Formal Power Series on Algebraic Cryptanalysis
Shuhei Nakamura*

Abstract
In cryptography, attacks that utilize a Gröbner basis have broken several cryptosystems. The complexity of computing a Gröbner basis dominates the overall computation, and its estimation is important for such cryptanalysis. The complexity is given in terms of the solving degree, but it is hard to determine this value for a large-scale system arising from cryptography. Thus the degree of regularity and the first fall degree are used as proxies for the solving degree, based on a wealth of experiments. If a given system is semi-regular, the complexity is estimated by using the degree of regularity derived from a certain power series; otherwise, by using the first fall degree derived from the construction of a syzygy. The degree of regularity is also defined for a non-semi-regular system and is experimentally larger than the first fall degree, but the relation between them is not clear theoretically. Moreover, in contrast to the degree of regularity, the first fall degree has been investigated specifically for each cryptosystem, and no discussion of it on generic systems is given. In this paper, we show an upper bound for the first fall degree of a polynomial system over a sufficiently large field. In detail, we prove that this upper bound for a non-semi-regular system is the degree of regularity. Moreover, we prove that the upper bound for a multi-graded polynomial system is a certain value decided only by its multi-degree. Furthermore, we show that the condition on the order of the field in our results is satisfied in attacks against actual multivariate cryptosystems. Consequently, under a reasonable condition on the order of the field, we clarify the relation between the first fall degree and the degree of regularity and provide a theoretical method using a multivariate power series for cryptanalysis.
* Department of Liberal Arts and Basic Sciences, Nihon University, 1-2-1 Izumi-cho, Narashino, Chiba 275-8575, Japan (E-mail: [email protected])

1 Introduction

A Gröbner basis algorithm, which computes a Gröbner basis of the ideal generated by a given polynomial system, was discovered by B. Buchberger. It gives not only a foundation of computation in commutative ring theory and algebraic geometry but also applications in several other fields (e.g. coding theory, cryptography, statistics, robotics). In particular, in multivariate cryptography, there exist several attacks using a Gröbner basis algorithm.

Multivariate cryptography [9] is based on the NP-complete problem of solving a system of quadratic equations, called the MQ problem [19]. It is especially expected to have potential in building post-quantum signature schemes, and has been considered in the NIST PQC standardization project [24]. A Gröbner basis algorithm is used in attacks such as the direct attack [2], the Rainbow-Band-Separation attack [10], the MinRank attack with the Kipnis-Shamir modeling [20] and the Minors modeling [17]. Since the complexity of computing a Gröbner basis often dominates the overall complexity of an attack, its estimation is important to security analysis against such attacks.

A Gröbner basis algorithm in an attack is used for solving a system of polynomial equations derived from a cryptosystem. Its complexity depends on the solving degree, that is, the maximal degree required to compute the Gröbner basis, but this is an experimental value. In order to estimate the complexity of solving a large-scale polynomial system derived from a cryptosystem, we need to consider a theoretical proxy for the solving degree. The degree of regularity [1] and the first fall degree [13] are well known as such proxies.

For a semi-regular polynomial system, which generalizes a regular sequence to the overdetermined case, the degree of regularity introduced by M.
Bardet et al. [1] is given by the degree $D_{\mathrm{reg}}$ of the first term whose coefficient is non-positive in the power series
$$\frac{\prod_{i=1}^{m}(1-t^{d_i})}{(1-t)^n},$$
where $d_1,\dots,d_m$ and $n$ are the degrees and the number of variables of the system, respectively. By the definition, a Gröbner basis for a semi-regular system is computed within degree $D_{\mathrm{reg}}$. Since the value $D_{\mathrm{reg}}$ approximates the solving degree tightly and is simply computed from the power series, the degree of regularity is widely used for complexity estimation. On the other hand, there exist non-semi-regular systems in cryptography, such as the public quadratic system of the HFE scheme [25] and the quadratic systems solved in the Rainbow-Band-Separation attack and the MinRank attack with the Kipnis-Shamir modeling.

For a non-semi-regular system appearing in cryptography, its Gröbner basis is often computed within a smaller degree than the degree of regularity; namely, its solving degree is smaller than the degree of regularity. For a polynomial system whose components have the same degree, the first fall degree introduced by V. Dubois and N. Gama [13] is defined by using its syzygies and captures the first degree at which a non-trivial degree fall occurs during the computation of a Gröbner basis. Since it often approximates the solving degree of a non-semi-regular system appearing in cryptography, the first fall degree is used for complexity estimation, but deciding its actual value is hard. Thus, in previous estimations [11, 28], an upper bound for the first fall degree has been investigated by constructing a non-trivial syzygy. These estimations depend on each cryptosystem, and there is no general estimation for the first fall degree. Moreover, its relation with the degree of regularity is not clear theoretically.

In this paper, we show an upper bound for the first fall degree of a polynomial system over a sufficiently large field. In detail, we prove that this upper bound for a non-semi-regular system is the degree of regularity.
Moreover, we introduce a value $D_{\mathbb{Z}^s_{\ge 0}}$ using a multivariate power series and prove that the upper bound for a multi-graded polynomial system is this value $D_{\mathbb{Z}^s_{\ge 0}}$. The polynomial systems solved in the Rainbow-Band-Separation attack and the MinRank attack with the Kipnis-Shamir modeling are multi-graded, and we further show that the condition on the order of the field in our results is satisfied in these attacks against the multivariate cryptosystems proposed in the NIST PQC 2nd round. In particular, our result gives a theoretical background for the precise security analysis in [22, 23], since their values are specific cases of $D_{\mathbb{Z}^s_{\ge 0}}$. Consequently, under a reasonable condition on the order of the field, we clarify the relation between the first fall degree and the degree of regularity and provide a theoretical method using a multivariate power series for cryptanalysis.

This paper is organized as follows. In Section 2, we recall some fundamental concepts in commutative ring theory and the complexity estimation for a Gröbner basis algorithm in multivariate cryptography. In Section 3, we prove that the first fall degree of a non-semi-regular system is smaller than the degree of regularity if the order of the field is sufficiently large. In Section 4, we prove that the first fall degree of a multi-graded polynomial system is bounded by a certain value derived from its multi-degree if the order of the field is sufficiently large. In Section 5, we conclude our results.
In this section, we recall some fundamental concepts in commutative ring theory and the complexity estimation for a Gröbner basis algorithm.

2.1 Fundamental concepts in commutative ring theory
A (finitely generated) commutative ring $R$ is said to be $\mathbb{Z}^s$-graded if it has a decomposition $R=\bigoplus_{\mathbf{d}\in\mathbb{Z}^s}R_{\mathbf{d}}$ such that $R_{\mathbf{d}_1}R_{\mathbf{d}_2}\subseteq R_{\mathbf{d}_1+\mathbf{d}_2}$ for any $\mathbf{d}_i\in\mathbb{Z}^s$. In this paper, we always assume that $R_{\mathbf{d}}=\{0\}$ if $\mathbf{d}\in\mathbb{Z}^s$ has a negative component. Then we call $R$ a $\mathbb{Z}^s_{\ge 0}$-graded commutative ring. An element $h$ in $R_{\mathbf{d}}$ is said to be $\mathbb{Z}^s_{\ge 0}$-homogeneous, or simply homogeneous, and then we denote $\mathbf{d}$ by $\deg_{\mathbb{Z}^s_{\ge 0}}h$ and call it the $\mathbb{Z}^s_{\ge 0}$-degree of $h$. If $R_{\mathbf{0}}$ is a field, put
$$\mathrm{HS}_R(\mathbf{t})=\sum_{\mathbf{d}\in\mathbb{Z}^s_{\ge 0}}(\dim_{R_{\mathbf{0}}}R_{\mathbf{d}})\cdot\mathbf{t}^{\mathbf{d}}\in\mathbb{Z}_{\ge 0}[[t_1,\dots,t_s]],$$
where $\mathbf{d}=(d_1,\dots,d_s)$ and $\mathbf{t}^{\mathbf{d}}=t_1^{d_1}\cdots t_s^{d_s}$; this is called a (multivariate) Hilbert series. For a $\mathbb{Z}^s_{\ge 0}$-graded commutative ring $R$, its quotient ring by an ideal generated by $\mathbb{Z}^s_{\ge 0}$-homogeneous elements is $\mathbb{Z}^s_{\ge 0}$-graded. For example, the polynomial ring $F[\mathbf{x}_1,\dots,\mathbf{x}_s]$ is $\mathbb{Z}^s_{\ge 0}$-graded by $\deg_{\mathbb{Z}^s_{\ge 0}}x_{ij}=(0,\dots,0,\overset{i}{1},0,\dots,0)$, where $\mathbf{x}_i=\{x_{i1},\dots,x_{in_i}\}$. Then we have a decomposition $F[\mathbf{x}_1,\dots,\mathbf{x}_s]=\bigoplus_{\mathbf{d}\in\mathbb{Z}^s_{\ge 0}}F[\mathbf{x}_1,\dots,\mathbf{x}_s]_{\mathbf{d}}$, where $F[\mathbf{x}_1,\dots,\mathbf{x}_s]_{\mathbf{d}}$ is the vector space over $F$ generated by the monomials of $\mathbb{Z}^s_{\ge 0}$-degree $\mathbf{d}$. When $s=1$, for a polynomial $f$ in $F[x_1,\dots,x_n]$ and a well-ordering $<$ on $\mathbb{Z}_{\ge 0}$, we consider an expression $f=\sum_d f_d$ with $f_d\in F[x_1,\dots,x_n]_d$ and call its homogeneous component of degree $\max_<\{d\mid f_d\neq 0\}$ its top homogeneous component. When $\deg_{\mathbb{Z}_{\ge 0}}x_i=1$, the polynomial ring is said to be standard graded and we write $\deg f$ for $\deg_{\mathbb{Z}_{\ge 0}}f$. In this paper, we mainly treat the homogeneous case and call an element of $F[x_1,\dots,x_n]^m$ a system. Moreover, we call a system whose components are homogeneous a homogeneous system.

Let $R$ be a commutative ring. For $(h_1,\dots,h_m)\in R^m$, we define an $R$-module homomorphism
$$R^m\to R,\qquad (b_1,\dots,b_m)\mapsto\sum_{i=1}^{m}b_ih_i.$$
Then we denote by $\mathrm{Syz}_R(h_1,\dots,h_m)$, or simply $\mathrm{Syz}(h_1,\dots,h_m)$, the kernel of this homomorphism, and its elements are called syzygies of $(h_1,\dots,h_m)$. For example,
$$\pi_{ij}:=(0,\dots,0,\overset{i}{-h_j},0,\dots,0,\overset{j}{h_i},0,\dots,0),$$
where $1\le i<j\le m$, is such an element. Here, we denote by $\mathrm{KSyz}(h_1,\dots,h_m)$ the submodule generated by the elements $\pi_{ij}$, and its elements are called Koszul syzygies.

Let $R$ be a $\mathbb{Z}^s_{\ge 0}$-graded commutative ring. For $\mathbb{Z}^s_{\ge 0}$-homogeneous elements $h_1,\dots,h_m\in R$ with $\mathbf{d}_i=\deg_{\mathbb{Z}^s_{\ge 0}}h_i$ and the free module $E=R^m$ with the standard basis $\{e_1,\dots,e_m\}$, we denote by $K_i$ the $i$-th exterior power $\bigwedge^iE$ and define the Koszul complex $K(h_1,\dots,h_m)_\bullet$:
$$\cdots\xrightarrow{\delta_4}K_3\xrightarrow{\delta_3}K_2\xrightarrow{\delta_2}K_1\xrightarrow{\delta_1}R\to 0,\qquad
\delta_l(e_{i_1}\wedge\cdots\wedge e_{i_l})=\sum_{k=1}^{l}(-1)^{k+1}h_{i_k}\,e_{i_1}\wedge\cdots\wedge e_{i_{k-1}}\wedge e_{i_{k+1}}\wedge\cdots\wedge e_{i_l}.$$
Then we denote by $H_i(K(h_1,\dots,h_m)_\bullet)$ the $i$-th homology group of the complex and by $H_i(K(h_1,\dots,h_m)_\bullet)_{\mathbf{d}}$ its component of degree $\mathbf{d}$. Note that
$$H_1(K(h_1,\dots,h_m)_\bullet)_{\mathbf{d}}=\mathrm{Syz}(h_1,\dots,h_m)_{\mathbf{d}}/\mathrm{KSyz}(h_1,\dots,h_m)_{\mathbf{d}}.$$
Define $K(h_1,\dots,h_m)(-\mathbf{d})$ by $K(h_1,\dots,h_m)(-\mathbf{d})_{\mathbf{d}'}:=K(h_1,\dots,h_m)_{\mathbf{d}'-\mathbf{d}}$ for any $\mathbf{d}'$. Since $K(h_1,\dots,h_m)_\bullet$ is the mapping cone of $K(h_1,\dots,h_{m-1})_\bullet(-\mathbf{d}_m)\xrightarrow{\times h_m}K(h_1,\dots,h_{m-1})_\bullet$, we have the short exact sequence (see [7, 27])
$$0\to K(h_1,\dots,h_{m-1})_\bullet\to K(h_1,\dots,h_m)_\bullet\to K(h_1,\dots,h_{m-1})_\bullet(-\mathbf{d}_m)[-1]\to 0.$$
Thus we obtain the following long exact sequence:
$$\begin{aligned}
\cdots\to H_2(K(h_1,\dots,h_{m-1})_\bullet)(-\mathbf{d}_m)&\xrightarrow{\times h_m}H_2(K(h_1,\dots,h_{m-1})_\bullet)\to H_2(K(h_1,\dots,h_m)_\bullet)\\
\to H_1(K(h_1,\dots,h_{m-1})_\bullet)(-\mathbf{d}_m)&\xrightarrow{\times h_m}H_1(K(h_1,\dots,h_{m-1})_\bullet)\to H_1(K(h_1,\dots,h_m)_\bullet)\\
\to R/\langle h_1,\dots,h_{m-1}\rangle(-\mathbf{d}_m)&\xrightarrow{\times h_m}R/\langle h_1,\dots,h_{m-1}\rangle\to R/\langle h_1,\dots,h_m\rangle\to 0.
\end{aligned}\tag{1}$$

In this subsection, we discuss the standard graded polynomial ring. A Gröbner basis algorithm that computes a Gröbner basis of the ideal generated by a given polynomial system was discovered by Buchberger [4]. In multivariate cryptography, it is used as an algorithm for solving a system of polynomial equations, and there exist several attacks using a Gröbner basis algorithm. The complexity of computing a Gröbner basis often dominates the overall complexity of an attack, and its estimation is important to security analysis against such attacks. For example, the complexity of the Gröbner basis algorithm F4 [15] on a polynomial system in $n$ variables is estimated by
$$\binom{n+d_{\mathrm{slv}}}{d_{\mathrm{slv}}}^{\omega},$$
where $2<\omega\le 3$ and $d_{\mathrm{slv}}$ is the solving degree, that is, the maximal degree required to compute the Gröbner basis. However, the solving degree is an experimental value. In order to estimate the complexity of solving a large-scale polynomial system appearing in cryptography, we need to consider a theoretical proxy for the solving degree.

The degree of regularity introduced by Bardet et al. [1] is well known as such a proxy. For polynomials $f_1,\dots,f_m$ in the (standard graded) polynomial ring $F[x_1,\dots,x_n]$ with $d_i=\deg f_i$, the following $d_{\mathrm{reg}}$ is called the degree of regularity:
$$d_{\mathrm{reg}}(f_1,\dots,f_m)=\inf\{d\mid\langle f_1^{\mathrm{top}},\dots,f_m^{\mathrm{top}}\rangle_d=F[x_1,\dots,x_n]_d\}\cup\{\infty\},$$
where $f_i^{\mathrm{top}}$ is the top homogeneous component of $f_i$. When the top homogeneous component of the system $(f_1,\dots,f_m)$ is semi-regular [1] (also see Remark 3.6), the degree of regularity coincides with the degree $D_{\mathrm{reg}}$ of the first term whose coefficient is non-positive in the power series
$$\frac{\prod_{i=1}^{m}(1-t^{d_i})}{(1-t)^n}.$$
For any polynomials $g_1,\dots,g_m$ in $F[x_1,\dots,x_n]$ such that $\deg g_i=d_i$, it is known that the following inequality holds [7, 18]:
$$D_{\mathrm{reg}}\le d_{\mathrm{reg}}(g_1,\dots,g_m).$$
For a semi-regular system, the degree of regularity $D_{\mathrm{reg}}$ tightly approximates the solving degree. However, for a non-semi-regular system such as a multi-graded polynomial system, it is known that its Gröbner basis is computed within a smaller degree than the degree of regularity (for example [22]).

The first fall degree introduced by Dubois and Gama [13] is well known as a theoretical proxy for the solving degree of a non-semi-regular system. Let $B=\mathbb{F}_q[x_1,\dots,x_n]/\langle x_1^q,\dots,x_n^q\rangle$ with the standard graded decomposition $B=\bigoplus_{d\ge 0}B_d$. For any $h\in\mathbb{F}_q[x_1,\dots,x_n]$, we denote by $\bar h$ the image of $h$ under the natural surjection $\mathbb{F}_q[x_1,\dots,x_n]\to\mathbb{F}_q[x_1,\dots,x_n]/\langle x_1^q,\dots,x_n^q\rangle$. Let $d_0$ be a positive integer and $h_1,\dots,h_m\in\mathbb{F}_q[x_1,\dots,x_n]_{d_0}$. For a positive integer $d$, we consider
$$\varphi_d:B_{d-d_0}^m\to B_d,\qquad (b_1,\dots,b_m)\mapsto b_1\bar h_1+\cdots+b_m\bar h_m.$$
Then, for
$$\pi_{ij}:=(0,\dots,0,\overset{i}{-\bar h_j},0,\dots,0,\overset{j}{\bar h_i},0,\dots,0),\qquad \tau_i:=(0,\dots,0,\overset{i}{\bar h_i^{\,q-1}},0,\dots,0),$$
we define the following subspace of $\mathrm{Syz}_B(h_1,\dots,h_m)_d=\ker\varphi_d$:
$$\mathrm{TSyz}_B(h_1,\dots,h_m)_d:=\langle b_{ij}\pi_{ij},\ b_i\tau_i\mid b_{ij}\in B_{d-2d_0},\ b_i\in B_{d-d_0(q-1)}\rangle_{\mathbb{F}_q}.$$
For any $f_1,\dots,f_m\in\mathbb{F}_q[x_1,\dots,x_n]$ such that $\deg f_i=d_0$, the first fall degree $d_{\mathrm{ff}}(f_1,\dots,f_m)$ is defined by
$$d_{\mathrm{ff}}(f_1,\dots,f_m)=\inf\{d\mid\mathrm{Syz}_B(f_1^{\mathrm{top}},\dots,f_m^{\mathrm{top}})_d\neq\mathrm{TSyz}_B(f_1^{\mathrm{top}},\dots,f_m^{\mathrm{top}})_d\}\cup\{\infty\}.$$
Ding and Hodges [11] give an upper bound for the first fall degree by constructing a non-trivial syzygy for HFE [25] and prove that it is solved in quasilogarithmic time. Verbel et al. [28] construct a non-trivial syzygy of the quadratic system in the Kipnis-Shamir method [20] for the MinRank problem [17] and give a new complexity estimation with the first fall degree for this method. These evaluations of the first fall degree depend on each cryptosystem, and they are hard to apply to others.

For a given polynomial system, the degree of regularity and the first fall degree are defined on its top homogeneous component. It therefore suffices to treat the homogeneous case when discussing them. Thus, in this paper, we always assume that a polynomial is homogeneous, where the grading under consideration is not necessarily the standard grading.
In this section, we introduce a certain value for a polynomial system which coincides with the first fall degree of a polynomial system over a sufficiently large field. Then we prove that the first fall degree of a non-semi-regular system over such a field is smaller than the degree of regularity.

3.1 $d'_{\mathrm{ff}}$

In this section, for a polynomial in $F[x_1,\dots,x_n]$, we only use the standard grading, i.e. $\deg_{\mathbb{Z}_{\ge 0}}x_i=1$. We introduce the following definition for computing the first fall degree.

Definition 3.1.
For homogeneous polynomials $h_1,\dots,h_m$ in the polynomial ring $F[x_1,\dots,x_n]$, we define $d'_{\mathrm{ff}}$ as
$$d'_{\mathrm{ff}}(h_1,\dots,h_m)=\inf\{d\mid\mathrm{Syz}(h_1,\dots,h_m)_d\neq\mathrm{KSyz}(h_1,\dots,h_m)_d\}\cup\{\infty\}.$$
Let $\pi:\mathbb{F}_q[x_1,\dots,x_n]\to\mathbb{F}_q[x_1,\dots,x_n]/\langle x_1^q,\dots,x_n^q\rangle$. By the following lemmas, we see that $d'_{\mathrm{ff}}$ coincides with the first fall degree $d_{\mathrm{ff}}$ for a sufficiently large $q$.

Lemma 3.2.
For homogeneous polynomials $h_1,\dots,h_m\in\mathbb{F}_q[x_1,\dots,x_n]$ such that $\deg h_i=d_0$, if $q>d_{\mathrm{ff}}(h_1,\dots,h_m)$, then we have $d_{\mathrm{ff}}(h_1,\dots,h_m)\ge d'_{\mathrm{ff}}(h_1,\dots,h_m)$.

Proof. Let $R=\mathbb{F}_q[x_1,\dots,x_n]$ and $B=R/\langle x_1^q,\dots,x_n^q\rangle$. Put $d=d_{\mathrm{ff}}(h_1,\dots,h_m)$. There exists $\rho=(\rho_1,\dots,\rho_m)\in B_{d-d_0}^m$ such that $\rho\in\mathrm{Syz}_B(h_1,\dots,h_m)_d\setminus\mathrm{TSyz}_B(h_1,\dots,h_m)_d$, where $\deg\rho_i=d-d_0$ holds for a representative. Then, since $\sum_{i=1}^{m}\rho_i\bar h_i=0\in B_d$, we have $\rho_1h_1+\cdots+\rho_mh_m\in\langle x_1^q,\dots,x_n^q\rangle$. Since $\deg\rho_i+\deg h_i=d<q$, it follows that $\rho_1h_1+\cdots+\rho_mh_m=0$. If $\rho\in\mathrm{KSyz}_R(h_1,\dots,h_m)$, we obtain the contradiction $\rho\in\mathrm{TSyz}_B(h_1,\dots,h_m)$. Thus $\rho\in\mathrm{Syz}_R(h_1,\dots,h_m)\setminus\mathrm{KSyz}_R(h_1,\dots,h_m)$. Therefore, we have $d\ge d'_{\mathrm{ff}}(h_1,\dots,h_m)$.

Lemma 3.3.
For homogeneous polynomials $h_1,\dots,h_m\in\mathbb{F}_q[x_1,\dots,x_n]$ such that $\deg h_i=d_0\ge 2$, if $q>d'_{\mathrm{ff}}(h_1,\dots,h_m)$, then we have $d_{\mathrm{ff}}(h_1,\dots,h_m)\le d'_{\mathrm{ff}}(h_1,\dots,h_m)$.

Proof. Let $R=\mathbb{F}_q[x_1,\dots,x_n]$ and $B=R/\langle x_1^q,\dots,x_n^q\rangle$. Put $d=d'_{\mathrm{ff}}(h_1,\dots,h_m)$. There exists $\rho\in\mathrm{Syz}_R(h_1,\dots,h_m)_d\setminus\mathrm{KSyz}_R(h_1,\dots,h_m)_d$. In particular, $\bar\rho\in\mathrm{Syz}_B(h_1,\dots,h_m)_d$. Although the elements $b_i\tau_i$ for $b_i\in B_{d-d_0(q-1)}$ are contained in $\mathrm{TSyz}_B(h_1,\dots,h_m)_d$ as generators, they do not appear, since $B_{d-d_0(q-1)}=0$ by $d_0\ge 2$ and $q>d$. Thus, if $\bar\rho\in\mathrm{TSyz}_B(h_1,\dots,h_m)_d$, then $\bar\rho=\sum_{i,j}\bar b_{ij}\pi_{ij}$ for some $b_{ij}$ with $\deg b_{ij}=d-2d_0$ for a representative. Namely, $\rho-\sum_{i,j}b_{ij}\pi_{ij}\in\langle x_1^q,\dots,x_n^q\rangle^m$. By $d<q$, we have $\rho-\sum_{i,j}b_{ij}\pi_{ij}=(0,\dots,0)$, i.e. $\rho=\sum_{i,j}b_{ij}\pi_{ij}\in\mathrm{KSyz}(h_1,\dots,h_m)_d$, which contradicts the choice of $\rho$. Therefore, $d_{\mathrm{ff}}(h_1,\dots,h_m)\le d$.

Proposition 3.4.
For homogeneous polynomials $h_1,\dots,h_m\in\mathbb{F}_q[x_1,\dots,x_n]$ such that $\deg h_i=d_0\ge 2$, if $q>\min\{d_{\mathrm{ff}}(h_1,\dots,h_m),\,d'_{\mathrm{ff}}(h_1,\dots,h_m)\}$, then we have $d_{\mathrm{ff}}(h_1,\dots,h_m)=d'_{\mathrm{ff}}(h_1,\dots,h_m)$.

Proof. When $q>d_{\mathrm{ff}}$, we have $d_{\mathrm{ff}}\ge d'_{\mathrm{ff}}$ by Lemma 3.2. Then $q>d_{\mathrm{ff}}\ge d'_{\mathrm{ff}}$, and we have $d_{\mathrm{ff}}\le d'_{\mathrm{ff}}$ by Lemma 3.3. Thus $d_{\mathrm{ff}}=d'_{\mathrm{ff}}$. Similarly, when $q>d'_{\mathrm{ff}}$, we have the same result.

In Section 4.2, we show that the assumption of this proposition, i.e. $q>\min\{d_{\mathrm{ff}}(h_1,\dots,h_m),\,d'_{\mathrm{ff}}(h_1,\dots,h_m)\}$, is satisfied in attacks against actual cryptosystems. In the next subsection, we see that the first fall degree of a non-semi-regular system is smaller than its degree of regularity under this assumption.

In the article [7], Diem investigates a relation between the regularity of a polynomial system and its syzygies. The following definition is introduced in [7].
Definition 3.5 ([7]). A homogeneous system $h_1,\dots,h_m\in F[x_1,\dots,x_n]$ is regular up to degree $d_0$ if the following multiplication map $\times h_i$ by $h_i$ is injective for each $i=1,\dots,m$:
$$\times h_i:(S/\langle h_1,\dots,h_{i-1}\rangle)_{d-\deg h_i}\to(S/\langle h_1,\dots,h_{i-1}\rangle)_d,\qquad\forall d\le d_0,$$
where $S=F[x_1,\dots,x_n]$.

Remark 3.6.
In their article [1], Bardet et al. define a semi-regular system for a homogeneous system. Note that a homogeneous system is semi-regular if and only if it is regular up to degree $D_{\mathrm{reg}}-1$.

Definition 3.7.
Let $\preceq$ be a well-ordering on $\mathbb{Z}^s_{\ge 0}$.
1. For two elements $a,b$ of the formal power series ring $\mathbb{Z}[[t_1,\dots,t_s]]$, we write $a\equiv_{\preceq\mathbf{d}}b$ if the coefficients of the monomials of degree less than or equal to $\mathbf{d}$ with respect to $\preceq$ are the same.
2. For a $\mathbb{Z}^s_{\ge 0}$-graded module $M$ over a $\mathbb{Z}^s_{\ge 0}$-graded commutative ring $R$, i.e. $M=\bigoplus_{\mathbf{d}\in\mathbb{Z}^s_{\ge 0}}M_{\mathbf{d}}$ such that $R_{\mathbf{d}_1}M_{\mathbf{d}_2}\subseteq M_{\mathbf{d}_1+\mathbf{d}_2}$ for any $\mathbf{d}_i$, we put $M_{\preceq\mathbf{d}}=\bigoplus_{\mathbf{d}'\preceq\mathbf{d}}M_{\mathbf{d}'}$.

The regularity in Definition 3.5 is characterized as follows:
Proposition 3.8 ([7]). Let $S$ be the standard graded polynomial ring $F[x_1,\dots,x_n]$ with $F[x_1,\dots,x_n]=\bigoplus_{d\in\mathbb{Z}_{\ge 0}}F[x_1,\dots,x_n]_d$. For a homogeneous system $h_1,\dots,h_m\in S$ with $\deg h_i\neq 0$, the following conditions are equivalent:
1. $h_1,\dots,h_m$ is regular up to degree $d_0$;
2. $\mathrm{HS}_{S/\langle h_1,\dots,h_m\rangle}(t)\equiv_{\le d_0}\prod_{i=1}^{m}(1-t^{\deg h_i})\,\mathrm{HS}_S(t)$;
3. $H_1(K(h_1,\dots,h_m)_\bullet)_{\le d_0}=\{0\}$.

Since $H_1(K(h_1,\dots,h_m)_\bullet)_d=\mathrm{Syz}(h_1,\dots,h_m)_d/\mathrm{KSyz}(h_1,\dots,h_m)_d$, for the value $d'_{\mathrm{ff}}$ in Definition 3.1 we note that
$$d'_{\mathrm{ff}}(f_1,\dots,f_m)=\inf\{d\mid H_1(K(f_1^{\mathrm{top}},\dots,f_m^{\mathrm{top}})_\bullet)_d\neq 0\}\cup\{\infty\}.$$
Then we obtain the following theorem:
Theorem 3.9.
For a non-semi-regular system $h_1,\dots,h_m\in\mathbb{F}_q[x_1,\dots,x_n]$, we have
$$d'_{\mathrm{ff}}(h_1,\dots,h_m)+1\le D_{\mathrm{reg}}(h_1,\dots,h_m).$$
Moreover, if $\deg h_i=d_0\ge 2$ and $q>\min\{d_{\mathrm{ff}}(h_1,\dots,h_m),\,d'_{\mathrm{ff}}(h_1,\dots,h_m)\}$, we have
$$d_{\mathrm{ff}}(h_1,\dots,h_m)+1\le D_{\mathrm{reg}}(h_1,\dots,h_m).$$
In particular, $d_{\mathrm{ff}}(h_1,\dots,h_m)+1\le d_{\mathrm{reg}}(h_1,\dots,h_m)$.

Proof. Since there is no non-Koszul syzygy of degree less than or equal to $d'_{\mathrm{ff}}(h_1,\dots,h_m)-1$, we have $H_1(K(h_1,\dots,h_m)_\bullet)_{\le d'_{\mathrm{ff}}-1}=\{0\}$. By Proposition 3.8, this means that $h_1,\dots,h_m$ is regular up to degree $d'_{\mathrm{ff}}-1$. If $h_1,\dots,h_m$ were regular up to degree $D_{\mathrm{reg}}-1$, it would be semi-regular, which contradicts the assumption (see Remark 3.6). Therefore $d'_{\mathrm{ff}}(h_1,\dots,h_m)$
For a given polynomial system, a standard signature-based algorithm avoids the zero-reductions caused by its Koszul syzygies and can give a set of generators for the syzygy module (see [14]). In particular, for a polynomial system which has a non-Koszul syzygy, such an algorithm must compute up to the value $d'_{\mathrm{ff}}$.

Remark 3.12.
Suppose that the complexity of solving a system in $F[x_1,\dots,x_n]$ deduced from an attack against a cryptosystem is given by
$$\binom{n+d_{\mathrm{slv}}}{d_{\mathrm{slv}}}^{\omega},$$
and that the complexity at $d_{\mathrm{slv}}=q$ satisfies the security requirement. Then, in order to know the security in terms of $d_{\mathrm{ff}}$, it suffices to compute $d'_{\mathrm{ff}}$. Indeed, if $q>\min\{d'_{\mathrm{ff}},d_{\mathrm{ff}}\}$, which is the assumption of Theorem 3.9, we have $d_{\mathrm{ff}}=d'_{\mathrm{ff}}$; otherwise $d_{\mathrm{ff}}\ge\min\{d'_{\mathrm{ff}},d_{\mathrm{ff}}\}\ge q$, which means that the system is secure against the attack by the choice of $q$. A more concrete discussion of $q$ is given in Section 4.2.

In this section, we introduce a value using a multi-degree to approximate the solving degree and, by extending Proposition 3.8 to a multi-grading, prove that the first fall degree of a multi-graded polynomial system over a sufficiently large field is bounded by this value. Moreover, we show that the assumption on the field order $q$ in our results is satisfied in attacks against actual cryptosystems.

In this subsection, we show that the value in the following definition gives an upper bound for the first fall degree of a multi-graded polynomial system.
Definition 4.1.
Let $S$ be the $\mathbb{Z}^s_{\ge 0}$-graded polynomial ring. For $\mathbb{Z}^s_{\ge 0}$-homogeneous polynomials $h_1,\dots,h_m$ in $S$, we put
$$\sum_{\mathbf{d}\in\mathbb{Z}^s_{\ge 0}}a_{\mathbf{d}}\,\mathbf{t}^{\mathbf{d}}=\prod_{i=1}^{m}(1-\mathbf{t}^{\deg h_i})\,\mathrm{HS}_S(\mathbf{t}),\tag{2}$$
where $\sharp\mathbf{x}_i=n_i$ and $\mathbf{t}^{\mathbf{d}}=t_1^{d_1}\cdots t_s^{d_s}$ for $\mathbf{d}=(d_1,\dots,d_s)$, and define
$$D_{\mathbb{Z}^s_{\ge 0}}(h_1,\dots,h_m):=\inf\{|\mathbf{d}|:a_{\mathbf{d}}<0\}\cup\{\infty\}.$$
Moreover, for a well-ordering $\prec$ on $\mathbb{Z}^s_{\ge 0}$, we define
$$D_{\mathbb{Z}^s_{\ge 0},\prec}(h_1,\dots,h_m):=\inf_{\prec}\{\mathbf{d}\mid a_{\mathbf{d}}<0\}\cup\{\infty\},$$
where $\mathbf{d}\prec\infty$ for any $\mathbf{d}$.

The value $D_{\mathbb{Z}^s_{\ge 0}}$ in Definition 4.1 is similar to $D_{\mathrm{mgd}}$ in [23], but our value is also available for a weighted degree and is a more general concept. Moreover, we extend Definition 3.1 to the following:

Definition 4.2.
For $\mathbb{Z}^s_{\ge 0}$-homogeneous polynomials $h_1,\dots,h_m$ in the $\mathbb{Z}^s_{\ge 0}$-graded polynomial ring $S$ with a well-ordering $\prec$ on $\mathbb{Z}^s_{\ge 0}$, we define $d'_{\mathrm{ff},\prec}$ as
$$d'_{\mathrm{ff},\prec}(h_1,\dots,h_m)=\inf_{\prec}\{\mathbf{d}\mid\mathrm{Syz}(h_1,\dots,h_m)_{\mathbf{d}}\neq\mathrm{KSyz}(h_1,\dots,h_m)_{\mathbf{d}}\}\cup\{\infty\}.$$
If $s=1$, we denote this by $d'_{\mathrm{ff},<}$.

For the standard grading, i.e. $\deg_{\mathbb{Z}_{\ge 0}}x_i=1$, the value $d'_{\mathrm{ff},<}$ coincides with $d'_{\mathrm{ff}}$ in Definition 3.1. We can extend Definition 3.5 and Proposition 3.8 to a multi-grading as follows.

Definition 4.3.
Let $S$ be the $\mathbb{Z}^s_{\ge 0}$-graded polynomial ring and $\preceq$ be a well-ordering on $\mathbb{Z}^s_{\ge 0}$. Then a $\mathbb{Z}^s_{\ge 0}$-homogeneous system $h_1,\dots,h_m$ is regular up to degree $\mathbf{d}_0$ if the following multiplication map $\times h_i$ by $h_i$ is injective for each $i=1,\dots,m$:
$$\times h_i:(S/\langle h_1,\dots,h_{i-1}\rangle)_{\mathbf{d}-\deg h_i}\to(S/\langle h_1,\dots,h_{i-1}\rangle)_{\mathbf{d}},\qquad\forall\mathbf{d}\preceq\mathbf{d}_0.$$

Lemma 4.4.
Let $S$ be the $\mathbb{Z}^s_{\ge 0}$-graded polynomial ring and $\prec$ be a well-ordering on $\mathbb{Z}^s_{\ge 0}$ compatible with $<$ on $\mathbb{Z}_{\ge 0}$, in the sense that $\mathbf{a}\prec\mathbf{b}$ if $|\mathbf{a}|<|\mathbf{b}|$ for $\mathbf{a},\mathbf{b}\in\mathbb{Z}^s_{\ge 0}$. For a $\mathbb{Z}^s_{\ge 0}$-homogeneous system $h_1,\dots,h_m$ with $\mathbf{d}_i:=\deg h_i\neq\mathbf{0}$, the following conditions are equivalent:
1. $h_1,\dots,h_m$ is regular up to degree $\mathbf{d}_0$;
2. $\mathrm{HS}_{S/\langle h_1,\dots,h_m\rangle}(\mathbf{t})\equiv_{\preceq\mathbf{d}_0}\prod_{i=1}^{m}(1-\mathbf{t}^{\deg h_i})\,\mathrm{HS}_S(\mathbf{t})$;
3. $H_1(K(h_1,\dots,h_m)_\bullet)_{\preceq\mathbf{d}_0}=\{0\}$.

Proof.
The proof proceeds in the same way as that of Proposition 3.8 ([7]). For the assertion $1\Rightarrow 2$, we suppose that the assertion holds for $m-1$. Then, for any $\mathbf{d}\preceq\mathbf{d}_0$, by the injection $\times h_m:(S/\langle h_1,\dots,h_{m-1}\rangle)_{\mathbf{d}-\mathbf{d}_m}\to(S/\langle h_1,\dots,h_{m-1}\rangle)_{\mathbf{d}}$, we have
$$\mathrm{HS}_{S/\langle h_1,\dots,h_m\rangle}(\mathbf{t})=\mathrm{HS}_R(\mathbf{t})-\mathrm{HS}_{\langle h_m\rangle R}(\mathbf{t})\equiv_{\preceq\mathbf{d}_0}\mathrm{HS}_R(\mathbf{t})-\mathrm{HS}_R(\mathbf{t})\cdot\mathbf{t}^{\deg h_m}=(1-\mathbf{t}^{\deg h_m})\,\mathrm{HS}_R(\mathbf{t}),$$
where $R=S/\langle h_1,\dots,h_{m-1}\rangle$.

For the assertion $2\Rightarrow 3$, we suppose that the assertion holds for $m-1$. For any $\mathbf{d}\preceq\mathbf{d}_0$, the long exact sequence (1) induces an exact sequence
$$\cdots\to H_1(K(h_1,\dots,h_{m-1})_\bullet)_{\mathbf{d}}\to H_1(K(h_1,\dots,h_m)_\bullet)_{\mathbf{d}}\to(S/\langle h_1,\dots,h_{m-1}\rangle)(-\mathbf{d}_m)_{\mathbf{d}}\xrightarrow{\times h_m}(S/\langle h_1,\dots,h_{m-1}\rangle)_{\mathbf{d}}.$$
By the induction hypothesis and the injectivity of $\times h_m$, we have $H_1(K(h_1,\dots,h_m)_\bullet)_{\mathbf{d}}=0$.

For the assertion $3\Rightarrow 1$, it suffices to prove the following statement and the case $l=m-1$:
$$H_1(K(h_1,\dots,h_m))_{\preceq\mathbf{d}_0}=0\ \Rightarrow\ H_1(K(h_1,\dots,h_l))_{\preceq\mathbf{d}_0}=0,\qquad 1\le\forall l\le m.$$
Indeed, by the long exact sequence
$$\cdots\to H_1(K(h_1,\dots,h_l)_\bullet)\to(S/\langle h_1,\dots,h_{l-1}\rangle)(-\mathbf{d}_l)\xrightarrow{\times h_l}S/\langle h_1,\dots,h_{l-1}\rangle,$$
the right-hand condition for each $1\le l\le m$ gives the injection
$$\times h_l:(S/\langle h_1,\dots,h_{l-1}\rangle)(-\mathbf{d}_l)_{\mathbf{d}}\to(S/\langle h_1,\dots,h_{l-1}\rangle)_{\mathbf{d}},\qquad\forall\mathbf{d}\preceq\mathbf{d}_0.$$
Suppose that there exists the minimum $\mathbf{d}'$ such that $H_1(K(h_1,\dots,h_{m-1})_\bullet)_{\mathbf{d}'}\neq 0$. Then, by $|\mathbf{d}_m|>0$ and $\mathbf{d}'\succ\mathbf{d}'-\mathbf{d}_m$,
$$H_1(K(h_1,\dots,h_{m-1})_\bullet)(-\mathbf{d}_m)_{\mathbf{d}'}=H_1(K(h_1,\dots,h_{m-1})_\bullet)_{\mathbf{d}'-\mathbf{d}_m}=0.$$
Hence we have $H_1(K(h_1,\dots,h_m)_\bullet)_{\mathbf{d}'}\neq 0$ by the exact sequence
$$H_1(K(h_1,\dots,h_{m-1})_\bullet)(-\mathbf{d}_m)_{\mathbf{d}'}\xrightarrow{\times h_m}H_1(K(h_1,\dots,h_{m-1})_\bullet)_{\mathbf{d}'}\to H_1(K(h_1,\dots,h_m)_\bullet)_{\mathbf{d}'}$$
in the long exact sequence (1). Since $H_1(K(h_1,\dots,h_m)_\bullet)_{\preceq\mathbf{d}_0}=0$, we have $\mathbf{d}_0\prec\mathbf{d}'$. Therefore $H_1(K(h_1,\dots,h_{m-1})_\bullet)_{\preceq\mathbf{d}_0}=0$.

By this lemma, we see that the value in Definition 4.1 is an upper bound for the first fall degree of a multi-graded polynomial system.

Theorem 4.5.
Let $S$ be the $\mathbb{Z}^s_{\ge 0}$-graded polynomial ring. Then $S$ is $\mathbb{Z}_{\ge 0}$-graded with $S_d=\bigoplus_{|\mathbf{d}|=d}S_{\mathbf{d}}$. For $\mathbb{Z}^s_{\ge 0}$-homogeneous polynomials $h_1,\dots,h_m$ with $\deg_{\mathbb{Z}^s_{\ge 0}}h_i\neq\mathbf{0}$, we have
$$d'_{\mathrm{ff},<}(h_1,\dots,h_m)\le D_{\mathbb{Z}^s_{\ge 0}}(h_1,\dots,h_m).$$
Moreover, if $S=\mathbb{F}_q[\mathbf{x}_1,\dots,\mathbf{x}_s]$ with $\deg_{\mathbb{Z}^s_{\ge 0}}x_{ij}=\mathbf{e}_i$, $\deg h_i=d_0\ge 2$ and $q>\min\{d_{\mathrm{ff}}(h_1,\dots,h_m),\,d'_{\mathrm{ff}}(h_1,\dots,h_m)\}$, we have
$$d_{\mathrm{ff}}(h_1,\dots,h_m)\le D_{\mathbb{Z}^s_{\ge 0}}(h_1,\dots,h_m).$$

Proof.
Since the assertion concerns $S_d=\bigoplus_{|\mathbf{d}|=d}S_{\mathbf{d}}$, we may fix the well-ordering $\prec$ on $\mathbb{Z}^s_{\ge 0}$ in Lemma 4.4 as the graded lexicographic ordering. When $D_{\mathbb{Z}^s_{\ge 0}}=\infty$, the statement is obvious. If $D_{\mathbb{Z}^s_{\ge 0}}<\infty$, the power series (2) has a negative coefficient at a certain $\mathbf{d}$ such that $|\mathbf{d}|=D_{\mathbb{Z}^s_{\ge 0}}(h_1,\dots,h_m)$. Then, by Lemma 4.4 and the positivity of the coefficients in the Hilbert series, there exists a non-Koszul syzygy of $\mathbb{Z}^s_{\ge 0}$-degree less than or equal to $\mathbf{d}$ with respect to $\prec$. Thus $d'_{\mathrm{ff},<}\le D_{\mathbb{Z}^s_{\ge 0}}(h_1,\dots,h_m)$ on the $\mathbb{Z}_{\ge 0}$-graded $S$ with $S_d=\bigoplus_{|\mathbf{d}|=d}S_{\mathbf{d}}$. Assume that $S=\mathbb{F}_q[\mathbf{x}_1,\dots,\mathbf{x}_s]$ and it is $\mathbb{Z}^s_{\ge 0}$-graded by $\deg_{\mathbb{Z}^s_{\ge 0}}x_{ij}=\mathbf{e}_i$. For the standard grading, when $d_0\ge 2$ and $q>\min\{d_{\mathrm{ff}}(h_1,\dots,h_m),\,d'_{\mathrm{ff}}(h_1,\dots,h_m)\}$, we have the last assertion, since $d_{\mathrm{ff}}(h_1,\dots,h_m)=d'_{\mathrm{ff},<}(h_1,\dots,h_m)$ by Proposition 3.4.

The following theorem is a more general statement than Theorem 4.5, and it has an application (see Subsection 4.2).

Theorem 4.6.
Let $S$ be the $\mathbb{Z}^s_{\ge 0}$-graded polynomial ring and $\prec$ be a well-ordering on $\mathbb{Z}^s_{\ge 0}$ compatible with $<$ on $\mathbb{Z}_{\ge 0}$, in the sense that $\mathbf{a}\prec\mathbf{b}$ if $|\mathbf{a}|<|\mathbf{b}|$ for $\mathbf{a},\mathbf{b}\in\mathbb{Z}^s_{\ge 0}$. Then, for $\mathbb{Z}^s_{\ge 0}$-homogeneous polynomials $h_1,\dots,h_m$, we have
$$d'_{\mathrm{ff},\prec}(h_1,\dots,h_m)\preceq D_{\mathbb{Z}^s_{\ge 0},\prec}(h_1,\dots,h_m).$$

Proof.
Since it is obvious for $D_{\mathbb{Z}^s_{\ge 0},\prec}=\infty$, we may assume that $\mathbf{d}_0:=D_{\mathbb{Z}^s_{\ge 0},\prec}(h_1,\dots,h_m)\in\mathbb{Z}^s_{\ge 0}$. By Lemma 4.4 with the same well-ordering as in the statement, we have $H_1(K(h_1,\dots,h_m)_\bullet)_{\preceq\mathbf{d}_0}\neq\{0\}$. It follows that $d'_{\mathrm{ff},\prec}(h_1,\dots,h_m)\preceq\mathbf{d}_0$.

In the previous section, we gave an upper bound for the first fall degree $d_{\mathrm{ff}}$ of a polynomial system $f_1,\dots,f_m$ whose top homogeneous component is $\mathbb{Z}^s_{\ge 0}$-homogeneous, under the assumption that
$$\deg f_i=d_0\ge 2,\qquad q>\min\{d_{\mathrm{ff}}(f_1,\dots,f_m),\,d'_{\mathrm{ff}}(f_1,\dots,f_m)\}.\tag{3}$$
In this section, we show that this assumption is satisfied in attacks against the multivariate public key signature schemes Rainbow [12] and GeMSS [5] proposed in the NIST PQC standardization project [24] (see the appendix for the notation in this section).

The Rainbow scheme is a multilayered version of the UOV scheme [21]. The Rainbow-Band-Separation attack [10] is an attack recovering a secret key of Rainbow, and its complexity is dominated by that of a Gröbner basis algorithm for solving a certain system, say the RBS dominant system. Let $v$, $o_1$ and $o_2$ be Rainbow parameters. For $n\times n$ matrices $M_{p_1},\dots,M_{p_m}$ corresponding to a public quadratic system $(p_1,\dots,p_m)$, where $n=v+o_1+o_2$ and $m=o_1+o_2$, the RBS dominant system is a quadratic system in $\mathbb{F}_q[x_1,\dots,x_{v+o_1},y_1,\dots,y_{o_2}]^{m+n-1}$ consisting of
$$(x_1,\dots,x_{v+o_1},0,\dots,0,1)\,M_{p_i}\,{}^t(x_1,\dots,x_{v+o_1},0,\dots,0,1),\qquad 1\le i\le m,$$
and $n-1$ components of
$$(x_1,\dots,x_{v+o_1},0,\dots,0,1)\,M_{p_1}+\sum_{j=1}^{o_2}y_j\,(x_1,\dots,x_{v+o_1},0,\dots,0,1)\,M_{p_{o_1+j}}.$$
Since $(x_1,\dots,x_{v+o_1},0,\dots,0,1)$ and ${}^t(1,0,\dots,0,y_1,\dots,y_{o_2})$ correspond to a row and a column of the secret linear transformations, the Rainbow-Band-Separation attack can recover a part of the secret key by solving the system. The polynomial ring $S=\mathbb{F}_q[x_1,\dots,x_{v+o_1},y_1,\dots,y_{o_2}]$ is $\mathbb{Z}^2_{\ge 0}$-graded by $\deg_{\mathbb{Z}^2_{\ge 0}}x_i=(1,0)$ and $\deg_{\mathbb{Z}^2_{\ge 0}}y_i=(0,1)$, and the RBS dominant system lies in $S_{(1,1)}^{n-1}\oplus S_{(2,0)}^{m}$ and is $\mathbb{Z}^2_{\ge 0}$-homogeneous. Then, for the $\mathbb{Z}^2_{\ge 0}$-graded polynomial ring $S$, the power series (2) in Definition 4.1 is
$$\frac{(1-t_1t_2)^{v+o_1+o_2-1}(1-t_1^2)^{o_1+o_2}}{(1-t_1)^{v+o_1}(1-t_2)^{o_2}}.\tag{4}$$
The paper [22] experimentally shows that the solving degree of the RBS dominant system is tightly approximated by $D_{\mathbb{Z}^2_{\ge 0}}$ in Definition 4.1, which is written as $D_{\mathrm{bgd}}$ in [22]. According to [22], for the Rainbow parameters Ia and IIIc/Vc [12] proposed in the NIST PQC 2nd round, the best complexities of the Rainbow-Band-Separation attack are given by $D_{\mathbb{Z}^2_{\ge 0}}=15$ and $23/30$, respectively. Since $q=16$ and $256$ for the parameters Ia and IIIc/Vc, it follows that $q>D_{\mathbb{Z}^2_{\ge 0}}$ holds. In particular, since $q>d'_{\mathrm{ff}}$ by Theorem 4.5, the assumption (3) holds and the second half of Theorem 4.5 applies. Namely, the value $D_{\mathbb{Z}^2_{\ge 0}}$ in the paper [22] gives an upper bound for the first fall degree $d_{\mathrm{ff}}$. Furthermore, Perlner and Smith-Tone [26] propose a Gröbner basis algorithm that arranges the polynomials arising from the RBS dominant system with respect to a well-ordering on $\mathbb{Z}^2_{\ge 0}$ and further improves the complexity of the attack. Then we can use Theorem 4.6 as a theoretical background for this algorithm. Note that their theoretical value in [26] is defined by a non-positive coefficient appearing in (4), i.e. it is different from our value $D_{\mathbb{Z}^2_{\ge 0}}$, and has another theoretical background based on, for example, a conjecture in Diem [6].

The multivariate signature scheme GeMSS [5] is a minus and vinegar modification of the HFE scheme [25]. The MinRank attack with the Kipnis-Shamir modeling [20] is an attack recovering a secret key of a multivariate cryptosystem such as GeMSS and Rainbow. Although the public quadratic system of GeMSS is defined over the field $\mathbb{F}_2$ of order two, the complexity of the attack is dominated by that of a Gröbner basis algorithm for solving a certain system over a very large field, say the KS system. Let $n$, $D$, $a$ and $v$ be GeMSS parameters. For $(n+v)\times(n+v)$ matrices $M_{p_1},\dots,M_{p_{n-a}}$ over $\mathbb{F}_2$ corresponding to the public quadratic system $(p_1,\dots,p_{n-a})$, the MinRank attack finds $x_1,\dots,x_{n-a}$ in $\mathbb{F}_{2^n}$ such that
$$\mathrm{rank}\Big(\sum_{i=1}^{n-a}x_iM_{p_i}\Big)\le r,$$
where $r=\lceil\log_2(D-1)\rceil+a+v$. Then, since a found vector $(x_1,\dots,x_{n-a})$ corresponds to a column vector of a certain linear transformation over $\mathbb{F}_{2^n}$, the MinRank attack can recover a part of the secret key. For finding $x_1,\dots,x_{n-a}$, the Kipnis-Shamir modeling solves the KS system over $\mathbb{F}_{2^n}$, which is a quadratic system in $\mathbb{F}_{2^n}[\mathbf{x},\mathbf{k}_1,\dots,\mathbf{k}_c]^{c(n-a)}$ consisting of the components of
$$(0,\dots,0,\overset{j}{1},0,\dots,0,k_{j1},\dots,k_{jr})\Big(\sum_{i=1}^{n-a}x_iM_{p_i}\Big),\qquad 1\le j\le c,$$
where $\mathbf{x}=\{x_1,\dots,x_{n-a}\}$, $\mathbf{k}_j=\{k_{j1},\dots,k_{jr}\}$ and $c\le n-a-r$. Since the polynomial ring $S=\mathbb{F}_{2^n}[\mathbf{x},\mathbf{k}_1,\dots,\mathbf{k}_c]$ is $\mathbb{Z}^{c+1}_{\ge 0}$-graded by $\deg_{\mathbb{Z}^{c+1}_{\ge 0}}x_i=(1,0,\dots,$
0) and deg Z c +1 ≥ k jl = (0 , . . . , , j +1 , , . . . , , the top homogeneous component of the KS system is contained in (cid:76) c +1 j =2 S n − a e + e j and is Z c +1 ≥ -homogeneous where e j = (0 , . . . , , j , , . . . , Z c +1 ≥ -graded polynomial ring S , the power series (2) in Definition 4.1 is(1 − t t ) n − a · · · (1 − t t c ) n − a (1 − t ) m (1 − t ) r · · · (1 − t c ) r . (5)The paper [23] experimentally shows that the solving degree of the KS systemfrom the Minrank problem [17] is approximated by D Z c +1 ≥ in Definition 4.1 whichis written as D mdg in [23]. Then they also show that the value D Z c +1 ≥ whichis smaller than the order q = 256, i.e. the assumption (3) holds, improves thecomplexity of the MinRank attack with the Kipnis-Shamir modeling againstRainbow. In particular, the value D Z c +1 ≥ in [23] gives an upper bound for thefirst fall degree d ff . On the other hand, the G e MSS parameter sets for a securityof 2 , 2 and 2 proposed in NIST PQC 2nd round take n ≈ ,
265 and354 [5], respectively. Thus, for these proposed parameter sets, the order q in thedefinition of the first fall degree d ff is around 2 , and 2 , respectively,and the complexities at c = 1 of the Kipnis-Shamir modeling are given by D Z c +1 ≥ = 26 ,
44 and 65, respectively. It follows that q (cid:29) D Z c +1 ≥ holds. Inparticular, q > d (cid:48) ff by Theorem 4.5, and the second half of Theorem 4.5 holds.Therefore, this D Z c +1 ≥ gives an upper bound for the first fall degree d ff . In thiscase, since each order q satisfies a desired security, we see that it suffices tocompute d (cid:48) ff by Remark 3.12. 15 Conclusion
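The series (4) and (5) have the same shape, a product of factors $(1-t^{a})^{e}$ over a product of factors $(1-t^{b})^{f}$; the following added example (not code from the paper) expands such a series into its coefficient table and instantiates (4) for constructed toy Rainbow parameters $v = o_1 = o_2 = 2$, which are not a proposed parameter set. Definition 4.1 is not reproduced in this section, so the code does not compute $D_{\mathbb{Z}^s_{\geq 0}}$; it only reports the first multidegree with a non-positive coefficient, the kind of quantity the text attributes to [26].

```python
from itertools import product

def expand_rational_series(num_factors, den_factors, bound):
    """Coefficient table of prod_k (1 - t^a_k)^e_k / prod_l (1 - t^b_l)^f_l.
    Both factor lists hold (exponent_vector, multiplicity) pairs; the result maps
    every multidegree d with d[i] <= bound[i] to its coefficient.  Truncating to
    this box is exact, since each factor only pushes coefficients to higher degrees."""
    grid = list(product(*(range(b + 1) for b in bound)))  # lexicographic order
    coef = {d: 0 for d in grid}
    coef[(0,) * len(bound)] = 1
    # 1/(1 - t^b) = 1 + t^b + t^(2b) + ... is a running sum along direction b;
    # product() lists d - b before d, so updating in place is safe.
    for b, f in den_factors:
        for _ in range(f):
            for d in grid:
                prev = tuple(x - y for x, y in zip(d, b))
                if min(prev) >= 0:
                    coef[d] += coef[prev]
    # (1 - t^a): new[d] = old[d] - old[d - a], applied e times.
    for a, e in num_factors:
        for _ in range(e):
            new = {}
            for d in grid:
                prev = tuple(x - y for x, y in zip(d, a))
                new[d] = coef[d] - (coef[prev] if min(prev) >= 0 else 0)
            coef = new
    return coef

def rbs_series(v, o1, o2, bound):
    """Series (4) of the text: n-1 bilinear equations of bidegree (1,1), m quadratic
    equations of bidegree (2,0), v+o1 variables x_i of degree (1,0), o2 variables y_j
    of degree (0,1).  The coefficient at (2,0) is C(v+o1+1, 2) - m, at (1,1) it is
    (v+o1)*o2 - (n-1): monomials of that bidegree minus the equations living there."""
    n, m = v + o1 + o2, o1 + o2
    return expand_rational_series([((1, 1), n - 1), ((2, 0), m)],
                                  [((1, 0), v + o1), ((0, 1), o2)], bound)

def first_nonpositive(coef):
    """Smallest nonzero multidegree (by total degree, then lexicographically) with a
    coefficient <= 0, together with that coefficient; None if all are positive."""
    for d in sorted(coef, key=lambda d: (sum(d), d)):
        if any(d) and coef[d] <= 0:
            return d, coef[d]
    return None

if __name__ == "__main__":
    # Constructed toy parameters (v, o1, o2) = (2, 2, 2); not a proposed Rainbow set.
    table = rbs_series(2, 2, 2, (4, 4))
    print("first non-positive coefficient at", first_nonpositive(table))
```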
Conclusion

In this paper, we introduced the value $d'_{\mathrm{ff}}$ and saw that the first fall degree $d_{\mathrm{ff}}$ coincides with $d'_{\mathrm{ff}}$ for sufficiently large fields. By using this, for computing the first fall degree we are able to use C. Diem's result in 2015 [7], which characterizes the regularity by the syzygies. Then we proved that an upper bound for the first fall degree of a non-semi-regular system is the degree of regularity. Moreover, we introduced a value $D_{\mathbb{Z}^s_{\geq 0}}$ using a multivariate power series and proved that an upper bound for the first fall degree of a multi-graded polynomial system is this value $D_{\mathbb{Z}^s_{\geq 0}}$, by extending Diem's result to the multi-grading.

We showed that the condition for the order of a field in our results is satisfied in the Rainbow-Band-Separation attack and the MinRank attack with the Kipnis-Shamir modeling against the multivariate signature schemes proposed in NIST PQC 2nd round. In particular, our result gives a theoretical background for the precise security analyses in [22, 23], since their values are specific cases of $D_{\mathbb{Z}^s_{\geq 0}}$. Consequently, under a reasonable condition for the order of a field, we clarified the relation between the first fall degree and the degree of regularity and provided a theoretical method using a multivariate power series for cryptanalysis. As future work, it is possible to extend the result in this paper to more general gradings. We need to consider the complexity of a Gröbner basis algorithm within such a grading and to investigate its influence on the security of several other schemes.

Acknowledgement
The authors are grateful to Y. Wang and Y. Ikematsu for comments on the paper.
References

[1] Bardet, M., Faugère, J.-C. and Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proc. International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004).
[2] Bettale, L., Faugère, J.-C. and Perret, L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Crypt., vol. 3, pp. 177–197 (2009).
[3] Bettale, L., Faugère, J.-C. and Perret, L.: Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Cryptogr., vol. 69, pp. 1–52 (2013).
[4] Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenrings nach einem nulldimensionalen Polynomideal. PhD thesis, Universität Innsbruck (1965).
[5] Casanova, A., Faugère, J.-C., Macario-Rat, G., Patarin, J., Perret, L. and Ryckeghem, J.: GeMSS: A Great Multivariate Short Signature. Specification document of NIST PQC 2nd round submission package (2019).
[6] Diem, C.: The XL-Algorithm and a Conjecture from Commutative Algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004, LNCS, vol. 3329. Springer, Berlin, Heidelberg (2004).
[7] Diem, C.: Bound of Regularity. J. Algebra, vol. 423, pp. 1143–1160 (2015).
[8] Ding, J. and Schmidt, D. S.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A. D., Yung, M. (eds.) ACNS 2005, LNCS, vol. 3531, pp. 164–175. Springer (2005).
[9] Ding, J., Gower, J. E. and Schmidt, D. S.: Multivariate Public Key Cryptosystems. Springer (2006).
[10] Ding, J., Yang, B.-Y., Chen, C.-H. O., Chen, M.-S. and Cheng, C.-M.: New differential-algebraic attacks and reparametrization of Rainbow. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008, LNCS, vol. 5037, pp. 242–257. Springer (2008).
[11] Ding, J. and Hodges, T. J.: Inverting HFE systems is quasi-polynomial for all fields. In: Rogaway, P. (ed.) CRYPTO 2011, LNCS, vol. 6841, pp. 724–742. Springer (2011).
[12] Ding, J., Chen, M.-S., Petzoldt, A., Schmidt, D. and Yang, B.-Y.: Rainbow - Algorithm Specification and Documentation. Specification document of NIST PQC 2nd round submission package (2019).
[13] Dubois, V. and Gama, N.: The degree of regularity of HFE systems. In: Abe, M. (ed.) ASIACRYPT 2010, LNCS, vol. 6477, pp. 557–576. Springer, Berlin (2010).
[14] Eder, C. and Faugère, J.-C.: A survey on signature-based algorithms for computing Gröbner bases. Journal of Symbolic Computation, vol. 80, pp. 719–784 (2017).
[15] Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra, (1), pp. 61–88 (1999).
[16] Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Bose, P., Morin, P. (eds.) ISSAC 2002, pp. 75–83 (2002).
[17] Faugère, J.-C., Levy-dit-Vehel, F. and Perret, L.: Cryptanalysis of MinRank. CRYPTO 2008, pp. 280–296 (2008).
[18] Fröberg, R.: An inequality for Hilbert series of graded algebras. Math. Scand., vol. 56, no. 2, pp. 117–144 (1985).
[19] Garey, M.R. and Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Co., New York (1979).
[20] Kipnis, A. and Shamir, A.: Cryptanalysis of the Oil and Vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998, LNCS, vol. 1462, pp. 257–266. Springer (1998).
[21] Kipnis, A., Patarin, J. and Goubin, L.: Unbalanced Oil and Vinegar Signature Schemes. In: Stern, J. (ed.) EUROCRYPT 1999, LNCS, vol. 1592. Springer, Berlin, Heidelberg (1999).
[22] Nakamura, S., Ikematsu, Y., Wang, Y., Ding, J. and Takagi, T.: New Complexity Estimation on the Rainbow-Band-Separation Attack. IACR Cryptology ePrint Archive, Report 2020/703 (2020). https://eprint.iacr.org/2020/703.pdf
[23] Nakamura, S., Wang, Y. and Ikematsu, Y.: Analysis on the MinRank attack using the Kipnis-Shamir method against Rainbow. Preprint.
[24] NIST: Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process (2016). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
[25] Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms. EUROCRYPT 1996, LNCS, vol. 1070, pp. 33–48 (1996).
[26] Perlner, R. and Smith-Tone, D.: Rainbow Band Separation is Better than we Thought. IACR Cryptology ePrint Archive, Report 2020/702 (2020). https://eprint.iacr.org/2020/702.pdf
[27] Schenck, H.: Computational Algebraic Geometry. London Mathematical Society Student Texts, vol. 58, Cambridge University Press (2003).
[28] Verbel, J., Baena, J., Cabarcas, D., Perlner, R. and Smith-Tone, D.: On the Complexity of "Superdetermined" Minrank Instances. IACR Cryptology ePrint Archive, Report 2019/731 (2019). https://eprint.iacr.org/2019/731.pdf
[29] Yang, B.-Y. and Chen, J.-M.: All in the XL family: Theory and practice. In: Park, C., Chee, S. (eds.) ICISC 2004, LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2007).

Appendix

For simplicity, we treat only homogeneous polynomials as polynomials and assume that the characteristic of the field $\mathbb{F}$ is odd.
Then, a quadratic homogeneous polynomial in $\mathbb{F}[x_1,\dots,x_n]$ corresponds to a symmetric $n \times n$ matrix over $\mathbb{F}$. A polynomial system $(f_1,\dots,f_m)$ of $\mathbb{F}[x_1,\dots,x_n]^m$ gives a map $\mathbb{F}^n \to \mathbb{F}^m$, $a \mapsto (f_1(a),\dots,f_m(a))$, which is called a polynomial map. A multivariate public key signature scheme consists of the following three algorithms:

Key generation: We randomly construct two invertible linear maps $U: \mathbb{F}^n \to \mathbb{F}^n$ and $T: \mathbb{F}^m \to \mathbb{F}^m$ and an easily invertible quadratic map $F: \mathbb{F}^n \to \mathbb{F}^m$, which is called a central map, and then compute the composition $P := T \circ F \circ U$. The public key is $P$. The tuple $(T, F, U)$ is the secret key.

Signature generation: For a message $b \in \mathbb{F}^m$, we compute $b' = T^{-1}(b)$. Next, we compute an element $a'$ of $F^{-1}(\{b'\})$, which is possible since $F$ is easily invertible. Consequently, we obtain a signature $a = U^{-1}(a') \in \mathbb{F}^n$.

Verification: We verify whether $P(a) = b$ holds.

For a given public key $P$, the key recovery attack recovers $U$, $T$ and $F$ such that $P = T \circ F \circ U$, and then forges a signature for any message. For the matrices $M_{p_i}$, $M_{f_i}$, $M_U$ and $M_T$ corresponding to $p_i$, $f_i$, $U$ and $T$, where $P = (p_1,\dots,p_m)$ and $F = (f_1,\dots,f_m)$, we have
$$(M_{p_1},\dots,M_{p_m}) = (M_U M_{f_1}\,{}^tM_U,\dots,M_U M_{f_m}\,{}^tM_U)\,M_T.$$
The Rainbow-Band-Separation attack takes time to recover a part of $M_U$ and $M_T$ of the UOV scheme or its multi-layerization, i.e. Rainbow. For a public key $P = (p_1,\dots,p_m)$ of the HFE scheme and a central $n \times n$ matrix $M_c = (c_{ij})_{i,j}$ over $\mathbb{F}_{q^n}$, we have
$$(M_{p_1},\dots,M_{p_m}) = (M_U M_\varphi M_1\,{}^tM_\varphi\,{}^tM_U,\dots,M_U M_\varphi M_m\,{}^tM_\varphi\,{}^tM_U)\,M_\varphi^{-1} M_T,$$
where $M_\varphi = (\theta^{(i-1)q^{j-1}})_{1 \le i,j \le n}$, $\mathbb{F}_{q^n} = \mathbb{F}_q[\theta]$ and $M_k = (c^{q^k}_{i-k,\,j-k})$. The MinRank attack with the Kipnis-Shamir modeling takes time to recover a column of $M_\varphi^{-1} M_T$ of the HFE scheme or its modifications, e.g. GeMSS.