Bo-Yin Yang
Academia Sinica
Publication
Featured research published by Bo-Yin Yang.
australasian conference on information security and privacy | 2005
Bo-Yin Yang; Jiun-Ming Chen
Multivariate public-key cryptosystems (sometimes called polynomial-based PKCs or just multivariates) handle polynomials in many variables over relatively small fields instead of elements of a large ring or group. The “tame-like” or “sparse” class of multivariates is distinguished by the relatively few terms each central equation has. We explain how they differ from the “big-field” type of multivariates, represented by derivatives of C∗ and HFE, how they are better, and give basic security criteria for them. The last criterion is shown to be satisfied by efficient schemes called “Enhanced TTS”, which are built on a combination of the Oil-and-Vinegar and Triangular ideas. Their security levels are estimated. In the process we summarize and, in some cases, improve rank-based attacks, which seek linear combinations of certain matrices having a given rank. These attacks are responsible for breaking many prior multivariate designs.
acm/ieee international conference on mobile computing and networking | 2008
Chia-Hsin Owen Chen; Chung-Wei Chen; Cynthia Kuo; Yan-Hao Lai; Jonathan M. McCune; Ahren Studer; Adrian Perrig; Bo-Yin Yang; Tzong-Chen Wu
Establishing secure communication among a group of physically collocated people is a challenge. This problem can be reduced to establishing authentic public keys among all the participants - these public keys then serve to establish a shared secret symmetric key for encryption and authentication of messages. Unfortunately, in most real-world settings, public key infrastructures (PKI) are uncommon and distributing a secret in a public space is difficult. Thus, it is a challenge to exchange authentic public keys in a scalable, secure, and easy to use fashion. In this paper, we propose GAnGS, a protocol for the secure exchange of authenticated information among a group of people. In contrast to prior work, GAnGS resists Group-in-the-Middle and Sybil attacks by malicious insiders, as well as infiltration attacks by malicious bystanders. GAnGS is designed to be robust to user errors, such as miscounting the number of participants or incorrectly comparing checksums. We have implemented and evaluated GAnGS on Nokia N70 phones. The GAnGS system is viable and achieves a good balance between scalability, security, and ease of use.
international conference on information and communication security | 2004
Bo-Yin Yang; Jiun-Ming Chen; Nicolas T. Courtois
“Algebraic cryptanalysis” of a cryptosystem often comprises finding enough relations that hold generally or with some probability, then solving the resulting system. The security of many schemes (the most important being AES) thus depends on the difficulty of solving systems of multivariate polynomial equations. Generically, this problem is NP-hard.
international conference on information security and cryptology | 2004
Bo-Yin Yang; Jiun-Ming Chen
The XL (eXtended Linearization) equation-solving algorithm belongs to the same extended family as the advanced Gröbner-basis methods F4/F5. XL and its relatives may be used as direct attacks against multivariate public-key cryptosystems and as the final stage of many of the “algebraic cryptanalyses” in use today. We analyze the applicability and performance of XL and its relatives, particularly for generic systems of equations over medium-sized finite fields. In examining the extended family of Gröbner-basis and XL methods from theoretical, empirical and practical viewpoints, we add to the general understanding of equation-solving. Moreover, we give rigorous conditions for the successful termination of XL, Gröbner-basis methods and their relatives. Thus we have a better grasp of how such algebraic attacks should be applied. We also compute revised security estimates for multivariate cryptosystems. For example, the schemes SFLASHv2 and HFE Challenge 2 are shown to be unbroken by XL variants.
applied cryptography and network security | 2008
Jintai Ding; Bo-Yin Yang; Chia-Hsin Owen Chen; Ming-Shing Chen; Chen-Mou Cheng
A recently proposed class of multivariate public-key cryptosystems, the Rainbow-like digital signature schemes, in which successive sets of central variables are obtained from previous ones by solving linear equations, seems to lead to efficient schemes (TTS, TRMS, and Rainbow) that perform well on systems with low computational resources. Recently SFLASH (C*-) was broken by Dubois, Fouque, Shamir, and Stern via a differential attack. In this paper, we exhibit similar algebraic and differential attacks that reduce the published Rainbow-like schemes below their claimed security levels. We also discuss how parameters for Rainbow and TTS schemes should be chosen for practical applications.
australasian conference on information security and privacy | 2004
Bo-Yin Yang; Jiun-Ming Chen
XL was first introduced to solve determined or overdetermined systems of equations over a finite field as an “algebraic attack” against multivariate cryptosystems. There has been a steady stream of announcements of cryptanalysis of primitives by such attacks, including stream ciphers (e.g. Toyocrypt), PKCs, and, more controversially, block ciphers (AES/Rijndael and Serpent).
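The XL procedure that the two XL abstracts above (ICISC 2004 and ACISP 2004) refer to, written out as an added example; this is not code from either paper. XL multiplies every equation by all monomials up to a chosen degree D, treats each resulting monomial as an independent unknown ("linearization"), and row-reduces the linear system. The field GF(7), the three-equation, two-variable system with the planted solution (2, 3), and the success test used here (every non-constant monomial becomes a pivot column, so the rows for x and y read off the solution) are assumptions of this toy, constructed for the example.

```python
"""Toy XL (eXtended Linearization) over a small prime field GF(p).

Added example, not code from the papers above. The field, the sample
system and the success criterion are assumptions made for this toy.
"""
from itertools import combinations_with_replacement

P = 7  # GF(7); a toy size, chosen so the matrices can be checked by hand

# A polynomial is a dict {exponent_tuple: coefficient mod P};
# the exponent tuple has one entry per variable.
def poly_mul(a, b, p=P):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(i + j for i, j in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % p
    return {e: c for e, c in out.items() if c}

def monomials(n, max_deg):
    """All exponent tuples of total degree <= max_deg in n variables,
    ordered by degree descending so the constant term is the last column."""
    mons = []
    for d in range(max_deg, -1, -1):
        for combo in combinations_with_replacement(range(n), d):
            e = [0] * n
            for v in combo:
                e[v] += 1
            mons.append(tuple(e))
    return mons

def rref_mod_p(rows, ncols, p=P):
    """Reduced row echelon form over GF(p); returns (rows, pivot_columns)."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        if r == len(rows):
            break
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [(v * inv) % p for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % p for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows[:r], pivots

def xl_step(system, n, D, p=P):
    """One XL round at degree D: multiply every equation by every monomial of
    degree <= D-2, give each monomial of degree <= D its own column, row-reduce.
    Succeeds when every non-constant monomial is a pivot column: the row whose
    pivot is x_i then reads x_i + c = 0."""
    cols = monomials(n, D)
    index = {m: i for i, m in enumerate(cols)}
    rows = []
    for f in system:
        for m in monomials(n, D - 2):
            row = [0] * len(cols)
            for e, c in poly_mul(f, {m: 1}, p).items():
                row[index[e]] = c
            rows.append(row)
    rref, pivots = rref_mod_p(rows, len(cols), p)
    const = len(cols) - 1
    if len(pivots) != const or const in pivots:
        return None                      # rank too low (or inconsistent): raise D
    sol = [None] * n
    for row, c in zip(rref, pivots):
        e = cols[c]
        if sum(e) == 1:                  # a degree-1 monomial x_i
            sol[e.index(1)] = (-row[const]) % p
    return tuple(sol)

def xl_solve(system, n, max_deg=6, p=P):
    """Raise D until XL succeeds; returns (solution, D) or (None, None)."""
    for D in range(2, max_deg + 1):
        sol = xl_step(system, n, D, p)
        if sol is not None:
            return sol, D
    return None, None

def evaluate(f, point, p=P):
    total = 0
    for e, c in f.items():
        term = c
        for xi, ei in zip(point, e):
            term = term * pow(xi, ei, p) % p
        total = (total + term) % p
    return total

# Constructed toy system over GF(7) in (x, y) with the planted solution (2, 3):
#   f1 = x^2 + y,   f2 = xy + x + 6,   f3 = y^2 + 2x + 1
SYSTEM = [
    {(2, 0): 1, (0, 1): 1},
    {(1, 1): 1, (1, 0): 1, (0, 0): 6},
    {(0, 2): 1, (1, 0): 2, (0, 0): 1},
]

if __name__ == "__main__":
    sol, D = xl_solve(SYSTEM, n=2)
    print("solution", sol, "found at XL degree D =", D)
    print("residuals:", [evaluate(f, sol) for f in SYSTEM])
```

Plain linearization (D = 2) gives only 3 equations for the 5 non-constant monomials and fails; at D = 3 the 9 products span a rank-9 space over the 10 monomials of degree at most 3, which is exactly the condition under which the solution can be read off, and the solver returns (2, 3). What the security estimates in these abstracts bound is the degree D at which XL first terminates for real parameters, since the number of columns (monomials of degree at most D) and therefore the elimination cost grows rapidly with D.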
Archive | 2009
Jintai Ding; Bo-Yin Yang
A multivariate public key cryptosystem (MPKC for short) has a set of (usually) quadratic polynomials over a finite field as its public map. Its main security assumption is backed by the NP-hardness of the problem of solving nonlinear equations over a finite field. This family is considered one of the major families of PKCs that could potentially resist even the powerful quantum computers of the future. There has been fast and intensive development in multivariate public key cryptography in the last two decades. Some constructions are not as secure as was claimed initially, but others are still viable. The paper gives an overview of multivariate public key cryptography and discusses the current status of research in this area.
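A minimal Oil-and-Vinegar signature, the trapdoor idea named in the 2005 abstract above (Enhanced TTS) and underlying the Rainbow-like schemes, as an added example of what the public map of an MPKC looks like; this is not code from any of the papers listed here and goes beyond what the abstracts state by showing the mechanism. The public key is o quadratic forms in n = v + o variables over GF(p), obtained by composing a central map that has no oil×oil terms with a secret invertible linear change of variables S. The field GF(31), the sizes v = o = 2, the RNG seed and the message are assumptions for this toy; with o = 2 the oil system is solved by the explicit 2×2 inverse formula, where a real implementation uses Gaussian elimination and far larger parameters.

```python
"""Toy Unbalanced Oil-and-Vinegar signature over a small prime field.

Added example, not code from any paper on this page. Assumptions: GF(31),
v = 2 vinegar and o = 2 oil variables (so the oil system is 2x2), a fixed seed.
"""
import random

P = 31          # prime field GF(P); toy size
V, O = 2, 2     # vinegar and oil variable counts; toy sizes
N = V + O

def matmul(A, B, p=P):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % p
             for j in range(len(B[0]))] for i in range(len(A))]

def matvec(A, x, p=P):
    return [sum(A[i][k] * x[k] for k in range(len(x))) % p for i in range(len(A))]

def quad_form(A, x, p=P):
    """x^T A x mod p: one quadratic polynomial given by its coefficient matrix."""
    n = len(x)
    return sum(x[i] * A[i][j] * x[j] for i in range(n) for j in range(n)) % p

def random_invertible(rng, n, steps=24, p=P):
    """Build S and S^-1 together as a product of random row operations
    E = I + c*e_ji (inverse I - c*e_ji), avoiding a matrix-inversion routine."""
    ident = [[int(i == j) for j in range(n)] for i in range(n)]
    S, S_inv = ident, ident
    for _ in range(steps):
        i, j = rng.sample(range(n), 2)
        c = rng.randrange(1, p)
        E = [row[:] for row in ident]
        E_inv = [row[:] for row in ident]
        E[j][i], E_inv[j][i] = c, (-c) % p
        S = matmul(E, S)                  # S    = E_k ... E_1
        S_inv = matmul(S_inv, E_inv)      # S^-1 = E_1^-1 ... E_k^-1
    return S, S_inv

def keygen(rng):
    """Central map F_k(x) = x^T A_k x with NO oil*oil coefficients.
    Public map P = F o S, i.e. the matrices S^T A_k S: the secret S hides
    the oil/vinegar structure, and the public key is just quadratic polynomials."""
    central = [[[rng.randrange(P) if (i < V or j < V) else 0 for j in range(N)]
                for i in range(N)] for _ in range(O)]
    S, S_inv = random_invertible(rng, N)
    S_t = [list(col) for col in zip(*S)]
    public = [matmul(matmul(S_t, A), S) for A in central]
    return {"central": central, "S_inv": S_inv}, public

def sign(secret, msg, rng, max_tries=1000):
    """msg: O field elements (a digest in a real scheme). Fixing the vinegar
    variables makes every F_k LINEAR in the oil variables, because F has no
    oil*oil terms; solve for the oil, then undo S."""
    central, S_inv = secret["central"], secret["S_inv"]
    for _ in range(max_tries):
        vin = [rng.randrange(P) for _ in range(V)]
        L, rhs = [], []
        for k, A in enumerate(central):
            const = sum(vin[i] * A[i][j] * vin[j] for i in range(V) for j in range(V))
            L.append([sum(vin[i] * (A[i][V + j] + A[V + j][i]) for i in range(V)) % P
                      for j in range(O)])
            rhs.append((msg[k] - const) % P)
        det = (L[0][0] * L[1][1] - L[0][1] * L[1][0]) % P   # O == 2 assumed here
        if det == 0:
            continue                                       # singular: new vinegar
        inv = pow(det, -1, P)
        oil = [(L[1][1] * rhs[0] - L[0][1] * rhs[1]) * inv % P,
               (L[0][0] * rhs[1] - L[1][0] * rhs[0]) * inv % P]
        return matvec(S_inv, vin + oil)                    # signature z = S^-1 x
    raise RuntimeError("no invertible oil system found")

def verify(public, msg, sig):
    """Anyone can check: evaluate the O public quadratics at the signature."""
    return all(quad_form(B, sig) == m for B, m in zip(public, msg))

def central_has_no_oil_oil_terms(secret):
    return all(A[i][j] == 0 for A in secret["central"]
               for i in range(V, N) for j in range(V, N))

def demo(seed=2024, msg=(7, 19)):
    """Keygen, sign and return everything; seed and message are constructed."""
    rng = random.Random(seed)
    secret, public = keygen(rng)
    sig = sign(secret, list(msg), rng)
    return secret, public, list(msg), sig

if __name__ == "__main__":
    secret, public, msg, sig = demo()
    print("signature", sig, "verifies:", verify(public, msg, sig))
    print("central map free of oil*oil terms:", central_has_no_oil_oil_terms(secret))
```

Verification uses only the public matrices and is a plain evaluation of quadratic polynomials, which is why such schemes are attractive on low-resource devices; signing is cheap because the trapdoor reduces it to one linear solve. Everything rests on S hiding the zero oil×oil block of the central matrices, and the rank-based and differential attacks mentioned in the abstracts above go after exactly such hidden structure in linear combinations of the public matrices.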
the cryptographers track at the rsa conference | 2006
Lih-Chung Wang; Bo-Yin Yang; Yuh-Hua Hu; Feipei Lai
Electronic commerce fundamentally requires two different public-key cryptographic primitives, for key agreement and authentication. We present the new encryption scheme MFE, and provide a performance and security review. MFE belongs to the $\mathcal{MQ}$ class, an alternative class of PKCs also termed polynomial-based, or multivariate. They depend on multivariate quadratic systems being unsolvable. The classical trapdoors central to PKCs are modular exponentiation for RSA and discrete logarithms for ElGamal/DSA/ECC. But they are relatively slow and will be obsoleted by the arrival of QC (Quantum Computers). The argument for
international cryptology conference | 2015
Albrecht Petzoldt; Ming-Shing Chen; Bo-Yin Yang; Chengdong Tao; Jintai Ding
international workshop on security | 2006
Bo-Yin Yang; Chen-Mou Cheng; Bor-Rong Chen; Jiun-Ming Chen