Title: Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. Booktitle: Advances in Cryptology – CRYPTO ’99, 19th Annual International. Finally, we develop a new relinearization method for solving such systems for any constant ε > …
|Published (Last):||9 July 2011|
Suggested Parameters: Considering the aforementioned discussions, we suggest choosing and.
So under the algebraic attacks, the proposed modification HFE encryption scheme can obtain a security level of 80 bits under the suggested parameters.
In the Matsumoto-Imai scheme, a permutation over with characteristic 2 is defined such that, then using two invertible affine transformations and to disguise the central map into a quadratic map over, namely, The basic idea of the attack is as follows.
During encryption, the proposed modification HFE scheme does not need to do the square computations, so the proposed encryption reduces the computational costs by bit operations. In this matrix equation, we only know that is of low rank at most.
Security and Communication Networks
It is shown that the modification can defend against the known attacks including the MinRank attack, the linearization equations attack, and the direct algebraic attacks. We can then look at as a quadratic form about then we associate with a symmetric -dimensional square matrix such that The symmetric matrix is of low rank, and it is the special structure of the symmetric matrix that makes the original HFE scheme insecure.
This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. We first review the basic idea of known attacks and then illustrate why the proposal is secure against these attacks.
In fact, the quadratic polynomial map is exactly the public key of the original HFE scheme, and the secret key of the original scheme also consists of, and. The plaintext space is. If we lift to the extension field and find that the corresponding matrix is not of low rank, we can claim our proposal is secure against the MinRank attack [ 78 ].
Description: The encryption scheme consists of three subalgorithms: So and satisfy the following equations derived from the bilinear equations, namely, where and all the coefficients in.
We analyze the security of the proposed HFE modified encryption scheme.
MinRank Attacks: Basic Idea. We set the quadratic part of the public key as with for. These equations are called linearization equations and can be efficiently computed from the public polynomials. The hidden field equations (HFE) scheme [ 5 ] may be the most famous cryptosystem amongst all multivariate public key cryptographic schemes. In the proposed modification HFE encryption scheme, we impose some restrictions on the plaintext space.
So the computational overhead is about bit operations. Given the ciphertext, we want to solve for the plaintext from the quadratic equations: It can be easily seen that both the modified and the original HFE schemes share a common secret key and decryption algorithm. If the polynomials have degree two, we talk about multivariate quadratics. Loosely speaking, when we apply two linear transformations on the input and output of the map, the rank of the corresponding matrix remains at most.
As far as the proposed HFE modification scheme is concerned, we just note that, for any plaintext, is a valid ciphertext for both the original HFE scheme and the proposed modification HFE scheme.
To make a comparison between the proposed HFE modification and the original HFE schemes in a uniform platform, we consider the HFE scheme defined over and its extension field. We first note that the HFE scheme [ 5 ] was proposed by Patarin to thwart the linearization equations attack and no known evidence was reported on the existence of linearization equations in the HFE scheme.
By setting we can express as bilinear equations about input and output of function:
Without loss of generality, we assume that the two invertible affine transformations and are linear [ 21 ] and define the terms of in in 1. The encryption of the original HFE scheme is just to compute, where the plaintext is in but not necessarily in.
We define with for and It is obvious that. So both schemes have the same secret key sizes and decryption costs. So the proposed scheme reduces the public key size by bits. To illustrate why the proposed modification of the HFE scheme is secure against the MinRank attack [ 78 ], we just need to show that when lifted to the extension field, the quadratic part of the public key is not connected with a low-rank matrix.
The proposed method is a universal padding scheme and hence can be applied to other multivariate cryptographic constructions.
Under the suggested parameters and, the degree of regularity of the quadratic equations is. It is shown that the proposed public key encryption scheme is secure against known attacks including the MinRank attack, the algebraic attacks, and the linearization equations attacks. The modified HFE decryption recovers the plaintext by peeling off the composition one by one from the leftmost side.