... : Variations around two schemes of T. Matsumoto and H. Imai

In 4], H. Imai and T. Matsumoto presented some new candidate trapdoor one-way permutations with a public key given as multivariate polynomials over a nite eld. One of these schemes was later presented in 7] under the name C , and was based on the idea of hiding a monomial eld equation. This scheme was broken in 8] by Jacques Patarin, due to unexpected algebraic properties.) some schemes to repair C , but this was done at the cost of slightly more complex public key or secret key computations. In part I of this paper, we will study some very simple variations of the C scheme, where the attack of 8] is avoided, and where the very simple secret key computations are kept. The C ?+ scheme will be one of these variations. We will design some new cryptanalysis that are eecient against some of { but not all { these variations. Another scheme of 4], very diierent from C (despite the name), was called C] and was based on the idea of hiding a monomial matrix equation. No cryptanalysis has been published so far for this scheme. In part II of this paper, we will show how to attack this scheme C]. We will then study more general schemes, still using the idea of hiding matrix equations. The HM scheme will be one of these variations.