MQQ-ENC is defined over the fields $\mathbb{F}_{2^k}$ for any $k \geq 1$, and can easily be extended to any $\mathbb{F}_{p^k}$, for prime $p$. One important difference from MQQ-SIG is that in MQQ-ENC we use left MQQs (LMQQs) instead of bilinear MQQs. Our choice can be justified by our extensive experimental analysis that showed the superiority of the LMQQs over the bilinear MQQs for the design of MQQ-ENC.
We apply the standard cryptanalytic techniques on MQQ-ENC, and from the results, we pose a plausible conjecture that the instances of the MQQ-ENC trapdoor are hard instances with respect to the MQ problem. Under this assumption, we adapt the Kobara-Imai conversion of the McEliece scheme for MQQ-ENC and prove that it provides $\mathsf{IND-CCA}$ security despite the negligible probability of decryption errors.
We also recommend concrete parameters for MQQ-ENC for encryption of blocks of 128 bits for a security level of $\mathcal{O}(2^{128})$.
Category / Keywords: public-key cryptography / Multivariate Quadratic Public Key Cryptosystems, Multivariate Quadratic Quasigroup MQQ, Left Multivariate Quadratic Quasigroup LMQQ, Probabilistic encryption with decryption errors, One way encryption, $\mathsf{IND-CCA}$ security Publication Info: Accepted for oral presentation at SCC 2012 Date: received 9 Jun 2012 Contact author: simonas at item ntnu no Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation Version: 20120612:040419 (All versions of this report) Short URL: ia.cr/2012/328