Hybrid approach for solving multivariate systems over finite fields
Journal of Mathematical Cryptology, 2009
Cited by 21 (9 self)
In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidence that our method brings a significant improvement in a very large context and we clearly define its limitations. The efficiency depends on the choice of the tradeoff. Our analysis gives an explicit way to choose the best tradeoff as well as an approximation. From our analysis, we present a new general algorithm to solve multivariate polynomial systems. Our theoretical results are experimentally supported by successful cryptanalysis of several multivariate schemes (TRMS, UOV, ...). As a proof of concept, we were able to break the proposed parameters assumed to be secure until now. Parameters that resist our method are also explicitly given. Our work permits refining the parameters to be chosen for multivariate schemes.
Cryptanalysis of GRINDAHL
Cited by 8 (4 self)
Due to recent breakthroughs in hash function cryptanalysis, some new hash schemes have been proposed. GRINDAHL is a novel hash function, designed by Knudsen, Rechberger and Thomsen and published at FSE 2007. It has the particularity that it follows the RIJNDAEL design strategy, with an efficiency comparable to SHA-256. This paper provides the first cryptanalytic work on this new scheme. We show that the 256-bit version of GRINDAHL is not collision resistant. With a work effort of approximately 2^112 hash computations, one can generate a collision. Key words: GRINDAHL, hash functions, RIJNDAEL.
Analysis of Multivariate Hash Functions
Cited by 6 (0 self)
We analyse the security of new hash functions whose compression function is explicitly defined as a sequence of multivariate equations. First we prove non-universality of certain proposals with sparse equations, and deduce trivial collisions holding with high probability. Then we introduce a method inspired by coding theory for solving underdefined systems with a low density of nonlinear monomials, and apply it to find collisions in certain functions. We also study the security of the message authentication codes HMAC and NMAC built on multivariate hash functions, and demonstrate that families of low-degree functions over GF(2) are neither pseudorandom nor unpredictable.
Multivariate public key cryptography
2009
Cited by 4 (0 self)
A multivariate public key cryptosystem (MPKC for short) has a set of (usually) quadratic polynomials over a finite field as its public map. Its main security assumption is backed by the NP-hardness of the problem of solving nonlinear equations over a finite field. This family is considered one of the major families of PKCs that could potentially resist even the powerful quantum computers of the future. There has been fast and intensive development in Multivariate Public Key Cryptography in the last two decades. Some constructions are not as secure as was claimed initially, but others are still viable. The paper gives an overview of multivariate public key cryptography and discusses the current status of research in this area.
Secure PRNGs from Specialized Polynomial Maps over Any Fq
Cited by 2 (2 self)
Berbain, Gilbert, and Patarin presented QUAD, a pseudo-random number generator (PRNG), at Eurocrypt 2006. QUAD (as PRNG and stream cipher) may be proved secure based on an interesting hardness assumption about the one-wayness of multivariate quadratic polynomial systems over F2. The original BGP proof only worked for F2 and left a gap to general Fq. We show that the result can be generalized to any arbitrary finite field Fq, and thus produces a stream cipher with alphabets in Fq. Further, we generalize the underlying hardness assumption to specialized systems in Fq (including F2) that can be evaluated more efficiently. Barring breakthroughs in the current state of the art for system solving, a rough implementation of a provably secure instance of our new PRNG is twice as fast and takes 1/10 the storage of an instance of QUAD with the same level of provable security. Recent results on specialization on security are also examined, and we conclude that our ideas are consistent with these new developments and complement them. This gives a clue that we may build secure primitives based on specialized polynomial maps which are more efficient.
Security Analysis of Multivariate Polynomials for Hashing
Cited by 1 (0 self)
In this paper, we investigate the security of a hash function based on the evaluation of multivariate polynomials [17]. The security of such a hash function is related to the difficulty of solving (underdefined) systems of algebraic equations. To solve these systems, we have used a general hybrid approach [8] mixing exhaustive search and Gröbner basis solving. This shows that this approach is general and can be used in several contexts. For the sparse construction, we have refined this strategy. From a practical point of view, we have been able to break several challenges proposed by Ding and Yang [17] in real time.
On the security of multivariate hash functions
Cited by 1 (1 self)
Multivariate hash functions are a type of hash function whose compression function is explicitly defined as a sequence of multivariate equations. Olivier Billet et al. have designed the hash function MQHASH and Jintai Ding et al. also propose a similar construction, whose security depends on the difficulty of solving randomly drawn systems of multivariate equations over a finite field. Finding a preimage or a collision can be reduced to solving the multivariate equations, which is a well-known NP-hard problem. To prove the security of MQHASH, the designers assume that a multivariate hash function is a pseudorandom number generator. In this paper, we analyze the security of multivariate hash functions and conclude that low-degree multivariate functions such as MQHASH are neither pseudorandom nor unpredictable. There may be trivial collisions and fixed-point attacks if the parameter of the compression function has been chosen. And they are also not computation-resistant, which makes MAC forgery easy.
Cube Testers and Key Recovery Attacks On
CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced-round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect nonrandomness over 885 rounds in 2^27, improving on the original 767-round cube attack.