Patarin J., Goubin L., Courtois N. (1998) Improved algorithms for isomorphisms of polynomials. In: Nyberg K. (eds) Advances in Cryptology — EUROCRYPT'98. EUROCRYPT 1998. Lecture Notes in Computer Science, vol 1403. Springer, Berlin, Heidelberg

Abstract

This paper is about the design of improved algorithms to solve Isomorphisms of Polynomials (IP) problems. These problems were first explicitly related to the problem of finding the secret key of some asymmetric cryptographic algorithms (such as Matsumoto and Imai's C* scheme of [12], or some variations of Patarin's HFE scheme of [14]). Moreover, in [14], it was shown that IP can be used in order to design an asymmetric authentication or signature scheme in a straightforward way. We also introduce the more general Morphisms of Polynomials problem (MP). As we see in this paper, these problems IP and MP have deep links with famous problems such as the Isomorphism of Graphs problem or the problem of fast multiplication of n x n matrices. The complexities of our algorithms for IP are still not polynomial, but they are much more efficient than the previously known algorithms. For example, for the IP problem of finding the two secret matrices of a Matsumoto-Imai C* scheme over K = Fq, the complexity of our algorithms is \(\mathcal{O}(q^{n/2} )\) instead of \(\mathcal{O}(q^{(n^2 )} )\) for previous algorithms. (In [13], the C* scheme was broken, but the secret key was not found). Moreover, we have algorithms to achieve a complexity \(\mathcal{O}(q^{\tfrac{3}{2}n} )\) on any system of n quadratic equations with n variables over K = Fq (not only equations from C*). We also show that the problem of deciding whether a polynomial isomorphism exists between two sets of equations is not NP-complete (assuming the classical hypothesis about Arthur-Merlin games), but solving IP is at least as difficult as the Graph Isomorphism problem (GI) (and perhaps much more difficult), so that IP is unlikely to be solvable in polynomial time. Moreover, the more general Morphisms of Polynomials problem (MP) is NP-hard. Finally, we suggest some variations of the IP problem that may be particularly convenient for cryptographic use.