Questions tagged [multivariate-cryptography]

A generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field

Multivariate cryptography is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field $F$. In certain cases, those polynomials could be defined over both a ground and an extension field. If the polynomials have degree two, we talk about multivariate quadratics.

Wikipedia

25 questions
6 votes, 3 answers

Why do Problems for Post-Quantum algorithms have to be NP-Hard?

The mathematical problems used for Post-Quantum Cryptography that I came across are NP-complete, e.g. solving quadratic equations over finite fields, short lattice vectors and close lattice vectors, bounded distance decoding over finite…
4 votes, 5 answers

Why do we use groups, rings and fields in cryptography?

I'm a student of Masters in Cyber Security. I have a habit to understand things from their first principles (at the very beginning). Kindly use any simple mathematical example to answer because I have read plenty of technical answers but they aren't…
4 votes, 0 answers

Help with cryptanalysis of branching in schemes based on Multivariate Public Key Cryptography

I'm familiar with the structure of branching found in Multivariate Cryptography, as it allows us to partition an $n$-tuple over $F_{q}$ into a $k$-tuple where the $i$-th element is in $F_{q^{\lambda_i}}$ for $\lambda \vdash n$ and $k$ is the…
4 votes, 0 answers

Solving not so much overdetermined system of multivariate polynomial equations

I'm studying algorithms for solving multivariate equations. I'm stuck on solving an overdetermined set of quadratic equations. Concretely, with the number $n$ of variables, the number of equations is $m=\epsilon n^2$. If $\epsilon\geq 1/2$, it is known…
3 votes, 1 answer

Multivariate cryptography - easily invertible quadratic map

I am reading through multivariate cryptography and in every source I have seen, the secret map $P$ is described as "easily invertible" or "easy to invert". What exactly does it mean "easily invertible"?
3 votes, 0 answers

Signing failure probability of SNOVA

UOV and SNOVA are two multivariate digital signatures that are currently considered by NIST for potential standardization. They are based on the hardness of solving a set of multivariate quadratic equations. More specifically, the public key of both…
user2249675
3 votes, 1 answer

Multivariate Cryptography: What is the secret oil space in the MAYO signature scheme?

In UOV schemes, I understand that you need to choose a secret subspace $O \in \mathcal{F}^q_n$ such that $P(\mathbf{o}) = 0$ for all $\mathbf{o} \in O$. According to the paper Improved cryptanalysis of UOV and Rainbow, this is typically done by…
2 votes, 1 answer

Hidden field equations - existence of zeroes

Let $\mathbb{F}_q$ be a finite field of size $q$ (prime), and $\mathbb{F}_{q^n}$ be a degree-$n$ algebraic extension of $\mathbb{F}_q$. Let $F$ be a polynomial function $\mathbb{F}_{q^n} \to \mathbb{F}_{q^n}$ of the form $$ \sum_{i, j \in I_A}…
Myath
2 votes, 1 answer

Sage code for finding generator matrix of MDS code

Let $L$ be an $[n,k]$ code. A $k\times n$ matrix $G$ whose rows form a basis for $L$ is called a generator matrix for $L$. A linear $[n,k,d]$ code with largest possible minimum distance is called maximum distance $d$ separable or MDS code. I…
2 votes, 1 answer

Why does solving the underlying polynomial system "break" the multivariate cryptosystem

I was wondering why exactly solving a polynomial system (directly or indirectly) "breaks" a multivariate cryptosystem used as a digital signature. I realize that the exact reason differs from system to system, but in general, from what I can see, it…
2 votes, 1 answer

Multivariate Cryptography: Security of the affine transform T

In this question, I'd like to discuss the security of the last transformation $T$ employed in the construction of a MV-scheme. MVCrypto is based on solving a system of polynomial equations, but eventually, those polynomials are constructed by a…
kub0x
2 votes, 0 answers

I just want a post-quantum permutation and I don't care about efficiency. Can multivariate reciprocals help me?

Let's say there's an application that requires a public-key permutation, and we can throw all other requirements away and design one out of a reciprocal multivariate system. Is this viable? If yes, how confident are we in choosing parameters for such…
DannyNiu
1 vote, 1 answer

The mathematical similarity and difference between code-based PKE and multivariate DSS

In code-based public key encryption schemes, a public key is formed by matrix-multiplying 2 linear matrices on the left and right side of an easily decodable error-correcting code, so that it'll be difficult to extract useful information that may be…
1 vote, 0 answers

Kernel attack on MinRank - How do we check if we can stop?

I have some trouble understanding how the Kernel Attack on MinRank is implemented. MinRank: Let $k, n, r$ be positive integers, and let $M_0, M_1, \dots, M_k$ be $n \times n$ matrices with entries in a finite field $\mathbb{F}_q$. We want to find (if…
ethan_T
1 vote, 1 answer

Why all multivariate schemes restrict themselves to polynomials of degree 2

If we note that all multivariate schemes restrict themselves to polynomials of degree 2, I was wondering why they do it. After looking on the internet, I came to know that they do it for efficiency. My question is how working with degree 2 is more…