Outline    Preliminary    MQ-Based Identification Scheme     Further Schemes   Appendix




          Public-Key Identification Schemes Based on Multivariate Polynomials

                               Cassius Puodzius

                       Technische Universität Darmstadt

                                 July 19, 2012
Outline

          Outline of the talk
              Preliminary
                    Identification Schemes
                    MQ Problem
              MQ-based Identification Scheme
                    3-pass Protocol
                    Soundness
                    Zero-Knowledge
                    Parameters
                    Implementation
              Further Schemes
                    MQ 5-pass Protocol
                    MC 3- and 5-pass Protocol
                    MP 3- and 5-pass Protocol
Identification Schemes

          Problem
          Peggy wants to prove to Victor that she really is Peggy. Victor, on
          the other hand, wants to be sure that Oscar is not trying to
          impersonate Peggy.

          Protocol

                          Peggy                                   Victor
Identification Schemes

          Challenge-Response
               Challenge: Victor prepares a challenge that can only be solved
               with knowledge of a secret that belongs to Peggy.
               Response: Peggy sends the response to the challenge back to
               Victor.
Identification Schemes

          Interactive Proof

                          Peggy                                   Victor
                                 <--------- (Challenge) ---------
                                 ---------- (Response) --------->
                                        ... many times!
Identification Schemes

          Completeness
          If the prover knows the secret, then after the interaction Victor is
          convinced that the prover really is Peggy (with very high
          probability).

          Soundness
          If the prover is not Peggy, i.e. does not know the secret, then he or
          she cannot fool Victor (except with very small probability).
Identification Schemes

          Quite good... but not enough!
          Could Victor prepare his challenges so as to learn Peggy's secret and
          be able to impersonate her in the future?

          Commitment
          To prevent Victor from crafting specific challenges, the challenge
          step is replaced by:
            1   Peggy chooses a set of challenge candidates and sends them to
                Victor
            2   Victor chooses one of them and sends his choice back to Peggy
Identification Schemes

          Zero-Knowledge
          An interactive proof that grants the verifier no information beyond
          what he could have computed by himself.
Cut-and-choose

          Cut-and-choose Paradigm
              Peggy splits her secret into shares and proves knowledge of some
              of them, according to Victor's choice
              The shares that are opened never reveal the secret itself
MQ Problem
          MQ Function
          Given $x \in \mathbb{F}_q^n$, a function $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$ is defined as

          $$ f_l(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} a_{l,i,j}\, x_i x_j + \sum_{i=1}^{n} b_{l,i}\, x_i $$

          An MQ function $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is then defined as

          $$ F(x) = (f_1(x), \ldots, f_m(x)) $$

          The family of MQ functions is denoted by $\mathcal{MQ}(n, m, \mathbb{F}_q)$.

          Polar Form
          $$ G(x, y) = F(x + y) - F(x) - F(y) $$

              $G(x, y)$ is bilinear.
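          Why $G(x, y)$ is bilinear, as an added worked derivation that is not on the
          original slide, using the coefficients $a_{l,i,j}$ and $b_{l,i}$ defined above.
          For each coordinate $l$:

          $$
          \begin{aligned}
          g_l(x, y) &= f_l(x + y) - f_l(x) - f_l(y) \\
          &= \sum_{i=1}^{n}\sum_{j=i}^{n} a_{l,i,j}\bigl[(x_i + y_i)(x_j + y_j) - x_i x_j - y_i y_j\bigr]
             + \sum_{i=1}^{n} b_{l,i}\bigl[(x_i + y_i) - x_i - y_i\bigr] \\
          &= \sum_{i=1}^{n}\sum_{j=i}^{n} a_{l,i,j}\,(x_i y_j + y_i x_j).
          \end{aligned}
          $$

          The linear terms cancel and only the cross terms $x_i y_j + y_i x_j$ survive,
          each of degree one in $x$ and in $y$. Hence $G = (g_1, \ldots, g_m)$ is bilinear
          and symmetric, $G(x, 0) = 0$, and in particular
          $G(t_0 + t_1, r_1) = G(t_0, r_1) + G(t_1, r_1)$, which is the identity the
          cut-and-choose step of the protocol relies on.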
MQ Problem


          Multivariate Quadratic Polynomials over a Finite Field
          MQ problem: given $y = F(x)$, it is infeasible to find some $x'$ such
          that $F(x') = y$.

          Features of MQ functions
              No quantum algorithm is known that solves the MQ problem
              efficiently
              The decision version of the problem is known to be NP-complete
              The general attack is Gröbner basis computation, which takes
              exponential time and memory (when m = Θ(n))
3-Pass Protocol



          String Commitment Function
           1   Com(s; ρ), where s is the string being committed to and ρ is a
               random string
           2   Com is statistically hiding and computationally binding

          String Commitment Scheme
           1   Commit: Peggy computes c ← Com(s; ρ) and sends c to Victor
           2   Open: Peggy sends s and ρ to Victor, who verifies whether
               c =? Com(s; ρ)
3-Pass Protocol



          Statistically hiding
          No receiver, even a computationally unbounded one, can distinguish
          Com(s1; ρ1) from Com(s2; ρ2) for s1 ≠ s2 (over the random choice of
          ρ1 and ρ2)

          Computationally binding
          No polynomial-time sender can find (s2; ρ2) with s2 ≠ s1 such that
          Com(s1; ρ1) = Com(s2; ρ2)
3-Pass Protocol

          Setup
          Publicly known system F from MQ(n, m, Fq):
              n → number of variables (input dimension)
              m → number of equations
              Fq → chosen finite field
              the coefficients of F, or a seed from which they are derived
          From Peggy:
              Secret key → s ∈ Fq^n
              Public key → v = F(s)

          Victor's Goal
          From F and v, decide whether the prover is indeed Peggy.
Why is G(x, y) necessary?
          Cut technique
          Secret key s, public key v = F(s).
          First cut:

          $$ s = r_0 + r_1 $$
          $$ v = F(r_0 + r_1) = F(r_0) + F(r_1) + G(r_0, r_1) $$

          G(r_0, r_1) still depends on both r_0 and r_1, so neither summand can
          be checked from one share alone.
          Cut again, r_0 = t_0 + t_1 and F(r_0) = e_0 + e_1, and use the
          bilinearity of G:

          $$
          \begin{aligned}
          v &= F(r_0) + F(r_1) + G(t_0 + t_1, r_1) \\
            &= e_0 + e_1 + F(r_1) + G(t_0, r_1) + G(t_1, r_1) \\
            &= \bigl(G(t_0, r_1) + e_0\bigr) + \bigl(F(r_1) + G(t_1, r_1) + e_1\bigr)
          \end{aligned}
          $$

          Each share now depends only on either (r_1, t_0, e_0) or (r_1, t_1, e_1).
3-Pass Protocol

          Protocol

          Peggy:
              Pick r0, t0 ∈R Fq^n, e0 ∈R Fq^m
              r1 ← s − r0
              t1 ← r0 − t0
              e1 ← F(r0) − e0
              c0 ← Com(r1, G(t0, r1) + e0)
              c1 ← Com(t0, e0)
              c2 ← Com(t1, e1)
3-Pass Protocol

          Protocol

                          Peggy                                   Victor
                                 ---------- (c0, c1, c2) -------->
                                                                Pick Ch ∈R {0, 1, 2}
                                 <-------------- Ch -------------
3-Pass Protocol

          Protocol

          Peggy:
              If Ch = 0, then Rsp ← (r0, t1, e1)
              If Ch = 1, then Rsp ← (r1, t1, e1)
              If Ch = 2, then Rsp ← (r1, t0, e0)
3-Pass Protocol

          Protocol

                          Peggy                                   Victor
                                 --------------- Rsp ----------->
3-Pass Protocol
          Protocol

          Victor:
              If Ch = 0, parse Rsp = (r0, t1, e1) and check:
                  c1 =? Com(r0 − t1, F(r0) − e1)
                  c2 =? Com(t1, e1)
              If Ch = 1, parse Rsp = (r1, t1, e1) and check:
                  c0 =? Com(r1, v − F(r1) − G(t1, r1) − e1)
                  c2 =? Com(t1, e1)
              If Ch = 2, parse Rsp = (r1, t0, e0) and check:
                  c0 =? Com(r1, G(t0, r1) + e0)
                  c1 =? Com(t0, e0)
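          The complete 3-pass round above, as an added Python example that is not part of
          the original slides: it implements the MQ function F and its polar form G, the
          string commitment Com(s; ρ), the cut identity from "Why is G(x, y) necessary?",
          and both Peggy's and Victor's sides of the protocol. The parameters q = 31,
          n = m = 6, the derivation of the public coefficients from a seed with SHA-256,
          and the SHA-256 hash commitment are assumptions chosen for this example; the
          slides leave Com abstract and the scheme's real parameter sets are far larger.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Sequence

Vec = list[int]
# Toy parameters chosen for readability only (assumption; real parameter sets are
# far larger). q is prime, so arithmetic mod q is arithmetic in F_q.
Q, N, M = 31, 6, 6

def vec_add(x: Sequence[int], y: Sequence[int]) -> Vec:
    return [(a + b) % Q for a, b in zip(x, y)]

def vec_sub(x: Sequence[int], y: Sequence[int]) -> Vec:
    return [(a - b) % Q for a, b in zip(x, y)]

def rand_vec(length: int) -> Vec:
    return [secrets.randbelow(Q) for _ in range(length)]  # uniform over F_q^length

def gen_mq(seed: bytes, n: int = N, m: int = M) -> Callable[[Sequence[int]], Vec]:
    """Public F = (f_1..f_m), f_l(x) = sum_{i<=j} a_{l,i,j} x_i x_j + sum_i b_{l,i} x_i.
    Coefficients are expanded from the seed with SHA-256 as a PRF (our choice; the
    slides only say 'coefficients or a seed')."""
    def coef(*idx: int) -> int:
        return int.from_bytes(hashlib.sha256(seed + bytes(idx)).digest()[:4], "big") % Q
    a = {(l, i, j): coef(0, l, i, j) for l in range(m) for i in range(n) for j in range(i, n)}
    b = {(l, i): coef(1, l, i) for l in range(m) for i in range(n)}

    def F(x: Sequence[int]) -> Vec:
        return [(sum(a[l, i, j] * x[i] * x[j] for i in range(n) for j in range(i, n))
                 + sum(b[l, i] * x[i] for i in range(n))) % Q for l in range(m)]
    return F

def polar(F, x: Sequence[int], y: Sequence[int]) -> Vec:
    """G(x, y) = F(x + y) - F(x) - F(y); bilinear, so G(t0 + t1, r1) = G(t0, r1) + G(t1, r1)."""
    return vec_sub(vec_sub(F(vec_add(x, y)), F(x)), F(y))

def com(a: Sequence[int], b: Sequence[int], rho: bytes) -> bytes:
    """Com((a, b); rho) as a hash commitment: rho hides, collision resistance binds.
    (A plain hash is only computationally hiding; a simplification for this demo.)"""
    h = hashlib.sha256(rho)
    for part in (a, b):  # length-prefixed so the pair (a, b) is unambiguous
        h.update(len(part).to_bytes(2, "big") + bytes(part))
    return h.digest()

def keygen(F) -> tuple[Vec, Vec]:
    s = rand_vec(N)
    return s, F(s)  # secret key s, public key v = F(s)

def prover_commit(F, s: Sequence[int]) -> tuple[tuple[bytes, bytes, bytes], dict]:
    """Pass 1 (Peggy): cut s = r0 + r1, r0 = t0 + t1, F(r0) = e0 + e1, then commit."""
    r0, t0, e0 = rand_vec(N), rand_vec(N), rand_vec(M)
    r1, t1, e1 = vec_sub(s, r0), vec_sub(r0, t0), vec_sub(F(r0), e0)
    rho = [secrets.token_bytes(16) for _ in range(3)]  # fresh commitment randomness
    c0 = com(r1, vec_add(polar(F, t0, r1), e0), rho[0])
    c1, c2 = com(t0, e0, rho[1]), com(t1, e1, rho[2])
    return (c0, c1, c2), dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1, rho=rho)

def prover_respond(st: dict, ch: int) -> tuple:
    """Pass 3 (Peggy): open exactly two of the three commitments, never all three."""
    rho = st["rho"]
    opened = {0: (st["r0"], st["t1"], st["e1"], rho[1], rho[2]),
              1: (st["r1"], st["t1"], st["e1"], rho[0], rho[2]),
              2: (st["r1"], st["t0"], st["e0"], rho[0], rho[1])}
    return opened[ch]  # KeyError on a malformed challenge

def verify(F, v: Sequence[int], commits: tuple, ch: int, rsp: tuple) -> bool:
    """Victor's checks from the slide; only the Ch = 1 branch involves the public key v."""
    c0, c1, c2 = commits
    x, y, z, rho_x, rho_y = rsp
    if ch == 0:    # (r0, t1, e1): t0 = r0 - t1 and e0 = F(r0) - e1 must reopen c1
        first, want = com(vec_sub(x, y), vec_sub(F(x), z), rho_x), (c1, c2)
    elif ch == 1:  # (r1, t1, e1): v - F(r1) - G(t1, r1) - e1 must equal G(t0, r1) + e0
        first, want = com(x, vec_sub(vec_sub(vec_sub(v, F(x)), polar(F, y, x)), z), rho_x), (c0, c2)
    elif ch == 2:  # (r1, t0, e0): c0 is reopened exactly as committed
        first, want = com(x, vec_add(polar(F, y, x), z), rho_x), (c0, c1)
    else:
        return False
    second = com(y, z, rho_y)  # Com(t1, e1) for Ch in {0, 1}, Com(t0, e0) for Ch = 2
    return hmac.compare_digest(first, want[0]) and hmac.compare_digest(second, want[1])

def cut_identity_holds(F, s: Sequence[int]) -> bool:
    """The 'Why is G necessary?' identity: v = (G(t0, r1) + e0) + (F(r1) + G(t1, r1) + e1)."""
    r0, t0, e0 = rand_vec(N), rand_vec(N), rand_vec(M)
    r1, t1, e1 = vec_sub(s, r0), vec_sub(r0, t0), vec_sub(F(r0), e0)
    share0 = vec_add(polar(F, t0, r1), e0)
    share1 = vec_add(vec_add(F(r1), polar(F, t1, r1)), e1)
    return vec_add(share0, share1) == F(s)

def run_protocol(F, s: Sequence[int], v: Sequence[int], rounds: int) -> bool:
    """Repeat the round: without s (and without breaking Com) a prover can prepare for at
    most two of the three challenges, so each round is passed with probability <= 2/3."""
    for _ in range(rounds):
        commits, st = prover_commit(F, s)
        ch = secrets.randbelow(3)  # Victor picks Ch only after seeing the commitments
        if not verify(F, v, commits, ch, prover_respond(st, ch)):
            return False
    return True
```

          Two details worth noticing when reading the code against the slide: only the
          Ch = 1 branch ever uses the public key v, so the other two branches merely
          check that the shares are consistent with each other, and the commitments are
          fixed before Victor picks Ch, which is what stops a prover who prepared for two
          of the three openings. Commitment comparisons go through hmac.compare_digest so
          that the verifier's own timing does not leak which byte of a forged opening
          mismatched.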
Outline          Preliminary   MQ-Based Identification Scheme              Further Schemes       Appendix




3-Pass Protocol
          Protocol




                                         If Ch = 0, parse Rsp = (r0 , t1 , e1 ) and check:
                                                                  ?
                                                               c1 = Com(r0 − t1 , F(r0 ) − e1 )
                                                                                    ?
                                                                       c2 = Com(t1 , e1 )
                                         If Ch = 1, parse Rsp = (r1 , t1 , e1 ) and check:
                                                    ?
                                                c0 = Com(r1 , v − F(r1 ) − G(t1 , r1 ) − e1 )
                                                                                    ?
                                                                       c2 = Com(t1 , e1 )
                                         If Ch = 2, parse Rsp = (r1 , t0 , e0 ) and check:
                                                                      ?
                                                                c0 = Com(r1 , G(t0 , r1 ) + e0 )
                                                                                    ?
                                                                                c1 = Com(t0 , e0 )
Outline          Preliminary   MQ-Based Identification Scheme              Further Schemes       Appendix




3-Pass Protocol
          Protocol




                                         If Ch = 0, parse Rsp = (r0 , t1 , e1 ) and check:
                                                                  ?
                                                               c1 = Com(r0 − t1 , F(r0 ) − e1 )
                                                                                    ?
                                                                       c2 = Com(t1 , e1 )
                                         If Ch = 1, parse Rsp = (r1 , t1 , e1 ) and check:
                                                    ?
                                                c0 = Com(r1 , v − F(r1 ) − G(t1 , r1 ) − e1 )
                                                                                    ?
                                                                       c2 = Com(t1 , e1 )
                                         If Ch = 2, parse Rsp = (r1 , t0 , e0 ) and check:
                                                                      ?
                                                                c0 = Com(r1 , G(t0 , r1 ) + e0 )
                                                                                    ?
                                                                                c1 = Com(t0 , e0 )
Outline          Preliminary   MQ-Based Identification Scheme              Further Schemes       Appendix




3-Pass Protocol
          Protocol




                                         If Ch = 0, parse Rsp = (r0 , t1 , e1 ) and check:
                                                                  ?
                                                               c1 = Com(r0 − t1 , F(r0 ) − e1 )
                                                                                    ?
                                                                       c2 = Com(t1 , e1 )
                                         If Ch = 1, parse Rsp = (r1 , t1 , e1 ) and check:
                                                    ?
                                                c0 = Com(r1 , v − F(r1 ) − G(t1 , r1 ) − e1 )
                                                                                    ?
                                                                       c2 = Com(t1 , e1 )
                                         If Ch = 2, parse Rsp = (r1 , t0 , e0 ) and check:
                                                                      ?
                                                                c0 = Com(r1 , G(t0 , r1 ) + e0 )
                                                                                    ?
                                                                                c1 = Com(t0 , e0 )
3-Pass Protocol

          Completeness
          Peggy will always give the right answer to Victor, since she has
          sent (c0, c1, c2) and, once r0, t0 and e0 are set, there is no
          further randomness.

          Soundness
          $R_F = \{(v, x) \in \mathbb{F}_q^m \times \mathbb{F}_q^n : v = F(x)\}$

          Theorem. The 3-pass protocol is an argument of knowledge for $R_F$
          with knowledge error 2/3 when the commitment scheme Com is
          computationally binding. [5]
              After enough rounds, the probability of impersonation by
              Oscar is negligible.
3-Pass Protocol

          Zero-Knowledge
          Theorem. The 3-pass protocol is statistically zero-knowledge when
          the commitment scheme Com is statistically hiding. [5]
              Victor has access only to r0 or r1, t0 or t1, e0 or e1, which are
              completely random.

          Cut-and-choose
          The private key is split between a (t0, e0) part and a (t1, e1) part.
3-Pass Protocol

          Theoretical Security of the Protocol
              Victor needs almost as many rounds as the desired security
              level [2]

          Practical Security of the Keys
          For MQ(80, 84, $\mathbb{F}_2$), the best attack is the improved exhaustive
          search algorithm −→ $2^{88.7}$. [5][3]
3-Pass Protocol

          Efficiency
          Impersonation probability less than $2^{-30}$ [5]:
              Number of rounds −→ 52
              System parameter (bits) −→ 285,600 (reducible to a seed of
              128 bits)
              Public key (bits) −→ 80
              Secret key (bits) −→ 84
              Communication (bits) −→ 20,640
              Arithmetic ops. (times/field) −→ $2^{26}$ / $\mathbb{F}_2$
              Hash function (times) −→ 4
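The following is an added, runnable model of the 3-pass protocol described on the preceding slides (example code written for this page, not code from the talk or from [5]): Peggy's three commitments, Victor's checks for Ch = 0, 1, 2, an honest multi-round run, a demonstration of why a prover without s passes only two of the three challenges (the 2/3 knowledge error), and the round count that turns that error into the slides' 2^-30 bound. The field F_31 with n = 6 and m = 5 is a toy choice constructed here, and the hash-based Com stands in for the commitment scheme; all function and class names are this example's own.

```python
import hashlib
import math
import random

Q = 31  # toy prime field F_q, constructed for this example (the slides use F_2 with n = 84, m = 80)

def vadd(a, b): return [(u + w) % Q for u, w in zip(a, b)]
def vsub(a, b): return [(u - w) % Q for u, w in zip(a, b)]

def mq_system(n, m, rng):
    """Random MQ system F: F_q^n -> F_q^m, f_l(x) = sum_{i<=j} a_{l,i,j} x_i x_j + sum_i b_{l,i} x_i."""
    A = [[[rng.randrange(Q) if j >= i else 0 for j in range(n)] for i in range(n)] for _ in range(m)]
    B = [[rng.randrange(Q) for _ in range(n)] for _ in range(m)]
    return A, B

def F(system, x):
    A, B = system
    out = []
    for Al, bl in zip(A, B):
        acc = sum(bl[i] * x[i] for i in range(len(x)))
        acc += sum(Al[i][j] * x[i] * x[j] for i in range(len(x)) for j in range(i, len(x)))
        out.append(acc % Q)
    return out

def G(system, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y); bilinear because F has no constant term."""
    return vsub(vsub(F(system, vadd(x, y)), F(system, x)), F(system, y))

def com(*vectors):
    """Com(.) modelled as SHA-256 of the encoded tuple (Q < 256, so one byte per element);
    a deployable Com would add fresh randomness so that it is hiding, as the ZK theorem needs."""
    return hashlib.sha256(b"|".join(bytes(v) for v in vectors)).hexdigest()

class Prover:
    """Peggy: knows s with F(s) = v and splits it exactly as on the 3-pass protocol slides."""
    def __init__(self, system, s, rng):
        self.system, self.s, self.rng = system, s, rng
    def commit(self):
        sys_, n, m = self.system, len(self.s), len(self.system[0])
        self.r0 = [self.rng.randrange(Q) for _ in range(n)]
        self.t0 = [self.rng.randrange(Q) for _ in range(n)]
        self.e0 = [self.rng.randrange(Q) for _ in range(m)]
        self.r1 = vsub(self.s, self.r0)             # s     = r0 + r1
        self.t1 = vsub(self.r0, self.t0)            # r0    = t0 + t1
        self.e1 = vsub(F(sys_, self.r0), self.e0)   # F(r0) = e0 + e1
        c0 = com(self.r1, vadd(G(sys_, self.t0, self.r1), self.e0))
        c1 = com(self.t0, self.e0)
        c2 = com(self.t1, self.e1)
        return c0, c1, c2
    def respond(self, ch):
        return {0: (self.r0, self.t1, self.e1),
                1: (self.r1, self.t1, self.e1),
                2: (self.r1, self.t0, self.e0)}[ch]

def verify(system, v, coms, ch, rsp):
    """Victor's checks for Ch = 0, 1, 2, as listed on the slides."""
    c0, c1, c2 = coms
    if ch == 0:
        r0, t1, e1 = rsp                            # r0 - t1 = t0 and F(r0) - e1 = e0
        return c1 == com(vsub(r0, t1), vsub(F(system, r0), e1)) and c2 == com(t1, e1)
    if ch == 1:
        r1, t1, e1 = rsp                            # v - F(r1) - G(t1, r1) - e1 = G(t0, r1) + e0 iff F(r0 + r1) = v
        lhs = vsub(vsub(vsub(v, F(system, r1)), G(system, t1, r1)), e1)
        return c0 == com(r1, lhs) and c2 == com(t1, e1)
    if ch == 2:
        r1, t0, e0 = rsp
        return c0 == com(r1, vadd(G(system, t0, r1), e0)) and c1 == com(t0, e0)
    raise ValueError("Ch must be 0, 1 or 2")

def honest_run(rounds=20, n=6, m=5, seed=1):
    """Sequential repetition with an honest Peggy: every round verifies (completeness)."""
    rng = random.Random(seed)                   # seeded for reproducibility; real keys need a CSPRNG
    system = mq_system(n, m, rng)
    s = [rng.randrange(Q) for _ in range(n)]    # secret key
    v = F(system, s)                            # public key
    peggy = Prover(system, s, rng)
    for _ in range(rounds):
        coms = peggy.commit()
        ch = rng.randrange(3)                   # Victor's challenge
        if not verify(system, v, coms, ch, peggy.respond(ch)):
            return False
    return True

def wrong_secret_outcomes(n=6, m=5, seed=2):
    """Why the knowledge error is 2/3: a prover holding an unrelated s' makes commitments that are
    internally consistent, so Ch = 0 and Ch = 2 still verify; only Ch = 1, which involves v, fails."""
    rng = random.Random(seed)
    system = mq_system(n, m, rng)
    v = F(system, [rng.randrange(Q) for _ in range(n)])
    fake = [rng.randrange(Q) for _ in range(n)]
    while F(system, fake) == v:                 # make sure the guess really is wrong
        fake = [rng.randrange(Q) for _ in range(n)]
    impostor = Prover(system, fake, rng)
    return {ch: verify(system, v, impostor.commit(), ch, impostor.respond(ch)) for ch in (0, 1, 2)}

def rounds_for(bits, knowledge_error=2 / 3):
    """Smallest N with (2/3)^N <= 2^-bits; bits = 30 gives the 52 rounds of the Efficiency slide."""
    return math.ceil(bits / -math.log2(knowledge_error))
```

`wrong_secret_outcomes()` returns `{0: True, 1: False, 2: True}`, which is the per-round picture behind the 2/3 knowledge error, and `rounds_for(30)` reproduces the 52 rounds of the table above.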
Implementation
3-Pass Parallel version

          Features
              Requires only one round instead of multiple rounds
              Still secure against an active attacker
5-Pass Protocol

          Features
          Different cuts, i.e., $\alpha r_0 = t_0 + t_1$ and $\alpha F(r_0) = e_0 + e_1$, with
          $\alpha \in \mathbb{F}_q$ chosen by Victor.
              Victor makes a challenge Ch ∈ {0, 1} and Peggy reveals
              (r0, t1, e1) or (r1, t1, e1)
              For q = 2, Oscar has a higher chance to win a round than in the
              3-pass scheme
              Larger system parameter for the same level of security
              Larger key sizes for the same level of security
              More efficient
MC 3,5-pass protocol

          MC Function
          Given $x \in \mathbb{F}_q^n$, a function $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$ is defined as:

          $f_l(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} \sum_{k=j}^{n} a_{l,i,j,k}\, x_i x_j x_k + \sum_{i=1}^{n} \sum_{j=i}^{n} b_{l,i,j}\, x_i x_j + \sum_{i=0}^{n} c_{l,i}\, x_i$

          An MC function, $F_{MC} : \mathbb{F}_q^n \to \mathbb{F}_q^m$, is then defined as:

          $F_{MC}(x) = (f_1, \ldots, f_m)$

          Polar Form
          The mapping $(x, y) \mapsto F_{MC}(x + y) - F_{MC}(x) - F_{MC}(y)$ is no longer
          bilinear.
          Definition of a linear-in-one-argument (LOA) form of $F_{MC}$:

          $G_{MC}(x, y) - G_{MC}(y, x) = F_{MC}(x + y) - F_{MC}(x) - F_{MC}(y)$
MC 3,5-pass protocol [1]
          3-pass Protocol
              Same key sizes
              More rounds
              System parameter almost 30 times bigger
              Almost 80% more bits to transmit
              Less efficient
              Hash function (times) −→ 4

          5-pass Protocol
              Smaller key sizes (88/132 bits against 120/180 bits)
              System parameter almost 4.5 times bigger
              Almost 80% more bits to transmit
              Less efficient
MC 3,5-pass protocol

          ZK (3)
          Introduce new variables $X_{ij} = x_i x_j$ ($1 \le i \le j \le n$) next to the
          $x_i$ in order to get:

          $f_l(x) = \sum_{1 \le i \le j \le k \le n} a_{l,i,j,k}\, X_{ij} x_k + \sum_{1 \le i \le j \le n} b_{l,i,j}\, X_{ij} + \sum_{i=1}^{n} c_{l,i}\, x_i$

          Features
              Larger public key
              More communication bits
              Lower number of communications
MP 3,5-pass protocol
          MP function
          Given $x \in \mathbb{F}_q^n$, a function of degree d, $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$, is defined as:

          $f_l(x) = \sum_{1 \le i_1 \le \cdots \le i_d \le n} a_{l,i_1,\ldots,i_d}\, x_{i_1} \cdots x_{i_d} + \sum_{1 \le i_1 \le \cdots \le i_{d-1} \le n} a_{l,i_1,\ldots,i_{d-1}}\, x_{i_1} \cdots x_{i_{d-1}} + \cdots + \sum_{1 \le i_1 \le n} a_{l,i_1}\, x_{i_1}$

          An MP function, $F_{MP} : \mathbb{F}_q^n \to \mathbb{F}_q^m$, is then defined as:

          $F_{MP}(x) = (f_1, \ldots, f_m)$

          Polar Form

          $G_{MP}(r_0, r_1, \ldots, r_{d-1}) = \sum_{i=1}^{d} (-1)^{d-1} \sum_{S \subset \{0,\ldots,d-1\},\ |S| = i} F_{MP}\Big(\sum_{j \in S} r_j\Big)$
MP 3,5-pass protocol [4]

          Features
              Generalization of the MQ (d = 2) and MC (d = 3) schemes to polynomials of arbitrary degree d
              No practical advantage over the quadratic (MQ) scheme
The End

          That's it! Questions? Remarks?
Bibliography

          References

          [1] Public-key identification schemes based on multivariate cubic polynomials. In PKC, pages 172–189, 2012.
          [2] Mihir Bellare and Oded Goldreich. On defining proofs of knowledge. Pages 390–420. Springer-Verlag, 1998.
          [3] Charles Bouillaguet, Hsieh-Chung Chen, Chen-Mou Cheng, Tung Chou, Ruben Niederhagen, Adi Shamir, and Bo-Yin Yang. Fast exhaustive search for polynomial systems in F2. In Proceedings of the 12th International Conference on Cryptographic Hardware and Embedded Systems, CHES'10, pages 203–218, Berlin, Heidelberg, 2010. Springer-Verlag.
          [4] Valérie Nachef, Jacques Patarin, and Emmanuel Volte. Zero-knowledge for multivariate polynomials. IACR Cryptology ePrint Archive, 2012:239, 2012.
          [5] Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Public-key identification schemes based on multivariate quadratic polynomials. In CRYPTO, pages 706–723, 2011.
MQ 3-Pass Protocol (Completeness)

          Proof
          Recall Peggy's first pass (r_0, t_0 ∈_R F_q^n, e_0 ∈_R F_q^m):
$$ r_1 \leftarrow s - r_0, \qquad t_1 \leftarrow r_0 - t_0, \qquad e_1 \leftarrow F(r_0) - e_0 $$
$$ c_0 \leftarrow \mathrm{Com}(r_1,\, G(t_0, r_1) + e_0), \qquad c_1 \leftarrow \mathrm{Com}(t_0, e_0), \qquad c_2 \leftarrow \mathrm{Com}(t_1, e_1) $$
          Completeness means that, for each challenge, the two commitments Victor recomputes from Rsp equal the ones he received. Below, $\overset{\Delta}{=}$ marks a step that substitutes one of these definitions.
MQ 3-Pass Protocol (Completeness)

          Proof
          If Ch = 0, Victor receives Rsp = (r_0, t_1, e_1) and recomputes c_1 = Com(r_0 − t_1, F(r_0) − e_1) and c_2 = Com(t_1, e_1). The arguments are exactly the committed ones, since
$$ r_0 - t_1 \overset{\Delta}{=} t_0, \qquad F(r_0) - e_1 \overset{\Delta}{=} e_0 $$
          (note that r_0 − t_1 is t_0, not r_1).
MQ 3-Pass Protocol (Completeness)

          Proof
          If Ch = 1, Victor receives Rsp = (r_1, t_1, e_1) and recomputes c_0 = Com(r_1, v − F(r_1) − G(t_1, r_1) − e_1) and c_2 = Com(t_1, e_1). The committed second argument of c_0 satisfies
$$\begin{aligned}
G(t_0, r_1) + e_0 &= G(r_0 - t_1, r_1) + e_0 \\
&= G(r_0, r_1) - G(t_1, r_1) + e_0 \\
&= F(r_0 + r_1) - F(r_0) - F(r_1) - G(t_1, r_1) + e_0 \\
&\overset{\Delta}{=} v - F(r_1) - G(t_1, r_1) - e_1
\end{aligned}$$
          using bilinearity of G in the second step and r_0 + r_1 = s, F(s) = v, e_1 = F(r_0) − e_0 in the last.
MQ 3-Pass Protocol (Completeness)

          Proof
          If Ch = 2, Victor receives Rsp = (r_1, t_0, e_0), which are exactly the values committed in c_0 and c_1; he recomputes Com(r_1, G(t_0, r_1) + e_0) and Com(t_0, e_0) directly, so nothing remains to be shown.
MQ 3-Pass Protocol (Soundness)

          Proof
          Say that Oscar takes F and v (but not s) and tries to fool Victor in order to impersonate Peggy. Let Ch* ∈ {0, 1, 2} be Oscar's prediction of which value Victor is not going to choose. Primed values below are Oscar's own.
MQ 3-Pass Protocol (Soundness)

          Proof
          Commitments preparation:
          Oscar takes at random s', r_0', t_0' ∈_R F_q^n, e_0' ∈_R F_q^m (in general F(s') ≠ v)
          and computes r_1' ← s' − r_0' and t_1' ← r_0' − t_0'.
MQ 3-Pass Protocol (Soundness)

          Proof
          If Ch* = 0 (Oscar bets Victor will not send Ch = 0):
$$ e_1' \leftarrow v - F(s') + F(r_0') - e_0' $$
$$ c_0 \leftarrow \mathrm{Com}(r_1',\, G(t_0', r_1') + e_0'), \qquad c_1 \leftarrow \mathrm{Com}(t_0', e_0'), \qquad c_2 \leftarrow \mathrm{Com}(t_1', e_1') $$

          Note that if Ch = 1, the value Victor recomputes for c_0 is:
$$\begin{aligned}
v - F(r_1') - G(t_1', r_1') - e_1' &\overset{\Delta}{=} F(s') - F(r_0') - F(r_1') - G(t_1', r_1') + e_0' \\
&= G(r_0', r_1') - G(t_1', r_1') + e_0' \\
&= G(r_0' - t_1', r_1') + e_0' \\
&\overset{\Delta}{=} G(t_0', r_1') + e_0'
\end{aligned}$$
          so c_0 (and c_2) verify. If Ch = 2, the response (r_1', t_0', e_0') is exactly what c_0 and c_1 commit to.
MQ 3-Pass Protocol (Soundness)

          Proof
          If Ch* = 0 and Ch = 0, Victor recomputes c_1 from (r_0', t_1', e_1') as Com(r_0' − t_1', F(r_0') − e_1'), but
$$ F(r_0') - e_1' = F(r_0') - \big(v - F(s') + F(r_0') - e_0'\big) = e_0' + F(s') - v \neq e_0' $$
          whenever F(s') ≠ v. The recomputed pair differs from the committed (t_0', e_0'), and since Com is binding the check fails.
MQ 3-Pass Protocol (Soundness)

          Proof
          If Ch* = 1, Oscar simply runs Peggy's procedure on s':
$$ e_1' \leftarrow F(r_0') - e_0' $$
$$ c_0 \leftarrow \mathrm{Com}(r_1',\, G(t_0', r_1') + e_0'), \qquad c_1 \leftarrow \mathrm{Com}(t_0', e_0'), \qquad c_2 \leftarrow \mathrm{Com}(t_1', e_1') $$
          Ch = 0 and Ch = 2 then verify exactly as in the completeness proof, which never used F(s) = v for those two cases.
MQ 3-Pass Protocol (Soundness)

          Proof
          If Ch* = 1 and Ch = 1, Victor recomputes c_0 from (r_1', t_1', e_1'):
$$\begin{aligned}
v - F(r_1') - G(t_1', r_1') - e_1' &\overset{\Delta}{=} v - F(r_1') - G(t_1', r_1') - F(r_0') + e_0' \\
&= v - F(s') + G(t_0', r_1') + e_0' \\
&\neq G(t_0', r_1') + e_0'
\end{aligned}$$
          using F(s') = F(r_0') + F(r_1') + G(t_0', r_1') + G(t_1', r_1') in the second step; the check fails whenever F(s') ≠ v.
MQ 3-Pass Protocol (Soundness)

          Proof
          If Ch* = 2, Oscar commits in c_0 to the value Victor will recompute for Ch = 1:
$$ e_1' \leftarrow F(r_0') - e_0' $$
$$ c_0 \leftarrow \mathrm{Com}(r_1',\, v - F(r_1') - G(t_1', r_1') - e_1'), \qquad c_1 \leftarrow \mathrm{Com}(t_0', e_0'), \qquad c_2 \leftarrow \mathrm{Com}(t_1', e_1') $$
          Ch = 1 then verifies by construction, and Ch = 0 only involves c_1 and c_2, which are formed honestly from (t_0', e_0', t_1', e_1').
MQ 3-Pass Protocol (Soundness)

          Proof
          If Ch* = 2 and Ch = 2, Victor recomputes c_0 as Com(r_1', G(t_0', r_1') + e_0'), but the value Oscar actually committed differs from that argument by
$$ \big(G(t_0', r_1') + e_0'\big) - \big(v - F(r_1') - G(t_1', r_1') - e_1'\big) = F(s') - v \neq 0 $$
          so, Com being binding, the check fails whenever F(s') ≠ v.
MQ 3-Pass Protocol (Soundness)

          Proof
          Conclusion: for any fixed first message, an impersonator who does not know s can answer at most two of the three challenges, so the knowledge error of one round is 2/3. Repeating the protocol N times with fresh randomness reduces an impersonator's success probability to (2/3)^N.
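The completeness and soundness arguments above can be exercised directly. The following is an added example, not code from the talk or from [5]: it simulates the 3-pass protocol over a small F_q with Peggy's honest first pass and with each of Oscar's three strategies (Ch* = 0, 1, 2) for a guessed s' with F(s') ≠ v, then reports which challenges Victor would accept for one fixed first message. Com is modelled here as SHA-256 over the committed vectors and a 16-byte random string; that, the function names and the toy parameters (q = 31, n = m = 6) are assumptions of this example, not the commitment scheme or parameters of the paper.

```python
"""MQ 3-pass identification [5]: Peggy's honest run and Oscar's three cheating
strategies from the soundness proof, simulated over a small F_q.
Added illustration, not code from the talk or from [5]. Com is modelled as
SHA-256 over the committed vectors and a 16-byte random string (an assumption
of this example, not the commitment scheme of the paper)."""
import hashlib
import itertools
import random

def random_mq(n, m, q, rng):
    """Random MQ(n, m, F_q): f_l = sum_{i<=j} a_{l,i,j} x_i x_j + sum_i b_{l,i} x_i."""
    return [{mono: rng.randrange(q) for k in (2, 1)
             for mono in itertools.combinations_with_replacement(range(n), k)}
            for _ in range(m)]

def F(polys, x, q):
    out = []
    for coeffs in polys:
        acc = 0
        for mono, a in coeffs.items():
            term = a
            for i in mono:
                term = term * x[i] % q
            acc = (acc + term) % q
        out.append(acc)
    return out

def add(u, v, q): return [(a + b) % q for a, b in zip(u, v)]
def sub(u, v, q): return [(a - b) % q for a, b in zip(u, v)]

def G(polys, x, y, q):
    """Polar form G(x, y) = F(x+y) - F(x) - F(y), bilinear."""
    return sub(sub(F(polys, add(x, y, q), q), F(polys, x, q), q), F(polys, y, q), q)

def com(a, b, rho):
    """Stand-in for Com((a, b); rho)."""
    return hashlib.sha256(repr((a, b)).encode() + rho).hexdigest()

def commit(polys, s, q, rng, v=None, ch_star=None):
    """First pass. ch_star=None: Peggy with secret key s. ch_star in {0,1,2}:
    Oscar with an arbitrary guess s' (F(s') != v in general) betting that
    Victor will not send Ch = ch_star."""
    n, m = len(s), len(polys)
    r0 = [rng.randrange(q) for _ in range(n)]
    t0 = [rng.randrange(q) for _ in range(n)]
    e0 = [rng.randrange(q) for _ in range(m)]
    r1, t1 = sub(s, r0, q), sub(r0, t0, q)
    if ch_star == 0:   # e1' <- v - F(s') + F(r0') - e0', so the Ch = 1 check passes
        e1 = sub(add(sub(v, F(polys, s, q), q), F(polys, r0, q), q), e0, q)
    else:
        e1 = sub(F(polys, r0, q), e0, q)
    if ch_star == 2:   # c0 commits to what Victor recomputes for Ch = 1
        c0_val = sub(sub(sub(v, F(polys, r1, q), q), G(polys, t1, r1, q), q), e1, q)
    else:
        c0_val = add(G(polys, t0, r1, q), e0, q)
    rhos = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(3)]
    coms = (com(r1, c0_val, rhos[0]), com(t0, e0, rhos[1]), com(t1, e1, rhos[2]))
    return coms, dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1, rhos=rhos)

def respond(state, ch):
    """Third pass: the shares for Ch plus the openings Victor needs."""
    rh = state["rhos"]
    if ch == 0:
        return state["r0"], state["t1"], state["e1"], rh[1], rh[2]
    if ch == 1:
        return state["r1"], state["t1"], state["e1"], rh[0], rh[2]
    return state["r1"], state["t0"], state["e0"], rh[0], rh[1]

def verify(polys, v, q, coms, ch, rsp):
    """Victor recomputes two of the three commitments and compares."""
    c0, c1, c2 = coms
    if ch == 0:
        r0, t1, e1, p1, p2 = rsp
        return (c1 == com(sub(r0, t1, q), sub(F(polys, r0, q), e1, q), p1)
                and c2 == com(t1, e1, p2))
    if ch == 1:
        r1, t1, e1, p0, p2 = rsp
        val = sub(sub(sub(v, F(polys, r1, q), q), G(polys, t1, r1, q), q), e1, q)
        return c0 == com(r1, val, p0) and c2 == com(t1, e1, p2)
    r1, t0, e0, p0, p1 = rsp
    return (c0 == com(r1, add(G(polys, t0, r1, q), e0, q), p0)
            and c1 == com(t0, e0, p1))

def accepted_challenges(polys, v, q, s, rng, ch_star=None):
    """Challenges Victor would accept for one fixed first-pass message."""
    coms, state = commit(polys, s, q, rng, v, ch_star)
    return {ch for ch in range(3) if verify(polys, v, q, coms, ch, respond(state, ch))}

def demo(seed=2012):
    """Peggy's accepted set and, for each Ch*, Oscar's accepted set."""
    rng = random.Random(seed)
    q, n, m = 31, 6, 6
    polys = random_mq(n, m, q, rng)
    s = [rng.randrange(q) for _ in range(n)]
    v = F(polys, s, q)
    s_fake = [rng.randrange(q) for _ in range(n)]
    assert F(polys, s_fake, q) != v   # a lucky preimage would not be cheating
    peggy = accepted_challenges(polys, v, q, s, rng)
    oscar = {c: accepted_challenges(polys, v, q, s_fake, rng, c) for c in range(3)}
    return peggy, oscar

if __name__ == "__main__":
    peggy, oscar = demo()
    print("Peggy answers", sorted(peggy), "; Oscar answers", {c: sorted(a) for c, a in oscar.items()})
```

Peggy's first message is accepted for all three challenges; each of Oscar's first messages is accepted for exactly the two challenges other than Ch*, which is the 2/3 knowledge error per round. Note that the openings (the random strings rho) travel with the response: in a real implementation Com must be statistically hiding, so the hash stand-in here is only adequate for the simulation, not for deployment.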
MQ 3-Pass Protocol (Zero Knowledge)

          Proof
          For each Ch_i (i ∈ {0, 1, 2}), Victor receives (c_0, c_1, c_2) and Rsp_i, from which he recomputes two of the three commitments during the protocol. Say that, for Rsp_i, c_j is the remaining (never opened) commitment. Also let C = r_0 if i = 0, otherwise C = t_1 + r_1, a vector obtained from Rsp_i. R is a random string indistinguishable from c_j.
MQ 3-Pass Protocol (Zero Knowledge)

          Proof
          The formal proof in [5] builds a simulator; the informal argument is this. Suppose that the scheme is not zero-knowledge. Then Victor is able to learn something either from the unopened commitment or from the responses.
              Commitments: Victor is able to learn from c_j.
              Responses: Victor is able to learn from C = s − r_1 if Ch = 0, otherwise from C = s − t_0.
          If Victor is able to learn from the unopened commitment, then Victor is also able to learn from R, since c_j and R are indistinguishable (Com is statistically hiding). But that is clearly absurd, because there is nothing to learn from R.
          If Victor is able to learn from the responses, then he is able to learn from s shifted by r_0 or by t_0, which are uniformly random and used once, so C is uniformly distributed and independent of s. But again that is clearly absurd.

Contenu connexe

En vedette

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

En vedette (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Public-Key Identification Schemes Based on Multivariate Polynomials

  • 1. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Public-Key Identification Schemes Based on Multivariate Polynomials Cassius Puodzius Technische Universit¨t Darmstadt a July 19, 2012
  • 2. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Outline Outline of the talk Preliminary Identification Schemes MQ Problem MQ-based Identification Scheme 3-pass Protocol Soundness Zero-Knowledge Parameters Implementation Further Schemes MQ 5-pass Protocol MC 3,5-pass Protocol MP 3,5-pass Protocol
  • 3. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Problem Peggy wants to prove Victor that she is actually Peggy. On the other hand, Victor wants to be sure that Oscar is not trying to impersonate Peggy. Protocol Peggy Victor
  • 4. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Challange-Response Challange: Victor prepares a challenge, which is solvable with the knowledge of some secret that belongs to Peggy. Response: Peggy sends back the challenge response to Victor.
  • 5. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Interactive Proof (Challenge) ←−
  • 6. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Interactive Proof (Response) −→
  • 7. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Interactive Proof (Challenge) ←− (Response) −→ Many times!
  • 8. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Completeness If the prover knows the secret, after the interaction, then Victor can trust that the prover is actually Peggy (with very high probability). Soundness If the prover is not Peggy, then he/she cannot fool Victor (with very high probability).
  • 9. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Completeness If the prover knows the secret, after the interaction, then Victor can trust that the prover is actually Peggy (with very high probability). Soundness If the prover is not Peggy, then he/she cannot fool Victor (with very high probability).
  • 10. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Quite good... but not enough! Could Victor prepare challenges in order to learn Peggy’s secret and be able to impersonate her in the future? Conformation In order to avoid Victor specifically crafted challenges, this step is replaced by: 1 Peggy chooses a bunch of challenge candidates and send them to Victor 2 Victor choose one of them and send it back to Peggy
  • 11. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Quite good... but not enough! Could Victor prepare challenges in order to learn Peggy’s secret and be able to impersonate her in the future? Conformation In order to avoid Victor specifically crafted challenges, this step is replaced by: 1 Peggy chooses a bunch of challenge candidates and send them to Victor 2 Victor choose one of them and send it back to Peggy
  • 12. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Identification Schemes Zero-Knowledge A interactive proof which grant no further information to the verifier beyond those he could get himself.
  • 13. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Cut-and-choose Cut-and-choose Paradigm Peggy divides her secret into shares and prove the knowledge of (some) them, according to the choice of Victor Moreover, Peggy does not reveal any share of the secret itself
  • 14. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix MQ Problem MQ Function Given x ∈ Fn , a function fl : Fn → Fq is defined as: q q fl (x) = Σn Σn al,i,j xi xj + Σn bl,i xi i=1 j=i i=1 A MQ Function, F : Fn → Fm , is then defined as: q q F (x) = (f1 , . . . , fm ) The family of MQ functions is denoted by MQ(n, m, Fq ). Polar Form G (x, y ) = F (x + y ) − F (x) − F (y ) G (x, y ) is bilinear.
  • 15. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix MQ Problem MQ Function Given x ∈ Fn , a function fl : Fn → Fq is defined as: q q fl (x) = Σn Σn al,i,j xi xj + Σn bl,i xi i=1 j=i i=1 A MQ Function, F : Fn → Fm , is then defined as: q q F (x) = (f1 , . . . , fm ) The family of MQ functions is denoted by MQ(n, m, Fq ). Polar Form G (x, y ) = F (x + y ) − F (x) − F (y ) G (x, y ) is bilinear.
  • 16. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix MQ Problem MQ Function Given x ∈ Fn , a function fl : Fn → Fq is defined as: q q fl (x) = Σn Σn al,i,j xi xj + Σn bl,i xi i=1 j=i i=1 A MQ Function, F : Fn → Fm , is then defined as: q q F (x) = (f1 , . . . , fm ) The family of MQ functions is denoted by MQ(n, m, Fq ). Polar Form G (x, y ) = F (x + y ) − F (x) − F (y ) G (x, y ) is bilinear.
  • 17. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix MQ Problem MQ Function Given x ∈ Fn , a function fl : Fn → Fq is defined as: q q fl (x) = Σn Σn al,i,j xi xj + Σn bl,i xi i=1 j=i i=1 A MQ Function, F : Fn → Fm , is then defined as: q q F (x) = (f1 , . . . , fm ) The family of MQ functions is denoted by MQ(n, m, Fq ). Polar Form G (x, y ) = F (x + y ) − F (x) − F (y ) G (x, y ) is bilinear.
  • 18. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix MQ Problem Multivariate Quadratic Polynomials over a Finite Field Given y = F (x), it is not feasible to get some x , such that F (x ) = y . Features of MQ functions There is no known quantum algorithm able to solve MQ problem Decision problem is know to be NP-complete General attack: Gr¨bner basis. Which is exponential in time o and memory (if m = Θ(n))
  • 19. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix MQ Problem Multivariate Quadratic Polynomials over a Finite Field Given y = F (x), it is not feasible to get some x , such that F (x ) = y . Features of MQ functions There is no known quantum algorithm able to solve MQ problem Decision problem is know to be NP-complete General attack: Gr¨bner basis. Which is exponential in time o and memory (if m = Θ(n))
  • 20. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix MQ Problem Multivariate Quadratic Polynomials over a Finite Field Given y = F (x), it is not feasible to get some x , such that F (x ) = y . Features of MQ functions There is no known quantum algorithm able to solve MQ problem Decision problem is know to be NP-complete General attack: Gr¨bner basis. Which is exponential in time o and memory (if m = Θ(n))
  • 21. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix MQ Problem Multivariate Quadratic Polynomials over a Finite Field Given y = F (x), it is not feasible to get some x , such that F (x ) = y . Features of MQ functions There is no known quantum algorithm able to solve MQ problem Decision problem is know to be NP-complete General attack: Gr¨bner basis. Which is exponential in time o and memory (if m = Θ(n))
  • 22. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix 3-Pass Protocol String Commitment Function 1 s is a fixed and ρ a is random string 2 c is statistically hiding and computationally binding String Commitment Scheme 1 Peggy computes c ← Com(s; ρ) and sends it to Victor 2 Peggy sends s and ρ to Victor, which verifies whether ? c = Com(s; ρ)
  • 23. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix 3-Pass Protocol String Commitment Function 1 s is a fixed and ρ a is random string 2 c is statistically hiding and computationally binding String Commitment Scheme 1 Peggy computes c ← Com(s; ρ) and sends it to Victor 2 Peggy sends s and ρ to Victor, which verifies whether ? c = Com(s; ρ)
  • 24. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix 3-Pass Protocol Statistically hiding No receiver is able to distinguish between Com(s1 ; ρ1 ) and Com(s2 ; ρ2 ) Computationally binding No sender is able to find in polynomial-time (s2 ; ρ2 ) such that Com(s1 ; ρ1 ) = Com(s2 ; ρ2 )
  • 25. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix 3-Pass Protocol Statistically hiding No receiver is able to distinguish between Com(s1 ; ρ1 ) and Com(s2 ; ρ2 ) Computationally binding No sender is able to find in polynomial-time (s2 ; ρ2 ) such that Com(s1 ; ρ1 ) = Com(s2 ; ρ2 )
  • 26. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix 3-Pass Protocol Setup Public known MQ(n, m, Fq ): n → input dimension m → number of equations Fq → chosen finite field Coefficients of MQ(n, m, Fq ) or a seed From Peggy: Secret key → s Public key → v = F(s) Victor’s Goal From MQ(n, m, Fq ) and v decide whether the prover is indeed Peggy.
  • 27. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix 3-Pass Protocol Setup Public known MQ(n, m, Fq ): n → input dimension m → number of equations Fq → chosen finite field Coefficients of MQ(n, m, Fq ) or a seed From Peggy: Secret key → s Public key → v = F(s) Victor’s Goal From MQ(n, m, Fq ) and v decide whether the prover is indeed Peggy.
  • 28. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix 3-Pass Protocol Setup Public known MQ(n, m, Fq ): n → input dimension m → number of equations Fq → chosen finite field Coefficients of MQ(n, m, Fq ) or a seed From Peggy: Secret key → s Public key → v = F(s) Victor’s Goal From MQ(n, m, Fq ) and v decide whether the prover is indeed Peggy.
  • 29. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 30. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 31. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 32. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 33. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 34. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 35. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 36. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 37. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
  • 38. Outline Preliminary MQ-Based Identification Scheme Further Schemes Appendix Why is G (x, y ) necessary? Cut technique Secret key s, Secret key v = F(s) First cuts: s = r0 + r1 v = F(r0 + r1 ) = F(r0 ) + F(r1 ) + G(r0 , r1 ) G(r0 , r1 ) still depends on r0 and r1 . Repeat cut for r0 = t0 + t1 and F(r0 ) = e0 + e1 v = F(r0 ) + F(r1 ) + G(t0 + t1 , r1 ) = e0 + e1 + F(r1 ) + G(t0 , r1 ) + G(t1 , r1 ) = (G(t0 , r1 ) + e0 ) + (F(r1 ) + G(t1 , r1 ) + e1 ) Shares depends directly either on (r1 , t0 , e0 ) or (r1 , t1 , e1 ).
• 39. 3-Pass Protocol, Protocol (Peggy's commitments): Pick $r_0, t_0 \in_R \mathbb{F}_q^n$, $e_0 \in_R \mathbb{F}_q^m$; $r_1 \leftarrow s - r_0$; $t_1 \leftarrow r_0 - t_0$; $e_1 \leftarrow F(r_0) - e_0$; $c_0 \leftarrow \mathrm{Com}(r_1, G(t_0, r_1) + e_0)$; $c_1 \leftarrow \mathrm{Com}(t_0, e_0)$; $c_2 \leftarrow \mathrm{Com}(t_1, e_1)$.
• 43. 3-Pass Protocol, Protocol: Peggy sends $(c_0, c_1, c_2) \longrightarrow$ Victor.
• 44. 3-Pass Protocol, Protocol: Victor picks $Ch \in_R \{0, 1, 2\}$.
• 45. 3-Pass Protocol, Protocol: Victor sends $Ch$ to Peggy ($\longleftarrow$).
• 46. 3-Pass Protocol, Protocol (Peggy's response): If $Ch = 0$, then $Rsp \leftarrow (r_0, t_1, e_1)$; if $Ch = 1$, then $Rsp \leftarrow (r_1, t_1, e_1)$; if $Ch = 2$, then $Rsp \leftarrow (r_1, t_0, e_0)$.
• 50. 3-Pass Protocol, Protocol: Peggy sends $Rsp \longrightarrow$ Victor.
• 51. 3-Pass Protocol, Protocol (Victor's checks): If $Ch = 0$, parse $Rsp = (r_0, t_1, e_1)$ and check $c_1 \stackrel{?}{=} \mathrm{Com}(r_0 - t_1, F(r_0) - e_1)$ and $c_2 \stackrel{?}{=} \mathrm{Com}(t_1, e_1)$. If $Ch = 1$, parse $Rsp = (r_1, t_1, e_1)$ and check $c_0 \stackrel{?}{=} \mathrm{Com}(r_1, v - F(r_1) - G(t_1, r_1) - e_1)$ and $c_2 \stackrel{?}{=} \mathrm{Com}(t_1, e_1)$. If $Ch = 2$, parse $Rsp = (r_1, t_0, e_0)$ and check $c_0 \stackrel{?}{=} \mathrm{Com}(r_1, G(t_0, r_1) + e_0)$ and $c_1 \stackrel{?}{=} \mathrm{Com}(t_0, e_0)$.
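The cut technique and the three checks above, as an added toy instance of the 3-pass protocol over $\mathbb{F}_2$ (example code, not from the slides or from [5]). It assumes a hash-based $\mathrm{Com}$: SHA-256 over a random 16-byte opening string and the two committed vectors, so the openings travel with the response; the sizes `N, M` and all function names are constructed for the example. It also checks the slide-35 recombination of the two shares, the bilinearity of $G$, and that $(2/3)^{52} \le 2^{-30}$.

```python
import hashlib
import math
import secrets

# Toy sizes (constructed); the slides' real instance is MQ(80, 84, F_2): m = 80, n = 84.
N, M = 8, 6

def rand_vec(length):
    """Uniformly random vector over F_2 as a list of 0/1 ints."""
    return [secrets.randbelow(2) for _ in range(length)]

def add(a, b):
    """Vector addition over F_2 (XOR); subtraction is the same operation."""
    return [x ^ y for x, y in zip(a, b)]

def gen_system(n=N, m=M):
    """System parameter: m random quadratic polynomials in n variables over F_2.
    Polynomial l is (A_l, b_l): f_l(x) = sum_{i<=j} A_l[i][j] x_i x_j + sum_i b_l[i] x_i."""
    return [([[secrets.randbelow(2) if j >= i else 0 for j in range(n)]
              for i in range(n)], rand_vec(n)) for _ in range(m)]

def F(system, x):
    """Evaluate the MQ map F: F_2^n -> F_2^m at x."""
    out = []
    for A, b in system:
        acc = 0
        for i, xi in enumerate(x):
            if xi:
                acc ^= b[i]
                for j in range(i, len(x)):
                    acc ^= A[i][j] & x[j]
        out.append(acc)
    return out

def G(system, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y); bilinear because F is quadratic."""
    return add(add(F(system, add(x, y)), F(system, x)), F(system, y))

def com(rho, a, b):
    """Assumed Com(a, b): SHA-256 over a 16-byte random opening rho and both vectors."""
    return hashlib.sha256(rho + bytes([len(a)]) + bytes(a) + bytes(b)).digest()

def keygen(system):
    """Secret key s, public key v = F(s)."""
    s = rand_vec(N)
    return s, F(system, s)

def prover_commit(system, s):
    """Pass 1: Peggy cuts s and F(r0) twice and commits to the resulting shares."""
    r0, t0, e0 = rand_vec(N), rand_vec(N), rand_vec(M)
    r1, t1, e1 = add(s, r0), add(r0, t0), add(F(system, r0), e0)
    rho = [secrets.token_bytes(16) for _ in range(3)]
    c = (com(rho[0], r1, add(G(system, t0, r1), e0)),
         com(rho[1], t0, e0),
         com(rho[2], t1, e1))
    return dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1, rho=rho), c

def prover_respond(st, ch):
    """Pass 3: reveal the shares for Ch plus the openings of the two checkable commitments."""
    if ch == 0:
        return st["r0"], st["t1"], st["e1"], st["rho"][1], st["rho"][2]
    if ch == 1:
        return st["r1"], st["t1"], st["e1"], st["rho"][0], st["rho"][2]
    return st["r1"], st["t0"], st["e0"], st["rho"][0], st["rho"][1]

def verify(system, v, c, ch, rsp):
    """Victor recomputes the two commitments that Rsp determines and compares them."""
    c0, c1, c2 = c
    x, y, z, rho_a, rho_b = rsp
    if ch == 0:   # Rsp = (r0, t1, e1): c1 = Com(r0 - t1, F(r0) - e1), c2 = Com(t1, e1)
        return c1 == com(rho_a, add(x, y), add(F(system, x), z)) and c2 == com(rho_b, y, z)
    if ch == 1:   # Rsp = (r1, t1, e1): c0 = Com(r1, v - F(r1) - G(t1, r1) - e1)
        w = add(add(add(v, F(system, x)), G(system, y, x)), z)
        return c0 == com(rho_a, x, w) and c2 == com(rho_b, y, z)
    # ch == 2, Rsp = (r1, t0, e0): c0 = Com(r1, G(t0, r1) + e0), c1 = Com(t0, e0)
    return c0 == com(rho_a, x, add(G(system, y, x), z)) and c1 == com(rho_b, y, z)

def run_round(system, s, v, ch):
    """One full round; the prover follows the protocol but may hold a key not matching v."""
    st, c = prover_commit(system, s)
    return verify(system, v, c, ch, prover_respond(st, ch))

def shares_recombine(system, st, v):
    """Slide-35 identity: v = (G(t0, r1) + e0) + (F(r1) + G(t1, r1) + e1)."""
    left = add(G(system, st["t0"], st["r1"]), st["e0"])
    right = add(add(F(system, st["r1"]), G(system, st["t1"], st["r1"])), st["e1"])
    return add(left, right) == v

def rounds_for(bound):
    """Rounds so that (2/3)^rounds <= bound; for 2^-30 this gives the slides' 52."""
    return math.ceil(-math.log2(bound) / math.log2(1.5))
```

A prover holding a key $s'$ with $F(s') \neq v$ still passes $Ch = 0$ and $Ch = 2$ (neither check involves $v$) but fails $Ch = 1$, which is exactly why a single round only gives knowledge error 2/3.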
• 58. 3-Pass Protocol, Completeness: Peggy will always give the right answer to Victor, since she has sent $(c_0, c_1, c_2)$ and, once $r_0$, $t_0$ and $e_0$ are set, there is no further randomness. Soundness: $R_F = \{(v, x) \in \mathbb{F}_q^m \times \mathbb{F}_q^n : v = F(x)\}$. Theorem. The 3-pass protocol is an argument of knowledge for $R_F$ with knowledge error 2/3 when the commitment scheme $\mathrm{Com}$ is computationally binding [5]. After enough rounds, the probability of impersonation by Oscar is negligible.
• 62. 3-Pass Protocol, Zero-Knowledge: Theorem. The 3-pass protocol is statistically zero-knowledge when the commitment scheme $\mathrm{Com}$ is statistically hiding [5]. Victor has access only to $r_0$ or $r_1$, $t_0$ or $t_1$, $e_0$ or $e_1$, which are completely random. Cut-and-choose: the private key is separated between the $(t_0, e_0)$ part and the $(t_1, e_1)$ part.
• 65. 3-Pass Protocol, Theoretical security of the protocol: Victor needs almost as many rounds as the desired security level [2]. Practical security of the keys: for MQ(80, 84, $\mathbb{F}_2$), the best attack is the improved exhaustive search algorithm $\longrightarrow 2^{88.7}$ [5][3].
• 69. 3-Pass Protocol, Efficiency (impersonation probability less than $2^{-30}$ [5]): Number of rounds $\longrightarrow$ 52; System parameter (bit) $\longrightarrow$ 285,600 (reducible to a seed of 128 bits); Public key (bit) $\longrightarrow$ 80; Secret key (bit) $\longrightarrow$ 84; Communication (bit) $\longrightarrow$ 20,640; Arithmetic ops. (times/field) $\longrightarrow 2^{26}$ / $\mathbb{F}_2$; Hash function (times) $\longrightarrow$ 4.
• 77. Implementation.
• 78. 3-Pass Parallel version, Features: Requires only one round, instead of multiple rounds. Still secure against an active attacker.
• 79. 5-Pass Protocol, Features: Different cuts, i.e., $\alpha r_0 = t_0 + t_1$ and $\alpha F(r_0) = e_0 + e_1$, with $\alpha \in \mathbb{F}_q$ chosen by Victor. Victor makes a challenge $Ch \in \{0, 1\}$ and Peggy reveals $(r_0, t_1, e_1)$ or $(r_1, t_1, e_1)$. For $q = 2$, Oscar has a higher chance to win a round than in the 3-pass scheme. Larger system parameter for the same level of security. Larger key sizes for the same level of security. More efficient.
• 85. MC 3,5-pass protocol, MC Function: Given $x \in \mathbb{F}_q^n$, a function $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$ is defined as $f_l(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} \sum_{k=j}^{n} a_{l,i,j,k}\, x_i x_j x_k + \sum_{i=1}^{n} \sum_{j=i}^{n} b_{l,i,j}\, x_i x_j + \sum_{i=1}^{n} c_{l,i}\, x_i$. An MC function $F_{MC} : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is then defined as $F_{MC}(x) = (f_1, \ldots, f_m)$. Polar form: the mapping $(x, y) \mapsto F_{MC}(x + y) - F_{MC}(x) - F_{MC}(y)$ is not bilinear anymore. Definition of a linear-in-one-argument (LOA) form of $F_{MC}$: $G_{MC}(x, y) - G_{MC}(y, x) = F_{MC}(x + y) - F_{MC}(x) - F_{MC}(y)$.
• 89. MC 3,5-pass protocol [1], compared with the MQ schemes. 3-pass protocol: same key sizes; more rounds; system parameter almost 30 times bigger; almost 80% more bits to transmit; less efficient; hash function (times) $\longrightarrow$ 4. 5-pass protocol: smaller key sizes (88/132 bits against 120/180 bits); system parameter almost 4.5 times bigger; almost 80% more bits to transmit; less efficient.
• 99. MC 3,5-pass protocol, ZK(3): Introduction of new variables $X_{ij} = x_i x_j$ ($1 \le i \le j \le n$) alongside $(x_i)$ in order to get $f_l(x) = \sum_{1 \le i \le j \le k \le n} a_{l,i,j,k}\, X_{ij} x_k + \sum_{1 \le i \le j \le n} b_{l,i,j}\, X_{ij} + \sum_{i=1}^{n} c_{l,i}\, x_i$. Features: larger public key; more communication bits; lower number of communications.
• 103. MP 3,5-pass protocol, MP function: Given $x \in \mathbb{F}_q^n$, a function of degree $d$, $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$, is defined as $f_l(x) = \sum_{1 \le i_1 \le \cdots \le i_d \le n} a_{l,i_1,\ldots,i_d}\, x_{i_1} \cdots x_{i_d} + \sum_{1 \le i_1 \le \cdots \le i_{d-1} \le n} a_{l,i_1,\ldots,i_{d-1}}\, x_{i_1} \cdots x_{i_{d-1}} + \cdots + \sum_{1 \le i_1 \le n} a_{l,i_1}\, x_{i_1}$. An MP function $F_{MP} : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is then defined as $F_{MP}(x) = (f_1, \ldots, f_m)$. Polar form: $G_{MP}(r_0, r_1, \ldots, r_{d-1}) = \sum_{i=1}^{d} (-1)^{d-i} \sum_{S \subset \{0, \ldots, d-1\},\ |S| = i} F_{MP}\big(\sum_{j \in S} r_j\big)$.
• 106. MP 3,5-pass protocol [4], Features: a generalization; no practical advantage.
• 107. The End. That's it! Questions? Remarks?
• 108. Bibliography, References:
[1] Koichi Sakumoto. Public-key identification schemes based on multivariate cubic polynomials. In PKC, pages 172–189, 2012.
[2] Mihir Bellare and Oded Goldreich. On defining proofs of knowledge. Pages 390–420. Springer-Verlag, 1998.
[3] Charles Bouillaguet, Hsieh-Chung Chen, Chen-Mou Cheng, Tung Chou, Ruben Niederhagen, Adi Shamir, and Bo-Yin Yang. Fast exhaustive search for polynomial systems in $\mathbb{F}_2$. In Proceedings of the 12th International Conference on Cryptographic Hardware and Embedded Systems, CHES '10, pages 203–218, Berlin, Heidelberg, 2010. Springer-Verlag.
[4] Valérie Nachef, Jacques Patarin, and Emmanuel Volte. Zero-knowledge for multivariate polynomials. IACR Cryptology ePrint Archive, 2012:239, 2012.
[5] Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Public-key identification schemes based on multivariate quadratic polynomials. In CRYPTO, pages 706–723, 2011.
• 109. MQ 3-Pass Protocol (Completeness), Proof: $r_1 \leftarrow s - r_0$, $t_1 \leftarrow r_0 - t_0$, $e_1 \leftarrow F(r_0) - e_0$; $c_0 \leftarrow \mathrm{Com}(r_1, G(t_0, r_1) + e_0)$, $c_1 \leftarrow \mathrm{Com}(t_0, e_0)$, $c_2 \leftarrow \mathrm{Com}(t_1, e_1)$.
• 110. MQ 3-Pass Protocol (Completeness), Proof: If $Ch = 0$: $r_0 - t_1 \stackrel{\Delta}{=} t_0$ and $F(r_0) - e_1 \stackrel{\Delta}{=} e_0$, by the definitions of $t_1$ and $e_1$, so Victor recomputes exactly $c_1$ and $c_2$.
• 111. MQ 3-Pass Protocol (Completeness), Proof: If $Ch = 1$: $G(t_0, r_1) + e_0 = G(r_0 - t_1, r_1) + e_0 = G(r_0, r_1) - G(t_1, r_1) + e_0 = F(r_0 + r_1) - F(r_0) - F(r_1) - G(t_1, r_1) + e_0 \stackrel{\Delta}{=} v - F(r_1) - G(t_1, r_1) - e_1$.
• 112. MQ 3-Pass Protocol (Completeness), Proof: If $Ch = 2$: the revealed $(r_1, t_0, e_0)$ are exactly the arguments of $c_0$ and $c_1$, so both checks hold immediately.
• 113. MQ 3-Pass Protocol (Soundness), Proof: Say that Oscar takes $F$ and $v$ and tries to fool Victor in order to impersonate Peggy. Let $Ch^* \in \{0, 1, 2\}$ be Oscar's prediction of which value Victor is not going to choose.
• 115. MQ 3-Pass Protocol (Soundness), Proof: Commitment preparation: Oscar takes at random $s', r'_0, t'_0 \in_R \mathbb{F}_q^n$, $e'_0 \in_R \mathbb{F}_q^m$ and computes $r'_1 \leftarrow s' - r'_0$ and $t'_1 \leftarrow r'_0 - t'_0$.
• 116. MQ 3-Pass Protocol (Soundness), Proof: If $Ch^* = 0$: $e'_1 \leftarrow v - F(s') + F(r'_0) - e'_0$; $c_0 \leftarrow \mathrm{Com}(r'_1, G(t'_0, r'_1) + e'_0)$; $c_1 \leftarrow \mathrm{Com}(t'_0, e'_0)$; $c_2 \leftarrow \mathrm{Com}(t'_1, e'_1)$. Note that if $Ch = 1$, then $v - F(r'_1) - G(t'_1, r'_1) - e'_1 \stackrel{\Delta}{=} -G(t'_1, r'_1) + G(r'_0, r'_1) + e'_0 = G(r'_0 - t'_1, r'_1) + e'_0 \stackrel{\Delta}{=} G(t'_0, r'_1) + e'_0$.
• 117. MQ 3-Pass Protocol (Soundness), Proof: If $Ch^* = 0$ and $Ch = 0$: $e'_1 = v - F(s') + F(r'_0) - e'_0 \neq F(r'_0) - e'_0$ (since $v \neq F(s')$), so the $c_1$ check fails.
• 118. MQ 3-Pass Protocol (Soundness), Proof: If $Ch^* = 1$: $e'_1 \leftarrow F(r'_0) - e'_0$; $c_0 \leftarrow \mathrm{Com}(r'_1, G(t'_0, r'_1) + e'_0)$; $c_1 \leftarrow \mathrm{Com}(t'_0, e'_0)$; $c_2 \leftarrow \mathrm{Com}(t'_1, e'_1)$.
• 119. MQ 3-Pass Protocol (Soundness), Proof: If $Ch^* = 1$ and $Ch = 1$: $v - F(r'_1) - G(t'_1, r'_1) - e'_1 \stackrel{\Delta}{=} v - F(r'_1) - G(t'_1, r'_1) - F(r'_0) + e'_0 \stackrel{\Delta}{=} v - F(s') + G(t'_0, r'_1) + e'_0 \neq G(t'_0, r'_1) + e'_0$, so the $c_0$ check fails.
• 120. MQ 3-Pass Protocol (Soundness), Proof: If $Ch^* = 2$: $e'_1 \leftarrow F(r'_0) - e'_0$; $c_0 \leftarrow \mathrm{Com}(r'_1, v - F(r'_1) - G(t'_1, r'_1) - e'_1)$; $c_1 \leftarrow \mathrm{Com}(t'_0, e'_0)$; $c_2 \leftarrow \mathrm{Com}(t'_1, e'_1)$.
• 121. MQ 3-Pass Protocol (Soundness), Proof: If $Ch^* = 2$ and $Ch = 2$: $G(t'_0, r'_1) + e'_0 \neq v - F(r'_1) - G(t'_1, r'_1) - e'_1 = v - F(s') + G(t'_0, r'_1) + e'_0$, so the $c_0$ check fails.
• 122. MQ 3-Pass Protocol (Soundness), Proof: Conclusion: knowledge error = 2/3.
• 123. MQ 3-Pass Protocol (Zero Knowledge), Proof: For each $Ch_i$ ($i \in \{0, 1, 2\}$), Victor receives $(c_0, c_1, c_2)$ and $Rsp_i$, from which he recomputes two of the commitments $(c_0, c_1, c_2)$ during the protocol. Say that for $Rsp_i$, $c_j$ is the remaining commitment. Also say that $C = r_0$ if $i = 0$, otherwise $C = t_1 + r_1$, a vector obtained from $Rsp_i$. $R$ is a random string indistinguishable from $c_j$.
• 124. MQ 3-Pass Protocol (Zero Knowledge), Proof: Suppose that the scheme is not zero-knowledge; then Victor is able to learn something from the set of challenges or from the responses. Challenges: Victor is able to learn from $c_j$. Responses: Victor is able to learn from $C = s - r_1$ if $Ch = 0$, otherwise $C = s - t_0$. If Victor is able to learn from the challenges, then Victor is also able to learn from $R$, since $c_j$ and $R$ are indistinguishable. But that is clearly absurd, because there is nothing to learn from $R$. If Victor is able to learn from the responses, then he is able to learn from $s$ and $r_0$ or $t_0$, which are truly random. But again this is clearly absurd.