
A multistep strategy for polynomial system solving over finite fields and a new algebraic attack on the stream cipher Trivium

Roberto La Scala, Federico Pintore, Sharwan K. Tiwari, Andrea Visconti

TL;DR

The paper introduces MultiSolve, a multistep generalization of the guess-and-determine strategy for solving multivariate polynomial systems over finite fields. By evaluating subsets of variables stepwise and preprocessing each evaluation with an incomplete Gröbner basis to extract linear eliminations, it reduces the number of full Gröbner basis computations and achieves optimal complexity when the maximum number of steps is used. The approach is instantiated in an algebraic attack on the Trivium stream cipher, where the average complexity improves over prior attacks, though it remains above brute force on the private key. The work also provides a probabilistic framework for estimating solving complexity from test sets of evaluations, offering a flexible tool for cryptanalysis and security assessment of polynomial-system-based cryptosystems.

Abstract

In this paper we introduce a multistep generalization of the guess-and-determine (or hybrid) strategy for solving a system of multivariate polynomial equations over a finite field. In particular, we propose performing the exhaustive evaluation of a subset of variables stepwise, that is, by incrementing the size of this subset each time an evaluation leads to a polynomial system that is possibly infeasible to solve. The decision about which evaluation to extend is based on a preprocessing step consisting of computing an incomplete Gröbner basis after the current evaluation, which possibly generates linear polynomials that are used to eliminate further variables. If the number of remaining variables in the system is deemed still too high, the evaluation is extended and the preprocessing is iterated. Otherwise, we solve the system by a complete Gröbner basis computation. With cryptanalytic applications in mind, we present an implementation of this strategy in an algorithm called MultiSolve, which is designed for polynomial systems having at most one solution. We prove explicit formulas for its complexity which are based on probability distributions that can be easily estimated by performing the proposed preprocessing on a test set of evaluations for different subsets of variables. We prove that the optimal complexity of MultiSolve is achieved by using a full multistep strategy with the maximum number of steps and that, in turn, the standard guess-and-determine strategy, which is essentially a strategy consisting of a single step, is the worst choice. Finally, we extensively study the behaviour of MultiSolve when performing an algebraic attack on the well-known stream cipher Trivium.

Paper Structure

This paper contains 10 sections, 12 theorems, 54 equations, 2 figures, 6 tables and 3 algorithms.

Key Result

Proposition 2.1

Let $J\subset R$ be an ideal. We have that $V(L) = {\mathbb F}^n$ and $V_{\mathbb F}(J) = V(J + L)$ where $J + L$ is a radical ideal of $R$.

Figures (2)

  • Figure 1: One-step complexity vs. multistep complexity (worst case)
  • Figure 2: Multistep complexity (worst case) vs. multistep complexity (average case)

Theorems & Definitions (22)

  • Proposition 2.1
  • Proposition 2.2
  • Proposition 2.3
  • Proposition 2.4
  • proof
  • Proposition 2.5
  • proof
  • Proposition 2.6
  • proof
  • Proposition 4.1
  • ...and 12 more