Hindawi Security and Communication Networks Volume 2017, Article ID 9289410, 6 pages https://doi.org/10.1155/2017/9289410
Research Article Building Secure Public Key Encryption Scheme from Hidden Field Equations
Yuan Ping,1,2 Baocang Wang,1,3 Yuehua Yang,1 and Shengli Tian1
1 School of Information Engineering, Xuchang University, Xuchang 461000, China 2Guizhou Provincial Key Laboratory of Public Big Data, Guiyang 550025, China 3State Key Laboratory of Integrated Service Networks, Xidian University, Xiβan 710071, China
Correspondence should be addressed to Baocang Wang; [email protected]
Received 4 April 2017; Accepted 5 June 2017; Published 10 July 2017
Academic Editor: Dengpan Ye
Copyright Β© 2017 Yuan Ping et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Multivariate public key cryptography is a set of cryptographic schemes built from the NP-hardness of solving quadratic equations over finite fields, amongst which the hidden field equations (HFE) family of schemes remain the most famous. However, the original HFE scheme was insecure, and the follow-up modifications were shown to be still vulnerable to attacks. In this paper, we propose 2 a new variant of the HFE scheme by considering the special equation π₯ =π₯defined over the finite field F3 when π₯=0,1. We observe that the equation can be used to further destroy the special structure of the underlying central map of the HFE scheme. It is shown that the proposed public key encryption scheme is secure against known attacks including the MinRank attack, the algebraic attacks, and the linearization equations attacks. The proposal gains some advantages over the original HFE scheme with respect to the encryption speed and public key size.
1. Introduction central map F(π) can be represented with a low-rank matrix [7], which makes it vulnerable to MinRank attacks [7β9]. Public key cryptography [1] built from the NP-hardness So some modifications are needed to repair the basic HFE of solving multivariate quadratic equations over finite filed scheme [10β14]. However, all known modification methods [2, 3] was conceived as a plausible candidate to traditional only can impose partial nonlinear transformation on the factorization and discrete logarithm based public key cryp- special structure of the HFE central map, and hence they are tosystems due to its high performance and the resistance to quantum attacks [4]. The hidden field equations (HFE) still vulnerable to some attacks [15β17]. scheme [5] may be the most famous cryptosystem amongst We consider the HFE scheme over finite fields with all multivariate public key cryptographic schemes. The HFE characteristic 3. We impose some restrictions on the plaintext scheme firstly defines a univariate map over an extension field space and can use the restriction to merge the coefficients Fππ : of the linear part and the square part. By doing this, we
π π π can impose a fully nonlinear transformation on the central (π) = β π ππ +π + β π ππ + π, F ππ π (1) map of the HFE encryption scheme. Performance analysis 0β€πβ€π<π,ππ+ππβ€π· 0β€π<π,ππβ€π· shows that the modification can save the public key storage (π2) where the degree bound π· chosen cannot be very large by O bits and reduces the encryption costs by about (π2) in order that the user can use the Berlekamp algorithm O bit operations. It is shown that the modification can [6] to efficiently compute the roots of F(π). Then two defend the known attacks including the MinRank attack, invertible affine transformations are applied to hide the the linearization equations attack, and the direct algebraic special structure of the central map [2, 5]. However, the attacks. 2 Security and Communication Networks
2. Proposal Why Decryption Works.Wejustobservethatππ =0,1,so 2 ππ =ππ.Hence,forπ=0,1,...,πβ1, 2.1. Notations. Let Fπ be a π-order finite field with π being aprimepower.Letπ(π₯) be an irreducible polynomial πβ2 πβ1 πβ1 (π) (π) (π) π F F π = F [π₯]/β¨π(π₯)β© with degree over π;then π π forms a ππ =ππ (m) = β β π½ππ ππππ + βππ ππ +πΏ degree-π extension field. The construction admits a standard π=0 π=π+1 π=0 π Fππ isomorphism between the extension field and the vector πβ2 πβ1 πβ1 π πβ1 π F π(π₯) = β π π₯ β F π (π) (π) (π) (π) space π ;namely,foranelement π=0 π π ,we = β β π½ ππππ + β (πΌ +πΎ )ππ +πΏ π ππ π π have π(π(π₯))0 =(π ,...,ππβ1)βFπ .Wedenotetheinverseof π=0 π=π+1 π=0 (4) β1 ππ map π as π .NotethattheFrobeniusmapsT(π) = π for πβ1 πβ2 πβ1 πβ1 (π) 2 (π) (π) (π) π=0,1,...,πβ1 F π F defined over π are π-linear; namely, when = βπΌπ ππ + β β π½ππ ππππ + βπΎπ ππ +πΏ expressed in the base field Fπ, T(π) will be π-dimensional π=0 π=0 π=π+1 π=0 linear functions over Fπ. =ππ (m) . 2.2. Description. The encryption scheme consists of three β1 So c = Q(m)=P(m)=L1 βπβF βπ β L2(m).The subalgorithms: key generation, encryption, and decryption. modified HFE decryption recovers the plaintext m by peeling off the composition one by one from the leftmost side. Key Generation. The system parameters consist of an irre- ducible polynomial π(π₯) with degree π over F3, the extension Remarks. The original HFE scheme [5] works on any field Fπ field F3π = F3[π₯]/β¨π(π₯)β©, and the isomorphism π between π and its extension Fππ . In fact, the quadratic polynomial map F π F F(π) 3 and 3 . Firstly, we define an HFE map in (1) P is exactly the public key of the original HFE scheme, and and randomly choose two invertible affine transformations π π π π the secret key of the original scheme also consists of F(π), L1 : F3 β F3 and L2 : F3 β F3 .Thenwecompute β1 β1 β1 β1 L1 ,andL2 . The encryption of the original HFE scheme π their inverses L1 and L2 and the π-variable quadratic c = P(m) m F β1 is just to compute , where the plaintext is in π polynomials P = L1 βπβF βπ β L2 =(π0,π1,...,ππβ1). M = {0, 1}π x =(π₯,π₯ ,...,π₯ ) but not necessarily in .Thedecryptionalgorithm For 0 1 πβ1 ,weset of the modified HFE scheme is exactly the original HFE decryption. πβ1 πβ2 πβ1 πβ1 (π) 2 (π) (π) (π) ππ (x) = βπΌπ π₯π + β β π½ππ π₯ππ₯π + βπΎπ π₯π +πΏ , (2) 2.3. Performance and Comparisons. To make a comparison π=0 π=0 π=π+1 π=0 between the proposed HFE modification and the original HFE schemes in a uniform platform, we consider the HFE scheme defined over F3 and its extension field F3π .Itcan whereallthecoefficientsareinF3 for π = 0,...,πβ1.Then be easily seen that both the modified and the original we merge the coefficients of the square and linear terms of ππ, HFE schemes share a common secret key and decryption (π) (π) (π) that is, ππ =πΌπ +πΎπ for π,π= 0,1,...,πβ1,andgetthe algorithm. So both schemes have the same secret key sizes public key of the modified HFE scheme, namely, π quadratic anddecryptioncosts.Inthemodifiedscheme,thepublickey polynomials Q =(π0,π1,...,ππβ1),where,forπ=0,...,πβ1, is Q, and hence we need not to store the coefficients of the square terms of the public key P. So the proposed scheme 2 reduces the public key size by O(π ) bits. During encryption, πβ2 πβ1 πβ1 π (x) = β β π½(π)π₯ π₯ + βπ(π)π₯ +πΏ(π). the proposed modification HFE scheme does not need to do π ππ π π π π (3) the square computations, so the proposed encryption reduces π=0 π=π+1 π=0 2 the computational costs by O(π ) bit operations.
β1 β1 The secret key consists of F(π), L1 ,andL2 . 3. Security π Encryption. The plaintext space is M = {0, 1} . For a plaintext We analyze the security of the proposed HFE modified π m β M,wejustcomputec =(π0,...,ππβ1)=Q(m)βF3 as encryption scheme. We first review the basic idea of known the ciphertext. attacks and then illustrate why the proposal is secure against these attacks. π Decryption. Given a ciphertext c β F3 ,wecomputey = β1 β1 L1 (c) and π=π (y)βF3π ,andweusetheBerlekamp 3.1. Linearization Equations Attack algorithm [6] to compute all the preimages πβF3π such that π F(π) =,and,foreach π π,wecomputex =π(π)βF3 . Basic Idea. Linearization equations attack [18] was found m = Lβ1(x) m β M by Patarin on the Matsumoto-Imai scheme [19]. In the Finally, we compute 2 .If ;thenweoutput ππ+1 m as the plaintext. If we fail to derive a vector in M form Matsumoto-Imai scheme, a permutation F(π) = π over π π all the preimages π,weoutputthesymbolβ₯ designating an Fππ with characteristic 2 is defined such that gcd(π β1,π + invalid ciphertext. 1) = 1,thenusingtwoinvertibleaffinetransformationsL1 Security and Communication Networks 3
β and L2 to disguise the central map F into a quadratic map in F(π) in (1). We then can look at F as a quadratic form P over Fπ,namely, about π ππβ1 β1 X =(π,π,...,π ); P = L1 βπβF βπ β L2. (5) (10) β The basic idea of the attack is as follows. Note that π= then we associate with F asymmetricπ-dimensional square ππ+1 ππ π2π F(π) = π implies ππ βπ π=0.Bysetting matrix F such that Fβ (π) = XFXπ. x =(π₯0,...,π₯πβ1)=π(π) , (11) The symmetric matrix F is of low rank, and it is the special y =(π¦0,...,π¦πβ1)=π(π) =π(F (π)) (6) structure of the symmetric matrix F that makes the original π π =π(F (πβ1 (x))) , HFE scheme insecure. We recall 0β€πβ€π<π, π +π β€ π· and denote the smallest integer smaller than or equal to ππ π2π (π· β 1) +1 π we can express ππ βπ π=0as π bilinear equations about logπ as , and we will find that all the elements of β1 πβπ F input x and output y of function πβF βπ : the last columns (rows, resp.) of are zero. So the rank of the symmetric matrix F is at most π.Looselyspeaking,when πβ1 πβ1 we apply two linear transformations on the input and output β βπ(π)π₯ π¦ =0, β ππ π π (7) of the map F , the rank of the corresponding matrix remains π=0 π=0 at most π. We define the quadratic part of P = L1 βπβF β β1 β β β (π) π β L2 as P =(π0 ,...,ππβ1),namely,forπ=0,...,πβ1, where π,π,π=0,...,πβ1and πππ β Fπ. Given a ciphertext c = πβ1 πβ2 πβ1 (π0,...,ππβ1)=P(m), we want to recover the corresponding πβ (x) = βπΌ(π)π₯2 + β β π½(π)π₯ π₯ . plaintext m =(π0,...,ππβ1).Notethatm (c,resp.)isan π π π ππ π π (12) π=0 π=0 π=π+1 affine transformation L2 (L1,resp.)ontheinput(output, β1 πβF βπ m c β resp.) of the function .So and satisfy the Note that F (π) canbeexpressedasπ homogeneous following π equations derived from the π bilinear equations, quadraticpolynomialsoverthebasefieldFπ; then the applica- namely, tion of two linear transformations on the input and output of β πβ1 πβ1 πβ1 πβ1 F (π) will also give π homogeneous quadratic polynomials (π) (π) (π) (π) β βπΌππ ππππ + βπ½π ππ + βπΎπ ππ +πΏ =0, (8) overthebasefieldFπ.Thatistosay π=0 π=0 π=0 π=0 β β β1 P = L1 βπβF βπ β L2. (13) where π,π,π = 0,...,πβ 1 andallthecoefficientsinFπ. These π equations are called linearization equations and can Or equivalently, be efficiently computed from the public polynomials P.Itwas β β1 β1 β β1 F =π β L β P β L βπ. (14) shown that the linearization equations have a rank of at least 1 2 πβgcd(π, π) [20]. So given a ciphertext c =(π0,...,ππβ1)= Theaboveequationsaysthatwecanliftthequadraticpart P(m) π β ,weonlyneedtosolvethe linearization equations to P of the public key P to the extension field Fππ under some m =(π,...,π ) β obtain the corresponding plaintext 0 πβ1 . unknown linear transformations to derive F and hence F. Kipnis and Shamir noted [7] that, by lifting the quadratic part β Why the Proposal Is Secure against the Linearization Equa- P of the public key P of the HFE scheme to the extension tions Attack.WefirstnotethattheHFEscheme[5]was field Fππ , they can find a collection of matrices. The matrix F proposed by Patarin to thwart the linearization equations is then determined by finding a linear combination of these attack and no known evidence was reported on the existence matrices such that F has a minimum rank (at most π). Thus by of linearization equations in the HFE scheme. So the HFE solving the MinRank problem we can determine the matrix F scheme is secure against linearization equations attack. As and the coefficients of the linear transformation L1.Though far as the proposed HFE modification scheme is concerned, π theMinRankproblemisproventobeNP-complete[22,23], we just note that, for any plaintext m β M ={0,1}, c = Q(m)=P(m) thereductiontotheMinRankproblemdoesimposeaserious is a valid ciphertext for both the original security threat on the security of the HFE scheme [7, 8]. FHEschemeandtheproposedmodificationHFEscheme. Therefore,wecannothopetoderivelinearizationequations Why the Proposal Is Secure against the MinRank Attack.To from the modified HFE scheme. illustrate why the proposed modification of the HFE scheme is secure against the MinRank attack [7, 8], we just need to 3.2. MinRank Attacks show that when lifted to the extension field F3π , the quadratic part of the public key Q is not connected with a low-rank β Basic Idea. Without loss of generality, we assume that the two matrix. We set the quadratic part of the public key Q as Q = invertible affine transformations L1 and L2 are linear [21] β β β (π0 ,π1 ,...,ππβ1) with and define the terms of π π πβ2 πβ1 Fβ (π) = β π ππ +π πβ = (x) = β β π½(π)π₯ π₯ ππ (9) π ππ π π (15) 0β€πβ€π<π,ππ+ππβ€π· π=0 π=π+1 4 Security and Communication Networks
β for π=0,...,πβ1.IfweliftQ to the extension field and find be useful to simplify the computations, so we also can add that the corresponding matrix is not of low rank, we can claim the π field equations to the generators; namely, we solve the ourproposalissecureagainsttheMinRankattack[7,8].So GrobnerΒ¨ basis of the ideal we define β π π I =β¨π0 βπ0,...,ππβ1 βππβ1,π0 βπ0,...,ππβ1 β1 β1 β β1 π F1 (π) =π β L1 β Q β L2 βπ(π) = XF1X . (16) (21) βππβ1β©. Now we show that the corresponding matrix F1 is of not necessarily low rank. We define S =(π 0,π 1,...,π πβ1) with Why the Proposal Is Secure against the Algebraic Attack. In the proposed modification HFE encryption scheme, we πβ1 impose some restrictions on the plaintext space. The plaintext π (x) = βπΌ(π)π₯2 π π π π π (17) space is M ={0,1}but not F3 .Thuswehavesome π=0 additional equations that associate with the plaintext m = (π0,π1,...,ππβ1);namely,forπ = 0,π,...,π,wehave β1 for π=0,...,πβ1,and 2 ππ βππ =0. The plaintext block ππ also satisfies the field β1 β1 β1 π π3 βπ =0 F2 (π) =π β L β S β L βπ(π) = XF2X . (18) equation π π . However, we can derive the field 1 2 3 2 equations ππ βππ =0from the equations ππ βππ =0. β β It is obvious that P (x)=Q (x)+S(x).Thuswecaneasily So in the proposed modification encryption scheme, we need verify that to find the GrobnerbasisfortheidealΒ¨ π β β1 β1 β β1 IσΈ =β¨π βπ,...,π βπ ,π2 βπ ,...,π2 XFX = F (π) =π β L1 β P β L2 βπ(π) 0 0 πβ1 πβ1 0 0 πβ1 (22) β1 β1 β β1 =π β L1 β(Q + S)βL2 βπ(π) βππβ1β©. β1 β1 β β1 β1 β1 =π β L1 β Q β L2 βπ(π) +π β L1 (19) To evaluate the difficulty of the GrobnerΒ¨ basis algorithms to recover the plaintext, we can use the degree of regularity π· β S β Lβ1 βπ(π) = F (π) + F (π) reg 2 1 2 of the quadratic equations [27] to estimate the computational 2π· costs. The computational costs are at least O(π reg ) bit = XF Xπ + XF Xπ = X (F + F ) Xπ. 1 2 1 2 operations, according to the results given on page 219 in [2]. Under the suggested parameters π = 256 and π· = 144, So we get F1 = F β F2. In this matrix equation, we only know π· = the degree of regularity of the quadratic equations is reg that F is of low rank (at most π). However, the rank of the 10 80 5. So the computational overhead is about 256 =2 matrix F2 is unknown, and hence the rank of the matrix F1 is not necessarily low. So the adversary cannot derive from the bit operations. So under the algebraic attacks, the proposed β publicly known map Q alow-rankmatrix.SotheMinRank modification HFE encryption scheme can obtain a security attack does not apply to cryptanalyzing the proposed HFE level of 80 bits under the suggested parameters. modification scheme. 3.4. Suggested Parameters. Considering the aforementioned discussions, we suggest choosing π = 256 and π· = 144. 3.3. Algebraic Attacks We can see from the security analysis that the proposed HFE Basic Idea. One straightforward way to attack multivariate modification encryption scheme can obtain a security level of public key cryptosystems is to directly solve the multivariate 80 bits under the suggested parameters. quadratic equations by utilizing some algorithms to compute the GrobnerΒ¨ basis of some ideals. Given the ciphertext c = 4. Conclusions Q(m), we want to solve the plaintext m from the quadratic equations: In this paper, we proposed a novel modified HFE encryption scheme. The proposed HFE modification has the following
π0 (π0,π1,...,ππβ1)=π0, features:
π1 (π0,π1,...,ππβ1)=π1, (i) Universal padding scheme for multivariate public key encryptions:theproposedHFEvariantcanmergethe (20) . square and linear terms by imposing some restrictions . on the plaintext space. The proposed method is a π (π ,π ,...,π )=π . universal padding scheme and hence can be used to πβ1 0 1 πβ1 πβ1 other multivariate cryptographic constructions. ThealgebraicorthedirectattackscanusesomeGrobnerΒ¨ basis (ii) Fully nonlinear transformation on the central map:the algorithms such as F5 [24] and the XL [25] algorithms to solve proposed method can remove all the square terms the generators for the ideal I =β¨π0βπ0,π1βπ1,...,ππβ1βππβ1β© in the public multivariate quadratic polynomials and generated by π0 βπ0,π1 βπ1,...,ππβ1 βππβ1.Itisobserved[26] thus impose a nonlinear transformation on all the π that the field equations ππ βππ =0for π=0,1,...,πβ1will polynomials. Security and Communication Networks 5
(iii) Security against known attacks: we illustrated that the [8] J. C. Faugere` and A. Joux, βAlgebraic cryptanalysis of hidden proposed HFE modification encryption scheme is field equation (HFE) cryptosystems usingobner GrΒ¨ bases,β in secure against known attacks including the lineariza- Proceedings of the Advances in Cryptology-Crypto 2003,vol. tion equation attack, the MinRank attack, and the 2729, pp. 44β60, Springer-Verlag, Santa Barbara, USA, 2003. algebraic attacks. [9] N. Courtois, βThe security of Hidden Field Equations (HFE),βin ProceedingsoftheTopicsinCryptology-CT-RSA2001,vol.2020, (iv) More efficient encryption and smaller public key :size pp.266β281,Springer-Verlag,SanFrancisco,CA,USA. the proposed modification encryption scheme does notstorethesquaretermsinthepublickeyand [10] J. Patarin, N. Courtois, and L. Goubin, βQUARTZ, 128-bit long O(π2) digital signatures,β in Proceedings of the Topics in Cryptology- hencecanreducetheencryptioncostsby bit CT-RSA 2001,vol.2020,pp.282β297,Springer-Verlag,San O(π2) operations and saves the public key storage by Francisco, CA, USA. bits. [11] O. Billet, J. Patarin, and Y.Seurin, βAnalysis of intermediate field As a new multivariate public key encryption, the security systems,β 2013, http://eprint.iacr.org/2009/542. of the proposal needs to be furthered. So we encourage the [12]C.Chen,M.S.Chen,andJ.Ding,βOdd-charmultivariate readers to examine the security of the proposal. hidden field equations,β 2013, http://eprint.iacr.org/2008/543. [13] J. Ding, D. Schmidt, and F. Werner, βAlgebraic attack on HFE Conflicts of Interest revisited,β in Proceedings of the International Conference on Information Security-ISC 2008,vol.5222,pp.215β227,Springer- The authors declare that they have no conflicts of interest. Verlag, Taipei, China, 2008. [14] C. Wolf and B. Preneel, βTaxonomy of public key schemes Acknowledgments basedontheproblemofmultivariatequadraticequations,β2013, https://eprint.iacr.org/2005/077. This work was supported by National Natural Science [15] N. T. Courtois, M. Daum, and P. Felke, βOn the security of Foundation of China (Grants nos. 61572390, 61303232, and HFE, HFEv- and Quartz,β in Proceedings of the International 61540049), National Key Research and Development Pro- Conference on Practice and Theory in Public Key Cryptography- gram of China (no. 2017YFB0802002), Natural Science Foun- PKC 2003,vol.2567,pp.337β350,Springer-Verlag,Miami,Fl, dation in Ningbo of China (no. 201601HJ-B01382), Program USA, 2003. for Science & Technology Innovation Talents in Univer- [16] L. Bettale, J. C. Faugere,` and L. Perret, βCryptanalysis of sities of Henan Province (no. 18HASTIT022), Foundation HFE, Multi-HFE and variants for odd and even characteristic,β of Henan Educational Committee (Grants nos. 16A520025 Designs, Codes and Cryptography,vol.69,no.1,pp.1β52,2013. and 18A520047), Foundation for University Key Teacher of [17] L. Bettale, J.-C. Faugere,` and L. Perret, βCryptanalysis of Henan Province (no. 2016GGJS-141), Open Foundation of multivariate and odd-characteristic hfe variants,βin Proceedings Key Laboratory of Cognitive Radio and Information Process- of the International Conference on Practice and Theory in Public ing, Ministry of Education (Guilin University of Electronic Key Cryptography-PKC 2011,vol.6571,pp.441β458,Springer, Technology) (no. CRKL160202), and Outstanding Young Heidelberg. Teacher Project of Xuchang University. [18] J. Patarin, βCryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt β88,β in Advances in cryptology-CRYPTO β95,vol.963,pp.248β261,Springer,Berlin,SantaBarbara,CA, References USA, 1995. [1] N. Koblitz and A. J. Menezes, βAsurvey of public-key cryptosys- [19] T.Matsumoto and H. Imai, βPublic quadratic polynomial-tuples tems,β SIAM Review, vol. 46, no. 4, pp. 599β634, 2004. for efficient signature-verification and message-encryption,β in [2] J. Ding, J. E. Gower, and D. S. Schmidt, Multivariate Public Advances in cryptology-EUROCRYPT β88,vol.330,pp.419β453, Key Cryptosystems,vol.25ofAdvances in Information Security, Springer, Berlin, Davos, Switzerland, 1988. Springer,NewYork,Berlin,Germany,2006. [20]A.Diene,J.Ding,J.E.Gower,T.J.Hodges,andZ.Yin,βDimen- [3]Y.Zou,W.Ma,Z.Ran,andS.Wang,βNewmultivariatehash sion of the linearization equations of the Matsumoto-Imai function quadratic polynomials multiplying linear polynomi- cryptosystems,β in Proceedings of the International Workshop on als,β IET Information Security,vol.7,no.3,pp.181β188,2013. Coding and Cryptography-WCC 2005,vol.3969,pp.242β251, [4] P.W.Shor, βPolynomial-time algorithms for prime factorization Springer-Verlag, Bergen, Norway, 2005. and discrete logarithms on a quantum computer,β SIAM Journal [21] L. Perret, βA fast cryptanalysis of the isomorphism of polyno- on Computing,vol.26,no.5,pp.1484β1509,1997. mials with one secret problem,β in Proceedings of the Advances [5] J. Patarin, βHidden fields equations (HFE) and isomorphism of in Cryptology-Eurocrypt 2005,vol.3494,pp.354β370,Springer- polynomials (IP): two new families of asymmetric algorithms,β Verlag, Aarhus, Denmark, 2005. in Proceedings of Advances in Cryptology-Eurocrypt 1996,vol. [22]J.F.Buss,G.S.Frandsen,andJ.O.Shallit,βThecomputational 1070, pp. 33β48, Springer-Verlag, Saragossa, Spain, 1996. complexity of some problems of linear algebra (extended [6] E. R. Berlekamp, βFactoring polynomials over finite fields,β The abstract),β in Proceedings of the Symposium on Theoretical Bell System Technical Journal,vol.46,pp.1853β1859,1967. Aspects of Computer Science-STACS 1997,vol.1200,pp.451β462, [7] A. Kipnis and A. Shamir, βCryptanalysis of the HFE public key Springer-Verlag, Lubeck,Β¨ Germany, 1997. cryptosystem by relinearization,β in Proceedings of the Advances [23] J.-C. Faugere,` M. S. El Din, and P.-J. Spaenlehauer, βOn the in Cryptology-Crypto 1999,vol.1666,pp.19β30,Springer,Berlin, complexity of the generalized MinRank problem,β Journal of Santa Barbara, CA, USA, 1999. Symbolic Computation,vol.55,no.1,pp.30β58,2013. 6 Security and Communication Networks
[24] J.-C. Faugere,` βAnew efficient algorithm for computing GrobnerΒ¨ bases without reduction to zero (F5),β in Proceedings of the 2002 International Symposium on Symbolic And Algebraic Computation-ISSAC 2002,pp.75β83,ACMPress,NewYork, NY, USA, 2002. [25] N. Courtois, A. Klimov, J. Patarin et al., βEfficient algorithms for solving overdefined systems of multivariate polynomial equa- tions,β in Proceedings of the Advances in Cryptology-Eurocrypt 2000, vol. 1807, pp. 392β407, Springer-Verlag, Bruges, Belgium, 2000. [26] N. T. Courtois and J. Patarin, βAbout the XL algorithm over GF(2),βin Proceedings of the Topics in Cryptology-CT-RSA 2003, vol. 2612, pp. 141β157, Springer-Verlag, San Francisco, CA, USA, 2003. [27] V. Dubois and N. Gama, βThe degree of regularity of HFE systems,βin Proceedings of the Advances in Cryptology-Asiacrypt 2010,vol.6477,pp.557β576,Springer-Verlag,Singapore,2010. International Journal of Rotating Machinery
International Journal of Journal of The Scientific Journal of Distributed (QJLQHHULQJ World Journal Sensors Sensor Networks Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 201 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014
Journal of Control Science and Engineering
Advances in Civil Engineering Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014
Submit your manuscripts at https://www.hindawi.com
Journal of Journal of Electrical and Computer Robotics Engineering Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014
VLSI Design Advances in OptoElectronics ,QWHUQDWLRQDO-RXUQDORI Modelling & International Journal of Simulation $HURVSDFH Navigation and in Engineering Observation (QJLQHHULQJ
Hindawi Publishing Corporation Hindawi Publishing Corporation +LQGDZL3XEOLVKLQJ&RUSRUDWLRQ Hindawi Publishing Corporation Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 KWWSZZZKLQGDZLFRP 9ROXPH http://www.hindawi.com Hindawi Publishing Corporation http://www.hindawi.com Volume 201-
International Journal of International Journal of Antennas and Active and Passive Advances in Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration
Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014