## Hybrid approach for solving multivariate systems over finite fields (2009)

Venue: Journal of Mathematical Cryptology

Citations: 22 (9 self)

### BibTeX

```bibtex
@ARTICLE{Bettale09hybridapproach,
  author  = {Luk Bettale and Jean-Charles Faugère and Ludovic Perret},
  title   = {Hybrid approach for solving multivariate systems over finite fields},
  journal = {Journal of Mathematical Cryptology},
  year    = {2009},
  pages   = {177--197}
}
```

### Abstract

In this paper, we present an improved approach to solving multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner basis techniques. We give theoretical evidence that our method brings a significant improvement in a very large context, and we clearly define its limitations. The efficiency depends on the choice of the tradeoff. Our analysis gives an explicit way to choose the best tradeoff as well as an approximation. From our analysis, we present a new general algorithm to solve multivariate polynomial systems. Our theoretical results are experimentally supported by successful cryptanalysis of several multivariate schemes (TRMS, UOV, ...). As a proof of concept, we were able to break the proposed parameters assumed to be secure until now. Parameters that resist our method are also explicitly given. Our work makes it possible to refine the parameters to be chosen for multivariate schemes.

### Citations

254 | An Introduction to Gröbner Bases - Adams, Loustaunau - 1994
Citation context: ...2 Polynomial system solving: In this section, we recall all the necessary material to understand our approach. We present the mathematical object used to solve polynomial systems, namely Gröbner bases [10, 1, 13], and briefly survey the algorithms to compute this object. We also present the notion of semi-regular sequences which will be useful to measure the efficiency of our approach. All this material has a...

251 | A new efficient algorithm for computing Gröbner bases without reduction to zero (F5) - Faugère - 2002
Citation context: ...lts. The historical method for computing Gröbner bases was introduced by Buchberger in [10, 11]. Many improvements have been done leading to more efficient algorithms such as F4 and F5 due to Faugère [16, 17]. The algorithm F4 for example is the default algorithm for computing Gröbner bases in the computer algebra software MAGMA and MAPLE. The F5 algorithm is even more efficient. We have mainly used th...

207 | Ideals, Varieties and Algorithms - Cox, Little, et al. - 1992
Citation context: ...2 Polynomial system solving: In this section, we recall all the necessary material to understand our approach. We present the mathematical object used to solve polynomial systems, namely Gröbner bases [10, 1, 13], and briefly survey the algorithms to compute this object. We also present the notion of semi-regular sequences which will be useful to measure the efficiency of our approach. All this material has a...

204 | Ein Algorithmus zum Auffinden der Basiselemente des Restklassenrings nach einem nulldimensionalen Polynomideal - Buchberger - 1965
Citation context: ...2 Polynomial system solving: In this section, we recall all the necessary material to understand our approach. We present the mathematical object used to solve polynomial systems, namely Gröbner bases [10, 1, 13], and briefly survey the algorithms to compute this object. We also present the notion of semi-regular sequences which will be useful to measure the efficiency of our approach. All this material has a...

156 | Efficient Computation of Zero-dimensional Gröbner Bases by Change of Ordering - Faugère, Gianni, et al. - 1993
Citation context: ...hic order (Lex). For zero-dimensional systems, it is usually less costly to first compute a DRL-Gröbner basis, and then to compute the Lex-Gröbner basis using a change of ordering algorithm such as FGLM [18]. This strategy, called zero-dim solving, is performed blindly in modern computer algebra software (for instance in MAGMA, MAPLE). This is convenient for the user, but can be an issue for advanced user...

134 | Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations - Courtois, Klimov, et al.
Citation context: ...ty parameters. We give, at the end of the paper, suitable parameters to make multivariate schemes resistant to our approach (complexity of the attack above 2^80). A similar idea has been proposed in [12] for the XL algorithm, the so-called FXL algorithm. The authors have remarked that guessing a few variables decreases the complexity of solving the system. In [36] the authors studied the asymptotic ...

99 | Public Quadratic Polynomial-Tuples for Efficient Signature - Matsumoto, Imai - 1989
Citation context: ...1 Overview: Multivariate Cryptography comprises all the cryptographic schemes that use multivariate polynomials. The use of polynomial systems in cryptography dates back to the mid eighties [25]. The most interesting one-way function used in this context is the evaluation of multivariate polynomials. Namely, let f = (f1(x1, ..., xn), ..., fm(x1, ..., xn)) ∈ K[x1, ..., xn]^m, the...

86 | Algebraic aspects of Cryptography - Koblitz - 1998
Citation context: ...ature s ∈ K^n of a message m ∈ K^m, we check whether the equality f(s) = m holds. To generate the signature of a message m ∈ K^m, we apply the decryption process to m. There are plenty of proposals [26, 28, 27, 23, 35] based on this principle which differ only in the way of constructing the polynomials of g. Such schemes are attractive because they offer the possibility to have short asymmetric signatures and requi...

79 | On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations - Bardet, Faugère, et al. - 2004
Citation context: ...compute this object. We also present the notion of semi-regular sequences which will be useful to measure the efficiency of our approach. All this material has already been introduced (for example in [4]). This section may be skipped if the reader is familiar with these notions. 2.1 Zero-dim solving strategy: The general problem of polynomial s...

48 | Computer Algebra: Symbolic and Algebraic Computation - Buchberger, Collins, et al. - 1992
Citation context: ...sively eliminating variables, namely computing solutions of univariate polynomials and back-substituting the results. The historical method for computing Gröbner bases was introduced by Buchberger in [10, 11]. Many improvements have been done leading to more efficient algorithms such as F4 and F5 due to Faugère [16, 17]. The algorithm F4 for example is the default algorithm for computing Gröbner bases in ...

46 | Etude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie - Bardet - 2004
Citation context: ...o study random systems, we need to formalize the definition of “random systems”. To do so, the notion of regular sequences and semi-regular sequences (for over-defined systems) has been introduced in [3]. We give the definition here. Definition 2.4. Let {p1, ..., pm} ⊂ K[x1, ..., xn] be homogeneous polynomials of degrees d1, ..., dm respectively. This sequence is semi-regular if • 〈p1, ....

31 | Taxonomy of Public Key Schemes based on Problem of Multivariate Quadratic Equations - Wolf, Preneel - 2005
Citation context: ...ature s ∈ K^n of a message m ∈ K^m, we check whether the equality f(s) = m holds. To generate the signature of a message m ∈ K^m, we apply the decryption process to m. There are plenty of proposals [26, 28, 27, 23, 35] based on this principle which differ only in the way of constructing the polynomials of g. Such schemes are attractive because they offer the possibility to have short asymmetric signatures and requi...

18 | Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations (EUROCAL) - Lazard - 1983
Citation context: ...ow for example that when there is only one variable less than the number of equations, the degree of regularity will be divided by 2 [29] instead of the generic bound n(d − 1) + 1 for a square system [24, 21]. Moreover the number of solutions of an over-defined system will generally be 1 even in the algebraic closure. The cost of the change of ordering algorithm can be neglected. Let dreg(n, m, d) be the deg...

17 | A study of the security of Unbalanced Oil and Vinegar signature schemes - Braeken, Wolf, et al. - 2005
Citation context: ...se, the security can be reduced to the difficulty of solving a “random” multivariate system with fairly low degree (≪ size of the field). We present an algorithm to solve such systems efficiently. In [9], Braeken, Wolf and Preneel did not succeed in attacking UOV with Gröbner bases. Indee...

17 | On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis (Information and Communications Security) - Yang, Chen, et al.
Citation context: ...A similar idea has been proposed in [12] for the XL algorithm, the so-called FXL algorithm. The authors have remarked that guessing a few variables decreases the complexity of solving the system. In [36] the authors studied the asymptotic complexity of FXL. In [2], the authors showed that XL is a special case of Gröbner bases algorithms and that XL is less efficient than F5. Still their results are n...

11 | The Oil and Vinegar Signature Scheme (presented at the Dagstuhl Workshop on Cryptography) - Patarin - 1997
Citation context: ...ature s ∈ K^n of a message m ∈ K^m, we check whether the equality f(s) = m holds. To generate the signature of a message m ∈ K^m, we apply the decryption process to m. There are plenty of proposals [26, 28, 27, 23, 35] based on this principle which differ only in the way of constructing the polynomials of g. Such schemes are attractive because they offer the possibility to have short asymmetric signatures and requi...

9 | Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves - Bogdanov, Eisenbarth, et al. - 2008
Citation context: ...ever, this area is still appealing since we have a great deal of schemes. For instance QUARTZ [27] allows to get 128-bit long signatures and has a public key of 71 kB. It is worth mentioning that in [8] the authors claim that multivariate signature schemes can outperform some ECC implementations in terms of efficiency for comparable sizes, especially when the field K is big. The arrival of these mul...

8 | On building hash functions from multivariate quadratic equations - Billet, Robshaw, et al. - 2007
Citation context: ...4.3 Multivariate hash functions: The problem of solving a polynomial system can lead to the construction of hash functions. For example, in [14, 7], the authors proposed to build a hash function with an iterative Merkle–Damgård structure whose compression function is explicitly described by a multivariate polynomial system. It is known that the ...

7 | Multivariate subresultants using Jouanolou’s resultant matrices (accepted to Journal of Pure and Applied Algebra) - Szanto - 2001
Citation context: ...nds on the number of variables, equations, and their degrees. We know for example that when there is only one variable less than the number of equations, the degree of regularity will be divided by 2 [29] instead of the generic bound n(d − 1) + 1 for a square system [24, 21]. Moreover the number of solutions of an over-defined system will generally be 1 even in the algebraic closure. The cost of the c...

5 | C*−+ and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai - Patarin, Goubin, et al. - 1998

2 | Some Effectivity Problems - Giusti - 1984
Citation context: ...ow for example that when there is only one variable less than the number of equations, the degree of regularity will be divided by 2 [29] instead of the generic bound n(d − 1) + 1 for a square system [24, 21]. Moreover the number of solutions of an over-defined system will generally be 1 even in the algebraic closure. The cost of the change of ordering algorithm can be neglected. Let dreg(n, m, d) be the deg...

1 | Cryptanalysis of the TRMS Signature Scheme of PKC’05 - Bettale, Faugère, Perret - 2008
Citation context: ... Section 4 some experimental results obtained by analyzing several multivariate schemes. The first one is a signature scheme called TRMS. It is the first scheme cryptanalysed with our hybrid approach [5]. The study of TRMS encouraged us to try the approach on some other schemes. We present our results on UOV which is considered today one of the most resistant multivariate schemes. We were able to bre...

1 | On the security of UOV - Faugère, Perret
Citation context: ...ed us to try the approach on some other schemes. We present our results on UOV which is considered today one of the most resistant multivariate schemes. We were able to break some proposed parameters [20]. Finally, we applied our approach on multivariate hash functions [6]. We conclude in Section 5 by giving the parameters that we consider secure against our approach. 2 Polynomial system solving: In th...

1 | Unbalanced Oil and Vinegar Signature - Kipnis, Patarin, et al. - 1999
Citation context: ...to be noted that a signature forgery here would only take 51 hours assuming access to 2^16 = 65536 processors (which is very reasonable). 4.2 UOV: UOV is a multivariate signature scheme proposed in [22]. It shares the same basis as TRMS, namely it uses a polynomial map easy to invert hidden with linear transformations. The set of variables {x1, ..., xn} is partitioned in two sets V = {x1, ...

1 | Tractable Rational Map Signature (PKC 05) - Wang, Lai, Hu, Chou, Yang - 2005
Citation context: ...ntal results using this approach on various multivariate schemes which illustrate the relevancy of our approach. 4.1 TRMS: TRMS (for Tractable Rational Map Signature) is a signature scheme proposed in [30]. The scheme is based on a Tractable Rational Map (TRM) which is a special construction of a mapping which can be efficiently inverted. The specific details are not important for our approach. We refe...