Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

  • Aviad Kipnis
  • Adi Shamir
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1666)

Abstract

The RSA public key cryptosystem is based on a single modular equation in one variable. A natural generalization of this approach is to consider systems of several modular equations in several variables. In this paper we consider Patarin’s Hidden Field Equations (HFE) scheme, which is believed to be one of the strongest schemes of this type. We represent the published system of multivariate polynomials by a single univariate polynomial of a special form over an extension field, and use it to reduce the cryptanalytic problem to a system of ∈m2 quadratic equations in m variables over the extension field. Finally, we develop a new relinearization method for solving such systems for any constant > 0 in expected polynomial time. The new type of attack is quite general, and in a companion paper we use it to attack other multivariate algebraic schemes, such as the Dragon encryption and signature schemes. However, we would like to emphasize that the polynomial time complexities may be infeasibly large for some choices of the parameters, and thus some variants of these schemes may remain practically unbroken in spite of the new attack.

References

  1. CSV97.
    D. Coppersmith, J. Stern and S. Vaudenay, The Security of the Birational Permutation Signature Scheme, Journal of Cryptology, 1997, pp. 207–221.Google Scholar
  2. FD85.
    H. Fell and W. Diffe, Analysis of a Public Key Approach Based on Polynomial Substitution, Crypto 85, Springer Verlag, pp. 340–349.Google Scholar
  3. KS98.
    A. Kipnis and A. Shamir, Cryptanalysis of the Oil and Vinegar Signature Scheme, Crypto 98, Springer Verlag, pp. 257–266.Google Scholar
  4. K98.
    N. Koblitz Algebraic Aspects of Cryptography, Springer Verlag, 1998.Google Scholar
  5. MI88.
    T. Matsumoto and H. Imai, Public Quadratic Polynomial Tuples for Efficient Signature Verification and Message Encryption, Eurocrypt 88, Springer Verlag, pp. 419–453.Google Scholar
  6. OSS84.
    H. Ong, C. P. Schnorr, and A. Shamir A Fast Signature Scheme Based on Quadratic Equations, Proc. 16-th ACM Symp. Theory of Computation, 1984, pp. 208–216.Google Scholar
  7. P95.
    J. Patarin, Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 88, Crypto 95, Springer Verlag, pp.248–261.Google Scholar
  8. P96a.
    J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms, Eurocrypt 96, Springer Verlag, pp.33–48.Google Scholar
  9. P96b.
    J. Patarin, Asymmetric Cryptography with a Hidden Monomial, Crypto 96, Springer Verlag, pp. 45–60.Google Scholar
  10. P97.
    J. Patarin, The Oil and Vinegar Algorithm for Signatures, presented at the Dagstuhl Workshop on Cryptography, September 97.Google Scholar
  11. PS87.
    J. M. Pollard and C. P. Schnorr, An Efficient Solution of the Congruence x2 + ky2 = m(mod n), IEEE Trans. Information Theory, vol. IT-33, no. 5, 1987, pp. 702–709.CrossRefMathSciNetGoogle Scholar
  12. S93.
    A. Shamir Efficient Signature Schemes Based on Birational Permutations, Crypto 93, Springer Verlag, pp.1–12.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Aviad Kipnis
    • 1
  • Adi Shamir
    • 2
  1. 1.NDS TechnologiesJerusalemIsrael
  2. 2.Computer Science Dept.The Weizmann InstituteRehovotIsrael

Personalised recommendations