Summary

1
(No Transcript)
2
Summary

1. (very) short history of public key cryptography
2. Multivariate crypto Initial designs
3. Multivariate crypto Initial attacks
4. The revival
5. Noisy schemes
6. Gröbner algorithms
7. Conclusion

3
1976-1978 From PKC to RSA

• 1976 Invention of PKC (Public Key Cryptography)
  by Diffie, Hellman
• 1978 The RSA cryptosystem and signature scheme
  by Rivest, Shamir, Adleman yxe mod n

E
E
D
4
PKC yields signatures

• Apply D to message m to create signature
• Verify using public key only
• Grants non-repudiation

D
E
5
Alternatives to RSA

• El Gamal DSA (1985)
• ECC Koblitz Miller(1985)
• Others
• NTRU Hoffstein Pipher Silverman (1996)
• Lattice-based (Goldreich Goldwasser Halevi 1996)
• multivariate schemes (Shamir 1993, Matsumoto Imai
  1988)

6
Post-Quantum Crypto

• May 24, 2036 RSA 2048 BROKEN Most e-commerce
  sites are closing down due to lack of security in
  the SSL protocol, according to interviews by The
  Times.Slide Show Frustration over the
  InternetComplete Coverage Quantum computing
  and the CrisisInterview Can MQ crypto save
  e-commerce?

7
Why was RSA so successful?

• It provided reasonably compact keys
• It was reasonably efficient
• It was related to a beautiful mathematical
  problem factoring
• Until the advent of Quantum Computers, the
  difficulty of this problem was well understood
  both in theory and by means of challenges

8
What is the paradigm under MQ?

• Multivariate schemes stem from the basic idea of
  replacing univariate modular equation yxe
  mod n by
• either a moderate of modular equations of low
  degree modulo a large number
• or by a large of modular equations of low
  degree modulo a small number

9
The basic paradigm (2)

• Start from a set of quadratic equations, which
  are easy, due to some specific underlying
  structure Y F(X) Y (y1,,yk)
  X(x1,,xm)
• Hide the underlying structure by using two
  linear (or affine) bijections T,S
• Obtain public key by writing formulas for ?
  T?F?S
• quadratic comes from practicality

10
How does it work?

• for PKC encryption applies ? T?F?S
  decryption solves easy equations by means of
  S,T
• for signature take inverse of h(m,i) under ?
  T?F?S by using T, S and solving easy equations

11
When was it invented?

• It was invented several times
• Some believe that MQ crypto started with Shamir
  93
• Others date it back to Matsumoto-Imai 88
• A few observe that trapdoor construction goes
  back to the early Mc Eliece 78 scheme
• Many claim it would never have survived without
  the work of Patarin

12
Shamir Birational (SB) Schemes

• At CRYPTO 93, Shamir proposed two signature
  schemes we look at 1st
• Easy sequentially linearized equations y1 x1
  x2 mod n n RSA integeryi-1 xi
  ?i(x1,,xi-1)?i(x1,,xi-1)i3,,k1
• ?i linear ?i quadratic
• k equations in k1 variables
• solved step by step from chosen x1

13
How did it look like?

• Toy example from Shamir 93
• 2 equations 3 unknowns modulus 101
• secrety1 x1 x2 y2 (29x143x2)x3
  (71x1253x2289x1x2)
• public after mixing y1 78x1237x226x32 54x1x2
  19x1x3 11x2x3 y2 84x1271x2248x32
  44x1x233x1x3 83x2x3

14
Matsumoto Imai (MI) Scheme

• AT EUROCRYPT88, MI proposed a PK encryption
  scheme.
• Easy equations come from quadratic polynomials in
  some finite binary field F(2n) YX? with ?
  2i 2j
• solved by using the inverse of ? mod 2n -1

15
How did it look like?

• Toy example from MI 88 8 variables

16
What about Cryptanalysis?

• In conventional crypto look for statistical
  invariants
• In PK crypto look for algebraic invariants
• Possible invariants rank, invariant subspaces
  etc. ofmatrices

17
Did the schemes survive?

• Shamir Scheme was broken the same year 93 by
  Coppersmith, Stern, Vaudenay
• Rank Invariants allowed to disclose hidden
  structure
• MI scheme succumbed to an algebraic attack by
  Patarin 95
• In 95, MQ crypto was considered dead

18
The Cryptanalysis of MI in short

• Focus on ? 1 2i set ? 2i - 1
• Y X?
• Y? X?? X? with ? 22i - 1
• XY?1 X?1Y
• ? 1 and ? 1 are powers of two
• This is a bilinear relation B(X,Y)0
• Invariant by S,Tn independent Bs can be found
  by sampling and linear algebra

19
Was there a revival?

• moderate of modular equations of low degree
  modulo a large number extinct
• large of modular equations of low degree modulo
  a small number or more generally in a finite
  field many additional species and variants(work
  of Patarin, Goubin, Courtois, Kipnis, Ding)
• and many cryptanalysis (Shamir, Kipnis,
  Faugère/Joux, Stern)

20
for signature and encryption?

• Some proposals such as HFE yield both signature
  and PK encryption
• Others such as oil vinegar - an idea pursuing
  Shamirs sequentially linearized schemes-, are
  for signature only
• Finally, Signatures allow to discard equations
  from public key ? this is a way to rescue
  schemes as MI and turn them into new proposals
  (Flash)

21
What is HFE?

• Stands for Hidden Field Equation derives from MI
  by replacing Y X? by more general quadratic
  polynomial equation of degree d Y ? ai,j
  X?i,j with ?i,j 2i 2j
• Solve easy equation by Berlekamp
• Requires d small

22
Does this provide compact keys?

• Private keys are OK
• Public keys are over 100 kilobytes
• This is a lot but one could (maybe) live with it
  if RSA is broken!

23
Is this efficient?

• Encryption is very fast, even faster than RSA
• Decryption is very slow this would certainly
  hamper SSL-like environments
• but one could (maybe) live with it if RSA is
  broken!

24
Is this related to beautiful maths?

• yes and no HFE looks beautiful
• however (personal view) all the variants using
  perturbations are rather ugly, at least for PK
  encryption
• They yield 2r penalty at decryption time, where r
  is the size of the perturbation
• Furthermore, removing the noise is different from
  the core problem

25
How is noise added?

• minus variants discard r equations
• plus variants add r equations
• Inner perturbations were invented by Ding at PKC
  04 replace easy F by FH, with H quadratic over
  r linear functionals

26
How is noise removed?

• We take the example of Dings inner permutation
• We try to disclose the kernel M of the r linear
  functionals on which R depends
• This can be done by the method of differential
  cryptanalysis proposed by Fouque, Granboulan
  Stern at Eurocypt 05

27
What is Differential cryptanalysis?

• Difference ?(xk) - ?(x) is an affine map.
  Differential ??k is its linear part
• rank of differential is invariant under S,T
  bijections
• Can be used to remove noise provided
  distributions of ranks for pure and noisy
  systems can be distinguished
• applied to break Dings perturbated MI pure rank
  was n-8 noisy close to n

28
Can you protect against DC?

• Once you know DC you can try to finely tune
  parameters to stop statistics
• This is along the lines of symmetric block cipher
  design
• However (personal view), these intricacies make
  schemes ugly and loose relation to core problem

29
Is core problem well understood?

• Yes and no
• For a long time proponents claimed public key
  indistinguishable from random
• And general problem of solving MQ equations NP
  complete
• In 06, using DC, Granboulan, Stern, Vivien showed
  distinguisher for HFE
• provable still mildly exponential O(n)dlog d

30
Is there a general attack?

• All multivariate schemes yield multivariate
  polynomial equations
• Can be solved by so called Gröbner basis
  algorithms
• These output low degree equations and/or
  univariate equations
• Seems very hard (exp-space complete)
• However may work in some cases

31
Gröbner how does it work?

• uses ? order on monomials (e.g.lexicographic)
• Combines f,g into u.f - v.g to cancel leading
  monomials LM of f g
• Reduces f by g, when LM(g) divides LM(f), by
  forming f-hg, g, with lt LM
• closes under both operations
• Terminates but no efficient bound
• More efficient algorithms F4, F5 based on lin al

32
Was it invented by Gröbner?

• It was invented by Buchberger in his 74 thesis
• Gröbner was the thesis advisor!
• In the early 80s, French mathematician Lazard
  linked Gröbner algorithms and linear algebra
  (through Macaulay matrices)
• XL algorithm independently found (rediscovered?)
  by CKPS at Eurocrypt 2000
• motivated by attack of HFE by Kipnis Shamir at
  Crypto 99, using low rank invariants

33
Did it work against HFE?

• Fist HFE challenge (degree 96 80 variables)
• Has been successfully cracked using GB algorithm
  F5 by Faugère and Joux 2003
• 2 days and 4 hrs
• 7.65 Gbytes of RAM

34
Was it simply brute force?

• Hidden invariant smallest integer m such that ?
  degree 1 (linear) combination of terms xd (? -
  a) for any fixed awith d sum of at most m
  powers of 2
• m as small as 3 works for degree 80
• m as small as 4 works for degree up to 1280

35
Is the complexity understood?

• For a long time, complexity was unclear, e.g. in
  Kipnis-Shamir 99
• Work by Granboulan, Joux, Stern at Crypto 06
  showed mildly exponential (heuristic) complexity
  O(nO(log d))

36
Conclusion (back in may 2006)

• Many algebraic objects and invariants floating
  around
• bilinear relations, low degree relations
• invariant subspaces, rank
• Noise appears weaker than core system (at least
  for PK encryption, signature may be ?)
• Large dimension systems may be secure
• Complexity estimates close to predictive
• Still time until Quantum Comuters are built