Efficient GF(p^m) Arithmetic Architectures for Cryptographic Applications

Several public key cryptosystems (HFE, Quartz, Sflash, etc.) are based on the problem MQ of solving a system of multivariate quadratic equations over a finite field. At Asiacrypt 2002, Courtois and Pieprzyk showed that the MQ problem is also relevant to the security of AES. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving MQ. They showed that if the number of equations m is much larger than the number of variables n, such overdefined MQ systems can be easily solved. From their simplified and heuristic analysis it seemed that even when m = n, a variant of XL could still be subexponential. The exact complexity of the XL algorithm remained an open problem. Moreover, all their simulations were done over GF(127) with D < 127, where D is the parameter of the XL algorithm. At Asiacrypt 2002, an algorithm XSL, derived from XL, was introduced for the cryptanalysis of block ciphers [5]. Very little is known about the behaviour of XSL, and we believe that one should study the XL algorithm itself first. In this paper we study the behaviour of XL for systems of quadratic equations over GF(2). We show that the ability to use the field equations of GF(2), x_i^2 = x_i, which are also quadratic, makes the XL algorithm work better. We also introduce two improved versions of XL, called XL' and XL2, with an improved final step of the algorithm (which can also be used in XSL). We present an explanation for the linear dependencies that appear in the XL algorithm, and derive a formula for the number of linearly independent equations in XL or XL2. Then we run various computer simulations and observe that this formula is always satisfied. Apparently we are able to predict exactly the behaviour of XL, XL' and XL2 for random systems of equations. Due to the entanglement of linear dependencies, the analysis of XL becomes increasingly difficult, and XL may in fact be exponential for m = n.
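As an added illustration, not code from the paper, the following toy implementation carries out the XL expansion described above over GF(2): each quadratic equation is multiplied by all monomials of degree at most D-2, products are reduced with the field equations x_i^2 = x_i, the monomials are linearized into columns, and the rank of the resulting GF(2) matrix is compared with the number of equations generated; the gap is the linear dependencies the abstract discusses. The function names, the bitmask representation and the seeded random sample system are this example's own assumptions.

```python
import itertools
import random

def monomials(n, max_deg):
    """Squarefree monomials in n variables of degree <= max_deg as frozensets of
    variable indices (over GF(2), x_i^2 = x_i makes every monomial squarefree)."""
    return [frozenset(c) for d in range(max_deg + 1) for c in itertools.combinations(range(n), d)]

def random_quadratic_system(n, m, rng):
    """m random quadratic polynomials over GF(2), each the set of its monomials (constructed input)."""
    quad = monomials(n, 2)
    return [{t for t in quad if rng.random() < 0.5} for _ in range(m)]

def multiply(poly, mono):
    """Polynomial times monomial over GF(2): the set union applies x_i^2 = x_i, and
    terms that coincide after reduction cancel in pairs (symmetric difference)."""
    out = set()
    for t in poly:
        out ^= {t | mono}
    return out

def xl_matrix(system, n, D):
    """XL (Macaulay-style) matrix for parameter D >= 2, rows as GF(2) bitmasks: each
    equation times each monomial of degree <= D-2; columns are monomials of degree <= D."""
    col = {t: j for j, t in enumerate(monomials(n, D))}
    rows = []
    for poly in system:
        for mono in monomials(n, D - 2):
            prod = multiply(poly, mono)
            if prod:  # the product may vanish, e.g. x*(x + 1) = x + x = 0
                rows.append(sum(1 << col[t] for t in prod))
    return rows, len(col)

def gf2_rank(rows):
    """Rank over GF(2) by incremental elimination on each row's leading bit."""
    pivots = {}
    for r in rows:
        while r:
            hi = r.bit_length() - 1
            if hi not in pivots:
                pivots[hi] = r
                break
            r ^= pivots[hi]
    return len(pivots)

def xl_summary(n, m, D, seed=1):
    """Generated vs. linearly independent XL equations for a seeded random system."""
    rows, ncols = xl_matrix(random_quadratic_system(n, m, random.Random(seed)), n, D)
    return {"equations": len(rows), "monomials": ncols, "independent": gf2_rank(rows)}
```

For the hand-checkable system f1 = x0*x1 + x0, f2 = x0*x1 + x1 with n = 2 and D = 3, four products are generated but only two are independent, because x1*f1 and x0*f2 vanish under x_i^2 = x_i and the surviving products are duplicates.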

[1] Willi Meier, et al. Solving Underdefined Systems of Multivariate Quadratic Equations, 2002, Public Key Cryptography.

[2] Matthew K. Franklin, et al. Identity-Based Encryption from the Weil Pairing, 2001, CRYPTO.

[3] Gerardo Orlando, et al. Efficient Elliptic Curve Processor Architectures for Field Programmable Logic, 2002.

[4] Adi Shamir, et al. Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations, 2000, EUROCRYPT.

[5] Nigel P. Smart, et al. Hardware Implementation of Finite Fields of Characteristic Three, 2002, CHES.

[6] Christof Paar, et al. Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings, 2006, CHES.

[7] Jacques Patarin, et al. Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms, 1996, EUROCRYPT.

[8] Jorge Guajardo, Thomas Wollinger, Christof Paar. Area Efficient GF(p) Architectures for GF(p^m) Multipliers, 2002.

[9] Hugo Krawczyk, et al. Advances in Cryptology - CRYPTO '98, 1998.

[10] Keshab K. Parhi, et al. Efficient standard basis Reed-Solomon encoder, 1996, 1996 IEEE International Conference on Acoustics, Speech, and Signal Processing Conference Proceedings.

[11] Neal Zierler, et al. On Primitive Trinomials (Mod 2), 1968, Inf. Control.

[12] Hu Chuan-Gan, et al. On The Shift Register Sequences, 2004.

[13] Steven D. Galbraith, et al. Implementing the Tate Pairing, 2002, ANTS.

[14] David S. Johnson, et al. Computers and Intractability: A Guide to the Theory of NP-Completeness, 1978.

[15] Ian F. Blake, et al. Constructive problems for irreducible polynomials over finite fields, 1993, Information Theory and Applications.

[16] Anatolij A. Karatsuba, et al. Multiplication of Multidigit Numbers on Automata, 1963.

[17] Neal Koblitz, et al. Hyperelliptic cryptosystems, 1989, Journal of Cryptology.

[18] Neal Koblitz, et al. An Elliptic Curve Implementation of the Finite Field Digital Signature Algorithm, 1998, CRYPTO.

[19] Joachim von zur Gathen, et al. Exponentiation in Finite Fields: Theory and Practice, 1997, AAECC.

[20] W. J. Thron, et al. Encyclopedia of Mathematics and its Applications, 1982.

[21] Don Coppersmith, et al. Matrix multiplication via arithmetic progressions, 1987, STOC.

[22] N. Koblitz. Elliptic curve cryptosystems, 1987.

[23] Moti Yung, et al. Advances in Cryptology - CRYPTO 2002, 2002, Lecture Notes in Computer Science.

[24] Dong-Young Park, et al. Efficient multiplier architecture using optimized irreducible polynomial over GF((3^n)^3), 1999, Proceedings of IEEE Region 10 Conference, TENCON 99: 'Multimedia Technology for Asia-Pacific Information Infrastructure' (Cat. No. 99CH37030).

[25] Christof Paar, et al. Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms, 1998, CRYPTO.

[26] Christof Paar, et al. Cryptographic Hardware and Embedded Systems - CHES 2002, 2003, Lecture Notes in Computer Science.

[27] Christof Paar, et al. A High Performance Reconfigurable Elliptic Curve Processor for GF(2^m), 2000, CHES.

[28] Paulo S. L. M. Barreto, et al. Efficient Algorithms for Pairing-Based Cryptosystems, 2002, CRYPTO.

[29] M. Benaissa, et al. GF(p^m) multiplication using polynomial residue number systems, 1995.

[30] Colin Boyd, et al. Advances in Cryptology - ASIACRYPT 2001, 2001.

[31] Ian F. Blake, et al. Elliptic curves in cryptography, 1999.

[32] Rudolf Lidl, et al. Finite fields, 1983.

[33] Neal Zierler. On x^n + x + 1 over GF(2), 1970, Inf. Control.

[34] Nicolas Courtois, et al. The Security of Hidden Field Equations (HFE), 2001, CT-RSA.

[35] Christof Paar, et al. Area efficient GF(p) architectures for GF(p^m) multipliers, 2002, The 2002 45th Midwest Symposium on Circuits and Systems, MWSCAS-2002.

[36] Gilles Brassard, et al. A generalization of Hellman's extension to Shannon's approach to cryptography, 1988, Journal of Cryptology.

[37] Eric R. Verheul, et al. Self-Blindable Credential Certificates from the Weil Pairing, 2001, ASIACRYPT.

[38] Oscar H. Ibarra. Information and Control, 1957, Nature.

[39] Michael Wiener, et al. Advances in Cryptology - CRYPTO '99, 1999.

[40] Hovav Shacham, et al. Short Signatures from the Weil Pairing, 2001, J. Cryptol.

[41] Josef Pieprzyk, et al. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations, 2002, ASIACRYPT.

[42] Aggelos Kiayias, et al. Self Protecting Pirates and Black-Box Traitor Tracing, 2001, CRYPTO.

[43] David Naccache, et al. Why You Cannot Even Hope to use Gröbner Bases in Public Key Cryptography: An Open Letter to a Scientist Who Failed and a Challenge to Those Who Have Not Yet Failed, 1994, J. Symb. Comput.

[44] Adi Shamir, et al. Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization, 1999, CRYPTO.

[45] Pierre Loidreau. On the Factorization of Trinomials over F3, 1999.

[46] Vassilis Paliouras, et al. A low-complexity combinatorial RNS multiplier, 2001.

[47] Keshab K. Parhi, et al. Low-Energy Digit-Serial/Parallel Finite Field Multipliers, 1998.

[48] Joachim von zur Gathen, et al. Irreducible trinomials over finite fields, 2001, ISSAC '01.

[49] Christof Paar, et al. Itoh-Tsujii Inversion in Standard Basis and Its Application in Cryptography and Codes, 2002, Des. Codes Cryptogr.

[50] Victor S. Miller, et al. Use of Elliptic Curves in Cryptography, 1985, CRYPTO.

[51] Nigel P. Smart. Elliptic Curve Cryptosystems over Small Fields of Odd Characteristic, 1999, Journal of Cryptology.

[52] Antoine Joux, et al. A One Round Protocol for Tripartite Diffie-Hellman, 2000, Journal of Cryptology.

[53] Francesco Piazza, et al. Fast Combinatorial RNS Processors for DSP Applications, 1995, IEEE Trans. Computers.