1 / 36

Solving Systems of Quadratic Equations

Solving Systems of Quadratic Equations. I) General HFE Systems II) The Affine Multiple Attack Magnus Daum / Patrick Felke. Overview of Part I. Review of HFE Systems: parameters, hidden polynomial Solving by Using Buchberger Algorithm special properties of HFE systems simulations:

niveditha
Download Presentation

Solving Systems of Quadratic Equations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Solving Systems of Quadratic Equations I) General HFE Systems II) The Affine Multiple Attack Magnus Daum / Patrick Felke

  2. Overview of Part I • Review of HFE Systems: parameters, hidden polynomial • Solving by Using Buchberger Algorithm • special properties of HFE systems • simulations: 3) Number of solutions of HFE-Systems • HFE polynomials  general polynomials • systems of arbitrary quadratic equations HFE systems  Solving Systems of Quadratic Equations, Part I

  3. Review of HFE Systems

  4. public parameters Review: Parameters of an HFE System n – number of polynomials and variables blocklength field extension degree q – cardinality of the smaller finite field (fields: Fqand Fqn) d – degree of the hidden polynomial Solving Systems of Quadratic Equations, Part I

  5. + secret affine transformations public key Review: Example Solving Systems of Quadratic Equations, Part I

  6. Ciphertext: 0 0 1 1 Review: Example - Decryption Solving Systems of Quadratic Equations, Part I

  7. Plaintext: ? ? ? ? Ciphertext: 0 0 1 1 ? Review: Example - Decryption without secret key: solve system directly OR find transformation to univariate polynomial of low degree with secret key: transform back to univariate polyno- mial of low degree Solving Systems of Quadratic Equations, Part I

  8. but: expected degreed= q2(n-1) finding zeros is not feasible Review: Hidden Polynomial • transformation from univariate HFE-polynomialfto HFE-System is always possible (construction of the public key) • transformation from system of quadratic equationsto an univariate polynomial representing this system is always possible Solving Systems of Quadratic Equations, Part I

  9. Plaintext: ? ? ? ? Ciphertext: 0 0 1 1 ? Review: Example - Decryption without secret key: try to solve system directly OR try to find transformation to univariate polynomial of low degree with secret key: transform back to univariate polyno- mial of low degree Solving Systems of Quadratic Equations, Part I

  10. Solving HFE Systems Using Buchberger Algorithm

  11. +1 0 0 General Approach : Example Solving Systems of Quadratic Equations, Part I

  12. Buchberger algorithm General Approach : Example Solving Systems of Quadratic Equations, Part I

  13. General Approach : Example Solving Systems of Quadratic Equations, Part I

  14. degree of output poly-nomials may get very big Buchberger algorithm has exponential worst case complexity compute all solutions in algebraic closure … in general only feasible for up to 10 variables General Approach: Problems Solving Systems of Quadratic Equations, Part I

  15. HFE Systems are Special • defined over a very small finite field • include only quadratic polynomials • need only solutions in the base field Fq • hidden polynomial of low degree Solving Systems of Quadratic Equations, Part I

  16. HFE Systems are Special • defined over a very small finite field • include only quadratic polynomials • need only solutions in the base field Fq • hidden polynomial of low degree Solving Systems of Quadratic Equations, Part I

  17. solutions we are looking for fulfil Proposition: Solutions in the Base Field Solving Systems of Quadratic Equations, Part I

  18. Buchberger algorithm Solutions in the Base Field: Example Solving Systems of Quadratic Equations, Part I

  19. Solutions in the Base Field: Example Solving Systems of Quadratic Equations, Part I

  20. Solutions in the Base Field: Example Buchberger algorithm • Advantages: • we compute only informa-tion we need • degree of polynomials involved in this compu-tation is bounded Solving Systems of Quadratic Equations, Part I

  21. HFE Systems are Special • defined over a very small finite field • include only quadratic polynomials • need only solutions in the base field Fq • hidden polynomial of low degree Solving Systems of Quadratic Equations, Part I

  22. HFE Systems are Special • defined over a very small finite field • include only quadratic polynomials • need only solutions in the base field Fq • hidden polynomial of low degree Solving Systems of Quadratic Equations, Part I

  23. Hidden Polynomial • Patarin / Courtois: if hidden polynomial is of low degree or special form there are many relations between the polynomials in the HFE system • one main idea of Buchberger algorithm is to make use of such relations in a sophisticated way Solving Systems of Quadratic Equations, Part I

  24. HFE Systems are Special • defined over a very small finite field • include only quadratic polynomials • need only solutions in the base field Fq • hidden polynomial Solving Systems of Quadratic Equations, Part I

  25. Simulations • 96000 simulations • parameters: • HFE systems and random quadratic systems • in each simulation: • generate system of quadratic equations (HFE or random) • add polynomials • solve by using Buchberger algorithm (with FGLM) Solving Systems of Quadratic Equations, Part I

  26. random random Simulations: Dependency on n Solving Systems of Quadratic Equations, Part I

  27. log(time) q=3d=12 q=2 d=20 q=3d=30 n q=3d=90 q=2 d=128 4,00 6,00 8,00 10,00 12,00 14,00 16,00 18,00 20,00 • exponential time complexity • not feasible for n greater than about 30-40 5,00 7,00 9,00 11,00 13,00 15,00 17,00 19,00 Simulations: Dependency on n Solving Systems of Quadratic Equations, Part I

  28. time     time   time depends on rather than on d Simulations: Dependency on d Solving Systems of Quadratic Equations, Part I

  29. random if d is not too small (approx. ) HFE systems behave like systems of random quadratic equations (at least concerning Buchberger algorithm) Simulations: Dependency on logqd Solving Systems of Quadratic Equations, Part I

  30. Conclusion of this Section • Buchberger algorithm is not feasible for solving HFE systems of usual parameters • (small q, , ) • but: • if d is very small, computation is much faster • HFE systems with usual parameters seem to be very similar to systems of random quadratic equations Solving Systems of Quadratic Equations, Part I

  31. Number of Solutions of HFE Systems

  32. k 0 1 2 3 4 >4 number of systems with k solutions 27710 28012 13852 4565 1210 250 share 0,3665 0,3705 0,1832 0,0604 0,0160 0,0033 • very similar to Poisson distribution: k 0 1 2 3 4 (k!e)-1 0,3679 0,3679 0,1839 0,0613 0,0153 Distribution of Numbers of Solutions Solving Systems of Quadratic Equations, Part I

  33. system’s number of solutions hidden polynomial’s number of zeros = Hints Supporting this Assumption • numbers of zeros of general polynomials are distributed according to the Poisson distribution • arithmetic mean and variance of the distribution of the numbers of zeros of HFE polynomials of bounded degree is very similar to that of a Poisson distribution Solving Systems of Quadratic Equations, Part I

  34. Applications to HFE • gives another hint that we may consider HFE systems as systems of arbitrary quadratic equations • allows to estimate the probabilities that encryption or signing will fail and to compute the amount of redundancy needed Solving Systems of Quadratic Equations, Part I

  35. Solving Systems of Quadratic Equations I) General HFE Systems II) The Affine Multiple Attack

  36. Solving Systems of Quadratic Equations I) General HFE Systems II) The Affine Multiple Attack

More Related