Roehm’s Virtual Territory

Happy Eid Al-Adha

26
Nov/090

Wish you all the blessing Eid Al-Adha

Filed under: Uncategorized

No Comments

Hair Complexities

18
Nov/090

“Anyone has a mirror ???”

Filed under: Uncategorized

No Comments

My-Wave :)

16
Nov/090

Filed under: Uncategorized

No Comments

Dialah, Purwaning Dumadi

7
Nov/090

Filed under: Refleksi

No Comments

It is interesting to see the property of Little-Dragon-2 (LD2)[1] as the improved version of Little-Dragon[2] developed based on MI (Matsumoto-Imai) scheme as the pioneer in MPKC. One of the known problem in construction Multivariate Public Key Cryptosystem (MPKC) is the possibility to have several equivalent private-keys. The equivalent private-keys in MPKC occur when two unequal private-keys produce the same public-keys (Since the construction of the public-key in MPKC is a composition of $L_1 \circ P \circ L_2$ , where $P$ is a multivariate polynomial of the degree > 1 (generally is 2) over a prime field $\mathbb{F}_q$ ( $q = p^n$ , where $p$ must be a prime. In case of binary field, $p = 2$ ), $L_1$ and $L_2$ are two invertible affine transformation of the form $L(x) = A(x) + C$ , where $A$ is the $(n \times n)$ invertible matrix over $\mathbb{F}_q$ and $C$ is a defined-constant on the same field).

The problem of equivalent keys in MPKC can be solved easily by generate permutation polynomial $P$ over $\mathbb{F}_q$ . Such characteristic is produced when the polynomial $p(x)$ in $\mathbb{F}_q[x]$ is a polynomial function from $\mathbb{F}_q$ onto $\mathbb{F}_q$ . Thus, there are four condition that make a polynomial $p(x)$ is a permutation polynomial over $\mathbb{F}_q$ , that are:

$p(x)$ is onto
$p(x)$ is one-to-one
$p(x)=a$ has a solution in $\mathbb{F}_q$ , for each $a \in \mathbb{F}_q$
$p(x)=a$ has a unique solution in $\mathbb{F}_q$ , for each $a \in \mathbb{F}_q$

Then, based on the fact that :

Every linear polynomial that is a polynomial of the form $ax + b$ with $a \neq 0$ over $\mathbb{F}_q$ is a permutation polynomial of $\mathbb{F}_q$
The monomial $x^n$ is a permutation polynomial of $\mathbb{F}_q$ if and only if $n$ and $q-1$ are coprime $(\gcd (n, q-1) = 1)$

It is proven that polynomial over $\mathbb{F}_q$ of the form $x^{\left(2^{2^rk }+ 2^r\right)} + x^{2^{2^rk}} + x^{2^r}$ , where $r, k \in \mathbb{Z}^+$ , is a permutation polynomial if and only if $2^{2^rk} + 2^r$ and $2^n-1$ are coprime, which $\gcd (2^{2^rk} + 2^r, 2^n-1) = 1$ . The extension of this idea is by having polynomial function of the form $g(x) = \left( x^{2^{2^r}k} + x^{2^r} + \alpha \right)^l + x$ , where $T(\alpha)$ is a trace function from $\mathbb{F}_{2^{m}}$ to $\mathbb{F}_2$ , in which $T(\alpha) = \alpha + \alpha^2 + \alpha^{2^2} + ... + \alpha^{2^{m-1}} = 1$ and $l \cdot \left( 2^{2^r k} + 2^r\right) = 1 \mod 2^n - 1$ . However, the question is how to choose the value of $r$ and $k$ so that the polynomial generated will satisfy the conditions above ?

Choosing $r$ and $k$

For the case of public-key cryptosystem, the permutation polynomial only exist where $l$ is of the form $2^t \pm 1$ . Specifically, for $r = 0$ , $\mathbb{F}_{2^{2m - 1}}$ , $k=m$ and $l = 2^m - 1$ , $g(x)$ is obviously a permutation polynomial, since $2^{2^r k} + 2^r = 2^m + 1$ , therefore $(2^m - 1) \cdot (2^m + 1) = 2^{2m} - 1 = 1 \mod 2^n - 1$ . So the public key is the form of $g(x) = \left( x^{2^m} + x + \alpha\right)^{2^m -1} + x$ where $\alpha$ is the hidden monomial and must be kept as the private keys, together with $L_1$ and $L_2$ as the two invertible linear affine transformation.

However, there is no much improvement on the size of public key and the complexity of the encryption process $\mathcal{O}(n^3)$ . Moreover, its resistance against many type of algorithm than can solve multivariate polynomial problem (Buchberger, XL, XSL, Linearization, Relinearization, $F_4$ and $F_5$ , Zhuang-Zhi, etc) as well as the key recovery attack against hidden monomial-based MPKC have not been examined that far.

So as the closing question : anyone interested ?

$\mathcal{ROEHM}$

[1]. R.P. Singh, A. Saikia, B.K.Sarma., Little Dragon Two: An efficient Multivariate Public Key Cryptosystem. IACR ePrint Archive.

[2]. J.Patarin. Asymmetric cryptography with a hidden monomial. Advances in Cryptology-Crypto ‘96, Springer-Verlag, pp. 4560.

[3] C. Wolf., B. Preenel., Equivalent Keys in Multivariate Quadratic Public Key Systems. IACR ePrint Archive.

Filed under: Kriptografi

4 Comments

My Public Key

29
Sep/090

Dear folks,

I’ve posted my public key in this blog. Just in case you need to send confidential information or files, I strongly encourage you to encrypt it before send it to my email.

Regards,

$\mathcal{ROEHM}$

Filed under: Kabar

No Comments

Selamat Hari Raya Idul Fitri

19
Sep/090

Taqabbalallah minna wa minkum

$\mathcal{ROEHM}$

Filed under: Uncategorized

No Comments

English is Not That Difficult

29
Aug/090

see more Engrish

$\mathcal{ROEHM}$

Filed under: Uncategorized

No Comments

When word speak more than a voice

10
Aug/090

Choose, either pay or pray ...

$\mathcal{ROEHM}$

Filed under: Refleksi

No Comments

Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds

4
Aug/090

Here we come everybody, an almost practical related-key attack against reduced round (10 rounds) of AES-256.

AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the $2^{128}$ complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require $2^{176}$ and $2^{119}$ time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems. In this paper we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds are comparable to that of AES-128. One of our attacks uses only two related keys and $2^{39}$ time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and $2^{120}$ time). Another attack can break a 10 round version of AES-256 in $2^{45}$ time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and $2^{172}$ time). While neither AES-128 nor AES-256 can be directly broken by these attacks, the fact that their hybrid (which combines the smaller number of rounds from AES-128 along with the larger key size from AES-256) can be broken with such a low complexity raises serious concern about the remaining safety margin offered by the AES family of cryptosystems.