Developments in multivariate post quantum cryptography.

Ever since Shor\u27s algorithm was introduced in 1994, cryptographers have been working to develop cryptosystems that can resist known quantum computer attacks. This push for quantum attack resistant schemes is known as post quantum cryptography. Specifically, my contributions to post quantum cryptography has been to the family of schemes known as Multivariate Public Key Cryptography (MPKC), which is a very attractive candidate for digital signature standardization in the post quantum collective for a wide variety of applications. In this document I will be providing all necessary background to fully understand MPKC and post quantum cryptography as a whole. Then, I will walk through the contributions I provided in my publications relating to differential security proofs for HFEv and HFEv−, key recovery attack for all parameters of HFEm, and my newly proposed multivariate encryption scheme, HFERP

Envisioning the Future of Cyber Security in Post-Quantum Era: A Survey on PQ Standardization, Applications, Challenges and Opportunities

The rise of quantum computers exposes vulnerabilities in current public key cryptographic protocols, necessitating the development of secure post-quantum (PQ) schemes. Hence, we conduct a comprehensive study on various PQ approaches, covering the constructional design, structural vulnerabilities, and offer security assessments, implementation evaluations, and a particular focus on side-channel attacks. We analyze global standardization processes, evaluate their metrics in relation to real-world applications, and primarily focus on standardized PQ schemes, selected additional signature competition candidates, and PQ-secure cutting-edge schemes beyond standardization. Finally, we present visions and potential future directions for a seamless transition to the PQ era

Cryptanalysis of multi-HFE

Multi-HFE (Chen et al., 2009) is one of cryptosystems whose public key is a set of multivariate quadratic forms over a finite field. Its quadratic forms are constructed by a set of multivariate quadratic forms over an extension field. Recently, Bettale et al. (2013) have studied the security of HFE and multi-HFE against the min-rank attack and found that multi-HFE is not more secure than HFE of similar size. In the present paper, we propose a new attack on multi-HFE by using a diagonalization approach. As a result, our attack can recover equivalent secret keys of multi-HFE in polynomial time for odd characteristic case. In fact, we experimentally succeeded to recover equivalent secret keys of several examples of multi-HFE in about fifteen seconds on average, which was recovered in about nine days by the min-rank attack

A study of big field multivariate cryptography.

As the world grapples with the possibility of widespread quantum computing, the cryptosystems of the day need to be up to date. Multivariate Public Key Cryptography is a leading option for security in a post quantum society. One goal of this work is to classify the security of multivariate schemes, especially C*variants. We begin by introducing Multivariate Public Key Cryptography and will then discuss different multivariate schemes and the main types of attacks that have been proven effective against multivariate schemes. Once we have developed an appropriate background, we analyze security of different schemes against particular attacks. Specifically, we will analyze differential security of HFEv- and PFLASH schemes. We then introduce a variant of C* that may be used as an encryption scheme, not just as a signature scheme. Finally, we will analyze the security and efficiency of a (n,d,s,a,p,t) scheme in general. This allows for individuals to generally discuss security and performance of any C* variant

Extracting Linearization Equations from Noisy Sources

This note was originally written under the name ``On the Security of HMFEv\u27\u27 and was submitted to PQCrypto 2018. The author was informed by the referees of his oversight of an eprint work of the same name by Hashimoto, see eprint article /2017/689/, that completely breaks HMFEv, rendering the result on HMFEv obsolete. Still, the author feels that the technique used here is interesting and that, at least in principal, this method could contribute to future cryptanalysis. Thus, with a change of title indicating the direction in which this work is leading, we present the original work with all of its oversights intact and with minimal correction (only references fixed). At PQCRYPTO 2017, a new multivariate digital signature based on Multi-HFE and utilizing the vinegar modifier was proposed. The vinegar modifier increases the Q-rank of the central map, preventing a direct application of the MinRank attack that defeated Multi-HFE. The authors were, therefore, confident enough to choose aggressive parameters for the Multi-HFE component of the central map (with vinegar variables fixed). Their analysis indicated that the security of the scheme depends on the sum of the number of variables $k$ over the extension field and the number $v$ of vinegar variables with the individual values being unimportant as long as they are not ``too small.\u27\u27 We analyze the consequences of this choice of parameters and derive some new attacks showing that the parameter $v$ must be chosen with care

On the matrix code of quadratic relationships for a Goppa code

In this article, we continue the analysis started in \cite{CMT23} for the matrix code of quadratic relationships associated with a Goppa code. We provide new sparse and low-rank elements in the matrix code and categorize them according to their shape. Thanks to this description, we prove that the set of rank 2 matrices in the matrix codes associated with square-free binary Goppa codes, i.e. those used in Classic McEiece, is much larger than what is expected, at least in the case where the Goppa polynomial degree is 2. We build upon the algebraic determinantal modeling introduced in \cite{CMT23} to derive a structural attack on these instances. Our method can break in just a few seconds some recent challenges about key-recovery attacks on the McEliece cryptosystem, consistently reducing their estimated security level. We also provide a general method, valid for any Goppa polynomial degree, to transform a generic pair of support and multiplier into a pair of support and Goppa polynomial

Encriptação parcialmente homomórfica CCA1-segura

Orientadores: Ricardo Dahab, Diego de Freitas AranhaTese (doutorado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: Nesta tese nosso tema de pesquisa é a encriptação homomórfica, com foco em uma solução prática e segura para encriptação parcialmente homomórfica (somewhat homomorphic encryption - SHE), considerando o modelo de segurança conhecido como ataque de texto encriptado escolhido (chosen ciphertext attack - CCA). Este modelo pode ser subdividido em duas categorias, a saber, CCA1 e CCA2, sendo CCA2 o mais forte. Sabe-se que é impossível construir métodos de encriptação homomórfica que sejam CCA2-seguros. Por outro lado, é possível obter segurança CCA1, mas apenas um esquema foi proposto até hoje na literatura; assim, seria interessante haver outras construções oferecendo este tipo de segurança. Resumimos os principais resultados desta tese de doutorado em duas contribuições. A primeira é mostrar que a família NTRU de esquemas SHE é vulnerável a ataques de recuperação de chave privada, e portanto não são CCA1-seguros. A segunda é a utilização de computação verificável para obter esquemas SHE que são CCA1-seguros e que podem ser usados para avaliar polinômios multivariáveis quadráticos. Atualmente, métodos de encriptação homomórfica são construídos usando como substrato dois problemas de difícil solução: o MDC aproximado (approximate GCD problem - AGCD) e o problema de aprendizado com erros (learning with errors - LWE). O problema AGCD leva, em geral, a construções mais simples mas com desempenho inferior, enquanto que os esquemas baseados no problema LWE correspondem ao estado da arte nesta área de pesquisa. Recentemente, Cheon e Stehlé demonstraram que ambos problemas estão relacionados, e é uma questão interessante investigar se esquemas baseados no problema AGCD podem ser tão eficientes quanto esquemas baseados no problema LWE. Nós respondemos afirmativamente a esta questão para um cenário específico: estendemos o esquema de computação verificável proposto por Fiore, Gennaro e Pastro, de forma que use a suposição de que o problema AGCD é difícil, juntamente com o esquema DGHV adaptado para uso do Teorema Chinês dos Restos (Chinese remainder theorem - CRT) de forma a evitar ataques de recuperação de chave privadaAbstract: In this thesis we study homomorphic encryption with focus on practical and secure somewhat homomorphic encryption (SHE), under the chosen ciphertext attack (CCA) security model. This model is classified into two different main categories: CCA1 and CCA2, with CCA2 being the strongest. It is known that it is impossible to construct CCA2-secure homomorphic encryption schemes. On the other hand, CCA1-security is possible, but only one scheme is known to achieve it. It would thus be interesting to have other CCA1-secure constructions. The main results of this thesis are summarized in two contributions. The first is to show that the NTRU-family of SHE schemes is vulnerable to key recovery attacks, hence not CCA1-secure. The second is the utilization of verifiable computation to obtain a CCA1-secure SHE scheme that can be used to evaluate quadratic multivariate polynomials. Homomorphic encryption schemes are usually constructed under the assumption that two distinct problems are hard, namely the Approximate GCD (AGCD) Problem and the Learning with Errors (LWE) Problem. The AGCD problem leads, in general, to simpler constructions, but with worse performance, wheras LWE-based schemes correspond to the state-of-the-art in this research area. Recently, Cheon and Stehlé proved that both problems are related, and thus it is an interesting problem to investigate if AGCD-based SHE schemes can be made as efficient as their LWE counterparts. We answer this question positively for a specific scenario, extending the verifiable computation scheme proposed by Fiore, Gennaro and Pastro to work under the AGCD assumption, and using it together with the Chinese Remainder Theorem (CRT)-version of the DGHV scheme, in order to avoid key recovery attacksDoutoradoCiência da ComputaçãoDoutor em Ciência da Computação143484/2011-7CNPQCAPE

Combinatorial Rank Attacks Against the Rectangular Simple Matrix Encryption Scheme

In 2013, Tao et al. introduced the ABC Simple Matrix Encryption Scheme, a multivariate public key encryption scheme. The scheme boasts great efficiency in encryption and decryption, though it suffers from very large public keys. It was quickly noted that the original proposal, utilizing square matrices, suffered from a very bad decryption failure rate. As a consequence, the designers later published updated parameters, replacing the square matrices with rectangular matrices and altering other parameters to avoid the cryptanalysis of the original scheme presented in 2014 by Moody et al. In this work, we show that making the matrices rectangular, while decreasing the decryption failure rate, actually, and ironically, diminishes security. We show that the combinatorial rank methods employed in the original attack of Moody et al. can be enhanced by the same added degrees of freedom that reduce the decryption failure rate. Moreover, and quite interestingly, if the decryption failure rate is still reasonably high, as exhibited by the proposed parameters, we are able to mount a reaction attack to further enhance the combinatorial rank methods. To our knowledge this is the first instance of a reaction attack creating a significant advantage in this context

Resisting Key-Extraction and Code-Compression: a Secure Implementation of the HFE Signature Scheme in the White-Box Model

Cryptography is increasingly deployed in applications running on open devices in which the software is extremely vulnerable to attacks, since the attacker has complete control over the execution platform and the software implementation itself. This creates a challenge for cryptography: design implementations of cryptographic algorithms that are secure, not only in the black-box model, but also in this attack context that is referred to as the white-box adversary model. Moreover, emerging applications such as mobile payment, mobile contract signing or blockchain-based technologies have created a need for white-box implementations of public-key cryptography, and especially of signature algorithms. However, while many attempts were made to construct white-box implementations of block-ciphers, almost no white-box implementations have been published for what concerns asymmetric schemes. We present here a concrete white-box implementation of the well-known HFE signature algorithm for a specific set of internal polynomials. For a security level $2^{80}$, the public key size is approximately 62.5 MB and the white-box implementation of the signature algorithm has a size approximately 256 GB