Let F be a finite field of q elements and P′ be a system of quadratic polynomials p₁, ... , p_m in n variables over F. Let S ∈ GL_n(F) and T ∈ GL_m(F) be linear transformations over F and P=S ˆ P′ ˆ T, where ˆ denotes the composition of functions considered here componentwise. The system P′ is called the private key and P the public key in the multivariate public key cryptoscheme.

In this note, the authors analyze that variant of multivariate PKC where P′ forms a stepwise triangular system, STS. This means that n=r₁ + ... + r_L and m=m₁ + ... + m_L with positive integers r₁, ... , r_L, m₁, ... , m_L such that p_{{m1+ ... + ml-1+i}, 1 ≤ i ≤ m_l contain only the variables x_k with k ≤ &Sgr;^l_j=1 r_j. The analysis is worked out in the special case when r₁= ... =r_L = m₁= ... = m_L=r.

There are two efficient cryptoanalytic attacks presented that break the STS-based multivariate PKC. The inversion attack recovers the message for given ciphertext in O(mn³Lq^r+n²Lrq^r) operations, while the structural attack computes an equivalent form of the secret key from the public key in O(mn³Lq^r+mn⁴) steps. Both attacks are based on the observation that, for STSs, the kernels of the linear transformations associated with the matrices of the homogenous quadratic parts of the polynomials p_i form a descending chain of subspaces. The proposed attacks are efficient from a theoretical point of view because the legitimate user needs O(q^r) time to decrypt the message. It works well in practice too, as shown through the solution of two challenges of Kasahara and Sakai [1].