An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces
description
Transcript of An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces
© 2013 Toshiba Corporation
An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces
Chiho Mihara (TOSHIBA Corp.)
2013/03/02
2© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
Main talk
3© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
4© 2013 Toshiba Corporation
Given , find such that
1. Section Finding Problem (SFP)Security of Algebraic Surface Cryptosystems(ASC) is based on the difficulty of Section Finding Problem(SFP)
Section Finding Problem(SFP)
),,( tyxX
C: Algebraic Surface (Public Key)
: Section on (Secret Key)
To find Section is Too difficult!!
Find
5© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
6© 2013 Toshiba Corporation
We can write down a section as
How to solve SFP(General solution)
degree of
And substitute these into
So the SFP is reduced to a multivariate equation system
(SME(*))
If you solve ,then you can get
(*)Section multivariate equations
7© 2013 Toshiba Corporation
Relation between MPKC and ASC
Quadratic multivariate equations1 1 2 1
1 2
( , , , )
( , , , )
n
m n m
c x x x y
c x x x y
which is MPKC based on.
MPKC
Difficulty of SFP on algebraic surface
More general multivariate equations
0),,,,,(
0),,,,,(
00
000
ddr
dd
c
c
which is ASC based on.
( , , ) 0X x y t
More 3 dimensionalpolynomials
Public key includes multi-variable equations implicitly
3( )O n
( )O n
ASC
8© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
Main talk
9© 2013 Toshiba Corporation
ASC Security parameters
),,( tyxX
),,( tyxX
C
How to solve SFP
cardinality of the base field
degree of the secret section
degree in of the public surface
Number of distinct monomials in
We propose a new security parameter!
(SME)
Gröbner basis (SME)
10© 2013 Toshiba Corporation
Example of NonRed_MonosHow to solve SFP
Algerbraic surface
SectionSolve
ASC security parameter
This example
p 11
d 1
w 3
NonRed_Monos 6
:grand fieldSample image
11© 2013 Toshiba Corporation
Complexity parameters in general caseThe Complexity of Solving Multivariable Polynomial Equations
The Complexity ( in general case ) : NP-hardParameters related to the complexity :1. Size of Finite Field : p Complexity 2. Number of variables : n Complexity 3. Number of equations : m Complexity 4. Sparseness “Sparseness” describe simplicity of equations. Complexity
0),,,(
0),,,(
21
211
nm
n
xxxf
xxxf
Multivariable Polynomial Equationover finite field
Parameterin general case
ASC security parameter
p p
n 2d+2
m wd+dc
Sparseness NonRed_Monos
12© 2013 Toshiba Corporation
“Sparseness” and NonRed_Monos“Dense” “Sparse”
hard
We consider that NonRed_Monos is a parameter of Sparseness.
19 7NonRed_Monos NonRed_Monos
easy
13© 2013 Toshiba Corporation
How to calculate “NonRed_Monos” from surface
Algebraic form
How to calculate “NonRed_Monos”
We can calculate “NonRed_Monos” from “Algebraic form”
If is max (full size),NonRed_Monos is also max.
Non
Red
_Mon
os
d
Maximal NonRed_Monos and d
(w=3:fix)
Data exist
14© 2013 Toshiba Corporation
Necessity of NonRed_Monos
For given 2 surfaces X1,X2,(same p,d,w)
which is more difficult to calculate Section?
Question
𝑋 1 (𝑥 , 𝑦 ,𝑡 )
𝐶1
𝑋 2 (𝑥 , 𝑦 ,𝑡 )𝐶2
We can answer this question,because we can calculate NonRed_Monos!
Even if p,d,w has been fixed,there are many surface variations….
15© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
16© 2013 Toshiba Corporation
Experiment
OS : centos(Linux) version 2.6CPU : AMD Opteron (tm) 848 (2.00GHz)Memory : 64GByte Software: Magma version 2.15-11
d = 2, 3, 4w = 3, 4, 5
= 40
size of finite field
Form of Algebraic surface(random generate)
p = 11degree of
17© 2013 Toshiba Corporation
Experimental result
log(time)
log(Mem
ory)
NonRed_Monos NonRed_Monos
Process time(left) & Memory use(right) to calculate Groebner basis of
w
18© 2013 Toshiba Corporation
log(time)
NonRed_Monos
d234
Regression formula
Prediction interval of 99.9999 % ( )★
Experimental result (statistical)
Prediction interval of 99.9999 % ( )★
=: BEST of Computational Complexity!
19© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
20© 2013 Toshiba Corporation
Key size estimation (Gröbner basis)
FIX
d
128bit securityPrediction interval of 99.9999 % ( )★
Securer Data
Non
Red
_Mon
os
1 2 3 4 5 6 7 8 9 10
Max NonRed_Monos
Data exist
We can choose secure data , d = 8, NonRed_Monos 29000≧
21© 2013 Toshiba Corporation
Key size estimation (Exaustive search)
• We estimate Computational Complexity of exhaustive search for (SME) / .
You can reduce to half of variables(by Ogura-Mihara) , so the number of variables in (SME) is d+1.
To satisfy 128bit security( = RSA(3072bit)), d>36 .
(SME(*))
Algorithms D w dc nx* Public Key SizeGröbner basis 8 5 5 20 640 bit
Ogura-Mihara 8 5 5 20 640 bit
Exhaustive search 37 5 5 20 1220 bit
(*)nx: number of terms of algebraic surface (Note: count full terms version in this table)
22© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
23© 2013 Toshiba Corporation
Conclusion• We propose new security parameter NonRed_Monos.
We express “Sparseness” as NonRed_Monos.
• We can derive an estimation of computational complexity for the Section Finding Problem on Algebraic Surfaces with high accuracy.
• Recommended Public Key Size of ASC is 1220 bit (128bit security = RSA 3072bit).
24© 2013 Toshiba Corporation
Last talk (my failure story)• When I saw the “section finding problem" for the first
time , I think this problem is easy to solve.
• So, we tried to develop a more efficient analysis (over Gröbner basis computation), named Ogura-Mihara algorithm.
• I introduce a concept of Ogura-Mihara algorithm.
25© 2013 Toshiba Corporation
Property of Section multivariate equations(SME )
CAT FACE!!
Proposition
26© 2013 Toshiba Corporation
Concept of Ogura-Mihara algorithm
Idea! : Reduce “number of valuables” by pseudo division
Vanish!
Vanish!
Gröbner basis
27© 2013 Toshiba Corporation
Failure and Conclusion• Indeed, the number of variables is reduced to half, and
in the small parameter, Ogura-Mihara algorithm solves faster than Gröbner basis computation.
• But we found that degrees of section and surface are higher and higher, Ogura-Mihara’ NonRed_Monos significantly bigger and bigger more than the original (SME)’s NonRed_Monos. So it’s not efficient algorithm.
• So when you want to estimate computational complexity such as using Gröbner basis, you need to see NonRed_Monos.
28© 2013 Toshiba Corporation