## Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases (2003)

Venue: In Advances in Cryptology — CRYPTO 2003

Citations: 103 - 27 self

### BibTeX

@INPROCEEDINGS{Faugère03algebraiccryptanalysis,

author = {Jean-Charles Faugère and Antoine Joux},

title = {Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases},

booktitle = {In Advances in Cryptology — CRYPTO 2003},

year = {2003},

pages = {44--60},

publisher = {Springer}

}

### Abstract

In this paper, we review and explain the existing algebraic cryptanalysis of multivariate cryptosystems from the hidden field equation (HFE) family. These cryptanalyses break cryptosystems in the HFE family by solving multivariate systems of equations. In this paper we present a new and efficient attack of this cryptosystem based on fast algorithms for computing Gröbner bases. In particular it was possible to break the first HFE challenge (80 bits) in only two days of CPU time by using the new algorithm F5 implemented in C. From a theoretical point of view we study the algebraic properties of the equations produced by instances of the HFE cryptosystems and show why they yield systems of equations easier to solve than random systems of quadratic equations of the same sizes. Moreover we are able to bound the maximal degree occurring in the Gröbner basis computation. As a consequence, we gain a deeper understanding of the algebraic cryptanalysis against these cryptosystems. We use this understanding to devise a specific algorithm based on sparse linear algebra. In general, we conclude that the cryptanalysis of HFE can be performed in polynomial time. We also revisit the security estimates for existing schemes in the HFE family.

### Citations

346 | Using Algebraic Geometry
- Cox, Little, et al.
- 2005

Citation Context: ...d D = 96. For this reason, throughout the rest of the paper, we focus on the study on HFE cryptosystems under the assumption that D remains fixed as n grows. 3 Gröbner Basis Cryptanalysis We refer to [5,9] for basic definitions. Let k be a field and $R = k[x_1, \ldots, x_n]$ the ring of multivariate polynomials. To a system of equations $f_1(x_1, \ldots, x_n) = \cdots = f_m(x_1, \ldots, x_n) = 0$ we associate the ideal I generated ...

248 | A New Efficient Algorithm for Computing Gröbner Basis without Reduction to Zero: F5
- Faugère
- 2002

Citation Context: ...lar, Macaulay, Gb, ... ); section 3.4 contains a comparison between them for the HFE problem. More recently, more efficient algorithms for computing Gröbner bases have been proposed. The first one F4 [10] reduces the computation to a (sparse) linear algebra problem (from a theoretical point of view the link between solving algebraic systems and linear algebra is very old, e.g., see [17,16]). More prec...

202 | Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen
- Buchberger
- 1965

Citation Context: ...ttack consists of general purpose algorithms that solve multivariate systems of equations. In this class, we find the relinearization technique of [15], the XL algorithm [8] and also the Gröbner basis [1,2,3] approach. The relinearization technique of Kipnis and Shamir [15] is well suited to the basic HFE schemes without variations. The first step is to remark that some part of the secret key is a solutio...

134 | Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations
- Courtois, Klimov, et al.

Citation Context: ... attack consists of general purpose algorithms that solve multivariate systems of equations. In this class, we find the relinearization technique of [15], the XL algorithm [8] and also the Gröbner basis [1,2,3] approach. The relinearization technique of Kipnis and Shamir [15] is well suited to the basic HFE schemes without variations. The first step is to remark that some ...

98 | Public quadratic polynomial-tuples for efficient signature-verification and message-encryption
- Matsumoto, Imai
- 1988

Citation Context: ...existing schemes in the HFE family. 1 Introduction The idea of using multivariate quadratic equations as a basis for building public key cryptosystems appeared with the Matsumoto-Imai cryptosystem in [18]. This system was broken by Patarin in [20]. Shortly after, Patarin proposed to repair it and thus devised the hidden field equation (HFE) cryptosystem in [22]. While the basic idea of HFE is simple, ...

91 | Cryptanalysis of the HFE public key cryptosystem by relinearization
- Kipnis, Shamir
- 1999

Citation Context: ... attack consists of general purpose algorithms that solve multivariate systems of equations. In this class, we find the relinearization technique of [15], the XL algorithm [8] and also the Gröbner basis [1,2,3] approach. The relinearization technique of Kipnis and Shamir [15] is well suited to the basic HFE schemes without variations. The first step i...

67 | A criterion for detecting unnecessary reductions in the construction of Gröbner bases, Proceedings of the European Conference on Symbolic and Algebraic Computing, 3-21. (Available as Vol
- Buchberger
- 1979

Citation Context: ...ttack consists of general purpose algorithms that solve multivariate systems of equations. In this class, we find the relinearization technique of [15], the XL algorithm [8] and also the Gröbner basis [1,2,3] approach. The relinearization technique of Kipnis and Shamir [15] is well suited to the basic HFE schemes without variations. The first step is to remark that some part of the secret key is a solutio...

58 | Solving homogeneous linear equations over GF[2] via block Wiedemann algorithm
- Coppersmith
- 1994

Citation Context: ...on of nonzero entries is small. Thus, the right approach is to use algorithms that take advantage of this sparsity. Over $\mathbb{F}_2$, we can for example use the block Wiedemann or block Lanczos algorithms (see [6,19]). Their complexity to find O(n) elements in the kernel of $M'$ in term of n-bit word operations is the product of the total number of non-zero entries in the matrix by its rank. Approximating the ran...

39 | An algorithmic criterion for the solvability of algebraic systems of equations 251
- Buchberger
- 1998

Citation Context: ...ttack consists of general purpose algorithms that solve multivariate systems of equations. In this class, we find the relinearization technique of [15], the XL algorithm [8] and also the Gröbner basis [1,2,3] approach. The relinearization technique of Kipnis and Shamir [15] is well suited to the basic HFE schemes without variations. The first step is to remark that some part of the secret key is a solutio...

26 | The security of Hidden Field Equations (HFE
- Courtois

Citation Context: ...ries per lines. The estimated complexity of the initial linear algebra step is $2^{62}$. While out of range, this is much lower than the estimated security bound of $2^{80}$ triple DES announced in [24] and [7]. 6 Conclusion We have presented a very efficient attack on the basic HFE cryptosystem based on Gröbner bases computation. It is not only a theoretical attack with a good complexity but also a very pr...

18 | Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations. EUROCAL
- Lazard
- 1983

Citation Context: ...e first one F4 [10] reduces the computation to a (sparse) linear algebra problem (from a theoretical point of view the link between solving algebraic systems and linear algebra is very old, e.g., see [17,16]). More precisely the algorithm F4 incrementally constructs matrices in degree 2, 3, ... D:

$$A_D \;=\; \begin{array}{c} m_1 \times f_{i_1} \\ m_2 \times f_{i_2} \\ m_3 \times f_{i_3} \\ \cdots \end{array} \overset{\text{monomials of degree } \le D \text{ in } x_1,\ldots,x_n}{\begin{pmatrix} \cdots \\ \cdots \\ \cdots \\ \cdots \end{pmatrix}},$$

where $m_1$, $m_2$ ...

17 | Cryptanalysis of the oil and vinegar signature scheme
- Kipnis, Shamir
- 1998

Citation Context: ...first class consists of specific attacks which focus on one particular variation and breaks it due to specific properties. Typical examples are the attack of Kipnis and Shamir against Oil and Vinegar [14] and the attack by Gilbert and Minier [13] against the first version of the NESSIE proposal Sflash. The second class of D. Boneh (Ed.): CRYPTO 2003, LNCS 2729, pp. 44–60, 2003. © International Associ...

13 | Cryptanalysis of SFLASH
- Gilbert, Minier
- 2002

Citation Context: ...hich focus on one particular variation and breaks it due to specific properties. Typical examples are the attack of Kipnis and Shamir against Oil and Vinegar [14] and the attack by Gilbert and Minier [13] against the first version of the NESSIE proposal Sflash. The second class of ...

9 | Complexity of Gröbner basis computation for regular, overdetermined . in preparation
- Bardet, Faugère, et al.
- 2003

Citation Context: ...ccurring in these computations. As a consequence we have to describe theoretically the behavior of such a computation. This study is beyond the scope of this paper and is the subject of another paper [4] from which we extract the asymptotic behavior of the maximal degree occurring in the computation is: $d = \text{max total degree} \approx \frac{n}{11.114\ldots}$ From this result we know that computing Gröbner bases of random...

9 | The algebraic theory of modular systems., volume xxxi
- Macaulay
- 1916

Citation Context: ...e first one F4 [10] reduces the computation to a (sparse) linear algebra problem (from a theoretical point of view the link between solving algebraic systems and linear algebra is very old, e.g., see [17,16]). More precisely the algorithm F4 incrementally constructs matrices in degree 2, 3, ... D:

$$A_D \;=\; \begin{array}{c} m_1 \times f_{i_1} \\ m_2 \times f_{i_2} \\ m_3 \times f_{i_3} \\ \cdots \end{array} \overset{\text{monomials of degree } \le D \text{ in } x_1,\ldots,x_n}{\begin{pmatrix} \cdots \\ \cdots \\ \cdots \\ \cdots \end{pmatrix}},$$

where $m_1$, $m_2$ ...

7 | Groebner Bases, a Computational Approach to Commutative Algebra. Graduate Texts in Mathematics
- Becker, Weispfenning
- 1993

Citation Context: ...d D = 96. For this reason, throughout the rest of the paper, we focus on the study on HFE cryptosystems under the assumption that D remains fixed as n grows. 3 Gröbner Basis Cryptanalysis We refer to [5,9] for basic definitions. Let k be a field and $R = k[x_1, \ldots, x_n]$ the ring of multivariate polynomials. To a system of equations $f_1(x_1, \ldots, x_n) = \cdots = f_m(x_1, \ldots, x_n) = 0$ we associate the ideal I generated ...

4 | Algebraic cryptanalysis of HFE using Gröbner bases
- Faugère
- 2003

Citation Context: ...f m. 5 Performance Optimizations 5.1 Optimal Degree with Gröbner Basis Algorithms We have collected a lot of experimental data by running thousands of HFE systems for various D ≤ 1024 and n ≤ 160 (see [11]). In graph 3, the maximal degree $m_{F5}$ occurring in the Gröbner basis computation of an algebraic system coming from HFE (resp. from a random system as described in table 1 section 3.3) is plotted. Thi...