Multivariate Encryption Schemes Based on Polynomial Equations over Real Numbers

Abstract

The MQ problem, an NP-complete problem, is related to the security of Multivariate Public Key Cryptography (MPKC). Its variant, the constrained MQ problem, was first considered in constructing secure multivariate encryption schemes using the pq-method proposed at ProvSec2018. In this paper, we propose an encryption scheme named PERN, whose key space completely includes that of the pq-method. The decryption of PERN uses methods of solving nonlinear equations over the real numbers, which is different from the decryption of the existing encryption schemes in MPKC. The construction of PERN is fairly flexible, which enables us to construct a multivariate encryption scheme, whose public key consists of multivariate polynomials of degree 2, 3 or higher degrees while constraining its public key to a reasonable size.

ASolving Algorithms of Nonlinear Equations Except For the Levenberg-Marquardt Method

Steepest Decent Method

[Input]   \(H(\mathbf {x})\), an odd number \(L\in \mathbb {Z}_{>0},\ \alpha ,\beta ,\gamma \in (0,1)\).

[Output] A (constrained) solution of \(H(\mathbf {x})=\mathbf {0}\) with integer components.

• 1. Choose \(\mathbf {x}_0\in [-(L-1)/2,(L-1)/2]^{\,n}\) in the range of real numbers randomly.

• 2. Repeat (2-1)–(2-4):

  • 2-1. Compute \(\mathbf {d}_0=-H(\mathbf {x}_0)J_H(\mathbf {x}_0)\).

  • 2-2. Compute the minimal non-negative integer l satisfying the following condition, and set \(t_0=\beta ^l\).

    $$\begin{aligned} \theta (\mathbf {x}_0+\beta ^l\mathbf {d}_0)-\theta (\mathbf {x}_0)\le -\alpha \beta ^l\Vert \mathbf {d}_0\Vert _2^{\,2}. \end{aligned}$$

  • 2-3.\(\mathbf {x}_0\leftarrow \mathbf {x}_0+t_0\mathbf {d}_0\).

  • 2-4. If \(\Vert t_0\mathbf {d}_0\Vert _{\infty }<\gamma \) then finish the loop, and move to 3.

• 3.\(\tilde{\mathbf {x}}_0\leftarrow \text {round}(\mathbf {x}_0)\).

• 4. If \(H(\tilde{\mathbf {x}}_0)=\mathbf {0}\) then output \(\tilde{\mathbf {x}}_0\), otherwise go back to 1.

Quasi-Newton Method

[Input]   \(H(\mathbf {x})\), an odd number \(L\in \mathbb {Z}_{>0},\ \alpha ,\beta ,\gamma \in (0,1)\).

[Output] A (constrained) solution of \(H(\mathbf {x})=\mathbf {0}\) with integer components.

• 1. Choose \(\mathbf {x}_0\in [-(L-1)/2,(L-1)/2]^{\,n}\) in the range of real numbers randomly.

• 2. Compute \(\mathbf {e}_1=-H(\mathbf {x}_0)J_H(\mathbf {x}_0)\).

• 3. Compute \(B=(J_H(\mathbf {x}_0)^{\mathsf {T}}J_H(\mathbf {x}_0))^{-1}\).

• 4. Repeat (4-1)–(4-8):

  • 4-1. Compute \(\mathbf {d}_0=\mathbf {e}_1\, B\).

  • 4-2. Compute the minimal non-negative integer l satisfying the following condition, and set \(t_0=\beta ^l\).

    $$\begin{aligned} \theta (\mathbf {x}_0+\beta ^l\mathbf {d}_0)-\theta (\mathbf {x}_0)\le -\alpha \beta ^l\mathbf {e}_1\mathbf {d}_0^{\mathsf {T}}. \end{aligned}$$

  • 4-3.   \(\mathbf {s}_0=t_0\mathbf {d}_0,\ \ \mathbf {x}_0\leftarrow \mathbf {x}_0+\mathbf {s}_0\).

  • 4-4. If \(\Vert \mathbf {s}_0\Vert _{\infty }<\gamma \) then finish the loop, and move to 5.

  • 4-5.   \(\mathbf {e}_2\leftarrow \mathbf {e}_1.\)

  • 4-6. Compute \(\mathbf {e}_1=-H(\mathbf {x}_0)J_H(\mathbf {x}_0)\).

  • 4-7.   \(\mathbf {y}_0=\mathbf {e}_1-\mathbf {e}_2\).

  • 4-8.   \(B\leftarrow B-\frac{\mathbf {s}_0^{\mathsf {T}}\cdot \,\mathbf {y}_0B\,+\,(\mathbf {y}_0 B)^{\mathsf {T}}\cdot \,\mathbf {s}_0}{(\mathbf {s}_0,\mathbf {y}_0)} +\left( 1+\frac{(\mathbf {y}_0, B \mathbf {y}_0)}{(\mathbf {s}_0,\mathbf {y}_0)}\right) \frac{\mathbf {s}_0^{\mathsf {T}}\cdot \, \mathbf {s}_0}{(\mathbf {s}_0,\mathbf {y}_0)}\).

• 5.\(\tilde{\mathbf {x}}_0\leftarrow \text {round}(\mathbf {x}_0)\).

• 6. If \(H(\tilde{\mathbf {x}}_0)=\mathbf {0}\) then output \(\tilde{\mathbf {x}}_0\), otherwise go back to 1.

Newton Method

[Input]   \(H(\mathbf {x})\), an odd number \(L\in \mathbb {Z}_{>0},\ \alpha ,\beta ,\gamma \in (0,1)\).

[Output] A (constrained) solution of \(H(\mathbf {x})=\mathbf {0}\) with integer components.

• 1. Choose \(\mathbf {x}_0\in [-(L-1)/2,(L-1)/2]^{\,n}\) in the range of real numbers randomly.

• 2. Repeat (2-1)–(2-6):

  • 2-1. Compute \(\mathbf {e}=-H(\mathbf {x}_0)J_H(\mathbf {x}_0)\).

  • 2-2. Compute the Hessian matrix \(S=\nabla ^2\theta (\mathbf {x}_0)\).

  • 2-3. Solve the linear equation \(\mathbf {x}\, S=\mathbf {e}\) in the range of real numbers, its solution is denoted by \(\mathbf {d}_0\).

  • 2-4. Compute the minimal non-negative integer l satisfying the following condition, and set \(t_0=\beta ^l\).

    $$\begin{aligned} \theta (\mathbf {x}_0+\beta ^l\mathbf {d}_0)-\theta (\mathbf {x}_0)\le -\alpha \beta ^l\mathbf {e}\,\mathbf {d}_0^{\mathsf {T}}. \end{aligned}$$

  • 2-5.\(\mathbf {x}_0\leftarrow \mathbf {x}_0+t_0\mathbf {d}_0\).

  • 2-6. If \(\Vert t_0\mathbf {d}_0\Vert _{\infty }<\gamma \) then finish the loop, and move to 3.

• 3.\(\tilde{\mathbf {x}}_0\leftarrow \text {round}(\mathbf {x}_0)\).

• 4. If \(H(\tilde{\mathbf {x}}_0)=\mathbf {0}\) then output \(\tilde{\mathbf {x}}_0\), otherwise go back to 1.