Multivariate Quadratic Public-Key Cryptography Part 1: Basics - PowerPoint PPT Presentation

  1. Multivariate Quadratic Public-Key Cryptography Part 1: Basics
     Bo-Yin Yang, Academia Sinica
     PQCrypto Executive Summer School 2017, Eindhoven, the Netherlands, Friday, 23.06.2017
     B.-Y. Yang (Academia Sinica) Multivariate Cryptography PQC Exec. Summer School 1 / 13

  3. Multivariate Cryptography
     MPKC: Multivariate (Quadratic) Public Key Cryptosystem
     Public Key: a system of nonlinear multivariate equations
       $p^{(1)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(1)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(1)}_{i}\, x_i + p^{(1)}_{0}$
       $p^{(2)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(2)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(2)}_{i}\, x_i + p^{(2)}_{0}$
       $\vdots$
       $p^{(m)}(x_1,\dots,x_n) = \sum_{i=1}^{n}\sum_{j=i}^{n} p^{(m)}_{ij}\, x_i x_j + \sum_{i=1}^{n} p^{(m)}_{i}\, x_i + p^{(m)}_{0}$
     Public key size $= m \cdot \binom{n+d}{d}$ coefficients at degree $d$, hence usually $d = 2$.

  5. Security
     The security of multivariate schemes is based on the
     Problem MQ: Given $m$ multivariate quadratic polynomials $p^{(1)}(x), \dots, p^{(m)}(x)$, find a vector $\bar{x} = (\bar{x}_1, \dots, \bar{x}_n)$ such that $p^{(1)}(\bar{x}) = \dots = p^{(m)}(\bar{x}) = 0$.
     NP-hard; believed to be hard on average even for quantum computers: suppose we have a probabilistic algorithm $A$ and a subexponential function $\eta$; then $A$ terminates with an answer to a random instance from $\mathrm{MQ}(n, m = an, \mathbb{F}_q)$ in time $\eta(n)$ only with probability $\mathrm{negl}(n)$.
     Higher-order versions (MP for Multivariate Polynomials, or PoSSo for Polynomial System Solving) are clearly no less hard.
     However, there is usually no direct reduction to MQ!!

  6. Identification Scheme of Sakumoto et al. and MQDSS
     An example 5-pass ID scheme depending only on MQ.
     Let $P$ be a random MQ instance. Its "polar" form is $D_P(x, y) := P(x + y) - P(x) - P(y) - P(0)$.
     $P(s) = p$ is the public key, $s$ is the secret.
     Peter picks and commits random $(r_0, t_0, e_0)$, sets $r_1 = s - r_0$ and commits $(r_1, D_P(t_0, r_1) + e_0)$.
     Vera sends random $\alpha$; Peter sets and sends $t_1 := \alpha r_0 - t_0$, $e_1 := \alpha P(r_0) - e_0$.
     Vera sends challenge $Ch$; Peter sends $r_{Ch}$.
     Vera checks the commitment of either $(r_0, \alpha r_0 - t_1, \alpha P(r_0) - e_1)$ or $(r_1, \alpha(p - P(r_1)) - D_P(t_1, r_1) - e_1)$.
     The Fiat-Shamir transform of this ID scheme is the MQDSS scheme.
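The exchange on this slide, as an added example (my own code, not from the slides or from the MQDSS authors): a pure-Python simulation of one 5-pass round between Peter and Vera over the constructed field $\mathbb{F}_{31}$ with a random MQ instance. Assumptions not on the slide: the commitment is SHA-256 over a canonical encoding plus a revealed nonce, $P$ has no constant term (so $P(0) = 0$ and $D_P$ is bilinear), and every function name (mq_eval, polar, commit, run_round, demo) is mine.

```python
import hashlib
import random

q = 31  # constructed choice: the small prime field F_31 keeps every value readable


def vadd(x, y): return [(a + b) % q for a, b in zip(x, y)]
def vsub(x, y): return [(a - b) % q for a, b in zip(x, y)]
def vscale(c, x): return [(c * a) % q for a in x]


def mq_eval(P, x):
    """P = (A, B): p^(k)(x) = sum_{i<=j} A[k][i][j] x_i x_j + sum_i B[k][i] x_i.
    No constant term, so P(0) = 0 and the polar form below is bilinear."""
    A, B = P
    n = len(x)
    out = []
    for k in range(len(A)):
        v = sum(B[k][i] * x[i] for i in range(n))
        for i in range(n):
            for j in range(i, n):
                v += A[k][i][j] * x[i] * x[j]
        out.append(v % q)
    return out


def polar(P, x, y):
    """D_P(x, y) := P(x + y) - P(x) - P(y) - P(0), as written on the slide."""
    zero = [0] * len(x)
    return [(a - b - c - d) % q for a, b, c, d in zip(
        mq_eval(P, vadd(x, y)), mq_eval(P, x), mq_eval(P, y), mq_eval(P, zero))]


def commit(values, nonce):
    """Assumed commitment: SHA-256 over a canonical encoding plus a 128-bit nonce revealed on opening."""
    return hashlib.sha256(repr(values).encode() + nonce.to_bytes(16, "big")).hexdigest()


def keygen(rng, n, m):
    """Random MQ instance P: F_q^n -> F_q^m and secret s; the public key is (P, p = P(s))."""
    A = [[[rng.randrange(q) if j >= i else 0 for j in range(n)] for i in range(n)] for _ in range(m)]
    B = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    return (A, B), mq_eval((A, B), s), s


def run_round(P, p, s, rng, alpha=None, ch=None):
    """One 5-pass round: Peter (prover, holds s) and Vera (verifier). Returns True iff Vera accepts.
    alpha and ch are drawn by Vera unless the caller fixes them for testing."""
    n, m = len(s), len(p)
    # Pass 1: Peter picks (r0, t0, e0), sets r1 = s - r0 and commits to both tuples.
    r0 = [rng.randrange(q) for _ in range(n)]
    t0 = [rng.randrange(q) for _ in range(n)]
    e0 = [rng.randrange(q) for _ in range(m)]
    r1 = vsub(s, r0)
    nonce0, nonce1 = rng.getrandbits(128), rng.getrandbits(128)
    c0 = commit((r0, t0, e0), nonce0)
    c1 = commit((r1, vadd(polar(P, t0, r1), e0)), nonce1)
    # Pass 2: Vera sends a random alpha in F_q.
    alpha = rng.randrange(q) if alpha is None else alpha
    # Pass 3: Peter sends t1 = alpha*r0 - t0 and e1 = alpha*P(r0) - e0.
    t1 = vsub(vscale(alpha, r0), t0)
    e1 = vsub(vscale(alpha, mq_eval(P, r0)), e0)
    # Pass 4: Vera sends the binary challenge Ch.
    ch = rng.randrange(2) if ch is None else ch
    # Pass 5: Peter opens r_Ch together with the nonce of the matching commitment.
    r_ch, nonce = (r0, nonce0) if ch == 0 else (r1, nonce1)
    # Vera recomputes the opened commitment from (P, p), the transcript and r_Ch only.
    if ch == 0:
        return c0 == commit((r_ch, vsub(vscale(alpha, r_ch), t1),
                             vsub(vscale(alpha, mq_eval(P, r_ch)), e1)), nonce)
    inner = vsub(vsub(vscale(alpha, vsub(p, mq_eval(P, r_ch))), polar(P, t1, r_ch)), e1)
    return c1 == commit((r_ch, inner), nonce)


def demo(seed=1, n=6, m=6, rounds=20):
    """Honest Peter passes every round; a Peter holding a wrong secret fails Ch = 1 whenever alpha != 0."""
    rng = random.Random(seed)
    P, p, s = keygen(rng, n, m)
    honest = all(run_round(P, p, s, rng) for _ in range(rounds))
    s_wrong = [(a + 1) % q for a in s]
    cheat_caught = mq_eval(P, s_wrong) == p or not run_round(P, p, s_wrong, rng, alpha=1, ch=1)
    return honest, cheat_caught


if __name__ == "__main__":
    print(demo())
```

Why the $Ch = 1$ check binds the prover to $p$: substituting $t_1$ and $e_1$ and using bilinearity of $D_P$, the value Vera recomputes equals $\alpha\,(p - P(r_0) - P(r_1) - D_P(r_0, r_1)) + D_P(t_0, r_1) + e_0$, and the bracket vanishes exactly when $P(r_0 + r_1) = p$. A prover who used some $s' \neq s$ with $P(s') \neq p$ therefore produces a different committed value, which the hash commitment exposes; the $Ch = 0$ check only confirms that $t_1, e_1$ were formed from the committed $(r_0, t_0, e_0)$.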

  9. Bipolar Construction
     Easily invertible quadratic map $Q : \mathbb{F}^n \to \mathbb{F}^m$
     Two invertible linear maps $T : \mathbb{F}^m \to \mathbb{F}^m$ and $S : \mathbb{F}^n \to \mathbb{F}^n$
     Public key: $P = T \circ Q \circ S$, supposed to look random
     Private key: $S, Q, T$, which allow the holder to invert the public key
     Encryption Schemes ($m \ge n$): TTM-related schemes (all broken); PMI+, IPHFE+; ZHFE (broken, cf. this conference); Simple Matrix (cf. this conference)
     Signature Schemes ($m \le n$): Unbalanced Oil and Vinegar (Rainbow, TTS); HFEv- (QUARTZ/Gui); pFLASH (this conference)

  10. Workflow
     Decryption / Signature Generation (private side, applying $T^{-1}$, $Q^{-1}$, $S^{-1}$ in turn):
       $z \in \mathbb{F}^m \xrightarrow{\;T^{-1}\;} y \in \mathbb{F}^m \xrightarrow{\;Q^{-1}\;} x \in \mathbb{F}^n \xrightarrow{\;S^{-1}\;} w \in \mathbb{F}^n$
     Encryption / Signature Verification (public side):
       $w \in \mathbb{F}^n \xrightarrow{\;P\;} z \in \mathbb{F}^m$
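To make the bipolar construction (slide 9) and this workflow concrete, here is an added example (my own code, not from the presentation or any library): a toy signature scheme whose central map $Q$ is Unbalanced Oil and Vinegar, over the constructed field $\mathbb{F}_{31}$. Choices and assumptions not stated on the slides: $S$ and $T$ are linear (not affine), the public key is expanded into explicit quadratic forms $P_k = \sum_l T_{kl}\, S^{\mathsf T} M_l S$, inversion uses dense Gaussian elimination, parameters are $v = 6$ vinegar and $o = 4$ oil variables, and all function names are mine.

```python
import random

q = 31  # constructed choice of field F_31; n = v + o variables, m = o equations


def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % q for j in range(len(B[0]))] for i in range(len(A))]


def transpose(A):
    return [list(col) for col in zip(*A)]


def quad_form(M, x):
    """x^T M x over F_q: one quadratic polynomial written as a matrix."""
    return sum(x[i] * M[i][j] * x[j] for i in range(len(x)) for j in range(len(x))) % q


def solve(A, b):
    """Solve the square system A x = b over F_q by Gaussian elimination; None if A is singular."""
    n = len(A)
    M = [[v % q for v in row] + [bi % q] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [(v * inv) % q for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * c) % q for a, c in zip(M[r], M[col])]
    return [row[n] for row in M]


def inverse(A):
    """Matrix inverse over F_q, column by column; None if singular."""
    n = len(A)
    cols = [solve(A, [int(i == j) for i in range(n)]) for j in range(n)]
    return None if any(c is None for c in cols) else transpose(cols)


def rand_invertible(rng, n):
    while True:
        A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        if inverse(A) is not None:
            return A


def keygen(rng, v, o):
    n, m = v + o, o
    S, T = rand_invertible(rng, n), rand_invertible(rng, m)
    # Central map Q: m quadratic forms x^T M_k x whose oil x oil block (indices >= v) is zero;
    # that zero block is what makes Q easy to invert once the vinegar variables are fixed.
    M = [[[rng.randrange(q) if i < v or j < v else 0 for j in range(n)] for i in range(n)] for _ in range(m)]
    # Public key P = T o Q o S expanded into plain quadratic forms: P_k = sum_l T[k][l] * (S^T M_l S).
    SMS = [matmul(matmul(transpose(S), Mk), S) for Mk in M]
    Pub = [[[sum(T[k][l] * SMS[l][i][j] for l in range(m)) % q for j in range(n)] for i in range(n)] for k in range(m)]
    return Pub, (S, M, T, v)


def invert_central(rng, M, v, y):
    """Q^{-1}: fix the vinegar variables at random, then Q is linear in the oil variables."""
    o = len(M)
    while True:
        x = [rng.randrange(q) for _ in range(v)] + [0] * o
        const = [quad_form(Mk, x) for Mk in M]
        # Coefficient of oil variable j in equation k is Q_k(x + e_j) - Q_k(x), since e_j^T M_k e_j = 0.
        A = [[(quad_form(Mk, x[:v + j] + [1] + x[v + j + 1:]) - const[k]) % q for j in range(o)]
             for k, Mk in enumerate(M)]
        oil = solve(A, [(yk - ck) % q for yk, ck in zip(y, const)])
        if oil is not None:  # a singular oil system (probability ~1/q) just means: pick new vinegar
            return x[:v] + oil


def sign(rng, sk, z):
    """Private side of the workflow slide: z -> T^{-1} -> y -> Q^{-1} -> x -> S^{-1} -> w."""
    S, M, T, v = sk
    y = matvec(inverse(T), z)
    x = invert_central(rng, M, v, y)
    return matvec(inverse(S), x)


def verify(Pub, w, z):
    """Public side: evaluate the published quadratic forms at w and compare with z."""
    return [quad_form(Pk, w) for Pk in Pub] == [zi % q for zi in z]


def demo(seed=3, v=6, o=4):
    rng = random.Random(seed)
    Pub, sk = keygen(rng, v, o)
    z = [rng.randrange(q) for _ in range(o)]  # constructed stand-in for a hashed message in F_q^m
    w = sign(rng, sk, z)
    other = [(z[0] + 1) % q] + z[1:]
    return verify(Pub, w, z), verify(Pub, w, other)
```

The verifier never sees $S$, $M_k$ or $T$: it only has the expanded forms $P_k$, in which the zero oil-oil block has been mixed away by $S$ and $T$. Recovering that hidden structure from the $P_k$ alone is the EIP problem of the next slide, whereas forging directly means solving $P(w) = z$ as an MQ instance.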

  11. Isomorphism of Polynomials
     Due to the bipolar construction, the security of MPKCs is also based on the
     Problem EIP (Extended Isomorphism of Polynomials): Given the public key $P$ of a multivariate public key cryptosystem, find affine maps $\bar{S}$ and $\bar{T}$ as well as a quadratic map $\bar{Q}$ in class $\mathcal{C}$ such that $P = \bar{T} \circ \bar{Q} \circ \bar{S}$.
     ⇒ Hardness of the problem depends heavily on the structure of the central map
     ⇒ In general, not much is known about the complexity
     ⇒ Security analysis of multivariate schemes is a hard task

  13. Generic (Direct) Attacks
     Try to solve the public equation $P(w) = z$ as an instance of the MQ problem; all known algorithms have exponential running time (for $m \approx n$).
     Known Best Generic Algorithms: for larger $q$, FXL ("Hybridized XL"); for $q = 2$, smart enumerative methods such as the Joux-Vitse algorithm (an XL variant).
     Complexity of Direct Attacks: how many equations are needed to meet given levels of security?
       security level (bit)   F_2*   F_16   F_31   F_256
       80                       88     30     28     26
       100                     110     39     36     33
       128                     140     51     48     43
       192                     208     80     75     68
       256                     280    110    103     93
       * depending on how we model the Joux-Vitse algorithm

  14. XL Algorithm
     Given: nonlinear polynomials $f_1, \dots, f_m$ of degree $d$
     1. eXtend: multiply each polynomial $f_1, \dots, f_m$ by every monomial of degree $\le D - d$
     2. Linearize: apply (sparse) linear algebra to solve the extended system
     XL Complexity $= 3 \cdot \binom{n + d_{XL}}{d_{XL}}^2 \cdot \binom{n}{d}$ (for larger $q$; $d = 2$ for quadratic systems)
     2'. or Linearize and use an improved XL: many variants...

  15. XL Variants
     FXL: XL with $k$ variables guessed or "hybridized". With $k$ initial guesses / fixing / "hybridization":
       Complexity $= \min_{k} \; q^k \cdot 3 \cdot \binom{n - k + d_{XL}}{d_{XL}}^2 \cdot \binom{n - k}{d}$
     [generic method with the best asymptotic multiplicative complexity].
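An added example (my own code, not from the slides) that carries out the XL loop of slide 14 and the guessing step of FXL on this slide, on a constructed MQ instance over $\mathbb{F}_{31}$ with a planted solution. Assumptions and choices not on the slides: the Macaulay matrix is reduced with dense Gaussian elimination (real XL uses sparse solvers), columns are ordered so that pure powers of $x_n$ come last and the univariate polynomial in $x_n$ can be read off the echelon form, each root is substituted and the smaller system solved recursively, and if no univariate polynomial appears up to a degree cap the solver falls back to fixing $x_n$ by enumeration, which is precisely the FXL trade-off. xl_shape gives the row and column counts behind the $\binom{n + d_{XL}}{d_{XL}}$ factor of the complexity formula. All function names are mine.

```python
import itertools
import random
from math import comb, prod

q = 31  # constructed: a small prime field keeps the linear algebra below readable


def monomials(n, max_deg):
    """All exponent tuples in n variables of total degree <= max_deg."""
    return [e for e in itertools.product(range(max_deg + 1), repeat=n) if sum(e) <= max_deg]


def evaluate(f, x):  # f is a dict exponent-tuple -> coefficient in F_q
    return sum(c * prod(xi ** ei for xi, ei in zip(x, e)) for e, c in f.items()) % q


def mul_mono(f, t):  # multiply f by the monomial with exponent tuple t
    return {tuple(a + b for a, b in zip(e, t)): c for e, c in f.items()}


def substitute_last(f, a):
    """Fix the last variable to a: one variable fewer, zero terms dropped."""
    g = {}
    for e, c in f.items():
        g[e[:-1]] = (g.get(e[:-1], 0) + c * pow(a, e[-1], q)) % q
    return {e: c for e, c in g.items() if c}


def row_reduce(rows):
    """Reduced row echelon form over F_q (dense; real XL relies on sparse linear algebra)."""
    rows = [r[:] for r in rows]
    lead = 0
    for col in range(len(rows[0]) if rows else 0):
        piv = next((r for r in range(lead, len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        rows[lead], rows[piv] = rows[piv], rows[lead]
        inv = pow(rows[lead][col], -1, q)
        rows[lead] = [(v * inv) % q for v in rows[lead]]
        for r in range(len(rows)):
            if r != lead and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % q for a, b in zip(rows[r], rows[lead])]
        lead += 1
    return rows


def xl_shape(n, m, D):
    """XL Macaulay matrix at degree D on m quadratics: (rows, cols) = (m*C(n+D-2, D-2), C(n+D, D))."""
    return m * comb(n + D - 2, D - 2), comb(n + D, D)


def univariate_from_xl(polys, n, D):
    """eXtend to degree D and Linearize; return a nonzero polynomial in x_n alone if one falls out."""
    pure = lambda e: sum(e[:-1]) == 0                                   # only x_n (or the constant)
    cols = sorted(monomials(n, D), key=lambda e: (pure(e), -sum(e)))    # pure powers of x_n last
    rows = []
    for f in polys:
        for t in monomials(n, D - max((sum(e) for e in f), default=0)):  # all t with deg(t*f) <= D
            g = mul_mono(f, t)
            rows.append([g.get(e, 0) for e in cols])
    first_pure = next(i for i, e in enumerate(cols) if pure(e))
    for row in row_reduce(rows):
        lead = next((i for i, c in enumerate(row) if c), None)
        if lead is not None and lead >= first_pure:  # row lives entirely in the x_n-only columns
            return {cols[i][-1]: row[i] for i in range(lead, len(cols)) if row[i]}
    return None


def xl_solve(polys, n, max_D=4):
    """All solutions in F_q^n: raise D until XL yields a univariate in x_n, substitute each root, recurse."""
    if n == 0:
        return [[]] if all(not f for f in polys) else []
    candidates = range(q)  # fallback if no univariate appears by max_D: fix x_n by guessing (FXL idea)
    for D in range(2, max_D + 1):
        uni = univariate_from_xl(polys, n, D)
        if uni is not None:
            candidates = [a for a in range(q) if sum(c * pow(a, k, q) for k, c in uni.items()) % q == 0]
            break
    sols = []
    for a in candidates:
        sols += [s + [a] for s in xl_solve([substitute_last(f, a) for f in polys], n - 1, max_D)]
    return sols


def fxl_solve(polys, n, k, max_D=4):
    """FXL: guess the last k variables, run XL on the other n - k; q^k times the cost of a smaller XL."""
    sols = []
    for guess in itertools.product(range(q), repeat=k):
        reduced = polys
        for a in reversed(guess):
            reduced = [substitute_last(f, a) for f in reduced]
        sols += [s + list(guess) for s in xl_solve(reduced, n - k, max_D)]
    return sols


def demo(seed=5, n=3, m=6, k=1):
    """Constructed instance: random quadratics with constants fixed so a planted x* is a solution."""
    rng = random.Random(seed)
    planted = [rng.randrange(q) for _ in range(n)]
    polys = []
    for _ in range(m):
        f = {e: rng.randrange(q) for e in monomials(n, 2) if sum(e) > 0}
        f[(0,) * n] = (-evaluate(f, planted)) % q
        polys.append({e: c for e, c in f.items() if c})
    sols = xl_solve(polys, n)
    consistent = all(evaluate(f, s) == 0 for s in sols for f in polys)
    return planted in sols, sorted(sols) == sorted(fxl_solve(polys, n, k)), consistent
```

The instance is deliberately tiny; the point is the shape of the computation, not its speed. Each guess in fxl_solve shrinks both the row count and the column count of the Macaulay matrix, which is why the FXL complexity takes a minimum over $k$: the $q^k$ factor buys a smaller $\binom{n - k + d_{XL}}{d_{XL}}$ and often a smaller $d_{XL}$.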

  17. XL Variants
     FXL: XL with $k$ variables guessed or "hybridized"
     XL':
       1. eXtend: multiply each polynomial $f_1, \dots, f_m$ by monomials, up to total degree $\le D$
       2. Linearize: apply linear algebra to eliminate all monomials involving the first $k$ variables (and get at least $n - k$ such equations).
       3. Enumerate over the remaining $n - k$ variables.
     XL2 (simplified $F_4$):
       1. eXtend: multiply each polynomial $f_1, \dots, f_m$ by monomials, up to total degree $\le D$
       2. Linearize: apply linear algebra to eliminate top-level monomials
       3. Multiply the degree $D - 1$ equations by variables, eliminate again.
