A Survey on the Algebraic Surface Cryptosystems
-
Upload
vincent-cabrera -
Category
Documents
-
view
24 -
download
2
description
Transcript of A Survey on the Algebraic Surface Cryptosystems
Copyright 2012, Toshiba Corporation.
A Survey on the Algebraic Surface Cryptosystems
Koichiro Akiyama ( TOSHIBA Corporation )Joint work with Prof. Yasuhiro Goto
2013/03/02
2
Contents
1. Introduction
Public key cryptosystem, Motivation
2. Section Finding ProblemA Computational Hard Problem on Algebraic Surface
3. Algebraic Surface Public-key CryptosystemEncryption/Decryption/Key Generation Algorithms
4. Known Attacks- Rational Point Attack
- Ideal Factorization Attack
5. Conclusion and Future Research
A Survey on the Algebraic Surface Cryptosystems
3
Contents
1. Introduction
Public key cryptosystem, Motivation
2. Section Finding ProblemA Computational Hard Problem on Algebraic Surface
3. Algebraic Surface Public-key CryptosystemEncryption/Decryption/Key Generation Algorithms
4. Known Attacks- Rational Point Attack
- Ideal Factorization Attack
5. Conclusion and Future Research
A Survey on the Algebraic Surface Cryptosystems
4
sHueLjOl8k7sHueLjOl8k7
Public key Cryptosystem ( Concept )
B’s Public Key
Ex. Integer Factorization
ComputationalHard Problem
Security of public key cryptosystem relies on thethe problem which is hard to compute.
Hello World
B’s Secret Key
Hello World
SenderA
ReceiverB
A Survey on the Algebraic Surface Cryptosystems
5
Motivation
• Want to construct public-key cryptosystems having following features– Resistant against known attacks by quantum computer.
( Not based on the factorization or discrete logarithm problems. )
– Fast in process time & compact in size.
– Based on a hard problem in algebraic geometry.
Our target is an algebraic surface
A Survey on the Algebraic Surface Cryptosystems
6
Comparison with other cryptosystems
RSAElliptic CurveCryptosystem
MultivariateCryptosystems
Fast & compact
Algebraic SurfaceCryptosystem
(1) Short Public key(2) Higher Dimensional
Equations
)( 3nOPublic key sizePublic key size )(nO
n: number of valuables
higher degree (>3) equations Quadratic equations
A Survey on the Algebraic Surface Cryptosystems
7
Easy for Quantum Computer
DesignEncryptionAlgorithm
Next talk
Construction for Public Key Cryptosystem
Selection ofHard
ProblemCall for Attack
Sta
rt
Definethe secure parameters
ElementaryAlgorithm
OptimizedAlgorithms
Practicalimplementation
ImprovementAttack Success!
Security Proof
Size of the parameterH
ardness
Security requirement
RSA Cryptosystem
N pq
,p q
Factoring Problem
EasyHard
Algebraic Surface Cryptosystem
Hard even for Quantum Computer
Easy
Section
Hard
The Section Finding Problem
AlgebraicSurface
(mod )em N m fs Xr
Secure parameter
A Survey on the Algebraic Surface Cryptosystems
8
Contents
1. Introduction
Public key cryptosystem, Motivation
2. Section Finding ProblemA Computational Hard Problem on Algebraic Surface
3. Algebraic Surface Public-key CryptosystemEncryption/Decryption/Key Generation Algorithms
4. Known Attacks- Rational Point Attack
- Ideal Factorization Attack
5. Conclusion and Future Research
A Survey on the Algebraic Surface Cryptosystems
9
Algebraic Surface
X
0552),,( 3435 tyttxytxxyytyxX
An algebraic surface (we use) is a 2-dimensional affine algebraic variety with fibration.
We consider algebraic surfaces defined over a finite field .qF
where is small enough to calculate, but need not be 2. )( qFchar
qF
A Survey on the Algebraic Surface Cryptosystems
10
Section Finding Problem ( SFP )
X
1D
2D3D
3 2 3 3 2( , , ) 3 ( 1)2 4 3 1 0X x y t tx y t xy t x y tx Algebraic Surface
( ( ), ( ), ) 0x yX u t u t t
( , , ) 0X x y t Algebraic Surface
( , , ) ( ( ), ( ), )x yx y t u t u t tsection
hard easy
A Survey on the Algebraic Surface Cryptosystems
11
General Solution of SFP
0101 )()( tttutttu ddy
ddx
To solve the SFP, we put the section as follows:
( are variables )dd ,,,,, 1010
Ikji
kjy
ixijkyx ttututtutuX
),,(
)()()),(),((
0),,,,,(0
00
hd
r
hdh tc
The SFP is reduced to multivariable equations
0),,,,,(
0),,,,,(
00
000
ddr
dd
c
c
}0|)max{(0
kji
uijk tyxkdjir
ijk
Substitute into , we obtain
0),,( tyxX( ), ( )x yu t u t
A Survey on the Algebraic Surface Cryptosystems
12
Contents
1. Introduction
Public key cryptosystem, Motivation
2. Section Finding ProblemA Computational Hard Problem on Algebraic Surface
3. Algebraic Surface Public-key CryptosystemEncryption/Decryption/Key Generation Algorithms
4. Known Attacks- Rational Point Attack
- Ideal Factorization Attack
5. Conclusion and Future Research
A Survey on the Algebraic Surface Cryptosystems
13
( are given )
Keys
1. System parameters– Size of finite field : prime
– Degree of section :
2. Public key– Algebraic surface
– Form of the plaintext polynomial
– Form of the divisor polynomial
3. Secret key– Section
pF p
deg ( ) deg ( ) x yd u t u t
( , )
( , , ) ( ) (mod )X
i jij
i j
X x y t c t x y p
( , , ) ( ( ), ( ), ) (mod )x yx y t u t u t t p
(example) 5p
( , )
( , , ) ( ) (mod )m
i jij
i j
m x y t m t x y p
( , )
( , , ) ( ) (mod )f
i jij
i j
f x y t f t x y p
,deg ( )m ijm t( are given )
,deg ( )f ijf t
* * *deg ( , , ) deg ( , , ) deg ( , , ) X x y t m x y t f x y t
A Survey on the Algebraic Surface Cryptosystems
* { , , } x y t
14
Form of the plaintext polynomial
( , )
( , , ) ( ) (mod )m
i jij
i j
m x y t m t x y p
m
For example,
{(3,0), (1,2), (0,0)}m
( ( , ) )mi j and deg ( )ijm t
30 12 00deg ( ) 2,deg ( ) 1,deg ( ) 0m t m t m t
Form described the formula as fllows:2 3 2( , , ) ( ) ( )m x y t t t x t xy
indicates an element of pF
are designated.
A Survey on the Algebraic Surface Cryptosystems
15
plaintext m embedded to m(x,y,t)
2 3 2( , , ) ( ) ( )m x y t t t x t xy
2FIn the case of(2)(101101)m
2 3 2( , , ) ( 1) 1m x y t t x txy
5FIn the case of plaintext must be divided into 2bits block
(2)(10 |11| 01|10 | 00 |10)m2 3 2( , , ) (2 3 1) 2 2m x y t t t x txy
So the plaintext described as
Therefore m embedded to m(x,y,t) as coefficients
A Survey on the Algebraic Surface Cryptosystems
16
Encryption
Random polynomial
( , , ), ( , , ) ( 1,2)i is x y t r x y t i Divisor polynomial
( , , )f x y t
),,( tyxX
Public Key : algebraic surface
Randomize( operations )
message M
embed
Message poly. ( , , )m x y t
1
2
1 1
2 2
( , , ) ( , , ) ( , , ) ( , , ) ( , , ) ( , , )
( , , ) ( , , ) ( , , ) ( , , ) ( , , ) ( , , )
F x y t m x y t f x y t x y t X x y t x y t
F x y t m x y t f x y t x y t X
s r
s x y t x y tr
Cipher text
A Survey on the Algebraic Surface Cryptosystems
17
Decryption
( ( ), ( ), )x yf u t u t t
: ( , , ) ( ( ), ( ), )x yD x y t u t u t tSecret key: Section
1 1 1( , , ( , , )) (( , , ) , ( , , ) ( , ,, ))F x y t s X x y tx y t rm x y xt f x y t y t
message polynomial( ( ), ( ), )x ym u t u t t
Cipher
1 2{ (( ( ( ), ( ), ) ( ( ), ( ), )) ) }, ( ),x x y x yy s u t uf u t u t t t t s v t v t t
factoring
Section substitute
message M
Public key
Plaintext Random
2 2 2( , , ( , , )) (( , , ) , ( , , ) ( , ,, ))F x y t s X x y tx y t rm x y xt f x y t y t
1( ( ), ( ), ) ( ( ), ( ), ) ( ( ), ( ), )x y x y x ym u t u t t f u t u s u t u tt t t
2( ( ), ( ), ) ( ( ), ( ), ) ( ( ), ( ), )x y x y x ym u t u t t f u t u s u t u tt t t
Solve linear equations
Random
A Survey on the Algebraic Surface Cryptosystems
18
Key generation
( , ) (0,0)00( , , ) (( ) 0)
X
i jij
i j
c t cX x y xt ty
Public key: algebraic surface
( )ijc t ( , ) (0,0)Xi j
Coefficients other than constant term
( , , ) ( ( ), ( ), )x yx y t u t u t tSecret key : section
Select randomly Select randomly
( , ) (0,0)00 ( ) ( ) ( )( )
X
i jij x y
i j
c tc t u t u t
Calculate the constant term
A Survey on the Algebraic Surface Cryptosystems
19
Contents
1. Introduction
Public key cryptosystem, Motivation
2. Section Finding ProblemA Computational Hard Problem on Algebraic Surface
3. Algebraic Surface Public-key CryptosystemEncryption/Decryption/Key Generation Algorithms
4. Known Attacks- Rational Point Attack
- Ideal Factorization Attack
5. Conclusion and Future Research
A Survey on the Algebraic Surface Cryptosystems
20
Rational point attack ( 1 )
11 1( ,( , , ) ( ,( , , ) ,, ) ( , ( , , ), ))sF x y t X x ym x x y t ry t f x y t x tt y
22 2( ,( , , ) ( ,( , , ) ,, ) ( , ( , , ), ))sF x y t X x ym x x y t ry t f x y t x tt y
( , , )F x y t ( , , )( , ( , )) , ( , ,, )f s x y t r xX x yt ty yx t
1 2( , , ) ( , , ) ( , , )s x y t s x y t s x y t 1 2( , , ) ( , , ) ( , , )r x y t r x y t r x y t
where1 2( , , ) ( , , ) ( , , )F x y t F x y t F x y t
subtractRemove the plaintextpolynomial
A Survey on the Algebraic Surface Cryptosystems
21
Rational point attack ( 2 )
( , , )F x y t ( , , )( , ( , )) , ( , ,, )f s x y t r xX x yt ty yx t
substitution
( , , )
( , ,( , , ) )g
i j kn n n ijk n n n
in
j kn ng x y t g x y t F x y t
( , , )
( , , ) ( )g
i j kijk ijk p
i j k
g x y t g x y t g F
=construct
( , , )g x y t
SolveLinear Equation
factoring (( ), ,, ,)sf xt yy txextra
ct( , , )f x y t
Success!
( , , )n n nx y t, )(( 0, )n n nX x y t
rational points
A Survey on the Algebraic Surface Cryptosystems
22
Rational point attack ( 3 )
11 1( ,( , , ) ( , , ) ( ,( , , ) ( , , )) ,, )sF x y t f x y t X x ym x y t rx t tt xy y
=( , , )
( , , )m
i j kijk
i j k
m x y t m x y t
( )ijk pf F
=
1( , , )
( , , )s
i j kijk
i j k
s x y t s x y t
( )ijk ps F
substitution
( , , ( , )) ,
( , , ) ( , , )sm
i jn n n
i j kijk n n n
i j
kijk n n n
in
jn
kn
k
sf x y t F x y tt yx xm y t
reconstruct
( , , )m x y t
Solve linear equations
( , , )n n nx y t, )(( 0, )n n nX x y t
rational points
A Survey on the Algebraic Surface Cryptosystems
23
which is in the same form of and satisfy .
0 0( ( , , ))g g x y t
0 0F g Xr 0r
f
r
If is a solution, there exists polynomial
For arbitrary which is in the same form of ,f
We can avoid the attack, when we select the form of which has enough polynomials not to be able to identify the correct one.
f
Counter measure against RPA
( , , )F x y t ( , , )( , ( , )) , ( , ,, )f s x y t r xX x yt ty yx t
( , , )g x y t
=
( , , )g x y t (( ), ,, ,)rX xt yy txand are in the same form
0 00 0( ( ))F g XXr rrg X r
This is also another solution
A Survey on the Algebraic Surface Cryptosystems
24
Ideal factorization attack
( ,( , , ) ( , ,( , , ) ( , , ), ) ( , ), ) ii isF x y t X x ym x x y t ry t f x y t x tt y ( 1,2)i
Cipher text
1 2 1 2( , )F F X I I Ideal Factoring
where 2 11 2( , )), ( ,II sX s Xf
1 2 1( , , ) ( , , )J F F I XmX f ( )
( , ) 0
( ) ( ) 0
mij
m
di j k
Jk
ki
jj
i JmNF NF x y tm
Solve Linear Eq.
( , , )m x y t
A Survey on the Algebraic Surface Cryptosystems
25
Sequence of events on ASCJan 2004 1st version was proposed in domestic conference
May 2006 1st version was presented
in international conference PQC2006 Jintai Ding pointed out a flaw in our system
Oct 2006 2nd version was presented in AMS conference.
. Jan 2007 Shigenori Uchiyama proposed an attack against 2nd version
. Apr 2007 Felipe Voloch proposed another attack against 2nd version
Jan 2008 3rd version was proposed in domestic conference.
Mar 2009 3rd was presented
in international conference PKC2009May 2010 Jean-Charles Faugere( INRIA )
proposed an attack against 3rd version.Now We are preparing 4th version
whose security is equivalent to SFP.
A Survey on the Algebraic Surface Cryptosystems
26
Contents
1. Introduction
Public key cryptosystem, Motivation
2. Section Finding ProblemA Computational Hard Problem on Algebraic Surface
3. Algebraic Surface Public-key CryptosystemEncryption/Decryption/Key Generation Algorithms
4. Known Attacks- Rational Point Attack
- Ideal Factorization Attack
5. Conclusion and Future Research
A Survey on the Algebraic Surface Cryptosystems
27
Conclusions
• We showed a new type of public-key cryptosystem using an algebraic surface.– We showed the algorithm for encryption, decryption and key
generation.
• Our contributions are– The public key size is O(n).
– Our cryptosystem is associated higher general equations than multivariate cryptosystems. ( contains equation which degree is more than 3)
A Survey on the Algebraic Surface Cryptosystems
28
Next Talk
• Construct a secure algorithm– We try to construct a provable secure cryptosystem
• Determine the recommendable parameter size – We developed an efficient algorithm to solve the SFP.
– Now we estimate computational complexity by computational experimentation.
Open Problems
( , , ) ( , , ) ( , , ) ( , , ) ( , , ) ( , , )F x y t m x y t f x y t s x y t X x y t r x y t
A Survey on the Algebraic Surface Cryptosystems
29The Algebraic Surface Cryptosystem and its security