Jintai Ding

DOI: https://doi.org/10.1007/978-3-540-24632-9_22

2004-01-01

Abstract:Though the multivariable cryptosystems first suggested by Matsumoto and Imai was defeated by the linearization method of Patarin due to the special properties of the Matsumoto-Imai (MI) cryptosystem, many variants and extensions of the MI system were suggested mainly by Patarin and his collaborators. In this paper, we propose a new variant of the MI system, which was inspired by the idea of "perturbation". This method uses a set of r (a small number) linearly independent linear functions z(i) = Sigma(j)(n) = alpha(ij)x(j) + beta(i), i=1,..,r, over the variables x(i), which are variables of the MI system. The perturbation is performed by adding random quadratic function of z(i) to the MI systems. The difference between our idea and a very similar idea of the Hidden Field Equation and Oil-Vinegar system is that our perturbation is internal, where we do not introduce any new variables, while the Hidden Field Equation and Oil-Vinegar system is an "external" perturbation of the HFE system, where a few extra (external) new variables are introduced to perform the perturbation. A practical implementation example of 136 bits, its security analysis and efficiency analysis axe presented. The attack complexity of this perturbed Matsumoto-Imai cryptosystem is estimated.

Jintai Ding,Albrecht Petzoldt,Dieter S. Schmidt

DOI: https://doi.org/10.1007/978-1-0716-0987-3_3

2020-01-01

Abstract:This chapter describes the Matsumoto-Imai cryptosystem, which is one of the oldest multivariate public key cryptosystems. After introducing the plain scheme, we discuss its cryptanalysis by the linearization equations attack of Patarin. We then consider variants of the basic scheme which are immune against this attack. In the area of encryption schemes, these are the PMI and PMI+ schemes, which are obtained by a concept named internal perturbation and the plus modifier. In the area of signature schemes based on MI, we present the MI-Minus or SFlash scheme and its extension PFlash.

Jintai Ding,Lei Hu,Xuyun Nie,Jianyu Li,John Wagner

DOI: https://doi.org/10.1007/978-3-540-71677-8_16

2007-01-01

Abstract:In the CT-track of the 2006 RSA conference, a new multivariate public key cryptosystem, which is called the Medium Field Equation (MFE) multivariate public key cryptosystem, is proposed by Wang, Yang, Hu and Lai. We use the second order linearization equation attack method by Patarin to break MFE. Given a ciphertext, we can derive the plaintext within 2(23) F(2)16-multiplications, after performing once for any given public key a computation of complexity less than 2(52). We also propose a high order linearization equation (HOLE) attack on multivariate public key cryptosystems, which is a further generalization of the (first and second order) linearization equation (LE). This method can be used to attack extensions of the current MFE.

A. A. Chilikov

DOI: https://doi.org/10.24108/mathm.0122.0000262

2022-09-24

Mathematics and Mathematical Modeling

Abstract:A problem of great importance that arises in designing and implementation of a cryptosystem is countering side channel attacks. Often an appropriate mathematical algorithm, implemented on a specific physical device to work in the physical environment, becomes vulnerable to such attacks. The “function sharing” technique is a prospective and efficient way to avoid this problem. In the paper we investigate “non-complete sharing” of Boolean functions and mappings, and functions and mappings over finite fields and provide a complete description of the set of functions with n variables, which have sharing. The main findings are the following: introducing and investigating a new concept of “weak” non-complete n -sharing, establishing its connection with “weak” and “classical” n- sharing, and substantiating its advantages from the algebraic point-of-view as well as establishing and proving a criterion for the existence of weak non-complete n -sharing for an arbitrary function. The results also include an explicit description of a set of functions which have weak sharing in terms of algebraic normal form, obtaining the precise and simple descriptions for the boundary (“border”) cases: n = 2, n=m and binary fields. Applying these results to the AES S-box allows complete solving the problem, i.e. a complete answer to the question of a representability of the S-box of the AES cipher as a sharing is available. We believe that the same way can be successful for other cryptographic algorithms.

Weiwei Cao,Xiuyun Nie,Lei Hu,Xiling Tang,Jintai Ding

DOI: https://doi.org/10.1007/978-3-642-12929-2_4

2010-01-01

Abstract:MFE, a multivariate public key encryption scheme proposed by Wang et al in CT-RSA 2006, was conquered by second order linearization equation (SOLE) attack by Ding et al in PKC 2007. To resist this attack, many improved schemes were proposed. Wang et al in [WFW09 and Wang in [Wan07] both modified MFE and raised the public key from quadratic to quartic equations. We call the two quartic schemes Quartic-1 and Quartic-2 respectively for convenience. They are indeed immune to the SOLE attack. However, we find that there exist many quadratization equations (QEs), which are quadratic in plaintext variables and linear in ciphertext variables and can be derived from the public keys of Quartic-1 and Quartic-2. In this paper, we utilize QEs to recover the corresponding plaintext for a given ciphertext. For Quartic-1, we firstly find there are at least 2r SOLEs, which was regarded as impossible by the original authors, furthermore, we can find at least 35r QEs with a complexity $\mathcal {O}((90r^2(15r+1)+180r^2+15r(15r+1)/2+27r+1)^w)$, where r is a small number denoting the degree of extension of finite fields and w≈2.732. The computational complexity of deriving these equations is about 237. But to find the original plaintext, there still needs 240 times Gröbner basis computations, which needs practically 1.328 seconds each time. For Quartic-2, we make a theoretical analysis and find 18r QEs with a computational complexity $\mathcal {O}((15r+1)6r(12r+1)+180r^2+27r+1)^w$. The complexity is 236 for the parameter proposed in [Wan07], and we can break the scheme practically in 3110.734 seconds. Finally, we show that another improved version of MFE in [WZY07] is insecure against the linearization equation attack although its authors claimed it is secure against high order linearization equation attack. Our attack on the two quartic schemes illustrates that non-linearization equations like quadratization equations which are not degree one in plaintext variables can also be used efficiently to analyze multivariate cryptosystems.

Jintai Ding,John Wagner

DOI: https://doi.org/10.1007/978-3-540-88403-3_9

2008-01-01

Abstract:In 1989, Tsujii, Fujioka, and Hirayama proposed a family of multivariate public key cryptosystems, where the public key is given as a set of multivariate rational functions of degree 4. These cryptosystems are constructed via composition of two quadratic rational maps. In this paper, we present the cryptanalysis of this family of cryptosystems. The key point of our attack is to transform a problem of decomposition of two rational maps into a problem of decomposition of two polynomial maps. We develop a new improved 2R decomposition method and other new techniques, which allows us to find an equivalent decomposition of the rational maps to break the system completely. For the example suggested for practical applications, it is very fast to derive an equivalent private key, and it requires only a few seconds on a standard PC.

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

Chengdong Tao,Hong Xiang,Albrecht Petzoldt,Jintai Ding

DOI: https://doi.org/10.1016/j.ffa.2015.06.001

IF: 1.655

2015-01-01

Finite Fields and Their Applications

Abstract:Multivariate cryptography is one of the main candidates to guarantee the security of communication in the presence of quantum computers. While there exist a large number of secure and efficient multivariate signature schemes, the number of practical multivariate encryption schemes is somewhat limited. In this paper we present our results on creating a new multivariate encryption scheme, which is an extension of the original Simple Matrix encryption scheme of PQCrypto 2013. Our scheme allows fast en- and decryption and resists all known attacks against multivariate cryptosystems. Furthermore, we present a new idea to solve the decryption failure problem of the original Simple Matrix encryption scheme. (C) 2015 Elsevier Inc. All rights reserved.

Jintai Ding,Jason E. Gower

DOI: https://doi.org/10.1007/11745853_19

2006-01-01

Abstract:We demonstrate how to prevent differential attacks on multivariate public key cryptosystems using the Plus (+) method of external perturbation. In particular, we prescribe adding as few as 10 Plus polynomials to the Perturbed Matsumoto-Imai (PMI) cryptosystem when g=1 and r=6, where θ is the Matsumoto-Imai exponent, n is the message length, g=gcd(θ,n), and r is the internal perturbation dimension; or as few as g+10 when g ≠ 1. The external perturbation does not significantly decrease the efficiency of the system, and in fact has the additional benefit of resolving the problem of finding the true plaintext among several preimages of a given ciphertext. We call this new scheme the Perturbed Matsumoto-Imai-Plus (PMI+) cryptosystem.

Jintai Ding,Bo-Yin Yang

DOI: https://doi.org/10.1007/978-3-540-88702-7_6

2009-01-01

Abstract:A multivariate public key cryptosystem (MPKCs for short) have a set of (usually) quadratic polynomials over a finite field as its public map. Its main security assumption is backed by the NP-hardness of the problem to solve nonlinear equations over a finite field. This family is considered as one of the major families of PKCs that could resist potentially even the powerful quantum computers of the future. There has been fast and intensive development in Multivariate Public Key Cryptography in the last two decades. Some constructions are not as secure as was claimed initially, but others are still viable. The paper gives an overview of multivariate public key cryptography and discusses the current status of the research in this area.

Jiang Xin,Hu Lei,Ding Jintai

DOI: https://doi.org/10.1109/ICASID.2009.5276944

2009-01-01

Abstract:The multivariate public key cryptosystems (MPKCs) have a bigger scale of private key and public key than conventional number theoretic based public key cryptosystems like RSA, DH, and ECDH. In this paper, we present a method to construct the linear transformations in a private key of MPKC by generalized central symmetric matrices over a finite field of odd characteristic. This method reduces 3/8 of the scale of private key and improves the computation of inverting the linear transformations in decryption or signature generation to 3/4. It also speedups the generation of public and private keys of MPKC. The method can be recursively applied for achieving a further advantage.

Jintai Ding,Dieter Schmidt

DOI: https://doi.org/10.1007/978-3-0348-7865-4_6

2004-01-01

Abstract: We show that the new TTM implementation schemes have a defect. There exist linearization equations å</font >i = 1,j = 1n,m aijxiyj(x1, ¼</font >,xn) + å</font >i = 1n bixi + å</font >j = 1m cjyj(x1, ¼</font >,xn) + d = 0,\sum\limits_{i = 1,j = 1}^{n,m} {{a_{ij}}{x_i}{y_j}({x_1}, \ldots ,{x_n}) + \sum\limits_{i = 1}^n {{b_i}{x_i} + \sum\limits_{j = 1}^m {{c_j}{y_j}({x_1}, \ldots ,{x_n}) + d = 0,} } } which are satisfied by the components y3 (x1 … xn) of the ciphers of the TTM schemes. The inventor of TTM used two versions of the paper [2] to refute a claim in [3]. When we do a linear substitution with the linear equations derived from the linearization equations for a given ciphertext,we can find the plaintext by an iteration of the procedure of first search for linear equations by linear combinations and then linear substitution. The computational complexity of the attack on these two schemes is less than 235 over a finite field of size 28.

Matthias Johann Steiner

DOI: https://doi.org/10.46586/tosc.v2024.i1.357-411

2024-03-04

Abstract:For Arithmetization-Oriented ciphers and hash functions Gröbner basis attacks are generally considered as the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata \& Gorla revealed that under a certain genericity condition on a polynomial system the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and henceforth by the Macaulay bound, which only takes the degrees and number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.

Cryptography and Security,Commutative Algebra

Xuyun Nie,Lei Hu,Jintai Ding,Jianyu Li,John Wagner

DOI: https://doi.org/10.1007/978-3-540-72738-5_7

2007-01-01

Abstract:In 2006, the inventors of TRMC public key cryptosystem proposed a new variant of TRMC, TRMC-4, which can resist the existing attack, in particular, the Joux et al attack. In this paper, we show that the new version is vulnerable to attack via the linearization equations (LE) method. For any given valid ciphertext and its corresponding TRMC-4 public key, we can derive the corresponding plaintext within 224$\mathbb{F}_{2^8}$-operations, after performing once for the public key a computation of complexity less than 234. Our results are confirmed by computer experiments.

Gennady Khalimov,Yevgen Kotukh,Maksym Kolisnyk,Svitlana Khalimova,Oleksandr Sievierinov

2024-05-25

Abstract:The paper explores a novel cryptosystem for digital signatures based on linear equa-tions for logarithmic signatures. A logarithmic signature serves as a fundamental cryptographic primitive, characterized by properties such as nonlinearity, non-commutability, unidirectionality, and key-dependent factorability. The proposed cryptosystem ensures the secrecy of logarithmic signatures through its foundation in linear equations. Quantum security is achieved by eliminating any possible mapping between the input and output of the logarithmic signature, thereby rendering Grover's quantum attack ineffective. The public key sizes for the NIST security levels of 128, 192, and 256 bits are 1, 1.5, and 2 KB, respectively. The algorithm demonstrates scalability concerning computational costs, memory usage, and hardware limitations without compromising security. Its primary operation involves bitwise XOR over logarithmic arrays of 8, 16, 32, and 64 bits.

Cryptography and Security,Information Theory,Group Theory

Xuyun Nie,Xin Jiang,Lei Hu,Jintai Ding

2007-01-01

Abstract:In 2006, Nie et al proposed an attack to break an instance of TTM cryptosystems. However, the inventor of TTM disputed this attack and he proposed two new instances of TTM to support his viewpoint. At this time, he did not give the detail of key construction — the construction of the lock polynomials in these instances which would be used in decryption. The two instances are claimed to achieve a security of 2 against Nie et al attack. In this paper, we show that these instances are both still insecure, and in fact, they do not achieve a better design in the sense that we can find a ciphertext-only attack utilizing the First Order Linearization Equations while for the previous version of TTM, only Second Order Linearization Equations can be used in the beginning stage of the previous attack. Different from previous attacks, we use an iterated linearization method to break these two instances. For any given valid ciphertext, we can find its corresponding plaintext within 2 F28 computations after performing once for any public key a computation of complexity less than 2. Our experiment result shows we have unlocked the lock polynomials after several iterations, though we do not know the detailed construction of lock polynomials. Keyword: multivariate public key cryptosystem, TTM, algebraic attack, linearization equation, triangular cryptosystem.

Jingguo Bi,Mingjie Liu,Xiaoyun Wang

DOI: https://doi.org/10.1109/ISIT.2012.6283832

2012-01-01

Abstract:At ISIT 2008, Aguilar Melchor, Castagnos and Gaborit presented a lattice-based homomorphic encryption scheme (abbreviated as MCG). Its security is based on the Computational Knapsack Vector Problem. In this paper, we explore a secret linear relationship between the public keys and the secret keys, which can be used to construct a reduced-dimension lattice, and then we obtain a group of equivalent private keys by solving the Closest Vector Problem of the lattice. Moreover, our attack is practical on all the three settings of recommended parameters, and the running time to recover the equivalent private keys is only several hours on a single PC.

J. Ding,J. E. Gower,D. Schmidt,C. Wolf,Z. Yin

DOI: https://doi.org/10.1007/11586821_18

2005-01-01

Abstract:Though the Perturbed Matsumoto-Imai (PMI) cryptosystem is considered insecure due to the recent differential attack of Fouque, Granboulan, and Stern, even more recently Ding and Gower showed that PMI can be repaired with the Plus (+) method of externally adding as few as 10 randomly chosen quadratic polynomials. Since relatively few extra polynomials are added, the attack complexity of a Gröbner basis attack on PMI+ will be roughly equal to that of PMI. Using Magma's implementation of the F4 Gröbner basis algorithm, we attack PMI with parameters q = 2, 0 ≤ r ≤ 10, and 14 ≤ n ≤ 59. Here, q is the number of field elements, n the number of equations/variables, and r the perturbation dimension. Based on our experimental results, we give estimates for the running time for such an attack. We use these estimates to judge the security of some proposed schemes, and we suggest more efficient schemes. In particular, we estimate that an attack using F4 against the parameters q = 2, r = 5, n = 96 (suggested in [7]) has a time complexity of less than 250 3-DES computations, which would be considered insecure for practical applications.

Albrecht Petzoldt,Jintai Ding,Lih-chung Wang

2016-01-01

Abstract:The SimpleMatrix encryption scheme as proposed by Tao et al. [16] is one of the very few existing approaches to create a secure and efficient encryption scheme on the basis of multivariate polynomials. However, in its basic version, decryption failures occur with non-negligible probability. Although this problem has been addressed in several papers [5,17], a general solution to it is still missing. In this paper we propose an improved version of the SimpleMatrix scheme, which eliminates decryption failures completely and therefore solves the biggest problem of the SimpleMatrix encryption scheme. Additionally, we propose a second version of the scheme, which reduces the blow-up factor between plain and ciphertext size to a value arbitrary close to 1.

Jíntai Ding,Zheng Zhang,Joshua D. Deaton,Lih-Chung Wang

DOI: https://doi.org/10.1007/978-3-030-61078-4_24

2020-01-01

Abstract:In 2017 Kyung-Ah Shim et al. proposed a multivariate signature scheme called Himq-3 which is a submission to National Institute of Standards and Technology (NIST) standardization process of post-quantum cryptosystems. The Himq-3 signature scheme can be classified into the oil vinegar signature scheme family. Similar to the rainbow signature scheme, the Himq-3 signature scheme uses a multilayer structure to shorten the signature size. Moreover the signing process is very fast due to a special system called L-inveritble cycle system that is used to invert the central map. In this paper, we provide a complete cryptanalysis to the Himq-3 signature scheme. We describe a new attack method called the singularity attack. This attack is based on the observation that the variables in the L-invertible cycle system are not allowed to be zero in a valid signature. For the completeness, we show step by step how variables and layers can be separated so that signature forgery can be performed. We claim that the complexity of our attack is much lower than the proposed security level.