18 research outputs found

    On Polynomial Systems Arising from a Weil Descent

    In the last two decades, many computational problems arising in cryptography have been successfully reduced to various systems of polynomial equations. In this paper, we revisit a class of polynomial systems introduced by Faugère, Perret, Petit and Renault. Seeing these systems as natural generalizations of HFE systems, we provide experimental and theoretical evidence that their degrees of regularity are only slightly larger than the original degree of the equations, resulting in a very low complexity compared to generic systems. We then revisit the applications of these systems to the elliptic curve discrete logarithm problem (ECDLP) for binary curves, to the factorization problem in $SL(2,\mathbf{F}_{2^n})$ and to other discrete logarithm problems. As a main consequence, we provide a heuristic analysis showing that Diem's variant of index calculus for ECDLP requires a subexponential number of bit operations $O(2^{c\,n^{2/3}\log n})$ over the binary field $\mathbf{F}_{2^n}$, where $c$ is a constant smaller than $2$. According to our estimations, generic discrete logarithm methods are outperformed for any $n > N$ where $N \approx 2000$, but elliptic curves of currently recommended key sizes ($n \approx 160$) are not immediately threatened. The analysis can be easily generalized to other extension fields.

    On the first fall degree of summation polynomials

    We improve on the first fall degree bound of polynomial systems that arise from a Weil descent along Semaev's summation polynomials relevant to the solution of the Elliptic Curve Discrete Logarithm Problem via Gröbner basis algorithms. Comment: 12 pages, fina

    Impact of randomization in VKO mechanisms on overall security level

    One of the countermeasures widely used in practice, when operating in a weakly trusted environment, against attacks on the long-term keys used in shared-secret derivation procedures is multiplication by randomizing factors followed by the application of hash functions. This approach is used in the VKO family of mechanisms, on which the Russian cipher suites of the main cryptographic information-protection protocols standardized in the Russian Federation (including IPsec, TLS and CMS) are built. In particular, this is how shared-parameter derivation is arranged in the Russian mechanisms for TLS 1.2, a protocol used ubiquitously in mass-market information-protection software. This paper considers some aspects of the resulting security of the shared-parameter derivation procedures in the case of implementation errors that can cause faults in computations in point groups of twisted Edwards curves of composite order, and in the case where constant-time computation of scalar multiples of points is not guaranteed.

    Polynomial time reduction from 3SAT to solving low first fall degree multivariable cubic equations system

    Koster shows that the problem of deciding whether the value of Semaev's summation polynomial $S_m(x_1,\dots,x_m)$ is $0$ or not is NP-complete. This result does not directly mean that ECDLP is NP-complete, but it suggests that ECDLP is NP-complete. Further, Semaev shows that the equation system built from $m-2$ copies of $S_3(x_1,x_2,x_3)$, which is equivalent to deciding whether the value of $S_m(x_1,\dots,x_m)$ is $0$ or not, has constant first fall degree (independent of $m$ and $n$). So, under the first fall degree assumption, its complexity is polynomial in $n$ ($O(n^{\mathrm{Const}})$). Assuming $P \ne NP$, as almost all researchers do, this is a contradiction, and we see that the first fall degree assumption is not true. Koster shows NP-completeness by a polynomial-time reduction from the group belonging problem, which is NP-complete, to the problem of deciding whether the value of $S_m(x_1,\dots,x_m)$ is $0$ or not. In this paper, we discuss this situation from another point of view. From any 3SAT instance, we construct an equation system defined over an arbitrary field $K$ whose first fall degree is small. The cost of solving this equation system is polynomial under the first fall degree assumption. So 3SAT, which is NP-complete, reduces to a problem in P under the first fall degree assumption. Almost all researchers assume $P \ne NP$, and so we conclude that the first fall degree assumption is not true. However, we can take $K = \mathbb{R}$ (not a finite field). This means that 3SAT reduces to solving a multivariate equation system defined over $\mathbb{R}$, and there are many methods for solving such systems by numerical computation. So I must point out the very small possibility that an NP-complete problem reduces to solving a cubic equation system over $\mathbb{R}$ which can be solved in polynomial time.

    On Generalized First Fall Degree Assumptions

    The first fall degree assumption provides a complexity approximation of Gröbner basis algorithms when the degree of regularity of a polynomial system cannot be precisely evaluated. Most importantly, this assumption was recently used by Petit and Quisquater to conjecture that the elliptic curve discrete logarithm problem can be solved in subexponential time for binary fields (binary ECDLP). The validity of the assumption may however depend on the systems in play. In this paper, we theoretically and experimentally study the first fall degree assumption for a class of polynomial systems including those considered in Petit and Quisquater's analysis. In some cases, we show that the first fall degree assumption seems to hold and we deduce complexity improvements on previous binary ECDLP algorithms. On the other hand, we also show that the assumption is unlikely to hold in other cases where it would have very unexpected consequences. Our results shed light on a Gröbner basis assumption with major consequences for several cryptanalysis problems, including binary ECDLP.

    Complexity of ECDLP under the First Fall Degree Assumption

    Semaev shows that under the first fall degree assumption, the complexity of ECDLP over $\mathbb{F}_{2^n}$, where $n$ is the input size, is $O(2^{n^{1/2+o(1)}})$. In his manuscript, the cost of solving the equation system is $O((nm)^{4w})$, where $m$ ($2 \le m \le n$) is the number of points in a decomposition and $w \sim 2.7$ is the linear algebra constant. It is remarkable that the cost of solving the equation system under the first fall degree assumption is polynomial in the input size $n$. He uses a normal factor base, and the trade-off between the probability that a decomposition succeeds and the size of the factor base is worked out. Here, using a disjoint factor base in his method, the probability that a decomposition succeeds becomes $\sim 1$, and taking a very small factor base is useful from the complexity point of view. Thus we obtain the following result: under the first fall degree assumption, the cost of ECDLP over $\mathbb{F}_{2^n}$, where $n$ is the input size, is $O(n^{8w+1})$. Moreover, using the author's results, in the case of field characteristic $\ge 3$ the first fall degree of the desired equation system is estimated to be $\le 3p+1$. (In the $p=2$ case, Semaev shows it is $\le 4$, but this case is exceptional.) So we have a similar result: under the first fall degree assumption, the cost of ECDLP over $\mathbb{F}_{p^n}$, where $n$ is the input size and (small) $p$ is a constant, is $O(n^{(6p+2)w+1})$.
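
    The object that the Weil-descent systems in "On the first fall degree of summation polynomials" are built from, and that the two abstracts above reduce to ($m-2$ copies of $S_3$ joined by auxiliary variables, and decomposition of a point over a factor base), is Semaev's summation polynomial. The following Python is an added illustration, not code from any of the listed papers: it uses a constructed toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ and helper names chosen here. For a short Weierstrass curve $y^2 = x^3 + Ax + B$, $S_3(x_1,x_2,x_3) = (x_1-x_2)^2 x_3^2 - 2\big((x_1+x_2)(x_1x_2+A)+2B\big)x_3 + (x_1x_2-A)^2 - 4B(x_1+x_2)$, and it vanishes exactly when points with those $x$-coordinates sum to $O$. The code checks this against the group law: the $\mathbb{F}_p$-roots in $x_3$ of $S_3(x(P),x(Q),\cdot)$ are exactly $x(P+Q)$ and $x(P-Q)$, so decomposing a point into two factor-base points is root finding for $S_3$; and $S_4(x_1,\dots,x_4)=0$, decided through the $S_3$ chain with one auxiliary variable, holds exactly when some signed sum $\pm P_1 \pm P_2 \pm P_3 \pm P_4$ is $O$.

```python
# Added example (toy parameters constructed for illustration; not from the papers above).
# Short Weierstrass curve y^2 = x^3 + A*x + B over F_p with p = 97.
P_MOD = 97
A, B = 2, 3


def inv(a: int) -> int:
    """Inverse mod p by Fermat's little theorem; a must be nonzero mod p."""
    return pow(a % P_MOD, P_MOD - 2, P_MOD)


def ec_add(P, Q):
    """Affine group law; None denotes the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # Q == -P (also catches doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_neg(P):
    return None if P is None else (P[0], (-P[1]) % P_MOD)


def curve_points():
    """All affine F_p-points of the curve (exhaustive search; p is tiny)."""
    pts = []
    for x in range(P_MOD):
        rhs = (x * x * x + A * x + B) % P_MOD
        pts.extend((x, y) for y in range(P_MOD) if y * y % P_MOD == rhs)
    return pts


def s3(x1: int, x2: int, x3: int) -> int:
    """Semaev's third summation polynomial for y^2 = x^3 + Ax + B, reduced mod p.
    S_3(x1,x2,x3) = 0 iff (over the algebraic closure) there are points P_i with
    x(P_i) = x_i and P1 + P2 + P3 = O."""
    c2 = (x1 - x2) ** 2
    c1 = -2 * ((x1 + x2) * (x1 * x2 + A) + 2 * B)
    c0 = (x1 * x2 - A) ** 2 - 4 * B * (x1 + x2)
    return (c2 * x3 * x3 + c1 * x3 + c0) % P_MOD


def s3_roots(x1: int, x2: int) -> set:
    """F_p-roots in x3 of S_3(x1, x2, .), found by exhaustive search."""
    return {x3 for x3 in range(P_MOD) if s3(x1, x2, x3) == 0}


def s3_matches_group_law() -> bool:
    """For every pair of affine points with x(P) != x(Q), the roots of
    S_3(x(P), x(Q), .) are exactly {x(P+Q), x(P-Q)}: decomposing a point into
    two factor-base points is root finding for S_3."""
    pts = curve_points()
    for i, P in enumerate(pts):
        for Q in pts[i + 1:]:
            if P[0] == Q[0]:
                continue  # Q = -P: S_3 degenerates to a linear (or zero) polynomial
            expected = {ec_add(P, Q)[0], ec_add(P, ec_neg(Q))[0]}
            if s3_roots(P[0], Q[0]) != expected:
                return False
    return True


def s_m_is_zero(xs) -> bool:
    """Decide S_m(x_1..x_m) = 0 with m-2 copies of S_3 joined by m-3 auxiliary
    variables t_i: S_3(x1,x2,t1) = S_3(t1,x3,t2) = ... = S_3(t_{m-3},x_{m-1},x_m) = 0.
    The t_i are searched over F_p, which suffices when the x_i come from
    F_p-rational points (each t_i is then the x-coordinate of a rational partial sum)."""
    if len(xs) == 3:
        return s3(*xs) == 0
    x1, x2, rest = xs[0], xs[1], list(xs[2:])
    return any(s3(x1, x2, t) == 0 and s_m_is_zero([t] + rest) for t in range(P_MOD))


def s4_matches_group_law() -> bool:
    """With P1, P2, P3 fixed, S_4(x1, x2, x3, x4) = 0 for exactly those x4 that are
    x-coordinates of a signed sum +-P1 +-P2 +-P3, i.e. when P1+P2+P3+P4 = O for
    some choice of signs."""
    P1, P2 = (3, 6), (80, 10)  # both lie on the curve (see curve_points)
    P3 = next(pt for pt in curve_points() if pt[0] not in (3, 80) and pt[1] != 0)
    valid = set()
    for Q2 in (P2, ec_neg(P2)):
        for Q3 in (P3, ec_neg(P3)):
            S = ec_add(ec_add(P1, Q2), Q3)
            if S is not None:
                valid.add(S[0])
    return all(s_m_is_zero([P1[0], P2[0], P3[0], x4]) == (x4 in valid)
               for x4 in range(P_MOD))


if __name__ == "__main__":
    print("S_3 roots for x1=3, x2=80:", sorted(s3_roots(3, 80)))
    print("S_3 agrees with group law on all pairs:", s3_matches_group_law())
    print("S_4 chain agrees with group law:", s4_matches_group_law())
```

    The exhaustive root search is only viable because $p$ is tiny; the point of the index-calculus variants above is that for large fields the same decomposition question becomes a polynomial system (after Weil descent, one over the small base field) whose Gröbner-basis cost is what the first fall degree assumption tries to bound.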

    Bit Coincidence Mining Algorithm

    Here, we propose a new algorithm for solving ECDLP, named the Bit Coincidence Mining Algorithm, by which ECDLP is reduced to solving a system of quadratic equations. In this algorithm, the ECDLP on an elliptic curve $E$ defined over $\mathbb{F}_q$ ($q$ a prime or a prime power) reduces to solving a quadratic equation system in $d-1$ variables with $d+C_0-1$ equations, where $C_0$ is a small natural number and $d \sim C_0 \log_2 q$. This equation system is too large to be solved by computer. However, we show theoretically that the cost of solving this equation system by the XL algorithm is subexponential under a reasonable assumption on the XL algorithm.