TWO-FACE New Public Key Multivariate Schemes


1 TWO-FACE New Public Key Multivariate Schemes
AfricaCrypt 2018 Jacques Patarin Gilles Macario-Rat

2 Motivations
Search for new multivariate schemes for post-quantum cryptography, particularly for encryption. (At present multivariate public key schemes are more efficient in signature than in encryption.)
Perturbed HFE and UOV still valid
Search for new multivariate quadratic permutations

3 Generic scheme for Quadratic Multivariate Cryptography
Trapdoor P: multivariate quadratic polynomial, P(x) = y
Efficient way to solve in x
Secret structure: T, S linear
Public = T o P o S
Set of quadratic multivariate equations

4 Two-Face: Basic Idea
Trapdoor
Face n° 1: E1(x) = y
Multivariate quadratic polynomial
Not efficient for solving (high degree in x)
Public = T o E1 o S
Set of quadratic multivariate equations
Face n° 2: E2(x,y) = 0
Efficient way to solve in x
Not quadratic (high degree in y)
E1 and E2 are of course related: ( E1(x) = y ) => ( E2(x,y) = 0 )

5 Two-Face, initial Flavor: Dob
Dobbertin Permutation Polynomial is a simple 2Face!
This is the original family from which we imagined the Two-Face public key schemes.
Dobbertin in 1999 proved that for any integer m, and with n = 2m - 1, the polynomial P(x) = x^{2^m+1} + x^3 + x is a permutation over GF(2^n).
Moreover, from (Face 1):
y = E1(x) = x^{2^m+1} + x^3 + x   (1)
we can get this equation (Face 2):
E2(x,y) = x^9 + x^6 y + x^4 y + x^5 + x^3 y^{2^m} + x^3 y^2 + x y^2 + y^3 = 0   (2)
From (2), when y is given, we can easily find x by solving this equation of degree only 9.
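Added example, not part of the original slides: a brute-force check over the toy fields GF(2^5) and GF(2^7) that Face 1 of Dob is a permutation, that every pair (x, E1(x)) satisfies Face 2, and that inversion through Face 2 needs a final Face 1 filter because the degree-9 equation can have roots other than the preimage. The function names and the irreducible polynomials used to build the fields are assumptions of this example.

```python
# Added example (not from the slides); field elements are ints, bit i = coefficient of X^i.
IRREDUCIBLE = {5: 0b100101, 7: 0b10000011}  # assumed moduli: X^5+X^2+1, X^7+X+1

def gf_mul(a, b, n):
    """Multiply in GF(2^n): carry-less product reduced by IRREDUCIBLE[n]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= IRREDUCIBLE[n]
    return r

def gf_pow(a, e, n):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return r

def face1(x, m):
    """Face 1: E1(x) = x^(2^m+1) + x^3 + x over GF(2^n), n = 2m - 1."""
    n = 2 * m - 1
    return gf_pow(x, 2**m + 1, n) ^ gf_pow(x, 3, n) ^ x

def face2(x, y, m):
    """Face 2: E2(x,y) of equation (2); monomials given as (deg in x, deg in y)."""
    n = 2 * m - 1
    monomials = [(9, 0), (6, 1), (4, 1), (5, 0), (3, 2**m), (3, 2), (1, 2), (0, 3)]
    acc = 0
    for i, j in monomials:
        acc ^= gf_mul(gf_pow(x, i, n), gf_pow(y, j, n), n)
    return acc

def check(m):
    """Return (E1 is a permutation, E2(x, E1(x)) == 0 for every x)."""
    field = range(2 ** (2 * m - 1))
    images = {face1(x, m) for x in field}
    return len(images) == len(field), all(face2(x, face1(x, m), m) == 0 for x in field)

def invert(y, m):
    """Roots of E2(., y) are the candidates; Face 1 selects the preimage."""
    roots = [x for x in range(2 ** (2 * m - 1)) if face2(x, y, m) == 0]
    return roots, [x for x in roots if face1(x, m) == y]
```

For y = 0 the Face 2 equation reduces to x^9 + x^5 = 0, whose roots are 0 and 1, while only x = 0 satisfies Face 1.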

6 Cryptanalysis of the “nude Dob”
If we used (1) directly in a “nude Dob” scheme, i.e. without any perturbation, we would get a weak scheme, totally broken by Gröbner basis computations. More precisely, the degree of regularity obtained in a Gröbner basis attack is always only 3 in the experiments we conducted. (The degree of regularity is the highest degree that must be used for the Gröbner basis computation to succeed.) However, with adequate perturbations the modified scheme has so far resisted all the attacks we know.

7 Examples of perturbations, examples of parameters for Dob+
Some perturbations are better for signatures, and some are better for encryption.
For encryption with Dob, we suggest using the two perturbations: + and .
+: we mix the public key with a small number r of random secret quadratic equations in all the n variables.
: we mix the public key with n random secret quadratic equations in a small number s of variables.
Example of parameters for Dob+
For example, the parameters n = 129, r = s = 6 give a very efficient multivariate public key encryption scheme.
Decryption costs 2^12 root computations of a degree 9 polynomial.
At present our best known attacks require 2^80 computations, or more.

8 Two-Face, first Variant: Simple PAT
Deriving new relations E1/E2
E1(x) = x^{1+q^m} + Q(x) = y ; over GF(q^n) with n = 2m - 1
New inner relation between x and y by introducing a new variable z: z = x^{q^m}
Elimination of z between E1(x) - y and (E1(x) - y)^{q^m}
E2(x,y) is the Resultant
The degree of E2 in x is ≤ (the degree of Q)²
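Added worked example, not part of the original slides: the elimination carried out for the Dob case of slide 5, q = 2 and Q(x) = x^3 + x, writing t = y^{2^m} and w = y + x^3 + x.

Since 2m = n + 1 and x^{2^n} = x in GF(2^n): z^{2^m} = x^{2^{2m}} = x^{2^{n+1}} = x^2
(a) E1(x) - y = 0:               x z + x^3 + x + y = 0, so x z = w
(b) (E1(x) - y)^{2^m} = 0:       x^2 z + z^3 + z + t = 0
Multiply (b) by x^3:             x^4 (x z) + (x z)^3 + x^2 (x z) + x^3 t = 0
Substitute x z = w:              x^4 w + w^3 + x^2 w + x^3 t = 0
Expand in characteristic 2:
  x^4 w = x^4 y + x^7 + x^5
  w^3   = y^3 + x^3 y^2 + x y^2 + x^6 y + x^2 y + x^9 + x^7 + x^5 + x^3
  x^2 w = x^2 y + x^5 + x^3
Sum (equal terms cancel in pairs): x^9 + x^6 y + x^4 y + x^5 + x^3 t + x^3 y^2 + x y^2 + y^3 = 0

This is Face 2 of Dob, of degree 9 = (degree of Q)² in x.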

9 Examples of Simple PAT
Example 1.
(Face 1): y = E1(x) = x^{2^m+1} + x^5 + x^3   (1)
(Face 2): E2(x,y) = x^25 + x^23 + x^20 y + x^13 + x^9 + x^8 y + x^7 y^2 + x^6 y + x^5 y^4 + x^5 y^2 + x^5 y^{2^m} + x^3 y^4 + x^2 y^3 + y^5 = 0   (2)
Example 2.
(Face 1): y = E1(x) = x^{2^m+1} + x^6 + x^5   (1)
(Face 2): E2(x,y) = x^36 + x^34 + x^32 + x^31 + x^27 + x^26 + x^25 y + x^24 y^2 + x^21 y + x^20 y^2 + x^13 + x^12 y^4 + x^12 + x^10 y^4 + x^7 y^4 + x^7 y + x^6 y^4 + x^6 y^{2^m} + x y^5 + y^6 = 0   (2)

10 Simple PAT versus HFE (Nude) Simple PAT (Nude) HFE
dreg 9 81 39 4 10 100 5 12 144 23 20 400 25 24 576 32 1024 33 1089 6 34 1156 d n dreg 36 25 4 32 41 81 128 129 5 257 513 6

11 Two-Face, next Variant: General PAT
Deriving new relations E1/E2
More complex expressions but with a similar pattern
E1(x) = B(x, x^{2^m}) = y ; over GF(2^n) with n = 2m - 1
Again z = x^{2^m}
Elimination of z between B(x,z) - y and (B(x,z) - y)^{2^m}
E2(x,y) is the Resultant
Its degree is bounded by the degree of B

12 General PAT versus HFE (Nude) General PAT (Nude) HFE
dreg 9 162 25 5 10 200 14 17 578 6 18 648 20 800 30 1152 33 50 4608 7 d n dreg 36 25 4 129 5 257 513 6 1025 32 2049 33 3072 4097 7

13 Two-Face, Need for perturbations
All nude Two-Face schemes are weak (subexponential attacks), same as for HFE
Circle Plus, Plus, Minus, Circle v: suitable perturbations (only known attacks are exponential)
Generally require a small amount q^k of exhaustive search
Some are suitable for encryption and/or signature
The perturbations should be considered as a fundamental part of the schemes

14 Two-Face, Variant: MAC
We have found 7 new families of Multivariate Quadratic Permutation Polynomials!
E1(x) = B(x,z) with z = x^{q^m}
Exhaustive search on B.
Open problem: Are multivariate permutation polynomials more suitable for Multivariate Quadratic schemes?

15 Examples of MAC
Example 1. Let z = x^{2^m} and t = y^{2^m}
(Face 1): y = E1(x) = x^2 z^2 + x^2 z + x z   (1)
(Face 2): E2(x,y) = x^4 y^2 + x^4 y + x^4 t + x^3 y + x^2 t + x y + x t + y^2 + t^2 + t = 0   (2)
Example 2.
(Face 1): y = E1(x) = x^4 z^2 + x^2 z + x z   (1)
(Face 2): E2(x,y) = x^8 y + x^8 t^2 + x^8 t + x^7 t + x^6 y + x^6 t + x^5 y + x^4 y + x^3 y^2 + x^3 y + x^2 y^2 + x^2 y + x y + y^4 + y^2 + t = 0   (2)

16 Conclusions, Perspectives, Open Questions
Degree of regularity seems to behave much as in the HFE case. Why? This is not clear yet.
We have found 7 new families of multivariate quadratic permutations. Why did we find so many new families by looking for 2Faces properties? This is not clear yet.
Is it possible to find more families (non isomorphic)?
Why do permutations generally have a much smaller degree of regularity?
Ongoing work on cubic schemes (instead of quadratic)

17 Thank you

