Key Recovery on Hidden Monomial Multivariate Schemes
Abstract. The problem we study in this paper is the key recovery problem on the C* schemes and generalizations where the quadratic monomial of C* (the product of two linear monomials) is replaced by a product of three or more linear monomials. This problem has been further generalized to any multivariate polynomial hidden by two invertible linear maps and named the Isomorphism of Polynomials (IP) problem by Patarin et al. Some cryptosystems have been built on this apparently hard problem, such as a traitor tracing scheme proposed by Billet and Gilbert. Here we show that if the hidden multivariate monomial is a quadratic monomial, as in SFLASH, or a cubic (or higher) monomial as in the traitor tracing scheme, then it is possible to recover an equivalent secret key in polynomial time O(n^d), where n is the number of variables and d is the degree of the public polynomials.
Could SFLASH be repaired? (full version)
Abstract. The SFLASH signature scheme stood for a decade as the most successful cryptosystem based on multivariate polynomials, before an efficient attack was finally found in 2007. In this paper, we review its recent cryptanalysis and we notice that its weaknesses can all be linked to the fact that the cryptosystem is built on the structure of a large field. As the attack demonstrates, this richer structure can be accessed by an attacker by using the specific symmetry of the core function being used. Then, we investigate the effect of restricting this large field to a purely linear subset and we find that the symmetries exploited by the attack are no longer present. At a purely defensive level, this defines a countermeasure which can be used at a moderate overhead. On the theoretical side, this informs us of limitations of the recent attack and raises interesting remarks about the design itself of multivariate schemes.

