A Discrete Logarithm-based Approach to Compute Low-Weight Multiples of Binary Polynomials
Being able to compute efficiently a low-weight multiple of a given binary
polynomial is often a key ingredient of correlation attacks to LFSR-based
stream ciphers. The best known general purpose algorithm is based on the
generalized birthday problem. We describe an alternative approach which is
based on discrete logarithms and has much lower memory complexity requirements
with a comparable time complexity.
Comment: 12 page
Finding low-weight polynomial multiples using discrete logarithm
Finding low-weight multiples of a binary polynomial is a difficult problem
arising in the context of stream ciphers cryptanalysis. The classical algorithm
to solve this problem is based on a time memory trade-off. We will present an
improvement to this approach using discrete logarithm rather than a direct
representation of the involved polynomials. This gives an algorithm which
improves the theoretical complexity, and is also very flexible in practice.
Attacking the combination generator
We present one of the most efficient attacks against the combination
generator. This attack is inherent to this system as its only assumption is
that the filtering function has a good autocorrelation. This is usually the
case if the system is designed to be resistant to other kinds of attacks. We
use only classical tools, namely vectorial correlation, weight-4 multiples and
the Walsh transform.
Computing sparse multiples of polynomials
We consider the problem of finding a sparse multiple of a polynomial. Given f
in F[x] of degree d over a field F, and a desired sparsity t, our goal is to
determine if there exists a multiple h in F[x] of f such that h has at most t
non-zero terms, and if so, to find such an h. When F=Q and t is constant, we
give a polynomial-time algorithm in d and the size of coefficients in h. When F
is a finite field, we show that the problem is at least as hard as determining
the multiplicative order of elements in an extension field of F (a problem
thought to have complexity similar to that of factoring integers), and this
lower bound is tight when t=2.
Comment: Extended abstract appears in Proc. ISAAC 2010, pp. 266-278, LNCS 650
Some Notes on Code-Based Cryptography
This thesis presents new cryptanalytic results in several areas of coding-based cryptography. In addition, we also investigate the possibility of using convolutional codes in code-based public-key cryptography. The first algorithm that we present is an information-set decoding algorithm, aiming towards the problem of decoding random linear codes. We apply the generalized birthday technique to information-set decoding, improving the computational complexity over previous approaches. Next, we present a new version of the McEliece public-key cryptosystem based on convolutional codes. The original construction uses Goppa codes, which is an algebraic code family admitting a well-defined code structure. In the two constructions proposed, large parts of randomly generated parity checks are used. By increasing the entropy of the generator matrix, this presumably makes structured attacks more difficult. Following this, we analyze a McEliece variant based on quasi-cyclic MDPC codes. We show that when the underlying code construction has an even dimension, the system is susceptible to, what we call, a squaring attack. Our results show that the new squaring attack allows for great complexity improvements over previous attacks on this particular McEliece construction. Then, we introduce two new techniques for finding low-weight polynomial multiples. Firstly, we propose a general technique based on a reduction to the minimum-distance problem in coding, which increases the multiplicity of the low-weight codeword by extending the code. We use this algorithm to break some of the instances used by the TCHo cryptosystem. Secondly, we propose an algorithm for finding weight-4 polynomials. By using the generalized birthday technique in conjunction with increasing the multiplicity of the low-weight polynomial multiple, we obtain a much better complexity than previously known algorithms. Lastly, two new algorithms for the learning parities with noise (LPN) problem are proposed.
The first one is a general algorithm, applicable to any instance of LPN. The algorithm performs favorably compared to previously known algorithms, breaking the 80-bit security of the widely used (512,1/8) instance. The second one focuses on LPN instances over a polynomial ring, when the generator polynomial is reducible. Using the algorithm, we break an 80-bit security instance of the Lapin cryptosystem.
Concrete quantum cryptanalysis of binary elliptic curves
This paper analyzes and optimizes quantum circuits for computing discrete logarithms on binary elliptic curves, including reversible circuits for fixed-base-point scalar multiplication and the full stack of relevant subroutines. The main optimization target is the size of the quantum computer, i.e., the number of logical qubits required, as this appears to be the main obstacle to implementing Shor's polynomial-time discrete-logarithm algorithm. The secondary optimization target is the number of logical Toffoli gates. For an elliptic curve over a field of $2^n$ elements, this paper reduces the number of qubits to $7n + \lfloor \log_2(n) \rfloor + 9$. At the same time this paper reduces the number of Toffoli gates to $48n^3 + 8n^{\log_2(3)+1} + 352n^2 \log_2(n) + 512n^2 + O(n^{\log_2(3)})$ with double-and-add scalar multiplication, and a logarithmic factor smaller with fixed-window scalar multiplication. The number of CNOT gates is also $O(n^3)$. Exact gate counts are given for various sizes of elliptic curves currently used for cryptography.
Computation of a 30750-Bit Binary Field Discrete Logarithm
This paper reports on the computation of a discrete logarithm in the finite
field , breaking by a large margin the previous record,
which was set in January 2014 by a computation in . The
present computation made essential use of the elimination step of the
quasi-polynomial algorithm due to Granger, Kleinjung and Zumbrägel, and is
the first large-scale experiment to truly test and successfully demonstrate its
potential when applied recursively, which is when it leads to the stated
complexity. It required the equivalent of about 2900 core years on a single
core of an Intel Xeon Ivy Bridge processor running at 2.6 GHz, which is
comparable to the approximately 3100 core years expended for the discrete
logarithm record for prime fields, set in a field of bit-length 795, and
demonstrates just how much easier the problem is for this level of
computational effort. In order to make the computation feasible we introduced
several innovative techniques for the elimination of small degree irreducible
elements, which meant that we avoided performing any costly Gröbner basis
computations, in contrast to all previous records since early 2013. While such
computations are crucial to the complexity algorithms,
they were simply too slow for our purposes. Finally, this computation should
serve as a serious deterrent to cryptographers who are still proposing to rely
on the discrete logarithm security of such finite fields in applications,
despite the existence of two quasi-polynomial algorithms and the prospect of
even faster algorithms being developed.
Comment: 22 page