Extension Field Cancellation: A New MQ Trapdoor Construction (PowerPoint presentation)

SLIDE 1: Extension Field Cancellation

A New MQ Trapdoor Construction
February 2016
Alan Szepieniec (1), Jintai Ding (2), Bart Preneel (1)

1: KU Leuven, ESAT/COSIC, first.secondname@esat.kuleuven.be
2: University of Cincinnati, jintai.ding@uc.edu

SLIDE 2: Outline

  • Introduction
  • Extension Field Cancellation
      • Basic Trapdoor
      • Frobenius Tail
  • Attacks and Defenses
      • Bilinear Attack
      • Algebraic Attack – Minus
      • Differential Symmetry – Projection
  • Security & Efficiency
      • Security Estimation
      • Implementation Results
  • Conclusion
SLIDE 3: Multivariate Quadratic Cryptosystems

  • public key: $P \in (\mathbb{F}_q[x_1, \ldots, x_n])^m$
  • public operation: evaluate in $x \in \mathbb{F}_q^n$
  • secret key: $(S, T, F)$ where $S \in GL_n(\mathbb{F}_q)$, $T \in GL_m(\mathbb{F}_q)$, $F \in (\mathbb{F}_q[x_1, \ldots, x_n])^m$ such that $P = T \circ F \circ S$
  • private operation: invert $S$, $F$, $T$ — all easy!

[diagram: $P$ is public knowledge, $S$, $F$, $T$ are private knowledge; evaluating $P$ is encryption or signature verification, inverting through $T$, $F$, $S$ is decryption or signature generation]

SLIDE 4: Single-Field Schemes

  • all arithmetic occurs in $\mathbb{F}_q$
  • canonical example: UOV
  • $F_i(o, v) = (o^T\ v^T)\, F_i \binom{o}{v}$ [block picture of $F_i$ follows on the slide: its oil-oil block is zero]
  • invert $F(o, v) = y$:
      • fix $v$ at random
      • solve $F(o, v) = y$ for $o$
      • linear system!
SLIDE 5: Mixed-Field Schemes

  • arithmetic occurs in $\mathbb{F}_q$ as well as in $\mathbb{F}_{q^n} \cong \mathbb{F}_q[z]/p(z)$
  • canonical example: HFE
  • let $\phi(x) : \mathbb{F}_q^n \to \mathbb{F}_{q^n} : x \mapsto X = x_0 + x_1 z + \ldots + x_{n-1} z^{n-1}$
  • let $f(X) = \sum_{i<d} \sum_{j<d} \alpha_{i,j} X^{q^i + q^j} + \sum_{k<d} \beta_k X^{q^k} + \gamma$
  • $F(x) = \phi^{-1} \circ f \circ \phi(x)$
  • or for simplicity: $F(X) = f(X)$
  • invert $F(X) = Y$:
      • factorize the polynomial $F(X) - Y$
      • choose a root $X_r$ such that $F(X_r) - Y = 0$
SLIDE 6: MQ Encryption Schemes

  • ZHFE
      • mixed-field
      • 2 high-degree polynomials $F(X)$ and $\hat{F}(X)$ linked to 1 low-degree polynomial $\Psi(X)$
      • inversion: factorize $\Psi(X)$
  • ABC / Simple Matrix Encryption
      • single-field, but embeds matrix algebra
      • reduces inversion to linear system solving
  • Extension Field Cancellation (EFC)
      • mixed-field
      • 2 high-degree polynomials
      • reduces inversion to linear system solving

!! All three are expanding maps $\mathbb{F}_q^n \to \mathbb{F}_q^{2n}$ !!

SLIDE 7: EFC: Basic Trapdoor

  • let $\phi_m : \mathbb{F}_q^n \to \mathbb{F}_q^{n \times n}$ map a vector $x \in \mathbb{F}_q^n$ to the matrix representation of $X \in \mathbb{F}_{q^n}$.
  • let $A, B \in \mathbb{F}_q^{n \times n}$ be matrices and $\alpha(X) = \phi(Ax)$, $\beta(X) = \phi(Bx)$
  • Central map:
    $$F = \begin{pmatrix} \phi_m(Ax)\,x \\ \phi_m(Bx)\,x \end{pmatrix} = \begin{pmatrix} \alpha(X)X \\ \beta(X)X \end{pmatrix}$$

SLIDE 8: EFC: Basic Trapdoor

Central map: $F = \begin{pmatrix} \phi_m(Ax)\,x \\ \phi_m(Bx)\,x \end{pmatrix} = \begin{pmatrix} \alpha(X)X \\ \beta(X)X \end{pmatrix}$

  • How to invert?
    $$F(X) = \begin{pmatrix} \alpha(X)X \\ \beta(X)X \end{pmatrix} = \begin{pmatrix} D_1 \\ D_2 \end{pmatrix}$$
  • Solution: $\beta(X)D_1 - \alpha(X)D_2 = 0$ (both products equal $\alpha(X)\beta(X)X$ because multiplication in $\mathbb{F}_{q^n}$ commutes), i.e., solve for $x$:
    $$\phi_m(Bx)\,d_1 - \phi_m(Ax)\,d_2 = 0,$$
    which is a linear system, since $\phi_m$ is linear in its argument and $d_1, d_2$ are known.
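The basic trapdoor and its linear-system inversion as an added example; this is not the authors' code and the instance is a toy: $\mathbb{F}_{2^7} = \mathbb{F}_2[z]/(z^7 + z^3 + 1)$ (modulus chosen here), $A$ and $B$ supplied by the caller as lists of row bitmasks, and the matrix of $x \mapsto \phi_m(Bx)d_1 - \phi_m(Ax)d_2$ built column by column from unit vectors, after which its kernel is computed by Gaussian elimination over $\mathbb{F}_2$.

```python
N = 7                  # extension degree n (toy size; the deck uses n = 83)
POLY = 0b10001001      # p(z) = z^7 + z^3 + 1, irreducible over F_2, so F_{2^7} = F_2[z]/p(z)
def gf_mul(a, b):
    """Multiply elements of F_{2^N} encoded as N-bit ints (bit i = coefficient of z^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> N:                      # reduce modulo p(z) as soon as z^N appears
            a ^= POLY
    return r

def columns_to_rows(cols):  # N column bitmasks -> N row bitmasks (bit j of row i = entry (i, j))
    return [sum(((cols[j] >> i) & 1) << j for j in range(N)) for i in range(N)]

def phi_m(x):  # phi_m(x): the n x n matrix over F_2 of multiplication by X = phi(x); column j = X * z^j
    return columns_to_rows([gf_mul(x, 1 << j) for j in range(N)])

def mat_vec(m, v):  # matrix-vector product over F_2, rows and vector as bitmasks
    return sum((bin(row & v).count("1") & 1) << i for i, row in enumerate(m))

def central_map(A, B, x):  # basic EFC: F(x) = (phi_m(Ax) x, phi_m(Bx) x) = (alpha(X) X, beta(X) X)
    return mat_vec(phi_m(mat_vec(A, x)), x), mat_vec(phi_m(mat_vec(B, x)), x)

def kernel(rows):  # all v with M v = 0 over F_2: reduced row echelon form, then span the nullspace basis
    reduced = []                                   # (pivot column, row) pairs
    for r in rows:
        for p, pr in reduced:                      # clear the existing pivot columns from r
            if (r >> p) & 1:
                r ^= pr
        if r:
            p = r.bit_length() - 1
            reduced = [(q, qr ^ r if (qr >> p) & 1 else qr) for q, qr in reduced]
            reduced.append((p, r))
    pivots = dict(reduced)
    basis = [(1 << f) | sum(((pr >> f) & 1) << p for p, pr in reduced)
             for f in range(N) if f not in pivots]
    vecs = [0]
    for b in basis:                                # enumerate the whole nullspace
        vecs += [v ^ b for v in vecs]
    return vecs

def invert(A, B, d1, d2):
    """Preimages of (d1, d2) via beta(X) D1 - alpha(X) D2 = 0, i.e. phi_m(Bx) d1 - phi_m(Ax) d2 = 0."""
    # that map is linear in x (minus is plus in char 2), so column j of its matrix is the image of e_j
    M = columns_to_rows([mat_vec(phi_m(mat_vec(B, 1 << j)), d1) ^
                         mat_vec(phi_m(mat_vec(A, 1 << j)), d2) for j in range(N)])
    return [v for v in kernel(M) if central_map(A, B, v) == (d1, d2)]  # x is always in the kernel
```

If `invert` returns more than one vector, the ciphertext has several preimages, which is the situation behind the decryption error rates plotted later in the deck.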

SLIDE 9: Enhanced Trapdoor

  • key idea: use Frobenius isomorphism
  • disadvantage: restricted to characteristic 2 only
    $$E(X) = \begin{pmatrix} \alpha(X)X + \beta(X)^3 \\ \beta(X)X + \alpha(X)^3 \end{pmatrix}$$

SLIDE 10: Enhanced Trapdoor: Inversion

How to invert?
$$E(X) = \begin{pmatrix} \alpha(X)X + \beta(X)^3 \\ \beta(X)X + \alpha(X)^3 \end{pmatrix} = \begin{pmatrix} D_1 \\ D_2 \end{pmatrix}$$

  • Solution: solve for $X$:
    $$\alpha(X)D_2 - \beta(X)D_1 = \alpha(X)^4 - \beta(X)^4$$
    (the $\alpha(X)\beta(X)X$ terms cancel; in characteristic 2 the right-hand side is $(\alpha(X) - \beta(X))^4$, which is $\mathbb{F}_q$-linear in $x$)
  • or for $x$:
    $$\alpha_m(x)\,d_2 - \beta_m(x)\,d_1 = Q_2(Ax - Bx)$$
    where $Q_2 \in \mathbb{F}_q^{n \times n}$ is the matrix associated with the Frobenius transform $X \mapsto X^4$.

SLIDE 11: Bilinear Attack

  • basic variant: $F(X) = \begin{pmatrix} \alpha(X)X \\ \beta(X)X \end{pmatrix} = \begin{pmatrix} Y_1 \\ Y_2 \end{pmatrix}$
  • bilinear relation: $\beta(X)Y_1 = \alpha(X)Y_2$
  • there exist coefficients $K_i, L_i \in \mathbb{F}_{q^n}$ such that
    $$\sum_{i=0}^{n-1} X^{q^i}(K_i Y_1 + L_i Y_2) = 0$$
  • attack:
      • generate many tuples $(X, Y_1, Y_2)$
      • compute $K_i$ and $L_i$ using linear algebra
      • given a ciphertext $Y = (Y_1, Y_2)$ and given the coefficients $K_i, L_i$, computing $X$ is easy

SLIDE 12: Other Attacks and Defenses

  • same basic idea
  • protect against Bilinear Attack: minus
  • protect against Algebraic Attack: more minus
  • protect against Differential Symmetry Attack: projection
  • EFC−p, EFC−pt2

SLIDE 13: Algebraic Attack

  • Algebraic Attack: decent Gröbner bases algorithms (e.g. F4, F5, MutantXL)
  • Running time depends on degree of regularity
  • $D_{reg}$ depends on rank of quadratic form
    $$F(X) = \begin{pmatrix} \mathbf{X}^T F_1 \mathbf{X} \\ \mathbf{X}^T F_2 \mathbf{X} \end{pmatrix}$$
  • where e.g. $\mathbf{X}^T = (X, X^q, X^{q^2}, \ldots, X^{q^{n-1}})$

SLIDE 14: Rank of Extension Field Quadratic Form

  • $F_1 = \alpha(X)X$ ~ rank = 2
  • $F \circ S$ ~ rank = 2 (change of basis)
  • $T \circ F \circ S$ ~ full rank
    $$T(X) = \sum_i t_i X^{q^i}, \qquad T \circ F(X) = \sum_i t_i \left(\mathbf{X}^T F \mathbf{X}\right)^{q^i}$$

SLIDE 15: Fast Gröbner Basis

[diagram: F4]

  • F4 implicitly recovers $T$
SLIDE 16: Minus

  • solution: drop $a$ rows from $T$
  • F4 can only recover $n - a$ rows of $T$

[diagram: F4]

  • rank $r = 2 + a$
  • drawback: guess $a$ values during decryption
SLIDE 17: Effect of Minus

  • fixed $n = 35$

[plot: time (log scale, 1 to 65536) against number of applications (1 to 17)]

SLIDE 18: Decryption Errors

[plot: error rate (0.2 to 1) against $n$ (1 to 25), one curve each for $a = 0, 2, 4, 6, 8, 10, 12$]

SLIDE 19: Differential Symmetry Attack

  • $DF(x, y) = F(x + y) - F(x) - F(y) + F(0)$
  • symmetry $\Leftrightarrow$ $\exists\, \Lambda, L \,.\; DF(Lx, y) + DF(x, Ly) = \Lambda\, DF(x, y)$
  • broke SFLASH
  • solution (pSFLASH): $S$ must be singular and $n$ prime
  • EFCp:
      • $\mathrm{rank}(A) = \mathrm{rank}(B) = n - 1$
      • $n$ is prime
      • and $\ker(A) \cap \ker(B) = \{0\}$
SLIDE 20: Estimating Security

  • algebraic attack: Gaussian elimination in matrix with $T = \binom{n}{D_{reg}}$ monomials
  • $\tau = \binom{n}{2}$ nonzero terms per row
  • complexity of Wiedemann algorithm: $O(\tau T^2)$
  • $D_{reg} \le \dfrac{(q - 1)(r + a)}{2} + 2$

  n  | q | t2  | a  | Dreg | security
  83 | 2 | no  | 10 | 8    | 82
  83 | 2 | yes | 8  | 8    | 82
  59 | 3 | no  | 6  | 10   | 82

[the t2 marks of the table were lost in extraction and are filled from the parameter sets on slide 23]
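The estimate on this slide carried through in code, as an added example that is not from the deck or the authors: $T = \binom{n}{D_{reg}}$, $\tau = \binom{n}{2}$, $\log_2$ of the Wiedemann cost $\tau T^2$, and the $D_{reg}$ bound evaluated with $r = 2$, the rank of $\alpha(X)X$ from slide 14 (an assumption about how the table was filled), which reproduces the two EFC−p rows of the table.

```python
import math

def monomials(n, dreg):
    """T = C(n, D_reg): the number of monomials, i.e. the dimension of the matrix to eliminate."""
    return math.comb(n, dreg)

def terms_per_row(n):
    """tau = C(n, 2): nonzero terms per row of that matrix."""
    return math.comb(n, 2)

def security_bits(n, dreg):
    """log2 of the Wiedemann cost O(tau * T^2) of the algebraic attack."""
    return math.log2(terms_per_row(n)) + 2 * math.log2(monomials(n, dreg))

def dreg_bound(q, r, a):
    """The deck's bound D_reg <= (q - 1)(r + a)/2 + 2, r = rank of the central quadratic form."""
    return (q - 1) * (r + a) // 2 + 2        # assumption: round down when the fraction is not integral

def table_row(n, q, a, r=2):
    """(n, q, a, D_reg, security) for an EFC-p parameter set, security rounded down to whole bits."""
    dreg = dreg_bound(q, r, a)
    return n, q, a, dreg, math.floor(security_bits(n, dreg))

if __name__ == "__main__":
    for n, q, a in [(83, 2, 10), (59, 3, 6)]:    # the two EFC-p parameter sets in the deck's table
        print(table_row(n, q, a))                # -> (83, 2, 10, 8, 82) and (59, 3, 6, 10, 82)
```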

SLIDE 21: Decryption Time as a Function of a

[plot: decryption time in seconds (log scale, 0.0039 to 256) against $a$ (1 to 14)]

SLIDE 22: Algebraic Attack Time

  • implementation in Magma (has F4)

[plot: time (log scale, 0.0156 to 65536) against $n$ (15 to 38), for EFC−p with $a = 10$ and EFC−pt2 with $a = 8$]

SLIDE 23: Implementation Results

  construction                        | sec. key | pub. key | ctxt.
  EFC−p,   q = 2, n = 83, a = 10      | 48.3 KB  | 509 KB   | 20 B
  EFC−pt2, q = 2, n = 83, a = 8       | 48.3 KB  | 523 KB   | 20 B
  EFC−p,   q = 3, n = 59, a = 6       | 48.8 KB  | 375 KB   | 28 B

  construction                        | key gen. | enc.     | dec.
  EFC−p,   q = 2, n = 83, a = 10      | 2.45 s   | 0.004 s  | 9.074 s
  EFC−pt2, q = 2, n = 83, a = 8       | 3.982 s  | 0.004 s  | 2.481 s
  EFC−p,   q = 3, n = 59, a = 6       | 2.938 s  | 0.004 s  | 12.359 s

SLIDE 24: Conclusion

  • extension field cancellation (EFC)
      • MQ mixed-field trapdoor construction
      • generate a pair of high-degree quadratic polynomials
      • uses commutativity of extension field to cancel the polynomials' complexity
      • end up with a linear system
  • modifiers
      • Frobenius Tail in char 2 (speed)
      • Minus (protects against Algebraic Attack)
      • Projection (destroys Differential Symmetry)
  • future work
      • get rid of Minus modifier
      • better security argument
      • shrink public keys
      • hardware implementation