Practical Cryptanalysis of the Identification Scheme Based on the Isomorphism of Polynomial with One Secret Problem

  • Charles Bouillaguet
  • Jean-Charles Faugère
  • Pierre-Alain Fouque
  • Ludovic Perret
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6571)


This paper presents a practical cryptanalysis of the Identification Scheme proposed by Patarin at Crypto 1996. This scheme relies on the hardness of the Isomorphism of Polynomial with One Secret (IP1S), and enjoys shorter key than many other schemes based on the hardness of a combinatorial problem (as opposed to number-theoretic problems). Patarin proposed concrete parameters that have not been broken faster than exhaustive search so far. On the theoretical side, IP1S has been shown to be harder than Graph Isomorphism, which makes it an interesting target. We present two new deterministic algorithms to attack the IP1S problem, and we rigorously analyze their complexity and success probability. We show that they can solve a (big) constant fraction of all the instances of degree two in polynomial time. We verified that our algorithms are very efficient in practice. All the parameters with degree two proposed by Patarin are now broken in a few seconds. The parameters with degree three can be broken in less than a CPU-month. The identification scheme is thus quite badly broken.


  1. 1.
    Baena, J., Clough, C., Ding, J.: Square-vinegar signature scheme. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 17–30. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Bardet, M., Faugère, J.C., Salvy, B., Yang, B.Y.: Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems. In: MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry, Porto Conte, Alghero, Sardinia (Italy), May 27-June 1 (2005)Google Scholar
  3. 3.
    Bardet, M.: Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. PhD thesis, Université de Paris VI (2004)Google Scholar
  4. 4.
    Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proc. International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)Google Scholar
  5. 5.
    Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proc. of MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry (2005)Google Scholar
  6. 6.
    Bennett, A.A.: Products of skew-symmetric matrices. American M. S. Bull. 25, 455–458 (1919)MATHCrossRefGoogle Scholar
  7. 7.
    Bernstein, D.S.: Matrix mathematics. Theory, facts, and formulas, 2nd expanded edn., vol. xxxix, p. 1139. Princeton University Press, Princeton (2009)MATHGoogle Scholar
  8. 8.
    Billet, O., Gilbert, H.: A traceable block cipher. In: Laih, C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 331–346. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Bosma, W., Cannon, J.J., Playoust, C.: The Magma Algebra System I: The User Language. J. Symb. Comput. 24(3/4), 235–265 (1997)MathSciNetMATHCrossRefGoogle Scholar
  10. 10.
    Chevalley, C.: Démonstration d’une hypothèse de M. Artin. Abh. Math. Semin. Hamb. Univ. 11, 73–75 (1935)MATHCrossRefGoogle Scholar
  11. 11.
    Clough, C., Baena, J., Ding, J., Yang, B.-Y., Chen, M.-s.: Square, a new multivariate encryption scheme. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 252–264. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Ding, J., Wolf, C., Yang, B.-Y.: ℓ-invertible cycles for multivariate quadratic public key cryptography. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 266–281. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    dit Vehel, F.L., Perret, L.: Polynomial Equivalence Problems and Applications to Multivariate Cryptosystems. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 235–251. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Faugère, J.-C., Gianni, P., Lazard, D., Mora, T.: Efficient Computation of Zero-Dimensional Gröbner Bases by Change of Ordering. Journal of Symbolic Computation 16(4), 329–344 (1993)MathSciNetMATHCrossRefGoogle Scholar
  15. 15.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139(1-3), 61–88 (1999)MathSciNetMATHCrossRefGoogle Scholar
  16. 16.
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases Without Reduction to Zero (F5). In: ISSAC 2002: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, pp. 75–83. ACM, New York (2002)CrossRefGoogle Scholar
  17. 17.
    Faugère, J.-C., Perret, L.: Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 30–47. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  18. 18.
    Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar
  19. 19.
    Fortin, S.: The graph isomorphism problem. Technical report, University of Alberta (1996)Google Scholar
  20. 20.
    Fuhrmann, P.A.: A polynomial approach to linear algebra. Springer, New York (1996)MATHGoogle Scholar
  21. 21.
    Fulman, J.: Random matrix theory over finite fields. Bull. Amer. Math. Soc. (N.S) 39, 51–85Google Scholar
  22. 22.
    Garey, M.R., Johnson, D.S.: Computers and Intractability, A Guide to the Theory of NP Completeness. Freeman, New York (1979)MATHGoogle Scholar
  23. 23.
    Geiselmann, W., Meier, W., Steinwandt, R.: An Attack on the Isomorphisms of Polynomials Problem with One Secret. Int. J. Inf. Sec. 2(1), 59–64 (2003)CrossRefGoogle Scholar
  24. 24.
    Geiselmann, W., Steinwandt, R., Beth, T.: Attacking the Affine Parts of SFLASH. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 355–359. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  25. 25.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract). In: FOCS, pp. 174–187. IEEE, Los Alamitos (1986)Google Scholar
  26. 26.
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: STOC, pp. 291–304. ACM, New York (1985)Google Scholar
  27. 27.
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced Oil and Vinegar Signature Schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)Google Scholar
  28. 28.
    Koblitz, N.: Algebraic Aspects of Cryptography. Algorithms and Computation in Mathematics, vol. 3. Springer, Heidelberg (1998)Google Scholar
  29. 29.
    Lazard, D.: Gröbner-bases, gaussian elimination and resolution of systems of algebraic equations. In: van Hulzen, J.A. (ed.) ISSAC 1983 and EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (1983)Google Scholar
  30. 30.
    Lidl, R., Niederreiter, H.: Finite fields. Cambridge University Press, New York (1997)Google Scholar
  31. 31.
    Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  32. 32.
    MacWilliams, J.: Orthogonal matrices over finite fields. The American Mathematical Monthly 76(2), 152–164 (1969)MathSciNetMATHCrossRefGoogle Scholar
  33. 33.
    Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  34. 34.
    Naccache, D. (ed.): CT-RSA 2001. LNCS, vol. 2020. Springer, Heidelberg (2001)MATHGoogle Scholar
  35. 35.
    Patarin, J.: Hidden fields equations (hfe) and isomorphisms of polynomials (ip): Two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  36. 36.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996), Google Scholar
  37. 37.
    Patarin, J.: The Oil and Vinegar signature scheme. Presented at the Dagstuhl Workshop on Cryptography (1997)Google Scholar
  38. 38.
    Patarin, J., Courtois, N., Goubin, L.: Flash, a fast multivariate signature algorithm. In: [34], pp. 298–307Google Scholar
  39. 39.
    Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-Bit Long Digital Signatures. In: [34], pp. 282–297Google Scholar
  40. 40.
    Patarin, J., Goubin, L., Courtois, N.: Improved Algorithms for Isomorphisms of Polynomials. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 184–200. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  41. 41.
    Perret, L.: A Fast Cryptanalysis of the Isomorphism of Polynomials with One Secret Problem. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 354–370. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  42. 42.
    Pointcheval, D.: A new identification scheme based on the perceptrons problem. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 319–328. Springer, Heidelberg (1995)Google Scholar
  43. 43.
    Shamir, A.: An efficient identification scheme based on permuted kernels (extended abstract). In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 606–609. Springer, Heidelberg (1990)Google Scholar
  44. 44.
    Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994)Google Scholar
  45. 45.
    Stern, J.: Designing identification schemes with keys of short size. In: Desmedt, Y. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 164–173. Springer, Heidelberg (1994)Google Scholar
  46. 46.
    Warning, E.: Bemerkung zur vorstehenden Arbeit von Herrn Chevalley.. Abh. Math. Semin. Hamb. Univ. 11, 76–83 (1935)MATHCrossRefGoogle Scholar
  47. 47.
    Wolf, C., Preneel, B.: Taxonomy of Public Key Schemes Based on the Problem of Multivariate Quadratic Equations. Cryptology ePrint Archive, Report 2005/077 (2005)Google Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Charles Bouillaguet
    • 1
  • Jean-Charles Faugère
    • 2
    • 3
  • Pierre-Alain Fouque
    • 1
  • Ludovic Perret
    • 3
    • 2
  1. 1.Ecole Normale SupérieureParisFrance
  2. 2.UPMC Univ. Paris 06, UMR 7606, LIP6INRIA, Paris-Rocquencourt Center, SALSA ProjectParisFrance
  3. 3.UMR 7606, LIP6CNRSParisFrance

Personalised recommendations