The SimpleMatrix Encryption scheme Jintai Ding, Albrecht Petzoldt, - PowerPoint PPT Presentation

Multivariate Cryptography The basic Scheme Improvements Parameters The SimpleMatrix Encryption scheme Jintai Ding, Albrecht Petzoldt, Lih-Chung Wang DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Rutgers University, New Jersey, USA 15.01.2015

Multivariate Cryptography The basic Scheme Improvements Parameters Outline 1 Multivariate Cryptography 2 The Simple Matrix Encryption Scheme 3 Improvements Decreasing the probability of decryption failures 1 Increasing the security of the scheme 2 Reducing the blow up factor between plain and ciphertext size 3 4 Parameters 5 Conclusion

Multivariate Cryptography The basic Scheme Improvements Parameters Multivariate Cryptography n n n p (1) p (1) · x i + p (1) p (1) ( x 1 , . . . , x n ) = � � � · x i x j + ij i 0 i =1 j = i i =1 n n n p (2) p (2) · x i + p (2) p (2) ( x 1 , . . . , x n ) = � � � · x i x j + ij i 0 i =1 j = i i =1 . . . n n n p ( m ) p ( m ) · x i + p ( m ) p ( m ) ( x 1 , . . . , x n ) = � � � · x i x j + ij i 0 i =1 j = i i =1 The security of multivariate schemes is based on the Problem MQ : Given m multivariate quadratic polynomials p (1) ( x ) , . . . , p ( m ) ( x ), find a vector ¯ x = (¯ x 1 , . . . , ¯ x n ) such that p (1) (¯ x ) = . . . = p ( m ) (¯ x ) = 0.

Multivariate Cryptography The basic Scheme Improvements Parameters Multivariate Cryptography (2) Advantages Resistant against attacks with quantum computers Very fast Modest computational requirements ⇒ can be implemented on low cost devices

Multivariate Cryptography The basic Scheme Improvements Parameters Multivariate Cryptography (3) Drawbacks Relatively young field of research ⇒ Security is not so well understood No explicit parameter choices to meet given security levels known Large size of the public and private keys Many practical signature schemes (UOV, Rainbow, HFEv-, . . . ), but hardly any efficient and secure encryption schemes

Multivariate Cryptography The basic Scheme Improvements Parameters Multivariate Cryptography (4) Construction Easily invertible quadratic map F : F n → F m Two invertible affine (or linear) maps S : F m → F m and T : F n → F n Public key : P = S ◦ F ◦ T supposed to look like a random system Private key : S , F , T allows to invert the public key

Multivariate Cryptography The basic Scheme Improvements Parameters Multivariate Cryptography (5) Encryption Schemes P ✲ d ∈ F n c ∈ F m ✻ T − 1 S − 1 ❄ ✛ F − 1 y ∈ F n z ∈ F m Encryption : Given: message d ∈ F n . Compute c = P ( d ) ∈ F m . Decryption : Given c ∈ F m . Compute recursively z = S − 1 ( c ), y = F − 1 ( z ) and d = T − 1 ( y ).

Multivariate Cryptography The basic Scheme Improvements Parameters Key Generation Three s × s matrices A , B and C   x 1 ... x s b 1 ... b s c 1 ... c s � � � � . . . . . .  , C = A = . . , B = . . . . . . . . . . .  x ( s − 1) · s +1 ... x n c ( s − 1) · s +1 ... c n b ( s − 1) · s +1 ... b n b 1 , . . . , b n and c 1 , . . . , c n : randomly chosen linear combinations of x 1 , . . . , x n . E 1 = A · B , E 2 = A · C . central map F : m components of E 1 and E 2 . Public key : P = S ◦ F ◦ T : F n → F m Private key : B , C , S and T .

Multivariate Cryptography The basic Scheme Improvements Parameters Encryption Given: message d ∈ F n . Compute c = P ( d ) ∈ F m .

Multivariate Cryptography The basic Scheme Improvements Parameters Decryption Given: ciphertext c ∈ F m . Step 1. Compute z = S − 1 ( c ) and define z n +1 ... z n + s z 1 ... z s � � � � . . . . ¯ , ¯ E 1 = . . E 2 = . . . . . . . z ( s − 1) · s +1 ... z n z n +( s − 1) · s +1 ... z m

Multivariate Cryptography The basic Scheme Improvements Parameters Decryption (cont.) Step 2. Find a vector y = ( y 1 , . . . , y n ) such that F ( y ) = z . Assume ¯ A = A ( y ) to be invertible A − 1 · ¯ A − 1 · ¯ Consider the relations ¯ E 1 − B = 0 and ¯ E 2 − C = 0. A − 1 as new variables w 1 , . . . , w n ⇒ Interpret the elements of ¯ m linear equations in the m variables w 1 , . . . , w n , y 1 , . . . , y n . Step 3. Compute the plaintext by d = T − 1 ( y 1 , . . . , y n ). The linear systems in step 2 of the decryption process often have multiple solutions. In this case one has to test which of the possible plaintexts corresponds to the given ciphertext.

Multivariate Cryptography The basic Scheme Improvements Parameters Decryption failure rate If the matrix ¯ A from step 2 of the encryption process is not invertible, there occurs a decryption failure. A not invertible ) = 1 − (1 − 1 q s − 1 ) · · · (1 − 1 1 q ) ≈ 1 pr (¯ q s )(1 − q . ⇒ pr ( decryption failure ) ≈ 1 q

Multivariate Cryptography The basic Scheme Improvements Parameters Improvements 1 Decreasing the probability of decryption failures ⇒ Rectangular Simple Matrix 2 Increasing the security of the scheme further ⇒ Cubic Simple Matrix 3 Reducing the blow up factor between plain and ciphertext size ⇒ Triangular Simple Matrix (work in progress)

Multivariate Cryptography The basic Scheme Improvements Parameters Decreasing the probability of decryption failures ⇒ Rectangular Simple Matrix Parameters: finite field F with q elements integers n , r , s , u with r ≤ s set m = 2 · su

Multivariate Cryptography The basic Scheme Improvements Parameters Key Generation Three rectangular matrices A , B and C of the form a 11 a 12 ... a 1 s b 11 b 12 ... b 1 u c 11 c 12 ... c 1 u       a 21 a 22 ... a 2 s c 21 c 22 ... c 2 u b 21 b 22 ... b 2 u  , B =  , C =  . . . . ... . . . ... . . A = . . ... . . . . . . . .   . . .  . . . . . . a r 1 a r 2 ... a rs c s 1 c s 2 ... c su b s 1 b s 2 ... b su The elements a ij , b ij and c ij are randomly chosen linear combinations of x 1 , . . . , x n . E 1 = A · B , E 2 = A · C central map F : m components of E 1 and E 2 . Choose randomly two invertible linear maps S : F m → F m and T : F n → F n . Public key : P = S ◦ F ◦ T : F n → F m Private key : A , B , C , S and T .

Multivariate Cryptography The basic Scheme Improvements Parameters Encryption Given: message d ∈ F n . Compute c = P ( d ) ∈ F m .

Multivariate Cryptography The basic Scheme Improvements Parameters Decryption Given: ciphertext c ∈ F m . Step 1. Compute z = ( z 1 , z 2 , . . . , z m ) = S − 1 ( c ) and set z 1 z 2 z u   ... z u +1 z u +2 ... z 2 u ¯  ∈ F s × u ; . . ... . E 1 = . . .  . . . z ( s − 1) u +1 z ( s − 1) u +2 ... z su z su +1 z su +2 ... z ( s +1) · u   z ( s +1) · u z ( s +1) · u +2 ... z ( s +3) · u ¯  ∈ F s × u . E 2 = . . . ...   . . .  . . . z (2 s − 1) · u +1 z (2 s − 1) · u +2 ... z 2 su

Multivariate Cryptography The basic Scheme Improvements Parameters Decryption (cont.) Step 2. Find y ∈ F n such that F ( y ) = z . Set ¯ A = A ( y ). A ) = r ⇒ ∃ W ∈ F r × s with W · ¯ Rank (¯ A = I . Consider the relations W · ¯ E 1 = B and W · ¯ E 2 = C . Interpret the elements of W as new variables w 1 , . . . w rs . ⇒ 2 ru linear equations in sr + n unknowns. ⇒ Eliminate the elements of W from the system ⇒ r · (2 u − s ) linear equations in the variables y 1 , y 2 , ..., y n ⇒ Substitute these equations into F ⇒ Quadratic system of m equations in a very small number of variables. ⇒ System can be solved by Relinearization

Multivariate Cryptography The basic Scheme Improvements Parameters Decryption (cont.) Step 3. Compute the plaintext by d = T − 1 ( y ).

Multivariate Cryptography The basic Scheme Improvements Parameters Probability of decryption failures Decryption failure occurs ⇔ Rank (¯ A ) < r A ) < r ) = 1 − (1 − 1 1 1 1 Pr ( Rank (¯ q s )(1 − q s − 1 ) · · · (1 − q s − r +1 ) ≈ q s − r +1 , ⇒ By choosing r and s in an appropriate way it is possible to decrease the probability of decryption failures to a negligible value.

Multivariate Cryptography The basic Scheme Improvements Parameters Reducing the probability of decryption failures Other methods use a public bijective map Q over the ring Z / q Z encrypt messages d and Q ( d ) ⇒ Pr ( decr . fails ) ≈ 1 q 2 use messages d of length n − 1 plus extra variable x ∈ F encrypt messages x 1 || d and x 2 || d ⇒ Pr ( decr . fails ) ≈ 1 q 2

Multivariate Cryptography The basic Scheme Improvements Parameters Increasing the security ⇒ Cubic Simple Matrix Parameters: finite field F with q elements integer s set n = s 2 and m = 2 · n

Multivariate Cryptography The basic Scheme Improvements Parameters Key Generation Three s × s matrices A , B and C   a 1 ... a s c 1 ... c s b 1 ... b s � � � � . . . . . .  , C = . . . . A = , B = . . . . . . . .  a ( s − 1) · s +1 ... a n c ( s − 1) · s +1 ... c n b ( s − 1) · s +1 ... b n a 1 , . . . , a n : random quadratic polynomials in x 1 , . . . , x n b 1 , . . . , b n and c 1 , . . . , c n : randomly chosen linear combinations of x 1 , . . . , x n . E 1 = A · B , E 2 = A · C . central map F : m components of E 1 and E 2 . Public key : P = S ◦ F ◦ T : F n → F m Private key : A , B , C , S and T .

Multivariate Cryptography The basic Scheme Improvements Parameters En- and Decryption just as for the original scheme.