Solving Quadratic Equations with XL on Parallel Architectures

  • Chen-Mou Cheng
  • Tung Chou
  • Ruben Niederhagen
  • Bo-Yin Yang
Conference paper

DOI: 10.1007/978-3-642-33027-8_21

Volume 7428 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Cheng CM., Chou T., Niederhagen R., Yang BY. (2012) Solving Quadratic Equations with XL on Parallel Architectures. In: Prouff E., Schaumont P. (eds) Cryptographic Hardware and Embedded Systems – CHES 2012. CHES 2012. Lecture Notes in Computer Science, vol 7428. Springer, Berlin, Heidelberg

Abstract

Solving a system of multivariate quadratic equations (MQ) is an NP-complete problem whose complexity estimates are relevant to many cryptographic scenarios. In some cases it is required in the best known attack; sometimes it is a generic attack (such as for the multivariate PKCs), and sometimes it determines a provable level of security (such as for the QUAD stream ciphers).

Under reasonable assumptions, the best way to solve generic MQ systems is the XL algorithm implemented with a sparse matrix solver such as Wiedemann’s algorithm. Knowing how much time an implementation of this attack requires gives us a good idea of how future cryptosystems related to MQ can be broken, similar to how implementations of the General Number Field Sieve that factors smaller RSA numbers give us more insight into the security of actual RSA-based cryptosystems.

This paper describes such an implementation of XL using the block Wiedemann algorithm. In 5 days we are able to solve a system with 32 variables and 64 equations over \(\mathbb{F}_{16}\) (a computation of about \(2^{60.3}\) bit operations) on a small cluster of 8 nodes, with 8 CPU cores and 36 GB of RAM in each node. We do not expect system solvers of the F4/F5 family to accomplish this due to their much higher memory demand. Our software also offers implementations for \(\mathbb{F}_{2}\) and \(\mathbb{F}_{31}\) and can be easily adapted to other small fields. More importantly, it scales nicely for small clusters, NUMA machines, and a combination of both.
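The XL procedure the abstract refers to, as an added example that is not code from the paper or the authors' software: each quadratic equation is multiplied by every monomial up to degree D-2, the resulting rows are written in the basis of monomials of degree at most D (the Macaulay matrix), and the monomials are then treated as independent unknowns of a linear system. The vector of all monomials evaluated at the true solution always lies in the kernel of that matrix, so once the kernel is one-dimensional the solution can be read off its linear entries. The toy sizes here (n=3 variables, m=6 equations over \(\mathbb{F}_{31}\), mirroring the paper's m=2n ratio, with a planted solution and a fixed seed) are assumptions for illustration, and the kernel is computed by dense Gauss-Jordan elimination rather than the paper's block Wiedemann; the `nonzeros_per_row` helper shows why a sparse solver is the right tool at real sizes, since every row has at most as many nonzeros as one quadratic has terms.

```python
import itertools
import random

P = 31  # work over F_31, one of the fields the paper's software supports


def monomials(n, deg):
    """Exponent vectors of all monomials of degree <= deg in n variables,
    ordered by degree: index 0 is the constant, indices 1..n are x_1..x_n."""
    out = []
    for d in range(deg + 1):
        for combo in itertools.combinations_with_replacement(range(n), d):
            e = [0] * n
            for i in combo:
                e[i] += 1
            out.append(tuple(e))
    return out


def evaluate(f, x):
    """Evaluate a polynomial {exponent tuple: coeff} at point x over F_P."""
    total = 0
    for e, c in f.items():
        term = c
        for xi, ei in zip(x, e):
            term = term * pow(xi, ei, P) % P
        total = (total + term) % P
    return total


def random_mq_system(n, m, sol, rng):
    """m random quadratics in n variables with a planted common zero `sol`
    (constructed input: only the constant term is adjusted to fit `sol`)."""
    polys = []
    for _ in range(m):
        f = {e: rng.randrange(P) for e in monomials(n, 2) if sum(e) > 0}
        f[(0,) * n] = (-evaluate(f, sol)) % P  # force f(sol) == 0
        polys.append(f)
    return polys


def macaulay_matrix(polys, n, D):
    """XL extension step: every row is x^e * f_j for deg(e) <= D-2, written
    in the basis of the monomials of degree <= D."""
    cols = monomials(n, D)
    idx = {e: i for i, e in enumerate(cols)}
    rows = []
    for f in polys:
        for e in monomials(n, D - 2):
            row = [0] * len(cols)
            for fe, c in f.items():
                j = idx[tuple(a + b for a, b in zip(fe, e))]
                row[j] = (row[j] + c) % P
            rows.append(row)
    return rows, cols


def nullspace_mod_p(rows, ncols):
    """Right kernel over F_P by dense Gauss-Jordan elimination (the paper
    replaces this step with block Wiedemann on the sparse matrix)."""
    M = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        if r == len(M):
            break
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], P - 2, P)
        M[r] = [v * inv % P for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                fac = M[i][c]
                M[i] = [(a - fac * b) % P for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [0] * ncols
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-M[i][free]) % P
        basis.append(v)
    return basis


def nonzeros_per_row(rows):
    """Average row weight: bounded by the number of terms in one quadratic."""
    return sum(sum(1 for v in r if v) for r in rows) / len(rows)


def xl_solve(polys, n, max_degree=6):
    """Raise D until the kernel is one-dimensional, then scale the kernel
    vector so the constant monomial is 1 and read x_1..x_n off it.
    Returns (D, solution) or None if max_degree is not enough."""
    for D in range(2, max_degree + 1):
        rows, cols = macaulay_matrix(polys, n, D)
        kernel = nullspace_mod_p(rows, len(cols))
        if len(kernel) != 1:
            continue  # too few independent equations yet; extend further
        v = kernel[0]
        inv = pow(v[0], P - 2, P)
        cand = tuple(v[i] * inv % P for i in range(1, n + 1))
        if all(evaluate(f, cand) == 0 for f in polys):
            return D, cand
    return None


if __name__ == "__main__":
    rng = random.Random(2012)  # constructed example: 3 variables, 6 equations
    planted = (7, 19, 3)
    system = random_mq_system(3, 6, planted, rng)
    D, found = xl_solve(system, 3)
    print("XL succeeded at degree", D, "solution", found, "planted", planted)
```

The degree D at which the kernel collapses to one dimension is the quantity that drives the paper's cost estimates: the matrix has roughly \(m \binom{n+D-2}{D-2}\) rows and \(\binom{n+D}{D}\) columns, and each row stays as sparse as a single quadratic, which is why a Wiedemann-style solver that only needs matrix-vector products fits far better than dense elimination or F4/F5-style reduction at the sizes reported above.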

Keywords

XL; Gröbner basis; block Wiedemann; sparse solver; multivariate quadratic systems

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Chen-Mou Cheng (1)
  • Tung Chou (2)
  • Ruben Niederhagen (2)
  • Bo-Yin Yang (2)
  1. Intel-NTU Connected Context Computing Center, National Taiwan University, Taipei, Taiwan
  2. Institute of Information Science, Academia Sinica, Taipei, Taiwan