Solving Underdetermined Systems of Multivariate Quadratic Equations Revisited

Solving systems of $m$ $\mathcal{M}$ultivariate $\mathcal{Q}$uadratic ($\mathcal{MQ}$) equations in $n$ variables is one of the main challenges of algebraic cryptanalysis. Although the associated $\mathcal{MQ}$-problem is proven to be NP-complete, we know that it is solvable in polynomial time over fields of even characteristic if either $m \geq n(n-1)/2$ (overdetermined) or $n \geq m(m+1)$ (underdetermined). It is widely believed that $m = n$ has worst-case complexity. Actually, in the overdetermined case Gröbner bases algorithms show a gradual decrease in complexity from $m = n$ to $m \geq n(n-1)/2$ as more and more equations are available. For the underdetermined case no similar behavior was known. Up to now the best way to deal with the case m $\mathcal{MQ}$-system with $m$ equations and $n = \omega m$ variables for some $\omega \in \mathbb{Q}_{>1}$ to the complexity of solving an $\mathcal{MQ}$-system with only $(m - \lfloor \omega \rfloor + 1)$ equations and variables, respectively. Our algorithm can be seen as an extension of the previously known algorithm from Kipnis-Patarin-Goubin (extended version of Eurocrypt '99) and improves an algorithm of Courtois et al. which eliminates $\lfloor \log_2 \omega \rfloor$ variables. For small $\omega$ we also adapt our algorithm to fields of odd characteristic. We apply our result to break current instances of the Unbalanced Oil and Vinegar public key signature scheme that uses $n = 3m$ and hence $\omega = 3$.
