The Security of Hidden Field Equations (HFE)

  • Nicolas T. Courtois
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2020)


We consider the basic version of the asymmetric cryptosy- stem HFE from Eurocrypt 96.

We propose a notion of non-trivial equations as a tentative to account for a large class of attacks on one-way functions. We found equations that give experimental evidence that basic HFE can be broken in expected polynomial time for any constant degree d. It has been independently proven by Shamir and Kipnis [Crypto’99].

We designed and implemented a series of new advanced attacks that are much more efficient that the Shamir-Kipnis attack. They are practical for HFE degree d ≤ 24 and realistic up to d = 128. The 80-bit, 500$ Patarin’s 1st challenge on HFE can be broken in about 262.

Our attack is subexponential and requires n 32log d computations. The original Shamir-Kipnis attack was in at least n log2 d . We show how to improve the Shamir-Kipnis attack, by using a better method of solving the involved algebraical problem MinRank. It becomes then in n 3 log d+O(1).

All attacks fail for modified versions of HFE: HFE- (Asiacrypt’98), vHFE (Eurocrypt’99), Quartz (RSA’2000) and even for Flash (RSA’2000).


asymmetric cryptography finite fields one-way functions Hidden Field Equation HFE problem basic HFE MinRank problem short signature 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Don Coppersmith, Jacques Stern, Serge Vaudenay: Attacks on the birational permutation signature schemes; CRYPTO 93, Springer-Verlag, pp. 435–443.Google Scholar
  2. 2.
    Don Coppersmith, Samuel Winograd: “Matrix multiplication via arithmetic progressions”; J. Symbolic Computation (1990), 9, pp. 251–280.zbMATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Nicolas Courtois: La séxcurité des primitives cryptographiques basées sur les problèmes algébriques multivariables MQ, IP, MinRank, et HFE, PhD thesis, Paris 6 University, to appear in 2001, partly in English.Google Scholar
  4. 4.
    Nicolas Courtois: The HFE cryptosystem home page. Describes all aspects of HFE and allows to download an example of HFE challenge.
  5. 5.
    Nicolas Courtois: The Minrank problem. MinRank, a new Zero-knowledge scheme based on the NP-complete problem. Presented at the rump session of Crypto 2000, available at
  6. 6.
    Michael Garey, David Johnson: Computers and Intractability, a guide to the theory of NP-completeness, Freeman, p. 251.Google Scholar
  7. 7.
    J. von zur Gathen, Victor Shoup, “Computing Fröbenius maps and factoring polynomials”, Proceedings of the 24th Annual ACM Symposium in Theory of Computation, ACM Press, 1992.Google Scholar
  8. 8.
    Neal Koblitz: “Algebraic aspects of cryptography”; Springer-Verlag, ACM3, 1998, Chapter 4: “Hidden Monomial Cryptosystems”, pp. 80–102.Google Scholar
  9. 9.
    Tsutomu Matsumoto, Hideki Imai: “Public Quadratic Polynomial-tuples for efficient signature-verification and message-encryption”, Eurocrypt’88, Springer-Verlag 1998, pp. 419–453.Google Scholar
  10. 10.
    Tsutomu Matsumoto, Hideki Imai: “A class of asymmetric cryptosystems based on polynomials over finite rings”; 1983 IEEE International Symposium on Information Theory, Abstract of Papers, pp.131–132, September 1983.Google Scholar
  11. 11., a non-profit web site dedicated to MinRank and Multi-variate Cryptography in general.
  12. 12.
    Peter L. Montgomery: A Block Lanczos Algorithm for Finding Dependencies over GF(2); Eurocrypt’95, LNCS, Springer-Verlag.Google Scholar
  13. 13.
    Jacques Patarin: “Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt’88”; Crypto’95, Springer-Verlag, pp. 248–261.Google Scholar
  14. 14.
    Jacques Patarin: “Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymmetric Algorithms”; Eurocrypt’96, Springer Verlag, pp. 33–48. The extended version can be found at
  15. 15.
    Jacques Patarin: La Cryptographie Multivariable; Mémoire d’habilitation à diriger des recherches de l’Université Paris 7, 1999.Google Scholar
  16. 16.
    Jacques Patarin, Nicolas Courtois, Louis Goubin: “C*-+ and HM-Variations around two schemes of T. Matsumoto and H. Imai”; Asiacrypt 1998, Springer-Verlag, pp. 35–49.Google Scholar
  17. 17.
    Jacques Patarin, Aviad Kipnis, Louis Goubin: “Unbalanced Oil and Vinegar Signature Schemes”; Eurocrypt 1999, Springer-Verlag.Google Scholar
  18. 18.
    Jacques Patarin, Louis Goubin: “Asymmetric Cryptography with Multivariate Polynomials over Finite Fields”; a draft with a compilation of various papers and some unpublished work, Bull PTS, ask from authors.Google Scholar
  19. 19.
    Jacques Patarin, Louis Goubin, Nicolas Courtois: Quartz, 128-bit long digital signatures; Cryptographers’ Track Rsa Conference 2001, San Francisco 8–12 April 2001, to appear in Springer-Verlag.Google Scholar
  20. 20.
    Jacques Patarin, Louis Goubin, Nicolas Courtois: Flash, a fast multivariate signature algorithm; Cryptographers’ Track Rsa Conference 2001, San Francisco 8–12 April 2001, to appear in Springer-Verlag.Google Scholar
  21. 21.
    Adi Shamir, Nicolas Courtois, Jacques Patarin, Alexander Klimov, Efficient Algorithms for solving Over defined Systems of Multivariate Polynomial Equations, in Advances in Cryptology, Proceedings of EUROCRYPT’2000, LNCS n˚1807, Springer, 2000, pp. 392–407.Google Scholar
  22. 22.
    Adi Shamir, Aviad Kipnis: “Cryptanalysis of the Oil and Vinegar Signature Scheme”; Crypto’98, Springer-Verlag.Google Scholar
  23. 23.
    Adi Shamir, Aviad Kipnis: “Cryptanalysis of the HFE Public Key Cryptosystem”; Crypto’99. Can be found at
  24. 24.
    J.O. Shallit, G.S. Frandsen, J.F. Buss, The computational complexity of some problems of linear algebra, BRICS series report, Aarhus, Denmark, RS-96-33. Available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
  1. 1.Modélisation et SignalUniversitéde Toulon et du VarFrance

Personalised recommendations