Improved algorithms for isomorphisms of polynomials

  • Jacques Patarin
  • Louis Goubin
  • Nicolas Courtois
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1403)


This paper is about the design of improved algorithms to solve Isomorphisms of Polynomials (IP) problems. These problems were first explicitly related to the problem of finding the secret key of some asymmetric cryptographic algorithms (such as Matsumoto and Imai's C* scheme of [12], or some variations of Patarin's HFE scheme of [14]). Moreover, in [14], it was shown that IP can be used in order to design an asymmetric authentication or signature scheme in a straightforward way. We also introduce the more general Morphisms of Polynomials problem (MP). As we see in this paper, these problems IP and MP have deep links with famous problems such as the Isomorphism of Graphs problem or the problem of fast multiplication of n x n matrices. The complexities of our algorithms for IP are still not polynomial, but they are much more efficient than the previously known algorithms. For example, for the IP problem of finding the two secret matrices of a Matsumoto-Imai C* scheme over K = Fq, the complexity of our algorithms is \(\mathcal{O}(q^{n/2} )\) instead of \(\mathcal{O}(q^{(n^2 )} )\) for previous algorithms. (In [13], the C* scheme was broken, but the secret key was not found). Moreover, we have algorithms to achieve a complexity \(\mathcal{O}(q^{\tfrac{3}{2}n} )\) on any system of n quadratic equations with n variables over K = Fq (not only equations from C*). We also show that the problem of deciding whether a polynomial isomorphism exists between two sets of equations is not NP-complete (assuming the classical hypothesis about Arthur-Merlin games), but solving IP is at least as difficult as the Graph Isomorphism problem (GI) (and perhaps much more difficult), so that IP is unlikely to be solvable in polynomial time. Moreover, the more general Morphisms of Polynomials problem (MP) is NP-hard. Finally, we suggest some variations of the IP problem that may be particularly convenient for cryptographic use.


  1. 1.
    László Babai, Shlomo Moran, Arthur-Merlin games: A randomized proof system, and a hierarchy of complexity classes, JCSS, vol. 36, 1988, pp. 254–276.MATHMathSciNetGoogle Scholar
  2. 2.
    Manuel Blum, How to prove a theorem so no one else can claim it, Proceeedings of the International Congress of Mathematics, Berkeley CA, 1986, pp. 1444–1451.Google Scholar
  3. 3.
    Ravi B. Boppana, Johan Håstad, Stathis Zachos, Does co-NP have short interactive proofs, Information Proc. Letters, vol. 25, 1987, pp. 127–132.MATHCrossRefGoogle Scholar
  4. 4.
    Don Coppersmith, Shmuel Winograd, Matrix multiplication via arithmetic progressions, J. Symbolic Computation (1990), 9, pp. 251–280.MATHMathSciNetCrossRefGoogle Scholar
  5. 5.
    Scott Fortin, The Graph Isomorphism Problem, Technical Report 93-20, University of Alberta, Edmonton, Alberta, Canada, July 1996. This paper is available at Scholar
  6. 6.
    Oded Goldreich, Silvio Micali, Avi Wigderson, Proofs that yield nothing but their validity and a methodology of cryptographic protocol design, Journal of the ACM, v. 38, n. 1, Jul. 1991, pp. 691–729.MATHMathSciNetGoogle Scholar
  7. 7.
    Shafi Goldwasser, Silvio Micali, Charles Rackoff, The knowledge complexity of interactive proofs, SIAM J. Comput., vol. 18, 1989, pp. 186–208.MATHMathSciNetCrossRefGoogle Scholar
  8. 8.
    Shafi Goldwasser, Michael Sipser, Private coins vs. public coins in interactive proof systems, Advances in Computing Research, S. Micali (Ed.), vol. 5, 1989, pp. 73–90.Google Scholar
  9. 9.
    John Gustafson, Srinivas Aluru, Massively Parallel Searching for Better Algorithms or, How to Do a Cross Product with Five Multiplications, Ames Laboratory, Department of Energy, ISU, Ames, Iowa. This paper is available at Scholar
  10. 10.
    Johan Håstad, Tensor Rank is NP-Complete, Journal of Algorithms, vol. 11, pp. 644–654, 1990.MATHMathSciNetCrossRefGoogle Scholar
  11. 11.
    Rudolf Lidl, Harald Niederreiter, “Finite Fields”, Encyclopedia of Mathematics and its applications, Volume 20, Cambridge University Press.Google Scholar
  12. 12.
    Tsutomu Matsumoto, Hideki Imai, Public quadratic polynomial-Tuples for efficient Signature-Verification and Message-Encryption, EUROCRYPT'88, Springer-Verlag, pp. 419–453.Google Scholar
  13. 13.
    Jacques Patarin, Cryptanalysis of the Matsumoto and Imai public Key Scheme of Eurocrypt'88, CRYPTO'95, Springer-Verlag, pp. 248–261.Google Scholar
  14. 14.
    Jacques Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new Families of asymmetric Algorithms, EUROCRYPT'96, Springer-Verlag, pp. 33–48.Google Scholar
  15. 15.
    Erev Petrank, Ron M. Roth, Is Code Equivalence Easy to Decide?, IEEE Transactions on Information Theory, 1997.Google Scholar
  16. 16.
    Volker Strassen, Gaussian elimination is not optimal, Numerische Mathematik 13, 1969, pp. 354–356.MATHMathSciNetCrossRefGoogle Scholar
  17. 17.
    Volker Strassen, The asymptotic spectrum of tensors, J. Reine Angew. Math., vol. 384, pp. 102–152, 1988.MATHMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • Jacques Patarin
    • 1
  • Louis Goubin
    • 1
  • Nicolas Courtois
    • 2
  1. 1.Bull Smart Cards and TerminalsLouveciennes CedexFrance
  2. 2.Modélisation et SignalUniversité de Toulon et du VarLa Garde CedexFrance

Personalised recommendations