Cryptanalysis of Two New Instances of TTM Cryptosystem
In 2006, Nie et al. proposed an attack to break an instance of the TTM
cryptosystem. However, the inventor of TTM disputed this attack and
proposed two new instances of TTM to support his viewpoint. At
that time, he did not give the details of the key construction, namely
the construction of the lock polynomials in these instances,
which would be used in decryption. The two instances are claimed to
achieve a security of against the Nie et al. attack. In this
paper, we show that these instances are both still insecure, and in
fact they do not achieve a better design, in the sense that we can
find a ciphertext-only attack utilizing First Order
Linearization Equations, whereas for the previous version of TTM only
Second Order Linearization Equations could be used in the beginning
stage of the previous attack. Different from previous attacks, we
use an iterated linearization method to break these two instances.
For any given valid ciphertext, we can find its corresponding
plaintext within -computations after
performing once, for any public key, a computation of complexity less
than . Our experimental results show that we unlocked the lock
polynomials after several iterations, even though we do not know the
detailed construction of the lock polynomials.
Cryptography from tensor problems
We describe a new proposal for a trap-door one-way function. The new proposal belongs to the "multivariate quadratic" family, but the trap-door is different from existing methods, and is simpler.
New Directions in Multivariate Public Key Cryptography
Most public key cryptosystems used in practice are based on integer factorization or discrete logarithms (in finite fields or elliptic curves). However, these systems suffer from two potential drawbacks. First, they must use large keys to maintain security, resulting in decreased efficiency. Second, if large enough quantum computers can be built, Shor's algorithm will render them completely insecure. Multivariate public key cryptosystems (MPKC) are one possible alternative. MPKC makes use of the fact that solving multivariate polynomial systems over a finite field is an NP-complete problem, for which it is not known whether there is a polynomial-time algorithm on quantum computers. The main goal of this work is to show how to use new mathematical structures, specifically polynomial identities from algebraic geometry, to construct new multivariate public key cryptosystems. We begin with a basic overview of MPKC and present several significant cryptosystems that have been proposed. We also examine in detail some of the most powerful attacks against MPKCs. We propose a new framework for constructing multivariate public key cryptosystems and consider several strategies for constructing polynomial identities that can be utilized by the framework. In particular, we have discovered several new families of polynomial identities. Finally, we propose our new cryptosystem and give parameters for which it is secure against known attacks on MPKCs.
Multivariate Public Key Cryptosystem from Sidon Spaces
A Sidon space is a subspace of an extension field over a base field in which
the product of any two elements can be factored uniquely, up to constants. This
paper proposes a new public-key cryptosystem of the multivariate type which is
based on Sidon spaces, and has the potential to remain secure even if quantum
supremacy is attained. This system, whose security relies on the hardness of
the well-known MinRank problem, is shown to be resilient to several
straightforward algebraic attacks. In particular, it is proved that the two
popular attacks on the MinRank problem, the kernel attack, and the minor
attack, succeed only with exponentially small probability. The system is
implemented in software, and its hardness is demonstrated experimentally.
Comment: Appeared in Public-Key Cryptography - PKC 2021, 24th IACR
International Conference on Practice and Theory of Public Key Cryptography.
Hash-based Multivariate Public Key Cryptosystems
Many efficient attacks have appeared in recent years, which have dealt
a serious blow to traditional multivariate public key
cryptosystems. For example, the signature scheme SFLASH was broken
by Dubois et al. at CRYPTO'07, and the Square signature (or
encryption) scheme by Billet et al. at ASIACRYPT'09. Most
multivariate schemes known so far are insecure, except maybe the
signature schemes UOV and HFEv-. Following these new developments, it
seems that the general design principle of multivariate schemes has
been seriously questioned, and there is a rather pressing desire to
find new trapdoor constructions or mathematical tools and ideas. In
this paper, we introduce hash authentication techniques and
combine them with the traditional MQ-trapdoors to propose a novel
hash-based multivariate public key cryptosystem. The resulting
scheme, called EMC (Extended Multivariate Cryptosystem), can
also be seen as a novel hash-based cryptosystem like the Merkle tree
signature, and it offers double security protection for signing
or encrypting. By our analysis, we can construct not only a secure and
efficient signature scheme but also an encryption scheme by
using the EMC scheme combined with some of the modification methods
summarized by Wolf. We thus present two new schemes: the EMC signature
scheme (with the Minus method "-") and the EMC encryption scheme (with
the Plus method "+"). In addition, we also propose a reduced version of
the EMC signature scheme (a light-weight signature scheme). Precise
complexity estimates for these schemes are provided, but their
security proofs in the random oracle model are still an open
problem.
Solving multivariate polynomial systems and an invariant from commutative algebra
The complexity of computing the solutions of a system of multivariate
polynomial equations by means of Gröbner basis computations is upper bounded
by a function of the solving degree. In this paper, we discuss how to
rigorously estimate the solving degree of a system, focusing on systems arising
within public-key cryptography. In particular, we show that it is upper bounded
by, and often equal to, the Castelnuovo-Mumford regularity of the ideal
generated by the homogenization of the equations of the system, or by the
equations themselves in case they are homogeneous. We discuss the underlying
commutative algebra and clarify under which assumptions the commonly used
results hold. In particular, we discuss the assumption of being in generic
coordinates (often required for bounds obtained following this type of
approach) and prove that systems that contain the field equations or their fake
Weil descent are in generic coordinates. We also compare the notion of solving
degree with that of degree of regularity, which is commonly used in the
literature. We complement the paper with some examples of bounds obtained
following the strategy that we describe.
Public Key Cryptography Using Permutation P-Polynomials over Finite Fields
In this paper we propose an efficient multivariate
public key cryptosystem based on permutation p-polynomials over
finite fields. We first characterize a class of permutation
p-polynomials over finite fields and then construct a
trapdoor function using this class of permutation p-polynomials.
The complexity of encryption in our public key cryptosystem is
multiplication which is equivalent to other
multivariate public key cryptosystems. However, the decryption is
much faster than in other multivariate public key cryptosystems. In
decryption we need left cyclic shifts and
xor operations.
Expanded Gabidulin Codes and Their Application to Cryptography
This paper presents a new family of linear codes, namely the expanded
Gabidulin codes. Exploiting the existing fast decoder of Gabidulin codes, we
propose an efficient algorithm to decode these new codes when the noise vector
satisfies a certain condition. Furthermore, these new codes enjoy an excellent
error-correcting capability because of the optimality of their parent Gabidulin
codes. Based on different masking techniques, we give two encryption schemes by
using expanded Gabidulin codes in the McEliece setting. According to our
analysis, both of these cryptosystems can resist the existing structural
attacks. Compared with some other code-based cryptosystems, our proposals
have an obvious advantage in public-key representation without using a
cyclic or quasi-cyclic structure.
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial-time key-recovery attack. Our key-recovery attack finds an equivalent key using the idea of so-called "good keys" that reveals the structure gradually. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial time under some mild algebraic assumptions. We highlight that our theoretical results work in characteristic , which is known to be the most difficult case to address in theory for MinRank attacks. Also, we emphasize that our attack works without any restriction on the number of polynomials removed from the public key, that is, using the minus modifier. This was not the case for previous MinRank-like attacks against MQ schemes. From a practical point of view, we are able to break an MQQ-SIG instance of bits security in less than days, and one of the more conservative MQQ-ENC instances of bits security in a little over days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure.