Slide 1: Multivariate Digital Signature Schemes
Jiun-Ming Chen
http://www.math.ntu.edu.tw/~jmchen
Slide 2: Outline
• Elements of Cryptography
• Applications of Public-Key Cryptography
• Multivariate Digital Signatures
• Tame Transformation Signature
• Performance and Cryptanalysis
Slide 3: Basics
• A cryptosystem consists of an algorithm together with all possible keys, plaintexts, and ciphertexts.
• Its security rests on the secrecy of its keys, not on the secrecy of its algorithm (Kerckhoffs's principle).
• In mathematical language: the type of the function is known, but its parameters are secret.
Slide 4: Two Types of Cryptosystems
• Symmetric Key Cryptosystems (Secret Key)
• Public Key Cryptosystems (Asymmetric Key)
Slide 5: Symmetric Key Cryptosystems
Plaintext → Encrypt (symmetric key) → Ciphertext → Decrypt (the same symmetric key) → Plaintext
DES (Data Encryption Standard)
AES (Advanced Encryption Standard): bytes are treated as elements of GF(2^8)
Slide 6: Public Key Cryptosystems
Plaintext → Encrypt (public key) → Ciphertext → Decrypt (private key) → Plaintext
The most famous and important PKC: RSA
(Ron Rivest, Adi Shamir, Len Adleman, 1977)
Slide 7: In Math Language ...
Find a function f such that
1. f^-1 exists but is hard to find (computationally infeasible).
2. Given x, it is easy to compute y = f(x) with the public f.
3. Given y, it is hard to find x = f^-1(y), unless some secret information about f^-1 is known.
Such an f is called a trapdoor one-way function.
Slide 8: Digital Signatures
Message → Sign (private key) → Signature
Signature → Verify (public key)
Slide 9: Public Key Infrastructure
• CA (Certificate Authority), RA (Registration Authority)
• Confidentiality, Authentication, Integrity, Non-repudiation
• Digital signatures are the core technology of public key infrastructure (PKI).
Slide 10: Two Major Categories of PKC
• Univariate: many bytes are concatenated to represent one element of a huge algebraic structure (usually a group).
• Multivariate: compositions of mappings given by multivariate polynomials over a small finite field (GF(2^8) is a natural choice).
• Miscellaneous: e.g. NTRU.
Slide 11: Univariate Digital Signature Schemes
• RSA-PSS (Probabilistic Signature Scheme)
• ECDSA (Elliptic Curve Digital Signature Algorithm)
  - discrete logarithm problem on elliptic curves
• DSA (Digital Signature Algorithm)
  - DSS (Digital Signature Standard), the US government standard
  - discrete logarithm problem: find x satisfying a^x ≡ b (mod p)
Slide 12: Brief of RSA
• Encrypt or Verify: c ≡ m^e (mod n), with e public
• Decrypt or Sign: m ≡ c^d (mod n), with d private
• Widely used at the time of this talk: n = pq with 1024 bits (1024-bit moduli are no longer considered adequate; 2048 bits is the usual minimum today)
• Numbers of size ≈ 2^1024 are manipulated
Slide 13: Multivariate Digital Signature Schemes
• Shamir-Schnorr-Ong (1984)
• Imai-Matsumoto’s C* (1988)
• Shamir’s Birational Permutation Schemes (1993)
• Oil and Vinegar (1997)
• QUARTZ (2000)
• FLASH / SFLASH (2000)
• TTS - Tame Transformation Signatures
Slide 14: Common Design
• Composition of mappings
• Public quadratic polynomials
• F1 and Fk are affine (Y = AX + B)
1. Generation: P → F1 → F2 → ... → Fk → C (each step easy)
2. Encryption: P → E → C is easy; going back from C to P is hard without the trapdoor
3. Decryption: P ← D1 ← D2 ← ... ← Dk ← C (each step easy, Di being the inverse of Fi)
Slide 15: Signature Schemes in NESSIE
• Phase I: ACE-SIGN, ECDSA, ESIGN, FLASH, SFLASH, QUARTZ, RSA-PSS.
• Phase II: ECDSA, ESIGN, SFLASH, QUARTZ, RSA-PSS.
• Final selection:
  - ECDSA (Certicom Corp., USA and Canada), 160+ bits
  - RSA-PSS (RSA Laboratories, USA), 1536+ bits
  - SFLASH (Schlumberger, France)
Slide 16: Why SFLASH?
• NESSIE's comment on SFLASH: "...very efficient on low cost smart cards, where the size of the public key is not a constraint."
• Facts:
  - TTS is even more efficient than SFLASH on low cost smart cards, and has smaller keys.
  - The size of the public key is NOT a constraint for TTS, since keys can be generated on the card easily.
• SFLASH was broken after this talk: Dubois, Fouque, Shamir and Stern, "Practical Cryptanalysis of SFLASH", CRYPTO 2007.
Slide 18: Comparison on Pentium III/500
Data for ECDSA, RSA-PSS, and SFLASH from the NESSIE Performance Report.

Scheme            ECDSA (163 bits)   RSA-PSS (1024 bits)   SFLASH (26,37)   TTS (20,28)
Key Setup         1.6 ms             2.7 sec               1.5 sec          15.8 ms
Signing           1.9 ms             84 ms                 2.8 ms           0.045 ms
Verifying         5.1 ms             2.0 ms                0.39 ms          0.25 ms
Signature Size    326 bits           1024 bits             259 bits         224 bits
Public Key Size   48 bytes           128 bytes             15.4 KB          8.6 KB
Private Key Size  24 bytes           320 bytes             2.4 KB           1.4 KB
Slide 19: Comparison on Smart Cards
Data for ECDSA, RSA-PSS, and SFLASH from the proceedings of PKC 2003.

Scheme          Platform (T number)                      Clock      Pr. Key   Code     RAM      Signing
TTS (20,28)     Intel 8051AH (12T)                       3.57 MHz   1.4 KB    1.5 KB   128 B    144 ms
TTS (20,28)     Winbond W77E58 (4T)                                 1.4 KB    1.6 KB            64 ms
TTS (24,32)     Intel 8051AH (12T)                                  1.5 KB    1.5 KB            191 ms
TTS (24,32)     Winbond W77E58 (4T)                                 1.5 KB    1.6 KB            85 ms
SFLASH (26,37)  Intel 8051AH (12T)                                  2.4 KB    3.3 KB   344 B    1.07 sec
SFLASH (26,37)  Infineon SLE66 (2T)                      10 MHz     2.4 KB                      59 ms
RSA-PSS 1024                                                        320 B     N/A      > 1 KB   many sec
RSA-PSS 1024    Infineon SLE66 (2T), with co-processor   5 MHz      320 B                       230 ms
RSA-PSS 2048    Infineon SLE66 (2T), with co-processor              640 B                       1.1 sec
ECDSA 191                                                10 MHz     24 B                        180 ms

Blank cells were merged with a neighbouring cell, or not given, on the slide as transcribed.
Slide 20: Tame Transformations
• Introduced from algebraic geometry by T. Moh.
Φ: K^n → K^n is defined by
  y1 = x1
  y2 = x2 + f2(x1)
  y3 = x3 + f3(x1, x2)
  y4 = x4 + f4(x1, x2, x3)
  ...
  yn = xn + fn(x1, x2, ..., xn-1)
The fi are polynomials; the indices of the xi can be permuted.
Slide 21: Pre-images and Inverses
  x1 = y1
  x2 = y2 − f2(x1)
  x3 = y3 − f3(x1, x2) = y3 − f3(y1, y2 − f2(y1))
  x4 = y4 − f4(x1, x2, x3) = y4 − f4(y1, y2 − f2(y1), y3 − f3(y1, y2 − f2(y1)))
  ...
  xn = yn − fn(x1, x2, ..., xn-1) = yn − fn(y1, y2 − f2(y1), ..., yn-1 − fn-1(...))
Slide 22: History
• Tame transformations have a long and distinguished history in algebraic geometry. Thousands of papers have been published studying automorphism groups of affine spaces and embedding theory in mathematics.
• Question: Auto(K^N) = Tame(K^N)?
  Auto(K^2) = Tame(K^2): van der Kulk, 1953.
  Still an open problem for N > 2 when these slides were written. (The case N = 3 in characteristic zero has since been settled in the negative by Shestakov and Umirbaev, 2004.)
Slide 23: Factorization in Tame(K^N)
• Given an element π ∈ Tame(K^N), N > 2, there is no known way to factor π = φt ∘ ... ∘ φ1. That is, there is no factorization theorem for N > 2.
• Nagata's example, 1972:
  y1 = x1
  y2 = x2 + x1 (x1 x3 + x2^2)
  y3 = x3 − 2 x2 (x1 x3 + x2^2) − x1 (x1 x3 + x2^2)^2
  (The factor 2 in the middle term of y3 belongs to the standard form of Nagata's map; it is what makes y1 y3 + y2^2 = x1 x3 + x2^2, so that the map is an automorphism.)
  Is it in Tame(K^3)? Nobody could answer when these slides were written; Shestakov and Umirbaev (2004) later proved that in characteristic zero it is not (it is a wild automorphism).
Slide 24: TTS (Tame Transformation Signature)
• Φ = φ3 ∘ φ2 ∘ φ1 is surjective (not bijective).
• φ1 and φ3 are affine maps.
• φ2 is a tame-like transformation.
• We use slightly more complicated central maps to defend against rank attacks.
Slide 25: Toy Example: GF(2)^5 → GF(2)^3
         φ1              φ2              φ3
  w ――――――――→ x ――――――――→ y ――――――――→ z
  x = M1 w + c1     y2 = x2 + x0 x1     z = M3 y + c3
                    y3 = x3 + x1 x2
                    y4 = x4 + x2 x3
Private key: M1^-1, M3^-1, c1, c3
Public key: z = Φ(w) = φ3 ∘ φ2 ∘ φ1 (w)
Signing: w = φ1^-1(φ2^-1(φ3^-1(z)))
Verifying: z' = Φ(w); is z' = z ?
Slide 26: Concrete Test Values
Public key:
  z0 = w0 + w1 + w2 + w3 + w0 w1 + w0 w2 + w1 w3 + w1 w4 + w2 w4 + w3 w4
  z1 = w2 + w4 + w0 w3 + w1 w2 + w1 w3 + w1 w4 + w2 w3 + w2 w4 + w3 w4
  z2 = w0 + w2 + w0 w2 + w0 w3 + w0 w4 + w1 w2 + w1 w3 + w1 w4 + w2 w3 + w3 w4
Note that wi^2 = wi in GF(2).

       | 1 0 0 1 1 |        | 1 |        | 1 1 1 |        | 0 |
       | 1 1 0 1 0 |        | 1 |        | 1 0 1 |        | 1 |
  M1 = | 1 0 1 0 0 | , c1 = | 0 | , M3 = | 1 1 0 | , c3 = | 0 |
       | 1 1 1 0 1 |        | 1 |
       | 0 1 0 1 0 |        | 0 |

Check: with the fourth row of M1 as printed above, M1 is singular over GF(2) (its first four rows sum to zero). The public key polynomials above and the signature worked out on the following slides are reproduced exactly if that row is taken as (1 1 1 1 1); the row as printed is most likely a transcription error.
Slide 27: Signing a Mini Message (1/3)
         φ1^-1           φ2^-1           φ3^-1
  w ←―――――――― x ←―――――――― y ←―――――――― z
  x = M1 w + c1     1 = y2 = x2 + x0 x1     z = M3 y + c3
                    1 = y3 = x3 + x1 x2     y = M3^-1 (z − c3)
                    1 = y4 = x4 + x2 x3
• Assume a mini message to sign: z = (1,1,0).
• Then y = M3^-1 (z − c3) = (1,1,1).
Slide 28: Signing a Mini Message (2/3)
         φ1^-1           φ2^-1           φ3^-1
  w ←―――――――― x ←―――――――― y ←―――――――― z
  x = M1 w + c1     1 = y2 = x2 + x0 x1     z = M3 y + c3
                    1 = y3 = x3 + x1 x2     y = M3^-1 (z − c3)
                    1 = y4 = x4 + x2 x3
• Assigning values to x0 and x1 forces the rest.
  - Randomly take x0 = 1, x1 = 0; then x2 = 1, x3 = 1, x4 = 0.
  - All possible x: (0,0,1,1,0), (0,1,1,0,1), (1,0,1,1,0), (1,1,0,1,1).
Slide 29: Signing a Mini Message (3/3)
         φ1^-1           φ2^-1           φ3^-1
  w ←―――――――― x ←―――――――― y ←―――――――― z
  x = M1 w + c1         y2 = x2 + x0 x1     z = M3 y + c3
  w = M1^-1 (x − c1)    y3 = x3 + x1 x2     y = M3^-1 (z − c3)
                        y4 = x4 + x2 x3
• x = (1,0,1,1,0), so w = M1^-1 (x − c1) = (1,0,0,0,1) is a digital signature of z = (1,1,0).
• All possible signatures form an algebraic variety.
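The toy scheme of slides 25 to 29, with the tame-map inversion of slides 20 and 21 as its central step, worked in code. This is an added example, not the author's code. It uses the private key printed on slide 26 with one assumption, stated in the block: the fourth row of M1 is taken as (1 1 1 1 1), because the row as printed makes M1 singular. The message z = (1,1,0) is the mini message of slide 27. Beyond what the slides show, it also re-derives the public polynomials from the private key by interpolation on unit vectors, which is the check one runs to confirm that a generated key pair is consistent.

```python
"""Toy TTS of slides 25-29, GF(2)^5 -> GF(2)^3, worked end to end.

Added example, not the author's code.  Keys are those printed on slide 26,
except that the fourth row of M1 is taken as (1 1 1 1 1): as printed, (1 1 1 0 1),
M1 is singular over GF(2) and the public key would not match slide 26."""
from itertools import product

def matvec(M, v):
    """Matrix-vector product over GF(2); M is a list of rows of 0/1 ints."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def addvec(u, v):
    """Vector addition over GF(2) (XOR); also subtraction, since -1 = 1."""
    return [a ^ b for a, b in zip(u, v)]

def inverse(M):
    """Gauss-Jordan inverse over GF(2); returns None when M is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [a ^ b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]

M1 = [[1, 0, 0, 1, 1],   # private key of slide 26 (fourth row corrected, see above)
      [1, 1, 0, 1, 0],
      [1, 0, 1, 0, 0],
      [1, 1, 1, 1, 1],
      [0, 1, 0, 1, 0]]
C1 = [1, 1, 0, 1, 0]
M3 = [[1, 1, 1],
      [1, 0, 1],
      [1, 1, 0]]
C3 = [0, 1, 0]
M1_INV, M3_INV = inverse(M1), inverse(M3)
M1_AS_PRINTED = [row[:] for row in M1]
M1_AS_PRINTED[3] = [1, 1, 1, 0, 1]   # the fourth row exactly as printed on the slide

def phi2(x):
    """Tame-like central map: y_i = x_i + f_i(earlier x's); x0, x1 are dropped."""
    x0, x1, x2, x3, x4 = x
    return [x2 ^ (x0 & x1), x3 ^ (x1 & x2), x4 ^ (x2 & x3)]

def phi2_inverse(y, x0, x1):
    """Back-substitution of slide 21: fix the free x0, x1, then x2, x3, x4 follow."""
    y2, y3, y4 = y
    x2 = y2 ^ (x0 & x1)
    x3 = y3 ^ (x1 & x2)
    x4 = y4 ^ (x2 & x3)
    return [x0, x1, x2, x3, x4]

def public_map(w):
    """z = Phi(w) = phi3(phi2(phi1(w))), which is what the public key evaluates."""
    x = addvec(matvec(M1, w), C1)
    return addvec(matvec(M3, phi2(x)), C3)

def sign(z, x0, x1):
    """w = phi1^-1(phi2^-1(phi3^-1(z))) for one choice of the free variables."""
    y = matvec(M3_INV, addvec(z, C3))
    x = phi2_inverse(y, x0, x1)
    return matvec(M1_INV, addvec(x, C1))

def verify(w, z):
    return public_map(list(w)) == list(z)

def all_signatures(z):
    """Every valid signature of z: one per choice of (x0, x1), as on slides 28-29."""
    return sorted(tuple(sign(z, a, b)) for a, b in product((0, 1), repeat=2))

def public_polynomials():
    """Recover z_k = c + sum a_i w_i + sum_{i<j} b_ij w_i w_j by evaluating Phi
    at 0, at the unit vectors e_i and at e_i + e_j (w_i^2 = w_i over GF(2))."""
    n = 5
    e = [[int(j == i) for j in range(n)] for i in range(n)]
    const = public_map([0] * n)
    lin = [addvec(public_map(e[i]), const) for i in range(n)]
    polys = []
    for k in range(3):
        terms = {"1"} if const[k] else set()
        terms |= {f"w{i}" for i in range(n) if lin[i][k]}
        for i in range(n):
            for j in range(i + 1, n):
                # Phi(e_i + e_j)_k = c + a_i + a_j + b_ij, so b_ij is what is left
                if public_map(addvec(e[i], e[j]))[k] ^ lin[i][k] ^ lin[j][k] ^ const[k]:
                    terms.add(f"w{i}w{j}")
        polys.append(terms)
    return polys

if __name__ == "__main__":
    z = [1, 1, 0]                      # the mini message of slide 27
    w = sign(z, 1, 0)
    print(w, verify(w, z), all_signatures(z), public_polynomials(), sep="\n")
    print("M1 as printed is invertible:", inverse(M1_AS_PRINTED) is not None)
```

Running it reproduces the slides: sign(z, 1, 0) is (1,0,0,0,1), the four choices of (x0, x1) give the four x of slide 28 and four distinct valid signatures of z, and public_polynomials() returns exactly the three polynomials of slide 26. The last line reports that M1 as printed is not invertible, which is why the corrected row is needed.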
Slide 31: Central Map of TTS (24,32)
• Central map:
• In the current design of TTS, two systems of linear equations are solved by Gaussian elimination or the Lanczos method during signing.
Slide 32: Related Attacks
• Various rank attacks
  - Low rank attack
  - High rank attack (dual rank attack)
  - Separation of variables (Unbalanced Oil and Vinegar)
• Equation-solving methods
  - Gröbner bases
  - The XL family: XL, FXL, ...
Slide 33: Forging a Digital Signature
• Given z = (z1, ..., zm), forging a signature is equivalent to finding a solution w = (w1, ..., wn) of the system of equations z = Φ(w). That is,
  zk = Σ_{i<j} p_ijk wi wj + Σ_j q_jk wj^2 + Σ_j r_jk wj   for every k.
• Fact: solving a large system of multivariate quadratic equations over GF(q) (the MQ problem) is NP-hard. This is a worst-case guarantee; the attacks on the previous slide do not solve generic systems but exploit the structure that a particular trapdoor leaves in Φ.
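The forging problem stated on this slide, worked on the toy public key of slide 26, as an added example (not the author's code). It evaluates the three slide-26 polynomials directly, so it uses nothing from the private key, and finds every w with Φ(w) = z by exhaustive search. The 2^5 candidates here become (2^8)^28 = 2^224 for TTS(20,28), which is why a real forgery has to exploit structure (rank attacks, Gröbner bases, XL) rather than search. It also counts preimages for every z, showing that Φ on this toy is onto and exactly four-to-one, the "surjective, not bijective" property of slide 24.

```python
"""Forging on the toy TTS of slide 26 from the public key alone.

Added example, not the author's code.  The three public polynomials are copied
from slide 26; each is a set of monomials, a monomial being the tuple of indices
of the variables it multiplies (w_i^2 = w_i over GF(2), so no exponents)."""
from itertools import product

PUBLIC_KEY = [
    # z0 = w0 + w1 + w2 + w3 + w0w1 + w0w2 + w1w3 + w1w4 + w2w4 + w3w4
    {(0,), (1,), (2,), (3,), (0, 1), (0, 2), (1, 3), (1, 4), (2, 4), (3, 4)},
    # z1 = w2 + w4 + w0w3 + w1w2 + w1w3 + w1w4 + w2w3 + w2w4 + w3w4
    {(2,), (4,), (0, 3), (1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4)},
    # z2 = w0 + w2 + w0w2 + w0w3 + w0w4 + w1w2 + w1w3 + w1w4 + w2w3 + w3w4
    {(0,), (2,), (0, 2), (0, 3), (0, 4), (1, 2), (1, 3), (1, 4), (2, 3), (3, 4)},
]
N_VARS = 5

def evaluate(poly, w):
    """Value of one public polynomial at w: the number of monomials equal to 1, mod 2."""
    return sum(all(w[i] for i in mono) for mono in poly) & 1

def public_map(w):
    """z = Phi(w), computed exactly as a verifier would, from the public key only."""
    return tuple(evaluate(p, w) for p in PUBLIC_KEY)

def forge_by_search(z):
    """All w with Phi(w) = z by trying every input: q^n candidates, 2^5 = 32 here
    and (2^8)^28 = 2^224 for TTS(20,28), so this only works for the toy."""
    return [w for w in product((0, 1), repeat=N_VARS) if public_map(w) == tuple(z)]

def preimage_counts():
    """Number of valid signatures per message z: Phi is onto but four-to-one."""
    counts = {}
    for w in product((0, 1), repeat=N_VARS):
        z = public_map(w)
        counts[z] = counts.get(z, 0) + 1
    return counts

if __name__ == "__main__":
    print("forgeries of z=(1,1,0):", forge_by_search((1, 1, 0)))
    print("signatures per z:", preimage_counts())
</ ```

The search returns four signatures for z = (1,1,0), among them the (1,0,0,0,1) of slide 29; these four points are the algebraic variety mentioned there, and every one of the 8 possible z has exactly four.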
Slide 34: Gröbner Bases
• With a lexicographic order w1 > ... > wn, the Gröbner basis of z = Φ(w) usually contains
  hn(wn),
  wn-1 − hn-1(wn),
  ...
  w1 − h1(wn).
• Set hn(wn) = 0 and solve it over GF(q) with Berlekamp's algorithm. Then compute wn-1, ..., w1.
Slide 35: Algorithms
• Buchberger (1965)
• Faugère's F4 (1999)
• Faugère's F5 (2002)
• HFE Challenge 1 was broken by F5/2 in 2002 (80 variables in 80 equations over GF(2), with special inner structure).
Slide 36: XL at degree D
• Multiply each equation zi by every monomial of degree D − 2 or less, so that all products have degree at most D. Linearize by treating every monomial as a new variable.
• Perform Gaussian elimination, ordering the variables so that the monomials in one chosen variable (say w0) are eliminated last.
• Solve the resulting univariate equation for w0 with Berlekamp's algorithm. Repeat if any independent variable remains.
Slide 37: Mathematics Connected to XL
• Combinatorics: gives formulas for the parameter D0 (the minimal D needed by XL) in generic cases.
• Algebra: gives results on the behaviour of non-generic systems, including the Lemma of Operability. Of particular interest is Fröberg's "Maximal Rank Conjecture".
• Analysis: gives asymptotic estimates for XL and its variants.