Choosing parameters for one IND- CCA2 secure McEliece modification in the standard model

The paper is devoted to choosing parameters for one IND-CCA2-secure McEliece modification in the standard model. In particular, the underlying code, plaintext length and one-time strong signature scheme are suggested. The choice of parameters for the scheme was based on efficiency, on the one hand, and security, on the other. Also, experiments for the suggested parameters are provided using the NIST statistical test suite. The paper is devoted to choosing parameters for one IND-CCA2-secure McEliece modification in the standard model. In particular, the underlying code, plaintext length and one-time strong signature scheme are suggested. The choice of parameters for the scheme was based on efficiency, on the one hand, and security, on the other. Also, experiments for the suggested parameters are provided using the NIST statistical test suite

A Variant of the XL Algorithm Using the Arithmetic over Polynomial Matrices (Computer Algebra : Foundations and Applications)

The title of this paper has been changed from the title of talk “Polynomial XL: A Variant of the XL Algorithm Using Macaulay Matrices over Polynomial Rings” at “Computer Algebra -Foundations and Applications”.Solving a system of multivariate polynomials is a classical but very important problem in many areas of mathematics and its applications, and in particular quadratic systems over finite fields play a major role in the multivariate public key cryptography. The XL algorithm is known to be one of the main approaches for solving a multivariate system, as well as Groebner basis approaches, and so far many variants of XL have been proposed. In this talk, we present a new variant of XL, which we name “Polynomial XL”, by using Macaulay matrices over polynomial rings

Solving Polynomial Systems over Finite Fields: Improved Analysis of the Hybrid Approach

International audienceThe Polynomial System Solving (PoSSo) problem is a fundamental NP-Hard problem in computer algebra. Among others, PoSSo have applications in area such as coding theory and cryptology. Typically, the security of multivariate public-key schemes (MPKC) such as the UOV cryptosystem of Kipnis, Shamir and Patarin is directly related to the hardness of PoSSo over finite fields. The goal of this paper is to further understand the influence of finite fields on the hardness of PoSSo. To this end, we consider the so-called hybrid approach. This is a polynomial system solving method dedicated to finite fields proposed by Bettale, Faugère and Perret (Journal of Mathematical Cryptography, 2009). The idea is to combine exhaustive search with Gröbner bases. The efficiency of the hybrid approach is related to the choice of a trade-off between the two meth- ods. We propose here an improved complexity analysis dedicated to quadratic systems. Whilst the principle of the hybrid approach is simple, its careful analysis leads to rather surprising and somehow unexpected results. We prove that the optimal trade-off (i.e. num- ber of variables to be fixed) allowing to minimize the complexity is achieved by fixing a number of variables proportional to the number of variables of the system considered, denoted n. Under some nat- ural algebraic assumption, we show that the asymptotic complexity of the hybrid approach is 2^{n(3.31−3.62 log_2(q))} , where q is the size of the field (under the condition in particular that log(q) 2). We have been able to quantify the gain provided by the hybrid approach compared to a direct Gröbner basis method. For quadratic systems, we show (assuming a natural algebraic as- sumption) that this gain is exponential in the number of variables. Asymptotically, the gain is 2^{1.49 n} when both n and q grow to infinity and log(q) << n

Порождение дополнительных ограничений в задачах алгебраического криптоанализа при помощи SAT-оракулов

Описывается новая техника, предназначенная для дополнения исходной системы ограничений в задаче алгебраического криптоанализа новыми ограничениями. Порождаемые ограничения могут иметь форму линейных уравнений над полем из двух элементов в случае, если задача криптоанализа сведена к квадратичной системе над GF(2). Если же рассматриваемая задача сведена к SAT, то порождаемые ограничения имеют вид эквивалентностей или единичных резольвент. Для обеих ситуаций мы показываем, что порождаемые ограничения могут снижать оценки трудоёмкости криптоанализа. We describe a new technique aimed to generate new constraints which augment with the original set of constraints for a problem of algebraic cryptanalysis. In case the original problem is reduced to a system of Multivariate Quadratic equations over GF(2), the generated constraints can be in the form of linear equations over two-element field. If the considered problem is reduced to SAT, then new constraints are in the form of logic equivalences, anti-equivalences or unit resolvents. In both cases we demonstrate that new constraints generated by the proposed technique can decrease the complexity estimation of attacks on considered functions

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

International audienceWe investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial time key-recovery attack. Our key-recovery attack finds an equivalent key using the idea of so-called {\it good keys} that reveals the structure gradually. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial-time assuming some mild algebraic assumptions. We highlight that our theoretical results work in characteristic $2$ which is known to be the most difficult case to address in theory for MinRank attacks. Also, we emphasize that our attack works without any restriction on the number of polynomials removed from the public-key, that is, using the minus modifier. This was not the case for previous MinRank like-attacks against \MQ\ schemes. From a practical point of view, we are able to break an MQQ-SIG instance of $80$ bits security in less than $2$ days, and one of the more conservative MQQ-ENC instances of $128$ bits security in little bit over $9$ days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure

Building Secure Public Key Encryption Scheme from Hidden Field Equations

Multivariate public key cryptography is a set of cryptographic schemes built from the NP-hardness of solving quadratic equations over finite fields, amongst which the hidden field equations (HFE) family of schemes remain the most famous. However, the original HFE scheme was insecure, and the follow-up modifications were shown to be still vulnerable to attacks. In this paper, we propose a new variant of the HFE scheme by considering the special equation x2=x defined over the finite field F3 when x=0,1. We observe that the equation can be used to further destroy the special structure of the underlying central map of the HFE scheme. It is shown that the proposed public key encryption scheme is secure against known attacks including the MinRank attack, the algebraic attacks, and the linearization equations attacks. The proposal gains some advantages over the original HFE scheme with respect to the encryption speed and public key size

Cryptanalysis of multi-HFE

Multi-HFE (Chen et al., 2009) is one of cryptosystems whose public key is a set of multivariate quadratic forms over a finite field. Its quadratic forms are constructed by a set of multivariate quadratic forms over an extension field. Recently, Bettale et al. (2013) have studied the security of HFE and multi-HFE against the min-rank attack and found that multi-HFE is not more secure than HFE of similar size. In the present paper, we propose a new attack on multi-HFE by using a diagonalization approach. As a result, our attack can recover equivalent secret keys of multi-HFE in polynomial time for odd characteristic case. In fact, we experimentally succeeded to recover equivalent secret keys of several examples of multi-HFE in about fifteen seconds on average, which was recovered in about nine days by the min-rank attack

Cryptanalysis of SFlash v3

Sflash is a fast multivariate signature scheme. Though the first version Sflash-v1 was flawed, a second version, Sflash-v2 was selected by the Nessie Consortium and was recommended for implementation of low-end smart cards. Very recently, due to the security concern, the designer of Sflash recommended that Sflash-v2 should not be used, instead a new version Sflash-v3 is proposed, which essentially only increases the length of the signature. The Sflash family of signature schemes is a variant of the Matsumoto and Imai public key cryptosystem. The modification is through the Minus method, namely given a set of polynomial equations, one takes out a few of them to make them much more difficult to solve. In this paper, we attack the Sflash-v3 scheme by combining an idea from the relinearization method by Kipnis and Shamir, which was used to attack the Hidden Field Equation schemes, and the linearization method by Patarin. We show that the attack complexity is less than 2^80, the security standard required by the Nessie Consortium