
Designs, Codes and Cryptography, Volume 69, Issue 1, pp 1–52

Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic

  • Luk Bettale
  • Jean-Charles Faugère
  • Ludovic Perret

Abstract

We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system, instead of a univariate polynomial as in HFE, over an extension field as the private key. According to the authors, this should make the classical direct algebraic (message-recovery) attack proposed by Faugère and Joux on HFE no longer efficient against Multi-HFE. We consider here the hardness of key recovery in Multi-HFE and its variants, but also in HFE (for both odd and even characteristic). We first improve and generalize the basic key-recovery attack proposed by Kipnis and Shamir on HFE. To do so, we express this attack as matrix/vector operations. On the one hand, this permits improving the basic Kipnis-Shamir (KS) attack on HFE. On the other hand, it allows the attack to be generalized to Multi-HFE. Due to its structure, we prove that a Multi-HFE scheme has many more equivalent keys than a basic HFE. This induces a structural weakness which can be exploited to adapt the KS attack against classical modifiers of multivariate schemes such as minus and embedding. Along the way, we discovered that the KS attack as initially described cannot be applied against HFE in characteristic 2. We have therefore strongly revised KS in characteristic 2 to make it work. In all cases, the cost of our attacks is related to the complexity of solving MinRank. Thanks to recent complexity results on this problem, we prove that our attack is polynomial in the degree of the extension field for all possible practical settings used in HFE and Multi-HFE. This makes Multi-HFE less secure than basic HFE for equally-sized keys. As a proof of concept, we have been able to practically break the most conservative proposed parameters of Multi-HFE in a few days (256-bit security broken in 9 days).
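The abstract ties the cost of its key-recovery attacks to the MinRank problem; as an added illustration (not code from the paper), the following builds a planted toy MinRank instance over F_3 and solves it by exhaustive search. The field size Q, the planting construction and every matrix are constructed here; the q^k cost of the brute force is exactly what a dedicated Gröbner-basis MinRank solver avoids, which is what lets the paper's attack be polynomial in the extension degree.

```python
import itertools
import random

Q = 3  # prime field F_3; a constructed toy setting, not a parameter from the paper

def rank_mod_q(mat, q=Q):
    """Rank of a matrix over F_q by Gaussian elimination (row reduction)."""
    m = [row[:] for row in mat]
    rows, cols, rank = len(m), len(m[0]), 0
    for c in range(cols):
        pivot = next((r for r in range(rank, rows) if m[r][c] % q), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][c], q - 2, q)  # inverse in F_q (q prime, Fermat)
        m[rank] = [(x * inv) % q for x in m[rank]]
        for r in range(rows):
            if r != rank and m[r][c] % q:
                f = m[r][c]
                m[r] = [(a - f * b) % q for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank

def combine(mats, coeffs, q=Q):
    """Linear combination sum(c_k * M_k) of n x n matrices over F_q."""
    n = len(mats[0])
    return [[sum(c * M[i][j] for c, M in zip(coeffs, mats)) % q
             for j in range(n)] for i in range(n)]

def min_rank_bruteforce(mats, r, q=Q):
    """Exhaustive MinRank: first nonzero coefficient vector in F_q^k whose
    combination has rank <= r, or None. Costs q^k rank computations."""
    for coeffs in itertools.product(range(q), repeat=len(mats)):
        if any(coeffs) and rank_mod_q(combine(mats, coeffs, q), q) <= r:
            return coeffs
    return None

def make_instance(n, k, r, q=Q, seed=1):
    """Plant a MinRank instance: k random n x n matrices over F_q whose sum
    (all coefficients 1) equals a rank-<= r matrix U*V. Returns (mats, planted)."""
    rng = random.Random(seed)
    U = [[rng.randrange(q) for _ in range(r)] for _ in range(n)]
    V = [[rng.randrange(q) for _ in range(n)] for _ in range(r)]
    low = [[sum(U[i][t] * V[t][j] for t in range(r)) % q for j in range(n)] for i in range(n)]
    mats = [[[rng.randrange(q) for _ in range(n)] for _ in range(n)] for _ in range(k - 1)]
    mats.append([[(low[i][j] - sum(M[i][j] for M in mats)) % q for j in range(n)] for i in range(n)])
    return mats, tuple([1] * k)
```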

Keywords

Hidden field equations, MinRank, Gröbner bases

Mathematics Subject Classification (2000)

13P10, 15A33, 15A63, 94A60



Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  • Luk Bettale (1)
  • Jean-Charles Faugère (1)
  • Ludovic Perret (1)
  1. INRIA, Paris-Rocquencourt Center, PolSys Project; UPMC Univ Paris 06, UMR 7606, LIP6; CNRS, UMR 7606, LIP6; UFR Ingénierie 919, LIP6, Paris, France
