2011
DOI: 10.1007/978-3-642-19379-8_27

Cryptanalysis of Multivariate and Odd-Characteristic HFE Variants

Abstract: We investigate the security of a generalization of HFE (multivariate and odd-characteristic variants). First, we propose an improved version of the basic Kipnis-Shamir key recovery attack against HFE. Second, we generalize the Kipnis-Shamir attack to Multi-HFE. The attack reduces to solving a MinRank problem directly on the public key. This leads to an improvement of a factor corresponding to the square of the degree of the extension field. We used recent results on MinRank to show that our attack is p…

Cited by 20 publications (27 citation statements)
References 23 publications
“…After the present paper was submitted, a paper by Bettale, Faugère and Perret [2] was published that has some commonality with ours. In this article, the authors come to similar conclusions on the security of the HFE systems, but with respect only to the Kipnis-Shamir attack.…”
Section: Y N ) (mentioning)
confidence: 57%
“…On the other hand, the reduction provided by the algorithm in [17] to remove the projection modifier succeeds in transforming pSFLASH into an HFE− scheme. Although the transformation removes the C* properties of the core map, it may well prove to be the case that the extra structure the resultant particular HFE− scheme retains may reveal a weakness.…”
Section: Results (mentioning)
confidence: 99%
“…We recall that in [11] it was established that pSFLASH with appropriately chosen parameters has no general linear differential symmetries and is thus immune to any type of differential attack relying on the accumulation of linear equations involving the differential of the public key. While it has been established in [17] that the projection in pSFLASH can be removed, the structure when the projection modifier is removed is no longer that of a C* function; rather, it is an HFE− scheme. Thus pSFLASH is no more secure than HFE−, which remains unbroken.…”
Section: Invariant Properties Under Projection (mentioning)
confidence: 99%
“…We have implemented our attack in practice and verified that this assumption is reasonable. We highlight that our theoretical results work in characteristic 2 which is known to be the most difficult case to address in theory [17,18,19] for MinRank attacks. Also, we emphasize that our attack works without any restriction on the number of polynomials removed from the public-key (the minus modifier).…”
Section: Our Contribution (mentioning)
confidence: 99%
“…In particular, one of the most important characteristics of MQ schemes that allows a successful key-recovery is connected to unexpected high rank defect on the matrices associated to the public-key. The attacks on TTM [12], STS [13,14], Rainbow [15], HFE and MultiHFE [16,17,18,19] are all in essence based on the problem of finding a low rank linear combination of matrices, known as MinRank in cryptography [20]. This problem is NP-hard [20] and was used to design a zero-knowledge authentication scheme [21].…”
Section: Introduction (mentioning)
confidence: 99%