1 Introduction

Solving systems of algebraic equations has always been of high interest in algorithmic algebra. Indeed, many algebraic problems have their solution sets contained in those of systems of algebraic equations. A tangible example is the rank decoding problem [25], which has attracted a lot of attention this last decade in view of its application in cryptography. This problem is generally defined over finite fields and therefore leads to the problem of solving systems of algebraic equations over finite fields when modeled appropriately. But it should be remembered that this latter problem has been studied for a long time and has a wide variety of algorithms that can be used to solve it and to estimate the solving complexities [14, 17, 20, 21, 26].

Most recently, the rank decoding problem has been extended to finite principal ideal rings in [29] where the authors, after having justified the interest of studying this problem over finite rings, show that it is at least as hard as the rank decoding problem over finite fields, and also provide a combinatorial type algorithm for solving this new problem. The translation of the rank decoding problem over finite rings as a system of algebraic equations naturally induces the problem of solving systems of algebraic equations over finite rings.

Contrary to the problem of solving systems of algebraic equations over finite fields, the previous problem over finite rings has not experienced much development. The most advanced and recent work is the paper of Mikhailov and Nechaev [40], who proposed two approaches for solving systems of polynomial equations over finite chain rings. One of these approaches uses canonical generating systems, which are not Gröbner bases in general. An algebraic modeling of the rank decoding problem over finite chain rings that we will use is a system of algebraic equations with some parameters, and we just need a partial solution. Note that Gröbner bases over fields are generally used to solve these kinds of systems. A natural question is therefore to know whether Gröbner bases can be used to solve systems of algebraic equations over finite chain rings in general, as in the case of finite fields.

Independently, Gröbner bases over finite chain rings have been much studied and implemented in some mathematical software systems like Magma [9], SageMath [51], etc. Indeed, similar to Buchberger’s algorithm over fields [11], Norton and Salagean [45] gave an algorithm for computing Gröbner bases over finite chain rings. This algorithm has been improved in [28] by adding the product criterion and the chain criterion. In the Magma handbook [9], it was specified that the \(F_{4}\) algorithm [20] was extended over Euclidean rings, taking into account the elimination criteria given in [41]. Moreover, the elimination theorem, which is the main property used to solve systems of algebraic equations, can be extended over finite chain rings. However, the elimination theorem does not hold in general on other types of finite rings. But we must not forget that low-rank parity-check codes, which are potential linear codes for rank-based cryptography, have been extended to finite commutative rings [30, 32, 49]. Thus, it also becomes necessary to tackle the resolution of systems of algebraic equations over finite commutative rings.

According to the structure theorem for finite commutative rings [39], every finite commutative ring is isomorphic to a product of finite commutative local rings. Thus, solving systems of algebraic equations over finite commutative rings is reduced to finite local rings. In [13], Bulyovszky and Horváth gave a good method for solving systems of linear equations over finite local rings. Indeed, they transformed systems of linear equations from local rings to Galois rings and used the Hermite normal form to solve it. In this work we show that this transformation can be applied to systems of algebraic equations, and we then use Gröbner bases to solve the resulting equation since Galois rings are specific cases of finite chain rings.

Before one can use Gröbner bases over finite chain rings to solve the rank decoding problem, it is first necessary to give an algebraic modeling. As specified in [29], some properties of the rank for matrices over fields do not extend to matrices over rings in general due to zero divisors. Therefore, the algebraic modeling of the rank decoding problem given in [5] using the MaxMinors cannot be directly applied to rings. However, in [25] other algebraic modeling using linearized polynomials has been given and some main properties of linearized polynomials have been extended in [31] over finite principal ideal rings. We will use these results to prove that the algebraic modeling done in [25] using linearized polynomials can be generalized over finite principal ideal rings. Furthermore, as the rank decoding problem reduces to the MinRank problem [23], we also study possible algebraic modelings of the MinRank problem over finite rings.

The MinRank problem has several algebraic modelings over fields, for example the MaxMinors modeling [22], the Kipnis–Shamir modeling [34], or the Support-Minors modeling [5]. Over finite chain rings, the rank of a matrix is not generally equal to the order of the highest order non-vanishing minor. Thus, the MaxMinors modeling cannot directly extend over rings. However, we will use the rank decomposition and the Plücker coordinates to show that the Kipnis–Shamir modeling and the Support-Minors modeling can be extended to finite principal ideal rings.

The rest of the paper is organized as follows. In Sect. 2, we give some preliminary notions on Gröbner bases over finite chain rings, followed by the use of Gröbner bases for solving systems of algebraic equations over finite chain rings in Sect. 3. In Sect. 4 we show how to solve systems of algebraic equations over finite commutative local rings by decomposing them as a direct sum of cyclic modules over Galois rings. Section 5 uses the fact that the row span of a matrix is contained in a free module of the same rank to prove that the Kipnis–Shamir Modeling and the Support Minors Modeling of the MinRank problem can be extended to finite principal ideal rings. In Sect. 6, skew polynomials are used to give an algebraic modeling of the rank decoding problem over finite principal ideal rings, and to finish, we conclude the paper and give some perspectives in Sect. 7.

2 Preliminaries

2.1 Finite chain rings

A chain ring is a ring whose ideals are linearly ordered by inclusion, and a local ring is a ring with exactly one maximal ideal. By [39], a finite ring is a chain ring if and only if it is a local principal ideal ring, that is to say a finite ring admitting exactly one maximal ideal and every ideal being generated by one element. A basic example of finite chain rings is the ring \(\mathbb {Z}_{p^{k}}=\mathbb {Z}/p^{k}\mathbb {Z}\) of integers modulo a power of a prime number p. Its maximal ideal is \(p\mathbb {Z}_{p^{k}}\). Other examples of finite chain rings that we will use to give a representation of finite commutative local rings in Sect. 4 are Galois rings. A Galois ring of characteristic \(p^{k}\) and rank r, denoted by \(GR\left( p^{k},r\right) \), is the ring \(\mathbb {Z}_{p^{k}}[ X] /\left( f\right) \), where f \(\in \) \(\mathbb {Z}_{p^{k}}[ X] \) is a monic polynomial of degree r, irreducible modulo p, and \(\left( f \right) \) being the ideal of \(\mathbb {Z}_{p^{k}}[X] \) generated by f. Thus, \(GR\left( p^{k},r\right) \) is a degree r Galois extension of \(\mathbb {Z}_{p^{k}}\) and is a finite chain ring with maximal ideal generated by p and residue field \( \mathbb {F}_{p^{r}}=GR\left( p^{k},r\right) /pGR\left( p^{k},r\right) \) [39].

In this section, we assume that R is a finite commutative chain ring with maximal ideal \(\mathfrak {m}\) and residue field \(\mathbb {F}_{q}=R/\mathfrak {m} \). We denote by \(\pi \) a generator of \(\mathfrak {m}\), and \(\nu \) the nilpotency index of \(\pi \), i.e., the smallest positive integer such that \( \pi ^{\nu }=0\). An important property of finite chain rings is the structure of their ideals. Every ideal of R is of the form \(\pi ^{i}R\), for \(i=0,\ldots ,\nu \). A direct consequence is the following decomposition of any element from R. Let \(a,b\in R\). We say that a is congruent to b modulo \(\pi \) and denote it by \(a\equiv b\left( mod\ \pi \right) \), if there exists c in R such that \(a=b+c\pi \). This relation is equivalent to \(\varphi \left( a\right) =\varphi \left( b\right) \) where \(\varphi :\) \(R\longrightarrow R/\mathfrak {m}\) is the canonical projection. Let \(\Gamma \) be a complete set of representatives of the equivalence classes of R under the congruence modulo \(\pi \). As in [40], we have for example \(\Gamma =\left\{ a\in R:a^{q}=a\right\} \).

Proposition 1

Let c in R, then c has a unique representation in the form

$$\begin{aligned} c=\sum _{j=0}^{\nu -1}c_{j}\pi ^{j} \end{aligned}$$
(1)

where \(c_{j}\in \) \(\Gamma \), for \(j=0,\ldots ,\nu -1\).

The representation of c given by Eq. (1) is called the \( \pi -\)adic decomposition of c. Let \(j\in \{0,\ldots ,\nu -1\}\), and the map \( \gamma _{j}:R\longrightarrow \Gamma \) given by \(c\longmapsto c_{j}\), that is to say \(\gamma _{j}(c):=c_{j}\) and \(c=\sum _{j=0}^{\nu -1}\gamma _{j}(c)\pi ^{j}\). For l in \(\{1,\ldots ,\nu -1\}\) we set \( c^{[l]}=\sum _{j=0}^{l-1}\gamma _{j}(c)\pi ^{j}\). The \(\pi -\)adic decomposition will be used in Sect. 3 to solve algebraic equations. Note that this decomposition depends on the choice of \(\pi \).

Example 1

The ring \(\mathbb {Z}_{8}\) is a finite chain ring where the maximal ideal is generated by 2, with nilpotency index 3. The residue field of \(\mathbb {Z}_{8}\) is \(\mathbb {F}_{2}=\mathbb {Z}_{8}/2\mathbb {Z}_{8}\) and a complete set of representatives of the equivalence classes of \(\mathbb {Z}_{8}\) under the congruence modulo 2 is \(\Gamma =\left\{ 0,1\right\} \). The \(2-\)adic decomposition of 6 is \(6=0\times 2^{0}+1\times 2^{1}+1\times 2^{2} \). The maximal ideal is also generated by 6 and the \(6-\)adic decomposition of 6 is \(6=0\times 6^{0}+1\times 6^{1}+0\times 6^{2}\).

2.2 Gröbner bases

The ring of polynomials with k indeterminates \(x_{1},\ldots ,x_{k}\) and coefficients in R is denoted \(R\left[ x_{1},\ldots ,x_{k}\right] \). A monomial is an element of \(R\left[ x_{1},\ldots ,x_{k}\right] \) of the form \( x^{\alpha }:=x_{1}^{d_{1}}\cdots x_{k}^{d_{k}}\) where the \(d_{i}\)’s are non-negative integers and \(\alpha =\left( d_{1},\ldots , d_{k}\right) \). If “>” is an admissible order on the set of monomials, then any element f in \(R \left[ x_{1},\ldots ,x_{k}\right] \backslash \left\{ 0\right\} \) can be written uniquely as \(f=\sum _{i=1}^{s}c_{i}x^{\alpha _{i}}\) where each \(x^{\alpha _{i}}\) is a monomial, \(c_{i}\in R\), and \(x^{\alpha _{1}}>\cdots >x^{\alpha _{s}}\). The leading term of f is defined by \(lt\left( f\right) :=c_{1}x^{\alpha _{1}}\). For \( W\subset R\left[ x_{1},\ldots ,x_{k}\right] \), we denote by \(lt\left( W\right) \) the ideal generated by \(\left\{ lt\left( w\right) \ |\ w\in W\right\} \). According to [46, Definition 3.8], we have the following definition.

Definition 1

Let I be an ideal in \(R\left[ x_{1},\ldots ,x_{k}\right] \) and G a subset of I.

  (a) G is called a Gröbner basis for I if \(lt(G)=lt(I)\).

  (b) G is called a strong Gröbner basis for I if for all \(f\in I\) there exists \(g\in G\) such that \(\ lt(g)\) divides \(lt\left( f\right) \), that is to say \(lt\left( f\right) =cx^{\alpha }lt(g)\) where \(c\in R\) and \(x^{\alpha }\) is a monomial.

In [46, Proposition 3.9] a connection between Gröbner bases and strong Gröbner bases was given over finite chain rings.

Proposition 2

A subset of \(R\left[ x_{1},\ldots ,x_{k} \right] \) is a Gröbner basis if and only if it is a strong Gröbner basis.

Similar to Buchberger’s algorithm over fields, Norton and Salagean gave an algorithm in [45, Algorithm 3.9] to compute Gröbner bases over finite chain rings. This algorithm has been improved in [28] by adding the product criterion and the chain criterion. An algorithm for computing Gröbner bases on certain classes of finite rings has been implemented in Magma [9] and SageMath [51].

Example 2

A Gröbner basis for the ideal generated by \(\{4x^{2}y+y^{3}+2y+4,4xy^{2}\}\) in \( \mathbb {Z}_{8}[x,y]\) with lexicographic order \(x>y\) can be computed using SageMath, and we get \(\{4x^{2}y+y^{3}+2y+4,4xy^{2},y^{4}+2y^{2}+4y,2y^{3}+4y\}\).

3 Solving systems of algebraic equations over finite chain rings

In this section, we assume as in Sect. 2 that R is a finite commutative chain ring with maximal ideal \(\mathfrak {m}\) generated by \(\pi \), residue field \(\mathbb {F}_{q}=R/\mathfrak {m}\), and that \(\nu \) is the nilpotency index of \(\pi \). In order to solve systems of polynomial equations, Mikhailov and Nechaev [40] used the lifting approach, which consists of using solutions in the residue field \(R/\mathfrak {m}\) to construct solutions in the ring R. However, in some cases this approach is not appropriate in practice, specifically for parametric systems. As an illustration, consider the following system over \( \mathbb {Z} _{8}\):

$$\begin{aligned} \left\{ \begin{array}{c} 4x^{2}y+y^{3}+2y+4=0 \\ 4xy^{2}=0 \end{array} \right. \end{aligned}$$
(2)

This system has 16 solutions. So when we use the lifting approach to solve it, we have to compute each solution step by step, and this is computationally tedious. We will see in this section that one can easily obtain all these solutions using Gröbner bases (see Example 3). The following proposition from [54, Theorem 244], called the elimination theorem, is a direct consequence of Proposition 2.

Proposition 3

Let G be a Gröbner basis for an ideal I in \(R\left[ x_{1},\ldots ,x_{k}\right] \) with the lexicographic order \( x_{1}>\cdots >x_{k}\). Then, for all i in \(\left\{ 1,\ldots ,k\right\} \), \( G\cap R\left[ x_{i},\ldots ,x_{k}\right] \) is a Gröbner basis of \(I\cap R \left[ x_{i},\ldots ,x_{k}\right] \).

The elimination theorem makes it possible to iteratively solve algebraic systems by eliminating variables. Indeed, consider a system of polynomial equations of the form

$$\begin{aligned} f_{i}\left( x_{1},\ldots ,x_{k}\right) =0,\ \ i=1,\ldots ,d. \end{aligned}$$
(3)

where \(f_{i}\left( x_{1},\ldots ,x_{k}\right) \in R\left[ x_{1},\ldots x_{k} \right] \). By Proposition 3, if we compute a Gröbner basis G of the ideal \( I=\left( f_{1},\ldots ,f_{d}\right) \) associated to (3) with the lexicographic order \(x_{1}>\cdots >x_{k}\), then G will be of the form \(G=G_{1}\cup G_{2}\cup \cdots \cup G_{k}\), where \(G_{1}=\left\{ g_{1,1}\left( x_{k}\right) ,\ldots ,g_{1,j_{1}}\left( x_{k}\right) \right\} \), \(G_{2}=\left\{ g_{2,1}\left( x_{k-1},x_{k}\right) ,\ldots ,g_{2,j_{2}}\left( x_{k-1},x_{k}\right) \right\} \), \(\ldots ,\) \(G_{k}=\left\{ g_{k,1}\left( x_{1},\ldots ,x_{k}\right) ,\ldots ,g_{k,j_{k}}\left( x_{1},\ldots ,x_{k}\right) \right\} \). So, (3) is equivalent to:

$$\begin{aligned} \left\{ \begin{array}{c} g_{1,1}\left( x_{k}\right) =\cdots =g_{1,j_{1}}\left( x_{k}\right) =0 \\ g_{2,1}\left( x_{k-1},x_{k}\right) =\cdots =g_{2,j_{2}}\left( x_{k-1},x_{k}\right) =0 \\ \vdots \\ g_{k,1}\left( x_{1},\ldots ,x_{k}\right) =\cdots =g_{k,j_{k}}\left( x_{1},\ldots ,x_{k}\right) =0 \end{array} \right. \end{aligned}$$
(4)

If for all i in \(\{1,\ldots ,k\}\) there exists an element in the Gröbner basis G whose leading monomial is a pure power of \(x_i\), then each \(G_{i}\) is non-empty and solving (4) is reduced to successively solving systems of univariate polynomial equations. Recall that this process is similar to the case of fields for zero-dimensional algebraic systems [12, 36]. Note in our case that one can always add some univariate polynomial equations to the system using the following remark.

Remark 1

In [42, Theorem 5.14], the monic polynomial \(F_{m}\) of smallest degree satisfying \(F_{m}\left( x\right) =0\) for all x in R is defined. Thus, as in the case of finite fields, to simplify the resolution of (3), one can add the equations \( F_{m}\left( x_{1}\right) =\cdots =F_{m}\left( x_{k}\right) =0\). For illustration, see Example 4.

We will now show how to use Gröbner bases over finite chain rings to solve systems of univariate polynomial equations. Recall that a Gröbner basis G is called minimal if no proper subset of G is a Gröbner basis for the ideal generated by G. In [45, Theorem 4.2], a characterization of minimal Gröbner bases in one variable over finite chain rings has been given.

Proposition 4

Let \(G\subset R[x]\backslash \left\{ 0\right\} \). Then G is a minimal Gröbner basis if and only if \(G=\left\{ u_{0}\pi ^{a_{0}}g_{0},\ldots ,u_{s}\pi ^{a_{s}}g_{s}\right\} \) for some \(0\le s\le \nu -1\), \(u_{i}\in R\) and \(g_{i}\in R[x]\) for \(i=0,\ldots ,s\) and such that:

  (i) \(0\le a_{0}<a_{1}<\cdots <a_{s}\le \nu -1\) and for \(i=0,\ldots ,s\), \(u_{i}\) is a unit;

  (ii) for \(i=0,\ldots ,s\), \(g_{i}\) is monic;

  (iii) \(\deg \left( g_{i}\right) >\deg \left( g_{i+1}\right) \) for any \(i \in \{0,\ldots ,s-1\}\);

  (iv) for \(i=0,\ldots ,s-1\), \(\pi ^{a_{i+1}}g_{i}\) is in the ideal generated by \(\left\{ \pi ^{a_{i+1}}g_{i+1},\ldots ,\pi ^{a_{s}}g_{s}\right\} \).

As specified in [40], a minimal Gröbner basis in one variable over finite chain rings is a canonical generating system. Therefore, according to Proposition 4, we can use [40, Algorithm 2] to solve systems of univariate polynomial equations over finite chain rings using Gröbner bases. Specifically, consider a system of univariate polynomial equations of the form

$$\begin{aligned} f_{i}\left( x\right) =0,\ \ \ \ \ i=1,\ldots ,r \end{aligned}$$
(5)

where \(f_{i}\left( x\right) \in R\left[ x\right] \). Assume that a minimal Gröbner basis of the ideal generated by \(\left\{ f_{1}\left( x\right) ,\ldots ,f_{r}\left( x\right) \right\} \) is \(G=\left\{ u_{0}\pi ^{a_{0}}g_{0},\ldots ,u_{s}\pi ^{a_{s}}g_{s}\right\} \) as in Proposition 4. As specified in [40, page 64] we can assume that \(a_{0}=0\). Set \(h_{j}=g_{i}\), for \(0\le i\le s\) and \( a_{i}\le j<\) \(a_{i+1}\), where \(a_{s+1}=\nu \). Then, Eq. (5) is equivalent to the following system of polynomial equations:

$$\begin{aligned} \pi ^{j}h_{j}\left( x\right) =0,\ \ \ \ \ j=0,\ldots ,\nu -1. \end{aligned}$$
(6)

As in [40, Theorem 8] and [40, Equation (54)], we will use the derivative \(Dh_{j}\left( x\right) \) of \(h_{j}\left( x\right) \) to solve Eq. (6). As specified in Proposition 1, every element c in R has a unique \(\pi -\)adic decomposition \(c=\sum _{j=0}^{\nu -1}\pi ^{j}\gamma _{j}\left( c\right) \) where \(\gamma _{j}\left( c\right) \in \Gamma \).

Proposition 5

An element c in R is a solution of (6) if and only if \(\gamma _{0}\left( c\right) \) is a solution in \(\Gamma \) of the polynomial equation

$$\begin{aligned} h_{\nu -1}\left( x\right) \equiv 0\ \left( mod\ \pi \right) , \end{aligned}$$

and for \(j\in \left\{ 1,\ldots ,\nu -1\right\} \), \(\gamma _{j}\left( c\right) \) is a solution in \(\Gamma \) of the linear equation:

$$\begin{aligned} Dh_{\nu -j-1}\left( \gamma _{0}\left( c\right) \right) x\equiv -\gamma _{j}\left( h_{\nu -j-1}\left( c^{[j]}\right) \right) \ \ \left( mod\ \pi \right) . \end{aligned}$$

According to Propositions 3 and 5, to solve a system of multivariate polynomial equations over finite chain rings, we can compute a Gröbner basis of the associated system with the lexicographic order and find the solutions by successively solving the resulting systems of univariate polynomial equations. We will see in Sects. 5 and 6 that this approach is appropriate for some systems of algebraic equations when we just need a partial solution.

Example 3

Let us solve System (2) over \(\mathbb {Z}_{8}\) using Gröbner bases. According to Example 2, a Gröbner basis with the lexicographic order \(x>y\) of the ideal I generated by \(\left\{ 4x^{2}y+y^{3}+2y+4,4xy^{2}\right\} \) is \(G=\left\{ g_{1,1},g_{1,2},g_{2,1},g_{2,2}\right\} \) where \(g_{1,1}\left( y\right) =y^{4}+2y^{2}+4y\), \(g_{1,2}\left( y\right) =2y^{3}+4y\), \(g_{2,1}\left( x,y\right) =4x^{2}y+y^{3}+2y+4\), \(g_{2,2}\left( x,y\right) =4xy^{2}\). By Proposition 3, a Gröbner basis of \(I\cap R\left[ y \right] \) is \(G_{1}=G\cap R\left[ y\right] =\left\{ g_{1,1}\left( y\right) ,g_{1,2}\left( y\right) \right\} \). So, we can use \(G_{1}\) to find the partial solution y of (2). The system

$$\begin{aligned} g_{1,1}\left( y\right) =g_{1,2}\left( y\right) =0 \end{aligned}$$

is equivalent to

$$\begin{aligned} h_{1,1}\left( y\right) =2h_{1,2}\left( y\right) =4h_{1,3}\left( y\right) =0 \end{aligned}$$
(7)

where \(h_{1,1}\left( y\right) =g_{1,1}\left( y\right) \) and \(h_{1,2}\left( y\right) =h_{1,3}\left( y\right) =y^{3}+2y\). Let c be a solution of (7). We have \(c=\gamma _{0}\left( c\right) +2\gamma _{1}\left( c\right) +4\gamma _{2}\left( c\right) \) where \(\gamma _{j}\left( c\right) \in \Gamma =\left\{ 0,1\right\} \) for \(j\in \left\{ 0,1,2\right\} \). By Proposition 5, \(\gamma _{0}\left( c\right) \) is a solution in \(\Gamma \) of the equation \(h_{1,3}\left( c\right) \equiv 0\ \left( mod\ 2\right) \). So, \(\gamma _{0}\left( c\right) =0\). By Proposition 5, \(\gamma _{1}\left( c\right) \) is a solution in \(\Gamma \) of the equation \(Dh_{1,2}\left( \gamma _{0}\left( c\right) \right) y\equiv -\gamma _{1}\left( h_{1,2}\left( c^{[1]}\right) \right) \ \left( mod\ 2\right) \). We have \(c^{[1]}=\gamma _{0}\left( c\right) =0\), \(h_{1,2}\left( c^{[1]}\right) =0\), \(\gamma _{1}\left( h_{1,2}\left( c^{[1]}\right) \right) =0\), \(Dh_{1,2}\left( y\right) =3y^{2}+2\), and \(Dh_{1,2}\left( \gamma _{0}\left( c\right) \right) =2\). Therefore, \( \gamma _{1}\left( c\right) \) is a solution of \(2y\equiv 0\ \left( mod\ 2\right) \). So, \(\gamma _{1}\left( c\right) \in \left\{ 0,1\right\} \). Using the same reasoning, for \(\gamma _{1}\left( c\right) =0\) or \(\gamma _{1}\left( c\right) =1\), we compute \(\gamma _{2}\left( c\right) \in \left\{ 0,1\right\} \). Therefore, \(c\in \left\{ 0,2,4,6\right\} \). Thus, the partial solution y of (2) is in \(\left\{ 0,2,4,6\right\} \). To find the partial solution x corresponding for example to \(y=0\), we must first compute a Gröbner basis of \(\left\{ g_{2,1}\left( x,0\right) ,g_{2,2}\left( x,0\right) \right\} \). But for all x in \(\mathbb {Z}_{8}\), \(g_{2,1}\left( x,0\right) =4\ne 0\), \(g_{2,1}\left( x,4\right) =4\ne 0\), \(g_{2,1}\left( x,2\right) =g_{2,2}\left( x,2\right) =0\), and \( g_{2,1}\left( x,6\right) =g_{2,2}\left( x,6\right) =0\). 
Thus, y is in \( \left\{ 2,6\right\} \) and the solution set of (2) is \(\left\{ \left( t,2\right) ,\left( t,6\right) ,t\in \mathbb {Z}_{8}\right\} \).
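The digit-by-digit lifting of Proposition 5, run on system (7) and then on System (2), as an added example that is not part of the original paper. It assumes \(R=\mathbb {Z}_{8}\), \(\pi =2\) and \(\Gamma =\{0,1\}\), so that \(\gamma _{j}\) is the j-th binary digit; the function names and the dictionary encoding of polynomials are hypothetical.

```python
from itertools import product

P, NU = 2, 3              # pi = 2 generates the maximal ideal of Z_8, nu = 3
MOD = P ** NU
GAMMA = range(P)          # Gamma = {0, 1}

# Polynomials are {degree: coefficient}. H[j] is h_j in system (6);
# for system (7): h_0 = y^4 + 2y^2 + 4y and h_1 = h_2 = y^3 + 2y.
H = [{4: 1, 2: 2, 1: 4}, {3: 1, 1: 2}, {3: 1, 1: 2}]


def ev(poly, x, mod=MOD):
    """Evaluate a polynomial at x, reducing modulo `mod`."""
    return sum(c * pow(x, d, mod) for d, c in poly.items()) % mod


def deriv(poly):
    """Formal derivative Dh."""
    return {d - 1: d * c for d, c in poly.items() if d > 0}


def digit(c, j):
    """gamma_j(c): the j-th digit of the 2-adic decomposition of c."""
    return (c // P ** j) % P


def solve_by_lifting(h):
    """Solve pi^j * h_j(x) = 0 (j = 0..nu-1) one digit at a time."""
    # gamma_0(c) is a root in Gamma of h_{nu-1} modulo pi.
    partial = [g for g in GAMMA if ev(h[NU - 1], g, P) == 0]
    for j in range(1, NU):
        hj = h[NU - j - 1]
        dh = deriv(hj)
        lifted = []
        for c in partial:                      # c plays the role of c^{[j]}
            a = ev(dh, digit(c, 0), P)         # Dh(gamma_0(c)) mod pi
            b = (-digit(ev(hj, c), j)) % P     # -gamma_j(h(c^{[j]})) mod pi
            # gamma_j(c) is any x in Gamma with a*x = b (mod pi).
            lifted += [c + x * P ** j for x in GAMMA if (a * x - b) % P == 0]
        partial = lifted
    return sorted(partial)


def brute_force(h):
    """Reference answer: test every element of Z_8 against system (6)."""
    return [c for c in range(MOD)
            if all((P ** j * ev(h[j], c)) % MOD == 0 for j in range(NU))]


def g21(x, y):
    return (4 * x * x * y + y ** 3 + 2 * y + 4) % MOD


def g22(x, y):
    return (4 * x * y * y) % MOD


def solve_system_2():
    """Partial solutions y from G_1, then back-substitution into G_2."""
    ys = solve_by_lifting(H)
    return {(x, y) for x, y in product(range(MOD), ys)
            if g21(x, y) == 0 and g22(x, y) == 0}


if __name__ == "__main__":
    print("partial solutions y:", solve_by_lifting(H))
    print("number of solutions of (2):", len(solve_system_2()))
```
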

As noted in Remark 1, in certain cases it is necessary to add some equations to solve the system. The following example is an illustration.

Example 4

Consider again the system (2) over \(\mathbb {Z}_{8}\). A Gröbner basis with the lexicographic order \(y>x\) of the ideal I generated by \(\left\{ 4x^{2}y+y^{3}+2y+4,4xy^{2}\right\} \) is once again the set \(\left\{ 4x^{2}y+y^{3}+2y+4,4xy^{2}\right\} \). Consequently, \(I\cap \mathbb {Z}_{8}[x]=\left\{ 0\right\} \). So, we cannot solve Eq. (2) directly by using only Proposition 5 with the lexicographic order \(y>x\). However, according to [42, Theorem 5.14], the monic polynomial \(F_{m}\) for the ring \(\mathbb {Z}_{8}\) is defined by \(F_{m}\left( x\right) =\left( x^{2}-x\right) ^{2}-2\left( x^{2}-x\right) .\) A Gröbner basis with the lexicographic order \(y>x\) of the ideal generated by \(\left\{ 4x^{2}y+y^{3}+2y+4,4xy^{2},F_{m}\left( x\right) ,F_{m}\left( y\right) \right\} \) is \(\left\{ y^{2}+4,2y+4,F_{m}\left( x\right) \right\} \). Therefore, (2) is equivalent to \(y^{2}+4=2y+4=0\). We solve the system \(y^{2}+4=2y+4=0\) using Proposition 5, and we obtain \(y=2\) or \(y=6\). Thus, the solutions of (2) are the elements of \(\left\{ \left( t,2\right) ,\left( t,6\right) ,t\in \mathbb {Z}_{8}\right\} \).

4 Solving systems of algebraic equations over finite commutative local rings

In the previous section, we have used Gröbner bases to show how one can solve systems of algebraic equations over finite chain rings. We will now show that solving systems of algebraic equations over finite commutative rings can be reduced to finite chain rings. According to [39, Theorem VI.2], if R is a finite commutative ring, then R can be decomposed as a direct sum of local rings, that is to say \(R \cong R_{(1)}\times \cdots \times R_{(\rho )}\) where for \(j=1,\ldots ,\rho \), \(R_{(j)}\) is a finite commutative local ring. Thus, the problem of solving systems of algebraic equations over R can be reduced to solving systems of algebraic equations over the various \(R_{(j)}\). However, Gröbner bases are not generally equal to strong Gröbner bases over local rings. Therefore, we will use Galois rings, which are specific classes of finite chain rings, to represent finite local rings. As specified in [1, 7], finite rings have several representations (the table representation, the basis representation, and the polynomial representation). Galois rings can be used to give the basis representation and the polynomial representation of finite commutative local rings [39, Theorems XVI.2 and XVII.1]. In [13], Bulyovszky and Horváth used the basis representation to give a good method for solving systems of linear equations over finite local rings. We are going to extend this method to systems of multivariate polynomial equations.

In this section, we assume that R is a finite commutative local ring with maximal ideal \(\mathfrak {m}\) and residue field \(\mathbb {F}_{q}=R/ \mathfrak {m}\). Set \(q=p^{\mu }\) where p is a prime number. Then the characteristic of R is \(p^{\varsigma }\) where \(\varsigma \) is a non-negative integer and by [39, Theorem XVII.1] there is a sub-ring \(R_{0}\) of R such that \(R_{0}\) is isomorphic to the Galois ring of characteristic \(p^{\varsigma }\) and cardinality \(p^{\mu \varsigma }\). Considering R as a \(R_{0}-\)module, there exist \(\theta _{1},\ldots ,\theta _{\gamma }\) in R such that

$$\begin{aligned} R=R_{0}\theta _{1}\oplus \cdots \oplus R_{0}\theta _{\gamma }. \end{aligned}$$
(8)

Let j in \(\left\{ 1,\ldots ,\gamma \right\} \). Since every ideal in \(R_{0}\) is generated by a power of p, then there is \(\varsigma _{j}\) in \(\left\{ 1,\ldots ,\varsigma \right\} \) such that

$$\begin{aligned} p^{\varsigma _{j}}R_{0}=Ann\left( \theta _{j}\right) =\left\{ a\in R_{0}:a\theta _{j}=0\right\} . \end{aligned}$$

According to [13, Subsection 2.2] we have the following lemma.

Lemma 1

Let u in R and \(u_{j}\) in \(R_{0}\) such that \( u=\sum _{j=1}^{\gamma }u_{j}\theta _{j}\). The following statements are equivalent:

  (a) \(u=0\);

  (b) for all \(j\in \left\{ 1,\ldots ,\gamma \right\} \), \(\ \theta _{j}u_{j}=0\);

  (c) for all \(j\in \left\{ 1,\ldots ,\gamma \right\} \), \(\ p^{\varsigma -\varsigma _{j}}u_{j}=0\).

Moreover, each element \(u_{j}\) is unique modulo \(p^{\varsigma _{j}}\).

Lemma 1 and the basis decomposition (8) can be used to transform a system of multivariate polynomial equations over finite local rings to Galois rings. Specifically, we have the following:

Theorem 1

Consider a system of polynomial equations of the form

$$\begin{aligned} f_{r}\left( \left( x_{i}\right) _{1\le i\le k}\right) =0,\ \ r=1,\ldots ,d \end{aligned}$$
(9)

where \(f_{r}\) are multivariate polynomial functions with coefficients in R and \(\left( x_{i}\right) _{1\le i\le k}\in R^{k}\). Set

$$\begin{aligned} x_{i}=\sum _{j=1}^{\gamma }x_{i,j}\theta _{j},\ \ i=1,\ldots ,k \end{aligned}$$

where \(x_{i,j}\in R_{0}\) and

$$\begin{aligned} f_{r}\left( \left( x_{i}\right) _{1\le i\le k}\right) =\sum _{s=1}^{\gamma }f_{r,s}\left( \left( x_{i,j}\right) _{1\le i\le k,1\le j\le \gamma }\right) \theta _{s},\ \ r=1,\ldots ,d \end{aligned}$$

where \(f_{r,s}\) are multivariate polynomial functions with coefficients in \( R_{0}\). Then Eq. (9) is equivalent to

$$\begin{aligned} p^{\varsigma -\varsigma _{s}}f_{r,s}\left( \left( x_{i,j}\right) _{1\le i\le k,1\le j\le \gamma }\right) =0,\ \ r=1,\ldots ,d,\ s=1,\ldots ,\gamma . \end{aligned}$$
(10)

Since Galois rings are specific cases of finite chain rings, we can use the methods described in Sect. 3 to solve (10).

Example 5

In this example we consider a local ring of size 16 which is not a finite chain ring. As specified in [38], we can choose \(R= \mathbb {Z} _{8}\left[ X\right] /I\) where I is the ideal generated by \(X^{2}+4\) and 2X. Then R is a local ring with the maximal ideal generated by \(2+I\) and \(X+I\). Set \(\theta =X+I\), then a maximal Galois sub-ring of R is \(R_{0}= \mathbb {Z} _{8}\) and we have \(R=\theta _{1}R_{0}\oplus \theta _{2}R_{0}\) where \(\theta _{1}=1\) and \(\theta _{2}=\theta \). Moreover, \(Ann\left( \theta _{1}\right) =\left\{ 0\right\} =2^{3}R_{0}\) and \(Ann\left( \theta _{2}\right) =2R_{0}\). We would like to find the roots of the polynomial function defined over R by

$$\begin{aligned} P\left( x\right) =x^{3}+2x+4. \end{aligned}$$

The residue field of R is \(\mathbb {F}_{2}\) and the projection over \( \mathbb {F}_{2}\) of \(P\left( x\right) \) is \({\overline{P}}\left( x\right) =x^{3}\) which is not square-free. Therefore, we are not able to find the roots of P using methods based on Hensel’s lemma [39, Theorem XIII.4] or the Newton-Hensel lemma [24, Proposition 2.1.9]. Thus, an alternative method is to use Theorem 1. Set \(x=x_{1}+x_{2}\theta \) where \(x_{1}\) and \(x_{2}\) are in \(R_{0}\). Then,

$$\begin{aligned} P\left( x_{1}+x_{2}\theta \right) =x_{1}^{3}+4x_{1}x_{2}^{2}+2x_{1}+4+\theta x_{1}^{2}x_{2}. \end{aligned}$$

Therefore, equation

$$\begin{aligned} x^{3}+2x+4=0 \end{aligned}$$

is equivalent to the system

$$\begin{aligned} \left\{ \begin{array}{c} x_{1}^{3}+4x_{1}x_{2}^{2}+2x_{1}+4=0 \\ 4x_{1}^{2}x_{2}=0 \end{array} \right. \end{aligned}$$
(11)

Thanks to Example 3, we deduce that the solutions of (11) are the couples \( \left( x_{1},x_{2}\right) \) in \(\left\{ \left( 2,t\right) ,\left( 6,t\right) ,t\in \mathbb {Z} _{8}\right\} \). As \(2\theta =0\) and \(x=x_{1}+x_{2}\theta \), then \(x_{2}\) is unique modulo 2. We can therefore choose \(x_{2}\) in \(\left\{ 0,1\right\} \). Thus, the roots of P are 2, 6, \(2+\theta \), and \(6+\theta \).
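The reduction of Example 5 checked by computation, as an added example that is not part of the original paper. It assumes elements of \(R=\mathbb {Z}_{8}[X]/(X^{2}+4,2X)\) are stored as pairs (a, b) meaning \(a+b\theta \) with a modulo 8 and b modulo 2; the function names are hypothetical.

```python
from itertools import product


def add(u, v):
    """Addition in R = Z_8 (+) Z_8*theta, where Ann(theta) = 2*Z_8."""
    return ((u[0] + v[0]) % 8, (u[1] + v[1]) % 2)


def mul(u, v):
    """(a + b*theta)(c + d*theta) using theta^2 = -4 = 4 and 2*theta = 0."""
    a, b = u
    c, d = v
    return ((a * c + 4 * b * d) % 8, (a * d + b * c) % 2)


def P_R(x):
    """P(x) = x^3 + 2x + 4 evaluated with the arithmetic of R."""
    x3 = mul(x, mul(x, x))
    return add(add(x3, mul((2, 0), x)), (4, 0))


def roots_direct():
    """Exhaustive search over the 16 elements of R."""
    return sorted(x for x in product(range(8), range(2)) if P_R(x) == (0, 0))


def f1(x1, x2):
    """Coefficient of theta_1 = 1 in P(x1 + x2*theta), an element of Z_8."""
    return (x1 ** 3 + 4 * x1 * x2 ** 2 + 2 * x1 + 4) % 8


def f2(x1, x2):
    """Coefficient of theta_2 = theta in P(x1 + x2*theta)."""
    return (x1 ** 2 * x2) % 8


def expansion_matches():
    """Check the coordinate expansion and the factor p^(3-1) = 4 of Theorem 1."""
    for x1, x2 in product(range(8), repeat=2):
        if P_R((x1, x2 % 2)) != (f1(x1, x2), f2(x1, x2) % 2):
            return False
        # f2*theta = 0 in R exactly when 4*f2 = 0 in Z_8.
        if ((4 * f2(x1, x2)) % 8 == 0) != (f2(x1, x2) % 2 == 0):
            return False
    return True


def roots_via_theorem_1():
    """Solve system (11) over Z_8, then reduce x2 modulo 2."""
    sols = [(x1, x2) for x1, x2 in product(range(8), repeat=2)
            if f1(x1, x2) == 0 and (4 * f2(x1, x2)) % 8 == 0]
    return sols, sorted({(x1, x2 % 2) for x1, x2 in sols})


if __name__ == "__main__":
    sols, roots = roots_via_theorem_1()
    print(len(sols), "solutions of (11) give the roots", roots)
    print("direct search in R:", roots_direct())
```
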

Example 5 gave a method for finding the roots of polynomials over finite local rings. Another type of local rings are valuation rings, and some methods based on the truncation orders have been described in [8, 43] for the univariate case and in [15, 35, 52] for the multivariate case.

5 MinRank problem over finite principal ideal rings

In this section, we first justify the interest of studying the algebraic resolution of the MinRank problem over finite principal ideal rings by establishing the fact that it is an NP-complete problem. We then extend some known algebraic modelings of the classical MinRank problem to the MinRank problem over finite principal ideal rings. In what follows, we assume that R is a finite commutative principal ideal ring. The set of all \(m\times n\) matrices with entries in the ring R will be denoted by \(R^{m\times n}\). Let \( \textbf{A}\in R^{m\times n}\), we denote by \(row\left( \textbf{A}\right) \) the \(R-\)submodule of \(R^n\) generated by the row vectors of \(\textbf{A}\). The transpose of \(\textbf{A}\) is denoted by \(\textbf{A}^{\top }\) and the \( k\times k\) identity matrix is denoted by \(\textbf{I}_{k}\).

5.1 MinRank problem

Definition 2

Let \(\ \textbf{A}\in R^{m\times n}\). The rank of \(\textbf{A}\), denoted by \(rk_{R}\left( \textbf{A}\right) \) or simply by \(rk\left( \textbf{A }\right) \) is the smallest number of elements in \(row(\textbf{A})\) which generate \(row(\textbf{A})\) as a \(R-\)module.

As specified in [31, Proposition 3.4], the Smith normal form can be used to compute the rank of a matrix. Moreover, as in the case of fields, the map \(R^{m\times n}\times R^{m\times n}\rightarrow \mathbb {N} \), given by \(\left( \textbf{A,B}\right) \mapsto rk\left( \mathbf {A-B} \right) \) is a metric. However, some properties of the rank of a matrix over fields generally do not extend to rings due to zero divisors.

Example 6

Consider the matrix \(\mathbf {A}=\left( \begin{array}{cc} 2 &{} 0 \\ 0 &{} 4 \end{array} \right) \) over \(\mathbb {Z}_{8}\). Then, \(rk\left( \textbf{A}\right) =2\), \( rk\left( 6\textbf{A}\right) =1\) and \(det(\textbf{A})=0\). Thus, \(rk\left( \textbf{A}\right) \ne rk\left( 6\textbf{A}\right) \) and \(rk\left( \textbf{A} \right) \) is not equal to the order of the highest-order non-vanishing minor.

The MinRank Problem over the ring R can then be defined as follows.

Definition 3

Let \(\textbf{M}_{0}\), \(\textbf{M}_{1}\), \(\ldots \), \(\textbf{M}_{k}\) in \( R^{m\times n}\) and r in \({{\mathbb {N}}}^{*}\). The MinRank problem is to find \(x_{1},\ldots ,x_{k}\) in R such that \(rk(\textbf{M} _{0}+\sum _{i=1}^{k}x_{i}\textbf{M}_{i})\le r\). The homogeneous MinRank problem corresponds to the case where \(\textbf{M}_{0}=\textbf{0}\).

In general, an instance of the MinRank problem has several solutions. But if r is not greater than the error correction capability of the \(R-\)linear code generated by \(\textbf{M}_{1},\ldots ,\textbf{M}_{k}\) (assuming \(\textbf{M}_{1},\ldots ,\textbf{M}_{k}\) are \(R-\)linearly independent), then the problem has a unique solution \(\left( x_{1},\ldots ,x_{k} \right) \). In the homogeneous case, for any solution \(\left( x_{1},\ldots ,x_{k}\right) \) and for any \(\alpha \in R\), \(\left( \alpha x_{1},\ldots ,\alpha x_{k}\right) \) is also a solution. Thus, if R is a field, one of the components of a non-zero solution of the homogeneous MinRank problem can always be assumed to be 1. However, if R is not a field, this assumption is not true in some cases (see Example 8).

In [16] Nicolas Courtois used a connection between the Hamming metric and the rank metric to prove that the MinRank problem over fields is NP-complete. We will extend this result to finite principal ideal rings. As in Sect. 4, the finite principal ideal ring R can be decomposed as a direct sum of finite chain rings. So, assume that \(R=R_{(1)}\times \cdots \times R_{(\rho )}\) where \(R_{(j)}\) is a finite chain ring for \(j\in \left\{ 1,\ldots ,\rho \right\} \). We denote by \(\Phi _{(j)}\) the j-th projection map from R to \(R_{(j)}\). We also extend \( \Phi _{(j)}\) coefficient-by-coefficient as a map from \(R^{m\times n}\) to \( R_{(j)}^{m\times n}\). We have the following result from [18].

Lemma 2

Let \(\textbf{A}\) in \(R^{m\times n}\), then

$$\begin{aligned} rk_{R}\left( \textbf{A}\right) =\max _{1\le j\le \rho }\left\{ rk_{R_{(j)}}\left( \Phi _{(j)}\left( \textbf{A}\right) \right) \right\} . \end{aligned}$$

Since \(R_{(j)}\) is a finite chain ring, if a and b are in \(R_{(j)}\) then a divides b, or b divides a. Therefore, according to [31, Proposition 3.4], we have the following:

Lemma 3

Let \(\mathbf {x}=\left( x_{r}\right) _{1\le r\le n}\in R_{(j)}^{n}\), and \(\textbf{D}_{\textbf{x}}\) the \(n\times n\) diagonal matrix with the entries of \(\textbf{x}\) on the diagonal, that is, \(\textbf{D} _{\textbf{x}}=\left( d_{r,s}\right) \) where \(d_{r,r}=x_{r}\) and \(d_{r,s}=0\) if \(r\ne s\). Then, the Hamming weight of \(\textbf{x}\) is equal to the rank of \(\textbf{D}_{\textbf{x }}\).

Proposition 6

The MinRank problem over finite commutative principal ideal rings is NP-complete.

Proof

From Lemma 2, the MinRank Problem over the principal ideal ring R is equivalent to the same problem over the finite chain rings \( R_{(j)}\), for \(j\in \left\{ 1,\ldots ,\rho \right\} \). By Lemma 3 the decoding problem in the Hamming metric over \( R_{(j)}\) is reduced to the MinRank Problem. According to [6] or [53] the decoding problem in Hamming metric over \(R_{(j)}\) is NP-complete. Thus, the result follows. \(\square \)

Since the MinRank problem over finite principal ideal rings is a hard problem, the study of its algebraic resolution deserves attention for cryptographic applications. From a modelling perspective, the MinRank problem over finite fields can be transformed into a system of algebraic equations using the maximal minors, while over finite principal ideal rings the rank of a matrix is usually not equal to the order of the highest-order non-vanishing minor. As a consequence, the MaxMinor modelling does not apply in general when dealing with rings. In the following subsections, we will prove that the Kipnis–Shamir modelling and the Support-Minors modelling can be extended over finite principal ideal rings. A natural consequence is that the methods proposed above for solving systems of algebraic equations over finite commutative rings can be applied to solve the MinRank problem over finite principal ideal rings.

5.2 Kipnis–Shamir modeling

We start with some lemmas which will be used to give the Kipnis–Shamir modeling over finite principal ideal rings. According to [31, Proposition 3.2], we have the following:

Lemma 4

Let \(\textbf{E} \in R^{m\times n}\) such that \(rk\left( \textbf{E}\right) \le r\). Then, there exists a rank r free submodule F of \(R^{n}\) such that \(row\left( \textbf{E}\right) \subset F\).

Remark 2

Let \(\textbf{E}\) and F as in Lemma 4. If \( row\left( \textbf{E}\right) \) is a free module and \(rk\left( \textbf{E} \right) =r\) then F is unique and \(row\left( \textbf{E}\right) =F\). But if \( row\left( \textbf{E}\right) \) is not a free module, then F is generally not unique.

Example 7

Consider the matrix \(\mathbf {E}=\left( \begin{array}{ccc} 2&0&4 \end{array} \right) \) over \( \mathbb {Z}_{8}\). Then \(rk\left( \textbf{E}\right) =1\) and there exist four free submodules F of \( \mathbb {Z} _{8}^{3}\) of rank 1 such that \(row\left( \textbf{E}\right) \subset F\). These four submodules are respectively generated by \(\left( 1,0,2\right) \), \( \left( 1,4,2\right) \), \(\left( 1,0,6\right) \), and \(\left( 1,4,6\right) \).

Let F be a free submodule of \(R^{n}\) of rank r and \(F^{\perp }\) the dual of F with respect to the canonical inner-product of \(R^{n}\). Then, by [19, Proposition 2.9], \(F^{\perp }\) is also a free module of rank \(n-r\) and \(\left( F^{\perp }\right) ^{\perp }=F\). Thus, we have the following:

Lemma 5

A subset F of \(R^{n}\) is a free submodule of \(R^{n}\) of rank r if and only if there exists \(\textbf{Z}\in R^{n\times (n-r)}\) with linearly independent column vectors and satisfying:

$$\begin{aligned} \forall ~\textbf{y}\in R^{n},~\textbf{y}\in F~\Longleftrightarrow ~\textbf{yZ }=\textbf{0}. \end{aligned}$$
(12)

Proof

Assume that F is a free submodule of \(R^{n}\) of rank r. Then, by [19, Proposition 2.9], \(F^{\perp }\) is a free module of rank \(n-r\). Let \(\textbf{Z}\in R^{n\times (n-r)}\) such that the rows of \(\textbf{Z}^{\top }\) generates \(F^{\perp }\). Then the column vectors of \(\textbf{Z}\) are linearly independent and (12) holds.

Conversely, assume that there exists \(\textbf{Z}\in R^{n\times (n-r)}\) with linearly independent column vectors. Let \(F=\{\textbf{y}\in R^{n}:~\textbf{yZ }=\textbf{0}\}\). Then, by [19, Proposition 2.9], F is a free module of rank r. \(\square \)

If a and b are two elements of a finite chain ring, then a divides b or b divides a. This property was used in [44, Proposition 3.2] to prove the existence of the generator matrices in standard form over finite chain rings. So, we have the following:

Lemma 6

Assume that R is a finite chain ring. Let \(\textbf{Z}\in R^{n\times (n-r)}\) with column vectors that are linearly independent. Then there exists a size n permutation matrix \(\textbf{P}\), an invertible matrix \(\textbf{Q}\in R^{(n-r)\times (n-r)}\), and a matrix \(\textbf{Z} ^{\prime }\in R^{r\times (n-r)}\) such that

$$\begin{aligned} \textbf{Z}=\textbf{P}\left( \begin{array}{c} \textbf{I}_{n-r} \\ \textbf{Z}^{\prime } \end{array} \right) \textbf{Q}. \end{aligned}$$

The above Lemma 6 is not generally true when R is not a finite chain ring. Indeed, consider the matrix

$$\begin{aligned} \mathbf {Z}=\left( \begin{array}{c} 2 \\ 3 \end{array} \right) \end{aligned}$$

over \( \mathbb {Z} _{6}\). The column vector of \(\textbf{Z}\) is \( \mathbb {Z} _{6}-\)linearly independent. But \(\textbf{Z}\) cannot be decomposed as in Lemma 6. Lemmas 4, 5 and 6 allow us to extend the Kipnis–Shamir Modeling to finite principal ideal rings.

Theorem 2

Let \(\textbf{M}_{0}\), \(\textbf{M}_{1},\ldots , \textbf{M}_{k}\) in \(R^{m\times n}\), \(x_{1},\ldots ,x_{k}\) in R and r in \( {{\mathbb {N}}}^{*}\). For \(M_{x}=\textbf{M}_{0}+\sum _{i=1}^{k}x_{i} \textbf{M}_{i}\), the following statements are equivalent.

  (i) \(rk(\textbf{M}_{x})\le r\).

  (ii) There exists \(\textbf{Z}\in R^{n\times (n-r)}\), with column vectors that are linearly independent and such that

    $$\begin{aligned} \textbf{M}_{x}\mathbf {Z=0}. \end{aligned}$$
    (13)

Moreover, if R is a finite chain ring then, up to a permutation of columns of \(\textbf{M}_{x}\), we can assume that \(\textbf{Z}\) is of the form

$$\begin{aligned} \mathbf {Z}=\left( \begin{array}{c} \textbf{I}_{n-r} \\ \textbf{Z}^{\prime } \end{array} \right) \end{aligned}$$

where \(\textbf{Z}^{\prime }\in R^{r\times (n-r)}\).

Proof

The proof is similar to the case of fields. Indeed, assume that \(rk(\textbf{M }_{x})\le r\). Then, by Lemma 4, there exists a free submodule F of \(R^{n}\) of rank r such that \(row\left( \textbf{M}_{x}\right) \subset F\). Thus, by Lemma 5, there is \(\textbf{Z}\in R^{n\times (n-r)}\), with column vectors that are linearly independent and such that (13) holds. Conversely, assume that (ii) holds. Then, by Lemma 5, all row vectors of \(\textbf{M}_{x}\) are in a free module of rank r. Therefore, by [31, Proposition 3.2], \(rk(\textbf{M}_{x})\le r\). \(\square \)

As specified in Remark 2, the free submodule F is generally not unique. Therefore, \(\textbf{Z}^{\prime }\) is generally not unique.

Example 8

Consider the following MinRank problem that is to find \(x_{1}\), \(x_{2}\) and \(x_{3}\) in \(\mathbb {Z}_{8}\) such that

$$\begin{aligned} rk\left( x_{1}\textbf{M}_{1}+x_{2}\textbf{M}_{2}+x_{3}\textbf{M}_{3}\right) \le 1 \end{aligned}$$
(14)

with

$$\begin{aligned} M_{1}=\left( \begin{array}{rrrr} 0 &{} 0 &{} 0 &{} 7 \\ 1 &{} 0 &{} 0 &{} 5 \\ 0 &{} 1 &{} 0 &{} 2 \\ 0 &{} 0 &{} 1 &{} 4 \end{array} \right) ,\ M_{2}=\left( \begin{array}{rrrr} 0 &{} 0 &{} 7 &{} 4 \\ 0 &{} 0 &{} 5 &{} 3 \\ 1 &{} 0 &{} 2 &{} 5 \\ 0 &{} 1 &{} 4 &{} 2 \end{array} \right) ,\ M_{3}=\left( \begin{array}{rrrr} 2 &{} 2 &{} 0 &{} 4 \\ 4 &{} 2 &{} 0 &{} 6 \\ 0 &{} 4 &{} 2 &{} 4 \\ 0 &{} 6 &{} 6 &{} 0 \end{array} \right) . \end{aligned}$$

Since \(r=1\), by Theorem 2, (14) is equivalent to

$$\begin{aligned} \left( x_{1}\textbf{M}_{1}+x_{2}\textbf{M}_{2}+x_{3}\textbf{M}_{3}\right) \left( \begin{array}{ccc} 1 &{} 0 &{} 0 \\ 0 &{} 1 &{} 0 \\ 0 &{} 0 &{} 1 \\ z_{1} &{} z_{2} &{} z_{3} \end{array} \right) =\textbf{0} \end{aligned}$$
(15)

A Gröbner basis associated to (15) with the lexicographic order \(z_{1}>z_{2}\) \(>z_{3}>x_{1}>x_{2}>x_{3}\) is \(2z_{1}x_{3}+6x_{3}\), \( 2z_{2}x_{3}+6x_{3}\), \(2z_{3}x_{3}+6x_{3}\), \(x_{1}+2x_{3}\), \(x_{2}+2x_{3}\), \( 4x_{3}\). According to Proposition 5, the solutions of the system \(x_{1}+2x_{3}=x_{2}+2x_{3}=4x_{3}=0\) are the triples \(\left( x_{1},x_{2},x_{3}\right) \) in \( \left\{ \left( 0,0,0\right) ,\left( 4,4,2\right) ,\left( 0,0,4\right) ,\left( 4,4,6\right) \right\} \). Furthermore, each of these solutions satisfies Eq. (14). So we conclude that we have exactly four solutions.
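The rank computations of Examples 6, 7 and 8 can be checked numerically. The following Python sketch is an added example, not code from the paper: it computes the rank over \(\mathbb {Z}_{p^{k}}\) by Smith-type elimination on entries of minimal valuation, then enumerates all of \(\mathbb {Z}_{8}^{3}\) for the instance (14). The function names are assumptions of this example, and exhaustive search is only practical for toy parameters such as these.

```python
from itertools import product

def valuation(a, p, k):
    """p-adic valuation of a in Z_{p^k}; the zero element gets valuation k."""
    a %= p ** k
    if a == 0:
        return k
    v = 0
    while a % p == 0:
        a //= p
        v += 1
    return v

def rank_chain(M, p=2, k=3):
    """Rank over the chain ring Z_{p^k}: number of non-zero invariant factors."""
    q = p ** k
    A = [[x % q for x in row] for row in M]
    m, n = len(A), len(A[0])
    rank = 0
    for t in range(min(m, n)):
        # Pivot on an entry of minimal valuation: it divides every other entry.
        v, i0, j0 = min((valuation(A[i][j], p, k), i, j)
                        for i in range(t, m) for j in range(t, n))
        if v == k:                      # the remaining block is zero
            break
        A[t], A[i0] = A[i0], A[t]
        for row in A:
            row[t], row[j0] = row[j0], row[t]
        unit_inv = pow(A[t][t] // p ** v, -1, q)   # pivot = unit * p^v
        for i in range(t + 1, m):
            f = (A[i][t] // p ** v) * unit_inv % q
            A[i] = [(a - f * b) % q for a, b in zip(A[i], A[t])]
        rank += 1
    return rank

def minrank_solutions(mats, r, M0=None, p=2, k=3):
    """All x in (Z_{p^k})^len(mats) with rk(M0 + sum x_i M_i) <= r, by enumeration."""
    q = p ** k
    m, n = len(mats[0]), len(mats[0][0])
    base = M0 or [[0] * n for _ in range(m)]
    sols = []
    for x in product(range(q), repeat=len(mats)):
        Mx = [[(base[i][j] + sum(xi * Mi[i][j] for xi, Mi in zip(x, mats))) % q
               for j in range(n)] for i in range(m)]
        if rank_chain(Mx, p, k) <= r:
            sols.append(x)
    return sols

def free_rank1_supermodules(e, q=8):
    """Smallest generator of each free rank-1 submodule of Z_q^n (q a power of 2) containing e."""
    found = {}
    for g in product(range(q), repeat=len(e)):
        if all(gi % 2 == 0 for gi in g):
            continue                    # no unit entry, so R*g is not free
        span = frozenset(tuple(c * gi % q for gi in g) for c in range(q))
        if tuple(e) in span:
            found.setdefault(span, g)   # product() is lexicographic: first hit is smallest
    return sorted(found.values())

# Matrices M_1, M_2, M_3 of Example 8 (copied from the text).
EX8 = [
    [[0, 0, 0, 7], [1, 0, 0, 5], [0, 1, 0, 2], [0, 0, 1, 4]],
    [[0, 0, 7, 4], [0, 0, 5, 3], [1, 0, 2, 5], [0, 1, 4, 2]],
    [[2, 2, 0, 4], [4, 2, 0, 6], [0, 4, 2, 4], [0, 6, 6, 0]],
]

if __name__ == "__main__":
    A = [[2, 0], [0, 4]]
    print("Example 6:", rank_chain(A), rank_chain([[6 * a for a in row] for row in A]))
    print("Example 7:", free_rank1_supermodules((2, 0, 4)))
    print("Example 8:", minrank_solutions(EX8, 1))
```

The enumeration returns the same four triples as the Gröbner basis computation, and the submodule count reproduces the non-uniqueness of F stated in Remark 2.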

In the simulations, we observe that in some cases, to simplify the resolution of (13) it is necessary to add some equations as specified in Remark 1.

Example 9

Consider the MinRank problem that is to find \(x_{1}\), \(x_{2}\), \(x_{3}\) in \(\mathbb {Z}_{8}\) such that

$$\begin{aligned} rk(\textbf{M}_{x})\le 1 \end{aligned}$$
(16)

where \(\textbf{M}_{x}=\textbf{M}_{0}+\sum _{i=1}^{3}x_{i}\textbf{M}_{i}\) and

$$\begin{aligned} \textbf{M}_{0}=\left( \begin{array}{rrr} 5 &{} 2 &{} 3 \\ 5 &{} 1 &{} 4 \\ 4 &{} 3 &{} 6 \end{array} \right) ,\ \ \ \textbf{M}_{1}=\left( \begin{array}{rrr} 1 &{} 2 &{} 0 \\ 0 &{} 1 &{} 3 \\ 0 &{} 2 &{} 1 \end{array} \right) ,\ \ \ \textbf{M}_{2}=\left( \begin{array}{rrr} 0 &{} 2 &{} 1 \\ 1 &{} 0 &{} 3 \\ 0 &{} 5 &{} 5 \end{array} \right) ,\ \ \ \textbf{M}_{3}=\left( \begin{array}{rrr} 0 &{} 5 &{} 5 \\ 0 &{} 1 &{} 0 \\ 1 &{} 2 &{} 5 \end{array} \right) \end{aligned}$$

According to Theorem 2, (16) is equivalent to

$$\begin{aligned} \textbf{M}_{x}\textbf{Z}=\textbf{0}. \end{aligned}$$
(17)

When we choose \(\textbf{Z}\) in the form \(\mathbf {Z}=\left( \begin{array}{cc} 1 &{} 0 \\ 0 &{} 1 \\ z_{1} &{} z_{2} \end{array} \right) \) we do not get the solution. Thus, it is necessary to choose a suitable permutation. In our simulations, we observed that we can choose \(\mathbf {Z}=\left( \begin{array}{cc} z_{1} &{} z_{2} \\ 1 &{} 0 \\ 0 &{} 1 \end{array} \right) \). In this case, when we compute a Gröbner basis associated to (17) with the lexicographic order \(z_{1}>z_{2}>x_{1}>x_{2}>x_{3}\), the resolution requires a search for the solution among several potential candidates. But when we add the polynomial expressions \(F_{m}\left( z_{1}\right) \), \(F_{m}\left( z_{2}\right) \), \(F_{m}\left( x_{1}\right) \), \(F_{m}\left( x_{2}\right) \), \( F_{m}\left( x_{3}\right) \) as in Example 4, we get the Gröbner basis \(z_{1}^{4}-z_{1}^{2}\), \(2z_{1}\), \(z_{2}^{4}+3z_{2}^{2}+4\), \( 2z_{2}+4\), \(x_{1}+7\), \(x_{2}+5\), \(x_{3}+2\). Thus, we directly obtain the solution of (16) which is \(x_{1}=1\), \(x_{2}=3\), \(x_{3}=6\).

5.3 Support-minors modeling

In this subsection, we will show that the Support-Minors modeling of the MinRank problem given in [3] over fields can be extended to finite principal ideal rings.

Lemma 7

Let \(\textbf{A}\in R^{r\times n}\) with row vectors that are linearly independent, and \(\mathbf {y\in }R^{n}\). Then \(\textbf{y}\in row\left( \textbf{A}\right) \) if and only if

$$\begin{aligned} Minors_{r+1}\left( \begin{array}{c} \textbf{y} \\ \textbf{A} \end{array} \right) \mathbf {=0,} \end{aligned}$$
(18)

where (18) means that all minors of the matrix \(\left( \begin{array}{c} \textbf{y} \\ \textbf{A} \end{array} \right) \) of size \(r+1\) are equal to zero.

Proof

As the row vectors of \(\textbf{A}\) are linearly independent, by [19, Corollary 2.7] there is an invertible matrix \(\textbf{P}\in R^{n\times n}\) such that \(\mathbf {AP}=\left( \begin{array}{cc} \textbf{I}_{r}&\textbf{0} \end{array} \right) \). Set \(\textbf{P}=\left( \begin{array}{cc} \textbf{P}_{1}&\textbf{P}_{2} \end{array} \right) \) where \(\textbf{P}_{1}\) and \(\textbf{P}_{2}\) are submatrices of \( \textbf{P}\) of sizes \(n\times r\) and \(n \times ( n-r)\), respectively. Assume that (18) holds. Then, using the Cauchy–Binet formula, we get

$$\begin{aligned} Minors_{r+1}\left( \left( \begin{array}{c} \textbf{y} \\ \textbf{A} \end{array} \right) \textbf{P}\right) \mathbf {=0}, \end{aligned}$$

that is to say,

$$\begin{aligned} Minors_{r+1}\left( \begin{array}{cc} \textbf{yP}_{1} &{} \textbf{yP}_{2} \\ \textbf{I}_{r} &{} \textbf{0} \end{array} \right) =\textbf{0}. \end{aligned}$$

For any entry u of \(\textbf{yP}_2\), the minor \( \det \begin{pmatrix} \textbf{y P}_1 &{} u \\ \textbf{I}_r &{} \textbf{0} \end{pmatrix}\) is equal to \((-1)^{r}u\), which is equal to 0 by the assumption. We then deduce that \(\textbf{yP}_{2}=\textbf{0}\). Thus, by Lemma 5, \(\textbf{y}\in row\left( \textbf{A}\right) \). Conversely, if \(\textbf{y}\in row\left( \textbf{A}\right) \) then (18) holds, since \(\textbf{y}\) is a linear combination of the rows of \(\textbf{A}\). \(\square \)

Let \(\textbf{A}\) and \(\textbf{y}\) be as in Lemma 7. For any sequence of r positive integers \(1\le j_{1}<\cdots <j_{r}\le n\), let \( a_{j_{1},\ldots ,j_{r}}\) be the determinant of the \(r\times r\) submatrix of \( \textbf{A}\) with column index in \(\left\{ j_{1},\ldots ,j_{r}\right\} \). The set \(\left\{ a_{j_{1},\ldots ,j_{r}}:1\le j_{1}<\cdots <j_{r}\le n\right\} \) is said to be a set of Plücker coordinates [10] of the free \(R-\)module \(row\left( \textbf{A} \right) \). By [27, Remark 2.12], if \(\textbf{B}\in R^{r\times n}\) and \(row\left( \textbf{A}\right) =row\left( \textbf{B}\right) \), then there is an invertible matrix \(\textbf{Q}\in R^{r\times r}\) such that \(\textbf{B}=\textbf{QA}\). Thus, as in the case of fields, the \(R-\)module \(row\left( \textbf{A}\right) \) may admit several sets of Plücker coordinates, but they are all equal up to a unit multiplicative factor. Moreover, if R is a finite chain ring, then according to Lemma 6, at least one component in any set of Plücker coordinates is a unit. Furthermore, by setting \(\textbf{y}=\left( y_{j_{\alpha }}\right) _{1\le \alpha \le n}\) where \(y_{j_{\alpha }}\in R\), and using the Laplace expansion along the first row, Eq. (18) is equivalent to

$$\begin{aligned} \sum _{\alpha =1}^{r+1}\left( -1\right) ^{\alpha +1}y_{j_{\alpha }}a_{j_{1},\ldots ,j_{\alpha -1},j_{\alpha +1},\ldots j_{r+1}}=0, \end{aligned}$$
(19)

for all sequences of \(r+1\) positive integers \(1\le j_{1}<\cdots <j_{r+1}\le n\).

Notice that, when the row vectors of \(\textbf{A}\) are not linearly independent, the “only if” part of Lemma 7 may not be true. Indeed, consider the matrix \(\mathbf {A}=\left( \begin{array}{cc} 2&0 \end{array} \right) \) over \( \mathbb {Z} _{4}\). Then

$$\begin{aligned} Minors_{2}\left( \begin{array}{cc} 0 &{} 2 \\ 2 &{} 0 \end{array} \right) =0. \end{aligned}$$

But \(\left( 0,2\right) \notin row\left( \textbf{A}\right) \).

Similar to the Support-Minors modeling given in [3], we have the following:

Theorem 3

Let \(\textbf{M}_{0}\), \(\textbf{M}_{1},\ldots , \textbf{M}_{k}\) in \(R^{m\times n}\), \(x_{1},\ldots ,x_{k}\) in R and r in \( {{\mathbb {N}}}^{*}\).

Set \(\textbf{M}_{x}=\textbf{M}_{0}+ \sum _{l=1}^{k}x_{l}\textbf{M}_{l}\). Then, the following statements are equivalent.

  (i) \(rk(\textbf{M}_{x})\le r\).

  (ii) There exist Plücker coordinates \(\left\{ z_{j_{1},\ldots ,j_{r}}:1\le j_{1}<\cdots <j_{r}\le n\right\} \) of a free submodule of \(R^{n}\) of rank r such that

    $$\begin{aligned} \sum _{\alpha =1}^{r+1}\left( -1\right) ^{\alpha +1}\textbf{M} _{x}[i,j_{\alpha }]z_{j_{1},\ldots ,j_{\alpha -1},j_{\alpha +1},\ldots j_{r+1}}=0, \end{aligned}$$
    (20)

    for all \(i=1,\ldots ,n\) and all sequences of \(r+1\) positive integers \(1\le j_{1}<\cdots <j_{r+1}\le n\), where \(\textbf{M}_{x}[i,j_{\alpha }]\) is the entry at the \(i^{th}\) row and \(j_{\alpha }^{th}\) column of \(\textbf{M}_x\).

Proof

Assume that \(rk(\textbf{M}_{x})\le r\). Then, by Lemma 4, there exists a free submodule F of \(R^{n}\) of rank r such that \(row\left( \textbf{M}_{x}\right) \subset F\). Let \(\left\{ z_{j_{1},\ldots ,j_{r}}:1\le j_{1}<\cdots <j_{r}\le n\right\} \) be a set of Plücker coordinates of F. Then, by Lemma 7 and (19), we get (20).

Conversely, assume that (ii) holds. Then, by Lemma 7, all row vectors of \(\textbf{M}_{x}\) are in a free module of rank r. Therefore, by [31, Proposition 3.2], \(rk(\textbf{M}_{x})\le r\). \(\square \)

As stated in Remark 2, the free submodule F is generally not unique. Consequently, there are usually several Plücker coordinates associated to different free submodules, and which all satisfy Eq. (20). Equation (20) is a system of polynomial equations with unknowns \(x_{l}\) and \(z_{j_{1},\ldots ,j_{r}}\). Thus, as specified in the previous sections, we can use Gröbner bases to solve (20). But in some cases, it is possible to use linear algebra as in [3].

Example 10

Consider the MinRank problem (14) of Example 8. Since \(r=1\), then by Theorem 3, there exist Plücker coordinates \(\left( z_{1},z_{2},z_{3},z_{4}\right) \) of a free submodule of \(\mathbb {Z}_{8}^4\) of rank 1 such that (14) is equivalent to

$$\begin{aligned} \left\{ \begin{array}{c} \textbf{M}_{x}[i,1]z_{2}-\textbf{M}_{x}[i,2]z_{1}=0 \\ \textbf{M}_{x}[i,1]z_{3}-\textbf{M}_{x}[i,3]z_{1}=0 \\ \textbf{M}_{x}[i,1]z_{4}-\textbf{M}_{x}[i,4]z_{1}=0 \\ \textbf{M}_{x}[i,2]z_{3}-\textbf{M}_{x}[i,3]z_{2}=0 \\ \textbf{M}_{x}[i,2]z_{4}-\textbf{M}_{x}[i,4]z_{2}=0 \\ \textbf{M}_{x}[i,3]z_{4}-\textbf{M}_{x}[i,4]z_{3}=0 \end{array} \right. ,\ \ \ i=1,...,4 \end{aligned}$$
(21)

where \(\textbf{M}_{x}=x_{1}\textbf{M}_{1}+x_{2}\textbf{M}_{2}+x_{3}\textbf{M} _{3}\). Since \(\mathbb {Z}_{8}\) is a finite chain ring, at least one component of the Plücker coordinates \(\left( z_{1},z_{2},z_{3},z_{4}\right) \) is a unit. Without loss of generality, assume that \(z_{4}\) is a unit, then in order to recover \(x_{1}\), \( x_{2}\) and \(x_{3},\) we rewrite (21) as

$$\begin{aligned} \mathbf {AX=0} \end{aligned}$$
(22)

where \(\textbf{X}^{\top }=\left( \begin{array}{cccccccccccc} x_{1}z_{1}&x_{2}z_{1}&x_{3}z_{1}&x_{1}z_{2}&x_{2}z_{2}&x_{3}z_{2}&x_{1}z_{3}&x_{2}z_{3}&x_{3}z_{3}&x_{1}z_{4}&x_{2}z_{4}&x_{3}z_{4} \end{array} \right) \) and \(\textbf{A}\) is a matrix with entries in \(\mathbb {Z}_{8}\). Using SageMath [51], we can compute the row echelon form \(\widetilde{\textbf{A}}\) of \(\textbf{A}\) and get

$$\begin{aligned} \widetilde{\textbf{A}}=\left( \begin{array}{rrrrrrrrrrrr} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 \\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 \\ 0 &{} 0 &{} 2 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 \\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 &{} 0 &{} 0 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 2 \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 4 \end{array} \right) \end{aligned}$$

Therefore, (22) is equivalent to

$$\begin{aligned} \widetilde{\textbf{A}}\mathbf {X=0} \end{aligned}$$

Thus, \(x_{1}z_{4}+2x_{3}z_{4}=\) \(x_{2}z_{4}+2x_{3}z_{4}=4x_{3}z_{4}=0\). Since we assumed that \(z_{4}\) is a unit, we get \(\left( x_{1},x_{2},x_{3}\right) \in \left\{ \left( 0,0,0\right) ,\left( 4,4,2\right) ,\left( 0,0,4\right) ,\left( 4,4,6\right) \right\} \).

In the case of fields, some conditions have been given in [3, 4] to solve (20) using linear algebra. It will be interesting to study if these conditions can be extended to rings.

It is important to note that, according to [31, Proposition 3.4], the rank of a matrix and its transpose are equal. Therefore, the MinRank problem defined with \( \textbf{M}_{0}\), \(\textbf{M}_{1}\), \(\ldots \), \(\textbf{M}_{k}\) shares the same solution set with the one defined with \(\textbf{M}_{0}^{\top }\), \(\textbf{M} _{1}^{\top }\), \(\ldots \), \(\textbf{M}_{k}^{\top }\). Thus, in order to reduce the number of variables in the algebraic modeling, one can transpose the matrices before solving the MinRank problem, as stated for example in [2].

6 Rank decoding problems over finite principal ideal rings

In this section, we study the algebraic approach for solving the rank decoding problem over finite principal ideal rings. Note that this problem was recently shown in [29] to be at least as hard as the rank decoding problem over finite fields, and a combinatorial-like algorithm was also proposed for solving the problem. Over finite fields, the rank decoding problem has several algebraic modelings. As specified in [29, Section 4], the Ourivski-Johansson modeling [48] and the MaxMinors modeling [5] cannot extend directly to rings due to zero divisors. We show here that the Support-Minors modeling [4] and the modeling using linearized polynomials [25] can be extended in the case of finite principal ideal rings.

6.1 Rank decoding problem

To define the rank decoding problem, we must first recall the construction of a Galois extension of a finite principal ideal ring R. As we specified in Sect. 4, R can be decomposed into a direct sum of local rings. Thus, in the following, we assume that \( R=R_{(1)}\times \cdots \times R_{(\rho )}\) where each \(R_{(j)}\) is a finite chain ring with maximal ideal \(\mathfrak {m}_{(j)}\) and residue field \(\mathbb {F} _{q_{(j)}}\), for \(j=1,\ldots ,\rho \). Let m be a non-zero positive integer and \(h_{(j)}\in \) \(R_{(j)}\left[ X\right] \) a monic polynomial of degree m such that its projection onto \(\mathbb {F}_{q_{(j)}}\left[ X\right] \) is irreducible. If we set \(S_{(j)}=R_{(j)}\left[ X\right] /\left( h_{(j)}\right) \) then, by [39], \(S_{(j)}\) is a Galois extension of \( R_{(j)} \) of degree m with Galois group that is cyclic of order m. Moreover, \( S_{(j)}\) is also a finite chain ring with maximal ideal \(\mathfrak {M}_{(j)}= \mathfrak {m}_{(j)}S_{(j)}\) and residue field \(\mathbb {F}_{q_{(j)}^{m}}\). Let us denote by \(\sigma _{(j)}\) a generator of the Galois group of \(S_{(j)}\), \( \sigma =\left( \sigma _{(j)}\right) _{1\le j\le \rho }\) and \( S=S_{(1)}\times \cdots \times S_{(\rho )}\). Then, as specified in [31], S is a Galois extension of R of degree m with Galois group generated by \(\sigma \). Moreover, there exists \(h\in R\left[ X \right] \) such that \(S\cong R\left[ X\right] /\left( h\right) \). An example of construction of a Galois extension of \( \mathbb {Z} _{40}\) of degree 4 was given in [29, Example 2.2]. The following example shows how one can construct a generator of the Galois group in practice using the Hensel lifting of a primitive polynomial.

Example 11

Let us construct a degree 3 Galois extension of \(R = \mathbb {Z}_{8}\), and its Galois group. The residue field of R is \(\mathbb {F}_{q} =\mathbb {F}_{2} \) and the polynomial \(g=X^{3}+X+1\) is a primitive polynomial in \(\mathbb {F}_{q} \left[ X\right] \). Using Hensel's lemma, we can construct the polynomial \( h=X^{3}+6X^{2}+5X+7\in R\left[ X\right] \), such that \({\overline{h}}=g\) and h divides \(X^{q^{m}-1}-1\). Therefore, \(S=R\left[ X\right] /\left( h\right) =R\left[ \alpha \right] \) is a Galois extension of R of degree \( m=3\), where \(\alpha =X+\left( h\right) \). Moreover, \(\alpha ^{q^{m}-1}=1\) and \(\alpha ^{i}\ne 1\), for \(0<i<q^{m}-1\). Thus, the Galois group is generated by the map \(\sigma :S\rightarrow S\) given by \(\alpha \mapsto \alpha ^{q}\), that is to say, for all \(x=\sum _{i=0}^{m-1}x_{i}\alpha ^{i}\), where \(x_{i}\in R\), \(\sigma \left( x\right) =\sum _{i=0}^{m-1}x_{i}\alpha ^{iq}\).

Definition 4

Let \(\ \textbf{u}=\left( u_{1},\ldots ,u_{n}\right) \in S^{n}\).

  a) The support of \(\textbf{u}\), denoted by \(supp(\textbf{u})\), is the \(R-\)submodule of S generated by \(\{ u_{1},\ldots ,u_{n} \} \).

  b) The rank of \(\textbf{u}\), denoted by \(rk_{R}\left( \textbf{u} \right) \), or simply by \(rk\left( \textbf{u}\right) \), is the smallest number of elements in \(supp(\textbf{u})\) which generate \(supp(\textbf{u})\) as a \(R-\)module.

Since S is a free \(R-\)module, computing the rank of a vector \( \textbf{u}\in S^{n}\) can be done by using its matrix representation in a \(R-\)basis of S as in the case of finite fields (for more details see [31, Proposition 3.13]).

Definition 5

Let \(\mathcal {C}\) be a \(S-\)submodule of \(S^{n}\), \(\textbf{y}\) an element of \(S^{n}\) and \(r\in {{\mathbb {N}}}^{*}\). The rank decoding problem is to find (if they exist) \(\textbf{e}\) in \(S^{n}\) and \(\textbf{c}\) in \(\mathcal {C}\) such that \(\textbf{y}=\textbf{c}+\textbf{e}\) with \(rk(\textbf{e})\le r\).

Using the representation of elements in \(S^{n}\) as elements of \(R^{m\times n} \), the rank decoding problem can be reduced to the MinRank problem, as in the case of finite fields [23].

Example 12

Let us consider the rings \(R=\mathbb {Z}_{8}\) and \(\ S=R\left[ \alpha \right] \) as in Example 11. Let \(\mathcal {C} \subset S^{3}\) be the \(S-\)linear code generated by:

$$\begin{aligned} \textbf{g}=\left( 1,2\alpha ^{2}+\alpha +2,\alpha ^{2}+3\alpha \right) . \end{aligned}$$

Set \(\mathbf {y}=\left( 4\alpha ^{2}+3\alpha +3,\,5\alpha ^{2}+7\alpha +6,\,2\alpha ^{2}+4\alpha +5\right) \) and consider the instance of the rank decoding problem consisting of finding \(\textbf{c}\in \mathcal {C} \) such that

$$\begin{aligned} rk\left( \textbf{y}-\textbf{c}\right) \le 1. \end{aligned}$$
(23)

Eq. (23) is equivalent to finding \(x_{1}\), \(x_{2}\), \(x_{3}\) in R such that

$$\begin{aligned} rk\left( \textbf{y}-\left( x_{1}+x_{2}\alpha +x_{3}\alpha ^{2}\right) \textbf{g}\right) \le 1 \end{aligned}$$
(24)

Since \(\mathcal {C}\) is generated by \(\textbf{g}\), then the matrix representation of \(\mathcal {C}\) in the basis \(\left( 1,\alpha ,\alpha ^{2}\right) \) is the \(R-\)linear code generated by \(\textbf{M}_{1}\), \(\textbf{ M}_{2}\), \(\textbf{M}_{3}\) which are respectively the representation matrices of \(\textbf{g}\), \(\alpha \textbf{g}\), \(\alpha ^{2}\textbf{g}\) in the basis \( \left( 1,\alpha ,\alpha ^{2}\right) \). Let \(\textbf{M}_{0}\) be the matrix representation of \(-\textbf{y}\) in the basis \(\left( 1,\alpha ,\alpha ^{2}\right) \). Then, the rank decoding problem (24) is equivalent to the MinRank problem (16) defined in Example 9. The solution of (16) is \(x_{1}=1\), \( x_{2}=3\), \(x_{3}=6\). Thus, \(\mathbf {c}=\left( 1+3\alpha +6\alpha ^{2}\right) \) \(\textbf{g}\).
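The reduction in Example 12 can be reproduced with plain integer arithmetic. The following Python sketch is an added example, not code from the paper: it implements multiplication in \(S=\mathbb {Z}_{8}[X]/(h)\) with the polynomial h of Example 11, rebuilds \(\textbf{M}_{0},\ldots ,\textbf{M}_{3}\) from \(\textbf{g}\) and \(\textbf{y}\), and computes the error \(\textbf{y}-\textbf{c}\) for the stated solution. Elements of S are stored as coefficient lists in the basis \(\left( 1,\alpha ,\alpha ^{2}\right) \); the function names are assumptions of this example.

```python
Q, M = 8, 3                     # R = Z_8, extension degree m = 3
H = [7, 5, 6]                   # h = X^3 + 6X^2 + 5X + 7, low-order coefficients first
ONE, ALPHA = [1, 0, 0], [0, 1, 0]

def s_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def s_neg(a):
    return [(-x) % Q for x in a]

def s_mul(a, b):
    """Product in S = Z_8[X]/(h) of two coefficient lists over (1, alpha, alpha^2)."""
    prod = [0] * (2 * M - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    # Reduce the high-degree terms with alpha^3 = -(7 + 5*alpha + 6*alpha^2).
    for d in range(2 * M - 2, M - 1, -1):
        c, prod[d] = prod[d], 0
        for t in range(M):
            prod[d - M + t] -= c * H[t]
    return [c % Q for c in prod[:M]]

def s_pow(a, e):
    out = ONE
    for _ in range(e):
        out = s_mul(out, a)
    return out

def h_at(beta):
    """Evaluate h at an element beta of S."""
    out = s_pow(beta, M)
    for i, c in enumerate(H):
        out = s_add(out, s_mul([c, 0, 0], s_pow(beta, i)))
    return out

def rep_matrix(vec):
    """m x n matrix over R whose j-th column holds the coordinates of vec[j]."""
    return [[comp[i] for comp in vec] for i in range(M)]

# g and y of Example 12, each component written as [const, alpha, alpha^2].
G = [[1, 0, 0], [2, 1, 2], [0, 3, 1]]
Y = [[3, 3, 4], [6, 7, 5], [5, 4, 2]]

def minrank_instance():
    """M_0 represents -y; M_1, M_2, M_3 represent g, alpha*g, alpha^2*g."""
    M0 = rep_matrix([s_neg(c) for c in Y])
    Ms = [rep_matrix([s_mul(s_pow(ALPHA, i), c) for c in G]) for i in range(M)]
    return M0, Ms

def error_vector(x):
    """e = y - x*g for x in S, computed component by component."""
    return [s_add(yj, s_neg(s_mul(x, gj))) for yj, gj in zip(Y, G)]

if __name__ == "__main__":
    print("alpha^7 =", s_pow(ALPHA, 7))             # the unit element of S
    print("h(alpha^2) =", h_at(s_pow(ALPHA, 2)))    # sigma(alpha) is again a root of h
    print("M_0, [M_1, M_2, M_3] =", minrank_instance())
    print("y - c =", error_vector([1, 3, 6]))
```

For \(x=1+3\alpha +6\alpha ^{2}\) the error is \(\left( 2+6\alpha ^{2},\,0,\,4+4\alpha ^{2}\right) \); its third component is twice the first, so its support is generated by a single element and its rank is 1.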

6.2 Support-Minors modeling

According to [31, Proposition 3.14] we have the following:

Lemma 8

For any \(\textbf{u}\in S^{n}\) with \(rk\left( \textbf{u}\right) \le r\), there exists \(\textbf{b} \in S^{r}\) and \(\textbf{ A} \in R^{r\times n}\) such that \(row\left( \textbf{A}\right) \) is a free module of rank r and \(\textbf{u}=\textbf{bA}\).

The following result is a generalization of the Support-Minors modeling for the rank decoding problem given in [4].

Theorem 4

Let \(\mathcal {C}\) be a \(S-\)submodule of \( S^{n}\) with a generator matrix \(\textbf{G}=\left( g_{i,j}\right) _{1\le i\le k,1\le j\le n}\), \(\mathbf {y}=\left( y_{i}\right) _{1\le i\le n}\in \) \(S^{n}\) and \(r\in {{\mathbb {N}}}\). Assume that there exists \(\textbf{x} =\left( x_{i}\right) _{1\le i\le k}\in S^{k}\) such that \(rk\left( \textbf{y }-\textbf{xG}\right) \le r\). Then, there exists a set \(\left\{ z_{j_{1},\ldots ,j_{r}}:1\le j_{1}<\cdots <j_{r}\le n\right\} \) of Plücker coordinates of a free submodule of \(R^{n}\) of rank r such that

$$\begin{aligned} \sum _{s=1}^{r+1}\sum _{i=1}^{k}\left( -1\right) ^{s+1}\left( x_{i}g_{i,_{j_{s}}}-y_{j_{s}}\right) z_{j_{1},\ldots ,j_{s-1},j_{s+1},\ldots j_{r+1}}=0, \end{aligned}$$
(25)

for all sequences of \(r+1\) positive integers \(1\le j_{1}<\cdots <j_{r+1}\le n.\)

Proof

Using Lemmas 7 and 8, the proof is similar to the one from [4, Section 3]. \(\square \)

Equation (25) is a system of algebraic equations over S with unknowns \(x_{i}\in S\) and \(z_{j_{1},\ldots ,j_{s-1},j_{s+1},\ldots j_{r+1}}\in R\). To solve this equation using Gröbner bases, we must first expand this equation to R.

Example 13

Consider the rank decoding problem (23) of Example 12. Set \(\mathbf {g}= \left( g_{1},g_{2},g_{3}\right) \) and \(\mathbf {y}=\left( y_{1},y_{2},y_{3}\right) \). Then, by Theorem 4, there are x in S and \(z_{1}\), \(z_{2}\), \(z_{3}\) in R such that

$$\begin{aligned} \left\{ \begin{array}{c} \left( xg_{1}-y_{1}\right) z_{2}-\left( xg_{2}-y_{2}\right) z_{1}=0 \\ \left( xg_{1}-y_{1}\right) z_{3}-\left( xg_{3}-y_{3}\right) z_{1}=0 \\ \left( xg_{2}-y_{2}\right) z_{3}-\left( xg_{3}-y_{3}\right) z_{2}=0 \end{array} \right. \end{aligned}$$
(26)

Since \(R= \mathbb {Z} _{8}\) is a finite chain ring, at least one of the elements in the Plücker coordinates \(\left( z_{1},z_{2},z_{3}\right) \) is a unit. Without loss of generality, assume that \(z_{1}=1\). Set \(x=x_{0}+x_{1}\alpha +x_{2}\alpha ^{2}\) where \(x_{i} \in R\), for \(i \in \{ 0, 1, 2 \}\). Using SageMath [51], we substitute x and \(z_{1}\) in (26) and expand the resulting equations over R using the basis \(\left( 1,\alpha ,\alpha ^{2}\right) \), then we obtain a system of equations of the form

$$\begin{aligned} \left\{ \begin{array}{l} -z_{2}x_{0}+3z_{2}+2x_{0}+2x_{1}+5x_{2}+2=0 \\ -z_{2}x_{1}+3z_{2}+x_{0}+x_{2}+1=0 \\ -z_{2}x_{2}+4z_{2}+2x_{0}+5x_{1}+2x_{2}+3=0 \\ -z_{3}x_{0}+3z_{3}+x_{1}+5x_{2}+3=0 \\ -z_{3}x_{1}+3z_{3}+3x_{0}+3x_{1}+4=0 \\ -z_{3}x_{2}+4z_{3}+x_{0}+5x_{1}+5x_{2}+6=0 \\ z_{2}x_{1}+5z_{2}x_{2}+3z_{2}+6z_{3}x_{0}+6z_{3}x_{1}+3z_{3}x_{2}+6z_{3}=0 \\ 3z_{2}x_{0}+3z_{2}x_{1}+4z_{2}-z_{3}x_{0}-z_{3}x_{2}-z_{3}=0 \\ z_{2}x_{0}+5z_{2}x_{1}+5z_{2}x_{2}+6z_{2}+6z_{3}x_{0}+3z_{3}x_{1}+6z_{3}x_{2}+5z_{3}=0 \end{array} \right. \end{aligned}$$
(27)

As in Example 9, when we compute a Gröbner basis associated to (27) with the lexicographic order \(z_{2}>z_{3}\) \(>x_{0}>x_{1}>x_{2}\), the resolution requires a search for the solution among several potential candidates. So, to simplify the resolution, we add the polynomial expressions \(F_{m}\left( z_{2}\right) \), \(F_{m}\left( z_{3}\right) \), \( F_{m}\left( x_{0}\right) \), \(F_{m}\left( x_{1}\right) \), \(F_{m}\left( x_{2}\right) \) as in Example 4, and get the Gröbner basis: \(z_{2}^{4}-z_{2}^{2}\), \(2z_{2}\), \(z_{3}^{4}+3z_{3}^{2}+4\), \(2z_{3}+4\), \(x_{0}+7\), \(x_{1}+5\), \(x_{2}+2\). Thus, \(x_{0}=1\), \(x_{1}=3\), \(x_{2}=6\).

6.3 Algebraic modeling with skew polynomials

Skew polynomials [47] generalize linearized polynomials, and some properties of linearized polynomials have been extended to skew polynomials in [31].

Definition 6

The skew polynomial ring over S with automorphism \(\sigma \), denoted by \(S[X,\sigma ]\), is the ring of all polynomials in S[X] such that

  • the addition is defined to be the usual addition of polynomials;

  • the multiplication is defined by the basic rule \(Xa=\sigma \left( a\right) X\), for all \(a\in S\).

Notation 5

(Evaluation Map) Let \(f=a_{0}+a_{1}X+\cdots + a_{k}X^{k}\in S[X,\sigma ]\), \(x\in S\) and \( \textbf{u}=\left( u_{i}\right) _{1\le i\le n}\in S^{n}\).

  1. \(f\left( x\right) :=a_{0}x+a_{1}\sigma \left( x\right) +\cdots +a_{k}\sigma ^{k}\left( x\right) \).

  2. \(f\left( \textbf{u}\right) :=\left( f\left( u_{i}\right) \right) _{1\le i\le n}\).

According to [31, Propositions 3.15, 3.16 and Corollary 2.7], we have the following proposition.

Proposition 7

For all \(\textbf{u}\in S^{n}\), \(rk\left( \textbf{u}\right) \le r\) if and only if there exists a monic skew polynomial \(f \in S[X,\sigma ]\) of degree r such that \(f\left( \textbf{u}\right) =\textbf{0}.\) Moreover, if \(supp(\textbf{u})\) is a free module and \(rk\left( \textbf{u}\right) =r\), then f is unique.

Remark 3

To construct the skew polynomial f of Proposition 7, one generally uses a free \(R-\)submodule of S which contains \( supp(\textbf{u})\). As we pointed out in Remark 2, there is generally more than one free \(R-\)submodule of S which contains \(supp(\textbf{u})\). Thus, f is generally not unique.

Example 14

Consider again \(R=\mathbb {Z}_{8}\) and \(\ S=R\left[ \alpha \right] \) as in Example 11.

The rank of \(\textbf{u}=\left( 2+6\alpha ^{2},0,4+4\alpha ^{2}\right) \) is 1 and we would like to find all the monic skew polynomials \(f\in S[X,\sigma ]\) of degree 1 such that \(f\left( \textbf{u}\right) =\textbf{0}\). So, \(f=X+w\), where \(w\in S\) and can be written as \(w=w_{0}+w_{1}\alpha +w_{2}\alpha ^{2}\) with \(w_{0}\), \(w_{1}\), \(w_{2}\) in R. When we solve the equation \(f\left( \textbf{u}\right) =\textbf{0}\), we get \(w_{0} \in \{ 3,7\}\), \(w_{1} \in \{0,4 \}\), \(w_{2} \in \{3,7 \}\). Thus, there are eight monic skew polynomials \(f\in S[X,\sigma ]\) with degree 1 such that \(f\left( \textbf{u}\right) =\textbf{0}.\)

Notation 6

If \(\textbf{B}=\left( b_{i,j}\right) \) is a matrix with entries in S and l is a positive integer then,

$$\begin{aligned} \sigma ^{l}\left( \textbf{B}\right) :=\left( \sigma ^{l}\left( b_{i,j}\right) \right) . \end{aligned}$$

The following result is a generalization of the result given in [25, Section V].

Theorem 7

Let \(\mathcal {C}\) be a \(S-\)submodule of \(S^{n}\) with generator matrix \(\textbf{G}=\left( g_{i,j}\right) _{1\le i\le k,1\le j\le n},\) \(r\in {{\mathbb {N}}}\) and \(\mathbf {y}=\left( y_{i}\right) _{1\le i\le n}\in \) \(S^{n}\). The following statements are equivalent.

  (i) There exists \(\textbf{c}\in \mathcal {C}\) such that \(rk\left( \textbf{y}-\textbf{c}\right) \le r\).

  (ii) There are \(\left( z_{l}\right) _{0\le l\le r}\in S^{r+1}\), \( z_{r}=1\), and \(\textbf{x}=\left( x_{i}\right) _{1\le i\le k}\in S^{k}\) such that

    $$\begin{aligned} \sum _{l=0}^{r}z_{l}\sigma ^{l}\left( \textbf{y}\right) =\sum _{l=0}^{r}z_{l}\sigma ^{l}\left( \textbf{xG}\right) \end{aligned}$$
    (28)

Moreover, if \(\mathcal {C}\) is a free \(S-\)submodule of rank k and \(r\le t\), where t is the error correction capability of \(\mathcal {C}\), then \( \textbf{x}\) is unique.

Proof

By Proposition 7, \(rk\left( \textbf{y}-\textbf{c}\right) \le r\) if and only if there exists a monic skew polynomial \(P=\sum _{l=0}^{r}z_{l}X^{l} \in S[X,\sigma ]\) of degree r such that \(P\left( \textbf{y}-\textbf{c} \right) =\textbf{0}\). Since \(\textbf{c}\in \mathcal {C}\), there exists \( \textbf{x}=\left( x_{i}\right) _{1\le i\le k}\in S^{k}\) such that \( \textbf{c}=\textbf{xG}\). Thus, the result follows. \(\square \)

According to Remark 3, when the support of the error is not a free module, the unknowns \(z_{i}\), \(i=0,\ldots ,r-1\), are not unique, even if \(\textbf{x}\) is unique. So in general, (28) has many solutions. This is the main difference compared to the same result over finite fields. Note that to solve the rank decoding problem, we do not need the unknowns \(z_{i}\). We just need \(\textbf{x}\), since we can use it to recover \(\textbf{c}\).

6.3.1 Solving by linearization

In this subsection, we will show that in some cases, the unknowns \(\textbf{x}\) in (28) can be recovered using linear algebra. Eq. (28) is equivalent to

$$\begin{aligned} \textbf{Au}=\textbf{0} \end{aligned}$$
(29)

where

$$\begin{aligned} \textbf{A}=\left( \begin{array}{ccccccc} -\sigma ^{0}\left( \textbf{y}^{\top }\right)&\cdots&-\sigma ^{r-1}\left( \textbf{y}^{\top }\right)&\sigma ^{0}\left( \textbf{G}^{\top }\right)&\cdots&\sigma ^{r}\left( \textbf{G}^{\top }\right)&-\sigma ^{r}\left( \textbf{y}^{\top }\right) \end{array} \right) \end{aligned}$$

and

$$\begin{aligned} \textbf{u}^{\top }=\left( \begin{array}{ccccccc} z_{0}&\cdots&z_{r-1}&z_{0}\sigma ^{0}\left( \textbf{x}\right)&\cdots&z_{r}\sigma ^{r}\left( \textbf{x}\right)&z_{r} \end{array} \right) . \end{aligned}$$

In the same way as the row echelon form over fields, the matrix \(\textbf{A}\) can be decomposed as \(\mathbf {A=PT}\) where \(\textbf{P}\) is an invertible matrix and \(\mathbf {T}=\left( t_{i,j}\right) \) is an upper triangular matrix, that is to say \(t_{i,j}=0\) if \(i>j\) [33, Theorem 3.5]. The matrix \(\textbf{T}\) is usually called the Hermite normal form of \(\textbf{A}\). One can compute the Hermite normal form using the same methods as the Gaussian elimination algorithm, see for example [13, 33, 50]. As \( z_{r}=1\), the following proposition shows that if \(\textbf{T}\) has a specific form, then \(\textbf{x}\) can be recovered.

Proposition 8

With the above notations, assume that (28) has a solution and that \(\textbf{T}\) is of the form

$$\begin{aligned} \textbf{T}=\left( \begin{array}{cc} \textbf{T}_{1} &{} \textbf{T}_{2} \\ \textbf{0} &{} \textbf{T}_{3} \\ \textbf{0} &{} \textbf{0} \end{array} \right) \end{aligned}$$
(30)

where \(\textbf{T}_{1}\) is an \(r(k+1)\times r(k+1)\) upper triangular matrix, \( \textbf{T}_{2}\) being a \(r(k+1)\times (k+1)\) matrix and \(\textbf{T} _{3}=\left( \begin{array}{cc} \textbf{I}_{k}&\textbf{b} \end{array} \right) \) where \(\textbf{b}\) is a \(k\times 1\) matrix, then

$$\begin{aligned} \mathbf {x}=-\sigma ^{-r}\left( \textbf{b}^{\top }\right) . \end{aligned}$$

Note that (29) is a homogeneous system of n linear equations with \((k+1)(r+1)\) unknowns. So, a necessary condition for \(\textbf{T}\) to have the form (30) is \(n\ge (k+1)(r+1)-1\). The same condition was given in [25, Theorem 12] in the case of finite fields. With this condition, we observed in our simulations that, when \(\mathcal {C}\) is a random free submodule, \(\textbf{x}\) can be recovered in many cases. It would therefore be interesting to study the probability of this observation.

Example 15

Consider the rank decoding problem of Example 12. Then there are \(x\in S\) and \(\textbf{e}\in S^{3}\) such that

$$\begin{aligned} \textbf{y}=x\textbf{g}+\textbf{e} \end{aligned}$$
(31)

with \(rk\left( \textbf{e}\right) =r=1\). So, the skew polynomial \(P\in S[X,\sigma ]\), such that

$$\begin{aligned} P\left( \textbf{e}\right) =\textbf{0} \end{aligned}$$
(32)

is of the form \(P=z_{0}+z_{1}X\) where \(z_{0},z_{1}\in S\) with \(z_{1}=1\). By setting \(\mathbf {g}=\left( g_{1},g_{2},g_{3}\right) \) and \(\mathbf {y}=\left( y_{1},y_{2},y_{3}\right) \), (31) and (32) imply

$$\begin{aligned} z_{0}\left( xg_{j}-y_{j}\right) +z_{1}\sigma \left( xg_{j}-y_{j}\right) =0,\ \ \ \ j=1,...,3. \end{aligned}$$
(33)

which means that

$$\begin{aligned} \textbf{A}\left( \begin{array}{c} z_{0} \\ z_{0}x \\ z_{1}\sigma \left( x\right) \\ z_{1} \end{array} \right) =\left( \begin{array}{c} 0 \\ 0 \\ 0 \\ 0 \end{array} \right) \end{aligned}$$
(34)

where

$$\begin{aligned} \textbf{A}=\left( \begin{array}{cccc} -y_{1} &{} g_{1} &{} \sigma \left( g_{1}\right) &{} -\sigma \left( y_{1}\right) \\ -y_{2} &{} g_{2} &{} \sigma \left( g_{2}\right) &{} -\sigma \left( y_{2}\right) \\ -y_{3} &{} g_{3} &{} \sigma \left( g_{3}\right) &{} -\sigma \left( y_{3}\right) \end{array} \right) . \end{aligned}$$

Using Magma [9], we compute the row echelon form of \(\textbf{A}\) and get:

$$\begin{aligned} \textbf{T}=\left( \begin{array}{cccc} 1 &{} \alpha ^{2}+\alpha &{} 0 &{} 2\alpha ^{2}+4 \\ 0 &{} 2 &{} 0 &{} 6\alpha ^{2}+4\alpha \\ 0 &{} 0 &{} 1 &{} 3\alpha ^{2}+6\alpha +3 \end{array} \right) \end{aligned}$$

Thus,

$$\begin{aligned} x&= -\sigma ^{-1}\left( 3\alpha ^{2}+6\alpha +3\right) \\ &= 1+3\alpha +6\alpha ^{2} \end{aligned}$$
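The computations of Examples 14 and 15 can be replayed numerically. The Python sketch below is an added example, not the authors' SageMath or Magma code. Example 11 is outside this section, so it assumes \(S=\mathbb {Z}_{8}[\alpha ]/(\alpha ^{3}+6\alpha ^{2}+5\alpha +7)\) with \(\sigma (\alpha )=\alpha ^{2}\), a choice that reproduces the values printed in both examples; all function names are the example's own.

```python
from itertools import product

Q = 8  # R = Z_8
# Assumption (Example 11 is not shown here): alpha^3 = 1 + 3*alpha + 2*alpha^2,
# i.e. alpha is a root of X^3 + 6X^2 + 5X + 7 over Z_8.
ALPHA3 = (1, 3, 2)
ZERO, ONE = (0, 0, 0), (1, 0, 0)

def add(a, b):
    return tuple((x + y) % Q for x, y in zip(a, b))

def neg(a):
    return tuple(-x % Q for x in a)

def mul(a, b):
    """Product in S on triples (c0, c1, c2) meaning c0 + c1*alpha + c2*alpha^2."""
    c = [0] * 5
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            c[i + j] += x * y
    for d in (4, 3):  # rewrite alpha^d as alpha^(d-3) * alpha^3
        for t, coeff in enumerate(ALPHA3):
            c[d - 3 + t] += c[d] * coeff
    return tuple(v % Q for v in c[:3])

ALPHA2 = mul((0, 1, 0), (0, 1, 0))
ALPHA4 = mul(ALPHA2, ALPHA2)

def sigma(a):
    """Assumed automorphism of S over R: alpha -> alpha^2."""
    img = (a[0], 0, 0)
    for coeff, power in ((a[1], ALPHA2), (a[2], ALPHA4)):
        img = add(img, mul((coeff, 0, 0), power))
    return img

def evaluate(f, x):
    """Notation 5: f(x) = a_0*x + a_1*sigma(x) + ... for f = (a_0, ..., a_k)."""
    total, image = ZERO, x
    for a in f:
        total = add(total, mul(a, image))
        image = sigma(image)
    return total

def monic_degree1_annihilators(u):
    """Every w in S such that f = X + w satisfies f(u_i) = 0 for all i."""
    return [w for w in product(range(Q), repeat=3)
            if all(evaluate((w, ONE), ui) == ZERO for ui in u)]

def example_14():
    u = [(2, 0, 6), ZERO, (4, 0, 4)]  # u = (2 + 6a^2, 0, 4 + 4a^2)
    return monic_degree1_annihilators(u)

def example_15_x():
    b = (3, 6, 3)                     # column b of T_3: 3a^2 + 6a + 3
    return sigma(sigma(neg(b)))       # sigma has order 3, so sigma^-1 = sigma^2

if __name__ == "__main__":
    print(example_14())
    print(example_15_x())
```

The eight triples returned by `example_14()` are the coefficient vectors \((w_{0},w_{1},w_{2})\) of Example 14, and `example_15_x()` returns the coefficients of x in the basis \(\left( 1,\alpha ,\alpha ^{2}\right) \).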

6.3.2 Solving with Gröbner bases

When S is a finite field, Eq. (28) is a system of multivariate polynomial equations in the variables \(z_{l}\) and \(x_{i}\), and such a system was solved directly with Gröbner bases in [25, Section VII]. However, when S is not a field, the expression \(\sigma ^{l}\left( x_{i}g_{i,j}\right) \) is not a polynomial function in the variable \(x_{i}\). So, to transform (28) into a system of multivariate polynomial equations, we will expand this equation in R. Let \(\left( \beta _{u}\right) _{1\le u\le m}\) be a \(R-\)basis of S. Using the notations of Theorem 7, set \(x_{i}=\sum _{u=1}^{m}x_{i,u}\beta _{u}\) and \(z_{l}=\sum _{v=1}^{m}z_{l,v} \beta _{v}\) where \(x_{i,u}\) and \(z_{l,v}\) are in R. If we substitute \(x_{i} \) and \(z_{l}\) in (28) and expand the resulting equations over R using the basis \(\left( \beta _{u}\right) _{1\le u\le m}\), then we obtain a system of equations of the form:

$$\begin{aligned} \left( \widetilde{\textbf{x}}\otimes \widetilde{\textbf{z}}\right) \textbf{A} +\widetilde{\textbf{x}}\textbf{B}+\widetilde{\textbf{z}}\textbf{C}+\textbf{D} =\textbf{0} \end{aligned}$$
(35)

where

$$\begin{aligned} \widetilde{\textbf{x}}=\left( x_{1,1},\ldots x_{1,m},\ldots ,x_{k,1},\ldots x_{k,m}\right) , \widetilde{\textbf{z}}=\left( z_{0,1},\ldots z_{0,m},\ldots ,z_{r-1,1},\ldots z_{r-1,m}\right) , \end{aligned}$$

and \( \textbf{A}\), \(\textbf{B}\), \(\textbf{C}\), \(\textbf{D}\) are matrices with mn columns and entries in R.

Assume that \(\mathcal {C}\) is a free \(S-\)submodule and \(r\le t\), where t is the error correction capability of \(\mathcal {C}\). Then, according to Theorem 7, Eq. (35) has a unique solution in the variables \(\widetilde{\textbf{x}}\) that we denote by \( \widetilde{\textbf{x}}_{0}\). Remember that when the support of the error is not a free module, Eq. (35) has many solutions in the variables \(\widetilde{\textbf{z}}\). But also note that we do not need all the solutions of (35). We just need the partial solution \(\widetilde{ \textbf{x}}_{0}\). Therefore, to solve (35) we can use the elimination theorem as specified in Sect. 3 to simply find the partial solution \(\widetilde{\textbf{x}}_{0}\) using Gröbner bases.

Example 16

Consider Eq. (33) of Example 15. Set \(x=x_{0}+x_{1}\alpha +x_{2}\alpha ^{2}\) and \( z_{0}=t_{0}+t_{1}\alpha +t_{2}\alpha ^{2}\) where \(x_{i}\) and \(t_{i}\) are in R for \(i=1,\ldots ,3\). Using SageMath, we substitute x, \(z_{0}\) and \( z_{1}=1\) in (33) and expand the resulting equations over R using the basis \(\left( 1,\alpha ,\alpha ^{2}\right) \) to finally obtain a system of equations of the form

$$\begin{aligned} \tiny { \left\{ \begin{array}{l} x_{0}t_{0}+x_{2}t_{1}+x_{1}t_{2}+2x_{2}t_{2}+x_{0}+2x_{2}+5t_{0}+4t_{1}+5t_{2}+5=0 \\ x_{1}t_{0}+x_{0}t_{1}+3x_{2}t_{1}+3x_{1}t_{2}-x_{2}t_{2}-x_{2}+5t_{0}+t_{1}+3t_{2}+4=0 \\ x_{2}t_{0}+x_{1}t_{1}+2x_{2}t_{1}+x_{0}t_{2}+2x_{1}t_{2}-x_{2}t_{2}+x_{1}-x_{2}+4t_{0}+5t_{1}+3t_{2}+1=0 \\ 2x_{0}t_{0}+2x_{1}t_{0}+5x_{2}t_{0}+2x_{0}t_{1}+5x_{1}t_{1}+2x_{2}t_{1}+5x_{0}t_{2}+2x_{1}t_{2}+5x_{2} t_{2}+6x_{0}+4x_{1}+x_{2}+2t_{0}+3t_{1}-t_{2}=0 \\ x_{0}t_{0}+x_{2}t_{0}+x_{1}t_{1}+3x_{2}t_{1}+x_{0}t_{2}+3x_{1}t_{2}+x_{2}t_{2}+6x_{0}+3x_{1}+6x_{2} +t_{0}+3t_{1}+5=0 \\ 2x_{0}t_{0}+5x_{1}t_{0}+2x_{2}t_{0}+5x_{0}t_{1}+2x_{1}t_{1}+5x_{2}t_{1}+2x_{0}t_{2}+5x_{1}t_{2} +5x_{2}t_{2}-x_{0}+3x_{1}-x_{2}+3t_{0}-t_{1}+t_{2}+6=0 \\ x_{1}t_{0}+5x_{2}t_{0}+x_{0}t_{1}+5x_{1}t_{1}+5x_{2}t_{1}+5x_{0}t_{2}+5x_{1}t_{2}+2x_{2}t_{2} +2x_{0}+3x_{1}-x_{2}+3t_{0}+6t_{1}+7=0 \\ 3x_{0}t_{0}+3x_{1}t_{0}+3x_{0}t_{1}+4x_{2}t_{1}+4x_{1}t_{2}+3x_{2}t_{2}-x_{0}+3x_{1}+3x_{2} +4t_{0}+5t_{1}+6t_{2}+2=0 \\ x_{0}t_{0}+5x_{1}t_{0}+5x_{2}t_{0}+5x_{0}t_{1}+5x_{1}t_{1}+2x_{2}t_{1}+5x_{0}t_{2}+2x_{1}t_{2} +2x_{0}+6x_{1}+3x_{2}+6t_{0}+5t_{2}+6=0 \end{array} \right. } \end{aligned}$$
(36)

Using SageMath [51], we compute a Gröbner basis of (36) and get:

$$\begin{aligned} \left\{ x_{0}+7,x_{1}+5,x_{2}+2,2t_{0}+2,2t_{1},2t_{2}+2\right\} \text {.} \end{aligned}$$

Thus, \(x=x_{0}+x_{1}\alpha +x_{2}\alpha ^{2}=1+3\alpha +6\alpha ^{2}\).
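The remark made before Example 16, that only the partial solution in the x-variables is needed and is unique while the z-variables are not, can be checked on system (36) by exhaustive search over \(\mathbb {Z}_{8}^{6}\). This is an added Python example, not the authors' SageMath code; the equations are transcribed from (36) as printed above and the function names are the example's own.

```python
from itertools import product

Q = 8  # R = Z_8

# Left-hand sides of system (36), in the order printed; arguments are
# (x0, x1, x2, t0, t1, t2).
EQS = [
    lambda x0, x1, x2, t0, t1, t2: x0*t0 + x2*t1 + x1*t2 + 2*x2*t2
        + x0 + 2*x2 + 5*t0 + 4*t1 + 5*t2 + 5,
    lambda x0, x1, x2, t0, t1, t2: x1*t0 + x0*t1 + 3*x2*t1 + 3*x1*t2 - x2*t2
        - x2 + 5*t0 + t1 + 3*t2 + 4,
    lambda x0, x1, x2, t0, t1, t2: x2*t0 + x1*t1 + 2*x2*t1 + x0*t2 + 2*x1*t2
        - x2*t2 + x1 - x2 + 4*t0 + 5*t1 + 3*t2 + 1,
    lambda x0, x1, x2, t0, t1, t2: 2*x0*t0 + 2*x1*t0 + 5*x2*t0 + 2*x0*t1
        + 5*x1*t1 + 2*x2*t1 + 5*x0*t2 + 2*x1*t2 + 5*x2*t2
        + 6*x0 + 4*x1 + x2 + 2*t0 + 3*t1 - t2,
    lambda x0, x1, x2, t0, t1, t2: x0*t0 + x2*t0 + x1*t1 + 3*x2*t1 + x0*t2
        + 3*x1*t2 + x2*t2 + 6*x0 + 3*x1 + 6*x2 + t0 + 3*t1 + 5,
    lambda x0, x1, x2, t0, t1, t2: 2*x0*t0 + 5*x1*t0 + 2*x2*t0 + 5*x0*t1
        + 2*x1*t1 + 5*x2*t1 + 2*x0*t2 + 5*x1*t2 + 5*x2*t2
        - x0 + 3*x1 - x2 + 3*t0 - t1 + t2 + 6,
    lambda x0, x1, x2, t0, t1, t2: x1*t0 + 5*x2*t0 + x0*t1 + 5*x1*t1
        + 5*x2*t1 + 5*x0*t2 + 5*x1*t2 + 2*x2*t2
        + 2*x0 + 3*x1 - x2 + 3*t0 + 6*t1 + 7,
    lambda x0, x1, x2, t0, t1, t2: 3*x0*t0 + 3*x1*t0 + 3*x0*t1 + 4*x2*t1
        + 4*x1*t2 + 3*x2*t2 - x0 + 3*x1 + 3*x2 + 4*t0 + 5*t1 + 6*t2 + 2,
    lambda x0, x1, x2, t0, t1, t2: x0*t0 + 5*x1*t0 + 5*x2*t0 + 5*x0*t1
        + 5*x1*t1 + 2*x2*t1 + 5*x0*t2 + 2*x1*t2
        + 2*x0 + 6*x1 + 3*x2 + 6*t0 + 5*t2 + 6,
]

def solutions():
    """All (x, t) in Z_8^3 x Z_8^3 that satisfy every equation of (36)."""
    return [(v[:3], v[3:]) for v in product(range(Q), repeat=6)
            if all(eq(*v) % Q == 0 for eq in EQS)]

def partial_solution(sols):
    """Projection onto the x-coordinates, the part kept by elimination."""
    return sorted({x for x, _ in sols})

def z0_candidates(sols):
    """Distinct (t0, t1, t2), i.e. the admissible values of z_0."""
    return sorted({t for _, t in sols})

if __name__ == "__main__":
    s = solutions()
    print(partial_solution(s), z0_candidates(s))
```

The x-projection is the single point given by \(x_{0}+7\), \(x_{1}+5\), \(x_{2}+2\), while \(2t_{0}+2\), \(2t_{1}\), \(2t_{2}+2\) leave two values for each \(t_{i}\).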

The SageMath code used for all the examples in this paper is available at https://github.com/hervekalachi/Ring_RSD-MinRank.

7 Conclusion

In this work, we have shown that solving systems of algebraic equations over finite commutative rings reduces to the same problem over Galois rings. Then, using the elimination theorem and some properties of canonical generating systems, we have also shown how Gröbner bases can be used to solve systems of algebraic equations over finite chain rings. As applications, these results have been used to give some algebraic approaches for solving the MinRank problem and the rank decoding problem over finite principal ideal rings.

The above work clearly opens the door to an important complexity question, namely the real cost of Gröbner bases computation over finite chain rings, or at least the cost when dealing with the MinRank and rank decoding problems over finite chain rings.

Another metric used in coding theory and cryptography is the Lee metric [37]. This metric is usually defined over integer residue rings, which are specific cases of finite principal ideal rings. Another interesting perspective will be to study the possibility of using algebraic techniques for solving the decoding problem in the Lee metric.