All in the XL Family: Theory and Practice

摘要

The XL (EETENDED.LINEARIZATION) equation-solving algorithm belongs to the same extended family as the advanced Groebner Bases methods F_4/F_5. XL and its relatives may be used as direct attacks against multivariate Public-Key Cryptosystems and as final stages for many "algebraic cryptanalysis" used today. We analyze the applicability and performance of XL and its relatives, particularly for generic systems of equations over medium-sized finite fields. In examining the extended family of Groebner Bases and XL from theoretical, empirical and practical viewpoints, we add to the general understanding of equation-solving. Moreover, we give rigorous conditions for the successful termination of XL, Groebner Bases methods and relatives. Thus we have a better grasp of how such algebraic attacks should be applied. We also compute revised security estimates for multivariate cryptosystems. For example, the schemes SFLASH~(v2) and HFE Challenge 2 are shown to be unbroken by XL variants.