17 research outputs found

    On the first fall degree of summation polynomials

    We improve on the first fall degree bound of polynomial systems that arise from a Weil descent along Semaev's summation polynomials, relevant to the solution of the Elliptic Curve Discrete Logarithm Problem via Gröbner basis algorithms. Comment: 12 pages, fina

    Stronger bounds on the cost of computing Groebner bases for HFE systems

    We give upper bounds for the solving degree and the last fall degree of the polynomial system associated to the HFE (Hidden Field Equations) cryptosystem. Our bounds improve the known bounds for this type of system. We also present new results on the connection between the solving degree and the last fall degree and prove that, in some cases, the solving degree is independent of coordinate changes. Comment: 15 page

    Cryptanalysis of multi-HFE

    Multi-HFE (Chen et al., 2009) is one of the cryptosystems whose public key is a set of multivariate quadratic forms over a finite field. Its quadratic forms are constructed from a set of multivariate quadratic forms over an extension field. Recently, Bettale et al. (2013) studied the security of HFE and multi-HFE against the min-rank attack and found that multi-HFE is not more secure than HFE of similar size. In the present paper, we propose a new attack on multi-HFE using a diagonalization approach. As a result, our attack can recover equivalent secret keys of multi-HFE in polynomial time in the odd characteristic case. In fact, we experimentally succeeded in recovering equivalent secret keys of several multi-HFE instances in about fifteen seconds on average, where the min-rank attack needed about nine days.

    Construction of the Tsujii-Shamir-Kasahara (TSK) Type Multivariate Public Key Cryptosystem, which relies on the Difficulty of Prime Factorization

    A new multivariate public-key cryptosystem (MPKC) whose security is based on the difficulty of prime factoring is proposed. Unlike conventional cryptosystems such as RSA, most MPKCs are expected to be secure against quantum computers, and their encryption and decryption operations are expected to be fast because they require no exponentiation. However, their security against quantum computers is very difficult to prove mathematically. We propose a new MPKC based on a sequential solution method, assuming security against von Neumann computers, for which an attack appears to be as difficult as prime factoring. This cryptosystem is applicable to both encryption and signature.

    New candidates for multivariate trapdoor functions

    We present a new method for building pairs of HFE polynomials of high degree, such that the map constructed with such a pair is easy to invert. The inversion is accomplished using a low degree polynomial of Hamming weight three, which is derived from a special reduction via Hamming weight three polynomials produced by these two HFE polynomials. This allows us to build new candidates for multivariate trapdoor functions in which we use the pair of HFE polynomials to fabricate the core map. We performed the security analysis for the case where the base field is GF(2) and showed that these new trapdoor functions have high degrees of regularity, and therefore they are secure against the direct algebraic attack. We also give theoretical arguments to show that these new trapdoor functions over GF(2) are secure against the MinRank attack as well.

    Extension Field Cancellation: a New Central Trapdoor for Multivariate Quadratic Systems

    This paper introduces a new central trapdoor for multivariate quadratic (MQ) public-key cryptosystems that allows for encryption, in contrast to time-tested MQ primitives such as Unbalanced Oil and Vinegar or Hidden Field Equations which only allow for signatures. Our construction is a mixed-field scheme that exploits the commutativity of the extension field to dramatically reduce the complexity of the extension field polynomial implicitly present in the public key. However, this reduction can only be performed by the user who knows concise descriptions of two simple polynomials, which constitute the private key. After applying this transformation, the plaintext can be recovered by solving a linear system. We use the minus and projection modifiers to inoculate our scheme against known attacks. A straightforward C++ implementation confirms the efficient operation of the public key algorithms

    New candidates for multivariate trapdoor functions (Nuevas candidatas para funciones trampa multivariadas)

    We present a new reduction method for building pairs of HFE polynomials of high degree, such that the map constructed with one of these pairs is easy to invert. To invert the pair of polynomials we use a low degree polynomial of Hamming weight three, which is derived via a special reduction method involving Hamming weight three polynomials produced from the two HFE polynomials. This allows us to build new candidates for multivariate trapdoor functions in which we use the pair of HFE polynomials to construct the central map. We performed the security analysis for the case where the base field is GF(2) and showed that these new multivariate trapdoor functions have a high degree of regularity, and therefore they resist the direct algebraic attack. We also give theoretical arguments to show that these new trapdoor functions over GF(2) resist the MinRank attack as well.

    A Nonlinear Multivariate Cryptosystem Based on a Random Linear Code

    We introduce a new technique for building multivariate encryption schemes based on random linear codes. The construction is versatile, naturally admitting multiple modifications. Among these modifications is an interesting embedding modifier: any efficiently invertible multivariate system can be embedded and used as part of the inversion process. In particular, even small scale secure multivariate signature schemes can be embedded, producing reasonably efficient encryption schemes. Thus this technique offers a bridge between multivariate signatures, many of which have remained stable and functional for many years, and multivariate encryption, a historically more troubled area.

    On Generalized First Fall Degree Assumptions

    The first fall degree assumption provides a complexity approximation of Gröbner basis algorithms when the degree of regularity of a polynomial system cannot be precisely evaluated. Most importantly, this assumption was recently used by Petit and Quisquater to conjecture that the elliptic curve discrete logarithm problem can be solved in subexponential time for binary fields (binary ECDLP). The validity of the assumption may however depend on the systems in play. In this paper, we theoretically and experimentally study the first fall degree assumption for a class of polynomial systems including those considered in Petit and Quisquater's analysis. In some cases, we show that the first fall degree assumption seems to hold and we deduce complexity improvements on previous binary ECDLP algorithms. On the other hand, we also show that the assumption is unlikely to hold in other cases, where it would have very unexpected consequences. Our results shed light on a Gröbner basis assumption with major consequences for several cryptanalysis problems, including binary ECDLP.