Hidden Field Equations

Hidden Fields Equations (HFE), also known as HFE trapdoor function, is a public key cryptosystem which was introduced at Eurocrypt in 1996 and proposed by Jacques Patarin following the idea of the Matsumoto and Imai system. It is based on polynomials over finite fields $\mathbb_q$ of different size to disguise the relationship between the private key and public key. HFE is in fact a family which consists of basic HFE and combinatorial versions of HFE. The HFE family of cryptosystems is based on the hardness of the problem of finding solutions to a system of multivariate quadratic equations (the so-called MQ problem) since it uses private affine transformations to hide the extension field and the private polynomials. Hidden Field Equations also have been used to construct digital signature schemes, e.g. Quartz and Sflash.Christopher Wolf and Bart Preneel, Asymmetric Cryptography: Hidden Field Equations
/ref>

Mathematical background

One of the central notions to understand how Hidden Field Equations work is to see that for two extension fields $\mathbb_$ $\mathbb_$ over the same base field $\mathbb_q$ one can interpret a system of $m$ multivariate polynomials in $n$ variables over $\mathbb_q$ as a function $\mathbb_ \to \mathbb_$ by using a suitable basis of $\mathbb_$ over $\mathbb_q$. In almost all applications the polynomials are quadratic, i.e. they have degree 2.Nicolas T. Courtois On Multivariate Signature-only public key cryptosystems
/ref> We start with the simplest kind of polynomials, namely monomials, and show how they lead to quadratic systems of equations.

Consider a finite field $\mathbb_q$, where $q$ is a power of 2, and an extension field $K$. Let 0 such that $h=q^+1$ for some $\theta$ and gcd$(h,q^n-1)=1$. The condition gcd$(h,q^n-1) =1$ is equivalent to requiring that the map $u \to u^h$ on $K$ is one to one and its inverse is the map $u \to u^$ where $h'$ is the multiplicative inverse of $h \ \bmod q^n-1$.

Take a random element $u\in \mathbb_$. Define $w\in \mathbb_$ by

:$w= u ^h = u^ u \ \ \ \ (1)$

Let $\beta_1,...,\beta_n$ to be a basis of $K$ as an $\mathbb_q$ vector space. We represent $u$ with respect to the basis as $u=(u_1,...,u_n)$ and $w=(w_1,...,w_n)$. Let $A^=$ be the matrix of the linear transformation $u \to u^$ with respect to the basis $\beta_1,...,\beta_n$, i.e. such that

:$\beta_^=\sum_^ a_^\beta_,\ \ a_^\in\mathbb_q$

for $1\le i,k\le n$. Additionally, write all products of basis elements in terms of the basis, i.e.:

:$\beta_i\beta_j=\sum_^m_\beta_,\ \ m_\in\mathbb_q$

for each $1\le i,j\le n$. The system of $n$ equations which is explicit in the $w_i$ and quadratic in the $u_j$ can be obtained by expanding (1) and equating to zero the coefficients of the $\beta_i$.

Choose two secret affine transformations $S$ and $T$ , i.e. two invertible $n\times n$ matrices $M_S=\$ and $M_T=\$ with entries in $\mathbb_q$ and two vectors $v_S$ and $v_T$ of length $n$ over $\mathbb_q$ and define $x$ and $y$ via:

:$u=Sx = M_Sx+v_S \ \ \ \ w= Ty = M_Ty+v_T \ \ \ \ (2)$

By using the affine relations in (2) to replace the $u_j, w_i$ with $x_k,y_l$, the system of $n$ equations is linear in the $y_l$ and of degree 2 in the $x_k$. Applying linear algebra it will give $n$ explicit equations, one for each $y_l$ as polynomials of degree 2 in the $x_k$.Ilia Toli Hidden Polynomial Cryptosystems
/ref>

Multivariate cryptosystem

The basic idea of the HFE family of using this as a multivariate cryptosystem is to build the secret key starting from a polynomial $P$ in one unknown $x$ over some finite field $\mathbb_$ (normally value $q=2$ is used). This polynomial can be easily inverted over $\mathbb_$, i.e. it is feasible to find any solutions to the equation $P(x)=y$ when such solution exist. The secret transformation either decryption and/or signature is based on this inversion. As explained above $P$ can be identified with a system of $n$ equations $(p_1,...,p_n)$ using a fixed basis. To build a cryptosystem the polynomial $(p_1,...,p_n)$ must be transformed so that the public information hides the original structure and prevents inversion. This is done by viewing the finite fields $\mathbb_$ as a vector space over $\mathbb_q$ and by choosing two linear affine transformations $S$ and $T$. The triplet $(S,P,T)$ constitute the private key. The private polynomial $P$ is defined over $\mathbb_$. Jean-Charles Faugère and Antoine Joux
Algebraic Cryptanalysis of Hidden Field Equations (HFE) Cryptosystems Using Gröbner Bases
The public key is $(p_1,...,p_n)$. Below is the diagram for MQ-trapdoor $(S,P,T)$ in HFE
:$\text x\to x=(x_1,...,x_n)\oversetx'\oversety'\overset\text y$

HFE polynomial

The private polynomial $P$ with degree $d$ over $\mathbb_$ is an element of \mathbb_ . If the terms of polynomial $P$ have at most quadratic terms over $\mathbb_$ then it will keep the public polynomial small. The case that $P$ consists of monomials of the form $x^$, i.e. with 2 powers of $q$ in the exponent
is the basic version of HFE, i.e. $P$ is chosen as

:$P(x)=\sum c_i x^$

The degree $d$ of the polynomial is also known as security parameter and the bigger its value the better for security since the resulting set of quadratic equations resembles a randomly chosen set of quadratic equations. On the other side large $d$ slows down the deciphering. Since $P$ is a polynomial of degree at most $d$ the inverse of $P$, denoted by $P^$ can be computed in $d^2(\ln d)^ n^2 \mathbb_q$ operations.

Encryption and decryption

The public key is given by the $n$ multivariate polynomials $(p_1,...,p_n)$ over $\mathbb_q$. It is thus necessary to transfer the message $M$ from $\mathbb_ \to \mathbb_q^n$ in order to encrypt it, i.e. we assume that $M$ is a vector $(x_1,...,x_n)\in \mathbb_q^n$. To encrypt message $M$ we evaluate each $p_i$ at $(x_1,...,x_n)$. The ciphertext is $(p_1(x_1,...,x_n), p_2(x_1,...,x_n), ... ,p_n(x_1,...,x_n))\in \mathbb_q^n$.

To understand decryption let us express encryption in terms of $S, T, P$. Note that these are ''not'' available to the sender. By evaluating the $p_i$ at the message we first apply $S$, resulting in $x'$. At this point $x'$ is transferred from $\mathbb_ \to \mathbb_$ so we can apply the private polynomial $P$ which is over $\mathbb_$ and this result is denoted by $y'\in \mathbb_$. Once again, $y'$ is transferred to the vector $(y_1',...,y_n')$ and the transformation $T$ is applied and the final output $y\in \mathbb_$ is produced from $(y_1,...,y_n)\in \mathbb_q^n$.

To decrypt $y$, the above steps are done in reverse order. This is possible if the private key $(S,P,T)$ is known. The crucial step in the deciphering is not the inversion of $S$ and $T$ but rather the computations of the solution of $P(x')=y'$. Since $P$ is not necessary a bijection, one may find more than one solution to this inversion (there exist at most d different solutions $X'=(x_1',...,x_d')\in\mathbb_$ since $P$ is a polynomial of degree d). The redundancy denoted as $r$ is added at the first step to the message $M$ in order to select the right $M$ from the set of solutions $X'$. The diagram below shows the basic HFE for encryption.
:$M\oversetx\oversetx'\oversety'\oversety$

HFE variations

Hidden Field Equations has four basic variations namely +,-,v and f and it is possible to combine them in various way. The basic principle is the following:

:01. The + sign consists of linearity mixing of the public equations with some random equations.
:02. The - sign is due to Adi Shamir and intends to remove the redundancy 'r' of the public equations.
:03. The f sign consists of fixing some $f$ input variables of the public key, this variant is sometimes called p for projection.
:04. The v sign is defined as a construction and sometimes quite complex such that the inverse of the function can be found only if some v of the variables called vinegar variables are fixed. This idea is due to Jacques Patarin.
:05. The IP sign means Internal perturbation, it consists in adding random quadratic polynomial to the secret equations. However the random quadratic polynomial is composed with a small rank linear map. Making it possible to invert.
:06. The LL' variant consist in adding a random linear combination of a small number of product of linear map to every public equations. It is meant to be used in encryption mode.

The operations above preserve to some extent the trapdoor solvability of the function.

HFE- and HFEv were useful in signature schemes as they prevent from slowing down the signature generation and also enhance the overall security of HFE whereas for encryption both HFE- and HFEv will lead to a rather slow decryption process so neither too many equations can be removed (HFE-) nor too many variables should be added (HFEv). Both HFE- and HFEv were used to obtain Quartz. However due to new Min-Ranks attack by Ding, Petzoldt and Tao it made these scheme obsolete.

For Signatures it is now recommended to use HFE IP- or HFE IPv. Indeed the IP variant is very effective against certain type of Min-Rank attacks (Min-Rank S) while v or - variant are effective against all other attacks (Mainly Min-Rank T or Gröbner Basis attacks).

For encryption, the only current recommended scheme is HFE LL'.https://eprint.iacr.org/2024/1999

HFE attacks

There are two famous attacks on HFE:

Recover the Private Key ( Shamir-Kipnis): The key point of this attack is to recover the private key as sparse univariate polynomials over the extension field $\mathbb_$. The attack only works for basic HFE and fails for all its variations.

Fast Gröbner Bases (Faugère): The idea of Faugère's attacks is to use fast algorithm to compute a Gröbner basis of the system of polynomial equations. Faugère broke the HFE challenge 1 in 96 hours in 2002, and in 2003 Faugère and Joux worked together on the security of HFE.

References

Nicolas T. Courtois, Magnus Daum and Patrick Felke, On the Security of HFE, HFEv- and Quartz

Andrey Sidorenko, Hidden Field Equations, EIDMA Seminar 2004 Technische Universiteit Eindhoven
* Yvo G. Desmet, Public Key Cryptography-PKC 2003,

{{Cryptography navbox , public-key

Public-key encryption schemes
Finite fields
Multivariate cryptography