Inverting HFE Is Quasipolynomial

Granboulan, Louis; Joux, Antoine; Stern, Jacques

doi:10.1007/11818175_20

Cited by 41 publications

(72 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Solving HFE directly is considered to be sub-exponential [22], and a "standard" HFE implementation for 2 80 security works over F 2 103 with degree d = 129. We know of no timings below 100 million cycles on a modern processor like a Core 2.…”

Section: Hidden Field Equation (Hfe) Encryption Schemesmentioning

confidence: 99%

SSE Implementation of Multivariate PKCs on Modern x86 CPUs

Chen

et al. 2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Multivariate Public Key Cryptosystems (MPKCs) are often touted as future-proofing against Quantum Computers. It also has been known for efficiency compared to "traditional" alternatives. However, this advantage seems to erode with the increase of arithmetic resources in modern CPUs and improved algorithms, especially with respect to Elliptic Curve Cryptography (ECC). In this paper, we show that hardware advances do not just favor ECC. Modern commodity CPUs also have many small integer arithmetic/logic resources, embodied by SSE2 or other vector instruction sets, that are useful for MPKCs. In particular, Intel's SSSE3 instructions can speed up both public and private maps over prior software implementations of Rainbow-type systems up to 4×. Furthermore, MPKCs over fields of relatively small odd prime characteristics can exploit SSE2 instructions, supported by most modern 64-bit Intel and AMD CPUs. For example, Rainbow over F31 can be up to 2× faster than prior implementations of similarly-sized systems over F16. Here a key advance is in using Wiedemann (as opposed to Gauss) solvers to invert the small linear systems in the central maps. We explain the techniques and design choices in implementing our chosen MPKC instances over fields such as F31, F16 and F256. We believe that our results can easily carry over to modern FPGAs, which often contain a large number of small multipliers, usable by odd-field MPKCs.

show abstract

Section: Hidden Field Equation (Hfe) Encryption Schemesmentioning

confidence: 99%

SSE Implementation of Multivariate PKCs on Modern x86 CPUs

Chen

et al. 2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…This line of research dates back to the mid eighties with the design of C * [35], later followed by many other proposals, e.g., [44,30,14,41,28,49,50]. While this family of designs is commonly considered to be an interesting alternative to constructions based on number-theoretic problems (in the post-quantum setting), it suffers from a lack of clear security reductions to well-understood problems, leading to a series of attacks, e.g., [29,13,18,24,20,17,19,15].…”

Section: Introductionmentioning

confidence: 99%

Practical Cryptanalysis of a Public-Key Encryption Scheme Based on New Multivariate Quadratic Assumptions

Albrecht

Faugère

Fitzpatrick

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this paper, we investigate the security of a public-key encryption scheme introduced by Huang, Liu and Yang (HLY) at PKC'12. This new scheme can be provably reduced to the hardness of solving a set of quadratic equations whose coefficients of highest degree are chosen according to a discrete Gaussian distributions. The other terms being chosen uniformly at random. Such a problem is a variant of the classical problem of solving a system of non-linear equations (PoSSo), which is known to be hard for random systems. The main hypothesis of Huang, Liu and Yang is that their variant is not easier than solving PoSSo for random instances. In this paper, we disprove this hypothesis. To this end, we exploit the fact that the new problem proposed by Huang, Liu and Yang reduces to an easy instance of the Learning With Errors (LWE) problem. The main contribution of this paper is to show that security and efficiency are essentially incompatible for the HLY proposal. That is, one cannot find parameters which yield a secure and a practical scheme. For instance, we estimate that a public-key of at least 1.03 GB is required to achieve 80-bit security against known attacks. As a proof of concept, we present practical attacks against all the parameters proposed Huang, Liu and Yang. We have been able to recover the private-key in roughly one day for the first challenge i.e. Case 1 proposed by HLY and in roughly three days for the second challenge i.e. Case 2 .

show abstract

“…The notions of degree of regularity and semi-regularity in [2] can be generalized to the case when q is odd. However, the asymptotic analysis on which the results of [15] depend, has not yet been generalized to this situation. The work in [11] seemed to suggest that HFE systems over a field of odd characteristic could resist the attack of Gröbner basis algorithms even when D is small.…”

Section: Introductionmentioning

confidence: 99%

“…A breakthrough in case of general q came in the recent work of Dubois and Gama [12]. They first refined and gave a rigorous mathematical foundation for the arguments in [15]. They then derived a new method to compute the degree of regularity over any field similar to that in [2].…”

Section: Introductionmentioning

confidence: 99%