Jean-Charles Faugère’s research while affiliated with French National Centre for Scientific Research and other places


Publications (178)


Computing critical points for invariant algebraic systems
  • Article

October 2022 · 17 Reads · 15 Citations · Journal of Symbolic Computation

Jean-Charles Faugère · Mohab Safey El Din · [...] · Thi Xuan Vu

Let $K$ be a field and $(f_1,\ldots,f_s,\phi)$ be multivariate polynomials in $K[x_1,\ldots,x_n]$ (with $s<n$), each invariant under the action of $S_n$, the group of permutations of $\{1,\ldots,n\}$. We consider the problem of computing the critical points of $\phi$ restricted to the algebraic set $V(\mathbf{f})$, where $\mathbf{f}=(f_1,\ldots,f_s)$. This is the same as computing the points at which $\mathbf{f}$ vanishes and the Jacobian matrix associated to $(f_1,\ldots,f_s,\phi)$ is rank deficient, provided that this set is finite. We exploit the invariance properties of the input to split the solution space according to the orbits of $S_n$. This allows us to design an algorithm which gives a triangular description of the solution space and which runs in time polynomial in $d^s$, $\binom{n+d}{d}$ and $\binom{n}{s+1}$, where $d$ is the maximum degree of the input polynomials. When $d,s$ are fixed, this is polynomial in $n$, while when $s$ is fixed and $d\simeq n$ this yields an exponential speed-up with respect to the usual polynomial system solving algorithms.



Polynomial-Division-Based Algorithms for Computing Linear Recurrence Relations

July 2021 · 16 Reads

Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp–Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding require guessing linear recurrence relations of a multivariate sequence. Several algorithms solve this problem. The so-called Berlekamp–Massey–Sakata algorithm (1988) uses polynomial additions and shifts by a monomial. The Scalar-FGLM algorithm (2015) relies on linear algebra operations on a multi-Hankel matrix, a multivariate generalization of a Hankel matrix. The Artinian Gorenstein border basis algorithm (2017) uses a Gram-Schmidt process. We propose a new algorithm for computing the Gröbner basis of the ideal of relations of a sequence based solely on multivariate polynomial arithmetic. This algorithm allows us to both revisit the Berlekamp–Massey–Sakata algorithm through the use of polynomial divisions and to completely revise the Scalar-FGLM algorithm without linear algebra operations. A key observation in the design of this algorithm is to work on the mirror of the truncated generating series, allowing us to use polynomial arithmetic modulo a monomial ideal. It appears to have some similarities with Padé approximants of this mirror polynomial. As an addition from the paper published at the ISSAC conference, we give an adaptive variant of this algorithm taking into account the shape of the final Gröbner basis gradually as it is discovered. The main advantage of this algorithm is that its complexity in terms of operations and sequence queries only depends on the output Gröbner basis. All these algorithms have been implemented in Maple and we report on our comparisons.


Polynomial-Division-Based Algorithms for Computing Linear Recurrence Relations

July 2021 · 20 Reads · 2 Citations · Journal of Symbolic Computation

Sparse polynomial interpolation, sparse linear system solving or modular rational reconstruction are fundamental problems in Computer Algebra. They come down to computing linear recurrence relations of a sequence with the Berlekamp–Massey algorithm. Likewise, sparse multivariate polynomial interpolation and multidimensional cyclic code decoding require guessing linear recurrence relations of a multivariate sequence. Several algorithms solve this problem. The so-called Berlekamp–Massey–Sakata algorithm (1988) uses polynomial additions and shifts by a monomial. The Scalar-FGLM algorithm (2015) relies on linear algebra operations on a multi-Hankel matrix, a multivariate generalization of a Hankel matrix. The Artinian Gorenstein border basis algorithm (2017) uses a Gram-Schmidt process. We propose a new algorithm for computing the Gröbner basis of the ideal of relations of a sequence based solely on multivariate polynomial arithmetic. This algorithm allows us to both revisit the Berlekamp–Massey–Sakata algorithm through the use of polynomial divisions and to completely revise the Scalar-FGLM algorithm without linear algebra operations. A key observation in the design of this algorithm is to work on the mirror of the truncated generating series allowing us to use polynomial arithmetic modulo a monomial ideal. It appears to have some similarities with Padé approximants of this mirror polynomial. As an addition from the paper published at the ISSAC conference, we give an adaptive variant of this algorithm taking into account the shape of the final Gröbner basis gradually as it is discovered. The main advantage of this algorithm is that its complexity in terms of operations and sequence queries only depends on the output Gröbner basis. All these algorithms have been implemented in Maple and we report on our comparisons.


Degree of regularity observed in experiments over $\mathbb{F}_2$ ($\mathbf{D}_{Obs}$), expected by [49] ($\mathbf{D}_{Theo}$) and degree of semi-regularity ($\mathbf{D}_{SR}$)
Cryptanalysis of the extension field cancellation cryptosystem
  • Article
  • Publisher preview available

June 2021 · 41 Reads · 1 Citation · Designs Codes and Cryptography

In this article, we present algebraic attacks against the Extension Field Cancellation (EFC) scheme, a multivariate public-key encryption scheme which was published at PQCRYPTO'2016. First, we present a successful Gröbner basis message-recovery attack on the first and second proposed parameters of the scheme. For the first challenge parameter, a Gröbner-based hybrid attack has a $2^{65}$ bit complexity, which beats the claimed 80 bit security level. We further show that the algebraic system arising from an EFC public key is much easier to solve than a random system of the same size. Briefly, this is due to the appearance of many lower-degree equations during the Gröbner basis computation. We present a polynomial-time method to recover such lower-degree relations and also show their usefulness in improving the Gröbner basis attack complexity on EFC. Thus, we show that there is an algebraic structural weakness in the system of equations coming from EFC, which makes the scheme not suitable for encryption.


Koszul-type determinantal formulas for families of mixed multilinear systems

May 2021 · 54 Reads

Effective computation of resultants is a central problem in elimination theory and polynomial system solving. Commonly, we compute the resultant as a quotient of determinants of matrices, and we say that there exists a determinantal formula when we can express it as a determinant of a matrix whose elements are the coefficients of the input polynomials. We study the resultant in the context of mixed multilinear polynomial systems, that is, multilinear systems with polynomials having different supports, for which determinantal formulas were not known. We construct determinantal formulas for two kinds of multilinear systems related to the Multiparameter Eigenvalue Problem (MEP): first, when the polynomials agree in all but one block of variables; second, when the polynomials are bilinear with different supports, related to a bipartite graph. We use the Weyman complex to construct Koszul-type determinantal formulas that generalize Sylvester-type formulas. We can use the matrices associated to these formulas to solve square systems without computing the resultant. The combination of the resultant matrices with the eigenvalue and eigenvector criterion for polynomial systems leads to a new approach for solving MEP.


Combining a quantum random number generator and quantum-resistant algorithms into the GnuGPG open-source software

October 2020 · 99 Reads · 2 Citations · Advanced Optical Technologies

The “quantum threat” to our current, convenient cryptographic algorithms is getting closer, with demonstrable progress by commercial quantum computing efforts. It is now more important than ever that we combine all of our tools into a new quantum-safe toolbox to develop the next generation of quantum-safe networking solutions. Here we combine an integrated quantum entropy source with quantum-resistant algorithms in the GnuGPG open-source software, leading to a fully quantum-safe version of GnuGPG. The quantum entropy source itself is capable of a raw rate of randomness in excess of 10 Gbps. After post-processing, quantum random numbers are used by the quantum-resistant algorithms to allow GnuGPG to perform its usual public-key cryptographic tasks, such as digitally signing documents, but now in a secure quantum-safe way.


Computing critical points for invariant algebraic systems

September 2020 · 26 Reads

Let $\mathbf{K}$ be a field and $\phi$, $\mathbf{f} = (f_1, \ldots, f_s)$ in $\mathbf{K}[x_1, \dots, x_n]$ be multivariate polynomials (with $s < n$) invariant under the action of $\mathcal{S}_n$, the group of permutations of $\{1, \dots, n\}$. We consider the problem of computing the points at which $\mathbf{f}$ vanish and the Jacobian matrix associated to $\mathbf{f}, \phi$ is rank deficient, provided that this set is finite. We exploit the invariance properties of the input to split the solution space according to the orbits of $\mathcal{S}_n$. This allows us to design an algorithm which gives a triangular description of the solution space and which runs in time polynomial in $d^s$, $\binom{n+d}{d}$ and $\binom{n}{s+1}$, where $d$ is the maximum degree of the input polynomials. When $d,s$ are fixed, this is polynomial in $n$, while when $s$ is fixed and $d \simeq n$ this yields an exponential speed-up with respect to the usual polynomial system solving algorithms.


A nearly optimal algorithm to decompose binary forms

June 2020 · 11 Reads · 3 Citations · Journal of Symbolic Computation

Symmetric tensor decomposition is an important problem with applications in several areas, for example signal processing, statistics, data analysis and computational neuroscience. It is equivalent to Waring's problem for homogeneous polynomials, that is, to write a homogeneous polynomial in $n$ variables of degree $D$ as a sum of $D$-th powers of linear forms, using the minimal number of summands. This minimal number is called the rank of the polynomial/tensor. We focus on decomposing binary forms, a problem that corresponds to the decomposition of symmetric tensors of dimension 2 and order $D$, that is, symmetric tensors of order $D$ over the vector space $K^2$. Under this formulation, the problem finds its roots in invariant theory where the decompositions are related to canonical forms. We introduce a superfast algorithm that exploits results from structured linear algebra. It achieves a softly linear arithmetic complexity bound. To the best of our knowledge, the previously known algorithms have at least quadratic complexity bounds. Our algorithm computes a symbolic decomposition in $O(M(D)\log(D))$ arithmetic operations, where $M(D)$ is the complexity of multiplying two polynomials of degree $D$. It is deterministic when the decomposition is unique. When the decomposition is not unique, it is randomized. We also present a Monte Carlo variant as well as a modification to make it a Las Vegas one. From the symbolic decomposition, we approximate the terms of the decomposition with an error of $2^{-\varepsilon}$, in $O(D\log^2(D)(\log^2(D)+\log(\varepsilon)))$ arithmetic operations. We use results from Kaltofen and Yagati (1989) to bound the size of the representation of the coefficients involved in the decomposition and we bound the algebraic degree of the problem by $\min(\mathrm{rank}, D-\mathrm{rank}+1)$. We show that this bound can be tight. When the input polynomial has integer coefficients, our algorithm performs, up to poly-logarithmic factors, $\tilde{O}_B(D\ell + D^4 + D^3\tau)$ bit operations, where $\tau$ is the maximum bitsize of the coefficients and $2^{-\ell}$ is the relative error of the terms in the decomposition.


PKP-DSS parameter sets
Key and signature sizes for PKP-DSS with the three proposed parameter sets.
Average cycle counts for key generation, signing and verification, for our implementation of PKP-DSS with the three proposed parameter sets.
Comparison of different post-quantum Fiat-Shamir schemes
PKP-Based Signature Scheme

November 2019 · 164 Reads · 16 Citations · Lecture Notes in Computer Science

In this document, we introduce : a Digital Signature Scheme based on the Permuted Kernel Problem (PKP) [23]. PKP is a simple NP-hard [10] combinatorial problem that consists of finding a kernel for a publicly known matrix, such that the kernel vector is a permutation of a publicly known vector. This problem was used to develop an Identification Scheme (IDS) which has a very efficient implementation on low-cost smart cards. From this zero-knowledge identification scheme, we derive with the traditional Fiat-Shamir transform [9]. Thus, has a security that can be provably reduced, in the (classical) random oracle model, to the hardness of random instances of PKP (or, if wanted, to any specific family of instances). We propose parameter sets following the thorough analysis of the state-of-the-art attacks on PKP presented in [17]. We show that is competitive with other signatures derived from Zero-Knowledge identification schemes. In particular, PKP-DSS-128 gives a signature size of approximately 20 KBytes for 128 bits of classical security, which is approximately smaller than MQDSS. Moreover, our proof-of-concept implementation shows that PKP-DSS-128 is an order of magnitude faster than MQDSS, which in its turn is faster than Picnic2, SPHINCS, ... Since the is NP-hard and since there are no known quantum attacks for solving PKP significantly better than classical attacks, we believe that our scheme is post-quantum secure.


Citations (75)


... By reducing the problem of working with to the smaller ring K[ 1 , . . . , ], we can leverage the structure of the basic invariants of G to perform symbolic computations more efficiently (see for examples [16,38,45,56] and references therein). Moreover, understanding the degrees of relative to ℎ and the basic invariants of G provides insight into the algebraic and geometric properties of the invariant ring. ...

Reference:

Computing Polynomial Representation in Subrings of Multivariate Polynomial Rings
Computing critical points for invariant algebraic systems
  • Citing Article
  • October 2022

Journal of Symbolic Computation

... In [12], we also showed that some multihomogeneous resultant matrices can be seen as an instance of the previous case by embedding their Newton polytopes and the mixed subdivisions of their Minkowski sum into an n-zonotope. Despite the existence of many exact determinantal formulas for some of these cases; see [4,5,10,19,33], we expect our approach to have an easier generalization to general sparse systems through the use of the type functions and the underlying combinatorics. On the other hand, we believe that using non-affine lifting functions, one could possibly find the minimal matrices from one which one can have the Canny-Emiris formula for the sparse resultant. ...

Koszul-Type Determinantal Formulas for Families of Mixed Multilinear Systems
  • Citing Article
  • October 2021

SIAM Journal on Applied Algebra and Geometry

... Computing recurrence relations of multi-dimensional sequences (or equivalently computing the annihilator of the dual module elements) is an active research problem and there are several recent publications on this problem. Berthomieu, et al. presented an FGLM-style algorithm with the complexity bound O(r(r + |G|)m) [4], where G is the reduced Gröbner basis of the annihilator and m is the number of monomials that are less than the leading monomials of G (and hence m is the size of the border basis), and an improvement of this algorithm with the complexity bound O((r + |G|) l ) [6,7], where l is the size of the Minkowski sum of the staircase with itself. ...

Polynomial-Division-Based Algorithms for Computing Linear Recurrence Relations
  • Citing Article
  • July 2021

Journal of Symbolic Computation

... [27] implemented the concept of an equivalent public key to give a detailed security analysis of their proposed encryption scheme. Furthermore, [28] showed that the algebraic system of an EFC public key has lower degree equations during the Gröbner basis computation compared to a random system having the same size. Consequently, solving the algebraic system of an EFC public key becomes simpler and easier. ...

Cryptanalysis of the extension field cancellation cryptosystem

Designs Codes and Cryptography

... • a monomial, • a form with at most two variables, • a Vandermonde determinant, • $x^a(y^b + z^b)$ with arbitrary $a$ and $b$. In a subsequent work [28], Carlini, Catalisano and Oneto introduced the notion of a Waring locus motivated by Conjecture 1.1, which turned out to be of a considerable independent interest [7,30,78,109]. Also, the authors of [28] developed several of the sufficient conditions above to satisfy a natural stronger version of Conjecture 1.1. ...

A nearly optimal algorithm to decompose binary forms
  • Citing Article
  • June 2020

Journal of Symbolic Computation

... The EBMA takes the good parts of RS codes and enhances error correction while also making the process less complicated. It's useful especially in high-speed networks like ATM [5,6]. The potential of Hybrid Automatic Repeat reQuest (HARQ) is the topic of this research, which combines both FEC and ARQ to improve transmission reliability. ...

In-depth comparison of the Berlekamp–Massey–Sakata and the Scalar-FGLM algorithms: The adaptive variants
  • Citing Article
  • September 2019

Journal of Symbolic Computation

... In this context, solving methods based on numerical homotopies [24,28], resultants [11,32] and others [5,22] have been developed and have given birth to fruitful lines of works. During the last decades, new methods related to Gröbner bases have been proposed, expanding the symbolic toolbox for manipulating and solving sparse systems [6,18,29]. Our long-term goal is to expand the toolbox to the case of toric compactifications which do not necessarily correspond to the Newton polytopes of the equations. ...

Gröbner Basis over Semigroup Algebras: Algorithms and Applications for Sparse Polynomial Systems
  • Citing Conference Paper
  • July 2019

... Aaronson's scheme was later broken by Lutomirski et al. [24]. In the years since, several alternative constructions have been explored [2,17,30,19,20,23,31], yet each has either been broken [14,26,7,23] or relies on non-standard cryptographic assumptions. ...

Non-quantum Cryptanalysis of the Noisy Version of Aaronson-Christiano's Quantum Money Scheme

... The extension of Castelnuovo-Mumford regularity to the corresponding multihomogeneous ideals has attracted the interest of many researchers in the last three decades. The various related results concern the (suitable) definition of regularity and its main properties [12,36,42], its connection to multigraded local cohomology modules [9,17], its relation with Betti numbers and virtual resolutions [2,7], the special properties of ideals defining points and curves [18,37], bounds on (degree) regions that extend previous results from the classical single graded case [13,41,44], and, of course, the (efficient) computation of Gröbner bases [6,28]. ...

Towards Mixed Gröbner Basis Algorithms: the Multihomogeneous and Sparse Case
  • Citing Conference Paper
  • July 2018