Cryptography from tensor problems
We describe a new proposal for a trap-door one-way function. The new proposal belongs to the "multivariate quadratic" family but the trap-door is different from existing methods, and is simpler
Degree of regularity for HFE-
In this paper, we prove a closed formula for the degree of regularity of
the family of HFE- (HFE Minus) multivariate public key cryptosystems over
a finite field of size . The degree of regularity of the polynomial
system derived from an HFE- system is less than or equal to
\begin{eqnarray*}
\frac{(q-1)(\lfloor \log_q(D-1)\rfloor +a)}2 +2 & &
\text{if is even and is odd,}
\\
\frac{(q-1)(\lfloor \log_q(D-1)\rfloor+a+1)}2 +2 & &
\text{otherwise.}
\end{eqnarray*}
Here is the base field size, the degree of the HFE
polynomial, and is the
number of removed equations (Minus number).
This allows us to present an estimate of the complexity of breaking the HFE
Challenge 2:
\begin{itemize}
\item the complexity to break the HFE Challenge 2 directly using algebraic
solvers is about .
\end{itemize}
Cryptanalysis of multi-HFE
Multi-HFE (Chen et al., 2009) is one of the cryptosystems whose public key is a set of multivariate quadratic forms over a finite field. Its quadratic forms are constructed by a set of multivariate quadratic forms over an extension field. Recently, Bettale et al. (2013) have studied the security of HFE and multi-HFE against the min-rank attack and found that multi-HFE is not more secure than HFE of similar size. In the present paper, we propose a new attack on multi-HFE
by using a diagonalization approach. As a result, our attack can recover equivalent secret keys of multi-HFE in polynomial time in the odd characteristic case. In fact, we succeeded experimentally in recovering equivalent secret keys of several examples of multi-HFE in about fifteen seconds on average, which were recovered in about nine days by the min-rank attack
MI-T-HFE, a New Multivariate Signature Scheme
In this paper, we propose a new multivariate signature scheme named MI-T-HFE as a competitor of QUARTZ. The core map of MI-T-HFE is of an HFEv type but more importantly has a specially designed trapdoor. This special trapdoor makes MI-T-HFE have several attractive advantages over QUARTZ. First of all, the core map and the public map of MI-T-HFE are both surjective. This surjectivity property is important for signature schemes because any message should always have valid signatures; otherwise it may be troublesome to exclude those messages without valid signatures. However this property is missing for a few major signature schemes, including QUARTZ. A practical parameter set is proposed for MI-T-HFE with the same length of message and same level of security as QUARTZ, but it has smaller public key size, and is more efficient than (the underlying HFEv- of) QUARTZ with the only cost that its signature length is twice that of QUARTZ
On the Security and Key Generation of the ZHFE Encryption Scheme
At PQCrypto'14 Porras, Baena and Ding proposed a new interesting construction to overcome the security weakness of the HFE encryption scheme, and called their new encryption scheme ZHFE. They provided experimental evidence for the security of ZHFE, and proposed the parameter set with claimed security level estimated by experiment. However there is an important gap in the state-of-the-art cryptanalysis of ZHFE, i.e., a sound theoretical estimation for the security level of ZHFE is missing. In this paper we fill in this gap by computing upper bounds for the Q-Rank and for the degree of regularity of ZHFE in terms of , and thus providing such a theoretical estimation. For instance the security level of ZHFE(7,55,105) can now be estimated theoretically as at least . Moreover for the inefficient key generation of ZHFE, we also provide a solution to improve it significantly, making almost no computation needed
Odd-Char Multivariate Hidden Field Equations
We present a multivariate version of Hidden Field Equations (HFE)
over a finite field of odd characteristic, with an extra
"embedding" modifier. Combining these known ideas makes our new
MPKC (multivariate public key cryptosystem) more efficient
and scalable than any other extant multivariate encryption scheme.
Switching to odd characteristics in HFE-like schemes affects how an
attacker can make use of field equations. Extensive empirical tests
(using MAGMA-2.14, the best commercially available $\mathbf{F_4}$
implementation) suggest that our new construction is indeed secure
against algebraic attacks using Gröbner Basis algorithms. The
"embedding" serves both to narrow down choices of pre-images and
to guard against a possible Kipnis-Shamir type (rank-based) attack. We
may hence reasonably argue that for practical sizes, prior attacks
take exponential time.
We demonstrate that our construction is in fact efficient by
implementing practical-sized examples of our "odd-char HFE" with 3
variables ("THFE") over . To be precise, our preliminary
THFE implementation is -- the speed of RSA-1024
Improved Key Recovery of the HFEv- Signature Scheme
The HFEv- signature scheme is a twenty-year-old multivariate
public key signature scheme. It uses the Minus and the Vinegar modifier
on the original HFE scheme. An instance of the HFEv- signature scheme
called GeMSS is one of the alternative candidates for signature schemes
in the third round of the NIST Post Quantum Crypto (PQC) Standardization Project.
In this paper, we propose a new key recovery attack on
the HFEv- signature scheme. We show that the Minus modification does
not enhance the security of cryptosystems of the HFE family, while the
Vinegar modification increases the complexity of our attack only by a
polynomial factor. By doing so, we show that the proposed parameters
of the GeMSS scheme are not as secure as claimed. Our attack shows
that it is very difficult to build a secure and efficient signature scheme
on the basis of HFEv-