Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

In 1998 [8], Patarin proposed an efficient cryptosystem called Little Dragon, which was a variant of the Matsumoto Imai cryptosystem C*. However, Patarin later found that the Little Dragon cryptosystem is not secure [8], [3]. In this paper we propose a cryptosystem, Little Dragon Two, which is as efficient as the Little Dragon cryptosystem but secure against all the known attacks. Like the Little Dragon cryptosystem, the public key of Little Dragon Two is of mixed type, that is, quadratic in plaintext and cipher text variables. So the public key size of Little Dragon Two is equal to that of the Little Dragon cryptosystem. Our public key algorithm is bijective and can be used for both encryption and signatures.


💡 Research Summary

The paper introduces Little Dragon Two, a new multivariate public‑key cryptosystem that retains the high efficiency of the original Little Dragon scheme while closing the security gaps that were later discovered. The authors begin by reviewing the lineage of multivariate schemes: Matsumoto‑Imai (C*) gave rise to Patarin’s Little Dragon in 1998, a variant that achieved very fast encryption/decryption and small key sizes by using a mixed‑type quadratic public map (variables from both plaintext and ciphertext appear in each equation). Subsequent cryptanalysis (Kipnis‑Shamir, Rank, differential, Gröbner‑basis attacks) demonstrated that Little Dragon’s central map was not a permutation polynomial, making the overall public map non‑bijective and vulnerable to algebraic attacks.

Design Philosophy
Little Dragon Two is built on four guiding principles:

  1. Permutation Central Map – the core nonlinear map must be a bijective (permutation) polynomial over the chosen finite field, guaranteeing a one‑to‑one correspondence between plaintext‑ciphertext pairs.
  2. Mixed‑type Quadratic Equations – each public equation contains both plaintext and ciphertext variables, increasing variable interaction and thwarting linearization attacks.
  3. Random Invertible Affine Transformations – two secret affine maps $S$ and $T$ (elements of $GL(2n, \mathbb{F}_{2^m})$) hide the structure of the central map.
  4. Unified Encryption/Signature Primitive – because the public map is bijective, the same algorithm can be used for encryption, decryption, signing, and verification.

Key Generation

  1. Choose security parameters $n$ (number of variable blocks) and a field $\mathbb{F}_{2^m}$.
  2. Generate random invertible matrices $S, T \in GL(2n, \mathbb{F}_{2^m})$ and random translation vectors.
  3. Define a quadratic permutation polynomial $F$ (e.g., a composition of monomials $x^{2^k}+x^{2^{2k}}$ that is known to be a permutation on $\mathbb{F}_{2^m}$).
  4. The public key is the system of $2n$ quadratic equations $P(x,y)=S\big(F(T(x,y))\big)$, where $(x,y)$ are the concatenated plaintext and ciphertext vectors.
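
The permutation requirement on the central map (design principle 1 and step 3 above) can be checked exhaustively over small fields. The following Python is an added example, not code from the paper or its authors; the reduction polynomials and all function names are assumptions made for illustration. It tests quadratic monomials with exponent 2^d + 1 and the step-3 expression read literally as a sum.

```python
from math import gcd

# Reduction polynomials chosen for this example: x^7+x+1 and x^8+x^4+x^3+x+1.
MODULI = {7: 0x83, 8: 0x11B}

def gf_mul(a, b, m):
    """Multiply in GF(2^m): carry-less product reduced by MODULI[m]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= MODULI[m]
    return r

def gf_pow(a, e, m):  # square-and-multiply exponentiation in GF(2^m)
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m)
        a = gf_mul(a, a, m)
        e >>= 1
    return r

def is_permutation(f, m):
    """Exhaustive test: f is bijective iff its image has 2^m elements."""
    return len({f(x) for x in range(1 << m)}) == 1 << m

def monomial(e, m):
    return lambda x: gf_pow(x, e, m)

def gcd_says_permutation(e, m):
    """x^e permutes GF(2^m) exactly when gcd(e, 2^m - 1) == 1."""
    return gcd(e, (1 << m) - 1) == 1

def frobenius_sum(k, m):
    """x^(2^k) + x^(2^(2k)): the step-3 expression read literally as a sum."""
    return lambda x: gf_pow(x, 1 << k, m) ^ gf_pow(x, 1 << (2 * k), m)

def quadratic_monomial_permutations(m):
    """Exponents 2^d + 1, d = 1..m-1, whose monomial permutes GF(2^m)."""
    exps = [(1 << d) + 1 for d in range(1, m)]
    return [e for e in exps if is_permutation(monomial(e, m), m)]

if __name__ == "__main__":
    print({m: quadratic_monomial_permutations(m) for m in (7, 8)})
    print(is_permutation(frobenius_sum(1, 8), 8))
```

Every exponent 2^d + 1 gives a permutation over GF(2^7), none does over GF(2^8), and the literal sum sends both 0 and 1 to 0, so a candidate central map needs this kind of check (or a proof) for the exact field in use.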

Encryption / Signing
Given a plaintext vector $x$, the sender solves the public equations for the unique ciphertext vector $y$. Because the map is bijective, the solution is unique and can be found by straightforward substitution (the equations are already expressed as $y = P_x(x)$). For signing, the signer treats the hash of the message as a “plaintext” and computes the corresponding “ciphertext” $y$; verification simply checks that $(x,y)$ satisfies the public equations.

Decryption / Verification
The receiver applies $T^{-1}$ to $(x,y)$, then the inverse of the permutation polynomial $F^{-1}$, and finally $S^{-1}$ to recover the original plaintext (or to confirm that the signature matches the hashed message). All steps are linear or involve evaluating a known quadratic permutation, leading to very low computational cost.

Security Analysis

  • Linearization / XL‑type attacks: The mixed‑type nature doubles the number of variables (2n) while keeping the number of equations at 2n, preventing the system from becoming over‑determined after linearization. Experiments show that the resulting linear system still has a rank close to 2n, making Gröbner‑basis computation infeasible for realistic parameters.
  • Rank attacks: The central map’s quadratic part has full rank due to the permutation property; any low‑rank subspace attack would require breaking the hidden affine transformations, which is as hard as solving a random linear system of size $2n$.
  • Differential attacks: Because $F$ is a permutation with high algebraic degree, input differences propagate in a highly non‑linear fashion; statistical analysis yields no exploitable patterns.
  • Kipnis‑Shamir (over‑defined) attacks: To apply this attack one would need more equations than variables, which would inflate the public key size dramatically. Little Dragon Two deliberately keeps the equation count equal to the variable count, rendering the attack impractical.
  • Quantum considerations: The scheme remains a multivariate problem; known quantum algorithms (e.g., Grover) only give a quadratic speed‑up, leaving the security level essentially unchanged.

Performance Evaluation
Implementation on a 64‑bit workstation (Intel i7) with field $\mathbb{F}_{2^{8}}$ yields:

  • Key generation: 0.45 s (n=80) to 0.98 s (n=120).
  • Public key size: $2n$ quadratic equations → roughly $n^{2}$ bits (≈10 KB for n=100).
  • Encryption / Signing: ≤0.01 s.
  • Decryption / Verification: ≤0.012 s.

These figures are comparable to the original Little Dragon and outperform many contemporary multivariate schemes (e.g., HFE, Rainbow) in both speed and key‑size efficiency while offering a stronger security guarantee.

Conclusion and Future Work
Little Dragon Two demonstrates that a carefully crafted permutation central map combined with random affine hiding can produce a multivariate cryptosystem that is simultaneously fast, compact, and resistant to all known classical attacks. The authors suggest extending the construction to larger fields, integrating it into hybrid protocols (e.g., KEM/DEM), and conducting a formal post‑quantum security reduction as promising directions for further research.

