On the last fall degree of zero-dimensional Weil descent systems

Abstract: Abstract. In this article we will discuss a new, mostly theoretical, method for solving (zero-dimensional) polynomial systems, which lies in between Gröbner basis computations and the heuristic first fall degree assumption and is not based on any heuristic. This method relies on the new concept of last fall degree.Let k be a finite field of cardinality q n and let k ′ be its subfield of cardinality q. Let F ⊂ k[X 0 , . . . , X m−1 ] be a finite subset generating a zero-dimensional ideal. We give an upper bound… Show more

“…Our bound on the last fall degree is inspired by the bound from Huang et al (2018). Our main result is Theorem 11, where we prove that the last fall degree of the Weil descent system of a set of polynomials over F q n is bounded by (q − 1) log q (d) + 1 + 1 for a certain d. When applied to HFE systems, this improves the bound given in Huang et al (2018) by approximately a factor of 2. The improvement in the bound is a consequence of Lemma 8, where we obtain a bound which is tighter than in previous work.…”

“…We will closely follow the notations in Huang et al (2018) and briefly recall some of its definitions, which we will need later. The reader is referred to Huang et al (2018) for more details.…”

“…Again, we closely follow the setup and notations from Huang et al (2018). Let q be a prime power and n ∈ Z ≥1 .…”

Stronger bounds on the cost of computing Gröbner bases for HFE systems

“…Our bound on the last fall degree is inspired by the bound from Huang et al (2018). Our main result is Theorem 11, where we prove that the last fall degree of the Weil descent system of a set of polynomials over F q n is bounded by (q − 1) log q (d) + 1 + 1 for a certain d. When applied to HFE systems, this improves the bound given in Huang et al (2018) by approximately a factor of 2. The improvement in the bound is a consequence of Lemma 8, where we obtain a bound which is tighter than in previous work.…”

“…We will closely follow the notations in Huang et al (2018) and briefly recall some of its definitions, which we will need later. The reader is referred to Huang et al (2018) for more details.…”

“…Again, we closely follow the setup and notations from Huang et al (2018). Let q be a prime power and n ∈ Z ≥1 .…”

Stronger bounds on the cost of computing Gröbner bases for HFE systems

“…The quadratic forms in multi-HFE are generated by a set of multivariate quadratic forms over an extension field of the basic field. Unfortunately, the multi-HFE is known to be insecure against the direct attack [2], the min-rank attack [3] and the attack using a diagonalization approach [4].…”

“…Recently in PQCrypto 2017, a vinegar variant of multi-HFE, called HMFEv, was proposed by Petzoldt et al [5]. This vinegar variant succeeds to enhance the security against the known attacks [2][3][4] and then HM-FEv had been expected to be one of signature schemes, secure and efficient enough under suitable parameter selections [5] (see Table 1). However, the security against the high-rank attack had not been studied yet at all.…”

High-rank attack on HMFEv

Recent Developments in Multivariate Public Key Cryptosystems