
Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic

Published in Designs, Codes and Cryptography

Abstract

We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system, instead of a univariate polynomial as in HFE, over an extension field as the private key. According to its authors, this should make the classical direct algebraic (message-recovery) attack proposed by Faugère and Joux on HFE no longer efficient against Multi-HFE. We consider here the hardness of key recovery in Multi-HFE and its variants, but also in HFE (for both odd and even characteristic). We first improve and generalize the basic key-recovery attack proposed by Kipnis and Shamir on HFE. To do so, we express this attack in terms of matrix/vector operations. On the one hand, this allows us to improve the basic Kipnis-Shamir (KS) attack on HFE. On the other hand, it allows us to generalize the attack to Multi-HFE. Due to its structure, we prove that a Multi-HFE scheme has many more equivalent keys than a basic HFE. This induces a structural weakness which can be exploited to adapt the KS attack against classical modifiers of multivariate schemes such as minus and embedding. Along the way, we discovered that the KS attack as initially described cannot be applied against HFE in characteristic 2. We have therefore substantially revised the KS attack in characteristic 2 to make it work. In all cases, the cost of our attacks is related to the complexity of solving MinRank. Thanks to recent complexity results on this problem, we prove that our attack is polynomial in the degree of the extension field for all practical settings used in HFE and Multi-HFE. This then makes Multi-HFE less secure than basic HFE for equally sized keys. As a proof of concept, we have been able to practically break the most conservative proposed parameters of Multi-HFE in a few days (256-bit security broken in 9 days).
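As an added illustration (not code from the paper), here is a toy instance of the MinRank problem that the abstract names as the cost driver of the attacks: over GF(2), given k matrices, find a non-zero combination of rank at most r. The instance, the GF(2) arithmetic and the planted solution are constructed here; the solver is exhaustive, whereas the paper's attacks exploit the structure of HFE-type instances to solve them in time polynomial in the extension degree.

```python
import random

def rank_gf2(matrix):
    """Rank over GF(2): Gaussian elimination on rows packed as integers."""
    rows = [sum(bit << j for j, bit in enumerate(row)) for row in matrix]
    rank = 0
    for col in range(len(matrix[0]) if matrix else 0):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> col & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):   # clear the pivot column in all other rows
            if i != rank and rows[i] >> col & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def combine_gf2(mats, coeffs):
    """GF(2) sum of the matrices whose coefficient is 1."""
    n = len(mats[0])
    out = [[0] * n for _ in range(n)]
    for m, c in zip(mats, coeffs):
        if c:
            out = [[out[i][j] ^ m[i][j] for j in range(n)] for i in range(n)]
    return out

def solve_minrank_gf2(mats, r):
    """Exhaustive MinRank: all non-zero GF(2) coefficient vectors with rank <= r."""
    # Exponential in k. The paper's point is that HFE/Multi-HFE instances are
    # structured enough for Groebner-basis methods to solve them in polynomial time.
    k = len(mats)
    solutions = []
    for bits in range(1, 1 << k):
        coeffs = [(bits >> i) & 1 for i in range(k)]
        if rank_gf2(combine_gf2(mats, coeffs)) <= r:
            solutions.append(coeffs)
    return solutions

def planted_instance(n, k, r, seed=1):
    """Constructed instance: M_1 = R + (secret combination of M_2..M_k), R of rank <= r."""
    rng = random.Random(seed)
    rnd = lambda rows, cols: [[rng.randint(0, 1) for _ in range(cols)] for _ in range(rows)]
    a, b = rnd(n, r), rnd(r, n)   # R = a * b over GF(2) has rank at most r
    low_rank = [[sum(a[i][t] & b[t][j] for t in range(r)) & 1 for j in range(n)] for i in range(n)]
    others = [rnd(n, n) for _ in range(k - 1)]
    secret = [1] + [rng.randint(0, 1) for _ in range(k - 1)]   # the planted solution
    first = combine_gf2([low_rank] + others, [1] + secret[1:])
    return [first] + others, secret
```

Calling `solve_minrank_gf2(*planted_instance(6, 5, 1)[:1], 1)` recovers the planted vector; with k public-key matrices the search space is 2^k, which is why the reduction to MinRank only pays off when the instance's structure can be exploited.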


References

  1. Adams W.W., Loustaunau P.: An Introduction to Gröbner Bases, Graduate Studies in Mathematics, vol. 3. AMS, Providence (1994).

  2. Bardet M., Faugère J.C., Salvy B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proceedings of International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004).

  3. Bardet M., Faugère J.C., Salvy B., Yang B.Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proceedings of MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry (2005).

  4. Bettale L., Faugère J.C., Perret L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 177–197 (2009).

  5. Bettale L., Faugère J.C., Perret L.: Cryptanalysis of multivariate and odd-characteristic HFE variants. In: Public Key Cryptography—PKC 2011. Lecture Notes in Computer Science, vol. 6571, pp. 441–458. Springer, Berlin (2011).

  6. Billet O., Patarin J., Seurin Y.: Analysis of intermediate field systems. In: SCC 2008 (2008).

  7. Bogdanov A., Eisenbarth T., Rupp A., Wolf C.: Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves? In: Cryptographic Hardware and Embedded Systems—CHES ’08, LNCS, pp. 45–61 (2008).

  8. Bosma W., Cannon J.J., Playoust C.: The Magma algebra system I: the user language. J. Symb. Comput. 24(3–4), 235–265 (1997).

  9. Buchberger B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, University of Innsbruck (1965).

  10. Buchberger B.: Bruno Buchberger's PhD thesis 1965: An algorithm for finding the basis elements of the residue class ring of a zero dimensional polynomial ideal. J. Symb. Comput. 41(3–4), 475–511 (2006).

  11. Buchberger B.: Comments on the translation of my PhD thesis. J. Symb. Comput. 41(3–4), 471–474 (2006).

  12. Buss W., Frandsen G., Shallit J.: The computational complexity of some problems of linear algebra. J. Comput. Syst. Sci. (1999).

  13. Chen C.H.O., Chen M.S., Ding J., Werner F., Yang B.Y.: Odd-char multivariate hidden field equations. Cryptology ePrint Archive (2008) http://eprint.iacr.org/2008/543.

  14. Chen A.I.T., Chen M.S., Chen T.R., Cheng C.M., Ding J., Kuo E.L.H., Lee F.Y.S., Yang B.Y.: SSE implementation of multivariate PKCs on modern x86 CPUs. In: Cryptographic Hardware and Embedded Systems—CHES 2009, Lecture Notes in Computer Science, vol. 5747, pp. 33–48. Springer, Berlin (2009).

  15. Courtois N.T.: Efficient zero-knowledge authentication based on a linear algebra problem MinRank. In: Advances in Cryptology—ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, pp. 402–421. Springer, Berlin (2001).

  16. Courtois N., Goubin L.: Cryptanalysis of the TTM cryptosystem. In: Advances in Cryptology—ASIACRYPT ’00, Lecture Notes in Computer Science, vol. 1976, pp. 44–57. Springer, Berlin (2000).

  17. Cox D.A., Little J.B., O'Shea D.: Ideals, Varieties and Algorithms. Springer, Berlin (2005).

  18. DeMillo R., Lipton R.: A probabilistic remark on algebraic program testing. Inf. Process. Lett. 7(4), 192–194 (1978).

  19. Ding J., Hodges T.J.: Inverting HFE systems is quasi-polynomial for all fields. In: Rogaway P. (ed.) CRYPTO, Lecture Notes in Computer Science, vol. 6841, pp. 724–742. Springer, Berlin (2011).

  20. Ding J., Schmidt D., Werner F.: Algebraic attack on HFE revisited. In: Information Security, Lecture Notes in Computer Science, vol. 5222, pp. 215–227. Springer, Berlin (2008).

  21. Dubois V., Gama N.: The degree of regularity of HFE systems. In: Advances in Cryptology—ASIACRYPT 2011, Lecture Notes in Computer Science, vol. 6477, pp. 557–576. Springer, Berlin (2011).

  22. Faugère J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 61–88 (1999).

  23. Faugère J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation ISSAC, pp. 75–83. ACM Press (2002).

  24. Faugère J.C.: Algebraic cryptanalysis of HFE using Gröbner bases. Research report RR-4738, INRIA http://hal.inria.fr/inria-00071849/PDF/RR-4738.pdf (2003).

  25. Faugère J.C.: FGb: a library for computing Gröbner bases. In: Fukuda K., Hoeven J., Joswig M., Takayama N. (eds.) Mathematical Software—ICMS 2010, Lecture Notes in Computer Science, vol. 6327, pp. 84–87. Springer, Berlin. http://www-salsa.lip6.fr/~jcf/Papers/ICMS.pdf (2010).

  26. Faugère J.C., Joux A.: Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner bases. In: Advances in Cryptology—CRYPTO 2003, Lecture Notes in Computer Science, vol. 2729, pp. 44–60. Springer, Berlin (2003).

  27. Faugère J.C., Levy-dit-Vehel F., Perret L.: Cryptanalysis of MinRank. In: Advances in Cryptology—CRYPTO 2008, Lecture Notes in Computer Science, vol. 5157, pp. 280–296. Springer, Berlin (2008).

  28. Faugère J.C., Safey El Din M., Spaenlehauer P.J.: Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology. In: Koepf W. (eds.), ISSAC, pp. 257–264. ACM (2010).

  29. Faugère J.C., Safey El Din M., Spaenlehauer P.J.: Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1,1): algorithms and complexity. J. Symb. Comput. 1–39 (2010).

  30. Faugère J.C., Safey El Din M., Spaenlehauer P.J.: On the complexity of the generalized MinRank problem, preprint (2011).

  31. Fröberg R.: An inequality for Hilbert series of graded algebras. Math. Scand. 56, 117–144 (1985).

  32. Garey M.R., Johnson D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, New York (1979).

  33. Granboulan L., Joux A., Stern J.: Inverting HFE is quasipolynomial. In: Advances in Cryptology—CRYPTO 2006, Lecture Notes in Computer Science, vol. 4117, pp. 345–356. Springer, Berlin (2006).

  34. Jiang X., Ding J., Hu L.: Kipnis-Shamir attack on HFE revisited. In: Information Security and Cryptology, Lecture Notes in Computer Science, vol. 4990, pp. 399–411. Springer, Berlin (2007).

  35. Kipnis A., Shamir A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Advances in Cryptology—CRYPTO ’99, Lecture Notes in Computer Science, vol. 1666, pp. 19–30. Springer, Berlin (1999).

  36. Kipnis A., Patarin J., Goubin L.: Unbalanced oil and vinegar signature schemes. In: Advances in Cryptology—EUROCRYPT ’99, Lecture Notes in Computer Science, vol. 1592, pp. 206–222. Springer, Berlin (1999).

  37. Matsumoto T., Imai H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Advances in Cryptology—EUROCRYPT ’88, Lecture Notes in Computer Science, vol. 330, pp. 419–453. Springer, Berlin (1988).

  38. Moh T.T.: A public key system with signature and master key functions. Commun. Algebra 27(5), 2207–2222 (1999).

  39. Nguyen P.: New trends in cryptology. European project STORK: Strategic roadmap for advances in cryptology—crypto, IST-2002-38273. http://www.di.ens.fr/~pnguyen/pub.html#Ng03 (2003).

  40. Patarin J.: Cryptoanalysis of the Matsumoto and Imai public key scheme of Eurocrypt ’88. In: Advances in Cryptology—CRYPTO ’95, pp. 248–261. Springer, Berlin (1995).

  41. Patarin J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: Advances in Cryptology—EUROCRYPT ’96, Lecture Notes in Computer Science, vol. 1070, pp. 33–48. Springer, Berlin (1996).

  42. Schwartz J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980).

  43. Szegö G.: Orthogonal Polynomials, 4th edn. American Mathematical Society, Providence (1939).

  44. Wang L.C., Hu Y.H., Lai F., Chou C.Y., Yang B.Y.: Tractable rational map signature. In: Public Key Cryptography—PKC ’05, Lecture Notes in Computer Science, vol. 3386, pp. 244–257. Springer, Berlin (2005).

  45. Wolf C., Preneel B.: Equivalent keys in HFE, C*, and variations. In: Progress in Cryptology—Mycrypt 2005, Lecture Notes in Computer Science, vol. 3715, pp. 33–49. Springer, Berlin (2005).

  46. Wolf C., Preneel B.: Large superfluous keys in multivariate quadratic asymmetric systems. In: Public Key Cryptography—PKC 2005, Lecture Notes in Computer Science, vol. 3386, pp. 275–287. Springer, Berlin (2005).

  47. Wolf C., Preneel B.: Equivalent keys in multivariate quadratic public key systems. J. Math. Cryptol. 4(4), 375–415 (2011).

  48. Zippel R.: Probabilistic algorithms for sparse polynomials. In: Symbolic and Algebraic Computation (EUROSAM’79), International Symposium, Lecture Notes in Computer Science, vol. 72, pp. 216–226. Springer, Berlin (1979).


Corresponding author

Correspondence to Luk Bettale.

Additional information

Communicated by I. Shparlinski.


Cite this article

Bettale, L., Faugère, JC. & Perret, L. Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Cryptogr. 69, 1–52 (2013). https://doi.org/10.1007/s10623-012-9617-2
