Public-Key Identification Schemes Based on
             Multivariate Polynomials
                               Cassius Puodzius
                                 July 27, 2012


1    Introduction
Identification schemes give a verifier a way to check remotely the identities
of the participants. Commonly such a scheme relies on a password, which is
supposed to be known only to its owner; nevertheless, such a scheme sometimes
does not meet the security needs. Therefore, there are schemes in which the
identity is based on the possession of a key, and not only on some memorizable
secret. This seminar covers a family of identification protocols that are
based on the possession of a key, under the assumption that solving
multivariate polynomial equations is hard.
    Multivariate polynomials enjoy strong security features. The underlying
problem is to find any solution of a system of multivariate polynomial
equations, and it is known to be in the NP-Complete class. The best general
attack uses Gröbner bases; however, if the number of coefficients of each
equation n and the number of equations m are not discrepant (i.e. m = Θ(n)),
then this attack is exponential not only in time but also in memory.
Furthermore, there is no known quantum algorithm able to find a solution to
such multivariate polynomial equations.
    To describe it more concretely, consider a scenario in which Peggy or
Oscar, as a prover, wants to prove or impersonate her identity to Victor, who
acts as a verifier. After the protocol completes, Victor must be able to
decide with overwhelming probability whether the prover is Peggy or Oscar.
    This seminar discusses identification schemes in general and then presents
a 3-pass protocol based on quadratic polynomials. The 3-pass protocol was
implemented for the seminar, in order to illustrate one round of a legitimate
prover, or to check for how many rounds an illegitimate prover could fool the
verifier.




2     Identification Schemes (general)
In identification schemes a prover and a verifier take part in a protocol. Our
legitimate prover is denoted by Peggy, the illegitimate prover is Oscar and the
verifier is Victor. In such a scheme Peggy wants to prove to Victor that she is
actually Peggy. On the other hand, Victor wants to be sure that Oscar is not
trying to impersonate Peggy.
    The technique applied to accomplish the verification is Challenge-Response,
in which Victor prepares a challenge only solvable with the knowledge of some
secret that belongs to Peggy, and Peggy sends back the challenge response
to Victor. This Challenge-Response procedure is repeated as many times as
required until Victor believes, with overwhelming probability, that the prover
is actually Peggy. In each round, if the prover answers the challenge
correctly, then Victor moves to the next one; however, if the prover's response
is wrong, then the interaction ceases, and Victor rejects the prover as Peggy.
    Extra care is taken to prevent Victor from specifically crafting
challenges that let him learn Peggy's secret and thus impersonate her in the
future. Peggy chooses a set of challenge candidates and sends them to Victor,
who chooses one of them and sends it back to Peggy.
    The features desired in the protocol are:

    • Completeness: If the prover knows the secret, after the interaction,
      then Victor can trust that the prover is actually Peggy (with very high
      probability).
    • Soundness: If the prover is not Peggy, then he/she cannot fool Victor
      (with very high probability).
    • Zero-Knowledge: An interactive proof which grants no further
      information to the verifier beyond what he could get himself.

    Cut-and-choose is a paradigm to achieve Zero-Knowledge in which Peggy
divides her secret into shares and proves the knowledge of (some of) them,
according to the choice of Victor. Moreover, Peggy does not reveal any share of
the secret itself.


3     MQ Problem
Given $x \in \mathbb{F}_q^n$, a function $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$ is defined as:

$$f_l(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} a_{l,i,j}\, x_i x_j + \sum_{i=1}^{n} b_{l,i}\, x_i$$

    An MQ function, $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$, is then defined as:

$$F(x) = (f_1, \ldots, f_m)$$

    In this vein, the MQ problem is to find some $x'$ such that $F(x') = y$,
given $y = F(x)$.

    From $F(x)$ it is possible to define its polar form
$G(x, y) = F(x + y) - F(x) - F(y)$, which has the important property of
bilinearity.


4     3-Pass protocol
4.1     The importance of G(x, y) being bilinear
The property of bilinearity is used in the cut technique. From the secret key
it is possible to derive shares of it, which are not dependent. The cuts can be
done as follows:
    From the secret key $s$ and the public key $v = F(s)$, the first cuts are:

$$\begin{aligned}
s &= r_0 + r_1 \\
v &= F(r_0 + r_1) = F(r_0) + F(r_1) + G(r_0, r_1)
\end{aligned}$$

    Since $G(r_0, r_1)$ still depends on $r_0$ and $r_1$, we repeat the cut for
$r_0 = t_0 + t_1$ and $F(r_0) = e_0 + e_1$:

$$\begin{aligned}
v &= F(r_0) + F(r_1) + G(t_0 + t_1, r_1) \\
  &= e_0 + e_1 + F(r_1) + G(t_0, r_1) + G(t_1, r_1) \\
  &= (G(t_0, r_1) + e_0) + (F(r_1) + G(t_1, r_1) + e_1)
\end{aligned}$$

    Hence the shares depend directly either on $(r_1, t_0, e_0)$ or on
$(r_1, t_1, e_1)$.

4.2     String Commitment Function
In this protocol, string commitment functions are used to commit the prover to
responses without revealing them, which lets Victor verify the validity of
these responses afterward. Thus Peggy computes $c \leftarrow \mathrm{Com}(s; \rho)$
and sends it to Victor. Later Peggy sends $s$ and $\rho$ to Victor, who verifies
whether $c \stackrel{?}{=} \mathrm{Com}(s; \rho)$.
    The commitment function is statistically hiding and computationally
binding, i.e.:

    1. Statistically hiding: No receiver is able to distinguish between
       $\mathrm{Com}(s_1; \rho_1)$ and $\mathrm{Com}(s_2; \rho_2)$.

    2. Computationally binding: No sender is able to find in polynomial time
       $(s_2; \rho_2)$ such that $\mathrm{Com}(s_1; \rho_1) = \mathrm{Com}(s_2; \rho_2)$.

4.3     Protocol
The setup of this protocol is to publicly agree on the parameters of
$MQ(m, n, \mathbb{F}_q)$ and on the system of polynomial equations. To avoid
spending a large number of communication bits on describing the system, one can
define it using the seed of a pseudo-random generator, which outputs each
coefficient. Moreover, Peggy's public key is also disclosed.
    The protocol is illustrated in [3], as in Figure 1.

                     Figure 1: 3-pass identification protocol

4.3.1   Completeness
Peggy will always give the right answer to Victor, since she has sent
$(c_0, c_1, c_2)$, and once $r_0$, $t_0$ and $e_0$ are set, there is no further
randomness.

4.3.2   Soundness
The following theorem is stated in [3]:
    Theorem. The 3-pass protocol is an argument of knowledge for $R_F$ with
knowledge error 2/3 when the commitment scheme Com is computationally binding,
    where:

$$R_F = \{(v, x) \in \mathbb{F}_q^m \times \mathbb{F}_q^n : v = F(x)\}$$

    Therefore, after enough rounds, the probability of impersonation by Oscar
is negligible.
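
The cut from 4.1, the commitment from 4.2 and one round of the protocol from 4.3, as an added example that is not the seminar's C++ program. It follows the message layout of the 3-pass protocol in [3] with the page's toy parameters n = 6, m = 5 over GF(2); SHAKE-128 as the coefficient generator, SHA-256(ρ || data) as a stand-in for Com, and all function names are assumptions made here.

```python
import hashlib
import math
import secrets

N, M = 6, 5                 # toy parameters from the page: n = 6, m = 5 over GF(2)
MASK = (1 << N) - 1         # vectors are packed into ints; addition in GF(2) is XOR

def parity(w):
    return bin(w).count("1") & 1

def gen_system(seed):
    """Expand a public seed into F (assumed PRG: SHAKE-128).
    A[l][i] is a bitmask of a_{l,i,j} for j >= i, B[l] a bitmask of b_{l,i}."""
    raw = hashlib.shake_128(seed).digest(M * (N + 1))
    A = [[raw[l * (N + 1) + i] & MASK & ~((1 << i) - 1) for i in range(N)]
         for l in range(M)]
    B = [raw[l * (N + 1) + N] & MASK for l in range(M)]
    return A, B

def F(system, x):
    A, B = system
    y = 0
    for l in range(M):
        bit = parity(B[l] & x)                  # linear part
        for i in range(N):
            if (x >> i) & 1:
                bit ^= parity(A[l][i] & x)      # sum over j >= i of a_{l,i,j} x_i x_j
        y |= bit << l
    return y

def G(system, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y)."""
    return F(system, x ^ y) ^ F(system, x) ^ F(system, y)

def com(rho, *values):
    """Assumed commitment: Com(values; rho) = SHA-256(rho || values)."""
    return hashlib.sha256(rho + bytes(values)).digest()

def commit(system, s):
    """Pass 1: cut s = r0 + r1, r0 = t0 + t1, F(r0) = e0 + e1, then commit."""
    r0, t0 = secrets.randbelow(1 << N), secrets.randbelow(1 << N)
    e0 = secrets.randbelow(1 << M)
    r1, t1, e1 = s ^ r0, r0 ^ t0, F(system, r0) ^ e0
    rho = [secrets.token_bytes(16) for _ in range(3)]
    c = (com(rho[0], r1, G(system, t0, r1) ^ e0),
         com(rho[1], t0, e0),
         com(rho[2], t1, e1))
    return c, dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1, rho=rho)

def respond(st, ch):
    """Pass 3: open two commitments; no response contains both r0 and r1."""
    if ch == 0:
        return st["r0"], st["t1"], st["e1"], st["rho"][1], st["rho"][2]
    if ch == 1:
        return st["r1"], st["t1"], st["e1"], st["rho"][0], st["rho"][2]
    return st["r1"], st["t0"], st["e0"], st["rho"][0], st["rho"][1]

def verify(system, v, c, ch, rsp):
    """Victor recomputes the two opened commitments from the response."""
    a, t, e, rho_x, rho_y = rsp
    if ch == 0:    # a = r0, so (t0, e0) = (r0 - t1, F(r0) - e1)
        return (c[1] == com(rho_x, a ^ t, F(system, a) ^ e)
                and c[2] == com(rho_y, t, e))
    if ch == 1:    # a = r1; the only check that uses the public key v
        return (c[0] == com(rho_x, a, v ^ F(system, a) ^ G(system, t, a) ^ e)
                and c[2] == com(rho_y, t, e))
    return c[0] == com(rho_x, a, G(system, t, a) ^ e) and c[1] == com(rho_y, t, e)

def rounds_needed(bits):
    """Smallest number of rounds r with (2/3)^r <= 2^-bits."""
    return math.ceil(bits / math.log2(3 / 2))

if __name__ == "__main__":
    system = gen_system(b"constructed public seed")   # constructed sample seed
    s = secrets.randbelow(1 << N)                      # secret key
    v = F(system, s)                                   # public key v = F(s)
    c, st = commit(system, s)
    print([verify(system, v, c, ch, respond(st, ch)) for ch in range(3)])
    print("rounds for 2^-30:", rounds_needed(30))
```

A prover who runs the same steps with a key s′ where F(s′) ≠ v passes challenges 0 and 2 and fails only challenge 1, which is why a single round is not enough and the rounds are repeated.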

4.3.3   Zero-Knowledge
The following theorem is also stated in [3]:
    Theorem. The 3-pass protocol is statistically zero knowledge when the
commitment scheme Com is statistically hiding.

    Therefore Victor has access only to $r_0$ or $r_1$, $t_0$ or $t_1$, $e_0$
or $e_1$, which are completely random. This happens due to the cut-and-choose
paradigm, which separates the private key into a $(t_0, e_0)$ part and a
$(t_1, e_1)$ part.

4.3.4   Security
The parameters for 80-bit security are:

   • n ← 80
   • m ← 84
   • q ← 2 ⇒ $\mathbb{F}_2$

   The best known attack is an improved exhaustive search algorithm [2] [3],
which runs in $2^{88.7}$.
   In terms of impersonation, it is shown in [1] that Victor needs almost as
many rounds as the desired security level. For an impersonation probability
less than $2^{-30}$, the number of rounds needed is 52 [3].

4.4     Efficiency
For a security level of 80 bits, the key sizes are quasi-optimal: 80 and 84
bits for public and private keys respectively. The parameter could reach
285,600 bits, but can be reduced to a small seed of 128 bits [3]. All the
computations are made in GF(2), therefore it is quite efficient. Moreover,
there are only 4 calls to the commitment function per round, which is usually
negligible in comparison to the time consumed in the network to carry messages
from the prover to Victor and vice versa.

4.4.1   Implementation
A program was implemented in C++ to illustrate all the computation during the
3-pass protocol based on MQ. In order to make it visual, only a toy example
was presented; nevertheless, the program could be expanded to a real secure
instance just by setting the suitable parameters in the code. The parameters
adopted were n = 6 and m = 5 in GF(2); however, no change in efficiency is
observed when the parameters are set to the secure ones.
    The program begins with a selection of the prover (fig. 2). If one chooses
Peggy (fig. 3), then only one round is performed, since she will be able to
respond correctly in all 52 rounds needed to identify herself due to the
completeness of the protocol. On the other hand, if one chooses Oscar (fig. 4),
then the rounds are repeated while he is able to fool Victor. In each round
Oscar randomly chooses a key and performs the attack described in [3], which
grants him a 2/3 advantage in fooling Victor. Although it is not unusual for
Oscar to randomly generate Peggy's private key in some rounds, due to the small
parameters, Oscar was never able to fool Victor more than 8 times during the
experiments.


        Figure 2: Selection of the prover

        Figure 3: Program running with Peggy as a prover

        Figure 4: Program running with Oscar as a prover

5    Conclusion
An identification scheme based on the hardness of the MQ problem was presented.
It is suitable for scenarios in which a very accurate identification is
desired, since it demands the possession of a key, which is harder to attack
than a memorizable password. To that end, general concepts of identification
schemes were discussed, along with the desired properties that must hold, such
as completeness, soundness and zero knowledge.
    The focus was a 3-pass protocol, which also demanded a commitment function
that must be computationally binding and statistically hiding. The MQ problem
was therefore presented, and the reason why it is important for G(x, y) to be
bilinear was discussed. Secure parameters and an implementation were provided,
with which it was possible to observe the high efficiency of this protocol.
In order to make the program visual for the talk, toy parameters were set.
The program consisted of choosing a prover, Peggy or Oscar, and following all
challenges and responses to Victor: if the prover was Peggy, then just one
round was displayed; if the prover was Oscar, then it was checked for how many
rounds Oscar could fool Victor (with the impersonation described in [3]).


References
[1] Mihir Bellare and Oded Goldreich. On defining proofs of knowledge. pages
    390–420. Springer-Verlag, 1998.
[2] Charles Bouillaguet, Hsieh-Chung Chen, Chen-Mou Cheng, Tung Chou,
    Ruben Niederhagen, Adi Shamir, and Bo-Yin Yang. Fast exhaustive search
    for polynomial systems in F2. In Proceedings of the 12th international
    conference on Cryptographic hardware and embedded systems, CHES'10, pages
    203–218, Berlin, Heidelberg, 2010. Springer-Verlag.
[3] Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Public-key
    identification schemes based on multivariate quadratic polynomials. In
    CRYPTO, pages 706–723, 2011.



