Results 1 - 7 of 7
Key Recovery on Hidden Monomial Multivariate Schemes
Cited by 10 (4 self)
Abstract. The problem we study in this paper is the key recovery problem on the C* schemes and generalizations where the quadratic monomial of C* (the product of two linear monomials) is replaced by a product of three or more linear monomials. This problem has been further generalized to any multivariate polynomial hidden by two invertible linear maps and named the Isomorphism of Polynomials (IP) problem by Patarin et al. Some cryptosystems have been built on this apparently hard problem, such as a traitor tracing scheme proposed by Billet and Gilbert. Here we show that if the hidden multivariate monomial is a quadratic monomial, as in SFLASH, or a cubic (or higher) monomial as in the traitor tracing scheme, then it is possible to recover an equivalent secret key in polynomial time O(n^d), where n is the number of variables and d is the degree of the public polynomials.
Could SFLASH be repaired?
, 2008
Cited by 5 (4 self)
The SFLASH signature scheme stood for a decade as the most successful cryptosystem based on multivariate polynomials, before an efficient attack was finally found in 2007. In this paper, we review its recent cryptanalysis and we notice that its weaknesses can all be linked to the fact that the cryptosystem is built on the structure of a large field. As the attack demonstrates, this richer structure can be accessed by an attacker by using the specific symmetry of the core function being used. Then, we investigate the effect of restricting this large field to a purely linear subset and we find that the symmetries exploited by the attack are no longer present. At a purely defensive level, this defines a countermeasure which can be used at a moderate overhead. On the theoretical side, this informs us of limitations of the recent attack and raises interesting remarks about the design itself of multivariate schemes.
The Multivariate Probabilistic Encryption Scheme MQQENC
Abstract. We propose a new multivariate probabilistic encryption scheme with decryption errors, MQQ-ENC, that belongs to the family of MQQ-based public key schemes. Similarly to MQQ-SIG, the trapdoor is constructed using quasigroup string transformations with multivariate quadratic quasigroups, and a minus modifier with a relatively small and fixed number of removed equations. To make the decryption possible and also efficient, we use a universal hash function to eliminate possibly wrong plaintext candidates. We show that, in this way, the probability of erroneous decryption becomes negligible. MQQ-ENC is defined over the fields F_{2^k} for any k ≥ 1, and can easily be extended to any F_{p^k}, for prime p. One important difference from MQQ-SIG is that in MQQ-ENC we use left MQQs (LMQQs) instead of bilinear MQQs. Our choice can be justified by our extensive experimental analysis that showed the superiority of the LMQQs over the bilinear MQQs for the design of MQQ-ENC. We apply the standard cryptanalytic techniques to MQQ-ENC, and from the results, we pose a plausible conjecture that the instances of the MQQ-ENC trapdoor are hard instances with respect to the MQ problem. Under this assumption, we adapt the Kobara-Imai conversion of the McEliece scheme for MQQ-ENC and prove that it provides IND-CCA security despite the negligible probability of decryption errors. We also recommend concrete parameters for MQQ-ENC for encryption of blocks of 128 bits for a security level of O(2^128).
An MQ/Code Cryptosystem Proposal
, 2013
We describe a new trapdoor (and PKC) proposal. The proposal is "multivariate quadratic" (it relies on the hardness of solving systems of quadratic equations); it is also code-based, and uses the code-scrambling technique of McEliece (1978). However, in the new proposal, the error-correcting code is not revealed in the public key, which protects against the leading attacks on McEliece's method.
Cryptography from tensor problems (draft)
, 2012
We describe a new proposal for a trapdoor one-way function. The new proposal belongs to the "multivariate quadratic" family but the trapdoor is different from existing methods, and is simpler. Known quantum algorithms do not appear to help an adversary attack this trapdoor (beyond the asymptotic square-root speedup which applies to all oracle search problems). Keywords: cryptography, multivariate quadratic cryptosystem, MinRank, tensor rank, post-quantum.
Cryptography from tensor problems
, 2012
This manuscript describes a proposal for a new trapdoor one-way function of the multivariate-quadratic type. It was first posted to the IACR preprint server in May 2012. Subsequently, Enrico Thomae and Christopher Wolf were able to determine that a small-minors MinRank attack works against this scheme. I would like to thank them for their close study of the proposal. The manuscript follows as originally posted, with the addition of a few references and a brief description of the successful attack (end of Section 4.1). Keywords: cryptography, multivariate quadratic cryptosystem, MinRank, tensor rank, post-quantum.