Hindawi Security and Communication Networks Volume 2017, Article ID 9289410, 6 pages https://doi.org/10.1155/2017/9289410

Research Article

Building Secure Public Key Encryption Scheme from Hidden Field Equations

Yuan Ping,1,2 Baocang Wang,1,3 Yuehua Yang,1 and Shengli Tian1

1 School of Information Engineering, Xuchang University, Xuchang 461000, China
2 Guizhou Provincial Key Laboratory of Public Big Data, Guiyang 550025, China
3 State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an 710071, China

Correspondence should be addressed to Baocang Wang; [email protected]

Received 4 April 2017; Accepted 5 June 2017; Published 10 July 2017

Academic Editor: Dengpan Ye

Copyright © 2017 Yuan Ping et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract. Multivariate public key cryptography is a set of cryptographic schemes built from the NP-hardness of solving quadratic equations over finite fields, amongst which the hidden field equations (HFE) family of schemes remains the most famous. However, the original HFE scheme was insecure, and the follow-up modifications were shown to be still vulnerable to attacks. In this paper, we propose a new variant of the HFE scheme by considering the special equation $x^2 = x$ defined over $\mathbb{F}_3$ when $x = 0, 1$. We observe that the equation can be used to further destroy the special structure of the underlying central map of the HFE scheme. It is shown that the proposed public key encryption scheme is secure against known attacks including the MinRank attack, the algebraic attacks, and the linearization equations attacks. The proposal gains some advantages over the original HFE scheme with respect to the encryption speed and public key size.

1. Introduction

Public key cryptography [1] built from the NP-hardness of solving multivariate quadratic equations over finite fields [2, 3] was conceived as a plausible candidate to traditional factorization and discrete logarithm based public key cryptosystems due to its high performance and the resistance to quantum attacks [4]. The hidden field equations (HFE) scheme [5] may be the most famous amongst all multivariate public key cryptographic schemes. The HFE scheme firstly defines a univariate map over an extension field $\mathbb{F}_{q^n}$:

$$F(X) = \sum_{0 \le i \le j < n,\; q^i + q^j \le D} a_{ij} X^{q^i + q^j} + \sum_{0 \le i < n,\; q^i \le D} b_i X^{q^i} + c, \quad (1)$$

where the degree bound $D$ chosen cannot be very large in order that the user can use the Berlekamp algorithm [6] to efficiently compute the roots of $F(X)$. Then two invertible affine transformations are applied to hide the special structure of the central map [2, 5]. However, the central map $F(X)$ can be represented with a low-rank matrix [7], which makes it vulnerable to MinRank attacks [7–9]. So some modifications are needed to repair the basic HFE scheme [10–14]. However, all known modification methods can only impose a partial nonlinear transformation on the special structure of the HFE central map, and hence they are still vulnerable to some attacks [15–17].

We consider the HFE scheme over finite fields with characteristic 3. We impose some restrictions on the plaintext space and use the restriction to merge the coefficients of the linear part and the square part. By doing this, we can impose a fully nonlinear transformation on the central map of the HFE encryption scheme. Performance analysis shows that the modification can save the public key storage by $O(n^2)$ bits and reduce the encryption costs by about $O(n^2)$ bit operations. It is shown that the modification can defend against the known attacks including the MinRank attack, the linearization equations attack, and the direct algebraic attacks.
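As an added illustration of the modification just outlined (example code written for this page, not code from the paper), the following toy instance over $\mathbb{F}_3$ with $n = 3$ builds a central map of the form (1), composes it with two affine maps to obtain the public polynomials $p_k$ of the original HFE scheme, merges their square and linear coefficients into the modified public key $q_k$, and decrypts a ciphertext. The field polynomial, the central map coefficients and the affine maps are constructed sample values, and an exhaustive root search over the 27 field elements stands in for the Berlekamp algorithm.

```python
# Toy instance (n = 3) of the modified HFE scheme described in Section 2. Every parameter
# below is a constructed sample value for illustration, not one from the paper (n = 256 there).
import itertools
from functools import reduce

N = 3
F_POLY = [1, 2, 0, 1]  # f(x) = 1 + 2x + x^3 has no root in F_3, hence is irreducible

def fadd(a, b):
    return [(x + y) % 3 for x, y in zip(a, b)]

def fmul(a, b):
    """Multiply in F_{3^n} = F_3[x]/<f(x)>; elements are coefficient lists, so phi is the identity."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % 3
    for d in range(2 * N - 2, N - 1, -1):  # eliminate x^d for d >= n using x^n = -(f(x) - x^n)
        for i in range(N):
            prod[d - N + i] = (prod[d - N + i] - prod[d] * F_POLY[i]) % 3
    return prod[:N]

def fpow(a, e):  # exponents are tiny here (at most the degree bound D = 6)
    return reduce(fmul, [a] * e, [1] + [0] * (N - 1))

# Secret central map F(X) of eq. (1) as {exponent: coefficient}: q^i+q^j in {2, 4, 6} (a_ij),
# q^i in {1, 3} (b_i) and 0 (the constant c), i.e. degree bound D = 6 with q = 3.
CENTRAL = {2: [1, 2, 0], 4: [0, 1, 1], 6: [2, 0, 1], 1: [1, 1, 0], 3: [0, 2, 1], 0: [2, 0, 1]}

def central(X):
    acc = [0] * N
    for e, coef in CENTRAL.items():
        acc = fadd(acc, fmul(coef, fpow(X, e)))
    return acc

# Secret affine maps L1(x) = M1 x + V1 and L2(x) = M2 x + V2 over F_3 (both matrices invertible).
M1, V1 = [[1, 1, 0], [0, 1, 1], [1, 0, 1]], [2, 0, 1]
M2, V2 = [[0, 1, 1], [1, 0, 1], [1, 1, 0]], [1, 1, 2]

def mat_inv(M):  # Gauss-Jordan over F_3; 1 and 2 are their own inverses mod 3
    aug = [row[:] + [int(i == j) for j in range(N)] for i, row in enumerate(M)]
    for col in range(N):
        piv = next(r for r in range(col, N) if aug[r][col])  # StopIteration if M is singular
        aug[col], aug[piv] = aug[piv], aug[col]
        aug[col] = [(v * aug[col][col]) % 3 for v in aug[col]]
        for r in range(N):
            if r != col and aug[r][col]:
                aug[r] = [(x - aug[r][col] * y) % 3 for x, y in zip(aug[r], aug[col])]
    return [row[N:] for row in aug]

def affine(M, v, x):
    return [(sum(M[i][j] * x[j] for j in range(N)) + v[i]) % 3 for i in range(N)]

def affine_inv(M, v, y):  # L^{-1}(y) = M^{-1}(y - v)
    return affine(mat_inv(M), [0] * N, [(yi - vi) % 3 for yi, vi in zip(y, v)])

def public_eval(x):  # P(x) = L1 o phi o F o phi^{-1} o L2 (x): the original HFE public key
    return affine(M1, V1, central(affine(M2, V2, x)))

def interpolate_public():  # recover alpha, beta, gamma, delta of each p_k in eq. (2)
    e = lambda i, s=1: [s if t == i else 0 for t in range(N)]
    d = public_eval([0] * N)
    p1, p2 = [public_eval(e(i)) for i in range(N)], [public_eval(e(i, 2)) for i in range(N)]
    pairs = {(i, j): public_eval(fadd(e(i), e(j))) for i in range(N) for j in range(i + 1, N)}
    polys = []
    for k in range(N):
        gamma = [(p2[i][k] - p1[i][k]) % 3 for i in range(N)]         # p(2e_i) - p(e_i) = gamma_i
        alpha = [(p1[i][k] - gamma[i] - d[k]) % 3 for i in range(N)]  # p(e_i) = alpha_i + gamma_i + delta
        beta = {(i, j): (v[k] - p1[i][k] - p1[j][k] + d[k]) % 3 for (i, j), v in pairs.items()}
        polys.append({"alpha": alpha, "beta": beta, "gamma": gamma, "delta": d[k]})
    return polys

def merge_square_terms(P):  # public key Q of eq. (3): rho_i = alpha_i + gamma_i, no square terms
    return [{"alpha": [0] * N, "beta": p["beta"], "delta": p["delta"],
             "gamma": [(a + g) % 3 for a, g in zip(p["alpha"], p["gamma"])]} for p in P]

def eval_quad(polys, x):
    return [(p["delta"] + sum(a * xi * xi for a, xi in zip(p["alpha"], x))
             + sum(g * xi for g, xi in zip(p["gamma"], x))
             + sum(b * x[i] * x[j] for (i, j), b in p["beta"].items())) % 3 for p in polys]

def decrypt(c):  # y = L1^{-1}(c); invert F by exhaustive root search (Berlekamp stand-in); m = L2^{-1}(x)
    y = affine_inv(M1, V1, c)
    roots = [list(X) for X in itertools.product(range(3), repeat=N) if central(list(X)) == y]
    return [m for m in (affine_inv(M2, V2, X) for X in roots) if all(v in (0, 1) for v in m)]
```

Outside $\{0,1\}^3$ the merged key generally disagrees with $P$, since the square terms are gone; a ciphertext that no binary plaintext maps to makes `decrypt` return the empty list, the analogue of the symbol ⊥.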

2. Proposal

2.1. Notations. Let $\mathbb{F}_q$ be a $q$-order finite field with $q$ being a prime power. Let $f(x)$ be an irreducible polynomial with degree $n$ over $\mathbb{F}_q$; then $\mathbb{F}_{q^n} = \mathbb{F}_q[x]/\langle f(x) \rangle$ forms a degree-$n$ extension field. The construction admits a standard isomorphism $\phi$ between the extension field $\mathbb{F}_{q^n}$ and the vector space $\mathbb{F}_q^n$; namely, for an element $g(x) = \sum_{i=0}^{n-1} g_i x^i \in \mathbb{F}_{q^n}$, we have $\phi(g(x)) = (g_0, \ldots, g_{n-1}) \in \mathbb{F}_q^n$. We denote the inverse of the map $\phi$ as $\phi^{-1}$. Note that the Frobenius maps $T(X) = X^{q^i}$ for $i = 0, 1, \ldots, n-1$ defined over $\mathbb{F}_{q^n}$ are $\mathbb{F}_q$-linear; namely, when expressed in the base field $\mathbb{F}_q$, $T(X)$ will be $n$-dimensional linear functions over $\mathbb{F}_q$.

2.2. Description. The encryption scheme consists of three subalgorithms: key generation, encryption, and decryption.

Key Generation. The system parameters consist of an irreducible polynomial $f(x)$ with degree $n$ over $\mathbb{F}_3$, the extension field $\mathbb{F}_{3^n} = \mathbb{F}_3[x]/\langle f(x) \rangle$, and the isomorphism $\phi$ between $\mathbb{F}_{3^n}$ and $\mathbb{F}_3^n$. Firstly, we define an HFE map $F(X)$ as in (1) and randomly choose two invertible affine transformations $L_1 : \mathbb{F}_3^n \to \mathbb{F}_3^n$ and $L_2 : \mathbb{F}_3^n \to \mathbb{F}_3^n$. Then we compute their inverses $L_1^{-1}$ and $L_2^{-1}$ and the $n$-variable quadratic polynomials $P = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2 = (p_0, p_1, \ldots, p_{n-1})$. For $\mathbf{x} = (x_0, x_1, \ldots, x_{n-1})$, we set

$$p_k(\mathbf{x}) = \sum_{i=0}^{n-1} \alpha_i^{(k)} x_i^2 + \sum_{i=0}^{n-2} \sum_{j=i+1}^{n-1} \beta_{ij}^{(k)} x_i x_j + \sum_{i=0}^{n-1} \gamma_i^{(k)} x_i + \delta^{(k)}, \quad (2)$$

where all the coefficients are in $\mathbb{F}_3$ for $k = 0, \ldots, n-1$. Then we merge the coefficients of the square and linear terms of $p_k$, that is, $\rho_i^{(k)} = \alpha_i^{(k)} + \gamma_i^{(k)}$ for $i, k = 0, 1, \ldots, n-1$, and get the public key of the modified HFE scheme, namely, $n$ quadratic polynomials $Q = (q_0, q_1, \ldots, q_{n-1})$, where, for $k = 0, \ldots, n-1$,

$$q_k(\mathbf{x}) = \sum_{i=0}^{n-2} \sum_{j=i+1}^{n-1} \beta_{ij}^{(k)} x_i x_j + \sum_{i=0}^{n-1} \rho_i^{(k)} x_i + \delta^{(k)}. \quad (3)$$

The secret key consists of $F(X)$, $L_1^{-1}$, and $L_2^{-1}$.

Encryption. The plaintext space is $\mathcal{M} = \{0, 1\}^n$. For a plaintext $\mathbf{m} \in \mathcal{M}$, we just compute $\mathbf{c} = (c_0, \ldots, c_{n-1}) = Q(\mathbf{m}) \in \mathbb{F}_3^n$ as the ciphertext.

Decryption. Given a ciphertext $\mathbf{c} \in \mathbb{F}_3^n$, we compute $\mathbf{y} = L_1^{-1}(\mathbf{c})$ and $Y = \phi^{-1}(\mathbf{y}) \in \mathbb{F}_{3^n}$, and we use the Berlekamp algorithm [6] to compute all the preimages $X \in \mathbb{F}_{3^n}$ such that $F(X) = Y$, and, for each $X$, we compute $\mathbf{x} = \phi(X) \in \mathbb{F}_3^n$. Finally, we compute $\mathbf{m} = L_2^{-1}(\mathbf{x})$. If $\mathbf{m} \in \mathcal{M}$, then we output $\mathbf{m}$ as the plaintext. If we fail to derive a vector in $\mathcal{M}$ from all the preimages $X$, we output the symbol $\bot$ designating an invalid ciphertext.

Why Decryption Works. We just observe that $m_i = 0, 1$, so $m_i^2 = m_i$. Hence, for $k = 0, 1, \ldots, n-1$,

$$\begin{aligned} c_k = q_k(\mathbf{m}) &= \sum_{i=0}^{n-2} \sum_{j=i+1}^{n-1} \beta_{ij}^{(k)} m_i m_j + \sum_{i=0}^{n-1} \rho_i^{(k)} m_i + \delta^{(k)} \\ &= \sum_{i=0}^{n-2} \sum_{j=i+1}^{n-1} \beta_{ij}^{(k)} m_i m_j + \sum_{i=0}^{n-1} \left(\alpha_i^{(k)} + \gamma_i^{(k)}\right) m_i + \delta^{(k)} \\ &= \sum_{i=0}^{n-1} \alpha_i^{(k)} m_i^2 + \sum_{i=0}^{n-2} \sum_{j=i+1}^{n-1} \beta_{ij}^{(k)} m_i m_j + \sum_{i=0}^{n-1} \gamma_i^{(k)} m_i + \delta^{(k)} \\ &= p_k(\mathbf{m}). \end{aligned} \quad (4)$$

So $\mathbf{c} = Q(\mathbf{m}) = P(\mathbf{m}) = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2(\mathbf{m})$. The modified HFE decryption recovers the plaintext $\mathbf{m}$ by peeling off the composition one by one from the leftmost side.

Remarks. The original HFE scheme [5] works on any field $\mathbb{F}_q$ and its extension $\mathbb{F}_{q^n}$. In fact, the quadratic polynomial map $P$ is exactly the public key of the original HFE scheme, and the secret key of the original scheme also consists of $F(X)$, $L_1^{-1}$, and $L_2^{-1}$. The encryption of the original HFE scheme is just to compute $\mathbf{c} = P(\mathbf{m})$, where the plaintext $\mathbf{m}$ is in $\mathbb{F}_q^n$ but not necessarily in $\mathcal{M} = \{0, 1\}^n$. The decryption algorithm of the modified HFE scheme is exactly the original HFE decryption.

2.3. Performance and Comparisons. To make a comparison between the proposed HFE modification and the original HFE scheme on a uniform platform, we consider the HFE scheme defined over $\mathbb{F}_3$ and its extension field $\mathbb{F}_{3^n}$. It can be easily seen that both the modified and the original HFE schemes share a common secret key and decryption algorithm. So both schemes have the same secret key sizes and decryption costs. In the modified scheme, the public key is $Q$, and hence we need not store the coefficients of the square terms of the public key $P$. So the proposed scheme reduces the public key size by $O(n^2)$ bits. During encryption, the proposed modification HFE scheme does not need to do the square computations, so the proposed encryption reduces the computational costs by $O(n^2)$ bit operations.

3. Security

We analyze the security of the proposed HFE modified encryption scheme. We first review the basic idea of known attacks and then illustrate why the proposal is secure against these attacks.

3.1. Linearization Equations Attack

Basic Idea. The linearization equations attack [18] was found by Patarin on the Matsumoto-Imai scheme [19]. In the Matsumoto-Imai scheme, a permutation $F(X) = X^{q^\theta + 1}$ over $\mathbb{F}_{q^n}$ with characteristic 2 is defined such that $\gcd(q^n - 1, q^\theta + 1) = 1$, then using two invertible affine transformations $L_1$

and $L_2$ to disguise the central map $F$ into a quadratic map $P$ over $\mathbb{F}_q$, namely,

$$P = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2. \quad (5)$$

The basic idea of the attack is as follows. Note that $Y = F(X) = X^{q^\theta + 1}$ implies $X Y^{q^\theta} - X^{q^{2\theta}} Y = 0$. By setting

$$\begin{aligned} \mathbf{x} &= (x_0, \ldots, x_{n-1}) = \phi(X), \\ \mathbf{y} &= (y_0, \ldots, y_{n-1}) = \phi(Y) = \phi(F(X)) = \phi\left(F\left(\phi^{-1}(\mathbf{x})\right)\right), \end{aligned} \quad (6)$$

we can express $X Y^{q^\theta} - X^{q^{2\theta}} Y = 0$ as $n$ bilinear equations about the input $\mathbf{x}$ and output $\mathbf{y}$ of the function $\phi \circ F \circ \phi^{-1}$:

$$\sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_{ij}^{(k)} x_i y_j = 0, \quad (7)$$

where $i, j, k = 0, \ldots, n-1$ and $a_{ij}^{(k)} \in \mathbb{F}_q$. Given a ciphertext $\mathbf{c} = (c_0, \ldots, c_{n-1}) = P(\mathbf{m})$, we want to recover the corresponding plaintext $\mathbf{m} = (m_0, \ldots, m_{n-1})$. Note that $\mathbf{m}$ ($\mathbf{c}$, resp.) is an affine transformation $L_2$ ($L_1$, resp.) on the input (output, resp.) of the function $\phi \circ F \circ \phi^{-1}$. So $\mathbf{m}$ and $\mathbf{c}$ satisfy the following $n$ equations derived from the $n$ bilinear equations, namely,

$$\sum_{i=0}^{n-1} \sum_{j=0}^{n-1} \alpha_{ij}^{(k)} m_i c_j + \sum_{i=0}^{n-1} \beta_i^{(k)} m_i + \sum_{i=0}^{n-1} \gamma_i^{(k)} c_i + \delta^{(k)} = 0, \quad (8)$$

where $i, j, k = 0, \ldots, n-1$ and all the coefficients are in $\mathbb{F}_q$. These $n$ equations are called linearization equations and can be efficiently computed from the public polynomials $P$. It was shown that the linearization equations have a rank of at least $n - \gcd(n, \theta)$ [20]. So given a ciphertext $\mathbf{c} = (c_0, \ldots, c_{n-1}) = P(\mathbf{m})$, we only need to solve the $n$ linearization equations to obtain the corresponding plaintext $\mathbf{m} = (m_0, \ldots, m_{n-1})$.

Why the Proposal Is Secure against the Linearization Equations Attack. We first note that the HFE scheme [5] was proposed by Patarin to thwart the linearization equations attack and no known evidence was reported on the existence of linearization equations in the HFE scheme. So the HFE scheme is secure against the linearization equations attack. As far as the proposed HFE modification scheme is concerned, we just note that, for any plaintext $\mathbf{m} \in \mathcal{M} = \{0, 1\}^n$, $\mathbf{c} = Q(\mathbf{m}) = P(\mathbf{m})$ is a valid ciphertext for both the original HFE scheme and the proposed modification HFE scheme. Therefore, we cannot hope to derive linearization equations from the modified HFE scheme.

3.2. MinRank Attacks

Basic Idea. Without loss of generality, we assume that the two invertible affine transformations $L_1$ and $L_2$ are linear [21] and define the terms of

$$F^*(X) = \sum_{0 \le i \le j < n,\; q^i + q^j \le D} a_{ij} X^{q^i + q^j} \quad (9)$$

in $F(X)$ in (1). We then can look at $F^*$ as a quadratic form about

$$\mathbf{X} = \left(X, X^q, \ldots, X^{q^{n-1}}\right); \quad (10)$$

then we associate with $F^*$ a symmetric $n$-dimensional square matrix $\mathbf{F}$ such that

$$F^*(X) = \mathbf{X} \mathbf{F} \mathbf{X}^T. \quad (11)$$

The symmetric matrix $\mathbf{F}$ is of low rank, and it is the special structure of the symmetric matrix $\mathbf{F}$ that makes the original HFE scheme insecure. We recall $0 \le i \le j < n$, $q^i + q^j \le D$ and denote the smallest integer smaller than or equal to $\log_q(D - 1) + 1$ as $r$, and we will find that all the elements of the last $n - r$ columns (rows, resp.) of $\mathbf{F}$ are zero. So the rank of the symmetric matrix $\mathbf{F}$ is at most $r$. Loosely speaking, when we apply two linear transformations on the input and output of the map $F^*$, the rank of the corresponding matrix remains at most $r$. We define the quadratic part of $P = L_1 \circ \phi \circ F \circ \phi^{-1} \circ L_2$ as $P^* = (p_0^*, \ldots, p_{n-1}^*)$, namely, for $k = 0, \ldots, n-1$,

$$p_k^*(\mathbf{x}) = \sum_{i=0}^{n-1} \alpha_i^{(k)} x_i^2 + \sum_{i=0}^{n-2} \sum_{j=i+1}^{n-1} \beta_{ij}^{(k)} x_i x_j. \quad (12)$$

Note that $F^*(X)$ can be expressed as $n$ homogeneous quadratic polynomials over the base field $\mathbb{F}_q$; then the application of two linear transformations on the input and output of $F^*(X)$ will also give $n$ homogeneous quadratic polynomials over the base field $\mathbb{F}_q$. That is to say

$$P^* = L_1 \circ \phi \circ F^* \circ \phi^{-1} \circ L_2. \quad (13)$$

Or equivalently,

$$F^* = \phi^{-1} \circ L_1^{-1} \circ P^* \circ L_2^{-1} \circ \phi. \quad (14)$$

The above equation says that we can lift the quadratic part $P^*$ of the public key $P$ to the extension field $\mathbb{F}_{q^n}$ under some unknown linear transformations to derive $F^*$ and hence $\mathbf{F}$. Kipnis and Shamir noted [7] that, by lifting the quadratic part $P^*$ of the public key $P$ of the HFE scheme to the extension field $\mathbb{F}_{q^n}$, they can find a collection of matrices. The matrix $\mathbf{F}$ is then determined by finding a linear combination of these matrices such that $\mathbf{F}$ has a minimum rank (at most $r$). Thus by solving the MinRank problem we can determine the matrix $\mathbf{F}$ and the coefficients of the linear transformation $L_1$. Though the MinRank problem is proven to be NP-complete [22, 23], the reduction to the MinRank problem does impose a serious threat on the security of the HFE scheme [7, 8].

Why the Proposal Is Secure against the MinRank Attack. To illustrate why the proposed modification of the HFE scheme is secure against the MinRank attack [7, 8], we just need to show that when lifted to the extension field $\mathbb{F}_{3^n}$, the quadratic part of the public key $Q$ is not connected with a low-rank matrix. We set the quadratic part of the public key $Q$ as $Q^* = (q_0^*, q_1^*, \ldots, q_{n-1}^*)$ with

$$q_k^*(\mathbf{x}) = \sum_{i=0}^{n-2} \sum_{j=i+1}^{n-1} \beta_{ij}^{(k)} x_i x_j \quad (15)$$

for $k = 0, \ldots, n-1$. If we lift $Q^*$ to the extension field and find that the corresponding matrix is not of low rank, we can claim our proposal is secure against the MinRank attack [7, 8]. So we define

$$F_1(X) = \phi^{-1} \circ L_1^{-1} \circ Q^* \circ L_2^{-1} \circ \phi(X) = \mathbf{X} \mathbf{F}_1 \mathbf{X}^T. \quad (16)$$

Now we show that the corresponding matrix $\mathbf{F}_1$ is not necessarily of low rank. We define $S = (s_0, s_1, \ldots, s_{n-1})$ with

$$s_k(\mathbf{x}) = \sum_{i=0}^{n-1} \alpha_i^{(k)} x_i^2 \quad (17)$$

for $k = 0, \ldots, n-1$, and

$$F_2(X) = \phi^{-1} \circ L_1^{-1} \circ S \circ L_2^{-1} \circ \phi(X) = \mathbf{X} \mathbf{F}_2 \mathbf{X}^T. \quad (18)$$

It is obvious that $P^*(\mathbf{x}) = Q^*(\mathbf{x}) + S(\mathbf{x})$. Thus we can easily verify that

$$\begin{aligned} \mathbf{X} \mathbf{F} \mathbf{X}^T = F^*(X) &= \phi^{-1} \circ L_1^{-1} \circ P^* \circ L_2^{-1} \circ \phi(X) \\ &= \phi^{-1} \circ L_1^{-1} \circ (Q^* + S) \circ L_2^{-1} \circ \phi(X) \\ &= \phi^{-1} \circ L_1^{-1} \circ Q^* \circ L_2^{-1} \circ \phi(X) + \phi^{-1} \circ L_1^{-1} \circ S \circ L_2^{-1} \circ \phi(X) \\ &= F_1(X) + F_2(X) = \mathbf{X} \mathbf{F}_1 \mathbf{X}^T + \mathbf{X} \mathbf{F}_2 \mathbf{X}^T = \mathbf{X} \left(\mathbf{F}_1 + \mathbf{F}_2\right) \mathbf{X}^T. \end{aligned} \quad (19)$$

So we get $\mathbf{F}_1 = \mathbf{F} - \mathbf{F}_2$. In this matrix equation, we only know that $\mathbf{F}$ is of low rank (at most $r$). However, the rank of the matrix $\mathbf{F}_2$ is unknown, and hence the rank of the matrix $\mathbf{F}_1$ is not necessarily low. So the adversary cannot der ive from the publicly known map $Q^*$ a low-rank matrix. So the MinRank attack does not apply to cryptanalyzing the proposed HFE modification scheme.

3.3. Algebraic Attacks

Basic Idea. One straightforward way to attack multivariate public key cryptosystems is to directly solve the multivariate quadratic equations by utilizing some algorithms to compute the Gröbner basis of some ideals. Given the ciphertext $\mathbf{c} = Q(\mathbf{m})$, we want to solve the plaintext $\mathbf{m}$ from the quadratic equations:

$$\begin{aligned} q_0(m_0, m_1, \ldots, m_{n-1}) &= c_0, \\ q_1(m_0, m_1, \ldots, m_{n-1}) &= c_1, \\ &\;\vdots \\ q_{n-1}(m_0, m_1, \ldots, m_{n-1}) &= c_{n-1}. \end{aligned} \quad (20)$$

The algebraic or the direct attacks can use some Gröbner basis algorithms such as F5 [24] and the XL [25] algorithms to solve the generators for the ideal $I = \langle q_0 - c_0, q_1 - c_1, \ldots, q_{n-1} - c_{n-1} \rangle$ generated by $q_0 - c_0, q_1 - c_1, \ldots, q_{n-1} - c_{n-1}$. It is observed [26] that the field equations $m_i^q - m_i = 0$ for $i = 0, 1, \ldots, n-1$ will be useful to simplify the computations, so we also can add the $n$ field equations to the generators; namely, we solve the Gröbner basis of the ideal

$$I = \left\langle q_0 - c_0, \ldots, q_{n-1} - c_{n-1}, m_0^q - m_0, \ldots, m_{n-1}^q - m_{n-1} \right\rangle. \quad (21)$$

Why the Proposal Is Secure against the Algebraic Attack. In the proposed modification HFE encryption scheme, we impose some restrictions on the plaintext space. The plaintext space is $\mathcal{M} = \{0, 1\}^n$ but not $\mathbb{F}_3^n$. Thus we have some additional equations that associate with the plaintext $\mathbf{m} = (m_0, m_1, \ldots, m_{n-1})$; namely, for $i = 0, 1, \ldots, n-1$, we have $m_i^2 - m_i = 0$. The plaintext block $m_i$ also satisfies the field equation $m_i^3 - m_i = 0$. However, we can derive the field equations $m_i^3 - m_i = 0$ from the equations $m_i^2 - m_i = 0$. So in the proposed modification encryption scheme, we need to find the Gröbner basis for the ideal

$$I' = \left\langle q_0 - c_0, \ldots, q_{n-1} - c_{n-1}, m_0^2 - m_0, \ldots, m_{n-1}^2 - m_{n-1} \right\rangle. \quad (22)$$

To evaluate the difficulty of the Gröbner basis algorithms to recover the plaintext, we can use the degree of regularity $D_{\mathrm{reg}}$ of the quadratic equations [27] to estimate the computational costs. The computational costs are at least $O(n^{2 D_{\mathrm{reg}}})$ bit operations, according to the results given on page 219 in [2]. Under the suggested parameters $n = 256$ and $D = 144$, the degree of regularity of the quadratic equations is $D_{\mathrm{reg}} = 5$. So the computational overhead is about $256^{10} = 2^{80}$ bit operations. So under the algebraic attacks, the proposed modification HFE encryption scheme can obtain a security level of 80 bits under the suggested parameters.

3.4. Suggested Parameters. Considering the aforementioned discussions, we suggest choosing $n = 256$ and $D = 144$. We can see from the security analysis that the proposed HFE modification encryption scheme can obtain a security level of 80 bits under the suggested parameters.

4. Conclusions

In this paper, we proposed a novel modified HFE encryption scheme. The proposed HFE modification has the following features:

(i) Universal padding scheme for multivariate public key cryptography: the proposed HFE variant can merge the square and linear terms by imposing some restrictions on the plaintext space. The proposed method is a universal padding scheme and hence can be applied to other multivariate cryptographic constructions.

(ii) Fully nonlinear transformation on the central map: the proposed method can remove all the square terms in the public multivariate quadratic polynomials and thus impose a nonlinear transformation on all the polynomials.

(iii) Security against known attacks: we illustrated that the proposed HFE modification encryption scheme is secure against known attacks including the linearization equations attack, the MinRank attack, and the algebraic attacks.

(iv) More efficient encryption and smaller public key size: the proposed modification encryption scheme does not store the square terms in the public key and hence can reduce the encryption costs by $O(n^2)$ bit operations and saves the public key storage by $O(n^2)$ bits.

As a new multivariate public key encryption, the security of the proposal needs to be studied further. So we encourage the readers to examine the security of the proposal.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by National Natural Science Foundation of China (Grants nos. 61572390, 61303232, and 61540049), National Key Research and Development Program of China (no. 2017YFB0802002), Natural Science Foundation in Ningbo of China (no. 201601HJ-B01382), Program for Science & Technology Innovation Talents in Universities of Henan Province (no. 18HASTIT022), Foundation of Henan Educational Committee (Grants nos. 16A520025 and 18A520047), Foundation for University Key Teacher of Henan Province (no. 2016GGJS-141), Open Foundation of Key Laboratory of Cognitive Radio and Information Processing, Ministry of Education (Guilin University of Electronic Technology) (no. CRKL160202), and Outstanding Young Teacher Project of Xuchang University.

References

[1] N. Koblitz and A. J. Menezes, "A survey of public-key cryptosystems," SIAM Review, vol. 46, no. 4, pp. 599–634, 2004.
[2] J. Ding, J. E. Gower, and D. S. Schmidt, Multivariate Public Key Cryptosystems, vol. 25 of Advances in Information Security, Springer, New York, Berlin, Germany, 2006.
[3] Y. Zou, W. Ma, Z. Ran, and S. Wang, "New multivariate hash function quadratic polynomials multiplying linear polynomials," IET Information Security, vol. 7, no. 3, pp. 181–188, 2013.
[4] P. W. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM Journal on Computing, vol. 26, no. 5, pp. 1484–1509, 1997.
[5] J. Patarin, "Hidden fields equations (HFE) and isomorphism of polynomials (IP): two new families of asymmetric algorithms," in Proceedings of Advances in Cryptology-Eurocrypt 1996, vol. 1070, pp. 33–48, Springer-Verlag, Saragossa, Spain, 1996.
[6] E. R. Berlekamp, "Factoring polynomials over finite fields," The Bell System Technical Journal, vol. 46, pp. 1853–1859, 1967.
[7] A. Kipnis and A. Shamir, "Cryptanalysis of the HFE public key cryptosystem by relinearization," in Proceedings of the Advances in Cryptology-Crypto 1999, vol. 1666, pp. 19–30, Springer, Berlin, Santa Barbara, CA, USA, 1999.
[8] J. C. Faugère and A. Joux, "Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases," in Proceedings of the Advances in Cryptology-Crypto 2003, vol. 2729, pp. 44–60, Springer-Verlag, Santa Barbara, USA, 2003.
[9] N. Courtois, "The security of Hidden Field Equations (HFE)," in Proceedings of the Topics in Cryptology-CT-RSA 2001, vol. 2020, pp. 266–281, Springer-Verlag, San Francisco, CA, USA.
[10] J. Patarin, N. Courtois, and L. Goubin, "QUARTZ, 128-bit long digital signatures," in Proceedings of the Topics in Cryptology-CT-RSA 2001, vol. 2020, pp. 282–297, Springer-Verlag, San Francisco, CA, USA.
[11] O. Billet, J. Patarin, and Y. Seurin, "Analysis of intermediate field systems," 2013, http://eprint.iacr.org/2009/542.
[12] C. Chen, M. S. Chen, and J. Ding, "Odd-char multivariate hidden field equations," 2013, http://eprint.iacr.org/2008/543.
[13] J. Ding, D. Schmidt, and F. Werner, "Algebraic attack on HFE revisited," in Proceedings of the International Conference on Information Security-ISC 2008, vol. 5222, pp. 215–227, Springer-Verlag, Taipei, China, 2008.
[14] C. Wolf and B. Preneel, "Taxonomy of public key schemes based on the problem of multivariate quadratic equations," 2013, https://eprint.iacr.org/2005/077.
[15] N. T. Courtois, M. Daum, and P. Felke, "On the security of HFE, HFEv- and Quartz," in Proceedings of the International Conference on Practice and Theory in Public Key Cryptography-PKC 2003, vol. 2567, pp. 337–350, Springer-Verlag, Miami, FL, USA, 2003.
[16] L. Bettale, J. C. Faugère, and L. Perret, "Cryptanalysis of HFE, Multi-HFE and variants for odd and even characteristic," Designs, Codes and Cryptography, vol. 69, no. 1, pp. 1–52, 2013.
[17] L. Bettale, J.-C. Faugère, and L. Perret, "Cryptanalysis of multivariate and odd-characteristic HFE variants," in Proceedings of the International Conference on Practice and Theory in Public Key Cryptography-PKC 2011, vol. 6571, pp. 441–458, Springer, Heidelberg.
[18] J. Patarin, "Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt '88," in Advances in Cryptology-CRYPTO '95, vol. 963, pp. 248–261, Springer, Berlin, Santa Barbara, CA, USA, 1995.
[19] T. Matsumoto and H. Imai, "Public quadratic polynomial-tuples for efficient signature-verification and message-encryption," in Advances in Cryptology-EUROCRYPT '88, vol. 330, pp. 419–453, Springer, Berlin, Davos, Switzerland, 1988.
[20] A. Diene, J. Ding, J. E. Gower, T. J. Hodges, and Z. Yin, "Dimension of the linearization equations of the Matsumoto-Imai cryptosystems," in Proceedings of the International Workshop on Coding and Cryptography-WCC 2005, vol. 3969, pp. 242–251, Springer-Verlag, Bergen, Norway, 2005.
[21] L. Perret, "A fast cryptanalysis of the isomorphism of polynomials with one secret problem," in Proceedings of the Advances in Cryptology-Eurocrypt 2005, vol. 3494, pp. 354–370, Springer-Verlag, Aarhus, Denmark, 2005.
[22] J. F. Buss, G. S. Frandsen, and J. O. Shallit, "The computational complexity of some problems of linear algebra (extended abstract)," in Proceedings of the Symposium on Theoretical Aspects of Computer Science-STACS 1997, vol. 1200, pp. 451–462, Springer-Verlag, Lübeck, Germany, 1997.
[23] J.-C. Faugère, M. S. El Din, and P.-J. Spaenlehauer, "On the complexity of the generalized MinRank problem," Journal of Symbolic Computation, vol. 55, no. 1, pp. 30–58, 2013.
[24] J.-C. Faugère, "A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)," in Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation-ISSAC 2002, pp. 75–83, ACM Press, New York, NY, USA, 2002.
[25] N. Courtois, A. Klimov, J. Patarin et al., "Efficient algorithms for solving overdefined systems of multivariate polynomial equations," in Proceedings of the Advances in Cryptology-Eurocrypt 2000, vol. 1807, pp. 392–407, Springer-Verlag, Bruges, Belgium, 2000.
[26] N. T. Courtois and J. Patarin, "About the XL algorithm over GF(2)," in Proceedings of the Topics in Cryptology-CT-RSA 2003, vol. 2612, pp. 141–157, Springer-Verlag, San Francisco, CA, USA, 2003.
[27] V. Dubois and N. Gama, "The degree of regularity of HFE systems," in Proceedings of the Advances in Cryptology-Asiacrypt 2010, vol. 6477, pp. 557–576, Springer-Verlag, Singapore, 2010.
