Algebraic Cryptanalysis of the PKC’2009 Algebraic Surface Cryptosystem

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6056)


In this paper, we fully break the Algebraic Surface Cryptosystem (ASC for short) proposed at PKC'2009 [3]. This system is based on an unusual problem in multivariate cryptography: the Section Finding Problem. Given an algebraic surface \(X(x,y,t)\in\mathbb{F}_p[x,y,t]\) such that \(\deg_{xy} X(x,y,t)= w\), the question is to find a pair of polynomials of degree \(d\), \(u_x(t)\) and \(u_y(t)\), such that \(X(u_x(t),u_y(t),t) = 0\). In ASC, the public key is the surface, and the secret key is the section. This asymmetric encryption scheme enjoys reasonable key sizes: for the recommended parameters, the secret key is only 102 bits and the public key is 500 bits. In this paper, we propose a message recovery attack whose complexity is quasi-linear in the size of the secret key. The main idea of this algebraic attack is to decompose ideals deduced from the ciphertext, which avoids solving the section finding problem altogether. Experimental results show that we can break the cipher for the recommended parameters (security level \(2^{102}\)) in 0.05 seconds. Furthermore, the attack still applies even when the secret key is very large (more than 10000 bits). The complexity of the attack is \(\widetilde{\mathcal{O}}(w^{7} d \log(p))\), which is polynomial in all security parameters. In particular, it is quasi-linear in the size of the secret key, which is \((2d+2)\log(p)\). This result is rather surprising, since the algebraic attack is often more efficient than the legitimate decryption algorithm.


Keywords: Multivariate Cryptography, Algebraic Cryptanalysis, Section Finding Problem (SFP), Gröbner bases, Decomposition of ideals


References

1. Adams, W.W., Loustaunau, P.: An introduction to Gröbner bases. American Mathematical Society (1994)
2. Akiyama, K., Goto, Y.: An Algebraic Surface Public-key Cryptosystem. IEIC Technical Report (Institute of Electronics, Information and Communication Engineers) 104(421), 13–20 (2004)
3. Akiyama, K., Goto, Y., Miyake, H.: An Algebraic Surface Cryptosystem. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, p. 442. Springer, Heidelberg (2009)
4. Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proceedings of the International Conference on Polynomial System Solving, pp. 71–74 (2004)
5. Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proceedings of the Eighth International Symposium on Effective Methods in Algebraic Geometry, MEGA (2005)
6. Cox, D.A., Little, J.B., O'Shea, D.: Ideals, varieties, and algorithms: an introduction to computational algebraic geometry and commutative algebra. Springer, Heidelberg (1997)
7. Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999)
8. Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, pp. 75–83. ACM, New York (2002)
9. Faugère, J.-C., Gianni, P., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. Journal of Symbolic Computation 16(4), 329–344 (1993)
10. Garey, M.R., Johnson, D.S., et al.: Computers and Intractability: A Guide to the Theory of NP-completeness. W.H. Freeman, San Francisco (1979)
11. Ivanov, P., Voloch, J.F.: Breaking the Akiyama-Goto cryptosystem. Arithmetic, Geometry, Cryptography and Coding Theory 487 (2009)
12. Iwami, M.: A Reduction Attack on Algebraic Surface Public-Key Cryptosystems. In: Workshop of Research Institute for Mathematical Sciences (RIMS) Kyoto University, New development of research on Computer Algebra, RIMS Kokyuroku, vol. 1572. Springer, Heidelberg (2007)
13. Lazard, D.: Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations. In: EUROCAL, vol. 162, pp. 146–156. Springer, Heidelberg (1983)
14. Lecerf, G.: New recombination algorithms for bivariate polynomial factorization based on Hensel lifting. To appear in AAECC (2007)
15. Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)
16. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: SFCS 1994: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Washington, DC, USA, pp. 124–134. IEEE Computer Society Press, Los Alamitos (1994)
17. Uchiyama, S., Tokunaga, H.: On the Security of the Algebraic Surface Public-key Cryptosystems. In: Proceedings of SCIS (2007)
18. von zur Gathen, J., Gerhard, J.: Modern computer algebra. Cambridge University Press, Cambridge (2003)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

UPMC, Université Paris 06, LIP6, INRIA Centre Paris-Rocquencourt, SALSA Project, CNRS, UMR 7606, LIP6, Paris Cedex 05, France
