Solving Binary \(\mathcal {MQ}\) with Grover’s Algorithm

Conference paper

DOI: 10.1007/978-3-319-49445-6_17

Part of the Lecture Notes in Computer Science book series (LNCS, volume 10076)
Cite this paper as:
Schwabe P., Westerbaan B. (2016) Solving Binary \(\mathcal {MQ}\) with Grover’s Algorithm. In: Carlet C., Hasan M., Saraswat V. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2016. Lecture Notes in Computer Science, vol 10076. Springer, Cham

Abstract

The problem of solving a system of quadratic equations in multiple variables—known as multivariate-quadratic or \(\mathcal {MQ}\) problem—is the underlying hard problem of various cryptosystems. For efficiency reasons, a common instantiation is to consider quadratic equations over \(\mathbb {F}_2\). The current state of the art in solving the \(\mathcal {MQ}\) problem over \(\mathbb {F}_2\) for sizes commonly used in cryptosystems is enumeration, which runs in time \(\varTheta (2^n)\) for a system of n variables. Grover’s algorithm running on a large quantum computer is expected to reduce the time to \(\varTheta (2^{n/2})\). As a building block, Grover’s algorithm requires an “oracle”, which is used to evaluate the quadratic equations at a superposition of all possible inputs. In this paper, we describe two different quantum circuits that provide this oracle functionality. As a corollary, we show that even a relatively small quantum computer with as little as 92 logical qubits is sufficient to break \(\mathcal {MQ}\) instances that have been proposed for 80-bit pre-quantum security.

Keywords

Grover’s algorithm Multivariate quadratics Quantum resource estimates 

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.Digital Security GroupRadboud UniversityNijmegenThe Netherlands

Personalised recommendations