C−+* and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai

  • Jacques Patarin
  • Louis Goubin
  • Nicolas Courtois
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1514)


In [4], H. Imai and T. Matsumoto presented new candidate trapdoor one-way permutations with a public key given as multivariate polynomials over a finite field. One of them, based on the idea of hiding a monomial field equation, was later presented in [7] under the name C *. It was broken by J. Patarin in [8]. J. Patarin and L. Goubin then suggested ([9], [10], [11], [12]) some schemes to repair C *, but with slightly more complex public key or secret key computations. In part I, we study some very simple variations of C * — such as C −+ * — where the attack of [8] is avoided, and where the very simple secret key computations are kept. We then design some new cryptanalysis that are efficient against some of — but not all — these variations.

[C] is another scheme of [4], very different from C * (despite the name), and based on the idea of hiding a monomial matrix equation. In part II, we show how to attack it (no cryptanalysis had been published so far). We then study more general schemes, still using the idea of hiding matrix equations, such as HM.

An extended version of this paper can be obtained from the authors.


  1. 1.
    D. Coppersmith, S. Winograd, Matrix Multiplication via Arithmetic Progressions, J. Symbolic Computation, 1990, vol. 9, pp. 251–280.zbMATHMathSciNetGoogle Scholar
  2. 2.
    J.C. Faugere, Rough evaluation (personal communication).Google Scholar
  3. 3.
    F.R. Gantmacher, The Theory of Matrices, volume 1, Chelsae Publishing Company, New-York.Google Scholar
  4. 4.
    H. Imai, T. Matsumoto, Algebraic Methods for Constructing Asymmetric Cryptosystems, Algebraic Algorithms and Error Correcting Codes (AAECC-3), Grenoble, 1985, Lectures Notes in Computer Science nℴ 229, pp.108–119.Google Scholar
  5. 5.
    N. Koblitz, Algebraic Aspects of Cryptography, Algorithms and Computation in Mathematics, Volume 3, Springer, 1998.Google Scholar
  6. 6.
    R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its applications, Volume 20, Cambridge University Press.Google Scholar
  7. 7.
    T. Matsumoto, H. Imai, Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption, Advances in Cryptology, Proceedings of EUROCRYPT’88, Springer-Verlag, pp. 419–453.Google Scholar
  8. 8.
    J. Patarin, Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt’88, Advances in Cryptology, Proceedings of CRYPTO’95, Springer, pp. 248–261.Google Scholar
  9. 9.
    J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms, Advances in Cryptology, Proceedings of EUROCRYPT’96, Springer, pp. 33–48.Google Scholar
  10. 10.
    J. Patarin, Asymmetric Cryptography with a Hidden Monomial, Advances in Cryptology, Proceedings of CRYPTO’96, Springer, pp. 45–60.Google Scholar
  11. 11.
    J. Patarin, L. Goubin, Trapdoor One-way Permutations and Multivariate Polynomials, Proceedings of ICICS’97, Springer, LNCS nℴ 1334, pp. 356–368.Google Scholar
  12. 12.
    J. Patarin, L. Goubin, Asymmetric Cryptography with S-Boxes, Proceedings of ICICS’97, Springer, LNCS nℴ1334, pp. 369–380.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Jacques Patarin
    • 1
  • Louis Goubin
    • 1
  • Nicolas Courtois
    • 2
  1. 1.Bull Smart Cards TerminalsLouveciennes CedexFrance
  2. 2.Modélisation et SignalUniversité de Toulon et du VarLa Garde CedexFrance

Personalised recommendations