Preliminary Cryptanalysis of the Biscuit Signature Scheme

. Biscuit is a recent multivariate signature scheme based on the MPC-in-the-Head paradigm. It has been submitted to the NIST competition for additional signature schemes. Signatures are derived from a zero-knowledge proof of knowledge of the solution of a structured polynomial system. This extra structure enables efficient proofs and compact signatures. This short note demonstrates that it also makes these polynomial systems easier to solve than random ones. As a consequence, the original parameters of Biscuit failed to meet the required security levels and had to be upgraded.


Introduction
Biscuit is a multivariate digital signature scheme recently designed by Bettale, Kahrobaei, Perret and Verbel [BKPV23,BKPV24].It has been submitted in July 2023 to the competition organised by NIST in order to standardize additional "post-quantum" signature schemes not based on lattices.
In Biscuit, the public key is a system of quadratic multivariate equations while the secret key is a solution of this system.Biscuit builds upon a multi-party protocol in which N parties each holding a share of a vector x determine if x is a solution of a structured polynomial system.This protocol is converted into a Zero-Knowledge Proof-of-Knowledge (ZKPoK) using the "Multi-Party Computation in the Head" paradigm.Finally, the Fiat-Shamir heuristic turns this interactive proof-of-knowledge protocol into a signature scheme.Producing a new signature is akin to proving knowledge of the solution of the polynomial system in the public key, using fresh randomness extracted from the message to sign.
The security of Biscuit thus relies on the computational hardness of solving the underlying system of multivariate quadratic equations.Indeed, finding a solution of the polynomial system that forms the public key yields an equivalent secret key and enables an attacker to produce valid signatures using the normal signing procedure.In general, solving multivariate quadratic systems over finite fields (the MQ problem) is well-known to be NP-hard [GJ79].The practical computational hardness of the problem is well-established, and documented by a public collection of challenges that enables everyone to monitor the progress, or lack therefof, of available polynomial solving software [YDH + 15].
Several digital signature schemes rely on the hardness of the general MQ problem such as MQDSS [CHR + 16, SCH + 19] or MQOM [BFR23].Another common choice is to rely on the hardness of a special class of systems; this is notably the case in HFE [Pat96], UOV [KPG99], SFLASH [CGP03], ... In this case, the actual underlying computational problem, which is a special case of MQ, could potentially be easier.This has notably been demonstrated in the case of HFE, where an 80-bit public key has been practically broken by a Gröbner basis computation [FJ03].In contrast, solving a random, unstructured system of 80 Boolean quadratic equations is still a formidable challenging and has not been done in practice yet.
Biscuit belongs to the second category of multivariate cryptosystems.To reduce the size of signatures, its designers use polynomials of a special shape.Each (quadratic) public polynomial can be written f + g × h, where f, g and h are affine forms in n variables.The point is that evaluating this on some input vector x requires a single multiplication by a non-constant in the finite field.This is a very strong structure: while a generic quadratic polynomial is described by (n + 1)(n + 2)/2 coefficients, a "Biscuit-style" polynomial is fully described by only 3n + 1 coefficients.
The designers observed that this structure enable better attack algorithms than in the case of the general MQ problem.In the submission document [BKPV23], they propose a simple combinatorial algorithm that solves Biscuit-style polynomial systems in n variables over a finite field with q elements using Õ q 3n/4 operations.This is exponentially better than exhaustive search -it would require Õ (q n ) operations.No such improved combinatorial algorithm is known in the general case, and this is a strong hint that the additional structure makes the problem easier.

Contribution
We first describe a very simple combinatorial algorithm to solve "Biscuit-style" polynomial systems using only exhaustive search and linear algebra.It requires Õ q n/2 operations.We then combine it with the use of the F 5 algorithm [Fau02] to obtain an improved "hybrid method" that combines exhaustive search and Gröbner basis computation.This improved algorithm breaks the three parameter sets initially proposed by the designers of Biscuit, showing that they do not reach the claimed 128, 192 and 256 bits of security.Our new algorithms also improve the efficiency of the forgery attack proposed by Kales and Zaverucha in [KZ20], and we study the consequences on the security of Biscuit.
The designers of Biscuit updated the specification of their scheme following preliminary versions of our findings, and gave improved parameters in [BKPV24], that we find to be secure.
Lastly, we analyze the asymptotic complexity of our algorithm for solving Biscuit-style polynomial systems and discuss additional algebraic properties of these special polynomial systems.

Preliminaries
Let F q denote the finite field with q elements and F q [x 1 , . . ., x n ] denote the ring of multivariate polynomials in n variables.We usually consider a sequence of m polynomials f 1 , . . ., f m in n variables with coefficients in F q .We write vectors in boldface letters, so that x = (x 1 , . . ., x n ) and f = (f 1 , . . ., f m ).We write ⟨a, x⟩ for the dot product of the two vectors a and x.

Succinct Description of Biscuit
We provide a very high-level description of the Biscuit signature scheme and introduce the relevant notations.A first version of Biscuit has been submitted to the NIST competition for additional post-quantum signatures [BKPV23].We refer to it as "Biscuit v1".An improved version appears in [BKPV24] with different parameters and we refer to it as "Biscuit v2".Biscuit has two sets of parameters for each security level: the "short" one produces the shortest possible signatures and the "fast" one yields faster signing and verification.Tables 1 and 2 show the parameters.
The security of Biscuit fundamentally relies on the hardness of solving structured polynomial systems.Given a sequence of constants c i ∈ F q and sequences of vectors u i , v i , w i ∈ F n q , define the sequence of quadratic polynomials f = f 1 , . . ., f m in n variables with coefficients over F q : where + and × denote the usual addition and multiplication in F q .
In the sequel, we refer to polynomials of the shape described by (1) as "Biscuit-style polynomials".Evaluating f i (x) requires a single multiplication by a non-constant in the finite field.In the context of multi-party computation, this is an advantage: multiplying an additively-shared variable by a constant is a local operation (each party multiplies her share by the constant), while multiplying two such variables together is much more complex and requires some communication.
Given f 1 , . . ., f m , the authors of Biscuit refer to the problem of finding a solution to an arbitrary subset of {f 1 , . . ., f m } of size m − u as the "PowAff2 u (f ) problem".The security of Biscuit relies on the assumption that this problem is computationally hard.
It is straightforward that deciding if a system of Biscuit-style polynomials has a solution is NP-hard.Take an arbitrary quadratic polynomial g(x) Introduce n 2 new variables y ij .Then, there exist x such that g(x) = 0 if and only if there exist x, y such that: This is a system of Biscuit-style polynomials.Therefore, deciding if an arbitrary system of quadratic polynomial admits a solution reduces to a (polynomially larger) instance of the same problem on Biscuit-style polynomials.The former problem is NP-hard, and therefore the latter has to be.This reduction yields quadratically larger instances; an anonymous reviewer pointed out that this could be an indication that the problem is easier than the general version.Suppose that a secret vector x ∈ F n q has been additively shared between a set of N parties.Biscuit is designed around an efficient MPC protocol Π that enables the parties to check whether f (x) = 0 (in this case, the parties "accept" x).It is shown in [BKPV24, Proposition 1] that if f (x) ̸ = 0, then the parties accept x with probability q −u if x is the solution of a subset of size exactly m − u of the polynomials.This probability is taken over the randomness used in the protocol: the parties need m common random elements of F q .
This multi-party protocol is transformed into an interactive 5-pass zero-knowledge proof of knowledge protocol for x using the "MPC-in-the-Head" paradigm: 1. [commitment] The prover P performs an additive sharing of the secret x among N fictitious parties and commits the share of each party.

[challenge 1]
The verifier V sends the randomness to use in the MPC protocol (m elements of F q ).

[response 1]
P completes the execution of the MPC protocol for the N parties and commits their views.

[response 2]
P opens the shares and the views of all other parties.
Using x as the secret key, this ZKPoK protocol can be seen as a 5-pass identification scheme by iterating it τ times in order to increase its soundness.Finally, it is turned into a signature scheme using the Fiat-Shamir heuristic.The public key is a collection of Biscuit-style polynomials f 1 , . . ., f m , the secret is a vector x ∈ F n q such that f (x) = 0.The challenges sent by the verifier are instead generated deterministically from the message to sign and the round number.
A slightly simplified description of the signing procedure follows.To produce a signature for a given message: 1. Choose a random seed.Derive from it τ pseudo-random additive sharings of the secret key x among N parties.Hash all the shares of all the N parties for all the τ rounds toghether along with the message m; call h 1 the result.
2. Generate the first challenge of all τ rounds: derive τ m pseudo-random element of F q from h 1 .
3. Run the MPC protocol τ times.Hash together the views of all the N parties in all the τ rounds along with h 1 , the message and the public key; call the result h 2 .
5. The signature is made of h 1 , h 2 and the opened views of all parties except the i k -th in round k.

Gröbner Bases and Semi-Regular Polynomial Systems
Some of the best methods to solve systems of polynomial equations use Gröbner bases.A Gröbner basis of some polynomial ideal I is a set of generators of I that enjoy additional desirable properties.It is beyond the scope of this paper to discuss Gröbner bases; we refer the interested reader to a standard textbook such as [CLO91].
We will just point out that in some cases, solutions of the corresponding polynomial system can be easily read off a Gröbner basis.This is in particular the case when the polynomial system f 1 = • • • = f m = 0 has a single solution in the algebraic closure of the field.In this specific case, any Gröbner basis of the ideal spanned by the f i 's is x 1 − a 1 , . . ., x n − a n , where a is the unique solution of the system.Obtaining any Gröbner basis thus reveals the solution of the system.
The classic method to compute such bases is known as Buchberger's algorithm [Buc65].Nowadays, the most efficient method to compute Gröbner bases is the F 5 algorithm [Fau02].If the degree of regularity of the ideal is D, then this algorithm terminates in less than where w denote the linear algebra constant.In general, finding the degree of regularity D of a given polynomial ideal is difficult.However, when the input polynomials satisfy certain genericity assumptions, then the degree of regularity can be deduced from n and m.These assumptions imply that the Hilbert series of the ideal is a function of m, n and the degrees of the input polynomials, but that it does not depend from the actual values of their coefficients.When all the input polynomials are quadratic, then the "generic" degree of regularity depends only on n and m, and we denote it by d reg (n, m).These genericity assumptions essentially mean that the polynomials are not bound by "unexpected" algebraic relations.They are usually well-verified in practice on unstructured systems, and are therefore standard in all the cryptographic literature.The interested reader is referred to [Bar04,BFS15] for more details.
If m ≤ n and the polynomials form a regular sequence, then the degree of regularity is given by the Macaulay bound: D = 1 + i (deg f i − 1).This implies in particular that if m = n, then the degree of regularity of a sequence of regular quadratic polynomials is When m > n, i.e. when the system is overdetermined, the polynomials cannot form a regular sequence.The concept has been extended to semi-regular sequence in [Bar04,BFS15].The degree of regularity of a semi-regular sequence of polynomials can also be easily determined from m and n.One can write the series expansion of The smallest index j such that a j < 0 is the degree of regularity of the semi-regular sequence f 1 , . . ., f m .This provides an algorithm to compute d reg (n, m) effectively.
It is important to note that if n is fixed, then it is a decreasing function of m: the more overdetermined the system, the easier it is to solve.[Bar04] gives an asymptotic equivalent of the degree of regularity for quadratic polynomials when n → +∞: If a polynomial system forms a semi-regular sequence, the complexity of the F 5 algorithm is:

The Hybrid Method
The "hybrid method" [BFP09, BFP12] is usually the best technique for solving polynomial systems over finite fields.Its principle is simple: 2. "Guess" the value of k variables.
3. Compute a Gröbner basis of the remaining system of m equations n − k variables using the F 5 algorithm.
4. If no solution has been found, return to step 2.
The point is that the sub-systems that are actually solved in step 3 are more overdetermined than the input system, and therefore computing a Gröbner basis is faster.With the optimal choice of k, the complexity of the resulting algorithm is: This is necessarily less than or equal to C F5 (n, m).The asymptotic complexity of this procedure is determined in [BFP12] when n → +∞ with q and α = m/n fixed.Define β = k/n; we have C hyb (n, αn) ∼ 2 Kn with: Given values of q and α, the best choice of β is one that minimizes the value of K.It can easily be found numerically.For example, with α = 1, i.e. n = m and q = 16, we have an asymptotic complexity of 2 2.01n with β = 0.182.When q = 256, we have an asymptotic complexity of 2 2.39n with β = 0.049.

Concrete Hardness of Solving Polynomial Systems
While the global asymptotic complexity of solving systems of semi-regular quadratic polynomials is relatively well-understood, estimating the concrete number of operations that is required to solve a given system is difficult.
Several software tools provide estimates of the number of operations required to execute polynomial system solving algorithms.The MQEstimator [BMSV22] that is notably available in the CryptographicEstimators software library [EVZB23] has been used by the designers of Biscuit to estimate the complexity of attacks that involve solving polynomial systems.
The estimates provided by these tools are crude at best.One of the main obstacles is that the asymptotic expression of the number of operations is only known up to some constant factors.These factors depend on the actual implementation of the algorithm, on the choice of data structures, etc. and also on the hardware.The MQEstimator for instance ignores these constants and assumes that they are very small (all equal to one).This yields meaningful lower-bounds on the hardness of running the corresponding algorithms, and this is usually the conservative approach used by the designers of multivariate cryptographic schemes.Note that sometimes, in addition, potentially significant lower-order terms are ignored asymptotically, as in (3).
The MQEstimator estimates the number of arithmetic operations (call it N ) in F q .It then estimates the total number of bit operations as N log θ 2 q, where θ = 2 by default.The log θ 2 q term approximates the cost of multiplication in the finite field.Considering that these finite fields are usually small, the choice of θ = 2 is reasonable and amounts to schoolbook multiplication.However, this induces an other inaccuracy: not all arithmetic operations are multiplications, and the constant is arbitrarily set to 1.
Another potential issue is the linear algebra constant.The best known value is w = 2.3728596 [AW21] but it is well-known that algorithms that multiply matrices in O (n w ) operations are so impractical that they have never been implemented.The MQEstimator uses w = 2, which is again a safe lower-bound.This can in fact be realistic: when the polynomial system is overdetermined, and therefore likely has a single solution, simpler algorithms can be used to solve it, such as variants of XL [CKPS00].They enjoy the same time bound as F 5 in this case.When these algorithms are implemented using the Block-Wiedemann algorithm [Cop94] to solve linear systems, as in [CCNY12], the linear algebra constant is actually w = 2.
In this paper, we will take the same approach as the designers of Biscuit and take the crude estimates provided by these tools as an order of magnitude of the number of operations required to solve a polynomial system.

The Kales-Zaverucha Forgery Attack Against Signatures Derived From Five-Pass Identification Schemes
Kales and Zaverucha proposed in [KZ20] a forgery attack on signature schemes derived from 5-pass Fiat-Shamir identification schemes, provided that they meet certain mild conditions.This attack can be adapted to Biscuit and it was taken into account in the choice of parameters.We summarize it in this section.The main idea of the attack is that a cheating prover can convince a honest verifier to accept x in the ZKPoK protocol by either guessing the first or the second challenge correctly.Suppose that the adversary knows a vector x that solves a subset of size m − u of the polynomial equations in the public-key.Obtaining such an x gets easier when u increases.This x is accepted by the N parties in the MPC protocol with probability q −u .To run the attack, the adversary chooses an integer partition τ = τ 1 + τ 2 and proceeds as follows: 1. Choose a random seed.Run the signature algorithm until the first response.
2. Set R ← 0 ≤ i < τ the N parties accept x in the i-th iteration of the MPC protocol .
4. Guess the second challenge (i.e. the identity of the single party whose view remains concealed) for all rounds not in R.
5. Produce a forgery by running the protocol normally in all rounds in R and exploiting knowledge of the second challenge in the other rounds.
6.If this is not successful, return to step 4.
The cardinality of R follows a binomial distribution of parameters (τ, q −u ).The probability that |R| ≥ τ 1 is therefore The probability of guessing correctly the τ 2 second challenges is simply 1/N τ2 .It follows that the expected time complexity of this attack is of order To each value of u corresponds an optimal choice of (τ 1 , τ 2 ).The concrete cost of the attack can be estimated by trying all possible 1 ≤ u ≤ m and all 0 ≤ τ 1 ≤ τ .

Simple Combinatorial Algorithms for Biscuit-Style Polynomial Systems
In this section, we present simple algorithms to solve systems of Biscuit-style polynomials, i.e., polynomials of the shape described by equation (1).

Main Idea
The usual hybrid method to solve such polynomial systems consists in "guessing" k variables, which brings a system of m polynomials in n − k variables.Suppose that We observe that if we "guess" the value of ⟨v i , x⟩, which is an element of F q (let us call it a i ), then we end up with two linear equations: From this two linear equations we can eliminate two of the n variables.The resulting system has m − 1 polynomials in n − 2 variables.Losing a polynomial is regrettable, but it is more than compensated for by the elimination of two variables, as the resulting system is even more overdetermined.
A direct application of this idea would be to "guess" a i for 1 ≤ i ≤ n/2.This yields a system of n linear equations, plus m − n/2 extra quadratic equations.Solving the linear system takes time O n 3 ; if it does not have any solution, then the initial guess was wrong.If it has a single solution, then it is sufficient to test this solution against the original polynomial system.Otherwise, the set of its solution is expected to have a small dimension d, so that the remaining quadratic part can be reduced to only d variables and can most likely be solved by linearization.The process has to be repeated until a solution of the original system is found.The expected complexity of this simple algorithm is O n 3 q n/2 .This improves upon a more complex algorithm of complexity Õ q 3n/4 given by the designers of Biscuit in [BKPV23].

Application to Underdetermined Systems
If there are more variables than polynomial equations (n ≤ m), then the same idea can be used even more efficiently.In this case, the expected number of solutions is q n−m and therefore with high probability a solution will remain even if we impose n − m extra linear constraints.
Denote by e = n − m the excess, namely the number of extra variables.To find a solution, set h ← min(e, m) and choose a 1 , . . ., a h at random.Impose that ⟨v i , x⟩ = a i for 1 ≤ i ≤ h.This yields 2h linear equations using (7) and this enable us to eliminate 2h variables.This yields a smaller system of m − h polynomials in n − 2h variables, that has a solution with high probability.Note that as soon as n ≥ 2m, there is nothing more to do since no equation remains.In that case, a random solution of the system can be found in time O n 3 .
If n < 2m, any technique can be used to solve the resulting subsystem, including the one discussed in Section 3.1.This yields an algorithm of expected complexity O n 3 q m−n/2 that produces a random solution of the system.

Application to the "PowAff2 u " Problem
Given a sequence of Biscuit-style polynomial equations f 1 = • • • = f m = 0, we consider the problem of finding a vector that satisfies at least m − u equations.This is relevant in the context of the Kales-Zaverucha attack described in Section 2.5.
If m − u ≤ n, then we are in the domain of underdetermined systems and the technique of Section 3.2 can be applied.It follows from the discussion in the previous section that the problem can be solved in polynomial time as soon as u ≥ m − n/2.Therefore we assume in the sequel that u < m − n/2, and in particular that n < 2m.
In [BKPV23], the designers of Biscuit exploit the following idea.Suppose that x is known to satisfy the first m − ℓ polynomial equations; it heuristically satisfies each of the ℓ remaining equation with probability 1/q.Therefore x can be assumed to solve approximately ℓ/q extra equations out of chance, in addition to the m − ℓ that it is already known to satisfy.
We combine this observation with the algorithm of Section 3.2 to obtain another simple algorithm for the PowAff2 u problem: Otherwise, return to step 2.
Solving the subsystem in step 3 takes time O n 3 .We heuristically assume that x, being a random solution of the first h equations, is sufficiently random to satisfy each of the remaining ones with probability 1/q.The problem thus appears to be very easy if Denote by Y the random variable that gives the number of equations satisfied by x among the m − h last ones.By hypothesis, Y follows a binomial distribution of parameters (m − h, 1/q).The probability of success of each iteration is therefore and the expected number of iterations is 1/ Pr(Y ≥ u).
The special case where m = n and u = αn with α < 1 2 1 − 1 q is both relevant, non-trivial and more amenable to analysis.
First, we note that directly using the technique of the previous section to solve the underdetermined system of (1 − α)n polynomials in n variables formed by f 1 , . . ., f m−u yields an asymptotic time complexity of n 3 q ( 1 2 −α)n .In the technique presented above, the lower-bound on the tail of the binomial distribution given in [Ash90, Lemma 4.7.2]tells us that: where D(a, p) = a ln a p + (1 − a) ln 1 − a 1 − p denotes the Kullback-Leibler divergence between an a-coin and a p-coin.This yields an exponential algorithm of asymptotic complexity and α = 1/3 for instance, this is e 0.1654n = q 0.05964n , and this improves significantly over the direct use of the technique of the previous section that yields q n/6 .

4:
Assemble the resulting subsystem S of m − k polynomials in n − 2k variables 5: Solve S using the F 5 algorithm 6: for each solution x of S do 7: if x satisfies the original equations then

Hybrid Combination With the F 5 Algorithm
In this section, we extend the mostly combinatorial algorithms of Section 3 beyond simple linear algebra by hybridizing them with the F 5 algorithm.Instead of guessing values until a full linear system has been obtained, we will use the F 5 algorithm after a judicious number of guesses.These algorithms take extra parameters (k, ℓ, . . . ) that describe how many values should be "guessed".

Zero-Dimensional Biscuit-Style Polynomial Systems
Assume that f 1 , . . ., f m is a semi-regular sequence of biscuit-style polynomials, with m ≥ n.Therefore they span an ideal of dimension zero.Figure 1 shows our fundamental procedure to solve such systems.It takes an additional parameter k, which is the number of values to "guess".We assume that adding extra linear equations to f 1 , . . ., f m−k still yields a semi-regular sequence, i.e. that S is a semi-regular sequence.An equivalent hypothesis is made in the analysis of the hybrid method in [BFP12] or in [BFSS13] where it is called "strong semi-regularity".Under this assumption, the complexity of using the F 5 algorithm in step 5 can be assumed to be C F 5 (n − 2k, m − k).The complexity of BiscuitZero is therefore The problem is to find the optimal value of k.Given a concrete input system of n variables and m polynomial, finding the best k is not difficult: just try all possible values, estimate the running time of the F 5 algorithm (for instance using the MQEstimator) and pick the best solution.

General Biscuit-Style Polynomial Systems
The BiscuitSolve algorithm, shown in Figure 2, is capable of dealing with underdetermined polynomial systems that do not span ideals of dimension zero.The algorithm is again parametrized by the number k of values to "guess".
The number of iterations of the loop is heuristically expected to be small, for reasons exposed in Section 3.2.If n ≥ m, then its running time is and again, there is an optimal value of k.If n < m, then its running time is the same as that of BiscuitZero.

PowAff2 u Problem
The strategy is the same as in Section 3.3: choose a parameter ℓ ≥ u, sample a random solutions to a random subset of m − ℓ polynomials equations and check them against the  remaining ℓ ones, hoping that some of them will stochastically be satisfied.Repeat the process until at least m − u equations are satisfied in total.
Denote again by Y the random variable that gives number of equations satisfied by x among the ℓ ones that are not known to be deterministically satisfied.The same reasoning as in Section 3.3 shows that the probability of success of each iteration is and the expected number of iterations is 1/ Pr(Y ≥ ℓ − u).The complexity is dominated by the calls to BiscuitSolve, and their cost depends on whether m − ℓ is greater or smaller than n.Let us assume that m − ℓ ≤ n, so that solving the subsystems uses the strategy of Section 3.2.Then the total complexity is Given n, m and u, there are optimal values of ℓ and k that minimize this complexity.

Asymptotic Complexity Analysis of BiscuitZero
We now provide an asymptotic equivalent when n → +∞ of the complexity of BiscuitZero that we will denote C ′ hyb .This will show that BiscuitZero is asymptotically better than applying the classic hybrid method.Our analysis follows the lines of [BFP12].We define α and β such that m = αn, with α ≥ 1, and we guess k = βn variables, with 0 ≤ β ≤ 1 2 .Given the complexity of BiscuitZero given in Section 4.1, we find that with the optimal choice of the number of "guessed values": To estimate asymptotically the cost of running the F 5 algorithm, we first need an asymptotic equivalent of the degree of regularity for the reduced Biscuit system.Applying (3), we have: We define γ = α − 1 2 − (α − β)(α + β − 1) to ease notations.
Theorem 1.The asymptotic complexity of BiscuitZero is Õ 2 Kn , with: Proof.We need an asymptotic equivalent for C F5 given that the degree of regularity is asymptotically γn.With equation ( 4) and Stirling's approximation, namely n! ∼ √ 2πn n e n , we get that: Appling this to equation ( 9) gives: Taking logarithms and ignoring the multiplicative constant gives: Most of the log 2 n terms cancel each other.This expression simplifies to: When n → ∞, the 1 n terms vanish, and we obtain: We have a formula for the asymptotic complexity of our new hybrid approach when q and α are given.We consider that ω = 2.We now claim that finding the value of β that minimizes K(β) is easy.Indeed, we can simply use the golden section method to find a local minimum.This in fact reveals the global minimum of K because of the following.The proof of this technical result is in appendix A. In practice, we used the scipy library [VGO + 20], and more precisely the scipy.optimize.minimize_scalarfunction that uses this method with some optimizations.We provide some examples of complexity in Table 3.These examples match the parameters used in Biscuit.
We can see that the structure of Biscuit systems has a great impact on its asymptotic security, especially when q is small.When q = 16, the number of variables should be increased by about 25% to compensate for the new algorithm.

Discussion
The fact that structured polynomial systems, such as those used in Biscuit, can be solved more efficiently than generic, random systems, does not come as a surprise to anyone familiar with the literature about algebraic cryptanalysis.
There are both (heuristic) theoretical arguments and empirical evidence that suggest that sequence of random Biscuit-style polynomials form regular or semi-regular sequence.Empirical evidence is given in [ACF + 15] and [BKPV23].In particular, under this assumption, their degree of regularity is the same as that of a completely random (semi-regular) polynomial system.As such systems of Biscuit-style polynomials should not be much easier to solve than unstructured ones by directly a Gröbner basis computation.This was one of the main arguments of the designers of Biscuit to use them.
Despite this fact, the algorithms presented in this paper exploit the specific structure of Biscuit-style polynomial systems in a different way, and obtain an exponential speedup compared to the state-of-the-art for fully random systems.
Reasoning about the degree of regularity of a polynomial system, and claiming that it is high, shows that a direct Gröbner basis computation will be hard.But this does not rule out the possibility that different algorithms can be more efficient, as it is the case here.The designers of Biscuit made this observation themselves in [BKPV23] when they presented their Õ q 3n/4 algorithm for Biscuit-style polynomial systems.
What is even more remarkable is the fact that one can solve Biscuit-style polynomial systems more efficiently than by directly computing a Gröbner basis with the F 5 algorithm, while we only apply the F 5 algorithm on semi-regular systems in a black-box way.

Application to the Security of Biscuit
We now use the algorithms of Section 4 to study the security of Biscuit.We rely on estimates provided by the MQEstimator, just like the designers.

Key-Recovery Attack
Solving the Biscuit-style polynomial system exposed by a Biscuit public-key reveals the secret key.These systems are slightly overdetermined, so that using BiscuitZero is Table 4: Key-recovery attacks on Biscuit.v1 denotes the version of Biscuit in [BKPV23] and v2 is in [BKPV24].The "Hybrid method" is the algorithm of [BFP12].Column T shows the log in base 2 of the required number of bit operation, computed using the estimator for the MQ problem available in the CryptographicEstimators software library [EVZB23].Column k shows the number of "guessed" values.Bit complexities have been rounded to the closest integer.sufficient for a direct key-recovery attack on Biscuit.To choose the number of variables to guess (the k parameter of BiscuitZero), we simply did an exhaustive search.

Version
The SageMath program that we used to determine the complexity of our attacks is available as supplementary material.
We see in Table 4 that, as a consequence of the algorithms presented in this article, Biscuit v1 (as in [BKPV23]) loses 36 to 62 bits of security, depending of the version.The initial sets of parameters thus does not provide the expected security level.
As a consequence of preliminary versions of our results, the designers of Biscuit proposed a new set of parameters in [BKPV24].These new parameters are more secure and essentially resist a direct key-recovery attack using BiscuitZero.Increasing the size of the finite field has the effect of diminishing the efficiency of hybrid methods: guessing values gets more costly and the advantage this provides compared to a direct Gröbner basis computation is reduced.
In some cases, our estimates of the cost of our attacks are slightly below the security claims of Biscuit.Recall, however, that these are crude estimates, as discussed in Section 2.4, and we believe that the difference falls within the error margin.

Universal Forgery Attack
We discuss the consequence of the Kales-Zaverucha forgery attack described in Section 2.5 combined with the BiscuitPowAff2 algorithm of Figure 3.The attack has two phases, and depends on four parameters (u, k, ℓ and τ 1 ): Online Given m and x, run the Kales-Zaverucha attack of Section 2.5 with τ = τ 1 + τ 2 .
We estimate the cost of the attack as the maximum of the running times of these two phases.The cost of the offline phase is given by (8) and that of the online phase is given by (6).Only u enables a trade-off between the two phases; choosing the best k and ℓ speeds up the offline phase, while choosing the best τ 1 speeds up the online phase.Given concrete parameters m, n, q, we find the values of all parameters of the attack by trying all Table 5 shows the results.This forgery attack costs almost as much as recovering the secret key.Here are a few comments.When u = ℓ = 0 then the forgery attack degenerates into the key-recovery attack.When ℓ ≈ n/2 and k ≈ 0 (as in the first two rows), then the algorithm of Section 4.1 degenerates into its simpler version of Section 3.3, that does not use the F 5 algorithm.

Other Properties of Biscuit-Style Polynomial Systems
We mention in this section other interesting properties of Biscuit-Style polynomial systems.Both hint at the fact that the structure they contain is so strong that it can potentially be exploited.The two properties we demonstrate below rely on well-chosen linear changes of variables.

Free Gröbner Basis in the Underdetermined Case
If n ≥ 2m (underdetermined system), we observed in Section 3.2 that it is possible to sample random solutions in polynomial time.But in fact, there is more: with high probability, a well-chosen linear change of variables directly yields a Gröbner basis.Indeed, suppose that the 2m vectors v 1 , . . ., v m , w 1 , . . ., w m ∈ F n q are linearly independent (this happens with high probability if they are randomly chosen).Then consider the linear change of variable that sends ⟨v i , x⟩ to a new variable y i as well as ⟨w j , x⟩ to z j .Write y = (y 1 , . . ., y m ) and z = (z 1 , . . ., z m ).This change of variables turns the k-th polynomial of the system into where u ′ k and v ′ k are vectors with coordinates in F q .
Lemma 2. Let G denote the collection of polynomials f ′ 1 , . . ., f ′ m described by (10).G is a Gröbner basis for the lexicographic order (and any graded order).
Proof.In the lexicographic order (or any graded order), the leading monomials of f ′ k is automatically y k z k .It follows that the leading monomials of all polynomials in G only contain distinct variables, and therefore the S-polynomial of any two polynomials f ′ i and f ′ j is simply Let us compute the multivariate division of g := y i z i f ′ j − y j z j by the ordered sequence of polynomials G. g contains monomials of the shape y i y k z i and y i z i z k .These can only be reduced by f ′ i -they are divisible by the leading monomial of f ′ i and not divisible by the leading monomial of any other polynomial in G.It follows that the result of running the division algorithm is: (the remainder is the second summand).The division algorithm is linear [CLO91, exercise 2.3.12], and this implies that the multivariate division of the S-polynomial by G yields: And the remainder is zero.By Buchberger's criterion [CLO91, Thm.2.6.6],G is then a Gröbner basis.

Free Elimination of One Third the Variables
For simplicity, assume that n is a multiple of 3, set ℓ := n/3 and m ≥ n/3.Suppose that the n vectors u 1 , . . .u ℓ , v 1 , . . ., v ℓ , w 1 , . . ., w ℓ are linearly independent.Then consider the change of variable that sends ⟨u i , x⟩ to a new variable r i , ⟨v i , x⟩ to s i as well as ⟨w i , x⟩ to t i .Write r = (r 1 , . . ., r ℓ ), s = (s 1 , . . ., s ℓ ) and t = (t 1 , . . ., t ℓ ).This change of variables turns the first ℓ polynomials of the system into In a solution of the polynomial system, we therefore have r k = −s k t k − c k for 1 ≤ k ≤ ℓ.Therefore, in the remaining m−ℓ polynomials, we replace all occurences of r k by −s k t k −c k .This eliminates n/3 variables and yields a new polynomial system with m−n/3 polynomials of degree up to 4 in 2n/3 variables (the s i 's and the t i 's).Call S the resulting system.Note that no known technique is capable of obtaining this result starting from an arbitrary system of quadratic polynomials in polynomial time.
Unfortunately, we could not find any way to solve S faster than the original problem.Naively trying to attack S directly does not yield any improvement.It can be solved in q 2n/3 operations by exhaustive search, but this is worse than the simple technique discussed in Section 3.2.It is also not easier to solve than the original system using algebraic techniques, as the increase in degree offsets the reduction in the number of variables.
S is nevertheless quite structured.Consider the following kind of polynomials: We say that ρ k is a polynomial in "shortbread form".This is quite reminiscent of the canonical form of quadratic polynomials over fields of characteristic two.Note that this is different from the "Biscuit form" of (1) -the shortbread structure is even stronger.Polynomials in S can be written as f k = u k +v k ×w k where u k , v k and w k are in shortbread form (the s i t i terms come from the replacement of r i by s i t i ).
Our attemps at exploiting this structure also proved unsuccessful.Guessing all the s i 's turns S back into a collection of Biscuit-style polynomials in n/3 variables -but we could have obtained the exact same result by applying the technique of Section 3.
Consider the following variant.Guess n/3 scalars α k such that v k − α k = 0.This yields 2n/3 polynomial equations in shortbread form in 2n/3 variables (s 1 , . . ., s n/3 , t 1 , . . ., t n/3 ).Because of the shortbread structure, only n/3 distinct quadratic monomials occur in these 2n/3 polynomials.Performing linear combinations of the polynomials to eliminate the quadratic terms yield n/3 linear equations -for instance this allows to express the s i as linear functions of the t i .But this again yields a collection of n/3 Biscuit-style polynomials in n/3 variables.

Conclusion and Future Work
We proposed an improved hybrid approach for solving Biscuit-style polynomial system.As a direct application, we have shown that the first set of parameters proposed by the Biscuit design team signature scheme does not offer the security level expected by NIST.The designers of Biscuit updated the specification of their scheme following preliminary versions of our findings.Biscuit is still a competitive signature scheme, but parameters had to be enlarged and the new version is slightly less efficient.
Biscuit-style polynomial systems are similar to the those one obtain by applying the Arora-Ge algebraic attack [AG11] to LWE with binary error.One possible future work could be to design a specific hybrid method to run algebraic attacks on LWE with binary error, with the aim of improving the results presented in [ACF + 15].

A Proof of lemma 1
Recall that: K is well-defined on [0, 1 2 ), and it can be extended to a continuous function on the closed interval [0; 1 2 ] because lim β→ 1 2 K = 1 2 log 2 q.We also denote by K the extended function.
Our goal is to show that K ′′ (β) ≥ 0 when 0 ≤ β ≤ 1 2 , for any fixed α ≥ 1.We first compute the first derivative of K and do some manipulations to obtain: so that ∂K ∂β = log 2 (q) + w log 2 (u − 2v).K will be shown to be convex if ∂ ∂β (u − 2v) ≥ 0, and this already takes w and q out of the picture.The problem boils down to the computation of the derivatives of u and v.We find: We rearrange the terms as: We claim that p ≥ q ≥ n, and this implies that K is convex.The fact that p ≥ q is a standard logarithmic inequality (x/(1 + x) ≤ log x) that enables us to get rid of the logarithm.A sequence of elementary manipulations allows us to simplify the expression of n: Therefore, q ≥ n is equivalent to The initial problem is thus reduced to an inequality without logarithms.Before advancing any further, we try to simplify it.It is easy to prove that, for any α ≥ 1, And since γ is a convex function, 1 − 2β ≥ 0 and γ ≥ 0, (13) is therefore equivalent to: At this stage, we compute the derivatives of γ: And plug them in to obtain (after a few simplifications): We flush all denominators: At this stage, our plan is to prove that (15) holds for any α ≥ 1 and all 0 ≤ β ≤ 1 2 using off-the-shelf mechanized tools available inside a computer algebra system.To this end, we observe that our goal can be attained by showing that the following system has no real solutions: we get rid of the square root by introducing two new variables x and y such that x 4 = (α − β)(α + β − 1) and we have α − 1 2 − γ = x as well as √ γ = y.Equipped with these, ( 16) is equivalent to: At this stage, we have obtained a semi-algebraic system, i.e., a set of equations, inequations and inequalities given by polynomials.These can be processed automatically (see [CDL + 11] and the references therein).In our case, the RealTriangularize function of the Maple computer algebra system determined that (17) has no real solutions in a matter of seconds.
It follows that K ′′ ≥ 0, and K is convex.

Figure 1 :
Figure 1: Hybrid algorithm for Biscuit-style polynomial systems with m ≥ n.

Figure 2 :
Figure 2: Hybrid algorithm for arbitrary Biscuit-style polynomial systems.

Table 3 :
Comparison of the asymptotic of the "classic" hybrid method with BiscuitZero on Biscuit-style polynomial system with m = n

Table 5 :
[BMSV22]attacks on Biscuit.v1denotes the version of Biscuit in[BKPV23]and v2 is in[BKPV24].The "sec."columnshows the level of bit-security claimed in[BKPV23]and[BKPV24].Column T shows the log in base 2 of the required number of bit operation, as provided by the MQEstimator software[BMSV22].Bit complexities have been rounded to the closest integer.for each value of u, we find the best possible (k, ℓ) on the one hand, and the best possible τ 1 on the other hand.