
TWO-FACE New Public Key Multivariate Schemes

AfricaCrypt 2018. TWO-FACE New Public Key Multivariate Schemes. Jacques Patarin Gilles Macario-Rat. Motivations.


Presentation Transcript


  1. AfricaCrypt 2018 TWO-FACE New Public Key Multivariate Schemes Jacques Patarin Gilles Macario-Rat

  2. Motivations • Search for new multivariate schemes for post-quantum cryptography, particularly for encryption. (At present multivariate public key schemes are more efficient in signature than in encryption). • Perturbed HFE and UOV still valid • Search for new multivariate quadratic permutations

  3. Generic scheme for Quadratic Multivariate Cryptography • Trapdoor • P : multivariate quadratic polynomial • P(x) = y Efficient way to solve in x • Secret structure • T,S linear • Public = T o P o S • Set of quadratic multivariate equations

  4. Two-Face : Basic Idea • Trapdoor • Face n° 1 • E1(x) = y : Multivariate quadratic polynomial • Not efficient for solving (high degree in x) • Public = T o E1 o S • Set of quadratic multivariate equations • Face n° 2 • E2(x,y) = 0 Efficient way to solve in x • Not quadratic (high degree in y) • E1 and E2 are of course related • ( E1(x) = y ) => ( E2(x,y) = 0 )

  5. Two-Face, initial Flavor: Dob • Dobbertin Permutation Polynomial is a simple 2Face! This is the original family from which we imagined the Two-face public key schemes. Dobbertin in 1999 proved that for any integer m, and with n = 2m - 1, the polynomial P(x) = x^{2^m+1} + x^3 + x is a permutation over GF(2^n). Moreover, from (Face 1): y = E1(x) = x^{2^m+1} + x^3 + x (1) we can get this equation (Face 2): E2(x,y) = x^9 + x^6 y + x^4 y + x^5 + x^3 y^{2^m} + x^3 y^2 + x y^2 + y^3 = 0 (2) From (2), when y is given, we can easily find x by solving this equation of degree only 9.
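The Dob relation on slide 5, checked exhaustively over small fields (added example, not part of the original slides). It verifies that Face 1 is a permutation, that every pair (x, E1(x)) satisfies Face 2, and that x can be recovered from y through Face 2. The function names and the irreducible moduli are assumptions made for this sketch.

```python
# Added example: exhaustive check of the Dob relation over small GF(2^n).
# Elements are n-bit ints; addition is XOR. Moduli are assumed choices.
IRREDUCIBLE = {3: 0b1011, 5: 0b100101, 7: 0b10000011}  # n -> modulus bits


def make_field(n):
    mod = IRREDUCIBLE[n]

    def mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> n:           # degree reached n: reduce by the modulus
                a ^= mod
        return r

    def pw(a, e):
        r = 1
        while e:
            if e & 1:
                r = mul(r, a)
            a = mul(a, a)
            e >>= 1
        return r

    return mul, pw


def dob_faces(m):
    """Return (n, E1, E2) for n = 2m - 1, following equations (1) and (2)."""
    n = 2 * m - 1
    mul, pw = make_field(n)
    q = 1 << m                   # the exponent 2^m

    def e1(x):
        return pw(x, q + 1) ^ pw(x, 3) ^ x

    def e2(x, y):
        return (pw(x, 9) ^ mul(pw(x, 6), y) ^ mul(pw(x, 4), y) ^ pw(x, 5)
                ^ mul(pw(x, 3), pw(y, q)) ^ mul(pw(x, 3), pw(y, 2))
                ^ mul(x, pw(y, 2)) ^ pw(y, 3))

    return n, e1, e2


def invert(m, y):
    """Face 2 inversion: roots in x of E2(x, y) = 0, filtered through Face 1."""
    n, e1, e2 = dob_faces(m)
    return [x for x in range(1 << n) if e2(x, y) == 0 and e1(x) == y]
```

At these sizes the roots are found by trying every field element; at the parameter sizes on slide 7 one would instead run a root-finding algorithm on the degree-9 polynomial in x.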

  6. Cryptanalysis of the “nude Dob” If we used (1) directly in a “nude Dob” scheme, i.e. without any perturbation, we would get a weak scheme, totally broken by Gröbner basis computations. More precisely, the degree of regularity obtained in a Gröbner basis attack is always only 3 in the experiments we conducted. (The degree of regularity is the highest degree that must be used in order for the Gröbner basis computation to succeed.) However, with adequate perturbations the modified scheme resists so far all the attacks we know.

  7. Examples of perturbations, examples of parameters for Dob+ Some perturbations are better for signatures, and some are better for encryption. For encryption with Dob, we suggest using the two perturbations: + and . +: we mix the public key with a small number r of random secret quadratic equations in all the n variables. : we mix the public key with n random secret quadratic equations in a small number s of variables. Example of parameters for Dob+ For example, the parameters n = 129, r = s = 6 give a very efficient multivariate public key encryption scheme. Decryption costs 2^{12} root computations of a degree-9 polynomial. At present our best known attacks require 2^{80} computations, or more.

  8. Two-Face, first Variant: Simple PAT • Deriving new relations E1/E2 • E1(x) = x^{1+q^m} + Q(x) = y ; over GF(q^n) with n = 2m - 1 • New inner relation between x and y by introducing a new variable z • z = x^{q^m} • Elimination of z between • E1(x) - y and (E1(x) - y)^{q^m} • E2(x,y) is the resultant • The degree of E2 in x is ≤ (the degree of Q)²

  9. Examples of Simple PAT Example 1. (Face 1): y = E1(x) = x^{2^m+1} + x^5 + x^3 (1) (Face 2): E2(x,y) = x^25 + x^23 + x^20 y + x^13 + x^9 + x^8 y + x^7 y^2 + x^6 y + x^5 y^4 + x^5 y^2 + x^5 y^{2^m} + x^3 y^4 + x^2 y^3 + y^5 = 0 (2) Example 2. (Face 1): y = E1(x) = x^{2^m+1} + x^6 + x^5 (1) (Face 2): E2(x,y) = x^36 + x^34 + x^32 + x^31 + x^27 + x^26 + x^25 y + x^24 y^2 + x^21 y + x^20 y^2 + x^13 + x^12 y^4 + x^12 + x^10 y^4 + x^7 y^4 + x^7 y + x^6 y^4 + x^6 y^{2^m} + x y^5 + y^6 = 0 (2)

  10. Simple PAT versus HFE (Nude) [Figure; panel titles: Simple PAT (Nude), HFE]

  11. Two-Face, next Variant: General PAT • Deriving new relations E1/E2 • More complex expressions but with a similar pattern • E1(x) = B(x,x^{2^m}) = y ; over GF(2^n) with n = 2m - 1 • Again z = x^{2^m} • Elimination of z between B(x,z) - y and (B(x,z) - y)^{2^m} • E2(x,y) is the resultant; its degree is bounded by the degree of B

  12. General PAT versus HFE (Nude) [Figure; panel titles: General PAT (Nude), HFE]

  13. Two-Face, Need for perturbations • All nude Two-Face schemes are weak (sub-exponential attacks), same as for HFE • Circle Plus, Plus, Minus, Circle v: suitable perturbations (only known exponential attacks) • Generally require a small amount q^k of exhaustive search • Some are suitable for encryption and/or signature • The perturbations should be considered as a fundamental part of the schemes

  14. Two-Face, Variant: MAC • We have found 7 new families of Multivariate Quadratic Permutation Polynomials! • E1(x) = B(x,z) with z = x^{q^m} • Exhaustive search on B. • Open problem : Are multivariate permutation polynomials more suitable for Multivariate Quadratic schemes?

  15. Examples of MAC Example 1. Let z = x^{2^m} and t = y^{2^m} (Face 1): y = E1(x) = x^2 z^2 + x^2 z + x z (1) (Face 2): E2(x,y) = x^4 y^2 + x^4 y + x^4 t + x^3 y + x^2 t + x y + x t + y^2 + t^2 + t = 0 (2) Example 2. Let z = x^{2^m} and t = y^{2^m} (Face 1): y = E1(x) = x^4 z^2 + x^2 z + x z (1) (Face 2): E2(x,y) = x^8 y + x^8 t^2 + x^8 t + x^7 t + x^6 y + x^6 t + x^5 y + x^4 y + x^3 y^2 + x^3 y + x^2 y^2 + x^2 y + x y + y^4 + y^2 + t = 0 (2)

  16. Conclusions, Perspectives, Open Questions • The degree of regularity seems to behave much as in the HFE case. Why? This is not clear yet. • We have found 7 new families of multivariate quadratic permutations. Why did we find so many new families by looking for 2Faces properties? This is not clear yet. Is it possible to find more families (non-isomorphic)? • Why do permutations generally have a much smaller degree of regularity? • Ongoing work on cubic schemes (instead of quadratic)

  17. Thank you
