Jean-Charles Faugère's research while affiliated with French National Centre for Scientific Research and other places
What is this page?
This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
Publications (173)
Let K be a field and (f1,…,fs,ϕ) be multivariate polynomials in K[x1,…,xn] (with s<n) each invariant under the action of Sn, the group of permutations of {1,…,n}. We consider the problem of computing the critical points of ϕ restricted to the algebraic set V(f), where f=(f1,…,fs). This is the same as computing the points at which f vanishes and the...
Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp-Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding req...
Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp–Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding req...
In this article, we present algebraic attacks against the Extension Field Cancellation (EFC) scheme, a multivariate public-key encryption scheme which was published at PQCRYPTO’2016. First, we present a successful Gröbner basis message-recovery attack on the first and second proposed parameters of the scheme. For the first challenge p...
Effective computation of resultants is a central problem in elimination theory and polynomial system solving. Commonly, we compute the resultant as a quotient of determinants of matrices and we say that there exists a determinantal formula when we can express it as a determinant of a matrix whose elements are the coefficients of the input polynomia...
The “quantum threat” to our current, convenient cryptographic algorithms is getting closer, with demonstrable progress by commercial quantum computing efforts. It is now more important than ever that we combine all of our tools into a new quantum-safe toolbox to develop the next generation of quantum-safe networking solutions. Here we combine an in...
Let $\mathbf{K}$ be a field and $\phi$, $\mathbf{f} = (f_1, \ldots, f_s)$ in $\mathbf{K}[x_1, \dots, x_n]$ be multivariate polynomials (with $s < n$) invariant under the action of $\mathcal{S}_n$, the group of permutations of $\{1, \dots, n\}$. We consider the problem of computing the points at which $\mathbf{f}$ vanish and the Jacobian matrix asso...
Symmetric tensor decomposition is an important problem with applications in several areas, for example signal processing, statistics, data analysis and computational neuroscience. It is equivalent to Waring's problem for homogeneous polynomials, that is to write a homogeneous polynomial in n variables of degree D as a sum of D-th powers of linear f...
In this document, we introduce : a Digital Signature Scheme based on the Permuted Kernel Problem (PKP) [23]. PKP is a simple NP-hard [10] combinatorial problem that consists of finding a kernel for a publicly known matrix, such that the kernel vector is a permutation of a publicly known vector. This problem was used to develop an Identification Sch...
The Berlekamp–Massey–Sakata algorithm and the Scalar-FGLM algorithm both compute the ideal of relations of a multidimensional linear recurrent sequence. Whenever querying a single sequence element is prohibitive, the bottleneck of these algorithms becomes the computation of all the needed sequence terms. As such, having adaptive variants of these al...
Gröbner bases are one of the most powerful tools in algorithmic nonlinear algebra. Their computation is an intrinsically hard problem with a complexity at least single exponential in the number of variables. However, in most of the cases, the polynomial systems coming from applications have some kind of structure. We consider sparse systems where the...
At STOC 2012, Aaronson and Christiano proposed a noisy and a noiseless version of the first public‐key quantum money scheme endowed with a security proof. This paper addresses the so‐called noisy hidden subspaces problem, on which the noisy version of their scheme is based. The first contribution of this work is a non‐quantum cryptanalysis of the a...
In 2017, NIST shook the cryptographic world by starting a process for standardizing post-quantum cryptography. Sixty-four submissions have been considered for the first round of the on-going NIST Post-Quantum Cryptography (PQC) process. Multivariate cryptography is a classical post-quantum candidate that turns out to be the most represented in the sign...
Gröbner bases are one of the most powerful tools in algorithmic non-linear algebra. Their computation is an intrinsically hard problem with a complexity at least single exponential in the number of variables. However, in most of the cases, the polynomial systems coming from applications have some kind of structure. For example, several problems in...
Symmetric tensor decomposition is an important problem with applications in several areas for example signal processing, statistics, data analysis and computational neuroscience. It is equivalent to Waring's problem for homogeneous polynomials, that is to write a homogeneous polynomial in $n$ variables of degree $D$ as a sum of $D$-th powers of lin...
Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp–Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding re...
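The three sparse-interpolation abstracts above all reduce to the same step: recover the shortest linear recurrence a sequence satisfies with the Berlekamp–Massey algorithm. The block below is an added example written for this page, not code from any of the listed papers. It implements Berlekamp–Massey over a prime field, recovers the recurrence of a Fibonacci sequence mod 101 and of a constructed 4-bit LFSR keystream, and uses the recovered recurrence to predict further terms; the LFSR taps, seed and modulus are constructed inputs chosen for the demonstration.

```python
"""Berlekamp-Massey over a prime field GF(p).

Added example for this page, not code from any paper listed here.  Given the
first terms of a sequence it finds the shortest linear recurrence they satisfy
(the linear complexity L and the connection polynomial), and uses it to predict
further terms.  This is the reduction the sparse-interpolation abstracts
mention, and it is also the test a stream-cipher analyst runs on a keystream:
a small L means the generator is an LFSR in disguise and 2L known terms are
enough to continue it.
"""


def berlekamp_massey(seq, p):
    """Return (C, L) with C = [1, c1, ..., cL] such that
    seq[n] + c1*seq[n-1] + ... + cL*seq[n-L] == 0 (mod p) for L <= n < len(seq).
    L is the linear complexity of the given prefix."""
    C, B = [1], [1]       # current connection polynomial and the last one saved
    L, m, b = 0, 1, 1     # current length, shift applied to B, discrepancy when B was saved
    for n, s_n in enumerate(seq):
        # discrepancy between seq[n] and the value the current recurrence predicts
        d = s_n
        for i in range(1, L + 1):
            d = (d + C[i] * seq[n - i]) % p
        if d == 0:
            m += 1
            continue
        T = C[:]
        coef = d * pow(b, -1, p) % p              # d / b  (b != 0 whenever B was saved)
        # C(x) <- C(x) - coef * x^m * B(x): cancel the discrepancy
        C.extend([0] * max(0, len(B) + m - len(C)))
        for i, b_i in enumerate(B):
            C[i + m] = (C[i + m] - coef * b_i) % p
        if 2 * L <= n:                            # the recurrence has to get longer
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1], L                           # deg C <= L, the rest is zero padding


def lfsr_sequence(taps, state, length, p):
    """Run an LFSR: seq[n] = sum(taps[i] * seq[n-1-i]) mod p, seeded with `state`.
    Used only to build a constructed keystream for the demonstration."""
    seq = list(state)
    while len(seq) < length:
        seq.append(sum(t * seq[-1 - i] for i, t in enumerate(taps)) % p)
    return seq


def predict(seq, C, p, k):
    """Continue `seq` by k terms with the recurrence given by C."""
    out = list(seq)
    L = len(C) - 1
    for _ in range(k):
        out.append(-sum(C[i] * out[-i] for i in range(1, L + 1)) % p)
    return out[len(seq):]


if __name__ == "__main__":
    # Fibonacci mod 101: the recurrence s[n] - s[n-1] - s[n-2] = 0 comes back as
    # C = [1, 100, 100] (coefficients -1, -1 mod 101) with L = 2.
    fib = [0, 1, 1, 2, 3, 5, 8, 13]
    C, L = berlekamp_massey(fib, 101)
    print(C, L, predict(fib, C, 101, 3))

    # A 4-bit LFSR keystream (constructed): 32 bits are far more than the 2L = 8
    # needed to pin it down, so the recovered recurrence predicts the rest.
    ks = lfsr_sequence([1, 0, 0, 1], [1, 0, 0, 0], 32, 2)
    C, L = berlekamp_massey(ks, 2)
    print(C, L, predict(ks[:8], C, 2, 24) == ks[8:])
```

The algorithm is the classical one (Massey's LFSR synthesis), so it needs only 2L terms to pin down a recurrence of length L; the connection polynomial it returns has degree at most L, which is why the trailing padding can be dropped. Over GF(2) this is exactly the linear-complexity test applied to stream-cipher keystreams.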
One of the biggest open problems in computational algebra is the design of efficient algorithms for Gröbner basis computations that take into account the sparsity of the input polynomials. We can perform such computations in the case of unmixed polynomial systems, that is systems with polynomials having the same support, using the approach of Faugè...
The Berlekamp–Massey–Sakata algorithm and the Scalar-FGLM algorithm both compute the ideal of relations of a multidimensional linear recurrent sequence. Whenever querying a single sequence element is prohibitive, the bottleneck of these algorithms becomes the computation of all the needed sequence terms. As such, having adaptive variants of these a...
A fundamental problem in computational algebraic geometry is the computation of the resultant. A central question is when and how to compute it as the determinant of a matrix whose elements are the coefficients of the input polynomials up to sign. This problem is well understood for unmixed multihomogeneous systems, that is for systems consisting...
One of the biggest open problems in computational algebra is the design of efficient algorithms for Gröbner basis computations that take into account the sparsity of the input polynomials. We can perform such computations in the case of unmixed polynomial systems, that is systems with polynomials having the same support, using the approach of F...
Computing discrete logarithms is generically a difficult problem. For divisor class groups of curves defined over extension fields, a variant of the Index-Calculus called decomposition attack is used, and it can be faster than generic approaches. In this situation, collecting the relations is done by solving multiple instances of the point m-decomp...
We thoroughly compare the Berlekamp–Massey–Sakata algorithm and the Scalar-FGLM algorithm, both of which compute the ideal of relations of a multi-dimensional linear recurrent sequence. Surprisingly, their behaviors differ. We detail in which way they do and prove that it is not possible to tweak one of the algorithms in order to mimic exactly th...
This paper is a position paper based on an invited talk at WISA’16 in Korea. We argue that Quantum-Safe Cryptography (QSC) will likely have a deep impact on the practice of IT professionals. We detail also in the second part a classical candidate for quantum-safe cryptography: multivariate cryptography. Finally, we conclude by presenting HFEBoost a...
The so-called Berlekamp–Massey–Sakata algorithm computes a Gröbner basis of a 0-dimensional ideal of relations satisfied by an input table. It extends the Berlekamp–Massey algorithm to n-dimensional tables, for n>1. We investigate this problem and design several algorithms for computing such a Gröbner basis of an ideal of relations using linear alg...
Symmetric Tensor Decomposition is a major problem that arises in areas such as signal processing, statistics, data analysis and computational neuroscience. It is equivalent to write a homogeneous polynomial in $n$ variables of degree $D$ as a sum of $D$-th powers of linear forms, using the minimal number of summands. This minimal number is called t...
Given several $n$-dimensional sequences, we first present an algorithm for computing the Gröbner basis of their module of linear recurrence relations. A P-recursive sequence $(u_i)_{i \in \mathbb{N}^n}$ satisfies linear recurrence relations with polynomial coefficients in $i$, as defined by Stanley in 1980. Calling directly the aforementioned algorithm on the tuple of s...
In 1965 Buchberger introduced an algorithmic approach to compute Gröbner bases. Later on, he and many others presented various attempts to improve the computation by removing useless elements a priori. One approach, initiated by Gebauer, Möller, Mora and Traverso in the 1990s, is to keep track of the corresponding syzygies which is related to the t...
Bézout's theorem states that dense generic systems of $n$ multivariate quadratic equations in $n$ variables have $2^n$ solutions over algebraically closed fields. When only a small subset $M$ of monomials appear in the equations (fewnomial systems), the number of solutions may decrease dramatically. We focus in this work on subsets of quadratic monomi...
Control theory has recently been involved in the field of nuclear magnetic resonance imagery. The goal is to control the magnetic field optimally in order to improve the contrast between two biological matters on the pictures. Geometric optimal control leads us here to analyze meromorphic vector fields depending upon physical parameters, and having...
We formally treat cryptographic constructions based on the hardness of deciding ideal membership in multivariate polynomial rings. Of particular interest to us is a class of schemes known as "Polly Cracker." We start by formalising and studying the relation between the ideal membership problem and the problem of computing a Gröbner basis. We show b...
This is a system paper about a new GPLv2 open source C library GBLA implementing and improving the idea of Faugère and Lachartre (GB reduction). We further exploit underlying structures in matrices generated during Gröbner basis computations in algorithms like F4 or F5 taking advantage of block patterns by using a special data structure called...
Boneh et al. showed at Crypto 99 that moduli of the form $N=p^rq$ can be factored in polynomial time when $r \simeq \log p$. Their algorithm is based on Coppersmith’s technique for finding small roots of polynomial equations. In this paper we show that $N=p^rq^s$ can also be factored in polynomial time when $r$ or $s$ is at least $(\log p)^3$;...
The points of a moment variety are the vectors of all moments up to some order of a family of probability distributions. We study this variety for mixtures of Gaussians. Following up on Pearson's classical work from 1894, we apply current tools from computational algebra to recover the parameters from the moments. Our moment varieties extend object...
Toric (or sparse) elimination theory is a framework developed during the last decades to exploit monomial structures in systems of Laurent polynomials. Roughly speaking, this amounts to computing in a semigroup algebra, i.e. an algebra generated by a subset of Laurent monomials. In order to solve sparse systems symbolically, we introduce sparse Gr...
Sakata generalized the Berlekamp–Massey algorithm to n dimensions in 1988. The Berlekamp–Massey–Sakata (BMS) algorithm can be used for finding a Gröbner basis of a 0-dimensional ideal of relations verified by a table. We investigate this problem using linear algebra techniques, with motivations such as accelerating change of basis algorithms (FG...
We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature sch...
We investigate the Hidden Subspace Problem ($\mathrm{HSP}_q$) over $\mathbb{F}_q$:
Input: $p_1,\ldots,p_m,q_1,\ldots,q_m\in \mathbb{F}_q[x_1,\ldots,x_n]$ of degree $d\ge 3$ (and $n\le m\le 2n$).
Find: a subspace $A\subset \mathbb{F}_q^n$ of dimension $n/2$ ($n$ is even) such that $p_i(A)=0\ \forall$...
A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic ($\mathrm{QC}$), quasi-dyadic ($\mathrm{QD}$), or quasi-monoidic ($\mathrm{QM}$) matrices. We show that the very same reason which allows t...
This work presents a study of the complexity of the Blum–Kalai–Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and computational effort requirements for solving concrete instances of the LWE problem. We apply this refined analysis to suggested parameters for various LWE-b...
Solving polynomial systems arising from applications is frequently made easier by the structure of the systems. Weighted homogeneity (or quasi-homogeneity) is one example of such a structure: given a system of weights $W=(w_1, \ldots, w_n)$, $W$-homogeneous polynomials are polynomials which are homogeneous w.r.t. the weighted degree $\deg_W(X$...
In this paper, we present a new algebraic attack against some special cases of Wild McEliece Incognito, a generalization of the original McEliece cryptosystem. This attack does not threaten the original McEliece cryptosystem. We prove that recovering the secret key for such schemes is equivalent to solving a system of polynomial equations whose sol...
We analyse the complexity of algebraic algorithms for solving systems of linear equations with \emph{noise}. Such systems arise naturally in the theory of error-correcting codes as well as in computational learning theory. More recently, linear systems with noise have found application in cryptography. The \emph{Learning with Errors} (LWE) problem...
In 2004, an algorithm was introduced to solve the DLP for elliptic curves defined over a non-prime finite field $\mathbb{F}_{q^n}$. One of the main steps of this algorithm requires decomposing points of the curve $E(\mathbb{F}_{q^n})$ with respect to a factor base; this problem is denoted PDP. In this paper, we will apply this algorithm to t...
SILA: Synthesis and Identification for Algebraically Parametrized Linear Dynamical Systems (original title: Synthèse et Identification pour les systèmes dynamiques linéaires paramétrés algébriquement), 3 December 2004. Abstract: The identification and synthesis of parametrized dynamical systems are problems which, in full generality, admit no constructive solutions because of the lack of structure of the optimization problems ...
The usual algorithm to solve polynomial systems using Gröbner bases consists of two steps: first computing the DRL Gröbner basis using the F5 algorithm then computing the LEX Gröbner basis using a change of ordering algorithm. When the Bézout bound is reached, the bottleneck of the total solving process is the change of ordering step. For 20 years,...
The main practical limitation of the McEliece cryptosystem is probably the size of its public-key. To overcome this issue, a famous trend is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a compact parity-check or generator matrix. For instance, a key-size reduction is obtained by taking alternant/Gop...
The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non-trivial automorphism group. Such codes then display symmetries allowing compact parity-check or generator matrices. For instance, a key-reduct...
Decomposition-based index calculus methods are currently efficient only for elliptic curves E defined over non-prime finite fields of very small extension degree n. This corresponds to the fact that the Semaev summation polynomials, which encode the relation search (or “sieving”), grow over-exponentially with n. Actually, even their computation is...
This paper is a survey on the area of signature-based Gröbner basis algorithms that was initiated by Faugère's F5 algorithm in 2002. We explain the general ideas behind the usage of signatures. We show how to classify the various known variants by 3 different orderings. For this we give translations between different notations and show that bes...
In a seminal work at EUROCRYPT ’96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in public-key cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high-degree polynomial, which limits experiments: the bottleneck is an...
Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem where the secret vector is sampled from $\{0,1\}^*$ or $\{-1,0,1\}^*$. We present a variant of the BKW algorithm for binary-LWE and other small secret va...
In this paper, we investigate the security of a public-key encryption scheme introduced by Huang, Liu and Yang (HLY) at PKC'12. This new scheme can be provably reduced to the hardness of solving a set of quadratic equations whose coefficients of highest degree are chosen according to a discrete Gaussian distribution. The other terms being chosen uni...
Toric (or sparse) elimination theory is a framework developed during the last decades to exploit monomial structures in systems of Laurent polynomials. Roughly speaking, this amounts to computing in a semigroup algebra, i.e. an algebra generated by a subset of Laurent monomials. In order to solve sparse systems symbolically, we introduce ...
We study the complexity of Gröbner bases computation, in particular in the generic situation where the variables are in simultaneous Noether position with respect to the system. We give a bound on the number of polynomials of degree d in a Gröbner basis computed by Faugère's F5 algorithm (Fau02) in this generic case for the grevlex ordering (...
A new algebraic approach to investigate the security of the McEliece cryptosystem has been proposed by Faugère-Otmani-Perret-Tillich in Eurocrypt 2010. This paper is an extension of this work. McEliece's scheme relies on the use of error-correcting codes. It has been proved that the private key of the cryptosystem satisfies a system of bi-homog...
Let and be two sets of nonlinear polynomials in ( being a field). We consider the computational problem of finding, if any, an invertible transformation on the variables mapping to . The corresponding equivalence problem is known as Isomorphism of Polynomials with one Secret (IP1S) and is a fundamental problem in multivariate cryptography. Amongst it...
We propose efficient algorithms to compute the Gröbner basis of an ideal $I \subset k[x_1,\ldots,x_n]$ globally invariant under the action of a commutative matrix group $G$, in the non-modular case (where $\mathrm{char}(k)$ does not divide $|G|$). The idea is to simultaneously diagonalize the matrices in $G$, and apply a linear change of variables on $I$ corresponding to the...
Polynomial system solving is a classical problem in mathematics with a wide range of applications. This makes its complexity a fundamental problem in computer science. Depending on the context, solving has different meanings. In order to stick to the most general case, we consider a representation of the solutions from which one can easily recover...
Given a zero-dimensional ideal $I$ in $K[x_1,\ldots,x_n]$ of degree $D$, the transformation of the ordering of its Gröbner basis from DRL to LEX is a key step in polynomial system solving and turns out to be the bottleneck of the whole solving process. Thus it is of crucial importance to design efficient algorithms to perform the change of ordering. The main...
Let $K$ be a field and $(f_1, \ldots, f_n) \subset K[X_1, \ldots, X_n]$ be a sequence of quasi-homogeneous polynomials of respective weighted degrees $(d_1, \ldots, d_n)$ w.r.t. a system of weights $(w_1, \ldots, w_n)$. Such systems are likely to arise from a lot of applications, including physics or cryptography. We design strategies for computing Gröbner bases for quasi-homogen...
We describe a lattice attack on DSA-like signature schemes under the assumption that implicit information on the ephemeral keys is known. Inspired by the implicit oracle of May and Ritzenhofen presented in the context of RSA (PKC2009), we assume that the ephemeral keys share a certain amount of bits without knowing the value of the shared bits. Thi...
We study the problem of determining the probability that $m$ vectors selected uniformly at random from the intersection of the full-rank lattice $L$ in $\mathbb{R}^n$ and the window $[0,B)^n$ generate $L$ when $B$ is chosen to be appropriately large. This problem plays ...
We propose an efficient algorithm to solve polynomial systems whose equations are globally invariant under an action of the symmetric group $G_N$ acting on the variables $x_i$ with $\sigma(x_i) = x_{\sigma(i)}$, where the number of variables is a multiple of $N$. For instance, we can assume that swapping two variables (or two pairs of variables) in one equation gives rise...
The Polynomial System Solving (PoSSo) problem is a fundamental NP-hard problem in computer algebra. Among others, PoSSo has applications in areas such as coding theory and cryptology. Typically, the security of multivariate public-key schemes (MPKC) such as the UOV cryptosystem of Kipnis, Shamir and Patarin is directly related to the hardness of Po...
At CHES 2009, Renauld, Standaert and Veyrat-Charvillon introduced a new kind of attack called algebraic side-channel attacks (ASCA). They showed that side-channel information leads to effective algebraic attacks. These results are mostly experimental, since they rely heavily on the use of a SAT solver. This article presents a theoretical study to explai...
The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor basis. This part can be nicely reformulated as a p...
We consider the problem of computing critical points of the restriction of a polynomial map to an algebraic variety. This is of first importance since the global minimum of such a map is reached at a critical point. Thus, these points appear naturally in non-convex polynomial optimization which occurs in a wide range of scientific applications (con...
Solving polynomial systems is very common in various fields of mathematics, physics, and so on. The main tool for solving this problem is the Gröbner basis. Practical complexity is at most exponential both in time and space. Such applications have a crucial need for computing resources. We have developed at the University Paris 6 a parallel al...
A fundamental problem in computer science is to find all the common zeroes of $m$ quadratic polynomials in $n$ unknowns over $\mathbb{F}_2$. The cryptanalysis of several modern ciphers reduces to this problem. Up to now, the best complexity bound was reached by an exhaustive search in $4\log_2 n\,2^n$ operations. We give an algorithm that reduces t...
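The abstract above contrasts naive exhaustive search over $\mathbb{F}_2^n$ with a cheaper way to walk the same $2^n$ points. The block below is an added example written for this page, not the cited paper's algorithm: it illustrates the amortisation idea behind that abstract by enumerating the points in Gray-code order, so consecutive points differ in one variable and every polynomial value is updated from a first derivative, which in turn moves by a constant second derivative. The random test system, its size and the bit-packing of equations into Python integers are choices made for this demonstration; a naive evaluator is kept alongside as the reference the fast search is checked against.

```python
"""Exhaustive search for the common zeros of quadratic polynomials over GF(2),
amortised with a Gray-code walk.

Added example for this page, not the cited paper's algorithm: a small
illustration of the idea that abstract points to.  Naive search evaluates every
polynomial from scratch at each of the 2^n points.  If consecutive points differ
in one variable, the value moves by the first derivative in that variable, and
each first derivative moves by a second derivative, which for a quadratic is a
constant.  The m equations are packed bit-per-equation into Python integers, so
one step costs about n integer XORs instead of m*n^2 term evaluations.
"""
import random


def random_system(n, m, rng):
    """m random quadratics over GF(2) in n variables (constructed test data).
    A polynomial is (quad, lin, const): quad[i][j] (i<j) is the coefficient of
    x_i*x_j, lin[i] that of x_i (x_i^2 == x_i, so squares live here), const
    the constant term."""
    system = []
    for _ in range(m):
        quad = [[rng.randrange(2) if i < j else 0 for j in range(n)] for i in range(n)]
        lin = [rng.randrange(2) for _ in range(n)]
        system.append((quad, lin, rng.randrange(2)))
    return system


def evaluate(poly, x):
    """Naive evaluation of one polynomial at the point x (an n-bit integer)."""
    quad, lin, const = poly
    n = len(lin)
    bits = [(x >> i) & 1 for i in range(n)]
    v = const
    for i in range(n):
        if bits[i]:
            v ^= lin[i]
            for j in range(i + 1, n):
                v ^= quad[i][j] & bits[j]
    return v


def naive_search(system, n):
    """Reference: test all 2^n points from scratch."""
    return [x for x in range(1 << n) if all(evaluate(p, x) == 0 for p in system)]


def gray_code_search(system, n):
    """Common zeros of `system`, walking GF(2)^n in Gray-code order.

    Bit e of each integer below belongs to equation e:
      val      value f_e(x) at the current point
      d[i]     first derivative  f_e(x ^ e_i) ^ f_e(x)
      dd[i][j] second derivative, constant for a quadratic (= quad coefficient)
    """
    val = 0
    d = [0] * n
    dd = [[0] * n for _ in range(n)]
    for e, (quad, lin, const) in enumerate(system):
        val |= const << e                          # f_e(0) = constant term
        for i in range(n):
            d[i] |= lin[i] << e                    # d_i(0) = linear coefficient
            for j in range(i + 1, n):
                dd[i][j] |= quad[i][j] << e
                dd[j][i] |= quad[i][j] << e
    x = 0
    zeros = [0] if val == 0 else []
    for k in range(1, 1 << n):
        i = (k & -k).bit_length() - 1              # Gray code: flip bit ctz(k)
        x ^= 1 << i
        val ^= d[i]                                # f(x ^ e_i) = f(x) ^ d_i(x)
        for j in range(n):
            d[j] ^= dd[i][j]                       # d_j(x ^ e_i) = d_j(x) ^ dd[i][j]; dd[i][i] = 0
        if val == 0:                               # every equation vanishes here
            zeros.append(x)
    return sorted(zeros)


if __name__ == "__main__":
    rng = random.Random(2024)
    system = random_system(10, 10, rng)
    print(gray_code_search(system, 10) == naive_search(system, 10))
```

The inner loop touches only `val` and the `n` derivative words, so its cost is independent of `m` up to the machine word size; this is the same reason bit-sliced implementations of this search are used in practice for MQ-based cryptanalysis, where `m` is close to `n`.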
We study the complexity of solving the generalized MinRank problem, i.e. computing the set of points where the evaluation of a polynomial matrix has rank at most $r$. A natural algebraic representation of this problem gives rise to a determinantal ideal: the ideal generated by all minors of size $r+1$ of the matrix. We give new comple...
We initiate the formal treatment of cryptographic constructions ("Polly Cracker") based on the hardness of computing remainders modulo an ideal over multivariate polynomial rings. We start by formalising the relation between the ideal remainder problem and the problem of computing a Gröbner basis. We show both positive and negative results. On the...
We present MQQ-SIG, a signature scheme based on “Multivariate Quadratic Quasigroups”. The MQQ-SIG signature scheme has a public key consisting of $\frac{n}{2}$ quadratic polynomials in n variables where n = 160, 192, 224 or 256. Under the assumption that solving systems of $\frac{n}{2}$ MQQ’s equations in n variables is as hard as solving syste...
Let $I \subset K[x_1,\ldots,x_n]$ be a 0-dimensional ideal of degree $D$ where $K$ is a field. It is well-known that obtaining efficient algorithms for change of ordering of Gröbner bases of $I$ is crucial in polynomial system solving. Through the algorithm FGLM, this task is classically tackled by linear algebra operations in $K[x_1,\ldots,x_n]/I$. With recent progress on...
It is well known that in the computation of Gröbner bases arbitrarily small perturbations in the coefficients of polynomials may lead to a completely different staircase, even if the solutions of the polynomial system change continuously. This phenomenon is called artificial discontinuity in Kondratyev’s Ph.D. thesis. We show how such phenomenon ma...
We investigate the security of a generalization of HFE (multivariate and odd-characteristic variants). First, we propose an improved version of the basic Kipnis-Shamir key recovery attack against HFE. Second, we generalize the Kipnis-Shamir attack to Multi-HFE. The attack reduces to solving a MinRank problem directly on the public key. This leads to...
This paper presents a practical cryptanalysis of the Identification Scheme proposed by Patarin at Crypto 1996. This scheme relies on the hardness of the Isomorphism of Polynomials with One Secret (IP1S), and enjoys shorter keys than many other schemes based on the hardness of a combinatorial problem (as opposed to number-theoretic problems). Patari...
Artificial discontinuity is a kind of singularity at a parametric point in computing the Gröbner basis of a specialized parametric ideal w.r.t. a certain term order. When it occurs, though parameters change continuously at the point and the properties of the parametric ideal have no sudden changes, the Gröbner basis will still have a jump at the pa...
The computation of Gröbner bases remains one of the most powerful methods for tackling the Polynomial System Solving (PoSSo) problem. The most efficient known algorithms reduce the Gröbner basis computation to Gaussian eliminations on several matrices. However, several degrees of freedom are available to generate these matrices. It is well known th...
The Isomorphism of Polynomials (IP) is one of the most fundamental problems in multivariate public key cryptography (MPKC). In this paper, we introduce a new framework to study the counting problem associated to IP. Namely, we present tools of finite geometry allowing to investigate the counting problem associated to IP. Precisely, we focus on enum...
We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system—instead of a univariate polynomial in HFE—over an extension field as a private key. According to the authors, this shoul...
Cayley hash functions are a particular kind of cryptographic hash functions with very appealing properties. Unfortunately, their security is related to a mathematical problem whose hardness is not very well understood, the factorization problem in finite groups. Given a group G, a set of generators S for this group and an element g ∈ G, the factori...
MQQ is a multivariate public key cryptosystem (MPKC) based on multivariate quadratic quasigroups and a special transform called “Dobbertin transformation” [17]. The security of MQQ, as well as any MPKC, reduces to the difficulty of solving a non-linear system of equations easily derived from the public key. In [26], it has been observed that t...
In this paper, we present an algebraic attack against the Flurry and Curry block ciphers [12,13]. Usually, algebraic attacks against block ciphers only require one message/ciphertext pair to be mounted. In this paper, we investigate a different approach. Roughly, the idea is to generate an algebraic system from the knowledge of several well chosen...
Algebraic cryptanalysis is a general tool which permits one to assess the security of a wide range of cryptographic schemes. Algebraic techniques have been successfully applied against a number of multivariate schemes and stream ciphers. Yet, their feasibility against block ciphers remains the source of much speculation. In this context, algebraic...
This document contains the Intellectual Property Statement and the technical description of the MQQ-SIG - a new public key digital signature scheme. The complete scientific publication covering the design rationale and the security analysis will be given in a separate publication. MQQ-SIG consists of $n - \frac{n}{4}$ quadratic polynomials with $n$...
The purpose of this talk is to study the difficulty of the Goppa Code Distinguishing (GD) problem, which is the problem of distinguishing the public matrix in the McEliece cryptosystem from a random matrix. It is widely believed that this problem is computationally hard as proved by the increasing number of papers using this hardness assumption. O...
FGb is a high-performance, portable C library for computing Gröbner bases over the integers and over finite fields. FGb provides high-quality implementations of state-of-the-art algorithms (F4 and F5) for computing Gröbner bases. Currently, it is one of the best implementations of these algorithms, in terms of both speed and robustness. For insta...
In this paper, we present an efficient cryptanalysis of the so-called HM cryptosystem which was published at Asiacrypt’1999, and one perturbed version of HM. Until now, this scheme was exempt from cryptanalysis. We first present a distinguisher which uses a differential property of the public key. This distinguisher makes it possible to break one perturbed v...
Computing loci of rank defects of linear matrices (also called the MinRank problem) is a fundamental NP-hard problem of linear algebra which has applications in Cryptology, in Error Correcting Codes and in Geometry. Given a square linear matrix (i.e. a matrix whose entries are k-variate linear forms) of size n and an integer r, the problem is to fi...
We consider the composition $f = g \circ h$ of two systems $g = (g_0, \ldots, g_t)$ and $h = (h_0, \ldots, h_s)$ of homogeneous multivariate polynomials over a field $K$, where each $g_j \in K[y_0, \ldots, y_s]$ has degree $\ell$, each $h_k \in K[x_0, \ldots, x_r]$ has degree $m$, and $f_i = g_i(h_0, \ldots, h_s) \in K[x_0, \ldots, x_r]$ has degree $n = \ell \cdot m$, for $0 \le i \le t$. The motivation of this paper is to...