The MinRank Problem asks to find an element of least rank in a given space of matrices. In its classical formulation, one searches for a matrix of minimum rank in a vector space, given via a system of generators.
Classical MinRank Problem.
Let be a field and let be positive integers. Given as input matrices with entries in , find such that the corresponding linear combination satisfies
The entries of the matrix are linear polynomials in the variables . The following is a natural generalization of the MinRank Problem.
Generalized MinRank Problem.
Let be a field and let be positive integers. Given as input a matrix with entries in , compute the set of points in at which the evaluation of has rank at most .
Both of these problems arise naturally within cryptography and coding theory, as well as in numerous other applications. Within multivariate cryptography, the MinRank Problem plays a central role in the cryptanalysis of several systems, including HFE and its variants [KS99, BFP13, CSV17, VS17, DPPS18], the TTM Cryptosystem [GC00], and the ABC Cryptosystem [MPS14, MPS17]. Within coding theory, the problem of decoding a linear rank-metric code is an instance of the classical MinRank Problem.
Following [KS99], we distinguish the following three situations.
A MinRank Problem is under-defined if , well-defined if , and over-determined if .
There are at least two ways of approaching the MinRank Problem: the Kipnis-Shamir modeling introduced in [KS99] and the minors modeling. We concentrate on the second one.
The minors modeling relies on the following observation: A vector is a solution of the (classic or generalized) MinRank Problem for a matrix if and only if all minors of size of vanish at this point. Thus we can find the solutions of the MinRank Problem by solving the polynomial system consisting of all minors of size of . This is a system of multivariate polynomial equations , so one may attempt to solve it by means of the usual Gröbner bases methods. The complexity of these methods is controlled by the solving degree of , that is the highest degree of polynomials appearing during the computation of a degree reverse lexicographic Gröbner basis.
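The observation above (rank at most r exactly when all minors of size r + 1 vanish) can be checked exhaustively on a toy instance. The following Python block is an added example, not code from the paper; the field GF(7), the affine form M0 + x1*M1 + x2*M2, the name r for the target rank, and all matrix values are constructed assumptions.

```python
from itertools import combinations, product
P = 7  # assumed toy field GF(7), small enough to enumerate every point

def evaluate(mats, x):
    """M(x) = mats[0] + sum_i x[i] * mats[i+1], entries reduced mod P."""
    coeffs = (1,) + tuple(x)
    return [[sum(c * M[i][j] for c, M in zip(coeffs, mats)) % P
             for j in range(len(mats[0][0]))] for i in range(len(mats[0]))]

def det(a):
    """Determinant mod P by Laplace expansion along the first row."""
    if not a:
        return 1
    return sum((-1) ** j * a[0][j] * det([r[:j] + r[j + 1:] for r in a[1:]])
               for j in range(len(a))) % P

def minors_vanish(a, size):
    """True iff every size x size minor of a is zero mod P."""
    return all(det([[a[i][j] for j in cs] for i in rs]) == 0
               for rs in combinations(range(len(a)), size)
               for cs in combinations(range(len(a[0])), size))

def rank(a):
    """Rank over GF(P) by forward Gaussian elimination (independent check)."""
    a, rk = [row[:] for row in a], 0
    for c in range(len(a[0])):
        piv = next((i for i in range(rk, len(a)) if a[i][c]), None)
        if piv is None:
            continue
        a[rk], a[piv] = a[piv], a[rk]
        inv = pow(a[rk][c], -1, P)
        for i in range(rk + 1, len(a)):
            f = a[i][c] * inv % P
            a[i] = [(v - f * w) % P for v, w in zip(a[i], a[rk])]
        rk += 1
    return rk

def build_instance():
    """Constructed instance: a rank-1 matrix R is planted at the point (3, 5)."""
    M1 = [[1, 2, 0], [0, 3, 4], [5, 1, 6]]
    M2 = [[2, 0, 1], [6, 5, 0], [1, 4, 3]]
    R = [[u * v % P for v in (1, 4, 2)] for u in (1, 2, 3)]
    M0 = [[(R[i][j] - 3 * M1[i][j] - 5 * M2[i][j]) % P for j in range(3)] for i in range(3)]
    return [M0, M1, M2]

def solve(mats, r, by_minors):
    """All x in GF(P)^k with rank M(x) <= r, via minors or via direct rank."""
    ok = (lambda a: minors_vanish(a, r + 1)) if by_minors else (lambda a: rank(a) <= r)
    return {x for x in product(range(P), repeat=len(mats) - 1) if ok(evaluate(mats, x))}
```

Enumeration works here only because the field and the number of variables are tiny; the paper's subject is the cost of solving the same system of minors with Gröbner bases.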
In this paper, we take another look at the complexity of solving the MinRank Problem. We focus on the under-defined and well-defined situations, which we treat with a unified approach. Notice that no fully provable, general results on the complexity of the over-determined case are currently available.
The results from [CG19], in combination with classical commutative algebra results, provide us with a simple provable estimate for the complexity of the homogeneous version of the generalized MinRank Problem. More generally, Theorem 2.5 holds in the situation when the minors of the matrix obtained by homogenizing the entries of are the homogenization of the minors of . As a special case of our main result, we obtain a simple and concise proof of the main results from [FSS10, FSS13], which avoids lengthy technical computations.
2. Main Results
We fix a field and positive integers . Without loss of generality, we assume that and . We focus on the MinRank Problem in the under-defined and well-defined case. We state our results in increasing order of generality.
The solving degree of the minors modeling of a generic classical well-defined square MinRank Problem ( and ) is upper bounded by
Let be an matrix whose entries are generic linear polynomials in and assume . Let be the polynomial system of the minors of size of . Then the solving degree of is upper bounded by
Let be an matrix whose entries are generic homogeneous polynomials of degree in and assume . Let be the polynomial system of the minors of size of . Then the solving degree of is upper bounded by
We consider an matrix , whose entry in position is a polynomial of degree in , for all . Up to permuting the rows of , we may assume that . Moreover, assume that the following two conditions hold:
for all .
for all .
Finally, we assume that the entries of are generic polynomials. One may think of this assumption as the coefficients of each polynomial being randomly chosen.
Let be an matrix as above and assume . Let be the polynomial system of the minors of size of . Then the solving degree of is upper bounded by
Notice that, because of the assumption on the degrees of the entries of , the homogenizations of the -minors of are the -minors of the matrix obtained from by homogenizing its entries. Therefore, we may assume without loss of generality that the entries of are generic homogeneous polynomials. The main result of [CG19, Section 3.3] implies that
where is the ideal generated by the polynomials of and denotes the Castelnuovo-Mumford regularity of . We can compute it as follows.
First, observe that since the polynomials of are generic and the matrix is homogeneous, the quotient ring is Cohen-Macaulay of Krull dimension by Eagon-Northcott’s Theorem [EN62]. Let , where is a matrix of size whose entries are distinct variables, , and is the polynomial ring over with variables the entries of . By [BV88, Theorem 3.5] one has . Moreover by [BH98, Examples 3.6.15], we have
where denotes the -invariant. By [BH92, Corollary 1.5]
where in the notation of [BH92]. Finally, putting everything together we obtain
References
- [BFP13] Luk Bettale, Jean-Charles Faugère, Ludovic Perret, Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic, Des. Codes Cryptogr. vol. 69, no. 1, 1–52, 2013.
- [BH92] Winfried Bruns, Jürgen Herzog, On the computation of a-invariants, Manuscripta Mathematica vol. 77, pp. 201–213, 1992.
- [BH98] Winfried Bruns, Jürgen Herzog, Cohen-Macaulay rings. Revised edition, Cambridge Studies in Advanced Mathematics, vol. 39, Cambridge University Press, 1998.
- [BV88] Winfried Bruns, Udo Vetter, Determinantal Rings, Lecture Notes in Mathematics, 1327, Springer-Verlag, Berlin, 1988.
- [CSV17] Daniel Cabarcas, Daniel Smith-Tone, Javier A. Verbel, Key Recovery Attack for ZHFE, Post-quantum cryptography, 289–308, Lecture Notes in Comput. Sci., 10346, Springer, Cham, 2017.
- [CG19] Alessio Caminata, Elisa Gorla, Solving Multivariate Polynomial Systems and an Invariant from Commutative Algebra, preprint arXiv:1706.06319.
- [DPPS18] Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone, Improved cryptanalysis of via projection, Post-quantum cryptography, 375–395, Lecture Notes in Comput. Sci., 10786, Springer, Cham, 2018.
- [EN62] John A. Eagon, Douglas G. Northcott, Ideals Defined by Matrices and a Certain Complex Associated with Them, Proceedings of the Royal Society of London. Series A, Mathematical and Physical Sciences, vol. 269, n. 1337, pp. 188–204, 1962.
- [FSS10] Jean-Charles Faugère, Mohab Safey El Din, Pierre-Jean Spaenlehauer, Computing Loci of Rank Defects of Linear Matrices using Gröbner Bases and Applications to Cryptology, Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation, ISSAC ’10, pp. 257–264, Munich, Germany, 2010.
- [FSS13] Jean-Charles Faugère, Mohab Safey El Din, Pierre-Jean Spaenlehauer, On the Complexity of the Generalized MinRank Problem, Journal of Symbolic Computation, vol. 55, pp. 30–58, 2013.
- [GC00] Louis Goubin, Nicolas T. Courtois, Cryptanalysis of the TTM Cryptosystem, Advances in Cryptology, Proceedings of ASIACRYPT 2000, Lecture Notes in Computer Science, vol. 1976, Springer-Verlag, pp. 44–57, 2000.
- [KS99] Aviad Kipnis, Adi Shamir, Cryptanalysis of the HFE public key cryptosystem, Advances in Cryptology, Proceedings of Crypto ’99, LNCS no. 1666, Springer-Verlag, pp. 19–30, 1999.
- [MPS14] Dustin Moody, Ray Perlner, Daniel Smith-Tone, An asymptotically optimal structural attack on the ABC multivariate encryption scheme, Post-quantum cryptography, 180–196, Lecture Notes in Comput. Sci., 8772, Springer, Cham, 2014.
- [MPS17] Dustin Moody, Ray Perlner, Daniel Smith-Tone, Improved attacks for characteristic-2 parameters of the cubic ABC simple matrix encryption scheme, Post-quantum cryptography, 255–271, Lecture Notes in Comput. Sci., 10346, Springer, Cham, 2017.
- [VS17] Jeremy Vates, Daniel Smith-Tone, Key recovery attack for all parameters of , Post-quantum cryptography, 272–288, Lecture Notes in Comput. Sci., 10346, Springer, Cham, 2017.