# Download Advances in Cryptology – EUROCRYPT 2012: 31st Annual by Antoine Joux (auth.), David Pointcheval, Thomas Johansson PDF

By Antoine Joux (auth.), David Pointcheval, Thomas Johansson (eds.)

ISBN-10: 3642290116

ISBN-13: 9783642290114

This book constitutes the refereed proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2012, held in Cambridge, UK, in April 2012.

The 41 papers, presented together with 2 invited talks, were carefully reviewed and selected from 195 submissions. The papers are organized in topical sections on index calculus, symmetric constructions, secure computation, protocols, lossy trapdoor functions, tools, symmetric cryptanalysis, fully homomorphic encryption, asymmetric cryptanalysis, efficient reductions, public-key schemes, security models, and lattices.

$x_m) \in V^m$ such that $S_{m+1}(x_1, \ldots, x_m, (R)_x) = 0$. Clearly, this problem is a particular instance of Problem 2.

2 A Linearization Strategy for Solving ECDLP over $\mathbb{F}_{2^n}$

We now apply the analysis of Section 3 to Problem 3. Let $\alpha$, $1/2 < \alpha < 1$, be a parameter that will be optimized later. We set $n' := n^{\alpha}$ and $m := n^{1-\alpha}$ as in Lemma 2. According to Proposition 1, the $(m+1)$th Semaev's polynomial $S_{m+1}$ can be computed in time $O(2^{t_1})$, where $t_1 \approx m^2 \approx n^{2(1-\alpha)}$. For each relation computed in the sieving stage, we generate and solve an instance of Problem 2 where $f$ has degree $2^{m-1}$ with respect to each of the $m$ variables.

Following Diem [14], we use summation polynomials in the sieving stage of an index calculus algorithm. Let $V$ be a vector subspace of $\mathbb{F}_{2^n}/\mathbb{F}_2$ with a dimension $n'$ to be fixed later. We define the factor basis $F_V$ as $F_V := \{(x, y) \in E(\mathbb{F}_{2^n}) \mid x \in V\}$. Since the abscissas of points $\in E$ are uniformly distributed in $\mathbb{F}_{q^n}$ [13,14], we can assume that the set $F_V$ has size about $2^{n'}$. During the sieving stage, we compute about $2^{n'}$ relations $P_\infty = a_i P + b_i Q + \sum_{P_j \in F_V} e_{ij} P_j$ with $P_j \in F_V$ for randomly chosen integer couples $(a_i, b_i)$.

Mf )V ]↓n for all monomials in Mon(d) with d is the smallest integer with $M(d) < E(d)$. 3. We want to demonstrate that a random square submatrix of size $M \times M$ of M is full rank. We recall that the probability that a random $N \times M$ boolean matrix has rank $r$ is

$$P(N, M, r) = 2^{-NM} \prod_{j=0}^{r-1} (2^N - 2^j) \prod_{j=0}^{r-1} (2^M - 2^j) \Big/ \prod_{j=0}^{r-1} (2^r - 2^j).$$

9%. For this reason, we consider submatrices M of M of size $(M + 5) \times M$. 999982%. We repeated the test 100 times and deduced an approximation of the success probability.