Paper 2024/196

Subfield attack: leveraging composite-degree extensions in the Quotient Ring transform

Pierre Pébereau, Laboratoire de Recherche en Informatique de Paris 6, Thales (France)

In this note, we show that some of the parameters of the Quotient-Ring transform proposed for VOX are vulnerable. More precisely, they were chosen to defeat an attack in the field extension $\mathbb F_{q^l}$ obtained by quotienting $\mathbb F_q[X]$ by an irreducible polynomial of degree $l$. We observe that we may instead work in a smaller extension $\mathbb F_{q^{l'}}$ for any $l' \mid l$, in which case the attacks apply again. We also introduce a simple algebraic attack on the scheme that does not rely on the MinRank problem. These attacks concern a subset of the parameter sets proposed for VOX: I, Ic, III, IIIa, V, Vb. We estimate the cost of our attack on these parameter sets and find costs of at most $2^{67}$ gates, and significantly lower in most cases. In practice, our attack requires $0.3$s, $1.35$s and $0.56$s for parameter sets I, III and V with the initial VOX parameters, and $56.7$s and $6.11$s for parameter sets IIIa and Vb, which were proposed after the rectangular MinRank attack.
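The observation behind the subfield attack is a fact about finite fields: $\mathbb F_{q^l}$ contains a subfield $\mathbb F_{q^{l'}}$ exactly when $l' \mid l$, and that subfield is the set of elements fixed by the Frobenius power $a \mapsto a^{q^{l'}}$. So a composite extension degree $l$ leaves intermediate fields to descend into, while a prime $l$ leaves only $\mathbb F_q$ and $\mathbb F_{q^l}$. The following script is an added illustration of that structure and is not code from the paper or from VOX; the prime $q$ and the irreducible polynomials $f$ it uses are toy choices for the demonstration, not VOX parameters.

```python
"""Subfields of a composite-degree extension F_{q^l}.

Added illustration, not code from the paper or from VOX. It builds
F_{q^l} = F_q[X]/(f) for a prime q and an irreducible monic f of degree l
(toy choices here, not VOX parameters) and recovers each intermediate
field F_{q^{l'}}, l' | l, as the fixed points of a -> a^(q^{l'}).
"""
from itertools import product

# Polynomials are lists of coefficients in F_q, lowest degree first.


def poly_mod(a, f, q):
    """Remainder of a modulo the monic polynomial f over F_q."""
    a = [c % q for c in a]
    while len(a) >= len(f):
        lead = a[-1]
        if lead:
            shift = len(a) - len(f)
            for i, c in enumerate(f):
                a[shift + i] = (a[shift + i] - lead * c) % q
        a.pop()  # leading coefficient is now zero
    return a


def mul(a, b, f, q):
    """Multiply two elements of F_q[X]/(f); result is a tuple of length deg f."""
    l = len(f) - 1
    prod = [0] * (2 * l - 1)
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % q
    r = poly_mod(prod, f, q)
    return tuple(r + [0] * (l - len(r)))


def power(a, e, f, q):
    """Square-and-multiply exponentiation in F_q[X]/(f)."""
    l = len(f) - 1
    result = tuple([1] + [0] * (l - 1))
    base = tuple(a)
    while e:
        if e & 1:
            result = mul(result, base, f, q)
        base = mul(base, base, f, q)
        e >>= 1
    return result


def is_irreducible(f, q):
    """Brute-force test: f has no monic divisor of degree 1..deg(f)/2.
    Adequate for the tiny fields used here, not a general algorithm."""
    l = len(f) - 1
    for d in range(1, l // 2 + 1):
        for low in product(range(q), repeat=d):
            g = list(low) + [1]  # monic polynomial of degree d
            if not any(poly_mod(f, g, q)):
                return False
    return True


def frobenius_fixed(f, q, k):
    """All a in F_{q^l} with a^(q^k) = a. This set is the subfield
    F_{q^gcd(k,l)}, so it has exactly q^gcd(k,l) elements."""
    l = len(f) - 1
    return [a for a in product(range(q), repeat=l) if power(a, q ** k, f, q) == a]


def frobenius_fixed_count(f, q, k):
    return len(frobenius_fixed(f, q, k))


def subfield_tower(f, q):
    """Map each divisor l' of l to the size of the subfield F_{q^{l'}} inside
    F_{q^l}, after checking that the fixed set is closed under multiplication
    (so it really is a subfield, not just a subset)."""
    assert is_irreducible(f, q), "F_q[X]/(f) is a field only for irreducible f"
    l = len(f) - 1
    tower = {}
    for lp in range(1, l + 1):
        if l % lp:
            continue
        elems = frobenius_fixed(f, q, lp)
        fixed = set(elems)
        assert all(mul(a, b, f, q) in fixed for a in elems for b in elems)
        tower[lp] = len(elems)
    return tower


if __name__ == "__main__":
    # x^4 + x + 1 over F_2: l = 4 is composite, so F_4 sits strictly between F_2 and F_16.
    print(subfield_tower([1, 1, 0, 0, 1], 2))  # {1: 2, 2: 4, 4: 16}
    # x^3 + x + 1 over F_2: l = 3 is prime, so there is no intermediate subfield.
    print(subfield_tower([1, 1, 0, 1], 2))     # {1: 2, 3: 8}
```

The closure assertion in `subfield_tower` is what turns "fixed points of a map" into "a subfield": once the fixed set is closed under multiplication it is a finite subring of a field, hence a field. For $k$ not dividing $l$ the same Frobenius power still fixes a subfield, namely $\mathbb F_{q^{\gcd(k,l)}}$, which is why only the divisors of $l$ yield anything new.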

Category: Attacks and cryptanalysis
Keywords: Multivariate cryptography
Contact author(s): pierre pebereau @ lip6 fr
History: 2024-02-09: received; 2024-02-12: approved
License: Creative Commons Attribution


BibTeX:
@misc{cryptoeprint:2024/196,
      author = {Pierre Pébereau},
      title = {Subfield attack: leveraging composite-degree extensions in the Quotient Ring transform},
      howpublished = {Cryptology ePrint Archive, Paper 2024/196},
      year = {2024},
      note = {\url{}},
      url = {}
}