## Key Recovery on Hidden Monomial Multivariate Schemes

Citations: 10 (4 self)

### BibTeX

```bibtex
@MISC{Fouque_keyrecovery,
  author = {Pierre-Alain Fouque and Gilles Macario-Rat and Jacques Stern},
  title  = {Key Recovery on Hidden Monomial Multivariate Schemes},
  year   = {}
}
```

### Abstract

The problem we study in this paper is the key recovery problem on the $C^*$ schemes and their generalizations, where the quadratic monomial of $C^*$ (the product of two linear monomials) is replaced by a product of three or more linear monomials. This problem has been further generalized to any multivariate polynomial hidden by two invertible linear maps, and named the Isomorphism of Polynomials (IP) problem by Patarin et al. Some cryptosystems have been built on this apparently hard problem, such as the traitor tracing scheme proposed by Billet and Gilbert. Here we show that if the hidden multivariate monomial is a quadratic monomial, as in SFLASH, or a cubic (or higher degree) monomial, as in the traitor tracing scheme, then it is possible to recover an equivalent secret key in polynomial time $O(n^d)$, where $n$ is the number of variables and $d$ is the degree of the public polynomials.

### Citations

130 | Hidden equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms - Patarin - 1996 |
Citation context: ...such as in the Traitor Tracing scheme proposed by Billet and Gilbert in [1]. 1.1 Related Works. The IP problem. The Isomorphism of Polynomials (IP) problem was introduced by Patarin in 1996 in [14] to capture the key recovery problems of some multivariate schemes such as $C^*$, since Patarin's attack only allows inverting the public key and not recovering the secret key. Patarin, Goubin and Courto...

84 | Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88 - Patarin - 1995 |
Citation context: ...require exponential time and memory. One rich family of multivariate schemes is derived from a cryptosystem proposed by Matsumoto and Imai in 1988. Even though this scheme was broken by Patarin in [12] in 1995, Patarin proposed various countermeasures to increase the security. One variation is the Minus transformation, suggested by Shamir in [17], which is a classical solution to avoid Patarin's o...

34 | Efficient Signature Scheme Based on Birational Permutations - Shamir - 1993 |
Citation context: ...Even though this scheme was broken by Patarin in [12] in 1995, Patarin proposed various countermeasures to increase the security. One variation is the Minus transformation, suggested by Shamir in [17], which is a classical solution to avoid Patarin's or Gröbner basis attacks. The SFLASH signature scheme comes from this variation. Another solution is to use a hidden monomial of higher degree su...

33 | Taxonomy of public key schemes based on the problem of multivariate quadratic equations, Cryptology ePrint Archive, Report 2005/077 - Wolf, Preneel - 2005 |

27 | Differential Cryptanalysis for Multivariate Schemes - Fouque, Granboulan, et al. - 2005 |
Citation context: ...$\circ\ \varphi_i \circ \pi \circ S'$). 3 Differential and Properties for Monomials. The differential of the public key of a multivariate scheme was introduced as a systematic cryptanalytic method by Fouque et al. in [9]. Later, this method was developed and extended in [6, 7, 5, 4] to attack various systems. 3.1 Differential of Polynomials. For a general polynomial $P$, the differential at some point $a$, denoted b...

26 | Asymmetric cryptography with a hidden monomial - Patarin - 1996 |

22 | Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects - Faugère, Perret - 2006 |
Citation context: ...of the AES cryptosystem, the S-box can be viewed as a polynomial of high degree, namely 7, since the inverse in $GF(256)$ can be expressed as the polynomial $P(x) = x^{q-2}$. Finally, Faugère and Perret in [8] also studied this problem and conjecture that in some cases Gröbner basis algorithms are subexponential, and give some parameters that they were able to solve. Differential Attack on SFLASH. Recently...

21 | a Fast Multivariate Signature Algorithm - Flash - 2001 |

19 | Practical Cryptanalysis of SFLASH - Dubois, Fouque, et al. - 2007 |
Citation context: ...parameters that they were able to solve. Differential Attack on SFLASH. Recently, some breakthrough results have been published on the cryptanalysis of the SFLASH signature scheme by Dubois et al. in [5, 4]. SFLASH comes from the $C^*$ family, i.e. the internal quadratic monomial of the form $P(x) = x^{1+q^\theta}$ over an extension $F$ of degree $n$ of the base finite field $K$ is hidden by two linear bijective mappings...

19 | Improved algorithms for isomorphisms of polynomials (EUROCRYPT) - Patarin, Goubin, et al. - 1998 |
Citation context: ...multivariate schemes such as $C^*$, since Patarin's attack only allows inverting the public key and not recovering the secret key. Patarin, Goubin and Courtois investigate the hardness of this problem in [16] and conclude that the best algorithm, called To and Fro, for the $C^*$ family requires exponential time in $O(q^{n/2})$, where $q$ is the size of the base finite field and $n$ is the degree of the extension of...

17 | Cryptanalysis of SFLASH with Slightly Modified Parameters - Dubois, Fouque, et al. |
Citation context: ...$)(D_yP(x))$. Multiplicative Property for Higher Degree. For degree 3 or 4, similar expressions for this property can be derived by considering respectively: $D_{x,y}P(N_z(u)) + D_{x,u}P(N_z(y)) + D_{y,u}P(N_z(x))$ (5) and $D_{x,y,u}P(N_z(v)) + D_{x,y,v}P(N_z(u)) + D_{x,u,v}P(N_z(y)) + D_{y,u,v}P(N_z(x))$ (6). Multiplicative Property is a Characterization. Property (3) and the ones inferred for higher degree are indeed a characteriz...

15 | ℓ-Invertible Cycles for Multivariate Quadratic Public Key Cryptography - Ding, Wolf, et al. - 2007 |
Citation context: ...y on the public key, $N$ can be easily found. Multiplicative Property for SFLASH. For $P(x) = x^{1+q^\theta}$ there is an interesting property of the differential: $D_xP(M_z(y)) + D_yP(M_z(x)) = M_{z+z^{q^\theta}}(D_yP(x))$ (3), where $M_z$ is the multiplication by $z$ in $F$. We can also rewrite this equation as $DP(xz, y) + DP(x, yz) = (z + z^{q^\theta})\,DP(x, y)$. How is this property (3) transferred to the public system? Firstly for th...

13 | Cryptanalysis of SFLASH - Gilbert, Minier - 2002 |
Citation context: ...and $T$. The public key is $\mathbf{P} = T \circ P \circ S$, and if some polynomials of the public key are removed, we get a SFLASH public key. In [5], the authors consider the case where $\gcd(\theta, n) > 1$. The basic idea of [10, 5, 4] is to recover some of these polynomials, or equivalent polynomials, by noticing that the internal polynomial $P \circ S$ over $F$ forms a set of $n$ polynomials over $K$. Then, the action of $T$ consists of linea...

12 | A Traceable Block Cipher - Billet, Gilbert - 2003 |
Citation context: ...ck. The SFLASH signature scheme comes from this variation. Another solution is to use a hidden monomial of higher degree, such as in the Traitor Tracing scheme proposed by Billet and Gilbert in [1]. 1.1 Related Works. The IP problem. The Isomorphism of Polynomials (IP) problem was introduced by Patarin in 1996 in [14] to capture the key recovery problems of some multivariate schemes such...

12 | A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms - Biryukov, Cannière, et al. - 2003 |
Citation context: ...requires exponential time in $O(q^{n/2})$, where $q$ is the size of the base finite field and $n$ is the degree of the extension of the large field. Biryukov et al. propose other solutions to this problem in [2], with complexity $O(n^3 \cdot 2^n)$ over $GF(2)$, which is very efficient when $n \le 32$. They introduce these algorithms to study linear equivalence of S-boxes. For our purpose, $n$ can be 128. In the case of the AE...

7 | An efficient provable distinguisher for HFE - Dubois, Granboulan, et al. - 2006 |
Citation context: ...als. The differential of the public key of a multivariate scheme was introduced as a systematic cryptanalytic method by Fouque et al. in [9]. Later, this method was developed and extended in [6, 7, 5, 4] to attack various systems. 3.1 Differential of Polynomials. For a general polynomial $P$, the differential at some point $a$, denoted by $D_aP$, is formally defined by $D_aP(x) = P(x+a) - P(x) - P(a)$ ...

6 | Cryptanalysis of HFE with Internal Perturbation - Dubois, Granboulan, et al. - 2007 |
Citation context: ...als. The differential of the public key of a multivariate scheme was introduced as a systematic cryptanalytic method by Fouque et al. in [9]. Later, this method was developed and extended in [6, 7, 5, 4] to attack various systems. 3.1 Differential of Polynomials. For a general polynomial $P$, the differential at some point $a$, denoted by $D_aP$, is formally defined by $D_aP(x) = P(x+a) - P(x) - P(a)$ ...

5 | Public quadratic polynomial-tuples for efficient signature-verification and message-encryption - Matsumoto, Imai - 1988 |

5 | Equivalent keys in HFE, $C^*$, and variations - Wolf, Preneel - 2005 |
Citation context: ...tic polynomial forms, hence here $\deg(P) = 2$. In the same manner, for $P(x) = x^{1+q^{\theta_1}+\dots+q^{\theta_{d-1}}}$, $\deg(P)$ will be at most $d$. 2.2 Equivalent Keys. Solutions to the IP Problem are in fact not unique. See [18] for a discussion about equivalent keys. For instance, let us analyze the case $P(x) = x^{1+q^\theta}$. Let us define $M_z$ (multiplications) and $\varphi_i$ (Frobenius) by $M_z(x) = zx$ and $\varphi_i(x) = x^{q^i}$. So if $(T', S'$...

1 | A Traceable Block Cipher. In Asiacrypt '03, volume 2894 - Billet, Gilbert - 2003 |