## Section: New Results

### Solving Systems in Finite Fields, Applications in Cryptology and Algebraic Number Theory.

#### Algebraic Cryptanalysis of a Quantum Money Scheme: The Noisy Case.

At STOC 2012, Aaronson and Christiano proposed a noisy and a noiseless version of the first public-key quantum money scheme endowed with a security proof. [5] addresses the so-called noisy hidden subspaces problem, on which the noisy version of their scheme is based. The first contribution of this work is a non-quantum cryptanalysis of the above-mentioned noisy quantum money scheme extended to prime fields $\mathbb{F}$, with $\left|\mathbb{F}\right| \neq 2$, that runs in randomised polynomial time. This finding is supported by experimental results showing that, in practice, the algorithm presented is efficient and succeeds with overwhelming probability. The second contribution is a non-quantum randomised polynomial-time cryptanalysis of the noisy quantum money scheme over $\mathbb{F}_{2}$ that succeeds with a certain probability for values of the noise lying within a certain range. This result disproves a conjecture made by Aaronson and Christiano about the non-existence of an algorithm that solves the noisy hidden subspaces problem over $\mathbb{F}_{2}$ with such a success probability.

#### On the Complexity of MQ in the Quantum Setting.

In August 2015 the cryptographic world was shaken by a sudden and surprising
announcement by the US National Security Agency (NSA) concerning plans to
transition to post-quantum algorithms. Since this announcement, post-quantum
cryptography has become a topic of primary interest for several
standardization bodies. The transition from the currently deployed public-key
algorithms to post-quantum algorithms has been found to be challenging in many
aspects. In particular, the problem of evaluating the quantum-bit security of
such post-quantum cryptosystems remains largely open. This question is of
course of primary concern in the process of standardizing post-quantum
cryptosystems. In [21] we consider the quantum security
of the problem of solving a system of *$m$ Boolean multivariate quadratic
equations in $n$ variables* (MQb), a central problem in post-quantum
cryptography. When $n=m$, under a natural algebraic assumption, we present a
Las Vegas quantum algorithm solving MQb (one that always returns a correct
answer, only its running time being random) that requires the evaluation of,
on average, $O\left({2}^{0.462n}\right)$ quantum gates. To our knowledge this is the
fastest algorithm for solving MQb.
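The MQb problem as stated above, as an added example written for this page rather than code from [21] (whose algorithm is quantum): a packed representation of a Boolean quadratic system, an evaluator whose control flow does not depend on the assignment, and the $2^n$ exhaustive-search baseline against which the $2^{0.462n}$ figure is measured. The sizes, xorshift seeds, hand-built instance and planted solution are constructed for illustration and are not parameters taken from the paper.

```c
/* Added example, not code from [21]: a Boolean MQ system packed into 32-bit
 * words, a branch-free evaluator and the 2^n exhaustive-search baseline.
 * Sizes, seeds and the planted solution below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MQ_MAX_N 32
#define MQ_MAX_M 32

/* Equation k over F_2:  sum_{i<=j} a_ij x_i x_j + sum_i b_i x_i + c.
 * quad[i] bit j (j >= i) = a_ij, lin bit i = b_i, c = constant term. */
typedef struct { uint32_t quad[MQ_MAX_N]; uint32_t lin; uint32_t c; } mq_eq;
typedef struct { int n, m; mq_eq eq[MQ_MAX_M]; } mq_system;

static uint32_t parity32(uint32_t v) {            /* XOR of all bits, no branch */
    v ^= v >> 16; v ^= v >> 8; v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return v & 1u;
}
static void mq_clear(mq_system *s, int n, int m) { memset(s, 0, sizeof *s); s->n = n; s->m = m; }
static void mq_add_quad(mq_system *s, int k, int i, int j) {   /* toggle x_i x_j */
    if (i > j) { int t = i; i = j; j = t; }
    s->eq[k].quad[i] ^= 1u << j;
}
static void mq_add_lin(mq_system *s, int k, int i) { s->eq[k].lin ^= 1u << i; }
static void mq_add_const(mq_system *s, int k)      { s->eq[k].c ^= 1u; }

/* Value of one equation at x (bit i of x = x_i).  Row i contributes
 * x_i * <quad[i], x>; it is selected by the mask -(x_i) rather than a branch,
 * so the control flow does not depend on the (possibly secret) input. */
static uint32_t mq_eval_eq(const mq_eq *e, int n, uint32_t x) {
    uint32_t r = e->c ^ parity32(e->lin & x);
    for (int i = 0; i < n; i++) {
        uint32_t mask = 0u - ((x >> i) & 1u);
        r ^= parity32(e->quad[i] & x & mask);
    }
    return r & 1u;
}

/* Bit k of the result is the value of equation k; x is a solution iff 0. */
static uint32_t mq_eval(const mq_system *s, uint32_t x) {
    uint32_t out = 0;
    for (int k = 0; k < s->m; k++) out |= mq_eval_eq(&s->eq[k], s->n, x) << k;
    return out;
}

/* Exhaustive search over the 2^n assignments, the classical baseline that the
 * 2^{0.462 n} quantum algorithm of [21] is measured against.  Stores the
 * first solution in *sol (if non-NULL) and returns the number of solutions. */
static uint64_t mq_count_solutions(const mq_system *s, uint32_t *sol) {
    uint64_t count = 0;
    for (uint64_t x = 0; x < (1ull << s->n); x++) {
        if (mq_eval(s, (uint32_t)x) != 0) continue;
        if (count == 0 && sol) *sol = (uint32_t)x;
        count++;
    }
    return count;
}

/* Pseudo-random instance (xorshift32, fixed seed) with a planted solution:
 * each constant term is chosen so that `planted` satisfies its equation. */
static void mq_random_planted(mq_system *s, int n, int m, uint32_t seed, uint32_t planted) {
    uint32_t st = seed ? seed : 1u;
    uint32_t nmask = (n == 32) ? 0xFFFFFFFFu : ((1u << n) - 1u);
    mq_clear(s, n, m);
    for (int k = 0; k < m; k++) {
        for (int i = 0; i < n; i++) {
            st ^= st << 13; st ^= st >> 17; st ^= st << 5;
            s->eq[k].quad[i] = st & nmask & ~((1u << i) - 1u);  /* keep j >= i */
        }
        st ^= st << 13; st ^= st >> 17; st ^= st << 5;
        s->eq[k].lin = st & nmask;
        s->eq[k].c = mq_eval_eq(&s->eq[k], n, planted);         /* now 0 at planted */
    }
}

/* Hand-built 2-variable instance:  x0*x1 + 1 = 0  and  x0 + x1 = 0.
 * Its only solution is x0 = x1 = 1, i.e. x = 0b11 = 3. */
static uint64_t mq_tiny_count(uint32_t *sol) {
    mq_system s;
    mq_clear(&s, 2, 2);
    mq_add_quad(&s, 0, 0, 1); mq_add_const(&s, 0);
    mq_add_lin(&s, 1, 0);     mq_add_lin(&s, 1, 1);
    return mq_count_solutions(&s, sol);
}
static uint32_t mq_tiny_first(void) { uint32_t sol = 0; mq_tiny_count(&sol); return sol; }

/* 1 iff, for a random n x n instance built from `seed`, the planted assignment
 * satisfies every equation and the first solution found does too. */
static int mq_planted_ok(int n, uint32_t seed, uint32_t planted) {
    mq_system s; uint32_t sol = 0;
    mq_random_planted(&s, n, n, seed, planted);
    if (mq_eval(&s, planted) != 0 || mq_count_solutions(&s, &sol) == 0) return 0;
    return mq_eval(&s, sol) == 0;
}

int main(void) {
    printf("tiny instance: %llu solution(s), first x = %u\n",
           (unsigned long long)mq_tiny_count(NULL), mq_tiny_first());
    printf("n = m = 16 planted instance consistent: %s\n",
           mq_planted_ok(16, 0x1234567u, 0xBEEFu) ? "yes" : "no");
    return 0;
}
```

The evaluator is the part worth copying: every row of the quadratic part is combined under a mask derived from the corresponding bit of $x$, so evaluating a public system on a secret assignment (as a signature scheme does) takes the same path for every input. The exhaustive search is there only to make the $2^n$ baseline concrete; at $n = m = 16$ it finishes instantly, and doubling $n$ a few times shows why the exponent, not the constant, is what a quantum speed-up attacks.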

#### MQsoft.

In 2017, NIST shook the cryptographic world by starting a process for
standardizing post-quantum cryptography. Sixty-four submissions have been
considered for the first round of the on-going NIST Post-Quantum Cryptography
(PQC) process. Multivariate cryptography is a classical post-quantum candidate
that turns out to be the most represented in the signature category. At this
stage of the process, it is of primary importance to investigate efficient
implementations of the candidates. [17] presents `MQsoft`, an efficient
library for implementing `HFE`-based multivariate schemes submitted to the
NIST PQC process such as *GeMSS*, `Gui` and *DualModeMS*. The library is
implemented in `C`, targets Intel 64-bit processors and uses the `AVX2`
instruction set. We present performance results for our library and its
application to *GeMSS*, `Gui` and *DualModeMS*. In particular, we optimize
several crucial parts of these schemes, including root finding for `HFE`
polynomials and evaluation of multivariate quadratic systems over
$\mathbb{F}_{2}$. We propose a new method which accelerates root finding for
specific `HFE` polynomials by a factor of two. For *GeMSS* and `Gui`, we obtain
a speed-up by a factor between 2 and 19 for key pair generation, between $1.2$
and $2.5$ for signature generation, and between $1.6$ and 2 for verification.
We have also improved the arithmetic in $\mathbb{F}_{2^{n}}$ by a factor of 4
compared to the `NTL` library. Moreover, a large part of our implementation is
protected against timing attacks.
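An added example, written for this page and not code from `MQsoft` or `NTL`, of the two implementation points the paragraph raises, $\mathbb{F}_{2^{n}}$ arithmetic and protection against timing attacks: multiplication in $\mathbb{F}_{2^{n}}$ for $n \le 64$ written once with operand-dependent branches and once branch-free with masks, plus a fixed-schedule Fermat inversion. The fields (the AES field $\mathbb{F}_{2^{8}}$ and $\mathbb{F}_{2^{63}}$ defined by $x^{63}+x+1$) and the operands are chosen for illustration and are assumptions, not *GeMSS*, `Gui` or *DualModeMS* parameters; the FIPS-197 values $\{57\}\cdot\{83\}=\{c1\}$ and $\{53\}^{-1}=\{ca\}$ serve as known answers.

```c
/* Added example, not MQsoft or NTL code: multiplication and Fermat inversion
 * in F_{2^n} for n <= 64, written once with data-dependent branches and once
 * branch-free with masks, the pattern used to protect field arithmetic
 * against timing attacks.  Fields and operands are assumptions chosen for
 * illustration, not parameters of GeMSS, Gui or DualModeMS. */
#include <stdint.h>
#include <stdio.h>

/* F_{2^n} = F_2[x] / (f), with poly = f(x) - x^n stored in the low n bits. */
typedef struct { int n; uint64_t poly; } gf2n;

static const gf2n GF256  = { 8,  0x1B }; /* AES field, f = x^8 + x^4 + x^3 + x + 1 */
static const gf2n GF2_63 = { 63, 0x03 }; /* f = x^63 + x + 1, an irreducible trinomial */

static uint64_t gf2n_mask(const gf2n *F) { return F->n == 64 ? ~0ull : (1ull << F->n) - 1; }

/* Textbook shift-and-add: the `if` on a bit of b and on the top bit of a give
 * an execution trace, and hence a timing, that depends on the operands. */
static uint64_t gf2n_mul_vartime(const gf2n *F, uint64_t a, uint64_t b) {
    uint64_t r = 0, m = gf2n_mask(F);
    while (b) {
        if (b & 1) r ^= a;                          /* leaks bits of b */
        b >>= 1;
        int top = (int)((a >> (F->n - 1)) & 1);
        a = (a << 1) & m;
        if (top) a ^= F->poly;                      /* leaks bits of a */
    }
    return r;
}

/* r * x mod f without a branch: the reduction polynomial is XORed in under a
 * mask that is all-ones exactly when the dropped top bit was 1. */
static uint64_t gf2n_mulx(const gf2n *F, uint64_t r) {
    uint64_t top = (r >> (F->n - 1)) & 1ull;
    return ((r << 1) & gf2n_mask(F)) ^ (F->poly & (0ull - top));
}

/* Horner-style product: exactly n iterations, each touching the same words
 * whatever a and b are. */
static uint64_t gf2n_mul_ct(const gf2n *F, uint64_t a, uint64_t b) {
    uint64_t r = 0;
    for (int i = F->n - 1; i >= 0; i--) {
        r = gf2n_mulx(F, r);
        r ^= a & (0ull - ((b >> i) & 1ull));
    }
    return r;
}

/* a^(2^n - 2) = a^2 * a^4 * ... * a^(2^(n-1)) is a^-1 for a != 0 (Fermat);
 * the exponent is public, so the square-and-multiply schedule is fixed.
 * Returns 0 for a = 0, which has no inverse. */
static uint64_t gf2n_inv_ct(const gf2n *F, uint64_t a) {
    uint64_t r = 1, s = a;
    for (int i = 1; i < F->n; i++) {
        s = gf2n_mul_ct(F, s, s);
        r = gf2n_mul_ct(F, r, s);
    }
    return r;
}

/* 1 iff both multipliers agree on (a, b) and a * inv(a) == 1 in F. */
static int gf2n_selfcheck(const gf2n *F, uint64_t a, uint64_t b) {
    a &= gf2n_mask(F); b &= gf2n_mask(F);
    if (gf2n_mul_ct(F, a, b) != gf2n_mul_vartime(F, a, b)) return 0;
    if (a == 0) return 1;
    return gf2n_mul_ct(F, a, gf2n_inv_ct(F, a)) == 1;
}

int main(void) {
    printf("{57}*{83} in the AES field = %02llx (FIPS-197 gives c1)\n",
           (unsigned long long)gf2n_mul_ct(&GF256, 0x57, 0x83));
    printf("{53}^-1 in the AES field = %02llx (FIPS-197 gives ca)\n",
           (unsigned long long)gf2n_inv_ct(&GF256, 0x53));
    printf("F_{2^63} self-check: %s\n",
           gf2n_selfcheck(&GF2_63, 0x123456789ABCDEFull, 0x0FEDCBA987654321ull) ? "ok" : "FAIL");
    return 0;
}
```

The two multipliers return identical values; they differ only in whether the sequence of executed instructions depends on the secret operand, which is what a timing or branch-predictor side channel observes. Field elements in the schemes above are wider than one machine word, so a real implementation spreads them across several words (and uses carry-less multiply instructions), but the rule is the same: select with masks, never with branches on secret data, and keep loop bounds public.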