Please stop the hype and move away from discipling things you don’t understand. 🙂

Lexicon:

AIDA == Cube

t: [i_1,..i_n] on p.2, l.2 == C_I, with I={i_1,..,i_n}

Instead of [ ] read “less” and “more”, which do not make it into the preview.

http://eprint.iacr.org/2007/413

([27] in Dinur/Shamir)

Maybe this paper is a bit of help to understand the AIDA/Cube attack. Please note that (shame on me 😉) I was not aware of the ANF concept in 2007, hence the ENF I “introduced” there is thus the ANF.

What remains unsolved, and also by Dinur/Shamir, is how to find some linear (in the key vars) parts of the full ANF (algebraic normal form) in some poly-bounded time.

This is what I call Phase A, and which takes “several weeks” also with D/S, (Sect. 7.3, l. 3).

Lexicon:

AIDA == Cube

t: on p.2, l.2 == C_I, with I={i_1,..,i_n}

Prop. 3 == Thm. 1

Prop. 3 == Thm. 2 (equivalent to Thm 1 with C_I replaced by C_I union {x_j})

Table p.5 (for t >= 625), last l. of Sect 7. (for t=640) == Tables 1,2 (for t >= 672, 770, resp.)

Personally, I prefer to be proud and happy to have anticipated Adi Shamir by almost a year, instead of mumbling about plagiarism. Anyway, now OUR attack receives the deserved public attention.

Still thinking on this one. Parts of me say “bl***y obvious”, which begs the question “why has it not been thought of before?”. Which my gut tells me is a sure indicator that it’s a little fissure that is going to get a very sharp wedge driven into it and therefore turn into a very big crack quite unexpectedly.

My other thought is it explains why GCHQ amongst others has been looking for maths bods with theoretical FWT type skills.

(3) Yes, k needs to be large – but that is not in itself news; too small a k just makes brute-force key guessing possible. However, a large k does not ensure that the polynomial degree will be high. (Consider treehouse cryptography: a 128-bit key is xored into each 128-bit plaintext bit for bit. Here n+k is 256, but all polynomials have degree 1!) The key to resilience against this attack is to get the *actual* degree of the polynomial closer to the n+k maximum.

(4) I don’t think it is a good description of the attack to say that algebraic manipulations reduce the degree of the original polynomials. The degrees need to be low to begin with, and in the black-box mode the original polynomials are never known exactly at all.

(1) Digital cryptosystems are bit-vector-valued functions of an m-bit message M and a k-bit key K;

(2) All such functions are representable by sets of m+k-order polynomial functions of M and K, one polynomial for each ciphertext bit, in consequence of the x*x=x property;

(3) A necessary condition for practical security is that k be “large”, ensuring that the order of the polynomials is high, making the system of equations difficult to invert;

(4) “Large” k is not a sufficient condition for security, because a poorly designed cryptosystem may be subjected to chosen-plaintext attacks that permit the attacker to carry out algebraic operations that reduce the order of some of the polynomials. Potentially drastic reductions are possible;

(5) This sort of attack had been known for some special cryptosystems, but Dinur and Shamir have now developed a general methodology that can apply this order-reduction attack to any cryptosystem.

(6) This methodology can be applied to validate cryptosystems, by verifying that all the ciphertext bits correspond to irreducibly high-order polynomials.

Is that about right?
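The two preceding comments describe the attack in prose: every output bit is a GF(2) polynomial in public and key bits, "large k" says nothing about the actual degree, and in black-box mode the polynomial is never seen, only summed over chosen plaintexts. The following Python is an added illustration, not code from this thread or from the Dinur/Shamir or AIDA papers. The cipher is a constructed toy: one output bit as a small polynomial in 4 public bits and 3 key bits, and the cubes are supplied by hand (the costly search for good cubes, "Phase A" above, is exactly what is not automated here). Names such as toy_bit, cube_sum and anf_degree are this example's own.

```python
"""Toy walkthrough of cube summation and ANF degree over GF(2).

Constructed example; not the code or the polynomials of any real cipher.
"""
from itertools import product
import random


def toy_bit(v, k):
    """Constructed black-box output bit: polynomial in public bits v[0..3]
    and key bits k[0..2] (& is AND, ^ is XOR; & binds tighter than ^)."""
    return (v[0] & v[1] & k[0] ^ v[0] & v[1] & v[2] ^ v[1] & v[2] & k[1]
            ^ v[2] & v[3] & k[2] ^ v[0] & v[3] & k[0] & k[1]
            ^ v[0] & v[1] ^ v[3] ^ k[0] & k[1] & k[2]) & 1


def cube_sum(f, n, cube, key):
    """Sum (XOR) f over every assignment of the public bits indexed by `cube`,
    all other public bits held at 0.  Over GF(2) this equals the superpoly
    p_I(key) of the monomial t_I = prod(v[i] for i in cube)."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * n
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= f(v, key)
    return acc


def superpoly_is_linear(f, n, cube, klen, trials=32, rng=None):
    """Linearity test on p_I: p(a) ^ p(b) ^ p(0) ^ p(a^b) == 0 for all a, b.
    Exhaustive for tiny key sizes, random sampling otherwise."""
    p = lambda key: cube_sum(f, n, cube, key)
    p0 = p([0] * klen)
    if klen <= 5:
        pairs = product(product((0, 1), repeat=klen), repeat=2)
    else:
        rng = rng or random.Random(0)
        pairs = ((tuple(rng.randint(0, 1) for _ in range(klen)),
                  tuple(rng.randint(0, 1) for _ in range(klen)))
                 for _ in range(trials))
    for a, b in pairs:
        ab = tuple(x ^ y for x, y in zip(a, b))
        if p(a) ^ p(b) ^ p0 ^ p(ab):
            return False
    return True


def linear_superpoly(f, n, cube, klen):
    """Offline phase: with the key under our control, read off the constant
    and coefficients of a linear superpoly p_I(k) = const + sum coefs[j]*k[j]."""
    const = cube_sum(f, n, cube, [0] * klen)
    coefs = []
    for j in range(klen):
        e = [0] * klen
        e[j] = 1
        coefs.append(cube_sum(f, n, cube, e) ^ const)
    return const, coefs


def solve_gf2(rows, klen):
    """Gaussian elimination over GF(2).  rows = [(coefs, rhs)].
    Returns the key bits if the system determines them uniquely, else None."""
    m = [list(c) + [r] for c, r in rows]
    pivots, r = [], 0
    for col in range(klen):
        piv = next((i for i in range(r, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        for i in range(len(m)):
            if i != r and m[i][col]:
                m[i] = [x ^ y for x, y in zip(m[i], m[r])]
        pivots.append(col)
        r += 1
    if len(pivots) < klen:
        return None
    sol = [0] * klen
    for i, col in enumerate(pivots):
        sol[col] = m[i][klen]
    return sol


def cube_attack(f, n, klen, secret_key, cubes):
    """Keep only cubes with linear superpolys, derive one linear equation per
    cube from black-box sums under the secret key, and solve for the key."""
    rows, kept = [], []
    for cube in cubes:
        if not superpoly_is_linear(f, n, cube, klen):
            continue                       # nonlinear superpoly: discard cube
        const, coefs = linear_superpoly(f, n, cube, klen)     # offline
        rhs = cube_sum(f, n, cube, secret_key) ^ const         # online
        rows.append((coefs, rhs))
        kept.append(tuple(cube))
    return solve_gf2(rows, klen), kept


def anf_degree(func, nvars):
    """Degree of the algebraic normal form of a black-box Boolean function
    on nvars bits, via the Möbius transform of its truth table."""
    size = 1 << nvars
    tt = [func([(x >> i) & 1 for i in range(nvars)]) & 1 for x in range(size)]
    for i in range(nvars):              # coefficient of x_S = XOR of f over subsets of S
        bit = 1 << i
        for x in range(size):
            if x & bit:
                tt[x] ^= tt[x ^ bit]
    return max((bin(x).count("1") for x in range(size) if tt[x]), default=0)


if __name__ == "__main__":
    print(cube_attack(toy_bit, 4, 3, [1, 0, 1], [(0, 1), (1, 2), (2, 3), (0, 3)]))
    print(anf_degree(lambda b: toy_bit(b[:4], b[4:]), 7))
    # "treehouse" cipher scaled to 6 public + 6 key bits: still degree 1
    print(anf_degree(lambda b: b[0] ^ b[6], 12))
```

The cube (0, 3) is rejected by the linearity test because its superpoly is k0·k1; the other three give k0 + 1, k1 and k2 and determine the key. The last two calls make the comment's point about degree concrete: the toy polynomial has ANF degree 4 on 7 variables, while a plain key-XOR cipher has degree 1 however many key bits it carries. Note that the cube search itself, the part the thread says still takes weeks, is what the hand-picked cube list stands in for.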

So I will print the paper and, with it in hand, make some hapless mathematician’s life a burden to him/her by demanding a translation of the “good parts” at every opportunity.

This practice has some unanticipated side benefits — sometimes I will go for weeks without even the sight of a mathematician and can clear the crowd from in front of the coffeemaker by waving any sheaf of paper with an excited “Hey, I’ve been looking for you …” 🙂

— Ishmael

“Posted by: 2’s complement at September 14, 2008 8:23 PM”

There, fixed that for you, Mr. Mathematical Background. Jerk.
