×

Efficient algorithms for solving overdefined systems of multivariate polynomial equations. (English) Zbl 1082.94514

Preneel, Bart (ed.), Advances in cryptology - EUROCRYPT 2000. 19th international conference on the theory and application of cryptographic techniques, Bruges, Belgium, May 14–18, 2000. Proceedings. Berlin: Springer (ISBN 3-540-67517-5). Lect. Notes Comput. Sci. 1807, 392-407 (2000).
The security of many recently proposed cryptosystems is based on the difficulty of solving large systems of quadratic multivariate polynomial equations. This problem is NP-hard over any field. When the numnber of equations \(m\) is the same as the number of unknowns in the best known algorithms are exhaustive search for small fields, and a Gröbner base algorithm for large fields. Gröbner base algorithms have large exponential complexity and cannot solve in practice systems with \(n \geq 15\). Kipnis and Shamir have recently introduced a new algorithm called “relinearization”. The exact complexity of this algorithm is not known, but for sufficiently overdefined systems it was expected to run in polynomial time.
In this paper we analyze the theoretical and practical aspects of relinearization. We ran a large number of experiments for various values of \(n\) and \(m\), and analysed which systems of equations were actually solvable. We show that many of the equations generated by relinearization are linearly dependent, and thus relinearization is less efficient that one could expect. We then develop an improved algorithm called XL which is both simpler and more powerful than relinearization. For all \(0 < \varepsilon \leq 1/2\), and \(m\geq \varepsilon n^2\) XL and relinearization are expected to run in polynomial time of approximately \(n^{{\mathcal O}(1/\sqrt\varepsilon)}\). Moreover, we provide strong evidence that relinearization and XL can solve randomly generated systems of polynomial equations in subexponential time when \(m\) exceeds \(n\) by a number that increases slowly with \(n\).
For the entire collection see [Zbl 0939.00052].

MSC:

94A60 Cryptography
68W30 Symbolic computation and algebraic computation
12Y05 Computational aspects of field theory and polynomials (MSC2010)

Software:

FGb
PDF BibTeX XML Cite