Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4004)


The Isomorphism of Polynomials (IP) [28], which is the main concern of this paper, originally corresponds to the problem of recovering the secret key of a C* scheme [26]. Besides, the security of various other schemes (signature, authentication [28], traitor tracing [5], ...) also depends on the practical hardness of IP. Due to its numerous applications, the Isomorphism of Polynomials is thus one of the most fundamental problems in multivariate cryptography. In this paper, we address two complementary aspects of IP, namely its theoretical and practical difficulty. We present an upper bound on the theoretical complexity of “IP-like” problems, i.e. a problem consisting in recovering a particular transformation between two sets of multivariate polynomials. We prove that these problems are not NP-Hard (provided that the polynomial hierarchy does not collapse). Concerning the practical aspect, we present a new algorithm for solving IP. In a nutshell, the idea is to generate a suitable algebraic system of equations whose zeroes correspond to a solution of IP. From a practical point of view, we employed a fast Gröbner basis algorithm, namely F5 [17], for solving this system. This approach is efficient in practice and obliges to modify the current security criteria for IP. We have indeed broken several challenges proposed in literature [28, 29, 5]. For instance, we solved a challenge proposed by O. Billet and H. Gilbert at Asiacrypt’03 [5] in less than one second.


Public-Key Cryptography Cryptanalysis Isomorphism of Polynomials (IP) Gröbner bases F5 algorithm 


  1. 1.
    Adams, W.W., Loustaunau, P.: An Introduction to Gröbner Bases, vol. 3. AMS. Graduate Studies in Mathematics 3 (1994)Google Scholar
  2. 2.
    Ars, G., Faugère, J.-C., Imai, H., Kawazoe, M., Sugita, M.: Comparison Between XL and Gröbner Basis Algorithms. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems. In: MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry, 15 pages (2005)Google Scholar
  4. 4.
    Bardet, M., Faugère, J.-C., Salvy, B.: On the Complexity of Gröbner Basis Computation of Semi-Regular Overdetermined Algebraic Equations. In: Proc. of International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)Google Scholar
  5. 5.
    Billet, O., Gilbert, H.: A Traceable Block Cipher. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 331–346. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Biryukov, A., De Cannière, C., Braeken, A., Preneel, B.: A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 33–50. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Boppana, R.B., Hastad, J., Zachos, S.: Does co–NP Have Short Interactive Proofs? Information Processing Letters 25(2), 127–132 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Buchberger, B.: Gröbner Bases: an Algorithmic Method in Polynomial Ideal Theory. Recent trends in multidimensional systems theory, Reider ed. Bose (1985)Google Scholar
  9. 9.
    Buchberger, B., Collins, G.-E., Loos, R.: Computer Algebra Symbolic and Algebraic Computation, 2nd edn. Springer, Heidelberg (1982)zbMATHGoogle Scholar
  10. 10.
    Courtois, N.: La sécurité des primitives cryptographiques basées sur des problèmes algébriques multivariables: MQ, IP, MinRank, HFE. Ph.D. Thesis, Paris (2001)Google Scholar
  11. 11.
    Courtois, N., Goubin, L., Patarin, J.: Improved Algorithms for Isomorphism of Polynomials. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 184–200. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  12. 12.
    Courtois, N., Goubin, L., Patarin, J.: Improved Algorithms for Isomorphism of Polynomials - (extended Version), available from:
  13. 13.
    Courtois, N., Goubin, L., Patarin, J.: SFLASH, a Fast Asymmetric Signature Scheme for low-cost Smartcards – Primitive Specification and Supporting Documentation, available at:
  14. 14.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  15. 15.
    Cox, D.A., Little, J.B., O’Shea, D.: Ideals, Varieties, and Algorithms: an Introduction to Computational Algebraic Geometry and Commutative Algebra. Undergraduate Texts in Mathematics. Springer, New York (1992)CrossRefzbMATHGoogle Scholar
  16. 16.
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases (F 4). Journal of Pure and Applied Algebra 139(1-3), 61–88 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Basis without Reduction to Zero: F5. In: Proceedings of ISSAC, pp. 75–83. ACM press, New York (2002)Google Scholar
  18. 18.
    Faugère, J.-C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems using Gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. 19.
    Faugère, J.C., Gianni, P., Lazard, D., Mora, T.: Efficient Computation of Zero-Dimensional Gröbner Bases by Change of Ordering. Journal of Symbolic Computation 16(4), 329–344 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Felke, P.: On certain Families of HFE-type Cryptosystems. In: Ytrehus, Ø. (ed.) WCC 2005. LNCS, vol. 3969, pp. 229–241. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  21. 21.
    Fortin, S.: The Graph Isomorphism problem. Technical Report 96-20, University of Alberta (1996)Google Scholar
  22. 22.
    Garey, M.R., Johnson, D.B.: Computers and Intractability. A Guide to the Theory of NP-Completeness. W. H. Freeman, New York (1979)zbMATHGoogle Scholar
  23. 23.
    Geiselmann, W., Steinwandt, R., Beth, T.: Attacking the Affine Parts of SFLASH. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 355–359. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  24. 24.
    Hoffman, M.: Group-Theoretic Algorithms and Graph Isomorphism. LNCS, vol. 136. Springer, Heidelberg (1982)Google Scholar
  25. 25.
  26. 26.
    Matsumoto, T., Imai, H.: Public Quadratic Polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)CrossRefGoogle Scholar
  27. 27.
  28. 28.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  29. 29.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymmetric Algorithms – (extended Version), available from:
  30. 30.
    Patarin, J.: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 1988. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. 1.LIP6France
  2. 2.UCL, Crypto Group, Microelectronic LaboratoryBelgium

Personalised recommendations