A fundamental problem in computer science is to find all the common zeroes of
m quadratic polynomials in n unknowns over F2. The
cryptanalysis of several modern ciphers reduces to this problem. Up to now, the
best complexity bound was reached by an exhaustive search in 4log2n2n
operations. We give an algorithm that reduces the problem to a combination of
exhaustive search and sparse linear algebra. This algorithm has several
variants depending on the method used for the linear algebra step. Under
precise algebraic assumptions on the input system, we show that the
deterministic variant of our algorithm has complexity bounded by
O(20.841n) when m=n, while a probabilistic variant of the Las Vegas type
has expected complexity O(20.792n). Experiments on random systems show
that the algebraic assumptions are satisfied with probability very close to~1.
We also give a rough estimate for the actual threshold between our method and
exhaustive search, which is as low as~200, and thus very relevant for
cryptographic applications.Comment: 25 page