
    A study of big field multivariate cryptography.

    As the world grapples with the possibility of widespread quantum computing, the cryptosystems of the day need to be up to date. Multivariate Public Key Cryptography is a leading option for security in a post-quantum society. One goal of this work is to classify the security of multivariate schemes, especially C* variants. We begin by introducing Multivariate Public Key Cryptography and will then discuss different multivariate schemes and the main types of attacks that have been proven effective against multivariate schemes. Once we have developed an appropriate background, we analyze the security of different schemes against particular attacks. Specifically, we will analyze the differential security of the HFEv- and PFLASH schemes. We then introduce a variant of C* that may be used as an encryption scheme, not just as a signature scheme. Finally, we will analyze the security and efficiency of a (n,d,s,a,p,t) scheme in general. This allows individuals to discuss, in general terms, the security and performance of any C* variant.

    Developments in multivariate post quantum cryptography.

    Ever since Shor's algorithm was introduced in 1994, cryptographers have been working to develop cryptosystems that can resist known quantum computer attacks. This push for quantum-attack-resistant schemes is known as post-quantum cryptography. Specifically, my contributions to post-quantum cryptography have been to the family of schemes known as Multivariate Public Key Cryptography (MPKC), which is a very attractive candidate for digital signature standardization in the post-quantum collective for a wide variety of applications. In this document I will be providing all necessary background to fully understand MPKC and post-quantum cryptography as a whole. Then, I will walk through the contributions I provided in my publications relating to differential security proofs for HFEv and HFEv−, a key recovery attack for all parameters of HFEm, and my newly proposed multivariate encryption scheme, HFERP.

    On the Complexity of the Hybrid Approach on HFEv-

    The HFEv- signature scheme is one of the most promising candidates for post-quantum digital signatures. Most notable here is the short signature size of the scheme. It has long been known that direct attacks against HFEv- systems work more efficiently than against random systems. The reason for this was found by Jintai Ding et al., who proved an upper bound on the degree of regularity of these systems. However, not much is known about the efficiency of the hybrid approach against the HFEv- scheme. In order to find suitable parameter sets for HFEv- for higher levels of security, this topic has to be studied in more detail. In this article we consider this question by performing a large number of computer experiments. As our experiments show, guessing variables does not help to speed up direct attacks against HFEv- systems. Therefore, in the parameter selection of these schemes, we do not have to consider the hybrid approach. Furthermore, we develop in this article a simple formula to estimate the degree of regularity of a determined HFEv- system. Together with our results on the behavior of the hybrid approach, this formula gives us an easy way to estimate the complexity of direct attacks against HFEv- systems.

    Improved Key Recovery of the HFEv- Signature Scheme

    The HFEv- signature scheme is a twenty-year-old multivariate public key signature scheme. It uses the Minus and the Vinegar modifier on the original HFE scheme. An instance of the HFEv- signature scheme called GeMSS is one of the alternative candidates for signature schemes in the third round of the NIST Post Quantum Crypto (PQC) Standardization Project. In this paper, we propose a new key recovery attack on the HFEv- signature scheme. We show that the Minus modification does not enhance the security of cryptosystems of the HFE family, while the Vinegar modification increases the complexity of our attack only by a polynomial factor. By doing so, we show that the proposed parameters of the GeMSS scheme are not as secure as claimed. Our attack shows that it is very difficult to build a secure and efficient signature scheme on the basis of HFEv-.

    Extracting Linearization Equations from Noisy Sources

    This note was originally written under the name "On the Security of HMFEv" and was submitted to PQCrypto 2018. The author was informed by the referees of his oversight of an ePrint work of the same name by Hashimoto, see ePrint article 2017/689, that completely breaks HMFEv, rendering the result on HMFEv obsolete. Still, the author feels that the technique used here is interesting and that, at least in principle, this method could contribute to future cryptanalysis. Thus, with a change of title indicating the direction in which this work is leading, we present the original work with all of its oversights intact and with minimal correction (only references fixed). At PQCRYPTO 2017, a new multivariate digital signature based on Multi-HFE and utilizing the vinegar modifier was proposed. The vinegar modifier increases the Q-rank of the central map, preventing a direct application of the MinRank attack that defeated Multi-HFE. The authors were, therefore, confident enough to choose aggressive parameters for the Multi-HFE component of the central map (with vinegar variables fixed). Their analysis indicated that the security of the scheme depends on the sum of the number of variables k over the extension field and the number v of vinegar variables, with the individual values being unimportant as long as they are not "too small." We analyze the consequences of this choice of parameters and derive some new attacks showing that the parameter v must be chosen with care.

    Improvements to quantum search, with applications to cryptanalysis


    An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme

    Historically, multivariate public key cryptography has been less than successful at offering encryption schemes which are both secure and efficient. At PQCRYPTO '13 in Limoges, Tao, Diene, Tang, and Ding introduced a promising new multivariate encryption algorithm based on a fundamentally new idea: hiding the structure of a large matrix algebra over a finite field. We present an attack based on subspace differential invariants inherent to this methodology. The attack is a structural key recovery attack which is asymptotically optimal among all known attacks (including algebraic attacks) on the original scheme and its generalizations.

    On short digital signatures with Eulerian transformations

    Let n stand for the length of digital signatures with a quadratic multivariate public rule in n variables. We construct a post-quantum secure procedure to sign O(n^t), t ≥ 1, digital documents with a signature of size n in time O(n^{3+t}). It allows one to sign O(n^t) documents of size n in time O(n^{t+3}), t > 1. The multivariate encryption map has linear degree O(n) and density O(n^4). We discuss the idea of a public key with Eulerian transformations which allows one to sign O(n^t), t ≥ 0, documents in time O(n^{t+2}). The idea of delivery and usage of several Eulerian and quadratic transformations is also discussed.

    Proposal of PPS Multivariate Public Key Cryptosystems

    In this paper we propose a new MPKC, called PPS, based on (i) the 2-layer nonlinear piece in hand method, (ii) PMI, and (iii) STS. The PPS is a specific MPKC obtained by applying the 2-layer nonlinear piece in hand method to STS, in such a manner that the rank and randomness of the lower rank steps in the original secret polynomial vector of STS are enhanced by adding a perturbation polynomial vector, and moreover PMI is used in the auxiliary part. The PPS overcomes the drawbacks of the three schemes through the advantages of the three schemes themselves. Thus, PPS can be thought to be immune simultaneously from algebraic attacks, such as Gröbner basis attacks, from rank attacks, and from differential attacks.

    Resisting Key-Extraction and Code-Compression: a Secure Implementation of the HFE Signature Scheme in the White-Box Model

    Cryptography is increasingly deployed in applications running on open devices in which the software is extremely vulnerable to attacks, since the attacker has complete control over the execution platform and the software implementation itself. This creates a challenge for cryptography: design implementations of cryptographic algorithms that are secure, not only in the black-box model, but also in this attack context that is referred to as the white-box adversary model. Moreover, emerging applications such as mobile payment, mobile contract signing or blockchain-based technologies have created a need for white-box implementations of public-key cryptography, and especially of signature algorithms. However, while many attempts were made to construct white-box implementations of block ciphers, almost no white-box implementations have been published as far as asymmetric schemes are concerned. We present here a concrete white-box implementation of the well-known HFE signature algorithm for a specific set of internal polynomials. For a security level of 2^{80}, the public key size is approximately 62.5 MB and the white-box implementation of the signature algorithm has a size of approximately 256 GB.