Algebraic attacks have proved to be an effective threat to block and stream cipher systems. A major concern in the realm of algebraic attacks is whether, for a given Boolean polynomial f, f or f+1 has low-degree annihilators. Existing methods for computing all annihilators within degree d of f in n variables, such as Gauss elimination and interpolation, have a complexity based on the parameter $k_{n,d} = \sum_{i=0}^{d}\binom{n}{i}$, which increases dramatically with n. As a result, these methods are impractical when dealing with sparse polynomials with a large n, which widely appear in modern cipher systems. In this paper, we present a new tool for computing annihilators, the characters w.r.t. a Boolean polynomial. We prove that the existence of annihilators of f and f+1 relies, respectively, on the zero characters and the critical characters w.r.t. f. Then we present a new algorithm for computing annihilators whose complexity relies on $k'_{f,d}$, the number of zero or critical characters within degree d w.r.t. f. Since $k'_{f,d} \ll k_{n,d}$ when f is sparse, this algorithm is very efficient for sparse polynomials with a large n. In our experiments, all low-degree annihilators of a random balanced sparse polynomial in 256 variables can be found in a few minutes.
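For reference, the baseline the abstract compares against (Gauss elimination over the $k_{n,d}$ monomials of degree at most d) can be sketched as follows. This is an added example, not code from the paper, and it does not implement the paper's character-based algorithm; the function names and the bitmask encoding of monomials are assumptions made here.

```python
from itertools import combinations

def eval_anf(monos, x):
    """Evaluate a Boolean polynomial at point x. The polynomial is a list of
    monomial bitmasks (bit i set = variable x_i present; mask 0 = constant 1)."""
    return sum((x & m) == m for m in monos) & 1

def monomials(n, d):
    """All monomials of degree <= d in n variables; there are k_{n,d} of them."""
    return [sum(1 << i for i in c)
            for r in range(d + 1) for c in combinations(range(n), r)]

def annihilators(f, n, d):
    """Basis of {g : deg g <= d, f*g = 0}. g annihilates f iff g(x) = 0 on the
    support of f, which is a linear system over GF(2) in k_{n,d} unknowns."""
    basis = monomials(n, d)
    k = len(basis)
    pivots = {}  # pivot column -> fully reduced row, rows stored as int bitsets
    for x in range(1 << n):  # exhaustive scan: only feasible for small n
        if not eval_anf(f, x):
            continue
        # Row for point x: which basis monomials evaluate to 1 at x.
        row = sum(1 << j for j, m in enumerate(basis) if (x & m) == m)
        for col, prow in pivots.items():
            if row >> col & 1:
                row ^= prow
        if not row:
            continue
        col = (row & -row).bit_length() - 1  # lowest set bit becomes the pivot
        for c in list(pivots):
            if pivots[c] >> col & 1:
                pivots[c] ^= row
        pivots[col] = row
    result = []
    for j in range(k):  # one null-space vector per free (non-pivot) column
        if j in pivots:
            continue
        v = 1 << j
        for c, prow in pivots.items():
            if prow >> j & 1:
                v |= 1 << c
        result.append([basis[i] for i in range(k) if v >> i & 1])
    return result

if __name__ == "__main__":
    f = [0b011]                      # constructed sample: f = x0*x1 in 3 variables
    print(annihilators(f, 3, 1))     # degree <= 1 annihilators of f
    print(annihilators([0] + f, 3, 2))  # degree <= 2 annihilators of f+1
```

The matrix has $k_{n,d}$ columns and one row per point in the support of f, which is why this approach stops scaling as n grows even when f itself is sparse.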