19 research outputs found
New algorithm for the discrete logarithm problem on elliptic curves
A new algorithm for computing discrete logarithms on elliptic curves defined over finite fields is suggested. It is based on a new method to find zeroes of summation polynomials. For binary elliptic curves one has to solve a cubic system of Boolean equations. Under a first fall degree assumption the regularity degree of the system is at most . Extensive experimental data which supports the assumption is provided. A heuristic analysis suggests a new asymptotic complexity bound for computing discrete logarithms on an elliptic curve over a field of size . For several binary elliptic curves recommended by FIPS the new method performs better than Pollard's. The asymptotic bound is correct under a weaker assumption that the regularity degree is bounded by , though the conclusion on the security of FIPS curves does not generally hold in this case.
On the first fall degree of summation polynomials
We improve on the first fall degree bound of polynomial systems that arise from a Weil descent along Semaev's summation polynomials relevant to the solution of the Elliptic Curve Discrete Logarithm Problem via Gröbner basis algorithms.
Comment: 12 pages, fina
Two philosophies for solving non-linear equations in algebraic cryptanalysis
Algebraic Cryptanalysis [45] is concerned with solving particular systems of multivariate non-linear equations which occur in cryptanalysis. Many different methods for solving such problems have been proposed in the cryptanalytic literature: the XL and XSL methods, Gröbner bases, SAT solvers, as well as many others. In this paper we survey these methods and point out that the main working principle in all of them is essentially the same: one quantity grows faster than another quantity, which leads to a "phase transition" after which the problem becomes efficiently solvable. We illustrate this with examples from both symmetric and asymmetric cryptanalysis. In this paper we point out that there exists a second, more general way of formulating algebraic attacks through dedicated coding techniques which involve redundancy with the addition of new variables. This opens numerous new possibilities for the attackers and leads to interesting optimization problems where the existence of interesting equations may be somewhat deliberately engineered by the attacker.
Impact of randomization in VKO mechanisms on overall security level
One of the mechanisms widely used in practice, when operating in a weakly trusted environment, for countering attacks on the long-term keys used in shared-secret derivation procedures is multiplication by randomizing factors followed by the application of hash functions. This approach is used in the VKO family of mechanisms, on which the Russian cipher suites of the main cryptographic information protection protocols standardized in the Russian Federation (including IPsec, TLS, CMS) are built. In particular, this is how the derivation of shared parameters is arranged in the Russian mechanisms of the TLS 1.2 protocol, which is used ubiquitously in mass-market information protection software. The paper considers some aspects of the resulting security of shared-parameter derivation procedures in the case of implementation errors that can cause faults in computations in the point groups of twisted Edwards curves of composite order, as well as in the case where constant-time computation of point multiples is not guaranteed.
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols have recently been proposed with a wide variety of novel applications, including ones in emerging technologies like cloud computing, the internet of things (IoT), e-health systems and wearable technologies. There has, however, been a wide range of incorrect uses of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements in solving the discrete logarithm problem in some groups. The main purpose of this article is to give understandable, informative, and up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis to the importance of the correct use of bilinear maps in realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and up-to-date recipe for the correct use of pairings.
Comment: 25 page
Polynomial time reduction from 3SAT to solving low first fall degree multivariable cubic equations system
Koster shows that the problem of deciding whether the value of Semaev's formula is or not is NP-complete. This result does not directly mean that ECDLP is NP-complete, but it suggests that ECDLP is NP-complete. Further, Semaev shows that the system of equations using number of , which is equivalent to deciding whether the value of Semaev's formula is or not, has constant first fall degree (not depending on and ). So, under the first fall degree assumption, its complexity is polynomial in (). And so, supposing , which almost all researchers assume, we have a contradiction and we see that the first fall degree assumption is not true.
Koster shows the NP-completeness by reducing the group membership problem, which is NP-complete, to the problem of deciding whether the value of Semaev's formula is or not, in polynomial time.
In this paper, we discuss this situation from another point of view.
Here, from any 3SAT instance, we construct a system of equations defined over an arbitrary field whose first fall degree is small.
The cost of solving this system of equations is polynomial under the first fall degree assumption. So the 3SAT problem, which is NP-complete, reduces to a problem in P under the first fall degree assumption.
Almost all researchers assume , and so it follows that the first fall degree assumption is not true. However, we can take K=\bR (not a finite field). This means that 3SAT reduces to solving a multivariate system of equations defined over , and there are many methods for solving this by numerical computation.
So, I must point out the very small possibility that an NP-complete problem reduces to solving a system of cubic equations over \bR which can be solved in polynomial time.
Bounds on the balanced embedding degree for pairing-based cryptography
A formula is derived for computing bounds on the balanced embedding degree of a hyperelliptic curve. Current bounds are computed for curves of genus 1-3. For curves with known generation algorithms, the smallest ρ-values and embedding degrees from 1 to 10, the range of values containing the security level of the curve is computed.
Complexity of ECDLP under the First Fall Degree Assumption
Semaev shows that under the first fall degree assumption, the complexity of ECDLP over \bF_{2^n}, where is the input size, is .
In his manuscript, the cost of solving the system of equations is , where () is the number of decompositions and is the linear algebra constant. It is remarkable that the cost of solving the system of equations under the first fall degree assumption is polynomial in the input size .
He uses a normal factor base, and the relation between the probability that the decomposition succeeds and the size of the factor base is established.
Here, applying a disjoint factor base to his method, the probability that the decomposition succeeds becomes , and taking a very small factor base is useful from the complexity point of view.
Thus we have the result that states:
Under the first fall degree assumption, the cost of ECDLP over \bF_{2^n}, where is the input size, is .
Moreover, using the author's results, in the case of field characteristic , the first fall degree of the desired system of equations is estimated by . (In case , Semaev shows it is . But it is exceptional.)
So we have a similar result that states:
Under the first fall degree assumption, the cost of ECDLP over \bF_{p^n}, where is the input size and (small) is a constant, is