PQCrypto 2013: Post-Quantum Cryptography pp 52-66

Degree of Regularity for HFEv and HFEv-

• Jintai Ding
• Bo-Yin Yang
Conference paper

DOI: 10.1007/978-3-642-38616-9_4

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7932)
Cite this paper as:
Ding J., Yang BY. (2013) Degree of Regularity for HFEv and HFEv-. In: Gaborit P. (eds) Post-Quantum Cryptography. PQCrypto 2013. Lecture Notes in Computer Science, vol 7932. Springer, Berlin, Heidelberg

Abstract

In this paper, we first prove an explicit formula which bounds the degree of regularity of the family of HFEv (“HFE with vinegar”) and HFEv- (“HFE with vinegar and minus”) multivariate public key cryptosystems over a finite field of size q. The degree of regularity of the polynomial system derived from an HFEv- system is less than or equal to

$${{(q-1)(r+v+a-1)} \over{2}}+2 ~\text{if q is even and r+a is odd,}$$
$${{(q-1)(r+v+a)} \over{2}} +2 ~\text{otherwise,}$$

where v, D, q, and a are parameters of the cryptosystem denoting respectively the number of vinegar variables, the degree of the HFE polynomial, the base field size, and the number of removed equations, and r is the “rank” parameter, which in the general case is determined by D and q as $r=\lfloor \log_q(D-1)\rfloor +1$. In particular, setting a = 0 gives us the case of HFEv, where the degree of regularity is bounded by

$${{(q - 1)(r + v - 1)} \over{2}} +2 ~\text{if q is even and r is odd,}$$
$${{(q-1)(r+v)} \over{2}} +2 ~\text{otherwise.}$$

This formula provides the first solid theoretical estimate of the complexity of algebraic cryptanalysis of the HFEv- signature scheme, and as a corollary bounds on the complexity of a direct attack against the QUARTZ digital signature scheme. Based on some experimental evidence, we evaluate the complexity of solving QUARTZ directly using F4/F5 or similar Gröbner methods to be around $2^{92}$.

Keywords

Degree of regularity, HFE, HFEv, HFEv-