Taxonomy of Public Key Schemes Based on the Problem of Multivariate Quadratic Equations (2005)

by Christopher Wolf, Bart Preneel
Results 1 - 10 of 17

Key Recovery on Hidden Monomial Multivariate Schemes

by Pierre-alain Fouque, Gilles Macario-rat, Jacques Stern
Cited by 9 (4 self)
Abstract. The problem we study in this paper is the key recovery problem on the C* schemes and generalizations where the quadratic monomial of C* (the product of two linear monomials) is replaced by a product of three or more linear monomials. This problem has been further generalized to any multivariate polynomial hidden by two invertible linear maps and named the Isomorphism of Polynomials (IP) problem by Patarin et al. Some cryptosystems have been built on this appearing hard problem such as a traitor tracing scheme proposed by Billet and Gilbert. Here we show that if the hidden multivariate monomial is a quadratic monomial, as in SFLASH, or a cubic (or higher) monomial as in the traitor tracing scheme, then it is possible to recover an equivalent secret key in polynomial time O(n^d) where n is the number of variables and d is the degree of the public polynomials.

Hybrid approach for solving multivariate systems over finite fields

by Luk Bettale, Jean-charles Faugère, Ludovic Perret - JOURNAL OF MATHEMATICAL CRYPTOLOGY , 2009
Cited by 7 (3 self)
In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidence that our method brings a significant improvement in a very large context and we clearly define its limitations. The efficiency depends on the choice of the tradeoff. Our analysis gives an explicit way to choose the best tradeoff as well as an approximation. From our analysis, we present a new general algorithm to solve multivariate polynomial systems. Our theoretical results are experimentally supported by successful cryptanalysis of several multivariate schemes (TRMS, UOV,...). As a proof of concept, we were able to break the proposed parameters assumed to be secure until now. Parameters that resist our method are also explicitly given. Our work permits refining the parameters to be chosen for multivariate schemes.

Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves

by Andrey Bogdanov, Thomas Eisenbarth, Christopher Wolf, 2008
Cited by 6 (1 self)
In this paper ways to efficiently implement public-key schemes based on Multivariate Quadratic polynomials (MQ-schemes for short) are investigated. In particular, they are claimed to resist quantum computer attacks. It is shown that such schemes can have a much better time-area product than elliptic curve cryptosystems. For instance, an optimised FPGA implementation of amended TTS is estimated to be over 50 times more efficient with respect to this parameter. Moreover, a general framework for implementing small-field MQ-schemes in hardware is proposed which includes a systolic architecture performing Gaussian elimination over composite binary fields.

Complexity Estimates for the F4 Attack on the Perturbed Matsumoto-Imai Cryptosystem

by J. Ding, J. E. Gower, D. Schmidt, C. Wolf, Z. Yin - In the proceedings of the Tenth IMA International Conference on Cryptography and Coding, LNCS, 2005
Cited by 4 (1 self)
Abstract. Though the Perturbed Matsumoto-Imai (PMI) cryptosystem is considered insecure due to the recent differential attack of Fouque, Granboulan, and Stern, even more recently Ding and Gower showed that PMI can be repaired with the Plus (+) method of externally adding as few as 10 randomly chosen quadratic polynomials. Since relatively few extra polynomials are added, the attack complexity of a Gröbner basis attack on PMI+ will be roughly equal to that of PMI. Using Magma's implementation of the F4 Gröbner basis algorithm, we attack PMI with parameters q = 2, 0 ≤ r ≤ 10, and 14 ≤ n ≤ 59. Here, q is the number of field elements, n the number of equations/variables, and r the perturbation dimension. Based on our experimental results, we give estimates for the running time for such an attack. We use these estimates to judge the security of some proposed schemes, and we suggest more efficient schemes. In particular, we estimate that an attack using F4 against the parameters q = 2, r = 5, n = 96 (suggested in [7]) has a time complexity of less than 2^50 3-DES computations, which would be considered insecure for practical applications.

Analysis of QUAD

by Bo-yin Yang, Owen Chia-hsin Chen, Daniel J. Bernstein, Jiun-ming Chen - the proceedings of Fast Software Encryption, 2007
Cited by 4 (0 self)
introduced QUAD, a parametrized family of stream ciphers. Speed reports were presented for QUAD instances with 160-bit state and output block over the fields GF(2), GF(16), and GF(256). A security reduction was seemingly implied provable for all fields, but "for simplicity" a proof was given for GF(2) only. This reduction deduces the infeasibility of attacks on QUAD from the hypothesized infeasibility (with an extra looseness factor) of attacks on the well-known hard problem of solving systems of multivariate quadratic equations over finite fields. This paper discusses both theoretical and practical aspects of attacking QUAD and of attacking the underlying hard problem. For example, this paper shows how to use XL-Wiedemann to break the GF(256) instance QUAD(256, 20, 20) in approximately 2^66 Opteron cycles, and to break the underlying hard problem in approximately 2^45 cycles. The analysis shows, for each of the QUAD parameters mentioned in the paper or the talk (as implementation reports), the implications and limitations of the security proofs, pointing out which QUAD instances are not, and which ones will never be proven secure. Empirical data backs up the theoretical conclusions; in particular, the 2^45-cycle attack was carried out successfully.

Multivariate Polynomials for Hashing

by Jintai Ding, Bo-yin Yang
Cited by 3 (0 self)
We propose the idea of building a secure hash using quadratic or higher degree multivariate polynomials over a finite field as the compression function, whose security relies on simple hard questions. We analyze some security properties and potential feasibility, where the compression functions are randomly chosen high-degree polynomials. Next, we propose to improve on the efficiency of the system by using some specially designed polynomials using composition of maps and certain sparsity property, where the security of the system would then rely on stronger assumptions.

ℓ-Invertible Cycles for Multivariate Quadratic (MQ) Public Key Cryptography

by Jintai Ding, Christopher Wolf, Bo-yin Yang
Cited by 2 (0 self)
Abstract. We propose a new basic trapdoor ℓIC (ℓ-Invertible Cycles) of the mixed field type for Multivariate Quadratic public key cryptosystems. This is the first new basic trapdoor since the invention of Unbalanced Oil and Vinegar in 1997. ℓIC can be considered an extended form of the well-known Matsumoto-Imai Scheme A (also MIA or C*), and shares some features of stagewise triangular systems. However ℓIC has very distinctive properties of its own. In practice, ℓIC is much faster than MIA, and can even match the speed of single-field MQ schemes.

Applicability of Public Key Infrastructures in Wireless Sensor Networks

by Rodrigo Roman, Cristina Alcaraz
Cited by 1 (0 self)
Abstract. Wireless Sensor Networks (WSN) are becoming a key technology in the support of pervasive and ubiquitous services. The previous notion of "PKC is too expensive for WSN" has changed partially due to the existence of new hardware and software prototypes based on Elliptic Curve Cryptography and other PKC primitives. Then, it is necessary to analyze whether it is both feasible and convenient to have a Public Key Infrastructure for sensor networks that would allow the creation of PKC-based services like Digital Signatures.

Nonlinear piece in hand perturbation vector method for enhancing security of multivariate public key cryptosystems

by Ryou Fujita, Kohtaro Tadaki, Shigeo Tsujii - Proc. PQCrypto 2008, Lecture
Cited by 1 (1 self)
Abstract. The piece in hand (PH) is a general scheme which is applicable to any reasonable type of multivariate public key cryptosystems for the purpose of enhancing their security. In this paper, we propose a new class PH method called NLPHPV (NonLinear Piece in Hand Perturbation Vector) method. Although our NLPHPV uses similar perturbation vectors as are used for the previously known internal perturbation method, this new method can avoid redundant repetitions in the decryption process. With properly chosen parameter sizes, NLPHPV achieves an observable gain in security from the original multivariate public key cryptosystem. We demonstrate these by both theoretical analyses and computer simulations against major known attacks and provide the concrete sizes of security parameters, with which we even expect the greater security against potential quantum attacks. Key words: public key cryptosystem, multivariate polynomial, multivariate public key cryptosystem, piece in hand concept, perturbation vector

unknown title

by Ludovic Perret, Jean-charles Faugère
Abstract. MQQ is a multivariate cryptosystem based on multivariate quadratic quasigroups and the Dobbertin transformation [18]. The cryptosystem was broken both by Gröbner bases computation and MutantXL [27]. The complexity of Gröbner bases computation is exponential in the degree of regularity, which is the maximum degree of polynomials occurring during the computation. The authors of [27] observed that the degree of regularity for solving the MQQ system is bounded from above by a small constant. In this paper we go one step further in the analysis of MQQ. We explain why the degree of regularity for the MQQ system is bounded. The main result of this paper is how the complexity of solving the MQQ system is the minimum complexity of solving just one quasigroup block and solving the Dobbertin transformation. Furthermore, we show that the degree of regularity for solving the Dobbertin transformation is bounded from above by the same constant as the bound on the MQQ system. We then investigate the strength of a tweaked MQQ system where the input to the Dobbertin transformation is replaced with random linear equations. We find that the degree of regularity for this tweaked system varies both in the size of the quasigroups and the number of variables. We conclude that if a suitable replacement for the Dobbertin transformation is found, MQQ can possibly be made strong enough to resist pure Gröbner attack for correct choices of quasigroups size and number of variables.
Developed at and hosted by The College of Information Sciences and Technology

© 2007-2010 The Pennsylvania State University