Graph-Theoretic Algorithms for the “Isomorphism of Polynomials” Problem

  • Charles Bouillaguet
  • Pierre-Alain Fouque
  • Amandine Véber
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7881)


We give three new algorithms to solve the “isomorphism of polynomial” problem, which was underlying the hardness of recovering the secret-key in some multivariate trapdoor one-way functions. In this problem, the adversary is given two quadratic functions, with the promise that they are equal up to linear changes of coordinates. Her objective is to compute these changes of coordinates, a task which is known to be harder than Graph-Isomorphism. Our new algorithm build on previous work in a novel way. Exploiting the birthday paradox, we break instances of the problem in time q2n/3 (rigorously) and qn/2 (heuristically), where qn is the time needed to invert the quadratic trapdoor function by exhaustive search. These results are obtained by turning the algebraic problem into a combinatorial one, namely that of recovering partial information on an isomorphism between two exponentially large graphs. These graphs, derived from the quadratic functions, are new tools in multivariate cryptanalysis.


  1. 1.
    Agrawal, M., Saxena, N.: Equivalence of f-algebras and cubic forms. In: Durand, B., Thomas, W. (eds.) STACS 2006. LNCS, vol. 3884, pp. 115–126. Springer, Heidelberg (2006)Google Scholar
  2. 2.
    Alon, N., Blais, E.: Testing boolean function isomorphism. In: Serna, M.J., Shaltiel, R., Jansen, K., Rolim, J.D.P. (eds.) APPROX 2010. LNCS, vol. 6302, pp. 394–405. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Babai, L., Kucera, L.: Canonical labelling of graphs in linear average time. In: FOCS, pp. 39–46. IEEE Computer Society (1979)Google Scholar
  4. 4.
    Bardet, M., Faugère, J.C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proc. International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)Google Scholar
  5. 5.
    Bettale, L., Faugère, J.-C., Perret, L.: Cryptanalysis of the trms signature scheme of pkc’05. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 143–155. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Billet, O., Gilbert, H.: A traceable block cipher. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 331–346. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Biryukov, A., Cannière, C.D., Braeken, A., Preneel, B.: A toolbox for cryptanalysis: Linear and affine equivalence algorithms. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 33–50. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Bosma, W., Cannon, J.J., Playoust, C.: The Magma Algebra System I: The User Language. J. Symb. Comput. 24(3/4), 235–265 (1997)MathSciNetMATHCrossRefGoogle Scholar
  9. 9.
    Bouillaguet, C., Faugère, J.-C., Fouque, P.-A., Perret, L.: Practical cryptanalysis of the identification scheme based on the isomorphism of polynomial with one secret problem. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 473–493. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Bouillaguet, C., Fouque, P.A., Véber, A.: Graph-theoretic algorithms for the “isomorphism of polynomials” problem. Cryptology ePrint Archive, Report 2012/607 (2012),
  11. 11.
    Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)MATHGoogle Scholar
  12. 12.
    Daemen, J.: Limitations of the even-mansour construction. In: [25], pp. 495–498Google Scholar
  13. 13.
    Ding, J., Wolf, C., Yang, B.-Y.: ℓ-Invertible cycles for multivariate quadratic public key cryptography. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 266–281. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Dubois, V., Fouque, P.-A., Shamir, A., Stern, J.: Practical Cryptanalysis of SFLASH. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Dubois, V., Granboulan, L., Stern, J.: An efficient provable distinguisher for hfe. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 156–167. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: The even-mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  17. 17.
    Even, S., Mansour, Y.: A construction of a cioher from a single pseudorandom permutation. In: [25], pp. 210–224Google Scholar
  18. 18.
    Faugère, J.-C., Joux, A., Perret, L., Treger, J.: Cryptanalysis of the hidden matrix cryptosystem. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 241–254. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  19. 19.
    Faugère, J.-C., Perret, L.: Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 30–47. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. 20.
    Fouque, P.A., Granboulan, L., Stern, J.: Differential cryptanalysis for multivariate schemes. In: [11], pp. 341–353Google Scholar
  21. 21.
    Fouque, P.-A., Macario-Rat, G., Perret, L., Stern, J.: Total break of the ℓ-ic signature scheme. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 1–17. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  22. 22.
    Fouque, P.-A., Macario-Rat, G., Stern, J.: Key Recovery on Hidden Monomial Multivariate Schemes. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 19–30. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  23. 23.
    Geiselmann, W., Meier, W., Steinwandt, R.: An Attack on the Isomorphisms of Polynomials Problem with One Secret. Int. J. Inf. Sec. 2(1), 59–64 (2003)CrossRefGoogle Scholar
  24. 24.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract). In: FOCS, pp. 174–187. IEEE (1986)Google Scholar
  25. 25.
    Matsumoto, T., Imai, H., Rivest, R.L. (eds.): ASIACRYPT 1991. LNCS, vol. 739. Springer, Heidelberg (1993)MATHGoogle Scholar
  26. 26.
    Joux, A., Kunz-Jacques, S., Muller, F., Ricordel, P.M.: Cryptanalysis of the tractable rational map cryptosystem. In: [40], pp. 258–274Google Scholar
  27. 27.
    Kayal, N.: Efficient algorithms for some special cases of the polynomial equivalence problem. In: Randall, D. (ed.) SODA, pp. 1409–1421. SIAM (2011)Google Scholar
  28. 28.
    Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  29. 29.
    Patarin, J., Goubin, L., Courtois, N.T.: C − + * and HM: Variations around two schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–50. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  30. 30.
    Patarin, J., Goubin, L., Courtois, N.T.: Improved Algorithms for Isomorphisms of Polynomials. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 184–200. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  31. 31.
    Patarin, J., Goubin, L., Courtois, N.: Improved Algorithms for Isomorphisms of Polynomials – Extended Version (1998),
  32. 32.
    Perret, L.: A Fast Cryptanalysis of the Isomorphism of Polynomials with One Secret Problem. In: [11], pp. 354–370Google Scholar
  33. 33.
    Pointcheval, D.: A new identification scheme based on the perceptrons problem. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 319–328. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  34. 34.
    Sakumoto, K.: Public-key identification schemes based on multivariate cubic polynomials. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 172–189. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  35. 35.
    Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  36. 36.
    Shamir, A.: An efficient identification scheme based on permuted kernels (extended abstract). In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 606–609. Springer, Heidelberg (1990)Google Scholar
  37. 37.
    Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  38. 38.
    Stern, J.: Designing identification schemes with keys of short size. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 164–173. Springer, Heidelberg (1994)Google Scholar
  39. 39.
    Vaudenay, S.: A Classical Introduction to Cryptography: Applications for Communications Security. Springer-Verlag New York, Inc., Secaucus (2005)Google Scholar
  40. 40.
    Vaudenay, S. (ed.): PKC 2005. LNCS, vol. 3386. Springer, Heidelberg (2005)MATHGoogle Scholar
  41. 41.
    Wang, L.C., Hu, Y.H., Lai, F., Yen Chou, C., Yang, B.Y.: Tractable rational map signature. In: [40], pp. 244–257Google Scholar
  42. 42.
    Wilf, H., Zeilberger, D.: An algorithmic proof theory for hypergeometric (ordinary and “q”) multisum/integral identities. Inventiones Mathematicae 108, 575–633 (1992), 10.1007/BF02100618Google Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Charles Bouillaguet
    • 1
  • Pierre-Alain Fouque
    • 2
  • Amandine Véber
    • 3
  1. 1.University of Lille-1France
  2. 2.University of Rennes-1France
  3. 3.CMAP LabCNRS and Ecole PolytechniqueFrance

Personalised recommendations