On Polynomial Systems Arising from a Weil Descent
In the last two decades, many computational problems arising in cryptography
have been successfully reduced to various systems of polynomial equations. In
this paper, we revisit a class of polynomial systems introduced by Faugère,
Perret, Petit and Renault.
Seeing these systems as natural generalizations of HFE systems, we provide
experimental and theoretical evidence that their degrees of regularity are
only slightly larger than the original degree of the equations, resulting in a
very low complexity compared to generic systems.
We then revisit the applications of these systems to the elliptic curve
discrete logarithm problem (ECDLP) for binary curves, to the factorization
problem in and to other discrete logarithm problems.
As a main consequence, we provide a heuristic analysis showing that Diem's
variant of index calculus for ECDLP requires a subexponential number of bit
operations over the binary field , where is a constant smaller
than .
According to our estimations, generic discrete logarithm methods are
outperformed for any where , but elliptic curves of
currently recommended key sizes () are not immediately
threatened.
The analysis can be easily generalized to other extension fields
On the first fall degree of summation polynomials
We improve on the first fall degree bound of polynomial systems that arise
from a Weil descent along Semaev's summation polynomials relevant to the
solution of the Elliptic Curve Discrete Logarithm Problem via Gröbner basis
algorithms. Comment: 12 pages, fina
Impact of randomization in VKO mechanisms on overall security level
One of the mechanisms widely used in practice, when operating in a weakly trusted environment, to counter attacks on the long-term keys used in shared secret generation procedures is multiplication by randomizing factors followed by the application of hash functions. This approach is used in the VKO family of mechanisms, on which the Russian cipher suites of the main cryptographic information protection protocols (including IPsec, TLS, CMS) standardized in the Russian Federation are built. In particular, this is how shared parameter generation works in the Russian mechanisms of the TLS 1.2 protocol, which is ubiquitous in mass-market information security software. The paper considers some aspects of the resulting security of shared parameter generation procedures in the case of implementation errors that can cause faults in computations in groups of points of twisted Edwards curves of composite order, and in the absence of guarantees of constant-time computation of point multiples
Polynomial time reduction from 3SAT to solving low first fall degree multivariable cubic equations system
Koster shows that the problem for deciding whether the value of Semaev's formula is or not, is NP-complete. This result does not directly mean that ECDLP is NP-complete, but it suggests that ECDLP is NP-complete. Further, Semaev shows that the equations system using number of , which is equivalent to deciding whether the value of Semaev's formula is or not, has constant (not depending on and ) first fall degree. So, under the first fall degree assumption, its complexity is poly in (). And so, suppose , which almost all researchers assume, it has a contradiction and we see that the first fall degree assumption is not true.
Koster shows the NP-completeness from the fact that the group belonging problem, which is NP-complete, reduces to the problem for deciding whether the value of Semaev's formula is or not, in polynomial time.
In this paper, from another point of view, we discuss this situation.
Here, we construct some equations system defined over an arbitrary field and its first fall degree is small, from any 3SAT problem.
The cost for solving this equations system is polynomial time under the first fall degree assumption. So, the 3SAT problem, which is NP-complete, is reduced to the problem in P under the first fall degree assumption.
Almost all researchers assume , and so, it concludes that the first fall degree assumption is not true. However, we can take $K=\mathbb{R}$ (not a finite field). It means that 3SAT reduces to solving a multivariable equations system defined over and there are many methods for solving this by numerical computation.
So, I must point out the very small possibility that an NP-complete problem is reduced to solving a cubic equations system over $\mathbb{R}$ which can be solved in polynomial time
On Generalized First Fall Degree Assumptions
The first fall degree assumption provides a complexity approximation of Gröbner basis algorithms when the degree of regularity of a polynomial system cannot be precisely evaluated. Most importantly, this assumption was recently used by Petit and Quisquater to conjecture that the elliptic curve discrete logarithm problem can be solved in subexponential time for binary fields (binary ECDLP). The validity of the assumption may however depend on the systems in play.
In this paper, we theoretically and experimentally study the first fall degree assumption for a class of polynomial systems including those considered in Petit and Quisquater's analysis. In some cases, we show that the first fall degree assumption seems to hold and we deduce complexity improvements on previous binary ECDLP algorithms. On the other hand, we also show that the assumption is unlikely to hold in other cases where it would have very unexpected consequences.
Our results shed light on a Gröbner basis assumption with major consequences on several cryptanalysis problems, including binary ECDLP
Complexity of ECDLP under the First Fall Degree Assumption
Semaev shows that under the first fall degree assumption, the complexity
of ECDLP over $\mathbb{F}_{2^n}$, where is the input size, is
.
In his manuscript, the cost for solving equations system is ,
where () is the number of decomposition
and is the linear algebra constant.
It is remarkable that the cost for solving equations system under the
first fall degree assumption, is poly in input size .
He uses a normal factor base, and the rebalance of the probability that
the decomposition succeeds and the size of the factor base is done.
Here, applying a disjoint factor base to his method,
the probability that the decomposition succeeds becomes and
taking a very small factor
base is useful from the complexity point of view.
Thus we have the result that states:
Under the first fall degree assumption,
the cost of ECDLP over $\mathbb{F}_{2^n}$, where is the input size, is .
Moreover, using the author's results,
in the case of the field characteristic , the first fall
degree of desired equation system is estimated by .
(In case, Semaev shows it is . But it is exceptional.)
So we have a similar result that states:
Under the first fall degree assumption,
the cost of ECDLP over $\mathbb{F}_{p^n}$, where is the input size and (small) is a constant, is
Bit Coincidence Mining Algorithm
Here, we propose a new algorithm for solving ECDLP named Bit Coincidence Mining Algorithm!, from which ECDLP is reduced to solving some quadratic equations system.
In this algorithm, ECDLP of an elliptic curve defined over $\mathbb{F}_q$ ( is prime or power of primes) reduces to solving a quadratic equations system of variables and equations where is a small natural number and .
This equations system is too large and it cannot be solved by computer.
However, we can show theoretically that the cost for solving this equations system by the xL algorithm is subexponential under the reasonable assumption of the xL algorithm