Journal of Applied Mathematics
Volume 2013, Article ID 872962, 8 pages
http://dx.doi.org/10.1155/2013/872962
Research Article

Sieve Method for Polynomial Linear Equivalence

1State Key Laboratory of Integrated Service Networks, Xidian University, Xi'an 710071, China
2Guangxi Experiment Center of Information Science, Guilin University of Electronic Technology, Guilin, Guangxi 541004, China
3Guangxi Key Lab of Wireless Wide Band Communication and Signal Processing, Guilin University of Electronic Technology, Guilin 541004, China

Received 5 August 2013; Accepted 2 November 2013

Academic Editor: Jacek Rokicki

Copyright © 2013 Baocang Wang and Yupu Hu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

We consider the polynomial linear equivalence (PLE) problem arising from multivariate public key cryptography, which is to find an invertible linear transformation satisfying for given nonlinear polynomial maps and over a finite field . Some cryptographic and algebraic properties of PLE are discussed, and from these properties we derive three sieves, called the multiplicative, differential, and additive sieves. By combining the three sieves, we propose a sieve method for the PLE problem. As an application of our sieve method, we show that it is infeasible to construct public key encryption schemes from the PLE problem.

1. Introduction

With the rapid development of information technology, privacy and authentication have become two important issues that we must resolve in communication networks. Public key cryptography is undoubtedly one of the most important tools for resolving both problems in the area of information and network security engineering. Tremendous efforts have been made to achieve more practical and efficient public key ciphers in the cryptographic literature [1]. However, we should note that only a small number of them have survived serious security scrutiny, amongst which are the two widely used cryptosystems RSA, based on the integer factorization problem [1], and ECC, based on the discrete logarithm problem on elliptic curves over finite fields [1, 2]. However, there exist quantum polynomial-time algorithms for factoring large integers and solving the discrete logarithm problem on any finite cyclic group [3, 4]. Therefore, RSA and ECC are at risk of being totally broken by quantum algorithms once practical quantum computing devices are available. Based on these considerations, cryptographers began to construct alternative postquantum (i.e., quantum-resistant) public key cryptosystems from other mathematically intractable problems, especially problems proven to be NP-complete or NP-hard.

Multivariate public key cryptography (MPKC) is an important kind of postquantum public key cipher [5]. The security of MPKC resides in the proven fact that it is NP-hard to solve a random system of nonlinear equations over finite fields [6]. MPKC was once considered very attractive and interesting also due to its high speed in key generation, encryption, and decryption, its easy implementation in both hardware and software, and its simple mathematical description [5]. In a multivariate public key cryptosystem, we first define a nonlinear easy-to-invert map called the central map, then we randomly choose two invertible affine transformations and , and finally we publish the nonlinear map as the public key and keep , , and as the secret key. Sometimes the central map has a very special structure, which makes it useless to keep the central map secret. One important problem in MPKC is the problem of isomorphism of polynomials (IP) [7–15]; namely, given nonlinear maps and , find two invertible linear transformations and such that . The IP problem lies at the core of MPKC, in that many multivariate cryptosystems were constructed based on the assumed intractability of the IP problem [16–22]. The IP problem is widely believed to be intractable, and known algorithms for the IP problem have exponential complexity [7–15].

In the IP problem, if is known or equal to the identity transformation, the IP problem turns into the isomorphism of polynomials with one secret (IP1s) problem [7, 8, 12, 13, 15, 23–25], which has been used in MPKC [7, 17, 26–28]. The IP1s problem was shown to be at least as difficult as the graph isomorphism problem [8, 29]. The graph isomorphism problem has been extensively studied for about half a century, and no efficient algorithm is known for it, so the IP1s problem was also widely believed to be an intractable problem. When we restrict the invertible affine transformation to be a linear one, the special IP1s problem was renamed the polynomial linear equivalence (PLE) problem in [24]. In [24], it was shown that the PLE problem is not a restriction of IP1s, and in fact PLE and IP1s are polynomial-time equivalent. In [23], an algorithm was developed to solve the IP1s problem used in the construction of the identification scheme in [7], and the algorithm breaks some challenges of the scheme in [7]. In [24], the differential properties of PLE were fully explored to derive an algorithm for PLE, which transforms the PLE problem into a linear algebraic problem. Some other algorithms were also developed to solve the IP1s problem [12, 13, 15, 25]. These algorithms perform efficiently in some special cases of the IP1s problem.

Previous results about the IP and IP1s problems were established by treating the underlying problems as purely mathematical problems. However, some cryptographic properties of the cryptographic IP1s problem may have been overlooked. For example, the central map used in MPKC is required to be easy to invert, and this cryptographic property may help us establish other algorithms for solving the IP1s problem. In this paper, we utilize this cryptographic property to develop an algorithm for solving the PLE problem and hence the IP1s problem. We fully explore the multiplicative, differential, and additive cryptographic properties present in the PLE problem. Based on the three properties, we provide a sieve algorithm for the PLE problem. Assuming that the central map only has polynomially many preimages, the proposed sieve algorithm is a polynomial-time algorithm. Apart from previously known algorithms based on differential analysis, Gröbner bases, exhaustive search, and linear algebraic methods, we provide a new type of algorithm. The sieve method may be of independent interest and may provide new insights into IP-like problems.

The rest of the paper is organized as follows. In Section 2, we formalize the notations, review MPKC in a conceptual level, and define IP-like problems. In Section 3, we elaborate on the proposed sieve method for the PLE problem. Section 4 provides some concluding remarks.

2. Preliminaries

2.1. Notations

Throughout this paper, the following notations will be used. We use to denote a finite field with order being a prime power. In this paper, we only consider the PLE problem over with . We use bold lowercase letters for vectors and bold capital letters for matrices. The generalized linear group over is denoted as which consists of all -dimensional invertible matrices over . For two sets and , we define and . For a set and a nonzero element , we define and , where stands for the inverse of in . For a map and a vector , we use the symbol to denote the preimages set of under the map ; namely, .

2.2. Multivariate Public Key Cryptosystems

Multivariate public key cryptosystems almost always follow the design below [5]; namely, first define an easy-to-invert central map and then disguise the central map as a seemingly hard nonlinear map via two invertible affine transformations.

Key Generation. Let be a finite field with order being a prime power. Firstly, define a nonlinear central map ; namely, for , . In case of a public key encryption scheme, we require that for any , all the solutions (if the solutions exist) to the system of nonlinear equations can be efficiently determined; namely, . In case of a digital signature scheme, we require that for any , we can efficiently find one solution (if the solutions exist) to the system of nonlinear equations . Secondly, randomly choose two invertible affine transformations and ; namely, choose invertible matrices (, resp.) uniformly and at random from (, resp.) and two vectors (, resp.) uniformly and at random from (, resp.), and define the two affine transformations and as for , , and for , . Thirdly, compute the inverses and of and ; namely, for , , and for , . Finally, compute ; namely, for , . The public key is the nonlinear map , and the secret key consists of , , and .

Encryption. For a plaintext , the corresponding ciphertext is computed via .

Decryption. Given a ciphertext , we firstly compute . Secondly, compute all the preimages of under the nonlinear map ; namely, . Thirdly, for all the vectors , we compute to obtain a set of candidate plaintexts. Finally, we use some redundant information to exactly pick out the plaintext .

The design also applies to digital signature schemes.

Signature. To sign a message , we firstly compute then invert to get a pre-image and finally compute . The vector is the signature on the message .

Verification. The verifier decides whether or not. If the equations are satisfied, the verifier accepts as the valid signature of . Otherwise, the verifier refuses to accept as the valid signature of .

Remarks. The central map always has a special structure that allows us to efficiently find preimages. So in some cases, it is useless to keep the central map secret. For example, the MI [16] central map is , which makes it meaningless to keep secret. Several modifications of the basic MPKC construction have been suggested in order to obtain a higher level of security [30], for example, the plus method [30], the minus method [30], and so on.

2.3. Definitions

The following definitions are closely related to the key recovery attacks on multivariate public key cryptosystems.

Definition 1 (IP [7]). Given two nonlinear polynomial maps and , find two invertible affine transformations and such that . Equivalently, find two invertible matrices and and two vectors and such that .

When is known or equal to the identity transformation, we get the definition of the IP1s problem [8, 23].

Definition 2 (IP1s). Given two nonlinear polynomial maps and , find an invertible affine transformation such that . Equivalently, find an invertible matrix and a vector such that .

It was shown in [24] that the IP1s problem and the PLE problem are polynomial-time equivalent. So we only need to discuss the following PLE problem in order to discuss the IP1s problem.

Definition 3 (PLE). Given two nonlinear polynomial maps and , find an invertible linear transformation such that . Equivalently, find an invertible matrix such that .

3. The Proposed Sieve Method for PLE

We pay our attention to a special case of the PLE problem: the preimages of the central map are easy to determine. Namely, we are given two nonlinear polynomial maps and and an efficient algorithm to solve the preimages of the central map . We want to find an invertible matrix such that

3.1. Case of Being Injective

If is an easy-to-invert injective polynomial map, the PLE problem turns out to be very easy. We randomly choose linearly independent row vectors and denote the matrix consisting of these vectors as For , we compute . Note that , so is a solution to the system of equations . Further noting that is an easy-to-invert injective polynomial map, we conclude that is the unique solution to the system of equations . So we can apply the algorithm to determine the unique solution to the system of equations . We denote the matrix consisting of the row vectors as We rewrite the equations for in matrix form, so we have , from which we immediately get .

3.2. General Case

We consider a more general case; namely, is an easy-to-invertible noninjective polynomial map.

3.2.1. Basic Idea

The basic idea of the sieve method for the PLE problem is to first randomly choose linearly independent row vectors , and then for , compute . Note that the system of nonlinear equations must have at least one solution, since . Secondly, we apply the algorithm to get the nonempty set of solutions to ; namely, However, because the central polynomial map is noninjective, the solution set may include other solutions besides . We are only interested in the targeted solution and want to develop a method to pick out the vector from all the solutions in . If for each we can determine the corresponding , we denote the matrices consisting of the row vectors and as and , respectively. Similarly to the discussion in Section 3.1, we can then solve the PLE problem just by computing .

In what follows, we design three types of sieves, called the multiplicative sieve, differential sieve, and additive sieve, respectively. When we apply the three sieves to , we expect that the targeted solution passes the sieves while as many of the other, useless solutions in as possible are sieved out. We now discuss some properties of the PLE problem.

3.2.2. Sieve Strategies

Let be linearly independent row vectors, let the set of solutions to the equations be , and let . We have the following results.

Theorem 4 (multiplicative strategy). For any in , is also a solution to the system of nonlinear equations ; namely, , or equivalently, .

Proof. We first note that , so . Therefore, we have , namely, ; or equivalently, . Note that , so we have .

The Multiplicative Strategy theorem implies a method to sieve out some useless vectors from a set of vectors containing the targeted vector . More precisely, we let such that the targeted vector . The multiplicative sieve algorithm MulSieve given in Algorithm 1 takes as input and outputs a subset of ; namely, MulSieve. From the proof of the Multiplicative Strategy theorem, we know that the targeted vector passes the multiplicative sieve. So the set output by MulSieve is not empty.

Algorithm 1: Multiplicative sieve: MulSieve.

We note that if and hence are homogeneous polynomials, all the preimages in can pass the multiplicative sieve. So in this case, we must have . In general cases, is not homogeneous, and the multiplicative sieve method can sieve out some preimages of .

Theorem 5 (additive strategy). For , one must have that is a solution to the system of equations . That is, if one denotes the solutions set to the system of nonlinear equations as , one must have

Proof. It is obvious that . So we just need to verify ; namely, . Recalling , , and , we immediately have .

The Additive Strategy theorem implies another sieve method, called the additive sieve AddSieve, given in Algorithm 2. The input of the additive sieve algorithm AddSieve consists of , where , (, resp.) is a subset of (, resp.), and (, resp.). The output of AddSieve is two nonempty sets and ; namely, From the proof of the Additive Strategy theorem, we know that the targeted vectors and pass the additive sieve. So the sets and output by AddSieve are not empty.

Algorithm 2: Additive sieve: AddSieve.

In lines 6–8 of Algorithm 2, if or had been put into or , the algorithm does nothing.

Theorem 6 (differential strategy). For any nonzero vector and any element in , let the set of the solutions to the system of nonlinear equations and be and , respectively. One must have

Proof. Note that , so we have . From , we get . So we have ; namely, We further notice that , so we conclude that Combining (8) and (9) implies from which we complete the proof.

The Differential Strategy theorem implies another sieve method, called the differential sieve DifSieve, given in Algorithm 3. The input of the differential sieve algorithm DifSieve consists of , where is a subset of and . The output of DifSieve is a nonempty set ; namely, DifSieve. From the proof of the Differential Strategy theorem, we know that the targeted vector passes the differential sieve. So the set output by the DifSieve algorithm is nonempty.

Algorithm 3: Differential sieve: DifSieve.

3.3. The Sieve Method

We elaborate on the novel sieve algorithm SieAlg for solving the PLE problem as in Algorithm 4. The input for the sieve algorithm contains the description of the finite field and two multivariate nonlinear polynomial maps and . The output of the sieve algorithm is either an invertible matrix such that or a failure symbol . We assume that the central map is easy to invert; namely, there exists an efficient algorithm to compute all the preimages of . The proposed sieve algorithm runs as in Algorithm 4.

Algorithm 4: The sieve algorithm for PLE: SieAlg.
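The following is an added worked example, not code from the paper: a small PLE instance in the setting of Definition 3 (G = F∘S with a linear S) over GF(5), solved with the multiplicative sieve (Theorem 4), the additive sieve (Theorem 5) and the final matrix computation of Section 3.1; the differential sieve is omitted. The central map, the secret matrix and the row vectors are constructed here, and a brute-force search stands in for the assumed efficient preimage algorithm for F.

```python
"""Toy PLE solver: multiplicative and additive sieves over GF(p) (constructed example)."""
from itertools import product

P = 5  # small prime field; the paper needs q > 2 so that a lambda not in {0, 1} exists

def central_map(x):
    """Constructed central map F: GF(5)^2 -> GF(5)^2, F(x1, x2) = (x1^2, x2^2 + x1 + x2).
    It is non-injective (up to four preimages) and not homogeneous, so the
    multiplicative sieve has something to remove (cf. the remark after Algorithm 1)."""
    x1, x2 = x
    return ((x1 * x1) % P, (x2 * x2 + x1 + x2) % P)

def vec_mat(v, m):
    """Row vector times matrix over GF(P); the paper uses row-vector convention x -> xS."""
    n = len(m)
    return tuple(sum(v[i] * m[i][j] for i in range(n)) % P for j in range(len(m[0])))

def preimages(f, y, n):
    """Stand-in for the efficient inversion algorithm of F: brute force over GF(P)^n."""
    return {x for x in product(range(P), repeat=n) if f(x) == y}

def mat_inverse(m):
    """Gauss-Jordan inverse over GF(P); returns None if the matrix is singular."""
    n = len(m)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % P), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [(v * inv) % P for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def mul_sieve(F, G, a, cands):
    """Theorem 4: the true c = aS satisfies F(lambda*c) = G(lambda*a) for every lambda,
    so a candidate failing this for some lambda in {2, ..., P-1} cannot be aS."""
    return {c for c in cands
            if all(F(tuple(l * ci % P for ci in c)) == G(tuple(l * ai % P for ai in a))
                   for l in range(2, P))}

def add_sieve(F, G, a_rows, V):
    """Theorem 5: the true c_i, c_j satisfy F(c_i + c_j) = G(a_i + a_j). Keep c_i only if,
    for every j != i, some partner c_j in V[j] makes c_i + c_j a preimage of G(a_i + a_j)."""
    n = len(a_rows)
    for i in range(n):
        for j in range(n):
            if i == j:
                continue
            target = G(tuple((x + y) % P for x, y in zip(a_rows[i], a_rows[j])))
            V[i] = {ci for ci in V[i]
                    if any(F(tuple((x + y) % P for x, y in zip(ci, cj))) == target
                           for cj in V[j])}
    return V

def solve_ple(F, G, a_rows):
    """Recover an invertible S with G(x) = F(xS) for all x, given the rows a_i of an
    invertible matrix A. Returns (S, stats); S is None on failure."""
    n = len(a_rows)
    V = [preimages(F, G(a), n) for a in a_rows]      # initialization: all preimages of G(a_i)
    stats = {"initial": [len(v) for v in V]}
    V = [mul_sieve(F, G, a, v) for a, v in zip(a_rows, V)]
    stats["after_mul"] = [len(v) for v in V]
    V = add_sieve(F, G, a_rows, V)
    stats["after_add"] = [len(v) for v in V]
    a_inv = mat_inverse(a_rows)
    # Any ambiguity the sieves leave is settled by checking G = F(xS) on all inputs.
    for rows in product(*V):                          # rows = candidate matrix C
        S = [list(vec_mat(r, rows)) for r in a_inv]   # S = A^{-1} C, as in Section 3.1
        if all(F(vec_mat(x, S)) == G(x) for x in product(range(P), repeat=n)):
            return S, stats
    return None, stats                                # failure symbol

S_TRUE = [[2, 1], [1, 1]]                             # constructed secret, invertible mod 5
def public_map(x):
    return central_map(vec_mat(x, S_TRUE))            # G = F o S

if __name__ == "__main__":
    print(solve_ple(central_map, public_map, [(1, 1), (0, 1)]))
```

With A = I the multiplicative sieve alone reduces every preimage set to a singleton; with rows (1, 1), (0, 1) one wrong candidate survives it (its coordinates sum to zero, so scaling cannot separate it) and is removed by the additive sieve instead.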

3.4. Analysis

We analyze the computational complexity of the proposed sieve algorithm for the PLE problem. We denote the computational cost of determining the preimage set of the polynomial central map as . Note that we assume the central map is easy to invert, so is upper-bounded by a polynomial in the number of variables and the number of equations involved. We let the computational cost of computing for any be . Note that , so for any , computing requires about the same computational cost. We denote the upper bound on the number of preimages of a vector under the central map as ; namely, the preimage set has at most vectors. Note that we assume is a polynomial-time algorithm for finding all the preimages under the central map , so is also polynomially bounded.

In the algorithm initialization phase of the sieve algorithm SieAlg for the PLE problem, we need to compute and the pre-image set for each . So in the algorithm initialization phase, the computational costs are measured as .

In the multiplicative sieve phase, for each , we need to compute , which costs . Then for each , we need to compute , so the computational costs are . So the total costs in the multiplicative sieve phase are .

In the additive sieve phase, for , we need to compute , which costs . For , for each and for each , we need to compute , which costs . So the computational costs in the additive sieve phase are .

In the differential sieve phase, for each , we need to compute , , and the preimages sets and . In this step, the computational costs are . We also need to do exhaustive search for , which costs . So during the differential sieve phase, we need to do computations.

Finally, the sieve method needs to compute , which costs .

To summarize, the computational costs for the sieve algorithm are the sum of the aforementioned computational costs. So the computational complexity of the sieve algorithm is . Therefore, the proposed sieve algorithm is polynomial-time if there exists a polynomial-time algorithm to determine the preimages set of the central map .

We remark on the sieve algorithm as follows. In the sieve algorithm, we assume that the order of the underlying finite field is . If the PLE problem is defined over , we can consider the PLE problem over some extension field of in order to make the proposed sieve algorithm applicable. The proposed sieve algorithm never sieves out the satisfying . In other words, the proposed sieve algorithm never sieves out the right answer to the PLE problem. When the algorithm quits without outputting the right answer, we can rerun the sieve algorithm with fresh random choices in order to increase the probability of solving the PLE problem.

4. Conclusions

In this paper, we developed a new method for solving the IP1s problem. It is shown that if there exists a polynomial-time algorithm for determining all the preimages of the central map , the proposed sieve algorithm for the PLE problem is efficient. As an application of the proposed sieve algorithm for the IP1s problem, we can show that it is infeasible to construct multivariate public key encryption schemes from the IP1s problem, for the following reasons.

(i) Multivariate public key encryption schemes require that the central map be easy to invert.

(ii) Multivariate public key encryption schemes require that ciphertexts be decipherable. So for any vector , it must be computationally feasible to determine all the preimages of under the central map . This means that the number of preimages under the central map must be polynomially bounded.

Both requirements demonstrate that the proposed sieve algorithm is applicable to the IP1s problem as used in multivariate public key encryption schemes.

As a new method for solving IP-like problems, the proposed sieve method is far from perfect. Further study of the new method is left to future work.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (nos. 61173152 and 61173151), the 111 Project (no. B08038), the ISN Foundation (no. ISN1103007), the Fundamental Research Funds for the Central Universities (no. JY10000901009), and the Natural Science Basic Research Plan in Shaanxi Province of China (Program no. 2012JM8005).

References

  1. N. Koblitz and A. J. Menezes, “A survey of public-key cryptosystems,” SIAM Review, vol. 46, no. 4, pp. 599–634, 2004.
  2. P. Wang and F. Zhang, “An efficient collision detection method for computing discrete logarithms with Pollard's rho,” Journal of Applied Mathematics, vol. 2012, Article ID 635909, 15 pages, 2012.
  3. P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Journal on Computing, vol. 26, no. 5, pp. 1484–1509, 1997.
  4. D. Cheung, D. Maslov, J. Mathew, and D. K. Pradhan, “On the design and optimization of a quantum polynomial-time attack on elliptic curve cryptography,” in Proceedings of the 3rd Workshop on Theory of Quantum Computation, Communication, and Cryptography (TQC '08), vol. 5016 of LNCS, pp. 96–104, Springer, Tokyo, Japan, 2008.
  5. J. Ding, J. E. Gower, and D. S. J. Schmidt, Multivariate Public Key Cryptosystems, vol. 25 of Advances in Information Security, Springer, Berlin, Germany, 2006.
  6. M. R. Garey and D. S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness, Freeman, San Francisco, Calif, USA, 1979.
  7. J. Patarin, “Hidden fields equations (HFE) and isomorphism of polynomials (IP): two new families of asymmetric algorithms,” in Proceedings of Advances in Cryptology (Eurocrypt '96), vol. 1070 of LNCS, pp. 33–48, Springer, Saragossa, Spain, 1996.
  8. J. Patarin, L. Goubin, and N. Courtois, “Improved algorithms for isomorphisms of polynomials,” in Proceedings of Advances in Cryptology (Eurocrypt '98), vol. 1403 of LNCS, pp. 184–200, Springer, Espoo, Finland, 1998.
  9. F. Levy-dit-Vehel and L. Perret, “Polynomial equivalence problems and applications to multivariate cryptosystems,” in Proceedings of the Conference on Progress in Cryptology (INDOCRYPT '03), vol. 2904 of LNCS, pp. 235–251, T. Johansson and S. Maitra, Eds., New Delhi, India, 2003.
  10. L. Perret and A. Bayad, “A differential approach to a polynomial equivalence problem,” in Proceedings of the International Symposium on Information Theory (ISIT '04), p. 140, IEEE Press, Chicago, Ill, USA, July 2004.
  11. J. Faugère and L. Perret, “Polynomial equivalence problems: algorithmic and theoretical aspects,” in Proceedings of Advances in Cryptology (Eurocrypt '06), vol. 4004 of LNCS, pp. 30–47, Springer, St. Petersburg, Russia, 2006.
  12. C. Bouillaguet, J. Faugère, P. Fouque, and L. Perret, “Isomorphism of polynomials: new results,” http://citeseerx.ist.psu.edu.
  13. C. Bouillaguet, J. Faugère, P. Fouque, and L. Perret, “Differential-algebraic algorithms for the isomorphism of polynomials problem,” IACR Cryptology ePrint Archive 2009, http://eprint.iacr.org/2009/583.
  14. C. Bouillaguet, P. Fouque, and A. Veber, “Graph-theoretic algorithms for the isomorphism of polynomials problem,” in Proceedings of Advances in Cryptology (Eurocrypt '13), vol. 7881 of LNCS, pp. 211–227, Springer, Athens, Greece, 2013.
  15. J. Berthomieu, J. Faugère, and L. Perret, “Polynomial-time algorithms for quadratic isomorphism of polynomials,” 2013, http://arxiv.org/abs/1307.4974.
  16. T. Matsumoto and H. Imai, “Public quadratic polynomial-tuples for efficient signature-verification and message-encryption,” in Proceedings of Advances in Cryptology (Eurocrypt '88), vol. 330 of LNCS, pp. 419–453, Springer, Davos, Switzerland, 1988.
  17. A. Kipnis, J. Patarin, and L. Goubin, “Unbalanced oil and vinegar signature schemes,” in Proceedings of Advances in Cryptology (Eurocrypt '99), vol. 1592 of LNCS, pp. 206–222, Springer, Prague, Czech Republic, 1999.
  18. J. Patarin, N. Courtois, and L. Goubin, “Flash, a fast multivariate signature algorithm,” in Proceedings of the Cryptographers' Track at RSA Conference (CT-RSA '01), vol. 2020 of LNCS, pp. 298–307, Springer, San Francisco, Calif, USA, 2001.
  19. O. Billet and H. Gilbert, “A traceable block cipher,” in Proceedings of Advances in Cryptology (Asiacrypt '00), vol. 2894 of LNCS, pp. 331–346, Springer, Taipei, Taiwan, 2003.
  20. J. Ding, C. Wolf, and B. Y. Yang, “l-invertible cycles for multivariate quadratic public key cryptography,” in Proceedings of the 10th IACR International Conference on Practice and Theory of Public Key Cryptography (PKC '07), vol. 4450 of LNCS, pp. 266–281, Springer, Beijing, China, 2007.
  21. J. Baena, C. Clough, and J. Ding, “Square-vinegar signature scheme,” in Proceedings of the 2nd International Workshop on Post-Quantum Cryptography (PQCrypto '08), vol. 5299 of LNCS, pp. 17–30, Springer, Cincinnati, Ohio, USA, 2008.
  22. C. Clough, J. Baena, J. Ding, B. Y. Yang, and M. S. Chen, “Square, a new multivariate encryption scheme,” in Proceedings of the Cryptographers' Track at RSA Conference (CT-RSA '09), vol. 5473 of LNCS, pp. 252–264, Springer, San Francisco, Calif, USA, 2009.
  23. W. Geiselmann, W. Meier, and S. Rainer, “An attack on the isomorphisms of polynomials problem with one secret,” International Journal of Information Security, vol. 2, no. 1, pp. 59–64, 2003.
  24. L. Perret, “A fast cryptanalysis of the isomorphism of polynomials with one secret problem,” in Proceedings of Advances in Cryptology (Eurocrypt '05), vol. 3439 of LNCS, pp. 354–370, Springer, Aarhus, Denmark, 2005.
  25. C. Bouillaguet, J. Faugère, P. Fouque, and L. Perret, “Practical cryptanalysis of the identification scheme based on the isomorphism of polynomial with one secret problem,” in Proceedings of the 14th IACR International Conference on Practice and Theory of Public Key Cryptography (PKC '11), vol. 6571 of LNCS, pp. 473–493, Springer, Taormina, Italy, 2011.
  26. K. Sakumoto, T. Shirai, and H. Hiwatari, “Public-key identification schemes based on multivariate quadratic polynomials,” in Proceedings of Advances in Cryptology (Crypto '11), vol. 6841 of LNCS, pp. 706–723, Springer, Santa Barbara, Calif, USA, 2011.
  27. S. Tang and L. Xu, “Proxy signature scheme based on isomorphisms of polynomials,” in Proceedings of the 6th International Conference on Network and System Security (NSS '12), vol. 7645 of LNCS, pp. 113–125, Springer, Fujian, China, 2012.
  28. S. Tang and L. Xu, “Towards provably secure proxy signature scheme based on isomorphisms of polynomials,” Future Generation Computer Systems, 2013.
  29. M. Agrawal and N. Saxena, “Equivalence of F-algebras and cubic forms,” in Proceedings of the 23rd Annual Symposium on Theoretical Aspects of Computer Science (STACS '06), vol. 3884 of LNCS, pp. 115–126, Springer, Marseille, France, 2006.
  30. C. Wolf and B. Preneel, “Taxonomy of public key schemes based on the problem of multivariate quadratic equations,” IACR Cryptology ePrint Archive 2005, https://eprint.iacr.org/2005/077.