Chosen ciphertext attack on ZHFE

抄録

HFE (Patarin, Eurocrypt'96) is one of the most famous multivariate public key cryptosystems. Unfortunately, HFE has a serious trade-off between security and efficiency, which lacks HFE's practicality. Recently, Porras et al. proposed a new encryption scheme ZHFE at PQCrypto 2014. While its construction is similar to HFE, the security seems more than HFE. The present paper proposes a chosen ciphertext attack (CCA) on ZHFE. The CCA reduces the problem of recovering the univariate polynomial for decryption to the min-rank problem on HFE. Thus the CCA security of ZHFE is almost the same as the security of HFE against the min-rank attack.