On Polynomial Systems Arising from a Weil Descent

In the last two decades, many computational problems arising in cryptography have been successfully reduced to various systems of polynomial equations. In this paper, we revisit a class of polynomial systems introduced by Faugère, Perret, Petit and Renault. Based on new experimental results and heuristic evidence, we conjecture that their degrees of regularity are only slightly larger than the original degrees of the equations, resulting in a very low complexity compared to generic systems. We then revisit the application of these systems to the elliptic curve discrete logarithm problem (ECDLP) for binary curves. Our heuristic analysis suggests that an index calculus variant due to Diem requires a subexponential number of bit operations $O(2^{c\,n^{2/3}\log n})$ over the binary field $\mathbb{F}_{2^n}$, where $c$ is a constant smaller than 2. According to our estimations, generic discrete logarithm methods are outperformed for any $n > N$ where $N \approx 2000$, but elliptic curves of currently recommended key sizes ($n \approx 160$) are not immediately threatened. The analysis can be easily generalized to other extension fields.
