Cryptanalysis of MinRank, 2008
Cited by 22 (11 self)
In this paper, we investigate the difficulty of one of the most relevant problems in multivariate cryptography, namely MinRank, about which no real progress has been reported since [19, 9]. Our starting point is the Kipnis-Shamir attack [19]. We first show new properties of the ideal generated by Kipnis-Shamir's equations. We then propose a new modeling of the problem. Concerning the practical resolution, we adopt a Gröbner basis approach that permitted us to actually solve challenges A and B proposed by Courtois in [8]. Using the multi-homogeneous structure of the algebraic system, we have been able to provide a theoretical complexity bound reflecting the practical behavior of our approach. Namely, when r′ (the dimension of the matrices minus the rank of the target matrix in the MinRank problem) is constant, we have a polynomial-time attack: O(ln(q) n^(3 r′^2)). For challenge C, we obtain a theoretical bound of 2^66.3 operations.
A Family of Weak Keys in HFE (and the Corresponding Practical Key-Recovery)
Cited by 3 (1 self)
The HFE (Hidden Field Equations) cryptosystem is one of the most interesting public-key multivariate schemes. It was proposed more than 10 years ago by Patarin and seems to withstand the attacks that break many other multivariate schemes, since only sub-exponential ones have been proposed against it. The public key is a system of quadratic equations in many variables. These equations are generated from the composition of the secret elements: two linear mappings and a polynomial of small degree over an extension field. In this paper we show that there exist weak keys in HFE when the coefficients of the internal polynomial are defined in the ground field. In this case, we reduce the secret key recovery problem to an instance of the Isomorphism of Polynomials (IP) problem between the equations of the public key and themselves. Even though for schemes such as SFLASH or C* the hardness of key recovery relies on the hardness of the IP problem, this is normally not the case for HFE, since the internal polynomial is kept secret. However, when a weak key is used, we show how to recover all the components of the secret key in practical time, given a solution to an instance of the IP problem. This breaks in particular a variant of HFE proposed by Patarin to reduce the size of the public key, called the “subfield variant”.
Analysis of the MQQ Public Key Cryptosystem
Cited by 2 (2 self)
MQQ is a multivariate cryptosystem based on multivariate quadratic quasigroups and the Dobbertin transformation [18]. The cryptosystem was broken both by Gröbner basis computation and by MutantXL [27]. The complexity of Gröbner basis computation is exponential in the degree of regularity, which is the maximum degree of the polynomials occurring during the computation. The authors of [27] observed that the degree of regularity for solving the MQQ system is bounded from above by a small constant. In this paper we go one step further in the analysis of MQQ. We explain why the degree of regularity for the MQQ system is bounded. The main result of this paper is that the complexity of solving the MQQ system is the minimum of the complexity of solving just one quasigroup block and that of solving the Dobbertin transformation. Furthermore, we show that the degree of regularity for solving the Dobbertin transformation is bounded from above by the same constant as the bound on the MQQ system. We then investigate the strength of a tweaked MQQ system where the input to the Dobbertin transformation is replaced with random linear equations. We find that the degree of regularity for this tweaked system varies both with the size of the quasigroups and with the number of variables. We conclude that if a suitable replacement for the Dobbertin transformation is found, MQQ can possibly be made strong enough to resist a pure Gröbner attack for correct choices of quasigroup size and number of variables.
Isomorphism of Polynomials: New Results
In this paper, we investigate the difficulty of the Isomorphism of Polynomials (IP) Problem as well as one of its variants, IP1S. The Isomorphism of Polynomials is a well-known problem studied in multivariate cryptography. It is related to the hardness of key recovery for some cryptosystems. The problem is the following: given two families of multivariate polynomials a and b, find two invertible linear (or affine) mappings S and T such that b = T ∘ a ∘ S. For IP1S, we suppose that T is the identity. It is known that the difficulty of such problems depends on the structure of the polynomials (i.e., homogeneous or not) and the nature of the transformations (affine or linear). Here, we analyze the different cases and propose improved algorithms. We precisely describe the situation in terms of complexity and sufficient conditions for the algorithms to work. The algorithms presented here combine linear algebra techniques, including the use of differentials, together with Gröbner bases. We show that random instances of IP1S with quadratic polynomials can be broken in time O(n^6), where n is the number of variables, independently of the number of polynomials. For IP1S with cubic polynomials, as well as for IP, we propose new algorithms of complexity O(n^6) if the polynomials of a are inhomogeneous and S, T are linear. In all the other cases, we propose an algorithm that requires O(n^6 q^n) computation. Finally, if a and b have a small number of non-trivial zeros, the complexity of solving the IP instance is reduced to O(n^6 + q^n). This allows one to break a public-key authentication scheme based on IP1S, and to break all the IP challenges proposed by Patarin in 1996 in practical time: the more secure parameters require less than 6 months of computation on 10 inexpensive GPUs.
A consequence of our results is that HFE can be broken in polynomial time if the secret transforms S and T are linear and if the internal polynomial is made public and contains linear and constant terms.
unknown title
The HFE (Hidden Field Equations) cryptosystem is one of the most interesting public-key multivariate schemes. It was proposed more than 10 years ago by Patarin and seems to withstand the attacks that break many other multivariate schemes, since only sub-exponential ones have been proposed against it. The public key is a system of quadratic equations in many variables. These equations are generated from the composition of the secret elements: two linear mappings and a polynomial of small degree over an extension field. In this paper we show that there exist weak keys in HFE when the coefficients of the internal polynomial are defined in the ground field. In this case, we reduce the secret key recovery problem to an instance of the Isomorphism of Polynomials (IP) problem between the equations of the public key and themselves. Even though for schemes such as SFLASH or C* the hardness of key recovery relies on the hardness of the IP problem, this is normally not the case for HFE, since the internal polynomial is kept secret. However, when a weak key is used, we show how to recover all the components of the secret key in practical time, given a solution to an instance of the IP problem. This breaks in particular a variant of HFE proposed by Patarin to reduce the size of the public key, called the “subfield variant”. Recovering the secret key takes a few minutes.
3.3. Symmetric Cryptography
Activity Report 2008, table of contents: 1. Team
Practical Key-Recovery For All Possible Parameters of SFLASH
In this paper we present a new practical key-recovery attack on the SFLASH signature scheme. SFLASH is a derivative of the older C* encryption and signature scheme, which was broken in 1995 by Patarin. In SFLASH, the public key is truncated, and this simple countermeasure prevents Patarin's attack. The scheme is well-known for having been considered secure and selected in 2004 by the NESSIE project of the European Union for standardization. However, SFLASH was practically broken in 2007 by Dubois, Fouque, Stern and Shamir. Their attack breaks the original (and most relevant) parameters, but does not apply when more than half of the public key is truncated. It is therefore possible to choose parameters such that SFLASH is not broken by the existing attacks, although it is less efficient. We show a key-recovery attack that breaks the full range of parameters in practice, as soon as the information-theoretically required amount of information is available from the public key. The attack uses new cryptanalytic tools, most notably pencils of matrices and quadratic forms.
On Enumeration of Polynomial Equivalence Classes and Their Application to MPKC
The Isomorphism of Polynomials (IP) is one of the most fundamental problems in multivariate public key cryptography (MPKC). In this paper, we introduce a new framework to study the counting problem associated to IP. Namely, we present tools from finite geometry that allow us to investigate the counting problem associated to IP. Precisely, we focus on enumerating or estimating the number of isomorphism equivalence classes of homogeneous quadratic polynomial systems. These problems are equivalent to finding the size of the key space of a multivariate cryptosystem and the total number of different multivariate cryptographic schemes, respectively, which might impact the security and the potential capability of MPKC. We also consider their applications in the analysis of a specific multivariate public key cryptosystem. Our results not only answer how many cryptographic schemes can be derived from monomials and how big the key space is for a fixed scheme, but also show that quite a few HFE cryptosystems are equivalent to a Matsumoto-Imai scheme.
Hash-based Multivariate Public Key
Many efficient attacks have appeared in recent years, which have dealt a serious blow to the traditional multivariate public key cryptosystems. For example, the signature scheme SFLASH was broken by Dubois et al. at CRYPTO'07, and the Square signature (or encryption) scheme by Billet et al. at ASIACRYPT'09. Most multivariate schemes known so far are insecure, except maybe the signature schemes UOV and HFEv. Following these new developments, it seems that the general design principle of multivariate schemes has been seriously questioned, and there is a rather pressing desire to find new trapdoor constructions or mathematical tools and ideas. In this paper, we introduce hash authentication techniques and combine them with the traditional MQ-trapdoors to propose a novel hash-based multivariate public key cryptosystem. The resulting scheme, called EMC (Extended Multivariate Cryptosystem), can also be seen as a novel hash-based cryptosystem like the Merkle tree signature, and it offers double security protection for signing or encrypting. By our analysis, we can construct not only a secure and efficient signature scheme but also an encryption scheme by using the EMC scheme combined with some modification methods summarized by Wolf. We thus present two new schemes: the EMC signature scheme (with the Minus method “-”) and the EMC encryption scheme (with the Plus method “+”). In addition, we also propose a reduced scheme of the EMC signature scheme (a lightweight signature scheme). Precise complexity estimates for these schemes are provided, but their security proofs in the random oracle model are still an open problem.