Results 1 
6 of
6
Multivariate polynomials for hashing
 In Inscrypt, Lecture Notes in Computer Science
, 2007
"... Abstract. We propose the idea of building a secure hash using quadratic or higher degree multivariate polynomials over a finite field as the compression function. We analyze some security properties and potential feasibility, where the compression functions are randomly chosen highdegree polynomials ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Abstract. We propose the idea of building a secure hash using quadratic or higher degree multivariate polynomials over a finite field as the compression function. We analyze some security properties and potential feasibility, where the compression functions are randomly chosen highdegree polynomials, and show that under some plausible assumptions, highdegree polynomials as compression functions has good properties. Next, we propose to improve on the efficiency of the system by using some specially designed polynomials generated by a small number of random parameters, where the security of the system would then relies on stronger assumptions, and we give empirical evidence for the validity of using such polynomials.
Secure PRNGs from Specialized Polynomial Maps over Any Fq
"... Abstract. Berbain, Gilbert, and Patarin presented QUAD, a pseudo random number generator (PRNG) at Eurocrypt 2006. QUAD (as PRNG and stream cipher) may be proved secure based on an interesting hardness assumption about the onewayness of multivariate quadratic polynomial systems over F2. The origina ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
Abstract. Berbain, Gilbert, and Patarin presented QUAD, a pseudo random number generator (PRNG) at Eurocrypt 2006. QUAD (as PRNG and stream cipher) may be proved secure based on an interesting hardness assumption about the onewayness of multivariate quadratic polynomial systems over F2. The original BGP proof only worked for F2 and left a gap to general Fq. We show that the result can be generalized to any arbitrary finite field Fq, and thus produces a stream cipher with alphabets in Fq. Further, we generalize the underlying hardness assumption to specialized systems in Fq (including F2) that can be evaluated more efficiently. Barring breakthroughs in the current stateoftheart for systemsolving, a rough implementation of a provably secure instance of our new PRNG is twice as fast and takes 1/10 the storage of an instance of QUAD with the same level of provable security. Recent results on specialization on security are also examined. And we conclude that our ideas are consistent with these new developments and complement them. This gives a clue that we may build secure primitives based on specialized polynomial maps which are more efficient.
On the security of multivariate hash functions
"... Abstract Multivariate hash functions are a type of hash functions whose compression function is explicitly defined as a sequence of multivariate equations. Olivier Billet etc. have designed the hash function MQHASH and Jintai Ding etc. also propose a similar construction, which the security depends ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract Multivariate hash functions are a type of hash functions whose compression function is explicitly defined as a sequence of multivariate equations. Olivier Billet etc. have designed the hash function MQHASH and Jintai Ding etc. also propose a similar construction, which the security depends on the difficulty of solving randomly drawn systems of multivariate equations over a finite field. Finding preimage and collision can be reduced to solve the multivariate equations, which is a well known NPhard problem. To prove the security of MQHASH, the designer assume that a multivariate hash function is a pseudorandom number generator. In this paper, we analyze the security of multivariate hash functions and conclude that low degree multivariate functions such as MQHASH are neither pseudorandom nor unpredictable. There may be trivial collisions and fixed point attacks if the parameter of the compression function has been chosen. And they are also not computationresistance, which makes MAC forgery easily.
Secure PRNGs from Specialized Polynomial Maps over Any Fq
, 2007
"... We prove that a random map drawn from any class C of polynomial maps from (Fq) n to (Fq) n+r that is (i) totally random in the a ne terms, and (ii) has a negligible chance of being not strongly oneway, provides a secure PRNG (hence a secure stream cipher) for any q. Plausible choices for C are semi ..."
Abstract
 Add to MetaCart
We prove that a random map drawn from any class C of polynomial maps from (Fq) n to (Fq) n+r that is (i) totally random in the a ne terms, and (ii) has a negligible chance of being not strongly oneway, provides a secure PRNG (hence a secure stream cipher) for any q. Plausible choices for C are semisparse (i.e., the a ne terms are truly random) systems and other systems that are easy to evaluate from a small (compared to a generic map) number of parameters. To our knowledge, there are no other positive results for provable security of specialized polynomial systems, in particular sparse ones (which are natural candidates to investigate for speed). We can build a family of provably secure stream ciphers a rough implementation of which at the same security level can be more than twice faster than an optimized QUAD (and any other provably secure stream ciphers proposed so far), and uses much less storage. This may also help build faster provably secure hashes. We also examine the e ects of recent results on specialization on security, e.g., AumassonMeier (ICISC 2007), which precludes MerkleDamgård compression using polynomials systems uniformly very sparse in every degree from being universally collisionfree. We conclude that our ideas are consistent with and complements these new results. We think that we can build secure primitives based on specialized (versus generic) polynomial maps which are more e cient.
Interpreting Hash Function Security Proofs
"... Abstract. We provide a concrete security treatment of several “provably secure ” hash functions. Interpreting arguments behind MQHASH, FSB, SWIFFTX and VSH we identify similar lines of reasoning. We aim to formulate the main security claims in a language closer to that of attacks. We evaluate desig ..."
Abstract
 Add to MetaCart
Abstract. We provide a concrete security treatment of several “provably secure ” hash functions. Interpreting arguments behind MQHASH, FSB, SWIFFTX and VSH we identify similar lines of reasoning. We aim to formulate the main security claims in a language closer to that of attacks. We evaluate designers ’ claims of provable security and quantify them more precisely, deriving “second order ” bounds on bounds. While the authors of FSB, MQHASH and SWIFFT(X) prove existence of nontrivial lower bounds on security, we show that the quantification of the bounds limits the practical significance of the proofs.
Cube Testers and Key Recovery Attacks On
"... Abstract. CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a lowdegree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128bit key of a 14r ..."
Abstract
 Add to MetaCart
Abstract. CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a lowdegree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128bit key of a 14round MD6 with complexity 2 22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient propertytesting algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2 17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2 24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2 30 complexity and detect nonrandomness over 885 rounds in 2 27, improving on the original 767round cube attack.