The Security of Hidden Field Equations (HFE)

We consider the basic version of the asymmetric cryptosystem HFE from Eurocrypt 96. We propose a notion of non-trivial equations as a first attempt to account for a large class of attacks on one-way functions. We found equations that give experimental evidence that basic HFE can be broken in expected polynomial time for any constant degree d; this has been independently proven by Shamir and Kipnis [Crypto'99]. We designed and implemented a series of new advanced attacks that are much more efficient than the Shamir-Kipnis attack. They are practical for HFE degree d ≤ 24 and realistic up to d = 128. Patarin's first HFE challenge (80 bits, $500) can be broken in about 2^62 operations. Our attack is subexponential and requires n^((3/2) log d) computations, whereas the original Shamir-Kipnis attack costs at least n^(log_2 d). We show how to improve the Shamir-Kipnis attack by using a better method of solving the underlying algebraic problem, MinRank; it then costs n^(3 log d + O(1)). All of these attacks fail for the modified versions of HFE: HFE- (Asiacrypt'98), vHFE (Eurocrypt'99), Quartz (RSA'2000) and even Flash (RSA'2000).
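A check of the cost figures quoted in the abstract, added here and not part of the paper's text: Patarin's first HFE challenge has n = 80, and its degree, a published challenge parameter that the abstract does not restate, is d = 96. Taking all logarithms to base 2,

$$\log_2 80 \approx 6.32, \qquad \log_2 96 \approx 6.58,$$

$$n^{\frac{3}{2}\log_2 d} \;=\; 2^{\frac{3}{2}\,\log_2 d\,\cdot\,\log_2 n} \;\approx\; 2^{1.5 \cdot 6.58 \cdot 6.32} \;\approx\; 2^{62.4},$$

which reproduces the 2^62 figure for the new attack, while the improved Shamir-Kipnis attack on the same parameters costs at least

$$n^{3\log_2 d + O(1)} \;\ge\; 2^{3 \cdot 6.58 \cdot 6.32} \;\approx\; 2^{125}.$$

The halving of the exponent, from 3 log d to (3/2) log d, is the whole difference between an attack that is far out of reach and one that is merely expensive at challenge size.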
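To make concrete what "basic HFE" and its degree parameter d refer to, the following toy implementation, added here and not code from the paper or from Patarin's proposal, builds an HFE key over GF(2^n) with the small assumed parameters n = 9 and d = 17, expresses the public key as n quadratic polynomials over GF(2) (the object all the attacks above take as input), encrypts with it, and inverts the trapdoor with the private key. The field polynomial, the parameters and every function name are our choices; real instances use n ≥ 80 and a proper root-finding algorithm in place of the brute-force search in `decrypt`.

```python
# Toy model of basic HFE (Patarin, Eurocrypt 96) over GF(2)^N. Added here as an
# illustration, not the paper's code; N, IRRED, D and all names are assumptions.
from functools import reduce
from itertools import combinations
from operator import xor
import random

N = 9                  # extension degree: plaintexts and ciphertexts are N bits
IRRED = 0b1000010001   # x^9 + x^4 + 1, irreducible over GF(2), defines GF(2^9)
D = 17                 # HFE degree bound d: private exponents are <= D

def gf_mul(a, b):
    """Multiply GF(2^N) elements held as N-bit ints (polynomial basis)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # reduce modulo the field polynomial
            a ^= IRRED
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^N)."""
    r = 1
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

def hfe_exponents(d):
    """0, 2^i and 2^i + 2^j up to d: x -> x^(2^i) is GF(2)-linear, so F is at
    most quadratic in the N coordinates, hence the quadratic public key."""
    powers = [1 << i for i in range(d.bit_length())]      # every 2^i <= d
    return sorted({0, *powers, *(p + q for p in powers for q in powers if p + q <= d)})

def hfe_eval(F, x):
    """Evaluate the private univariate polynomial F = {exponent: coefficient}."""
    return reduce(xor, (gf_mul(c, gf_pow(x, e)) for e, c in F.items()), 0)

def gf2_mat_inv(rows):
    """Invert an N x N GF(2) matrix given as N row bitmasks; None if singular."""
    aug = [(rows[i], 1 << i) for i in range(N)]           # [A | I]
    for col in range(N):
        piv = next((r for r in range(col, N) if aug[r][0] >> col & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(N):
            if r != col and aug[r][0] >> col & 1:
                aug[r] = (aug[r][0] ^ aug[col][0], aug[r][1] ^ aug[col][1])
    return [inv for _, inv in aug]

def mat_vec(rows, x):
    """GF(2) matrix-vector product: output bit k = parity(rows[k] & x)."""
    return sum((bin(rows[k] & x).count("1") & 1) << k for k in range(N))

def keygen(seed=1):
    """Private key: random F plus secret affine bijections S and T, each stored
    as (matrix, offset, inverse matrix). Returns (private key, public key)."""
    rng = random.Random(seed)
    F = {e: rng.randrange(1 << N) for e in hfe_exponents(D)}
    affine = []
    while len(affine) < 2:
        M = [rng.randrange(1, 1 << N) for _ in range(N)]
        if (Minv := gf2_mat_inv(M)) is not None:
            affine.append((M, rng.randrange(1 << N), Minv))
    sk = (F, affine[0], affine[1])
    return sk, public_key(sk)

def private_forward(sk, x):
    """P(x) = T(F(S(x))) evaluated with the private key."""
    F, (S, Sv, _), (T, Tv, _) = sk
    return mat_vec(T, hfe_eval(F, mat_vec(S, x) ^ Sv)) ^ Tv

def public_key(sk):
    """N quadratic polynomials over GF(2), interpolated from P at 0, e_i and
    e_i + e_j (exact because P is quadratic). Coefficients are packed: bit k of
    lin[i] is the x_i coefficient of the k-th polynomial, likewise quad[(i, j)]."""
    c = private_forward(sk, 0)
    lin = [private_forward(sk, 1 << i) ^ c for i in range(N)]
    quad = {(i, j): private_forward(sk, (1 << i) | (1 << j)) ^ lin[i] ^ lin[j] ^ c
            for i, j in combinations(range(N), 2)}
    return c, lin, quad

def pk_eval(pk, x):
    """Encrypt: evaluate the public quadratic system at plaintext x."""
    c, lin, quad = pk
    bits = [i for i in range(N) if x >> i & 1]
    return reduce(xor, [c, *(lin[i] for i in bits), *(quad[p] for p in combinations(bits, 2))])

def decrypt(sk, y):
    """Invert the trapdoor: undo T, find all roots of F(x) = w in GF(2^N) (brute
    force here; real sizes use polynomial root finding), undo S. F need not be
    injective, so several candidates can come back; HFE adds redundancy for that."""
    F, (S, Sv, Sinv), (T, Tv, Tinv) = sk
    w = mat_vec(Tinv, y ^ Tv)
    return [mat_vec(Sinv, r ^ Sv) for r in range(1 << N) if hfe_eval(F, r) == w]
```

Calling `keygen(seed=7)` and then `pk_eval(pk, m)` followed by `decrypt(sk, ...)` round-trips a plaintext; comparing `pk_eval` against `private_forward` on every one of the 2^9 inputs confirms that the composition really is quadratic, which is the property that makes the public key a set of quadratic equations and the degree bound d the parameter the attacks in the abstract depend on. Only the private polynomial sees d; the public key looks the same for every d, and the attacks exploit the fact that it nonetheless hides a low-degree univariate polynomial.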

[1] Louis Goubin, et al. Unbalanced Oil and Vinegar Signature Schemes, 1999, EUROCRYPT.

[2] David S. Johnson, et al. Computers and Intractability: A Guide to the Theory of NP-Completeness, 1978.

[3] Jacques Stern, et al. Attacks on the Birational Permutation Signature Schemes, 1993, CRYPTO.

[4] Jacques Patarin, et al. Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms, 1996, EUROCRYPT.

[5] Adi Shamir, et al. Cryptanalysis of the Oil & Vinegar Signature Scheme, 1998, CRYPTO.

[6] Louis Goubin, et al. QUARTZ, 128-Bit Long Digital Signatures, 2001, CT-RSA.

[7] Neal Koblitz. Hidden Monomial Cryptosystems, 1998.

[8] Jacques Patarin, et al. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88, 1995, CRYPTO.

[9] Peter L. Montgomery, et al. A Block Lanczos Algorithm for Finding Dependencies Over GF(2), 1995, EUROCRYPT.

[10] Jeffrey Shallit, et al. The Computational Complexity of Some Problems of Linear Algebra, 1996.

[11] Hideki Imai, et al. Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption, 1988, EUROCRYPT.

[12] Adi Shamir, et al. Cryptanalysis of the HFE Public Key Cryptosystem, 1999, CRYPTO.

[13] Adi Shamir, et al. Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations, 2000, EUROCRYPT.

[14] Neal Koblitz, et al. Algebraic Aspects of Cryptography, 1998, Algorithms and Computation in Mathematics.

[15] N. Courtois, et al. La sécurité des primitives cryptographiques basées sur des problèmes algébriques multivariables MQ, IP, MinRank, HFE [The security of cryptographic primitives based on the multivariate algebraic problems MQ, IP, MinRank, HFE], 2001.

[16] Louis Goubin, et al. FLASH, a Fast Multivariate Signature Algorithm, 2001, CT-RSA.

[17] Louis Goubin, et al. C*-+ and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai, 1998, ASIACRYPT.

[18] Don Coppersmith, et al. Matrix Multiplication via Arithmetic Progressions, 1987, STOC.