Overview of Cryptanalysis Techniques in Multivariate Public Key Cryptography

  • Olivier Billet
  • Jintai Ding


This paper summarizes most of the main developments in the cryptanalysis of multivariate cryptosystems and discusses some problems that remain open. A strong emphasis is put on the symbolic computation tools that have been used to achieve these advances.


Keywords: Signature Scheme, Stream Cipher, Multivariate Polynomial, Cipher Text, Algebraic Attack





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  1. Orange Labs, Issy-les-Moulineaux, France
  2. Department of Mathematical Sciences, Department of Computer Sciences, University of Cincinnati, Cincinnati, USA
