A family of weak keys in HFE and the corresponding practical key-recovery

Abstract. The HFE (hidden field equations) cryptosystem is one of the most interesting public-key multivariate schemes. It was proposed more than 10 years ago by Patarin and seems to withstand the attacks that break many other multivariate schemes, since only subexponential ones have been proposed. The public key is a system of quadratic equations in many variables. These equations are generated from the composition of the secret elements: two linear mappings and a polynomial of small degree over an extension field. In this paper we show that there exist weak keys in HFE when the coefficients of the internal polynomial are defined in the ground field. In this case, we reduce the secret key recovery problem to an instance of the Isomorphism of Polynomials (IP) Problem between the equations of the public key and themselves. Even though the hardness of recovering the secret key of schemes such as SFLASH or relies on the hardness of the IP Problem, this is normally not the case for HFE, since the internal polynomial is kept secret. However, when a weak key is used, we show how to recover all the components of the secret key in practical time, given a solution to an instance of the IP Problem. This breaks in particular a variant of HFE proposed by Patarin to reduce the size of the public key and called the “subfield variant”. Recovering the secret key takes a few minutes.
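The following toy model illustrates the self-isomorphism behind the reduction in the abstract. It is an added example written for this page, not code from the paper: it assumes HFE over GF(2^7) with the public key P = S ∘ F ∘ T, and uses the algebraic fact that a polynomial F whose coefficients lie in the ground field commutes with the Frobenius map, so the pair (S ∘ Frob ∘ S^-1, T^-1 ∘ Frob ∘ T) is a non-trivial solution of IP(P, P); a key with one coefficient outside GF(2) is checked alongside for contrast.

```python
import random
from functools import reduce
from operator import xor

N = 7                               # toy HFE over GF(2^7); field elements are 7-bit ints
MOD = (1 << N) | 0b11               # x^7 + x + 1, irreducible over GF(2)
ID = [1 << i for i in range(N)]     # GF(2)-linear maps are stored as lists of N column images

def gf_mul(a, b):                   # multiplication in GF(2^7)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (MOD if a >> (N - 1) else 0), b >> 1
    return r

def apply(M, x):                    # evaluate the linear map M at the vector x
    return reduce(xor, (M[i] for i in range(N) if x >> i & 1), 0)

def random_invertible(rng, ops=80):  # random S or T plus its inverse, via column transvections
    moves = [rng.sample(range(N), 2) for _ in range(ops)]
    M, Minv = list(ID), list(ID)
    for i, j in moves:
        M[j] ^= M[i]                 # M = E1 E2 ... Ek, each Ek being "col j += col i"
    for i, j in reversed(moves):
        Minv[j] ^= Minv[i]           # Ek ... E1 = M^-1, since each transvection is an involution
    return M, Minv

FROB = [gf_mul(b, b) for b in ID]   # Frobenius X -> X^2 is GF(2)-linear
EXPS = [0, 1, 2, 3, 4, 5, 6, 8]     # HFE-shaped exponents (binary weight <= 2), degree D = 8

def hfe_F(coeffs, x):               # internal polynomial F(X) = sum_e c_e X^e
    pw = [1]
    for _ in range(max(EXPS)):
        pw.append(gf_mul(pw[-1], x))
    return reduce(xor, (gf_mul(c, pw[e]) for c, e in zip(coeffs, EXPS)), 0)

def self_isomorphism_holds(coeffs, seed=1):
    """Does (S Frob S^-1, T^-1 Frob T) map P = S.F.T onto itself, i.e. solve IP(P, P)?"""
    rng = random.Random(seed)
    S, Sinv = random_invertible(rng)
    T, Tinv = random_invertible(rng)
    P = lambda x: apply(S, hfe_F(coeffs, apply(T, x)))       # public key as a function
    A = lambda y: apply(S, apply(FROB, apply(Sinv, y)))      # acts on the equations
    B = lambda x: apply(Tinv, apply(FROB, apply(T, x)))      # acts on the variables
    return all(P(B(x)) == A(P(x)) for x in range(1 << N))

WEAK = [1, 0, 1, 1, 0, 1, 0, 1]          # all coefficients in the ground field GF(2): weak key
STRONG = [1, 0, 0b10, 1, 0, 1, 0, 1]     # one coefficient is alpha (= x) outside GF(2)
```

For the weak key the identity holds on every input, so the public key alone already exposes a non-trivial automorphism; for the contrast key it fails on every non-zero input.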
