An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces

© 2013 Toshiba Corporation

An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces

Chiho Mihara (TOSHIBA Corp.)

2013/03/02

2© 2013 Toshiba Corporation

Outline

1. Section Finding Problem(SFP)2. General Solution

How to solve SFP, Relation between MPKC and ASC

3. Security parameters ASC security parameters Complexity parameters in general case

4. Experimental result5. Key Size Estimation6. Conclusion

Main talk


Outline






Given , find such that

1. Section Finding Problem (SFP)Security of Algebraic Surface Cryptosystems(ASC) is based on the difficulty of Section Finding Problem(SFP)

Section Finding Problem(SFP)

),,( tyxX

C： Algebraic Surface (Public Key)

： Section on 　　　　　　　 (Secret Key)

To find Section is Too difficult!!

Find


Outline






We can write down a section as

How to solve SFP(General solution)

degree of

And substitute these into

So the SFP is reduced to a multivariate equation system

(SME(*))

If you solve ,then you can get

(*)Section multivariate equations


Relation between MPKC and ASC

Quadratic multivariate equations1 1 2 1

1 2

( , , , )

( , , , )

n

m n m

c x x x y

c x x x y

which is MPKC based on.

MPKC

Difficulty of SFP on algebraic surface 　　　　　　　　

More general multivariate equations

0),,,,,(

0),,,,,(

00

000

ddr

dd

c

c

which is ASC based on.

( , , ) 0X x y t

More 3 dimensionalpolynomials

Public key includes multi-variable equations implicitly

3( )O n

( )O n

ASC


Outline





Main talk


ASC Security parameters

),,( tyxX

),,( tyxX

C

How to solve SFP

cardinality of the base field

degree of the secret section

degree in of the public surface

Number of distinct monomials in

We propose a new security parameter!

(SME)

Gröbner basis (SME)


Example of NonRed_MonosHow to solve SFP

Algerbraic surface

SectionSolve

ASC security parameter

This example

p 11

d 1

w 3

NonRed_Monos 6

:grand fieldSample image


Complexity parameters in general caseThe Complexity of Solving Multivariable Polynomial Equations

The Complexity ( in general case ) : NP-hardParameters related to the complexity :1. Size of Finite Field : p 　 Complexity 　2. Number of variables : n　　　　　 Complexity 3. Number of equations : m Complexity 4. Sparseness “Sparseness” describe simplicity of equations. Complexity

0),,,(

0),,,(

21

211

nm

n

xxxf

xxxf

Multivariable Polynomial Equationover finite field

Parameterin general case

ASC security parameter

p p

n 2d+2

m wd+dc

Sparseness NonRed_Monos


“Sparseness” and NonRed_Monos“Dense” “Sparse”

hard

We consider that NonRed_Monos is a parameter of Sparseness.

19 7NonRed_Monos NonRed_Monos

easy


How to calculate “NonRed_Monos” from surface

Algebraic form

How to calculate “NonRed_Monos”

We can calculate “NonRed_Monos” from “Algebraic form”

If is max (full size),NonRed_Monos is also max.

Non

Red

_Mon

os

d

Maximal NonRed_Monos and d

(w=3:fix)

Data exist


Necessity of NonRed_Monos

For given 2 surfaces X1,X2,(same p,d,w)

which is more difficult to calculate Section?

Question

𝑋 1 (𝑥 , 𝑦 ,𝑡 )

𝐶1

𝑋 2 (𝑥 , 𝑦 ,𝑡 )𝐶2

We can answer this question,because we can calculate NonRed_Monos!

Even if p,d,w has been fixed,there are many surface variations….


Outline






Experiment

OS : centos(Linux) version 2.6CPU : AMD Opteron (tm) 848 (2.00GHz)Memory : 64GByte Software: Magma version 2.15-11

d = 2, 3, 4w = 3, 4, 5

= 40

size of finite field

Form of Algebraic surface(random generate)

p = 11degree of


Experimental result

log(time)

log(Mem

ory)

NonRed_Monos NonRed_Monos

Process time(left) & Memory use(right) to calculate Groebner basis of

w


log(time)

NonRed_Monos

d234

Regression formula

Prediction interval of 99.9999 ％ ( )★

Experimental result (statistical)

Prediction interval of 99.9999 ％ ( )★

＝： BEST of Computational Complexity!


Outline






Key size estimation (Gröbner basis)

FIX

d

128bit securityPrediction interval of 99.9999 ％ ( )★

Securer Data

Non

Red

_Mon

os

1 2 3 4 5 6 7 8 9 10

Max NonRed_Monos

Data exist

We can choose secure data , d = 8, NonRed_Monos 29000≧


Key size estimation (Exaustive search)

• We estimate Computational Complexity of exhaustive search for (SME) / 　 .

You can reduce to half of variables(by Ogura-Mihara) , so the number of variables in (SME) is d+1.

To satisfy 128bit security( ＝ RSA(3072bit)), d>36 .

(SME(*))

Algorithms D w dc nx* Public Key SizeGröbner basis 8 5 5 20 640 bit

Ogura-Mihara 8 5 5 20 640 bit

Exhaustive search 37 5 5 20 1220 bit

(*)nx: number of terms of algebraic surface (Note: count full terms version in this table)


Outline






Conclusion• We propose new security parameter NonRed_Monos.

We express “Sparseness” as NonRed_Monos.

• We can derive an estimation of computational complexity for the Section Finding Problem on Algebraic Surfaces with high accuracy.

• Recommended Public Key Size of ASC is 1220 bit (128bit security = RSA 3072bit).


Last talk (my failure story)• When I saw the “section finding problem" for the first

time , I think this problem is easy to solve.

• So, we tried to develop a more efficient analysis (over Gröbner basis computation), named Ogura-Mihara algorithm.

• I introduce a concept of Ogura-Mihara algorithm.


Property of Section multivariate equations(SME )

CAT FACE!!

Proposition


Concept of Ogura-Mihara algorithm

Idea! : Reduce “number of valuables” by pseudo division

Vanish!

Vanish!

Gröbner basis


Failure and Conclusion• Indeed, the number of variables is reduced to half, and

in the small parameter, Ogura-Mihara algorithm solves faster than Gröbner basis computation.

• But we found that degrees of section and surface are higher and higher, Ogura-Mihara’ NonRed_Monos significantly bigger and bigger more than the original (SME)’s NonRed_Monos. So it’s not efficient algorithm.

• So when you want to estimate computational complexity such as using Gröbner basis, you need to see NonRed_Monos.


Documents

An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces