# Operating Degrees for XL vs. F4/F5 for Generic $$\mathcal{M}Q$$ with Number of Equations Linear in That of Variables

• Jenny Yuan-Chun Yeh
• Chen-Mou Cheng
• Bo-Yin Yang
Chapter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8260)

## Abstract

We discuss the complexity of $$\mathcal{M}Q$$, or solving multivariate systems of m equations in n variables over the finite field $$\mathbb{F}_q$$ of q elements. $$\mathcal{M}Q$$ is an important hard problem in cryptography. In particular, the complexity to solve overdetermined $$\mathcal{M}Q$$ systems with randomly chosen coefficients when m = cn is related to the provable security of a number of cryptosystems.

In this context there are two basic approaches. One is to use XL (“eXtended Linearization”) with the solving step tailored to sparse linear algebra; the other is of the many variations of Jean-Charles Faugère’s F4/F5 algorithms.

Although F4/F5 has been the de facto standard in the cryptographic community, it was proposed (Yang-Chen, 2004) that XL with Sparse Solver may be superior in some cases, particularly the generic overdetermined case with m/n = c + o(1).

At the Steering Committee Meeting of the Post-Quantum Cryptography workshop in 2008, Johannes Buchmann listed several key research questions to all post-quantum cryptographers present. One problem in $$\mathcal{M}Q$$ -based cryptography, he noted, is “if the difference between the operating degrees of XL(-with-Sparse-Solver) and F4/F5 approaches can be accurately bounded for random systems.”

We answer in the affirmative when m/n = c + o(1), using Saddle Point analysis:

1. 1

For instances with randomly drawn coefficients, the degrees of operation of XL and F4/F5 has the most pronounced differential in the large-field, “barely overdetermined” (m − n = c) cases, where the discrepancy is $$\propto \sqrt n$$.

2. 2

In most other types of random systems with m/n = c + o(1), the expected difference in the operating degrees of XL and F4/F5 is constant which can be evaluated mathematically via asymptotic analysis.

Our conclusions are partially backed up using tests with Maple, MAGMA, and an XL implementation featuring Block Wiedemann as the sparse-matrix solver.

## Keywords

sparse solver Gröbner basis XL MQ asymptotic analysis F4 F5

## References

1. 1.
Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proceedings of the International Conference on Polynomial System Solving, pp. 71–74 (2004); Previously INRIA report RR-5049Google Scholar
2. 2.
Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic expansion of the degree of regularity for semi-regular systems of equations. In: Gianni, P. (ed.) MEGA 2005, Sardinia, Italy (2005)Google Scholar
3. 3.
Bardet, M., Faugère, J.-C., Salvy, B., Spaenlehauer, P.-J.: On the complexity of solving quadratic boolean systems. Journal of Complexity 29(1), 53–75 (2013) ISSN 0885-064XGoogle Scholar
4. 4.
Berbain, C., Gilbert, H., Patarin, J.: QUAD: A practical stream cipher with provable security. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 109–128. Springer, Heidelberg (2006)Google Scholar
5. 5.
Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post Quantum Cryptography, 1st edn. Springer (2008) ISBN 3-540-88701-6Google Scholar
6. 6.
Bettale, L., Faugère, J.-C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. Journal of Mathematical Cryptology 3(3), 177–197 (2010)Google Scholar
7. 7.
Bouillaguet, C., Chen, H.-C., Cheng, C.-M., Chou, T., Niederhagen, R., Shamir, A., Yang, B.-Y.: Fast exhaustive search for polynomial systems in F 2. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 203–218. Springer, Heidelberg (2010)Google Scholar
8. 8.
Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, Innsbruck (1965)Google Scholar
9. 9.
Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Solving quadratic equations with xl on parallel architectures. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 356–373. Springer, Heidelberg (2012)Google Scholar
10. 10.
Chester, C., Friedman, B., Ursell, F.: An extension of the method of steepest descents. Proceedings of Cambridge Philosophical Society 53, 599–611 (1957)Google Scholar
11. 11.
Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block wiedemann algorithm. Mathematics of Computation 62(205), 333–350 (1994)Google Scholar
12. 12.
Courtois, N.T., Klimov, A.B., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000), http://www.minrank.org/xlfull.pdf
13. 13.
Diem, C.: The XL-algorithm and a conjecture from commutative algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323–337. Springer, Heidelberg (2004)Google Scholar
14. 14.
Ding, J., Buchmann, J., Mohamed, M.S.E., Mohamed, W.S.A.E., Weinmann, R.-P.: Mutant XL. In: talk at the First International Conference on Symbolic Computation and Cryptography (SCC 2008), Beijing (2008)Google Scholar
15. 15.
Ding, J., Yang, B.-Y., Chen, C.-H.O., Chen, M.-S., Cheng, C.-M.: New differential-algebraic attacks and reparametrization of rainbow. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 242–257. Springer, Heidelberg (2008), http://eprint.iacr.org/2008/108
16. 16.
Faugère, J.-C.: Solving efficiently structured polynomial systems and applications in cryptology (September 2011), http://ecc2011.loria.fr/slides/faugere.pdf; Talk at ECC 2011, 9:30 AM (September 20, 2011)
17. 17.
Gao, S., Guan, Y., Volny, F.: A new incremental algorithm for computing groebner bases. In: Koepf, W. (ed.) ISSAC, pp. 13–19. ACM (2010)Google Scholar
18. 18.
Joux, A., Vitse, V.: A variant of the F4 algorithm. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 356–375. Springer, Heidelberg (2011)Google Scholar
19. 19.
Lazard, D.: Gröbner-bases, Gaussian elimination and resolution of systems of algebraic equations. In: EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (March 1983)Google Scholar
20. 20.
Lupanov, O.B.: On rectifier and contact-rectifier circuits. Akademii Nauk SSSR 111, 1171–1174 (1956) ISSN 0002ąV3264Google Scholar
21. 21.
MAGMA project, Computational Algebra Group, University of Sydney. The MAGMA computational algebra system for algebra, number theory and geometry, http://magma.maths.usyd.edu.au/magma/
22. 22.
Mohamed, M.S.E., Cabarcas, D., Ding, J., Buchmann, J., Bulygin, S.: MXL3: An efficient algorithm for computing Gröbner bases of zero-dimensional ideals. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 87–100. Springer, Heidelberg (2010)Google Scholar
23. 23.
Mohamed, M.S.E., Mohamed, W.S.A.E., Ding, J., Buchmann, J.: MXL2: Solving Polynomial Equations over GF(2) using an improved mutant strategy. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 203–215. Springer, Heidelberg (2008)Google Scholar
24. 24.
Mohamed, W.S.A., Ding, J., Kleinjung, T., Bulygin, S., Buchmann, J.: PWXL: A parallel Wiedemann-XL algorithm for solving polynomial equations over GF(2). In: Cid, C., Faugère, J.-C. (eds.) Proceedings of the 2nd International Conference on Symbolic Computation and Cryptography, pp. 89–100 (June 2010)Google Scholar
25. 25.
Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE Transactions on Information Theory, IT-32(1), 54–62 (1976)Google Scholar
26. 26.
Williams, V.V.: Breaking the Coppersmith-Winograd barrier (2011), www.cs.berkeley.edu/~virgi/matrixmult.pdf
27. 27.
Yang, B.-Y., Chen, J.-M.: All in the XL family: Theory and practice. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005)Google Scholar
28. 28.
Yang, B.-Y., Chen, J.-M.: Theoretical analysis of XL over small fields. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 277–288. Springer, Heidelberg (2004)Google Scholar
29. 29.
Yang, B.-Y., Chen, J.-M., Courtois, N.T.: On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004)Google Scholar
30. 30.
Yang, B.-Y., Chen, O.C.-H., Bernstein, D.J., Chen, J.-M.: Analysis of QUAD. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 290–308. Springer, Heidelberg (2007)
31. 31.
Yang, B.-Y., Chen, O.C.-H., Chen, J.-M.: The limit of XL implemented with sparse matrices. In: Workshop Record, PQCrypto Workshop, Leuven (2006), http://postquantum.cr.yp.to/pqcrypto2006record.pdf

## Authors and Affiliations

• Jenny Yuan-Chun Yeh
• 1
• Chen-Mou Cheng
• 1
• Bo-Yin Yang
• 1