Last Fall Degree, HFE, and Weil Descent Attacks on ECDLP

  • Ming-Deh A. Huang
  • Michiel Kosters
  • Sze Ling Yeo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9215)

Abstract

Weil descent methods have recently been applied to attack the Hidden Field Equation (HFE) public key systems and to solve the elliptic curve discrete logarithm problem (ECDLP) in small characteristic. However, the claims of quasi-polynomial time attacks on the HFE systems and of a subexponential time algorithm for the ECDLP depend on various heuristic assumptions.

In this paper we introduce the notion of the last fall degree of a polynomial system, which is independent of the choice of monomial order. We then develop complexity bounds on solving polynomial systems based on this last fall degree.

We prove that HFE systems have a small last fall degree, by showing that one can do division with remainder after Weil descent. This allows us to solve HFE systems unconditionally in polynomial time if the degree of the defining polynomial and the cardinality of the base field are fixed. For the ECDLP over a finite field of characteristic 2, we provide computational evidence that raises doubts about the validity of the first fall degree assumption, which was widely adopted in earlier works and which promises sub-exponential algorithms for ECDLP. In addition, we construct a Weil descent system from a set of summation polynomials in which the first fall degree assumption is unlikely to hold. These examples suggest that greater care needs to be exercised when applying this heuristic assumption to arrive at complexity estimates.
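As an added illustration of the Weil descent step the abstract refers to (example code written for this page, not code from the paper), the following Python maps a univariate polynomial F(X) over F_{2^n} to the n polynomials over F_2 that share its zeros, with the field equations x_i^2 = x_i imposed, and checks the descended system against direct evaluation over the whole field. The field F_8, the HFE-shaped sample polynomial X^3 + tX + t^2 + 1 and all names are constructed for this example; the code works for any n, irreducible polynomial and coefficient list.

```python
# Added example: Weil descent of F(X) in K[X], K = F_2[t]/(mod), to n polynomials over F_2.
# K elements are ints (bit i = coefficient of t^i); polynomials in K[x_0..x_{n-1}] with the
# field equations x_i^2 = x_i imposed are dicts {frozenset(variable indices): K coefficient}.
def gf_mul(a, b, n, mod):
    # Multiply in K; mod is the irreducible polynomial as a bitmask with bit n set.
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if (a >> n) & 1:
            a ^= mod
    return r

def poly_mul(p, q, n, mod):
    # x_i^2 = x_i, so the product of two monomials is the union of their variable sets.
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            r[m1 | m2] = r.get(m1 | m2, 0) ^ gf_mul(c1, c2, n, mod)
    return {m: c for m, c in r.items() if c}

def weil_descent(coeffs, n, mod):
    # coeffs[i] is the coefficient of X^i. Substitute X = x_0 + x_1 t + ... + x_{n-1} t^{n-1}
    # (Horner) and split on the t-basis: returns [G_0..G_{n-1}], sets of F_2 monomials,
    # with F(X) = sum_j G_j(x) t^j, so F(X) = 0 in K iff every G_j(x) = 0 in F_2.
    X = {frozenset([i]): 1 << i for i in range(n)}
    acc = {}
    for c in reversed(coeffs):
        acc = poly_mul(acc, X, n, mod)
        acc[frozenset()] = acc.get(frozenset(), 0) ^ c
    return [{m for m, c in acc.items() if (c >> j) & 1} for j in range(n)]

def eval_f2(g, bits):  # evaluate an F_2 polynomial (set of monomials) at a 0/1 vector
    return sum(all(bits[i] for i in m) for m in g) % 2

def eval_k(coeffs, x, n, mod):  # evaluate F at x in K by Horner
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x, n, mod) ^ c
    return acc

def descent_matches(coeffs, n, mod):
    # For every x in K: F(x) = 0 exactly when all G_j vanish at the bit vector of x.
    system = weil_descent(coeffs, n, mod)
    for x in range(1 << n):
        bits = [(x >> i) & 1 for i in range(n)]
        if (eval_k(coeffs, x, n, mod) == 0) != all(eval_f2(g, bits) == 0 for g in system):
            return False
    return True

# Constructed sample: K = F_8 = F_2[t]/(t^3 + t + 1), F(X) = X^3 + t*X + t^2 + 1 (X^3 = X^(2+1): HFE shape).
SAMPLE_N, SAMPLE_MOD, SAMPLE_F = 3, 0b1011, [0b101, 0b010, 0, 1]
```

Because the only exponent of the sample is 3 = 2 + 1, the descended system consists of quadratics in x_0, x_1, x_2, which is the small-degree structure that makes HFE systems tractable after descent.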

These results taken together underscore the importance of rigorously bounding last fall degrees of Weil descent systems, which remains an interesting but challenging open problem.

Keywords

HFE, ECDLP, Weil descent, Solving equations, First fall degree, Last fall degree

Acknowledgements

The authors would like to thank Bagus Santoso, Chaoping Xing and Yun Yang for their help and support in preparing this manuscript. We are grateful to Steven Galbraith and the anonymous reviewers for their valuable comments. Finally, we would like to thank the Caramel team from Nancy (France) for allowing us to use their computers to do experiments.

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Ming-Deh A. Huang, USC, Los Angeles, California
  • Michiel Kosters, TL@NTU, Singapore
  • Sze Ling Yeo, I2R, Singapore