WO2009115824A1 - Encryption method - Google Patents


Info

Publication number
WO2009115824A1
Authority
WO
WIPO (PCT)
Prior art keywords
mqqs
public key
multivariate quadratic
quasigroups
private key
Prior art date
Application number
PCT/GB2009/000761
Other languages
French (fr)
Inventor
Danilo Gligoroski
Svein Johan Knapskog
Smile Markovski
Original Assignee
Ntnu Technology Transfer As
Taylor, Adam
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3093 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/26 Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm

Definitions

  • the private key of the preferred embodiment comprises at least one non-singular (invertible) Boolean matrix referred to here as T (order n x n) and a suitable plurality (preferably eight) of quasigroups (referred to here as *1, ..., *8). In some embodiments a plurality, e.g. two, of matrices are used. Thus, the private key may be regarded as a tuple. More than one Boolean matrix may be used.
  • the invention provides a public key cryptosystem wherein the private key comprises a plurality of MQQs and preferably also at least one Boolean matrix.
  • the invention extends to a corresponding method of generating such a private key and also to the use of such a key to decrypt data. It also extends to the use of such a key for signing.
  • Decryption and signing are generally similar processes as the scheme of the invention is bijective. Where Dobbertin's bijection is used in encryption/verification, its inverse is applied. The process will typically also comprise the application of the left parastrophes of the quasigroups.
  • the algorithms of preferred embodiments are described below in Tables 4 and 11. The latter describes an algorithm that is optimised for use in a digital signature scheme where a hash function is preferably applied to the message prior to encryption with a private key according to the invention.
  • the invention preferably comprises the generation of public and private keys in the manner described above, the encryption of a message using the public key and its subsequent decryption by the private key.
  • the invention applies to the signing of a document using a private key and also to its verification using a public key.
  • the aspects of the invention described above each represent separate and separable aspects of the invention. Plainly, it would be unusual for the same party to encrypt and decrypt or sign and verify the same message.
  • the invention thus extends to a method of generating a public key; a method of generating a private key; a method of encryption or verification using the public key and a method of decryption or signing using the private key. It extends to the application of such methods to a "message", which is any form of encryptable data, most commonly digital data, and to a method of data transmission and a method of data reception using such encryption.
  • the invention also extends to corresponding apparatus having means arranged for carrying out the above methods.
  • Such apparatus preferably comprises a data processor, such as an electronic computer, which will normally achieve this by running suitable software.
  • the invention therefore also extends to such software (i.e. software to cause apparatus to perform the methods of the invention), whether on a data carrier (disk, etc.), or transmitted over a network (including the Internet).
  • the encrypted data may be transmitted over a data network of any sort (including the Internet), be transmitted wirelessly, etc.
  • the invention also extends to means for encrypting and transmitting and decrypting and receiving such transmissions. Embodiments of the invention will now be described, by way of example only.
  • the invention is based upon the use of multivariate quadratic quasi groups (MQQs) to provide a set of multivariate quadratic equations. Thus, it is necessary to generate suitable MQQs.
  • MQQ(d, k) is a randomized algorithm for finding MQQs of order 2^d and type Quad_{d-k} Lin_k; it works on a trial-and-error basis. For d = 5 the average number of attempts for finding MQQs of type Quad_4 Lin_1 is around 2^15 and for finding MQQs of type Quad_5 Lin_0 is around 2^16.
  • T ∘ P' ∘ T : {0,1}^n → {0,1}^n
  • T is a non-singular (i.e. invertible) linear transformation
  • P' is a bijective multivariate quadratic mapping on {0,1}^n.
  • the algorithm for the mapping P' : {0,1}^n → {0,1}^n is defined in Table 2.
  • in steps 9, 15, 16 and 17, descriptive names are used for three procedures, CollectLinear, CollectQuadratic and CollectLinearPositions, that take a vector of multivariate Boolean expressions that are linear or quadratic as input parameter.
  • the procedure CollectLinear returns a vector with only the linear expressions extracted from the input vector
  • CollectQuadratic returns only the quadratic expressions
  • CollectLinearPositions returns the positions of the corresponding linear expressions.
  • the positions of the linear and quadratic expressions can be deduced from the quasigroup transformations used.
  • those procedures are used just for the clarity of the presentation. That is why information about the positions of the linear and quadratic expressions is not included in the private key.
  • the encryption is performed by using the public key C, which is given by the system (7) of n equations in n unknowns, where the P_i are multivariate quadratic polynomials of n Boolean variables.
  • the concrete Boolean values of the variables are replaced, and the polynomials are evaluated.
  • the suitable size of the public and private key and the number of operations per byte for encryption and decryption has been considered. Since the public key consists of n multivariate quadratic equations, and they appear to be randomly generated, the size of the public key follows known rules. So, for n bit blocks the size of the public key is n x (1 + n(n+1)/2) bits. In Table 5 below, we give the size of the public key for n ∈ {140, 160, 180, 200} in Kbytes.
  • Table 5 Memory size in Kbytes for the public key and the private key.
  • the private key of our scheme is the tuple (T, *1, ..., *8).
  • the corresponding memory size needed for storage of T is n^2 bits.
  • the size of the private key expressed in Kb is 896.
  • in the second column of Table 5 we give the size of the private key for n ∈ {140, 160, 180, 200} in Kbytes.
  • the number of operations for encryption and decryption will now be considered.
  • the speed of encryption and decryption/signing will be expressed as the number of operations per processed byte.
  • Three widespread microprocessor architectures will be taken into account: 8-bit, 32-bit and 64-bit architectures. Since the public part of the scheme follows the typical paradigm of the MQ public key cryptosystems, its speed of encryption is the same as (or similar to) the speed of other MQ systems. That means that the encryption is done after O(n^3) logical AND and logical XOR operations.
  • the speed of decryption/signing in the class of multivariate quadratic PKCs is not so uniformly distributed as it is for encryption.
  • the number of operations for particular parts of the process of decryption of this scheme can be summarized in the following list: a) Two linear operations by the matrix T^{-1} that take 2n(n/Arch) operations; b) One lookup operation at the table of Dobbertin's bijection; c) Exactly (n/5) - 1 lookup operations at the quasigroup parastrophes.
  • the total number of operations per byte can be computed by the expression
  • Table 6 Estimated operations per encrypted byte, for different n and 8, 32 or 64 bit architectures.
  • Table 7 Estimated operations per decrypted byte, for different n and 8, 32 or 64 bit architectures.
  • the index set (i_1, i_2, ...) of quasigroup indices, where each i_j ∈ {1, 2, ..., 8}, can be either public or private.
  • the security of the algorithm does not depend on the secrecy of that set.
  • the mapping P' : {0,1}^n → {0,1}^n is defined by the algorithm described in Table 9:
  • Appendix 2 gives a detailed example of the process of generating the public and private key with a small number of variables, n = 20.
  • the algorithm for signing by the private key is defined in Table 11.
  • the size of the public key: since the public key consists of n - ⌊n/10⌋ multivariate quadratic equations, and they appear to be randomly generated, the size of the public key follows the rules given in C. Wolf and B. Preneel, "Taxonomy of Public Key Schemes Based on the Problem of Multivariate Quadratic Equations", Cryptology ePrint Archive, Report 2005/077, 2005. So, for n bit blocks the size of
  • the private key of this scheme is the tuple
  • the corresponding memory size needed for storage of T and P is 2n^2 bits.
  • For the storage of particular quasigroups in memory, note that it is not necessary to store 32 x 32 x 5 bits for every quasigroup, since that type of storage has redundancy (the last row of the Latin square is uniquely determined by the rest of the table), but in order to achieve efficient speed in the signing, the full information about the parastrophes is stored.
  • the total number of operations per byte can be computed by the expression
  • the algorithm of this embodiment, MQQ-SIG, has the same performance characteristics as the previous embodiment, MQQ.
  • digital signing and verification by MQQ-SIG is very fast and highly parallelizable. More concretely, signing can be performed in less than 11,000 cycles (on Intel Core 2 Duo, using only one processor core), and in around 6,000 cycles using two CPU cores and the OpenMP 2.0 library.
  • implemented in FPGA hardware, the MQQ-SIG digital signature algorithm is more than 10,000 times faster.
  • a quasigroup (Q,*) is a groupoid satisfying the law
  • each z_i depends on the bits and is uniquely determined by them.
  • each z_i can be seen as a 2d-ary Boolean function f_i, where f_i strictly depends on, and is uniquely determined by, *.
  • the ANFs of the functions f_i give us information about the complexity of the quasigroup (Q, *) via the degrees of the Boolean functions f_i. It can be observed that the degrees of the polynomials rise with the order of the quasigroup. In general, for a randomly generated quasigroup of order 2^d, d > 4, the degrees are higher than 2 (i.e. they are not quadratic). Such quasigroups are not suitable for our construction of a multivariate quadratic PKC.
  • Definition 3 describes a special class of quasigroups, called multivariate quadratic quasigroups (MQQs) that can be of different types.
  • a quasigroup (Q, *) of order 2^d is called a Multivariate Quadratic Quasigroup (MQQ) of type Quad_{d-k} Lin_k if exactly d - k of the polynomials f_i are of degree 2 (i.e., are quadratic) and k of them are of degree 1 (i.e., are linear), where 0 ≤ k < d.
  • Table 1 A quasigroup (Q, *) of order 8.
  • The definition of MQQs implies the following theorem:
  • T is a nonsingular 20 x 20 Boolean matrix generated uniformly at random;
  • the tuple is the private key
  • P_i are multivariate quadratic polynomials of 20 Boolean variables.

Abstract

A method of public key cryptography using a trapdoor function, wherein the provision of the trapdoor function comprises the use of a plurality of multivariate quadratic quasigroups (MQQs). The public key is generated using MQQs and comprises a set of multivariate quadratic polynomials derived from the MQQs. The private key is generated using MQQs and comprises at least one non-singular Boolean matrix and a plurality of MQQs. The MQQs are provided by randomly generating candidate MQQ data sets which may or may not be MQQs, testing the data sets and selecting MQQs therefrom.

Description

Encryption Method
The present invention relates to encryption systems and in particular to asymmetric or public key cryptography. For most of the history of cryptography, a key had to be kept absolutely secret and would be agreed upon beforehand using a secure, but non-cryptographic, method; for example, a face-to-face meeting or a trusted courier. Such systems are examples of symmetric key (or secret key) cryptography since the same secret key must be used to encrypt and decrypt the message. There are a number of significant practical difficulties in this approach to distributing keys and these problems only became more acute as modern means of long-distance communication developed.
Public-key cryptography was invented to address these drawbacks. It is thought to have first been developed at the UK government's GCHQ in the early 1970s, but was not disclosed at the time. The public key paradigm was initially described by Diffie and Hellman in 1976 and this has completely changed and reshaped modern cryptography. The fruits of that change are noticeable now, 30 years after, with the boom of the Internet, digital telecommunications, the convergence of information and communication technologies. Most of the security protocols in these fields in one way or the other use the public key paradigm. With public-key cryptography, users can communicate securely over an insecure channel without having to agree upon a shared key beforehand. This enables secure communication by radio, over the Internet, etc. In this approach, a user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.
Another application of public key cryptography is in the field of digital signatures, i.e. when it is desired to check that a message was sent by the claimed sender. To digitally sign a message (data) it is encrypted using the signer's private key and the encrypted data (i.e. the signature) is then appended to the message when it is sent. The recipient can verify the authenticity of the message by using the signer's public key to decrypt the signature and comparing it to the message. In practice, the signature is formed from a "message digest" which is the result of applying a hash function, such as SHA-1, SHA-2, etc., to the message and when this signature is decrypted it is compared to a message digest created by the recipient. Public key techniques are much more computationally intensive than purely symmetric algorithms. The judicious use of these techniques enables a wide variety of applications. In practice, public key cryptography is used in combination with secret-key methods for efficiency reasons. The sender may encrypt a message with a secret-key algorithm using a randomly generated key, and that random key is then encrypted with the recipient's public key. Using his private key, the recipient can decrypt the random key and this can then be used to decrypt the message.
Such systems rely on a so-called "trapdoor" function, i.e. one that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its inverse) without special information, called the trapdoor. In mathematical terms, if f is a trapdoor function there exists some secret information y, such that given f(x) and y it is easy to compute x.
Perhaps the best-known public key algorithm was the "RSA algorithm" published by Rivest, Shamir and Adleman, of MIT in 1978. RSA uses exponentiation modulo a product of two large primes to encrypt and decrypt, performing both public key encryption and public key digital signature, and its security is connected to the presumed difficulty of factoring large integers, a problem for which there is no known efficient (i.e., practicably fast) general technique. Thus, whilst it is comparatively easy to multiply two known large prime numbers, it is much more difficult to factorise the result in order to identify the primes.
In the RSA algorithm, a hash function (such as SHA-1) is first applied to the document to produce a smaller number of bits (160 bits) and then the output from the hash function is expanded (by adding bits of effectively useless data) to a length of 1024 bits before the RSA encryption proper takes place. Unlike a one-time pad (secret key) system, no public key system can be secure against an attacker that has unlimited time and computational power. Instead, these systems are designed to be impossible to break during any useful time period using any available computer. If the security level of a symmetric encryption system using n bits is 2^n (i.e. 2^n guesses are needed to be sure of decryption) then RSA using 1024 bits has a level of only 2^80 and not 2^1024 as might be expected. This is because there are known factorization algorithms that assist in the factorization process.
Since the 1970s, a large number and variety of encryption, digital signature, key agreement, and other techniques have been developed in the field of public-key cryptography. The ElGamal cryptosystem (invented by Taher ElGamal, then of Netscape) relies on the (similar, and related) difficulty of the discrete logarithm problem, as does the closely related DSA developed by the NSA and NIST. The introduction of elliptic curve cryptography by Koblitz and Miller has yielded a new family of analogous public-key algorithms. Although mathematically more complex, elliptic curves appear to provide a more efficient way to leverage the discrete logarithm problem, particularly with respect to key size. Several other ideas have been proposed during the last 30 years, such as the McEliece PKC based on error correcting codes, Rabin's digital signature method, PKCs based on lattice reduction problems and on lattice problems over rings such as NTRU, and PKCs based on braid groups.
However, there remains a need to improve the security and speed of public key systems. Compared to symmetric key algorithms, they are thousands of times slower. One approach to this problem has been based on the use of multivariate quadratic (MQ) polynomials as trapdoor functions, which should enable greater speed for a given level of security. A number of such functions have been proposed, such as the use of "hidden field equations" described in US 5,790,675 (Patarin), but so far, successful attacks have been published against at least subsets of each of these.
According to the present invention there is provided a method of public key cryptography using a trapdoor function, wherein the provision of the trapdoor function comprises the use of a plurality of multivariate quadratic quasigroups. Thus, the inventors have provided a new class of MQ trapdoor functions, the generation of which is based on the theory of quasigroups and quasigroup string transformations. A summary of the key concepts that are used is given in Annex 1. By means of the present invention it is possible to provide a deterministic one-to-one mapping. In other words, unlike some alternatives to RSA, there are not multiple decrypts for one encryption that would require additional data to resolve.
It is also possible to apply the encryption system directly to a message block. Thus, there is no need for, and preferably there is not, a message expansion stage, as in RSA.
A preferred algorithm that may be used in the invention has only one parameter n, which is the number of bits that are encrypted. n may be chosen to suit the application of the system, but is typically 140, 160, 180... It is possible to use a lower number of bits, such as 80 for less sensitive applications, but preferably at least 140 bits are used. The security level of such preferred forms of the invention with n bits is believed to be 2^(n/2).
Although the encryption speed of the preferred forms of the invention is comparable to the speed of other multivariate quadratic public key cryptosystems (PKCs), their decryption/signature speed is as fast as a typical symmetric block cipher (i.e. in the range of 500—1000 times faster than any known public key scheme).
The invention may be applied in any context where PKCs are employed. However, embodiments of the invention are particularly well suited for short signatures and smart card implementations.
Prior art MQ-based cryptosystems have been based on the overall scheme described in C. Wolf and B. Preneel: Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic Equations, Cryptology ePrint Archive, Report 2005/077, 2005. Such a trapdoor function can be seen to be a composition of three bijective transformations S, P', T : {0,1}^n → {0,1}^n where S and T are (affine) linear transformations, and P' is a bijective multivariate quadratic mapping on {0,1}^n.
The present invention, at least in a preferred form, comprises a cryptographic scheme that can be expressed generically as:
T ∘ P' ∘ T : {0,1}^n → {0,1}^n where T is a non-singular (i.e. invertible) linear transformation, and P' is a bijective multivariate quadratic mapping on {0,1}^n. Indeed, viewed from a further aspect, the present invention comprises the use of a cryptographic scheme of this form. As noted above, the present invention comprises the use of MQQs. These will typically be used as part of the process for creating a public key and a private key. Preferably the MQQs are generated randomly, preferably as a step in the generation of the keys. This may be done by generating a very large number of candidate data sets (e.g. matrices), most of which will not be MQQs, and then testing them and only accepting suitable candidates.
As will be discussed below, the quasigroups can be represented as vector valued Boolean functions (v.v.b.f.) and the algebraic normal form of these functions can be used to provide information about the complexity of the quasigroup via the degrees of these functions. The invention requires the use of polynomials of order no higher than 2 and in general, for a randomly generated quasigroup of order 2^d, d >= 4, the degrees are higher than 2. Thus, there may be further provided a step of selecting useful quasigroups from a set of randomly generated quasigroups. In the preferred embodiments of the invention, the procedure MQQ(d, k) (described herein) is employed for finding MQQs of order 2^d and type Quad_{d-k} Lin_k (as defined herein). As it works on a trial-and-error basis, for d = 5 the average number of attempts for finding MQQs of type Quad_4 Lin_1 is around 2^15 and for finding MQQs of type Quad_5 Lin_0 is around 2^16. It is preferable to use MQQs of the latter type, but there is a trade-off with processing speed. In this (or for that matter any other) process of random generation of MQQs of type Quad_{d-k} Lin_k, usually the number of quadratic polynomials is exactly d-k, and the number of linear polynomials is exactly k. However, there are rare cases when all quadratic terms can cancel each other, and the number of linear polynomials will be bigger than k while the number of quadratic polynomials will be less than d-k. Thus, the invention preferably comprises the step of detecting such polynomials and omitting them from consideration.
In preferred embodiments, in order to generate the keys, a suitable plurality (preferably eight) of quasigroups (referred to herein as *_1, ..., *_8) are generated along with a number (n) of multivariate quadratic polynomials (MQPs). These are preferably generated from an input of an integer n (where n may be 5k and k >= 28) and an input of n linear Boolean functions of n variables. In preferred embodiments, an algorithm P'(n) (two variants of which are described herein) is employed, and this calls the procedure MQQ(d, k) referred to above to generate two large sets of MQQs (preferably with more than 2^20 elements in each). It will be seen that the algorithm forms a multi-dimensional (e.g. 7 or 13 dimensions) vector Z that has all (e.g. 7 or 13, respectively) components as linear Boolean functions.
By using only MQQs, some of the coordinate functions will remain linear. It is therefore preferred that, in order to make a trapdoor bijective function {0,1}^n → {0,1}^n that is multivariate quadratic in all of its coordinates, a further step is employed, such as the application of Dobbertin's bijection to the vector Z.
As noted above, the MQQs are used in the generation of public and private keys. In one embodiment, the public key comprises a set of n multivariate quadratic polynomials y_i = P_i(x_1, x_2, ..., x_n); in a more preferred form only n - k polynomials are used, so that an attacker does not have the possibility of solving the system. Thus, viewed from a further aspect, the invention provides a public key cryptosystem wherein the public key comprises a plurality of multivariate quadratic polynomials derived from MQQs. The invention extends to a corresponding method of generating such a public key and also to the use of such a key to encrypt data or to verify a signature. In the preferred embodiment, the algorithm for encryption or verification with the public key comprises the application of the set of n multivariate polynomials P ≡
Figure imgf000007_0001
The private key of the preferred embodiment comprises at least one non-singular (invertible) Boolean matrix, referred to here as T (of order n × n), and a suitable plurality (preferably eight) of quasigroups (referred to here as *_1, ..., *_8). In some embodiments a plurality, e.g. two, of matrices are used. Thus, the private key may be regarded as a tuple. More than one Boolean matrix may be used.
Thus, viewed from a further aspect, the invention provides a public key cryptosystem wherein the private key comprises a plurality of MQQs and preferably also at least one Boolean matrix. The invention extends to a corresponding method of generating such a private key and also to the use of such a key to decrypt data. It also extends to the use of such a key for signing. Decryption and signing are generally similar processes, as the scheme of the invention is bijective. Where Dobbertin's bijection is used in encryption/verification, its inverse is applied. The process will typically also comprise the application of the left parastrophes of the quasigroups. The algorithms of preferred embodiments are described below in Tables 4 and 11. The latter describes an algorithm that is optimised for use in a digital signature scheme, where a hash function is preferably applied to the message prior to encryption with a private key according to the invention.
The invention preferably comprises the generation of public and private keys in the manner described above, the encryption of a message using the public key and its subsequent decryption by the private key. Likewise, the invention applies to the signing of a document using a private key and also to its verification using a public key. However, it will be appreciated that the aspects of the invention described above each represent separate and separable aspects of the invention. Plainly, it would be unusual for the same party to encrypt and decrypt, or sign and verify, the same message.
The invention thus extends to a method of generating a public key; a method of generating a private key; a method of encryption or verification using the public key; and a method of decryption or signing using the private key. It extends to the application of such methods to a "message", which is any form of encryptable data, most commonly digital data, and to a method of data transmission and a method of data reception using such encryption.
The invention also extends to corresponding apparatus having means arranged for carrying out the above methods. Such apparatus preferably comprises a data processor, such as an electronic computer, which will normally achieve this by running suitable software. The invention therefore also extends to such software (i.e. software to cause apparatus to perform the methods of the invention), whether on a data carrier (disk, etc.), or transmitted over a network (including the Internet). The encrypted data may be transmitted over a data network of any sort (including the Internet), be transmitted wirelessly, etc. The invention also extends to means for encrypting and transmitting and decrypting and receiving such transmissions. Embodiments of the invention will now be described, by way of example only.
As previously discussed, the invention is based upon the use of multivariate quadratic quasigroups (MQQs) to provide a set of multivariate quadratic equations. Thus, it is necessary to generate suitable MQQs.
With reference to Theorem 2 (described in Annex 1), which sets out sufficient conditions for a quasigroup to be an MQQ, a procedure called MQQ(d, k) is used for producing MQQs of order 2^d and type Quad_{d-k} Lin_k. This is set out in the following table:
Figure imgf000009_0001
The procedure MQQ(d, k) is a randomized algorithm for finding MQQs of order 2^d and type Quad_{d-k} Lin_k; it works on a trial-and-error basis. For d = 5 the average number of attempts for finding MQQs of type Quad_4 Lin_1 is around 2^15 and for finding MQQs of type Quad_5 Lin_0 is around 2^16.
In this process of random generation of MQQs of type Quad_{d-k} Lin_k, usually the number of quadratic polynomials is exactly d-k and the number of linear polynomials is exactly k. However, there are rare cases when all quadratic terms cancel each other, and then the number of linear polynomials will be bigger than k, while the number of quadratic polynomials will be less than d-k. Nevertheless, these cases, if they occur, can be easily detected, and quasigroups with such properties can be omitted from consideration as candidates for the private key.
Another issue is that by using only MQQs, some of the coordinate functions will remain linear. In order to make a trapdoor bijective function {0,1}^n → {0,1}^n that is multivariate quadratic in all of its coordinates, Dobbertin's bijection (defined in Annex 1) is used, as will be discussed further below.
A generic description of the cryptographic scheme used in this embodiment can be expressed as T ∘ P' ∘ T : {0,1}^n → {0,1}^n, where T is a non-singular (i.e. invertible) linear transformation and P' is a bijective multivariate quadratic mapping on {0,1}^n. The algorithm for the mapping P' : {0,1}^n → {0,1}^n is defined in Table 2.
Figure imgf000010_0001
The algorithm for generating the public and private key is set out in Table 3:
Figure imgf000011_0001
Table 3: Generation of Public and Private key for the MQQ scheme
The algorithm for encryption (or verification) with the public key is straightforward, being the application of the set of n multivariate polynomials
Figure imgf000011_0005
Figure imgf000011_0003
The algorithm for decryption/signing by the use of the private key (T, *_1, ..., *_8) is given in Table 4:
Figure imgf000011_0002
Table 4: Algorithm for decryption or signing
An example of the creation of private and public keys, and also of signature generation, with n = 80 will now be described. This is based on a modified version of the embodiment in which an index vector I and a second non-singular matrix S are used, as will be described. Such matrices are also found in the second embodiment and their purpose will be discussed further in that context.
In order to simplify the description of the algorithm for creation of a private and a public key, a particular value n = 80 is chosen. The generalization of the procedure for different values of n = 5k is straightforward.
Let x = (x_1, x_2, ..., x_80) be a vector of 80 Boolean variables. The private and the public key are created by the following procedure:
1. Generate a uniformly distributed random nonsingular 80 x 80 Boolean matrix T;
2. Set
Figure imgf000012_0002
3. Generate 4 multivariate quadratic quasigroups
Figure imgf000012_0003
Figure imgf000012_0004
randomly by the procedure MQQ(5, 1 );
4. Generate one multivariate quadratic quasigroup
Figure imgf000012_0005
randomly by the procedure MQQ(5, 0);
5. Represent the vector x' by chunks of 5 bits, i.e.
Figure imgf000012_0006
6. Generate an index vector of 2-bit numbers
Figure imgf000012_0007
Figure imgf000012_0009
randomly;
7. Compute such that
Figure imgf000012_0008
Figure imgf000012_0001
1, 2, ..., 15;
8. Represent
Figure imgf000012_0010
9. Set
Figure imgf000012_0011
10. Generate a nonsingular 20 x 20 matrix S in GF(2) randomly;
11. Set
Figure imgf000012_0012
12. Represent by chunks of 5 linear expressions, i.e.
Figure imgf000012_0013
Figure imgf000012_0014
Figure imgf000012_0015
13. Compute U = U1 U2 U3 U4 such that
Figure imgf000012_0017
Figure imgf000012_0016
14. Represent
Figure imgf000013_0002
15. Set
Figure imgf000013_0003
← CollectLinear(U),
Figure imgf000013_0004
← CollectLinearPositions(U);
16. Set ← CollectQuadratic(Y);
Figure imgf000013_0005
17. Set ← CollectQuadratic(U);
Figure imgf000013_0006
18. Set
Figure imgf000013_0007
19. Set
Figure imgf000013_0008
where
Figure imgf000013_0009
20. The public key is C given by the following system of 80 equations of 80 unknowns:
Figure imgf000013_0001
where P_i are multivariate quadratic polynomials of n Boolean variables;
21. The private key consists of the following tuple:
Figure imgf000013_0010
In steps 9, 15, 16 and 17 descriptive names are used for three procedures, CollectLinear, CollectQuadratic and CollectLinearPositions, each of which takes as input parameter a vector of multivariate Boolean expressions that are linear or quadratic. The procedure CollectLinear returns a vector with only the linear expressions extracted from the input vector, CollectQuadratic returns only the quadratic expressions, and CollectLinearPositions returns the positions of the corresponding linear expressions. The positions of the linear and quadratic expressions can be deduced from the quasigroup transformations used; here those procedures are used just for clarity of presentation. That is why information about the positions of the linear and quadratic expressions is not included in the private key.
Since this PKC scheme is bijective, it acts in exactly the same manner whether it is used for generation of signatures or in decryption mode. By using the private key, the signature of the message is computed in the standard way by finding the inverse image of C = H(M), where C is a given Boolean vector of 80 bits and H is a collision-free cryptographic hash function applied to the message M. Finding the inverse image of C is performed by applying the following steps:
1. Perform a linear operation on the matrix
Figure imgf000014_0003
C where x" =
2. Set
Figure imgf000014_0004
3. Construct the vector
Figure imgf000014_0005
g, 3) ( ) such that
Figure imgf000014_0006
4. Represent U as chunks of 5-bit words
Figure imgf000014_0007
and compute
Figure imgf000014_0008
Figure imgf000014_0001
5. Represent
Figure imgf000014_0009
as a vector
Figure imgf000014_0010
and compute (z_1,
Figure imgf000014_0023
6. Construct the vector
Figure imgf000014_0011
from
Figure imgf000014_0012
and
Figure imgf000014_0013
such that
Figure imgf000014_0014
7. Represent Y as chunks of 5-bit words
Figure imgf000014_0015
and compute
Figure imgf000014_0016
Figure imgf000014_0017
8. Represent X
Figure imgf000014_0018
as a vector
Figure imgf000014_0019
9. Finally apply yet another linear operation with the matrix
Figure imgf000014_0020
Figure imgf000014_0002
Encryption is performed by using the public key C, which is given by the system (7) of n equations in n unknowns, where P_i are multivariate quadratic polynomials of n Boolean variables. The concrete Boolean values of the variables
Figure imgf000014_0021
are replaced, and the polynomials
Figure imgf000014_0022
are evaluated.
The suitable size of the public and private key and the number of operations per byte for encryption and decryption have been considered. Since the public key consists of n multivariate quadratic equations, and they appear to be randomly generated, the size of the public key follows known rules. So, for n-bit blocks the size of the public key is n × (1 + n(n+1)/2) bits. In Table 5 below, we give the size of the public key for n ∈ {140, 160, 180, 200} in Kbytes.
Figure imgf000015_0002
Table 5: Memory size in Kbytes for the public key and the private key.
The private key of our scheme is the tuple (T, *_1, ..., *_8). The corresponding memory size needed for storage of T is n^2 bits. The memory size for the quasigroups (*_1, ..., *_8) (actually for their parastrophes) is 8 × 32 × 32 × 5 = 40960 bits. For the storage of the inverse table of the bijection of Dobbertin we need an additional 896 bits.
In total, the size of the private key is n^2 + 40960 + 896 bits. In the second column of Table 5 we give the size of the private key for n ∈ {140, 160, 180, 200} in Kbytes. The number of operations for encryption and decryption will now be considered. In order to obtain an independent measure for the operating speed of the scheme, the speed of encryption and decryption/signing will be expressed as the number of operations per processed byte. Three widespread microprocessor architectures will be taken into account: 8-bit, 32-bit and 64-bit. Since the public part of the scheme follows the typical paradigm of MQ public key cryptosystems, its speed of encryption is the same as (or similar to) the speed of other MQ systems. That means that encryption is done after O(n^3) logical AND and logical XOR operations.
When encryption with any multivariate quadratic PKC is performed on a 32-bit or 64-bit microprocessor architecture, using the internal parallelism of modern CPUs as well as bit-slicing techniques, the encryption process can be at least two orders of magnitude faster than RSA/DH or ECC encryption for systems with equivalent security levels.
If it is assumed that an AND or XOR operation can be executed in one cycle (without taking into account that modern 32-bit and 64-bit CPUs can actually perform several such operations in parallel), then non-optimized encryption of any general n-bit variant of any multivariate quadratic PKC scheme has a speed of (16/n)⌈n/Arch⌉(1 + n(n+1)/2) operations per byte, where Arch = 8, 32 or 64.
The speed of decryption/signing in the class of multivariate quadratic PKCs is not as uniform as it is for encryption. The number of operations for particular parts of the decryption process of this scheme can be summarized in the following list:
a) Two linear operations by the matrix T^{-1}, which take 2n⌈n/Arch⌉ operations;
b) One lookup operation at the table of Dobbertin's bijection;
c) Exactly (n/5) - 1 lookup operations at the quasigroup parastrophes.
The total number of operations per byte can be computed by the expression (8/n)(2n⌈n/Arch⌉ + n/5) and is given in Table 6 and Table 7.
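As an added, worked illustration (not code from the patent), the following Python block models an MQ public key in the coefficient form implied by the key-size formula above, evaluates it on an input vector as the encryption step describes (substitute the bits, evaluate every P_i over GF(2)), and encodes the key-size and operations-per-byte formulas of this section as functions. The randomly filled key and the four-variable toy key are constructed here for demonstration only; a real MQQ public key is derived from the private key and is not produced by this code.

```python
import math
import random


def monomial_count(n):
    """Coefficients one quadratic polynomial over GF(2) in n variables needs in ANF:
    1 (constant) + n (linear x_i) + n(n-1)/2 (products x_i*x_j, i<j; x_i^2 = x_i in GF(2)),
    which equals the 1 + n(n+1)/2 of the key-size formula in the text."""
    return 1 + n + n * (n - 1) // 2


def public_key_bits(n):
    """n polynomials, each stored as monomial_count(n) coefficient bits."""
    return n * monomial_count(n)


def private_key_bits(n):
    """n x n matrix T (n^2 bits), eight parastrophe tables of 32 x 32 5-bit entries,
    and the 896-bit inverse table of Dobbertin's bijection, as itemised in the text."""
    return n * n + 8 * 32 * 32 * 5 + 896


def kbytes(bits):
    return bits / 8 / 1024


def encrypt_ops_per_byte(n, arch):
    """The text's model: one AND and one XOR per monomial per Arch-bit word, per input byte."""
    return (16 / n) * math.ceil(n / arch) * (1 + n * (n + 1) // 2)


def decrypt_ops_per_byte(n, arch):
    """Two linear operations by T^{-1} plus n/5 table lookups, per input byte."""
    return (8 / n) * (2 * n * math.ceil(n / arch) + n / 5)


# A public key is a list of n polynomials (constant, linear, quadratic) with GF(2)
# coefficients: linear[i] multiplies x_i and quadratic[(i, j)] multiplies x_i * x_j (i < j).

def evaluate(poly, x):
    """Substitute the bits of x into one polynomial and reduce over GF(2)."""
    const, lin, quad = poly
    acc = const
    for i, c in enumerate(lin):
        acc ^= c & x[i]
    for (i, j), c in quad.items():
        acc ^= c & x[i] & x[j]
    return acc


def encrypt(public_key, x):
    """y_i = P_i(x_1, ..., x_n) for every polynomial of the public key."""
    return [evaluate(p, x) for p in public_key]


def random_public_key(n, rng):
    """Constructed stand-in with random coefficients: it has the shape and size of an MQ
    public key but none of the trapdoor structure a real MQQ key is derived from."""
    key = []
    for _ in range(n):
        const = rng.getrandbits(1)
        lin = [rng.getrandbits(1) for _ in range(n)]
        quad = {(i, j): rng.getrandbits(1) for i in range(n) for j in range(i + 1, n)}
        key.append((const, lin, quad))
    return key


def coefficient_bits(public_key):
    """Stored coefficient bits of a key; for a full key of n polynomials this equals public_key_bits(n)."""
    return sum(1 + len(lin) + len(quad) for _, lin, quad in public_key)


def random_key_coefficient_bits(n, seed):
    return coefficient_bits(random_public_key(n, random.Random(seed)))


# Constructed 4-variable key, small enough to evaluate by hand (0-based indices in code):
#   P_1 = 1 + x_1 + x_2 x_3,  P_2 = x_4 + x_1 x_4,  P_3 = x_1 + x_2 + x_3,  P_4 = 1 + x_3 x_4
TOY_KEY = [
    (1, [1, 0, 0, 0], {(1, 2): 1}),
    (0, [0, 0, 0, 1], {(0, 3): 1}),
    (0, [1, 1, 1, 0], {}),
    (1, [0, 0, 0, 0], {(2, 3): 1}),
]
```

The per-byte figures follow the formulas exactly as stated in the text; the tables the page shows as images are not reproduced here, so the values computed by these functions are outputs of the formulas, not values copied from Tables 5 to 7.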
Figure imgf000016_0001
Table 6: Estimated operations per encrypted byte, for different n and 8, 32 or 64 bit architectures.
Figure imgf000016_0002
Table 7: Estimated operations per decrypted byte, for different n and 8, 32 or 64 bit architectures.
The security characteristics of the algorithm will now be considered, in particular the inventors' projections of the strength of the scheme with n variables. As a general claim, the strength of the MQQ scheme with n variables is said to be 2^{n/2}. The inventors base this claim on the analysis of the power of methods using Gröbner bases to solve random multivariate quadratic systems of equations. J. C. Faugère and A. Joux, in their paper Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases, Advances in Cryptology, CRYPTO 2003, LNCS, Vol. 2729, 2003, pp. 44-60, give a formula for computing the upper bound for the efficiency of Gröbner basis attacks. Based on that analysis, Table 8 below gives the projected complexity for solving random multivariate quadratic systems of equations by Gröbner basis algorithms for different numbers of variables n. Based on that projection, the second row gives the projected strength of this PKC scheme.
Figure imgf000017_0001
A further embodiment of the invention will now be discussed, which is optimized for use with a digital signature system. The MQQs are found as previously described. However, there are modifications to other stages. Instead of a single matrix T, two Boolean matrices S and T are used (each provided in the same manner as before). More significantly, only n - k equations are made available in the public key, which provides resistance against Gröbner basis or XL attacks. An index set I is also referred to; this is merely a table which records which quasigroup is used in each step of the algorithm. The index set, I = (i_1, i_2, ..., i_{k-1}) where i_j ∈ {1, 2, ..., 8}, can be either public or private; the security of the algorithm does not depend on the secrecy of that set.
In this embodiment, the mapping P' : {0,1}^n → {0,1}^n is defined by the algorithm described in Table 9:
Figure imgf000018_0001
The algorithm for generating the public and private key is defined in Table 10:
Figure imgf000018_0002
Appendix 2 gives a detailed example of the process of generating the public and private key with a small number of variables, n = 20.
The algorithm for signing by the private key
Figure imgf000018_0003
is defined in Table 11:
Figure imgf000019_0001
The algorithm for signature verification with the public key
Figure imgf000019_0003
i = 1, ..., n - ⌊n/10⌋} is given in Table 12.
Figure imgf000019_0002
We now consider the size of the private and the public key of this embodiment, as well as the number of operations per byte for verification and signing.
Regarding the size of the keys, since the public key consists of n - ⌊n/10⌋ multivariate quadratic equations, and they appear to be randomly generated, the size of the public key follows the rules given in C. Wolf and B. Preneel, "Taxonomy of Public Key Schemes Based on the Problem of Multivariate Quadratic Equations", Cryptology ePrint Archive, Report 2005/077, 2005. So, for n-bit blocks the size of the public key is 0.9 × n × (1 + n(n+1)/2) bits. Table 13 gives the size of the public key for n ∈ {140, 160, 180, 200} in KBytes.
Figure imgf000020_0008
Table 13. Memory size in Kbytes for the public key and the private key
The private key of this scheme is the tuple
Figure imgf000020_0007
The corresponding memory size needed for storage of T and S is 2n^2 bits. The memory size for the quasigroups
Figure imgf000020_0006
(actually for their parastrophes), is 8 x 32 x 32 x 5 = 40960 bits. For the storage of particular quasigroups in memory, note that it is not necessary to store 32 x 32 x 5 bits for every quasigroup, since that type of the storage has redundancy (the last row of the Latin Square is uniquely determined by the rest of the table), but in order to achieve efficient speed in the signing the full information about the parastrophes is stored. In total, the size of the private key
expressed in KB (kilobytes) is obtained from the 2n^2 + 40960 bits above; the second column of Table 13 gives it for n ∈ {140, 160, 180, 200}.
For the storage of the inverse table of the bijection of Dobbertin an additional 2^13 × 13 = 106496 bits are needed, which is exactly 13 KB, but those 13 KB do not belong to the private key.
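The inverse-table sizes quoted for the two embodiments (2^7 × 7 = 896 bits for the 7-bit bijection of the first embodiment, 2^13 × 13 = 106496 bits for the 13-bit one here) can be reproduced by tabulating the bijection. The following Python block is an added example and not part of the patent. It uses the form in which the MQQ literature states Dobbertin's result from the 1998 paper cited in Appendix 1, D_m(x) = x^(2^(m+1)+1) + x^3 + x over GF(2^(2m+1)); the page itself shows that function only as an image, so the formula is an assumption here, and the code checks rather than presumes that it is a bijection for m = 3 (7 bits) and m = 6 (13 bits). The field representations x^7 + x + 1 and x^13 + x^4 + x^3 + x + 1 are chosen here and verified irreducible in the code; the bijection property does not depend on which representation of the field is used.

```python
def gf2_mul(a, b, modulus, n):
    """Multiply two elements of GF(2^n) = GF(2)[x]/(modulus); elements are n-bit ints."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= modulus
    return r


def gf2_pow(a, e, modulus, n):
    r = 1
    while e:
        if e & 1:
            r = gf2_mul(r, a, modulus, n)
        a = gf2_mul(a, a, modulus, n)
        e >>= 1
    return r


def is_irreducible_prime_degree(modulus, n):
    """Irreducibility test valid when n is prime (7 and 13 are): a degree-n polynomial f
    over GF(2) is irreducible iff f(0) = f(1) = 1 (no linear factor) and x^(2^n) = x (mod f)."""
    if modulus >> n != 1 or not modulus & 1 or bin(modulus).count("1") % 2 == 0:
        return False
    t = 2  # the element x
    for _ in range(n):
        t = gf2_mul(t, t, modulus, n)
    return t == 2


def dobbertin(x, m, modulus):
    """D_m(x) = x^(2^(m+1)+1) + x^3 + x in GF(2^(2m+1)) (assumed form, see lead-in).
    Each output bit is quadratic in the bits of x: x -> x^(2^j) is GF(2)-linear, so
    x^(2^(m+1)) * x and x^2 * x are each a product of two linear maps."""
    n = 2 * m + 1
    return gf2_pow(x, (1 << (m + 1)) + 1, modulus, n) ^ gf2_pow(x, 3, modulus, n) ^ x


def inverse_table(m, modulus):
    """Tabulate D_m^{-1} over all 2^(2m+1) inputs; None if D_m is not a bijection."""
    n = 2 * m + 1
    inv = [None] * (1 << n)
    for x in range(1 << n):
        y = dobbertin(x, m, modulus)
        if inv[y] is not None:
            return None
        inv[y] = x
    return inv


def inverse_table_bits(m):
    """Storage for the inverse table: 2^(2m+1) entries of 2m+1 bits each."""
    n = 2 * m + 1
    return (1 << n) * n


def roundtrip_ok(m, modulus):
    """inv[D_m(x)] == x for every x, i.e. the table really inverts the bijection."""
    inv = inverse_table(m, modulus)
    n = 2 * m + 1
    return inv is not None and all(inv[dobbertin(x, m, modulus)] == x for x in range(1 << n))


# Constructed field representations (chosen here, not taken from the patent):
MOD_7 = (1 << 7) | (1 << 1) | 1                          # x^7 + x + 1, for m = 3
MOD_13 = (1 << 13) | (1 << 4) | (1 << 3) | (1 << 1) | 1  # x^13 + x^4 + x^3 + x + 1, for m = 6


def demo():
    """Bijectivity and inverse-table size for the 7-bit and 13-bit cases."""
    return (roundtrip_ok(3, MOD_7), inverse_table_bits(3),
            roundtrip_ok(6, MOD_13), inverse_table_bits(6))
```

The inverse table is what decryption/signing looks up; since the map is only tabulated, not inverted algebraically, its size is fixed by the bit width alone, which is why the 13-bit table costs 13 KB regardless of n.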
With regard to speed, the number of operations for particular parts of the process of signing of this scheme can be summarized in the following list:
- Two linear operations by the matrices T^{-1} and S^{-1}, which take 2n⌈n/Arch⌉ operations;
- One lookup operation at the table of the bijection of Dobbertin;
- Exactly k - 1 lookup operations at the quasigroup parastrophes.
The total number of operations per byte can be computed, as before, by the expression (8/n)(2n⌈n/Arch⌉ + n/5) and gives results corresponding to those already shown in Table 7. The considerations that apply to the security of the algorithm are as previously described. However, by restricting the functionality of MQQ to digital signatures and removing a certain number of equations, two possible modes of attack (Gröbner bases and MutantXL) hit their limits for solving systems of random multivariate quadratic equations and are not capable of successfully attacking the digital signature scheme MQQ-SIG.
The algorithm of this embodiment ("MQQ-SIG") has a public key consisting of n - ⌊n/10⌋ quadratic polynomials in n variables, where n = 140, 160, .... The performance characteristics of the previous embodiment ("MQQ") are also present in MQQ-SIG: digital signing and verification by MQQ-SIG are very fast and highly parallelizable. More concretely, signing can be performed in less than 11,000 cycles (on an Intel Core 2 Duo, using only one processor core), and in around 6,000 cycles using two CPU cores and the OpenMP 2.0 library. Implemented in FPGA hardware, the MQQ-SIG digital signature algorithm is more than 10,000 times faster.
Appendix 1 - Quasigroups
Here we give a brief overview of some of the mathematics of quasigroups and quasigroup string transformations used in the description of the invention.
Quasigroup string transformations
Definition 1
A quasigroup (Q,*) is a groupoid satisfying the law
Figure imgf000022_0001
Given a quasigroup (Q, *), five new operations called parastrophes or adjoint operators can be derived from the operation *. We will need only one, the left parastrophe, denoted by \ and defined by:
Figure imgf000022_0002
Then the algebra (Q, *, \) satisfies the identities:
Figure imgf000022_0003
and is a quasigroup too.
Figure imgf000022_0004
Consider an alphabet (i.e., a finite set) Q, and denote by Q+ the set of all nonempty words (i.e. finite strings) formed by the elements of Q. The elements of Q+ will be denoted by a_1 a_2 ... a_n rather than (a_1, a_2, ..., a_n), where a_i ∈ Q. Let * be a quasigroup operation on the set Q, i.e. consider a quasigroup (Q, *). For each leader l ∈ Q we define two functions, set out in Definition 2 below:
Figure imgf000022_0005
Definition 2
Let l ∈ Q. Then
Figure imgf000023_0002
i.e.
Figure imgf000023_0003
The functions
Figure imgf000023_0008
, and
Figure imgf000023_0009
are called the e-transformation and the d-transformation of Q+ based on the operation * with leader l, respectively, and their graphical representations are shown below:
Figure imgf000023_0001
These transformations are the basis of the following theorem:
Theorem 1
If (Q, *) is a finite quasigroup, then the e-transformation and the d-transformation with leader l are mutually inverse permutations of Q+, i.e.,
Figure imgf000023_0004
for each leader l ∈ Q and for every string a_1 a_2 ... a_n ∈ Q+.
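As an added illustration (not part of the patent text), the following Python code builds the left parastrophe of a constructed quasigroup of order 4 and implements the e- and d-transformations with a leader, then checks Theorem 1 exhaustively on all short strings. The recurrences used, b_1 = l * a_1, b_i = b_{i-1} * a_i for the e-transformation and c_1 = l \ a_1, c_i = a_{i-1} \ a_i for the d-transformation, are the standard definitions from the quasigroup string-transformation literature and are assumed here because the page shows Definition 2 only as an image; the Latin square is constructed for the example.

```python
from itertools import product

# Constructed quasigroup of order 4 given by its Latin square (row = left operand).
LATIN_SQUARE = [
    [2, 1, 0, 3],
    [3, 0, 1, 2],
    [1, 2, 3, 0],
    [0, 3, 2, 1],
]


def is_quasigroup(table):
    """A finite groupoid is a quasigroup exactly when its table is a Latin square:
    every row and every column is a permutation of Q."""
    n = len(table)
    rows = all(sorted(row) == list(range(n)) for row in table)
    cols = all(sorted(table[r][c] for r in range(n)) == list(range(n)) for c in range(n))
    return rows and cols


def left_parastrophe(table):
    """x \\ y = z  <=>  x * z = y (unique because each row is a permutation)."""
    n = len(table)
    ldiv = [[None] * n for _ in range(n)]
    for x in range(n):
        for z in range(n):
            ldiv[x][table[x][z]] = z
    return ldiv


def e_transform(table, leader, word):
    """e-transformation with leader l: b_1 = l * a_1, b_i = b_{i-1} * a_i."""
    out, prev = [], leader
    for a in word:
        prev = table[prev][a]
        out.append(prev)
    return out


def d_transform(table, leader, word):
    """d-transformation with leader l: c_1 = l \\ a_1, c_i = a_{i-1} \\ a_i."""
    ldiv = left_parastrophe(table)
    out, prev = [], leader
    for a in word:
        out.append(ldiv[prev][a])
        prev = a
    return out


def theorem_1_holds(table, max_len):
    """d(e(w)) = w and e(d(w)) = w for every leader and every word up to max_len."""
    n = len(table)
    for leader in range(n):
        for length in range(1, max_len + 1):
            for word in product(range(n), repeat=length):
                w = list(word)
                if d_transform(table, leader, e_transform(table, leader, w)) != w:
                    return False
                if e_transform(table, leader, d_transform(table, leader, w)) != w:
                    return False
    return True
```

With leader 0 and the constructed square, the word 1 3 0 2 2 maps under e to 1 2 1 1 1, and the d-transformation with the same leader maps it back; the decryption/signing algorithms of the embodiments apply the left parastrophes in exactly this way to undo the quasigroup string transformations.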
Quasigroups as vector valued Boolean functions
We will now describe the presentation of finite quasigroups (Q, *) of order 2^d by vector valued Boolean functions (v.v.b.f.). In what follows we will represent a ∈ Q by a d-bit representation, i.e., a ≡ x_1 x_2 ... x_d (as a string of bits) or, sometimes, a ≡ (x_1, x_2, ..., x_d). Now, the binary operation * on Q can be seen as a vector valued operation *_vv : {0,1}^{2d} → {0,1}^d defined as:
Figure imgf000024_0002
where
Figure imgf000024_0003
are the binary representations of a, b, c.
Each z_i depends on the bits x_1, ..., x_{2d} and is uniquely determined by them. Thus, each z_i can be seen as a 2d-ary Boolean function
Figure imgf000024_0013
Figure imgf000024_0006
where f_i : {0,1}^{2d} → {0,1} strictly depends on, and is uniquely determined by, *.
We now use the fact that each k-ary Boolean function f : {0,1}^k → {0,1} can be represented in a unique way by its algebraic normal form (ANF), i.e. as a sum of products
Figure imgf000024_0004
where the coefficients
Figure imgf000024_0012
are in the set {0, 1} and the addition and multiplication are in the field GF(2), that is, the finite field of two elements 0 and 1. In the rest of the text we will abuse the notation and identify the Boolean function f with its ANF. We say that f is a polynomial in x_1, ..., x_k when we consider the arguments of f to be indeterminate variables.
The ANFs of the functions f_i give us information about the complexity of the quasigroup (Q, *) via the degrees of the Boolean functions f_i. It can be observed that the degrees of the polynomials f_i rise with the order of the quasigroup. In general, for a randomly generated quasigroup of order 2^d, d > 4, the degrees are higher than 2 (i.e. they are not quadratic). Such quasigroups are not suitable for our construction of a multivariate quadratic PKC.
Multivariate Quadratic Quasigroups
Definition 3 describes a special class of quasigroups, called multivariate quadratic quasigroups (MQQs) that can be of different types.
Definition 3
A quasigroup (Q, *) of order 2^d is called a Multivariate Quadratic Quasigroup (MQQ) of type Quad_{d-k} Lin_k if exactly d - k of the polynomials f_i are of degree 2 (i.e., are quadratic) and k of them are of degree 1 (i.e., are linear), where 0 ≤ k < d. Theorem 2 below gives us sufficient conditions for a quasigroup (Q, *) to be an MQQ.
Theorem 2
Let A_1 and A_2 be two d × d matrices of linear Boolean expressions, and let b_1 and b_2 be two d × 1 vectors of linear or quadratic Boolean expressions. Let the functions in A_1 and b_1 depend only on the variables x_1, ..., x_d, and let the functions in A_2 and b_2 depend only on the variables x_{d+1}, ..., x_{2d}. If
Figure imgf000025_0005
Figure imgf000025_0002
Figure imgf000025_0004
and if
Figure imgf000025_0003
then the vector valued operation
*_vv(x_1, ..., x_{2d}) = A_1 · X_2 + b_1 (6)
defines a quasigroup (Q, *) of order 2^d that is an MQQ.
This can be proved by considering the equation
Figure imgf000026_0001
where
Figure imgf000026_0003
are unknown bits and a_i, c_i are given
Figure imgf000026_0004
bits. We have a linear system in GF(2) of the kind
Figure imgf000026_0002
where A'_1 and b'_1 are the valuations of A_1 and b_1 over the vector
Figure imgf000026_0005
Since Det(A_1) = 1, it follows that Det(A'_1) = 1 too, so the linear system (7) has a unique solution
Figure imgf000026_0007
In the same manner a unique solution of the equation
Figure imgf000026_0006
can be found, and *_vv is a v.v.b.f. of a quasigroup operation * on the set Q = {0, 1, ..., 2^d - 1}. The quasigroup (Q, *) is an MQQ since the vector
Figure imgf000026_0008
has multivariate quadratic polynomials as elements. This can be understood more readily with reference to an example:
Example 1: Let the quasigroup (Q, *) of order 2^3 = 8 be given by the multiplication scheme in Table 1.
Figure imgf000027_0001
Table 1: A quasigroup (Q, *) of order 8.
The corresponding ANF representation of the operation * as a vector valued Boolean function is the following:
Figure imgf000027_0003
The corresponding matrix-vector representations of * by A_1, b_1, A_2 and b_2 are the following:
Figure imgf000027_0002
It can be checked that
Figure imgf000027_0004
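As an added example (not from the patent), the following Python block computes the vector valued Boolean function of a quasigroup of order 2^3, derives the ANF of each coordinate by the Möbius transform over GF(2), and applies Definition 3 to decide whether the quasigroup is an MQQ and of which type Quad_{d-k} Lin_k; this degree test is the acceptance check that a trial-and-error MQQ(d, k) search applies to each random candidate. The quasigroup used is constructed in the shape of Theorem 2 (z = A_1(x)·y + b_1(x) with a unitriangular A_1, so Det(A_1) = 1, and the same form in y), and is not the quasigroup of Table 1, which the page shows only as an image. Two further constructed operations, XOR and addition mod 8, show cases the definition rejects.

```python
def bits(value, width):
    """Integer -> tuple of bits, most significant first."""
    return tuple((value >> (width - 1 - i)) & 1 for i in range(width))


def from_bits(bit_tuple):
    value = 0
    for b in bit_tuple:
        value = (value << 1) | b
    return value


def star(x, y):
    """Constructed quasigroup of order 2^3 in the Theorem 2 shape z = A1(x)*y + b1(x),
    with A1(x) unitriangular (Det = 1) and b1(x) = x (+ is XOR, * is AND over GF(2)):
        z1 = x1 + y1
        z2 = x2 + y2 + x1*y1
        z3 = x3 + y3 + x1*y2 + x2*y1
    The expression is symmetric in x and y, so it also has the form A2(y)*x + b2(y)."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    return (x1 ^ y1,
            x2 ^ y2 ^ (x1 & y1),
            x3 ^ y3 ^ (x1 & y2) ^ (x2 & y1))


def xor_op(x, y):
    """Bitwise XOR: a quasigroup whose coordinates are all linear (k = d, rejected)."""
    return tuple(a ^ b for a, b in zip(x, y))


def add_mod_8(x, y):
    """Addition modulo 8: a quasigroup whose top coordinate has a degree-3 carry (rejected)."""
    return bits((from_bits(x) + from_bits(y)) % 8, 3)


def multiplication_table(op, d):
    n = 1 << d
    return [[from_bits(op(bits(a, d), bits(b, d))) for b in range(n)] for a in range(n)]


def is_latin_square(table):
    n = len(table)
    rows = all(sorted(row) == list(range(n)) for row in table)
    cols = all(sorted(table[r][c] for r in range(n)) == list(range(n)) for c in range(n))
    return rows and cols


def truth_table_to_anf(tt):
    """Moebius transform over GF(2): tt[i] = f(bits of i) -> anf[i] = coefficient of the
    monomial made of the variables whose bits are set in i."""
    anf = list(tt)
    step = 1
    while step < len(anf):
        for i in range(len(anf)):
            if i & step:
                anf[i] ^= anf[i ^ step]
        step <<= 1
    return anf


def coordinate_degrees(op, d):
    """Algebraic degree of each coordinate f_i(x_1, ..., x_2d) of the v.v.b.f. of op."""
    degrees = []
    for i in range(d):
        tt = [op(bits(v, 2 * d)[:d], bits(v, 2 * d)[d:])[i] for v in range(1 << (2 * d))]
        anf = truth_table_to_anf(tt)
        degrees.append(max((bin(m).count("1") for m, c in enumerate(anf) if c), default=0))
    return degrees


def mqq_type(op, d):
    """(d-k, k) if op is an MQQ of type Quad_{d-k} Lin_k per Definition 3, else None."""
    if not is_latin_square(multiplication_table(op, d)):
        return None
    degrees = coordinate_degrees(op, d)
    k = degrees.count(1)
    quad = degrees.count(2)
    if quad + k != d or not 0 <= k < d:
        return None
    return (quad, k)
```

For the constructed operation the coordinate degrees come out as (1, 2, 2), i.e. type Quad_2 Lin_1, matching the count of one linear and d - k = 2 quadratic coordinates in the definition; the rare cancellation case mentioned earlier in the text (more than k linear coordinates) would surface here as a degree vector with too many 1s and is rejected for the same reason as XOR.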
The definition of MQQs implies the following theorem:
Theorem 3
Let
Figure imgf000027_0005
and
Figure imgf000027_0006
be two d-dimensional vectors of linear Boolean functions of the variables
Figure imgf000027_0007
and let (Q, *) be a multivariate quadratic quasigroup of type Quad_{d-k} Lin_k. Then at most d - k of the polynomials g_i are multivariate quadratic and at least k polynomials are linear.
Dobbertin's bijection
Dobbertin proved in his paper One-to-one highly nonlinear power functions on GF(2^n), Appl. Algebra Eng. Commun. Comput., Vol. 9(2), 1998, pp. 139-152, that the function
Figure imgf000027_0009
is a bijection in GF(2^{2m+1}). Moreover, it is also multivariate quadratic. (In the design of the MQQ public key cryptosystem described herein, Dobbertin's bijection for m = 3 is employed.)
Appendix 2 - An example of the creation of a private and a public key with n = 20 bits
This example is for n = 20. Since even with such a small example the number of terms in some expressions will grow to more than 100, horizontal lines are used in the notation to separate the different coordinates.
We will use the simplified version of the algorithm where
Figure imgf000028_0004
be a vector of 20 Boolean variables. The private and the public key are created by the following procedure:
1) Set T =
Figure imgf000028_0001
where T is a nonsingular 20 x 20 Boolean matrix generated uniformly at random;
2) Set
Figure imgf000028_0002
*_2(x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_10) =
Figure imgf000028_0003
*_3(x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_10) =
Figure imgf000029_0001
3) The tuple
Figure imgf000029_0005
is the private key;
Figure imgf000029_0002
5) Represent the vector x' by chunks of 5 bits, i.e. x' =
Figure imgf000029_0003
6) Compute
Figure imgf000029_0006
such that . The following relations will be obtained:
Figure imgf000029_0007
Figure imgf000029_0004
Figure imgf000030_0001
7) Set a 7-dimensional vector Z that has all 7 coordinates as Boolean linear functions:
Figure imgf000030_0002
8) Transform Z by the bijection of Dobbertin:
Figure imgf000030_0004
where
Figure imgf000030_0003
Figure imgf000031_0001
9) Set
Figure imgf000031_0004
10) Compute
Figure imgf000031_0005
11) The public key is y, given by the system of 20 equations of 20 unknowns:
Figure imgf000031_0003
where P_i are multivariate quadratic polynomials of 20 Boolean variables.
In developed form, they look like these:
Figure imgf000031_0002
Figure imgf000032_0001

Claims
1. A method of public key cryptography using a trapdoor function, wherein the provision of the trapdoor function comprises the use of a plurality of multivariate quadratic quasigroups (MQQs).
2. A method as claimed in claim 1, wherein the public key is generated using MQQs.
3. A method as claimed in claim 2, wherein the public key comprises a set of multivariate quadratic polynomials derived from the MQQs.
4. A method as claimed in any preceding claim, wherein the private key is generated using MQQs.
5. A method as claimed in claim 4, wherein the private key comprises at least one non-singular Boolean matrix and a plurality of MQQs.
6. A method as claimed in any preceding claim, wherein the MQQs are provided by randomly generating candidate MQQ data sets which may or may not be MQQs, testing the data sets and selecting MQQs therefrom.
7. A method as claimed in claim 6, wherein, when testing the data sets, the procedure
Figure imgf000033_0001
(described herein) is employed for finding MQQs of order 2^d and type
Figure imgf000033_0002
(as defined herein).
8. A method as claimed in any preceding claim, wherein the encryption system is applied directly to a message block without use of a message expansion stage.
9. A method as claimed in any preceding claim, wherein the cryptographic scheme can be expressed as
Figure imgf000034_0004
where T is a non-singular linear transformation, and P' is a bijective multivariate quadratic mapping on $\{0,1\}^n$.
10. A method as claimed in any of claims 1 to 9, wherein the cryptographic scheme can be expressed as $T \circ P' \circ S : \{0,1\}^n \to \{0,1\}^n$, where T and S are non-singular linear transformations, and P' is a bijective multivariate quadratic mapping on $\{0,1\}^n$.
11. A method as claimed in any preceding claim, wherein the algorithm for encryption or verification with the public key comprises the application of the set of n multivariate polynomials over a vector, as follows:
Figure imgf000034_0001
Figure imgf000034_0002
Figure imgf000034_0003
12. A method of transmitting data comprising the use of a method of public key cryptography according to any preceding claim.
13. A method of transmitting data, wherein the data is encrypted using a public key for decryption using a private key, wherein the public key is generated using multivariate quadratic quasigroups and the encrypted data may be decrypted using a private key generated from multivariate quadratic quasigroups.
14. A method of receiving and decrypting data encrypted using a public key,
where the data has been encrypted using a public key generated using multivariate quadratic quasigroups, wherein the encrypted data is decrypted using a private key generated from multivariate quadratic quasigroups.
15. A method of digitally signing and/or verifying a document, comprising the use of a method of public key cryptography according to any of claims 1 to 11.
16. A method of digitally signing a document comprising the steps of: generating a private key using a plurality of multivariate quadratic quasigroups (MQQs); and signing the document by encrypting it with the private key.
17. A method as claimed in claim 16, wherein the private key comprises a non- singular Boolean matrix and a plurality of MQQs.
18. A method as claimed in claim 16 or 17, wherein the signed document is a message digest of a document created using a hash function.
19. A method of digitally verifying a document comprising the steps of: generating a public key using a plurality of multivariate quadratic quasigroups (MQQs); and verifying the document by encrypting it with the public key.
20. A method as claimed in claim 19, wherein the public key comprises a set of multivariate quadratic polynomials derived from MQQs.
21. Data processing or transmission apparatus arranged to perform the method of any preceding claim.
22. A software product arranged to cause a suitable data processing apparatus to perform the method of any of claims 1 to 20.
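Steps 5 to 11 of the example above and claims 6, 9 to 11, 13 and 14 describe one pipeline: search for quasigroups whose operation is quadratic, compose them into a bijective quadratic map P', hide it between two non-singular linear maps S and T, and publish the resulting polynomials. The following Python program is an added illustration of that pipeline and is not code from the patent or from its inventors. It assumes its own, much smaller, parameters (quasigroups of order 2^3 on 3-bit chunks and a 9-bit block, not the 5-bit chunks and 20-bit block of the example), uses its own candidate family for the random search (x*y = x + U(x)·y with U unit upper-triangular and entries affine in x, chosen so that every coordinate has degree at most 2 while the Latin-square property still has to be tested), and omits the Dobbertin bijection of step 8, so the first chunk of P' stays linear. The public key is obtained as in claim 3: the algebraic normal form of each output bit of T ∘ P' ∘ S, computed from its truth table.

```python
# Toy MQQ-style trapdoor, added illustration (not the patent's own code): random search
# for quadratic quasigroups, T o P' o S, public key as GF(2) polynomials, encrypt/decrypt.
import random

D, K = 3, 3     # assumed toy sizes: quasigroup order 2**D, K chunks, block length N bits
N = D * K

def bits(v, n):  # little-endian bit list of integer v
    return [(v >> i) & 1 for i in range(n)]

def unbits(b):
    return sum(bit << i for i, bit in enumerate(b))

def anf(truth):
    """Moebius transform: truth table (indexed by input integer) -> ANF as a set of
    monomials, each a tuple of variable indices; () is the constant 1."""
    f, n = list(truth), len(truth).bit_length() - 1
    for i in range(n):
        for m in range(len(f)):
            if m & (1 << i):
                f[m] ^= f[m ^ (1 << i)]
    return {tuple(t for t in range(n) if (m >> t) & 1) for m in range(len(f)) if f[m]}

def candidate_quasigroup(rng):
    """Candidate x*y = x + U(x)*y, U unit upper-triangular with entries affine in x
    (assumed family): degree <= 2 by construction, a Latin square only for some
    coefficient choices, so every candidate has to be tested (claim 6)."""
    a = {(i, j, t): rng.randint(0, 1) for i in range(D)
         for j in range(i + 1, D) for t in range(D + 1)}    # t == D: constant term
    def coord(i, xb, yb):  # i-th output bit of x*y; yb[j] & (...) is the parity of (...)
        return xb[i] ^ yb[i] ^ sum(yb[j] & (a[i, j, D] + sum(a[i, j, t] & xb[t] for t in range(D)))
                                   for j in range(i + 1, D)) & 1
    return [[unbits([coord(i, bits(x, D), bits(y, D)) for i in range(D)])
             for y in range(2 ** D)] for x in range(2 ** D)]

def is_latin(table):
    full = set(range(len(table)))
    return all(set(r) == full for r in table) and all(set(c) == full for c in zip(*table))

def mqq_type(table):
    """(quadratic, linear) coordinate counts of x*y over the 2*D input bits (x, y)."""
    degs = [max(map(len, anf([(table[m & (2 ** D - 1)][m >> D] >> i) & 1 for m in range(4 ** D)])))
            for i in range(D)]
    return sum(d == 2 for d in degs), sum(d <= 1 for d in degs)

def find_mqq(rng, max_tries=5000):
    """Generate, test, select: first candidate that is a Latin square with a quadratic coordinate."""
    for _ in range(max_tries):
        table = candidate_quasigroup(rng)
        if is_latin(table) and mqq_type(table)[0] >= 1:
            return table
    raise RuntimeError("no MQQ found")

def gf2_inverse(m):
    """Gauss-Jordan inverse over GF(2), or None if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next((r for r in range(c, n) if aug[r][c]), None)
        if p is None:
            return None
        aug[c], aug[p] = aug[p], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [u ^ v for u, v in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def rand_invertible(n, rng):  # random non-singular GF(2) matrix and its inverse
    while True:
        m = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n)]
        if (inv := gf2_inverse(m)) is not None:
            return m, inv

def matvec(m, v):
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in m]

def keygen(seed=1):
    """Private key (claim 5): S^-1, T^-1 and the K-1 selected quasigroups.
    Public key (claims 3, 10): the ANF of every output bit of T o P' o S."""
    rng = random.Random(seed)
    qs = [find_mqq(rng) for _ in range(K - 1)]
    S, S_inv = rand_invertible(N, rng)
    T, T_inv = rand_invertible(N, rng)
    def p_prime(v):   # y_1 = x_1, y_i = x_{i-1} * x_i: bijective and quadratic
        x = [unbits(v[i * D:(i + 1) * D]) for i in range(K)]
        y = [x[0]] + [qs[i - 1][x[i - 1]][x[i]] for i in range(1, K)]
        return [b for c in y for b in bits(c, D)]
    outs = [matvec(T, p_prime(matvec(S, bits(m, N)))) for m in range(2 ** N)]
    return [anf([o[i] for o in outs]) for i in range(N)], (S_inv, T_inv, qs)

def encrypt(public, msg):   # claim 11: evaluate the N public polynomials on msg
    return [sum(all(msg[t] for t in mono) for mono in poly) & 1 for poly in public]

def decrypt(private, ct):   # claim 14: undo T, each quasigroup by left division, then S
    S_inv, T_inv, qs = private
    z = matvec(T_inv, ct)
    zc = [unbits(z[i * D:(i + 1) * D]) for i in range(K)]
    xc = [zc[0]]
    for i in range(1, K):
        xc.append(qs[i - 1][xc[i - 1]].index(zc[i]))   # x_{i-1} \ z_i
    return matvec(S_inv, [b for c in xc for b in bits(c, D)])
```

keygen(seed) returns the public polynomials (one set of monomials per output bit) and the private key; every public polynomial has degree at most 2, and at least one has degree exactly 2, because T and S are non-singular and the selected quasigroups have a quadratic coordinate. mqq_type reports how many coordinates of x*y are quadratic and how many linear; in this family the last coordinate is always linear, and the first chunk of P' stays linear because the Dobbertin step is omitted, so the program demonstrates the structure of the trapdoor only. A 9-bit block is trivially invertible by exhaustive search and nothing here is a usable parameter set.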
PCT/GB2009/000761 2008-03-20 2009-03-20 Encryption method WO2009115824A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0805271.4 2008-03-20
GB0805271A GB0805271D0 (en) 2008-03-20 2008-03-20 Encryption method

Publications (1)

Publication Number Publication Date
WO2009115824A1 true WO2009115824A1 (en) 2009-09-24

Family

ID=39386588

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2009/000761 WO2009115824A1 (en) 2008-03-20 2009-03-20 Encryption method

Country Status (2)

Country Link
GB (1) GB0805271D0 (en)
WO (1) WO2009115824A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8958560B2 (en) 2010-06-02 2015-02-17 Cisco Technology Inc. Efficient multivariate signature generation
US20150106622A1 (en) * 2012-09-25 2015-04-16 Sony Corporation Information processing device, information processing method, and program
CN105099693A (en) * 2014-05-23 2015-11-25 华为技术有限公司 Transmission method and transmission device
WO2020223691A1 (en) * 2019-05-01 2020-11-05 Baffle, Inc. System and method for adding and comparing integers encrypted with quasigroup operations in aes counter mode encryption
WO2020231762A1 (en) * 2019-05-14 2020-11-19 Baffle Inc. System and method for performing equality and less than operations on encrypted data with quasigroup operations
US11424909B1 (en) 2018-12-12 2022-08-23 Baffle, Inc. System and method for protecting data that is exported to an external entity
US11637690B1 (en) 2021-10-08 2023-04-25 Baffle, Inc. Format preserving encryption (FPE) system and method for long strings

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
CHRISTOPHER WOLF, BART PRENEEL: "Equivalent Keys in Multivariate Quadratic Public Key Systems", K.U.LEUVEN, ESAT-COSIC, 22 December 2005 (2005-12-22), pages 1 - 19, XP002532413, Retrieved from the Internet <URL:http://citeseerx.ist.psu.edu/viewdoc/similar?doi=10.1.1.60.4311&type=ab> [retrieved on 20090616] *
DANILO GLIGOROSKI: "Candidate One-Way Functions and One-Way Permutations Based on Quasigroup String Transformations", INTERNET CITATION, XP002419058, Retrieved from the Internet <URL:http://eprint.iacr.org/2005/352.pdf> [retrieved on 20070208] *
FARSHID DELGOSHA ET AL: "Multivariate Signature using Algebraic Techniques", INFORMATION THEORY, 2006 IEEE INTERNATIONAL SYMPOSIUM ON, IEEE, PI, 1 July 2006 (2006-07-01), pages 917 - 921, XP031032345, ISBN: 978-1-4244-0505-3 *
KOSCIELNY C ET AL: "A quasigroup-based public-key cryptosystem", 1 January 1999, APPLIED MATHEMATICS AND COMPUTER SCIENCE, HIGHER COLLEGE OF ENGINEERING, ZIELONA GORA, PL, PAGE(S) 955 - 963, ISSN: 0867-857X, XP002205929 *
NICOLAS T. COURTOIS: "Short Signatures, Provable Security and Generic Attacks for Multivariate Polynomial Schemes such as HFE, Quartz and Sflash", 15 January 2004, AXALTO CRYPTOGRAPHIC RESEARCH & ADVANCED SECURITY, FRANCE, XP002532414 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8958560B2 (en) 2010-06-02 2015-02-17 Cisco Technology Inc. Efficient multivariate signature generation
US20150106622A1 (en) * 2012-09-25 2015-04-16 Sony Corporation Information processing device, information processing method, and program
US9577827B2 (en) * 2012-09-25 2017-02-21 Sony Corporation Information processing device, information processing method, and program
CN105099693A (en) * 2014-05-23 2015-11-25 华为技术有限公司 Transmission method and transmission device
CN105099693B (en) * 2014-05-23 2018-10-19 华为技术有限公司 A kind of transmission method and transmitting device
US11424909B1 (en) 2018-12-12 2022-08-23 Baffle, Inc. System and method for protecting data that is exported to an external entity
WO2020223691A1 (en) * 2019-05-01 2020-11-05 Baffle, Inc. System and method for adding and comparing integers encrypted with quasigroup operations in aes counter mode encryption
US11101980B2 (en) 2019-05-01 2021-08-24 Baffle, Inc. System and method for adding and comparing integers encrypted with quasigroup operations in AES counter mode encryption
WO2020231762A1 (en) * 2019-05-14 2020-11-19 Baffle Inc. System and method for performing equality and less than operations on encrypted data with quasigroup operations
US11190339B2 (en) 2019-05-14 2021-11-30 Baffle, Inc. System and method for performing equality and less than operations on encrypted data with quasigroup operations
US11637690B1 (en) 2021-10-08 2023-04-25 Baffle, Inc. Format preserving encryption (FPE) system and method for long strings

Also Published As

Publication number Publication date
GB0805271D0 (en) 2008-04-30

Similar Documents

Publication Publication Date Title
Rodriguez-Henriquez et al. A brief introduction to modern cryptography
JP2020052393A (en) Post-quantum asymmetric key encryption system with one-to-many distributed key management based on double encapsulation of prime modulo
US20100166174A1 (en) Hash functions using elliptic curve cryptography
NZ277128A (en) Public key encryption system and mixture generator
JP7328969B2 (en) Cryptographic system and method
US8705740B2 (en) Elliptic curve-based message authentication code system and method
US20100169658A1 (en) Elliptic curve-based message authentication code
JP2012019559A (en) Custom static diffie-hellman groups
US20140317407A1 (en) Incremental mac tag generation device, method, and program, and message authentication device
WO2009115824A1 (en) Encryption method
Walia et al. Implementation of new modified MD5-512 bit algorithm for cryptography
CN112187461A (en) Weapon equipment data hybrid encryption method based on encryption algorithm
Vambol et al. McEliece and Niederreiter Cryptosystems Analysis in the Context of Post-Quantum Network Security
Heninger RSA, DH, and DSA in the Wild
Rui et al. A k-RSA algorithm
CN116094716A (en) Text encryption and decryption method, system and equipment based on elliptic curve cryptography
Schaefer An introduction to cryptography and Cryptanalysis
WO2022172041A1 (en) Asymmetric cryptographic schemes
US20130058483A1 (en) Public key cryptosystem and technique
Encinas et al. Maple implementation of the Chor-Rivest cryptosystem
CN112367159A (en) Medical data safety storage oriented hybrid encryption and decryption method and system
CA2642399C (en) Collision-resistant elliptic curve hash functions
Ariffin et al. AA β public key cryptosystem-A comparative analysis against RSA and ECC
Farik et al. The need for quantum-resistant cryptography in classical computers
Irawadi Discrete Logarithmic Improvement for ElGamal Cryptosystem Using Matrix Concepts

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09721493

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09721493

Country of ref document: EP

Kind code of ref document: A1