Loading in 5 sec....

Solving Systems of Quadratic EquationsPowerPoint Presentation

Solving Systems of Quadratic Equations

- 288 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Solving Systems of Quadratic Equations' - niveditha

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Solving Systems of Quadratic Equations

### Solving HFE Systems Using Buchberger Algorithm

HFE Systems are Special

### Number of Solutions of HFE Systems

I) General HFE Systems

II) The Affine Multiple Attack

Magnus Daum / Patrick Felke

Overview of Part I

- Review of HFE Systems:
parameters, hidden polynomial

- Solving by Using Buchberger Algorithm
- special properties of HFE systems
- simulations:
3) Number of solutions of HFE-Systems

- HFE polynomials general polynomials

- systems of arbitrary quadratic equations

HFE systems

Solving Systems of Quadratic Equations, Part I

parameters

Review: Parameters of an HFE Systemn – number of polynomials

and variables

blocklength

field extension degree

q – cardinality of the

smaller finite field

(fields: Fqand Fqn)

d – degree of the

hidden polynomial

Solving Systems of Quadratic Equations, Part I

transformations

public key

Review: ExampleSolving Systems of Quadratic Equations, Part I

Plaintext: ? ? ? ?

Ciphertext:

0 0 1 1

?

Review: Example - Decryptionwithout secret key:

solve system directly

OR

find transformation to univariate polynomial

of low degree

with secret key:

transform back to univariate polyno-

mial of low degree

Solving Systems of Quadratic Equations, Part I

but: expected degreed= q2(n-1)

finding zeros is not feasible

Review: Hidden Polynomial- transformation from univariate HFE-polynomialfto HFE-System is always possible
(construction of the public key)

- transformation from system of quadratic equationsto an univariate polynomial representing this system is always possible

Solving Systems of Quadratic Equations, Part I

Plaintext: ? ? ? ?

Ciphertext:

0 0 1 1

?

Review: Example - Decryptionwithout secret key:

try to solve system directly

OR

try to find transformation to univariate polynomial

of low degree

with secret key:

transform back to univariate polyno-

mial of low degree

Solving Systems of Quadratic Equations, Part I

General Approach : Example

Solving Systems of Quadratic Equations, Part I

degree of output poly-nomials may get very big

Buchberger algorithm has exponential worst case complexity

compute all solutions in algebraic closure

…

in general

only feasible for up to 10 variables

General Approach: ProblemsSolving Systems of Quadratic Equations, Part I

HFE Systems are Special

- defined over a very small finite field

- include only quadratic polynomials

- need only solutions in the base field Fq

- hidden polynomial of low degree

Solving Systems of Quadratic Equations, Part I

HFE Systems are Special

- defined over a very small finite field

- include only quadratic polynomials

- need only solutions in the base field Fq

- hidden polynomial of low degree

Solving Systems of Quadratic Equations, Part I

solutions we are looking for fulfil

Proposition:

Solutions in the Base FieldSolving Systems of Quadratic Equations, Part I

Solutions in the Base Field: Example

Solving Systems of Quadratic Equations, Part I

Solutions in the Base Field: Example

Solving Systems of Quadratic Equations, Part I

Solutions in the Base Field: Example

Buchberger algorithm

- Advantages:
- we compute only informa-tion we need
- degree of polynomials involved in this compu-tation is bounded

Solving Systems of Quadratic Equations, Part I

HFE Systems are Special

- defined over a very small finite field

- include only quadratic polynomials

- need only solutions in the base field Fq

- hidden polynomial of low degree

Solving Systems of Quadratic Equations, Part I

- defined over a very small finite field

- include only quadratic polynomials

- need only solutions in the base field Fq

- hidden polynomial of low degree

Solving Systems of Quadratic Equations, Part I

Hidden Polynomial

- Patarin / Courtois:
if hidden polynomial is of low degree or special form there are many relations between the polynomials in the HFE system

- one main idea of Buchberger algorithm is to make use of such relations in a sophisticated way

Solving Systems of Quadratic Equations, Part I

HFE Systems are Special

- defined over a very small finite field

- include only quadratic polynomials

- need only solutions in the base field Fq

- hidden polynomial

Solving Systems of Quadratic Equations, Part I

Simulations

- 96000 simulations
- parameters:
- HFE systems and random quadratic systems
- in each simulation:
- generate system of quadratic equations
(HFE or random)

- add polynomials
- solve by using Buchberger algorithm (with FGLM)

- generate system of quadratic equations

Solving Systems of Quadratic Equations, Part I

q=3d=12

q=2 d=20

q=3d=30

n

q=3d=90

q=2 d=128

4,00

6,00

8,00

10,00

12,00

14,00

16,00

18,00

20,00

- exponential time complexity
- not feasible for n greater than about 30-40

5,00

7,00

9,00

11,00

13,00

15,00

17,00

19,00

Simulations: Dependency on nSolving Systems of Quadratic Equations, Part I

time

time depends on rather than on d

Simulations: Dependency on dSolving Systems of Quadratic Equations, Part I

if d is not too small (approx. )

HFE systems behave like systems of random quadratic equations

(at least concerning Buchberger algorithm)

Simulations: Dependency on logqdSolving Systems of Quadratic Equations, Part I

Conclusion of this Section

- Buchberger algorithm is not feasible for solving HFE systems of usual parameters
- (small q, , )
- but:
- if d is very small, computation is much faster

- HFE systems with usual parameters seem to be very similar to systems of random quadratic equations

Solving Systems of Quadratic Equations, Part I

0

1

2

3

4

>4

number of systems with k solutions

27710

28012

13852

4565

1210

250

share

0,3665

0,3705

0,1832

0,0604

0,0160

0,0033

- very similar to Poisson distribution:

k

0

1

2

3

4

(k!e)-1

0,3679

0,3679

0,1839

0,0613

0,0153

Distribution of Numbers of SolutionsSolving Systems of Quadratic Equations, Part I

of solutions

hidden polynomial’s number of zeros

=

Hints Supporting this Assumption- numbers of zeros of general polynomials are distributed according to the Poisson distribution
- arithmetic mean and variance of the distribution of the numbers of zeros of HFE polynomials of bounded degree is very similar to that of a Poisson distribution

Solving Systems of Quadratic Equations, Part I

Applications to HFE

- gives another hint that we may consider HFE systems as systems of arbitrary quadratic equations
- allows to estimate the probabilities that encryption or signing will fail and to compute the amount of redundancy needed

Solving Systems of Quadratic Equations, Part I

Download Presentation

Connecting to Server..