64 research outputs found

    A Measure of Dependence for Cryptographic Primitives Relative to Ideal Functions

    In this work we present a modification of a well-established measure of dependence appropriate for the analysis of stopping times for adversarial processes on cryptographic primitives. We apply this measure to construct generic criteria for the ideal behavior of fixed functions in both the random oracle and ideal permutation setting. More significantly, we provide a nontrivial extension of the notion of hash function indifferentiability, transporting the theory from the status of providing security arguments for protocols utilizing ideal primitives into the more realistic setting of protocol assurance with fixed functions. The methodology this measure introduces to indifferentiability analysis connects the security of a hash function with an indifferentiable mode to the security of the underlying compression function in a quantitative way; thus, we prove that dependence results on cryptographic primitives provide a direct means of determining the practical resistance or vulnerability of protocols employing such primitives.

    A Nonlinear Multivariate Cryptosystem Based on a Random Linear Code

    We introduce a new technique for building multivariate encryption schemes based on random linear codes. The construction is versatile, naturally admitting multiple modifications. Among these modifications is an interesting embedding modifier: any efficiently invertible multivariate system can be embedded and used as part of the inversion process. In particular, even small scale secure multivariate signature schemes can be embedded, producing reasonably efficient encryption schemes. Thus this technique offers a bridge between multivariate signatures, many of which have remained stable and functional for many years, and multivariate encryption, a historically more troubling area.

    Extracting Linearization Equations from Noisy Sources

    This note was originally written under the name "On the Security of HMFEv" and was submitted to PQCrypto 2018. The author was informed by the referees of his oversight of an eprint work of the same name by Hashimoto, see eprint article /2017/689/, that completely breaks HMFEv, rendering the result on HMFEv obsolete. Still, the author feels that the technique used here is interesting and that, at least in principle, this method could contribute to future cryptanalysis. Thus, with a change of title indicating the direction in which this work is leading, we present the original work with all of its oversights intact and with minimal correction (only references fixed). At PQCRYPTO 2017, a new multivariate digital signature based on Multi-HFE and utilizing the vinegar modifier was proposed. The vinegar modifier increases the Q-rank of the central map, preventing a direct application of the MinRank attack that defeated Multi-HFE. The authors were, therefore, confident enough to choose aggressive parameters for the Multi-HFE component of the central map (with vinegar variables fixed). Their analysis indicated that the security of the scheme depends on the sum of the number of variables k over the extension field and the number v of vinegar variables, with the individual values being unimportant as long as they are not "too small." We analyze the consequences of this choice of parameters and derive some new attacks showing that the parameter v must be chosen with care.

    A Total Break of the Scrap Digital Signature Scheme

    Recently a completely new post-quantum digital signature scheme was proposed using the so-called "scrap automorphisms". The structure is inherently multivariate, but differs significantly from most of the multivariate literature in that it relies on sparsity and rings containing zero divisors. In this article, we derive a complete and total break of Scrap, performing a key recovery in not much more time than verifying a signature. We also generalize the result, breaking unrealistic instances of the scheme for which there is no particularly efficient signing algorithm and key sizes are unmanageable.

    Properties of the Discrete Differential with Cryptographic Applications

    Recently, the C^{*-} signature scheme has been completely broken by Dubois et al. (Dubois et al., CRYPTO and EUROCRYPT 2007). As a consequence, the security of SFLASH and other multivariate public key systems has been impaired. The attacks presented in (Dubois et al., CRYPTO and EUROCRYPT 2007) rely on a symmetry of the differential of the encryption mapping. In (Ding et al., 2007), Ding et al. experimentally justify the use of projection as a method of avoiding the new attack. In this paper, we derive some properties of the discrete differential, give a theoretical justification for the reparation in (Ding et al., 2007), and establish the exact context in which this attack is applicable.

    A Total Break of the 3WISE Digital Signature Scheme

    A new batch of "complete and proper" digital signature scheme submissions has recently been published by NIST as part of its process for establishing post-quantum cryptographic standards. This note communicates an attack on the 3WISE digital signature scheme that the submitters did not wish to withdraw after NIST communicated it to them. While the 3WISE digital signature scheme is based on a collection of cubic maps which are naturally modeled as symmetric 3-tensors, and 3-tensor rank is a difficult problem, the multivariate signature scheme is still vulnerable to MinRank attacks upon projection. We are able to break the NIST security level I parameters within a few seconds. Since the attack is polynomial time, there is no reparametrization resulting in a secure scheme.

    The Generating Series of Support Minors MinRank Ideals

    The support minors method has become indispensable to cryptanalysts in attacking various post-quantum cryptosystems in the areas of multivariate cryptography and rank-based cryptography. The complexity analysis for support minors MinRank calculations is a bit messy, with no closed form for the Hilbert series of the ideal generated by the support minors equations (or, more correctly, for the quotient of the polynomial ring by this ideal). In this article, we provide a generating series whose coefficients are the Hilbert series of related MinRank ideals. This simple series therefore reflects and relates the structure of all support minors ideals. Its simplicity also makes it practically useful in computing the complexity of support minors instances.

    Rainbow Band Separation is Better than we Thought

    Currently the National Institute of Standards and Technology (NIST) is engaged in a post-quantum standardization effort, analyzing numerous candidate schemes to provide security against the advancing threat of quantum computers. Among the candidates in the second round of the standardization process is Rainbow, a roughly 15 year old digital signature scheme based on multivariate systems of equations. While there are many attack avenues for Rainbow, the parameters have to date seemed balanced in such a way as to make every attack sufficiently costly that it meets the security levels specified by NIST in their standardization effort. One type of attack against Rainbow has historically empirically outperformed its theoretical complexity: the Rainbow Band Separation (RBS) attack. We explain this discrepancy by providing a tighter theoretical analysis of the attack complexity. While previous analyses assumed that the systems of equations derived in the attack are generic, our analysis uses the fact that they are structured to justify tighter bounds on the complexity. As a result, we can prove under the same set of assumptions used to justify the analysis in the Rainbow submission specification that none of the parameters of Rainbow achieve their claimed security level. Specifically, the level I, III and V parameter sets fall short of their claimed security levels by at least 3, 6 and 10 bits, respectively. We then apply our analysis to suggest the small parameter changes necessary to guarantee that Rainbow can meet the NIST security levels.

    EFLASH: A New Multivariate Encryption Scheme

    Multivariate Public Key Cryptography is a leading option for security in a post-quantum society. In this paper we propose a new encryption scheme, EFLASH, and analyze its efficiency and security.

    An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme

    Historically, multivariate public key cryptography has been less than successful at offering encryption schemes which are both secure and efficient. At PQCRYPTO '13 in Limoges, Tao, Diene, Tang, and Ding introduced a promising new multivariate encryption algorithm based on a fundamentally new idea: hiding the structure of a large matrix algebra over a finite field. We present an attack based on subspace differential invariants inherent to this methodology. The attack is a structural key recovery attack which is asymptotically optimal among all known attacks (including algebraic attacks) on the original scheme and its generalizations.