Saied Emam Mohamed

MXL2: Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy

MutantXL is an algorithm for solving systems of polynomial equations that was proposed at SCC 2008. This paper proposes two substantial improvements to this algorithm over GF(2) that result in significantly reduced memory usage. We present experimental results comparing MXL2to the XL algorithm, the MutantXL algorithm and Magmas implementation of F 4 . For this comparison we have chosen small, randomly generated instances of the MQ problem and quadratic systems derived from HFE instances. In both cases, the largest matrices produced by MXL2are substantially smaller than the ones produced by MutantXL and XL. Moreover, for a significant number of cases we even see a reduction of the size of the largest matrix when we compare MXL2against Magmas F 4 implementation.

MXL 3 : an efficient algorithm for computing gröbner bases of zero-dimensional ideals

This paper introduces a new efficient algorithm, called MXL3, for computing Grobner bases of zero-dimensional ideals. The MXL3 is based on XL algorithm, mutant strategy, and a new sufficient condition for a set of polynomials to be a Grobner basis. We present experimental results comparing the behavior of MXL3 to F4 on HFE and random generated instances of the MQ problem. In both cases the first implementation of the MXL3 algorithm succeeds faster and uses less memory than Magmas implementation of F4.

Improved algebraic side-channel attack on AES

In this paper, we present improvements of the algebraic side-channel analysis of the Advanced Encryption Standard (AES) proposed in the works of M. Renauld and F.-X. Standaert. In particular, we optimize the algebraic representation of both the AES block cipher and obtained side-channel information, in the form of Hamming weights of intermediate states, in order to speed up the attack and increase its success rate. We study the performance of our improved attack in both known and unknown plaintext/ciphertext attack scenarios. Our experiments indicate that in both cases the amount of required side-channel information is less than the one required in the attacks introduced earlier. Furthermore, we introduce a method for handling erroneous side-channel information, which allows our improved algebraic side-channel attack (IASCA) to partially escape the assumption of an error-free environment and thus become applicable in practice. We demonstrate the practical use of our IASCA by inserting predictions from a single-trace template attack.

Algebraic Attack on the MQQ Public Key Cryptosystem

In this paper, we present an efficient attack on the multivariate Quadratic Quasigroups (MQQ) public key cryptosystem. Our cryptanalysis breaks the MQQ cryptosystem by solving a system of multivariate quadratic polynomial equations using both the MutantXL algorithm and the F4 algorithm. We present the experimental results that show that MQQ systems is broken up to size n equal to 300. Based on these results we show also that MutantXL solves MQQ systems with much less memory than the F4 algorithm implemented in Magma.

Using SAT Solving to Improve Differential Fault Analysis of Trivium

Combining different cryptanalytic methods to attack a cryptosystem became one of the hot topics in cryptanalysis. In particular, algebraic methods in side channel and differential fault analysis (DFA) attracted a lot of attention recently. In [9], Hojsik and Rudolf used DFA to recover the inner state of the stream cipher Trivium which leads to recovering the secret key. For this attack, they required 3.2 one-bit fault injections on average and 800 keystream bits. In this paper, we give an example of combining DFA attacks and algebraic attacks. We use algebraic methods to improve the DFA of Trivium [9]. Our improved DFA attack recovers the inner state of Trivium by using only 2 fault injections and only 420 keystream bits.

Flexible partial enlargement to accelerate gröbner basis computation over F 2

Recent developments in multivariate polynomial solving algorithms have made algebraic cryptanalysis a plausible threat to many cryptosystems. However, theoretical complexity estimates have shown this kind of attack unfeasible for most realistic applications. In this paper we present a strategy for computing Grobner basis that challenges those complexity estimates. It uses a flexible partial enlargement technique together with reduced row echelon forms to generate lower degree elements–mutants. This new strategy surpasses old boundaries and obligates us to think of new paradigms for estimating complexity of Grobner basis computation. The new proposed algorithm computed a Grobner basis of a degree 2 random system with 32 variables and 32 equations using 30 GB which was never done before by any known Grobner bases solver.

Towards Algebraic Cryptanalysis of HFE Challenge 2

In this paper, we present an experimental analysis of HFE Challenge 2 (144 bit) type systems. We generate scaled versions of the full challenge fixing and guessing some unknowns. We use the MXL3 algorithm, an efficient algorithm for computing Grobner basis, to solve these scaled versions. We review the MXL3 strategy and introduce our experimental results.

Mutant Differential Fault Analysis of Trivium MDFA

In this paper we present improvements to the differential fault analysis (DFA) of the stream cipher Trivium proposed in the work of M. Hojsik and B. Rudolf. In particular, we optimize the algebraic representation of obtained DFA information applying the concept of Mutants, which represent low degree equations derived after processing of DFA information. As a result, we are able to minimize the number of fault injections necessary for retrieving the secret key. Therefore, we introduce a new algebraic framework that combines the power of different algebraic techniques for handling additional information received from a physical attack. Using this framework, we are able to recover the secret key by only an one-bit fault injection. In fact, this is the first attack on stream ciphers utilizing minimal amount of DFA information. We study the efficiency of our improved attack by comparing the size of gathered DFA information with previous attacks.

RingRainbow – An Efficient Multivariate Ring Signature Scheme

Multivariate Cryptography is one of the main candidates for creating post-quantum cryptosystems. Especially in the area of digital signatures, there exist many practical and secure multivariate schemes. However, there is a lack of more advanced schemes, such as schemes for oblivious transfer and signature schemes with special properties. While, in the last years, a number of multivariate ring signature schemes have been proposed, all of these have weaknesses in terms of security or efficiency. In this paper we propose a simple and efficient technique to extend arbitrary multivariate signature schemes to ring signature schemes and illustrate it using the example of Rainbow. The resulting scheme provides perfect anonymity for the signer (as member of a group), as well as shorter ring signatures than all previously proposed post-quantum ring signature schemes.

MQSAS - A Multivariate Sequential Aggregate Signature Scheme

(Sequential) Aggregate signature schemes enable a group of users \(u_1, \dots , u_k\) with messages \(m_1, \dots , m_k\) to produce a single signature \(\varSigma \) which states the integrity and authenticity of all the messages \(m_1, \dots , m_k\). The length of the signature \(\varSigma \) is thereby significantly shorter than a concatenation of individual signatures. Therefore, aggregate signatures can improve the efficiency of numerous applications, e.g. the BGPsec protocol of Internet routing and the development of new efficient aggregate signature schemes is an important task for cryptographic research. On the other hand, most of the existing schemes for aggregate signatures are based on number theoretic problems and therefore become insecure as soon as large enough quantum computers come into existence. In this paper, we propose a technique to extend multivariate signature schemes such as HFEv- to sequential aggregate signature schemes. By doing so, we create the first multivariate signature scheme of this kind, which is, at the same time, also one of the first post-quantum aggregate signature schemes. Our scheme is very efficient and offers compression rates that outperform current lattice-based constructions for practical parameters.