Improvement of Algebraic Attacks for Solving Superdetermined MinRank Instances

Abstract

The MinRank (MR) problem is a computational problem that arises in many cryptographic applications. In Verbel et al. [24], the authors introduced a new way to solve superdetermined instances of the MinRank problem, starting from the bilinear Kipnis-Shamir (KS) modeling. They use linear algebra on specific Macaulay matrices, considering only multiples of the initial equations by one block of variables, the so called “kernel” variables. Later, Bardet et al. [7] introduced a new Support Minors modeling (SM), that consider the Plücker coordinates associated to the kernel variables, i.e. the maximal minors of the Kernel matrix in the KS modeling. In this paper, we give a complete algebraic explanation of the link between the (KS) and (SM) modelings (for any instance). We then show that superdetermined MinRank instances can be seen as easy instances of the SM modeling. In particular, we show that performing computation at the smallest possible degree (the “first degree fall”) and the smallest possible number of variables is not always the best strategy. We give complexity estimates of the attack for generic random instances. We apply those results to the DAGS cryptosystem, that was submitted to the first round of the NIST standardization process. We show that the algebraic attack from Barelli and Couvreur [8], improved in Bardet et al. [5], is a particular superdetermined MinRank instance. Here, the instances are not generic, but we show that it is possible to analyse the particular instances from DAGS and provide a way to select the optimal parameters (number of shortened positions) to solve a particular instance.