Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

  • Aviad Kipnis
  • Adi Shamir
Conference paper

DOI: 10.1007/3-540-48405-1_2

Part of the Lecture Notes in Computer Science book series (LNCS, volume 1666)
Cite this paper as:
Kipnis A., Shamir A. (1999) Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. In: Wiener M. (eds) Advances in Cryptology — CRYPTO’ 99. CRYPTO 1999. Lecture Notes in Computer Science, vol 1666. Springer, Berlin, Heidelberg


The RSA public key cryptosystem is based on a single modular equation in one variable. A natural generalization of this approach is to consider systems of several modular equations in several variables. In this paper we consider Patarin’s Hidden Field Equations (HFE) scheme, which is believed to be one of the strongest schemes of this type. We represent the published system of multivariate polynomials by a single univariate polynomial of a special form over an extension field, and use it to reduce the cryptanalytic problem to a system of εm² quadratic equations in m variables over the extension field. Finally, we develop a new relinearization method for solving such systems for any constant ε > 0 in expected polynomial time. The new type of attack is quite general, and in a companion paper we use it to attack other multivariate algebraic schemes, such as the Dragon encryption and signature schemes. However, we would like to emphasize that the polynomial time complexities may be infeasibly large for some choices of the parameters, and thus some variants of these schemes may remain practically unbroken in spite of the new attack.

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Aviad Kipnis (NDS Technologies, Jerusalem, Israel)
  • Adi Shamir (Computer Science Dept., The Weizmann Institute, Rehovot, Israel)
