Key Recovery on Hidden Monomial Multivariate Schemes

In this paper, we study the key recovery problem for the C* scheme and generalisations where the quadratic monomial of C* (the product of two linearized monomials) is replaced by a product of three or more linearized monomials. This problem has been further generalized to any system of multivariate polynomials hidden by two invertible linear maps and named the Isomorphism of Polynomials (IP) problem by Patarin. Some cryptosystems have been built on this apparently hard problem such as an authentication protocol proposed by Patarin and a traitor tracing scheme proposed by Billet and Gilbert. Here we show that if the hidden multivariate system is the projection of a quadratic monomial on a base finite field, as in C*, or a cubic (or higher) monomial as in the traitor tracing scheme, then it is possible to recover an equivalent secret key in polynomial time O(nd) where n is the number of variables and d is the degree of the public polynomials.

[1]  Ueli Maurer,et al.  Advances in Cryptology — EUROCRYPT ’96 , 2001, Lecture Notes in Computer Science.

[2]  Serge Vaudenay,et al.  Advances in Cryptology - EUROCRYPT 2006 , 2006, Lecture Notes in Computer Science.

[3]  Marine Minier,et al.  Cryptanalysis of SFLASH , 2002, EUROCRYPT.

[4]  Xuejia Lai Higher Order Derivatives and Differential Cryptanalysis , 1994 .

[5]  Moni Naor Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings , 2007, EUROCRYPT.

[6]  Bart Preneel,et al.  Equivalent Keys in Hfe, C * , and Variations , 2005 .

[7]  Eli Biham,et al.  Cryptanalysis of Patarin's 2-Round Public Key System with S Boxes (2R) , 2000, EUROCRYPT.

[8]  Chi Sung Laih,et al.  Advances in Cryptology - ASIACRYPT 2003 , 2003 .

[9]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[10]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[11]  Jacques Patarin,et al.  Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms , 1996, EUROCRYPT.

[12]  Olivier Billet,et al.  A Traceable Block Cipher , 2003, ASIACRYPT.

[13]  Bo-Yin Yang,et al.  l-Invertible Cycles for Multivariate Quadratic (MQ) Public Key Cryptography , 2007, Public Key Cryptography.

[14]  Hideki Imai,et al.  Public Quadratic Polynominal-Tuples for Efficient Signature-Verification and Message-Encryption , 1988, EUROCRYPT.

[15]  David S. Johnson,et al.  Computers and Intractability: A Guide to the Theory of NP-Completeness , 1978 .

[16]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[17]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[18]  Tatsuaki Okamoto,et al.  Public Key Cryptography - PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography, Beijing, China, April 16-20, 2007, Proceedings , 2007, Public Key Cryptography.

[19]  Jean-Charles Faugère,et al.  Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects , 2006, EUROCRYPT.

[20]  Aggelos Kiayias,et al.  Efficient Secure Group Signatures with Dynamic Joins and Keeping Anonymity Against Group Managers , 2005, Mycrypt.

[21]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[22]  Niklaus Wirth,et al.  Advances in Cryptology — EUROCRYPT ’88 , 2000, Lecture Notes in Computer Science.

[23]  Jacques Stern,et al.  Cryptanalysis of SFLASH with Slightly Modified Parameters , 2007, EUROCRYPT.

[24]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[25]  Alex Biryukov,et al.  Structural Cryptanalysis of SASAS , 2001, Journal of Cryptology.

[26]  Jacques Stern,et al.  Total Break of the l-IC Signature Scheme , 2008, Public Key Cryptography.

[27]  Alex Biryukov,et al.  A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms , 2003, EUROCRYPT.

[28]  David Naccache,et al.  Topics in Cryptology — CT-RSA 2001 , 2001, Lecture Notes in Computer Science.

[29]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[30]  Lars R. Knudsen,et al.  Truncated and Higher Order Differentials , 1994, FSE.

[31]  Jacques Patarin,et al.  Asymmetric Cryptography with a Hidden Monomial , 1996, CRYPTO.

[32]  A. J. Menezes,et al.  Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings , 2007, CRYPTO.

[33]  Bart Preneel,et al.  Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations , 2005, IACR Cryptol. ePrint Arch..

[34]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[35]  Louis Goubin,et al.  Improved Algorithms for Isomorphisms of Polynomials , 1998, EUROCRYPT.

[36]  Jacques Patarin,et al.  Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88 , 1995, CRYPTO.

[37]  Douglas R. Stinson,et al.  Advances in Cryptology — CRYPTO’ 93 , 2001, Lecture Notes in Computer Science.

[38]  Adi Shamir,et al.  Efficient Signature Schemes Based on Birational Permutations , 1993, CRYPTO.

[39]  Jacques Stern,et al.  Practical Cryptanalysis of SFLASH , 2007, CRYPTO.

[40]  Louis Goubin,et al.  FLASH, a Fast Multivariate Signature Algorithm , 2001, CT-RSA.

[41]  Jacques Stern,et al.  Cryptanalysis of HFE with Internal Perturbation , 2007, Public Key Cryptography.

[42]  Jacques Stern,et al.  An Efficient Provable Distinguisher for HFE , 2006, ICALP.

[43]  Jacques Stern,et al.  Differential Cryptanalysis for Multivariate Schemes , 2005, EUROCRYPT.