Grbner Bases: a Tools for Cryptology Jean-Charles Faugre PolSys - - - PowerPoint PPT Presentation

Gröbner Bases: a Tools for Cryptology

Jean-Charles Faugère PolSys - INRIA/UPMC

ECRYPT II Summer School on Tools 2012

Plan

Gröbner Bases: a Tools for Cryptology

☞ Introduction to Algebraic Cryptanalysis and Gröbner bases. Part I Efficient algorithms and linear algebra. Part II Complexity of computing Gröbner bases.

Polynomial System Solving and Applications

K ⊆ L Multivariate Polynomial Problem (PoSSo) Input: (f1, . . . , fm) ∈ K[x1, . . . , xn]m Question: Find – if any – z ∈ Ln such that f1(z) = ∙ ∙ ∙ = fm(z) = 0. Denote by VL the set of solutions. Focus Algebraic Computations Exact methods Approach Algorithms and complexity analysis Applications to validate the performance Write efficient software (integration in Maple).

Gröbner Bases

Buchberger (1965)

In this talk we focus on Gröbner bases methods. One of the fastest method to solve polynomial equations when K = L = Fq or K = Q and L = R or L = C Other efficient methods: Numerical methods: homotopy methods (continuation methods) Resultants Triangular Sets SAT Solvers in the Boolean case K = L = F2 . . .

Gröbner Bases

Definition (Buchberger 65) I a polynomial ideal. Gröbner basis (w.r.t. ≺ a monomial ordering): G ⊂ I a finite set of polynomials such that LM(I) = LM(G). Bruno Buchberger

☞ definition of a reduction function

Theorem (Buchberger) f∈ I iff Reduction(f, G) = 0

Gröbner Bases

Definition (Buchberger 65) I a polynomial ideal. Gröbner basis (w.r.t. ≺ a monomial ordering): G ⊂ I a finite set of polynomials such that LM(I) = LM(G). Theorem VF2 = ∅ ( no solution) iff GF2 = [1]. VF2 has exactly one solution iff GF2 = [x1 − a1, . . . , xn − an] where (a1, . . . , an) ∈ Fn

2.

Most of the time, if #VK < ∞ the shape of a Gröbner Basis for a lexicographical ordering x1 > ∙ ∙ ∙ > xn is the following:

Gröbner Bases

Definition (Buchberger 65) I a polynomial ideal. Gröbner basis (w.r.t. ≺ a monomial ordering): G ⊂ I a finite set of polynomials such that LM(I) = LM(G). Theorem VF2 = ∅ ( no solution) iff GF2 = [1]. VF2 has exactly one solution iff GF2 = [x1 − a1, . . . , xn − an] where (a1, . . . , an) ∈ Fn

2.

Most of the time, if #VK < ∞ the shape of a Gröbner Basis for a lexicographical ordering x1 > ∙ ∙ ∙ > xn is the following: Shape Position          hn(xn) xn−1 − hn−1(xn) . . . x1 − h1(xn)

Algorithms to compute GB

Usually a two steps process: Input System Gröbner Basis: total degree Gröbner Basis: lexicographical FGLM: ≈ minimal polynomial

• f some matrix

Buchberger F4/F5 rely on linear algebra

Algebraic Cryptanalysis

Crypto ← →Computer Algebra

Algebraic Cryptanalysis

A General Method for Cryptanalysis Security of a cryptosystem hardness of solving a related multivariate polynomial system Cryptosystem (+ messages, ciphertexts, ...)

4 x2 + 5 x + 6 y2 + 3 y z + 5 y + 1 = 0 5 x2 + x y + 2 x z + 6 z2 + 3 z + 3 = 0 6 x z + 5 y2 + 2 y + 4 z2 + 6 z + 5 = 0

Secret Modeling

Algebraic Cryptanalysis

A General Method for Cryptanalysis Security of a cryptosystem hardness of solving a related multivariate polynomial system Cryptosystem (+ messages, ciphertexts, ...)

4 x2 + 5 x + 6 y2 + 3 y z + 5 y + 1 = 0 5 x2 + x y + 2 x z + 6 z2 + 3 z + 3 = 0 6 x z + 5 y2 + 2 y + 4 z2 + 6 z + 5 = 0 x = 4 y = 2 z = 0

Secret Modeling Solving

New trend

Very often experiment is needed to test the efficiency of the solving step. New trend Theoretical complexity analysis to explain the behavior of the attack

This is also useful to help the designers of new cryptosystems.

Roadmap: Specificity of the Cryptosystem − → Structured System What is the complexity of solving Structured System ?

Polynomial System Solving: structured systems

K ⊆ L Multivariate Polynomial Problem (PoSSo) Input: (f1, . . . , fm) ∈ K[x1, . . . , xn]m Question: Find – if any – one z ∈ Ln such that f1(z) = ∙ ∙ ∙ = fm(z) = 0. NP-hard even when K = K2

Polynomial System Solving: structured systems

K ⊆ L Multivariate Polynomial Problem (PoSSo) Input: (f1, . . . , fm) ∈ K[x1, . . . , xn]m Question: Find – if any – one z ∈ Ln such that f1(z) = ∙ ∙ ∙ = fm(z) = 0.

☞ Try to identify families of systems which are “easier to solve”:

Polynomial System Solving: structured systems

K ⊆ L Multivariate Polynomial Problem (PoSSo) Input: (f1, . . . , fm) ∈ K[x1, . . . , xn]m Question: Find – if any – one z ∈ Ln such that f1(z) = ∙ ∙ ∙ = fm(z) = 0.

☞ Try to identify families of systems which are “easier to solve”:

Almost all systems occurring in applications have a special structure: Symmetries: equations are left invariant by the action of a finite group. Sparse equations Overdetermined systems m ≫ n Multihomogeneous structure . . .

Sparse Equations

Boolean Case K = L = F2 Sparse = each equation depends on ℓ variables, the expected complexity of the Agreeing-Gluing Algorithm is: O(20.711n) when ℓ = 6 O(20.405n) when ℓ = 3 .

• I. Semaev.

Sparse algebraic equations over finite fields. SIAM J. Comput., 39(2):388–409, 2009.

Part I

Efficient algorithms and linear algebra.

Simple matrix F5 algorithm. Fast Change of Ordering. Structured linear algebra to speedup the computations.

F5 algorithm: simple matrix version

Get rid of the trivial relations: fifj − fjfi = 0 f 2

i − fi = 0 when K = F2

Incremental algorithm (f1) + Gprev Incremental degree by degree Special/Simpler version of F5 for dense/generic quadratic polynomials. the maximal degree D is a parameter of the algorithm.

               m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .               

F5: compute Groebner (f1, . . . , fk), d + 1)

Already computed Groebner (f1, . . . , fk), d) Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                    

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                    

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

Matrix in degree d + 1

                t1 t2 t3 t4 t5 . . . . . . . . . w1xj fk 1 x x x . . . w1xj+1fk 1 x x . . . . . . . . . . . . . . . . . . . . . . . . w1xnfk 1 x . . . . . . . . .                

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

Matrix in degree d + 1

                  t1 t2 t3 t4 t5 . . . . . . . . . w1xj fk 1 x x x . . . w1xj+1fk 1 x x . . . . . . . . . . . . . . . . . . . . . . . . w1xnfk 1 x . . . . . . . . .                  

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

Matrix in degree d + 1

                  t1 t2 t3 t4 t5 . . . . . . . . . w1xj fk 1 x x x . . . w1xj+1fk 1 x x . . . . . . . . . . . . . . . . . . . . . . . . w1xnfk 1 x . . . . . . . . .                  

Remove w1xj+1fk iff

w1xj+1 ∈ LT(f1, . . . , fk−1)

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

Matrix in degree d + 1

                  t1 t2 t3 t4 t5 . . . . . . . . . w1xj fk 1 x x x . . . w1xj+1fk 1 x x . . . . . . . . . . . . . . . . . . . . . . . . w1xnfk 1 x . . . . . . . . .                  

Remove w1xj+1fk iff

w1xj+1 ∈ LT(Groebner (f1, . . . , fk−1), d − 1)

Structure inside Gröbner basis computation

F4/F5 algorithms develop specifjc linear algebra algorithms and implementations. linear algebra: a key step for Gröbner bases

take into

account the specific properties

• f the matrices.

Minrank: [Issac 2010] 935s − → [Pasco 2010] 73s

Sparse and Fast FGLM

joint work with C. Mou, L. Huot, P. Gaudry, PJ Spaenlehauer

Use the sparsity Fast asymptotic version of FGLM

FGLM - Bottleneck

with C. Mou

Input System Gröbner Basis: total degree Gröbner Basis: lexicographical Bottleneck! FGLM: ≈ minimal polynomial

• f some matrix

Buchberger F4/F5 rely on linear algebra

FGLM - Bottleneck

with C. Mou

Input System Gröbner Basis: total degree Gröbner Basis: lexicographical Bottleneck! FGLM: ≈ minimal polynomial

• f some matrix

Buchberger F4/F5 rely on linear algebra

Magma

MinRank(9,7,4) MinRank(9,8,5) Random(14, 2) Random(15, 2) D 4116 14112 214 215 Step 1 208.1s 3343.5s 7832.4s 74862.9s Step 2 1360.4s >1 day 84374.6s >15 days

FGLM - Bottleneck

with C. Mou

Input System Gröbner Basis: total degree Gröbner Basis: lexicographical Bottleneck! FGLM: ≈ minimal polynomial

• f some matrix

Buchberger F4/F5 rely on linear algebra

Magma

MinRank(9,7,4) MinRank(9,8,5) Random(14, 2) Random(15, 2) D 4116 14112 214 215 Step 1 208.1s 3343.5s 7832.4s 74862.9s Step 2 1360.4s >1 day 84374.6s >15 days Goal: a faster algorithm for the change of ordering

FGLM in a nutshell

Input: some Gröbner basis G1 of I for some order <1 D is the number of solutions NormalForm(f) = 0 ⇔ f ∈ I Step 1: Compute B = [b1, . . . , bD], the canonical basis of K[x1, . . . , xn]/G1 ordered according to <1 Step 2: Construct multiplication matrices Ti Multiplication matrix by xi : (D × D)-matrix represent: bj − → NormalForm(xibj), j = 1, . . . , D.

◮ change of ordering ⇋ linear algebra on Ti

FGLM in a nutshell

Step 3: Handles terms in K[x1, . . . , xn] one by one according to <2

FGLM in a nutshell

Step 3: Handles terms in K[x1, . . . , xn] one by one according to <2 monomial xs s = (s1, . . . , sn) xk

1

= ⇒ = ⇒ coordinate vector vs = T s1

1 ∙ ∙ ∙ T sn n 1,

where 1 = (1, 0, . . . , 0)t T k

1 1

FGLM in a nutshell

Step 3: Handles terms in K[x1, . . . , xn] one by one according to <2 monomial xs s = (s1, . . . , sn) xk

1

= ⇒ = ⇒ coordinate vector vs = T s1

1 ∙ ∙ ∙ T sn n 1,

where 1 = (1, 0, . . . , 0)t T k

1 1

a polynomial in G2 f =

s cs xs

• i λixk

1 ∈ I

⇐ = ⇐ = a linear dependency

• s csvs = 0
• i λiT k

1 1 = 0

FGLM in a nutshell

Step 3: Handles terms in K[x1, . . . , xn] one by one according to <2 monomial xs s = (s1, . . . , sn) xk

1

= ⇒ = ⇒ coordinate vector vs = T s1

1 ∙ ∙ ∙ T sn n 1,

where 1 = (1, 0, . . . , 0)t T k

1 1

a polynomial in G2 f =

s cs xs

• i λixk

1 ∈ I

⇐ = ⇐ = a linear dependency

• s csvs = 0
• i λiT k

1 1 = 0

change of ordering ⇋ linear algebra O(nD3): Gaussian elimination

Sparse FGLM: Key observation 1

with C. Mou

T1, . . . , Tn are sparse, especially T1.

T1 for Random(3, 10): 1000 × 1000, 6.86%

DLP Edwards Cyclic10 MinRank (9,9,6) D 4096 34940 41580 Sparsity 3.4% 1.0% 16% Random(3, 14) Random(3, 40) D 2744 64000 Sparsity 4.2% 1.6%

Sparse FGLM: Key observation 1

with C. Mou

T1, . . . , Tn are sparse, especially T1.

T1 for Random(3, 10): 1000 × 1000, 6.86%

DLP Edwards Cyclic10 MinRank (9,9,6) D 4096 34940 41580 Sparsity 3.4% 1.0% 16% Random(3, 14) Random(3, 40) D 2744 64000 Sparsity 4.2% 1.6% Theorem (F., Mou, 2011) n is fixed. For generic polynomial systems of degree d: % of nonzero entries

∼ d→∞

• 6

π 1 d n

1 2

Density: theoretical bound vs practice

10 20 30 40

1% 3% 5% 10%

Random equations of degree d in 3 variables d Density of T1 Theoretical bound Experimental Sparsity

First case: Shape position case

Assume that I is in shape position: Shape position [Becker, Mora, Marinari, and Traverso 1994] Ideal I ⊂ K[x1, . . . , xn] is in shape position if its Gröbner basis w.r.t. LEX (x1 < ∙ ∙ ∙ < xn) is of the form [f1(x1), x2 − f2(x1), . . . , xn − fn(x1)].

First case: Shape position case

Shape position [Becker, Mora, Marinari, and Traverso 1994] Ideal I ⊂ K[x1, . . . , xn] is in shape position if its Gröbner basis w.r.t. LEX (x1 < ∙ ∙ ∙ < xn) is of the form [f1(x1), x2 − f2(x1), . . . , xn − fn(x1)]. Recover f1: Wiedemann algorithm Construct s = [r, T i

11 : i = 0, . . . , 2 D − 1], with r a random vector

⇓ Compute ˜ f1 from s via Berlekamp–Massey algorithm ⇓ Check deg(˜ f1) = D

First case: Shape position case

Shape position [Becker, Mora, Marinari, and Traverso 1994] Ideal I ⊂ K[x1, . . . , xn] is in shape position if its Gröbner basis w.r.t. LEX (x1 < ∙ ∙ ∙ < xn) is of the form [f1(x1), x2 − f2(x1), . . . , xn − fn(x1)]. Recover f1: Wiedemann algorithm Construct s = [r, T i

11 : i = 0, . . . , 2 D − 1], with r a random vector

⇓ Compute ˜ f1 from s via Berlekamp–Massey algorithm ⇓ Check deg(˜ f1) = D shape position

Shape position case

Suppose fi = D−1

k=0 ci,kxk 1 ( for i = 2, . . . , n)

Recover f2, . . . , fn: constructing linear equations NormalForm(xi − D−1

k=0 ci,kxk 1 ) = 0

⇓ Ti1 = D−1

k=0 ci,k ∙ T k 1 1

⇓ r, T j

1Ti1 = D−1 k=0 ci,k ∙ r, T k+j 1

1, j = 0, . . . , D − 1

• (T t

1)jr, Ti1 = D−1 k=0 ci,k ∙ (T t 1)k+jr, 1,

j = 0, . . . , D − 1

Shape position case

Suppose fi = D−1

k=0 ci,kxk 1 ( for i = 2, . . . , n)

Recover f2, . . . , fn: constructing linear equations NormalForm(xi − D−1

k=0 ci,kxk 1 ) = 0

⇓ T j

1Ti1 = D−1 k=0 ci,k ∙ T j 1T k 1 1

⇓ r, T j

1Ti1 = D−1 k=0 ci,k ∙ r, T k+j 1

1, j = 0, . . . , D − 1

• (T t

1)jr, Ti1 = D−1 k=0 ci,k ∙ (T t 1)k+jr, 1,

j = 0, . . . , D − 1

Shape position case

Suppose fi = D−1

k=0 ci,kxk 1 ( for i = 2, . . . , n)

Recover f2, . . . , fn: constructing linear equations NormalForm(xi − D−1

k=0 ci,kxk 1 ) = 0

⇓ T j

1Ti1 = D−1 k=0 ci,k ∙ T j 1T k 1 1

⇓ r, T j

1Ti1 = D−1 k=0 ci,k ∙ r, T k+j 1

1, j = 0, . . . , D − 1

• (T t

1)jr, Ti1 = D−1 k=0 ci,k ∙ (T t 1)k+jr, 1,

j = 0, . . . , D − 1

Shape position case

Suppose fi = D−1

k=0 ci,kxk 1 ( for i = 2, . . . , n)

Recover f2, . . . , fn: constructing linear equations NormalForm(xi − D−1

k=0 ci,kxk 1 ) = 0

⇓ T j

1Ti1 = D−1 k=0 ci,k ∙ T j 1T k 1 1

⇓ r, T j

1Ti1 = D−1 k=0 ci,k ∙ r, T k+j 1

1, j = 0, . . . , D − 1

• (T t

1)jr, Ti1 = D−1 k=0 ci,k ∙ (T t 1)k+jr, 1,

j = 0, . . . , D − 1 H=      (T t

1)0r, 1

(T t

1)1r, 1

∙ ∙ ∙ (T t

1)D−1r, 1

(T t

1)1r, 1

(T t

1)2r, 1

∙ ∙ ∙ (T t

1)Dr, 1

. . . . . . ... . . . (T t

1)D−1r, 1

(T t

1)Dr, 1

∙ ∙ ∙ (T t

1)2D−2r, 1

     ,b=    r, Ti1 . . . (T t

1)D−1r, Ti1

  

Shape position case

Solve: H ci = b with ci =t [ci,0, . . . , ci,D−1] H =      (T t

1)0r, 1

• (T t

1)1r, 1

• ∙ ∙ ∙
• (T t

1)D−1r, 1

• (T t

1)1r, 1

• (T t

1)2r, 1

∙ ∙ ∙ (T t

1)Dr, 1

. . . . . . ... . . .

• (T t

1)D−1r, 1

• (T t

1)Dr, 1

∙ ∙ ∙ (T t

1)2D−2r, 1

     Matrix H is a Hankel matrix:

Shape position case

Solve: H ci = b with ci =t [ci,0, . . . , ci,D−1] H =      (T t

1)0r, 1

• (T t

1)1r, 1

• ∙ ∙ ∙
• (T t

1)D−1r, 1

• (T t

1)1r, 1

• (T t

1)2r, 1

∙ ∙ ∙ (T t

1)Dr, 1

. . . . . . ... . . .

• (T t

1)D−1r, 1

• (T t

1)Dr, 1

∙ ∙ ∙ (T t

1)2D−2r, 1

     Matrix H is a Hankel matrix: Its construction is free: s = [r, T i

11 = (T t 1)ir, 1 : i = 0, . . . , (2 D − 2)]

It is invertible: relationship between linear recurring sequences and Hankel matrices [Jonckheere and Ma 1989] Solving efficiently H x = b: complexity O(D log2(D)) [Brent, Gustavson,

and Yun 1980].

Shape position case

Solve: H ci = b with ci =t [ci,0, . . . , ci,D−1] H =      (T t

1)0r, 1

• (T t

1)1r, 1

• ∙ ∙ ∙
• (T t

1)D−1r, 1

• (T t

1)1r, 1

• (T t

1)2r, 1

∙ ∙ ∙ (T t

1)Dr, 1

. . . . . . ... . . .

• (T t

1)D−1r, 1

• (T t

1)Dr, 1

∙ ∙ ∙ (T t

1)2D−2r, 1

     Matrix H is a Hankel matrix: Its construction is free: s = [r, T i

11 = (T t 1)ir, 1 : i = 0, . . . , (2 D − 2)]

It is invertible: relationship between linear recurring sequences and Hankel matrices [Jonckheere and Ma 1989] Solving efficiently H x = b: complexity O(D log2(D)) [Brent, Gustavson,

and Yun 1980].

Construction of (T t

1)jr, Ti1 is also free: v is also free.

Shape position case

Total complexity for ideals in shape position O(D(#T1 + n log(D))): #T1 the number of nonzero entries in T1 compared with O(nD3) for FGLM computing the minimal polynomial of T1.

Shape position case

Total complexity for ideals in shape position O(D(#T1 + n log(D))): #T1 the number of nonzero entries in T1 compared with O(nD3) for FGLM computing the minimal polynomial of T1. Random polynomial systems n be fixed / d → +∞: the complexity is O( 1

√nD2+ n−1

n )

General case (non shape position)

Define a n-dimensional mapping E : Zn

≥0 −

→ K as (s1, . . . , sn) − → r, T s1

1 ∙ ∙ ∙ T sn n 1.

General case (non shape position)

Define a n-dimensional mapping E : Zn

≥0 −

→ K as (s1, . . . , sn) − → r, T s1

1 ∙ ∙ ∙ T sn n 1.

According to FGLM, a polynomial f = xl +

s=l cs cl xs in G2 is

determined by

• s

csT s1

1 ∙ ∙ ∙ T sn n 1 = 0.

Can be found using BMS:

General case (non shape position)

Define a n-dimensional mapping E : Zn

≥0 −

→ K as (s1, . . . , sn) − → r, T s1

1 ∙ ∙ ∙ T sn n 1.

According to FGLM, a polynomial f = xl +

s=l cs cl xs in G2 is

determined by

• s

csT s1

1 ∙ ∙ ∙ T sn n 1 = 0.

Can be found using BMS: Sparse matrix = ⇒ Wiedemann algorithm = ⇒ Berlekamp–Massey = ⇒ BMS (from Coding Theory) multi-dimensional generalization of Berlekamp–Massey algorithm

[Sakata 1988 & 1990; Saints and Heegard 2002]

General Algorithm

Main Algorithm

Input: T1, . . . , Tn Construct the linearly recurring sequence s Compute ˜ f with BM deg( ˜ f) = D? Yes No Recover f2, . . . , fn Compute F with BMS F = G2? Yes No Compute G2 with FGLM End End End

Deterministic algorithm

Fast FGLM

If the matrices are not sparse ...(with P. Gaudry, L. Huot and G. Renault)

In the shape position case: we can apply the same algorithm. All wee need is to compute efficiently: T ′

1 1 r, T ′ 1 2 r, ∙ ∙ ∙ , T ′ 1 2 D−1 r with T ′ 1 = T t 1

Fast FGLM

If the matrices are not sparse ...(with P. Gaudry, L. Huot and G. Renault)

In the shape position case: we can apply the same algorithm. All wee need is to compute efficiently: T ′

1 1 r, T ′ 1 2 r, ∙ ∙ ∙ , T ′ 1 2 D−1 r with T ′ 1 = T t 1

[Keller-Gehrig]: assuming that we can multiply two n × n matrices in O(nω) operations (with ω < 3). First we compute: T ′

1, T ′ 1 2, T ′ 1 4, T ′ 1 8, ...., T ′ 1 2k with k = 1 + [log2(D)]

Fast FGLM

If the matrices are not sparse ...(with P. Gaudry, L. Huot and G. Renault)

In the shape position case: we can apply the same algorithm. All wee need is to compute efficiently: T ′

1 1 r, T ′ 1 2 r, ∙ ∙ ∙ , T ′ 1 2 D−1 r with T ′ 1 = T t 1

[Keller-Gehrig]: assuming that we can multiply two n × n matrices in O(nω) operations (with ω < 3). First we compute: T ′

1, T ′ 1 2, T ′ 1 4, T ′ 1 8, ...., T ′ 1 2k with k = 1 + [log2(D)]

Then : (T ′

1 3 r, T ′ 1 2 r) = T ′ 1 2 (T ′ 1 r, r)

(T ′

1 7 r, T ′ 1 6 r, T ′ 1 5 r, T ′ 1 4 r) = T ′ 1 4 (T ′ 1 3 r, T ′ 1 2 r, T ′ 1 r, r)

∙ ∙ ∙

Fast FGLM

If the matrices are not sparse ...(with P. Gaudry, L. Huot and G. Renault)

In the shape position case: we can apply the same algorithm. All wee need is to compute efficiently: T ′

1 1 r, T ′ 1 2 r, ∙ ∙ ∙ , T ′ 1 2 D−1 r with T ′ 1 = T t 1

[Keller-Gehrig]: assuming that we can multiply two n × n matrices in O(nω) operations (with ω < 3). First we compute: T ′

1, T ′ 1 2, T ′ 1 4, T ′ 1 8, ...., T ′ 1 2k with k = 1 + [log2(D)]

Then : (T ′

1 3 r, T ′ 1 2 r) = T ′ 1 2 (T ′ 1 r, r)

(T ′

1 7 r, T ′ 1 6 r, T ′ 1 5 r, T ′ 1 4 r) = T ′ 1 4 (T ′ 1 3 r, T ′ 1 2 r, T ′ 1 r, r)

∙ ∙ ∙ using only matrix multiplications in O(log(D) Dω) operations.

Fast FGLM

with P. Gaudry, L. Huot and G. Renault

Theorem Let GDRL be the DRL Gröbner basis of an ideal I in shape position. Given T1 the multiplication matrix w.r.t. x1, computing the LEX Gröbner basis of I can be done in O(n D + Dω).

Fast FGLM

with P. Gaudry, L. Huot and G. Renault

Theorem Let GDRL be the DRL Gröbner basis of an ideal I in shape position. Given T1 the multiplication matrix w.r.t. x1, computing the LEX Gröbner basis of I can be done in O(n D + Dω).

☞ Theoretical/Practical Bottleneck: building the matrix T1

Fast FGLM

with P. Gaudry, L. Huot and G. Renault

Theorem Let GDRL be the DRL Gröbner basis of an ideal I in shape position. Given T1 the multiplication matrix w.r.t. x1, computing the LEX Gröbner basis of I can be done in O(n D + Dω).

☞ Theoretical/Practical Bottleneck: building the matrix T1

Generic Systems: T1 can be obtained in 0 arithmetic operations. Non generic case: perform a random linear change of coordinates (Heuristic)

New Strategy

I GDRL Easy to build T1 ? GLEX I′ G′

DRL =

⇒ T ′

1

G′

LEX

F4, F5 F a s t F G L M Y E S

Randomization

NO F4, F5 Fast FGLM

Experiments

D Density Build T1 GDRL (Build T1 + Fast FGLM) Random n = 16 216 18.3% 228.6s 55410 s + 15005.3 s Cyclic 7 924 2.0% 0.00s GDRL+0.04 s Cyclic 10 31990 1.0% 5.67s GDRL + 525.5 s Edwards n = 4 Sn + T2 512 27.6% 0.4 s 0.1 s + 0.42 s Edwards n = 4 Sn + T2 (rnd) 512 19.4% 0.0 s 0.1 s + 0.02 s Edwards n = 5 Sn + T2 216 > 2 days 11228.2s+ > 2 days Edwards n = 5 Sn + T2 (rnd) 216 9.3% 11.6 s 11228.2 s+7865.7 s Bad Example, n = 11 211 31.9% 7520.9s 0s + 7543.5s Bad Example, n = 11 (rnd) 211 21.5% 0.15s 5.0s + 0.2s Bad Example, n = 16 216 > 2 days 0 s+ > 2 days Bad Example, n = 16 (rnd) 216 19.8% 195.0s 38066.5 s + 14492.2 s Eco 14 212 11.5% 1100.1 s 926.7 s + 1102.5 s Eco 14 (rnd) 212 26.4% 0.1 s 926.7 s + 2.0s

Multi-core implementation

Two parallel versions: Using Openmp Using pthreads

☞ have to rewrite the generation of the matrix T1 !

Comparing original C-code (Issac 2011) and the new code: D % Magma Singular C C+SSE

Katsura 12

4096 21.2% 1408s 2623.5s 18.1s 0.73s

Multi-core implementation

Two parallel versions: Using Openmp Using pthreads

☞ have to rewrite the generation of the matrix T1 !

Comparing original C-code (Issac 2011) and the new code: D % Magma Singular C C+SSE

Katsura 12

4096 21.2% 1408s 2623.5s 18.1s 0.73s

Random(n=3,d=19)

6859 3.50% 1084s 8248s 15.3s 0.74s

Multi-core implementation

Two parallel versions: Using Openmp Using pthreads

☞ have to rewrite the generation of the matrix T1 !

Comparing original C-code (Issac 2011) and the new code: D % Magma Singular C C+SSE

Katsura 12

4096 21.2% 1408s 2623.5s 18.1s 0.73s

Random(n=3,d=19)

6859 3.50% 1084s 8248s 15.3s 0.74s More important: we can solve systems with D 216 solutions.

☞ Next Talk

Part II

Complexity of computing Gröbner bases.

Structured systems : several applications in Crypto

[F .,Perret,Safey,Spaenlehauer,Bettale]

Multivariate Public Key Crypto

HFE

[F.,Otmani,Perret,Tillich, EC]

McEliece

Error Correcting

Codes

[Gaudry, F.,Huot,Renault]

Curves DLP Elliptic curves Edwards or F2

[F ., Lubicz, Robert, JA]

Curves

Computing modular correspondences for Abelian Varieties

Multi-Homogeneous Systems Takes advantage

• f the symmetries
• f the system

to speed up the resolution

Main results/examples

Motivation to use the structure !

For (regular) quadratic systems: Overdetermined systems:

Semi-regular

n variables m = c nα equations

[Bardet, F.,Salvy]

− →

• Sub Exponential

if 1 < α < 2

Polynomial

if α = 2

Main results/examples

Motivation to use the structure !

For (regular) quadratic systems: Overdetermined systems:

Semi-regular

n variables m = c nα equations

[Bardet, F.,Salvy]

− →

• Sub Exponential

if 1 < α < 2

Polynomial

if α = 2 Use the fact that we are over Fq:

◮ [Bettale, F

.,Perret, JMC] : Hybrid Method direct Gröbner basis approach hybrid approach ∼ 21.8 n UOV q = 28, n = 60 security 2160 → 276 (Gröbner) → 259

Motivation

Bilinear systems: fi(X, Y) =

• x∈X,y∈Y

ci,x,y x y where n = #X + #Y complexity is polynomial in #Solutions= n

#X

• ≪ 2n

[JSC2011,F.,Safey El Din, Spaenlehauer]

Applications:

◮ MinRank/HFE: [Crypto 2008] 328233s −

→ [Issac 2010] 935s

◮ Challenge A20 (Variant of McEliece):

24 hours (Magma) − → 0.05 sec [EC2010, F., Otmani,] Perret, Tillich]

Motivation

Bilinear systems: fi(X, Y) =

• x∈X,y∈Y

ci,x,y x y where n = #X + #Y complexity is polynomial in #Solutions= n

#X

• ≪ 2n

[JSC2011,F.,Safey El Din, Spaenlehauer]

Applications:

◮ MinRank/HFE: [Crypto 2008] 328233s −

→ [Issac 2010] 935s

◮ Challenge A20 (Variant of McEliece):

24 hours (Magma) − → 0.05 sec [EC2010, F., Otmani,] Perret, Tillich]

Use the symmetries:

◮ [JA, F.,Lubicz,Robert] : the action of the automorphisms

• f the theta group

> 24 hours − → 0.1 sec

◮ [F.,Huot, Renault] symmetries related to twisted Edwards Curves

this talk ! divides by 2n−1 the number of solutions/complexity untractable system− → 4h25min

Complexity: introduction

The goal is to bound the maximal degree of the polynomials during the computation. Theorem Gröbner basis of the ideal I generated by (f1, . . . , fm) for a graded monomial ordering up to degree D in O

• m D

n + D − 1 D ω , as D → ∞ where ω is the exponent in the complexity of the matrix product over K. Goal: bound D dmax

Complexity of (overdetermined) systems

with M. Bardet and B. Salvy

F5 Criterion: t fj is in the matrix if t / ∈ Id(LT<(Gj−1)), where Gj−1 is a Gröbner basis of {f1, . . . , fj−1}. Rd,i(n) number of rows in the matrix generated by F5 when computing a Gröbner basis of [f1, . . . , fi] in degree d.

Induction

When d ≥ 2 : Rd,i(n) = i∙ Md−2(n)

• number of monomials

degree ≤ d − 2 −

i−1

• j=1

Rd−2,j(n)

• F5 criterion

Induction

When d ≥ 2 : Rd,i(n) = i∙ Md−2(n)

• number of monomials

degree ≤ d − 2 −

i−1+δK,F2

• j=1

Rd−2,j(n)

• F5 criterion

End of the computation

#col= Md(n) #row= Rd,m(n)    Matrix generated by F5   

End of the computation

#col= Md(n) #row= Rd,m(n)    Matrix generated by F5   

End of the computation

#col= Md(n) #row= Rd,m(n)    Matrix generated by F5   

When hd,m(n) = #col − #row = 0 this end of the computation ! we found dmax

Generating series

Theorem fi of degree di semi-regular, i = 1, . . . , m finite field Fq then Hm = ∞

d=0 hd,m zd = m

• i=1
• 1−(1−δK,F2) zdi

1+δK,F2zdi 1−δK,F2 z2 1−z

n

Generating series

Theorem fi of degree di semi-regular, i = 1, . . . , m finite field Fq then Hm = ∞

d=0 hd,m zd = m

• i=1
• 1−(1−δK,F2) zdi

1+δK,F2zdi 1−δK,F2 z2 1−z

n Theorem (Particular case) di = 2, F2, n = m semi-regular equations:

∞

• d=0

hd,n zd = 1 + z 1 + z2 n

Generating series

Theorem (Particular case) di = 2, F2, n = m semi-regular equations:

∞

• d=0

hd,n zd = 1 + z 1 + z2 n Example F2, n = m = 50 semi-regular quadratic equations

• 1+z

1+z2

50 = 1 + 50 z + 1175 z2 + 17100 z3 + 170325 z4 + 1202510 z5 +5915475 z6 + 17831400 z7 + 9196475 z8−205886050 z9 +O

• z10

☞ Hence the maximal degree occurring in the computation is 9 .

Asymptotic estimate

biggest real root of hd,n = 1 2iπ

• C

1 + z 1 + z2 n dz zd+1 dn =

1 λ0 n − λ1 λ

4 3

n

1 3 + O( 1

n

1 3 )

dn ≈

n 11.11360 + 1.0034n

1 3 + O( 1

n

1 3 )

where λ0 = 3/2 √ 3 + 5/2 + 1/2

• 72 + 42

√ 3 ≈ 11.13 the expression of λ1 contains the biggest real root of the Airy function (solution of ∂2y

∂z2 − zy = 0)

The formula is almost exact when n ≥ 3 !

Maximal degree

2 4 6 8 10 12 14 16 01 02 03 04 05 06 07 08 09 100

n

Maximal Degree in the Gröbner basis computation

HFE 128<d<513 HFE 16<d<129 HFE 3<d<17

random system

Complexity of overdetermined systems

Some examples

n variables, K any field m equations (semi-regular) of degree d: Under regularity assumption: Specifications dmax d = 2, m = n n+1

Complexity of overdetermined systems

Some examples

n variables, K any field m equations (semi-regular) of degree d: Under regularity assumption: Specifications dmax d = 2, m = n n+1 d = 2, m = n + 1

n+1 2

Complexity of overdetermined systems

Some examples

n variables, K any field m equations (semi-regular) of degree d: Under regularity assumption: Specifications dmax d = 2, m = n n+1 d = 2, m = n + 1

n+1 2

d = 2, m = 2 n

n 11.63

Complexity of overdetermined systems

Some examples

n variables, K any field m equations (semi-regular) of degree d: Under regularity assumption: Specifications dmax d = 2, m = n n+1 d = 2, m = n + 1

n+1 2

d = 2, m = 2 n

n 11.63

d = 2, m = 5 n

n 35.71

d = 2, m = 10 n

n 76.92

Complexity of overdetermined systems

Some examples

n variables, K any field m equations (semi-regular) of degree d: Under regularity assumption: Specifications dmax d = 2, m = n n+1 d = 2, m = n + 1

n+1 2

d = 2, m = 2 n

n 11.63

d = 2, m = 5 n

n 35.71

d = 2, m = 10 n

n 76.92

d = αn, m = 2n α n if α < 0.29

Complexity: overdetermined systems

k is a constant (does not depend on n). di total degree of fi. Under regularity assumption: m Degree dmax m ≤ n K, di = 2 m + 1 ( Macaulay bound) m ≤ n K 1 +

n+1

• i=1

(di − 1) ( Macaulay bound) n + k K, di = 2

m 2 − hk,1

• m

2 + o(1)

n + k K

n+k

• i=1

di−1 2

− hk,1

• n+k
• i=1

d2

i −1

6

+ o(1) 2 n K, di = 2

n 11.6569 + 1.04 n

1 3 − 1.47 + 1.71 n− 1 3 + O

• n− 2

3

• k n

K, di = 2 (k − 1

2 −

• k(k − 1))n +

−a1 2(k(k−1))

1 6 n 1 3 + O(1)

n F2, di = 2

n 11.1360 + 1.0034 n

1 3 − 1.58 + O(n− 1 3 )

k n F2, di = 2

• −k + 1

2 + 1 2

• 2k(k − 5) − 1 + 2(k + 2)
• k(k + 2)
• n

Classification

Classification: m number of polynomials, n number of variables Complexity m = cste n single exponential m = cste nα sub exponential m = cste n2 polynomial

Bilinear Equations in Algebraic Attacks: Motivation

Powerful attack somewhat similar to Lattice attacks: we consider k vectors vi = [. . . , vi,j, . . .] with vi,j ∈ Z Try to find: (λ1, . . . , λk) ∈ Zk such that

k

• i=1

λivi is small

Bilinear Equations in Algebraic Attacks: Motivation

Powerful attack somewhat similar to Lattice attacks: we consider k vectors vi = [. . . , vi,j, . . .] with vi,j ∈ Z Try to find: (λ1, . . . , λk) ∈ Zk such that

k

• i=1

λivi is small using LLL: find a ≈ small vector in Polynomial Time

Bilinear Equations in Algebraic Attacks: Motivation

For k quadratic multivariate polynomials fi ∈ K[x1, . . . , xn]: fl → H(fl) = Ml = ∂2fl ∂xi∂xj

• 1i,jn

matrix representation of fi Try to find: (λ1, . . . , λk) ∈ Kk such that:

k

• i=1

λiMi is “small”

Bilinear Equations in Algebraic Attacks: Motivation

For k quadratic multivariate polynomials fi ∈ K[x1, . . . , xn]: fl → H(fl) = Ml = ∂2fl ∂xi∂xj

• 1i,jn

matrix representation of fi Try to find: (λ1, . . . , λk) ∈ Kk such that:

k

• i=1

λiMi is of small rank

Bilinear Equations in Algebraic Attacks: Motivation

For k quadratic multivariate polynomials fi ∈ K[x1, . . . , xn]: fl → H(fl) = Ml = ∂2fl ∂xi∂xj

• 1i,jn

matrix representation of fi Try to find: (λ1, . . . , λk) ∈ Kk such that:

k

• i=1

λiMi is

• f rank r

Minrank Problem

Bilinear Equations in Algebraic Attacks: Motivation

For k quadratic multivariate polynomials fi ∈ K[x1, . . . , xn]: fl → H(fl) = Ml = ∂2fl ∂xi∂xj

• 1i,jn

matrix representation of fi Try to find: (λ1, . . . , λk) ∈ Kk such that:

k

• i=1

λiMi is

• f rank r

Minrank Problem That is to say: in some basis k

i=1 λifi depends only on r variables.

Two algebraic modelings: structured equations

M = M0 − k

i=1 λiMi.

The minors modeling Rank(M) ≤ r

• all minors of size (r + 1) of M vanish.

m

r+1

2 equations of degree r + 1. k variables. Few variables, lots of equations, high degree !!

The Kipnis-Shamir modeling

Rank(M) ≤ r ⇔ ∃x(1), . . . , x(m−r) ∈ Ker(M).

M ∙

         

Im−r

x(1)

1

. . . x(m−r)

1

. . . . . . . . . x(1)

r

. . . x(m−r)

r

         

= 0.

m(m − r) bilinear equations. k + r(m − r) variables.

Applications of bilinear equations in Crypto: Cryptanalysis of HFE and MinRank [CRYPTO’08, ISSAC’10, PKC’11]. Cryptanalysis of McEliece [EUROCRYPT’10].

Bilinear systems

joint work with M. Safey El Din and PJ Spaenlehauer

F = (f1, . . . , fm): system of homogeneous bilinear equations. fi(X, Y) =

• x∈X,y∈Y

ci,x,y x y where n = #X + #Y jacX(Fi) =    

∂f1 ∂x0

. . .

∂f1 ∂xnx

. . . . . . . . .

∂fi ∂x0

. . .

∂fi ∂xnx

    jacY(Fi) =    

∂f1 ∂y0

. . .

∂f1 ∂yny

. . . . . . . . .

∂fi ∂y0

. . .

∂fi ∂yny

    Euler relations f =

• xj

∂f ∂xj =

• yj

∂f ∂yj .    f1 . . . fi    = jacX(Fi) ∙    x0 . . . xnx    = jacY(Fi) ∙    y0 . . . yny   

Trivial Syzygies of Bilinear Systems

An example with small parameters: nx = ny = 2, m = 4

We rewrite the usual trivial syzygie as: 0 = f2f 1 − f1f 2 =

• f 1

f 2 f1 f2

Trivial Syzygies of Bilinear Systems

An example with small parameters: nx = ny = 2, m = 4

We rewrite the usual trivial syzygie as: 0 = f2f 1 − f1f 2 =

• f 1

f 2 f1 f2

• Theorem (Trivial Syzygies)

When nx = ny = 2, m = 4 the trivial syzygies of a generic bilinear system are:

• f i

f j fi fj

• i = j,
• f 1

f 2 f 3 f 4

∂f1 ∂x0 ∂f2 ∂x0 ∂f3 ∂x0 ∂f4 ∂x0 ∂f1 ∂x1 ∂f2 ∂x1 ∂f3 ∂x1 ∂f4 ∂x1 ∂f1 ∂x2 ∂f2 ∂x2 ∂f3 ∂x2 ∂f4 ∂x2

• ,
• f 1

f 2 f 3 f 4 jacY(F4)

Complexity of affine bilinear systems

In affine case: x0 = 1, y0 = 1 and the number of variables is n = nX + nY Theorem: degree of regularity [JSC 2011] Degree of regularity of a generic 0-dim affjne bilinear system for the grevlex ordering: dreg 2 + min(nx, ny). Sharp bound in practice.

Complexity

Solving affine bilinear systems The complexity of computing a grevlex Gröbner basis of a zero-dimensional ideal generated by generic affine bilinear polynomials is polynomial in the number of solutions n

nx

• =

n

ny

• O(Monomials(1 + min(nx, ny))ω) ≈ O
• 2ω min(nx,ny)

. Consequences: nx constant, ny grows = ⇒ complexity polynomial in ny. X and Y unbalanced ⇒ easy to solve. Better than Macaulay bound: O(Monomials(nx + ny + 1)ω) ≈ O

• 2ω(nx+ny)

. nX is a constant in the case of Minrank challenges, or nX is “small” in the case of McEliece variants !

Conclusion

Using the structures can improve (a lot) the complexity bounds and the practical behavior of Gröbner bases algorithms Linear Algebra and Gröbner bases: speedup the algorithms; efficient (multicore) implementations. Applications to several problems in cryptology.