Presentation is loading. Please wait.

Presentation is loading. Please wait.

Solving Systems of Quadratic Equations

Published byKlara Hafner Modified over 6 years ago

Similar presentations

Presentation on theme: "Solving Systems of Quadratic Equations"— Presentation transcript:

1 Solving Systems of Quadratic Equations
I) General HFE Systems II) The Affine Multiple Attack Magnus Daum / Patrick Felke

2 Overview of Part I Review of HFE Systems:
parameters, hidden polynomial Solving by Using Buchberger Algorithm special properties of HFE systems simulations: 3) Number of solutions of HFE-Systems HFE polynomials  general polynomials systems of arbitrary quadratic equations HFE systems  Solving Systems of Quadratic Equations, Part I

3 Review of HFE Systems

4 Review: Parameters of an HFE System
public parameters n – number of polynomials and variables blocklength field extension degree q – cardinality of the smaller finite field (fields: Fq and Fq n) d – degree of the hidden polynomial Solving Systems of Quadratic Equations, Part I

5 Solving Systems of Quadratic Equations, Part I
Review: Example + secret affine transformations public key Solving Systems of Quadratic Equations, Part I

6 Review: Example - Decryption
Ciphertext: Solving Systems of Quadratic Equations, Part I

7 Review: Example - Decryption
Plaintext: ? ? ? ? ? Ciphertext: without secret key: solve system directly OR find transformation to univariate polynomial of low degree with secret key: transform back to univariate polyno- mial of low degree Solving Systems of Quadratic Equations, Part I

8 Review: Hidden Polynomial
transformation from univariate HFE-polynomial f to HFE-System is always possible (construction of the public key) transformation from system of quadratic equations to an univariate polynomial representing this system is always possible but: expected degree d= q2(n-1) finding zeros is not feasible Solving Systems of Quadratic Equations, Part I

9 Review: Example - Decryption
Plaintext: ? ? ? ? ? Ciphertext: without secret key: try to solve system directly OR try to find transformation to univariate polynomial of low degree with secret key: transform back to univariate polyno- mial of low degree Idee: nochmal Rückblick als Überleitung Solving Systems of Quadratic Equations, Part I

10 Solving HFE Systems Using Buchberger Algorithm
Oder: „(by) Applying Buchberger Algorithm“??

11 General Approach : Example
+1 Solving Systems of Quadratic Equations, Part I

12 General Approach : Example
Buchberger algorithm Solving Systems of Quadratic Equations, Part I

13 General Approach : Example
Solving Systems of Quadratic Equations, Part I

14 General Approach: Problems
in general only feasible for up to 10 variables degree of output poly-nomials may get very big Buchberger algorithm has exponential worst case complexity compute all solutions in algebraic closure Praktische Komplexität!!!!!!!! Solving Systems of Quadratic Equations, Part I

15 HFE Systems are Special
defined over a very small finite field include only quadratic polynomials need only solutions in the base field Fq hidden polynomial of low degree Solving Systems of Quadratic Equations, Part I

16 HFE Systems are Special
defined over a very small finite field include only quadratic polynomials need only solutions in the base field Fq hidden polynomial of low degree Solving Systems of Quadratic Equations, Part I

17 Solutions in the Base Field
solutions we are looking for fulfil Proposition: Solving Systems of Quadratic Equations, Part I

18 Solutions in the Base Field: Example
Buchberger algorithm Solving Systems of Quadratic Equations, Part I

19 Solutions in the Base Field: Example
Solving Systems of Quadratic Equations, Part I

20 Solutions in the Base Field: Example
Buchberger algorithm Advantages: we compute only informa-tion we need degree of polynomials involved in this compu-tation is bounded Solving Systems of Quadratic Equations, Part I

21 HFE Systems are Special
defined over a very small finite field include only quadratic polynomials need only solutions in the base field Fq hidden polynomial of low degree Solving Systems of Quadratic Equations, Part I

22 HFE Systems are Special
defined over a very small finite field include only quadratic polynomials need only solutions in the base field Fq hidden polynomial of low degree Solving Systems of Quadratic Equations, Part I

23 Solving Systems of Quadratic Equations, Part I
Hidden Polynomial Patarin / Courtois: if hidden polynomial is of low degree or special form there are many relations between the polynomials in the HFE system one main idea of Buchberger algorithm is to make use of such relations in a sophisticated way Vergleich relations mit gaussian elimination, easy to combine to eliminate variables Also: kleine d vielleicht schneller lösbar mit Buchberger algorithm Solving Systems of Quadratic Equations, Part I

24 HFE Systems are Special
defined over a very small finite field include only quadratic polynomials need only solutions in the base field Fq hidden polynomial Solving Systems of Quadratic Equations, Part I

25 Solving Systems of Quadratic Equations, Part I
Simulations 96000 simulations parameters: HFE systems and random quadratic systems in each simulation: generate system of quadratic equations (HFE or random) add polynomials solve by using Buchberger algorithm (with FGLM) Solving Systems of Quadratic Equations, Part I

26 Simulations: Dependency on n
random Solving Systems of Quadratic Equations, Part I

27 Simulations: Dependency on n
q=3 d=12 q=2 d=20 q=3 d=30 q=3 d=90 q=2 d=128 20,00 19,00 18,00 17,00 16,00 15,00 14,00 13,00 12,00 11,00 10,00 9,00 8,00 7,00 6,00 5,00 4,00 log(time) n Noch asymptotische Laufzeiten exponential time complexity not feasible for n greater than about 30-40 Solving Systems of Quadratic Equations, Part I

28 Simulations: Dependency on d
time An Tafel erklären wenn Zeit time depends on rather than on d Solving Systems of Quadratic Equations, Part I

29 Simulations: Dependency on logqd
random thresholds exist, so that for greater d the time needed to solve the HFE system is not significantly faster then for a random quadratic system Zufällig ersetzen durch random und „ungefähr gleich n“ if d is not too small (approx ) HFE systems behave like systems of random quadratic equations (at least concerning Buchberger algorithm) Solving Systems of Quadratic Equations, Part I

30 Conclusion of this Section
Buchberger algorithm is not feasible for solving HFE systems of usual parameters (small q, , ) but: if d is very small, computation is much faster HFE systems with usual parameters seem to be very similar to systems of random quadratic equations Solving Systems of Quadratic Equations, Part I

31 Number of Solutions of HFE Systems
Noch rein, eine oder zwei Folien mit ergebnissen aus simulationen, wichtig: HFE-Systeme entsprechen schon für relativ kleinen Grad einem allgemeinen quadratischen System Mass für Injektivität/Surjektivität

32 Distribution of Numbers of Solutions
0,0033 0,0160 0,0604 0,1832 0,3705 0,3665 share 250 1210 4565 13852 28012 27710 number of systems with k solutions >4 4 3 2 1 k very similar to Poisson distribution: 0,0153 0,0613 0,1839 0,3679 (k!e)-1 4 3 2 1 k Solving Systems of Quadratic Equations, Part I

33 Hints Supporting this Assumption
system’s number of solutions hidden polynomial’s number of zeros = numbers of zeros of general polynomials are distributed according to the Poisson distribution arithmetic mean and variance of the distribution of the numbers of zeros of HFE polynomials of bounded degree is very similar to that of a Poisson distribution Solving Systems of Quadratic Equations, Part I

34 Solving Systems of Quadratic Equations, Part I
Applications to HFE gives another hint that we may consider HFE systems as systems of arbitrary quadratic equations allows to estimate the probabilities that encryption or signing will fail and to compute the amount of redundancy needed Solving Systems of Quadratic Equations, Part I

35 Solving Systems of Quadratic Equations
I) General HFE Systems II) The Affine Multiple Attack

36 Solving Systems of Quadratic Equations
I) General HFE Systems II) The Affine Multiple Attack

Download ppt "Solving Systems of Quadratic Equations"

Similar presentations

Chapter 0 Review of Algebra.

Chapter 0 Review of Algebra.
Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Solving Systems of Equations with Incompatible Operations CITS.

Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Solving Systems of Equations with Incompatible Operations CITS.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Finding Zeros Given the Graph of a Polynomial Function Chapter 5.6.

Finding Zeros Given the Graph of a Polynomial Function Chapter 5.6.
Computing the Rational Univariate Reduction by Sparse Resultants Koji Ouchi, John Keyser, J. Maurice Rojas Department of Computer Science, Mathematics.

Computing the Rational Univariate Reduction by Sparse Resultants Koji Ouchi, John Keyser, J. Maurice Rojas Department of Computer Science, Mathematics.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
7.4 Solving Polynomial Equations Objectives: Solve polynomial equations. Find the real zeros of polynomial functions and state the multiplicity of each.

7.4 Solving Polynomial Equations Objectives: Solve polynomial equations. Find the real zeros of polynomial functions and state the multiplicity of each.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.
Solve Problems by Solving Polynomial Equations Chapter Six: the BIG PICTURE.

Solve Problems by Solving Polynomial Equations Chapter Six: the BIG PICTURE.
Role of Zero in Factoring

Role of Zero in Factoring
Solving Quadratic Equations by Factoring MATH 018 Combined Algebra S. Rook.

Solving Quadratic Equations by Factoring MATH 018 Combined Algebra S. Rook.
© 2013 Toshiba Corporation An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces Chiho Mihara (TOSHIBA Corp.)

© 2013 Toshiba Corporation An Estimation of Computational Complexity for the Section Finding Problem on Algebraic Surfaces Chiho Mihara (TOSHIBA Corp.)
Univariate Linear Regression Problem Model: Y=  0 +  1 X+  Test: H 0 : β 1 =0. Alternative: H 1 : β 1 >0. The distribution of Y is normal under both.

Univariate Linear Regression Problem Model: Y=  0 +  1 X+  Test: H 0 : β 1 =0. Alternative: H 1 : β 1 >0. The distribution of Y is normal under both.
ALGEBRA 1 SECTION 10.4 Use Square Roots to Solve Quadratic Equations Big Idea: Solve quadratic equations Essential Question: How do you solve a quadratic.

ALGEBRA 1 SECTION 10.4 Use Square Roots to Solve Quadratic Equations Big Idea: Solve quadratic equations Essential Question: How do you solve a quadratic.
Copyright 2012, Toshiba Corporation. A Survey on the Algebraic Surface Cryptosystems Koichiro Akiyama ( TOSHIBA Corporation ) Joint work with Prof. Yasuhiro.

Copyright 2012, Toshiba Corporation. A Survey on the Algebraic Surface Cryptosystems Koichiro Akiyama ( TOSHIBA Corporation ) Joint work with Prof. Yasuhiro.
Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology On the Security of HFE, HFEv- and Quartz Nicolas T. CourtoisMagnus DaumPatrick.

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology On the Security of HFE, HFEv- and Quartz Nicolas T. CourtoisMagnus DaumPatrick.
Solve polynomial equations with complex solutions by using the Fundamental Theorem of Algebra. 5-6 THE FUNDAMENTAL THEOREM OF ALGEBRA.

Solve polynomial equations with complex solutions by using the Fundamental Theorem of Algebra. 5-6 THE FUNDAMENTAL THEOREM OF ALGEBRA.
Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Some new aspects concerning the Analysis of HFE type Cryptosystems Magnus.

Ruhr University Bochum Faculty of Mathematics Information-Security and Cryptology Some new aspects concerning the Analysis of HFE type Cryptosystems Magnus.
Sec Math II 1.3.

Sec Math II 1.3.
Elimination Method - Systems. Elimination Method  With the elimination method, you create like terms that add to zero.

Elimination Method - Systems. Elimination Method  With the elimination method, you create like terms that add to zero.

Similar presentations

Ads by Google