An Estimator for the Hardness of the MQ Problem

  • Conference paper
  • Progress in Cryptology - AFRICACRYPT 2022 (AFRICACRYPT 2022)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13503)

Abstract

The Multivariate Quadratic (\(\textsf {MQ}\)) problem consists of finding the solutions of a given system of m quadratic equations in n unknowns over a finite field; it is an NP-complete problem of fundamental importance in computer science. In particular, the security of some cryptosystems against so-called algebraic attacks is usually based on the hardness of this problem. Many algorithms for solving the \(\textsf {MQ}\) problem have been proposed and studied. Estimating the complexity of all these algorithms precisely is crucial for setting secure parameters for a cryptosystem. This work collects and presents the most important classical algorithms and the estimates of their computational complexities. Moreover, it describes software that we wrote which makes it possible to estimate the hardness of a given instance of the \(\textsf {MQ}\) problem.

Notes

  1. Every row of the Macaulay matrix can be computed on the fly, but this introduces an overhead in the time complexity.

  2. The factor \(8k \log n\) comes from the expected complexity of the Valiant-Vazirani isolation algorithm with probability \(1 - 1/n\); see [16, Sec. 2.5] for more details.

  3. For instance, for the Type IV parameters where \(n=66\), the authors used several Spartan-6 FPGAs to break the challenge. There the authors implemented the \(\textsf {FES}\) algorithm to solve a system with 48 variables and equations. This particular implementation allowed them to test \(2^{10}\) potential solutions per clock cycle, which means they are computing at least \(2^{10}\) bit operations per clock cycle.
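The MQ problem defined in the abstract and the on-the-fly Macaulay rows of note 1, as an added example that is not part of the paper or its estimator software: a constructed toy system over GF(2) with 3 quadratic equations in 3 unknowns, solved by exhaustive search over all \(2^n\) candidates, and the rows of its degree-3 Macaulay matrix generated without ever storing the matrix. All function and variable names are my own.

```python
from itertools import combinations, product

# A polynomial over GF(2) is a frozenset of monomials; a monomial is a frozenset
# of variable indices (the empty frozenset is the constant 1). Since x_i^2 = x_i
# on GF(2) inputs, square-free monomials are all we need.
def poly(*monomials):
    """Build a polynomial from monomials given as tuples of variable indices."""
    return frozenset(frozenset(m) for m in monomials)

# Constructed toy instance: m = 3 quadratic equations p(x) = 0 in n = 3 unknowns.
N = 3
SYSTEM = [
    poly((0, 1), (2,), ()),        # x0*x1 + x2 + 1
    poly((0, 2), (1,), ()),        # x0*x2 + x1 + 1
    poly((1, 2), (0,), (1,), ()),  # x1*x2 + x0 + x1 + 1
]

def evaluate(p, x):
    """Evaluate p at the 0/1 vector x: sum of monomial values modulo 2."""
    return sum(all(x[i] for i in m) for m in p) % 2

def brute_force(system, n):
    """Test all 2^n candidates; return (solutions, number of candidates tested)."""
    sols = [x for x in product((0, 1), repeat=n)
            if all(evaluate(p, x) == 0 for p in system)]
    return sols, 2 ** n

def multiply(p, mono):
    """Multiply p by a monomial in GF(2)[x]/(x_i^2 + x_i): union of index sets,
    with monomials that collapse onto the same square-free monomial cancelling."""
    result = set()
    for m in p:
        result ^= {m | mono}   # toggling implements addition modulo 2
    return frozenset(result)

def macaulay_rows(system, n, degree):
    """Yield the rows of the degree-`degree` Macaulay matrix one at a time:
    every equation times every monomial of degree <= degree - 2, so no row
    has to be stored (the on-the-fly computation of note 1)."""
    for d in range(degree - 1):
        for idx in combinations(range(n), d):
            for p in system:
                yield multiply(p, frozenset(idx))

def macaulay_shape(system, n, degree):
    """Row and column count of the Macaulay matrix without materialising it."""
    rows = sum(1 for _ in macaulay_rows(system, n, degree))
    cols = sum(1 for d in range(degree + 1) for _ in combinations(range(n), d))
    return rows, cols

if __name__ == "__main__":
    print(brute_force(SYSTEM, N))        # ([(1, 0, 1)], 8)
    print(macaulay_shape(SYSTEM, N, 3))  # (12, 8)
```

The toy system has the unique solution (1, 0, 1); the 12-by-8 degree-3 Macaulay matrix is what an XL-style solver would row-reduce instead of enumerating candidates.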

References

  1. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015). https://eprint.iacr.org/2015/046

  2. Alman, J., Williams, V.V.: A refined laser method and faster matrix multiplication. In: Proceedings of the Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 522–539 (2021)

  3. Ars, G., Faugère, J.-C., Imai, H., Kawazoe, M., Sugita, M.: Comparison between XL and Gröbner basis algorithms. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_24

  4. Ayad, A.: A survey on the complexity of solving algebraic systems. Int. Math. Forum 5(5–8), 333–353 (2010)

  5. Barbero, S., Bellini, E., Sanna, C., Verbel, J.: Practical complexities of probabilistic algorithms for solving Boolean polynomial systems. Discret. Appl. Math. 309, 13–31 (2022)

  6. Bard, G.V.: Algorithms for Solving Linear and Polynomial Systems of Equations over Finite Fields with Applications to Cryptanalysis. Theses, University of Maryland (2007)

  7. Bardet, M., Faugère, J.C., Salvy, B.: On the complexity of the F5 Gröbner basis algorithm. J. Symb. Comput. 70, 49–70 (2015). https://doi.org/10.1016/j.jsc.2014.09.025

  8. Bardet, M., Faugère, J.C., Salvy, B., Spaenlehauer, P.J.: On the complexity of solving quadratic Boolean systems. J. Complex. 29(1), 53–75 (2013). https://doi.org/10.1016/j.jco.2012.07.001

  9. Bellini, E., Makarim, R., Verbel, J.: An estimator for the complexity of the \({MQ}\) problem (2021). https://github.com/Crypto-TII/multivariate_quadratic_estimator

  10. Bellini, E., Esser, A.: Syndrome decoding estimator (2021). https://github.com/Crypto-TII/syndrome_decoding_estimator

  11. Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-Quantum Cryptography. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7

  12. Bernstein, D.J., Yang, B.-Y.: Asymptotically faster quantum algorithms to solve multivariate quadratic equations. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 487–506. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_23

  13. Beullens, W.: Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 183–211. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_7

  14. Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 348–373. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_13

  15. Beullens, W.: MAYO: practical post-quantum signatures from oil-and-vinegar maps. In: AlTawy, R., Hülsing, A. (eds.) SAC 2021. LNCS, vol. 13203, pp. 355–376. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99277-4_17

  16. Björklund, A., Kaski, P., Williams, R.: Solving systems of polynomial equations over GF(2) by a parity-counting self-reduction. In: Baier, C., Chatzigiannakis, I., Flocchini, P., Leonardi, S. (eds.) International Colloquium on Automata, Languages and Programming - ICALP 2019. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2019). https://doi.org/10.4230/LIPIcs.ICALP.2019.26

  17. Bouillaguet, C., et al.: Fast exhaustive search for polynomial systems in \({\mathbb{F}_2}\). In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 203–218. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_14

  18. Bouillaguet, C., Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Fast exhaustive search for quadratic systems in \(\mathbb{F}_{2}\) on FPGAs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 205–222. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_11

  19. Buchmann, J.A., Ding, J., Mohamed, M.S.E., Mohamed, W.S.A.E.: MutantXL: solving multivariate polynomial equations for cryptanalysis. In: Handschuh, H., Lucks, S., Preneel, B., Rogaway, P. (eds.) Symmetric Cryptography. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany (2009). https://drops.dagstuhl.de/opus/volltexte/2009/1945

  20. Casanova, A., Faugère, J.C., Macario-Rat, G., Patarin, J., Perret, L., Ryckeghem, J.: GeMSS: a great multivariate short signature. NIST CSRC (2017). https://www-polsys.lip6.fr/Links/NIST/GeMSS.html

  21. Chen, M.-S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: SOFIA: \(\cal{MQ}\)-based signatures in the QROM. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 3–33. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_1

  22. Chen, M.S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: MQDSS specifications (2020). https://mqdss.org/specification.html

  23. Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Solving quadratic equations with XL on parallel architectures. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 356–373. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_21

  24. Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_27

  25. Courtois, N., Goubin, L., Meier, W., Tacier, J.-D.: Solving underdefined systems of multivariate quadratic equations. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 211–227. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_15

  26. Cox, D.A., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra, 3/e. Undergraduate Texts in Mathematics, Springer, New York (2007)

  27. Dickenstein, A., Emiris, I.Z.: Solving Polynomial Equations. Foundations, Algorithms, and Applications, Algorithms and Computation in Mathematics, vol. 14. Springer, Heidelberg (2005)

  28. Ding, J., Chen, M., Petzoldt, A., Schmidt, D., Yang, B.: Rainbow. NIST CSRC (2017). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions

  29. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_12

  30. Ding, J., Zhang, Z., Deaton, J.: How much can F5 really do. Cryptology ePrint Archive, Report 2021/051 (2021). https://eprint.iacr.org/2021/051

  31. Dinur, I.: Cryptanalytic applications of the polynomial method for solving multivariate equation systems over GF(2). In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 374–403. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_14

  32. Dinur, I.: Improved algorithms for solving polynomial systems over GF(2) by multiple parity-counting. In: ACM-SIAM Symposium on Discrete Algorithms (SODA), pp. 2550–2564 (2021). https://doi.org/10.1137/1.9781611976465.151

  33. Duarte, J.D.: On the complexity of the crossbred algorithm. Cryptology ePrint Archive, Report 2020/1058 (2020). https://eprint.iacr.org/2020/1058

  34. Eder, C., Faugère, J.C.: A survey on signature-based algorithms for computing Gröbner bases. J. Symb. Comput. 80, 719–784 (2017)

  35. Esser, A., Bellini, E.: Syndrome decoding estimator. Cryptology ePrint Archive, Report 2021/1243 (2021). https://ia.cr/2021/1243

  36. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1), 61–88 (1999)

  37. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC 2002, pp. 75–83. Association for Computing Machinery, New York (2002)

  38. Faugère, J., Horan, K., Kahrobaei, D., Kaplan, M., Kashefi, E., Perret, L.: Fast quantum algorithm for solving multivariate quadratic equations. CoRR abs/1712.07211 (2017)

  39. Faugère, J.C., Gianni, P., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993)

  40. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  41. Furue, H., Nakamura, S., Takagi, T.: Improving Thomae-Wolf algorithm for solving underdetermined multivariate quadratic polynomial problem. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 65–78. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_4

  42. Furue, H., Duong, D., Takagi, T.: An efficient MQ-based signature with tight security proof. Int. J. Netw. Comput. 10(2), 308–324 (2020). https://www.ijnc.org/index.php/ijnc/article/view/238

  43. Fusco, G., Bach, E.: Phase transition of multivariate polynomial systems. In: Cai, J.-Y., Cooper, S.B., Zhu, H. (eds.) TAMC 2007. LNCS, vol. 4484, pp. 632–645. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72504-6_58

  44. Gashkov, S.B., Sergeev, I.S.: Complexity of computations in finite fields. Fundam. Prikl. Mat. 17(4), 95–131 (2011/12)

  45. Hashimoto, Y.: Algorithms to solve massively under-defined systems of multivariate quadratic equations. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E94.A(6), 1257–1262 (2011). https://doi.org/10.1587/transfun.E94.A.1257

  46. Huang, H., Bao, W.: Algorithm for solving massively underdefined systems of multivariate quadratic equations over finite fields (2015)

  47. Ito, T., Shinohara, N., Uchiyama, S.: An efficient \(F_4\)-style based algorithm to solve MQ problems. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 37–52. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_3

  48. Joux, A., Vitse, V.: A crossbred algorithm for solving Boolean polynomial systems. In: Kaczorowski, J., Pieprzyk, J., Pomykała, J. (eds.) NuTMiC 2017. LNCS, vol. 10737, pp. 3–21. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76620-1_1

  49. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_15

  50. Lazard, D.: Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations. In: van Hulzen, J.A. (ed.) EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (1983). https://doi.org/10.1007/3-540-12868-9_99

  51. Lokshtanov, D., Paturi, R., Tamaki, S., Williams, R., Yu, H.: Beating brute force for systems of polynomial equations over finite fields. In: Symposium on Discrete Algorithms, SODA 2017, pp. 2190–2202. Society for Industrial and Applied Mathematics, USA (2017)

  52. Makarim, R.H., Stevens, M.: M4GB: an efficient Gröbner-basis algorithm. In: Burr, M.A., Yap, C.K., Din, M.S.E. (eds.) Proceedings of the 2017 ACM on International Symposium on Symbolic and Algebraic Computation, ISSAC 2017, Kaiserslautern, Germany, pp. 293–300. ACM (2017). https://doi.org/10.1145/3087604.3087638

  53. Miura, H., Hashimoto, Y., Takagi, T.: Extended algorithm for solving underdefined multivariate quadratic equations. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 118–135. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_8

  54. Moody, D.: The homestretch: the beginning of the end of the NIST PQC 3rd round. In: International Conference on Post-Quantum Cryptography (2021). https://pqcrypto2021.kr/download/program/2.2_PQCrypto2021.pdf

  55. Mou, C.: Solving Polynomial Systems over Finite Fields: Algorithms, Implementation and Applications. Theses, Université Pierre et Marie Curie (2013)

  56. Niederhagen, R.: Parallel cryptanalysis. Ph.D. thesis, Eindhoven University of Technology (2012). https://polycephaly.org/thesis/index.shtml

  57. Ning, K.C.: An adaption of the crossbred algorithm for solving multivariate quadratic systems over \(\mathbb{F} _2\) on GPUs (2017). https://pure.tue.nl/ws/portalfiles/portal/91105984/NING.K_parallel_cb_v103.pdf

  58. NIST: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2017). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

  59. Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_40

  60. Schwabe, P., Westerbaan, B.: Solving binary \(\cal{MQ}\) with Grover’s algorithm. In: Carlet, C., Hasan, M.A., Saraswat, V. (eds.) SPACE 2016. LNCS, vol. 10076, pp. 303–322. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49445-6_17

  61. Seres, I.A., Horváth, M., Burcsi, P.: The Legendre pseudorandom function as a multivariate quadratic cryptosystem: security and applications. Cryptology ePrint Archive, Report 2021/182 (2021). https://ia.cr/2021/182

  62. Strassen, V.: Gaussian elimination is not optimal. Numer. Math. 13(4), 354–356 (1969)

  63. Thomae, E., Wolf, C.: Solving underdetermined systems of multivariate quadratic equations revisited. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 156–171. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_10

  64. Ullah, E.: New techniques for polynomial system solving. Theses, Universität Passau (2012)

  65. Yang, B.-Y., Chen, J.-M.: Theoretical analysis of XL over small fields. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 277–288. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_24

  66. Yasuda, T., Dahan, X., Huang, Y.J., Takagi, T., Sakurai, K.: MQ challenge: hardness evaluation of solving multivariate quadratic problems. In: NIST Workshop on Cybersecurity in a Post-Quantum World, Washington, D.C (2015). https://www.mqchallenge.org

Author information

Corresponding author: Rusydi H. Makarim

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Bellini, E., Makarim, R.H., Sanna, C., Verbel, J. (2022). An Estimator for the Hardness of the MQ Problem. In: Batina, L., Daemen, J. (eds) Progress in Cryptology - AFRICACRYPT 2022. AFRICACRYPT 2022. Lecture Notes in Computer Science, vol 13503. Springer, Cham. https://doi.org/10.1007/978-3-031-17433-9_14

  • DOI: https://doi.org/10.1007/978-3-031-17433-9_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17432-2

  • Online ISBN: 978-3-031-17433-9

  • eBook Packages: Computer Science, Computer Science (R0)
