Public-Key Identification Schemes Based on Multivariate Polynomials

Seminar of Post-Quantum Cryptography at TU Darmstadt, supervised by Dr. Stanislav Bulygin.

Cassius Puodzius, Technische Universität Darmstadt. July 19, 2012.

Outline of the talk
  • Preliminary: Identification Schemes; MQ Problem
  • MQ-based Identification Scheme: 3-pass Protocol; Soundness; Zero-Knowledge; Parameters; Implementation
  • Further Schemes: MQ 5-pass Protocol; MC 3,5-pass Protocol; MP 3,5-pass Protocol
Identification Schemes
Problem: Peggy wants to prove to Victor that she is actually Peggy. Victor, in turn, wants to be sure that Oscar is not trying to impersonate Peggy.
Protocol: Peggy ↔ Victor

Challenge-Response
  • Challenge: Victor prepares a challenge that is solvable with knowledge of a secret belonging to Peggy.
  • Response: Peggy sends the response to the challenge back to Victor.
Interactive Proof
Victor → Peggy: (Challenge)
Peggy → Victor: (Response)
Repeated many times!
Completeness: If the prover knows the secret, then after the interaction Victor can trust that the prover is actually Peggy (with very high probability).
Soundness: If the prover is not Peggy (does not know the secret), then he or she cannot fool Victor (with very high probability).
Quite good... but not enough!
Could Victor craft his challenges so as to learn Peggy's secret and impersonate her in the future?
Commitment step: To prevent Victor from using specially crafted challenges, the challenge step is replaced by:
  1. Peggy chooses a set of challenge candidates and sends them to Victor
  2. Victor chooses one of them and sends it back to Peggy
Zero-Knowledge: An interactive proof that grants the verifier no information beyond what he could have computed himself.

Cut-and-choose Paradigm
Peggy divides her secret into shares and proves knowledge of some of them, according to Victor's choice. Moreover, what Peggy reveals never includes the secret itself.
MQ Problem: MQ Function
Given $x \in \mathbb{F}_q^n$, a function $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$ is defined as
$$f_l(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} a_{l,i,j}\, x_i x_j + \sum_{i=1}^{n} b_{l,i}\, x_i$$
An MQ function $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is then defined as $F(x) = (f_1(x), \ldots, f_m(x))$. The family of MQ functions is denoted by $\mathcal{MQ}(n, m, \mathbb{F}_q)$.
Polar Form: $G(x, y) = F(x + y) - F(x) - F(y)$. $G(x, y)$ is bilinear (the linear terms $b_{l,i} x_i$ cancel, and each quadratic term contributes $a_{l,i,j}(x_i y_j + y_i x_j)$).
MQ Problem: Multivariate Quadratic Polynomials over a Finite Field
Given $y = F(x)$, it is believed to be infeasible to find some $x'$ such that $F(x') = y$.
Features of MQ functions
  • There is no known quantum algorithm that solves the MQ problem efficiently
  • The decision problem is known to be NP-complete
  • General attack: Gröbner basis computation, which is exponential in time and memory (if $m = \Theta(n)$)
3-Pass Protocol: String Commitment Function
  1. $s$ is a fixed string and $\rho$ a random string
  2. $c = \mathrm{Com}(s; \rho)$ is statistically hiding and computationally binding
String Commitment Scheme
  1. Peggy computes $c \leftarrow \mathrm{Com}(s; \rho)$ and sends it to Victor
  2. Peggy later sends $s$ and $\rho$ to Victor, who verifies whether $c \stackrel{?}{=} \mathrm{Com}(s; \rho)$

Statistically hiding: No receiver is able to distinguish between $\mathrm{Com}(s_1; \rho_1)$ and $\mathrm{Com}(s_2; \rho_2)$ for random $\rho_1, \rho_2$, even with unbounded computation.
Computationally binding: No sender is able to find in polynomial time $(s_2; \rho_2)$ with $s_2 \neq s_1$ such that $\mathrm{Com}(s_1; \rho_1) = \mathrm{Com}(s_2; \rho_2)$.
3-Pass Protocol: Setup
Publicly known $\mathcal{MQ}(n, m, \mathbb{F}_q)$ instance:
  • $n$ → input dimension
  • $m$ → number of equations
  • $\mathbb{F}_q$ → chosen finite field
  • the coefficients of $F \in \mathcal{MQ}(n, m, \mathbb{F}_q)$, or a seed from which they are derived
From Peggy:
  • Secret key → $s$
  • Public key → $v = F(s)$
Victor's Goal: From $F$ and $v$, decide whether the prover is indeed Peggy.
Why is $G(x, y)$ necessary? Cut technique
Secret key $s$, public key $v = F(s)$.
First cut: $s = r_0 + r_1$
$$v = F(r_0 + r_1) = F(r_0) + F(r_1) + G(r_0, r_1)$$
$G(r_0, r_1)$ still depends on both $r_0$ and $r_1$, so no summand can be checked from one share alone.
Repeat the cut for $r_0 = t_0 + t_1$ and $F(r_0) = e_0 + e_1$; since $G$ is bilinear, $G(t_0 + t_1, r_1) = G(t_0, r_1) + G(t_1, r_1)$ and
$$v = F(r_0) + F(r_1) + G(t_0 + t_1, r_1) = e_0 + e_1 + F(r_1) + G(t_0, r_1) + G(t_1, r_1) = \big(G(t_0, r_1) + e_0\big) + \big(F(r_1) + G(t_1, r_1) + e_1\big)$$
Each share now depends only on $(r_1, t_0, e_0)$ or only on $(r_1, t_1, e_1)$.
3-Pass Protocol (pass 1, Peggy: commitments)
Pick $r_0, t_0 \in_R \mathbb{F}_q^n$, $e_0 \in_R \mathbb{F}_q^m$
$r_1 \leftarrow s - r_0$
$t_1 \leftarrow r_0 - t_0$
$e_1 \leftarrow F(r_0) - e_0$
$c_0 \leftarrow \mathrm{Com}(r_1, G(t_0, r_1) + e_0)$
$c_1 \leftarrow \mathrm{Com}(t_0, e_0)$
$c_2 \leftarrow \mathrm{Com}(t_1, e_1)$
Peggy → Victor: $(c_0, c_1, c_2)$

3-Pass Protocol (pass 2, Victor: challenge)
Pick $\mathrm{Ch} \in_R \{0, 1, 2\}$
Victor → Peggy: $\mathrm{Ch}$
3-Pass Protocol (pass 3, Peggy: response)
If $\mathrm{Ch} = 0$, then $\mathrm{Rsp} \leftarrow (r_0, t_1, e_1)$
If $\mathrm{Ch} = 1$, then $\mathrm{Rsp} \leftarrow (r_1, t_1, e_1)$
If $\mathrm{Ch} = 2$, then $\mathrm{Rsp} \leftarrow (r_1, t_0, e_0)$
Peggy → Victor: $\mathrm{Rsp}$
3-Pass Protocol (Victor: verification)
If $\mathrm{Ch} = 0$, parse $\mathrm{Rsp} = (r_0, t_1, e_1)$ and check:
  $c_1 \stackrel{?}{=} \mathrm{Com}(r_0 - t_1, F(r_0) - e_1)$
  $c_2 \stackrel{?}{=} \mathrm{Com}(t_1, e_1)$
If $\mathrm{Ch} = 1$, parse $\mathrm{Rsp} = (r_1, t_1, e_1)$ and check:
  $c_0 \stackrel{?}{=} \mathrm{Com}(r_1, v - F(r_1) - G(t_1, r_1) - e_1)$
  $c_2 \stackrel{?}{=} \mathrm{Com}(t_1, e_1)$
If $\mathrm{Ch} = 2$, parse $\mathrm{Rsp} = (r_1, t_0, e0)$ and check:
  $c_0 \stackrel{?}{=} \mathrm{Com}(r_1, G(t_0, r_1) + e_0)$
  $c_1 \stackrel{?}{=} \mathrm{Com}(t_0, e_0)$
Only the $\mathrm{Ch} = 1$ check involves the public key $v$.
3-Pass Protocol: Completeness
Peggy always gives an answer that Victor accepts: once $r_0$, $t_0$ and $e_0$ are fixed and $(c_0, c_1, c_2)$ has been sent there is no further randomness on her side, and each of the three checks holds by construction (e.g. $r_0 - t_1 = t_0$, $F(r_0) - e_1 = e_0$, and $v - F(r_1) - G(t_1, r_1) - e_1 = G(t_0, r_1) + e_0$ by the cut identity).
Soundness
$$R_F = \{(v, x) \in \mathbb{F}_q^m \times \mathbb{F}_q^n : v = F(x)\}$$
Theorem. The 3-pass protocol is an argument of knowledge for $R_F$ with knowledge error $2/3$ when the commitment scheme Com is computationally binding. [5]
After enough rounds, the probability that Oscar impersonates Peggy is negligible.
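A worked implementation of the three passes and the verification above, added here as an example; it is not the speaker's code nor the reference implementation from [5]. It uses toy parameters over $\mathbb{F}_{31}$ with $n = m = 8$ (an assumption; the slides' parameters are $n = 84$, $m = 80$ over $\mathbb{F}_2$), a plain SHA-256 hash as Com, and a public seed expanded with SHAKE-256 into the system coefficients, as the setup slide suggests. Besides an honest run it checks that the polar form $G$ is bilinear and illustrates the knowledge error of 2/3: an impersonator who commits to a guessed key passes $\mathrm{Ch} = 0$ and $\mathrm{Ch} = 2$ but fails $\mathrm{Ch} = 1$, the only check that involves $v$.

```python
"""Toy MQ 3-pass identification (Sakumoto, Shirai, Hiwatari) over F_q."""
import hashlib
import secrets

# Toy parameters (assumption): the slides use n=84, m=80 over F_2; a prime
# field F_31 is used here so that the field arithmetic stays visible.
Q, N, M = 31, 8, 8

def rand_vec(k):
    return [secrets.randbelow(Q) for _ in range(k)]

def add(x, y):
    return [(a + b) % Q for a, b in zip(x, y)]

def sub(x, y):
    return [(a - b) % Q for a, b in zip(x, y)]

def gen_system(seed=b"public-seed"):
    """Public MQ(n, m, F_q) instance: a[l][i][j] (i <= j) and b[l][i],
    expanded from a short public seed (hypothetical seed value)."""
    stream = hashlib.shake_256(seed).digest(2 * M * (N * (N + 1) // 2 + N))
    it = iter(stream)
    coef = lambda: ((next(it) << 8) | next(it)) % Q
    a = [[[coef() if j >= i else 0 for j in range(N)] for i in range(N)] for _ in range(M)]
    b = [[coef() for _ in range(N)] for _ in range(M)]
    return a, b

def F(mq, x):
    """Evaluate F(x) = (f_1(x), ..., f_m(x))."""
    a, b = mq
    return [(sum(a[l][i][j] * x[i] * x[j] for i in range(N) for j in range(i, N))
             + sum(b[l][i] * x[i] for i in range(N))) % Q for l in range(M)]

def G(mq, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y); bilinear because F is quadratic."""
    return sub(sub(F(mq, add(x, y)), F(mq, x)), F(mq, y))

def polar_form_is_bilinear(mq, trials=10):
    """Check G(x + x', y) = G(x, y) + G(x', y) on random inputs (G is symmetric)."""
    for _ in range(trials):
        x, x2, y = rand_vec(N), rand_vec(N), rand_vec(N)
        if G(mq, add(x, x2), y) != add(G(mq, x, y), G(mq, x2, y)):
            return False
    return True

def com(*vectors):
    """Hash commitment. Every committed tuple below contains a uniformly random
    share, which stands in for the randomiser rho of Com(s; rho) (simplification)."""
    h = hashlib.sha256()
    for vec in vectors:
        h.update(bytes(vec) + b"|")
    return h.digest()

def keygen(mq):
    s = rand_vec(N)
    return s, F(mq, s)              # (secret key s, public key v = F(s))

def prover_commit(mq, s):
    """Pass 1: cut s = r0 + r1, r0 = t0 + t1, F(r0) = e0 + e1; commit to the shares."""
    r0, t0, e0 = rand_vec(N), rand_vec(N), rand_vec(M)
    r1, t1, e1 = sub(s, r0), sub(r0, t0), sub(F(mq, r0), e0)
    c = (com(r1, add(G(mq, t0, r1), e0)), com(t0, e0), com(t1, e1))
    return c, dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1)

def prover_respond(st, ch):
    """Pass 3: reveal the shares selected by Ch in {0, 1, 2}."""
    return {0: (st["r0"], st["t1"], st["e1"]),
            1: (st["r1"], st["t1"], st["e1"]),
            2: (st["r1"], st["t0"], st["e0"])}[ch]

def verify(mq, v, c, ch, rsp):
    """Victor's check; only Ch = 1 touches the public key v."""
    c0, c1, c2 = c
    if ch == 0:
        r0, t1, e1 = rsp
        return c1 == com(sub(r0, t1), sub(F(mq, r0), e1)) and c2 == com(t1, e1)
    if ch == 1:
        r1, t1, e1 = rsp
        inner = sub(sub(sub(v, F(mq, r1)), G(mq, t1, r1)), e1)
        return c0 == com(r1, inner) and c2 == com(t1, e1)
    r1, t0, e0 = rsp
    return c0 == com(r1, add(G(mq, t0, r1), e0)) and c1 == com(t0, e0)

def honest_rounds_pass(mq, s, v, rounds=52):
    """Completeness: sequential rounds with random challenges all verify."""
    for _ in range(rounds):
        c, st = prover_commit(mq, s)
        ch = secrets.randbelow(3)
        if not verify(mq, v, c, ch, prover_respond(st, ch)):
            return False
    return True

def impersonator_survives(mq, v):
    """Soundness: Oscar commits with a guessed key and answers each challenge
    consistently with that guess. Returns the set of challenges he survives:
    Ch = 0 and Ch = 2 never use v, Ch = 1 does, hence the 2/3 error per round."""
    c, st = prover_commit(mq, rand_vec(N))
    return {ch for ch in range(3) if verify(mq, v, c, ch, prover_respond(st, ch))}
```

`honest_rounds_pass(mq, s, v)` runs the 52 rounds of the parameter slide; `impersonator_survives(mq, v)` returns `{0, 2}`, the two challenges whose checks never involve $v$, so a cheater who does not know $s$ is caught with probability $1/3$ in each round and survives 52 rounds with probability $(2/3)^{52} < 2^{-30}$. The check in `polar_form_is_bilinear` is exactly what the second cut relies on: without $G(t_0 + t_1, r_1) = G(t_0, r_1) + G(t_1, r_1)$ the $\mathrm{Ch} = 1$ recomputation would not reproduce $c_0$.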
3-Pass Protocol: Zero-Knowledge
Theorem. The 3-pass protocol is statistically zero-knowledge when the commitment scheme Com is statistically hiding. [5]
Victor learns only one of $r_0$ or $r_1$, one of $t_0$ or $t_1$, and one of $e_0$ or $e_1$; each revealed tuple is uniformly distributed and independent of $s$.
Cut-and-choose: the private key is split between the $(t_0, e_0)$ part and the $(t_1, e_1)$ part.
3-Pass Protocol: Theoretical Security of the Protocol
Victor needs a number of rounds roughly proportional to the desired security level in bits: with knowledge error $2/3$ each round contributes only $\log_2(3/2) \approx 0.58$ bits. [2]
Practical Security of the Keys
For $\mathcal{MQ}(84, 80, \mathbb{F}_2)$, i.e. $n = 84$ unknowns and $m = 80$ equations: the best known attack is the improved exhaustive search algorithm, with cost about $2^{88.7}$. [5][3]
3-Pass Protocol: Efficiency
Impersonation probability less than $2^{-30}$ [5]:
  • Number of rounds → 52 (since $(2/3)^{52} < 2^{-30}$)
  • System parameter (bit) → 285,600 (reducible to a seed of 128 bits); this is $80 \cdot (84 \cdot 85 / 2)$ coefficient bits, because over $\mathbb{F}_2$ the linear terms are absorbed into the diagonal quadratic coefficients ($x_i^2 = x_i$)
  • Public key (bit) → 80
  • Secret key (bit) → 84
  • Communication (bit) → 20,640
  • Arithmetic ops. (times/field) → $2^{26}$ over $\mathbb{F}_2$
  • Hash function (times) → 4
Implementation

3-Pass Parallel Version: Features
  • Requires only one round (one commit/challenge/response exchange) instead of multiple sequential rounds: all repetitions are executed in parallel
  • Still secure against an active attacker
5-Pass Protocol: Features
  • Different cuts: $\alpha r_0 = t_0 + t_1$ and $\alpha F(r_0) = e_0 + e_1$, where $\alpha \in \mathbb{F}_q$ is chosen by Victor
  • Victor sends a challenge $\mathrm{Ch} \in \{0, 1\}$ and Peggy reveals $(r_0, t_1, e_1)$ or $(r_1, t_1, e_1)$
  • For $q = 2$, Oscar has a higher chance of winning a single round than in the 3-pass scheme
  • Larger system parameter for the same level of security
  • Larger key sizes for the same level of security
  • More efficient in communication cost for the same level of security
MC 3,5-pass protocol: MC Function
Given $x \in \mathbb{F}_q^n$, a function $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$ is defined as
$$f_l(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} \sum_{k=j}^{n} a_{l,i,j,k}\, x_i x_j x_k + \sum_{i=1}^{n} \sum_{j=i}^{n} b_{l,i,j}\, x_i x_j + \sum_{i=1}^{n} c_{l,i}\, x_i .$$
An MC function $F_{MC} : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is then defined as $F_{MC}(x) = (f_1, \ldots, f_m)$.
Polar Form
The mapping $(x, y) \mapsto F_{MC}(x + y) - F_{MC}(x) - F_{MC}(y)$ is no longer bilinear: the cubic monomials contribute cross terms that are quadratic in one of the two arguments.
Instead one defines a linear-in-one-argument (LOA) form $G_{MC}$, linear in its first argument, such that
$$G_{MC}(x, y) + G_{MC}(y, x) = F_{MC}(x + y) - F_{MC}(x) - F_{MC}(y).$$
The right-hand side is symmetric in $x$ and $y$, which is why $G_{MC}$ appears once in each argument order.
MC 3,5-pass protocol [1]: comparison with the MQ schemes
3-pass Protocol
  Same key sizes
  More rounds
  System parameter almost 30 times bigger
  Almost 80% more bits to transmit
  Less efficient
  Hash function (times): 4
5-pass Protocol
  Smaller key sizes (88/132 bits against 120/180 bits)
  System parameter almost 4.5 times bigger
  Almost 80% more bits to transmit
  Less efficient
MC 3,5-pass protocol: ZK (3)
Introduce new variables $X_{ij} = x_i x_j$ ($1 \le i \le j \le n$) alongside the $x_i$, so that each cubic $f_l$ becomes quadratic in the extended variable set:
$$f_l(x) = \sum_{1 \le i \le j \le k \le n} a_{l,i,j,k}\, X_{ij}\, x_k + \sum_{1 \le i \le j \le n} b_{l,i,j}\, X_{ij} + \sum_{i=1}^{n} c_{l,i}\, x_i .$$
Features
  Larger public key
  More communication bits
  Fewer rounds of communication
MP 3,5-pass protocol: MP function
Given $x \in \mathbb{F}_q^n$, a function of degree $d$, $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$, is defined as
$$f_l(x) = \sum_{1 \le i_1 \le \cdots \le i_d \le n} a_{l,i_1,\ldots,i_d}\, x_{i_1} \cdots x_{i_d} + \sum_{1 \le i_1 \le \cdots \le i_{d-1} \le n} a_{l,i_1,\ldots,i_{d-1}}\, x_{i_1} \cdots x_{i_{d-1}} + \cdots + \sum_{1 \le i_1 \le n} a_{l,i_1}\, x_{i_1} .$$
An MP function $F_{MP} : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is then defined as $F_{MP}(x) = (f_1, \ldots, f_m)$.
Polar Form
$$G_{MP}(r_0, r_1, \ldots, r_{d-1}) = \sum_{i=1}^{d} (-1)^{d-i} \sum_{\substack{S \subseteq \{0, \ldots, d-1\} \\ |S| = i}} F_{MP}\Big(\sum_{j \in S} r_j\Big).$$
This is the usual polarisation: since $F_{MP}$ has no constant term, the alternating sum annihilates every monomial of degree below $d$, and $G_{MP}$ is linear in each of its $d$ arguments.
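The cubic split $G_{MC}$ and the general polarisation $G_{MP}$ above, as an added example that is not part of the original slides or of the cited papers: a degree-$d$ polynomial system over a toy field $\mathbb{F}_7$ stored as coefficient dictionaries, the polar form computed literally from the formula with the $(-1)^{d-i}$ signs, one concrete choice of the linear-in-one-argument $G_{MC}$, and checks that (a) $F(x+y) - F(x) - F(y) = G_{MC}(x,y) + G_{MC}(y,x)$ with $G_{MC}$ linear in $x$, (b) for a cubic the two-argument polar form is not bilinear, and (c) $G_{MP}$ is linear in each slot and $G_{MP}(x,\ldots,x) = d!\,F_d(x)$ for the degree-$d$ part $F_d$. The field size, the seeds and the particular split rule used for $G_{MC}$ are assumptions made for the example.

```python
import math
import random
from itertools import combinations, combinations_with_replacement

Q = 7  # toy prime field size (assumed for the example)

def vadd(x, y): return tuple((a + b) % Q for a, b in zip(x, y))
def vsub(x, y): return tuple((a - b) % Q for a, b in zip(x, y))
def scale(a, x): return tuple((a * xi) % Q for xi in x)
def rand_vec(n, rng): return tuple(rng.randrange(Q) for _ in range(n))

def random_system(n, m, d, rng):
    """m polynomials in n variables with every monomial of degree 1..d and no
    constant term; a polynomial is a dict {sorted index tuple: coefficient}."""
    system = []
    for _ in range(m):
        poly = {}
        for deg in range(1, d + 1):
            for mono in combinations_with_replacement(range(n), deg):
                poly[mono] = rng.randrange(Q)
        system.append(poly)
    return system

def eval_poly(poly, x):
    acc = 0
    for mono, c in poly.items():
        term = c
        for i in mono:
            term *= x[i]
        acc += term
    return acc % Q

def evalF(system, x):
    return tuple(eval_poly(p, x) for p in system)

def polar_form(system, rs):
    """G_MP(r_0..r_{d-1}) = sum_{i=1}^{d} (-1)^{d-i} sum_{|S|=i} F(sum_{j in S} r_j)."""
    d, n = len(rs), len(rs[0])
    acc = (0,) * len(system)
    for i in range(1, d + 1):
        sign = (-1) ** (d - i)
        for S in combinations(range(d), i):
            partial = (0,) * n
            for j in S:
                partial = vadd(partial, rs[j])
            acc = vadd(acc, scale(sign, evalF(system, partial)))
    return acc

def g_mc(system, x, y):
    """Cubic case: the part of F(x+y) - F(x) - F(y) that is linear in x. From a cubic
    monomial take the cross terms with exactly one factor drawn from x; from a quadratic
    monomial x_i x_j take x_i y_j only (y_i x_j belongs to G_MC(y, x)). Linear
    monomials have no cross terms. This split rule is one valid choice (assumed)."""
    out = []
    for poly in system:
        acc = 0
        for mono, c in poly.items():
            if len(mono) == 3:
                for pos in range(3):
                    term = c
                    for k, i in enumerate(mono):
                        term *= x[i] if k == pos else y[i]
                    acc += term
            elif len(mono) == 2:
                acc += c * x[mono[0]] * y[mono[1]]
        out.append(acc % Q)
    return tuple(out)

def check_mc_split(seed=3, n=3, m=2):
    """F(x+y)-F(x)-F(y) == G_MC(x,y) + G_MC(y,x), and G_MC is linear in its first slot."""
    rng = random.Random(seed)
    F = random_system(n, m, 3, rng)
    x, x2, y = rand_vec(n, rng), rand_vec(n, rng), rand_vec(n, rng)
    a, b = rng.randrange(Q), rng.randrange(Q)
    polar = vsub(vsub(evalF(F, vadd(x, y)), evalF(F, x)), evalF(F, y))
    split_ok = polar == vadd(g_mc(F, x, y), g_mc(F, y, x))
    lhs = g_mc(F, vadd(scale(a, x), scale(b, x2)), y)
    rhs = vadd(scale(a, g_mc(F, x, y)), scale(b, g_mc(F, x2, y)))
    return split_ok and lhs == rhs

def cubic_polar_not_bilinear():
    """f(x) = x_0^3 alone: (x+y)^3 - x^3 - y^3 = 3x^2 y + 3x y^2 is not linear in x."""
    F = [{(0, 0, 0): 1}]
    x, y = (1,), (1,)
    return polar_form(F, [scale(2, x), y]) != scale(2, polar_form(F, [x, y]))

def check_mp_polarization(seed=5, n=3, m=2, d=3):
    """G_MP(x,...,x) == d! * F_d(x) for the degree-d part F_d, and G_MP is linear per slot."""
    rng = random.Random(seed)
    F = random_system(n, m, d, rng)
    top = [{mono: c for mono, c in p.items() if len(mono) == d} for p in F]
    x = rand_vec(n, rng)
    diag_ok = polar_form(F, [x] * d) == scale(math.factorial(d), evalF(top, x))
    rs = [rand_vec(n, rng) for _ in range(d)]
    r0b = rand_vec(n, rng)
    a, b = rng.randrange(Q), rng.randrange(Q)
    lhs = polar_form(F, [vadd(scale(a, rs[0]), scale(b, r0b))] + rs[1:])
    rhs = vadd(scale(a, polar_form(F, rs)), scale(b, polar_form(F, [r0b] + rs[1:])))
    return diag_ok and lhs == rhs
```

The three check functions return True for any seed, because each identity holds as a polynomial identity over $\mathbb{F}_q$; the non-bilinearity witness uses a fixed single-monomial cubic so the failing values can be verified by hand ($18 \bmod 7 = 4$ against $2 \cdot 6 \bmod 7 = 5$).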
MP 3,5-pass protocol [4]: Features
  Generalization of the MQ and MC schemes to arbitrary degree $d$
  No practical advantage
The End
That's it! Questions? Remarks?
Bibliography
[1] Koichi Sakumoto. Public-key identification schemes based on multivariate cubic polynomials. In PKC 2012, pages 172–189, 2012.
[2] Mihir Bellare and Oded Goldreich. On defining proofs of knowledge. Pages 390–420, Springer-Verlag, 1998.
[3] Charles Bouillaguet, Hsieh-Chung Chen, Chen-Mou Cheng, Tung Chou, Ruben Niederhagen, Adi Shamir, and Bo-Yin Yang. Fast exhaustive search for polynomial systems in $\mathbb{F}_2$. In Proceedings of the 12th International Conference on Cryptographic Hardware and Embedded Systems, CHES 2010, pages 203–218, Berlin, Heidelberg, 2010. Springer-Verlag.
[4] Valérie Nachef, Jacques Patarin, and Emmanuel Volte. Zero-knowledge for multivariate polynomials. IACR Cryptology ePrint Archive, 2012:239, 2012.
[5] Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Public-key identification schemes based on multivariate quadratic polynomials. In CRYPTO 2011, pages 706–723, 2011.
MQ 3-Pass Protocol (Completeness): Proof
Peggy computes $r_1 \leftarrow s - r_0$, $t_1 \leftarrow r_0 - t_0$, $e_1 \leftarrow F(r_0) - e_0$ and commits to
$c_0 \leftarrow Com(r_1,\, G(t_0, r_1) + e_0)$, $c_1 \leftarrow Com(t_0, e_0)$, $c_2 \leftarrow Com(t_1, e_1)$.
If $Ch = 0$ (Peggy reveals $(r_0, t_1, e_1)$ and Victor recomputes $c_1$ and $c_2$): by definition $r_0 - t_1 \overset{\Delta}{=} t_0$ and $F(r_0) - e_1 \overset{\Delta}{=} e_0$, so $Com(r_0 - t_1,\, F(r_0) - e_1) = c_1$, and $c_2 = Com(t_1, e_1)$ is recomputed directly.
If $Ch = 1$ (Peggy reveals $(r_1, t_1, e_1)$ and Victor recomputes $c_0$ and $c_2$):
$$G(t_0, r_1) + e_0 = G(r_0 - t_1, r_1) + e_0 = G(r_0, r_1) - G(t_1, r_1) + e_0 = F(r_0 + r_1) - F(r_0) - F(r_1) - G(t_1, r_1) + e_0 \overset{\Delta}{=} v - F(r_1) - G(t_1, r_1) - e_1,$$
using the bilinearity of $G$, $F(r_0 + r_1) = F(s) = v$ and $e_0 - F(r_0) = -e_1$. Hence $Com(r_1,\, v - F(r_1) - G(t_1, r_1) - e_1) = c_0$.
If $Ch = 2$ (Peggy reveals $(r_1, t_0, e_0)$ and Victor recomputes $c_0$ and $c_1$): both $c_0 = Com(r_1,\, G(t_0, r_1) + e_0)$ and $c_1 = Com(t_0, e_0)$ are recomputed directly from the revealed values; no relation involving $s$ or $v$ is needed.
MQ 3-Pass Protocol (Soundness): Proof
Suppose Oscar takes the public $(F, v)$ and tries to fool Victor in order to impersonate Peggy. Let $Ch^* \in \{0, 1, 2\}$ be Oscar's guess of the challenge value Victor is not going to choose; Oscar prepares commitments that answer the other two challenges.
Commitment preparation: Oscar picks at random $s', r'_0, t'_0 \in_R \mathbb{F}_q^n$ and $e'_0 \in_R \mathbb{F}_q^m$, and computes $r'_1 \leftarrow s' - r'_0$ and $t'_1 \leftarrow r'_0 - t'_0$. In general $F(s') \neq v$, since Oscar does not know a preimage of $v$.
If $Ch^* = 0$: $e'_1 \leftarrow v - F(s') + F(r'_0) - e'_0$, $c_0 \leftarrow Com(r'_1,\, G(t'_0, r'_1) + e'_0)$, $c_1 \leftarrow Com(t'_0, e'_0)$, $c_2 \leftarrow Com(t'_1, e'_1)$.
Note that if $Ch = 1$, then
$$v - F(r'_1) - G(t'_1, r'_1) - e'_1 \overset{\Delta}{=} F(s') - F(r'_0) - F(r'_1) - G(t'_1, r'_1) + e'_0 = G(r'_0, r'_1) - G(t'_1, r'_1) + e'_0 = G(r'_0 - t'_1, r'_1) + e'_0 \overset{\Delta}{=} G(t'_0, r'_1) + e'_0,$$
so $c_0$ (and trivially $c_2$) verifies. For $Ch = 2$, $c_0$ and $c_1$ were formed exactly as Victor recomputes them.
If $Ch^* = 0$ and $Ch = 0$: Victor checks $c_1 = Com(r'_0 - t'_1,\, F(r'_0) - e'_1)$, which requires $e'_1 = v - F(s') + F(r'_0) - e'_0 = F(r'_0) - e'_0$, i.e. $F(s') = v$. Oscar fails unless $s'$ happens to be a genuine solution.
If $Ch^* = 1$: $e'_1 \leftarrow F(r'_0) - e'_0$, $c_0 \leftarrow Com(r'_1,\, G(t'_0, r'_1) + e'_0)$, $c_1 \leftarrow Com(t'_0, e'_0)$, $c_2 \leftarrow Com(t'_1, e'_1)$. This is an honest run with $s'$ in place of $s$, so the checks for $Ch = 0$ and $Ch = 2$, which never involve $v$, pass.
If $Ch^* = 1$ and $Ch = 1$:
$$v - F(r'_1) - G(t'_1, r'_1) - e'_1 \overset{\Delta}{=} v - F(r'_1) - F(r'_0) - G(t'_1, r'_1) + e'_0 = v - F(s') + G(r'_0, r'_1) - G(t'_1, r'_1) + e'_0 \overset{\Delta}{=} v - F(s') + G(t'_0, r'_1) + e'_0,$$
which equals the committed value $G(t'_0, r'_1) + e'_0$ only if $F(s') = v$.
If $Ch^* = 2$: $e'_1 \leftarrow F(r'_0) - e'_0$, $c_0 \leftarrow Com(r'_1,\, v - F(r'_1) - G(t'_1, r'_1) - e'_1)$, $c_1 \leftarrow Com(t'_0, e'_0)$, $c_2 \leftarrow Com(t'_1, e'_1)$. Here $c_0$ is built directly from the value Victor recomputes for $Ch = 1$, and $Ch = 0$ verifies as in an honest run.
If $Ch^* = 2$ and $Ch = 2$: Victor checks $c_0 = Com(r'_1,\, G(t'_0, r'_1) + e'_0)$, but
$$\big(G(t'_0, r'_1) + e'_0\big) - \big(v - F(r'_1) - G(t'_1, r'_1) - e'_1\big) \overset{\Delta}{=} G(r'_0, r'_1) + F(r'_0) + F(r'_1) - v = F(s') - v,$$
so the committed value matches only if $F(s') = v$.
Conclusion: whichever $Ch^*$ Oscar bets on, he can answer exactly two of the three challenges, so the knowledge error (cheating probability per round) is $2/3$. Repeating the protocol $r$ times brings the impersonation probability down to $(2/3)^r$.
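The completeness and soundness arguments above, as an added example that is not part of the original slides or of the Sakumoto, Shirai and Hiwatari paper: the MQ function $F$ over a toy field $\mathbb{F}_7$ with $n = m = 3$, its bilinear polar form $G$, the honest 3-pass run for all three challenges, and the three cheating strategies ($Ch^* = 0, 1, 2$) run with a random $s'$. The field size, the dimensions, the seeds and the commitment are assumptions: $Com$ is a bare SHA-256 hash here, which is enough to exercise the checks, whereas the scheme requires a randomised, statistically hiding and computationally binding commitment. The response for $Ch = 2$, $(r_1, t_0, e_0)$, and the corresponding checks follow the CRYPTO 2011 paper.

```python
import hashlib
import random
from itertools import combinations_with_replacement

Q, N, M = 7, 3, 3   # toy parameters (assumed): field size, unknowns, equations

def vadd(x, y): return tuple((a + b) % Q for a, b in zip(x, y))
def vsub(x, y): return tuple((a - b) % Q for a, b in zip(x, y))
def rand_vec(k, rng): return tuple(rng.randrange(Q) for _ in range(k))

def evalF(F, x):
    """F = [(quad, lin), ...]; quad maps (i, j), i <= j, to a_{l,i,j}; lin[i] = b_{l,i}."""
    return tuple((sum(c * x[i] * x[j] for (i, j), c in quad.items())
                  + sum(c * xi for c, xi in zip(lin, x))) % Q for quad, lin in F)

def G(F, x, y):
    """Polar form of the MQ function: bilinear because F is quadratic."""
    return vsub(vsub(evalF(F, vadd(x, y)), evalF(F, x)), evalF(F, y))

def Com(*parts):
    # Toy deterministic commitment (assumption). The scheme needs a randomised,
    # statistically hiding and computationally binding commitment.
    return hashlib.sha256(repr(parts).encode()).hexdigest()

def keygen(rng):
    F = [({ij: rng.randrange(Q) for ij in combinations_with_replacement(range(N), 2)},
          [rng.randrange(Q) for _ in range(N)]) for _ in range(M)]
    s = rand_vec(N, rng)
    return F, s, evalF(F, s)          # public (F, v), secret s

def prover_commit(F, s, rng):
    r0, t0, e0 = rand_vec(N, rng), rand_vec(N, rng), rand_vec(M, rng)
    r1, t1, e1 = vsub(s, r0), vsub(r0, t0), vsub(evalF(F, r0), e0)
    coms = (Com(r1, vadd(G(F, t0, r1), e0)), Com(t0, e0), Com(t1, e1))
    return coms, dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1)

def respond(st, ch):
    return {0: (st['r0'], st['t1'], st['e1']),
            1: (st['r1'], st['t1'], st['e1']),
            2: (st['r1'], st['t0'], st['e0'])}[ch]

def verify(F, v, coms, ch, rsp):
    """Victor recomputes the two commitments opened by the challenge."""
    c0, c1, c2 = coms
    if ch == 0:
        r0, t1, e1 = rsp
        return c1 == Com(vsub(r0, t1), vsub(evalF(F, r0), e1)) and c2 == Com(t1, e1)
    if ch == 1:
        r1, t1, e1 = rsp
        val = vsub(vsub(vsub(v, evalF(F, r1)), G(F, t1, r1)), e1)
        return c0 == Com(r1, val) and c2 == Com(t1, e1)
    r1, t0, e0 = rsp
    return c0 == Com(r1, vadd(G(F, t0, r1), e0)) and c1 == Com(t0, e0)

def cheater_commit(F, v, ch_star, rng):
    """Oscar, without s, bets that Victor will not ask ch_star (the slide strategies)."""
    s_ = rand_vec(N, rng)
    while evalF(F, s_) == v:          # a lucky guess would be a real solution; resample
        s_ = rand_vec(N, rng)
    r0, t0, e0 = rand_vec(N, rng), rand_vec(N, rng), rand_vec(M, rng)
    r1, t1 = vsub(s_, r0), vsub(r0, t0)
    if ch_star == 0:                  # e1 absorbs v - F(s'), so Ch = 1 and Ch = 2 pass
        e1 = vsub(vadd(vsub(v, evalF(F, s_)), evalF(F, r0)), e0)
        c0 = Com(r1, vadd(G(F, t0, r1), e0))
    elif ch_star == 1:                # honest run on the wrong secret: Ch = 0, 2 pass
        e1 = vsub(evalF(F, r0), e0)
        c0 = Com(r1, vadd(G(F, t0, r1), e0))
    else:                             # c0 forged for Ch = 1 directly; Ch = 0 also passes
        e1 = vsub(evalF(F, r0), e0)
        c0 = Com(r1, vsub(vsub(vsub(v, evalF(F, r1)), G(F, t1, r1)), e1))
    return (c0, Com(t0, e0), Com(t1, e1)), dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1)

def honest_run(seed=1):
    rng = random.Random(seed)
    F, s, v = keygen(rng)
    coms, st = prover_commit(F, s, rng)
    return [verify(F, v, coms, ch, respond(st, ch)) for ch in range(3)]

def cheating_table(seed=1):
    """For each bet Ch*, which challenges Oscar survives; exactly the entry Ch = Ch* is False."""
    rng = random.Random(seed)
    F, s, v = keygen(rng)
    table = {}
    for ch_star in range(3):
        coms, st = cheater_commit(F, v, ch_star, rng)
        table[ch_star] = [verify(F, v, coms, ch, respond(st, ch)) for ch in range(3)]
    return table

if __name__ == "__main__":
    print("honest prover accepted for Ch = 0,1,2:", honest_run())
    for ch_star, row in cheating_table().items():
        print(f"Oscar bets Ch* = {ch_star}: accepted for Ch = 0,1,2 ->", row)
```

The honest run returns three acceptances for any seed, and each cheating row contains exactly one rejection, at the challenge Oscar bet against; that is the $2/3$ knowledge error of a single round made concrete. Because the impersonator's $s'$ is resampled until $F(s') \neq v$, the table does not depend on the seed either.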
MQ 3-Pass Protocol (Zero Knowledge): Proof sketch
For each $Ch_i$ ($i \in \{0, 1, 2\}$), Victor receives $(c_0, c_1, c_2)$ and $Rsp_i$, from which he recomputes two of the three commitments during the protocol. Call $c_j$ the remaining commitment, the one that is never opened. Also let $C$ be the vector obtained from $Rsp_i$: $C = r_0$ if $i = 0$, otherwise $C = t_1 + r_1$. Let $R$ be a random string indistinguishable from $c_j$ (the commitment scheme is statistically hiding).
Suppose that the scheme is not zero-knowledge; then Victor is able to learn something either from the commitments or from the responses.
Commitments: Victor learns from the unopened $c_j$.
Responses: Victor learns from $C = s - r_1$ if $Ch = 0$, otherwise from $C = s - t_0$.
If Victor is able to learn from the unopened commitment, then he is also able to learn from $R$, since $c_j$ and $R$ are indistinguishable. But that is absurd, because there is nothing to learn from $R$.
If Victor is able to learn from the responses, then he learns from $s$ masked by $r_0$ or by $t_0$, which are uniformly random and used only once, so $C$ is itself uniformly distributed and independent of $s$. Again, this is absurd.