
Multivariate Digital Signature Schemes

Multivariate Digital Signature Schemes. Jiun-Ming Chen http://www.math.ntu.edu.tw/~jmchen. Outline. Elements of Cryptography Applications of Public-Key Cryptography Multivariate Digital Signatures Tame Transformation Signature Performance and Cryptanalysis. Basics.





Presentation Transcript


  1. Multivariate Digital Signature Schemes Jiun-Ming Chen http://www.math.ntu.edu.tw/~jmchen

  2. Outline • Elements of Cryptography • Applications of Public-Key Cryptography • Multivariate Digital Signatures • Tame Transformation Signature • Performance and Cryptanalysis

  3. Basics • A cryptosystem consists of an algorithm, all possible keys, plaintexts, and ciphertexts. • Its security is based on the privacy of its keys, not the privacy of its algorithm. • In math language: the type of the function is known, but its parameters are secret.

  4. Two Types of Cryptosystems • Symmetric Key Cryptosystems (Secret Key) • Public Key Cryptosystems (Asymmetric Key)

  5. Symmetric Key Cryptosystems Plaintext → Encrypt → Ciphertext → Decrypt → Plaintext, with the same symmetric key used for both Encrypt and Decrypt. DES (Data Encryption Standard). AES (Advanced Encryption Standard): bytes are treated as elements of GF(2^8).

  6. Public Key Cryptosystems Plaintext → Encrypt (with the public key) → Ciphertext → Decrypt (with the private key) → Plaintext. The most famous and important PKC: RSA (Ron Rivest, Adi Shamir, Len Adleman, 1977).

  7. In Math Language … Find a function f such that • f^-1 exists but is hard to find (computationally infeasible). • Given x, it is easy to compute y = f(x) with the public f. • Given y, it is hard to find x = f^-1(y), unless some secret information about f^-1 is known. Such an f is called a trapdoor one-way function.

  8. Digital Signatures Message → Sign (with the private key) → Signature → Verify (with the public key).

  9. Public Key Infrastructure • CA (Certificate Authority), RA (Registration Authority) • Confidentiality, Authentication, Integrity, Non-repudiation • Digital signatures are the core technology of Public Key Infrastructure (PKI).

  10. Two Major Categories of PKC • Univariate: many bytes are concatenated to represent a single element of a huge algebraic structure (usually a group). • Multivariate: use compositions of mappings given by multivariate polynomials over a small finite field (GF(2^8) is a natural choice). • Miscellaneous: e.g. NTRU.

  11. Univariate Digital Signature Schemes • RSA-PSS (Probabilistic Signature Scheme) • ECDSA (Elliptic Curve Digital Signature Algorithm): discrete logarithm problem on elliptic curves • DSA (Digital Signature Algorithm), the DSS standard of the US government: discrete logarithm problem, find x satisfying a^x ≡ b mod p.

  12. Brief of RSA • Encrypt or Verify: c ≡ m^e mod n (e is public) • Decrypt or Sign: m ≡ c^d mod n (d is private) • Widely used today: n = pq has 1024 bits • Numbers of size ≈ 2^1024 are manipulated.

  13. Multivariate Digital Signature Schemes • Shamir-Schnorr-Ong (1984) • Imai-Matsumoto's C* (1988) • Shamir's Birational Permutation Schemes (1993) • Oil and Vinegar (1997) • QUARTZ (2000) • FLASH / SFLASH (2000) • TTS - Tame Transformation Signatures

  14. Common Design • Composition of mappings • Public quadratic polynomials • F1 and Fk are affine (Y = AX + B)
  1. Generation: P → F1 → F2 → … → Fk → C (each step easy)
  2. Encryption: P → E → C is easy with the public key; going back from C to P without the trapdoor is hard
  3. Decryption: P ← D1 ← D2 ← … ← Dk ← C (each step easy)

  15. Signature Schemes in NESSIE • Phase I : • ACE-SIGN, ECDSA, ESIGN, FLASH, SFLASH, QUARTZ, RSA-PSS. • Phase II : • ECDSA, ESIGN, SFLASH, QUARTZ, RSA-PSS. • Final selection: • ECDSA (Certicom Corp., USA and Canada) 160+ bits • RSA-PSS (RSA Laboratories, USA) 1536+ bits • SFLASH (Schlumberger, France)

  16. Why SFLASH? • NESSIE’s comments on SFLASH: “…very efficient on low cost smart cards, where the size of the public key is not a constraint.” • Facts: • TTS is even more efficient than SFLASH on low cost smart cards, and has smaller size of keys. • The size of the public key is NOT a constraint for TTS, since keys can be generated on card easily.

  17. Smart Cards

  18. Comparison on Pentium III/500 Data of ECDSA, RSA-PSS, and SFLASH from NESSIE Performance Report

  19. Comparison on Smart Cards Data of ECDSA, RSA-PSS, and SFLASH from the proceedings of PKC 2003

  20. Tame Transformations • Introduced from Algebraic Geometry by T. Moh. Φ: K^n → K^n is defined by
  y1 = x1
  y2 = x2 + f2(x1)
  y3 = x3 + f3(x1, x2)
  y4 = x4 + f4(x1, x2, x3)
  …
  yn = xn + fn(x1, x2, …, x_{n-1})
  where the fi are polynomials; the indices of the xi can be permuted.

  21. Pre-images and Inverses
  x1 = y1
  x2 = y2 − f2(x1)
  x3 = y3 − f3(x1, x2) = y3 − f3(y1, y2 − f2(y1))
  x4 = y4 − f4(x1, x2, x3) = y4 − f4(y1, y2 − f2(y1), y3 − f3(y1, y2 − f2(y1)))
  …
  xn = yn − fn(x1, x2, …, x_{n-1}) = yn − fn(y1, y2 − f2(y1), …, y_{n-1} − f_{n-1}(…))

  22. History • Tame Transformations have a long and distinguished history in algebraic geometry. Thousands of papers have been published studying automorphism groups of affine spaces and embedding theory in mathematics. • Question: Auto(K^N) = Tame(K^N)? Auto(K^2) = Tame(K^2), van der Kulk, 1953. Still an open problem for N > 2.

  23. Factorization in Tame(K^N) • Given an element π ∈ Tame(K^N), N > 2, there is no known way to factor π = φt ∘ … ∘ φ1. That is, there is no factorization theorem for N > 2. • Nagata's example, 1972:
  y1 = x1
  y2 = x2 + x1(x1x3 + x2^2)
  y3 = x3 − 2x2(x1x3 + x2^2) − x1(x1x3 + x2^2)^2
  Is it in Tame(K^3)? Nobody can answer yet.

  24. TTS (Tame Transformation Signature) • Φ = φ3 ∘ φ2 ∘ φ1 is surjective (not bijective). • φ1 and φ3 are affine maps. • φ2 is a tame-like transformation. • We use somewhat more complicated central maps to defend against rank attacks.

  25. Toy Example: GF(2)^5 → GF(2)^3 w → (φ1) → x → (φ2) → y → (φ3) → z
  φ1: x = M1 w + c1
  φ2: y2 = x2 + x0x1, y3 = x3 + x1x2, y4 = x4 + x2x3
  φ3: z = M3 y + c3
  Private key: M1^-1, M3^-1, c1, c3. Public key: z = Φ(w) = φ3 ∘ φ2 ∘ φ1(w). Signing: w = φ1^-1(φ2^-1(φ3^-1(z))). Verifying: z' = Φ(w); is z' = z?

  26. Concrete Test Values Public key:
  z0 = w0 + w1 + w2 + w3 + w0w1 + w0w2 + w1w3 + w1w4 + w2w4 + w3w4
  z1 = w2 + w4 + w0w3 + w1w2 + w1w3 + w1w4 + w2w3 + w2w4 + w3w4
  z2 = w0 + w2 + w0w2 + w0w3 + w0w4 + w1w2 + w1w3 + w1w4 + w2w3 + w3w4
  Note that wi^2 = wi in GF(2).

  27. Signing a Mini Message (1/3) z → (φ3^-1) → y → (φ2^-1) → x → (φ1^-1) → w. Invert the layers in order: y = M3^-1(z − c3); then solve y2 = x2 + x0x1, y3 = x3 + x1x2, y4 = x4 + x2x3 for x; finally w = M1^-1(x − c1). • Assume a mini message to sign: z = (1,1,0). • Then y = M3^-1(z − c3) = (1,1,1).

  28. Signing a Mini Message (2/3) With y = (1,1,1) the central equations become 1 = x2 + x0x1, 1 = x3 + x1x2, 1 = x4 + x2x3. • Assigning values to x0 and x1 forces the rest. • Randomly take x0 = 1, x1 = 0; then x2 = 1, x3 = 1, x4 = 0. • All possible x: (0,0,1,1,0), (0,1,1,0,1), (1,0,1,1,0), (1,1,0,1,1).

  29. Signing a Mini Message (3/3) • x = (1,0,1,1,0) gives w = M1^-1(x − c1) = (1,0,0,0,1), a digital signature of z = (1,1,0). • All possible signatures form an algebraic variety.
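The toy scheme of slides 25 to 29, worked in code as an added example (not part of the original slides). It inverts the central map the tame way (fix x0, x1, then each later xi is forced), enumerates the four preimages of y = (1,1,1), and checks the published signature w = (1,0,0,0,1) against the public-key polynomials of slide 26; the affine layers M1, c1, M3, c3 are not given on the slides, so the signing path is shown only for the central step.

```python
from itertools import product

# Toy TTS from the slides: GF(2)^5 -> GF(2)^3, all arithmetic mod 2.
# Only the central map phi_2 and the final public key are on the slides;
# M1, c1, M3, c3 are not, so only the central step of signing is shown.

def central_map(x):
    """phi_2, the tame-like central map: (x0..x4) -> (y2, y3, y4)."""
    x0, x1, x2, x3, x4 = x
    return ((x2 + x0 * x1) % 2, (x3 + x1 * x2) % 2, (x4 + x2 * x3) % 2)

def central_preimages(y):
    """Invert phi_2 the tame way: fix the free variables x0, x1, then each
    later xi is forced in turn by the triangular structure. phi_2 is
    surjective but not injective, so every y has exactly 4 preimages."""
    y2, y3, y4 = y
    sols = []
    for x0, x1 in product((0, 1), repeat=2):
        x2 = (y2 - x0 * x1) % 2
        x3 = (y3 - x1 * x2) % 2
        x4 = (y4 - x2 * x3) % 2
        sols.append((x0, x1, x2, x3, x4))
    return sols

def public_key(w):
    """z = Phi(w): the three public quadratics of slide 26 (w_i^2 = w_i)."""
    w0, w1, w2, w3, w4 = w
    z0 = w0 + w1 + w2 + w3 + w0*w1 + w0*w2 + w1*w3 + w1*w4 + w2*w4 + w3*w4
    z1 = w2 + w4 + w0*w3 + w1*w2 + w1*w3 + w1*w4 + w2*w3 + w2*w4 + w3*w4
    z2 = (w0 + w2 + w0*w2 + w0*w3 + w0*w4 + w1*w2 + w1*w3 + w1*w4
          + w2*w3 + w3*w4)
    return (z0 % 2, z1 % 2, z2 % 2)

def verify(z, w):
    """Verifier's check from slide 25: recompute z' = Phi(w), compare to z."""
    return public_key(tuple(w)) == tuple(z)

def all_signatures(z):
    """Brute force over GF(2)^5: every w with Phi(w) = z (slide 29's variety).
    Feasible only because n = 5; at real sizes this is the MQ problem."""
    return [w for w in product((0, 1), repeat=5) if public_key(w) == tuple(z)]

if __name__ == "__main__":
    print(central_preimages((1, 1, 1)))        # the four x of slide 28
    print(verify((1, 1, 0), (1, 0, 0, 0, 1)))  # slide 29's signature: True
    print(all_signatures((1, 1, 0)))
```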

  30. Central Map of TTS (20,28) • Base field: GF(28) • Central map:

  31. Central Map of TTS (24,32) • Central map: • In the current design of TTS, two systems of linear equations are solved by Gaussian elimination or the Lanczos method during the signing process.

  32. Related Attacks • Various Rank Attacks • Low rank attack • High rank attack (Dual rank attack) • Separation of variables (Unbalanced Oil and Vinegar) • System of Equations Solving Methods • Gröbner bases • Family of XL, XL, FXL, ...

  33. Forging a Digital Signature • Given z = (z1, …, zm), forging a signature is equivalent to finding a solution w = (w1, …, wn) to the system of equations z = Φ(w). That is, zk = Σ_{i<j} p_ijk wi wj + Σ_j q_jk wj^2 + Σ_j r_jk wj for every k. • Fact: solving a large system of multivariate quadratic equations over GF(q) is NP-hard.

  34. Gröbner Bases • Define a lexicographic order with w1 > … > wn; the Gröbner basis of z = Φ(w) usually contains hn(wn), w_{n-1} − h_{n-1}(wn), …, w1 − h1(wn). • Set hn(wn) = 0 and solve it over GF(q) with the Berlekamp algorithm. Then compute w_{n-1}, …, w1.

  35. Algorithms • Buchberger (1965) • Faugère's F4 (1999) • Faugère's F5 (2002) • HFE challenge 1 was broken by F5 / 2 in 2002. (80 variables in 80 equations over GF(2) with special inner structure)

  36. XL at degree-D • Generate all products of arbitrary monomials of degree D − 2 or less with each zi. Linearize by considering every monomial as a variable. • Perform Gaussian elimination, ordering the set of variables such that monomials in a given variable (say w0) are the last to go. • Solve for w0 with the Berlekamp algorithm. Repeat if any independent variable remains.

  37. Mathematics Connected to XL • Combinatorics • Gives formulas for parameter D0 (minimal D needed by XL) for generic cases. • Algebra • Gives results on behavior of non-generic system, including Lemma of Operability. Of particular interest is Fröberg’s “Maximal Rank Conjecture”. • Analysis • Gives asymptotic estimates for XL and variants.

  38. Conclusions • Multivariate PKC is a burgeoning research area rich in surprises and new discoveries. • We are confident that the myriad variations possible in the structure mean that TTS will adapt and survive in the wilderness as a secure and fast signature scheme.
