## Section: New Results

### Solving Systems in Finite Fields, Applications in Cryptology and Algebraic Number Theory

#### Polynomial-Time Algorithms for Quadratic Isomorphism of Polynomials: The Regular Case

Let $\mathbf{f}=({f}_{1},...,{f}_{m})$ and $\mathbf{g}=({g}_{1},...,{g}_{m})$ be
two sets of $m\ge 1$ nonlinear polynomials in
$\mathbb{K}[{x}_{1},...,{x}_{n}]$ ($\mathbb{K}$ being a field).
In [3], we consider the computational problem of finding, if any, an
invertible transformation on the variables mapping $\mathbf{f}$ to
$\mathbf{g}$. The corresponding equivalence problem is known as
*Isomorphism of Polynomials with one Secret* (`IP1S`) and is a
fundamental problem in multivariate cryptography. Amongst its
applications, we can cite Graph Isomorphism (`GI`), which reduces to
equivalence of cubic polynomials with respect to an invertible linear
change of variables, according to Agrawal and Saxena.
The main result is a randomized polynomial-time
algorithm for solving `IP1S` for quadratic instances, a
particular case of importance in cryptography.
To this end, we show that `IP1S` for quadratic polynomials
can be reduced to a variant of
the classical module isomorphism problem in representation theory.
We show that we can essentially *linearize* the problem by reducing
quadratic-`IP1S` to testing the orthogonal simultaneous similarity of
symmetric matrices; this latter problem was shown by Chistov, Ivanyos
and Karpinski (ISSAC 1997) to be equivalent to finding an invertible
matrix in the linear space $\mathbb{K}^{n\times n}$ of $n\times n$
matrices over $\mathbb{K}$ and to computing the square root in a
certain representation in a matrix algebra. While computing
square roots of matrices can be done efficiently using numerical
methods, it seems difficult to control the bit complexity of such
methods. However, we present exact and polynomial-time algorithms
for computing a representation of the square root of a matrix in
${\mathbb{K}}^{n\times n}$, for
various fields (including finite fields), as a product of two
matrices. Each coefficient of these matrices lies in an extension
field of $\mathbb{K}$ of polynomial degree. We then consider
#`IP1S`, the counting version of `IP1S` for quadratic instances. In
particular, we provide a (complete) characterization of the
automorphism group of homogeneous quadratic polynomials. Finally, we
also consider the more general *Isomorphism of Polynomials* (`IP`)
problem, where we allow an invertible linear transformation on the
variables *and* on the set of polynomials. A randomized
polynomial-time algorithm for solving `IP` when
$\mathbf{f}=(x_{1}^{d},\dots,x_{n}^{d})$ is presented. From an
algorithmic point of view, the problem boils down to factoring the
determinant of a linear matrix (*i.e.* a matrix whose components are
linear polynomials). This extends to `IP` a result of Kayal obtained
for `PolyProj`.

#### Factoring $N={p}^{r}{q}^{s}$ for Large $r$ and $s$

Boneh *et al.* showed at Crypto 99 that moduli of the form $N=p^{r}q$
can be factored in polynomial time when $r\simeq \log p$. Their
algorithm is based on Coppersmith's technique for finding small roots
of polynomial equations. In [15] we show that $N=p^{r}q^{s}$ can also
be factored in polynomial time when $r$ or $s$ is at least
$(\log p)^{3}$; therefore we identify a new class of integers that can
be efficiently factored. We also generalize our algorithm to moduli
with $k$ prime factors $N=\prod_{i=1}^{k}p_{i}^{r_{i}}$; we show that
a non-trivial factor of $N$ can be extracted in polynomial time if one
of the exponents $r_{i}$ is large enough.

#### On the Complexity of the `BKW` Algorithm on `LWE`

This work [1] presents a study of the complexity of the
Blum–Kalai–Wasserman (BKW) algorithm when applied to the Learning
with Errors (`LWE`) problem, by providing refined estimates for the
data and computational effort requirements for solving concrete
instances of the LWE problem. We apply this refined analysis to
suggested parameters for various `LWE`-based cryptographic schemes
from the literature and compare with alternative approaches based on
lattice reduction. As a result, we provide new upper bounds for the
concrete hardness of these LWE-based schemes. Rather surprisingly, it
appears that the BKW algorithm outperforms known estimates for lattice
reduction algorithms starting in dimension $n\approx 250$ when `LWE`
is reduced to `SIS`. However, this assumes access to an unbounded
number of `LWE` samples.

#### Structural Cryptanalysis of McEliece Schemes with Compact Keys

A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic (QM) matrices. In [5], we show that the very same reason which makes it possible to construct a compact public key makes the key-recovery problem intrinsically much easier. The gain on the public-key size induces an important security drop, which is as large as the compression factor $p$ on the public key. The fundamental remark is that from the $k\times n$ public generator matrix of a compact McEliece, one can construct a $k/p\times n/p$ generator matrix which is, from an attacker's point of view, as good as the initial public key. We call this new smaller code the folded code. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key-recovery in practice, we also improve the algebraic technique of Faugère, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing us to include codes defined over any prime field in the scope of our attack. We describe a so-called "structural elimination", a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS signatures based on QD/QM codes that have been proposed can be broken by this approach. In most cases, our attack takes a few seconds (the hardest case requires less than 2 hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against several cryptographic challenges proposed for QD and QM encryption schemes, but some proposed parameters remain out of reach for the methods given here.
However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with QM or QD symmetries. It is possible to derive from the public key a much smaller public key corresponding to the folding of the original QM or QD code, where the reduction factor of the code length is precisely the order of the QM or QD group used for reducing the key size. To summarize, the security of such schemes does not rely on the bigger compact public matrix but on the small folded code, which can be efficiently broken in practice with an algebraic attack for a large set of parameters.

#### A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

In [16], we investigate the security of the family of MQQ public key cryptosystems using multivariate quadratic quasigroups (MQQ). These cryptosystems show especially good performance properties. In particular, the MQQ-SIG signature scheme is the fastest scheme in the ECRYPT benchmarking of cryptographic systems (eBACS). We show that both the signature scheme MQQ-SIG and the encryption scheme MQQ-ENC, although using different types of MQQs, share a common algebraic structure that introduces a weakness in both schemes. We use this weakness to mount a successful polynomial-time key-recovery attack that finds an equivalent key using the idea of so-called good keys. In the process we need to solve a MinRank problem that, because of the structure, can be solved in polynomial time under some mild algebraic assumptions. We highlight that our theoretical results work in characteristic 2, which is known to be the most difficult case to address in theory for MinRank attacks, and also without any restriction on the number of polynomials removed from the public key. This was not the case for previous MinRank-like attacks against $\mathcal{MQ}$ schemes. From a practical point of view, we are able to break an MQQ-SIG instance of 80 bits security in less than 2 days, and one of the more conservative MQQ-ENC instances of 128 bits security in a little over 9 days. Altogether, our attack shows that it is very hard to design a secure public key scheme based on an easily invertible MQQ structure.

#### Algebraic Cryptanalysis of a Quantum Money Scheme: The Noise-Free Case

In [14], we investigate the Hidden Subspace Problem (${\mathrm{HSP}}_{q}$) over $\mathbb{F}_{q}$, which is as follows:

**Input:** $p_{1},\dots,p_{m},q_{1},\dots,q_{m}\in \mathbb{F}_{q}[x_{1},\dots,x_{n}]$ of degree $d\ge 3$ (and $n\le m\le 2n$).

**Find:** a subspace $A\subset \mathbb{F}_{q}^{n}$ of dimension $n/2$ ($n$ is even) such that

where $A^{\perp}$ denotes the orthogonal complement of $A$ with respect to the usual scalar product over $\mathbb{F}_{q}$.

This problem underlies the security of the first public-key quantum money scheme that is proved to be cryptographically secure under a non-quantum, classical hardness assumption. This scheme was proposed by S. Aaronson and P. Christiano at STOC'12. In particular, it depends upon the hardness of ${\mathrm{HSP}}_{2}$. More generally, Aaronson and Christiano left as an open problem to study the security of the scheme for a general field $\mathbb{F}_{q}$. We present a randomized polynomial-time algorithm that solves ${\mathrm{HSP}}_{q}$ for $q>d$ with success probability $\approx 1-1/q$. So, the quantum money scheme extended to $\mathbb{F}_{q}$ is not secure for large $q$. Finally, based on experimental results and a structural property of the polynomials that we prove, we conjecture that there is also a randomized polynomial-time algorithm solving ${\mathrm{HSP}}_{2}$ with high probability. To support our theoretical results we also present several experimental results confirming that our algorithms are very efficient in practice. We emphasize that S. Aaronson and P. Christiano propose a non-noisy and a noisy version of the public-key quantum money scheme. The noisy version of the quantum money scheme remains secure.

#### Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups

The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non-trivial automorphism group. Such codes then display symmetries allowing compact parity-check or generator matrices. For instance, a key reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery on the original symmetric public code to the key-recovery on a (much) smaller code that no longer has symmetries. This result [4] is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists of adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principle of taking codes whose support is globally invariant under the action of affine transformations (by building upon prior works of T. Berger and A. Dür). This enables us not only to present a unified view but also to generalize the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.
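As an added illustration of the folding operation (this is not code from [4] or [5], and it does not reproduce the alternant/Goppa machinery), the block below, which also serves the compact-keys section above, builds a constructed binary quasi-cyclic generator matrix from random circulant blocks, exhibits the block-shift automorphism, and folds each orbit by summing its coordinates. It shows concretely why the folded code has length $n/p$ and dimension at most $k/p$, i.e. the compression factor $p$ is lost on the attacker's side. The circulant-block construction, the function names and the `seed` are assumptions of this example.

```python
import random

def circulant(first_row):
    """p x p circulant matrix over GF(2): row i is first_row cyclically shifted by i."""
    p = len(first_row)
    return [[first_row[(j - i) % p] for j in range(p)] for i in range(p)]

def quasi_cyclic_generator(k0, n0, p, seed=7):
    """Constructed k x n generator matrix (k = k0*p, n = n0*p) made of random
    circulant blocks; its row space is invariant under the order-p automorphism
    that cyclically shifts every length-p block (a quasi-cyclic code)."""
    rng = random.Random(seed)  # assumed seed, for a reproducible example
    blocks = [[circulant([rng.randint(0, 1) for _ in range(p)]) for _ in range(n0)]
              for _ in range(k0)]
    return [[blocks[i0][j0][r][c] for j0 in range(n0) for c in range(p)]
            for i0 in range(k0) for r in range(p)]

def shift_blocks(word, p):
    """The automorphism sigma: cyclic shift by one position inside each block."""
    return [word[b * p + (c - 1) % p] for b in range(len(word) // p) for c in range(p)]

def fold(word, p):
    """Folding: add (mod 2) the coordinates of each orbit of sigma, i.e. of each
    block, so a length-n word becomes a length-n/p word."""
    return [sum(word[b * p:(b + 1) * p]) % 2 for b in range(len(word) // p)]

def gf2_rank(rows):
    """Rank over GF(2) by Gaussian elimination (rows are lists of 0/1)."""
    rows = [r[:] for r in rows]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def is_automorphism(G, p):
    """True if shifting every generator row lands back in the code spanned by G."""
    k = gf2_rank(G)
    return all(gf2_rank(G + [shift_blocks(row, p)]) == k for row in G)

def folded_code_parameters(G, p):
    """(length, dimension) of the folded code, generated by the folded rows of G.
    Rows of one circulant block-row fold identically, so the dimension is <= k/p."""
    folded = [fold(row, p) for row in G]
    return len(folded[0]), gf2_rank(folded)
```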

#### Improved Sieving on Algebraic Curves

The best algorithms for discrete logarithms in Jacobians of algebraic curves of small genus are based on index calculus methods coupled with large prime variations. For hyperelliptic curves, relations are obtained by looking for reduced divisors with smooth Mumford representation (Gaudry); for non-hyperelliptic curves it is faster to obtain relations using special linear systems of divisors (Diem, Diem and Kochinke). Recently, Sarkar and Singh have proposed a sieving technique, inspired by an earlier work of Joux and Vitse, to speed up the relation search in the hyperelliptic case. In [20], we give a new description of this technique, and show that this new formulation applies naturally to the non-hyperelliptic case with or without large prime variations. In particular, we obtain a speed-up by a factor of approximately 3 for the relation search in Diem and Kochinke's methods.