Solving Multivariate Polynomial Systems and an Invariant from - - PowerPoint PPT Presentation

▶

Jul 24, 2023 306 likes •377 views

Solving Multivariate Polynomial Systems and an Invariant from Commutative Algebra Alessio Caminata (Universitat de Barcelona) joint work with Elisa Gorla PQCrypto 2017 Utrecht, 2628 June 2017 Algebraic attack with Gr obner bases

SLIDE 1

Solving Multivariate Polynomial Systems and an Invariant from Commutative Algebra

Alessio Caminata (Universitat de Barcelona)

joint work with Elisa Gorla

PQCrypto 2017 Utrecht, 26–28 June 2017

SLIDE 2

Algebraic attack with Gr¨

bner bases

Multivariate cryptosystem Fn

q ∋ x = (x1, . . . , xn) → (y1, . . . , yr) := (p1(x), . . . , pr(x)) ∈ Fr q

One can try to break it with an algebraic attack, i.e. by computing a Gr¨

bner basis of the associated ideal

I = (f1, . . . , fr), where fi := yi − pi. Currently fastest algorithms to compute a Gr¨

bner basis

(F4/F5) have complexity O

n + s − 1 s ω−1 where m = r

i=1

n+s−di−1

s−di

, ω ∈ [2, 3], di = deg fi, and

s = solv. deg(I) is the solving degree of I, i.e. the highest degree of polynomials involved in the computation of the Gr¨

bner basis.

SLIDE 3

Solving degree and Castelnuovo-Mumford regularity

In order to design a multivariate cryptosystem that is secure against algebraic attacks, one needs to know how the solving degree depends on the parameters of the system. Theorem (C.-Gorla) Let F be a field, let R := F[x1, . . . , xn], and let I := (f1, . . . , fr) be an ideal of R. Assume that ˜ I := (f h

1 , . . . , f h r ) is in generic

coordinates in F[x1, . . . , xn, t], where f h

i

is the homogenization of fi, then

solv. degDRL(I) ≤ reg(˜

I) and equality holds if F has characteristics zero. Here reg(˜ I) is the Castelnuovo-Mumford regularity of ˜ I and can be read from its minimal graded free resolution: 0 →

j∈Z

R(−j)βp,j → · · · →

j∈Z

R(−j)β1,j

ϕ1

− →

j∈Z

R(−j)β0,j

ϕ0

− → ˜ I → 0 It is reg(I) := max{j − i : βi,j = 0}.

SLIDE 4

Applications

Use knowledge on the regularity from commutative algebra to produce bounds for the solving degree.

1 Zero-dimensional ideals. Let I := (f1, . . . , fr) ⊆ F[x1, . . . , xn]

be an ideal generated in degree at most d. Assume that ˜ I := (f h

1 , . . . , f h r ) is in generic coordinates and its projective

zero-locus over F consists of a finite number of points, then

solv. degDRL(I) ≤ (n + 1)(d − 1) + 1.

2 MinRank Problem. Let M be an m × n matrix with m ≤ n

whose entries are sufficiently general linear forms in a polynomial ring over a field. Then the solving degree of the corresponding MinRank Problem is

solv. degDRL Im(M) ≤ m.

SLIDE 5

Thank you!! Questions?

SLIDE 6

Essential bibliography

D.J. Bernstein, J. Buchmann, E. Dahmen, Post-Quantum Cryptography, Springer Verlag, 2009

A. Caminata, E. Gorla,

Solving Multivariate Polynomial Systems and an Invariant from Commutative Algebra, preprint 2017. J.C. Faug` ere, A new efficient algorithm for computing Gr¨

bner bases (F4),