Polynomial XL: A Variant of the XL Algorithm Using Macaulay Matrices over Polynomial Rings

Solving a system of m multivariate quadratic equations in n variables (the MQ problem) is one of the main challenges of algebraic cryptanalysis. The XL algorithm (XL for short) is a major approach to the MQ problem: it multiplies the equations by monomials up to a chosen degree and linearizes the resulting system over the coefficient field. The hybrid approach with XL (h-XL) is a variant of XL that guesses some of the variables beforehand. In this paper we present a variant of h-XL that we call polynomial XL (PXL). In PXL, the n variables are divided into k variables to be fixed and the remaining n − k "main variables", and the Macaulay matrix with respect to the n − k main variables is generated over the polynomial ring in the k variables. By eliminating some columns of this Macaulay matrix over the polynomial ring before guessing the k variables, the amount of manipulation required for each guessed value can be reduced. Our complexity analysis indicates that PXL is efficient on systems with n ≈ m. For example, on systems over F_{2^8} with n = m = 80, the number of manipulations required by the hybrid approaches with XL and with Wiedemann XL, and by PXL, is estimated as 2, 2, and 2, respectively.
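The mechanism described in the abstract can be followed on a toy instance. The block below is an added illustration, not code from the paper: it builds the Macaulay matrix in the n − k main variables with entries in the polynomial ring of the k = 1 guessed variable y, and compares plain h-XL (specialize the guess, then linearize) against a PXL-style variant that first performs Gauss-Jordan elimination over that polynomial ring using only pivots that are nonzero constants, so that the eliminated columns are gone for every guess at once. Everything in it is an assumption of the example rather than the paper's construction: the field GF(7) instead of F_{2^8}, the constructed planted instance with n = 3 and m = 4 (slightly overdetermined so that a low degree D suffices), the crude operation counts (one multiplication per entry of each row operation, plus Horner steps for evaluating polynomial entries), and all function names. The paper's PXL handles general k and a fuller elimination over the polynomial ring than the constant-pivot rule used here.

```python
# Toy hybrid XL (h-XL) versus a PXL-style pre-elimination over GF(P)[y].  Constructed instance:
# n = 3 variables (x0, x1, y), m = 4 quadratics over GF(7), k = 1 guessed variable y.
import random
from functools import reduce
P = 7  # toy field GF(7); the paper's estimates are for F_{2^8}

def paxpy(a, f, b):  # a + f*b in GF(P)[y]; polynomials are coefficient lists, lowest degree first, trimmed
    out = [0] * max(len(a), len(f) + len(b) - 1 if f and b else 0)
    for i, x in enumerate(a):
        out[i] = x
    for i, x in enumerate(f):
        for j, z in enumerate(b):
            out[i + j] = (out[i + j] + x * z) % P
    while out and out[-1] == 0:
        out.pop()
    return out

def peval(a, v):  # Horner evaluation at y = v
    return reduce(lambda acc, c: (acc * v + c) % P, reversed(a), 0)

def monomials(D):  # x0^e0 x1^e1 with e0 + e1 <= D, highest degree first
    return sorted([(e0, d - e0) for d in range(D + 1) for e0 in range(d + 1)], key=lambda e: (-sum(e), -e[0]))

def evaluate(f, pt):  # f: {(e0, e1, ey): coeff}, pt = (x0, x1, y)
    return sum(c * pow(pt[0], a, P) * pow(pt[1], b, P) * pow(pt[2], e, P) for (a, b, e), c in f.items()) % P

def random_system(m, planted, rng):  # m random quadratics whose constant terms make `planted` a root
    monos = [(a, b, c) for a in range(3) for b in range(3) for c in range(3) if 0 < a + b + c <= 2]
    system = [{e: rng.randrange(P) for e in monos} for _ in range(m)]
    for f in system:
        f[(0, 0, 0)] = (-evaluate(f, planted)) % P
    return system

def macaulay(system, D):  # Macaulay matrix of degree D in x0, x1; entries are polynomials in y
    cols = monomials(D)
    idx = {e: i for i, e in enumerate(cols)}
    rows = []
    for (t0, t1), f in [(t, f) for t in monomials(D - 2) for f in system]:  # row = x0^t0 x1^t1 * f
        row = [[] for _ in cols]
        for (a, b, e), c in f.items():
            row[idx[(a + t0, b + t1)]] = paxpy(row[idx[(a + t0, b + t1)]], [c], [0] * e + [1])  # add c*y^e
        rows.append(row)
    return rows, cols

def eliminate_constant_pivots(M):  # PXL-style step, done once over GF(P)[y] before any guess
    # Gauss-Jordan using only pivots that are nonzero constants, so the row operations stay valid for
    # every value of y.  Returns (reduced matrix, one-time cost in coefficient multiplications).
    M, used, ops = [row[:] for row in M], set(), 0
    for col in range(len(M[0])):
        for r in [i for i in range(len(M)) if i not in used and len(M[i][col]) == 1][:1]:
            inv = pow(M[r][col][0], P - 2, P)
            for i in range(len(M)):
                if i != r and M[i][col]:
                    factor = [(-c * inv) % P for c in M[i][col]]
                    ops += sum(len(factor) * len(x) for x in M[r])
                    M[i] = [paxpy(M[i][j], factor, M[r][j]) for j in range(len(M[r]))]
            used.add(r)
    return M, ops

def field_rref(M):  # RREF over GF(P); cost = one multiplication per entry of each row operation
    M, ncols, r, piv, ops = [row[:] for row in M], len(M[0]), 0, [], 0
    for col in range(ncols):
        for p in [i for i in range(r, len(M)) if M[i][col]][:1]:
            inv = pow(M[p][col], P - 2, P)
            M[p], M[r] = M[r], [x * inv % P for x in M[p]]
            for i in range(len(M)):
                if i != r and M[i][col]:
                    M[i] = [(a - M[i][col] * b) % P for a, b in zip(M[i], M[r])]
                    ops += ncols
            piv.append(col)
            r, ops = r + 1, ops + ncols
    return M, piv, ops

def solve(system, D, pre_eliminate):  # h-XL at degree D: guess y = v, specialize, linearize in x0, x1
    # Returns (verified solutions, guesses the linearization left undecided, one-time cost, cost over all guesses).
    M, cols = macaulay(system, D)
    M, one_time = eliminate_constant_pivots(M) if pre_eliminate else (M, 0)
    c1, cx0, cx1 = cols.index((0, 0)), cols.index((1, 0)), cols.index((0, 1))
    sols, undecided, per_guess = [], [], 0
    for v in range(P):
        R, piv, ops = field_rref([[peval(a, v) for a in row] for row in M])
        per_guess += ops + sum(max(len(a) - 1, 0) for row in M for a in row)  # Horner steps + RREF
        free = [j for j in range(len(cols)) if j not in piv]  # kernel dimension == len(free)
        if len(free) > 1:
            undecided.append(v)  # D is too small to decide this guess
        elif free:  # 1-dim kernel: build its vector, scale the column of the monomial 1 to 1, verify
            z = [int(j == free[0]) for j in range(len(cols))]
            for r, pc in enumerate(piv):
                z[pc] = (-R[r][free[0]]) % P
            s = pow(z[c1], P - 2, P)  # z[c1] == 0 means no affine root with y = v; then s == 0 and the check fails
            cand = (z[cx0] * s % P, z[cx1] * s % P, v)
            if all(evaluate(f, cand) == 0 for f in system):
                sols.append(cand)
    return sols, undecided, one_time, per_guess

def run_example(seed=1):
    system = random_system(4, (3, 5, 2), random.Random(seed))  # planted root (x0, x1, y) = (3, 5, 2)
    for D in range(2, 7):  # raise D until the linearization decides every guess
        hxl = solve(system, D, pre_eliminate=False)
        if not hxl[1]:
            break
    pxl = solve(system, D, pre_eliminate=True)  # row-equivalent matrix: same kernels, less work per guess
    return {"D": D, "hxl_solutions": hxl[0], "pxl_solutions": pxl[0], "hxl_per_guess_ops": hxl[3],
            "pxl_one_time_ops": pxl[2], "pxl_per_guess_ops": pxl[3]}
```

run_example() returns the solutions found by both methods together with the costs. The two solution lists agree because the pre-eliminated matrix, specialized at any value of y, is row-equivalent to the original specialized matrix (every row operation used a pivot that stays invertible after specialization), so the kernels are identical. The quantity to look at is the gap between hxl_per_guess_ops and pxl_per_guess_ops: the pre-elimination cost pxl_one_time_ops is paid once, while the per-guess saving is collected on every one of the q^k guesses, which is the trade the abstract describes. The counts are crude and the instance is tiny, so they show the shape of the saving, not the paper's estimates.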