a survey on the algebraic surface cryptosystems

Copyright 2012, Toshiba Corporation.

A Survey on the Algebraic Surface Cryptosystems

Koichiro Akiyama ( TOSHIBA Corporation )Joint work with Prof. Yasuhiro Goto

2013/03/02

2

Contents

1. Introduction

Public key cryptosystem, Motivation

2. Section Finding ProblemA Computational Hard Problem on Algebraic Surface

3. Algebraic Surface Public-key CryptosystemEncryption/Decryption/Key Generation Algorithms

4. Known Attacks－ Rational Point Attack

－ Ideal Factorization Attack

5. Conclusion and Future Research


3

Contents

1. Introduction








4

sHueLjOl8k7sHueLjOl8k7

Public key Cryptosystem ( Concept )

B’s Public Key

Ex. Integer Factorization

ComputationalHard Problem

Security of public key cryptosystem relies on thethe problem which is hard to compute.

Hello World

B’s Secret Key

Hello World

SenderA

ReceiverB


5

Motivation

• Want to construct public-key cryptosystems having following features– Resistant against known attacks by quantum computer.

( Not based on the factorization or discrete logarithm problems. )

– Fast in process time & compact in size.

– Based on a hard problem in algebraic geometry.

Our target is an algebraic surface


6

Comparison with other cryptosystems

RSAElliptic CurveCryptosystem

MultivariateCryptosystems

Fast & compact

Algebraic SurfaceCryptosystem

(1) Short Public key(2) Higher Dimensional

Equations

)( 3nOPublic key sizePublic key size )(nO

n: number of valuables

higher degree (>3) equations Quadratic equations


7

Easy for Quantum Computer

DesignEncryptionAlgorithm

Next talk

Construction for Public Key Cryptosystem

Selection ofHard

ProblemCall for Attack

Sta

rt

Definethe secure parameters

ElementaryAlgorithm

OptimizedAlgorithms

Practicalimplementation

ImprovementAttack Success!

Security Proof

Size of the parameterH

ardness

Security requirement

RSA Cryptosystem

N pq

,p q

Factoring Problem

EasyHard

Algebraic Surface Cryptosystem

Hard even for Quantum Computer

Easy

Section

Hard

The Section Finding Problem

AlgebraicSurface

(mod )em N m fs Xr

Secure parameter


8

Contents

1. Introduction








9

Algebraic Surface

X

0552),,( 3435 tyttxytxxyytyxX

An algebraic surface (we use) is a 2-dimensional affine algebraic variety with fibration.

We consider algebraic surfaces defined over a finite field .qF

where is small enough to calculate, but need not be 2. )( qFchar

qF


10

Section Finding Problem ( SFP )

X

1D

2D3D

3 2 3 3 2( , , ) 3 ( 1)2 4 3 1 0X x y t tx y t xy t x y tx Algebraic Surface

( ( ), ( ), ) 0x yX u t u t t

( , , ) 0X x y t Algebraic Surface

( , , ) ( ( ), ( ), )x yx y t u t u t tsection

hard easy


11

General Solution of SFP

0101 )()( tttutttu ddy

ddx

To solve the SFP, we put the section as follows:

( 　　　　　　　　　　　　　　　　　　 are variables )dd ,,,,, 1010

Ikji

kjy

ixijkyx ttututtutuX

),,(

)()()),(),((

0),,,,,(0

00

hd

r

hdh tc

The SFP is reduced to multivariable equations

0),,,,,(

0),,,,,(

00

000

ddr

dd

c

c

}0|)max{(0

kji

uijk tyxkdjir

ijk

Substitute 　　　　　　　 into , we obtain 　　

0),,( tyxX( ), ( )x yu t u t


12

Contents

1. Introduction








13

（　　　　　　　　　　　　 are given ）

Keys

1. System parameters– Size of finite field : prime

– Degree of section :

2. Public key– Algebraic surface

– Form of the plaintext polynomial

– Form of the divisor polynomial

3. Secret key– Section

pF p

deg ( ) deg ( ) x yd u t u t

( , )

( , , ) ( ) (mod )X

i jij

i j

X x y t c t x y p

( , , ) ( ( ), ( ), ) (mod )x yx y t u t u t t p

(example) 5p

( , )

( , , ) ( ) (mod )m

i jij

i j

m x y t m t x y p

( , )

( , , ) ( ) (mod )f

i jij

i j

f x y t f t x y p

,deg ( )m ijm t( 　　　　　　　　　　　　 are given ）

,deg ( )f ijf t

* * *deg ( , , ) deg ( , , ) deg ( , , ) X x y t m x y t f x y t


* { , , } x y t

14

　　　　　　　　　

Form of the plaintext polynomial

( , )

( , , ) ( ) (mod )m

i jij

i j

m x y t m t x y p

m

For example,

{(3,0), (1,2), (0,0)}m

( ( , ) )mi j and deg ( )ijm t

30 12 00deg ( ) 2,deg ( ) 1,deg ( ) 0m t m t m t

Form described the formula as fllows:2 3 2( , , ) ( ) ( )m x y t t t x t xy

indicates an element of pF

are designated.


15

plaintext m embedded to m(x,y,t)

2 3 2( , , ) ( ) ( )m x y t t t x t xy

2FIn the case of(2)(101101)m

2 3 2( , , ) ( 1) 1m x y t t x txy

5FIn the case of plaintext must be divided into 2bits block

(2)(10 |11| 01|10 | 00 |10)m2 3 2( , , ) (2 3 1) 2 2m x y t t t x txy

So the plaintext described as

Therefore m embedded to m(x,y,t) as coefficients


16

Encryption

Random polynomial

( , , ), ( , , ) ( 1,2)i is x y t r x y t i Divisor polynomial

( , , )f x y t

),,( tyxX

Public Key ： algebraic surface

Randomize（ operations ）

message M

embed

Message poly. ( , , )m x y t

1

2

1 1

2 2

( , , ) ( , , ) ( , , ) ( , , ) ( , , ) ( , , )

( , , ) ( , , ) ( , , ) ( , , ) ( , , ) ( , , )

F x y t m x y t f x y t x y t X x y t x y t

F x y t m x y t f x y t x y t X

s r

s x y t x y tr

Cipher text


17

Decryption

( ( ), ( ), )x yf u t u t t

: ( , , ) ( ( ), ( ), )x yD x y t u t u t tSecret key: Section

1 1 1( , , ( , , )) (( , , ) , ( , , ) ( , ,, ))F x y t s X x y tx y t rm x y xt f x y t y t

message polynomial( ( ), ( ), )x ym u t u t t

Cipher

1 2{ (( ( ( ), ( ), ) ( ( ), ( ), )) ) }, ( ),x x y x yy s u t uf u t u t t t t s v t v t t

factoring

Section substitute

message M

Public key

Plaintext Random

2 2 2( , , ( , , )) (( , , ) , ( , , ) ( , ,, ))F x y t s X x y tx y t rm x y xt f x y t y t

1( ( ), ( ), ) ( ( ), ( ), ) ( ( ), ( ), )x y x y x ym u t u t t f u t u s u t u tt t t

2( ( ), ( ), ) ( ( ), ( ), ) ( ( ), ( ), )x y x y x ym u t u t t f u t u s u t u tt t t

Solve linear equations

Random


18

Key generation

( , ) (0,0)00( , , ) (( ) 0)

X

i jij

i j

c t cX x y xt ty

Public key: algebraic surface

( )ijc t ( , ) (0,0)Xi j

Coefficients other than constant term

( , , ) ( ( ), ( ), )x yx y t u t u t tSecret key : section

Select randomly Select randomly

( , ) (0,0)00 ( ) ( ) ( )( )

X

i jij x y

i j

c tc t u t u t

Calculate the constant term


19

Contents

1. Introduction








20

Rational point attack ( 1 )

11 1( ,( , , ) ( ,( , , ) ,, ) ( , ( , , ), ))sF x y t X x ym x x y t ry t f x y t x tt y

22 2( ,( , , ) ( ,( , , ) ,, ) ( , ( , , ), ))sF x y t X x ym x x y t ry t f x y t x tt y

( , , )F x y t ( , , )( , ( , )) , ( , ,, )f s x y t r xX x yt ty yx t

1 2( , , ) ( , , ) ( , , )s x y t s x y t s x y t 1 2( , , ) ( , , ) ( , , )r x y t r x y t r x y t

where1 2( , , ) ( , , ) ( , , )F x y t F x y t F x y t

subtractRemove the plaintextpolynomial


21



substitution

( , , )

( , ,( , , ) )g

i j kn n n ijk n n n

in

j kn ng x y t g x y t F x y t

( , , )

( , , ) ( )g

i j kijk ijk p

i j k

g x y t g x y t g F

=construct

( , , )g x y t

SolveLinear Equation

factoring (( ), ,, ,)sf xt yy txextra

ct( , , )f x y t

Success!

( , , )n n nx y t, )(( 0, )n n nX x y t

rational points


22


11 1( ,( , , ) ( , , ) ( ,( , , ) ( , , )) ,, )sF x y t f x y t X x ym x y t rx t tt xy y

=( , , )

( , , )m

i j kijk

i j k

m x y t m x y t

( )ijk pf F

=

1( , , )

( , , )s

i j kijk

i j k

s x y t s x y t

( )ijk ps F

substitution

( , , ( , )) ,

( , , ) ( , , )sm

i jn n n

i j kijk n n n

i j

kijk n n n

in

jn

kn

k

sf x y t F x y tt yx xm y t

reconstruct

( , , )m x y t

Solve linear equations

( , , )n n nx y t, )(( 0, )n n nX x y t

rational points


23

which is in the same form of and satisfy .

0 0( ( , , ))g g x y t

0 0F g Xr 0r

f

r

If is a solution, there exists polynomial

For arbitrary which is in the same form of ,f

We can avoid the attack, when we select the form of which has enough polynomials not to be able to identify the correct one.

f

Counter measure against RPA


( , , )g x y t

=

( , , )g x y t (( ), ,, ,)rX xt yy txand are in the same form

0 00 0( ( ))F g XXr rrg X r

This is also another solution


24

Ideal factorization attack

( ,( , , ) ( , ,( , , ) ( , , ), ) ( , ), ) ii isF x y t X x ym x x y t ry t f x y t x tt y ( 1,2)i

Cipher text

1 2 1 2( , )F F X I I Ideal Factoring

where 2 11 2( , )), ( ,II sX s Xf

1 2 1( , , ) ( , , )J F F I XmX f ( )

( , ) 0

( ) ( ) 0

mij

m

di j k

Jk

ki

jj

i JmNF NF x y tm

Solve Linear Eq.

( , , )m x y t


25

Sequence of events on ASCJan 2004 1st version was proposed in domestic conference

May 2006 1st version was presented

in international conference PQC2006 Jintai Ding pointed out a flaw in our system

Oct 2006 2nd version was presented in AMS conference.

. Jan 2007 Shigenori Uchiyama proposed an attack against 2nd version

. Apr 2007 Felipe Voloch proposed another attack against 2nd version

Jan 2008 3rd version was proposed in domestic conference.

Mar 2009 3rd was presented

in international conference PKC2009May 2010 Jean-Charles Faugere( INRIA )

proposed an attack against 3rd version.Now We are preparing 4th version

whose security is equivalent to SFP.


26

Contents

1. Introduction








27

Conclusions

• We showed a new type of public-key cryptosystem using an algebraic surface.– We showed the algorithm for encryption, decryption and key

generation.

• Our contributions are– The public key size is O(n).

– Our cryptosystem is associated higher general equations than multivariate cryptosystems. ( contains equation which degree is more than 3)


28

Next Talk

• Construct a secure algorithm– We try to construct a provable secure cryptosystem

• Determine the recommendable parameter size – We developed an efficient algorithm to solve the SFP.

– Now we estimate computational complexity by computational experimentation.

Open Problems

( , , ) ( , , ) ( , , ) ( , , ) ( , , ) ( , , )F x y t m x y t f x y t s x y t X x y t r x y t


29The Algebraic Surface Cryptosystem and its security

a survey on the algebraic surface cryptosystems

Documents