Algorithms to solve massively under-defined systems of multivariate quadratic equations


Yasufumi Hashimoto

Abstract. It is well known that the problem of solving a set of randomly chosen multivariate quadratic equations over a finite field is NP-hard. However, when the number of variables is much larger than the number of equations, it is not necessarily difficult to solve the equations. In fact, when $n \ge m(m+1)$ ($n$, $m$ are the numbers of variables and equations respectively) and the field is of even characteristic, there is an algorithm that solves the equations in polynomial time (see [Kipnis et al., Eurocrypt '99] and also [Courtois et al., PKC '02]). In the present paper, we give two algorithms to solve quadratic equations; one is for the case $n \ge$ (about) $m^2 - 2m^{3/2} + 2m$ and the other is for the case $n \ge m(m+1)/2 + 1$. The first algorithm solves equations over any finite field in polynomial time. The second algorithm requires exponential time. However, the number of variables it requires is much smaller than that of the first one, and its complexity is much less than that of exhaustive search.

Keywords: under-defined multivariate quadratic equations.

Partially supported by JSPS Grant-in-Aid for Young Scientists (B) no. 20740027.

1 Introduction

It is well known that the problem of solving a set of randomly chosen multivariate quadratic equations over a finite field is NP-hard. Cryptosystems based on multivariate quadratic equations (Matsumoto-Imai, HFE, UOV, STS, TTM and so on; see e.g. [5], [7] and their references) have therefore been expected to be secure against quantum attacks. However, although the problem itself is NP-hard, not all quadratic equations are difficult to solve. In fact, some of these cryptosystems have already been broken and others are weaker than expected when they were proposed. Thus it is important to study which quadratic equations are solved easily and how to characterize their difficulty, for the practical use of quadratic equations in cryptology. On this topic there have been several works that look at the relation between the numbers of variables and equations. Courtois et al. ([2] and [3]) studied how to solve the equations when $m$ is much larger than $n$ (where $m$, $n$ are the numbers of equations and variables respectively). On the other hand, Kipnis et al. [6] studied the case when $n$ is much larger than $m$: they found an algorithm that solves quadratic equations when $n \ge m(m+1)$ and the characteristic of the field is even. Note that when the characteristic is odd, their algorithm requires complexity $O(2^m \cdot (\text{polynomial}))$. Although Courtois et al. [1] modified it to be more effective in the odd characteristic case, their modification requires many more variables.

In the present paper, we give two algorithms to solve quadratic equations when $n$ is sufficiently larger than $m$. The first algorithm solves equations over any finite field in polynomial time when $n \ge$ (about) $m^2 - 2m^{3/2} + 2m$. The number of variables required by this algorithm is less than that in [6], and it works in polynomial time for fields of both even and odd characteristic. The second algorithm solves equations for $n \ge m(m+1)/2 + 1$. The complexity of the second algorithm is roughly estimated as $O(2^m)$ or $O(3^m)$. While it is exponential, it is much better than exhaustive search, especially for fields of large order, and furthermore the number of required variables is much less than that in the first algorithm.

2 Preparations

2.1 Notations

Throughout this paper, we use the following notations.

$q$: a power of a prime.
$k$: a finite field of order $q$.
$n, m \ge 1$: integers.
$x = (x_1, \ldots, x_n)^t \in k^n$.
$\tilde{x} = (x_0, x_1, \ldots, x_n)^t \in k^{n+1}$.
$f_l(x) \in k[x]$ ($1 \le l \le m$): a quadratic form of $x$ (a polynomial of degree at most 2, not necessarily homogeneous).
$\tilde{f}_l(\tilde{x}) \in k[\tilde{x}]$ ($1 \le l \le m$): the homogeneous quadratic form of $\tilde{x}$ such that $\tilde{f}_l(1, x_1, \ldots, x_n) = f_l(x_1, \ldots, x_n)$.
$e_i := (0, \ldots, 0, 1, 0, \ldots, 0)^t \in k^n$ ($1 \le i \le n$): the $i$-th standard basis vector.
$\tilde{e}_i := (0, \ldots, 0, 1, 0, \ldots, 0)^t \in k^{n+1}$ ($0 \le i \le n$): the vector whose only nonzero entry, 1, sits at position $i$ (positions numbered from 0).
$a_i = (a_{1i}, \ldots, a_{ni})^t \in k^n$ ($1 \le i \le n$): a vector with $a_{ii} \ne 0$.
$\tilde{a}_i = (\tilde{a}_{0i}, \ldots, \tilde{a}_{ni})^t \in k^{n+1}$ ($0 \le i \le n$): a vector with $\tilde{a}_{ii} \ne 0$.
$U_i := (e_1, \ldots, e_{i-1}, a_i, e_{i+1}, \ldots, e_n)$: the invertible linear map whose $i$-th column is $a_i$ and whose other columns are the standard basis vectors. It only touches the variable $x_i$: for a polynomial $g$, $g(U_i x)$ is obtained from $g(x)$ by substituting $a_{ii} x_i$ for $x_i$ and $x_j + a_{ji} x_i$ for each $x_j$, $j \ne i$.
$\tilde{U}_i := (\tilde{e}_0, \ldots, \tilde{e}_{i-1}, \tilde{a}_i, \tilde{e}_{i+1}, \ldots, \tilde{e}_n)$: the same construction on $k^{n+1}$, with $\tilde{a}_i$ as the column of index $i$.
$\Omega(n)$: the complexity of Gaussian elimination for solving $n$ linear equations.

2.2 Elementary facts

For convenience, we prepare the following elementary facts from undergraduate linear algebra.

Fact 1. Let $g(x) := \sum_{1 \le i \le j \le n} g_{ij} x_i x_j$ be a homogeneous quadratic form of $x = (x_1, \ldots, x_n)^t$ over $k$ ($g_{ij} \in k$) and $G = (G_{ij})_{1 \le i, j \le n}$ an $n \times n$ matrix over $k$ with $g_{ii} = G_{ii}$ and $g_{ij} = G_{ij} + G_{ji}$ for $i \ne j$. Then $g(x) = x^t G x$.

Fact 2. Let $G$, $U$ be $n \times n$ matrices and $u_1, \ldots, u_n \in k^n$ the column vectors of $U$, namely $U = (u_1, \ldots, u_n)$. Then the $ij$-entry of $U^t G U$ is $u_i^t G u_j$.

Facts 1 and 2 yield the following.

Fact 3. Let $g(x)$, $G$ be as in Fact 1 and $U_l$ as in Section 2.1, and write $g(U_l x) = \sum_{1 \le i \le j \le n} g^{(l)}_{ij} x_i x_j$. Then
$$g^{(l)}_{ll} = a_l^t G a_l = g(a_l), \qquad g^{(l)}_{il} = e_i^t G a_l + a_l^t G e_i \ \ (i \ne l), \qquad g^{(l)}_{ij} = g_{ij} \ \ (i, j \ne l),$$
where $g^{(l)}_{il}$ for $i \ne l$ denotes the coefficient of $x_i x_l$. In particular, the coefficient of $x_i x_l$ ($i \ne l$) in $g(U_l x)$ is a linear form in $a_l$, the coefficient of $x_l^2$ is a quadratic form in $a_l$, and the coefficients of the monomials not involving $x_l$ are unchanged.

3 Kipnis-Patarin-Goubin's algorithm for $n \ge m(m+1)$

In this section, we give the algorithm proposed by Kipnis-Patarin-Goubin [6] to solve $m$ quadratic equations in $n$ variables for $n \ge m(m+1)$.

Step 1. Find $U_2$ such that the coefficients of $x_1 x_2$ in $f_1(U_2 x), \ldots, f_m(U_2 x)$ are zero. By Fact 3, this requires solving $m$ homogeneous linear equations in $n$ variables.

Step 2. Put $f^{(2)}_l(x) := f_l(U_2 x)$. Find $U_3$ such that the coefficients of $x_1 x_3$, $x_2 x_3$ in $f^{(2)}_1(U_3 x), \ldots, f^{(2)}_m(U_3 x)$ are zero. Similarly, this requires solving $2m$ homogeneous linear equations in $n$ variables.

Step 3. Put $f^{(3)}_l(x) := f^{(2)}_l(U_3 x)$. Find $U_4$ such that the coefficients of $x_1 x_4$, $x_2 x_4$, $x_3 x_4$ in $f^{(3)}_1(U_4 x), \ldots, f^{(3)}_m(U_4 x)$ are zero. This requires solving $3m$ homogeneous linear equations in $n$ variables.

Continue similar computations.

Step $m-1$. Put $f^{(m-1)}_l(x) := f^{(m-2)}_l(U_{m-1} x)$. Find $U_m$ such that the coefficients of $x_1 x_m, x_2 x_m, \ldots, x_{m-1} x_m$ in $f^{(m-1)}_1(U_m x), \ldots, f^{(m-1)}_m(U_m x)$ are zero. This requires solving $m(m-1)$ homogeneous linear equations in $n$ variables. Note that, up to Step $m-1$, we have to solve at most $m(m-1)$ homogeneous linear equations in $n$ variables at a time, so we need $n > m(m-1)$ here.

Step $m$. Put $g_l(x) := f_l(U_2 U_3 \cdots U_m x)$. The coefficients of $x_i x_j$ ($1 \le i < j \le m$) in $g_l(x)$ are zero. Substitute values for $x_{m+1}, \ldots, x_n$ such that $g_1(x), g_2(x), \ldots, g_m(x)$ become linear combinations of $x_1^2, \ldots, x_m^2$ and constants, without the monomials $x_1, \ldots, x_m$. To find such $x_{m+1}, \ldots, x_n$, we have to solve $m^2$ linear equations in $n - m$ variables (for each $l$ and each $i \le m$, the coefficient of $x_i$ after the substitution is an affine linear function of $x_{m+1}, \ldots, x_n$). Then we need $n - m \ge m^2$, namely $n \ge m(m+1)$.

Step $m+1$. Since the $g_l(x)$ are linear combinations of $x_1^2, \ldots, x_m^2$ and constants, reduce the problem of solving $g_l(x) = 0$ for $1 \le l \le m$ to solving $x_1^2 = (\text{const}), \ldots, x_m^2 = (\text{const})$ by linear operations.
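The procedure of Steps 1 to $m+1$, made concrete as an added, runnable example (the editor's code, not the paper's and not Kipnis-Patarin-Goubin's implementation). It assumes a prime field $k = \mathrm{GF}(p)$ with $p$ odd, where the final square-root step fails for about half of the values and the $2^m$ retry factor discussed below is visible; the instance it solves is constructed at random inside `demo`, and the function names (`kpg_solve`, `solve_affine`, `transform`, `coeff`) are this example's own.

```python
# Added example (editor's code, not the paper's): the Kipnis-Patarin-Goubin algorithm of Section 3
# over GF(p), p an odd prime, built on Facts 1-3; f(x) is stored as the (n+1)x(n+1) matrix G of f~.
import random

def rref(M, p):
    """Reduced row echelon form over GF(p); returns (rows, pivot columns)."""
    M = [[v % p for v in row] for row in M]
    pivots, r = [], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], p - 2, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(len(M)):
            f = M[i][c]
            if i != r and f:
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots

def solve_affine(A, b, p, rng):
    """A random point of the solution space of A x = b over GF(p), or None if it is empty."""
    n = len(A[0])
    R, piv = rref([row + [bi] for row, bi in zip(A, b)], p)
    if n in piv:                  # pivot in the constant column: inconsistent
        return None
    free = [c for c in range(n) if c not in piv]
    x = [rng.randrange(p) if c in free else 0 for c in range(n)]
    for i, c in enumerate(piv):   # row i of R has its pivot in column piv[i]
        x[c] = (R[i][n] - sum(R[i][f] * x[f] for f in free)) % p
    return x

def coeff(G, i, j):  # coefficient of x_i x_j in x~^t G x~ (Fact 1)
    return G[i][i] if i == j else G[i][j] + G[j][i]

def transform(G, U, p):
    """Matrix of g(U x~), i.e. U^t G U (Fact 2)."""
    N = range(len(G))
    GU = [[sum(G[i][k] * U[k][j] for k in N) % p for j in N] for i in N]
    return [[sum(U[k][i] * GU[k][j] for k in N) % p for j in N] for i in N]

def evaluate(G, x, p):  # f(x) = x~^t G x~ with x~ = (1, x_1, ..., x_n)
    xt = [1] + list(x)
    return sum(xt[i] * G[i][j] * xt[j] for i in range(len(xt)) for j in range(len(xt))) % p

def sqrt_mod(y, p):  # square root in GF(p) by trial (p is small); None for a non-residue
    return next((s for s in range(p) if s * s % p == y % p), None)

def kpg_solve(F, n, m, p, seed=0, max_tries=5000):
    """Solve f_1(x) = ... = f_m(x) = 0, F = [G_1, ..., G_m]; needs n >= m(m+1). Returns (x, attempts)."""
    assert n >= m * (m + 1), "KPG needs n >= m(m+1)"
    rng, N = random.Random(seed), n + 1
    for tries in range(1, max_tries + 1):
        G, Us = [[row[:] for row in g] for g in F], []
        for i in range(2, m + 1):     # Steps 1..m-1: kill x_j x_i (j < i) in every g_l
            # Fact 3: the new coefficient of x_j x_i is e_j^t G a_i + a_i^t G e_j, linear in a_i
            A = [[g[j][k] + g[k][j] for k in range(1, N)] for g in G for j in range(1, i)]
            a = solve_affine(A, [0] * len(A), p, rng)
            if a is None or a[i - 1] == 0:   # a_ii != 0 keeps U_i invertible; otherwise retry
                break
            U = [[int(r == c) for c in range(N)] for r in range(N)]
            for k in range(1, N):
                U[k][i] = a[k - 1]            # column i of U_i is a_i, the rest is the identity
            G, Us = [transform(g, U, p) for g in G], Us + [U]
        else:
            # Step m: values v for x_{m+1..n} that remove the monomials x_1..x_m from every g_l
            # (coefficient of x_i after substitution: coeff(x_0 x_i) + sum_k coeff(x_i x_k) v_k)
            A = [[coeff(g, i, k) for k in range(m + 1, N)] for g in G for i in range(1, m + 1)]
            b = [-coeff(g, 0, i) % p for g in G for i in range(1, m + 1)]
            v = solve_affine(A, b, p, rng)
            if v is None:
                continue
            # Step m+1: each g_l is now sum_i G_ii x_i^2 + const, a linear system in y_i = x_i^2
            consts = [evaluate(g, [0] * m + v, p) for g in G]
            y = solve_affine([[g[i][i] for i in range(1, m + 1)] for g in G],
                             [-c % p for c in consts], p, rng)
            if y is None:
                continue
            roots = [sqrt_mod(yi, p) for yi in y]
            if None in roots:     # a non-residue (probability about 1/2 each for odd p): the 2^m factor
                continue
            z = [1] + roots + v
            for U in reversed(Us):          # x = U_2 U_3 ... U_m (x_1, ..., x_m, v)
                z = [sum(r * c for r, c in zip(row, z)) % p for row in U]
            return z[1:], tries
    return None, max_tries

def random_system(n, m, p, rng):  # m constructed random quadratics (with constant and linear terms)
    return [[[rng.randrange(p) if j >= i else 0 for j in range(n + 1)] for i in range(n + 1)] for _ in range(m)]

def demo(n=12, m=3, p=101, seed=1):
    """Constructed instance with n = m(m+1); returns (residuals f_l(x), attempts), residuals all 0 on success."""
    F = random_system(n, m, p, random.Random(seed))
    x, tries = kpg_solve(F, n, m, p, seed=seed + 1)
    return (None if x is None else [evaluate(g, x, p) for g in F]), tries
```

Calling `demo()` returns `([0, 0, 0], t)`, where $t$ is the number of attempts; over an odd prime field it is typically around $2^m$, because each of the $m$ square roots in Step $m+1$ exists with probability about $1/2$ and a failure restarts with fresh random choices of the $U_i$. Over a field of even characteristic the `None in roots` branch never triggers, which is exactly the polynomial-time case of [6].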

After finding the square roots, we obtain a solution of the given equations. When $q$ is even, this algorithm gives a solution in polynomial time since every element of $k$ has a square root. On the other hand, when $q$ is odd, it requires $2^m \cdot (\text{polynomial})$ operations on average because almost half of the elements of $k$ do not have square roots. Note that Courtois et al. modified this algorithm for $k$ of odd characteristic. The complexity of the modified version is about $2^{40} \cdot (\text{polynomial})$; however, the number of required variables is $n \ge 2^{m/7}(m+1)$. See [1] for the details of the modification.

4 Solving quadratic equations for $n \ge$ (about) $m^2 - 2m^{3/2} + 2m$

In this section, we propose an algorithm to solve equations for $n \ge$ (about) $m^2 - 2m^{3/2} + 2m$. For the algorithm, we first prepare the following elementary fact.

Fact 4. Let $U = (u_{ij})_{0 \le i, j \le n}$ be an invertible matrix over $k$. If $U$ satisfies $u_{00} \ne 0$ and the coefficients of $x_0^2$ in $\tilde{f}_l(U \tilde{x})$ are zero for $1 \le l \le m$, then $(u_{00}^{-1} u_{10}, \ldots, u_{00}^{-1} u_{n0})$ is a solution of $f_1(x) = 0, \ldots, f_m(x) = 0$.

This follows immediately from Facts 1 and 2: if $\tilde{F}_l$ is the matrix of $\tilde{f}_l$ as in Fact 1, the coefficient of $x_0^2$ in $\tilde{f}_l(U \tilde{x})$ is $u_0^t \tilde{F}_l u_0 = \tilde{f}_l(u_0)$ for the first column $u_0 = (u_{00}, \ldots, u_{n0})^t$ of $U$, and $\tilde{f}_l(u_0) = u_{00}^2 f_l(u_{00}^{-1} u_{10}, \ldots, u_{00}^{-1} u_{n0})$ by homogeneity. Thus, instead of solving the equations, we give in this section an algorithm to find such a $U$. Before that, we prepare the following two algorithms.

Algorithm A.

Aim. Let $g(x)$ be a quadratic form of $x = (x_1, \ldots, x_n)^t \in k^n$. Find an invertible linear transform $U : k^n \to k^n$ such that the coefficients of $x_i x_j$ ($i + j \le n$) in $g(Ux)$ are zero.

Step 1. Find $U_1$ such that the coefficient of $x_1^2$ in $g(U_1 x)$ is zero. By Fact 3, this requires solving a homogeneous quadratic equation in $(a_{11}, \ldots, a_{n1})$.

Step 2. Put $g^{(1)}(x) := g(U_1 x)$. Find $U_2$ such that the coefficients of $x_1 x_2$, $x_2^2$ in $g^{(1)}(U_2 x)$ are zero. Similarly, this requires solving a homogeneous linear equation in $(a_{22}, \ldots, a_{n2})$ and a homogeneous quadratic equation in $(a_{12}, \ldots, a_{n2})$.

Step 3. Put $g^{(2)}(x) := g^{(1)}(U_2 x)$. Find $U_3$ such that the coefficients of $x_1 x_3$, $x_2 x_3$, $x_3^2$ in $g^{(2)}(U_3 x)$ are zero. Similarly, this requires solving two homogeneous linear equations in $(a_{33}, \ldots, a_{n3})$ and a homogeneous quadratic equation in $(a_{13}, \ldots, a_{n3})$.

(At Step $i$ the coefficients of $x_j x_{j'}$ with $j, j' < i$ are already zero, so by Fact 3 the $i - 1$ linear conditions involve only $a_{ii}, \ldots, a_{ni}$, and the quadratic condition $a_i^t G a_i = 0$ becomes linear in $a_{1i}, \ldots, a_{i-1,i}$ once $a_{ii}, \ldots, a_{ni}$ have been chosen. This is how the quadratic equation is solved; the same device is spelled out in Algorithm B below.)

Continue such operations until the coefficients of $x_i x_j$ for $1 \le i, j \le \lceil n/2 \rceil$ have been reduced to zero. Note that each of these steps requires solving at most $\lceil n/2 \rceil$ homogeneous linear equations in $n + 1 - \lceil n/2 \rceil$ variables and one homogeneous quadratic equation. Hence the complexity up to Step $\lceil n/2 \rceil$ is less than $\lceil n/2 \rceil \, \Omega(\lceil n/2 \rceil)$. Let $V : k^n \to k^n$ be the linear transform such that the coefficients of $x_i x_j$ ($i, j \le \lceil n/2 \rceil$) in $g(Vx)$ are zero, and put $g^{(\lceil n/2 \rceil)}(x) := g(Vx)$.

Step $\lceil n/2 \rceil + 1$. Find $U_{\lceil n/2 \rceil + 1}$ such that the coefficients of $x_1 x_{\lceil n/2 \rceil + 1}, \ldots, x_{\lceil n/2 \rceil - 1} x_{\lceil n/2 \rceil + 1}$ in $g^{(\lceil n/2 \rceil)}(U_{\lceil n/2 \rceil + 1} x)$ are zero. This requires solving $\lceil n/2 \rceil - 1$ homogeneous linear equations in $(a_{\lceil n/2 \rceil + 1, \lceil n/2 \rceil + 1}, \ldots, a_{n, \lceil n/2 \rceil + 1})$.

Step $\lceil n/2 \rceil + 2$. Put $g^{(\lceil n/2 \rceil + 1)}(x) := g^{(\lceil n/2 \rceil)}(U_{\lceil n/2 \rceil + 1} x)$. Find $U_{\lceil n/2 \rceil + 2}$ such that the coefficients of $x_1 x_{\lceil n/2 \rceil + 2}, \ldots, x_{\lceil n/2 \rceil - 2} x_{\lceil n/2 \rceil + 2}$ in $g^{(\lceil n/2 \rceil + 1)}(U_{\lceil n/2 \rceil + 2} x)$ are zero. This requires solving $\lceil n/2 \rceil - 2$ homogeneous linear equations in $(a_{\lceil n/2 \rceil + 2, \lceil n/2 \rceil + 2}, \ldots, a_{n, \lceil n/2 \rceil + 2})$.

Continuing similar operations, we find a linear transform $U$ as in the Aim. After Step $\lceil n/2 \rceil + 1$, each step requires solving at most $\lceil n/2 \rceil - 1$ linear equations, so the complexity after Step $\lceil n/2 \rceil + 1$ is less than $\lceil n/2 \rceil \, \Omega(\lceil n/2 \rceil)$. Therefore the total complexity of this algorithm is less than $n \, \Omega(\lceil n/2 \rceil)$.

Algorithm B.

Aim. Let $n, L, M \ge 1$ be integers with $L \le \lceil n/2 \rceil$ and
$$M \le \begin{cases} \lfloor (n-L)/(L-1) \rfloor & (n \le L^2 - L), \\ L - 1 & (L^2 - L + 1 \le n \le L^2), \\ L & (n \ge L^2 + 1), \end{cases}$$
and let $g_1(x), \ldots, g_M(x)$ be quadratic forms of $x = (x_1, \ldots, x_n)^t$. Find an invertible linear transform $U : k^n \to k^n$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $g_1(Ux), \ldots, g_M(Ux)$ are zero. (The condition on $M$ is derived in Substep $L$ of Step $\ell$ below.)

Step 1. Find an invertible linear transform $V_1 : k^n \to k^n$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $g_1(V_1 x)$ are zero. This can be done by Algorithm A. Put $g^{(1)}_l(x) := g_l(V_1 x)$.

In Step 2 we want to find $V_2$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $g^{(1)}_1(V_2 x)$ and $g^{(1)}_2(V_2 x)$ are zero; in Step 3 we want $V_3$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $g^{(2)}_1(V_3 x)$, $g^{(2)}_2(V_3 x)$, $g^{(2)}_3(V_3 x)$ are zero, and so on. To argue recursively, assume that up to Step $\ell - 1$ we have found $V$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $g_1(Vx), \ldots, g_{\ell-1}(Vx)$ are zero, and put $g^{(\ell-1)}_l(x) := g_l(Vx)$. We describe how Step $\ell$ finds an invertible $V$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $g^{(\ell-1)}_1(Vx), \ldots, g^{(\ell-1)}_\ell(Vx)$ are zero.

Step $\ell$.

Substep 1. Using Algorithm A, find an invertible linear map $W_1 : k^L \to k^L$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$, $i + j \le L$) in $g^{(\ell-1)}_\ell(\tilde{W}_1 x)$ are zero, where $\tilde{W}_1 := \begin{pmatrix} W_1 & \\ & I \end{pmatrix}$. Note that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $g^{(\ell-1)}_1(\tilde{W}_1 x), \ldots, g^{(\ell-1)}_{\ell-1}(\tilde{W}_1 x)$ remain zero, since $\tilde{W}_1$ only mixes $x_1, \ldots, x_L$ among themselves, and that the complexity is less than $L \, \Omega(\lceil L/2 \rceil)$. Put $h^{(\ell-1)}_l(x) := g^{(\ell-1)}_l(\tilde{W}_1 x)$. Next, find $U_L$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $h^{(\ell-1)}_{l'}(U_L x)$ for $1 \le l' \le \ell - 1$ and the coefficient of $x_1 x_L$ in $h^{(\ell-1)}_\ell(U_L x)$ are zero.
By Fact 3, this requires solving
(a) $(L-1)(\ell-1)$ homogeneous linear equations in $(a_{L+1,L}, \ldots, a_{n,L})$,
(b) one homogeneous linear equation in $(a_{L,L}, \ldots, a_{n,L})$,
(c) $\ell - 1$ homogeneous quadratic equations in $(a_{1,L}, \ldots, a_{n,L})$ of the form
$$\sum_{i=1}^{L} a_{i,L} \cdot \bigl(\text{linear form in } (a_{L+1,L}, \ldots, a_{n,L})\bigr) + \bigl(\text{quadratic form in } (a_{L+1,L}, \ldots, a_{n,L})\bigr) = 0.$$
To solve (a), (b) and (c), first solve (a) and find $a_{L+1,L}, \ldots, a_{n,L}$. Then $a_{L,L}$ is determined automatically by (b). Substituting these values into (c), the quadratic equations (c) become $\ell - 1$ linear equations in $(a_{1,L}, \ldots, a_{L-1,L})$. Thus we can claim that when $n - L > (L-1)(\ell-1)$ and $\ell \le L$, this substep works with complexity less than $L \, \Omega(\lceil L/2 \rceil) + \Omega((L-1)(\ell-1)) + \Omega(L-1)$. Put $g^{(\ell-1,1)}_l(x) := h^{(\ell-1)}_l(U_L x)$.

Substep 2. Using Algorithm A, find an invertible linear map $W_2 : k^{L-1} \to k^{L-1}$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$, $i + j \le L + 1$) in $g^{(\ell-1,1)}_\ell(\tilde{W}_2 x)$ are zero, where $\tilde{W}_2 := \begin{pmatrix} 1 & & \\ & W_2 & \\ & & I \end{pmatrix}$. This requires complexity less than $(L-1) \, \Omega(\lceil (L-1)/2 \rceil)$. Put $h^{(\ell-1,1)}_l(x) := g^{(\ell-1,1)}_l(\tilde{W}_2 x)$. Next, find $U_L$ such that the coefficients of $x_i x_j$ ($1 \le i, j \le L$) in $h^{(\ell-1,1)}_{l'}(U_L x)$ for $1 \le l' \le \ell - 1$ and the coefficients of $x_1 x_L$, $x_2 x_L$ in $h^{(\ell-1,1)}_\ell(U_L x)$ are zero. Finding such $U_L$ requires solving
(a) $(L-1)(\ell-1) + 1$ homogeneous linear equations in $(a_{L+1,L}, \ldots, a_{n,L})$,
(b) one homogeneous linear equation in $(a_{L,L}, \ldots, a_{n,L})$,
(c) $\ell - 1$ homogeneous quadratic equations in $(a_{1,L}, \ldots, a_{n,L})$ of the same form as in Substep 1.
As in the previous substep, one can solve (a), (b) and (c) when $n - L > (L-1)(\ell-1) + 1$ and $\ell \le L$, and the complexity of this substep is less than $(L-1) \, \Omega(\lceil (L-1)/2 \rceil) + \Omega((L-1)(\ell-1) + 1) + \Omega(L-1)$. Put $g^{(\ell-1,2)}_l(x) := h^{(\ell-1,1)}_l(U_L x)$.

Similarly, in Substep 3 one reduces to zero the coefficients of $x_i x_j$ with $i + j = L + 2$, $i, j \le L$, and the coefficient of $x_3 x_L$ in $g^{(\ell-1,2)}_\ell(x)$. Continue such operations, and suppose that up to Substep $L - 1$ we have found a linear transform $V$ such that the coefficients of $x_i x_j$ ($i, j \le L$) in $g^{(\ell-1)}_1(Vx), \ldots, g^{(\ell-1)}_{\ell-1}(Vx)$ and the coefficients of $x_i x_j$ ($i, j \le L$) except $x_L^2$ in $g^{(\ell-1)}_\ell(Vx)$ are zero. Put $g^{(\ell-1,L-1)}_l(x) := g^{(\ell-1)}_l(Vx)$.

Substep $L$. Find $U_L$ such that the coefficients of $x_i x_j$ ($i, j \le L$) in $g^{(\ell-1,L-1)}_1(U_L x), \ldots, g^{(\ell-1,L-1)}_\ell(U_L x)$ are zero. By Fact 3, this requires solving
(a) $\ell(L-1)$ homogeneous linear equations in $(a_{L+1,L}, \ldots, a_{n,L})$,
(b) $\ell - 1$ homogeneous quadratic equations in $(a_{1,L}, \ldots, a_{n,L})$ of the form
$$\sum_{i=1}^{L} a_{i,L} \cdot \bigl(\text{linear form in } (a_{L+1,L}, \ldots, a_{n,L})\bigr) + \bigl(\text{quadratic form in } (a_{L+1,L}, \ldots, a_{n,L})\bigr) = 0,$$
(c) one homogeneous quadratic equation in $(a_{1,L}, \ldots, a_{n,L})$ of the form
$$c \, a_{L,L}^2 + \sum_{i=1}^{L} a_{i,L} \cdot \bigl(\text{linear form in } (a_{L+1,L}, \ldots, a_{n,L})\bigr) + \bigl(\text{quadratic form in } (a_{L+1,L}, \ldots, a_{n,L})\bigr) = 0,$$
where $c$ is the (nonzero) coefficient of $x_L^2$ in $g^{(\ell-1,L-1)}_\ell(x)$.
When $n - L > \ell(L-1)$, we can find a non-trivial solution of (a). Substituting it into (b), the quadratic equations (b) reduce to linear equations. If $\ell \le L$, express $a_{1,L}, \ldots, a_{L-1,L}$ as linear combinations of $a_{L,L}$ and constants. Substitute them into (c) and solve the resulting quadratic equation in $a_{L,L}$. If it has no solution, change the choice of $(a_{L+1,L}, \ldots, a_{n,L})$, or go back to the previous substep and try again, until a non-trivial $a_{L,L}$ is found. Then a solution of (a), (b) and (c) is found. On the other hand, when $n - L = \ell(L-1)$, the solution of (a) is trivial, namely $a_{L+1,L} = \cdots = a_{n,L} = 0$. This means that (b) and (c) become homogeneous equations in $(a_{1,L}, \ldots, a_{L,L})$, and then $\ell < L$ is necessary. Thus, in this step, we need the condition $\ell < (n-L)/(L-1)$ and $\ell \le L$, or $\ell = (n-L)/(L-1)$ and $\ell < L$; for all $\ell$ up to $M$ this is the condition on $M$ stated in the Aim, namely
$$M \le \lfloor (n-L)/(L-1) \rfloor \ \ (n \le L^2 - L), \qquad M \le L - 1 \ \ (L^2 - L + 1 \le n \le L^2), \qquad M \le L \ \ (n \ge L^2 + 1).$$

Note that the complexity of this substep is $\Omega(\ell(L-1)) + \Omega(\ell-1)$, and the total complexity of Step $\ell$ is less than $L \bigl( L \, \Omega(\lceil L/2 \rceil) + \Omega(\ell(L-1)) + \Omega(\ell-1) \bigr)$. Summing this from $\ell = 1$ to $M$, we see that the complexity of Algorithm B is less than
$$ML \bigl( L \, \Omega(\lceil L/2 \rceil) + \Omega((L-1)M) + \Omega(M-1) \bigr) < n \bigl( L \, \Omega(\lceil L/2 \rceil) + \Omega(n-M) + \Omega(M-1) \bigr) = O(n \, \Omega(n)).$$
Since $\Omega(n) \le n^3$, this algorithm works in polynomial time.

Based on Algorithm B, we give an algorithm to solve quadratic equations for $n \ge$ (about) $m^2 - 2m^{3/2} + 2m$.

Algorithm 1.

Aim. Find a solution $x \in k^n$ of the equations $f_1(x) = 0, \ldots, f_m(x) = 0$.

Step 1. Put $L_0 := n + 1$ and choose $M_1 < L_0$. Put $L_1 := \min\bigl( \lceil L_0/2 \rceil, \lfloor (n + M_1)/(M_1 + 1) \rfloor \bigr)$. Using Algorithm B, find an invertible linear map $V_1 : k^{L_0} \to k^{L_0}$ such that the coefficients of $x_i x_j$ ($0 \le i, j \le L_1 - 1$) in $\tilde{f}_1(V_1 \tilde{x}), \ldots, \tilde{f}_{M_1}(V_1 \tilde{x})$ are zero. Put $\tilde{f}^{(1)}_l(\tilde{x}) := \tilde{f}_l(V_1 \tilde{x})$.

Step 2. Choose $M_2 < L_1$. Put $L_2 := \min\bigl( \lceil L_1/2 \rceil, \lfloor (n + M_2)/(M_2 + 1) \rfloor \bigr)$. Using Algorithm B, find an invertible linear map $V_2 : k^{L_1} \to k^{L_1}$ such that the coefficients of $x_i x_j$ ($0 \le i, j \le L_2 - 1$) in $\tilde{f}^{(1)}_{M_1+1}(\tilde{V}_2 \tilde{x}), \ldots, \tilde{f}^{(1)}_{M_1+M_2}(\tilde{V}_2 \tilde{x})$ are zero, where $\tilde{V}_2 := \begin{pmatrix} V_2 & \\ & I \end{pmatrix}$. Put $\tilde{f}^{(2)}_l(\tilde{x}) := \tilde{f}^{(1)}_l(\tilde{V}_2 \tilde{x})$. (Since $\tilde{V}_2$ acts only on $x_0, \ldots, x_{L_1 - 1}$, the zero coefficients obtained in Step 1 are preserved.)

Continuing such operations until $L_t = 1$, we get an invertible linear map $U = (u_{ij})_{0 \le i, j \le n}$ such that the coefficients of $x_0^2$ in $\tilde{f}_l(U \tilde{x})$ for $1 \le l \le M_1 + M_2 + \cdots + M_t$ are zero. By Fact 4, this algorithm solves the equations when $m \le M_1 + \cdots + M_t \approx n^{1/2} + n^{1/4} + \cdots$, namely $n \approx m^2 - 2m^{3/2} + 2m$. The complexity of this algorithm is less than $O(n^4) + O(n^2) + O(n) + \cdots = O(n^4)$. Then Algorithm 1 works in polynomial time. The following table gives the number of variables $n$ required to solve $m$ equations.

$m$:  1  2  3  4   5   6   7   8   9  10  11  12  13   14   15   16   17
$n$:  1  3  4  9  12  16  20  25  36  49  64  81  90  100  121  144  156

5 Solving quadratic equations for $n \ge m(m+1)/2 + 1$

In this section, we propose an algorithm to solve equations for $n \ge m(m+1)/2 + 1$. The algorithm is as follows.

Algorithm 2.

Aim. Find a solution $x \in k^n$ of the equations $f_1(x) = 0, \ldots, f_m(x) = 0$.

Step 1. Find $\tilde{U}_0$ such that the coefficient of $x_0^2$ in $\tilde{f}_1(\tilde{U}_0 \tilde{x})$ is zero. This requires solving a homogeneous quadratic equation in $n + 1$ variables, which can be done when $n \ge 2$. Put $\tilde{f}^{(1)}_l(\tilde{x}) := \tilde{f}_l(\tilde{U}_0 \tilde{x})$.

Step 2. Find $\tilde{U}_1$ such that the coefficients of $x_0 x_1$ and $x_1^2$ in $\tilde{f}^{(1)}_1(\tilde{U}_1 \tilde{x})$ and the coefficient of $x_0 x_1$ in $\tilde{f}^{(1)}_2(\tilde{U}_1 \tilde{x})$ are zero. This requires solving two homogeneous linear equations and a homogeneous quadratic equation in $n + 1$ variables. Then we need $n \ge 2 + 2 = 4$. Put $\tilde{f}^{(1,1)}_l(\tilde{x}) := \tilde{f}^{(1)}_l(\tilde{U}_1 \tilde{x})$. If there is a solution $z_2 \in k$ of $\tilde{f}^{(1,1)}_2(1, z_2, 0, \ldots, 0) = 0$, put
$$V_2 := \begin{pmatrix} 1 & 0 & \\ z_2 & 1 & \\ & & I \end{pmatrix}$$
and $\tilde{f}^{(2)}_l(\tilde{x}) := \tilde{f}^{(1,1)}_l(V_2 \tilde{x})$. If there is no such $z_2$, take another $\tilde{U}_1$ and repeat until such a $z_2 \in k$ appears. (Since the coefficient of $x_0 x_1$ in $\tilde{f}^{(1,1)}_2$ is zero, $\tilde{f}^{(1,1)}_2(1, z_2, 0, \ldots, 0) = 0$ is a quadratic equation in $z_2$ without linear term, i.e. a square-root computation.) It is easy to see that the coefficients of $x_0^2$, $x_0 x_1$, $x_1^2$ in $\tilde{f}^{(2)}_1(\tilde{x})$ and of $x_0^2$ in $\tilde{f}^{(2)}_2(\tilde{x})$ are zero. Note that Steps 1 and 2 solve 2 equations in at least 4 variables.

Step 3. Find $\tilde{U}_1$ such that the coefficients of $x_0 x_1$ and $x_1^2$ in $\tilde{f}^{(2)}_1(\tilde{U}_1 \tilde{x})$, $\tilde{f}^{(2)}_2(\tilde{U}_1 \tilde{x})$ and the coefficient of $x_0 x_1$ in $\tilde{f}^{(2)}_3(\tilde{U}_1 \tilde{x})$ are zero. This requires solving 3 homogeneous linear equations and 2 homogeneous quadratic equations in $n + 1$ variables. When $n \ge 3 + 4 = 7$, this can be done by Steps 1 and 2. Put $\tilde{f}^{(2,1)}_l(\tilde{x}) := \tilde{f}^{(2)}_l(\tilde{U}_1 \tilde{x})$. If there is a solution $z_3 \in k$ of $\tilde{f}^{(2,1)}_3(1, z_3, 0, \ldots, 0) = 0$, put
$$V_3 := \begin{pmatrix} 1 & 0 & \\ z_3 & 1 & \\ & & I \end{pmatrix}$$
and $\tilde{f}^{(3)}_l(\tilde{x}) := \tilde{f}^{(2,1)}_l(V_3 \tilde{x})$. If there is no such $z_3$, take another $\tilde{U}_1$ and repeat until such a $z_3 \in k$ appears. It is easy to see that the coefficients of $x_0^2$, $x_0 x_1$, $x_1^2$ in $\tilde{f}^{(3)}_1(\tilde{x})$, $\tilde{f}^{(3)}_2(\tilde{x})$ and of $x_0^2$ in $\tilde{f}^{(3)}_3(\tilde{x})$ are zero. Note that Steps 1 to 3 solve 3 equations in at least 7 variables.

To argue recursively, suppose that, up to Step $\ell - 1$, we can find an invertible linear map $U : k^{n+1} \to k^{n+1}$ such that the coefficients of $x_0^2$, $x_0 x_1$, $x_1^2$ in $\tilde{f}_1(U \tilde{x}), \ldots, \tilde{f}_{\ell-2}(U \tilde{x})$ and of $x_0^2$ in $\tilde{f}_{\ell-1}(U \tilde{x})$ are zero whenever $n \ge \ell(\ell-1)/2 + 1$. This also means that Steps 1 to $\ell - 1$ solve $\ell - 1$ quadratic equations in at least $\ell(\ell-1)/2 + 1$ variables. Put $\tilde{f}^{(\ell-1)}_l(\tilde{x}) := \tilde{f}_l(U \tilde{x})$.

Step $\ell$. Find $\tilde{U}_1$ such that the coefficients of $x_0 x_1$ and $x_1^2$ in $\tilde{f}^{(\ell-1)}_1(\tilde{U}_1 \tilde{x}), \ldots, \tilde{f}^{(\ell-1)}_{\ell-1}(\tilde{U}_1 \tilde{x})$ and the coefficient of $x_0 x_1$ in $\tilde{f}^{(\ell-1)}_\ell(\tilde{U}_1 \tilde{x})$ are zero. This requires solving $\ell$ homogeneous linear equations and $\ell - 1$ homogeneous quadratic equations in $n + 1$ variables. If $n \ge \ell(\ell+1)/2 + 1$, this can be done by Steps 1 to $\ell - 1$. Put $\tilde{f}^{(\ell-1,1)}_l(\tilde{x}) := \tilde{f}^{(\ell-1)}_l(\tilde{U}_1 \tilde{x})$. If there is a solution $z_\ell \in k$ of $\tilde{f}^{(\ell-1,1)}_\ell(1, z_\ell, 0, \ldots, 0) = 0$, put
$$V_\ell := \begin{pmatrix} 1 & 0 & \\ z_\ell & 1 & \\ & & I \end{pmatrix}$$
and $\tilde{f}^{(\ell)}_l(\tilde{x}) := \tilde{f}^{(\ell-1,1)}_l(V_\ell \tilde{x})$. If there is no such $z_\ell$, take another $\tilde{U}_1$ and repeat until such a $z_\ell \in k$ appears. It is easy to see that the coefficients of $x_0^2$, $x_0 x_1$, $x_1^2$ in $\tilde{f}^{(\ell)}_l(\tilde{x})$ for $1 \le l \le \ell - 1$ and of $x_0^2$ in $\tilde{f}^{(\ell)}_\ell(\tilde{x})$ are zero. Note that Steps 1 to $\ell$ solve $\ell$ equations in at least $\ell(\ell+1)/2 + 1$ variables. Thus we can claim that Algorithm 2 solves the quadratic equations when $n \ge m(m+1)/2 + 1$.

We now estimate the complexity of this algorithm. Let $c_\ell$ be the complexity of the $\ell$-th step. For simplicity, assume that one computes $\tilde{U}_1$ once if $q$ is even and twice if $q$ is odd in every step, because the probability that a univariate quadratic equation has a solution is almost 1 if $q$ is even and about $1/2$ if $q$ is odd. Since the $\ell$-th step requires solving $\ell$ linear equations and $\ell - 1$ quadratic equations (by Steps 1 to $\ell - 1$), we have
$$c_\ell = \begin{cases} c_1 + c_2 + \cdots + c_{\ell-1} + (\text{polynomial}) & (2 \mid q), \\ 2(c_1 + c_2 + \cdots + c_{\ell-1}) + (\text{polynomial}) & (2 \nmid q). \end{cases}$$
Subtracting the relation for $\ell - 1$ from the one for $\ell$ gives $c_\ell \approx 2 c_{\ell-1}$, respectively $c_\ell \approx 3 c_{\ell-1}$, so $c_\ell = O(2^\ell)$ when $q$ is even and $c_\ell = O(3^\ell)$ when $q$ is odd. Since the complexity of this algorithm is $c_1 + \cdots + c_m$, we can roughly estimate it as $O(2^m)$ when $q$ is even and $O(3^m)$ when $q$ is odd.

6 Solving equations over small fields

In Sections 4 and 5, we proposed algorithms to solve equations over general finite fields. When $q$ is not very much bigger than $n$ and $m$, one can solve equations effectively by combining Algorithm B with exhaustive search, even when $n$ is smaller than the values in the table at the end of Section 4. As examples, we describe how to solve quadratic equations with $(q, n, m) = (16, 64, 16)$ and $(16, 48, 16)$, which are parameters of UOV suggested in [6].

For convenience in estimating the complexities roughly, suppose that the complexity of Algorithm B is $n(n - M)^3/3$, since $\Omega(n) \approx n^3/3$ for classical Gaussian elimination.

6.1 Solving equations with $(q, n, m) = (16, 64, 16)$.

Step 1. Use Algorithm B to find $V_1 : k^{65} \to k^{65}$ such that the coefficients of $x_i x_j$ ($0 \le i, j \le 7$) in $\tilde{f}_1(V_1 \tilde{x}), \ldots, \tilde{f}_8(V_1 \tilde{x})$ are zero. The complexity of this step is $65 \cdot 57^3/3$. Put $x^{(1)} := (x_0, \ldots, x_7)^t$ and $f^{(1)}_l(x^{(1)}) := \tilde{f}_l\bigl( V_1 (x_0, \ldots, x_7, 0, \ldots, 0)^t \bigr)$. By the choice of $V_1$, we see that $f^{(1)}_1(x^{(1)}) = \cdots = f^{(1)}_8(x^{(1)}) = 0$ for any $x^{(1)}$.

Step 2. Use Algorithm B to find $V_2 : k^8 \to k^8$ such that the coefficients of $x_i x_j$ ($0 \le i, j \le 2$) in $f^{(1)}_9(V_2 x^{(1)})$, $f^{(1)}_{10}(V_2 x^{(1)})$ are zero. The complexity of this step is $8 \cdot 5^4/3$. Put $x^{(2)} := (x_0, x_1, x_2)^t$ and $f^{(2)}_l(x^{(2)}) := f^{(1)}_l\bigl( V_2 (x_0, x_1, x_2, 0, \ldots, 0)^t \bigr)$. By the choice of $V_2$, we see that $f^{(2)}_9(x^{(2)}) = f^{(2)}_{10}(x^{(2)}) = 0$ for any $x^{(2)}$.

Step 3. Find $x^{(2)} = (1, x_1, x_2)^t$ such that $f^{(2)}_{11}(x^{(2)}) = 0$. This can be done by the algorithm for finding a square root. After that, check whether $f^{(2)}_{12}(x^{(2)}) = 0$ for the same $x^{(2)}$. If so, go to the next step; if not, change $x^{(2)}$ until $f^{(2)}_{12}(x^{(2)}) = 0$. Since the probability that $f^{(2)}_{12}(x^{(2)}) = 0$ for a randomly chosen $x^{(2)}$ is about $q^{-1}$, the complexity of this step is roughly $q \log q \approx 2^5$.

Step 4. Check whether $f^{(2)}_{13}(x^{(2)}) = f^{(2)}_{14}(x^{(2)}) = f^{(2)}_{15}(x^{(2)}) = 0$. If so, go to the next step; if not, go back to Step 2. Since the probability that $f^{(2)}_{13}(x^{(2)}) = f^{(2)}_{14}(x^{(2)}) = f^{(2)}_{15}(x^{(2)}) = 0$ is $q^{-3}$, one repeats this $q^3 = 2^{12}$ times on average.

Step 5. Check whether $f^{(2)}_{16}(x^{(2)}) = 0$. If so, we are done; if not, go back to Step 1. Since the probability that $f^{(2)}_{16}(x^{(2)}) = 0$ is $q^{-1}$, one repeats this $q = 2^4$ times on average.

We finally note that the complexity of this approach is about
$$2^4 \Bigl( 65 \cdot 57^3/3 + 2^{12} \bigl( 8 \cdot 5^4/3 + 2^5 \bigr) \Bigr) \approx 2^{26.4}.$$

6.2 Solving equations with $(q, n, m) = (16, 48, 16)$.

Step 1. Use Algorithm B to find $V_1 : k^{49} \to k^{49}$ such that the coefficients of $x_i x_j$ ($0 \le i, j \le 6$) in $\tilde{f}_1(V_1 \tilde{x}), \ldots, \tilde{f}_6(V_1 \tilde{x})$ are zero. The complexity of this step is $49 \cdot 42^3/3$. Put $x^{(1)} := (x_0, \ldots, x_6)^t$ and $f^{(1)}_l(x^{(1)}) := \tilde{f}_l\bigl( V_1 (x_0, \ldots, x_6, 0, \ldots, 0)^t \bigr)$. By the choice of $V_1$, we see that $f^{(1)}_1(x^{(1)}) = \cdots = f^{(1)}_6(x^{(1)}) = 0$ for any $x^{(1)}$.

Step 2. Use Algorithm B to find $V_2 : k^7 \to k^7$ such that the coefficients of $x_i x_j$ ($0 \le i, j \le 2$) in $f^{(1)}_7(V_2 x^{(1)})$, $f^{(1)}_8(V_2 x^{(1)})$ are zero. The complexity of this step is $7 \cdot 4^4/3$. Put $x^{(2)} := (x_0, x_1, x_2)^t$ and $f^{(2)}_l(x^{(2)}) := f^{(1)}_l\bigl( V_2 (x_0, x_1, x_2, 0, \ldots, 0)^t \bigr)$. By the choice of $V_2$, we see that $f^{(2)}_7(x^{(2)}) = f^{(2)}_8(x^{(2)}) = 0$ for any $x^{(2)}$.

Step 3. Find $x^{(2)} = (1, x_1, x_2)^t$ such that $f^{(2)}_9(x^{(2)}) = 0$. This can be done by the algorithm for finding a square root. After that, check whether $f^{(2)}_{10}(x^{(2)}) = 0$ for the same $x^{(2)}$. If so, go to the next step; if not, change $x^{(2)}$ until $f^{(2)}_{10}(x^{(2)}) = 0$. Since the probability that $f^{(2)}_{10}(x^{(2)}) = 0$ for a randomly chosen $x^{(2)}$ is about $q^{-1}$, the complexity of this step is roughly $q \log q \approx 2^5$.

Step 4. Check whether $f^{(2)}_{11}(x^{(2)}) = f^{(2)}_{12}(x^{(2)}) = 0$. If so, go to the next step; if not, go back to Step 2. Since the probability that $f^{(2)}_{11}(x^{(2)}) = f^{(2)}_{12}(x^{(2)}) = 0$ is $q^{-2}$, one repeats this $q^2 = 2^8$ times on average.

Step 5. Check whether $f^{(2)}_{13}(x^{(2)}) = \cdots = f^{(2)}_{16}(x^{(2)}) = 0$. If so, we are done; if not, go back to Step 1. Since the probability that $f^{(2)}_{13}(x^{(2)}) = \cdots = f^{(2)}_{16}(x^{(2)}) = 0$ is $q^{-4}$, one repeats this $q^4 = 2^{16}$ times on average.

We finally note that the complexity of this approach is about
$$2^{16} \Bigl( 49 \cdot 42^3/3 + 2^8 \bigl( 7 \cdot 4^4/3 + 2^5 \bigr) \Bigr) \approx 2^{36.4}.$$

The complexity of solving the equations with $(q, n, m) = (16, 64, 16)$ and $(16, 48, 16)$ has been studied in [1] and [4] to analyze the security of UOV with these parameters. The following table summarizes the complexities of the attacks of [1], [4] and of our approach.

$(q, n, m)$           | $(16, 48, 16)$ | $(16, 64, 16)$
exhaustive search     | $2^{64}$       | $2^{64}$
Courtois et al. [1]   | $2^{46}$       | $2^{42}$
Faugère-Perret [4]    | $2^{40.5}$     | $2^{40.5}$
Our attack            | $2^{36.4}$     | $2^{26.4}$

7 Conclusion

In the present paper, we proposed two algorithms to solve quadratic equations when $n$ is much larger than $m$. Though we reduced the required $n$ compared with the works in [6] and [1], it is still too large to attack most cryptosystems based on multivariate quadratic equations. It is therefore important to improve our algorithms and to study theoretically the lower bound on $n$ such that $m$ equations can be solved in polynomial (or effective) time.

References

[1] N. Courtois, L. Goubin, W. Meier and J. Tacier, Solving underdefined systems of multivariate quadratic equations, PKC '02, LNCS 2274, pp. 211–227.
[2] N. Courtois, A. Klimov, J. Patarin and A. Shamir, Efficient algorithms for solving overdefined systems of multivariate polynomial equations, Eurocrypt '00, LNCS 1807, pp. 392–407.
[3] N. Courtois and J. Pieprzyk, Cryptanalysis of block ciphers with overdefined systems of equations, Asiacrypt '02, LNCS 2501, pp. 267–287.
[4] J. Faugère and L. Perret, On the security of UOV, Proceedings of SCC '08, pp. 103–109.
[5] J. Ding, J. Gower and D. Schmidt, Multivariate public key cryptosystems, Advances in Information Security, Springer, 2006.
[6] A. Kipnis, J. Patarin and L. Goubin, Unbalanced Oil and Vinegar signature schemes, Eurocrypt '99, LNCS 1592 (1999), pp. 206–222, extended in citeseer/231623.htm, 2003-06-11.

[7] S. Tsujii, T. Kaneko, K. Tadaki and M. Gotaishi, Design policy of MPKC based on Piece in Hand concept (in Japanese), IEICE Technical Report 108 (2008), pp. 15–22.

HASHIMOTO, Yasufumi
Institute of Systems, Information Technologies and Nanotechnologies, 7F 2-1-22, Momochihama, Fukuoka 814-0001, JAPAN
e-mail: hasimoto@isit.or.jp