Results 1-10 of 363
Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases
On the complexity of Gröbner basis computation of semi-regular overdetermined . . .
2004
Cube Attacks on Tweakable Black Box Polynomials
in Proceedings of the 28th Annual International Conference on Advances in Cryptology: The Theory and Applications of Cryptographic Techniques, LNCS 5479
2009
Cited by 91 (8 self)
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF(2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2^55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2^19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2^30 bit operations. Trivium with 767 initialization rounds can now be broken with 2^45 bit operations, and the complexity of the attack can almost certainly be further reduced to about 2^36 bit operations. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds, and were not expected to succeed on random looking polynomials, cube attacks are provably successful when applied to random polynomials of degree d over n secret variables whenever the number m of public variables exceeds d + log_d n. Their complexity is 2^(d-1) n + n^2 bit operations, which is polynomial in n and amazingly low when d is small.
Cube attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box (even when nothing is known about its internal structure) as long as at least one output bit can be represented by (an unknown) polynomial of relatively low degree in the secret and public variables.
Numerical Decomposition of the Solution Sets of Polynomial Systems into Irreducible Components
2001
Cited by 76 (36 self)
In engineering and applied mathematics, polynomial systems arise whose solution sets contain components of different dimensions and multiplicities. In this article we present algorithms, based on homotopy continuation, that compute much of the geometric information contained in the primary decomposition of the solution set. In particular, ignoring multiplicities, our algorithms lay out the decomposition of the set of solutions into irreducible components, by finding, at each dimension, generic points on each component. As byproducts, the computation also determines the degree of each component and an upper bound on its multiplicity. The bound is sharp (i.e., equal to one) for reduced components. The algorithms make essential use of generic projection and interpolation, and can, if desired, describe each irreducible component precisely as the common zeroes of a finite number of polynomials.
Minimizing polynomial functions
 PROCEEDINGS OF THE DIMACS WORKSHOP ON ALGORITHMIC AND QUANTITATIVE ASPECTS OF REAL ALGEBRAIC GEOMETRY IN MATHEMATICS AND COMPUTER SCIENCE
2003
Cited by 60 (3 self)
We compare algorithms for global optimization of polynomial functions in many variables. It is demonstrated that existing algebraic methods (Gröbner bases, resultants, homotopy methods) are dramatically outperformed by a relaxation technique, due to N.Z. Shor and the first author, which involves sums of squares and semidefinite programming. This opens up the possibility of using semidefinite programming relaxations arising from the Positivstellensatz for a wide range of computational problems in real algebraic geometry.
Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems
 In MEGA’05, 2005. Eighth International Symposium on Effective Methods in Algebraic Geometry
Cited by 46 (25 self)
We compute the asymptotic expansion of the degree of regularity for overdetermined semi-regular sequences of algebraic equations. This degree implies bounds for the generic complexity of Gröbner bases algorithms, in particular the F5 [Fau02] algorithm. Bounds can also be derived for the XL [SPCK00] family of algorithms used by the cryptographic community.
1 Motivations and Results
The worst-case complexity of Gröbner bases has been the object of extensive studies. In the most general case, it is well known after work by Mayr and Meyer that the complexity is doubly exponential in the number of variables. For subclasses of polynomial systems, the complexity may be much smaller. Of particular importance is the class of regular sequences of polynomials. There, it is known that after a generic linear change of variables the complexity of the computation for the degree-reverse-lexicographic order is simply exponential in the number of variables. Moreover, in characteristic 0, these systems are generic. Our goal is to give similar complexity bounds for overdetermined systems, for a class of systems that we
Using monodromy to decompose solution sets of polynomial systems into irreducible components
PROCEEDINGS OF A NATO CONFERENCE, FEBRUARY 25 - MARCH 1, 2001, EILAT
2001
Newton’s method with deflation for isolated singularities of polynomial systems
 Theor. Comp. Sci. 359
Cited by 45 (12 self)
We present a modification of Newton’s method to restore quadratic convergence for isolated singular solutions of polynomial systems. Our method is symbolic-numeric: we produce a new polynomial system which has the original multiple solution as a regular root. We show that the number of deflation stages is bounded by the multiplicity of the isolated root. Our implementation performs well on a large class of applications. 2000 Mathematics Subject Classification. Primary 65H10. Secondary 14Q99, 68W30. Key words and phrases. Newton’s method, deflation, numerical homotopy algorithms, symbolic-numeric computations.
Algebraic Cryptanalysis of McEliece Variants with Compact Keys
 In Proceedings of Eurocrypt 2010
Cited by 45 (11 self)
Abstract. In this paper we propose a new approach to investigate the security of the McEliece cryptosystem. We recall that this cryptosystem relies on the use of error-correcting codes. Since its invention thirty years ago, no efficient attack had been devised that managed to recover the private key. We prove that the private key of the cryptosystem satisfies a system of bihomogeneous polynomial equations. This property is due to the particular class of codes considered, which are alternant codes. We have used these highly structured algebraic equations to mount an efficient key-recovery attack against two recent variants of the McEliece cryptosystems that aim at reducing public key sizes. These two compact variants of McEliece managed to propose keys with less than 20,000 bits. To do so, they proposed to use quasi-cyclic or dyadic structures. An implementation of our algebraic attack in the computer algebra system MAGMA allows one to find the secret key in a negligible time (less than one second) for almost all the proposed challenges. For instance, a private key designed for a 256-bit security has been found in 0.06 seconds with about 2^17.8 operations.