Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka...
Winter School, PQC 2016, Fukuoka
Multivariate Public Key Cryptography
Jintai Ding
University of Cincinnati
Feb. 22 2016
Outline
What is a MPKC?
Multivariate Public Key Cryptosystems: cryptosystems whose public keys are a set of multivariate polynomials.
The public key is given as:
$$G(x_1, \dots, x_n) = (G_1(x_1, \dots, x_n), \dots, G_m(x_1, \dots, x_n)).$$
Here the $G_i(x_1, \dots, x_n)$ are multivariate polynomials over a finite field.

Encryption
Any plaintext $M = (x'_1, \dots, x'_n)$ has the ciphertext:
$$G(M) = G(x'_1, \dots, x'_n) = (y'_1, \dots, y'_m).$$
To decrypt the ciphertext $(y'_1, \dots, y'_m)$, one needs to know a secret (the secret key), so that one can invert the map, that is, compute $G^{-1}$, to find the plaintext $(x'_1, \dots, x'_n)$:
$$M = (x'_1, \dots, x'_n) = G^{-1}(y'_1, \dots, y'_m).$$

Toy example
We use the finite field $k = GF[2]/(x^2 + x + 1)$ with $2^2$ elements.
We denote the elements of the field by the set $\{0, 1, 2, 3\}$ to simplify the notation. Here 0 represents the 0 in $k$, 1 stands for 1, 2 for $x$, and 3 for $1 + x$. In this case, $1 + 3 = 2$, $2 \cdot 3 = 1$, $2 \cdot 2 = 3$ and $3 \cdot 3 = 2$.

A toy example
$$G_0(x_0, x_1, x_2) = 1 + x_2 + 2x_0x_2 + 3x_1^2 + 3x_1x_2 + x_2^2$$
$$G_1(x_0, x_1, x_2) = 1 + 3x_0 + 2x_1 + x_2 + x_0^2 + x_0x_1 + 3x_0x_2 + x_1^2$$
$$G_2(x_0, x_1, x_2) = 3x_2 + x_0^2 + 3x_1^2 + x_1x_2 + 3x_2^2$$
For example, if the plaintext is $x_0 = 1$, $x_1 = 2$, $x_2 = 3$, then we can plug it into $G_0$, $G_1$ and $G_2$ to get the ciphertext $y_0 = 0$, $y_1 = 0$, $y_2 = 1$.
This is a bijective map and we can invert it easily. This example is based on the Matsumoto-Imai cryptosystem.

Signature
To sign the document hash value $(y'_1, \dots, y'_m)$, one needs to know the secret key, so that one can invert the public key map, that is, compute $G^{-1}$, to find the signature $(x'_1, \dots, x'_n)$:
$$S = (x'_1, \dots, x'_n) = G^{-1}(y'_1, \dots, y'_m).$$
Given the pair $((x'_1, \dots, x'_n), (y'_1, \dots, y'_m))$, anyone can verify the validity of the signature by checking whether the following equality holds:
$$G(x'_1, \dots, x'_n) = (y'_1, \dots, y'_m).$$

Theoretical Foundation
Direct attack is to solve the set of equations:
$$G(M) = G(x_1, \dots, x_n) = (y'_1, \dots, y'_m).$$
- Solving a set of n randomly chosen equations (nonlinear) with n variables is NP-complete, though this does not necessarily ensure the security of the systems.

A quick historic overview
Single variable quadratic equation – Babylonian, around 1800 to 1600 BC
Cubic and quartic equation – around 1500
Tartaglia, Cardano
Multivariate system – 1964-1965
Buchberger: Gröbner basis
Hironaka: Standard basis

The hardness of the problem
Single variable case – Galois's work.
Newton method – continuous system
Berlekamp's algorithm – finite field and low degree
Multivariate case: NP-hardness of the generic systems.
Numerical solvers – continuous systems
Finite field case

Quadratic Constructions
1) Efficiency considerations lead to mainly quadratic constructions.
$$G_l(x_1, \dots, x_n) = \sum_{i,j} \alpha_{lij} x_i x_j + \sum_i \beta_{li} x_i + \gamma_l.$$
2) Mathematical structure consideration: Any set of high degree polynomial equations can be reduced to a set of quadratic equations.
$$x_1 x_2 x_3 = 5$$
is equivalent to
$$x_1 x_2 - y = 0, \qquad y x_3 = 5.$$

The view from the history of Mathematics (Diffie in Paris)
RSA – Number Theory – the 18th century mathematics
ECC – Theory of Elliptic Curves – the 19th century mathematics
Multivariate Public key cryptosystem – Algebraic Geometry – the 20th century mathematics
Algebraic Geometry – Theory of Polynomial Rings

Early works
Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong, Schnorr, Shamir etc.
Fast development in the late 1990s – Patarin's work as catalyst.

Multivariate Signature schemes
Public key: $G(x_1, \dots, x_n) = (g_1(x_1, \dots, x_n), \dots, g_m(x_1, \dots, x_n))$.
Private key: a way to compute $G^{-1}$.
Signing a hash of a document: $(x_1, \dots, x_n) \in G^{-1}(y_1, \dots, y_m)$.
Verifying: $(y_1, \dots, y_m) \stackrel{?}{=} G(x_1, \dots, x_n)$.
$k$, a small finite field.

A toy example over GF(3)
$$G_1(x_1, x_2, x_3) = 1 + x_3 + x_1x_2 + x_3^2$$
$$G_2(x_1, x_2, x_3) = 2 + x_1 + 2x_2x_3 + x_2$$
$$G_3(x_1, x_2, x_3) = 1 + x_2 + x_1x_3 + x_1^2$$
Hash: $(y_1, y_2, y_3) = (0, 1, 1)$.
A signature: $(x_1, x_2, x_3) = (2, 0, 1)$
$$G_1(2, 0, 1) = 1 + 1 + 2 \times 0 + 1 = 0$$
$$G_2(2, 0, 1) = 2 + 2 + 2 \times 0 \times 1 + 0 = 1$$
$$G_3(2, 0, 1) = 1 + 0 + 2 \times 1 + 1 = 1$$

Security: polynomial solving.
Signature for $(y_1, y_2, y_3) = (0, 0, 0)$?
$$G_1(x_1, x_2, x_3) = 1 + x_3 + x_1x_2 + x_3^2 = 0$$
$$G_2(x_1, x_2, x_3) = 2 + x_1 + 2x_2x_3 + x_2 = 0$$
$$G_3(x_1, x_2, x_3) = 1 + x_2 + x_1x_3 + x_1^2 = 0$$
Direct attack: difficulty of solving a set of nonlinear polynomial equations over a finite field.

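The two toy public maps from the slides (the GF(4) encryption example and the GF(3) signature example) can be evaluated and searched by machine. The following is an added example, not code from the lecture; the names `ENC_MAP`, `SIG_MAP`, `apply_map`, `preimages` and `image_count` are chosen here. It reproduces the slides' ciphertext and signature check, and carries out the direct attack by trying all $q^n$ inputs, which is only feasible because $q^n$ is 64 and 27 here.

```python
from itertools import product

# GF(4) = GF(2)[x]/(x^2 + x + 1), encoded as on the slide: 2 means x, 3 means 1 + x.
def gf4_add(a, b):
    return a ^ b                      # characteristic 2: addition is XOR

def gf4_mul(a, b):
    r = (a if b & 1 else 0) ^ ((a << 1) if b & 2 else 0)
    return r ^ 0b111 if r & 0b100 else r   # reduce using x^2 = x + 1

GF4 = (4, gf4_add, gf4_mul)
GF3 = (3, lambda a, b: (a + b) % 3, lambda a, b: (a * b) % 3)

# A polynomial is a list of (coefficient, variable indices); (3, (1, 1)) is 3*x1^2.
# Slide "A toy example": variables x0, x1, x2 over GF(4).
ENC_MAP = [
    [(1, ()), (1, (2,)), (2, (0, 2)), (3, (1, 1)), (3, (1, 2)), (1, (2, 2))],
    [(1, ()), (3, (0,)), (2, (1,)), (1, (2,)), (1, (0, 0)), (1, (0, 1)),
     (3, (0, 2)), (1, (1, 1))],
    [(3, (2,)), (1, (0, 0)), (3, (1, 1)), (1, (1, 2)), (3, (2, 2))],
]
# Slide "A toy example over GF(3)": the slide's x1, x2, x3 are indices 0, 1, 2 here.
SIG_MAP = [
    [(1, ()), (1, (2,)), (1, (0, 1)), (1, (2, 2))],
    [(2, ()), (1, (0,)), (2, (1, 2)), (1, (1,))],
    [(1, ()), (1, (1,)), (1, (0, 2)), (1, (0, 0))],
]


def apply_map(G, x, field):
    """Evaluate the public map G at x; used for encryption and for verification."""
    _, add, mul = field
    out = []
    for poly in G:
        acc = 0
        for coeff, variables in poly:
            term = coeff
            for v in variables:
                term = mul(term, x[v])
            acc = add(acc, term)
        out.append(acc)
    return tuple(out)


def verify(G, digest, signature, field):
    """A signature is valid exactly when G(signature) equals the hash value."""
    return apply_map(G, signature, field) == tuple(digest)


def preimages(G, y, field, n=3):
    """Direct attack by exhaustive search: try all q^n inputs."""
    q = field[0]
    return [x for x in product(range(q), repeat=n) if apply_map(G, x, field) == tuple(y)]


def image_count(G, field, n=3):
    """Number of distinct outputs; equals q^n exactly when the map is a bijection."""
    return len({apply_map(G, x, field) for x in product(range(field[0]), repeat=n)})


if __name__ == "__main__":
    print("ciphertext of (1,2,3):", apply_map(ENC_MAP, (1, 2, 3), GF4))
    print("plaintexts for (0,0,1):", preimages(ENC_MAP, (0, 0, 1), GF4))
    print("distinct ciphertexts:", image_count(ENC_MAP, GF4), "of", 4 ** 3)
    print("signature (2,0,1) valid:", verify(SIG_MAP, (0, 1, 1), (2, 0, 1), GF3))
    print("signatures for (0,0,0):", preimages(SIG_MAP, (0, 0, 0), GF3))
```

The search cost grows as $q^n$, so the same loop is out of reach for parameters such as 42 variables over $GF(2^8)$.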
How to construct G?
A scheme by Kipnis, Patarin and Goubin, 1999 (Eurocrypt 1999).
$G = F \circ L$.
$F$: nonlinear, easy to compute $F^{-1}$.
$L$: invertible linear, to hide the structure of $F$.

Unbalanced Oil-Vinegar (UOV) schemes
$$F = (f_1(x_1, \dots, x_o, x'_1, \dots, x'_v), \dots, f_o(x_1, \dots, x_o, x'_1, \dots, x'_v)).$$
$$f_l(x_1, \dots, x_o, x'_1, \dots, x'_v) = \sum a_{lij} x_i x'_j + \sum b_{lij} x'_i x'_j + \sum c_{li} x_i + \sum d_{li} x'_i + e_l.$$
Oil variables: $x_1, \dots, x_o$.
Vinegar variables: $x'_1, \dots, x'_v$.

How to invert F?
$$f_l(x_1, \dots, x_o, \underbrace{x'_1, \dots, x'_v}_{\text{fix the values}}) = \sum a_{lij} x_i x'_j + \sum b_{lij} x'_i x'_j + \sum c_{li} x_i + \sum d_{li} x'_i + e_l.$$
$F$: linear in oil variables $x_1, \dots, x_o$.
$\Longrightarrow$ $F$: easy to invert.

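The construction $G = F \circ L$ and the inversion step above, worked through as an added example (not code from the lecture or from any UOV implementation). It builds a small oil-vinegar central map, publishes only the composed quadratic polynomials, and signs by fixing random vinegar values and solving the resulting linear system in the oil variables. Assumptions made here: the prime field GF(31), $o = 3$, $v = 6$, a SHA-256 digest reduced mod 31 as the hash, and all function names.

```python
import hashlib
import random

P = 31           # assumed prime field GF(31) so that arithmetic is plain "% P"
O, V = 3, 6      # o oil variables and v = 2o vinegar variables
N = O + V        # x = (oil x_1..x_o, vinegar x'_1..x'_v), the order used on the slide


def solve(A, b):
    """Solve A z = b over GF(P) by Gauss-Jordan elimination; None if A is singular."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [e * inv % P for e in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(e - f * c) % P for e, c in zip(M[r], M[col])]
    return [row[n] for row in M]


def evaluate(poly, x):
    """Value at x of one quadratic polynomial given as (Q, lin, const)."""
    Q, lin, const = poly
    quad = sum(Q[i][j] * x[i] * x[j] for i in range(N) for j in range(N))
    return (quad + sum(c * xi for c, xi in zip(lin, x)) + const) % P


def keygen(rng):
    """Return the private key (F, L) and the public key G = F o L."""
    F = []
    for _ in range(O):
        Q = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]
        for i in range(O):
            for j in range(O):
                Q[i][j] = 0              # no oil*oil terms: this is the trapdoor
        F.append((Q, [rng.randrange(P) for _ in range(N)], rng.randrange(P)))
    while True:                          # draw L until it is invertible
        L = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]
        if solve(L, [0] * N) is not None:
            break
    G = []
    for Q, lin, const in F:
        # x = L s  gives  x^T Q x = s^T (L^T Q L) s  and  lin . x = (lin L) . s
        QL = [[sum(Q[i][k] * L[k][j] for k in range(N)) % P for j in range(N)]
              for i in range(N)]
        PQ = [[sum(L[k][i] * QL[k][j] for k in range(N)) % P for j in range(N)]
              for i in range(N)]
        plin = [sum(lin[k] * L[k][j] for k in range(N)) % P for j in range(N)]
        G.append((PQ, plin, const))
    return (F, L), G


def sign(private, y, rng):
    """Fix random vinegar values, then solve a linear system for the oil values."""
    F, L = private
    while True:
        vin = [rng.randrange(P) for _ in range(V)]
        A, b = [], []
        for (Q, lin, const), y_l in zip(F, y):
            # Coefficient of oil x_i in f_l once the vinegars are constants.
            A.append([(lin[i] + sum((Q[i][O + j] + Q[O + j][i]) * vin[j]
                                    for j in range(V))) % P for i in range(O)])
            # The oil-free part of f_l moves to the right-hand side.
            b.append((y_l - evaluate((Q, lin, const), [0] * O + vin)) % P)
        oil = solve(A, b)
        if oil is not None:              # singular system: retry with new vinegars
            return solve(L, oil + vin)   # s with L s = x, so G(s) = F(x) = y


def verify(public, y, s):
    """Public verification: evaluate G at the signature and compare with the hash."""
    return [evaluate(g, s) for g in public] == list(y)


def digest(msg):
    """Toy hash into GF(P)^o: first o bytes of SHA-256, each reduced mod P."""
    return [byte % P for byte in hashlib.sha256(msg).digest()[:O]]


if __name__ == "__main__":
    rng = random.Random(2016)            # fixed seed so the run is reproducible
    private, public = keygen(rng)
    y = digest(b"constructed sample message")
    s = sign(private, y, rng)
    print("hash:", y, "signature:", s, "valid:", verify(public, y, s))
```

The verifier only ever sees the matrices $L^T Q_l L$, in which the zero oil-by-oil block of the central map is no longer visible.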
Security analysis
$v \le o$ and $v \gg o$: not secure
$v = 2o, 3o$
Direct attacks do not work.
The mathematical problem to find equivalent secret keys: find the common null subspace of a set of quadratic forms.
The problem above can also be transformed into solving a set of quadratic equations.

Rainbow – Ding, Schmidt – 2005
Make $F$ "small" without reducing security.
$$G = \underbrace{L_1}_{\text{Hide the separation}} \circ F \circ \underbrace{L_2}_{\text{Hide } L_1 \circ F}.$$
$$F = (F_1, F_2).$$

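Rainbow
Rainbow(18,12,12) over $GF(2^8)$.
$F_1$: $o_1 = 12$, $v_1 = 18$. 12 OV polynomials:
$$F_1 = (f_1(x_1, \dots, x_{30}), \dots, f_{12}(x_1, \dots, x_{30})).$$
$$\underbrace{x_1, \dots, x_{18}}_{\text{Vinegar}}, \underbrace{x_{19}, \dots, x_{30}}_{\text{Oil}}$$
$F_2$: $o_2 = 12$, $v_2 = 12 + 18 = 30$. 12 OV polynomials:
$$F_2 = (f_{31}(x_1, \dots, x_{42}), \dots, f_{42}(x_1, \dots, x_{42})).$$
$$\underbrace{x_1, \dots, x_{18}, x_{19}, \dots, x_{30}}_{\text{Vinegar}}, \underbrace{x_{31}, \dots, x_{42}}_{\text{Oil}}$$
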
Rainbow
Rainbow(18,12,12)
Signature: 400 bits
Hash: 336 bits

Implementations
IC for Rainbow: 804 cycles. A joint work of Cincinnati and Bochum (ASAP 2008).
FPGA implementation by the research group of Professor Paar at Bochum (CHES 2009). Beat ECC in area and speed.

Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations: work done in Taiwan by Yang, Cheng.
Security
UOV: not broken since 1999.
Rainbow – MinRank problem
MinRank problem – find the (non-zero) matrix of the minimum rank in the space spanned by a set of matrices.
Notation
k is a small finite field with $|k| = q$
$K = k[x]/(g(x))$, a degree n extension of k, with g(x) irreducible of degree n.
The standard k-linear invertible map $\phi : K \to k^n$, and $\phi^{-1} : k^n \to K$.
The idea of "BIG" field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K:
$F = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2,$
where the $L_i$ are randomly chosen invertible affine maps over $k^n$.
The $L_i$ are used to "hide" F.
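Hidden Field Public Key Cryptosystems
$$\begin{array}{ccc} K & \xrightarrow{\;F\;} & K \\ \phi^{-1}\big\uparrow & & \big\downarrow\phi \\ k^n & \xrightarrow{\{F_1,\ldots,F_n\}} & k^n \end{array}$$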
Encryption
The MI construction:
$F : X \longmapsto X^{q^\theta+1}.$
Let $F(x_1, \ldots, x_n) = \phi \circ F \circ \phi^{-1}(x_1, \ldots, x_n) = (F_1, \ldots, F_n).$
The $F_i = F_i(x_1, \ldots, x_n)$ are quadratic polynomials in n variables. Why quadratic?
$X^{q^\theta+1} = X^{q^\theta} \times X.$
Decryption
The condition $\gcd(q^\theta + 1, q^n - 1) = 1$ ensures the invertibility of the map for purposes of decryption. It requires that k must be of characteristic 2.
$F^{-1}(X) = X^t$ such that:
$t \times (q^\theta + 1) \equiv 1 \pmod{q^n - 1}.$
The public key includes the field structure of k, θ and $F = (F_1, \ldots, F_n)$. The secret keys are $L_1$ and $L_2$.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme was defeated by the linearization equation method of Patarin (1995).
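An added worked example, not from the slides, of the toy case n = 3, θ = 2: it builds the public map L1 ∘ φ ∘ F ∘ φ⁻¹ ∘ L2, confirms that its coordinates are quadratic, and decrypts with the exponent t. The choices q = 2 and g(x) = x^3 + x + 1, the sample affine maps and all function names are assumptions; the last function checks the plaintext/ciphertext relation that underlies the linearization equations mentioned above.

```python
from math import gcd

# n = 3 and theta = 2 come from the slides; q = 2 and g(x) = x^3 + x + 1
# are assumptions made for this example.
Q, N, THETA = 2, 3, 2
G = 0b1011
E = Q**THETA + 1          # central-map exponent q^theta + 1 = 5
ORDER = Q**N - 1          # order of the multiplicative group of K
SIZE = Q**N               # with q = 2 an element of K (or k^n) is an N-bit int,
                          # so phi and phi^-1 are the identity on this encoding

def k_mul(a, b):
    """Multiply in K = GF(2)[x]/(g(x))."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= G
    return r

def k_pow(a, e):
    """Square-and-multiply exponentiation in K."""
    r = 1
    while e:
        if e & 1:
            r = k_mul(r, a)
        a = k_mul(a, a)
        e >>= 1
    return r

def decryption_exponent():
    """t with t * (q^theta + 1) = 1 mod (q^n - 1); requires the gcd condition."""
    if gcd(E, ORDER) != 1:
        raise ValueError("X -> X^(q^theta+1) is not a bijection on K")
    return pow(E, -1, ORDER)

def affine_table(rows, const):
    """Lookup table of x -> Mx + c over GF(2); each row of M is a bitmask."""
    return [sum((bin(row & x).count("1") & 1) << j for j, row in enumerate(rows)) ^ const
            for x in range(SIZE)]

def inverse_table(table):
    if sorted(table) != list(range(SIZE)):
        raise ValueError("affine map is not invertible")
    inv = [0] * SIZE
    for x, y in enumerate(table):
        inv[y] = x
    return inv

# Secret affine maps (constructed sample values) and the resulting public map.
L1 = affine_table([0b011, 0b110, 0b100], 0b101)
L2 = affine_table([0b101, 0b010, 0b110], 0b010)
L1_INV, L2_INV = inverse_table(L1), inverse_table(L2)
PUBLIC = [L1[k_pow(L2[x], E)] for x in range(SIZE)]

def encrypt(x):
    return PUBLIC[x]

def decrypt(y):
    """Undo L1, raise to the power t in K, undo L2."""
    return L2_INV[k_pow(L1_INV[y], decryption_exponent())]

def anf_degree(truth):
    """Algebraic degree of a Boolean function given by its truth table."""
    c = list(truth)
    for i in range(N):                # binary Moebius transform
        for x in range(SIZE):
            if x >> i & 1:
                c[x] ^= c[x ^ (1 << i)]
    return max((bin(m).count("1") for m, v in enumerate(c) if v), default=0)

def map_degree(table):
    """Largest coordinate degree of a map k^n -> k^n given as a lookup table."""
    return max(anf_degree([y >> j & 1 for y in table]) for j in range(N))

def linearization_relation_holds():
    """For Y = X^(q^theta+1): X * Y^(q^theta) == X^(q^(2*theta)) * Y.
    Frobenius powers are k-linear, so this is bilinear in the coordinates of X and Y."""
    return all(k_mul(x, k_pow(k_pow(x, E), Q**THETA)) ==
               k_mul(k_pow(x, Q**(2 * THETA)), k_pow(x, E)) for x in range(SIZE))
```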
HFE by Patarin etc
The only difference from MI is that F is replaced by a new map given by:
$F(X) = \sum_{i,j=0}^{q^i+q^j \le D} a_{ij} X^{q^i+q^j} + \sum_{i=0}^{q^i \le D} b_i X^{q^i} + c.$
Berlekamp-Massey algorithm to decrypt. The complexity $O(D^\omega)$.
Patarin presented two challenges.
Direct Algebraic Attack
Use efficient Gröbner basis (algebraic) algorithms to solve the system of equations:
$F_1(x_1, \ldots, x_n) = y_1$
$F_2(x_1, \ldots, x_n) = y_2$
$\vdots$
$F_n(x_1, \ldots, x_n) = y_n$
Direct Algebraic Attack
Algorithm terminates significantly quicker on HFE systems than on random systems. How does the restriction on the degree D of P affect the complexity of algebraic solvers?
Faugère and Joux broke Challenge 1 with 80 variables and claim $D_{reg}$ is roughly $\log_q(D)$.
Kipnis-Shamir MinRank attack.
Granboulan, Joux, Stern (Crypto 2006): If q = 2, complexity is quasi-polynomial.
Internal Perturbation
(Internal) Perturbation was introduced at PKC 2004 as a general method to improve the security of multivariate public key cryptosystems.
Construction – small-scale "noise" is added to the system in a controlled way so as to not fundamentally alter the main structure, but yet substantially increase the "entropy."
Internal Perturbation
Let r be a small integer and
$z_1(x_1, \ldots, x_n) = \sum_{j=1}^{n} \alpha_{j1} x_j + \beta_1$
$\vdots$
$z_r(x_1, \ldots, x_n) = \sum_{j=1}^{n} \alpha_{jr} x_j + \beta_r$
be a set of randomly chosen affine linear functions in the $x_i$ over $k^n$ such that the $z_j - \beta_j$ are linearly independent.
We can use these linear functions to create quadratic "perturbation" in HFE (including MI) systems.
IP of MI
[Diagram; labels: $x_1, \ldots, x_n$; $L_1$; $F_1, \ldots, F_n$; $z_1, \ldots, z_r$; $f_1, \ldots, f_n$; +; $L_2$; $y_1, \ldots, y_n$]
Figure: Structure of Perturbation of the Matsumoto-Imai System.
Decryption
We need to do a search of size $q^r$, therefore slower.
We need to use the Plus method, adding random polynomials, to help it resist differential attacks.
Despite the cost of the search, it is still efficient.
Standing schemes
PMI+
IPHFE+
HFE systems of odd characteristic (theoretical support from the view of degree of regularity)
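HFEv− - Key Generation
finite field $\mathbb{F}$, extension field $\mathbb{E}$ of degree n
isomorphism $\phi^{-1} : \mathbb{F}^n \to \mathbb{E}$, $\phi(x_1, \ldots, x_n) = \sum_{i=1}^{n} x_i \cdot X^{i-1}$
central map $\mathcal{F} : \mathbb{E} \to \mathbb{E}$,
$\mathcal{F}(X) = \sum_{0 \le i \le j}^{q^i+q^j \le D} \alpha_{ij} X^{q^i+q^j} + \sum_{i=0}^{q^i \le D} \beta_i(v_1, \ldots, v_v) \cdot X^{q^i} + \gamma(v_1, \ldots, v_v)$
where $\beta_i$ is a linear map from $\mathbb{F}^v$ to $\mathbb{E}$ and $\gamma$ is quadratic
public key: $P = S \circ \phi \circ \mathcal{F} \circ \phi^{-1} \circ T$ with two affine (or linear) maps $S : \mathbb{F}^n \to \mathbb{F}^{n-a}$ and $T : \mathbb{F}^{n+v} \to \mathbb{F}^{n+v}$ of maximal rank
private key: $S$, $\mathcal{F}$, $T$, $\phi$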
Signature Generation
Given: message $h \in \mathbb{F}^{n-a}$
1. Compute $x = S^{-1}(h) \in \mathbb{F}^n$ and $X = \phi(x) \in \mathbb{E}$
2. Choose random values for the vinegar variables $v_1, \ldots, v_v$. Solve $\mathcal{F}_{v_1,\ldots,v_v}(Y) = X$ over $\mathbb{E}$ via Berlekamp's algorithm
3. Compute $y = \phi^{-1}(Y) \in \mathbb{F}^n$ and $z = T^{-1}(y \| v_1 \| \ldots \| v_v)$
The signature of the message h is $z \in \mathbb{F}^{n+v}$.
QUARTZ
standardized by Courtois, Patarin in 2002
HFEv− with $\mathbb{F} = GF(2)$, n = 103, D = 129, a = 3 and v = 4
⇒ $\mathbb{E} = GF(2)^{103} = GF(2)[x]/(x^{103} + x^9 + 1)$
$\mathcal{F}(X) = \sum_{0 \le i \le j}^{2^i+2^j \le 129} \alpha_{ij} X^{2^i+2^j} + \sum_{i=0}^{2^i \le 129} \beta_i(v_1, \ldots, v_4) \cdot X^{2^i} + \gamma(v_1, \ldots, v_4)$
public key: quadratic map $P : \mathbb{F}^{107} \to \mathbb{F}^{100}$
To avoid birthday attacks, the signature generation step is performed four times (for h, H(h|00), H(h|01) and H(h|11))
⇒ signature length: (n − a) + 4 · (a + v) = 128 bit
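Main attacks
MinRank Attack: Rank(Q) = r + a + v ⇒ $\mathrm{Compl}_{\mathrm{MinRank}} \approx 2^{n \cdot (r+a+v)} \cdot (n-a)^3$
Direct attack: Recent breakthrough (result by Ding and Yang)
$d_{reg} \le \begin{cases} \frac{(q-1)\cdot(r-1+a+v)}{2} + 2 & q \text{ even and } r + a \text{ odd}, \\ \frac{(q-1)\cdot(r+a+v)}{2} + 2 & \text{otherwise}, \end{cases}$
with $r = \lfloor \log_q(D-1) \rfloor + 1$.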
Efficiency
Signature generation time ≈ 10 seconds
Bottleneck: Inversion of the univariate polynomial equation
$\mathcal{F}_{(v_1,\ldots,v_v)}(Y) = X \quad (1)$
of degree D over the extension field $\mathbb{E}$ by Berlekamp's algorithm: Complexity $O(D^3 + n \cdot D^2)$
equation (1) solvable with probability ≈ $\frac{1}{e}$
we have to solve (1) for 4 different values of X ⇒ we have to perform Berlekamp's algorithm about 11 times
Research Questions
Is the upper bound on the degree of regularity given by Ding and Yang reasonably tight?
Can we decrease the degree D of the central HFEv− polynomial to speed up the scheme?
How should we choose D?
D ∈ {2, 3} would lead to central maps of rank 2 (Matsumoto-Imai case)
For D ∈ {5, 7} one can get central maps of rank 2 by linear transformation
⇒ D ∈ {9, 17} (central maps of rank 4 and 6 respectively)
Experiments
Experiments with HFEv− schemes with low degree central maps (D ∈ {9, 17})
Implementation of HFEv− in MAGMA code
Fixing of a + v variables to create determined systems
Adding field equations
Systems were solved with F4 integrated in MAGMA
Experiments (2)
D = 9

| number of equations | 20 | 25 | 30 | 32 |
|---|---|---|---|---|
| a = v = 4 (theoretical degree of regularity ≤ 7) | | | | |
| (n,D,a,v) | (24,9,4,4) | (29,9,4,4) | (34,9,4,4) | (36,9,4,4) |
| $d_{reg}$ | 5 | 6 | 6 | 6 |
| time (s) | 2.7 | 244 | 31,537 | 102,321 |
| a = v = 5 (theoretical degree of regularity ≤ 8) | | | | |
| (n,D,a,v) | (25,9,5,5) | (30,9,5,5) | (35,9,5,5) | (37,9,5,5) |
| $d_{reg}$ | 5 | 6 | 6 | 7 |
| time (s) | 2.8 | 255 | 32,481 | ooM |
| for comparison: random system | | | | |
| $d_{reg}$ | 5 | 6 | 6 | 7 |
| time (s) | 3.5 | 310 | 32,533 | ooM |

Experiments (3)
D = 17

| number of equations | 20 | 25 | 30 | 32 |
|---|---|---|---|---|
| a = v = 3 (theoretical degree of regularity ≤ 7) | | | | |
| (n,D,a,v) | (23,17,3,3) | (28,17,3,3) | (33,17,3,3) | (35,17,3,3) |
| $d_{reg}$ | 5 | 6 | 6 | 6 |
| time (s) | 2.4 | 245 | 28,768 | 87,726 |
| a = v = 4 (theoretical degree of regularity ≤ 8) | | | | |
| (n,D,a,v) | (24,17,4,4) | (29,17,4,4) | (34,17,4,4) | (36,17,4,4) |
| $d_{reg}$ | 5 | 6 | 6 | 7 |
| time (s) | 2.4 | 248 | 31,911 | ooM |
| for comparison: random system | | | | |
| $d_{reg}$ | 5 | 6 | 6 | 7 |
| time (s) | 3.5 | 310 | 32,533 | ooM |

Results
The theoretical result about the degree of regularity is relatively tight (for a = v = 3 we can reach the upper bound both for D = 9 and D = 17)
For the parameter sets (D, a, v) = (9, 5, 5) and (D, a, v) = (17, 4, 4) and n ≥ 32 we have $d_{reg} \ge 7$
⇒ For n = 90 + a we get
$\mathrm{Complexity}_{\text{direct attack}} \ge 3 \cdot \binom{n-a+2}{2} \cdot \binom{n-a+d_{reg}}{d_{reg}}^2 = 3 \cdot \binom{92}{2} \cdot \binom{97}{7}^2 \ge 2^{81}$
New Designs - Gui - Asiacrypt 2015 - Petzoldt, Chen, Yang, Tao, Ding
We propose three versions of Gui
Gui-95 with (n, D, a, v) = (95, 9, 5, 5) providing a security level of 80 bit
Gui-94 with (n, D, a, v) = (94, 17, 4, 4) providing a security level of 80 bit, and
Gui-127 with (n, D, a, v) = (127, 9, 4, 6) providing a security level of 123 bit
Avoiding birthday attacks
Input size of HFEv- maps is short (in our case 90 - 123 bit)
⇒ Possibility of birthday attacks
Solution:
Sign k different hash values of the message m. Combine the k outputs to a single signature of size (n − a) + k · (a + v) bit.
In the case of Gui we set
k = 3 for Gui-95, k = 4 for Gui-94 and Gui-127.
Parameters and Key Sizes

| scheme | security level (bit) | input size (bit) | signature size (bit) | public key size (Bytes) | private key size (Bytes) |
|---|---|---|---|---|---|
| Gui-95 | 80 | 90 | 120 | 60,600 | 3,053 |
| Gui-94 | 80 | 90 | 122 | 58,212 | 2,943 |
| Gui-127 | 123 | 123 | 163 | 142,576 | 5,350 |
| QUARTZ | 80 | 100 | 128 | 75,514 | 3,774 |
| RSA-1024 | 80 | 1024 | 1024 | 128 | 128 |
| RSA-2048 | 112 | 2048 | 2048 | 256 | 256 |
| ECDSA P160 | 80 | 160 | 320 | 40 | 60 |
| ECDSA P192 | 96 | 192 | 384 | 48 | 72 |
| ECDSA P256 | 128 | 256 | 512 | 64 | 96 |

Comparison

| scheme | security level (bit) | signing time (k-cycles) | verifying time (k-cycles) |
|---|---|---|---|
| Gui-95 | 80 | 1,479 / 1,186 | 325 / 230 |
| Gui-94 | 80 | 4,945 / 5,421 | 357 / 253 |
| Gui-127 | 123 | 1,966 / 1,249 | 707 / 427 |
| QUARTZ | 80 | 167,485 / 168,266 | 375 / 235 |
| RSA-1024 | 80 | 2,080 / 2,115 | 74 / 64 |
| RSA-2048 | 112 | 8,834 / 5,347 | 138 / 76 |
| ECDSA P160 | 80 | 1,283 / 1,115 | 1,448 / 1,269 |
| ECDSA P192 | 96 | 1,513 / 1,273 | 1,715 / 1,567 |
| ECDSA P256 | 128 | 1,830 / 1,488 | 2,111 / 1,920 |

time on AMD Opteron 6212, 2.5 GHz / Intel Xeon E5-2620, 2.0 GHz
Why this name?
Gui
Chinese pottery from Longshan period
more than 4000 years old
3 legs: one in front, 2 in the back
front leg : HFE
back legs: Minus + Vinegar
Key Points
Proposal of a new multivariate signature scheme Gui
Use of low degree HFEv- polynomials (D ∈ {9, 17})
⇒ very short signatures (120 bit)
⇒ 150 times faster than QUARTZ
⇒ Efficiency comparable to standard schemes (RSA, ECDSA)
Key Points
The main defect behind the insecurity of most of these MPKCs is that some quadratic forms associated with their central maps are of low rank.
Direct algebraic attack is easy to handle in general (odd char) – Ding, Tao, Diene etc.
![Page 117: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/117.jpg)
Idea of the Simple Matrix Scheme for Encryption
Main Idea
Create some matrices having high rank and use some simple matrix multiplication to get a multivariate public key scheme that we denote in short by the ABC cryptosystem.
![Page 118: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/118.jpg)
Construction of the SM Cryptosystem
Let $k = \mathbb{F}_q$ be a finite field with $q$ elements and $p$ be the characteristic of $k$.
Let $n, m$ be integers, where $n = s^2$, $m = 2n$.
The plaintext will be represented by $(x_1, x_2, \cdots, x_n) \in k^n$.
The ciphertext will be represented by $(y_1, y_2, \cdots, y_m) \in k^m$.
![Page 119: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/119.jpg)
Construction of the SM Cryptosystem
Let $\mathcal{L}_1 : k^n \to k^n$ and $\mathcal{L}_2 : k^m \to k^m$ be 2 affine transformations,
$$\mathcal{L}_1(x) = L_1 x + u \quad\text{and}\quad \mathcal{L}_2(y) = L_2 y + v,$$
where $L_1$ and $L_2$ are respectively an $n \times n$ and an $m \times m$ matrix with entries in $k$, $x = (x_1, x_2, \cdots, x_n)^t$, $u = (u_1, u_2, \cdots, u_n)^t$, $y = (y_1, y_2, \cdots, y_m)^t$, $v = (v_1, v_2, \cdots, v_m)^t$.
![Page 120: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/120.jpg)
Construction of the SM Cryptosystem
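Let

$$A = \begin{pmatrix} x_1 & x_2 & \cdots & x_s \\ x_{s+1} & x_{s+2} & \cdots & x_{2s} \\ \vdots & \vdots & \ddots & \vdots \\ x_{(s-1)s+1} & x_{(s-1)s+2} & \cdots & x_{s^2} \end{pmatrix},$$

$$B = \begin{pmatrix} b_1 & b_2 & \cdots & b_s \\ b_{s+1} & b_{s+2} & \cdots & b_{2s} \\ \vdots & \vdots & \ddots & \vdots \\ b_{(s-1)s+1} & b_{(s-1)s+2} & \cdots & b_{s^2} \end{pmatrix}$$

and

$$C = \begin{pmatrix} c_1 & c_2 & \cdots & c_s \\ c_{s+1} & c_{s+2} & \cdots & c_{2s} \\ \vdots & \vdots & \ddots & \vdots \\ c_{(s-1)s+1} & c_{(s-1)s+2} & \cdots & c_{s^2} \end{pmatrix}$$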
![Page 121: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/121.jpg)
Construction of the SM Cryptosystem
Central map
$A$, $B$, and $C$ defined above are 3 $s \times s$ matrices with $x_i \in k$ ($i = 1, 2, \cdots, n$); $b_i$ and $c_i$ ($i = 1, 2, \cdots, n$) are random linear combinations of elements taken from the set $\{x_1, x_2, \cdots, x_n\}$.
Let $E_1 = AB$, $E_2 = AC$. We denote by $f_{(i-1)s+j} \in k[x_1, x_2, \cdots, x_n]$ the $(i, j)$ element of $E_1$ and by $f_{s^2+(i-1)s+j} \in k[x_1, x_2, \cdots, x_n]$ the $(i, j)$ element of $E_2$ ($i, j = 1, 2, \cdots, s$).
We then define
$$F(x_1, \cdots, x_n) = (f_1(x_1, \cdots, x_n), f_2(x_1, \cdots, x_n), \cdots, f_m(x_1, \cdots, x_n)).$$
![Page 122: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/122.jpg)
Construction of the SM Cryptosystem
The public key:
$$\bar{F} = \mathcal{L}_2 \circ F \circ \mathcal{L}_1 = (\bar{f}_1, \bar{f}_2, \cdots, \bar{f}_m),$$
The secret key is made of the following two parts:
The invertible affine transformations $\mathcal{L}_1, \mathcal{L}_2$.
The matrices $B, C$.
![Page 123: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/123.jpg)
Construction of the SM Cryptosystem
Decryption
Applying $\bar{F}^{-1} = \mathcal{L}_1^{-1} \circ F^{-1} \circ \mathcal{L}_2^{-1}$.
How to invert the central map:
Since $E_1 = AB$, $E_2 = AC$, and assuming $A$ is an $s \times s$ nonsingular matrix, we consider the following cases:
(i) If $E_1$ is invertible, then $B E_1^{-1} E_2 = C$. We have $n$ linear equations with $n$ unknowns $x_i$, $i = 1, 2, \cdots, n$.
(ii) If $E_2$ is invertible, but $E_1$ is not invertible, then $C E_2^{-1} E_1 = B$. We also have $n$ linear equations with $n$ unknowns $x_i$, $i = 1, 2, \cdots, n$.
(iii) If both $E_1$ and $E_2$ are not invertible, then $A^{-1} E_1 = B$, $A^{-1} E_2 = C$. We interpret the elements of $A^{-1}$ as the new variables, then we have $m$ linear equations with $m$ unknowns.
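Case (i) of the inversion above, worked through in Python at toy size as an added example (not code from the slides or from the scheme's authors): it assumes the b_i and c_i are linear forms with no constant term, leaves out L1 and L2, and all function names are hypothetical. Under that assumption the linear system from B E1^-1 E2 = C is homogeneous, so its solution space contains every scalar multiple of the plaintext, and the code filters those solutions through the central map itself.

```python
import itertools
import random

Q, S = 127, 3        # GF(127) as in the slides' example; toy s = 3 (the slides use n = 64)
N = S * S            # number of plaintext variables, n = s^2

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(S)) % Q for j in range(S)]
            for i in range(S)]

def rref(M):
    """Reduced row echelon form over GF(Q): returns (rows, pivot columns)."""
    M, pivots = [list(row) for row in M], []
    for c in range(len(M[0])):
        r = len(pivots)
        p = next((i for i in range(r, len(M)) if M[i][c]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        inv = pow(M[r][c], Q - 2, Q)              # inverse by Fermat, Q is prime
        M[r] = [v * inv % Q for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(a - M[i][c] * b) % Q for a, b in zip(M[i], M[r])]
        pivots.append(c)
    return M, pivots

def kernel(M):
    """Basis of {x : M x = 0} over GF(Q), one vector per free column."""
    R, pivots = rref(M)
    basis = []
    for fc in (c for c in range(N) if c not in pivots):
        v = [int(t == fc) for t in range(N)]
        for row, pc in zip(R, pivots):
            v[pc] = -row[fc] % Q
        basis.append(v)
    return basis

def rand_forms(rng):
    """s x s matrix of random linear forms in x_1..x_n (assumed: no constant term)."""
    return [[[rng.randrange(Q) for _ in range(N)] for _ in range(S)] for _ in range(S)]

def evaluate(forms, x):
    return [[sum(c * v for c, v in zip(f, x)) % Q for f in row] for row in forms]

def central_map(B, C, x):
    """F(x) = (E1, E2) with E1 = A B and E2 = A C, where A is x written row by row."""
    A = [x[i * S:(i + 1) * S] for i in range(S)]
    return mat_mul(A, evaluate(B, x)), mat_mul(A, evaluate(C, x))

def invert_central(B, C, E1, E2):
    """Case (i): every preimage of (E1, E2), or None when E1 is singular."""
    R, pivots = rref([r1 + r2 for r1, r2 in zip(E1, E2)])    # solve E1 W = E2
    if pivots != list(range(S)):
        return None                               # cases (ii) and (iii) are not covered
    W = [row[S:] for row in R]                    # W = B^-1 C, so B(x) W - C(x) = 0 is linear
    system = [[(sum(B[i][k][t] * W[k][j] for k in range(S)) - C[i][j][t]) % Q
               for t in range(N)] for i in range(S) for j in range(S)]
    basis = kernel(system)
    cands = ([sum(a * v[t] for a, v in zip(coeffs, basis)) % Q for t in range(N)]
             for coeffs in itertools.product(range(Q), repeat=len(basis)))
    return [x for x in cands if central_map(B, C, x) == (E1, E2)]

def demo(seed=2016, trials=10):
    """Round trip on constructed random plaintexts: list of (x, recovered preimages)."""
    rng = random.Random(seed)
    B, C = rand_forms(rng), rand_forms(rng)
    xs = [[rng.randrange(Q) for _ in range(N)] for _ in range(trials)]
    return [(x, invert_central(B, C, *central_map(B, C, x))) for x in xs]
```

`demo()` returns, for each constructed plaintext, the list of recovered preimages; under the no-constant-term assumption that list holds both x and -x, because F(-x) = F(x).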
![Page 124: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/124.jpg)
Construction of the SM Cryptosystem
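Decryption failure
If $A$ is a singular matrix, decryption may fail. The probability that $A$ is invertible is
$$\left(1 - \frac{1}{q}\right)\left(1 - \frac{1}{q^2}\right) \cdots \left(1 - \frac{1}{q^n}\right).$$
Therefore, the probability of decryption failure is
$$1 - \left(1 - \frac{1}{q}\right)\left(1 - \frac{1}{q^2}\right) \cdots \left(1 - \frac{1}{q^n}\right) \approx \frac{1}{q}.$$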
![Page 125: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/125.jpg)
Construction of the SM Cryptosystem
An example
We let $k = GF(q)$ be a finite field of $q = 127$ elements and $n = 64$. In this case, the plaintext consists of the message $(x_1, x_2, \cdots, x_{64}) \in k^{64}$. The public map is $\bar{F} : k^{64} \to k^{128}$ and the central map is $F : k^{64} \to k^{128}$.
The public key consists of 128 quadratic polynomials with 64 variables. The number of coefficients for the public key polynomials is 128 × 64 × 65/2 = 266,240, or about 2MB of storage.
The private key consists of two matrices $B, C$ and two affine linear transformations $\mathcal{L}_1, \mathcal{L}_2$. The total size is about 162.5KB.
The size of the document is 8n = 8 × 64 = 512 bits. The total size of the ciphertext is 1024 bits.
![Page 126: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/126.jpg)
Security Analysis
Rank attack:
For the rank attacks, we have that the MinRank is 16 and the complexity of the MinRank attack against our scheme is larger than $2^{160}$.
Algebraic attack:
For $k = GF(3)$, we obtain the following results with a direct attack using MAGMA (2.12-16) on a 1.80GHz Intel(R) Atom(TM) CPU:

| n | 9 | 16 | 25 |
|---|---|---|---|
| time (s) | 0.016 | 3.494 | 17588.380 |
| memory (MB) | 3.4 | 8.1 | 1111.7 |
| degree of regularity | 4 | 5 | 6 |

We can notice that the degree of regularity increases with n, which tells us that the time and memory complexity are exponential.
![Page 127: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/127.jpg)
Construction of the SM Cryptosystem
Efficiency
The decryption is very efficient: only linear algebra operations.
![Page 128: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/128.jpg)
Improved Constructions
Rectangular construction
Degree three construction using random quadratic polynomials
Remove the decryption failure
Ding, Petzoldt, Wang
![Page 129: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/129.jpg)
Outline
![Page 130: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/130.jpg)
Key Attack Methods
To be ready for practical applications, we need a solid understanding of the attack complexities with both theoretical and experimental support.
The key attack methods are:
Direct algebraic attack
MinRank attack, which is also reduced to a polynomial solving problem.
Differential analysis
![Page 133: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/133.jpg)
Direct Algebraic Attack
Use efficient Gröbner basis (algebraic) algorithms (GB, F4, XL, Mutant XL) to solve the system of equations:
$$\begin{aligned} p_1(x_1, \ldots, x_n) &= y_1 \\ p_2(x_1, \ldots, x_n) &= y_2 \\ &\;\;\vdots \\ p_n(x_1, \ldots, x_n) &= y_n \end{aligned}$$
Sometimes the algorithm terminates significantly quicker on the MPKC systems than on random systems.
Why?
![Page 135: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/135.jpg)
Degree of Regularity
Degree of Regularity: Lowest degree at which non-trivial “degree falls” occur.
$$\deg\Big(\sum_i g_i p_i\Big) < \max\{\deg(g_i) + \deg(p_i)\}$$
Trivial degree falls:
$$p_i^{q-1} p_i = p_i^q = p_i, \qquad p_j p_i - p_i p_j = 0$$
![Page 136: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/136.jpg)
Implication of Degree of Regularity
Gröbner basis algorithms terminate shortly after this degree is reached.
At the degree of regularity, in general, mutants are produced, which accelerate the solving process.
We need more precise mathematical concepts like degree of regularity, mutants, etc. to understand solidly how the algorithm works.
![Page 138: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/138.jpg)
Degree of Regularity of Leading Terms
Let $p_i^h$ be the highest degree part of $p_i$ considered as an element of the truncated polynomial ring
$$p_i^h \in \frac{\mathbb{F}[x_1, \ldots, x_n]}{\langle x_1^q, \ldots, x_n^q \rangle}$$
The degree of regularity of $p_1^h, \ldots, p_n^h$ is the first degree at which non-trivial relations occur.
$$\deg\Big(\sum_i f_i p_i^h\Big) = 0$$
Trivial relations: $(p_i^h)^{q-1} p_i^h = 0$, $\; p_j^h p_i^h - p_i^h p_j^h = 0$
Then
$$D_{reg}(p_1, \ldots, p_n) = D_{reg}(p_1^h, \ldots, p_n^h)$$
![Page 141: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/141.jpg)
Bounds on Degree of Regularity
Recently, we found a global upper bound on the degree of regularity (in the sense of DG) of an HFE system.
Main Theorem.
The degree of regularity of the system defined by $P$ is bounded by
$$\frac{\mathrm{Rank}(P_0)(q - 1)}{2} + 2 \le \frac{(q - 1)(\lfloor \log_q(D - 1) \rfloor + 1)}{2} + 2$$
if $\mathrm{Rank}(P_0) > 1$. Here $\mathrm{Rank}(P_0)$ is the rank of the quadratic form $P_0$.
This explains why odd characteristic is a good idea and why $q = 2$ is different.
These are universal bounds that require no additional assumption.
![Page 144: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/144.jpg)
Bounds on Degree of Regularity for other systems
HFE- (Ding, Kleinjung)
HFEv- (Ding, Yang)
Precise bound for Square systems. (Ding)
Lower bounds for general case?
MinRank is also closely related.
![Page 149: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/149.jpg)
MPKCs
MPKCs have a very solid foundation in terms of both designs and security analysis.
Efficient, simple and easy to implement; but large key size
Quantum computer attack
![Page 152: Multivariate Public Key Cryptography · 2016. 3. 3. · Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016](https://reader035.fdocuments.us/reader035/viewer/2022071507/6127a86a490b744bf94ddfd6/html5/thumbnails/152.jpg)
Acknowledgment
Many thanks to the organizer
Thank you and questions?