an estimation of computational complexity for the section finding problem on algebraic surfaces
DESCRIPTION
An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces. C hiho Mihara (TOSHIBA C orp.). 2013/03/02. Outline. Section Finding Problem(SFP) General Solution How to solve SFP, Relation between MPKC and ASC Security parameters - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/1.jpg)
© 2013 Toshiba Corporation
An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces
Chiho Mihara (TOSHIBA Corp.)
2013/03/02
![Page 2: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/2.jpg)
2© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
Main talk
![Page 3: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/3.jpg)
3© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
![Page 4: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/4.jpg)
4© 2013 Toshiba Corporation
Given , find such that
1. Section Finding Problem (SFP)Security of Algebraic Surface Cryptosystems(ASC) is based on the difficulty of Section Finding Problem(SFP)
Section Finding Problem(SFP)
),,( tyxX
C: Algebraic Surface (Public Key)
: Section on (Secret Key)
To find Section is Too difficult!!
Find
![Page 5: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/5.jpg)
5© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
![Page 6: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/6.jpg)
6© 2013 Toshiba Corporation
We can write down a section as
How to solve SFP(General solution)
degree of
And substitute these into
So the SFP is reduced to a multivariate equation system
(SME(*))
If you solve ,then you can get
(*)Section multivariate equations
![Page 7: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/7.jpg)
7© 2013 Toshiba Corporation
Relation between MPKC and ASC
Quadratic multivariate equations1 1 2 1
1 2
( , , , )
( , , , )
n
m n m
c x x x y
c x x x y
which is MPKC based on.
MPKC
Difficulty of SFP on algebraic surface
More general multivariate equations
0),,,,,(
0),,,,,(
00
000
ddr
dd
c
c
which is ASC based on.
( , , ) 0X x y t
More 3 dimensionalpolynomials
Public key includes multi-variable equations implicitly
3( )O n
( )O n
ASC
![Page 8: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/8.jpg)
8© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
Main talk
![Page 9: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/9.jpg)
9© 2013 Toshiba Corporation
ASC Security parameters
),,( tyxX
),,( tyxX
C
How to solve SFP
cardinality of the base field
degree of the secret section
degree in of the public surface
Number of distinct monomials in
We propose a new security parameter!
(SME)
Gröbner basis (SME)
![Page 10: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/10.jpg)
10© 2013 Toshiba Corporation
Example of NonRed_MonosHow to solve SFP
Algerbraic surface
SectionSolve
ASC security parameter
This example
p 11
d 1
w 3
NonRed_Monos 6
:grand fieldSample image
![Page 11: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/11.jpg)
11© 2013 Toshiba Corporation
Complexity parameters in general caseThe Complexity of Solving Multivariable Polynomial Equations
The Complexity ( in general case ) : NP-hardParameters related to the complexity :1. Size of Finite Field : p Complexity 2. Number of variables : n Complexity 3. Number of equations : m Complexity 4. Sparseness “Sparseness” describe simplicity of equations. Complexity
0),,,(
0),,,(
21
211
nm
n
xxxf
xxxf
Multivariable Polynomial Equationover finite field
Parameterin general case
ASC security parameter
p p
n 2d+2
m wd+dc
Sparseness NonRed_Monos
![Page 12: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/12.jpg)
12© 2013 Toshiba Corporation
“Sparseness” and NonRed_Monos“Dense” “Sparse”
hard
We consider that NonRed_Monos is a parameter of Sparseness.
19 7NonRed_Monos NonRed_Monos
easy
![Page 13: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/13.jpg)
13© 2013 Toshiba Corporation
How to calculate “NonRed_Monos” from surface
Algebraic form
How to calculate “NonRed_Monos”
We can calculate “NonRed_Monos” from “Algebraic form”
If is max (full size),NonRed_Monos is also max.
Non
Red
_Mon
os
d
Maximal NonRed_Monos and d
(w=3:fix)
Data exist
![Page 14: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/14.jpg)
14© 2013 Toshiba Corporation
Necessity of NonRed_Monos
For given 2 surfaces X1,X2,(same p,d,w)
which is more difficult to calculate Section?
Question
𝑋 1 (𝑥 , 𝑦 ,𝑡 )
𝐶1
𝑋 2 (𝑥 , 𝑦 ,𝑡 )𝐶2
We can answer this question,because we can calculate NonRed_Monos!
Even if p,d,w has been fixed,there are many surface variations….
![Page 15: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/15.jpg)
15© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
![Page 16: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/16.jpg)
16© 2013 Toshiba Corporation
Experiment
OS : centos(Linux) version 2.6CPU : AMD Opteron (tm) 848 (2.00GHz)Memory : 64GByte Software: Magma version 2.15-11
d = 2, 3, 4w = 3, 4, 5
= 40
size of finite field
Form of Algebraic surface(random generate)
p = 11degree of
![Page 17: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/17.jpg)
17© 2013 Toshiba Corporation
Experimental result
log(time)
log(Mem
ory)
NonRed_Monos NonRed_Monos
Process time(left) & Memory use(right) to calculate Groebner basis of
w
![Page 18: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/18.jpg)
18© 2013 Toshiba Corporation
log(time)
NonRed_Monos
d234
Regression formula
Prediction interval of 99.9999 % ( )★
Experimental result (statistical)
Prediction interval of 99.9999 % ( )★
=: BEST of Computational Complexity!
![Page 19: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/19.jpg)
19© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
![Page 20: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/20.jpg)
20© 2013 Toshiba Corporation
Key size estimation (Gröbner basis)
FIX
d
128bit securityPrediction interval of 99.9999 % ( )★
Securer Data
Non
Red
_Mon
os
1 2 3 4 5 6 7 8 9 10
Max NonRed_Monos
Data exist
We can choose secure data , d = 8, NonRed_Monos 29000≧
![Page 21: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/21.jpg)
21© 2013 Toshiba Corporation
Key size estimation (Exaustive search)
• We estimate Computational Complexity of exhaustive search for (SME) / .
You can reduce to half of variables(by Ogura-Mihara) , so the number of variables in (SME) is d+1.
To satisfy 128bit security( = RSA(3072bit)), d>36 .
(SME(*))
Algorithms D w dc nx* Public Key SizeGröbner basis 8 5 5 20 640 bit
Ogura-Mihara 8 5 5 20 640 bit
Exhaustive search 37 5 5 20 1220 bit
(*)nx: number of terms of algebraic surface (Note: count full terms version in this table)
![Page 22: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/22.jpg)
22© 2013 Toshiba Corporation
Outline
1. Section Finding Problem(SFP)2. General Solution
How to solve SFP, Relation between MPKC and ASC
3. Security parameters ASC security parameters Complexity parameters in general case
4. Experimental result5. Key Size Estimation6. Conclusion
![Page 23: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/23.jpg)
23© 2013 Toshiba Corporation
Conclusion• We propose new security parameter NonRed_Monos.
We express “Sparseness” as NonRed_Monos.
• We can derive an estimation of computational complexity for the Section Finding Problem on Algebraic Surfaces with high accuracy.
• Recommended Public Key Size of ASC is 1220 bit (128bit security = RSA 3072bit).
![Page 24: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/24.jpg)
24© 2013 Toshiba Corporation
Last talk (my failure story)• When I saw the “section finding problem" for the first
time , I think this problem is easy to solve.
• So, we tried to develop a more efficient analysis (over Gröbner basis computation), named Ogura-Mihara algorithm.
• I introduce a concept of Ogura-Mihara algorithm.
![Page 25: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/25.jpg)
25© 2013 Toshiba Corporation
Property of Section multivariate equations(SME )
CAT FACE!!
Proposition
![Page 26: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/26.jpg)
26© 2013 Toshiba Corporation
Concept of Ogura-Mihara algorithm
Idea! : Reduce “number of valuables” by pseudo division
Vanish!
Vanish!
Gröbner basis
![Page 27: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/27.jpg)
27© 2013 Toshiba Corporation
Failure and Conclusion• Indeed, the number of variables is reduced to half, and
in the small parameter, Ogura-Mihara algorithm solves faster than Gröbner basis computation.
• But we found that degrees of section and surface are higher and higher, Ogura-Mihara’ NonRed_Monos significantly bigger and bigger more than the original (SME)’s NonRed_Monos. So it’s not efficient algorithm.
• So when you want to estimate computational complexity such as using Gröbner basis, you need to see NonRed_Monos.
![Page 28: An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces](https://reader036.vdocument.in/reader036/viewer/2022081507/568163f8550346895dd59014/html5/thumbnails/28.jpg)
28© 2013 Toshiba Corporation