Abstract
We consider the basic version of the asymmetric cryptosystem HFE from Eurocrypt 96.
We propose a notion of non-trivial equations as an attempt to account for a large class of attacks on one-way functions. We found equations that give experimental evidence that basic HFE can be broken in expected polynomial time for any constant degree d. This has been independently proven by Shamir and Kipnis [Crypto'99].
We designed and implemented a series of new advanced attacks that are much more efficient than the Shamir-Kipnis attack. They are practical for HFE degree d ≤ 24 and realistic up to d = 128. Patarin's first HFE challenge (80 bits, $500 prize) can be broken in about $2^{62}$ operations.
Our attack is subexponential and requires $n^{\frac{3}{2}\log d}$ computations. The original Shamir-Kipnis attack takes at least $n^{\log^2 d}$. We show how to improve the Shamir-Kipnis attack by using a better method of solving the underlying algebraic problem, MinRank; it then runs in $n^{3\log d + O(1)}$.
All of these attacks fail for the modified versions of HFE: HFE- (Asiacrypt'98), vHFE (Eurocrypt'99), Quartz (RSA'2000) and even Flash (RSA'2000).
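To make the objects named in the abstract concrete, the following is an added toy implementation of basic HFE in Python; it is not code from Courtois's paper nor from any HFE reference implementation. It assumes a tiny field GF(2^8) with reduction polynomial x^8 + x^4 + x^3 + x + 1 and HFE degree d = 17 (the constants N, MOD and D are demo choices), identifies GF(2)^8 with GF(2^8) through the coefficient vector, and replaces the root-finding step of decryption by exhaustive search over the 256 field elements. It exhibits the two structural facts the attacks above rest on: the public key T∘F∘S is a system of n quadratic polynomials over GF(2) (read off by evaluating it at 0, e_k and e_k + e_l), and the secret polynomial, viewed as a quadratic form in the Frobenius powers x, x^2, x^4, ..., only involves the first ceil(log2 d) of them, which is the low-rank target that the MinRank formulation of the Shamir-Kipnis attack recovers.

```python
# Added illustration, not from Courtois's paper: a toy "basic HFE" over GF(2^N) showing
# what the abstract's attacks rest on: the public key is N quadratic polynomials in N
# bits, and the secret map has rank <= ceil(log2 d) in the Frobenius basis (MinRank).
# N = 8, D = 17, MOD are demo assumptions; brute-force root finding stands in for Berlekamp.
import random

N = 8          # GF(2^N): N-bit blocks, N public polynomials in N variables
MOD = 0x11B    # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)
D = 17         # HFE degree d: the secret polynomial only uses exponents <= D

def gf_mul(a, b):  # multiply in GF(2^N); elements are N-bit ints
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (MOD if a >> (N - 1) & 1 else 0)
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

def gf2_invert(M):  # Gauss-Jordan on [M | I] over GF(2); None if M is singular
    rows = [M[i] | (1 << (N + i)) for i in range(N)]
    for bit in range(N):
        piv = next((i for i in range(bit, N) if rows[i] >> bit & 1), None)
        if piv is None:
            return None
        rows[bit], rows[piv] = rows[piv], rows[bit]
        for i in range(N):
            if i != bit and rows[i] >> bit & 1:
                rows[i] ^= rows[bit]
    return [r >> N for r in rows]

def random_affine(rng):  # invertible affine map x -> Mx + v on GF(2)^N, rows of M as bitmasks
    while True:
        M = [rng.randrange(1, 1 << N) for _ in range(N)]
        if gf2_invert(M) is not None:
            return M, rng.randrange(1 << N)

def affine_apply(aff, x):
    M, v = aff
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(M)) ^ v

def affine_unapply(aff, y):  # inverse map x = M^-1 (y + v)
    return affine_apply((gf2_invert(aff[0]), 0), y ^ aff[1])

def frobenius_pairs(d):  # (i, j), i <= j, 2^i + 2^j <= d: the quadratic part of an HFE polynomial
    return [(i, j) for i in range(N) for j in range(i, N) if (1 << i) + (1 << j) <= d]

def minrank_bound(d):  # only indices below ceil(log2 d) occur, so the quadratic form has rank <= that
    return max(j for _, j in frobenius_pairs(d)) + 1

def keygen(rng):  # secret key (F, S, T); F maps each allowed exponent to a random coefficient
    exps = ({0} | {1 << i for i in range(N) if 1 << i <= D}
            | {(1 << i) + (1 << j) for i, j in frobenius_pairs(D)})
    return {e: rng.randrange(1 << N) for e in exps}, random_affine(rng), random_affine(rng)

def central_map(F, x):  # F(x) = sum_e F[e] * x^e, evaluated in GF(2^N)
    y = 0
    for e, coef in F.items():
        y ^= gf_mul(coef, gf_pow(x, e))
    return y

def encrypt(sk, x):  # public map P = T o F o S; bit vectors and field elements share one encoding
    F, S, T = sk
    return affine_apply(T, central_map(F, affine_apply(S, x)))

def decrypt(sk, y):  # legitimate inversion: undo T, find every root z of F(z) = T^-1(y), undo S
    F, S, T = sk
    target = affine_unapply(T, y)
    return sorted(affine_unapply(S, z) for z in range(1 << N) if central_map(F, z) == target)

def public_polys(sk):  # the N quadratic polynomials over GF(2), read off from P(0), P(e_k), P(e_k + e_l)
    const = encrypt(sk, 0)
    lin = {k: encrypt(sk, 1 << k) ^ const for k in range(N)}
    cross = {(k, l): encrypt(sk, (1 << k) | (1 << l)) ^ lin[k] ^ lin[l] ^ const
             for k in range(N) for l in range(k + 1, N)}
    return const, lin, cross

def mq_eval(polys, x):  # evaluate the recovered MQ system at x (x_k^2 = x_k is folded into lin)
    const, lin, cross = polys
    y = const
    for k, coef in lin.items():
        y ^= coef if x >> k & 1 else 0
    for (k, l), coef in cross.items():
        y ^= coef if x >> k & 1 and x >> l & 1 else 0
    return y

def roundtrip(seed, messages):  # (every message decrypts, P agrees with its MQ form on 64 random x)
    rng = random.Random(seed)
    sk = keygen(rng)
    polys = public_polys(sk)
    xs = [rng.randrange(1 << N) for _ in range(64)]
    return (all(m in decrypt(sk, encrypt(sk, m)) for m in messages),
            all(mq_eval(polys, x) == encrypt(sk, x) for x in xs))

if __name__ == "__main__":
    print(roundtrip(1, (0, 1, 0b10110011, 255)), "MinRank target rank:", minrank_bound(D))
```

The `minrank_bound` value is the rank r = ceil(log2 d) of the MinRank instance, which is what makes the Shamir-Kipnis approach subexponential rather than exponential in n. Evaluating the abstract's cost formulas at n = 80, d = 96 (the parameters of Patarin's first challenge, taken from the challenge description rather than from this abstract) gives $n^{\frac{3}{2}\log d} \approx 2^{62.4}$, matching the $2^{62}$ quoted above, against $n^{3\log d} \approx 2^{125}$ for the improved Shamir-Kipnis attack and $n^{\log^2 d} \approx 2^{274}$ for the original one; the rank target there is ceil(log2 96) = 7.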
References
Don Coppersmith, Jacques Stern, Serge Vaudenay: Attacks on the birational permutation signature schemes; CRYPTO 93, Springer-Verlag, pp. 435–443.
Don Coppersmith, Samuel Winograd: “Matrix multiplication via arithmetic progressions”; J. Symbolic Computation (1990), 9, pp. 251–280.
Nicolas Courtois: La sécurité des primitives cryptographiques basées sur les problèmes algébriques multivariables MQ, IP, MinRank, et HFE (The security of cryptographic primitives based on the multivariate algebraic problems MQ, IP, MinRank and HFE), PhD thesis, Paris 6 University, to appear in 2001, partly in English.
Nicolas Courtois: The HFE cryptosystem home page. Describes all aspects of HFE and allows downloading an example HFE challenge. http://www.hfe.minrank.org
Nicolas Courtois: The MinRank problem. MinRank, a new zero-knowledge scheme based on the NP-complete problem; presented at the rump session of Crypto 2000, available at http://www.minrank.org
Michael Garey, David Johnson: Computers and Intractability, a guide to the theory of NP-completeness, Freeman, p. 251.
J. von zur Gathen, Victor Shoup: "Computing Frobenius maps and factoring polynomials"; Proceedings of the 24th Annual ACM Symposium on Theory of Computing, ACM Press, 1992.
Neal Koblitz: “Algebraic aspects of cryptography”; Springer-Verlag, ACM3, 1998, Chapter 4: “Hidden Monomial Cryptosystems”, pp. 80–102.
Tsutomu Matsumoto, Hideki Imai: "Public Quadratic Polynomial-tuples for efficient signature-verification and message-encryption"; Eurocrypt'88, Springer-Verlag 1988, pp. 419–453.
Tsutomu Matsumoto, Hideki Imai: “A class of asymmetric cryptosystems based on polynomials over finite rings”; 1983 IEEE International Symposium on Information Theory, Abstract of Papers, pp.131–132, September 1983.
http://www.minrank.org, a non-profit web site dedicated to MinRank and Multi-variate Cryptography in general.
Peter L. Montgomery: A Block Lanczos Algorithm for Finding Dependencies over GF(2); Eurocrypt’95, LNCS, Springer-Verlag.
Jacques Patarin: “Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt’88”; Crypto’95, Springer-Verlag, pp. 248–261.
Jacques Patarin: “Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymmetric Algorithms”; Eurocrypt’96, Springer Verlag, pp. 33–48. The extended version can be found at http://www.minrank.org/scourtois/hfe.ps
Jacques Patarin: La Cryptographie Multivariable (Multivariate Cryptography); habilitation thesis (Mémoire d'habilitation à diriger des recherches), Université Paris 7, 1999.
Jacques Patarin, Nicolas Courtois, Louis Goubin: “C*-+ and HM-Variations around two schemes of T. Matsumoto and H. Imai”; Asiacrypt 1998, Springer-Verlag, pp. 35–49.
Jacques Patarin, Aviad Kipnis, Louis Goubin: “Unbalanced Oil and Vinegar Signature Schemes”; Eurocrypt 1999, Springer-Verlag.
Jacques Patarin, Louis Goubin: “Asymmetric Cryptography with Multivariate Polynomials over Finite Fields”; a draft with a compilation of various papers and some unpublished work, Bull PTS, ask from authors.
Jacques Patarin, Louis Goubin, Nicolas Courtois: Quartz, 128-bit long digital signatures; Cryptographers’ Track Rsa Conference 2001, San Francisco 8–12 April 2001, to appear in Springer-Verlag.
Jacques Patarin, Louis Goubin, Nicolas Courtois: Flash, a fast multivariate signature algorithm; Cryptographers’ Track Rsa Conference 2001, San Francisco 8–12 April 2001, to appear in Springer-Verlag.
Adi Shamir, Nicolas Courtois, Jacques Patarin, Alexander Klimov: "Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations"; Advances in Cryptology, Proceedings of EUROCRYPT 2000, LNCS 1807, Springer, 2000, pp. 392–407.
Adi Shamir, Aviad Kipnis: “Cryptanalysis of the Oil and Vinegar Signature Scheme”; Crypto’98, Springer-Verlag.
Adi Shamir, Aviad Kipnis: “Cryptanalysis of the HFE Public Key Cryptosystem”; Crypto’99. Can be found at http://www.minrank.org/~courtois/hfesubreg.ps
J.O. Shallit, G.S. Frandsen, J.F. Buss, The computational complexity of some problems of linear algebra, BRICS series report, Aarhus, Denmark, RS-96-33. Available at http://www.brics.dk/RS/96/33
© 2001 Springer-Verlag Berlin Heidelberg
Cite this paper
Courtois, N.T. (2001). The Security of Hidden Field Equations (HFE). In: Naccache, D. (eds) Topics in Cryptology — CT-RSA 2001. CT-RSA 2001. Lecture Notes in Computer Science, vol 2020. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45353-9_20
DOI: https://doi.org/10.1007/3-540-45353-9_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41898-6
Online ISBN: 978-3-540-45353-6