280 likes | 402 Views
An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces. C hiho Mihara (TOSHIBA C orp.). 2013/03/02. Outline. Section Finding Problem(SFP) General Solution How to solve SFP, Relation between MPKC and ASC Security parameters
E N D
An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces Chiho Mihara (TOSHIBA Corp.) 2013/03/02
Outline • Section Finding Problem(SFP) • General Solution • How to solve SFP, Relation between MPKC and ASC • Security parameters • ASC security parameters • Complexity parameters in general case • Experimental result • Key Size Estimation • Conclusion Main talk
Outline • Section Finding Problem(SFP) • General Solution • How to solve SFP, Relation between MPKC and ASC • Security parameters • ASC security parameters • Complexity parameters in general case • Experimental result • Key Size Estimation • Conclusion
Section Finding Problem (SFP) Security of Algebraic Surface Cryptosystems(ASC) is based on the difficulty of Section Finding Problem(SFP) Section Finding Problem(SFP) Given , find such that :Algebraic Surface (Public Key) Find :Section on(Secret Key) To findSection is Too difficult!!
Outline • Section Finding Problem(SFP) • General Solution • How to solve SFP, Relation between MPKC and ASC • Security parameters • ASC security parameters • Complexity parameters in general case • Experimental result • Key Size Estimation • Conclusion
How to solve SFP(General solution) We can write down a section as degree of And substitute these into So the SFP is reduced to a multivariate equation system If you solve , then you can get (SME(*)) (*)Section multivariate equations
Relation between MPKC and ASC More general multivariate equations which is ASC based on. MPKC Quadratic multivariate equations which is MPKC based on. ASC More 3 dimensional polynomials Public key includes multi- variable equations implicitly Difficulty of SFP on algebraic surface
Outline • Section Finding Problem(SFP) • General Solution • How to solve SFP, Relation between MPKC and ASC • Security parameters • ASC security parameters • Complexity parameters in general case • Experimental result • Key Size Estimation • Conclusion Main talk
ASC Security parameters cardinality of the base field degree of the secret section How to solve SFP degree in of the public surface (SME) Number of distinct monomials in We propose a new security parameter! (SME) Gröbner basis
Example of NonRed_Monos Sample image How to solve SFP :grand field Algerbraic surface Solve Section
Complexity parameters in general case The Complexity of Solving Multivariable Polynomial Equations The Complexity ( in general case ) : NP-hard Parameters related to the complexity : 1. Size of Finite Field : p Complexity • Number of variables : n Complexity • Number of equations : m Complexity • Sparseness “Sparseness” describe simplicity of equations. Complexity Multivariable Polynomial Equation over finite field
“Sparseness” and NonRed_Monos “Dense” “Sparse” NonRed_Monos NonRed_Monos 19 7 easy hard We consider that NonRed_Monos is a parameter of Sparseness.
How to calculate “NonRed_Monos” from surface We can calculate “NonRed_Monos” from“Algebraic form” How to calculate “NonRed_Monos” Algebraic form If is max (full size), NonRed_Monos is also max. Maximal NonRed_Monos and d NonRed_Monos Data exist d (w=3:fix)
Necessity of NonRed_Monos Even if p,d,w has been fixed, there are many surface variations…. Question For given 2 surfaces X1,X2, (same p,d,w) which is more difficult to calculate Section? We can answer this question, because we can calculate NonRed_Monos!
Outline • Section Finding Problem(SFP) • General Solution • How to solve SFP, Relation between MPKC and ASC • Security parameters • ASC security parameters • Complexity parameters in general case • Experimental result • Key Size Estimation • Conclusion
Experiment OS : centos(Linux) version 2.6 CPU : AMD Opteron (tm) 848 (2.00GHz) Memory : 64GByte Software: Magma version 2.15-11 p= 11 size of finite field degree of d= 2, 3, 4 w= 3, 4, 5 = 40 Form of Algebraic surface (random generate)
Experimental result Process time(left) & Memory use(right) to calculate Groebner basis of w log(Memory) log(time) NonRed_Monos NonRed_Monos
Experimental result (statistical) Regression formula d 2 3 4 Prediction interval of 99.9999%(★) log(time) =:BEST of Computational Complexity! NonRed_Monos Prediction interval of 99.9999%(★)
Outline • Section Finding Problem(SFP) • General Solution • How to solve SFP, Relation between MPKC and ASC • Security parameters • ASC security parameters • Complexity parameters in general case • Experimental result • Key Size Estimation • Conclusion
Key size estimation (Gröbnerbasis) Prediction interval of 99.9999%(★) 128bit security FIX Securer Data Max NonRed_Monos Data exist NonRed_Monos We can choose secure data , d = 8, NonRed_Monos≧29000 1 2 3 4 5 6 7 8 9 10 d
Key size estimation (Exaustive search) • We estimate Computational Complexity of exhaustive search for (SME) / . • You can reduce to half of variables(by Ogura-Mihara) , so the number of variables in (SME) is d+1. • To satisfy 128bit security(=RSA(3072bit)), d>36 . (SME(*)) (*)nx: number of terms of algebraic surface (Note: count full terms version in this table)
Outline • Section Finding Problem(SFP) • General Solution • How to solve SFP, Relation between MPKC and ASC • Security parameters • ASC security parameters • Complexity parameters in general case • Experimental result • Key Size Estimation • Conclusion
Conclusion • We propose new security parameter NonRed_Monos. • We express “Sparseness” as NonRed_Monos. • We can derive an estimation of computational complexity for the Section Finding Problem on Algebraic Surfaceswith high accuracy. • Recommended Public Key Size of ASC is 1220 bit (128bit security = RSA 3072bit).
Last talk (my failure story) • When I saw the “section finding problem" for the first time , I think this problem is easy to solve. • So, we tried to develop a more efficient analysis (over Gröbner basis computation), named Ogura-Miharaalgorithm. • I introduce a concept of Ogura-Mihara algorithm.
Property of Section multivariate equations(SME ) Proposition CAT FACE!!
Concept of Ogura-Mihara algorithm Idea! : Reduce “number of valuables” by pseudo division Vanish! Vanish! Gröbner basis
Failure and Conclusion • Indeed, the number of variables is reduced to half, and in the small parameter, Ogura-Mihara algorithm solves faster than Gröbnerbasis computation. • But we found that degrees of section and surface are higher and higher, Ogura-Mihara’ NonRed_Monos significantly bigger and bigger more than the original (SME)’s NonRed_Monos. So it’s not efficient algorithm. • So when you want to estimate computational complexity such as using Gröbnerbasis, you need to see NonRed_Monos.