In this Section, we will give an example to show how to use our technique to find all the polynomial isomorphism classes. In this example, we will restrict our polynomial to be over finite fieldF4.
Let P be the set of all homogeneous quadratic polynomial systems overF4
with 3 variables and 3 polynomials, that is P=
f1(x1, x2, x3) f2(x1, x2, x3) f3(x1, x2, x3)
|fi(x1, x2, x3)∈F4[x1, x2, x3] is homogeneous and quadratic
Following our convention, we ”lift”PfromF43onto extension fieldF43 by the standard isomorphismφ:F43 →F43. In φ−1◦P◦φ, the univariate polynomial
14
Using the technique introduced in last section, we can divide P into four parts which are determine the number of linearly equivalence classes of the 236 polynomials in P. And it is known that|GL3(F4)|= 181440.
5.1 Experiment results
Now we show the results of the example:
Step 1ClassifyP using matrix equivalence relation.
As we know polynomials inG ∪{0}can not be linearly equivalent to polynomials in F andM. And the polynomials inG ∪ {0}are all in one matrix equivalence class. Therefore in the first step actually we classify P/(G ∪ {0}), i.e. F ∪ M, using matrix equivalence relation. ForΨ1(F) =Ψ1(F), actually we classifyF.
Experiment results show thatFis divided into 43 matrix equivalence classes, suppose that
By theorem 4 (i) we know that
|A1|=|GL3(F4)|/|Stab(Ψ1(A1))|= 181440/1 = 181440
15 Step 2Classify{A1+G ∪ {0}}using linearly equivalence relation.
By the analysis in previous section and|Stab(Ψ1(A1))|= 1 we know that for any polynomial in {A1+G ∪ {0}}, sayh=f +g with f ∈ A1 and g∈ {G ∪ {0}},
|Stab(h)| = 1. Thus every element in {A1+G ∪ {0}} is in different linearly equivalence class which has exact 181440 polynomials, which means{A1+G ∪ {0}}is divided into 49 linearly equivalence classes.
Step 3 Classify {Bi+G ∪ {0}} for 1 ≤ i ≤ 21 using linearly equivalence relation.
It is easy to compute that the cardinality of{Bi+G ∪ {0}}is|Bi| × |G ∪ {0}|= 3780×49for 1≤i≤21.
Experiment results show that {Bi+G ∪ {0}} is divided into 6742 linearly equivalence classes, which are in four sorts. There are 160 linearly equivalence classes in the first sort and the order of polynomial stabilizer of the elements in any of these classes is 4. In the second sort, there is only one linearly equivalence class whose polynomial stabilizer has 3 elements. In the third sort, there are 2320 linearly equivalence classes and any class has polynomial stabilizer with order 2. At last in the forth sort, there are 4261 linearly equivalence classes and the polynomial stabilizer of each class has only one element, i.e. the identical transformationX. Thus we can suppose that
{Bi+G ∪ {0}}=
Thus the number of polynomials in the 6742 linearly equivalence classes is 160×181440
Experiment results show that {Cj +G ∪ {0}} is divided into 274 linearly equivalence classes, which are in ten sorts. In the equation below we use the
16
notationC(k)to denote the equivalence classes in thekth sort:
{Cj+G ∪ {0}}=[
Thus the number of polynomials in the 274 linearly equivalence classes is 181440×( 1 Step 5ClassifyG ∪ {0}using linearly equivalence relation.
Experiments show that G ∪ {0} is divided into 44 linearly equivalence classes which are in four sorts:
17
3. |G(3)j |= 181440/2880 for 1≤j≤21;
Thus the number of polynomials in the 44 linearly equivalence classes is 1×181440 + 21×181440
48 + 21×181440
2880 + 1×1 = 49 which means
|G ∪ {0}|=|G(1)1 |+ X21
i=1
|G(2)i |+ X21 j=1
|G(3)j |+|{0}|
ThereforeP is divided into
49+ 21×6742 + 21×274 + 43 + 1 = 409524 different linearly equivalence classes.
Table 1.Classification ofP
A1+G ∪ {0} Bi+G ∪ {0} Ci+G ∪ {0} G ∪ {0} Cardinality 181440×49 3780×49 63×49 49
No. of classes 49 6742 274 44
|Stab(Ψ1(f))| 1 48 2880 181440
In the above table the index iis between 1 and 21.
Table 2.Classification ofBi+G ∪ {0}(1≤i≤21)
Bi,j(1)1 B(2)i,1 Bi,j(3)3 Bi,j(4)4 No. of classes 160 1 2320 4261
|Stab(f)| 4 3 2 1
No. ofg 12 16 24 48
No. of polys 45360 60480 90720 181440
5.2 Brief analysis of the results
We analyze the complexity of this example briefly as the argument for that the algorithms given in this paper is much more effective than the exhaustive search algorithm. The exhaustive search algorithm is straightforward, that is we randomly pick a polynomial from P and let l run though all the invertible transformations, then we get one linearly equivalence class and remove it from P. We repeat this process until all polynomials inP are considered.
18
Table 3.Classification ofCj+G ∪ {0}(1≤j≤21)
Cj,1(1) Cj,1(2) Cj,i(3)3 Cj,1(4) Cj,i(5)5
No. of classes 1 1 30 1 53
|Stab(f)| 480 288 96 60 48
No. ofg 6 10 30 48 60
No. of polys 378 630 1890 3024 3780 Cj,i(6)6 Cj,i(7)7 Cj,i(8)8 Cj,i(9)9 Cj,i(10)10 No. of classes 20 20 5 120 23
|Stab(f)| 10 6 4 2 1 No. ofg 288 480 720 1440 2880 No. of polys 18144 30240 45360 90720 181440
From the experiment results we know that there are totally 409524 different linearly equivalence classes and |GL3(F4)| = 181440 which is the number of all invertible linear transformations, thus for the exhaustive search algorithm we have to do 409524×181440 ≈236 operations. We note that one operation involves composition and comparison of two polynomials.
Then let us consider the algorithms given in this paper. In the first step, using algorithm 1, it is also exhaustive search algorithm, however, in this step we just consider the matrix equivalence classes, thus according to the result of step 1 we know that we have done 44×181440≈223operations. By theoretical analysis in step 2 we do nothing. In step 3, by algorithm 2 and result of step 1, we need 21×6742×48 ≈ 223 operations. In step 4, the process is similar to that in step 3, we need 21×274×2880 ≈224 operations. In the last step, it uses exhaustive search algorithm which needs 44×181440≈223 operations by its result. Therefore the total operations needed for the algorithms are 223+ 223+ 224+ 223 ≈225.3 which is less than 226. By analysis above we get that the algorithms given in this paper are much more effective than the exhaustive search algorithm for this example.
There are some improvements in the algorithms given in this paper compared with the naive exhaustive search algorithm. In step 1 we use algorithm 1 which is actually an exhaustive search algorithm, but it is in the set of triangular polynomials, i.e.F as opposed toP. FornF ¿nP, it is more feasible. And the theoretical analyses in step 2 save us the most time. In step 3 and 4, we use algorithm 2 in which the cycle forl is in a subgroup as opposed to all invertible linear transformations. Thus the two step are more effective. In the last step, similar to step 1, the exhaustive search is inG ∪ {0}which is more feasible when qandnis small.
6 Conclusion
In this article, we present an efficient method to decide the exact number of equivalence classes in the case of IP1S problem for even characteristic ground
19 field exceptF2. This algorithm is far more efficient than the exhaustive search method. However the efficiency of the algorithm is not totally understood. More research will be needed.
References
1. Dongdai Lin, Jean-Charles Faug`ere, Ludovic Perret, and Tianze Wang. On enumer-ation of polynomial equivalence classes and their applicenumer-ation to mpkc. manuscript, 2009.
2. T. Matsumoto and H. Imai. Public Quadratic Polynomial-tuples for efficient signature-verification and message-encryption. InEurocrypt, volume 88, pages 419–
453. Springer.
3. A.S. Fraenkel and Y. Yesha. Complexity of solving algebraic equations.Information Processing Letters, 10(4-5):178–179, 1980.
4. C. Wolf and B. Preneel. Large superfluous keys in multivariate quadratic asymmetric systems. Proceedings of Public Key Cryptography-PKC 2005, 3386:275–287.
5. V. Dubois, P.A. Fouque, and J. Stern. Cryptanalysis of sflash with slightly modified parameters. Lecture Notes in Computer Science, 4515:264, 2007.
6. V. Dubois, P. Fouque, A. Shamir, and J. Stern. Practical cryptanalysis of SFLASH.
LECTURE NOTES IN COMPUTER SCIENCE, 4622:1, 2007.
7. C. Bouillaguet, P.A. Fouque, A. Joux, and J. Treger. A Family of Weak Keys in HFE (and the Corresponding Practical Key-Recovery).
8. J. Patarin. Hidden fields equations (HFE) and isomorphisms of polynomials (IP):
Two new families of asymmetric algorithms. Lecture Notes in Computer Science, 1070:33–48, 1996.
9. A. Kipnis and A. Shamir. Cryptanalysis of the HFE public key cryptosystem by relinearization. Lecture Notes in Computer Science, pages 19–30, 1999.