Cryptography from tensor problems
We describe a new proposal for a trap-door one-way function. The new proposal belongs to the "multivariate quadratic" family but the trap-door is different from existing methods, and is simpler
Cryptanalysis of the multivariate encryption scheme EFLASH
Post-Quantum Cryptography studies cryptographic algorithms that quantum computers cannot break. Recent advances in quantum computing have made this kind of cryptography necessary, and research in the field has surged over the last years as a result. One of the main families of post-quantum cryptographic schemes is based on finding solutions of a polynomial system over finite fields. This family, known as multivariate cryptography, includes both public key encryption and signature schemes.
The majority of the research contribution of this thesis is devoted to understanding the security of multivariate cryptography. We mainly focus on big field schemes, i.e., constructions that utilize the structure of a large extension field. One essential contribution is an increased understanding of how Gröbner basis algorithms can exploit this structure. The increased knowledge furthermore allows us to design new attacks in this setting. In particular, the methods are applied to two encryption schemes suggested in the literature: EFLASH and Dob. We show that the recommended parameters for these schemes will not achieve the proposed 80-bit security. Moreover, it seems unlikely that there can be secure and efficient variants based on these ideas. Another contribution is the study of the effectiveness and limitations of a recently proposed rank attack. Finally, we analyze some of the algebraic properties of MiMC, a block cipher designed to minimize its multiplicative complexity.
Doctoral thesis
MI-T-HFE, a New Multivariate Signature Scheme
In this paper, we propose a new multivariate signature scheme named MI-T-HFE as a competitor of QUARTZ. The core map of MI-T-HFE is of an HFEv type but more importantly has a specially designed trapdoor. This special trapdoor makes MI-T-HFE have several attractive advantages over QUARTZ. First of all, the core map and the public map of MI-T-HFE are both surjective. This surjectivity property is important for signature schemes because any message should always have valid signatures; otherwise it may be troublesome to exclude those messages without valid signatures. However this property is missing for a few major signature schemes, including QUARTZ. A practical parameter set is proposed for MI-T-HFE with the same length of message and same level of security as QUARTZ, but it has smaller public key size, and is more efficient than (the underlying HFEv- of) QUARTZ with the only cost that its signature length is twice that of QUARTZ
Hash-based Multivariate Public Key Cryptosystems
Many efficient attacks have appeared in recent years, which have dealt a serious blow to the traditional multivariate public key cryptosystems. For example, the signature scheme SFLASH was broken by Dubois et al. at CRYPTO'07, and the Square signature (or encryption) scheme by Billet et al. at ASIACRYPT'09. Most multivariate schemes known so far are insecure, except maybe the signature schemes UOV and HFEv-. Following these new developments, it seems that the general design principle of multivariate schemes has been seriously questioned, and there is a rather pressing desire to find new trapdoor constructions or mathematical tools and ideas. In this paper, we introduce hash authentication techniques and combine them with the traditional MQ-trapdoors to propose a novel hash-based multivariate public key cryptosystem. The resulting scheme, called EMC (Extended Multivariate Cryptosystem), can also be seen as a novel hash-based cryptosystem like the Merkle tree signature, and it offers double security protection for signing or encrypting. By our analysis, we can construct not only a secure and efficient signature scheme but also an encryption scheme by using the EMC scheme combined with some modification methods summarized by Wolf. We thus present two new schemes: the EMC signature scheme (with the Minus method "-") and the EMC encryption scheme (with the Plus method "+"). In addition, we also propose a reduced scheme of the EMC signature scheme (a light-weight signature scheme). Precise complexity estimates for these schemes are provided, but their security proofs in the random oracle model are still an open problem.
TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor
In this paper, we design a novel one-way trapdoor function, and then propose a new multivariate public key cryptosystem called TOT, which can be used for encryption, signature and authentication. Through analysis, we declare that TOT is secure, because it can resist currently known algebraic attacks if its parameters are properly chosen. Some practical implementations for TOT are also given, whose security level is at least . The comparison shows that TOT is more secure than , and (when and , is still secure), and it can reach almost the same speed of computing the secret map as and (even though was broken, its high speed has been affirmed).
Proposal of a Signature Scheme based on STS Trapdoor
A new digital signature scheme based on the Stepwise Triangular Scheme (STS) is proposed. The proposed trapdoor has resolved the vulnerability of STS and is secure against both Gröbner basis and rank attacks. In addition, as a basic trapdoor, it is more efficient than the existing systems. With an efficient implementation, the Multivariate Public Key Cryptosystems (MPKC) signature public key yields a signature that is longer than the message by less than 25 %, for example.
Cryptanalysis of SFlash v3
Sflash is a fast multivariate signature scheme. Though the first version, Sflash-v1, was flawed, a second version, Sflash-v2, was selected by the Nessie Consortium and was recommended for implementation on low-end smart cards. Very recently, due to security concerns, the designer of Sflash recommended that Sflash-v2 should not be used; instead a new version, Sflash-v3, is proposed, which essentially only increases the length of the signature.
The Sflash family of signature schemes is a variant of the Matsumoto and Imai public key cryptosystem. The modification is through the Minus method, namely given a set of polynomial equations, one takes out a few of them to make them much more difficult to solve.
In this paper, we attack the Sflash-v3 scheme by combining an idea from the relinearization method of Kipnis and Shamir, which was used to attack the Hidden Field Equation schemes, with the linearization method of Patarin. We show that the attack complexity is less than 2^80, the security standard required by the Nessie Consortium.
Enhanced STS using Check Equation --Extended Version of the Signature scheme proposed in the PQCrypt2010--
We propose solutions to the problems which have been left open in the Enhanced STS, which was proposed at PQCrypto 2010.
The Enhanced STS signature scheme is defined as the public key with the Complementary STS structure, in which two STS public keys are symmetrically joined together. Alternatively, the Complementary STS is the public key where simply two STS public keys are joined together, without the protection of the Check Equation.
We discuss the following issues left open in the Enhanced STS, which was presented at PQCrypto 2010:
(i) We implied that there may exist a way to cryptanalyze the Complementary STS structure. Although it has been proposed that the system be protected by Check Equations [35][37], in order to cope with an unknown attack, we did not show the concrete procedure. We show the actual procedure to cryptanalyze it and forge a signature.
(ii) We assumed that the Check Equation should be changed every time a document is signed. This practice is not always allowed. We improved this matter. The Check Equation which was proposed at PQCrypto 2010 defined its valid life as a function of the number of times documents are signed, because the secret key of the Check Equation can be analyzed by collecting valid signatures.
Now we propose a new method of integrating the Check Equation into the secret key and eliminating the risk of hidden information being drawn from existing signatures.