# Multivariate polynomial systems

## 1.First manipulations and experiments

In order to manipulate multivariate polynomials over a finite field, we can start by creating the associated polynomial ring. When the number of variables is small, we can directly specify their names. 

In [1]:
R1.<x,y,z> = PolynomialRing(GF(7))
print(R1)
print((3*x+5*y)*(3*z+2*x+y)+(4*y+3*z)*(x+y+2*z))
print(5*x+2*x)

For larger numbers of variables, we specify a generic name, used only for printing outputs. The i-th variable of the ring `R` is called by the command `R.i` or `R.gen(i)`.

In [2]:
R=PolynomialRing(GF(7),30,'x')
print(R)
print(R.10*R.15+6*R.gen(28)*R.gen(7))
print(R(10)) #caution
print(x13) #error


**Exercise:** 
- Generate a random system (list `L`) of 5 quadratic polynomials in 5 variables with coefficients in the finite field $\mathbb F_7$. Try to compute its solutions with the command `ideal(L).variety()`.
- Experiment with other systems. What happens when there are more variables than equations?
- To circumvent this difficulty, append to the list `L`the "field equations" $x_i^p - x_i$. Check the results on various systems and various parameters.   


**Exercise (Boolean systems):** If $x\in \mathbb F_2$ then $x^k=x$ for all $k\geq 1$. This implies that when trying to solve polynomial systems over $\mathbb F_2$, we can replace every power $x_i^k$ of a variable by just $x_i$. This is implemented in Sagemath with `BooleanPolynomialRing`.
- Create a Boolean polynomial ring in $n=12$ variables, and test the product of Boolean polynomials.
- Create 100 systems of $m=12$ quadratic Boolean polynomials in 12 variables and solve them (command `ideal(L).variety()`). What is the average number of solutions?
- Same question with $m=11$, $m=10$ (underdetermined systems), $m=13$, $m=14$ (overdetermined systems).


**Exercise (extremely overdetermined systems):** 
- Generate a system of 300 quadratic polynomials in 23 variables with coefficients in $\mathbb F_{97}$, having _at least one_ solution.
- Explain why it is possible to find linear combinations of the equations that yield degree 1 polynomials.
- Compute such linear polynomials by performing Gaussian elimination, and recover the solution of the system.


## 2. Oil and Vinegar

**Preliminary:** 
- Construct a quadratic polynomial $f$ in $3$ variables $x,y,z$ over a field $K$. What is the output of the command $f(x,2,1)$? And $f(y,z,x)$?
- Construct a square matrix $M\in \mathcal M_3(K)$ from the list of its coefficients with the command `M = matrix(K,3,3,[.....])` and test the command `M*vector([x,y,z])`.
- Unpack the result of the last command using the star operator `*` and feed it to $f$. What is the result?

**Exercise:**
1. Generate a random (homogeneous) quadratic system $F$ of 20 equations in 40 variables over $\mathbb F_{2}$, such that there are no monomials of the form $x_ix_j$ with $i \geq 20$ and $j\geq 20$.

2. Generate a random 40x40 square matrix $S$ with coefficients in $\mathbb F_2$ and test if it is invertible. If not, start again until finding an invertible one. This is your private key. 

3. Compute the system $P=F\circ S$. This is your public key. What is its size? Is there a way to store it compactly?

4. Pick a random tuple $y\in \mathbb F_2^{20}$ and compute an $x$ such that $P(x)=y$ using your private key. Check your result.

5. Try to solve directly the system $P(x)=y$.

6. The trouble is that the system $P(x)=y$ is largely underdetermined and so has a lot of solutions, whereas we only need one. Try to solve the system by guessing the value of 20 variables (hint: the resolution is much faster if you cast the polynomials into a polynomial ring in the remaining 20 variables). 

7. Overdetermined systems are usually faster to solve than square systems. If we try to guess more than 20 variables, this speeds up the computation but deteriorates the probability of obtaining a solution, so that there is an optimal trade-off to be found.\
   Solve the system $P(x)=y$ by guessing repeatedly 25 variables until a solution is found. Is it faster than guessing 20 variables? Than guessing all 40 variables?


## 3. Kipnis-Shamir attack on Balanced Oil and Vinegar

In the original Oil and Vinegar scheme, there are as many oil variables as vinegar variables (i.e. $n=2m$). Kipnis and Shamir showed that this parameter choice is insecure ; their attack generalizes to $n$ slightly larger than $2m$. In modern implementations, $n \leq 3m$. We will explain the principle of this attack in the homogeneous case in odd characteristic. 


##### 1. Quadratic polynomials and symmetric matrices.
In what follows we assume that $n=2m$, and that we are working over of field of odd characteristic (e.g. $\mathbb F_{31}$).
- Let $f = \displaystyle \sum_{0\leq i,j<n} a_{ij} x_ix_j$ a homogeneous quadratic polynomial over a field of odd characteristic. Show that there is a (unique) symmetric matrix $A$ such that : $$\forall X = \begin{pmatrix} x_0 \\ \vdots \\ x_{n-1} \end{pmatrix},\ f(x_0,\dots,x_{n-1}) = X^T A X$$
- Write a function that outputs the symmetric matrix corresponding to a homogeneous quadratic polynomial (the relevant command is `f.coefficient(m)`, which returns the coefficient of the monomial $m$ in $f$). 
- Let $S$ be an invertible $n\times n$ matrix, and $p=f\circ S$. What is the symmetric matrix corresponding to $p$?

##### 2. Oil and Vinegar matrices
Let $f_0,\dots,f_{m-1}$ be quadratic homogeneous polynomials such that for all $k$, the polynomial $f_k$ has no term of the form $x_ix_j$ for $i,j \geq m$. Let $S$ be an invertible $n\times n$ matrix. 

We denote by $F$ the central Oil and Vinegar map $(f_0,\dots,f_{m-1}) : (\mathbb F_p)^n \to (\mathbb F_p)^m$, and by $P = (p_0,\dots,p_{m-1})$ the public quadratic map $F\circ S$, i.e. $p_k = f_k\circ S$ for all $0\leq k < m$. We also denote by $A_k$ (resp. $B_k$) the symmetric matrix corresponding to $f_k$ (resp. $p_k$). 

Finally, let $\mathcal O = S^{-1}(\{0\}^m\times(\mathbb F_p)^m)$ (the oil subspace) and $\mathcal V = S^T((\mathbb F_p)^m\times \{0\}^m)$.

- Generate such a system, for $m=20$ and $p=31$.
- What is the shape of the matrices $A_1,\dots,A_m$? 
- Show that $P$ vanishes on $\mathcal O$. 

##### 3. The attack
The goal of the attack is to recover $\mathcal O$, which is actually sufficient for computing preimages by $P$, i.e. forging signatures. We keep the above notations.

- Let $k\in \{0,\dots,m-1\}$. Show that *as a linear map*, $B_k$ sends $\mathcal O$ to $\mathcal V$, i.e. $B_k \,o \in \mathcal V$ for all $o \in \mathcal O$. \
If $B_k$ is nonsingular, deduce that $B_k^{-1} \mathcal V = \mathcal O$, i.e. $\mathcal O = \{B_k^{-1}v\ :\ v \in \mathcal V\}$. Hint: use $\dim(\mathcal V) = \dim (\mathcal O)$}.
- Deduce that $\mathcal O$ is a common invariant subspace of all the matrices $B_k^{-1}B_l$ for all pairs $0\leq k,l<m$ such that $B_k$ is nonsingular. 

For $k,l$ such that $B_k$ is invertible, we set $C_{kl} = B_k^{-1}B_l$, and denote by $g_{kl}$ the endomorphism induced by $C_{kl}$ on $\mathcal O$. Observing that $C_{kl}$ is similar to $A_k^{-1}A_l$, it is possible to show that the characteristic polynomial of $C_{kl}$ is actually the square of the characteristic polynomial of $g_{kl}$, i.e. $\chi_{C_{kl}} = (\chi_{g_{kl}})^2$.

- On your example system, test which of the $B_k$ matrices are invertible. Factor the characteristic polynomial (command `factor(M.characteristic_polynomial())`) of some $C_{kl}$ matrices and check that they are indeed squares.
- Using the Cayley-Hamilton theorem, show that $\mathcal O \subset \ker(\chi_{g_{kl}}(C_{kl}))$.
- To conclude the attack, choose a suitable pair $(k,l)$, compute the square root $\chi_{g_{kl}}$ of the characteristic polynomial of $C_{kl}$, then compute the kernel of $\chi_{g_{kl}}(C_{kl})$ with the command `right_kernel()`. If its dimension is $m$ then it is equal to $\mathcal O$; otherwise, choose another pair.\
Implement this attack and check that $P$ vanishes indeed on all vectors of a basis of $\mathcal O$.  
