7 research outputs found
A Key Substitution Attack on SFLASH^{v3}
A practical key substitution attack on SFLASH^{v3} is described: given a valid (message, signature) pair (m,\sigma) for some public key v_0, one can derive another public key v_1 (along with matching secret data) such that (m,\sigma) is also valid for v_1. The computational effort needed for finding such a 'duplicate' key is comparable to the effort needed for ordinary key generation.
A method of Weil sum in multivariate quadratic cryptosystem
A new cryptanalytic application is proposed for a number theoretic tool, the Weil sum, to the birthday attack against multivariate quadratic trapdoor functions. This new customization of the birthday attack is developed by evaluating the explicit Weil sum of the underlying univariate polynomial and the exact number of solutions of the associated bivariate equation. I designed and implemented new algorithms for computing Weil sum values so that I could explicitly identify some class of weak Dembowski-Ostrom polynomials and the equivalent forms in the multivariate quadratic trapdoor function. This customized attack, also regarded as an equation solving algorithm for the system of some special quadratic equations over finite fields, is fundamentally different from the Gröbner basis methods. The theoretical observations and experiments show that the required computational complexity of the attack on these weak polynomial instances can be asymptotically less than the square root complexity of the common birthday attack by a factor as large as 2^(n/8) in terms of the extension degree n of F_{2^n}. I also suggest a few open problems that any MQ-based short signature scheme must explicitly take into account for the basic design principles.
Algorithms for Solving Linear and Polynomial Systems of Equations over Finite Fields with Applications to Cryptanalysis
This dissertation contains algorithms for solving linear and polynomial systems of equations over GF(2). The objective is to provide fast and exact tools for algebraic cryptanalysis and other applications. Accordingly, it is divided into two parts.

The first part deals with polynomial systems. Chapter 2 contains a successful cryptanalysis of KeeLoq, the block cipher used in nearly all luxury automobiles. The attack is more than 16,000 times faster than brute force, but queries 0.62 × 2^32 plaintexts. The polynomial systems of equations arising from that cryptanalysis were solved via SAT-solvers. Therefore, Chapter 3 introduces a new method of solving polynomial systems of equations by converting them into CNF-SAT problems and using a SAT-solver. Finally, Chapter 4 contains a discussion on how SAT-solvers work internally.

The second part deals with linear systems over GF(2), and other small fields (and rings). These occur in cryptanalysis when using the XL algorithm, which converts polynomial systems into larger linear systems. We introduce a new complexity model and data structures for GF(2)-matrix operations. This is discussed in Appendix B but applies to all of Part II. Chapter 5 contains an analysis of "the Method of Four Russians" for multiplication and a variant for matrix inversion, which is log n faster than Gaussian Elimination, and can be combined with Strassen-like algorithms. Chapter 6 contains an algorithm for accelerating matrix multiplication over small finite fields. It is feasible but the memory cost is so high that it is mostly of theoretical interest. Appendix A contains some discussion of GF(2)-linear algebra and how it differs from linear algebra in R and C. Appendix C discusses algorithms faster than Strassen's algorithm, and contains proofs that matrix multiplication, matrix squaring, triangular matrix inversion, LUP-factorization, general matrix inversion and the taking of determinants, are equicomplex. These proofs are already known, but are here gathered into one place in the same notation.
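The "Method of Four Russians" for GF(2) matrix multiplication mentioned in the abstract above is the one piece of that dissertation that fits in a few lines, so here is an added, self-contained illustration of it. This is not the dissertation's code and does not use its data structures: rows are packed into Python integers (bit c of a row is column c), the k inner columns are processed in chunks of t ≈ log2(k) bits, and for each chunk all 2^t linear combinations of the corresponding rows of B are precomputed in a Gray-code table so each entry costs one XOR. Each row of the product is then assembled with k/t table lookups instead of k row XORs, which is where the log n saving over schoolbook (Gaussian-style) multiplication comes from. The sample matrices are constructed here for the check against a naive multiplication.

```python
"""Method of Four Russians (M4RM) multiplication over GF(2) with bit-packed rows.

Added example for illustration; not code from the dissertation above.
A row is an int whose bit c holds the entry in column c.
"""
import random


def gray_table(rows):
    """Return all 2^t GF(2) linear combinations of the t ints in `rows`.

    table[idx] is the XOR of rows[b] for every set bit b of idx.
    Entries are filled in Gray-code order (g(i) = i ^ (i >> 1)), so
    consecutive entries differ in exactly one row and each costs one XOR.
    """
    t = len(rows)
    table = [0] * (1 << t)
    for i in range(1, 1 << t):
        g = i ^ (i >> 1)
        prev = (i - 1) ^ ((i - 1) >> 1)
        changed = (g ^ prev).bit_length() - 1  # the single bit that flipped
        table[g] = table[prev] ^ rows[changed]
    return table


def m4rm_multiply(A, B, k, t=None):
    """C = A * B over GF(2).

    A: list of m row-ints with k meaningful bits (A is m x k).
    B: list of k row-ints (B is k x n).
    Returns the m row-ints of C. Chunk width t defaults to about log2(k).
    """
    if t is None:
        t = max(1, k.bit_length() - 1)
    C = [0] * len(A)
    for start in range(0, k, t):
        chunk = B[start:start + t]          # rows of B for columns start..start+t-1 of A
        table = gray_table(chunk)           # 2^|chunk| combinations, one XOR each
        mask = (1 << len(chunk)) - 1
        for i, a in enumerate(A):
            idx = (a >> start) & mask       # t bits of row i of A select the combination
            C[i] ^= table[idx]
    return C


def naive_multiply(A, B, k):
    """Schoolbook reference: row i of C is the XOR of the rows of B selected by row i of A."""
    C = []
    for a in A:
        acc = 0
        for c in range(k):
            if (a >> c) & 1:
                acc ^= B[c]
        C.append(acc)
    return C


def pack_rows(M):
    """List-of-lists 0/1 matrix -> list of row-ints."""
    return [sum(bit << c for c, bit in enumerate(row)) for row in M]


def unpack_rows(R, n):
    """List of row-ints -> list-of-lists 0/1 matrix with n columns."""
    return [[(r >> c) & 1 for c in range(n)] for r in R]


def demo(seed=1, m=7, k=10, n=9):
    """Multiply a constructed random m x k by k x n matrix both ways and return both results."""
    rng = random.Random(seed)
    A = [[rng.randrange(2) for _ in range(k)] for _ in range(m)]
    B = [[rng.randrange(2) for _ in range(n)] for _ in range(k)]
    pa, pb = pack_rows(A), pack_rows(B)
    fast = unpack_rows(m4rm_multiply(pa, pb, k), n)
    slow = unpack_rows(naive_multiply(pa, pb, k), n)
    return fast, slow


if __name__ == "__main__":
    fast, slow = demo()
    print("M4RM matches naive:", fast == slow)
```

For the counting argument: building one table costs 2^t XORs and is shared by all m rows, so with t = log2(k) the table cost is O(k) per chunk, and the per-row work drops from k XORs to k/log2(k) lookups; a word-packed implementation as in the dissertation gets the further machine-word factor on top of that. The table size 2^t is the reason t is kept near log2(k) rather than larger.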