Solving Quadratic Equations with XL on Parallel Architectures
|
|
- Jody Moore
- 5 years ago
- Views:
Transcription
1 Solving Quadratic Equations with XL on Parallel Architectures Cheng Chen-Mou 1, Chou Tung 2, Ni Ru-Ben 2, Yang Bo-Yin 2 1 National Taiwan University 2 Academia Sinica Taipei, Taiwan Leuven, Sept. 11, 2012
2 Solving Quadratic Equations with XL on Parallel Architectures Chen-Mou Cheng 1, Tung Chou 2, Ruben Niederhagen 2, Bo-Yin Yang 2 1 National Taiwan University 2 Academia Sinica Taipei, Taiwan Leuven, Sept. 11, 2012
3 The XL algorithm Some cryptographic systems can be attacked by solving a system of multivariate quadratic equations, e.g.: AES: 8000 quadratic equations with 1600 variables over F 2 (Courtois and Pieprzyk, 2002) 840 sparse quadratic equations and 1408 linear equations over 3968 variables of F 256 (Murphy and Robshaw, 2002) multivariate cryptographic systems, e.g. QUAD stream cipher (cryptanalysis by Yang, Chen, Bernstein, and Chen, 2007)
4 The XL algorithm XL is an acronym for extended linearization: extend a quadratic system by multiplying with appropriate monomials linearize by treating each monomial as an independent variable solve the linearized system special case of Gröbner basis algorithms first suggested by Lazard (1983) reinvented by Courtois, Klimov, Patarin, and Shamir (2000) alternative to Gröbner basis solvers like Faugère s F 4 (1999, e.g., Magma) and F 5 (2002) algorithms
5 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: choose: extend: linearize: solve: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] operational degree D N system A to the system R (D) = {x b l i = 0 : b D 2, l i A} consider x d, d D a new variable to obtain a linear system M linear system M
6 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] choose: operational degree D N How? extend: system A to the system R (D) = {x b l i = 0 : b D 2, l i A} linearize: consider x d, d D a new variable to obtain a linear system M solve: linear system M
7 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] choose: operational degree D N How? extend: system A to the system R (D) = {x b l i = 0 : b D 2, l i A} linearize: consider x d, d D a new variable to obtain a linear system M solve: linear system M minimum degree D 0 for reliable termination (Yang and Chen): D 0 := min{d : ((1 λ) m n 1 (1 + λ) m )[D] 0}
8 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] choose: operational degree D N How? extend: system A to the system R (D) = {x b l i = 0 : b D 2, l i A} linearize: consider x d, d D a new variable to obtain a linear system M solve: linear system M How? minimum degree D 0 for reliable termination (Yang and Chen): D 0 := min{d : ((1 λ) m n 1 (1 + λ) m )[D] 0}
9 The XL algorithm For b N n denote by x b the monomial x b 1 1 x b x n bn b = b 1 + b b n the total degree of x b. and by given: finite field K = F q system A of m multivariate quadratic equations: l 1 = l 2 = = l m = 0, l i K[x 1, x 2,..., x n ] choose: operational We use the degree Wiedemann D N algorithm How? extend: system insteada of toathe Gauss system solver. Thus, we R do (D) not = {x compute b l i = 0 : a b complete D 2, Gröbner l i A} consider basis but x d distinguished, d D a new solutions! variable linearize: to obtain a linear system M solve: linear system M How? minimum degree D 0 for reliable termination (Yang and Chen): D 0 := min{d : ((1 λ) m n 1 (1 + λ) m )[D] 0}
10 The Wiedemann algorithm the basic idea given: A K N N wanted: v K N such that Av = 0 solution: compute minimal polynomial f of A of degree d: f (A) = 0 d f i A i = 0 i=0 d f i A i z = 0 i=0 d f i A i z + f 0 z = 0 i=1 d f i A i z = 0 since f 0 = 0 i=1 ( d ) A f i A i 1 z = 0 i=1 } {{ } =v choose z K N randomly
11 The Wiedemann algorithm the basic idea given: A K N N wanted: v K N such that Av = 0 How? solution: compute minimal polynomial f of A of degree d: f (A) = 0 d f i A i = 0 i=0 d f i A i z = 0 i=0 d f i A i z + f 0 z = 0 i=1 d f i A i z = 0 since f 0 = 0 i=1 ( d ) A f i A i 1 z = 0 i=1 } {{ } =v choose z K N randomly
12 The Berlekamp Massey algorithm Given a linearly recurrent sequence S = {a i } i=0, a i K, compute an annihilating polynomial f of degree d such that d f i a j+i = 0, for all j N. i=0 The Berlekamp Massey algorithm requires the first 2 d elements of S as input and computes f i K, 0 i d.
13 The Berlekamp Massey algorithm Given a linearly recurrent sequence a i = xa i z, x K 1 N S = {a i } i=0, a i K, compute an annihilating polynomial f of degree d such that d f i a j+i = 0, for all j N. i=0 The Berlekamp Massey algorithm requires the first 2 d elements of S as input and computes f i K, 0 i d.
14 The block Wiedemann algorithm Due to Coppersmith (1994), three steps: Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1).
15 The block Wiedemann algorithm Due to Coppersmith (1994), three steps: Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1). BW1: Compute sequence {a i } κ i=0 of matrices a i K n m using random matrices x K m N and z K N n a i = (xa i y) T, for y = Az. O ( N 2 (w A + m) )
16 The block Wiedemann algorithm Due to Coppersmith (1994), three steps: Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1). BW1: Compute sequence {a i } κ i=0 of matrices a i K n m using random matrices x K m N and z K N n a i = (xa i y) T, for y = Az. O ( N 2 (w A + m) ) BW2: Use block Berlekamp Massey to compute polynomial f with coefficients in K n n. Coppersmith s version: O(N 2 n) Thomé s version: O(N log 2 N n)
17 The block Wiedemann algorithm Due to Coppersmith (1994), three steps: Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1). BW1: Compute sequence {a i } κ i=0 of matrices a i K n m using random matrices x K m N and z K N n a i = (xa i y) T, for y = Az. O ( N 2 (w A + m) ) BW2: Use block Berlekamp Massey to compute polynomial f with coefficients in K n n. Coppersmith s version: O(N 2 n) Thomé s version: O(N log 2 N n) BW3: Evaluate the reverse of f : W = deg(f ) j=0 A j z(f deg(f ) j ) T. O ( N 2 (w A + n) )
18 Parallelization of BW1 Input: A K N N, parameters m, n N, κ N of size N/m + N/n + O(1). Compute sequence {a i } κ i=0 of matrices a i K n m using random matrices x K m N and z K N n a i = (xa i y) T, for y = Az using {t i } κ i=0, t i K N n, { y = Az for i = 0 t i = At i 1 for 0 < i κ, a i = (xt i ) T.
19 Parallelization of BW1 INPUT: macaulay_matrix<n, N> A; sparse_matrix<n, n> z; matrix<n, n> t_new, t_old; matrix<m, n> a[n/m + N/n + O(1)]; sparse_matrix<m, N, weight> x; x.rand(); t_old = z; for (unsigned i = 0; i <= N/m + N/n + O(1); i++) { t_new = A * t_old; a[i] = x * t_new; swap(t_old, t_new); } RETURN a
20 Parallelization of BW1 multicore processor t i = A t i 1
21 Parallelization of BW1 multicore processor 2 cores t i = A t i 1
22 Parallelization of BW1 multicore processor 4 cores t i = A t i 1
23 Parallelization of BW1 multicore processor 4 cores t i = A t i 1
24 Parallelization of BW1 multicore processor 4 cores t i = A t i 1 OpenMP
25 Parallelization of BW1 cluster system t i = A t i 1
26 Parallelization of BW1 cluster system 2 computing nodes t i = A t i 1
27 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1
28 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1
29 Parallelization of BW1 cluster system 4 computing nodes a (i) K n m n t i = A t i 1
30 Parallelization of BW1 cluster system BW1 BW2 Thomé BW2 Coppersmith BW3 Runtime [s] Block Width: m = n
31 Parallelization of BW1 cluster system Memory [GB] BW2 Thomé BW2 Coppersmith 36 GB Block Width: m = n
32 Parallelization of BW1 cluster system t i = A t i 1
33 Parallelization of BW1 cluster system 2 computing nodes t i = A t i 1
34 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1
35 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1
36 Parallelization of BW1 cluster system 4 computing nodes t i = A t i 1
37 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i 1 t i 1
38 Parallelization of BW1 cluster system 4 computing nodes t i t i 1 = A t i 1 t i 1
39 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1
40 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1 MPI: ISend, IRecv,...
41 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1
42 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1
43 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1
44 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1
45 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1
46 Parallelization of BW1 cluster system 4 computing nodes t i t i = A t i t i 1 InfiniBand Verbs
47 Parallelization of BW1 cluster system Verbs API MPI Ratio Number of Nodes
48 Parallelization of BW1 cluster system Communication Computation Sent per Node Runtime Number of Cluster Nodes (InfiniBand MT26428, 2 ports of 4 QDR, 32 Gbit/s)
49 Runtime n = 16, m = 18, F 16 Runtime [min] BW1 BW2 Tho. BW2 Cop. BW Cluster NUMA Number of Cores
50 Comparison to Magma F 4 Time [hrs] XL (64 cores) XL (scaled) Magma F n, m = 2n Memory [GB] XL Magma F n, m = 2n
51 Conclusions XL with block Wiedemann as system solver is an alternative for Gröbner basis solvers, because and in about 80% of the cases it operates on the same degree, it scales well on multicore systems and moderate cluster sizes, it has a relatively small memory demand.
52 Thank you!
Solving Multivariate Polynomial Systems
Solving Multivariate Polynomial Systems Presented by: Bo-Yin Yang work with Lab of Yang and Cheng, and Charles Bouillaguet, ENS Institute of Information Science and TWISC, Academia Sinica Taipei, Taiwan
More informationOwen (Chia-Hsin) Chen, National Taiwan University
Analysis of QUAD Owen (Chia-Hsin) Chen, National Taiwan University March 27, FSE 2007, Luxembourg Work at Academia Sinica supervised by Dr. Bo-Yin Yang Jointly with Drs. Dan Bernstein and Jiun-Ming Chen
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationComparison between XL and Gröbner Basis Algorithms
Comparison between XL and Gröbner Basis Algorithms Gwénolé Ars 1, Jean-Charles Faugère 2, Hideki Imai 3, Mitsuru Kawazoe 4, and Makoto Sugita 5 1 IRMAR, University of Rennes 1 Campus de Beaulieu 35042
More informationCryptanalysis of the Tractable Rational Map Cryptosystem
Cryptanalysis of the Tractable Rational Map Cryptosystem Antoine Joux 1, Sébastien Kunz-Jacques 2, Frédéric Muller 2, and Pierre-Michel Ricordel 2 1 SPOTI Antoine.Joux@m4x.org 2 DCSSI Crypto Lab 51, Boulevard
More informationA survey of algebraic attacks against stream ciphers
A survey of algebraic attacks against stream ciphers Frederik Armknecht NEC Europe Ltd. Network Laboratories frederik.armknecht@netlab.nec.de Special semester on Gröbner bases and related methods, May
More informationComputational and Algebraic Aspects of the Advanced Encryption Standard
Computational and Algebraic Aspects of the Advanced Encryption Standard Carlos Cid, Sean Murphy and Matthew Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationRésolution de systèmes polynomiaux structurés et applications en Cryptologie
Résolution de systèmes polynomiaux structurés et applications en Cryptologie Pierre-Jean Spaenlehauer University of Western Ontario Ontario Research Center for Computer Algebra Magali Bardet, Jean-Charles
More informationNew candidates for multivariate trapdoor functions
New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,
More informationCRYPTOGRAPHIC COMPUTING
CRYPTOGRAPHIC COMPUTING ON GPU Chen Mou Cheng Dept. Electrical Engineering g National Taiwan University January 16, 2009 COLLABORATORS Daniel Bernstein, UIC, USA Tien Ren Chen, Army Tanja Lange, TU Eindhoven,
More informationThe XL-Algorithm and a Conjecture from Commutative Algebra
The XL-Algorithm and a Conjecture from Commutative Algebra Claus Diem Institute for Experimental Mathematics, University of Duisburg-Essen Essen, Germany Abstract. The XL-algorithm is a computational method
More informationAlgebraic Attacks on. Stream Ciphers
Algebraic Attacks on Stream Ciphers Nicolas T. Courtois University College London, UK Part -1 Stream Ciphers 2 Stream Ciphers: No clear frontier between Block Cipher and Stream Cipher Encryption A different
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationThe ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function
The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function An Braeken 1 and Igor Semaev 2 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven,
More informationOn the Existence of Semi-Regular Sequences
On the Existence of Semi-Regular Sequences Sergio Molina 1 joint work with T. J. Hodges 1 J. Schlather 1 Department of Mathematics University of Cincinnati DIMACS, January 2015 Sergio Molina (UC) Semi-Regular
More informationMXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy
MXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy Mohamed Saied Emam Mohamed 1, Wael Said Abd Elmageed Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB
More informationEfficient implementation of the overlap operator on multi-gpus
Efficient implementation of the overlap operator on multi-gpus Andrei Alexandru Mike Lujan, Craig Pelissier, Ben Gamari, Frank Lee SAAHPC 2011 - University of Tennessee Outline Motivation Overlap operator
More informationAnalysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields
Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationAlgebraic Cryptanalysis of Curry and Flurry using Correlated Messages
Algebraic Cryptanalysis of Curry and Flurry using Correlated Messages Jean-Charles Faugère and Ludovic Perret SALSA Project INRIA, Centre Paris-Rocquencourt UPMC, Univ Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationAlgebraic attack on stream ciphers Master s Thesis
Comenius University Faculty of Mathematics, Physics and Informatics Department of Computer Science Algebraic attack on stream ciphers Master s Thesis Martin Vörös Bratislava, 2007 Comenius University Faculty
More informationAn Implementation of SPELT(31, 4, 96, 96, (32, 16, 8))
An Implementation of SPELT(31, 4, 96, 96, (32, 16, 8)) Tung Chou January 5, 2012 QUAD Stream cipher. Security relies on MQ (Multivariate Quadratics). QUAD The Provably-secure QUAD(q, n, r) Stream Cipher
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationAdvanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany
Advanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany frank.quedenfeld@googlemail.com 2 Research center Jülich,
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationMultivariate Public Key Cryptography
Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016 Outline Outline What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems,
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationStatic-scheduling and hybrid-programming in SuperLU DIST on multicore cluster systems
Static-scheduling and hybrid-programming in SuperLU DIST on multicore cluster systems Ichitaro Yamazaki University of Tennessee, Knoxville Xiaoye Sherry Li Lawrence Berkeley National Laboratory MS49: Sparse
More informationAsymptotically faster quantum algorithms to solve multivariate quadratic equations
Asymptotically faster quantum algorithms to solve multivariate quadratic equations Daniel J. Bernstein 1 and Bo-Yin Yang 2 1 Department of Computer Science University of Illinois at Chicago Chicago, IL
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationInoculating Multivariate Schemes Against Differential Attacks
Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,
More informationMultiplicative Complexity
Nicolas T. Courtois University College London, UK Roadmap bi-linear and tri-linear problems such as complex / matrix multiplication general case arbitrary vectorial Boolean functions in cryptography called
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom {M.R.Albrecht,carlos.cid}@rhul.ac.uk
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationUsing Wiedemann s algorithm to compute the immunity against algebraic and fast algebraic attacks
Using Wiedemann s algorithm to compute the immunity against algebraic and fast algebraic attacks Frédéric Didier Projet CODES, INRIA Rocquencourt, Domaine de Voluceau, 78153 Le Chesnay cédex frederic.didier@inria.fr
More informationOn solving sparse algebraic equations over finite
On solving sparse algebraic equations over finite fields II Igor Semaev Department of Informatics, University of Bergen, Norway Abstract. A system of algebraic equations over a finite field is called sparse
More informationAnalysis of Trivium Using Compressed Right Hand Side Equations
5.3 Analysis of Trivium Using Compressed Right Hand Side Equations 65 Analysis of Trivium Using Compressed Right Hand Side Equations Thorsten Ernst Schilling, Håvard Raddum thorsten.schilling@ii.uib.no,havard.raddum@ii.uib.no
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationAlgebraic Attacks vs. Design of Block and Stream Ciphers. Nicolas T. Courtois - University College London
Algebraic Attacks vs. Design of Block and Stream Ciphers Nicolas T. Courtois - University College London A New Frontier in Symmetric Cryptanalysis Modern Symmetric Cryptanalysis: number of ciphers broken
More informationIsomorphism of Polynomials : New Results
Isomorphism of Polynomials : New Results Charles Bouillaguet, Jean-Charles Faugère 2,3, Pierre-Alain Fouque and Ludovic Perret 3,2 Ecole Normale Supérieure {charles.bouillaguet, pierre-alain.fouque}@ens.fr
More informationGröbner Bases. Applications in Cryptology
Gröbner Bases. Applications in Cryptology Jean-Charles Faugère INRIA, Université Paris 6, CNRS with partial support of Celar/DGA FSE 20007 - Luxembourg E cient Goal: how Gröbner bases can be used to break
More informationHigh Performance Computing techniques for attacking reduced version of AES using XL and XSL methods
Graduate Theses and Dissertations Iowa State University Capstones, Theses and Dissertations 2010 High Performance Computing techniques for attacking reduced version of AES using XL and XSL methods Elizabeth
More informationCharacterizations on Algebraic Immunity for Multi-Output Boolean Functions
Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School
More informationCryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences
Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo,
More informationAlgebraic Immunity of S-boxes and Augmented Functions
Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationOn the relation of the Mutant strategy and the Normal Selection strategy
On the relation of the Mutant strategy and the Normal Selection strategy Martin Albrecht 1 Carlos Cid 2 Jean-Charles Faugère 1 Ludovic Perret 1 1 SALSA Project -INRIA, UPMC, Univ Paris 06 2 Information
More informationMPI at MPI. Jens Saak. Max Planck Institute for Dynamics of Complex Technical Systems Computational Methods in Systems and Control Theory
MAX PLANCK INSTITUTE November 5, 2010 MPI at MPI Jens Saak Max Planck Institute for Dynamics of Complex Technical Systems Computational Methods in Systems and Control Theory FOR DYNAMICS OF COMPLEX TECHNICAL
More informationMultiplicative Complexity
Nicolas T. Courtois University College London, UK Definition [informal] Every function can be represented as a number of multiplications + linear functions over a finite field/ring. We call MC () the minimum
More informationAlgebraic Cryptanalysis of the Data Encryption Standard
Algebraic Cryptanalysis of the Data Encryption Standard Nicolas T. Courtois 1 and Gregory V. Bard 2 1 University College of London, Gower Street, London, UK, n.courtois@ucl.ac.uk 2 Fordham University,
More informationAlgebraic analysis of Trivium-like ciphers (Poster)
Algebraic analysis of Trivium-like ciphers (Poster) Sui-Guan Teo 1 Kenneth Koon-Ho Wong 1 Harry Bartlett 2 Leonie Simpson 2 Ed Dawson 1 1 Institute for Future Environments 2 Science and Engineering Faculty
More informationSparse Boolean equations and circuit lattices
Sparse Boolean equations and circuit lattices Igor Semaev Department of Informatics, University of Bergen, Norway igor@ii.uib.no Abstract. A system of Boolean equations is called sparse if each equation
More informationAlgebraic Attacks and Decomposition of Boolean Functions
Algebraic Attacks and Decomposition of Boolean Functions Willi Meier 1, Enes Pasalic 2, and Claude Carlet 2 1 FH Aargau, CH-5210 Windisch, Switzerland meierw@fh-aargau.ch 2 INRIA, projet CODES, Domaine
More informationEfficient variant of Rainbow using sparse secret keys
Takanori Yasuda 1, Tsuyoshi Takagi 2, and Kouichi Sakurai 1,3 1 Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan 2 Institute of Mathematics for Industry, Kyushu University,
More informationMatrix Power S-Box Construction
Matrix Power S-Box Construction Eligijus Sakalauskas a and Kestutis Luksys b Department of Applied Mathematics, Kaunas University of Technology, Studentu g. 50, 52368 Kaunas, Lithuania a Eligijus.Sakalauskas@ktu.lt
More informationBlock ciphers sensitive to Gröbner Basis Attacks
Block ciphers sensitive to Gröbner Basis Attacks Johannes Buchmann, Andrei Pychkine, Ralf-Philipp Weinmann {buchmann,pychkine,weinmann}@cdc.informatik.tu-darmstadt.de Technische Universität Darmstadt Abstract.
More informationCube attack in finite fields of higher order
Cube attack in finite fields of higher order Andrea Agnesse 1 Marco Pedicini 2 1 Dipartimento di Matematica, Università Roma Tre Largo San Leonardo Murialdo 1, Rome, Italy 2 Istituto per le Applicazioni
More informationVersion of block Lanczos-type algorithm for solving sparse linear systems
Bull Math Soc Sci Math Roumanie Tome 53(101) o 3, 2010, 225 230 Version of block Lanczos-type algorithm for solving sparse linear systems by MA Cherepniov Dedicated to the memory of Laurenţiu Panaitopol
More informationParallel Cube Tester Analysis of the CubeHash One-Way Hash Function
Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of
More informationOn Implementing the Symbolic Preprocessing Function over Boolean Polynomial Rings in Gröbner Basis Algorithms Using Linear Algebra
On Implementing the Symbolic Preprocessing Function over Boolean Polynomial Rings in Gröbner Basis Algorithms Using Linear Algebra Yao Sun a, Zhenyu Huang a, Dongdai Lin a, Dingkang Wang b a SKLOIS, Institute
More informationSequences, DFT and Resistance against Fast Algebraic Attacks
Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationOn Existence and Invariant of Algebraic Attacks
On Existence and Invariant of Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca
More informationDecoding linear codes via systems solving: complexity issues and generalized Newton identities
Decoding linear codes via systems solving: complexity issues and generalized Newton identities Stanislav Bulygin (joint work with Ruud Pellikaan) University of Valladolid Valladolid, Spain March 14, 2008
More informationMI-T-HFE, a New Multivariate Signature Scheme
MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationF-FCSR: Design of a New Class of Stream Ciphers
F-FCSR: Design of a New Class of Stream Ciphers François Arnault and Thierry P. Berger LACO, Université de Limoges, 123 avenue A. Thomas, 87060 Limoges CEDEX, France {arnault, thierry.berger}@unilim.fr
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationA Characteristic Set Method for Equation Solving in F 2 and Applications in Cryptanalysis of Stream Ciphers 1
MM Research Preprints, 42 56 KLMM, AMSS, Academia Sinica Vol. 25, December 2006 A Characteristic Set Method for Equation Solving in F 2 and Applications in Cryptanalysis of Stream Ciphers 1 Xiao-Shan Gao,
More informationSolving Underdetermined Systems of Multivariate Quadratic Equations Revisited
Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited Enrico Thomae and Christopher Wolf Horst Görtz Institute for IT-security Faculty of Mathematics Ruhr-University of Bochum,
More information3.8 MEASURE OF RUNDOMNESS:
Lec 10 : Data Security Stream Cipher Systems 1 3.8 MEASURE OF RUNDOMNESS: 3.9.1 DEFINITION: Run: sequence of identical bits (0 or 1) Ex.01110000111 Runs are 0,111, 0000, 111 Gap: runs of zeroes 1000011
More informationAnalysis of XSL Applied to BES. By: Lim Chu Wee, Khoo Khoong Ming.
Analysis of XSL Applied to BES By: Lim Chu Wee, Khoo Khoong Ming. History (2002) Courtois and Pieprzyk announced a plausible attack (XSL) on Rijndael AES. Complexity of 2 225 for AES-256. Later Murphy
More informationShortest Lattice Vector Enumeration on Graphics Cards
Shortest Lattice Vector Enumeration on Graphics Cards Jens Hermans 1 Michael Schneider 2 Fréderik Vercauteren 1 Johannes Buchmann 2 Bart Preneel 1 1 K.U.Leuven 2 TU Darmstadt SHARCS - 10 September 2009
More informationAlgebraic Attacks on Stream Ciphers with Linear Feedback
Algebraic Attacks on Stream Ciphers with Linear Feedback Extended Version of the Eurocrypt 2003 paper, August 24, 2003 Nicolas T. Courtois 1 and Willi Meier 2 1 Cryptography Research, Schlumberger Smart
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationEtude d hypothèses algorithmiques et attaques de primitives cryptographiques
Etude d hypothèses algorithmiques et attaques de primitives cryptographiques Charles Bouillaguet École normale supérieure Paris, France Ph.D. Defense September 26, 2011 Introduction Modes of Operation
More informationCryptanalysis of the HFE Public Key Cryptosystem by Relinearization
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA
More informationReconstructing Chemical Reaction Networks by Solving Boolean Polynomial Systems
Reconstructing Chemical Reaction Networks by Solving Boolean Polynomial Systems Chenqi Mou Wei Niu LMIB-School of Mathematics École Centrale Pékin and Systems Science Beihang University, Beijing 100191,
More informationSmall Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems
Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems Albrecht Petzoldt 1, Enrico Thomae, Stanislav Bulygin 3, and Christopher Wolf 4 1,3 Technische Universität Darmstadt
More informationBlack Box Linear Algebra with the LinBox Library. William J. Turner North Carolina State University wjturner
Black Box Linear Algebra with the LinBox Library William J. Turner North Carolina State University www.math.ncsu.edu/ wjturner Overview 1. Black Box Linear Algebra 2. Project LinBox 3. LinBox Objects 4.
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Antoine Joux 1,2 and Vanessa Vitse 2 1 Direction Générale de l Armement (DGA) 2 Université de Versailles Saint-Quentin, Laboratoire PRISM, 45 av. des États-Unis, 78035 Versailles
More informationA Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding 1, Ray Perlner 2, Albrecht Petzoldt 2, and Daniel Smith-Tone 2,3 1 Department of Mathematical Sciences, University of Cincinnati, Cincinnati,
More informationAlmost polynomial Complexity for Zero-dimensional Gröbner Bases p.1/17
Almost polynomial Complexity for Zero-dimensional Gröbner Bases Amir Hashemi co-author: Daniel Lazard INRIA SALSA-project/ LIP6 CALFOR-team http://www-calfor.lip6.fr/ hashemi/ Special semester on Gröbner
More informationALGEBRAIC CRYPTANALYSIS OF SMS4
ALGEBRAIC CRYPTANALYSIS OF SMS4 JEREMY ERICKSON, TAYLOR UNIVERSITY Abstract. The SMS4 block cipher is part of the Chinese WAPI wireless standard. It is a 32-round block cipher with 128-bit blocks and 128-bit
More informationEfficient Computation of Algebraic Immunity for Algebraic and Fast Algebraic Attacks
Efficient Computation of Algebraic Immunity for Algebraic and Fast Algebraic Attacks Frederik Armknecht 1, Claude Carlet 2, Philippe Gaborit 3, Simon Künzli 4, Willi Meier 4, and Olivier Ruatta 3 1 Universität
More informationOn the BMS Algorithm
On the BMS Algorithm Shojiro Sakata The University of Electro-Communications Department of Information and Communication Engineering Chofu-shi, Tokyo 182-8585, JAPAN Abstract I will present a sketch of
More information