Gröbner Bases. Applications in Cryptology

Size: px

Start display at page:

Download "Gröbner Bases. Applications in Cryptology"

Abel Summers
6 years ago
Views:

1 Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties Gröbner Bases. Applications in Cryptology Jean-Charles Faugère INRIA, Université Paris 6, CNRS Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result Ecrypt Samos

2 Properties of Gröbner bases I K a eld, K[x 1,., x n ] polynomials in n variables. Gröbner - Crypto Plan J.-C. Faugère 8 < : Linear systems l 1 (x 1,., x n ) = 0 l m (x 1,., x n ) = 0 V = Vect K (l 1,., l m ) Triangular/diagonal basis of V 8 Polynomial equations < f 1 (x 1,., x n ) = 0 : f m (x 1,., x n ) = 0 Ideal generated by f i : I = Id(f 1,., f m ) Gröbner basis of I Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result De nition (Buchberger) < admissible ordering (lexicographical, total degree, DRL) G K[x 1,., x n ] is a Gröbner basis of an ideal I if 8f 2 I, exists g 2 G such that LT < (g) j LT < (f )

3 Properties of Gröbner bases II Solving algebraic systems: Computing the algebraic variety: K L (for instance L=K the algebraic closure) V L = f(z 1,., z n ) 2 L n j f i (z 1,., z n ) = 0, i = 1,., mg Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result Solutions in nite elds: We compute the Gröbner basis of G F2 of [f 1,., f m, x1 2 x 1,., xn 2 x n ], in F 2 [x 1,., x n ]. It is a description of all the solutions of V F2.

4 Properties of Gröbner bases III Theorem I V F2 = ( no solution) i G F2 = [1]. I V F2 has exactly one solution i G F2 = [x 1 a 1,., x n a n ] where (a 1,., a n ) 2 F n 2. Shape position: If m n and the number of solutions is nite ( #V K < ), then in general the shape of a lexicographical Gröbner basis: x 1 > > x n : 8 >< Shape Position >: h n (x n )(= 0) x n 1 h n 1 (x n )(= 0). x 1 h 1 (x n )(= 0) Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

5 Solving zero-dimensional system Gröbner - Crypto J.-C. Faugère Plan When dim(i ) = 0 ( nite number of solutions); in general: I It is easier to compute a Gröbner Basis of I for a total degree (< DRL ) ordering I Triangular structure of Gb valid only for a lex. ordering: 8 >< Shape Position >: h n (x n ) = 0 x n 1 = h n 1 (x n ). x 1 = h 1 (x n ) Dedicated Algorithm: e ciently change the ordering Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result FGLM, Gröbner Walk, LLL,.

6 FGLM Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties Dedicated Algorithm: e ciently change the ordering FGLM = use only linear algebra. Theorem (FGLM) If dim(i ) = 0 and D=deg(I ). Assume that G a Gröbner basis of I is already computed, then G new a Gröbner basis for the same ideal I and a new ordering < new can be computed in O(n D 3 ). Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

7 Zero dim solve Gröbner - Crypto J.-C. Faugère Plan Initial System Gröbner bases: properties Zero dim solve Gröbner Basis DRL order Gröbner Basis Lexico order Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result RUR Factorization Real Roots isolation

8 Algorithms I Algorithms: for computing Gröbner bases. I Buchberger (1965,1979,1985) I F 4 using linear algebra (1999) (strategies) I F 5 no reduction to zero (2002) Linear Algebra and Matrices Trivial link: Linear Algebra $ Polynomials De nition: F = (f 1,., f m ), < ordering. A Matrix representation M F of F is such that Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result T F = M F. T X where X all the terms (sorted for <) occurring in F : M F = m 1 > m 2 > m f 1. f A f 3.

9 Algorithms II Gröbner - Crypto J.-C. Faugère Plan Linear Algebra and Matrices Trivial link: Linear Algebra $ Polynomials If Y is a vector of monomials, M a matrix then its polynomial representation is T [f 1,., f m ] = M Ṭ Y Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result Macaulay method Macaulay bound (for homogeneous polynomials): D = 1 + m i=1 (deg(f i ) 1)

10 Algorithms III We compute the matrix representation of ftf i, deg(t) D deg(f i ), i = 1,., mg, < DRL Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties M Mac = m 1 > m 2 > m 3 > > m r 0 1 t 1 f 1. t 1 0 f 1. t 0 2 f 2 B. C t 2 f A t 3 f 3. Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result Let M Mac be the result of Gaussian elimination. Theorem (Lazard 83) If F is regular then the polynomial representation of M Mac is a Gröbner basis.

11 E cient Algorithms Gröbner - Crypto J.-C. Faugère Plan F 4 (1999) linear algebra Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

12 E cient Algorithms Gröbner - Crypto J.-C. Faugère Plan F 4 (1999) linear algebra Small subset of rows: F 5 (2002) full rank matrix Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

13 E cient Algorithms Gröbner - Crypto J.-C. Faugère Plan F 4 (1999) linear algebra Small subset of rows: F 5 (2002) full rank matrix F 5 /2 (2002) full rank matrix GF(2) (includes Frobenius h 2 = h) A d = momoms degree d in x 1,., x n 0 1 monom f i1. monom f A monom f i3. Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

14 F 5 the idea I Gröbner - Crypto J.-C. Faugère Plan We consider the following example: (b parameter): S b 8 < : f 3 = x xy + 19 y xz + 5 yz + 7 z 2 f 2 = 3 x 2 + (7 + b) x y + 22 x z + 11 yz + 22 z y 2 f 1 = 6 x xy + 4 y xz + 9 yz + 7 z 2 Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result With Buchberger x > y > z: I I 5 useless reductions 5 useful pairs

15 F 5 the idea II Gröbner - Crypto J.-C. Faugère We proceed degree by degree. A 2 = x 2 x y y 2 x z y z z 2 f f f Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result fa 2 = x 2 x y y 2 x z y z z 2 f f f new polynomials f 4 = xy + 4 yz + 2 xz + 3 y 2 f 5 = y 2 11 xz 3 yz 5 z 2 z 2 and

16 F 5 the idea III Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties f 3 = x xy + 19 y xz + 5 yz + 7 z 2 f 2 = 3 x 2 + 7x y + 22 x z + 11 yz + 22 z y 2 f 1 = 6 x xy + 4 y xz + 9 yz + 7 z 2 f 4 = xy + 4 yz + 2 xz + 3 y 2 z 2 f 5 = y 2 11 xz 3 yz 5 z 2 Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result f 2! f 4 f 1! f 5

17 Degree 3 I Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties x 3 x 2 y xy2 y 3 x 2 z z f y f x f z f y f x f z f y f x f Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

18 Degree 3 II Gröbner - Crypto J.-C. Faugère Plan x 3 x 2 y xy2 y 3 x 2 z z f y f x f z f y f x f z f y f x f Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

19 Degree 3 III Gröbner - Crypto J.-C. Faugère A 3 = x 3 x 2 y xy2 y 3 x 2 z z f y f x f z f y f x f z f y f x f Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

20 Degree 3 IV f 2 f 4 f 1 f 5 x 3 x 2 y xy2 y 3 x 2 z z f y f x f z f y f x f z f y f x f Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

21 Degree 3 V x 3 x 2 y xy2 y 3 x 2 z xyz y2z xz2 yz 2 z 3 z f y f x f z f y f fa 3 = x f z f y f x f Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result We have constructed 3 new polynomials f 6 = y y 2 z + xz yz z 3 f 7 = xz yz z 3 f 8 = yz z 3 We have the linear equivalences: x f 2 $ x f 4 $ f 6 and f 4! f 2

22 Degree 4: reduction to 0! Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties Zero dim solve The matrix whose rows are x 2 f i, x yf i, y 2 f i, x zf i, y zf i, z 2 f i, i = 1, 2, 3 Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result is not full rank!

23 Why? Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties Zero dim solve 6 3 = 18 rows but only x 4, x 3 y,., y z 3, z 4 15 columns Simple linear algebra theorem: 3 useless row (which ones?) Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

24 Trivial relations Gröbner - Crypto J.-C. Faugère Plan f 2 f 3 f 3 f 2 = 0 Gröbner bases: properties Zero dim solve can be rewritten 3 x 2 f 3 + (7 + b) xy f y 2 f xz f 3 Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result +11 yz f z 2 f 3 x 2 f 2 18 xy f 2 19 y 2 f 2 8 xz f 2 5 yz f 2 7 z 2 f 2 = 0 We can remove the row x 2 f 2 same way f 1 f 3 f 3 f 1 = 0! remove x 2 f 1 but f 1 f 2 f 2 f 1 = 0! remove x 2 f 1!???

25 Combining trivial relations Gröbner - Crypto J.-C. Faugère Plan 0 = (f 2 f 1 f 1 f 2 ) 3(f 3 f 1 f 1 f 3 ) 0 = (f 2 3f 3 )f 1 f 1 f 2 + 3f 1 f 3 0 = f 4 f 1 f 1 f 2 + 3f 1 f 3 0 = (1 b)xy + 4 yz + 2 xz + 3 y 2 z 2 f 1 (6x 2 + )f 2 + 3(6x 2 + )f 3 Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result I if b 6= 1 remove x y f 1 I if b = 1 remove y z f 1 Need some computation

26 New Criterion Any combination of the trivial relations f i f j = f j f i can always be written: u(f 2 f 1 f 1 f 2 ) + v(f 3 f 1 f 1 f 3 ) + w(f 2 f 3 f 3 f 2 ) where u, v, w are arbitrary polynomials. (u f 2 + v f 3 ) f 1 uf 1 f 2 vf 1 f 3 + wf 2 f 3 wf 3 f 2 Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result (trivial) relation hf 1 + = 0 $ h 2 Id(f 2, f 3 ) Compute a Gröbner basis of (f 2, f 3 )! G prev. Remove line h f 1 i LT(h) top reducible by G prev

27 Degree 4 I Gröbner - Crypto J.-C. Faugère Plan y 2 f 1, x zf 1, y zf 1, z 2 f 1, x yf 2, y 2 f 2, x zf 2, y zf 2, z 2 f 2, x 2 f 3, x yf 3, y 2 f 3, x zf 3, y zf 3, z 2 f 3 In order to use previous computations (degree 2 and 3): Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result xf 2! f 6 f 2! f 4 xf 1! f 8 yf 1! f 7 f 1! f 5 yf 7, zf 8, zf 7, z 2 f 5, yf 6, y 2 f 4, zf 6, y zf 4, z 2 f 4, x 2 f 3, x yf 3, y 2 f 3, x zf 3, y zf 3, z 2 f 3,

28 Degree 4 II Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

29 Degree 4 III Gröbner - Crypto J.-C. Faugère Sub matrix: xyz 2 y 2 z 2 xz 3 yz 3 z 4 z 2 f z 2 f z f z f y f Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

30 New algorithm Gröbner - Crypto J.-C. Faugère I I I Incremental algorithm (f ) + G old Incremental degree by degree Give a unique name to each row Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result Remove h f 1 + if LT(h) 2 LT(G old ) LT(h) signature/index of the row

31 F 5 matrix Gröbner - Crypto J.-C. Faugère Plan Special/Simpler version of F 5 for dense/generic polynomials. the maximal degree D is a parameter of the algorithm. degree d m = 2, deg(f i ) = 2 homogeneous quadratic polynomials, degree d: Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result We may assume that we have already computed: G i,d Gröbner basis [f 1,., f i ] up do degree d

32 In degree d Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x u 2 f x x x u 3 f x x v 1 f x v 2 f w 1 f w 2 f with deg(u i ) = deg(v i ) = deg(w i ) = d 2 Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

33 From degree d to d + 1 I Gröbner - Crypto J.-C. Faugère Plan Select a row in degree d: m 1 m 2 m 3 m 4 m x x x v 1 f x v 2 f Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result w 1 f w 2 f

34 From degree d to d + 1 II Gröbner - Crypto J.-C. Faugère m 1 m 2 m 3 m 4 m x x x v 1 f x v 2 f w 1 f w 2 f t 1 t 2 t 3 t 4 t 5. w 1 x j f x x x w 1 x j 1 f x x w 1 x n f x. Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result if w 1 x1 1 x j j

35 From degree d to d + 1 III Gröbner - Crypto J.-C. Faugère m 1 m 2 m 3 m 4 m x x x v 1 f x v 2 f w 1 f w 2 f t 1 t 2 t 3 t 4 t 5. w 1 x j f x x x w 1 x j 1 f x x w 1 x n f x. Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result if w 1 x1 1 x j j Keep w 1 x i f 3 iff w 1 x i LT f 1 f 2

36 From degree d to d + 1 IV Gröbner - Crypto J.-C. Faugère m 1 m 2 m 3 m 4 m x x x v 1 f x v 2 f w 1 f w 2 f t 1 t 2 t 3 t 4 t 5. w 1 x j f x x x w 1x j 1 f x x w 1 x n f x. Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result if w 1 x1 1 x j j Keep w 1 x i f 3 iff w i x i not reducible by LT G 2 d 2

37 F 5 properties Gröbner - Crypto J.-C. Faugère Plan Full version of F 5 : D the maximal degree is not given. Theorem If F = [f 1,., f m ] is a (semi) regular sequence then all the matrices are full rank. I I I I Easy to adapt for the special case of F 2 (new trivial syzygy: fi 2 = f i ). Incremental in degree/equations (swap 2 loops) Fast in general (but not always) F 5 matrix: easy to implement, used in applications (HFE). Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

38 Classi cation I Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties Zero dim solve (with M. Bardet, B. Salvy) Theorem Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

39 Classi cation II Pour une suite semi-régulière (f 1,., f m ), il n y a pas de réduction à 0 dans l algorithme F 5 en degré inférieur à son degré de régularité d reg ; de plus d reg est le degré en z du premier coe cient négatif de la série: m i=1 1 (1 δk,f2 ) z d i 1 δk,f2 z δ K,F2 z d i 1 z n Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result où d i est le degré total de f i. Par conséquent, le nombre total d opérations arithmétiques dans K nécessaire à F 5 (voir algorithme??) est borné par Cste M dreg (n) ω with ω 3 On considère une suite semi-régulière constituée d équations (f 1,., f m ). Le tableau suivant résume le résultat de

40 Classi cation III plusieurs théorèmes donne le développement asymptotique de d reg lorsque n! en fonction de la valeur du rapport entre le nombre d équations et le nombre de variables m n. Légende des symboles utilisés dans le tableau: k est une constante (qui ne dépend pas de n). d i est le degré total de f i. H k (X ) est le k ème polynôme d Hermite; h k,1 est le plus grand zéro de H k (tous les zéros de H k (X ) sont réels). a est le plus grand zéro de la fonction d Airy (solution de 2 y z y = 0). z 2 Φ(z) = z n z (1 log z) n m (1 z d i ) 1 = z 1 z 1 n m i=1 Φ(z 0 ) > 0. i=1 d i z d i 1 z d i et z 0 est la racine de Φ 0 (z) qui minimise Gröbner - Crypto Plan J.-C. Faugère Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result

41 Classi cation IV Gröbner - Crypto J.-C. Faugère m Degré d reg m < n K, d i = 2 m + 1 (Macaulay bound) n+1 d n + 1 K i 1 2 (A. Szanto) i=1 p m n + k K, d i = 2 2 h m k,1 2 + s o(1) n+k n+k d n + k K i 1 di 2 h k, o(1) i=1 i=1 Plan Gröbner bases: properties Zero dim solve Algorithms Buchberger and Macaulay E cient Algorithms F 5 algorithm Complexity result n 2 n K, d i = n n O n 2 3 p 1 k n K, d i = 2 (k 2 k(k 1))n + a 1 n 1 2(k(k 1)) O(1) 6 1 k n K Φ(z 0 ) n a 1 2 Φ00 (z 0 )z O n 3 1 n n F 2, d i = n O(n 3 1 ) q k n F 2, d i = 2 k k(k 5) 1 + 2(k + 2) p k(k + 2)

42 Fast Gröbner algorithms overdetermined systems Jean-Charles Faugère CNRS - Université Paris 6 - INRIA SPIRAL (LIP6) SALSA Project Samos 2007 Samos 2007 p. 1

43 Why do we need efficiency? Users have problems that they want to solve. Hot topic in Cryptography (L. Perret). The goal is to evaluate the security of a cryptosystem. Should be resistant to: differential cryptanalysts linear cryptanalysis Algebraic Cryptanalysis Samos 2007 p. 2

44 Algebraic cryptanalysis Convert the crypto-system algebraic problem. Evaluate the difficulty of the corresponding algebraic system S. To solve S: V z n 2 f z compute Gröbner bases. 0 f S Samos 2007 p. 3

45 Algebraic cryptanalysis Convert the crypto-system algebraic problem. Evaluate the difficulty of the corresponding algebraic system S. To solve S: V z n 2 f z compute Gröbner bases. exaustive search!! Complexity of exaustive O n2 n 0 f S n 80 Samos 2007 p. 3

46 Specific problems V 2 z Fn 2 fi z 0 i 1 In fact we have to add the field equations : x 2 i x i. m Ideal f i z 0 i 1 m x 2 i x i i 1 n we have M Hence variables. Sometimes m n. m n equations in n Samos 2007 p. 4

47 Specific solutions For several applications (Signal Theory, Crypto,. ) we have to solve an overdertimed system of equations. Improve algorithms for overdertimed systems. Improve complexity bound (Macaulay bound). Samos 2007 p. 5

48 Specific algorithm in Crypto From outside the perception of Gröbner bases is (often) bad: d 2 n 10 complexity. Very inefficient implementation of Gröbner bases in general CAS. Results on Complexity are not well known. develop new algorithms for solving algebraic equations. Samos 2007 p. 6

49 Other algorithms: XL In crypto: develop their own algorithms! f i initial equations (of degree 2) D a parameter 1 Multiply: Generate all the d j 1 x i j f i with d D 2 2 Linearize: Consider each monomial in the x i j as a new variable and perform Gaussian elimination on the equations obtained in 1. Ordering monomials such that all the terms containing one1 variable (say x 1 ) are eliminated last. 3 Solve: Assume that step 2. yields at least one univariate equation in the powers of x 1. Solve this equation over the finite field. Samos 2007 p. 7

50 Other algorithms: XL Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations N Courtois, A Klimov, J Patarin and A Shamir Abstract. [. ] Gröbner base algorithms have large exponential and cannot solve in practice systems with n complexity 15. Kipnis and Shamir [9] have recently introduced a new algorithm called relinearization. [. ] This is a challenge for Computer Algebra! Samos 2007 p. 7

51 I Complexity f 1 x 1 xn fm x 1 xn f x 1 xn f x 1 xn h h deg f x 1 h x n h I f 1 x 1 xn h f m x 1 xn h n nb of variables, m nb of equations D maximal degree occurring dimension/degree Hilbert function/regularity Samos 2007 p. 8

52 I Complexity (well known results) f 1 x 1 fm x 1 xn and deg f i d Hypotheses none ONE Explicit example: Mayr and Meyer Complexity d 2n Samos 2007 p. 9

53 Complexity (well known results) I f 1 x 1 fm x 1 xn and deg Hypotheses set of zeros at infinity is finite dim I 0 Gröbner basis (DRL ordering) [La83, Giu84] computed in time polynomial in 2 n degree maximal 1 when m n (Macaulay) Lemma 1: For almost all systems: polynomial in 2 n n f i 2 Samos 2007 p. 9

54 Complexity (well known results) I f 1 x 1 Hypotheses x i fm GF x 1 2 xn and deg f i 2 Gröbner bases: Lemma 2 complexity is always polynomial in 2 n. Samos 2007 p. 9

55 Efficient Algorithms Buchberger (1965) Involutive bases (Gerdt) F 4 (1999) linear algebra slim Gb (2005) momoms degree d in x 1 xn A d monom monom monom f i1 f i2 f i3 Samos 2007 p. 10

56 Efficient Algorithms F 5 (2002)full rank matrix momoms degree d in x 1 xn A d monom monom monom f i1 f i2 f i3 Samos 2007 p. 10

57 F 5 matrix Special/Simpler version of F 5 for dense/generic polynomials. the maximal degree D is a parameter of the degree d m algorithm. 2, deg f i 2 homogeneous quadratic polynomials, degree d: Samos 2007 p. 11

58 F 5 matrix m 2, deg f i 2 homogeneous quadratic polynomials, degree d: m 1 m 2 m 3 m 4 m 5 u 1 f 1 x x x x x u 2 f 1 x x x x x u 3 f 1 x x x x x v 1 f 2 x x x x x v 2 f 2 x x x x x deg u i deg v i d 2 Samos 2007 p. 11

59 Gauss Gauss reduction: m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x u 2 f x x x u 3 f x x v 1 f x v 2 f Samos 2007 p. 12

60 Samos 2007 p. 13 d 1 d m1 m2 m3 m4 m5 u1 f1 1 x x x x u2 f1 0 1 x x x u3 f x x v1 f x v2 f

61 Samos 2007 p. 13 t1 t2 t3 t4 t5 v1x j f2 f2 0 1 x x x v1x j x x v1xn f x d 1 d m1 m2 m3 m4 m5 u1 f1 1 x x x x u2 f1 0 1 x x x u3 f x x v1 f x v2 f xα j j if v1 x α 1 1

62 t1 t2 t3 t4 t5 v1x j f2 f2 0 1 x x x v1x j x x v1xn f x f1 Keep v1xi f2 iff vixi LT Samos 2007 p. 13 d 1 d m1 m2 m3 m4 m5 u1 f1 1 x x x x u2 f1 0 1 x x x u3 f x x v1 f x v2 f xα j j if v1 x α 1 1

63 Specific algorithms Nothing to do! more equations computation more efficient Gb Samos 2007 p. 14

64 f j fi f 2 Specific algorithms x 2 i Easy part: we can handle efficiently that all the monomials are squarefree (Boolean Gröbner bases) and to develop specific linear algebra packages (over 2). Moreover, we have new trivial syzygies: x i f i f j f F 5 2 (2003/2005) specific version for 2. Samos 2007 p. 14

65 Specific Complexity (with B. Salvy, M. Bardet, 2005) Goal: estimate d n maximal degree occurring Gröbner comput. Idea: we construct A d following step by step F 5 A d full rank number of rows. momoms degree d in x 1 xn A d monom d monom d monom d f i1 f i2 f i3 Samos 2007 p. 15

66 F 5 criterion Criterion: t f j is in the matrix if t Id where G j 1 is the Gröbner basis of LT f 1 G j f j 1,. 1 U d i n nb of rows when computing degree d. f 1 fi in Samos 2007 p. 16

67 For d 2 : Recurrence relation U d i n i n d d 2 2 i 1 U d j 1 2 j n number of monomials criterion of degree d 2 Samos 2007 p. 17

68 End of the computation col row degree d h[d,i]= row col h d m n 0 end of the Gröbner computation Compute biggest real root N d of h d m n. Samos 2007 p. 18

69 Theorem 1.1 fi degree di, i 2, GF(2) n nyd Generating series q: 1 m finite field H m d hd myd y q y n m i 1 1 y d i y d i q 1 y d i q 1 1 particular case: d i m eqs h d d 0 1 y 1 y 2 n Samos 2007 p. 19

70 Asymptotic expansion biggest real root of h d n 1 1 y 2iπ C 1 y 2 n dy y d 1 Samos 2007 p. 20

71 Asymptotic expansion 1 d n n λ0 n d n λ 1 n 1 λ 4 3 O n n 13 O where λ and λ 1 is expressed in term of the biggest zero of the Airy function (solution 2 y 0) Almost exact formula when n 3! z2 zy 1 n 1 3 Samos 2007 p. 20

72 Maximal Degree (F 2 ) degree n Samos 2007 p. 21

73 m Conclusion Classification: m number of polynomials, n variables cste n exponential complexity cstenlog n sub exponential complexity m csten 2 polynomial complexity Samos 2007 p. 22

74 HFE HFE = Hidden Fields Equations public key cryptosystem using polynomial operations over finite fields proposed by Jacques Patarin (96) very promising cryptosystem: signatures as short as 128, 100 and even 80 bits. Samos 2007 p. 23

75 HFE secret key P x x 2i c16 2 j c17x17 c16x16 c17 GF 2 n univariate polynomial structure is hidden Samos 2007 p. 23

76 x HFE secret key P x x 2i j 2 c17x17 c16x16 n i 1 0 x iw i GF 2 n, x i GF 2, w GF 2 n g 1 g n x 0 x 0 xn xn where g i coeff of w i in P n i 1 0 x iw i (degree 2) Samos 2007 p. 23

77 HFE secret key P x x 2i j 2 c17x17 c16x16 x n 1 i 0 x iw i GF 2 n, x i GF 2, w (Random) Change of coordinates GF 2 n x i n 1 a i j 0 jy j (Random) Mix of equations f i n j 1 b i jg jsamos 2007 p. 23

78 HFE secret key P x x 2i j 2 c17x17 c16x16 x n 1 i 0 x iw i Public key: GF 2 n, x i GF 2, w GF 2 n f 1 f n y 0 y 0 yn yn 1 1 Samos 2007 p. 23

79 HFE encryption Initial x 1 xn Samos 2007 p. 24

80 HFE encryption Initial Encryption z i x 1 f i x 1 xn xn Samos 2007 p. 24

81 HFE encryption Initial Encryption Send z i x 1 f i z 1 x 1 xn zn xn Samos 2007 p. 24

82 HFE decryption Initial Decryption Send z i x 1 f i z 1 x 1 xn zn xn secret Initial z 1 Decryption Solve P zn x z Samos 2007 p. 25

83 HFE decryption Initial Decryption Send z i x 1 f i z 1 x 1 xn zn xn secret Initial z 1 Decryption Solve P zn x z Enemy Initial Decryption z 1 f 1 z 1 f m z m zn Samos 2007 p. 25

84 HFE decryption Initial Decryption Send z i x 1 f i z 1 x 1 xn zn xn secret Initial z 1 Decryption Solve P zn x z Enemy Initial Decryption z 1 zn f 1 z 1 f m z m Hence, solving algebraic system. Samos 2007 p. 25

85 Degree of univariate polynomial Time to solve the univariate polynomial of degree d: O d log d operations in 2 n (MCA Gathen/Gerhard) M d n (80,129) (80,257) (80,513) NTL (CPU time) 0.6 sec 2.5 sec 6.4 sec n d (128,129) (128,257) (128,513) NTL (CPU time) 1.25 sec 3.1 sec 9.05 sec (NTL/Shoup PC Pentium III 1000 Mhz) d cannot be too big! Samos 2007 p. 26

86 Experiments Buchberger Maple slimgb Macaulay 2 Singular F 4 F 5 after 10m Samos 2007 p. 27

87 Experiments Buchberger Maple slimgb Macaulay 2 Singular F 4 F 5 after 10m after 2h Samos 2007 p. 27

88 Experiments Challenge 1 broken Recover Experimentally the complexity of HFE wrt degree of hidden polynomial Let D d n be the maximum degree occuring in the Gröbner computation of HFE polynomial degree d, 2 n. Samos 2007 p. 28

89 Challenge 1 Proposed by J. Patarin 80 equations in degree 2 Random? Average nb of terms: n n 1 2 n Samos 2007 p. 29

90 Challenge 1 But after F 5 2: 6.4 H can be detected that it is not random! After sec ( 2 days ) find 4 solutions (one proc Alpha 1000 Mhz + 4 Go RAM) Samos 2007 p. 29

91 X X X X X Challenge 1 (solutions) 80 x i 2 i i Samos 2007 p. 30

92 Maximal degree Maximal Degree in the Gröbner basis computation random system HFE 128<d<513 HFE 16<d<129 HFE 3<d< Samos 2007 p. 31 n

93 HFE Conclusion d D Exp comp d 17 3 n 6 17 d n d n 10 Complexity of HFE Samos 2007 p. 32

94 Conclusion Applications: Challenging problem for Computer Algebra. Need very powerful algorithm/implementation. Samos 2007 p. 33

95 F 4 An efficient algorithm for computing Gröbner using linear algebra Jean-Charles Faugère CNRS - INRIA - Université Paris 6 SALSA Project Samos 2007 Samos 2007 F 4 p. 1

96 Plan of the talk Goal of F 4 Description of the algorithm. Step by step example. Samos 2007 F 4 p. 2

97 Goal of F 4 Among other things 3 big difficulties: A crucial issue to be faced in implementing the Buchberger algorithm is the choice of a Strategy. An apparent difficulty is the growth of the coefficients when computing with big integers. It is difficult to parallelize this algorithm: f n depends strongly on f n 1, f n 2, (if you remove zero!). Samos 2007 F 4 p. 3

98 Goal of F 4 There are a lot of choices: select a critical pair in the list of critical pairs. choose one reductor among a list of reductors Buchberger theorem not important for the correctness of the algorithm Samos 2007 F 4 p. 3

99 P Notations R x 1 xn T the set of all terms. F T F f 1 fm the support of F. a critical pair Pair is the polynomial ring. algebraic equations f g τ t f f tg g t f tg T 2 tg LT g t f LT f τ lcm LT f the two projections Le ft Right Pair fg g t g Pair f g t f f, Samos 2007 F 4 p. 4

100 Linear Algebra and Matrices Trivial link: Linear Algebra Polynomials Definition: F f 1 fm, ordering. A Matrix representation M F of F is such that T F M F T X where X the monomials (sorted for ) T F : m 1 m2 m3 M F f 1 f 2 f 3 Samos 2007 F 4 p. 5

101 Linear Algebra and Matrices Trivial link: Linear Algebra Polynomials If Y is a vector of monomials, M a matrix then its polynomial representation is T f 1 fm M T Y Samos 2007 F 4 p. 6

102 Buchberger algorithm Can be rewritten using linear algebra (simultating Spoly and reductions) m 1 m 2 m 3 m 4 M F f 1 f 2 f 3 0 f f Samos 2007 F 4 p. 7

103 Macaulay method Macaulay bound (for homogeneous polynomials): D 1 m i 1 deg f i 1 We compute the matrix representation of t f i deg t D deg i 1 f i m, DRL Samos 2007 F 4 p. 8

104 Macaulay method m 1 m2 m3 mr M Mac t 1 f 1 t1 f 1 t2 f 2 t 2 f 2 t 3 f 3 Let M Mac the result of Gaussian elimination. Theorem: If F is regular then the polynomial representation of M Mac is a Gröbner basis. Samos 2007 F 4 p. 8

105 F 4 : The algorithm Algorithm F4 Input: F f 1 S el List fm Pairs G : F, d : 0, P : Pair while P /0 do d : d 1 P d : S el P, P : P P d F d : Reduction Le ft P d for h F d do P : P Pair h g g G : G h List f i f j Pairs i Right G j P d S el G l Samos 2007 F 4 p. 9

106 Reduction Input: Reduction L a finite subset of T P G a finite subset of P Output: a finite subset of P (possibly an empty set). F : Symbolic Preprocessing L G M the matrix representation of F. M : Gaussian elimination M F the polynomial representation of M. return f F HT f HT F Samos 2007 F 4 p. 10

107 Symbolic Symbolic Preprocessing Input: L T P G P F : t f tf L Done : LT F while T F Done do m an element of T F Done Done : Done if m top reducible modulo G then m m LT f for some f G and some m T F : F f Samos 2007 F return F 4 p. 11 m m

108 F 4 : Example G f 1 f 4 x 1 2x 2 2x 3 2x 4 1 f 3 x 2 2 2x 1 x 3 2x 2 x 4 x 3 f 2 2x 1 x 2 2x 2 x 3 2x 3 x 4 x 2 f 1 x 2 1 2x 2 2 2x 2 3 2x 2 4 x 1 f4 and two critical pairs of degree 2 x f1 x1 f4 x 1 x 2 1 f2 x2 f4 Samos 2007 F 4 p. 12

109 F 4 : Example f 4 x 1 2x 2 2x 3 2x 4 1 f 3 x 2 2 2x 1 x 3 2x 2 x 4 x 3 f 2 2x 1 x 2 2x 2 x 3 2x 3 x 4 x 2 f 1 x 2 1 2x 2 2 2x 2 3 2x 2 4 x 1 x f1 x1 f4 x 1 x 2 L 2 1 f1 x 1 f4 1 f2 x 2 symbolic reduction: L 2 and G: 1 f2 f4 x2 f4 F f 1 x1 f4 f2 x2 f4 Samos 2007 F 4 p. 12

110 Cont Done x 2 1 x1 x2 T(F)= x 2 1 x2 2 x2 3 x 2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 Select x 2 4 : cannot be reduced by G Samos 2007 F 4 p. 13

111 Cont Done x 2 1 x1 x2 T(F)= x 2 1 x2 2 x2 3 x 2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 Select x 2 4 : cannot be reduced by G T(F)= x 2 1 x2 2 x 2 3 x2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 Select x 2 3 : cannot be reduced by G Samos 2007 F 4 p. 14

112 Cont Done x 2 1 x1 x2 T(F)= x 2 1 x2 2 x2 3 x 2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 Select x 2 4 : cannot be reduced by G T(F)= x 2 1 x2 2 x 2 3 x2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 Select x 2 3 : cannot be reduced by G. T(F)= x 2 1 x2 2 x2 3 x2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 x Select 1 : cannot be reduced by G Samos 2007 F 4 p. 15

113 Cont Done x 2 1 x1 x2 T(F)= x 2 1 x2 2 x2 3 x 2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 Select x 2 4 : cannot be reduced by G T(F)= x 2 1 x2 2 x 2 3 x2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 Select x3 2 : cannot be reduced by G. T(F)= x 2 1 x2 2 x2 3 x2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 Select 1 : cannot be reduced by G T(F)= x 2 1 x 2 2 x2 3 x2 4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 x Select x 2 : reducible by 1 f Samos 2007 F 4 p. 16

114 Cont T(F)= Select x 1 x 3 : reducible by x 3 f 4 x 2 1 x2 2 x2 3 x2 4 x1 x1 x2 x1 x3 x1x4 x2x3 x3x4 x2 F f 1 x1 f4 f2 x2 f4 f3 x3 f4 Samos 2007 F 4 p. 17

115 Cont T(F)= Select x 1 x 3 : reducible by x 3 f 4 x 2 1 x2 2 x2 3 x2 4 x1 x1 x2 x1 x3 x1x4 x2x3 x3x4 x2 F f 1 x1 f4 f2 x2 f4 f3 x3 f4. T(F)= 1 x1 2x2 2 x2 3 x2 4 x3 x4 x1 x1 x2 x1x3 x1x4 x2x3 x3x4 x2 x F f 1 x1 f4 f2 x2 f4 f3 x3 f4 x4 f4 f4 Samos 2007 F 4 p. 18

116 Matrice The symbolic reduction returns: x 2 1 x 1 x 2 x 2 2 x 1 x 3 x 2 x 3 x 2 3 x 1 x 4 x 2 x 4 x 3 x 4 x 2 4 x 1 x 2 x 3 x 4 1 f x 4 f x 3 f f f x 2 f f x 1 f Samos 2007 F 4 p. 19

117 Matrice then the matrix is reduced to row echelon form: x 2 1 x 1 x 2 x 2 2 x 1 x 3 x 2 x 3 x 2 3 x 1 x 4 x 1 x 2 x 4 x 3 x 4 x 2 4 x 2 x 3 x 4 1 f x 4 f x 1 f x 2 f x 3 f f f f Samos 2007 F 4 p. 19

118 Degree 3 Let f i 3 be the polynomial corresponding to the i th row of this matrix (i 2 3 8). (for instance f 5 x 1 x 4 2x 2 x 4 ). The next degree is d 3 and L 3 x 2 f2 x 1 f3 x 3 f3 x 2 f6 x 2 f5 x 3 f6 Samos 2007 F 4 p. 20

119 F 4 : some matrices Samos 2007 F 4 p. 21

120 Matrix Samos 2007 F 4 p. 22

121 F 4 : some remarks Theorem 1 The algorithm F 4 computes a Gröbner basis G in P such that F G and Id G Id F. The algorithm computes successive truncated Gröbner bases. Designed for degree ordering. Replaces the classical Buchberger reduction by the simultaneous reduction of several polynomials. Samos 2007 F 4 p. 23

122 F 4 : some remarks The new reduction mechanism is achieved by means of a symbolic precomputation and by extensive used of sparse linear algebra methods. Even though the new algorithm does not improve the worst case complexity it is several times faster than the other algorithms/mplementations (both for integers and modulo p computations). symbolic reduction efficient complexity depends on the #the support the number Samos 2007 F of (non zero) elements in the final matrix A. 4 p. 23

123 Conclusion We have transformed the degree of freedom in the Buchberger algorithm into strategies for efficiently solving linear algebra systems. This is easier because we have constructed the matrix A and we can decide to begin the reduction of one row before another with a good reason. For integer coefficients it is a major advantage to be able to apply an iterative algorithm on the whole matrix. Samos 2007 F 4 p. 24

124 Conclusion Bad point: the matrix A is singular see F 5 Bad point: A is often huge. compression divide the size of A by Not efficient for monomials or binomials (Mayr/Meyer example). Difficult to implement (but. ) 10 Samos 2007 F 4 p. 24

125 F 5 An efficient algorithm for computing Gröbner bases without reduction to zero Jean-Charles Faugère CNRS - INRIA - Université Paris 6 SALSA Project Samos 2007 Samos 2007 F 5 p. 1

126 Plan of the talk Goal The idea Theorem Description of the algorithm Simple description for dense polynomials Experimental efficiency Number of useless critical pairs Samos 2007 F 5 p. 2

127 Goal of F 5 Computing Gröbner bases: Buchberger algorithm or F 4 with Buchberger Criteria 90% of the time is spent in computing zero Open issue remove useless computations. a more powerful criterion to remove useless critical pairs. Goal of F 5 : theoretical and practical answer. Samos 2007 F 5 p. 3

128 Goal of F 5 Goal of F 5 : theoretical and practical answer. Gröbner basis of f 1 fm what is a reduction to zero? m g i f i i 1 0 g 1 gm is a syzygy. Samos 2007 F 5 p. 3

129 Previous Work Buchberger 1979: A Criterion for Detecting Unnecessary Reductions in the Construction of Gröbner Basis. (two criteria remove 90% of useless critical pairs.) Gebauer and Moller 1986: Buchberger s Algorithm and Staggered Linear Bases. Möller, Mora and Traverso 1992 : Gröbner Bases Computation Using Syzygies Gerdt Blinkov 1998 Involutive Bases of Polynomial Ideals some reductions are forbidden Samos 2007 F 5 p. 4

130 Previous Work Buchberger 1979: A Criterion for Detecting Unnecessary Reductions in the Construction of Gröbner Basis. The efficiency of those algorithms is not yet satisfactory in theory and practice because a lot of useless critical pairs are not removed. Samos 2007 F 5 p. 4

131 The Idea S b f 3 f 2 f 1 x 2 18xy 19y 2 8xz 5yz 7z 2 3x 2 7 b xy 22xz 11yz 22z 2 8y 2 6x 2 12xy 4y 2 14xz 9yz 7z 2 Samos 2007 F 5 p. 5

132 The Idea S 0 f 3 f 2 f 1 x 2 18xy 19y 2 8xz 5yz 7z 2 3x 2 7xy 22xz 11yz 22z 2 8y 2 6x 2 12xy 4y 2 14xz 9yz 7z 2 With Buchberger x y z: 5 useless reductions 5 useful pairs We proceed degree by degree. Samos 2007 F 5 p. 5

133 The Idea S 0 f 3 f 2 f 1 x 2 18xy 19y 2 8xz 5yz 7z 2 3x 2 7xy 22xz 11yz 22z 2 8y 2 6x 2 12xy 4y 2 14xz 9yz 7z 2 A 2 x 2 xy y 2 xz yz z 2 f f f Samos 2007 F 5 p. 5

134 The Idea S 0 B 2 f 3 f 2 f 1 x 2 18xy 19y 2 8xz 5yz 7z 2 3x 2 7xy 22xz 11yz 22z 2 8y 2 6x 2 12xy 4y 2 14xz 9yz 7z 2 x 2 xy y 2 xz yz z 2 f f f Samos 2007 F 5 p. 5

135 The Idea S 0 B 2 f 3 f 2 f 1 x 2 18xy 19y 2 8xz 5yz 7z 2 3x 2 7xy 22xz 11yz 22z 2 8y 2 6x 2 12xy 4y 2 14xz 9yz 7z 2 x 2 xy y 2 xz yz z 2 f f f new polynomials f 4 and f 5 y 2 11xz 3yz xy 4yz 2xz 3y 2 z 2 5z 2 Samos 2007 F5 p. 5

136 Degree 3 f 3 f 2 f 1 f 4 f 5 x 2 18xy 19y 2 8xz 5yz 7z 2 3x 2 7xy 22xz 11yz 22z 2 8y 2 6x 2 12xy 4y 2 14xz 9yz 7z 2 xy 4yz 2xz 3y 2 z 2 y 2 11xz 3yz 5z 2 and f 2 f 4 f 1 f 5 Samos 2007 F5 p. 6

137 Samos 2007 F 5 p. 6 Degree 3 x 3 x 2 y xy 2 y 3 x 2 z z f y f x f z f y f x f z f y f x f

138 Samos 2007 F 5 p. 6 Degree 3 x 3 x 2 y xy 2 y 3 x 2 z z f y f x f z f y f x f z f y f x f

139 Samos 2007 F 5 p. 6 Degree 3 x 3 x 2 y xy 2 y 3 x 2 z z f y f x f z f y f x f z f y f x f

140 Degree 3 f 2 f 4 f 1 f 5 x 3 x 2 y xy 2 y 3 x 2 z z f y f x f z f y f x f z f y f x f Samos 2007 F 5 p. 6

141 Degree 3 x 3 x 2 y xy 2 y 3 x 2 z xyz y 2 z xz 2 yz 2 z 3 z f y f x f z f y f x f z f y f x f Samos 2007 F 5 p. 7

142 Degree 3 x 3 x 2 y xy 2 y 3 x 2 z xyz y 2 z xz 2 yz 2 z 3 x f y f y f xf z f z f z f yf xf Samos 2007 F 5 p. 7

143 Degree 3 We have constructed 3 new polynomials f 6 f 7 f 8 y 3 8y 2 z xz 2 18yz 2 15z 3 xz 2 11yz 2 13z 3 yz 2 18z 3 We have the linear equivalences: x f 2 x f 4 f 6 f 4 f 2 Samos 2007 F 5 p. 7

144 Degree 4 The matrix whose rows are x 2 f i xy fi y2 fi xz fi yz fi z2 fi i is not full rank! Samos 2007 F 5 p. 8

145 Why? (1) x 4 x3 y rows yz3 z4 15 columns Samos 2007 F 5 p. 9

146 Why? (1) x 4 x3 y rows yz3 z4 15 columns Simple linear algebra theorem: 3 useless row (which ones?) Samos 2007 F 5 p. 9

147 Why (2) can be rewritten f 2 f 3 f 3 f 2 0 3x 2 f 3 7 b xy f 3 8y 2 f 3 22xz f 3 11yz f 3 22z 2 f 3 x 2 f 2 18xy f 2 19y 2 f 2 8xz f 2 5yz f 2 7z 2 f 2 0 Samos 2007 F 5 p. 10

148 Why (2) can be rewritten f 2 f 3 f 3 f 2 0 3x 2 f 3 7 b xy f 3 8y 2 f 3 22xz f 3 11yz f 3 22z 2 f 3 x 2 f 2 18xy f 2 19y 2 f 2 8xz f 2 5yz f 2 7z 2 f 2 0 We can remove the row x 2 f 2 Samos 2007 F 5 p. 10

149 Why (2) same way f 1 f 3 f 3 f 1 but f 1 f 2 f 2 f remove x 2 f 1 remove x 2 f 1! Samos 2007 F 5 p. 10

150 if b if b Why (2) x2 3 6x2 f2 f 2 f 1 f 1 f 2 3 f 3 f 1 f 1 f 3 f 2 3 f 3 f 1 f 1 f 2 3 f 1 f 3 f 4 f 1 f 1 f 2 3 f 1 f 3 1 b xy 4yz 2xz 3y 2 f 3 z 2 f 1 1 remove xy f 1 1 remove yz f 1 Need some computation Samos 2007 F 5 p. 10

151 Criterion Any combination of the trivial relations f i f j can always be written: f j f i u f 2 f 1 f 1 f 2 v f 3 f 1 f 1 f 3 w f 2 f 3 f 3 f 2 where u v w are arbitrary polynomials. Samos 2007 F 5 p. 11

152 Criterion Any combination of the trivial relations f i f j can always be written: f j f i u f 2 v f 3 f 1 u f 1 f 2 v f 1 f 3 w f 2 f 3 w f 3 f 2 Samos 2007 F 5 p. 11

153 Criterion Any combination of the trivial relations f i f j can always be written: f j f i u f 2 v f 3 f 1 u f 1 f 2 v f 1 f 3 w f 2 f 3 w f 3 f 2 (trivial) relation h f 1 0 h Id f 2 f3 Compute a Gröbner basis of f 2 Remove line h f 1 iff LT h f3 Gprev. top reducible by Gprev Samos 2007 F 5 p. 11

154 Degree 4 y 2 f 1 xz f1 yz f1 z2 f1 xy f 2 y2 f2 xz f2 yz f2 z2 f2 x 2 f 3 xy f3 y2 f3 xz f3 yz f3 z2 f3 Samos 2007 F 5 p. 12

155 Degree 4 y 2 f 1 xz f1 yz f1 xy f y2 2 f2 xz f2 x 2 f 3 xy f3 y2 f3 z2 f1 yz f2 z2 f2 xz f3 yz f3 z2 f3 In order to use previous computations (degree 2 and 3): x f 2 f 6 f 2 f 4 x f 1 f 8 y f 1 f 7 f 1 f 5 Samos 2007 F 5 p. 12

Gröbner Bases. Applications in Cryptology

Gröbner Bases. Applications in Cryptology Jean-Charles Faugère INRIA, Université Paris 6, CNRS with partial support of Celar/DGA FSE 20007 - Luxembourg E cient Goal: how Gröbner bases can be used to break