Conference Paper
Polly Cracker, Revisited
DOI: 10.1007/978-3-642-25385-0_10. Conference: Advances in Cryptology, ASIACRYPT 2011, 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings
Source: DBLP
Available from: Ludovic Perret
Homomorphic Encryption II
- Let $I \subset P = \mathbb{F}[x_0, \dots, x_{n-1}]$ be some ideal and denote by $\mathrm{Encode}()$ an injective function, with inverse $\mathrm{Decode}()$, that maps bits to elements of the quotient ring $P/I$.
- Assume that $\mathrm{Decode}(\mathrm{Encode}(m_0) \circ \mathrm{Encode}(m_1)) = m_0 \circ m_1$ for $\circ \in \{+, \cdot\}$.
- We can encrypt a message $m$ as $c = f + \mathrm{Encode}(m)$ for $f \in I$.
- Decryption is performed by computing remainders modulo $I$.
Homomorphic Encryption III
- This construction is somewhat homomorphic:
  $$c_0 + c_1 = f_0 + \mathrm{Encode}(m_0) + f_1 + \mathrm{Encode}(m_1) = f + \mathrm{Encode}(m_0) + \mathrm{Encode}(m_1) \quad \text{for some } f \in I,$$
  $$c_0 \cdot c_1 = (f_0 + \mathrm{Encode}(m_0)) \cdot (f_1 + \mathrm{Encode}(m_1)) = f_0 f_1 + f_0\,\mathrm{Encode}(m_1) + f_1\,\mathrm{Encode}(m_0) + \mathrm{Encode}(m_0)\,\mathrm{Encode}(m_1) = f + \mathrm{Encode}(m_0) \cdot \mathrm{Encode}(m_1) \quad \text{for some } f \in I.$$
- This construction is Polly Cracker.
Homomorphic Encryption IV
- However, our confidence in Polly Cracker-style schemes has been shaken, as almost all such proposals are broken.
- It is a long-standing open research challenge to propose a secure Polly Cracker-style encryption scheme,
- . . . even better if we can make it somewhat homomorphic.

Boo Barkee, Deh Cac Can, Julia Ecks, Theo Moriarty, and R. F. Ree. Why you cannot even hope to use Gröbner bases in Public Key Cryptography: An open letter to a scientist who failed and a challenge to those who have not yet failed. Journal of Symbolic Computation, 18(6):497–501, 1994.
Notation IV
Definition (Gröbner Basis)
Let $I$ be an ideal of $\mathbb{F}[x_0, \dots, x_{n-1}]$ and fix a monomial ordering. A finite subset $G = \{g_0, \dots, g_{m-1}\} \subset I$ is said to be a Gröbner basis of $I$ if for any $f \in I$ there exists $g_i \in G$ with $\mathrm{LM}(g_i) \mid \mathrm{LM}(f)$.

For each ideal $I$ and monomial ordering there is a unique reduced Gröbner basis, which can be computed in polynomial time from any Gröbner basis.

Gröbner bases allow us to compute remainders modulo $I$: $r = f \bmod I = f \bmod G$. (Division by an arbitrary generating set of $I$ does not give a well-defined remainder; it is the Gröbner basis property that makes $f \bmod G$ unique, so that $f \in I$ exactly when $f \bmod G = 0$.)
Characterisation of Gröbner bases II
Definition (t-Representation)
Fix a monomial order and let $F = \{f_0, \dots, f_{m-1}\} \subset P$ be an unordered set of polynomials and let $t$ be a monomial. Given a polynomial $f \in P$, we say that $f$ has a $t$-representation if $f$ can be written in the form
$$f = h_0 f_0 + \dots + h_{m-1} f_{m-1},$$
such that whenever $h_i f_i \neq 0$, we have $h_i f_i \le t$ (comparing leading monomials).

Furthermore, we write that $f \xrightarrow{F} 0$ if and only if $f$ has an $\mathrm{LM}(f)$-representation with respect to $F$.
Formalising the Problems I
proc. Initialize(1^λ, P, d):
    P ←$ P_λ;
    G ←$ GBGen(1^λ, P, d);
    return (1^λ, P);

proc. Sample():
    f ←$ P_{≤b};
    f ← f − (f mod G);
    return f;

proc. Finalize(G'):
    return (G = G');

Figure 1: Game GB_{P,GBGen(·),d,b,m}. An adversary is valid if it calls the Sample oracle at most m(λ) times.
Formalising the Problems II
Definition (Gröbner Basis (GB) Problem)
The advantage of a ppt algorithm $A$ in solving the Gröbner basis problem with respect to basis generation algorithm $\mathrm{GBGen}(\cdot)$ is defined by
$$\mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot),A}(\lambda) := \Pr\left[\mathrm{GB}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}(\lambda) \Rightarrow \mathsf{T}\right],$$
where game $\mathrm{GB}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}$ is shown in Figure 1.
Formalising the Problems III
proc. Initialize(1^λ, P, d):
    P ←$ P_λ;
    G ←$ GBGen(1^λ, P, d);
    return (1^λ, P);

proc. Sample():
    f ←$ P_{≤b};
    f ← f − (f mod G);
    return f;

proc. Challenge():
    f ←$ P_{≤b};
    return f;

proc. Finalize(r'):
    return (r' = f mod G);

Figure 2: Game IR_{P,GBGen(·),d,b,m}. An adversary is valid if it calls the Sample oracle at most m(λ) times.
Formalising the Problems V
proc. Initialize(1^λ, P, d):
    P ←$ P_λ;
    G ←$ GBGen(1^λ, P, d);
    c ←$ {0, 1};
    return (1^λ, P);

proc. Sample():
    f ←$ P_{≤b};
    f ← f − (f mod G);
    return f;

proc. Challenge():
    f ←$ P_{≤b};
    if c = 1 then f ← f − (f mod G);
    return f;

proc. Finalize(c'):
    return (c = c');

Figure 3: Game IM_{P,GBGen(·),d,b,m}. An adversary is valid if it calls the Sample oracle at most m(λ) times.
Formalising the Problems VI
Definition (Ideal Membership (IM) Problem)
The advantage of a ppt algorithm $A$ in solving the ideal membership problem is defined by
$$\mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot),A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IM}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}(\lambda) \Rightarrow \mathsf{T}\right] - 1,$$
where game $\mathrm{IM}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}$ is shown in Figure 3.

Note
We can view the IM problem as the decisional version of the IR problem.
Hardness I
Lemma (IR ⇔ GB)
For any ppt adversary $A$ against the IR problem, there exists a ppt adversary $B$ against the GB problem such that
$$\left(\mathrm{Adv}^{\mathrm{ir}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda)\right)^{\mathrm{poly}(\lambda)} \le \mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda).$$
Conversely, for any ppt adversary $B$ against the GB problem, there exists a ppt adversary $A$ against the IR problem such that
$$\mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda) = \mathrm{Adv}^{\mathrm{ir}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda).$$
Hardness II
Proof for first direction.
Consider an arbitrary element $g_i$ in the Gröbner basis $G$. We can write $g_i$ as $m_i + \tilde{g}_i$ for some $\tilde{g}_i < g_i$ and $m_i = \mathrm{LM}(g_i)$.
Now, assume the normal form of $m_i$ is $r_i$ and suppose that $r_i < m_i$. This implies that $m_i = \sum_{j=0}^{n-1} h_j g_j + r_i$ for some $h_j \in P$. Hence, we have $m_i - r_i \in \langle G \rangle$: an element of $\langle G \rangle$ with leading monomial $m_i$.
Repeat this process for all monomials up to and including degree $d$ and accumulate the results $m_i - r_i$ in a list $\tilde{G}$.
The list $\tilde{G}$ is a list of elements of $\langle G \rangle$ with $\mathrm{LM}(\tilde{G}) \supseteq \mathrm{LM}(G)$, which implies that $\tilde{G}$ is a Gröbner basis.
We cannot amplify our confidence since we only have a limited number of samples.
Hardness IV
Assuming that $f_0, \dots, f_{m-1}$ is a random system, the complexity of the currently best known algorithms (i.e. with $F_5$) to solve the GB problem is given by
$$O\left(\binom{n+D}{D}^{\omega}\right) = O\left((n^{D})^{\omega}\right),$$
where $2 \le \omega < 3$ is the linear algebra constant, and $D$ is given by the index of the first non-positive coefficient of
$$\sum_{k \ge 0} c_k z^k = \frac{(1 - z^b)^m}{(1 - z)^n}.$$
Thus computing a Gröbner basis is exponential in $n$ whenever $D$ grows with $n$ (e.g. $D = \Theta(n)$); the cost is polynomial only when $D$ stays bounded by a constant.
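Worked instance of the bound (added here, not on the slides): for a square system, $m = n$, the series collapses to a polynomial,
$$\sum_{k \ge 0} c_k z^k = \frac{(1 - z^b)^n}{(1 - z)^n} = \left(1 + z + \dots + z^{b-1}\right)^n,$$
whose coefficients are positive up to degree $n(b-1)$ and zero beyond, so $D = n(b-1) + 1$ (for $n = m = 2$, $b = 2$: $(1+z)^2 = 1 + 2z + z^2$, hence $D = 3$). Since $D = \Theta(n)$ here, $\binom{n+D}{D}^{\omega} = \binom{nb+1}{n}^{\omega} \ge b^{\omega n}$ grows exponentially in $n$, which is the $m = c \cdot n$ case of the corollary that follows.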
Hardness V
Corollary
Let $c \ge 0$. Then for $m(\lambda) = c \cdot n(\lambda)$ or $m(\lambda) = c \cdot n(\lambda)^{b}$ polynomials of degree $b$ in some ideal $I$, the Gröbner basis of $I$ can be computed in exponential or polynomial time in $n(\lambda)$, respectively.

Definition (GB/IR/IM Assumption)
Let $P$ be such that $n(\lambda) = \Omega(\lambda)$. Assume $b - d > 0$, $b > 1$, and that $m(\lambda) = c \cdot n(\lambda)$ for a constant $c \ge 1$. Then the advantage of any ppt algorithm in solving the GB/IR/IM problem is negligible as a function of $\lambda$.
Symmetric Polly Cracker I
Algo. Gen_{P,GBGen(·),d,b}(1^λ):
    P ←$ P_λ;
    G ←$ GBGen(1^λ, P, d);
    SK ← (G, P, b);
    PK ← (P, b);
    return (SK, PK);

Algo. Enc(m, SK):
    f ←$ P_{≤b};
    f ← f − (f mod G);
    c ← m + f;
    return c;

Algo. Dec(c, SK):
    m ← c mod G;
    return m;

Algo. Eval(c_0, …, c_{t−1}, C, PK):
    apply the Add and Mult gates of C over P;
    return the result;

Figure 4: The noise-free symmetric Polly Cracker scheme SPC_{P,GBGen(·),d,b}.
Security I
The $m(\cdot)$-time IND-CPA security of a (homomorphic) symmetric-key encryption scheme is defined in the usual way by requiring that the advantage of any probabilistic polynomial-time adversary $A$,
$$\mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m(\cdot),\mathrm{SKE},A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IND\text{-}BCPA}^{A}_{m(\cdot),\mathrm{SKE}}(\lambda) \Rightarrow \mathsf{T}\right] - 1,$$
is negligible as a function of the security parameter $\lambda$. The difference with the usual CPA security is that the adversary can query the encryption oracle at most $m(\lambda)$ times.
Security II
Theorem
Let $A$ be a ppt adversary against the $m$-time IND-BCPA security of the scheme described in Figure 4. Then there exists a ppt adversary $B$ against the IM problem such that for all $\lambda \in \mathbb{N}$ we have
$$\mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m,\mathrm{SPC},A}(\lambda) = 2 \cdot \mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda).$$
Conversely, let $A$ be a ppt adversary against the IM problem. Then there exists a ppt adversary $B$ against the $m$-time IND-BCPA security of the scheme described in Figure 4 such that for all $\lambda \in \mathbb{N}$ we have
$$\mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda) = \mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m,\mathrm{SPC},B}(\lambda).$$
Conversions in the Literature
- There are a few techniques in the literature which convert an IND-CPA symmetric additively homomorphic scheme into an IND-CPA public-key additively homomorphic scheme.
- One such conversion is to publish $N$ encryptions of zero $f_0, \dots, f_{N-1}$ and to encrypt as
  $$c = \sum_{s \in S} f_s + m,$$
  where $S$ is a subset of $\{0, \dots, N-1\}$.

While Polly Cracker is additively homomorphic and secure up to some bound on the number of samples, none of the proposed conversions give a secure scheme.
Impossibility Result I
Theorem (Dickenstein, Fitchas, Giusti, and Sessa)
Let $I = \langle f_0, \dots, f_{m-1} \rangle$ be an ideal in $P = \mathbb{F}[x_0, \dots, x_{n-1}]$, $h$ be such that $\deg(h) \le D$, and
$$h - (h \bmod I) = \sum_{i=0}^{m-1} h_i f_i,$$
where $h_i \in P$ and $\deg(h_i f_i) \le D$.
Let $G$ be the output of some Gröbner basis computation algorithm up to degree $D$ (i.e. all computations with degree greater than $D$ are ignored and dropped). Then $h \bmod I$ can be computed by polynomial reduction of $h$ via $G$.
Impossibility Result II
Theorem
Let $I = \langle f_0, \dots, f_{m-1} \rangle$ be an ideal in $P = \mathbb{F}[x_0, \dots, x_{n-1}]$. If there is a ppt algorithm $A$ which samples elements from $I$ uniformly given only $(f_0, \dots, f_{m-1}) \in I$, then there exists a ppt algorithm $B$ which computes a Gröbner basis for $I$.

Proof.
We can compute the normal forms of any $f$ produced by $A$ in polynomial time since we know $f_0, \dots, f_{m-1}$. If $f$ is arbitrary in the ideal $I$, we know that normal forms are equivalent to Gröbner basis computations. Thus, we have a polynomial-time algorithm for computing Gröbner bases.
Discrete Gaussian
A noise distribution $\chi$ will parametrise various games below. The discrete Gaussian distribution is of particular interest to us.

Definition (Discrete Gaussian Distribution)
Let $\alpha > 0$ be a real number and $q \in \mathbb{N}$. The discrete Gaussian distribution $\chi_{\alpha,q}$ is a Gaussian distribution rounded to the nearest integer and reduced modulo $q$, with mean zero and standard deviation $\alpha q$.
Gröbner Bases with Noise II
Definition (Gröbner Basis with Noise (GBN) Problem)
The Gröbner Basis with Noise Problem is defined through game $\mathrm{GBN}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}$ as shown in Figure 5. The advantage of a ppt algorithm $A$ in solving the GBN problem is
$$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := \Pr\left[\mathrm{GBN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}(\lambda) \Rightarrow \mathsf{T}\right].$$
Note that we do not impose a restriction on the number of samples any more.
Ideal Remainders with Noise I
proc. Initialize(1^λ, P, d):
    P ←$ P_λ;
    G ←$ GBGen(1^λ, P, d);
    return (1^λ, P);

proc. Sample():
    f ←$ P_{≤b};
    e ←$ χ;
    f ← f − (f mod G) + e;
    return f;

proc. Challenge():
    f ←$ P_{≤b};
    return f;

proc. Finalize(r'):
    return (r' = f mod G);

Figure 6: Game IRN_{P,GBGen(·),d,b,χ}.
Ideal Remainders with Noise II
Definition (Ideal Remainder with Noise (IRN) Problem)
The Ideal Remainder with Noise Problem is defined through game $\mathrm{IRN}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}$ as shown in Figure 6. The advantage of a ppt algorithm $A$ in solving the IRN problem is
$$\mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := \Pr\left[\mathrm{IRN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}(\lambda) \Rightarrow \mathsf{T}\right] - 1/C(\lambda),$$
where the term $1/C(\lambda)$ discounts the probability of simply guessing the remainder.

Lemma (IRN Hard ⇔ GBN Hard)
For any ppt adversary $A$ against the IRN problem, there exists a ppt adversary $B$ against the GBN problem such that
$$\mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) \le \mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,B}(\lambda),$$
. . . and vice versa.
Ideal Membership with Noise (Ideal Coset) I
proc. Initialize(1^λ, P, d):
    P ←$ P_λ;
    G ←$ GBGen(1^λ, P, d);
    c ←$ {0, 1};
    return (1^λ, P);

proc. Sample():
    f ←$ P_{≤b};
    e ←$ χ;
    f ← f − (f mod G) + e;
    return f;

proc. Challenge():
    f, e ←$ P_{≤b}, χ;
    if c = 0 then f ← f − (f mod G) + e;
    return f;

proc. Finalize(c'):
    return (c' = c);

Figure 7: Game IMN_{P,GBGen(·),d,b,χ}.
Ideal Membership with Noise (Ideal Coset) II
Definition (Ideal Membership with Noise (IMN) Problem)
The Ideal Membership with Noise (IMN) Problem is defined as a game, denoted $\mathrm{IMN}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}$, shown in Figure 7. The advantage of a ppt algorithm $A$ in solving the ideal membership with noise problem is defined by
$$\mathrm{Adv}^{\mathrm{imn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IMN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}(\lambda) \Rightarrow \mathsf{T}\right] - 1.$$

Lemma (IMN Hard ⇔ IRN Hard)
For any ppt adversary $A$ against the IMN problem, there exists a ppt adversary $B$ against the IRN problem such that
$$\mathrm{Adv}^{\mathrm{imn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) \le \mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,B}(\lambda),$$
if $q(\lambda)^{\dim_{\mathbb{F}_q}(P(\lambda)/\mathrm{GBGen}(\cdot))}$ is polynomial in $\lambda$.
. . . and vice versa.
Security I
Lemma (LWE Hard ⇒ GBN Hard for d = 1, b = 1)
Let $q$ be a prime number. Then for any ppt adversary $A$ against the GBN problem with $b = d = 1$, there exists a ppt adversary $B$ against the LWE problem such that
$$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),1,1,\chi,A}(\lambda) = \mathrm{Adv}^{\mathrm{lwe}}_{n,q,\chi,B}(\lambda).$$

Proof.
Whenever $A$ calls its Sample oracle, $B$ queries its own Sample oracle to obtain $(a, b)$ where $a = (a_0, \dots, a_{n-1})$. It returns $\sum_i a_i x_i - b$ to $A$. When $A$ calls its Finalize on $G$, since $d = 1$, we may assume that $G$ is of the form $[x_0 - s_0, \dots, x_{n-1} - s_{n-1}]$ with $s_i \in \mathbb{F}_q$. Algorithm $B$ terminates by calling its Finalize oracle on $s = (s_0, \dots, s_{n-1})$.
Security II
Lemma (GBN Hard for 2b ⇒ GBN Hard for b)
For any ppt adversary $A$ against the GBN problem at degree $b$ with noise $\chi_{\alpha,q}$, there exists a ppt adversary $B$ against the GBN problem at degree $2b$ with noise $\chi_{\sqrt{N}\alpha^2 q,\,q}$ such that
$$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi_{\alpha,q},A}(\lambda) = \mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,2b,\chi_{\sqrt{N}\alpha^2 q,\,q},B}(\lambda)$$
for $N = \binom{n+b}{b}$.

Proof.
Multiply samples $f_i, f_j$ to get $f_{i,j} = f_i \cdot f_j$. To ensure sufficient randomness, sum up $N$ such products.
Security III
Approximate GCD:
- The GBN problem for $n = 1$ is the approximate GCD problem over $\mathbb{F}_q[x]$.
- This problem has not yet received much attention, and hence it is unclear under which parameters it is hard.
- However, the notion of a Gröbner basis can be extended to $\mathbb{Z}[x_0, \dots, x_{n-1}]$.
- This implies a version of the GBN problem over $\mathbb{Z}$.
- This can be seen as a direct generalisation of the approximate GCD problem in $\mathbb{Z}$.
Security IV
GBN over $\mathbb{F}_2$:
- For $d = 1$ and $q = 2$ we can reduce Max-3SAT instances to GBN instances by translating each clause individually to a Boolean polynomial.
- The Gröbner basis returned by an arbitrary algorithm $A$ solving GBN using a bounded number of samples will provide a solution to the Max-3SAT problem.
- Vice versa, we may convert a GBN problem for $d = 1$ to a MaxSAT problem (more precisely Partial MaxSAT) by running an ANF-to-CNF conversion algorithm.
Security V
Best known attack (for d = 1):
- We reduce GBN to a larger LWE instance.
- Denote by $N = \binom{n+b}{b}$ the number of monomials up to degree $b$.
- Let $M : P \to \mathbb{F}_q^{N}$ be a function which maps polynomials in $P$ to vectors in $\mathbb{F}_q^{N}$ by assigning to the $i$-th component of the image vector the coefficient of the $i$-th monomial in $\mathcal{M}_{\le b}$.
- Reply to each Sample query of the LWE solver by calling the GBN Sample oracle to retrieve $f$, compute $v = M(f)$ and return $(a, b)$ with $a = (v_{N-1}, \dots, v_1)$ and $b = -v_0$. (With $d = 1$ and $G = [x_i - s_i]$ every sample satisfies $f(s) = e$, so the secret of this LWE instance is the vector of the $N - 1$ non-constant monomials evaluated at $s$.)
- When the LWE solver queries its Finalize with $s$, query the GBN Finalize with $[x_0 - s_0, \dots, x_{n-1} - s_{n-1}]$, where $s_i$ is the entry of the recovered secret belonging to the degree-one monomial $x_i$.
Polly Cracker with Noise
- GBN/IRN/IMN allow us to construct a noisy version of our symmetric Polly Cracker scheme: SPCN.
- SPCN is IND-CPA under the GBN assumption.
- Using any symmetric-to-asymmetric conversion from the literature, this leads to a public-key Polly Cracker scheme.
- This scheme is somewhat homomorphic and can support a fixed but arbitrary number of multiplications.
- This also implies that Regev's public-key scheme based on LWE is multiplicatively homomorphic under some choice of parameters.

Remark
We implemented a toy version of this scheme.
Conference Paper: Polly Cracker, Revisited, Revisited
Abstract: In this paper, we consider the Polly Cracker with Noise (PCN) cryptosystem by Albrecht, Farshim, Faugère, and Perret (Asiacrypt 2011), which is a public-key cryptosystem based on the hardness of computing Gröbner bases for noisy random systems of multivariate equations. We examine four settings, covering all possible parameter ranges of PCN with zero-degree noise. In the first setting, the PCN cryptosystem is known to be equivalent to Regev's LWE-based scheme. In the second, it is known to be at most as secure as Regev's scheme. We show that for one other setting it is equivalent to a variant of Regev's with less efficiency, and in the last setting it is completely insecure and we give an efficient key-recovery attack. Unrelated to the attack, we also fix some flaws in the security proofs of PCN.