
    Last fall degree, HFE, and Weil descent attacks on ECDLP

    Weil descent methods have recently been applied to attack the Hidden Field Equation (HFE) public key systems and to solve the elliptic curve discrete logarithm problem (ECDLP) in small characteristic. However, the claims of quasi-polynomial time attacks on HFE systems and of a subexponential time algorithm for the ECDLP depend on various heuristic assumptions. In this paper we introduce the notion of the last fall degree of a polynomial system, which is independent of the choice of monomial order. We then develop complexity bounds on solving polynomial systems based on this last fall degree. We prove that HFE systems have a small last fall degree, by showing that one can do division with remainder after Weil descent. This allows us to solve HFE systems unconditionally in polynomial time if the degree of the defining polynomial and the cardinality of the base field are fixed. For the ECDLP over a finite field of characteristic 2, we provide computational evidence that raises doubt on the validity of the first fall degree assumption, which was widely adopted in earlier works and which promises subexponential algorithms for the ECDLP. In addition, we construct a Weil descent system from a set of summation polynomials in which the first fall degree assumption is unlikely to hold. These examples suggest that greater care needs to be exercised when applying this heuristic assumption to arrive at complexity estimates. Taken together, these results underscore the importance of rigorously bounding the last fall degrees of Weil descent systems, which remains an interesting but challenging open problem.
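    The descent step this abstract refers to, as an added example written for this page (it is not code from the paper): each variable over GF(2^n) is written as n bit-variables in a polynomial basis, the polynomial is expanded symbolically, and its n coordinates yield n Boolean equations over GF(2). The field GF(2^4) with modulus t^4 + t + 1, the sample polynomials X^3 + 1 and XY + 1, and all helper names are choices made here. Expansion reduces modulo the field equations x^2 = x, so the degree of the descended system is bounded by the binary weight of the exponents (X^(2^k) is GF(2)-linear in the coordinates), which is why X^3 descends to quadratics; the exhaustive search at the end stands in for the Gröbner basis step whose cost the paper's fall-degree analysis bounds, and is only there to check the descent against direct root finding.

```python
# Added example (not code from the paper above): Weil descent of a polynomial
# system over GF(2^N) into N Boolean equations over GF(2).
# Assumptions made here: N = 4, modulus t^4 + t + 1, and the sample polynomials.
from itertools import product

N = 4               # extension degree, F = GF(2^N)
MODULUS = 0b10011   # t^4 + t + 1, irreducible over GF(2) (chosen here)


def gf_mul(a, b):
    """Multiply two elements of F stored as N-bit ints in the basis 1, t, ..., t^(N-1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MODULUS
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


# Symbolic ring F[x_{i,j}] / (x_{i,j}^2 - x_{i,j}): dict {frozenset of bit-vars: coefficient in F}
def sym_add(p, q):
    r = dict(p)
    for m, c in q.items():
        v = r.get(m, 0) ^ c
        if v:
            r[m] = v
        else:
            r.pop(m, None)
    return r


def sym_mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            # union of variable sets: x*x = x because we reduce modulo the field equations
            r = sym_add(r, {m1 | m2: gf_mul(c1, c2)})
    return r


def sym_var(i):
    """Variable X_i over F written as sum_j x_{i,j} t^j with x_{i,j} in GF(2)."""
    return {frozenset([(i, j)]): 1 << j for j in range(N)}


def weil_descent(f, m):
    """f: dict {exponent tuple of length m: coefficient in F}. Returns N Boolean
    equations, each a set of monomials (frozensets of bit-variables) summed over GF(2)."""
    total = {}
    xs = [sym_var(i) for i in range(m)]
    for exps, c in f.items():
        term = {frozenset(): c} if c else {}
        for i, e in enumerate(exps):
            for _ in range(e):
                term = sym_mul(term, xs[i])
        total = sym_add(total, term)
    # coordinate j of the expanded polynomial: monomials whose F-coefficient has bit j set
    return [{mono for mono, c in total.items() if (c >> j) & 1} for j in range(N)]


def field_to_bits(point):
    return {(i, j): (x >> j) & 1 for i, x in enumerate(point) for j in range(N)}


def eval_bool(eq, bits):
    return sum(all(bits[v] for v in mono) for mono in eq) & 1


def eval_field(f, point):
    r = 0
    for exps, c in f.items():
        term = c
        for i, e in enumerate(exps):
            term = gf_mul(term, gf_pow(point[i], e))
        r ^= term
    return r


def roots_in_field(f, m):
    """Direct root finding over F^m, the reference the descended system is checked against."""
    return [p for p in product(range(1 << N), repeat=m) if eval_field(f, p) == 0]


def solve_descended(eqs, m):
    """Exhaustive search over GF(2)^(m*N); stands in for the Groebner basis step of a real attack."""
    return [p for p in product(range(1 << N), repeat=m)
            if all(eval_bool(eq, field_to_bits(p)) == 0 for eq in eqs)]


def max_degree(eqs):
    """Degree of the descended system; bounded by the binary weight of the exponents in f."""
    return max((len(mono) for eq in eqs for mono in eq), default=0)


if __name__ == "__main__":
    for f, m in [({(3,): 1, (0,): 1}, 1), ({(1, 1): 1, (0, 0): 1}, 2)]:   # X^3 + 1 and XY + 1
        eqs = weil_descent(f, m)
        print(f, "descends to", len(eqs), "equations of degree", max_degree(eqs),
              "with", len(solve_descended(eqs, m)), "solutions; direct roots:",
              len(roots_in_field(f, m)))
```

    Both sample systems return the same solution set from the descended Boolean equations as from direct root finding over GF(16): the three cube roots of unity for X^3 + 1, and the fifteen pairs (X, X^-1) for XY + 1. Swapping the Boolean exhaustive search for a Gröbner basis computation is exactly the point at which the first and last fall degree of the descended system decide the cost.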

    A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

    We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial time key-recovery attack. Our key-recovery attack finds an equivalent key using the idea of so-called "good keys" that reveals the structure gradually. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial time assuming some mild algebraic assumptions. We highlight that our theoretical results work in characteristic 2, which is known to be the most difficult case to address in theory for MinRank attacks. Also, we emphasize that our attack works without any restriction on the number of polynomials removed from the public key, that is, using the minus modifier. This was not the case for previous MinRank-like attacks against MQ schemes. From a practical point of view, we are able to break an MQQ-SIG instance of 80 bits security in less than 2 days, and one of the more conservative MQQ-ENC instances of 128 bits security in a little over 9 days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure.

    Numerical Algebraic Geometry: A New Perspective on String and Gauge Theories

    The rich interplay between algebraic geometry and string and gauge theories has recently been immensely aided by advances in computational algebra. However, these symbolic (Gröbner) methods are severely limited by algorithmic issues such as exponential space complexity and being highly sequential. In this paper, we introduce a novel paradigm of numerical algebraic geometry which in a plethora of situations overcomes these shortcomings. Its so-called 'embarrassing parallelizability' allows us to solve many problems and extract physical information which elude the symbolic methods. We describe the method and then use it to solve various problems arising from physics which could not otherwise be solved.
    Comment: 36 pages

    A Linear Algebra Approach for Detecting Binomiality of Steady State Ideals of Reversible Chemical Reaction Networks

    Motivated by problems from Chemical Reaction Network Theory, we investigate whether steady state ideals of reversible reaction networks are generated by binomials. We take an algebraic approach considering, besides concentrations of species, also rate constants as indeterminates. This leads us to the concept of unconditional binomiality, meaning binomiality for all values of the rate constants. This concept is different from conditional binomiality, which applies when rate constant values or relations among rate constants are given. We start by representing the generators of a steady state ideal as sums of binomials, which yields a corresponding coefficient matrix. On these grounds we propose an efficient algorithm for detecting unconditional binomiality. That algorithm uses exclusively elementary column and row operations on the coefficient matrix. We prove asymptotic worst case upper bounds on the time complexity of our algorithm. Furthermore, we experimentally compare its performance with other existing methods.

    Numerical elimination and moduli space of vacua

    We propose a new computational method to understand the vacuum moduli space of (supersymmetric) field theories. By combining numerical algebraic geometry (NAG) and elimination theory, we develop a powerful, efficient, and parallelizable algorithm to extract important information such as the dimension, branch structure, Hilbert series and subsequent operator counting, as well as variation according to coupling constants and mass parameters. We illustrate this method on a host of examples from gauge theory, string theory, and algebraic geometry.

    Practical Algebraic Attack on DAGS

    16 pages, accepted for publication in the 7th Code-Based Cryptography Workshop 2019.
    The DAGS scheme is a key encapsulation mechanism (KEM) based on quasi-dyadic alternant codes that was submitted to the NIST standardization process for a quantum-resistant public key algorithm. Recently an algebraic attack was devised by Barelli and Couvreur (Asiacrypt 2018) that efficiently recovers the private key. It shows that DAGS can be totally cryptanalysed by solving a system of bilinear polynomial equations. However, some sets of DAGS parameters were not broken in practice. In this paper we improve the algebraic attack by showing that the original approach was not optimal in terms of the ratio of the number of equations to the number of variables. Contrary to the common belief that reducing at any cost the number of variables in a polynomial system is always beneficial, we actually observed that, provided that the ratio is increased and up to a threshold, the solving can be heavily improved by adding variables to the polynomial system. This enables us to recover the private keys in a few seconds. Furthermore, our experiments also show that the maximum degree reached during the computation of the Gröbner basis is an important parameter that explains the efficiency of the attack. Finally, the authors of DAGS updated the parameters to take into account the algebraic cryptanalysis of Barelli and Couvreur. In the present article, we propose a hybrid approach that performs an exhaustive search on some variables and computes a Gröbner basis on the polynomial system involving the remaining variables. We then show that the updated set of parameters corresponding to 128-bit security can be broken with 2^83 operations.

    On the security of biquadratic C∗ public-key cryptosystems and its generalizations
