Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology

Abstract

Computing loci of rank defects of linear matrices (also called the MinRank problem) is a fundamental NP-hard problem of linear algebra which has applications in Cryptology, in Error Correcting Codes and in Geometry. Given a square linear matrix (i.e. a matrix whose entries are k-variate linear forms) of size n and an integer r, the problem is to find points such that the evaluation of the matrix has rank less than r + 1. The aim of the paper is to obtain the most efficient algorithm to solve this problem. To this end, we give the theoretical and practical complexity of computing Grobner bases of two algebraic formulations of the MinRank problem. Both modelings lead to structured algebraic systems.The first modeling, proposed by Kipnis and Shamir generates bi-homogeneous equations of bi-degree (1, 1). The second one is classically obtained by the vanishing of the (r + 1)-minors of the given matrix, giving rise to a determinantal ideal. In both cases, under genericity assumptions on the entries of the considered matrix, we give new bounds on the degree of regularity of the considered ideal which allows us to estimate the complexity of the whole Grobner bases computations. For instance, the exact degree of regularity of the determinantal ideal formulation of a generic well-defined MinRank problem is r(n - r) + 1. We also give optimal degree bounds of the loci of rank defect which are reached under genericity assumptions; the new bounds are much lower than the standard multi-homogeneous Bezout bounds (or mixed volume of Newton polytopes).TAs a by-product, we prove that the generic MinRank problem could be solved in polynomial time in n (when n - r is fixed) as announced in a previous paper of Faugere, Levy-dit-Vehel and Perret. Moreover, using the determinantal ideal formulation, these results are used to break a cryptographic challenge (which was untractable so far) and allow us to evaluate precisely the security of the cryptosystem w.r.t. n, r and k. Our practical results suggest that, up to the software state of the art, this latter formulation is more adapted in the context of Grobner bases computations.