Document information: 201 pages, 1 MB.
Applications of Finite Field Computation to Cryptology: Extension Field Arithmetic in Public Key Systems and Algebraic Attacks on Stream Ciphers

Kenneth Koon-Ho Wong
Bachelor of Applied Science (First Class Honours), Queensland University of Technology, 2003

Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Institute, Faculty of Information Technology, Queensland University of Technology, 2008

Keywords: algebraic attacks, clock control, cyclotomic fields, CEILIDH, extension fields, Gauss periods, Karatsuba multiplication, Pomaranch, RC4, stream ciphers, torus-based cryptography, XTR

Abstract

In this digital age, cryptography is largely built in computer hardware or software as discrete structures. One of the most useful of these structures is finite fields. In this thesis, we explore a variety of applications of the theory of arithmetic and computation in finite fields to both cryptography and cryptanalysis.

First, multiplication algorithms in finite extensions of prime fields are explored. A new algebraic description for implementing the subquadratic Karatsuba algorithm and its variants for extension field multiplication is presented. The use of cyclotomic fields and Gauss periods to construct suitable extensions of virtually all sizes for efficient arithmetic is described. These multiplication techniques are then applied to some previously proposed public key cryptosystems based on extension fields. These include trace-based cryptosystems such as XTR, and torus-based cryptosystems such as CEILIDH. Improvements to the cost of arithmetic were achieved in some constructions, owing to the thorough optimisation that the algebraic description makes possible.

Then, for symmetric key systems, the focus is on algebraic analysis and attacks of stream ciphers. Different techniques for computing solutions to an arbitrary system of Boolean equations were considered, and a method of analysing and simplifying the system using truth tables and graph theory has been investigated. Algebraic analyses were performed on stream ciphers based on linear feedback shift registers where clock control mechanisms are employed, a category of ciphers that had not previously been analysed using this method. The results are successful algebraic attacks on various clock-controlled generators and cascade generators, and a full algebraic analysis of the eSTREAM cipher candidate Pomaranch. Some weaknesses in the filter functions used in Pomaranch have also been found.

Finally, some non-traditional algebraic analyses of stream ciphers are presented. An algebraic analysis of the word-based RC4 family of stream ciphers is performed by constructing algebraic expressions for each of the operations involved, and it is concluded that each of these operations contributes significantly to the overall security of the system. As far as we know, this is the first algebraic analysis of a stream cipher that is not based on linear feedback shift registers. The possibility of using binary extension fields and quotient rings for algebraic analysis of stream ciphers based on linear feedback shift registers is then investigated. Feasible algebraic attacks on generators with nonlinear filters are obtained, and algebraic analyses of more complicated generators with multiple registers are presented. This new form of algebraic analysis may prove useful and thereby complement the traditional algebraic attacks.

This thesis concludes with some future directions that can be taken and some open questions. Arithmetic and computation in finite fields will certainly be an important area for ongoing research as we are confronted with new developments in theory and exponentially growing computer power.

Declaration

The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.

Signed: Date:

Acknowledgements

The quality and quantity of the research presented in this thesis would not have been achieved without my supervisors, Gary Carter and Ed Dawson, who have provided me with every help, support and encouragement throughout the seemingly They have spent numerous hours with me suggesting research directions, discussing problems and reviewing writings. I sincerely pay my highest regards to their kindness and professionalism.

I have been fortunate to be able to work with many other researchers during my research. I would like to thank Winfried Müller, who warmly hosted my visit for three weeks at the Department of Mathematics, University of Klagenfurt, Austria. I have gained much from working with colleagues while there. I would like to thank Sultan Al-Hinai, Lynn Batten, Bernard Colbert, and Subhamoy Maitra, whom I have had the honour to meet in the last few years. They have provided me with comments and suggestions to improve various aspects of my research. In particular, I have enjoyed the close collaboration with Sultan Al-Hinai, my fellow PhD student, as well as his supervisors, Matt Henricksen, Bill Millan and Leonie Simpson, at the Information Security Institute. Together, Sultan and I have achieved two joint publications, where each of us contributed in our strength toward some nice results. The collaborative work appears in Sections 5.4-5.6 of this thesis. I would like to also thank Lynn Batten for her organisation in making the two publications possible, and also for inviting me to speak at one of her workshops. I would like to thank Gregory Bard and Richard Brent for providing valuable comments that have improved some of the work contained in Section 3.3 significantly.

My colleagues at both the Information Security Institute and the School of Mathematical Sciences, Faculty of Science have undoubtedly given me a warm atmosphere in which I can comfortably work on my research. I greatly appreciate their friendship and the discussions that inspire me much. I would like to thank the Australian Commonwealth Government, Queensland University of Technology, and the Information Security Institute for providing generous scholarships and subsidies for my studies. I would also like to thank the Information Security Institute and the School of Software Engineering and Data Communications, Faculty of Information Technology for providing me with both the opportunities and funds for my local, interstate and overseas travels and studies at various conferences and workshops. I would also like to thank the internal review panel, comprising Colin Boyd, Gary Carter, Ed Dawson and Ian Turner, for spending time reviewing my thesis and final seminar, and providing valuable comments to improve the quality of the thesis submission. Last but not least, I would like to give sincere appreciation to the Dean's Scholars Program offered to me through the Faculty of Science as part of my undergraduate studies, which has prepared me with the skills and knowledge to conduct research at the academic level, and paved my way towards the completion of a doctoral degree.

B.2 LIST OF GAUSSIAN NORMAL BASES

[Table B.2: Gaussian Normal Bases for ≤ n ≤ 14; columns n, k, r, l; the table body is not recoverable from this copy]
of Cryptology, 18:337–355, 2005 [97] V E Voskresenski˘ı Algebraic Groups and Their Birational Invariants Translations of Mathematical Monographs American Mathematical Society, Providence, Rhode Island, 1999 [98] Andr´e Weimerskirch and Christof Paar Generalizations of the Karatsuba algorithm for polynomial multiplication Technical report, Cryptology ePrint Archive, 2002 http://eprint.iacr.org/2006/224.pdf [99] Douglas H Wiedemann Solving sparse linear equations over finite fields IEEE Transactions in Information Theory, IT-32(1):54–62, 1986 [100] Kenneth Wong The XTR publickey system Honours Thesis, Queensland University of Technology, 2003 BIBLIOGRAPHY 177 [101] Kenneth Wong, Gary Carter, and Ed Dawson Implementation ofextension field arithmetic with applicationsto torus-based cryptography In Workshop on General Algebra, AAA 70, volume 17 of Contributions on General Algebra, Vienna, Austria, 2005 Johannes Heyn [102] Kenneth Koon-Ho Wong, Bernard Colbert, Lynn Batten, and Sultan AlHinai Algebraicattackson clock-controlled cascade ciphersIn Rana Barua and Tanja Lange, editors, Progress inCryptology - Indocrypt 2006, volume 4329 of Lecture Notes in Computer Science, pages 32–47, Kolkata, India, 2006 Springer [103] Bo-Yin Yang and Jiun-Ming Chen All in the XL family: theory and practice In Choonsik Park and Seongtaek Chee, editors, Information Security andCryptology - ICISC 2004, volume 3506 of Lecture Notes in Computer Science, pages 67–86, Seoul, Korea, 2004 Springer [104] Kencheng Zeng, Chung-Huang Yang, and T R N Rao An improved linear syndrome algorithm in cryptanalysis with applicationsIn Alfred J Menezes and Scott A Vanstone, editors, Advances inCryptology - Crypto ’90, volume 537 of Lecture Notes in Computer Science, pages 34–47 Springer, 1990 [105] Erik Zenner On the efficiency of the clock control guessing attack In Pil Joong Lee and Chae Hoon Lim, editors, The 5th International Conference on Information Security andCryptology - ICISC 2002, volume 2587 of 
Lecture Notes in Computer Science, pages 200–212, Seoul, Korea, 2002 Springer [106] M V Zivkovic An algorithm for the initial state reconstruction of the clock-controlled shift register IEEE Transactions on Information Theory, 37(5):1488–1490, 1991 [107] Bartosz Zoltak VMPC one-way function andstream cipher In Bimal Roy and Willi Meier, editors, Fast Software Encryption, volume 3017 of Lecture Notes in Computer Science, pages 210–225, Delhi, India, 2004 Springer [108] Dan Zuras More on squaring and multiplying large integers IEEE Transactions on Computers, 43(8):899–908, 1994 ... analysis to a suite of ciphers and to develop improved means of generating and solving systems of equations representing the actions of ciphers 1.2.1 Extension Field Arithmetic The arithmetic of finite... Journal of Combinatorics and the proceedings of Finite Fields and Applications held in 2007 in Melbourne, Australia Finally, Chapter summaries the main findings of the research, and draws conclusions... variety of applications of the theory and applications of arithmetic and computation in finite fields in both the areas of cryptography and cryptanalysis First, multiplication algorithms in finite extensions