Revisiting algebraic attacks on MinRank and on the rank decoding problem

The Rank Decoding problem (RD) is at the core of rank-based cryptography. Cryptosystems such as ROLLO and RQC, which made it to second round NIST Post-Quantum Standardization Process, well Durandal signature scheme, rely on or its variants. This can also be seen a structured version MinRank, ubiquitous in multivariate Recently, Bardet et al. (in: Canteaut Ishai, Advances cryptology—EUROCRYPT 2020, Springer, Cham, 2020; cryptology—ASIACRYPT international conference theory application cryptology information security, 2020. Proceedings, 2020) proposed attacks based two new algebraic modelings, namely MaxMinors modeling specific RD Support-Minors applies MinRank general. Both improved significantly complexity these problems. In case contrarily what was believed up now, were shown able outperform combinatorial this even for very small field sizes. However, we prove here that analysis performed one consists mixing with solve too optimistic leads underestimate overall complexity. done by exhibiting linear dependencies between equations considering an $${{\mathbb {F}}}_{q^m}$$ modelings turns out instrumental getting better understanding both systems. Moreover, working over rather than {F}}}_{q}$$ , are drastically reduce number variables system (i) still keep enough system, (ii) analyze rigorously our approach. approach may improve older from certain parameters. We introduce hybrid whose impact much more general since any problem. technique improves moderate