Solving sparse linear equations over finite fields
IEEE Transactions on Information Theory
Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm
Mathematics of Computation
Journal of Symbolic Computation - Computer algebra: Selected papers from ISSAC 2001
Gröbner-Bases, Gaussian elimination and resolution of systems of algebraic equations
EUROCAL '83 Proceedings of the European Computer Algebra Conference on Computer Algebra
Essential Algebraic Structure within the AES
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
ASIACRYPT '02 Proceedings of the 8th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)
Proceedings of the 2002 international symposium on Symbolic and algebraic computation
MXL2: Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy
PQCrypto '08 Proceedings of the 2nd International Workshop on Post-Quantum Cryptography
A block Lanczos algorithm for finding dependencies over GF(2)
EUROCRYPT'95 Proceedings of the 14th annual international conference on Theory and application of cryptographic techniques
Efficient algorithms for solving overdefined systems of multivariate polynomial equations
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt
ICISC'02 Proceedings of the 5th international conference on Information security and cryptology
Factorization of a 768-bit RSA modulus
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
All in the XL family: theory and practice
ICISC'04 Proceedings of the 7th international conference on Information Security and Cryptology
Improving the complexity of index calculus algorithms in elliptic curves over binary fields
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
Hi-index | 0.00 |
Solving a system of multivariate quadratic equations (MQ) is an NP-complete problem whose complexity estimates are relevant to many cryptographic scenarios. In some cases it is required in the best known attack; sometimes it is a generic attack (such as for the multivariate PKCs), and sometimes it determines a provable level of security (such as for the QUAD stream ciphers). Under reasonable assumptions, the best way to solve generic MQ systems is the XL algorithm implemented with a sparse matrix solver such as Wiedemann's algorithm. Knowing how much time an implementation of this attack requires gives us a good idea of how future cryptosystems related to MQ can be broken, similar to how implementations of the General Number Field Sieve that factors smaller RSA numbers give us more insight into the security of actual RSA-based cryptosystems. This paper describes such an implementation of XL using the block Wiedemann algorithm. In 5 days we are able to solve a system with 32 variables and 64 equations over $\mathbb{F}_{16}$ (a computation of about 260.3 bit operations) on a small cluster of 8 nodes, with 8 CPU cores and 36 GB of RAM in each node. We do not expect system solvers of the F4/F5 family to accomplish this due to their much higher memory demand. Our software also offers implementations for $\mathbb{F}_{2}$ and $\mathbb{F}_{31}$ and can be easily adapted to other small fields. More importantly, it scales nicely for small clusters, NUMA machines, and a combination of both.