1 Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes
Albrecht Petzoldt, Stanislav Bulygin and Johannes Buchmann
TU Darmstadt, Germany
PQCrypto 2013, Limoges, France, 05 June 2013

2 Outline
1. Motivation: Multivariate Cryptography
2. The UOV Signature Scheme
3. UOV Schemes with partially circulant Public Key
4. The Verification Process
5. Extension to Rainbow
6. Hybrid approach and Application to QUAD (eprint)
7. Experiments and Results
8. Conclusion
05.06.2013 | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 2

3 Multivariate Cryptography
Problem MQ: Finding a vector such that is a hard task.

4 Multivariate Cryptography (2)
Construction
- Start with an easily invertible quadratic map (central map)
- Combine it with two invertible affine maps and
- The public key is supposed to look like a random system

5 Multivariate Cryptography (3): Signature Schemes
Signature generation: For a hash value compute recursively , and . The signature of the document is .
Signature verification: To verify the authenticity of a signature, one computes . If holds, the signature is accepted, otherwise rejected.

6 Multivariate Cryptography (4)
Advantages:
- Secure against attacks with quantum computers
- Great diversity of schemes and variations
- Enables fast en- and decryption as well as signature generation and verification
- Requires modest computational resources → can be implemented on low-cost smart cards

7 Multivariate Cryptography (5)
Major drawbacks:
- Relatively young field of research → security is not so well understood
- No explicit parameter choices to meet given security levels known
- Large size of the public and private keys → multivariate cryptography is not yet widely spread

8 The UOV Signature Scheme
- Two types of variables: Vinegar and Oil
- Central map
- Inversion of :
  1. Choose the Vinegar variables at random
  2. Solve the resulting linear system for the Oil variables
- Public Key: with an affine map.
- Private Key: , .
[Figure annotations on the central map: linear, constant, linear in O, o equations]

9 Partially Circulant UOV Schemes
[Figure only]

10 Partially Circulant UOV Schemes (2)
[Figure only]

11 Partially Circulant UOV Schemes (2)
[Figure; annotation: linear terms]

12 Partially Circulant UOV Schemes (2)
[Figure; annotation: linear terms]

13 The verification process (1)
Standard approach
- Signature
- Vector (of monomials)
- Macaulay matrix

14 The verification process (2)
Alternative approach
- Extended signature vector
- Matrix MP(k)

15 Example (o,v)=(2,4)

$= (a s_1,\; b s_1 + g s_2,\; c s_1 + h s_2 + l s_3,\; d s_1 + i s_2 + m s_3 + p s_4,\; e s_1 + j s_2 + n s_3 + q s_4 + \ldots,\; f s_1 + k s_2 + o s_3 + r s_4 + \ldots,\; \ldots) \cdot (s_1, \ldots, s_6, 1)^T$

$= (r s_1,\; a s_1 + f s_2,\; b s_1 + g s_2 + k s_3,\; c s_1 + h s_2 + l s_3 + o s_4,\; d s_1 + i s_2 + m s_3 + p s_4 + \ldots,\; e s_1 + j s_2 + n s_3 + q s_4 + \ldots,\; \ldots) \cdot (s_1, \ldots, s_6, 1)^T$
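The following is an added example (not code from the slides or the authors) that builds a toy public key with the coefficient layout of slides 13 to 15 and checks that the standard route (Macaulay matrix times monomial vector) and the alternative route (extended signature vector folded into the upper-triangular matrix MP(k)) return the same values. It assumes GF(31), (o,v)=(2,4), and that the second polynomial's circulant block is the first one rotated right by one position, as the two bracketed row vectors above show (a..r are the 18 circulant coefficients, the omitted entries are random).

```python
import random

# Added example, not from the slides: (o,v)=(2,4) over GF(31), as on slide 15.
q, v, o = 31, 4, 2
n = v + o
# Monomial order of the slide: x1x1, x1x2, ..., x1x6, x2x2, ..., x6x6 (0-based here).
quad_monos = [(i, j) for i in range(n) for j in range(i, n)]
# Circulant block = monomials with at least one vinegar index (a..r on the slide).
circ_monos = [m for m in quad_monos if m[0] < v]
D = len(circ_monos)                     # v(v+1)/2 + o*v = 18

def keygen(seed):
    """Row 0 of the circulant block is random; row k is row 0 rotated right by k.
    Oil x oil, linear and constant coefficients are random (the omitted entries)."""
    rng = random.Random(seed)
    first = [rng.randrange(q) for _ in range(D)]
    pk = []
    for k in range(o):
        coeffs = dict(zip(circ_monos, first[-k:] + first[:-k]))
        for m in quad_monos:
            if m not in coeffs:
                coeffs[m] = rng.randrange(q)
        lin = [rng.randrange(q) for _ in range(n)]
        pk.append((coeffs, lin, rng.randrange(q)))
    return pk

def verify_standard(pk, s):
    """Standard approach: Macaulay matrix times the monomial vector (x_i x_j, x_i, 1)."""
    monos = [s[i] * s[j] for (i, j) in quad_monos] + list(s) + [1]
    out = []
    for coeffs, lin, const in pk:
        row = [coeffs[m] for m in quad_monos] + lin + [const]
        out.append(sum(r * m for r, m in zip(row, monos)) % q)
    return out

def verify_alternative(pk, s):
    """Alternative approach: fold the extended signature (s,1) into the upper-triangular
    matrix MP(k) (giving the bracketed row vector of slide 15), then dot with (s,1)."""
    ext = list(s) + [1]
    out = []
    for coeffs, lin, const in pk:
        mp = [[0] * (n + 1) for _ in range(n + 1)]
        for (i, j), c in coeffs.items():
            mp[i][j] = c
        for i in range(n):
            mp[i][n] = lin[i]              # linear terms in the last column
        mp[n][n] = const
        folded = [sum(ext[i] * mp[i][j] for i in range(n + 1)) % q for j in range(n + 1)]
        out.append(sum(f * e for f, e in zip(folded, ext)) % q)
    return out
```

Verification compares the returned list with the hash-derived target; here the point is only that both evaluation orders agree and that the second row reuses the first row's coefficients shifted by one place.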

16 Extension to Rainbow
- Several layers of Oil and Vinegar
- Use the same idea as for UOV for each Rainbow layer separately

17 Hybrid approach (eprint)
- Evaluate the structured part with the alternative approach and the random-looking part with the standard approach
[Figure: UOV]

18 Hybrid approach (2)
[Figure: Rainbow, first layer]

19 Hybrid approach (3)
[Figure: Rainbow, second layer]

20 Application to QUAD (eprint)
- The systems and can be chosen partially circulant
- Experiments indicate that this does not weaken the security of the scheme
- Key stream generation can be sped up significantly

21 Experiments and Results (1)

Scheme                   Public key size (kB)  Reduction factor  Verification time (ms)  Speed-up factor
UOV(256,28,56)           99.9                  -                 0.98 (standard)         -
cyclicUOV(256,28,56)     16.5                  6.1               0.20 (alternative)      4.9
                                                                 0.18 (hybrid)           5.5
UOV(31,33,66)            108.5                 -                 1.75 (standard)         -
cyclicUOV(31,33,66)      17.1                  6.3               0.34 (alternative)      5.5
                                                                 0.32 (hybrid)           5.7

Implementation in C; Lenovo ThinkPad, Intel Core 2 Duo 2.53 GHz, 4 GB RAM

22 Experiments and Results (2)

Scheme                        Public key size (kB)  Reduction factor  Verification time (ms)  Speed-up factor
Rainbow(256,17,13,13)         25.1                  -                 0.26 (standard)         -
cyclicRainbow(256,17,13,13)   9.5                   2.6               0.12 (alternative)      2.1
                                                                      0.12 (hybrid)           2.1
Rainbow(31,14,19,14)          25.3                  -                 0.45 (standard)         -
cyclicRainbow(31,14,19,14)    9.5                   2.6               0.22 (alternative)      2.0
                                                                      0.19 (hybrid)           2.3

23 Experiments and Results (3)

Scheme               Data throughput (kB/s)  CPU cycles/byte  Speed-up factor
QUAD(16,30)          71.7                    35,265           -
cyclicQUAD(16,30)    458.3                   5,513            6.4
QUAD(256,26)         157.3                   15,777           -
cyclicQUAD(256,26)   853.6                   2,820            5.5

24 Conclusion
Structured versions of UOV
- Reduce public key size
- Speed up the verification process
- Technique can be extended to Rainbow and QUAD
[Figure values: 99.9 kB / 16.5 kB; 0.98 ms / 0.19 ms; 15,777 cycles/byte / 2,820 cycles/byte; 0.26 ms / 0.12 ms]

25 Thank you for your attention
www.eprint.iacr.org/2013/263
www.eprint.iacr.org/2013/315
Questions?
