Results 1  10
of
39
Hybrid approach for solving multivariate systems over finite fields
 JOURNAL OF MATHEMATICAL CRYPTOLOGY
, 2009
"... In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidences that our method brings a significant improvement in a very large context and we clearly d ..."
Abstract

Cited by 37 (9 self)
 Add to MetaCart
(Show Context)
In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidences that our method brings a significant improvement in a very large context and we clearly define its limitations. The efficiency depends on the choice of the tradeoff. Our analysis gives an explicit way to choose the best tradeoff as well as an approximation. From our analysis, we present a new general algorithm to solve multivariate polynomial systems. Our theoretical results are experimentally supported by successful cryptanalysis of several multivariate schemes (TRMS, UOV,...). As a proof of concept, we were able to break the proposed parameters assumed to be secure until now. Parameters that resists to our method are also explicitly given. Our work permits to refine the parameters to be chosen for multivariate schemes.
Building secure tamelike multivariate publickey cryptosystems: The new TTS
 In ACISP 2005, volume 3574 of LNCS
, 2005
"... Abstract. Multivariate publickey cryptosystems (sometimes polynomialbased PKC’s or just multivariates) handle polynomials of many variables over relatively small fields instead of elements of a large ring or group. The “tamelike ” or “sparse ” class of multivariates are distinguished by the relat ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Multivariate publickey cryptosystems (sometimes polynomialbased PKC’s or just multivariates) handle polynomials of many variables over relatively small fields instead of elements of a large ring or group. The “tamelike ” or “sparse ” class of multivariates are distinguished by the relatively few terms that they have per central equation. We explain how they differ from the “bigfield ” type of multivariates, represented by derivatives of C ∗ and HFE, how they are better, and give basic security criteria for them. The last is shown to be satisfied by efficient schemes called “Enhanced TTS ” which is built on a combination of the OilandVinegar and Triangular ideas. Their security levels are estimated. In this process we summarize and in some cases, improve rankbased attacks, which seek linear combinations of certain matrices at given ranks. These attacks are responsible for breaking many prior multivariate designs. 1 Introduction: Multivariate
Timearea optimized publickey engines: MQcryptosystems as replacement for elliptic curves?
, 2008
"... In this paper ways to efficiently implement publickey schemes based on Multivariate Quadratic polynomials (MQschemes for short) are investigated. In particular, they are claimed to resist quantum computer attacks. It is shown that such schemes can have a much better timearea product than elliptic ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
(Show Context)
In this paper ways to efficiently implement publickey schemes based on Multivariate Quadratic polynomials (MQschemes for short) are investigated. In particular, they are claimed to resist quantum computer attacks. It is shown that such schemes can have a much better timearea product than elliptic curve cryptosystems. For instance, an optimised FPGA implementation of amended TTS is estimated to be over 50 times more efficient with respect to this parameter. Moreover, a general framework for implementing smallfield MQschemes in hardware is proposed which includes a systolic architecture performing Gaussian elimination over composite binary fields.
Key Recovery on Hidden Monomial Multivariate Schemes
"... Abstract. The problem we study in this paper is the key recovery problem on the C ∗ schemes and generalizations where the quadratic monomial of C ∗ (the product of two linear monomials) is replaced by a product of three or more linear monomials. This problem has been further generalized to any multi ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
Abstract. The problem we study in this paper is the key recovery problem on the C ∗ schemes and generalizations where the quadratic monomial of C ∗ (the product of two linear monomials) is replaced by a product of three or more linear monomials. This problem has been further generalized to any multivariate polynomial hidden by two invertible linear maps and named the Isomorphism of Polynomials (IP) problem by Patarin et al. Some cryptosystems have been built on this appearing hard problem such as a traitor tracing scheme proposed by Billet and Gilbert. Here we show that if the hidden multivariate monomial is a quadratic monomial, as in SFLASH, or a cubic (or higher) monomial as in the traitor tracing scheme, then it is possible to recover an equivalent secret key in polynomial time O(n d) where n is the number of variables and d is the degree of the public polynomials. 1
Analysis of QUAD
 THE PROCEEDINGS OF FAST SOFTWARE ENCRYPTION
, 2007
"... ... introduced QUAD, a parametrized family of stream ciphers. Speed reports were presented for QUAD instances with 160bit state and output block over the fields GF(2), GF(16), and GF(256). A security reduction was seemingly implied provable for all fields, but “for simplicity” a proof was given for ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
(Show Context)
... introduced QUAD, a parametrized family of stream ciphers. Speed reports were presented for QUAD instances with 160bit state and output block over the fields GF(2), GF(16), and GF(256). A security reduction was seemingly implied provable for all fields, but “for simplicity” a proof was given for GF(2) only. This reduction deduces the infeasibility of attacks on QUAD from the hypothesized infeasibility (with an extra looseness factor) of attacks on the wellknown hard problem of solving systems of multivariate quadratic equations over finite fields. This paper discusses both theoretical and practical aspects of attacking QUAD and of attacking the underlying hard problem. For example, this paper shows how to use XLWiedemann to break the GF(256) instance QUAD(256, 20, 20) in approximately 2 66 Opteron cycles, and to break the underlying hard problem in approximately 2 45 cycles. The analysis shows, for each of the QUAD parameters mentioned in the paper or the talk (as implementation reports), the implications and limitations of the security proofs, pointing out which QUAD instances are not, and which ones will never be proven secure. Empirical data backs up the theoretical conclusions; in particular, the 2 45cycle attack was carried out successfully.
A mediumeld multivariate publickey encryption scheme
 In CTRSA 2006, volume 3860 of LNCS
"... Abstract. Electronic commerce fundamentally requires two di erent publickey cryptographical primitives, for key agreement and authentication. We present the new encryption scheme MFE, and provide a performance and security review. MFE belongs to the MQ class, an alternative class of PKCs also terme ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Electronic commerce fundamentally requires two di erent publickey cryptographical primitives, for key agreement and authentication. We present the new encryption scheme MFE, and provide a performance and security review. MFE belongs to the MQ class, an alternative class of PKCs also termed PolynomialBased, or multivariate. They depend on multivariate quadratic systems being unsolvable. The classical trapdoors central to PKC's are modular exponentiation for RSA and discrete logarithms for ElGamal/DSA/ECC. But they are relatively slow and will be obsoleted by the arrival of QC (Quantum Computers). The argument for MQschemes is that they are usually faster, and there are no known QCassisted attacks on them. There are several MQ digital signature schemes being investigated today. But encryption (or key exchange schemes) are another story in fact, only two other MQencryption schemes remain unbroken. They are both built along big eld lines. In contrast MFE uses mediumsized eld extensions, which makes it faster. For security and e ciency, MFE employs an iteratively triangular decryption process which involves rational functions (called by some tractable rational maps) and taking square roots. We discuss how MFE avoids previously known pitfalls of this genre while addressing its security concerns.
SSE implementation of multivariate pkcs on modern x86 cpus
 CHES 2009, LNCS
, 2009
"... Multivariate Public Key Cryptosystems (MPKCs) are often touted as futureproo ng the advent of the Quantum Computer. It also has been known for e ciency compared to traditional alternatives. However, this advantage seems to be eroding with the increase of arithmetic resources in modern CPUs and impr ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Multivariate Public Key Cryptosystems (MPKCs) are often touted as futureproo ng the advent of the Quantum Computer. It also has been known for e ciency compared to traditional alternatives. However, this advantage seems to be eroding with the increase of arithmetic resources in modern CPUs and improved algorithms, especially with respect to ECC. We show that the same hardware advances do not necessarily just favor ECC. The same modern commodity CPUs also have an overabundance of small integer arithmetic/logic resources, embodied by SSE2 or other vector instruction set extensions, that are also useful for MPKCs. On CPUs supporting Intel's SSSE3 instructions, we achieve a 4 × speedup over prior implementations of Rainbowtype systems (such as the ones implemented in hardware by Bogdanov et al. at CHES 2008) in both public and private map operations. Furthermore, if we want to implement MPKCs for all general purpose 64bit CPUs from Intel and AMD, we can switch to MPKC over elds of relatively small odd prime characteristics. For example, by taking advantage of SSE2 instructions, Rainbow over F31 can be up to 2 × faster than prior implementations of samesized systems over F16. A key advance is in implementing Wiedemann instead of Gaussian system solvers. We explain the techniques and design choices in implementing our chosen MPKC instances, over representative elds such as F31, F16 and F256. We believe that our results can easily carry over to modern FPGAs, which often contain a large number of multipliers in the form of DSP slices, o ering superior computational power to odd eld MPKCs.
Implementing Minimized Multivariate PKC on LowResource Embedded Systems
"... Abstract. Multivariate (or MQ) publickey cryptosystems (PKC) are alternatives to traditional PKCs based on large algebraic structures (e.g., RSA and ECC); they usually execute much faster than traditional PKCs on the same hardware. However, one major challenge in implementing multivariates in embed ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Multivariate (or MQ) publickey cryptosystems (PKC) are alternatives to traditional PKCs based on large algebraic structures (e.g., RSA and ECC); they usually execute much faster than traditional PKCs on the same hardware. However, one major challenge in implementing multivariates in embedded systems is that the key size can be prohibitively large for applications with stringent resource constraints such as lowcost smart cards, sensor networks (e.g., Berkeley motes), and radiofrequency identification (RFID). In this paper, we investigate strategies for shortening the key of a multivariate PKC. We apply these strategies to the Tame Transformation Signatures (TTS) as an example and quantify the improvement in key size and running speed, both theoretically and via implementation. We also investigate ways to save die space and energy consumption in hardware, reporting on our ASIC implementation of TTS on a TSMC 0.25µm process. Even without any key shortening, the current consumption of TTS is only 21 µA for computing a signature, using 22,000 gate equivalents and 16,000 100kHz cycles (160 ms). With circulantmatrix key shortening, the numbers go down to 17,000 gates and 4,400 cycles (44 ms). We therefore conclude: besides representing a futureproofing investment against the emerging quantum computers, multivariates can be immediately useful in niches.
Complexity Estimates for the F4 Attack on the Perturbed MatsumotoImai Cryptosystem
 IN THE PROCEEDINGS OF THE TENTH IMA INTERNATIONAL CONFERENCE ON CRYPTOGRAPHY AND CODING, LNCS
, 2005
"... Though the Perturbed MatsumotoImai (PMI) cryptosystem is considered insecure due to the recent differential attack of Fouque, Granboulan, and Stern, even more recently Ding and Gower showed that PMI can be repaired with the Plus (+) method of externally adding as few as 10 randomly chosen quadrati ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
Though the Perturbed MatsumotoImai (PMI) cryptosystem is considered insecure due to the recent differential attack of Fouque, Granboulan, and Stern, even more recently Ding and Gower showed that PMI can be repaired with the Plus (+) method of externally adding as few as 10 randomly chosen quadratic polynomials. Since relatively few extra polynomials are added, the attack complexity of a Gröbner basis attack on PMI+ will be roughly equal to that of PMI. Using Magma’s implementation of the F4 Gröbner basis algorithm, we attack PMI with parameters q = 2, 0 ≤ r ≤ 10, and 14 ≤ n ≤ 59. Here, q is the number of field elements, n the number of equations/variables, and r the perturbation dimension. Based on our experimental results, we give estimates for the running time for such an attack. We use these estimates to judge the security of some proposed schemes, and we suggest more efficient schemes. In particular, we estimate that an attack using F4 against the parameters q = 2, r = 5, n = 96 (suggested in [7]) has a time complexity of less than 2 50 3DES computations, which would be considered insecure for practical applications.
Practical Cryptanalysis of the Identification Scheme Based on the Isomorphism of Polynomial with One Secret Problem
"... Abstract. This paper presents a practical cryptanalysis of the Identification Scheme proposed by Patarin at Crypto 1996. This scheme relies on the hardness of the Isomorphism of Polynomial with One Secret (IP1S), and enjoys shorter key than many other schemes based on the hardness of a combinatorial ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a practical cryptanalysis of the Identification Scheme proposed by Patarin at Crypto 1996. This scheme relies on the hardness of the Isomorphism of Polynomial with One Secret (IP1S), and enjoys shorter key than many other schemes based on the hardness of a combinatorial problem (as opposed to numbertheoretic problems). Patarin proposed concrete parameters that have not been broken faster than exhaustive search so far. On the theoretical side, IP1S has been shown to be harder than Graph Isomorphism, which makes it an interesting target. We present two new deterministic algorithms to attack the IP1S problem, and we rigorously analyze their complexity and success probability. We show that they can solve a (big) constant fraction of all the instances of degree two in polynomial time. We verified that our algorithms are very efficient in practice. All the parameters with degree two proposed by Patarin are now broken in a few seconds. The parameters with degree three can be broken in less than a CPUmonth. The identification scheme is thus quite badly broken. 1