Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Journal of Mathematical Cryptology

Managing Editor: Magliveras, Spyros S. / Steinwandt, Rainer / Trung, Tran

Editorial Board: Blackburn, Simon R. / Blundo, Carlo / Burmester, Mike / Cramer, Ronald / Dawson, Ed / Gilman, Robert / Gonzalez Vasco, Maria Isabel / Grosek, Otokar / Helleseth, Tor / Kim, Kwangjo / Koblitz, Neal / Kurosawa, Kaoru / Lauter, Kristin / Lange, Tanja / Menezes, Alfred / Nguyen, Phong Q. / Pieprzyk, Josef / Rötteler, Martin / Safavi-Naini, Rei / Shparlinski, Igor E. / Stinson, Doug / Takagi, Tsuyoshi / Williams, Hugh C. / Yung, Moti

CiteScore 2017: 1.43

SCImago Journal Rank (SJR) 2017: 0.293
Source Normalized Impact per Paper (SNIP) 2017: 1.117

Mathematical Citation Quotient (MCQ) 2017: 0.51

See all formats and pricing
More options …
Volume 5, Issue 3-4


A family of weak keys in HFE and the corresponding practical key-recovery

Charles Bouillaguet / Pierre-Alain Fouque / Antoine Joux / Joana Treger
  • Agence Nationale de la Sécurité des Systèmes d'Information; and Université de Versailles, Saint-Quentin-en-Yveline, France
  • Email
  • Other articles by this author:
  • De Gruyter OnlineGoogle Scholar
Published Online: 2012-01-25 | DOI: https://doi.org/10.1515/jmc.2011.012


The HFE (hidden field equations) cryptosystem is one of the most interesting public-key multivariate schemes. It has been proposed more than 10 years ago by Patarin and seems to withstand the attacks that break many other multivariate schemes, since only subexponential ones have been proposed. The public key is a system of quadratic equations in many variables. These equations are generated from the composition of the secret elements: two linear mappings and a polynomial of small degree over an extension field. In this paper we show that there exist weak keys in HFE when the coefficients of the internal polynomial are defined in the ground field. In this case, we reduce the secret key recovery problem to an instance of the Isomorphism of Polynomials (IP) Problem between the equations of the public key and themselves. Even though the hardness of recovering the secret-key of schemes such as SFLASH or relies on the hardness of the IP Problem, this is normally not the case for HFE, since the internal polynomial is kept secret. However, when a weak key is used, we show how to recover all the components of the secret key in practical time, given a solution to an instance of the IP Problem. This breaks in particular a variant of HFE proposed by Patarin to reduce the size of the public key and called the “subfield variant”. Recovering the secret key takes a few minutes.

Keywords.: Cryptanalysis; multivariate cryptography; HFE; weak keys; Gröbner bases

About the article

Received: 2010-06-01

Revised: 2011-08-01

Accepted: 2011-08-10

Published Online: 2012-01-25

Published in Print: 2012-02-01

Citation Information: Journal of Mathematical Cryptology, Volume 5, Issue 3-4, Pages 247–275, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976, DOI: https://doi.org/10.1515/jmc.2011.012.

Export Citation

Comments (0)

Please log in or register to comment.
Log in