The Security of Hidden Field Equations (HFE)
We consider the basic version of the asymmetric cryptosystem HFE from Eurocrypt'96.
We propose a notion of non-trivial equations as a tentative way to account for a large class of attacks on one-way functions. We found equations that give experimental evidence that basic HFE can be broken in expected polynomial time for any constant degree d. This was independently proven by Shamir and Kipnis [Crypto'99].
We designed and implemented a series of new advanced attacks that are much more efficient than the Shamir-Kipnis attack. They are practical for HFE degree d ≤ 24 and realistic up to d = 128. Patarin's first HFE challenge (80 bits, $500 prize) can be broken in about $2^{62}$ operations.
Our attack is subexponential and requires $n^{\frac{3}{2}\log d}$ computations. The original Shamir-Kipnis attack was in at least $n^{\log^2 d}$. We show how to improve the Shamir-Kipnis attack by using a better method of solving the involved algebraic problem MinRank; it then runs in $n^{3\log d + O(1)}$.
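The complexity figures above are all driven by log d rather than d, and the reason is structural. The following toy implementation of basic HFE over GF(2^8) is an added example written for this page, not code from the paper or from Patarin's HFE: the hidden polynomial F has only exponents of the form 2^i + 2^j, 2^i and 0 with degree at most d, S and T are random invertible affine maps on GF(2)^n, and the public key is P = T ∘ F ∘ S. The block checks that P is quadratic over GF(2) (and that a single exponent outside that shape, X^7, breaks quadraticity even though 7 < d), and that the quadratic form of F in the Frobenius basis X, X^2, X^4, ... has rank at most ⌊log₂ d⌋ + 1, the low-rank MinRank instance that the Kipnis-Shamir attack [23] exploits. The parameters n = 8, d = 17, the modulus polynomial, the seeds and all function names are assumptions chosen for the example.

```python
"""Toy basic HFE over GF(2^n): added example, not code from the paper.
Ints double as GF(2)^n vectors and as GF(2^n) elements in the polynomial
basis, so phi is the identity; n = 8, d = 17, MOD and the seeds are demo assumptions."""
import random

N = 8
MOD = 0b100011101  # x^8 + x^4 + x^3 + x^2 + 1, irreducible over GF(2)

def gf_mul(a, b):
    r = 0  # multiply in GF(2^N) = GF(2)[x]/(MOD)
    while b:
        if b & 1: r ^= a
        b, a = b >> 1, a << 1
        if a >> N: a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1: r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gfn_rank(M):
    """Gauss-Jordan rank over GF(2^N); a 0/1 matrix gives the rank over GF(2)."""
    M, rank = [row[:] for row in M], 0
    for col in range(len(M[0])):
        piv = next((i for i in range(rank, len(M)) if M[i][col]), None)
        if piv is None: continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = gf_pow(M[rank][col], (1 << N) - 2)  # a^(2^N-2) = a^-1
        M[rank] = [gf_mul(inv, v) for v in M[rank]]
        for i in range(len(M)):
            if i != rank and M[i][col]:
                f = M[i][col]
                M[i] = [v ^ gf_mul(f, w) for v, w in zip(M[i], M[rank])]
        rank += 1
    return rank

def random_affine(rng):
    while True:  # invertible affine map on GF(2)^N: (images of basis vectors, constant)
        cols = [rng.getrandbits(N) for _ in range(N)]
        if gfn_rank([[cols[j] >> i & 1 for j in range(N)] for i in range(N)]) == N:
            return cols, rng.getrandbits(N)

def affine(m, x):
    cols, y = m
    for i in range(N):
        if x >> i & 1: y ^= cols[i]
    return y

def hfe_poly(d, rng):
    """F(X) = sum a_ij X^(2^i+2^j) + sum b_i X^(2^i) + c with deg F <= d; only
    the r = floor(log2 d) + 1 Frobenius powers X^(2^i), 2^i <= d, can occur."""
    r = d.bit_length()
    A = [[rng.randrange(1 << N) if i <= j and (1 << i) + (1 << j) <= d else 0
          for j in range(r)] for i in range(r)]
    return A, [rng.randrange(1 << N) for _ in range(r)], rng.randrange(1 << N)

def hfe_eval(F, x):
    A, B, y = F
    fro = [gf_pow(x, 1 << i) for i in range(len(A))]  # x, x^2, x^4, ...
    for i, b in enumerate(B):
        y ^= gf_mul(b, fro[i])
        for j in range(i, len(A)):
            y ^= gf_mul(A[i][j], gf_mul(fro[i], fro[j]))
    return y

def keygen(d, seed=1):
    rng = random.Random(seed)
    return random_affine(rng), hfe_poly(d, rng), random_affine(rng)  # S, F, T

def public_map(pk):
    """P = T o F o S; only P, as n quadratic polynomials over GF(2), is public."""
    return lambda x: affine(pk[2], hfe_eval(pk[1], affine(pk[0], x)))

def cubic_variant(pk):
    """Same keys plus a term X^7 = X^(1+2+4), an exponent outside the HFE shape."""
    return lambda x: affine(pk[2], hfe_eval(pk[1], affine(pk[0], x)) ^ gf_pow(affine(pk[0], x), 7))

def is_quadratic(P, seed=2, trials=200):
    """deg P <= 2 over GF(2) iff its third finite difference, the XOR of P over
    the 8 corners of every cube x + {0,a} + {0,b} + {0,c}, is zero."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, a, b, c = (rng.getrandbits(N) for _ in range(4))
        d3 = 0
        for m in range(8):
            d3 ^= P(x ^ a * (m & 1) ^ b * (m >> 1 & 1) ^ c * (m >> 2))
        if d3: return False
    return True

def quadratic_form_rank(F):
    """Rank over GF(2^N) of the n x n matrix of F's quadratic part in the basis
    X, X^2, X^4, ...: nonzero only in the top-left r x r block, hence <= r."""
    A = F[0]
    M = [[A[i][j] if max(i, j) < len(A) else 0 for j in range(N)] for i in range(N)]
    return gfn_rank(M)
```

With pk = keygen(17), is_quadratic(public_map(pk)) holds while is_quadratic(cubic_variant(pk)) fails, and quadratic_form_rank(pk[1]) is at most 5 = ⌊log₂ 17⌋ + 1 although the matrix is 8 × 8. That gap between n and log d is exactly what the attacker sees: the public key is an n-variable quadratic system, but behind it sits a rank-about-log d object, so the cost of recovering it grows as n^{O(log d)} rather than exponentially in n.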
All attacks fail for modified versions of HFE: HFE- (Asiacrypt’98), vHFE (Eurocrypt’99), Quartz (RSA’2000) and even for Flash (RSA’2000).
Keywords: asymmetric cryptography, finite fields, one-way functions, Hidden Field Equations, HFE problem, basic HFE, MinRank problem, short signature
- 1. Don Coppersmith, Jacques Stern, Serge Vaudenay: Attacks on the birational permutation signature schemes; Crypto'93, Springer-Verlag, pp. 435–443.
- 3. Nicolas Courtois: La sécurité des primitives cryptographiques basées sur les problèmes algébriques multivariables MQ, IP, MinRank, et HFE (The security of cryptographic primitives based on the multivariate algebraic problems MQ, IP, MinRank and HFE); PhD thesis, Paris 6 University, to appear in 2001, partly in English.
- 4. Nicolas Courtois: The HFE cryptosystem home page. Describes all aspects of HFE and allows downloading an example HFE challenge. http://www.hfe.minrank.org
- 5. Nicolas Courtois: The MinRank problem. MinRank, a new zero-knowledge scheme based on the NP-complete problem; presented at the rump session of Crypto 2000, available at http://www.minrank.org
- 6. Michael Garey, David Johnson: Computers and Intractability, a guide to the theory of NP-completeness; Freeman, p. 251.
- 7. J. von zur Gathen, Victor Shoup: Computing Frobenius maps and factoring polynomials; Proceedings of the 24th Annual ACM Symposium on Theory of Computing, ACM Press, 1992.
- 8. Neal Koblitz: Algebraic aspects of cryptography; Springer-Verlag, ACM3, 1998, Chapter 4: Hidden Monomial Cryptosystems, pp. 80–102.
- 9. Tsutomu Matsumoto, Hideki Imai: Public Quadratic Polynomial-tuples for efficient signature-verification and message-encryption; Eurocrypt'88, Springer-Verlag, 1988, pp. 419–453.
- 10. Tsutomu Matsumoto, Hideki Imai: A class of asymmetric cryptosystems based on polynomials over finite rings; 1983 IEEE International Symposium on Information Theory, Abstracts of Papers, pp. 131–132, September 1983.
- 11. http://www.minrank.org, a non-profit web site dedicated to MinRank and multivariate cryptography in general.
- 12. Peter L. Montgomery: A Block Lanczos Algorithm for Finding Dependencies over GF(2); Eurocrypt'95, LNCS, Springer-Verlag.
- 13. Jacques Patarin: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88; Crypto'95, Springer-Verlag, pp. 248–261.
- 14. Jacques Patarin: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymmetric Algorithms; Eurocrypt'96, Springer-Verlag, pp. 33–48. The extended version can be found at http://www.minrank.org/scourtois/hfe.ps
- 15. Jacques Patarin: La Cryptographie Multivariable (Multivariate Cryptography); Mémoire d'habilitation à diriger des recherches (habilitation thesis), Université Paris 7, 1999.
- 16. Jacques Patarin, Nicolas Courtois, Louis Goubin: C*-+ and HM: Variations around two schemes of T. Matsumoto and H. Imai; Asiacrypt'98, Springer-Verlag, pp. 35–49.
- 17. Jacques Patarin, Aviad Kipnis, Louis Goubin: Unbalanced Oil and Vinegar Signature Schemes; Eurocrypt'99, Springer-Verlag.
- 18. Jacques Patarin, Louis Goubin: Asymmetric Cryptography with Multivariate Polynomials over Finite Fields; a draft compiling various papers and some unpublished work, Bull PTS, available from the authors.
- 19. Jacques Patarin, Louis Goubin, Nicolas Courtois: Quartz, 128-bit long digital signatures; Cryptographers' Track, RSA Conference 2001, San Francisco, 8–12 April 2001, to appear, Springer-Verlag.
- 20. Jacques Patarin, Louis Goubin, Nicolas Courtois: Flash, a fast multivariate signature algorithm; Cryptographers' Track, RSA Conference 2001, San Francisco, 8–12 April 2001, to appear, Springer-Verlag.
- 21. Adi Shamir, Nicolas Courtois, Jacques Patarin, Alexander Klimov: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations; Advances in Cryptology, Proceedings of Eurocrypt 2000, LNCS 1807, Springer-Verlag, 2000, pp. 392–407.
- 22. Adi Shamir, Aviad Kipnis: Cryptanalysis of the Oil and Vinegar Signature Scheme; Crypto'98, Springer-Verlag.
- 23. Adi Shamir, Aviad Kipnis: Cryptanalysis of the HFE Public Key Cryptosystem; Crypto'99. Available at http://www.minrank.org/~courtois/hfesubreg.ps
- 24. J.O. Shallit, G.S. Frandsen, J.F. Buss: The computational complexity of some problems of linear algebra; BRICS report series RS-96-33, Aarhus, Denmark. Available at http://www.brics.dk/RS/96/33