The next talk is entitled "Inverting HFE Systems is Quasi-Polynomial for All Fields" by Jintai Ding and Timothy Hodges, and the talk will be given by both of them.

Okay, thank you. So we want to present a new result on the complexity of the direct algebraic attack on HFE systems over fields of arbitrary characteristic. So this generalizes a result that was announced at CRYPTO 2006 by Granboulan, Joux and Stern, and I thank the previous speaker for the introduction to multivariate cryptosystems, and I won't discuss too much about that. So I'll present an introduction and then Jintai Ding will step in and talk about the main results and some future work. Okay, so basics of the hidden field public key cryptosystems. We have a pair of fields, F and K. The base field F has order q and K is of degree n over the base field. The private key is a univariate polynomial defined on the larger field K. And the algebraic structure of that larger field is kept secret. So the other part of the private key is two invertible affine linear maps from K to F^n. The public key then is the composition of these three maps, which in terms of the underlying space F^n is a set of n multivariate polynomials over the base field. So at this point I want to emphasize that we'll always consider these polynomials as functions, so they'll be in the polynomial algebra factored out by the field equations. Okay, so an effective implementation of this was given by Patarin 15 years ago. So we require that the polynomial has low total degree d. This enables us to do efficient decryption using standard algorithms for solving univariate polynomials. And we also require that p should be quadratic over the small field F, so that the public key polynomials p are quadratic, which enables efficient encryption and relatively small key size.
So putting all this together, it means that the polynomial has to have this form here, because these x^(q^i) are functions on K which are not linear over K, but they are linear over the base field F. And so the quadratic functions are the products of two of those functions, so they look like x^(q^i + q^j). And our condition here is the condition on the total degree of the polynomial, that its total degree should be less than or equal to d. So that's the basic setup that we want to analyze. What's the attack? So the attack is just the basic Gröbner basis solution of the system of equations that we get. From any ciphertext y_1 up to y_n, that gives us a set of n quadratic equations, which we would like to solve to get back the plaintext x_i. Now in general, if this were a random system of n quadratic polynomials, this would be a very hard problem. But HFE systems are not random systems. So the algorithm terminates significantly quicker on HFE systems than it would on random systems. So the problem for assessing the complexity is to try to understand how the restriction on the degree of the big polynomial p affects the complexity of this Gröbner basis algorithm. So as I said, this was done in 2006 by GJS. And they showed that it was quasi-polynomial when q is equal to 2. Now those techniques didn't adapt very well to the general base field situation. So it has remained open for a little while. And so we want to generalize this result to an arbitrary base field and introduce some new techniques. So how do we even get a grip on the complexity of a Gröbner basis algorithm? Well, we use something called the degree of regularity. Essentially the Gröbner basis algorithm is roughly looking through the ideal generated by the p_i for equations of smaller degree, which can help us solve the system quickly. So what we want to do is look for the first point at which we find a non-trivial degree fall.
So we find a combination of the p_i which has a smaller degree than we would expect. So some real cancellation is going on. And we want to avoid the trivial degree falls where we get a combination equal to 0, or a degree fall caused by the fact that p_i raised to the power q is equal to p_i. So avoiding those trivial degree falls, we're looking for the first point at which we have non-trivial degree falls. And it's been shown experimentally that most of the time the Gröbner basis algorithms terminate shortly after this degree. So this is a good marker for how quickly the Gröbner basis algorithms are going to terminate. Just a little bit of technical stuff that we need. This is really a question about the highest degree part of everything. So we can reduce to the associated graded ring, this truncated polynomial ring, and just look at the highest degree part of the p_i. This translates the concept of degree of regularity into a question about the existence of non-trivial relations in this algebra, which is much easier to deal with algebraically. So the degree of regularity now is the first degree at which non-trivial relations occur between these highest degree parts p_i^h. And we have the similar kind of trivial relations that we're trying to avoid in this case. OK, so these are the same thing. But we still don't know a whole lot about these p_i functions. So that's not a good place to look for a solution. What we have to do is lift back up to the larger field. And this is actually not such a complicated operation. It's just tensoring with the larger field and using a little Galois theory. It enables us to re-express the degree of regularity of these p_i in terms of the original function and its translates under the Galois group, or the Frobenius maps. In addition, we need to use this kind of intuitive, but not completely obvious how to prove, result that the degree of regularity of a set is bounded by the degree of regularity of any subset.
So this was the basis of the ideas in GJS's result, and it was recently very neatly detailed by Dubois and Gama in their recent paper about this subject. OK, so now we combine that with this extension of the field. And so let's bring back our original polynomial, p(x), and look at p0(x), which is the quadratic form associated to this part of p(x). OK, so the degree of regularity that we're looking for is actually equal to the degree of regularity of p0 and its translates under the Galois group in this algebra here. So putting all this together, we get the rather unexpected result that the degree of regularity we're looking for is bounded by the degree of regularity of this single quadratic form here. Now, this doesn't look as if it would give us interesting information, but it turns out to give us very useful information, and I'll now pass it on to Jintai to tell the rest of the story.

So what Tim has talked about by now is everything that was done before. So what I will talk about is what we have done after that. I'll present first our main theorem. OK, basically what we did is we give a global upper bound on the degree of regularity in the sense of Dubois and Gama for the HFE system, and the main theorem is given as follows. So the degree of regularity of the system defined by p is bounded by the following formula: the rank of p0, so remember the p0 introduced earlier is a bilinear form, so if you view it as a matrix it has a rank, times (q - 1)/2, plus 2. So this is the main result. So here I would like to really especially point out the importance of q here. In the previous result, this q was never used in any form, and in the result presented by Joux and Faugère on the algebraic attacks on HFE systems, they only discussed the case q equal 2, but what they said seemed to suggest it works for all q's, which means the degree of regularity is independent of the size of the field, and our formula suggests otherwise.
So those are universal bounds that require no additional assumption, which means we prove this formula without any additional mathematical assumption on the degree of regularity. Before I present the basic idea of the proof, I would like to say a little bit more about what was done before. So GJS, what they did basically is they outlined a new way to study, or to bound, the degree for the case q equal 2, and their approach is very interesting in the sense that they realized that since the HFE design is over the bigger field, therefore you must lift the problem back to the bigger field to look at what's going on. And they sketched a way to connect the degree of regularity of the HFE system to the degree of regularity of the lifted system over the bigger field. So here I would like to emphasize the word I used: sketched. And with this idea, they used the following mathematical assumptions, which I will not go through one by one due to the time constraint, and the key thing is, they derived heuristic and asymptotic bounds for the degree of regularity for the case q equal 2. That's what they did, okay? And to study the case for general q was still a very open problem. And after that work was done, me, with my colleagues Dieter Schmidt and Fabian Werner, a student at TU Darmstadt, found something very interesting, which means we did some experiments. What we found out is that the prediction of Joux and Faugère didn't work in the case where q is a finite field of other characteristic, for example 13 or 31. And why so? What we realized is what is called the role of the field equations. So in the algebraic attacks presented by Faugère and Joux, they implicitly used the field equations. Namely, they're not solving equations with n variables and n equations. They're solving equations with n variables and 2n equations. And if q changes, which means if q is large, can you do the same? In the case of GF(2), your field equation is also of degree 2. Therefore, it can be efficiently used.
But if q is 31, then you will have n additional degree-q equations. And they cannot be efficiently used because of degree constraints. But mathematically, that means you're not solving the equation over the finite field. Instead, you are solving the equation over the extension field of the finite field. And in that case, the number of solutions actually is 2 to the n. Therefore, it becomes a much harder problem. So also, in terms of understanding the degree of regularity, there was essentially nothing for the case of other q. And in terms of my own opinion, the real breakthrough after Faugère and Joux is the work done by Dubois and Gama. What they did at Asiacrypt last year is to present a very rigorous mathematical foundation for the argument of GJS. And they present a new method to compute the degree of regularity. This is an inductive computing method. But it does not give us a closed formula to tell us the behavior of the degree of regularity. And our approach is the following simple observation. What we realize is that, because of the theorem previously presented, the degree of regularity of this set of polynomials is less than the degree of regularity of the single polynomial p0. So what we did is that we just tried to find the bound for the degree of regularity of the single polynomial, which is p0. And our proof is also very different from what was done before. The proof done before relies on counting the dimension of certain spaces. What we did is we just did a construction, which means we construct explicitly nontrivial syzygies, and show that the degree indeed falls at this point. So the construction means I will find a low degree nontrivial annihilator in the associated graded algebra for p0. And this construction relies on the following mathematical structure, which means we used the classification of quadratic forms over a finite field. And this is where the rank comes in and plays a role. I'll just give a brief idea of how the proof is done.
So given the quadratic polynomial, you have the following theorem, in the case where q is even, that there must be the following canonical form. Let's look at the case when the rank is 4. If the rank is 4, given any quadratic polynomial you can convert it into this form, which means x1 times x2 plus x3 times x4. The question is how to construct the nontrivial syzygies. And it's pretty simple. Those are the guys. Those are the annihilators, which is x1 to the q minus 1 times x3 to the q minus 1, and the rest are very similar. What you do here is basically you find the crossing terms. You choose one term from the first one and another term from the second one and you raise them to the power q minus 1. And then here you can observe easily that if you multiply this one by this guy, they will become zero, because after you multiply them, you can see here that you have x1 to the q here and x3 to the q here, and a degree fall occurs. And that's it. So this is the basis of our proof. And this basically implies all the ideas we use here. Of course, in terms of mathematical rigor, we must prove that the annihilator is nontrivial, which is a little bit hard in general cases. So now what is the implication of our result? If you look at the degree of regularity formula, you realize that if you fix q, the degree of regularity is O(log_q d). Let me emphasize again: if q is fixed. In this case, you can see that the complexity is indeed quasi-polynomial. But what we've shown is something very different here in terms of our theory: if you make q change, as in the case of lattice cryptosystems, let's assume q itself is of the same scale as n, then, supposing the bound is good, we have a very different conclusion, which means inverting HFE systems will be exponential instead of quasi-polynomial. So we present a very different idea to look at HFE now, which means when you design HFE, you should not fix the size of the field.
Instead, you should change the size of the field q according to the size of the vector space, which is n. And now I want to point out a few things related to our bound. First, I want to emphasize our bound is not optimal. Why is that so? Because in the proof itself, you notice we only use one polynomial p0. There are p0, p1, and the other polynomials. We never use them. So therefore, this is definitely not optimal. And in the work of Dubois and Gama, they made a very detailed list of computed degrees of regularity. So we did a comparison of their result with our result. Of course, their result should be better than ours because their result is global. We only use one polynomial, and they use all the polynomials. But however, we find something very interesting, which means in their result, we have seen that as n becomes large, our bound becomes very close to their bound. So we don't know exactly what's happening, but I think it's very important that we should study what the connection between these two bounds is. Now I will finish the talk with a little mention of future work. So after this was done, I did some work on the case where your polynomial is p(x) = x^2. In this case, I can actually prove not only our upper bound, but also the lower bound, that is the exact bound, which means I can prove in the case of Square, where p(x) = x^2, inverting the HFE system algebraically is actually exponential. And in another joint work with Kleinjung, we now can prove the degree of regularity for the case of HFE-. And Hodges also did some other work related to the extension of our result. What is really important, I think, in the future is that we need to really do a very good comparison with DG's result, which means we want to know how good our bound is. And it's possible we can find better bounds. And also, we feel there's a possibility we can apply our techniques to other systems and to provable security-related problems.
And of course, I have to thank the people who provide me with money to do this. And here I would, in particular, thank Vivien Dubois and Nicolas Gama because they sent me the paper before it was published, and for numerous discussions with them. And it was extremely helpful. And thank you very much.

So we have time for one question.

Three weeks ago, Bettale, Faugère and Perret published a complete cryptanalysis of FHFE. Do you know that result?

What's the result again?

Complete cryptanalysis with a practical break. After nine days, they break the most conservative parameters with n = 256.

Which system?

HFE.

What is the D? What is the D?

HFE.

Yeah, HFE has a degree D there. What is the D?

I don't know what the D is. I think, if I ask her, does the paper attack the D equal to 2?

Yeah, yeah, yeah. That's a MinRank. Yeah, that's a MinRank. That's a MinRank attack.

My question is how that work relates to your work.

So what we say here is, remember, I said it is the complexity of the algebraic attack on HFE systems. For HFE, there's another major attack, which was developed first by Kipnis and Shamir, and which I call the MinRank attack. And if you look at the q, as I said, the rank of p0 I used earlier, if the rank is very low, 1 or 2, there's an attack due to Kipnis and Shamir, which is that we should use the property of low rank to attack the problem. And there's work done by myself to show that actually the Kipnis-Shamir attack doesn't work, again, due to the field equations. And then Faugère and Perret also did some work to show that, in one of the instances of the Square system, it was broken. In this case, the rank is equal to 2, or equal to 1, p(x) = x^2. And actually it's very interesting that if you read the paper very carefully, they showed an attack on the system, a MinRank attack on the system, and they showed the complexity, and you realize the complexity actually has exponential growth.
That only means, to me, that only means the parameters we chose were too conservative. So if we choose the parameters properly, it should be no problem. This is my opinion.

OK, thanks. Let's thank the speaker again. Thank you.
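The annihilator construction Ding sketches for the rank-4 form x1 x2 + x3 x4, and the degree rank(p0)(q-1)/2 + 2 at which the relation appears, worked through as an added example that is not part of the talk or of the Ding-Hodges paper. It assumes q is prime (so F_q is the integers mod q), works in the truncated ring F_q[x_1..x_n]/(x_1^q, ..., x_n^q) that the talk reduces to, and generalizes the construction to any even rank 2m by choosing one variable from each pair; the brute-force search confirms no monomial of lower degree annihilates p0.

```python
# Added example (not from the talk or the Ding-Hodges paper). Assumes q is prime, so F_q is
# the integers mod q. Polynomials live in R = F_q[x_1..x_n]/(x_1^q, ..., x_n^q) as dicts
# {exponent tuple: coefficient}; a monomial with any exponent >= q is zero in R.
from itertools import product

def reduce_poly(poly, q):
    """Keep only monomials that survive x_i^q = 0 with a nonzero coefficient mod q."""
    return {m: c % q for m, c in poly.items() if c % q and max(m) < q}

def mul(a, b, q):
    """Product of two polynomials in R."""
    out = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(i + j for i, j in zip(ma, mb))
            out[m] = out.get(m, 0) + ca * cb
    return reduce_poly(out, q)

def degree(poly):
    return max(sum(m) for m in poly) if poly else -1

def canonical_form(m):
    """p0 = x1*x2 + x3*x4 + ... + x_{2m-1}*x_{2m}: the rank-2m form from the talk."""
    p0 = {}
    for i in range(m):
        e = [0] * (2 * m)
        e[2 * i] = e[2 * i + 1] = 1
        p0[tuple(e)] = 1
    return p0

def cross_term_annihilator(m, q, choice):
    """Pick one variable from each pair (choice[i] in {0, 1}) and raise each to q-1."""
    e = [0] * (2 * m)
    for i, c in enumerate(choice):
        e[2 * i + c] = q - 1
    return {tuple(e): 1}

def min_monomial_annihilator_degree(m, q):
    """Brute force: smallest degree of a monomial t with t * p0 = 0 in R."""
    p0 = canonical_form(m)
    return min(sum(e) for e in product(range(q), repeat=2 * m)
               if mul({e: 1}, p0, q) == {})

def degree_fall(m, q):
    """Check the construction for rank 2m; return rank*(q-1)/2 + 2, the degree of the relation."""
    p0 = canonical_form(m)
    trivial = {(0,) * (2 * m): 1}
    for _ in range(q - 1):             # p0^(q-1): p0^(q-1) * p0 = p0^q = 0 is the trivial relation
        trivial = mul(trivial, p0, q)
    for choice in product((0, 1), repeat=m):
        a = cross_term_annihilator(m, q, choice)
        assert mul(a, p0, q) == {}     # every cross-term monomial kills p0
        # a single monomial is never a scalar multiple of p0^(q-1); for rank 4 that is the full check
        assert all(a != {k: (c * s) % q for k, c in trivial.items()} for s in range(1, q))
    bound = degree(a) + degree(p0)
    assert bound == 2 * m * (q - 1) // 2 + 2
    return bound
```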