Recently, an article by Felke appeared in Cryptography and Communications discussing the security of biquadratic $C^*$ and a further generalization, k-ary $C^*$. The article derives lower bounds for the complexity of an algebraic attack, directly inverting the public key, under an assumption that the first-fall degree is a good approximation of the solving degree, an assumption that the paper notes requires "greater justification and clarification." In this work, we provide a practical attack breaking all k-ary $C^*$ schemes. The attack is based on differential techniques and requires nothing but the ability to evaluate the public key and solve linear systems. In particular, the attack breaks the parameters provided in CryptoChallenge 11 by constructing and solving linear systems of moderate size in a few minutes.
Cryptology ePrint Archive
Multivariate Cryptography, k-ary C*, differential attack