Results 1  10
of
11
Hybrid approach for solving multivariate systems over finite fields
 JOURNAL OF MATHEMATICAL CRYPTOLOGY
, 2009
"... In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidences that our method brings a significant improvement in a very large context and we clearly d ..."
Abstract

Cited by 21 (9 self)
 Add to MetaCart
In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidences that our method brings a significant improvement in a very large context and we clearly define its limitations. The efficiency depends on the choice of the tradeoff. Our analysis gives an explicit way to choose the best tradeoff as well as an approximation. From our analysis, we present a new general algorithm to solve multivariate polynomial systems. Our theoretical results are experimentally supported by successful cryptanalysis of several multivariate schemes (TRMS, UOV,...). As a proof of concept, we were able to break the proposed parameters assumed to be secure until now. Parameters that resists to our method are also explicitly given. Our work permits to refine the parameters to be chosen for multivariate schemes.
MicroEliece: McEliece for Embedded Devices
"... Abstract. Most advanced security systems rely on publickey schemes based either on the factorization or the discrete logarithm problem. Since both problems are known to be closely related, a major breakthrough in cryptanalysis tackling one of those problems could render a large set of cryptosystems ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
Abstract. Most advanced security systems rely on publickey schemes based either on the factorization or the discrete logarithm problem. Since both problems are known to be closely related, a major breakthrough in cryptanalysis tackling one of those problems could render a large set of cryptosystems completely useless. The McEliece publickey scheme is based on the alternative security assumption that decoding unknown linear binary codes is NPcomplete. In this work, we investigate the efficient implementation of the McEliece scheme on embedded systems what was – up to date – considered a challenge due to the required storage of its large keys. To the best of our knowledge, this is the first time that the McEliece encryption scheme is implemented on a lowcost 8bit AVR microprocessor and a Xilinx Spartan3AN FPGA. 1
Cryptanalysis of Multivariate and OddCharacteristic HFE Variants
"... Abstract. We investigate the security of a generalization of HFE (multivariate and oddcharacteristic variants). First, we propose an improved version of the basic KipnisShamir key recovery attack against HFE. Second, we generalize the KipnisShamir attack to MultiHFE. The attack reduces to solve ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Abstract. We investigate the security of a generalization of HFE (multivariate and oddcharacteristic variants). First, we propose an improved version of the basic KipnisShamir key recovery attack against HFE. Second, we generalize the KipnisShamir attack to MultiHFE. The attack reduces to solve a MinRank problem directly on the public key. This leads to an improvement of a factor corresponding to the square of the degree of the extension field. We used recent results on MinRank to show that our attack is polynomial in the degree of the extension field. It appears that multiHFE is less secure than original HFE for equalsized keys. Finally, adaptations of our attack overcome several variants (i.e. minus modifier and embedding). As a proof of concept, we have practically broken the most conservative parameters given by Chen, Chen, Ding, Werner and Yang in 9 days for 256 bits security. All in all, our results give a more precise picture on the (in)security of several variants of HFE proposed these last years.
SSE implementation of multivariate pkcs on modern x86 cpus
 CHES 2009, LNCS
, 2009
"... Multivariate Public Key Cryptosystems (MPKCs) are often touted as futureproo ng the advent of the Quantum Computer. It also has been known for e ciency compared to traditional alternatives. However, this advantage seems to be eroding with the increase of arithmetic resources in modern CPUs and impr ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Multivariate Public Key Cryptosystems (MPKCs) are often touted as futureproo ng the advent of the Quantum Computer. It also has been known for e ciency compared to traditional alternatives. However, this advantage seems to be eroding with the increase of arithmetic resources in modern CPUs and improved algorithms, especially with respect to ECC. We show that the same hardware advances do not necessarily just favor ECC. The same modern commodity CPUs also have an overabundance of small integer arithmetic/logic resources, embodied by SSE2 or other vector instruction set extensions, that are also useful for MPKCs. On CPUs supporting Intel's SSSE3 instructions, we achieve a 4 × speedup over prior implementations of Rainbowtype systems (such as the ones implemented in hardware by Bogdanov et al. at CHES 2008) in both public and private map operations. Furthermore, if we want to implement MPKCs for all general purpose 64bit CPUs from Intel and AMD, we can switch to MPKC over elds of relatively small odd prime characteristics. For example, by taking advantage of SSE2 instructions, Rainbow over F31 can be up to 2 × faster than prior implementations of samesized systems over F16. A key advance is in implementing Wiedemann instead of Gaussian system solvers. We explain the techniques and design choices in implementing our chosen MPKC instances, over representative elds such as F31, F16 and F256. We believe that our results can easily carry over to modern FPGAs, which often contain a large number of multipliers in the form of DSP slices, o ering superior computational power to odd eld MPKCs.
PublicKey Cryptography from New Multivariate Quadratic Assumptions
, 2012
"... In this work, we study a new multivariate quadratic (MQ) assumption that can be used to construct publickey encryptions. In particular, we research in the following two directions: • We establish a precise asymptotic formulation of a family of hard MQ problems, and provide empirical evidence to con ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
In this work, we study a new multivariate quadratic (MQ) assumption that can be used to construct publickey encryptions. In particular, we research in the following two directions: • We establish a precise asymptotic formulation of a family of hard MQ problems, and provide empirical evidence to confirm the hardness. • We construct publickey encryption schemes, and prove their security under the hardness assumption of this family. Also, we provide a new perspective to look at MQ systems that plays a key role to our design and proof of security. As a consequence, we construct the first publickey encryption scheme that is provably secure under the MQ assumption. Moreover, our publickey encryption scheme is efficient in the sense that it only needs a ciphertext length L + poly(k) to encrypt a message M ∈ {0, 1} L for any unprespecified polynomial L, where k is the security parameter. This is essentially optimal since an additive overhead is the best we can hope for. 1
Practical latticebased cryptography: A signature scheme for embedded systems
 of LNCS
, 2012
"... Abstract. Nearly all of the currently used and welltested signature schemes (e.g. RSA or DSA) are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. Further algorithmic advances on these problems may lead to the unpleasant situation that a lar ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. Nearly all of the currently used and welltested signature schemes (e.g. RSA or DSA) are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. Further algorithmic advances on these problems may lead to the unpleasant situation that a large number of schemes have to be replaced with alternatives. In this work we present such an alternative – a signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in latticebased cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 12000 and 2000 bits long, while the signature size is approximately 9000 bits for a security level of around 100 bits. The implementation results on reconfigurable hardware (Spartan/Virtex 6) are very promising and show that the scheme is scalable, has low area consumption, and even outperforms some classical schemes.
L.: Cryptanalysis of HFE, multiHFE and Variants for Odd and Even Characteristic. Des
 Codes Cryptography
, 2012
"... investigate in this paper the security of HFE and MultiHFE schemes as well as their minus and embedding variants. MultiHFE is a generalization of the wellknown HFE schemes. The idea is to use a multivariate quadratic system – instead of a univariate polynomial in HFE – over an extension field as ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
investigate in this paper the security of HFE and MultiHFE schemes as well as their minus and embedding variants. MultiHFE is a generalization of the wellknown HFE schemes. The idea is to use a multivariate quadratic system – instead of a univariate polynomial in HFE – over an extension field as a private key. According to the authors, this should make the classical direct algebraic (messagerecovery) attack proposed by Faugère and Joux on HFE no longer efficient against MultiHFE. We consider here the hardness of the keyrecovery in MultiHFE and its variants, but also in HFE (both for odd and even characteristic). We first improve and generalize the basic key recovery proposed by Kipnis and Shamir on HFE. To do so, we express this attack as matrix/vector operations. In one hand, this permits to improve the basic KipnisShamir (KS) attack on HFE. On the other hand, this allows to generalize the attack on MultiHFE. Due to its structure, we prove that a MultiHFE scheme has much more equivalent keys than a basic HFE. This induces a structural weakness which can be exploited to adapt the KS attack against classical modifiers of multivariate schemes such as minus and embedding. Along the way, we discovered that the KS attack as initially described cannot be applied against HFE in characteristic 2. We have then strongly revised KS in characteristic 2 to make it work. In all cases, the cost of our attacks is related to the complexity of solving MinRank. Thanks to recent complexity results on this problem, we prove that our attack is polynomial in the degree of the extension field for all possible practical settings used in HFE and MultiHFE. This makes then MultiHFE less secure than basic HFE for equallysized keys. As a proof of concept, we have been able to practically break the most conservative proposed parameters of multiHFE in few days (256 bits security broken in 9 days).
unknown title
"... Abstract. In this paper, we present an efficient cryptanalysis of the socalled HM cryptosystem which was published at Asiacrypt’1999, and one perturbed version of HM. Until now, this scheme was exempt from cryptanalysis. We first present a distinguisher which uses a differential property of the publ ..."
Abstract
 Add to MetaCart
Abstract. In this paper, we present an efficient cryptanalysis of the socalled HM cryptosystem which was published at Asiacrypt’1999, and one perturbed version of HM. Until now, this scheme was exempt from cryptanalysis. We first present a distinguisher which uses a differential property of the public key. This distinguisher permits to break one perturbed version of HM. After that, we describe a practical messagerecovery attack against HM using Gröbner bases. The attack can be mounted in few hundreds seconds for recommended parameters. It turns out that algebraic systems arising in HM are easier to solve than random systems of the same size. Note that this fact provides another distinguisher for HM. Interestingly enough, we offer an explanation why algebraic systems arising in HM are easy to solve in practice. Briefly, this is due to the apparition of many new linear and quadratic equations during the Gröbner basis computation. More precisely, we provide an upper bound on the maximum degree reached during the Gröbner basis computation (a.k.a. the degree of regularity) of HM systems. For F2, which is the initial and usual setting of HM, the degree of regularity is upperbounded by 3. In general, this degree of regularity is upperbounded by 4. These bounds allow a polynomialtime solving of the system given by the public equations in any case. All in all, we consider that the HM scheme is broken for all practical parameters. 1
Designs, Codes and Cryptography manuscript No. (will be inserted by the editor) Cryptanalysis of HFE, MultiHFE and Variants for Odd and Even Characteristic
, 2012
"... Abstract We investigate in this paper the security of HFE and MultiHFE schemes as well as their minus and embedding variants. MultiHFE is a generalization of the wellknown HFE schemes. The idea is to use a multivariate quadratic system – instead of a univariate polynomial in HFE – over an extensi ..."
Abstract
 Add to MetaCart
Abstract We investigate in this paper the security of HFE and MultiHFE schemes as well as their minus and embedding variants. MultiHFE is a generalization of the wellknown HFE schemes. The idea is to use a multivariate quadratic system – instead of a univariate polynomial in HFE – over an extension field as a private key. According to the authors, this should make the classical direct algebraic (messagerecovery) attack proposed by Faugère and Joux on HFE no longer efficient against MultiHFE. We consider here the hardness of the keyrecovery in MultiHFE and its variants, but also in HFE (both for odd and even characteristic). We first improve and generalize the basic key recovery proposed by Kipnis and Shamir on HFE. To do so, we express this attack as matrix/vector operations. In one hand, this permits to improve the basic KipnisShamir (KS) attack on HFE. On the other hand, this allows to generalize the attack on MultiHFE. Due to its structure, we prove that a MultiHFE scheme has much more equivalent keys than a basic HFE. This induces a structural weakness which can be exploited to adapt the KS attack against classical modifiers of multivariate schemes such as minus and embedding. Along the way, we discovered that the KS attack as initially described cannot be applied against HFE in characteristic 2. We have then strongly revised KS in characteristic 2 to make it work. In all cases, the cost of our attacks is related to the complexity of solving MinRank. Thanks to recent complexity results on this problem, we prove that our attack is polynomial in the degree of the extension field for all possible practical settings used in HFE and MultiHFE. This makes then MultiHFE less secure than basic HFE for equallysized keys. As a proof of concept, we have been able to practically break the most conservative proposed parameters of multiHFE in few days (256 bits security broken in 9 days).