Paper 2007/024

Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers

Gregory V. Bard, Nicolas T. Courtois, and Chris Jefferson.

Abstract

The computational hardness of solving large systems of sparse and low-degree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware, and have a low gate counts, resulting in a sparse system of equations, which in turn renders such attacks feasible. On one hand, numerous recent papers on the XL algorithm and more sophisticated Groebner-bases techniques [5, 7, 13, 14] demonstrate that systems of equations are efficiently solvable when they are sufficiently overdetermined or have a hidden internal algebraic structure that implies the existence of some useful algebraic relations. On the other hand, most of this work, as well as most successful algebraic attacks, involve dense, not sparse systems, at least until linearization by XL or a similar algorithm. No polynomial-system-solving algorithm we are aware of, demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations. In this paper, we study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability (CNF-SAT) problem, for which excellent heuristic algorithms have been developed in recent years. A direct application of this method gives very efficient results: we show that sparse multivariate quadratic systems (especially if over-defined) can be solved much faster than by exhaustive search if beta < 1/100. In particular, our method requires no additional memory beyond that required to store the problem, and so often terminates with an answer for problems that cause Magma and Singular to crash. On the other hand, if Magma or Singular do not crash, then they tend to be faster than our method, but this case includes only the smallest sample problems.

Note: New experiments will be added shortly.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Submitted to a Conference.
Keywords
Algebraic CryptanalysisLogical CryptanalysisSAT SolversMQQuadratic Polynomials over GF(2)
Contact author(s)
gregory bard @ ieee org
History
2007-01-26: last of 3 revisions
2007-01-26: received
See all versions
Short URL
https://ia.cr/2007/024
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2007/024,
      author = {Gregory V.  Bard and Nicolas T.  Courtois and Chris Jefferson.},
      title = {Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers},
      howpublished = {Cryptology ePrint Archive, Paper 2007/024},
      year = {2007},
      note = {\url{https://eprint.iacr.org/2007/024}},
      url = {https://eprint.iacr.org/2007/024}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.