Hardness Evaluation of Solving MQ Problems

MQ Challenge: Hardness Evaluation of Solving MQ Problems

Takanori Yasuda (ISIT), Xavier Dahan (ISIT), Yun-Ju Huang (Kyushu Univ.), Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ., ISIT)

This work was supported by “Strategic Information and Communications R&D Promotion Programme (SCOPE), no. 0159-0091”, Ministry of Internal Affairs and Communications, Japan. The first author is supported by Grant-in-Aid for Young Scientists (B), Grant number 24740078. Fukuoka MQ challenge

MQ challenge started on April 1st.

https://www.mqchallenge.org/

ETSI Quantum Safe Workshop 2015/4/3 2 Why we need MQ challenge? • Several public key cryptosystems held contests which solve the associated basic mathematical problems. o RSA challenge(RSA Laboratories), ECC challenge(Certicom), Lattice challenge(TU Darmstadt) • Lattice challenge (http://www.latticechallenge.org/) o Target: Short vector problem o 2008 – now continued • Multivariate public-key cryptsystem (MPKC) also need to evaluate the current state-of-the-art in practical MQ problem solvers.

We planed to hold MQ challenge.

ETSI Quantum Safe Workshop 2015/4/3 3 Multivariate Public Key Cryptosystem (MPKC)

• Advantage o Candidate for post-quantum cryptography o Used for both encryption and signature schemes • Encryption: Simple Matrix scheme (ABC scheme), ZHFE scheme • Signature: UOV, Rainbow o Efficient encryption and decryption and signature generation and verification. • Problems o Exact estimate of security of MPKC schemes o Huge length of secret and public keys in comparison with RSA o New application and function

ETSI Quantum Safe Workshop 2015/4/3 4 MQ problem

MPKC are public key cryptosystems whose security depends on the difficulty in solving a system of multivariate quadratic polynomials with coefficients in a finite field .

MQ problem퐾 : find a solution of the system of multivariate equations: (1) (1) (1) f1(x1,..., xn ) = ∑ aij xi x j + ∑bi xi + c = d1 1≤i, j≤n 1≤i≤n (2) (2) (2) f2 (x1,..., xn ) = ∑ aij xi x j + ∑bi xi + c = d2 1≤i, j≤n 1≤i≤n  (m) (m) (m) fm (x1,..., xn ) = ∑ aij xi x j + ∑bi xi + c = dm 1≤i, j≤n 1≤i≤n It is believed that it is difficult to solve (general) MQ problem.

ETSI Quantum Safe Workshop 2015/4/3 5 MPKC Structure

Trapdoor one-way function

1. Choose a multivariate quadratic polynomial map whose inverse can be computed easily.

: Secret key 2. Choose two affine 푛 푚 transformations. 퐺 퐾 퐾 : Public key

3. Define a multivariate푛 polynomial map by the푚 composition of 퐹 퐾 and two affine transformations.퐾 ETSI Quantum Safe Workshop 퐹 2015/4/3 6 MPKC Encryption : : multivariate polynomial map 푛Vector space푚 Vector space 퐹 퐾 → 퐾 푛 푚 퐾 퐾 = ( ) 퐹 = ( ) −ퟏ 푷 푭 푪 Inverse function 푪 푭 푷

plain text cipher text −1 퐹 For any cipher text C, there must exist the corresponding plain text uniquely.

F is injective. . Ex. Simple Matrix scheme, ZHFE 푛 ≤ 푚 ETSI Quantum Safe Workshop 2015/4/3 7 MPKC Signature : : multivariate polynomial map 푛Vector space푚 Vector space 퐹 퐾 → 퐾 푛 푚 퐾 퐾 = ( ) 퐹 −ퟏ 푺 푭 푴 Inverse function 푴

Signature Message −1 퐹 For any message M, there must exist the corresponding signature.

F is surjective. . Ex. UOV, Rainbow

푛 ≥ 푚 ETSI Quantum Safe Workshop 2015/4/3 8 Encryption and Signature • Encryption o Simple matrix scheme(ABC scheme), ZHFE, .... o These encryption schemes use systems of = . QUAD stream cipher also uses systems of = . o 푚 2푛 • Signature 푚 2푛 o UOV, Rainbow,… o Rainbow is the multilayered UOV. o In Rainbow, parameters 1. are often used.

푛 ≒ 5푚 • In MPKC schemes, finite fields with small size are used. o Finite field with small size has an efficient arithmetic. o Binary field (2), binary extension field 2 , prime field (31). 8 퐺� 퐺� 퐺� ETSI Quantum Safe Workshop 2015/4/3 9 Systems of 6 types • We create sequences of MQ problems of 6 types.

Type Relation of Base field Target and I = (2) Encryption 푚 푛 II = 2 Encryption 푚 2푛 퐺� III = 318 Encryption 푚 2푛 퐺� IV 1, (2) Signature 푚 2푛 퐺� V 1, 2 Signature 푛 ≈ 5푚 퐺� VI 1, 318 Signature 푛 ≈ 5푚 퐺� 푛 ≈ 5푚 퐺�

ETSI Quantum Safe Workshop 2015/4/3 10 How to construct MQ problem (Type IV,V,VI) Signature Case ( . )

. . Expected number풏 of≈ solutionsퟏ ퟓퟓ of random system = 1 5푚−푚 0 5푚 ( ) ( ) ∶ 푞 푞 , … , = + + ( ) = ( ), (1) (1) , … , = + + (1) = (1), 푓1 푥1 푥푛 ∑1≤푖≤�≤푛 푎푖푖 푥푖푥� ∑1≤푖≤푛 푏푖푖 푥푖 푐 푑 2 2 2 2 2 1 푛 1≤푖≤�≤푛 푖푖 푖 � 1≤푖≤푛 푖푖 푖 푓 푥 푥 ∑ 푎 푥 푥 ∑ 푏 푥 푐 푑 ( ) ( ) , … , = ⋮+ + ( ) = ( ). ⋮ 푚 푚 푚 푚 푚 1 푛 1≤푖≤�≤푛 푖푖 푖 � 1≤푖≤푛 푖푖 푖 푓 푥 푥 ∑ 푎 푥• 푥 ∑ 푏 푥 푐 푑 Step 1: choose randomly all coefficients .

ETSI Quantum Safe Workshop 2015/4/3 11 How to construct MQ problem (Type I,II,III) Encryption Case ( = ) Existence probability of solution of random system 1/ � ퟐ� 푛 ( ) ( ) ( ) ( ) , … , = + + ∶ = 푞 , (1) (1) , … , = + + (1) = (1), 푓1 푥1 푥푛 ∑1≤푖≤�≤푛 푎푖푖 푥푖푥� ∑1≤푖≤푛 푏푖푖 푥푖 푐 푑 2 2 2 2 2 1 푛 1≤푖≤�≤푛 푖푖 푖 � 1≤푖≤푛 푖푖 푖 푓 푥 푥 ∑ 푎 푥 푥 ∑ 푏 푥 푐 푑 ( ) ( ) , … , = ⋮+ + ( ) = ( ). ⋮ 푚 • 푚 푚 푚 푚 1 푛 1≤푖≤�≤푛 푖 � 1≤푖≤푛 푖 Step 1: 푓 choose푥 randomly푥 ∑ blue푎푖푖 coefficients푥 푥 ∑ . 푏푖푖 푥 푐 푑 Step 2: choose randomly a solution = ( , … , ). Step 3: compute the red vector by evaluating polynomials at . 푣 푣1 푣푛

This system has at least one solution . 푣

푣 ETSI Quantum Safe Workshop 2015/4/3 12 Gröbner basis attack

A fundamental tool for solving MQ problem is Gröbner basis. Faugère proposed efficient algorithms as and to improve original algorithm[1][2].

퐹4 퐹5 Complexity for solving MQ problem [3]

+ ( 흎) 풏 풅풓풆풆 where < < ,퓞 and� ∙ is an invariant determined 풅풓𝒓 by the multivariate polynomial system. ퟐ 흎 ퟑ 풅풓𝒓

Reference: [1] Faugère, J.C., A New Efficient Algorithm for Computing Gröbner Bases (F4)", Journal of Pure and Applied Algebra, vol. 139, 1999. [2] Faugère, J.C., A New Efficient Algorithm for Computing Gröbner Bases (F5)", ISSAC, ACM press, 2002. [3] Bettale, L., Faugère, J.C. and Perret L., Hybrid approach for solving multivariate systems over finite fields", J. Math. Crypt. vol. 2, 2008.

ETSI Quantum Safe Workshop 2015/4/3 13 Experiments

• CPU: Intel(R) Xeon(R) CPU E5-4617, 2.90GHz, 6 cores • OS: Linux Mint 15 Olivia • RAM: 1TB • Platform: Magma V2.19-9

ETSI Quantum Safe Workshop 2015/4/3 14 Fukuoka MQ challenge

MQ challenge started on April 1st.

https://www.mqchallenge.org/

ETSI Quantum Safe Workshop 2015/4/3 15 First Answerer

ETSI Quantum Safe Workshop 2015/4/3 16 Conclusion

• We started MQ challenge which is a contest for solving MQ problem. o MQ Challenge Homepage. https://www.mqchallenge.org/

ETSI Quantum Safe Workshop 2015/4/3 17 PQCrypto 2016

• 2006 Leuven, 2008 Cincinnati, 2010 Darmstadt, 2011 Taipei, 2013 Limoges, 2014 Waterloo

• Seventh International Conference on Post-Quantum Cryptography February 24-26, 2016, Fukuoka, Japan https://pqcrypto2016.jp/

• Winter School February 22-23, 2016, Fukuoka, Japan

ETSI Quantum Safe Workshop 2015/4/3 18

Fukuoka, Japan

Venue: Kyushu University Nishijin Plaza

Airport

Venue

ETSI Quantum Safe Workshop 2015/4/3 19

Thank you for your attention.

ETSI Quantum Safe Workshop 2015/4/3 20