Solving systems of quadratic equations
Download
1 / 36

Solving Systems of Quadratic Equations - PowerPoint PPT Presentation


  • 288 Views
  • Uploaded on

Solving Systems of Quadratic Equations. I) General HFE Systems II) The Affine Multiple Attack Magnus Daum / Patrick Felke. Overview of Part I. Review of HFE Systems: parameters, hidden polynomial Solving by Using Buchberger Algorithm special properties of HFE systems simulations:

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Solving Systems of Quadratic Equations' - niveditha


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Solving systems of quadratic equations

Solving Systems of Quadratic Equations

I) General HFE Systems

II) The Affine Multiple Attack

Magnus Daum / Patrick Felke


Overview of part i
Overview of Part I

  • Review of HFE Systems:

    parameters, hidden polynomial

  • Solving by Using Buchberger Algorithm

    • special properties of HFE systems

    • simulations:

      3) Number of solutions of HFE-Systems

    • HFE polynomials  general polynomials

  • systems of arbitrary quadratic equations

HFE systems 

Solving Systems of Quadratic Equations, Part I



Review parameters of an hfe system

public

parameters

Review: Parameters of an HFE System

n – number of polynomials

and variables

blocklength

field extension degree

q – cardinality of the

smaller finite field

(fields: Fqand Fqn)

d – degree of the

hidden polynomial

Solving Systems of Quadratic Equations, Part I


Review example

+ secret affine

transformations

public key

Review: Example

Solving Systems of Quadratic Equations, Part I


Review example decryption

Ciphertext:

0 0 1 1

Review: Example - Decryption

Solving Systems of Quadratic Equations, Part I


Review example decryption1

Plaintext: ? ? ? ?

Ciphertext:

0 0 1 1

?

Review: Example - Decryption

without secret key:

solve system directly

OR

find transformation to univariate polynomial

of low degree

with secret key:

transform back to univariate polyno-

mial of low degree

Solving Systems of Quadratic Equations, Part I


Review hidden polynomial

but: expected degreed= q2(n-1)

finding zeros is not feasible

Review: Hidden Polynomial

  • transformation from univariate HFE-polynomialfto HFE-System is always possible

    (construction of the public key)

  • transformation from system of quadratic equationsto an univariate polynomial representing this system is always possible

Solving Systems of Quadratic Equations, Part I


Review example decryption2

Plaintext: ? ? ? ?

Ciphertext:

0 0 1 1

?

Review: Example - Decryption

without secret key:

try to solve system directly

OR

try to find transformation to univariate polynomial

of low degree

with secret key:

transform back to univariate polyno-

mial of low degree

Solving Systems of Quadratic Equations, Part I


Solving hfe systems using buchberger algorithm

Solving HFE Systems Using Buchberger Algorithm


General approach example

+1

0

0

General Approach : Example

Solving Systems of Quadratic Equations, Part I


General approach example1

Buchberger algorithm

General Approach : Example

Solving Systems of Quadratic Equations, Part I


General approach example2
General Approach : Example

Solving Systems of Quadratic Equations, Part I


General approach problems

degree of output poly-nomials may get very big

Buchberger algorithm has exponential worst case complexity

compute all solutions in algebraic closure

in general

only feasible for up to 10 variables

General Approach: Problems

Solving Systems of Quadratic Equations, Part I


Hfe systems are special
HFE Systems are Special

  • defined over a very small finite field

  • include only quadratic polynomials

  • need only solutions in the base field Fq

  • hidden polynomial of low degree

Solving Systems of Quadratic Equations, Part I


Hfe systems are special1
HFE Systems are Special

  • defined over a very small finite field

  • include only quadratic polynomials

  • need only solutions in the base field Fq

  • hidden polynomial of low degree

Solving Systems of Quadratic Equations, Part I


Solutions in the base field

solutions we are looking for fulfil

Proposition:

Solutions in the Base Field

Solving Systems of Quadratic Equations, Part I


Solutions in the base field example

Buchberger algorithm

Solutions in the Base Field: Example

Solving Systems of Quadratic Equations, Part I


Solutions in the base field example1
Solutions in the Base Field: Example

Solving Systems of Quadratic Equations, Part I


Solutions in the base field example2
Solutions in the Base Field: Example

Buchberger algorithm

  • Advantages:

  • we compute only informa-tion we need

  • degree of polynomials involved in this compu-tation is bounded

Solving Systems of Quadratic Equations, Part I


Hfe systems are special2
HFE Systems are Special

  • defined over a very small finite field

  • include only quadratic polynomials

  • need only solutions in the base field Fq

  • hidden polynomial of low degree

Solving Systems of Quadratic Equations, Part I


Hfe systems are special3
HFE Systems are Special

  • defined over a very small finite field

  • include only quadratic polynomials

  • need only solutions in the base field Fq

  • hidden polynomial of low degree

Solving Systems of Quadratic Equations, Part I


Hidden polynomial
Hidden Polynomial

  • Patarin / Courtois:

    if hidden polynomial is of low degree or special form there are many relations between the polynomials in the HFE system

  • one main idea of Buchberger algorithm is to make use of such relations in a sophisticated way

Solving Systems of Quadratic Equations, Part I


Hfe systems are special4
HFE Systems are Special

  • defined over a very small finite field

  • include only quadratic polynomials

  • need only solutions in the base field Fq

  • hidden polynomial

Solving Systems of Quadratic Equations, Part I


Simulations
Simulations

  • 96000 simulations

  • parameters:

  • HFE systems and random quadratic systems

  • in each simulation:

    • generate system of quadratic equations

      (HFE or random)

    • add polynomials

    • solve by using Buchberger algorithm (with FGLM)

Solving Systems of Quadratic Equations, Part I


Simulations dependency on n

random

random

Simulations: Dependency on n

Solving Systems of Quadratic Equations, Part I


Simulations dependency on n1

log(time)

q=3d=12

q=2 d=20

q=3d=30

n

q=3d=90

q=2 d=128

4,00

6,00

8,00

10,00

12,00

14,00

16,00

18,00

20,00

  • exponential time complexity

  • not feasible for n greater than about 30-40

5,00

7,00

9,00

11,00

13,00

15,00

17,00

19,00

Simulations: Dependency on n

Solving Systems of Quadratic Equations, Part I


Simulations dependency on d

time

time

time depends on rather than on d

Simulations: Dependency on d

Solving Systems of Quadratic Equations, Part I


Simulations dependency on log q d

random

if d is not too small (approx. )

HFE systems behave like systems of random quadratic equations

(at least concerning Buchberger algorithm)

Simulations: Dependency on logqd

Solving Systems of Quadratic Equations, Part I


Conclusion of this section
Conclusion of this Section

  • Buchberger algorithm is not feasible for solving HFE systems of usual parameters

  • (small q, , )

  • but:

  • if d is very small, computation is much faster

  • HFE systems with usual parameters seem to be very similar to systems of random quadratic equations

Solving Systems of Quadratic Equations, Part I


Number of solutions of hfe systems

Number of Solutions of HFE Systems


Distribution of numbers of solutions

k

0

1

2

3

4

>4

number of systems with k solutions

27710

28012

13852

4565

1210

250

share

0,3665

0,3705

0,1832

0,0604

0,0160

0,0033

  • very similar to Poisson distribution:

k

0

1

2

3

4

(k!e)-1

0,3679

0,3679

0,1839

0,0613

0,0153

Distribution of Numbers of Solutions

Solving Systems of Quadratic Equations, Part I


Hints supporting this assumption

system’s number

of solutions

hidden polynomial’s number of zeros

=

Hints Supporting this Assumption

  • numbers of zeros of general polynomials are distributed according to the Poisson distribution

  • arithmetic mean and variance of the distribution of the numbers of zeros of HFE polynomials of bounded degree is very similar to that of a Poisson distribution

Solving Systems of Quadratic Equations, Part I


Applications to hfe
Applications to HFE

  • gives another hint that we may consider HFE systems as systems of arbitrary quadratic equations

  • allows to estimate the probabilities that encryption or signing will fail and to compute the amount of redundancy needed

Solving Systems of Quadratic Equations, Part I


Solving systems of quadratic equations1

Solving Systems of Quadratic Equations

I) General HFE Systems

II) The Affine Multiple Attack


Solving systems of quadratic equations2

Solving Systems of Quadratic Equations

I) General HFE Systems

II) The Affine Multiple Attack


ad