Gröbner Bases of Structured Systems and Their Applications in Cryptology

Gröbner Bases of Structured Systems and their Applications in Cryptology

Jean-Charles Faugère, Mohab Safey El Din Pierre-Jean Spaenlehauer

UPMC CNRS INRIA Paris - Rocquencourt LIP6 SALSA team

SCPQ Webinar 2012, 03/06

1/28 PJ Spaenlehauer modeling

System solving

Issues Which algebraic modeling ? Tradeo between the degree of the equations/number of variables ? Solving tools: Gröbner bases ? SAT-solvers ? ... Structure ?

Algebraic Cryptanalysis

Crypto primitive

2/28 PJ Spaenlehauer System solving

Issues Which algebraic modeling ? Tradeo between the degree of the equations/number of variables ? Solving tools: Gröbner bases ? SAT-solvers ? ... Structure ?

Algebraic Cryptanalysis

Crypto primitive

modeling

2/28 PJ Spaenlehauer Issues Which algebraic modeling ? Tradeo between the degree of the equations/number of variables ? Solving tools: Gröbner bases ? SAT-solvers ? ... Structure ?

Algebraic Cryptanalysis

Crypto primitive

modeling

System solving

2/28 PJ Spaenlehauer Algebraic Cryptanalysis

Crypto primitive

modeling

System solving

Issues Which algebraic modeling ? Tradeo between the degree of the equations/number of variables ? Solving tools: Gröbner bases ? SAT-solvers ? ... Structure ?

2/28 PJ Spaenlehauer Non-linearity → Security Sometimes bi(or multi)-linear (e.g. AES S-boxes: x · y − 1 = 0 for x 6= 0). Asymmetric encryption/signature:

trapdoor (e.g. HFE, Multi-HFE, McEliece). Reducing the key sizes is a common issue → potential weaknesses due to the structure. Symmetries, invariants:

invariance of the solutions under some transformations (e.g. MinRank). ...

Impact on the solving process ? Complexity ? Dedicated algorithms ?

Motivations: Algebraic Structures in Cryptology

Where does the structure come from ?

3/28 PJ Spaenlehauer Asymmetric encryption/signature:

trapdoor (e.g. HFE, Multi-HFE, McEliece). Reducing the key sizes is a common issue → potential weaknesses due to the structure. Symmetries, invariants:

invariance of the solutions under some transformations (e.g. MinRank). ...

Impact on the solving process ? Complexity ? Dedicated algorithms ?

Motivations: Algebraic Structures in Cryptology

Where does the structure come from ?

Non-linearity → Security Sometimes bi(or multi)-linear (e.g. AES S-boxes: x · y − 1 = 0 for x 6= 0).

3/28 PJ Spaenlehauer Symmetries, invariants:

invariance of the solutions under some transformations (e.g. MinRank). ...

Impact on the solving process ? Complexity ? Dedicated algorithms ?

Motivations: Algebraic Structures in Cryptology

Where does the structure come from ?

Non-linearity → Security Sometimes bi(or multi)-linear (e.g. AES S-boxes: x · y − 1 = 0 for x 6= 0). Asymmetric encryption/signature:

trapdoor (e.g. HFE, Multi-HFE, McEliece). Reducing the key sizes is a common issue → potential weaknesses due to the structure.

3/28 PJ Spaenlehauer Impact on the solving process ? Complexity ? Dedicated algorithms ?

Motivations: Algebraic Structures in Cryptology

Where does the structure come from ?

Non-linearity → Security Sometimes bi(or multi)-linear (e.g. AES S-boxes: x · y − 1 = 0 for x 6= 0). Asymmetric encryption/signature:

trapdoor (e.g. HFE, Multi-HFE, McEliece). Reducing the key sizes is a common issue → potential weaknesses due to the structure. Symmetries, invariants:

invariance of the solutions under some transformations (e.g. MinRank). ...

3/28 PJ Spaenlehauer Complexity ? Dedicated algorithms ?

Motivations: Algebraic Structures in Cryptology

Where does the structure come from ?

Non-linearity → Security Sometimes bi(or multi)-linear (e.g. AES S-boxes: x · y − 1 = 0 for x 6= 0). Asymmetric encryption/signature:

trapdoor (e.g. HFE, Multi-HFE, McEliece). Reducing the key sizes is a common issue → potential weaknesses due to the structure. Symmetries, invariants:

invariance of the solutions under some transformations (e.g. MinRank). ...

Impact on the solving process ?

3/28 PJ Spaenlehauer Motivations: Algebraic Structures in Cryptology

Where does the structure come from ?

Non-linearity → Security Sometimes bi(or multi)-linear (e.g. AES S-boxes: x · y − 1 = 0 for x 6= 0). Asymmetric encryption/signature:

trapdoor (e.g. HFE, Multi-HFE, McEliece). Reducing the key sizes is a common issue → potential weaknesses due to the structure. Symmetries, invariants:

invariance of the solutions under some transformations (e.g. MinRank). ...

Impact on the solving process ? Complexity ? Dedicated algorithms ?

3/28 PJ Spaenlehauer Determinantal systems MinRank authentication scheme. Cryptosystems based on rank metric codes. Hidden Field Equations and variants. ...

Systems invariant by symmetries Discrete log on elliptic and hyperelliptic curves.

Families of structured algebraic systems

Multi-homogeneous systems McEliece PKC. MinRank authentication scheme. ...

4/28 PJ Spaenlehauer Systems invariant by symmetries Discrete log on elliptic and hyperelliptic curves.

Families of structured algebraic systems

Multi-homogeneous systems McEliece PKC. MinRank authentication scheme. ...

Determinantal systems MinRank authentication scheme. Cryptosystems based on rank metric codes. Hidden Field Equations and variants. ...

4/28 PJ Spaenlehauer Families of structured algebraic systems

Multi-homogeneous systems McEliece PKC. MinRank authentication scheme. ...

Determinantal systems MinRank authentication scheme. Cryptosystems based on rank metric codes. Hidden Field Equations and variants. ...

Systems invariant by symmetries Discrete log on elliptic and hyperelliptic curves.

4/28 PJ Spaenlehauer Outline

1 Polynomial System Solving using Gröbner Bases

2 Bilinear Systems and Application to McEliece

3 Determinantal Systems and Applications to MinRank and HFE

5/28 PJ Spaenlehauer 0-dimensional system solving

F4/F5 FGLM Polynomial system −−−−→ grevlexGB −−−−→ lexGB .

XL/MXL Most of the complexity results also valid for XL/MXL Buchman/Bulygin/Cabarcas/Ding/Mohamed/Mohamed PQCrypto 2008, Africacrypt 2010,. . . Ars/Faugère/Imai/Kawazoe/Sugita, Asiacrypt 2004 Albrecht/Cid/Faugère/Perret, eprint

Gröbner bases (I)

Gröbner bases I a polynomial ideal. Gröbner basis (w.r.t. a monomial ordering): G ⊂ I a nite set of polynomials such that LM(I) = hLM(G)i. Buchberger [Buchberger Ph.D. 65].

F4 [Faugère J. of Pure and Appl. Alg. 99].

F5 [Faugère ISSAC'02]. FGLM [Faugère/Gianni/Lazard/Mora JSC. 93, Faugère/Mou ISSAC'11].

6/28 PJ Spaenlehauer XL/MXL Most of the complexity results also valid for XL/MXL Buchman/Bulygin/Cabarcas/Ding/Mohamed/Mohamed PQCrypto 2008, Africacrypt 2010,. . . Ars/Faugère/Imai/Kawazoe/Sugita, Asiacrypt 2004 Albrecht/Cid/Faugère/Perret, eprint

Gröbner bases (I)

Gröbner bases I a polynomial ideal. Gröbner basis (w.r.t. a monomial ordering): G ⊂ I a nite set of polynomials such that LM(I) = hLM(G)i. Buchberger [Buchberger Ph.D. 65].

F4 [Faugère J. of Pure and Appl. Alg. 99].

F5 [Faugère ISSAC'02]. FGLM [Faugère/Gianni/Lazard/Mora JSC. 93, Faugère/Mou ISSAC'11].

0-dimensional system solving

F4/F5 FGLM Polynomial system −−−−→ grevlexGB −−−−→ lexGB .

6/28 PJ Spaenlehauer Gröbner bases (I)

Gröbner bases I a polynomial ideal. Gröbner basis (w.r.t. a monomial ordering): G ⊂ I a nite set of polynomials such that LM(I) = hLM(G)i. Buchberger [Buchberger Ph.D. 65].

F4 [Faugère J. of Pure and Appl. Alg. 99].

F5 [Faugère ISSAC'02]. FGLM [Faugère/Gianni/Lazard/Mora JSC. 93, Faugère/Mou ISSAC'11].

0-dimensional system solving

F4/F5 FGLM Polynomial system −−−−→ grevlexGB −−−−→ lexGB .

6/28 PJ Spaenlehauer Find the roots of univariate polynomials =⇒ → easy in nite elds.

Gröbner bases (II)

0-dimensional system solving

F4/F5 FGLM Polynomial system −−−−→ grevlexGB −−−−→ lexGB .

Lexicographical Gröbner basis of 0-dimensional systems Equivalent system in triangular shape:  f1(x1,..., xn) = 0   .  .    f`(x1,..., xn) = 0  f`+1(x2,..., xn) = 0  .  .  .   f x x 0  m−1( n−1, n) =   fm(xn) = 0

7/28 PJ Spaenlehauer Gröbner bases (II)

0-dimensional system solving

F4/F5 FGLM Polynomial system −−−−→ grevlexGB −−−−→ lexGB .

Lexicographical Gröbner basis of 0-dimensional systems Equivalent system in triangular shape:  f1(x1,..., xn) = 0   .  .    f`(x1,..., xn) = 0  Find the roots of univariate polynomials f x x 0 `+1( 2,..., n) = =⇒ easy in nite elds.  . →  .  .   f x x 0  m−1( n−1, n) =   fm(xn) = 0

7/28 PJ Spaenlehauer Problems Degree falls.

Rank defect useless computations. Hilbert series: generating series of the rank defects of the Macaulay matrices. Which d ? degree of regularity.

Macaulay matrix in degree d

I = hf1,..., fpi deg(fi ) = di a monomial ordering

Rows: all products tfi where t is a monomial of degree at most d − di . Columns: monomials of degree at most d.

m1 · · · m`   t1f1 .   .     tk fp row echelon form of the Macaulay matrix with d suciently high

=⇒ Gröbner basis.

8/28 PJ Spaenlehauer Macaulay matrix in degree d

I = hf1,..., fpi deg(fi ) = di a monomial ordering

Rows: all products tfi where t is a monomial of degree at most d − di . Columns: monomials of degree at most d.

m1 · · · m`   t1f1 .   .     tk fp row echelon form of the Macaulay matrix with d suciently high

=⇒ Gröbner basis.

Problems Degree falls.

Rank defect useless computations. Hilbert series: generating series of the rank defects of the Macaulay matrices. Which d ? degree of regularity.

8/28 PJ Spaenlehauer System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

Classical bounds (sharp for generic systems)

Let f1,..., fn ∈ K[x1,..., xn] be a "generic" system. X Macaulay bound:d reg ≤ 1 + (di − 1). 1≤i≤n Y Bézout bound: deg(hf1,..., fni) ≤ di . 1≤i≤n

Are there sharper bounds for structured systems ?

Complexity of Gröbner bases computations

Two main indicators of the complexity

Degree of regularity dreg degree that has to be reached to compute the grevlex GB. Degree of the ideal I = hf1,... fmi Number of solutions of the system (counted with multiplicities). Gives the rank of the Macaulay matrix.

9/28 PJ Spaenlehauer Classical bounds (sharp for generic systems)

Let f1,..., fn ∈ K[x1,..., xn] be a "generic" system. X Macaulay bound:d reg ≤ 1 + (di − 1). 1≤i≤n Y Bézout bound: deg(hf1,..., fni) ≤ di . 1≤i≤n

Are there sharper bounds for structured systems ?

Complexity of Gröbner bases computations

Two main indicators of the complexity

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

9/28 PJ Spaenlehauer Are there sharper bounds for structured systems ?

Complexity of Gröbner bases computations

Two main indicators of the complexity

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

Classical bounds (sharp for generic systems)

Let f1,..., fn ∈ K[x1,..., xn] be a "generic" system. X Macaulay bound:d reg ≤ 1 + (di − 1). 1≤i≤n Y Bézout bound: deg(hf1,..., fni) ≤ di . 1≤i≤n

9/28 PJ Spaenlehauer Complexity of Gröbner bases computations

Two main indicators of the complexity

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

Classical bounds (sharp for generic systems)

Let f1,..., fn ∈ K[x1,..., xn] be a "generic" system. X Macaulay bound:d reg ≤ 1 + (di − 1). 1≤i≤n Y Bézout bound: deg(hf1,..., fni) ≤ di . 1≤i≤n

Are there sharper bounds for structured systems ? 9/28 PJ Spaenlehauer Plan

1 Polynomial System Solving using Gröbner Bases

2 Bilinear Systems and Application to McEliece

3 Determinantal Systems and Applications to MinRank and HFE

10/28 PJ Spaenlehauer Example:

2 2 2 2 2 2 3x1 y1 + 4x1x2y1 − 3x2 y1 − x1 y2 + 8x1x2y2 − 5x2 y2 + 10x1 y3 − 2x1x2y3 − 3x2 y3 is a bi-homogeneous polynomial of bi-degree (2, 1) in F11[x1, x2, y1, y2, y3]. Bilinear system: multi-homogeneous of multi-degree (1, 1) f1,..., fq ∈ K[X , Y ]: bilinear forms. f P a(k)x y . k = i,j i j

Multi-homogeneous systems

Multi-homogeneous polynomial f X (1) X (`) is multi-homogeneous of multi-degree d d if ∈ K[ ,..., ] ( 1,..., `) for all λ1, . . . , λ`,

1 d d 1 f X ( ) X (`) 1 ` f X ( ) X (`) (λ1 , . . . , λ` ) = λ1 . . . λ` ( ,..., ).

11/28 PJ Spaenlehauer Bilinear system: multi-homogeneous of multi-degree (1, 1) f1,..., fq ∈ K[X , Y ]: bilinear forms. f P a(k)x y . k = i,j i j

Multi-homogeneous systems

Multi-homogeneous polynomial f X (1) X (`) is multi-homogeneous of multi-degree d d if ∈ K[ ,..., ] ( 1,..., `) for all λ1, . . . , λ`,

1 d d 1 f X ( ) X (`) 1 ` f X ( ) X (`) (λ1 , . . . , λ` ) = λ1 . . . λ` ( ,..., ).

Example:

2 2 2 2 2 2 3x1 y1 + 4x1x2y1 − 3x2 y1 − x1 y2 + 8x1x2y2 − 5x2 y2 + 10x1 y3 − 2x1x2y3 − 3x2 y3 is a bi-homogeneous polynomial of bi-degree (2, 1) in F11[x1, x2, y1, y2, y3].

11/28 PJ Spaenlehauer Multi-homogeneous systems

Multi-homogeneous polynomial f X (1) X (`) is multi-homogeneous of multi-degree d d if ∈ K[ ,..., ] ( 1,..., `) for all λ1, . . . , λ`,

1 d d 1 f X ( ) X (`) 1 ` f X ( ) X (`) (λ1 , . . . , λ` ) = λ1 . . . λ` ( ,..., ).

Example:

11/28 PJ Spaenlehauer X ∂fk X ∂fk fk = xi = yj . xi yj i ∂ j ∂

f f  ∂f1 ∂f1   ∂ 1 ∂ 1  ... y ... y ∂x1 ∂xnx ∂ 1 ∂ ny  . . .   . . .  jacx (F )=  . . .  jacy (F )=  . . . .  f f   f f  ∂ q ... ∂ q ∂ q ... ∂ q ∂x1 ∂xnx ∂y1 ∂yny

f1  x1   y1  . . .  .  jac F  .  jac F  .  =⇒  .  = x ( ) ·  .  = y ( ) ·  . . fq xnx yny

Structure of bilinear systems

Euler relations

f1,..., fq ∈ K[X , Y ]: bilinear forms. f P a(k)x y . k = i,j i j

12/28 PJ Spaenlehauer f f  ∂f1 ∂f1   ∂ 1 ∂ 1  ... y ... y ∂x1 ∂xnx ∂ 1 ∂ ny  . . .   . . .  jacx (F )=  . . .  jacy (F )=  . . . .  f f   f f  ∂ q ... ∂ q ∂ q ... ∂ q ∂x1 ∂xnx ∂y1 ∂yny

f1  x1   y1  . . .  .  jac F  .  jac F  .  =⇒  .  = x ( ) ·  .  = y ( ) ·  . . fq xnx yny

Structure of bilinear systems

Euler relations

f1,..., fq ∈ K[X , Y ]: bilinear forms. f P a(k)x y . k = i,j i j

X ∂fk X ∂fk fk = xi = yj . xi yj i ∂ j ∂

12/28 PJ Spaenlehauer Structure of bilinear systems

Euler relations

f1,..., fq ∈ K[X , Y ]: bilinear forms. f P a(k)x y . k = i,j i j

X ∂fk X ∂fk fk = xi = yj . xi yj i ∂ j ∂

f1  x1   y1  . . .  .  jac F  .  jac F  .  =⇒  .  = x ( ) ·  .  = y ( ) ·  . . fq xnx yny

12/28 PJ Spaenlehauer Bernstein/Sturmfels/Zelevinski, Adv. in Math. 1993 M a p × q matrix whose entries are variables. For any monomial ordering, the maximal minors of M are a Gröbner basis of the associated ideal.

Faugère/Safey El Din/S., J. of Symb. Comp. 2011 M a k-variate q × p linear matrix (with q > p). Generically, a grevlex GB of hMinors(M)i: linear combination of the generators.

dreg (MaxMinors(jacx (F ))) = nx .

Something special happens with minors...

f1  x1  . .  .  jac F  .   .  = x ( ) ·  . .

fq xnx

If (x1,..., xnx , y1,..., yny ) is a non-trivial solution of F , then jacx (F ) is rank defective. y y is a zero of the maximal minors of jac F . ( 1,..., ny ) x ( )

13/28 PJ Spaenlehauer Faugère/Safey El Din/S., J. of Symb. Comp. 2011 M a k-variate q × p linear matrix (with q > p). Generically, a grevlex GB of hMinors(M)i: linear combination of the generators.

dreg (MaxMinors(jacx (F ))) = nx .

Something special happens with minors...

f1  x1  . .  .  jac F  .   .  = x ( ) ·  . .

fq xnx

If (x1,..., xnx , y1,..., yny ) is a non-trivial solution of F , then jacx (F ) is rank defective. y y is a zero of the maximal minors of jac F . ( 1,..., ny ) x ( ) Bernstein/Sturmfels/Zelevinski, Adv. in Math. 1993 M a p × q matrix whose entries are variables. For any monomial ordering, the maximal minors of M are a Gröbner basis of the associated ideal.

13/28 PJ Spaenlehauer Something special happens with minors...

f1  x1  . .  .  jac F  .   .  = x ( ) ·  . .

fq xnx

Faugère/Safey El Din/S., J. of Symb. Comp. 2011 M a k-variate q × p linear matrix (with q > p). Generically, a grevlex GB of hMinors(M)i: linear combination of the generators.

dreg (MaxMinors(jacx (F ))) = nx .

13/28 PJ Spaenlehauer Consequences The complexity of computing a grevlex GB is polynomial in the number of solutions !! Bilinear systems with unbalanced sizes of blocks of variables are easy to solve !!

Complexity

Ane bilinear polynomial f x x y y is said to be ane bilinear if there exists a bilinear ∈ K[ 1,..., nx , 1,..., ny ] polynomial f˜ in x x y y such that K[ 0,..., nx , 0,..., ny ] ˜ f (x1,..., xnx , y1,..., yny ) = f (1, x1,..., xnx , 1, y1,..., yny ).

Faugère/Safey El Din/S., J. of Symb. Comp. 2011 Degree of regularity Let f f be an ane bilinear system in x x y y . Then the 1,..., nx +ny K[ 1,..., nx , 1,..., ny ] highest degree reached during the computation of a Gröbner basis for the grevlex ordering is upper bounded by

min(nx, ny) + 1 nx + ny + 1.

14/28 PJ Spaenlehauer Complexity

min(nx, ny) + 1 nx + ny + 1.

Consequences The complexity of computing a grevlex GB is polynomial in the number of solutions !! Bilinear systems with unbalanced sizes of blocks of variables are easy to solve !!

14/28 PJ Spaenlehauer Problem Given G, nd H such that H · G t = 0 ! i j g y x j g y x j 0 ∀ , , i,0 0 0 + ··· + i,n−1 n−1 n−1 = . ⇒ Bi-homogeneous structure !!

Modeling of McEliece cryptosystem

Based on alternant codes:

secret key: a parity-check matrix of the form

 y0 y1 ... yn−1  y x y x y x  0 0 1 1 ... n−1 n−1 H  . . .  =  . . .. .  ,  . . . .  t−1 t−1 t−1 y0x0 y1x1 ... ynxn

where xi , yj ∈ F2m , with x0,..., xn pairwise distinct and yj 6= 0. public key: a generator matrix G of the same code.

15/28 PJ Spaenlehauer i j g y x j g y x j 0 ∀ , , i,0 0 0 + ··· + i,n−1 n−1 n−1 = . ⇒ Bi-homogeneous structure !!

Modeling of McEliece cryptosystem

Based on alternant codes:

secret key: a parity-check matrix of the form

 y0 y1 ... yn−1  y x y x y x  0 0 1 1 ... n−1 n−1 H  . . .  =  . . .. .  ,  . . . .  t−1 t−1 t−1 y0x0 y1x1 ... ynxn

where xi , yj ∈ F2m , with x0,..., xn pairwise distinct and yj 6= 0. public key: a generator matrix G of the same code.

Problem Given G, nd H such that H · G t = 0 !

15/28 PJ Spaenlehauer Modeling of McEliece cryptosystem

Based on alternant codes:

secret key: a parity-check matrix of the form

 y0 y1 ... yn−1  y x y x y x  0 0 1 1 ... n−1 n−1 H  . . .  =  . . .. .  ,  . . . .  t−1 t−1 t−1 y0x0 y1x1 ... ynxn

where xi , yj ∈ F2m , with x0,..., xn pairwise distinct and yj 6= 0. public key: a generator matrix G of the same code.

Problem Given G, nd H such that H · G t = 0 ! i j g y x j g y x j 0 ∀ , , i,0 0 0 + ··· + i,n−1 n−1 n−1 = . ⇒ Bi-homogeneous structure !!

15/28 PJ Spaenlehauer Faugère/Otmani/Perret/Tilich, Eurocrypt'2010

⇒ add redundancy to the polynomial system linear equations less variables. Moreover, the system is still over-determined and one can extract a subsystem containing only powers of two:

i j a power of two !! g y x j g y x j 0 ∀ , , i,0 0 0 + ··· + i,n−1 n−1 n−1 = .

Decomposing the subsystem over the eld F2

⇒ Bilinear system with nx ny !!! Theoretical and Practical attacks on the quasi-cyclic and dyadic variants of McEliece !!

Cryptanalysis of compact variants of McEliece

Compact variants Goal: reduce the size of the keys. Quasi-cyclic variant: Berger/Cayrel/Gaborit/Otmani Africacrypt'09; Dyadic variant: Misoczy/Barreto SAC'09.

16/28 PJ Spaenlehauer Moreover, the system is still over-determined and one can extract a subsystem containing only powers of two:

i j a power of two !! g y x j g y x j 0 ∀ , , i,0 0 0 + ··· + i,n−1 n−1 n−1 = .

Decomposing the subsystem over the eld F2

⇒ Bilinear system with nx ny !!! Theoretical and Practical attacks on the quasi-cyclic and dyadic variants of McEliece !!

Cryptanalysis of compact variants of McEliece

Compact variants Goal: reduce the size of the keys. Quasi-cyclic variant: Berger/Cayrel/Gaborit/Otmani Africacrypt'09; Dyadic variant: Misoczy/Barreto SAC'09. Faugère/Otmani/Perret/Tilich, Eurocrypt'2010

⇒ add redundancy to the polynomial system linear equations less variables.

16/28 PJ Spaenlehauer Decomposing the subsystem over the eld F2

⇒ Bilinear system with nx ny !!! Theoretical and Practical attacks on the quasi-cyclic and dyadic variants of McEliece !!

Cryptanalysis of compact variants of McEliece

⇒ add redundancy to the polynomial system linear equations less variables. Moreover, the system is still over-determined and one can extract a subsystem containing only powers of two:

i j a power of two !! g y x j g y x j 0 ∀ , , i,0 0 0 + ··· + i,n−1 n−1 n−1 = .

16/28 PJ Spaenlehauer Theoretical and Practical attacks on the quasi-cyclic and dyadic variants of McEliece !!

Cryptanalysis of compact variants of McEliece

⇒ add redundancy to the polynomial system linear equations less variables. Moreover, the system is still over-determined and one can extract a subsystem containing only powers of two:

i j a power of two !! g y x j g y x j 0 ∀ , , i,0 0 0 + ··· + i,n−1 n−1 n−1 = .

Decomposing the subsystem over the eld F2

⇒ Bilinear system with nx ny !!!

16/28 PJ Spaenlehauer Cryptanalysis of compact variants of McEliece

⇒ add redundancy to the polynomial system linear equations less variables. Moreover, the system is still over-determined and one can extract a subsystem containing only powers of two:

i j a power of two !! g y x j g y x j 0 ∀ , , i,0 0 0 + ··· + i,n−1 n−1 n−1 = .

Decomposing the subsystem over the eld F2

⇒ Bilinear system with nx ny !!! Theoretical and Practical attacks on the quasi-cyclic and dyadic variants of McEliece !!

16/28 PJ Spaenlehauer Plan

1 Polynomial System Solving using Gröbner Bases

2 Bilinear Systems and Application to McEliece

3 Determinantal Systems and Applications to MinRank and HFE

17/28 PJ Spaenlehauer The MinRank problem

r ∈ N. M0,..., Mk : k + 1 matrices of size m × m. MinRank

nd λ1,...,λ k such that

k ! X Rank M0 − λi Mi ≤ r. i=1

Multivariate generalization of the Eigenvalue problem. Applications in cryptology, coding theory, ... Kipnis/Shamir Crypto'99, Courtois Asiacrypt'01 Faugère/Levy-dit-Vehel/Perret Crypto'08,... Fundamental NP-hard problem of linear algebra.

Buss, Frandsen, Shallit. The computational complexity of some problems of linear algebra.

18/28 PJ Spaenlehauer The minors modeling The Kipnis-Shamir modeling

Rank(M) ≤ r Rank(M) ≤ r ⇔ ∃x(1),..., x(m−r) ∈ Ker(M).   m Im−r all minors of size r 1 of M vanish.   ( + )    (1) (m−r) M x1 ... x1  0 ·   = .  . . .  m 2 equations of degree r 1.  . . .  r 1 +   + (1) (m−r) k variables. xr ... xr

Few variables, lots of equations, high m(m − r) bilinear equations. degree!! k + r(m − r) variables.

Complexity of solving MinRank using Gröbner bases techniques ? Comparison of the two modelings ? Number of solutions ?

Two algebraic modelings k X M = M0 − λi Mi . i=1

19/28 PJ Spaenlehauer The Kipnis-Shamir modeling

Rank(M) ≤ r ⇔ ∃x(1),..., x(m−r) ∈ Ker(M).   Im−r      (1) (m−r) M x1 ... x1  0 ·   = .  . . .   . . .    (1) (m−r) xr ... xr

m(m − r) bilinear equations. k + r(m − r) variables.

Complexity of solving MinRank using Gröbner bases techniques ? Comparison of the two modelings ? Number of solutions ?

Two algebraic modelings k X M = M0 − λi Mi . i=1

The minors modeling

Rank(M) ≤ r m all minors of size (r + 1) of M vanish.

m 2 equations of degree r 1. r+1 + k variables.

Few variables, lots of equations, high degree!!

19/28 PJ Spaenlehauer Complexity of solving MinRank using Gröbner bases techniques ? Comparison of the two modelings ? Number of solutions ?

Two algebraic modelings k X M = M0 − λi Mi . i=1

The minors modeling The Kipnis-Shamir modeling

Few variables, lots of equations, high m(m − r) bilinear equations. degree!! k + r(m − r) variables.

19/28 PJ Spaenlehauer Two algebraic modelings k X M = M0 − λi Mi . i=1

The minors modeling The Kipnis-Shamir modeling

Few variables, lots of equations, high m(m − r) bilinear equations. degree!! k + r(m − r) variables.

Complexity of solving MinRank using Gröbner bases techniques ? Comparison of the two modelings ? Number of solutions ?

19/28 PJ Spaenlehauer r(m − r) + 1

O(mωk ) O(mω(k+1))

Both modelings → polynomial complexity when k = (m − r)2 is xed. New Crypto challenge broken: 10 generic matrices of size 11 × 11 target rank 8, K = GF(65521). Courtois, Asiacrypt 2001.

m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2.

Modeling: Minors Kipnis-Shamir Degree of regularity when k = (m − r)2 # Sol Complexity

Main results

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

20/28 PJ Spaenlehauer r(m − r) + 1

O(mωk ) O(mω(k+1))

Both modelings → polynomial complexity when k = (m − r)2 is xed. New Crypto challenge broken: 10 generic matrices of size 11 × 11 target rank 8, K = GF(65521). Courtois, Asiacrypt 2001.

Main results

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2.

Modeling: Minors Kipnis-Shamir Degree of regularity Macaulay bound: when k = (m − r)2 ≤ m(m − r) + 1 m−r m! # Sol MH. Bézout: ≤ r Complexity

20/28 PJ Spaenlehauer r(m − r) + 1

O(mωk ) O(mω(k+1))

Both modelings → polynomial complexity when k = (m − r)2 is xed. New Crypto challenge broken: 10 generic matrices of size 11 × 11 target rank 8, K = GF(65521). Courtois, Asiacrypt 2001.

Main results

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2.

Modeling: Minors Kipnis-Shamir Degree of regularity ≤ (m − r)2 + 1 when k = (m − r)2 m−r m! # Sol MH. Bézout: ≤ r Complexity

20/28 PJ Spaenlehauer O(mωk ) O(mω(k+1))

Both modelings → polynomial complexity when k = (m − r)2 is xed. New Crypto challenge broken: 10 generic matrices of size 11 × 11 target rank 8, K = GF(65521). Courtois, Asiacrypt 2001.

Main results

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2.

Modeling: Minors Kipnis-Shamir Degree of regularity r(m − r) + 1 ≤ (m − r)2 + 1 when k = (m − r)2 m−r m! # Sol MH. Bézout: ≤ r Complexity

20/28 PJ Spaenlehauer O(mωk ) O(mω(k+1))

Both modelings → polynomial complexity when k = (m − r)2 is xed. New Crypto challenge broken: 10 generic matrices of size 11 × 11 target rank 8, K = GF(65521). Courtois, Asiacrypt 2001.

Main results

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2.

Modeling: Minors Kipnis-Shamir Degree of regularity r(m − r) + 1 ≤ (m − r)2 + 1 when k = (m − r)2 m−r−1 i m i # Sol Y !( + )! (m − 1 − i)!(m − r + i)! i=0 Complexity

20/28 PJ Spaenlehauer Both modelings → polynomial complexity when k = (m − r)2 is xed. New Crypto challenge broken: 10 generic matrices of size 11 × 11 target rank 8, K = GF(65521). Courtois, Asiacrypt 2001.

Main results

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2.

Modeling: Minors Kipnis-Shamir Degree of regularity r(m − r) + 1 ≤ (m − r)2 + 1 when k = (m − r)2 m−r−1 i m i # Sol Y !( + )! (m − 1 − i)!(m − r + i)! i=0 Complexity O(mωk ) O(mω(k+1))

20/28 PJ Spaenlehauer Main results

System −→ grevlex GB −→ lex GB. Algorithms grevlex GB Change of Ordering ω n + dreg Complexity O O (n · #Solω) dreg

m: size of the matrices, k: number of matrices, r: target rank. k = (m − r)2.

Both modelings → polynomial complexity when k = (m − r)2 is xed. New Crypto challenge broken: 10 generic matrices of size 11 × 11 target rank 8, K = GF(65521). Courtois, Asiacrypt 2001.

20/28 PJ Spaenlehauer Bilinear systems ↔ determinantal systems f1,..., fq ∈ K[X , Y ]: bilinear forms.

f f  ∂ 1 ... ∂ 1   x  f  ∂x0 ∂xnx 0 1  . . .  . .  . .. .  ·  .  =  .        ∂fq ∂fq ... xnx fq ∂x0 ∂xnx

f1 = ... = fq = 0 ⇐⇒ MaxMinors (JacX (f1,..., fq)) = 0.

Minors modeling

Minors modeling:

Rank(M) ≤ r m all minors of size (r + 1) of M vanish.

Determinantal ideal

21/28 PJ Spaenlehauer Minors modeling

Minors modeling:

Rank(M) ≤ r m all minors of size (r + 1) of M vanish.

Determinantal ideal

Bilinear systems ↔ determinantal systems f1,..., fq ∈ K[X , Y ]: bilinear forms.

f f  ∂ 1 ... ∂ 1   x  f  ∂x0 ∂xnx 0 1  . . .  . .  . .. .  ·  .  =  .        ∂fq ∂fq ... xnx fq ∂x0 ∂xnx

f1 = ... = fq = 0 ⇐⇒ MaxMinors (JacX (f1,..., fq)) = 0.

21/28 PJ Spaenlehauer Determinantal ideals

What is known Determinantal ideals: Bernstein/Zelevinsky J. of Alg. Comb. 93, Bruns/Conca 98, Sturmfels/Zelevinsky Adv. Math. 98, Conca/Herzog AMS'94, Lascoux 78, Abhyankar 88... Geometry of determinantal varieties: Room 39, Fulton Duke Math. J. 91, Giusti/Merle Int. Conf. on Alg. Geo. 82... Polar varieties: Bank/Giusti/Heintz/Safey/Schost AAECC'10,Bank/Giusti/Heintz/Pardo J. of Compl. 05, Safey/Schost ISSAC'03, Teissier Pure and Appl. Math. 91...

22/28 PJ Spaenlehauer ISSAC'2010 The degree of I is

m−r−1 Y i!(m + i)! . (m − 1 − i)!(m − r + i)! i=0

ISSAC'2010 The Hilbert series of I is det(A(t)) HS t I ( ) = r . 2 t 2 (1 − t)k−(m−r)

 f1,1 ... f1,m  . . . I = Minorsr 1  . . .  +  . . .  fm,1 ... fm,m

transfer of properties of D by adding hvi,j − fi,j i

Properties of Determinantal Ideals

 v1,1 ... v1,m  . . . D = Minorsr 1  . . .  +  . . .  vm,1 ... vm,m Thom, Porteous, Giambelli, Harris-Tu, ... The degree of D is

m−r−1 Y i!(m + i)! . (m − 1 − i)!(m − r + i)! i=0

Conca/Herzog, Abhyankar The Hilbert series of D is det(A(t)) HS t D( ) = r . t 2 (1 − t)(2m−r)r

m i m j X − − ` Ai j (t) = t . , ` ` `

23/28 PJ Spaenlehauer ISSAC'2010 The degree of I is

m−r−1 Y i!(m + i)! . (m − 1 − i)!(m − r + i)! i=0

ISSAC'2010 The Hilbert series of I is det(A(t)) HS t I ( ) = r . 2 t 2 (1 − t)k−(m−r)

transfer of properties of D by adding hvi,j − fi,j i

Properties of Determinantal Ideals

 v1,1 ... v1,m   f1,1 ... f1,m  ...... D = Minorsr 1  . . .  I = Minorsr 1  . . .  +  . . .  +  . . .  vm,1 ... vm,m fm,1 ... fm,m Thom, Porteous, Giambelli, Harris-Tu, ... The degree of D is

m−r−1 Y i!(m + i)! . (m − 1 − i)!(m − r + i)! i=0

Conca/Herzog, Abhyankar The Hilbert series of D is det(A(t)) HS t D( ) = r . t 2 (1 − t)(2m−r)r

m i m j X − − ` Ai j (t) = t . , ` ` `

23/28 PJ Spaenlehauer ISSAC'2010 The degree of I is

m−r−1 Y i!(m + i)! . (m − 1 − i)!(m − r + i)! i=0

ISSAC'2010 The Hilbert series of I is det(A(t)) HS t I ( ) = r . 2 t 2 (1 − t)k−(m−r)

Properties of Determinantal Ideals

m−r−1 Y i!(m + i)! . (m − 1 − i)!(m − r + i)! i=0

Conca/Herzog, Abhyankar The Hilbert series of D is det(A(t)) HS t D( ) = r . t 2 (1 − t)(2m−r)r

m i m j X − − ` Ai j (t) = t . , ` ` `

transfer of properties of D by adding hvi,j − fi,j i

23/28 PJ Spaenlehauer Properties of Determinantal Ideals

 v1,1 ... v1,m   f1,1 ... f1,m  ...... D = Minorsr 1  . . .  I = Minorsr 1  . . .  +  . . .  +  . . .  vm,1 ... vm,m fm,1 ... fm,m Thom, Porteous, Giambelli, Harris-Tu, ... ISSAC'2010 The degree of D is The degree of I is

m−r−1 m−r−1 Y i!(m + i)! Y i!(m + i)! . . (m − 1 − i)!(m − r + i)! (m − 1 − i)!(m − r + i)! i=0 i=0

Conca/Herzog, Abhyankar ISSAC'2010 The Hilbert series of D is The Hilbert series of I is det(A(t)) det(A(t)) HS t HS t D( ) = r . I ( ) = r . 2 t 2 (1 − t)(2m−r)r t 2 (1 − t)k−(m−r)

m i m j X − − ` Ai j (t) = t . , ` ` `

transfer of properties of D by adding hvi,j − fi,j i

23/28 PJ Spaenlehauer Number of matrices and rank defect xed. 0-dimensional case. Corollary: asymptotic complexity When k = (m − r)2 is xed, then the complexity of the Gröbner basis computation of the minors modeling is O mωk .

Complexity of the minors formulation (ISSAC'2010)

Degree of regularity for a 0-dim ideal = 1+ degree of the Hilbert series. Corollary The degree of regularity of I is generically equal to

dreg = r(m − r) + 1.

24/28 PJ Spaenlehauer Complexity of the minors formulation (ISSAC'2010)

Degree of regularity for a 0-dim ideal = 1+ degree of the Hilbert series. Corollary The degree of regularity of I is generically equal to

dreg = r(m − r) + 1.

Number of matrices and rank defect xed. 0-dimensional case. Corollary: asymptotic complexity When k = (m − r)2 is xed, then the complexity of the Gröbner basis computation of the minors modeling is O mωk .

24/28 PJ Spaenlehauer Complexity of the Change of Ordering (ISSAC 2010) The complexity of FGLM is upper bounded by O (#Sol ω) . If k = (m − r)2, then k O (#Sol ω) = O mω .

Complexity of the Change of Ordering

Corollary: generic number of solutions The number of solutions of a generic MinRank problem with k = (m − r)2 is

m−r−1 Y i!(m + i)! #Sol = (m − 1 − i)!(m − r + i)! i=0 m−r−1 k Y i! ∼ m . m→∞ (m − r + i)! i=0

25/28 PJ Spaenlehauer Complexity of the Change of Ordering

Corollary: generic number of solutions The number of solutions of a generic MinRank problem with k = (m − r)2 is

m−r−1 Y i!(m + i)! #Sol = (m − 1 − i)!(m − r + i)! i=0 m−r−1 k Y i! ∼ m . m→∞ (m − r + i)! i=0

Complexity of the Change of Ordering (ISSAC 2010) The complexity of FGLM is upper bounded by O (#Sol ω) . If k = (m − r)2, then k O (#Sol ω) = O mω .

25/28 PJ Spaenlehauer Computational bottleneck: computing the minors. Computing eort needed for solving Challenge C: 238 days on 64 quadricore processors.

Experimental results

Courtois. Asiacrypt'01. Ecient zero-knowledge authentication based on a linear algebra problem MinRank. K = GF(65521)( m, k, r): k matrices of size m × m. Target rank: r. Challenge A B C (6, 9, 3) (7, 9, 4) (8, 9, 5) (9, 9, 6) (11, 9, 8) degree 980 4116 14112 41580 259545 Minors modeling dreg 10 13 16 19 F5 time 1.1s 28.4s 544s 9048s - F5 mem 488 MB 587 MB 1213 MB 5048 MB - log2(Nb op.) 21.5 25.9 29.2 32.7 FGLM time 0.5s 28.5s 1033s 22171s - Kipnis-Shamir modeling dreg 5 6 7 F5 time 30s 3795s 328233s ∞ F5 mem 407 MB 3113 MB 58587 MB log2(Nb op.) 30.5 37.1 43.4 FGLM time 35s 2580s ∞

26/28 PJ Spaenlehauer Experimental results

26/28 PJ Spaenlehauer masked by linear transforms!!

⇒ the secret polynomial can be recovered by solving a MinRank problem. Bettale/Faugère/Perret, PKC 2011 The complexity of solving this MinRank problem is upper bounded by

r 1 O n( + )ω .

algebraic attack with polynomial complexity in n !! attacks on odd-characteristic variants; generalizations to multi-HFE.

Algebraic cryptanalysis of (multi-)HFE

Patarin, Eurocrypt'96 Billet/Patarin/Seurin, ICSCC'08 Ding/Schmitt/Werner, Information Security, 2008

i j X q +q P x p x n with r n ( ) = i,j ∈ Fq , 0≤i,j≤r n n low-rank quadratic form (Fq) → (Fq)

27/28 PJ Spaenlehauer ⇒ the secret polynomial can be recovered by solving a MinRank problem. Bettale/Faugère/Perret, PKC 2011 The complexity of solving this MinRank problem is upper bounded by

r 1 O n( + )ω .

algebraic attack with polynomial complexity in n !! attacks on odd-characteristic variants; generalizations to multi-HFE.

Algebraic cryptanalysis of (multi-)HFE

Patarin, Eurocrypt'96 Billet/Patarin/Seurin, ICSCC'08 Ding/Schmitt/Werner, Information Security, 2008

i j X q +q P x p x n with r n ( ) = i,j ∈ Fq , 0≤i,j≤r n n low-rank quadratic form (Fq) → (Fq) masked by linear transforms!!

27/28 PJ Spaenlehauer Algebraic cryptanalysis of (multi-)HFE

Patarin, Eurocrypt'96 Billet/Patarin/Seurin, ICSCC'08 Ding/Schmitt/Werner, Information Security, 2008

i j X q +q P x p x n with r n ( ) = i,j ∈ Fq , 0≤i,j≤r n n low-rank quadratic form (Fq) → (Fq) masked by linear transforms!!

⇒ the secret polynomial can be recovered by solving a MinRank problem. Bettale/Faugère/Perret, PKC 2011 The complexity of solving this MinRank problem is upper bounded by

r 1 O n( + )ω .

algebraic attack with polynomial complexity in n !! attacks on odd-characteristic variants; generalizations to multi-HFE.

27/28 PJ Spaenlehauer Other possible applications in Crypto of structured systems Rank metric codes (Gabidulin/Ourivski/Honary/Ammar IEEE IT, 2003). classical McEliece PKC (McEliece 1978).

Algorithmic problems

Dedicated F5 algorithm for multi-homogeneous systems. (Faugère, Safey, S., J. of Symb. Comp. 2011) Dedicated algorithm for determinantal systems ?

Conclusion and Perspectives

Structures have an impact on the complexity of the solving process in algebraic cryptanalysis !

Structure Design, key size reduction,. . . ←→ potential algebraic attacks.

28/28 PJ Spaenlehauer Algorithmic problems

Dedicated F5 algorithm for multi-homogeneous systems. (Faugère, Safey, S., J. of Symb. Comp. 2011) Dedicated algorithm for determinantal systems ?

Conclusion and Perspectives

Structures have an impact on the complexity of the solving process in algebraic cryptanalysis !

Structure Design, key size reduction,. . . ←→ potential algebraic attacks.

Other possible applications in Crypto of structured systems Rank metric codes (Gabidulin/Ourivski/Honary/Ammar IEEE IT, 2003). classical McEliece PKC (McEliece 1978).

28/28 PJ Spaenlehauer Conclusion and Perspectives

Structures have an impact on the complexity of the solving process in algebraic cryptanalysis !

Structure Design, key size reduction,. . . ←→ potential algebraic attacks.

Other possible applications in Crypto of structured systems Rank metric codes (Gabidulin/Ourivski/Honary/Ammar IEEE IT, 2003). classical McEliece PKC (McEliece 1978).

Algorithmic problems

Dedicated F5 algorithm for multi-homogeneous systems. (Faugère, Safey, S., J. of Symb. Comp. 2011) Dedicated algorithm for determinantal systems ?

28/28 PJ Spaenlehauer