New Directions in Multivariate Public Key Cryptography

Most public key cryptosystems used in practice are based on integer factorization or discrete logarithms (in finite fields or elliptic curves). However, these systems suffer from two potential drawbacks. First, they must use large keys to maintain security, resulting in decreased efficiency. Second, if large enough quantum computers can be built, Shor\u27s algorithm will render them completely insecure. Multivariate public key cryptosystems (MPKC) are one possible alternative. MPKC makes use of the fact that solving multivariate polynomial systems over a finite field is an NP-complete problem, for which it is not known whether there is a polynomial algorithm on quantum computers. The main goal of this work is to show how to use new mathematical structures, specifically polynomial identities from algebraic geometry, to construct new multivariate public key cryptosystems. We begin with a basic overview of MPKC and present several significant cryptosystems that have been proposed. We also examine in detail some of the most powerful attacks against MPKCs. We propose a new framework for constructing multivariate public key cryptosystems and consider several strategies for constructing polynomial identities that can be utilized by the framework. In particular, we have discovered several new families of polynomial identities. Finally, we propose our new cryptosystem and give parameters for which it is secure against known attacks on MPKCs

Cryptanalysis of multi-HFE

Multi-HFE (Chen et al., 2009) is one of cryptosystems whose public key is a set of multivariate quadratic forms over a finite field. Its quadratic forms are constructed by a set of multivariate quadratic forms over an extension field. Recently, Bettale et al. (2013) have studied the security of HFE and multi-HFE against the min-rank attack and found that multi-HFE is not more secure than HFE of similar size. In the present paper, we propose a new attack on multi-HFE by using a diagonalization approach. As a result, our attack can recover equivalent secret keys of multi-HFE in polynomial time for odd characteristic case. In fact, we experimentally succeeded to recover equivalent secret keys of several examples of multi-HFE in about fifteen seconds on average, which was recovered in about nine days by the min-rank attack

Enhanced STS using Check Equation --Extended Version of the Signature scheme proposed in the PQCrypt2010--

We propose solutions to the problems which has been left in the Enhanced STS, which was proposed in the PQCrypto 2010. Enhanced STS signature scheme is dened as the public key with the Complementary STS structure, in which two STS public keys are symmetrically joined together. Or, the complementary STS is the public key where simply two STS public keys are joined together, without the protection with Check Equation. We discuss the following issues left in the Enhanced STS, which was prosented in the PQCrypt2010: (i) We implied that there may exist a way to cryptanalyze the Complementary STS structure. Although it has been proposed that the system be protected by Check Equations [35][37], in order to cope with an unknown attack, we did not show the concrete procedure. We show the actual procedure to cryptanalyze it and forge a signature. (ii) We assumed that the Check Equation should be changed every time a document is signed. This practice is not always allowed. We improved this matter. The Check Equation which was proposed in the PQCrypto 2010 dened the valid life as a function of the number of times the documents are signed, because the secret key of Check Equation is analyzed by collecting valid signatures. Now we propose a new method of integrating the Check Equation into the secret key and eliminate the risk of the hidden information drawn from the existing signature

Proposal of a Signature Scheme based on STS Trapdoor

A New digital signature scheme based on Stepwise Triangular Scheme (STS) is proposed. The proposed trapdoor has resolved the vulnerability of STS and secure against both Gröbner Bases and Rank Attacks. In addition, as a basic trapdoor, it is more efficient than the existing systems. With the efficient implementation, the Multivariate Public Key Cryptosystems (MPKC) signature public key has the signature longer than the message by less than 25 %, for example

Revision of Tractable Rational Map Cryptosystem

We introduce a new public-key cryptosystem with tractable rational maps. As an application of abstract algebra and algebraic geometry to cryptography, TRMC (Tractable Rational Map Cryptosystem) has many superior properties including high complexity, easy implementation and very fast execution. We describe the principles and implementation of TRMC and analyze its properties. Also, we give a brief account of security analysis

Linearity Measures for MQ Cryptography

We propose a new general framework for the security of multivariate quadratic (\mathcal{MQ}) schemes with respect to attacks that exploit the existence of linear subspaces. We adopt linearity measures that have been used traditionally to estimate the security of symmetric cryptographic primitives, namely the nonlinearity measure for vectorial functions introduced by Nyberg at Eurocrypt \u2792, and the $(s, t)$--linearity measure introduced recently by Boura and Canteaut at FSE\u2713. We redefine some properties of \mathcal{MQ} cryptosystems in terms of these known symmetric cryptography notions, and show that our new framework is a compact generalization of several known attacks in \mathcal{MQ} cryptography against single field schemes. We use the framework to explain various pitfalls regarding the successfulness of these attacks. Finally, we argue that linearity can be used as a solid measure for the susceptibility of \mathcal{MQ} schemes to these attacks, and also as a necessary tool for prudent design practice in \mathcal{MQ} cryptography

NOVA, a Noncommutative-ring Based Unbalanced Oil and Vinegar Signature Scheme with Key-randomness Alignment

In this paper, we propose a noncommutative-ring based unbalanced oil and vinegar signature scheme with key-randomness alignment: NOVA (Noncommutative Oil and Vinegar with Alignment). Instead of fields or even commutative rings, we show that noncommutative rings can be used for algebraic cryptosystems. At the same or better level of security requirement, NOVA has a much smaller public key than UOV (Unbalanced Oil and Vinegar), which makes NOVA practical in most situations. We use Magma to actually implement and give a detailed security analysis against known major attacks

Selecting and Reducing Key Sizes for Multivariate Cryptography

Cryptographic techniques are essential for the security of communication in modern society. As more and more business processes are performed via the Internet, the need for efficient cryptographic solutions will further increase in the future. Today, nearly all cryptographic schemes used in practice are based on the two problems of factoring large integers and solving discrete logarithms. However, schemes based on these problems will become insecure when large enough quantum computers are built. The reason for this is Shor's algorithm, which solves number theoretic problems such as integer factorization and discrete logarithms in polynomial time on a quantum computer. Therefore one needs alternatives to those classical public key schemes. Besides lattice, code and hash based cryptosystems, multivariate cryptography seems to be a candidate for this. Additional to their (believed) resistance against quantum computer attacks, multivariate schemes are very fast and require only modest computational resources, which makes them attractive for the use on low cost devices such as RFID chips and smart cards. However, there remain some open problems to be solved, such as the unclear parameter choice of multivariate schemes, the large key sizes and the lack of more advanced multivariate schemes like signatures with special properties and key exchange protocols. In this dissertation we address two of these open questions in the area of multivariate cryptography. In the first part we consider the question of the parameter choice of multivariate schemes. We start with the security model of Lenstra and Verheul, which, on the basis of certain assumptions like the development of the computing environment and the budget of an attacker, proposes security levels for now and the near future. Based on this model we study the known attacks against multivariate schemes in general and the Rainbow signature scheme in particular and use this analysis to propose secure parameter sets for these schemes for the years 2012 - 2050. In the second part of this dissertation we present an approach to reduce the public key size of certain multivariate signature schemes such as UOV and Rainbow. We achieve the reduction by inserting a structured matrix into the coefficient matrix of the public key, which enables us to store the public key in an efficient way. We propose several improved versions of UOV and Rainbow which reduce the size of the public key by factors of 8 and 3 respectively. Using the results of the first part, we show that using structured public keys does not weaken the security of the underlying schemes against known attacks. Furthermore we show how the structure of the public key can be used to speed up the verification process of the schemes. Hereby we get a speed up of factors of 6 for UOV and 2 for Rainbow. Finally we show how to apply our techniques to the QUAD stream cipher. By doing so we can increase the data throughput of QUAD by a factor of 7

MS FT-2-2 7 Orthogonal polynomials and quadrature: Theory, computation, and applications

Quadrature rules find many applications in science and engineering. Their analysis is a classical area of applied mathematics and continues to attract considerable attention. This seminar brings together speakers with expertise in a large variety of quadrature rules. It is the aim of the seminar to provide an overview of recent developments in the analysis of quadrature rules. The computation of error estimates and novel applications also are described