Efficient computation of zero-dimensional Gröbner bases by change of ordering
Journal of Symbolic Computation
Computers and Intractability: A Guide to the Theory of NP-Completeness
Gröbner-Bases, Gaussian elimination and resolution of systems of algebraic equations
EUROCAL '83 Proceedings of the European Computer Algebra Conference on Computer Algebra
A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)
Proceedings of the 2002 international symposium on Symbolic and algebraic computation
Modern Computer Algebra
Algorithms for quantum computation: discrete logarithms and factoring
SFCS '94 Proceedings of the 35th Annual Symposium on Foundations of Computer Science
An Algebraic Surface Cryptosystem
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
New recombination algorithms for bivariate polynomial factorization based on Hensel lifting
Applicable Algebra in Engineering, Communication and Computing
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
In this paper, we fully break the Algebraic Surface Cryptosystem (ASC for short) proposed at PKC’2009 [3]. This system is based on an unusual problem in multivariate cryptography: the Section Finding Problem. Given an algebraic surface $X(x,y,t)\in\mathbb{F}_p[x,y,t]$ such that $\deg_{xy} X(x,y,t)= w$, the question is to find a pair of polynomials of degree $d$, $u_x(t)$ and $u_y(t)$, such that $X(u_x(t),u_y(t),t)=0$. In ASC, the public key is the surface, and the secret key is the section. This asymmetric encryption scheme enjoys reasonable key sizes: for recommended parameters, the size of the secret key is only 102 bits and the size of the public key is 500 bits. In this paper, we propose a message recovery attack whose complexity is quasi-linear in the size of the secret key. The main idea of this algebraic attack is to decompose ideals deduced from the ciphertext in order to avoid solving the Section Finding Problem. Experimental results show that we can break the cipher for recommended parameters (the security level is $2^{102}$) in 0.05 seconds. Furthermore, the attack still applies even when the secret key is very large (more than 10000 bits). The complexity of the attack is $\widetilde{\mathcal{O}}(w^{7} d \log(p))$, which is polynomial with respect to all security parameters. In particular, it is quasi-linear in the size of the secret key, which is $(2d+2)\log(p)$. This result is rather surprising since the algebraic attack is often more efficient than the legal decryption algorithm.
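The Section Finding Problem stated in the abstract, as an added example that is not code from the paper: a toy surface over $\mathbb{F}_p$ is built around a chosen section, and a candidate section is checked by substitution. The helper names, the toy parameters and the way `plant_section` fixes the constant term are assumptions made for illustration; the abstract's ideal-decomposition attack is not reproduced here.

```python
import random

# Polynomials in t over F_p are coefficient lists, lowest degree first; [] is zero.
def trim(a):
    while a and a[-1] == 0:
        a = a[:-1]
    return a

def padd(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[k] if k < len(a) else 0) + (b[k] if k < len(b) else 0)) % p
                 for k in range(n)])

def pmul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return trim(out)

def ppow(a, e, p):
    r = [1]
    for _ in range(e):
        r = pmul(r, a, p)
    return r

def substitute(X, ux, uy, p):
    """Return X(ux(t), uy(t), t); X maps (i, j) to the coefficient c_ij(t) of x^i y^j."""
    total = []
    for (i, j), c in X.items():
        total = padd(total, pmul(c, pmul(ppow(ux, i, p), ppow(uy, j, p), p), p), p)
    return total

def is_section(X, ux, uy, p):
    return substitute(X, ux, uy, p) == []

def plant_section(p, d, w, seed=0):
    """Constructed toy instance: random degree-d section, surface of xy-degree w."""
    rng = random.Random(seed)
    rand_poly = lambda deg: [rng.randrange(p) for _ in range(deg)] + [rng.randrange(1, p)]
    ux, uy = rand_poly(d), rand_poly(d)
    X = {(i, j): rand_poly(d)
         for i in range(w + 1) for j in range(w + 1 - i) if (i, j) != (0, 0)}
    # Assumption: set the x^0 y^0 coefficient so that the chosen section is a root.
    X[(0, 0)] = [(-c) % p for c in substitute(X, ux, uy, p)]
    return X, ux, uy
```

Checking a given section costs only a substitution; the hardness assumption behind ASC is that finding one from the surface alone does not.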