Advertisement

Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases

  • Jean-Charles Faugère
  • Antoine Joux
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)

Abstract

In this paper, we review and explain the existing algebraic cryptanalysis of multivariate cryptosystems from the hidden field equation (HFE) family. These cryptanalysis break cryptosystems in the HFE family by solving multivariate systems of equations. In this paper we present a new and efficient attack of this cryptosystem based on fast algorithms for computing Gröbner basis. In particular it was was possible to break the first HFE challenge (80 bits) in only two days of CPU time by using the new algorithm F5 implemented in C.

From a theoretical point of view we study the algebraic properties of the equations produced by instance of the HFE cryptosystems and show why they yield systems of equations easier to solve than random systems of quadratic equations of the same sizes. Moreover we are able to bound the maximal degree occuring in the Gröbner basis computation.

As a consequence, we gain a deeper understanding of the algebraic cryptanalysis against these cryptosystems. We use this understanding to devise a specific algorithm based on sparse linear algebra. In general, we conclude that the cryptanalysis of HFE can be performed in polynomial time. We also revisit the security estimates for existing schemes in the HFE family.

Keywords

Linear Algebra Signature Scheme Algebraic System Random System Multivariate Polynomial 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, Innsbruck (1965)Google Scholar
  2. 2.
    Buchberger, B.: An Algorithmical Criterion for the Solvability of Algebraic Systems. Aequationes Mathematicae 4(3), 374–383 (1970) (German)zbMATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Buchberger, B.: A Criterion for Detecting Unnecessary Reductions in the Construction of Gröbner Basis. In: Ng, K.W. (ed.) EUROSAM 1979 and ISSAC 1979. LNCS, vol. 72, pp. 3–21. Springer, Heidelberg (1979)Google Scholar
  4. 4.
    Bardet, M., Faugère, J.-C., Salvy, B.: Complexity of Gröbner basis computation for regular, overdetermined (2003) (in preparation)Google Scholar
  5. 5.
    Becker, T., Weispfenning, V.: Groebner Bases, a Computationnal Approach to Commutative Algebra. Graduate Texts in Mathematics. Springer, Heidelberg (1993)Google Scholar
  6. 6.
    Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Math. Comp. 62, 333–350 (1994)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Courtois, N.: The security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Courtois, N., Shamir, A., Patarin, J., Klimov, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Cox, D., Little, J., O’Shea, D.: Using Algebraic Geometry. Springer, New York (1998)zbMATHGoogle Scholar
  10. 10.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139(1–3), 61–88 (1999)CrossRefMathSciNetGoogle Scholar
  11. 11.
    Faugère, J.-C.: Algebraic cryptanalysis of HFE using Göbner bases. Technical Report 4738, INRIA (2003)Google Scholar
  12. 12.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero F5. In: Mora, T. (ed.) Proceedings of ISSAC, pp. 75–83. ACM Press, New York (2002)Google Scholar
  13. 13.
    Gilbert, H., Minier, M.: Cryptanalysis of SFLASH. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 288–298. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. 14.
    Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998)Google Scholar
  15. 15.
    Kipnis, A., Shamir, A.: Cryptanalysis of the HFE Public Key Cryptosystem by R elinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)Google Scholar
  16. 16.
    Lazard, D.: Gaussian Elimination and Resolution of Systems of Algebraic Equations. In: van Hulzen, J.A. (ed.) ISSAC 1983 and EUROCAL 1983. LNCS, vol. 162, pp. 146–157. Springer, Heidelberg (1983)Google Scholar
  17. 17.
    Macaulay, F.S.: The algebraic theory of modular systems. Cambridge Mathematical Library, vol. xxxi. Cambridge University Press, Cambridge (1916)zbMATHGoogle Scholar
  18. 18.
    Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signatureveri fication and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  19. 19.
    Montgomery, P.L.: A block Lanczos algorithm for finding dependencies over Gf(2). In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 106–120. Springer, Heidelberg (1995)Google Scholar
  20. 20.
    Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme o f Eurocrypt 1988. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)Google Scholar
  21. 21.
    Patarin, J.: HFE first challenge (1996), http://www.minrank.org/challenge1.txt
  22. 22.
    Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  23. 23.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. Extended version (1996)Google Scholar
  24. 24.
    Patarin, J., Goubin, L., Courtois, N.: Quartz: An Asymetric Signature Scheme for Short Signatures on PC, submission to NESSIE (2000)Google Scholar
  25. 25.
    Shoup, V.: NTL 5.3.1, a Library for doing Number Theory (2003), http://www.shoup.net/ntl

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Jean-Charles Faugère
    • 1
  • Antoine Joux
    • 2
  1. 1.Projet SPACES LIP6/LORIA CNRS/UPMC/INRIA 
  2. 2.DCSSI/Crypto LabPARIS 07 SP

Personalised recommendations