
Operating Degrees for XL vs. F4/F5 for Generic \(\mathcal{M}Q\) with Number of Equations Linear in That of Variables

Chapter in: Number Theory and Cryptography

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 8260)

Abstract

We discuss the complexity of \(\mathcal{M}Q\), i.e. of solving multivariate systems of m equations in n variables over the finite field \(\mathbb{F}_q\) of q elements. \(\mathcal{M}Q\) is an important hard problem in cryptography. In particular, the complexity of solving overdetermined \(\mathcal{M}Q\) systems with randomly chosen coefficients when m = cn is related to the provable security of a number of cryptosystems.

In this context there are two basic approaches. One is to use XL (“eXtended Linearization”) with the solving step tailored to sparse linear algebra; the other is one of the many variations of Jean-Charles Faugère’s F4/F5 algorithms.

Although F4/F5 has been the de facto standard in the cryptographic community, it was proposed (Yang-Chen, 2004) that XL with Sparse Solver may be superior in some cases, particularly the generic overdetermined case with m/n = c + o(1).

At the Steering Committee Meeting of the Post-Quantum Cryptography workshop in 2008, Johannes Buchmann listed several key research questions to all post-quantum cryptographers present. One problem in \(\mathcal{M}Q\) -based cryptography, he noted, is “if the difference between the operating degrees of XL(-with-Sparse-Solver) and F4/F5 approaches can be accurately bounded for random systems.”

We answer in the affirmative when m/n = c + o(1), using Saddle Point analysis:

  1. For instances with randomly drawn coefficients, the operating degrees of XL and F4/F5 differ most in the large-field, “barely overdetermined” (m − n = c) cases, where the discrepancy is \(\propto \sqrt n\).

  2. In most other types of random systems with m/n = c + o(1), the expected difference between the operating degrees of XL and F4/F5 is a constant, which can be evaluated mathematically via asymptotic analysis.

Our conclusions are partially backed up using tests with Maple, MAGMA, and an XL implementation featuring Block Wiedemann as the sparse-matrix solver.
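As an added illustration (not code from the paper or its authors), the following Python script evaluates the two operating degrees the abstract compares, for semi-regular systems over a large field, using the generating-function criteria given in the paper's references: the F4/F5 degree of regularity \(D_{reg} = \min\{D : [t^D]\,(1-t^2)^m/(1-t)^n \le 0\}\) (Bardet, Faugère, Salvy, ref. 1) and the XL operating degree \(D_{XL} = \min\{D : [t^D]\,(1-t^2)^m/(1-t)^{n+1} \le 0\}\) (Yang, Chen, refs. 27 and 29). The extra factor \(1/(1-t)\) in the XL series counts all monomials of degree at most D rather than exactly D, so \(D_{XL}(n,m) = D_{reg}(n+1,m)\). The function names, the truncation bound n + 3 and the sample parameters (the m = n + 2 family and the square system m = n) are this example's own constructed choices; the script does not carry out the paper's saddle-point analysis, it tabulates the exact degrees for small n so the gap in the barely overdetermined family can be read off directly.

```python
from __future__ import annotations

from math import comb
from typing import Optional


def macaulay_series(n_vars: int, m_eqs: int, max_deg: int) -> list[int]:
    """Coefficients c_0, ..., c_max_deg of (1 - t^2)^m / (1 - t)^n, truncated
    at degree max_deg.  For m semi-regular quadratics in n variables this is
    the Hilbert series up to the degree of regularity; the coefficient of t^d
    is the number of degree-d monomials the ideal has not yet reached."""
    # Numerator (1 - t^2)^m by the binomial theorem: only even powers occur.
    numerator = [0] * (max_deg + 1)
    for k in range(min(m_eqs, max_deg // 2) + 1):
        numerator[2 * k] = (-1) ** k * comb(m_eqs, k)
    # Multiply by (1 - t)^(-n), whose t^j coefficient is C(j + n - 1, n - 1).
    return [
        sum(numerator[j] * comb(d - j + n_vars - 1, n_vars - 1) for j in range(d + 1))
        for d in range(max_deg + 1)
    ]


def first_nonpositive_degree(coeffs: list[int]) -> Optional[int]:
    """Index of the first non-positive coefficient, or None if none occurs
    within the truncation (the method does not close at the degrees examined)."""
    for d, c in enumerate(coeffs):
        if c <= 0:
            return d
    return None


def degree_of_regularity(n_vars: int, m_eqs: int) -> Optional[int]:
    """F4/F5 operating degree D_reg for a semi-regular system over a large
    field: first D with [t^D] (1 - t^2)^m / (1 - t)^n <= 0."""
    return first_nonpositive_degree(macaulay_series(n_vars, m_eqs, n_vars + 3))


def xl_operating_degree(n_vars: int, m_eqs: int) -> Optional[int]:
    """XL operating degree D_XL (Yang-Chen criterion): first D with
    [t^D] (1 - t^2)^m / (1 - t)^(n + 1) <= 0, i.e. D_reg of the same
    equations in one more variable."""
    return first_nonpositive_degree(macaulay_series(n_vars + 1, m_eqs, n_vars + 3))


def degree_gap(n_vars: int, m_eqs: int) -> Optional[int]:
    """D_XL - D_reg, or None when either method does not close in the truncation."""
    d_xl = xl_operating_degree(n_vars, m_eqs)
    d_reg = degree_of_regularity(n_vars, m_eqs)
    if d_xl is None or d_reg is None:
        return None
    return d_xl - d_reg


if __name__ == "__main__":
    # Barely overdetermined family m = n + 2 (constructed sample parameters).
    print(" n   m  D_reg  D_XL  gap")
    for n in (4, 8, 12, 16, 20, 24, 32, 40):
        m = n + 2
        print(f"{n:2d} {m:3d} {degree_of_regularity(n, m):5d} "
              f"{xl_operating_degree(n, m):5d} {degree_gap(n, m):4d}")
    # Square system m = n: D_reg is the Macaulay bound n + 1, while the XL
    # series never has a non-positive coefficient, so XL alone does not close.
    print("m = n = 6:", degree_of_regularity(6, 6), xl_operating_degree(6, 6))
```

Running the script prints the degree table; `None` for the square case is the expected outcome, since plain XL needs m > n to terminate under this criterion. The small-field situation, where the field equations \(x^q = x\) change the series, is not modelled here.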


References

  1. Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proceedings of the International Conference on Polynomial System Solving, pp. 71–74 (2004); previously INRIA report RR-5049

  2. Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic expansion of the degree of regularity for semi-regular systems of equations. In: Gianni, P. (ed.) MEGA 2005, Sardinia, Italy (2005)

  3. Bardet, M., Faugère, J.-C., Salvy, B., Spaenlehauer, P.-J.: On the complexity of solving quadratic boolean systems. Journal of Complexity 29(1), 53–75 (2013) ISSN 0885-064X

  4. Berbain, C., Gilbert, H., Patarin, J.: QUAD: A practical stream cipher with provable security. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 109–128. Springer, Heidelberg (2006)

  5. Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post Quantum Cryptography, 1st edn. Springer (2008) ISBN 3-540-88701-6

  6. Bettale, L., Faugère, J.-C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. Journal of Mathematical Cryptology 3(3), 177–197 (2010)

  7. Bouillaguet, C., Chen, H.-C., Cheng, C.-M., Chou, T., Niederhagen, R., Shamir, A., Yang, B.-Y.: Fast exhaustive search for polynomial systems in \(\mathbb{F}_2\). In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 203–218. Springer, Heidelberg (2010)

  8. Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, Innsbruck (1965)

  9. Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Solving quadratic equations with XL on parallel architectures. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 356–373. Springer, Heidelberg (2012)

  10. Chester, C., Friedman, B., Ursell, F.: An extension of the method of steepest descents. Proceedings of the Cambridge Philosophical Society 53, 599–611 (1957)

  11. Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Mathematics of Computation 62(205), 333–350 (1994)

  12. Courtois, N.T., Klimov, A.B., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000), http://www.minrank.org/xlfull.pdf

  13. Diem, C.: The XL-algorithm and a conjecture from commutative algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323–337. Springer, Heidelberg (2004)

  14. Ding, J., Buchmann, J., Mohamed, M.S.E., Mohamed, W.S.A.E., Weinmann, R.-P.: Mutant XL. Talk at the First International Conference on Symbolic Computation and Cryptography (SCC 2008), Beijing (2008)

  15. Ding, J., Yang, B.-Y., Chen, C.-H.O., Chen, M.-S., Cheng, C.-M.: New differential-algebraic attacks and reparametrization of Rainbow. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 242–257. Springer, Heidelberg (2008), http://eprint.iacr.org/2008/108

  16. Faugère, J.-C.: Solving efficiently structured polynomial systems and applications in cryptology. Talk at ECC 2011, 9:30 AM (September 20, 2011), http://ecc2011.loria.fr/slides/faugere.pdf

  17. Gao, S., Guan, Y., Volny, F.: A new incremental algorithm for computing Gröbner bases. In: Koepf, W. (ed.) ISSAC, pp. 13–19. ACM (2010)

  18. Joux, A., Vitse, V.: A variant of the F4 algorithm. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 356–375. Springer, Heidelberg (2011)

  19. Lazard, D.: Gröbner-bases, Gaussian elimination and resolution of systems of algebraic equations. In: EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (March 1983)

  20. Lupanov, O.B.: On rectifier and contact-rectifier circuits. Akademii Nauk SSSR 111, 1171–1174 (1956) ISSN 0002-3264

  21. MAGMA project, Computational Algebra Group, University of Sydney: The MAGMA computational algebra system for algebra, number theory and geometry, http://magma.maths.usyd.edu.au/magma/

  22. Mohamed, M.S.E., Cabarcas, D., Ding, J., Buchmann, J., Bulygin, S.: MXL3: An efficient algorithm for computing Gröbner bases of zero-dimensional ideals. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 87–100. Springer, Heidelberg (2010)

  23. Mohamed, M.S.E., Mohamed, W.S.A.E., Ding, J., Buchmann, J.: MXL2: Solving polynomial equations over GF(2) using an improved mutant strategy. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 203–215. Springer, Heidelberg (2008)

  24. Mohamed, W.S.A., Ding, J., Kleinjung, T., Bulygin, S., Buchmann, J.: PWXL: A parallel Wiedemann-XL algorithm for solving polynomial equations over GF(2). In: Cid, C., Faugère, J.-C. (eds.) Proceedings of the 2nd International Conference on Symbolic Computation and Cryptography, pp. 89–100 (June 2010)

  25. Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE Transactions on Information Theory IT-32(1), 54–62 (1976)

  26. Williams, V.V.: Breaking the Coppersmith-Winograd barrier (2011), www.cs.berkeley.edu/~virgi/matrixmult.pdf

  27. Yang, B.-Y., Chen, J.-M.: All in the XL family: Theory and practice. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005)

  28. Yang, B.-Y., Chen, J.-M.: Theoretical analysis of XL over small fields. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 277–288. Springer, Heidelberg (2004)

  29. Yang, B.-Y., Chen, J.-M., Courtois, N.T.: On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004)

  30. Yang, B.-Y., Chen, O.C.-H., Bernstein, D.J., Chen, J.-M.: Analysis of QUAD. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 290–308. Springer, Heidelberg (2007)

  31. Yang, B.-Y., Chen, O.C.-H., Chen, J.-M.: The limit of XL implemented with sparse matrices. In: Workshop Record, PQCrypto Workshop, Leuven (2006), http://postquantum.cr.yp.to/pqcrypto2006record.pdf


Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Yeh, J.-Y.C., Cheng, C.-M., Yang, B.-Y. (2013). Operating Degrees for XL vs. F4/F5 for Generic \(\mathcal{M}Q\) with Number of Equations Linear in That of Variables. In: Fischlin, M., Katzenbeisser, S. (eds.) Number Theory and Cryptography. Lecture Notes in Computer Science, vol. 8260. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42001-6_3


  • DOI: https://doi.org/10.1007/978-3-642-42001-6_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-42000-9

  • Online ISBN: 978-3-642-42001-6

  • eBook Packages: Computer Science (R0)
