Solving Systems of Multivariate Quadratic Equations over Finite Fields or: From Relinearization to MutantXL

In this article we investigate algorithms for solving non-linear multivariate equations over nite elds and the relation between them. For non binary elds usually computing the Gröbner basis of the corresponding ideal is the best choice in this context. One class of algorithms is based on Buchberger's algorithm. Today's best algorithms like F4 and F5 belong to this class. Another strategy to solve such systems is called eXtended Linearization (XL) from Eurocrypt 2000. In the past both strategies were treated as di erent ideas and there was a heated discussion which of them to prefer. Since Ars et al. proved in 2004 that XL is a redundant version of F4, the latter seemed to be the winner. But that was not the end of the line as piece for piece the idea emerged that both classes are only di erent views on the same problem. We even think that they are just di erent time-memory optimizations. One indication to that can be found in the PhD of Albrecht, who introduced MatrixF5, a F5 version of XL. A second indication can be found in the PhD of Mohamed, who introduced a memory-friendly version of XL using Wiedemanns algorithm. We want to give further evidence by providing a theoretical analysis of MutantXL. We show that MutantXL solves at the same degree of regularity as its competitors F4 and F5 for most instances. Thereby we also con rm recent results of Albrecht, who showed that MutantXL is a redundant version of F4, i.e. it never solves below the degree of regularity of F4. We show that MutantXL has, compared to WiedemannXL, to pay its gain in e ciency with memory. To enhance the understanding of the whole XL-family of algorithms we give a full overview from Relinearization over XL to MutantXL and provide some additional theoretical insights. 2 Enrico Thomae, Christopher Wolf