International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers

Authors:
Gregory V. Bard
Nicolas T. Courtois
Chris Jefferson.
Download:
URL: http://eprint.iacr.org/2007/024
Search ePrint
Search Google
Abstract: The computational hardness of solving large systems of sparse and low-degree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware, and have a low gate counts, resulting in a sparse system of equations, which in turn renders such attacks feasible. On one hand, numerous recent papers on the XL algorithm and more sophisticated Groebner-bases techniques [5, 7, 13, 14] demonstrate that systems of equations are efficiently solvable when they are sufficiently overdetermined or have a hidden internal algebraic structure that implies the existence of some useful algebraic relations. On the other hand, most of this work, as well as most successful algebraic attacks, involve dense, not sparse systems, at least until linearization by XL or a similar algorithm. No polynomial-system-solving algorithm we are aware of, demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations. In this paper, we study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability (CNF-SAT) problem, for which excellent heuristic algorithms have been developed in recent years. A direct application of this method gives very efficient results: we show that sparse multivariate quadratic systems (especially if over-defined) can be solved much faster than by exhaustive search if beta < 1/100. In particular, our method requires no additional memory beyond that required to store the problem, and so often terminates with an answer for problems that cause Magma and Singular to crash. On the other hand, if Magma or Singular do not crash, then they tend to be faster than our method, but this case includes only the smallest sample problems.
BibTeX
@misc{eprint-2007-13306,
  title={Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers},
  booktitle={IACR Eprint archive},
  keywords={Secret-Key Cryptography / Algebraic Cryptanalysis, Over-Defined Sparse Multivariate Systems of Equations, Logical Cryptanalysis, SAT Solvers, MQ, Quadratic Polynomials over GF(2)},
  url={http://eprint.iacr.org/2007/024},
  note={Submitted to a Conference. gregory.bard@ieee.org 13539 received 25 Jan 2007, last revised 26 Jan 2007},
  author={Gregory V. Bard and Nicolas T. Courtois and Chris Jefferson.},
  year=2007
}