A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
|
|
- Chloe Gilmore
- 5 years ago
- Views:
Transcription
1 A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA
2 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG MQQ-ENC [Gligoroski, Ødegård, Jensen, Perret, Faugère, Knapskog & Markovski '11] [Gligoroski & Samardjiska '12]
3 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG 80 bits security in less than 15 days MQQ-ENC 128 bits security in 9 days
4 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG 80 bits security in less than 15 days MQQ-ENC 128 bits security in 9 days Poly-time complexity O(n 10 )
5 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG 80 bits security in less than 15 days MQQ-ENC 128 bits security in 9 days Poly-time complexity O(n 10 ) The attack - Recovery of equivalent key MinRank + Good keys
6 2 Summary Cryptanalysis of the Multivariate cryptosystems MQQ-SIG 80 bits security in less than 15 days MQQ-ENC 128 bits security in 9 days Poly-time complexity O(n 10 ) The attack - Recovery of equivalent key MinRank + Good keys Solved problems of MinRank attacks over even characteristic Simultaneous MinRank Proven complexity bounds independent of the eld size
7 3 Multivariate (MQ) public key scheme: F n q F m q input x x = (x 1,, x n ) private: S private: F x public : P = T F S y private: T output y
8 3 Multivariate (MQ) public key scheme: F n q F m q input x x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y
9 3 Multivariate (MQ) public key scheme: F n q F m q input x x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y Public P p 1 (x 1,, x n ) p 2 (x 1,, x n ) p m (x 1,, x n )
10 3 Multivariate (MQ) public key scheme: F n q F m q input x Public P Matrix form: x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y p 1 (x 1,, x n ) x P 1 x p 2 (x 1,, x n ) x P 2 x p m (x 1,, x n ) x P m x
11 3 Multivariate (MQ) public key scheme: F n q F m q input x Public P Matrix form: x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y p 1 (x 1,, x n ) p 2 (x 1,, x n ) p m (x 1,, x n ) x P 1 x x P 2 x x P m x Matrices representing the quadratic part of the polynomials
12 3 Multivariate (MQ) public key scheme: F n q F m q input x x = (x 1,, x n ) private: S linear x public : P = T F S private: F quadratic private: T y linear output y Inverting P should be hard Underlying NP-complete problem PoSSo: Input: p 1, p 2,, p m F q [x 1,, x n ] Question: Find - if any - (u 1,, u n ) F n q st p 1 (u 1,, u n ) = 0 p 2 (u 1,, u n ) = 0 p m (u 1,, u n ) = 0
13 4 Research in MQ cryptography? Post - Quantum security
14 5 Research in MQ cryptography? MQ schemes are naturally parallelizable!
15 5 Research in MQ cryptography? MQ schemes are naturally parallelizable! up to 1000s times faster than classical amd64; HW+AES (306c3); 2013 Intel Xeon E V3; 4 x 3500MHz; titan0, supercop Cycles to sign 59 bytes ,60548 mqqsig224 11,86264 mqqsig256 11, rainbowbinary , tts
16 5 Research in MQ cryptography? MQ schemes are naturally parallelizable! up to 1000s times faster than classical amd64; HW+AES (306c3); 2013 Intel Xeon E V3; 4 x 3500MHz; titan0, supercop Cycles to sign 59 bytes ,60548 mqqsig224 11,86264 mqqsig256 11, rainbowbinary , tts MQQ-SIG fastest!!! Secure until now! 0
17 6 The MQQ family of cryptosystems MQQ (Multivariate Quadratic Quasigroups) [GMK08] Encryption scheme Direct algebraic attack [Mohamed et al'09, Faugère et al'10] MQQ-SIG [GØJPFKM11] n/2 equations removed - measure against the attack Recommended parameters: Security n MQQ-ENC [GS12] only r equations removed Left MQQs - less structure Recommended parameters for security level of : eld F 2 F 4 F 16 F 256 n r
18 6 The MQQ family of cryptosystems MQQ (Multivariate Quadratic Quasigroups) [GMK08] Encryption scheme Direct algebraic attack [Mohamed et al'09, Faugère et al'10] MQQ-SIG [GØJPFKM11] n/2 equations removed - measure against the attack Recommended parameters: Security n MQQ-ENC [GS12] only r equations removed Left MQQs - less structure Recommended parameters for security level of : eld F 2 F 4 F 16 F 256 n r
19 6 The MQQ family of cryptosystems MQQ (Multivariate Quadratic Quasigroups) [GMK08] Encryption scheme Direct algebraic attack [Mohamed et al'09, Faugère et al'10] MQQ-SIG [GØJPFKM11] n/2 equations removed - measure against the attack Recommended parameters: Security n MQQ-ENC [GS12] only r equations removed Left MQQs - less structure Recommended parameters for security level of : eld F 2 F 4 F 16 F 256 n r
20 7 Crucial for the security of MQ schemes MinRank MR(n, r, k, M 1,, M k ) Input: n, r, k N, and M 1,, M k M n (F q ) Question: Find if any a nonzero k-tuple (λ 1,, λ k ) F k q st: ( k ) Rank λ i M i r i=1 [Kipnis, Shamir '99], [Buss, Shallit '99] NP-hard!!! [Courtois '01], however, Instances in MQ crypto can be much easier, even polynomial! Underlays the security of HFE, STS, Rainbow, and more In this talk: Use MinRank to recover equivalent key of MQQ system
21 7 Crucial for the security of MQ schemes MinRank MR(n, r, k, M 1,, M k ) Input: n, r, k N, and M 1,, M k M n (F q ) Question: Find if any a nonzero k-tuple (λ 1,, λ k ) F k q st: ( k ) Rank λ i M i r i=1 [Kipnis, Shamir '99], [Buss, Shallit '99] NP-hard!!! [Courtois '01], however, Instances in MQ crypto can be much easier, even polynomial! Underlays the security of HFE, STS, Rainbow, and more In this talk: Use MinRank to recover equivalent key of MQQ system
22 7 Crucial for the security of MQ schemes MinRank MR(n, r, k, M 1,, M k ) Input: n, r, k N, and M 1,, M k M n (F q ) Question: Find if any a nonzero k-tuple (λ 1,, λ k ) F k q st: ( k ) Rank λ i M i r i=1 [Kipnis, Shamir '99], [Buss, Shallit '99] NP-hard!!! [Courtois '01], however, Instances in MQ crypto can be much easier, even polynomial! Underlays the security of HFE, STS, Rainbow, and more In this talk: Use MinRank to recover equivalent key of MQQ system
23 8 Solving MinRank - Minors modeling ( k ) ( k ) Rank λ i M i r all minors of size r + 1 of λ i M i vanish i=1 i=1 ( ) 2 n equations of degree r + 1, in k variables r + 1
24 8 Solving MinRank - Minors modeling ( k ) ( k ) Rank λ i M i r all minors of size r + 1 of λ i M i vanish i=1 i=1 ( ) 2 n equations of degree r + 1, in k variables r + 1 [Faugère & Levy-dit-Vehel & Perret '08], Cryptanalysis of MinRank authentication scheme [Courtois '01] [Faugère & Safey El Din & Spaenlehauer '13] Precise complexity bounds
25 9 Solving MinRank - Kipnis-Shamir modeling ( k ) ( k ) Rank λ i M i r x (1),, x (n r) Ker λ i M i i=1 1 x 1 1 x (1) r ( k ) λ i M i = 0 n n 1 x (n r) 1 x (n r) i=1 r n (n r) quadratic (bilinear) equations in r (n r) + k variables i=1
26 9 Solving MinRank - Kipnis-Shamir modeling ( k ) ( k ) Rank λ i M i r x (1),, x (n r) Ker λ i M i i=1 1 x 1 1 x (1) r ( k ) λ i M i = 0 n n 1 x (n r) 1 x (n r) i=1 r n (n r) quadratic (bilinear) equations in r (n r) + k variables Relinearization [Kipnis & Shamir '99] i=1
27 9 Solving MinRank - Kipnis-Shamir modeling ( k ) ( k ) Rank λ i M i r x (1),, x (n r) Ker λ i M i i=1 1 x 1 1 x (1) r ( k ) λ i M i = 0 n n 1 x (n r) 1 x (n r) i=1 r n (n r) quadratic (bilinear) equations in r (n r) + k variables Gröbner bases [Faugère & Levy-dit-Vehel & Perret '08] ( (n+dreg ) ω ) Complexity of F5 algorithm: O d reg [Faugère '02] with 2 ω 3 - the linear algebra constant i=1
28 9 Solving MinRank - Kipnis-Shamir modeling ( k ) ( k ) Rank λ i M i r x (1),, x (n r) Ker λ i M i i=1 1 x 1 1 x (1) r ( k ) λ i M i = 0 n n 1 x (n r) 1 x (n r) i=1 r n (n r) quadratic (bilinear) equations in r (n r) + k variables Gröbner bases [Faugère & Levy-dit-Vehel & Perret '08] ( (n+dreg ) ω ) Complexity of F5 algorithm: O d reg [Faugère '02] with 2 ω 3 - the linear algebra constant d reg min(n X, n Y ) + 2, for bilinear system in X, Y blocks of variables of sizes n X, n Y i=1
29 10 The central map of the MQQ cryptosystems f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d Matrix notation of F f n
30 10 Crucial observation about the algebraic structure f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d Matrix notation of F f n
31 10 Crucial observation about the algebraic structure f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 fd d d f 2d f 3d P = T F S Matrix notation of F f n
32 10 Crucial observation about the algebraic structure f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 fd d d f 2d f 3d P = T F S Matrix notation of F f n
33 10 Crucial observation about the algebraic structure f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 fd d d f 2d f 3d d df n s P = T F S P = (T B 1 ) F (B 2 S) Matrix notation of F
34 11 = We obtain an equivalent central map f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d Matrix notation of F f n
35 12 Initially, note f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n
36 12 Initially, note f 1 f d+1 f 2d+1 f n d+1 x n does not occur quadratically! f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n
37 12 Initially, note f 1 f d+1 f 2d+1 f n d+1 x n does not occur quadratically! f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n n 1 1 n 1 1 Recover structure Transform S n = input space
38 12 Initially, note f 1 f d+1 f 2d+1 f n d+1 x n does not occur quadratically! f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n n 1 1 n 1 1 Recover structure Transform S n = input space Solve: (m(n 1) linear equations in (n 1) variables) n P (k) yj s y,n = 0, 1 k m, 1 j < n y=1
39 13 Key Recovery Attack Input: n r public polynomials P in n variables for number of variables N := n down to r + 2 do Step N: Find a good key (S N, T N) Transform the public key as P T N P S N, end for; Output: An equivalent key S = S n S n 1 S r+2 and T = T r+2 T n 1 T n
40 13 Key Recovery Attack Input: n r public polynomials P in n variables for number of variables N := n down to r + 2 do Step N: Find a good key (S N, T N) Transform the public key as P T N P S N, end for; Output: An equivalent key S = S n S n 1 S r+2 and T = T r+2 T n 1 T n Essential structure preserved
41 13 Key Recovery Attack Input: n r public polynomials P in n variables for number of variables N := n down to r + 2 do The structure gradually revealed Step N: Find a good key (S N, T N) Transform the public key as P T N P S N, end for; Output: An equivalent key S = S n S n 1 S r+2 and T = T r+2 T n 1 T n Essential structure preserved
42 13 Key Recovery Attack Input: n r public polynomials P in n variables for number of variables N := n down to r + 2 do The structure gradually revealed Step N: Find a good key (S N, T one column at a time N) Transform the public key as P T N P S N, end for; Output: An equivalent key S = S n S n 1 S r+2 and T = T r+2 T n 1 T n Essential structure preserved
43 14 Step n f 1 f d+1 f 2d+1 f n d+1 x n does not occur quadratically! f 2 f d+2 f 2d+2 f n d+2 f d f 2d f 3d f n n 1 1 n 1 1 Recover structure Find good key S n = Solve: (m(n 1) linear equations in (n 1) variables) n P (k) yj s y,n = 0, 1 k m, 1 j < n y=1
44 14 Step N f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 x N occurs quadratically in at most one polynomial! f d f 2d f 3d f n
45 14 Step N f 1 f d+1 f 2d+1 f n d+1 f 2 f d+2 f 2d+2 f n d+2 x N occurs quadratically in at most one polynomial! f d f 2d f 3d f n N N r 1 Find good key S N =, T N =
46 14 Theorem f 1 f d+1 f 2d+1 f n d+1 Step N The solution of the Simultaneous MinRank problems: f 2 f d+2 Find t f 2d+2 f k1 F q, 1 < n d+2 k N r + 1 such that ) ( (P (k) + t k1p (1) Rank gives the unknown columns of S N, T N f d f 2d f 3d x N occurs quadratically < N and s inker at most P (k) one + t k1p polynomial! (1)), k f n N N r 1 Find good key S N =, T N =
47 14 Theorem f 1 f d+1 f 2d+1 f n d+1 Step N The solution of the Simultaneous MinRank problems: f 2 f d+2 Find t f 2d+2 f k1 F q, 1 < n d+2 k N r + 1 such that ) ( (P (k) + t k1p (1) Rank gives the unknown columns of S N, T N f d f 2d f 3d x N occurs quadratically < N and s inker at most P (k) one + t k1p polynomial! (1)), k f n Kipnis-Shamir: N N r 1 ( Find good key S N =, s P (k) + t T N = k1p (1)) = 0 1 N, 1 < k N r + 1 [ N(N r + 1) equations in (N 1) + (N r 1) variables ]
48 15 Practical Key Recovery Key Recovery MQQ-ENC eld n r Security Theoretical (ω = 3) F F F F Practical time days Key Recovery MQQ-SIG n Security Theoretical (ω = 3) Practical time days Implemented in Magma on 32 core Intel Xeon 227GHz, 1TB RAM
49 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1))
50 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1)) q = O(n) Solve one MinRank and use exhaustion over F q Plausible to have small rank defect (for ex 1)
51 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1)) q = O(n) Solve one MinRank and use exhaustion over F q Plausible to have small rank defect (for ex 1) Theorem Complexity: O ( n ω+3) with probability 1 1/q
52 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1)) q = O(n) Solve one MinRank and use exhaustion over F q Plausible to have small rank defect (for ex 1) Any q Solve few of the MinRank(s) few=2 with high probability! Theorem Complexity: O ( n ω+3) with probability 1 1/q
53 16 Complexity Analysis over even characteristic Solving Simultaneous MinRank Find t k1 F q, 1 < k N r + 1 such that ) Rank (P (k) + t k1p (1) < N, and s Ker (P (k) + t k1p (1)) q = O(n) Solve one MinRank and use exhaustion over F q Plausible to have small rank defect (for ex 1) Theorem Complexity: O ( n ω+3) with probability 1 1/q Any q Solve few of the MinRank(s) few=2 with high probability! Theorem Complexity: O(n 3ω+1 ) with probability ( 1 1 q )( 1 1 q n 3 )
54 17 Practical Results Key Recovery MQQ-ENC eld n r Theoretical (ω = 3) Practical F F F F F F Key Recovery MQQ-SIG n r Theoretical (ω = 3) Practical Implemented in Magma on 32 core Intel Xeon 227GHz, 1TB RAM
55 17 Practical Results Key Recovery MQQ-ENC eld n r Theoretical (ω = 3) Practical F F F F F F Security time days Key Recovery MQQ-SIG n r Theoretical (ω = 3) Practical Security time days Implemented in Magma on 32 core Intel Xeon 227GHz, 1TB RAM
56 18 Conclusion Very hard to design a secure scheme based on easily invertible MQQ structure For any advancement deeper insights in quasigroup theory needed MinRank - fundamental for MQ security Our attack Works over characteristic 2 Independent of the eld size Works regardless of the number of removed equations Simultaneous MinRank a proper way to model MinRank in MQ crypto
57 18 Conclusion Very hard to design a secure scheme based on easily invertible MQQ structure For any advancement deeper insights in quasigroup theory needed MinRank - fundamental for MQ security Our attack Works over characteristic 2 Independent of the eld size Works regardless of the number of removed equations Simultaneous MinRank a proper way to model MinRank in MQ crypto
58 18 Conclusion Very hard to design a secure scheme based on easily invertible MQQ structure For any advancement deeper insights in quasigroup theory needed MinRank - fundamental for MQ security Our attack Works over characteristic 2 Independent of the eld size Works regardless of the number of removed equations Simultaneous MinRank a proper way to model MinRank in MQ crypto
59 18 Conclusion Very hard to design a secure scheme based on easily invertible MQQ structure For any advancement deeper insights in quasigroup theory needed MinRank - fundamental for MQ security Our attack Works over characteristic 2 Independent of the eld size Works regardless of the number of removed equations Simultaneous MinRank a proper way to model MinRank in MQ crypto
60 Thank you for listening!?
On the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationRésolution de systèmes polynomiaux structurés et applications en Cryptologie
Résolution de systèmes polynomiaux structurés et applications en Cryptologie Pierre-Jean Spaenlehauer University of Western Ontario Ontario Research Center for Computer Algebra Magali Bardet, Jean-Charles
More informationLinearity Measures for MQ Cryptography
Linearity Measures for MQ Cryptography Simona Samardjiska 1,2 and Danilo Gligoroski 1 Department of Telematics, NTNU, Trondheim, Norway, 1 FCSE, UKIM, Skopje, Macedonia. 2 simonas@item.ntno.no,simona.samardjiska@finki.ukim.mk,
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationGröbner Bases Techniques in Post-Quantum Cryptography
Gröbner Bases Techniques in Post-Quantum Cryptography Ludovic Perret Sorbonne Universités, UPMC Univ Paris 06, INRIA Paris LIP6, PolSyS Project, Paris, France Post-Quantum Cryptography Winter School, Fukuoka,
More informationSimple Matrix Scheme for Encryption (ABC)
Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More informationNew candidates for multivariate trapdoor functions
New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding 1, Ray Perlner 2, Albrecht Petzoldt 2, and Daniel Smith-Tone 2,3 1 Department of Mathematical Sciences, University of Cincinnati, Cincinnati,
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationMQQ-SIG - An Ultra-Fast and Provably CMA Resistant Digital Signature Scheme
MQQ-SIG - An Ultra-Fast and Provably CMA Resistant Digital Signature Scheme Danilo Gligoroski, Rune Steinsmo Ødegard, Rune Erlend Jensen, Ludovic Perret, Jean-Charles Faugère, Svein Johan Knapskog, Smile
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationA Public Key Block Cipher Based on Multivariate Quadratic Quasigroups
A Public Key Block Cipher Based on Multivariate Quadratic Quasigroups Danilo Gligoroski 1 and Smile Markovski 2 and Svein Johan Knapskog 3 1 Department of Telematics, Faculty of Information Technology,
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationAn algorithm for judging and generating multivariate quadratic quasigroups over Galois fields
DOI 101186/s40064-016-3525-2 RESEARCH Open Access An algorithm for judging and generating multivariate quadratic quasigroups over Galois fields Ying Zhang * and Huisheng Zhang *Correspondence: zhgyg77@sinacom
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationAnalysis of the MQQ Public Key Cryptosystem
Analysis of the MQQ Public Key Cryptosystem Rune Ødegård 1, Ludovic Perret 2, Jean-Charles Faugère 2, and Danilo Gligoroski 3 1 Centre for Quantifiable Quality of Service in Communication Systems at the
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationRoots of Square: Cryptanalysis of Double-Layer Square and Square+
Roots of Suare: Cryptanalysis of Double-Layer Suare and Suare+ Full Version Enrico Thomae, Christopher Wolf Horst Görtz Institute for IT-security Faculty of Mathematics Ruhr-University of Bochum, 44780
More informationMultivariate Public Key Cryptography
Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016 Outline Outline What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems,
More informationAnalysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields
Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg
More informationRank Analysis of Cubic Multivariate Cryptosystems
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationEfficient variant of Rainbow using sparse secret keys
Takanori Yasuda 1, Tsuyoshi Takagi 2, and Kouichi Sakurai 1,3 1 Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan 2 Institute of Mathematics for Industry, Kyushu University,
More informationOn the Security and Key Generation of the ZHFE Encryption Scheme
On the Security and Key Generation of the ZHFE Encryption Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. At
More informationHFERP - A New Multivariate Encryption Scheme
- A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationMI-T-HFE, a New Multivariate Signature Scheme
MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose
More informationIsomorphism of Polynomials : New Results
Isomorphism of Polynomials : New Results Charles Bouillaguet, Jean-Charles Faugère 2,3, Pierre-Alain Fouque and Ludovic Perret 3,2 Ecole Normale Supérieure {charles.bouillaguet, pierre-alain.fouque}@ens.fr
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationarxiv: v1 [cs.cr] 6 Jan 2013
On the complexity of the Rank Syndrome Decoding problem P. Gaborit 1, O. Ruatta 1 and J. Schrek 1 Université de Limoges, XLIM-DMI, 123, Av. Albert Thomas 87060 Limoges Cedex, France. philippe.gaborit,julien.schrek,olivier.ruatta@unilim.fr
More informationSmall Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems
Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems Albrecht Petzoldt 1, Enrico Thomae, Stanislav Bulygin 3, and Christopher Wolf 4 1,3 Technische Universität Darmstadt
More informationRGB, a Mixed Multivariate Signature Scheme
Advance Access publication on 7 August 2015 RGB, a Mixed Multivariate Signature Scheme Wuqiang Shen and Shaohua Tang c The British Computer Society 2015. All rights reserved. For Permissions, please email:
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationAlgebraic Decoding of Rank Metric Codes
Algebraic Decoding of Rank Metric Codes Françoise Levy-dit-Vehel ENSTA Paris, France levy@ensta.fr joint work with Ludovic Perret (UCL Louvain) Special Semester on Gröbner Bases - Workshop D1 Outline The
More informationCryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction Shinya Okumura Institute of Systems, Information Technologies and Nanotechnologies This is a joint work
More informationTOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor
TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor Wuqiang Shen and Shaohua Tang School of Computer Science & Engineering, South China University of Technology, Guangzhou 510006,
More informationDifferential Algorithms for the Isomorphism of Polynomials Problem
Differential Algorithms for the Isomorphism of Polynomials Problem Abstract. In this paper, we investigate the difficulty of the Isomorphism of Polynomials (IP) Problem as well as one of its variant IP1S.
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationJean-Charles Faugère
ECC 2011 The 15th workshop on Elliptic Curve Cryptography INRIA, Nancy, France Solving efficiently structured polynomial systems and Applications in Cryptology Jean-Charles Faugère Joint work with: L Huot
More informationReconstructing Chemical Reaction Networks by Solving Boolean Polynomial Systems
Reconstructing Chemical Reaction Networks by Solving Boolean Polynomial Systems Chenqi Mou Wei Niu LMIB-School of Mathematics École Centrale Pékin and Systems Science Beihang University, Beijing 100191,
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationCryptanalysis of the Tractable Rational Map Cryptosystem
Cryptanalysis of the Tractable Rational Map Cryptosystem Antoine Joux 1, Sébastien Kunz-Jacques 2, Frédéric Muller 2, and Pierre-Michel Ricordel 2 1 SPOTI Antoine.Joux@m4x.org 2 DCSSI Crypto Lab 51, Boulevard
More informationAn Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme
An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme Dustin Moody 1, Ray Perlner 1, and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg,
More informationInoculating Multivariate Schemes Against Differential Attacks
Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationOn the Security of HFE, HFEv- and Quartz
On the Security of HFE, HFEv- and Quartz Nicolas T. Courtois 1, Magnus Daum 2,andPatrickFelke 2 1 CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP 45, 78430Louveciennes Cedex, France courtois@minrank.org
More informationCryptography from tensor problems (draft)
Cryptography from tensor problems (draft) Leonard J. Schulman May 1, 2012 Abstract We describe a new proposal for a trap-door one-way function. The new proposal belongs to the multivariate quadratic family
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationCryptanalysis of the HFE Public Key Cryptosystem by Relinearization
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA
More informationPublic key cryptography using Permutation P-Polynomials over Finite Fields
Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Andreas Hülsing, Joost Rijneveld, Simona Samardjiska, and Peter Schwabe 30 June 2016 1 / 31 Our take on PQ-Crypto Prepare for actual use Reliable
More informationComparison between XL and Gröbner Basis Algorithms
Comparison between XL and Gröbner Basis Algorithms Gwénolé Ars 1, Jean-Charles Faugère 2, Hideki Imai 3, Mitsuru Kawazoe 4, and Makoto Sugita 5 1 IRMAR, University of Rennes 1 Campus de Beaulieu 35042
More informationCryptanalysis of Simple Matrix Scheme for Encryption
Cryptanalysis of Simple Matrix Scheme for Encryption Chunsheng Gu School of Computer Engineering, Jiangsu University of Technology, Changzhou, 213001, China {chunsheng_gu}@163.com Abstract. Recently, Tao
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Vanessa VITSE - Antoine JOUX Université de Versailles Saint-Quentin, Laboratoire PRISM CT-RSA, February 18, 2011 Motivation Motivation An example of algebraic cryptanalysis
More informationComputational and Algebraic Aspects of the Advanced Encryption Standard
Computational and Algebraic Aspects of the Advanced Encryption Standard Carlos Cid, Sean Murphy and Matthew Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20
More informationSolving Underdetermined Systems of Multivariate Quadratic Equations Revisited
Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited Enrico Thomae and Christopher Wolf Horst Görtz Institute for IT-security Faculty of Mathematics Ruhr-University of Bochum,
More informationEtude d hypothèses algorithmiques et attaques de primitives cryptographiques
Etude d hypothèses algorithmiques et attaques de primitives cryptographiques Charles Bouillaguet École normale supérieure Paris, France Ph.D. Defense September 26, 2011 Introduction Modes of Operation
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Antoine Joux 1,2 and Vanessa Vitse 2 1 Direction Générale de l Armement (DGA) 2 Université de Versailles Saint-Quentin, Laboratoire PRISM, 45 av. des États-Unis, 78035 Versailles
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationOwen (Chia-Hsin) Chen, National Taiwan University
Analysis of QUAD Owen (Chia-Hsin) Chen, National Taiwan University March 27, FSE 2007, Luxembourg Work at Academia Sinica supervised by Dr. Bo-Yin Yang Jointly with Drs. Dan Bernstein and Jiun-Ming Chen
More informationAlgebraic Cryptanalysis of a Quantum Money Scheme The Noise-Free Case
1 / 27 Algebraic Cryptanalysis of a Quantum Money Scheme The Noise-Free Case Marta Conde Pena 1 Jean-Charles Faugère 2,3,4 Ludovic Perret 3,2,4 1 Spanish National Research Council (CSIC) 2 Sorbonne Universités,
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology 2 University of Louisville 7th
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg, Maryland,
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationOn Enumeration of Polynomial Equivalence Classes and Their Application to MPKC
On Enumeration of Polynomial Equivalence Classes and Their Application to MPKC Dongdai Lin a, Jean-Charles Faugère b, Ludovic Perret b, Tianze Wang a,c a SKLOIS, Institute of Software, Chinese Academy
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Antoine Joux 1,2 and Vanessa Vitse 2 1 Direction Générale de l Armement (DGA) 2 Université de Versailles Saint-Quentin, Laboratoire PRISM, 45 av. des États-Unis, 78035 Versailles
More informationAlgebraic Attack Against Trivium
Algebraic Attack Against Trivium Ilaria Simonetti, Ludovic Perret and Jean Charles Faugère Abstract. Trivium is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate
More informationAll-Or-Nothing Transforms Using Quasigroups
All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr
More informationVulnerabilities of McEliece in the World of Escher
Vulnerabilities of McEliece in the World of Escher Dustin Moody and Ray Perlner National Institute of Standards and Technology, Gaithersburg, Maryland, USA dustin.moody@nist.gov, ray.perlner@nist.gov Abstract.
More informationPost-Quantum Code-Based Cryptography
Big Data Photonics UCLA Post-Quantum Code-Based Cryptography 03-25-2016 Valérie Gauthier Umaña Assistant Professor valeriee.gauthier@urosario.edu.co Cryptography Alice 1 Cryptography Alice Bob 1 Cryptography
More informationLow Rank Parity Check codes and their application to cryptography
Noname manuscript No. (will be inserted by the editor) Low Rank Parity Check codes and their application to cryptography Philippe Gaborit Gaétan Murat Olivier Ruatta Gilles Zémor Abstract In this paper
More informationRounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faugère, P. Nguyen, G. Renault, R. Zeitoun Public Key Cryptography 2014 26-28 March, 2014
More informationNew Insight into the Isomorphism of Polynomial Problem IP1S and its Use in Cryptography
New Insight into the Isomorphism of Polynomial Problem IP1S and its Use in Cryptography Gilles Macario-Rat 1, Jérôme Plut 2, and Henri Gilbert 2 1 Orange Labs 38 40, rue du Général Leclerc, 92794 Issy-les-Moulineaux
More informationA Smart Approach for GPT Cryptosystem Based on Rank Codes
A Smart Approach for GPT Cryptosystem Based on Rank Codes arxiv:10060386v1 [csit 2 Jun 2010 Haitham Rashwan Department of Communications InfoLab21, South Drive Lancaster University Lancaster UK LA1 4WA
More informationAnalysing Relations involving small number of Monomials in AES S- Box
Analysing Relations involving small number of Monomials in AES S- Box Riddhi Ghosal Indian Statistical Institute Email: postboxriddhi@gmail.com June 13, 2017 Abstract In the present day, AES is one the
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationFPGA-based Niederreiter Cryptosystem using Binary Goppa Codes
FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes Wen Wang 1, Jakub Szefer 1, and Ruben Niederhagen 2 1. Yale University, USA 2. Fraunhofer Institute SIT, Germany April 9, 2018 PQCrypto 2018
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationOn Polynomial Systems Arising from a Weil Descent
On Polynomial Systems Arising from a Weil Descent Christophe Petit and Jean-Jacques Quisquater UCL Crypto Group, Université catholique de Louvain Place du Levant 3 1348 Louvain-la-Neuve (Belgium) christophe.petit@uclouvain.be,
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationOil-Vinegar signature cryptosystems
Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationMcEliece type Cryptosystem based on Gabidulin Codes
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Zürich ALCOMA, March 19, 2015 joint work with Kyle Marshall Outline Traditional McEliece Crypto System 1 Traditional
More informationMXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy
MXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy Mohamed Saied Emam Mohamed 1, Wael Said Abd Elmageed Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB
More informationCryptanalysis of the Algebraic Eraser
Cryptanalysis of the Algebraic Eraser Simon R. Blackburn Royal Holloway University of London 9th June 2016 Simon R. Blackburn (RHUL) The Algebraic Eraser 1 / 14 Diffie-Hellman key exchange Alice and Bob
More informationOn multivariate signature-only public key cryptosystems
On multivariate signature-only public key cryptosystems Nicolas T. Courtois 1,2 courtois@minrank.org http://www.minrank.org 1 Systèmes Information Signal (SIS), Université de Toulon et du Var BP 132, F-83957
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationMultivariate Public Key Cryptography
Multivariate Public Key Cryptography Jintai Ding 1 and Bo-Yin Yang 2 1 University of Cincinnati and Technische Universität Darmstadt. 2 Academia Sinica and Taiwan InfoSecurity Center, Taipei, Taiwan. Summary.
More information