A “Medium-Field” Multivariate Public-Key Encryption Scheme

  • Lih-Chung Wang
  • Bo-Yin Yang
  • Yuh-Hua Hu
  • Feipei Lai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3860)


Electronic commerce fundamentally requires two different public-key cryptographical primitives, for key agreement and authentication. We present the new encryption scheme MFE, and provide a performance and security review. MFE belongs to the \(\mathcal{MQ}\) class, an alternative class of PKCs also termed Polynomial-Based, or multivariate. They depend on multivariate quadratic systems being unsolvable.

The classical trapdoors central to PKC’s are modular exponentiation for RSA and discrete logarithms for ElGamal/DSA/ECC. But they are relatively slow and will be obsoleted by the arrival of QC (Quantum Computers). The argument for \(\mathcal{MQ}\)-schemes is that they are usually faster, and there are no known QC-assisted attacks on them.

There are several \(\mathcal{MQ}\) digital signature schemes being investigated today. But encryption (or key exchange schemes) are another story — in fact, only two other \(\mathcal{MQ}\)-encryption schemes remain unbroken. They are both built along “big-field” lines. In contrast MFE uses medium-sized field extensions, which makes it faster. For security and efficiency, MFE employs an iteratively triangular decryption process which involves rational functions (called by some “tractable rational maps”) and taking square roots. We discuss how MFE avoids previously known pitfalls of this genre while addressing its security concerns.


multivariate (\(\mathcal{MQ}\)) public key cryptosystem Galois field extended triangular form tame-like map tractable rational map MFE 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [ACD+03]
    Akkar, M., Courtois, N., Duteuil, R., Goubin, L.: A Fast and Secure Implementation of SFLASH. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 267–278. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. [AFS+04]
    Ars, G., Faugère, J.-C., Sugita, M., Kawazoe, M., Imai, H.: Comparison of XL and Gröbner Bases Algorithms over Finite Fields. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323–337. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. [BFS04]
    Bardet, M., Faugère, J.-C., Salvy, B.: Complexity of Gröbner Basis Computations for Regular Overdetermined Systems, INRIA report RR-5049, and presentation at the ICSPP conference honoring Daniel LazardGoogle Scholar
  4. [BFS+05]
    Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems, presentation at the MEGA 2005 conference and a chapter of Ph.D. thesis by M. Bardet (2004)Google Scholar
  5. [BWP05]
    Braeken, A., Wolf, C., Preneel, B.: A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 29–43. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. [CSV93]
    Coppersmith, D., Stern, J., Vaudenay, S.: Attacks on the Birational Permutation Signature Schemes. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 435–443. Springer, Heidelberg (1994)Google Scholar
  7. [Cou03]
    Courtois, N.: Generic Attacks and the Security of Quartz. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 351–364. Springer, Heidelberg (2002); Also see E-Print Archive 2004/143Google Scholar
  8. [CDF03]
    Courtois, N., Daum, M., Felke, P.: On the Security of HFE, HFEv-, and Quartz. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 337–350. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. [CKP+00]
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  10. [Die04]
    Diem, C.: The XL-algorithm and a conjecture from commutative algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. [Din04]
    Ding, J.: A New Variant of the Matsumoto-Imai Cryptosystem through Perturbation. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 305–318. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  12. [DG05]
    Ding, J., Gower, J.: Inoculating Multivariate Schemes Against Differential Attacks, private communication and manuscript, E-Print Archive, 2005/255Google Scholar
  13. [DS05]
    Ding, J., Schmidt, D.: Cryptanalysis of HFEv and Internal Perturbation of HFE. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 288–301. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. [DS05a]
    Ding, J., Schmidt, D.: Rainbow, a new Digitial Multivariate Signature Scheme. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. [DY04]
    Ding, J., Yin, Y.: Cryptanalysis of a TTS Implementation. In: Presentation at the IWAP, conference (2004)Google Scholar
  16. [Fau99]
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  17. [Fau02]
    Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases without Reduction to Zero (F5). In: Proc. ISSAC. ACM Press, New York (2002)Google Scholar
  18. [FJ03]
    Faugère, J.-C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Equations (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. [FGS05]
    Fouque, P.-A., Granboulan, L., Stern, J.: Differential Cryptanalysis for Multivariate Schemes. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 341–353. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. [GJ79]
    Garey, M., Johnson, D.: Computers and Intractability, A Guide to the Theory of NP-completeness, Freeman and Co., p. 251 (1979)Google Scholar
  21. [GM02]
    Gilbert, H., Minier, M.: Cryptanalysis of SFLASH. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 288–298. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. [GC00]
    Goubin, L., Courtois, N.: Cryptanalysis of the TTM Cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  23. [Gro96]
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proc. 28th Annual ACM Symposium on Theory of Computing, pp. 212–220 (1996)Google Scholar
  24. [HNP+03]
    Howgrave-Graham, N., Nguyen, P., Pointcheval, D., Proos, J., Silverman, J., Singer, A., Whyte, W.: The Impact of Decryption Failures on the Security of NTRU decryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  25. [JKM+05]
    Joux, A., Kunz-Jacques, S., Muller, F., Ricordel, P.-M.: Cryptanalysis of the Tractable Rational Map Cryptosystem. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 258–274. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  26. [KO63]
    Karatsuba, A., Ofman, Y.: Multiplication of Many-Digital Numbers by Automatic Computers. In: Nauk, D.A. (ed.) SSSR, vol. 145, pp. 293–294 (1962); Translation in Physics-Doklady 7, p. 595-596 (1963)Google Scholar
  27. [KPG99]
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced Oil and Vinegar Signature Schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)Google Scholar
  28. [KS98]
    Kipnis, A., Shamir, A.: Cryptanalysis of the Oil and Vinegar Signature Scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998)Google Scholar
  29. [MI88]
    Matsumoto, T., Imai, H.: Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  30. [Moh99]
    Moh, T.: A Public Key System with Signature and Master Key Functions. Communications in Algebra 27, 2207–2222 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  31. [Nessie]
    NESSIE project homepage,
  32. [Pat95]
    Patarin, J.: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 1988. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)Google Scholar
  33. [Pat96]
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  34. [PGC98]
    Patarin, J., Goubin, L., Courtois, N.: C\(^*_{-+}\) and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–49. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  35. [PCG01]
    Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-Bit Long Digital Signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001); Update available at [Nessie]Google Scholar
  36. [PCG01a]
    Patarin, J., Courtois, N., Goubin, L.: FLASH, a Fast Multivariate Signature Algorithm. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 298–307. Springer, Heidelberg (2001); Update available at [Nessie]Google Scholar
  37. [Sho94]
    Shor, P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: Goldwasser, S. (ed.) Proc. 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE Computer Society Press, Los Alamitos (1994)CrossRefGoogle Scholar
  38. [WC04]
    L.-C.: Wang, and F.-H. Chang, Tractable Rational Map Cryptosystem, manuscript, E-Print Archive 2004/046Google Scholar
  39. [WC05]
    Wang, L.-C., Chang, F.-H.: Revision of Tractable Rational Map Cryptosystem, manuscript, on the E-Print ArchiveGoogle Scholar
  40. [WHL+05]
    Wang, L.-C., Hu, Y.-H., Lai, F.-P., Chou, C.-Y., Yang, B.-Y.: Tractable Rational Map Signature. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 244–257. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  41. [Wol04]
    Wolf, C.: Efficient Public Key Generation for Multivariate Cryptosystems. In: Proc. ERACOM Conference and Workshop on Cryptographic Algorithms and their Uses (July 5-6, 2004); also see E-Print Archive 2003/089Google Scholar
  42. [WBP04]
    Wolf, C., Braeken, A., Preneel, B.: Efficient Cryptanalysis of RSE(2)PKC and RSSE(2)PKC. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 294–309. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  43. [WP05]
    Wolf, C., Preneel, B.: Taxonomy of Public-Key Schemes based on the Problem of Multivariate Quadratic Equations, manuscript, E-Print Archive 2005/077Google Scholar
  44. [WP05a]
    Wolf, C., Preneel, B.: Superfluous keys in Multivariate Quadratic asymmetric systems. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 275–287. Springer, Heidelberg (2005); Extended version at E-Print Archive 2004/361Google Scholar
  45. [YC04]
    Yang, B.-Y., Chen, J.-M.: All in the XL Family: Theory and Practice. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  46. [YC05]
    Yang, B.-Y., Chen, J.-M.: Rank Attacks and Defence in Tame-Like Multivariate PKC’s. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 518–531. Springer, Heidelberg (2005); Older version at E-Print Archive 2004/061Google Scholar
  47. [YCCh04]
    Yang, B.-Y., Chen, J.-M., Chen, Y.-H.: TTS: High-Speed Signatures from Low-End Smartcards. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 371–385. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  48. [YCCo04]
    Yang, B.-Y., Chen, J.-M., Courtois, N.: On Asymptotic Security Estimates in XL and Gröbner Bases-Related Algebraic Cryptanalysis. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Lih-Chung Wang
    • 1
  • Bo-Yin Yang
    • 2
    • 3
  • Yuh-Hua Hu
    • 4
  • Feipei Lai
    • 4
  1. 1.Department of Applied MathematicsNational Donghua UniversityHualienTaiwan
  2. 2.Department of MathematicsTamkang UniversityTamsuiTaiwan
  3. 3.Taiwan Information Security CenterTaipei
  4. 4.Department of Computer Science and EngineeringNational Taiwan UniversityTaipeiTaiwan

Personalised recommendations