Dear Ludovic, designers of the Biscuit teams, other members of the mailing-list,
> We disagree on you statement that PowAff2 systems are
> computationally easier to solve than quadratic
> algorithms. [...] At this stage, your new ad-hoc algorithm has
> — in fact — roughly the same asymptotical complexity as
> general-purpose algorithms.
Let us look at what happens over the field with 2 elements.
For arbitrary Boolean quadratic systems, the best algorithm known to mankind at
this time, which is due to Dinur [1], requires 2^(0.6943*n) operations. The
simple algorithm outlined in my previous message, which is specific to the
"PowAff2" problem, requires 2^(0.5*n), and thus is exponentially better.
So, at least over the field with two elements, PowAff2 is much easier than the
problem of solving random quadratic systems.
Regarding concrete security levels, I agree that the naive algorithm I outlined
in my previous message was not enough to go beyond the pain threshold. However,
it is easy to improve upon. Combining it with the (self-proclaimed) dumbest
possible algorithm that beats brute force [2] yields the following:
1) perform a linear change of the n variables y == Mx that yields v_i(y) = y_i + cst for (0 <= i < n)
2') Set k := 0.5 * (n - sqrt(2*m - n + 1) + 1). Guess the first k variables
3') The first k quadratic equations become affine in the remaining n - k variables. Use these to eliminate k variables in the last m-k quadratic polynomials
[at this stage, m-k quadratic polynomials in n-2k variables remain]
4') Solve the resulting quadratic system by linearization (it has less than m-k monomials of degree <= 2).
5') Go back to step 2' until a solution is found
Step 4' costs O((m-k)^3) operations, which is 8 times more than before.
However, the number of iterations is decreased compared to my first message.
This results in:
| instance | n | m | k | #monomials (1) | log2(#operations) (2) |
|------------+-----+-----+----+----------------+-----------------------|
| biscuit128 | 64 | 67 | 29 | 27 | 130.2 |
| biscuit192 | 87 | 90 | 40 | 35 | 175.4 |
| biscuit256 | 118 | 121 | 54 | 65 | 234.0 |
|------------+-----+-----+----+----------------+-----------------------|
(1) There are 1/2*(n-2*k + 3)*(n-2*k) non-constant monomials of degree <= 2 in n-2*k variables
(2) This is (#monomials)^3 * q^k
This beats the claimed bit-security levels given in Table 11 of the submission
document by 30, 34 and 42 bits for biscuit128, biscuit192 and biscuit256,
respecticely, if I'm not mistaken.
Note that these results are obtained using the simplest possible methods, that
require no memory and just combine exhaustive search with small, dense linear
algebra. I consider this to be an indication that the "PowAff2" problem is
easier than arbitrary quadratic systems.
In any case, it seems likely that even better results will be obtained using
more sophisticated techniques. As such, if I were you, I would be conservative
in revising the parameters.
Best regards,
-----
Charles Bouillaguet
[1] Itai Dinur. Improved algorithms for solving polynomial systems over GF(2) by
multiple parity- counting. In Dániel Marx, editor, Proceedings of the 2021
ACM-SIAM Symposium on Discrete Algorithms, SODA 2021, Virtual Conference,
January 10 - 13, 2021, pages 2550–2564. SIAM, 2021.
[2] Charles Bouillaguet, Claire Delaplace, and Monika Trimoska. A simple
deterministic algorithm for systems of quadratic polynomials over GF(2) . In
Karl Bringmann and Timothy Chan, editors, 5th Symposium on Simplicity in
Algorithms, SOSA@SODA 2022, Virtual Conference, January 10-11, 2022, pages
285–296. SIAM, 2022.