Cryptanalysis of dragon scheme

Patarin proposed the dragon scheme, pointed out the insecurity of the dragon algorithm with one hidden monomial and suggested a candidate dragon signature algorithm with a complicated function. This paper presents an algebraic method to attack the candidate dragon signature algorithm. The attack borrows the basic idea of the attack due to Kipnis and Shamir, and utilizes the underlying algebraic structure of the candidate dragon signature algorithm over the extension field to derive a way to enable the variable Y be viewed as a fixed value. The attack recovers the private keys efficiently when the parameters are n≤25 and D = [logqd]≤3.