Polynomial XL: A Variant of the XL Algorithm Using Macaulay Matrices over Polynomial Rings
share
Solving a system of m multivariate quadratic equations in n variables (the ℳQ problem) is one of the main challenges of algebraic cryptanalysis. The XL algorithm (XL for short) is a major approach for solving the ℳQ problem with linearization over a coefficient field. Furthermore, the hybrid approach with XL (h-XL) is a variant of XL guessing some variables beforehand. In this paper, we present a variant of h-XL, which we call the polynomial XL (PXL). In PXL, the whole n variables are divided into k variables to be fixed and the remaining n-k variables as "main variables", and we generate the Macaulay matrix with respect to the n-k main variables over a polynomial ring of the k variables. By eliminating some columns of the Macaulay matrix over the polynomial ring before guessing k variables, the amount of manipulations required for each guessed value can be reduced. Our complexity analysis indicates that PXL is efficient on the system with n ≈ m. For example, on systems over 𝔽_2^8 with n=m=80, the number of manipulations required by the hybrid approaches with XL and Wiedemann XL and PXL is estimated as 2^252, 2^234, and 2^220, respectively.
READ FULL TEXT