Advances in Cryptology – EUROCRYPT 2012: 31st Annual by Antoine Joux (auth.), David Pointcheval, Thomas Johansson

By Antoine Joux (auth.), David Pointcheval, Thomas Johansson (eds.)

This book constitutes the refereed proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2012, held in Cambridge, UK, in April 2012.
The forty-one papers, presented together with 2 invited talks, were carefully reviewed and selected from 195 submissions. The papers are organized in topical sections on index calculus, symmetric constructions, secure computation, protocols, lossy trapdoor functions, tools, symmetric cryptanalysis, fully homomorphic encryption, asymmetric cryptanalysis, efficient reductions, public-key schemes, security models, and lattices.

From these structures, we deduce the following result.

Lemma 1. Let $f \in \mathbb{F}_{2^n}[x_1, \dots, x_m]$ be a multivariate polynomial with degree $< 2^t$ in each variable. Let $e_1, \dots, e_m \in \mathbb{N}$ and $m = \prod_{i=1}^{m} x_i^{e_i}$ be a monomial of $\mathbb{F}_{2^n}[x_1, \dots, x_m]$. There exist polynomials $p_{j,k} \in \mathbb{F}_2[y_{1,1}, \dots, y_{m,n}]$ such that $[(mf)^{\downarrow}_V]_k = \sum_{j=1}^{n} p_{j,k}\,[f^{\downarrow}_V]_j$. Each polynomial $p_{j,k}$ has degree $\le W(e_i)$ with respect to every block of variables $X_i = \{y_{i,1}, \dots, y_{i,n}\}$, $1 \le i \le m$. t. each block of variables $X_i$, $1 \le i \le m$.

K ∈ F2n \ {(0, . . , 0)} such that β1 (g2 )V + β2 (g2 )V + · · · + i βk (g2 k )V = 0. This simple example can be easily generalized to $g = mf$ with $m$ a monomial. Such linear dependency can be clearly prevented during the generation of equations $[(mf)^{\downarrow}_V]_i$'s by considering monomials $m = \prod_{i=1}^{m} x_i^{e_i}$, with 0 ≤ ei < 2n < 2n .

4 Description of the Linearization Algorithm

For any positive integer $d$, let MLinMonB($d$) be the set of multi-linear monomials in $\mathbb{F}_2[y_{1,1}, \dots, y_{m,n}]$ of degrees $\le d$ with respect to each block Xi = {yi,1 , .

This simple algorithm, which we call Sub-Macaulay, is not aimed to be optimal in practice but to derive complexity bounds. The general linearization strategy and our analysis below rely on a heuristic assumption formalized below:

Assumption 1. With a probability exponentially close to one, the equations generated by Algorithm 1 are linearly independent.

Particularly, the assumption states that the solutions of $S_{lin}$ are in one-to-one correspondence with the solutions of Problem 2.

5 Complexity Bounds for Solving Problem 2

We now derive an upper bound on the complexity of Algorithm 1.

