1. Introduction
The MinRank Problem asks to find an element of least rank in a given space of matrices. In its classical formulation, one searches for a matrix of minimum rank in a vector space, given via a system of generators.
Classical MinRank Problem.
Let be a field and let be positive integers. Given as input matrices with entries in , find such that the corresponding linear combination satisfies
The entries of the matrix are linear polynomials in the variables . The following is a natural generalization of the MinRank Problem.
Generalized MinRank Problem.
Let be a field and let be positive integers. Given as input a matrix with entries in , compute the set of points in at which the evaluation of has rank at most .
Both of these problems arise naturally within cryptography and coding theory, as well as in numerous other applications. Within multivariate cryptography, the MinRank Problem plays a central role in the cryptanalysis of several systems, including HFE and its variants [KS99, BFP13, CSV17, VS17, DPPS18], the TTM Cryptosystem [GC00], and the ABC Cryptosystem [MPS14, MPS17]. Within coding theory, the problem of decoding a linear rankmetric code is an instance of the classical MinRank Problem.
Following [KS99], we distinguish the following three situations.
Definition 1.1.
A MinRank Problem is underdefined if , welldefined if , and overdetermined if .
There are at least two ways of approaching the MinRank Problem: the KipnisShamir modeling introduced in [KS99] and the minors modeling. We concentrate on the second one.
The minors modeling relies on the following observation: A vector is a solution of the (classic or generalized) MinRank Problem for a matrix if and only if all minors of size of vanish at this point. Thus we can find the solutions of the MinRank Problem by solving the polynomial system consisting of all minors of size of . This is a system of multivariate polynomial equations , so one may attempt to solve it by means of the usual Gröbner bases methods. The complexity of these methods is controlled by the solving degree of , that is the highest degree of polynomials appearing during the computation of a degree reverse lexicographic Gröbner basis.
In this paper, we take another look at the complexity of solving the MinRank Problem. We focus on the underdefined and welldefined situations, which we treat with a unified approach. Notice that no fully provable, general results on the complexity of the overdetermined case are currently available.
The results from [CG19]
, in combination with classical commutative algebra results, provide us with a simple provable estimate for the complexity of the homogeneous version of the generalized MinRank Problem. More generally, Theorem
2.5 holds in the situation when the minors of the matrix obtained by homogenizing the entries of are the homogenization of the minors of . As a special case of our main result, we obtain a simple and concise proof of the main results from [FSS10, FSS13], which avoids lengthy technical computations.2. Main Results
We fix a field and positive integers . Without loss of generality, we assume that and . We focus on the MinRank Problem in the underdefined and welldefined case. We state our results in increasing order of generality.
Theorem 2.1.
The solving degree of the minors modeling of a generic classical welldefined square MinRank Problem ( and ) is upper bounded by
Theorem 2.2.
Let be an matrix whose entries are generic linear polynomials in and assume . Let be the polynomial system of the minors of size of . Then the solving degree of is upper bounded by
Theorem 2.3.
Let be an matrix whose entries are generic homogeneous polynomials of degree in and assume . Let be the polynomial system of the minors of size of . Then the solving degree of is upper bounded by
Remark 2.4.
The previous theorems recover the main results of [FSS10, FSS13]. We obtain them as a consequence of our more general Theorem 2.5, by letting (Theorems 2.1 and 2.2) and (Theorem 2.3).
We consider an matrix , whose entry in position is a polynomial of degree in , for all . Up to permuting the rows of , we may assume that . Moreover, assume that the following two conditions hold:

for all .

for all .
Finally, we assume that the entries of are generic polynomials. One may think of this assumption as the coefficients of each polynomial being randomly chosen.
Theorem 2.5.
Let be an matrix as above and assume . Let be the polynomial system of the minors of size of . Then the solving degree of is upper bounded by
Proof.
Notice that, because of the assumption on the degrees of the entries of , the homogenizations of the minors of are the minors of the matrix obtained from by homogenizing its entries. Therefore, we may assume without loss of generality that the entries of are generic homogeneous polynomials. The main result of [CG19, Section 3.3] implies that
where is the ideal generated by the polynomials of and denotes the CastelnuovoMumford regularity of . We can compute it as follows.
First, observe that since the polynomials of are generic and the matrix is homogeneous, the quotient ring is CohenMacaulay of Krull dimension by EagonNorthcott’s Theorem [EN62]. Let , where is a matrix of size whose entries are distinct variables, , and is the polynomial ring over with variables the entries of . By [BV88, Theorem 3.5] one has . Moreover by [BH98, Examples 3.6.15], we have
where denotes the invariant. By [BH92, Corollary 1.5]
where in the notation of [BH92]. Finally, putting everything together we obtain
∎
References

[BFP13]
Luk Bettale, JeanCharles Faugère, Ludovic Perret,
Cryptanalysis of HFE, multiHFE and variants for odd and even characteristic
, Des. Codes Cryptogr. vol. 69, no. 1, 1–52, 2013.  [BH92] Winfried Bruns, Jürgen Herzog, On the computation of ainvariants, Manuscripta Mathematica vol. 77, pp. 201–213, 1992.
 [BH98] Winfried Bruns, Jürgen Herzog, CohenMacaulay rings. Revised edition, Cambridge Studies in Advanced Mathematics, vol. 39, Cambridge University Press, 1998.
 [BV88] Winfried Bruns, Udo Vetter, Determinantal Rings, Lecture Notes in Mathematics, 1327, SpringerVerlag, Berlin, 1988.
 [CSV17] Daniel Cabarcas, Daniel SmithTone, Javier A. Verbel, Key Recovery Attack for ZHFE, Postquantum cryptography, 289–308, Lecture Notes in Comput. Sci., 10346, Springer, Cham, 2017.
 [CG19] Alessio Caminata, Elisa Gorla, Solving Multivariate Polynomial Systems and an Invariant from Commutative Algebra, preprint arXiv:1706.06319.
 [DPPS18] Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel SmithTone, Improved cryptanalysis of via projection, Postquantum cryptography, 375–395, Lecture Notes in Comput. Sci., 10786, Springer, Cham, 2018.
 [EN62] John A. Eagon, Douglas G. Northcott, Ideals Defined by Matrices and a Certain Complex Associated with Them, Proceedings of the Royal Society of London. Series A, Mathematical and Physical Sciences, vol. 269, n. 1337, pp. 188–204 , 1962.
 [FSS10] JeanCharles Faugère, Mohab Safey El Din, PierreJean Spaenlehauer, Computing Loci of Rank Defects of Linear Matrices using Gröbner Bases and Applications to Cryptology, Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation, ISSAC ’10, pp. 257–264, Munich, Germany, 2010.
 [FSS13] JeanCharles Faugère, Mohab Safey El Din, PierreJean Spaenlehauer, On the Complexity of the Generalized MinRank Problem, Journal of Symbolic Computation, vol. 55, pp. 30–58, 2013.
 [GC00] Louis Goubin, Nicolas T. Courtois, Cryptanalysis of the TTM Cryptosystem, Advances in Cryptology, Proceedings of ASIACRYPT 2000, Lecture Notes in Computer Science, vol. 1976, SpringerVerlag, pp. 44–57, 2000.
 [KS99] Aviad Kipnis, Adi Shamir, Cryptanalysis of the HFE public key cryptosystem, Advances in Cryptology, Proceedings of Crypto ’99, LNCS no. 1666, SpringerVerlag, pp. 19–30, 1999.
 [MPS14] Dustin Moody, Ray Perlner, Daniel SmithTone, An asymptotically optimal structural attack on the ABC multivariate encryption scheme, Postquantum cryptography, 180–196, Lecture Notes in Comput. Sci., 8772, Springer, Cham, 2014.
 [MPS17] Dustin Moody, Ray Perlner, Daniel SmithTone, Improved attacks for characteristic2 parameters of the cubic ABC simple matrix encryption scheme, Postquantum cryptography, 255–271, Lecture Notes in Comput. Sci., 10346, Springer, Cham, 2017.
 [VS17] Jeremy Vates, Daniel SmithTone, Key recovery attack for all parameters of , Postquantum cryptography, 272–288, Lecture Notes in Comput. Sci., 10346, Springer, Cham, 2017.
Comments
There are no comments yet.