Key Cryptography
Geovandro Carlos C. F. Pereira
PhD advisor: Prof. Dr. Paulo S. L. M. Barreto
Slide 1
Agenda
• Motivation to Post-Quantum Crypto
• Introduction to MPKC
• Matsumoto-Imai Encryption
• UOV Signature
• Technique for Key Size Reduction
• Security Analysis
Slide 2
Motivation
Internet of Things (IoT)
Any object connected to the internet
Slide 3
Motivation
• Typical Platforms
• Resources
• Instruction set of 8, 16 or 32 bits
• Small amount of RAM (2-8 KiB) and ROM (32-128 KiB)
• Low clock: 5-40 MHz
• Energy is expensive
Slide 5
Motivation
• Symmetric Crypto: ok
• Conventional Asymmetric Cryptography: bottleneck
Security relies on a few computational problems.
“Complex” operations (e.g. multiple-precision arithmetic).
Threats in the medium and long term:
• Shor [1997]
Quantum algorithm for DLP and IFP
• Barbulescu, Joux, ... [2013]
Conventional algorithms for DLP over binary fields in quasi-polynomial time
End of pairings over binary fields (they were the most suitable for WSNs)
Slide 10
Motivation
• Post-Quantum Cryptography
Cryptosystems that resist quantum algorithms.
Main lines of research:
• Hash-based
• Very efficient, large signatures.
• Code-based
• Public Key Encryption schemes
• Signatures (one-time, large keys)
• Lattice-based
• Encryption, Digital signatures, FHE
Slide 14
Motivation
• Conventional Public Key Cryptography
• Need coprocessors in smartcards.
• Low flexibility for use or optimizations.
• Advantages of MPKC
• Simplicity of Operations (matrices and vectors).
• Small fields avoid multiple-precision arithmetic.
• Long-term security (prevention against spying).
• Efficiency
Signature generation in 804 cycles by Ding [ASAP 2008].
• Main Challenge
• Relatively large key sizes.
Slide 19
• MPKC Constructions
Slide 20
Multivariate Public Key Cryptography
• Basic Property:
• Cryptosystems whose public keys are a set of multivariate polynomials:
$P(x_1,\cdots,x_n) = \big(p_1(x_1,\cdots,x_n),\ p_2(x_1,\cdots,x_n),\ \cdots,\ p_m(x_1,\cdots,x_n)\big)$
Slide 21
MPKC Encryption
• Given a plaintext $M = (x_1,\cdots,x_n)$.
• Ciphertext is simply a polynomial evaluation:
$P(M) = \big(p_1(x_1,\cdots,x_n),\ \cdots,\ p_m(x_1,\cdots,x_n)\big) = (c_1,\cdots,c_m)$
• Decryption inverts the map:
$(x_1,\cdots,x_n) = P^{-1}(c_1,\cdots,c_m)$
Slide 24
MPKC Signature
• Public Key:
$P(x_1,\cdots,x_n) = \big(p_1(x_1,\cdots,x_n),\ \cdots,\ p_m(x_1,\cdots,x_n)\big)$
• Sign: $(x_1,\cdots,x_n) = P^{-1}(h_1,\cdots,h_m)$
• Verify: $(h_1,\cdots,h_m) = P(x_1,\cdots,x_n)$
Slide 28
Security
$P(M) = \big(p_1(x_1,\cdots,x_n),\ \cdots,\ p_m(x_1,\cdots,x_n)\big) = (c_1,\cdots,c_m)$
Slide 30
Security
$P(x_1,\cdots,x_n) = L_1 \circ F \circ L_2\,(x_1,\cdots,x_n)$
Slide 34
Security
$p_1(x) = \cdots = p_m(x) = 0$
$F_1(x_1,\cdots,x_n) = L_1 \circ F \circ L_2\,(x_1,\cdots,x_n)$
Slide 39
Multivariate Quadratic Construction
• MQ system with $m$ equations in $n$ variables, all coefficients in $\mathbb{F}_q$:
Polynomial notation:
$p_k(x_1,\ldots,x_n) := \sum_{i,j} P^{(k)}_{ij}\, x_i x_j + \sum_i L^{(k)}_i\, x_i + c^{(k)}$
Vector notation:
$p_k(x_1,\ldots,x_n) = x\,P^{(k)}\,x^T + L^{(k)} x + c^{(k)}$
Slide 40
(Pure) Quadratic Map
$\mathcal{P}(x) = h \;\Leftrightarrow\; x\,P^{(k)}\,x^T = h_k \quad (k = 1,\ldots,m)$
(picture: the row vector $x$ times the matrix $P^{(k)}$ times the column vector $x^T$ gives the scalar $h_k$)
Slide 41
Matsumoto-Imai Cryptosystem
• $k$ is a small finite field with $|k| = q$.
• $K = k[x]/(g(x))$, a degree-$n$ extension of $k$.
• The linear map $\phi: K \to k^n$ and its inverse $\phi^{-1}: k^n \to K$:
$\phi(a_0 + a_1 x + \cdots + a_{n-1} x^{n-1}) = (a_0, a_1, \cdots, a_{n-1})$
$P = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$
Slide 46
Matsumoto-Imai Cryptosystem
• The map $F$ adopted was:
$F: K \longrightarrow K, \qquad X \longmapsto X^{q^{\theta}+1}$
• Let
$\bar{F}(x_1,\cdots,x_n) = \phi \circ F \circ \phi^{-1}(x_1,\cdots,x_n) = \big(F_1(x_1,\cdots,x_n),\ \cdots,\ F_m(x_1,\cdots,x_n)\big)$
Slide 49
Matsumoto-Imai Cryptosystem
• Encryption is done by the quadratic map over $k^n$
$P = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$
where the $L_i$ are affine maps over $k^n$.
Slide 51
Matsumoto-Imai Cryptosystem
• Requirement: $\gcd(q^{\theta} + 1,\ q^n - 1) = 1$
to ensure the invertibility of the decryption map $F^{-1}$
Slide 53
UOV Signature
• Trapdoor to invert $F$ [Patarin]
• $h = \mathrm{Hash}(M)$
• Split the variables into 2 sets: oil variables $O := (x_1, \cdots, x_o)$ and vinegar variables $V := (x'_1, \ldots, x'_v)$:
$f_k(x_1,\cdots,x_o,x'_1,\ldots,x'_v) = h_k = \sum_{O \times V} F^{(k)}_{ij}\, x_i x'_j + \sum_{V \times V} F^{(k)}_{ij}\, x'_i x'_j + \sum_{O} L^{(k)}_i\, x_i + \sum_{V} L^{(k)}_i\, x'_i + c^{(k)}$
Slide 58
UOV Signature
• Choose the vinegars uniformly at random: $V := (x'_1, \ldots, x'_v)$
• Fix the vinegars. There is no oil $\times$ oil term, so with $x'_1, \ldots, x'_v$ fixed each $f_k$ is affine in the oil variables, and the $m$ equations $f_k = h_k$ are solved for the oils by linear algebra:
$f_k(x_1,\cdots,x_o,x'_1,\ldots,x'_v) = \sum_{O \times V} F^{(k)}_{ij}\, x_i x'_j + \sum_{V \times V} F^{(k)}_{ij}\, x'_i x'_j + \sum_{O} L^{(k)}_i\, x_i + \sum_{V} L^{(k)}_i\, x'_i + c^{(k)}$
Slide 61
UOV Signature
• Trapdoor to invert $F$ [Patarin]
(picture: the $n \times n$ coefficient matrix with rows and columns indexed by $x_1 \ldots x_v \ldots x_n$, vinegar variables first and then oil variables; the oil $\times$ oil block is 0)
Slide 62
Rainbow Signature
Slide 64
MQ Signatures
• UOV key sizes.
Slide 65
• Technique for Key Size Reduction
Slide 65
MQ Signatures - Cyclic UOV
Slide 67
MQ Signatures - Cyclic UOV
Public matrix of coefficients $M_P$ ($m \times l'$, one row of coefficients per public polynomial):
$M_P = \begin{pmatrix} P^{(1)} \\ P^{(2)} \\ \vdots \\ P^{(m)} \end{pmatrix}, \qquad l' = \frac{n(n+1)}{2}$
Slide 69
MQ Signatures - Cyclic UOV
Public matrix of coefficients $M_P$, split into its first $l$ columns $B$ and the remaining $l' - l$ columns $C$:
$M_P = \begin{pmatrix} P^{(1)} \\ \vdots \\ P^{(m)} \end{pmatrix} = \big(\, B \mid C \,\big)$, with $M_P$ of size $m \times l'$ and $B$ of size $m \times l$,
$l = \frac{v(v+1)}{2} + mv, \qquad l' = \frac{n(n+1)}{2}$
Slide 70
MQ Signatures - Cyclic UOV
Private matrix of coefficients $M_F$ ($m \times l'$): the last $l' - l$ columns are zero, since the oil $\times$ oil monomials have no coefficients in the central map:
$M_F = \begin{pmatrix} F^{(1)} & 0 \\ F^{(2)} & 0 \\ \vdots & \vdots \\ F^{(m)} & 0 \end{pmatrix} = \big(\, F \mid 0 \,\big)$, with $F$ of size $m \times l$,
$l = \frac{v(v+1)}{2} + mv, \qquad l' = \frac{n(n+1)}{2}$
Slide 72
MQ Signatures - Cyclic UOV
• There is a linear relation between $B$ and $F$ which depends only on $B$, $F$ and $S$ [Petzoldt et al., 2010]:
$B = F \cdot A_{UOV}(S)$
with $M_P = (\, B \mid C \,)$ and $M_F = (\, F \mid 0 \,)$, both $m \times l'$, and $A_{UOV}(S)$ the $l \times l$ matrix with entries (rows indexed by the pairs $(r,s)$, columns by the pairs $(i,j)$)
$a_{ij} = \begin{cases} s_{ri} \cdot s_{si}, & i = j \\ s_{ri} \cdot s_{sj} + s_{rj} \cdot s_{si}, & i \neq j \end{cases} \qquad 1 \le i \le v,\ i \le j \le n; \quad 1 \le r \le v,\ r \le s \le n$
Slide 73
MQ Signatures - Cyclic UOV
By choosing $A_{UOV}(S)$ invertible:
$F = B \cdot A_{UOV}^{-1}$
Slide 74
MQ Signatures - Cyclic UOV
Adopting $B$ circulant, generated by the vector $\boldsymbol{b} = (b_1, \cdots, b_l)$ (each row is a rotation of the previous one):
$M_P = \big(\, B \mid C \,\big)$, $B$ of size $m \times l$, $M_P$ of size $m \times l'$
$|M_P| = l + m(l' - l)$
Slide 78
MQ Signatures - Cyclic UOV
Public matrices $P^{(k)}$ (the slides show pictures of $P^{(1)}$, $P^{(2)}$, $P^{(3)}$ and $P^{(4)}$)
Slide 83
Equivalent Keys in UOV
Slide 85
Equivalent Keys in UOV
• UOV public key:
$P^{(i)} = S F^{(i)} S^T, \quad 1 \le i \le m$
• Are there other pairs giving the same public key,
$P^{(i)} = S F^{(i)} S^T = S' F'^{(i)} S'^T, \quad 1 \le i \le m,$
where the matrices $F'^{(i)}$ share with $F^{(i)}$ the same trapdoor structure?
Slide 88
Equivalent Keys in UOV
• Idea: introduce a matrix $\Omega$ in $P^{(i)}$:
$P^{(i)} = S\Omega^{-1}\,\big(\Omega F^{(i)} \Omega^T\big)\,(\Omega^T)^{-1} S^T$
• Define $F'^{(i)} := \Omega F^{(i)} \Omega^T$
$\underbrace{\begin{pmatrix} \Omega_1 & \Omega_2 \\ \Omega_3 & \Omega_4 \end{pmatrix}}_{\Omega}\ \underbrace{\begin{pmatrix} F_1 & F_2 \\ F_3 & 0 \end{pmatrix}}_{F^{(i)}}\ \underbrace{\begin{pmatrix} \Omega_1^T & \Omega_3^T \\ \Omega_2^T & \Omega_4^T \end{pmatrix}}_{\Omega^T} = \underbrace{\begin{pmatrix} \cdot & \cdot \\ \cdot & \rho \end{pmatrix}}_{F'^{(i)}}$ (blocks of sizes $v$ and $m$)
Slide 90
Equivalent Keys in UOV
$\rho = (\Omega_3 F_1 + \Omega_4 F_3)\,\Omega_3^T + \Omega_3 F_2\,\Omega_4^T = 0$
and $\Omega_3 = 0$ is a solution:
$\Omega = \begin{pmatrix} \Omega_1 & \Omega_2 \\ 0 & \Omega_4 \end{pmatrix}$ (blocks of sizes $v$ and $m$)
Slide 91
Equivalent Keys in UOV
• Thus, $F'^{(i)} = \Omega F^{(i)} \Omega^T$ has the same structure as $F^{(i)}$.
Slide 92
Equivalent Keys in UOV
$S' = S\Omega^{-1} = \begin{pmatrix} S_1 & S_2 \\ S_3 & S_4 \end{pmatrix} \begin{pmatrix} \Omega_1^{-1} & \Omega_2^{-1} \\ 0 & \Omega_4^{-1} \end{pmatrix}$ (blocks of sizes $v$ and $m$; $\Omega_i^{-1}$ denotes the blocks of $\Omega^{-1}$)
Slide 95
Equivalent Keys in UOV
• By choosing suitable values of $\Omega_i^{-1}$, it is possible to get:
$S'_1 = I_{v \times v}$
$S'_2 = 0_{v \times m}$
$S'_4 = I_{m \times m}$
which implies
Slide 96
Equivalent Keys in UOV
• Structure of $S'$:
$S' = \begin{pmatrix} I & 0 \\ S'_3 & I \end{pmatrix}$ (blocks of sizes $v$ and $m$)
• So, the answer is yes: there exist equivalent $S'$, $F'^{(i)}$ such that
$S' F'^{(i)} (S')^T = (S\Omega^{-1})\,\big(\Omega F^{(i)} \Omega^T\big)\,(S\Omega^{-1})^T = P^{(i)}$
and the $F'^{(i)}$ have the desired trapdoor structure.
Slide 98
Recap. MQ Schemes
Slide 100
Thanks!
Questions?
Slide 101