Solving Quadratic Equations with XL on Parallel Architectures

  • Chen-Mou Cheng
  • Tung Chou
  • Ruben Niederhagen
  • Bo-Yin Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7428)

Abstract

Solving a system of multivariate quadratic equations (MQ) is an NP-complete problem whose complexity estimates are relevant to many cryptographic scenarios. In some cases it is required in the best known attack; sometimes it is a generic attack (such as for the multivariate PKCs), and sometimes it determines a provable level of security (such as for the QUAD stream ciphers).

Under reasonable assumptions, the best way to solve generic MQ systems is the XL algorithm implemented with a sparse matrix solver such as Wiedemann’s algorithm. Knowing how much time an implementation of this attack requires gives us a good idea of how future cryptosystems related to MQ can be broken, similar to how implementations of the General Number Field Sieve that factor smaller RSA numbers give us more insight into the security of actual RSA-based cryptosystems.

This paper describes such an implementation of XL using the block Wiedemann algorithm. In 5 days we are able to solve a system with 32 variables and 64 equations over \(\mathbb{F}_{16}\) (a computation of about \(2^{60.3}\) bit operations) on a small cluster of 8 nodes, with 8 CPU cores and 36 GB of RAM in each node. We do not expect system solvers of the F4/F5 family to accomplish this due to their much higher memory demand. Our software also offers implementations for \(\mathbb{F}_{2}\) and \(\mathbb{F}_{31}\) and can be easily adapted to other small fields. More importantly, it scales nicely for small clusters, NUMA machines, and a combination of both.
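To make the XL step concrete, here is an added toy implementation that is not the paper's software: XL over \(\mathbb{F}_{2}\) with the field equations \(x_i^2 = x_i\), multiplying every equation by all monomials up to degree \(D-2\), linearizing, and solving with dense Gaussian elimination in place of the block Wiedemann solver the paper uses. The six-equation, three-variable system at the bottom is constructed for the example (it keeps the paper's \(m = 2n\) ratio) and has the single common zero \((1, 0, 1)\).

```python
from collections import Counter
from itertools import combinations

# Polynomial over F_2 = set of monomials; monomial = frozenset of variable
# indices (x_i^2 = x_i keeps every monomial square-free). ONE is the constant 1.
ONE = frozenset()

def poly_mul(p, q):  # monomials that appear an even number of times cancel
    return {m for m, c in Counter(a | b for a in p for b in q).items() if c % 2}

def monomials(n, max_deg):  # all square-free monomials of degree <= max_deg
    return [frozenset(c) for d in range(max_deg + 1) for c in combinations(range(n), d)]

def rref_f2(rows, ncols):  # reduced row echelon form; row = int, bit k = column k
    rows, out = [r for r in rows if r], []
    for bit in (1 << k for k in range(ncols)):
        piv = next((r for r in rows if r & bit), None)
        if piv is None:
            continue
        rows = [r ^ piv if r & bit else r for r in rows if r != piv]
        out = [r ^ piv if r & bit else r for r in out] + [piv]
    return out

def xl_solve(eqs, n):
    """XL: multiply each equation by every monomial of degree <= D-2, treat each
    monomial as an independent unknown, solve the linear system, and raise D
    until every x_i is pinned down (over F_2 with field equations D <= n+2)."""
    for D in range(2, n + 3):
        cols = monomials(n, D)[::-1]  # high degree first, constant column last
        idx = {m: k for k, m in enumerate(cols)}
        ext = [poly_mul(f, {m}) for f in eqs for m in monomials(n, D - 2)]
        sol = {}
        for r in rref_f2([sum(1 << idx[m] for m in p) for p in ext], len(cols)):
            mons = [cols[k] for k in range(len(cols)) if r >> k & 1]
            if len(mons) - (ONE in mons) == 1 and len(mons[0]) == 1:  # x_i (+ 1) = 0
                sol[next(iter(mons[0]))] = int(ONE in mons)
        if len(sol) == n:
            print(f"solved at D={D}: {len(ext)}x{len(cols)} linearized system")
            return tuple(sol[i] for i in range(n))

M = lambda *vs: frozenset(vs)  # M(0, 1) is the monomial x0*x1
# Constructed toy instance (m = 2n like the paper's 32/64): six quadratics in
# three variables whose only common zero is (x0, x1, x2) = (1, 0, 1).
EQS = [{M(0, 1), M(1), M(2), ONE}, {M(0, 2), M(1), ONE}, {M(1, 2), M(0), ONE},
       {M(0, 1), M(0, 2), M(0), M(1)}, {M(1, 2), M(0), M(2)}, {M(0, 1), M(2), ONE}]

if __name__ == "__main__":
    print(xl_solve(EQS, 3))  # (1, 0, 1)
```

Every value XL reads off is a linear polynomial lying in the ideal of the system, so it is correct at any degree; the loop only stops once all variables are fixed, which is why the linearized matrix, not the number of equations, is what the paper's sparse solver has to scale to.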

Keywords

XL, Gröbner basis, block Wiedemann, sparse solver, multivariate quadratic systems

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Chen-Mou Cheng (1)
  • Tung Chou (2)
  • Ruben Niederhagen (2)
  • Bo-Yin Yang (2)
  1. Intel-NTU Connected Context Computing Center, National Taiwan University, Taipei, Taiwan
  2. Institute of Information Science, Academia Sinica, Taipei, Taiwan