International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 1998: Advances in Cryptology — EUROCRYPT'98 pp 184-200

Improved algorithms for isomorphisms of polynomials

  • Jacques Patarin
  • Louis Goubin
  • Nicolas Courtois
Conference paper

DOI: 10.1007/BFb0054126

Volume 1403 of the book series Lecture Notes in Computer Science (LNCS)

Abstract

This paper is about the design of improved algorithms to solve Isomorphisms of Polynomials (IP) problems. These problems were first explicitly related to the problem of finding the secret key of some asymmetric cryptographic algorithms (such as Matsumoto and Imai's C* scheme of [12], or some variations of Patarin's HFE scheme of [14]). Moreover, in [14], it was shown that IP can be used in order to design an asymmetric authentication or signature scheme in a straightforward way. We also introduce the more general Morphisms of Polynomials problem (MP). As we see in this paper, these problems IP and MP have deep links with famous problems such as the Isomorphism of Graphs problem or the problem of fast multiplication of n x n matrices. The complexities of our algorithms for IP are still not polynomial, but they are much more efficient than the previously known algorithms. For example, for the IP problem of finding the two secret matrices of a Matsumoto-Imai C* scheme over K = Fq, the complexity of our algorithms is \(\mathcal{O}(q^{n/2} )\) instead of \(\mathcal{O}(q^{(n^2 )} )\) for previous algorithms. (In [13], the C* scheme was broken, but the secret key was not found). Moreover, we have algorithms to achieve a complexity \(\mathcal{O}(q^{\tfrac{3}{2}n} )\) on any system of n quadratic equations with n variables over K = Fq (not only equations from C*). We also show that the problem of deciding whether a polynomial isomorphism exists between two sets of equations is not NP-complete (assuming the classical hypothesis about Arthur-Merlin games), but solving IP is at least as difficult as the Graph Isomorphism problem (GI) (and perhaps much more difficult), so that IP is unlikely to be solvable in polynomial time. Moreover, the more general Morphisms of Polynomials problem (MP) is NP-hard. Finally, we suggest some variations of the IP problem that may be particularly convenient for cryptographic use.

Download to read the full conference paper text

Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • Jacques Patarin
    • 1
  • Louis Goubin
    • 1
  • Nicolas Courtois
    • 2
  1. 1.Bull Smart Cards and TerminalsLouveciennes CedexFrance
  2. 2.Modélisation et SignalUniversité de Toulon et du VarLa Garde CedexFrance