1 / 36

Summary

Summary. (very) short history of public key cryptography Multivariate crypto: Initial designs Multivariate crypto: Initial attacks The revival Noisy schemes Gröbner algorithms Conclusion. Bob. 1976-1978 From PKC to RSA. 1976: Invention of PKC (Public Key Cryptography) by Diffie, Hellman

birch
Download Presentation

Summary

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Summary • (very) short history of public key cryptography • Multivariate crypto: Initial designs • Multivariate crypto: Initial attacks • The revival • Noisy schemes • Gröbner algorithms • Conclusion

  2. Bob 1976-1978 From PKC to RSA • 1976: Invention of PKC (Public Key Cryptography) by Diffie, Hellman • 1978: The RSA cryptosystem and signature scheme by Rivest, Shamir, Adlemany=xemod n E E D

  3. Bob PKC yields signatures • Apply D to message m to create signature • Verify using public key only • Grants non-repudiation D E

  4. Alternatives to RSA • El Gamal DSA (1985) • ECC Koblitz Miller(1985) • Others: • NTRU Hoffstein Pipher Silverman (1996) • Lattice-based (Goldreich Goldwasser Halevi 1996) • multivariate schemes (Shamir 1993, Matsumoto Imai 1988)

  5. Post-Quantum Crypto • May 24, 2036: RSA 2048 BROKENMost e-commerce sites are closing down due to lack of security in the SSL protocol, according to interviews by The Times.Slide Show: Frustration over the InternetComplete Coverage: Quantum computing and the CrisisInterview: Can MQ crypto save e-commerce?

  6. Why was RSA so successful? • It provided reasonably compact keys • It was reasonably efficient • It was related to a beautiful mathematical problem: factoring • Until the advent of Quantum Computers, the difficulty of this problem was well understood both in theory and by means of “challenges”

  7. What is the paradigm under MQ? • Multivariate schemes stem from the basic idea of replacing univariate modular equationy=xemod n by: • either a moderate # of modular equations of low degree modulo a large number • or by a large # of modular equations of low degree modulo a small number

  8. Bob The basic paradigm (2) • Start from a set of quadratic equations, which are “easy”, due to some specific underlying structure Y = F(X) ; Y =(y1,…,yk); X=(x1,…,xm); • “Hide” the underlying structure by using two linear (or affine) bijections T,S • Obtain public key by writing formulas for  = TFS • “quadratic” comes from practicality

  9. How does it work? • for PKC: encryption applies  = TFS; decryption solves “easy” equations by means of S,T • for signature: take inverse of h(m,i) under  = TFS by using T, S and solving “easy” equations

  10. When was it invented? • It was invented several times • Some believe that MQ crypto started with Shamir 93 • Others date it back to Matsumoto-Imai 88 • A few observe that trapdoor construction goes back to the early Mc Eliece 78 scheme • Many claim it would never have survived without the work of Patarin

  11. Shamir Birational (SB) Schemes • At CRYPTO 93, Shamir proposed two signature schemes: we look at 1st • Easy “sequentially linearized” equations: y1= x1 x2 mod n; n RSA integer;yi-1 = xii(x1,…,xi-1)+i(x1,…,xi-1);i=3,…,k+1 • i linear;i quadratic; • k equations in k+1 variables • solved step by step from chosen x1

  12. How did it look like? • Toy example from Shamir 93 • 2 equations 3 unknowns modulus 101 • secrety1= x1 x2y2= (29x1+43x2)x3+ (71x12+53x22+89x1x2) • public after mixing y1= 78x12+37x22+6x32+ 54x1x2 +19x1x3 +11x2x3y2= 84x12+71x22+48x32+ 44x1x2+33x1x3 +83x2x3

  13. Matsumoto Imai (MI) Scheme • AT EUROCRYPT88, M+I proposed a PK encryption scheme. • Easy equations come from quadratic polynomials in some finite binary field F(2n): Y=X with  = 2i + 2j • solved by using the inverse of  mod 2n -1

  14. How did it look like? • Toy example from MI 88: 8 variables

  15. Bob What about Cryptanalysis? • In conventional crypto: look for statistical invariants • In PK crypto look for algebraic invariants • Possible invariants: rank, invariant subspaces etc. ofmatrices

  16. Did the schemes survive? • Shamir Scheme was broken the same year 93 by Coppersmith, Stern, Vaudenay • Rank Invariants allowed to disclose hidden structure • MI scheme succumbed to an “algebraic” attack by Patarin 95 • In 95, MQ crypto was considered dead

  17. The Cryptanalysis of MI in short • Focus on  = 1 + 2i set  = 2i - 1 • Y= X • Y = X = X with = 22i - 1 • XY+1 = X+1Y •  + 1 and  + 1 are powers of two • This is a bilinear relation B(X,Y)=0 • Invariant by S,T:n independent B’s can be found by sampling and linear algebra

  18. Was there a revival? • moderate # of modular equations of low degree modulo a large number: extinct • large # of modular equations of low degree modulo a small number or more generally in a finite field: many additional species and variants(work of Patarin, Goubin, Courtois, Kipnis, Ding) • … and many cryptanalysis (Shamir, Kipnis, Faugère/Joux, Stern)

  19. for signature and encryption? • Some proposals such as HFE yield both signature and PK encryption • Others such as “oil & vinegar” - an idea pursuing Shamir’s sequentially linearized schemes-, are for signature only • Finally, Signatures allow to “discard” equations from public key : this is a way to rescue schemes as MI and turn them into new proposals (Flash)

  20. What is HFE? • Stands for Hidden Field Equation; derives from MI by replacing Y= X by more general quadratic polynomial equation of degree d: Y=  a[i,j] X[i,j] with [i,j] = 2i + 2j • Solve easy equation by Berlekamp • Requires d small

  21. Does this provide compact keys? • Private keys are OK • Public keys are over 100 kilobytes • This is a lot; but one could (maybe) live with it if RSA is broken!

  22. Is this efficient? • Encryption is very fast, even faster than RSA • Decryption is very slow: this would certainly hamper SSL-like environments • but one could (maybe) live with it if RSA is broken!

  23. Is this related to beautiful maths? • yes and no: HFE looks beautiful • however (personal view): all the variants using “perturbations” are rather ugly, at least for PK encryption • They yield 2r penalty at decryption time, where r is the “size” of the perturbation • Furthermore, removing the noise is different from the core problem

  24. How is noise added? • “minus” variants discard r equations • “plus” variants add r equations • Inner perturbations were invented by Ding at PKC 04 :replace easy F by F+H, with H quadratic over r linear functionals

  25. How is noise removed? • We take the example of Ding’s inner permutation • We try to disclose the kernelM of the r linear functionals on which R depends • This can be done by the method of differential cryptanalysis proposed by Fouque, Granboulan & Stern at Eurocypt 05

  26. What is Differential cryptanalysis? • Difference (x+k) - (x) is an affine map. Differential k is its linear part • rank of differential is “invariant” under S,T bijections • Can be used to remove noise provided distributions of ranks for “pure” and “noisy” systems can be distinguished • applied to break Ding’s perturbated MI: pure rank was n-8; noisy close to n

  27. Can you protect against DC? • Once you know DC you can try to finely tune parameters to stop statistics • This is along the lines of symmetric block cipher design • However (personal view), these intricacies make schemes ugly and loose relation to core problem

  28. Is core problem well understood? • Yes and no • For a long time proponents claimed public key indistinguishable from random • … And general problem of solving MQ equations NP complete • In 06, using DC, Granboulan, Stern, Vivien showed distinguisher for HFE • provable still mildly exponential O(n)dlog d

  29. Is there a general attack? • All multivariate schemes yield multivariate polynomial equations • Can be solved by so called Gröbner basis algorithms • These output low degree equations and/or univariate equations • Seems very hard (exp-space complete) • However may work in some cases

  30. Gröbner: how does it work? • uses  order on monomials (e.g.lexicographic) • Combines f,g into u.f - v.g to cancel leading monomials LM of f g • Reduces f by g, when LM(g) divides LM(f), by forming f-hg, g, with < LM • closes under both operations • Terminates but no efficient bound • More efficient algorithms F4, F5 based on lin al

  31. Was it invented by Gröbner? • It was invented by Buchberger in his 74 thesis • Gröbner was the thesis advisor! • In the early 80’s, French mathematician Lazard linked Gröbner algorithms and linear algebra (through Macaulay matrices) • XL algorithm independently found (rediscovered?) by CKPS at Eurocrypt 2000 • motivated by attack of HFE by Kipnis Shamir at Crypto 99, using low rank invariants

  32. Did it work against HFE? • Fist HFE challenge (degree 96; 80 variables) • Has been successfully cracked using GB algorithm F5 by Faugère and Joux 2003 • 2 days and 4 hrs • 7.65 Gbytes of RAM

  33. Was it simply “brute force”? • Hidden invariant: smallest integer m such that  degree 1 (linear) combination of terms xd ( - a) for any fixed awith d sum of at most m powers of 2 • m as small as 3 works for degree 80 • m as small as 4 works for degree up to 1280

  34. Is the complexity understood? • For a long time, complexity was unclear, e.g. in Kipnis-Shamir 99 • Work by Granboulan, Joux, Stern at Crypto 06 showed mildly exponential (heuristic) complexity O(nO(log d))

  35. Conclusion (back in may 2006) • Many algebraic objects and invariants floating around: • bilinear relations, low degree relations; • invariant subspaces, rank; • Noise appears weaker than core system (at least for PK encryption, signature may be ) • Large dimension systems may be secure • Complexity estimates close to “predictive” • Still time until Quantum Comuters are built

More Related