Adama Diene,Jintai Ding,Jason E. Gower,Timothy J. Hodges,Zhijun Yin

DOI: https://doi.org/10.1007/11779360_20

2006-01-01

Abstract:The Matsumoto-Imai (MI) cryptosystem was the first multivariate public key cryptosystem proposed for practical use. Though MI is now considered insecure due to Patarin's linearization attack, the core idea of MI has been used to construct many variants such as Sflash, which has recently been accepted for use in the New European Schemes for Signatures, Integrity, and Encryption project. Linearization attacks take advantage of the algebraic structure of MI to produce a set of equations that can be used to recover the plaintext from a given ciphertext. In our paper, we present a solution to the problem of finding the dimension of the space of linearization equations, a measure of how much work the attack will require.

Jintai Ding,Jason E. Gower

DOI: https://doi.org/10.1007/11745853_19

2006-01-01

Abstract:We demonstrate how to prevent differential attacks on multivariate public key cryptosystems using the Plus (+) method of external perturbation. In particular, we prescribe adding as few as 10 Plus polynomials to the Perturbed Matsumoto-Imai (PMI) cryptosystem when g=1 and r=6, where θ is the Matsumoto-Imai exponent, n is the message length, g=gcd(θ,n), and r is the internal perturbation dimension; or as few as g+10 when g ≠ 1. The external perturbation does not significantly decrease the efficiency of the system, and in fact has the additional benefit of resolving the problem of finding the true plaintext among several preimages of a given ciphertext. We call this new scheme the Perturbed Matsumoto-Imai-Plus (PMI+) cryptosystem.

Jintai Ding,Albrecht Petzoldt,Dieter S. Schmidt

DOI: https://doi.org/10.1007/978-1-0716-0987-3_3

2020-01-01

Abstract:This chapter describes the Matsumoto-Imai cryptosystem, which is one of the oldest multivariate public key cryptosystems. After introducing the plain scheme, we discuss its cryptanalysis by the linearization equations attack of Patarin. We then consider variants of the basic scheme which are immune against this attack. In the area of encryption schemes, these are the PMI and PMI+ schemes, which are obtained by a concept named internal perturbation and the plus modifier. In the area of signature schemes based on MI, we present the MI-Minus or SFlash scheme and its extension PFlash.

WU Zhi-ping,Jíntai Ding,Jason E. Gower,Dingfeng Ye

DOI: https://doi.org/10.1007/11424826_63

2005-01-01

Abstract:We apply internal perturbation [3] to the matrix-type cryptosystems [C n ] and HM constructed in [9]. Using small instances of these variants, we investigate the existence of linearization equations and degree 2 equations that could be used in a XL attack. Our results indicate that these new variants may be suitable for use in practical implementations. We propose a specific instance for practical implementation, and estimate its performance and security.

J. Ding,J. E. Gower,D. Schmidt,C. Wolf,Z. Yin

DOI: https://doi.org/10.1007/11586821_18

2005-01-01

Abstract:Though the Perturbed Matsumoto-Imai (PMI) cryptosystem is considered insecure due to the recent differential attack of Fouque, Granboulan, and Stern, even more recently Ding and Gower showed that PMI can be repaired with the Plus (+) method of externally adding as few as 10 randomly chosen quadratic polynomials. Since relatively few extra polynomials are added, the attack complexity of a Gröbner basis attack on PMI+ will be roughly equal to that of PMI. Using Magma's implementation of the F4 Gröbner basis algorithm, we attack PMI with parameters q = 2, 0 ≤ r ≤ 10, and 14 ≤ n ≤ 59. Here, q is the number of field elements, n the number of equations/variables, and r the perturbation dimension. Based on our experimental results, we give estimates for the running time for such an attack. We use these estimates to judge the security of some proposed schemes, and we suggest more efficient schemes. In particular, we estimate that an attack using F4 against the parameters q = 2, r = 5, n = 96 (suggested in [7]) has a time complexity of less than 250 3-DES computations, which would be considered insecure for practical applications.

Jintai Ding,Dieter Schmidt

DOI: https://doi.org/10.1007/978-3-540-30580-4_20

2005-01-01

Abstract:Hidden field equation (HFE) multivariable cryptosystems were first suggested by Patarin. Kipnis and Shamir showed that to make the cryptosystem secure, a special parameter D of any HFE cryptosystem can not be too small. Consequently Kipnis, Patarin and Goubin proposed an enhanced variant of the HFE cryptosystem by combining the idea of Oil and Vinegar construction with the HFE construction. Essentially they “perturb” the HFE system with some external variables. In this paper, we will first present a new cryptanalysis method for the HFEv schemes. We then use the idea of internal perturbation to build a new cryptosystem, an internally perturbed HFE cryptosystem (IPHFE).

Yong Wang,Lingyue Li,Ying Zhou,Huili Zhang

DOI: https://doi.org/10.3390/axioms13110741

2024-01-01

Axioms

Abstract:The RSA cryptosystem has been a cornerstone of modern public key infrastructure; however, recent advancements in quantum computing and theoretical mathematics pose significant risks to its security. The advent of fully operational quantum computers could enable the execution of Shor’s algorithm, which efficiently factors large integers and undermines the security of RSA and other cryptographic systems reliant on discrete logarithms. While Grover’s algorithm presents a comparatively lesser threat to symmetric encryption, it still accelerates key search processes, creating potential vulnerabilities. In light of these challenges, there has been an intensified focus on developing quantum-resistant cryptography. Current research is exploring cryptographic techniques based on error-correcting codes, lattice structures, and multivariate public key systems, all of which leverage the complexity of NP-hard problems, such as solving multivariate quadratic equations, to ensure security in a post-quantum landscape. This paper reviews the latest advancements in quantum-resistant encryption methods, with particular attention to the development of robust trapdoor functions. It also provides a detailed analysis of prominent multivariate cryptosystems, including the Matsumoto–Imai, Oil and Vinegar, and Polly Cracker schemes, alongside recent progress in lattice-based systems such as Kyber and Crystals-DILITHIUM, which are currently under evaluation by NIST for potential standardization. As the capabilities of quantum computing continue to expand, the need for innovative cryptographic solutions to secure digital communications becomes increasingly critical.

NIE Xu-yun,LIU Bo,LU Gang,ZHONG Ting

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015182

2015-01-01

Abstract:The novel extended multivariate public key cryptosystem is a new security enhancement method on multivariate public key cryptosystems,which is proposed by Qiao,et al.A nonlinear invertible transformation was used,named“tame transformation”,on the original multivariate public key cryptosystem to hide its weakness such as linearization equation.However,it is found that if there are many linearization equations satisfied by the original MPKC,there would be many quadratization equations (QE) satisfied by the improved scheme.Given a public key,after finding all QE,a valid cipheretext can be substituted into the QE to derive a set of quadratic equations on the plaintext variable.This exactly reduce the degree of the system wanted to solve.Then the corresponding plaintext can be recovered for a given valid ciphertext combining with Groebner basis method.

Jintai Ding,John Wagner

DOI: https://doi.org/10.1007/978-3-540-88403-3_9

2008-01-01

Abstract:In 1989, Tsujii, Fujioka, and Hirayama proposed a family of multivariate public key cryptosystems, where the public key is given as a set of multivariate rational functions of degree 4. These cryptosystems are constructed via composition of two quadratic rational maps. In this paper, we present the cryptanalysis of this family of cryptosystems. The key point of our attack is to transform a problem of decomposition of two rational maps into a problem of decomposition of two polynomial maps. We develop a new improved 2R decomposition method and other new techniques, which allows us to find an equivalent decomposition of the rational maps to break the system completely. For the example suggested for practical applications, it is very fast to derive an equivalent private key, and it requires only a few seconds on a standard PC.

Jiahui Chen,Jianting Ning,Jie Ling,Terry Shue Chien Lau,Yacheng Wang

DOI: https://doi.org/10.1016/j.tcs.2019.12.032

IF: 1.002

2020-01-01

Theoretical Computer Science

Abstract:It is regarded as a difficult task to design a secure MPKC fundamental schemes such as an encryption scheme. In this paper we introduce a new central trapdoor for multivariate quadratic (MQ) public-key cryptosystems that allows for encryption, in contrast to time-tested MQ primitives such as Unbalanced Oil and Vinegar or Rainbow which only allow for signatures. The same as UOV or Rainbow, our construction is single field scheme where the central polynomial system is chosen to have a particular structure that enables efficient inversion. After applying this transformation, the plaintext can be recovered by solving a linear system. Our new central trapdoor can use to replace the broken extension field calculation trapdoor and simple matrix encryption trapdoor, thereafter, we use the minus and plus modifiers to inoculate our scheme against known attacks. It is highlight that our encryption scheme is a good explore in the area of multivariate cryptography. Finally, a straightforward Magma implementation confirms the efficient operation of the public key algorithms.

Jintai Ding,Lei Hu,Xuyun Nie,Jianyu Li,John Wagner

DOI: https://doi.org/10.1007/978-3-540-71677-8_16

2007-01-01

Abstract:In the CT-track of the 2006 RSA conference, a new multivariate public key cryptosystem, which is called the Medium Field Equation (MFE) multivariate public key cryptosystem, is proposed by Wang, Yang, Hu and Lai. We use the second order linearization equation attack method by Patarin to break MFE. Given a ciphertext, we can derive the plaintext within 2(23) F(2)16-multiplications, after performing once for any given public key a computation of complexity less than 2(52). We also propose a high order linearization equation (HOLE) attack on multivariate public key cryptosystems, which is a further generalization of the (first and second order) linearization equation (LE). This method can be used to attack extensions of the current MFE.

Shiling Luo,Wenchao Gao,Le Huang,Qiang Zhou

DOI: https://doi.org/10.1109/cis58238.2022.00082

2022-01-01

Abstract:As a defence to the SAT-based de-camouflaging attack, a brand new camouflaging strategy (called CamoPerturb) has been proposed. This camouflaging strategy achieves good resistance against the SAT-based attack. However, there is no stable generation algorithm for the perturbation circuit of the CamoPerturb. Furthermore, there is no way to control three key logic: specific output, specific gate and specific minterm, which makes it difficult for the technology to be used in practical circuits. In this paper, a perturbation circuit generation algorithm is proposed. By dividing a limited region, introducing the original input signal and narrowing the minterm range affected by the logic gate, we can find a single minterm perturbation quickly. Furthermore, we can design key logic arbitrarily. The experimental results in ISCAS’ 89 benchmark circuits and the controllers of the OpenSPARC microprocessor show that our method can be applied to the actual circuit stably with very little time consumption. Finally, our method is experimentally analyzed on an IP (intellectual property) core circuit (full adder circuit).

Alan Szepieniec,Jintai Ding,Bart Preneel

DOI: https://doi.org/10.1007/978-3-319-29360-8_12

2016-01-01

Abstract:This paper introduces a new central trapdoor for multivariate quadratic (MQ) public-key cryptosystems that allows for encryption, in contrast to time-tested MQ primitives such as Unbalanced Oil and Vinegar or Hidden Field Equations which only allow for signatures. Our construction is a mixed-field scheme that exploits the commutativity of the extension field to dramatically reduce the complexity of the extension field polynomial implicitly present in the public key. However, this reduction can only be performed by the user who knows concise descriptions of two simple polynomials, which constitute the private key. After applying this transformation, the plaintext can be recovered by solving a linear system. We use the minus and projection modifiers to inoculate our scheme against known attacks. A straightforward C++ implementation confirms the efficient operation of the public key algorithms.

Jintai Ding,Dieter Schmidt

DOI: https://doi.org/10.1007/978-3-0348-7865-4_6

2004-01-01

Abstract: We show that the new TTM implementation schemes have a defect. There exist linearization equations å</font >i = 1,j = 1n,m aijxiyj(x1, ¼</font >,xn) + å</font >i = 1n bixi + å</font >j = 1m cjyj(x1, ¼</font >,xn) + d = 0,\sum\limits_{i = 1,j = 1}^{n,m} {{a_{ij}}{x_i}{y_j}({x_1}, \ldots ,{x_n}) + \sum\limits_{i = 1}^n {{b_i}{x_i} + \sum\limits_{j = 1}^m {{c_j}{y_j}({x_1}, \ldots ,{x_n}) + d = 0,} } } which are satisfied by the components y3 (x1 … xn) of the ciphers of the TTM schemes. The inventor of TTM used two versions of the paper [2] to refute a claim in [3]. When we do a linear substitution with the linear equations derived from the linearization equations for a given ciphertext,we can find the plaintext by an iteration of the procedure of first search for linear equations by linear combinations and then linear substitution. The computational complexity of the attack on these two schemes is less than 235 over a finite field of size 28.

Weiwei Cao,Xiuyun Nie,Lei Hu,Xiling Tang,Jintai Ding

DOI: https://doi.org/10.1007/978-3-642-12929-2_4

2010-01-01

Abstract:MFE, a multivariate public key encryption scheme proposed by Wang et al in CT-RSA 2006, was conquered by second order linearization equation (SOLE) attack by Ding et al in PKC 2007. To resist this attack, many improved schemes were proposed. Wang et al in [WFW09 and Wang in [Wan07] both modified MFE and raised the public key from quadratic to quartic equations. We call the two quartic schemes Quartic-1 and Quartic-2 respectively for convenience. They are indeed immune to the SOLE attack. However, we find that there exist many quadratization equations (QEs), which are quadratic in plaintext variables and linear in ciphertext variables and can be derived from the public keys of Quartic-1 and Quartic-2. In this paper, we utilize QEs to recover the corresponding plaintext for a given ciphertext. For Quartic-1, we firstly find there are at least 2r SOLEs, which was regarded as impossible by the original authors, furthermore, we can find at least 35r QEs with a complexity $\mathcal {O}((90r^2(15r+1)+180r^2+15r(15r+1)/2+27r+1)^w)$, where r is a small number denoting the degree of extension of finite fields and w≈2.732. The computational complexity of deriving these equations is about 237. But to find the original plaintext, there still needs 240 times Gröbner basis computations, which needs practically 1.328 seconds each time. For Quartic-2, we make a theoretical analysis and find 18r QEs with a computational complexity $\mathcal {O}((15r+1)6r(12r+1)+180r^2+27r+1)^w$. The complexity is 236 for the parameter proposed in [Wan07], and we can break the scheme practically in 3110.734 seconds. Finally, we show that another improved version of MFE in [WZY07] is insecure against the linearization equation attack although its authors claimed it is secure against high order linearization equation attack. Our attack on the two quartic schemes illustrates that non-linearization equations like quadratization equations which are not degree one in plaintext variables can also be used efficiently to analyze multivariate cryptosystems.

Jintai Ding,Timonthy Hodges

DOI: https://doi.org/10.1142/S0219498804000861

2011-01-01

Journal of Algebra and Its Applications

Abstract:A Tamed Transformation Method (TTM) cryptosystem was proposed by T. T. Moh in 1999. We describe how the first implementation scheme of the TTM system can be defeated. The computational complexity of our attack is 2(33) computations on the finite field with 2(8) elements. The cipher of the TTM systems are degree 2 polynomial maps derived from composition of invertible maps of either total degree 2 or linear maps which can be easily calculated and can be easily inverted. To ensure the system to be of degree two, the key construction of the implementation schemes of the TTM systems is a multi-variable polynomial Q(8)(x(1),..., x(n)) and a set of linearly independent quadratic polynomials q(i)(x(1),..., x(m)), i = 1,..., n such that Q(8)(q(1),..., q(n)) is again a degree 2 polynomials of x(1),..., x(m). In this paper, we study the first implementation scheme of the TTM systems [6]. We discovered that in this implementation scheme the specific polynomial Q(8) can be decomposed further into a factorization in terms of composition. By taking powers of the equality satisfied by the new composition factors, we can actually derive a set of equations, that can produce linear equations satisfied by the plaintext. These linear equations lead us to find a way to defeat this implementation scheme.

Xuyun Nie,Lei Hu,Jianyu Li,Crystal Updegrove,Jintai Ding

DOI: https://doi.org/10.1007/11767480_14

2006-01-01

Abstract:In 2004, the inventors of TTM cryptosystems proposed a new scheme that could resist the existing attacks, in particular, the Goubin-Courtois attack [GC00] and the Ding-Schmidt attack [DS03]. In this paper, we show the new version is still insecure, and we find that the polynomial components of the cipher (Fi) satisfy nontrivial equations of the special form$$\sum\limits_{i=0}^{n-1}a_ix_i+\sum\limits_{0\leq j\leq k\leq m-1}b_{jk}F_jF_k+\sum\limits_{j=0}^{m-1}c_jF_j+d=0,$$ which could be found with 238 computations. From these equations and consequently the linear equations we derive from these equations for any given ciphertext, we can eliminate some of the variables xi by restricting the functions to an affine subspace, such that, on this subspace, we can trivialize the ”lock” polynomials, which are the key structure to ensure its security in this new instance of TTM. Then with method similar to Ding-Schmidt [DS03], we can find the corresponding plaintext for any given ciphertext. The total computational complexity of the attack is less than 239 operations over a finite field of size 28. Our results are further confirmed by computer experiments.

Chengdong Tao,Hong Xiang,Albrecht Petzoldt,Jintai Ding

DOI: https://doi.org/10.1016/j.ffa.2015.06.001

IF: 1.655

2015-01-01

Finite Fields and Their Applications

Abstract:Multivariate cryptography is one of the main candidates to guarantee the security of communication in the presence of quantum computers. While there exist a large number of secure and efficient multivariate signature schemes, the number of practical multivariate encryption schemes is somewhat limited. In this paper we present our results on creating a new multivariate encryption scheme, which is an extension of the original Simple Matrix encryption scheme of PQCrypto 2013. Our scheme allows fast en- and decryption and resists all known attacks against multivariate cryptosystems. Furthermore, we present a new idea to solve the decryption failure problem of the original Simple Matrix encryption scheme. (C) 2015 Elsevier Inc. All rights reserved.

Jíntai Ding,Zheng Zhang,Joshua D. Deaton,Lih-Chung Wang

DOI: https://doi.org/10.1007/978-3-030-61078-4_24

2020-01-01

Abstract:In 2017 Kyung-Ah Shim et al. proposed a multivariate signature scheme called Himq-3 which is a submission to National Institute of Standards and Technology (NIST) standardization process of post-quantum cryptosystems. The Himq-3 signature scheme can be classified into the oil vinegar signature scheme family. Similar to the rainbow signature scheme, the Himq-3 signature scheme uses a multilayer structure to shorten the signature size. Moreover the signing process is very fast due to a special system called L-inveritble cycle system that is used to invert the central map. In this paper, we provide a complete cryptanalysis to the Himq-3 signature scheme. We describe a new attack method called the singularity attack. This attack is based on the observation that the variables in the L-invertible cycle system are not allowed to be zero in a valid signature. For the completeness, we show step by step how variables and layers can be separated so that signature forgery can be performed. We claim that the complexity of our attack is much lower than the proposed security level.

Yong Liu,Zejun Xiang,Siwei Chen,Shasha Zhang,Xiangyong Zeng

DOI: https://doi.org/10.1007/978-3-031-33488-7_5

2023-01-01

Abstract:The Mixed Integer Linear Programming (MILP) is a common method of searching for impossible differentials (IDs). However, the optimality of the distinguisher should be confirmed by an exhaustive search of all input and output differences, which is clearly computationally infeasible due to the huge search space. In this paper, we propose a new technique that uses two-dimensional binary variables to model the input and output differences and characterize contradictions with constraints. In our model, the existence of IDs can be directly obtained by checking whether the model has a solution. In addition, our tool can also detect any contradictions between input and output differences by changing the position of the contradictions. Our method is confirmed by applying it to several block ciphers, and our results show that we can find 6-, 13-, and 12-round IDs for Midori-64, CRAFT, and SKINNY-64 within a few seconds, respectively. Moreover, by carefully analyzing the key schedule of Midori-64, we propose an equivalent key transform technique and construct a complete MILP model for an 11-round impossible differential attack (IDA) on Midori-64 to search for the minimum number of keys to be guessed. Based on our automatic technique, we present a new 11-round IDA on Midori-64, where 23 nibbles of keys need to be guessed, which reduces the time complexity compared to previous work. The time and data complexity of our attack are 2 116.59 and 2 60 , respectively. To the best of our knowledge, this is the best IDA on Midori-64 at present.