High Order Derivatives and Decomposition of Multivariate Polynomials
Jean-Charles Faugère and Ludovic Perret
SALSA, LIP6, Université Paris 6 & INRIA Paris-Rocquencourt
ISSAC 2009
Outline
1. Functional Decomposition: Symbolic Computation & Cryptography
2. New Algorithm for FDP
Functional Decomposition Problem – 1/2

Definition. Let $h = (h_1, \dots, h_u) \in K[x_1, \dots, x_n]^u$. We shall say that $f = (f_1, \dots, f_u)$, $g = (g_1, \dots, g_n) \in K[x_1, \dots, x_n]^u \times K[x_1, \dots, x_n]^n$ is a decomposition of $h$ if
$$h = f \circ g = \big(f_1(g_1, \dots, g_n), \dots, f_u(g_1, \dots, g_n)\big).$$

Remark. A decomposition $(f, g)$ of $h$ is never unique: for all $S \in \mathrm{GL}_n(K)$, $h(x) = f\big(g(x) \cdot S^{-1} \cdot S\big)$, so $\big(f(x \cdot S),\ g(x) \cdot S^{-1}\big)$ is also a decomposition of $h$.
Functional Decomposition Problem – 2/2

FDP$(d_f, d_g)$
Input: $h = (h_1, \dots, h_u) \in K[x_1, \dots, x_n]^u$ and integers $d_f, d_g > 1$.
Find: a decomposition $f = (f_1, \dots, f_u) \in K[x_1, \dots, x_n]^u$, $g = (g_1, \dots, g_n) \in K[x_1, \dots, x_n]^n$ such that
$$h = f \circ g = \big(f_1(g_1, \dots, g_n), \dots, f_u(g_1, \dots, g_n)\big), \qquad \deg(f) = d_f, \quad \deg(g) = d_g.$$

Remark. The components $f = (f_1, \dots, f_u)$ are supposed to be of the same degree $d_f$, and the components $g = (g_1, \dots, g_n)$ of the same degree $d_g$.
Related Works
- J. von zur Gathen. "Functional decomposition of polynomials: the tame case" and "Functional decomposition of polynomials: the wild case". J. Symb. Comput., 1990.
- J. von zur Gathen. "Counting decomposable univariate polynomials". ISSAC'09.
- J. von zur Gathen, J. Gutierrez, R. Rubio. "Multivariate Polynomial Decomposition". AAECC, 2004.
- E.-W. Chionh, X.-S. Gao, L.-Y. Shen. "Inherently Improper Surface Parametric Supports". Computer Aided Geometric Design, 2006.
- S. M. Watt. "Functional Decomposition of Symbolic Polynomials". ICCSA'08.
Multivariate Cryptography: 2R⁻ Schemes

Secret key: $L_0, L_1, L_2 \in \mathrm{GL}_n(K)$ and two sets of polynomials $\psi$ and $\varphi$ of $K[x_1, \dots, x_n]^n$.
Public key:
$$h(x) = \big(h_1(x), \dots, h_u(x)\big) = \psi\big(\varphi(x \cdot L_0) \cdot L_1\big) \cdot L_2.$$
- L. Goubin, J. Patarin. "Asymmetric Cryptography with S-Boxes". ICICS'97.
- J.-C. Faugère. "Symbolic Computation and Cryptography". Tutorial, ISSAC 2009.

Related Works
- D.F. Ye, Z.D. Dai, K.Y. Lam (FDP(2,2), $u = n$). "Decomposing Attacks on Asymmetric Cryptography Based on Mapping Compositions". Journal of Cryptology, 2001.
- J.-C. Faugère, L. Perret (FDP(2,2), $u < n$). "Cryptanalysis of 2R⁻ schemes". CRYPTO 2006.
- J.-C. Faugère, L. Perret (FDP$(d_f, d_g)$). "An Efficient Algorithm for Decomposing Multivariate Polynomials and its Applications to Cryptography". Special issue of J. Symb. Comput. on "Gröbner Bases Techniques in Coding Theory and Cryptography".

Old algorithm: FDP$(d_f, d_g)$ is reduced to the chain FDP$(d_f - 1, d_g)$, FDP$(d_f - 2, d_g)$, $\dots$, FDP$(2, d_g)$.
Preliminary Remarks – 1/2
Let $f = (f_1, \dots, f_u)$, $g = (g_1, \dots, g_n) \in K[x]^u \times K[x]^n$ be a decomposition of $h = (h_1, \dots, h_u) \in K[x]^u$. For all $i$, $1 \le i \le u$, we have $h_i = f_i(g_1, \dots, g_n)$.
⇒ $f$ can be obtained from $g$ by solving a linear system in the coefficients of $f$: $O(u \cdot C^{n+d_f}_{d_f})$ equations and $u \cdot C^{n+d_f}_{d_f}$ unknowns.
Preliminary Remarks – 2/2

We suppose that the polynomials $(f, g)$ of a decomposition of $h$ are homogeneous of the same degrees $d_f$ and $d_g$.

Remark. A decomposition $(f, g)$ of $h$ is never unique: for all $S \in \mathrm{GL}_n(K)$, $h(x) = f\big(g(x) \cdot S^{-1} \cdot S\big)$, so $\big(f(x \cdot S),\ g(x) \cdot S^{-1}\big)$ is also a decomposition of $h$.

Goal: find a basis of $L(g) = \mathrm{Vect}_K(g_1, \dots, g_n)$.
Intuition – 1/2

Example: we consider FDP(3,2). Let $f = (f_1, \dots, f_u)$, $g = (g_1, \dots, g_n) \in K[x]^u \times K[x]^n$ be a $(3, 2)$ decomposition of $h = (h_1, \dots, h_u) \in K[x]^u$. For all $i$, $1 \le i \le u$:
$$h_i = f_i(g_1, \dots, g_n) = \sum_{1 \le k, \ell, m \le n} f^{(i)}_{k,\ell,m}\, g_k\, g_\ell\, g_m, \qquad \text{with } f_i = \sum_{1 \le k, \ell, m \le n} f^{(i)}_{k,\ell,m}\, x_k\, x_\ell\, x_m.$$
We have then:
$$\frac{\partial h_i}{\partial x_j} = \sum_{1 \le k, \ell, m \le n} f^{(i)}_{k,\ell,m} \left( \frac{\partial g_k}{\partial x_j}\, g_\ell\, g_m + g_k\, \frac{\partial g_\ell}{\partial x_j}\, g_m + g_k\, g_\ell\, \frac{\partial g_m}{\partial x_j} \right).$$
Thus (old idea):
$$\partial I_h = \left\langle \frac{\partial h_i}{\partial x_j} \;\middle|\; 1 \le i \le u,\ 1 \le j \le n \right\rangle \subseteq \langle x_k \cdot g_\ell \cdot g_m \rangle_{1 \le k, \ell, m \le n}.$$
New approach: differentiate a second time.
$$\begin{aligned}
\frac{\partial^2 h_i}{\partial x_j \partial x_r} = \sum_{1 \le k, \ell, m \le n} f^{(i)}_{k,\ell,m} \Big(
&\frac{\partial g_k}{\partial x_j}\frac{\partial g_\ell}{\partial x_r}\, g_m + g_k\, \frac{\partial g_\ell}{\partial x_j}\frac{\partial g_m}{\partial x_r} + \frac{\partial g_k}{\partial x_j}\frac{\partial g_m}{\partial x_r}\, g_\ell \\
+\ &\frac{\partial g_k}{\partial x_r}\frac{\partial g_\ell}{\partial x_j}\, g_m + g_k\, \frac{\partial g_\ell}{\partial x_r}\frac{\partial g_m}{\partial x_j} + \frac{\partial g_k}{\partial x_r}\frac{\partial g_m}{\partial x_j}\, g_\ell \\
+\ &\frac{\partial^2 g_k}{\partial x_j \partial x_r}\, g_\ell\, g_m + \frac{\partial^2 g_\ell}{\partial x_j \partial x_r}\, g_m\, g_k + \frac{\partial^2 g_m}{\partial x_j \partial x_r}\, g_k\, g_\ell \Big).
\end{aligned}$$
Intuition – 2/2

Example: we consider FDP(3,2). Let $f = (f_1, \dots, f_u)$, $g = (g_1, \dots, g_n) \in K[x]^u \times K[x]^n$ be a $(3, 2)$ decomposition of $h = (h_1, \dots, h_u) \in K[x]^u$.
$$\begin{aligned}
\frac{\partial^2 h_i}{\partial x_j \partial x_r} = \sum_{1 \le k, \ell, m \le n} f^{(i)}_{k,\ell,m} \Big(
&\frac{\partial g_k}{\partial x_j}\frac{\partial g_\ell}{\partial x_r}\, g_m + g_k\, \frac{\partial g_\ell}{\partial x_j}\frac{\partial g_m}{\partial x_r} + \frac{\partial g_k}{\partial x_j}\frac{\partial g_m}{\partial x_r}\, g_\ell \\
+\ &\frac{\partial g_k}{\partial x_r}\frac{\partial g_\ell}{\partial x_j}\, g_m + g_k\, \frac{\partial g_\ell}{\partial x_r}\frac{\partial g_m}{\partial x_j} + \frac{\partial g_k}{\partial x_r}\frac{\partial g_m}{\partial x_j}\, g_\ell \\
+\ &\frac{\partial^2 g_k}{\partial x_j \partial x_r}\, g_\ell\, g_m + \frac{\partial^2 g_\ell}{\partial x_j \partial x_r}\, g_m\, g_k + \frac{\partial^2 g_m}{\partial x_j \partial x_r}\, g_k\, g_\ell \Big).
\end{aligned}$$
Since each $g_k$ has degree 2, every $\partial g_k / \partial x_j$ is a linear form and every $\partial^2 g_k / \partial x_j \partial x_r$ is a constant, so each term above is a quadratic form times one $g_m$ (the last three terms are constants times $g_\ell g_m$, again a combination of the $x_k x_\ell g_m$). Thus:
$$\partial^2 I_h = \left\langle \frac{\partial^2 h_i}{\partial x_j \partial x_r} \;\middle|\; 1 \le i \le u,\ 1 \le j, r \le n \right\rangle \subseteq \langle x_k \cdot x_\ell \cdot g_m \rangle_{1 \le k, \ell, m \le n}.$$
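The containment above, checked in code: an added Python example (not from the paper) builds a constructed FDP(3,2) instance with $u = n = 7$ over GF(10007), takes all second partial derivatives of $h = f \circ g$, and confirms by Gaussian elimination that they lie in $\langle x_k \cdot x_\ell \cdot g_m \rangle$; with $n = 7$ that space has only 196 generators inside the 210-dimensional space of quartics, so the containment is a genuine constraint. The prime, the polynomials $f$ and $g$, the 0-based indexing and the helper names (mul, diff, mono, compose, rank, analyse) are all choices made here.

```python
P = 10007  # constructed example over GF(P); a polynomial is a dict {exponent tuple: coefficient mod P}
def mul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            r[e] = (r.get(e, 0) + c1 * c2) % P
    return {e: c for e, c in r.items() if c}
def diff(p, j):  # partial derivative with respect to x_j (0-based)
    return {e[:j] + (e[j] - 1,) + e[j + 1:]: c * e[j] % P for e, c in p.items() if e[j]}
def mono(n, idx, c=1):  # the monomial c * x_{i1} ... x_{ik} for idx = (i1, ..., ik)
    return {tuple(idx.count(i) for i in range(n)): c}
def compose(f, g):  # f(g_1, ..., g_n): substitute g_k for every x_k in f
    h = {}
    for e, c in f.items():
        t = {(0,) * len(g): c}
        for k, gk in enumerate(g):
            for _ in range(e[k]):
                t = mul(t, gk)
        for m, cm in t.items():
            h[m] = (h.get(m, 0) + cm) % P
    return {m: cm for m, cm in h.items() if cm}

def rank(polys):  # rank over GF(P) of the coefficient matrix (rows = polys, columns = monomials)
    mons = sorted({m for p in polys for m in p})
    rows = [[p.get(m, 0) for m in mons] for p in polys]
    r = 0
    for col in range(len(mons)):
        piv = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if piv is not None:
            rows[r], rows[piv] = rows[piv], rows[r]
            inv = pow(rows[r][col], -1, P)
            for i in range(len(rows)):
                if i != r and rows[i][col]:
                    fac = rows[i][col] * inv % P
                    rows[i] = [(a - fac * b) % P for a, b in zip(rows[i], rows[r])]
            r += 1
    return r

def analyse(h, g):  # (dim <x_k x_l g_m>, dim d^2 I_h, dim of their sum); first == third means containment
    n = len(g)
    S = [mul(mono(n, (k, l)), gm) for k in range(n) for l in range(k, n) for gm in g]
    D = [diff(diff(hi, j), r) for hi in h for j in range(n) for r in range(j, n)]  # j <= r by symmetry
    return rank(S), rank(D), rank(S + D)

n = 7  # constructed sparse FDP(3,2) instance with u = n: g quadratic, f cubic, so h = f o g has degree 6
g = [{**mono(n, (k, k)), **mono(n, (k, (k + 1) % n)), **mono(n, ((k + 2) % n, (k + 3) % n), 3)} for k in range(n)]
f = [{**mono(n, (k, k, k)), **mono(n, (k, (k + 1) % n, (k + 4) % n), 2)} for k in range(n)]
h = [compose(fi, g) for fi in f]
```

Calling analyse(h, g) returns the three dimensions; the first and third coincide exactly because every second derivative already lies in the span of the 196 products $x_k x_\ell g_m$.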
Case $u = n$

Write every second derivative $\dfrac{\partial^2 h_i}{\partial x_j \partial x_r}$ ($1 \le i \le n$, $1 \le j, r \le n$) on the generators $x_k \cdot x_m \cdot g_\ell$, $1 \le k, \ell, m \le n$. This gives a matrix $A$ whose rows are indexed by the second derivatives and whose columns are indexed by the products $x_k \cdot x_m \cdot g_\ell$:
$$A = \begin{array}{c|ccc}
 & \cdots & x_k \cdot x_m \cdot g_\ell & \cdots \\ \hline
\vdots & & \vdots & \\
\dfrac{\partial^2 h_i}{\partial x_j \partial x_r} & \cdots & \cdots & \cdots \\
\vdots & & \vdots &
\end{array}$$
If $\mathrm{Rank}(A) = n^3$, then $x_n^2 \cdot g_i \in \partial^2 I_h$ for all $i$, $1 \le i \le n$.