A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9020)


We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial time key-recovery attack that finds an equivalent key using the idea of so-called good keys. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial-time assuming some mild algebraic assumptions. We highlight that our theoretical results work in characteristic \(2\) which is known to be the most difficult case to address in theory for MinRank attacks and also without any restriction on the number of polynomials removed from the public-key. This was not the case for previous MinRank like-attacks against \(\mathcal {MQ}\) schemes. From a practical point of view, we are able to break an MQQ-SIG instance of \(80\) bits security in less than \(2\) days, and one of the more conservative MQQ-ENC instances of \(128\) bits security in little bit over \(9\) days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure.


MQ cryptography MQQ cryptosystems Equivalent keys Good keys MinRank Gröbner bases 


  1. 1.
    Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  2. 2.
    Bardet, M., Faugère, J.C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proc. of International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)Google Scholar
  3. 3.
    Bardet, M., Faugère, J.C., Salvy, B., Yang, B.Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proc. of MEGA 2005, Eighth Int. Symposium on Effective Methods in Algebraic Geometry (2005)Google Scholar
  4. 4.
    Bernstein, D.J., Lange, T. (eds.): eBACS: ECRYPT Benchmarking of Cryptographic Systems (2014).
  5. 5.
    Bettale, L., Faugère, J.-C., Perret, L.: Cryptanalysis of multivariate and odd-characteristic HFE variants. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 441–458. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  6. 6.
    Bettale, L., Faugre, J.C., Perret, L.: Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Designs, Codes and Cryptography 69(1), 1–52 (2013)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Billet, O., Gilbert, H.: Cryptanalysis of rainbow. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 336–347. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  8. 8.
    Bosma, W., Cannon, J., Playoust, C.: The Magma Algebra System. I. The User Language. J. Symbolic Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory (London, 1993)CrossRefzbMATHMathSciNetGoogle Scholar
  9. 9.
    Bouillaguet, C.: Etudes d’hypothèses algorithmiques et attaques de primitives cryptographiques. Ph.D. thesis, Paris Diderot, France (2011)Google Scholar
  10. 10.
    Buss, W., Frandsen, G., Shallit, J.: The computational complexity of some problems of linear algebra. Journal of Computer and System Sciences (1999)Google Scholar
  11. 11.
    Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM Cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 44. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  12. 12.
    Courtois, N., Goubin, L., Patarin, J.: Sflash, a fast asymmetric signature scheme for low-cost smartcards - primitive specification and supporting documentation.
  13. 13.
    Courtois, N.T.: Efficient zero-knowledge authentication based on a linear algebra problem minrank. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, p. 402. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  14. 14.
    Ding, J., Yang, B.-Y., Chen, C.-H.O., Chen, M.-S., Cheng, C.-M.: New differential-algebraic attacks and reparametrization of rainbow. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 242–257. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  15. 15.
    Dubois, V., Fouque, P.-A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  16. 16.
    ETSI: 2nd Quantum-Safe Crypto Workshop in partnership with the IQC. (Retrieved: September 2014)
  17. 17.
    Faugère, J.C., Din, M.S.E., Spaenlehauer, P.J.: Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1, 1): Algorithms and complexity. J. Symb. Comput. 46(4), 406–437 (2011)CrossRefzbMATHGoogle Scholar
  18. 18.
    Faugère, J.-C., Levy-dit-Vehel, F., Perret, L.: Cryptanalysis of minrank. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 280–296. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  19. 19.
    Faugère, J.-C., Ødegård, R.S., Perret, L., Gligoroski, D.: Analysis of the MQQ public key cryptosystem. In: Heng, S.-H., Wright, R.N., Goi, B.-M. (eds.) CANS 2010. LNCS, vol. 6467, pp. 169–183. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  20. 20.
    Gantmacher, F.: The Theory of Matrices, Vol. 1. Chelsea (1959)Google Scholar
  21. 21.
    Gligoroski, D., Markovski, S., Knapskog, S.J.: Multivariate quadratic trapdoor functions based on multivariate quadratic quasigroups. In: Proc. of the American Conference on Applied Mathematics, MATH, pp. 44–49. World Scientific and Engineering Academy and Society (WSEAS) (2008)Google Scholar
  22. 22.
    Gligoroski, D., Ødegård, R.S., Jensen, R.E., Perret, L., Faugère, J.-C., Knapskog, S.J., Markovski, S.: MQQ-SIG. In: Chen, L., Yung, M., Zhu, L. (eds.) INTRUST 2011. LNCS, vol. 7222, pp. 184–203. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  23. 23.
    Gligoroski, D., Samardjiska, S.: The Multivariate Probabilistic Encryption Scheme MQQ-ENC. In: SCC (2012)Google Scholar
  24. 24.
    Imai, H., Matsumoto, T.: Algebraic methods for constructing asymmetric cryptosystems. In: Calmet, J. (ed.) Algebraic Algorithms and Error-Correcting Codes. LNCS, vol. 229, pp. 108–119. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  25. 25.
    Jiang, X., Ding, J., Hu, L.: Kipnis-shamir attack on HFE revisited. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds.) Inscrypt 2007. LNCS, vol. 4990, pp. 399–411. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  26. 26.
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 206. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  27. 27.
    Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 19. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  28. 28.
    MacWilliams, J.: Orthogonal matrices over finite fields. Orthogonal matrices over finite fields. The American Mathematical Monthly 76(2), 152–164 (1969)CrossRefzbMATHMathSciNetGoogle Scholar
  29. 29.
    Moh, T.T.: A public key system with signature and master key functions. Communications in Algebra 27(5), 2207–2222 (1999)CrossRefzbMATHMathSciNetGoogle Scholar
  30. 30.
    Mohamed, M.S.E., Ding, J., Buchmann, J., Werner, F.: Algebraic attack on the MQQ public key cryptosystem. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 392–401. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  31. 31.
    NESSIE: New european schemes for signatures, integrity, and encryption (2003). (Retrieved: September 2014)
  32. 32.
    NIST: Workshop on Cybersecurity in a Post-Quantum World. (Retrieved: September 2014)
  33. 33.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996) CrossRefGoogle Scholar
  34. 34.
    Perret, L.: A fast cryptanalysis of the isomorphism of polynomials with one secret problem. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 354–370. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  35. 35.
    Samardjiska, S., Chen, Y., Gligoroski, D.: Algorithms for construction of Multivariate Quadratic Quasigroups (MQQs) and their parastrophe operations in arbitrary galois fields. J. Inf. Assurance and Security 7(3), 146–172 (2012)Google Scholar
  36. 36.
    Thomae, E.: About the Security of Multivariate Quadratic Public Key Schemes. Ph.D. thesis, Ruhr-University Bochum, Germany (2013)Google Scholar
  37. 37.
    Thomae, E., Wolf, C.: Cryptanalysis of enhanced TTS, STS and all its variants, or: why cross-terms are important. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 188–202. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  38. 38.
    Wolf, C., Braeken, A., Preneel, B.: On the security of stepwise triangular systems. Designs, Codes and Cryptography 40(3), 285–302 (2006)CrossRefzbMATHMathSciNetGoogle Scholar
  39. 39.
    Wolf, C., Preneel, B.: Equivalent keys in HFE, C\(^{*}\), and variations. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 33–49. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  40. 40.
    Wolf, C., Preneel, B.: Large superfluous keys in multivariate quadratic asymmetric systems. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 275–287. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  41. 41.
    Wolf, C., Preneel, B.: Equivalent keys in multivariate quadratic public key systems. Journal of Mathematical Cryptology 4, 375–415 (2011)CrossRefMathSciNetGoogle Scholar
  42. 42.
    Yang, B.-Y., Chen, J.-M., Chen, Y.-H.: TTS: high-speed signatures on a low-cost smart card. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 371–385. Springer, Heidelberg (2004) CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.INRIA, Paris-Rocquencourt CenterParisFrance
  2. 2.Sorbonne Universités, UPMC Univ Paris 06 Équipe PolSys, LIP6ParisFrance
  3. 3.LIP6CNRS, UMR 7606ParisFrance
  4. 4.Department of TelematicsNTNUTrondheimNorway
  5. 5.FCSE, UKIMSkopjeMacedonia
  6. 6.Operational ServicesFrankfurtGermany

Personalised recommendations