Rainbow Jintai Ding, Ming-Shing Chen, Albrecht Petzoldt, Dieter - - PowerPoint PPT Presentation

rainbow
SMART_READER_LITE
LIVE PREVIEW

Rainbow Jintai Ding, Ming-Shing Chen, Albrecht Petzoldt, Dieter - - PowerPoint PPT Presentation

Sep 17, 2022 128 likes •339 views

Rainbow Jintai Ding, Ming-Shing Chen, Albrecht Petzoldt, Dieter Schmidt, Bo Yin Yang The 2nd NIST Standardization Conference for Post-Quantum Cryptosystems Santa Barbara, USA 22.09.2019 Jintai Ding NIST Standardization Conference 1 / 17

slide-1
SLIDE 1

Rainbow

Jintai Ding, Ming-Shing Chen, Albrecht Petzoldt, Dieter Schmidt, Bo Yin Yang The 2nd NIST Standardization Conference for Post-Quantum Cryptosystems Santa Barbara, USA 22.09.2019

Jintai Ding NIST Standardization Conference 1 / 17

slide-2
SLIDE 2

Multivariate Cryptography

MPKC: Multivariate Public Key Cryptosystem Public Key: System of nonlinear multivariate polynomials p(1)(x1, . . . , xn) =

n

  • i=1

n

  • j=i

p(1)

ij

· xixj +

n

  • i=1

p(1)

i

· xi + p(1) p(2)(x1, . . . , xn) =

n

  • i=1

n

  • j=i

p(2)

ij

· xixj +

n

  • i=1

p(2)

i

· xi + p(2) . . . p(m)(x1, . . . , xn) =

n

  • i=1

n

  • j=i

p(m)

ij

· xixj +

n

  • i=1

p(m)

i

· xi + p(m)

Jintai Ding NIST Standardization Conference 2 / 17

slide-3
SLIDE 3

Construction

Easily invertible quadratic map F : Fn → Fm Two invertible affine (or linear) maps S : Fm → Fm and T : Fn → Fn Public key: P = S ◦ F ◦ T supposed to look like a random system and S, T are used to protect F Private key: S, F, T allows to invert the public key

Jintai Ding NIST Standardization Conference 3 / 17

slide-4
SLIDE 4

Signature Schemes (m ≤ n)

Signature Generation w ∈ Fm

S−1 x ∈ Fm

F−1 y ∈ Fn

T −1 z ∈ Fn

P Signature Verification Signature Generation: Given a document d ∈ {0, 1}⋆, use a hash function H to compute w = H(d) ∈ Fm, compute recursively x = S−1(w) ∈ Fm, y = F−1(x) ∈ Fn and z = T −1(y). The signature of the message d is z ∈ Fn. Signature Verification: Given signature z ∈ Fn, hash value w ∈ Fm, compute w′ = P(z) ∈ Fm. If w′ = w holds, the signature is accepted,

  • therwise rejected.

Jintai Ding NIST Standardization Conference 4 / 17

slide-5
SLIDE 5

Unbalanced Oil-vinegar (UOV) schemes

The design of Rainbow is based on the UOV by Patarin etc invented in 1999. F = (f1(x1, .., xo, x′

1, ..., x′ v), · · · , fo(x1, .., xo, x′ 1, ..., x′ v)).

Jintai Ding NIST Standardization Conference 5 / 17

slide-6
SLIDE 6

Unbalanced Oil-vinegar (UOV) schemes

The design of Rainbow is based on the UOV by Patarin etc invented in 1999. F = (f1(x1, .., xo, x′

1, ..., x′ v), · · · , fo(x1, .., xo, x′ 1, ..., x′ v)).

fl(x1, ., xo, x′

1, ., x′ v) =

  • alijxix′

j +

  • blijx′

i x′ j +

  • clixi +
  • dlix′

i +el.

Oil variables: x1, ..., xo. Vinegar variables: x′

1, ..., x′ v.

Jintai Ding NIST Standardization Conference 5 / 17

slide-7
SLIDE 7

How to invert OV map?

fl(x1, ., xo, x′

1, ., x′ v fix the values

) =

  • alijxix′

j +

  • blijx′

i x′ j +

  • clixi +
  • dlix′

i + el.

Jintai Ding NIST Standardization Conference 6 / 17

slide-8
SLIDE 8

How to invert OV map?

fl(x1, ., xo, x′

1, ., x′ v) =

  • alijxix′

j +

  • blijx′

i x′ j +

  • clixi +
  • dlix′

i + el.

This implies high efficiency in signing since the main cost is to solve a small linear system.

Jintai Ding NIST Standardization Conference 7 / 17

slide-9
SLIDE 9

How to invert OV map?

fl(x1, ., xo, x′

1, ., x′ v) =

  • alijxix′

j +

  • blijx′

i x′ j +

  • clixi +
  • dlix′

i + el.

F: linear in Oil variables: x1, .., xo. = ⇒ OV map: easy to invert. This implies high efficiency in signing since the main cost is to solve a small linear system.

Jintai Ding NIST Standardization Conference 7 / 17

slide-10
SLIDE 10

The Rainbow Signature Scheme

finite field F with q elements, integers 0 < v1 < v2 < · · · < vu < vu+1 = n set Vi = {1, . . . , vi} and Oi = {vi + 1, . . . , vi+1} (i = 1, . . . , u) ⇒ |Vi| = vi, |Oi| = vi+1 − vi := oi central map F consists of m := n − v1 polynomials f (v1+1), . . . , f (n)

  • f the form

f (k)(x1, . . . , xn) =

  • i,j∈Vℓ

α(k)

ij xixj+

  • i∈Vℓ,j∈Oℓ

β(k)

ij xixj+

  • i∈Vℓ∪Oℓ

γ(k)

i

xi+δ(k), where ℓ is the only integer such that k ∈ Oℓ. two invertible affine maps S : Fm → Fm and T : Fn → Fn Public Key: P = S ◦ F ◦ T : Fn → Fm Private Key: S, F, T

Jintai Ding NIST Standardization Conference 8 / 17

slide-11
SLIDE 11

Signature Generation

Given a document d ∈ {0, 1}⋆ to be signed, perform the following steps

1 Use a hash function H : {0, 1}⋆ → Fm to compute w = H(d). 2 Compute x = S−1(w) ∈ Fm. 3 The Vinegar variables are substituted by random values into the

polynomials f (v1+1), . . . , f (n).

4 for I:=1 to u do Solve the linear system provided by f (vi+1), . . . f (vi+1)

to get the values of yvi+1, . . . , yvi+1 and substitute them into the polynomials f (vi+1+1), . . . , f (n).

5 Set y = (y1, . . . , yn) ∈ Fn. 6 Compute the signature z ∈ Fn by z = T −1(y). Jintai Ding NIST Standardization Conference 9 / 17

slide-12
SLIDE 12

Signature Verification

Given a document d ∈ {0, 1}⋆ and a signature z ∈ Fn, compute w′ = P(z) ∈ Fm and w = H(d) ∈ Fm. If w′ = w holds, the signature is accepted; otherwise it is rejected.

Jintai Ding NIST Standardization Conference 10 / 17

slide-13
SLIDE 13

Security Analysis of Rainbow

Generic MQ problem – NP-hard Direct attacks do not work ( as hard as generic problem) Simple structure – simple, easy to implement and well understood attacks Main attacks: Algebraic attack, OV attack, Rank attacks and RainbowBand Separation attacks Practical attacks match closely to theoretical estimates. No substantial but incremental update of Rainbow cryptanalysis since 2008

Jintai Ding NIST Standardization Conference 11 / 17

slide-14
SLIDE 14

Rainbow - Highlights

Solid history: UOV 1999 and Rainbow 2004 existentially unforgeable under chosen message attacks very efficient signature generation and verification (signature generation at least 20 times faster than that of all competitors) easy to implement and naturally resist passive side channel attacks very short signatures ( 48 bytes for Level I, II) but relatively large PK size accepted as a 2nd round candidate for the NIST standardization process of post-quantum cryptosystems

Jintai Ding NIST Standardization Conference 12 / 17

slide-15
SLIDE 15

Changes to the first round submission

Reduction of the number of parameter sets We now have three parameter sets

◮ (GF(16),32,32,32) for NIST security category I and II, ◮ (GF(256),68,36,36) for NIST security category III and IV and ◮ (GF(256),92,48,48) for the NIST security category V and VI.

Inclusion of two other modes

◮ cyclic Rainbow

⇒ Reduction of the public key size by up to 70 %

◮ compressed Rainbow

⇒ Reduction of the public key size by up to 70 % ⇒ Private key is stored as a 64B seed ⇒ Slower signature generation and verification process

Jintai Ding NIST Standardization Conference 13 / 17

slide-16
SLIDE 16

Changes to the first round submission (2)

Speed up of the Key Generation algorithm

◮ use of homogeneous keys ◮ use of specially designed maps S and T (equivalent keys)

S =

  • 1o1×o1

S′

  • 1×o2

0o2×o1 1o2×o2

  • ,

T =    1v1×v1 T (1)

v1×o1

T (2)

v1×o2

0o1×v1 1o1×o1 T (3)

  • 1×o2

0o2×v1 0o2×o1 1o2×o2    ⇒ Key Generation can be performed using matrix vector products ⇒ Significant speed up of the key generation process

Jintai Ding NIST Standardization Conference 14 / 17

slide-17
SLIDE 17

Key Sizes

NIST security standard Rainbow cyclic Rainbow compressed Rainbow category |pk|KB |sk|KB |pk|KB |sk|KB |pk|KB |sk| I/II 149.0 93.0 58.1 93.0 58.1 64B III/IV 710.6 511.4 206.7 511.4 206.7 64B V/VI 1,705.5 1,227.1 491.9 1,227.1 491.9 64B Signature sizes: 48B, 140B, 184B

Jintai Ding NIST Standardization Conference 15 / 17

slide-18
SLIDE 18

Jintai Ding NIST Standardization Conference 16 / 17

slide-19
SLIDE 19

The End Thank you for your attention Questions?

Jintai Ding NIST Standardization Conference 17 / 17