Algebraic cryptanalysis of HFE and Filter Generators

Jean-Charles Faugère 1
1 SPACES - Solving problems through algebraic computation and efficient software
INRIA Lorraine, LORIA - Laboratoire Lorrain de Recherche en Informatique et ses Applications
Abstract : HFE (Hidden Fields Equations) is a public key cryptosystem using polynomial operations over finite fields. It has been proposed by Jacques Patarin at Eurocrypt 96 following the ideas of Matsumoto and Imai. It has long been regarded as a very promising cryptosystem because it can be used to produce signatures as short as 128, 100 and even 80 bits. HFE gives the shortest (unbroken) signatures known except with the recent McEliece signature scheme. The idea of HFE is the following: a univariate polynomial $P(X)$ is chosen (the secret key). Next the univariate polynomial structure is hidden by replacing $x$ by $\sum_{i=0} x_i w^i$ where $w$ is a primitive root of $GF(2^n)$ and $f_i$ is the coefficient of $w^i$ in the previous expression. Now if $P$ is of hamming weight $2$ (resp. $d$) we obtain an algebraic system of degree $2$ (resp. $d$) (it is the public key): $$\{f_0=f_1=\cdots,f_{n-1}=0\}$$ More precisely if $y\in GF(2^n)$ is the original message then $z_i=f_i(y)$ is the encrypted message. Recover the original message knowing the secret key is easy since it is equivalent to find the roots of a univariate polynomial; on the other hand with only the public key it is a difficult problem since it is equivalent to solve the {\em polynomial system}: $z_i=f_i(x_1,\ldots,x_n)$. Hence to study HFE it is necessary to study and to solve polynomial system of equations. One of the most efficient tool for solving algebraic system is Gröbner bases (Buchberger). By computing a Gröbner basis of $$ V =\{(x_1,\ldots,x_n)\in GF(2)^n\,|\, f_1(x_1,\ldots,x_n)=\cdots=f_n(x_1,\ldots,x_n)\} $$ one can find the solutions of any system. More generally, in Cryptography (or even some decoding problems in Error-Correcting Codes): most of the cryptosystems can be rewritten into algebraic equations; thus it is necessary to evaluate theoretically and practically the complexity of computing Gröbner bases over $GF(2)$. Note that this method («algebraic cryptanalysis») is completely automatic. Another example of this reduction to algebraic equations is nonlinear filter generators. In such a device, a pseudo random sequence is generated as a non linear function $f$ of the stages of a Linear Feedback Shift Register (LFSR). Thus, it is obvious that we can describe the generator by an algebraic system of $N$ equations of degree $d$ where $N$ is the size of the output sequence and $d$ the degree of the boolean function. In this talk we present several new results: \begin{itemize} \item we describe briefly a new efficient algorithm for computing computing Gröbner bases over GF(2). This algorithm is several order of magnitude faster than any other algorithms. This is a fundamental tool for testing real size cryptosystems but also to derive useful theoretical bounds. \item by using this tool we can break the {\em first HFE Challenge} of Patarin (corresponding to n=80,d=96) in only two days of CPU time. We are also able to find {\em experimentally} the complexity for solving HFE: for instance, when $16 < d < 129$ (resp. $128
Type de document :
Communication dans un congrès
Pascale Charpin. International Workshop on Coding and Cryptography - WCC 2003, 2003, Versailles, France, 3 p, 2003
Liste complète des métadonnées
Contributeur : Publications Loria <>
Soumis le : mardi 26 septembre 2006 - 09:40:46
Dernière modification le : jeudi 11 janvier 2018 - 06:20:00


  • HAL Id : inria-00099733, version 1



Jean-Charles Faugère. Algebraic cryptanalysis of HFE and Filter Generators. Pascale Charpin. International Workshop on Coding and Cryptography - WCC 2003, 2003, Versailles, France, 3 p, 2003. 〈inria-00099733〉



Consultations de la notice