Cryptanalysis of the TRMS Signature Scheme of PKC’05

  • Luk Bettale
  • Jean-Charles Faugère
  • Ludovic Perret
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5023)


In this paper, we investigate the security of the Tractable Rationale Maps Signature (TRMS) signature scheme [9] proposed at PKC’05. To do so, we present a hybrid approach for solving the algebraic systems naturally arising when mounting a signature-forgery attack. The basic idea is to compute Gröbner bases of several modified systems rather than a Gröbner basis of the initial system. We have been able to provide a precise bound on the (worst-case) complexity of this approach. For that, we have however assumed a technical condition on the systems arising in our attack; namely the systems are semi-regular [3,5]. This claim is supported by experimental evidences. Finally, it turns out that our approach is efficient. We have obtained a complexity bounded from above by 257 to forge a signature on the parameters proposed by the designers of TRMS [9]. This bound can be improved; assuming an access to 216 processors (which is very reasonable), one can actually forge a signature in approximately 51 hours.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adams, W.W., Loustaunau, P.: An Introduction to Gröbner Bases. Graduate Studies in Mathematics, vol. 3, AMS (1994)Google Scholar
  2. 2.
    Ars, G., Faugère, J.-C., Imai, H., Kawazoe, M., Sugita, M.: Comparison Between XL and Gröbner Basis Algorithms. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg (2004)Google Scholar
  3. 3.
    Bardet, M.: Etude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. Thèse de doctorat, Université de Paris VI (2004)Google Scholar
  4. 4.
    Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Grbner basis computation of semi-regular overdetermined algebraic equations. In: Proc. International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004),
  5. 5.
    Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems. In: Proc. of MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry (2005)Google Scholar
  6. 6.
    Buchberger, B., Collins, G.-E., Loos, R.: Computer Algebra Symbolic and Algebraic Computation, 2nd edn. Springer, Heidelberg (1982)MATHGoogle Scholar
  7. 7.
    Buchberger, B.: Gröbner Bases : an Algorithmic Method in Polynomial Ideal Theory. In: Recent trends in multidimensional systems theory, Reider ed. Bose (1985)Google Scholar
  8. 8.
    Berbain, C., Gilbert, H., Patarin, J.: QUAD: A Practical Stream Cipher with Provable Security. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 109–128. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Chou, C.-Y., Hu, Y.-H., Lai, F.-P., Wang, L.-C., Yang, B.-Y.: Tractable Rational Map Signature. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 244–257. Springer, Heidelberg (2005)Google Scholar
  10. 10.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  11. 11.
    Courtois, N., Goubin, L., Patarin, J.: SFLASH, a Fast Symmetric Signature Scheme for low-cost Smartcards – Primitive Specification and Supporting documentation,
  12. 12.
    Cox, D.A., Little, J.B., O’Shea, D.: Ideals, Varieties, and algorithms: an Introduction to Computational Algebraic Geometry and Commutative algebra. Undergraduate Texts in Mathematics. Springer, New York (1992)MATHGoogle Scholar
  13. 13.
    Dubois, V., Fouque, P.-A., Stern, J.: Cryptanalysis of SFLASH with Slightly Modified Parameters. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Dubois, V., Fouque, P.-A., Shamir, A., Stern, J.: Practical Cryptanalysis of SFLASH. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Diffie, W., Fell, H.J.: Analysis of a Public Key Approach Based on Polynomial Substitution. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 340–349. Springer, Heidelberg (1986)Google Scholar
  16. 16.
    Diffie, W., Hellman, M.E.: New Directions in Cryptography. IEEE Transactions on Information Theory IT 22, 644–654 (1976)CrossRefMathSciNetGoogle Scholar
  17. 17.
    Faugère, J.C., Gianni, P., Lazard, D., Mora, T.: Efficient Computation of Zero-Dimensional Gröbner Bases by Change of Ordering. Journal of Symbolic Computation 16(4), 329–344 (1993)CrossRefMathSciNetMATHGoogle Scholar
  18. 18.
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Basis: F4. Journal of Pure and Applied Algebra 139, 61–68 (1999)CrossRefMathSciNetMATHGoogle Scholar
  19. 19.
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Basis without Reduction to Zero: F5. In: Proceedings of ISSAC, pp. 75–83. ACM Press, New York (2002)CrossRefGoogle Scholar
  20. 20.
    Faugère, J.-C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems using Gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)Google Scholar
  21. 21.
    Faugère, J.-C., Perret, L.: Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 30–47. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  22. 22.
    Faugère, J.-C., Perret, L.: Cryptanalysis of 2R schemes. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 357–372. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. 23.
    Fellows, M.R., Koblitz, N.: Combinatorial cryptosystems galore! Contemporary Math. 168, 51–61 (1994)MathSciNetGoogle Scholar
  24. 24.
    Garey, M.R., Johnson, D.B.: Computers and Intractability. A Guide to the Theory of NP-Completeness. W. H. Freeman, New York (1979)MATHGoogle Scholar
  25. 25.
    Joux, A., Kunz-Jacques, S., Muller, F., Ricordel, P.-M.: Cryptanalysis of the Tractable Rational Map Cryptosystem. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 258–274. Springer, Heidelberg (2005)Google Scholar
  26. 26.
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced Oil and Vinegar Signature Schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)Google Scholar
  27. 27.
    Koblitz, N.: Algebraic Aspects of Cryptography. In: Algorithms and Computation in Mathematics, vol. 3, Springer, Heidelberg (1998)Google Scholar
  28. 28.
    Levy–dit–Vehel, F., Mora, T., Perret, L., Traverso, C.: A Survey of Polly Cracker Systems (to appear)Google Scholar
  29. 29.
    Matsumoto, T., Imai, H.: Public Quadratic Polynomial-tuples for Efficient Signature-Verification and Message-Encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  30. 30.
    Macaulay, F.S.: The Algebraic Theory of Modular Systems. Cambrige University Press, Cambrige (1916)MATHGoogle Scholar
  31. 31.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  32. 32.
    Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-Bit Long Digital Signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  33. 33.
    Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)CrossRefMathSciNetMATHGoogle Scholar
  34. 34.
    Shor, P.W.: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Computing 26, 1484–1509 (1997)CrossRefMathSciNetMATHGoogle Scholar
  35. 35.
    Szanto, A.: Multivariate subresultants using jouanolous resultant matrices. Journal of Pure and Applied Algebra (to appear)Google Scholar
  36. 36.
    Wang, L., Chang, F.: Tractable Rational Map Cryptosystem.Cryptology ePrint archive, Report 2004/046,
  37. 37.
    Wolf, C.: Multivariate Quadratic Polynomials in Public Key Cryptography. Ph.D. thesis, Katholieke Universiteit Leuven, B. Preneel (supervisor), 156+xxiv pages (November 2005)Google Scholar
  38. 38.
    Yang, B.-Y., Chen, J.-M., Courtois, N.T.: On Asymptotic Security Estimates in XL and Gröbner Bases-Related Algebraic Cryptanalysis. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Luk Bettale
    • 1
  • Jean-Charles Faugère
    • 1
  • Ludovic Perret
    • 1
  1. 1.INRIA, Centre Paris-Rocquencourt, SALSA ProjectUPMC, Univ Paris 06, LIP6, CNRS, UMR 7606, LIP6ParisFrance

Personalised recommendations