Key Recovery Attack for All Parameters of HFE-

  • Jeremy Vates
  • Daniel Smith-Tone
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10346)


Recently, by an interesting confluence, multivariate schemes with the minus modifier have received attention as candidates for multivariate encryption. Among these candidates is the twenty-year-old HFE\(^-\) scheme, originally envisioned as a possible candidate for both encryption and digital signatures, depending on the number of public equations removed.

HFE has received a great deal of attention and a variety of cryptanalyses over the years; however, HFE\(^-\) has escaped these assaults. The direct algebraic attack that broke HFE Challenge I is provably more complex on HFE\(^-\), and even after two decades HFE Challenge II is daunting, though not achieving a security level we may find acceptable today. The minors modeling approach to the Kipnis-Shamir (KS) attack is very efficient for HFE, but fails when the number of equations removed is greater than one. Thus it seems reasonable to use HFE\(^-\) for encryption with two equations removed.

This strategy may not be quite secure, however, as our new approach shows. We derive a new key recovery attack still based on the minors modeling approach that succeeds for all parameters of HFE\(^-\). The attack is polynomial in the degree of the extension, though of higher degree than the original minors modeling KS-attack. As an example, the complexity of key recovery for HFE\(^-(q=31,n=36,D=1922,a=2)\) is \(2^{52}\). Even more convincingly, the complexity of key recovery for HFE Challenge-2, an HFE\(^-(16,36,4352,4)\) scheme, is feasible, costing around \(2^{67}\) operations. Thus, the parameter choices for HFE\(^-\) for both digital signatures and, particularly, for encryption must be re-examined.


Keywords: Multivariate cryptography, HFE, Encryption, MinRank, Q-rank



Copyright information

© Springer International Publishing AG (outside the US) 2017

Authors and Affiliations

  1. Department of Mathematics, University of Louisville, Louisville, USA
  2. National Institute of Standards and Technology, Gaithersburg, USA
