Jean-Charles Faugre Joint work with: L. Huot G. Renault and M. - - PowerPoint PPT Presentation

Solving efficiently structured polynomial systems and Applications in Cryptology

Jean-Charles Faugère

Joint work with: L. Huot

• G. Renault

and M. Safey El Din, L Perret, P .J. Spaenlehauer, L. Bettale

ECC 2011 The 15th workshop on Elliptic Curve Cryptography INRIA, Nancy, France Sep 19 – 21, 2011

Polynomial System Solving and Applications

K ⊆ L Multivariate Polynomial Problem (PoSSo) Input: (f1, . . . , fm) ∈ K[x1, . . . , xn]m Question: Find – if any – z ∈ Ln such that f1(z) = ∙ ∙ ∙ = fm(z) = 0. Denote by VL the set of solutions. Focus Algebraic Computations Exact methods Approach Algorithms and complexity analysis Applications to validate the performance Write efficient software (integration in Maple).

Gröbner Bases

Buchberger (1965)

In this talk we focus on Gröbner bases methods. One of the fastest method to solve polynomial equations when K = L = Fq or K = Q and L = R or L = C Other efficient methods: Numerical methods: homotopy methods (continuation methods) Resultants Triangular Sets SAT Solvers in the Boolean case K = L = F2 . . .

Gröbner Bases

Definition (Buchberger 65) I a polynomial ideal. Gröbner basis (w.r.t. ≺ a monomial ordering): G ⊂ I a finite set of polynomials such that LM(I) = LM(G).

Gröbner Bases

Definition (Buchberger 65) I a polynomial ideal. Gröbner basis (w.r.t. ≺ a monomial ordering): G ⊂ I a finite set of polynomials such that LM(I) = LM(G). Theorem VF2 = ∅ ( no solution) iff GF2 = [1]. VF2 has exactly one solution iff GF2 = [x1 − a1, . . . , xn − an] where (a1, . . . , an) ∈ Fn

2.

Most of the time, if #VK < ∞ the shape of a Gröbner Basis for a lexicographical ordering x1 > ∙ ∙ ∙ > xn is the following: Shape Position          hn(xn) xn−1 − hn−1(xn) . . . x1 − h1(xn)

Algorithms to compute GB

Usually a two steps process: Input System Gröbner Basis: total degree Gröbner Basis: lexicographical FGLM: ≈ minimal polynomial

• f some matrix

Buchberger F4/F5 rely on linear algebra

Algebraic Cryptanalysis

Crypto ← →Computer Algebra

Algebraic Cryptanalysis

A General Method for Cryptanalysis Security of a cryptosystem hardness of solving a related multivariate polynomial system Cryptosystem (+ messages, ciphertexts, ...)

4 x2 + 5 x + 6 y2 + 3 y z + 5 y + 1 = 0 5 x2 + x y + 2 x z + 6 z2 + 3 z + 3 = 0 6 x z + 5 y2 + 2 y + 4 z2 + 6 z + 5 = 0

Secret Modeling

Algebraic Cryptanalysis

A General Method for Cryptanalysis Security of a cryptosystem hardness of solving a related multivariate polynomial system Cryptosystem (+ messages, ciphertexts, ...)

4 x2 + 5 x + 6 y2 + 3 y z + 5 y + 1 = 0 5 x2 + x y + 2 x z + 6 z2 + 3 z + 3 = 0 6 x z + 5 y2 + 2 y + 4 z2 + 6 z + 5 = 0 x = 4 y = 2 z = 0

Secret Modeling Solving

New trend

Very often experiment is needed to test the efficiency of the solving step. New trend Theoretical complexity analysis to explain the behavior of the attack

This is also useful to help the designers of new cryptosystems.

Roadmap: Specificity of the Cryptosystem − → Structured System What is the complexity of solving Structured System ?

Polynomial System Solving: structured systems

K ⊆ L Multivariate Polynomial Problem (PoSSo) Input: (f1, . . . , fm) ∈ K[x1, . . . , xn]m Question: Find – if any – one z ∈ Ln such that f1(z) = ∙ ∙ ∙ = fm(z) = 0. NP-hard even when K = K2

Polynomial System Solving: structured systems

K ⊆ L Multivariate Polynomial Problem (PoSSo) Input: (f1, . . . , fm) ∈ K[x1, . . . , xn]m Question: Find – if any – one z ∈ Ln such that f1(z) = ∙ ∙ ∙ = fm(z) = 0.

☞ Try to identify families of systems which are “easier to solve”:

Polynomial System Solving: structured systems

K ⊆ L Multivariate Polynomial Problem (PoSSo) Input: (f1, . . . , fm) ∈ K[x1, . . . , xn]m Question: Find – if any – one z ∈ Ln such that f1(z) = ∙ ∙ ∙ = fm(z) = 0.

☞ Try to identify families of systems which are “easier to solve”:

Almost all systems occurring in applications have a special structure: Symmetries: equations are left invariant by the action of a finite group. Sparse equations Overdetermined systems m ≫ n Multihomogeneous structure . . .

Structured systems : several applications in Crypto

[F .,Perret,Safey,Spaenlehauer,Bettale]

Multivariate Public Key Crypto

HFE

[F .,Otmani,Perret,Tillich, EC]

McEliece

Error Correcting

Codes

[F .,Huot,Renault]

Curves Point decomposition problem Twisted Edwards

[F .Lubicz, Robert, JA]

Curves

Computing modular correspondences for Abelian Varieties

Multi-Homogeneous Systems Takes advantage

• f the structure of the system

to speed up the resolution. Structure comes from the action

• f the automorphisms
• f the theta group
• r additional symmetries

twisted Edwards Curves

Main results/examples

Motivation to use the structure !

For (regular) quadratic systems: Overdetermined systems:

Semi-regular

n variables m = c nα equations

[Bardet, F.,Salvy]

− →

• Sub Exponential

if 1 < α < 2

Polynomial

if α = 2

Main results/examples

Motivation to use the structure !

For (regular) quadratic systems: Overdetermined systems:

Semi-regular

n variables m = c nα equations

[Bardet, F.,Salvy]

− →

• Sub Exponential

if 1 < α < 2

Polynomial

if α = 2 Use the fact that we are over Fq:

◮ [Bettale, F

.,Perret, JMC] : Hybrid Method direct Gröbner basis approach hybrid approach ∼ 21.8 n UOV q = 28, n = 60 security 2160 → 276 (Gröbner) → 259

◮ [Bardet, F

.,Salvy, Spaenlehauer] faster than exhaustive search over F2 (K = L = F2) complexity 20.792n n = 512 − → 2−52.3 faster

Motivation

Bilinear systems: fi(X, Y) =

• x∈X,y∈Y

ci,x,y x y where n = #X + #Y complexity is polynomial in #Solutions= n

#X

• ≪ 2n

[JSC2011,F.,Safey El Din, Spaenlehauer]

Applications:

◮ MinRank/HFE: [Crypto 2008] 328233s −

→ [Issac 2010] 935s

◮ Challenge A20 (Variant of McEliece):

24 hours (Magma) − → 0.05 sec [EC2010, F., Otmani,] Perret, Tillich]

Motivation

Bilinear systems: fi(X, Y) =

• x∈X,y∈Y

ci,x,y x y where n = #X + #Y complexity is polynomial in #Solutions= n

#X

• ≪ 2n

[JSC2011,F.,Safey El Din, Spaenlehauer]

Applications:

◮ MinRank/HFE: [Crypto 2008] 328233s −

→ [Issac 2010] 935s

◮ Challenge A20 (Variant of McEliece):

24 hours (Magma) − → 0.05 sec [EC2010, F., Otmani,] Perret, Tillich]

Use the symmetries:

◮ [JA, F.,Lubicz,Robert] : the action of the automorphisms

• f the theta group

> 24 hours − → 0.1 sec

◮ [F.,Huot, Renault] symmetries related to twisted Edwards Curves

this talk ! divides by 2n−1 the number of solutions/complexity untractable system− → 4h25min

Sparse Equations

Boolean Case K = L = F2 Sparse = each equation depends on ℓ variables, the expected complexity of the Agreeing-Gluing Algorithm is: O(20.711n) when ℓ = 6 O(20.405n) when ℓ = 3 .

• I. Semaev.

Sparse algebraic equations over finite fields. SIAM J. Comput., 39(2):388–409, 2009.

Structure inside Gröbner basis computation

F4/F5 algorithms develop specifjc linear algebra algorithms and implementations. linear algebra: a key step for Gröbner bases

take into

account the specific properties

• f the matrices.

Minrank: [Issac 2010] 935s − → [Pasco 2010] 73s

Structure inside Gröbner basis computation

matrices involved in FGLM are sparse (even for random system) Theorem (F.-Mou, 2011) % of nonzero entries: ∼

• 6

π 1 d√n d = deg(fi)

Use of sparse

algorithms. Random: [Magma] 1084s − → [Issac 2011] 0.71s Systems with 216 solutions are tractable

Random(n=3, d=10): 1000 × 1000, 6.86%

Sketch of the algorithms: Macaulay matrix in degree d

I = F = f1, . . . , fp deg(fi) = di ≻ a monomial ordering Macaulay≻(F, d) is the following matrix: Rows: all products t fi where deg(t) (d − di). Columns: monomials of degree d. m1 ≻ . . . ≻ mℓ t1 fk1 . . . ts fks   ci,j = coeff(ti fki, mj)   Row echelon forms of the Macaulay matrices = ⇒ Gröbner basis.

Sketch of the algorithms: Macaulay matrix in degree d

I = F = f1, . . . , fp deg(fi) = di ≻ a monomial ordering Macaulay≻(F, d) is the following matrix: Rows: all products t fi where deg(t) (d − di). Columns: monomials of degree d. m1 ≻ . . . ≻ mℓ t1 fk1 . . . ts fks   ci,j = coeff(ti fki, mj)   Row echelon forms of the Macaulay matrices = ⇒ Gröbner basis. Algorithmic Problem Rank defect = ⇒ useless computations. Goal: build full rank matrices (for instance F5) for regular sequences.

Complexity of Computing Gröbner Bases

Definition Degree of regularity dreg: indicator of the complexity of GB algorithms for homogeneous polynomials: the lowest integer d s.t. all monomials of degree d are in LM(I).

☞ maximal degree of a grevlex Gröbner basis is dreg.

Complexity of Computing Gröbner Bases

Definition Degree of regularity dreg: indicator of the complexity of GB algorithms for homogeneous polynomials: the lowest integer d s.t. all monomials of degree d are in LM(I).

☞ maximal degree of a grevlex Gröbner basis is dreg.

Hilbert Series Generating series: HS(t) = ∞

d=0 rdtd, where

rd = # Cols − Rank(Macaulay(F, d))

Finite number of solution: HS(t) = dreg−1

d=0

rdtd

Complexity of Computing Gröbner Bases

Definition Degree of regularity dreg: indicator of the complexity of GB algorithms for homogeneous polynomials: the lowest integer d s.t. all monomials of degree d are in LM(I).

☞ maximal degree of a grevlex Gröbner basis is dreg.

Hilbert Series Generating series: HS(t) = ∞

d=0 rdtd, where

rd = # Cols − Rank(Macaulay(F, d))

Finite number of solution: HS(t) = dreg−1

d=0

rdtd Theorem Complexity of computing a grevlex Gröbner basis: O n + dreg n ω

Example of generating series

Theorem n quadratic equations fi over Q then under some regularity assumption: HS(t) = (1 + t)n

Example of generating series

Theorem n quadratic equations fi over Q then under some regularity assumption: HS(t) = (1 + t)n Consequently, dreg = n + 1. Example Q, n = m = 50 quadratic equations (1 + z)50 = 1 + 50 z + ∙ ∙ ∙ + z50 + 0 z51 Hence the maximal degree occurring in the computation is 51 .

F5 algorithm: simple matrix version

Get rid of the trivial relations: fifj − fjfi = 0 f 2

i − fi = 0 when K = F2

Incremental algorithm (f1) + Gprev Incremental degree by degree Special/Simpler version of F5 for dense/generic quadratic polynomials. the maximal degree D is a parameter of the algorithm.

               m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .               

F5: compute Groebner (f1, . . . , fk), d + 1)

Already computed Groebner (f1, . . . , fk), d) Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                    

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                    

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

Matrix in degree d + 1

                t1 t2 t3 t4 t5 . . . . . . . . . w1xj fk 1 x x x . . . w1xj+1fk 1 x x . . . . . . . . . . . . . . . . . . . . . . . . w1xnfk 1 x . . . . . . . . .                

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

Matrix in degree d + 1

                  t1 t2 t3 t4 t5 . . . . . . . . . w1xj fk 1 x x x . . . w1xj+1fk 1 x x . . . . . . . . . . . . . . . . . . . . . . . . w1xnfk 1 x . . . . . . . . .                  

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

Matrix in degree d + 1

                  t1 t2 t3 t4 t5 . . . . . . . . . w1xj fk 1 x x x . . . w1xj+1fk 1 x x . . . . . . . . . . . . . . . . . . . . . . . . w1xnfk 1 x . . . . . . . . .                  

Remove w1xj+1fk iff

w1xj+1 ∈ LT(f1, . . . , fk−1)

F5: compute Groebner (f1, . . . , fk), d + 1)

Matrix in degree d

                    m1 m2 m3 m4 m5 . . . u1f1 1 x x x x . . . . . . ... x x x . . . ur1 f1 1 x x . . . . . . . . . . . . . . . . . . . . . . . . vrk−1 fk−1 1 x x . . . w1fk 1 x . . . w2fk 1 . . .                     if w1 = xα1

1

· · · x

αj j

Matrix in degree d + 1

                  t1 t2 t3 t4 t5 . . . . . . . . . w1xj fk 1 x x x . . . w1xj+1fk 1 x x . . . . . . . . . . . . . . . . . . . . . . . . w1xnfk 1 x . . . . . . . . .                  

Remove w1xj+1fk iff

w1xj+1 ∈ LT(Groebner (f1, . . . , fk−1), d − 1)

F5 criterion − → complexity of overdetermined systems

with M. Bardet and B. Salvy

Criterion: t fj is in the matrix if t / ∈ Id(LT<(Gj−1)), where Gj−1 is a Gröbner basis of {f1, . . . , fj−1}. Rd,i(n) number of rows in the matrix generated by F5 when computing a Gröbner basis of [f1, . . . , fi] in degree d.

Induction

When d ≥ 2 : Rd,i(n) = i∙ Md−2(n)

• number of monomials

degree ≤ d − 2 −

i−1

• j=1

Rd−2,j(n)

• F5 criterion

Induction

When d ≥ 2 : Rd,i(n) = i∙ Md−2(n)

• number of monomials

degree ≤ d − 2 −

i−1+δK,F2

• j=1

Rd−2,j(n)

• F5 criterion

End of the computation

#col= Md(n) #row= Rd,m(n)    Matrix generated by F5   

End of the computation

#col= Md(n) #row= Rd,m(n)    Matrix generated by F5   

End of the computation

#col= Md(n) #row= Rd,m(n)    Matrix generated by F5   

When hd,m(n) = #col − #row = 0 this end of the computation !

We compute the biggest real root n > 0 of hd,m(n) = 0.

Example For quadratic equations, m = n over F2: using the previous relation we can compute explicitly: U0,i(n) = U1,i(n) = 0 U2,i(n) = i n

• − 0 = i

U3,i(n) = i n

1

• −

i

• j=1

U1,j(n) = i n

Example For quadratic equations, m = n over F2: using the previous relation we can compute explicitly: U0,i(n) = U1,i(n) = 0 U2,i(n) = i n

• − 0 = i

U3,i(n) = i n

1

• −

i

• j=1

U1,j(n) = i n Then: h3,n(n) = M3(n) − U3,n(n) = n

3

• − n2

=

n(n2−9 n+2) 6

Example For quadratic equations, m = n over F2: using the previous relation we can compute explicitly: U0,i(n) = U1,i(n) = 0 U2,i(n) = i n

• − 0 = i

U3,i(n) = i n

1

• −

i

• j=1

U1,j(n) = i n Then: h3,n(n) = M3(n) − U3,n(n) = n

3

• − n2

=

n(n2−9 n+2) 6

The biggest real root of this polynomial:

h3,n(n)=n

• n − 9/2 − 1/2

√ 73 n − 9/2 + 1/2 √ 73

Example h3,n(n)=n

• n − 9/2 − 1/2

√ 73 n − 9/2 + 1/2 √ 73

• biggest real root is: 9/2 + 1/2

√ 73 ≈ 8.772 so that N3 = 9.

Example h3,n(n)=n

• n − 9/2 − 1/2

√ 73 n − 9/2 + 1/2 √ 73

• biggest real root is: 9/2 + 1/2

√ 73 ≈ 8.772 so that N3 = 9. Hence d ≤ 3 when n ≤ 9 : d 3 4 5 6 7 8 9 Nd 9 16 24 32 41 49 58

Example h3,n(n)=n

• n − 9/2 − 1/2

√ 73 n − 9/2 + 1/2 √ 73

• biggest real root is: 9/2 + 1/2

√ 73 ≈ 8.772 so that N3 = 9. Hence d ≤ 3 when n ≤ 9 : d 3 4 5 6 7 8 9 Nd 9 16 24 32 41 49 58

1

n < 9 = N3 the maximal degree in F5 is 3; the total complexity O(n3ω).

2

N3 = 9 ≤ n < N4 = 16 the maximal degree is 4 and complexity is O(n4ω).

3

. . .

Generating series

Theorem fi of degree di, i = 1, . . . , m finite field Fq then Hm = ∞

d=0 hd,m zd = m

• i=1
• 1−(1−δK,F2) zdi

1+δK,F2zdi 1−δK,F2 z2 1−z

n

Generating series

Theorem fi of degree di, i = 1, . . . , m finite field Fq then Hm = ∞

d=0 hd,m zd = m

• i=1
• 1−(1−δK,F2) zdi

1+δK,F2zdi 1−δK,F2 z2 1−z

n particular case: di = 2, F2, n = m equations

∞

• d=0

hd,n zd = 1 + z 1 + z2 n

Generating series

particular case: di = 2, F2, n = m equations

∞

• d=0

hd,n zd = 1 + z 1 + z2 n Example F2, n = m = 50 semi-regular quadratic equations

• 1+z

1+z2

50 = 1 + 50 z + 1175 z2 + 17100 z3 + 170325 z4 + 1202510 z5 +5915475 z6 + 17831400 z7 + 9196475 z8−205886050 z9 +O

• z10

Hence the maximal degree occurring in the computation is 9 .

Asymptotic estimate

biggest real root of hd,n = 1 2iπ

• C

1 + z 1 + z2 n dz zd+1 dn =

1 λ0 n − λ1 λ

4 3

n

1 3 + O( 1

n

1 3 )

dn ≈

n 11.11360 + 1.0034n

1 3 + O( 1

n

1 3 )

where λ0 = 3/2 √ 3 + 5/2 + 1/2

• 72 + 42

√ 3 ≈ 11.13 the expression of λ1 contains the biggest real root of the Airy function (solution of ∂2y

∂z2 − zy = 0)

The formula is almost exact when n ≥ 3 !

Maximal degree

2 4 6 8 10 12 14 16 01 02 03 04 05 06 07 08 09 100

n

Maximal Degree in the Gröbner basis computation

HFE 128<d<513 HFE 16<d<129 HFE 3<d<17

random system

Complexity: overdetermined systems

k is a constant (does not depend on n). di total degree of fi. Under regularity assumption: m Degree dmax m ≤ n K, di = 2 m + 1 ( Macaulay bound) m ≤ n K 1 +

n+1

• i=1

(di − 1) ( Macaulay bound) n + k K, di = 2

m 2 − hk,1

• m

2 + o(1)

n + k K

n+k

• i=1

di−1 2

− hk,1

• n+k
• i=1

d2

i −1

6

+ o(1) 2 n K, di = 2

n 11.6569 + 1.04 n

1 3 − 1.47 + 1.71 n− 1 3 + O

• n− 2

3

• k n

K, di = 2 (k − 1

2 −

• k(k − 1))n +

−a1 2(k(k−1))

1 6 n 1 3 + O(1)

n F2, di = 2

n 11.1360 + 1.0034 n

1 3 − 1.58 + O(n− 1 3 )

k n F2, di = 2

• −k + 1

2 + 1 2

• 2k(k − 5) − 1 + 2(k + 2)
• k(k + 2)
• n

Classification

Classification: m number of polynomials, n number of variables Complexity m = cste n single exponential m = cste nα sub exponential m = cste n2 polynomial

Bilinear Equations in Algebraic Attacks: Motivation

Powerful attack somewhat similar to Lattice attacks: we consider k vectors vi = [. . . , vi,j, . . .] with vi,j ∈ Z Try to find: (λ1, . . . , λk) ∈ Zk such that

k

• i=1

λivi is small

Bilinear Equations in Algebraic Attacks: Motivation

Powerful attack somewhat similar to Lattice attacks: we consider k vectors vi = [. . . , vi,j, . . .] with vi,j ∈ Z Try to find: (λ1, . . . , λk) ∈ Zk such that

k

• i=1

λivi is small using LLL: find a ≈ small vector in Polynomial Time

Bilinear Equations in Algebraic Attacks: Motivation

For k quadratic multivariate polynomials fi ∈ K[x1, . . . , xn]: fl → H(fl) = Ml = ∂2fl ∂xi∂xj

• 1i,jn

matrix representation of fi Try to find: (λ1, . . . , λk) ∈ Kk such that:

k

• i=1

λiMi is “small”

Bilinear Equations in Algebraic Attacks: Motivation

For k quadratic multivariate polynomials fi ∈ K[x1, . . . , xn]: fl → H(fl) = Ml = ∂2fl ∂xi∂xj

• 1i,jn

matrix representation of fi Try to find: (λ1, . . . , λk) ∈ Kk such that:

k

• i=1

λiMi is of small rank

Bilinear Equations in Algebraic Attacks: Motivation

For k quadratic multivariate polynomials fi ∈ K[x1, . . . , xn]: fl → H(fl) = Ml = ∂2fl ∂xi∂xj

• 1i,jn

matrix representation of fi Try to find: (λ1, . . . , λk) ∈ Kk such that:

k

• i=1

λiMi is

• f rank r

Minrank Problem

Bilinear Equations in Algebraic Attacks: Motivation

For k quadratic multivariate polynomials fi ∈ K[x1, . . . , xn]: fl → H(fl) = Ml = ∂2fl ∂xi∂xj

• 1i,jn

matrix representation of fi Try to find: (λ1, . . . , λk) ∈ Kk such that:

k

• i=1

λiMi is

• f rank r

Minrank Problem That is to say: in some basis k

i=1 λifi depends only on r variables.

Two algebraic modelings: structured equations

M = M0 − k

i=1 λiMi.

The minors modeling Rank(M) ≤ r

• all minors of size (r + 1) of M vanish.

m

r+1

2 equations of degree r + 1. k variables. Few variables, lots of equations, high degree !!

The Kipnis-Shamir modeling

Rank(M) ≤ r ⇔ ∃x(1), . . . , x(m−r) ∈ Ker(M).

M ∙

         

Im−r

x(1)

1

. . . x(m−r)

1

. . . . . . . . . x(1)

r

. . . x(m−r)

r

         

= 0.

m(m − r) bilinear equations. k + r(m − r) variables.

Applications of bilinear equations in Crypto: Cryptanalysis of HFE and MinRank [CRYPTO’08, ISSAC’10, PKC’11]. Cryptanalysis of McEliece [EUROCRYPT’10].

Bilinear systems

joint work with M. Safey El Din and PJ Spaenlehauer

F = (f1, . . . , fm): system of homogeneous bilinear equations. fi(X, Y) =

• x∈X,y∈Y

ci,x,y x y where n = #X + #Y jacX(Fi) =    

∂f1 ∂x0

. . .

∂f1 ∂xnx

. . . . . . . . .

∂fi ∂x0

. . .

∂fi ∂xnx

    jacY(Fi) =    

∂f1 ∂y0

. . .

∂f1 ∂yny

. . . . . . . . .

∂fi ∂y0

. . .

∂fi ∂yny

    Euler relations f =

• xj

∂f ∂xj =

• yj

∂f ∂yj .    f1 . . . fi    = jacX(Fi) ∙    x0 . . . xnx    = jacY(Fi) ∙    y0 . . . yny   

Complexity of affine bilinear systems

In affine case: x0 = 1, y0 = 1 and the number of variables is n = nX + nY Theorem: degree of regularity [JSC 2011] Degree of regularity of a generic 0-dim affjne bilinear system for the grevlex ordering: dreg 1 + min(nx, ny). Sharp bound in practice.

Degree of regularity: idea of the proof

Affine: x0 = 1 Choose the block of variables of smallest cardinality, we assume nX ≤ nY . I = f1, ∙ ∙ ∙ , fn Bilinear system of K[X, Y] ⇐ ⇒ JX x =   

∂f1 ∂x0

. . .

∂f1 ∂xnx

. . . ... . . .

∂fn ∂x0

. . .

∂fn ∂xnx

   ∙    

1 x1 . . . xnx

    = 0.

Degree of regularity: idea of the proof

Affine: x0 = 1 Choose the block of variables of smallest cardinality, we assume nX ≤ nY . I = f1, ∙ ∙ ∙ , fn Bilinear system of K[X, Y] ⇐ ⇒ JX x =   

∂f1 ∂x0

. . .

∂f1 ∂xnx

. . . ... . . .

∂fn ∂x0

. . .

∂fn ∂xnx

   ∙    

1 x1 . . . xnx

    = 0. JX is singular ! JX is a singular p × q = (nX + 1) × (nX + nY) matrix. = ⇒ all the maximal minors are = 0 !

Degree of regularity: idea of the proof

I = f1, ∙ ∙ ∙ , fn Bilinear system of K[X, Y] ⇐ ⇒ JX x =   

∂f1 ∂x0

. . .

∂f1 ∂xnx

. . . ... . . .

∂fn ∂x0

. . .

∂fn ∂xnx

   ∙    

1 x1 . . . xnx

    = 0. JX is singular ! JX is a singular p × q = (nX + 1) × (nX + nY) matrix. = ⇒ all the maximal minors are = 0 !

Determinantal miracle !

A Theorem of Bernstein, Sturmfels and Zelevinski M a p × q matrix whose entries are variables. The maximal minors of M are a universal Gröbner basis.

Degree of regularity: idea of the proof

JX is singular ! JX is a singular p × q = (nX + 1) × (nX + nY) matrix. = ⇒ all the maximal minors are = 0 ! Extension of the Theorem of Bernstein, Sturmfels and Zelevinski [JSC 2011] JX a p × q linear matrix with coefficients in K[y1, . . . , ynY ], the maximal minors of M are a grevlex Gröbner basis. LM(Minors(JX)) = all monomials of degree nX + 1 in y1, . . . , ynY .

Degree of regularity: idea of the proof

JX is singular ! JX is a singular p × q = (nX + 1) × (nX + nY) matrix. = ⇒ all the maximal minors are = 0 ! Extension of the Theorem of Bernstein, Sturmfels and Zelevinski [JSC 2011] JX a p × q linear matrix with coefficients in K[y1, . . . , ynY ], the maximal minors of M are a grevlex Gröbner basis. LM(Minors(JX)) = all monomials of degree nX + 1 in y1, . . . , ynY . Rewrite JX x = A(y)    x1 . . . xnx    + b = 0 Cramer’s rule : det(A(y))    x1 . . . xnx    + Adj(A)b ∈ I

Degree of regularity: idea of the proof

JX is singular ! JX is a singular p × q = (nX + 1) × (nX + nY) matrix. = ⇒ all the maximal minors are = 0 ! Extension of the Theorem of Bernstein, Sturmfels and Zelevinski [JSC 2011] JX a p × q linear matrix with coefficients in K[y1, . . . , ynY ], the maximal minors of M are a grevlex Gröbner basis. LM(Minors(JX)) = all monomials of degree nX + 1 in y1, . . . , ynY . Rewrite JX x = A(y)    x1 . . . xnx    + b = 0 Cramer’s rule :    x1 . . . xnx    + det(A(y))−1Adj(A)b ∈ I

Degree of regularity: idea of the proof

JX is singular ! JX is a singular p × q = (nX + 1) × (nX + nY) matrix. = ⇒ all the maximal minors are = 0 ! Extension of the Theorem of Bernstein, Sturmfels and Zelevinski [JSC 2011] JX a p × q linear matrix with coefficients in K[y1, . . . , ynY ], the maximal minors of M are a grevlex Gröbner basis. LM(Minors(JX)) = all monomials of degree nX + 1 in y1, . . . , ynY . Rewrite JX x = A(y)    x1 . . . xnx    + b = 0 Cramer’s rule :    x1 . . . xnx    + det(A(y))−1Adj(A)b ∈ I Any nX

j=1 x αj j

nY

k=1 yβk k

− → nY

k=1 yγk k

mod Minors(JX) with γk ≤ nX

Trivial Syzygies of Bilinear Systems

An example with small parameters: nx = ny = 2, m = 4

We rewrite the usual trivial syzygie as: 0 = f2f 1 − f1f 2 =

• f 1

f 2 f1 f2

Trivial Syzygies of Bilinear Systems

An example with small parameters: nx = ny = 2, m = 4

We rewrite the usual trivial syzygie as: 0 = f2f 1 − f1f 2 =

• f 1

f 2 f1 f2

• Theorem (Trivial Syzygies)

When nx = ny = 2, m = 4 the trivial syzygies of a generic bilinear system are:

• f i

f j fi fj

• i = j,
• f 1

f 2 f 3 f 4

∂f1 ∂x0 ∂f2 ∂x0 ∂f3 ∂x0 ∂f4 ∂x0 ∂f1 ∂x1 ∂f2 ∂x1 ∂f3 ∂x1 ∂f4 ∂x1 ∂f1 ∂x2 ∂f2 ∂x2 ∂f3 ∂x2 ∂f4 ∂x2

• ,
• f 1

f 2 f 3 f 4 jacY(F4)

Results

1

Variant of F5: avoid computing zero.

2

Characterize a “nice” subclass of systems. we defined a notion of biregularity. Theorem Generically, bilinear systems are biregular, i.e. the set of biregular bilinear systems is a Zariski nonempty open subset.

3

Generic Hilbert series. HSI(t1, t2) =

• dim(K[X, Y]α,β/Iα,β)tα

1 tβ 2

We can compute it explicitly!

4

Complexity analysis.

Complexity

Solving affine bilinear systems The complexity of computing a grevlex Gröbner basis of a zero-dimensional ideal generated by generic affine bilinear polynomials is polynomial in the number of solutions n

nx

• =

n

ny

• O(Monomials(1 + min(nx, ny))ω) ≈ O
• 2ω min(nx,ny)

. Consequences: nx constant, ny grows = ⇒ complexity polynomial in ny. X and Y unbalanced ⇒ easy to solve. Better than Macaulay bound: O(Monomials(nx + ny + 1)ω) ≈ O

• 2ω(nx+ny)

. nX is a constant in the case of Minrank challenges !

Solving Systems with Symmetries

G is a finite group. Compute the roots of the system: VL = {z ∈ Ln | f1(z) = ∙ ∙ ∙ = fm(z) = 0} Two cases: Most difficult case: VL is invariant by G: if z ∈ VL then σ . z ∈ VL for all σ ∈ G Open Issue to compute efficiently VL/G even if G = Sn

Solving Systems with Symmetries

G is a finite group. Compute the roots of the system: VL = {z ∈ Ln | f1(z) = ∙ ∙ ∙ = fm(z) = 0} Two cases: Most difficult case: VL is invariant by G: if z ∈ VL then σ . z ∈ VL for all σ ∈ G Open Issue to compute efficiently VL/G even if G = Sn Each equation is invariant by G σ . fi = fi for all σ ∈ G

Invariant ring

Definition K[x1, . . . , xn] and G ⊂ GL(K, n) a linear group acting on Kn. K[x1, . . . , xn]G = {p ∈ K[x1, . . . , xn] | σ ∙ p = p for all σ ∈ G} where (σ ∙ p)(v) = p(σ−1 ∙ v) for all v ∈ Kn. Hilbert’s finiteness theorem If G is a linear group then its invariant ring is finitely generated. Theorem K[x1, . . . , xn]Sn = K[e1, . . . , en] where ek =

• 1≤i1<i2<...<ik≤n

xi1xi2 ∙ ∙ ∙ xik is the kth elementary symmetric polynomial.

Hironaka decomposition

G is a linear group = ⇒ K[x1, . . . , xn]G There exist primary invariants θ1, . . . , θn ∈ K[x1, . . . , xn]G algebraically independent secondary invariants η1, . . . , ηt ∈ K[x1, . . . , xn]G Method proposed by [Sturmfels]: Each equation: f ∈ K[x1, . . . , xn]G − → f(θ1, . . . , θn, η1, . . . , ηt)

Hironaka decomposition

G is a linear group = ⇒ K[x1, . . . , xn]G There exist primary invariants θ1, . . . , θn ∈ K[x1, . . . , xn]G algebraically independent secondary invariants η1, . . . , ηt ∈ K[x1, . . . , xn]G Method proposed by [Sturmfels]: Each equation: f ∈ K[x1, . . . , xn]G − → f(θ1, . . . , θn, η1, . . . , ηt) OK : we compute a Gröbner basis of I(VL/G) NOK: the resulting system is often more difficult to solve than the

• riginal !

◮ we have n + t variables ◮ the η1, . . . , ηt are not independent

Add equations: F(η1, . . . , ηt) = 0

First easy case: each equation is invariant

Example (Cyclic n problem) G = Cn                x1 + ∙ ∙ ∙ + xn = 0 x1x2 + ∙ ∙ ∙ + xixi+1 + ∙ ∙ ∙ = 0 ∙ ∙ ∙ ∙ ∙ ∙ + xixi+1 ∙ ∙ ∙ xi+k−1 + ∙ ∙ ∙ = 0 ∙ ∙ ∙ x1x2 ∙ ∙ ∙ xn = 1 R(f) = 1 #G

• σ∈G

σ.f Reynolds

First easy case: each equation is invariant

Example (Cyclic n problem) G = Cn                R(x1) = 0 R(x1x2) = 0 ∙ ∙ ∙ R(x1x2 ∙ ∙ ∙ xk−1) = 0 ∙ ∙ ∙ x1x2 ∙ ∙ ∙ xn = 1 R(f) = 1 #G

• σ∈G

σ.f Reynolds Very compact representation !

First easy case: each equation is invariant

Example (Cyclic n problem) G = Cn                R(x1) = 0 R(x1x2) = 0 ∙ ∙ ∙ R(x1x2 ∙ ∙ ∙ xk−1) = 0 ∙ ∙ ∙ x1x2 ∙ ∙ ∙ xn = 1 R(f) = 1 #G

• σ∈G

σ.f Reynolds Very compact representation ! Theory to adapt Gröbner basis theory: Subalgebra Analog to Gröbner Basis for Ideals = SAGBI

L.Robbiano and M. Sweedler. Subalgebra bases. Commutative algebra, pp. 61–87 in LMM. 1430, Springer, 1990.

• D. Kapur and K. Madlener,

A completion procedure for computing a canonical basis for a k-subalgebra",

• pp. 1-11 in Computers and Mathematics (Cambridge, MA, 1989), edited

First easy case: each equation is invariant

Example (Cyclic n problem) G = Cn                R(x1) = 0 R(x1x2) = 0 ∙ ∙ ∙ R(x1x2 ∙ ∙ ∙ xk−1) = 0 ∙ ∙ ∙ x1x2 ∙ ∙ ∙ xn = 1 R(f) = 1 #G

• σ∈G

σ.f Reynolds Very compact representation ! SAGBI Gröbner Bases : in general infinite ! Propose efficient algorithms (variants of F5 and FGLM) to represent solutions of the system by another system in e1, . . . , en. Example Cyclic n = 5 Symmetric Gröbner basis: [e1, 125 e2 + e34, e36 + 3125 e3, e4, e5 − 1]

Algorithm [F., Rahmany, 2009]

Input System in K[x1, . . . , xn]G

✻

D-Sagbi Matrix F5-Inv algorithm

✲

FGLM-Invariant algorithm D- Sym Gröbner basis in K[e1, . . . , en]

❄ ✛ ✚ ✘ ✙

Test Zero Dim ?

✛

no D := D + 1 yes

✲ Solutions

Ln recovering solutions Gröbner basis in the invariant ring K[e1, . . . , en] where ei is the i-th elementary symmetric polynomial.

Experiments ...

n D F5-invariant Magma 2.15-7 (F4) cyclic 9 15 10.4 s 136.1 s cyclic 10 16 206.1 s "Killed" cyclic 11 17 1 h 54 m cyclic 12 18 16 h 34m

Experiments ...

n D F5-invariant Magma 2.15-7 (F4) cyclic 9 15 10.4 s 136.1 s cyclic 10 16 206.1 s "Killed" cyclic 11 17 1 h 54 m cyclic 12 18 16 h 34m Reduced size of the computed objects: #Solutions #polynomials Max length of poly C7 lex 924 35 132 inv C7 lex 57 4 9 C8 lex dim 1 57 2545 inv C8 lex dim 1 15 87 inv C9 lex dim 2 7 41

Second easy case: G is a reflection group

Theorem (Chevalley, Shepard, Todd) If char(K) ∤ #G then G is a reflection group = ⇒ K[x1, . . . , xn]G = K[θ1, . . . , θn] where θ1, . . . , θn ∈ K[x1, . . . , xn] are algebraically independent.

Second easy case: G is a reflection group

Theorem (Chevalley, Shepard, Todd) If char(K) ∤ #G then G is a reflection group = ⇒ K[x1, . . . , xn]G = K[θ1, . . . , θn] where θ1, . . . , θn ∈ K[x1, . . . , xn] are algebraically independent. Example (DLP Edwards) Consider a set of symmetric equations. In addition we assume that (y1, . . . , yn) ∈ VL = ⇒ (−y1, −y2, y3, . . . , yn) ∈ VL = ⇒ (y1, −y2, −y3, . . . , yn) ∈ VL even number change of signs on {y1, . . . , yn} .

Second easy case: G is a reflection group

Example (DLP Edwards) Consider a set of symmetric equations. In addition we assume that (y1, . . . , yn) ∈ VL = ⇒ (−y1, −y2, y3, . . . , yn) ∈ VL = ⇒ (y1, −y2, −y3, . . . , yn) ∈ VL ⌊ n

2⌋

i=0

n

2i

• = 2n−1 even number change of signs on {y1, . . . , yn} .

Definition (Coxeter Group) Dn is the symmetry group of the n-demi hypercube. Dn = (Z/2Z)n−1 ⋊ Sn = ⇒ #Dn = n! ∙ 2n−1 Theorem Fq[y1, . . . , yn]Dn = Fq[E1, . . . , En−1, en] where Ei = ei(y2

1, . . . , y2 n) the ith elementary symmetric polynomial in

terms of y2

i .

DLP

Discrete Logarithm Problem (DLP) Input: finite group G and g, h ∈ G, Question: Find – if any – an integer x such that h = [x] g. For any G, generic algorithms O √#G

• .

G = (F×

q , ×), index calculus sub-exponential.

G = (JC(Fq), +) if g > 2 index calculus sub-exponential w.r.t. q. G = E(Fq) no sub-exponential algorithm (except for few weak curves)

if q = pm, Diem // Gaudry index calculus attack.

Adaptation of index calculus (Gaudry//Diem)

Algorithm Input : P, Q ∈ E(Fqn) Output : x such that Q = [x]P

• 1. Factor base : F = {(x, y) ∈ E(Fqn) | x ∈ Fq}
• 2. Compute relations :

[aj]P ⊕ [bj]Q = P1 ⊕ ∙ ∙ ∙ ⊕ Pn, Pi ∈ F

• proba = 1

n!

• until having #F + 1 such relations
• 3. Linear algebra
• j

[λj ∙ aj]P ⊕ [λj ∙ bj]Q = 0E(Fqn)

Adaptation of index calculus (Gaudry//Diem)

Algorithm Input : P, Q ∈ E(Fqn) Output : x such that Q = [x]P

• 1. Factor base : F = {(x, y) ∈ E(Fqn) | x ∈ Fq}
• 2. Compute relations :

[aj]P ⊕ [bj]Q = P1 ⊕ ∙ ∙ ∙ ⊕ Pn, Pi ∈ F

• proba = 1

n!

• until having #F + 1 such relations
• 3. Linear algebra
• j

[λj ∙ aj]P ⊕ [λj ∙ bj]Q = 0E(Fqn) Complexity For n fixed, O(q2− 2

n ) (Gaudry, pprint 2004 and JSC 2009 / Diem, ANTS 2006)

Problem : point decomposition (PDP)

Given: R ∈ E(Fqn) F = {(x, y) ∈ E(Fqn) | x ∈ Fq} ⊂ E(Fqn) find P1, . . . , Pn ∈ F such that R = P1 ⊕ . . . ⊕ Pn Algebraic method Modeling the problem as a polynomial system {g1, . . . , gs} and solve this system.

Related work

[Joux, Vitse eprint.iacr.org/2010/157] General approach. Similar to hybrid approach (specialization of one point)

➘ decrease the cost of solving the algebraic system ➚ add an exhaustive search on F of size ∼ q In practice: limits the size of Fq, q ∼ 230

Goal (joint work with L. Huot and G. Renault) Focus on Edwards curves Take advantage of the symmetries to decrease the cost of solving system (in comparison to Gaudry). No exhaustive search, complexity linear w.r.t. log(q).

for n fixed, (almost) no limit on q

Curve representations

Weierstrass E : y2 = x3 + a x + b ∀P = (x, y) ∈ E, ⊖P = (x, −y). Twisted Edwards

Edwards, Bulletin of the AMS 2007 Bernstein et al., AFRICACRYPT 2008

Ea,d : a x2 + y2 = 1 + d x2y2 where ad(a − d) = 0. ∀P = (x, y) ∈ Ea,d, ⊖P = (−x, y).

Summation polynomials in Weierstrass representation

[Semaev, Technical report 2004]

Projection of point decomposition problem fm(x1, . . . , xm) = g1, . . . , gs ∩ Fqn[x1, . . . , xm] ∀m ≥ 2 mth summation polynomial is defined by ∀(x1, . . . , xm) ∈ K

m,

fm(x1, ..., xm) = 0

• ∃(y1, ..., ym) ∈ K

m s.t. ∀i, Pi = (xi, yi) ∈ E and P1 ⊕ ∙ ∙ ∙ ⊕ Pm = 0E(K)

Properties ∀m > 2, fm is symmetric fn+1(x1, . . . , xn, xR) − → ˜ fn+1(e1, . . . , en) If E is defined by a Weierstrass equation then degxi(fm) = 2m−2.

Summation polynomials for twisted Edwards curves

We need to fix a small technical Issue: For all P = (x, y) ∈ Ea,d we have ⊖P = (−x, y).

• P1 ⊕ ∙ ∙ ∙ ⊕ Pm = 0Ea,d

fm(x1, . . . , xm) = 0Fqn = ⇒

• (⊖P1) ⊕ ∙ ∙ ∙ ⊕ (⊖Pm) = 0Ea,d

fm(−x1, . . . , −xm) = 0Fqn Degree is too big ! degxi(fm) = (2m−2)2 Trick : x ↔ y Summation polynomials for Edwards curves : fn+1(y1, . . . , yn, yR). Algorithm adaptation : F = {(x, y) ∈ Ea,d(Fqn) | y ∈ Fq}

Use that we are in some extension Fqn

Up to now we have only one equation: ˜ fn+1(e1, . . . , en) = 0 but xi ∈ Fq fn+1 ∈ Fqn[x1, . . . , xn]

Use that we are in some extension Fqn

Up to now we have only one equation: ˜ fn+1(e1, . . . , en) = 0 but xi ∈ Fq fn+1 ∈ Fqn[x1, . . . , xn] Weil restriction on summation polynomial Fqn : n dimensional Fq-vector space ˜ fn+1(e1, . . . , en) = 0Fqn =

• ˜

f (0)

n+1(e1, . . . , en), ∙ ∙ ∙ ,˜

f (n−1)

n+1 (e1, . . . , en)

• 

 

• S = {˜

f (0)

n+1, . . . ,˜

f (n−1)

n+1 } ⊂ Fq[x1, . . . , xn]

• n variables, n equations
• solutions in Fq

Semaev modeling: Weierstrass vs. twisted Edwards

Weierstrass LEX Gröbner Basis of SSn :                  e1 + h1(en) e2 + h2(en) . . . en−2 + hn−2(en) en−1 + hn−1(en) hn(en) deg(hn) = 2n(n−1) deg(SSn) = 2n(n−1) Edwards LEX Gröbner Basis of SSn :                  e1 + h1(en−1, en) e2 + h2(en−1, en) . . . en−2 + hn−2(en−1, en) hn−1(en−1, en) hn(en) deg(hn) = 2(n−1)2 degen−1(hn−1) = 2n−1 deg(SSn) = 2n(n−1)

Action of 2-torsion point

Definition Ea,d : ax2 + y2 = +dx2y2 has a 2-torsion point T2 = (0, −1) i.e. [2]T2 = 0Ea,d. Property ∀P = (x, y) ∈ Ea,d(Fqn), P ⊕ T2 = (−x, −y).

Action of 2-torsion point

Definition Ea,d : ax2 + y2 = +dx2y2 has a 2-torsion point T2 = (0, −1) i.e. [2]T2 = 0Ea,d. Property ∀P = (x, y) ∈ Ea,d(Fqn), P ⊕ T2 = (−x, −y). Action on the points (geometry) P1 ⊕ ∙ ∙ ∙ ⊕ Pn = R ⇐ ⇒ (P1 ⊕ T2) ⊕ (P2 ⊕ T2) ⊕ P3 ⊕ ∙ ∙ ∙ ⊕ Pn = R For any combination of an even number of T2.

Action of 2-torsion point

Definition Ea,d : ax2 + y2 = +dx2y2 has a 2-torsion point T2 = (0, −1) i.e. [2]T2 = 0Ea,d. Property ∀P = (x, y) ∈ Ea,d(Fqn), P ⊕ T2 = (−x, −y). Action on the points (geometry) P1 ⊕ ∙ ∙ ∙ ⊕ Pn = R ⇐ ⇒ (P1 ⊕ T2) ⊕ (P2 ⊕ T2) ⊕ P3 ⊕ ∙ ∙ ∙ ⊕ Pn = R (y1, . . . , yn) ∈ VR ⇐ ⇒ (−y1, −y2, y3, . . . , yn) ∈ VR For any combination of an even number of T2. Theorem fn+1(y1, . . . , yn, yR) ∈ Fqn[y1, . . . , yn]Dn ˜ fn+1(e1, . . . , en) − → ˆ fn+1(E1, . . . , En−1, en) where Ei = ei(y2

1, . . . , y2 n)

New Semaev modeling: Weierstrass vs. Edwards

Weierstrass LEX Gröbner Basis of SSn :              e1 + h1(en) e2 + h2(en) . . . en−1 + hn−1(en) hn(en) deg(hn) = 2n(n−1) Edwards LEX Gröbner Basis of SDn :              E1 + h1(en) E2 + h2(en) . . . En−1 + hn−1(en) hn(en) deg(hn) = 2(n−1)2 new system such that deg(SDn) = deg(S) #Dn = deg(SSn) 2n−1 .

• Much faster Gröbner basis computation

Complexity of FGLM ÷2ω(n−1) using the action of T2.

Some practical results

#Fq : 16 bits n DRL LEX Total # ops Time Deg Time Time 4

• W. sym

6s 4096 460s 466s 229 FGb Edwards Dn 512 3s 3s 223 5

• W. sym

∞ ∞

FGb Edwards Dn 12297s 65536 3656s 15953s 245 n = 4 #Fq (bits) 32 64 128 160 Total time (s)

• W. sym

6922s 4717s 5837s 6898s Magma Edwards Dn 43s 40s 53s 73s

Security domains parameters

n log2(q) #E(Fqn) Gen Algo DLPV 4 32 2128 W. 268 Edwards 265 64 2256 W. 2134 2117 Edwards 2114 128 2512 W. 2264 2214 Edwards 2211 5 32 2160 285 64 2320 W. 2167 2?? Edwards 2127 128 2640 W. 2329 2?? Edwards 2231 Number of Boolean operations needed to solve the ECDLP defined over Fqn for n = 4, 5 and 32 ≤ log2(q) ≤ 128.

Conclusion

Summary for DLP Edwards + Jacobi Intersections : action of 2-torsion point New change of variables ← − symmetric group + 2-torsion point Practical improvements

⊲ huge factor save to solve the systems ⊲ decomposition in 5 points solved ⊲ complexity of point decomposition problem linear w.r.t. log(q) for n ≤ 5

Conclusion Use the structure can speedup Algebraic Attack Sometimes change the complexity of the attack Many Open Issues: Symmetries, Multihomogeneous, Sparse equations, . . .