## ℓ-Invertible Cycles for Multivariate Quadratic (MQ) Public Key Cryptography

Citations: 2 (0 self)

### BibTeX

```bibtex
@MISC{Ding_ℓ-invertiblecycles,
  author = {Jintai Ding and Christopher Wolf and Bo-yin Yang},
  title = {ℓ-Invertible Cycles for Multivariate Quadratic (MQ) Public Key Cryptography},
  year = {}
}
```

### Abstract

We propose a new basic trapdoor ℓIC (ℓ-Invertible Cycles) of the mixed field type for Multivariate Quadratic public key cryptosystems. This is the first new basic trapdoor since the invention of Unbalanced Oil and Vinegar in 1997. ℓIC can be considered an extended form of the well-known Matsumoto-Imai Scheme A (also MIA or C*), and shares some features of stagewise triangular systems. However, ℓIC has very distinctive properties of its own. In practice, ℓIC is much faster than MIA, and can even match the speed of single-field MQ schemes.

### Citations

879 | Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer - Shor - 1997
Citation context: ...PKCs. A common excuse given to study them is “for ecological diversity”, inevitably mentioning Quantum Computers that will easily break factoring and discrete-log-based PKCs (Shor’s algorithm [Sho97]). However, we hope to show that there is independent interest in studying MQ PKCs below. To construct a PKC, we need to be able to invert P′ efficiently. A simple method to build P′ for consequent ...

248 | A New Efficient Algorithm for Computing Gröbner Basis without Reduction to Zero: F5 - Faugère - 2002

134 | Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations - Courtois, Klimov, et al.

103 | Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases - Faugère, Joux - 2003
Citation context: ...modified ℓIC schemes with blocks of 24 and 32 bits (which are admittedly very small). 3.3 Gröbner Basis Computations Another important type of attack are Gröbner attacks as in the cryptanalysis of HFE [FJ03]. The most powerful algorithms known are of the Faugère-Lazard type. These essentially run eliminations on an extended Macaulay matrix, and include F4/F5 and what is known as XL [CKPS00, Fau99, Fau02]...

83 | Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt ’88 - Patarin - 1995
Citation context: ...is left to a later section because we only heard of it succeeding, and do not even have any details. 3.1 Patarin Relations We start with an extension of the Patarin relations used to cryptanalyse MIA [Pat95]. This was used by Fouque, Granboulan, and Stern to cryptanalyse the internally perturbed MIA encryption scheme (PMI/MIAi) [FGS05]. As is more customarily employed against symmetric cryptosystems, we ...

78 | On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations - Bardet, Faugère, et al. - 2004

62 | Algebraic Curves - An Introduction to Algebraic Geometry - Fulton - 1969
Citation context: ...we call it “ℓ-Invertible Cycles” (ℓIC). We will motivate this name later. 2.1 Basic Trapdoor A Cremona Transformation is a map on the projective plane that is quadratic in the homogeneous coordinates [Ful89]. A standard example is the map (A1, A2, A3) → (A2A3, A3A1, A1A2), which is easily checked to be well-defined. The map is uniquely and efficiently invertible when A1A2A3 ≠ 0. We extend this idea below to any i...

48 | New European Schemes for Signature, Integrity and Encryption (NESSIE)
Citation context: ... we have q = 2, n = 103 in Quartz [CGP01]. Choices for ℓIC are given in Sec. 5.3 and Table 1, respectively. Both trapdoors have a claimed security level of 2^80 3DES computations as required in NESSIE [NES]. Note that Quartz uses the underlying trapdoor four times to achieve very short signatures of 128 bit. This special construction is called a “Ch...

45 | Unbalanced Oil and Vinegar signature schemes - Kipnis, Patarin, et al.
Citation context: ...stantly. 3.4 Separation of Oil and Vinegar In the original 3IC, we see that variables corresponding to the components of A1 are only multiplied with those of A2 and A3. This makes for a UOV type of attack [KPG99] which has a complexity roughly proportional to n^4 q^d, where d is the difference between the size of the oil and vinegar sets. We can proceed similarly for other choices of ℓ. We see that the UOV attac...

39 | A new variant of the Matsumoto-Imai cryptosystem through perturbation - Ding - 2004

34 | Efficient Signature Schemes Based on Birational Permutations - Shamir - 1993
Citation context: ...ndividual components of x′ and y′. UOV: Unbalanced Oil and Vinegar ([Pat97, KPG99], Patarin et al). STS: Stepwise Triangular System (lectures in Japanese from ’85 – [TKI+86], Tsujii; in English, [Sha93]). Generalized later to its present form [GC00, WBP04]. Some primitives are composite, e.g., Medium Field Encryption (triangular stages [WYHL06]) or enTTS/TRMS/Rainbow [DS05b, WHL+05, YC05] (UOV sta...

31 | An overview of elliptic curve cryptography - Lopez, Dahab - 2011
Citation context: ...s means in particular that we do not have precise security estimations for higher security levels. 5.4 Implementation and Speed A good overview on implementing finite field operations can be found in [LD00]. Computing direct division in finite fields is given in [FW02]. Counting operations for the inversion formula in Lemma 1 over E = GF(q^k), we see that we need ℓ divisions, (ℓ − 2) multiplications, an...

29 | Algebraic Methods for Constructing Asymmetric Cryptosystems - Imai, Matsumoto - 1986
Citation context: ...aps, which we call “Modifiers”, from the following four previously known basic trapdoors: Mixed-Field (or “Big Field”): Operates over an extension field E = F^k. MIA: Matsumoto-Imai Scheme A or C* ([IM85], Imai-Matsumoto). HFE: Hidden Field Equations ([Pat96], Patarin), a generalization of MIA. Single-Field (or “True”): Works on the individual components of x′ and y′. UOV: Unbalanced Oil and Vinega...

29 | Taxonomy of public key schemes based on the problem of multivariate quadratic equations. Cryptology ePrint Archive, Report 2005/077 - Wolf, Preneel - 2005
Citation context: ...to be able to invert P′ efficiently. A simple method to build P′ for consequent inversion is a basic trapdoor, which can be combined or modified slightly to create variants. Using the terminology of [WP05b], we have a handful of systemic ways to create new central maps, which we call “Modifiers”, from the following four previously known basic trapdoors: Mixed-Field (or “Big Field”): Operates over an ext...

26 | Differential Cryptanalysis for Multivariate Schemes - Fouque, Granboulan, et al. - 2005
Citation context: ...t with an extension of the Patarin relations used to cryptanalyse MIA [Pat95]. This was used by Fouque, Granboulan, and Stern to cryptanalyse the internally perturbed MIA encryption scheme (PMI/MIAi) [FGS05]. As is more customarily employed against symmetric cryptosystems, we examine this multivariate differential: $P(A_1,\dots,A_\ell) - P(A_1-\delta_1,\dots,A_\ell-\delta_\ell) + P(\delta_1,\dots,\delta_\ell) = (A_1^{q^{\lambda_1}}\delta_2 + A_2\delta_1^{q^{\lambda_1}}, \dots, A_\ell^{q^{\lambda_\ell}}\dots$ ...

25 | Cryptanalysis of the TTM cryptosystem - Goubin, Courtois - 2000
Citation context: ...near combinations of the public matrices with certain specific ranks. Their initial cryptographical use was by Coppersmith-Stern-Vaudenay to break Birational Permutations [CSV93]. Goubin and Courtois [GC00] have the most straightforward exposition of rank attacks. Later extensions and analysis can be seen in [WBP04, YC05]. There are two distinct types: In one the cryptanalyst randomly tries to hit kerne...

24 | Asymptotic expansion of the degree of regularity for semi-regular systems of equations - Bardet, Faugère, et al. - 2005

19 | A fast and secure implementation of SFLASH - Akkar, Courtois, et al. - 2003
Citation context: ...]. In a nutshell, this translates to n squaring operations and n/2 multiplications in GF(q^n). Therefore, we obtain an overall workload of O(n^3). Tricks to speed this operation up can be found in [ACDG03]. In the case of HFE, the situation is even worse as we need to execute a complete root finding algorithm to invert the central mapping [CGP01]. Its running time is estimated to be in O(n^3 d^2 + n^2 ...

17 | Analysis of public key approach based on polynomial substitution - Fell, Diffie - 1985

16 | Rainbow, a new multivariable polynomial signature scheme - 2005

15 | Attacks on the birational permutation signature schemes - Coppersmith, Stern, et al. - 1993
Citation context: ...the private key by finding linear combinations of the public matrices with certain specific ranks. Their initial cryptographical use was by Coppersmith-Stern-Vaudenay to break Birational Permutations [CSV93]. Goubin and Courtois [GC00] have the most straightforward exposition of rank attacks. Later extensions and analysis can be seen in [WBP04, YC05]. There are two distinct types: In one the cryptanalyst...

15 | Inoculating multivariate schemes against differential cryptanalysis - Ding, Gower - 2006
Citation context: ...FE as PMI (“Perturbated Matsumoto-Imai”) and ipHFE respectively [Din04, DS05a]. We can also call them MIAi and HFEi. As PMI/MIAi has been broken in [FGS05], a new variant PMI+/MIAi+ has been proposed [DG06]. Due to space limitations we do not go into details, but we believe PMI+ unaffected by the attack from [FGS05]. Hence, combining the two modifications internal perturbation and plus allows the constr...

13 | Quartz: Primitive specification (second revised version) - Courtois, Goubin, et al. - 2001
Citation context: ...(n^3). Tricks to speed this operation up can be found in [ACDG03]. In the case of HFE, the situation is even worse as we need to execute a complete root finding algorithm to invert the central mapping [CGP01]. Its running time is estimated to be in O(n^3 d^2 + n^2 d^3) for d the total degree of the central mapping [Pat96]. In practice, we have d = 129, ..., 257. We can summarize our results for the three m...

13 | All in the XL family: Theory and practice - Yang, Chen
Citation context: ...ures of 128 bit. This special construction is called a Chained Patarin Construction (CPC). We summarize our comparison in Table 2. Preliminary runs to sign with m = 24, n = 36 matches the speed enTTS [YC05] which means it is much faster than SFLASH. Further Speed up. ℓIC is amenable to parallelizing on multiple arithmetic units. ℓICi+ implementations we compare simple runs of ℓICi+ on a 10MHz 8052 sim...

11 | The Oil and Vinegar Signature Scheme, presented at the Dagstuhl Workshop on Cryptography - Patarin - 1997

11 | Generalization of the public-key cryptosystem based on the difficulty of solving a system of non-linear equations - Tsujii, Fujioka, et al. - 1989

11 | Theoretical Analysis of XL over Small Fields - Yang, Chen - 2004

11 | A new efficient algorithm for computing Gröbner bases without reduction to zero (F5) - Faugère - 2002

10 | Solving Underdefined Systems of Multivariate Quadratic Equations - Courtois, Goubin, et al.
Citation context: ...led “branching” as used in the original C*. We have investigated this matter and concluded that the attacks against branching do not apply against ℓIC. A different class from XL are algorithms from [CGMT02] which deal with the case n ≫ m. As we usually have m = n, or n ≈ m for the embedding modification (cf Sec. 4.3), these algorithms are not applicable to our setting. 4 Modified Versions ...

10 | Building Secure Tame-like Multivariate Public-Key Cryptosystems: The New TTS - Yang, Chen
Citation context: ...special construction is called a “Chained Patarin Construction” (CPC). We summarize our comparison in Table 2. Preliminary runs to sign with m = 24, n = 36 matches the speed enTTS [YC05] which means it is much faster than SFLASH. Further Speed up. ℓIC is amenable to parallelizing on multiple arithmetic units. ℓICi+ implementations. We compare simple runs of ℓICi+ on a 10MHz 8052 si...

9 | Cryptanalysis of HFEv and Internal Perturbation of HFE - Ding, Schmidt

9 | Efficient cryptanalysis of RSE(2)PKC and RSSE(2)PKC - Wolf, Braeken, et al.

7 | Complexity Estimates for the F4 Attack on the Perturbed Matsumoto-Imai Cryptosystem - Ding, Gower, et al.

7 | Efficient algorithms for solving overdefined systems of multivariate polynomial equations - Courtois, Klimov, et al.

6 | Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): Two new families of asymmetric algorithms - Patarin - 1996
Citation context: ...r previously known basic trapdoors: Mixed-Field (or “Big Field”): Operates over an extension field E = F^k. MIA: Matsumoto-Imai Scheme A or C* ([IM85], Imai-Matsumoto). HFE: Hidden Field Equations ([Pat96], Patarin), a generalization of MIA. Single-Field (or “True”): Works on the individual components of x′ and y′. UOV: Unbalanced Oil and Vinegar ([Pat97, KPG99], Patarin et al). STS: Stepwise Triang...

6 | A medium-field multivariate public-key encryption scheme - Wang, Yang, et al.
Citation context: ...s in Japanese from ’85 – [TKI+86], Tsujii; in English, [Sha93]). Generalized later to its present form [GC00, WBP04]. Some primitives are composite, e.g., Medium Field Encryption (triangular stages [WYHL06]) or enTTS/TRMS/Rainbow [DS05b, WHL+05, YC05] (UOV stages). Outline. In the next section, we introduce our new trapdoor and discuss its basic properties. In particular, we show that certain instance...

5 | Asymmetric Cryptography: Hidden Field Equations - Wolf, Preneel - 2004
Citation context: ...spaces F^n and F^k, respectively, and can hence be absorbed into the mappings S, T ∈ Aff^{-1}(F^n). For Multivariate Quadratic systems, this idea has been introduced under the name Frobenius sustainers [WP05a]. 2.2 Singularities To use ℓIC as an encryption or as a signature scheme, we need to invert the central map P, i.e., we need to find a solution (A1, ..., Aℓ) ∈ E^ℓ for given input (B1, ..., Bℓ)...

5 | Equivalent keys in HFE, C*, and variations - Wolf, Preneel - 2005
Citation context: ...spaces F^n and F^k, respectively, and can hence be “absorbed” into the mappings S, T ∈ Aff^{-1}(F^n). For Multivariate Quadratic systems, this idea has been introduced under the name Frobenius sustainers [WP05a]. 2.2 Singularities To use ℓIC as an encryption or as a signature scheme, we need to invert the central map P, i.e., we need to find a solution (A1, ..., Aℓ) ∈ E^ℓ for given input (B1, ..., Bℓ) ∈ E^ℓ....

4 | Sflash: Primitive specification (second revised version) - Courtois, Goubin, et al. - 2002
Citation context: ...(n^3). Tricks to speed this operation up can be found in [ACDG03]. In the case of HFE, the situation is even worse as we need to execute a complete root finding algorithm to invert the central mapping [CGP01]. Its running time is estimated to be in O(n^3 d^2 + n^2 d^3) for d the total degree of the central mapping [Pat96]. In practice, we have d = 129, ..., 257. We can summarize our results for the th...

3 | Differential Cryptanalysis for Multivariate Schemes - Fouque, Granboulan, et al. - 2005
Citation context: ...t with an extension of the Patarin relations used to cryptanalyse MIA [Pat95]. This was used by Fouque, Granboulan, and Stern to cryptanalyse the internally perturbed MIA encryption scheme (PMI/MIAi) [FGS05]. As is more customarily employed against symmetric cryptosystems, we examine this multivariate differential: $P(A_1,\dots,A_\ell) - P(A_1-\delta_1,\dots,A_\ell-\delta_\ell) + P(\delta_1,\dots,\delta_\ell) = (A_1^{q^{\lambda_1}}\delta_2 + A_2\dots$ ...

2 | On the affine transformations of HFE-cryptosystems and systems with branches. Cryptology ePrint Archive, Report 2004/367, 2004. http://eprint.iacr.org/2004/367, version from 2004-12-17 - Felke
Citation context: ...heme is ok if we use large enough Q. The plus modifier disrupts the UOV attack so the 2ICi+ that we will investigate later is not susceptible. 3.5 Further Attacks There is a special attack from Felke [Fel04] to defeat the technique called “branching” as used in the original C*. We have investigated this matter and concluded that the attacks against branching do not apply against ℓIC. A different class ...

2 | Tractable rational map signature - Wang, Hu, et al.

2 | Solving underdefined systems of multivariate quadratic equations - Courtois, Goubin, et al. - 2002
Citation context: ... called branching as used in the original C*. We have investigated this matter and concluded that the attacks against branching do not apply against ℓIC. A different class from XL are algorithms from [CGMT02] which deal with the case n ≫ m. As we usually have m = n, or n ≈ m for the embedding modification (cf Sec. 4.3), these algorithms are not applicable to our setting. 4 Modified Versions Due to the effect...

1 | Direct division in factor rings - Fitzpatrick, Wolf - 2002
Citation context: ...mations for higher security levels. 5.4 Implementation and Speed A good overview on implementing finite field operations can be found in [LD00]. Computing direct division in finite fields is given in [FW02]. Counting operations for the inversion formula in Lemma 1 over E = GF(q^k), we see that we need ℓ divisions, (ℓ − 2) multiplications, and one root. Note that the operations do not take place in a big...

1 | The Cryptographer’s Track at RSA Conference 2005, volume 3860 - Pointcheval, editor - 2005

1 | Cryptanalysis of the sflash family of signature schemes. ECrypt Electronic Newsletter - Dubois, Fouque, et al. - 1206

1 | Inoculating multivariate schemes against differential attacks - Ding, Gower - 2006 (also presented at the Asiacrypt 2006 Rump Session)
Citation context: ...HFE as PMI (Perturbated Matsumoto-Imai) and ipHFE respectively [Din04, DS05a]. We can also call them MIAi and HFEi. As PMI/MIAi has been broken in [FGS05], a new variant PMI+/MIAi+ has been proposed [DG06]. Due to space limitations we do not go into details, but we believe PMI+ unaffected by the attack from [FGS05]. Hence, combining the two modifications internal perturbation and plus allows the construc...