Polynomial Equivalence Problem and Pencils: Application to Multivariate Cryptanalysis

In this paper, we study the Polynomial Linear Equivalence (PLE) Problem which is the problem of finding two linear transformations S and T such that B = T ◦ A ◦ S given two vectors of multivariate quadratic polynomials A and B. This problem is interesting since it is related to the problem of recovering the secret key of some multivariate cryptographic schemes given only the public key. Additionnaly, the problem is known to be Graph-Isomorphism hard. We show that pencils of matrices and pencils of quadratic forms are convenient tools to tackle these problems. Pencils have been studied since the 19th century by Weierstrass and Kronecker to solve calculus problems, such as finding extrema of some functions. Here, we efficiently solve classes of PLE instances arising from cryptographic schemes. We also show that in the case of the SFLASH cryptosystem, the vectors lying in the kernel of the bilinear symmetric form associated with a pencil of two public polynomials reveal enough information about the secret elements to recover them in polynomial-time, even when very little public information is available. This allows us to break the full range of parameters for SFLASH.