Wansu Bao,Heliang Huang

DOI: https://doi.org/10.48550/arXiv.1507.03480

2015-07-13

Abstract:Algebraic cryptanalysis usually requires to recover the secret key by solving polynomial equations. Grobner bases algorithm is a well-known method to solve this problem. However, a serious drawback exists in the Grobner bases based algebraic attacks, namely, any information won't be got if we couldn't work out the Grobner bases of the polynomial equations system. In this paper, firstly, a generalized model of Grobner basis algorithms is presented, which provides us a platform to analyze and solve common problems of the algorithms. Secondly, we give and prove the degree bound of the polynomials appeared during the computation of Grobner basis after field polynomials is added. Finally, by detecting the temporary basis during the computation of Grobner bases and then extracting the univariate polynomials contained unique solution in the temporary basis, a heuristic strategy named Middle-Solving is presented to solve these polynomials at each iteration of the algorithm. Farther, two specific application mode of Middle-Solving strategy for the incremental and non-incremental Grobner bases algorithms are presented respectively. By using the Middle-Solving strategy, even though we couldn't work out the final Grobner bases, some information of the variables still leak during the computational process.

Cryptography and Security,Symbolic Computation

Yier Jin,Haibin Shen

DOI: https://doi.org/10.1109/icsict.2006.306633

2006-01-01

Abstract:A new unbalanced exponent modular reduction over GF(2m) is proposed. The algorithm can achieve high efficiency when computing on a certain class of fields generated by f(x) = xm + T(x) where deg[T(x)] Lt C m. The algorithm is applied in modular multiplication on the basis of scalable polynomial basis(SPB) to form scalable modular multiplication. Most of irreducible polynomials used in elliptic curve cryptography(ECC) fulfil the characteristic mentioned above well. So the scalable algorithm is implemented in ECC computation with high flexibility and efficiency both in theoretic calculation and application

J Ding,D Cabarcas,D Schmidt,J Buchmann,S Tohaneanu

2008-01-01

Abstract:This paper explores how to use the concept of mutants in the computation of a Gröbner basis for polynomial equations. We compare our approach to the algorithm F4 of Faugère, and we perform experiments on polynomials system coming from multivariate public key cryptosystems in comparison with the experimental results from Magma implementation of F4. The experimental results demonstrate that the mutant strategy could indeed work better in the case of polynomial systems with underlying structures that could be fully exploited by the mutant strategy.

Matías Bender,Jean-Charles Faugère,Elias Tsigaridas

DOI: https://doi.org/10.48550/arXiv.1902.00208

2019-02-01

Abstract:Gr{ö}bner bases is one the most powerful tools in algorithmic non-linear algebra. Their computation is an intrinsically hard problem with a complexity at least single exponential in the number of variables. However, in most of the cases, the polynomial systems coming from applications have some kind of structure. For example , several problems in computer-aided design, robotics, vision, biology , kinematics, cryptography, and optimization involve sparse systems where the input polynomials have a few non-zero terms. Our approach to exploit sparsity is to embed the systems in a semigroup algebra and to compute Gr{ö}bner bases over this algebra. Up to now, the algorithms that follow this approach benefit from the sparsity only in the case where all the polynomials have the same sparsity structure, that is the same Newton polytope. We introduce the first algorithm that overcomes this restriction. Under regularity assumptions, it performs no redundant computations. Further, we extend this algorithm to compute Gr{ö}bner basis in the standard algebra and solve sparse polynomials systems over the torus $(C*)^n$. The complexity of the algorithm depends on the Newton polytopes.

Symbolic Computation

Matthias Johann Steiner

DOI: https://doi.org/10.46586/tosc.v2024.i1.357-411

2024-03-04

Abstract:For Arithmetization-Oriented ciphers and hash functions Gröbner basis attacks are generally considered as the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata \& Gorla revealed that under a certain genericity condition on a polynomial system the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and henceforth by the Macaulay bound, which only takes the degrees and number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.

Cryptography and Security,Commutative Algebra

Jintai Ding,Daniel Cabarcas

2011-01-01

Abstract:Gröbner bases are the single most important tool in applicable algebraic geometry. They are used to compute standard representatives in the residue classes of a polynomial ring modulo an ideal and they can be used as a step towards solving a system of polynomial equations. Applications in science and technology are abundant, particularly in cryptography and coding theory. Computation of Gröbner bases is challenging. It has computational complexity double exponential in the worst-case and exponential in average. Although this makes Gröbner bases intractable in many cases, a great deal of effort has been devoted to improve algorithms to compute faster larger Gröbner bases.The concept of mutant polynomials, introduced by Ding in 2006, quantifies the deviation from the average case, leading to faster algorithms that profit on this degeneration.In this dissertation we introduce three algorithms aiming at improving Gröbner bases computation that are inspired by mutant polynomials. The MutantF4 algorithm modifies Faugère's F4 by exploiting the presence of mutant polynomials. The MXL3 algorithm introduces a termination condition based on the absence of mutant polynomials. And the MGB algorithm combines MXL3 with the idea of preempted reduction to avoid storing large sets of polynomials. Each new idea achieved gains in speed and/or memory usage. The MGB algorithm is particularly successful, which was demonstrated by being the first algorithm to be able to compute a Gröbner basis for a random system of 32 quadratic polynomials in 32 variables over GF(2).We also propose LASyz, a method to avoid redundant computation in Gröbner bases computation, that is compatible with mutant algorithms. LASyz is a simple yet effective method to significantly reduce unproductive reductions to zero. It uses linear algebra to maintain a set of generators for the module of syzygies. LASyz is compatible with mutant Gröbner basis algorithms thanks to its simplicity and the use of linear algebra for reducing both polynomials and syzygies.Finally, we establish some theoretical results for mutant polynomials. We define the concept of mutant space, and study its dimension. We demonstrate that the mutant space is trivial in generic situations. We link the concept of mutants to the notions of regular sequences and syzygies. And we conjecture that the dimension of the mutant space constitutes a generic property of sequences of polynomials.

Jérémy Berthomieu,Christian Eder,Mohab Safey El Din

2023-07-27

Abstract:This paper is concerned with linear algebra based methods for solving exactly polynomial systems through so-called Gröbner bases, which allow one to compute modulo the polynomial ideal generated by the input equations. This is a topical issue in non-linear algebra and more broadly in computational mathematics because of its numerous applications in engineering and computing sciences. Such applications often require geometric computing features such as representing the closure of the set difference of two solution sets to given polynomial systems. Algebraically, this boils down to computing Gröbner bases of colon and/or saturation polynomial ideals. In this paper, we describe and analyze new Gröbner bases algorithms for this task and present implementations which are more efficient by several orders of magnitude than the state-of-the-art software.

Symbolic Computation,Commutative Algebra

Hiroshi Kera,Yuki Ishihara,Yuta Kambe,Tristan Vaccon,Kazuhiro Yokoyama

2024-02-13

Abstract:Solving a polynomial system, or computing an associated Gröbner basis, has been a fundamental task in computational algebra. However, it is also known for its notoriously expensive computational cost - doubly exponential time complexity in the number of variables in the worst case. In this paper, we achieve for the first time Gröbner basis computation through the training of a Transformer. The training requires many pairs of a polynomial system and the associated Gröbner basis, raising two novel algebraic problems: random generation of Gröbner bases and the transformation of them into non-Gröbner polynomial systems, termed as backward Gröbner problem. We resolve these problems with zero-dimensional radical ideals, the ideals appearing in various applications. The experiments show that the proposed dataset generation method is three to six orders of magnitude faster than a naive approach, overcoming a crucial challenge in learning to compute Gröbner bases.

Commutative Algebra,Machine Learning

Manuel Hauke,Lukas Lamster,Reinhard Lüftenegger,Christian Rechberger

DOI: https://doi.org/10.48550/arXiv.2208.00844

2022-08-01

Commutative Algebra

Abstract:Gr\"obner bases are an important tool in computational algebra and, especially in cryptography, often serve as a boilerplate for solving systems of polynomial equations. Research regarding (efficient) algorithms for computing Gr\"obner bases spans a large body of dedicated work that stretches over the last six decades. The pioneering work of Bruno Buchberger in 1965 can be considered as the blueprint for all subsequent Gr\"obner basis algorithms to date. Among the most efficient algorithms in this line of work are signature-based Gr\"obner basis algorithms, with the first of its kind published in the late 1990s by Jean-Charles Faug\`ere under the name F5. In addition to signature-based approaches, Rusydi Makarim and Marc Stevens investigated a different direction to efficiently compute Gr\"obner bases, which they published in 2017 with their algorithm M4GB. The ideas behind M4GB and signature-based approaches are conceptually orthogonal to each other because each approach addresses a different source of inefficiency in Buchberger's initial algorithm by different means. We amalgamate those orthogonal ideas and devise a new Gr\"obner basis algorithm, called M5GB, that combines the concepts of both worlds. In that capacity, M5GB merges strong signature-criteria to eliminate redundant S-pairs with concepts for fast polynomial reductions borrowed from M4GB. We provide proofs of termination and correctness and a proof-of-concept implementation in C++ by means of the Mathic library. The comparison with a state-of-the-art signature-based Gr\"obner basis algorithm (implemented via the same library) validates our expectations of an overall faster runtime for quadratic overdefined polynomial systems that have been used in comparisons before in the literature and are also part of cryptanalytic challenges.

Matthias Johann Steiner

2024-05-08

Abstract:Ciminion and Hydra are two recently introduced symmetric key Pseudo-Random Functions for Multi-Party Computation applications. For efficiency both primitives utilize quadratic permutations at round level. Therefore, polynomial system solving-based attacks pose a serious threat to these primitives. For Ciminion we construct a quadratic degree reverse lexicographic (DRL) Gröbner basis for the iterated polynomial model via affine transformations. For Hydra we provide a computer-aided proof in SageMath that a quadratic DRL Gröbner basis is already contained within the iterated polynomial system for the Hydra heads after affine transformations and a linear change of coordinates.

Cryptography and Security

Sriram Gopalakrishnan,Vincent Neiger,Mohab Safey El Din

2024-02-12

Abstract:Given polynomials $g$ and $f_1,\dots,f_p$, all in $\Bbbk[x_1,\dots,x_n]$ for some field $\Bbbk$, we consider the problem of computing the critical points of the restriction of $g$ to the variety defined by $f_1=\cdots=f_p=0$. These are defined by the simultaneous vanishing of the $f_i$'s and all maximal minors of the Jacobian matrix associated to $(g,f_1, \ldots, f_p)$. We use the Eagon-Northcott complex associated to the ideal generated by these maximal minors to gain insight into the syzygy module of the system defining these critical points. We devise new $F_5$-type criteria to predict and avoid more reductions to zero when computing a Gr\"obner basis for the defining system of this critical locus. We give a bound for the arithmetic complexity of this enhanced $F_5$ algorithm and compare it to the best previously known bound for computing critical points using Gr\"obner bases.

Symbolic Computation,Commutative Algebra

Alain Couvreur,Rocco Mora,Jean-Pierre Tillich

2023-08-24

Abstract:We bring in here a novel algebraic approach for attacking the McEliece cryptosystem. It consists in introducing a subspace of matrices representing quadratic forms. Those are associated with quadratic relationships for the component-wise product in the dual of the code used in the cryptosystem. Depending on the characteristic of the code field, this space of matrices consists only of symmetric matrices or skew-symmetric matrices. This matrix space is shown to contain unusually low-rank matrices (rank $2$ or $3$ depending on the characteristic) which reveal the secret polynomial structure of the code. Finding such matrices can then be used to recover the secret key of the scheme. We devise a dedicated approach in characteristic $2$ consisting in using a Gröbner basis modeling that a skew-symmetric matrix is of rank $2$. This allows to analyze the complexity of solving the corresponding algebraic system with Gröbner bases techniques. This computation behaves differently when applied to the skew-symmetric matrix space associated with a random code rather than with a Goppa or an alternant code. This gives a distinguisher of the latter code family. We give a bound on its complexity which turns out to interpolate nicely between polynomial and exponential depending on the code parameters. A distinguisher for alternant/Goppa codes was already known [FGO+11]. It is of polynomial complexity but works only in a narrow parameter regime. This new distinguisher is also polynomial for the parameter regime necessary for [FGO+11] but contrarily to the previous one is able to operate for virtually all code parameters relevant to cryptography. Moreover, we use this matrix space to find a polynomial time attack of the McEliece cryptosystem provided that the Goppa code is distinguishable by the method of [FGO+11] and its degree is less than $q-1$, where $q$ is the alphabet size of the code.

Cryptography and Security

Clemens Hofstadler,Thibaut Verron

DOI: https://doi.org/10.1016/j.jsc.2022.04.001

IF: 0.97

2022-11-01

Journal of Symbolic Computation

Abstract:Signature-based algorithms have become a standard approach for computing Gröbner bases in commutative polynomial rings. However, so far, it was not clear how to extend this concept to the setting of noncommutative polynomials in the free algebra. In this paper, we present a signature-based algorithm for computing Gröbner bases in precisely this setting. The algorithm is an adaptation of Buchberger's algorithm including signatures. We prove that our algorithm correctly enumerates a signature Gröbner basis as well as a Gröbner basis of the module generated by the leading terms of the generators' syzygies, and that it terminates whenever the ideal admits a finite signature Gröbner basis. Additionally, we adapt well-known signature-based criteria eliminating redundant reductions, such as the syzygy criterion, the F5 criterion and the singular criterion, to the case of noncommutative polynomials. We also generalise reconstruction methods from the commutative setting that allow to recover, from partial information about signatures, the coordinates of elements of a Gröbner basis in terms of the input polynomials, as well as a basis of the syzygy module of the generators. We have written a toy implementation of all the algorithms in the Mathematica package OperatorGB and we compare our signature-based algorithm to the classical Buchberger algorithm for noncommutative polynomials.

mathematics, applied,computer science, theory & methods

Mohamed Saied Emam Mohamed,Daniel Cabarcas,Jintai Ding,Johannes Buchmann,Stanislav Bulygin

DOI: https://doi.org/10.1007/978-3-642-14423-3_7

2010-01-01

Abstract:This paper introduces a new efficient algorithm, called MXL3, for computing Gröbner bases of zero-dimensional ideals. The MXL3 is based on XL algorithm, mutant strategy, and a new sufficient condition for a set of polynomials to be a Gröbner basis. We present experimental results comparing the behavior of MXL3 to F4 on HFE and random generated instances of the MQ problem. In both cases the first implementation of the MXL3 algorithm succeeds faster and uses less memory than Magma's implementation of F4.

Sriram Gopalakrishnan

2024-05-03

Abstract:Let $M$ be an $n\times n$ matrix of homogeneous linear forms over a field $\Bbbk$. If the ideal $\mathcal{I}_{n-2}(M)$ generated by minors of size $n-1$ is Cohen-Macaulay, then the Gulliksen-Negård complex is a free resolution of $\mathcal{I}_{n-2}(M)$. It has recently been shown that by taking into account the syzygy modules for $\mathcal{I}_{n-2}(M)$ which can be obtained from this complex, one can derive a refined signature-based Gröbner basis algorithm DetGB which avoids reductions to zero when computing a grevlex Gröbner basis for $\mathcal{I}_{n-2}(M)$. In this paper, we establish sharp complexity bounds on DetGB. To accomplish this, we prove several results on the sizes of reduced grevlex Gröbner bases of reverse lexicographic ideals, thanks to which we obtain two main complexity results which rely on conjectures similar to that of Fröberg. The first one states that, in the zero-dimensional case, the size of the reduced grevlex Gröbner basis of $\mathcal{I}_{n-2}(M)$ is bounded from below by $n^{6}$ asymptotically. The second, also in the zero-dimensional case, states that the complexity of DetGB is bounded from above by $n^{2\omega+3}$ asymptotically, where $2\le\omega\le 3$ is any complexity exponent for matrix multiplication over $\Bbbk$.

Symbolic Computation,Commutative Algebra

Wanting Xu,Lan Hu,Manolis C. Tsakiris,Laurent Kneip

2024-01-18

Abstract:Over the past decade, the Gröbner basis theory and automatic solver generation have lead to a large number of solutions to geometric vision problems. In practically all cases, the derived solvers apply a fixed elimination template to calculate the Gröbner basis and thereby identify the zero-dimensional variety of the original polynomial constraints. However, it is clear that different variable or monomial orderings lead to different elimination templates, and we show that they may present a large variability in accuracy for a certain instance of a problem. The present paper has two contributions. We first show that for a common class of problems in geometric vision, variable reordering simply translates into a permutation of the columns of the initial coefficient matrix, and that -- as a result -- one and the same elimination template can be reused in different ways, each one leading to potentially different accuracy. We then prove that the original set of coefficients may contain sufficient information to train a classifier for online selection of a good solver, most notably at the cost of only a small computational overhead. We demonstrate wide applicability at the hand of generic dense polynomial problem solvers, as well as a concrete solver from geometric vision.

Computer Vision and Pattern Recognition

Morten Øygarden,Patrick Felke,Håvard Raddum

DOI: https://doi.org/10.1007/s00145-024-09501-w

2024-04-20

Journal of Cryptology

Abstract:A common strategy for constructing multivariate encryption schemes is to use a central map that is easy to invert over an extension field, along with a small number of modifications to thwart potential attacks. In this work, we study the effectiveness of these modifications, by deriving estimates for the number of degree fall polynomials. After developing the necessary tools, we focus on encryption schemes using the and Dobbertin central maps, with the internal perturbation ( ip ), and modifications. For these constructions, we are able to accurately predict the number of degree fall polynomials produced in a Gröbner basis attack, up to and including degree 5 for the Dob encryption scheme and four for . The predictions remain accurate even when fixing variables. Based on this new theory, we design a novel attack on Dob, which completely recovers the secret key for the parameters suggested by its designers. Due to the generality of the presented techniques, we also believe that they are of interest to the analysis of other big-field schemes.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

Jiangtao Han,Haining Fan

DOI: https://doi.org/10.1109/tc.2013.2297106

IF: 3.183

2015-01-01

IEEE Transactions on Computers

Abstract:Besides Karatsuba's algorithm, optimal Toeplitz matrix-vector product (TMVP) formulae is another approach to design GF(2(n)) subquadratic multipliers. However, when GF(2(n)) elements are represented using a polynomial basis or its generalization-shifted polynomial basis-this approach is currently appliable only to fields GF(2(n)) generated by an irreducible trinomial or a special type of irreducible pentanomials, but not to a general irreducible pentanomial. The reason is that no transformation matrix, which transforms the Mastrovito matrix into a Toeplitz matrix, has been found. In this article, we propose such a transformation matrix and its inverse matrix for an arbitrary irreducible pentanomial.

Daoji Huang,Matt Larson

2024-11-26

Abstract:We give a criterion for a collection of polynomials to be a universal Gröbner basis for an ideal in terms of the multidegree of the closure of the corresponding affine variety in $(\mathbb{P}^1)^N$. This criterion can be used to give simple proofs of several existing results on universal Gröbner bases. We introduce fine Schubert polynomials, which record the multidegrees of the closures of matrix Schubert varieties in $(\mathbb{P}^1)^{n^2}$. We compute the fine Schubert polynomials of permutations $w$ where the coefficients of the Schubert polynomials of $w$ and $w^{-1}$ are all either 0 or 1, and we use this to give a universal Gröbner basis for the ideal of the matrix Schubert variety of such a permutation.

Algebraic Geometry,Commutative Algebra,Combinatorics