
In [9], the authors proposed a new cryptosystem called 2R-scheme, inspired by the $C^*$ cryptosystem, see [7]. In a 2R-scheme the space of plaintexts and ciphertexts is $\mathbb{F}_q^m$, where $\mathbb{F}_q$ is a finite field of $q$ elements. The secret key items are three affine bijections $r, s, t: \mathbb{F}_q^m \to \mathbb{F}_q^m$ and two applications $\varphi, \psi: \mathbb{F}_q^m \to \mathbb{F}_q^m$ given by $m$ quadratic equations over $\mathbb{F}_q$. The public key is the polynomial representation of the application $t \circ \psi \circ s \circ \varphi \circ r: \mathbb{F}_q^m \to \mathbb{F}_q^m$. This representation consists of $m$ polynomials of degree 4.

The above applications $\varphi$ and $\psi$ are chosen among easily invertible ones in order to make decryption easy. For all easily invertible applications proposed at that time, the one-round schemes, i.e., the analogous cryptosystems with secret key $s \circ \varphi \circ r$, were broken. Therefore, the security of 2R-schemes was based on the difficulty of decomposing a list of $m$ polynomials in $\mathbb{K}[x] = \mathbb{K}[x_1, \ldots, x_m]$, where $\mathbb{K}$ is an arbitrary field. The paper [10] proposed efficient attacks that make the system insecure if $m$ or $m-1$ polynomials in the list are given. Inspired by these ideas, in [1] the authors presented an algorithm that, given a list $f = (f_1, \ldots, f_u)$ of $u$ homogeneous polynomials of degree 4 in $m$ variables, finds lists $g = (g_1, \ldots, g_u)$ and $h = (h_1, \ldots, h_m)$ of homogeneous polynomials of degree 2 in $m$ variables such that $f_i = g_i(h_1, \ldots, h_m)$ for all $i \in \{1, \ldots, u\}$, under some favourable circumstances. The algorithm was extended in [3] to a list of polynomials $f$ of arbitrary degree $n = r \cdot s$. There is an improvement of the algorithm in [2], together with an algorithm for a list $f$ of polynomials of degrees $r_1, \ldots, r_u$ respectively such that some $s > 1$ divides all the degrees.

Computation of intermediate $\mathbb{K}$-algebras and $(r, s)$-decompositions

We aim here at finding the relation between the concept of $(r, s)$-decomposition of homogeneous polynomials proposed in [1] and the computation of intermediate $\mathbb{K}$-algebras and intermediate fields. We start with the definition of $(r, s)$-decomposable polynomials:

Definition 1. Let $f = (f_1, \ldots, f_u) \in \mathbb{K}[x]^u$ be a list of homogeneous polynomials of degree $n = rs$. We say that $f$ is $(r, s)$-decomposable if there exist a list $g = (g_1, \ldots, g_u) \in \mathbb{K}[x]^u$ of homogeneous polynomials of degree $r$ and a list $h = (h_1, \ldots, h_m) \in \mathbb{K}[x]^m$ of homogeneous polynomials of degree $s$ such that $f_i = g_i(h_1, \ldots, h_m)$, written $f = g \circ h$. The tuple $(g, h)$ is called an $(r, s)$-decomposition of $f$.

If $A$ is a regular matrix, then $g \circ h = g \circ A^{-1} \circ A \circ h$. To avoid this ambiguity, two decompositions $(g, h)$ and $(g', h')$ of a polynomial are defined to be equivalent if there exists a regular matrix $A$ such that $h'^{T} = A h^{T}$. By this equivalence relation, we guarantee that two non-equivalent decompositions provide two different intermediate $\mathbb{K}$-algebras.

It is easy to see that $f$ has an $(r, s)$-decomposition $(g, h)$ if and only if $\mathbb{K}[f] \subset \mathbb{K}[h]$. Moreover, this relation is bijective:

Proposition 1. Non-equivalent $(r, s)$-decompositions of a list of polynomials $f = (f_1, \ldots, f_u)$ correspond bijectively to $\mathbb{K}$-algebras in $\mathbb{K}[f] \subset \mathbb{K}[x]$ generated by $m$ homogeneous polynomials of degree $s$.

This bijective relation does not extend, in general, to a bijective relation between the $(r, s)$-decompositions of $f$ and the proper fields in $\mathbb{K}(f) \subset \mathbb{K}(x)$ generated by a list $h$ of homogeneous polynomials of degree $s$.

The algorithm of Faugère and Perret only finds an $(r, s)$-decomposition of $f$ if $f$ has exactly one decomposition up to equivalence, i.e., it only finds a decomposition when there is exactly one intermediate $\mathbb{K}$-algebra (field) in $\mathbb{K}[f] \subset \mathbb{K}[x]$ (in $\mathbb{K}(f) \subset \mathbb{K}(x)$) generated by $m$ homogeneous polynomials of degree $s$.

The dimension of $(r, s)$-decomposable polynomials

In [5], the dimension of the set of decomposable univariate polynomials over an algebraically closed field is counted, and in [4] the author counts the dimension of the so-called uni-multivariate decomposable polynomials, see [6], over an algebraically closed field. Here we try to count the dimension of the $(r, s)$-decomposable polynomials in $m$ variables over an algebraically closed field.

From now on, $\mathbb{K}$ will denote an algebraically closed field. Let $P_{m,n} = \{f \in \mathbb{K}[x] : f \text{ is homogeneous of degree } n\}$ be the vector space of homogeneous polynomials of degree $n$ in $m$ variables, of dimension $a_{m,n} = \binom{m+n-1}{n}$.

By arranging the monomials of degree $n$ in $m$ variables with respect to the lexicographical order $>_{lex}$, $m(1) = x_1^n$, $m(2) = x_1^{n-1} x_2$, $\ldots$, $m(a_{m,n}) = x_m^n$, we can identify a polynomial in $P_{m,n}$, with its coefficients sorted with respect to the lexicographical order, with a tuple in $\mathbb{K}^{a_{m,n}}$, thus identifying $P_{m,n}$ with the affine space $\mathbb{K}^{a_{m,n}}$.

For $n = rs$, we have the composition map
$$\gamma_{m,n,r}: P_{m,r} \times P_{m,s}^{\,m} \to P_{m,n}, \qquad (g, h_1, \ldots, h_m) \mapsto g(h_1, \ldots, h_m).$$

Clearly, the set $D_{m,n,r}$ of $(r, s)$-decomposable polynomials of degree $n$ is $\operatorname{Im} \gamma_{m,n,r}$. The map $\gamma_{m,n,r}$ can be identified with a polynomial map
$$\Gamma_{m,n,r}: \mathbb{K}^{a_{m,r}} \times (\mathbb{K}^{a_{m,s}})^m \to \mathbb{K}^{a_{m,n}}$$
that sends the coefficients of $g, h_1, \ldots, h_m$ to the coefficients of $g(h_1, \ldots, h_m)$.

This map identifies $D_{m,n,r}$ with $\mathrm{Dec}_{m,n,r} = \operatorname{Im} \Gamma_{m,n,r}$. We aim at finding the dimension of the Zariski closure $\overline{\mathrm{Dec}_{m,n,r}}$ of $\mathrm{Dec}_{m,n,r}$.

A straightforward way to compute the dimension is to combine a suitable normalization of $(r, s)$-decompositions with the following theorem:

Theorem 1. ([8]) Let $X, Y$ be algebraic sets over $\mathbb{K}$. If $f: X \to Y$ is a dominating polynomial map, i.e., such that $Y = \overline{f(X)}$, then there exists an open subset $U$ in $Y$ such that $f^{-1}(y)$ has dimension $\dim X - \dim Y$ for all $y \in U$.

As a consequence, if the map $\Gamma_{m,n,r}|_X : X \to \overline{\mathrm{Dec}_{m,n,r}}$ is dominating and such that all polynomials in $\mathrm{Dec}_{m,n,r} \setminus C$ have a finite number of $(r, s)$-decompositions, for a closed set $C \neq \overline{\mathrm{Dec}_{m,n,r}}$, then $\dim \overline{\mathrm{Dec}_{m,n,r}} = \dim X$.

It is clear that for $X = \mathbb{K}^{a_{m,r} + m \cdot a_{m,s}}$ the hypotheses are not satisfied: whenever a polynomial $f$ has the $(r, s)$-decomposition $f = g \circ h$, we can decompose $f$ as $f = (g \circ A^{-1}) \circ (A \circ h)$ for every $A \in GL_m(\mathbb{K})$.

Assume that $f = g(h_1, \ldots, h_m)$ is an $(r, s)$-decomposition of $f$ where $h_1, \ldots, h_m$ are linearly independent. Then the vector space generated by $h_1, \ldots, h_m$ is also generated by $m$ homogeneous polynomials $h'_1, \ldots, h'_m$ of degree $s$ such that each polynomial is monic with respect to the lexicographical order, $\mathrm{lm}(h'_1) >_{lex} \cdots >_{lex} \mathrm{lm}(h'_m)$, and $\mathrm{coeff}_{\mathrm{lm}(h_i)}(h_j) = 0$ for $i \neq j$, where $\mathrm{lm}(t)$ denotes the leading monomial of the polynomial $t$ and $\mathrm{coeff}_{m}(t)$ is the coefficient of the monomial $m$ in the polynomial $t$. Then, for $h' = (h'_1, \ldots, h'_m)$, there exists a homogeneous polynomial $g'$ in $m$ variables of degree $r$ such that $f = g' \circ h'$.

Let $V(i_1, \ldots, i_m)$ be the set of vector spaces generated by $m$ polynomials $h_1, \ldots, h_m$, where $i_1 < i_2 < \cdots < i_m$, each $h_j$ is monic with leading monomial $m(i_j)$, and $\mathrm{coeff}_{\mathrm{lm}(h_j)}(h_i) = 0$ if $i \neq j$. Written as a matrix of coefficients, with the columns indexed by the monomials of degree $s$ in lexicographical order, such a generating system has the form

$$\begin{array}{c|ccccccccc}
 & & i_1 & & i_2 & & & i_m & \\ \hline
h_1 & 0 \cdots 0 & 1 & \cdots & 0 & \cdots & & 0 & \cdots \\
h_2 & 0 \cdots 0 & 0 & 0 \cdots 0 & 1 & \cdots & & 0 & \cdots \\
\vdots & & & & & & & & \\
h_m & 0 \cdots 0 & 0 & 0 \cdots 0 & 0 & 0 \cdots 0 & & 1 & \cdots
\end{array}$$

where the entries shown as $\cdots$ are the free coefficients.



Each vector space in $V(i_1, \ldots, i_m)$ is determined by at most $m \cdot (a_{m,s} - m)$ coefficients in $\mathbb{K}$, thus identifying $V(i_1, \ldots, i_m)$ with $\mathbb{K}^{m \cdot (a_{m,s} - m)}$.

Let $\hat V = \bigcup_{1 \le i_1 < i_2 < \cdots < i_m \le a_{m,s}} V(i_1, \ldots, i_m)$ and let $V$ be the algebraic set corresponding to $\hat V$ under the identification between $P_{m,s}$ and $\mathbb{K}^{a_{m,s}}$. Then $\mathrm{Dec}_{m,n,r} = \operatorname{Im} \Gamma_{m,n,r}(\mathbb{K}^{a_{m,r}} \times \hat V)$. Clearly, $\dim \mathrm{Dec}_{m,n,r} = \dim \operatorname{Im} \Gamma(\mathbb{K}^{a_{m,r}} \times V) \le a_{m,r} + m \cdot (a_{m,s} - m)$. Therefore, if it could be proven that $\dim \operatorname{Im} \Gamma(\mathbb{K}^{a_{m,r}} \times V(1, 2, \ldots, m)) = a_{m,r} + m \cdot (a_{m,s} - m)$, then $\dim \mathrm{Dec}_{m,n,r} = a_{m,r} + m \cdot (a_{m,s} - m)$.

For $(2, 2)$-decompositions in two variables it can be proven that $\dim \mathrm{Dec}_{2,4,2} = 3 + 2(3 - 2) = 5$ by using Gröbner basis computations.
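The dimension claim for $(2, 2)$-decompositions in two variables can also be checked by a rank computation, given here as an added example that is not part of the paper. With the normalization $V(1, 2)$ of the previous paragraphs, $\Gamma_{2,4,2}$ restricted to $\mathbb{K}^{a_{2,2}} \times V(1,2)$ is a polynomial map $\mathbb{K}^5 \to \mathbb{K}^5$, and over a field of characteristic zero the dimension of the closure of its image equals the rank of its differential at a generic point. The sample point $(2, -3, 5, 1, -1)$ is constructed; the rank check replaces the Gröbner basis computation rather than reproducing it.

```python
from fractions import Fraction

def add(p, q):  # forms in x1, x2 are dicts {(i, j): c} meaning c * x1^i * x2^j, c rational
    r = dict(p)
    for k, v in q.items():
        r[k] = r.get(k, 0) + v
    return {k: v for k, v in r.items() if v}
def mul(p, q):
    r = {}
    for (i1, j1), v1 in p.items():
        for (i2, j2), v2 in q.items():
            r[i1 + i2, j1 + j2] = r.get((i1 + i2, j1 + j2), 0) + v1 * v2
    return {k: v for k, v in r.items() if v}
def compose(g, hs):  # g o h = g(h1, h2): substitute hs[0] for x1 and hs[1] for x2 in g
    out = {}
    for exps, c in g.items():
        term = {(0, 0): c}
        for h, e in zip(hs, exps):
            for _ in range(e): term = mul(term, h)
        out = add(out, term)
    return out

def gamma(params):  # Gamma_{2,4,2} restricted to IK^{a_{2,2}} x V(1,2), coefficients in lex order
    a0, a1, a2, b1, b2 = params  # a0..a2: coefficients of g; b1, b2: free coefficients of h1, h2
    g = {(2, 0): a0, (1, 1): a1, (0, 2): a2}
    h1 = {(2, 0): Fraction(1), (0, 2): b1}  # monic, lm(h1) = m(1) = x1^2, coefficient of lm(h2) is 0
    h2 = {(1, 1): Fraction(1), (0, 2): b2}  # monic, lm(h2) = m(2) = x1*x2
    f = compose(g, [h1, h2])
    return [f.get((i, 4 - i), Fraction(0)) for i in range(4, -1, -1)]  # x1^4, x1^3*x2, ..., x2^4

def rank(m):  # rank of a rational matrix by exact row reduction
    m, rk = [list(r) for r in m], 0
    for col in range(len(m[0])):
        piv = next((i for i in range(rk, len(m)) if m[i][col]), None)
        if piv is None: continue
        m[rk], m[piv] = m[piv], m[rk]
        for i in range(rk + 1, len(m)):
            m[i] = [a - m[i][col] / m[rk][col] * b for a, b in zip(m[i], m[rk])]
        rk += 1
    return rk

def jacobian_rank(point=(2, -3, 5, 1, -1)):
    # dim of the closure of Dec_{2,4,2} = rank of d(Gamma) at a generic point (char 0); the default
    # (constructed) point lies off the degeneracy locus, unlike e.g. (1, 0, 1, 0, 0). Gamma has degree
    # <= 2 in each single parameter, so central differences with step 1 are exact in rational arithmetic.
    pt = [Fraction(v) for v in point]
    cols = []
    for k in range(len(pt)):
        up, dn = list(pt), list(pt)
        up[k], dn[k] = pt[k] + 1, pt[k] - 1
        cols.append([(u - d) / 2 for u, d in zip(gamma(up), gamma(dn))])
    return rank(list(zip(*cols)))
```

`jacobian_rank()` returns 5, the value stated above, while the degenerate point `(1, 0, 1, 0, 0)` gives only 4, which is why the rank must be taken at a generic point.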

Counting the dimension of decomposable lists of homogeneous polynomials of the same degree is completely analogous. Let $\mathrm{Dec}_{m,n,r,u}$ be the set of lists $f$ of $u$ homogeneous polynomials in $\mathbb{K}[x]$ of degree $n$ that are $(r, s)$-decomposable, and let
$$\Gamma_{m,n,r,u}: (\mathbb{K}^{a_{m,r}})^u \times V \to \mathrm{Dec}_{m,n,r,u}$$
be the function that maps the coefficients of the normalized tuple $(g, h)$ to the coefficients of $g \circ h$. If the above normalization were the right one, then the dimension of $\mathrm{Dec}_{m,n,r,u}$ would be $\dim((\mathbb{K}^{a_{m,r}})^u \times V) = u \cdot a_{m,r} + m \cdot (a_{m,s} - m)$.

References

1. Faugère, J.-C., Perret, L.: Cryptanalysis of 2R-schemes. Advances in Cryptology, CRYPTO 2006. Lecture Notes in Comput. Sci. 4117 (2006) 357–372

2. Faugère, J.-C., Perret, L.: High order derivatives and decomposition of multivariate polynomials. ISSAC '09: Proceedings of the 2009 International Symposium on Symbolic and Algebraic Computation (2009) 207–214

3. Faugère, J.-C., Perret, L.: An efficient algorithm for decomposing multivariate polynomials and its applications to cryptography. Journal of Symbolic Computation 44 (2009) 1676–1689

4. von zur Gathen, J.: Counting decomposable multivariate polynomials. Technical Report arXiv:0811.4726 (2008)

5. von zur Gathen, J.: The number of decomposable univariate polynomials. ISSAC '09: Proceedings of the 2009 International Symposium on Symbolic and Algebraic Computation (2009) 359–366

6. von zur Gathen, J., Gutierrez, J., Rubio, R.: Multivariate polynomial decomposition. Applicable Algebra in Engineering, Communication and Computing 14 (2003) 11–31

7. Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. Advances in Cryptology, EUROCRYPT '88. Lecture Notes in Comput. Sci. 330 (1988) 419–453

8. Mumford, D.: The red book of varieties and schemes. Lecture Notes in Mathematics 1358, Springer-Verlag (1988)

9. Patarin, J., Goubin, L.: Asymmetric Cryptography with S-Boxes. Proceedings of ICICS '97, Lecture Notes in Comput. Sci. 1334 (1997) 369–380

10. Ye, D., Dai, Z., Lam, K.-Y.: Decomposing attacks on asymmetric cryptography based on mapping compositions. Journal of Cryptology 14 (2001) 137–150
