On the Complexity of Solving Quadratic Boolean Systems

TL;DR

This paper introduces a new algorithm for solving quadratic Boolean systems over _2, reducing complexity from exhaustive search to a more efficient combination of search and linear algebra, with implications for cryptanalysis.

Contribution

The authors present an algorithm that improves the complexity bounds for solving quadratic Boolean systems, combining exhaustive search with sparse linear algebra under certain algebraic assumptions.

Findings

Deterministic complexity bounded by O(2^{0.841n}) for m=n.

Probabilistic Las Vegas variant has expected complexity O(2^{0.792n}).

Experiments confirm algebraic assumptions hold with high probability.

Abstract

A fundamental problem in computer science is to find all the common zeroes of $m$ quadratic polynomials in $n$ unknowns over $\mathbb{F}_2$. The cryptanalysis of several modern ciphers reduces to this problem. Up to now, the best complexity bound was reached by an exhaustive search in $4\log_2 n\,2^n$ operations. We give an algorithm that reduces the problem to a combination of exhaustive search and sparse linear algebra. This algorithm has several variants depending on the method used for the linear algebra step. Under precise algebraic assumptions on the input system, we show that the deterministic variant of our algorithm has complexity bounded by $O(2^{0.841n})$ when $m=n$, while a probabilistic variant of the Las Vegas type has expected complexity $O(2^{0.792n})$. Experiments on random systems show that the algebraic assumptions are satisfied with probability very close to~1. We also give a rough estimate for the actual threshold between our method and exhaustive search, which is as low as~200, and thus very relevant for cryptographic applications.