50 research outputs found
QUAD: Overview and Recent Developments
We give an outline of the specification and provable security features of the QUAD stream cipher proposed at Eurocrypt 2006. The cipher relies on the iteration of a multivariate system of quadratic equations over a finite field, typically GF(2) or a small extension. In the binary case, the security of the keystream generation can be related, in the concrete security model, to the conjectured intractability of the MQ problem of solving a random system of m equations in n unknowns. We show that this security reduction can be extended to incorporate the key and IV setup and provide a security argument related to the whole stream cipher. We also briefly address software and hardware performance issues and show that if one is willing to pseudorandomly generate the systems of quadratic polynomials underlying the cipher, this leads to surprisingly inexpensive hardware implementations of QUAD.
Tame transformation signatures with topsy-turvy hashes
Conference type: domestic. Conference date: 20021030~2002103
Algorithms to solve massively under-defined systems of multivariate quadratic equations
It is well known that the problem of solving a set of randomly chosen multivariate quadratic equations over a finite field is NP-hard. However, when the number of variables is much larger than the number of equations, solving the equations is not necessarily difficult. In fact, when n>m(m+1) (n and m are the numbers of variables and equations respectively) and the field is of even characteristic, there is an algorithm that solves the equations in polynomial time (see [Kipnis et al., Eurocrypt'99] and also [Courtois et al., PKC'02]). In the present paper, we give two algorithms to solve quadratic equations: one for the case n>(about)m^2-2m^{3/2}+2m and the other for the case n>m(m+1)/2+1. The first algorithm solves equations over any finite field in polynomial time. The second algorithm requires exponential time. However, the number of required variables is much smaller than in the first one, and the complexity is much less than that of exhaustive search.
Achieving a log(n) Speed Up for Boolean Matrix Operations and Calculating the Complexity of the Dense Linear Algebra step of Algebraic Stream Cipher Attacks and of Integer Factorization Methods
The purpose of this paper is to calculate the running time of dense boolean matrix operations, as used in stream cipher cryptanalysis and integer factorization. Several variations of Gaussian Elimination, Strassen's Algorithm and the Method of Four Russians are analyzed. In particular, we demonstrate that Strassen's Algorithm is actually slower than the Four Russians algorithm for matrices of the sizes encountered in these problems. To accomplish this, we introduce a new model for tabulating the running time, tracking matrix reads and writes rather than field operations, and retaining the coefficients rather than dropping them. Furthermore, we introduce an algorithm known heretofore only orally, a ``Modified Method of Four Russians'', which has not appeared in the literature before. This algorithm is times faster than Gaussian Elimination for dense boolean matrices. Finally, we list rough estimates for the running time of several recent stream cipher cryptanalysis attacks.
A Simple Deterministic Algorithm for Systems of Quadratic Polynomials over
This article discusses a simple deterministic algorithm for solving quadratic Boolean systems which is essentially a special case of more sophisticated methods. The main idea fits in a single sentence: guess enough variables so that the remaining quadratic equations can be solved by linearization (i.e. by considering each remaining monomial as an independent variable and solving the resulting linear system), and restart until the solution is found. Under strong heuristic assumptions, this finds all the solutions of quadratic polynomials in variables with operations. Although the best known algorithms require exponentially less time, the present technique has the advantage of being simpler to describe and easy to implement. In strong contrast with the state-of-the-art, it is also quite efficient in practice.
NOVA, a Noncommutative-ring Based Unbalanced Oil and Vinegar Signature Scheme with Key-randomness Alignment
In this paper, we propose a noncommutative-ring based unbalanced oil and vinegar signature scheme with key-randomness alignment: NOVA (Noncommutative Oil and Vinegar with Alignment). Instead of fields or even commutative rings, we show that noncommutative rings can be used for algebraic cryptosystems. At the same or better level of security requirement, NOVA has a much smaller public key than UOV (Unbalanced Oil and Vinegar), which makes NOVA practical in most situations. We use Magma to actually implement the scheme and give a detailed security analysis against known major attacks.
A Simple Noncommutative UOV Scheme
In this paper, we propose a simple noncommutative-ring based UOV signature scheme with key-randomness alignment: Simple NOVA, which can be viewed as a simplified version of NOVA [48]. We simplify the design of NOVA by skipping the perturbation trick used in NOVA, which shortens the key generation process and accelerates signing and verification. Together with a small corresponding modification, this alternative version of NOVA is also secure and may be more suitable for practical use. We also use Magma to actually implement the scheme and give a detailed security analysis against known major attacks.
MAYO: Optimized Implementation with Revised Parameters for ARMv7-M
We present an optimized constant-time implementation of the MAYO signature scheme on ARMv7-M. MAYO is a novel multivariate proposal based on the trapdoor function of the Unbalanced Oil and Vinegar scheme. Our implementation builds on existing techniques for UOV-based schemes and introduces a new approach for evaluating the polar forms of quadratic maps. We modify MAYO's original parameters to achieve greater benefits from the proposed optimizations, resulting in slightly larger keys and shorter signatures for the same level of security. We evaluate the optimized implementation with the new parameters on the STM32H753ZIT6 microcontroller and measure its performance for the signing and verification procedures. At NIST security level I, signing requires approximately 43M cycles, and verification requires approximately 6M cycles. Both are 2.6 times faster than the results obtained from the original parameters.