Oil-Vinegar signature cryptosystems
Jintai Ding, University of Cincinnati. Workshop on multivariate public key cryptosystems, 2006, Taiwan Information Security Center, The National Taiwan University of Science and Technology.

Outline
1. Introduction
2. The Oil-Vinegar signature schemes (balanced and unbalanced)
3. The attacks
4. The generalizations
1 Introduction

Multivariable public key signature cryptosystems: the public key (the verifier's key) is given as $G(x_1,\dots,x_n) = (G_1(x_1,\dots,x_n),\dots,G_m(x_1,\dots,x_n))$. Any document (its hash value) $D = (y_1,\dots,y_m)$ has a signature $S = (x_1,\dots,x_n)$, and we accept it only if $G(S) = D$. The secret key is something that allows one to find $S$ once we are given $D$.

The first one: Ong-Schnorr-Shamir (OSS), 1985. Here $b$ is the message or its hash, and the signature satisfies $y^2 - a x^2 = b \bmod (p_1 p_2)$. But it was defeated in 1987 by Pollard-Schnorr.
The origin of Oil-Vinegar. The inspiration comes from the linearization equations (LEs) satisfied by the MI system: $\sum a_{ij} x_i y_j + \sum b_i x_i + \sum c_j y_j + d = 0$, where $(x_1,\dots,x_n)$ is the plaintext and $(y_1,\dots,y_n)$ the ciphertext. Patarin transformed an attack method into a method to build cryptosystems.
2 Oil-Vinegar

Oil-Vinegar is a design for signatures. The Oil and Vinegar construction (Patarin, Kipnis, Goubin) uses the idea that certain quadratic equations can be solved easily if we are allowed to guess a few variables, as in the case of the LE attack.
Let $k$ be a finite field. The key construction is a map $F$ from $k^{o+v}$ to $k^o$: $F(x_1,\dots,x_o,x'_1,\dots,x'_v) = (F_1(x_1,\dots,x_o,x'_1,\dots,x'_v),\dots,F_o(x_1,\dots,x_o,x'_1,\dots,x'_v))$, and each $F_l$ is of the form:

$F_l(x_1,\dots,x_o,x'_1,\dots,x'_v) = \sum a_{l,i,j} x_i x'_j + \sum b_{l,i,j} x'_i x'_j + \sum c_{l,i} x_i + \sum d_{l,j} x'_j + e_l$,

where $x_i$, $i = 1,\dots,o$, are the Oil variables and $x'_j$, $j = 1,\dots,v$, are the Vinegar variables in the finite field $k$.
We call such a polynomial an Oil and Vinegar polynomial. The scheme is called Oil and Vinegar because in the quadratic terms the Oil and Vinegar variables are not fully mixed (like oil and vinegar): there is no Oil times Oil term.
This allows us to find one solution easily for any equation of the form $F(x_1,\dots,x_o,x'_1,\dots,x'_v) = (y_1,\dots,y_o)$ when $(y_1,\dots,y_o)$ is given. To find one solution, one just needs to randomly choose values for the Vinegar variables and plug them into the equations above, which produces a set of $o$ linear equations in the $o$ Oil variables.

This should, with good probability, give us a solution. If it does not, one can try again by selecting different values for the Vinegar variables until one succeeds in finding a solution. Roughly the probability is near $1 - 1/q$, but bigger in general.
Toy example. We use the finite field $k = GF(2)[x]/(x^2 + x + 1)$ with $2^2$ elements. We denote the elements of the field by the set $\{0, 1, 2, 3\}$ to simplify the notation. Here 0 represents the 0 in $k$, 1 stands for 1, 2 for $x$, and 3 for $1 + x$. In this case, $3^2 = 2$ and $2 \cdot 3 = 1$.
F_1(x_1, x_2, x'_1, x'_2) = 1 + x 1 + x x 1 x x 1x 2 + x 2 2
F_2(x_1, x_2, x'_1, x'_2) = x x x 1 x 2 + x 2 x 2 + x 1x 2 + x 2 1
Let x'_1 = 0, x'_2 = 1: F_1 = 3 x, F_2 = x x 1
This family of cryptosystems is designed specifically for signature schemes, where we only need to find one solution of a given set of equations, not a unique solution.
Once we have this map $F$, we hide it by composing it on the left and on the right with two invertible affine linear maps $L_1$ and $L_2$, in the same way as in the construction of the MI cryptosystem. Since $L_1$ is on $k^o$ and $L_2$ on $k^{o+v}$, this generates a quadratic map $\bar F = L_1 \circ F \circ L_2$ from $k^{o+v}$ to $k^o$ ($\circ$ means composition of two maps). $L_1$ is not necessary due to the randomness of $F$. The public key is $\bar F = F \circ L$.
3 Attack

The balanced Oil and Vinegar scheme is characterized by $o = v$, but it was defeated by Kipnis and Shamir using matrices related to the bilinear forms defined by the quadratic polynomials. For the unbalanced Oil and Vinegar scheme, $v > o$, it was shown (Kipnis, Patarin, Goubin) that a specific attack has a complexity of roughly $q^{v-o-1} o^4$ when $v \geq o$. This means that if $o$ is not too large ($< 100$) and the field size $q$ is fixed, then $v - o$ should be large enough, but also not too large, to ensure the security of the scheme.
3.1 Balanced case, $o = v$

The basic idea: to any quadratic polynomial we can associate a symmetric matrix. Let $f(x_1,\dots,x_n) = \sum a_{ij} x_i x_j + \dots$, $H' = (a_{ij})$, and $H = H' + H'^t$. For a field that is not of characteristic 2, $2 f(x_1,\dots,x_n) = (x_1,\dots,x_n) H (x_1,\dots,x_n)^t$.

Base change. If $f'(x_1,\dots,x_n) = f \circ L(x_1,\dots,x_n)$ with $L(x_1,\dots,x_n) = (x_1,\dots,x_n) T$, then $H' = T H T^t$, where $H$ is the matrix for $f$ and $H'$ the matrix for $f'$.
To simplify the exposition, let us assume that $k$ is a field of odd characteristic; the case of characteristic 2 is essentially the same, but subtle. Let us now assume that an attacker has the public key, namely the set of polynomials $\bar F_i$, $i = 1,\dots,v$, in the $2v$ variables $z_1,\dots,z_{2v}$, and the field structure of $k$. Let $Z = (z_1,\dots,z_{2v})$ be the $2v$-dimensional vector.

For each $\bar F_i$, let us look at its quadratic part, which we denote by $\bar F_i^0$. We know that there exists a unique $2v \times 2v$ symmetric matrix $\bar M_i$ such that $\bar F_i^0(Z) = Z \bar M_i Z^t$, where $Z^t$ is the transpose of $Z$. Similarly, for each secret $F_i$ we denote its quadratic part by $F_i^0$, and we have $F_i^0(Z) = Z M_i Z^t$, where $z_1,\dots,z_v$ are the Oil variables, $z_{v+1},\dots,z_{2v}$ are the Vinegar variables, and $M_i$ as a matrix is in the special form $M_i = \begin{pmatrix} 0 & B_{i1} \\ B_{i1}^t & B_{i2} \end{pmatrix}$, where 0 is the $v \times v$ zero matrix and the $B_{ij}$ are $v \times v$ matrices.
Let $u_1$ and $u_2$ be any two vectors in $O = \{(z_1,\dots,z_v,0,\dots,0)\}$, the Oil space; then $u_1 M_i u_2^t = 0$. Let $V = \{(0,\dots,0,z_{v+1},\dots,z_{2v})\}$ be the Vinegar space.

Let $L(Z) = Z A + a$, where $A$ is a $2v \times 2v$ matrix and $a$ a vector in $k^{2v}$. The matrix relations $\bar F_i^0(Z) = Z \bar M_i Z^t = F_i^0(L(Z)) = Z A M_i A^t Z^t$ imply that $\bar M_i = A M_i A^t$. Therefore $M_i = A^{-1} \bar M_i (A^{-1})^t$. The $\bar M_i$ are all known, so we essentially break the system if we can find a matrix $A^{-1}$ that changes all the $\bar M_i$ into the form of the $M_i$, where the submatrix consisting of the elements of the first $v$ rows and columns is all zero.
Let $U$ be an invertible linear map on $k^{2v}$ such that $U(Z) = Z \begin{pmatrix} U_{11} & 0 \\ U_{21} & U_{22} \end{pmatrix}$. Then we have $F_i^0(U(Z)) = Z U M_i U^t Z^t$, and a direct computation gives $U M_i U^t = \begin{pmatrix} 0 & C_{i1} \\ C_{i1}^t & C_{i2} \end{pmatrix}$. This tells us that there is not just one such $A^{-1}$ (or its constant multiples) that gives what we need to break the system; rather there is a large family of them, and we need only find one of them.

The problem. Given a set of symmetric $2v \times 2v$ matrices $\bar M_i$, $i = 1,\dots,v$, how do we find a matrix $\bar A$ such that all $\bar A \bar M_i \bar A^t$ have a zero $v \times v$ block in the upper left, i.e. are of the form $\begin{pmatrix} 0 & * \\ * & * \end{pmatrix}$? The key property of $U$ is that $O$ is an invariant subspace of $U$. Therefore what we need is a $v$-dimensional subspace such that any two vectors $u_1$ and $u_2$ in it satisfy $u_1 \bar M_i u_2^t = 0$, just as the $O$ space does; as we know, this subspace is the image of $O$ under the action of $A^{-1}$.
Let $\mathcal{M}$ be the linear subspace of matrices spanned by the $\bar M_i$. Because each $\bar M_i$ is randomly chosen, if we randomly choose an element $W_1$ in $\mathcal{M}$, we have roughly a probability $1 - 1/q$ of obtaining a nonsingular matrix. Let us assume that we have chosen two such elements $W_i$, $i = 1, 2$. Let $\hat W = W_2 (W_1)^{-1}$. This is the key operator we will use.

Definition. For the vector space $k^n$, let $H$ be a linear map on it. A linear subspace $S$ is called invariant under $H$ if for any $s \in S$, $H(s) \in S$. If we choose a basis of the form $s_1,\dots,s_m, v_1,\dots,v_l$, where $s_1,\dots,s_m$ is a basis of $S$, then the corresponding matrix of $H$ is of the form $\begin{pmatrix} * & 0 \\ * & * \end{pmatrix}$.
Let $E$ be a $(v+v) \times (v+v)$ matrix such that $E = \begin{pmatrix} 0 & E_{12} \\ E_{21} & E_{22} \end{pmatrix}$, where 0 is the $v \times v$ zero matrix and $E_{22}$ is a $v \times v$ matrix.

Lemma. For any matrices $E_1$ and $E_2$ of the form defined above, acting as linear operators on the row space $k^{v+v}$, we have: a) $E_i$ maps the Oil subspace into the Vinegar subspace, and if the matrix $E_i^{-1}$ exists, it maps the Oil subspace onto the Vinegar subspace; b) if the matrix $E_i^{-1}$ exists, then the image of the Vinegar subspace under $E_i^{-1}$ is exactly the Oil subspace; c) the Oil subspace is invariant under the action of $E_1 E_2^{-1}$.
The randomness assumption tells us that with very good probability a random element of $\mathcal{M}$ is invertible. Let the $\hat W_i$ be elements of the set of operators of the form $\hat W$.

Assume we have a number of such $\hat W_i$, $i = 1,\dots,l < v^2$. Let $\omega$ be the linear space spanned by the $\hat W_i$. It is clear that all elements of $\omega$ share the same $v$-dimensional invariant subspace. From linear algebra, we know that finding such an $A^t$ is equivalent to finding a $v$-dimensional subspace $I_v$ that is invariant under the action of all the $\hat W_i$, which in this case should be unique once we have enough $W_i$. The attack becomes the problem of finding the common invariant subspace of the $\hat W_i$, which can be solved.
There exists a matrix $\bar A$ such that $\bar A \hat W_i \bar A^{-1} = \begin{pmatrix} * & 0 \\ * & * \end{pmatrix}$. Given $W$, the basic way to find the invariant subspace is as $\mathrm{Kernel}(r(W))$, where $r(x)$ is a factor of the characteristic polynomial of $W$; note that $W r(W) = r(W) W$.

An example. W = ( ). $(1, 0)$ is a basis of the kernel of $W - 2I$. An algorithm using the fact that the probability that a randomly chosen polynomial of degree $n$ over a finite field is irreducible is roughly $1/n$.

Let $D = \begin{pmatrix} D_1 & 0 \\ D_3 & D_2 \end{pmatrix}$, where the $D_i$ and 0 are $v \times v$ matrices; then $f(\lambda) = f_1(\lambda) f_2(\lambda)$, where $f$ is the characteristic polynomial of $D$ and $f_1, f_2$ are the characteristic polynomials of $D_1, D_2$. Assume that one of the $f_i$ is irreducible and $f_1 \neq f_2$; then $O = \mathrm{kernel}(f_1(D))$.
The attack steps.
Step 1. For each $\bar F_i$, we find its associated symmetric matrix $\bar M_i$; then we choose randomly any two matrices $W_1$ and $W_2$ which are both nonsingular.
Step 2. We calculate $\hat W = W_2 (W_1)^{-1}$ and compute its characteristic polynomial $C(x)$.
Step 3. We factor $C(x)$ into irreducible components. If one of the factors, which we call $C_1(x)$, is an irreducible polynomial, we move to the next step; otherwise we go back to Step 1.
Step 4. Let $C_2(x) = C(x)/C_1(x)$. Calculate $C_1(\hat W)$ and $C_2(\hat W)$. For each of these two matrices, we find a basis of the kernel of the linear operator acting by right multiplication on row vectors. Then we build a basis of the whole space $k^{2v}$ in which the first $v$ vectors are the basis of one of the two kernels.
Step 5. We then apply a change of basis using either of the two bases derived above, and see which one transforms the polynomials into a set of Oil-Vinegar polynomials.
Step 6. An attacker can then use the same method as the legitimate user to forge a signature that will be accepted as valid.
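As an added, runnable example (not the presenter's code): a toy Oil-Vinegar scheme implementing the construction and signing procedure described earlier (guess the vinegar values, solve the $o \times o$ linear system for the oil values, undo the hiding map $L$), followed by a numeric check of lemma (c) on the public key: $W_2 W_1^{-1}$ built from the symmetric matrices of the public quadratic parts maps the hidden oil space $O A^{-1}$ to itself, which is the structure the balanced-case attack recovers. Assumptions not on the slides: the prime field GF(31) instead of GF(4), o = v = 3 (balanced, so the lemma applies; signing is unchanged for v > o), row vectors with $L(z) = zA + a$, and $L_1$ omitted as the slides allow.

```python
import random
Q = 31          # prime field GF(31) (assumption; the slides' toy example uses GF(4))
O, V = 3, 3     # o oil variables first, then v vinegar variables (balanced, so the lemma applies)
N = O + V

def tr(M):
    return [list(col) for col in zip(*M)]

def mul(A, B):
    return [[sum(x * y for x, y in zip(row, col)) % Q for col in zip(*B)] for row in A]

def solve(M, b):
    """Solve M x = b over GF(Q) by Gauss-Jordan elimination; None if M is singular."""
    n = len(M)
    aug = [[x % Q for x in row] + [bi % Q] for row, bi in zip(M, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, Q)
        aug[c] = [(x * inv) % Q for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % Q for x, y in zip(aug[r], aug[c])]
    return [row[n] for row in aug]

def row_solve(c, M):
    return solve(tr(M), c)   # z with z*M = c (the slides use row vectors, L(Z) = Z*A + a)

def evaluate(poly, x):
    """poly = (Qm, lin, e) encodes the quadratic polynomial x*Qm*x^t + x.lin + e."""
    Qm, lin, e = poly
    quad = sum(x[i] * Qm[i][j] * x[j] for i in range(N) for j in range(N))
    return (quad + sum(xi * li for xi, li in zip(x, lin)) + e) % Q

def random_ov_polynomial(rng):
    """Oil-Vinegar polynomial: no oil*oil quadratic term, i.e. Qm[i][j] = 0 for i, j < O."""
    Qm = [[0 if i < O and j < O else rng.randrange(Q) for j in range(N)] for i in range(N)]
    return Qm, [rng.randrange(Q) for _ in range(N)], rng.randrange(Q)

def compose_affine(poly, A, a):
    """z -> poly(z*A + a): quadratic part A*Qm*A^t, linear part A*((Qm + Qm^t)*a^t + lin^t), constant poly(a)."""
    Qm, lin, e = poly
    sym = [[(Qm[i][j] + Qm[j][i]) % Q for j in range(N)] for i in range(N)]
    shift = [(sum(s * aj for s, aj in zip(row, a)) + l) % Q for row, l in zip(sym, lin)]
    lin2 = [sum(x * s for x, s in zip(row, shift)) % Q for row in A]
    return mul(mul(A, Qm), tr(A)), lin2, evaluate(poly, a)

def keygen(rng):
    """Secret: central OV map F and hiding map L(z) = z*A + a.  Public: F o L."""
    central = [random_ov_polynomial(rng) for _ in range(O)]
    while True:
        A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        if solve(A, [0] * N) is not None:       # keep only invertible A
            break
    a = [rng.randrange(Q) for _ in range(N)]
    return (central, A, a), [compose_affine(p, A, a) for p in central]

def sign(secret, digest, rng):
    """Guess the vinegar values, solve the resulting o x o linear system for the oil
    values (retry if it is singular, probability about 1/q), then undo L."""
    central, A, a = secret
    while True:
        vin = [rng.randrange(Q) for _ in range(V)]
        rows, rhs = [], []
        for poly, y in zip(central, digest):
            Qm, lin, _ = poly   # coefficient of oil variable x_i once the vinegar values are fixed:
            rows.append([(lin[i] + sum((Qm[i][O + j] + Qm[O + j][i]) * vin[j]
                                        for j in range(V))) % Q for i in range(O)])
            rhs.append((y - evaluate(poly, [0] * O + vin)) % Q)
        oil = solve(rows, rhs)
        if oil is not None:
            break
    return row_solve([(xi - ai) % Q for xi, ai in zip(oil + vin, a)], A)   # z with z*A + a = x

def verify(public, z, digest):
    return all(evaluate(p, z) == y % Q for p, y in zip(public, digest))   # accept iff P(z) = digest

def oil_space_invariant(secret, public, rng):
    """Lemma (c) of the slides seen through the public key: with M'_i the symmetric matrices of
    the public quadratic parts, W = M'_2 * M'_1^{-1} maps the hidden oil space O*A^{-1} to itself.
    Checks that (u*A^{-1}*W)*A has zero vinegar coordinates for a random oil vector u."""
    _, A, _ = secret
    M = [[[(p[0][i][j] + p[0][j][i]) % Q for j in range(N)] for i in range(N)] for p in public]
    W1 = next(m for m in M if solve(m, [0] * N) is not None)    # an invertible element, w.h.p. the first
    W2 = M[-1] if W1 is not M[-1] else M[0]
    u = [rng.randrange(Q) for _ in range(O)] + [0] * V             # random oil vector in x-coordinates
    t = mul([row_solve(u, A)], W2)[0]                               # (u*A^{-1}) * W2
    w = row_solve(t, W1)                                            # (u*A^{-1}) * W2 * W1^{-1}
    return all(c == 0 for c in mul([w], A)[0][O:])                  # back to x-coordinates: oil only

def demo(seed=2006, digest=(5, 17, 30)):
    """Key generation, signing and verification on a constructed 3-element digest."""
    rng = random.Random(seed)
    secret, public = keygen(rng)
    sig = sign(secret, list(digest), rng)
    return secret, public, sig, verify(public, sig, list(digest)), oil_space_invariant(secret, public, rng)
```

Setting V larger than O turns the same code into the unbalanced scheme; the invariance check then no longer applies, because lemma (b) needs the oil and vinegar spaces to have equal dimension.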
3.2 Unbalanced case

The attack idea is very similar, but more subtle, with a more probabilistic argument. The complexity relies on $q^{v-o}$, which is probabilistic.

When $v$ is too large (on the order of $o^2$), the scheme is not secure, for the reason that the real $O$ space is actually much bigger. Other related results: Wolf et al., Groebner basis analysis and linear approximation.

The document to be signed is a vector in $k^o$ and the signature is a vector in $k^{o+v}$. This means that the signature is at least twice the size of the document, and with a large $v + o$ the system becomes less efficient. The next step?
4 Generalizations

HFEv, Rainbow, TTS, TRMS.

Thanks and questions.
More informationMATH 112 QUADRATIC AND BILINEAR FORMS NOVEMBER 24, Bilinear forms
MATH 112 QUADRATIC AND BILINEAR FORMS NOVEMBER 24,2015 M. J. HOPKINS 1.1. Bilinear forms and matrices. 1. Bilinear forms Definition 1.1. Suppose that F is a field and V is a vector space over F. bilinear
More informationVector Spaces and SubSpaces
Vector Spaces and SubSpaces Linear Algebra MATH 2076 Linear Algebra Vector Spaces & SubSpaces Chapter 4, Section 1b 1 / 10 What is a Vector Space? A vector space is a bunch of objects that we call vectors
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationLinear Algebra. Min Yan
Linear Algebra Min Yan January 2, 2018 2 Contents 1 Vector Space 7 1.1 Definition................................. 7 1.1.1 Axioms of Vector Space..................... 7 1.1.2 Consequence of Axiom......................
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationDifferential Algorithms for the Isomorphism of Polynomials Problem
Differential Algorithms for the Isomorphism of Polynomials Problem Abstract. In this paper, we investigate the difficulty of the Isomorphism of Polynomials (IP) Problem as well as one of its variant IP1S.
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationExamples 2: Composite Functions, Piecewise Functions, Partial Fractions
Examples 2: Composite Functions, Piecewise Functions, Partial Fractions September 26, 206 The following are a set of examples to designed to complement a first-year calculus course. objectives are listed
More informationChapter 2 Classical Cryptosystems
Chapter 2 Classical Cryptosystems Note We will use the convention that plaintext will be lowercase and ciphertext will be in all capitals. 2.1 Shift Ciphers The idea of the Caesar cipher: To encrypt, shift
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationNew algebraic decoding method for the (41, 21,9) quadratic residue code
New algebraic decoding method for the (41, 21,9) quadratic residue code Mohammed M. Al-Ashker a, Ramez Al.Shorbassi b a Department of Mathematics Islamic University of Gaza, Palestine b Ministry of education,
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationEcon Slides from Lecture 8
Econ 205 Sobel Econ 205 - Slides from Lecture 8 Joel Sobel September 1, 2010 Computational Facts 1. det AB = det BA = det A det B 2. If D is a diagonal matrix, then det D is equal to the product of its
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationMAT 1332: CALCULUS FOR LIFE SCIENCES. Contents. 1. Review: Linear Algebra II Vectors and matrices Definition. 1.2.
MAT 1332: CALCULUS FOR LIFE SCIENCES JING LI Contents 1 Review: Linear Algebra II Vectors and matrices 1 11 Definition 1 12 Operations 1 2 Linear Algebra III Inverses and Determinants 1 21 Inverse Matrices
More informationA New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code
A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred
More information