Matrix multiplication via arithmetic progressions
Journal of Symbolic Computation - Special issue on computational algebraic complexity
Computers and Intractability; A Guide to the Theory of NP-Completeness
The Security of Hidden Field Equations (HFE)
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Solving Underdefined Systems of Multivariate Quadratic Equations
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Efficient algorithms for solving overdefined systems of multivariate polynomial equations
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Hardware and Software Normal Basis Arithmetic for Pairing-Based Cryptography in Characteristic Three
IEEE Transactions on Computers
High-speed hardware implementations of Elliptic Curve Cryptography: A survey
Journal of Systems Architecture: the EUROMICRO Journal
Versatile hardware architectures for GF(p^m) arithmetic in public key cryptography
Integration, the VLSI Journal - Special issue: Embedded cryptographic hardware
Efficient Implementation of Tate Pairing on a Mobile Phone Using Java
Computational Intelligence and Security
Arithmetic Operators for Pairing-Based Cryptography
CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
Pairing '08 Proceedings of the 2nd international conference on Pairing-Based Cryptography
A versatile Montgomery multiplier architecture with characteristic three support
Computers and Electrical Engineering
New left-to-right minimal weight signed-digit radix-r representation
Computers and Electrical Engineering
Reduction Optimal Trinomials for Efficient Software Implementation of the ηT Pairing
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Secure signed radix-r recoding methods for constrained-embedded devices
ISPEC'07 Proceedings of the 3rd international conference on Information security practice and experience
Multiplication over F_{p^m} on FPGA: a survey
ARC'07 Proceedings of the 3rd international conference on Reconfigurable computing: architectures, tools and applications
Reduction optimal trinomials for efficient software implementation of the ηT pairing
IWSEC'07 Proceedings of the 2nd international conference on Advances in information and computer security
A flexible processor for the characteristic 3 ηT pairing
International Journal of High Performance Systems Architecture
A new bit-serial multiplier over GF(p^m) using irreducible trinomials
Computers & Mathematics with Applications
Hardware acceleration of the Tate pairing in characteristic three
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
Efficient hardware for the Tate pairing calculation in characteristic three
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
Instruction set extensions for pairing-based cryptography
Pairing'07 Proceedings of the First international conference on Pairing-Based Cryptography
SPA countermeasure based on unsigned left-to-right recodings
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
Parallel GF(3^m) multiplier for trinomials
Information Processing Letters
Several public key cryptosystems (HFE, Quartz, Sflash, etc.) are based on the problem MQ of solving a system of multivariate quadratic equations over a finite field. At Asiacrypt 2002, Courtois and Pieprzyk showed that the MQ problem is also relevant to the security of AES. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving MQ. They showed that if the number of equations m is much larger than the number of variables n, such overdefined MQ systems can be solved easily. From their simplified and heuristic analysis it seemed that even when m = n, a variant of XL could still be subexponential. The exact complexity of the XL algorithm remained an open problem. Moreover, all their simulations were done over GF(127) and only for a restricted range of the parameter D of the XL algorithm. At Asiacrypt 2002, an algorithm XSL, derived from XL, was introduced for the cryptanalysis of block ciphers [5]. Very little is known about the behaviour of XSL, and we believe that one should study the XL algorithm itself first. In this paper we study the behaviour of XL for systems of quadratic equations over GF(2). We show that the possibility of using the field equations of GF(2), x_i^2 = x_i, which are also quadratic, makes the XL algorithm work better. We also introduce two improved versions of XL, called XL' and XL2, with an improved final step of the algorithm (which can also be used in XSL). We present an explanation for the linear dependencies that appear in the XL algorithm, and derive a formula for the number of linearly independent equations in XL or XL2. We then run various computer simulations and observe that this formula always holds. We are thus apparently able to predict exactly the behaviour of XL, XL' and XL2 for random systems of equations. Due to the entanglement of linear dependencies, the analysis of XL becomes increasingly difficult, and XL may well be genuinely exponential for m = n.
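To make concrete how the field equations enter XL over GF(2), here is an added toy implementation written for this page (not the paper's own code, and it uses the plain linearisation read-off rather than the XL' or XL2 final step): every equation is multiplied by all square-free monomials of degree at most D-2, monomial products are set unions so that x_i^2 = x_i is applied on the fly and the columns are the square-free monomials of degree at most D, and a solution is read off once Gaussian elimination leaves a pivot in every non-constant column. The function names (`xl_solve`, `random_system`) and the sample systems are my own constructions.

```python
# Added example (not from the paper): toy XL over GF(2) with x_i^2 = x_i folded in; names are my own.
from itertools import combinations
import random

def monomials(n, max_deg):
    """Square-free monomials in n variables of degree <= max_deg, as frozensets of variable indices."""
    return [frozenset(c) for d in range(max_deg + 1) for c in combinations(range(n), d)]

def multiply(poly, mono):
    """Product of a GF(2) polynomial (a set of monomials) and a monomial; set union applies x_i^2 = x_i."""
    result = set()
    for t in poly:
        result ^= {t | mono}  # a monomial produced twice cancels over GF(2)
    return result

def gf2_eliminate(rows):
    """Gaussian elimination on int bit-vectors; returns {leading bit: pivot row}."""
    pivots = {}
    for v in rows:
        while v:
            b = v.bit_length() - 1
            if b not in pivots:
                pivots[b] = v
                break
            v ^= pivots[b]
    return pivots

def xl_solve(equations, n, D):
    """XL at degree D: the solution if the linearised system fixes every monomial, else None."""
    cols = monomials(n, D)  # column 0 is the constant monomial
    index = {t: i for i, t in enumerate(cols)}
    rows = [sum(1 << index[t] for t in multiply(eq, mono))  # every equation times every
            for eq in equations for mono in monomials(n, D - 2)]  # monomial of degree <= D-2
    pivots = gf2_eliminate(rows)
    if 0 in pivots or len(pivots) != len(cols) - 1:  # 1 = 0 derived, or too few independent rows
        return None
    for b in sorted(pivots):  # back-substitution: each pivot row keeps only its bit and the constant
        for c in pivots:
            if c > b and pivots[c] >> b & 1:
                pivots[c] ^= pivots[b]
    return [pivots[index[frozenset([i])]] & 1 for i in range(n)]

def evaluate(poly, x):  # value of a GF(2) polynomial at the 0/1 vector x
    return sum(all(x[i] for i in t) for t in poly) % 2

def random_system(n, m, solution, seed):
    """m random quadratic equations vanishing at a planted solution (constructed test data)."""
    rng = random.Random(seed)
    system = [{t for t in monomials(n, 2) if rng.random() < 0.5} for _ in range(m)]
    return [p ^ {frozenset()} if evaluate(p, solution) else p for p in system]  # flip constant
```

For the two-variable system x0*x1 + 1 = 0, x0 + x1 = 0 the linearised system has rank 2 at D = 2 and rank 3 (all non-constant columns) at D = 3, where `xl_solve` returns (1, 1); because of the field equations there are only 4 columns at D = 3 instead of the 10 monomials of degree at most 3 in two variables.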