Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 8 May 2018 doi:10.20944/preprints201805.0126.v1 Article A Zero-Knowledge Proof Based on a Multivariate Polynomial Reduction of the Graph Isomorphism Problem Edgar González Fernández 1,3,†,*, Guillermo Morales-Luna 1,† and Feliú Sagols Troncoso 2,† 1 Department of Computer Science, CINVESTAV-IPN, Av. IPN 2508, Gustavo A. Madero, San Pedro Zacatenco, 07360 Mexico City, Mexico; [email protected] (E.G.F.), [email protected] (G.M.L.) 2 Department of Mathematics, CINVESTAV-IPN, Av. IPN 2508, Gustavo A. Madero, San Pedro Zacatenco, 07360 Mexico City, Mexico; [email protected] 3 Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Universidad Complutense de Madrid (UCM), Calle Profesor José García Santesmases, 9, Ciudad Universitaria, Madrid 28040, Spain; [email protected] * Correspondence: [email protected]; Tel.: +34 913 947 649 † The authors contributed equally to this work. 1 Abstract: Zero-Knowledge Proofs ZKP provide a reliable option to verify that a claim is true without 2 giving detailed information other than the answer. A classical example is provided by the ZKP based 3 in the Graph Isomorphism problem (GI), where a prover must convince the verifier that he knows an 4 isomorphism between two isomorphic graphs without publishing the bijection. We design a novel 5 ZKP exploiting the NP-hard problem of finding the algebraic ideal of a multivariate polynomial 6 set, and consequently resistant to quantum computer attacks. Since this polynomial set is obtained 7 considering instances of GI, we guarantee that the protocol is at least as secure as the GI based 8 protocol. 9 Keywords: Graph Isomorphism Problem, Multivariate Polynomial System, Zero-Knowledge Proof 10 1. Introduction 11 First presented in [1] by Goldwasser, Micali and Rackoff, interactive proof systems are introduced 12 as a method that allows an entity (the prover) to prove the truth of a proposition to a second party (the 13 verifier) without releasing additional information. The parties involved interact in a challenge-response 14 process until the verifier is convinced that the prover’s claim is correct, or concludes that the claim is 15 false. This kind of proofs are commonly used in authentication and identification systems, allowing 16 an entity to prove ownership of a valid credential (ie, credit card number or password) without 17 transmitting or storing this information. 18 As for now, many of the authentication schemes used in the industry make use of protocols 19 based on PKI by means of digital certificates. A vast majority of these schemes are based on either the 20 factorization problem (RSA) or the DLP, both susceptible to quantum computer attacks. To address this 21 issue, we propose a ZKP whose security relies on MQ, known to be NP-hard, and GI, both resistant 22 against quantum computer attacks up to now. 23 Recently, suitable instances of MQ have been used for proposing novel PKC schemes, since 24 they are considered resistant to quantum computers attacks [2], a feature that popular cryptographic 25 algorithms, such as RSA, DSA and ECDSA, do not share. Frequently, algorithms for key generation in 26 MPKC involve two major phases: 27 • Private key generation. The private key consists of a set of polynomials F = f f1, ... , fmg such 28 that the problem of finding a common root is easy. © 2018 by the author(s). Distributed under a Creative Commons CC BY license. Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 8 May 2018 doi:10.20944/preprints201805.0126.v1 2 of 9 29 • Public key derivation. Starting with the private key F we create another set of polynomials 30 F = f f 1, ... , f ng. Finding a common root of the set F must be a computationally difficult task 31 since this set must be publicly exhibited without weakening the cryptosystem. 32 Public key is usually derived from the private key by performing compositions with affine 33 bijective transformations, say S1, S2, by performing F = S2 ◦ F ◦ S1. Consequently, S1 and S2 are also 34 kept secret, since they can be easily inverted, and are considered part of the private key. Many other 35 methods for public key generation are explained with detail in [3, 1.2]. 36 One of the first attempts to exploit multivariate polynomials in cryptography can be found in [4,5], 37 where a cipher system, known as the Matsumoto-Imai cryptosystem, is proposed but unfortunately 38 broken shortly after being published [6]. However, this effort set the basis for a number of other families 39 of cryptographic schemes, such as the Unbalanced Oil-Vinegar (UOV) [7], the Faugere’s Hidden Field 40 Equations (HFE) [8] and the Rainbow signature schemes [9]. A list of the most promising post-quantum 41 cryptographic algorithms can be found in [10]. 42 We may distinguish cryptanalytic attacks on multivariate schemes (and in public cryptosystems 43 in general) according to two main purposes: 44 • Attacks on ciphertext, where the primary goal is to get the plaintext from the ciphertext. These 45 attacks make use of polynomial system solvers such as the Buchberger Algorithm [11] to compute 46 Groebner bases. The algorithm must be executed each time a ciphertext is gathered. 47 • Attacks to recover the private key, consisting of the private set F and the affine transformations 48 S1, S2. Example of this algorithms are: High Rank, MinRank and Separation of Oil and 49 Vinegar [12](see Section [VI.5.4]). 50 The method we define in this work produces key pairs from an associated isomorphism between 51 a pair of graphs. The public key will consist of a system of polynomial equations. The private key will 52 consist of a solution to this system. We will show that finding this solution is at least as difficult as 53 finding an isomorphism between the associated graphs. At present, the fastest algorithm for solving 54 the GI problem runs in quasi-polynomial time [13], but an authentic prover will be able to provide a 55 solution efficiently. 56 The general layout of this paper is as follows. In Section2 some basic concepts as well as notation 57 necessary for the development of the zero-knowledge proof is introduced. Next, Section3 is appointed 58 to the construction of the polynomial sets arising from the GI problem as a reduction exercise. The 59 construction of the ZKP will be explained in4. Finally, in Section5 we exhibit evidence supporting the 60 viability of the algorithm by estimating the theoretic complexity of the polynomial set construction. 61 2. Mathematical Background 62 We recall the basic concepts needed to develop the translation from instances of the GI problem 63 in instances of the MQ problem. 64 2.1. Graphs (2) 65 A graph consists of a set V = fv1, ... , vng, the vertices and a subset E of V = fe ⊂ Vj #e = 2g, 66 the edges. The number of elements of V and E are known as the order and the size of G respectively. 67 We say that two vertices u1, u2 with u1 6= u2, are adjacent if they are joined by an edge. Similarly, two 68 different edges e1, e2 2 E are said to be adjacent if they are joined by a vertex. The complementary graph 0 0 0 0 (2) 69 G of G is defined as G = (V , E ) with V = V and E = fvivj 2 V jvivj 62 Eg. S 70 Whenever there exist two disjoint subsets V1, V2 of V such that V1 V2 = V and every edge has 71 vertices in both sets V1 and V2 the graph is called bipartite. Additionally, we say G is complete bipartite 72 provided that every vertex in V1 is connected to every vertex in V2 and vice versa. 73 Given a pair of graphs G = (U, D) an H = (V, E) a bijection f : U ! V that preserves edges 74 is an isomorphism between G and H. If such a bijection exists between G and H, they are said to be Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 8 May 2018 doi:10.20944/preprints201805.0126.v1 3 of 9 75 isomorphic and we denote it G ≈ H. Thus, we can define the GI problem as the task of finding one of 76 the possibly many isomorphisms between G and H or deciding that this bijection does not exist. 77 Finally, we define a matching as a subset M ⊆ E where no to edges e1, e2 2 M share a common 78 vertex. If every vertex of G is an extreme of some edge in M, then the matching is perfect. 79 2.2. Polynomial Idelas and Algebraic Sets 80 Let Fq be the finite field of q elements and R the ring of polynomials in n variables over Fq. An 81 ideal is a subset I ⊂ R such that for every f , g 2 I the sum f + g 2 I and for every f 2 I, h 2 R the 82 product h f 2 I. Then by considering a finite set F = f f1, ... , fmg ⊂ R we can define the ideal generated 83 by F as follows hFi = fh1 f1 + ... + hm fmjhi 2 R, i = 1, . , mg. 84 It can be seen without too much effort that a common root for the polynomials fi, i = 1, ... , m is n 85 also a root for any f 2 hFi. The zero-set of the ideal I consists of all the points (x1, ... , xn) 2 Fq such 86 that f (x1, ..