Gröbner Bases: a Tool for Cryptology
Jean-Charles Faugère, PolSys - INRIA/UPMC
ECRYPT II Summer School on Tools 2012
Plan
Gröbner Bases: a Tool for Cryptology
☞ Introduction to Algebraic Cryptanalysis and Gröbner bases.
Part I: Efficient algorithms and linear algebra.
Part II: Complexity of computing Gröbner bases.
Polynomial System Solving and Applications
$K \subseteq L$
Multivariate Polynomial Problem (PoSSo)
Input: $(f_1, \dots, f_m) \in K[x_1, \dots, x_n]^m$
Question: Find, if any, $z \in L^n$ such that $f_1(z) = \dots = f_m(z) = 0$.
Denote by $V_L$ the set of solutions.
Focus: algebraic computations, exact methods.
Approach:
Algorithms and complexity analysis.
Applications to validate the performance.
Write efficient software (integration in Maple).
Gröbner Bases, Buchberger (1965)
In this talk we focus on Gröbner bases methods.
One of the fastest methods to solve polynomial equations when $K = L = F_q$, or $K = \mathbb{Q}$ and $L = \mathbb{R}$ or $L = \mathbb{C}$.
Other efficient methods:
Numerical methods: homotopy methods (continuation methods)
Resultants
Triangular Sets
SAT solvers in the Boolean case $K = L = F_2$
...
Gröbner Bases
Definition (Buchberger 65)
Let I be a polynomial ideal and ≺ a monomial ordering. A Gröbner basis of I (w.r.t. ≺) is a finite set of polynomials $G \subset I$ such that $\mathrm{LM}(I) = \langle \mathrm{LM}(G) \rangle$.
(Bruno Buchberger)
☞ definition of a reduction function
Theorem (Buchberger)
$f \in I$ iff $\mathrm{Reduction}(f, G) = 0$.
Theorem
$V_{F_2} = \emptyset$ (no solution) iff $G_{F_2} = [1]$.
$V_{F_2}$ has exactly one solution iff $G_{F_2} = [x_1 - a_1, \dots, x_n - a_n]$ where $(a_1, \dots, a_n) \in F_2^n$.
Most of the time, if $\#V_K < \infty$, the shape of a Gröbner basis for a lexicographical ordering $x_1 > \dots > x_n$ is the following (Shape Position):
$h_n(x_n),\; x_{n-1} - h_{n-1}(x_n),\; \dots,\; x_1 - h_1(x_n)$
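The two theorems above can be checked by hand on a toy Boolean system. The following is an added example (it is not code from the slides or from the PolSys software): Buchberger's algorithm over $F_2$ with the field equations $x_i^2 + x_i$ adjoined, using the reduction function of the slide, a lexicographic order $x_1 > \dots > x_n$, and a constructed 3-variable system. Polynomials are sets of exponent tuples (addition over $F_2$ is the symmetric difference); all function names and the sample systems are mine.

```python
"""Buchberger's algorithm over F2 with field equations (added worked example).
Illustrates the theorem on the slide: the reduced Gröbner basis is [1] when the
system has no solution in F2^n, and [x1 - a1, ..., xn - an] when it has exactly
one. A polynomial is a set of monomials, a monomial a tuple of exponents, and
the monomial order is lex with x1 > x2 > ... > xn (tuple comparison)."""
from itertools import combinations


def add(f, g):
    """Sum over F2: monomials appearing in both polynomials cancel."""
    return f ^ g


def mul_mono(m, f):
    """Multiply the polynomial f by the monomial m."""
    return {tuple(a + b for a, b in zip(m, t)) for t in f}


def lm(f):
    """Leading monomial for lex x1 > ... > xn: the largest exponent tuple."""
    return max(f)


def divides(m, t):
    return all(a <= b for a, b in zip(m, t))


def reduction(f, G):
    """Full reduction of f modulo G (Reduction(f, G) on the slide)."""
    f, r = set(f), set()
    while f:
        t = lm(f)
        for g in G:
            if divides(lm(g), t):
                q = tuple(a - b for a, b in zip(t, lm(g)))
                f = add(f, mul_mono(q, g))   # cancel the leading term of f
                break
        else:                                # t is irreducible: move it to the remainder
            f.discard(t)
            r.add(t)
    return r


def s_poly(f, g):
    lf, lg = lm(f), lm(g)
    l = tuple(max(a, b) for a, b in zip(lf, lg))          # lcm of the leading monomials
    return add(mul_mono(tuple(a - b for a, b in zip(l, lf)), f),
               mul_mono(tuple(a - b for a, b in zip(l, lg)), g))


def groebner(F):
    """Buchberger (1965): add reduced S-polynomials until every pair reduces to 0,
    then return the reduced (minimal, inter-reduced) basis sorted by leading monomial."""
    G = [set(f) for f in F if f]
    pairs = list(combinations(range(len(G)), 2))
    while pairs:
        i, j = pairs.pop()
        h = reduction(s_poly(G[i], G[j]), G)
        if h:
            G.append(h)
            pairs += [(k, len(G) - 1) for k in range(len(G) - 1)]
    minimal = []                                          # drop redundant leading monomials
    for g in sorted(G, key=lm):
        if not any(divides(lm(h), lm(g)) for h in minimal):
            minimal.append(g)
    return sorted((reduction(g, [h for h in minimal if h is not g]) for g in minimal),
                  key=lm, reverse=True)


def field_equations(n):
    """x_i^2 + x_i for each variable: restricts the solutions to F2^n."""
    return [{tuple(2 if j == i else 0 for j in range(n)),
             tuple(1 if j == i else 0 for j in range(n))} for i in range(n)]


def solve_boolean(F, n):
    """None if no solution, the unique solution as a tuple, or 'many' (read off the basis shape)."""
    G = groebner(list(F) + field_equations(n))
    if G == [{(0,) * n}]:
        return None
    sol = [None] * n
    for g in G:
        t = lm(g)
        if sum(t) == 1 and all(sum(m) == 0 for m in g - {t}):   # g is x_i or x_i + 1
            sol[t.index(1)] = 1 if (0,) * n in g else 0
        else:
            return "many"
    return "many" if None in sol else tuple(sol)


def demo():
    x, y, one = (1, 0, 0), (0, 1, 0), (0, 0, 0)
    consistent = [{x, y}, {(0, 1, 1), one}]      # x + y = 0 and y z + 1 = 0  (constructed)
    inconsistent = [{x, one}, {x, y}, {y}]       # x = 1, x = y, y = 0          (constructed)
    return solve_boolean(consistent, 3), solve_boolean(inconsistent, 3)
```

`demo()` returns `((1, 1, 1), None)`: the first basis is $[x+1, y+1, z+1]$ (one solution), the second is $[1]$ (no solution), exactly the two cases of the theorem.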
Algorithms to compute GB
Usually a two-step process:
Input System → (Buchberger; F4/F5, which rely on linear algebra) → Gröbner Basis for a total degree ordering → (FGLM: ≈ minimal polynomial of some matrix) → Gröbner Basis for a lexicographical ordering
Algebraic Cryptanalysis
Crypto ←→ Computer Algebra
A General Method for Cryptanalysis
Security of a cryptosystem ⇔ hardness of solving a related multivariate polynomial system.
Cryptosystem (+ messages, ciphertexts, ...)
Modeling ↓
4 x² + 5 x + 6 y² + 3 y z + 5 y + 1 = 0
5 x² + x y + 2 x z + 6 z² + 3 z + 3 = 0
6 x z + 5 y² + 2 y + 4 z² + 6 z + 5 = 0
Solving ↓
Secret: x = 4, y = 2, z = 0
New trend
Very often experiment is needed to test the efficiency of the solving step.
New trend: theoretical complexity analysis to explain the behavior of the attack.
☞ This is also useful to help the designers of new cryptosystems.
Roadmap:
Specificity of the Cryptosystem → Structured System
What is the complexity of solving a Structured System?
Polynomial System Solving: structured systems
$K \subseteq L$
Multivariate Polynomial Problem (PoSSo)
Input: $(f_1, \dots, f_m) \in K[x_1, \dots, x_n]^m$
Question: Find, if any, one $z \in L^n$ such that $f_1(z) = \dots = f_m(z) = 0$.
NP-hard even when $K = F_2$.
☞ Try to identify families of systems which are "easier to solve":
Almost all systems occurring in applications have a special structure:
Symmetries: equations are left invariant by the action of a finite group.
Sparse equations
Overdetermined systems $m \gg n$
Multihomogeneous structure
...
Sparse Equations
Boolean case $K = L = F_2$.
Sparse = each equation depends on ℓ variables; the expected complexity of the Agreeing-Gluing Algorithm is
$O(2^{0.711 n})$ when ℓ = 6, $O(2^{0.405 n})$ when ℓ = 3.
I. Semaev. Sparse algebraic equations over finite fields. SIAM J. Comput., 39(2):388–409, 2009.
Part I
Efficient algorithms and linear algebra.
Simple matrix F5 algorithm.
Fast Change of Ordering.
Structured linear algebra to speed up the computations.
F5 algorithm: simple matrix version
Get rid of the trivial relations:
$f_i f_j - f_j f_i = 0$, and $f_i^2 - f_i = 0$ when $K = F_2$.
Incremental algorithm: $(f_1) + G_{prev}$, incremental degree by degree.
Special/simpler version of F5 for dense/generic quadratic polynomials; the maximal degree D is a parameter of the algorithm.
F5: compute Groebner($\langle f_1, \dots, f_k \rangle$, d + 1) from the already computed Groebner($\langle f_1, \dots, f_k \rangle$, d).
Matrix in degree d (rows: monomial multiples of the $f_i$; columns: monomials $m_1, m_2, \dots$; x: arbitrary entry):
                        m1  m2  m3  m4  m5 ...
  u1 f1                  1   x   x   x   x ...
  ...                    0  ...  x   x   x ...
  u_{r1} f1              0   0   1   x   x ...
  ...
  v_{r_{k-1}} f_{k-1}    0   0   1   x   x ...
  w1 fk                  0   0   0   1   x ...
  w2 fk                  0   0   0   0   1 ...
If $w_1 = x_1^{\alpha_1} \cdots x_j^{\alpha_j}$, the rows added for $f_k$ in degree d + 1 are $w_1 x_j f_k,\; w_1 x_{j+1} f_k,\; \dots,\; w_1 x_n f_k$.
Matrix in degree d + 1 (columns: monomials $t_1, t_2, \dots$):
                        t1  t2  t3  t4  t5 ...
  ...
  w1 xj fk               0   1   x   x   x ...
  w1 x_{j+1} fk          0   0   1   x   x ...
  ...
  w1 xn fk               0   0   0   1   x ...
  ...
F5 criterion: remove the row $w_1 x_{j+1} f_k$ iff $w_1 x_{j+1} \in \mathrm{LT}(\mathrm{Groebner}(\langle f_1, \dots, f_{k-1} \rangle, d - 1))$.
Structure inside Gröbner basis computation
F4/F5 algorithms develop specific linear algebra algorithms and implementations.
Linear algebra: a key step for Gröbner bases.
☞ Take into account the specific properties of the matrices.
Minrank: [Issac 2010] 935s → [Pasco 2010] 73s
Sparse and Fast FGLM
Joint work with C. Mou, L. Huot, P. Gaudry, PJ Spaenlehauer
Use the sparsity.
Fast asymptotic version of FGLM.
FGLM - Bottleneck (with C. Mou)
Input System → (Buchberger; F4/F5 rely on linear algebra) → Gröbner Basis: total degree → (FGLM: ≈ minimal polynomial of some matrix; Bottleneck!) → Gröbner Basis: lexicographical
Timings in Magma (Step 1: total degree basis, Step 2: change of ordering):
| Magma  | MinRank(9,7,4) | MinRank(9,8,5) | Random(14, 2) | Random(15, 2) |
| D      | 4116           | 14112          | 2^14          | 2^15          |
| Step 1 | 208.1s         | 3343.5s        | 7832.4s       | 74862.9s      |
| Step 2 | 1360.4s        | >1 day         | 84374.6s      | >15 days      |
Goal: a faster algorithm for the change of ordering.
FGLM in a nutshell
Input: some Gröbner basis $G_1$ of I for some order $<_1$.
D is the number of solutions; $\mathrm{NormalForm}(f) = 0 \Leftrightarrow f \in I$.
Step 1: Compute $B = [b_1, \dots, b_D]$, the canonical basis of $K[x_1, \dots, x_n]/\langle G_1 \rangle$ ordered according to $<_1$.
Step 2: Construct the multiplication matrices. $T_i$, the multiplication matrix by $x_i$, is the $(D \times D)$-matrix representing $b_j \mapsto \mathrm{NormalForm}(x_i b_j)$, $j = 1, \dots, D$.
☞ change of ordering = linear algebra on the $T_i$.
Step 3: Handle the terms of $K[x_1, \dots, x_n]$ one by one according to $<_2$:
a monomial $x^s$, $s = (s_1, \dots, s_n)$, gives the coordinate vector $v_s = T_1^{s_1} \cdots T_n^{s_n} \mathbf{1}$, where $\mathbf{1} = (1, 0, \dots, 0)^t$; in particular $x_1^k$ gives $T_1^k \mathbf{1}$;
a polynomial $f = \sum_s c_s x^s$ in $G_2$ corresponds to a linear dependency $\sum_s c_s v_s = 0$; in particular $\sum_i \lambda_i x_1^i \in I$ corresponds to $\sum_i \lambda_i T_1^i \mathbf{1} = 0$.
Change of ordering = linear algebra: $O(n D^3)$ by Gaussian elimination.
Sparse FGLM: Key observation 1 (with C. Mou)
$T_1, \dots, T_n$ are sparse, especially $T_1$.
$T_1$ for Random(3, 10): 1000 × 1000, 6.86% nonzero entries.
|          | DLP Edwards | Cyclic 10 | MinRank (9,9,6) | Random(3, 14) | Random(3, 40) |
| D        | 4096        | 34940     | 41580           | 2744          | 64000         |
| Sparsity | 3.4%        | 1.0%      | 16%             | 4.2%          | 1.6%          |
Theorem (F., Mou, 2011)
n is fixed. For generic polynomial systems of degree d:
$$\%\ \text{of nonzero entries} \;\sim_{d \to \infty}\; \sqrt{\frac{6}{\pi}}\;\frac{1}{d\, n^{1/2}}$$
Density: theoretical bound vs practice
[Figure: density of $T_1$ (1% to 10%) against d = 10, ..., 40 for random equations of degree d in 3 variables; curves "Theoretical bound" and "Experimental sparsity".]
First case: Shape position case
Assume that I is in shape position.
Shape position [Becker, Mora, Marinari, and Traverso 1994]
An ideal $I \subset K[x_1, \dots, x_n]$ is in shape position if its Gröbner basis w.r.t. LEX ($x_1 < \dots < x_n$) is of the form
$[f_1(x_1),\; x_2 - f_2(x_1),\; \dots,\; x_n - f_n(x_1)]$.
Recover $f_1$: Wiedemann algorithm
Construct $s = [\langle r, T_1^i \mathbf{1} \rangle : i = 0, \dots, 2D - 1]$, with r a random vector
⇓ Compute $f_1$ from s via the Berlekamp–Massey algorithm
⇓ Check $\deg(f_1) = D$ (shape position)
Shape position case
Suppose $f_i = \sum_{k=0}^{D-1} c_{i,k}\, x_1^k$ for $i = 2, \dots, n$.
Recover $f_2, \dots, f_n$: constructing linear equations
$\mathrm{NormalForm}\bigl(x_i - \sum_{k=0}^{D-1} c_{i,k}\, x_1^k\bigr) = 0$
⇓
$T_i \mathbf{1} = \sum_{k=0}^{D-1} c_{i,k}\, T_1^k \mathbf{1}$, hence $T_1^j T_i \mathbf{1} = \sum_{k=0}^{D-1} c_{i,k}\, T_1^j T_1^k \mathbf{1}$
⇓
$\langle r, T_1^j T_i \mathbf{1} \rangle = \sum_{k=0}^{D-1} c_{i,k}\, \langle r, T_1^{k+j} \mathbf{1} \rangle$, $j = 0, \dots, D - 1$
⇕
$\langle (T_1^t)^j r, T_i \mathbf{1} \rangle = \sum_{k=0}^{D-1} c_{i,k}\, \langle (T_1^t)^{k+j} r, \mathbf{1} \rangle$, $j = 0, \dots, D - 1$
In matrix form $H c_i = b$ with
$$H = \begin{pmatrix} \langle (T_1^t)^0 r, \mathbf{1}\rangle & \langle (T_1^t)^1 r, \mathbf{1}\rangle & \cdots & \langle (T_1^t)^{D-1} r, \mathbf{1}\rangle \\ \langle (T_1^t)^1 r, \mathbf{1}\rangle & \langle (T_1^t)^2 r, \mathbf{1}\rangle & \cdots & \langle (T_1^t)^{D} r, \mathbf{1}\rangle \\ \vdots & \vdots & \ddots & \vdots \\ \langle (T_1^t)^{D-1} r, \mathbf{1}\rangle & \langle (T_1^t)^{D} r, \mathbf{1}\rangle & \cdots & \langle (T_1^t)^{2D-2} r, \mathbf{1}\rangle \end{pmatrix}, \qquad b = \begin{pmatrix} \langle r, T_i \mathbf{1}\rangle \\ \vdots \\ \langle (T_1^t)^{D-1} r, T_i \mathbf{1}\rangle \end{pmatrix}$$
Shape position case
Solve $H c_i = b$ with $c_i = {}^t[c_{i,0}, \dots, c_{i,D-1}]$.
Matrix H is a Hankel matrix:
Its construction is free: $s = [\langle r, T_1^i \mathbf{1}\rangle = \langle (T_1^t)^i r, \mathbf{1}\rangle : i = 0, \dots, 2D - 2]$.
It is invertible: relationship between linear recurring sequences and Hankel matrices [Jonckheere and Ma 1989].
Solving $H x = b$ efficiently: complexity $O(D \log^2(D))$ [Brent, Gustavson, and Yun 1980].
Construction of $\langle (T_1^t)^j r, T_i \mathbf{1}\rangle$ is also free: the vectors $(T_1^t)^j r$ are already available from the construction of s.
Shape position case
Total complexity for ideals in shape position: $O\bigl(D(\#T_1 + n \log(D))\bigr)$, where $\#T_1$ is the number of nonzero entries in $T_1$,
compared with $O(n D^3)$ for FGLM
(the dominant step is computing the minimal polynomial of $T_1$).
Random polynomial systems: n fixed and d → +∞, the complexity is $O\bigl(\tfrac{1}{\sqrt{n}}\, D^{2 + \frac{n-1}{n}}\bigr)$.
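The three steps of the shape-position algorithm (sequence, Berlekamp–Massey with the degree check, Hankel system) on a small constructed instance, as an added example; this is not code from the slides or from the PolSys implementation. The assumptions are mine: the ideal is built directly in shape position as $I = \langle f_1(x_1), x_2 - f_2(x_1) \rangle$ over $F_p$ with $p = 101$, so that $T_1$ is the companion matrix of $f_1$ and $T_2 = f_2(T_1)$; the projection vector r is the last unit vector instead of a random one (for a companion matrix this choice always yields a sequence of linear complexity exactly D); and the Hankel system is solved by plain Gaussian elimination rather than the $O(D \log^2 D)$ solver of Brent, Gustavson and Yun. Function names (`companion`, `berlekamp_massey`, `sparse_fglm_shape`, ...) are mine.

```python
"""Sparse FGLM, shape position case: a worked example added here (not code
from the slides or the PolSys software). Steps as in the talk: (1) the
sequence s_i = <r, T1^i 1> by sparse matrix-vector products, (2) Berlekamp-
Massey to recover f1 and the check deg f1 = D, (3) the Hankel system
H c_i = b_i for each f_i, i >= 2. Assumptions: the ideal is built directly
in shape position, I = <f1(x1), x2 - f2(x1)> over F_p, so T1 is the companion
matrix of f1 and T2 = f2(T1); r is a fixed unit vector instead of a random
vector; the Hankel system is solved by plain Gaussian elimination."""
P = 101  # prime field F_p (constructed choice)


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def matvec(T, v):
    """T v over F_p, skipping zero entries: the sparsity of T1 is what is exploited."""
    return [sum(T[i][j] * v[j] for j in range(len(v)) if T[i][j]) % P for i in range(len(T))]


def companion(f):
    """Multiplication matrix T1 of x1 on K[x1]/<f1> in the basis 1, x1, ..., x1^(D-1);
    f holds the coefficients of a monic f1, lowest degree first (column j = T1 e_j)."""
    D = len(f) - 1
    T = [[0] * D for _ in range(D)]
    for j in range(D - 1):
        T[j + 1][j] = 1                      # x1 * x1^j = x1^(j+1)
    for i in range(D):
        T[i][D - 1] = (-f[i]) % P            # x1 * x1^(D-1) = -(a_0 + a_1 x1 + ...)
    return T


def poly_of_matrix(f, T):
    """f(T) by Horner's scheme, only used to build T2 = f2(T1) for the example."""
    D = len(T)
    R = [[0] * D for _ in range(D)]
    for c in reversed(f):                    # R <- R*T + c*I
        R = [[(sum(R[i][k] * T[k][j] for k in range(D)) + (c if i == j else 0)) % P
              for j in range(D)] for i in range(D)]
    return R


def berlekamp_massey(s):
    """Minimal polynomial of the linearly recurring sequence s over F_p,
    monic, coefficients lowest degree first."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for n, sn in enumerate(s):
        d = (sn + sum(C[i] * s[n - i] for i in range(1, L + 1))) % P   # discrepancy
        if d == 0:
            m += 1
            continue
        T, coef = C[:], d * pow(b, -1, P) % P
        C += [0] * max(0, len(B) + m - len(C))
        for i, bi in enumerate(B):
            C[i + m] = (C[i + m] - coef * bi) % P
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    C = (C + [0] * (L + 1))[:L + 1]          # connection polynomial 1 + C_1 z + ... + C_L z^L
    return [C[L - k] for k in range(L + 1)]  # reversed: z^L + C_1 z^(L-1) + ... + C_L


def solve_mod_p(A, b):
    """Gauss-Jordan elimination over F_p (A square and invertible assumed)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [x * inv % P for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def sparse_fglm_shape(Ts, r=None):
    """Ts = [T1, ..., Tn] (D x D multiplication matrices). Returns [f1, f2, ..., fn],
    coefficient lists (lowest degree first) of the LEX basis
    [f1(x1), x2 - f2(x1), ..., xn - fn(x1)], or None if deg(f1) != D."""
    T1 = Ts[0]
    D = len(T1)
    one = [1] + [0] * (D - 1)                # coordinate vector of the monomial 1
    if r is None:
        r = [0] * (D - 1) + [1]              # fixed projection vector (assumption)
    v, s = one, []                           # Step 1: s_i = <r, T1^i 1>, i = 0 .. 2D-1
    for _ in range(2 * D):
        s.append(dot(r, v))
        v = matvec(T1, v)
    f1 = berlekamp_massey(s)                 # Step 2: minimal polynomial of the sequence
    if len(f1) - 1 != D:
        return None                          # not in shape position (or unlucky r)
    H = [[s[j + k] for k in range(D)] for j in range(D)]   # Step 3: Hankel matrix, free
    basis = [f1]
    for Ti in Ts[1:]:
        v, b = matvec(Ti, one), []           # b[j] = <r, T1^j T_i 1>
        for _ in range(D):
            b.append(dot(r, v))
            v = matvec(T1, v)
        basis.append(solve_mod_p(H, b))
    return basis


def demo():
    f1 = [3, 0, 5, 1, 1]                     # f1 = x1^4 + x1^3 + 5 x1^2 + 3 (constructed, D = 4)
    f2 = [7, 2, 0, 9]                        # x2 = f2(x1) = 9 x1^3 + 2 x1 + 7 (constructed)
    T1 = companion(f1)
    return sparse_fglm_shape([T1, poly_of_matrix(f2, T1)])
```

`demo()` returns `[[3, 0, 5, 1, 1], [7, 2, 0, 9]]`, i.e. the LEX basis $[f_1(x_1), x_2 - f_2(x_1)]$ is recovered from the multiplication matrices alone, with $2D$ sparse matrix-vector products for the sequence, one Berlekamp–Massey run, and one $D \times D$ Hankel solve per additional variable. When the ideal is not in shape position the degree check fails and the function returns `None`, which is the branch where the slides switch to BMS.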
General case (non shape position)
Define an n-dimensional mapping $E : \mathbb{Z}_{\ge 0}^n \to K$ as
$(s_1, \dots, s_n) \mapsto \langle r, T_1^{s_1} \cdots T_n^{s_n} \mathbf{1} \rangle$.
According to FGLM, a polynomial $f = x^l + \sum_{s \neq l} \frac{c_s}{c_l}\, x^s$ in $G_2$ is determined by $\sum_s c_s\, T_1^{s_1} \cdots T_n^{s_n} \mathbf{1} = 0$.
Can be found using BMS:
Sparse matrix ⟹ Wiedemann algorithm ⟹ Berlekamp–Massey ⟹ BMS (from Coding Theory),
the multi-dimensional generalization of the Berlekamp–Massey algorithm [Sakata 1988 & 1990; Saints and Heegard 2002].
General Algorithm
Main Algorithm
Input: $T_1, \dots, T_n$
1. Construct the linearly recurring sequence s.
2. Compute f with BM.
3. If deg(f) = D: recover $f_2, \dots, f_n$ (shape position case); end.
4. Otherwise compute F with BMS; if $F = G_2$: end.
5. Otherwise compute $G_2$ with FGLM; end.
Deterministic algorithm.
Fast FGLM: if the matrices are not sparse ... (with P. Gaudry, L. Huot and G. Renault)
In the shape position case we can apply the same algorithm. All we need is to compute efficiently
$T_1'^{\,1} r,\; T_1'^{\,2} r,\; \dots,\; T_1'^{\,2D-1} r$ with $T_1' = T_1^t$.
[Keller-Gehrig]: assuming that we can multiply two n × n matrices in $O(n^\omega)$ operations (with ω < 3). First we compute
$T_1',\; T_1'^{\,2},\; T_1'^{\,4},\; T_1'^{\,8},\; \dots,\; T_1'^{\,2^k}$ with $k = 1 + [\log_2(D)]$.
Then:
$(T_1'^{\,3} r,\; T_1'^{\,2} r) = T_1'^{\,2}\,(T_1' r,\; r)$
$(T_1'^{\,7} r,\; T_1'^{\,6} r,\; T_1'^{\,5} r,\; T_1'^{\,4} r) = T_1'^{\,4}\,(T_1'^{\,3} r,\; T_1'^{\,2} r,\; T_1' r,\; r)$
⋯
using only matrix multiplications, in $O(\log(D)\, D^\omega)$ operations.
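The doubling scheme above, written out as an added example (not code from the slides): each round multiplies the block of vectors computed so far by the current power $T'^{\,2^k}$, which doubles the block, and then squares that power, so $2D$ vectors cost $O(\log D)$ matrix products. The matrix T stands for $T_1' = T_1^t$; the field $F_{101}$, the sample matrix, the vector r and the function names are my own constructions.

```python
"""Keller-Gehrig style computation of r, T r, ..., T^(m-1) r with O(log m)
matrix products, as an added example (not the slides' code). Dense matrices
over F_p; the 4 x 4 matrix and the vector in demo() are constructed."""
P = 101


def matmul(A, B):
    """A B over F_p, matrices as lists of rows."""
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % P for col in cols] for row in A]


def krylov_naive(T, r, m):
    """Reference: m successive matrix-vector products (the O(m D^2) way)."""
    out, v = [], list(r)
    for _ in range(m):
        out.append(v)
        v = [sum(T[i][j] * v[j] for j in range(len(v))) % P for i in range(len(T))]
    return out


def krylov_by_doubling(T, r, m):
    """Same m vectors: in round k the block [r | T r | ... ] of 2^k columns is
    multiplied by T^(2^k), giving the next 2^k vectors at once, then T^(2^k) is
    squared; ceil(log2 m) rounds of matrix products, i.e. O(log(m) D^omega)."""
    D = len(T)
    K = [[r[i]] for i in range(D)]     # D x (#vectors) matrix whose columns are T^j r
    Tpow = T                           # T^(2^k) for the current round k
    while len(K[0]) < m:
        new = matmul(Tpow, K)          # T^(2^k) [T^j r]_j = [T^(2^k + j) r]_j
        K = [K[i] + new[i] for i in range(D)]
        if len(K[0]) < m:
            Tpow = matmul(Tpow, Tpow)  # next power of two
    return [[K[i][j] for i in range(D)] for j in range(m)]


def demo():
    T = [[2, 1, 0, 0], [0, 3, 1, 0], [0, 0, 5, 1], [7, 0, 0, 11]]   # constructed 4 x 4 matrix
    r = [1, 2, 3, 4]                                                  # constructed vector
    D = 4
    return krylov_by_doubling(T, r, 2 * D) == krylov_naive(T, r, 2 * D)
```

`demo()` returns `True`: the $2D$ vectors needed by the shape-position algorithm are obtained with three rounds (block sizes 1, 2, 4) instead of $2D - 1$ matrix-vector products, which is the trade that pays off once $T_1$ is dense.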
Fast FGLM (with P. Gaudry, L. Huot and G. Renault)
Theorem
Let $G_{DRL}$ be the DRL Gröbner basis of an ideal I in shape position. Given $T_1$, the multiplication matrix w.r.t. $x_1$, computing the LEX Gröbner basis of I can be done in $O(n D + D^\omega)$.
☞ Theoretical/Practical Bottleneck: building the matrix $T_1$.
Generic systems: $T_1$ can be obtained in 0 arithmetic operations.
Non generic case: perform a random linear change of coordinates (heuristic).
New Strategy I
$G_{DRL}$ (computed by F4, F5): is it easy to build $T_1$?
YES: Fast FGLM → $G_{LEX}$.
NO: Randomization → $I'$, then $G'_{DRL}$ (F4, F5) ⟹ $T_1'$, then Fast FGLM → $G'_{LEX}$.
Experiments
|                                | D     | Density | Build T1 | G_DRL + (Build T1 + Fast FGLM) |
| Random n = 16                  | 2^16  | 18.3%   | 228.6s   | 55410 s + 15005.3 s            |
| Cyclic 7                       | 924   | 2.0%    | 0.00s    | G_DRL + 0.04 s                 |
| Cyclic 10                      | 31990 | 1.0%    | 5.67s    | G_DRL + 525.5 s                |
| Edwards n = 4 Sn + T2          | 512   | 27.6%   | 0.4 s    | 0.1 s + 0.42 s                 |
| Edwards n = 4 Sn + T2 (rnd)    | 512   | 19.4%   | 0.0 s    | 0.1 s + 0.02 s                 |
| Edwards n = 5 Sn + T2          | 2^16  |         | > 2 days | 11228.2 s + > 2 days           |
| Edwards n = 5 Sn + T2 (rnd)    | 2^16  | 9.3%    | 11.6 s   | 11228.2 s + 7865.7 s           |
| Bad Example, n = 11            | 2^11  | 31.9%   | 7520.9s  | 0 s + 7543.5 s                 |
| Bad Example, n = 11 (rnd)      | 2^11  | 21.5%   | 0.15s    | 5.0 s + 0.2 s                  |
| Bad Example, n = 16            | 2^16  |         | > 2 days | 0 s + > 2 days                 |
| Bad Example, n = 16 (rnd)      | 2^16  | 19.8%   | 195.0s   | 38066.5 s + 14492.2 s          |
| Eco 14                         | 2^12  | 11.5%   | 1100.1 s | 926.7 s + 1102.5 s             |
| Eco 14 (rnd)                   | 2^12  | 26.4%   | 0.1 s    | 926.7 s + 2.0 s                |
(rnd: after a random linear change of coordinates)
Multi-core implementation
Two parallel versions:
Using OpenMP
Using pthreads
☞ have to rewrite the generation of the matrix $T_1$!
Comparing the original C code (Issac 2011) and the new code:
|                    | D    | %     | Magma | Singular | C     | C+SSE |
| Katsura 12         | 4096 | 21.2% | 1408s | 2623.5s  | 18.1s | 0.73s |
| Random(n=3, d=19)  | 6859 | 3.50% | 1084s | 8248s    | 15.3s | 0.74s |
More important: we can solve systems with $D > 2^{16}$ solutions. ☞ Next Talk
Part II
Complexity of computing Gröbner bases.
Structured systems: several applications in Crypto
Multivariate Public Key Crypto, HFE [F., Perret, Safey, Spaenlehauer, Bettale]
McEliece, Error Correcting Codes [F., Otmani, Perret, Tillich, EC]
Curves: DLP on elliptic curves, Edwards or $F_2$ [Gaudry, F., Huot, Renault]
Curves: computing modular correspondences for Abelian Varieties [F., Lubicz, Robert, JA]
Multi-Homogeneous Systems
Takes advantage of the symmetries of the system to speed up the resolution.
Main results/examples: motivation to use the structure!
For (regular) quadratic systems:
Overdetermined systems: semi-regular, n variables, $m = c\, n^\alpha$ equations [Bardet, F., Salvy] → sub-exponential if 1 < α < 2, polynomial if α = 2.
Use the fact that we are over $F_q$: [Bettale, F., Perret, JMC]: Hybrid Method; direct Gröbner basis approach vs. hybrid approach: $\sim 2^{1.8 n}$.
UOV $q = 2^8$, $n = 60$: security $2^{160}$ → $2^{76}$ (Gröbner) → $2^{59}$.
Motivation: bilinear systems
$f_i(X, Y) = \sum_{x \in X,\, y \in Y} c_{i,x,y}\, x\, y$ where $n = \#X + \#Y$.
☞ complexity is polynomial in #Solutions $= \binom{n}{\#X} \ll 2^n$ [JSC 2011, F., Safey El Din, Spaenlehauer].
Applications:
MinRank/HFE: [Crypto 2008] 328233s → [Issac 2010] 935s
Challenge A20 (variant of McEliece): 24 hours (Magma) → 0.05 sec [EC 2010, F., Otmani, Perret, Tillich]
Use the symmetries:
[JA, F., Lubicz, Robert]: the action of the automorphisms of the theta group: > 24 hours → 0.1 sec
[F., Huot, Renault]: symmetries related to twisted Edwards curves (this talk!)
☞ divides by $2^{n-1}$ the number of solutions/complexity: untractable system → 4h25min
Complexity: introduction
The goal is to bound the maximal degree of the polynomials during the computation.
Theorem
A Gröbner basis of the ideal I generated by $(f_1, \dots, f_m)$ for a graded monomial ordering can be computed up to degree D in
$$O\Bigl(m\, D\, \binom{n + D - 1}{D}^{\omega}\Bigr), \quad \text{as } D \to \infty,$$
where ω is the exponent in the complexity of the matrix product over K.
Goal: bound $D \le d_{max}$.
Complexity of (overdetermined) systems (with M. Bardet and B. Salvy)
F5 Criterion: $t f_j$ is in the matrix if $t \notin \mathrm{Id}(\mathrm{LT}_<(G_{j-1}))$, where $G_{j-1}$ is a Gröbner basis of $\{f_1, \dots, f_{j-1}\}$.
$R_{d,i}(n)$: number of rows in the matrix generated by F5 when computing a Gröbner basis of $[f_1, \dots, f_i]$ in degree d.
Induction
When $d \ge 2$:
$$R_{d,i}(n) = \underbrace{i \cdot M_{d-2}(n)}_{\text{number of monomials of degree } \le d-2} \;-\; \underbrace{\sum_{j=1}^{\,i-1+\delta_{K,F_2}} R_{d-2,j}(n)}_{\text{F5 criterion}}$$
(over a general field K the sum runs to $i - 1$; over $F_2$ the extra term $\delta_{K,F_2} = 1$ comes from the additional trivial relation $f_i^2 - f_i = 0$).
End of the computation
Matrix generated by F5 in degree d: #col = $M_d(n)$, #row = $R_{d,m}(n)$.
☞ When $h_{d,m}(n) = \#\mathrm{col} - \#\mathrm{row} = 0$, this is the end of the computation!
☞ we found $d_{max}$.
Generating series
Theorem
$f_i$ of degree $d_i$ semi-regular, $i = 1, \dots, m$, over a finite field $F_q$; then
$$H_m = \sum_{d=0}^{\infty} h_{d,m}\, z^d = \prod_{i=1}^{m} \frac{1 - (1 - \delta_{K,F_2})\, z^{d_i}}{1 + \delta_{K,F_2}\, z^{d_i}}\;\left( \frac{1 - \delta_{K,F_2}\, z^2}{1 - z} \right)^{n}$$
Theorem (Particular case)
$d_i = 2$, $F_2$, $n = m$ semi-regular equations:
$$\sum_{d=0}^{\infty} h_{d,n}\, z^d = \left( \frac{1 + z}{1 + z^2} \right)^{n}$$
Example
$F_2$, $n = m = 50$ semi-regular quadratic equations:
$$\left(\frac{1+z}{1+z^2}\right)^{50} = 1 + 50 z + 1175 z^2 + 17100 z^3 + 170325 z^4 + 1202510 z^5 + 5915475 z^6 + 17831400 z^7 + 9196475 z^8 - 205886050 z^9 + O(z^{10})$$
☞ Hence the maximal degree occurring in the computation is 9.
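The generating series of the theorem, expanded by truncated power-series arithmetic so that $d_{max}$ can be read off as the first degree with $h_{d,m} \le 0$, as an added example (not the slides' code). It implements the general formula with $\delta_{K,F_2} = 1$ for $K = F_2$ and $0$ otherwise, so it also covers the non-Boolean case (e.g. the Macaulay bound $m + 1$ for $m = n$ quadrics over a general field K); the function names are mine and the parameters used are the slide's $n = m = 50$ example.

```python
"""Generating series H_m of h_{d,m} = #columns - #rows of the F5 matrix for
semi-regular systems (added worked example, not the slides' code), with
delta = 1 for K = F2 and delta = 0 otherwise, and d_max = the first degree
whose coefficient is <= 0 (the end of the computation on the slides)."""


def series_mul(a, b, nterms):
    """Product of two truncated power series given as coefficient lists."""
    out = [0] * nterms
    for i, ai in enumerate(a[:nterms]):
        if ai:
            for j, bj in enumerate(b[:nterms - i]):
                out[i + j] += ai * bj
    return out


def series_inverse_binomial(c, d, nterms):
    """1 / (1 + c z^d) = sum_k (-c)^k z^(d k), truncated to nterms coefficients."""
    out = [0] * nterms
    k = 0
    while d * k < nterms:
        out[d * k] = (-c) ** k
        k += 1
    return out


def hilbert_series(n, degrees, boolean, nterms):
    """Coefficients h_{0,m}, ..., h_{nterms-1,m} of
    H_m = prod_i (1 - (1-delta) z^d_i) / (1 + delta z^d_i) * ((1 - delta z^2) / (1 - z))^n,
    with delta = 1 if boolean (K = F2) and delta = 0 otherwise; exact integers."""
    H = [1] + [0] * (nterms - 1)
    for d in degrees:
        if boolean:
            H = series_mul(H, series_inverse_binomial(1, d, nterms), nterms)   # 1 / (1 + z^d)
        else:
            H = series_mul(H, [1] + [0] * (d - 1) + [-1], nterms)              # (1 - z^d)
    for _ in range(n):
        if boolean:
            H = series_mul(H, [1, 0, -1], nterms)                              # (1 - z^2)
        H = series_mul(H, series_inverse_binomial(-1, 1, nterms), nterms)     # 1 / (1 - z)
    return H


def degree_of_regularity(n, degrees, boolean, nterms=64):
    """Smallest d with h_{d,m} <= 0: the maximal degree reached by the computation,
    or None if it does not occur within the first nterms coefficients."""
    for d, h in enumerate(hilbert_series(n, degrees, boolean, nterms)):
        if h <= 0:
            return d
    return None


def demo():
    """The slide's example: F2, n = m = 50 semi-regular quadratic equations."""
    return hilbert_series(50, [2] * 50, True, 10), degree_of_regularity(50, [2] * 50, True)
```

`demo()` reproduces the coefficients $1, 50, 1175, 17100, \dots, -205886050$ of the slide and returns $d_{max} = 9$; with `boolean=False` and $n = m = 10$ the same function gives $11 = m + 1$, the Macaulay bound of the later table.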
Asymptotic estimate
$$h_{d,n} = \frac{1}{2 i \pi} \int_{C} \left( \frac{1+z}{1+z^2} \right)^{n} \frac{dz}{z^{d+1}}$$
$$d_n = \frac{1}{\lambda_0}\, n - \frac{\lambda_1}{\lambda_0^{4/3}}\, n^{1/3} + O\!\left(\frac{1}{n^{1/3}}\right)$$
$$d_n \approx \frac{n}{11.11360} + 1.0034\, n^{1/3} + O\!\left(\frac{1}{n^{1/3}}\right)$$
where $\lambda_0 = \tfrac{3}{2}\sqrt{3} + \tfrac{5}{2} + \tfrac{1}{2}\sqrt{72 + 42\sqrt{3}} \approx 11.13$, and the expression of $\lambda_1$ contains the biggest real root of the Airy function (solution of $\frac{\partial^2 y}{\partial z^2} - z y = 0$).
The formula is almost exact when n ≥ 3!
Maximal degree
[Figure: maximal degree in the Gröbner basis computation (0 to 16) against n (0 to 100), for HFE with 128 < d < 513, HFE with 16 < d < 129, HFE with 3 < d < 17, and a random system.]
Complexity of overdetermined systems: some examples
n variables, K any field, m equations (semi-regular) of degree d. Under regularity assumption:
| Specifications     | d_max            |
| d = 2, m = n       | n + 1            |
| d = 2, m = n + 1   | (n + 1)/2        |
| d = 2, m = 2n      | n/11.63          |
| d = 2, m = 5n      | n/35.71          |
| d = 2, m = 10n     | n/76.92          |
| d = αn, m = 2n     | αn if α < 0.29   |
Complexity: overdetermined systems
k is a constant (does not depend on n); $d_i$ is the total degree of $f_i$. Under regularity assumption:
| m      | Field, degrees   | $d_{max}$ |
| m ≤ n  | K, $d_i = 2$     | $m + 1$ (Macaulay bound) |
| m ≤ n  | K                | $1 + \sum_{i=1}^{n+1} (d_i - 1)$ (Macaulay bound) |
| n + k  | K, $d_i = 2$     | $\frac{m}{2} - h_{k,1}\sqrt{\frac{m}{2}} + o(1)$ |
| n + k  | K                | $\sum_{i=1}^{n+k} \frac{d_i - 1}{2} - h_{k,1}\sqrt{\sum_{i=1}^{n+k} \frac{d_i^2 - 1}{6}} + o(1)$ |
| 2n     | K, $d_i = 2$     | $\frac{n}{11.6569} + 1.04\, n^{1/3} - 1.47 + 1.71\, n^{-1/3} + O(n^{-2/3})$ |
| kn     | K, $d_i = 2$     | $\bigl(k - \tfrac{1}{2} - \sqrt{k(k-1)}\bigr)\, n + \frac{-a_1}{2\,(k(k-1))^{1/6}}\, n^{1/3} + O(1)$ |
| n      | $F_2$, $d_i = 2$ | $\frac{n}{11.1360} + 1.0034\, n^{1/3} - 1.58 + O(n^{-1/3})$ |
| kn     | $F_2$, $d_i = 2$ | $\Bigl(-k + \tfrac{1}{2} + \tfrac{1}{2}\sqrt{2k(k-5) - 1 + 2(k+2)\sqrt{k(k+2)}}\Bigr)\, n$ |
Classification
Classification: m number of polynomials, n number of variables.
| m = cste · n    | single exponential |
| m = cste · n^α  | sub-exponential    |
| m = cste · n²   | polynomial         |
Bilinear Equations in Algebraic Attacks: Motivation
Powerful attack somewhat similar to lattice attacks: we consider k vectors
$v_i = [\dots, v_{i,j}, \dots]$ with $v_{i,j} \in \mathbb{Z}$.
Try to find $(\lambda_1, \dots, \lambda_k) \in \mathbb{Z}^k$ such that $\sum_{i=1}^{k} \lambda_i v_i$ is small,
using LLL: find a ≈ small vector in polynomial time.
For k quadratic multivariate polynomials $f_i \in K[x_1, \dots, x_n]$:
$$f_l \mapsto H(f_l) = M_l = \left[ \frac{\partial^2 f_l}{\partial x_i\, \partial x_j} \right]_{1 \le i, j \le n}$$
the matrix representation of $f_l$.
Try to find $(\lambda_1, \dots, \lambda_k) \in K^k$ such that $\sum_{i=1}^{k} \lambda_i M_i$ is "small", that is, of small rank: of rank r. This is the MinRank problem.
That is to say: in some basis $\sum_{i=1}^{k} \lambda_i f_i$ depends only on r variables.
Two algebraic modelings: structured equations
$M = M_0 - \sum_{i=1}^{k} \lambda_i M_i$.
The minors modeling
$\mathrm{Rank}(M) \le r \;\Leftrightarrow\;$ all minors of size (r + 1) of M vanish.
$\binom{m}{r+1}^2$ equations of degree r + 1, in k variables.
Few variables, lots of equations, high degree!!
The Kipnis-Shamir modeling
$\mathrm{Rank}(M) \le r \;\Leftrightarrow\; \exists\, x^{(1)}, \dots, x^{(m-r)} \in \mathrm{Ker}(M)$:
$$M \cdot \begin{pmatrix} I_{m-r} \\ x^{(1)}_1 & \cdots & x^{(m-r)}_1 \\ \vdots & & \vdots \\ x^{(1)}_r & \cdots & x^{(m-r)}_r \end{pmatrix} = 0.$$
m(m − r) bilinear equations, in k + r(m − r) variables.
Applications of bilinear equations in Crypto: cryptanalysis of HFE and MinRank [CRYPTO'08, ISSAC'10, PKC'11]; cryptanalysis of McEliece [EUROCRYPT'10].
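The Kipnis-Shamir modeling written out on a small constructed MinRank instance, as an added example (it is not code from the slides). It builds the $m(m-r)$ equations $M \cdot [I_{m-r}; X] = 0$ as explicit bilinear polynomials in the $\lambda_l$ and the kernel coordinates $x^{(c)}_i$, counts the variables, and checks that a planted solution satisfies them; the equation counts of both modelings are compared. The field $F_{101}$, the matrices $M_0, M_1, M_2$, the planted $\lambda$, and all function names are my own choices.

```python
"""Kipnis-Shamir modeling of MinRank (added worked example, not the slides'
code). A polynomial is a dict {monomial: coefficient mod p}; a monomial is a
pair (l, x): l = 0 means no lambda variable, l >= 1 means lambda_l; x = None
means no kernel variable, otherwise x = (i, c) is the coordinate x_i^(c) of
the c-th kernel vector. The instance in demo() is constructed: m = 3, k = 2,
r = 1, with a planted lambda and a rank-1 residual matrix."""
from math import comb

P = 101


def add_term(poly, mono, coef):
    """Accumulate coef * mono into poly, dropping zero coefficients."""
    if coef % P:
        poly[mono] = (poly.get(mono, 0) + coef) % P
        if poly[mono] == 0:
            del poly[mono]


def kipnis_shamir_equations(M0, Ms, r):
    """Equations M(lambda) . [I_(m-r); X] = 0 with M(lambda) = M0 - sum_l lambda_l M_l
    and X the r x (m-r) matrix of unknowns x_i^(c); returns m(m-r) bilinear polynomials."""
    m = len(M0)
    eqs = []
    for a in range(m):                       # row a of M
        for c in range(m - r):               # column c of [I; X], i.e. the c-th kernel vector
            eq = {}
            add_term(eq, (0, None), M0[a][c])            # identity block: M[a][c], affine in lambda
            for l, Ml in enumerate(Ms, start=1):
                add_term(eq, (l, None), -Ml[a][c])
            for i in range(r):                           # X block: sum_i M[a][m-r+i] x_i^(c)
                col = m - r + i
                add_term(eq, (0, (i, c)), M0[a][col])
                for l, Ml in enumerate(Ms, start=1):
                    add_term(eq, (l, (i, c)), -Ml[a][col])   # bilinear term lambda_l x_i^(c)
            eqs.append(eq)
    return eqs


def count_variables(eqs):
    lam = {mono[0] for eq in eqs for mono in eq if mono[0]}
    xs = {mono[1] for eq in eqs for mono in eq if mono[1] is not None}
    return len(lam) + len(xs)


def evaluate(eq, lam, X):
    """Value of eq at lambda_l = lam[l-1], x_i^(c) = X[i][c]."""
    total = 0
    for (l, x), coef in eq.items():
        term = coef
        if l:
            term *= lam[l - 1]
        if x is not None:
            term *= X[x[0]][x[1]]
        total += term
    return total % P


def modeling_sizes(m, k, r):
    """(#equations, degree, #variables) of the minors and Kipnis-Shamir modelings."""
    return {"minors": (comb(m, r + 1) ** 2, r + 1, k),
            "kipnis_shamir": (m * (m - r), 2, k + r * (m - r))}


def demo():
    m, k, r = 3, 2, 1
    M1 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]               # constructed
    M2 = [[0, 1, 0], [1, 0, 1], [0, 1, 0]]               # constructed
    lam = [5, 7]                                          # planted lambda
    u, v = [1, 2, 3], [1, 1, 2]                           # rank-1 residual R = u v^T
    M0 = [[(lam[0] * M1[a][b] + lam[1] * M2[a][b] + u[a] * v[b]) % P
           for b in range(m)] for a in range(m)]          # so M(lam) = R has rank r = 1
    # Ker(R) = {w : v . w = 0}; since v[2] != 0 it has a basis of the form [I; X]
    inv = pow(v[2], -1, P)
    X = [[(-v[c] * inv) % P for c in range(m - r)]]       # X[0][c] = -v_c / v_2
    eqs = kipnis_shamir_equations(M0, [M1, M2], r)
    residual = max(evaluate(eq, lam, X) for eq in eqs)
    return len(eqs), count_variables(eqs), residual, modeling_sizes(m, k, r)
```

`demo()` returns `(6, 4, 0, ...)`: $m(m-r) = 6$ bilinear equations in $k + r(m-r) = 4$ variables, all vanishing at the planted solution, while the minors modeling of the same instance has $\binom{3}{2}^2 = 9$ equations of degree 2 in the 2 variables $\lambda_1, \lambda_2$. The bilinear structure of the first system is what the next slides exploit.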
Bilinear systems (joint work with M. Safey El Din and PJ Spaenlehauer)
$F = (f_1, \dots, f_m)$: system of homogeneous bilinear equations,
$f_i(X, Y) = \sum_{x \in X,\, y \in Y} c_{i,x,y}\, x\, y$ where $n = \#X + \#Y$.
$$\mathrm{jac}_X(F_i) = \begin{pmatrix} \frac{\partial f_1}{\partial x_0} & \cdots & \frac{\partial f_1}{\partial x_{n_x}} \\ \vdots & & \vdots \\ \frac{\partial f_i}{\partial x_0} & \cdots & \frac{\partial f_i}{\partial x_{n_x}} \end{pmatrix}, \qquad \mathrm{jac}_Y(F_i) = \begin{pmatrix} \frac{\partial f_1}{\partial y_0} & \cdots & \frac{\partial f_1}{\partial y_{n_y}} \\ \vdots & & \vdots \\ \frac{\partial f_i}{\partial y_0} & \cdots & \frac{\partial f_i}{\partial y_{n_y}} \end{pmatrix}$$
Euler relations: $f = \sum_j x_j \frac{\partial f}{\partial x_j} = \sum_j y_j \frac{\partial f}{\partial y_j}$, hence
$$\begin{pmatrix} f_1 \\ \vdots \\ f_i \end{pmatrix} = \mathrm{jac}_X(F_i) \cdot \begin{pmatrix} x_0 \\ \vdots \\ x_{n_x} \end{pmatrix} = \mathrm{jac}_Y(F_i) \cdot \begin{pmatrix} y_0 \\ \vdots \\ y_{n_y} \end{pmatrix}$$
Trivial Syzygies of Bilinear Systems
An example with small parameters: $n_x = n_y = 2$, $m = 4$.
We rewrite the usual trivial syzygy as
$$0 = f_2 f_1 - f_1 f_2 = \begin{vmatrix} f_1 & f_2 \\ f_1 & f_2 \end{vmatrix}$$
Theorem (Trivial Syzygies)
When $n_x = n_y = 2$, $m = 4$, the trivial syzygies of a generic bilinear system are:
$$\begin{vmatrix} f_i & f_j \\ f_i & f_j \end{vmatrix}\ (i \neq j), \qquad \begin{vmatrix} f_1 & f_2 & f_3 & f_4 \\ \frac{\partial f_1}{\partial x_0} & \frac{\partial f_2}{\partial x_0} & \frac{\partial f_3}{\partial x_0} & \frac{\partial f_4}{\partial x_0} \\ \frac{\partial f_1}{\partial x_1} & \frac{\partial f_2}{\partial x_1} & \frac{\partial f_3}{\partial x_1} & \frac{\partial f_4}{\partial x_1} \\ \frac{\partial f_1}{\partial x_2} & \frac{\partial f_2}{\partial x_2} & \frac{\partial f_3}{\partial x_2} & \frac{\partial f_4}{\partial x_2} \end{vmatrix}, \qquad \begin{vmatrix} f_1 & f_2 & f_3 & f_4 \\ \multicolumn{4}{c}{\mathrm{jac}_Y(F_4)} \end{vmatrix}$$
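Why the $4 \times 4$ determinant of the theorem is a syzygy can be seen numerically: by the Euler relation its first row $(f_1, \dots, f_4)$ equals $\sum_j x_j$ times the row of $\partial f_i / \partial x_j$, so the determinant vanishes identically, while the cofactors of the first row (the $3 \times 3$ minors of the Jacobian rows) are in general nonzero polynomials. The following added example (not the slides' code) checks both the Euler relations and this vanishing at sample points over $F_{101}$ for four constructed bilinear forms with $n_x = n_y = 2$; a form is stored as its $(n_x+1) \times (n_y+1)$ coefficient matrix C, $f(x, y) = x^T C y$. The field, the seed and the function names are my own choices.

```python
"""Euler relations and the Jacobian trivial syzygy of bilinear systems (added
worked example, not the slides' code). f(x, y) = x^T C y over F_p; the four
coefficient matrices and the evaluation points are drawn from a fixed seed."""
import random

P = 101


def bilinear(C, x, y):
    return sum(C[j][l] * x[j] * y[l] for j in range(len(x)) for l in range(len(y))) % P


def grad_x(C, y):
    """(df/dx_0, ..., df/dx_nx): f is linear in x, so this is C y."""
    return [sum(C[j][l] * y[l] for l in range(len(y))) % P for j in range(len(C))]


def grad_y(C, x):
    """(df/dy_0, ..., df/dy_ny) = x^T C."""
    return [sum(x[j] * C[j][l] for j in range(len(x))) % P for l in range(len(C[0]))]


def euler_relations_hold(Cs, x, y):
    """f = jac_X(f) . x = jac_Y(f) . y for every form of the system, at the point (x, y)."""
    for C in Cs:
        f = bilinear(C, x, y)
        if f != sum(a * b for a, b in zip(x, grad_x(C, y))) % P:
            return False
        if f != sum(a * b for a, b in zip(y, grad_y(C, x))) % P:
            return False
    return True


def det_mod_p(A):
    """Determinant over F_p by Gaussian elimination."""
    A = [row[:] for row in A]
    n, det = len(A), 1
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return 0
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            det = -det
        det = det * A[col][col] % P
        inv = pow(A[col][col], -1, P)
        for r in range(col + 1, n):
            f = A[r][col] * inv % P
            if f:
                A[r] = [(a - f * b) % P for a, b in zip(A[r], A[col])]
    return det % P


def syzygy_matrix(Cs, x, y):
    """The 4 x 4 matrix of the theorem at (x, y): first row (f_1, ..., f_4),
    then one row (df_i/dx_j)_i for each x-variable j."""
    rows = [[bilinear(C, x, y) for C in Cs]]
    for j in range(len(x)):
        rows.append([grad_x(C, y)[j] for C in Cs])
    return rows


def demo(trials=20):
    """(Euler relations hold, the 4 x 4 determinant vanishes, some 3 x 3 cofactor is nonzero)."""
    rng = random.Random(2012)
    nx = ny = 2
    Cs = [[[rng.randrange(P) for _ in range(ny + 1)] for _ in range(nx + 1)] for _ in range(4)]
    euler, vanishing, nonzero_minor = True, True, False
    for _ in range(trials):
        x = [rng.randrange(P) for _ in range(nx + 1)]
        y = [rng.randrange(P) for _ in range(ny + 1)]
        euler &= euler_relations_hold(Cs, x, y)
        A = syzygy_matrix(Cs, x, y)
        vanishing &= det_mod_p(A) == 0
        # cofactor of f_1: the minor of the Jacobian rows on columns 2..4, cubic in y
        nonzero_minor |= det_mod_p([row[1:] for row in A[1:]]) != 0
    return euler, vanishing, nonzero_minor
```

`demo()` returns `(True, True, True)`: the determinant is zero at every point although its cofactors are not, so expanding it along the first row gives a relation $\sum_i (\pm\text{minor}_i)\, f_i = 0$ with nonzero polynomial coefficients, which is exactly the kind of relation the F5 criterion must remove for bilinear systems in addition to the usual $f_i f_j - f_j f_i$.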
Complexity of affine bilinear systems
In the affine case $x_0 = 1$, $y_0 = 1$ and the number of variables is $n = n_X + n_Y$.
Theorem: degree of regularity [JSC 2011]
Degree of regularity of a generic 0-dim affine bilinear system for the grevlex ordering: $d_{reg} \le 2 + \min(n_x, n_y)$.
Sharp bound in practice.
Complexity
Solving affine bilinear systems
The complexity of computing a grevlex Gröbner basis of a zero-dimensional ideal generated by generic affine bilinear polynomials is polynomial in the number of solutions $\binom{n}{n_x} = \binom{n}{n_y}$:
$$O\bigl(\mathrm{Monomials}(1 + \min(n_x, n_y))^{\omega}\bigr) \approx O\bigl(2^{\omega \min(n_x, n_y)}\bigr).$$
Consequences:
$n_x$ constant, $n_y$ grows ⟹ complexity polynomial in $n_y$.
X and Y unbalanced ⟹ easy to solve.
Better than the Macaulay bound: $O\bigl(\mathrm{Monomials}(n_x + n_y + 1)^{\omega}\bigr) \approx O\bigl(2^{\omega (n_x + n_y)}\bigr)$.
$n_X$ is a constant in the case of MinRank challenges, or $n_X$ is "small" in the case of McEliece variants!
Conclusion
Using the structures can improve (a lot) the complexity bounds and the practical behavior of Gröbner bases algorithms.
Linear algebra and Gröbner bases: speed up the algorithms; efficient (multicore) implementations.
Applications to several problems in cryptology.