Polynomials and Cryptography
Michele Elia Politecnico di Torino
Primo Workshop Crittografia BunnyTN - Trento 10 marzo 2011
Preamble
Polynomials have always occupied a prominent position in mathematics. In recent times their use has become unavoidable in cryptography.
Part I: Short excursus on various types of polynomials used in cryptography.
Part II: Comments on computing roots, and on evaluating polynomials over finite fields.
Part I
1) Nonlinear transformations over finite fields
2) Rabin and RSA transformations
3) Elliptic curves
4) Secret-sharing schemes
5) Transformations in AES
6) Deciphering in the McEliece scheme
7) Key distribution in consumer systems
8) Error-correcting codes for bio-imprints
1) Nonlinear transformations over finite fields GF(q)
All functions from GF(q) into GF(q) are polynomials.
A function f(x) over GF(2^m) is APN (Almost Perfect Nonlinear) if
1. f(x+a) + f(x) + b has at most two zeros in the field for every a ≠ 0 and every b;
2. x ↦ f(x+a) + f(x) is 2-to-1 on GF(2^m) for every a ≠ 0.
Until 2006, all known APN functions were monomials or binomials.
Examples: f(x) = x^3; f(x) = x^6 + x^5 in GF(2^7).
Gold: $f(x) = x^{2^k+1}$, $x \in GF(2^m)$, $\gcd(k, m) = 1$
Kasami: $f(x) = x^{2^{2k} - 2^k + 1}$, $x \in GF(2^m)$, $\gcd(k, m) = 1$
α primitive element of GF(2^m); H parity-check matrix of a (2^m − 1, 2^m − 1 − 2m, 5) code
R received vector, S its syndrome vector
System of equations for finding the error positions j and h:
$\alpha^j + \alpha^h = S_1$, $f(\alpha^j) + f(\alpha^h) = S_2$ → $f(\alpha^h + S_1) + f(\alpha^h) = S_2$
Unique solution ⟺ f(x) is an APN function
John Dillon (2006) introduced APN functions that are trinomials, noting the relation between these functions and two-error-correcting codes with parity-check matrix
$$H = \begin{pmatrix} 1 & \alpha & \alpha^2 & \cdots & \alpha^j & \cdots & \alpha^{2^m-2} \\ f(1) & f(\alpha) & f(\alpha^2) & \cdots & f(\alpha^j) & \cdots & f(\alpha^{2^m-2}) \end{pmatrix}$$
Recently, classes of polynomials with more than three terms have been found:
$f(x) = b\,x^{2^s+1} + b^{2^k} x^{2^{k+s}+2^k} + c\,x^{2^k+1} + \sum_i r_i\, x^{2^{i+k}+2^i}$, $x \in GF(2^{2k})$,
with $\gcd(s, k) = 1$, $c \in GF(2^{2k})$, $b \in GF(2^{2k})$, $r_i \in GF(2^k)$
Examples: f(x) = x^3 on GF(2^4) (BCH); f(x) = x^3 + x^2 + x on GF(2^4) (BCH); f(x) = x^5 + x^4 + x^3 + x^2 + x on GF(2^7) (equivalent to a monomial); f(x) = α^7 x^48 (trinomial)
2) Rabin and RSA transformations
Operations in the ring of residues modulo M = pq; e (= 2) divisor of φ(M):
f(X) = X^e = a mod M. Inverting the function f(X) and factoring M are equivalent problems.
E coprime with φ(M): f(x) = x^E = a mod M.
Are the inversion of f(x) and the factorization of M equivalent problems?
Power computation
The computation of X^m in any associative domain needs at most 2 log2 m products.
The minimum number of products is given by the minimum length L of an addition chain
a_0, a_1, …, a_L, with a_0 = 1 and a_j = a_i + a_t, i, t < j.
Example: m = 47, minimum chain length < 2 log2 47 < 11.2
1) 1, 2, 4, 8, 16, 32, 40, 44, 46, 47   L = 9
2) 1, 2, 4, 5, 10, 20, 40, 45, 47   L = 8 (minimum)
$m = m_0 + m_1 2 + m_2 2^2 + \cdots + m_s 2^s$, $m_i \in \{0, 1\}$
$X^m = X^{m_0} (X^2)^{m_1} (X^{2^2})^{m_2} \cdots (X^{2^s})^{m_s}$
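The two ways of computing X^m described above, as an added example (Python) that is not part of the slides: exponentiation along an explicit addition chain, checked against binary square-and-multiply and its 2 log2 m bound. The chains for m = 47 are the slide's; the modulus M in the checks is a constructed value.

```python
# Added example (Python), not from the slides: exponentiation driven by an
# explicit addition chain, compared with binary square-and-multiply, whose
# cost is the slide's bound of at most 2*log2(m) products. The two chains
# for m = 47 are the slide's; any modulus M passed in is a constructed value.

def is_addition_chain(chain):
    """Every a_j (j >= 1) must equal a_i + a_t for two earlier elements."""
    if not chain or chain[0] != 1:
        return False
    for j in range(1, len(chain)):
        earlier = chain[:j]
        if not any(chain[j] - a in earlier for a in earlier):
            return False
    return True

def power_by_chain(x, chain, M):
    """x^chain[-1] mod M using exactly len(chain)-1 = L products."""
    if not is_addition_chain(chain):
        raise ValueError("not an addition chain")
    powers = {1: x % M}              # exponent -> x^exponent mod M
    products = 0
    for a in chain[1:]:
        # any earlier exponent i such that a - i was also computed already
        i = next(b for b in powers if a - b in powers)
        powers[a] = powers[i] * powers[a - i] % M
        products += 1
    return powers[chain[-1]], products

def power_binary(x, m, M):
    """Square-and-multiply; returns (x^m mod M, number of products)."""
    result, base, products = 1, x % M, 0
    while m:
        if m & 1:
            result = result * base % M
            products += 1
        m >>= 1
        if m:                         # no square after the last bit
            base = base * base % M
            products += 1
    return result, products

CHAIN_A = [1, 2, 4, 8, 16, 32, 40, 44, 46, 47]   # L = 9
CHAIN_B = [1, 2, 4, 5, 10, 20, 40, 45, 47]       # L = 8, the minimum
```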
3) Elliptic curves
E[F] elliptic curve over a finite field F: $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, $a_i \in F$
Q(x, y) point on E[F], x, y ∈ F. Scalar multiplication Q → kQ = (k_0 + k_1 2 + k_2 2^2 + … + k_s 2^s) Q
Point doubling: Q → 2Q. Point addition: P, Q → P + Q
Sum and duplication of points
P(x1, y1), Q(x2, y2) points on E[F]. Addition S = P + Q, doubling 2P = P + P:
Addition (x1 ≠ x2): $m = \dfrac{y_2 - y_1}{x_2 - x_1}$
Doubling (x2 = x1): $m = \dfrac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3}$
$x_3 = m^2 + a_1 m - a_2 - x_1 - x_2$, $y_3 = m(x_1 - x_3) - y_1 - a_1 x_3 - a_3$
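The addition and doubling formulas above together with the double-and-add computation of kQ, as an added example (Python) that is not part of the slides. The prime field F_97, the curve coefficients and the base point (3, 6) are constructed sample values; the code keeps the general a_1, …, a_6 form of the slide.

```python
# Added example (Python), not from the slides: the slide's addition and doubling
# formulas for y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6 over a prime field,
# plus kQ by double-and-add over the binary expansion of k. The prime, the
# coefficients and the base point are constructed sample values.
P_MOD = 97                              # F_97 (constructed)
A1, A2, A3, A4, A6 = 0, 0, 0, 2, 3      # y^2 = x^3 + 2x + 3 (constructed)
INF = None                              # point at infinity, the group identity

def on_curve(Q):
    if Q is INF:
        return True
    x, y = Q
    return (y*y + A1*x*y + A3*y - (x**3 + A2*x*x + A4*x + A6)) % P_MOD == 0

def _from_slope(m, x1, y1, x2):
    # shared tail of both formulas: x3 and y3 from the slope m
    x3 = (m*m + A1*m - A2 - x1 - x2) % P_MOD
    y3 = (m*(x1 - x3) - y1 - A1*x3 - A3) % P_MOD
    return (x3, y3)

def double(P):
    """2P with m = (3x1^2 + 2a2 x1 + a4 - a1 y1) / (2y1 + a1 x1 + a3)."""
    if P is INF:
        return INF
    x1, y1 = P
    den = (2*y1 + A1*x1 + A3) % P_MOD
    if den == 0:                        # vertical tangent: P has order 2
        return INF
    m = (3*x1*x1 + 2*A2*x1 + A4 - A1*y1) * pow(den, P_MOD - 2, P_MOD) % P_MOD
    return _from_slope(m, x1, y1, x1)

def add(P, Q):
    """P + Q with m = (y2 - y1) / (x2 - x1); same x means Q == P or Q == -P."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        return double(P) if y1 == y2 else INF
    m = (y2 - y1) * pow((x2 - x1) % P_MOD, P_MOD - 2, P_MOD) % P_MOD
    return _from_slope(m, x1, y1, x2)

def scalar_mul(k, Q):
    """kQ = (k0 + k1*2 + ... + ks*2^s) Q: double every step, add on the 1 bits."""
    R, base = INF, Q
    while k:
        if k & 1:
            R = add(R, base)
        base = double(base)
        k >>= 1
    return R
```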
4) Secret-sharing (Shamir)
A common secret m is "shared" among any group of k subjects out of n. The secret is encrypted and n private keys are generated:
- A random polynomial of degree k is selected: $S(x) = x^k + a_1 x^{k-1} + \cdots + a_{k-1} x + m$
- $x_i$: public identifier of subject i
- $S(x_i) = y_i$: private key for sharing
Recovering the polynomial knowing the values of k pairs (x_i, y_i)
S(x) is rebuilt using Lagrange interpolation:
$$S(x) = \sum_{j=1}^{k} y_j L_j(x), \qquad L_j(x) = \prod_{i=1,\; i \neq j}^{k} \frac{x - x_i}{x_j - x_i}$$
The common secret m is obtained as
$$m = S(0) = \sum_{j=1}^{k} y_j L_j(0) = \sum_{j=1}^{k} y_j \prod_{h=1,\; h \neq j}^{k} \frac{x_h}{x_h - x_j}$$
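The sharing and the recovery m = S(0) = Σ y_j L_j(0) above, as an added example (Python) that is not part of the slides. It assumes arithmetic over a prime field and a polynomial of degree k − 1 with constant term m, which is what the Lagrange sum over k pairs reconstructs; the prime and the sample secret are constructed values.

```python
# Added example (Python), not from the slides: Shamir sharing over a prime field
# and recovery of m = S(0) by Lagrange interpolation at 0. The polynomial has
# degree k-1 and constant term m (assumption: the form the Lagrange sum over k
# pairs reconstructs); PRIME is a constructed value.
import secrets

PRIME = 2**61 - 1   # constructed: a Mersenne prime large enough for the demo

def make_shares(m, k, n):
    """n shares (x_i, y_i = S(x_i)) of the secret m; any k of them recover m."""
    if not 0 <= m < PRIME or not 1 <= k <= n < PRIME:
        raise ValueError("bad parameters")
    coeffs = [m] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    def S(x):                          # Horner evaluation of S(x) mod PRIME
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % PRIME
        return acc
    return [(x, S(x)) for x in range(1, n + 1)]   # public identifiers 1..n

def lagrange_at_zero(shares):
    """m = sum_j y_j * prod_{h != j} x_h / (x_h - x_j), everything mod PRIME."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("identifiers must be distinct and nonzero")
    m = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for h, xh in enumerate(xs):
            if h != j:
                num = num * xh % PRIME
                den = den * (xh - xj) % PRIME
        m = (m + yj * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return m

def recover(shares, k):
    """Refuse fewer than k shares: k-1 shares leave every m equally likely."""
    if len(shares) < k:
        raise ValueError("need at least k shares")
    return lagrange_at_zero(shares[:k])
```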
5) AES: Sub-byte Transformation
The Sub-byte transformation is applied to all rows of the data matrix. Polynomials over GF(2^8):
Data matrix row: $X_i(x) = X_{i0} + X_{i1} x + X_{i2} x^2 + X_{i3} x^3$
Encryption polynomial: $a(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3$
Encrypted row: $X'_i(x) = X_i(x)\, a(x) \bmod (x^4 + 1)$
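The row transformation X'_i(x) = X_i(x) a(x) mod (x^4 + 1) over GF(2^8), as an added example (Python) that is not part of the slides. The slide leaves a(x) unspecified; the code takes the AES (FIPS-197) values a(x) = {03}x^3 + {01}x^2 + {01}x + {02} and the field modulus x^8 + x^4 + x^3 + x + 1, and the inverse polynomial used for decryption.

```python
# Added example (Python), not from the slides: the slide's row transformation
# written as a polynomial product over GF(2^8) reduced modulo x^4+1. The
# multiplier a(x) = {03}x^3 + {01}x^2 + {01}x + {02}, its inverse, and the field
# modulus 0x11b are the AES (FIPS-197) values, which the slide does not list.

AES_A = [0x02, 0x01, 0x01, 0x03]        # a0, a1, a2, a3 of a(x)
AES_A_INV = [0x0e, 0x09, 0x0d, 0x0b]    # a^{-1}(x) = {0b}x^3+{0d}x^2+{09}x+{0e}

def gf256_mul(a, b):
    """Product in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
    return r

def poly_mul_mod_x4_plus_1(row, a):
    """Coefficient-wise product row(x) * a(x) reduced modulo x^4 + 1.
    Since x^4 = 1 in the quotient ring, exponents wrap around modulo 4."""
    out = [0, 0, 0, 0]
    for i, ri in enumerate(row):
        for j, aj in enumerate(a):
            out[(i + j) % 4] ^= gf256_mul(ri, aj)
    return out

def encrypt_row(row):
    """X'_i(x) = X_i(x) a(x) mod (x^4 + 1); row = [X_i0, X_i1, X_i2, X_i3]."""
    return poly_mul_mod_x4_plus_1(row, AES_A)

def decrypt_row(row):
    """a(x) is invertible mod x^4 + 1, so multiplying by a^{-1}(x) undoes it."""
    return poly_mul_mod_x4_plus_1(row, AES_A_INV)
```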
6) McEliece scheme deciphering
Deciphering: decoding the vector r, i.e. correction of t errors:
- Computation of R = Pr, P private permutation matrix
- Computation of 2t syndromes
- Computation of the error locator polynomial σ(z) (Berlekamp-Massey)
- Error location: evaluation of σ(z) in n points
Public key: binary n × k matrix G of a cyclic or Goppa (n, k, 2t+1) code over GF(2); α primitive element of GF(2^m), n = 2^m − 1
Enciphering: information vector x, error vector e with t errors; encrypted message r = Gx + e
Decoding operations
R = (R_1, R_2, …, R_n) modified received vector; $R(x) = \sum_i R_i x^i$ polynomial of degree n − 1
Computation of 2t syndromes $S_i = R(\alpha^i)$, i = 1, …, 2t
Construction of σ(z) of degree t: Vandermonde → GPZ → Berlekamp-Massey
Evaluation of σ(z) in n points α^j in GF(2^m) (Chien search): error in position j if $\sigma(\alpha^j) = 0$
7) Key distribution in consumer systems
Parameters: m common access key; N number of users; k_u private key of user u. Broadcast: a hash function h(x) and the polynomial
$$P(x) = \prod_{u=1}^{N} \big(x - h(k_u)\big) + m = \sum_{i=0}^{n} p_i x^i$$
User u actions: evaluation of h(k_u); evaluation of P(x) at h(k_u) to get the key m = P(h(k_u)).
8) Error-correcting codes for bio-imprints
1) To store or distribute bio-imprints keeping the original imprint secret, i.e. it should be difficult to recover the original sample imprint from its stored version.
2) To automatically recognize a claimed identity, which requires fast checking of whether the imprint taken is among a stored set of encrypted sample imprints, given that the imprint taken is corrupted by sensor errors.
Error-correcting codes for bio-imprints
x: sample bio-imprint encoded as a binary stream of k bits
C: code word of an (n, k) t-error-correcting code over GF(q); t has the meaning of a threshold
z = C + (x, 0): encrypted bio-imprint
Check: y, k-dimensional vector encoding the bio-imprint taken; d = (y, 0) → R = z + d = e + C, the code word C corrupted by ℓ errors, i.e. by the vector e = (x − y, 0)
- the number of errors ℓ is computed and compared with t: if ℓ < t the test is passed, if ℓ > t the test is not passed
- operatively, σ(z) is computed and it is checked whether all its roots are in GF(q), i.e. gcd(σ(z), z^{q−1} − 1) = σ(z)
Part II
- Computation of the roots of polynomials in their full splitting finite field. Application to decoding cyclic and Goppa codes.
- Evaluation of polynomials over finite fields: a fast algorithm that admits asymptotic upper bounds on the number of products and sums, respectively equal to $c\sqrt{n}$ and $c'\, n/\ln(n)$.
Roots of Polynomials over GF(q)
Two steps:
1. Computation of the roots of σ(x), defined over GF(q) and fully split in GF(q^m), by means of the Cantor-Zassenhaus algorithm. The roots β are expressed in a polynomial basis of GF(q^m).
2. Computation of the exponential representation β = α^j, given α primitive in GF(q^m), by means of Shanks' algorithm.
The usual method applied in decoders requires the evaluation of σ(x) in q^m points, and thus has complexity q^m × (complexity of one evaluation σ(α^i)) to perform both tasks.
σ(x) polynomial of degree t over GF(2^{2m}); L = (2^{2m} − 1)/3; ω random in GF(2^{2m}); ζ primitive cubic root of unity in GF(2^{2m}). Compute a(x) = (x + ω)^L mod σ(x).
If a(x) ≠ 1, ζ, ζ^2, then σ has a common factor with at least one of the following polynomials, with probability greater than 8/9: a(x), a(x) − 1, a(x) − ζ, a(x) − ζ^2. All roots are obtained with at most t repetitions.
The largest computational cost is given by the computation of a(x), which entails computing powers of a polynomial modulo another polynomial over a finite field.
Discrete logarithm of β to base α: α^ℓ = β
Let ℓ = ℓ_0 + ℓ_1 q with 0 ≤ ℓ_0, ℓ_1 < q + 1.
Compute an ordered table of the powers α^ℓ, 0 ≤ ℓ < q + 1.
Compute β (α^{−q})^ℓ, 0 ≤ ℓ < q + 1.
Table search: a match is found in at most m steps.
The computational complexity of Shanks' algorithm is 2^{2m}.
Evaluation of a polynomial in the point α
$p(x) = p_0 + p_1 x + p_2 x^2 + \cdots + p_m x^m$
The direct evaluation needs:
1) computation of m powers α^i
2) computation of m products p_i α^i
3) computation of m sums
4) total: 2m − 1 products and m sums
Horner's Rule
$p(x) = p_0 + x\big(p_1 + x(p_2 + \cdots + x(p_{m-1} + x\, p_m) \cdots)\big)$
requires m products and m sums. This rule is universal, i.e., it holds in every field (and every associative ring).
In finite fields it is possible to do better.
The exemplification is restricted to GF(2) and its extensions.
Three different problems:
1. To evaluate a polynomial in a single point
2. To evaluate a polynomial in s distinct points
3. To evaluate f polynomials in the same point
Evaluation of p(x) over GF(2) in a single point α in GF(2^m)
$p(x) = p_0 + p_1 x + p_2 x^2 + \cdots + p_n x^n$, $p_i \in GF(2)$
$p(x) = p_{00}(x^2) + x\, p_{01}(x^2)$, with $p_{00}(x) = p_0 + p_2 x + p_4 x^2 + \cdots$, $p_{01}(x) = p_1 + p_3 x + p_5 x^2 + \cdots$
$p(\alpha) = p_{00}(\alpha)^2 + \alpha\, p_{01}(\alpha)^2$ (the coefficients are in GF(2), hence $p_{00}(\alpha^2) = p_{00}(\alpha)^2$)
Evaluation of p(α) requires:
- the evaluation of p00(α) and p01(α), of degree n/2
- the computation of 2 squares
- the computation of 1 product α p01(α)^2
- the computation of 1 sum
The procedure can be re-applied iteratively to every p_ij(α) and their descendants.
The evaluation of p00(α) and p01(α) of degree n/2 can be done with: n/2 multiplications, n − 1 additions.
The total number of operations to obtain p(α) is: 3 + n/2 multiplications, n additions.
At each iteration the number of polynomials is doubled and their degrees are halved.
Tree of polynomials (level: polynomials at that level, their number):
level 0: P(x) (1 polynomial)
level 1: P00(x), P01(x) (2 polynomials)
level 2: 4 polynomials
…
level L: P_L0(x), …, P_Lh(x), …, P_Lj(x), …, P_Ls(x) (2^L polynomials)
The reconstruction starts from the bottom level and ends with p(α) after L steps.
Computational complexity
After L steps we have 2^L polynomials of degree n/2^L. Number of operations:
- n/2^L powers of α
- n additions for producing the 2^L values p_Lj(α)
- 2^{L+1} − 2 = 2^L + … + 2 squares of the polynomials p_ij(α)
- 2^L − 1 = 2^{L−1} + … + 1 additions for reconstructing p(α)
- 2^L − 1 = 2^{L−1} + … + 1 products for reconstructing p(α)
Total number of arithmetic operations: 3·2^L − 3 + n/2^L products, n + 2^L − 1 additions
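The split evaluation p(α) = p00(α)^2 + α p01(α)^2 applied recursively down the tree, together with the Chien search of Part I (6) that evaluates σ(z) at every α^j, as one added example (Python) that is not part of the slides. It assumes GF(2^4) built on the primitive modulus x^4 + x + 1 with α = x; the counter of squares and products is there to compare with the operation counts above.

```python
# Added example (Python), not from the slides: GF(2^4) arithmetic (modulus
# x^4+x+1 and alpha = x are assumptions), Horner as the reference, the Part II
# split p(a) = p00(a)^2 + a*p01(a)^2 applied recursively to a polynomial with
# GF(2) coefficients (it relies on p00(a^2) = p00(a)^2, which holds only for
# GF(2) coefficients), and the Chien search of Part I (6), which evaluates an
# error locator sigma(z) with GF(2^m) coefficients at every alpha^j.
M = 4
MODULUS = 0b10011          # x^4 + x + 1, primitive over GF(2)
ALPHA = 0b10               # alpha = x, a primitive element of GF(2^4)

def gf_mul(a, b):
    """Carry-less multiply, reducing modulo x^4 + x + 1 on every shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= MODULUS
    return r

def horner(coeffs, a):
    """Reference evaluation; coeffs[i] in GF(2^4) is the coefficient of x^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, a) ^ c
    return acc

def split_eval(bits, a, ops):
    """p(a) for bits[i] in {0, 1}; ops accumulates [squarings, products]."""
    if len(bits) <= 1:
        return bits[0] if bits else 0
    e = split_eval(bits[0::2], a, ops)   # p00: even-index coefficients
    o = split_eval(bits[1::2], a, ops)   # p01: odd-index coefficients
    ops[0] += 2                          # e^2 and o^2
    ops[1] += 1                          # a * o^2
    return gf_mul(e, e) ^ gf_mul(a, gf_mul(o, o))

def chien_search(sigma):
    """Positions j with sigma(alpha^j) = 0; sigma has GF(2^4) coefficients."""
    positions, x = [], 1
    for j in range(2 ** M - 1):
        if horner(sigma, x) == 0:
            positions.append(j)
        x = gf_mul(x, ALPHA)
    return positions
```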
Optimal value of L
The total number of products is minimized for $2^L \approx \sqrt{n/3}$, i.e. $L \approx \tfrac{1}{2}\log_2(n/3)$, and is then approximately $2\sqrt{3n}$.
The total number of sums can be reduced to about $n/\ln(n)$ by re-utilizing sums in the evaluations of the 2^L polynomials at level L.
Polynomials with coefficients in GF(2^s)
$p(x) = p_0(x) + \alpha\, p_1(x) + \alpha^2 p_2(x) + \cdots + \alpha^{s-1} p_{s-1}(x)$, $p_i(x)$ with coefficients in GF(2)
The computation is reduced to evaluating s polynomials with coefficients in GF(2).
Typical cases: n = 2^m or 2^m − 1.
Asymptotic number of multiplications: $O(\sqrt{n}\,\ln(n))$
Open Problems
- Find an upper bound to the multiplicative complexity necessary to evaluate a polynomial of degree n over finite fields (over infinite fields Horner's rule is optimal, according to Borodin and Munro).
- Can the Berlekamp-Massey algorithm be improved when both t and n are large? (The complexity is t^2 log(t) according to von zur Gathen.)
Open Problems
- Find the minimum number of additions necessary to evaluate a polynomial of degree n over finite fields (over infinite fields Horner's rule is optimal, according to Borodin and Munro).
- Find the constant c(p) such that c(p) n/ln(n) is a tight upper bound to the additive complexity for evaluating a polynomial of degree n over a finite field of characteristic p.
References
- Borodin A., Munro I., The Computational Complexity of Algebraic and Numeric Problems, Elsevier Computer Science Library, New York, 1975.
- Budaghyan L., Carlet C., Classes of Quadratic APN Trinomials and Hexanomials and Related Structures, IEEE Trans. Inform. Theory, 54 (2008), no. 5, 2354–2357.
- Bracken C., Byrne E., Markin N., McGuire G., New families of quadratic almost perfect nonlinear trinomials and multinomials, Finite Fields Appl. 14 (2008), no. 3, 703–714.
- Dillon J., APN polynomials and related codes, conference talk at Banff International Research Station, November 2006.
- Elia M., Schipani D., Improvements on the Cantor-Zassenhaus Factorization Algorithm, http://www.math.uzh.ch/fileadmin/user/davide/publikation/CantorZas26.pdf
- Interlando J.C., Byrne E., Rosenthal J., The Gate Complexity of Syndrome Decoding of Hamming Codes, Proceedings of the Tenth International Conference on Applications of Computer Algebra, 2004, pp. 33–37.
- Knuth D., The Art of Computer Programming, vol. I, II, Academic Press, 1980.
- Schipani D., Elia M., Rosenthal J., Efficient evaluations of polynomials over finite fields, http://arxiv.org/PS_cache/arxiv/pdf/1102/1102.4771v1.pdf