Cryptanalysis of the extension field cancellation cryptosystem
Designs, Codes and Cryptography (IF 1.4), Pub Date: 2021-04-18, DOI: 10.1007/s10623-021-00873-9
Olive Chakraborty, Jean-Charles Faugère, Ludovic Perret

In this article, we present algebraic attacks against the Extension Field Cancellation (\(\texttt{EFC}\)) scheme, a multivariate public-key encryption scheme published at PQCRYPTO 2016. First, we present a successful Gröbner basis message-recovery attack on the first and second proposed parameters of the scheme. For the first challenge parameter, a Gröbner-based hybrid attack has a bit complexity of \(2^{65}\), which beats the claimed 80-bit security level. We further show that the algebraic system arising from an \(\texttt{EFC}\) public key is much easier to solve than a random system of the same size. Briefly, this is due to the appearance of many lower-degree equations during the Gröbner basis computation. We present a polynomial-time method to recover such lower-degree relations and also show their usefulness in improving the complexity of the Gröbner basis attack on \(\texttt{EFC}\). Thus, we show that there is an algebraic structural weakness in the system of equations coming from \(\texttt{EFC}\), which makes the scheme unsuitable for encryption.




Updated: 2021-04-18