http://debianws.lexgopc.com/wiki143/index.php?action=history&feed=atom&title=Multivariate_cryptographyMultivariate cryptography - Revision history2026-05-06T18:30:19ZRevision history for this page on the wikiMediaWiki 1.43.1http://debianws.lexgopc.com/wiki143/index.php?title=Multivariate_cryptography&diff=6404293&oldid=previmported>Citation bot: Add: date, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Dominic3203 | Linked from User:LinguisticMystic/cs/outline | #UCB_webform_linked 1389/22772025-04-17T02:58:26Z<p>Add: date, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. | <a href="/wiki143/index.php?title=En:WP:UCB&action=edit&redlink=1" class="new" title="En:WP:UCB (page does not exist)">Use this bot</a>. <a href="/wiki143/index.php?title=En:WP:DBUG&action=edit&redlink=1" class="new" title="En:WP:DBUG (page does not exist)">Report bugs</a>. | Suggested by Dominic3203 | Linked from User:LinguisticMystic/cs/outline | #UCB_webform_linked 1389/2277</p>
<p><b>New page</b></p><div>{{Short description|Field of asymetric cryptographic primitives}}<br />
{{More citations needed|date=February 2022}}<br />
<br />
'''Multivariate cryptography''' is the generic term for asymmetric [[Cryptography|cryptographic]] [[Cryptographic primitive|primitives]] based on [[Polynomial|multivariate polynomials]] over a [[finite field]] <math>F</math>. In certain cases, those polynomials could be defined over both a ground and an extension [[Field (mathematics)|field]]. If the polynomials have [[Degree of a polynomial|degree]] two, we talk about multivariate [[Quadratic polynomial|quadratics]]. Solving systems of multivariate [[Polynomial#Solving equations|polynomial equations]] is proven to be [[NP-complete]].<ref>{{Cite book|title=Computers and intractability : a guide to the theory of NP-completeness|last=Garey, Michael R.|date=1979|publisher=W.H. Freeman|others=Johnson, David S., 1945-|isbn=0-7167-1044-7|location=San Francisco|oclc=4195125}}</ref> That's why those schemes are often considered to be good candidates for [[post-quantum cryptography]]. Multivariate cryptography has been very productive in terms of design and [[cryptanalysis]]. Overall, the situation is now more stable and the strongest schemes have withstood the test of time. It is commonly admitted that Multivariate cryptography turned out to be more successful as an approach to build [[Digital signature|signature schemes]] primarily because multivariate schemes provide the shortest signature among post-quantum algorithms.<br />
<br />
== History ==<br />
{{harvs|txt|last=Matsumoto | first=Tsutomu | last2=Imai | first2=Hideki | author2-link=Hideki Imai |year=1988}} presented their so-called C* scheme at the [[Eurocrypt]] conference. Although C* has been broken by {{harvs|txt|last=Patarin | first=Jacques|year=1995}}, the general principle of Matsumoto and Imai has inspired a generation of improved proposals. In later work, the "Hidden Monomial Cryptosystems" was developed by {{in lang|fr}} [[:fr:Jacques Patarin|Jacques Patarin]]. It is based on a ground and an extension field. "[[Hidden Field Equations]]" (HFE), developed by Patarin in 1996, remains a popular multivariate scheme today [P96]. The security of HFE has been thoroughly investigated, beginning with a direct [[Gröbner basis]] attack [FJ03, GJS06], key-recovery attacks {{harv|Kipnis|Shamir|1999}} [BFP13], and more. The plain version of HFE is considered to be practically broken, in the sense that secure parameters lead to an impractical scheme. However, some simple variants of HFE, such as the ''minus variant'' and the ''vinegar variant'' allow one to strengthen the basic HFE against all known attacks. <br />
<br />
In addition to HFE, Patarin developed other schemes. In 1997 he presented “Balanced Oil & Vinegar” and in 1999 “[[Unbalanced Oil and Vinegar]]”, in cooperation with Aviad Kipnis and Louis Goubin {{harv|Kipnis|Patarin|Goubin|1999}}.<br />
<br />
==Construction==<br />
Multivariate Quadratics involves a public and a private key. The private key consists of two affine transformations, S and T, and an easy to invert quadratic map <math>P' \colon F^m \rightarrow F^n</math>. We denote the <math>n \times n</math> matrix of the [[Affine transformation|affine]] [[endomorphism]]s<br />
<math>S\colon F^n \rightarrow F^n</math> by <math>M_S</math> and the shift vector by <math>v_S \in F^n</math> and similarly for <math>T\colon F^m \rightarrow F^m</math>. In other words,<br />
* <math>S(x) = M_S x + v_S</math> and<br />
* <math>T(y) = M_T y + v_T</math>.<br />
The triple <math>(S^{-1},{P'}^{-1},T^{-1})</math> is the private key, also known as the trapdoor. The public key is the composition <math> P = S \circ P' \circ T</math> which is by assumption hard to invert without the knowledge of the trapdoor.<br />
<br />
==Signature==<br />
Signatures are generated using the private key and are verified using the public key as follows. The message is [[Hash function|hashed]] to a vector in <math> y \in F^n</math> via a known hash function. The signature is <br />
:<math> x=P^{-1}(y) = T^{-1} \left({P'}^{-1}\left(S^{-1}(y)\right)\right)</math>.<br />
<br />
The receiver of the signed document must have the public key P in possession. He computes the hash <math>y</math> and checks that the signature <math>x</math> fulfils <math>P(x)=y</math>.<br />
<br />
==Applications==<br />
{{Unreferenced section|date=August 2018}}<br />
* [[Unbalanced Oil and Vinegar]]<br />
* [[Hidden Field Equations]]<br />
* SFLASH by [[NESSIE]]<br />
* Rainbow<br />
* TTS<br />
* QUARTZ<br />
* [[QUAD (cipher)]]<br />
* Four multivariate cryptography signature schemes (GeMMS, LUOV, Rainbow and MQDSS) have made their way into the 2nd round of the NIST post-quantum competition: see slide 12 of the report.<ref>{{cite web |last1=Moody |first1=Dustin |title=The 2nd Round of the NIST PQC Standardization Process |date=22 August 2019 |url=https://csrc.nist.gov/Presentations/2019/the-2nd-round-of-the-nist-pqc-standardization-proc |publisher=NIST |accessdate=11 October 2020}}</ref><br />
<br />
==References==<br />
<references /><br />
<br />
* [BFP13] L. Bettale, [[Jean-Charles Faugère]], and L. Perret, Cryptanalysis of HFE, Multi-HFE and Variants for Odd and Even Characteristic. DCC'13<br />
* [FJ03] [[Jean-Charles Faugère]] and A. Joux, Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. CRYPTO'03<br />
* [GJS06] L. Granboulan, Antoine Joux, J. Stern: Inverting HFE Is Quasipolynomial. CRYPTO'06.<br />
* {{cite book | last1=Kipnis | first1=Aviad | last2=Shamir | first2=Adi | title=Advances in Cryptology – CRYPTO' 99 | chapter=Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization | publisher=Springer | location=Berlin, Heidelberg | year=1999 | isbn=978-3-540-66347-8 | issn=0302-9743 | doi=10.1007/3-540-48405-1_2 | mr=1729291}}<br />
* {{cite conference |last1=Kipnis |first1=Aviad |last2=Patarin |first2=Jacques |last3=Goubin |first3=Louis |date=1999 |chapter=Unbalanced Oil and Vinegar Signature Schemes |conference=Eurocrypt'99 |editor=Jacques Stern |title=Advances in Cryptology – CRYPTO' 99 |publisher=Springer |isbn=3-540-65889-0 |issn=0302-9743 |doi=10.1007/3-540-48910-x_15 |mr=1717470 |chapter-url=https://link.springer.com/content/pdf/10.1007/3-540-48910-X_15.pdf|doi-access=free }}<br />
* {{cite book | last1=Matsumoto | first1=Tsutomu | last2=Imai | first2=Hideki | author2-link=Hideki Imai |title=Lecture Notes in Computer Science | chapter=Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption | publisher=Springer | location=Berlin, Heidelberg | year=1988 | isbn=978-3-540-50251-7 | issn=0302-9743 | doi=10.1007/3-540-45961-8_39 | mr=0994679}}<br />
* {{cite book | last=Patarin | first=Jacques | title=Advances in Cryptology – CRYPT0' 95 | chapter=Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt’88 | series=Lecture Notes in Computer Science | publisher=Springer | location=Berlin, Heidelberg | year=1995 | volume=963 | pages=248–261 | isbn=978-3-540-60221-7 | issn=0302-9743 | doi=10.1007/3-540-44750-4_20 | mr=1445572}}<br />
* [P96] Jacques Patarin, Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): two new Families of Asymmetric Algorithms (extended version); Eurocrypt '96<br />
* Christopher Wolf and [[Bart Preneel]], Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations; Current Version: 2005-12-15<br />
*An Braeken, Christopher Wolf, and [[Bart Preneel]], A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes, Current Version: 2005-08-06<br />
*Jintai Ding, Research Project: Cryptanalysis on Rainbow and TTS multivariate public key signature scheme<br />
*Jacques Patarin, [[Nicolas Courtois]], Louis Goubin, SFLASH, a fast asymmetric signature scheme for low-cost smartcards. Primitive specification and supporting documentation.<br />
*Bo-Yin Yang, Chen-Mou Cheng, Bor-Rong Chen, and Jiun-Ming Chen, Implementing Minimized Multivariate PKC on Low-Resource Embedded Systems, 2006<br />
*Bo-Yin Yang, Jiun-Ming Chen, and Yen-Hung Chen, TTS: High-Speed Signatures on a Low-Cost Smart Card, 2004<br />
*[[Nicolas Courtois|Nicolas T. Courtois]], Short Signatures, Provable Security, Generic Attacks and Computational Security of Multivariate Polynomial Schemes such as HFE, Quartz and Sflash, 2005<br />
*Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied Cryptography, 1997<br />
<br />
==External links==<br />
* [http://www.s1on1.com/main/index.cgi/000000A/http://www.minrank.org/hfe/] The HFE public key encryption and signature<br />
* [http://www-polsys.lip6.fr/Links/hfeboost.html] HFEBoost<br />
<br />
{{Cryptography navbox}}<br />
<br />
[[Category:Multivariate cryptography| ]]<br />
[[Category:Post-quantum cryptography]]</div>imported>Citation bot