Two Polynomial-Time Attacks on CUOV Signature Scheme
Date and time
15:00 ~ 17:00
Venue
Speaker
Abstract
Multivariate public key cryptography is one of the main candidates for post-quantum cryptography, and using multivariate polynomials to construct digital signature schemes is one of the most active topics in the field. At Inscrypt 2015, Nie et al. proposed a multivariate signature scheme called CUOV, whose public key consists of both quadratic and cubic multivariate polynomials. In 2016, Hashimoto proposed a method to forge signatures for CUOV by manipulating the first two cubic public key polynomials to recover part of the secret key. In general, this method forges signatures efficiently with probability (q-1)/q over fields of odd characteristic, where q is the cardinality of the finite field. However, one point remains unclear for fields of even characteristic, which are exactly the fields used in the proposed parameters for CUOV. In this talk, I will show two polynomial-time attacks on CUOV that recover the secret key completely under any parameter set, and that break CUOV in several seconds on a standard PC under the parameters claimed to provide an 80-bit security level.