## Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations (2000)

Venue: IN ADVANCES IN CRYPTOLOGY, EUROCRYPT’2000, LNCS 1807

Citations: 134 (19 self)

### BibTeX

@INPROCEEDINGS{Courtois00efficientalgorithms,
  author = {Nicolas Courtois and Alexander Klimov and Jacques Patarin and Adi Shamir},
  title = {Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations},
  booktitle = {IN ADVANCES IN CRYPTOLOGY, EUROCRYPT’2000, LNCS 1807},
  year = {2000},
  pages = {392--407},
  publisher = {Springer-Verlag}
}

### Abstract

The security of many recently proposed cryptosystems is based on the difficulty of solving large systems of quadratic multivariate polynomial equations. This problem is NP-hard over any field. When the number of equations m is the same as the number of unknowns n, the best known algorithms are exhaustive search for small fields, and a Gröbner base algorithm for large fields. Gröbner base algorithms have large exponential complexity and cannot solve in practice systems with n ≥ 15. Kipnis and Shamir [9] have recently introduced a new algorithm called "relinearization". The exact complexity of this algorithm is not known, but for sufficiently overdefined systems it was expected to run in polynomial time. In this paper we analyze the theoretical and practical aspects of relinearization. We ran a large number of experiments for various values of n and m, and analysed which systems of equations were actually solvable. We show that many of the equations generated by relinearization are linearly dependent, and thus relinearization is less efficient than one could expect. We then develop an improved algorithm called XL which is both simpler and more powerful than relinearization. For all $0 < \epsilon \leq 1/2$, and $m \geq \epsilon n^2$, XL and relinearization are expected to run in polynomial time of approximately $n^{O(1/\sqrt{\epsilon})}$. Moreover, we provide strong evidence that relinearization and XL can solve randomly generated systems of polynomial equations in subexponential time when m exceeds n by a number that increases slowly with n.

### Citations

123 | Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms
- 1996
Citation Context ...plexity analysis of these algorithms is in general very difficult. 10 Cryptanalysis of HFE with XL/relinearization attacks The HFE (Hidden Field Equations) cryptosystem was proposed at Eurocrypt 1996 [11]. Two different attacks were recently developed against it [3, 9], but they do not compromise the practical security of HFE instances with well chosen parameters. Moreover it does not seem that these ...

113 | Finite fields, Encyclopedia of mathematics and its applications
- Lidl, Niederreiter
- 1983
Citation Context ...re linearly independent in XL (we will comment on this critical hypothesis below), we expect to succeed when α ≥ β, i.e. when $m \geq \frac{n^2}{D(D-1)}$ (7). We get the following evaluation: $D \geq \text{about } \frac{n}{\sqrt{m}}$ (8). 6.1 Case m ≈ n: If m ≈ n, and if we expect most of the equations to be independent, we expect the attack to succeed when $D \approx \sqrt{n}$. The complexity of the algorithm is thus lower bounded by the complexity o...

87 | Finding a small root of a univariate modular equation
- Coppersmith
- 1996
Citation Context ...omogeneous quadratic equations, it suffices to use only monomials of odd (or even) degrees. Note 3: A related technique was used by Don Coppersmith to find small roots of univariate modular equations [2]. However, in that application he used LLL rather than Gauss elimination to handle the generated relations, and relied heavily on the fact that the solution is small (which plays no role in our applic...

45 | Unbalanced Oil and Vinegar signature schemes
- Kipnis, Patarin, et al.
Citation Context ... practical security of HFE instances with well chosen parameters. Moreover it does not seem that these attacks can be extended against variations of the HFE scheme such as HFEv or HFEv− described in [8]. The first type of attack (such as the affine multiple attack in [11]) tries to compute the cleartext from a given ciphertext. It is expected to be polynomial when the degree d of the hidden polynomi...

23 | The security of Hidden Field Equations
- Courtois
- 2001
Citation Context ...lt. 10 Cryptanalysis of HFE with XL/relinearization attacks The HFE (Hidden Field Equations) cryptosystem was proposed at Eurocrypt 1996 [11]. Two different attacks were recently developed against it [3, 9], but they do not compromise the practical security of HFE instances with well chosen parameters. Moreover it does not seem that these attacks can be extended against variations of the HFE scheme such...

18 | A new efficient algorithm for computing Gröbner bases without reduction to zero
- Jean-Charles Faugère
- 2002
Citation Context ...onential time, and on average its running time seems to be single exponential. The most efficient variant of this algorithm which we are aware of is due to Jean-Charles Faugere (private communication [5, 6]) whose complexity in the case of m = n quadratic equations is: – If K is big, the complexity is proved to be $O(2^{3n})$ and is $O(2^{2.7n})$ in practice. – When K =...

6 | Algebraic aspects of cryptography; Springer-Verlag
- Neal Koblitz
- 1998
Citation Context ...le, the results do not give a precise estimation of C. (9) 6.5 Case $m = \epsilon n^2$, $\epsilon > 0$: Let $0 < \epsilon \leq 1/2$ and $m = \epsilon n^2$. We expect XL to succeed when $D \approx \lceil 1/\sqrt{\epsilon} \rceil$ (10). The working factor is in this case $WF \approx \frac{n^{\omega \lceil 1/\sqrt{\epsilon} \rceil}}{(\lceil 1/\sqrt{\epsilon} \rceil)!}$. So the algorithm is expected to be polynomial (in n) with a degree of about $\omega/\sqrt{\epsilon}$. Remark: The fact that solving a system of $\epsilon \cdot n^2$ e...

4 | Computing Gröbner basis without reduction to 0, technical report LIP6, in preparation, source: private communication. Also presented at
- Jean-Charles Faugère
- 2002
Citation Context ...onential time, and on average its running time seems to be single exponential. The most efficient variant of this algorithm which we are aware of is due to Jean-Charles Faugere (private communication [5, 6]) whose complexity in the case of m = n quadratic equations is: – If K is big, the complexity is proved to be $O(2^{3n})$ and is $O(2^{2.7n})$ in practice. – When K =...

3 | The HFE cryptosystem home page. Describes all aspects of HFE and allows to download an example of HFE challenge. http://hfe.minrank.org
- Courtois
Citation Context ... expected to be polynomial when d is fixed but not polynomial when d = O(n). To test the practicality of these attacks, consider the HFE "challenge 1" described in the extended version of [11] and in [4]. It is a trapdoor function over GF(2) with n = 80 variables and d = 96. A direct application of the FXL to these 80 quadratic equations requires Gaussian reductions on about $80^9/9! \approx 2^{38}$ variable...

1 | The security of HFE
- Nicolas Courtois
Citation Context ...lt. 10 Cryptanalysis of HFE with XL/relinearization attacks The HFE (Hidden Field Equations) cryptosystem was proposed at Eurocrypt 1996 [11]. Two different attacks were recently developed against it [3, 9], but they do not compromise the practical security of HFE instances with well chosen parameters. Moreover it does not seem that...

1 | The HFE cryptosystem web
- Courtois
Citation Context ... expected to be polynomial when d is fixed but not polynomial when d = O(n). To test the practicality of these attacks, consider the HFE “challenge 1” described in the extended version of [11] and in [4]. It is a trapdoor function over GF(2) with n = 80 variables and d = 96. A direct application of the FXL to these 80 quadratic equations requires Gaussian reductions on about $80^9/9! \approx 2^{38}$ variable...