The Degree of Regularity of HFE Systems

  • Vivien Dubois
  • Nicolas Gama
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6477)


HFE is a public key scheme introduced by Patarin in 1996. An HFE public key is a large system of polynomials in many variables over a small finite field. This system results from some secret composition, based on which the owner can solve it to any arbitrary vector. While the security of the cryptosystem relies on the difficulty of solving the public system without the trapdoor information, in 2002 Faugére found experimentally that Gröbner basis computations perform much better on certain HFE instances than on random systems. More specifically, Faugére observed that the regular behaviour of the Gröbner basis computation collapses at a much lower degree than expected for random systems, letting the computation finish much earlier. Accounting for this distinctive property, Faugére and Joux showed in 2003 that mapping HFE systems to some other multivariate ring exhibits the particular algebraic structure of these systems. Nevertheless, they did not offer the actual computation of the degree of regularity of HFE systems. Later, in 2006, Granboulan, Joux and Stern showed an asymptotic upper bound on the degree of regularity of HFE systems over GF(2) using independent results on overdetermined systems of equations. The case of larger ground fields has remained however completely unsolved. In this paper, we exhibit an additional property of HFE systems that is increasingly significant as the size of the ground field grows. Using this property with a standard combinatorial calculation yields an arguably tight numerical bound on the degree of regularity of HFE systems for any parameters.


multivariate polynomials HFE algebraic cryptanalysis 


  1. 1.
    Bardet, M.: Étude des systémes algébriques surdéterminés. Applications aux codes correcteurs et ála cryptographie. PhD thesis, UniversitéParis 6 (2004)Google Scholar
  2. 2.
    Bardet, M., Faugére, J.-C., Salvy, B.: On the Complexity of Gröbner Basis Computation of Semi-Regular Overdetermined Algebraic Equations. In: ICPSS International Conference on Polynomial System Solving (2004)Google Scholar
  3. 3.
    Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassnringes nach einem nulldimensionalen Polynomideal. PhD thesis, Innsbruck (1965)Google Scholar
  4. 4.
    Courtois, N.: The Security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Diem, C.: The xl-algorithm and a conjecture from commutative algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323–337. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Ding, J., Schmidt, D., Werner, F.: Algebraic attack on hfe revisited. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 215–227. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Dubois, V., Granboulan, L., Stern, J.: An Efficient Provable Distinguisher for HFE. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 156–167. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Faugère, J.-C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Faugére, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Faugére, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases without Reductions to Zero F5. In: ISSAC, pp. 75–83 (2002)Google Scholar
  12. 12.
    Faugére, J.-C.: Algebraic Cryptanalysis of HFE using Gröbner Bases. Technical Report 4738, INRIA (2003)Google Scholar
  13. 13.
    Kunz-Jacques, S.: Preuves de sécurité et problémes difficiles en cryptologie: étude de cas. PhD thesis, Université Paris 7 (2007)Google Scholar
  14. 14.
    Lazard, D.: Gröbner-Bases, Gaussian Elimination and Resolution of Systems of Algebraic Equations. In: van Hulzen, J.A. (ed.) ISSAC 1983 and EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (1983)Google Scholar
  15. 15.
    Granboulan, L., Joux, A., Stern, J.: Inverting HFE Is Quasipolynomial. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 345–356. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    Steel, A.: Allan Steel’s Groebner Basis Timings Page (2004),
  18. 18.
    University of Sydney Computational Algebra Group. The MAGMA Computational Algebra SystemGoogle Scholar
  19. 19.
    Yang, B.-Y., Chen, J.-M.: All in the xl family: Theory and practice. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Vivien Dubois
    • 1
  • Nicolas Gama
    • 2
  1. 1.DGA-MIFrance
  2. 2.EPFLSwitzerland

Personalised recommendations