A novel homomorphic polynomial public key encapsulation algorithm

Randy Kuang; Maria Perepechaenko

doi:10.12688/f1000research.133031.1

Home Browse A novel homomorphic polynomial public key encapsulation algorithm

ALL Metrics

-

Views

-

Downloads

Get PDF

Get XML

Export

▬

✚

Research Article

A novel homomorphic polynomial public key encapsulation algorithm

[version 1; peer review: 1 approved, 1 approved with reservations]

Randy Kuang ¹, Maria Perepechaenko¹

PUBLISHED 17 Oct 2023

Author details Author details

¹ Quantropi Inc., Ottawa, ON, K1Z 8P9, Canada

Randy Kuang
Roles: Conceptualization, Methodology, Project Administration, Supervision, Writing – Original Draft Preparation, Writing – Review & Editing

Maria Perepechaenko
Roles: Formal Analysis, Investigation, Writing – Original Draft Preparation, Writing – Review & Editing

OPEN PEER REVIEW

REVIEWER STATUS

This article is included in the Cybersecurity collection.

Abstract

Background: One of the primary drivers in development of novel quantum-safe cryptography techniques is the ongoing National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) competition, which aims to identify quantum-safe algorithms for standardization. Although NIST has recently announced candidates to be standardized, the development of novel PQC algorithms remains desirable to address the challenges of quantum computing. Furthermore, to enhance security and improve performance. Methods: This paper introduces a novel public key encapsulation algorithm that incorporates an additional layer of encryption during key construction procedure, through a hidden ring. This encryption involves modular multiplication over the hidden ring using a homomorphism operator that is closed under addition and scalar multiplication. The homomorphic encryption key is comprised of two values - one used to create the hidden ring and the other to form an encryption operator. This homomorphic encryption can be applied to any polynomials during key construction over a finite field with their coefficients considered private. Particularly, the proposed homomorphic encryption operator can be applied to the public key of the Multivariate Public Key Cryptography schemes (MPKC) to hide the structure of its central map construction. Results: This paper presents a new variant of the MPKC with its public key encrypted using the proposed homomorphic operator. This novel scheme is called the Homomorphic Polynomial Public Key (HPPK) algorithm, which simplifies MPKC central map to two multivariate polynomials constructed from polynomial multiplications. The HPPK algorithm employs a single polynomial vector for the plaintext and a multi-variate noise vector associated with the central map. In contrast, in MPKC, a single multivariate vector is created by segmenting the secret plaintext over a small finite field. The HPPK algorithm is Indistinguishability Under Chosen-Plaintext Attack (IND-CPA) secure, and its classical complexity for cracking is exponential in the size of the prime field GF(p).

Keywords

Post-Quantum Cryptography, PQC, Public-Key Cryptography, Multivariate Polynomial Public Key, MPPK, Key Encapsulation Mechanism, KEM, Multivariate Cryptography

Corresponding author: Randy Kuang

Competing interests: The authors are associated with Quantropi Inc., a company which offers quantum-secure software solutions. Elements of research presented in this paper are or may become incorporated in the company's commercial solutions.

Grant information: The author(s) declared that no grants were involved in supporting this work.

Copyright: © 2023 Kuang R and Perepechaenko M. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite: Kuang R and Perepechaenko M. A novel homomorphic polynomial public key encapsulation algorithm [version 1; peer review: 1 approved, 1 approved with reservations]. F1000Research 2023, 12:1347 (https://doi.org/10.12688/f1000research.133031.1) First published: 17 Oct 2023, 12:1347 (https://doi.org/10.12688/f1000research.133031.1) Latest published: 17 Oct 2023, 12:1347 (https://doi.org/10.12688/f1000research.133031.1)

Introduction

In 1978, Rivest et al. proposed homomorphic encryption, a technique for performing computations on encrypted data without knowledge of the decryption key or procedure.¹ This was just one year after filing the patent for Rivest-Shamir-Adleman (RSA) public key cryptography.² Homomorphic encryption is distinct from the cryptographic algorithms used for secure communication or storage with public key mechanisms like RSA,² Diffie-Hellman,³ and elliptic curve cryptography,⁴^,⁵ which are used to establish shared keys for symmetric encryption with algorithms like Advanced Encryption Standard (AES).

Homomorphic encryption can be divided into two categories: partially homomorphic and fully homomorphic. Partially homomorphic encryption supports either multiplicative or additive homomorphic operations. Examples of multiplicatively homomorphic systems include RSA⁶ and ElGamal cryptosystems,⁷ while additively homomorphic systems include Goldwasser-Micali,⁸ Benaloh,⁹ and Paillier.¹⁰ The first milestone for fully homomorphic encryption was achieved by Gentry in 2009 using lattice-based cryptography¹¹ to support both addition and multiplication operators in the encrypted mode. Additionally, Chan proposed a symmetric homomorphic scheme based on an improved Hill Cipher¹² in 2009, while Kipnis and Hibshoosh proposed their symmetric homomorphic scheme in 2012¹³ with a randomization function for non-deterministic encryption. Gupta and Sharma proposed their symmetric homomorphic scheme based on linear algebraic computation in 2013.¹⁴ More recently, Li et al. proposed a new symmetric homomorphic scheme in 2016, called Li-Scheme, for outsourcing databases.¹⁵ Their scheme involves two finite fields: a secret small field $F_{q}$ and a big public field $F_{p}$ . It uses modular exponentiation with its secret base $s$ followed by modular multiplication with plaintext message $m$ . Li-Scheme supports both additive and multiplicative operations, making it a fully homomorphic encryption. However, in 2018, Wang et al. performed a cryptoanalysis of the Li-Scheme¹⁶ and broke the scheme with certain known plaintext-ciphertext pairs. They further improved their cryptoanalysis in 2019 and successfully recovered the secret key with the ciphertext-only attack using lattice reduction algorithm.¹⁷

Homomorphic encryption is a technique that enables performing mathematical operations on encrypted data without decrypting it first, thus providing data privacy. However, it would be interesting to extend this technique from data privacy to public key schemes. Specifically, it would be beneficial to explore cases where the public keys can provide privacy with variables that can take user inputs in a public key scheme. Some research in this area has yielded fruitful results,¹⁸^,¹⁹ but there is still room for further research. Motivated by this need, we introduce a new asymmetric key encapsulation scheme called Homomorphic Polynomial Public Key (HPPK), which uses partial homomorphic encryption to encrypt public keys. The HPPK algorithm leverages multivariate polynomials to not only take advantage of the homomorphic properties of addition and scalar multiplication, but also to allow for the encryption of the input of the encrypting party during the creation of the ciphertext. In other words, the coefficients of the public key polynomial are encrypted using a homomorphic function to ensure that they are not truly public and to hide the structure of the public key. At the same time, treating the variables of the public key polynomials as user input allows for greater flexibility during the encryption process.

The HPPK cryptosystem possesses two distinct features. Firstly, it employs homomorphic encryption of the public key, which enables the inclusion of user input during ciphertext creation. Secondly, it utilizes a hidden ring. However, HPPK is not the first cryptosystem to employ hidden structure. For instance, Li et al. developed a cryptosystem that utilizes a hidden prime ring.¹⁵ Hidden Field Equations (HFE) cryptosystems are another notable example. Several asymmetric multivariate encryption schemes based on HFE have been proposed.²⁰^–²³ Additionally, various signature schemes based on HFE have been developed.²⁴^–²⁸ In HFE, both the private polynomials and the structure they are defined over, a field extension, are concealed using affine transformations.

The aforementioned algorithms based on HFE fall under the category of quantum-safe algorithms, specifically multivariate quantum-safe algorithms. With the advent of quantum computing, quantum-resistant cryptography has gained significant attention from both academia and industry leaders. The National Institution of Standards and Technology (NIST) played a pivotal role in this arena by initiating the post-quantum cryptography (PQC) standardization process in November 2017.²⁹^–³¹ Recently, the NIST announced the third-round finalists, which include four key encapsulation mechanism schemes (KEM) and three digital signature finalists.²⁹ The four KEM finalists include Classic McEliece, which is code-based³²; CRYSTALS-KYBER, which is lattice-based³³; NTRU, which is based on lattices³⁴^,³⁵; and Saber.³⁶ NIST has selected CRYSTALS-KYBER as the standardized algorithm for KEM. Besides the aforementioned finalists, Multivariate Public Key Cryptosystems (MPKC) are noteworthy for their simplicity and efficiency.³⁷^,³⁸^,²⁷^,²⁸ Algorithms based on multivariate polynomial problems are considered quantum-safe and can also serve as excellent candidates for homomorphic encryption due to the use of multivariate polynomials.

The framework of MPKC is based on a system of quadratic polynomials, with the public key represented by a central map $P : F_{p}^{m} \to F_{p}^{ℓ}$ , where $m$ variables and $ℓ$ polynomials are used.³⁹ Since its introduction by Matsumoto and Imai in 1988,⁴⁰ numerous variants of MPKC central map constructions have been proposed, including single field systems and mixed field systems.⁴¹ Single field MPKC comprises several triangular systems and the Oil and Vinegar system, which were first introduced by Patarin and Goubin in 1997,⁴² as well as the unbalanced Oil and Vinegar scheme proposed by Kipnis et al. in 1999.²⁰ Mixed field MPKC refers to the Matsumoto-Imai system⁴⁰ and the HFE.⁴³ Moreover, Wang et al. proposed a Medium-Field MPKC scheme in 2006,⁴⁴ which was improved upon in 2008.⁴⁵ Additionally, Ding and Schmidt proposed Rainbow as a MPKC digital signature scheme in 2005.²⁷

Attacks on MPKC cryptosystems are mainly classified into two categories: algebraic solving attacks and linear algebra attacks. Algebra solving attacks attempt to solve the MPKC multivariate equation system from the public key with ciphertext $(z_{1} z_{2} \dots z_{ℓ})$ to recover the pre-image $(x_{1} x_{2} \dots x_{m})$ . Faugére reported his first attack on MPKC in 1999⁴⁶ and in 2002⁴⁷ using Gröber bases ( $F_{4}$ ), later in 2003 Faugére and Antoine reported their attack on HFE Gröber bases ( $F_{5}$ ). Ding et al. proposed their new Zhuang-Zi algorithm to solve the multivariate system in 2006.⁴⁸ In linear algebra attacks, Courtois et al. reported their attack on MPKC using the relinearization technique, aclled XL in 2000.⁴⁹ The Minrank attack has been successfully applied by Goubin and Courtois on the single field system in 2000⁵⁰ and by Kipnis and Patarin on the mixed field system in 1999.⁵¹

A novel type of polynomial public key has recently been proposed by Kuang in 2021,⁵² based on univariate polynomial multiplications. Additionally, Kuang and Barbeau have further proposed a related public key in 2021,⁵³^,⁵⁴^,⁵⁵ which utilizes multivariate polynomial multiplications with two noise functions to improve public key security against potential attacks. Recently, Kuang, Perepechaenko, and Barbeau have proposed a majorly improved Key Encapsulation Mechanism (KEM),⁵⁶ where modular multiplication encryption over a hidden ring was applied for both noise functions. Building on top of this previous work,⁵⁶ this paper investigates the potential benefits of combining a new homomorphic encryption with key construction to further enhance the security of MPPK cryptography for KEM and reduce the cipher size. Furthermore, a digital signature scheme based on the multivariate polynomial public key, or MPPK, has been introduced by Kuang, Perepechaenko, and Barbeau in 2022.⁵⁷

Homomorphic encryption operator designed from a hidden ring

In contrast to conventional homomorphic cryptography used for data privacy, in this paper we propose homomorphic encryption to be applied to the public key in the framework of multivariate asymmetric cryptography. This will allow for an asymmetric scheme with encrypted public keys. Moreover, by construction, homomorphic encryption allows for user’s input during the ciphertext generation procedure. That is, the ciphertext can be created with the input of the encrypting party, however, the public key used for encryption is itself encrypted using a homomorphic operator. The decrypting party is the only party that has knowledge of the private key associated with the homomorphic encryption operator as well as the asymmetric scheme private key. Essentially, the homomorphic encryption defined in this paper provides a round-trip envelope for a public key encryption.

In a way, such approach combines three main areas of cryptography, namely, asymmetric cryptography, homomorphic cryptography, and symmetric cryptography with the self-shared key. This phenomenon is illustrated in Figure 1. In the figure, the traditional public key derived from a given asymmetric algorithm is called plain public key (PPK), the homomorphically encrypted PPK is called cipher public key or CPK. The cipher is produced by evaluating the public key polynomial values using a user-selected secret together with the random noise variables. The decryption would perform in two stages: homomorphic decryption and then secret extraction.

Figure 1. Illustration of a cryptosystem combining asymmetric cryptography, symmetric cryptography with a single self-shared key, and homomorphic encryption.

We begin by introducing the homomorphic encryption operator. In order to allow for the user’s input during ciphertext creation, and leverage additive and scalar multiplicative homomorphic features, the homomorphic encryption is applied to polynomials. We discuss the reason for this further. Hence, when introducing the said operator we assume that it will be applied to polynomials.

Homomorphic encryption operator

Let $S$ be a positive integer, and $R$ be a randomly chosen value such that $R \in ℤ_{S}$ and $gcd (R, S) = 1 .$ We propose a homomorphic encryption operator ${\hat{ℰ}}_{(R, S)}$ , with a secret homomorphic key being a tuple $(R, S)$ . The values $S$ and $R$ are never shared. In its general form, the encryption operator is defined as a multiplicative operation modulo a hidden value $S$ as

(1)

{\hat{ℰ}}_{(R, S)} (f) = (R \circ f) mod S,

where

f

denotes any univariate or multivariate polynomial

f = \sum_{i = 0}^{k} f_{i} X_{i}

, over

F_{q}

with

X_{i}

being its monomials. The encryption operator acts on the coefficients of

f

, which we refer to as plain coefficients.

{\hat{ℰ}}_{(R, S)} f_{i} = {Rf}_{i} mod S = h_{i}

for every

i

. Similarly, we can define a Homomorphic Decryption Operator as

(2)

{\hat{ℰ}}_{(R^{- 1}, S)} h = (R^{- 1} \circ h) mod S .

Such operator decrypts the coefficients of the polynomial $h$ . That is, it successfully decrypts the cipher coefficients back to the plain coefficients. More precisely,

{\hat{ℰ}}_{(R^{- 1}, S)} h_{i} = R^{- 1} ({Rf}_{i}) mod S = (R^{- 1} R) f_{i} mod S = f_{i}

for any

i .

The above defined homomorphic operator

{\hat{ℰ}}_{(R, S)}

holds following homomorphic properties:

• ${\hat{ℰ}}_{(R, S)}$ is additively homomorphic: if $a$ and $b$ are two plain constants, then ${\hat{ℰ}}_{(R, S)} (a + b) = R (a + b) mod S = Ra + Rb mod S = {\hat{ℰ}}_{(R, S)} a + {\hat{ℰ}}_{(R, S)} b$ ;
• ${\hat{ℰ}}_{(R, S)}$ is scalar multiplicatively homomorphic: if $a$ is a plain constant and $x$ is a variable, then ${\hat{ℰ}}_{(R, S)} (ax) = R (ax) = (Ra) x = [{\hat{ℰ}}_{(R, S)} a] x$ .

Thus, the operator ${\hat{ℰ}}_{(R, S)}$ offers partially homomorphic encryption. We leave it to the reader to verify that the same properties hold true for the proposed homomorphic decryption operator ${\hat{ℰ}}_{(R^{- 1}, S)}$ . Note that these homomorphic properties come from linearity, and thus are natural to polynomials. Indeed, polynomials hold additive and scalar multiplicative properties through their coefficients. Moreover, polynomials can be defined and evaluated with coefficients in a field or a ring, different from a field or a ring for variables. We leverage this property, and thus, apply the homomorphic encryption to public key cryptosystems with polynomial public keys.

Homomorphically encrypted polynomials

As we have previously stated, the proposed homomorphic encryption is applicable to all polynomials over a ring $ℤ_{q}$ or finite field $F_{q}$ characterized by a prime $q$ . In this work, when we refer to polynomials, we imply that the plain polynomials, to be encrypted, are considered modulo $q$ , unless stated otherwise. A generic multivariate polynomial has the following form

p (x_{1} \dots x_{m}) = \sum_{j_{1} = 1}^{ℓ_{1}} \dots \sum_{j_{m} = 1}^{ℓ_{m}} p_{{ij}_{1} \dots j_{m}} x_{1}^{j_{1}} \dots x_{m}^{j_{m}} .

Alternatively, let $X_{j} = x_{1}^{j_{1}} \dots x_{m}^{j_{m}}$ denote the monomials of such polynomial, then

(3)

p (x_{1} \dots x_{m}) = \sum_{j = 1}^{L} p_{j} X_{j},

where L denotes the total number of terms. To successfully encrypt and decrypt any polynomial

p (x_{1} \dots x_{m})

using the homomorphic encryption and decryption operators defined in Equation (1) and (2) respectively, the following conditions must be met:

• The monomials $X_{j}$ are to be computed as $X_{j} = (X_{j} mod q)$ . The values of monomials reduced modulo $q$ are used to compute the value of the polynomial $p (x_{1} \dots x_{m})$ .
• The homomorphic secret key value $S$ should satisfy the bit length condition: ${|S|}_{2} > 2 {|p|}_{2} + {|L|}_{2}$ .

The first condition ensures that polynomial $p (x_{1} \dots x_{m})$ is evaluated as if the monomials $X_{j}$ are new variables over $F_{q}$ , Indeed, the operator ${\hat{ℰ}}_{(R, S)}$ is applied to the polynomial $p (x_{1} \dots x_{m})$ in the following way

(4)

{\hat{ℰ}}_{(R, S)} p (x_{1} \dots x_{m}) = \sum_{j = 1}^{L} [{Rp}_{j} mod S] X_{j} .

Such encrypted polynomial can be computed as

\sum_{j = 1}^{L} [{Rp}_{j} mod S] (X_{j} mod q) = \bar{p} .

Note that the computed value was not reduced modulo any integer, nor is the arithmetic performed modulo any integer. Thus, the user’s input through monomials $X_{j}$ remains intact and can be decrypted correctly. Let the plain value of the polynomial with user’s input, that is, if the polynomial was not encrypted with ${\hat{ℰ}}_{(R, S)},$ be

\hat{p} = \sum_{j = 1}^{L} p_{j} X_{j} mod q .

To ensure successful decryption, the second condition must be met. If the size of $S$ is sufficiently large, the values of coefficients and variables remains the same after decryption, and it is possible to recover $\hat{p} .$ Indeed,

(5)

{\hat{ℰ}}_{(R^{- 1}, S)} \bar{p} = \sum_{j = 1}^{L} [R^{- 1} {Rp}_{j} mod S] (X_{j} mod q) = \sum_{j = 1}^{L} p_{j} (X_{j} mod q),

and then the value

\sum_{j = 1}^{L} p_{j} (X_{j} mod q)

can be reduced modulo

q

to yield

\sum_{j = 1}^{L} p_{j} X_{j} mod q = \hat{p} .

To elaborate more on this, we present the reader with two examples of homomorphic encryption of linear and quadratic polynomials.

Linear polynomials

Recall, that we encrypt the coefficients of the polynomials defined over $F_{q}$ , which successfully maps polynomials from $F_{q} [x_{1} \dots x_{m}]$ to $ℤ_{S} [x_{1} \dots x_{m}]$ , leaving $x_{1}, \dots, x_{m} \in F_{q} .$ A generic linear multivariate polynomial over a finite field $F_{q}$ has form

(6)

p (x_{1} x_{2} \dots x_{m}) = \sum_{j = 1}^{m} p_{j} x_{j} mod q .

Conventionally, in the asymmetric encryption schemes, the public key inherits mathematical logic from the private key, making it vulnerable. Hence, if public key consists of polynomials, we wish to encrypt the coefficients of the said polynomials using homomorphic operator, to hide the mathematical logic. In this case we share the cipher public key, encrypted using homomorphic operator. To ensure that the ciphertext can be still created in the framework of asymmetric public key scheme, the variables in the public key polynomials are used for user’s input. They are not encrypted using homomorphic encryption, but only using the encryption procedure from the asymmetric scheme. Such variable values can consist of the plaintext only, or plaintext and noise used for obscurity.

Applying homomorphic encryption operator to the above linear polynomial, defined in Equation (6), produces a cipher linear polynomial with coefficients in a hidden ring $ℤ_{S}$ , and variables in $F_{q} :$

(7)

P (x_{1} x_{2} \dots x_{m}) = {\hat{ℰ}}_{(R, S)} p (x_{1} x_{2} \dots x_{m}) = \sum_{j = 1}^{m} ({Rp}_{j} mod S) x_{j} = \sum_{j = 1}^{m} P_{j} x_{j} .

While the plain coefficients, $p_{j}$ , are encrypted into cipher coefficients, $P_{j}$ , the cipher polynomial $P (x_{1} x_{2} \dots x_{m})$ can still be evaluated with a set of chosen values $r_{1}, \dots, r_{m} \in F_{q}$ to produce value $\bar{P}$

(8)

\bar{P} = P (r_{1} r_{2} \dots r_{m}) = \sum_{j = 1}^{m} P_{j} (r_{j} mod q) .

Let the value $\bar{p} = \sum_{i = 1}^{m} p_{j} r_{j} mod q,$ be the original ciphertext of the asymmetric scheme. However, it is encrypted into the value $\bar{P}$ using homomorphic encryption. To recover the plain polynomial value, that is, decrypt the cipher coefficients, into the plain coefficients and evaluate polynomial modulo $q$ , we first apply the homomorphic decryption operator ${\hat{ℰ}}_{(R^{- 1}, S)}$ to get ${\hat{ℰ}}_{(R^{- 1}, S)} \bar{P},$ and then reduce this value modulo $q$ . More precisely,

{\hat{ℰ}}_{(R^{- 1}, S)} \bar{P} = \sum_{j = 1}^{m} [R^{- 1} P_{j} mod S] (r_{j} mod q) = \sum_{i = 1}^{m} p_{j} (r_{j} mod q),

which reduced modulo

q

is

\sum_{i = 1}^{m} p_{j} r_{j} mod q = \bar{p} .

In a framework of asymmetric scheme with homomorphic encryption element, polynomials such as in Equation (6) are associated with plain coefficients, that is, the original public keys. The cipher polynomials have form as in Equation (7), with coefficients being encrypted from the plain public keys, using homomorphic encryption. Such cipher public keys are shared, and the plain public keys are stored securely and never shared. The ciphertext in this combined algorithm is of the form as in Equation (8). The decrypting party first needs to decrypt the ciphertext to nullify the homomorphic encryption of the public key, as shown in Equation (8). Afterwards, the decryption party can perform decryption procedure that corresponds to the given asymmetric scheme.

Quadratic polynomials

Multivariate quadratic polynomials serve as the foundation of Multivariate Public Key Cryptosystem or MPKC.³⁹^,⁵⁸^–⁶⁰ Thus, we want to pay special attention on applications of homomorphic encryption on multivariate quadratic polynomials. A general quadratic multivariate polynomial $p (x_{1} x_{2} \dots x_{n})$ over a finite field $F_{q}$ has the following form

(9)

p (x_{1} x_{2} \dots x_{m}) = \sum_{1 \leq i \leq j}^{m} p_{ij} x_{i} x_{j} mod q,

where the coefficients

p_{ij}

are considered as the privacy constants for this polynomial function so they must be hidden from public. This is done by applying the homomorphic encryption operator to this polynomial as follows

(10)

P (x_{1} x_{2} \dots x_{m}) = {\hat{ℰ}}_{(R, S)} p (x_{1} x_{2} \dots x_{m})

(11)

= \sum_{1 \leq i \leq j}^{m} ({Rp}_{ij} mod S) x_{i} x_{j} = \sum_{1 \leq i \leq j}^{m} P_{ij} x_{i} x_{j} .

(12)

P (x_{1} x_{2} \dots x_{m}) = {\hat{ℰ}}_{(R, S)} p (x_{1} x_{2} \dots x_{m}) = \sum_{1 \leq i \leq j}^{m} ({Rp}_{ij} mod S) x_{i} x_{j} = \sum_{1 \leq i \leq j}^{m} P_{ij} x_{i} x_{j} .

Here, the encrypted coefficients are defined over the hidden ring $ℤ_{S}$ , however, all the variables $x_{1}, \dots, x_{m}$ are still elements of the field $F_{q}$ . As we have previously mentioned, we refer to the coefficients $p_{ij}$ as plain coefficients, and $P_{ij}$ are referred to as cipher coefficients. Similarly, $P (x_{1} x_{2} \dots x_{m})$ and $p (x_{1} x_{2} \dots x_{m})$ are referred to as cipher and plain polynomials respectively. While coefficients are encrypted with homomorphic encryption operator, the polynomial $P (x_{1} x_{2} \dots x_{m})$ still accepts user’s input. That is, the cipher polynomial value $\bar{P}$ can be still calculated with a chosen set of $r_{1}, \dots, r_{m}$ from the field $F_{q}$ as follows

(13)

\bar{P} = P (r_{1} r_{2} \dots r_{m}) = \sum_{1 \leq i \leq j}^{m} P_{ij} (x_{i} x_{j} mod q) .

Note that the computed value $\bar{P}$ is an integer. The arithmetic to compute such value was not performed modulo any integer. The plain polynomial values are securely hidden through the hidden ring $ℤ_{S}$ . To recover the plain polynomial equation, decryption operator ${\hat{ℰ}}_{(R^{- 1}, S)}$ can be applied to the cipher polynomial value $\bar{P}$ , followed by reduction $mod q$ :

(14)

{\hat{ℰ}}_{(R^{- 1}, S)} \bar{P} = R^{- 1} \bar{P} mod S, then

(15)

(R^{- 1} \bar{P} mod S) mod q = p (r_{1} r_{2} \dots r_{m}) = \bar{p} .

The value $\bar{p}$ is the plain polynomial value for the chosen values of variables $x_{1}, \dots, x_{m}$ by the encrypting party.

Similar to the linear case, the public key of the asymmetric scheme consist of quadratic polynomials of the form (9), to be encrypted using homomorphic encryption operators. The cipher public keys are of the form (10). Such cipher public keys are the ones shared, while the plain public keys are not. The ciphertext in the combined scheme is of the form (13), which needs to be decrypted back to the plain value. For that a homomorphic decryption operator is applied, as in Eq. (14), and the plain ciphertext value is recovered.

Homomorphic Polynomial Public Key Cryptosystem

The Homomorphic Polynomial Public Key Cryptosystem or HPPK for short is a variant of a MPKC scheme with public keys encrypted using homomorphic encryption operator. We feel it is valuable to provide the reader with a brief summary of MPKC to facilitate better understanding of the HPPK scheme.

Brief summary of MPKC

An interested reader can find the detail description of MPKC schemes by Ding and Yang.³⁹ In this section, we briefly outline the basic mechanism of MPKC algorithms. The framework mainly consists of $ℓ$ quadratic multivariate polynomials

p_{1} (x_{1} \dots x_{m}), p_{2} (x_{1} \dots x_{m}), \dots, p_{ℓ} (x_{1} \dots x_{m})

in

m

variables over finite field

F_{q}

. Each polynomial

p_{k} (x_{1} \dots x_{m})

can be written in its expanded form as

(16)

p_{k} (x_{1} \dots x_{m}) = \sum_{i < j = 1}^{m} p_{ijk} x_{i} x_{j}

for

k = 1, 2, \dots, l

. In the literature Equation (16) is generally written in a matrix form as

(17)

p_{k} (x_{1} \dots x_{m}) = (x_{1} \dots x_{m}) (\begin{array}{c} p_{11 k} & p_{12 k} & \dots & p_{1 mk} \\ \dots & \dots & \dots & \dots \\ p_{i 1 k} & p_{i 2 k} & \dots & p_{imk} \\ \dots & \dots & \dots & \dots \\ p_{m 1 k} & p_{m 2 k} & \dots & p_{mmk} \end{array}) {(x_{1} \dots x_{m})}^{T}

briefly expressed as

p_{k} (x_{1} \dots x_{m}) = \vec{x} \cdot P_{k} \cdot {\vec{x}}^{T},

where

P_{k}

is an

m \times m

square matrix. Considering all

ℓ

polynomials, we can write the MPKC map from

F_{q}^{m}

to

F_{q}^{ℓ}

as a 3-dimensional matrix

P [ℓ] [m] [m]

, which is a trapdoor called the central map. The central map is selected to be easily invertible. In order to protect this central map and its structure, two affine linear invertible maps

T

and

S

are chosen to construct the MPKC public key:

• Public Key: $\bar{P} = T \circ P \circ S$ .
• Private Key: $(T, P, S) .$

The MPKC encryption procedure simply evaluates $ℓ$ polynomials over the field $F_{q}$ as

(18)

\vec{z} = \bar{P} (\vec{x}) = \{z_{1} = p_{1} (x_{1} \dots x_{m}) z_{2} = p_{2} (x_{1} \dots x_{m}) \dots z_{ℓ} = p_{ℓ} (x_{1} \dots x_{m})\}

and decryption works as follows

\vec{u} = T^{- 1} (\vec{z}), \vec{v} = P^{- 1} (\vec{u}), \vec{x} = S^{- 1} (\vec{v}) .

The major step to use MPKC is to construct the invertible central map $P$ over a finite field $F_{q}$ to perform a map: $F_{q}^{m} \to F_{q}^{ℓ}$ .

There may be a potential way to enhance the security of MPKC cryptosystem by applying the proposed homomorphic encryption on its map: $F_{q}^{m} \to F_{q}^{ℓ}$ . The homomorphic encryption effectively hides the public key construction logic over a hidden ring $ℤ_{S}$ . In this case, an encryption key $R_{k}$ is required for each quadratic polynomial $p_{k} (x_{1} \dots x_{m})$ , with value $R_{k}$ chosen over the hidden ring $ℤ_{S}$ for all $k$ . Hence, there are a total of $ℓ$ encryption keys for MPKC. The MPKC encryption in this case is almost the same as the original MPKC encryption. The ciphertext $(z_{1} z_{2} \dots z_{ℓ})$ is to be homomorphically decrypted to create original multivariate equation system, as illustrated in Equation (18). This means, Equation (18) is hidden under the hidden ring $ℤ_{S}$ . On one hand, applying the homomorphic encryption would increase the public key size for MPKC, however, the number of variables can be reduced due to the homomorphic encryption.

In this paper, we are not going to further explore this variant of MPKC schemes but we will focus on another variant of MPKC, called HPPK which we propose in the new section.

HPPK encapsulation

We propose a new variant of an MPKC scheme, called the Homomorphic Polynomial Public Key or HPPK, with the following considerations:

• The vector on the left hand side of the map $P$ is treated as ${\vec{x}}_{l}$ and the vector on the right hand side as ${\vec{x}}_{r}$ ;
• The vector ${\vec{x}}_{l}$ is replaced with ${\vec{x}}_{l} = (x^{0} x^{1} x^{2} \dots x^{n})$ , considering ${\vec{x}}_{l}$ as a message vector in a polynomial vector space represented by a basis $\{x^{0} x^{1} x^{2} \dots x^{n}\}$ for a message variable $x$ and ${\vec{x}}_{r} = (x_{1} \dots x_{m})$ as a noise vector for noise variables $x_{1}, \dots, x_{m}$ ;
• The proposed homomorphic encryption is applied to the central map $P$ , mapping the elements from $F_{q} \to ℤ_{S}$ : $\bar{P} = {\hat{ℰ}}_{(R, S)} P$
and the decryption is de-mapping from $ℤ_{S} \to F_{q}$ : $P = {\hat{ℰ}}_{(R^{- 1}, S)} \bar{P} mod q$
• The number of polynomials is reduced to $ℓ = 2$ ;
• The decryption mechanism is changed from inverting maps to modular division, which automatically cancels the noise used for obscurity.

Key construction

Without loss of generality, we change the notation of the unencrypted central map to $P$ . Under the above considerations, the central map $P$ consists of two multivariate polynomials

(19)

p_{1} (x x_{1} x_{2} \dots x_{m}) = (1 x^{1} \dots x^{n}) (\begin{array}{c} p_{011} & p_{021} & \dots & p_{0 m 1} \\ p_{111} & p_{121} & \dots & p_{1 m 1} \\ \dots & \dots & \dots & \dots \\ p_{i 11} & p_{i 21} & \dots & p_{im 1} \\ \dots & \dots & \dots & \dots \\ p_{n 11} & p_{n 21} & \dots & p_{nm 1} \end{array}) {(x_{1} x_{2} \dots x_{m})}^{T},

and

(20)

p_{2} (x x_{1} x_{2} \dots x_{m}) = (1 x^{1} \dots x^{n}) (\begin{array}{c} p_{012} & p_{122} & \dots & p_{0 m 2} \\ p_{112} & p_{122} & \dots & p_{1 m 2} \\ \dots & \dots & \dots & \dots \\ p_{i 12} & p_{i 22} & \dots & p_{im 2} \\ \dots & \dots & \dots & \dots \\ p_{n 12} & p_{n 22} & \dots & p_{nm 2} \end{array}) {(x_{1} x_{2} \dots x_{m})}^{T} .

Note that the matrix maps $P_{1}$ and $P_{2}$ are of size $(n + 1) \times m$ , thus, no longer square. The construction of $p_{1} (x x_{1} \dots x_{m})$ and $p_{2} (x x_{1} \dots x_{m})$ can alternatively be achieved with polynomial multiplications

(21)

\begin{array}{l} p_{1} (x x_{1} \dots x_{m}) = B (x x_{1} \dots x_{m}) f_{1} (x) \\ p_{2} (x x_{1} \dots x_{m}) = B (x x_{1} \dots x_{m}) f_{2} (x), \end{array}

where the base multivariate polynomial

B (x x_{1} x_{2} \dots x_{m})

and univariate polynomials

f_{1} (x)

and

f_{2} (x)

have the following generic forms

(22)

B (x x_{1} \dots x_{m}) = \sum_{i = 0}^{n_{b}} \sum_{j = 1}^{m} b_{ij} x^{i} x_{j}

f_{1} (x) = \sum_{i = 0}^{λ} f_{1 i} x^{i}

f_{2} (x) = \sum_{i = 0}^{λ} f_{2 i} x^{i} .

Here, $n_{b}$ and $λ$ are orders of base multivariate polynomial and univariate polynomials with respect to message variable $x$ respectively. Without loss of generality, we assume that the univariate polynomials $f_{1} (x)$ and $f_{2} (x)$ are solvable, in other words $λ < 5$ . Using Equations (21) and (22), we can express

(23)

\begin{array}{l} p_{1} (x x_{1} \dots x_{m}) = \sum_{i = 0}^{n} \sum_{j = 1}^{m} p_{ij 1} x^{i} x_{j} = {\vec{x}}_{l} \cdot P_{1} \cdot {\vec{x}}_{r} \\ p_{2} (x x_{1} \dots x_{m}) = \sum_{i = 0}^{n} \sum_{j = 1}^{m} p_{ij 2} x^{i} x_{j} = {\vec{x}}_{l} \cdot P_{2} \cdot {\vec{x}}_{r}, \end{array}

with

p_{ij 1} = \sum_{s + t = i} b_{sj} f_{1 t}

and

p_{ij 2} = \sum_{s + t = i} b_{sj} f_{2 t}

being the coefficients, and

n = n_{b} + λ

. It is apparent that the plain central map

P

as shown in Equation (19) and Equation (20) expanded as Equation (23) inherits a lot of structure. Given that the components of the central map are private key elements, the map in its unaltered form is not secure against potential attacks such as polynomial factorization, root finding, etc. To secure the central map, we apply homomorphic encryption operator to the plain central map by acting with

{\hat{ℰ}}_{(R_{1}, S)}

on

p_{1} (x x_{1} \dots x_{m})

and

{\hat{ℰ}}_{(R_{2}, S)}

on

p_{2} (x x_{1} \dots x_{m})

. To be more precise, the cipher central map consists of two polynomials

(24)

P_{1} (x x_{1} \dots x_{m}) = \sum_{i = 0}^{n} \sum_{j = 1}^{m} (R_{1} p_{ij 1} mod S) x^{i} x_{j} = {\vec{x}}_{l} \cdot P_{1} \cdot {\vec{x}}_{r}

(25)

P_{2} (x x_{1} \dots x_{m}) = \sum_{i = 0}^{n} \sum_{j = 1}^{m} (R_{2} p_{ij 2} mod S) x^{i} x_{j} = {\vec{x}}_{l} \cdot P_{2} \cdot {\vec{x}}_{r} .

We set public key to be the cipher central map $P$ , while private key consists of the homomorphic operators, the hidden ring, together with univariate polynomials:

Security parameters: $n_{b}, λ$ , and the prime finite field $F_{q}$ which is agreed on before the key generation procedure.

Private key:

• hidden ring $ℤ_{S}$ with a randomly selected $S$ for the required bit length;
• homomorphic encryption key values $R_{1}$ and $R_{2}$ chosen from $ℤ_{S}$ ;
• univariate polynomials $f_{1} (x)$ and $f_{2} (x)$ with coefficients randomly selected from $F_{q}$ ;

Public key: the map $P$ , consisting of

• polynomial $P_{1} ({\vec{x}}_{l}, {\vec{x}}_{r}) = {\vec{x}}_{l} \cdot P_{1} \cdot {\vec{x}}_{r}$
• polynomial $P_{2} ({\vec{x}}_{l}, {\vec{x}}_{r}) = {\vec{x}}_{l} \cdot P_{2} \cdot {\vec{x}}_{r}$

Encryption

Encryption is straightforward, by determining the value for the secret $x$ and randomly choosing values for the noise variables $x_{1}, \dots, x_{m}$ over the field $F_{q}$ and evaluating ciphertext integer values ${\bar{P}}_{1}$ and ${\bar{P}}_{2}$ . That is, the ciphertext consists of two integer values $C = ({\bar{P}}_{1}, {\bar{P}}_{2}),$ where

(26)

\begin{array}{l} {\bar{P}}_{1} = \sum_{i = 0}^{n} \sum_{j = 1}^{m} P_{ij 1} (x_{j} x^{i} mod q) \\ {\bar{P}}_{2} = \sum_{i = 0}^{n} \sum_{j = 1}^{m} P_{ij 2} (x_{j} x^{i} mod q) . \end{array}

Here, $P_{ij 1}$ and $P_{ij 2}$ denote the cipher coefficients encrypted with the homomorphic encryption operators. Note that the cipher polynomials have coefficients in the hidden ring $ℤ_{S}$ , and all monomial calculations are performed $mod q$ , the rest of the arithmetic is performed over integers. The values ${\bar{P}}_{1}$ , and ${\bar{P}}_{2}$ are integers forming the ciphertext $C = \{P_{1}, P_{2}\}$ .

Decryption

It is easy to verify that the HPPK map as in Equation (19) and Equation (20), under construction as shown in Equation (21), holds a division invariant property on the multiplicand or the base multivariate polynomial $B (x x_{1} x_{2} \dots x_{m})$ . Indeed,

\frac{p_{1} (x x_{1} \dots x_{m})}{p_{2} (x x_{1} \dots x_{m})} = \frac{B (x x_{1} \dots x_{m}) f_{1} (x)}{B (x x_{1} \dots x_{m}) f_{2} (x)} = \frac{f_{1} (x)}{f_{2} (x)} .

The first step in the decryption process is to apply the homomorphic decryption operator to the ciphertext to recover plain polynomial values ${\bar{p}}_{1}$ and ${\bar{p}}_{2}$ , which are evaluation results of plain multivariate polynomials $p_{1} (x x_{1} \dots x_{m})$ and $p_{2} (x x_{1} \dots x_{m})$ at the chosen message and noises respectively. This can be done as

\begin{array}{l} {\hat{ℰ}}_{(R_{1}^{- 1}, S)} {\bar{P}}_{1} = p_{1} (x x_{1} \dots x_{m}) = {\bar{p}}_{1} \\ {\hat{ℰ}}_{(R_{2}^{- 1}, S)} {\bar{P}}_{2} = p_{2} (x x_{1} \dots x_{m}) = {\bar{p}}_{2} . \end{array}

These values are used to compute the ratio $K$ modulo $q$ of the form

(27)

K = \frac{{\bar{p}}_{1}}{{\bar{p}}_{2}} = \frac{p_{1} (x x_{1} \dots x_{m})}{p_{2} (x x_{1} \dots x_{m})} = \frac{f_{1} (x)}{f_{2} (x)} mod q

Note that the noise vector ${\vec{x}}_{r}$ is automatically eliminated through the division. The secret $x$ can then be found from Equation (27) by radicals if $f_{1} (x)$ and $f_{2} (x)$ are solvable such as linear or quadratic polynomials. The optimal choice of $λ$ is $1$ in the framework of the HPPK algorithm. This division invariant property is the foundation for the HPPK encapsulation to be indistinguishable under chosen plaintext attacks.

A toy example

We demonstrate how HPPK works with a toy example.

Key pair generation

Considering a prime field $F_{13}$ with the prime $q = 13$ and two noise variables $x_{1}, x_{2}$ for the simplicity of the demonstration purpose only, we can choose the hidden ring characterized by an integer of length $> 12$ bits. The private key consists of the following values:

• $S = 6798, R_{1} = 4267, R_{2} = 6475$
• $f_{1} (x) = 4 + 9 x$
• $f_{2} (x) = 10 + 7 x$
• $B (x, x_{1}, x_{2}) = (8 + 7 x) x_{1} + (5 + 11 x) x_{2}$ (note: just for key pair construction procedure; this polynomial is not stored in the memory)

The PPK is simply constructed as

\begin{array}{l} P_{1} (x, x_{1}, x_{2}) = f_{1} (x) B (x, x_{1}, x_{2}) mod 13 = x_{1} (6 + 9 x + 11 x^{2}) + x_{2} (7 + 11 x + 8 x^{2}), \\ P_{2} (x, x_{1}, x_{2}) = f_{2} (x) B (x, x_{1}, x_{2}) mod 13 = x_{1} (2 + 9 x + 10 x^{2}) + x_{2} (11 + 2 x + 12 x^{2}) . \end{array}

The PPK polynomials are encrypted with the self-shared key $R_{1}, R_{2}$ over the ring $ℤ_{S}$

P_{1} (x, x_{1}, x_{2}) = ℰ_{(R_{1}, S)} P_{1} (x, x_{1}, x_{2}) = x_{1} (5208 + 4413 x + 6149 x^{2}) + x_{2} (2677 + 6149 x + 146 x^{2}) \Rightarrow P_{1} = (\begin{array}{c} 5208 & 2677 \\ 4413 & 6149 \\ 6149 & 146 \end{array})

P_{2} (x, x_{1}, x_{2}) = ℰ_{(R_{2}, S)} P_{2} (x, x_{1}, x_{2}) = x_{1} (6152 + 3891 x + 3568 x^{2}) + x_{2} (3245 + 6152 x + 2922 x^{2}) \Rightarrow P_{2} = (\begin{array}{c} 6152 & 3245 \\ 3891 & 6152 \\ 3568 & 2922 \end{array})

to create the so-called CPK

P_{1}

and

P_{2}

.

Encryption

We randomly choose variables from $F_{13}$ : $x = 8, x_{1} = 3, x_{2} = 6 .$ We, then, pre-calculate values

\begin{array}{c} x_{11} = x_{1} x mod 13 = 8 \times 3 mod 13 = 11, \\ x_{12} = x_{1} x^{2} mod 13 = 8^{2} \times 3 mod 13 = 10, \\ x_{21} = x_{2} x mod 13 = 8 \times 6 mod 13 = 9, \\ x_{22} = x_{2} x^{2} mod 13 = 8^{2} \times 6 mod 13 = 7 . \end{array}

Now we can calculate the ciphertext $C = \{198082, 192229\}$ as follows

\begin{array}{l} {\bar{P}}_{1} = x_{1} (5208 + 4413 x + 6149 x^{2}) + x_{2} (2677 + 6149 x + 146 x^{2}) = 198082 \\ {\bar{P}}_{2} = x_{1} (6152 + 3891 x + 3568 x^{2}) + x_{2} (3245 + 6152 x + 2922 x^{2}) = 192229 \end{array}

Decryption

We first perform the homomorphic decryption to rebuild the plain polynomial equations

P_{1} (x, x_{1}, x_{2}) = f_{1} (x) B (x, x_{1}, x_{2}) = [ℰ_{(R_{1}^{- 1}, S)} 198082] mod 13 = [\frac{198082}{4267} mod 6798] mod 13 = 8

P_{2} (x, x_{1}, x_{2}) = f_{2} (x) B (x, x_{1}, x_{2}) = [ℰ_{(R_{2}^{- 1}, S)} 192229] mod 13 = [\frac{192229}{6475} mod 6798] mod 13 = 9

then we can eliminate the noise introduced by the base multivariate polynomial

\frac{P_{1} (x, x_{1}, x_{2})}{P_{2} (x, x_{1}, x_{2})} = \frac{4 + 9 x}{10 + 7 x} = \frac{8}{9} mod 13 = 11

where the secret

x

can be easily extracted as

x = 8

. The encryption can be done with any possible values for

x_{1}

and

x_{2}

at a given secret

x

, which would produce different ciphertext

C

, but the decryption would reveal the same secret. This simple toy example demonstrates its capability of randomized encryption.

HPPK security analysis

In this section, we analyze the security of the proposed HPPK algorithm. The security of HPPK relies on the computational hardness of the Modular Diophantine Equation, introduced in Definition 0.1, and Hilbert’s tenth Problem, introduced in Definition 0.7. We begin by proving that HPPK satisfies the IND-CPA indistinguishability property. These results are then extended to prove that the task of recovering plaintext from the ciphertext in the framework of HPPK is NP-complete, and state its classical and quantum complexity. Afterward, we focus on the private key attack and prove that the problem of obtaining the private key from the public key is NP-complete. Here we also provide classical and quantum complexities of obtaining private key from the public key.

Plaintext attack

An attentive reader will notice that the evaluated ciphertext as illustrated in Equation (26) has not been reduced modulo any integer. Thus, an adversary looking to perpetrate an attack to recover the plaintext can treat the coefficients of the polynomials in Equation (26) and evaluated ciphertext as integers. The plaintext values, sought after by the adversary, are elements of the field $F_{q}$ , thus the malicious party can reduce the public values of the ciphertext modulo $q$ to solve for plaintext variables in the Equation (26). We formally phrase it in the following remark.

Remark 0.0.1.

For the purpose of obtaining the plaintext, the ciphertext and cipher coefficients as illustrated in the Equation (26) can be considered modulo $q$ as follows

(28)

C = \{\begin{cases} \sum_{i = 0}^{n} \sum_{j = 1}^{m} P_{ij 1} x_{j} x^{i} - {\bar{P}}_{1} = 0 (mod q) \\ \sum_{i = 0}^{n} \sum_{j = 1}^{m} P_{ij 2} x_{j} x^{i} - {\bar{P}}_{2} = 0 (mod q) \end{cases}

Definition 0.1

(Modular Diophantine Equation). The Modular Diophantine Equation asks whether an integer solution exists to the equation

P (y_{1} \dots y_{k}) - 1 = 0 mod q,

given as an input of a polynomial

P (y_{1} \dots y_{k})

and a prime

q .

Remark 0.0.2.

A positive answer to this question would include a solution.

Let $m + 1 > 2$ . Note that the system in the Equation (28) can be normalized as

(29)

C = (\begin{array}{c} \sum_{i = 0}^{n} \sum_{j = 1}^{m} P_{ij 1}^{'} x_{j} x^{i} - 1 = 0 (mod q), \\ \sum_{i = 0}^{n} \sum_{j = 1}^{m} P_{ij 2}^{'} x_{j} x^{i} - 1 = 0 (mod q) . \end{array}

A naive way of solving such a normalized system is to solve each equation and find a common solution. Each such equation is an instance of a Modular Diophantine Equation. The more obvious way to solve the system in Equation (28) would be to use Gaussian elimination and transform the system into a single equation. Indeed, since the coefficients of the ciphertext are publicly known, and the noise variables are linear in the ciphertext, the adversary can express any noise variable using the remaining terms of the equation and reduce the system to a single equation of the form

(30)

H (x x_{1} \dots x_{m - 1}) - 1 = 0

over

F_{q}

with

m

unknowns, where

m > 1

. We assume that the adversary favours the ciphertext form with fewer variables. Thus, from the perspective of the adversary the ciphertext has form as in Equation (30). From here on forward, we consider the ciphertext in the form given in Equation (30). We formally define said form below.

Definition 0.2

Let $m + 1 > 2$ . The ciphertext in its normalized reduced form is a single equation

(31)

H (x x_{1} \dots x_{m - 1}) - 1 = 0

over

F_{q}

, where

x

corresponds to the plaintext variable and the remaining variables are noise variables.

Note that even in its normalized reduced form the ciphertext is an instance of a Modular Diophantine Equation. Since $m + 1 > 2$ we can argue that the adversary does not benefit much by reducing the system in Equation (29) to a single equation (31), and eliminating one variable. The number of expected solutions to the Equation (31) remains $q^{m - 1}$ , and the adversary is facing with the problem of deciding which solution is the correct one. That is, a brute-force search algorithm can find a list of solutions to the Equation (31) by trying all the possible $m - 1$ variables values over $F_{q}$ . The adversary is interested in a particular solution from the list.

One might argue that the attacker is interested only in the plaintext variable $x \in F_{q}$ . Thus, the adversary can simply guess the value $x$ . The complexity of this guess is $O (q)$ . This is a probabilistic attack. For a deterministic result, this guess has to be tested for correctness. This will require coming up with values for the noise variables and testing whether the guess is correct. Moreover, NIST requires the size of the actually communicated secret to be $32$ bytes.⁶¹ Thus, the secret that is transferred between two parties consists of $v = 32 / {|q|}_{8}$ blocks, where each block is ${|q|}_{2}$ bits. Each block corresponds to the HPPK secret $x$ . The secret message is then $v$ different values $x$ concatenated together to form a 32 byte secret. Each such block $x$ is encrypted separately using HPPK. The complexity of correctly guessing the transferred secret message is then $O (q^{v})$ , where $v = 32 / q,$ comparing with the complexity $O (q^{v (m - 1)})$ of attacking all blocks.

Theorem 0.1

The Modular Diophantine Equation Problem is NP-complete.

Proof.

The proof, using the Boolean Satisfiability Problem, is given by Moore and Meterns [,⁶² Section 5.4.4]. □

Theorem 0.1 states that a brute-force search algorithm can find a solution to the Modular Diophantine Equation by trying all the possible solutions. Thus, without loss of generality, we treat the ciphertext-only attack on a ciphertext in its normal reduced form as a Modular Diophantine Problem. Indeed, by Theorem 0.1 the algorithm to find a solution to a Modular Diophantine Equation does not simply terminate to give a solution, it is a brute-force search algorithm that considers every possible solution before producing a result. In other words, it goes through all the possibilities to choose the correct one.

IND-CPA indistinguishability property and ciphertext only attack

We suppose that the adversary will choose to perpetrate the attack on the ciphertext in its normal reduced form as in Equation (31), for its easier to attack. In the framework of HPPK, the public key elements are the coefficients of the ciphertext polynomials.

Theorem 0.2

(HPPK has IND-CPA property). Let $m > 1$ , where $m$ is the total number of variables in the normalized reduced form of the ciphertext as in Equation (31). If the Modular Diophantine Equation is NP-complete, the HPPK encryption system is provably secure in the IND-CPA security model with a reduction loss of $q^{m - 2}$ .

Proof.

Assume that there exists an adversary $A$ that $(t, ε)$ -breaks the HPPK encryption system in the IND-CPA security model. We construct a simulator $ℬ$ that solves the Modular Diophantine Equation. Given as input, a Modular Diophantine Equation instance $(q, H (x x_{1} \dots x_{m - 1}))$ , where $H (x x_{1} \dots x_{m - 1})$ is of the form Equation (31) and $m > 1$ , the simulator $ℬ$ runs $A$ as follows. The simulator sets the normalized public key over $F_{p}$ to the coefficients of the polynomial $H (x x_{1} \dots x_{m - 1})$ . The challenge consists of the following game. The adversary $A$ generates two distinct messages $m_{0}$ and $m_{1} \in F_{q}$ , and submits them to the simulator. The simulator $ℬ$ randomly chooses $b$ in $\{0, 1\}$ as well as random values $r_{1}, \dots, r_{m - 1}$ for the noise variables, and sets the ciphertext to be the value

\bar{H} = H (m_{b} r_{1} \dots r_{m - 1}) .

The challenge for the adversary then consists of the following equation to be solved for $x$ :

\hat{H} (x x_{1} \dots x_{m - 1}) - 1 = 0

over

F_{q}

. Here,

\hat{H} (x x_{1} \dots x_{m - 1}) = \frac{1}{\bar{H}} H (x x_{1} \dots x_{m - 1}) .

This equation remains to meet the definition of the Modular Diophantine Equation $H (x x_{1} \dots x_{m - 1}) - 1 = 0$ , since the value $\frac{1}{\bar{H}}$ can be pushed to the noise variables, which are random and do not influence the plaintext. Indeed, let $h_{ij}$ be the coefficients of the polynomial $H (x x_{1} \dots x_{m - 1})$ for any $i \in \{0 \dots n\}$ and $j \in \{1 \dots m - 1\}$ , then

\sum_{i = 0}^{l} \sum_{j = 1}^{m - 1} h_{ij} x^{i} x_{j} \times \frac{1}{H (m_{b} r_{1} \dots r_{m - 1})} = \sum_{i = 0}^{l} \sum_{j = 1}^{m - 1} h_{ij} x^{i} x_{j}^{'},

where

x_{j}^{'} = \frac{x_{j}}{\bar{H}} .

The challenge in this case is correct, as it corresponds to the challenged plaintext and remains in the form of a Diophantine equation chosen by the simulator.

The coefficients of the challenge equation come from the submitted Diophantine equation, and thus, from the point of view of the adversary are random. The values $r_{1}, \dots, r_{m - 1}$ are selected at random. The adversary does not have knowledge of the values $\{x_{1}^{'} \dots x_{m - 1}^{'}\}$ and they can not be calculated from the other parameters given to the adversary. So the noise variables $x_{j^{'}}$ for all $j \in \{1 \dots m - 1\}$ are random. Hence, the simulation holds randomness property. By construction, the simulation is indistinguishable from a real attack. That is, the adversary is challenged with solving the equation as in the Equation (30), which is HPPK ciphertext in its normalized reduced form.

The simulator does not abort in the simulation while interacting with the adversary. The adversary outputs a random guess $b^{'}$ of $b$ . When $b^{'}$ is equal to $b$ , the adversary wins. Otherwise, the adversary looses. The probability of simply guessing the value for $x$ is $Pr = \frac{1}{2}$ . We will calculate the probability of solving the IND-CPA challenge with the advantage of the adversary, that is $Pr = \frac{1}{2} + α$ . The advantage comes from the assumption that the adversary can break the HPPK cryptosystem.

The challenge has a general form as in the Equation (31), thus, the equation is expected to have $q^{m - 1}$ distinct solutions, considering all $m$ variables. On the other hand, it is known that the variable $x \in \{m_{0}, m_{1}\}$ . Assuming $x = m_{0}$ , there are now $q^{m - 2}$ possible solutions to choose the correct solution from. The same is true for $x = m_{1}$ . That is, the probability of finding correct solution of the equation $H (x x_{1} \dots x_{m - 1}) - 1 = 0$ is

Pr (correct solution| x_{0} = m_{0}) = Pr (correct solution| x = m_{1}) = \frac{1}{q^{m - 2}},

where

Pr (correctsolution)

denotes probability of finding the correct solution to the equation

H (x x_{1} \dots x_{m - 1}) - 1 = 0

. Then by the law of total probability, the probability of solving the challenge equation is

Pr (correct solution) = Pr (correct solution| x = m_{0}) Pr (x = m_{0}) + Pr (correct solution| x = m_{1}) Pr (x = m_{1}) = \frac{1}{q^{m - 2}} .

Accounting for the advantage that the adversary has, the probability $α$ is $Pr (correct solution) = \frac{ε}{q^{m - 2}}$ . The total probability of solving the IND-CPA challenge is then $\frac{1}{2} + \frac{ε}{q^{m - 2}} .$

The simulation is indistinguishable from a real attack. So the adversary who can break the challenge ciphertext will uncover the solution to the given Modular Diophantine Equation problem. The probability of breaking the ciphertext is $\frac{ε}{q^{m - 2}}$ .

The advantage of solving the Diophantive Equation problem is then $\frac{ε}{q^{m - 2}} .$ Let $T_{s}$ denote the time cost of the simulation. We have $T_{s} = O (1)$ . The simulator $ℬ$ solves the Modular Diophantine Equation with time cost and advantage $(t + T_{s}, ε / q^{m - 2}) = (t, ε / q^{m - 2})$ . Thus, contradicting the Theorem 0.1 so the initial assumption is wrong. □

The framework of the IND-CPA challenge entails known plaintext, in other words, the adversary knows that the secret $x \in \{m_{0}, m_{1}\} .$ We now state the complexity of the unknown plaintext ciphertext-only attack.

Lemma 0.3

(Ciphertext-only attack). Let $m + 1 > 2$ . The classical complexity of finding the plaintext from the ciphertext is $O (q^{m - 1}) .$

Proof.

Let the adversary favour the ciphertext in its reduced normal form (31). Without any knowledge about the plaintext, the adversary will need to solve the Equation (31) to obtain the plaintext along with the noise variables. A single equation over $F_{q}$ with $m$ variables is expected to have $q^{m - 1}$ possible solutions over $F_{q}$ . The correct one is among them. That is, the plaintext encapsulated in a single variable $x$ is not the sole variable in the ciphertext equation. However, it is the only unknown of interest. The adversary can try and simply guess $x$ , the complexity of the guess is $O (q)$ . However, they have to test whether their guess is correct. Moreover, the secret transferred between the communicating parties consist of 32 bytes as required by NIST. Thus, the adversary will have to guess $K$ many values for $x$ , where $K = \frac{32 \times 8}{q}$ . In this case, the complexity is $O (q^{K}) .$ We expect $K > m - 1 .$ Quantum complexity of the described attack due to Grover’s search algorithm is $O (q^{\frac{m - 1}{2}}) .$ □

Private key attack

Lemma 0.4.

Let $λ \leq 2$ . There exists a polynomial time algorithm to find coefficients of univariate polynomials $f_{1} (x_{0})$ and $f_{2} (x_{0})$ given the plain central maps $P_{1}$ and $P_{2}$ .

Proof.

Note that all the plain coefficients of the polynomials $p_{1} (x x_{1} \dots x_{m})$ and $p_{2} (x x_{1} \dots x_{m})$ as defined in Equation (22) are defined over the prime field $F_{q}$ . Thus, for any fixed $j$ , it is possible to use Gaussian elimination to reduce the system of equations formed by the plain coefficients of $p_{1} (x x_{1} \dots x_{m})$ and $p_{2} (x x_{1} \dots x_{m})$ of the form

(32)

\{\begin{cases} f_{z 0} b_{0 j} = p_{0 jz}, \\ f_{z 1} b_{0 j} + f_{z 0} b_{1 j} = p_{1 jz}, \\ ⋮ \\ f_{zλ} b_{n_{b} j} = p_{njz}, \end{cases}

where

z \in \{1, 2\}

corresponding to either plain polynomial

p_{1} (x x_{1} \dots x_{m})

or

p_{2} (x x_{1} \dots x_{m})

for any given noise variable

x_{j}

. Gaussian elimination would produce a single polynomial in

λ

variables, namely

\frac{f_{z 2}}{f_{z 0}}

and

\frac{f_{z 1}}{f_{z 0}}

for

λ = 2

or

\frac{f_{z 1}}{f_{z 0}}

if

λ = 1

. Such univariate or bivariate equation is solvable. Depending on the HPPK parameters, the adversary can simply use radical solutions, Evdokimov’s algorithm,⁶³ or resultants together with Evdokimov’s algorithm to solve such equation.⁶³^,⁶⁴ Gaussian elimination can be performed in polynomial time, and finding solutions by radicals, Evdokimov’s algorithm and computing resultants all have polynomial time complexity.⁶³^,⁶⁴ □

Lemma 0.5.

Let $λ \leq 2$ . Finding private key from the cipher public key in the framework of HPPK reduces to finding the homomorphic encryption key $S, R_{1},$ and $R_{2} .$

Proof.

The private key consists of the coefficients of the univariate polynomials $f_{1} (x), f_{2} (x)$ as well as values $S, R_{1}, R_{2}$ used to encrypt the plain public key to the cipher public key. By Lemma 0.4 once the values $R_{1}, R_{2}$ and $S$ are known, the coefficients of $f_{1} (x), f_{2} (x)$ can be found in polynomial time. □

Definition 0.3

(Diophantine set). The Diophantine set is a set $S \subset ℕ$ associated with a Diophantine equation $P (b a_{1} \dots a_{k}) \in ℤ [b a_{1} \dots a_{k}],$ where $k > 0$ such that

b \in S if and only if (\exists a_{1} \dots a_{k}) (P (b a_{1} \dots a_{m}) = 0)

Theorem 0.6

(MRDP Theorem). The Matiyasevich–Robinson–Davis–Putnam (MRDP) theorem states that every computably enumerable set is Diophantine, and every Diophantine set is computably enumerable.

Proof.

The result has been proven in various works, for instance.⁶⁵ □

Theorem 0.7

(Hilbert's tenth problem) Hilbert’s tenth problem asks whether the general Diophantine Problem is solvable. Due to MRDP, Hilbert’s tenth problem is undecidable.

Proof.

For proof see.⁶⁵ □

Theorem 0.8.

Private key attack is non-deterministic and has complexity of at least $O (T^{3})$ , where $T$ is the largest number with $(n + λ + 1) {|q|}_{2} + | (| q {|_{2})|}_{2}$ bit-length.

Proof.

By Lemma 0.4 and 0.5 the attack on public key reduces to finding the values $S, R_{1}$ , and $R_{2} .$ From the perspective of the attacker, the values $S, R_{1}$ , and $R_{2}$ could be treated as a one-time pad keys as they have been chosen at random, and can not be calculated from other parameters given to the attacker. An obvious attack would be a brute force search for all the three values, $S, R_{1}$ , and $R_{2} .$ The direct brute force search classical complexity would be greater than $O (T^{3})$ for the three values together, where $T$ is the largest $(n + λ + 1) {|q|}_{2} + | (| q {|_{2})|}_{2}$ -bit number. Due to Grover’s algorithm, the quantum complexity is greater than $O (T^{\frac{3}{2}}) .$ Note however, because of the condition $gcd (S, R_{1}) = gcd (S, R_{2}) = 1$ , once $S$ is found the search span for $R_{1}$ and $R_{2}$ reduces. Brute force search entails a non-deterministic result, however, we provide a more formal argument below.

For each fixed chose of $j$ , each public key coefficient can be written in the integer domain as follows

(33)

\{\begin{cases} f_{z 0} b_{z 0 j}^{'} = r_{0 jz} S + P_{0 jz}, \\ f_{z 1} b_{z 0 j}^{'} + f_{z 0} b_{z 1 j}^{'} = r_{1 jz} S + P_{1 jz}, \\ ⋮ \\ f_{zλ} b_{{zn}_{b} j}^{'} = r_{njz} S + P_{njz}, \end{cases}

with

j = 1, \dots, m

,

z = 1, 2

, and

b_{zij}^{'} = R_{z} b_{ij}

. Here,

R_{z}

, and

S

are unknowns from the hidden ring

ℤ_{S}

. Values

r_{ijz}

are merely some unknown integers. The only known values are those of the form

P_{ijz}

. Using Gaussian eliminations, all unknowns of the form

b_{zij}^{'}

can be eliminated, and the equation system in Eq (33) can be reduced to a single equation over

ℤ

(34)

P (f_{z 0} \dots f_{zλ} r_{0 jz} \dots r_{njz} S) - \bar{P} = 0 .

Solving such equation by Theorem 0.6 and 0.7 is an NP-complete task. For each $j$ , we can generate one such equation. Considering them all together, the adversary will arrive at an underdetermined system as the variables in the system depend on $j$ . Each equation in such a system is a multivariate Diophantine equation. One way to solve this system is to solve each equation separately and search for common solutions. However, by Theorem 0.6 and 0.7 this is an NP-complete problem. Reducing the system to a single polynomial still produces a multivariate Diophantine equation, solving which is an NP-complete problem by Theorem 0.6 and 0.7. □

Security of the homomorphic operator

Recall, that the homomorphic operator ${\hat{ℰ}}_{S, R}$ is defined by the two secret values $S, R$ . These values are known only to the decrypting party and are never shared. Thus, we assume that the adversary can not simply access the homomorphic encryption oracle. Indeed, if the adversary were to have access to such oracle, they could pass $1$ to be encrypted, resulting in the output value $R .$ Thus, the adversary would learn half of the homomorphic secret key. In order to find the value $S$ , the adversary can pass values $R^{- 1} k$ to be encrypted, producing $k$ mod $S .$ The values $k$ can be chosen to determine $S$ . For instance, with public knowledge of the bit-size of $S$ , the adversary can consider an interval between the smallest number of that bit-size and the largest number of that bit-size, and divide that interval in half, where $k$ is the mark at the half. If $k mod S \neq k,$ then $S$ must be smaller than $k$ . If $k mod S = k$ , then $S$ is larger than $k$ . In the first case, take the interval between the smallest number of bit-size $2 {|p|}_{2} + {|L|}_{2}$ and $k$ , and consider the halfway mark. Repeat the experiment, each time decreasing the interval until the value $S$ is “trapped” in a small interval and can be determined. Similarly for the latter case, take the interval between $k$ and the largest number of bit-size $2 {|p|}_{2} + {|L|}_{2}$ , mark a halfway and use that mark value to repeat the experiment. Based on whether or not the value changes, decrease the interval and repeat the experiment. This is only but one way to find $S$ , while $R$ is known.

Since the operation is deterministic, after the values of $R$ and $S$ are fixed, it is important that they remain secret and the adversary does not have access to the homomorphic encryption oracle. Note that in the framework of HPPK, the adversary has access to the public key polynomials which are essentially randomly chosen values encrypted using the homomorphic operator with secret values $R, S .$ Without the knowledge of the values before they were acted on with $ℰ_{R, S}$ , finding $R, S$ can be considered a brute force search problem.

Security conclusion

At large, the security of the HPPK cryptosystem relies on the problem of solving undetermined system of equations over $F_{q}$ . Such system is expected to have $q^{v - w}$ possible solutions, where $v$ is the number of variables and $w$ is the number of equations in the system. The attacker can solve this system to find all possible solutions, however, it is the problem of determining the correct solution from all the possible solutions that makes HPPK secure.

The ciphertext attack requires the adversary to solve an underdetermined system of equations over $F_{q}$ , which can be reduced to a single Modular Diophantine equation. Solving this equation is an NP-complete problem.

The public key attack aimed to unveil the plaintext reduces to a brute force search for three unknown values $S, R_{1}, R_{2} .$ To find these values, the attacker can either use brute-force search or solve an underdetermined system of equations over the integers. The former yields non-deterministic results and the latter is an NP-complete problem.

We conclude that from the point of view of the adversary, the following is true.

Proposition 0.8.1.

The best classical complexity to attack HPPK is $O (q^{m - 1})$ .

Proof.

We assume that the malicious party will take the most advantageous path for them. Thus, by Lemma 0.3, Lemma 0.4, Lemma 0.5, and Theorem 0.8 we can conclude that the best attack is to obtain the plaintext from the ciphertext. Such attack is non-deterministic with classical complexity of $O (q^{m - 1}) .$ □

Conclusions

In this paper, we introduce a new homomorphic encryption scheme intended to secure public keys of multivariate asymmetric cryptosystems. Unlike conventional homomorphic encryption, our scheme uses encrypted plain public keys or CPK that can be published for anyone to use to establish a secret sharing between two parties. Our homomorphic encryption is applied to polynomials, leveraging homomorphic properties and allowing for user input through variables. The homomorphic encryption and decryption operators are modular multiplication operators modulo a hidden value $S$ , with values $R_{1}$ and $R_{2}$ chosen uniformly at random from the hidden ring $ℤ_{S}$ under certain conditions. We propose using this homomorphic encryption in conjunction with Multivariate Polynomial Public-key Cryptosystem (MPKC) to secure polynomial public keys, called Homomorphic Polynomial Public Key (HPPK). We describe the HPPK algorithm in detail, drawing from the framework of MPKC. HPPK public keys are product polynomials of a multivariate and univariate polynomials, encrypted with a homomorphic encryption operator. The ciphertext is created by the encrypting party through the input of plaintext and random noise as public polynomial variables. The decryption procedure involves first homomorphic decryption of the ciphertexts to produce plain polynomial values for a division of two plain polynomials. By construction, such division cancels the base multiplicand polynomial with the noise variable and retains a single equation in one variable. This variable is the plaintext, which can be found by radicals. We provide a thorough security analysis of the HPPK cryptosystem, proving that the hardness of breaking the HPPK algorithm comes from the NP-completeness problem of the Modular Diophantine Equation. We also show that HPPK holds the IND-CPA property. In the future work, we will perform a detailed benchmarking study with variety of configurations as well as a more extensive security analysis, considering attacks that have not been described in the work.

Author contributions

R.K. provided the core ideas. M.P. developed the security analysis. All authors reviewed the manuscript and approved its publication.

Data availability

No data is associated with this article.

Acknowledgements

All authors acknowledge Professor Michel Barbeau for his contributions to the MPPK algorithm and discussions regarding security reductions included in this work.

References

1. Rivest RL, Adleman L, Dertouzos ML: On data banks and privacy homomorphisms. Foundations of Secure Computation, Academia Press; 1978; 169–179.
2. Rivest RL, Shamir A, Adleman LM: Cryptographic communications system and method. US Patent 4,405,829. December 1977.
3. Diffie W, Hellman M: New directions in cryptography. IEEE Trans. Inf. Theory. November 1976; 22(6): 644–654. 0018-9448. Publisher Full Text
4. Koblitz N: Elliptic curve cryptosystems. Math. Comput. 1987; 48(177): 203–209. Publisher Full Text
5. Miller VS: Use of elliptic curves in cryptography.Williams HC, editor. Advances in Cryptology — CRYPTO’85 Proceedings. Berlin, Heidelberg: Springer Berlin Heidelberg; 1986; pages 417–426.
6. Rivest RL, Shamir A, Adleman L: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM. 1978; 21(2): 120–126. Publisher Full Text
7. Elgamal T: A public key cryptosystem and a signature scheme based on discrete logarithms. ADV. IN CRYPTOLOGY. SPRINGER-VERLAG; 1985.
8. Goldwasser S, Micali S: Probabilistic encryption amp; how to play mental poker keeping secret all partial information. Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, STOC’82. New York, NY, USA: Association for Computing Machinery; 1982; page 365–377. 0897910702.
9. Fousse L, Lafourcade P, Alnuaimi M: Benaloh’s dense probabilistic encryption revisited.Nitaj A, Pointcheval D, editors, Progress in Cryptology – AFRICACRYPT 2011. Berlin, Heidelberg: Springer Berlin Heidelberg; 2011; pages 348–362. 978-3-642-21969-6.
10. Paillier P: Public-key cryptosystems based on composite degree residuosity classes.Stern J, editor, Advances in Cryptology — EUROCRYPT’99. Berlin, Heidelberg: Springer Berlin Heidelberg; 1999; 223–238. 978-3-540-48910-8.
11. van Dijk M , Gentry C, Halevi S, et al.: Fully homomorphic encryption over the integers.Gilbert H, editor. Advances in Cryptology – EUROCRYPT 2010. Berlin, Heidelberg: Springer Berlin Heidelberg; 2010; pages 24–43. 978-3-642-13190-5.
12. Chan AC-F: Symmetric-key homomorphic encryption for encrypted data processing. 2009 IEEE International Conference on Communications. 2009; pages 1–5.
13. Kipnis A, Hibshoosh E: Efficient methods for practical fully-homomorphic symmetric-key encryption, randomization, and verification.2012.
14. Gupta CP, Sharma I: A fully homomorphic encryption scheme with symmetric keys with application to private data processing in clouds. 2013 Fourth International Conference on the Network of the Future (NoF). 2013; pages 1–4.
15. Li L, Rongxing L, Choo K-KR, et al.: Privacy-preserving-outsourced association rule mining on vertically partitioned databases. IEEE Trans. Inf. Forensics Secur. 2016; 11(8): 1847–1861. Publisher Full Text
16. Wang B, Zhan Y, Zhang Z: Cryptanalysis of a symmetric fully homomorphic encryption scheme. IEEE Trans. Inf. Forensics Secur. 2018; 13(6): 1460–1467. Publisher Full Text
17. Quanbo Q, Wang B, Ping Y, et al.: Improved cryptanalysis of a fully homomorphic symmetric encryption scheme. Security and Communication Networks. 2019; 2019: 1–6. Publisher Full Text
18. Zhang W, Liu S, Yang X: Rlwe-based homomorphic encryption and private information retrieval. 2013 5th International Conference on Intelligent Networking and Collaborative Systems. 2013; pages 535–540.
19. Zhang X, Xu C, Jin C, et al.: Efficient fully homomorphic encryption from rlwe with an extension to a threshold encryption scheme. Futur. Gener. Comput. Syst. 2014; 36: 180–186. 0167-739X. Special Section: Intelligent Big Data Processing Special Section: Behavior Data Security Issues in Network Information Propagation Special Section: Energy-efficiency in Large Distributed Computing Architectures Special Section: eScience Infrastructure and Applications. Publisher Full Text
20. Kipnis A, Patarin J, Goubin L: Unbalanced oil and vinegar signature schemes. IN ADVANCES IN CRYPTOLOGY — EUROCRYPT 1999. Springer; 1999; pages 206–222.
21. Clough C, Baena J, Ding J, et al.: Square, a new multivariate encryption scheme. Topics in Cryptology – CT-RSA 2009, Lecture Notes in Computer Science. Berlin, Heidelberg: Springer Berlin Heidelberg; pages 252–264. 9783642008610.
22. Porras J, Baena J, Ding J: Zhfe, a new multivariate public key encryption scheme. Post-Quantum Cryptography, Lecture Notes in Computer Science. Cham: Springer International Publishing; pages 229–245. 3319116584.
23. Szepieniec A, Ding J, Preneel B: Extension field cancellation: A new central trapdoor for multivariate quadratic systems. Post-Quantum Cryptography, Lecture Notes in Computer Science. Cham: Springer International Publishing; 2016; pages 182–196. 3319293591.
24. Jacques PATARIN, Nicolas COURTOIS, GOUBIN L: Quartz, 128-bit long digital signatures. Lecture notes in computer science. Berlin: Springer; 2001; pages 282–297. 3540418989.
25. Petzoldt A, Chen M-S, Yang B-Y, et al.: Design principles for hfev- based multivariate signature schemes. Advances in Cryptology – ASIACRYPT 2015, Lecture Notes in Computer Science. Berlin, Heidelberg: Springer Berlin Heidelberg; 2016; pages 311–334. 3662487969.
26. Zhang W, Tan CH: Mi-t-hfe, a new multivariate signature scheme.Groth J, editor, Cryptography and Coding. Cham: Springer International Publishing; 2015; pages 43–56. 978-3-319-27239-9.
27. Ding J, Schmidt DS: Rainbow, a new multivariable polynomial signature scheme. ACNS. 2005.
28. Casanova A, Faugère J-C, Macario-Rat G, et al.: Gemss: A great multivariate short signature.2017.
29. NIST: Post-quantum cryptography.2021. Reference Source
30. NIST: Status report on the second round of the nist post-quantum cryptography standardization process.July 2021. Reference Source
31. Moody D: Status update on the 3rd round.Reference Source
32. McEliece RJ: A Public-Key Cryptosystem Based On Algebraic Coding Theory. Deep Space Network Progress Report. January 1978; 44: 114–116.
33. Avanzi R, Bos J, Ducas L, et al.: Crystals-kyber algorithm specifications and supporting documentation. NIST PQC Round. 2017; 2: 4.
34. Hoffstein J, Pipher J, Silverman JH: Ntru: A ring-based public key cryptosystem.Buhler JP, editor. Algorithmic Number Theory. Berlin, Heidelberg: Springer Berlin Heidelberg; 1998; pages 267–288. 978-3-540-69113-6.
35. Bernstein DJ, Chuengsatiansup C, Lange T, et al.: NTRU prime: Reducing attack surface at low cost.Adams C, Camenisch J, editors. Selected Areas in Cryptography – SAC 2017. Cham: Springer International Publishing; 2018; pages 235–260. 978-3-319-72565-9.
36. Vercauteren IF: Saber: Mod-lwr based kem (round 3 submission).
37. Goubin L, Patarin J, Yang B-Y: Multivariate Cryptography. US, Boston, MA: Springer; 2011; 824–828. 978-1-4419-5906-5. Publisher Full Text
38. Ding J, Petzoldt A, Schmidt DS: Multivariate Public Key Cryptosystems. 2nd ed.New York, NY: Springer; 2020.
39. Ding J, Yang B-Y: Multivariate Public Key Cryptography. Berlin, Heidelberg: Springer Berlin Heidelberg; 2009; 193–241.
40. Matsumoto T, Imai H: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption.Barstow D, Brauer W, Hansen PB, et al., editors. Advances in Cryptology — EUROCRYPT’88. Berlin, Heidelberg: Springer Berlin Heidelberg; 1988; pages 419–453. 978-3-540-45961-3.
41. Wolf C, Preneel B: Large superfluous keys in multivariate quadratic asymmetric systems. Proceedings of the 8th International Conference on Theory and Practice in Public Key Cryptography, PKC’05. Berlin, Heidelberg: Springer-Verlag; 2005; page 275–287. 3540244549.
42. Patarin J, Goubin L: Trapdoor one-way permutations and multivariate polynomials. Proc. of ICICS’97, LNCS 1334. Springer; 1997; pages 356–368.
43. Patarin J: Hidden fields equations (hfe) and isomorphisms of polynomials (ip): Two new families of asymmetric algorithms.Maurer U, editor. Advances in Cryptology — EUROCRYPT’96. Berlin, Heidelberg: Springer Berlin Heidelberg; 1996; pages 33–48. 978-3-540-68339-1.
44. Wang LC, Yang BY, Hu YH, et al.: A medium field multivariate public-key encryption scheme. In CT-RSA 2006, volume 3860 of LNCS. 132–149.
45. Wang X, Wang X: An improved medium field multivariate public key cryptosystem. 2008 Third International Conference on Convergence and Hybrid Information Technology. 2008; volume 2: pages 1120–1124.
46. Faugére J-C: A new efficient algorithm for computing gröbner bases (f4). Journal of Pure and Applied Algebra. 1999; 139(1): 61–88. 0022-4049. Publisher Full Text
47. Faugère JC: A new efficient algorithm for computing gröbner bases (f4). ISSAC’02: PROCEEDINGS OF THE 2002 INTERNATIONAL SYMPOSIUM ON SYMBOLIC AND ALGEBRAIC COMPUTATION. 2002; pages 75–83.
48. Ding J, Gower JE, Schmidt DS: Zhuang-zi: A new algorithm for solving multivariate polynomial equations over a finite field. IACR Cryptol. ePrint Arch. 2006; 38: 2006.
49. Courtois N, Klimov A, Patarin J, et al.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. Advances in Cryptology - EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000, Proceeding, volume 1807 of Lecture Notes in Computer Science. Springer; 2000; pages 392–407.
50. Goubin L, Courtois NT: Cryptanalysis of the ttm cryptosystem.Okamoto T, editor. Advances in Cryptology — ASIACRYPT 2000. Berlin, Heidelberg: Springer Berlin Heidelberg; 2000; pages 44–57. 978-3-540-44448-0.
51. Kipnis A, Patarin J, Goubin L: Unbalanced oil and vinegar signature schemes.Stern J, editor. Advances in Cryptology — EUROCRYPT’99. Berlin, Heidelberg: Springer Berlin Heidelberg; 1999; pages 206–222.978-3-540-48910-8.
52. Kuang R: A deterministic polynomial public key algorithm over a prime galois field gf(p). 2021 2nd Asia Conference on Computers and Communications (ACCC). 2021; pages 79–88.
53. Kuang R, Barbeau M: Indistinguishability and non-deterministic encryption of the quantum safe multivariate polynomial public key cryptographic system. 2021 IEEE Canadian Conference on Electrical and Computer Engineering (CCECE). 2021; pages 1–5.
54. Kuang R, Barbeau M: Performance analysis of the quantum safe multivariate polynomial public key algorithm. 2021 IEEE International Conference on Quantum Computing and Engineering (QCE). IEEE; 2021; pages 351–358.
55. Kuang R, Barbeau M: Performance analysis of the quantum safe multivariate polynomial public key algorithm. 2021 IEEE International Conference on Quantum Computing and Engineering (QCE). 2021; pages 351–358.
56. Kuang R, Perepechaenko M, Barbeau M: A new post-quantum multivariate polynomial public key encapsulation algorithm. Quantum Inf. Process. 2022; 21. Publisher Full Text
57. Kuang R, Perepechaenko M, Barbeau M: A new quantum-safe multivariate polynomial public key digital signature algorithm. Sci. Rep. 2022; 12: 13168. PubMed Abstract | Publisher Full Text | Free Full Text
58. Ding J, Petzoldt A, Schmidt DS: Multivariate Cryptography. New York, NY: Springer US; 2020; 7–23. 978-1-0716-0987-3.
59. Ding J, Petzoldt A, Schmidt DS: The SimpleMatrix Encryption Scheme. New York, NY: Springer US; 2020; 169–183. 978-1-0716-0987-3.
60. Ding J, Petzoldt A, Schmidt DS: Hidden Field Equations. New York, NY: Springer US; 2020; pages 61–88. 978-1-0716-0987-3.
61. National Institute for Standards and Technology: Post-Quantum Cryptography; Call for Proposals.2017. Reference Source
62. Moore C, Mertens S: The Nature of Computation. OUP Oxford; 2011. 9780199233212. Reference Source
63. Evdokimov S: Factorization of polynomials over finite fields in subexponential time under grh. International Algorithmic Number Theory Symposium. Springer; 1994; pages 209–219.
64. Stiller PF: An introduction to the theory of resultants.2004.
65. Matiyasevich Y: Hilbert’s tenth problem. Cambridge, MA: Foundations of Computing Series. MIT Press; 1993. Translated from the 1993 Russian original by the author, with a foreword by Martin Davis.

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 17 Oct 2023

Author details Author details

¹ Quantropi Inc., Ottawa, ON, K1Z 8P9, Canada

Randy Kuang
Roles: Conceptualization, Methodology, Project Administration, Supervision, Writing – Original Draft Preparation, Writing – Review & Editing

Maria Perepechaenko
Roles: Formal Analysis, Investigation, Writing – Original Draft Preparation, Writing – Review & Editing

Competing interests

The authors are associated with Quantropi Inc., a company which offers quantum-secure software solutions. Elements of research presented in this paper are or may become incorporated in the company's commercial solutions.

Grant information

The author(s) declared that no grants were involved in supporting this work.

Article Versions (1)

version 1

Published: 17 Oct 2023, 12:1347

https://doi.org/10.12688/f1000research.133031.1

Copyright

© 2023 Kuang R and Perepechaenko M. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Download

Export To

metrics

	Views	Downloads
F1000Research	-	-
PubMed Central Data from PMC are received and updated monthly.	-	-

Citations

0

SEE MORE DETAILS

CITE

how to cite this article

Kuang R and Perepechaenko M. A novel homomorphic polynomial public key encapsulation algorithm [version 1; peer review: 1 approved, 1 approved with reservations]. F1000Research 2023, 12:1347 (https://doi.org/10.12688/f1000research.133031.1)

NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article.

track

receive updates on this article

Track an article to receive email alerts on any updates to this article.

Open Peer Review

Version 1

VERSION 1

PUBLISHED 17 Oct 2023

Views

4

Reviewer Report 22 Mar 2024

Taniya Hasija, Chitkara University Institute of Engineering and Technology,, Chitkara University, Rajpura, Punjab, India

Approved with Reservations

https://doi.org/10.5256/f1000research.145999.r242797

A novel homomorphic polynomial public key encapsulation algorithm
The author has presented a proposed method named as homomorphic polynomial public key encapsulation algorithm that incorporates an additional layer of encryption during key construction procedure, through a hidden ring. The ... Continue reading

A novel homomorphic polynomial public key encapsulation algorithm
The author has presented a proposed method named as homomorphic polynomial public key encapsulation algorithm that incorporates an additional layer of encryption during key construction procedure, through a hidden ring. The proposed algorithm is applied to Multivariate Public Key Cryptography Schemes (MPKC) to hide the structure of their central map construction. A homomorphic operator is performed to encrypt the public key, called as new variant of MPKC. There is a need for some improvemeAczxnts before acceptance of the manuscript.
1. The abstract should begin by outlining the background information or context of your field, followed by the precise subject of your study, a problem statement, and the course of action for this article. Finally, take into account the significance of your work, particularly how the community will benefit from your article.
There are several errors in the abstract, which is not up to par. Certain lines lack context, while others are incomplete. There is not enough clarity.
2. Title of the article is general; it should be specific.
3. The meaning of homomorphic world in context to cryptography is not clear in introduction. Why is there a need to work on homomorphic cryptography?
4. The description of the algorithm is useful, but much better would be to provide the code as supplementary material, which would facilitate the use of this algorithm to those who are not experts on recommender systems.
5. This paper's citations are not current; it would be beneficial to incorporate some more recent work.
6. Literature work should be improved in the paper, as it is very limited. Summarize the related works in the form of a table. Add one or two tables of comparison along with line diagram of progress in existing work.
What are the limitations of existing algorithms that motivated you to do the current research?

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Partly
Are the conclusions drawn adequately supported by the results?

Yes

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Cryptography, Post quantum cryptography

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

CITE

Report a concern

Respond or Comment

Views

9

Reviewer Report 01 Nov 2023

Gui-Lu Long, Department of Physics, Tsinghua University, Beijing, Beijing, China

Approved

https://doi.org/10.5256/f1000research.145999.r216597

In this work, the authors presents a variant of the MPKC. It simplifies MPKC central map to two multivariate polynomials constructed from polynomial multiplications. The HPPK algorithm employs a single polynomial vector for the plaintext and a multi-variate noise vector associated ... Continue reading

In this work, the authors presents a variant of the MPKC. It simplifies MPKC central map to two multivariate polynomials constructed from polynomial multiplications. The HPPK algorithm employs a single polynomial vector for the plaintext and a multi-variate noise vector associated with the central map. It is Indistinguishability Under Chosen-Plaintext Attack (IND-CPA) secure, and its classical complexity for cracking is exponential in the size of the prime field GF(p). It is an important PQC algorithm and has great potential in the near future applications. I recommend its acceptance in its present form.

Is the work clearly and accurately presented and does it cite the current literature?

Yes
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Yes
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Yes
Are the conclusions drawn adequately supported by the results?

Yes

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Quantum information and quantum algorithm.

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard.

CITE

Report a concern

Respond or Comment

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 17 Oct 2023

Open Peer Review

Reviewer Status

Reviewer Reports

	Invited Reviewers
	1	2
Version 1 17 Oct 23	read	read

Gui-Lu Long, Tsinghua University, Beijing, China
Taniya Hasija, Chitkara University, Rajpura, India

Comments on this article

All Comments(0)

Add a comment

Sign up for content alerts

Browse by related subjects

Back to all reports

Reviewer Report

4 Views

22 Mar 2024 | for Version 1

Taniya Hasija, Chitkara University Institute of Engineering and Technology,, Chitkara University, Rajpura, Punjab, India

4 Views Cite this report Responses(0)

Approved With Reservations

A novel homomorphic polynomial public key encapsulation algorithm
The author has presented a proposed method named as homomorphic polynomial public key encapsulation algorithm that incorporates an additional layer of encryption during key construction procedure, through a hidden ring. The proposed algorithm is applied to Multivariate Public Key Cryptography Schemes (MPKC) to hide the structure of their central map construction. A homomorphic operator is performed to encrypt the public key, called as new variant of MPKC. There is a need for some improvemeAczxnts before acceptance of the manuscript.
1. The abstract should begin by outlining the background information or context of your field, followed by the precise subject of your study, a problem statement, and the course of action for this article. Finally, take into account the significance of your work, particularly how the community will benefit from your article.
There are several errors in the abstract, which is not up to par. Certain lines lack context, while others are incomplete. There is not enough clarity.
2. Title of the article is general; it should be specific.
3. The meaning of homomorphic world in context to cryptography is not clear in introduction. Why is there a need to work on homomorphic cryptography?
4. The description of the algorithm is useful, but much better would be to provide the code as supplementary material, which would facilitate the use of this algorithm to those who are not experts on recommender systems.
5. This paper's citations are not current; it would be beneficial to incorporate some more recent work.
6. Literature work should be improved in the paper, as it is very limited. Summarize the related works in the form of a table. Add one or two tables of comparison along with line diagram of progress in existing work.
What are the limitations of existing algorithms that motivated you to do the current research?

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Partly
Are the conclusions drawn adequately supported by the results?

Yes

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Cryptography, Post quantum cryptography

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

Respond to this report

Responses (0)

Back to all reports

Reviewer Report

9 Views

01 Nov 2023 | for Version 1

Gui-Lu Long, Department of Physics, Tsinghua University, Beijing, Beijing, China

9 Views Cite this report Responses(0)

Approved

In this work, the authors presents a variant of the MPKC. It simplifies MPKC central map to two multivariate polynomials constructed from polynomial multiplications. The HPPK algorithm employs a single polynomial vector for the plaintext and a multi-variate noise vector associated with the central map. It is Indistinguishability Under Chosen-Plaintext Attack (IND-CPA) secure, and its classical complexity for cracking is exponential in the size of the prime field GF(p). It is an important PQC algorithm and has great potential in the near future applications. I recommend its acceptance in its present form.

Is the work clearly and accurately presented and does it cite the current literature?

Yes
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Yes
If applicable, is the statistical analysis and its interpretation appropriate?

Yes
Are all the source data underlying the results available to ensure full reproducibility?

Yes
Are the conclusions drawn adequately supported by the results?

Yes

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Quantum information and quantum algorithm.

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard.

Respond to this report

Responses (0)

[1] 1. Rivest RL, Adleman L, Dertouzos ML: On data banks and privacy homomorphisms. Foundations of Secure Computation, Academia Press; 1978; 169–179.

[2] 2. Rivest RL, Shamir A, Adleman LM: Cryptographic communications system and method. US Patent 4,405,829. December 1977.

[3] 3. Diffie W, Hellman M: New directions in cryptography. IEEE Trans. Inf. Theory. November 1976; 22(6): 644–654. 0018-9448. Publisher Full Text

[4] 4. Koblitz N: Elliptic curve cryptosystems. Math. Comput. 1987; 48(177): 203–209. Publisher Full Text

[5] 5. Miller VS: Use of elliptic curves in cryptography.Williams HC, editor. Advances in Cryptology — CRYPTO’85 Proceedings. Berlin, Heidelberg: Springer Berlin Heidelberg; 1986; pages 417–426.

[6] 6. Rivest RL, Shamir A, Adleman L: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM. 1978; 21(2): 120–126. Publisher Full Text

[7] 7. Elgamal T: A public key cryptosystem and a signature scheme based on discrete logarithms. ADV. IN CRYPTOLOGY. SPRINGER-VERLAG; 1985.

[8] 8. Goldwasser S, Micali S: Probabilistic encryption amp; how to play mental poker keeping secret all partial information. Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, STOC’82. New York, NY, USA: Association for Computing Machinery; 1982; page 365–377. 0897910702.

[9] 9. Fousse L, Lafourcade P, Alnuaimi M: Benaloh’s dense probabilistic encryption revisited.Nitaj A, Pointcheval D, editors, Progress in Cryptology – AFRICACRYPT 2011. Berlin, Heidelberg: Springer Berlin Heidelberg; 2011; pages 348–362. 978-3-642-21969-6.

[10] 10. Paillier P: Public-key cryptosystems based on composite degree residuosity classes.Stern J, editor, Advances in Cryptology — EUROCRYPT’99. Berlin, Heidelberg: Springer Berlin Heidelberg; 1999; 223–238. 978-3-540-48910-8.

[11] 11. van Dijk M , Gentry C, Halevi S, et al.: Fully homomorphic encryption over the integers.Gilbert H, editor. Advances in Cryptology – EUROCRYPT 2010. Berlin, Heidelberg: Springer Berlin Heidelberg; 2010; pages 24–43. 978-3-642-13190-5.

[12] 12. Chan AC-F: Symmetric-key homomorphic encryption for encrypted data processing. 2009 IEEE International Conference on Communications. 2009; pages 1–5.

[13] 13. Kipnis A, Hibshoosh E: Efficient methods for practical fully-homomorphic symmetric-key encryption, randomization, and verification.2012.

[14] 14. Gupta CP, Sharma I: A fully homomorphic encryption scheme with symmetric keys with application to private data processing in clouds. 2013 Fourth International Conference on the Network of the Future (NoF). 2013; pages 1–4.

[15] 15. Li L, Rongxing L, Choo K-KR, et al.: Privacy-preserving-outsourced association rule mining on vertically partitioned databases. IEEE Trans. Inf. Forensics Secur. 2016; 11(8): 1847–1861. Publisher Full Text

[16] 16. Wang B, Zhan Y, Zhang Z: Cryptanalysis of a symmetric fully homomorphic encryption scheme. IEEE Trans. Inf. Forensics Secur. 2018; 13(6): 1460–1467. Publisher Full Text

[17] 17. Quanbo Q, Wang B, Ping Y, et al.: Improved cryptanalysis of a fully homomorphic symmetric encryption scheme. Security and Communication Networks. 2019; 2019: 1–6. Publisher Full Text

[18] 18. Zhang W, Liu S, Yang X: Rlwe-based homomorphic encryption and private information retrieval. 2013 5th International Conference on Intelligent Networking and Collaborative Systems. 2013; pages 535–540.

[19] 19. Zhang X, Xu C, Jin C, et al.: Efficient fully homomorphic encryption from rlwe with an extension to a threshold encryption scheme. Futur. Gener. Comput. Syst. 2014; 36: 180–186. 0167-739X. Special Section: Intelligent Big Data Processing Special Section: Behavior Data Security Issues in Network Information Propagation Special Section: Energy-efficiency in Large Distributed Computing Architectures Special Section: eScience Infrastructure and Applications. Publisher Full Text

[20] 20. Kipnis A, Patarin J, Goubin L: Unbalanced oil and vinegar signature schemes. IN ADVANCES IN CRYPTOLOGY — EUROCRYPT 1999. Springer; 1999; pages 206–222.

[21] 21. Clough C, Baena J, Ding J, et al.: Square, a new multivariate encryption scheme. Topics in Cryptology – CT-RSA 2009, Lecture Notes in Computer Science. Berlin, Heidelberg: Springer Berlin Heidelberg; pages 252–264. 9783642008610.

[22] 22. Porras J, Baena J, Ding J: Zhfe, a new multivariate public key encryption scheme. Post-Quantum Cryptography, Lecture Notes in Computer Science. Cham: Springer International Publishing; pages 229–245. 3319116584.

[23] 23. Szepieniec A, Ding J, Preneel B: Extension field cancellation: A new central trapdoor for multivariate quadratic systems. Post-Quantum Cryptography, Lecture Notes in Computer Science. Cham: Springer International Publishing; 2016; pages 182–196. 3319293591.

[24] 24. Jacques PATARIN, Nicolas COURTOIS, GOUBIN L: Quartz, 128-bit long digital signatures. Lecture notes in computer science. Berlin: Springer; 2001; pages 282–297. 3540418989.

[25] 25. Petzoldt A, Chen M-S, Yang B-Y, et al.: Design principles for hfev- based multivariate signature schemes. Advances in Cryptology – ASIACRYPT 2015, Lecture Notes in Computer Science. Berlin, Heidelberg: Springer Berlin Heidelberg; 2016; pages 311–334. 3662487969.

[26] 26. Zhang W, Tan CH: Mi-t-hfe, a new multivariate signature scheme.Groth J, editor, Cryptography and Coding. Cham: Springer International Publishing; 2015; pages 43–56. 978-3-319-27239-9.

[27] 27. Ding J, Schmidt DS: Rainbow, a new multivariable polynomial signature scheme. ACNS. 2005.

[28] 28. Casanova A, Faugère J-C, Macario-Rat G, et al.: Gemss: A great multivariate short signature.2017.

[29] 29. NIST: Post-quantum cryptography.2021. Reference Source

[30] 30. NIST: Status report on the second round of the nist post-quantum cryptography standardization process.July 2021. Reference Source

[31] 31. Moody D: Status update on the 3rd round.Reference Source

[32] 32. McEliece RJ: A Public-Key Cryptosystem Based On Algebraic Coding Theory. Deep Space Network Progress Report. January 1978; 44: 114–116.

[33] 33. Avanzi R, Bos J, Ducas L, et al.: Crystals-kyber algorithm specifications and supporting documentation. NIST PQC Round. 2017; 2: 4.

[34] 34. Hoffstein J, Pipher J, Silverman JH: Ntru: A ring-based public key cryptosystem.Buhler JP, editor. Algorithmic Number Theory. Berlin, Heidelberg: Springer Berlin Heidelberg; 1998; pages 267–288. 978-3-540-69113-6.

[35] 35. Bernstein DJ, Chuengsatiansup C, Lange T, et al.: NTRU prime: Reducing attack surface at low cost.Adams C, Camenisch J, editors. Selected Areas in Cryptography – SAC 2017. Cham: Springer International Publishing; 2018; pages 235–260. 978-3-319-72565-9.

[36] 36. Vercauteren IF: Saber: Mod-lwr based kem (round 3 submission).

[37] 37. Goubin L, Patarin J, Yang B-Y: Multivariate Cryptography. US, Boston, MA: Springer; 2011; 824–828. 978-1-4419-5906-5. Publisher Full Text

[38] 38. Ding J, Petzoldt A, Schmidt DS: Multivariate Public Key Cryptosystems. 2nd ed.New York, NY: Springer; 2020.

[39] 39. Ding J, Yang B-Y: Multivariate Public Key Cryptography. Berlin, Heidelberg: Springer Berlin Heidelberg; 2009; 193–241.

[40] 40. Matsumoto T, Imai H: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption.Barstow D, Brauer W, Hansen PB, et al., editors. Advances in Cryptology — EUROCRYPT’88. Berlin, Heidelberg: Springer Berlin Heidelberg; 1988; pages 419–453. 978-3-540-45961-3.

[41] 41. Wolf C, Preneel B: Large superfluous keys in multivariate quadratic asymmetric systems. Proceedings of the 8th International Conference on Theory and Practice in Public Key Cryptography, PKC’05. Berlin, Heidelberg: Springer-Verlag; 2005; page 275–287. 3540244549.

[42] 42. Patarin J, Goubin L: Trapdoor one-way permutations and multivariate polynomials. Proc. of ICICS’97, LNCS 1334. Springer; 1997; pages 356–368.

[43] 43. Patarin J: Hidden fields equations (hfe) and isomorphisms of polynomials (ip): Two new families of asymmetric algorithms.Maurer U, editor. Advances in Cryptology — EUROCRYPT’96. Berlin, Heidelberg: Springer Berlin Heidelberg; 1996; pages 33–48. 978-3-540-68339-1.

[44] 44. Wang LC, Yang BY, Hu YH, et al.: A medium field multivariate public-key encryption scheme. In CT-RSA 2006, volume 3860 of LNCS. 132–149.

[45] 45. Wang X, Wang X: An improved medium field multivariate public key cryptosystem. 2008 Third International Conference on Convergence and Hybrid Information Technology. 2008; volume 2: pages 1120–1124.

[46] 46. Faugére J-C: A new efficient algorithm for computing gröbner bases (f4). Journal of Pure and Applied Algebra. 1999; 139(1): 61–88. 0022-4049. Publisher Full Text

[47] 47. Faugère JC: A new efficient algorithm for computing gröbner bases (f4). ISSAC’02: PROCEEDINGS OF THE 2002 INTERNATIONAL SYMPOSIUM ON SYMBOLIC AND ALGEBRAIC COMPUTATION. 2002; pages 75–83.

[48] 48. Ding J, Gower JE, Schmidt DS: Zhuang-zi: A new algorithm for solving multivariate polynomial equations over a finite field. IACR Cryptol. ePrint Arch. 2006; 38: 2006.

[49] 49. Courtois N, Klimov A, Patarin J, et al.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. Advances in Cryptology - EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000, Proceeding, volume 1807 of Lecture Notes in Computer Science. Springer; 2000; pages 392–407.

[50] 50. Goubin L, Courtois NT: Cryptanalysis of the ttm cryptosystem.Okamoto T, editor. Advances in Cryptology — ASIACRYPT 2000. Berlin, Heidelberg: Springer Berlin Heidelberg; 2000; pages 44–57. 978-3-540-44448-0.

[51] 51. Kipnis A, Patarin J, Goubin L: Unbalanced oil and vinegar signature schemes.Stern J, editor. Advances in Cryptology — EUROCRYPT’99. Berlin, Heidelberg: Springer Berlin Heidelberg; 1999; pages 206–222.978-3-540-48910-8.

[52] 52. Kuang R: A deterministic polynomial public key algorithm over a prime galois field gf(p). 2021 2nd Asia Conference on Computers and Communications (ACCC). 2021; pages 79–88.

[53] 53. Kuang R, Barbeau M: Indistinguishability and non-deterministic encryption of the quantum safe multivariate polynomial public key cryptographic system. 2021 IEEE Canadian Conference on Electrical and Computer Engineering (CCECE). 2021; pages 1–5.

[54] 54. Kuang R, Barbeau M: Performance analysis of the quantum safe multivariate polynomial public key algorithm. 2021 IEEE International Conference on Quantum Computing and Engineering (QCE). IEEE; 2021; pages 351–358.

[55] 55. Kuang R, Barbeau M: Performance analysis of the quantum safe multivariate polynomial public key algorithm. 2021 IEEE International Conference on Quantum Computing and Engineering (QCE). 2021; pages 351–358.

[56] 56. Kuang R, Perepechaenko M, Barbeau M: A new post-quantum multivariate polynomial public key encapsulation algorithm. Quantum Inf. Process. 2022; 21. Publisher Full Text

[57] 57. Kuang R, Perepechaenko M, Barbeau M: A new quantum-safe multivariate polynomial public key digital signature algorithm. Sci. Rep. 2022; 12: 13168. PubMed Abstract | Publisher Full Text | Free Full Text

[58] 58. Ding J, Petzoldt A, Schmidt DS: Multivariate Cryptography. New York, NY: Springer US; 2020; 7–23. 978-1-0716-0987-3.

[59] 59. Ding J, Petzoldt A, Schmidt DS: The SimpleMatrix Encryption Scheme. New York, NY: Springer US; 2020; 169–183. 978-1-0716-0987-3.

[60] 60. Ding J, Petzoldt A, Schmidt DS: Hidden Field Equations. New York, NY: Springer US; 2020; pages 61–88. 978-1-0716-0987-3.

[61] 61. National Institute for Standards and Technology: Post-Quantum Cryptography; Call for Proposals.2017. Reference Source

[62] 62. Moore C, Mertens S: The Nature of Computation. OUP Oxford; 2011. 9780199233212. Reference Source

[63] 63. Evdokimov S: Factorization of polynomials over finite fields in subexponential time under grh. International Algorithmic Number Theory Symposium. Springer; 1994; pages 209–219.

[64] 64. Stiller PF: An introduction to the theory of resultants.2004.

[65] 65. Matiyasevich Y: Hilbert’s tenth problem. Cambridge, MA: Foundations of Computing Series. MIT Press; 1993. Translated from the 1993 Russian original by the author, with a foreword by Martin Davis.