33 research outputs found

    Cryptanalysis of multi-HFE

    Multi-HFE (Chen et al., 2009) is one of the cryptosystems whose public key is a set of multivariate quadratic forms over a finite field. Its quadratic forms are constructed from a set of multivariate quadratic forms over an extension field. Recently, Bettale et al. (2013) studied the security of HFE and multi-HFE against the MinRank attack and found that multi-HFE is not more secure than HFE of similar size. In the present paper, we propose a new attack on multi-HFE using a diagonalization approach. As a result, our attack can recover equivalent secret keys of multi-HFE in polynomial time for the odd-characteristic case. In fact, we experimentally succeeded in recovering equivalent secret keys for several examples of multi-HFE in about fifteen seconds on average, where the MinRank attack took about nine days.

    Cryptanalysis of the multivariate encryption scheme EFLASH

    Post-quantum cryptography studies cryptographic algorithms that quantum computers cannot break. Recent advances in quantum computing have made this kind of cryptography necessary, and research in the field has surged over the last years as a result. One of the main families of post-quantum cryptographic schemes is based on finding solutions of a polynomial system over finite fields. This family, known as multivariate cryptography, includes both public key encryption and signature schemes. The majority of the research contribution of this thesis is devoted to understanding the security of multivariate cryptography. We mainly focus on big-field schemes, i.e., constructions that utilize the structure of a large extension field. One essential contribution is an increased understanding of how Gröbner basis algorithms can exploit this structure. The increased knowledge furthermore allows us to design new attacks in this setting. In particular, the methods are applied to two encryption schemes suggested in the literature: EFLASH and Dob. We show that the recommended parameters for these schemes will not achieve the proposed 80-bit security. Moreover, it seems unlikely that there can be secure and efficient variants based on these ideas. Another contribution is the study of the effectiveness and limitations of a recently proposed rank attack. Finally, we analyze some of the algebraic properties of MiMC, a block cipher designed to minimize its multiplicative complexity. (Doctoral thesis.)

    Two-Face: New Public Key Multivariate Schemes

    We present here new multivariate schemes that can be seen as generalizations of HFE having a property called 'Two-Face'. In particular, we present five such families of algorithms named 'Dob', 'Simple Pat', 'General Pat', 'Mac', and 'Super Two-Face'. These families are connected to each other: some are refinements or generalizations of others. Notably, some of these schemes can be used for public key encryption, and some for public key signatures. We also introduce new multivariate quadratic permutations that may be of interest beyond cryptography.

    Building Secure Public Key Encryption Scheme from Hidden Field Equations

    Multivariate public key cryptography is a set of cryptographic schemes built on the NP-hardness of solving quadratic equations over finite fields, amongst which the hidden field equations (HFE) family of schemes remains the most famous. However, the original HFE scheme was insecure, and the follow-up modifications were shown to be still vulnerable to attacks. In this paper, we propose a new variant of the HFE scheme by considering the special equation x^2 = x over the finite field F_3, which holds for x = 0, 1. We observe that the equation can be used to further destroy the special structure of the underlying central map of the HFE scheme. It is shown that the proposed public key encryption scheme is secure against known attacks including the MinRank attack, the algebraic attacks, and the linearization-equation attacks. The proposal gains some advantages over the original HFE scheme with respect to encryption speed and public key size.

    Extracting Linearization Equations from Noisy Sources

    This note was originally written under the name "On the Security of HMFEv" and was submitted to PQCrypto 2018. The author was informed by the referees of his oversight of an ePrint work of the same name by Hashimoto (ePrint report 2017/689) that completely breaks HMFEv, rendering the result on HMFEv obsolete. Still, the author feels that the technique used here is interesting and that, at least in principle, this method could contribute to future cryptanalysis. Thus, with a change of title indicating the direction in which this work is leading, we present the original work with all of its oversights intact and with minimal correction (only references fixed). At PQCrypto 2017, a new multivariate digital signature scheme based on Multi-HFE and utilizing the vinegar modifier was proposed. The vinegar modifier increases the Q-rank of the central map, preventing a direct application of the MinRank attack that defeated Multi-HFE. The authors were, therefore, confident enough to choose aggressive parameters for the Multi-HFE component of the central map (with vinegar variables fixed). Their analysis indicated that the security of the scheme depends on the sum of the number k of variables over the extension field and the number v of vinegar variables, with the individual values being unimportant as long as they are not "too small." We analyze the consequences of this choice of parameters and derive some new attacks showing that the parameter v must be chosen with care.

    New candidates for multivariate trapdoor functions

    We present a new method for building pairs of HFE polynomials of high degree, such that the map constructed with such a pair is easy to invert. The inversion is accomplished using a low-degree polynomial of Hamming weight three, which is derived from a special reduction via Hamming weight three polynomials produced by these two HFE polynomials. This allows us to build new candidates for multivariate trapdoor functions in which we use the pair of HFE polynomials to fabricate the core map. We performed the security analysis for the case where the base field is GF(2) and showed that these new trapdoor functions have high degrees of regularity, and therefore they are secure against the direct algebraic attack. We also give theoretical arguments to show that these new trapdoor functions over GF(2) are secure against the MinRank attack as well.

    Nuevas candidatas para funciones trampa multivariadas (New candidates for multivariate trapdoor functions)

    We present a new reduction method for building pairs of HFE polynomials of high degree, such that the map constructed with one of these pairs is easy to invert. The inversion is accomplished using a low-degree polynomial of Hamming weight three, which is derived from a special reduction via Hamming weight three polynomials produced by these two HFE polynomials. This allows us to build new candidates for multivariate trapdoor functions in which we use the pair of HFE polynomials to fabricate the core map. We performed the security analysis for the case where the base field is GF(2) and showed that these new trapdoor functions have high degrees of regularity, and therefore they are secure against the direct algebraic attack. We also give theoretical arguments to show that these new trapdoor functions over GF(2) are secure against the MinRank attack as well.

    Small Odd Prime Field Multivariate PKCs

    We show that Multivariate Public Key Cryptosystems (MPKCs) over fields of small odd prime characteristic, say 31, can be highly efficient. Indeed, at the same design security of 2^80 under the best known attacks, odd-characteristic MPKCs are generally faster than prior MPKCs over GF(2^k), which are in turn faster than "traditional" alternatives. This seemingly counter-intuitive feat is accomplished by exploiting the comparative over-abundance of small-integer arithmetic resources in commodity hardware, here embodied by SSE2 or more advanced special multimedia instructions on modern x86-compatible CPUs. We explain our implementation techniques and design choices in implementing our chosen MPKC instances modulo a small odd prime. The same techniques are also applicable to modern FPGAs, which often contain a large number of multipliers.
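    The implementation idea in the abstract above, evaluating an MQ public map modulo a small odd prime with cheap small-integer arithmetic, as an added C illustration. This is not code from the paper: it is scalar rather than SSE2-packed, and it shows only the two ingredients the packed version relies on, namely deferring reduction while products of residues in [0,30] accumulate in a wide register, and reducing modulo 31 with shifts and adds (since 32 = 1 mod 31). The public key is constructed filler from a fixed seed, not a real MPKC key; the sizes N_VARS and N_POLYS are toy values chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy sizes for the demonstration; real parameter sets use far more
 * variables and equations. */
#define N_VARS  8
#define N_POLYS 8
#define TERMS_PER_POLY (N_VARS * (N_VARS + 1) / 2 + N_VARS + 1)
#define KEY_LEN (N_POLYS * TERMS_PER_POLY)

/* Reduce a 32-bit accumulator modulo 31 using only shifts and adds.
 * Because 32 == 1 (mod 31), x = 32*q + r is congruent to q + r; every
 * pass shrinks x to about x/32 + 31, so any 32-bit value drops below 64
 * in a few passes, after which one more pass leaves x in [0, 32]. */
static uint8_t gf31_reduce(uint32_t x)
{
    while (x >= 64)
        x = (x >> 5) + (x & 31);
    x = (x >> 5) + (x & 31);      /* x is now in [0, 32] */
    if (x >= 31)
        x -= 31;
    return (uint8_t)x;
}

/* Constructed toy public key: coefficient bytes in [0,30] drawn from a
 * fixed LCG seed. This is filler so the example runs offline, not MPKC key
 * generation; a real scheme derives the public coefficients from a hidden
 * central map composed with secret affine maps. */
static void toy_public_key(uint8_t key[KEY_LEN], uint32_t seed)
{
    uint32_t s = seed;
    for (size_t t = 0; t < KEY_LEN; t++) {
        s = s * 1103515245u + 12345u;
        key[t] = (uint8_t)((s >> 16) % 31);
    }
}

/* Evaluate y = P(x) over GF(31) with a single reduction per polynomial.
 * Coefficient layout per polynomial: x_i*x_j terms for i <= j, then the
 * N_VARS linear terms, then the constant. With inputs in [0,30] every
 * product c*x_i*x_j is at most 30^3 = 27000, so several thousand terms
 * fit in a 32-bit accumulator; this headroom is what lets packed SSE2
 * code multiply many lanes before reducing. */
static void mq_eval_lazy(const uint8_t *key, const uint8_t x[N_VARS], uint8_t y[N_POLYS])
{
    for (int k = 0; k < N_POLYS; k++) {
        const uint8_t *c = key + (size_t)k * TERMS_PER_POLY;
        uint32_t acc = 0;
        size_t t = 0;
        for (int i = 0; i < N_VARS; i++)
            for (int j = i; j < N_VARS; j++)
                acc += (uint32_t)c[t++] * x[i] * x[j];
        for (int i = 0; i < N_VARS; i++)
            acc += (uint32_t)c[t++] * x[i];
        acc += c[t];
        y[k] = gf31_reduce(acc);
    }
}

/* Reference evaluation that reduces after every term with the % operator. */
static void mq_eval_ref(const uint8_t *key, const uint8_t x[N_VARS], uint8_t y[N_POLYS])
{
    for (int k = 0; k < N_POLYS; k++) {
        const uint8_t *c = key + (size_t)k * TERMS_PER_POLY;
        uint32_t acc = 0;
        size_t t = 0;
        for (int i = 0; i < N_VARS; i++)
            for (int j = i; j < N_VARS; j++)
                acc = (acc + (uint32_t)c[t++] * x[i] * x[j]) % 31;
        for (int i = 0; i < N_VARS; i++)
            acc = (acc + (uint32_t)c[t++] * x[i]) % 31;
        acc = (acc + c[t]) % 31;
        y[k] = (uint8_t)acc;
    }
}

/* Self-check: lazy and per-term reduction must agree on pseudo-random
 * inputs. Returns 1 on success, 0 on the first mismatch. */
static int selftest(void)
{
    uint8_t key[KEY_LEN];
    toy_public_key(key, 0xC0FFEEu);
    uint32_t s = 7;
    for (int trial = 0; trial < 200; trial++) {
        uint8_t x[N_VARS], y_lazy[N_POLYS], y_ref[N_POLYS];
        for (int i = 0; i < N_VARS; i++) {
            s = s * 1103515245u + 12345u;
            x[i] = (uint8_t)((s >> 16) % 31);
        }
        mq_eval_lazy(key, x, y_lazy);
        mq_eval_ref(key, x, y_ref);
        for (int k = 0; k < N_POLYS; k++)
            if (y_lazy[k] != y_ref[k])
                return 0;
    }
    return 1;
}

int main(void)
{
    int ok = selftest();
    printf("GF(31) MQ evaluation, lazy vs per-term reduction: %s\n", ok ? "ok" : "MISMATCH");
    return ok ? 0 : 1;
}
```

    The accumulator bound is the whole point: for n variables there are n(n+1)/2 + n + 1 terms, each at most 27000, so the per-polynomial sum stays below 2^32 for every n up to 255, and a vectorized version can do the same bookkeeping in 16-bit lanes by reducing every few dozen products instead of after each one.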