Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic

Bettale, Luk; Faugère, Jean-Charles; Perret, Ludovic

doi:10.1007/s10623-012-9617-2

Cited by 86 publications

(72 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The kernel routines run over small finite fields and are usually lifted over Z, Q or Z[X]. They are used in algebraic cryptanalysis [15,3], computational number theory [27], or integer linear programming [18] and they benefit from the experience in numerical linear algebra. In particular, a key point there is to embed the finite field elements in integers stored as floating point numbers, and then rely on the efficiency of the floating point matrix multiplication dgemm of the BLAS.…”

Section: Introductionmentioning

confidence: 99%

Recursion based parallelization of exact dense linear algebra routines for Gaussian elimination

et al. 2016

View full text Add to dashboard Cite

We present block algorithms and their implementation for the parallelization of sub-cubic Gaussian elimination on shared memory architectures. Contrarily to the classical cubic algorithms in parallel numerical linear algebra, we focus here on recursive algorithms and coarse grain parallelization. Indeed, sub-cubic matrix arithmetic can only be achieved through recursive algorithms making coarse grain block algorithms perform more efficiently than fine grain ones. This work is motivated by the design and implementation of dense linear algebra over a finite field, where fast matrix multiplication is used extensively and where costly modular reductions also advocate for coarse grain block decomposition. We incrementally build efficient kernels, for matrix multiplication first, then triangular system solving, on top of which a recursive PLUQ decomposition algorithm is built. We study the parallelization of these kernels using several algorithmic variants: either iterative or recursive and using different splitting strategies. Experiments show that recursive adaptive methods for matrix multiplication, hybrid recursive-iterative methods for triangular system solve and tile recursive versions of the PLUQ decomposition, together with various data mapping policies, provide the best performance on a 32 cores NUMA architecture. Overall, we show that the overhead of modular reductions is more than compensated by the fast linear algebra algorithms and that exact dense linear algebra matches the performance of full rank reference numerical software even in the presence of rank deficiencies.

show abstract

Section: Introductionmentioning

confidence: 99%

Recursion based parallelization of exact dense linear algebra routines for Gaussian elimination

et al. 2016

View full text Add to dashboard Cite

show abstract

“…We have implemented our attack in practice and verified that this assumption is reasonable. We highlight that our theoretical results work in characteristic 2 which is known to be the most difficult case to address in theory [17,18,19] for MinRank attacks. Also, we emphasize that our attack works without any restriction on the number of polynomials removed from the public-key (the minus modifier).…”

Section: Our Contributionmentioning

confidence: 99%

“…In particular, one of the most important characteristic of MQ schemes that allows a successful key-recovery is connected to unexpected high rank defect on the matrices associated to the public-key. The attacks on TTM [12], STS [13,14], Rainbow [15], HFE and MultiHFE [16,17,18,19] are all in essence based on the problem of finding a low rank linear combination of matrices, known as MinRank in cryptography [20]. This problem is NP-hard [20] and was used to design a zero-knowledge authentication scheme [21].…”

Section: Introductionmentioning

confidence: 99%

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

Faugère

Gligoroski²,

Perret

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial time key-recovery attack. Our key-recovery attack finds an equivalent key using the idea of so-called good keys that reveals the structure gradually. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial-time assuming some mild algebraic assumptions. We highlight that our theoretical results work in characteristic 2 which is known to be the most difficult case to address in theory for MinRank attacks. Also, we emphasize that our attack works without any restriction on the number of polynomials removed from the public-key, that is, using the minus modifier. This was not the case for previous MinRank like-attacks against MQ schemes. From a practical point of view, we are able to break an MQQ-SIG instance of 80 bits security in less than 2 days, and one of the more conservative MQQ-ENC instances of 128 bits security in little bit over 9 days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure.

show abstract

“…For characteristic 2, HFE is vulnerable to the direct algebraic attack [10]. Recently, some authors improved the KS attack and were able to break certain HFE systems, over both odd and even characteristic [2].…”

Section: Introductionmentioning

confidence: 99%

“…One of the latest, Multi-HFE [11], proposes to use as core map a system of multivariate polynomials over K, instead of a single HFE polynomial. This cryptosystem was broken by means of a generalization of the Kipnis-Shamir MinRank attack [2].…”

Section: Introductionmentioning

confidence: 99%

New Candidates for Multivariate Trapdoor Functions

Porras

Baena

Ding

2015

Revista Colombiana de Matemáticas

View full text Add to dashboard Cite

Abstract. We present a new method for building pairs of HFE polynomials of high degree, such that the map constructed with such a pair is easy to invert. The inversion is accomplished using a low degree polynomial of Hamming weight three, which is derived from a special reduction via Hamming weight three polynomials produced by these two HFE polynomials. This allows us to build new candidates for multivariate trapdoor functions in which we use the pair of HFE polynomials to fabricate the core map. We performed the security analysis for the case where the base field is GF (2) and showed that these new trapdoor functions have high degrees of regularity, and therefore they are secure against the direct algebraic attack. We also give theoretical arguments to show that these new trapdoor functions over GF (2) are secure against the MinRank attack as well.

show abstract

Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic

Cited by 86 publications

References 38 publications

Recursion based parallelization of exact dense linear algebra routines for Gaussian elimination

Recursion based parallelization of exact dense linear algebra routines for Gaussian elimination

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

New Candidates for Multivariate Trapdoor Functions

Contact Info

Product

Resources

About