Multivariate Quadratic Public-Key Cryptography Part 3: Small Field - - PowerPoint PPT Presentation

Multivariate Quadratic Public-Key Cryptography Part 3: Small Field Schemes

Bo-Yin Yang

Academia Sinica

Taipei, Taiwan Friday, 28.06.2018

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 1 / 27

Oil-Vinegar Polynomials [Patarin 1997]

Let F be a (finite) field. For o, v ∈ N set n = o + v and define p(x1, . . . , xn) =

v

• i=1

v

• j=i

αij · xi · xj

• v×v terms

+

v

• i=1

n

• j=v+1

βij · xi · xj

• v×o terms

+

n

• i=1

γi · xi

• linear terms

+δ x1, . . . , xv: Vinegar variables xv+1, . . . , xn: Oil variables, no o × o terms. If we randomly set x1, . . . , xv, result is linear in xv+1, . . . , xn

quadratic quadratic linear in v linear in o δ

v × v terms v × o terms o × o terms v terms

• terms

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 2 / 27

Oil-Vinegar Polynomials (2)

Let ˜ p(x1, . . . , xn) be

(Unbalanced) Oil-Vinegar matrix

˜ p the homogeneous quadratic part of p(x1, . . . , xn) can be written as quadratic form ˜ p(x) = xT · M · x with M =

• ∗v×v

∗o×v ∗v×o 0o×o

• where ∗ denotes arbitrary entries subject to symmetry.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 3 / 27

Inversion of the UOV central map

Each central polynomial has the form

quadratic quadratic linear in v linear in o δ

v × v terms v × o terms o × o terms v terms

• terms

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 4 / 27

Inversion of the central map

Each central polynomial has the form

quadratic quadratic linear in v linear in o δ

v × v terms v × o terms o × o terms v terms

• terms

Choose random values for the Vinegar variables x1, . . . , xv

constant linear in o constant linear in o δ

v × v terms v × o terms o × o terms v terms

• terms

⇒ Linear equation in the o Oil variables

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 5 / 27

Inversion of the central map (2)

Let each of o components of a UOV central map be a UOV polynomial.

After guessing Vinegar variables

When we guess the Vinegar variables x1, . . . , xv, we get o linear equations in the o Oil variables xv+1, . . . , xn ⇒ recovered by (Gaussian) elimination

If the system has no solution?

Just choose other values for the Vinegar variables x1, . . . , xv and try again.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 6 / 27

Inversion of the central map (2)

Let each of o components of a UOV central map be a UOV polynomial.

After guessing Vinegar variables

When we guess the Vinegar variables x1, . . . , xv, we get o linear equations in the o Oil variables xv+1, . . . , xn ⇒ recovered by (Gaussian) elimination

Toy Example in F = GF(7) with o = v = 2

Q = (f (1), f (2)) with

f (1)(x) = 2x 2

1 + 3x1x2 + 6x1x3 + x1x4 + 4x 2 2 + 5x2x4 + 3x1 + 2x2 + 5x3 + x4 + 6,

f (2)(x) = 3x 2

1 + 6x1x2 + 5x1x4 + 3x 2 2 + 5x2x3 + x2x4 + 2x1 + 5x2 + 4x3 + 2x4 + 1.

Goal: Find a pre image Q−1(y), y = (3, 4) Choose random values for x1 and x2, e.g. (x1, x2) = (1, 4) ˜ f (1)(x3, x4) = 4x3+x4+4 = w1 = 3, ˜ f (2)(x3, x4) = 3x3+4x4 = w2 = 4 The pre image of y is x = (1, 4, 1, 2).

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 6 / 27

Operations of UOV

Key Generation

Take a UOV central map Q and invertible S : Fn → Fn. P = Q ◦ S.

Signature Generation

1 Given: message d, take its hash y = H(d) under H : {0, 1}⋆ → Fo. 2 Compute a pre-image x ∈ Fn of y under the central map Q ◮ Choose random values for the Vinegar variables x1, . . . , xv and

substitute them into the central map polynomials f (1), . . . , f (o)

◮ Solve the resulting linear system for the Oil variables xv+1, . . . , xn ◮ If the system has no solution, choose other values for the Vinegar

variables and try again.

3 Compute the signature w ∈ Fn by w = S−1(x). B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 7 / 27

Operations of UOV

Key Generation

Take a UOV central map Q and invertible S : Fn → Fn. P = Q ◦ S.

Signature Generation

1 Given: message d, take its hash y = H(d) under H : {0, 1}⋆ → Fo. 2 Compute a pre-image x ∈ Fn of y under the central map Q 3 Compute the signature w ∈ Fn by w = S−1(x).

Signature Verification

Given: message d, signature w ∈ Fn

1 Compute z = H(d). 2 Compute z′ = P(w).

Accept the signature ⇔ z = z′

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 7 / 27

Kipnis-Shamir OV attack when o = v

O := {x ∈ Fn : x1 = . . . = xv = 0} “Oilspace” V := {x ∈ Fn : xv+1 = . . . = xn = 0} “Vinegarspace” Let E, F be invertible “OV-matrices”, i.e. E, F =

• ⋆

⋆ ⋆

• Then

E · O ⊂ V. Since the two has the same rank, equality holds, so (F −1 · E) · O = O, i.e. O is an invariant subspace of F −1 · E.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 8 / 27

Kipnis-Shamir OV attack when o = v

O := {x ∈ Fn : x1 = . . . = xv = 0} “Oilspace” V := {x ∈ Fn : xv+1 = . . . = xn = 0} “Vinegarspace” Let E, F be invertible “OV-matrices”, i.e. E, F =

• ⋆

⋆ ⋆

• Then

E · O ⊂ V. Since the two has the same rank, equality holds, so (F −1 · E) · O = O, i.e. O is an invariant subspace of F −1 · E.

Common Subspaces

Let Hi be the matrix representing the homogeneous quadratic part of the i-th public polynomial. Then we have Hi = ST · Ei · S, i.e. S−1(O) is an invariant subspace of the matrix (H−1

j

· Hi), and we find S−1.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 8 / 27

Kipnis-Shamir OV attack when o = v

O := {x ∈ Fn : x1 = . . . = xv = 0} “Oilspace” V := {x ∈ Fn : xv+1 = . . . = xn = 0} “Vinegarspace” Let E, F be invertible “OV-matrices”, i.e. E, F =

• ⋆

⋆ ⋆

• Then

E · O ⊂ V. Since the two has the same rank, equality holds, so (F −1 · E) · O = O, i.e. O is an invariant subspace of F −1 · E.

Common Subspaces

Let Hi be the matrix representing the homogeneous quadratic part of the i-th public polynomial. Then we have Hi = ST · Ei · S, i.e. S−1(O) is an invariant subspace of the matrix (H−1

j

· Hi), and we find S−1.

Summary of the Standard UOV Attack

for v ≤ o, breaks the balanced OV scheme in polynomial time. For v > o the complexity of the attack is about qv−o · o4. ⇒ Choose v ≈ 2 · o (unbalanced Oil and Vinegar (UOV)) [KP99]

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 8 / 27

What happens when v > o?

Invariant Subspaces

E · O ⊂ V, where E is a UOV matrix. If E −1 exists then E −1V is a v-dimensional subspace containing O. If E, F are two invertible UOV matrices, then FE −1O is the same dimension as O and both lies in F −1V. So I = O ∩ F −1EO is dimension at least 2o − v. I is mapped by F −1E into a subspace F −1EO, of dimension o. The probability for a non-zero vector to be mapped to its own multiple is (q − 1)/(qd − 1). The expected value is the number of non-zero vectors times this probability divided by q − 1 (since each eigenvector is counted q − 1 times), or (q2o−v − 1)/(qo − 1) ∼ q−(v−o). So 1 out of ∼ q(v−o), O contains an invariant subspace of F −1E. Choose an Hi which is invertible and take an arbitrary linear combination H =

i αiHi, H−1 i

H with probability q−(v−o) contains an invariant subspace which is in S−1O. Repeat o times to obtain the entire S−1O.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 9 / 27

Other Attacks

Collision Attack: o ≥

22ℓ log2(q) for ℓ-bit security.

Direct Attack: Try to solve the public equation P(w) = z as an instance of the MQ-Problem. The public systems of UOV behave much like random systems, but they are highly underdetermined (n = 3 · m) Result [Thomae]: A multivariate system of m equations in n = ω · m variables can be solved in the same time as a determined system of m − ⌊ω⌋ + 1 equations. ⇒ m has to be increased by 2.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 10 / 27

Other Attacks

Collision Attack: o ≥

22ℓ log2(q) for ℓ-bit security.

Direct Attack: Try to solve the public equation P(w) = z as an instance of the MQ-Problem. The public systems of UOV behave much like random systems, but they are highly underdetermined (n = 3 · m) ⇒ m has to be increased by 2. UOV-Reconciliation attack: Try to find a linear transformation S (“good keys”) which transforms the public matrices Hi into the form

• f UOV matrices

(ST)−1 · Hi · S−1 =

• ⋆

⋆ ⋆

• ,

S =

• 1

⋆ 1

• ⇒ Each Zero-term yields a quadratic equation in the elements of S.

⇒ S can be recovered by solving several MQ systems (the hardest with v variables, m equations).

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 10 / 27

Reconciliation Attack for UOV

Good Keys

MS :=

• ∗v×v

∗v×o ∗o×v ∗o×o

• =
• 1v×v

∗v×o 0o×v 1o×o ∗v×v 0v×o ∗o×v ∗o×o

• (1)

Only need MS = P :=

• 1v×v

∗v×o 0o×v 1o×o

• B.-Y. Yang (Academia Sinica)

UOV and Rainbow PQC Mini School 11 / 27

Reconciliation Attack for UOV

Good Keys

Only need MS = P :=

• 1v×v

∗v×o 0o×v 1o×o

• = Pv+1Pv+2 · · · Pn, and

Pn = 1n +

            

· · · λ1 · · · λ2 . . . ... . . . . . . · · · λv · · · . . . ... . . . . . . · · ·

            

; Pn−1 = 1n +

            

· · · λ′

1

· · · λ′

2

. . . ... . . . . . . . . . · · · λ′

v

· · · . . . ... . . . . . . . . . · · ·

            

; · · ·

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 11 / 27

Reconciliation Attack for UOV

Good Keys

Only need MS = P :=

• 1v×v

∗v×o 0o×v 1o×o

• = Pv+1Pv+2 · · · Pn, and

Pn = 1n +

      

· · · λ1 · · · λ2 . . . ... . . . . . . · · · λv · · · . . . ... . . . . . . · · ·

      

; Pn−1 = 1n +

      

· · · λ′

1

· · · λ′

2

. . . ... . . . . . . . . . · · · λ′

v

· · · . . . ... . . . . . . . . . · · ·

      

; · · · 1 Perform basis change wi := w′

i − λiw′ n for i = 1 · · · v, wi = w′ i for

i = v + 1 · · · n. Evaluate z in w′.

2 Let all coefficients of (w′

n)2 be zero and solve for the λi. We may use

any method such as FXL (m equations in v = vu = n − ou unknowns).

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 11 / 27

Reconciliation Attack for UOV

Good Keys

Only need MS = P :=

• 1v×v

∗v×o 0o×v 1o×o

• = Pv+1Pv+2 · · · Pn, and

Pn = 1n +

      

· · · λ1 · · · λ2 . . . ... . . . . . . · · · λv · · · . . . ... . . . . . . · · ·

      

; Pn−1 = 1n +

      

· · · λ′

1

· · · λ′

2

. . . ... . . . . . . . . . · · · λ′

v

· · · . . . ... . . . . . . . . . · · ·

      

; · · · 1 Perform basis change wi := w′

i − λiw′ n for i = 1 · · · v, wi = w′ i for

i = v + 1 · · · n. Evaluate z in w′.

2 Let all coefficients of (w′

n)2 be zero and solve for the λi. We may use

any method such as FXL (m equations in v = vu = n − ou unknowns).

3 Set w′

i := w′′ i − λiw′′ n−1 for i = 1 · · · v, and set every (w′′ n−1)2 and

w′′

n w′′ n−1 term to zero (i.e., more equations in the system). We find

Pn−1 with 2m equations in v unknowns. Continue for Pn−2, . . . , Pv+1.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 11 / 27

Summary of UOV

Safe Parameters for UOV(F, o, v)

security public key private key hash size signature level (bit) scheme size (kB) size (kB) (bit) (bit) 80 UOV(F16,40,80) 144.2 135.2 160 480 UOV(F256,27,54) 89.8 86.2 216 648 100 UOV(F16,50,100) 280.2 260.1 200 600 UOV(F256, 34,68) 177.8 168.3 272 816 128 UOV(F16,64,128) 585.1 538.1 256 768 UOV(F256,45,90) 409.4 381.8 360 1,080 192 UOV(F16,96,192) 1,964.3 1,786.7 384 1,152 UOV(F256,69,138) 1,464.6 1,344.0 552 1,656 256 UOV(F16,128,256) 4,644.1 4,200.3 512 1,536 UOV(F256,93,186) 3,572.9 3,252.2 744 2,232

What we know today about UOV

unbroken since 1999 ⇒ high confidence in security not the fastest multivariate scheme very large keys, (comparably) large signatures

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 12 / 27

Rainbow Digital Signature

Ding and Schmidt, 2004

Patented by Ding May have had patent by T.-T. Moh (expired) TTS is its variant with sparse central map

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 13 / 27

Rainbow Digital Signature

Ding and Schmidt, 2004

Finite field F, integers 0 < v1 < · · · < vu < vu+1 = n. Set Vi = {1, . . . , vi}, Oi = {vi + 1, . . . , vi+1}, oi = vi+1 − vi. Central map Q consists of m = n − v1 polynomials f v1+1, . . . , f (n) of the form f (k) =

• i,j∈Vℓ

α(k)

ij xixj +

• i∈Vℓ,j∈Oℓ

β(k)

ij xixj +

• i∈Vℓ∪Oℓ

γ(k)

i

xi + δ(k), with coefficients α(k)

ij , β(k) ij , γ(k) i

and δ(k) randomly chosen from F and ℓ being the only integer such that k ∈ Oℓ. Choose randomly two affine (or linear) transformations T : Fm → Fm and S : Fn → Fn. public key: P = T ◦ Q ◦ S : Fn → Fm private key: T , Q, S

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 13 / 27

Idea of Rainbow

Inversion of the central map

Invert the single UOV layers recursively. Use the variables of the i-th layer as Vinegars of the i + 1-th layer.

Illustration: Rainbow with two layers

F (k) = v1 v2 n v1 v2 n F (k) = v1 v2 n v1 v2 n v1 + 1 ≤ k ≤ v2 v2 + 1 ≤ k ≤ n

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 14 / 27

Idea of Rainbow

Inversion of the central map

Invert the single UOV layers recursively. Use the variables of the i-th layer as Vinegars of the i + 1-th layer. Input: Rainbow central map Q = (f (v1+1), . . . , f (n)), vector y ∈ Fm. Output: vector x ∈ Fn with Q(x) = y.

1: Choose random values for the variables x1, . . . , xv1 and substitute

these values into the polynomials f (i) (i = v1 + 1, . . . n).

2: for ℓ = 1 to u do 3:

Perform Gaussian Elimination on the polynomials f (i) (i ∈ Oℓ) to get the values of the variables xi (i ∈ Oℓ).

4:

Substitute the values of xi (i ∈ Oℓ) into the polynomials f (i) (i = vℓ+1 + 1, . . . , n).

5: end for

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 14 / 27

Idea of Rainbow

Inversion of the central map

Invert the single UOV layers recursively. Use the variables of the i-th layer as Vinegars of the i + 1-th layer.

Signature Generation from message d

1 Use a hash function H : {0, 1} → Fm to compute z = H(d) ∈ Fm 2 Compute y = T −1(z) ∈ Fm. 3 Compute a pre-image x ∈ Fn of y under the central map Q 4 Compute the signature w ∈ Fn by w = S−1(x). B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 14 / 27

Idea of Rainbow

Inversion of the central map

Invert the single UOV layers recursively. Use the variables of the i-th layer as Vinegars of the i + 1-th layer.

Signature Generation from message d

1 Use a hash function H : {0, 1} → Fm to compute z = H(d) ∈ Fm 2 Compute y = T −1(z) ∈ Fm. 3 Compute a pre-image x ∈ Fn of y under the central map Q 4 Compute the signature w ∈ Fn by w = S−1(x).

Signature Verification from message d, signature z ∈ Fn

1 Compute z = H(d). 2 Compute z′ = P(w).

Accept the signature z ⇔ w′ = w.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 14 / 27

Rainbow Schemes with two layers

The central map Q consists of quadratic polynomials of two types

0 ⋆ ⋆

quadratic terms linear in V1 linear in O1 linear in O2

V1 × V1 V1 × O1 O1 × O1 V1 × O2 O1 × O2 O2 × O2 V1 O1 O2

• 1. Layer
• 2. Layer

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 15 / 27

Rainbow Schemes with two layers

Step 1: Choose random values for the Vinegar variables x1, . . . , xv1 and substitute them into the central polynomials

⋆ ⋆ 0 ⋆ ⋆ ⋆ ⋆

quadratic terms linear in V1 linear in O1 linear in O2

V1 × V1 V1 × O1 O1 × O1 V1 × O2 O1 × O2 O2 × O2 V1 O1 O2

• 1. Layer
• 2. Layer

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 16 / 27

Rainbow Schemes with two layers

Step 2: Solve the o1 linear equations given by the polynomials of the first layer for xv1+1, . . . , xv2 and substitute into the polynomials of the second layer

⋆ ⋆ ⋆ ⋆ ⋆ ⋆ ⋆

quadratic terms linear in V1 linear in O1 linear in O2

V1 × V1 V1 × O1 O1 × O1 V1 × O2 O1 × O2 O2 × O2 V1 O1 O2

• 1. Layer
• 2. Layer

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 17 / 27

Rainbow Schemes with two layers

Step 3: Solve the o2 linear equations given by the o2 polynomials of the second layer for xv2+1, . . . , vn.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 18 / 27

Toy Example

F = GF(7), (v1, o1, o2) = (2, 2, 2) central map Q = (f (3), . . . , f (6)) with

f (3) = x 2

1 + 3x1x2 + 5x1x3 + 6x1x4 + 2x 2 2 + 6x2x3 + 4x2x4 + 2x2 + 6x3 + 2x4 + 5,

f (4) = 2x 2

1 + x1x2 + x1x3 + 3x1x4 + 4x1 + x 2 2 + x2x3 + 4x2x4 + 6x2 + x4,

f (5) = 2x 2

1 + 3x1x2 + 3x1x3 + 3x1x4 + x1x5 + 3x1x6 + 6x1 + 4x 2 2 + x2x3 + 4x2x4

+ x2x5 + 3x2x6 + 3x2 + 3x3x4 + x3x5 + 2x3x6 + 2x3 + 3x4x5 + x5 + 6x6, f (6) = 2x 2

1 + 5x1x2 + x1x3 + 5x1x4 + 5x1x6 + 6x1 + 5x 2 2 + 3x2x3 + 5x2x5 + 4x2x6

+ x2 + 3x 2

3 + 5x3x4 + 4x3x5 + 2x3x6 + 4x3 + x 2 4 + 6x4x5 + 3x4x6

+ 4x4 + 4x5 + x6 + 2.

Goal: Find pre image x ∈ F6 of y = (6, 2, 0, 5) under the map Q

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 19 / 27

Toy Example (2)

Choose random values for the Vinegar variables x1 and x2, e.g. (x1, x2) = (0, 1) and substitute them into the polynomials f (3), . . . , f (6).

˜ f (3) = 5x3 + 6x4 + 2, ˜ f (4) = x3 + 5x4, ˜ f (5) = 3x3x4 + x3x5 + 2x3x6 + 3x3 + 3x4x5 + 4x4 + 2x5 + 2x6, ˜ f (6) = 3x 2

3 + 5x3x4 + 4x3x5 + 2x3x6 + x 2 4 + 6x4x5 + 3x4x6 + 4x4 + 2x5 + 5x6 + 1.

Set ˜ f (3) = y1 = 6 and ˜ f (4) = y2 = 2 and solve for x3, x4 ⇒ (x3, x4) = (3, 4) Substitute into ˜ f (5) and ˜ f (6) ⇒ ˜ ˜ f (5) = 3x5 + x6 + 5, ˜ ˜ f (6) = 3x5 + 2x6 + 1 Set ˜ ˜ f (5) = y3 = 0 and ˜ ˜ f (6) = y4 = 5, solve for x5 and x6 ⇒ (x5, x6) = (0, 2) A pre image of y = (6, 2, 0, 5) is given by x = (0, 1, 3, 4, 0, 2).

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 20 / 27

Signature Generation

Given: message d

1 Use a hash function H : {0, 1} → Fm to compute w = H(d) ∈ Fm 2 Compute x = S−1(w) ∈ Fm. 3 Compute a pre-image y ∈ Fn of x under the central map Q 4 Compute the signature z ∈ Fn by z = T −1(y). B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 21 / 27

Signature Verification

Given: message d, signature z ∈ Fn

1 Compute w = H(d). 2 Compute w′ = P(z).

Accept the signature z ⇔ w′ = w.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 22 / 27

Security

Rainbow is an extension of UOV ⇒ All attacks against UOV can be used against Rainbow, too. Additional structure of the central map allows several new attacks MinRank Attack: Look for linear combinations of the matrices Hi of low rank HighRank Attack: Look for the linear representation of the variables appearing the lowest number of times in the central polynomials. Rainbow-Band-Separation Attack: Variant of the UOV-Reconciliation Attack using the additional Rainbow structure [DY08] Choosing Parameter Selection for Rainbow is interesting

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 23 / 27

MinRank Attack

Minors Version

Set all rank r + 1 minors of

i αiHi to 0.

Kernel Vector Guessing Version

Guess a vector v, let

i αiHiv = 0, hope to find a non-trivial solution.

(If m > n, guess ⌈ m

n ⌉ vectors.)

Takes qrm3/3 time to find a r-dimensional subspace.

Accumulation of Kernels and Effective Rank

In the first stage of Rainbow, there are o1 = v2 − v1 equations and v2

• variables. The rank should be v2. But if your guess corresponds to

x1 = x2 = · · · = xv1 = 0, then about 1/q of the time we find a kernel. The easy way to see this is that there are qo1−1 different kernels. We say that “effectively the rank is v1 + 1”.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 24 / 27

Rainbow Band Separation

Extension to UOV reconciliation to use the special Rainbow form.

n variables, n + m − 1 quadratic equations

1 Let wi := w′

i − λiw′ n for i ≤ v, wi = w′ i for i > v. Evaluate z in w′.

2 Find m equations by letting all (w′

n)2 terms vanish; there are v of λi’s.

3 Set all cross-terms involving w′

n in

z1 − σ(1)

1 zv+1 − σ(1) 2 zv+2 − · · · − σ(1)

• zm to be zero and find n − 1

more equations.

4 Solve m + n − 1 quadratic equations in o + v = n unknowns. 5 Repeat, e.g. next set w′

i := w′′ i − λiw′′ n−1 for i < v, and let every

(w′′

n−1)2 and w′′ n w′′ n−1 term be 0. Also set

z2 − σ(2)

1 zv+1 − σ(2) 2 zv+2 − · · · − σ(2)

• zm to have a zero second-to-last
• column. [2m + n − 2 equations in n unknowns.]

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 25 / 27

Rainbow - Summary

no weaknesses found since 2007 efficient, much faster than RSA suitable for low cost devices shorter signatures and smaller key sizes than UOV

Parameters

security parameters public key private key hash size signature level (bit) F, v1, o1, o2 size (kB) size (kB) (bit) (bit) 80 F16,20,20,20 33.4 22.3 160 228 F256,19,12,13 25.3 19.3 200 352 100 F16,25,25,25 65.9 43.2 200 288 F256, 27,16,16 57.2 44.3 256 472 128 F16,32,32,32 136.6 87.6 256 368 F31,28,28,28 123.2 74.5 280 420 F256,36,21,22 136.0 102.5 344 632 192 F16,48,48,48 475.9 301.8 384 564 F31,44,40,40 360.1 245.2 420 630 256 F16,64,64,64 1,194.4 763.9 512 776

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 26 / 27

References

Pa97 J. Patarin: The oil and vinegar signature scheme, presented at the Dagstuhl Workshop on Cryptography (September 97) KS98 A. Kipnis, A. Shamir: Cryptanalysis of the Oil and Vinegar Signature scheme. CRYPTO 1998, LNCS vol. 1462, pp. 257–266. Springer, 1988. KP99 A. Kipnis, J. Patarin, L. Goubin: Unbalanced Oil and Vinegar Schemes. EUROCRYPT 1999. LNCS vol. 1592, pp. 206–222 Springer, 1999. DS05 J. Ding, S. Schmidt: Rainbow, a new multivariate polynomial signature scheme. ACNS 2005. LNCS vol. 3531,

• pp. 164–175 Springer, 2005.

DY08 J. Ding, B.Y. Yang, C.H.O. Chen, M.S. Chen, C.M. Cheng: New Differential-Algebraic Attacks and Reparametrization of

• Rainbow. ACNS 2008, LNCS 5037, pp.242–257, Springer

2008.

B.-Y. Yang (Academia Sinica) UOV and Rainbow PQC Mini School 27 / 27

Multivariates Part 4: Implementation on Modern CPUs

Bo-Yin Yang

Academia Sinica

Taipei, Taiwan Thursday, 28.06.2018

Why are MPKCs Worth Studying?

Diversification Efficiency

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 2 / 24

Why are MPKCs Worth Studying?

Diversification: Future-proof against quantum computers. Efficiency: Faster than “traditional” PKCs.

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 2 / 24

Why are MPKCs Worth Studying?

Diversification: Future-proof against quantum computers. Efficiency: Faster than “traditional” PKCs. ... Maybe.

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 2 / 24

Rate-Determining Mechanisms for MPKCs

Key Generation

Evaluation of coefficients

Public Maps

Evaluating a generic set of quadratic polynomials in K = Fq

Private Maps

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 3 / 24

Rate-Determining Mechanisms for MPKCs

Key Generation

Evaluation of coefficients: Often as differentials of public map. Sometimes, by brute force!

Public Maps

Evaluating a generic set of quadratic polynomials in K = Fq

Private Maps

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 3 / 24

Rate-Determining Mechanisms for MPKCs

Key Generation

Evaluation of coefficients

Public Maps

Evaluating a generic set of quadratic polynomials in K = Fq usually as a matrix multiplying the vector of monomials

Private Maps

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 3 / 24

Rate-Determining Mechanisms for MPKCs

Key Generation

Evaluation of coefficients

Public Maps

Evaluating a generic set of quadratic polynomials in K = Fq

Private Maps

UOV Solving linear systems of equations in K = Fq Rainbow Like UOV plus mini “Public Map” C ∗ High powers in L = Fqn HFE Equation solving in L = Fqn (general arithmetic) kHFE Like HFE plus an elimination in L

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 3 / 24

Practical Side of Computing

Moore’s law

Transistor budget doubles every 18–24 months

Memory Latencies vs Clock Speeds

Year Hi-End CPU MHz DRAM 1979 Z80 2 500ns 1984 80286 10 400ns 1989 80486 40 300ns 1994 Pentium 100 250ns 1999 Athlon 750 200ns 2004 Pentium 4 3800 160ns 2009 Core i7 3200 130ns 2014 Core i7 3400 120ns

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 4 / 24

Are MPKCs Still Fast?

Progress in high-precision arithmetic

◮ In 80’s, CPUs computed one 32-bit integer product every 15–20 cycles ◮ In 2000, x86 CPUs computed one 64-bit product every 3–10 cycles ◮ Core i7’s today produces one 128-bit product every 1 cycle ◮ Marvelous for ECC (and RSA)

In contrast, progress in F2q arithmetic is slow

◮ 6502 or 8051: a dozen cycles via three table look-ups ◮ Modern x86: roughly same that many cycles

Moore’s law favors computation, not so much memories

◮ Memory access speed increased at a snail’s pace

Wang et al. made life even harder for MPKCs

◮ Forcing longer message digests ◮ RSA untouched B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 5 / 24

Questions We Want to Answer

Can all the extras on modern commodity CPUs help MPKCs as well? How have architectural changes affected implementation choices? If so, how do MPKCs compare to traditional PKCs today?

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 6 / 24

*SSE*, the X86 Vector Instruction Set Extensions

As packed 8-, 16-, 32- or 64-bit operands Move xmm to/from xmm, memory (even unaligned), x86 registers Shuffle data and pack/unpack on vector data Bit-wise logical operations like AND, OR, NOT, XOR Shift left, right logical/arithmetic by units, or entire xmm byte-wise Add/subtract on 8-, 16-, 32- and 64-bits Multiply 16-bit and 32-bits in various ways VPSHUFB (32 nibble-to-byte lookup in 1 cycle) and PALIGNR (256-bit bytewise rotation) quite powerful

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 7 / 24

(V)PSHUFB

“Packed Shuffle Bytes”

◮ Source: (x0, . . . , x15) ◮ Destination: (y0, . . . , y15) ◮ Result: (yx0 mod 32, . . . , yx15 mod 32), treating y16, . . . , y31 as 0

VPSHUFB = two individual PSHUFBs

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 8 / 24

Speeding Up MPKCs over F16

TT : 16 × 16 table, with TTi,j = i ∗ j, 0 ≤ i, j < 16 To compute av, a ∈ F16, v ∈ (F16)16

◮ xmm ← a-th row of TT ◮ av ← PSHUFB xmm,v

Works similarly for a ∈ (F16)2, v ∈ (F16)32

◮ Need to unpack, do PSHUFBs, then pack

Delivers 2× performance over simple bit slicing in private map evaluation of rainbow and TTS Some other platforms also have similar instructions

◮ AMD’s SSE5: PPERM (superset of PSHUFB) ◮ IBM POWER AltiVec/VMX: PERMU ◮ ARM’s TBL B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 9 / 24

Speeding Up MPKCs over F256

Nibble Slicing

TL : 256 × 16 table, with TLi,j = i ∗ j, 0 ≤ i < 256, 0 ≤ j < 16 TH : 256 × 16 table, with THi,j = i ∗ (16j), 0 ≤ i < 256, 0 ≤ j < 16 To compute av, a ∈ F256, v ∈ (F256)16

◮ avi = a(16⌊vi/16⌋) + a(vi mod 16), 0 ≤ i < 16

v′

i ← a(16⌊vi/16⌋)

◮ v′

i ← ⌊vi/16⌋ (SHIFT)

◮ xmm ← a-th row of TH ◮ v′ ← PSHUFB xmm,v′

vi ← a(vi mod 16)

◮ vi ← vi mod 16 (AND) ◮ xmm ← a-th row of TL ◮ v ← PSHUFB xmm,v

av ← v + v′ (OR)

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 10 / 24

Arithmetic in F2k

PCLMULQDQ: F2[x]<64 × F2[x]<64 = F2[x]<128

Of course you use it if you can, sheesh.

Bit-Slicing Log/Exp Tables to a generator g Multiplication Tables in Memory (Parallel by VPSHUFB)

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 11 / 24

Arithmetic in F2k

PCLMULQDQ: F2[x]<64 × F2[x]<64 = F2[x]<128 Bit-Slicing

Highly parallel — 32/64/128 multiplies at the same time Often requires rearranging of data Parameters can result in awkward dimensions like 1 + (word size)

• nly good for F2 and F4.

Log/Exp Tables to a generator g Multiplication Tables in Memory (Parallel by VPSHUFB)

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 11 / 24

Arithmetic in F2k

PCLMULQDQ: F2[x]<64 × F2[x]<64 = F2[x]<128 Bit-Slicing Log/Exp Tables to a generator g

Compute xy as glogg x+logg y if neither is zero. log 0 needs to special (−42 for VPSHUFB) 3 lookups per mult, some logs can be pre-computed Time-constant but method of last choice.

Multiplication Tables in Memory (Parallel by VPSHUFB)

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 11 / 24

Arithmetic in F2k

PCLMULQDQ: F2[x]<64 × F2[x]<64 = F2[x]<128 Bit-Slicing Log/Exp Tables to a generator g Multiplication Tables in Memory (Parallel by VPSHUFB)

One VPSHUFB per many multiplications in F16 How do we do time-constant Table Lookups?

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 11 / 24

Arithmetic in F2k

PCLMULQDQ: F2[x]<64 × F2[x]<64 = F2[x]<128 Bit-Slicing Log/Exp Tables to a generator g Multiplication Tables in Memory (Parallel by VPSHUFB)

Build Multiplication Tables by x0, x1, . . . on the Fly:

1 Have fixed tables 0×, 1×, 0x2×, 0x3×, . . . 2 VPSHUFB to get: 0 × [x0, x1, . . .], 1 × [x0, x1, . . .], 0x2 × [x0, x1, . . .], 3 Transpose, now we can multiply by x0, x1, . . . B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 11 / 24

Some Interesting Design Choices

System and Architecture-Dependent Stuff

Key Generation Matrix-to-Vector-Multiply and Evaluating Public Maps Tower Field Arithmetic System- and Equation-Solving

◮ Pre-scripted Gr¨

• bner Basis Computation

◮ Iterative Methods vs. Gaussian Eliminations ◮ Cantor-Zassenhaus vs. Berlekamp B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 12 / 24

Key Generation

Matsumoto-Imai’s notaton: zk :=

• i

wi

• Pik + Qikwi +
• j<i

Rijkwj

• .

Usual Way: as differentials of public map P = (p1, . . . , pm)

for q > 2, we choose any a = 0, 1 and get Qik := (a(a − 1))−1 (pk(avi) − apk(vi)) Pik := pk(vi) − Qik Rijk := pk(vi + vj) − Qik − Qjk − Pik − Pjk For F2, it becomes Pik := pk(vi) Rijk := pk(vi + vj) − Pik − Pjk (vi means the unit vector on the i-th direction)

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 13 / 24

Evaluating Public Maps

Naive Way (and on µP’s still)

zk =

i wi

• Pik + Qikwi +

i<j Rijkwj

• For better memory access pattern

1 c ← [wT, (wiwj)i≤j]T 2 z ← Pc, where P is the m × n(n + 3)/2 public-key matrix

How to do Matrix-to-Vector mults

Microcontrollers Naively Somewhat newer CPUs Bit-slicing for F2k With more cache Big look-up tables (with nibble-slicing) Newest architectures More or less naively, with SSE*

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 14 / 24

MPKCs over Odd Prime Fields

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 15 / 24

MPKCs over Odd Prime Fields

Are you out of your mind?

XOR is easy, addition mod q is not. How can it possibly be faster?

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 15 / 24

MPKCs over Odd Prime Fields

Are you out of your mind?

XOR is easy, addition mod q is not. How can it possibly be faster?

It’s more than about speed

Good for defending against Gr¨

• bner basis attacks

◮ The field equation X q − X = 0 becomes much less useful

SSE* gives you parallel arithmetic on small integers,

◮ and you only need to parallelize 4 or 8 at a time.

Do you know how many 18-bit multipliers there are on an FPGA?

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 15 / 24

Basic Building Blocks for Speeding Up Odd MPKCs

PMULHRSW

takes upper half in a rounded signed product of two 16-bit words, ⌈xy/215⌋, good for reduction mod q

VPMADDUSBW

Packed Multiply and Add, Unsigned and Signed Byte to Word

◮ Source: (x0, . . . , x31) Unsigned ◮ Destination: (y0, . . . , y31) Signed ◮ Result: (x0y0 + x1y1, x2y2 + x3y3, . . . , x30y30 + x31y31)

Helpful in evaluating z = Pc, piece by piece

◮ Let Q be a 16 × 2 submatrix of P ◮ dT be the corresponding 2 × 1 submatrix of c ◮ r1 ← (Q11, Q12, Q21, Q22, . . . , Q15,1, Q15,2) ◮ r2 ← (d1, d2, d1, d2, . . . , d1, d2) ◮ VPMADDUSBW r1, r2 computes Qd ◮ Continue in 16-bits until reduction modq needed.

Saves a few modq operations and delivers 1.5× performance

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 16 / 24

Big look-up tables for matrix multiplication

As suggested by Berbain et al, SAC 2006

Pre-compute av for each column v in any constant matrix Read off the appropriately offset vector as needed Can nibble-slice F16/F256 into F16/F4 Obviously minimizes the need for operations

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 17 / 24

Big look-up tables for matrix multiplication

As suggested by Berbain et al, SAC 2006

Pre-compute av for each column v in any constant matrix Read off the appropriately offset vector as needed Can nibble-slice F16/F256 into F16/F4 Obviously minimizes the need for operations

Unbelievably ...

Slower than SSE on any modern CPU!

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 17 / 24

Big look-up tables for matrix multiplication

As suggested by Berbain et al, SAC 2006

Pre-compute av for each column v in any constant matrix Read off the appropriately offset vector as needed Can nibble-slice F16/F256 into F16/F4 Obviously minimizes the need for operations

Unbelievably ...

Slower than SSE on any modern CPU!

When L2 isn’t fast enough

SSE instructions have a reverse throughput of 1 cycle today memory access is linear when using SSE L2 latency 20+ cycles; LUT reads not regular enough No way around this today :(

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 17 / 24

Remarks on Getting More Performance

Laziness often leads to optimality

Do not always need the tightest range The less reductions, the better! The less memory access, the better! The more regular memory access, the better! Packing Fq-blocks into binary can use more bits than necessary as long as the map is injective and convenient to compute

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 18 / 24

Wiedemann vs. Gauss Elimination modq

How to solve a medium-sized dense linear system?

◮ Wiedemann iterative solver for Ax = b ⋆ Compute zAib for some z ⋆ Compute minimal polynomial using Berlekamp-Massey ◮ Requires O(2n3) field multiplications ◮ Straightforward Gauss elimination requires O(n3/3)

However, Wiedemann involves much less reductions modulo q However, everything has to be constant-time At the moment Gaussian beats Wiedemann.

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 19 / 24

To Solve Equation(s) in a Big Tower Field over Fq

Scripted Gr¨

• bner Basis Computation

From 3 quadratic equations in 3 variables, we in succession run Gaussian eliminations on matrices of dimensions 3 × 10, 11 × 19, 8 × 16, 5 × 13, with many coefficients that we know to be zero in advance, to reach a degree-8 equation. You can call this a tailored matrix-F4.

Cantor-Zassenhaus (instead of Berlekamp)

1 Replace u(X) by gcd(u(X), X qk − X) so that u splits in L. 1

Compute and tabulate X d mod u(X), . . . , X 2d−2 mod u(X).

2

Compute X q mod u(X) via square-and-multiply.

3

Compute and tabulate X qi mod u(X) for i = 2, 3, . . . , d − 1.

4

Compute X qi mod u(X) for i = 2, 3, . . . , k, then X qk mod u(X).

2 Do gcd

• v(X)(qk−1)/2 − 1, u(X)
• for random v(X) with

deg v < deg u, to find nontrivial factor ≥ 1

2 of the time; repeat as

needed.

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 20 / 24

To Solve Equation(s) in a Big Tower Field over Fq

Scripted Gr¨

• bner Basis Computation

From 3 quadratic equations in 3 variables, we in succession run Gaussian eliminations on matrices of dimensions 3 × 10, 11 × 19, 8 × 16, 5 × 13, with many coefficients that we know to be zero in advance, to reach a degree-8 equation. You can call this a tailored matrix-F4.

Cantor-Zassenhaus (instead of Berlekamp)

1 Replace u(X) by gcd(u(X), X qk − X) so that u splits in L. 1

Compute and tabulate X d mod u(X), . . . , X 2d−2 mod u(X).

2

Compute X q mod u(X) via square-and-multiply.

3

Compute and tabulate X qi mod u(X) for i = 2, 3, . . . , d − 1.

4

Compute X qi mod u(X) for i = 2, 3, . . . , k, then X qk mod u(X).

2 Toss everything away and repeat unless there is a single solution. B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 20 / 24

Anything else New For F2k?

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 21 / 24

Anything else New For F2k?

Not Really.

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 21 / 24

Anything else New For F2k?

Not Really.

Ok, So we implemented some Additive-FFT based multiplication using (V)PSHUFB TRUNCATED Additive-FFT too

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 21 / 24

Performance on Xeon E3-1245v3 (Haswell) 3.4GHz

Table: 128-bit MPKCs on Intel Haswell.

schemes gen-key() sign() verify() M cycles k cycles k cycles Rainbow(16,32,32,32) 154.7 89.9 22.8 Rainbow(31,28,28,28) 93.4 77.4 70.8 Rainbow(256,28,20,20) 581.0 121.6 19.0 PFLASH(16,96-1,64) 78.8 226.0 22.6 GUI(2,240,9,16,16,3) 484.2 4,445.4 197.6 MQDSS-31-64 a 1.827 8,510.6 5,752.6 ECDSA(NIST P256) b 0.286 377.1 901.5 Ed25519 b 0.066 61.0 185.1 RSA-2048 b 233.7 5,240.2 66.4 RSA-3072 b 844.4 15,400.9 119.3

a on Core i7-4770K (Haswell) 3.5GHz. b eBACS on Xeon E3-1275 v3 (haswell) at 3.5GHz.

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 22 / 24

Continued: Non-PCLMULQDQ CPUs

We also implemented without PCLMULQDQ, using additive FFT and (V)PSHUFB.

Table: Benchmark of 128-bit MPKCs on SSE-only Platforms schemes gen-key() sign() verify() M cycles k cycles k cycles PFLASH(16,96-1,64) 3,269 908.6 32.8 GUI(4,120,17,8,8,2) 510 121,287 1,583.6

Conclusions and Remarks

It is very important to tune to your architecture. MPKCs still competitive speedwise Intel’s new vector instruction set did double the MPKC throughput.

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 23 / 24

Thanks for Listening!

Questions or comments?

B.-Y. Yang (Academia Sinica) MPKCs on x86 64 PQC Mini School 24 / 24