On the last fall degree of zero-dimensional Weil descent systems

TL;DR

This paper introduces a new theoretical approach based on the last fall degree to analyze the complexity of solving zero-dimensional polynomial systems via Weil descent, with implications for cryptographic systems like multi-HFE.

Contribution

It provides an upper bound on the last fall degree of Weil descent systems that depends on certain parameters but not on the extension degree, showing potential for efficient solving.

Findings

Weil descent systems can be solved efficiently as n grows.

Multi-HFE cryptosystem is shown to be insecure under this analysis.

Degree of regularity may depend on n for certain systems.

Abstract

In this article we will discuss a new, mostly theoretical, method for solving (zero-dimensional) polynomial systems, which lies in between Gr\"obner basis computations and the heuristic first fall degree assumption and is not based on any heuristic. This method relies on the new concept of last fall degree. Let $k$ be a finite field of cardinality $q^n$ and let $k'$ be its subfield of cardinality $q$. Let $\mathcal{F} \subset k[X_0,\ldots,X_{m-1}]$ be a finite subset generating a zero-dimensional ideal. We give an upper bound of the last fall degree of the Weil descent system of $\mathcal{F}$, which depends on $q$, $m$, the last fall degree of $\mathcal{F}$, the degree of $\mathcal{F}$ and the number of solutions of $\mathcal{F}$, but not on $n$. This shows that such Weil descent systems can be solved efficiently if $n$ grows. In particular, we apply these results for multi-HFE and essentially show that multi-HFE is insecure. Finally, we discuss that the degree of regularity (or last fall degree) of Weil descent systems coming from summation polynomials to solve the elliptic curve discrete logarithm problem might depend on $n$, since such systems without field equations are not zero-dimensional.