
Uploaded by cassius-puodzius on 30-Nov-2014.

DESCRIPTION

Seminar of Post-Quantum Cryptography at TU Darmstadt, supervised by Dr. Stanislav Bulygin.


Page 1: Public-Key Identification Schemes Based on Multivariate Polynomials

Public-Key Identification Schemes Based on

Multivariate Polynomials

Cassius Puodzius

July 27, 2012

1 Introduction

Identification schemes give a verifier a way to check the identity of a remote party. Commonly this is done with a password, which is supposed to be known only by its owner; nevertheless, such a scheme sometimes does not meet the security requirements. Therefore there are schemes in which identity is based on the possession of a key and not only on some memorizable secret. This seminar approaches a family of identification protocols based on the possession of a key, under the assumption that solving systems of multivariate polynomial equations is hard.

Multivariate polynomials enjoy great security features. The problem related to them is to find any solution of a system of multivariate polynomial equations, and it is known to be NP-complete. The best general attack uses Gröbner bases; however, if the number of variables n in each equation and the number of equations m are of the same order (i.e. m = Θ(n)), then this attack is exponential not only in time but also in memory. Furthermore, there is no known quantum algorithm able to find a solution to such systems of multivariate polynomial equations.

To describe it more concretely, a scenario is crafted in which Peggy or Oscar, as a prover, wants to prove or impersonate Peggy's identity to Victor, who acts as a verifier. After the protocol has run, Victor must be able to decide with overwhelming probability whether the prover is Peggy or Oscar.

This seminar discusses identification schemes in general and then presents a 3-pass protocol based on quadratic polynomials. The 3-pass protocol was implemented for the seminar, in order to illustrate one round with a legitimate prover, or to check for how many rounds an illegitimate prover could fool the verifier.


2 Identification Schemes (general)

In an identification scheme a prover and a verifier take part in a protocol. Our legitimate prover is called Peggy, the illegitimate prover is Oscar and the verifier is Victor. In such a scheme Peggy wants to prove to Victor that she is actually Peggy. On the other hand, Victor wants to be sure that Oscar is not trying to impersonate Peggy.

The technique used to accomplish the verification is challenge-response: Victor prepares a challenge that can only be solved with the knowledge of some secret belonging to Peggy, and Peggy sends the response back to Victor. This challenge-response procedure is repeated as many times as required until Victor believes, with overwhelming probability, that the prover is actually Peggy. In each round, if the prover answers the challenge correctly, then Victor moves on to the next one; however, if the prover's response is wrong, then the interaction ceases and Victor rejects the claim that the prover is Peggy.

Extra care is taken to prevent Victor from crafting specific challenges that would let him learn Peggy's secret and thus impersonate her in the future: Peggy chooses a set of challenge candidates and sends them to Victor, who chooses one of them and sends it back to Peggy.

The features desired in the protocol are:

• Completeness: if the prover knows the secret, then after the interaction Victor can trust that the prover is actually Peggy (with very high probability).

• Soundness: if the prover is not Peggy, then he/she cannot fool Victor (with very high probability).

• Zero-knowledge: the interactive proof grants no information to the verifier beyond what he could have obtained by himself.

Cut-and-choose is a paradigm for achieving zero-knowledge in which Peggy divides her secret into shares and proves knowledge of (some of) them, according to Victor's choice. Moreover, none of the revealed shares discloses the secret itself.

3 MQ Problem

Given $x \in \mathbb{F}_q^n$, a function $f_l : \mathbb{F}_q^n \to \mathbb{F}_q$ is defined as

$$f_l(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} a_{l,i,j}\, x_i x_j + \sum_{i=1}^{n} b_{l,i}\, x_i$$

An MQ function $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is then defined as

$$F(x) = (f_1(x), \ldots, f_m(x))$$

In this vein, the MQ problem is to find some $x'$ such that $F(x') = y$, given $y = F(x)$.


From $F(x)$ one can define its polar form $G(x, y) = F(x + y) - F(x) - F(y)$, which has the important property of being bilinear.

4 3-Pass protocol

4.1 The importance of G(x, y) being bilinear

The property of bilinearity is used in the cut technique. From the secret key one obtains shares of it that are independent of each other. The cuts can be done as follows.

From the secret key $s$ and the public key $v = F(s)$, the first cut is:

$$s = r_0 + r_1$$

$$v = F(r_0 + r_1) = F(r_0) + F(r_1) + G(r_0, r_1)$$

Since $G(r_0, r_1)$ still depends on $r_0$ and $r_1$, we repeat the cut with $r_0 = t_0 + t_1$ and $F(r_0) = e_0 + e_1$:

$$\begin{aligned} v &= F(r_0) + F(r_1) + G(t_0 + t_1, r_1) \\ &= e_0 + e_1 + F(r_1) + G(t_0, r_1) + G(t_1, r_1) \\ &= (G(t_0, r_1) + e_0) + (F(r_1) + G(t_1, r_1) + e_1) \end{aligned}$$

Hence each share depends directly either on $(r_1, t_0, e_0)$ or on $(r_1, t_1, e_1)$.

4.2 String Commitment Function

This protocol uses a string commitment function to commit the prover to responses without revealing them, which lets Victor verify the validity of these responses afterwards. Thus Peggy computes $c \leftarrow \mathrm{Com}(s; \rho)$ and sends it to Victor. Later Peggy sends $s$ and $\rho$ to Victor, who verifies whether $c \stackrel{?}{=} \mathrm{Com}(s; \rho)$.

The function Com is statistically hiding and computationally binding, i.e.:

1. Statistically hiding: no receiver is able to distinguish between $\mathrm{Com}(s_1; \rho_1)$ and $\mathrm{Com}(s_2; \rho_2)$.

2. Computationally binding: no sender is able to find in polynomial time $(s_2; \rho_2)$ with $s_2 \neq s_1$ such that $\mathrm{Com}(s_1; \rho_1) = \mathrm{Com}(s_2; \rho_2)$.

4.3 Protocol

The setup of this protocol is to publicly agree on the parameters of MQ(m, n, $\mathbb{F}_q$) and on the system of polynomial equations. To avoid a large number of communication bits for describing the system, one can define it by the seed of a pseudo-random generator that outputs each coefficient. Moreover, Peggy's public key is also disclosed.

Figure 1: 3-pass identification protocol

The protocol is illustrated in [3] as in Figure 1.
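As an added example (not the page's C++ program and not code from [3]), the MQ function of section 3, its polar form, the cut of section 4.1 and one round of the 3-pass protocol, written in Python over GF(2) with the page's toy parameters n = 6, m = 5. The round structure (three commitments, a challenge in {0, 1, 2}, the opened shares and Victor's checks) follows the protocol of [3]; the SHA-256 commitment with a 16-byte ρ and the seeded coefficient generation are assumptions of this example.

```python
import hashlib, os, random
N, M = 6, 5  # toy parameters of the page's own demo program: 6 variables, 5 equations over GF(2)

def add(a, b):  # vector addition in GF(2)^k is XOR; subtraction is the same operation
    return tuple(x ^ y for x, y in zip(a, b))

def make_mq(seed):  # coefficients a[l][i][j] (used for j >= i) and b[l][i] of each f_l, from a PRG seed
    rng = random.Random(seed)
    return ([[[rng.randrange(2) for _ in range(N)] for _ in range(N)] for _ in range(M)],
            [[rng.randrange(2) for _ in range(N)] for _ in range(M)])

def F(sys, x):  # F(x) = (f_1(x), ..., f_m(x)), f_l(x) = sum_{i<=j} a_{l,i,j} x_i x_j + sum_i b_{l,i} x_i
    A, B = sys
    return tuple((sum(A[l][i][j] & x[i] & x[j] for i in range(N) for j in range(i, N))
                  + sum(B[l][i] & x[i] for i in range(N))) & 1 for l in range(M))

def G(sys, x, y):  # polar form G(x, y) = F(x + y) - F(x) - F(y); bilinear and symmetric
    return add(add(F(sys, add(x, y)), F(sys, x)), F(sys, y))

def bilinear(sys, x, y, z):  # the property section 4.1 relies on: G(x + y, z) = G(x, z) + G(y, z)
    return G(sys, add(x, y), z) == add(G(sys, x, z), G(sys, y, z))

def com(data, rho):  # Com(s; rho) as a SHA-256 commitment (assumption; the page only needs hiding + binding)
    return hashlib.sha256(repr(data).encode() + rho).hexdigest()

def prover_commit(sys, s, rng):  # pass 1: cut s = r0 + r1, r0 = t0 + t1, F(r0) = e0 + e1 and commit
    r0, t0, e0 = [tuple(rng.randrange(2) for _ in range(k)) for k in (N, N, M)]
    r1, t1, e1 = add(s, r0), add(r0, t0), add(F(sys, r0), e0)
    rho = [os.urandom(16) for _ in range(3)]
    c = (com((r1, add(G(sys, t0, r1), e0)), rho[0]), com((t0, e0), rho[1]), com((t1, e1), rho[2]))
    return c, dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1, rho=rho)

def prover_respond(st, ch):  # pass 3: reveal the shares (and rho's) that open the two commitments ch asks for
    names = {0: ("r0", "t1", "e1"), 1: ("r1", "t1", "e1"), 2: ("r1", "t0", "e0")}[ch]
    opened = {0: (1, 2), 1: (0, 2), 2: (0, 1)}[ch]
    return tuple(st[k] for k in names), tuple(st["rho"][i] for i in opened)

def verify(sys, v, c, ch, rsp, rho):  # Victor recomputes the two opened shares and checks them against c
    a, b, d = rsp
    if ch == 0:  # (r0, t1, e1): t0 = r0 - t1 and e0 = F(r0) - e1 must open c1; (t1, e1) opens c2
        return c[1] == com((add(a, b), add(F(sys, a), d)), rho[0]) and c[2] == com((b, d), rho[1])
    if ch == 1:  # (r1, t1, e1): G(t0, r1) + e0 = v - F(r1) - G(t1, r1) - e1 by the cut identity of 4.1
        w = add(add(add(v, F(sys, a)), G(sys, b, a)), d)
        return c[0] == com((a, w), rho[0]) and c[2] == com((b, d), rho[1])
    return c[0] == com((a, add(G(sys, b, a), d)), rho[0]) and c[1] == com((b, d), rho[1])  # ch == 2

def run_round(sys, s, v, ch, seed=0):  # one round with an honest prover holding s; True iff Victor accepts
    c, st = prover_commit(sys, s, random.Random(seed))
    rsp, rho = prover_respond(st, ch)
    return verify(sys, v, c, ch, rsp, rho)
```

Only the challenge ch = 1 involves the public key v, which is why a single round has knowledge error 2/3 and the page's 52 rounds are needed for an impersonation probability below 2^-30.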

4.3.1 Completeness

Peggy will always give the right answer to Victor: once she has sent $(c_0, c_1, c_2)$ and $r_0$, $t_0$ and $e_0$ are fixed, there is no further randomness.

4.3.2 Soundness

The following theorem is stated in [3]:

Theorem. The 3-pass protocol is an argument of knowledge for $R_F$ with knowledge error 2/3 when the commitment scheme Com is computationally binding, where

$$R_F = \{ (v, x) \in \mathbb{F}_q^m \times \mathbb{F}_q^n : v = F(x) \}$$

Therefore, after enough rounds, the probability of impersonation by Oscar is negligible.

4.3.3 Zero-Knowledge

The following theorem is also stated in [3]:

Theorem. The 3-pass protocol is statistically zero-knowledge when the commitment scheme Com is statistically hiding.

Therefore Victor has access only to $r_0$ or $r_1$, $t_0$ or $t_1$, $e_0$ or $e_1$, which are completely random. This is due to the cut-and-choose paradigm, which separates the private key into a $(t_0, e_0)$ part and a $(t_1, e_1)$ part.

4.3.4 Security

The parameters for 80-bit security are:

• n ← 80

• m ← 84

• q ← 2, i.e. the field is $\mathbb{F}_2$

The best known attack is an improved exhaustive search algorithm [2] [3], which runs in time $2^{88.7}$.

In terms of impersonation, [1] shows that Victor needs almost as many rounds as the desired security level. For an impersonation probability below $2^{-30}$, the number of rounds needed is 52 [3].

4.4 Efficiency

For a security level of 80 bits the key sizes are quasi-optimal: 80 bits for the private key and 84 bits for the public key. The description of the system could take 285,600 bits, but it can be reduced to a small seed of 128 bits [3]. All computations are made in GF(2), so the protocol is quite efficient. Moreover, there are only 4 calls to the commitment function per round, which is usually negligible compared with the time spent on the network carrying messages between the prover and Victor.

4.4.1 Implementation

A program was implemented in C++ to illustrate all the computation during the 3-pass protocol based on MQ. To make it visual, only a toy example is presented; nevertheless, the program could be expanded to a real secure instance just by setting the suitable parameters in the code. The parameters adopted were n = 6 and m = 5 over GF(2); however, no change in efficiency is noticed when the parameters are set to the secure ones.

The program begins with the selection of the prover (fig. 2). If one chooses Peggy (fig. 3), then only one round is performed, since by the completeness of the protocol she will be able to respond correctly in all 52 rounds needed to identify herself. On the other hand, if one chooses Oscar (fig. 4), then rounds are repeated as long as he is able to fool Victor. In each round Oscar randomly chooses a key and performs the attack described in [3], which gives him a 2/3 chance of successfully fooling Victor. Although, due to the small parameters, it is not unusual for Oscar to randomly generate Peggy's private key in some rounds, Oscar was never able to fool Victor more than 8 times during the experiments.

Figure 2: Selection of the prover

Figure 3: Program running with Peggy as a prover

Figure 4: Program running with Oscar as a prover

5 Conclusion

An identification scheme based on the hardness of the MQ problem was presented. It is suitable for scenarios in which very accurate identification is desired, since it demands the possession of a key, which is harder to attack than a memorizable password. The general concepts of an identification scheme were discussed, along with the properties that must hold, such as completeness, soundness and zero-knowledge.

The focus was a 3-pass protocol, which also requires a commitment function that must be computationally binding and statistically hiding. Therefore the MQ problem was presented and the reason why it is important for $G(x, y)$ to be bilinear was discussed. Secure parameters and an implementation were provided, with which it was possible to appreciate the high efficiency of this protocol. To make the program visual for the talk, toy parameters were set. The program consists in choosing a prover, Peggy or Oscar, and following all challenges and responses to Victor: if the prover is Peggy, then just one round is displayed; if the prover is Oscar, then it is checked for how many rounds Oscar could fool Victor (with the impersonation described in [3]).

References

[1] Mihir Bellare and Oded Goldreich. On defining proofs of knowledge. Pages 390–420. Springer-Verlag, 1998.

[2] Charles Bouillaguet, Hsieh-Chung Chen, Chen-Mou Cheng, Tung Chou, Ruben Niederhagen, Adi Shamir, and Bo-Yin Yang. Fast exhaustive search for polynomial systems in F2. In Proceedings of the 12th International Conference on Cryptographic Hardware and Embedded Systems, CHES'10, pages 203–218, Berlin, Heidelberg, 2010. Springer-Verlag.

[3] Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Public-key identification schemes based on multivariate quadratic polynomials. In CRYPTO, pages 706–723, 2011.