Solving Multivariate Polynomial Systems and an Invariant from Commutative Algebra

Alessio Caminata (Universitat de Barcelona), joint work with Elisa Gorla

PQCrypto 2017, Utrecht, 26–28 June 2017
Algebraic attack with Gröbner bases

Multivariate cryptosystem:
$$\mathbb{F}_q^n \ni x = (x_1,\dots,x_n) \;\mapsto\; (y_1,\dots,y_r) := (p_1(x),\dots,p_r(x)) \in \mathbb{F}_q^r$$

One can try to break it with an algebraic attack, i.e. by computing a Gröbner basis of the associated ideal $I = (f_1,\dots,f_r)$, where $f_i := y_i - p_i$.

Currently the fastest algorithms to compute a Gröbner basis (F4/F5) have complexity
$$O\!\left(m \binom{n+s-1}{s}^{\omega-1}\right), \qquad m = \sum_{i=1}^{r} \binom{n+s-d_i-1}{s-d_i},$$
where $\omega \in [2,3]$, $d_i = \deg f_i$, and $s = \operatorname{solv.deg}(I)$ is the solving degree of $I$, i.e. the highest degree of the polynomials involved in the computation of the Gröbner basis.
Solving degree and Castelnuovo-Mumford regularity

In order to design a multivariate cryptosystem that is secure against algebraic attacks, one needs to know how the solving degree depends on the parameters of the system.

Theorem (C.-Gorla). Let $F$ be a field, let $R := F[x_1,\dots,x_n]$, and let $I := (f_1,\dots,f_r)$ be an ideal of $R$. Assume that $\tilde I := (f_1^h,\dots,f_r^h)$ is in generic coordinates in $F[x_1,\dots,x_n,t]$, where $f_i^h$ is the homogenization of $f_i$. Then
$$\operatorname{solv.deg}_{DRL}(I) \le \operatorname{reg}(\tilde I),$$
and equality holds if $F$ has characteristic zero.

Here $\operatorname{reg}(\tilde I)$ is the Castelnuovo-Mumford regularity of $\tilde I$ and can be read from its minimal graded free resolution
$$0 \to \bigoplus_{j\in\mathbb{Z}} R(-j)^{\beta_{p,j}} \to \cdots \to \bigoplus_{j\in\mathbb{Z}} R(-j)^{\beta_{1,j}} \xrightarrow{\ \varphi_1\ } \bigoplus_{j\in\mathbb{Z}} R(-j)^{\beta_{0,j}} \xrightarrow{\ \varphi_0\ } \tilde I \to 0$$
as
$$\operatorname{reg}(\tilde I) := \max\{\, j - i : \beta_{i,j} \neq 0 \,\}.$$
Applications

Use knowledge on the regularity from commutative algebra to produce bounds for the solving degree.

1. Zero-dimensional ideals. Let $I := (f_1,\dots,f_r) \subseteq F[x_1,\dots,x_n]$ be an ideal generated in degree at most $d$. Assume that $\tilde I := (f_1^h,\dots,f_r^h)$ is in generic coordinates and its projective zero-locus over $\overline{F}$ consists of a finite number of points. Then
$$\operatorname{solv.deg}_{DRL}(I) \le (n+1)(d-1) + 1.$$

2. MinRank Problem. Let $M$ be an $m \times n$ matrix with $m \le n$ whose entries are sufficiently general linear forms in a polynomial ring over a field. Then the solving degree of the corresponding MinRank Problem (the ideal $I_m(M)$ of $m \times m$ minors of $M$) satisfies
$$\operatorname{solv.deg}_{DRL}(I_m(M)) \le m.$$
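To see how the F4/F5 complexity formula from the "Algebraic attack" slide combines with the solving-degree bounds above when choosing parameters, here is an added Python example; it is not code from the slides or from Caminata and Gorla, and the function names and the toy parameter values are this example's own constructed choices. It evaluates the term count $m$, the operation count $m\binom{n+s-1}{s}^{\omega-1}$, the zero-dimensional bound $(n+1)(d-1)+1$ and the MinRank bound $m$, and reports the resulting attack cost in bits.

```python
"""Cost estimates for a Groebner-basis (F4/F5) attack from the bounds on the slides.

Added example, not from the slides or the Caminata-Gorla paper. Function and
parameter names are this example's own choices; all inputs below are constructed.
"""
from math import comb, log2


def macaulay_term_count(n, degrees, s):
    """m = sum_i C(n + s - d_i - 1, s - d_i) over the generators f_i of degree d_i.

    A generator with d_i > s contributes no term (its binomial would have a
    negative lower index), so it is skipped.
    """
    return sum(comb(n + s - d - 1, s - d) for d in degrees if d <= s)


def groebner_cost_operations(n, degrees, s, omega=2.0):
    """Field operations m * C(n + s - 1, s)^(omega - 1) of the F4/F5 bound for
    n variables, generator degrees `degrees`, solving degree s and a
    linear-algebra exponent omega in [2, 3]."""
    if not 2.0 <= omega <= 3.0:
        raise ValueError("omega must lie in [2, 3]")
    return macaulay_term_count(n, degrees, s) * comb(n + s - 1, s) ** (omega - 1)


def zero_dim_solving_degree_bound(n, d):
    """Application 1: solv.deg_DRL(I) <= (n + 1)(d - 1) + 1 for an ideal in n
    variables generated in degree at most d, under the generic-coordinates and
    finitely-many-projective-zeros hypotheses."""
    return (n + 1) * (d - 1) + 1


def minrank_solving_degree_bound(m, n):
    """Application 2: solv.deg_DRL(I_m(M)) <= m for an m x n matrix, m <= n, of
    sufficiently general linear forms."""
    if m > n:
        raise ValueError("the bound is stated for m <= n")
    return m


def attack_cost_bits(n, degrees, omega=2.0):
    """log2 of the F4/F5 cost when the solving degree is replaced by the
    zero-dimensional bound of Application 1 (with d = max generator degree).

    The theorem bounds s from above, so this figure bounds the attack cost from
    above: the true solving degree, and hence the true cost, may be smaller.
    """
    s = zero_dim_solving_degree_bound(n, max(degrees))
    return log2(groebner_cost_operations(n, degrees, s, omega))


if __name__ == "__main__":
    # Constructed toy instance: 2 variables, 2 quadratic equations.
    n, degrees = 2, [2, 2]
    s = zero_dim_solving_degree_bound(n, max(degrees))
    print(f"solving-degree bound s = {s}")
    print(f"F4/F5 operations at s (omega = 2): {groebner_cost_operations(n, degrees, s):.0f}")
    print(f"log2 cost: {attack_cost_bits(n, degrees):.2f} bits")
    # Constructed larger instance: 40 variables, 40 quadratics, omega = 2.81.
    print(f"n = 40, 40 quadratics, omega = 2.81: {attack_cost_bits(40, [2] * 40, 2.81):.1f} bits")
    print(f"MinRank bound for a 3 x 5 matrix: {minrank_solving_degree_bound(3, 5)}")
```

The cost returned by `attack_cost_bits` is only as tight as the bound fed into it: for the toy instance the solving-degree bound is 4 and the operation count is 30, but a system whose actual solving degree is lower is cheaper to attack than the figure suggests, which is why the slides insist on knowing how the solving degree itself depends on the parameters.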
Thank you!! Questions?
Essential bibliography

D.J. Bernstein, J. Buchmann, E. Dahmen, Post-Quantum Cryptography, Springer Verlag, 2009.

A. Caminata, E. Gorla, Solving Multivariate Polynomial Systems and an Invariant from Commutative Algebra, preprint 2017.

J.C. Faugère, A new efficient algorithm for computing Gröbner bases (F4), Journal of Pure and Applied Algebra, vol. 139, pp. 61–88, 1999.