Kryptowochenende 2006 - Workshop on Cryptography

The Kryptowochenende (crypto weekend) is an activity of the Fachgruppe Angewandte Kryptologie (special interest group on applied cryptology) of the Gesellschaft für Informatik (GI). Its aim is to give young researchers, established researchers and practitioners in the field of cryptology and computer security the opportunity to make contacts beyond their own university and to exchange ideas with colleagues in the field. The talks cover a broad spectrum, from projects still in progress to completed research that has been, or is about to be, published at conferences. The first Kryptowochenende took place on 1-2 July 2006 at the conference centre of the University of Mannheim in Kloster Bronnbach. The contributions to this workshop are collected in the present proceedings.

    Total Break of the l-IC Signature Scheme

The original publication is available at www.springerlink.com. In this paper, we describe efficient forgery and full-key-recovery attacks on the ℓ-IC signature scheme recently proposed at PKC 2007. This cryptosystem is a multivariate scheme based on a new internal quadratic primitive which avoids some drawbacks of previous multivariate schemes: the scheme is extremely fast, since it requires one exponentiation in a finite field of medium size, and the public key is shorter than in many multivariate signature schemes. Our attacks rely on the recent cryptanalytic tool developed by Dubois et al. against the SFLASH signature scheme. However, the final stage of the attacks requires the use of Gröbner basis techniques to actually forge a signature (resp. to recover the secret key). For the forgery attack, this is due to the fact that Patarin's attack is much more difficult to mount against ℓ-IC. The key-recovery attack is also very efficient, since it is faster to recover equivalent secret keys than to forge.

    A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial-time key-recovery attack. Our key-recovery attack finds an equivalent key using the idea of so-called good keys, which reveal the structure gradually. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial time under some mild algebraic assumptions. We highlight that our theoretical results work in characteristic 2, which is known to be the most difficult case to address in theory for MinRank attacks. Also, we emphasize that our attack works without any restriction on the number of polynomials removed from the public key, that is, using the minus modifier. This was not the case for previous MinRank-like attacks against MQ schemes. From a practical point of view, we are able to break an MQQ-SIG instance of 80 bits security in less than 2 days, and one of the more conservative MQQ-ENC instances of 128 bits security in a little over 9 days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure.

    Equivalent Keys in Multivariate Quadratic Public Key Systems

Multivariate Quadratic public key schemes were suggested back in 1985 by Matsumoto and Imai as an alternative to the RSA scheme. Since then, several other schemes have been proposed, for example Hidden Field Equations, Unbalanced Oil and Vinegar schemes, and Stepwise Triangular Schemes. All these schemes have a rather large key space for a secure choice of parameters. Surprisingly, the question of equivalent keys has not been discussed in the open literature until recently. In this article, we show that for all basic classes mentioned above, it is possible to reduce the private (and hence the public) key space by several orders of magnitude. For the Matsumoto-Imai scheme, we are even able to show that the reductions we found are the only ones possible, i.e., that these reductions are tight. While the theorems developed in this article are of independent interest themselves, as they broaden our understanding of Multivariate Quadratic public key systems, we see applications of our results both in cryptanalysis and in memory-efficient implementations of MQ schemes.

    Public Key Block Cipher Based on Multivariate Quadratic Quasigroups

We have designed a new class of public key algorithms based on quasigroup string transformations using a specific class of quasigroups called multivariate quadratic quasigroups (MQQ). Our public key algorithm is a bijective mapping; it does not perform message expansion and can be used both for encryption and for signatures. The public key consists of n quadratic polynomials in n variables, where n = 140, 160, ... A particular characteristic of our public key algorithm is that it is very fast and highly parallelizable. More concretely, it has the speed of a typical modern symmetric block cipher, which is the reason for the phrase "A Public Key Block Cipher" in the title of this paper. Namely, the reference C code for the 160-bit variant of the algorithm performs decryption in less than 11,000 cycles (on an Intel Core 2 Duo, using only one processor core), and in around 6,000 cycles using two CPU cores and the OpenMP 2.0 library. Implemented on a Xilinx Virtex-5 FPGA running at 249.4 MHz, it achieves a decryption throughput of 399 Mbps, and implemented on four Xilinx Virtex-5 chips running at 276.7 MHz it achieves an encryption throughput of 44.27 Gbps. Compared to the fastest RSA implementations on similar FPGA platforms, the MQQ algorithm is more than 10,000 times faster.

    Reducing keys in Rainbow-like signature schemes

Undergraduate thesis (TCC), Universidade Federal de Santa Catarina, Centro Tecnológico, Computer Science. Classic digital signature algorithms such as RSA and ECDSA base their security upon the difficulty of the integer factorization problem and the discrete logarithm problem, respectively. These problems already have quantum algorithms that solve them in polynomial time; consequently, with sufficiently powerful quantum computers, the use of the most common digital signature algorithms would become impractical. Naturally, with the rise in quantum computational power, the interest in cryptosystems resistant to attacks that make use of such computers has risen as well. The area that studies such cryptosystems is called post-quantum cryptography. In particular, these algorithms are based upon a series of problems that, at this time, continue to be hard even with powerful quantum computers available, and hence attract interest as substitutes for the classical schemes. This work approaches cryptosystems based on systems of multivariate polynomials. They base their security upon problems like polynomial system solving and the isomorphism of polynomials, which are still resistant to quantum computers and hence are candidates for post-quantum cryptography. Such schemes have much larger keys than classical algorithms. In this work a new method that allows the reduction of private keys of the Rainbow digital signature scheme is proposed. Using this method, private keys can be reduced by up to 84%. Moreover, this method can be combined with others to reduce the private key and the public key simultaneously.

    Selecting and Reducing Key Sizes for Multivariate Cryptography

    Cryptographic techniques are essential for the security of communication in modern society. As more and more business processes are performed via the Internet, the need for efficient cryptographic solutions will further increase in the future. Today, nearly all cryptographic schemes used in practice are based on the two problems of factoring large integers and solving discrete logarithms. However, schemes based on these problems will become insecure when large enough quantum computers are built. The reason for this is Shor's algorithm, which solves number theoretic problems such as integer factorization and discrete logarithms in polynomial time on a quantum computer. Therefore one needs alternatives to those classical public key schemes. Besides lattice, code and hash based cryptosystems, multivariate cryptography seems to be a candidate for this. Additional to their (believed) resistance against quantum computer attacks, multivariate schemes are very fast and require only modest computational resources, which makes them attractive for the use on low cost devices such as RFID chips and smart cards. However, there remain some open problems to be solved, such as the unclear parameter choice of multivariate schemes, the large key sizes and the lack of more advanced multivariate schemes like signatures with special properties and key exchange protocols. In this dissertation we address two of these open questions in the area of multivariate cryptography. In the first part we consider the question of the parameter choice of multivariate schemes. We start with the security model of Lenstra and Verheul, which, on the basis of certain assumptions like the development of the computing environment and the budget of an attacker, proposes security levels for now and the near future. 
Based on this model we study the known attacks against multivariate schemes in general and the Rainbow signature scheme in particular, and use this analysis to propose secure parameter sets for these schemes for the years 2012 - 2050. In the second part of this dissertation we present an approach to reduce the public key size of certain multivariate signature schemes such as UOV and Rainbow. We achieve the reduction by inserting a structured matrix into the coefficient matrix of the public key, which enables us to store the public key in an efficient way. We propose several improved versions of UOV and Rainbow which reduce the size of the public key by factors of 8 and 3 respectively. Using the results of the first part, we show that using structured public keys does not weaken the security of the underlying schemes against known attacks. Furthermore, we show how the structure of the public key can be used to speed up the verification process of the schemes; this yields speedups by factors of 6 for UOV and 2 for Rainbow. Finally, we show how to apply our techniques to the QUAD stream cipher. By doing so we can increase the data throughput of QUAD by a factor of 7.

    Equivalent Keys in HFE, C*, and Variations

In this article, we investigate the question of equivalent keys for two Multivariate Quadratic public key schemes, HFE and C*(--), and improve over a previously known result, which appeared at PKC 2005. Moreover, we show a new non-trivial extension of these results to the classes HFE-, HFEv, HFEv-, and C*(--), which are cryptographically stronger variants of the original HFE and C* schemes. In particular, we are able to reduce the size of the private (and hence the public) key space by at least one order of magnitude, and by several orders of magnitude on average. While the results are of independent interest themselves, as they broaden our understanding of Multivariate Quadratic schemes, we also see applications both in cryptanalysis and in memory-efficient implementations.