Post-Quantum Cryptography #2

(1)

Post-Quantum

Cryptography #2

Prof. Claude Crépeau

McGill University

(2)

Post-Quantum

Cryptography

Finite Fields based cryptography

Codes

Multi-variate Polynomials

Integers based cryptography

Approximate Integer GCD

Lattices

50 jeudi 18 juillet 13

(3)

(4)

Public Key

Encryption

(5)

P

C

EEnnccrryyppttiioonn

D

Deeccrryyppttiioonn

A

Assyym

mm

meettrriicc EEnnccrryyppttiioonn

((PPuubblliicc--KKeeyy CCrryyppttooggrraapphhyy))

K

d

(6)

P

C

EEnnccrryyppttiioonn

D

Deeccrryyppttiioonn

A

Assyym

mm

K

d

K

e

C

Coom

mpplleexxiittyy T

Thheeoorreettiiccaall SSeeccuurriittyy

$

(7)

P

C

D

Deeccrryyppttiioonn

A

Assyym

mm

K

d

K

e

(8)

»

W

Wiillll yyoouu mmaarrrryy mmee ??

»

D Deeccrryyppttiioonn m maarrrryy mmee ??

»

PPuubblliicc--K

Keeyy C

Crryyppttooggrraapphhyy

(9)

»

D Deeccrryyppttiioonn

»

(10)

»

W

»

D Deeccrryyppttiioonn m maarrrryy mmee ??

»

PPuubblliicc--K

Keeyy C

Crryyppttooggrraapphhyy

(11)

Digital

(12)

K

v

K

a

M

T

C

Coom

mpplleexxiittyy T

Thheeoorreettiiccaall SSeeccuurriittyy

A

Auutthheennttiiccaattiioonn

V

Veerriiffiiccaattiioonn

A

Assyym

mm

meettrriicc A

Auutthheennttiiccaattiioonn

((DDiiggiittaall SSiiggnnaattuurree SScchheemmee))

(13)

»

V Veerriiffiiccaattiioonn

»

A Auutthheennttiiccaattiioonn

D

Diiggiittaall SSiiggnnaattuurree

W

(14)

»

W

»

V Veerriiffiiccaattiioonn m maarrrryy mmee ??

»

D

Diiggiittaall SSiiggnnaattuurree

W

Wiillll yyoouu m

maarrrryy m

mee ??

V

VAALLIIDD

(15)

»

V Veerriiffiiccaattiioonn

»

D

Diiggiittaall SSiiggnnaattuurree

W

(16)

)

(17)

(18)

Two [n,k,d] linear codes C,C’ are

(permutation) equivalent if there

exists a kxk non-singular matrix S &

an nxn permutation matrix P s.t.

Code Equivalence

(19)

an nxn permutation matrix P s.t.

G’ = SGP

(20)

an nxn permutation matrix P s.t.

G’ = SGP

the codewords of C and C’ have

exactly all the same weights

Code Equivalence

(21)

(22)

Let C’ be an [n,k,d] linear code equivalent to a

code C.

Code Equivalence

(23)

code C.

Let Cor:{0,1}

n

→

C be an efficient nearest codeword

error-correcting procedure for C (upto

d-1

/

₂

errors)

(24)

code C.

Let Cor:{0,1}

n

→

d-1

/

₂

errors)

Define C’or(w):=Cor(wP

-1

)P,

Code Equivalence

(25)

code C.

Let Cor:{0,1}

n

→

d-1

/

₂

errors)

Define C’or(w):=Cor(wP

-1

)P,

then C’or:{0,1}

n

→

C’ is an efficient nearest codeword

(26)

McEliece

Cryptosystem

(27)

Let G∈rGoppat, S∈r𝔽2kxk, & P∈rPerm be the private-key, &

G = SGP be the public-key,

McEliece

(28)

Let e∈r{error vector of weight t} & m∈{0,1}k a plaintext

let w=mG +e be a ciphertext.

McEliece

Cryptosystem

(29)

let w=mG +e be a ciphertext. Given (only) G ,w finding

McEliece

(30)

let w=mG +e be a ciphertext. Given (only) G ,w finding

c’ =

C’or

(w) is difficult.

McEliece

Cryptosystem

(31)

Niederreiter

Cryptosystem

(32)

Let G∈rGRSt, S∈r𝔽2kxk, & P∈rPerm be the private-key, & G = SGP be the public-key,

Niederreiter

Cryptosystem

(33)

Let G∈rGRSt, S∈r𝔽2kxk, & P∈rPerm be the private-key, &

Let m∈{error vector of weight t} a plaintext & c’∈rC’

let w=c +m be a ciphertext.

Niederreiter

Cryptosystem

(34)

let w=c +m be a ciphertext. Given (only) G ,w finding

Niederreiter

Cryptosystem

(35)

let w=c +m be a ciphertext. Given (only) G ,w finding

c’ =

C’or

(w) is difficult.

Niederreiter

Cryptosystem

(36)

Both

Cryptosystems

(37)

Let G∈rGRS/Goppat, S∈r𝔽2kxk, & P∈rPerm be the

private-key, & G = SGP be the public-private-key, e∈{error vector of

weight t} and let w=c+e for c∈C(G ).

Both

(38)

Let G∈rGRS/Goppat, S∈r𝔽2kxk, & P∈rPerm be the

private-key, & G = SGP be the public-private-key, e∈{error vector of

weight t} and let w=c+e for c∈C(G ).

Given G,S,P, w finding c=Cor(w) and e=w-c is easy.

Both

Cryptosystems

(39)

(40)

Families of Codes

Nicolas Sendrier

(41)

Binary Goppa codes seem safe, but not

(42)

(Generalized) Reed-Solomon codes,

Families of Codes

Nicolas Sendrier

(43)

Binary Goppa codes seem safe, but not

concatenated codes,

(44)

concatenated codes,

elliptic codes,

Families of Codes

Nicolas Sendrier 65 jeudi 18 juillet 13

(45)

concatenated codes,

elliptic codes,

Reed-Muller codes,

(46)

concatenated codes,

elliptic codes,

Reed-Muller codes,

Convolutional codes

Families of Codes

Nicolas Sendrier 65 jeudi 18 juillet 13

(47)

Code based

cryptography

(48)

Code based

cryptography

Courtois, Finiasz and Sendrier

signature scheme

(49)

Code based

cryptography

signature scheme

(50)

Code based

cryptography

signature scheme

Stern’s identification scheme

Code based PRNG

(51)

Code based

cryptography

signature scheme

Stern’s identification scheme

Code based PRNG

(52)

0

Code based

cryptography

§

(53)

Post-Quantum

Cryptography

Codes

(54)

Multi-variate Poly

based cryptography

§

(55)

Multi-variate Poly

(56)

Multi-variate Poly

based cryptography

P = (p1(x1,...,xn),...,pm(x1,...,xn)) for x=(x1,...,xn) over 𝔽n.

(57)

Multi-variate Poly

based cryptography

(58)

Multi-variate Poly

based cryptography

zk = pk(x) := ∑_i Pikxi + ∑_i Qikxi2 + ∑_i<j Rijkxixj

When we are working over 𝔽=𝔽2 , note that x2 = x, so

it suffices to consider multilinear polynomials: zk = pk(x) := ∑_i Pikxi + ∑_i<j Rijkxixj

(59)

Multi-variate Poly

based cryptography

(60)

Multi-variate Poly

based cryptography

In general, finding x from z=P(x) is NP-hard. We seek more :

finding x from z=P(x) being hard on average.

(61)

Multi-variate Poly

(62)

Multi-variate Poly

based cryptography

P = (p1(x1,...,xn),...,pm(x1,...,xn)) for x=(x1,...,xn) over 𝔽2n.

(63)

Multi-variate Poly

based cryptography

P = (p1(x1,...,xn),...,pm(x1,...,xn)) for x=(x1,...,xn) over 𝔽2n.

(64)

Multi-variate Poly

based cryptography

P = (p1(x1,...,xn),...,pm(x1,...,xn)) for x=(x1,...,xn) over 𝔽2n. zk = pk(x) := ∑_i Pikxi + ∑_i<j Rijkxixj Public-key: P 71 jeudi 18 juillet 13

(65)

Multi-variate Poly

based cryptography

P = (p1(x1,...,xn),...,pm(x1,...,xn)) for x=(x1,...,xn) over 𝔽2n. zk = pk(x) := ∑_i Pikxi + ∑_i<j Rijkxixj Public-key: P EncP(x)=P(x)

(66)

Multi-variate Poly

based cryptography

P = (p1(x1,...,xn),...,pm(x1,...,xn)) for x=(x1,...,xn) over 𝔽2n. zk = pk(x) := ∑_i Pikxi + ∑_i<j Rijkxixj Public-key: P EncP(x)=P(x)

Dec(z)= find x s.t. z=P(x) (specific to P’s design)

(67)

Multi-variate Poly

(68)

Multi-variate Poly

based cryptography

MPKCs almost always hide a private map Q via composition with secret affine maps S, and T.

(69)

Multi-variate Poly

based cryptography

(70)

Multi-variate Poly

based cryptography

So, P=T◦Q◦S: 𝔽n→𝔽m, or P(x):=M_T Q( M_Sx+c_S ) + c_T

In any given scheme, the central map Q belongs to a certain class of quadratic maps whose inverse can be computed relatively easily.

(71)

Multi-variate Poly

based cryptography

So, P=T◦Q◦S: 𝔽n→𝔽m, or P(x):=M_T Q( M_Sx+c_S ) + c_T

In any given scheme, the central map Q belongs to a certain class of quadratic maps whose inverse can be computed relatively easily.

(72)

Multi-variate Poly

based cryptography

(73)

Multi-variate Poly

based cryptography

MPKCs almost always hide a private map Q via composition with secret affine maps S, and T. So, P=T◦Q◦S: 𝔽n→𝔽m, or P(x):=M_T Q( M_Sx+c_S ) + c_T

(74)

Multi-variate Poly

based cryptography

MPKCs almost always hide a private map Q via composition with secret affine maps S, and T. So, P=T◦Q◦S: 𝔽n→𝔽m, or P(x):=M_T Q( M_Sx+c_S ) + c_T Private-key: (MT-1, cT), (MS-1, cS), Q-1 Dec(y) = MS-1 _Q-1_{( M}_T-1_y-c_T_{) - c}_S where cT := MT-1 cT and cS := MS-1 cS 73 jeudi 18 juillet 13

(75)

Matsumoto-Imai

(76)

Matsumoto-Imai

Example: ( a sort of RSA type system )

(77)

Matsumoto-Imai

Any single univariate f over 𝔽2n can be represented by

n multivariate algebraic functions yi = fi(x1,x2, ...,xn)

(78)

Matsumoto-Imai

over 𝔽2.

Q(x) := x2a+1_{, a<n, over}_𝔽₂n such that gcd(2a+1,2n-1)=1

(squaring over 𝔽2n is actually a linear transform

over 𝔽₂n)*

(79)

Matsumoto-Imai

over 𝔽2.

Q(x) := x2a+1_{, a<n, over}_𝔽₂n such that gcd(2a+1,2n-1)=1

(squaring over 𝔽2n is actually a linear transform

over 𝔽₂n)*

(80)

Squaring over

𝔽

2

n

is

linear over

𝔽

2

(x

n-1

,...,x

1

,x

0

)

2

=(x

n-1

x

n-1

+...+x

1

x+x

0

)

2

mod P(x)

= x

n-1

x

2n-2

+...+x

1

x

2

+x

0

mod P(x)

/

/ 1 \ / x2_{\ ... / x}2n-2_\

\

/ x

₀

\

=

|

|mod| |mod| ... | mod |

| | x

₁

|

\

\ P / \ P / ... \ P /

/

| ...

|

\x

_n-1

/

= M

sq

x

(81)

Squaring over

𝔽

2

n

is

linear over

𝔽

2

(x

n-1

,...,x

1

,x

0

)

2

=(x

n-1

x

n-1

+...+x

1

x+x

0

)

2

mod P(x)

= x

n-1

x

2n-2

+...+x

1

x

2

+x

0

mod P(x)

/

/ 1 \ / x2_{\ ... / x}2n-2_\

\

/ x

₀

\

=

|

|mod| |mod| ... | mod |

| | x

₁

|

(82)

Squaring over

𝔽

2

n

is

linear over

𝔽

2

(x

n-1

,...,x

1

,x

0

)

2

=(x

n-1

x

n-1

+...+x

1

x+x

0

)

2

mod P(x)

= x

n-1

x

2n-2

+...+x

1

x

2

+x

0

mod P(x)

/

/ 1 \ / x2_{\ ... / x}2n-2_\

\

/ x

₀

\

=

|

|mod| |mod| ... | mod |

| | x

₁

|

\

\ P / \ P / ... \ P /

/

| ...

|

\x

_n-1

/

= M

sq

x

(83)

Squaring over

𝔽

2

n

is

linear over

𝔽

2

(x

n-1

,...,x

1

,x

0

)

2

=(x

n-1

x

n-1

+...+x

1

x+x

0

)

2

mod P(x)

= x

n-1

x

2n-2

+...+x

1

x

2

+x

0

mod P(x)

/

/ 1 \ / x2_{\ ... / x}2n-2_\

\

/ x

₀

\

=

|

|mod| |mod| ... | mod |

| | x

₁

|

(84)

x

2i

over

𝔽

2

n

is linear

over

𝔽

2

(y

n-1

,...,y

1

,y

0

) = (x

n-1

,...,x

1

,x

0

)

2i

= M

isq

x

is a system of n degree 1 equations

y

0

= (M

isq

)

0

x y

1

= (M

isq

)

1

x

y

2

= (M

isq

)

2

x ... y

n-1

= (M

isq

)

n-1

x

(85)

x

2i+1

over

𝔽

2

n

is

quadratic over

𝔽

2

(z

n-1

,...,z

1

,z

0

) = (x

n-1

,...,x

1

,x

0

)

2i+1

= (y

n-1

,...,y

1

,y

0

)*(x

n-1

,...,x

1

,x

0

)

(86)

MI vs RSA

(87)

MI vs RSA

Unlike the RSA scheme, the size

q

n

−

1 of the multiplicative group of

𝔽

_2n

is known, and thus anyone can

(88)

MI vs RSA

Unlike the RSA scheme, the size

q

n

−

1 of the multiplicative group of

𝔽

_2n

is known, and thus anyone can

compute h from 2

a

+1.

MI thus based the security of the

scheme on the different principle

of mapping obfuscation. (à la

McEliece)

(89)

(90)

SFLASH

The MI scheme was broken by a very

clever attack developed by Patarin in

1995.

(91)

SFLASH

The MI scheme was broken by a very

clever attack developed by Patarin in

1995.

Based on an idea of Shamir from 1993,

Patarin et al proposed to avoid their

(92)

SFLASH

(93)

SFLASH

If we denote the final truncation

Π

, the SFLASH public key is:

(94)

SFLASH

If we denote the final truncation

Π

, the SFLASH public key is:

P

Π

=

Π◦

T

◦

Q

◦

S

Such truncated keys can be used in

signature schemes but not in

encryption schemes, since they

cannot be inverted uniquely.

(95)

(96)

SFLASH & NESSIE

The SFLASH scheme was selected in 2003 by the ‘new european schemes for signatures integrity and

encryption’ Consortium as one of only three

recommended public key signature schemes, and as the best known solution for low cost smart cards

(97)

SFLASH & NESSIE

The first version of SFLASH, called SFLASHv1_{, had a}

subtle bug which was discovered by Gilbert and

(98)

SFLASH & NESSIE

Minier. It was replaced by two versions (SFLASHv2 & v3_).

They differ only in their security parameters: for SFLASHv2_{: q = 2}7_{, n = 37, a = 11 and r = 11}

for SFLASHv3_{: q = 2}7_{, n = 67, a = 33 and r = 11}

(99)

SFLASH & NESSIE

Minier. It was replaced by two versions (SFLASHv2 & v3_).

(100)

Variations

(101)

Variations

(102)

Multi-variate Poly

based cryptography

§

(103)

Post-Quantum

Cryptography

Codes

(104)

Cryptographic Money

based on hidden codes

(

hidden sub

-

spaces

)

(105)

(106)

Hidden (Linear) Code

a linear [n,k,d] code C ⊂

𝔽

n

over arbitrary finite field

𝔽

.

(107)

𝔽

n

𝔽

.

(108)

𝔽

n

𝔽

.

a positive integer degree D,

I

D,C

= { degree-D polynomials that vanish on C }.

(109)

𝔽

n

𝔽

.

a positive integer degree D,

I

D,C

= { degree-D polynomials that vanish on C }.

(110)

Hidden Code

(111)

Hidden Code

Lemma A

It is possible to sample a uniformly-random element of

(112)

Hidden Code

Lemma B

Fix C ⊂

𝔽

22n

and

β

> 1, and choose

β

n independent

uniformly-random samples from I

D,C

.

With probability 1 − 2

−Ω(n)

, the set of points on which

they are all zero is exactly C.

Lemma A

It is possible to sample a uniformly-random element of

I

D,C

in time

O

(n

D

).

(113)

Public Q-Money

Christiano Aaronson

(114)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(x) define C=Span(G)

(

Public

-

key

)

Christiano Aaronson

(115)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

Christiano Aaronson

(116)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

,c’

∈C

⊥

,i,j

P

i

(c)=0 and Q

j

(

c’

)=0

Christiano Aaronson 89 jeudi 18 juillet 13

(117)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

,c’

∈C

⊥

,i,j

P

i

(c)=0 and Q

j

(

c’

)=0

|

$

⟩

= ∑

c∈C

|c

⟩

, [H]

⊗n

|$

⟩

= ∑

c’∈C⊥

|c

’⟩

Christiano Aaronson

(118)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

,c’

∈C

⊥

,i,j

P

i

(c)=0 and Q

j

(

c’

)=0

|

$

⟩

= ∑

c∈C

|c

⟩

, [H]

⊗n

|$

⟩

= ∑

c’∈C⊥

|c

’⟩

checking |$

⟩

: using P

₁

(x),...,P

β_n

(x), validate that |$

⟩

is

made only of states from C and using Q

1

(x),...,Q

βn

(x),

validate that [H]|$

⟩

is made only of states from C

⊥

.

Christiano Aaronson

(119)

Public Q-Money

Christiano Aaronson

(120)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Christiano Aaronson

(121)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

Christiano Aaronson

(122)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

,c’

∈C

⊥

,i,j

P

i

(c)=0 and Q

j

(

c’

)=0

Christiano Aaronson 90 jeudi 18 juillet 13

(123)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

,c’

∈C

⊥

,i,j

P

i

(c)=0 and Q

j

(

c’

)=0

The special structure of (

C,C

⊥

), yields an attack for

degree 2 polynomials. So D must be at least 3.

Christiano Aaronson

(124)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

,c’

∈C

⊥

,i,j

P

i

(c)=0 and Q

j

(

c’

)=0

C,C

⊥

degree 2 polynomials. So D must be at least 3.

In Q-Money C or C

⊥

may be sampled once.

Christiano Aaronson

(125)

Public Q-Money

P

1

(x), P

2

(x),...,P

βn

(

Public

-

key

)

Q

1

(x), Q

2

(x),...,Q

βn

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

,c’

∈C

⊥

,i,j

P

i

(c)=0 and Q

j

(

c’

)=0

C,C

⊥

degree 2 polynomials. So D must be at least 3.

In Q-Money C or C

⊥

may be sampled once.

Christiano Aaronson

(126)

Hidden Code

Let Z

D,C,ℇ

be the distribution which sets

I

D,C

with probability 1-

ℇ

I

D,®

with probability

ℇ

where ® is a random code of dimension k.

Lemma C

Fix C ⊂

𝔽

22n

and

ℇ

<1, let

β

=32/(1-

ℇ

)

2

, and choose

β

n

independent samples from Z

D,C,ℇ

. Let

δ

= 1/2 + (1−

ℇ

)/4.

With probability 1 − 2

−Ω(n)

the set of points on which at

least

δβ

n polynomials are zero is exactly C.

Z

D,C,ℇ

=

{

(127)

(128)

Public Q-Money

P

1

′

(x), P

2

′

(x),...,P

β

′

n

(

Public

-

key

)

(129)

Public Q-Money

P

1

′

(x), P

2

′

(x),...,P

β

′

n

(

Public

-

key

)

(130)

Public Q-Money

P

1

′

(x), P

2

′

(x),...,P

β

′

n

(

Public

-

key

)

Q

1

′

(x), Q

2

′

(x),...,Q

β

′

n

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

, c’

∈C

⊥

P

_i

(c)=0 and Q

_j

(

c’

)=0 with probability ≥

δ

.

(131)

Public Q-Money

P

1

′

(x), P

2

′

(x),...,P

β

′

n

(

Public

-

key

)

Q

1

′

(x), Q

2

′

(x),...,Q

β

′

n

(x) define C

⊥

=Ker(G)

(

Public

-

key

)

∀c

∈C

, c’

∈C

⊥

P

_i

(c)=0 and Q

_j

(

c’

)=0 with probability ≥

δ

.

Adding misleading polynomials may only make the

assumption harder to break...

(132)

Cryptographic Money

based on hidden codes

(

hidden sub

-

spaces

)

Dubois,

Fouque, Sh

, Stern br