
1 Ruhr University Bochum, Faculty of Mathematics, Information-Security and Cryptology
On the Security of HFE, HFEv- and Quartz
Nicolas T. Courtois, Magnus Daum, Patrick Felke
This talk is supported by STORK

2 Ruhr University Bochum, Faculty of Mathematics, Information-Security and Cryptology, 07.11.2002. Courtois, Daum, Felke: On the Security of HFE, HFEv- and Quartz
Overview
– What is HFE?
– Solving HFE systems with Gröbner Bases Algorithms
– Results from Simulations
– Conclusion

3 What is HFE?

4 Basic HFE: Example

5 Basic HFE: Example

6 Basic HFE: Example (Verifying)

7 Basic HFE: Example (Signing)

8 Perturbations
Small changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure,
e.g. "-" (i.e. removing polynomials).
Figure label: Public Key

9 Perturbations
Small changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure,
e.g. "v" (i.e. adding variables), (after "mixing" with S and T).
Figure label: Public Key

10 Perturbations
Small changes on the multivariate side of the cryptosystem which are used to hide the underlying algebraic structure.
Perturbations can be combined, e.g. to HFEv- systems.
Quartz is a special instance of an HFEv- system.

11 Parameters of HFEv-
q: size of smaller finite field K
h: extension degree of L (i.e. |L| = q^h)
d: degree of hidden polynomial
r: number of removed equations ("-")
v: number of added variables ("v")
m = h - r: number of equations in the public key
n = h + v: number of variables in the public key

12 Overview
– What is HFE?
– Solving HFE systems with Gröbner Bases Algorithms
  – General Approach with Buchberger Algorithm
  – Characteristics of HFE systems
  – Faugère's Attack on HFE Challenge 1
– Results from Simulations
– Conclusion

13 General Approach

14 General Approach: Example (Signing)

15 General Approach: Example
Buchberger Algorithm

16 General Approach: Example
Buchberger Algorithm
Advantages:
– we compute only information we need
– degree of polynomials involved in this computation is bounded

17 General Approach
In general, the Buchberger algorithm has exponential worst-case complexity
⇒ only feasible for very few unknowns
But HFE systems are special:
– very small finite field
– quadratic polynomials
– solutions in the base field F_q
– hidden polynomial
⇒ Optimized variants of the Buchberger algorithm might be able to solve Basic HFE systems

18 General Approach
Best known attack on Basic HFE: Faugère's Algorithm F5/2 (April 2002) successfully attacked HFE challenge 1 (n=80, d=96) in 96h on an 833 MHz Alpha workstation.
On perturbed HFE systems:
– No feasible attacks known, but
– e.g. F5/2 can be applied to such systems
– Complexity is not known

19 Simulations

20 Simulations
Simulations were done in SINGULAR using the stdfglm function.
Parameters: Finite Field K with HFE systems with and systems of random quadratic equations both with, equations unknowns

21 Improvements
A perturbed system consists of equations and unknowns.
The following steps speed up the computations:
– Fix variables with values not chosen before. Apply stdfglm to the resulting system.
– If the resulting system has no solution, repeat the above step until the resulting system has a solution.

22 Improvements
Number of tries is 1.6 on average.
For our experiments we define Usually we have
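The fix-and-retry loop from the Improvements slides, as an added example (not the authors' SINGULAR code): exhaustive search over GF(2) stands in for stdfglm, and fixing n - m variables per attempt is an assumption, because the transcript does not preserve that count. The function names and the toy sizes (m = 6, n = 10) are hypothetical, and all systems and targets are constructed at random.

```python
import random
from itertools import combinations

def random_quadratic(n, rng):
    """Random quadratic polynomial over GF(2), stored as a list of monomial bitmasks."""
    monomials = [0] + [1 << i for i in range(n)]  # constant and linear terms
    monomials += [(1 << i) | (1 << j) for i, j in combinations(range(n), 2)]
    return [mono for mono in monomials if rng.random() < 0.5]

def evaluate(poly, x):
    """Value of poly at bit vector x: parity of the monomials that evaluate to 1."""
    return sum((x & mono) == mono for mono in poly) & 1

def fix_and_solve(system, target, n, rng):
    """Fix n - m variables (assumed count), solve the square system, retry on failure.

    Returns (solution, tries); solution is None if every fixing was exhausted.
    """
    m = len(system)
    fixings = list(range(1 << (n - m)))
    rng.shuffle(fixings)  # each fixing is used at most once ("not chosen before")
    for tries, fixed in enumerate(fixings, start=1):
        for free in range(1 << m):  # exhaustive search stands in for stdfglm
            x = (fixed << m) | free
            if all(evaluate(p, x) == t for p, t in zip(system, target)):
                return x, tries
    return None, len(fixings)

def average_tries(m, n, trials, seed):
    """Mean number of fixings tried over constructed random systems and targets."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        system = [random_quadratic(n, rng) for _ in range(m)]
        target = [rng.getrandbits(1) for _ in range(m)]
        total += fix_and_solve(system, target, n, rng)[1]
    return total / trials

if __name__ == "__main__":
    # Toy sizes (constructed): m = 6 equations, n = 10 unknowns, so v + r = 4.
    print(f"average tries: {average_tries(6, 10, 300, seed=2002):.2f}")
```

A random square system over GF(2) has a solution with probability close to 1 - 1/e ≈ 0.63, so the expected number of fixings is about 1.6, in line with the figure on the slide.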

23 What to Measure?
Forging a signature of an HFEv- system means solving a system of m quadratic equations in n unknowns, i.e. solving an instance of the MQ-Problem.
The MQ-Problem seems to be hard on average. A randomly chosen system is hard to solve.
Randomness Security
We define (randomness). is the value of T obtained for random systems of quadratic equations.

24 Experimental Results
[Plot for h=15, d=5, q=2; plot annotations: ∙3 ∙3 ∙3 ∙3 ∙2]

25 Experimental Results
R depends mainly on the total number v+r of perturbations.
"-" may decrease the total time. Use more "v".
If, for an unperturbed HFE-system, then
The more, the more is the increase in the relative security when v+r is increased.
– e.g. if, d the degree of the HFE polynomial, is small compared to h as in case of Quartz.

26 Conclusions for Quartz
Faugère's attack computes a Gröbner Basis, so applying our results to his attack gives:
– For Quartz with d=129 and v+r=7 his attack will probably need.
– For Quartz with d=257 we estimate a complexity of

27 Conclusions for Quartz
The parameter d of Quartz probably needs to be increased from d=129 to d=257.
Signatures with Quartz will then take 6 seconds on average (on a PC with 2 GHz).
Compared to other schemes, slowness is currently the price to pay for short signatures.

