An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces

transcript

Chiho Mihara (TOSHIBA Corp.)

2013/03/02

Outline

1. Section Finding Problem(SFP)2. General Solution

How to solve SFP, Relation between MPKC and ASC

3. Security parameters ASC security parameters Complexity parameters in general case

4. Experimental result5. Key Size Estimation6. Conclusion

Main talk

Outline

Given , find such that

1. Section Finding Problem (SFP)Security of Algebraic Surface Cryptosystems(ASC) is based on the difficulty of Section Finding Problem(SFP)

Section Finding Problem(SFP)

),,( tyxX

C： Algebraic Surface (Public Key)

： Section on 　　　　　　　 (Secret Key)

To find Section is Too difficult!!

Outline

We can write down a section as

How to solve SFP(General solution)

degree of

And substitute these into

So the SFP is reduced to a multivariate equation system

(SME(*))

If you solve ,then you can get

(*)Section multivariate equations

Relation between MPKC and ASC

Quadratic multivariate equations1 1 2 1

( , , , )

c x x x y

which is MPKC based on.

Difficulty of SFP on algebraic surface 　　　　　　　　

More general multivariate equations

0),,,,,(

which is ASC based on.

( , , ) 0X x y t

More 3 dimensionalpolynomials

Public key includes multi-variable equations implicitly

3( )O n

( )O n

Outline

Main talk

ASC Security parameters

),,( tyxX

How to solve SFP

cardinality of the base field

degree of the secret section

degree in of the public surface

Number of distinct monomials in

We propose a new security parameter!

Gröbner basis (SME)

Example of NonRed_MonosHow to solve SFP

Algerbraic surface

SectionSolve

ASC security parameter

This example

NonRed_Monos 6

:grand fieldSample image

Complexity parameters in general caseThe Complexity of Solving Multivariable Polynomial Equations

The Complexity ( in general case ) : NP-hardParameters related to the complexity :1. Size of Finite Field : p 　 Complexity 　2. Number of variables : n　　　　　 Complexity 3. Number of equations : m Complexity 4. Sparseness “Sparseness” describe simplicity of equations. Complexity

0),,,(

Multivariable Polynomial Equationover finite field

Parameterin general case

ASC security parameter

n 2d+2

m wd+dc

Sparseness NonRed_Monos

“Sparseness” and NonRed_Monos“Dense” “Sparse”

We consider that NonRed_Monos is a parameter of Sparseness.

19 7NonRed_Monos NonRed_Monos

How to calculate “NonRed_Monos” from surface

Algebraic form

How to calculate “NonRed_Monos”

We can calculate “NonRed_Monos” from “Algebraic form”

If is max (full size),NonRed_Monos is also max.

Maximal NonRed_Monos and d

(w=3:fix)

Data exist

Necessity of NonRed_Monos

For given 2 surfaces X1,X2,(same p,d,w)

which is more difficult to calculate Section?

Question

𝑋 1 (𝑥 , 𝑦 ,𝑡 )

𝑋 2 (𝑥 , 𝑦 ,𝑡 )𝐶2

We can answer this question,because we can calculate NonRed_Monos!

Even if p,d,w has been fixed,there are many surface variations….

Outline

Experiment

OS : centos(Linux) version 2.6CPU : AMD Opteron (tm) 848 (2.00GHz)Memory : 64GByte Software: Magma version 2.15-11

d = 2, 3, 4w = 3, 4, 5

size of finite field

Form of Algebraic surface(random generate)

p = 11degree of

Experimental result

log(time)

log(Mem

NonRed_Monos NonRed_Monos

Process time(left) & Memory use(right) to calculate Groebner basis of

log(time)

NonRed_Monos

Regression formula

Prediction interval of 99.9999 ％ ( )★

Experimental result (statistical)

Prediction interval of 99.9999 ％ ( )★

＝： BEST of Computational Complexity!

Outline

Key size estimation (Gröbner basis)

128bit securityPrediction interval of 99.9999 ％ ( )★

Securer Data

1 2 3 4 5 6 7 8 9 10

Max NonRed_Monos

Data exist

We can choose secure data , d = 8, NonRed_Monos 29000≧

Key size estimation (Exaustive search)

• We estimate Computational Complexity of exhaustive search for (SME) / 　 .

You can reduce to half of variables(by Ogura-Mihara) , so the number of variables in (SME) is d+1.

To satisfy 128bit security( ＝ RSA(3072bit)), d>36 .

(SME(*))

Algorithms D w dc nx* Public Key SizeGröbner basis 8 5 5 20 640 bit

Ogura-Mihara 8 5 5 20 640 bit

Exhaustive search 37 5 5 20 1220 bit

(*)nx: number of terms of algebraic surface (Note: count full terms version in this table)

Outline

Conclusion• We propose new security parameter NonRed_Monos.

We express “Sparseness” as NonRed_Monos.

• We can derive an estimation of computational complexity for the Section Finding Problem on Algebraic Surfaces with high accuracy.

• Recommended Public Key Size of ASC is 1220 bit (128bit security = RSA 3072bit).

Last talk (my failure story)• When I saw the “section finding problem" for the first

time , I think this problem is easy to solve.

• So, we tried to develop a more efficient analysis (over Gröbner basis computation), named Ogura-Mihara algorithm.

• I introduce a concept of Ogura-Mihara algorithm.

Property of Section multivariate equations(SME )

CAT FACE!!

Proposition

Concept of Ogura-Mihara algorithm

Idea! : Reduce “number of valuables” by pseudo division

Vanish!

Gröbner basis

Failure and Conclusion• Indeed, the number of variables is reduced to half, and

in the small parameter, Ogura-Mihara algorithm solves faster than Gröbner basis computation.

• But we found that degrees of section and surface are higher and higher, Ogura-Mihara’ NonRed_Monos significantly bigger and bigger more than the original (SME)’s NonRed_Monos. So it’s not efficient algorithm.

• So when you want to estimate computational complexity such as using Gröbner basis, you need to see NonRed_Monos.

An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces

Documents