Jean-Charles Faugère

Transcription

1 ECC 2011 The 15th workshop on Elliptic Curve Cryptography INRIA, Nancy, France Solving efficiently structured polynomial systems and Applications in Cryptology Jean-Charles Faugère Joint work with: L Huot G Renault and M Safey El Din, L Perret, PJ Spaenlehauer, L Bettale

2 Polynomial System Solving and Applications K L Multivariate Polynomial Problem (PoSSo) Input: (f 1,, f m ) K[x 1,, x n ] m Question: Find if any z L n such that Denote by V L the set of solutions f 1 (z) = = f m (z) = 0 Focus Algebraic Computations Exact methods Approach Algorithms and complexity analysis Applications to validate the performance Write efficient software (integration in Maple)

3 Gröbner Bases Buchberger (1965) In this talk we focus on Gröbner bases methods One of the fastest method to solve polynomial equations when K = L = F q or K = Q and L = R or L = C Other efficient methods: Numerical methods: homotopy methods (continuation methods) Resultants Triangular Sets SAT Solvers in the Boolean case K = L = F 2

4 Gröbner Bases Definition (Buchberger 65) I a polynomial ideal Gröbner basis (wrt a monomial ordering): G I a finite set of polynomials such that LM(I) = LM(G)

5 Gröbner Bases Definition (Buchberger 65) I a polynomial ideal Gröbner basis (wrt a monomial ordering): G I a finite set of polynomials such that LM(I) = LM(G) Theorem V F2 = ( no solution) iff G F2 = [1] V F2 has exactly one solution iff G F2 = [x 1 a 1,, x n a n ] where (a 1,, a n ) F n 2 Most of the time, if #V K < the shape of a Gröbner Basis for a lexicographical ordering x 1 > > x n is the following: h n (x n ) x n 1 h n 1 (x n ) Shape Position x 1 h 1 (x n )

6 Algorithms to compute GB Usually a two steps process: Input System Buchberger Gröbner Basis: total degree F 4 /F 5 rely on linear algebra Gröbner Basis: lexicographical FGLM: minimal polynomial of some matrix

7 Algebraic Cryptanalysis Crypto Computer Algebra

8 Algebraic Cryptanalysis A General Method for Cryptanalysis Security of a cryptosystem hardness of solving a related multivariate polynomial system Cryptosystem (+ messages, ciphertexts, ) Secret Modeling 4 x x + 6 y y z + 5 y + 1 = 0 5 x 2 + x y + 2 x z + 6 z z + 3 = 0 6 x z + 5 y y + 4 z z + 5 = 0

9 Algebraic Cryptanalysis A General Method for Cryptanalysis Security of a cryptosystem hardness of solving a related multivariate polynomial system Cryptosystem (+ messages, ciphertexts, ) Secret Modeling 4 x x + 6 y y z + 5 y + 1 = 0 5 x 2 + x y + 2 x z + 6 z z + 3 = 0 6 x z + 5 y y + 4 z z + 5 = 0 Solving x = 4 y = 2 z = 0

10 New trend Very often experiment is needed to test the efficiency of the solving step New trend Theoretical complexity analysis to explain the behavior of the attack This is also useful to help the designers of new cryptosystems Roadmap: Specificity of the Cryptosystem Structured System What is the complexity of solving Structured System?

11 Polynomial System Solving: structured systems K L Multivariate Polynomial Problem (PoSSo) Input: (f 1,, f m ) K[x 1,, x n ] m Question: Find if any one z L n such that f 1 (z) = = f m (z) = 0 NP-hard even when K = K 2

12 Polynomial System Solving: structured systems K L Multivariate Polynomial Problem (PoSSo) Input: (f 1,, f m ) K[x 1,, x n ] m Question: Find if any one z L n such that f 1 (z) = = f m (z) = 0 Try to identify families of systems which are easier to solve :

13 Polynomial System Solving: structured systems K L Multivariate Polynomial Problem (PoSSo) Input: (f 1,, f m ) K[x 1,, x n ] m Question: Find if any one z L n such that f 1 (z) = = f m (z) = 0 Try to identify families of systems which are easier to solve : Almost all systems occurring in applications have a special structure: Symmetries: equations are left invariant by the action of a finite group Sparse equations Overdetermined systems m n Multihomogeneous structure

14 Structured systems : several applications in Crypto [F,Perret,Safey,Spaenlehauer,Bettale] [F,Otmani,Perret,Tillich, EC] Multivariate Public Key Crypto HFE Error Correcting Codes McEliece [F,Huot,Renault] Point decomposition problem Twisted Edwards Curves [FLubicz, Robert, JA] Computing modular correspondences for Abelian Varieties Curves Multi-Homogeneous Systems Takes advantage of the structure of the system to speed up the resolution Structure comes from the action of the automorphisms of the theta group or additional symmetries twisted Edwards Curves

15 Main results/examples Motivation to use the structure! For (regular) quadratic systems: Overdetermined systems: n variables Semi-regular m = c n α equations [Bardet, F,Salvy] { Sub Exponential if 1 < α < 2 Polynomial if α = 2

16 Main results/examples Motivation to use the structure! For (regular) quadratic systems: Overdetermined systems: n variables Semi-regular m = c n α equations [Bardet, F,Salvy] { Sub Exponential if 1 < α < 2 Polynomial if α = 2 Use the fact that we are over F q : [Bettale, F,Perret, JMC] : Hybrid Method direct Gröbner basis approach hybrid approach 2 18 n UOV q = 2 8, n = 60 security (Gröbner) 2 59 [Bardet, F,Salvy, Spaenlehauer] faster than exhaustive search over F 2 (K = L = F 2 ) complexity n n = faster

17 Motivation Bilinear systems: f i (X, Y) = c i,x,y x y where n = #X + #Y x X,y Y complexity is polynomial in #Solutions= ( ) n #X 2 n [JSC2011,F,Safey El Din, Spaenlehauer] Applications: MinRank/HFE: [Crypto 2008] s [Issac 2010] 935s Challenge A 20 (Variant of McEliece): 24 hours (Magma) 005 sec [EC2010, F, Otmani,] Perret, Tillich]

18 Motivation Bilinear systems: f i (X, Y) = c i,x,y x y where n = #X + #Y x X,y Y complexity is polynomial in #Solutions= ( ) n #X 2 n [JSC2011,F,Safey El Din, Spaenlehauer] Applications: MinRank/HFE: [Crypto 2008] s [Issac 2010] 935s Challenge A 20 (Variant of McEliece): 24 hours (Magma) 005 sec [EC2010, F, Otmani,] Perret, Tillich] Use the symmetries: [JA, F,Lubicz,Robert] : the action of the automorphisms of the theta group > 24 hours 01 sec [F,Huot, Renault] symmetries related to twisted Edwards Curves this talk! divides by 2 n 1 the number of solutions/complexity untractable system 4h25min

19 Sparse Equations Boolean Case K = L = F 2 Sparse = each equation depends on l variables, the expected complexity of the Agreeing-Gluing Algorithm is: O(2 0711n ) when l = 6 O(2 0405n ) when l = 3 I Semaev Sparse algebraic equations over finite fields SIAM J Comput, 39(2): , 2009

20 Structure inside Gröbner basis computation F 4 /F 5 algorithms develop specific linear algebra algorithms and implementations linear algebra: a key step for Gröbner bases take into account the specific properties of the matrices Minrank: [Issac 2010] 935s [Pasco 2010] 73s

21 Structure inside Gröbner basis computation matrices involved in FGLM are sparse (even for random system) Theorem (F-Mou, 2011) % of nonzero entries: 6 1 π d n d = deg(f i) Use of sparse algorithms Random: [Magma] 1084s [Issac 2011] 071s Systems with 2 16 solutions are tractable Random(n=3, d=10): , 686%

22 Sketch of the algorithms: Macaulay matrix in degree d I = F = f 1,, f p deg(f i ) = d i a monomial ordering Macaulay (F, d) is the following matrix: Rows: all products t f i where deg(t) (d d i ) Columns: monomials of degree d t 1 f k1 m 1 m l c i,j = coeff(t i f ki, m j ) t s f ks Row echelon forms of the Macaulay matrices = Gröbner basis

23 Sketch of the algorithms: Macaulay matrix in degree d I = F = f 1,, f p deg(f i ) = d i a monomial ordering Macaulay (F, d) is the following matrix: Rows: all products t f i where deg(t) (d d i ) Columns: monomials of degree d t 1 f k1 m 1 m l c i,j = coeff(t i f ki, m j ) t s f ks Row echelon forms of the Macaulay matrices = Gröbner basis Algorithmic Problem Rank defect = useless computations Goal: build full rank matrices (for instance F 5 ) for regular sequences

24 Complexity of Computing Gröbner Bases Definition Degree of regularity d reg : indicator of the complexity of GB algorithms for homogeneous polynomials: the lowest integer d st all monomials of degree d are in LM(I) maximal degree of a grevlex Gröbner basis is d reg

25 Complexity of Computing Gröbner Bases Definition Degree of regularity d reg : indicator of the complexity of GB algorithms for homogeneous polynomials: the lowest integer d st all monomials of degree d are in LM(I) maximal degree of a grevlex Gröbner basis is d reg Hilbert Series Generating series: HS(t) = d=0 r dt d, where r d = # Cols Rank(Macaulay(F, d)) Finite number of solution: HS(t) = d reg 1 d=0 r d t d

26 Complexity of Computing Gröbner Bases Definition Degree of regularity d reg : indicator of the complexity of GB algorithms for homogeneous polynomials: the lowest integer d st all monomials of degree d are in LM(I) maximal degree of a grevlex Gröbner basis is d reg Hilbert Series Generating series: HS(t) = d=0 r dt d, where r d = # Cols Rank(Macaulay(F, d)) Finite number of solution: HS(t) = d reg 1 d=0 r d t d Theorem Complexity of computing a grevlex (( Gröbner ) basis: n + ω ) dreg O n

27 Example of generating series Theorem n quadratic equations f i over Q then under some regularity assumption: HS(t) = (1 + t) n

28 Example of generating series Theorem n quadratic equations f i over Q then under some regularity assumption: HS(t) = (1 + t) n Consequently, d reg = n + 1 Example Q, n = m = 50 quadratic equations (1 + z) 50 = z + + z z 51 Hence the maximal degree occurring in the computation is 51

29 F 5 algorithm: simple matrix version Get rid of the trivial relations: Incremental algorithm f i f j f j f i = 0 fi 2 f i = 0 when K = F 2 (f 1 ) + G prev Incremental degree by degree Special/Simpler version of F 5 for dense/generic quadratic polynomials the maximal degree D is a parameter of the algorithm m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x 0 x x x u r1 f x x v rk 1 f k x x w 1 f k x w 2 f k

30 F5: compute Groebner ( f 1,, f k ), d + 1) Already computed Groebner ( f 1,, f k ), d) Matrix in degree d m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x 0 x x x u r1 f x x v rk 1 f k x x w 1 f k x w 2 f k

31 F5: compute Groebner ( f 1,, f k ), d + 1) Matrix in degree d m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x 0 x x x u r1 f x x v rk 1 f k x x w 1 f k x w 2 f k

32 F5: compute Groebner ( f 1,, f k ), d + 1) Matrix in degree d m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x 0 x x x u r1 f x x v rk 1 f k x x w 1 f k x w 2 f k if w 1 = x α 1 1 x α j j

33 F5: compute Groebner ( f 1,, f k ), d + 1) Matrix in degree d m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x 0 x x x u r1 f x x v rk 1 f k x x w 1 f k x w 2 f k if w 1 = x α 1 1 x α j j Matrix in degree d + 1 t 1 t 2 t 3 t 4 t 5 w 1 x j f k 0 1 x x x w 1 x j+1 f k x x w 1 x nf k x

34 F5: compute Groebner ( f 1,, f k ), d + 1) Matrix in degree d m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x 0 x x x u r1 f x x v rk 1 f k x x w 1 f k x w 2 f k if w 1 = x α 1 1 x α j j Matrix in degree d + 1 t 1 t 2 t 3 t 4 t 5 w 1 x j f k 0 1 x x x w 1 x j+1 f k x x w 1 x nf k x

35 F5: compute Groebner ( f 1,, f k ), d + 1) Matrix in degree d m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x 0 x x x u r1 f x x v rk 1 f k x x w 1 f k x w 2 f k if w 1 = x α 1 1 x α j j Matrix in degree d + 1 t 1 t 2 t 3 t 4 t 5 w 1 x j f k 0 1 x x x w 1 x j+1 f k x x w 1 x nf k x Remove w 1 x j+1 f k iff w 1 x j+1 LT( f 1,, f k 1 )

36 F5: compute Groebner ( f 1,, f k ), d + 1) Matrix in degree d m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x 0 x x x u r1 f x x v rk 1 f k x x w 1 f k x w 2 f k if w 1 = x α 1 1 x α j j Matrix in degree d + 1 t 1 t 2 t 3 t 4 t 5 w 1 x j f k 0 1 x x x w 1 x j+1 f k x x w 1 x nf k x Remove w 1 x j+1 f k iff w 1 x j+1 LT(Groebner ( f 1,, f k 1 ), d 1)

37 F 5 criterion complexity of overdetermined systems with M Bardet and B Salvy Criterion: t f j is in the matrix if t / Id(LT < (G j 1 )), where G j 1 is a Gröbner basis of {f 1,, f j 1 } R d,i (n) number of rows in the matrix generated by F 5 when computing a Gröbner basis of [f 1,, f i ] in degree d

38 Induction When d 2 : R d,i (n) = i M d 2 (n) }{{} number of monomials degree d 2 i 1 j=1 R d 2,j (n) } {{ } F 5 criterion

39 Induction When d 2 : R d,i (n) = i M d 2 (n) }{{} number of monomials degree d 2 i 1+δ K,F2 j=1 R d 2,j (n) } {{ } F 5 criterion

40 End of the computation #row= R d,m (n) #col= M d (n) Matrix generated by F5

41 End of the computation #row= R d,m (n) #col= M d (n) Matrix generated by F5

42 End of the computation #row= R d,m (n) #col= M d (n) Matrix generated by F5 When h d,m (n) = #col #row = 0 this end of the computation! We compute the biggest real root n > 0 of h d,m (n) = 0

43 Example For quadratic equations, m = n over F 2 : using the previous relation we can compute explicitly: U 0,i (n) = U 1,i (n) = 0 U 2,i (n) = i ( n 0) 0 = i U 3,i (n) = i ( n 1 ) i U 1,j (n) = i n j=1

44 Example For quadratic equations, m = n over F 2 : using the previous relation we can compute explicitly: U 0,i (n) = U 1,i (n) = 0 U 2,i (n) = i ( n 0) 0 = i U 3,i (n) = i ( n 1 Then: ) i U 1,j (n) = i n j=1 h 3,n (n) = M 3 (n) U 3,n (n) = ( ) n 3 n 2 = n(n2 9 n+2) 6

45 Example For quadratic equations, m = n over F 2 : using the previous relation we can compute explicitly: U 0,i (n) = U 1,i (n) = 0 U 2,i (n) = i ( n 0) 0 = i U 3,i (n) = i ( n 1 Then: ) i U 1,j (n) = i n j=1 h 3,n (n) = M 3 (n) U 3,n (n) = ( ) n 3 n 2 = n(n2 9 n+2) 6 The biggest real root of this polynomial: ( h 3,n (n)=n n 9/2 1/2 ) ( 73 n 9/2 + 1/2 ) 73

46 Example h 3,n (n)=n ( n 9/2 1/2 ) ( 73 n 9/2 + 1/2 ) 73 biggest real root is: 9/2 + 1/ so that N 3 = 9

47 Example h 3,n (n)=n ( n 9/2 1/2 ) ( 73 n 9/2 + 1/2 ) 73 biggest real root is: 9/2 + 1/ so that N 3 = 9 Hence d 3 when n 9 : d N d

48 Example h 3,n (n)=n ( n 9/2 1/2 ) ( 73 n 9/2 + 1/2 ) 73 biggest real root is: 9/2 + 1/ so that N 3 = 9 Hence d 3 when n 9 : d N d n < 9 = N 3 the maximal degree in F 5 is 3; the total complexity O(n 3ω ) 2 N 3 = 9 n < N 4 = 16 the maximal degree is 4 and complexity is O(n 4ω ) 3

49 Generating series Theorem f i of degree d i, i = 1,, m finite field F q then H m = d=0 h d,m z d = m i=1 ( 1 (1 δ K,F2 ) z d i 1+δ K,F2 z d i ) ( ) n 1 δ K,F2 z 2 1 z

50 Generating series Theorem f i of degree d i, i = 1,, m finite field F q then H m = d=0 h d,m z d = m i=1 ( 1 (1 δ K,F2 ) z d i 1+δ K,F2 z d i particular case: d i = 2, F 2, n = m equations h d,n z d = d=0 ( ) 1 + z n 1 + z 2 ) ( ) n 1 δ K,F2 z 2 1 z

51 Generating series particular case: d i = 2, F 2, n = m equations Example h d,n z d = d=0 ( ) 1 + z n 1 + z 2 F 2, n = m = 50 semi-regular quadratic equations ( 1+z 1+z 2 ) 50 = z z z z z z z z z 9 +O ( z 10) Hence the maximal degree occurring in the computation is 9

52 Asymptotic estimate biggest real root of h d,n = 1 ( ) 1 + z n dz 2iπ C 1 + z 2 z d+1 d n = 1 λ 0 n λ 1 n O( 1 ) 4 λ 3 0 n 1 3 d n n n O( 1 where λ 0 = 3/ /2 + 1/ the expression of λ 1 contains the biggest real root of the Airy function (solution of 2 y zy = 0) z 2 The formula is almost exact when n 3! n 1 3 )

53 Maximal degree 16 Maximal Degree in the Gröbner basis computation 14 random system HFE 128<d<513 HFE 16<d<129 HFE 3<d< n

54 Complexity: overdetermined systems k is a constant (does not depend on n) d i total degree of f i Under regularity assumption: m Degree d max m n K, d i = 2 m + 1 ( Macaulay bound) m n K 1 + n+1 (d i 1) ( Macaulay bound) i=1 n + k K, d i = 2 m 2 h k,1 n + k K n+k i=1 m d i 1 2 h k,1 2 + o(1) n+k i=1 d 2 i o(1) 2 n K, d i = 2 n n n O k n K, d i = 2 (k 1 2 k(k 1))n + a 1 2(k(k 1)) 1 6 n F 2, d i = 2 n n O(n 1 3 ) k n F 2, d i = 2 ( k ( ) n 2 3 n O(1) 2k(k 5) 1 + 2(k + 2) k(k + 2) ) n

55 Classification Classification: m number of polynomials, n number of variables m = cste n m = cste n α m = cste n 2 Complexity single exponential sub exponential polynomial

56 Bilinear Equations in Algebraic Attacks: Motivation Powerful attack somewhat similar to Lattice attacks: we consider k vectors v i = [, v i,j, ] with v i,j Z Try to find: (λ 1,, λ k ) Z k such that k λ i v i is small i=1

57 Bilinear Equations in Algebraic Attacks: Motivation Powerful attack somewhat similar to Lattice attacks: we consider k vectors v i = [, v i,j, ] with v i,j Z Try to find: (λ 1,, λ k ) Z k such that k λ i v i is small i=1 using LLL: find a small vector in Polynomial Time

58 Bilinear Equations in Algebraic Attacks: Motivation For k quadratic multivariate polynomials f i K[x 1,, x n ]: [ 2 ] f f l H(f l ) = M l = l x i x j 1 i,j n Try to find: (λ 1,, λ k ) K k such that: k λ i M i is small i=1 matrix representation of f i

59 Bilinear Equations in Algebraic Attacks: Motivation For k quadratic multivariate polynomials f i K[x 1,, x n ]: [ 2 ] f f l H(f l ) = M l = l x i x j 1 i,j n Try to find: (λ 1,, λ k ) K k such that: k λ i M i is of small rank i=1 matrix representation of f i

60 Bilinear Equations in Algebraic Attacks: Motivation For k quadratic multivariate polynomials f i K[x 1,, x n ]: [ 2 ] f f l H(f l ) = M l = l x i x j 1 i,j n matrix representation of f i Try to find: (λ 1,, λ k ) K k such that: k λ i M i is of rank r Minrank Problem i=1

61 Bilinear Equations in Algebraic Attacks: Motivation For k quadratic multivariate polynomials f i K[x 1,, x n ]: [ 2 ] f l f l H(f l ) = M l = x i x j 1 i,j n Try to find: (λ 1,, λ k ) K k such that: matrix representation of f i k λ i M i is of rank r Minrank Problem i=1 That is to say: in some basis k i=1 λ if i depends only on r variables

62 Two algebraic modelings: structured equations M = M 0 k i=1 λ im i The minors modeling Rank(M) r all minors of size (r + 1) of M vanish ( m r+1) 2 equations of degree r + 1 k variables The Kipnis-Shamir modeling Rank(M) r x (1),, x (m r) Ker(M) I m r M x (1) 1 x (m r) 1 = 0 x (1) r x (m r) r Few variables, lots of equations, high degree!! Applications of bilinear equations in Crypto: Cryptanalysis of HFE and MinRank [CRYPTO 08, ISSAC 10, PKC 11] Cryptanalysis of McEliece [EUROCRYPT 10] m(m r) bilinear equations k + r(m r) variables

63 Bilinear systems joint work with M Safey El Din and PJ Spaenlehauer F = (f 1,, f m ): system of homogeneous bilinear equations f i (X, Y) = x X,y Y f 1 x 0 jac X (F i ) = f i x 0 Euler relations c i,x,y x y where n = #X + #Y f 1 x n x f i x n x jac Y (F i) = f = f x j = f y j x j y j x 0 f 1 y 0 f i y 0 1 f = jac X (F i ) = jac Y (F i ) f i x nx y 0 y ny f 1 y n y f i y n y

64 Complexity of affine bilinear systems In affine case: x 0 = 1, y 0 = 1 and the number of variables is n = n X + n Y Theorem: degree of regularity [JSC 2011] Degree of regularity of a generic 0-dim affine bilinear system for the grevlex ordering: d reg 1 + min(n x, n y ) Sharp bound in practice

65 Degree of regularity: idea of the proof Affine: x 0 = 1 Choose the block of variables of smallest cardinality, we assume n X n Y I = f 1,, f n Bilinear system of K[X, Y ] J X x = f 1 f 1 x nx x 0 f n x 0 f n x nx 1 x 1 = 0 x nx

66 Degree of regularity: idea of the proof Affine: x 0 = 1 Choose the block of variables of smallest cardinality, we assume n X n Y I = f 1,, f n Bilinear system of K[X, Y ] J X x = f 1 f 1 x nx x 0 f n x 0 f n x nx 1 x 1 = 0 x nx J X is singular! J X is a singular p q = (n X + 1) (n X + n Y ) matrix = all the maximal minors are = 0!

67 Degree of regularity: idea of the proof I = f 1,, f n Bilinear system of K[X, Y ] J X x = f 1 f 1 x nx x 0 f n x 0 f n x nx 1 x 1 = 0 x nx J X is singular! J X is a singular p q = (n X + 1) (n X + n Y ) matrix = all the maximal minors are = 0! Determinantal miracle! A Theorem of Bernstein, Sturmfels and Zelevinski M a p q matrix whose entries are variables The maximal minors of M are a universal Gröbner basis

68 Degree of regularity: idea of the proof J X is singular! J X is a singular p q = (n X + 1) (n X + n Y ) matrix = all the maximal minors are = 0! Extension of the Theorem of Bernstein, Sturmfels and Zelevinski [JSC 2011] J X a p q linear matrix with coefficients in K[y 1,, y ny ], the maximal minors of M are a grevlex Gröbner basis LM(Minors(J X )) = all monomials of degree n X + 1 in y 1,, y ny

69 Degree of regularity: idea of the proof J X is singular! J X is a singular p q = (n X + 1) (n X + n Y ) matrix = all the maximal minors are = 0! Extension of the Theorem of Bernstein, Sturmfels and Zelevinski [JSC 2011] J X a p q linear matrix with coefficients in K[y 1,, y ny ], the maximal minors of M are a grevlex Gröbner basis LM(Minors(J X )) = all monomials of degree n X + 1 in y 1,, y ny Rewrite J X x = A(y) x 1 + b = 0 Cramer s rule : x 1 det(a(y)) x nx + Adj(A)b I x nx

70 Degree of regularity: idea of the proof J X is singular! J X is a singular p q = (n X + 1) (n X + n Y ) matrix = all the maximal minors are = 0! Extension of the Theorem of Bernstein, Sturmfels and Zelevinski [JSC 2011] J X a p q linear matrix with coefficients in K[y 1,, y ny ], the maximal minors of M are a grevlex Gröbner basis LM(Minors(J X )) = all monomials of degree n X + 1 in y 1,, y ny Rewrite Cramer s rule : J X x = A(y) x 1 x nx x 1 x nx + b = 0 + det(a(y)) 1 Adj(A)b I

71 Degree of regularity: idea of the proof J X is singular! J X is a singular p q = (n X + 1) (n X + n Y ) matrix = all the maximal minors are = 0! Extension of the Theorem of Bernstein, Sturmfels and Zelevinski [JSC 2011] J X a p q linear matrix with coefficients in K[y 1,, y ny ], the maximal minors of M are a grevlex Gröbner basis LM(Minors(J X )) = all monomials of degree n X + 1 in y 1,, y ny Rewrite Cramer s rule : J X x = A(y) x 1 x nx x 1 x nx + b = 0 + det(a(y)) 1 Adj(A)b I Any n X j=1 x α j ny j k=1 y β k k n Y k=1 y γ k k mod Minors(J X ) with γ k n X

72 Trivial Syzygies of Bilinear Systems An example with small parameters: n x = n y = 2, m = 4 We rewrite the usual trivial syzygie as: 0 = f 2 f 1 f 1 f 2 = f 1 f 2 f 1 f 2

73 Trivial Syzygies of Bilinear Systems An example with small parameters: n x = n y = 2, m = 4 We rewrite the usual trivial syzygie as: 0 = f 2 f 1 f 1 f 2 = f 1 f 2 f 1 f 2 Theorem (Trivial Syzygies) When n x = n y = 2, m = 4 the trivial syzygies of a generic bilinear system are: f f 1 f 2 f 3 f 4 i f j f 1 f 2 f 3 f 4 f 1 f 2 f 3 f 4 f i f j i j, x 0 x 0 x 0 x 0 f 1 f 2 f 3 f 4, x 1 x 1 x 1 x 1 jac Y (F 4 ) f 1 f 2 f 3 f 4 x 2 x 2 x 2 x 2

74 Results 1 Variant of F 5 : avoid computing zero 2 Characterize a nice subclass of systems we defined a notion of biregularity Theorem Generically, bilinear systems are biregular, ie the set of biregular bilinear systems is a Zariski nonempty open subset 3 Generic Hilbert series HS I (t 1, t 2 ) = dim(k[x, Y ] α,β /I α,β )t α 1 tβ 2 We can compute it explicitly! 4 Complexity analysis

75 Complexity Solving affine bilinear systems The complexity of computing a grevlex Gröbner basis of a zero-dimensional ideal generated by generic affine bilinear polynomials is polynomial in the number of solutions ( n n x ) = ( n n y ) ( O(Monomials(1 + min(n x, n y )) ω ) O 2 ω min(nx,ny )) Consequences: n x constant, n y grows = complexity polynomial in n y X and Y unbalanced easy to solve Better than Macaulay bound: ( O(Monomials(n x + n y + 1) ω ) O 2 ω(nx +ny )) n X is a constant in the case of Minrank challenges!

76 Solving Systems with Symmetries G is a finite group Compute the roots of the system: V L = {z L n f 1 (z) = = f m (z) = 0} Two cases: Most difficult case: V L is invariant by G: if z V L then σ z V L for all σ G Open Issue to compute efficiently V L /G even if G = S n

77 Solving Systems with Symmetries G is a finite group Compute the roots of the system: V L = {z L n f 1 (z) = = f m (z) = 0} Two cases: Most difficult case: V L is invariant by G: if z V L then σ z V L for all σ G Open Issue to compute efficiently V L /G even if G = S n Each equation is invariant by G σ f i = f i for all σ G

78 Invariant ring Definition K[x 1,, x n ] and G GL(K, n) a linear group acting on K n K[x 1,, x n ] G = {p K[x 1,, x n ] σ p = p for all σ G} where (σ p)(v) = p(σ 1 v) for all v K n Hilbert s finiteness theorem If G is a linear group then its invariant ring is finitely generated Theorem K[x 1,, x n ] Sn = K[e 1,, e n ] where e k = x i1 x i2 x ik is the k th elementary symmetric polynomial 1 i 1 <i 2 <<i k n

79 Hironaka decomposition There exist G is a linear group = K[x 1,, x n ] G primary invariants θ 1,, θ n K[x 1,, x n ] G algebraically independent secondary invariants η 1,, η t K[x 1,, x n ] G Method proposed by [Sturmfels]: Each equation: f K[x 1,, x n ] G f (θ 1,, θ n, η 1,, η t )

80 Hironaka decomposition There exist G is a linear group = K[x 1,, x n ] G primary invariants θ 1,, θ n K[x 1,, x n ] G algebraically independent secondary invariants η 1,, η t K[x 1,, x n ] G Method proposed by [Sturmfels]: Each equation: f K[x 1,, x n ] G f (θ 1,, θ n, η 1,, η t ) OK : we compute a Gröbner basis of I(V L /G) NOK: the resulting system is often more difficult to solve than the original! we have n + t variables the η 1,, η t are not independent Add equations: F(η 1,, η t ) = 0

81 First easy case: each equation is invariant Example (Cyclic n problem) G = C n x x n = 0 x 1 x x i x i+1 + = 0 + x i x i+1 x i+k 1 + = 0 x 1 x 2 x n = 1 R(f ) = 1 #G σf Reynolds σ G

82 First easy case: each equation is invariant Example (Cyclic n problem) G = C n R(x 1 ) = 0 R(x 1 x 2 ) = 0 R(f ) = 1 R(x 1 x 2 x k 1 ) = 0 #G x 1 x 2 x n = 1 σf Reynolds σ G Very compact representation!

83 First easy case: each equation is invariant Example (Cyclic n problem) G = C n R(x 1 ) = 0 R(x 1 x 2 ) = 0 R(x 1 x 2 x k 1 ) = 0 x 1 x 2 x n = 1 R(f ) = 1 #G σf Reynolds σ G Very compact representation! Theory to adapt Gröbner basis theory: Subalgebra Analog to Gröbner Basis for Ideals = SAGBI LRobbiano and M Sweedler Subalgebra bases Commutative algebra, pp in LMM 1430, Springer, 1990 D Kapur and K Madlener, A completion procedure for computing a canonical basis for a k-subalgebra",

84 First easy case: each equation is invariant Example (Cyclic n problem) G = C n R(x 1 ) = 0 R(x 1 x 2 ) = 0 R(x 1 x 2 x k 1 ) = 0 x 1 x 2 x n = 1 R(f ) = 1 #G σf Reynolds σ G Very compact representation! SAGBI Gröbner Bases : in general infinite! Propose efficient algorithms (variants of F 5 and FGLM) to represent solutions of the system by another system in e 1,, e n Example Cyclic n = 5 Symmetric Gröbner basis: [e 1, 125 e 2 + e 3 4, e e 3, e 4, e 5 1]

85 Algorithm [F, Rahmany, 2009] D-Sagbi Matrix F 5 -Inv algorithm Input System in K[x 1,, x n ] G FGLM-Invariant algorithm no D := D + 1 Gröbner basis in the invariant ring K[e 1,, e n ] where e i is the i-th elementary symmetric polynomial D- Sym Gröbner basis in K[e 1,, e n ] Test Zero Dim? yes Solutions recovering L n solutions

86 Experiments n D F 5 -invariant Magma (F4) cyclic s 1361 s cyclic s "Killed" cyclic h 54 m cyclic h 34m

87 Experiments n D F 5 -invariant Magma (F4) cyclic s 1361 s cyclic s "Killed" cyclic h 54 m cyclic h 34m Reduced size of the computed objects: #Solutions #polynomials Max length of poly C 7 lex inv C 7 lex C 8 lex dim inv C 8 lex dim inv C 9 lex dim

88 Second easy case: G is a reflection group Theorem (Chevalley, Shepard, Todd) If char(k) #G then G is a reflection group = K[x 1,, x n ] G = K[θ 1,, θ n ] where θ 1,, θ n K[x 1,, x n ] are algebraically independent

89 Second easy case: G is a reflection group Theorem (Chevalley, Shepard, Todd) If char(k) #G then G is a reflection group = K[x 1,, x n ] G = K[θ 1,, θ n ] where θ 1,, θ n K[x 1,, x n ] are algebraically independent Example (DLP Edwards) Consider a set of symmetric equations In addition we assume that (y 1,, y n ) V L = ( y 1, y 2, y 3,, y n ) V L = (y 1, y 2, y 3,, y n ) V L even number change of signs on {y 1,, y n }

90 Second easy case: G is a reflection group Example (DLP Edwards) Consider a set of symmetric equations In addition we assume that (y 1,, y n ) V L = ( y 1, y 2, y 3,, y n ) V L = (y 1, y 2, y 3,, y n ) V L n 2 ( n ) i=0 2i = 2 n 1 even number change of signs on {y 1,, y n } Definition (Coxeter Group) D n is the symmetry group of the n-demi hypercube Theorem D n = (Z/2Z) n 1 S n = #D n = n! 2 n 1 F q [y 1,, y n ] Dn = F q [E 1,, E n 1, e n ] where E i = e i (y 2 1,, y 2 n ) the i th elementary symmetric polynomial in terms of y 2 i

91 DLP Discrete Logarithm Problem (DLP) Input: finite group G and g, h G, Question: Find if any an integer x such that h = [x] g For any G, generic algorithms O ( #G ) G = (F q, ), index calculus sub-exponential G = (J C (F q ), +) if g > 2 index calculus sub-exponential wrt q G = E(F q ) no sub-exponential algorithm (except for few weak curves) if q = p m, Diem // Gaudry index calculus attack

92 Adaptation of index calculus (Gaudry//Diem) Algorithm Input : P, Q E(F q n) Output : x such that Q = [x]p 1 Factor base : F = {(x, y) E(F q n) x F q } 2 Compute relations : [a j ]P [b j ]Q = P 1 P n, P i F ( proba = 1 ) n! until having #F + 1 such relations 3 Linear algebra j [λ j a j ]P [λ j b j ]Q = 0 E(Fq n )

93 Adaptation of index calculus (Gaudry//Diem) Algorithm Input : P, Q E(F q n) Output : x such that Q = [x]p 1 Factor base : F = {(x, y) E(F q n) x F q } 2 Compute relations : [a j ]P [b j ]Q = P 1 P n, P i F ( proba = 1 ) n! until having #F + 1 such relations 3 Linear algebra j [λ j a j ]P [λ j b j ]Q = 0 E(Fq n ) Complexity For n fixed, Õ(q2 2 n ) (Gaudry, pprint 2004 and JSC 2009 / Diem, ANTS 2006)

94 Problem : point decomposition (PDP) Given: R E(F q n) F = {(x, y) E(F q n) x F q } E(F q n) find P 1,, P n F such that R = P 1 P n Algebraic method Modeling the problem as a polynomial system {g 1,, g s } and solve this system

95 Related work [Joux, Vitse eprintiacrorg/2010/157] General approach Similar to hybrid approach (specialization of one point) decrease the cost of solving the algebraic system add an exhaustive search on F of size q In practice: limits the size of F q, q 2 30 Goal (joint work with L Huot and G Renault) Focus on Edwards curves Take advantage of the symmetries to decrease the cost of solving system (in comparison to Gaudry) No exhaustive search, complexity linear wrt log(q) for n fixed, (almost) no limit on q

96 Curve representations Weierstrass E : y 2 = x 3 + a x + b P = (x, y) E, P = (x, y) Twisted Edwards Edwards, Bulletin of the AMS 2007 Bernstein et al, AFRICACRYPT 2008 E a,d : a x 2 + y 2 = 1 + d x 2 y 2 where ad(a d) 0 P = (x, y) E a,d, P = ( x, y)

97 Summation polynomials in Weierstrass representation [Semaev, Technical report 2004] Projection of point decomposition problem f m (x 1,, x m ) = g 1,, g s F q n[x 1,, x m ] m 2 m th summation polynomial is defined by (x 1,, x m ) K m, f m (x 1,, x m ) = 0 (y 1,, y m ) K m st i, P i = (x i, y i ) E and P 1 P m = 0 E(K) Properties m > 2, f m is symmetric f n+1 (x 1,, x n, x R ) f n+1 (e 1,, e n ) If E is defined by a Weierstrass equation then deg xi (f m ) = 2 m 2

98 Summation polynomials for twisted Edwards curves We need to fix a small technical Issue: For all P = (x, y) E a,d we have P = ( x, y) P 1 P m = 0 Ea,d f m (x 1,, x m ) = 0 Fq n = ( P 1 ) ( P m ) = 0 Ea,d f m ( x 1,, x m ) = 0 Fq n Degree is too big! deg xi (f m ) = (2 m 2 ) 2 Trick : x y Summation polynomials for Edwards curves : f n+1 (y 1,, y n, y R ) Algorithm adaptation : F = {(x, y) E a,d (F q n) y F q }

99 Use that we are in some extension F q n Up to now we have only one equation: fn+1 (e 1,, e n ) = 0 but { xi F q f n+1 F q n[x 1,, x n ]

100 Use that we are in some extension F q n Up to now we have only one equation: fn+1 (e 1,, e n ) = 0 but { xi F q f n+1 F q n[x 1,, x n ] Weil restriction on summation polynomial F q n : n dimensional F q -vector space ] (0) fn+1 (e 1,, e n ) = 0 Fq n = [ f n+1 (e (n 1) 1,, e n ),, f n+1 (e 1,, e n ) - S = { f (0) n+1 - n variables, n equations - solutions in F q,, f (n 1) n+1 } F q[x 1,, x n ]

101 Semaev modeling: Weierstrass vs twisted Edwards Weierstrass LEX Gröbner Basis of S Sn : e 1 + h 1 (e n ) e 2 + h 2 (e n ) e n 2 + h n 2 (e n ) e n 1 + h n 1 (e n ) h n (e n ) Edwards LEX Gröbner Basis of S Sn : e 1 + h 1 (e n 1, e n ) e 2 + h 2 (e n 1, e n ) e n 2 + h n 2 (e n 1, e n ) h n 1 (e n 1, e n ) h n (e n ) deg(h n ) = 2 n(n 1) deg( S Sn ) = 2 n(n 1) deg(h n ) = 2 (n 1)2 deg en 1 (h n 1 ) = 2 n 1 deg( S Sn ) = 2 n(n 1)

102 Action of 2-torsion point Definition E a,d : ax 2 + y 2 = +dx 2 y 2 has a 2-torsion point T 2 = (0, 1) ie [2]T 2 = 0 Ea,d Property P = (x, y) E a,d (F q n), P T 2 = ( x, y)

103 Action of 2-torsion point Definition E a,d : ax 2 + y 2 = +dx 2 y 2 has a 2-torsion point T 2 = (0, 1) ie [2]T 2 = 0 Ea,d Property P = (x, y) E a,d (F q n), P T 2 = ( x, y) Action on the points (geometry) P 1 P n = R (P 1 T 2 ) (P 2 T 2 ) P 3 P n = R For any combination of an even number of T 2

104 Action of 2-torsion point Definition E a,d : ax 2 + y 2 = +dx 2 y 2 has a 2-torsion point T 2 = (0, 1) ie [2]T 2 = 0 Ea,d Property P = (x, y) E a,d (F q n), P T 2 = ( x, y) Action on the points (geometry) P 1 P n = R (P 1 T 2 ) (P 2 T 2 ) P 3 P n = R (y 1,, y n ) V R ( y 1, y 2, y 3,, y n ) V R For any combination of an even number of T 2 Theorem f n+1 (y 1,, y n, y R ) F q n[y 1,, y n ] Dn fn+1 (e 1,, e n ) ˆf n+1 (E 1,, E n 1, e n ) where E i = e i (y 2 1,, y 2 n )

105 New Semaev modeling: Weierstrass vs Edwards Weierstrass LEX Gröbner Basis of S Sn : e 1 + h 1 (e n ) e 2 + h 2 (e n ) e n 1 + h n 1 (e n ) h n (e n ) Edwards LEX Gröbner Basis of S Dn : E 1 + h 1 (e n ) E 2 + h 2 (e n ) E n 1 + h n 1 (e n ) h n (e n ) deg(h n ) = 2 n(n 1) deg(h n ) = 2 (n 1)2 new system such that deg( S Dn ) = deg( S ) #D n = deg( S S n ) 2 n 1 Much faster Gröbner basis computation Complexity of FGLM 2 ω(n 1) using the action of T 2

106 Some practical results #F q : 16 bits n DRL LEX Total Time Deg Time Time # ops W sym 6s s 466s FGb Edwards D n s 3s W sym FGb Edwards D n 12297s s 15953s 2 45 n = 4 #F q (bits) Total time (s) W sym 6922s 4717s 5837s 6898s Magma Edwards D n 43s 40s 53s 73s

107 Security domains parameters n log 2 (q) #E(F q n) Gen Algo DLPV Edwards W Edwards W Edwards W Edwards W ?? Edwards W 2?? Number of Boolean operations needed to solve the ECDLP defined over F q n for n = 4, 5 and 32 log 2 (q) 128

108 Conclusion Summary for DLP Edwards + Jacobi Intersections : action of 2-torsion point New change of variables symmetric group + 2-torsion point Practical improvements huge factor save to solve the systems decomposition in 5 points solved complexity of point decomposition problem linear wrt log(q) for n 5 Conclusion Use the structure can speedup Algebraic Attack Sometimes change the complexity of the attack Many Open Issues: Symmetries, Multihomogeneous, Sparse equations,