
Key Cryptography

Geovandro Carlos C. F. Pereira

PhD advisor: Prof. Dr. Paulo S. L. M. Barreto

Department of Computer Engineering and Digital Systems

Escola Politécnica

University of Sao Paulo

Slide 1

Agenda

• Motivation to Post-Quantum Crypto

• Introduction to MPKC

• Matsumoto-Imai Encryption

• UOV Signature

• Technique for Key Size Reduction

• Security Analysis

Slide 2

Motivation

Internet of Things (IoT)

Any object connected to the internet

Slide 3


Motivation

• Typical Platforms

Smartcard (Java Card)

• Resources

• Instruction set of 8, 16 or 32 bits

• Small amounts of RAM (2-8 KiB) and ROM (32-128 KiB)

• Low clock: 5-40 MHz

• Energy is expensive

Slide 5

Motivation

• Symmetric crypto: ok

• Conventional asymmetric cryptography: bottleneck

Security relies on a few computational problems.

"Complex" operations (e.g. multiple-precision arithmetic).

Threats in the medium and long term:

• Shor [1997]

Quantum algorithm for the DLP and the IFP (discrete logarithm and integer factorization problems)

• Barbulescu, Joux et al. [2013]

Conventional algorithms for the DLP over binary fields in quasi-polynomial time

End of pairings over binary fields (they were the most suitable for WSNs)

Slide 11

Motivation

• Post-Quantum Cryptography

Cryptosystems that resist quantum algorithms.

Main lines of research:

• Hash-based

• Very efficient, large signatures.

• Code-based

• Public-key encryption schemes

• Signatures (one-time, large keys)

• Lattice-based

• Encryption, digital signatures, FHE

• Multivariate-based (MPKC, the subject of this talk)

• Some digital signature schemes are robust (original UOV, 14 years)

• Most of the encryption constructions were broken (Jintai Ding has a new perspective on it)

Slide 16

Motivation

• Conventional public-key cryptography

• Needs coprocessors in smartcards.

• Low flexibility for use or optimizations.

• Advantages of MPKC

• Simplicity of operations (matrices and vectors).

• Small fields avoid multiple-precision arithmetic.

• Long-term security (protection against spying).

• Efficiency

Signature generation in 804 cycles by Ding [ASAP 2008].

• Main challenge

• Relatively large key sizes.

Slide 19

MPKC Constructions

Slide 20

Multivariate Public Key Cryptography

• Basic property:

• Cryptosystems whose public keys are a set of multivariate polynomials:

$P(x_1, \dots, x_n) = \big(p_1(x_1, \dots, x_n),\ p_2(x_1, \dots, x_n),\ \dots,\ p_m(x_1, \dots, x_n)\big)$

Slide 22

MPKC Encryption

• Given a plaintext $M = (x_1, \dots, x_n)$.

• The ciphertext is simply a polynomial evaluation:

$P(M) = \big(p_1(x_1, \dots, x_n), \dots, p_m(x_1, \dots, x_n)\big) = (c_1, \dots, c_m)$

• Decryption: the private key (the trapdoor) makes it feasible to invert the quadratic map to find the plaintext:

$(x_1, \dots, x_n) = P^{-1}(c_1, \dots, c_m)$

Slide 25

MPKC Signature

• Public key:

$P(x_1, \dots, x_n) = \big(p_1(x_1, \dots, x_n), \dots, p_m(x_1, \dots, x_n)\big)$

• Sign: hash the message to $(h_1, \dots, h_m)$ and use the trapdoor to compute a preimage

$(x_1, \dots, x_n) = P^{-1}(h_1, \dots, h_m)$

• Verify: $(h_1, \dots, h_m) = P(x_1, \dots, x_n)$

Slide 30

Security

$P(M) = \big(p_1(x_1, \dots, x_n), \dots, p_m(x_1, \dots, x_n)\big) = (c_1, \dots, c_m)$

• MQ problem: solving a system of $m$ multivariate quadratic equations in $n$ variables is NP-complete.

• This hardness result holds for general (random) systems.

Slide 33

Security

• Many systems have the structure

$P(x_1, \dots, x_n) = L_1 \circ F \circ L_2\,(x_1, \dots, x_n)$

• This structure enables computing $F^{-1}$ easily.

• $L_1$ and $L_2$ are full-rank linear (or affine) maps used to hide $F$.

Slide 38

Security

• MQ problem: given $m$ quadratic polynomials $p_1, \dots, p_m$ in the variables $x = (x_1, \dots, x_n)$, solve the system:

$p_1(x) = \dots = p_m(x) = 0$

• IP (Isomorphism of Polynomials) problem: given two quadratic maps $F$ and $F_1$, look for two linear transformations $L_1$ and $L_2$ (if they exist) such that:

$F_1(x_1, \dots, x_n) = L_1 \circ F \circ L_2\,(x_1, \dots, x_n)$

Slide 40

Multivariate Quadratic Construction

• MQ system with $m$ equations in $n$ variables, all coefficients in $\mathbb{F}_q$:

Polynomial notation:

$p_k(x_1, \dots, x_n) := \sum_{i,j} P^{(k)}_{ij}\, x_i x_j + \sum_i L^{(k)}_i\, x_i + c^{(k)}$

Vector notation:

$p_k(x_1, \dots, x_n) = x\, P^{(k)} x^T + L^{(k)} x + c^{(k)}$

Slide 41

(Pure) Quadratic Map

$\mathcal{P}(x) = h \iff x\, P^{(k)} x^T = h_k \quad (k = 1, \dots, m)$

(Figure in the original: the row vector $x$, the $n \times n$ coefficient matrix $P^{(k)}$ and the column vector $x^T$, multiplied to give the scalar $h_k$.)

Slide 42

Matsumoto-Imai Cryptosystem

• An MPKC encryption scheme.

• Small number of variables.

• Huge key sizes.

• Also known as the C* construction.

Slide 43

Matsumoto-Imai Cryptosystem

• $k$ is a small finite field with $|k| = q$.

• $K = k[x]/(g(x))$ is a degree-$n$ extension of $k$ ($g$ irreducible of degree $n$).

• The linear map $\phi: K \to k^n$ and its inverse $\phi^{-1}: k^n \to K$:

$\phi(a_0 + a_1 x + \dots + a_{n-1} x^{n-1}) = (a_0, a_1, \dots, a_{n-1})$

• The public map is $\bar F = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$.

• Recovering $L_1, L_2$ from $\bar F$ (and thus inverting $\bar F$ without the trapdoor) is related to the IP problem.

Slide 48

Matsumoto-Imai Cryptosystem

• The map $F$ adopted was:

$F: K \to K, \qquad X \mapsto X^{q^{\theta} + 1}$

• Let

$\tilde F(x_1, \dots, x_n) = \phi \circ F \circ \phi^{-1}(x_1, \dots, x_n) = \big(F_1(x_1, \dots, x_n), \dots, F_n(x_1, \dots, x_n)\big)$

• $X \mapsto X^{q^{\theta}}$ is $k$-linear (it is the $\theta$-th power of the Frobenius automorphism $X \mapsto X^q$), so $F(X) = X^{q^{\theta}} \cdot X$ is the product of two $k$-linear functions of the coordinates: each $F_i$ is a quadratic polynomial over $k$.

Slide 51

Matsumoto-Imai Cryptosystem

• Encryption is done by the quadratic map over $k^n$

$\bar F = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$

where the $L_i$ are invertible affine maps over $k^n$.

• Decryption:

$\bar F^{-1} = L_2^{-1} \circ \phi \circ F^{-1} \circ \phi^{-1} \circ L_1^{-1}$

• Requirement: $\gcd(q^{\theta} + 1,\ q^n - 1) = 1$

to ensure that $F$ is a bijection on $K$, so that the decryption map $F^{-1}$ exists: $F^{-1}(Y) = Y^{d}$ with $d = (q^{\theta} + 1)^{-1} \bmod (q^n - 1)$.

• The public key includes $k$ and $\bar F = (F_1, \dots, F_n)$.

• The private key includes $L_1$, $L_2$ and $K$.

Caveat: the plain Matsumoto-Imai scheme is not secure. Patarin's linearization-equations attack (1995) recovers plaintexts using only the public key; the scheme is presented here as the prototype of the big-field construction.

Slide 55
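The following is an added worked example (my own code, not from the slides) of the constructions of slides 22-25 and 43-55 on toy parameters that are my own choices: $k = \mathrm{GF}(2)$, $n = 7$, $\theta = 3$ and $g(x) = x^7 + x + 1$. It builds the trapdoor map $\bar F = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$, checks the gcd requirement and derives the decryption exponent $d$, and then extracts the public key as the $n$ explicit quadratic polynomials over $k$ of slide 22 by interpolation, so that encryption uses only the polynomials while decryption uses the trapdoor. It demonstrates the construction only; as noted above, plain Matsumoto-Imai is broken.

```python
# Toy Matsumoto-Imai (C*) encryption over k = GF(2), K = GF(2^7) = k[x]/(x^7 + x + 1).
# Added example, not code from the slides. The parameters n = 7, theta = 3 and the
# irreducible polynomial g(x) = x^7 + x + 1 are my own choices for a small demonstration.
import random
from math import gcd

Q, N, THETA = 2, 7, 3             # |k| = q, [K : k] = n, F(X) = X^(q^theta + 1)
G_POLY = (1 << N) | 0b11          # g(x) = x^7 + x + 1 as a bitmask (bit i <-> x^i)
ORDER = Q ** N - 1                # |K*| = q^n - 1
E = Q ** THETA + 1                # public exponent of F
assert gcd(E, ORDER) == 1         # requirement: F must be a bijection on K
D = pow(E, -1, ORDER)             # private exponent: F^-1(Y) = Y^D

# Elements of K are ints whose bit i is the coefficient a_i of x^i, so phi and phi^-1
# are the identity on the bit pattern: a vector of k^n is also a 7-bit int.
def k_mul(a, b):
    r = 0
    while b:
        if b & 1: r ^= a
        b, a = b >> 1, a << 1
        if a >> N & 1: a ^= G_POLY          # reduce modulo g(x)
    return r

def k_pow(a, e):
    r = 1
    while e:
        if e & 1: r = k_mul(r, a)
        a, e = k_mul(a, a), e >> 1
    return r

def F(X): return k_pow(X, E)      # central map X -> X^(q^theta + 1)
def F_inv(Y): return k_pow(Y, D)  # exists because gcd(E, q^n - 1) = 1
def parity(x): return bin(x).count("1") & 1

def mat_vec(rows, v):             # rows[i] is row i of a GF(2) matrix as a bitmask
    return sum(parity(r & v) << i for i, r in enumerate(rows))

def mat_inv(rows):
    """Gauss-Jordan on [A | I] over GF(2); returns the rows of A^-1, or None if singular."""
    a = [r | (1 << (N + i)) for i, r in enumerate(rows)]
    for c in range(N):
        p = next((i for i in range(c, N) if a[i] >> c & 1), None)
        if p is None: return None
        a[c], a[p] = a[p], a[c]
        for i in range(N):
            if i != c and a[i] >> c & 1: a[i] ^= a[c]
    return [r >> N for r in a]

def rand_invertible_affine():
    """Affine map L(v) = A v + b over k^n with A invertible, stored as (A, A^-1, b)."""
    while True:
        A = [random.getrandbits(N) for _ in range(N)]
        A_inv = mat_inv(A)
        if A_inv is not None: return A, A_inv, random.getrandbits(N)

def affine(L, v): return mat_vec(L[0], v) ^ L[2]
def affine_inv(L, v): return mat_vec(L[1], v ^ L[2])

def keygen(): return rand_invertible_affine(), rand_invertible_affine()   # (L1, L2)

def trapdoor_map(sk, v):          # P = L1 o phi o F o phi^-1 o L2, needs the secret L1, L2
    L1, L2 = sk
    return affine(L1, F(affine(L2, v)))

def decrypt(sk, c):               # P^-1 = L2^-1 o phi o F^-1 o phi^-1 o L1^-1
    L1, L2 = sk
    return affine_inv(L2, F_inv(affine_inv(L1, c)))

def extract_public_key(evaluate):
    """Interpolate every output bit of the quadratic map P as
    p_k(x) = c_k + sum_i a_{k,i} x_i + sum_{i<j} b_{k,ij} x_i x_j  over GF(2)."""
    c0 = evaluate(0)
    e = [evaluate(1 << i) for i in range(N)]
    pk = []
    for k in range(N):
        lin = sum(((e[i] ^ c0) >> k & 1) << i for i in range(N))
        quad = [0] * N            # quad[i] has bit j set iff b_{k,ij} = 1 (j > i)
        for i in range(N):
            for j in range(i + 1, N):
                quad[i] |= ((evaluate((1 << i) | (1 << j)) ^ e[i] ^ e[j] ^ c0) >> k & 1) << j
        pk.append((c0 >> k & 1, lin, quad))
    return pk

def encrypt(pk, v):
    """Public-key encryption: evaluate the n public quadratic polynomials at v."""
    out = 0
    for k, (c, lin, quad) in enumerate(pk):
        bit = c ^ parity(lin & v)
        for i in range(N):
            if v >> i & 1: bit ^= parity(quad[i] & v)
        out |= bit << k
    return out

def public_key_bits():            # constant + linear + quadratic coefficients per polynomial
    return N * (1 + N + N * (N - 1) // 2)
```

The interpolation in `extract_public_key` only works because the map is quadratic in the coordinates (slide 51); for a map of higher degree the reconstructed polynomials would disagree with the trapdoor map on some inputs, which is a cheap sanity check to run on any new central map. Even at this toy size the public key is 203 bits against a private key of two 7x7 matrices and two offsets, which is the key-size problem the rest of the talk addresses.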

UOV Signature

• Trapdoor to invert $F$ [Patarin]

• $h = \mathrm{Hash}(M)$

• Split the variables into 2 sets: oil variables $O := (x_1, \dots, x_o)$ and vinegar variables $V := (x'_1, \dots, x'_v)$.

• The central polynomials contain no oil $\times$ oil terms:

$f_k(x_1, \dots, x_o, x'_1, \dots, x'_v) = \sum_{O \times V} F^{(k)}_{ij}\, x_i x'_j + \sum_{V \times V} F^{(k)}_{ij}\, x'_i x'_j + \sum_{O} L^{(k)}_i\, x_i + \sum_{V} L^{(k)}_i\, x'_i + c^{(k)} = h_k$

• Choose the vinegars $V := (x'_1, \dots, x'_v)$ uniformly at random and fix them: every $x_i x'_j$ term becomes linear in $x_i$ and every $x'_i x'_j$ term becomes a constant, so each $f_k = h_k$ is now a linear equation in the oil variables.

• Solve the resulting system of $m$ linear equations in the $o = m$ oil variables (Gaussian elimination); if it is singular, choose new vinegars and retry.

Slide 62

UOV Signature

• Trapdoor to invert $F$ [Patarin]

(Figure in the original: the $n \times n$ coefficient matrix of $f_k$ with the variables ordered $x_1, \dots, x_v$ (vinegar) then $x_{v+1}, \dots, x_n$ (oil); the vinegar $\times$ vinegar and vinegar $\times$ oil blocks are arbitrary and the oil $\times$ oil block is $0$.)

Slide 63

Rainbow Signature

Slide 64

MQ Signatures

• UOV key sizes.

(Chart in the original; only the bar values survived: 113.4, 99.4, 77.7, 66.7, 14.5, 11.0 and 10.2 KiB. The parameter-set labels are not recoverable here.)

Slide 65

Technique for Key Size Reduction

Slide 66


MQ Signatures - Cyclic UOV

Public matrix of coefficients $M_P$: row $k$ holds the $l' = n(n+1)/2$ quadratic coefficients of $P^{(k)}$ (the upper-triangular part, $1 \le i \le j \le n$).

$M_P = \begin{pmatrix} P^{(1)} \\ P^{(2)} \\ \vdots \\ P^{(m)} \end{pmatrix}_{m \times l'} = \big(\, B \mid C \,\big)_{m \times l'}$

with $B$ of size $m \times l$ and $C$ of size $m \times (l' - l)$, where

$l = \dfrac{v(v+1)}{2} + mv, \qquad l' = \dfrac{n(n+1)}{2}.$

($l$ counts the vinegar $\times$ vinegar and vinegar $\times$ oil monomials, and $l' - l = m(m+1)/2$ the oil $\times$ oil ones.)

Slide 71

MQ Signatures - Cyclic UOV

Private matrix of coefficients $M_F$: row $k$ holds the coefficients of $F^{(k)}$ in the same monomial order; the last $l' - l$ columns (oil $\times$ oil monomials) are zero by the UOV trapdoor.

$M_F = \begin{pmatrix} F^{(1)} & 0 \\ F^{(2)} & 0 \\ \vdots & \vdots \\ F^{(m)} & 0 \end{pmatrix}_{m \times l'} = \big(\, F \mid 0 \,\big)_{m \times l'}, \qquad l = \dfrac{v(v+1)}{2} + mv, \quad l' = \dfrac{n(n+1)}{2}.$

Slide 73

MQ Signatures - Cyclic UOV

• There is a linear relation between $B$ and $F$ which depends only on $S$ [Petzoldt et al., 2010]:

$B = F \cdot A_{UOV}(S)$

where $A_{UOV}(S)$ is the $l \times l$ matrix with rows indexed by the private monomials $(r, s)$, $1 \le r \le v$, $r \le s \le n$, columns indexed by the public monomials $(i, j)$, $1 \le i \le v$, $i \le j \le n$, and entries

$a_{(r,s),(i,j)} = \begin{cases} s_{ri}\, s_{si}, & i = j \\ s_{ri}\, s_{sj} + s_{rj}\, s_{si}, & i \ne j \end{cases}$

$M_P = \big(\, B \mid C \,\big)_{m \times l'}, \qquad M_F = \big(\, F \mid 0 \,\big)_{m \times l'}$

Slide 74
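Derivation of the entries of $A_{UOV}(S)$, added here with the slide's symbols (it assumes the convention $y = S x$, i.e. $y_r = \sum_i s_{ri} x_i$, which is the convention the index pattern of $a_{(r,s),(i,j)}$ corresponds to):

$$f^{(k)}(y) = \sum_{1 \le r \le s \le n} f^{(k)}_{rs}\, y_r y_s, \qquad y_r = \sum_{i=1}^{n} s_{ri}\, x_i .$$

Substituting the second expression into the first,

$$y_r y_s = \sum_{i,j} s_{ri} s_{sj}\, x_i x_j = \sum_{i} s_{ri} s_{si}\, x_i^2 + \sum_{i<j} \left(s_{ri} s_{sj} + s_{rj} s_{si}\right) x_i x_j ,$$

so the public coefficient of $x_i x_j$ in $p^{(k)} = f^{(k)} \circ S$ is

$$p^{(k)}_{ij} = \sum_{1 \le r \le s \le n} f^{(k)}_{rs}\; a_{(r,s),(i,j)}, \qquad a_{(r,s),(i,j)} = \begin{cases} s_{ri}\, s_{si}, & i = j,\\ s_{ri}\, s_{sj} + s_{rj}\, s_{si}, & i \ne j, \end{cases}$$

that is, $M_P = M_F \cdot A(S)$ with $A(S)$ of size $l' \times l'$. Because $f^{(k)}_{rs} = 0$ whenever $r, s > v$, only the first $l$ rows of $A(S)$ (those with $r \le v$) contribute; keeping only its first $l$ columns as well ($i \le v$) gives the square $l \times l$ matrix $A_{UOV}(S)$ and the relation $B = F \cdot A_{UOV}(S)$ of the slide. The remaining public columns $C = F \cdot A(S)_{[1..l],\,[l+1..l']}$ are then determined by $F$ and $S$, which is why only $B$, and not $C$, can be chosen freely.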

MQ Signatures - Cyclic UOV

By choosing $S$ such that $A_{UOV}(S)$ is invertible, the private coefficients can be computed from chosen public ones:

$F = B \cdot A_{UOV}(S)^{-1}$

• In particular:

$B = 0$ does not result in a valid $F$ (all private coefficients vanish),

$B =$ identity blocks reveals too much information about $A_{UOV}^{-1}$,

$B$ circulant was adopted by [Petzoldt et al., 2010]; a circulant $B$ still provides consistent UOV signatures.

Slide 78

MQ Signatures - Cyclic UOV

Adopting $B$ circulant: $B$ is generated by a single vector $\mathbf{b} = (b_1, \dots, b_l)$, each row being a cyclic shift of the previous one, so

$M_P = \big(\, B \mid C \,\big)_{m \times l'}, \qquad |M_P| = l + m(l' - l)$

field elements need to be stored instead of $m\, l'$.

Slide 79

MQ Signatures - Cyclic UOV

Public matrices $P^{(k)}$, $k = 1, \dots, 4$ (figures in the original, omitted here).

Slide 84

Equivalent Keys in UOV

• Question: are there several private keys $(S, F)$ for a given public key system?

Slide 87

Equivalent Keys in UOV

• UOV public key:

$P^{(i)} = S F^{(i)} S^T, \quad 1 \le i \le m$

• Are there other pairs $(S', F'^{(i)})$ with

$P^{(i)} = S F^{(i)} S^T = S' F'^{(i)} S'^T, \quad 1 \le i \le m,$

where the matrices $F'^{(i)}$ share with $F^{(i)}$ the same trapdoor structure?

Slide 89

Equivalent Keys in UOV

• Idea: introduce an invertible matrix $\Omega$ in $P^{(i)}$:

$P^{(i)} = S \Omega^{-1} \left(\Omega F^{(i)} \Omega^T\right) (\Omega^T)^{-1} S^T$

• Define $F'^{(i)} := \Omega F^{(i)} \Omega^T$. In blocks of sizes $v$ and $m$:

$\Omega F^{(i)} \Omega^T = \begin{pmatrix} \Omega_1 & \Omega_2 \\ \Omega_3 & \Omega_4 \end{pmatrix} \begin{pmatrix} F_1 & F_2 \\ F_3 & 0 \end{pmatrix} \begin{pmatrix} \Omega_1^T & \Omega_3^T \\ \Omega_2^T & \Omega_4^T \end{pmatrix} = \begin{pmatrix} * & * \\ * & \rho \end{pmatrix} = F'^{(i)}$

where $\rho$ is the $m \times m$ oil $\times$ oil block of $F'^{(i)}$.

Slide 91

Equivalent Keys in UOV

$\rho = \left(\Omega_3 F_1 + \Omega_4 F_3\right) \Omega_3^T + \Omega_3 F_2\, \Omega_4^T = 0$

and $\Omega_3 = 0$ is a solution:

$\Omega = \begin{pmatrix} \Omega_1 & \Omega_2 \\ 0 & \Omega_4 \end{pmatrix}$ (blocks of sizes $v$ and $m$).

Slide 92

Equivalent Keys in UOV

• Thus, $F'^{(i)} = \Omega F^{(i)} \Omega^T$ has the same structure as $F^{(i)}$, and

$P^{(i)} = S \Omega^{-1}\, F'^{(i)}\, (\Omega^T)^{-1} S^T = S' F'^{(i)} S'^T$

with $S' := S \Omega^{-1}$.

Slide 95

Equivalent Keys in UOV

$S' = S \Omega^{-1} = \begin{pmatrix} S_1 & S_2 \\ S_3 & S_4 \end{pmatrix} \begin{pmatrix} \Omega_1^{-1} & -\Omega_1^{-1} \Omega_2 \Omega_4^{-1} \\ 0 & \Omega_4^{-1} \end{pmatrix}$

(blocks of sizes $v$ and $m$).

Slide 96

Equivalent Keys in UOV

• By choosing suitable values of $\Omega_i$ ($\Omega_1 = S_1$, $\Omega_2 = S_2$, $\Omega_4 = S_4 - S_3 S_1^{-1} S_2$, assuming $S_1$ and $\Omega_4$ are invertible), it is possible to get:

$S'_1 = I_{v \times v}, \qquad S'_2 = 0_{v \times m}, \qquad S'_4 = I_{m \times m},$

which implies

Slide 97

Equivalent Keys in UOV

• Structure of $S'$:

$S' = \begin{pmatrix} I_v & 0 \\ S'_3 & I_m \end{pmatrix}, \qquad S'_3 = S_3 S_1^{-1} \ (m \times v).$

• So the answer is yes: there exist equivalent $S', F'^{(i)}$ such that

$S' F'^{(i)} (S')^T = (S \Omega^{-1})\, \big(\Omega F^{(i)} \Omega^T\big)\, (S \Omega^{-1})^T = P^{(i)}$

and the $F'^{(i)}$ have the desired trapdoor structure, so the linear part of the private key is determined by $S'_3$ alone.

Slide 99
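The UOV signing procedure of slides 56-63 and the equivalent-key transformation of slides 84-99, as one added worked example (my own code, not from the slides). It uses the row-vector convention $P^{(k)} = S F^{(k)} S^T$ of slide 88 with the variables ordered vinegar first, a pure quadratic central map (no linear or constant terms, as on slide 42), and the toy parameters $q = 31$, $v = 6$, $m = 3$, which are my own choices and far too small for security. `equivalent_key` builds $\Omega$ from $S$ exactly as on slides 97-99 and returns the normalised pair $(S', F')$, which signs for the same public key.

```python
# Toy UOV signature over k = GF(31) with (v, m) = (6, 3): key generation, signing,
# verification, and the equivalent-key transformation Omega from the slides.
# Added example, not code from the slides; q, v and m are my own small choices.
# Convention (slide 88): row vectors, p_k(x) = x P^(k) x^T, P^(k) = S F^(k) S^T,
# variables ordered (vinegar_1..vinegar_v, oil_1..oil_m), oil x oil block of F^(k) = 0.
import random

Q, V, M = 31, 6, 3
N = V + M

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]

def transpose(A): return [list(c) for c in zip(*A)]
def identity(n): return [[int(i == j) for j in range(n)] for i in range(n)]
def block(A, rows, cols): return [row[cols] for row in A[rows]]

def mat_inv(A):
    """Gauss-Jordan inverse mod Q; None if A is singular."""
    n, I = len(A), identity(len(A))
    a = [row[:] + I[i] for i, row in enumerate(A)]
    for c in range(n):
        p = next((r for r in range(c, n) if a[r][c]), None)
        if p is None: return None
        a[c], a[p] = a[p], a[c]
        inv = pow(a[c][c], -1, Q)
        a[c] = [x * inv % Q for x in a[c]]
        for r in range(n):
            if r != c and a[r][c]:
                a[r] = [(x - a[r][c] * y) % Q for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def quad(x, P):                   # the quadratic form x P x^T
    return sum(x[i] * P[i][j] * x[j] for i in range(N) for j in range(N)) % Q

def has_uov_structure(Fk):        # no oil x oil coefficients
    return all(Fk[i][j] == 0 for i in range(V, N) for j in range(V, N))

def keygen():
    while True:
        S = [[random.randrange(Q) for _ in range(N)] for _ in range(N)]
        if mat_inv(S) is not None: break
    F = [[[random.randrange(Q) if i < V or j < V else 0 for j in range(N)] for i in range(N)]
         for _ in range(M)]
    P = [mat_mul(mat_mul(S, Fk), transpose(S)) for Fk in F]
    return (S, F), P

def sign(sk, h):
    """Trapdoor inversion: fix random vinegars, solve the now-linear system for the
    oils (retry on a singular system), then map y back through S^-1."""
    S, F = sk
    while True:
        yv = [random.randrange(Q) for _ in range(V)]
        C, rhs = [], []
        for Fk, hk in zip(F, h):
            const = sum(yv[i] * Fk[i][j] * yv[j] for i in range(V) for j in range(V))
            # coefficient of oil y_j comes from the vinegar x oil and oil x vinegar blocks
            C.append([sum(yv[i] * (Fk[i][V + j] + Fk[V + j][i]) for i in range(V)) % Q
                      for j in range(M)])
            rhs.append([(hk - const) % Q])
        C_inv = mat_inv(C)
        if C_inv is not None: break
    yo = [r[0] for r in mat_mul(C_inv, rhs)]
    return mat_mul([yv + yo], mat_inv(S))[0]        # x = y S^-1

def verify(P, x, h):
    return all(quad(x, Pk) == hk for Pk, hk in zip(P, h))

def equivalent_key(sk):
    """Slides 90-99: Omega = [[S1, S2], [0, S4 - S3 S1^-1 S2]] gives S' = S Omega^-1 =
    [[I, 0], [S3 S1^-1, I]] and F'^(k) = Omega F^(k) Omega^T with the same zero
    oil x oil block, and S' F' S'^T = P. Returns None if S1 or Omega4 is singular."""
    S, F = sk
    vs, ms = slice(0, V), slice(V, N)
    S1, S2, S3, S4 = block(S, vs, vs), block(S, vs, ms), block(S, ms, vs), block(S, ms, ms)
    S1_inv = mat_inv(S1)
    if S1_inv is None: return None
    T = mat_mul(mat_mul(S3, S1_inv), S2)
    O4 = [[(a - b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(S4, T)]
    if mat_inv(O4) is None: return None
    Omega = [r1 + r2 for r1, r2 in zip(S1, S2)] + [[0] * V + r for r in O4]
    S_new = mat_mul(S, mat_inv(Omega))
    F_new = [mat_mul(mat_mul(Omega, Fk), transpose(Omega)) for Fk in F]
    return S_new, F_new
```

Two details matter in practice. The retry loop in `sign` is the step slide 62 describes: with the oils unknown the system is $m \times m$ and singular with probability roughly $1/q$, so a signer must be prepared to redraw vinegars. And the existence of the normalised key returned by `equivalent_key` is what lets the private linear map be stored as the $m \times v$ block $S'_3$ only; the same fact means an attacker who can recover any one equivalent key has recovered them all, so key-recovery arguments are usually made against the normalised form.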

Recap. MQ Schemes

Slide 100

Thanks!

Questions?

Slide 101
