A geometric view of cryptographic equation solving

The apparent difficulty of finding a solution to a set of multivariate quadratic equations underlies the security of multivariate cryptography and can present an impediment to the successful application of algebraic attacks. Methods for finding such a solution are thus of considerable interest for the purposes of cryptanalysis. Several algebraic techniques for solving systems of multivariate quadratic equations have been proposed in the literature, including Relinearization [2] and the XL algorithm [1]. In this talk we show that considering the underlying geometry can provide additional insight into the behaviour of such techniques. Suppose that S = {f1, f2, . . . , fm} is a set of m homogeneous quadratic equations in n + 1 variables (x0, x1, . . . , xn) with a finite (up to scalar multiplication) number of common solutions over the algebraic closure of some finite field GF(q). The equation fi(x0, x1, . . . , xn) = 0 describes a (nonempty) set of points in the n-dimensional projective space over GF(q), referred to as a quadric; points that lie on all m quadrics correspond to solutions of the system of equations. Consider a change of coordinates induced by some invertible (n + 1)× (n + 1) matrix M with entries from GF(q) that sends a point P to the point M ·P . Such a transformation does not affect the behaviour of the system of quadrics: for instance, the number of common solutions is unaffected. This suggests that it might make sense to consider methods for solving such systems whose behaviour, like that of the system itself, does not depend on the choice of coordinates. The XL algorithm for solving a set S of quadratic equations involves finding a bivariate polynomial in the ideal generated by the polynomials of S, which is then factored in an attempt to find information about any solutions to the system. (We note that the orignal XL paper was phrased in terms of nonhomogeneous equations and finding a univariate equation in