On the Complexity of Solving Quadratic Boolean Systems
A fundamental problem in computer science is to find all the common zeroes of
quadratic polynomials in unknowns over . The
cryptanalysis of several modern ciphers reduces to this problem. Up to now, the
best complexity bound was reached by an exhaustive search in
operations. We give an algorithm that reduces the problem to a combination of
exhaustive search and sparse linear algebra. This algorithm has several
variants depending on the method used for the linear algebra step. Under
precise algebraic assumptions on the input system, we show that the
deterministic variant of our algorithm has complexity bounded by
when , while a probabilistic variant of the Las Vegas type
has expected complexity . Experiments on random systems show
that the algebraic assumptions are satisfied with probability very close to 1.
We also give a rough estimate for the actual threshold between our method and
exhaustive search, which is as low as 200, and thus very relevant for
cryptographic applications. Comment: 25 page
Quantum Algorithms for Boolean Equation Solving and Quantum Algebraic Attack on Cryptosystems
Deciding whether a Boolean equation system has a solution is an NP-complete
problem and finding a solution is NP-hard. In this paper, we present a quantum
algorithm to decide whether a Boolean equation system FS has a solution and
compute one if FS does have solutions with any given success probability. The
runtime complexity of the algorithm is polynomial in the size of FS and the
condition number of FS. As a consequence, we give a polynomial-time quantum
algorithm for solving Boolean equation systems if their condition numbers are
small, say polynomial in the size of FS. We apply our quantum algorithm for
solving Boolean equations to the cryptanalysis of several important
cryptosystems: the stream cipher Trivium, the block cipher AES, the hash
function SHA-3/Keccak, and the multivariate public key cryptosystems, and show
that they are secure under quantum algebraic attack only if the condition
numbers of the corresponding equation systems are large. This leads to a new
criterion for designing cryptosystems that can resist the attack of quantum
computers: their corresponding equation systems must have large condition
numbers.
Fast Quantum Algorithm for Solving Multivariate Quadratic Equations
In August 2015 the cryptographic world was shaken by a sudden and surprising
announcement by the US National Security Agency (NSA) concerning plans to
transition to post-quantum algorithms. Since this announcement post-quantum
cryptography has become a topic of primary interest for several standardization
bodies. The transition from the currently deployed public-key algorithms to
post-quantum algorithms has been found to be challenging in many aspects. In
particular the problem of evaluating the quantum-bit security of such
post-quantum cryptosystems remains vastly open. Of course this question is of
primary concern in the process of standardizing the post-quantum
cryptosystems. In this paper we consider the quantum security of the problem of
solving a system of Boolean multivariate quadratic equations in
variables (\MQb); a central problem in post-quantum cryptography. When ,
under a natural algebraic assumption, we present a Las Vegas quantum algorithm
solving \MQb that requires the evaluation of, on average,
quantum gates. To our knowledge this is the fastest algorithm for solving
\MQb.
Eliminating Variables in Boolean Equation Systems
Systems of Boolean equations of low degree arise in a natural way when
analyzing block ciphers. The cipher's round functions relate the secret key to
auxiliary variables that are introduced by each successive round. In algebraic
cryptanalysis, the attacker attempts to solve the resulting equation system in
order to extract the secret key. In this paper we study algorithms for
eliminating the auxiliary variables from these systems of Boolean equations. It
is known that elimination of variables in general increases the degree of the
equations involved. In order to contain computational complexity and storage
complexity, we present two new algorithms for performing elimination while
bounding the degree at , which is the lowest possible for elimination.
Further we show that the new algorithms are related to the well-known XL
algorithm. We apply the algorithms to a downscaled version of the LowMC cipher
and to a toy cipher based on the Prince cipher, and report on experimental
results pertaining to these examples. Comment: 21 pages, 3 figures, Journal pape
Qualitative Analysis of Concurrent Mean-payoff Games
We consider concurrent games played by two players on a finite-state graph,
where in every round the players simultaneously choose a move, and the current
state along with the joint moves determine the successor state. We study a
fundamental objective, namely, mean-payoff objective, where a reward is
associated with each transition, and the goal of player 1 is to maximize the
long-run average of the rewards, and the objective of player 2 is strictly the
opposite. The path constraint for player 1 could be qualitative, i.e., the
mean-payoff is the maximal reward, or arbitrarily close to it; or quantitative,
i.e., a given threshold between the minimal and maximal reward. We consider the
computation of the almost-sure (resp. positive) winning sets, where player 1
can ensure that the path constraint is satisfied with probability 1 (resp.
positive probability). Our main results for qualitative path constraints are as
follows: (1) we establish qualitative determinacy results that show that for
every state either player 1 has a strategy to ensure almost-sure (resp.
positive) winning against all player-2 strategies, or player 2 has a spoiling
strategy to falsify almost-sure (resp. positive) winning against all player-1
strategies; (2) we present optimal strategy complexity results that precisely
characterize the classes of strategies required for almost-sure and positive
winning for both players; and (3) we present quadratic time algorithms to
compute the almost-sure and the positive winning sets, matching the best known
bound of algorithms for much simpler problems (such as reachability
objectives). For quantitative constraints we show that a polynomial time
solution for the almost-sure or the positive winning set would imply a solution
to a long-standing open problem (the value problem for turn-based deterministic
mean-payoff games) that is not known to be solvable in polynomial time.