A Multivariate Encryption Scheme with Rainbow
Abstract
Multivariate Public Key Cryptosystems (MPKC) are a candidate for post-quantum cryptography. The MPKC signature scheme Rainbow offers efficient signature generation and verification, and no major attack against it has been reported so far. In this paper, we propose an MPKC encryption scheme based on Rainbow. The public key of Rainbow is a surjective polynomial map, whereas an encryption scheme requires an injective polynomial map. We explain how to change the public key of Rainbow into an injective map.
Keywords
Multivariate Public Key Cryptosystem, Rainbow, Square, Post-quantum cryptography
1 Introduction
1.1 Motivation and Background
The foundation of public key cryptography currently consists of RSA and elliptic curve cryptography. However, these two cryptosystems do not have sufficient resistance against quantum computers. Therefore, the current foundation of public key cryptography needs to shift to cryptography that resists attacks by quantum computers, which is called post-quantum cryptography [12], before quantum computers become widespread. Since 2013, a working group on post-quantum cryptography at NIST has been studying the standardization of post-quantum cryptography. ETSI is also holding a regular Quantum-Safe-Crypto Workshop. The main candidates for post-quantum cryptography are lattice-based cryptography, code-based cryptography, multivariate public key cryptography, and hash-based cryptography.
1.2 Previous Work and Challenging Issues
The encryption scheme \(C^*\) proposed in [29] is considered to be the first MPKC scheme. However, Patarin in [33] showed an efficient attack against \(C^*\). After that, many encryption schemes have been proposed [17, 35, 36]. However, efficient attacks have been found against most of these schemes [9, 13, 21, 27], and at present only a few MPKC encryption schemes remain safe. Among them are ZHFE [39], ABC [41] and cubic ABC [14]. Besides safety, it is also important to design a secure MPKC encryption scheme which has efficient encryption and decryption algorithms.
As for signature schemes, SFlash [36] and TTS [10] have been proposed, but efficient attacks against these schemes have been found [13, 16]. Rainbow [15] is a signature scheme which has efficient signature generation and verification. Its security has been analyzed by several researchers, and so far no major attack against it has been found.
1.3 Contribution
We propose a new encryption scheme which has an efficient decryption algorithm. The proposed scheme is a combination of the encryption scheme “Square” [7] and the signature scheme “Rainbow”. Since decryption in both Square and Rainbow is efficient, the decryption of the proposed scheme is also efficient. Furthermore, we analyze the security of the proposed scheme, considering the existing attacks against Square, the existing attacks against Rainbow, and others. Based on this security analysis, we estimate the parameters yielding 80-bit, 112-bit and 160-bit security levels. Finally, for these parameters we have implemented the new scheme and measured the encryption time and the decryption time.
In MPKC, encryption schemes and signature schemes deploy different kinds of multivariate polynomial maps. MPKC signature schemes often use surjective maps because, for an arbitrary message, at least one corresponding signature has to be generated. On the other hand, MPKC encryption schemes use injective maps because otherwise the scheme would cause decryption failures. For instance, the lattice-based encryption scheme NTRU can cause decryption failures, but NTRU avoids this problem by tuning parameters so that the probability that a decryption failure occurs is minimal. Among MPKC encryption schemes, ABC also has this problem. The original ABC has a non-negligible probability of decryption failure, but it was improved by using almost injective multivariate maps so that the probability is minimized [42].
Our scheme adopts basically the same policy as the improved ABC. The multivariate map associated with our scheme is almost injective. To this end, we use two devices: (1) the vinegar variables used in Rainbow are replaced by the variables of an encryption scheme (which in this paper is Square), and (2) the number of equations is increased for each layer in Rainbow. About (1): in the decryption of Rainbow, a signer can substitute several values for the vinegar variables. However, in an encryption scheme, the decryption result has to coincide in a unique way with the plain text. We make use of the decryption method of Square instead of substituting values for the vinegar variables, so that the inverse is determined uniquely. The reason why we adopt Square as the encryption scheme in (1) is that it has strong tolerance against the direct attacks [12] and an efficient decryption algorithm. Next, we explain (2). In the decryption of Rainbow, solving linear equations is required for each layer. The linear equations may be degenerate, in which case the decryption algorithm reselects the values of the vinegar variables and reconstructs the linear equations. However, since the proposed scheme does not use vinegar variables, we increase the number of equations so that the linear equations are not degenerate. As the number of equations increases, the probability of degeneration becomes lower; thus we can control the probability.
Square requires a square root computation during decryption. This computation is executed by an exponentiation algorithm. In the original paper [7], the decryption takes more than ten times as long as the encryption. We instead adopt the multi-exponentiation technique [32], which has been put into practice in efficient pairing computations [40], GLV [23] and GLS [24], so that, for Square alone, we achieve about a 10-fold acceleration of the decryption of the original Square.
1.4 Comparison with Related Works
The public key size of the proposed scheme is about 30 times smaller than that of ABC. The decryption of the proposed scheme is more efficient than that of ZHFE because ZHFE requires heavy computations like the Berlekamp algorithm for decryption.
The direct attack is an attack which directly computes the plain text from a cipher text and the public key. Gröbner basis computations are often used for this attack. From our experiments for low parameters, we observed that the multivariate system provided by the proposed scheme is semi-regular [4]. Since Square has the property that its security against the direct attack is strong [11], and Rainbow has a wide range of possible secret keys, we can expect that the security of our scheme against direct attacks is also strong. Therefore, we infer that our scheme also has the semi-regular property for higher parameters. On the other hand, since ABC does not have the semi-regular property, it has to select a higher number of variables and of equations than our scheme.
The multivariate polynomial maps used in our scheme are constructed from those of Square and Rainbow, and additionally, randomly chosen polynomial maps are appended. Adding such polynomials is called the Plus method [12], which is used mainly to enhance security. In fact, due to the Plus method, the UOV attack, the UOV-Reconciliation attack and the Rainbow-Band-Separation attack cannot be applied to our scheme. We remark that the Plus method cannot be applied to the original Rainbow either, because finding an inverse image of a randomly chosen polynomial map requires a searching process, and therefore the signature generation of Rainbow would lose its good efficiency. On the other hand, in the case of our scheme, since the decryption requires only the decryption of Square and the decryption of Rainbow, the inverse computation of the plus part is not necessary.
2 Background
2.1 A Signature Scheme, Rainbow
Ding and Schmidt proposed a signature scheme called Rainbow, which is a multi-layer variant of Unbalanced Oil and Vinegar [15]. In this section, we briefly review Rainbow.
First, we set some parameters in order to describe Rainbow with an h-layer structure. Let \(v_1\) and \(o_1,\ldots ,o_{h}\) be positive integers. For \(k=2,\ldots ,h+1\), let \(v_k=v_1+o_1+\cdots +o_{k-1}\). For \(k=1,\ldots ,h\), we define two sets of integers, \(V_k=\{1,2,\ldots ,v_k\},\ O_k=\{v_k+1,\ldots ,v_k+o_k\}\). The sets \(O_i\) and \(V_i\) are used for the indices of the oil and vinegar variables in Rainbow, respectively. We define \(n=v_{h+1}\), which is the number of variables used in Rainbow.
Key Generation. A secret key consists of a central map G and two affine transformations \(A_1:K^m\rightarrow K^m\ (m=n-v_1),\ A_2:K^n\rightarrow K^n\). The public key consists of the field K and the composed map \(F=A_1\circ G\circ A_2:K^n\rightarrow K^m\), which is a system of m quadratic polynomials of n variables over K.
Signature Generation. Let \(M\in K^{m}\) be a message. A signer computes \(A=A_1^{-1}(M)\), \(B=G^{-1}(A)\) and \(C=A_2^{-1}(B)\) in that order. The signature of the message is \(C\in K^n\). Here, the inverse computation \(B=G^{-1}(A)\) for \(A=(a_{v_1+1},\ldots ,a_n)\) is executed by the following algorithm.

Step 1. Select \(B_0=(b_1,\ldots ,b_{v_1})\in K^{v_1}\) randomly.

Step 2. For \(k=1\) to h do:
 (4-1) For a subsequence \(A_k=(a_{v_{k}+1},\ldots ,a_{v_{k}+o_k})\) of A, set up a linear equation with respect to \(X_k=(x_{v_{k}+1},\ldots ,x_{v_k+o_k})\),
$$\begin{aligned} G_k(B_{k-1},X_k)=A_k. \end{aligned}$$
 (We remark that \(G_k\) can be regarded as a map having \(v_{k+1}\) variables.)
 (4-2) Solve the above linear equation. If it has a unique solution, denote the solution by \(D_k\). Otherwise, go back to Step 1.
 (4-3) Put \(B_k=B_{k-1}\Vert D_k\) (concatenation).

Output \(B=B_h\).
Remark 1
The linear equation \(G_k(B_{k-1},X_k)=A_k\) in Step 4-1 has \(o_k\) variables and \(o_k\) equations. Therefore, solving the equation fails with probability \(q^{-1}\). However, since there are many choices for \(B_0\) in Step 1, the signature generation itself does not fail.
Attacks Against Rainbow. In this section, we summarize the necessary information about the known attacks against Rainbow that have been reported in previous papers. Since the scheme which we propose later makes use of the structure of Rainbow, we will analyze the effect of these attacks on the proposed scheme. The known relevant attacks against Rainbow are as follows.
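Remark 1 and the "more equations per layer" device from Section 1.3, checked numerically in an added example (not the authors' code). It models a layer's coefficient matrix as uniformly random over GF(q), which is an assumption of the example, and takes q = 31, o = 32, r = 16 from parameter set (A) in Section 5.

```python
from fractions import Fraction
from itertools import product
from math import log2

def p_degenerate(q, o, r):
    """Exact probability that a uniformly random (o+r) x o matrix over GF(q) has rank < o.

    The number of full-column-rank matrices is prod_{i<o} (q^(o+r) - q^i), which gives
    P(full rank) = prod_{j=r+1}^{o+r} (1 - q^-j).
    """
    full_rank = Fraction(1)
    for j in range(r + 1, o + r + 1):
        full_rank *= 1 - Fraction(1, q ** j)
    return 1 - full_rank

def p_degenerate_bruteforce(q, o, r):
    """Same probability by enumerating every matrix; only feasible for tiny q, o, r."""
    kernel_candidates = [c for c in product(range(q), repeat=o) if any(c)]
    bad = total = 0
    for entries in product(range(q), repeat=(o + r) * o):
        rows = [entries[i * o:(i + 1) * o] for i in range(o + r)]
        # rank < o  <=>  some nonzero vector is sent to zero by every row
        bad += any(all(sum(a * b for a, b in zip(row, c)) % q == 0 for row in rows)
                   for c in kernel_candidates)
        total += 1
    return Fraction(bad, total)

def log2_fraction(x):
    """log2 of a positive Fraction that is too small for a float."""
    return log2(x.numerator) - log2(x.denominator)

if __name__ == "__main__":
    # Cross-check the closed form against exhaustive enumeration over GF(3).
    print(p_degenerate(3, 2, 1), p_degenerate_bruteforce(3, 2, 1))
    # Square system as in Remark 1 (r = 0): failure probability close to 1/q.
    print(float(p_degenerate(31, 32, 0)), 1 / 31)
    # r = 16 extra equations: failure probability as a power of two.
    print(log2_fraction(p_degenerate(31, 32, 16)))
```

With r = 0 the result stays near 1/q, so a scheme that cannot re-draw vinegar values would fail on roughly one input in q; each extra equation divides that probability by about q.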
(1) Find a simultaneous isotropic subspace of \(K^n\).
In Rainbow, m quadratic forms on \(K^n\) are defined by the quadratic parts of the public polynomials of F. Note that the subspace \(K^{o_t}\) appearing in (2) is a simultaneous isotropic subspace of \(K^n\). If we find a simultaneous isotropic subspace, the basis of \(K^{o_t}\) is then obtained and the above attack is feasible. The UOV, UOVR and RBS attacks are classified as being of this type.
(2) Find a quadratic form with the minimum or second maximum rank.
The details of the six attacks mentioned above can be found in the literature [37].
3 Our Proposed Scheme

\(K=GF(q)\): finite field of odd characteristic (\(q\equiv 3\ \mathrm {mod}\ 4\))

d: degree of extension field \(L=GF(q^d)\) over K (\(d\equiv 1\ \mathrm {mod}\ 2\))

h: number of layers

\(o_1,\ldots ,o_h\): number of oil variables in each layer

r: number determining the probability of decryption success

s: number of equations added in the Plus method

l: number of variables reduced in the embedding method

\(\phi :GF(q^d)\rightarrow K^d\): linear isomorphism over K
3.1 Key Generation
 (i) Construction of \(G_S:K^{n'}\rightarrow K^d\).
A multivariate quadratic map \(G'_S:K^d\rightarrow K^d\) is defined by
$$\begin{aligned} G'_S:K^d\xrightarrow {\phi ^{-1}} GF(q^d)\ni X\rightarrow X^2\in GF(q^d)\xrightarrow {\phi } K^d. \end{aligned}$$
\(G_S\) is defined as a natural extension of \(G'_S\) to \(K^{n'}\), i.e.
$$\begin{aligned} G_S:K^{d+o_1+\cdots +o_h}\xrightarrow {\text {projection}} K^d\xrightarrow {G'_S}K^d. \end{aligned}$$
 (ii) Construction of \(G_R:K^{n'}\rightarrow K^{o_1+\cdots +o_h+hr}\).
For each layer \(k=1,\ldots ,h\), we construct a multivariate quadratic map \(G_{R,k}:K^{n'}\rightarrow K^{o_k+r}\) as follows. Let \(v_k=d+o_1+\cdots +o_{k-1}\) and \(V_k=\{1,2,\ldots ,v_k\},\ O_k=\{v_k+1,\ldots ,v_k+o_k\}\). The \(o_k+r\) components of \(G_{R,k}\) are chosen as multivariate quadratic polynomials of the form
$$\begin{aligned} g(x_1,\ldots ,x_{n'})=\sum _{i\in O_k,j\in V_k}\alpha _{i,j} x_i x_j +\sum _{i,j\in V_k,\,i\le j}\beta _{i,j} x_i x_j+\sum _{i\in V_{k}\cup O_{k}}\gamma _{i} x_i+\eta .\nonumber \end{aligned}$$
Here, \(\alpha _{i,j},\beta _{i,j},\gamma _{i},\eta \) are randomly chosen in K for each component of \(G_{R,k}\). Then, \(G_R\) is defined by the concatenation \(G_R=G_{R,1}\Vert \ldots \Vert G_{R,h}\).
 (iii) Construction of \(G_P:K^{n'}\rightarrow K^{s}\).
\(G_P\) consists of s randomly chosen multivariate quadratic polynomials of the form
$$\begin{aligned} g(x_1,\ldots ,x_{n'})=\sum _{1\le i\le j\le n'}\alpha _{i,j} x_i x_j +\sum _{1\le i\le n'}\beta _{i} x_i+\gamma \ \ \ (\alpha _{i,j},\beta _{i},\gamma \in K).\nonumber \end{aligned}$$
Using above (i), (ii), (iii), a polynomial map \(G:K^{n'}\rightarrow K^m\) is defined by the concatenation \(G=G_S\Vert G_R\Vert G_P\). Additionally, the following are selected randomly.
 (1) affine embedding map \(A_1:K^n\rightarrow K^{n'},\)
 (2) affine isomorphism \(A_2:K^m\rightarrow K^m.\)
A multivariate quadratic map F from \(K^n\) to \(K^m\) is defined by \(F=A_2\circ G\circ A_1\). Then, the secret key consists of \(G,\ A_1\) and \(A_2\), and the public key consists of F.
3.2 Encryption
3.3 Decryption
For a cipher text \(C=(c_1,\ldots ,c_m)\in K^m\), the decryption is executed as follows.

Step 1. Compute \(B=(b_1,\ldots ,b_m)=A_2^{-1}(C)\).

Step 2. Compute \(B_0=\phi ^{-1}(B_S)\), where \(B_S=(b_1,\ldots ,b_d)\) is the vector of the first d components of B.

Step 3. Compute \(R=\pm B_0^{(q^d+1)/4}\) and \(D_0=\phi (R).\)

Step 4. For \(k=1\) to h do:
 (4-1) For \(B_k=(b_{m_{k}+1},\ldots ,b_{m_k+o_k+r})\), where \(m_k:=v_k+(k-1)r\), set up a linear equation with respect to \(X_k=(x_{v_{k}+1},\ldots ,x_{v_k+o_k})\),
$$\begin{aligned} G_{R,k}(D_{k-1},X_k)=B_k. \end{aligned}$$
 (We remark that \(G_{R,k}\) can be regarded as a map having \(v_{k+1}\) variables.)
 (4-2) Solve the above linear equation, and denote the solution by \(D_k\).

Step 4. Put \(D=D_0\Vert D_1\Vert \cdots \Vert D_h\) (concatenation).

Step 5. Compute \(M'=A_1^{-1}(D)\), which is the corresponding plain text.
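The central-map part of this decryption (Steps 2 to 4 with h = 1) as a runnable toy, added here as an illustration and not taken from the authors' implementation. Assumptions of the example: the sizes q = 31, d = 3, o_1 = 3, r = 4, the modulus t^3 - 3 for GF(31^3), the maps A_1, A_2 and G_P left out, and the sign in Step 3 resolved by keeping every root whose overdetermined linear system is consistent.

```python
import random

Q, D, O, R = 31, 3, 3, 4      # constructed toy sizes: K = GF(31), d = 3, o_1 = 3, r = 4, h = 1
# q = 3 mod 4, d odd, and t^3 - 3 has no root in GF(31), so it is irreducible
assert Q % 4 == 3 and D % 2 == 1 and all(pow(a, 3, Q) != 3 for a in range(Q))

def ext_mul(a, b):
    """Product in L = GF(Q^D) = K[t]/(t^3 - 3); phi is the coefficient list."""
    prod = [0] * (2 * D - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % Q
    for k in range(2 * D - 2, D - 1, -1):         # reduce using t^3 = 3
        prod[k - D] = (prod[k - D] + 3 * prod[k]) % Q
    return prod[:D]

def ext_pow(a, e):
    result = [1] + [0] * (D - 1)
    while e:
        if e & 1:
            result = ext_mul(result, a)
        a, e = ext_mul(a, a), e >> 1
    return result

def keygen(rng):
    """O+R random polynomials of the G_{R,1} form: alpha (oil x vinegar), beta, gamma, eta."""
    rand = lambda n: [rng.randrange(Q) for _ in range(n)]
    return [{"alpha": [rand(D) for _ in range(O)], "beta": [rand(D) for _ in range(D)],
             "gamma": rand(D + O), "eta": rng.randrange(Q)} for _ in range(O + R)]

def linearise(p, v):
    """Fix the first D variables to v: p becomes sum_i coeff[i] * x_i + const in the oil variables."""
    coeff = [(sum(p["alpha"][i][j] * v[j] for j in range(D)) + p["gamma"][D + i]) % Q
             for i in range(O)]
    const = (sum(p["beta"][i][j] * v[i] * v[j] for i in range(D) for j in range(i, D))
             + sum(p["gamma"][i] * v[i] for i in range(D)) + p["eta"]) % Q
    return coeff, const

def central_map(polys, x):
    """G_S || G_R evaluated at x = (Square part, oil part)."""
    v, oil = x[:D], x[D:]
    out = ext_mul(v, v)                           # G_S: X -> X^2 in GF(q^d)
    for coeff, const in (linearise(p, v) for p in polys):
        out.append((sum(c * o for c, o in zip(coeff, oil)) + const) % Q)
    return out

def solve(rows, rhs):
    """Gauss-Jordan over GF(Q), more equations than unknowns; None unless exactly one solution."""
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(O):
        piv = next((r for r in range(col, len(m)) if m[r][col]), None)
        if piv is None:
            return None                           # degenerate system: rank < O
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, Q)
        m[col] = [e * inv % Q for e in m[col]]
        for r in range(len(m)):
            if r != col and m[r][col]:
                m[r] = [(a - m[r][col] * b) % Q for a, b in zip(m[r], m[col])]
    if any(row[O] for row in m[O:]):
        return None                               # inconsistent: this square root is the wrong one
    return [m[i][O] for i in range(O)]

def invert_central(polys, b):
    """Steps 2-4 for h = 1: every preimage of b under the central map."""
    root = ext_pow(b[:D], (Q ** D + 1) // 4)      # R = B_0^((q^d+1)/4)
    found = []
    for sign in (1, -1):                          # the two candidates +R and -R
        v = [sign * c % Q for c in root]
        if ext_mul(v, v) != b[:D]:
            continue                              # B_0 is not a square: invalid cipher text
        lin = [linearise(p, v) for p in polys]
        oil = solve([c for c, _ in lin], [(y - k) % Q for (_, k), y in zip(lin, b[D:])])
        if oil is not None and v + oil not in found:
            found.append(v + oil)
    return found

if __name__ == "__main__":
    polys = keygen(random.Random(1))
    x = [4, 0, 27, 9, 30, 1]                      # constructed input (Square part || oil part)
    print(invert_central(polys, central_map(polys, x)))
```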
3.4 Probability of Decryption Failure
We have to guarantee that the above decryption algorithm recovers the plain text. To this end, it is necessary to show that the public key F is injective. In the case of the original ABC [41], the probability of decryption failure is non-negligible because its public key is not injective. However, ABC has already been improved so that the public key becomes almost injective [42]. Therefore, the probability of decryption failure of the improved ABC can be minimized by choosing a suitable parameter.
The public key of our scheme is also almost injective. More precisely,
Proposition 1
The probability that F is not injective is equal to \(hq^{-l-1}\).
This proposition implies that the probability of decryption failure in our scheme is equal to \(hq^{-l-1}\). The above proposition is shown in Appendix B.
4 Security Analysis
 1. Direct attack
 2. Differential attack [6]
 3. Rank attacks
 4. Other attacks against Rainbow (RBS attack, UOV attack, UOVR attack)
4.1 Direct Attack
Result of experiments of the direct attack using MAGMA
\((q,d,\{o_1,\ldots \},r,s,l)\) | (m, n) | Time | Time (RS) | \(d_{\mathrm {reg}}\) | semi-regular degree
(31, 15, 11, 3, 2, 10) | (31, 16) | 14 s | 14 s | 5 | 5
(31, 15, 11, 3, 2, 9) | (31, 17) | 44 s | 42 s | 5 | 5
(31, 15, 11, 3, 2, 8) | (31, 18) | 206 s | 204 s | 5 | 5
(31, 15, 11, 3, 2, 7) | (31, 19) | 2311 s | 2351 s | 6 | 6
(31, 15, 10, 3, 2, 6) | (30, 19) | 2916 s | 2846 s | 6 | 6
(31, 15, 11, 3, 2, 6) | (31, 20) | 9331 s | 8840 s | 6 | 6
(31, 15, 12, 3, 2, 6) | (32, 21) | 34080 s | 41647 s | 6 | 6
(31, 15, 11, 3, 2, 5) | (31, 21) | 156624 s | 168693 s | 7 | 7
4.2 Differential attack
4.3 Rank Attacks
4.4 Other Attacks against Rainbow
5 Practical Parameters and Implementation
Consider the following parameters.

(A) \((K,d,h,\{o_1,\ldots \},r,s,l)=(GF(31),33,1,\{32\},16,5,16)\) (80-bit security level)

(B) \((K,d,h,\{o_1,\ldots \},r,s,l)=(GF(31),47,1,\{47\},22,5,22)\) (112-bit security level)

(C) \((K,d,h,\{o_1,\ldots \},r,s,l)=(GF(31),71,1,\{71\},32,5,32)\) (160-bit security level)
Experimental results of SRP
SRP | (A) | (B) | (C)
Security | 80 bit | 112 bit | 160 bit
Encryption | 0.75 ms | 2.26 ms | 7.82 ms
Decryption | 1.06 ms | 3.01 ms | 9.14 ms
Secret key size | 57.1 kB | 161.4 kB | 528.1 kB
Public key size | 69.9 kB | 207.0 kB | 701.6 kB
Probability of decryption failure | \(2^{-80}\) | \(2^{-112}\) | \(2^{-160}\)

OS: Microsoft Windows 7 Professional 64-bit

CPU: Intel(R) Xeon CPU E3-1270 @ 3.40GHz

Memory: 16.0 GB

Compiler: Cygwin + gcc version 3.4.4

Language: C
6 Conclusion
We propose an MPKC encryption scheme called SRP. Our scheme has an efficient decryption algorithm; in fact, the decryption time is less than twice the encryption time according to our experiments. The system of multivariate quadratic equations obtained in our scheme from any cipher text behaves as if it were a system of random quadratic equations with respect to direct attacks.
Notes
Acknowledgements
This work was commissioned by Strategic Information and Communications R&D Promotion Programme (SCOPE), no. 01590016 Ministry of Internal Affairs and Communications, JAPAN. Dr. Xavier Dahan read carefully and proofread the preliminary version of this paper. The authors would like to thank him.
References
 1. Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proceedings of International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)
 2. Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-Quantum Cryptography. Springer, Heidelberg (2009)
 3. Berger, T.P., Cayrel, P.L., Gaborit, P., Otmani, A.: Reducing key length of the McEliece cryptosystem. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 77–97. Springer, Heidelberg (2009)
 4. Bettale, L., Faugère, J.-C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Crypt. 3(3), 177–197 (2010)
 5. Billet, O., Gilbert, H.: Cryptanalysis of rainbow. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 336–347. Springer, Heidelberg (2006)
 6. Billet, O., Macario-Rat, G.: Cryptanalysis of the square cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 451–468. Springer, Heidelberg (2009)
 7. Clough, C., Baena, J., Ding, J., Yang, B.Y., Chen, M.: Square, a new multivariate encryption scheme. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 252–264. Springer, Heidelberg (2009)
 8. Clough, C.L., Ding, J.: Secure variants of the square encryption scheme. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 153–164. Springer, Heidelberg (2010)
 9. Courtois, N.T., Daum, M., Felke, P.: On the security of HFE, HFEv and Quartz. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 337–350. Springer, Heidelberg (2002)
 10. Chen, J.M., Yang, B.Y.: A more secure and efficacious TTS signature scheme. In: Lim, J.I., Lee, D.H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 320–338. Springer, Heidelberg (2004)
 11. Ding, J., Clough, C., Araujo, R.: Inverting square systems algebraically is exponential. Finite Fields Appl. 26, 32–48 (2014)
 12. Ding, J., Gower, J.E., Schmidt, D.S.: Multivariate Public Key Cryptosystems. Advances in Information Security, vol. 25. Springer, New York (2006)
 13. Dubois, V., Fouque, P.A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007)
 14. Ding, J., Petzoldt, A., Wang, L.: The cubic simple matrix encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 76–87. Springer, Heidelberg (2014)
 15. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005)
 16. Ding, J., Schmidt, D., Yin, Z.: Cryptanalysis of the new TTS scheme in CHES 2004. Int. J. Inf. Secur. 5(4), 231–240 (2006)
 17. Ding, J., Wolf, C., Yang, B.Y.: \(\ell \)-invertible cycles for multivariate quadratic (MQ) public key cryptography. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 266–281. Springer, Heidelberg (2007)
 18. Ding, J., Yang, B.Y., Chen, C.H.O., Chen, M.S., Cheng, C.M.: New differential-algebraic attacks and reparametrization of rainbow. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 242–257. Springer, Heidelberg (2008)
 19. Faugère, J.-C.: A new efficient algorithm for computing Gröbner basis (\(F_4\)). J. Pure Appl. Algebra 139(1–3), 61–88 (1999)
 20. Faugère, J.-C.: A new efficient algorithm for computing Gröbner basis without to zero (\(F_5\)). In: Proceedings of the International Symposium on Symbolic and Algebraic Computation, pp. 75–83 (2002)
 21. Fouque, P.A., Macario-Rat, G., Perret, L., Stern, J.: Total break of the \(\ell \)-IC signature scheme. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 1–17. Springer, Heidelberg (2008)
 22. Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000)
 23. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)
 24. Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Crypt. 24(3), 446–469 (2011)
 25. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
 26. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)
 27. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)
 28. Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998)
 29. Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)
 30. Moh, T.T.: A fast public key system with signature and master key functions. In: CrypTEC 1999, pp. 63–69 (1999)
 31. Moh, T.T.: A public key system with signature and master key functions. Commun. Algebra 27(5), 2207–2222 (1999)
 32. Möller, B.: Algorithms for multi-exponentiation. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 165–180. Springer, Heidelberg (2001)
 33. Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt ’88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)
 34. Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)
 35. Patarin, J., Goubin, L., Courtois, N.T.: \(C_+^*\) and HM: variations around two schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–50. Springer, Heidelberg (1998)
 36. Patarin, J., Courtois, N.T., Goubin, L.: FLASH, a fast multivariate signature algorithm. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, p. 298. Springer, Heidelberg (2001)
 37. Petzoldt, A., Bulygin, S., Buchmann, J.: Selecting parameters for the rainbow signature scheme. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 218–240. Springer, Heidelberg (2010)
 38. Petzoldt, A., Bulygin, S., Buchmann, J.: CyclicRainbow – a multivariate signature scheme with a partially cyclic public key. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 33–48. Springer, Heidelberg (2010)
 39. Porras, J., Baena, J., Ding, J.: ZHFE, a new multivariate public key encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 229–245. Springer, Heidelberg (2014)
 40. Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009)
 41. Tao, C., Diene, A., Tang, S., Ding, J.: Simple matrix scheme for encryption. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 231–242. Springer, Heidelberg (2013)
 42. Tao, C., Xiang, H., Petzoldt, A., Ding, J.: Simple matrix - a multivariate public key cryptosystem (MPKC) for encryption. Finite Fields Appl. 35, 352–368 (2015)
 43. Thomae, E., Wolf, C.: Roots of square: cryptanalysis of double-layer square and square+. In: Yang, B.Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 83–97. Springer, Heidelberg (2011)
 44. Wolf, C., Preneel, B.: Taxonomy of public key schemes based on the problem of multivariate quadratic equations. Cryptology ePrint Archive, Report 2005/077, December 2005. http://eprint.iacr.org/2005/077
 45. Yang, B.Y., Chen, J.M.: TTS: rank attacks in tame-like multivariate PKCs. Cryptology ePrint Archive, Report 2004/061, November 2004. http://eprint.iacr.org/2004/061
 46. Yang, B.Y., Chen, J.M.: All in the XL family: theory and practice. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005)