Efficient Cryptanalysis of RSE(2)PKC and RSSE(2)PKC

  • Christopher Wolf
  • An Braeken
  • Bart Preneel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3352)


In this paper, we study the new class of step-wise Triangular Schemes (STS) of public key cryptosystems (PKC) based on multivariate quadratic polynomials. In these schemes, m is the number of equations, n the number of variables, L the number of steps/layers, r the number of equations/variables per step, and q the size of the underlying field. We present two attacks on the STS class that exploit the chain of the kernels of the private key polynomials. The first attack is an inversion attack which computes the message/signature for a given ciphertext/message in O(m n^3 L q^r + n^2 L r q^r) operations; the second is a structural attack which recovers an equivalent version of the secret key in O(m n^3 L q^r + m n^4) operations. Since the legitimate user already has workload q^r for decrypting/computing a signature, the attacks presented in this paper are very efficient. As an application, we show that two special instances of STS, namely RSE(2)PKC and RSSE(2)PKC, recently proposed by Kasahara and Sakai, are insecure.




  1. Computational Algebra Group, University of Sydney: The MAGMA Computational Algebra System for Algebra, Number Theory and Geometry.
  2. Coppersmith, D., Stern, J., Vaudenay, S.: Attacks on the birational permutation signature schemes. In: CRYPTO 1993 [7], pp. 435–443 (1994)
  3. Coppersmith, D., Stern, J., Vaudenay, S.: The security of the birational permutation signature schemes. Journal of Cryptology 10, 207–221 (1997)
  4. Courtois, N., Goubin, L., Meier, W., Tacier, J.-D.: Solving underdefined systems of multivariate quadratic equations. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 211–227. Springer, Heidelberg (2002)
  5. Courtois, N., Goubin, L., Patarin, J.: Quartz: Primitive specification (second revised version), 18 pages (October 2001)
  6. Courtois, N.T.: The security of Hidden Field Equations (HFE). In: CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)
  7. Stinson, D.R. (ed.): Advances in Cryptology — CRYPTO 1993. LNCS, vol. 773. Springer, Heidelberg (1993)
  8. Fell, H., Diffie, W.: Analysis of public key approach based on polynomial substitution. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 340–349. Springer, Heidelberg (1986)
  9. Garey, M.R., Johnson, D.S.: Computers and Intractability — A Guide to the Theory of NP-Completeness. W.H. Freeman and Company, New York (1979)
  10. Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000)
  11. Kasahara, M., Sakai, R.: private communication (April 3, 2004)
  12. Kasahara, M., Sakai, R.: A construction of public-key cryptosystem based on singular simultaneous equations. In: Symposium on Cryptography and Information Security — SCIS 2004; The Institute of Electronics, Information and Communication Engineers, January 27–30, p. 6 (2004)
  13. Kasahara, M., Sakai, R.: A construction of public key cryptosystem for realizing ciphertext of size 100 bit and digital signature scheme. IEICE Trans. Fundamentals E87-A(1), 102–109 (2004)
  14. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999); extended version: [15]
  15. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes — extended version, 17 pages (2003), citeseer/231623.html, 2003-06-11; based on [14]
  16. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. Elsevier Science Publisher, Amsterdam (1991)
  17. Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–545. Springer, Heidelberg (1988)
  18. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)
  19. Patarin, J.: Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)
  20. Patarin, J., Goubin, L.: Trapdoor one-way permutations and multivariate polynomials. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 356–368. Springer, Heidelberg (1997)
  21. Patarin, J., Goubin, L., Courtois, N.: Improved algorithms for Isomorphisms of Polynomials. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 184–200. Springer, Heidelberg (1998)
  22. Shamir, A.: Efficient signature schemes based on birational permutations. In: CRYPTO 1993 [7], pp. 1–12 (1994)
  23. Theobald, T.: How to break Shamir's asymmetric basis. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 136–147. Springer, Heidelberg (1995)
  24. Toli, I.: Cryptanalysis of HFE. arXiv preprint server, 7 pages (June 2003)

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Christopher Wolf (1)
  • An Braeken (1)
  • Bart Preneel (1)

  1. Department of Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Heverlee-Leuven, Belgium