multivariate public key cryptography · 2011-02-01 · symbolic computations and post-quantum...
TRANSCRIPT
![Page 1: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/1.jpg)
Symbolic Computations and Post-Quantum CryptographyOnline Seminar
Multivariate Public Key Cryptography
Jintai Ding
University of Cincinnati & Southern Chinese University of technology
Feb. 2, 2011
![Page 2: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/2.jpg)
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
![Page 3: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/3.jpg)
Happy Chinese New Year!
![Page 4: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/4.jpg)
Thank the organizers, in particular, (AlexMyasnikov)2.
Thank the generous support of the Charles PhelpsTaft Memorial Fund and the Taft Family.
![Page 5: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/5.jpg)
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
![Page 6: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/6.jpg)
PKC and Quantum computer
25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357
What is this number?
![Page 7: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/7.jpg)
PKC and Quantum computer
The number for Microsoft updates
Digital signature based on RSA
![Page 8: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/8.jpg)
PKC and Quantum computer
The number for Microsoft updates
Digital signature based on RSA
![Page 9: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/9.jpg)
PKC and Quantum computer
Mathematics behind: integer factorization
n = pq.
15 = 3× 5.
The concept behind:
Public key Cryptography
![Page 10: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/10.jpg)
PKC and Quantum computer
Mathematics behind: integer factorization
n = pq.
15 = 3× 5.
The concept behind:
Public key Cryptography
![Page 11: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/11.jpg)
PKC and Quantum computer
RSA – 2003 Turing prize
Diffie-Hellman – inventors of the idea ofPKC
![Page 12: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/12.jpg)
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
![Page 13: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/13.jpg)
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
![Page 14: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/14.jpg)
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
![Page 15: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/15.jpg)
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
![Page 16: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/16.jpg)
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
![Page 17: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/17.jpg)
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
![Page 18: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/18.jpg)
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
![Page 19: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/19.jpg)
PKC
What is PKC?
Traditionally the information is symmetric.
PKC is asymmetric
There are two sets of keys, one public and one private
Encryption: Public is for encryption and private for decryption
Digital Signature: Public is for verification and private forsigning
RSA: n is public and p,q is private.
One knows how to factor n, one can defeat RSA
![Page 20: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/20.jpg)
PKC and Quantum computer
Quantum computer: using basic particles and quantummechanics principles to perform computations
R. Feynman
In 1995, Peter Shor at IBM showed theoretically that it cansolve a family of mathematical problems including factoring.
![Page 21: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/21.jpg)
PKC and Quantum computer
Quantum computer: using basic particles and quantummechanics principles to perform computations
R. FeynmanIn 1995, Peter Shor at IBM showed theoretically that it cansolve a family of mathematical problems including factoring.
![Page 22: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/22.jpg)
PKC and Quantum computer
Can quantum computer really work?
Isaac Chuang15 million dollars to show that
15 = 3× 5.
The problem of scalingPeople have different opinions.
![Page 23: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/23.jpg)
PKC and Quantum computer
Can quantum computer really work?
Isaac Chuang15 million dollars to show that
15 = 3× 5.
The problem of scalingPeople have different opinions.
![Page 24: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/24.jpg)
PKC and Quantum computer
Can quantum computer really work?
Isaac Chuang15 million dollars to show that
15 = 3× 5.
The problem of scalingPeople have different opinions.
![Page 25: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/25.jpg)
PKC and Quantum computer
PQC – to prepare for the future of quantum computer world
Ubiquitous computing world .
![Page 26: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/26.jpg)
PKC and Quantum computer
PQC – to prepare for the future of quantum computer world
Ubiquitous computing world .
![Page 27: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/27.jpg)
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
![Page 28: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/28.jpg)
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
![Page 29: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/29.jpg)
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
![Page 30: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/30.jpg)
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
![Page 31: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/31.jpg)
PQC
Post-quantum cryptographyPublic key cryptosystems that potentially could resist thefuture quantum computer attacks. Currently there are 4 mainfamilies.
1)Code-based public key cryptographyError correcting codes
2) Hash-based public key cryptographyHash-tree construction
3) Lattice-based public key cryptographyShortest and nearest vector problems
4) Multivariate Public Key Cryptography
![Page 32: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/32.jpg)
What is a MPKC?
Multivariate Public Key Cryptosystems- Cryptosystems, whose public keys are a set of multivariatefunctions
The public key is given as:
G (x1, ..., xn) = (G1(x1, ..., xn), ...,Gm(x1, ..., xn)).
Here the Gi are multivariate (x1, ..., xn) polynomials over afinite field.
![Page 33: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/33.jpg)
What is a MPKC?
Multivariate Public Key Cryptosystems- Cryptosystems, whose public keys are a set of multivariatefunctions
The public key is given as:
G (x1, ..., xn) = (G1(x1, ..., xn), ...,Gm(x1, ..., xn)).
Here the Gi are multivariate (x1, ..., xn) polynomials over afinite field.
![Page 34: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/34.jpg)
Encryption
Any plaintext M = (x ′1, ..., x′n) has the ciphertext:
G (M) = G (x ′1, ..., x′n) = (y ′1, ..., y
′m).
To decrypt the ciphertext (y ′1, ..., y′n), one needs to know a
secret (the secret key), so that one can invert the map tofind the plaintext (x ′1, ..., x
′n).
![Page 35: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/35.jpg)
Encryption
Any plaintext M = (x ′1, ..., x′n) has the ciphertext:
G (M) = G (x ′1, ..., x′n) = (y ′1, ..., y
′m).
To decrypt the ciphertext (y ′1, ..., y′n), one needs to know a
secret (the secret key), so that one can invert the map tofind the plaintext (x ′1, ..., x
′n).
![Page 36: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/36.jpg)
Toy example
We use the finite field k = GF [2]/(x2 + x + 1) with 22
elements.
We denote the elements of the field by the set {0 , 1 , 2 , 3} tosimplify the notation.Here 0 represent the 0 in k, 1 for 1, 2 for x , and 3 for 1 + x .In this case, 1 + 3 = 2 and 2 ∗ 3 = 1 .
![Page 37: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/37.jpg)
Toy example
We use the finite field k = GF [2]/(x2 + x + 1) with 22
elements.
We denote the elements of the field by the set {0 , 1 , 2 , 3} tosimplify the notation.Here 0 represent the 0 in k, 1 for 1, 2 for x , and 3 for 1 + x .In this case, 1 + 3 = 2 and 2 ∗ 3 = 1 .
![Page 38: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/38.jpg)
A toy example
G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2
2
G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2
1
G2(x1, x2, x3) = 3x2 + x20 + 3x2
1 + x1x2 + 3x22
For example, if the plaintext is: x0 = 1 , x1 = 2 , x2 = 3 , thenwe can plug into G1,G2 and G3 to get the ciphertext y0 = 0 ,y1 = 0 , y2 = 1 .
This is a bijective map and we can invert it easily. Thisexample is based on the Matsumoto-Imai cryptosystem.
![Page 39: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/39.jpg)
A toy example
G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2
2
G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2
1
G2(x1, x2, x3) = 3x2 + x20 + 3x2
1 + x1x2 + 3x22
For example, if the plaintext is: x0 = 1 , x1 = 2 , x2 = 3 , thenwe can plug into G1,G2 and G3 to get the ciphertext y0 = 0 ,y1 = 0 , y2 = 1 .
This is a bijective map and we can invert it easily. Thisexample is based on the Matsumoto-Imai cryptosystem.
![Page 40: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/40.jpg)
A toy example
G0(x1, x2, x3) = 1 + x2 + 2x0x2 + 3x21 + 3x1x2 + x2
2
G1(x1, x2, x3) = 1 + 3x0 + 2x1 + x2 + x20 + x0x1 + 3x0x2 + x2
1
G2(x1, x2, x3) = 3x2 + x20 + 3x2
1 + x1x2 + 3x22
For example, if the plaintext is: x0 = 1 , x1 = 2 , x2 = 3 , thenwe can plug into G1,G2 and G3 to get the ciphertext y0 = 0 ,y1 = 0 , y2 = 1 .
This is a bijective map and we can invert it easily. Thisexample is based on the Matsumoto-Imai cryptosystem.
![Page 41: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/41.jpg)
Theoretical Foundation
Direct attack is to solve the set of equations:
G (M) = G (x1, ..., xn) = (y ′1, ..., y′m).
- Solving a set of n randomly chosen equations (nonlinear)with n variables is NP-complete, though this does notnecessarily ensure the security of the systems.
![Page 42: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/42.jpg)
Theoretical Foundation
Direct attack is to solve the set of equations:
G (M) = G (x1, ..., xn) = (y ′1, ..., y′m).
- Solving a set of n randomly chosen equations (nonlinear)with n variables is NP-complete, though this does notnecessarily ensure the security of the systems.
![Page 43: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/43.jpg)
Quadratic Constructions
1) Efficiency considerations lead to mainly quadraticconstructions.
Gl(x1, ..xn) =∑i ,j
αlijxixj +∑
i
βlixi + γl .
2) Mathematical structure consideration: Any set of highdegree polynomial equations can be reduced to a set ofquadratic equations.
x1x2x3 = 5,
is equivalent to
x1x2 − y = 0
yx3 = 5.
![Page 44: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/44.jpg)
Quadratic Constructions
1) Efficiency considerations lead to mainly quadraticconstructions.
Gl(x1, ..xn) =∑i ,j
αlijxixj +∑
i
βlixi + γl .
2) Mathematical structure consideration: Any set of highdegree polynomial equations can be reduced to a set ofquadratic equations.
x1x2x3 = 5,
is equivalent to
x1x2 − y = 0
yx3 = 5.
![Page 45: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/45.jpg)
The view from the history of Mathematics(Diffie in Paris)
RSA – Number Theory – the 18th century mathematics
ECC – Theory of Elliptic Curves – the 19th centurymathematics
Multivariate Public key cryptosystem – Algebraic Geometry –the 20th century mathematicsAlgebraic Geometry – Theory of Polynomial Rings
![Page 46: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/46.jpg)
The view from the history of Mathematics(Diffie in Paris)
RSA – Number Theory – the 18th century mathematics
ECC – Theory of Elliptic Curves – the 19th centurymathematics
Multivariate Public key cryptosystem – Algebraic Geometry –the 20th century mathematicsAlgebraic Geometry – Theory of Polynomial Rings
![Page 47: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/47.jpg)
The view from the history of Mathematics(Diffie in Paris)
RSA – Number Theory – the 18th century mathematics
ECC – Theory of Elliptic Curves – the 19th centurymathematics
Multivariate Public key cryptosystem – Algebraic Geometry –the 20th century mathematicsAlgebraic Geometry – Theory of Polynomial Rings
![Page 48: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/48.jpg)
Early works
Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong,Schnorr, Shamir etc
Fast development in the late 1990s.
![Page 49: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/49.jpg)
Early works
Early attempts by Diffie, Fell, Tsujii, Matsumoto, Imai, Ong,Schnorr, Shamir etc
Fast development in the late 1990s.
![Page 50: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/50.jpg)
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
![Page 51: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/51.jpg)
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
![Page 52: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/52.jpg)
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
![Page 53: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/53.jpg)
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:
(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
![Page 54: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/54.jpg)
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
![Page 55: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/55.jpg)
Multivariate Signature schemes
Public key:G (x1, . . . , xn) = (g1(x1, . . . , xn), . . . , gm(x1, . . . , xn)).
Private key: a way to compute G−1.
Signing a hash of a document:(x1, . . . , xn) ∈ G−1(y1, . . . , ym) .
Verifying: (y1, . . . , ym)?= G (x1, . . . , xn).
k, a small finite field.
![Page 56: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/56.jpg)
A toy example over GF(3)
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21
A signature: (x1, x2, x3) = (2, 0, 1)
G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0
G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1
G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1
![Page 57: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/57.jpg)
A toy example over GF(3)
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21
A signature: (x1, x2, x3) = (2, 0, 1)
G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0
G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1
G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1
![Page 58: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/58.jpg)
A toy example over GF(3)
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 Hash:
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 (y1, y2, y3) = (0, 1, 1).
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21
A signature: (x1, x2, x3) = (2, 0, 1)
G1(2, 0, 1) = 1 + 1 + 2× 0 + 1 = 0
G2(2, 0, 1) = 2 + 2 + 2× 0× 1 + 0 = 1
G3(2, 0, 1) = 1 + 0 + 2× 1 + 1 = 1
![Page 59: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/59.jpg)
Security: polynomial solving.
Signature for (y1, y2, y3) = (0, 0, 0)?
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0
Direct attack: difficulty of solving a set of nonlinearpolynomial equations over a finite field.
![Page 60: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/60.jpg)
Security: polynomial solving.
Signature for (y1, y2, y3) = (0, 0, 0)?
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0
Direct attack: difficulty of solving a set of nonlinearpolynomial equations over a finite field.
![Page 61: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/61.jpg)
Security: polynomial solving.
Signature for (y1, y2, y3) = (0, 0, 0)?
G1(x1, x2, x3) = 1 + x3 + x1x2 + x23 = 0
G2(x1, x2, x3) = 2 + x1 + 2x2x3 + x2 = 0
G3(x1, x2, x3) = 1 + x2 + x1x3 + x21 = 0
Direct attack: difficulty of solving a set of nonlinearpolynomial equations over a finite field.
![Page 62: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/62.jpg)
How to construct G?
A scheme by Kipnis, Patarin and Goubin 1999. (Eurocrypt1999)
G = F ◦ L.F : nonlinear, easy to compute F−1.L: invertible linear, to hide the structure of F .
![Page 63: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/63.jpg)
How to construct G?
A scheme by Kipnis, Patarin and Goubin 1999. (Eurocrypt1999)
G = F ◦ L.F : nonlinear, easy to compute F−1.L: invertible linear, to hide the structure of F .
![Page 64: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/64.jpg)
Unbalanced Oil-vinegar (uov) schemes
F = (f1(x1, .., xo , x ′1, ..., x′v ), · · · , fo(x1, .., xo , x ′1, ..., x
′v )).
fl(x1, ., xo , x ′1, ., x′v ) =
∑alijxix
′j+
∑blijx
′i x
′j+
∑clixi+
∑dlix
′i +el .
Oil variables: x1, ..., xo .
Vinegar variables: x ′1, ..., x′v .
![Page 65: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/65.jpg)
Unbalanced Oil-vinegar (uov) schemes
F = (f1(x1, .., xo , x ′1, ..., x′v ), · · · , fo(x1, .., xo , x ′1, ..., x
′v )).
fl(x1, ., xo , x ′1, ., x′v ) =
∑alijxix
′j+
∑blijx
′i x
′j+
∑clixi+
∑dlix
′i +el .
Oil variables: x1, ..., xo .
Vinegar variables: x ′1, ..., x′v .
![Page 66: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/66.jpg)
How to invert F?
fl(x1, ., xo , x ′1, ., x′v︸ ︷︷ ︸
fix the values
) =
∑alijxix
′j +
∑blijx
′i x
′j +
∑clixi +
∑dlix
′i + el .
![Page 67: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/67.jpg)
How to invert F?
fl(x1, ., xo , x ′1, ., x′v ) =∑
alijxix′j +
∑blijx
′i x
′j +
∑clixi +
∑dlix
′i + el .
F : linear in Oil variables: x1, .., xo .
=⇒ F : easy to invert.
![Page 68: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/68.jpg)
How to invert F?
fl(x1, ., xo , x ′1, ., x′v ) =∑
alijxix′j +
∑blijx
′i x
′j +
∑clixi +
∑dlix
′i + el .
F : linear in Oil variables: x1, .., xo .
=⇒ F : easy to invert.
![Page 69: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/69.jpg)
Security analysis
v = o and v >> o not secure
v = 2o, 3o
Direct attacks does not work.
![Page 70: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/70.jpg)
Security analysis
v = o and v >> o not secure
v = 2o, 3o
Direct attacks does not work.
![Page 71: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/71.jpg)
Security analysis
v = o and v >> o not secure
v = 2o, 3o
Direct attacks does not work.
![Page 72: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/72.jpg)
Security analysis
The mathematical problem to find equivalent secret keys —find the common null subspace spaces of a set of quadraticforms.
0 .. 0 ∗ .. ∗. . 0 ∗ .. ∗. . 0 ∗ .. ∗. . . ∗ .. ∗0 .. 0 ∗ .. ∗∗ .. ∗ ∗ .. ∗∗ .. ∗ ∗ .. ∗
The problem above can also be transformed into solving a setof quadratic equations.
![Page 73: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/73.jpg)
Security analysis
The mathematical problem to find equivalent secret keys —find the common null subspace spaces of a set of quadraticforms.
0 .. 0 ∗ .. ∗. . 0 ∗ .. ∗. . 0 ∗ .. ∗. . . ∗ .. ∗0 .. 0 ∗ .. ∗∗ .. ∗ ∗ .. ∗∗ .. ∗ ∗ .. ∗
The problem above can also be transformed into solving a setof quadratic equations.
![Page 74: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/74.jpg)
Rainbow – Ding, Schmidt, Yang etc – ACNS 05,06,07,08
Make F ”small” without reducing security.
G = L1︸︷︷︸Hide the separation
◦ F ◦ L2︸︷︷︸Hide L1◦F
.
F = (F1,F2).
Rainbow(18,12,12) over GF(28).
F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.
![Page 75: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/75.jpg)
Rainbow – Ding, Schmidt, Yang etc – ACNS 05,06,07,08
Make F ”small” without reducing security.
G = L1︸︷︷︸Hide the separation
◦ F ◦ L2︸︷︷︸Hide L1◦F
.
F = (F1,F2).
Rainbow(18,12,12) over GF(28).
F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.
![Page 76: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/76.jpg)
Rainbow – Ding, Schmidt, Yang etc – ACNS 05,06,07,08
Make F ”small” without reducing security.
G = L1︸︷︷︸Hide the separation
◦ F ◦ L2︸︷︷︸Hide L1◦F
.
F = (F1,F2).
Rainbow(18,12,12) over GF(28).
F1 : o1 = 12, v1 = 18.F2 : o2 = 12, v2 = 12 + 18 = 30.
![Page 77: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/77.jpg)
Rainbow
Rainbow(18,12,12)
Signature 400 bits Hash 336 bits
![Page 78: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/78.jpg)
Rainbow
Rainbow(18,12,12)
Signature 400 bits Hash 336 bits
![Page 79: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/79.jpg)
Implementations
IC for Rainbow: 804 cyclesA joint work of Cincinnati and Bochum.(ASAP 2008)
FPGA implementation by the research group of Professor Paarat Bochum (CHES 2009)Beat ECC in area and speed.
![Page 80: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/80.jpg)
Implementations
IC for Rainbow: 804 cyclesA joint work of Cincinnati and Bochum.(ASAP 2008)
FPGA implementation by the research group of Professor Paarat Bochum (CHES 2009)Beat ECC in area and speed.
![Page 81: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/81.jpg)
Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations — Yang and Cheng In Taiwan.
A good candidate for light-weight crypto for smalldevices like RFID.
![Page 82: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/82.jpg)
Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations — Yang and Cheng In Taiwan.
A good candidate for light-weight crypto for smalldevices like RFID.
![Page 83: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/83.jpg)
Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations — Yang and Cheng In Taiwan.
A good candidate for light-weight crypto for smalldevices like RFID.
![Page 84: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/84.jpg)
Side channel attack on Rainbow
Natural Side channel attack resistance.
Further optimizations.
Real implementations — Yang and Cheng In Taiwan.
A good candidate for light-weight crypto for smalldevices like RFID.
![Page 85: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/85.jpg)
Security
UOV: not broken since 1999.
Rainbow – MinRank problem
![Page 86: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/86.jpg)
Security
UOV: not broken since 1999.
Rainbow – MinRank problem
![Page 87: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/87.jpg)
Pros and Cons
Computationally very efficient
Large public key size
![Page 88: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/88.jpg)
Pros and Cons
Computationally very efficient
Large public key size
![Page 89: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/89.jpg)
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
![Page 90: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/90.jpg)
Notation
k is a small finite field with |k| = q
K̄ = k[x ]/(g(x)), a degree n extension of k.
The standard k-linear invertible map φ : K̄ −→ kn, andφ−1 : kn −→ K̄ .
![Page 91: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/91.jpg)
Notation
k is a small finite field with |k| = q
K̄ = k[x ]/(g(x)), a degree n extension of k.
The standard k-linear invertible map φ : K̄ −→ kn, andφ−1 : kn −→ K̄ .
![Page 92: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/92.jpg)
Notation
k is a small finite field with |k| = q
K̄ = k[x ]/(g(x)), a degree n extension of k.
The standard k-linear invertible map φ : K̄ −→ kn, andφ−1 : kn −→ K̄ .
![Page 93: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/93.jpg)
The idea of ”BIG” field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K̄ :
F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.
where the Li are randomly chosen invertible affine maps overkn
The Li are used to “hide” F̄ .
IP problem.
![Page 94: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/94.jpg)
The idea of ”BIG” field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K̄ :
F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.
where the Li are randomly chosen invertible affine maps overkn
The Li are used to “hide” F̄ .
IP problem.
![Page 95: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/95.jpg)
The idea of ”BIG” field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K̄ :
F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.
where the Li are randomly chosen invertible affine maps overkn
The Li are used to “hide” F̄ .
IP problem.
![Page 96: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/96.jpg)
The idea of ”BIG” field
Proposed in 1988 by Matsumoto-Imai.
Build up a map F over K̄ :
F̄ = L1 ◦ φ ◦ F ◦ φ−1 ◦ L2.
where the Li are randomly chosen invertible affine maps overkn
The Li are used to “hide” F̄ .
IP problem.
![Page 97: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/97.jpg)
Encryption
The MI construction:
F : X 7−→ X qθ+1.
Let F̃ (x1, . . . , xn) = φ ◦ F ◦ φ−1(x1, . . . , xn) = (F̃1, . . . , F̃n).
The F̃i = F̃i (x1, . . . , xn) are quadratic polynomials in nvariables. Why quadratic?
X qθ+1 = X qθ × X .
![Page 98: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/98.jpg)
Encryption
The MI construction:
F : X 7−→ X qθ+1.
Let F̃ (x1, . . . , xn) = φ ◦ F ◦ φ−1(x1, . . . , xn) = (F̃1, . . . , F̃n).
The F̃i = F̃i (x1, . . . , xn) are quadratic polynomials in nvariables. Why quadratic?
X qθ+1 = X qθ × X .
![Page 99: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/99.jpg)
Encryption
The MI construction:
F : X 7−→ X qθ+1.
Let F̃ (x1, . . . , xn) = φ ◦ F ◦ φ−1(x1, . . . , xn) = (F̃1, . . . , F̃n).
The F̃i = F̃i (x1, . . . , xn) are quadratic polynomials in nvariables. Why quadratic?
X qθ+1 = X qθ × X .
![Page 100: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/100.jpg)
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
![Page 101: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/101.jpg)
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
![Page 102: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/102.jpg)
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
![Page 103: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/103.jpg)
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
![Page 104: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/104.jpg)
Decryption
The condition: gcd (qθ + 1, qn − 1) = 1, ensures theinvertibility of the map for purposes of decryption.It requires that k must be of characteristic 2.
F−1(X ) = X t such that:
t × (qθ + 1) ≡ 1 (mod qn − 1).
The public key includes the field structure of k, θ andF̄ = (F̄1, .., F̄n). The secret keys are L1 and L2.
The first toy example is produced by setting n = 3 and θ = 2.
This scheme is defeated by linearization equation method byPatarin 1995.
![Page 105: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/105.jpg)
HFE by Patarin etc
The only difference from MI is that F is replaced by a newmap given by:
F (X ) =D∑
i ,j=0
aijXqi+qj
+D∑
i=0
biXqi
+ c .
Due to the work of Kipnis and Shamir, Faugere, Joux, Dcannot be too small. Therefore, the system is much slower.
D can not too large due to the inversion of using Berlakempalgorithms of solving one variable equations.
![Page 106: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/106.jpg)
HFE by Patarin etc
The only difference from MI is that F is replaced by a newmap given by:
F (X ) =D∑
i ,j=0
aijXqi+qj
+D∑
i=0
biXqi
+ c .
Due to the work of Kipnis and Shamir, Faugere, Joux, Dcannot be too small. Therefore, the system is much slower.
D can not too large due to the inversion of using Berlakempalgorithms of solving one variable equations.
![Page 107: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/107.jpg)
HFE by Patarin etc
The only difference from MI is that F is replaced by a newmap given by:
F (X ) =D∑
i ,j=0
aijXqi+qj
+D∑
i=0
biXqi
+ c .
Due to the work of Kipnis and Shamir, Faugere, Joux, Dcannot be too small. Therefore, the system is much slower.
D can not too large due to the inversion of using Berlakempalgorithms of solving one variable equations.
![Page 108: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/108.jpg)
Internal Perturbation
(Internal) Perturbation was introduced at PKC 2004 as ageneral method to improve the security of multivariate publickey cryptosystems.
Construction – small-scale “noise” is added to the system in acontrolled way so as to not fundamentally alter the mainstructure, but yet substantially increase the “entropy.”
![Page 109: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/109.jpg)
Internal Perturbation
(Internal) Perturbation was introduced at PKC 2004 as ageneral method to improve the security of multivariate publickey cryptosystems.
Construction – small-scale “noise” is added to the system in acontrolled way so as to not fundamentally alter the mainstructure, but yet substantially increase the “entropy.”
![Page 110: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/110.jpg)
Internal Perturbation
Let r be a small integer and
z1(x1, . . . , xn) =n∑
j=1
αj1xj + β1
...
zr (x1, . . . , xn) =n∑
j=1
αjrxj + βr
be a set of randomly chosen affine linear functions in the xi
over kn such that the zj − βj are linearly independent.
We can use these linear functions to create quadratic”perturbation” in HFE (including MI) systems.
![Page 111: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/111.jpg)
Internal Perturbation
Let r be a small integer and
z1(x1, . . . , xn) =n∑
j=1
αj1xj + β1
...
zr (x1, . . . , xn) =n∑
j=1
αjrxj + βr
be a set of randomly chosen affine linear functions in the xi
over kn such that the zj − βj are linearly independent.
We can use these linear functions to create quadratic”perturbation” in HFE (including MI) systems.
![Page 112: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/112.jpg)
IP of MI
x1, . . . , xn
?
?
L1
F̃1, . . . , F̃n
-
?
z1, . . . , zr
f1, . . . , fn
�+
?L2
y1, . . . , yn
Figure: Structure of Perturbation of the Matsumoto-Imai System.
![Page 113: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/113.jpg)
Decryption
We need to a search of size of qr , therefore slower.
We need to use Plus Method, Adding random polynomial,to help it to resist differential attacks.
Despite the cost of the search, it is still efficient.
![Page 114: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/114.jpg)
Decryption
We need to a search of size of qr , therefore slower.
We need to use Plus Method, Adding random polynomial,to help it to resist differential attacks.
Despite the cost of the search, it is still efficient.
![Page 115: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/115.jpg)
Decryption
We need to a search of size of qr , therefore slower.
We need to use Plus Method, Adding random polynomial,to help it to resist differential attacks.
Despite the cost of the search, it is still efficient.
![Page 116: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/116.jpg)
Efficient schemes
PMI+
IPHFE+ (odd characteristics)
IPMHFE+ (odd characteristics)
![Page 117: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/117.jpg)
Efficient schemes
PMI+
IPHFE+ (odd characteristics)
IPMHFE+ (odd characteristics)
![Page 118: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/118.jpg)
Efficient schemes
PMI+
IPHFE+ (odd characteristics)
IPMHFE+ (odd characteristics)
![Page 119: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/119.jpg)
Other works
Quartz – HFEV- – very short signature
MHFEv- short but much more efficinet schemes
MFE, TTM
![Page 120: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/120.jpg)
Other works
Quartz – HFEV- – very short signature
MHFEv- short but much more efficinet schemes
MFE, TTM
![Page 121: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/121.jpg)
Other works
Quartz – HFEV- – very short signature
MHFEv- short but much more efficinet schemes
MFE, TTM
![Page 122: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/122.jpg)
Outline
1 Introduction
2 Signature schemes
3 Encryption schemes
4 Challenges
![Page 123: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/123.jpg)
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
![Page 124: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/124.jpg)
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
![Page 125: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/125.jpg)
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
![Page 126: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/126.jpg)
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
![Page 127: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/127.jpg)
Direct attacks
New polynomial solving algorithms, MXL, MGB, ZZ.
Complexity analysis – recent work of Dubois, Gamma
SAT solver is not really a threat but needs more understanding
The connection with algebraic cryptanalysis of symmetricciphers
Quantum computer attacks?
![Page 128: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/128.jpg)
Provable security
A very difficult question
Some new results are coming out.
![Page 129: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/129.jpg)
Provable security
A very difficult question
Some new results are coming out.
![Page 130: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/130.jpg)
New constructions
New algebraic structure to exploreHeindl, Gao – Diophantine Equations
Other structures
![Page 131: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/131.jpg)
New constructions
New algebraic structure to exploreHeindl, Gao – Diophantine Equations
Other structures
![Page 132: Multivariate Public Key Cryptography · 2011-02-01 · Symbolic Computations and Post-Quantum Cryptography Online Seminar Multivariate Public Key Cryptography Jintai Ding University](https://reader034.vdocuments.net/reader034/viewer/2022042201/5ea131eb5bfd71171d0f631c/html5/thumbnails/132.jpg)
The end
Thank you very much!
Questions?