Solving underdetermined system of quadratic equations over GF(2)

asked 2018-07-05 17:21:25 +0100

Chewie

updated 2018-07-05 23:06:36 +0100

tmonteil

Hi folks!

All of the following operations are done over GF(2).

I want to introduce you to my problem with a little example: I have two algebraic expressions of the keystream bits Z0 and Z1 of a stream cipher. The algebraic expressions just consist of key bits (key bits are named with X). For example:



In this little example we have m = 2 = number_of_equations and n = 13 = number_of_unknown_variables. If I would now have knowledge about the Z0 and Z1 bits (e.g. Z0 = Z1 = 0), it must be possible to gain knowledge about key bits again by solving this underdetermined system of equations. My normal approach would be guessing 11 of the 13 and trying to solve the equation system for the unknown 2. If the system has a solution I know that could be the right answer.

At the moment my sage script says the following:

F = GF(2)  # Define the Galois field

M = Matrix(F, [[0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0]])  # Define the equation system

v = vector(F, (0, 0))  # Define vector for solve_right()


My abstract algorithm is the following to make it more clear:

for all 2^13 possible values:

  1. Guess variables till m = n.
  2. Try to solve the system. If system has a solution, save it.

How would I get the guessing of the variables realized in a smart way (matrix syntax or symbolic syntax?), so that all possible values of the variables are guessed automatically, and what would be the normal approach for that problem?

A little syntax example will be appreciated!

Greetings Chewie



Could you please provide the actual equations, not the toy ones, which are linear?

tmonteil ( 2018-07-06 00:03:09 +0100 )

Hi, these are the real first 17 keystream bit equations,

m: 17
n_s (Number variables single occurrences): 38
n_m (Number variables multiple occurrences): 31
n_o (Number of variables overall): 69

Z14=X70+X57+X45+X24+X18+X16+X15 ...
Chewie ( 2018-07-06 10:35:38 +0100 )

I just wanted to make it as simple as it could be at first with just two linear equations. If that works, it shouldn't be that hard to expand the working example. That was the reason why I just posted the first two linear equations of the system. With my guessing approach, I think it should also be possible to find a possible solution but just considering the first two equations.

Greetings Chewie

Chewie ( 2018-07-06 10:49:00 +0100 )
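The guess-and-solve idea from the question, for the linear toy system only, as an added example that is not part of the original thread or of Sage. It is plain Python on 0/1 lists and goes one step beyond the question's outline: it eliminates once over GF(2), guesses only the free variables, and derives the pivot variables from each guess, so no guess leads to an unsolvable system. The names `rref_gf2`, `all_solutions` and `check` are assumptions of this example.

```python
from itertools import product

# Toy system from the question: row i holds the coefficients of the X bits in Z_i.
A = [[0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1],
     [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0]]
Z = [0, 0]  # observed keystream bits Z0, Z1

def rref_gf2(A, b):
    """Gauss-Jordan elimination of [A | b] over GF(2).
    Returns (reduced rows, pivot columns), or None if the system is inconsistent."""
    m, n = len(A), len(A[0])
    aug = [list(row) + [bit] for row, bit in zip(A, b)]
    pivots = []
    for c in range(n):
        r = len(pivots)
        p = next((i for i in range(r, m) if aug[i][c]), None)
        if p is None:
            continue  # no pivot in this column: variable c is free
        aug[r], aug[p] = aug[p], aug[r]
        for i in range(m):
            if i != r and aug[i][c]:
                aug[i] = [(x + y) % 2 for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
    if any(row[n] for row in aug[len(pivots):]):
        return None  # a reduced row reads 0 = 1
    return aug[:len(pivots)], pivots

def all_solutions(A, b):
    """Yield every solution: guess the free variables, derive the pivot ones."""
    reduced = rref_gf2(A, b)
    if reduced is None:
        return
    rows, pivots = reduced
    n = len(A[0])
    free = [c for c in range(n) if c not in pivots]
    for guess in product([0, 1], repeat=len(free)):
        x = [0] * n
        for c, v in zip(free, guess):
            x[c] = v
        for row, c in zip(rows, pivots):
            x[c] = (row[n] + sum(row[f] * x[f] for f in free)) % 2
        yield x

def check(A, b, x):
    """True if x satisfies every equation of A x = b over GF(2)."""
    return all(sum(a * v for a, v in zip(row, x)) % 2 == bit for row, bit in zip(A, b))

if __name__ == "__main__":
    print(sum(check(A, Z, x) for x in all_solutions(A, Z)), "verified solutions")
```

Each solution is a candidate key-bit assignment consistent with the observed Z0 and Z1; further keystream equations are what narrow the candidates down.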

1 Answer


answered 2018-11-05 00:28:09 +0100

slelievre


Asked: 2018-07-05 17:21:25 +0100

Seen: 736 times

Last updated: Nov 05 '18