Public quadratic polynomial-tuples for efficient signature-verification and message-encryption
Lecture Notes in Computer Science on Advances in Cryptology-EUROCRYPT'88
Solving systems of algebraic equations
ACM SIGSAM Bulletin
The Security of Hidden Field Equations (HFE)
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Gröbner-Bases, Gaussian elimination and resolution of systems of algebraic equations
EUROCAL '83 Proceedings of the European Computer Algebra Conference on Computer Algebra
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Cryptoanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88
CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
Short Signatures from the Weil Pairing
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)
Proceedings of the 2002 international symposium on Symbolic and algebraic computation
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
An efficient provable distinguisher for HFE
ICALP'06 Proceedings of the 33rd international conference on Automata, Languages and Programming - Volume Part II
Differential cryptanalysis for multivariate schemes
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Kipnis-Shamir Attack on HFE Revisited
Information Security and Cryptology
Algebraic Attack on HFE Revisited
ISC '08 Proceedings of the 11th international conference on Information Security
SSE Implementation of Multivariate PKCs on Modern x86 CPUs
CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
Cryptanalysis of the Square Cryptosystems
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Cryptanalysis of HFE with internal perturbation
PKC'07 Proceedings of the 10th international conference on Practice and theory in public-key cryptography
Cryptanalysis of the hidden matrix cryptosystem
LATINCRYPT'10 Proceedings of the First international conference on Progress in cryptology: cryptology and information security in Latin America
Cryptanalysis of multivariate and odd-characteristic HFE variants
PKC'11 Proceedings of the 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography
Inverting HFE systems is quasi-polynomial for all fields
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
On provable security of UOV and HFE signature schemes against chosen-message attack
PQCrypto'11 Proceedings of the 4th international conference on Post-Quantum Cryptography
Improving the complexity of index calculus algorithms in elliptic curves over binary fields
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
On polynomial systems arising from a weil descent
ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
| Hi-index | 0.00 |
In the last ten years, multivariate cryptography has emerged as a possible alternative to public key cryptosystems based on hard computational problems from number theory. Notably, the HFE scheme [17] appears to combine efficiency and resistance to attacks, as expected from any public key scheme. However, its security is not yet completely understood. On one hand, since the security is related to the hardness of solving quadratic systems of multivariate binary equations, an NP complete problem, there were hopes that the system could be immune to subexponential attacks. On the other hand, several lines of attacks have been explored, based on so-called relinearization techniques [12,5], or on the use of Gröbner basis algorithms [7]. The latter approach was used to break the first HFE Challenge 1 in 96 hours on a 833 MHz Alpha workstation with 4 Gbytes of memory. At a more abstract level, Faugère and Joux discovered an algebraic invariant that explains why the computation finishes earlier than expected. In the present paper, we pursue this line and study the asymptotic behavior of these Gröbner basis based attacks. More precisely, we consider the complexity of the decryption attack which uses Gröbner bases to recover the plaintext and the complexity of a related distinguisher. We show that the decryption attack has a quasipolynomial complexity, where quasipolynomial denotes an subexponential expression much smaller than the classical subexponential expressions encountered in factoring or discrete logarithm computations. The same analysis shows that the related distinguisher has provable quasipolynomial complexity.