TY - GEN
T1 - Degree of regularity for HFEv and HFEv-
AU - Ding, Jintai
AU - Yang, Bo Yin
PY - 2013
Y1 - 2013
N2 - In this paper, we first prove an explicit formula which bounds the degree of regularity of the family of HFEv ("HFE with vinegar") and HFEv- ("HFE with vinegar and minus") multivariate public key cryptosystems over a finite field of size q. The degree of regularity of the polynomial system derived from an HFEv- system is less than or equal to (q - 1)(r + v + a - 1)/2 + 2 if q is even and r + a is odd, (q - 1)(r + v + a)/2 + 2 otherwise, where the parameters v, D, q, and a are parameters of the cryptosystem denoting respectively the number of vinegar variables, the degree of the HFE polynomial, the base field size, and the number of removed equations, and r is the "rank" paramter which in the general case is determined by D and q as r = ⌊q(D - 1)⌋ + 1. In particular, setting a = 0 gives us the case of HFEv where the degree of regularity is bound by (q - 1)(r + v - 1)/2 + 2 if q is even and r is odd, (q - 1)(r + v)/2 + 2 otherwise. This formula provides the first solid theoretical estimate of the complexity of algebraic cryptanalysis of the HFEv- signature scheme, and as a corollary bounds on the complexity of a direct attack against the QUARTZ digital signature scheme. Based on some experimental evidence, we evaluate the complexity of solving QUARTZ directly using F4/F5 or similar Gröbner methods to be around 292.
AB - In this paper, we first prove an explicit formula which bounds the degree of regularity of the family of HFEv ("HFE with vinegar") and HFEv- ("HFE with vinegar and minus") multivariate public key cryptosystems over a finite field of size q. The degree of regularity of the polynomial system derived from an HFEv- system is less than or equal to (q - 1)(r + v + a - 1)/2 + 2 if q is even and r + a is odd, (q - 1)(r + v + a)/2 + 2 otherwise, where the parameters v, D, q, and a are parameters of the cryptosystem denoting respectively the number of vinegar variables, the degree of the HFE polynomial, the base field size, and the number of removed equations, and r is the "rank" paramter which in the general case is determined by D and q as r = ⌊q(D - 1)⌋ + 1. In particular, setting a = 0 gives us the case of HFEv where the degree of regularity is bound by (q - 1)(r + v - 1)/2 + 2 if q is even and r is odd, (q - 1)(r + v)/2 + 2 otherwise. This formula provides the first solid theoretical estimate of the complexity of algebraic cryptanalysis of the HFEv- signature scheme, and as a corollary bounds on the complexity of a direct attack against the QUARTZ digital signature scheme. Based on some experimental evidence, we evaluate the complexity of solving QUARTZ directly using F4/F5 or similar Gröbner methods to be around 292.
KW - Degree of regularity
KW - HFE
KW - HFEv
KW - HFEv-
UR - http://www.scopus.com/inward/record.url?scp=84884475093&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-38616-9_4
DO - 10.1007/978-3-642-38616-9_4
M3 - Conference Proceeding
AN - SCOPUS:84884475093
SN - 9783642386152
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 52
EP - 66
BT - Post-Quantum Cryptography - 5th International Workshop, PQCrypto 2013, Proceedings
T2 - 5th International Workshop on Post-Quantum Cryptography, PQCrypto 2013
Y2 - 4 June 2013 through 7 June 2013
ER -