Solving Systems of Quadratic Equations
Download
Report
Transcript Solving Systems of Quadratic Equations
Solving Systems of Quadratic
Equations
I) General HFE Systems
II) The Affine Multiple Attack
Magnus Daum / Patrick Felke
Overview of Part I
1) Review of HFE Systems:
parameters, hidden polynomial
2) Solving by Using Buchberger Algorithm
-
special properties of HFE systems
simulations:
systems of arbitrary
HFE systems quadratic equations
3) Number of solutions of HFE-Systems
18.07.2015
HFE polynomials general polynomials
Solving Systems of Quadratic Equations, Part I
Review of HFE Systems
Review: Parameters of an HFE System
n – number of polynomials
and variables
blocklength
field extension degree
q – cardinality of the
smaller finite field
(fields: Fq and Fq n)
d – degree of the
hidden polynomial
18.07.2015
Solving Systems of Quadratic Equations, Part I
public
parameters
Review: Example
+ secret affine
transformations
public key
18.07.2015
Solving Systems of Quadratic Equations, Part I
Review: Example - Decryption
Ciphertext:
0011
18.07.2015
Solving Systems of Quadratic Equations, Part I
Review: Example - Decryption
Plaintext:
????
Ciphertext:
with secret key:
transform back to
univariate polynomial of low degree
18.07.2015
?
without secret key:
solve system directly
OR
find transformation to
univariate polynomial
of low degree
Solving Systems of Quadratic Equations, Part I
0011
Review: Hidden Polynomial
• transformation from univariate HFE-polynomial f to
HFE-System is always possible
(construction of the public key)
• transformation from system of quadratic equations to
an univariate polynomial representing this system is
always possible
but: expected degree d= q2(n-1)
finding zeros is not feasible
18.07.2015
Solving Systems of Quadratic Equations, Part I
Review: Example - Decryption
Plaintext:
????
Ciphertext:
with secret key:
transform back to
univariate polynomial of low degree
18.07.2015
?
without secret key:
try to solve system directly
OR
try to find transformation to
univariate polynomial
of low degree
Solving Systems of Quadratic Equations, Part I
0011
Solving HFE Systems Using
Buchberger Algorithm
General Approach : Example
+1
0
0
18.07.2015
Solving Systems of Quadratic Equations, Part I
General Approach : Example
Buchberger algorithm
18.07.2015
Solving Systems of Quadratic Equations, Part I
General Approach : Example
18.07.2015
Solving Systems of Quadratic Equations, Part I
General Approach: Problems
• degree of output polynomials may get very big
• Buchberger algorithm has
exponential worst case
complexity
• compute all solutions in
algebraic closure
in general
only feasible for
up to 10
variables
• …
18.07.2015
Solving Systems of Quadratic Equations, Part I
HFE Systems are Special
•defined over a very small finite field
•include only quadratic polynomials
•need only solutions in the base field Fq
•hidden polynomial of low degree
18.07.2015
Solving Systems of Quadratic Equations, Part I
HFE Systems are Special
•defined over a very small finite field
•include only quadratic polynomials
•need only solutions in the base field Fq
•hidden polynomial of low degree
18.07.2015
Solving Systems of Quadratic Equations, Part I
Solutions in the Base Field
solutions we are looking for fulfil
Proposition:
18.07.2015
Solving Systems of Quadratic Equations, Part I
Solutions in the Base Field: Example
Buchberger algorithm
18.07.2015
Solving Systems of Quadratic Equations, Part I
Solutions in the Base Field: Example
18.07.2015
Solving Systems of Quadratic Equations, Part I
Solutions in the Base Field: Example
Buchberger algorithm
Advantages:
• we compute only informa-tion
we need
• degree of polynomials
involved in this compu-tation
is bounded
18.07.2015
Solving Systems of Quadratic Equations, Part I
HFE Systems are Special
•defined over a very small finite field
•include only quadratic polynomials
•need only solutions in the base field Fq
•hidden polynomial of low degree
18.07.2015
Solving Systems of Quadratic Equations, Part I
HFE Systems are Special
•defined over a very small finite field
•include only quadratic polynomials
•need only solutions in the base field Fq
•hidden polynomial of low degree
18.07.2015
Solving Systems of Quadratic Equations, Part I
Hidden Polynomial
• Patarin / Courtois:
if hidden polynomial is of low degree or
special form there are many relations
between the polynomials in the HFE system
• one main idea of Buchberger algorithm is to
make use of such relations in a sophisticated
way
18.07.2015
Solving Systems of Quadratic Equations, Part I
HFE Systems are Special
•defined over a very small finite field
•include only quadratic polynomials
•need only solutions in the base field Fq
•hidden polynomial
18.07.2015
Solving Systems of Quadratic Equations, Part I
Simulations
•
96000 simulations
• parameters:
• HFE systems and random quadratic systems
• in each simulation:
– generate system of quadratic equations
(HFE or random)
– add polynomials
– solve by using Buchberger algorithm (with FGLM)
18.07.2015
Solving Systems of Quadratic Equations, Part I
Simulations: Dependency on n
random
18.07.2015
Solving Systems of Quadratic Equations, Part I
random
Simulations: Dependency on n
q=3 d=12
q=2 d=20
log(time)
q=3 d=30
q=3 d=90
n
q=2 d=128
4,00 6,00 8,00 10,00 12,00 14,00 16,00 18,00 20,00
5,00 7,00 9,00 11,00 13,00 15,00 17,00 19,00
•exponential time complexity
•not feasible for n greater than about 30-40
18.07.2015
Solving Systems of Quadratic Equations, Part I
Simulations: Dependency on d
time
time
time depends on
18.07.2015
rather than on d
Solving Systems of Quadratic Equations, Part I
Simulations: Dependency on logqd
random
if d is not too small (approx.
)
HFE systems behave like systems of random
quadratic equations
(at least concerning Buchberger algorithm)
18.07.2015
Solving Systems of Quadratic Equations, Part I
Conclusion of this Section
• Buchberger algorithm is not feasible for solving
HFE systems of usual parameters
(small q,
,
)
but:
if d is very small, computation is much faster
• HFE systems with usual parameters seem to be
very similar to systems of random quadratic
equations
18.07.2015
Solving Systems of Quadratic Equations, Part I
Number of Solutions
of HFE Systems
Distribution of Numbers of Solutions
k
0
1
2
3
4
>4
number of systems
with k solutions
27710
28012
13852
4565
1210
250
share
0,3665
0,3705
0,1832
0,0604
0,0160
0,0033
• very similar to Poisson distribution:
k
-1
(k!e)
18.07.2015
0
1
2
0,3679
0,3679
0,1839
3
0,0613
4
0,0153
Solving Systems of Quadratic Equations, Part I
Hints Supporting this Assumption
system’s number
of solutions
=
hidden polynomial’s
number of zeros
• numbers of zeros of general polynomials are
distributed according to the Poisson
distribution
• arithmetic mean and variance of the
distribution of the numbers of zeros of HFE
polynomials of bounded degree is very similar
to that of a Poisson distribution
18.07.2015
Solving Systems of Quadratic Equations, Part I
Applications to HFE
• gives another hint that we may consider HFE
systems as systems of arbitrary quadratic
equations
• allows to estimate the probabilities that
encryption or signing will fail and to compute
the amount of redundancy needed
18.07.2015
Solving Systems of Quadratic Equations, Part I
Solving Systems of Quadratic
Equations
I) General HFE Systems
II) The Affine Multiple Attack
Solving Systems of Quadratic
Equations
I) General HFE Systems
II) The Affine Multiple Attack