This paper presents a hardware-optimized variant of the well-known Gaussian elimination over GF(2) and its highly efficient implementation. The proposed hardware architecture can solve any regular and (uniquely solvable) overdetermined linear system of equations (LSE) and is not limited to matrices of a certain structure. Besides solving LSEs, the architecture at hand can also accomplish the related problem of matrix inversion extremely fast. Its average running time for n x n binary matrices with uniformly distributed entries equals 2n (clock cycles) as opposed to about 1 4n3 in software. The average running time remains very close to 2n for matrices with densities much greater or lower than 0:5. The architecture has a worst-case time complexity of O(n2) and also a space complexity of O(n2). With these characteristics the architecture is particularly suited to effi ciently solve medium-sized LSEs as they for example appear in the cryptanalysis of certain stream cipher classes.

Moreover, we propose a hardware-optimized algorithm for matrix-by-matrix multiplication over GF(2) which runs in linear time and quadratic space on a similar architecture. This opens up the possibility of building a more complex architecture for efficiently solving larger LSEs by means of Strassen's algorithm which could significantly improve the time complexity of algebraic attacks on various ciphers. As proof-of-concept we realized our architecture on a contemporary low-cost FPGA. The implementation for a 50 x 50 LSE can be clocked with a frequency of up to 300 MHz and computes the solution in 0:33us on average.