Results 1 - 10 of 28
Cryptanalysis of MinRank
2008
Cited by 12 (9 self)
In this paper, we investigate the difficulty of one of the most relevant problems in multivariate cryptography – namely MinRank – about which no real progress has been reported since [19, 9]. Our starting point is the Kipnis-Shamir attack [19]. We first show new properties of the ideal generated by Kipnis-Shamir's equations. We then propose a new modeling of the problem. Concerning the practical resolution, we adopt a Gröbner basis approach that permitted us to actually solve challenges A and B proposed by Courtois in [8]. Using the multi-homogeneous structure of the algebraic system, we have been able to provide a theoretical complexity bound reflecting the practical behavior of our approach. Namely, when $r'$ (the dimension of the matrices minus the rank of the target matrix in the MinRank problem) is constant, then we have a polynomial time attack: $O(\ln(q)\, n^{3r'^2})$. For the challenge C, we obtain a theoretical bound of $2^{66.3}$ operations.
Cryptanalysis of 2R– schemes
In "Advances in Cryptology - CRYPTO 2006", C. Dwork (editor), Lecture Notes in Computer Science
Cited by 8 (5 self)
Abstract. In this paper, we study the security of 2R− schemes [17,18], which are the "minus variant" of two-round schemes. This variant consists in removing some of the n polynomials of the public key, and permits to thwart an attack described at Crypto'99 [25] against two-round schemes. Usually, the "minus variant" leads to a real strengthening of the considered schemes. We show here that this is actually not true for 2R− schemes. We indeed propose an efficient algorithm for decomposing 2R− schemes. For instance, we can remove up to $\lceil n/2 \rceil$ equations and still be able to recover a decomposition in $O(n^{12})$. We provide experimental results illustrating the efficiency of our approach. In practice, we have been able to decompose 2R− schemes in less than a handful of hours for most of the challenges proposed by the designers [18]. We believe that this result makes the principle of two-round schemes, including 2R− schemes, useless.
Computing Loci of Rank Defects of Linear Matrices using Gröbner Bases and Applications to Cryptology
Cited by 5 (5 self)
Computing loci of rank defects of linear matrices (also called the MinRank problem) is a fundamental NP-hard problem of linear algebra which has applications in Cryptology, in Error Correcting Codes and in Geometry. Given a square linear matrix (i.e. a matrix whose entries are k-variate linear forms) of size n and an integer r, the problem is to find points such that the evaluation of the matrix has rank less than r + 1. The aim of the paper is to obtain the most efficient algorithm to solve this problem. To this end, we give the theoretical and practical complexity of computing Gröbner bases of two algebraic formulations of the MinRank problem. Both modelings lead to structured algebraic systems. The first modeling, proposed by Kipnis and Shamir generates bihomogeneous equations of bi-degree (1,1). The second one is classically obtained by the vanishing of the (r + 1)-minors of the given
An Efficient Algorithm for Decomposing Multivariate Polynomials and its Applications to Cryptography
Cited by 4 (2 self)
In this paper, we present an efficient and general algorithm for decomposing multivariate polynomials of the same arbitrary degree. This problem, also known as the Functional Decomposition Problem (FDP) (31), is classical in computer algebra. It is the first general method addressing the decomposition of multivariate polynomials (any degree, any number of polynomials). As a byproduct, our approach can also be used to recover an ideal $I$ from its $k$-th power $I^k$. The complexity of the algorithm depends on the ratio between the number of variables (n) and the number of polynomials (u). For example, polynomials of degree four can be decomposed in $O(n^{12})$, when this ratio is smaller than 1/2. This work was initially motivated by a cryptographic application, namely the cryptanalysis of 2R− schemes (16; 17). From a cryptographic point of view, the new algorithm is so efficient that the principle of two-round schemes, including 2R− schemes, becomes useless. Besides, we believe that our algorithm is of independent interest. Key words: Multivariate Polynomials Decomposition, Gröbner bases, Cryptography.
A Family of Weak Keys in HFE (and the Corresponding Practical Key-Recovery)
Cited by 3 (1 self)
The HFE (Hidden Field Equations) cryptosystem is one of the most interesting public-key multivariate schemes. It was proposed more than 10 years ago by Patarin and seems to withstand the attacks that break many other multivariate schemes, since only subexponential ones have been proposed. The public key is a system of quadratic equations in many variables. These equations are generated from the composition of the secret elements: two linear mappings and a polynomial of small degree over an extension field. In this paper we show that there exist weak keys in HFE when the coefficients of the internal polynomial are defined in the ground field. In this case, we reduce the secret key recovery problem to an instance of the Isomorphism of Polynomials (IP) problem between the equations of the public key and themselves. Even though for schemes such as SFLASH or $C^*$ the hardness of key-recovery relies on the hardness of the IP problem, this is normally not the case for HFE, since the internal polynomial is kept secret. However, when a weak key is used, we show how to recover all the components of the secret key in practical time, given a solution to an instance of the IP problem. This breaks in particular a variant of HFE proposed by Patarin to reduce the size of the public key and called the "subfield variant".
Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1,1): Algorithms and complexity
2010
Cited by 3 (3 self)
Solving multihomogeneous systems, as a wide range of structured algebraic systems occurring frequently in practical problems, is of first importance. Experimentally, solving these systems with Gröbner bases algorithms seems to be easier than solving homogeneous systems of the same degree. Nevertheless, the reasons for this behaviour are not clear. In this paper, we focus on bilinear systems (i.e. bihomogeneous systems where all equations have bidegree (1,1)). Our goal is to provide a theoretical explanation of the aforementioned experimental behaviour and to propose new techniques to speed up the Gröbner basis computations by using the multihomogeneous structure of those systems. The contributions are theoretical and practical. First, we adapt the classical F5 criterion to avoid reductions to zero which occur when the input is a set of bilinear polynomials. We also prove an explicit form of the Hilbert series of bihomogeneous ideals generated by generic bilinear polynomials and give a new upper bound on the degree of regularity of generic affine bilinear systems. We also propose a variant of the F5 Algorithm dedicated to multihomogeneous systems which exploits a structural property of the Macaulay matrix which occurs on such inputs. Experimental results show that this variant requires less time and memory than the classical homogeneous F5 Algorithm. Lastly, we investigate the complexity of computing a Gröbner basis for the grevlex ordering of a generic 0-dimensional affine bilinear system over $k[x_1,\ldots,x_{n_x},y_1,\ldots,y_{n_y}]$. In particular, we show that this complexity is upper bounded by $O\left(\binom{n_x+n_y+\min(n_x+1,n_y+1)}{\min(n_x+1,n_y+1)}^{\omega}\right)$, which is polynomial in $n_x+n_y$ (i.e. the number of unknowns) when $\min(n_x,n_y)$ is constant.
On the security of UOV
Cited by 2 (0 self)
Abstract. In this short note, we investigate the security of the Unbalanced Oil and Vinegar Scheme [16]. To do so, we use a hybrid approach for solving the algebraic systems naturally arising when mounting a signature-forgery attack. The basic idea is to compute Gröbner bases of several modified systems rather than a Gröbner basis of the initial system. It turns out that our approach is efficient in practice. We have obtained a complexity bounded from above by $2^{40.3}$ (or 9 hours of computation) to forge a signature on a set of parameters proposed by the designers of UOV.
Algebraic Cryptanalysis of Curry and Flurry using Correlated Messages. Available at http://eprint.iacr.org/2008/402
Cited by 2 (1 self)
Abstract. In this paper, we present an algebraic attack against the Flurry and Curry block ciphers [12,13]. Usually, algebraic attacks against block ciphers only require one message/ciphertext pair to be mounted. In this paper, we investigate a different approach. Roughly, the idea is to generate an algebraic system from the knowledge of several well chosen correlated message/ciphertext pairs. Flurry and Curry are two families of ciphers which are fully parametrizable and have a sound design strategy against the most common statistical attacks, i.e. linear and differential attacks. These ciphers are then targets of choice for algebraic attacks. It turns out that our new approach permits to go one step further in the (algebraic) cryptanalysis of difficult instances of Flurry and Curry. To explain the behavior of our attack, we have established an interesting connection between algebraic attacks and high order differential cryptanalysis [32]. From extensive experiments, we estimate that our approach – that we will call "algebraic-high order differential" cryptanalysis – is polynomial when the Sbox is a power function. As a proof of concept, we have been able to break Flurry/Curry – up to 8 rounds – in a few hours. We have also investigated the more difficult (and interesting) case of the inverse function. For such a function, we have not been able to bound precisely the theoretical complexity, but our experiments indicate that our approach permits to obtain a significant practical gain. We have attacked Flurry/Curry using the inverse Sbox up to 8 rounds.
A commutative algebra approach to linear codes
2006
Cited by 1 (1 self)
Recently some methods have been proposed to find the distance and weight distribution of cyclic codes using Gröbner bases. We identify a class of codes for which these methods can be generalized. We show that this class contains all interesting linear codes (i.e., with d ≥ 2) and we provide variants and improvements. This approach sometimes reveals an unexpected algebraic structure in the code. We also investigate the decoding for an interesting sub-class, proving the existence of general error locator polynomials.