Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations. Cryptology ePrint Archive, Report 2005/077 (2005)

by Christopher Wolf, Bart Preneel
Results 11 - 17 of 17

unknown title

by Jean-Charles Faugère, Antoine Joux, Ludovic Perret, Joana Treger
In this paper, we present an efficient cryptanalysis of the so-called HM cryptosystem, which was published at Asiacrypt'1999, and of one perturbed version of HM. Until now, this scheme was exempt from cryptanalysis. We first present a distinguisher which uses a differential property of the public key. This distinguisher makes it possible to break one perturbed version of HM. After that, we describe a practical message-recovery attack against HM using Gröbner bases. The attack can be mounted in a few hundred seconds for recommended parameters. It turns out that algebraic systems arising in HM are easier to solve than random systems of the same size. Note that this fact provides another distinguisher for HM. Interestingly enough, we offer an explanation of why algebraic systems arising in HM are easy to solve in practice. Briefly, this is due to the appearance of many new linear and quadratic equations during the Gröbner basis computation. More precisely, we provide an upper bound on the maximum degree reached during the Gröbner basis computation (a.k.a. the degree of regularity) of HM systems. For F2, which is the initial and usual setting of HM, the degree of regularity is upper-bounded by 3. In general, this degree of regularity is upper-bounded by 4. These bounds allow a polynomial-time solving of the system given by the public equations in any case. All in all, we consider that the HM scheme is broken for all practical parameters.

Olivier Billet

by Carlos Cid, Jean-Charles Faugère (eds.), Claude Carlet, Pierre-Alain Fouque, Joachim von zur Gathen, Pierrick Gaudry, Jaime Gutierrez, Antoine Joux, Martin Kreuzer, Dongdai Lin, Ayoub Otmani, Ludovic Perret, Igor Shparlinski, Boaz Tsaban, Maria Isabel González Vasco, Valérie Gauthier Umaña, Gregor Le, Jean-Pierre Tillich
Abstract not found

LITTLE DRAGON TWO: AN EFFICIENT MULTIVARIATE PUBLIC KEY CRYPTOSYSTEM

by Rajesh P Singh, Anupam Saikia, B. K. Sarma
In 1998 [8], Patarin proposed an efficient cryptosystem called Little Dragon, which was a variant of the Matsumoto-Imai cryptosystem C*. However, Patarin later found that the Little Dragon cryptosystem is not secure [8], [3]. In this paper we propose a cryptosystem, Little Dragon Two, which is as efficient as the Little Dragon cryptosystem but secure against all known attacks. Like the Little Dragon cryptosystem, the public key of Little Dragon Two is of mixed type, that is, quadratic in plaintext and ciphertext variables. So the public key size of Little Dragon Two is equal to that of the Little Dragon cryptosystem. Our public key algorithm is bijective and can be used for both encryption and signatures.

Properties of the Discrete Differential with Cryptographic Applications

by Daniel Smith-Tone
Recently, the C*− signature scheme has been completely broken by Dubois et al. [2, 3]. As a consequence, the security of SFLASH and other multivariate public key systems has been impaired. The attacks presented in [2, 3] rely on a symmetry of the differential of the encryption mapping. In [1], Ding et al. experimentally justify the use of projection as a method of avoiding the new attack. In this paper, we derive some properties of the discrete differential, give a theoretical justification for the reparation in [1], and establish the exact context in which this attack is applicable. Key words: Matsumoto-Imai, multivariate public key cryptography, discrete differential, SFLASH, symmetry, HFE

Poly-Dragon: An efficient Multivariate Public Key Cryptosystem

by Rajesh P Singh, A. Saikia, B. K. Sarma , 2009
In this paper we propose an efficient multivariate public key cryptosystem. The public key of our cryptosystem contains polynomials of total degree three in plaintext and ciphertext variables: two in plaintext variables and one in ciphertext variables. However, it is possible to reduce the public key size by writing it as two sets of quadratic multivariate polynomials. The complexity of encryption in our public key cryptosystem is O(n^3), where n is the bit size, which is equivalent to other multivariate public key cryptosystems. For decryption we need only four exponentiations in the binary field. Our public key algorithm is bijective and can be used for encryption as well as for signatures.

Implementing Minimized Multivariate PKC on Low-Resource Embedded Systems

by Bo-Yin Yang, Chen-Mou Cheng, Bor-Rong Chen, Jiun-Ming Chen
Multivariate (or MQ) public-key cryptosystems (PKC) are alternatives to traditional PKCs based on large algebraic structures (e.g., RSA and ECC); they usually execute much faster than traditional PKCs on the same hardware. However, one major challenge in implementing multivariates in embedded systems is that the key size can be prohibitively large for applications with stringent resource constraints such as low-cost smart cards, sensor networks (e.g., Berkeley motes), and radio-frequency identification (RFID). In this paper, we investigate strategies for shortening the key of a multivariate PKC. We apply these strategies to the Tame Transformation Signatures (TTS) as an example and quantify the improvement in key size and running speed, both theoretically and via implementation. We also investigate ways to save die space and energy consumption in hardware, reporting on our ASIC implementation of TTS on a TSMC 0.25 µm process. Even without any key shortening, the current consumption of TTS is only 21 µA for computing a signature, using 22,000 gate equivalents and 16,000 100-kHz cycles (160 ms). With circulant-matrix key shortening, the numbers go down to 17,000 gates and 4,400 cycles (44 ms). We therefore conclude: besides representing a future-proofing investment against the emerging quantum computers, multivariates can be immediately useful in niches.

On Enumeration of Polynomial Equivalence Classes and Their Application to MPKC

by Dongdai Lin, Jean-Charles Faugère, Ludovic Perret, Tianze Wang
The Isomorphism of Polynomials (IP) is one of the most fundamental problems in multivariate public key cryptography (MPKC). In this paper, we introduce a new framework to study the counting problem associated to IP. Namely, we present tools of finite geometry that allow us to investigate the counting problem associated to IP. Precisely, we focus on enumerating or estimating the number of isomorphism equivalence classes of homogeneous quadratic polynomial systems. These problems are equivalent to finding the scale of the key space of a multivariate cryptosystem and the total number of different multivariate cryptographic schemes respectively, which might impact the security and the potential capability of MPKC. We also consider their applications in the analysis of a specific multivariate public key cryptosystem. Our results not only answer how many cryptographic schemes can be derived from monomials and how big the key space is for a fixed scheme, but also show that quite a few HFE cryptosystems are equivalent to a Matsumoto-Imai scheme.
© 2007-2010 The Pennsylvania State University