## No full-text available

To read the full-text of this research,

you can request a copy directly from the authors.

To read the full-text of this research,

you can request a copy directly from the authors.

... 2. By utilizing a simple version of the crossbred algorithm [JV17] proposed in [BDT22] to solve an overdefined quadratic equation system, our attacks on 3-round LowMC require negligible memory and can achieve better time-memory tradeoffs than Dinur's algorithm [Din21]. ...

... In our attacks, we will adopt a simple version of the crossbred algorithm [JV17] to solve an overdefined system of quadratic equations, which is described in [BDT22]. This algorithm fits very well with our attacks on LowMC for its simplicity to bound the time complexity and to implement in practice. ...

... The first attack is a new and simple guess-and-determine (GnD) attack on 3-round LowMC by using Banik et al.'s strategy [BBDV20] to linearize the 3-bit S-box, where we solve a system of quadratic equations with the standard linearization technique. The second attack is a much simpler yet more efficient GnD attack on 3-round LowMC by using a naive guess strategy to linearize the 3-bit S-box, where we solve quadratic equations with the simplified version of the crossbred algorithm [BDT22]. The third attack is for full-round (4-round) LowMC, where we still adopt the naive guess strategy but use Dinur's algorithm [Din21] to solve equations of degree 4. ...

The security of the post-quantum signature scheme Picnic is highly related to the difficulty of recovering the secret key of LowMC from a single plaintext-ciphertext pair. Since Picnic is one of the alternate third-round candidates in NIST post-quantum cryptography standardization process, it has become urgent and important to evaluate the security of LowMC in the Picnic setting. The best attacks on LowMC with full S-box layers used in Picnic3 were achieved with Dinur’s algorithm. For LowMC with partial nonlinear layers, e.g. 10 S-boxes per round adopted in Picnic2, the best attacks on LowMC were published by Banik et al. with the meet-in-the-middle (MITM) method.
In this paper, we improve the attacks on LowMC in a model where memory consumption is costly. First, a new attack on 3-round LowMC with full S-box layers with negligible memory complexity is found, which can outperform Bouillaguet et al.’s fast exhaustive search attack and can achieve better time-memory tradeoffs than Dinur’s algorithm. Second, we extend the 3-round attack to 4 rounds to significantly reduce the memory complexity of Dinur’s algorithm at the sacrifice of a small factor of time complexity. For LowMC instances with 1 S-box per round, our attacks are shown to be much faster than the MITM attacks. For LowMC instances with 10 S-boxes per round, we can reduce the memory complexity from 32GB (238 bits) to only 256KB (221 bits) using our new algebraic attacks rather than the MITM attacks, while the time complexity of our attacks is about 23.2 ∼ 25 times higher than that of the MITM attacks. A notable feature of our new attacks (apart from the 4-round attack) is their simplicity. Specifically, only some basic linear algebra is required to understand them and they can be easily implemented.

We analyze how fast we can solve general systems of multivariate equations of various low degrees over \({\mathbb{F}_{2}}\); this is a well known hard problem which is important both in itself and as part of many types of algebraic cryptanalysis. Compared to the standard exhaustive search technique, our improved approach is more efficient both asymptotically and practically. We implemented several optimized versions of our techniques on CPUs and GPUs. Our technique runs more than 10 times faster on modern graphic cards than on the most powerful CPU available. Today, we can solve 48+ quadratic equations in 48 binary variables on a 500-dollar NVIDIA GTX 295 graphics card in 21 minutes. With this level of performance, solving systems of equations supposed to ensure a security level of 64 bits turns out to be feasible in practice with a modest budget. This is a clear demonstration of the computational power of GPUs in solving many types of combinatorial and cryptanalytic problems.

In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidences that our method brings a significant improvement in a very large context and we clearly define its limitations. The efficiency depends on the choice of the tradeoff. Our analysis gives an explicit way to choose the best tradeoff as well as an approximation. From our analysis, we present a new general algorithm to solve multivariate polynomial systems. Our theoretical results are experimentally supported by successful cryptanalysis of several multivariate schemes (TRMS, UOV, . . .). As a proof of concept, we were able to break the proposed parameters assumed to be secure until now. Parameters that resists to our method are also explicitly given. Our work permits to refine the parameters to be choosen for multivariate schemes.

According to a folk theorem, every program can be trans-formed into a program that produces the same output and only has one loop. We generalize this to a form where the resulting program has one loop and no other branches than the one associated with the loop con-trol. For this branch, branch prediction is easy even for a static branch predictor. If the original program is of length κ, measured in the number of assembly-language instructions, and runs in t(n) time for an input of size n, the transformed program is of length O(κ) and runs in O(κt(n)) time. Normally sorting programs are short, but still κ may be too large for practical purposes. Therefore, we provide more efficient hand-tailored heapsort and mergesort programs. Our programs retain most features of the original programs—e.g. they perform the same number of element comparisons—and they induce O(1) branch mispredictions. On comput-ers where branch mispredictions were expensive, some of our programs were, for integer data and small instances, faster than the counterparts in the GNU implementation of the C++ standard library.

The security of many recently proposed cryptosystems is based on the difficulty of solving large systems of quadratic multivariate polynomial equations. This problem is NP-hard over any field. When the number of equations m is the same as the number of unknowns n the best known algorithms are exhaustive search for small fields, and a Gröbner base algorithm for large fields. Gröbner base algorithms have large exponential complexity and cannot solve in practice systems with n ≥ 15. Kipnis and Shamir [9] have recently introduced a new algorithm called “relinearization”. The exact complexity of this algorithm is not known, but for sufficiently overdefined systems it was expected to run in polynomial time.
In this paper we analyze the theoretical and practical aspects of relinearization. We ran a large number of experiments for various values of n and m, and analysed which systems of equations were actually solvable. We show that many of the equations generated by relinearization are linearly dependent, and thus relinearization is less efficient that one could expect. We then develop an improved algorithm called XL which is both simpler and more powerful than relinearization. For all 0 < ε ≤ 1/2, and m ≥ εn
2, XL and relinearization are expected to run in polynomial time of approximately \(
n^{\mathcal{O}(1/\sqrt \varepsilon )}
\). Moreover, we provide strong evidence that relinearization and XL can solve randomly generated systems of polynomial equations in subexponential time when m exceeds n by a number that increases slowly with n.

The security of several recent digital signature schemes is based on the difficulty of solving large systems of quadratic multivariate polynomial equations over a finite field F. This problem, sometimes called MQ, is known to be NP-hard. When the number m of equations is equal to the number n of variables, and if n < 15, Gröbner base algorithms have been applied to solve MQ. In the overdefined case n 《 m, the techniques of relinearization and XL, due to A. Shamir et. al., have shown to be successful for solving MQ. In signature schemes, we usually have n 》 m. For example signature schemes Flash and Sflash submitted to Nessie call for primitives or the UOV scheme published at Eurocrypt 1999. Little is known about the security of such underdefined systems. In this paper, three new and different methods are presented for solving underdefined multivariate systems of quadratic equations. As already shown at Eurocrypt 1999, the problem MQ becomes polynomial when n ≥ m(m+1) for fields F of characteristic 2. We show that for any field, for about n ≥ 2m/7(m + 1), exponential but quite small in practice, the problem becomes polynomial in n.
When n → m the complexity of all our 3 algorithms tends to q
m. However for practical instances of cryptosystems with n ≈ O(m), we show how to achieve complexities significantly lower than exhaustive search. For example we are able break Unbalanced Oil and Vinegar signature schemes for some “bad” choices of the parameters (but not for the parameters proposed in [4]).

Andreas Björklund, Petteri Kaski, and Ryan Williams; licensed under Creative Commons License CC-BY We consider the problem of finding solutions to systems of polynomial equations over a finite field. Lokshtanov et al. [SODA'17] recently obtained the first worst-case algorithms that beat exhaustive search for this problem. In particular for degree-d equations modulo two in n variables, they gave an O∗2(1−1/(5d))n time algorithm, and for the special case d = 2 they gave an O∗20.876n time algorithm. We modify their approach in a way that improves these running times to O∗2(1−1/(27d))n and O∗20.804n, respectively. In particular, our latter bound - that holds for all systems of quadratic equations modulo 2 - comes close to the O∗20.792n expected time bound of an algorithm empirically found to hold for random equation systems in Bardet et al. [J. Complexity, 2013]. Our improvement involves three observations: 1. The Valiant-Vazirani lemma can be used to reduce the solution-finding problem to that of counting solutions modulo 2. 2. The monomials in the probabilistic polynomials used in this solution-counting modulo 2 have a special form that we exploit to obtain better bounds on their number than in Lokshtanov et al. [SODA'17]. 3. The problem of solution-counting modulo 2 can be “embedded” in a smaller instance of the original problem, which enables us to apply the algorithm as a subroutine to itself.

At SODA 2017 Lokshtanov et al. presented the first worst-case algorithms with exponential speedup over exhaustive search for solving polynomial equation systems of degree d in n variables over finite fields. These algorithms were based on the polynomial method in circuit complexity which is a technique for proving circuit lower bounds that has recently been applied in algorithm design. Subsequent works further improved the asymptotic complexity of polynomial method-based algorithms for solving equations over the field F2. However, the asymptotic complexity formulas of these algorithms hide significant low-order terms, and hence they outperform exhaustive search only for very large values of n. In this paper, we devise a concretely efficient polynomial method-based algorithm for solving multivariate equation systems over F2. We analyze our algorithm’s performance for solving random equation systems, and bound its complexity by about n2·20.815n bit operations for d=2 and n2·21-1/2.7dn for any d≥2. We apply our algorithm in cryptanalysis of recently proposed instances of the Picnic signature scheme (an alternate third-round candidate in NIST’s post-quantum standardization project) that are based on the security of the LowMC block cipher. Consequently, we show that 2 out of 3 new instances do not achieve their claimed security level. As a secondary application, we also improve the best-known preimage attacks on several round-reduced variants of the Keccak hash function. Our algorithm combines various techniques used in previous polynomial method-based algorithms with new optimizations, some of which exploit randomness assumptions about the system of equations. In its cryptanalytic application to Picnic, we demonstrate how to further optimize the algorithm for solving structured equation systems that are constructed from specific cryptosystems.

After initial publication of the book, various errors were identified that needed correction. The following corrections have been updated within the current version, along with all known typographical errors.

We consider the problem of solving systems of multivariate polynomial equations of degree k over a finite field. For every integer k ≤ 2 and finite field q where q = pd for a prime p, we give, to the best of our knowledge, the first algorithms that achieve an exponential speedup over the brute force O(qⁿ) time algorithm in the worst case. We present two algorithms, a randomized algorithm with running time qn+o(n) · q−n/O(k) time if q < 24ekd, and otherwise, where e = 2.718… is Napier's constant, and a deterministic algorithm for counting solutions with running time qn+o(n) · q−n/O(kq6/7d). For the important special case of quadratic equations in F2, our randomized algorithm has running time O(20.8765n).
For systems over 2 we also consider the case where the input polynomials do not have bounded degree, but instead can be efficiently represented as a ΣΠΣ circuit, i.e., a sum of products of sums of variables. For this case we present a deterministic algorithm running in time 2n-dn for δ = 1/O(log(s/n)) for instances with s product gates in total and n variables.
Our algorithms adapt several techniques recently developed via the polynomial method from circuit complexity. The algorithm for systems of ΣΠΣ polynomials also introduces a new degree reduction method that takes an instance of the problem and outputs a subexponential-sized set of instances, in such a way that feasibility is preserved and every polynomial among the output instances has degree O(log(s/n)).

This paper presents MQDSS, the first signature scheme with a security reduction based on the problem of solving a multivariate system of quadratic equations (\(\mathcal {MQ}\) problem). In order to construct this scheme we give a new security reduction for the Fiat-Shamir transform from a large class of 5-pass identification schemes and show that a previous attempt from the literature to obtain such a proof does not achieve the desired goal. We give concrete parameters for MQDSS and provide a detailed security analysis showing that the resulting instantiation MQDSS-31-64 achieves 128 bits of post-quantum security. Finally, we describe an optimized implementation of MQDSS-31-64 for recent Intel processors with full protection against timing attacks and report benchmarks of this implementation.

We study the complexity of Gr\"obner bases computation, in particular in the
generic situation where the variables are in simultaneous Noether position with
respect to the system.
We give a bound on the number of polynomials of degree d in a Gr\"obner basis
computed by Faug\`ere's F5 algorithm (Fau02) in this generic case for the
grevlex ordering (which is also a bound on the number of polynomials for a
reduced Gr\"obner basis), and use it to bound the exponent of the complexity of
the F5 algorithm.

This paper introduces a new efficient algorithm for computin g Grobner bases. To avoid as much as possible intermediate computation, the algorithm computes successive truncated Grobner bases and it replaces the classical polynomial reduction found in the Buchberger algorithm by the simultaneous reduction of several polynomials. This powerful reduction mechanism is achieved by means of a symbolic precomputation and by extensive use of sparse linear algebra methods. Current techniques in linear algebra used in Computer Al- gebra are reviewed together with other methods coming from the numerical field. Some previously untractable problems (Cyclic 9) are presented as well as an empirical comparison of a first implementation of this algorithm with other well kn own programs. This compari- son pays careful attention to methodology issues. All the benchmarks and CPU times used in this paper are frequently updated and available on a Web page. Even though the new algorithm does not improve the worst case complexity it is several times faster than previous implementations both for integers and modulo computations.

This paper introduces a new efficient algorithm for computing Gröbner bases. We replace the Buchberger criteria by an optimal criteria. We give a proof that the resulting algorithm (called F5) generates no useless critical pairs if the input is a regular sequence. This a new result by itself but a first implementation of the algorithm F5 shows that it is also very efficient in practice: for instance previously untractable problems can be solved (cyclic 10). In practice for most examples there is no reduction to zero. We illustrate this algorithm by one detailed example.

In [16], J. Patarin designed a new scheme, called “Oil and Vinegar”, for computing asymmetric signatures. It is very simple, can be computed very fast (both in secret and public key) and requires very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in n unknowns called “oil” and v = n unknowns called “vinegar” over a finite field K, with linear secret functions. This original scheme was broken in [10] by A. Kipnis and A. Shamir. In this paper, we study some very simple variations of the original scheme where v > n (instead of v = n). These schemes are called “Unbalanced Oil and Vinegar” (UOV), since we have more “vinegar” unknowns than “oil” unknowns. We show that, when v ⋍ n, the attack of [10] can be extended, but when v ≥ 2n for example, the security of the scheme is still an open problem. Moreover, when \(
v \simeq \tfrac{{n^2 }}
{2}\)
, the security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to the problem of solving a random set of n quadratic equations in \(
\tfrac{{n^2 }}
{2}\) unknowns (with no trapdoor). However, we show that (in characteristic 2) when v ≥ n
2, finding a solution is generally easy. Then we will see that it is very easy to combine the Oil and Vinegar idea and the HFE schemes of [14]. The resulting scheme, called HFEV, looks at the present also very interesting both from a practical and theoretical point of view. The length of a UOV signature can be as short as 192 bits and for HFEV it can be as short as 80 bits.

In this paper, we review and explain the existing algebraic cryptanalysis of multivariate cryptosystems from the hidden field equation (HFE) family. These cryptanalysis break cryptosystems in the HFE family by solving multivariate systems of equations. In this paper we present a new and efficient attack of this cryptosystem based on fast algorithms for computing Gröbner basis. In particular it was was possible to break the first HFE challenge (80 bits) in only two days of CPU time by using the new algorithm F5 implemented in C.
From a theoretical point of view we study the algebraic properties of the equations produced by instance of the HFE cryptosystems and show why they yield systems of equations easier to solve than random systems of quadratic equations of the same sizes. Moreover we are able to bound the maximal degree occuring in the Gröbner basis computation.
As a consequence, we gain a deeper understanding of the algebraic cryptanalysis against these cryptosystems. We use this understanding to devise a specific algorithm based on sparse linear algebra. In general, we conclude that the cryptanalysis of HFE can be performed in polynomial time. We also revisit the security estimates for existing schemes in the HFE family.

XL was first introduced to solve determined or overdetermined systems of equations over a finite field as an “algebraic attack” against multivariate cryptosystems. There has been a steady stream of announcements of cryptanalysis of primitives by such attacks, including stream ciphers (e.g. Toyocrypt), PKC’s, and more controversially block ciphers (AES/Rijndael and Serpent). Prior discussions of XL are usually heavy in simulations, which are of course valuable but we would like more attention to theory, because theory and simulations must validate each other, and there are some nuances not easily discerned from simulations. More effort was made in this direction of recent, but much of it was restricted to a large base field of size q, which is usually equal to 2 k . By conducting an analysis of XL variants in general, we try to derive rigorous “termination conditions”, minimal degree requirements for reliable, successful operation of XL and its relatives, hence better security estimates. Our work is applicable to small q, in particular the significant q=2 case. Armed with this analysis, we reexamine previously announced results. We conclude that XL and variants represent a theoretical advance that is especially significant over small fields (in particular over GF(2)). However, its applicability and efficacy are occasionally overestimated slightly. We discuss possible future research directions. Much remains to be done.

In the rst of two papers on Magma, a new system for computational algebra, we present the Magma language, outline the design principles and theoretical background, and indicate its scope and use. Particular attention is given to the constructors for structures, maps, and sets. c 1997 Academic Press Limited Magma is a new software system for computational algebra, the design of which is based on the twin concepts of algebraic structure and morphism. The design is intended to provide a mathematically rigorous environment for computing with algebraic struc- tures (groups, rings, elds, modules and algebras), geometric structures (varieties, special curves) and combinatorial structures (graphs, designs and codes). The philosophy underlying the design of Magma is based on concepts from Universal Algebra and Category Theory. Key ideas from these two areas provide the basis for a gen- eral scheme for the specication and representation of mathematical structures. The user language includes three important groups of constructors that realize the philosophy in syntactic terms: structure constructors, map constructors and set constructors. The util- ity of Magma as a mathematical tool derives from the combination of its language with an extensive kernel of highly ecient C implementations of the fundamental algorithms for most branches of computational algebra. In this paper we outline the philosophy of the Magma design and show how it may be used to develop an algebraic programming paradigm for language design. In a second paper we will show how our design philoso- phy allows us to realize natural computational \environments" for dierent branches of algebra. An early discussion of the design of Magma may be found in Butler and Cannon (1989, 1990). A terse overview of the language together with a discussion of some of the implementation issues may be found in Bosma et al. (1994).

A fundamental problem in computer science is to find all the common zeroes of
$m$ quadratic polynomials in $n$ unknowns over $\mathbb{F}_2$. The
cryptanalysis of several modern ciphers reduces to this problem. Up to now, the
best complexity bound was reached by an exhaustive search in $4\log_2 n\,2^n$
operations. We give an algorithm that reduces the problem to a combination of
exhaustive search and sparse linear algebra. This algorithm has several
variants depending on the method used for the linear algebra step. Under
precise algebraic assumptions on the input system, we show that the
deterministic variant of our algorithm has complexity bounded by
$O(2^{0.841n})$ when $m=n$, while a probabilistic variant of the Las Vegas type
has expected complexity $O(2^{0.792n})$. Experiments on random systems show
that the algebraic assumptions are satisfied with probability very close to~1.
We also give a rough estimate for the actual threshold between our method and
exhaustive search, which is as low as~200, and thus very relevant for
cryptographic applications.

In [6] T. Matsumoto and H. Imai described a new asymmet- ric algorithm based on multivariate polynomials of degree two over a finite field, which was subsequently broken in [9]. Here we present two new families of Asymmetric Algorithms that so far have resisted all at- tacks, if properly used: Hidden Field Equations (HFE) and Isomorphism of Polynomials (IP). These algorithms can be seen as two candidate ways to repair the Matsumoto-Imai Algorithm. HFE can be used to do sig- natures, encryption or authentication in an asymmetric way, with very short signatures and short encryptions of short messages. IP can be used for signatures and for zero knowledge authentication.
An extended version of this paper can be obtained from the author. Another way to repair the Matsumoto-Imai Algorithm will be presented in [10].

GeMSS: A Great Multivariate Short Signature

- Antoine Casanova
- Jean-Charles Faugère
- Gilles Macario-Rat
- Jacques Patarin
- Ludovic Perret
- Jocelyn Ryckeghem

Antoine Casanova, Jean-Charles Faugère, Gilles Macario-Rat, Jacques Patarin, Ludovic Perret, and Jocelyn
Ryckeghem. GeMSS: A Great Multivariate Short Signature. Research report, UPMC -Paris 6 Sorbonne Universités
; INRIA Paris Research Centre, MAMBA Team, F-75012, Paris, France ; LIP6 -Laboratoire d'Informatique de Paris
6, December 2017. URL: https://hal.inria.fr/hal-01662158.

A Crossbred Algorithm for Solving Boolean Polynomial Systems

- Antoine Joux
- Vanessa Vitse

Antoine Joux and Vanessa Vitse. A Crossbred Algorithm for Solving Boolean Polynomial Systems. In NuTMiC,
volume 10737 of Lecture Notes in Computer Science, pages 3-21. Springer, 2017. https://eprint.iacr.org/2017/
372.pdf.