2004
DOI: 10.1007/978-3-540-30191-2_31

On Asymptotic Security Estimates in XL and Gröbner Bases-Related Algebraic Cryptanalysis

Abstract: "Algebraic Cryptanalysis" against a cryptosystem often comprises finding enough relations that are generally or probabilistically valid, then solving the resultant system. The security of many schemes (most important being AES) thus depends on the difficulty of solving multivariate polynomial equations. Generically, this is NP-hard. The related methods of XL (eXtended Linearization), Gröbner Bases, and their variants (of which a large number has been proposed) form a unified approach to solving equat…

Citations: cited by 49 publications (36 citation statements)
References: 29 publications
“…For example, a system of 256 polynomial equations of degree $d = 16$ in $n = 256$ variables over GF(2) is expected to have a unique solution, but in order to find it by linearization we have to increase the number of equations to the number of possible terms in these equations, which is about $n^d = 2^{128}$. There are several improved algorithms such as XL and XSL (see [3], [4], [5], [6] and [7]) which reduce the number of required equations and the time and space complexities, but they are still completely impractical for such sizes.…”
Section: Introduction (mentioning)
confidence: 99%
“…Third degree polynomials over six variables can have $\binom{6}{3} + \binom{6}{2} + \binom{6}{1} + \binom{6}{0} = 42$ possible terms, and thus there are $2^{42}$ such polynomials over GF(2). To eliminate all the 35 possible nonlinear terms by Gauss elimination, we typically need 35 such polynomials.…”
Section: Introduction (mentioning)
confidence: 99%
“…By computing the exact value of the regularity degree, the conjectural running time still exceeds the brute force complexity for $n = 200$; see [1]. The best heuristic bound is of order $1.724^n$ [27], where the method was combined with variable guessing.…”
Section: Related Methods (mentioning)
confidence: 99%
“…As discussed in [10], [11], and [12], XSL would not be expected to outperform a good Gröbner basis algorithm such as F4. Thus, Magma's builtin F4 algorithm is used, rather than XSL.…”
Section: $GF(2^8)$ Attacks (mentioning)
confidence: 99%