
Supposedly Hard Problems In Multivariate Cryptography (Charles Bouillaguet)

Supposedly Hard Problems In Multivariate Cryptography. Charles Bouillaguet, Université de Versailles Saint-Quentin, Versailles, France. Séminaire CARAMEL, 20 January 2012. Sections: Introduction, The MQ Problem, Polynomial Equivalence Problems.


  1. Supposedly Hard Problems In Multivariate Cryptography. Charles Bouillaguet, Université de Versailles Saint-Quentin, Versailles, France. Séminaire CARAMEL, 20 January 2012

  2. The Hard Problem Underlying Multivariate Cryptography
     ◮ RSA Encryption: $y = x^e \bmod N$, with $x, y \in \mathbb{Z}/N\mathbb{Z}$
     ◮ Multivariate Quadratic Encryption:
       $$\begin{aligned}
       y_1 &= x_1^2 + x_1 x_3 + x_2 x_3 + x_2 x_4 + x_3^2 + x_3 x_4 + 1 \\
       y_2 &= x_1^2 + x_1 x_2 + x_1 x_3 + x_2^2 + x_2 x_4 + x_3^2 + x_4^2 + 1 \\
       y_3 &= x_1 x_2 + x_1 x_4 + x_2 x_3 + x_2 x_4 + x_3^2 + x_3 x_4 + x_4^2 \\
       y_4 &= x_1 x_2 + x_1 x_3 + x_2^2 + x_2 x_3 + x_3 x_4
       \end{aligned}$$
       with $x, y \in (\mathbb{F}_q)^n$
     Rationale: Solving MQ polynomial systems is NP-hard over any field

  3. Multivariate Quadratic Trapdoor One-Way Functions
     A trapdoor must be embedded in the equations
     A Common Construction: Obfuscation
       1. Non-linear function $\psi : (\mathbb{F}_q)^n \to (\mathbb{F}_q)^n$
          ◮ easily invertible, sometimes public (as in SFLASH)
       2. Express it as multivariate polynomials over $(\mathbb{F}_q)^n$
       3. Obfuscate $\psi$: compose with secret matrices $S$ and $T$
       4. $PK = T \circ \psi \circ S$ (the obfuscated representation of $\psi$)


  6. Multivariate Quadratic Trapdoor One-Way Functions: Is it Secure?
       1. Public-key must be one-way
          ◮ Even though $\psi$ is not
          ◮ Hardness of (a special case of) MQ
       2. Retrieving $S$ and $T$ must be (very) hard
          ◮ Hardness of Polynomial Linear Equivalence
     [Diagram: ciphertext and plaintext, with the two directions marked ✓ and ✗]


  8. Examples of Constructions
       1. C*: $\psi(X) = X^{1+q^\theta}$ over $\mathbb{F}_{q^n}$, but quadratic over $(\mathbb{F}_q)^n$
       2. SFLASH (truncated C*)
       3. Hidden Matrix: $\psi(M) = M^2$, with $M = \begin{pmatrix} x_{11} & \cdots & x_{1n} \\ \vdots & \ddots & \vdots \\ x_{n1} & \cdots & x_{nn} \end{pmatrix}$
       4. Tractable Rational Maps Signatures
       5. Multivariate Quadratic Quasigroups
       6. ℓ-IC signatures
       7. ...


  14. The Golden Age of Multivariate Cryptography: 1996–2007
      [Timeline figure; axis marks 1995, 2000, 2005, 2010; event labels not recoverable from the extraction]


  17. Examples of Constructions
       1. C* [Broken in 1995!]: $\psi(X) = X^{1+q^\theta}$ over $\mathbb{F}_{q^n}$, but quadratic over $(\mathbb{F}_q)^n$
       2. SFLASH (truncated C*) [Broken in 2007!]
       3. Hidden Matrix [Broken in 2010!]: $\psi(M) = M^2$, with $M = \begin{pmatrix} x_{11} & \cdots & x_{1n} \\ \vdots & \ddots & \vdots \\ x_{n1} & \cdots & x_{nn} \end{pmatrix}$
       4. Tractable Rational Maps Signatures [Broken in 2004!]
       5. Multivariate Quadratic Quasigroups [Broken in 2009]
       6. ℓ-IC signatures [Broken in 2009]
       7. ... [They are all broken]

  18. Why this Fiasco?
      Problems with MQ: the case of HFE
        ◮ MQ equations much easier to solve than random ones with Gröbner basis algorithms (subexponential)
        ◮ Problem: non-random MQ instances
          ◮ consequence of the structure of the trapdoor
        ◮ Secure parameters exist though.
      Problems with PLE: the case of SFLASH
        ◮ non-linear function $\psi(X) = X^{1+q^\theta}$ is special
        ◮ Ad hoc algorithms solve these particular PLE instances in PTIME
        ◮ Problem: non-random PLE instances
          ◮ consequence of the structure of the trapdoor


  20. Two Options
      Option A
        1. Pick your favorite multivariate scheme
        2. Study the particular MQ and PLE instances it defines
        3. Design special algorithms for the scheme
        → If you break schemes, you're a dangerous cryptanalyst!
      Option B
        1. Study MQ and PLE in general (random instances)
        2. Design generic algorithms that always work
        3. Necessarily less efficient than their specialized counterparts
        → Are you a harmless computer scientist?
      I'm not completely harmless
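
The obfuscation construction from slide 3 (PK = T ∘ ψ ∘ S), instantiated with the C* map ψ(X) = X^(1+q^θ) from the list of constructions, as an added example that is not code from the talk. The parameters q = 2, n = 5, θ = 1, the field polynomial and the matrices S and T are assumptions chosen to keep the instance tiny; C* is listed above as broken, so this only illustrates the structure.

```python
import math
from functools import reduce
# Toy parameters (assumed): q = 2, n = 5, F_32 = F_2[t]/(t^5 + t^2 + 1).
N, THETA, MOD = 5, 1, 0b100101
E = 1 + 2**THETA                     # C* exponent 1 + q^theta
assert math.gcd(E, 2**N - 1) == 1    # psi is a bijection only when this holds
E_INV = pow(E, -1, 2**N - 1)         # trapdoor: psi^-1(Y) = Y^E_INV

def gf_mul(a, b):                    # product in F_32, elements are 5-bit ints
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= MOD
    return r

def gf_pow(a, e):
    return reduce(lambda r, _: gf_mul(r, a), range(e), 1)

def apply(m, x):                     # matrix (row bitmasks) times vector over F_2
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(m))

def invert(m):                       # Gauss-Jordan on [M | I] over F_2
    rows = [(row << N) | (1 << i) for i, row in enumerate(m)]
    for col in range(N):
        piv = next(r for r in range(col, N) if rows[r] >> (N + col) & 1)
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(N):
            if r != col and rows[r] >> (N + col) & 1:
                rows[r] ^= rows[col]
    return [row & (2**N - 1) for row in rows]

# Constructed secrets: triangular with unit diagonal, hence invertible.
S = [0b00001, 0b00011, 0b00110, 0b01101, 0b11010]
T = [0b10111, 0b01010, 0b11100, 0b01000, 0b10000]
S_INV, T_INV = invert(S), invert(T)

def public_map(x):                   # PK = T o psi o S
    return apply(T, gf_pow(apply(S, x), E))
def invert_with_trapdoor(y):         # S^-1 o psi^-1 o T^-1
    return apply(S_INV, gf_pow(apply(T_INV, y), E_INV))

def is_quadratic(table):             # degree <= 2 iff D_a D_b f is constant in x
    pts = range(2**N)
    return all(table[x ^ a ^ b] ^ table[x ^ a] ^ table[x ^ b] ^ table[x]
               == table[a ^ b] ^ table[a] ^ table[b] ^ table[0]
               for a in pts for b in pts for x in pts)
```

Passing the value table of `public_map` to `is_quadratic` confirms the public key has degree 2 over F_2, while the table of X ↦ X^E_INV fails the check: the inverse exponent 21 has binary weight 3, so ψ⁻¹ is cubic.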
