In ISSAC 2017, van der Hoeven and Larrieu showed that evaluating a polynomial P ∈ F_q[x] of degree < n at all n-th roots of unity in F_{q^d} can essentially be computed d times faster than evaluating Q ∈ F_{q^d}[x] at all these roots, assuming F_{q^d} contains a primitive n-th root of unity [vdHL17a]. Termed the Frobenius FFT, this discovery has a profound impact on polynomial multiplication, especially for multiplying binary polynomials, which finds ample application in coding theory and cryptography. In this paper, we show that the theory of the Frobenius FFT beautifully generalizes to a class of additive FFTs developed by Cantor and Gao-Mateer [Can89, GM10]. Furthermore, we demonstrate the power of the Frobenius additive FFT for q = 2: to multiply two binary polynomials whose product is of degree < 256, the new technique requires only 29,005 bit operations, while the best result previously reported was 33,397. To the best of our knowledge, this is the first time that FFT-based multiplication outperforms Karatsuba and the like at such a low degree in terms of bit-operation count.

CCS CONCEPTS
• Mathematics of computing → Computations in finite fields

KEYWORDS
additive FFT, Frobenius FFT, polynomial multiplication
Multivariate Public Key Cryptosystems (MPKCs) are often touted as future-proof against quantum computers. In 2009, it was shown that hardware advances do not favor only "traditional" alternatives such as ECC and RSA, but also make MPKCs faster and keep them competitive at 80-bit security when properly implemented. These techniques have become outdated owing to the emergence of new instruction sets and higher security requirements. In this paper, we review how MPKC signatures have changed since 2009, including new parameters (for the newer 128-bit security level), cryptosafe implementations, and the impact of the new AVX2 and AES-NI instructions. We also present new techniques for evaluating multivariate polynomials, for multiplication in large finite fields by additive Fast Fourier Transforms, and for constant-time linear solvers.

The polynomials p_1, p_2, ... have (almost always) been quadratic. In public-key cryptography, we can let P(0) = 0.

We need to discuss the security of MPKCs in order to set the parameters needed for the required security level(s). Public keys of MPKCs are instances of solving multivariate quadratic equations, or MQ instances. One can break all MPKCs if one is able to efficiently solve MQ problems.

1.2.1 Class MQ(q, n, m) and the MQ Problem. For given q, n, m, the class MQ(q, n, m) consists of all systems of m quadratic polynomials in F_q with n variables. To choose a random system S from MQ(q, n, m),

Solving S(x) = b for any MQ system S is then known as the "multivariate quadratic" (MQ) problem. It is NP-complete [GJ79]. However, it is not easy to base a proof on worst-case hardness. Often the premise used is the hitherto unchallenged average-case MQ hardness assumption [BGP06, LLY08]:

Assumption MQ. Given any k and prime power q, for parameters n, m satisfying m/n = c + o(1), no probabilistic algorithm running in subexponential(n) time can solve S(x) = b with non-negligible probability ε > 0, if the system S is drawn from MQ(q, n, m) and the vector b = (b_1, b_2, ..., b_m) is drawn from S(U_n), where U_n is the uniform distribution over (F_q)^n.

Hardness of generic MQ. The complexity of solving a random instance from MQ(q, n, m) is estimated using Gröbner-basis methods, often XL with sparse matrices [CKPS00, YCBC07] or F5 [Fau02, BFSY05]. We simply use prior estimates for the complexity of solving MQ.

Effect of quantum computers on MQ signatures. Since we discuss MPKCs as post-quantum, we must consider a direct quantum-computer attack using Grover's algorithm [Gro96], which is considered in [WS16]. The summary of this attack is that a system of MQ equations with n bits of input can be solved in 2^(n/2+1) · n^3 quantum operating steps ("gates"). Note that this is not usually a problem, because a signature scheme usually requires 2b-bit-wide hashes for b-bit security, so a 128-bit-secure digital signature scheme usually has 256 bits of input anyway. If we assume that a quantum step ("gate") can run at the same speed as a CPU cycle (a very, very aggressive assumption about quantum computers), solving a quadratic system with 210 bits of ...
No abstract