67

Emerging questions

- Can the performance characteristics of MQQ-SIG be improved?
  MQQ-SIG: 300–3,500 times faster in signing, but > 1,000 times larger public key than RSA or ECDSA.
- How will the design tweaks that improve the performance affect the security?
  Always a tradeoff: efficiency vs. security.
- Can we improve the construction of MQQs so that we gain on security in MQQ-SIG?
  No diversity of efficient constructions.
- Even more, can this improvement lead to a design of an encryption scheme?
  Better MQQs necessary for an encryption scheme.
- What are the necessary steps that can lead to a solid security framework for MQ cryptography?


SLIDE 69

The research process

Investigate: new constructions of MQQs to benefit both the performance and the security of the MQQ family.

Investigate: various cryptanalytic approaches against the MQQ cryptosystems.

Research results:
I. Construction of functions for MQ trapdoors
II. The MQQ family - design improvements and analysis
III. Security of MQ schemes


slide-71
SLIDE 71

26

The three contribution areas

Paper I1 Paper I2 II The MQQ family - Design improvements and analysis I Constructions of functions for MQ trapdoors III Security of MQ schemes Paper I3 Paper I5 Paper I4 Paper I6 Paper A1 Paper I7

I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields Simona Samardjiska, Yanling Chen and Danilo Gligoroski, JIAS, Vol. 7 (2012) I2 Left MQQs Whose Left Parastrophe is Also Quadratic Simona Samardjiska and Danilo Gligoroski, CMUC Vol. 53, 3 (2012) I3 Quadratic Permutation Polynomials, Complete Mappings and Mutually Orthogonal Latin Squares Simona Samardjiska and Danilo Gligoroski, under review in Mathematica Slovaca

www.ntnu.no Simona Samardjiska, PhD defence

slide-72
SLIDE 72

26

The three contribution areas

Paper I1 Paper I2 II The MQQ family - Design improvements and analysis I Constructions of functions for MQ trapdoors III Security of MQ schemes Paper I3 Paper I5 Paper I4 Paper I6 Paper A1 Paper I7

I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC Danilo Gligoroski and Simona Samardjiska, SCC 2012 I5 On the Strong and Weak Keys in MQQ-SIG Håkon Jacobsen, Simona Samardjiska and Danilo Gligoroski, ICT Innovations 2012 I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère and Danilo Gligoroski and Ludovic Perret and Simona Samardjiska and Enrico Thomae, PKC 2015

www.ntnu.no Simona Samardjiska, PhD defence

slide-73
SLIDE 73

26

The three contribution areas

Paper I1 Paper I2 II The MQQ family - Design improvements and analysis I Constructions of functions for MQ trapdoors III Security of MQ schemes Paper I3 Paper I5 Paper I4 Paper I6 Paper A1 Paper I7

I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC Danilo Gligoroski and Simona Samardjiska, SCC 2012 I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère and Danilo Gligoroski and Ludovic Perret and Simona Samardjiska and Enrico Thomae, PKC 2015 I7 Linearity Measures for Multivariate Public Key Cryptography Simona Samardjiska and Danilo Gligoroski, SECURWARE 2014 A1 Towards a Secure Multivariate Identity-Based Encryption Simona Samardjiska and Danilo Gligoroski, ICT Innovations 2012

www.ntnu.no Simona Samardjiska, PhD defence

SLIDE 74

Outline

Motivation
  • MQ cryptosystems
  • The MQQ family
Research goals and objectives
Results
  • The MQQ family - design improvements and analysis
  • Construction of functions for MQ trapdoors
  • Security of MQ schemes
Conclusion

SLIDE 75

I Constructions of functions for MQ trapdoors (Papers I1, I2, I3)

I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields
I2 Left MQQs Whose Left Parastrophe is Also Quadratic
I3 Quadratic Permutation Polynomials, Complete Mappings and Mutually Orthogonal Latin Squares

SLIDE 78

Paper I1: Constructions of MQQs

Results: Two new methods for constructing MQQs over arbitrary $\mathbb{F}_{p^k}$ (extension from $\mathbb{F}_2$ to $\mathbb{F}_{p^k}$):
  • Bilinear MQQs: direct generalization of the construction used in MQQ-SIG.
  • MQQs from T-functions (T-MQQs): using linear isotopy, no bilinear structure.

$q = (q^{(1)}, q^{(2)}, \dots, q^{(d)}) : \mathbb{F}_{p^k}^{2d} \to \mathbb{F}_{p^k}^{d}$,

$$q^{(s)}(x, y) = p^{(s)}_1(x_s) + p^{(s)}_2(y_s) + \sum_{i,j>s} \alpha^{(s)}_{i,j} x_i x_j + \sum_{i,j>s} \beta^{(s)}_{i,j} y_i y_j + \sum_{i,j>s} \gamma^{(s)}_{i,j} x_i y_j + \sum_{i>s} \delta^{(s)}_i x_i + \sum_{i>s} \epsilon^{(s)}_i y_i + \eta^{(s)}, \quad \forall s = 1, \dots, d,$$

where $p^{(s)}_1, p^{(s)}_2$, $s = 1, \dots, d$, are quadratic permutations over $\mathbb{F}_{p^k}$.

Superclass of the MQQ-SIG quasigroups! Offers a substantial efficiency improvement to MQQ-SIG!

SLIDE 81

Paper I2: From MQQs to LMQQs

Results: A method for constructing Left MQQs (LMQQs). In MQQ-SIG, only one parastrophe is needed for the trapdoor, so LMQQs reduce the unnecessary structure! Generalization of the construction from Paper I1:

$q = (q^{(1)}, q^{(2)}, \dots, q^{(d)}) : \mathbb{F}_{p^k}^{2d} \to \mathbb{F}_{p^k}^{d}$,

$$q^{(s)}(x, y) = p^{(s)}(y_s) + \sum_{i,j} \alpha^{(s)}_{i,j} x_i x_j + \sum_{i,j>s} \beta^{(s)}_{i,j} y_i y_j + \sum_{i} \sum_{j>s} \gamma^{(s)}_{i,j} x_i y_j + \sum_{i} \delta^{(s)}_i x_i + \sum_{i>s} \epsilon^{(s)}_i y_i + \eta^{(s)}, \quad \forall s = 1, \dots, d,$$

where $p^{(s)}$, $s = 1, \dots, d$, is a quadratic permutation over $\mathbb{F}_{p^k}$.

Additionally: A special subclass of LMQQs is distinguished: LMQQs whose left parastrophe is also an LMQQ. Used as a proof of concept of a new model for multivariate Identity Based Encryption in Paper A1.

Two algorithms for construction:
  • Backtracking
  • Direct, deterministic, of a smaller class
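To make the T-function structure of the Paper I1 T-MQQs (slide 78) and the Paper I2 LMQQs (slide 81) concrete, here is an added example that is not code from the thesis or its papers: a toy quasigroup of order 2^3 over F_2 in the coordinate form of both slides, with the quadratic permutations p_1, p_2, p assumed to be the identity and the coefficients drawn from a seeded generator (constructed, not from the papers). It checks the Latin-square properties exhaustively and computes the parastrophes by back-substitution, which is what makes the single (left) parastrophe the MQQ-SIG trapdoor needs cheap to evaluate even for the LMQQ variant.

```python
# Added example (not the thesis' code): toy T-function MQQ / LMQQ over F_2.
import random

class TQuasigroup:
    """q = (q_0, ..., q_{d-1}): F_2^{2d} -> F_2^d (0-based coordinates).  q_s is
    x_s + y_s plus terms whose y-indices all exceed s; in the MQQ variant the
    x-indices exceed s as well, in the LMQQ variant x appears unrestricted."""

    def __init__(self, d, left_only, seed=1):
        rng = random.Random(seed)         # constructed coefficients, not from the papers
        self.d, self.left_only = d, left_only
        self.terms = [[] for _ in range(d)]   # per coordinate: (kind, i, j)
        for s in range(d):
            for i in range(d):
                for j in range(d):
                    both_high = i > s and j > s
                    if both_high and rng.randrange(2):       # beta:  y_i y_j, i, j > s
                        self.terms[s].append(("yy", i, j))
                    if j > s and (i > s or left_only) and rng.randrange(2):
                        self.terms[s].append(("xy", i, j))   # gamma: x_i y_j, j > s
                    if (both_high or left_only) and rng.randrange(2):
                        self.terms[s].append(("xx", i, j))   # alpha: x_i x_j
                if i > s and rng.randrange(2):
                    self.terms[s].append(("y", i, i))        # epsilon: y_i, i > s
                if (i > s or left_only) and rng.randrange(2):
                    self.terms[s].append(("x", i, i))        # delta: x_i
            if rng.randrange(2):
                self.terms[s].append(("1", 0, 0))            # eta: constant term

    def coord(self, s, x, y):
        """Evaluate q_s(x, y) over F_2 (XOR is +, AND is *)."""
        v = x[s] ^ y[s]                    # p1(x_s) + p2(y_s) with identity permutations
        for kind, i, j in self.terms[s]:
            if kind == "xx":
                v ^= x[i] & x[j]
            elif kind == "yy":
                v ^= y[i] & y[j]
            elif kind == "xy":
                v ^= x[i] & y[j]
            elif kind == "x":
                v ^= x[i]
            elif kind == "y":
                v ^= y[i]
            else:
                v ^= 1
        return v

    def apply(self, x, y):
        return tuple(self.coord(s, x, y) for s in range(self.d))

    def left_divide(self, x, z):
        """Left parastrophe x \\ z: the unique y with q(x, y) == z.  Since q_s is
        y_s plus a function of x and y_{>s}, back-substitution from s = d-1 down
        to 0 recovers one coordinate at a time (the T-function trick)."""
        y = [0] * self.d
        for s in reversed(range(self.d)):
            y[s] = z[s] ^ self.coord(s, x, y)   # y[s] is still 0, y[>s] is known
        return tuple(y)

    def right_divide(self, z, y):
        """Right parastrophe z / y: the x with q(x, y) == z.  Valid only for the
        MQQ variant, where q_s depends on x through x_s and x_{>s} alone."""
        x = [0] * self.d
        for s in reversed(range(self.d)):
            x[s] = z[s] ^ self.coord(s, x, y)
        return tuple(x)

def all_vectors(d):
    return [tuple((v >> k) & 1 for k in range(d)) for v in range(1 << d)]

def is_left_quasigroup(q):
    """Every row of the 2^d x 2^d operation table is a permutation."""
    vs = all_vectors(q.d)
    return all(len({q.apply(x, y) for y in vs}) == len(vs) for x in vs)

def is_right_quasigroup(q):
    """Every column of the operation table is a permutation."""
    vs = all_vectors(q.d)
    return all(len({q.apply(x, y) for x in vs}) == len(vs) for y in vs)

def divisions_invert(q, check_right):
    """Check the parastrophes against the operation table exhaustively."""
    vs = all_vectors(q.d)
    for x in vs:
        for y in vs:
            z = q.apply(x, y)
            if q.left_divide(x, z) != y:
                return False
            if check_right and q.right_divide(z, y) != x:
                return False
    return True

if __name__ == "__main__":
    mqq = TQuasigroup(3, left_only=False, seed=7)
    lmqq = TQuasigroup(3, left_only=True, seed=7)
    print("MQQ is a Latin square:", is_left_quasigroup(mqq) and is_right_quasigroup(mqq))
    print("LMQQ: left quasigroup", is_left_quasigroup(lmqq), "right", is_right_quasigroup(lmqq))
```

The MQQ variant is a quasigroup in both directions by the triangular argument, whereas the LMQQ variant is only guaranteed to be a left quasigroup; the script reports whether a particular LMQQ happens to be a right quasigroup as well.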

SLIDE 85

Paper I3: From MQQ to MQ

DO polynomials (HFE): $f(X) = \sum_{i,j=0}^{n-1} a_{i,j} X^{2^i + 2^j}$, $a_{i,j} \in \mathbb{F}_{2^n}$.

Motivation: Permutation behaviour? Affine non-equivalence to monomials?

$C^*$ scheme: $f(X) = X^{2^m + 1}$. Linearization attack! $X Y^{2^m} = X^{2^{2m}} Y$.

Blokhuis et al. '01: Bilinear permutations over $\mathbb{F}_{2^n}$, $P(X) = X \cdot L(X)$. We extend to: $P(X) = X\left(L_2(X) + X \cdot L_3(X)\right)$.

  • 1. Exhaustive search for small fields, $n \le 16$
  • 2. New classes of permutation polynomials recognized!

SLIDE 87

Paper I3: From MQQ to MQ

Results:
  • Permutation binomials: for $n \le 16$, all $\equiv$ monomials.
  • Permutation trinomials: for $n \le 10$, two classes $\equiv$ monomials, two classes $\equiv$ weak permutations, three polynomials $\not\equiv$ monomials.

An interesting class: $n = k\ell$, $k > 1$ odd, $a, b \in \mathbb{F}_{2^\ell}$, $\mathrm{Tr}^k_\ell$ the trace from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^\ell}$:

$$P(X) = X\left(a\,\mathrm{Tr}^k_\ell(X) + aX + b\right)$$

$b \neq 0 \Rightarrow$ permutation polynomial; $b \neq 0, 1 \Rightarrow$ complete mapping.

New constructions from the class: recursive construction of PP and CM over bigger fields; sets of Mutually Orthogonal Latin Squares; bent vectorial functions from the Maiorana-McFarland class.
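As an added example (not Paper I3's code), the class $P(X) = X(a\,\mathrm{Tr}^k_\ell(X) + aX + b)$ is checked exhaustively over $\mathbb{F}_{2^6}$ with $\ell = 2$ and $k = 3$, assuming $\mathbb{F}_{2^6}$ is represented modulo $x^6 + x + 1$; $a$ and $b$ range over the subfield $\mathbb{F}_4$, and the check confirms the two conditions on $b$ stated above, including that $b = 0$ collapses the whole subfield onto $0$.

```python
# Added example (not from Paper I3): permutation polynomials and complete
# mappings of the form P(X) = X (a Tr(X) + a X + b) over F_{2^6}.
N = 6                      # n = k * l
L = 2                      # l: the subfield F_{2^l} = F_4
K = N // L                 # k = 3, odd as the theorem requires
MODULUS = (1 << 6) | 0b11  # x^6 + x + 1, irreducible over F_2 (assumed representation)

def gf_mul(a, b):
    """Carry-less multiplication of two F_{2^6} elements, reduced mod MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def sum_xor(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc

def trace_k_l(x):
    """Tr^k_l(X) = X + X^{2^l} + X^{2^{2l}} + ... + X^{2^{(k-1)l}},
    the trace from F_{2^n} down to F_{2^l}."""
    return sum_xor(gf_pow(x, 1 << (L * i)) for i in range(K))

def subfield():
    """Elements of F_{2^l} inside F_{2^n}: exactly those X with X^{2^l} = X."""
    return [x for x in range(1 << N) if gf_pow(x, 1 << L) == x]

def P(x, a, b):
    """P(X) = X (a Tr^k_l(X) + a X + b) with a, b in the subfield."""
    inner = gf_mul(a, trace_k_l(x)) ^ gf_mul(a, x) ^ b
    return gf_mul(x, inner)

def is_permutation(func):
    return len({func(x) for x in range(1 << N)}) == 1 << N

def is_complete_mapping(func):
    """A complete mapping is a permutation P such that P(X) + X is also one."""
    return is_permutation(func) and is_permutation(lambda x: func(x) ^ x)

def classify():
    """For every a, b in F_{2^l}: {(a, b): (is_pp, is_cm)}."""
    sub = subfield()
    return {(a, b): (is_permutation(lambda x: P(x, a, b)),
                     is_complete_mapping(lambda x: P(x, a, b)))
            for a in sub for b in sub}

def theorem_holds(table):
    """Slide 87: b != 0 gives a PP and b not in {0, 1} gives a complete mapping;
    conversely b = 0 never gives a PP, since every X in the subfield maps to 0."""
    return all(is_pp == (b != 0) and is_cm == (b not in (0, 1))
               for (a, b), (is_pp, is_cm) in table.items())

if __name__ == "__main__":
    table = classify()
    print("conditions on b hold for all a, b in F_4:", theorem_holds(table))
```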

SLIDE 88

II The MQQ family - design improvements and analysis (Papers I1, I4, I5, I6)

I1 Algorithms for Construction of Multivariate Quadratic Quasigroups (MQQs) and Their Parastrophe Operations in Arbitrary Galois Fields
I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC
I5 On the Strong and Weak Keys in MQQ-SIG
I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

SLIDE 89

Paper I1: Efficiency improvements of MQQ-SIG using the new constructions of MQQs

Results: Extension from $\mathbb{F}_2$ to any $\mathbb{F}_{p^k}$ $\Rightarrow$ reduction of the public key size of MQQ-SIG up to 58 times.

Public key size in Kbytes:
  n      GF(2)     GF(2^2)   GF(2^4)   GF(2^8)
  160    125.79    32.43     8.41      2.26
  192    217.14    55.70     14.36     3.81
  224    344.55    88.06     22.60     5.95
  256    514.02    131.02    33.52     8.77

SLIDE 91

Paper I1: Efficiency improvements of MQQ-SIG using the new constructions of MQQs

Results: Key observation: MQQ-SIG uses MQQs linearly isotopic to T-MQQs of the form $q_0(x, y) = A(x) \cdot y + x$
  $\Rightarrow$ New decryption algorithm with improved performance: from $O(d^3)$ to $O(d^2)$.
  $\Rightarrow$ Reduction of the private key size.

Private key size in bytes, d = 8:
               Bilinear MQQs           MQQs from T-MQQs
               previous    new         previous    new
  GF(2)        81          50.5        137         66.5
  GF(2^k)      81k         50.5k       153k        75.5k

SLIDE 96

Paper I4: MQQ-ENC - a new encryption scheme

Design choices:
  • Over $\mathbb{F}_{2^k}$, $k \in \{1, 2, 4, 8\}$
  • $r$ removed polynomials
  • LMQQs of order $2^{8k}$
  • Specially constructed matrices $S$ and $T$

Encryption: pick randomness $r$, compute $h = H(m \| r)$ and $c = P(m \| r \| h)$, where the public map is $P = T \circ F \circ S$.

[Figure: the central map $F$ is a chain of quasigroup operations $q_1, q_2, \dots, q_{n/8-1}$ over the input blocks $u, x_1, \dots, x_{n/8-1}, x_{n/8}$, producing the output blocks $y_1, \dots, y_{n/8-1}, y_{n/8}$.]

Decryption: apply $T^{-1}$, $F^{-1}$ and $S^{-1}$ to $c$, trying all values of the removed coordinates, to obtain candidates $(m', r', h')$; recompute $h = H(m' \| r')$ and accept if $h = h'$.

Properties:
  • probabilistic encryption
  • negligible decryption error
  • IND-CCA under the MQQ assumption

Parameters for 128 bits of security:
  field    F2     F4     F16    F256
  n        256    128    64     32
  r        8      4      2      1

SLIDE 100

Paper I4: MQQ-ENC - a new encryption scheme

The LMQQs of order $2^{dk}$: $q(x, y) = D \cdot q_0(x, D_y \cdot y + c_y) + c$, where $q_0$ is a T-LMQQ defined over $\mathbb{F}_{2^k}$, $D, D_y$ are matrices and $c, c_y$ are vectors.

Why LMQQs? Gröbner bases experiments:

[Figure: degree of regularity $D_{reg}$ (2 to 14) against the number of variables (24 to 96) for random systems ($D_{reg,rand}$), MQQ-ENC ($D_{reg,MQQ\text{-}ENC}$) and MQQ-ENC built from bilinear MQQs ($D_{reg,MQQ\text{-}ENC_{bl}}$).]

The MQQs from MQQ-SIG are too weak when a small number of polynomials is removed!

Strong implication that the internal structure of the MQQs is very important!

SLIDE 104

Paper I5: Weak keys in MQQ-SIG

Results:
  • Identified weak keys in MQQ-SIG w.r.t. Gröbner basis attacks.
  • Classification of different parameters in the scheme: dismantle the MQQ; analysis of the linear isotopy classes.
  • An enhanced key generation algorithm for MQQ-SIG: stronger keys, faster key generation algorithm.

[Figure: Gröbner basis attack for n = 56, time in seconds (500 to 4,000) per experiment (1 to 50), tweaked version vs. original MQQ-SIG.]

Experiments show:
  • The matrices $A_1$ and $A_2$ (from the linear isotopy) have little or no influence on the security of MQQ-SIG;
  • The condition on the rank of the $Q^{(i)}$ matrices, required in the specifications of MQQ-SIG, is not relevant for the security of MQQ-SIG;
  • It is better to use a random invertible matrix $S$ instead of a circulant one.

Strong indication of more serious security issues!

SLIDE 110

Paper I6: Cryptanalysis of the MQQ family

Results: Crucial observation: all MQQ cryptosystems share a common algebraic structure that introduces a weakness. Key recovery attack: recovery of an equivalent key.

$$P = T \circ F \circ S \;\Leftrightarrow\; P = T \circ \Sigma^{-1} \circ \Sigma \circ F \circ \Omega \circ \Omega^{-1} \circ S \;\Leftrightarrow\; P = T' \circ F' \circ S'$$

Essential structure preserved.

Techniques: Simultaneous MinRank + good keys [Thomae & Wolf '12]
  • Step 1. Recover some structure (a good key)
  • Step 2. Some more structure (another good key)
  • ...
  • Step n. All structure recovered (an equivalent key is found)

Find $t'_{k1} \in \mathbb{F}_q$, $1 < k \le N - r + 1$, s.t. $\mathrm{Rank}\left(P^{(k)} + t'_{k1} P^{(1)}\right) < N$, and $s' \in \mathrm{Ker}\left(P^{(k)} + t'_{k1} P^{(1)}\right)$; $s'$, $t'$ give a good key.

SLIDE 117

Paper I6: Cryptanalysis of the MQQ family

Crucial observation about the algebraic structure

[Figure: matrix notation of $F$. The central polynomials are arranged column-wise in blocks of $d$: $(f_1, \dots, f_d)$, $(f_{d+1}, \dots, f_{2d})$, $(f_{2d+1}, \dots, f_{3d})$, $\dots$, $(f_{n-d+1}, \dots, f_n)$.]

[Figure: $Q^{(s)}$, the matrix of the quadratic form of $q^{(s)}$, as a $d \times d$ block over the variables $(x, y)$.]

$P = T \circ F \circ S$, with $\hat q = D \cdot q(x, D_y \cdot y + c_y) + c$.

[Figure: $Q^{(s)}$ after removing the isotopy, the $d \times d$ block over $(x, y)$ with its non-zero region of size $d - s$.]

$P = T \cdot (I_{n/d} \otimes D) \circ F' \circ (I_{n/d} \otimes D_y^{-1}) \cdot S$, with $q(D_y^{-1} x, y) = \tilde q(x, y)$.

An equivalent central map $F'$, in the same matrix notation as $F$.

SLIDE 121

Paper I6: Key Recovery Attack on MQQ cryptosystems

Input: $n - r$ public polynomials $P$ in $n$ variables.
for number of variables $N := n$ down to $r + 2$ do
    Step $N$: Find a good key $(S'_N, T'_N)$
    Transform the public key as $P \leftarrow T'_N \circ P \circ S'_N$,
end for;
Output: An equivalent key $S' = S'_n \circ S'_{n-1} \circ \cdots \circ S'_{r+2}$ and $T' = T'_{r+2} \circ \cdots \circ T'_{n-1} \circ T'_n$.

Essential structure preserved. The structure is gradually revealed, one column at a time.

SLIDE 122

Paper I6: Key Recovery Attack on MQQ cryptosystems

Key recovery, MQQ-ENC:
  field    n      r    Security   Theoretical (ω = 2.7)
  F2       256    8    2^128      2^56.3
  F4       128    4    2^128      2^48.2
  F16      64     2    2^128      2^40.3
  F256     32     1    2^128      2^32.5
  Practical time: 2^50.6 (9.1 days)

Key recovery, MQQ-SIG:
  n      Security   Theoretical (ω = 2.7)
  160    2^80       2^50.8
  192    2^96       2^52.9
  224    2^112      2^54.7
  256    2^128      2^56.2
  Practical time: 2^48.0 (1.4 days)

Implemented in Magma 2.19-10 on a 32-core Intel Xeon 2.27GHz with 1TB RAM.

SLIDE 123

III Security of MQ schemes (Papers I4, I6, I7, A1)

I4 The Multivariate Probabilistic Encryption Scheme MQQ-ENC
I6 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
I7 Linearity Measures for Multivariate Public Key Cryptography
A1 Towards a Secure Multivariate Identity-Based Encryption

SLIDE 127

Paper I6: Pitfalls over even characteristic

Results: Model MinRank as Simultaneous MinRank. Over even characteristic the public matrices always have even rank! $\Rightarrow$ Over $\mathbb{F}_q$ there are always $q$ solutions!

Solving Simultaneous MinRank: Find $t'_{k1} \in \mathbb{F}_q$, $1 < k \le N - r + 1$, such that $\mathrm{Rank}\left(P^{(k)} + t'_{k1} P^{(1)}\right) < N$, and $s' \in \mathrm{Ker}\left(P^{(k)} + t'_{k1} P^{(1)}\right)$.

  • $q = O(n)$: solve one MinRank and use exhaustion over $\mathbb{F}_q$.
  • Any $q$: solve a few of the MinRank(s) (directly find a unique solution).

SLIDE 132

Paper I7: Linear attacks in MQ cryptography

Results: Linearity in MQ cryptography
  • strong (s, t)-linearity for (n, m)-functions - based on [Nyberg '92]
  • (s, t)-linearity for (n, m)-functions [Boura & Canteaut '13]

$f$ is strongly $(s,t)$-linear $\Leftrightarrow$ $\exists\, V \subset \mathbb{F}_q^n$ with $\dim(V) = s$ and $W \subset \mathbb{F}_q^m$ with $\dim(W) = t$, s.t. $\forall w \in W$, $V \subset \mathrm{Ker}(w^\top \cdot f)$; or equivalently, for $w \in W$, $D_a(w^\top \cdot f) = \mathrm{const.}$, $\forall a \in V$.

$f$ is $(s,t)$-linear $\Leftrightarrow$ $\exists\, V \subset \mathbb{F}_q^n$ with $\dim(V) = s$ and $W \subset \mathbb{F}_q^m$ with $\dim(W) = t$, s.t. $\forall w \in W$, $w^\top \cdot f$ is linear on all cosets of $V$; or equivalently, for $w \in W$, $D_{a,b}(w^\top \cdot f) = 0$, $\forall a, b \in V$.

Strong $(s,t)$-linearity $\Rightarrow$ strong $(s-1,t)$-linearity and strong $(s,t-1)$-linearity.
$(s,t)$-linearity $\Rightarrow$ $(s-1,t)$-linearity and $(s,t-1)$-linearity.
Strong $(s,t)$-linearity $\Rightarrow$ $(s,t)$-linearity.

Linear attacks: MinRank, reconciliation attack on UOV, Rainbow band separation attack, equivalent keys / good keys attacks
  $\Rightarrow$ linearity measures for MQ cryptography
  $\Rightarrow$ generic attacks for separation of linear spaces
  $\Rightarrow$ polynomial system modelling using Gröbner bases

SLIDE 140

Paper I7: Strong (s, t)-linearity v.s. MQ crypto

Simultaneous MinRank - reveal strong (s, t)-linearity

Public $P$: strongly $(s,t)$-linear w.r.t. unknown $V$, $W$.

Goal: $P \to P' = T' \circ P \circ S'$, strongly $(s,t)$-linear w.r.t. the standard basis, i.e. separate the spaces $V$, $W$:
  • Transform the input space: $n - s$ coordinates, then $s$ coordinates spanning a basis of $V$.
  • Transform the output space: $t$ coordinates spanning a basis of $W$, then $m - t$ coordinates.

$(S', T')$ - strong $(s,t)$-separation key.

Complexity - not polynomial in general!

slide-141
SLIDE 141

47

Paper I7: Strong (s, t)–linearity v.s. MQ crypto

Simultaneous MinRank - Improved analysis

P P′ = T ′ ◦

  • S′

n − s s Transform input space

t m − t

Transform output space

basis of V basis of W

www.ntnu.no Simona Samardjiska, PhD defence

slide-142
SLIDE 142

47

Paper I7: Strong (s, t)–linearity v.s. MQ crypto

Simultaneous MinRank - Improved analysis

P P′ = T ′ ◦

  • S′

Find only c1 vectors from W Find only c2 vectors from V n − s s Transform input space

t m − t

Transform output space

basis of V basis of W

www.ntnu.no Simona Samardjiska, PhD defence

slide-143
SLIDE 143

47

Paper I7: Strong (s, t)–linearity v.s. MQ crypto

Simultaneous MinRank - Improved analysis

P P′ = T ′ ◦

  • S′

Find only c1 vectors from W Find only c2 vectors from V Choose c1 and c2 s.t. the system has unique solution n − s s Transform input space

t m − t

Transform output space

basis of V basis of W

First strong (c2, c1) - linearity then strong (c2, t) - linearity then strong (s, t) - linearity

www.ntnu.no Simona Samardjiska, PhD defence

slide-144
SLIDE 144

47

Paper I7: Strong (s, t)–linearity v.s. MQ crypto

Simultaneous MinRank - Improved analysis

Type of good key [Thomae-Wolf ’12] with “good enough” structure

P P′ = T ′ ◦

  • S′

Find only c1 vectors from W Find only c2 vectors from V Choose c1 and c2 s.t. the system has unique solution n − s s Transform input space

t m − t

Transform output space

basis of V basis of W

First strong (c2, c1) - linearity then strong (c2, t) - linearity then strong (s, t) - linearity

www.ntnu.no Simona Samardjiska, PhD defence

slide-145
SLIDE 145

47

Paper I7: Strong (s, t)–linearity vs. MQ crypto

Simultaneous MinRank - Improved analysis

Type of good key [Thomae-Wolf ’12] with “good enough” structure

P′ = T′ ◦ P ◦ S′

[Diagram: S′ transforms the input space, splitting the n coordinates into n − s and s (a basis of V); T′ transforms the output space, splitting the m coordinates into t and m − t (a basis of W)]

Find only c1 vectors from W

Find only c2 vectors from V

Choose c1 and c2 s.t. the system has a unique solution

First strong (c2, c1)-linearity, then strong (c2, t)-linearity, then strong (s, t)-linearity

We obtain polynomial complexity!

SLIDE 146

48

Paper I7: Linear attacks in MQ cryptography

Results: Linearity in MQ cryptography

Strong (s, t)-linearity for (n, m)-functions - based on [Nyberg ’92]

(s, t)-linearity for (n, m)-functions [Boura & Canteaut ’13]

Linear attacks: MinRank, Reconciliation attack on UOV, Rainbow band separation attack, Equivalent keys / Good keys attacks

Linearity measures for MQ cryptography

Generic attacks for separation of linear spaces

Polynomial system modelling using Gröbner bases

For strong (s, t)–linearity use the condition D_a(w⊺ · f) = const, ∀ a ∈ V, w ∈ W.

For (s, t)–linearity use the condition D_{a,b}(w⊺ · f) = 0, ∀ a, b ∈ V, w ∈ W.
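The two derivative conditions on this slide can be checked by brute force for a small function, which is how a designer would measure how much linear structure a candidate central map leaks to separation attacks. The Python below is an added example, not code from the thesis or its papers; the toy map f(x) = (x0·x1 + x2, x0·x2 + x3) from GF(2)^4 to GF(2)^2, the bit encoding of vectors as integers, and all function names are constructed for illustration. It checks strong (s, t)-linearity (D_a(w⊺·f) constant for every a in V and w in W), plain (s, t)-linearity (D_{a,b}(w⊺·f) = 0), and goes one step beyond the slide by computing, for each t, the largest s for which f is strongly (s, t)-linear, using the fact that the linear structures of a Boolean function form a subspace:

```python
# Added example (not from the slides): brute-force checks of the two
# linearity conditions for a constructed toy (n,m)-function over GF(2).
from itertools import combinations

N, M = 4, 2  # constructed toy dimensions: f maps GF(2)^4 -> GF(2)^2


def parity(v: int) -> int:
    """Parity of the bits of v; parity(w & y) is the GF(2) inner product w^T.y."""
    return bin(v).count("1") & 1


def bit(x: int, i: int) -> int:
    """Coordinate x_i of the vector x (bit i of the integer encoding)."""
    return (x >> i) & 1


def sample_function():
    """Truth table of the constructed quadratic map
    f(x) = (x0*x1 + x2, x0*x2 + x3); entry x holds the m output bits."""
    table = []
    for x in range(1 << N):
        y0 = (bit(x, 0) & bit(x, 1)) ^ bit(x, 2)
        y1 = (bit(x, 0) & bit(x, 2)) ^ bit(x, 3)
        table.append(y0 | (y1 << 1))
    return table


def component(f, w):
    """Boolean component function w^T . f as a truth table."""
    return [parity(w & y) for y in f]


def derivative(g, a):
    """Discrete derivative D_a g(x) = g(x + a) + g(x) over GF(2)."""
    return [g[x ^ a] ^ g[x] for x in range(len(g))]


def span(vectors):
    """All GF(2)-linear combinations of the given vectors (a subspace)."""
    s = {0}
    for v in vectors:
        s |= {u ^ v for u in s}
    return frozenset(s)


def subspaces(dim):
    """Every subspace of GF(2)^dim, found by spanning small vector sets."""
    nonzero = range(1, 1 << dim)
    found = set()
    for k in range(dim + 1):
        for basis in combinations(nonzero, k):
            found.add(span(basis))
    return found


def is_strongly_linear(f, v_basis, w_basis):
    """Strong (s,t)-linearity: D_a(w^T.f) is constant for all a in V, w in W."""
    for w in span(w_basis):
        g = component(f, w)
        for a in span(v_basis):
            if len(set(derivative(g, a))) != 1:
                return False
    return True


def is_linear(f, v_basis, w_basis):
    """(s,t)-linearity: D_{a,b}(w^T.f) = 0 for all a, b in V, w in W."""
    V = span(v_basis)
    for w in span(w_basis):
        g = component(f, w)
        for a in V:
            da = derivative(g, a)
            for b in V:
                if any(derivative(da, b)):
                    return False
    return True


def linear_structures(g):
    """Directions a along which D_a g is constant; these form a subspace."""
    return frozenset(a for a in range(len(g)) if len(set(derivative(g, a))) == 1)


def strong_linearity_profile(f, n, m):
    """For each t, the largest s such that f is strongly (s,t)-linear:
    V must lie inside the common linear structures of every component in W."""
    ls = {w: linear_structures(component(f, w)) for w in range(1 << m)}
    profile = {}
    for W in subspaces(m):
        t = len(W).bit_length() - 1
        if t == 0:
            continue
        common = frozenset(range(1 << n))
        for w in W:
            common &= ls[w]
        s = len(common).bit_length() - 1  # intersection of subspaces is a subspace
        profile[t] = max(profile.get(t, 0), s)
    return profile


if __name__ == "__main__":
    F = sample_function()
    e0, e1, e2, e3 = 1, 2, 4, 8
    print(is_strongly_linear(F, [e2, e3], [1]))      # True
    print(is_linear(F, [e0, e2, e3], [1]))           # True, but not strongly
    print(is_strongly_linear(F, [e0, e2, e3], [1]))  # False
    print(strong_linearity_profile(F, N, M))         # {1: 2, 2: 1}
```

The run shows the gap between the two notions: along V = span(e0, e2, e3) the first component x0·x1 + x2 has vanishing second derivatives, so f is (3, 1)-linear, yet D_{e0} of that component equals x1, which is not constant, so f is only strongly (2, 1)-linear. Strong linearity always implies the plain kind, since D_{a,b} g = D_b(D_a g) is zero whenever D_a g is constant. The profile is the quantity to keep small when choosing a central map: a large s for some t is exactly the structure a separation-key attack exploits.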

SLIDE 148

49

Paper I4: Encryption schemes with decryption error

Results: IND-CCA conversion for encryption schemes with decryption error

Based on the Kobara-Imai conversion [’01] for the McEliece scheme

Can be applied to any MQ OWE

Paper A1: MQ Identity Based Encryption?

Results: Impossible to build an IBE scheme over the MQ construction that is secure against collusion

Proof of concept that it is possible (in theory) to reduce the probability of collusion to negligible

SLIDE 149

50

Outline

Motivation

MQ cryptosystems

The MQQ family

Research goals and objectives

Results

The MQQ family - design improvements and analysis

Construction of functions for MQ trapdoors

Security of MQ schemes

Conclusion

SLIDE 150

51

What was done and learned ...

Very hard to design a secure scheme based on an easily invertible MQQ structure

For any advancement, a major revision is needed

MinRank - fundamental for MQ security

Simultaneous MinRank - a proper way to model MinRank in MQ crypto

Linear attacks - fundamental for MQ security

We need to use prudent design principles, similar to the practice in symmetric cryptography

Linearity measure - the first generic measure for resistance to linear attacks

SLIDE 154

52

... Where from here?

Can linear cryptanalysis be applied to mixed field schemes?

What is the exact connection between linear and differential cryptanalysis in the MQ setting?

What else can we borrow from symmetric cryptography?

SLIDE 157

Thank you for listening!

?
