Isomorphism of Polynomials: New Results

semanticscholar (2009)

Abstract
In this paper, we investigate the difficulty of the Isomorphism of Polynomials (IP) problem as well as one of its variants, IP1S. The Isomorphism of Polynomials is a well-known problem studied in multivariate cryptography. It is related to the hardness of key recovery for some cryptosystems. The problem is the following: given two families of multivariate polynomials a and b, find two invertible linear (or affine) mappings S and T such that b = T ◦ a ◦ S. For IP1S, we suppose that T is the identity. It is known that the difficulty of such problems depends on the structure of the polynomials (i.e., homogeneous or not) and the nature of the transformations (affine or linear). Here, we analyze the different cases and propose improved algorithms. We precisely describe the situation in terms of complexity and give sufficient conditions under which the algorithms work. The algorithms presented here combine linear algebra techniques, including the use of differentials, with Gröbner bases. We show that random instances of IP1S with quadratic polynomials can be broken in time O ` n ́ , where n is the number of variables, independently of the number of polynomials. For IP1S with cubic polynomials, as well as for IP, we propose new algorithms of complexity O ` n ́ if the polynomials of a are inhomogeneous and S, T are linear. In all the other cases, we propose an algorithm that requires O ` nq ́ computation. Finally, if a and b have a small number of non-trivial zeros, the complexity of solving the IP instance is reduced to O ` n + q ́ . This allows one to break a public-key authentication scheme based on IP1S, and to break all the IP challenges proposed by Patarin in 1996 in practical time: the most secure parameters require less than 6 months of computation on 10 inexpensive GPUs. A consequence of our results is that HFE can be broken in polynomial time if the secret transforms S and T are linear and if the internal polynomial is made public and contains linear and constant terms.
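The IP1S relation b = a ◦ S from the abstract, as an added example that is not the paper's own code: it builds a toy instance over GF(7) with homogeneous quadratic polynomials (the prime field, the parameters n and m, and the unipotent choice of the secret S are assumptions made here) and checks, besides b(x) = a(Sx), the identity D_b(x, y) = D_a(Sx, Sy) between the differentials, which is the bilinear relation that the linear-algebra techniques mentioned above build on.

```python
import random

P = 7  # constructed: toy prime field GF(7); the paper's instances live over GF(q)

def mat_vec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) % P for i in range(len(M))]

def evaluate(Q, x):
    # homogeneous quadratic polynomial a(x) = x^T Q x over GF(P)
    n = len(x)
    return sum(x[i] * Q[i][j] * x[j] for i in range(n) for j in range(n)) % P

def compose(Q, S):
    # matrix of a o S, since (a o S)(x) = a(Sx) = x^T (S^T Q S) x
    n = len(S)
    return [[sum(S[k][i] * Q[k][l] * S[l][j] for k in range(n) for l in range(n)) % P
             for j in range(n)] for i in range(n)]

def differential(Q, x, y):
    # D_a(x, y) = a(x+y) - a(x) - a(y); bilinear in (x, y) when a is quadratic
    s = [(u + v) % P for u, v in zip(x, y)]
    return (evaluate(Q, s) - evaluate(Q, x) - evaluate(Q, y)) % P

def make_ip1s_instance(n, m, rng):
    # assumed secret S = I + strictly upper-triangular noise: unipotent, so invertible
    S = [[1 if i == j else (rng.randrange(P) if j > i else 0) for j in range(n)]
         for i in range(n)]
    a = [[[rng.randrange(P) for _ in range(n)] for _ in range(n)] for _ in range(m)]
    return a, [compose(Q, S) for Q in a], S   # public (a, b), secret S

def check_instance(a, b, S, rng, trials=50):
    # b_i(x) == a_i(Sx) and D_b(x, y) == D_a(Sx, Sy) on random points; the
    # second identity relates the bilinear forms D_a and D_b linearly through S
    n = len(S)
    for _ in range(trials):
        x = [rng.randrange(P) for _ in range(n)]
        y = [rng.randrange(P) for _ in range(n)]
        Sx, Sy = mat_vec(S, x), mat_vec(S, y)
        for Qa, Qb in zip(a, b):
            if evaluate(Qb, x) != evaluate(Qa, Sx):
                return False
            if differential(Qb, x, y) != differential(Qa, Sx, Sy):
                return False
    return True

if __name__ == "__main__":
    rng = random.Random(2009)
    a, b, S = make_ip1s_instance(n=4, m=3, rng=rng)
    print("IP1S instance consistent:", check_instance(a, b, S, rng))
```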