
Solving efficiently structured polynomial systems and applications in cryptology. Jean-Charles Faugère; joint work with L. Huot, G. Renault, M. Safey El Din, L. Perret, P.-J. Spaenlehauer and L. Bettale. ECC 2011, The 15th workshop on Elliptic


1–2. Complexity of Computing Gröbner Bases

Definition. Degree of regularity $d_{reg}$: indicator of the complexity of GB algorithms. For homogeneous polynomials: the lowest integer $d$ such that all monomials of degree $d$ are in $LM(I)$. ☞ The maximal degree of a grevlex Gröbner basis is $\le d_{reg}$.

Hilbert series. Generating series $HS(t) = \sum_{d=0}^{\infty} r_d\, t^d$, where $r_d = \#\mathrm{Cols} - \mathrm{Rank}(\mathrm{Macaulay}(F, d))$. Finite number of solutions: $HS(t) = \sum_{d=0}^{d_{reg}-1} r_d\, t^d$.

Theorem. Complexity of computing a grevlex Gröbner basis: $O\!\left(\binom{n + d_{reg}}{n}^{\omega}\right)$.

3–4. Example of generating series

Theorem. For $n$ quadratic equations $f_i$ over $\mathbb{Q}$, under some regularity assumption: $HS(t) = (1 + t)^n$. Consequently, $d_{reg} = n + 1$.

Example. Over $\mathbb{Q}$, $n = m = 50$ quadratic equations: $(1 + z)^{50} = 1 + 50z + \cdots + z^{50} + 0 \cdot z^{51}$. Hence the maximal degree occurring in the computation is 51.

5. F5 algorithm: simple matrix version

Get rid of the trivial relations: $f_i f_j - f_j f_i = 0$, and $f_i^2 - f_i = 0$ when $K = \mathbb{F}_2$.
Incremental algorithm: $(f_1) + G_{prev}$, incremental degree by degree.
Special/simpler version of F5 for dense/generic quadratic polynomials; the maximal degree $D$ is a parameter of the algorithm.

[Matrix in degree $d$: columns indexed by the monomials $m_1, m_2, m_3, m_4, m_5, \ldots$ of degree $d$; rows indexed by the products $u_1 f_1, \ldots, u_{r_1} f_1, \ldots, v_{r_{k-1}} f_{k-1}, w_1 f_k, w_2 f_k, \ldots$; after row echelonization each row has a pivot 1 under its leading monomial and zeros to its left.]

6–12. F5: compute $\mathrm{Groebner}(\langle f_1, \ldots, f_k \rangle, d + 1)$

Already computed: $\mathrm{Groebner}(\langle f_1, \ldots, f_k \rangle, d)$, i.e. the echelonized matrix in degree $d$ above.

Matrix in degree $d + 1$: columns indexed by the monomials $t_1, t_2, t_3, t_4, t_5, \ldots$ of degree $d + 1$. Each row $w_1 f_k$ of the degree-$d$ matrix, with $w_1 = x_1^{\alpha_1} \cdots x_j^{\alpha_j}$ ($x_j$ being the last variable occurring in $w_1$), produces the new rows $w_1 x_j f_k,\ w_1 x_{j+1} f_k,\ \ldots,\ w_1 x_n f_k$: multiply only by the variables $x_j, \ldots, x_n$.

F5 criterion: remove the row $w_1 x_{j+1} f_k$ iff $w_1 x_{j+1} \in LT(\mathrm{Groebner}(\langle f_1, \ldots, f_{k-1} \rangle, d - 1))$.

13. F5 criterion → complexity of overdetermined systems (with M. Bardet and B. Salvy)

Criterion: $t f_j$ is in the matrix if $t \notin \mathrm{Id}(LT_<(G_{j-1}))$, where $G_{j-1}$ is a Gröbner basis of $\{f_1, \ldots, f_{j-1}\}$.
$R_{d,i}(n)$: number of rows in the matrix generated by F5 when computing a Gröbner basis of $[f_1, \ldots, f_i]$ in degree $d$.

14–15. Induction

When $d \ge 2$:
$$R_{d,i}(n) = \underbrace{i \cdot M_{d-2}(n)}_{\text{number of monomials}} \;-\; \underbrace{\sum_{j=1}^{i - 1 + \delta_{K,\mathbb{F}_2}} R_{d-2,j}(n)}_{\text{F5 criterion, degree } \le d-2}$$
where $\delta_{K,\mathbb{F}_2} = 1$ if $K = \mathbb{F}_2$ and $0$ otherwise (over $\mathbb{F}_2$ the extra term $j = i$ accounts for the trivial relation $f_i^2 - f_i = 0$ of slide 5).

16–18. End of the computation

Matrix generated by F5 in degree $d$: $\#\mathrm{col} = M_d(n)$, $\#\mathrm{row} = R_{d,m}(n)$.
☞ When $h_{d,m}(n) = \#\mathrm{col} - \#\mathrm{row} = 0$ this is the end of the computation! We compute the biggest real root $n > 0$ of $h_{d,m}(n) = 0$.

19–21. Example

For quadratic equations, $m = n$ over $\mathbb{F}_2$: using the previous relation we can compute explicitly
$U_{0,i}(n) = U_{1,i}(n) = 0$,
$U_{2,i}(n) = i \binom{n}{0} - 0 = i$,
$U_{3,i}(n) = i \binom{n}{1} - \sum_{j=1}^{i} U_{1,j}(n) = i\, n$.
Then:
$$h_{3,n}(n) = M_3(n) - U_{3,n}(n) = \binom{n}{3} - n^2 = \frac{n\,(n^2 - 9n + 2)}{6}.$$
The biggest real root of this polynomial:
$$h_{3,n}(n) = \frac{n}{6}\left(n - \tfrac{9}{2} - \tfrac{1}{2}\sqrt{73}\right)\left(n - \tfrac{9}{2} + \tfrac{1}{2}\sqrt{73}\right).$$

22–24. Example

$$h_{3,n}(n) = \frac{n}{6}\left(n - \tfrac{9}{2} - \tfrac{1}{2}\sqrt{73}\right)\left(n - \tfrac{9}{2} + \tfrac{1}{2}\sqrt{73}\right)$$
The biggest real root is $\tfrac{9}{2} + \tfrac{1}{2}\sqrt{73}$; $\sqrt{73} \approx 8.772$, so that $N_3 = 9$.
Hence $d \le 3$ when $n \le 9$:

  d      3    4    5    6    7    8    9
  N_d    9   16   24   32   41   49   58

$n < 9 = N_3$: the maximal degree in F5 is 3; the total complexity is $O(n^{3\omega})$.
$N_3 = 9 \le n < N_4 = 16$: the maximal degree is 4 and the complexity is $O(n^{4\omega})$.
...

25–27. Generating series

Theorem. $f_i$ of degree $d_i$, $i = 1, \ldots, m$, over a finite field $\mathbb{F}_q$; then
$$H_m = \sum_{d=0}^{\infty} h_{d,m}\, z^d = \left(\frac{1 - \delta_{K,\mathbb{F}_2}\, z^2}{1 - z}\right)^{n} \prod_{i=1}^{m} \frac{1 - (1 - \delta_{K,\mathbb{F}_2})\, z^{d_i}}{1 + \delta_{K,\mathbb{F}_2}\, z^{d_i}}.$$
Particular case: $d_i = 2$, $\mathbb{F}_2$, $n = m$ equations:
$$\sum_{d=0}^{\infty} h_{d,n}\, z^d = \left(\frac{1 + z}{1 + z^2}\right)^{n}.$$
Example. $\mathbb{F}_2$, $n = m = 50$ semi-regular quadratic equations:
$$\left(\frac{1 + z}{1 + z^2}\right)^{50} = 1 + 50z + 1175z^2 + 17100z^3 + 170325z^4 + 1202510z^5 + 5915475z^6 + 17831400z^7 + 9196475z^8 - 205886050z^9 + O(z^{10}).$$
Hence the maximal degree occurring in the computation is 9.
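To make the counting concrete, here is an added Python example (not code from the talk) that computes the truncated series of the theorem above for either field choice and any list of degrees, reads off the maximal degree as the index of the first non-positive coefficient, and, for the $\mathbb{F}_2$ quadratic case with $m = n$, also evaluates the row-count recurrence $U_{d,i}(n)$ of slides 14–21 to recover the thresholds $N_d$ of slide 23. The function names (`hilbert_series`, `h_f5`, `degree_threshold`, `log2_gb_cost`), the scan limit `n_max` and the default $\omega = 2$ are this example's own assumptions.

```python
from math import comb, log2

# Truncated integer power series, stored as coefficient lists of length `order`.

def series_mul(a, b, order):
    """Product of two truncated series."""
    c = [0] * order
    for i, ai in enumerate(a[:order]):
        if ai:
            for j, bj in enumerate(b[:order - i]):
                c[i + j] += ai * bj
    return c

def series_inv(a, order):
    """Inverse of a series whose constant term is +1 or -1 (stays integral)."""
    assert a[0] in (1, -1)
    inv = [0] * order
    inv[0] = a[0]
    for k in range(1, order):
        s = sum(a[j] * inv[k - j] for j in range(1, min(k, len(a) - 1) + 1))
        inv[k] = -s * a[0]
    return inv

def series_pow(a, e, order):
    r = [1] + [0] * (order - 1)
    for _ in range(e):
        r = series_mul(r, a, order)
    return r

def one_plus(coef, deg, order):
    """The polynomial 1 + coef * z^deg as a truncated series."""
    s = [0] * order
    s[0] = 1
    if deg < order:
        s[deg] += coef
    return s

def hilbert_series(n, degrees, order, over_f2=False):
    """Coefficients h_{d,m}, d < order, of the semi-regular generating series
    H_m = ((1 - δ z^2)/(1 - z))^n * prod_i (1 - (1-δ) z^{d_i}) / (1 + δ z^{d_i}),
    with δ = 1 over F2 (field equations counted) and δ = 0 otherwise."""
    delta = 1 if over_f2 else 0
    base = series_mul(one_plus(-delta, 2, order),
                      series_inv(one_plus(-1, 1, order), order), order)
    h = series_pow(base, n, order)
    for d_i in degrees:
        h = series_mul(h, one_plus(-(1 - delta), d_i, order), order)
        h = series_mul(h, series_inv(one_plus(delta, d_i, order), order), order)
    return h

def degree_of_regularity(coeffs):
    """Index of the first coefficient <= 0: the maximal degree reached in the
    computation (None if the truncation is too short to see it)."""
    for d, c in enumerate(coeffs):
        if c <= 0:
            return d
    return None

# Row counting of the simple matrix F5 (F2, quadratic, m = n equations).

def f5_row_counts(n, d_max):
    """U[d][i] = U_{d,i}(n): U_{0,i} = U_{1,i} = 0 and
    U_{d,i} = i * M_{d-2}(n) - sum_{j=1}^{i} U_{d-2,j}(n), with M_d(n) = C(n, d)."""
    U = [[0] * (n + 1) for _ in range(d_max + 1)]
    for d in range(2, d_max + 1):
        running = 0
        for i in range(1, n + 1):
            running += U[d - 2][i]          # prefix sum of U_{d-2,j}, j <= i
            U[d][i] = i * comb(n, d - 2) - running
    return U

def h_f5(d, n):
    """h_{d,n}(n) = #columns - #rows = M_d(n) - U_{d,n}(n) of the degree-d F5 matrix."""
    return comb(n, d) - f5_row_counts(n, d)[d][n]

def degree_threshold(d, n_max=120):
    """N_d: the integer just above the biggest real root of h_{d,n}(n), i.e. the first n
    from which h_{d,n}(n) stays positive (scanned up to n_max, an assumed bound)."""
    last_nonpositive = 0
    for n in range(1, n_max + 1):
        if h_f5(d, n) <= 0:
            last_nonpositive = n
    return last_nonpositive + 1

def log2_gb_cost(n, d_reg, omega=2.0):
    """log2 of the O(C(n + d_reg, n)^omega) bound on the grevlex Gröbner basis cost."""
    return omega * log2(comb(n + d_reg, n))

if __name__ == "__main__":
    f2 = hilbert_series(50, [2] * 50, 10, over_f2=True)
    print("F2, 50 quadrics:", f2, "-> max degree", degree_of_regularity(f2))
    print("Q, 50 quadrics: max degree", degree_of_regularity(hilbert_series(50, [2] * 50, 53)))
    print("N_d for d = 3..9:", [degree_threshold(d) for d in range(3, 10)])
    print("log2 cost, F2 n=50:", round(log2_gb_cost(50, degree_of_regularity(f2)), 1))
```

The recurrence and the closed-form series agree coefficient by coefficient, which is the check a practitioner wants before trusting either when sizing parameters of a multivariate scheme against algebraic attacks.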

28. Asymptotic estimate

Biggest real root of
$$h_{d,n} = \frac{1}{2 i \pi} \oint_C \left(\frac{1 + z}{1 + z^2}\right)^{n} \frac{dz}{z^{d+1}}:$$
$$d_n = \frac{n}{\lambda_0} - \lambda_1\, n^{1/3} + O(1) \;\approx\; \frac{n}{11.11360} + 1.0034\, n^{1/3} + O(1),$$
where $\lambda_0 = \frac{3}{2}\sqrt{3} + \frac{5}{2} + \frac{1}{2}\sqrt{72 + 42\sqrt{3}} \approx 11.13$ and the expression of $\lambda_1$ contains the biggest real root of the Airy function (solution of $\frac{\partial^2 y}{\partial z^2} - z\, y = 0$).
The formula is almost exact when $n \ge 3$!

29. Maximal degree

[Figure: maximal degree in the Gröbner basis computation as a function of $n$ ($n$ from 0 to 100, degree from 0 to 16), with curves for a random system and for HFE with $3 < d < 17$, $16 < d < 129$ and $128 < d < 513$.]

30. Complexity: overdetermined systems

$k$ is a constant (does not depend on $n$); $d_i$ is the total degree of $f_i$. Under the regularity assumption, the maximal degree $d_{max}$ reached in the computation is:

  $m$            field, degrees             degree $d_{max}$
  $m \le n$      $K$, $d_i = 2$             $m + 1$ (Macaulay bound)
  $m \le n$      $K$                        $1 + \sum_{i=1}^{m} (d_i - 1)$ (Macaulay bound)
  $m = n + k$    $K$, $d_i = 2$             $\frac{m}{2} - h_{k,1}\sqrt{\frac{m}{2}} + o(1)$
  $m = n + k$    $K$                        $\sum_{i=1}^{n+k} \frac{d_i - 1}{2} - h_{k,1}\sqrt{\sum_{i=1}^{n+k} \frac{d_i^2 - 1}{6}} + o(1)$
  $m = 2n$       $K$, $d_i = 2$             $\frac{n}{11.6569} + 1.04\, n^{1/3} - 1.47 + 1.71\, n^{-1/3} + O(n^{-2/3})$
  $m = kn$       $K$, $d_i = 2$             $\left(k - \frac{1}{2} - \sqrt{k(k-1)}\right) n - \frac{a_1}{2\,(k(k-1))^{1/6}}\, n^{1/3} + O(1)$
  $m = n$        $\mathbb{F}_2$, $d_i = 2$  $\frac{n}{11.1360} + 1.0034\, n^{1/3} - 1.58 + O(n^{-1/3})$
  $m = kn$       $\mathbb{F}_2$, $d_i = 2$  $\left(-k + \frac{1}{2} + \frac{1}{2}\sqrt{2k(k-5) - 1 + 2(k+2)\sqrt{k(k+2)}}\right) n$

31. Classification

Classification: $m$ number of polynomials, $n$ number of variables.

  $m = c \cdot n$           single exponential
  $m = c \cdot n^{\alpha}$  sub-exponential
  $m = c \cdot n^{2}$       polynomial

($c$ a constant.)

32–33. Bilinear Equations in Algebraic Attacks: Motivation

Powerful attack somewhat similar to lattice attacks: we consider $k$ vectors $v_i = [\ldots, v_{i,j}, \ldots]$ with $v_{i,j} \in \mathbb{Z}$. Try to find $(\lambda_1, \ldots, \lambda_k) \in \mathbb{Z}^k$ such that $\sum_{i=1}^{k} \lambda_i v_i$ is small. Using LLL: find a ($\approx$ small) vector in polynomial time.

34–37. Bilinear Equations in Algebraic Attacks: Motivation

For $k$ quadratic multivariate polynomials $f_i \in K[x_1, \ldots, x_n]$:
$$f_l \mapsto H(f_l) = M_l = \left(\frac{\partial^2 f_l}{\partial x_i\, \partial x_j}\right)_{1 \le i, j \le n} = \text{matrix representation of } f_l.$$
Try to find $(\lambda_1, \ldots, \lambda_k) \in K^k$ such that $\sum_{i=1}^{k} \lambda_i M_i$ is "small", i.e. of small rank, i.e. of rank $r$: the MinRank problem. That is to say: in some basis $\sum_{i=1}^{k} \lambda_i f_i$ depends only on $r$ variables.

38. Two algebraic modelings: structured equations

$M = M_0 - \sum_{i=1}^{k} \lambda_i M_i$.

The Kipnis-Shamir modeling: $\mathrm{Rank}(M) \le r \Leftrightarrow \exists\, x^{(1)}, \ldots, x^{(m-r)} \in \mathrm{Ker}(M)$:
$$M \cdot \begin{pmatrix} I_{m-r} \\ x^{(1)}_1 & \cdots & x^{(m-r)}_1 \\ \vdots & & \vdots \\ x^{(1)}_r & \cdots & x^{(m-r)}_r \end{pmatrix} = 0.$$
$m(m - r)$ bilinear equations, $k + r(m - r)$ variables.

The minors modeling: $\mathrm{Rank}(M) \le r \Leftrightarrow$ all minors of size $r + 1$ of $M$ vanish.
$\binom{m}{r+1}^2$ equations of degree $r + 1$, $k$ variables. Few variables, lots of equations, high degree!!

Applications of bilinear equations in crypto: cryptanalysis of HFE and MinRank [CRYPTO'08, ISSAC'10, PKC'11]; cryptanalysis of McEliece [EUROCRYPT'10].

39. Bilinear systems (joint work with M. Safey El Din and P.-J. Spaenlehauer)

$F = (f_1, \ldots, f_m)$: system of homogeneous bilinear equations
$$f_i(X, Y) = \sum_{x \in X,\; y \in Y} c_{i,x,y}\, x\, y, \qquad n = \#X + \#Y.$$
Jacobian matrices with respect to each block of variables:
$$\mathrm{jac}_X(F_i) = \begin{pmatrix} \frac{\partial f_1}{\partial x_0} & \cdots & \frac{\partial f_1}{\partial x_{n_x}} \\ \vdots & & \vdots \\ \frac{\partial f_i}{\partial x_0} & \cdots & \frac{\partial f_i}{\partial x_{n_x}} \end{pmatrix}, \qquad \mathrm{jac}_Y(F_i) = \begin{pmatrix} \frac{\partial f_1}{\partial y_0} & \cdots & \frac{\partial f_1}{\partial y_{n_y}} \\ \vdots & & \vdots \\ \frac{\partial f_i}{\partial y_0} & \cdots & \frac{\partial f_i}{\partial y_{n_y}} \end{pmatrix}.$$
Euler relations: $f = \sum_j x_j \frac{\partial f}{\partial x_j} = \sum_j y_j \frac{\partial f}{\partial y_j}$, hence
$$\begin{pmatrix} f_1 \\ \vdots \\ f_i \end{pmatrix} = \mathrm{jac}_X(F_i) \cdot \begin{pmatrix} x_0 \\ \vdots \\ x_{n_x} \end{pmatrix} = \mathrm{jac}_Y(F_i) \cdot \begin{pmatrix} y_0 \\ \vdots \\ y_{n_y} \end{pmatrix}.$$

40. Complexity of affine bilinear systems

In the affine case: $x_0 = 1$, $y_0 = 1$ and the number of variables is $n = n_X + n_Y$.
Theorem (degree of regularity) [JSC 2011]. Degree of regularity of a generic 0-dimensional affine bilinear system for the grevlex ordering: $d_{reg} \le 1 + \min(n_x, n_y)$. Sharp bound in practice.

41–43. Degree of regularity: idea of the proof

Affine: $x_0 = 1$. Choose the block of variables of smallest cardinality; we assume $n_X \le n_Y$.
$I = \langle f_1, \cdots, f_n \rangle$ bilinear system of $K[X, Y]$
$$\Longleftrightarrow\quad J_X\, x = \begin{pmatrix} \frac{\partial f_1}{\partial x_0} & \cdots & \frac{\partial f_1}{\partial x_{n_x}} \\ \vdots & \ddots & \vdots \\ \frac{\partial f_n}{\partial x_0} & \cdots & \frac{\partial f_n}{\partial x_{n_x}} \end{pmatrix} \cdot \begin{pmatrix} 1 \\ x_1 \\ \vdots \\ x_{n_x} \end{pmatrix} = 0.$$
$J_X$ is singular! $J_X$ is a singular $p \times q = (n_X + 1) \times (n_X + n_Y)$ matrix $\Longrightarrow$ all the maximal minors are $= 0$!

Determinantal miracle! A theorem of Bernstein, Sturmfels and Zelevinsky: $M$ a $p \times q$ matrix whose entries are variables. The maximal minors of $M$ are a universal Gröbner basis.

44–47. Degree of regularity: idea of the proof

$J_X$ is singular! $J_X$ is a singular $p \times q = (n_X + 1) \times (n_X + n_Y)$ matrix $\Longrightarrow$ all the maximal minors are $= 0$!

Extension of the theorem of Bernstein, Sturmfels and Zelevinsky [JSC 2011]: $J_X$ a $p \times q$ linear matrix with coefficients in $K[y_1, \ldots, y_{n_Y}]$; the maximal minors of $M$ are a grevlex Gröbner basis, and
$$LM(\mathrm{Minors}(J_X)) = \langle \text{all monomials of degree } n_X + 1 \text{ in } y_1, \ldots, y_{n_Y} \rangle.$$
Rewrite $J_X\, x = A(y) \begin{pmatrix} x_1 \\ \vdots \\ x_{n_x} \end{pmatrix} + b = 0$.
Cramer's rule: $\det(A(y)) \begin{pmatrix} x_1 \\ \vdots \\ x_{n_x} \end{pmatrix} + \mathrm{Adj}(A)\, b \in I$, i.e. $\begin{pmatrix} x_1 \\ \vdots \\ x_{n_x} \end{pmatrix} + \det(A(y))^{-1}\, \mathrm{Adj}(A)\, b \in I$.
Any $\prod_{j=1}^{n_X} x_j^{\alpha_j} \prod_{k=1}^{n_Y} y_k^{\beta_k} \;\to\; \prod_{k=1}^{n_Y} y_k^{\gamma_k} \bmod \mathrm{Minors}(J_X)$ with $\sum_k \gamma_k \le n_X$.

48–49. Trivial Syzygies of Bilinear Systems

An example with small parameters: $n_x = n_y = 2$, $m = 4$. We rewrite the usual trivial syzygy as
$$0 = f_2 f_1 - f_1 f_2 = \begin{vmatrix} f_1 & f_2 \\ f_1 & f_2 \end{vmatrix}.$$
Theorem (Trivial Syzygies). When $n_x = n_y = 2$, $m = 4$, the trivial syzygies of a generic bilinear system are:
$$\begin{vmatrix} f_i & f_j \\ f_i & f_j \end{vmatrix} \ (i \ne j), \qquad \begin{vmatrix} f_1 & f_2 & f_3 & f_4 \\ \frac{\partial f_1}{\partial x_0} & \frac{\partial f_2}{\partial x_0} & \frac{\partial f_3}{\partial x_0} & \frac{\partial f_4}{\partial x_0} \\ \frac{\partial f_1}{\partial x_1} & \frac{\partial f_2}{\partial x_1} & \frac{\partial f_3}{\partial x_1} & \frac{\partial f_4}{\partial x_1} \\ \frac{\partial f_1}{\partial x_2} & \frac{\partial f_2}{\partial x_2} & \frac{\partial f_3}{\partial x_2} & \frac{\partial f_4}{\partial x_2} \end{vmatrix}$$
(the $4 \times 4$ determinant formed by the row $(f_1, f_2, f_3, f_4)$ and the transpose of $\mathrm{jac}_X(F_4)$), and the analogous determinant built from $\mathrm{jac}_Y(F_4)$.

50. Results

1. Variant of F5: avoid computing zero.
2. Characterize a "nice" subclass of systems: we defined a notion of biregularity.
   Theorem. Generically, bilinear systems are biregular, i.e. the set of biregular bilinear systems is a Zariski nonempty open subset.
3. Generic Hilbert series:
   $$HS_I(t_1, t_2) = \sum_{\alpha, \beta} \dim\!\left(K[X, Y]_{\alpha,\beta} / I_{\alpha,\beta}\right) t_1^{\alpha} t_2^{\beta}.$$
   We can compute it explicitly!
4. Complexity analysis.

51. Complexity

Solving affine bilinear systems. The complexity of computing a grevlex Gröbner basis of a zero-dimensional ideal generated by generic affine bilinear polynomials is polynomial in the number of solutions $\binom{n}{n_x} = \binom{n}{n_y}$:
$$O\!\left(\mathrm{Monomials}(1 + \min(n_x, n_y))^{\omega}\right) \approx O\!\left(2^{2\omega \min(n_x, n_y)}\right).$$
Consequences: $n_x$ constant, $n_y$ grows $\Longrightarrow$ complexity polynomial in $n_y$. $X$ and $Y$ unbalanced $\Rightarrow$ easy to solve.
Better than the Macaulay bound: $O\!\left(\mathrm{Monomials}(n_x + n_y + 1)^{\omega}\right) \approx O\!\left(2^{2\omega (n_x + n_y)}\right)$.
$n_X$ is a constant in the case of MinRank challenges!

52–53. Solving Systems with Symmetries

$G$ is a finite group. Compute the roots of the system: $V_L = \{ z \in L^n \mid f_1(z) = \cdots = f_m(z) = 0 \}$.
Two cases:
Most difficult case: $V_L$ is invariant by $G$: if $z \in V_L$ then $\sigma.z \in V_L$ for all $\sigma \in G$. Open issue: compute efficiently $V_L / G$, even if $G = S_n$.
Each equation is invariant by $G$: $\sigma.f_i = f_i$ for all $\sigma \in G$.

54. Invariant ring

Definition. $K[x_1, \ldots, x_n]$ and $G \subset GL(K, n)$ a linear group acting on $K^n$:
$$K[x_1, \ldots, x_n]^G = \{ p \in K[x_1, \ldots, x_n] \mid \sigma \cdot p = p \text{ for all } \sigma \in G \}, \quad \text{where } (\sigma \cdot p)(v) = p(\sigma^{-1} \cdot v) \text{ for all } v \in K^n.$$
Hilbert's finiteness theorem. If $G$ is a linear group then its invariant ring is finitely generated.
Theorem. $K[x_1, \ldots, x_n]^{S_n} = K[e_1, \ldots, e_n]$ where $e_k = \sum_{1 \le i_1 < i_2 < \cdots < i_k \le n} x_{i_1} x_{i_2} \cdots x_{i_k}$ is the $k$-th elementary symmetric polynomial.

55–56. Hironaka decomposition

$G$ is a linear group $\Longrightarrow$ $K[x_1, \ldots, x_n]^G$: there exist
  primary invariants $\theta_1, \ldots, \theta_n \in K[x_1, \ldots, x_n]^G$, algebraically independent;
  secondary invariants $\eta_1, \ldots, \eta_t \in K[x_1, \ldots, x_n]^G$.
Method proposed by [Sturmfels]: each equation $f \in K[x_1, \ldots, x_n]^G \to f(\theta_1, \ldots, \theta_n, \eta_1, \ldots, \eta_t)$.
OK: we compute a Gröbner basis of $I(V_L / G)$.
NOK: the resulting system is often more difficult to solve than the original!
  ◮ we have $n + t$ variables
  ◮ the $\eta_1, \ldots, \eta_t$ are not independent: add equations $F(\eta_1, \ldots, \eta_t) = 0$.

57–60. First easy case: each equation is invariant

Example (Cyclic-$n$ problem). $G = C_n$:
$$\begin{cases} x_1 + \cdots + x_n = 0 \\ x_1 x_2 + \cdots + x_i x_{i+1} + \cdots = 0 \\ \cdots \\ \cdots + x_i x_{i+1} \cdots x_{i+k-1} + \cdots = 0 \\ \cdots \\ x_1 x_2 \cdots x_n = 1 \end{cases}$$
Reynolds operator: $R(f) = \frac{1}{\#G} \sum_{\sigma \in G} \sigma.f$. The same system reads
$$\begin{cases} R(x_1) = 0 \\ R(x_1 x_2) = 0 \\ \cdots \\ R(x_1 x_2 \cdots x_{k-1}) = 0 \\ \cdots \\ x_1 x_2 \cdots x_n = 1 \end{cases}$$
Very compact representation!

Theory to adapt Gröbner basis theory: Subalgebra Analog to Gröbner Basis for Ideals = SAGBI.
  L. Robbiano and M. Sweedler. Subalgebra bases. Commutative algebra, pp. 61–87 in LNM 1430, Springer, 1990.
  D. Kapur and K. Madlener. A completion procedure for computing a canonical basis for a k-subalgebra, pp. 1–11 in Computers and Mathematics (Cambridge, MA, 1989), edited

SAGBI Gröbner bases: in general infinite! Propose efficient algorithms (variants of F5 and FGLM) to represent the solutions of the system by another system in $e_1, \ldots, e_n$.
Example (Cyclic $n = 5$). Symmetric Gröbner basis: $[\, e_1,\ 125\, e_2 + e_3^4,\ e_3^6 + 3125\, e_3,\ e_4,\ e_5 - 1 \,]$.

61. Algorithm [F., Rahmany, 2009]

Gröbner basis in the invariant ring $K[e_1, \ldots, e_n]$, where $e_i$ is the $i$-th elementary symmetric polynomial.
Flowchart of the FGLM-Invariant algorithm:
  Input: system in $K[x_1, \ldots, x_n]^G$
  → F5-Inv → $D$-Sym Gröbner basis → $D$-SAGBI in $K[e_1, \ldots, e_n]$
  → Matrix test: zero-dimensional? no → $D := D + 1$ and loop back to F5-Inv; yes → solutions recovering algorithm → solutions in $L^n$.

62–63. Experiments ...

             n    D    F5-invariant    Magma 2.15-7 (F4)
  cyclic     9   15    10.4 s          136.1 s
  cyclic    10   16    206.1 s         "Killed"
  cyclic    11   17    1 h 54 m
  cyclic    12   18    16 h 34 m

Reduced size of the computed objects:

                        #Solutions    #polynomials    Max length of poly
  C7 lex                       924              35                   132
  inv C7 lex                    57               4                     9
  C8 lex dim 1                                  57                  2545
  inv C8 lex dim 1                              15                    87
  inv C9 lex dim 2                               7                    41

64–66. Second easy case: G is a reflection group

Theorem (Chevalley, Shephard, Todd). If $\mathrm{char}(K) \nmid \#G$ then: $G$ is a reflection group $\Longrightarrow$ $K[x_1, \ldots, x_n]^G = K[\theta_1, \ldots, \theta_n]$, where $\theta_1, \ldots, \theta_n \in K[x_1, \ldots, x_n]$ are algebraically independent.

Example (DLP Edwards). Consider a set of symmetric equations. In addition we assume that
$(y_1, \ldots, y_n) \in V_L \Longrightarrow (-y_1, -y_2, y_3, \ldots, y_n) \in V_L \Longrightarrow (y_1, -y_2, -y_3, \ldots, y_n) \in V_L$:
an even number of sign changes on $\{y_1, \ldots, y_n\}$, $\sum_{i=0}^{\lfloor n/2 \rfloor} \binom{n}{2i} = 2^{n-1}$.

Definition (Coxeter group). $D_n$ is the symmetry group of the $n$-demihypercube. $D_n = (\mathbb{Z}/2\mathbb{Z})^{n-1} \rtimes S_n \Longrightarrow \#D_n = n! \cdot 2^{n-1}$.

Theorem. $\mathbb{F}_q[y_1, \ldots, y_n]^{D_n} = \mathbb{F}_q[E_1, \ldots, E_{n-1}, e_n]$ where $E_i = e_i(y_1^2, \ldots, y_n^2)$ is the $i$-th elementary symmetric polynomial in terms of the $y_i^2$.
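An added Python example (not from the talk or from the F5-Inv implementation) that implements the group actions of slides 52–66 on sparse polynomials over $\mathbb{Q}$: the Reynolds operator $R$, the invariance test $\sigma.f = f$, the cyclic-$n$ equations, and the elementary symmetric polynomials $e_k$ and $E_k = e_k(y_1^2, \ldots, y_n^2)$, for the groups $C_n$, $S_n$ and $D_n = (\mathbb{Z}/2\mathbb{Z})^{n-1} \rtimes S_n$. It shows that $\#G \cdot R(x_1 \cdots x_k)$ is exactly the $k$-th cyclic-$n$ equation, that $\#D_n = n!\cdot 2^{n-1}$, and which $e_k$ survive as $D_n$-invariants. The encoding of a group element as a (permutation, sign vector) pair and all function names are this example's own choices.

```python
from fractions import Fraction
from itertools import combinations, permutations, product

# Sparse polynomials in x_1..x_n over Q: {exponent tuple: Fraction}.

def poly_add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
        if r[m] == 0:
            del r[m]
    return r

def poly_scale(p, s):
    return {m: c * s for m, c in p.items()}

def monomial(n, indices):
    """x_{i_1} ... x_{i_k} in n variables (0-based indices; repeats give powers)."""
    e = [0] * n
    for i in indices:
        e[i] += 1
    return {tuple(e): Fraction(1)}

# A group element is (perm, signs): the linear substitution x_i -> signs[i] * x_{perm[i]}.

def act(g, p):
    """sigma.p: apply the substitution to every monomial of p."""
    perm, signs = g
    r = {}
    for e, c in p.items():
        new_e = [0] * len(e)
        sign = 1
        for i, k in enumerate(e):
            new_e[perm[i]] += k
            if k % 2 == 1 and signs[i] == -1:   # odd power of a negated variable
                sign = -sign
        key = tuple(new_e)
        r[key] = r.get(key, Fraction(0)) + sign * c
    return {m: c for m, c in r.items() if c != 0}

def cyclic_group(n):
    """C_n: the cyclic shifts x_i -> x_{i+1 mod n}."""
    return [(tuple((i + s) % n for i in range(n)), (1,) * n) for s in range(n)]

def symmetric_group(n):
    """S_n: all permutations of the variables."""
    return [(p, (1,) * n) for p in permutations(range(n))]

def demihypercube_group(n):
    """D_n = (Z/2Z)^{n-1} x| S_n: permutations combined with an even number of sign changes."""
    return [(p, s) for p in permutations(range(n))
            for s in product((1, -1), repeat=n) if s.count(-1) % 2 == 0]

def reynolds(group, p):
    """R(f) = (1/#G) * sum_{sigma in G} sigma.f, the projection onto the invariant ring."""
    total = {}
    for g in group:
        total = poly_add(total, act(g, p))
    return poly_scale(total, Fraction(1, len(group)))

def is_invariant(group, p):
    """sigma.p = p for every sigma in the group."""
    return all(act(g, p) == p for g in group)

def cyclic_n_equation(n, k):
    """sum_i x_i x_{i+1} ... x_{i+k-1} (indices mod n): the k-th Cyclic-n equation."""
    p = {}
    for i in range(n):
        p = poly_add(p, monomial(n, [(i + j) % n for j in range(k)]))
    return p

def elementary_symmetric(n, k, squared=False):
    """e_k(x_1..x_n), or E_k = e_k(x_1^2..x_n^2) when squared=True."""
    p = {}
    for idx in combinations(range(n), k):
        p = poly_add(p, monomial(n, list(idx) * (2 if squared else 1)))
    return p

if __name__ == "__main__":
    C5 = cyclic_group(5)
    print("5*R(x1 x2) is the 2nd Cyclic-5 equation:",
          poly_scale(reynolds(C5, monomial(5, [0, 1])), 5) == cyclic_n_equation(5, 2))
    D4 = demihypercube_group(4)
    print("#D_4 =", len(D4), "; e_k invariant under D_4 for k=1..4:",
          [is_invariant(D4, elementary_symmetric(4, k)) for k in range(1, 5)])
```

Only $e_n$ and the squared $E_k$ pass the $D_n$ test, which is the content of the last theorem above: an odd $e_k$ picks up a sign under a single pair of sign changes unless every variable appears in every term.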

67. DLP

Discrete Logarithm Problem (DLP). Input: a finite group $G$ and $g, h \in G$. Question: find, if any, an integer $x$ such that $h = [x]g$.
For any $G$, generic algorithms: $O(\sqrt{\#G})$.
$G = (\mathbb{F}_q^{\times}, \times)$: index calculus, sub-exponential.
$G = (J_C(\mathbb{F}_q), +)$: if $g > 2$, index calculus, sub-exponential w.r.t. $q$.
$G = E(\mathbb{F}_q)$: no sub-exponential algorithm (except for few weak curves).
☞ If $q = p^m$: Diem // Gaudry index calculus attack.

68–69. Adaptation of index calculus (Gaudry // Diem)

Algorithm. Input: $P, Q \in E(\mathbb{F}_{q^n})$. Output: $x$ such that $Q = [x]P$.
1. Factor base: $\mathcal{F} = \{ (x, y) \in E(\mathbb{F}_{q^n}) \mid x \in \mathbb{F}_q \}$.
2. Compute relations: $[a_j]P \oplus [b_j]Q = P_1 \oplus \cdots \oplus P_n$, $P_i \in \mathcal{F}$ (proba $= \frac{1}{n!}$), until having $\#\mathcal{F} + 1$ such relations.
3. Linear algebra: $\sum_j [\lambda_j \cdot a_j]P \oplus [\lambda_j \cdot b_j]Q = 0_{E(\mathbb{F}_{q^n})}$.
Complexity for $n$ fixed: $\tilde{O}(q^{2 - 2/n})$ (Gaudry, eprint 2004 and JSC 2009 / Diem, ANTS 2006).

70. Problem: point decomposition (PDP)

Given $R \in E(\mathbb{F}_{q^n})$ and $\mathcal{F} = \{ (x, y) \in E(\mathbb{F}_{q^n}) \mid x \in \mathbb{F}_q \} \subset E(\mathbb{F}_{q^n})$, find $P_1, \ldots, P_n \in \mathcal{F}$ such that $R = P_1 \oplus \cdots \oplus P_n$.
Algebraic method: model the problem as a polynomial system $\{g_1, \ldots, g_s\}$ and solve this system.

71. Related work

[Joux, Vitse, eprint.iacr.org/2010/157] General approach, similar to the hybrid approach (specialization of one point):
  ➘ decreases the cost of solving the algebraic system;
  ➚ adds an exhaustive search on $\mathcal{F}$, of size $\sim q$.
☞ In practice: limits the size of $\mathbb{F}_q$, $q \sim 2^{30}$.

Goal (joint work with L. Huot and G. Renault). Focus on Edwards curves. ☞ Take advantage of the symmetries to decrease the cost of solving the system (in comparison to Gaudry). No exhaustive search, complexity linear w.r.t. $\log(q)$. ☞ For $n$ fixed, (almost) no limit on $q$.

72. Curve representations

Weierstrass: $E : y^2 = x^3 + a x + b$; for all $P = (x, y) \in E$, $\ominus P = (x, -y)$.
Twisted Edwards (Edwards, Bulletin of the AMS 2007; Bernstein et al., AFRICACRYPT 2008): $E_{a,d} : a x^2 + y^2 = 1 + d x^2 y^2$ where $a d (a - d) \ne 0$; for all $P = (x, y) \in E_{a,d}$, $\ominus P = (-x, y)$.

73. Summation polynomials in Weierstrass representation [Semaev, Technical report 2004]

Projection of the point decomposition problem: $\langle f_m(x_1, \ldots, x_m) \rangle = \langle g_1, \ldots, g_s \rangle \cap \mathbb{F}_{q^n}[x_1, \ldots, x_m]$.
For all $m \ge 2$, the $m$-th summation polynomial is defined by: for all $(x_1, \ldots, x_m) \in K^m$,
$$f_m(x_1, \ldots, x_m) = 0 \iff \exists\, (y_1, \ldots, y_m) \in K^m \text{ s.t. } \forall i,\ P_i = (x_i, y_i) \in E \text{ and } P_1 \oplus \cdots \oplus P_m = 0_{E(K)}.$$
Properties:
  For all $m > 2$, $f_m$ is symmetric: $f_{n+1}(x_1, \ldots, x_n, x_R) \to \tilde{f}_{n+1}(e_1, \ldots, e_n)$.
  If $E$ is defined by a Weierstrass equation then $\deg_{x_i}(f_m) = 2^{m-2}$.
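An added Python example (not from the talk) that checks the defining property of the third summation polynomial by brute force on a toy curve. The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{31}$ is a constructed parameter choice, and the explicit formula used for $f_3$ is Semaev's published one, assumed here rather than taken from the slides. For every triple of $x$-coordinates of affine points it confirms that $f_3(x_1, x_2, x_3) = 0$ exactly when some lifts $P_i = (x_i, y_i)$ satisfy $P_1 \oplus P_2 \oplus P_3 = 0_E$, and it checks that $f_3$ is symmetric; $\deg_{x_i} f_3 = 2 = 2^{3-2}$ can be read off the formula.

```python
# Toy Weierstrass curve y^2 = x^3 + A x + B over F_p (constructed parameters, not from the talk).
P_MOD = 31
A, B = 2, 3          # 4A^3 + 27B^2 = 275 = 27 mod 31, non-zero: the curve is non-singular
INF = None           # the point at infinity 0_E

def inv_mod(v):
    return pow(v % P_MOD, P_MOD - 2, P_MOD)

def on_curve(x, y):
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Chord-and-tangent addition P1 (+) P2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                       # P (+) (-P) = 0_E, also covers doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

POINTS = [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve(x, y)]
FIBERS = {}                              # x-coordinate -> the affine points above it (one or two)
for pt in POINTS:
    FIBERS.setdefault(pt[0], []).append(pt)

def f3(x1, x2, x3):
    """Semaev's third summation polynomial for y^2 = x^3 + A x + B, evaluated mod p
    (formula taken from the literature, assumed here):
    (x1-x2)^2 x3^2 - 2((x1+x2)(x1 x2 + A) + 2B) x3 + (x1 x2 - A)^2 - 4B(x1+x2)."""
    c2 = (x1 - x2) ** 2
    c1 = -2 * ((x1 + x2) * (x1 * x2 + A) + 2 * B)
    c0 = (x1 * x2 - A) ** 2 - 4 * B * (x1 + x2)
    return (c2 * x3 * x3 + c1 * x3 + c0) % P_MOD

def decomposable(x1, x2, x3):
    """True iff some lifts P_i = (x_i, y_i) on E satisfy P1 (+) P2 (+) P3 = 0_E."""
    return any(add(add(p1, p2), p3) is INF
               for p1 in FIBERS[x1] for p2 in FIBERS[x2] for p3 in FIBERS[x3])

def check_summation_polynomial():
    """Brute-force the defining property of f_3 over all triples of curve x-coordinates.
    Returns (triples checked, triples on which f_3 vanishes); raises if the property fails."""
    xs = sorted(FIBERS)
    checked = zeros = 0
    for x1 in xs:
        for x2 in xs:
            for x3 in xs:
                vanishes = f3(x1, x2, x3) == 0
                if vanishes != decomposable(x1, x2, x3):
                    raise AssertionError(f"property fails at {(x1, x2, x3)}")
                checked += 1
                zeros += vanishes
    return checked, zeros

def is_symmetric():
    """f_3 is symmetric in (x1, x2, x3), as stated for the summation polynomials."""
    r = range(P_MOD)
    return all(f3(a, b, c) == f3(b, a, c) == f3(c, b, a) == f3(a, c, b)
               for a in r for b in r for c in r)

if __name__ == "__main__":
    print(len(POINTS), "affine points;", check_summation_polynomial(),
          "; symmetric:", is_symmetric())
```

The brute force covers the edge cases too: when $x_1 = x_2$ the leading coefficient vanishes and $f_3$ becomes linear in $x_3$ with the doubling formula as its root, and for a 2-torsion $x$ it has no root at all, matching the fact that $P \oplus P = 0_E$ has no affine third point.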

74. Summation polynomials for twisted Edwards curves

We need to fix a small technical issue: for all $P = (x, y) \in E_{a,d}$ we have $\ominus P = (-x, y)$.
$$P_1 \oplus \cdots \oplus P_m = 0_{E_{a,d}} \;\Longrightarrow\; (\ominus P_1) \oplus \cdots \oplus (\ominus P_m) = 0_{E_{a,d}}, \qquad f_m(x_1, \ldots, x_m) = 0_{\mathbb{F}_{q^n}} \;\Longrightarrow\; f_m(-x_1, \ldots, -x_m) = 0_{\mathbb{F}_{q^n}}.$$
Degree is too big! $\deg_{x_i}(f_m) = (2^{m-2})^2$.
Trick: $x \leftrightarrow y$. Summation polynomials for Edwards curves: $f_{n+1}(y_1, \ldots, y_n, y_R)$.
Algorithm adaptation: $\mathcal{F} = \{ (x, y) \in E_{a,d}(\mathbb{F}_{q^n}) \mid y \in \mathbb{F}_q \}$.

75–76. Use that we are in some extension $\mathbb{F}_{q^n}$

Up to now we have only one equation: $\tilde{f}_{n+1}(e_1, \ldots, e_n) = 0$ with $x_i \in \mathbb{F}_q$, but $f_{n+1} \in \mathbb{F}_{q^n}[x_1, \ldots, x_n]$.
Weil restriction on the summation polynomial: $\mathbb{F}_{q^n}$ is an $n$-dimensional $\mathbb{F}_q$-vector space, so
$$\tilde{f}_{n+1}(e_1, \ldots, e_n) = 0_{\mathbb{F}_{q^n}} \iff \left(\tilde{f}^{(0)}_{n+1}(e_1, \ldots, e_n), \cdots, \tilde{f}^{(n-1)}_{n+1}(e_1, \ldots, e_n)\right) = 0.$$
$S = \{ \tilde{f}^{(0)}_{n+1}, \ldots, \tilde{f}^{(n-1)}_{n+1} \} \subset \mathbb{F}_q[x_1, \ldots, x_n]$: $n$ variables, $n$ equations, solutions in $\mathbb{F}_q$.
