MQ Challenge: Hardness Evaluation of Solving MQ Problems Takanori Yasuda (ISIT), Xavier Dahan (ISIT), Yun-Ju Huang (Kyushu Univ.), Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ., ISIT) This work was supported by “Strategic Information and Communications R&D Promotion Programme (SCOPE), no. 0159-0091”, Ministry of Internal Affairs and Communications, Japan. The first author is supported by Grant-in-Aid for Young Scientists (B), Grant number 24740078. Fukuoka MQ challenge MQ challenge started on April 1st. https://www.mqchallenge.org/ ETSI Quantum Safe Workshop 2015/4/3 2 Why we need MQ challenge? • Several public key cryptosystems held contests which solve the associated basic mathematical problems. o RSA challenge(RSA Laboratories), ECC challenge(Certicom), Lattice challenge(TU Darmstadt) • Lattice challenge (http://www.latticechallenge.org/) o Target: Short vector problem o 2008 – now continued • Multivariate public-key cryptsystem (MPKC) also need to evaluate the current state-of-the-art in practical MQ problem solvers. We planed to hold MQ challenge. ETSI Quantum Safe Workshop 2015/4/3 3 Multivariate Public Key Cryptosystem (MPKC) • Advantage o Candidate for post-quantum cryptography o Used for both encryption and signature schemes • Encryption: Simple Matrix scheme (ABC scheme), ZHFE scheme • Signature: UOV, Rainbow o Efficient encryption and decryption and signature generation and verification. • Problems o Exact estimate of security of MPKC schemes o Huge length of secret and public keys in comparison with RSA o New application and function ETSI Quantum Safe Workshop 2015/4/3 4 MQ problem MPKC are public key cryptosystems whose security depends on the difficulty in solving a system of multivariate quadratic polynomials with coefficients in a finite field . MQ problem퐾 : find a solution of the system of multivariate equations: (1) (1) (1) f1(x1,..., xn ) = ∑ aij xi x j + ∑bi xi + c = d1 1≤i, j≤n 1≤i≤n (2) (2) (2) f2 (x1,..., xn ) = ∑ aij xi x j + ∑bi xi + c = d2 1≤i, j≤n 1≤i≤n (m) (m) (m) fm (x1,..., xn ) = ∑ aij xi x j + ∑bi xi + c = dm 1≤i, j≤n 1≤i≤n It is believed that it is difficult to solve (general) MQ problem. ETSI Quantum Safe Workshop 2015/4/3 5 MPKC Structure Trapdoor one-way function 1. Choose a multivariate quadratic polynomial map whose inverse can be computed easily. Secret key : 2. Choose two affine 푛 푚 transformations. 퐺 퐾 퐾 Public key : 3. Define a multivariate푛 polynomial map by the푚 composition of 퐹 퐾 and two affine transformations.퐾 ETSI Quantum Safe Workshop 퐹 2015/4/3 6 MPKC Encryption : : multivariate polynomial map 푛Vector space푚 Vector space 퐹 퐾 → 퐾 푛 푚 퐾 퐾 퐹 = ( ) = ( ) −ퟏ 푷 푭 푪 Inverse function 푪 푭 푷 plain text cipher text −1 퐹 For any cipher text C, there must exist the corresponding plain text uniquely. F is injective. Ex. Simple Matrix scheme, ZHFE 푛 ≤ 푚 ETSI Quantum Safe Workshop 2015/4/3 7 MPKC Signature : : multivariate polynomial map 푛Vector space푚 Vector space 퐹 퐾 → 퐾 푛 푚 퐾 퐾 퐹 = ( ) −ퟏ 푺 푭 푴 Inverse function 푴 Signature Message −1 퐹 For any message M, there must exist the corresponding signature. F is surjective. Ex. UOV, Rainbow 푛 ≥ 푚 ETSI Quantum Safe Workshop 2015/4/3 8 Encryption and Signature • Encryption o Simple matrix scheme(ABC scheme), ZHFE, .... o These encryption schemes use systems of = . QUAD stream cipher also uses systems of = . o 푚 2푛 • Signature 푚 2푛 o UOV, Rainbow,… o Rainbow is the multilayered UOV. o In Rainbow, parameters 1. are often used. 푛 ≒ 5푚 • In MPKC schemes, finite fields with small size are used. o Finite field with small size has an efficient arithmetic. o Binary field (2), binary extension field 2 , prime field (31). 8 퐺퐹 퐺퐹 퐺퐹 ETSI Quantum Safe Workshop 2015/4/3 9 Systems of 6 types • We create sequences of MQ problems of 6 types. Type Relation of Base field Target and I = (2) Encryption 푚 푛 II = 2 Encryption 푚 2푛 퐺퐹 III = 318 Encryption 푚 2푛 퐺퐹 IV 1, (2) Signature 푚 2푛 퐺퐹 V 1, 2 Signature 푛 ≈ 5푚 퐺퐹 VI 1, 318 Signature 푛 ≈ 5푚 퐺퐹 푛 ≈ 5푚 퐺퐹 ETSI Quantum Safe Workshop 2015/4/3 10 How to construct MQ problem (Type IV,V,VI) Signature Case ( . ) . Expected number풏 of≈ solutionsퟏ ퟓퟓ of random system = 1 5푚−푚 0 5푚 ( ) ( ) ∶ 푞 푞 , … , = + + ( ) = ( ), (1) (1) , … , = + + (1) = (1), 푓1 푥1 푥푛 ∑1≤푖≤푖≤푛 푎푖푖 푥푖푥푖 ∑1≤푖≤푛 푏푖푖 푥푖 푐 푑 2 2 2 2 푓2 푥1 푥푛 ∑1≤푖≤푖≤푛 푎푖푖 푥푖푥푖 ∑1≤푖≤푛 푏푖푖 푥푖 푐 푑 ( ) ( ) , … , = ⋮+ + ( ) = ( ). ⋮ 푚 푚 푚 푚 푚 1 푛 1≤푖≤푖≤푛 푖푖 푖 푖 1≤푖≤푛 푖푖 푖 푓 푥 푥 ∑ 푎 푥• 푥 ∑ 푏 푥 푐 푑 Step 1: choose randomly all coefficients . ETSI Quantum Safe Workshop 2015/4/3 11 How to construct MQ problem (Type I,II,III) Encryption Case ( = ) Existence probability of solution of random system 1/ ퟓ ퟐ풏 푛 ( ) ( ) ( ) ( ) , … , = + + ∶ = 푞 , (1) (1) , … , = + + (1) = (1), 푓1 푥1 푥푛 ∑1≤푖≤푖≤푛 푎푖푖 푥푖푥푖 ∑1≤푖≤푛 푏푖푖 푥푖 푐 푑 2 2 2 2 푓2 푥1 푥푛 ∑1≤푖≤푖≤푛 푎푖푖 푥푖푥푖 ∑1≤푖≤푛 푏푖푖 푥푖 푐 푑 ( ) ( ) , … , = ⋮+ + ( ) = ( ). ⋮ 푚 • 푚 푚 푚 푚 1 푛 1≤푖≤푖≤푛 푖 푖 1≤푖≤푛 푖 Step 1: 푓 choose푥 randomly푥 ∑ blue푎푖푖 coefficients푥 푥 ∑ . 푏푖푖 푥 푐 푑 Step 2: choose randomly a solution = ( , … , ). Step 3: compute the red vector by evaluating polynomials at . 푣 푣1 푣푛 This system has at least one solution . 푣 푣 ETSI Quantum Safe Workshop 2015/4/3 12 Gröbner basis attack A fundamental tool for solving MQ problem is Gröbner basis. Faugère proposed efficient algorithms as and to improve original algorithm[1][2]. 퐹4 퐹5 Complexity for solving MQ problem [3] + ( 흎) 풏 풅풓풆풆 where < < ,퓞 andퟓ ∙ is an invariant determined 풅풓 by the multivariate polynomial system. ퟐ 흎 ퟑ 풅풓 Reference: [1] Faugère, J.C., A New Efficient Algorithm for Computing Gröbner Bases (F4)", Journal of Pure and Applied Algebra, vol. 139, 1999. [2] Faugère, J.C., A New Efficient Algorithm for Computing Gröbner Bases (F5)", ISSAC, ACM press, 2002. [3] Bettale, L., Faugère, J.C. and Perret L., Hybrid approach for solving multivariate systems over finite fields", J. Math. Crypt. vol. 2, 2008. ETSI Quantum Safe Workshop 2015/4/3 13 Experiments • CPU: Intel(R) Xeon(R) CPU E5-4617, 2.90GHz, 6 cores • OS: Linux Mint 15 Olivia • RAM: 1TB • Platform: Magma V2.19-9 ETSI Quantum Safe Workshop 2015/4/3 14 Fukuoka MQ challenge MQ challenge started on April 1st. https://www.mqchallenge.org/ ETSI Quantum Safe Workshop 2015/4/3 15 First Answerer ETSI Quantum Safe Workshop 2015/4/3 16 Conclusion • We started MQ challenge which is a contest for solving MQ problem. o MQ Challenge Homepage. https://www.mqchallenge.org/ ETSI Quantum Safe Workshop 2015/4/3 17 PQCrypto 2016 • 2006 Leuven, 2008 Cincinnati, 2010 Darmstadt, 2011 Taipei, 2013 Limoges, 2014 Waterloo • Seventh International Conference on Post-Quantum Cryptography February 24-26, 2016, Fukuoka, Japan https://pqcrypto2016.jp/ • Winter School February 22-23, 2016, Fukuoka, Japan ETSI Quantum Safe Workshop 2015/4/3 18 Fukuoka, Japan Venue: Kyushu University Nishijin Plaza Airport Venue ETSI Quantum Safe Workshop 2015/4/3 19 Thank you for your attention. ETSI Quantum Safe Workshop 2015/4/3 20 .