4 research outputs found

    Cryptanalysis of Two New Instances of TTM Cryptosystem

    In 2006, Nie et al. proposed an attack to break an instance of the TTM cryptosystem. However, the inventor of TTM disputed this attack and proposed two new instances of TTM to support his viewpoint. At that time, he did not give the details of the key construction, that is, the construction of the lock polynomials in these instances which would be used in decryption. The two instances are claimed to achieve a security of $2^{109}$ against the attack of Nie et al. In this paper, we show that these instances are both still insecure, and in fact they do not achieve a better design, in the sense that we can find a ciphertext-only attack utilizing First Order Linearization Equations, whereas for the previous version of TTM only Second Order Linearization Equations could be used in the beginning stage of the previous attack. Differently from previous attacks, we use an iterated linearization method to break these two instances. For any given valid ciphertext, we can find its corresponding plaintext within $2^{31}$ $\mathbb{F}_{2^8}$-computations, after performing once for any public key a computation of complexity less than $2^{44}$. Our experimental results show that we have unlocked the lock polynomials after several iterations, even though we do not know the detailed construction of the lock polynomials.

    New Directions in Multivariate Public Key Cryptography

    Most public key cryptosystems used in practice are based on integer factorization or discrete logarithms (in finite fields or on elliptic curves). However, these systems suffer from two potential drawbacks. First, they must use large keys to maintain security, resulting in decreased efficiency. Second, if large enough quantum computers can be built, Shor's algorithm will render them completely insecure. Multivariate public key cryptosystems (MPKC) are one possible alternative. MPKC makes use of the fact that solving multivariate polynomial systems over a finite field is an NP-complete problem, for which it is not known whether a polynomial-time algorithm exists on quantum computers. The main goal of this work is to show how to use new mathematical structures, specifically polynomial identities from algebraic geometry, to construct new multivariate public key cryptosystems. We begin with a basic overview of MPKC and present several significant cryptosystems that have been proposed. We also examine in detail some of the most powerful attacks against MPKCs. We propose a new framework for constructing multivariate public key cryptosystems and consider several strategies for constructing polynomial identities that can be utilized by the framework. In particular, we have discovered several new families of polynomial identities. Finally, we propose our new cryptosystem and give parameters for which it is secure against known attacks on MPKCs.
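    The two abstracts above mention, without detail, the $S \circ F \circ T$ structure of a multivariate public key and the First Order Linearization Equations used in the ciphertext-only attack on the new TTM instances. The following is an added illustration written for this page; it is not code from either paper and it is not TTM itself. It builds a toy multivariate scheme over $\mathbb{F}_{31}$ whose central map contains one deliberately affine "lock" polynomial (a constructed weakness, chosen so that a linearization equation exists), and then, using only the public key, collects plaintext/ciphertext pairs and solves for every relation $\sum_i a_i x_i + \sum_j b_j y_j + c = 0$ that holds on all of them. The field size, the dimensions `N`, `M`, the constant `K_AFFINE`, the seeds, and all function names (`keygen`, `encrypt`, `linearization_equations`, `plaintext_constraint`) are assumptions of this example; no decryption trapdoor is implemented because the attack does not need one.

```python
import random

P = 31           # assumption: small prime field GF(31), chosen for readability
N, M = 6, 6      # plaintext variables / public polynomials (toy sizes)
K_AFFINE = 1     # constructed weakness: number of affine central polynomials

def inv(a):
    return pow(a, P - 2, P)

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % P
             for j in range(len(B[0]))] for i in range(len(A))]

def nullspace(A):
    """Basis of {v : A v = 0} over GF(P), by reduced row echelon form."""
    A, pivots, r = [row[:] for row in A], [], 0
    for c in range(len(A[0])):
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        s = inv(A[r][c])
        A[r] = [v * s % P for v in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(vi - f * vr) % P for vi, vr in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in [c for c in range(len(A[0])) if c not in pivots]:
        v = [0] * len(A[0])
        v[fc] = 1
        for i, pc in enumerate(pivots):
            v[pc] = -A[i][fc] % P
        basis.append(v)
    return basis

def rand_affine(n, rng):
    # random invertible affine map z -> A z + b on GF(P)^n
    while True:
        A = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        if not nullspace(A):
            return A, [rng.randrange(P) for _ in range(n)]

def evaluate(poly, x):
    """poly = (Q, L, c) encodes the quadratic x^T Q x + L.x + c."""
    Q, L, c = poly
    return (sum(x[i] * Q[i][j] * x[j] for i in range(len(x)) for j in range(len(x)))
            + sum(l * xi for l, xi in zip(L, x)) + c) % P

def compose_inner(poly, A, b):
    """Same polynomial after substituting x = A z + b, again as (Q, L, c)."""
    Q, L, c = poly
    n = len(b)
    Q2 = matmul(matmul([list(col) for col in zip(*A)], Q), A)      # A^T Q A
    bQ = [[sum(b[i] * (Q[i][j] + Q[j][i]) for i in range(n)) % P for j in range(n)]]
    L2 = [(u + v) % P for u, v in zip(matmul(bQ, A)[0], matmul([L], A)[0])]
    return Q2, L2, evaluate(poly, b)

def keygen(seed=1):
    """Public key S o F o T; the first K_AFFINE central polynomials are affine."""
    rng = random.Random(seed)
    central = []
    for k in range(M):
        Q = [[0 if k < K_AFFINE else rng.randrange(P) for _ in range(N)] for _ in range(N)]
        central.append((Q, [rng.randrange(P) for _ in range(N)], rng.randrange(P)))
    A, b = rand_affine(N, rng)                  # T: hides the plaintext variables
    S, d = rand_affine(M, rng)                  # S: mixes the central polynomials
    inner = [compose_inner(f, A, b) for f in central]
    public = []
    for j in range(M):                          # y_j = sum_k S[j][k] F_k(T x) + d_j
        Q = [[sum(S[j][k] * inner[k][0][r][s] for k in range(M)) % P
              for s in range(N)] for r in range(N)]
        L = [sum(S[j][k] * inner[k][1][r] for k in range(M)) % P for r in range(N)]
        public.append((Q, L, (sum(S[j][k] * inner[k][2] for k in range(M)) + d[j]) % P))
    return public

def encrypt(public, x):
    return [evaluate(poly, x) for poly in public]

def linearization_equations(public, samples=60, seed=2):
    """Every (a, b, c) with sum a_i x_i + sum b_j y_j + c = 0 on all pairs (x, P(x)).
    Needs only the public key: the attacker encrypts random plaintexts itself."""
    rng = random.Random(seed)
    rows = []
    for _ in range(samples):
        x = [rng.randrange(P) for _ in range(N)]
        rows.append(x + encrypt(public, x) + [1])
    return nullspace(rows)

def plaintext_constraint(eq, y):
    """Substitute a target ciphertext y: returns (a, rhs) with a.x = rhs mod P."""
    a, b, c = eq[:N], eq[N:N + M], eq[N + M]
    return a, -(sum(bj * yj for bj, yj in zip(b, y)) + c) % P

if __name__ == "__main__":
    pk = keygen()
    eqs = linearization_equations(pk)
    print("first-order linearization equations found:", len(eqs))
```

    With these parameters the search returns exactly one equation, matching the single affine central polynomial that survives the mixing by $S$ and $T$; a central map with no affine component yields none, which is why a sound design must not leak such relations. Each equation turns a target ciphertext into one linear constraint on the unknown plaintext (`plaintext_constraint`). The iterated method described in the TTM paper substitutes such constraints back into the public key and searches again for new relations; this example stops after the first round.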

    Performance Analysis of Rainbow on ARM Cortex-M4

    The risk posed by a fully operational quantum computer has anticipated a revolution in the way to approach the level of security provided by a cryptographic algorithm. Public-key-based solutions such as RSA or ECC will be easily broken once we enter the post-quantum era. Multivariate quadratic cryptosystems are a promising candidate for the need for quantum-resistant digital signature schemes. In order to estimate whether this approach will someday be able to replace current standards, it is necessary to determine how efficiently they can operate on diverse platforms and at which level of security they can do so. These aspects are particularly relevant for reduced-size devices with restricted energy, memory or computational power. In this work, a theoretical description of the so-called Rainbow multivariate signature algorithm is given, which is later implemented in a memory-constrained environment. An optimization approach is proposed in order to improve the efficiency of the scheme, in terms of message signature and verification speed. A performance comparison is also presented between various state-of-the-art post-quantum signature cryptosystems and the optimized instances of Rainbow, in order to study its characteristics from a wider perspective.

    Building Instances of TTM Immune to the Goubin-Courtois Attack and the Ding-Schmidt Attack

    We think that there are two main attacks on the TTM cryptosystem: the Goubin-Courtois attack ([6]) and the Ding-Schmidt attack ([5]). The paper of Goubin-Courtois is not clearly written. Their arguments (with many gaps) depend on a parameter $r$ which is never defined. It is natural to take their parameter $r$ to be the index $s$ used in our lock polynomials (see section 1). Later on Courtois implies otherwise on his website. In their paper ([6]) or on his website, Courtois simply declares that TTM is of rank 2 (i.e., $r=2$) without any justification. In this paper, we will illustrate another example (cf. the Example below) that satisfies both requirements, i.e., the index $s$ used in our lock polynomials (see section 1) is 7, and the number of variables in all quartic forms is 4, which shows that the unsubstantiated claim of Goubin-Courtois that TTM is of rank 2 is invalid. Thus we settle this question of the Goubin-Courtois attack once and for all. To guard against the high-rank attack, in this Example every variable appears 9 times in 9 different polynomials. On the other hand, J. Ding and D. Schmidt show ([5]) how to construct an interesting attack on some implementations of TTM ([10,11]) based on Patarin's idea ([14]) of bilinear relations created by the structure in the kernel equations in an implementation of TTM. The success of this attack is accidental. In our Example, the attack fails. We will describe a {\it mixed implementation} which will make any attack that is sensitive to the size of the ground field ineffective. In this paper, the Example is strong (i.e., $\geq 2^{148}$) against both the Goubin-Courtois attack and the Ding-Schmidt attack, as well as other previously proposed incomplete attacks like XL ($> 2^{97}$) and FXL ($> 2^{112}$).