TY - GEN
T1 - Cryptanalytic Applications of the Polynomial Method for Solving Multivariate Equation Systems over GF(2)
AU - Dinur, Itai
N1 - Publisher Copyright:
© 2021, International Association for Cryptologic Research.
PY - 2021/1/1
Y1 - 2021/1/1
N2 - At SODA 2017, Lokshtanov et al. presented the first worst-case algorithms with exponential speedup over exhaustive search for solving polynomial equation systems of degree d in n variables over finite fields. These algorithms were based on the polynomial method in circuit complexity, a technique for proving circuit lower bounds that has recently been applied in algorithm design. Subsequent works further improved the asymptotic complexity of polynomial method-based algorithms for solving equations over the field F_2. However, the asymptotic complexity formulas of these algorithms hide significant low-order terms, and hence they outperform exhaustive search only for very large values of n. In this paper, we devise a concretely efficient polynomial method-based algorithm for solving multivariate equation systems over F_2. We analyze our algorithm's performance for solving random equation systems, and bound its complexity by about n^2 · 2^{0.815n} bit operations for d = 2 and n^2 · 2^{(1 - 1/(2.7d))n} for any d ≥ 2. We apply our algorithm in cryptanalysis of recently proposed instances of the Picnic signature scheme (an alternate third-round candidate in NIST's post-quantum standardization project) that are based on the security of the LowMC block cipher. Consequently, we show that 2 out of 3 new instances do not achieve their claimed security level. As a secondary application, we also improve the best-known preimage attacks on several round-reduced variants of the Keccak hash function. Our algorithm combines various techniques used in previous polynomial method-based algorithms with new optimizations, some of which exploit randomness assumptions about the system of equations. In its cryptanalytic application to Picnic, we demonstrate how to further optimize the algorithm for solving structured equation systems that are constructed from specific cryptosystems.
UR - http://www.scopus.com/inward/record.url?scp=85111355362&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-77870-5_14
DO - 10.1007/978-3-030-77870-5_14
M3 - Conference contribution
AN - SCOPUS:85111355362
SN - 9783030778699
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 374
EP - 403
BT - Advances in Cryptology – EUROCRYPT 2021 - 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
A2 - Canteaut, Anne
A2 - Standaert, François-Xavier
PB - Springer Science and Business Media Deutschland GmbH
T2 - 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2021
Y2 - 17 October 2021 through 21 October 2021
ER -