On the last fall degree of zero-dimensional Weil descent systems

Abstract

In this article we will discuss a mostly theoretical framework for solving zero-dimensional polynomial systems. Complexity bounds are obtained for solving such systems using a new parameter, called the last fall degree, which does not depend on the choice of a monomial order. The method is similar to certain MutantXL algorithms, but our abstract formulation has advantages. For example, we can prove that the cryptographic systems multi-HFE and HFE are insecure. More generally, let k be a finite field of cardinality qn and let k′ be the subfield of cardinality q. Let F⊂k[X0,…,Xm−1] be a finite subset generating a zero-dimensional ideal. We give an upper bound of the last fall degree of the Weil descent system of F from k to k′, which depends on q, m, the last fall degree of F, the degree of F and the number of solutions of F, but not on n. This shows that such Weil descent systems can be solved efficiently if n grows and the other parameters are fixed. In particular, one can apply these results to show a weakness in the cryptographic protocols HFE and multi-HFE.