multivariate signature scheme using quadratic forms
Post on 23-Mar-2016
Multivariate Signature Scheme using Quadratic Forms
Takanori Yasuda (ISIT)
Joint work with Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ.)
This work was partially supported by the Japan Science and Technology Agency (JST) Strategic Japanese-Indian Cooperative Programme for Multidisciplinary Research Fields, which aims to combine Information and Communications Technology with Other Fields. The first author is supported by Grant-in-Aid for Young Scientists (B), Grant number 24740078.
Contents
1. Multivariate Signature Schemes
2. Quadratic Forms
3. Multivariate System defined by Quadratic Forms
4. Application to Signature Scheme
5. Comparison with Rainbow
   1. Efficiency of Signature Generation
   2. Key Sizes
   3. Security
6. Conclusion
MPKC Signature
F: multivariate polynomial map
[Figure: F maps the vector space of signatures to the vector space of messages; the inverse function gives the signature $S = F^{-1}(M)$ of a message $M$]
For any message M, there must exist the corresponding signature.
F is surjective.
New Multivariate Polynomial Map
• We introduce a multivariate polynomial map that is not surjective, and apply it to a signature scheme.
Multivariate polynomial map
For a symmetric matrix A,
$G(X) = X \cdot A \cdot X^T$
where is a matrix of variables of size .
is a map which assigns a matrix to a matrix.
G can be regarded as a multivariate polynomial map.
$K^{r(r+1)/2}$
Questions
Is G applicable to signature scheme or not?
1. Can its inverse map be computed efficiently?
   Necessary to compute for a message M in order to generate a signature.
2. Is it surjective or not?
   For any message M, necessary to generate its signature.
Quadratic Forms
• Definition 1
  : Field with odd characteristic (or 0)
  : Natural number
  is a quadratic form for some symmetric matrix
• Definition 2
  , : quadratic forms associated to
  and are isometric for some
Translation of questions of in terms of quadratic form
• Equation
  $G(X) = X \cdot A \cdot X^T = B$ (: symmetric matrices)
• Restrict solution
  o Problem 1 For , , isometric each other, find a translation matrix efficiently.
  o Problem 2 For any , , determine whether and isometric or not?
How to compute the inverse map
Simple case: $A = I_r = \begin{pmatrix} 1 & & 0 \\ & \ddots & \\ 0 & & 1 \end{pmatrix}$
Problem 1 is equivalent to
Problem 1’: Find an orthonormal basis of with respect to .
Orthonormal basis: in
for for
Real field Case
• : real field
Gram-Schmidt orthonormalization provides an efficient algorithm to solve Problem 1’.
It uses special property of .
Fact: is anisotropic.
Definition: A quadratic form is anisotropic for any ,
We want to apply Gram-Schmidt orthonormalization technique to the case of finite fields.
Finite Field Case
Fact: Let be a finite field. Any quadratic form on () is not anisotropic.
We cannot apply Gram-Schmidt orthonormalization directly.
• However, we can extend Gram-Schmidt orthonormalization by inserting a step:
  If , then find another element such that .
Solve Problem 1
2-dimensional case (1)
Operation for Matrices of 2×2 is fundamental.
In this case, apply the usual GS orthonormalization.
2-dimensional case (2)
• There are two cases: or .
⇒ apply the usual GS-normalization.
2-dimensional case (3)
• We obtained
• There is a matrix such that .
This completes the Extended GS-normalization.
Problem 2
• Definition
  : quadratic form associated to .
  is nondegenerate det
Classification theorem: Any nondegenerate quadratic form is isometric to either or .
Classification Theorem
• For any (nondegenerate) message , either or has a solution.
• or is determined by det.
• or is not surjective.
• However, we can apply these maps to MPKC signature scheme.
Application to MPKC Signature Scheme
• Secret Key
, , ,
• Public Key
, , affine transformations
defined by , defined by ,
Signature Generation
For a symmetric matrix ,
• Step 1 Compute .
• Step 2 Apply the extended Gram-Schmidt orthonormalization to .
  o Find a solution of either
• Step 3 Compute or .
• Step 4 Compute .
or is a solution of or .
Property of Our Scheme
• Respective map or is not surjective.
• However, the union of images of these maps covers the whole space.
[Figure labels: K^n, K^m, G_1, G_δ, M]
For any M, there exists the corresponding signature.
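The classification theorem and the covering property above can be checked exhaustively on a toy instance. The following is an added example, not code from the slides: it assumes G_1 uses A = I_2 and G_δ uses A = diag(1, δ) with δ a non-square (the standard normal forms over a finite field of odd characteristic; the slides' own symbols are missing from this transcript), takes K = F_7 and r = 2 as constructed parameters, and inverts the central map by table lookup rather than by the extended Gram-Schmidt procedure.

```python
from itertools import product

P, DELTA = 7, 3   # constructed toy parameters: K = F_7, 3 is a non-square mod 7

def is_square(a, p=P):
    """Euler's criterion for a nonzero element of F_p."""
    return pow(a % p, (p - 1) // 2, p) == 1

def det2(B, p=P):
    return (B[0][0] * B[1][1] - B[0][1] * B[1][0]) % p

def G(X, d, p=P):
    """G_d(X) = X . diag(1, d) . X^T for a 2x2 matrix X over F_p."""
    (x1, x2), (x3, x4) = X
    off = (x1 * x3 + d * x2 * x4) % p
    return (((x1 * x1 + d * x2 * x2) % p, off),
            (off, (x3 * x3 + d * x4 * x4) % p))

def images(p=P, delta=DELTA):
    """Map each nondegenerate B in the image of G_1 / G_delta to one preimage X."""
    img = {1: {}, delta: {}}
    for x in product(range(p), repeat=4):
        X = (x[:2], x[2:])
        for d, table in img.items():
            B = G(X, d, p)
            if det2(B, p):
                table.setdefault(B, X)
    return img

def invert(B, img, p=P, delta=DELTA):
    """Pick the map from the square class of det B, then look up X with G_d(X) = B."""
    d = 1 if is_square(det2(B, p), p) else delta
    return d, img[d][B]

def union_covers(img, p=P, delta=DELTA):
    """Every nondegenerate symmetric B lies in exactly the image its det predicts."""
    for a, b, c in product(range(p), repeat=3):
        B = ((a, b), (b, c))
        if det2(B, p):
            sq = is_square(det2(B, p), p)
            if (B in img[1]) != sq or (B in img[delta]) == sq:
                return False
    return True

if __name__ == "__main__":
    img = images()
    print(len(img[1]), len(img[DELTA]), union_covers(img))
    print(invert(((1, 2), (2, 6)), img), invert(((1, 0), (0, 3)), img))
```

Neither image alone contains all nondegenerate symmetric matrices, but the two images are disjoint and together contain every one of them, so the square class of det B tells the signer which of the two maps to invert.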
Multivariate Polynomial Maps
• Surjective: Other Signature Schemes (Rainbow, UOV, HFE, MI)
• Not Surjective: Proposal
Security of Our Scheme
• There are several attacks on MPKC signature schemes which depend on the structure of the central map.
• For example, the UOV attack is an attack which transforms the public key into the form of the central map of the UOV scheme.
  o Central maps of UOV are surjective.
  o The public key of our scheme cannot be transformed into any surjective map.
• These attacks are not applicable against our scheme. (Other examples: Rainbow-band-separation attack, UOV-Reconciliation attack)
• However, attacks which are independent of the scheme, like direct attacks, are applicable to our scheme.
Comparison with Rainbow
Compared in the case that and are same for public key F :
• Equivalent with respect to cost of verification and public key length.
• Cost of signature generation (number of mult.)
  o Proposal
  o Rainbow
  ⇒ 8 or 9 times more efficient at the level of 88-bit security.
• Secret Key Size (number of elements of field)
  o Proposal
  o Rainbow
Conclusion
• We propose a new MPKC signature scheme using quadratic forms. The multivariate polynomial map used in the scheme is not surjective.
• Signature generation uses an extended Gram-Schmidt orthonormalization. It is 8 or 9 times more efficient than that of Rainbow at the level of 88-bit security.
Future Work
• Security analysis
• Application to encryption scheme