
Key Cryptography

Geovandro Carlos C. F. Pereira

PhD advisor: Prof. Dr. Paulo S. L. M. Barreto

Department of Computer Engineering and Digital Systems

Escola Politécnica

University of Sao Paulo

Slide 1

Agenda

• Motivation to Post-Quantum Crypto

• Introduction to MPKC

• Matsumoto-Imai Encryption

• UOV Signature

• Technique for Key Size Reduction

• Security Analysis

Slide 2

Motivation

Internet of Things (IoT)

Any object connected to the internet

Slide 3

Motivation

• Typical Platforms

  Smartcard (Java Card)

• Resources
  • Instruction set of 8, 16 or 32 bits
  • Small amount of RAM (2-8 KiB) and ROM (32-128 KiB)
  • Low clock: 5-40 MHz
  • Energy is expensive

Slides 4-5

Motivation

• Symmetric Crypto: ok

• Conventional Asymmetric Cryptography: bottleneck

  Security relies on a few computational problems.

  “Complex” operations (e.g. multiple-precision arithmetic).

  Threats in the medium and long term:

  • Shor [1997]

    Quantum algorithm for DLP and IFP

  • Barbulescu, Joux, ... [2013]

    Conventional algorithms for DLP over binary fields in quasi-polynomial time

    End of pairings over binary fields (it was the most suitable for WSNs)

Slides 6-11

Motivation

• Post-Quantum Cryptography

  Cryptosystems that resist quantum algorithms.

  Main lines of research:

  • Hash-based
    • Very efficient, large signatures.
  • Code-based
    • Public Key Encryption schemes
    • Signatures (one-time, large keys)
  • Lattice-based
    • Encryption, Digital signatures, FHE
  • Multivariate-based
    • Some digital signature schemes are robust (original UOV, 14 years)
    • Most of the encryption constructions were broken (Jintai has a new perspective about it)

Slides 12-16

Motivation

• Conventional Public Key Cryptography
  • Needs coprocessors in smartcards.
  • Low flexibility for use or optimizations.

• Advantages of MPKC
  • Simplicity of operations (matrices and vectors).
  • Small fields avoid multiple-precision arithmetic.
  • Long-term security (prevention against spying).
  • Efficiency: signature generation in 804 cycles by Ding [ASAP 2008].

• Main Challenge
  • Relatively large key sizes.

Slides 17-19

• MPKC Constructions

Slide 20

Multivariate Public Key Cryptography

• Basic Property:
  • Cryptosystems whose public keys are a set of multivariate polynomials.

$$P(x_1, \cdots, x_n) = \big(p_1(x_1, \cdots, x_n),\; p_2(x_1, \cdots, x_n),\; \cdots,\; p_m(x_1, \cdots, x_n)\big)$$

Slides 21-22

MPKC Encryption

• Given a plaintext $M = (x_1, \cdots, x_n)$.

• Ciphertext is simply a polynomial evaluation:

$$P(M) = \big(p_1(x_1, \cdots, x_n), \cdots, p_m(x_1, \cdots, x_n)\big) = (c_1, \cdots, c_m)$$

• Decryption: with the private trapdoor it is feasible to invert the quadratic map to find the plaintext:

$$(x_1, \cdots, x_n) = P^{-1}(c_1, \cdots, c_m)$$

Slides 23-25

MPKC Signature

• Public Key:

$$P(x_1, \cdots, x_n) = \big(p_1(x_1, \cdots, x_n), \cdots, p_m(x_1, \cdots, x_n)\big)$$

• Sign (with the private trapdoor), for the digest $(h_1, \cdots, h_m)$:

$$(x_1, \cdots, x_n) = P^{-1}(h_1, \cdots, h_m)$$

• Verify: $(h_1, \cdots, h_m) = P(x_1, \cdots, x_n)$

Slides 26-30

Security

$$P(M) = \big(p_1(x_1, \cdots, x_n), \cdots, p_m(x_1, \cdots, x_n)\big) = (c_1, \cdots, c_m)$$

• Solving a random system of $m$ quadratic equations with $n$ variables is NP-complete.

systems.

Slides 31-34

Security

• Many systems have the structure

$$P(x_1, \cdots, x_n) = L_1 \circ F \circ L_2\,(x_1, \cdots, x_n)$$

• This structure enables computing $F^{-1}$ easily.

• $L_1$ and $L_2$ are full-rank linear maps used to hide $F$.

Slides 35-38

Security

• MQ Problem: given $m$ quadratic polynomials $p_1, \cdots, p_m$ in the $n$ variables $x = (x_1, \cdots, x_n)$, solve the system:

$$p_1(x) = \cdots = p_m(x) = 0$$

• IP (Isomorphism of Polynomials) Problem: look for two linear transformations $L_1$ and $L_2$ (if they exist) s.t.:

$$F_1(x_1, \cdots, x_n) = L_1 \circ F \circ L_2\,(x_1, \cdots, x_n)$$

Slides 39-40

Multivariate Quadratic Construction

• MQ system with $m$ equations in $n$ vars, all coefs. in $\mathbb{F}_q$:

Polynomial notation:

$$p_k(x_1, \ldots, x_n) := \sum_{i,j} P^{(k)}_{ij}\, x_i x_j + \sum_i L^{(k)}_i\, x_i + c^{(k)}$$

Vector notation:

$$p_k(x_1, \ldots, x_n) = x\, P^{(k)} x^T + L^{(k)} x + c^{(k)}$$

(Pure) Quadratic Map

$$\mathcal{P}(x) = h \iff x\, P^{(k)} x^T = h_k \quad (k = 1, \ldots, m)$$

(Figure: the row vector $x$, the coefficient matrix $P^{(k)}$ and the column vector $x^T$ multiplied to give the scalar $h_k$.)

Slides 41-42

Matsumoto-Imai Cryptosystem

encryption scheme.

• Small number of variables.

• Huge key sizes.

C* construction.

Slide 43

Matsumoto-Imai Cryptosystem

• $k$ is a small finite field with $|k| = q$.

• $K = k[x]/(g(x))$ a degree $n$ extension of $k$.

• The linear map $\phi : K \to k^n$ and $\phi^{-1} : k^n \to K$:

$$\phi(a_0 + a_1 x + \cdots + a_{n-1} x^{n-1}) = (a_0, a_1, \cdots, a_{n-1})$$

• Public map:

$$\bar{F} = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$$

• Inversion of $\bar{F}$ is related to the IP Problem

Slides 44-48

Matsumoto-Imai Cryptosystem

• The map $F$ adopted was:

$$F : K \to K, \qquad X \mapsto X^{q^{\theta} + 1}$$

• Let

$$\tilde{F}(x_1, \cdots, x_n) = \phi \circ F \circ \phi^{-1}(x_1, \cdots, x_n) = \big(\tilde{F}_1(x_1, \cdots, x_n), \cdots, \tilde{F}_m(x_1, \cdots, x_n)\big)$$

• $X \mapsto X^{q^{\theta}}$ is linear (it is the Frobenius automorphism of order $\theta$).

Slides 49-51

Matsumoto-Imai Cryptosystem

• Encryption is done by the quadratic map over $k^n$

$$\bar{F} = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$$

where $L_i$ are affine maps over $k^n$.

• Decryption:

$$\bar{F}^{-1} = L_2^{-1} \circ \phi \circ F^{-1} \circ \phi^{-1} \circ L_1^{-1}$$

Slides 52-53

Matsumoto-Imai Cryptosystem

• Requirement: $\gcd(q^{\theta} + 1,\; q^n - 1) = 1$, to ensure the invertibility of the decryption map $F^{-1}$.

• The public key includes $k$ and $\bar{F} = (\bar{F}_1, \cdots, \bar{F}_n)$.

• The private key includes $L_1$, $L_2$ and $K$.

Slides 54-55
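The central map of the Matsumoto-Imai slides, worked as an added example that is not code from the slides or from the author. The toy field (q = 2, n = 6, g(x) = x^6 + x + 1) and the function names are choices made here, and the affine maps L1, L2 are left out so that only F, its inverse exponent and the gcd requirement are exercised. With n = 6 the group order q^n - 1 = 63 makes the requirement visible: for theta = 1 and theta = 3 the exponent q^theta + 1 shares a factor with 63 and F is not a bijection, while theta = 2 gives an invertible map. The last function checks that X -> X^(q^theta) is additive, which is why F is quadratic over k.

```python
from math import gcd

# Toy field chosen for this example: q = 2, n = 6, K = GF(2)[x]/(x^6 + x + 1).
# An element a_0 + a_1 x + ... + a_5 x^5 is stored as the 6-bit integer with bits
# a_0 ... a_5, which is exactly the coordinate vector phi(a) of the slides.
Q, N = 2, 6
MODULUS = 0b1000011          # g(x) = x^6 + x + 1, irreducible over GF(2)
ORDER = Q ** N - 1           # size of the multiplicative group K*

def gf_mul(a: int, b: int) -> int:
    """Multiply in K: carry-less multiply with reduction modulo g(x) on every shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= MODULUS
    return r

def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in K."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def mi_exponent(theta: int) -> int:
    return Q ** theta + 1

def mi_is_bijective(theta: int) -> bool:
    """The slides' requirement gcd(q^theta + 1, q^n - 1) = 1."""
    return gcd(mi_exponent(theta), ORDER) == 1

def mi_central_map(x: int, theta: int) -> int:
    """F : K -> K, X -> X^(q^theta + 1)."""
    return gf_pow(x, mi_exponent(theta))

def mi_invert(y: int, theta: int) -> int:
    """F^{-1}: raise to h = (q^theta + 1)^{-1} mod (q^n - 1), which exists iff the gcd is 1."""
    if not mi_is_bijective(theta):
        raise ValueError("q^theta + 1 is not invertible modulo q^n - 1")
    return gf_pow(y, pow(mi_exponent(theta), -1, ORDER))

def image_size(theta: int) -> int:
    """Number of distinct outputs of F over all of K; equals 2^n only when F is a bijection."""
    return len({mi_central_map(x, theta) for x in range(1 << N)})

def frobenius_is_additive(theta: int) -> bool:
    """X -> X^(q^theta) respects addition, i.e. it is k-linear, so F = (that map) * X is quadratic."""
    e = Q ** theta
    return all(gf_pow(x ^ y, e) == gf_pow(x, e) ^ gf_pow(y, e)
               for x in range(1 << N) for y in range(1 << N))

if __name__ == "__main__":
    for theta in (1, 2, 3):
        print(f"theta={theta}: invertible={mi_is_bijective(theta)} image={image_size(theta)}/64")
    x = 0b101101
    print("round trip ok:", mi_invert(mi_central_map(x, 2), 2) == x)
```

Running the script lists, for each theta, whether the gcd requirement holds and how many of the 64 field elements F actually reaches; only theta = 2 reaches all 64, and only for that case does the decryption exponent exist.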

UOV Signature

• Trapdoor to invert $F$ [Patarin]

• $h = Hash(M)$

• Split vars. into 2 sets: oil variables $O := (x_1, \cdots, x_o)$, vinegar variables $V := (x'_1, \ldots, x'_v)$

$$f_k(x_1, \cdots, x_o, x'_1, \ldots, x'_v) = h_k = \sum_{O \times V} F^{(k)}_{ij}\, x_i x'_j + \sum_{V \times V} F^{(k)}_{ij}\, x'_i x'_j + \sum_{O} L^{(k)}_i\, x_i + \sum_{V} L^{(k)}_i\, x'_i + c^{(k)}$$

• Choose the vinegars $V := (x'_1, \ldots, x'_v)$ uniformly at random and fix them.

• With the vinegars fixed, every $f_k$ is linear in the oil variables (there are no oil × oil terms), so the oils are found by solving a linear system.

(Figure: coefficient matrix of $f_k$ with rows and columns indexed by $x_1 \ldots x_v$ (vinegar variables) and $x_{v+1} \ldots x_n$ (oil variables); the oil × oil block is $0$.)

Slides 56-62

Rainbow Signature

Slide 64

MQ Signatures

• UOV key sizes (chart, in KiB; bar values as extracted: 113.4, 99.4, 77.7, 66.7, 14.5, 11.0, 10.2; the parameter labels of the bars were not extracted).

Slide 64

• Technique for Key Size Reduction

Slide 65

MQ Signatures - Cyclic UOV

Public matrix of coefficients $M_P$ ($m \times l'$), one row per public polynomial:

$$M_P = \begin{pmatrix} P^{(1)} \\ P^{(2)} \\ \vdots \\ P^{(m)} \end{pmatrix} = \big(\, B \;\big|\; C \,\big), \qquad l' = \frac{n(n+1)}{2}$$

where $B$ is $m \times l$, $C$ is $m \times (l' - l)$ and

$$l = \frac{v(v+1)}{2} + mv$$

Slides 66-70

MQ Signatures - Cyclic UOV

Private matrix of coefficients $M_F$ ($m \times l'$):

$$M_F = \begin{pmatrix} F^{(1)} & 0 \\ F^{(2)} & 0 \\ \vdots & \vdots \\ F^{(m)} & 0 \end{pmatrix} = \big(\, F \;\big|\; 0 \,\big), \qquad l = \frac{v(v+1)}{2} + mv, \quad l' = \frac{n(n+1)}{2}$$

where $F$ is $m \times l$: the last $l' - l$ columns (the oil × oil monomials) are zero.

Slides 71-72

MQ Signatures - Cyclic UOV

• There is a linear relation between $B$ and $F$ which only depends on $B$, $F$ and $S$ [Petzoldt et al., 2010]:

$$B = F \cdot A_{UOV}(S)$$

with $M_P = (B \mid C)$, $M_F = (F \mid 0)$, and the $l \times l$ matrix $A_{UOV}(S) = (a_{ij})$ given by

$$a_{ij} = \begin{cases} s_{ri} \cdot s_{si}, & i = j \\ s_{ri} \cdot s_{sj} + s_{rj} \cdot s_{si}, & i \neq j \end{cases}$$

where the entries are indexed by the monomial pairs $(r, s)$ with $1 \le r \le v,\; r \le s \le n$ and $(i, j)$ with $1 \le i \le v,\; i \le j \le n$.

Slide 73

MQ Signatures - Cyclic UOV

By choosing $A_{UOV}(S)$ invertible:

$$F = B \cdot A_{UOV}^{-1}$$

• In particular:
  • $B = 0$ does not result in a valid $F$,
  • $B$ = identity blocks reveals too much info of $A_{UOV}^{-1}$,
  • $B$ circulant was adopted by [Petzoldt et al., 2010]; a circulant $B$ provides consistent UOV signatures.

Slides 74-77

MQ Signatures - Cyclic UOV

Adopting $B$ circulant, $M_P = (B \mid C)$ with $B$ ($m \times l$) generated from the single vector $\mathbf{b} = (b_1, \cdots, b_l)$, each row being a cyclic shift of $\mathbf{b}$, so the public key size in field elements becomes

$$|M_P| = l + m(l' - l)$$

Slide 78

MQ Signatures - Cyclic UOV

(Figures: the public matrices $P^{(k)}$, shown for $P^{(1)}$, $P^{(2)}$, $P^{(3)}$ and $P^{(4)}$.)

Slides 79-83

Equivalent Keys in UOV

• Question: are there other (equivalent) private keys for a given public key system?

• UOV public key:

$$P^{(i)} = S F^{(i)} S^T, \quad 1 \le i \le m$$

• Do there exist $S'$ and $F'^{(i)}$ such that

$$P^{(i)} = S F^{(i)} S^T = S' F'^{(i)} S'^T, \quad 1 \le i \le m$$

where the matrices $F'^{(i)}$ share with $F^{(i)}$ the same trapdoor structure?

Slides 84-88

Equivalent Keys in UOV

• Idea: Introduce a matrix $\Omega$ in $P^{(i)}$:

$$P^{(i)} = S \Omega^{-1} \left(\Omega F^{(i)} \Omega^T\right) (\Omega^T)^{-1} S^T$$

• Define $F'^{(i)} := \Omega F^{(i)} \Omega^T$. In blocks ($v$ vinegar and $m$ oil rows/columns):

$$\Omega F^{(i)} \Omega^T = \begin{pmatrix} \Omega_1 & \Omega_2 \\ \Omega_3 & \Omega_4 \end{pmatrix} \begin{pmatrix} F_1 & F_2 \\ F_3 & 0 \end{pmatrix} \begin{pmatrix} \Omega_1^T & \Omega_3^T \\ \Omega_2^T & \Omega_4^T \end{pmatrix} = \begin{pmatrix} \ast & \ast \\ \ast & \rho \end{pmatrix} = F'^{(i)}$$

• The oil × oil block of $F'^{(i)}$ is

$$\rho = (\Omega_3 F_1 + \Omega_4 F_3)\, \Omega_3^T + \Omega_3 F_2\, \Omega_4^T = 0$$

and $\Omega_3 = 0$ is a solution:

$$\Omega = \begin{pmatrix} \Omega_1 & \Omega_2 \\ 0 & \Omega_4 \end{pmatrix}$$

Slides 89-91

Equivalent Keys in UOV

• Thus, $F'^{(i)} = \Omega F^{(i)} \Omega^T$ has the same structure as $F^{(i)}$.

$$P^{(i)} = S \Omega^{-1} \left(\Omega F^{(i)} \Omega^T\right) (\Omega^T)^{-1} S^T = S \Omega^{-1} \left(F'^{(i)}\right) (\Omega^T)^{-1} S^T = S' F'^{(i)} S'^T$$

• with

$$S' = S \Omega^{-1} = \begin{pmatrix} S_1 & S_2 \\ S_3 & S_4 \end{pmatrix} \begin{pmatrix} \Omega_1^{-1} & -\Omega_1^{-1} \Omega_2 \Omega_4^{-1} \\ 0 & \Omega_4^{-1} \end{pmatrix}$$

Slides 92-95

Equivalent Keys in UOV

• By choosing suitable values of $\Omega_i^{-1}$, it is possible to get:

$$S'_1 = I_{v \times v}, \qquad S'_2 = 0_{v \times m}, \qquad S'_4 = I_{m \times m}$$

which implies the structure of $S'$:

$$S' = \begin{pmatrix} I_{v \times v} & 0_{v \times m} \\ S'_3 & I_{m \times m} \end{pmatrix}$$

• So, the answer is yes: there exist equivalent $S'$, $F'^{(i)}$ s.t.

$$S' F'^{(i)} (S')^T = (S \Omega^{-1}) \left(\Omega F^{(i)} \Omega^T\right) (S \Omega^{-1})^T = P^{(i)}$$

and the $F'^{(i)}$ have the desired trapdoor structure.

Slides 96-98

Recap. MQ Schemes

Slide 100

Thanks!

Questions?

Slide 101
