Algebraic cryptanalysis of the PKC’2009 algebraic surface cryptosystem

Authors:
Jean-Charles Faugère;Pierre-Jean Spaenlehauer
Affiliations:
UPMC, Université Paris 06, LIP6, INRIA Centre Paris-Rocquencourt, SALSA Project, CNRS, UMR 7606, LIP6, Paris Cedex 05, France;UPMC, Université Paris 06, LIP6, INRIA Centre Paris-Rocquencourt, SALSA Project, CNRS, UMR 7606, LIP6, Paris Cedex 05, France
Venue:
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Year:
2010

Citing 9
Cited 0

Efficient computation of zero-dimensional Gro¨bner bases by change of ordering

Journal of Symbolic Computation
Computers and Intractability: A Guide to the Theory of NP-Completeness

Computers and Intractability: A Guide to the Theory of NP-Completeness
Gröbner-Bases, Gaussian elimination and resolution of systems of algebraic equations

EUROCAL '83 Proceedings of the European Computer Algebra Conference on Computer Algebra
A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)

Proceedings of the 2002 international symposium on Symbolic and algebraic computation
Modern Computer Algebra

Modern Computer Algebra
Algorithms for quantum computation: discrete logarithms and factoring

SFCS '94 Proceedings of the 35th Annual Symposium on Foundations of Computer Science
An Algebraic Surface Cryptosystem

Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
New recombination algorithms for bivariate polynomial factorization based on Hensel lifting

Applicable Algebra in Engineering, Communication and Computing
Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we fully break the Algebraic Surface Cryptosystem (ASC for short) proposed at PKC’2009 [3]. This system is based on an unusual problem in multivariate cryptography: the Section Finding Problem. Given an algebraic surface $X(x,y,t)\in\mathbb{F}_p[x,y,t]$ such that $\deg_{xy} X(x,y,t)= w$, the question is to find a pair of polynomials of degree d, ux(t) and uy(t), such that X(ux(t),uy(t),t)=0. In ASC, the public key is the surface, and the secret key is the section. This asymmetric encryption scheme enjoys reasonable sizes of the keys: for recommended parameters, the size of the secret key is only 102 bits and the size of the public key is 500 bits. In this paper, we propose a message recovery attack whose complexity is quasi-linear in the size of the secret key. The main idea of this algebraic attack is to decompose ideals deduced from the ciphertext in order to avoid to solve the section finding problem. Experimental results show that we can break the cipher for recommended parameters (the security level is 2102) in 0.05 seconds. Furthermore, the attack still applies even when the secret key is very large (more than 10000 bits). The complexity of the attack is $\widetilde{\mathcal{O}}(w^{7} d \log(p))$ which is polynomial with respect to all security parameters. In particular, it is quasi-linear in the size of the secret key which is (2 d+2) log(p). This result is rather surprising since the algebraic attack is often more efficient than the legal decryption algorithm.