Abstract.
The HFE (hidden field equations) cryptosystem is one of the most
interesting public-key multivariate schemes. It was proposed
more than 10 years ago by Patarin and seems to withstand the attacks
that break many other multivariate schemes, since only
subexponential ones have been proposed. The public key is a system
of quadratic equations in many variables. These equations are
generated from the composition of the secret elements: two linear
mappings and a polynomial of small degree over an extension field.
In this paper we show that there exist weak keys in HFE when the
coefficients of the internal polynomial are defined in the ground
field. In this case, we reduce the secret key recovery problem to an
instance of the Isomorphism of Polynomials (IP) Problem between the
equations of the public key and themselves. Even though the hardness
of recovering the secret key of schemes such as SFLASH or
relies on the hardness of the IP Problem, this is normally not the
case for HFE, since the internal polynomial is kept secret. However,
when a weak key is used, we show how to recover all the components
of the secret key in practical time, given a solution to an instance
of the IP Problem. This breaks in particular a variant of HFE
proposed by Patarin to reduce the size of the public key and called
the “subfield variant”. Recovering the secret key takes a few
minutes.
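
The following is an added example, not code from the paper. It illustrates a standard algebraic fact behind this kind of weak key: an HFE-shaped internal polynomial whose coefficients all lie in the ground field commutes with the Frobenius map, which is the kind of self-symmetry that an IP instance between the public key and itself exposes. The toy field GF(2^8), the ground field GF(2), the sample polynomials and all function names are assumptions chosen for illustration; the check `is_weak_key` is the test a key generator would apply to reject such keys.

```python
# Toy extension field GF(2^8) over the ground field GF(2) (assumed parameters).
N = 8
MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply two elements of GF(2^N), each encoded as an integer < 2^N."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= MOD
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^N)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def frobenius(x):
    """Frobenius map x -> x^2 of GF(2^N) over GF(2)."""
    return gf_mul(x, x)

def hfe_eval(coeffs, x):
    """Evaluate sum of c * x^(2^i + 2^j) for coeffs = {(i, j): c}."""
    acc = 0
    for (i, j), c in coeffs.items():
        acc ^= gf_mul(c, gf_pow(x, (1 << i) + (1 << j)))
    return acc

def commutes_with_frobenius(coeffs):
    """True if F(x^2) == F(x)^2 for every x in the field (exhaustive check)."""
    return all(hfe_eval(coeffs, frobenius(x)) == frobenius(hfe_eval(coeffs, x))
               for x in range(1 << N))

def is_weak_key(coeffs):
    """Key-generation check: every coefficient lies in the ground field GF(2)."""
    return all(c in (0, 1) for c in coeffs.values())

# Constructed sample polynomials (not taken from the paper).
WEAK = {(0, 1): 1, (1, 2): 1, (0, 3): 1, (0, 0): 1}          # coefficients in GF(2)
STRONG = {(0, 1): 0x53, (1, 2): 1, (0, 3): 0xCA, (0, 0): 1}  # coefficients in GF(2^8)
```
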
© 2012 by Walter de Gruyter Berlin Boston
This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.