Introduction To Multivariate Public Key Cryptography: Geovandro Carlos C. F. Pereira

Introduction to Multivariate Public
Key Cryptography
Geovandro Carlos C. F. Pereira
PhD advisor: Prof. Dr. Paulo S. L. M. Barreto
LARC - Computer Architecture and Networking Lab

Department of Computer Engineering and Digital Systems
Escola Politécnica
University of Sao Paulo
Slide 1
Agenda
• Motivation to Post-Quantum Crypto
• Introduction to MPKC
• Matsumoto-Imai Encryption
• UOV Signature
• Technique for Key Size Reduction
• Security Analysis
Slide 2
Motivation
Internet of Things (IoT)
Any object connected to the internet
Slide 3
Motivation
• Typical Platforms
Sensor node Arduino

Smartcard (Java Card)
Slide 4
Motivation
• Typical Platforms
Sensor node Arduino

Smartcard (Java Card)
• Resources
• Instruction set of 8, 16 or 32 bits
• Small amount of RAM(2-8 KiB) and ROM (32-128 KiB)
• Low clock: 5-40 MHz
• Energy is expensive
Slide 5
Motivation
• Symmetric Crypto: ok
Slide 6
Motivation
• Conventional Asymmetric Criptography: bottleneck
Security relies on a few computational problems.
Slide 7
Motivation
“Complex” operations (e.g. multiple-precision arithmetic).
Slide 8
Motivation
Threats in medium and long-terms:
• Shor [1997]
Quantum algorithm for DLP e IFP
Slide 9
Motivation
• Shor [1997]
• Barbulescu, Joux,...[2013]
Conventional algorithms for DLP over binary fields in quase-polynomial time
End of pairings over binary fields (it was the most suitable for WSNs)
Slide 10
Motivation
• Shor [1997]
• Barbulescu, Joux,...[2013]
Conventional algorithms for DLP over binary fields in quase-polynomial time
End of pairings over binary fields (it was the most suitable for WSNs)
• Need for alternatives!
Slide 11
Motivation
• Post-Quantum Cryptography
Cryptosystems that resist to quantum algorithms.
Slide 12
Motivation
Main lines of research:
• Hash-based
• Very efficient, large signatures.
Slide 13
Motivation
• Hash-based
• Code-based
• Public Key Encryption schemes
• Singatures (one-time, large keys)
Slide 14
Motivation
• Hash-based
• Code-based
• Lattice-based
• Encryption, Digital signatures, FHE
Slide 15
Motivation
• Hash-based
• Code-based
• Lattice-based
• Encryption, Digital signatures, FHE
• Multivariate Quadratic (MQ)

• Some digital signature schemes are robust (original UOV, 14 years)
• Most of the encryption constructions were broken (Jintai has a new perspective about it)
Slide 16
Motivation
• Conventional Public Key Cryptography
• Need coprocessors in smartcards.
• Low flexibility for use or optimizations.
Slide 17
Motivation
• Advantages of MPKC
• Simplicity of Operations (matrices and vectors).
• Small fields avoid multiple-precision arithmetic.
• Long term security. (prevention against spying)
• Efficiency
Signature generation in 804 cycles by Ding [ASAP 2008].
Slide 18
Motivation
• Advantages of MPKC
• Simplicity of Operations (matrices and vectors).
• Small fields avoid multiple-precision arithmetic.
• Long term security. (prevention against spying)
• Efficiency
Signature generation in 804 cycles by Ding [ASAP 2008].
• Main Challenge
• Relatively large key sizes.
Slide 19
•MPKC Constructions
Slide 20
Multivariate Public Key Cryptography
• Basic Property:
• Cryptosystems whose public keys are a set of multivariate polynomials.
Slide 21
Multivariate Public Key Cryptography
• Basic Property:
• Cryptosystems whose public keys are a set of multivariate polynomials.
• Notation: the public key is given as:
𝑃 𝑥1 , ⋯ , 𝑥𝑛 = (𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , 𝑝2 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 (𝑥1 , ⋯ , 𝑥𝑛 ))
Slide 22
MPKC Encryption
• Given a plaintext 𝑀 = 𝑥1 , ⋯ , 𝑥𝑛 .
Slide 23
MPKC Encryption
• Ciphertext is simply a polynomial evaluation:
𝑃 𝑀 = 𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 𝑥1 , ⋯ , 𝑥𝑛 = (𝑐1 , ⋯ , 𝑐𝑚 )
Slide 24
MPKC Encryption
• Ciphertext is simply a polynomial evaluation:
𝑃 𝑀 = 𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 𝑥1 , ⋯ , 𝑥𝑛 = (𝑐1 , ⋯ , 𝑐𝑚 )
• To decrypt one needs to know a trapdoor so that it is

feasible to invert the quadratic map to find the plaintext:
𝑥1 , ⋯ , 𝑥𝑛 = 𝑃−1 𝑐1 , ⋯ , 𝑐𝑚
Slide 25
MPKC Signature
• Public Key:
𝑃 𝑥1 , ⋯ , 𝑥𝑛 = 𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 𝑥1 , ⋯ , 𝑥𝑛
Slide 26
MPKC Signature
• Public Key:
𝑃 𝑥1 , ⋯ , 𝑥𝑛 = 𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 𝑥1 , ⋯ , 𝑥𝑛
• Private Key: a trapdoor for computing 𝑃−1 .
Slide 27
MPKC Signature
• Public Key:
𝑃 𝑥1 , ⋯ , 𝑥𝑛 = 𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 𝑥1 , ⋯ , 𝑥𝑛
• Sign: given a hash (ℎ1 , ⋯ , ℎ𝑚 ), compute
𝑥1 , ⋯ , 𝑥𝑛 = 𝑃−1 ℎ1 , ⋯ , ℎ𝑚
Slide 28
MPKC Signature
• Public Key:
𝑃 𝑥1 , ⋯ , 𝑥𝑛 = 𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 𝑥1 , ⋯ , 𝑥𝑛
𝑥1 , ⋯ , 𝑥𝑛 = 𝑃−1 ℎ1 , ⋯ , ℎ𝑚
• Verify: ℎ1 , ⋯ , ℎ𝑛 = 𝑃 𝑥1 , ⋯ , 𝑥𝑚
Slide 29
MPKC Signature
• Public Key:
𝑃 𝑥1 , ⋯ , 𝑥𝑛 = 𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 𝑥1 , ⋯ , 𝑥𝑛
𝑥1 , ⋯ , 𝑥𝑛 = 𝑃−1 ℎ1 , ⋯ , ℎ𝑚
• Verify: ℎ1 , ⋯ , ℎ𝑛 = 𝑃 𝑥1 , ⋯ , 𝑥𝑚
• All vars. and coeffs. are in the small field 𝑘.
Slide 30
Security
• Direct attack is to solve the set of equations:
𝑃 𝑀 = 𝑃 𝑝1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝑝𝑚 𝑥1 , ⋯ , 𝑥𝑛 = (𝑐1 , ⋯ , 𝑐𝑚 )
Slide 31
Security
• Solving a set of 𝑚 randomly chosen (nonlinear) equations

with 𝑛 variables is NP-complete.
Slide 32
Security
• Solving a set of 𝑚 randomly chosen (nonlinear) equations

with 𝑛 variables is NP-complete.
• But this does not necessarily ensure the security of the

systems.
Slide 33
Security
• Most of the schemes do not use exactly random maps.
Slide 34
Security

• Many systems have the structure
𝑃(𝑥1 , ⋯ , 𝑥𝑛 ) = 𝐿1 ∘ 𝐹 ∘ 𝐿2 (𝑥1 , ⋯ , 𝑥𝑛 )
Slide 35
Security

𝑃(𝑥1 , ⋯ , 𝑥𝑛 ) = 𝐿1 ∘ 𝐹 ∘ 𝐿2 (𝑥1 , ⋯ , 𝑥𝑛 )
• 𝐹 is a quadratic map with certain structure. (central map)
Slide 36
Security

𝑃(𝑥1 , ⋯ , 𝑥𝑛 ) = 𝐿1 ∘ 𝐹 ∘ 𝐿2 (𝑥1 , ⋯ , 𝑥𝑛 )

• This structure enables computing 𝐹 −1 easily.
Slide 37
Security

𝑃(𝑥1 , ⋯ , 𝑥𝑛 ) = 𝐿1 ∘ 𝐹 ∘ 𝐿2 (𝑥1 , ⋯ , 𝑥𝑛 )

• This structure enables computing 𝐹 −1 easily.
• 𝐿1 and 𝐿2 are full-rank linear maps used to hide 𝐹.
Slide 38
Security
• MQ-Problem: Given a set of 𝑚 quadratic polynomials in 𝑛

variables x = (𝑥1 , ⋯ , 𝑥𝑛 ), solve the system:
𝑝1 𝑥 = ⋯ = 𝑝𝑚 𝑥 = 0
Slide 39
Security
• MQ-Problem: Given a set of 𝑚 quadratic polynomials in 𝑛

variables x = (𝑥1 , ⋯ , 𝑥𝑛 ), solve the system:
𝑝1 𝑥 = ⋯ = 𝑝𝑚 𝑥 = 0
• IP-Problem: Given two polynomial maps 𝐹1 , 𝐹2 : 𝐾 𝑛 ⟶ 𝐾 𝑚 .

The problem is to look for two linear transformations 𝐿1 and
𝐿2 (if they exist) s.t.:
𝐹1 (𝑥1 , ⋯ , 𝑥𝑛 ) = 𝐿1 ∘ 𝐹 ∘ 𝐿2 (𝑥1 , ⋯ , 𝑥𝑛 )
Slide 40
Multivariate Quadratic
Construction
• MQ system with 𝑚 equations in 𝑛 vars, all coefs. in 𝔽𝑞 :
Polynomial notation:
𝑘 𝑘
𝑝𝑘 𝑥1 , … , 𝑥𝑛 ≔ 𝑃𝑖𝑗 𝑥𝑖 𝑥𝑗 + 𝐿𝑖 𝑥𝑖 + 𝑐 (𝑘)
𝑖,𝑗 𝑖
Vector notation:
𝑝𝑘 𝑥1 , … , 𝑥𝑛 = 𝑥𝑃 𝑘 𝑥 𝑇 + 𝐿(𝑘) 𝑥 + 𝑐 (𝑘)
Slide 41
(Pure) Quadratic Map
𝒫 𝑥 =ℎ ⇔
𝑥 𝑃(𝑘) 𝑥 𝑇 = ℎ𝑘 (𝑘 = 1, … , 𝑚)
𝑥𝑇
𝑥 ℎ𝑘
𝑃(𝑘) =
Slide 42
Matsumoto-Imai Cryptosystem
• Previously, many unsuccesfull attempts to construct an

encryption scheme.
• Small number of variables.
• Huge key sizes.
• In 1988, Matsumoto and Imai adopted a “Big” Field in their

C* construction.
Slide 43
• 𝑘 is a small finite field with 𝑘 = 𝑞.
Slide 44
• 𝐾 = 𝑘 𝑥 /(𝑔(𝑥)) a degree 𝑛 extension of 𝑘.
Slide 45
• The linear map 𝜙: 𝐾 → 𝑘 𝑛 and 𝜙 −1 : 𝑘 𝑛 → 𝐾 .
𝜙 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛−1 𝑥 𝑛−1 = (𝑎0 , 𝑎1 , ⋯ , 𝑎𝑛−1 )
Slide 46
𝜙 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛−1 𝑥 𝑛−1 = (𝑎0 , 𝑎1 , ⋯ , 𝑎𝑛−1 )
• Build a map 𝐹 over 𝐾 :
𝐹 = 𝐿1 ∘ 𝜙 ∘ 𝐹 ∘ 𝜙 −1 ∘ 𝐿2
where the 𝐿𝑖 are randomly chosen invertible maps over 𝑘 𝑛
Slide 47
𝜙 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑛−1 𝑥 𝑛−1 = (𝑎0 , 𝑎1 , ⋯ , 𝑎𝑛−1 )
• Build a map 𝐹 over 𝐾 :
𝐹 = 𝐿1 ∘ 𝜙 ∘ 𝐹 ∘ 𝜙 −1 ∘ 𝐿2
where the 𝐿𝑖 are randomly chosen invertible maps over 𝑘 𝑛

• Inversion of 𝐹 is related to the IP Problem
Slide 48
• The map 𝐹 adopted was:
𝐹 ∶𝐾⟶𝐾
𝜃 +1
𝑋 ⟼ 𝑋𝑞
Slide 49
𝐹 ∶𝐾⟶𝐾
𝜃 +1
𝑋 ⟼ 𝑋𝑞
• Let
𝐹 𝑥1 , ⋯ , 𝑥𝑛 = 𝜙 ∘ 𝐹 ∘ 𝜙 −1 𝑥1 , ⋯ , 𝑥𝑛 = (𝐹1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝐹𝑚 (𝑥1 , ⋯ , 𝑥𝑛 ))
Slide 50
𝐹 ∶𝐾⟶𝐾
𝜃 +1
𝑋 ⟼ 𝑋𝑞
• Let
𝐹 𝑥1 , ⋯ , 𝑥𝑛 = 𝜙 ∘ 𝐹 ∘ 𝜙 −1 𝑥1 , ⋯ , 𝑥𝑛 = (𝐹1 𝑥1 , ⋯ , 𝑥𝑛 , ⋯ , 𝐹𝑚 (𝑥1 , ⋯ , 𝑥𝑛 ))
• 𝐹𝑖 are quadratic polynomials because the map

𝑞 𝜃
𝑋⟼ 𝑋 is linear (it is the Frobenius automorphism of
order 𝜃).
Slide 51
• Encryption is done by the quadratic map over 𝑘 𝑛
𝐹 = 𝐿1 ∘ 𝜙 ∘ 𝐹 ∘ 𝜙 −1 ∘ 𝐿2
where 𝐿𝑖 are affine maps over 𝑘 𝑛 .
Slide 52
• Encryption is done by the quadratic map over 𝑘 𝑛
𝐹 = 𝐿1 ∘ 𝜙 ∘ 𝐹 ∘ 𝜙 −1 ∘ 𝐿2
where 𝐿𝑖 are affine maps over 𝑘 𝑛 .
• Decryption is the inverse process

𝐹 −1 = 𝐿−1
2 ∘𝜙∘𝐹
−1
∘ 𝜙 −1 ∘ 𝐿−1
1
Slide 53
• Requirement: G.C.D. 𝑞 𝜃 + 1, 𝑞 𝑛 − 1 = 1
to ensure the invertibility of the decryption map 𝐹 −1
Slide 54
• Requirement: G.C.D. 𝑞 𝜃 + 1, 𝑞 𝑛 − 1 = 1
to ensure the invertibility of the decryption map 𝐹 −1
• 𝐹 −1 𝑋 = 𝑋 𝑡 , 𝑋 ∈ 𝐾 where 𝑡 × 𝑞 𝜃 + 1 ≡ 1 𝑚𝑜𝑑(𝑞 𝑛 − 1).

• The public key includes 𝑘 and 𝐹 = (𝐹1 , ⋯ , 𝐹𝑛 )
• The private key includes 𝐿1 , 𝐿2 and 𝐾 .
Slide 55
UOV Signature
• Trapdoor to invert 𝐹 [Patarin]
Slide 56
UOV Signature
• ℎ = 𝐻𝑎𝑠ℎ(𝑀)
Slide 57
UOV Signature
• Split vars. into 2 sets: oil variables: O ≔ (𝑥1 , ⋯ , 𝑥𝑜 )
vinegar variables: 𝑉 ≔ (𝑥1′ , … , 𝑥𝑣′ )
Slide 58
UOV Signature
• Split vars. into 2 sets: oil variables: O ≔ (𝑥1 , ⋯ , 𝑥𝑜 )
vinegar variables: 𝑉 ≔ (𝑥1′ , … , 𝑥𝑣′ )
𝑓𝑘 𝑥1 , ⋯ , x𝑜 , 𝑥1′ , … , 𝑥𝑣′ = ℎ𝑘 =
𝑘 𝑘 𝑘 𝑘
= 𝐹𝑖𝑗 𝑥𝑖 𝑥′𝑗 + 𝐹𝑖𝑗 𝑥′𝑖 𝑥′𝑗 + 𝐿𝑖 𝑥𝑖 + 𝐿𝑖 𝑥′𝑖 + 𝑐 (𝑘)
𝑂×𝑉 𝑉×𝑉 𝑂 𝑉
Slide 59
UOV Signature
• Choose uniformly at random vinegars: 𝑉 ≔ (𝑥1′ , … , 𝑥𝑣′ )
𝑓𝑘 𝑥1 , ⋯ , x𝑜 , 𝑥1′ , … , 𝑥𝑣′ = ℎ𝑘 =
𝑘 𝑘 𝑘 𝑘
Slide 60
UOV Signature
• Fix vinegars: 𝑉 ≔ 𝑥1′ , … , 𝑥𝑣′
𝑓𝑘 𝑥1 , ⋯ , x𝑜 , 𝑥1′ , … , 𝑥𝑣′ = ℎ𝑘
𝑘 𝑘 𝑘 𝑘
• This becomes an 𝑜𝑥𝑜 system of linear equations.
Slide 61
UOV Signature
• Fix vinegars: 𝑉 ≔ 𝑥1′ , … , 𝑥𝑣′
𝑓𝑘 𝑥1 , ⋯ , x𝑜 , 𝑥1′ , … , 𝑥𝑣′ =
𝑘 𝑘 𝑘 𝑘
• This becomes an 𝑜𝑥𝑜 system of linear equations.
• It has a solution with high probability (≈ 1 − 1/𝑞).
Slide 62
UOV Signature
• Oil variables not mixed.
Vinegar Oil
variables variables
𝒙𝟏 … 𝒙𝒗 … 𝒙𝒏
𝒙𝟏
𝐹 (𝑘) = ⋮ Vinegar variables
𝒙𝒗
0 ⋮ Oil variables
𝒙𝒏
Slide 63
Rainbow Signature
• Rainbow Quadratic Map
Slide 64
MQ Signatures
• UOV key sizes.
Scheme Public Key

(KiB)
113.4
99.4
77.7
66.7
14.5
11.0
10.2
Slide 65
•Technique for Key Size
Reduction
Slide 66
MQ Signatures - Cyclic UOV
• Technique for reduction of UOV public keys.
Slide 67
• Part of the public key with short representation.
Slide 68
• Part of the public key with short representation.
• Achieves a 6x reduction factor for 80-bit security.
Slide 69
Public matrix of coefficients 𝑀𝑃
𝑃(1)
𝑃(2) 𝑀𝑃 = ⋮
⋮
𝑚𝑥l ′
𝑃(𝑚)
𝑛 𝑛+1
l′ =
2
Slide 70
Public matrix of coefficients 𝑀𝑃
𝑀𝑃 = ⋮ = 𝐵 𝐶
𝑚𝑥l ′ 𝑚𝑥l ′
l l
𝑣 𝑣+1 𝑛 𝑛+1
l= + 𝑚𝑣, l′ =
2 2
Slide 71
Private matrix of coefficients 𝑀𝐹
1
𝐹
0 0
𝐹 2 𝑀𝐹 = ⋮
0
⋮ 0
𝑚𝑥l ′
l
𝑚
𝐹
0
𝑣 𝑣+1 𝑛 𝑛+1
l= + 𝑚𝑣, l′ =
2 2
Slide 72
Private matrix of coefficients 𝑀𝐹
0
𝑀𝐹 =
⋮
= 𝐹 0
0 𝑚𝑥l ′ 𝑚𝑥l ′
l l
𝑣 𝑣+1 𝑛 𝑛+1
l= + 𝑚𝑣, l′ =
2 2
Slide 73
• There is a linear relation between 𝐵 and 𝐹 which only depends
on 𝐵,𝐹 and 𝑆 [Petzoldt et. al, 2010]
𝐵 = 𝐹 ∙ 𝐴𝑈𝑂𝑉 (S)
𝑀𝑃 =
𝐵 𝐶 𝑟𝑠 𝑠𝑟𝑖 . 𝑠𝑠𝑖 , 𝑖=𝑗
𝑎𝑖𝑗 = 𝑠 .𝑠 + 𝑠 .𝑠 , 𝑖≠𝑗
𝑟𝑖 𝑠𝑗 𝑟𝑗 𝑠𝑖
l 𝑚𝑥l ′
1 ≤ 𝑖 ≤ 𝑣, 𝑖 ≤ 𝑗 ≤ 𝑛
1 ≤ 𝑟 ≤ 𝑣, 𝑟 ≤ 𝑠 ≤ 𝑛
𝑀𝐹 =
𝐹 0
l 𝑚𝑥l ′
Slide 74
By choosing 𝐴𝑈𝑂𝑉 (𝑆) invertible:
• 𝐹 can be computed from 𝐵 and 𝐴−1

𝑈𝑂𝑉
𝐹 = 𝐵 ∙ 𝐴−1
𝑈𝑂𝑉
Slide 75

𝑈𝑂𝑉
𝐹 = 𝐵 ∙ 𝐴−1
𝑈𝑂𝑉
• Thus, the choice of 𝐵 becomes flexible.
Slide 76

𝑈𝑂𝑉
𝐹 = 𝐵 ∙ 𝐴−1
𝑈𝑂𝑉

• In particular:
𝐵 = 0 does not result in a valid F,
𝐵 = Identity blocks, reveals too much info of 𝐴−1
𝑈𝑂𝑉 ,
𝐵 circulant was adopted by [Petzoldt et. al, 2010]
Slide 77

𝑈𝑂𝑉
𝐹 = 𝐵 ∙ 𝐴−1
𝑈𝑂𝑉

• In particular:
𝐵 = 0 does not result in a valid F,
𝐵 = Identity blocks, reveals too much info of 𝐴−1
𝑈𝑂𝑉 ,
𝐵 circulant was adopted by [Petzoldt et. al, 2010]
Petzoldt et. al. showed by theorem that the choice of a

circulant 𝐵 provides consistent UOV signatures.
Slide 78
Adopting 𝐵 circulant:
𝑀𝑃 =
𝐵 𝐶
⋮
l 𝑚𝑥l ′
𝑚𝑥l ′
l
⋯
𝒃 = (𝑏1 , ⋯ , 𝑏l )
|𝑴𝑷 | = l + 𝑚(l ′ − l)
Slide 79
𝑘
Public matrices 𝑃
1
𝑃
Slide 80
𝑘
2
𝑃
Slide 81
𝑘
3
𝑃
Slide 82
𝑘
4
𝑃
Slide 83
𝑘
Slide 84
Equivalent Keys in UOV
• Idea: Find equivalent private keys that enables solving any

given public key system.
Slide 85

• A class of equivalent private keys with a simpler structure.
Slide 86

• A class of equivalent private keys with a simpler structure.
• Thus, private keys can be built using this short structure.
Slide 87
• UOV public key:
𝑃(𝑖) = 𝑆𝐹 (𝑖) 𝑆 𝑇 , 1 ≤ 𝑖 ≤ 𝑚
Slide 88
• UOV public key:
𝑃(𝑖) = 𝑆𝐹 (𝑖) 𝑆 𝑇 , 1 ≤ 𝑖 ≤ 𝑚
• Question: Are there classes of keys 𝑆 ′ and 𝐹′ s.t.
(𝑖) 𝑇
𝑃(𝑖) = 𝑆𝐹 (𝑖) 𝑆 𝑇 = 𝑆 ′ 𝐹 ′ 𝑆 ′ , 1 ≤ 𝑖 ≤ 𝑚
(𝑖)
where matrices 𝐹 ′ share with 𝐹 (𝑖) the same trapdoor
structure?
Slide 89
• Idea: Introduce a matrix Ω in 𝑃(𝑖) :
𝑖 −1 𝑇
𝑃 = 𝑆Ω−1 Ω𝐹 𝑖 Ω𝑇 Ω𝑇 𝑆
• Define 𝐹 ′ 𝑖 ≔ Ω𝐹 (𝑖) Ω𝑇
Slide 90
• Idea: Introduce a matrix Ω in 𝑃(𝑖) :
𝑖 −1 𝑇
𝑃 = 𝑆Ω−1 Ω𝐹 𝑖 Ω𝑇 Ω𝑇 𝑆
• Define 𝐹 ′ 𝑖 ≔ Ω𝐹 (𝑖) Ω𝑇
• We want Ω that keeps the original 𝐹 structure in 𝐹′:

𝑣 𝑚 𝑣 𝑚 𝑣 𝑚
𝑣
Ω1 Ω2 𝐹1 𝐹2 Ω1𝑇
𝑣 𝑣
Ω𝑇3
=
Ω3 Ω4 𝑚 𝐹3 0 Ω𝑇2 Ω𝑇4 𝑚
𝜌 𝑚
Ω 𝐹 (𝑖) ΩT 𝐹′(𝑖)
Slide 91
• From the previous equality we obtain:
𝜌 = Ω3 𝐹1 + Ω4 𝐹3 Ω𝑇3 + Ω3 𝐹2 Ω𝑇4 = 0
and Ω3 = 0 is a solution.
𝑣 𝑚
𝑣
Ω1 Ω2
Ω=
𝑚
0 Ω4
Slide 92
• Thus, 𝐹′(𝑖) = Ω𝐹 (𝑖) Ω𝑇 has the same structure of 𝐹 𝑖 .
• Going back to definition

𝑖 −1 𝑇
𝑃 = 𝑆Ω−1 (Ω𝐹 𝑖 Ω𝑇 )Ω𝑇 𝑆
Slide 93

𝑖 −1 𝑇
𝑃 = 𝑆Ω−1 (𝐹′(𝑖) )Ω𝑇 𝑆
Slide 94

𝑖 −1 𝑇
𝑃 = 𝑆Ω−1 (𝐹′(𝑖) )Ω𝑇 𝑆
• So, defining 𝑆 ′ ≔ 𝑆Ω−1 one finally gets:

𝑖
𝑃 = 𝑆 ′ 𝐹 ′(𝑖) 𝑆 ′𝑇
Slide 95
𝑣 𝑚
−1
ΩΩ1−1 −1 𝑣
Ω−1
𝑆1 𝑆2 1 Ω 2
2
𝑆 ′ = 𝑆Ω−1 =
−1
𝑆3 𝑆4 0 Ω−1 𝑚
Ω4
4
𝑆 Ω−1
• Note that Ω−1 has the same structure of Ω.
Slide 96
• By choosing suitable values of Ω𝑖−1 , it is possible to get:
𝑆1′ = 𝐼𝑣𝑥𝑣
𝑆2′ = 0𝑣𝑥𝑚
𝑆4′ = 𝐼𝑚𝑥𝑚
what implies
𝑆3′ = 𝑆3 𝑆1−1 𝑆 2 𝑆1−1 + 𝑆4 (𝑆4 − 𝑆3 𝑆1−1 𝑆2 )−1
Slide 97
• Structure of 𝑆′:
𝑚 𝑣
𝑚
𝑆′ =
𝑆3′ 𝑣
Slide 98
• Structure of 𝑆′:
𝑚 𝑣
𝑚
𝑆′ =
𝑆3′ 𝑣
(𝑖)
• So, the answer is yes, there exist equivalent 𝑆 ′ , 𝐹 ′ s.t.
(𝑖)
𝑆 ′ 𝐹 ′ (𝑆 ′ )𝑇 = (𝑆Ω−1 ) Ω𝐹 𝑖 Ω𝑇 𝑆Ω−1 𝑇 =𝑃 𝑖
(𝑖)
and 𝐹 ′ have the desired trapdoor structure.
Slide 99
Recap. MQ Schemes
Slide 100
Thanks!
Questions?
Slide 101

Introduction To Multivariate Public Key Cryptography: Geovandro Carlos C. F. Pereira

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introduction To Multivariate Public Key Cryptography: Geovandro Carlos C. F. Pereira

Uploaded by

Copyright:

Available Formats

Introduction to Multivariate Public

LARC - Computer Architecture and Networking Lab

Sensor node Arduino

Sensor node Arduino

• Need for alternatives!

• Multivariate Quadratic (MQ)

• Notation: the public key is given as:

• To decrypt one needs to know a trapdoor so that it is

• Private Key: a trapdoor for computing 𝑃−1 .

• Private Key: a trapdoor for computing 𝑃−1 .

• Sign: given a hash (ℎ1 , ⋯ , ℎ𝑚 ), compute

• Private Key: a trapdoor for computing 𝑃−1 .

• Sign: given a hash (ℎ1 , ⋯ , ℎ𝑚 ), compute

• Private Key: a trapdoor for computing 𝑃−1 .

• Sign: given a hash (ℎ1 , ⋯ , ℎ𝑚 ), compute

• All vars. and coeffs. are in the small field 𝑘.

• Direct attack is to solve the set of equations:

• Direct attack is to solve the set of equations:

• Solving a set of 𝑚 randomly chosen (nonlinear) equations

• Direct attack is to solve the set of equations:

• Solving a set of 𝑚 randomly chosen (nonlinear) equations

• But this does not necessarily ensure the security of the

• Most of the schemes do not use exactly random maps.

• Most of the schemes do not use exactly random maps.

• Most of the schemes do not use exactly random maps.

• 𝐹 is a quadratic map with certain structure. (central map)

• Most of the schemes do not use exactly random maps.

• 𝐹 is a quadratic map with certain structure. (central map)

• Most of the schemes do not use exactly random maps.

• 𝐹 is a quadratic map with certain structure. (central map)

• MQ-Problem: Given a set of 𝑚 quadratic polynomials in 𝑛

• MQ-Problem: Given a set of 𝑚 quadratic polynomials in 𝑛

• IP-Problem: Given two polynomial maps 𝐹1 , 𝐹2 : 𝐾 𝑛 ⟶ 𝐾 𝑚 .

• Previously, many unsuccesfull attempts to construct an

• In 1988, Matsumoto and Imai adopted a “Big” Field in their

• Build a map 𝐹 over 𝐾 :

where the 𝐿𝑖 are randomly chosen invertible maps over 𝑘 𝑛

• Build a map 𝐹 over 𝐾 :

where the 𝐿𝑖 are randomly chosen invertible maps over 𝑘 𝑛

• 𝐹𝑖 are quadratic polynomials because the map

• Decryption is the inverse process

• 𝐹 −1 𝑋 = 𝑋 𝑡 , 𝑋 ∈ 𝐾 where 𝑡 × 𝑞 𝜃 + 1 ≡ 1 𝑚𝑜𝑑(𝑞 𝑛 − 1).

• This becomes an 𝑜𝑥𝑜 system of linear equations.

• This becomes an 𝑜𝑥𝑜 system of linear equations.

• It has a solution with high probability (≈ 1 − 1/𝑞).

• Oil variables not mixed.

𝐹 (𝑘) = ⋮ Vinegar variables

• Rainbow Quadratic Map

Scheme Public Key

• Technique for reduction of UOV public keys.

• Technique for reduction of UOV public keys.

• Part of the public key with short representation.

• Technique for reduction of UOV public keys.

• Part of the public key with short representation.

• Achieves a 6x reduction factor for 80-bit security.

• 𝐹 can be computed from 𝐵 and 𝐴−1

• 𝐹 can be computed from 𝐵 and 𝐴−1

• Thus, the choice of 𝐵 becomes flexible.

• 𝐹 can be computed from 𝐵 and 𝐴−1

• Thus, the choice of 𝐵 becomes flexible.

• 𝐹 can be computed from 𝐵 and 𝐴−1

• Thus, the choice of 𝐵 becomes flexible.

Petzoldt et. al. showed by theorem that the choice of a