A multivariate public key cryptosystem (MPKCs for short) have a set of (usually) quadratic polynomials over a nite eld as its public map. Its main security assumption is backed by the NP-hardness of the problem to solve nonlinear equations over a nite eld. This family is considered as one of the major families of PKCs that could resist potentially even the powerful quantum computers of the future. There has been fast and intensive development in Multivariate Public Key Cryptography in the last

more »

... wo decades. Some constructions are not as secure as was claimed initially, but others are still viable. The paper gives an overview of multivariate public key cryptography and discusses the current status of the research in this area. Keywords: Gröbner basis, multivariate public key cryptosystem, linear algebra, dierential attack Cipher block or Message digest Size: m elements of F q Plaintext block or Signature Size: n elements of F q Public Key Size: mn(n + 3)/2 F q -elements, often stored in log-form Secret Key Size: Usually n 2 + m 2 + [# parameters in Q] F q -elements, often stored in log-form Secret Map Time Complexity: (n 2 + m 2 ) F q -multiplications, plus whatever time it is needed to invert Q Public Map Time Complexity: About mn 2 /2 F q -multiplications Key Generation Time Complexity: n 2 times the invocation cost of P; between O(n 4 ) and O(n 5 ) We immediately see the major disadvantage with MPKCs: Their keys are very large compared to traditional systems like RSA or ECC. For example, the public key size of RSA-2048 is not much more than 2048 bits, but a current version of the Rainbow signature scheme has n = 42, m = 24, q = 256, i.e.,