Results 1-10 of 32
On polynomial systems arising from a Weil Descent
Cited by 25 (4 self)
In the last two decades, many computational problems arising in cryptography have been successfully reduced to various systems of polynomial equations. In this paper, we revisit a class of polynomial systems introduced by Faugère, Perret, Petit and Renault. After arguing that these systems are natural generalizations of HFE systems, we provide experimental and theoretical evidence that their degrees of regularity are only slightly larger than the original degrees of the equations, resulting in a very low complexity compared to generic systems. We then revisit applications to the elliptic curve discrete logarithm problem (ECDLP) for binary curves, to the factorization problem in SL(2, F_{2^n}) and to other discrete logarithm problems. As a main consequence, our heuristic analysis implies that Diem's variant of index calculus for ECDLP requires a subexponential number of bit operations O(2^{c n^{2/3} log n}) over the binary field F_{2^n}, where c is a constant smaller than 2. According to our estimations, generic discrete logarithm methods are outperformed for any n > N where N ≈ 2000, but elliptic curves of currently recommended key sizes (n ≈ 160) are not immediately threatened. The analysis can be easily generalized to other extension fields.
Preimages for the Tillich-Zémor hash function
Cited by 6 (1 self)
After 15 years of unsuccessful cryptanalysis attempts by the research community, Grassl et al. have recently broken the collision resistance property of the Tillich-Zémor hash function. In this paper, we extend their cryptanalytic work and consider the preimage resistance of the function. We present two algorithms for computing preimages, each algorithm having its own advantages in terms of speed and preimage lengths. We produce theoretical and experimental evidence that both our algorithms are very efficient and succeed with a very large probability on the function parameters. Furthermore, for an important subset of these parameters, we provide a full proof that our second algorithm always succeeds in deterministic cubic time. Our attacks definitely break the Tillich-Zémor hash function and show that it is not even one-way. Nevertheless, we point out that other hash functions based on a similar design may still be secure.
Hashing with Polynomials
Proceedings of ICISC 2006, 2006
Cited by 5 (3 self)
In this paper, we explore potential mathematical principles and structures that can provide the foundation for cryptographic hash functions, and also present a simple and efficiently computable hash function based on a non-associative operation with polynomials over a finite field of characteristic 2.
Full Cryptanalysis of LPS and Morgenstern Hash
Cited by 5 (3 self)
Collisions in the LPS cryptographic hash function of Charles, Goren and Lauter have been found by Zémor and Tillich [16], but it was not clear whether computing preimages was also easy for this hash function. We present a probabilistic polynomial time algorithm solving this problem. Subsequently, we study the Morgenstern hash, an interesting variant of the LPS hash, and break this function as well. Our attacks build upon the ideas of Zémor and Tillich but are not straightforward extensions of them. Finally, we discuss fixes for the Morgenstern hash function and other applications of our results.
Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies
Pseudorandom numbers and hash functions from iterations of multivariate polynomials, Cryptography and Communications
Cited by 4 (4 self)
Dynamical systems generated by iterations of multivariate polynomials with slow degree growth have proved to admit good estimates of exponential sums along their orbits, which in turn lead to rather stronger bounds on the discrepancy for pseudorandom vectors generated by these iterations. Here we add new arguments to our original approach and also extend some of our recent constructions and results to more general orbits of polynomial iterations which may involve distinct polynomials as well. Using this construction we design a new class of hash functions from iterations of polynomials and use our estimates to motivate their "mixing" properties. Subject Classification (2000): 11K45; 11T23; 11T71; 94A60.
Hash Functions from Sigma Protocols and Improvements to VSH
2008
Cited by 3 (0 self)
We present a general way to get a provably collision-resistant hash function from any (suitable) Σ-protocol. This enables us both to get new designs and to unify and improve previous work. In the first category, we obtain, via a modified version of the Fiat-Shamir protocol, the fastest known hash function that is provably collision-resistant based on the standard factoring assumption. In the second category, we provide a modified version VSH* of VSH which is faster when hashing short messages. (Most Internet packets are short.) We also show that Σ-hash functions are chameleon, thereby obtaining several new and efficient chameleon hash functions with applications to online/offline
Efficiency and Pseudo-Randomness of a Variant of Zémor-Tillich Hash Function
Cited by 3 (1 self)
Recent breakthroughs concerning the current standard SHA-1 prompted NIST to launch a competition for a new secure hash algorithm [1,13]. Provably secure hash functions (in the sense that their security relates to the hardness of some mathematical problems [5,7,9,12]) are particularly interesting from a theoretical point of view but are often much slower than heuristic functions like SHA. In this paper, we consider a variant of ZT hash, a provably secure hash function designed by Zémor and Tillich and proposed in 1994 [12]. Despite some attack proposals, its security has not been fundamentally challenged to this day. Our function is twice as fast as ZT hash and has enhanced security properties. We propose optimized parameters and algorithms to increase the speed of both hash functions. This makes our function one of the most efficient "provably secure" hash functions to this day. Finally, we show that our hash function successfully passes most pseudorandomness tests in the Dieharder suite [2].