Experimental Results for Mutant Variants of the LA Algorithmthe LA Algorithm

In this section, we report on some experiments with the mutant variants of the LA Algorithm. This section is a continuation of Section 3.3. We follow the notation and terminology defined in Section 3.3 to report on experimental results. We try to see what can be improved using mutant strategy without exploiting possible sparseness of a system. In particular, we restrict ourself to dense matrix computations. More-over, we compare some of the timings we obtained to the straightforward Gr¨obner basis approach. We report experimental results using EF (see Section 3.3) for rank computations.

As in Section 3.3, the cryptosystems considered to construct algebraic systems of equations are HFE (Hidden Field Equations) and CTC (Courtois Toy Cipher). For more details about these cryptosystems and related algebraic systems of equations see

Section 2.3. Finally, note that the only time consuming step in the LA Algorithm is to solve linear systems. Throughout this section, we consider the timings only for calculating echelon forms. The timings for extracting linear systems are ignored, since they were not implemented efficiently and should be seen as a preprocessing step.

Throughout this section we measure time in seconds unless otherwise mentioned. All timings were obtained on a computer with a 2.1 GHz AMD Opteron 6172 processor and 64GB RAM. The implementations of the algorithms of Propositions 3.4.13 and 3.5.4 are available online as a part of the ApCoCoA [12] package charP. For more details about implementations see Appendix B.

3.6.1 Experimental Results for HFE

Consider algebraic systems of equations constructed from the HFE cryptosystem. Since these systems are determined, we represent the size of each system by using the number of variables in the system. For instance, HFE(6) means an instance of HFE with 6 equations and six variables. The systems were constructed to have a unique solution.

In Table 3.6 we compare the sizes of the resulting linear systems from three variations of the LA Algorithm. Note that Table 3.6 shows the size of the biggest linear system that was formed to solve a particular instance of HFE. The “∗” in the first column for a system means that there are some mutants in this system.

System Equations Variables LA MLA MLA2

HFE(6)^∗ 6 6 57×169 42×93 42×48

HFE(7)^∗ 7 7 99×253 64×98 64×69

HFE(8)^∗ 8 8 163×361 93×128 93×97

HFE(9) 9 9 256×496 256×441 130×333

HFE(10) 10 10 386×661 386×595 325×387

HFE(11) 11 11 562×859 562×781 562×756

HFE(12) 12 12 794×1093 794×1002 794×989

HFE(13)^∗ 13 13 2380×4915 1093×2886 1093×1247

Table 3.6: HFE size comparison using LA, MLA and MLA2 algorithms

In Table 3.7, we collect the sizes of the resulting polynomial systems from the HFE cryptosystem over F2 and compare the timings for their solution with different approaches. See the results in Table 3.7. Each timing represents the total time taken by EF to calculate echelon forms of all the matrices during the process of solving a particular instance of HFE. The fifth column shows the time taken by the computation

System LA MLA MLA2 GBasis

HFE(6)^∗ 0 0 0 0.01

HFE(7)^∗ 0 0 0 0.02

HFE(8)^∗ 0 0 0 0.13

HFE(9) 0 0 0 0.26

HFE(10) 0.05 0.06 0.04 0.8 HFE(11) 0.3 0.35 0.33 3.15

HFE(12) 0.6 0.6 0.7 31.24

HFE(13)^∗ 15 10 2 349

Table 3.7: HFE time comparison using LA, MLA and MLA2 algorithms

of a Lex Gr¨obner basis in CoCoA [51].

3.6.2 Experimental Results for CTC

Given the CTC cryptosystem and a plaintext-ciphertex pair, we construct an overde-termined algebraic system of equations in terms of the indeterminates representing key bits and certain intermediate quantities. The task is to solve the system for the key bits. As we saw in Section 3.3, substitution of linear and quadratic equations results in an equation system in the key variables only. We present our experimental results with this level of substitution as it is more suitable for computation with dense matrices.

System Equations Variables LA MLA MLA2

CTC(2,2)₂ 13 3 8×14 8×8 8×8

CTC(2,3)^∗₂ 28 6 64×197 64×91 42×61

CTC(3,2)^∗₂ 44 7 128×352 128×133 100×128

CTC(3,3)^∗₂ 42 9 512×1933 485×903 485×384

CTC(3,4)^∗₂ 42 9 512×1933 512×2663 256×309

Table 3.8: CTC(B,N)₂ size comparison using LA, MLA and MLA2 algorithms In Table 3.8, we compare the sizes of the resulting linear systems from three vari-ations of the LA Algorithm. As usual Table 3.8 shows the size of the biggest linear system that was formed to solve CTC(B,N)₂. The “∗” in the first column for a system means that there are some mutants in this system. The order of the biggest matrix to solve CTC(3,4)^∗₂ by MLA is 512×2663. Whereas the order of the biggest matrix to solve CTC(3,4)^∗₂ by LA is 512×1933. This is due to the reason that there are lots of mutants in this system. This issue is adjusted by MLA2.

System LA MLA MLA2 GBasis

CTC(2,2)₂ 0 0 0 0

CTC(2,3)^∗₂ 0 0 0 0.09

CTC(3,2)^∗₂ 0 0 0 0.14

CTC(3,3)^∗₂ 1 1 0.11 0.83 CTC(3,4)^∗₂ 0.7 1.5 0.3 2.99

Table 3.9: CTC(B,N)₂ time comparison using LA, MLA and MLA2 algorithms

Each timing in Table 3.9 represents the total time taken by EF to calculate echelon forms of all the matrices during the process of solving CTC(B,N)₂. The fifth column shows the time taken by the computation of a Lex Gr¨obner basis in CoCoA [51]. We see that in practice the improved mutant LA is an improvement for memory efficiency over the original mutant LA. For systems for which mutants are produced during the computation, the mutant LA is better than the LA. If no mutants occur, the mutant LA behaves identically to the LA. The improved mutant LA Algorithm is the most efficient even if there are no mutants.

Experimentally, we can conclude that the MLA2 algorithm is an improvement over the MLA algorithm. Not only can MLA2 solve multivariate systems at a lower degree than the usual LA but also can solve these systems using a smaller number of polyno-mials than the MLA algorithm, since we produce all possible new equations without enlarging the number of the terms. Therefore, the size of the matrix constructed by MLA2 is much smaller than the matrix constructed by MLA. This demonstrates the great potential of the mutant strategy to improve the LA Algorithm.

Chapter 4

Techniques From the Theory of