Applications of Finite Field Computation to Cryptology: Extension Field Arithmetic in Public Key Systems and Algebraic Attacks on Stream Ciphers Kenneth Koon-Ho Wong Bachelor of Applied Science (First Class Honours) Queensland University of Technology, 2003 Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy Information Security Institute Faculty of Information Technology Queensland University of Technology 2008 ii Keywords algebraic attacks, clock control, cyclotomic fields, CEILIDH, extension fields, Gauss periods, Karatsuba multiplication, Pomaranch, RC4, stream ciphers, torus-based cryptography, XTR iii iv Abstract In this digital age, cryptography is largely built in computer hardware or software as discrete structures. One of the most useful of these structures is finite fields. In this thesis, we explore a variety of applications of the theory and applications of arithmetic and computation in finite fields in both the areas of cryptography and cryptanalysis. First, multiplication algorithms in finite extensions of prime fields are explored. A new algebraic description of implementing the subquadratic Karatsuba algorithm and its variants for extension field multiplication are presented. The use of cy- clotomic fields and Gauss periods in constructing suitable extensions of virtually all sizes for efficient arithmetic are described. These multiplication techniques are then applied on some previously proposed public key cryptosystem based on exten- sion fields. These include the trace-based cryptosystems such as XTR, and torus- based cryptosystems such as CEILIDH. Improvements to the cost of arithmetic were achieved in some constructions due to the capability of thorough optimisation using the algebraic description. Then, for symmetric key systems, the focus is on algebraic analysis and attacks of stream ciphers. Different techniques of computing solutions to an arbitrary system of boolean equations were considered, and a method of analysing and simplifying the system using truth tables and graph theory have been investigated. Algebraic analyses were performed on stream ciphers based on linear feedback shift registers where clock control mechanisms are employed, a category of ciphers that have not been previously analysed before using this method. The results are successful v vi algebraic attacks on various clock-controlled generators and cascade generators, and a full algebraic analyses for the eSTREAM cipher candidate Pomaranch. Some weaknesses in the filter functions used in Pomaranch have also been found. Finally, some non-traditional algebraic analysis of stream ciphers are presented. An algebraic analysis on the word-based RC4 family of stream ciphers is performed by constructing algebraic expressions for each of the operations involved, and it is concluded that each of these operations are significant in contributing to the overall security of the system. As far as we know, this is the first algebraic analysis on a stream cipher that is not based on linear feedback shift registers. The possibility of using binary extension fields and quotient rings for algebraic analysis of stream ciphers based on linear feedback shift registers are then investigated. Feasible algebraic attacks for generators with nonlinear filters are obtained and algebraic analyses for more complicated generators with multiple registers are presented. This new form of algebraic analysis may prove useful and thereby complement the traditional algebraic attacks. This thesis concludes with some future directions that can be taken and some open questions. Arithmetic and computation in finite fields will certainly be an important area for ongoing research as we are confronted with new developments in theory and exponentially growing computer power. Declaration The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made. Signed:............................................ Date:...................... vii viii Acknowledgements The quality and quantity of the research presented in this thesis would not have been achieved without my supervisors, Gary Carter and Ed Dawson, who have provided me with every help, support and encouragement throughout the seem- ingly. They have spent numerous hours with me on suggesting research directions, discussing problems and reviewing writings. I sincerely pay my highest regards to their kindness and professionalism. I have been fortunate to be able to work with many other researchers during my research. I would like to thank Winfried M¨uller, who warmly hosted my visit for three weeks at the Department of Mathematics, University of Klagenfurt, Austria. I have gained much from working with colleagues while being there. I would like to thank Sultan Al-Hinai, Lynn Batten, Bernard Colbert, and Subhamoy Maitra, whom I have had the honour to meet in the last few years. They have provided me comments and suggestions to improve on various aspects of my research. In particular, I have enjoyed the close collaboration with Sultan Al-Hinai, my fel- low PhD student, as well as his supervisors, Matt Henricksen, Bill Millan and Leonie Simpson, at the Information Security Institute. Together, Sultan and I have achieved two joint publications, where each of us contributed in our strength toward some nice results. The collaborative work appears in Sections 5.4-5.6 of this thesis. I would like to also thank Lynn Batten for her organisation in mak- ing the two publications possible, and also for inviting me to speak at one of her workshops. I would like to thank Gregory Bard and Richard Brent for providing valuable comments that have improved some of the work contained in Section 3.3 significantly. ix x My colleagues at both the Information Security Institute and the School of Math- ematical Sciences, Faculty of Science have undoubtedly given me a warm atmo- sphere under which I can comfortably work on my research. I greatly appreciate their friendship to me and discussions that inspire me much. I would like to thank the Australian Commonwealth Government, Queensland University of Technology, and the Information Security Institute for providing generous scholarships and subsidies for my studies. I would also like to thank the the Information Security Institute and the School of Software Engineering and Data Communications, Faculty of Information Technology for providing me with both the opportunities and funds for my local, interstate and overseas travels and studies at various conferences and workshops. I would also like to thank the internal review panel, comprising of Colin Boyd, Gary Carter, Ed Dawson and Ian Turner, for spending time to review my thesis and final seminar, and providing valuable comments to improve the quality of the thesis submission. Last but not least, I would like to give sincere appreciation the Dean’s Scholars Program offered to me through the Faculty of Science as part of my undergraduate studies, which has prepared me the skills and knowledge to conduct research at the academic level, and paved my way towards the completion of a doctoral degree. Previously Published Material • Sultan Al-Hinai, Lynn Batten, Bernard Colbert and Kenneth Koon-Ho Wong. Algebraic attacks on clock-controlled stream ciphers. In 11th Australasian Conference on Information Security and Privacy - ACISP 2006, volume 4058 of Lecture Notes in Computer Science, pages 1-16, Melbourne, Australia, 2006. Springer. • Kenneth Koon-Ho Wong, Gary Carter and Ed Dawson. Implementation of extension field arithmetic with applications to torus-based cryptography. In Workshop on General Algebra, AAA 70, volume 17 of Contributions on General Algebra, Vienna, Austria, 2005. Johannes Heyn. • Kenneth Koon-Ho Wong, Bernard Colbert, Lynn Batten and Sultan Al- Hinai. Algebraic analysis on clock-controlled cascade ciphers. In Progress in Cryptology - Indocrypt 2006, volume 4329 of Lecture Notes in Computer Science, pages 32-47, Kolkata, India, 2006. Springer. xi xii Contents Keywords ................................... iii Abstract.................................... v Declaration .................................. vii Acknowledgements .............................. ix PreviouslyPublishedMaterial . xi 1 Introduction 1 1.1 ModernCryptology........................... 2 1.1.1 Finite Field Arithmetic in Prime Fields . 2 1.1.2 Algebraic Attacks in Binary Fields . 2 1.2 AimsandObjectives .......................... 3 1.2.1 ExtensionFieldArithmetic . 3 1.2.2 Algebraic Analysis and Attacks . 3 1.3 MainOutcomes............................. 4 1.4 StructureofThesis ........................... 5 xiii xiv CONTENTS 2 Solving Equations over Finite Fields 7 2.1 Introduction............................... 7 2.2 LinearSystems ............................. 8 2.2.1 GaussianElimination. 8 2.2.2 Solution Methods over Finite Fields . 9 2.3 UnivariatePolynomials. 9 2.3.1 Polynomial Factorisation and Root Finding . 10 2.3.2 Cantor-Zassenhaus Equal Degree Factorisation . 11 2.3.3 Common Roots of Univariate Polynomials . 13 2.4 Multivariate Polynomial Systems . 14 2.4.1 Linearisation .......................... 14 2.4.2 Gr¨obnerBases.......................... 16 2.4.3 TruthTablesandGraphs. 20 2.5 Summary ................................ 23 3 Finite Field Arithmetic 25 3.1 Introduction............................... 25 3.2 KaratsubaMultiplication. 27 3.2.1