Loading…

Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic

We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system—instead of a univariate polynomial in HFE—over an extension field as a...

Full description

Saved in:

Bibliographic Details
Published in:	Designs, codes, and cryptography codes, and cryptography, 2013-10, Vol.69 (1), p.1-52
Main Authors:	Bettale, Luk, Faugère, Jean-Charles, Perret, Ludovic
Format:	Article
Language:	English
Subjects:	Algebra Applied sciences Circuits Coding and Information Theory Computer Science Computer science control theory systems Cryptography Cryptography and Security Cryptology Data Structures and Information Theory Discrete Mathematics in Computer Science Exact sciences and technology Field theory and polynomials Information and Communication Information, signal and communications theory Linear and multilinear algebra, matrix theory Mathematics Memory and file management (including protection and security) Memory organisation. Data processing Sciences and techniques of general use Signal and communications theory Software Telecommunications and information theory
Citations:	Items that this one cites Items that cite this one
Online Access:	Get full text
Tags:	Add Tag No Tags, Be the first to tag this record!

cited_by	cdi_FETCH-LOGICAL-c461t-298fa5db1f759ba18cedf677c50e879465ea01029c3073fee2112fd1a47b2d633
cites	cdi_FETCH-LOGICAL-c461t-298fa5db1f759ba18cedf677c50e879465ea01029c3073fee2112fd1a47b2d633
container_end_page	52
container_issue	1
container_start_page	1
container_title	Designs, codes, and cryptography
container_volume	69
creator	Bettale, Luk Faugère, Jean-Charles Perret, Ludovic
description	We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system—instead of a univariate polynomial in HFE—over an extension field as a private key. According to the authors, this should make the classical direct algebraic (message-recovery) attack proposed by Faugère and Joux on HFE no longer efficient against Multi-HFE. We consider here the hardness of the key-recovery in Multi-HFE and its variants, but also in HFE (both for odd and even characteristic). We first improve and generalize the basic key recovery proposed by Kipnis and Shamir on HFE. To do so, we express this attack as matrix/vector operations. In one hand, this permits to improve the basic Kipnis-Shamir (KS) attack on HFE. On the other hand, this allows to generalize the attack on Multi-HFE. Due to its structure, we prove that a Multi-HFE scheme has much more equivalent keys than a basic HFE. This induces a structural weakness which can be exploited to adapt the KS attack against classical modifiers of multivariate schemes such as minus and embedding. Along the way, we discovered that the KS attack as initially described cannot be applied against HFE in characteristic 2. We have then strongly revised KS in characteristic 2 to make it work. In all cases, the cost of our attacks is related to the complexity of solving MinRank. Thanks to recent complexity results on this problem, we prove that our attack is polynomial in the degree of the extension field for all possible practical settings used in HFE and Multi-HFE. This makes then Multi-HFE less secure than basic HFE for equally-sized keys. As a proof of concept, we have been able to practically break the most conservative proposed parameters of multi-HFE in few days (256 bits security broken in 9 days).
doi_str_mv	10.1007/s10623-012-9617-2
format	article
fullrecord	<record><control><sourceid>hal_cross</sourceid><recordid>TN_cdi_hal_primary_oai_HAL_hal_00776072v1</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>oai_HAL_hal_00776072v1</sourcerecordid><originalsourceid>FETCH-LOGICAL-c461t-298fa5db1f759ba18cedf677c50e879465ea01029c3073fee2112fd1a47b2d633</originalsourceid><addsrcrecordid>eNp9kEFLw0AQhRdRsFZ_gLdcPAiuzmya3eRYSmuFgBc9L9PNrk1Jk7KbFvrv3RjxKAzMMPPeY_gYu0d4RgD1EhCkSDmg4IVExcUFm2CmUq6yXF6yCRQi4whCXLObEHYAgCmICSsX_nzoqaXmHOqQdC5Zr5ZPyf7Y9DWPY0JtlZzI19T2IXGdT7qq-lnak20TsyVPpre-Dn1tbtmVoybYu98-ZZ-r5cdizcv317fFvORmJrHnosgdZdUGncqKDWFubOWkUiYDm6tiJjNLEH8tTAoqddYKROEqpJnaiEqm6ZQ9jrlbavTB13vyZ91RrdfzUg-7SERJUOKEUYuj1vguBG_dnwFBD-j0iE5HdHpAp0X0PIyeAwVDjfPUmjr8GYWSsWD4Q4y6EE_tl_V61x19ZBn-Cf8G1Ol8Uw</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic</title><source>Springer Nature</source><creator>Bettale, Luk ; Faugère, Jean-Charles ; Perret, Ludovic</creator><creatorcontrib>Bettale, Luk ; Faugère, Jean-Charles ; Perret, Ludovic</creatorcontrib><description>We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system—instead of a univariate polynomial in HFE—over an extension field as a private key. According to the authors, this should make the classical direct algebraic (message-recovery) attack proposed by Faugère and Joux on HFE no longer efficient against Multi-HFE. We consider here the hardness of the key-recovery in Multi-HFE and its variants, but also in HFE (both for odd and even characteristic). We first improve and generalize the basic key recovery proposed by Kipnis and Shamir on HFE. To do so, we express this attack as matrix/vector operations. In one hand, this permits to improve the basic Kipnis-Shamir (KS) attack on HFE. On the other hand, this allows to generalize the attack on Multi-HFE. Due to its structure, we prove that a Multi-HFE scheme has much more equivalent keys than a basic HFE. This induces a structural weakness which can be exploited to adapt the KS attack against classical modifiers of multivariate schemes such as minus and embedding. Along the way, we discovered that the KS attack as initially described cannot be applied against HFE in characteristic 2. We have then strongly revised KS in characteristic 2 to make it work. In all cases, the cost of our attacks is related to the complexity of solving MinRank. Thanks to recent complexity results on this problem, we prove that our attack is polynomial in the degree of the extension field for all possible practical settings used in HFE and Multi-HFE. This makes then Multi-HFE less secure than basic HFE for equally-sized keys. As a proof of concept, we have been able to practically break the most conservative proposed parameters of multi-HFE in few days (256 bits security broken in 9 days).</description><identifier>ISSN: 0925-1022</identifier><identifier>EISSN: 1573-7586</identifier><identifier>DOI: 10.1007/s10623-012-9617-2</identifier><language>eng</language><publisher>Boston: Springer US</publisher><subject>Algebra ; Applied sciences ; Circuits ; Coding and Information Theory ; Computer Science ; Computer science; control theory; systems ; Cryptography ; Cryptography and Security ; Cryptology ; Data Structures and Information Theory ; Discrete Mathematics in Computer Science ; Exact sciences and technology ; Field theory and polynomials ; Information and Communication ; Information, signal and communications theory ; Linear and multilinear algebra, matrix theory ; Mathematics ; Memory and file management (including protection and security) ; Memory organisation. Data processing ; Sciences and techniques of general use ; Signal and communications theory ; Software ; Telecommunications and information theory</subject><ispartof>Designs, codes, and cryptography, 2013-10, Vol.69 (1), p.1-52</ispartof><rights>Springer Science+Business Media, LLC 2012</rights><rights>2014 INIST-CNRS</rights><rights>Distributed under a Creative Commons Attribution 4.0 International License</rights><lds50>peer_reviewed</lds50><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c461t-298fa5db1f759ba18cedf677c50e879465ea01029c3073fee2112fd1a47b2d633</citedby><cites>FETCH-LOGICAL-c461t-298fa5db1f759ba18cedf677c50e879465ea01029c3073fee2112fd1a47b2d633</cites></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>230,314,780,784,885,27924,27925</link.rule.ids><backlink>$$Uhttp://pascal-francis.inist.fr/vibad/index.php?action=getRecordDetail&idt=27627603$$DView record in Pascal Francis$$Hfree_for_read</backlink><backlink>$$Uhttps://inria.hal.science/hal-00776072$$DView record in HAL$$Hfree_for_read</backlink></links><search><creatorcontrib>Bettale, Luk</creatorcontrib><creatorcontrib>Faugère, Jean-Charles</creatorcontrib><creatorcontrib>Perret, Ludovic</creatorcontrib><title>Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic</title><title>Designs, codes, and cryptography</title><addtitle>Des. Codes Cryptogr</addtitle><description>We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system—instead of a univariate polynomial in HFE—over an extension field as a private key. According to the authors, this should make the classical direct algebraic (message-recovery) attack proposed by Faugère and Joux on HFE no longer efficient against Multi-HFE. We consider here the hardness of the key-recovery in Multi-HFE and its variants, but also in HFE (both for odd and even characteristic). We first improve and generalize the basic key recovery proposed by Kipnis and Shamir on HFE. To do so, we express this attack as matrix/vector operations. In one hand, this permits to improve the basic Kipnis-Shamir (KS) attack on HFE. On the other hand, this allows to generalize the attack on Multi-HFE. Due to its structure, we prove that a Multi-HFE scheme has much more equivalent keys than a basic HFE. This induces a structural weakness which can be exploited to adapt the KS attack against classical modifiers of multivariate schemes such as minus and embedding. Along the way, we discovered that the KS attack as initially described cannot be applied against HFE in characteristic 2. We have then strongly revised KS in characteristic 2 to make it work. In all cases, the cost of our attacks is related to the complexity of solving MinRank. Thanks to recent complexity results on this problem, we prove that our attack is polynomial in the degree of the extension field for all possible practical settings used in HFE and Multi-HFE. This makes then Multi-HFE less secure than basic HFE for equally-sized keys. As a proof of concept, we have been able to practically break the most conservative proposed parameters of multi-HFE in few days (256 bits security broken in 9 days).</description><subject>Algebra</subject><subject>Applied sciences</subject><subject>Circuits</subject><subject>Coding and Information Theory</subject><subject>Computer Science</subject><subject>Computer science; control theory; systems</subject><subject>Cryptography</subject><subject>Cryptography and Security</subject><subject>Cryptology</subject><subject>Data Structures and Information Theory</subject><subject>Discrete Mathematics in Computer Science</subject><subject>Exact sciences and technology</subject><subject>Field theory and polynomials</subject><subject>Information and Communication</subject><subject>Information, signal and communications theory</subject><subject>Linear and multilinear algebra, matrix theory</subject><subject>Mathematics</subject><subject>Memory and file management (including protection and security)</subject><subject>Memory organisation. Data processing</subject><subject>Sciences and techniques of general use</subject><subject>Signal and communications theory</subject><subject>Software</subject><subject>Telecommunications and information theory</subject><issn>0925-1022</issn><issn>1573-7586</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2013</creationdate><recordtype>article</recordtype><recordid>eNp9kEFLw0AQhRdRsFZ_gLdcPAiuzmya3eRYSmuFgBc9L9PNrk1Jk7KbFvrv3RjxKAzMMPPeY_gYu0d4RgD1EhCkSDmg4IVExcUFm2CmUq6yXF6yCRQi4whCXLObEHYAgCmICSsX_nzoqaXmHOqQdC5Zr5ZPyf7Y9DWPY0JtlZzI19T2IXGdT7qq-lnak20TsyVPpre-Dn1tbtmVoybYu98-ZZ-r5cdizcv317fFvORmJrHnosgdZdUGncqKDWFubOWkUiYDm6tiJjNLEH8tTAoqddYKROEqpJnaiEqm6ZQ9jrlbavTB13vyZ91RrdfzUg-7SERJUOKEUYuj1vguBG_dnwFBD-j0iE5HdHpAp0X0PIyeAwVDjfPUmjr8GYWSsWD4Q4y6EE_tl_V61x19ZBn-Cf8G1Ol8Uw</recordid><startdate>20131001</startdate><enddate>20131001</enddate><creator>Bettale, Luk</creator><creator>Faugère, Jean-Charles</creator><creator>Perret, Ludovic</creator><general>Springer US</general><general>Springer</general><general>Springer Verlag</general><scope>IQODW</scope><scope>AAYXX</scope><scope>CITATION</scope><scope>1XC</scope><scope>VOOES</scope></search><sort><creationdate>20131001</creationdate><title>Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic</title><author>Bettale, Luk ; Faugère, Jean-Charles ; Perret, Ludovic</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c461t-298fa5db1f759ba18cedf677c50e879465ea01029c3073fee2112fd1a47b2d633</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2013</creationdate><topic>Algebra</topic><topic>Applied sciences</topic><topic>Circuits</topic><topic>Coding and Information Theory</topic><topic>Computer Science</topic><topic>Computer science; control theory; systems</topic><topic>Cryptography</topic><topic>Cryptography and Security</topic><topic>Cryptology</topic><topic>Data Structures and Information Theory</topic><topic>Discrete Mathematics in Computer Science</topic><topic>Exact sciences and technology</topic><topic>Field theory and polynomials</topic><topic>Information and Communication</topic><topic>Information, signal and communications theory</topic><topic>Linear and multilinear algebra, matrix theory</topic><topic>Mathematics</topic><topic>Memory and file management (including protection and security)</topic><topic>Memory organisation. Data processing</topic><topic>Sciences and techniques of general use</topic><topic>Signal and communications theory</topic><topic>Software</topic><topic>Telecommunications and information theory</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Bettale, Luk</creatorcontrib><creatorcontrib>Faugère, Jean-Charles</creatorcontrib><creatorcontrib>Perret, Ludovic</creatorcontrib><collection>Pascal-Francis</collection><collection>CrossRef</collection><collection>Hyper Article en Ligne (HAL)</collection><collection>Hyper Article en Ligne (HAL) (Open Access)</collection><jtitle>Designs, codes, and cryptography</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Bettale, Luk</au><au>Faugère, Jean-Charles</au><au>Perret, Ludovic</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic</atitle><jtitle>Designs, codes, and cryptography</jtitle><stitle>Des. Codes Cryptogr</stitle><date>2013-10-01</date><risdate>2013</risdate><volume>69</volume><issue>1</issue><spage>1</spage><epage>52</epage><pages>1-52</pages><issn>0925-1022</issn><eissn>1573-7586</eissn><abstract>We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system—instead of a univariate polynomial in HFE—over an extension field as a private key. According to the authors, this should make the classical direct algebraic (message-recovery) attack proposed by Faugère and Joux on HFE no longer efficient against Multi-HFE. We consider here the hardness of the key-recovery in Multi-HFE and its variants, but also in HFE (both for odd and even characteristic). We first improve and generalize the basic key recovery proposed by Kipnis and Shamir on HFE. To do so, we express this attack as matrix/vector operations. In one hand, this permits to improve the basic Kipnis-Shamir (KS) attack on HFE. On the other hand, this allows to generalize the attack on Multi-HFE. Due to its structure, we prove that a Multi-HFE scheme has much more equivalent keys than a basic HFE. This induces a structural weakness which can be exploited to adapt the KS attack against classical modifiers of multivariate schemes such as minus and embedding. Along the way, we discovered that the KS attack as initially described cannot be applied against HFE in characteristic 2. We have then strongly revised KS in characteristic 2 to make it work. In all cases, the cost of our attacks is related to the complexity of solving MinRank. Thanks to recent complexity results on this problem, we prove that our attack is polynomial in the degree of the extension field for all possible practical settings used in HFE and Multi-HFE. This makes then Multi-HFE less secure than basic HFE for equally-sized keys. As a proof of concept, we have been able to practically break the most conservative proposed parameters of multi-HFE in few days (256 bits security broken in 9 days).</abstract><cop>Boston</cop><pub>Springer US</pub><doi>10.1007/s10623-012-9617-2</doi><tpages>52</tpages><oa>free_for_read</oa></addata></record>
fulltext	fulltext
identifier	ISSN: 0925-1022
ispartof	Designs, codes, and cryptography, 2013-10, Vol.69 (1), p.1-52
issn	0925-1022 1573-7586
language	eng
recordid	cdi_hal_primary_oai_HAL_hal_00776072v1
source	Springer Nature
subjects	Algebra Applied sciences Circuits Coding and Information Theory Computer Science Computer science control theory systems Cryptography Cryptography and Security Cryptology Data Structures and Information Theory Discrete Mathematics in Computer Science Exact sciences and technology Field theory and polynomials Information and Communication Information, signal and communications theory Linear and multilinear algebra, matrix theory Mathematics Memory and file management (including protection and security) Memory organisation. Data processing Sciences and techniques of general use Signal and communications theory Software Telecommunications and information theory
title	Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic
url	http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-29T03%3A00%3A21IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-hal_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Cryptanalysis%20of%20HFE,%20multi-HFE%20and%20variants%20for%20odd%20and%20even%20characteristic&rft.jtitle=Designs,%20codes,%20and%20cryptography&rft.au=Bettale,%20Luk&rft.date=2013-10-01&rft.volume=69&rft.issue=1&rft.spage=1&rft.epage=52&rft.pages=1-52&rft.issn=0925-1022&rft.eissn=1573-7586&rft_id=info:doi/10.1007/s10623-012-9617-2&rft_dat=%3Chal_cross%3Eoai_HAL_hal_00776072v1%3C/hal_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c461t-298fa5db1f759ba18cedf677c50e879465ea01029c3073fee2112fd1a47b2d633%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true