arxiv:1010.3163v1 [cs.cr] 15 Oct 2010



Similar documents
On some Constructions of Shapeless Quasigroups

Direct Methods for Solving Linear Systems. Matrix Factorization

Notes on Determinant

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

6. Cholesky factorization

Length extension attack on narrow-pipe SHA-3 candidates

SFLASH v3, a fast asymmetric signature scheme

Bits Superposition Quantum Parallelism

A New Generic Digital Signature Algorithm

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

A NEW HASH ALGORITHM: Khichidi-1

Introduction to Cryptography CS 355

Crittografia e sicurezza delle reti. Digital signatures- DSA

Introduction. Digital Signature

Table of Contents. Bibliografische Informationen digitalisiert durch

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

MATRIX ALGEBRA AND SYSTEMS OF EQUATIONS. + + x 2. x n. a 11 a 12 a 1n b 1 a 21 a 22 a 2n b 2 a 31 a 32 a 3n b 3. a m1 a m2 a mn b m

The Digital Signature Scheme MQQ-SIG

Solutions to Problem Set 1

Content. Chapter 4 Functions Basic concepts on real functions 62. Credits 11

Elementary Matrices and The LU Factorization

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

7. LU factorization. factor-solve method. LU factorization. solving Ax = b with A nonsingular. the inverse of a nonsingular matrix

Lecture 3: Finding integer solutions to systems of linear equations

Mathematics Course 111: Algebra I Part IV: Vector Spaces

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

ECE 842 Report Implementation of Elliptic Curve Cryptography

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Public Key Cryptography. Performance Comparison and Benchmarking

Math 115A HW4 Solutions University of California, Los Angeles. 5 2i 6 + 4i. (5 2i)7i (6 + 4i)( 3 + i) = 35i + 14 ( 22 6i) = i.

Lightweight MDS Involution Matrices

Masao KASAHARA. Public Key Cryptosystem, Error-Correcting Code, Reed-Solomon code, CBPKC, McEliece PKC.

SOLVING LINEAR SYSTEMS

Mathematical Model Based Total Security System with Qualitative and Quantitative Data of Human

Paillier Threshold Encryption Toolbox

Solving Systems of Linear Equations

Precalculus REVERSE CORRELATION. Content Expectations for. Precalculus. Michigan CONTENT EXPECTATIONS FOR PRECALCULUS CHAPTER/LESSON TITLES

Abstract: We describe the beautiful LU factorization of a square matrix (or how to write Gaussian elimination in terms of matrix multiplication).

MATRIX ALGEBRA AND SYSTEMS OF EQUATIONS

Solution of Linear Systems

Continued Fractions and the Euclidean Algorithm

4: EIGENVALUES, EIGENVECTORS, DIAGONALIZATION

7! Cryptographic Techniques! A Brief Introduction

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

The Characteristic Polynomial

The Advanced Encryption Standard (AES)

Operation Count; Numerical Linear Algebra

Notes on Factoring. MA 206 Kurt Bryan

CS 758: Cryptography / Network Security

General Framework for an Iterative Solution of Ax b. Jacobi s Method

Implementing Network Security Protocols

Introduction to General and Generalized Linear Models

Solving Linear Systems, Continued and The Inverse of a Matrix

Linear Codes. Chapter Basics

Introduction to Matrix Algebra

8 Primes and Modular Arithmetic

AStudyofEncryptionAlgorithmsAESDESandRSAforSecurity

Improved Online/Offline Signature Schemes

CSE 135: Introduction to Theory of Computation Decidability and Recognizability

SeChat: An AES Encrypted Chat

Factoring Algorithms

Optimization of the MPQS-factoring algorithm on the Cyber 205 and the NEC SX-2

A linear algebraic method for pricing temporary life annuities

Capture Resilient ElGamal Signature Protocols

Introduction to Hill cipher

Lecture 3: One-Way Encryption, RSA Example

University of Lille I PC first year list of exercises n 7. Review

Computer and Network Security

Factorization Theorems

AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

IMPLEMENTATION AND PERFORMANCE ANALYSIS OF ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM

Integer Factorization using the Quadratic Sieve

Lukasz Pater CMMS Administrator and Developer

2.1 Complexity Classes

LINEAR ALGEBRA. September 23, 2010

8 Square matrices continued: Determinants

CRYPTOGRAPHY AND NETWORK SECURITY

Question 2 Naïve Bayes (16 points)

Victor Shoup Avi Rubin. Abstract

CMSS An Improved Merkle Signature Scheme

Post-Quantum Cryptography #4

The Advanced Encryption Standard: Four Years On

(67902) Topics in Theory and Complexity Nov 2, Lecture 7

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Fast Fourier Transform: Theory and Algorithms

1.4 Fast Fourier Transform (FFT) Algorithm

MAT188H1S Lec0101 Burbulla

Chapter 3. Distribution Problems. 3.1 The idea of a distribution The twenty-fold way

A Factoring and Discrete Logarithm based Cryptosystem

Distributed Storage Networks and Computer Forensics

Transcription:

The Digital Signature Scheme MQQ-SIG Intellectual Property Statement and Technical Description 10 October 2010 Danilo Gligoroski 1 and Svein Johan Knapskog 2 and Smile Markovski 3 and Rune Steinsmo Ødegård 2 and Rune Erlend Jensen 2 and Ludovic Perret and Jean-Charles Faugère 5 arxiv:1010.3163v1 [cs.cr] 15 Oct 2010 1 Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, The Norwegian University of Science and Technology (NTNU), O.S.Bragstads plass 2E, N-791 Trondheim, NORWAY, danilog@item.ntnu.no 2 Norwegian University of Science and Technology Centre for Quantifiable Quality of Service in Communication Systems. O.S. Bragstads plass 2E, N-791 Trondheim, NORWAY, knapskog@q2s.ntnu.no, rune.odegard@q2s.ntnu.no, runeerle@stud.ntnu.no 3 Ss Cyril and Methodius University, Faculty of Natural Sciences and Mathematics, Institute of Informatics, P.O.Box 162, 1000 Skopje, MACEDONIA, smile@ii.edu.mk Pierre and Marie Curie University - Paris, Laboratory of Computer Sciences, Paris 6, 10 avenue du Président Kennedy 75016 Paris FRANCE, ludovic.perret@lip6.fr 5 UPMC, Université Paris 06, LIP6 INRIA, Centre Paris-Rocquencourt, SALSA Project-team CNRS, UMR 7606, LIP6, place Jussieu 75252 Paris, Cedex 5, FRANCE jean-charles.faugere@inria.fr Abstract: This document contains the Intellectual Property Statement and the technical description of the MQQ-SIG - a new public key digital signature scheme. The complete scientific publication covering the design rationale and the security analysis will be given in a separate publication. MQQ- SIG consists of n n quadratic polynomials with n Boolean variables where n = 160, 196, 22 or 256. Keywords: Public Key Cryptosystems, Fast signature generation, Multivariate Quadratic Polynomials, Quasigroup String Transformations, Multivariate Quadratic Quasigroup 1 Intellectual Property Statement We, the seven names given in the title of this document and undersigned on this statement, the authors and designers of MQQ-SIG digital signature scheme, do hereby agree to grant any interested party an irrevocable, royalty free licence to practice, implement and use MQQ-SIG digital signature scheme, provided our roles as authors and designers of the MQQ-SIG digital signature scheme are recognized by the interested party as authors and designers of the MQQ-SIG digital signature scheme. Name Signature Place Date 1. Danilo Gligoroski Trondheim 2. Svein Johan Knapskog Trondheim 3. Smile Markovski Skopje. Rune Steinsmo Ødegård Trondheim 5. Rune Erlend Jensen Trondheim 6. Ludovic Perret Paris 7. Jean-Charles Faugère Paris

2 Description of the MQQ-SIG digital signature scheme A generic description for our scheme can be expressed as a 3 truncation of a typical multivariate quadratic system: S P S : {0,1} n {0,1} n where S = S x + v (i.e. S is a bijective affine transformation), S is a nonsingular linear transformation, and P is a bijective multivariate quadratic mapping on {0,1} n. The bijective multivariate quadratic mapping P : {0,1} n {0,1} n is defined in Table 1. Bijective multivariate quadratic mapping P (x) Input: A vector x = (f 1,...,f n) of n linear Boolean functions of n variables. We implicitly suppose that a multivariate quadratic quasigroup is previously defined, and that n = 32k, k {5,6,7,8} is also previously determined. Output: 8 linear expressions P i (x1,...,xn),i = 1,...,8 and n 8 multivariate quadratic polynomials P i (x1,...,xn),i = 9,...,n 1. Represent a vector x = (f 1,...,f n) of n linear Boolean functions of n variables x 1,...,x n, as a string x = X 1...Xn 8 where X i are vectors of dimension 8; 2. Compute y = Y 1...Yn 8 where: Y 1 = X 1, Y j+1 = X j X j+1, for even j = 2,,..., and Y j+1 = X j+1 X j, for odd j = 3,5,... 3. Output: y. Table 1. Definition of the bijective multivariate quadratic mapping P : {0,1} n {0,1} n The algorithm for generating the public and private key is defined in the Table 2. Algorithm for generating Public and Private key for the MQQ-SIG scheme Input: Integer n, where n = 32 k and k {5,6,7,8}. Output: Public key P: n n multivariate quadratic polynomials Pi(x1,...,xn), i = 1+ n,...,n, Private key: Two permutations σ 1 and σ K of the numbers {1,...,n}, and 81 bytes for encoding a quasigroup. 1. Generate an MQQ according to equations (1)...(). 2. Generate a nonsingular n n Boolean matrix S and affine transformation S according to equations (5),..., (11). 3. Compute y = S(P (S (x))), where x = (x 1,...,x n).. Output: The public key is y as n n multivariate quadratic polynomials Pi(x1,...,xn) i = 1 + n,...,n, and the private key is the tuple (σ1,σk, ). Table 2. Generating the public and private key The algorithm for signing by the private key (σ 1,σ K, ) is defined in Table 3. Algorithm for digital signature with the private key (σ 1,σ K, ) Input: A document M to be signed. Output: A signature sig = (x 1,...,x n). 1. Compute y = (y 1,...,y n) = H(M) n, where M is the message to be signed, H() is a standardized cryptographic hash function such as SHA-1, or SHA-2, with a hash output of not less than n bits. The notation H(M) n denotes the least significant n bits from the hash output H(M). 2. Set y = S 1 (y). 3. Represent y as y = Y 1...Yn 8 where Y i are Boolean vectors of dimension 8.. By using the left and right parastrophes \ and / of the quasigroup compute x = X 1...Xn 8, such that: X 1 = Y 1, X j = X j 1\Y j, for even j = 2,,..., and X j = Y j/x j 1, for odd j = 3,5,... 5. Compute x = S 1 (x ) + v = (x 1,...,x n). 6. The MQQ-SIG digital signature of the document M is the vector sig = (x 1,...,x n). Table 3. Digital signing

The algorithmfor signature verificationwith the public key P = {P i (x 1,...,x n ) i = 1+ n,...,n} is given in Table. Algorithm for signature verification with a public key P = {P i(x 1,...,x n) i = 1 + n,...,n} Input: A document M and its signature sig = (x 1,...,x n). Output: TRUE or FALSE. 1. Compute y = (y 1+ n,...,y n) = H(M) n n, where M is the signed message, H() is a standardized cryptographic hash function such as SHA-1, or SHA-2, with a hash output of not less than n bits, and the notation H(M) n n denotes the least significant n n bits from the hash output H(M). 2. Compute z = (z 1+ n,...,z n) = P(sig). 3. If z = y then return TRUE, else return FALSE. Table. Digital verification 3 Multivariate Quadratic Quasigroups A Multivariate Quadratic Quasigroup (MQQ) of order 2 d used in this version of MQQ-SIG can be described shortly by the following expression: x y B U(x) A 2 y+b A 1 x+c (1) where x = (x 1,...,x d ), y = (y 1,...,y d ), the matrices A 1, A 2 and B are nonsingular in GF(2), of size d d, the vector c is a random d-dimensional vector with elements in GF(2) and all of them are generated by a uniformly random process. The matrix U(x) is an upper triangular matrix with all diagonal elements equal to 1, and the elements above the main diagonal are linear expressions of the variables of x = (x 1,...,x d ). It is computed by the following expression: d 1 U(x) = I + U i A 1 x, (2) i=1 where the matrices U i have all elements 0 except the elements in the rows from {1,...,i} that are strictly above the main diagonal. Those elements can be either 0 or 1. Once we have a multivariate quadratic quasigroup vv (x 1,...,x d,y 1,...,y d ) = (f 1 (x 1,...,x d,y 1,...,y d ),...,f d (x 1,...,x d,y 1,...,y d )) we will be interested in those quasigroups that will satisfy the following conditions: i {1,...,d},Rank(B fi ) 2d, j {1,...,d}, Rank(B fj ) = 2d 2 (3a) (3b) where matrices B fi are 2d 2d Boolean matrices defined from the expressions f i as B fi = [b j,k ], b j,d+k = b d+k,j = 1, iff x j y k is a term in f i. () Proposition 1. For d = 8, a multivariate quadratic quasigroup that satisfies the conditions (1),..., () can be encoded in a unique way with 81 bytes.

Nonsingular Boolean matrices in MQQ-SIG In MQQ-SIG the nonsingular matrices S are defined by the following expression: S 1 = K I σi, (5) where I σi, i = {1,2,...,K} are permutation matrices of size n = 32 k and where permutations σ i are permutations on n elements. They are defined by the following expressions: { k, if k is odd, K = (6) k +1, if k is even σ 1 random permutation on {1,2,...n} satisfying the condition (8), σ 2 = RotateLeft(σ 1,32) satisfying the condition (8), σ 3 = RotateLeft(σ 2,6) satisfying the condition (8), σ j = RotateLeft(σ j 1,32), for j =,...,K 1, satisfying the condition (8), σ K random permutation on {1,2,...n} satisfying the condition (8) ( 1 2... 8 9... n 1 n σ ν = s (ν) 1 s (ν) 2... s (ν) 8 s (ν) 9... s (ν) n 1 s(ν) n i=1 (7) ), {s (ν) 1,s(ν) 2,...,s(ν) 8 } {1,2,...,8} = (8) where RotateLef t(σ, l) denotes a permutation obtained from the permutation σ by rotating it to the left for l positions. We require an additional condition to be fulfilled by the permutations σ 1,...,σ K : L = σ 1 σ 2.. σ K 1 σ K, is a Latin Rectangle. (9) Once we have a nonsingular matrix S 1 we will compute its inverse obtaining S = (S 1 ) 1 and from there we will obtain the affine transformation S (x) = S x+v, (10) where the vector v is n dimensional Boolean vector defined from the values of the permutation σ K by the following expression: s (K) 65 v = (v 1,v 2,...,v n ), where v i = s(k) 6+ i 2 i mod mod 2. (11) In words: we construct the bits of the vector v by taking the four least significant bits of the values,..., s(k) in the permutation σ K. 6+ n Proposition 2. The linear transformation S 1 can be encoded in a unique way with 2n bytes.

5 Characteristics of the MQQ-SIG digital signature scheme The main characteristics of our MQQ-SIG digital signature scheme can be briefly summarized as follows: there is no message expansion; the length of the signature is n bits where (n = 160,192,22 or 256); its conjectured security level is 2 n 2; its verification speed is comparable to the speed of other multivariate quadratic PKCs; in software its signing speed is in the range of 500 5,000 times faster than RSA and ECC schemes; in hardware its signing or verification speed is more than 10,000 times faster than RSA and ECC schemes; it is also well suited for producing short signatures in smart cards and RFIDs; 5.1 The size of the public and the private key The size of the public key is 0.75 n (1+ n(n+1) 2 ) bits. The private key of our scheme is the tuple (σ 1,σ K, ). The corresponding memory size needed for storage of the private key is 2n+81 bytes. In Table 5 we give the size of the public key (in KBytes) and the size of the private key (in bytes) for n {160,192,22,256}. Size of the Size of the n public key (KBytes) private key (bytes) 160 188.69 01 192 325.71 65 22 516.82 529 256 771.02 593 Table 5. Memory size in KBytes for the public key and in bytes for the private key

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information