A Characteristic Set Method for Equation Solving in F 2 and Applications in Cryptanalysis of Stream Ciphers 1
|
|
- Nathaniel Cook
- 6 years ago
- Views:
Transcription
1 MM Research Preprints, KLMM, AMSS, Academia Sinica Vol. 25, December 2006 A Characteristic Set Method for Equation Solving in F 2 and Applications in Cryptanalysis of Stream Ciphers 1 Xiao-Shan Gao, Fengjuan Chai, and Chunming Yuan Key Laboratory of Mathematics Mechanization Institute of Systems Science, AMSS, Academia Sinica Beijing, , China Abstract. In this paper, we present a characteristic set method to solve polynomial equation systems in the finite field F 2. Due to the special property of F 2, the given characteristic set methods are much more efficient and simpler than the general characteristic set method. We also use our methods to solve equations raised from cryptanalysis of stream ciphers based on nonlinear filter generators. Keywords. Characteristic set method, polynomial equation system, finite field F 2, cryptanalysis, stream ciphers. 1. Introduction The characteristic set (CS) method is a tool for studying systems of polynomial or algebraic differential equations [9, 11]. The idea of the method is to reduce equation systems in general form to equation systems in a special triangular form, also called ascending chains. The zero-set of any finitely generated polynomial or algebraic differential polynomial systems of equations may be decomposed into the union of the zero-sets of ascending chains. With this method, solving an equation system can be reduced to solving univariate equations. We can also use the method to determine the dimension, the degree, and the order for a finitely generated polynomial or differential polynomial systems, to solve the radical ideal membership problem, and to prove theorems from elementary and differential geometries. Existing CS methods always consider the zeros of polynomial equations in an algebraically closed field which is an infinite field. No CS methods were proposed to take into the account of the special property of finite fields. In this paper, we extend the CS method to solve equations in the finite field F 2. More precisely, we consider polynomials in the ring R 2 = F 2 [x 1,..., x n ]/(H) where H = {x x 1,..., x 2 n + x n }. A polynomial in R 2 could be treated as a Boolean function. Therefore, solving a system of equations in R 2 can be considered as solving a system of Boolean function equations. Due to the special property of F 2, the proposed CS methods are much more efficient and simpler than the general CS method. Comparing to the general CS method, our CS method in R 2 has the following major improvements. 1) Partially supported by a National Key Basic Research Project of China.
2 Characteristic Set Method in F 2 43 We could decompose the zero set of a polynomial equation system in R 2 as the disjoint union of the zero sets of ascending chains consisting of monic polynomials. As a consequence, we could give an explicit formula for the number of solutions of the equation system. The well-ordering principle is a basic step of the CS method, which can be used to compute a so called characteristic set for a polynomial system. If the CS is nontrivial, it provides at least one solution to the original equation system. We prove that in R 2 the well-ordering principle can be executed in a polynomial number of steps. Equation solving in F 2 has many important applications in the cryptanalysis of ciphers [3, 4, 5], hardware verification [7], and SAT problem solution [6]. It is known that the problem of deciding whether an equation system in R 2 has a solution in F 2 is a NP-complete problem [10]. We use our methods to solve equations raised from cryptanalysis of stream ciphers based on nonlinear filter generators. Extensive experiments have been done for equation systems with variables ranging from 40 to 128. The purpose of the experiments are two folds: to compare different variants of our algorithms and to show that our algorithm could provide an effective tool for solving equations over F 2. The rest of this paper is organized as follows. In Section 2, we introduce the notations and give some preliminary results. In Section 3, we present the CS methods. In Section 4, we present a direct algorithm to decompose the zero set of a polynomial system into the zero sets of monic ascending chains. In Section 5, our methods are used to solve equations raised from cryptanalysis of stream ciphers based on nonlinear filter generators. In Section 6, conclusions are given. 2. Notations and Preliminary Results Let F 2 be the field consisting of 0 and 1. We will consider the problem of solving a set of algebraic equations over F 2. Let X = {x 1,..., x n } be a set of indeterminants and where R 2 = F 2 [X]/(H) H = {x x 1,..., x 2 n + x n }. (1) Then R 2 is a ring with zero divisors. For instance, x i and x i +1 are zero divisors. An element P in R 2 has the following canonical representation: P = M s + + M 0 (2) where M i is a product of several distinct variables. To obtain such a canonical representation for a P Z[X], we will replace the sign by the + sign, replace an integer coefficients n by n mod 2, and replace x d i by x i. For instance, x 1 x 2 2 x can be represented as x 1 x 2 + x We still call an element in R 2 a polynomial. Let P be a set of polynomials in R 2. We use Zero(P) to denote the common zeros of the polynomials in P in the affine space F n 2, that is, Zero(P) = {(a 1,..., a n ), a i F 2, s.t. P P, P (a 1,..., a n ) = 0}.
3 44 X.S. Gao, F. Chai, and C. Yuan Let D be a polynomial in R 2. We define a quasi variety to be Zero(P/D) = Zero(P) \ Zero(D). Let P be a set of polynomials in F 2 [X]. Denote the zeros of P in an algebraically closed extension of F 2 as Zero(P). We use P to denote the image of P under the natural ring homomorphism: F 2 [X] R 2. Lemma 2.1 Use the notations just introduced. We have Zero(P H) = Zero(P), where H is defined in (1). Proof: Let P P. By the definition, we have P = P + i B i(x 2 i + x i), where B i are some polynomials. Note that any zero in Zero(P) is also a zero of x i (x i + 1). Then the formula to be proved is a direct consequence of the above relation between P and P. From Lemma 2.1, to solve a set of equations over F 2, we need only consider polynomials in R 2. In the rest of this paper, when we say polynomials, we mean an element of R 2 with the canonical representation (2). We will give some preliminary results about the polynomials in R 2. Lemmas 2.2 and 2.3 are known results [5]. We give proofs for them to the selfcontentness of the paper. Lemma 2.2 Let P R 2 and s an integer. Then P s = P. Proof: Since x 2 i = x i, we have x s i = x i. If m is a monomial in R 2, then m s = m. Let P = i m i where m i are monomials. We have P 2 = ( i m i) 2 = i m2 i = i m i = P. By induction on s, it is easy to prove that P s = P. Lemma 2.3 Let I be a polynomial ideal in R 2. (1) I = (x 0 + a 0,..., x n + a n ) if and only if (a 0,..., a n ) is the only solution of I. (2) I = (1) if any only I has no solutions. Proof: If I = (x 0 + a 0,..., x n + a n ), it is easy to see that (a 0,..., a n ) is the only solution of I. Conversely, let (a 0,..., a n ) be the only solution of I. By Lemma 2.1, we have x i + a i = 0 on Zero(I H) in F 2 [X], where H is defined in (1). By Hilbert s Nullstellensatz, there is an integer s such that (x i + a i ) s is in the ideal generated by I H. By Lemma 2.2, (x i + a i ) s = x i + a i I. This prove (1). For (2), if I has no solution, we have Zero(I H) =. By Hilbert s Nullstellensatz, 1 (I H). That is, 1 I. Lemma 2.4 Let U, V, and D be polynomials in R 2. We have Zero(UV ) = Zero(U) Zero(V ). (3) Zero( /D) = Zero(D + 1). (4) Zero(UV + 1) = Zero({U + 1, V + 1}). (5) Zero(UV + U + V ) = Zero({U, V }). (6) Zero(P) = Zero(P {U}) Zero(P {U + 1}). (7)
4 Characteristic Set Method in F 2 45 Proof: Since F 2 is a field, (3) is obviously true. For any element α F n 2, D(α) 0 implies D(α) = 1. This proves (4). For any element α F n 2, U(α)V (α) = 1 implies U(α) = 1 and V (α) = 1. This proves (5). To prove (6), let us note that f = UV + U + V = (V + 1)U + V. Thus if V = 0, f = 0 becomes U = 0. If V = 1, f = 1. This means f = 0 if and only if U = V = 0. This proves (6). Note that U(U + 1) 0. Then (7) is a consequence of (3). 3. A Characteristic Set Method in R 2 The existing CS methods are for infinite fields and do not take into account of the special property of finite fields. In our case, the polynomials are in R 2 and hence are much simpler than the case of characteristic zero. These conditions enable us to give a much simpler and more efficient algorithm to compute the characteristic set than in the case of characteristic zero Triangular Sets Let P R 2. The class of P, denoted by class(p ), is the least c such that x c occurs in P. If P F 2, we set class(p ) = 0. If class(p ) = c, we called x c the leading variable of P, denoted as lvar(p ). The leading coefficient of P as a univariate polynomial in lvar(p ) is called the initial of P, and is denoted as init(p ). If class(p ) = c, P can also be represented uniquely as the following form: P = Ix c + U (8) where I = init(p ) and U is polynomials with class less than c. A polynomial P 1 has higher ordering than a polynomial P 2, denoted as P 2 P 1, if class(p 1 ) > class(p 2 ). If class(p 1 ) = class(p 2 ), they are said to have the same ordering, denoted as P 1 P 2. It is easy to see that is a partial order on the polynomials in R 2. A sequence of nonzero polynomials A : A 1, A 2,..., A r (9) is a triangular set if either r = 1 and A 1 0 or class(a 1 ) < < class(a r ). A trivial triangulated set is a polynomial set consisting of 1. For a triangular A, we denote I A as the product of the initials of the polynomials in A. Let A : A 1, A 2,..., A r and A : A 1, A 2,..., A r be two triangular sets. A is said to be of lower ordering than A, denoted as A A, if either there is some k such that A 1 A 1,..., A k 1 A k 1, while A k A k ; or r > r and A 1 A 1,..., A r A r. We have the following basic property for triangular sets. Lemma 3.1 A sequence of triangular sets steadily lower in ordering is finite. More precisely, let A 1 A 2 A m be a strictly decreasing sequence of triangular sets in R 2. Then m 2 n 1. Proof: Since we only consider the ordering of the triangular sets, we may assume that the triangular sets consists of variables. We call the class of the first polynomial in a triangular set to be the class of that triangular set. The triangular set with the highest ordering is C 1 = x n. The next two triangular sets are C 2 = x n 1, C 3 = x n 1, x n. Following these triangular sets are the triangular sets with x n 2 as the first polynomial: C 4 = x n 2, C 5 = x n 2, x n, C 6 =
5 46 X.S. Gao, F. Chai, and C. Yuan x n 2, x n 1, C 7 = x n 2, x n 1, x n. Let C 1 C ak be the triangular sets with class k. Then the triangular sets with class k 1 are x n k+1, {x n k+1 } C 1,..., {x n k+1 } C ak. As a consequence, we have a k 1 = 2a k + 1 and a 1 = 2a = 2 2 a = a 3 a = 2 n = 2 n 1. Let A 1 A 2 A m be a strictly decreasing sequence of triangular sets and B i the triangular set obtained from A i by replacing a polynomial in A i by its leading variable. Then B 1 B 2 B m is also a strictly decreasing sequence of triangular sets. This sequence must be a sub-sequence of C 1 C 2 n 1. Hence, m 2 n 1. Let P be given in (8) with c > 0. For another polynomial Q, write Q as a polynomial in x c : Q = I 1 x c + U 1. Then the pseudo-remainder of Q wrt P is defined as prem(q, P ) = IQ + I 1 P = IU 1 + I 1 U. If P = 1, define prem(q, P ) = 0. For a triangular set A defined in (9), the pseudo-remainder of Q wrt A is defined recursively as prem(q, A) = prem(prem(q, A r ), A 1,..., A r 1 ) and prem(q, ) = Q. Let R = prem(q, A). By Lemma 2.2, we have I A G = i Q i A i + R (10) for some polynomials Q i. The above formula is called the remainder formula. A polynomial Q is reduced wrt P 0 if class(p ) = c > 0 and x c does not occur in Q. A polynomial Q is reduced wrt a triangular set A if P is reduced wrt to all the polynomials in A. It is clear that the pseudo-remainder of any polynomial wrt A is reduced wrt A. A triangulated set A is called monic if the initial of each polynomial in A is 1. A monic triangular set can be written as the following form: A 1 = x k1 + U 1 (U) A = (11) A p = x kp + U p (U) where U = {x i i k j } is called the parameter set of A. Let q = U. It is clear that p+q = n. The dimension of A is defined to be dim(a) = q = n A. We have Lemma 3.2 Let A be a monic triangular set. Then Zero(A) = 2 dim(a). Proof: The dimension of A is the number of parameters of A, that is, dim(a) = U. For any x i U, we assign x i values 0 and 1. Then, there are 2 dim(a) parametric values for U. For each of these parametric value, A = 0 has exactly one solution since A is monic. This proves the lemma. A triangular set is called conflict if prem(i A, A) = 0. Lemma 3.3 Let A be a non-conflict triangular set. Then Zero(A/I A ).
6 Characteristic Set Method in F 2 47 Proof: If I A = 1, A is a monic triangular set. By Lemma 3.2, Zero(A/I A ) = Zero(A). Otherwise, let A = A 1,..., A p and A i = I i x ni + U i. Denote B i = x ni + U i. By (10), I = prem(i A, A) = I 2 A + i Q ia i = I A + i Q ia i = I A + i R ib i + i R i(i i + 1) 0. Represent I as the standard form (8): I = I 0 x s + V. By (4) and (5), Zero(A/I A ) = Zero({A 1,..., A p, I A + 1}) = Zero({A 1,..., A p, I 1 + 1,..., I p + 1}) = Zero({B 1,..., B p, I 1 + 1,..., I p + 1}) = Zero({B 1,..., B p, I A + 1}) = Zero({B 1,..., B p, I + 1}) = Zero({B 1,..., B p, I 0 x s + V + 1}/I 0 ) Zero({B 1,..., B p, I 0, V + 1}). Since I is reduced wrt A, x s is not a leading variable of any A i. Then I 0 x s + V + 1, B 1,..., B p is also a triangular set. Note that I 0 is reduced wrt A. Repeat the above procedure for Zero({I 0 x s + V + 1, B 1,..., B p }/I 0 ), we will obtain a monic triangular set D such that Zero(D) Zero(A/I A ). By Lemma 3.2, we have Zero(A) Zero(D) Well-Ordering Principles A triangular set A in (9) is called an ascending chain, or simply a chain, if A j is reduced wrt A i for i < j. A basic set of a polynomial set P is any chain of lowest ordering contained in P. It is evident that any two basic sets of a polynomial set are of the same ordering. We have the following basic property for the basic set[9, 11]. Lemma 3.4 Let A be a basic set of a polynomial set P. If P is reduced wrt A, then the basic set of P {P } is of lower ordering than that of P. Let P be a polynomial set. We set P 0 = P and choose a basic set B 0 of P 0. Let R 0 be the nonzero remainders of polynomials in P 0 \ B 0 wrt B 0. Suppose that R 0. Then we form a new polynomial set P 1 = P B 0 R 0. Choose now an arbitrary basic set B 1 of P 1. By Lemma 3.4, B 1 is of lower ordering than B 0. Continuing in this way, we will obtain successively P i, B i, R i, i = 1, 2,..., for which B 0 B 1 B 2. By Lemma 3.1, the sequence can only be a finite one so that up to a certain stage m we should have R m =. The above procedure can be exhibited in the form of the scheme (12) below: P = P 0 P 1 P i P m B 0 B 1 B i B m = C (12) R 0 R 1 R i R m = where P i = P i 1 R i 1 (13) B i is a basic set of P i, and R i is the set of nonzero remainders of the polynomials in P i wrt B i.
7 48 X.S. Gao, F. Chai, and C. Yuan In scheme (12), the corresponding basic set B m = C verifies prem(p, C) = {0} and Zero(P) Zero(C). (14) Any chain C obtained from a polynomial set P by means of some procedures in accordance to the scheme (12) is called a characteristic set (CS) of P. More generally, any chain C verifying the property (14) is called a CS of the P. As a consequence of the remainder formula (10), we have the following key properties of the CS. Theorem 3.5 (Well-ordering principle) Let C be a CS of a polynomial set P. Then we have Zero(P) = Zero(C/I C ) p i=1 Zero(P C {I i}) (15) = Zero(C {I 1 + 1,..., I p + 1}) p i=1 Zero(P C {I i}) (16) = Zero(C {I 1 + 1,..., I p + 1}) p i=1 Zero(P C {I 1 + 1,..., I i 1 + 1, I i }) (17) where I i, i = 1,..., p are the initials of the polynomials in C. When i < 0, I i is assumed not occurring in the formula. This result is significant because it represents the zero set for a general polynomial set as the zero set of an ascending chain. By Lemma 3.3, if the CS is non-conflict, then Zero(P). In procedure (12), the size of P i could increase very fast. We may adopt the following way to compute P i and Theorem 3.5 is still valid. P i = P B i 1 R i 1 (18) A more drastic way to reduce the size of P i is give below. In [13], Wu proposed that instead of (18), we use the the following way to compute P i P i = B i 1 + R i 1. (19) Then P i is always less than or equal to P. In the case of characteristic zero, Wu proved the following theorem. Theorem 3.6 ([13]) Let C be a CS of a polynomials et P using scheme (12) and (19). Then Zero(P) = Zero(C/K m ) m k=0 Zero(P {J k}/k k 1 ). where J i is the product of initials of polynomials in B i, and K i = i j=0 J i. In R 2, the above theorem may fail because some of the J i or K j may become zero. This problem could be solved by modifying the formula as the following form.
8 Characteristic Set Method in F 2 49 Theorem 3.7 (Modified well-ordering principle) Let C be a chain computed from a polynomial set P with procedures (12) and (19), I j, j = 1,..., s the initials of the polynomials in B m,..., B 0 (note that the initials of polynomials in A m appear first in the sequence), and K m the product for all the I j. Then, we have Zero(P) = Zero(C/K m ) s i=1zero(p C {I 1 + 1,..., I i 1 + 1, I i }) (20) = Zero(C {I 1 + 1,..., I s + 1}) s i=1zero(p C {I 1 + 1,..., I i 1 + 1, I i }) (21) When i < 0, I i will not appear in the formula Zero Decomposition Theorems in R 2 We can now give the zero decomposition theorems. Theorem 3.8 (Zero Decomposition Theorem) There is an algorithm which permits to determine for a given polynomial set P in a finite number of steps non-conflict chains A j, j = 1,..., s such that Zero(P) = s j=1zero(a j /I Aj ). Proof: By Theorem 3.5, we obtain (15). If C is conflict, we have Zero(C/I C ) =. Otherwise, let A 1 = C. Since I i is reduced wrt C and C is a basic set of P C, by Lemma 3.4, the basic set of P = P C {I i } is of lower ordering than that of C. Repeat the well-ordering principle for P, we obtain a CS A 2 which has lower ordering than A 1. By Lemma 3.1, the procedure will terminate and gives the zero decomposition. In R 2, we may give the following simpler form of zero decomposition theorem. Theorem 3.9 (Monic Zero Decomposition Theorem) There is an algorithm which permits to determine for a given polynomial set P in a finite number of steps moninc chains A j, j = 1,..., t such that Zero(P) = t j=1zero(a j ). Proof: By Theorem 3.5, we have (16). One may repeat the procedure (12) for each C {I 1 1,..., I p 1} and P C {I i }. Since I i is reduced wrt C, according to Lemma 3.4, the new chains obtained in this way will be of lower ordering than that of C. By Lemma 3.1, the procedure will end in a finite number of steps. Note that we could also use (21) to obtain the decomposition. In (21), since the initials of C are always in the sets {I 1 + 1,..., I s + 1} and {I 1 + 1,..., I i 1 + 1, I i }, there exists a polynomial P in P = C {I 1 + 1,..., I s + 1} or P = P C {I 1 + 1,..., I i 1 + 1, I i } which is reduced wrt C. By Lemma 3.4, a basic set of P or P must be of lower ordering than that of C. Hence, when repeating the procedure (12) for P and P, the process will terminate in a finite number of steps. Example 3.10 Let P = x 1 x 2 x 3 1. By Theorem 3.8, we have Zero(P ) = Zero(P/x 1 x 2 ). By Theorem 3.9, or (16), Zero(P ) = Zero(x 1 + 1, x 2 + 1, P ) Zero(x 1, P ) Zero(x 2, P ) = Zero(x 1 +1, x 2 +1, x 3 +1). Of course, we can use Lemma 2.4 (4) to obtain the result directly. The following theorem gives a refined zero decomposition theorem which allows to compute the number of solutions for a finite set of polynomials.
9 50 X.S. Gao, F. Chai, and C. Yuan Theorem 3.11 (Disjoint Zero Decomposition Theorem) For a finite polynomial set P, we can find moninc chains A j, j = 1,..., s such that Zero(P) = s i=1zero(a i ) and Zero(A i ) Zero(A j ) = for i j. As a consequence, we have Zero(P) = s 2 dim(ai). i=1 Proof: The proof is similar to that of Theorem 3.9. We just need to use (17) instead of (16). Since the components are disjoint, by Lemma 3.2, the number of solutions are s i=1 2dim(Ai). Similar to Theorem 3.8, we could also use (21) to obtain the decomposition. Example 3.12 Let P = {x 1 x 2 +x 2 +x 1 +1}. Then By Theorem 3.11, Zero(P) = Zero(A 1 ) Zero(A 2 ), where A 1 = x 1, x 2 + 1; A 2 = x Then, Zero(P) = = Complexity Analysis of the Modified Well-ordering Principle We will show that the key step of the zero decomposition, the modified well-ordering principle, can be done in a polynomial number of steps and with a polynomial number of polynomial multiplications. This result shows that the CS method could be a potentially fast and feasible method for solving polynomial equations in F 2. For two polynomials in R 2, we call their multiplicity is a meta-operator. We will estimate the number of meta-operators needed in the modified well-ordering principle (Theorem 3.7). Note that to do a pseudo-remainder needs two polynomial multiplications. We repeat the modified well-ordering principle here. P = P 0 P 1 P i P m B 0 B 1 B i B m = C R 0 R 1 R i R m = where P i = B i 1 R i 1, B i is a basic set of P i, and R i is the set of nonzero remainders of the polynomials in P i wrt B i. The following lemma gives a bound for the length of procedure (22). Lemma 3.13 Let B 0 B 1 B m be the sequence of chains in procedure (22). Then m n. Proof: We denote by X (i) the set of the leading variables of polynomials occurring in B 0,..., B i. We will prove that X (0) < X (1) < < X (m 1) = X (m). Since there are at most n leading variables, the above formula implies that m n. Essentially, we need to prove that if X (i) = X (i+1) then R i+1 = and the procedure will end. First let us note that P i+1 = B i R i, and for x k X (i) there exists at most one polynomial in P i+1 with x k as the leading variable. If X (i) = X (i+1), we will show that the leading variables of (22)
10 Characteristic Set Method in F 2 51 the polynomials in R i are in X (i 1). Otherwise, let P be a polynomial with leading variable x i0 which is the one with the smallest order and not in X (i 1). We consider two cases: (1) x i0 x for x X (i). Then P is a polynomial in P S i+1 with smallest order and should be in the basic set B i+1, which contradicts to the fact X (i) = X (i+1). (2) B i = B 1,..., B s and x i0 B t B t 1 B 1. Take t to be the largest to satisfy the above condition. Since P i+1 = B i R i, when select a basic set for Pi + 1, B 1,..., B t could be first selected. Since P R i, it must be reduced wrt B i. Hence, the next polynomial to be selected is P and P will be in the basic set of P i+1, which again contradicts to X (i) = X (i+1). We have proved that if X (i) = X (i+1) then the leading variables of the polynomials in R i are in X (i 1). As mentioned before, for each x k X (i 1), there is at most one polynomial in P i involving x k. So R i is a chain. For the same reason, B i R i is also a chain which should be B i+1. Hence R i+1 = and we proved the result. Theorem 3.14 Let l = P. The modified well-ordering principle, or procedure (22), will stop for at most n iterations and needs O(n 2 l) polynomial multiplications. Proof: By Lemma 3.13, in procedure (22), m n. That is, the procedure will stop at most n + 1 iterations. To compute R i, since P i l, we need to do at most 2 R i B i 2nl multiplications. So the total number of multiplications is at most m (n + 1)l = 2n(n + 1)l Implementation of the Algorithms We implemented the zero decomposition algorithms reported in this paper with the C language. A triangular set A defined in (9) is said to be a Wu chain if init(a i ) is reduced wrt A i 1. A is called a weak chain if prem(init(a i ), A i 1 ) 0. Wu chain is defined in [12]. Weak chain is defined in [2]. Similar to [12] and [2], we can develop the zero decomposition theorems for these types of chains. The purpose of using these chains is to reduce the size of the polynomials that might occur in the algorithm. We have three ways to generate new polynomial sets in the well-ordering principle: (13), (18), and (19) and three types of chains. Therefore, we have nine types of combinations to do zero decomposition. We will compare these approaches in Section A Direct Algorithm for Monic Zero Decomposition In the preceding section, the zero decomposition for a polynomial set P repeatedly uses the well-ordering principle to P and to the enlarged set of polynomials obtained by adding the initials of the CS to P to obtain their CSs. In this section, we will give a more direct algorithm to obtain a monic zero decomposition. The algorithm is given as Algorithm DMZDA. Theorem 4.1 Algorithm DMZDA is correct and to obtain each chain of P, we need O(nl) polynomial arithmetic operations where l = P. Proof. We consider a set Q of polynomials. Q 1 Q is the set of polynomials with the highest class and Q Q 1 a polynomial whose initial is of the lowest ordering. Let c = class(q) and
11 52 X.S. Gao, F. Chai, and C. Yuan Algorithm 1 DMZDA(P) Input: A finite set of polynomials P. Output: A sequence of monic chains A i such that Zero(P) = i Zero(A i ). Set P = {P}, A =. While P do Choose a Q from P. Set A =. While Q do Let Q 1 Q be the polynomials with the highest class. Let Q Q 1 be a polynomial whose initial is of the lowest ordering. If Q = 1, Zero(QS) =. Set A = and skip this loop for Q. Let Q = Ix c + U such that class(q) = c, init(q) = I. If I = 1, do A = A {Q}. Q := (Q \ Q 1 ) {prem(p, Q) 0 P Q 1 }. Else, do Let Q 1 = x c + U, Q 2 = Q 1 \ {Q}. A = A {Q 1 }. Q := (Q \ Q 1 ) {I + 1} {prem(p, Q 1 ) 0 P Q 2 }. P 1 = (Q \ {Q}) {I, U}. P := P {P 1 }. If A =, do Set A := A {A}. Return A I = init(q). If I = 1, then for P = I 1 x c + U 1 Q 1 we have P 1 = prem(p, Q) = P + I 1 Q. As a consequence, Zero({Q, P }) = Zero({Q, P 1 }). Therefore, we have Zero(Q) = Zero((Q \ Q 1 ) {Q} {prem(p, Q) 0 P Q 1 }). If I 1 and Q = Ix c + U, by (4), we can split the zero set of Q as two parts: Zero(Q) = Zero(Q {I + 1}) Zero(Q {I}) = Zero((Q \ {Q}) {Q 1 }) Zero((Q \ {Q}) {I, U}). The first part can be treated similarly to the case of I = 1 and the second case will be treated recursively with algorithm DMZDA. This proves that if A i, i = 1,..., s are the output of the algorithm, then Zero(P) = i Zero(A i ). The termination of the algorithm can be proved in two steps. First, we will show the termination for the inner loop, that is, for each finite polynomial set Q, the algorithm will construct a chain. After each iteration of the loop, the polynomial Q will be added to A and the highest class of the polynomials in Q will be reduced. Hence, this loop will end and give a chain A. Second, we need to show the termination for the outer loop. For a polynomial set
12 Characteristic Set Method in F 2 53 P, we assign an index (c n,..., c 1 ) where c i is the number of polynomials in P and with class i. In the algorithm, there are essentially two cases where new polynomial sets are generated. In the first case, we replace Q with Q = (Q \ Q 1 ) {Q} {prem(p, Q) 0 P Q 1 }. In the second case, we add Q = (Q \ {Q}) {I, U} to P, where Q = Ix c + U. It is clear that the index of Q if less than the index of Q in the lexicographical ordering in both cases. It is easy to show that a strictly decreasing sequence of indexes must be finite. This proves the termination of the algorithm. Finally, we will analyze the complexity of the inner loop of the algorithm, that is, the complexity to obtain a chain from Q. After each iteration, the highest class of the polynomials in Q will be reduced at least by one. Then, this loop will execute at most n times. In each iteration, we need to select the polynomials with the highest class and the polynomials with lowest initials. These operations need O(n) comparison of integers. Let l = Q. If I = 1, then the new Q contains at most l 1 polynomials. If I 1, the new Q contains at most l polynomials. Then, after each iteration, the new Q contains at most l polynomials. In each iteration, we also need to compute at most l 1 pseudo-remainders. Since each pseudo-remainder takes at most three polynomial arithmetic operations, we need to do 3l polynomial arithmetic operations in each iteration. In all, the algorithm needs O(nl) polynomial arithmetic operations and O(n 2 ) comparison of integers. 5. Cryptanalysis of Stream Ciphers with the CS Method 5.1. Nonlinear Filter Generators Stream ciphers are an important class of encryption algorithms [8]. In this paper we consider stream ciphers based on the linear feedback shift register (LFSR). An LFSR of length L can be simply considered to be L numbers (c 1, c 2,..., c L ) from F 2 such that c L 0. For an initial state S 0 = (s 0, s 1,..., s L 1 ) F L 2, we can use the given LFSR to produce an infinite sequence satisfying s i = c 1 s i 1 + c 2 s i 2 + c L s i L, i = L, L + 1,. (23) A key property of an LFSR is that if the related feedback polynomial P (x) = c L x L + c L 1 x L c 1 X 1 is primitive, then the sequence (23) has period 2 L 1. Let m 0, m 1,... be the plaintext digits. We may use the sequence (23) as keystrems to generate the ciphertext digits: c i = m i s i, i = 0, 1,... where is the XOR function. Decryption is defined by m i = c i s i. For a given sequence s j of sufficient length, the Berlekamp-Massey algorithm may be used to recover the c i in polynomial time [8]. Then, to use s j as key-streams is not secure. An often used technique to enhance the security of an LFSR is to add a nonlinear filter to the LFSR. Let f(x 1,..., x m ) be a polynomial in R 2 with m variables. We assume that m L. Then we can use f and the sequence (23) to generate a new sequence as follows z i = f(s i m,..., s i 1 ), i = m, m + 1,. (24)
13 54 X.S. Gao, F. Chai, and C. Yuan L= chain time(s) #sols wuchain time(s) (13) #sols wchain time(s) * #sols chain time(s) x #sols x wuchain time(s) (18) #sols wchain time(s) #sols chain time(s) * #sols wuchain time(s) * (19) #sols wchain time(s) #sols Table 1. Cryptanalysis of Nonlinear Filter Generator based on Ganfil 6. A combination of an LFSR and a nonlinear polynomial f is called a nonlinear filter generator. The sequence (24) could be used as the key-streams. Since the sequence (23) has a period 2 L 1, the sequence (24) also has a period less than or equal to 2 L Algebraic Attack of Nonlinear Filter Generators with CS Method An algebraic attack of the nonlinear filter generator is to recover the initial state of the LFSR from a certain number of key-streams from (24). Equivalently, we need to solve the following equations for S 0 = (s 0, s 1,..., s L 1 ) with the c i, z i, and f given z i = f(s i m,..., s i 1 ), i = m,, m + k (25) where k is a positive integer and s i satisfy (23). Successful attacks on many kinds of stream ciphers were reported using the XL method [3, 4] and the Gröbner basis method [5]. We use the software packages based on the zero decomposition algorithms developed in this paper to solve the equation system (25). The statistic results are given in Tables 1 and 2. In these tables, L is the length of the LFSR. The running time is given in seconds. The parameter #sols is the number of solutions for the corresponding equation system. In Table 1, the parameters chain, wuchain, and wchain mean that we use the chain, the wu chain, and the weak chain in the computation respectively. The parameter in the first column means that we use (13), (18), or (19) in the well-ordering principle respectively. In some cases, the timing is marked with a. This means that the program is stopped after running one hour and the number of solutions found is given. In Table 2, the parameters in the first column gives the filter functions used in the computation.
14 Characteristic Set Method in F 2 55 n time(s) x x x x CanFil1 #sols x x x x #cs x x x x time(s) x x x CanFil2 #sols x x x #cs x x x time(s) x x x x x CanFil3 #sols x x x x x #cs x x x x x time(s) x x x x CanFil4 #sols x x x x #cs x x x x time(s) 26.6 x CanFil5 #sols 8 x #cs 1302 x time(s) CanFil6 #sols #cs time(s) 0.7 x x x 94.6 CanFil7 #sols 2 x 2 5 x x 20 #cs 40 x x x 568 time(s) x x CanFil8 #sols x x 20 #cs x x Table 2. Cryptanalysis of Nonlinear Filter Generators with DMZDA. In the experiments, we always set k = L 1 in (25). For such a system, the number of equations and the number of variables are the same. In our experiments, we use the equations generated with the original filter f. The methods introduced in [3, 4, 5] to generate lower degree equations are not used. The experiments were done on a PC with a 3.19G CPU and 2G memory. The filter functions are from [1, 5]: CanFil 1, x 1 x 2 x 3 + x 1 x 4 + x 2 x 5 + x 3 CanFil 2, x 1 x 2 x 3 + x 1 x 2 x 4 + x 1 x 2 x 5 + x 1 x 4 + x 2 x 5 + x 3 + x 4 + x 5 CanFil 3, x 2 x 3 x 4 x 5 + x 1 x 2 x 3 + x 2 x 4 + x 3 x 5 + x 4 + x 5 CanFil 4, x 1 x 2 x 3 + x 1 x 4 x 5 + x 2 x 3 + x 1 CanFil 5, x 2 x 3 x 4 x 5 + x 2 x 3 + x 1 CanFil 6, x 1 x 2 x 3 x 5 + x 2 x 3 + x 4 CanFil 7, x 1 x 2 x 3 + x 2 x 3 x 4 + x 2 x 3 x 5 + x 1 + x 2 + x 3
15 56 X.S. Gao, F. Chai, and C. Yuan CanFil 8, x 1 x 2 x 3 + x 2 x 3 x 6 + x 1 x 2 + x 3 x 4 + x 5 x 6 + x 4 + x 5 These are preliminary experimental results. Further experiments will be done later. 6. Conclusions In this paper, we present several methods to solve nonlinear equation systems over the finite field F 2 based on the idea of CSs. Due to the special property of F 2, the given CS methods are much more efficient and simpler than the general CS method. In particular, the well-ordering principle can be executed in a polynomial number of steps. We use our methods to solve equations raised from cryptanalysis of stream ciphers based on nonlinear filter generators. Extensive experiments have been done for equation systems with variables ranging from 40 to 128. The purpose of the experiments is two folds: to compare different variants of our algorithms and to show that our algorithm could provide an effective tool for solving equations over F 2. References [1] A. Canteaut and E. Filiol, Ciphertext only Reconstruction of Stream Ciphers Based on Combination Generators, Fast Software Encryption, LNCS 1978, , [2] S.C. Chou and X.S. Gao, Ritt-Wu s Decomposition Algorithm and Geometry Theorem Proving, Proc. of CADE-10, LNAI 449, , Springer, [3] N. Courtois, Higher Order Correlation Attacks, XL Algorithm, and Cryptanalysis of Toyocrypt, ICISC, LNCS 2587, , Springer, [4] N. Courtois, Algebraic Attacks on Stream Ciphers with Linear Feedback, EUROCRPYT 2003, LNCS 2656, , Springer, [5] J.C. Faugère and G. Ars, An Algebraic Cryptanalysis of Nonlinear Filter Generators Using Gröbner Bases, TR No. 4739, INRIA, [6] S. He and B. Zhang, Solving SAT by Algorithm Transform of Wu s Method, J. Comput. Sci. and Technnol., 14, , [7] W. Mao and J. Wu, Application of Wu s Method to Symbolic Model Checking, , Proc. ISSAC 05, ACM Press, New York, [8] A. Menezes, P. van Ooschot, and S. Vanstone, Hanndbook of Applied Cryptography, CRC Press, [9] J.F. Ritt, Differential Algebra, Amer. Math. Soc. Colloquium, [10] S. Smale, Mathematical Problems for The Next Century, Math. Intelligencer, 20, 7-15, [11] W.T. Wu, Basic Principle of Mechanical Theorem Proving in Geometries, (in Chinese) Science Press, Beijing, 1984; English translation, Springer, Wien, [12] W.T. Wu, On Zeros of Algebraic Equations - An Application of Ritt Principle, Chinese Science Bulletin, 31, 1-5, [13] W.T. Wu, Some Remarks on Characeteristic-Set Formation, MM-Preprints, Vol. 3, 27-29, 1989.
A Characteristic Set Method for Solving Boolean Equations and Applications in Cryptanalysis of Stream Ciphers 1
MM Research Preprints, 55 76 KLMM, AMSS, Academia Sinica Vol. 26, December 2007 55 A Characteristic Set Method for Solving Boolean Equations and Applications in Cryptanalysis of Stream Ciphers 1 Fengjuan
More informationEfficient Characteristic Set Algorithms for Equation Solving in Finite Fields and Application in Analysis of Stream Ciphers 1
Efficient Characteristic Set Algorithms for Equation Solving in Finite Fields and Application in Analysis of Stream Ciphers 1 Xiao-Shan Gao and Zhenyu Huang Key Laboratory of Mathematics Mechanization
More informationA Zero Structure Theorem for Differential Parametric Systems
A Zero Structure Theorem for Differential Parametric Systems XIAO-SHAN GAO Institute of Systems Science, Academia Sinica, Beijing SHANG-CHING CHOU Department of Computer Science Wichita State University,Wichita
More informationZero Decomposition Algorithms for System of Polynomial Equations 1)
MM Research Preprints, 200 207 No. 18, Dec. 1999. Beijing Zero Decomposition Algorithms for System of Polynomial Equations 1) D.K. Wang 2) Abstract. This paper will give the zero decomposition algorithms
More informationComputations with Differential Rational Parametric Equations 1)
MM Research Preprints,23 29 No. 18, Dec. 1999. Beijing 23 Computations with Differential Rational Parametric Equations 1) Xiao-Shan Gao Institute of Systems Science Academia Sinica, Beijing, 100080 Abstract.
More informationOn the Parameterization of Algebraic Curves
On the Parameterization of Algebraic Curves Xiao-Shan Gao Institute of Systems Science, Academia Sinica Shang-Ching Chou Wichita State University The paper is published on Journal of Applicable Algebra
More informationOn Partial Difference Coherent and Regular Ascending Chains
MM Research Preprints, 82 88 KLMM, AMSS, Academia Sinica No. 24, December 2005 On Partial Difference Coherent and Regular Ascending Chains Xiao-Shan Gao and Gui-Lin Zhang Key Laboratory of Mathematics
More informationarxiv: v1 [cs.sc] 19 May 2014
On the Efficiency of Solving Boolean Polynomial Systems with the Characteristic Set Method Zhenyu Huang, Yao Sun, Dongdai Lin SKLOIS, Institute of Information Engineering, CAS, Beijing 100093, China arxiv:1405.4596v1
More informationCharacterizations on Algebraic Immunity for Multi-Output Boolean Functions
Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationarxiv: v3 [cs.sc] 21 Oct 2016
On the Efficiency of Solving Boolean Polynomial Systems with the Characteristic Set Method Zhenyu Huang, Yao Sun, Dongdai Lin SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences,
More informationOn The Nonlinearity of Maximum-length NFSR Feedbacks
On The Nonlinearity of Maximum-length NFSR Feedbacks Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov Abstract. Linear Feedback Shift Registers (LFSRs) are the main
More informationOn the Normal Parameterization of Curves and Surfaces
On the Normal Parameterization of Curves and Surfaces Xiao-Shan Gao Institute of Systems Science, Academia Sinica, Beijing Shang-Ching Chou The University of Texas at Austin, Austin, Texas 78712 USA International
More informationCounting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences
Counting Functions for the k-error inear Complexity of 2 n -Periodic Binary Sequences amakanth Kavuluru and Andrew Klapper Department of Computer Science, University of Kentucky, exington, KY 40506. Abstract
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More information4.3 General attacks on LFSR based stream ciphers
67 4.3 General attacks on LFSR based stream ciphers Recalling our initial discussion on possible attack scenarios, we now assume that z = z 1,z 2,...,z N is a known keystream sequence from a generator
More informationCRC Press has granted the following specific permissions for the electronic version of this book:
This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationCryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences
Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo,
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationMechanical Formula Derivation in Elementary Geometries
Mechanical Formula Derivation in Elementary Geometries Shang-Ching Chou and Xiao-Shan Gao Department of Computer Sciences The University of Texas at Austin, Austin, Texas 78712 USA Abstract A precise formulation
More informationComparison between XL and Gröbner Basis Algorithms
Comparison between XL and Gröbner Basis Algorithms Gwénolé Ars 1, Jean-Charles Faugère 2, Hideki Imai 3, Mitsuru Kawazoe 4, and Makoto Sugita 5 1 IRMAR, University of Rennes 1 Campus de Beaulieu 35042
More informationAlgebra Homework, Edition 2 9 September 2010
Algebra Homework, Edition 2 9 September 2010 Problem 6. (1) Let I and J be ideals of a commutative ring R with I + J = R. Prove that IJ = I J. (2) Let I, J, and K be ideals of a principal ideal domain.
More informationAlgebraic Attacks and Stream Ciphers
November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)
More informationOn the BMS Algorithm
On the BMS Algorithm Shojiro Sakata The University of Electro-Communications Department of Information and Communication Engineering Chofu-shi, Tokyo 182-8585, JAPAN Abstract I will present a sketch of
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More information1 The Algebraic Normal Form
1 The Algebraic Normal Form Boolean maps can be expressed by polynomials this is the algebraic normal form (ANF). The degree as a polynomial is a first obvious measure of nonlinearity linear (or affine)
More informationDifferential properties of power functions
Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin SECRET Project-Team - INRIA Paris-Rocquencourt Domaine de Voluceau - B.P. 105-8153 Le Chesnay Cedex - France
More informationA survey of algebraic attacks against stream ciphers
A survey of algebraic attacks against stream ciphers Frederik Armknecht NEC Europe Ltd. Network Laboratories frederik.armknecht@netlab.nec.de Special semester on Gröbner bases and related methods, May
More informationThird-order nonlinearities of some biquadratic monomial Boolean functions
Noname manuscript No. (will be inserted by the editor) Third-order nonlinearities of some biquadratic monomial Boolean functions Brajesh Kumar Singh Received: April 01 / Accepted: date Abstract In this
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More information1-Resilient Boolean Function with Optimal Algebraic Immunity
1-Resilient Boolean Function with Optimal Algebraic Immunity Qingfang Jin Zhuojun Liu Baofeng Wu Key Laboratory of Mathematics Mechanization Institute of Systems Science, AMSS Beijing 100190, China qfjin@amss.ac.cn
More informationPolynomials, Ideals, and Gröbner Bases
Polynomials, Ideals, and Gröbner Bases Notes by Bernd Sturmfels for the lecture on April 10, 2018, in the IMPRS Ringvorlesung Introduction to Nonlinear Algebra We fix a field K. Some examples of fields
More informationAlgebraic Immunity of S-boxes and Augmented Functions
Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationNonlinear Equivalence of Stream Ciphers
Sondre Rønjom 1 and Carlos Cid 2 1 Crypto Technology Group, Norwegian National Security Authority, Bærum, Norway 2 Information Security Group, Royal Holloway, University of London Egham, United Kingdom
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationPublic Key Encryption
Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition
More information10. Noether Normalization and Hilbert s Nullstellensatz
10. Noether Normalization and Hilbert s Nullstellensatz 91 10. Noether Normalization and Hilbert s Nullstellensatz In the last chapter we have gained much understanding for integral and finite ring extensions.
More informationAlgebraic attack on stream ciphers Master s Thesis
Comenius University Faculty of Mathematics, Physics and Informatics Department of Computer Science Algebraic attack on stream ciphers Master s Thesis Martin Vörös Bratislava, 2007 Comenius University Faculty
More informationImproved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5
Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5 Anne Canteaut 1 and Michaël Trabbia 1,2 1 INRIA projet CODES B.P. 105 78153 Le Chesnay Cedex - France Anne.Canteaut@inria.fr
More informationNew Construction of Single Cycle T-function Families
New Construction of Single Cycle T-function Families Shiyi ZHANG 1, Yongjuan WANG, Guangpu GAO Luoyang Foreign Language University, Luoyang, Henan Province, China Abstract The single cycle T-function is
More informationF-FCSR: Design of a New Class of Stream Ciphers
F-FCSR: Design of a New Class of Stream Ciphers François Arnault and Thierry P. Berger LACO, Université de Limoges, 123 avenue A. Thomas, 87060 Limoges CEDEX, France {arnault, thierry.berger}@unilim.fr
More informationNotes on Systems of Linear Congruences
MATH 324 Summer 2012 Elementary Number Theory Notes on Systems of Linear Congruences In this note we will discuss systems of linear congruences where the moduli are all different. Definition. Given the
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationLecture 10-11: General attacks on LFSR based stream ciphers
Lecture 10-11: General attacks on LFSR based stream ciphers Thomas Johansson T. Johansson (Lund University) 1 / 23 Introduction z = z 1, z 2,..., z N is a known keystream sequence find a distinguishing
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationOptimal XOR based (2,n)-Visual Cryptography Schemes
Optimal XOR based (2,n)-Visual Cryptography Schemes Feng Liu and ChuanKun Wu State Key Laboratory Of Information Security, Institute of Software Chinese Academy of Sciences, Beijing 0090, China Email:
More informationBinary Additive Counter Stream Ciphers
Number Theory and Related Area ALM 27, pp. 1 23 c Higher Education Press and International Press Beijing Boston Binary Additive Counter Stream Ciphers Cunsheng Ding, Wenpei Si Abstract Although a number
More informationCourse 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra
Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra D. R. Wilkins Contents 3 Topics in Commutative Algebra 2 3.1 Rings and Fields......................... 2 3.2 Ideals...............................
More informationModular Algorithms for Computing Minimal Associated Primes and Radicals of Polynomial Ideals. Masayuki Noro. Toru Aoyama
Modular Algorithms for Computing Minimal Associated Primes and Radicals of Polynomial Ideals Toru Aoyama Kobe University Department of Mathematics Graduate school of Science Rikkyo University Department
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationALGEBRAIC GEOMETRY COURSE NOTES, LECTURE 2: HILBERT S NULLSTELLENSATZ.
ALGEBRAIC GEOMETRY COURSE NOTES, LECTURE 2: HILBERT S NULLSTELLENSATZ. ANDREW SALCH 1. Hilbert s Nullstellensatz. The last lecture left off with the claim that, if J k[x 1,..., x n ] is an ideal, then
More information8. Prime Factorization and Primary Decompositions
70 Andreas Gathmann 8. Prime Factorization and Primary Decompositions 13 When it comes to actual computations, Euclidean domains (or more generally principal ideal domains) are probably the nicest rings
More informationAlgebraic Attack Against Trivium
Algebraic Attack Against Trivium Ilaria Simonetti, Ludovic Perret and Jean Charles Faugère Abstract. Trivium is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate
More informationFast correlation attacks on certain stream ciphers
FSE 2011, February 14-16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast
More informationA Byte-Based Guess and Determine Attack on SOSEMANUK
A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy
More informationCharacterization of 2 n -Periodic Binary Sequences with Fixed 2-error or 3-error Linear Complexity
Characterization of n -Periodic Binary Sequences with Fixed -error or 3-error Linear Complexity Ramakanth Kavuluru Department of Computer Science, University of Kentucky, Lexington, KY 40506, USA. Abstract
More informationSequences, DFT and Resistance against Fast Algebraic Attacks
Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationCryptanalysis of the Stream Cipher DECIM
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationA New Class of Invertible Mappings
A New Class of Invertible Mappings Alexander Klimov and Adi Shamir Computer Science department, The Weizmann Institute of Science Rehovot 76100, Israel {ask,shamir}@wisdom.weizmann.ac.il Abstract. Invertible
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationCounting Zeros over Finite Fields with Gröbner Bases
Counting Zeros over Finite Fields with Gröbner Bases Sicun Gao May 17, 2009 Contents 1 Introduction 2 2 Finite Fields, Nullstellensatz and Gröbner Bases 5 2.1 Ideals, Varieties and Finite Fields........................
More informationFast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function
Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function Yindong Chen a,, Fei Guo a, Liu Zhang a a College of Engineering, Shantou University, Shantou 515063, China Abstract Boolean functions
More informationBerlekamp-Massey decoding of RS code
IERG60 Coding for Distributed Storage Systems Lecture - 05//06 Berlekamp-Massey decoding of RS code Lecturer: Kenneth Shum Scribe: Bowen Zhang Berlekamp-Massey algorithm We recall some notations from lecture
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationIntroduction to finite fields
Chapter 7 Introduction to finite fields This chapter provides an introduction to several kinds of abstract algebraic structures, particularly groups, fields, and polynomials. Our primary interest is in
More information3.8 MEASURE OF RUNDOMNESS:
Lec 10 : Data Security Stream Cipher Systems 1 3.8 MEASURE OF RUNDOMNESS: 3.9.1 DEFINITION: Run: sequence of identical bits (0 or 1) Ex.01110000111 Runs are 0,111, 0000, 111 Gap: runs of zeroes 1000011
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationWORKING WITH MULTIVARIATE POLYNOMIALS IN MAPLE
WORKING WITH MULTIVARIATE POLYNOMIALS IN MAPLE JEFFREY B. FARR AND ROMAN PEARCE Abstract. We comment on the implementation of various algorithms in multivariate polynomial theory. Specifically, we describe
More informationA Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity
A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity Ziran Tu and Yingpu deng Abstract In this paper, we propose a combinatoric conjecture
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationImproved Cascaded Stream Ciphers Using Feedback
Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca
More informationThe Polynomial Composition Problem in (Z/nZ)[X]
The Polynomial Composition Problem in (Z/nZ)[X] Marc Joye 1, David Naccache 2, and Stéphanie Porte 1 1 Gemplus Card International Avenue du Jujubier, ZI Athélia IV, 13705 La Ciotat Cedex, France {marc.joye,
More information= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2
8. p-adic numbers 8.1. Motivation: Solving x 2 a (mod p n ). Take an odd prime p, and ( an) integer a coprime to p. Then, as we know, x 2 a (mod p) has a solution x Z iff = 1. In this case we can suppose
More informationThe ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function
The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function An Braeken 1 and Igor Semaev 2 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven,
More informationFinding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms
Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms Vladimir Bayev Abstract. Low degree annihilators for Boolean functions are of great interest in cryptology because of
More informationAlgebraic Attacks on Stream Ciphers with Linear Feedback
Algebraic Attacks on Stream Ciphers with Linear Feedback Extended Version of the Eurocrypt 2003 paper, August 24, 2003 Nicolas T. Courtois 1 and Willi Meier 2 1 Cryptography Research, Schlumberger Smart
More informationPeriodicity and Distribution Properties of Combined FCSR Sequences
Periodicity and Distribution Properties of Combined FCSR Sequences Mark Goresky 1, and Andrew Klapper, 1 Institute for Advanced Study, Princeton NJ www.math.ias.edu/~goresky Dept. of Computer Science,
More informationModified Alternating Step Generators
Modified Alternating Step Generators Robert Wicik, Tomasz Rachwalik Military Communication Institute Warszawska 22A, 05-130 Zegrze, Poland {r.wicik, t.rachwalik}@wil.waw.pl Abstract. Irregular clocking
More informationMath 203A - Solution Set 1
Math 203A - Solution Set 1 Problem 1. Show that the Zariski topology on A 2 is not the product of the Zariski topologies on A 1 A 1. Answer: Clearly, the diagonal Z = {(x, y) : x y = 0} A 2 is closed in
More informationCourse MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography
Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups
More informationLinear Ordinary Differential Equations Satisfied by Modular Forms
MM Research Preprints, 0 7 KLMM, AMSS, Academia Sinica Vol. 5, December 006 Linear Ordinary Differential Equations Satisfied by Modular Forms Xiaolong Ji Department of Foundation Courses Jiyuan Vocational
More informationImproved High-Order Conversion From Boolean to Arithmetic Masking
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1, Jean-Sébastien Coron 2, and Rina Zeitoun 1 1 IDEMIA, France luk.bettale@idemia.com, rina.zeitoun@idemia.com 2 University
More informationThe Radicans. James B. Wilson. April 13, 2002
The Radicans James B. Wilson April 13, 2002 1 Radices of Integers Computational mathematics has brought awareness to the use of various bases in representing integers. The standard for most number systems
More informationAlgebra for error control codes
Algebra for error control codes EE 387, Notes 5, Handout #7 EE 387 concentrates on block codes that are linear: Codewords components are linear combinations of message symbols. g 11 g 12 g 1n g 21 g 22
More informationModified Berlekamp-Massey algorithm for approximating the k-error linear complexity of binary sequences
Loughborough University Institutional Repository Modified Berlekamp-Massey algorithm for approximating the k-error linear complexity of binary sequences This item was submitted to Loughborough University's
More informationA new simple technique to attack filter generators and related ciphers
A new simple technique to attack filter generators and related ciphers Håkan Englund and Thomas Johansson Dept. of Information Techonolgy, Lund University, P.O. Box 118, 221 00 Lund, Sweden Abstract. This
More information12. Hilbert Polynomials and Bézout s Theorem
12. Hilbert Polynomials and Bézout s Theorem 95 12. Hilbert Polynomials and Bézout s Theorem After our study of smooth cubic surfaces in the last chapter, let us now come back to the general theory of
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationRevisiting Finite Field Multiplication Using Dickson Bases
Revisiting Finite Field Multiplication Using Dickson Bases Bijan Ansari and M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Waterloo, Ontario, Canada {bansari,
More information