# Jean-Charles Faugère's research while affiliated with French National Centre for Scientific Research and other places

## Publications (173)

Article
Let K be a field and (f1,…,fs,ϕ) be multivariate polynomials in K[x1,…,xn] (with s<n) each invariant under the action of Sn, the group of permutations of {1,…,n}. We consider the problem of computing the critical points of ϕ restricted to the algebraic set V(f), where f=(f1,…,fs). This is the same as computing the points at which f vanishes and the...
Preprint
Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp-Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding req...
Article
Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp–Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding req...
Article
Full-text available
In this article, we present algebraic attacks against the Extension Field Cancellation ($$\texttt {EFC}$$) scheme, a multivariate public-key encryption scheme which was published at PQCRYPTO’2016. First, we present a successful Gröbner basis message-recovery attack on the first and second proposed parameters of the scheme. For the first challenge p...
Preprint
Full-text available
Effective computation of resultants is a central problem in elimination theory and polynomial system solving. Commonly, we compute the resultant as a quotient of determinants of matrices and we say that there exists a determinantal formula when we can express it as a determinant of a matrix whose elements are the coefficients of the input polynomia...
Article
The “quantum threat” to our current, convenient cryptographic algorithms is getting closer, with demonstrable progress by commercial quantum computing efforts. It is now more important than ever that we combine all of our tools into a new quantum-safe toolbox to develop the next generation of quantum-safe networking solutions. Here we combine an in...
Preprint
Let $\mathbf{K}$ be a field and $\phi$, $\mathbf{f} = (f_1, \ldots, f_s)$ in $\mathbf{K}[x_1, \dots, x_n]$ be multivariate polynomials (with $s < n$) invariant under the action of $\mathcal{S}_n$, the group of permutations of $\{1, \dots, n\}$. We consider the problem of computing the points at which $\mathbf{f}$ vanish and the Jacobian matrix asso...
Article
Symmetric tensor decomposition is an important problem with applications in several areas, for example signal processing, statistics, data analysis and computational neuroscience. It is equivalent to Waring's problem for homogeneous polynomials, that is to write a homogeneous polynomial in n variables of degree D as a sum of D-th powers of linear f...
Chapter
Full-text available
In this document, we introduce : a Digital Signature Scheme based on the Permuted Kernel Problem (PKP) [23]. PKP is a simple NP-hard [10] combinatorial problem that consists of finding a kernel for a publicly known matrix, such that the kernel vector is a permutation of a publicly known vector. This problem was used to develop an Identification Sch...
Article
The Berlekamp–Massey–Sakata algorithm and the Scalar-FGLM algorithm both compute the ideal of relations of a multidimensional linear recurrent sequence. Whenever quering a single sequence element is prohibitive, the bottleneck of these algorithms becomes the computation of all the needed sequence terms. As such, having adaptive variants of these al...
Conference Paper
Grö bner bases is one the most powerful tools in algorithmic nonlinear algebra. Their computation is an intrinsically hard problem with a complexity at least single exponential in the number of variables. However, in most of the cases, the polynomial systems coming from applications have some kind of structure. We consider sparse systems where the...
Article
Full-text available
At STOC 2012, Aaronson and Christiano proposed a noisy and a noiseless version of the first public‐key quantum money scheme endowed with a security proof. This paper addresses the so‐called noisy hidden subspaces problem, on which the noisy version of their scheme is based. The first contribution of this work is a non‐quantum cryptanalysis of the a...
Article
Full-text available
In 2017, NIST shook the cryptographic world by starting a process for standardizing post-quantum cryptography. Sixty-four submissions have been considered for the first round of the on-going NIST Post-Quantum Cryptography (PQC) process. Multivariate cryptography is a classical post-quantum candidate that turns to be the most represented in the sign...
Preprint
Gr{\"o}bner bases is one the most powerful tools in algorithmic non-linear algebra. Their computation is an intrinsically hard problem with a complexity at least single exponential in the number of variables. However, in most of the cases, the polynomial systems coming from applications have some kind of structure. For example , several problems in...
Preprint
Symmetric tensor decomposition is an important problem with applications in several areas for example signal processing, statistics, data analysis and computational neuroscience. It is equivalent to Waring's problem for homogeneous polynomials, that is to write a homogeneous polynomial in $n$ variables of degree $D$ as a sum of $D$-th powers of lin...
Conference Paper
Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp--Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding re...
Conference Paper
One of the biggest open problems in computational algebra is the design of efficient algorithms for Gröbner basis computations that take into account the sparsity of the input polynomials. We can perform such computations in the case of unmixed polynomial systems, that is systems with polynomials having the same support, using the approach of Faugè...
Preprint
The Berlekamp--Massey--Sakata algorithm and the Scalar-FGLM algorithm both compute the ideal of relations of a multidimensional linear recurrent sequence.Whenever quering a single sequence element is prohibitive, the bottleneck of these algorithms becomes the computation of all the needed sequence terms. As such, having adaptive variants of these a...
Preprint
A fundamental problem in computational algebraic geometry is the computation of the resultant. A central question is when and how to compute it as the determinant of a matrix. whose elements are the coefficients of the input polynomials up-to sign. This problem is well understood for unmixed multihomogeneous systems, that is for systems consisting...
Preprint
One of the biggest open problems in computational algebra is the design of efficient algorithms for Gr{\"o}bner basis computations that take into account the sparsity of the input polynomials. We can perform such computations in the case of unmixed polynomial systems, that is systems with polynomials having the same support, using the approach of F...
Article
Computing discrete logarithms is generically a difficult problem. For divisor class groups of curves defined over extension fields, a variant of the Index-Calculus called decomposition attack is used, and it can be faster than generic approaches. In this situation, collecting the relations is done by solving multiple instances of the point m-decomp...
Article
We compare thoroughly the Berlekamp -- Massey -- Sakata algorithm and the Scalar-FGLM algorithm, which compute both the ideal of relations of a multi-dimensional linear recurrent sequence. Suprisingly, their behaviors differ. We detail in which way they do and prove that it is not possible to tweak one of the algorithms in order to mimic exactly th...
Conference Paper
This paper is a position paper based on an invited talk at WISA’16 in Korea. We argue that Quantum-Safe Cryptography (QSC) will likely have a deep impact on the practice of IT professionals. We detail also in the second part a classical candidate for quantum-safe cryptography: multivariate cryptography. Finally, we conclude by presenting HFEBoost a...
Article
The so-called Berlekamp–Massey–Sakata algorithm computes a Gröbner basis of a 0-dimensional ideal of relations satisfied by an input table. It extends the Berlekamp–Massey algorithm to n-dimensional tables, for n>1. We investigate this problem and design several algorithms for computing such a Gröbner basis of an ideal of relations using linear alg...
Conference Paper
Symmetric Tensor Decomposition is a major problem that arises in areas such as signal processing, statistics, data analysis and computational neuroscience. It is equivalent to write a homogeneous polynomial in $n$ variables of degree $D$ as a sum of $D$-th powers of linear forms, using the minimal number of summands. This minimal number is called t...
Conference Paper
Given several n-dimensional sequences, we first present an algorithm for computing the Grobner basis of their module of linear recurrence relations. A P-recursive sequence (ui)i ∈ Nⁿ satisfies linear recurrence relations with polynomial coefficients in i, as defined by Stanley in 1980. Calling directly the aforementioned algorithm on the tuple of s...
Article
In 1965 Buchberger introduced an algorithmic approach to compute Gröbner bases. Later on, he and many others presented various attempts to improve the computation by removing useless elements a priori. One approach, initiated by Gebauer, Möller, Mora and Traverso in the 1990s, is to keep track of the corresponding syzygies which is related to the t...
Conference Paper
B{\'e}zout 's theorem states that dense generic systems of n multivariate quadratic equations in n variables have 2 n solutions over algebraically closed fields. When only a small subset M of monomials appear in the equations (fewnomial systems), the number of solutions may decrease dramatically. We focus in this work on subsets of quadratic monomi...
Article
Control theory has recently been involved in the field of nuclear magnetic resonance imagery. The goal is to control the magnetic field optimally in order to improve the contrast between two biological matters on the pictures. Geometric optimal control leads us here to analyze meromorphic vector fields depending upon physical parameters, and having...
Article
We formally treat cryptographic constructions based on the hardness of deciding ideal membership in multivariate polynomial rings. Of particular interest to us is a class of schemes known as "Polly Cracker." We start by formalising and studying the relation between the ideal membership problem and the problem of computing a Grobner basis. We show b...
Conference Paper
This is a system paper about a new GPLv2 open source C library GBLA implementing and improving the idea of Faug\ere and Lachartre (GB reduction). We further exploit underlying structures in matrices generated during Gr\"obner basis computations in algorithms like F4 or F5 taking advantage of block patterns by using a special data structure called...
Conference Paper
Boneh et al. showed at Crypto 99 that moduli of the form $$N=p^rq$$ can be factored in polynomial time when $$r \simeq \log p$$. Their algorithm is based on Coppersmith’s technique for finding small roots of polynomial equations. In this paper we show that $$N=p^rq^s$$ can also be factored in polynomial time when r or s is at least $$(\log p)^3$$;...
Article
Full-text available
The points of a moment variety are the vectors of all moments up to some order of a family of probability distributions. We study this variety for mixtures of Gaussians. Following up on Pearson's classical work from 1894, we apply current tools from computational algebra to recover the parameters from the moments. Our moment varieties extend object...
Article
Toric (or sparse) elimination theory is a framework developped during the last decades to exploit monomial structures in systems of Laurent polynomials. Roughly speaking, this amounts to computing in a semigroup algebra, i.e. an algebra generated by a subset of Laurent monomials. In order to solve symbolically sparse systems, we introduce sparse Gr...
Conference Paper
Sakata generalized the Berlekamp--Massey algorithm to n dimensions in~1988. The Berlekamp--Massey--Sakata (BMS) algorithm can be used for finding a Grbner basis of a 0-dimensional ideal of relations verified by a table. We investigate this problem usingö linear algebra techniques, with motivations such as accelerating change of basis algorithms (FG...
Conference Paper
Full-text available
We investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular , the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature sch...
Conference Paper
Full-text available
We investigate the Hidden Subspace Problem ($$\mathrm{HSP}_q$$) over $${\mathbb {F}}_q$$: Input : $$p_1,\ldots ,p_m,q_1,\ldots ,q_m\in {\mathbb {F}}_q[x_1,\ldots ,x_n]$$ of degree $$d\ge 3$$ (and $$n\le m\le 2n$$). Find : a subspace $$A\subset {{\mathbb {F}}_q}^n$$ of dimension $$n/2$$ ($$n$$ is even) such that \begin{aligned} p_i(A)=0\,\,\forall...
Article
Full-text available
A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic ( $$\mathrm{QC}$$ ), quasi-dyadic ( $$\mathrm{QD}$$ ), or quasi-monoidic ( $$\mathrm{QM}$$ ) matrices. We show that the very same reason which allows t...
Article
Full-text available
This work presents a study of the complexity of the Blum–Kalai–Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and computational effort requirements for solving concrete instances of the LWE problem. We apply this refined analysis to suggested parameters for various LWE-b...
Article
Solving polynomial systems arising from applications is frequently made easier by the structure of the systems. Weighted homogeneity (or quasi-homogeneity) is one example of such a structure: given a system of weights $W=(w\_{1}, ...,w\_{n})$, $W$-homogeneous polynomials are polynomials which are homogeneous w.r.t the weighted degree $\deg\_{W}(X\_... Conference Paper Full-text available In this paper, we present a new algebraic attack against some special cases of Wild McEliece Incognito, a generalization of the original McEliece cryptosystem. This attack does not threaten the original McEliece cryptosystem. We prove that recovering the secret key for such schemes is equivalent to solving a system of polynomial equations whose sol... Article Full-text available We analyse the complexity of algebraic algorithms for solving systems of linear equations with \emph{noise}. Such systems arise naturally in the theory of error-correcting codes as well as in computational learning theory. More recently, linear systems with noise have found application in cryptography. The \emph{Learning with Errors} (LWE) problem... Article In 2004, an algorithm is introduced to solve the DLP for elliptic curves defined over a non-prime finite field $$\mathbb{F}_{q^{n}}$$. One of the main steps of this algorithm requires decomposing points of the curve $$E(\mathbb{F}_{q^{n}})$$ with respect to a factor base, this problem is denoted PDP. In this paper, we will apply this algorithm to t... Technical Report Full-text available SILA: Synthèse et Identification pour les systèmes dynamiques linéaires paramétrés algébriquement 3 décembre 2004 Résumé L'identification et la synthèse des systèmes dynamiques paramétrés sont des problématiques qui, dans leur généralité, n'admettent pas de solutions construc-tivesàtivesà cause du manque de structure desprobì emes d'optimisation au... Conference Paper The usual algorithm to solve polynomial systems using Gröbner bases consists of two steps: first computing the DRL Gröbner basis using the F5 algorithm then computing the LEX Gröbner basis using a change of ordering algorithm. When the Bézout bound is reached, the bottleneck of the total solving process is the change of ordering step. For 20 years,... Conference Paper The main practical limitation of the McEliece cryptosystem is probably the size of its public-key. To overcome this issue, a famous trend is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a compact parity-check or generator matrix. For instance, a key-size reduction is obtained by taking alternant/Gop... Article Full-text available The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non trivial automorphism group. Such codes display then symmetries allowing compact parity-check or generator matrices. For instance, a key-reduct... Conference Paper Full-text available Decomposition-based index calculus methods are currently efficient only for elliptic curves E defined over non-prime finite fields of very small extension degree n. This corresponds to the fact that the Semaev summation polynomials, which encode the relation search (or “sieving”), grow over-exponentially with n. Actually, even their computation is... Article This paper is a survey on the area of signature-based Gr\"obner basis algorithms that was initiated by Faug\ere's F5 algorithm in 2002. We explain the general ideas behind the usage of signatures. We show how to classify the various known variants by 3 different orderings. For this we give translations between different notations and show that bes... Conference Paper Full-text available In a seminal work at EUROCRYPT ’96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in public-key cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high-degree polynomial, which limits experiments: the bottleneck is an... Conference Paper Full-text available Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem where the secret vector is sampled from {0,1} ∗ or { − 1,0,1} ∗ . We present a variant of the BKW algorithm for binary-LWE and other small secret va... Conference Paper Full-text available In this paper, we investigate the security of a public-key encryption scheme introduced by Huang, Liu and Yang (HLY) at PKC'12. This new scheme can be provably reduced to the hardness of solving a set of quadratic equations whose coe cients of highest degree are chosen according to a discrete Gaussian distributions. The other terms being chosen uni... Article Full-text available Toric (or sparse) elimination theory is a framework developped during the last decades to exploit monomial structures in systems of Laurent polynomials. Roughly speaking, this amounts to computing in a \emph{semigroup algebra}, i.e. an algebra generated by a subset of Laurent monomials. In order to solve symbolically sparse systems, we introduce \e... Article We study the complexity of Gr\"obner bases computation, in particular in the generic situation where the variables are in simultaneous Noether position with respect to the system. We give a bound on the number of polynomials of degree d in a Gr\"obner basis computed by Faug\`ere's F5 algorithm (Fau02) in this generic case for the grevlex ordering (... Article Full-text available A new algebraic approach to investigate the security of the McEliece cryptosystem has been proposed by Faugère-Otmani-Perret-Tillich in Eurocrypt 2010. This paper is an extension of this work. The McEliece's scheme relies on the use of error-correcting codes. It has been proved that the private key of the cryptosystem satisfies a system of bi-homog... Article Let and be two sets of nonlinear polynomials in ( being a field). We consider the computational problem of finding-if any-an invertible transformation on the variables mapping to . The corresponding equivalence problem is known as Isomorphism of Polynomials with one Secret (IP1S) and is a fundamental problem in multivariate cryptography. Amongst it... Conference Paper We propose efficient algorithms to compute the Gröbner basis of an ideal I subset k[x1,...,xn] globally invariant under the action of a commutative matrix group G, in the non-modular case (where char(k) doesn't divide |G|). The idea is to simultaneously diagonalize the matrices in G, and apply a linear change of variables on I corresponding to the... Article Full-text available Polynomial system solving is a classical problem in mathematics with a wide range of applications. This makes its complexity a fundamental problem in computer science. Depending on the context, solving has different meanings. In order to stick to the most general case, we consider a representation of the solutions from which one can easily recover... Article Given a zero-dimensional ideal I in K[x1,...,xn] of degree D, the transformation of the ordering of its Groebner basis from DRL to LEX is a key step in polynomial system solving and turns out to be the bottleneck of the whole solving process. Thus it is of crucial importance to design efficient algorithms to perform the change of ordering. The main... Article Let K be a field and (f1, ..., fn)\subset K[X1, ..., Xn] be a sequence of quasi-homogeneous polynomials of respective weighted degrees (d1, ..., dn) w.r.t a system of weights (w1,...,wn). Such systems are likely to arise from a lot of applications, including physics or cryptography. We design strategies for computing Gröbner bases for quasi-homogen... Conference Paper We describe a lattice attack on DSA-like signature schemes under the assumption that implicit information on the ephemeral keys is known. Inspired by the implicit oracle of May and Ritzenhofen presented in the context of RSA (PKC2009), we assume that the ephemeral keys share a certain amount of bits without knowing the value of the shared bits. Thi... Article We study the problem of determining the probability that m vectors selected uniformly at random from the intersection of the full-rank lattice @L in R^n and the window [0,B)^n generate @L when B is chosen to be appropriately large. This problem plays ... Article Full-text available Conference Paper We propose an efficient algorithm to solve polynomial systems of which equations are globally invariant under an action of the symmetric group GN acting on the variable xi with σ(xi) = xσ(i) and the number of variables is a multiple of N. For instance, we can assume that swapping two variables (or two pairs of variables) in one equation gives rise... Conference Paper Full-text available The Polynomial System Solving (PoSSo) problem is a fundamental NP-Hard problem in computer algebra. Among others, PoSSo have applications in area such as coding theory and cryptology. Typically, the security of multivariate public-key schemes (MPKC) such as the UOV cryptosystem of Kipnis, Shamir and Patarin is directly related to the hardness of Po... Article Full-text available At CHES 2009, Renauld, Standaert and Veyrat-Charvillon introduced a new kind of attack called algebraic side-channel attacks (ASCA). They showed that side-channel information leads to effective algebraic attacks. These results are mostly experiments since strongly based on the use of a SAT solver. This article presents a theoretical study to explai... Conference Paper Full-text available The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor basis. This part can be nicely reformulated as a p... Article Full-text available We consider the problem of computing critical points of the restriction of a polynomial map to an algebraic variety. This is of first importance since the global minimum of such a map is reached at a critical point. Thus, these points appear naturally in non-convex polynomial optimization which occurs in a wide range of scientific applications (con... Article Solving polynomial system is very common in various fields of mathematics, physics, and so on. The main tool for solving this problem is "Grobner basis". Practical complexity is at most exponential both in time and space. This kind of applications have a crucial needs in computing resources. We have developed at the University Paris 6 a parallel al... Article A fundamental problem in computer science is to find all the common zeroes of$m$quadratic polynomials in$n$unknowns over$\mathbb{F}_2$. The cryptanalysis of several modern ciphers reduces to this problem. Up to now, the best complexity bound was reached by an exhaustive search in$4\log_2 n\,2^n$operations. We give an algorithm that reduces t... Article We study the complexity of solving the \emph{generalized MinRank problem}, i.e. computing the set of points where the evaluation of a polynomial matrix has rank at most$r$. A natural algebraic representation of this problem gives rise to a \emph{determinantal ideal}: the ideal generated by all minors of size$r+1$of the matrix. We give new comple... Conference Paper Full-text available We initiate the formal treatment of cryptographic constructions ("Polly Cracker") based on the hardness of computing remainders modulo an ideal over multivariate polynomial rings. We start by formalising the relation between the ideal remainder problem and the problem of computing a Gröbner basis. We show both positive and negative results. On the... Conference Paper Full-text available We present MQQ-SIG, a signature scheme based on “Multivariate Quadratic Quasigroups”. The MQQ-SIG signature scheme has a public key consisting of $$\frac{n}{2}$$ quadratic polynomials in n variables where n = 160, 192, 224 or 256. Under the assumption that solving systems of $$\frac{n}{2}$$ MQQ’s equations in n variables is as hard as solving syste... Conference Paper Let I in K[x1,...,xn] be a 0-dimensional ideal of degree D where K is a field. It is well-known that obtaining efficient algorithms for change of ordering of Gröbner bases of I is crucial in polynomial system solving. Through the algorithm FGLM, this task is classically tackled by linear algebra operations in K[x1,...,n]/I. With recent progress on... Article It is well known that in the computation of Gröbner bases arbitrarily small perturbations in the coefficients of polynomials may lead to a completely different staircase, even if the solutions of the polynomial system change continuously. This phenomenon is called artificial discontinuity in Kondratyev’s Ph.D. thesis. We show how such phenomenon ma... Conference Paper Full-text available We investigate the security of a generalization of HFE (multivariate and odd-characteristic variants). First, we propose an improved version of the basic Kipnis-Shamir key recovery attack against HFE. Second, we generalize the Kipnis-Shamir attack to Multi-HFE. The attack reduces to solve a MinRank problem directly on the public key. This leads to... Conference Paper Full-text available This paper presents a practical cryptanalysis of the Identification Schem e proposed by Patarin at Crypto 1996. This scheme relies on the hardness of the Isomorphism of Polynomial with One Secret (IP1S), and enjoys shorter key than many other schemes based on the hardness of a combinatorial problem (as opposed to number- theoretic problems). Patari... Article Artificial discontinuity is a kind of singularity at a parametric point in computing the Gröbner basis of a specialized parametric ideal w.r.t. a certain term order. When it occurs, though parameters change continuously at the point and the properties of the parametric ideal have no sudden changes, the Gröbner basis will still have a jump at the pa... Article Full-text available The computation of Gröbner bases remains one of the most powerful methods for tackling the Polynomial System Solving (PoSSo) problem. The most efficient known algorithms reduce the Gröbner basis computation to Gaussian eliminations on several matrices. However, several degrees of freedom are available to generate these matrices. It is well known th... Article The Isomorphism of Polynomials (IP) is one of the most fundamental problems in multivariate public key cryptography (MPKC). In this paper, we introduce a new framework to study the counting problem associated to IP. Namely, we present tools of finite geometry allowing to investigate the counting problem associated to IP. Precisely, we focus on enum... Article Full-text available We investigate in this paper the security of HFE and Multi-HFE schemes as well as their minus and embedding variants. Multi-HFE is a generalization of the well-known HFE schemes. The idea is to use a multivariate quadratic system—instead of a univariate polynomial in HFE—over an extension field as a private key. According to the authors, this shoul... Article Full-text available Cayley hash functions are a particular kind of cryptographic hash functions with very appealing properties. Unfortunately, their security is related to a mathematical problem whose hardness is not very well understood, the factorization problem in finite groups. Given a group G, a set of generators S for this group and an element g ∈ G, the factori... Conference Paper Full-text available MQQ is a multivariate public key cryptosystem (MPKC) based on multivariate quadratic quasigroups and a special transform called “Dobbertin transformation” [17]. The security of MQQ, as well as any MPKC, reduces to the difficulty of solving a non-linear system of equations easily derived from the public key. In [26], it has been observed that that t... Conference Paper Full-text available In this paper, we present an algebraic attack against the Flurry and Curry block ciphers [12,13]. Usually, algebraic attacks against block ciphers only require one message/ciphertext pair to be mounted. In this paper, we investigate a different approach. Roughly, the idea is to generate an algebraic system from the knowledge of several well chosen... Conference Paper Full-text available Algebraic cryptanalysis is a general tool which permits one to assess the security of a wide range of cryptographic schemes. Algebraic techniques have been successfully applied against a number of multivariate schemes and stream ciphers. Yet, their feasibility against block ciphers remains the source of much speculation. In this context, algebraic... Article Full-text available This document contains the Intellectual Property Statement and the technical description of the MQQ-SIG - a new public key digital signature scheme. The complete scientific publication covering the design rationale and the security analysis will be given in a separate publication. MQQ-SIG consists of$n - \frac{n}{4}$quadratic polynomials with$n\$...
Article
Full-text available
The purpose of this talk is to study the difficulty of the Goppa Code Distinguishing (GD) problem, which is the problem of distinguishing the public matrix in the McEliece cryptosystem from a random matrix. It is widely believed that this problem is computationally hard as proved by the increas-ing number of papers using this hardness assumption. O...
Conference Paper
FGb is a high-performance, portable, C library for computing Gröbner bases over the integers and over finite fields. FGb provides high quality implementations of state-of-the-art algorithms (F 4 and F 5) for computing Gröbner bases. Currently, it is one of the best implementation of these algorithms, in terms of both speed and robustness. For insta...
Conference Paper
Full-text available
In this paper, we present an efficient cryptanalysis of the so-called HM cryptosystem which was published at Asiacrypt’1999, and one perturbed version of HM. Until now, this scheme was exempt from cryptanalysis. We first present a distinguisher which uses a differential property of the public key. This distinguisher permits to break one perturbed v...
Conference Paper
Full-text available
Computing loci of rank defects of linear matrices (also called the MinRank problem) is a fundamental NP-hard problem of linear algebra which has applications in Cryptology, in Error Correcting Codes and in Geometry. Given a square linear matrix (i.e. a matrix whose entries are k-variate linear forms) of size n and an integer r, the problem is to fi...
Conference Paper
Full-text available
We consider the composition f =g o h of two systems g= (g0, ..., gt) and h=(h0, ..., hs) of homogeneous multivariate polynomials over a field K, where each gj ∈ K[y0, ..., ys] has degree &ell; each hk ∈ K[x0, ..., xr] has degree m, and fi = gi(h0, ..., hs) ∈ K[x0, ..., xr] has degree n = &ell; · m, for 0 ≤ i ≤ t. The motivation of this paper is to...