Key Generation of GB Polly Cracker
Cryptosystems
Jeaman Ahn, Eunjeong Lee*,
Hyungju Park (KIAS)
2006. 12. 21.
목차
• Polynomial-based cryptosystems
• Algorithm of key generation
• Security issues
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
2
다항식 기반 암호
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
3
GB Polly Cracker Cryptosystem
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
4
GB Polly Cracker Cryptosystem
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
5
예 (Graph 3-coloring)
Coloring=
{(1,0,0,0,1,0,0,0,1),
(1,0,0,0,0,1,0,1,0),
(0,1,0,1,0,0,0,0,1),
(0,1,0,0,0,1,1,0,0),
(0,0,1,1,0,0,0,1,0),
(0,0,1,0,1,0,1,0,0)}
F={x1+x2+x3+1, y1+y2+y3+1, z1+z2+z3+1,
x1x2, x1x3, x2x3, y1y2, y1y3, y2y3, z1z2, z1z3, z2z3
x1y1, x2y2, x3y3, y1z1, y2z2, y3z3, x1z1, x2z2, x3z3}
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
6
> std(I);
_[1]=z(3)^2+z(3)
_[2]=z(2)*z(3)
_[3]=z(2)^2+z(2)
_[4]=z(1)+z(2)+z(3)+1
_[5]=y(3)*z(3)
_[6]=y(3)^2+y(3)
_[7]=y(2)*z(3)+y(2)+y(3)*z(1)+z(1)
_[8]=y(2)*z(2)
_[9]=y(2)*y(3)
_[10]=y(2)^2+y(2)
_[11]=y(1)+y(2)+y(3)+1
_[12]=x(3)+y(2)*z(3)+y(2)+y(3)*z(1)+y(3)*z(3
)+y(3)+z(1)+z(3)+1
_[13]=x(2)+x(3)*y(2)*z(3)+x(3)*y(3)*z(3)+x(3
)*z(1)+x(3)*z(3)+y(2)*z(3)+y(3)*z(3)+z(1)+z(
3)
_[14]=x(1)+x(2)+x(3)+1
2006-12-21
in(I);
_[1]=z(3)^2
_[2]=z(2)*z(3)
_[3]=z(2)^2
_[4]=z(1)
_[5]=y(3)*z(3)
_[6]=y(3)^2
_[7]=y(2)*z(3)
_[8]=y(2)*z(2)
_[9]=y(2)*y(3)
_[10]=y(2)^2
_[11]=y(1)
_[12]=x(3)
_[13]=x(2)
_[14]=x(1)
2006 SNU-KMS Winter Workshop on
Cryptography
7
키생성
• Input : security parameter (T)
• Output : F, G where I=<F>=<G>,G:GB,
1. Set Dreg with NDreg2 ~ O(T)
–
–
Dreg = Castelnuovo-Mumford regularity
NDreg = maximal matrix size in F5 algorithm
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
8
2. Generate with Dreg
3. Generate a variety V randomly
– V = designed by
4. Construct a Groebner basis G
– <G> = I(V)
5. Generate a generating set F
– F={f: f=random combination of g’s, g G}
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
9
2. , Dreg-> J : monomial ideal
3. V = designed by
4. <G> = I(V)
G={f:f(a)=0,aV} and
<lt(G)>=J
V={ ( 1 , 0 ), ( 1 , 2 ),
( 3 , 1 ), ( 3 , 4 ),
(2 , 3 )}
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
10
예 : 3-coloring
Exponent(S) ={
z3 z2 z1 y3 y2 y1 x3 x2 x1
(0, 0, 0, 0, 0, 0, 0, 0, 0)
(0, 0, 0, 0, 1, 0, 0, 0, 0)
(0, 0, 0, 1, 0, 0, 0, 0, 0)
(0, 1, 0, 1, 0, 0, 0, 0, 0)
(0, 1, 0, 0, 0, 0, 0, 0, 0)
(1, 0, 0, 0, 0, 0, 0, 0, 0)
}
=>
S={1, y2, y3, z2y3, z2, z3}
2006-12-21
Coloring=
{(1,0,0,0,1,0,0,0,1),
(1,0,0,0,0,1,0,1,0),
(0,1,0,1,0,0,0,0,1),
(0,1,0,0,0,1,1,0,0),
(0,0,1,1,0,0,0,1,0),
(0,0,1,0,1,0,1,0,0)}
2006 SNU-KMS Winter Workshop on
Cryptography
11
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
12
Regularity and security
• Regularity of zero-dimensional ideal
– I : homogeneous ideal of R=k[x1,…,xn]
• dimK(R/I) < Rd=Id for dd0 for some d0
x1t1, x2t2,…, xntn in(I)
– m(I) :regularity of I
• dimK(R/I) < m(I) = min{d : dimK(R/I)d =0}
• Field equation
– V Fpn x1p-x1, x2p-x2 ,…, xnp-xn I(V)
dimK(R/I(V)) <
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
13
• Regularity of affine ideal
– Dreg(I) := Dreg (Ih), dim(Ih)≠0
Ih={fh|fh=x0deg(f)f(x1/x0,…,xn/x0)}
– Dreg(I) := Dreg (Ih) = Dreg (Ī),
• Ī = {fd|fd= sum of monomials of
max. deg of fI},
e.g. f(x,y,z)=x3+3xyz+3xz-2x-4, fd=x3+3xyz
• dim(I)=0 dim(Ī)=0
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
14
Security issue
• Security of private key
– Complexity of Groebner basis computation
– Complexity of F5-algorithm for ideal I
• K=F2 -> O(Nd2) : linear algebra of NdxNd matrix for d
≤m(I)
• Dreg = max degree of poly in GB if generators of I are
semi-regular sequence.
• NDreg = nCDreg ≤ nCn/2 ~O(2n)
– Dreg 예측?
– semi-regular sequence가 아니면?
– V : random ? Size?
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
15
예
>ideal I_h=homog(I,w);
> resolution mre_I_h=mres(I_h,0);
> print(betti(mre_I_h),"betti");
0
1
2
3
4
5
6
7
8
9 10
----------------------------------------------------0:
1
3
3
1
1:
- 18 102 243 306 210 72
9
2:
9 72 252 486 558 391 165 39
4
----------------------------------------------------total:
1 21 114 316 558 696 630 400 165 39
4
.;
> regularity(mre_I_h); //--- regularity of I
3
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
16
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
17
• 예: F2, n=80, deg(fk)=2 (HFE)
1 + 80z + 3080z2 + 75760z3 + 1331940z4+17720016z5
+183877240z6 +1506567920z7 + 9687269930z8+ 47105696560z9 +
152100910104z10 + 116968809360z11 - 2135475381260z12 15201837526480z13 +O(z14)
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
18
regularity
22.5
20
17.5
15
12.5
10
7.5
m
50
100
150
200
Expected regularity of m=n random polynomials over F2
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
19
regularity
40
35
30
25
20
15
m
10
20
40
60
80
100
120
Expected regularity of m random polynomials in 80 variables over F2
2006-12-21
2006 SNU-KMS Winter Workshop on
Cryptography
20
© Copyright 2026 Paperzz