The security of Hidden Field Equations (HFE)

Nicolas T. Courtois
RSA'2001, San Francisco, April 10th 2001

At least "Chosen-Ciphertext Security":
- semantic security IND-CCA2
- non-malleability NM-CCA2

Weak is enough!

Recent conversions from one-way trapdoor functions:
- OAEP+ [Bellare-Rogaway + Shoup]: for OW permutations
- Fujisaki-Okamoto and Pointcheval conversions [1999]
- REACT [Pointcheval-Okamoto 2001]: maximum efficiency.
REACT also achieves strong Plaintext Awareness (PA2).

All we need:
Investigate the one-wayness of HFE trapdoor function: The HFE problem.


Alternatives for RSA

The RSA public key cryptosystem is based on a single mo [...]


Tighter security?

The only candidate without [...] exhaustive [...] attacks:
Multivariate Polynomials over finite fields: 1996 HFE family [Patarin]
But... is it exponential?


Security foundations

RSA
- an algebraical problem: factoring
- the RSA problem (one-wayness of RSA).

McEl.
- a Goppa co [...]

$b_k = \sum_{i=0}^{n} \sum_{j=i}^{n} [\ldots]_{ijk}\, a_i a_j$, with $k = 1..m$, $a_0 = 1$

Case $n = m = 1$.
- $K = \mathbb{Z}_N$: is hard, factoring $N$ [Rabin].
- $K = GF(q)$: solved, also for any fixed degree [Berlekamp 1967].


MQ is NP-complete for any field $K$
[Garey, Johnson], [Patarin, Goubin].

Pro [...]

$0 = x \lor y \lor z$
$1 = \lnot t$
...

$0 = xyz + xy + yz + xz + x + y + z$
$1 = 1 + t$
...

Transform cubic → quadratic. We put:
- new variables $y_{ij} = x_i x_j$
- new trivial equations $0 = y_{ij} - x_i x_j$.


Solving MQ

Case $m > n^2/2$:
MQ is solved by linearization (folklore):
- New variables $y_{ij} = x_i x_j$.
- At least $m$ linear equations with $m$ variables.

Case $m = \varepsilon\, n^2/2$:
MQ is exp [...] 100.


Trapdoors in MQ

General principles o [...]

$b_2 = a_2 + a_2 a_1 + a_2 a_0 + a_1$
$b_1 = a_2 a_1 + a_1 a_0 + a_2$
$b_0 = a_0 + a_2 + a_1 a_0 + a_2 a_0$


Hidden Field Equation (HFE).

$f(a) = \sum_{q^s + q^t\ [\ldots]\ d} [\ldots]_{st}\, a^{q^s + q^t}$

- Re-write as $n$ multivariate quadratic equations:
  $b_i = f_i(a_1, \ldots, a_n)$, $i = 1..n$
- Hide the univariate representation of $f$:
  Apply two affine invertible variable changes $S$ and $T$.
  $g = T \circ f \circ S$
  $g:\ x \overset{S}{\mapsto} a \overset{f}{\mapsto} b \overset{T}{\mapsto} y$


Using HFE

public key: $n$ quadratic p [...]


Soundness of the definition

We found equations of typ [...]

[...] 128 is still very secure.

Modified, combinatorial versions of HFE have no weaknesses known, e.g.
- HFE- [Asiacrypt'98],
- HFEv [Eurocrypt'99],
- Quartz and even Flash and Sflash [RSA 2001].

Combinatorial versions of HFE can be either:
- hundreds of times faster than RSA and be implemented on smart cards (Flash, Sflash), or
- give very short signatures for memory cards (Quartz).


Digital signatures.

$f$ - a trap [...]
$H$ - cryptographic hash.

Existential Forgery:
Birthday paradox attack:
1. Generate $2^{n/2}$ versions of the message to b [...]

[...] $H_1(m) + f^{-1}$ [...] $H_2(m) + f^{-1}(H_1(m))$ [...]

Comparison of typical signatures (security $2^{80}$):

RSA             700 bits
DSA             320 bits
EC              321 bits
HFEv-, Quartz   128 bits   www.minrank.org/quartz/
HFEf+            92 bits   My PhD thesis, sec. 19.4.2.
McEliece         87 bits   www.minrank.org/mceliece/


What signatures are the best?

Bad question

Use several algorithms and issue several certificates.
Programs, terminals and devices will have at least one common algorithm for a few years.
Pro-active scenario: Invalidate some algorithms and intro [...]