Jean-Charles Faugère’s research while affiliated with French National Centre for Scientific Research and other places

Let K be a field and (f1,…,fs,ϕ) be multivariate polynomials in K[x1,…,xn] (with s<n) each invariant under the action of Sn, the group of permutations of {1,…,n}. We consider the problem of computing the critical points of ϕ restricted to the algebraic set V(f), where f=(f1,…,fs). This is the same as computing the points at which f vanishes and the Jacobian matrix associated to (f1,…,fs,ϕ) is rank deficient, provided that this set is finite. We exploit the invariance properties of the input to split the solution space according to the orbits of Sn. This allows us to design an algorithm which gives a triangular description of the solution space and which runs in time polynomial in ds, (n+dd) and (ns+1) where d is the maximum degree of the input polynomials. When d,s are fixed, this is polynomial in n while when s is fixed and d≃n this yields an exponential speed-up with respect to the usual polynomial system solving algorithms.

Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp-Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding require guessing linear recurrence relations of a multivariate sequence.Several algorithms solve this problem. The so-called Berlekamp-Massey-Sakata algorithm (1988) uses polynomial additions and shifts by a monomial. The Scalar-FGLM algorithm (2015) relies on linear algebra operations on a multi-Hankel matrix, a multivariate generalization of a Hankel matrix. The Artinian Gorenstein border basis algorithm (2017) uses a Gram-Schmidt process.We propose a new algorithm for computing the Gr{\"o}bner basis of the ideal of relations of a sequence based solely on multivariate polynomial arithmetic. This algorithm allows us to both revisit the Berlekamp-Massey-Sakata algorithm through the use of polynomial divisions and to completely revise the Scalar-FGLM algorithm without linear algebra operations.A key observation in the design of this algorithm is to work on the mirror of the truncated generating series allowing us to use polynomial arithmetic modulo a monomial ideal. It appears to have some similarities with Pad{\'e} approximants of this mirror polynomial.As an addition from the paper published at the ISSAC conferance, we give an adaptive variant of this algorithm taking into account the shape of the final Gr{\"o}bner basis gradually as it is discovered. The main advantage of this algorithm is that its complexity in terms of operations and sequence queries only depends on the output Gr{\"o}bner basis.All these algorithms have been implemented in Maple and we report on our comparisons.

Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp–Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding require guessing linear recurrence relations of a multivariate sequence. Several algorithms solve this problem. The so-called Berlekamp–Massey–Sakata algorithm (1988) uses polynomial additions and shifts by a monomial. The Scalar-FGLM algorithm (2015) relies on linear algebra operations on a multi-Hankel matrix, a multivariate generalization of a Hankel matrix. The Artinian Gorenstein border basis algorithm (2017) uses a Gram-Schmidt process. We propose a new algorithm for computing the Gröbner basis of the ideal of relations of a sequence based solely on multivariate polynomial arithmetic. This algorithm allows us to both revisit the Berlekamp–Massey–Sakata algorithm through the use of polynomial divisions and to completely revise the Scalar-FGLM algorithm without linear algebra operations. A key observation in the design of this algorithm is to work on the mirror of the truncated generating series allowing us to use polynomial arithmetic modulo a monomial ideal. It appears to have some similarities with Padé approximants of this mirror polynomial. As an addition from the paper published at the ISSAC conference, we give an adaptive variant of this algorithm taking into account the shape of the final Gröbner basis gradually as it is discovered. The main advantage of this algorithm is that its complexity in terms of operations and sequence queries only depends on the output Gröbner basis. All these algorithms have been implemented in Maple and we report on our comparisons.

In this article, we present algebraic attacks against the Extension Field Cancellation ($\texttt {EFC}$) scheme, a multivariate public-key encryption scheme which was published at PQCRYPTO’2016. First, we present a successful Gröbner basis message-recovery attack on the first and second proposed parameters of the scheme. For the first challenge parameter, a Gröbner-based hybrid attack has a $2^{65}$ bit complexity which beats the claimed 80 bit security level. We further show that the algebraic system arising from an $\texttt {EFC}$ public-key is much easier to solve than a random system of the same size. Briefly, this is due to the apparition of many lower degree equations during the Gröbner basis computation. We present a polynomial-time method to recover such lower-degree relations and also show their usefulness in improving the Gröbner basis attack complexity on $\texttt {EFC}$. Thus, we show that there is an algebraic structural weakness in the system of equations coming from $\texttt {EFC}$ and hence makes the scheme not suitable for encryption.

Effective computation of resultants is a central problem in elimination theory and polynomial system solving. Commonly, we compute the resultant as a quotient of determinants of matrices and we say that there exists a determinantal formula when we can express it as a determinant of a matrix whose elements are the coefficients of the input polynomials. We study the resultant in the context of mixed multilinear polynomial systems, that is multilinear systems with polynomials having different supports, on which determinantal formulas were not known. We construct determinantal formulas for two kind of multilinear systems related to the Multiparameter Eigenvalue Problem (MEP): first, when the polynomials agree in all but one block of variables; second, when the polynomials are bilinear with different supports, related to a bipartite graph. We use the Weyman complex to construct Koszul-type determinantal formulas that generalize Sylvester-type formulas. We can use the matrices associated to these formulas to solve square systems without computing the resultant. The combination of the resultant matrices with the eigenvalue and eigenvector criterion for polynomial systems leads to a new approach for solving MEP.

The “quantum threat” to our current, convenient cryptographic algorithms is getting closer, with demonstrable progress by commercial quantum computing efforts. It is now more important than ever that we combine all of our tools into a new quantum-safe toolbox to develop the next generation of quantum-safe networking solutions. Here we combine an integrated quantum entropy source with quantum-resistant algorithms in the GnuGPG open-source software; leading to a fully quantum-safe version of GnuGPG. The quantum entropy source itself is capable of a raw rate of randomness in excess of 10 Gbps. After post-processing, quantum random numbers are used by the quantum-resistant algorithms to allow GnuGPG to perform its usual public-key cryptographic tasks, such as digitally signing documents, but now in a secure quantum-safe way.

Let $\mathbf{K}$ be a field and $\phi$, $\mathbf{f} = (f_1, \ldots, f_s)$ in $\mathbf{K}[x_1, \dots, x_n]$ be multivariate polynomials (with $s < n$) invariant under the action of $\mathcal{S}_n$, the group of permutations of $\{1, \dots, n\}$. We consider the problem of computing the points at which $\mathbf{f}$ vanish and the Jacobian matrix associated to $\mathbf{f}, \phi$ is rank deficient provided that this set is finite. We exploit the invariance properties of the input to split the solution space according to the orbits of $\mathcal{S}_n$. This allows us to design an algorithm which gives a triangular description of the solution space and which runs in time polynomial in $d^s$, ${{n+d}\choose{d}}$ and $\binom{n}{s+1}$ where d is the maximum degree of the input polynomials. When d,s are fixed, this is polynomial in n while when s is fixed and $d \simeq n$ this yields an exponential speed-up with respect to the usual polynomial system solving algorithms.

Symmetric tensor decomposition is an important problem with applications in several areas, for example signal processing, statistics, data analysis and computational neuroscience. It is equivalent to Waring's problem for homogeneous polynomials, that is to write a homogeneous polynomial in n variables of degree D as a sum of D-th powers of linear forms, using the minimal number of summands. This minimal number is called the rank of the polynomial/tensor. We focus on decomposing binary forms, a problem that corresponds to the decomposition of symmetric tensors of dimension 2 and order D, that is, symmetric tensors of order D over the vector space K2. Under this formulation, the problem finds its roots in invariant theory where the decompositions are related to canonical forms. We introduce a superfast algorithm that exploits results from structured linear algebra. It achieves a softly linear arithmetic complexity bound. To the best of our knowledge, the previously known algorithms have at least quadratic complexity bounds. Our algorithm computes a symbolic decomposition in O(M(D)log⁡(D)) arithmetic operations, where M(D) is the complexity of multiplying two polynomials of degree D. It is deterministic when the decomposition is unique. When the decomposition is not unique, it is randomized. We also present a Monte Carlo variant as well as a modification to make it a Las Vegas one. From the symbolic decomposition, we approximate the terms of the decomposition with an error of 2−ε, in O(Dlog2⁡(D)(log2⁡(D)+log⁡(ε))) arithmetic operations. We use results from Kaltofen and Yagati (1989) to bound the size of the representation of the coefficients involved in the decomposition and we bound the algebraic degree of the problem by min⁡(rank,D−rank+1). We show that this bound can be tight. When the input polynomial has integer coefficients, our algorithm performs, up to poly-logarithmic factors, O˜B(Dℓ+D4+D3τ) bit operations, where τ is the maximum bitsize of the coefficients and 2−ℓ is the relative error of the terms in the decomposition.

In this document, we introduce : a Digital Signature Scheme based on the Permuted Kernel Problem (PKP) [23]. PKP is a simple NP-hard [10] combinatorial problem that consists of finding a kernel for a publicly known matrix, such that the kernel vector is a permutation of a publicly known vector. This problem was used to develop an Identification Scheme (IDS) which has a very efficient implementation on low-cost smart cards. From this zero-knowledge identification scheme, we derive with the traditional Fiat-Shamir transform [9]. Thus, has a security that can be provably reduced, in the (classical) random oracle model, to the hardness of random instances of PKP (or, if wanted, to any specific family of instances). We propose parameter sets following the thorough analysis of the State-of-the-art attacks on PKP presented in [17]. We show that is competitive with other signatures derived from Zero-Knowledge identification schemes. In particular, PKP-DSS-128 gives a signature size of approximately 20 KBytes for 128 bits of classical security, which is approximately smaller than MQDSS. Moreover, our proof-of-concept implementation shows that PKP-DSS-128 is an order of magnitude faster than MQDSS which in its turn is faster than Picnic2, SPHINCS, ... Since the is NP-hard and since there are no known quantum attacks for solving PKP significantly better than classical attacks, we believe that our scheme is post-quantum secure.