Enrico Thomae
Ruhr University Bochum
Publication
Featured research published by Enrico Thomae.
international conference on the theory and application of cryptology and information security | 2011
Alexander May; Alexander Meurer; Enrico Thomae
Decoding random linear codes is a fundamental problem in complexity theory and lies at the heart of almost all code-based cryptography. The best attacks on the most prominent code-based cryptosystems such as McEliece directly use decoding algorithms for linear codes. The asymptotically best decoding algorithm for random linear codes of length \(n\) was for a long time Stern's variant of information-set decoding running in time \(\tilde{\mathcal{O}}\left(2^{0.05563n}\right)\). Recently, Bernstein, Lange and Peters proposed a new technique called Ball-collision decoding which offers a speed-up over Stern's algorithm by improving the running time to \(\tilde{\mathcal{O}}\left(2^{0.05558n}\right)\). In this paper, we present a new algorithm for decoding linear codes that is inspired by a representation technique due to Howgrave-Graham and Joux in the context of subset sum algorithms. Our decoding algorithm offers a rigorous complexity analysis for random linear codes and brings the time complexity down to \(\tilde{\mathcal{O}}\left(2^{0.05363n}\right)\).
international conference on cryptology in africa | 2012
Enrico Thomae; Christopher Wolf
cryptographic hardware and embedded systems | 2011
Albrecht Petzoldt; Enrico Thomae; Stanislav Bulygin; Christopher Wolf
public key cryptography | 2015
Jean-Charles Faugère; Danilo Gligoroski; Ludovic Perret; Simona Samardjiska; Enrico Thomae
PQCrypto'11 Proceedings of the 4th international conference on Post-Quantum Cryptography | 2011
Enrico Thomae; Christopher Wolf
public key cryptography | 2012
Enrico Thomae; Christopher Wolf
IACR Cryptology ePrint Archive | 2012
Enrico Thomae
We show that the two multivariate signature schemes Enhanced STS, proposed at PQCrypto 2010, and Enhanced TTS, proposed at ACISP 2005, are vulnerable due to systematically missing cross-terms. To this aim, we generalize equivalent keys to so-called good keys for an improved algebraic key recovery attack. In particular, we demonstrate that it is impossible to choose both secure and efficient parameters for Enhanced STS and break all current parameters of both schemes. Since 2010, many variants of Enhanced STS, such as Check Equations or Hidden Pair of Bijections were proposed. We break all these variants and show that making STS secure will either lead to a variant known as the Oil, Vinegar and Salt signature scheme or, if we also require the signing algorithm to be efficient, to the well-known Rainbow signature scheme. We show that our attack is more efficient than any previously known attack.
security and cryptography for networks | 2012
Enrico Thomae
Security of public key schemes in a post-quantum world is a challenging task—as both RSA and ECC will be broken then. In this paper, we show how post-quantum signature systems based on \(\mathcal{M}\)ultivariate \(\mathcal{Q}\)uadratic (\(\mathcal{MQ}\)) polynomials can be improved up by about 9/10, and 3/5, respectively, in terms of public key size and verification time. The exact figures are 88% and 59%. This is particularly important for small-scale devices with restricted energy, memory, or computational power. In addition, we provide evidence that this reduction does not affect security and that it is also optimal in terms of possible attacks. We do so by combining the previously unrelated concepts of reduced and equivalent keys. Our new scheme is based on the so-called Unbalanced Oil and Vinegar class of \(\mathcal{MQ}\)-schemes. We have derived our results mathematically and verified the speed-ups through a C++ implementation.
IACR Cryptology ePrint Archive | 2010
Enrico Thomae; Christopher Wolf
We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial time key-recovery attack that finds an equivalent key using the idea of so-called good keys. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial-time assuming some mild algebraic assumptions. We highlight that our theoretical results work in characteristic \(2\) which is known to be the most difficult case to address in theory for MinRank attacks and also without any restriction on the number of polynomials removed from the public-key. This was not the case for previous MinRank-like attacks against \(\mathcal{MQ}\) schemes. From a practical point of view, we are able to break an MQQ-SIG instance of \(80\) bits security in less than \(2\) days, and one of the more conservative MQQ-ENC instances of \(128\) bits security in a little bit over \(9\) days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure.