Inverting bijective polynomial maps over finite fields

Antonio Cafure. Depto. de Matemática, FCEyN, UBA, Ciudad Universitaria, Pabellón I, (C1428EHA) Buenos Aires, Argentina. Instituto del Desarrollo Humano, Universidad Nac. Gral. Sarmiento, J. M. Gutiérrez 1150 (1613) Los Polvorines, Argentina.

Guillermo Matera. Instituto del Desarrollo Humano, Universidad Nac. Gral. Sarmiento, J. M. Gutiérrez 1150 (1613) Los Polvorines, Argentina. CONICET, Argentina.

Ariel Waissbein. CoreLabs, CORE ST, Humboldt 1967 (C1414CTU) Cdad. de Bs. As., Argentina. Doctorado en Ingeniería, ITBA: Av. Eduardo Madero 399 (C1106ACD) Cdad. de Buenos Aires, Argentina.

Abstract. We study the problem of inverting a bijective polynomial mapping $F : \mathbb{F}_q^n \to \mathbb{F}_q^n$ over a finite field $\mathbb{F}_q$. Our interest mainly stems from the case where $F$ encodes a permutation given by some public-key cryptographic scheme. Given this description and an element $y \in \mathbb{F}_q^n$ we are able to compute a value $x \in \mathbb{F}_q^n$ such that $F(x) = y$ in time $O(\delta^4)$. Here $\delta$ denotes the degree of the affine variety defined by $F(X) - Y = 0$, which is bounded by $d^n$, where $d$ is an upper bound on the total degree of $F_1, \ldots, F_n$.

I. INTRODUCTION

Let $\mathbb{F}_q$ be the finite field of $q$ elements, where $q$ is a prime power, and let $\overline{\mathbb{F}}_q$ denote its algebraic closure. Let $X := (X_1, \ldots, X_n)$ denote a vector of indeterminates over $\mathbb{F}_q$ and let $F_1, \ldots, F_n$ be polynomials in $\mathbb{F}_q[X]$. Assume that the map $F : \mathbb{F}_q^n \to \mathbb{F}_q^n$ defined by $F(x) := (F_1(x), \ldots, F_n(x))$ is bijective. In this paper we exhibit an algorithm which, on input $y \in \mathbb{F}_q^n$, computes the point $x \in \mathbb{F}_q^n$ such that $F(x) = y$ holds. This problem is tightly related to classical algebraic geometry (see, e.g., [1]), as it amounts to finding an $\mathbb{F}_q$-rational solution of a system of the form $F_1(X) - y_1 = 0, \ldots, F_n(X) - y_n = 0$ with $y_1, \ldots, y_n \in \mathbb{F}_q$; and it has direct applications in the domain of public-key cryptography (see, e.g., [2]).
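The inversion problem just stated, as an added worked example that is not part of the paper and does not implement the paper's algorithm: a constructed bijective polynomial map over $\mathbb{F}_7$ in two variables, given only by its expanded polynomials $F_1, F_2$, is inverted by the naive method of exhaustively searching for the $\mathbb{F}_q$-rational solution of $F(X) - y = 0$, and the result is checked against a hypothetical trapdoor (the map is built as a composition of two triangular maps, which is what makes it bijective and cheaply invertible for whoever knows that structure). The block also computes the two degree bounds on $\delta$ quoted on this page, $\deg F_1 \cdots \deg F_n$ and $d^n$; it does not compute $\delta$ itself. The field size, the map and the point $y$ are all constructed for the example.

```python
"""Constructed example: the problem F(x) = y for a bijective polynomial map over F_p.

F = T2 o T1 with the triangular maps T1(x1, x2) = (x1 + x2^2, x2) and
T2(x1, x2) = (x1, x2 + x1^3); a composition of triangular maps is bijective.
Expanded, the public polynomials are
    F1 = x1 + x2^2
    F2 = x2 + (x1 + x2^2)^3 = x2 + x1^3 + 3 x1^2 x2^2 + 3 x1 x2^4 + x2^6
Polynomials are stored as {(e1, e2): coefficient} with coefficients mod P.
"""
from itertools import product

P = 7  # constructed: the prime field F_7
N = 2  # number of variables

# Public description of F: the expanded polynomials are all an inverter is given.
F1 = {(1, 0): 1, (0, 2): 1}
F2 = {(0, 1): 1, (3, 0): 1, (2, 2): 3, (1, 4): 3, (0, 6): 1}
F = (F1, F2)


def poly_eval(poly, x):
    """Evaluate a polynomial {exponents: coeff} at the point x in F_P^N."""
    total = 0
    for exps, c in poly.items():
        term = c % P
        for xi, e in zip(x, exps):
            term = term * pow(xi, e, P) % P
        total = (total + term) % P
    return total


def evaluate_map(x):
    """F(x) = (F1(x), ..., FN(x))."""
    return tuple(poly_eval(f, x) for f in F)


def total_degree(poly):
    """Total degree: the largest exponent sum over the monomials."""
    return max(sum(exps) for exps in poly)


def bezout_bound():
    """The Bezout-type bound deg F1 * ... * deg FN on delta (here 2 * 6 = 12)."""
    bound = 1
    for f in F:
        bound *= total_degree(f)
    return bound


def max_degree_bound():
    """The coarser bound d^n from the abstract, d = max total degree (here 6^2 = 36)."""
    return max(total_degree(f) for f in F) ** N


def is_bijective():
    """Exhaustive check: F is bijective iff its image over F_P^N has P^N distinct values."""
    images = {evaluate_map(x) for x in product(range(P), repeat=N)}
    return len(images) == P ** N


def invert_by_search(y):
    """Generic inversion with no knowledge of F's structure: find the F_P-rational
    solution of F(X) - y = 0 by trying all P^N points.  For a bijective F exactly
    one solution exists; the cost grows as P^N, which is why only small P is feasible."""
    y = tuple(v % P for v in y)
    solutions = [x for x in product(range(P), repeat=N) if evaluate_map(x) == y]
    assert len(solutions) == 1, "a bijective F has exactly one preimage"
    return solutions[0]


def invert_by_trapdoor(y):
    """Hypothetical trapdoor inversion using the hidden triangular structure:
    F1(x) = y1 turns F2 = x2 + F1^3 = y2 into x2 = y2 - y1^3, then x1 = y1 - x2^2."""
    y1, y2 = (v % P for v in y)
    x2 = (y2 - pow(y1, 3, P)) % P
    x1 = (y1 - pow(x2, 2, P)) % P
    return (x1, x2)


if __name__ == "__main__":
    y = (3, 5)  # constructed target point in F_7^2
    print("bijective:", is_bijective())
    print("deg F1 * deg F2 =", bezout_bound(), " d^n =", max_degree_bound())
    x = invert_by_search(y)
    print("search:", x, " trapdoor:", invert_by_trapdoor(y), " F(x) =", evaluate_map(x))
```

The gap between `invert_by_search` (cost $p^n$ evaluations, no structural knowledge) and `invert_by_trapdoor` (two field operations) is the asymmetry a polynomial-based public-key scheme relies on; the page's point is that the generic cost is governed by $\delta$ rather than by $p^n$, so $\delta$, not the field size, is the parameter to examine when judging such a scheme.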
Throughout the last 20 years, algebraists and other computer scientists have tried to tackle polynomial equation solving over finite fields (see, e.g., [3], [4], [5]). It has been known for an even longer period that the problem is intractable, even when restricted to quadratic equations ([6], [7]). Indeed, the solutions proposed in [3] and [4] have superexponential running time, [8] has exponential running time, and only [5] achieves efficient complexities (see also [9], [10], [11] for algorithms that run efficiently but only in special cases). In the case of cryptography, at least since [12] researchers have unsuccessfully tried to construct public-key schemes based on polynomial equation solving, mostly with underlying quadratic systems, but the proposals are typically defeated by ad hoc attacks (see, e.g., [13], [10]). There is further evidence (see, e.g., [14]) that polynomial equation systems arising from "practical problems" can be solved efficiently.

In [9], Sturtivant and Zhang propose a method for inverting equation systems over finite fields in the case where $F$ is an automorphism of $\mathbb{F}_q^n$ and its inverse can be represented by a polynomial mapping of degree polynomial in $\max_i \{\deg F_i\}$ and the time complexity of $F$. Explicitly, they exhibit an algorithm that computes the inverse $F^{-1} := (F_1^{-1}, \ldots, F_n^{-1})$ in $(ndeL)^{O(1)}$ arithmetic operations, where $d$ and $e$ are bounds for the degrees of $F_1, \ldots, F_n$ and $F_1^{-1}, \ldots, F_n^{-1}$, respectively, and $L$ arithmetic operations are sufficient for evaluating $F$.

We propose a solution that applies in wider cases, and provide sharper efficiency estimates. Explicitly:

Theorem 1.1: Let $F$ be as above, and let a point $y \in \mathbb{F}_q^n$ be given. Assume we are given a straight-line program that evaluates $F$ in $\mathbb{F}_q[X]$ in time $L$. Assume further that the ring extension $\mathbb{F}_q[Y] \to \mathbb{F}_q[X, Y]/(F(X) - Y)$ is integral.
There exists a (probabilistic) algorithm that computes the only point $x \in \mathbb{F}_q^n$ such that $F(x) = y$ using $O\big((L + n^3 + \delta^2)\, n\, M(D\delta)\big)$ time (up to logarithmic factors), where $L$ is the complexity of evaluating $F$, $\delta$ is the degree of the affine variety $\{(x, y) \in \overline{\mathbb{F}}_q^{\,n} \times \overline{\mathbb{F}}_q^{\,n} : F(x) - y = 0\}$ and $\overline{\mathbb{F}}_q$ is an algebraic closure of $\mathbb{F}_q$.

The integrality assumption above is equivalent to asking that the fibers $F^{-1}(y)$ be nonempty and finite for every $y \in \mathbb{F}_q^n$; it holds for generic systems. Also, notice that $\delta$ can be estimated by $\delta \le \deg F_1 \cdots \deg F_n$ by the Bézout bound ([15]); in fact, the bound is sharp in the worst case, but $\delta$ can be much smaller (cf. [1]). We remark that if the hypotheses of [9] hold, then $e \le \delta$ follows; therefore, our complexity estimates are sharper. On the other hand, it should be noticed that the parameter $\delta$ is a good measure of the "intrinsic difficulty" of the inversion problem, in the sense that the smaller $\delta$ is (e.g., $\delta \ll \deg F_1 \cdots \deg F_n$), the faster our algorithm runs, and it should be taken into account as a security estimation parameter.

II. NOTIONS AND NOTATIONS

Throughout the paper, $\mathbb{F}_q$ and $\overline{\mathbb{F}}_q$ will denote the finite field of $q$ elements and its algebraic closure respectively, and $K$ any subfield of $\overline{\mathbb{F}}_q$ containing $\mathbb{F}_q$. Let $K[X_1, \ldots, X_n]$ denote the ring of $n$-variate polynomials in the indeterminates $X_1, \ldots, X_n$ with coefficients in $K$. Let $V$ be a $K$-definable affine subvariety of $\mathbb{A}^n$ (a $K$-variety for short). We shall denote by $I(V) \subset K[X_1, \ldots, X_n]$ its defining ideal and by $K[V]$ its coordinate ring, namely, the quotient ring $K[V] := K[X_1, \ldots, X_n]/I(V)$.