Key recovery on hidden monomial multivariate schemes

Abstract

In this paper, we study the key recovery problem for the C* scheme and generalisations where the quadratic monomial of C* (the product of two linearized monomials) is replaced by a product of three or more linearized monomials. This problem has been further generalized to any system of multivariate polynomials hidden by two invertible linear maps and named the Isomorphism of Polynomials (IP) problem by Patarin. Some cryptosystems have been built on this apparently hard problem such as an authentication protocol proposed by Patarin and a traitor tracing scheme proposed by Billet and Gilbert. Here we show that if the hidden multivariate system is the projection of a quadratic monomial on a base finite field, as in C*, or a cubic (or higher) monomial as in the traitor tracing scheme, then it is possible to recover an equivalent secret key in polynomial time O(n d ) where n is the number of variables and d is the degree of the public polynomials. © 2008 Springer-Verlag Berlin Heidelberg.