HFERP - A New Multivariate Encryption Scheme
|
|
- Agnes Nicholson
- 6 years ago
- Views:
Transcription
1 - A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University of Louisville) 10 April, April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 1/34
2 Early History C Triangular Encryption schemes HFE 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 2/34
3 Early History C Triangular Encryption schemes HFE All of these are essentially broken. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 2/34
4 More Recent Attempts ABC Simple Matrix Scheme (quad and cubic) ZHFE Extension Field Cancellation HFE- 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 3/34
5 Properties of Surviving Schemes Typically have twice as many equations as variables (roughly). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 4/34
6 Properties of Surviving Schemes Typically have twice as many equations as variables (roughly). Question Can we have fewer equations with efficient key gen, encryption, decryption? 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 4/34
7 Idea for Constructing Encryption Scheme Idea Bootstrap the structure of successful signature schemes to achieve encryption. (Add some central equations that make the choice of vinegar variables in inversion deterministic.) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 5/34
8 Idea for Constructing Encryption Scheme Idea Bootstrap the structure of successful signature schemes to achieve encryption. (Add some central equations that make the choice of vinegar variables in inversion deterministic.) Benefit: Security of the shell is well understood. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 5/34
9 Idea for Constructing Encryption Scheme Idea Bootstrap the structure of successful signature schemes to achieve encryption. (Add some central equations that make the choice of vinegar variables in inversion deterministic.) Benefit: Security of the shell is well understood. Benefit: Do not need to add so many equations. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 5/34
10 Idea for Constructing Encryption Scheme Idea Bootstrap the structure of successful signature schemes to achieve encryption. (Add some central equations that make the choice of vinegar variables in inversion deterministic.) Benefit: Security of the shell is well understood. Benefit: Do not need to add so many equations. Drawback: Not an original idea. (Usually weak!) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 5/34
11 1 Use UOV (or Rainbow). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 6/34
12 1 Use UOV (or Rainbow). 2 Use the plus modifier (adding random central equations). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 6/34
13 1 Use UOV (or Rainbow). 2 Use the plus modifier (adding random central equations). 3 Drop in invertible central map *. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 6/34
14 Constants and Structures Fix d, o, r, s Z +, n = d + o, and m = d + o + r + s, a finite field k = GF (q), a degree d extension K of k, a basis (θ 1,..., θ d ) of K/k, and a k-vector space isomorphism φ : k d K defined by φ(x) = d x i θ i. i=1 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 7/34
15 Critical Layer Use an efficiently invertible quadratic map F * : K K. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 8/34
16 Rainbow Layer V = {1,..., d}, O = {d + 1,..., d + o = n} f 1 (x 1,..., x d, x d+1,, x n ) = f o+r (x 1,..., x d, x d+1,, x n ) =. i V,j O i V,j O a (1) i,j x ix j + i,j V b (1) i,j x ix j, a (o+r) i,j x i x j + b (o+r) i,j x i x j, i,j V F R = (f 1,..., f o+r ) : k n k o+r (quadratic map). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 9/34
17 Plus Layer f 1(x 1,..., x n ) = f s (x 1,..., x n ) =. 1 i j n 1 i j n c (1) i,j x i x j, c (s) i,j x ix j, F P = (f 1,..., f s ) : k n k s (quadratic map). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 10/34
18 Central Map F := (F *, F R, F P ) : k n k m K F * K φ φ 1 k n id k n F R k o+r id 2 k m id id 3 k n F P k s 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 11/34
19 F is easily invertible To solve F (x) = z, Solve F * φ(x 1,, x d ) = φ 1 (z 1,..., z d ) Solve F R = (f 1,..., f o+r ) : k n k o+r V = {1,..., d}, O = {d + 1,..., d + o} z d+1 =. z o+r = i V,j O i V,j O a (1) i,j x ix j + i,j V b (1) i,j x ix j, a (o+r) i,j x i x j + b (o+r) i,j x i x j, i,j V 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 12/34
20 Secret Key and Public Key S : k n k n : invertible linear map T : k m k m : invertible linear map Public key G : k n S k n F k m T k m. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 13/34
21 Use F * = F S defined by F S (X ) = X 2. K φ F * K φ 1 k d f * k d (Note that f * is a quadratic map from k d to k d.) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 14/34
22 A Relevant Algebra Let Φ : E A be the representation defined by Φ(X ) = (X, X q,..., X qn 1 ). Then we can represent G(X ) = i,j α i,jx qi +q j : [X X q X qn 1] α α 0,1 0,0 α 0,1 α 0,n 1 2 α 0,n α 2 α 1,1 1,n α 1,n 1 2 α n 1,n 1 X X q. X qn April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 15/34
23 F S F S = April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 16/34
24 MinRank Attack on min-q-rank(f S ) = 1. min-q-rank(g ) = 1. Theorem (Petzoldt,, 2017) The complexity of this attack on (q, d, o, r, s) is ( m + 1 O( ) 2 ( m 2 ) ), m = d + o + r + s. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 17/34
25 Construction Security Analysis Parameter selections and Experiments HFE Fix a degree bound D. F HFE (X ) := a i,j X qi +q j = a i,j X qi X qj, (a i,j K). q i +q j D q i +q j D K φ F HFE K φ 1 k d f HFE k d (Note that F HFE is a quadratic map on k d. ) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 18/34
26 Construction Security Analysis Parameter selections and Experiments HFE Part of Central Map [X X q X qn 1] α 2 0,r α 2 α 1,1 1,r α r,r α r 1,r α α 0,1 0,0 α 0,1 α 0,r 1 X X q. X qn 1 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 19/34
27 Construction Security Analysis Parameter selections and Experiments More on HFE Necessary Condition The positive integer D must be chosen such that F 0 (X ) = α, (α K), deg(f 0 ) D can be solved efficiently by Berlekamp s algorithm, of which the complexity is O(D 3 + dd 2 log q). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 20/34
28 Construction Security Analysis Parameter selections and Experiments Central map of Central map F := (F HFE, F R, F P ) : k n k m Public Key G := T F S. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 21/34
29 Construction Security Analysis Parameter selections and Experiments Attacks for 1 MinRank attack on HFE primitive 2 Direct attack 3 Attacks on UOV (Rainbow) structure 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 22/34
30 Construction Security Analysis Parameter selections and Experiments Lemma Assume char(k) 2. G = (G,1,, G,m ) (P 1, P 2,, P m ) G = (G,1,, G,m ) (Q 1, Q 2,, Q m ) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 23/34
31 Construction Security Analysis Parameter selections and Experiments MinRank Attack on Theorem min-q-rank(f HFE ) = log q D. The complexity of this attack on (q, d, o, r, s) is ( m + logq D O( 1 + log q D ) 2 ( m 2 ) ), m = d + o + r + s. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 24/34
32 Construction Security Analysis Parameter selections and Experiments Direct Attack on Theorem The degree of regularity d reg of (q, d, o, r, s) is bounded by { (q 1)( log d reg q D + 1)/2 + 2, (q : odd or log q D : odd) (q 1)( log q D + 2)/2 + 1, otherwise Theorem The complexity of the algebraic attack is given by ( ) n + 2 ( ) dreg n O( ), n = d + o. 2 d reg 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 25/34
33 Construction Security Analysis Parameter selections and Experiments Base Field Rank Attacks - MinRank MinRank Find one or more vectors w j satisfying m t i DG i (w j ) = 0. i=1 Comp MinRank = O ( q d m ω). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 26/34
34 Construction Security Analysis Parameter selections and Experiments Base Field Rank Attacks - Dual Rank/HighRank HighRank Find linear combinations of the public polynomials in the span of the HFE maps and first layer Rainbow maps. ( Comp HighRank = O q m d n ω). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 27/34
35 Construction Security Analysis Parameter selections and Experiments Parameter selections k = F 3 80-bit security parameters (A) (d = 42, o = 21, r = 15, s = 17, D = ) (B) (d = 63, o = 21, r = 11, s = 10, D = ) 128-bit security parameters (C) (d = 85, o 1 = o 2 = 70, r 1 = r 2 = 89, s = 61, D = ) (D) (d = 60, o 1 = o 2 = 40, r 1 = r 2 = 23, s = 40, D = ) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 28/34
36 Construction Security Analysis Parameter selections and Experiments Environment Platform All the experiments were performed using Magma on a 2.6 GHz Intel Xeon CPU. (These are not optimized implementations. They are barely implementations.) 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 29/34
37 Construction Security Analysis Parameter selections and Experiments Experimental Results 1 Random (d, o, r, s, D) n m d reg sol. deg d reg sol. deg s.r.d. (8, 4, 3, 3, 2188) , 4, 4, 4, 4 4, 4, 4, 4, 4 4, 4, 4, 4, 4 4, 4, 4, 4, 4 4 (10, 5, 4, 3, 2188) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (12, 6, 5, 4, 2188) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (14, 7, 5, 5, 2188) , 5, 5, 5, 5 6, 6, 6, 6, 6 5, 5, 5, 5, 5 6, 6, 6, 6, 6 6 Table 2.A. Direct Attack, d = 2o, d + o 2(r + s), o = 4, 5, 6, 7 Random (d, o, r, s, D) n m d reg sol. deg d reg sol. deg s.r.d. (9, 3, 2, 2, 2188) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (12, 4, 2, 2, 2188) , 6, 6, 5, 5, 5, 6, 6, 6, 5 6, 5, 6, 6, 5 6, 6, 6, 6, 6 6 (15, 5, 3, 3, 2188) , 5, 5, 5, 5 6, 6, 6, 6, 6 5, 5, 5, 6, 5 6, 6, 6, 6, 6 6 (18, 6, 3, 3, 2188) , 5, 5, 5, 5 7, 7, 7, 7, 7 5, 5, 5, 5, 7 7, 7, 7, 7, 7 7 Table 2.B. Direct Attack, d = 3o, r + s o, o = 3, 4, 5, 6 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 30/34
38 Construction Security Analysis Parameter selections and Experiments Experimental Results 2 Random (d, o, r, s, D) n m d reg sol. deg d reg sol. deg s.r.d. (3, 3 2, 4 2, 2, 2188) , 3, 3, 3, 3 3, 3, 2, 3, 2 3, 3, 3, 3, 3 2, 3, 3, 2, 2 3 (7, 6 2, 7 2, 5, 2188) , 4, 4, 4, 4 4, 4, 4, 4, 4 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (10, 8 2, 11 2, 7, 2188) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (14, 11 2, 14 2, 10, 2188) Table 2.C. Direct Attack, d 3.4a, o (2.8a, 2.8a), r (3.56a, 3.56a), s 2.44a, a = 1, 2, 3, 4 Random (d, o, r, s, D) n m d reg sol. deg d reg sol. deg s.r.d. (5, 3 2, 2 2, 3, ) , 4, 4, 4, 4 4, 4, 4, 4, 4 4, 4, 4, 4, 4 4, 4, 4, 3, 4 4 (7, 5 2, 3 2, 5, ) , 4, 4, 4, 4 4, 4, 4, 4, 4 5, 5, 5, 5, 5 5, 5, 5, 5, 5 5 (10, 6 2, 4 2, 6, ) , 5, 5, 5, 5 5, 5, 5, 5, 5 5, 5, 5, 5, 5 6, 6, 6, 6, 6 6 (12, 8 2, 5 2, 8, ) , 5, 5, 5, 5 6, 6, 5, 6, 5 5, 5, 5, 5, 5 6, 6, 6, 6, 6 6 Table 2.D. Direct Attack, d 2.4a, o (1.6a, 1.6a), r (0.92a, 0.92a), s 1.6a, a = 2, 3, 4, 5 Here 3 2 = (3, 3). 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 31/34
39 Construction Security Analysis Parameter selections and Experiments Experimental Results 3 80-bit 80-bit 128-bit 128-bit (A) (B) (C) (D) Key Generation s s s 3.43 s Encryption s s s s Decryption s s s s Secret Key Size 19.8KB 31.7KB KB 226.0KB Public Key Size 48.2KB 93.6KB KB 552.3KB 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 32/34
40 Construction Security Analysis Parameter selections and Experiments Future Improvements? How do we break this thing? 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 33/34
41 Construction Security Analysis Parameter selections and Experiments Coffee Break Coffee now. Questions later. 10 April, 2018 Ikematsu, Perlner, Smith-Tone, Takagi & Vates - New Multivariate Encryption 34/34
Improved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More informationRank Analysis of Cubic Multivariate Cryptosystems
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus
More informationMultivariate Public Key Cryptography
Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016 Outline Outline What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems,
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding 1, Ray Perlner 2, Albrecht Petzoldt 2, and Daniel Smith-Tone 2,3 1 Department of Mathematical Sciences, University of Cincinnati, Cincinnati,
More informationSimple Matrix Scheme for Encryption (ABC)
Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology 2 University of Louisville 7th
More informationOn the Security and Key Generation of the ZHFE Encryption Scheme
On the Security and Key Generation of the ZHFE Encryption Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. At
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationLinearity Measures for MQ Cryptography
Linearity Measures for MQ Cryptography Simona Samardjiska 1,2 and Danilo Gligoroski 1 Department of Telematics, NTNU, Trondheim, Norway, 1 FCSE, UKIM, Skopje, Macedonia. 2 simonas@item.ntno.no,simona.samardjiska@finki.ukim.mk,
More informationNew candidates for multivariate trapdoor functions
New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,
More informationCryptanalysis of Simple Matrix Scheme for Encryption
Cryptanalysis of Simple Matrix Scheme for Encryption Chunsheng Gu School of Computer Engineering, Jiangsu University of Technology, Changzhou, 213001, China {chunsheng_gu}@163.com Abstract. Recently, Tao
More informationEfficient variant of Rainbow using sparse secret keys
Takanori Yasuda 1, Tsuyoshi Takagi 2, and Kouichi Sakurai 1,3 1 Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan 2 Institute of Mathematics for Industry, Kyushu University,
More informationA Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary
More informationDifferential Security of the HF Ev Signiture Primitive
Differential Security of the HF Ev Signiture Primitive Ryann Cartor 1 Ryan Gipson 1 Daniel Smith-Tone 1,2 Jeremy Vates 1 1 University of Louisville 2 National Institute of Standards and Technology 25th
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationOil-Vinegar signature cryptosystems
Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Vanessa VITSE - Antoine JOUX Université de Versailles Saint-Quentin, Laboratoire PRISM CT-RSA, February 18, 2011 Motivation Motivation An example of algebraic cryptanalysis
More informationRGB, a Mixed Multivariate Signature Scheme
Advance Access publication on 7 August 2015 RGB, a Mixed Multivariate Signature Scheme Wuqiang Shen and Shaohua Tang c The British Computer Society 2015. All rights reserved. For Permissions, please email:
More informationAnalysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields
Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg
More informationGröbner Bases Techniques in Post-Quantum Cryptography
Gröbner Bases Techniques in Post-Quantum Cryptography Ludovic Perret Sorbonne Universités, UPMC Univ Paris 06, INRIA Paris LIP6, PolSyS Project, Paris, France Post-Quantum Cryptography Winter School, Fukuoka,
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationMI-T-HFE, a New Multivariate Signature Scheme
MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationAn Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme
An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme Dustin Moody 1, Ray Perlner 1, and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg,
More informationCryptanalysis of the HFE Public Key Cryptosystem by Relinearization
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA
More informationDifferential Algorithms for the Isomorphism of Polynomials Problem
Differential Algorithms for the Isomorphism of Polynomials Problem Abstract. In this paper, we investigate the difficulty of the Isomorphism of Polynomials (IP) Problem as well as one of its variant IP1S.
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationA Public-key Encryption Scheme Based on Non-linear Indeterminate Equations (Giophantus)
A Public-key Encryption Scheme Based on Non-linear Indeterminate Equations (Giophantus) Koichiro Akiyama 1, Yasuhiro Goto 2, Shinya Okumura 3, Tsuyoshi Takagi 4, Koji Nuida 5, Goichiro Hanaoka 5, Hideo
More informationIsomorphism of Polynomials : New Results
Isomorphism of Polynomials : New Results Charles Bouillaguet, Jean-Charles Faugère 2,3, Pierre-Alain Fouque and Ludovic Perret 3,2 Ecole Normale Supérieure {charles.bouillaguet, pierre-alain.fouque}@ens.fr
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationTOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor
TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor Wuqiang Shen and Shaohua Tang School of Computer Science & Engineering, South China University of Technology, Guangzhou 510006,
More informationReducing the Key Size of Rainbow using Non-Commutative Rings
Reducing the Key Size of Rainbow using Non-Commutative Rings Takanori Yasuda (Institute of systems, Information Technologies and Nanotechnologies (ISIT)), Kouichi Sakurai (ISIT, Kyushu university) and
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationCryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction Shinya Okumura Institute of Systems, Information Technologies and Nanotechnologies This is a joint work
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationTaxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations
Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations Christopher Wolf, and Bart Preneel {Christopher.Wolf, Bart.Preneel}@esat.kuleuven.ac.be chris@christopher-wolf.de
More informationRésolution de systèmes polynomiaux structurés et applications en Cryptologie
Résolution de systèmes polynomiaux structurés et applications en Cryptologie Pierre-Jean Spaenlehauer University of Western Ontario Ontario Research Center for Computer Algebra Magali Bardet, Jean-Charles
More informationIntroduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg, Maryland,
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationLinear Algebra. Workbook
Linear Algebra Workbook Paul Yiu Department of Mathematics Florida Atlantic University Last Update: November 21 Student: Fall 2011 Checklist Name: A B C D E F F G H I J 1 2 3 4 5 6 7 8 9 10 xxx xxx xxx
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationInoculating Multivariate Schemes Against Differential Attacks
Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,
More informationCombinatorics of p-ary Bent Functions
Combinatorics of p-ary Bent Functions MIDN 1/C Steven Walsh United States Naval Academy 25 April 2014 Objectives Introduction/Motivation Definitions Important Theorems Main Results: Connecting Bent Functions
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationGröbner Bases. Applications in Cryptology
Gröbner Bases. Applications in Cryptology Jean-Charles Faugère INRIA, Université Paris 6, CNRS with partial support of Celar/DGA FSE 20007 - Luxembourg E cient Goal: how Gröbner bases can be used to break
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCSL361 Problem set 4: Basic linear algebra
CSL361 Problem set 4: Basic linear algebra February 21, 2017 [Note:] If the numerical matrix computations turn out to be tedious, you may use the function rref in Matlab. 1 Row-reduced echelon matrices
More informationThe failure of McEliece PKC based on Reed-Muller codes.
The failure of McEliece PKC based on Reed-Muller codes. May 8, 2013 I. V. Chizhov 1, M. A. Borodin 2 1 Lomonosov Moscow State University. email: ivchizhov@gmail.com, ichizhov@cs.msu.ru 2 Lomonosov Moscow
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationMath 201C Homework. Edward Burkard. g 1 (u) v + f 2(u) g 2 (u) v2 + + f n(u) a 2,k u k v a 1,k u k v + k=0. k=0 d
Math 201C Homework Edward Burkard 5.1. Field Extensions. 5. Fields and Galois Theory Exercise 5.1.7. If v is algebraic over K(u) for some u F and v is transcendental over K, then u is algebraic over K(v).
More informationA New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code
A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred
More informationList decoding of binary Goppa codes and key reduction for McEliece s cryptosystem
List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem Morgan Barbier morgan.barbier@lix.polytechnique.fr École Polytechnique INRIA Saclay - Île de France 14 April 2011 University
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationCryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes Magali Bardet 1 Julia Chaulet 2 Vlad Dragoi 1 Ayoub Otmani 1 Jean-Pierre Tillich 2 Normandie Univ, France; UR, LITIS, F-76821
More informationApproximation algorithms for nonnegative polynomial optimization problems over unit spheres
Front. Math. China 2017, 12(6): 1409 1426 https://doi.org/10.1007/s11464-017-0644-1 Approximation algorithms for nonnegative polynomial optimization problems over unit spheres Xinzhen ZHANG 1, Guanglu
More informationWild McEliece Incognito
Wild McEliece Incognito Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Seminaire de Cryptographie Rennes April 1, 2011 Bad news Quantum computers
More informationThe Galois group of a polynomial f(x) K[x] is the Galois group of E over K where E is a splitting field for f(x) over K.
The third exam will be on Monday, April 9, 013. The syllabus for Exam III is sections 1 3 of Chapter 10. Some of the main examples and facts from this material are listed below. If F is an extension field
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationCryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC
Cryptography and Security Protocols Paulo Mateus MMA MEIC Previously on CSP Symmetric Cryptosystems. Asymmetric Cryptosystem. Basics on Complexity theory : Diffie-Hellman key agreement. Algorithmic complexity.
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationAlgebraic attack on stream ciphers Master s Thesis
Comenius University Faculty of Mathematics, Physics and Informatics Department of Computer Science Algebraic attack on stream ciphers Master s Thesis Martin Vörös Bratislava, 2007 Comenius University Faculty
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationOn the security of a realization of cryptosystem MST 3
On the security of a realization of cryptosystem MST 3 Spyros S. Magliveras Department of Mathematical Sciences Center for Cryptology and Information Security Florida Atlantic University Boca Raton, FL
More informationM3/4/5P12 PROBLEM SHEET 1
M3/4/5P12 PROBLEM SHEET 1 Please send any corrections or queries to jnewton@imperialacuk Exercise 1 (1) Let G C 4 C 2 s, t : s 4 t 2 e, st ts Let V C 2 with the stard basis Consider the linear transformations
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationPost-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017
Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017 1 Background I will use: Linear algebra. Vectors x. Matrices A, matrix multiplication AB, xa,
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationCryptanalysis of the Tractable Rational Map Cryptosystem
Cryptanalysis of the Tractable Rational Map Cryptosystem Antoine Joux 1, Sébastien Kunz-Jacques 2, Frédéric Muller 2, and Pierre-Michel Ricordel 2 1 SPOTI Antoine.Joux@m4x.org 2 DCSSI Crypto Lab 51, Boulevard
More informationSection 33 Finite fields
Section 33 Finite fields Instructor: Yifan Yang Spring 2007 Review Corollary (23.6) Let G be a finite subgroup of the multiplicative group of nonzero elements in a field F, then G is cyclic. Theorem (27.19)
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationResultants. summary and questions. December 7, 2011
Resultants summary and questions December 7, 2011 1 An exercise about free modules Let A be a unitary commutative integral ring. Let K be the fraction field of A. Let n 1 be an integer. Set V = A n and
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationPolynomial mappings into a Stiefel manifold and immersions
Polynomial mappings into a Stiefel manifold and immersions Iwona Krzyżanowska Zbigniew Szafraniec November 2011 Abstract For a polynomial mapping from S n k to the Stiefel manifold Ṽk(R n ), where n k
More informationMultivariate Public Key Cryptography
Multivariate Public Key Cryptography Jintai Ding 1 and Bo-Yin Yang 2 1 University of Cincinnati and Technische Universität Darmstadt. 2 Academia Sinica and Taiwan InfoSecurity Center, Taipei, Taiwan. Summary.
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationDevelopments in multivariate post quantum cryptography.
University of Louisville ThinkIR: The University of Louisville's Institutional Repository Electronic Theses and Dissertations 8-2018 Developments in multivariate post quantum cryptography. Jeremy Robert
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationPublic key cryptography using Permutation P-Polynomials over Finite Fields
Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,
More informationBREAKING THE AKIYAMA-GOTO CRYPTOSYSTEM. Petar Ivanov & José Felipe Voloch
BREAKING THE AKIYAMA-GOTO CRYPTOSYSTEM by Petar Ivanov & José Felipe Voloch Abstract. Akiyama and Goto have proposed a cryptosystem based on rational points on curves over function elds (stated in the
More informationMath/Mthe 418/818. Review Questions
Math/Mthe 418/818 Review Questions 1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)). 2. Can φ(n) be computed in polynomial
More information