This document describes a signature scheme based on the finite field isomorphism (FFI) problem and presents an attack on it. It begins by defining notation used, including q as a prime, β as a size parameter, p as a smaller prime, Fq as a finite field, and f(x) and F(y) as irreducible polynomials. It then summarizes the signature scheme and FFI problem. The attack targets the pqFFsign signature scheme, which generates keys using a finite field isomorphism between polynomials f(x) and F(y). The attack aims to recover the secret polynomials a(x) and b(x) used to generate signatures.

1. Attacks on signature schemes based on the nite
eld isomorphism problem
Amshuman Hegde
IISER - Trivandrum
22/07/2019

2. Notation
We will follow the following notation -
q - a moderately sized prime

3. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2

4. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q

5. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - nite eld containing q elements

6. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - nite eld containing q elements
B - a closeness parameter

7. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - nite eld containing q elements
B - a closeness parameter
f (x), F(y) - irreducible polynomials in Fq [X] and Fq [Y]
respectively of degree n

8. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - nite eld containing q elements
B - a closeness parameter
f (x), F(y) - irreducible polynomials in Fq [X] and Fq [Y]
respectively of degree n
X - the eld Fq [X]/ f (x)

9. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - nite eld containing q elements
B - a closeness parameter
f (x), F(y) - irreducible polynomials in Fq [X] and Fq [Y]
respectively of degree n
X - the eld Fq [X]/ f (x)
Y - the eld Fq [Y]/ F(y)

10. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - nite eld containing q elements
B - a closeness parameter
f (x), F(y) - irreducible polynomials in Fq [X] and Fq [Y]
respectively of degree n
X - the eld Fq [X]/ f (x)
Y - the eld Fq [Y]/ F(y)
φ - an isomorphism between X and Y

11. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - nite eld containing q elements
B - a closeness parameter
f (x), F(y) - irreducible polynomials in Fq [X] and Fq [Y]
respectively of degree n
X - the eld Fq [X]/ f (x)
Y - the eld Fq [Y]/ F(y)
φ - an isomorphism between X and Y
ψ = φ−1

12. Notation
We will follow the following notation -
q - a moderately sized prime
β - size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - nite eld containing q elements
B - a closeness parameter
f (x), F(y) - irreducible polynomials in Fq [X] and Fq [Y]
respectively of degree n
X - the eld Fq [X]/ f (x)
Y - the eld Fq [Y]/ F(y)
φ - an isomorphism between X and Y
ψ = φ−1
χβ - a distribution that produces samples with bounded length
less than β

13. Preliminaries: Part 1 - Signature Scheme
A signature scheme [2] is a system for securing data that
primarily consists of the following:

14. Preliminaries: Part 1 - Signature Scheme
A signature scheme [2] is a system for securing data that
primarily consists of the following:
A security parameter(k)- chosen by the user to create keys

15. Preliminaries: Part 1 - Signature Scheme
A signature scheme [2] is a system for securing data that
primarily consists of the following:
A security parameter(k)- chosen by the user to create keys
A message space (M) - a set of messages to which the scheme
may be applied

16. Preliminaries: Part 1 - Signature Scheme
A signature scheme [2] is a system for securing data that
primarily consists of the following:
A security parameter(k)- chosen by the user to create keys
A message space (M) - a set of messages to which the scheme
may be applied
A key generation algorithm (G) - to which the user can input k
to generate a pair of public and secret keys (P,S)

17. Preliminaries: Part 1 - Signature Scheme
A signature scheme [2] is a system for securing data that
primarily consists of the following:
A security parameter(k)- chosen by the user to create keys
A message space (M) - a set of messages to which the scheme
may be applied
A key generation algorithm (G) - to which the user can input k
to generate a pair of public and secret keys (P,S)
A signature algorithm ( σ ) - which generates a signature
σ(M, S) for a message M and a secret key S

18. Preliminaries: Part 1 - Signature Scheme
A signature scheme [2] is a system for securing data that
primarily consists of the following:
A security parameter(k)- chosen by the user to create keys
A message space (M) - a set of messages to which the scheme
may be applied
A key generation algorithm (G) - to which the user can input k
to generate a pair of public and secret keys (P,S)
A signature algorithm ( σ ) - which generates a signature
σ(M, S) for a message M and a secret key S
A verication algorithm(V) - that tests whether σ(M, S) is a
valid signature for the message M with public key P

19. Preliminaries: Part 2 - FFI
We now provide some background on the FFI problem.

20. Preliminaries: Part 2 - FFI
We now provide some background on the FFI problem.
Let k be a positive integer. Let X, Y, φ, χβ be as previously
dened. Let c1(x), c2(x), . . . , cn (x), b1(x) be samples from
χβ; and Ci (y) = φ(ci (x)) and B1 = φ(b1(x)) be the
corresponding images. Also sample B2 uniformly from Y.

21. Preliminaries: Part 2 - FFI
We now provide some background on the FFI problem.
Let k be a positive integer. Let X, Y, φ, χβ be as previously
dened. Let c1(x), c2(x), . . . , cn (x), b1(x) be samples from
χβ; and Ci (y) = φ(ci (x)) and B1 = φ(b1(x)) be the
corresponding images. Also sample B2 uniformly from Y.
Computational FFI problem : Given Y, C1(y), . . . , Cn (y),
recover f (x) and/or c1(x), . . . , cn (x).

22. Preliminaries: Part 2 - FFI
We now provide some background on the FFI problem.
Let k be a positive integer. Let X, Y, φ, χβ be as previously
dened. Let c1(x), c2(x), . . . , cn (x), b1(x) be samples from
χβ; and Ci (y) = φ(ci (x)) and B1 = φ(b1(x)) be the
corresponding images. Also sample B2 uniformly from Y.
Computational FFI problem : Given Y, C1(y), . . . , Cn (y),
recover f (x) and/or c1(x), . . . , cn (x).
Decisional FFI problem : Given Y, C1(y), . . . , Cn (y), B1, B2
with either B1 or B2 being an image of a sample from χβ;
identify the image with a probability greater than 1/2.

23. Preliminaries: Part 2 - FFI
We now provide some background on the FFI problem.
Let k be a positive integer. Let X, Y, φ, χβ be as previously
dened. Let c1(x), c2(x), . . . , cn (x), b1(x) be samples from
χβ; and Ci (y) = φ(ci (x)) and B1 = φ(b1(x)) be the
corresponding images. Also sample B2 uniformly from Y.
Computational FFI problem : Given Y, C1(y), . . . , Cn (y),
recover f (x) and/or c1(x), . . . , cn (x).
Decisional FFI problem : Given Y, C1(y), . . . , Cn (y), B1, B2
with either B1 or B2 being an image of a sample from χβ;
identify the image with a probability greater than 1/2.
We will assume henceforth that both CFFI and DFFI are
computationally hard to solve.

24. Preliminaries: Part 3 - Some observations
Any norm used refers to the innity norm

25. Preliminaries: Part 3 - Some observations
Any norm used refers to the innity norm
a(x) = a0 + a1x + . . . + an−1xn−1
is said to be short if
ai mod q q ∀ i

26. Preliminaries: Part 3 - Some observations
Any norm used refers to the innity norm
a(x) = a0 + a1x + . . . + an−1xn−1
is said to be short if
ai mod q q ∀ i
The following observation requires some proof but we hold it
as evident for the purposes of this talk

27. Preliminaries: Part 3 - Some observations
Any norm used refers to the innity norm
a(x) = a0 + a1x + . . . + an−1xn−1
is said to be short if
ai mod q q ∀ i
The following observation requires some proof but we hold it
as evident for the purposes of this talk
Observation : Fix 1 ≤ β ≤ q/2, and sample f (x), F(y) from
the set of all n degree monic irreducible polynomials mod q.
Then the image in Y of polynomials in X sampled from χβ is
computationally hard to distinguish from a collection of
polynomials sampled uniformly at random from Y.

28. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows

29. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows
Generate a set σ = {n, p, q, β, B} each as a function of λ and
with (p, q) = 1

30. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows
Generate a set σ = {n, p, q, β, B} each as a function of λ and
with (p, q) = 1
Generate a nite eld isomorphism {f , F, φ, ψ}.

31. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows
Generate a set σ = {n, p, q, β, B} each as a function of λ and
with (p, q) = 1
Generate a nite eld isomorphism {f , F, φ, ψ}.
This is done as follows-First choose f (x) and F(y)
appropriately, this can be done fast [4]

32. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows
Generate a set σ = {n, p, q, β, B} each as a function of λ and
with (p, q) = 1
Generate a nite eld isomorphism {f , F, φ, ψ}.
This is done as follows-First choose f (x) and F(y)
appropriately, this can be done fast [4]
In order to nd an appropriate isomorphism φ, we nd a root
of f (x) in Y and lift it to a polynomial, which will be the
required isomorphism. [1]

33. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows
Generate a set σ = {n, p, q, β, B} each as a function of λ and
with (p, q) = 1
Generate a nite eld isomorphism {f , F, φ, ψ}.
This is done as follows-First choose f (x) and F(y)
appropriately, this can be done fast [4]
In order to nd an appropriate isomorphism φ, we nd a root
of f (x) in Y and lift it to a polynomial, which will be the
required isomorphism. [1]
The inverse map ψ is found simply by nding a root of F(y) in
X, there are other faster methods [2]

34. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows
Generate a set σ = {n, p, q, β, B} each as a function of λ and
with (p, q) = 1
Generate a nite eld isomorphism {f , F, φ, ψ}.
This is done as follows-First choose f (x) and F(y)
appropriately, this can be done fast [4]
In order to nd an appropriate isomorphism φ, we nd a root
of f (x) in Y and lift it to a polynomial, which will be the
required isomorphism. [1]
The inverse map ψ is found simply by nding a root of F(y) in
X, there are other faster methods [2]
Generate short polynomials a(x), b(x) in Fq [x] with
coecients bounded by β

35. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign
signature scheme due to Hostein et al [3] The algorithms used in
this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter.
It works as follows
Generate a set σ = {n, p, q, β, B} each as a function of λ and
with (p, q) = 1
Generate a nite eld isomorphism {f , F, φ, ψ}.
Generate short polynomials a(x), b(x) in Fq [x] with
coecients bounded by β
Compute h(x) = (pa(x))−1
b(x)(modf (x))

36. Compute H(y) = h(φ(y)), image of h(x) in Y

37. Compute H(y) = h(φ(y)), image of h(x) in Y
Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)

38. Compute H(y) = h(φ(y)), image of h(x) in Y
Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)
We use an invertible matrix U ∈ GLn (Fq ) and the relation
U





c1(x)
c2(x)
...
cn (x)





≡





x
x2
...
xn





(mod q, f (x))
where all the elements are bounded by β.

39. Compute H(y) = h(φ(y)), image of h(x) in Y
Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)
We use an invertible matrix U ∈ GLn (Fq ) and the relation
U





c1(x)
c2(x)
...
cn (x)





≡





x
x2
...
xn





(mod q, f (x))
where all the elements are bounded by β.
Compute the images C1(y), C2(y), . . . Cn (y) of
c1(x), c2(x), . . . cn (x) in Y

40. Compute H(y) = h(φ(y)), image of h(x) in Y
Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)
We use an invertible matrix U ∈ GLn (Fq ) and the relation
U





c1(x)
c2(x)
...
cn (x)





≡





x
x2
...
xn





(mod q, f (x))
where all the elements are bounded by β.
Compute the images C1(y), C2(y), . . . Cn (y) of
c1(x), c2(x), . . . cn (x) in Y
Output the signing key sk and verication key pk as follows
pk = {σ, F(y), H(y), C1(y), C2(y), . . . Cn (y)}
sk = {σ, f (x), φ, ψ, U, a(x), b(x), c1(x), c2(x), . . . cn (x)}

41. Our scheme of interest
SIGN(µ, sk) → σ, this takes the message µ
and the secret key sk as input and outputs the signature

42. Our scheme of interest
SIGN(µ, sk) → σ, this takes the message µ
and the secret key sk as input and outputs the signature
We rst hash the message and public key to form a pair of
n-dimensional mod p vectors
Hash(µ, pk) = (δ, ) = (δ1, . . . , δn , 1, . . . , n )

43. Our scheme of interest
SIGN(µ, sk) → σ, this takes the message µ
and the secret key sk as input and outputs the signature
We rst hash the message and public key to form a pair of
n-dimensional mod p vectors
Hash(µ, pk) = (δ, ) = (δ1, . . . , δn , 1, . . . , n )
Now we generate (δ, ) as follows
δ ≡ δ mod p, ||δ|| ≤ q
2
− B
≡ mod p, || || ≤ q
2
− B and with the property that the
polynomials
s(x) =
n
i =1
δi ci (x)andt(x) =
n
i =1
i ci (x) (0.1)
satisfy the relation
s(x)h(x) ≡ t(x) (mod q, f (x))

44. Our scheme of interest
SIGN(µ, sk) → σ, this takes the message µ
and the secret key sk as input and outputs the signature
We rst hash the message and public key to form a pair of
n-dimensional mod p vectors
Hash(µ, pk) = (δ, ) = (δ1, . . . , δn , 1, . . . , n )
Now we generate (δ, ) as follows
δ ≡ δ mod p, ||δ|| ≤ q
2
− B
≡ mod p, || || ≤ q
2
− B and with the property that the
polynomials
s(x) =
n
i =1
δi ci (x)andt(x) =
n
i =1
i ci (x) (0.1)
satisfy the relation
s(x)h(x) ≡ t(x) (mod q, f (x))
Finally output the signature pair σ = (δ, )

45. A long short-cut
Before looking at the next algorithm of the scheme we take a
detour through the construction of the signature as this will be
paramount to our attack.
We know that the signature's structure is determined by (0.1),
in order to increase security the polynomials are written as
follows -
s(x) = s0(x) + u(x), t(x) = t0(x) + v(x) (0.2)
where, s0(x) = n
j =1
δ
(0)
j
cj (x) and t0(x) = n
j =1
η
(0)
j
cj (x)
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x)

46. A long short-cut
Before looking at the next algorithm of the scheme we take a
detour through the construction of the signature as this will be
paramount to our attack.
We know that the signature's structure is determined by (0.1),
in order to increase security the polynomials are written as
follows -
s(x) = s0(x) + u(x), t(x) = t0(x) + v(x) (0.2)
where, s0(x) = n
j =1
δ
(0)
j
cj (x) and t0(x) = n
j =1
η
(0)
j
cj (x)
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x)
Now we provide an algorithm ( AL1 ) to nd the coecients
of s0(x), t0(x)

47. A long short-cut : AL1
For j = 1, . . . , n, choose δ
(0)
j
randomly such that
|δ
(0)
j
| q
2
− B, δ
(0)
j
≡ δj ( mod p)

48. A long short-cut : AL1
For j = 1, . . . , n, choose δ
(0)
j
randomly such that
|δ
(0)
j
| q
2
− B, δ
(0)
j
≡ δj ( mod p)
Dene t0(x) ≡ s0(x)h(x) mod( q, f (x)), where s0(x) is
dened as previously mentioned

49. A long short-cut : AL1
For j = 1, . . . , n, choose δ
(0)
j
randomly such that
|δ
(0)
j
| q
2
− B, δ
(0)
j
≡ δj ( mod p)
Dene t0(x) ≡ s0(x)h(x) mod( q, f (x)), where s0(x) is
dened as previously mentioned
Rewrite t0(x) = n
j =1
ηj cj (x), where
−q
2
≤ ηj ≤ q
2
∀j = 1, . . . n.
If all ηj ∈ (−q
2
+ B, q
2
− B], then we are nished; else return to
the previous steps and choose another set of random δ
(0)
j
's.

50. A long short-cut : AL1
For j = 1, . . . , n, choose δ
(0)
j
randomly such that
|δ
(0)
j
| q
2
− B, δ
(0)
j
≡ δj ( mod p)
Dene t0(x) ≡ s0(x)h(x) mod( q, f (x)), where s0(x) is
dened as previously mentioned
Rewrite t0(x) = n
j =1
ηj cj (x), where
−q
2
≤ ηj ≤ q
2
∀j = 1, . . . n.
If all ηj ∈ (−q
2
+ B, q
2
− B], then we are nished; else return to
the previous steps and choose another set of random δ
(0)
j
's.
It has been shown that this algorithm has a high conclusion
rate for appropriately chosen parameters [3]

51. A long short-cut
We must now construct u(x), v(x) appropriately, i.e
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
+ ηj ≡ j mod p ∀ j = 1, . . . , n, with all
coecients bounded by B.
We will provide the method only for u(x) since this is not
important to our attack and the method for v(x) is similar.

52. A long short-cut
We must now construct u(x), v(x) appropriately, i.e
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
+ ηj ≡ j mod p ∀ j = 1, . . . , n, with all
coecients bounded by B.
We will provide the method only for u(x) since this is not
important to our attack and the method for v(x) is similar.
Construct a short polynomial r(x) ∈ Fq [x], and set
u(x) = pr(x)a(x), v(x) = r(x)b(x)

53. A long short-cut
We must now construct u(x), v(x) appropriately, i.e
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
+ ηj ≡ j mod p ∀ j = 1, . . . , n, with all
coecients bounded by B.
We will provide the method only for u(x) since this is not
important to our attack and the method for v(x) is similar.
Construct a short polynomial r(x) ∈ Fq [x], and set
u(x) = pr(x)a(x), v(x) = r(x)b(x)
Write r(x)a(x) = n
1
di xi
, note that these di 's are short.
Then, since pr(x)a(x) = n
j =1
δ
(u)
j
cj (x), (δ
(u)
1
, . . . , δ
(u)
1
) =
p(d1, . . . , dn )U.

54. A long short-cut
We must now construct u(x), v(x) appropriately, i.e
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
+ ηj ≡ j mod p ∀ j = 1, . . . , n, with all
coecients bounded by B.
We will provide the method only for u(x) since this is not
important to our attack and the method for v(x) is similar.
Construct a short polynomial r(x) ∈ Fq [x], and set
u(x) = pr(x)a(x), v(x) = r(x)b(x)
Write r(x)a(x) = n
1
di xi
, note that these di 's are short.
Then, since pr(x)a(x) = n
j =1
δ
(u)
j
cj (x), (δ
(u)
1
, . . . , δ
(u)
1
) =
p(d1, . . . , dn )U.
Since all the terms involved are suciently short, we will have
|δ
(u)
j
| B and δ
(u)
j
≡ 0 mod p ∀j = 1, . . . , n. If not, simply
contruct another r(x) until this happens.

55. A long short-cut
We must now construct u(x), v(x) appropriately, i.e
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
+ ηj ≡ j mod p ∀ j = 1, . . . , n, with all
coecients bounded by B.
We will provide the method only for u(x) since this is not
important to our attack and the method for v(x) is similar.
Construct a short polynomial r(x) ∈ Fq [x], and set
u(x) = pr(x)a(x), v(x) = r(x)b(x)
Write r(x)a(x) = n
1
di xi
, note that these di 's are short.
Then, since pr(x)a(x) = n
j =1
δ
(u)
j
cj (x), (δ
(u)
1
, . . . , δ
(u)
1
) =
p(d1, . . . , dn )U.
Since all the terms involved are suciently short, we will have
|δ
(u)
j
| B and δ
(u)
j
≡ 0 mod p ∀j = 1, . . . , n. If not, simply
contruct another r(x) until this happens.
Note that this method converges for the same reason that AL1
converges.

56. A long short-cut
We must now construct u(x), v(x) appropriately, i.e
u(x) = n
j =1
δ
(u)
j
cj (x) and v(x) = n
j =1
δ
(v )
j
cj (x) where
δ
(u)
j
≡ 0 mod p and δ
(v )
j
+ ηj ≡ j mod p ∀ j = 1, . . . , n, with all
coecients bounded by B.
We will provide the method only for u(x) since this is not
important to our attack and the method for v(x) is similar.
Construct a short polynomial r(x) ∈ Fq [x], and set
u(x) = pr(x)a(x), v(x) = r(x)b(x)
Write r(x)a(x) = n
1
di xi
, note that these di 's are short.
Then, since pr(x)a(x) = n
j =1
δ
(u)
j
cj (x), (δ
(u)
1
, . . . , δ
(u)
1
) =
p(d1, . . . , dn )U.
Since all the terms involved are suciently short, we will have
|δ
(u)
j
| B and δ
(u)
j
≡ 0 mod p ∀j = 1, . . . , n. If not, simply
contruct another r(x) until this happens.
Note that this method converges for the same reason that AL1
converges.
Hence we have constructed the required signature (δ, )

57. Our chosen scheme
We now return to our initial scheme to outline the VERIFY
algorithm.

58. Our chosen scheme
We now return to our initial scheme to outline the VERIFY
algorithm.
VERIFY(µ, σ, pk) → ACCEPT/REJECT, the algorithm
takes the message µ, signature σ and public key pk to check
the validity of the signature being provided.

59. Our chosen scheme
We now return to our initial scheme to outline the VERIFY
algorithm.
VERIFY(µ, σ, pk) → ACCEPT/REJECT, the algorithm
takes the message µ, signature σ and public key pk to check
the validity of the signature being provided.
First Hash(µ, pk) = (α, τ) is computed.

60. Our chosen scheme
We now return to our initial scheme to outline the VERIFY
algorithm.
VERIFY(µ, σ, pk) → ACCEPT/REJECT, the algorithm
takes the message µ, signature σ and public key pk to check
the validity of the signature being provided.
First Hash(µ, pk) = (α, τ) is computed.
Then the following three conditions are checked-
α ≡ α ( mod p) , ||α|| ≤ q
2
− B
τ ≡ τ ( mod p) , ||τ|| ≤ q
2
− B
( n
1
αi Ci (y))H(y) = n
1
τi Ci (y) in Y

61. Our chosen scheme
We now return to our initial scheme to outline the VERIFY
algorithm.
VERIFY(µ, σ, pk) → ACCEPT/REJECT, the algorithm
takes the message µ, signature σ and public key pk to check
the validity of the signature being provided.
First Hash(µ, pk) = (α, τ) is computed.
Then the following three conditions are checked-
α ≡ α ( mod p) , ||α|| ≤ q
2
− B
τ ≡ τ ( mod p) , ||τ|| ≤ q
2
− B
( n
1
αi Ci (y))H(y) = n
1
τi Ci (y) in Y
If all the three conditions are met the algorithm outputs
ACCEPT, else the output is REJECT

62. Our attack on the signature scheme
Our point of attack is the signature that the scheme generates.

63. Our attack on the signature scheme
Our point of attack is the signature that the scheme generates.
Specically we want to be able to forge any signature
σ = (δ, ) without any knowledge of the private key sk.

64. Our attack on the signature scheme
Our point of attack is the signature that the scheme generates.
Specically we want to be able to forge any signature
σ = (δ, ) without any knowledge of the private key sk.
Our method centres around the reconstruction of s(x), t(x)
using only the public key pk.

65. Our attack on the signature scheme
Our point of attack is the signature that the scheme generates.
Specically we want to be able to forge any signature
σ = (δ, ) without any knowledge of the private key sk.
Our method centres around the reconstruction of s(x), t(x)
using only the public key pk.
Recall that s(x) = s0(x) + u(x), t(x) = t0(x) + v(x). We rst
give a method to retrieve s0(x), t0(x).

66. Our attack on the signature scheme
Our point of attack is the signature that the scheme generates.
Specically we want to be able to forge any signature
σ = (δ, ) without any knowledge of the private key sk.
Our method centres around the reconstruction of s(x), t(x)
using only the public key pk.
Recall that s(x) = s0(x) + u(x), t(x) = t0(x) + v(x). We rst
give a method to retrieve s0(x), t0(x).
First we note the following relations that follow trivially
φ(s0(x)) = n
1
δ
(0)
j
Cj (y)
φ(t0(x)) = φ(s0(x))H(y) mod( q, F(y) )
φ(t0(x)) = n
1
ηj Cj (y),
with the coecients satisying the same inequalities.

67. Our attack on the signature scheme
Our point of attack is the signature that the scheme generates.
Specically we want to be able to forge any signature
σ = (δ, ) without any knowledge of the private key sk.
Our method centres around the reconstruction of s(x), t(x)
using only the public key pk.
Recall that s(x) = s0(x) + u(x), t(x) = t0(x) + v(x). We rst
give a method to retrieve s0(x), t0(x).
First we note the following relations that follow trivially
φ(s0(x)) = n
1
δ
(0)
j
Cj (y)
φ(t0(x)) = φ(s0(x))H(y) mod( q, F(y) )
φ(t0(x)) = n
1
ηj Cj (y),
with the coecients satisying the same inequalities.
We will now outline an algorithm to nd these coecients:

68. Attack on signature scheme : Algorithm to nd coecients
Step 1: For j = 1, . . . , n. Randomly choose δ
(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).

69. Attack on signature scheme : Algorithm to nd coecients
Step 1: For j = 1, . . . , n. Randomly choose δ
(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).
Step 2: Use the above relations to nd φ(t0(x)), and write it
as φ(t0(x)) = n
1
ti yi
(mod q, F(y))

70. Attack on signature scheme : Algorithm to nd coecients
Step 1: For j = 1, . . . , n. Randomly choose δ
(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).
Step 2: Use the above relations to nd φ(t0(x)), and write it
as φ(t0(x)) = n
1
ti yi
(mod q, F(y))
Step 3: Rewrite φ(t0(x)) in terms of C1(y), . . . , Cn (y), say
φ(t0(x)) = n
1
ηj Cj (y) where −q
2
≤ ηj ≤ q
2
.

71. Attack on signature scheme : Algorithm to nd coecients
Step 1: For j = 1, . . . , n. Randomly choose δ
(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).
Step 2: Use the above relations to nd φ(t0(x)), and write it
as φ(t0(x)) = n
1
ti yi
(mod q, F(y))
Step 3: Rewrite φ(t0(x)) in terms of C1(y), . . . , Cn (y), say
φ(t0(x)) = n
1
ηj Cj (y) where −q
2
≤ ηj ≤ q
2
.
Step 4: If all ηj lie in the interval (−q
2
+ B, q
2
− B] we are
done. Else, go back to Step 1 and pick another set of δ
(0)
j
's.

72. Attack on signature scheme : Algorithm to nd coecients
Step 1: For j = 1, . . . , n. Randomly choose δ
(0)
j
such that
|δ
(0)
j
| q
2
− B and δ
(0)
j
≡ δj ( mod p).
Step 2: Use the above relations to nd φ(t0(x)), and write it
as φ(t0(x)) = n
1
ti yi
(mod q, F(y))
Step 3: Rewrite φ(t0(x)) in terms of C1(y), . . . , Cn (y), say
φ(t0(x)) = n
1
ηj Cj (y) where −q
2
≤ ηj ≤ q
2
.
Step 4: If all ηj lie in the interval (−q
2
+ B, q
2
− B] we are
done. Else, go back to Step 1 and pick another set of δ
(0)
j
's.
Note that this algorithm converges at a high rate for similar
conditions as AL1 [3] Since we are working in a eld
isomorphic to the one in which AL1 was applied, the requisite
conditions remain the same and our algorithm also converges
with high probability.

73. Attack on signature scheme
Now that s0(x), t0(x) are found, it only remains to nd
u(x), v(x)

74. Attack on signature scheme
Now that s0(x), t0(x) are found, it only remains to nd
u(x), v(x)
Before we give an algorithm u(x), v(x), we write down some
relations between the two polynomials.

75. Attack on signature scheme
Now that s0(x), t0(x) are found, it only remains to nd
u(x), v(x)
Before we give an algorithm u(x), v(x), we write down some
relations between the two polynomials.
Note that u(x) = pr(x)a(x), v(x) = r(x)b(x).
u(x)h(x) = pr(x)a(x)[pa(x)]−1
b(x)
= r(x)b(x)
= v(x)
u(x)h(x) = v(x)
φ(u(x))H(y) = φ(v(x))

76. Attack on signature scheme
Now that s0(x), t0(x) are found, it only remains to nd
u(x), v(x)
Before we give an algorithm u(x), v(x), we write down some
relations between the two polynomials.
Note that u(x) = pr(x)a(x), v(x) = r(x)b(x).
u(x)h(x) = pr(x)a(x)[pa(x)]−1
b(x)
= r(x)b(x)
= v(x)
u(x)h(x) = v(x)
φ(u(x))H(y) = φ(v(x))
Now we have a relation between u(x) and v(x), we can write
this explicitly as follows :
(
n
1
δ
(u)
j
Cj (y))H(y) =
n
1
δ
(v )
j
Cj (y) (0.3)

77. Attack on signature scheme : AL2
We now give AL2- an algorithm to nd u(x), v(x). Note that
we can start with either one, for convenience we start with
u(x).

78. Attack on signature scheme : AL2
We now give AL2- an algorithm to nd u(x), v(x). Note that
we can start with either one, for convenience we start with
u(x).
Step 1: Randomly choose (δ
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).

79. Attack on signature scheme : AL2
We now give AL2- an algorithm to nd u(x), v(x). Note that
we can start with either one, for convenience we start with
u(x).
Step 1: Randomly choose (δ
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).
Step 2: Substitute the values of δ
(u)
j
in (0.3) and read o the
coecients of φ(v(x)) after changing basis to
C1(y), . . . , Cn (y)

80. Attack on signature scheme : AL2
We now give AL2- an algorithm to nd u(x), v(x). Note that
we can start with either one, for convenience we start with
u(x).
Step 1: Randomly choose (δ
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).
Step 2: Substitute the values of δ
(u)
j
in (0.3) and read o the
coecients of φ(v(x)) after changing basis to
C1(y), . . . , Cn (y)
Step 3: If |δ
(v )
j
| B and δ
(v )
j
+ ηj ≡ j (mod p) for all j, we
are done. Else go back to Step 1 and choose another set of
values.

81. Attack on signature scheme : AL2
We now give AL2- an algorithm to nd u(x), v(x). Note that
we can start with either one, for convenience we start with
u(x).
Step 1: Randomly choose (δ
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).
Step 2: Substitute the values of δ
(u)
j
in (0.3) and read o the
coecients of φ(v(x)) after changing basis to
C1(y), . . . , Cn (y)
Step 3: If |δ
(v )
j
| B and δ
(v )
j
+ ηj ≡ j (mod p) for all j, we
are done. Else go back to Step 1 and choose another set of
values.
Note that this algorithm converges with a high probability for
appropriately chosen parameters, i.e if |B − pK
√
n| ∼ 0 where
K = max|aij |, aij are entries in the matrix U. [3]

82. Attack on signature scheme : AL2
We now give AL2- an algorithm to nd u(x), v(x). Note that
we can start with either one, for convenience we start with
u(x).
Step 1: Randomly choose (δ
(u)
1
, . . . , δ
(u)
n ) such that |δ
(u)
j
| B
and δ
(u)
j
≡ 0 (mod p).
Step 2: Substitute the values of δ
(u)
j
in (0.3) and read o the
coecients of φ(v(x)) after changing basis to
C1(y), . . . , Cn (y)
Step 3: If |δ
(v )
j
| B and δ
(v )
j
+ ηj ≡ j (mod p) for all j, we
are done. Else go back to Step 1 and choose another set of
values.
Note that this algorithm converges with a high probability for
appropriately chosen parameters, i.e if |B − pK
√
n| ∼ 0 where
K = max|aij |, aij are entries in the matrix U. [3]
We expect however that it will also converge for a wider range
of parameters, since we have a convergence probability of
∼ 0.835 for toy examples.

83. Attack on signature scheme
Therefore we have successfully forged the signature σ = (δ, )
with no prior knowledge of the secret key sk.

84. Attack on signature scheme
Therefore we have successfully forged the signature σ = (δ, )
with no prior knowledge of the secret key sk.
Hence we can construct an appropriate message µ, sign it with
a forged signature σ and the recepient cannot know the
dierence.

85. Future directions
The FFI problem's hardness has not been classied yet and it
appears to have a worst to average case reduction [3]

86. Future directions
The FFI problem's hardness has not been classied yet and it
appears to have a worst to average case reduction [3]
The scheme used as the example here can be modied to be
secure against this attack

87. Future directions
The FFI problem's hardness has not been classied yet and it
appears to have a worst to average case reduction [3]
The scheme used as the example here can be modied to be
secure against this attack
The scheme has also not been implemented yet

88. Future directions
The FFI problem's hardness has not been classied yet and it
appears to have a worst to average case reduction [3]
The scheme used as the example here can be modied to be
secure against this attack
The scheme has also not been implemented yet
Schemes based on FFI appear to have the property of
homomorphic encryption [1] and this is precisely what our
attack relies on, the connection between homomorphic
encryption and susceptibility to this sort of attack can be
further explored.

89. References
Doröz, Y., Hostein, J., Pipher, J., Silverman, J. H., Sunar, B.,
Whyte, W., Zhang, Z. (2018, March). Fully homomorphic
encryption from the nite eld isomorphism problem. In IACR
International Workshop on Public Key Cryptography (pp.
125-155). Springer, Cham.
Goldwasser, S., Micali, S., Rivest, R. L. (1988). A digital
signature scheme secure against adaptive chosen-message
attacks. SIAM Journal on Computing, 17(2), 281-308..
Hostein, J., Silverman, J. H., Whyte, W., Zhang, Z.
(2018). A signature scheme from the nite eld isomorphism
problem. IACR Cryptology ePrint Archive, 2018, 675.
Couveignes, J. M., Lercier, R. (2013). Fast construction of
irreducible polynomials over nite elds. Israel Journal of
Mathematics, 194(1), 77-105.

90. References
Lenstra, H. W. (1991). Finding isomorphisms between nite
elds.
Brieulle, L., De Feo, L., Doliskani, J., Flori, J. P., Schost, É.
(2019). Computing isomorphisms and embeddings of nite
elds. Mathematics of Computation, 88(317), 1391-1426.
Hostein, J., Pipher, J., Schanck, J. M., Silverman, J. H.,
Whyte, W. (2014, October). Transcript secure signatures based
on modular lattices. In International Workshop on
Post-Quantum Cryptography (pp. 142-159). Springer, Cham.