Gröbner Bases of Structured Systems
and their Applications in Cryptology
Jean-Charles Faugère, Mohab Safey El Din
Pierre-Jean Spaenlehauer
UPMC CNRS INRIA Paris - Rocquencourt
LIP6 SALSA team
SCPQ Webinar
2012, 03/06
1/28
PJ Spaenlehauer
Algebraic Cryptanalysis
Crypto primitive
2/28
PJ Spaenlehauer
Algebraic Cryptanalysis
Crypto primitive
modeling
2/28
PJ Spaenlehauer
Algebraic Cryptanalysis
Crypto primitive
modeling
System solving
2/28
PJ Spaenlehauer
Algebraic Cryptanalysis
Crypto primitive
modeling
System solving
Issues
Which algebraic modeling ?
Tradeo between the degree of the equations/number of variables ?
Solving tools: Gröbner bases ? SAT-solvers ? ...
Structure ?
2/28
PJ Spaenlehauer
Motivations: Algebraic Structures in Cryptology
Where does the structure come from ?
3/28
PJ Spaenlehauer
Motivations: Algebraic Structures in Cryptology
Where does the structure come from ?
Non-linearity → Security
Sometimes bi(or multi)-linear
(e.g. AES S-boxes:
3/28
x · y − 1 = 0 for x 6= 0).
PJ Spaenlehauer
Motivations: Algebraic Structures in Cryptology
Where does the structure come from ?
Non-linearity → Security
Sometimes bi(or multi)-linear
(e.g. AES S-boxes:
x · y − 1 = 0 for x 6= 0).
Asymmetric encryption/signature:
trapdoor (e.g. HFE, Multi-HFE, McEliece).
Reducing the key sizes is a common issue
→
3/28
potential
weaknesses
due to the structure.
PJ Spaenlehauer
Motivations: Algebraic Structures in Cryptology
Where does the structure come from ?
Non-linearity → Security
Sometimes bi(or multi)-linear
(e.g. AES S-boxes:
x · y − 1 = 0 for x 6= 0).
Asymmetric encryption/signature:
trapdoor (e.g. HFE, Multi-HFE, McEliece).
Reducing the key sizes is a common issue
→
potential
weaknesses
due to the structure.
Symmetries, invariants:
invariance of the solutions
under some transformations (e.g.
MinRank).
...
3/28
PJ Spaenlehauer
Motivations: Algebraic Structures in Cryptology
Where does the structure come from ?
Non-linearity → Security
Sometimes bi(or multi)-linear
(e.g. AES S-boxes:
x · y − 1 = 0 for x 6= 0).
Asymmetric encryption/signature:
trapdoor (e.g. HFE, Multi-HFE, McEliece).
Reducing the key sizes is a common issue
→
potential
weaknesses
due to the structure.
Symmetries, invariants:
invariance of the solutions
under some transformations (e.g.
MinRank).
...
Impact on the solving process ?
3/28
PJ Spaenlehauer
Motivations: Algebraic Structures in Cryptology
Where does the structure come from ?
Non-linearity → Security
Sometimes bi(or multi)-linear
(e.g. AES S-boxes:
x · y − 1 = 0 for x 6= 0).
Asymmetric encryption/signature:
trapdoor (e.g. HFE, Multi-HFE, McEliece).
Reducing the key sizes is a common issue
→
potential
weaknesses
due to the structure.
Symmetries, invariants:
invariance of the solutions
under some transformations (e.g.
MinRank).
...
Impact on the solving process ?
Complexity ? Dedicated algorithms ?
3/28
PJ Spaenlehauer
Families of structured algebraic systems
Multi-homogeneous systems
McEliece PKC.
MinRank authentication scheme.
...
4/28
PJ Spaenlehauer
Families of structured algebraic systems
Multi-homogeneous systems
McEliece PKC.
MinRank authentication scheme.
...
Determinantal systems
MinRank authentication scheme.
Cryptosystems based on rank metric codes.
Hidden Field Equations and variants.
...
4/28
PJ Spaenlehauer
Families of structured algebraic systems
Multi-homogeneous systems
McEliece PKC.
MinRank authentication scheme.
...
Determinantal systems
MinRank authentication scheme.
Cryptosystems based on rank metric codes.
Hidden Field Equations and variants.
...
Systems invariant by symmetries
Discrete log on elliptic and hyperelliptic curves.
4/28
PJ Spaenlehauer
Outline
1
Polynomial System Solving using Gröbner Bases
2
Bilinear Systems and Application to McEliece
3
Determinantal Systems and Applications to MinRank and HFE
5/28
PJ Spaenlehauer
Gröbner bases (I)
Gröbner bases
I a polynomial ideal. Gröbner basis (w.r.t. a monomial ordering):
of polynomials such that LM(I) = hLM(G )i.
Buchberger [Buchberger Ph.D. 65].
F4 [Faugère J. of Pure and Appl. Alg. 99].
F5 [Faugère ISSAC'02].
FGLM [Faugère/Gianni/Lazard/Mora JSC. 93,
6/28
PJ Spaenlehauer
Faugère/Mou
G
⊂ I a nite set
ISSAC'11].
Gröbner bases (I)
Gröbner bases
I a polynomial ideal. Gröbner basis (w.r.t. a monomial ordering):
of polynomials such that LM(I) = hLM(G )i.
Buchberger [Buchberger Ph.D. 65].
F4 [Faugère J. of Pure and Appl. Alg. 99].
F5 [Faugère ISSAC'02].
FGLM [Faugère/Gianni/Lazard/Mora JSC. 93,
0-dimensional
⊂ I a nite set
ISSAC'11].
system solving
Polynomial system
6/28
Faugère/Mou
G
F4 /F5
−−−−→
grevlex GB
PJ Spaenlehauer
FGLM
−−−−→
lex GB.
Gröbner bases (I)
Gröbner bases
I a polynomial ideal. Gröbner basis (w.r.t. a monomial ordering):
of polynomials such that LM(I) = hLM(G )i.
Buchberger [Buchberger Ph.D. 65].
F4 [Faugère J. of Pure and Appl. Alg. 99].
F5 [Faugère ISSAC'02].
FGLM [Faugère/Gianni/Lazard/Mora JSC. 93,
0-dimensional
Faugère/Mou
G
⊂ I a nite set
ISSAC'11].
system solving
Polynomial system
F4 /F5
−−−−→
grevlex GB
FGLM
−−−−→
lex GB.
XL/MXL
Most of the complexity results also valid for XL/MXL
Buchman/Bulygin/Cabarcas/Ding/Mohamed/Mohamed PQCrypto 2008, Africacrypt
2010,. . .
Ars/Faugère/Imai/Kawazoe/Sugita, Asiacrypt 2004
Albrecht/Cid/Faugère/Perret, eprint
6/28
PJ Spaenlehauer
Gröbner bases (II)
0-dimensional
system solving
Polynomial system
F4 /F5
−−−−→
grevlex GB
Lexicographical Gröbner basis of 0-dimensional systems
Equivalent system in triangular shape:





























7/28
( , . . . , xn )
=
0
( , . . . , xn )
( , . . . , xn )
=
=
0
0
=
=
0
0
f1 x1
f` x1
f`+1 x2
fm−1 xn−1 xn
(
, )
( )
fm xn
..
.
..
.
PJ Spaenlehauer
FGLM
−−−−→
lex GB.
Gröbner bases (II)
0-dimensional
system solving
Polynomial system
F4 /F5
−−−−→
grevlex GB
FGLM
−−−−→
lex GB.
Lexicographical Gröbner basis of 0-dimensional systems
Equivalent system in triangular shape:





























7/28
( , . . . , xn )
=
0
( , . . . , xn )
( , . . . , xn )
=
=
0
0
=
=
0
0
f1 x1
f` x1
f`+1 x2
fm−1 xn−1 xn
(
, )
( )
fm xn
..
.
..
.
=⇒
Find the roots of univariate polynomials
→ easy in nite elds.
PJ Spaenlehauer
Macaulay matrix in degree d
I = hf1 , . . . , fp i
deg(fi ) = di
a monomial ordering
Rows: all products tfi where t is a monomial of degree at most
Columns: monomials of degree at most d.
t1 f1
..
.
tk fp
d
m1 · · · m`






row echelon form of the Macaulay matrix with d suciently high
=⇒
8/28
Gröbner basis.
PJ Spaenlehauer
− di .
Macaulay matrix in degree d
I = hf1 , . . . , fp i
deg(fi ) = di
a monomial ordering
Rows: all products tfi where t is a monomial of degree at most
Columns: monomials of degree at most d.
t1 f1
..
.
tk fp
d
− di .
m1 · · · m`






row echelon form of the Macaulay matrix with d suciently high
=⇒
Gröbner basis.
Problems
Degree falls.
Rank defect
useless computations.
Hilbert series: generating series of the rank defects of the Macaulay matrices.
Which d ?
degree of regularity.
8/28
PJ Spaenlehauer
Complexity of Gröbner bases computations
Two main indicators of the complexity
dreg
degree that has to be reached to compute the
Degree of regularity
Degree of the ideal
I = hf1 , . . . fm i
Number of solutions
the Macaulay matrix.
9/28
grevlex GB.
of the system (counted with multiplicities). Gives the
PJ Spaenlehauer
rank
of
Complexity of Gröbner bases computations
Two main indicators of the complexity
dreg
degree that has to be reached to compute the
Degree of regularity
Degree of the ideal
Number of solutions
the Macaulay matrix.
of the system (counted with multiplicities). Gives the
−→
System
Algorithms
Complexity
9/28
grevlex GB.
I = hf1 , . . . fm i
O
n
+ dreg ω
−→
grevlex GB
grevlex GB
Change of Ordering
dreg
PJ Spaenlehauer
O
(n · #Solω )
rank
lex GB.
of
Complexity of Gröbner bases computations
Two main indicators of the complexity
dreg
degree that has to be reached to compute the
Degree of regularity
Degree of the ideal
Number of solutions
the Macaulay matrix.
of the system (counted with multiplicities). Gives the
−→
System
Algorithms
O
n
+ dreg ω
Change of Ordering
O
dreg
Classical bounds (sharp for generic systems)
Let f1 , . . . , fn ∈ K[x1 , . . . , xn ] be a "generic" system.
Macaulay bound:
Bézout bound:
9/28
dreg ≤ 1 +
X
1≤i ≤n
deg(hf1 , . . . , fn i) ≤
−→
grevlex GB
grevlex GB
Complexity
grevlex GB.
I = hf1 , . . . fm i
(di − 1).
Y
1≤i ≤n
i.
d
PJ Spaenlehauer
(n · #Solω )
rank
lex GB.
of
Complexity of Gröbner bases computations
Two main indicators of the complexity
dreg
degree that has to be reached to compute the
Degree of regularity
Degree of the ideal
Number of solutions
the Macaulay matrix.
of the system (counted with multiplicities). Gives the
−→
System
Algorithms
O
n
−→
grevlex GB
grevlex GB
Complexity
grevlex GB.
I = hf1 , . . . fm i
+ dreg ω
Change of Ordering
O
dreg
(n · #Solω )
Classical bounds (sharp for generic systems)
Let f1 , . . . , fn ∈ K[x1 , . . . , xn ] be a "generic" system.
Macaulay bound:
Bézout bound:
9/28
dreg ≤ 1 +
X
1≤i ≤n
deg(hf1 , . . . , fn i) ≤
(di − 1).
Y
1≤i ≤n
i.
d
Are there sharper bounds for structured systems ?
PJ Spaenlehauer
rank
lex GB.
of
Plan
1
Polynomial System Solving using Gröbner Bases
2
Bilinear Systems and Application to McEliece
3
Determinantal Systems and Applications to MinRank and HFE
10/28
PJ Spaenlehauer
Multi-homogeneous systems
Multi-homogeneous polynomial
∈ K[X (1) , . . . , X (`) ] is multi-homogeneous of multi-degree (d1 , . . . , d` ) if
for all λ1 , . . . , λ` ,
f
f
11/28
d
(λ1 X (1) , . . . , λ` X (`) ) = λd11 . . . λ` ` f (X (1) , . . . , X (`) ).
PJ Spaenlehauer
Multi-homogeneous systems
Multi-homogeneous polynomial
∈ K[X (1) , . . . , X (`) ] is multi-homogeneous of multi-degree (d1 , . . . , d` ) if
for all λ1 , . . . , λ` ,
f
f
d
(λ1 X (1) , . . . , λ` X (`) ) = λd11 . . . λ` ` f (X (1) , . . . , X (`) ).
Example:
3x12 y1 + 4x1 x2 y1 − 3x22 y1 − x12 y2 + 8x1 x2 y2 − 5x22 y2 + 10x12 y3 − 2x1 x2 y3 − 3x22 y3
is a bi-homogeneous polynomial of bi-degree (2, 1) in F11 [x1 , x2 , y1 , y2 , y3 ].
11/28
PJ Spaenlehauer
Multi-homogeneous systems
Multi-homogeneous polynomial
∈ K[X (1) , . . . , X (`) ] is multi-homogeneous of multi-degree (d1 , . . . , d` ) if
for all λ1 , . . . , λ` ,
f
f
d
(λ1 X (1) , . . . , λ` X (`) ) = λd11 . . . λ` ` f (X (1) , . . . , X (`) ).
Example:
3x12 y1 + 4x1 x2 y1 − 3x22 y1 − x12 y2 + 8x1 x2 y2 − 5x22 y2 + 10x12 y3 − 2x1 x2 y3 − 3x22 y3
is a bi-homogeneous polynomial of bi-degree (2, 1) in F11 [x1 , x2 , y1 , y2 , y3 ].
Bilinear system: multi-homogeneous of multi-degree (1, 1)
f1
, . . . , fq ∈ K[X , Y ]: bilinear forms.
fk
11/28
=
P
a
(k )
, xi yj .
i j
PJ Spaenlehauer
Structure of bilinear systems
Euler relations
f1
12/28
, . . . , fq ∈ K[X , Y ]: bilinear forms.
P (k )
fk =
a
i ,j xi yj .
PJ Spaenlehauer
Structure of bilinear systems
Euler relations
f1
, . . . , fq ∈ K[X , Y ]: bilinear forms.
P (k )
fk =
a
i ,j xi yj .
fk
12/28
=
X ∂ fk
X ∂ fk
xi =
yj .
∂ xi
∂ yj
i
PJ Spaenlehauer
j
Structure of bilinear systems
Euler relations
f1
, . . . , fq ∈ K[X , Y ]: bilinear forms.
P (k )
fk =
a
i ,j xi yj .
fk
 ∂ f1
∂ x1
 .
.
jacx (F ) = 
 .
∂ fq
∂ x1
 
f1
=
X ∂ fk
X ∂ fk
xi =
yj .
∂ xi
∂ yj
i
...
∂ f1
∂ xnx
...
∂ fq
∂ xnx
..
.
j
12/28
∂ y1
.. 
. 


 

=⇒  ...  = jacx (F ) · 
fq
 ∂ f1

 .
.
jacy (F ) = 
 .
∂ fq
∂ y1
x1
.
.
.

..
.
PJ Spaenlehauer

.. 
. 
.
...
∂ fq
∂ yny




 = jacy (F ) · 
xnx
∂ f1
∂ yny
...
y1
.
.
.
yny

.
Something special happens with minors...
 
f1

x1

 .. 
 . 
 .  = jacx (F ) ·  .. .
fq
xnx
If (x1 , . . . , xn , y1 , . . . , yn ) is a non-trivial solution of F , then jacx (F ) is rank defective.
(y1 , . . . , yn ) is a zero of the maximal minors of jacx (F ).
x
y
y
13/28
PJ Spaenlehauer
Something special happens with minors...
 
f1

x1

 .. 
 . 
 .  = jacx (F ) ·  .. .
fq
xnx
If (x1 , . . . , xn , y1 , . . . , yn ) is a non-trivial solution of F , then jacx (F ) is rank defective.
(y1 , . . . , yn ) is a zero of the maximal minors of jacx (F ).
x
y
y
Bernstein/Sturmfels/Zelevinski, Adv. in Math. 1993
a p × q matrix whose entries are variables. For any monomial ordering, the
maximal minors of M are a Gröbner basis of the associated ideal.
M
13/28
PJ Spaenlehauer
Something special happens with minors...
 
f1

x1

 .. 
 . 
 .  = jacx (F ) ·  .. .
fq
xnx
If (x1 , . . . , xn , y1 , . . . , yn ) is a non-trivial solution of F , then jacx (F ) is rank defective.
(y1 , . . . , yn ) is a zero of the maximal minors of jacx (F ).
x
y
y
Bernstein/Sturmfels/Zelevinski, Adv. in Math. 1993
a p × q matrix whose entries are variables. For any monomial ordering, the
maximal minors of M are a Gröbner basis of the associated ideal.
M
Faugère/Safey El Din/S., J. of Symb. Comp. 2011
a k -variate q × p linear matrix (with q > p ). Generically, a grevlex GB of
hMinors(M )i: linear combination of the generators.
M
dreg (MaxMinors(jacx (F )))
13/28
PJ Spaenlehauer
= nx .
Complexity
Ane bilinear polynomial
∈ K[x1 , . . . , xn , y1 , . . . , yn ] is said to be ane bilinear if there exists a bilinear
polynomial f˜ in K[x0 , . . . , xn , y0 , . . . , yn ] such that
f
x
y
x
f
y
(x1 , . . . , xn , y1 , . . . , yn ) = f˜(1, x1 , . . . , xn , 1, y1 , . . . , yn ).
x
y
x
y
Faugère/Safey El Din/S., J. of Symb. Comp. 2011
Degree of regularity
Let f1 , . . . , fn
+n be an ane bilinear system in K[x1 , . . . , xn , y1 , . . . , yn ]. Then the
highest degree reached during the computation of a Gröbner basis for the grevlex
x
y
x
ordering is upper bounded by
min(nx , ny ) + 1 nx + ny + 1.
14/28
PJ Spaenlehauer
y
Complexity
Ane bilinear polynomial
∈ K[x1 , . . . , xn , y1 , . . . , yn ] is said to be ane bilinear if there exists a bilinear
polynomial f˜ in K[x0 , . . . , xn , y0 , . . . , yn ] such that
f
x
y
x
f
y
(x1 , . . . , xn , y1 , . . . , yn ) = f˜(1, x1 , . . . , xn , 1, y1 , . . . , yn ).
x
y
x
y
Faugère/Safey El Din/S., J. of Symb. Comp. 2011
Degree of regularity
Let f1 , . . . , fn
+n be an ane bilinear system in K[x1 , . . . , xn , y1 , . . . , yn ]. Then the
highest degree reached during the computation of a Gröbner basis for the grevlex
x
y
x
y
ordering is upper bounded by
min(nx , ny ) + 1 nx + ny + 1.
Consequences
The complexity of computing a grevlex GB is polynomial in the number of
solutions !!
Bilinear systems with unbalanced sizes of blocks of variables are easy to solve !!
14/28
PJ Spaenlehauer
Modeling of McEliece cryptosystem
Based on alternant codes:
secret key: a parity-check matrix of the form

H


=

y0
y1
y0 x0
y1 x1
..
.
t −1
y0 x0
..
.
t −1
y1 x1
...
...
..
.
...
yn−1
yn−1 xn−1
..
.
t −1



,

yn xn
where xi , yj ∈ F2 , with x0 , . . . , xn pairwise distinct and yj 6= 0.
public key: a generator matrix G of the same code.
m
15/28
PJ Spaenlehauer
Modeling of McEliece cryptosystem
Based on alternant codes:
secret key: a parity-check matrix of the form

H


=

y0
y1
y0 x0
y1 x1
..
.
t −1
y0 x0
..
.
t −1
y1 x1
...
...
..
.
...
yn−1
yn−1 xn−1
..
.
t −1



,

yn xn
where xi , yj ∈ F2 , with x0 , . . . , xn pairwise distinct and yj 6= 0.
public key: a generator matrix G of the same code.
m
Problem
Given
15/28
G
, nd
H
such that
H
· Gt = 0 !
PJ Spaenlehauer
Modeling of McEliece cryptosystem
Based on alternant codes:
secret key: a parity-check matrix of the form

H


=

y0
y1
y0 x0
y1 x1
..
.
..
.
t −1
t −1
y0 x0
y1 x1
...
...
..
yn−1
yn−1 xn−1
..
.
.
...
t −1



,

yn xn
where xi , yj ∈ F2 , with x0 , . . . , xn pairwise distinct and yj 6= 0.
public key: a generator matrix G of the same code.
m
Problem
Given
G
, nd
H
such that
H
∀i , j ,
· Gt = 0 !
j
gi ,0 y0 x0
+ · · · + gi ,n−1 yn−1 xnj −1 = 0.
⇒ Bi-homogeneous structure !!
15/28
PJ Spaenlehauer
Cryptanalysis of compact variants of McEliece
Compact variants
Goal: reduce the size of the keys.
Quasi-cyclic variant: Berger/Cayrel/Gaborit/Otmani Africacrypt'09;
Dyadic variant: Misoczy/Barreto SAC'09.
16/28
PJ Spaenlehauer
Cryptanalysis of compact variants of McEliece
Compact variants
Goal: reduce the size of the keys.
Quasi-cyclic variant: Berger/Cayrel/Gaborit/Otmani Africacrypt'09;
Dyadic variant: Misoczy/Barreto SAC'09.
Faugère/Otmani/Perret/Tilich, Eurocrypt'2010
⇒ add redundancy to the polynomial system
linear equations
16/28
less variables.
PJ Spaenlehauer
Cryptanalysis of compact variants of McEliece
Compact variants
Goal: reduce the size of the keys.
Quasi-cyclic variant: Berger/Cayrel/Gaborit/Otmani Africacrypt'09;
Dyadic variant: Misoczy/Barreto SAC'09.
Faugère/Otmani/Perret/Tilich, Eurocrypt'2010
⇒ add redundancy to the polynomial system
linear equations less variables.
Moreover, the system is still over-determined and one can extract a subsystem
containing only powers of two:
∀i , j a power of two !!,
16/28
j
gi ,0 y0 x0
+ · · · + gi ,n−1 yn−1 xnj −1 = 0.
PJ Spaenlehauer
Cryptanalysis of compact variants of McEliece
Compact variants
Goal: reduce the size of the keys.
Quasi-cyclic variant: Berger/Cayrel/Gaborit/Otmani Africacrypt'09;
Dyadic variant: Misoczy/Barreto SAC'09.
Faugère/Otmani/Perret/Tilich, Eurocrypt'2010
⇒ add redundancy to the polynomial system
linear equations less variables.
Moreover, the system is still over-determined and one can extract a subsystem
containing only powers of two:
∀i , j a power of two !!,
j
gi ,0 y0 x0
+ · · · + gi ,n−1 yn−1 xnj −1 = 0.
Decomposing the subsystem over the eld F2
⇒
16/28
Bilinear system with
PJ Spaenlehauer
nx
ny
!!!
Cryptanalysis of compact variants of McEliece
Compact variants
Goal: reduce the size of the keys.
Quasi-cyclic variant: Berger/Cayrel/Gaborit/Otmani Africacrypt'09;
Dyadic variant: Misoczy/Barreto SAC'09.
Faugère/Otmani/Perret/Tilich, Eurocrypt'2010
⇒ add redundancy to the polynomial system
linear equations less variables.
Moreover, the system is still over-determined and one can extract a subsystem
containing only powers of two:
∀i , j a power of two !!,
j
gi ,0 y0 x0
+ · · · + gi ,n−1 yn−1 xnj −1 = 0.
Decomposing the subsystem over the eld F2
⇒
Bilinear system with
nx
ny
!!!
Theoretical and Practical attacks on the quasi-cyclic and dyadic variants of McEliece !!
16/28
PJ Spaenlehauer
Plan
1
Polynomial System Solving using Gröbner Bases
2
Bilinear Systems and Application to McEliece
3
Determinantal Systems and Applications to MinRank and HFE
17/28
PJ Spaenlehauer
The
r
∈ N.
MinRank
M0
, . . . , Mk :
MinRank
k
problem
+ 1 matrices of size
m
× m.
nd λ1 , . . . , λk such that
Rank
M0
−
k
X
i =1
!
λi Mi
≤ r.
Multivariate generalization of the Eigenvalue problem.
Applications in cryptology, coding theory, ...
Crypto'99, Courtois Asiacrypt'01
Crypto'08,...
Fundamental NP-hard problem of linear algebra.
Kipnis/Shamir
Faugère/Levy-dit-Vehel/Perret
Buss, Frandsen, Shallit.
The computational complexity of some problems of linear algebra.
18/28
PJ Spaenlehauer
Two algebraic modelings
M = M0 −
19/28
k
X
i =1
λi Mi .
PJ Spaenlehauer
Two algebraic modelings
M = M0 −
k
X
i =1
λi Mi .
The minors modeling
Rank(M)
≤r
m
all minors of size (r + 1) of M vanish.
m 2
r +1
k
equations of degree r + 1.
variables.
Few variables, lots of equations, high
degree !!
19/28
PJ Spaenlehauer
Two algebraic modelings
M = M0 −
k
X
i =1
λi Mi .
The Kipnis-Shamir modeling
The minors modeling
Rank(M)
≤r
m
all minors of size (r + 1) of M vanish.
m 2
r +1 equations of degree
k
r
+ 1.
M
variables.
Few variables, lots of equations, high
degree !!
19/28
≤ r ⇔ ∃x (1) , . . . , x (m−r ) ∈ Ker(M).


I −




 (1)
(m−r ) 

x
. . . x1
· 1
.


 .
.
.

 .
.
.
 .
.
. 
(1)
(m−r )
xr
. . . xr
Rank(M)
(
m m
k
PJ Spaenlehauer
m r
=0
− r ) bilinear equations.
+ r (m − r ) variables.
Two algebraic modelings
M = M0 −
k
X
i =1
λi Mi .
The Kipnis-Shamir modeling
The minors modeling
Rank(M)
≤r
m
all minors of size (r + 1) of M vanish.
m 2
r +1 equations of degree
k
≤ r ⇔ ∃x (1) , . . . , x (m−r ) ∈ Ker(M).


I −




 (1)
(m−r ) 

x
. . . x1
· 1
.


 .
.
.

 .
.
.
 .
.
. 
(1)
(m−r )
xr
. . . xr
Rank(M)
r
+ 1.
M
variables.
Few variables, lots of equations, high
degree !!
(
m m
k
m r
=0
− r ) bilinear equations.
+ r (m − r ) variables.
Complexity of solving MinRank using Gröbner bases techniques ?
Comparison of the two modelings ?
Number of solutions ?
19/28
PJ Spaenlehauer
Main results
System
Algorithms
Complexity
20/28
O
−→
−→
grevlex GB
GB
grevlex
n + d ω reg
dreg
PJ Spaenlehauer
Change of Ordering
O
(n · #Solω )
lex GB.
Main results
−→
System
Complexity
O
n
−→
grevlex GB
grevlex GB
Algorithms
+ dreg ω
lex GB.
Change of Ordering
O
dreg
(n · #Solω )
m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2 .
Modeling:
Degree of regularity
when
k
Minors
Macaulay bound:
≤ m (m − r ) + 1
= ( m − r )2
# Sol
MH. Bézout: ≤
Complexity
20/28
Kipnis-Shamir
PJ Spaenlehauer
m
r
!m−r
Main results
−→
System
Complexity
O
n
−→
grevlex GB
grevlex GB
Algorithms
lex GB.
Change of Ordering
+ dreg ω
O
dreg
(n · #Solω )
m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2 .
Modeling:
Degree of regularity
when
k
Minors
= (m − r )2
# Sol
≤ (m − r )2 + 1
!m−r
MH. Bézout: ≤
Complexity
20/28
Kipnis-Shamir
PJ Spaenlehauer
m
r
Main results
−→
System
Complexity
O
n
−→
grevlex GB
grevlex GB
Algorithms
lex GB.
Change of Ordering
+ dreg ω
O
dreg
(n · #Solω )
m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2 .
Modeling:
Degree of regularity
when
k
= (m − r )2
# Sol
Minors
(
r m
− r) + 1
≤ (m − r )2 + 1
!m−r
MH. Bézout: ≤
Complexity
20/28
Kipnis-Shamir
PJ Spaenlehauer
m
r
Main results
−→
System
Complexity
O
n
−→
grevlex GB
grevlex GB
Algorithms
lex GB.
Change of Ordering
+ dreg ω
O
dreg
(n · #Solω )
m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2 .
Modeling:
Degree of regularity
when
k
= (m − r )2
# Sol
Complexity
20/28
Minors
(
r m
− r) + 1
m−
r −1
Y
i =0
Kipnis-Shamir
≤ (m − r )2 + 1
i !(m + i )!
(m − 1 − i )!(m − r + i )!
PJ Spaenlehauer
Main results
−→
System
Complexity
O
n
−→
grevlex GB
grevlex GB
Algorithms
lex GB.
Change of Ordering
+ dreg ω
O
dreg
(n · #Solω )
m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2 .
Modeling:
Degree of regularity
when
k
= (m − r )2
# Sol
Complexity
20/28
Minors
(
r m
− r) + 1
m−
r −1
Y
i =0
(
O m
Kipnis-Shamir
≤ (m − r )2 + 1
i !(m + i )!
(m − 1 − i )!(m − r + i )!
ωk
PJ Spaenlehauer
)
(
O m
ω(k +1)
)
Main results
−→
System
Complexity
O
n
−→
grevlex GB
grevlex GB
Algorithms
lex GB.
Change of Ordering
+ dreg ω
O
dreg
(n · #Solω )
m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2 .
Modeling:
Degree of regularity
when
k
= (m − r )2
# Sol
Complexity
Minors
(
r m
− r) + 1
m−
r −1
Y
i =0
(
O m
Kipnis-Shamir
≤ (m − r )2 + 1
i !(m + i )!
(m − 1 − i )!(m − r + i )!
ωk
)
(
O m
ω(k +1)
)
Both modelings → polynomial complexity when k = (m − r)2 is xed.
New Crypto challenge broken: 10 generic matrices of size 11 × 11
target rank 8, K = GF(65521).
Courtois, Asiacrypt 2001.
20/28
PJ Spaenlehauer
Minors modeling
Minors modeling:
Rank(M)
≤r
m
all minors of size
(r + 1)
of M vanish.
Determinantal ideal
21/28
PJ Spaenlehauer
Minors modeling
Minors modeling:
Rank(M)
≤r
m
all minors of size
(r + 1)
of M vanish.
Determinantal ideal
Bilinear systems ↔ determinantal systems
f1
, . . . , fq ∈ K[X , Y ]: bilinear forms.
 ∂ f1
∂ x0
 .
 .
 .
∂ fq
∂ x0
f1
21/28
...
..
.
...
∂ f1
∂ xnx
    
x0
f1
.. 
 .. 
.. 
·
=



. 
.
.
∂ fq
∂ xnx
xnx
fq
= . . . = fq = 0 ⇐⇒ MaxMinors (JacX (f1 , . . . , fq )) = 0.
PJ Spaenlehauer
Determinantal ideals
What is known
Determinantal ideals:
Bernstein/Zelevinsky J. of Alg. Comb. 93, Bruns/Conca
98, Sturmfels/Zelevinsky Adv. Math. 98, Conca/Herzog AMS'94, Lascoux 78,
Abhyankar 88...
Geometry of determinantal varieties: Room 39, Fulton Duke Math. J. 91,
Giusti/Merle Int. Conf. on Alg. Geo. 82...
Polar varieties: Bank/Giusti/Heintz/Safey/Schost
AAECC'10,Bank/Giusti/Heintz/Pardo J. of Compl. 05, Safey/Schost ISSAC'03,
Teissier Pure and Appl. Math. 91...
22/28
PJ Spaenlehauer
Properties of Determinantal Ideals

v1,1
 .
D = Minorsr +1  ..
v
m ,1
m
...
..
v1,

.. 
. 
vm,m
.
...
Thom, Porteous, Giambelli, Harris-Tu, ...
The
degree
m−
r −1
Y
i =0
of D is
i !(m + i )!
.
(m − 1 − i )!(m − r + i )!
Conca/Herzog, Abhyankar
The
Hilbert series
of D is
det(A(t ))
HSD (t ) =
r
t
2
(1 − t )(2m−r )r
A
.
i ,j (t ) =
X m − i m − j `
23/28
`
PJ Spaenlehauer
`
t
`
.
Properties of Determinantal Ideals

v1,1
 .
D = Minorsr +1  ..
v
m ,1
m
...
..
v1,


.. 
. 
.
...
v
degree
m−
r −1
Y
i =0
m,m
of D is
i !(m + i )!
.
(m − 1 − i )!(m − r + i )!
Hilbert series
of D is
det(A(t ))
HSD (t ) =
r
t
2
(1 − t )(2m−r )r
A
.
i ,j (t ) =
X m − i m − j `
23/28
m,1
...
f
Conca/Herzog, Abhyankar
The
...
 .
I = Minorsr +1  ..
Thom, Porteous, Giambelli, Harris-Tu, ...
The
f1,1
`
PJ Spaenlehauer
`
t
`
.
..
.

m
.. 
. 
fm,m
f1,
Properties of Determinantal Ideals

v1,1
 .
D = Minorsr +1  ..
v
m ,1
m
...
..
v1,


.. 
. 
.
...
v
f1,1
...
m,1
...
 .
I = Minorsr +1  ..
m,m
f
..
.
Thom, Porteous, Giambelli, Harris-Tu, ...
The
degree
m−
r −1
Y
i =0
of D is
i !(m + i )!
.
(m − 1 − i )!(m − r + i )!
Conca/Herzog, Abhyankar
The
Hilbert series
of D is
det(A(t ))
HSD (t ) =
r
t
2
(1 − t )(2m−r )r
A
.
i ,j (t ) =
X m − i m − j `
transfer of properties of
23/28
t
`
.
`
`
D
by adding
PJ Spaenlehauer
hvi ,j − fi ,j i

m
.. 
. 
fm,m
f1,
Properties of Determinantal Ideals

v1,1
 .
D = Minorsr +1  ..
v
m ,1
m
...
..
v1,

.
...
v
degree
m−
r −1
Y
i =0
of D is
m−
r −1
Y
!(m + i )!
.
(m − 1 − i )!(m − r + i )!
i =0
ISSAC'2010
The Hilbert
of D is
det(A(t ))
HSD (t ) =
r
t
2
(1 − t )(2m−r )r
A
series
X m − i m − j transfer of properties of
.
t
`
det(A(t ))
r
2
(1 − t )k −(m−r )
.
`
`
D
by adding
PJ Spaenlehauer
of I is
t
`
23/28
...
i !(m + i )!
.
(m − 1 − i )!(m − r + i )!
HSI (t ) =
.
i ,j (t ) =
m,1
..

m
.. 
. 
fm,m
f1,
ISSAC'2010
The degree of I is
i
Hilbert series
...
f
Conca/Herzog, Abhyankar
The
f1,1
 .
I = Minorsr +1  ..
m,m
Thom, Porteous, Giambelli, Harris-Tu, ...
The

.. 
. 
hvi ,j − fi ,j i
2
.
Complexity of the minors formulation (ISSAC'2010)
Degree of regularity for a 0-dim ideal = 1+ degree of the Hilbert series.
Corollary
The degree of regularity of I is generically equal to
dreg = r (m − r ) + 1.
24/28
PJ Spaenlehauer
Complexity of the minors formulation (ISSAC'2010)
Degree of regularity for a 0-dim ideal = 1+ degree of the Hilbert series.
Corollary
The degree of regularity of I is generically equal to
dreg = r (m − r ) + 1.
Number of matrices and rank defect xed. 0-dimensional case.
Corollary: asymptotic complexity
When k = (m − r )2 is xed, then the complexity of the Gröbner basis computation of
the minors modeling is
O mω
24/28
k
PJ Spaenlehauer
.
Complexity of the Change of Ordering
Corollary: generic number of solutions
The number of solutions of a generic MinRank problem with k = (m − r )2 is
#Sol
=
∼
m→∞
25/28
m−
r −1
Y
i !(m + i )!
(m − 1 − i )!(m − r + i )!
i =0
m−
r −1
Y
i!
k
.
m
(m − r + i )!
i =0
PJ Spaenlehauer
Complexity of the Change of Ordering
Corollary: generic number of solutions
The number of solutions of a generic MinRank problem with k = (m − r )2 is
#Sol
=
∼
m→∞
m−
r −1
Y
i !(m + i )!
(m − 1 − i )!(m − r + i )!
i =0
m−
r −1
Y
i!
k
.
m
(m − r + i )!
i =0
Complexity of the Change of Ordering (ISSAC 2010)
The complexity of FGLM is upper bounded by O (#Sol ω ) .
If k = (m − r )2 , then
O
25/28
(#Sol ω ) = O
PJ Spaenlehauer
m
ωk
.
Experimental results
Courtois. Asiacrypt'01.
Ecient zero-knowledge authentication based on a linear algebra problem
MinRank.
K = GF(65521)
(m, k, r): k matrices of size m × m. Target rank: r .
Challenge
degree
dreg
time
F5 mem
log2 (Nb op.)
FGLM time
F5
dreg
time
F5 mem
log2 (Nb op.)
FGLM time
F5
26/28
A
B
(6, 9, 3)
(7, 9, 4)
980
4116
(8, 9, 5)
(9, 9, 6)
14112
41580
Minors modeling
10
13
16
19
1.1s
28.4s
544s
9048s
488 MB
587 MB
1213 MB
5048 MB
21.5
25.9
29.2
32.7
0.5s
28.5s
1033s
22171s
Kipnis-Shamir modeling
5
6
30s
3795s
328233s
7
407 MB
3113 MB
58587 MB
30.5
37.1
43.4
35s
2580s
∞
PJ Spaenlehauer
∞
C
(11, 9, 8)
259545
-
Experimental results
Courtois. Asiacrypt'01.
Ecient zero-knowledge authentication based on a linear algebra problem
MinRank.
K = GF(65521)
(m, k, r): k matrices of size m × m. Target rank: r .
Challenge
degree
dreg
time
F5 mem
log2 (Nb op.)
FGLM time
F5
dreg
time
F5 mem
log2 (Nb op.)
FGLM time
F5
26/28
A
B
(6, 9, 3)
(7, 9, 4)
980
4116
(8, 9, 5)
(9, 9, 6)
14112
41580
Minors modeling
10
13
16
19
1.1s
28.4s
544s
9048s
488 MB
587 MB
1213 MB
5048 MB
21.5
25.9
29.2
32.7
0.5s
28.5s
1033s
22171s
Kipnis-Shamir modeling
5
6
30s
3795s
328233s
7
407 MB
3113 MB
58587 MB
30.5
37.1
43.4
35s
2580s
∞
∞
Computational bottleneck: computing the minors.
Computing eort needed for solving Challenge C:
238 days on 64 quadricore processors.
PJ Spaenlehauer
C
(11, 9, 8)
259545
-
Algebraic cryptanalysis of (multi-)HFE
Patarin, Eurocrypt'96
Billet/Patarin/Seurin, ICSCC'08
Ding/Schmitt/Werner, Information Security, 2008
( )=
P x
X
0≤i ,j ≤r
pi ,j x
q +q
i
j
∈ Fq , with
low-rank quadratic form (Fq )n → (Fq )n
27/28
PJ Spaenlehauer
n
r
n
Algebraic cryptanalysis of (multi-)HFE
Patarin, Eurocrypt'96
Billet/Patarin/Seurin, ICSCC'08
Ding/Schmitt/Werner, Information Security, 2008
X
( )=
P x
0≤i ,j ≤r
pi ,j x
q +q
i
j
∈ Fq , with
low-rank quadratic form (Fq )n → (Fq )n
masked by linear transforms !!
27/28
PJ Spaenlehauer
n
r
n
Algebraic cryptanalysis of (multi-)HFE
Patarin, Eurocrypt'96
Billet/Patarin/Seurin, ICSCC'08
Ding/Schmitt/Werner, Information Security, 2008
X
( )=
P x
0≤i ,j ≤r
pi ,j x
q +q
i
j
∈ Fq , with
n
r
n
low-rank quadratic form (Fq )n → (Fq )n
masked by linear transforms !!
⇒ the secret polynomial can be recovered by solving a MinRank problem.
Bettale/Faugère/Perret, PKC 2011
The complexity of solving this MinRank problem is upper bounded by
O
n
(r +1)ω
.
algebraic attack with polynomial complexity in n !!
attacks on odd-characteristic variants;
generalizations to multi-HFE.
27/28
PJ Spaenlehauer
Conclusion and Perspectives
Structures have an impact on the complexity of
the solving process in algebraic cryptanalysis !
Structure
Design, key size reduction,. . . ←→ potential algebraic attacks.
28/28
PJ Spaenlehauer
Conclusion and Perspectives
Structures have an impact on the complexity of
the solving process in algebraic cryptanalysis !
Structure
Design, key size reduction,. . . ←→ potential algebraic attacks.
Other possible applications in Crypto of structured systems
Rank metric codes (Gabidulin/Ourivski/Honary/Ammar
classical McEliece PKC (McEliece 1978 ).
28/28
PJ Spaenlehauer
IEEE IT, 2003
).
Conclusion and Perspectives
Structures have an impact on the complexity of
the solving process in algebraic cryptanalysis !
Structure
Design, key size reduction,. . . ←→ potential algebraic attacks.
Other possible applications in Crypto of structured systems
Rank metric codes (Gabidulin/Ourivski/Honary/Ammar
classical McEliece PKC (McEliece 1978 ).
Algorithmic problems
Dedicated F5 algorithm for multi-homogeneous systems.
(Faugère, Safey, S., J. of Symb. Comp. 2011 )
Dedicated algorithm for determinantal systems ?
28/28
PJ Spaenlehauer
IEEE IT, 2003
).