Computing Loci of Rank Defects of Linear Matrices using ... · 2/13 PJ Spaenlehauer. Two algebaicr...

Computing Loci of Rank Defects of Linear Matrices

using Gröbner Bases and Applications to Cryptology

Jean�Charles Faugère Mohab Safey El DinPierre�Jean Spaenlehauer

UPMC � CNRS � INRIA Paris - RocquencourtLIP6 � SALSA team

ISSAC 2010July 28, 2010

1/13 PJ Spaenlehauer

The MinRank problem

r ∈ N. M0, . . . ,Mk : k + 1 matrices of size m ×m.

MinRank

�nd λ1, . . . , λk such that

(M0 −

k∑i=1

)≤ r .

Multivariate generalization of the EigenValue problem.

Applications in cryptology, coding theory, geometry, ...Kipnis/Shamir Crypto'99Faugère/Levy-dit-Vehel/Perret Crypto'08,...

Fundamental NP-hard problem of linear algebra.

Buss, Frandsen, Shallit.J. of Computer and System Sciences. 1999.The computational complexity of some problems of linear algebra.

Two algebraic modelings

M = M0 −∑k

i=1 λiMi .

The minors modeling

Rank(M) ≤ r

mall minors of size (r + 1) of M vanish.

´2equations of degree r + 1.

k variables.

Few variables, lots of equations, high

degree !!

The Kipnis-Shamir modeling

Rank(M) ≤ r ⇔ ∃x(1), . . . , x(m−r) ∈ Ker(M).

0BBBBBBB@

Im−r

x(1)1 . . . x

(m−r)1

......

x(1)r . . . x

(m−r)r

1CCCCCCCA= 0.

m(m − r) bilinear equations.

k + r(m − r) variables.

Complexity of solving MinRank using Gröbner bases techniques ?

Comparison of the two modelings ?

Number of solutions ?

M = M0 −∑k

i=1 λiMi .

The minors modeling

Rank(M) ≤ r

k variables.

degree !!

Rank(M) ≤ r ⇔ ∃x(1), . . . , x(m−r) ∈ Ker(M).

0BBBBBBB@

Im−r

x(1)1 . . . x

(m−r)1

......

x(1)r . . . x

(m−r)r

1CCCCCCCA= 0.

M = M0 −∑k

i=1 λiMi .

The minors modeling

Rank(M) ≤ r

k variables.

degree !!

Rank(M) ≤ r ⇔ ∃x(1), . . . , x(m−r) ∈ Ker(M).

0BBBBBBB@

Im−r

x(1)1 . . . x

(m−r)1

......

x(1)r . . . x

(m−r)r

1CCCCCCCA= 0.

M = M0 −∑k

i=1 λiMi .

The minors modeling

Rank(M) ≤ r

k variables.

degree !!

Rank(M) ≤ r ⇔ ∃x(1), . . . , x(m−r) ∈ Ker(M).

0BBBBBBB@

Im−r

x(1)1 . . . x

(m−r)1

......

x(1)r . . . x

(m−r)r

1CCCCCCCA= 0.

Main results

System −→ grevlex GB −→Change of ordering

lex GB.

Complexity O

„“n + dreg

”ω«O (n ·#Solω)

m: size of the matrices, k: number of matrices, r: target rank. k = (m− r)2.

Minors Kipnis-ShamirDegree of regularity

when k = (m − r)2

r(m− r) + 1

dreg ≤ m(m − r) + 1

!m−r

Complexity

O(mωk) O(mω(k+1))

Both modelings → polynomial complexity when k = (m− r)2 is �xed.

New Crypto challenge broken: 10 generic matrices of size 11× 11

target rank 8, K = GF(65521).

Main results

lex GB.

Complexity O

„“n + dreg

when k = (m − r)2

r(m− r) + 1

dreg ≤ m(m − r) + 1

!m−r

Complexity

O(mωk) O(mω(k+1))

Main results

lex GB.

Complexity O

„“n + dreg

when k = (m − r)2New

r(m− r) + 1

New old

dreg ≤(m− r)2 + 1�m(m − r) + 1

New oldm−r−1Yi=0

i!(m + i)!

(m− 1− i)!(m− r + i)!<

!m−r

Complexity

O(mωk) O(mω(k+1))

Main results

lex GB.

Complexity O

„“n + dreg

r(m− r) + 1

New old

dreg ≤(m− r)2 + 1�m(m − r) + 1

i!(m + i)!

(m− 1− i)!(m− r + i)!<

!m−r

Complexity O(mωk) O(mω(k+1))

Main results

lex GB.

Complexity O

„“n + dreg

r(m− r) + 1

New old

dreg ≤(m− r)2 + 1�m(m − r) + 1

i!(m + i)!

(m− 1− i)!(m− r + i)!<

!m−r

Gröbner bases of bilinear systems

Faugère/Safey/S.Gröbner bases of bihomogeneous ideals generated by polynomials ofbidegree (1,1): Algorithms and Complexity. arXiv:1001.4004

Theorem

For a generic a�ne 0-dimensional bilinear system overK[x1, . . . , xnx , y1, . . . , yny ],

dreg ≤ min(nx , ny ) + 1.

Sharp bound in practice !

Asymptotic complexity

Assumption: KS systems behave like generic a�ne bilinear systems.When k = (m − r)2 is �xed, the complexity of the Gröbner basis computationof the Kipnis-Shamir modeling is

((2k + m(m − r) + 1

(m − r)2 + 1

m→∞O

ω(k+1)).

Gröbner bases of bilinear systems

Faugère/Safey/S.Gröbner bases of bihomogeneous ideals generated by polynomials ofbidegree (1,1): Algorithms and Complexity. arXiv:1001.4004

Theorem

For a generic a�ne 0-dimensional bilinear system overK[x1, . . . , xnx , y1, . . . , yny ],

dreg ≤ min(nx , ny ) + 1.

Sharp bound in practice !

Asymptotic complexity

Assumption: KS systems behave like generic a�ne bilinear systems.When k = (m − r)2 is �xed, the complexity of the Gröbner basis computationof the Kipnis-Shamir modeling is

((2k + m(m − r) + 1

(m − r)2 + 1

m→∞O

ω(k+1)).

f1 = . . . = fq = 0Bilinear system of K[X ,Y ]

⇐⇒

∂f1∂x0

. . . ∂f1∂xnx

.... . .

...∂fq∂x0

. . .∂fq

∂xnx

A Theorem of Bernstein, Sturmfels and Zelevinski

M a p × q matrix whose entries are variables. The maximal minors of Mare a universal Gröbner basis of the associated ideal.

Theorem (Faugère/Safey/S. 2010)

M a k-variate p × q linear matrix. Generically, a grevlex GB of〈Minors(M)〉: linear combination of the generators.

Cramer's rule + elimination ideal → dreg ≤ min(nx , ny ) + 1.

⇐⇒

∂f1∂x0

. . . ∂f1∂xnx

.... . .

...∂fq∂x0

. . .∂fq

∂xnx

⇐⇒

∂f1∂x0

. . . ∂f1∂xnx

.... . .

...∂fq∂x0

. . .∂fq

∂xnx

⇐⇒

∂f1∂x0

. . . ∂f1∂xnx

.... . .

...∂fq∂x0

. . .∂fq

∂xnx

The minors modeling

Related to Determinantal ideals.

What is known

Determinantal ideals: Bernstein/Zelevinsky J. of Alg. Comb. 93,Bruns/Conca 98, Sturmfels/Zelevinsky Adv. Math. 98,Conca/Herzog AMS'94, Lascoux 78, Abhyankar 88...

Geometry of determinantal varieties: Room 39, Fulton Duke Math.J. 91, Giusti/Merle Int. Conf. on Alg. Geo. 82...

Polar varieties: Bank/Giusti/Heintz/Safey/SchostAAECC'10,Bank/Giusti/Heintz/Pardo J. of Compl. 05, Safey/SchostISSAC'03, Teissier Pure and Appl. Math. 91...

Properties of determinantal ideals

D = Minorsr+1

0B@v1,1 . . . v1,m

.... . .

...vm,1 . . . vm,m

1CAThom/Porteous 71, Giambelli 04,Harris/Tu 84The degree of D is

m−r−1Yi=0

i!(m + i)!

(m − 1− i)!(m − r + i)!.

Conca/Herzog AMS'94, Abhyankar '88The Hilbert series of D is

HSD(t) =det(A(t))

”(1− t)(2m−r)r

I = Minorsr+1

0B@ f1,1 . . . f1,m

.... . .

...fm,1 . . . fm,m

The degree of I is

m−r−1Yi=0

i!(m + i)!

(m − 1− i)!(m − r + i)!.

The Hilbert series of I is

HSI(t) =det(A(t))

”(1− t)k−(m−r)2

Ai,j (t) =X

“m − i

”“m − j

”t`.

transfer of properties of D by adding 〈vi ,j − fi ,j〉

D = Minorsr+1

0B@v1,1 . . . v1,m

.... . .

...vm,1 . . . vm,m

m−r−1Yi=0

i!(m + i)!

(m − 1− i)!(m − r + i)!.

HSD(t) =det(A(t))

”(1− t)(2m−r)r

I = Minorsr+1

0B@ f1,1 . . . f1,m

.... . .

...fm,1 . . . fm,m

The degree of I is

m−r−1Yi=0

i!(m + i)!

(m − 1− i)!(m − r + i)!.

HSI(t) =det(A(t))

”(1− t)k−(m−r)2

Ai,j (t) =X

“m − i

”“m − j

”t`.

transfer of properties of D by adding 〈vi ,j − fi ,j〉

D = Minorsr+1

0B@v1,1 . . . v1,m

.... . .

...vm,1 . . . vm,m

m−r−1Yi=0

i!(m + i)!

(m − 1− i)!(m − r + i)!.

HSD(t) =det(A(t))

”(1− t)(2m−r)r

I = Minorsr+1

0B@ f1,1 . . . f1,m

.... . .

...fm,1 . . . fm,m

The degree of I is

m−r−1Yi=0

i!(m + i)!

(m − 1− i)!(m − r + i)!.

HSI(t) =det(A(t))

”(1− t)k−(m−r)2

Ai,j (t) =X

“m − i

”“m − j

”t`.

transfer of properties of D by adding 〈vi ,j − fi ,j〉8/13 PJ Spaenlehauer

D = Minorsr+1

0B@v1,1 . . . v1,m

.... . .

...vm,1 . . . vm,m

m−r−1Yi=0

i!(m + i)!

(m − 1− i)!(m − r + i)!.

HSD(t) =det(A(t))

”(1− t)(2m−r)r

I = Minorsr+1

0B@ f1,1 . . . f1,m

.... . .

...fm,1 . . . fm,m

1CAThe degree of I is

m−r−1Yi=0

i!(m + i)!

(m − 1− i)!(m − r + i)!.

HSI(t) =det(A(t))

”(1− t)k−(m−r)2

Ai,j (t) =X

“m − i

”“m − j

”t`.

transfer of properties of D by adding 〈vi ,j − fi ,j〉8/13 PJ Spaenlehauer

Complexity of the minors formulation

Degree of regularity for a 0-dim ideal = 1+ degree of the Hilbert series.

Corollary

The degree of regularity of I is generically equal to

dreg = r(m − r) + 1.

Number of matrices and rank defect �xed. 0-dimensional case.

Corollary: asymptotic complexity

When k = (m − r)2 is �xed, then the complexity of the Gröbner basis

computation of the minors modeling is

((k +m(m − r) + 1

m→∞O(m

Complexity of the minors formulation

Degree of regularity for a 0-dim ideal = 1+ degree of the Hilbert series.

Corollary

The degree of regularity of I is generically equal to

dreg = r(m − r) + 1.

Number of matrices and rank defect �xed. 0-dimensional case.

Corollary: asymptotic complexity

When k = (m − r)2 is �xed, then the complexity of the Gröbner basis

computation of the minors modeling is

((k +m(m − r) + 1

m→∞O(m

Complexity of the change of ordering

Generic number of solutions

The number of solutions of a genericMinRank problem with k = (m − r)2 is

#Sol =m−r−1∏i=0

i !(m + i)!

(m − 1− i)!(m − r + i)!

∼m→∞

mkm−r−1∏i=0

(m − r + i)!.

Complexity of the change of ordering

The complexity of FGLM is O (#Solω) . If k = (m − r)2, then

O (#Solω) = O(mωk

Summary

lex GB.

Complexity O

„“n + dreg

when k = (m − r)2r(m − r) + 1 ≤ (m − r)2 + 1

m−r−1Yi=0

i !(m + i)!

(m − 1− i)!(m − r + i)!

Complexity of the change of ordering: O(mωk

Over-determined systems: k < (m − r)2.

Summary

lex GB.

Complexity O

„“n + dreg

when k = (m − r)2r(m − r) + 1 ≤ (m − r)2 + 1

m−r−1Yi=0

i !(m + i)!

(m − 1− i)!(m − r + i)!

Summary

lex GB.

Complexity O

„“n + dreg

when k = (m − r)2r(m − r) + 1 ≤ (m − r)2 + 1

m−r−1Yi=0

i !(m + i)!

(m − 1− i)!(m − r + i)!

Experimental results

Courtois. Asiacrypt'01.

E�cient zero-knowledge authentication based on a linear algebra problem

MinRank.

K = GF(65521) (m, k, r): k + 1 matrices of size m ×m. Target rank: r .Challenge A B C

(6, 9, 3) (7, 9, 4) (8, 9, 5) (9, 9, 6) (10, 9, 7) (11, 9, 8)degree 980 4116 14112 41580 108900 259545

MH Bézout 8000 42875 175616 592704 1728000 4492125Minors

F5 time 1.1s 37s 935s 18122s 229094s

F5 mem 488 MB 587 MB 1213 MB 5048 MB 25719MB

log2(Nb op.) 21.5 25.9 29.2 32.7 35.2

FGLM time 1.7s 97.2s

Kipnis-Shamir

F5 time 30s 3795s 328233s ∞F5 mem 407 MB 3113 MB 58587 MB

log2(Nb op.) 30.5 37.1 43.4

FGLM time 35s 2580s

Computational bottleneck: computing the minors.

Computing e�ort needed for solving Challenge C:

238 days on 64 quadricore processors.

MinRank.

(6, 9, 3) (7, 9, 4) (8, 9, 5) (9, 9, 6) (10, 9, 7) (11, 9, 8)degree 980 4116 14112 41580 108900 259545

MH Bézout 8000 42875 175616 592704 1728000 4492125Minors

F5 time 1.1s 37s 935s 18122s 229094s

F5 mem 488 MB 587 MB 1213 MB 5048 MB 25719MB

log2(Nb op.) 21.5 25.9 29.2 32.7 35.2

Kipnis-Shamir

log2(Nb op.) 30.5 37.1 43.4

FGLM time 35s 2580s

MinRank.

(6, 9, 3) (7, 9, 4) (8, 9, 5) (9, 9, 6) (10, 9, 7) (11, 9, 8)degree 980 4116 14112 41580 108900 259545

MH Bézout 8000 42875 175616 592704 1728000 4492125Minors

F5 time 1.1s 37s 935s 18122s 229094s

F5 mem 488 MB 587 MB 1213 MB 5048 MB 25719MB

log2(Nb op.) 21.5 25.9 29.2 32.7 35.2

Kipnis-Shamir

log2(Nb op.) 30.5 37.1 43.4

FGLM time 35s 2580s

Conclusion

Comparison of two algebraic formulations.Complexity results on the MinRank problem from the Gröbner basisviewpoint.Lead to signi�cant algorithmic improvements con�rmed byexperiments.Algebraic cryptanalysis of the Courtois authenti�cation scheme.

Further algorithmic improvements

Minrank Challenge (8, 9, 5)[Crypto 2008] 328233s −→ [Issac 2010] 935s −→ [Pasco 2010] 73s

Multi-homogeneous variant of the F5 algorithm.

Perspectives

Practical bottleneck for MinRank: computing the minors.

Extension to polynomial matrices/Computation of critical points.

Symmetric matrices.

Conclusion

Perspectives

Symmetric matrices.

Conclusion

Perspectives

Symmetric matrices.

Computing Loci of Rank Defects of Linear Matrices using ... · 2/13 PJ Spaenlehauer. Two algebaicr...

Documents

Transcript of Computing Loci of Rank Defects of Linear Matrices using ... · 2/13 PJ Spaenlehauer. Two algebaicr...