1 Introduction

Computationally difficult algebraic problems, e.g. the discrete logarithm problem (DLP) and the integer factorisation problem (IP), have historically been successfully exploited to construct secure cryptographic protocols, such as RSA, Diffie-Hellman and ECDSA. An interested reader can find details on these schemes and the underlying algebraic problems in [1] or [2]. The advent of quantum algorithms, for example Shor's algorithm [3], has, however, rendered several established primitives vulnerable to quantum attackers, thus encouraging researchers to design and analyse new families of cryptosystems based on NP-hard problems, since no quantum algorithm is known to solve them efficiently. Post-Quantum Cryptography [4] refers to the class of cryptographic primitives built upon computational problems not readily solvable by quantum computers. Among these, of particular interest are lattice-based, code-based and multivariate-based cryptosystems, namely, systems whose security is intertwined with the computational complexity of solving problems over lattices, e.g. the shortest vector problem (SVP) or the closest vector problem (CVP) [5], problems based on coding theory, e.g. the Maximum Likelihood Decoding Problem (MLD) [6], and problems over polynomial ideals, e.g. the problem of deciding whether a quadratic Boolean polynomial system admits a solution, usually referred to as the Multivariate Quadratic Problem (MQ) [7].

This massive research effort is still ongoing, as can be noticed by the wide participation in the NIST standardisation process for post-quantum primitives. The round-3 finalists for key-encapsulation mechanisms (KEM) are Classic McEliece [8], CRYSTALS-KYBER [9], NTRU [10] and SABER [11], while the round-3 finalists for digital signature schemes are CRYSTALS-DILITHIUM [12], FALCON [13] and Rainbow [14]. Notably, the only round-3 finalists which are not lattice-based are Classic McEliece and Rainbow, which are, respectively, code-based and multivariate-based.

As briefly stated above, code-based schemes are designed by exploiting computational and decision problems arising from Coding Theory, such as the Maximum-Likelihood Decoding problem (MLD) for linear codes. In the words of Guruswami and Vardy, “MLD is one of the central (perhaps, the central) algorithmic problems in coding theory" [15]. This problem, given here in Definition 1, was proven to be NP-complete in 1978 by Berlekamp, McEliece and van Tilborg in [6], where the authors provide a reduction from the Three-Dimensional Matching problem for graphs [16]. Then, in 1990, MLD was proven to remain hard even when preprocessing of the code is allowed, by Bruck and Naor [17] and by Lobstein [18]. Other interesting results on the complexity of MLD were then given by several authors, and an interested reader can find more information in [6, 19] for the general case and in [15, 20,21,22] for specific classes of codes.

In the context of post-quantum code-based cryptography, the most famous cryptosystem is that proposed by McEliece in 1978 [23]. This scheme has been studied for over forty years, a scrutiny that attests to its resilience and security, and it was then used, together with the Niederreiter scheme [24], as a building block for the NIST round-3 finalist Classic McEliece. We remark that the security of each of these primitives is related to both MLD and the problem of distinguishing between apparently-random codes and permuted versions of algebraic codes. In this work, we focus on the first of these two problems. A presentation of code-based cryptography and the underlying problems can be found in the chapter Code-based cryptography by Overbeck and Sendrier in [4].

Before stating MLD, we provide some basics on binary linear codes. An [n, k] linear code C is a k-dimensional subspace of \(\left( {\mathbb {F}}_q \right) ^n\). The parameters n and k are called the length and dimension of the code. Since we are interested in binary codes, throughout this paper we only consider the case \(q=2\); hence by \({\mathbb {F}}\) we mean \({\mathbb {F}}_2\), and we often omit the term binary when using the term code. A codeword is any vector in the code. A generator matrix G of C is a \(k\times n\) matrix whose rows span C. Similarly, a parity-check matrix H of C is a generator matrix of the dual of C. By this definition, a vector c is a codeword if and only if \(H\cdot c^{\top } = 0\). We recall that if G is systematic, i.e. \(G=\begin{bmatrix}I_k\mid R\end{bmatrix}\), then \(H=\begin{bmatrix}-R^{\top }\mid I_{n-k}\end{bmatrix}\). The (Hamming) weight of a vector v is the number \(\mathrm {w}(v)\) of its nonzero components.

Definition 1

(MLD) Let \(H=[h_{i,j}]_{i=1,\ldots ,m,\,j=1,\ldots ,n}\) be an \(m\times n\) binary matrix, let \(s\in {\mathbb {F}}^m\) and let \(t\le n\) be a positive integer. Decide whether there is a vector \(v \in {\mathbb {F}}^n\) of weight at most t, such that \(Hv^\top = s^\top \).

We denote with \(I_{\mathrm {MLD}}\) a generic instance of MLD, determined by the triple \(I_{\mathrm {MLD}} = (H,s,t)\). The values (n, m) determine the memory space required to store \(I_{\mathrm {MLD}}\); indeed, we need a total of \(nm+m+\left\lfloor \log _2n\right\rfloor +1\) bits to write a given instance (H, s, t). We call (n, m) the complexity parameters of \(I_{\mathrm {MLD}}\), and \(|I_{\mathrm {MLD}}|=nm+m+\left\lfloor \log _2n\right\rfloor +1\) the size of \(I_{\mathrm {MLD}}\). We can assume that \(m\le n\), since this case has the same hardness as the general case.

The second problem we consider is to decide whether a multivariate-quadratic Boolean system admits a solution. This problem, known as the “multivariate quadratic equation system problem” (MQ) is linked to the security of multivariate-based cryptosystems (e.g. Oil and Vinegar [25], Rainbow [14], GeMSS [26]).

Let I be an ideal of a polynomial ring \(\mathcal {R}\) over a field \({\mathbb {K}}\) and let \({\mathbb {E}}\) be an extension field of \({\mathbb {K}}\). We denote by

$$\begin{aligned}\mathcal {V}_{{\mathbb {E}}}(I)= \left\{ A \in {\mathbb {E}}^{\mathsf {n}} \mid f(A) = 0 \; \forall f \in I\right\} \end{aligned}$$

the set of all the zeroes of I in \({\mathbb {E}}^{\mathsf {n}}\). \(\mathcal {V}_{{\mathbb {E}}}(I)\) is called the variety of I over \({\mathbb {E}}\). An MQ-system of equations over \({\mathbb {F}}\) is a set of \(\mathsf {m}\) polynomial equations of degree at most 2 in \({\mathbb {F}}[x_1,\ldots ,x_{\mathsf {n}}]\) of the form:

$$\begin{aligned} S = \left\{ \begin{array}{c} f_1(x_1,\ldots ,x_{\mathsf {n}}) = 0 \\ f_2(x_1,\ldots ,x_{\mathsf {n}}) = 0 \\ \vdots \\ f_{\mathsf {m}}(x_1,\ldots ,x_{\mathsf {n}}) = 0 \end{array} \right. \end{aligned}$$
(1)

where for every \(h \in \{1,\ldots ,\mathsf {m}\}\)

$$\begin{aligned} f_h(x_1,\ldots ,x_{\mathsf {n}}) = \sum _{1\le i < j \le \mathsf {n}}\gamma _{ij}^{(h)}x_ix_j + \sum _{1\le i \le \mathsf {n}}\lambda _i^{(h)}x_i + \delta ^{(h)} \end{aligned}$$
(2)

with \(\gamma _{ij}^{(h)}, \lambda _i^{(h)}, \delta ^{(h)} \in {\mathbb {F}}\). The (decision) multivariate quadratic equation system problem (MQ) can now be stated as

Definition 2

(MQ) Consider a polynomial system \(S = \{f_1,\ldots ,f_{\mathsf {m}}\}\) as in (1) of degree at most 2 over \({\mathbb {F}}\) and let I be the ideal generated by S.

Decide whether \(\mathcal {V}_{{\mathbb {F}}}(I)\) is non-empty.

We denote with \(I_{\mathrm {MQ}}\) a generic instance of MQ, determined by the polynomial system S. Similarly to the case of MLD, the values \((\mathsf {n},\mathsf {m})\) determine the memory space required to store an instance \(I_{\mathrm {MQ}}\). In this case, we need a total of \(\mathsf {m}\left( \left( {\begin{array}{c}\mathsf {n}\\ 2\end{array}}\right) +\mathsf {n}+1\right) \) bits to write S. We call \((\mathsf {n},\mathsf {m})\) the complexity parameters of \(I_{\mathrm {MQ}}\), and \(|I_{\mathrm {MQ}}|=\mathsf {m}\left( \left( {\begin{array}{c}\mathsf {n}\\ 2\end{array}}\right) +\mathsf {n}+1\right) \) its size.

MQ has been proven to be NP-hard over any field [7], and many cryptosystems base their security on this problem [25, 27, 28]. Several mathematical approaches have been employed to tackle it, such as the Newton and the tensor-based algorithms [29, 30], Gröbner bases, resultants and eigenvalues/eigenvectors of companion matrices [31], semidefinite relaxations [32,33,34], numerical homotopy [35, 36], low-rank matrix recovery [37], and symbolic computation [38].

The most established method to perform cryptanalysis of public-key systems is to focus on the algebraic problems underlying them. In this work we adopt a slightly different perspective, establishing a link between MLD and MQ, and thus providing new directions in the analysis of both code-based and multivariate-based primitives. More precisely, the aim of this paper is to show explicit reductions between the two previous problems. Since both problems are NP-complete, each can be reduced to the other, but it is not obvious how to do so explicitly without losing their algebraic nature.

MQ and MLD are problems of a purely algebraic nature, naturally stated and studied in the context of vector spaces and polynomial rings over \({\mathbb {F}}_2\), the smallest possible field. Interestingly, their complexity, and the complexity of the numerous related problems (including search problems), is at the heart of research for the mathematical community working in coding theory and cryptography. Yet, known results about their complexity are obtained via techniques of a rather different nature, such as graph theory. As far as we know, this is the first paper that investigates their direct explicit complexity links, using only languages and tools familiar to standard research in coding theory and cryptography alike. To be more precise, we will establish in Sect. 3 an explicit reduction from MLD to MQ, while in Sect. 4 we will present a reduction from MQ to MLD. The remainder of this paper contains Sect. 2, where we provide preliminaries and our notation, Sect. 6, where we leave some open problems, and notably Sect. 5. In this latter section we draw some significant conclusions, among which we report our proof of the existence of a polynomial-time isomorphism between MLD and MQ, and thus between code-based and multivariate-based primitives.

2 Preliminary results and definitions

Before introducing the reductions between MLD and MQ we need some preliminary notation. Throughout this paper we consider vectors to be row vectors, unless otherwise specified. Moreover, we denote with \(\bar{\cdot }\) each element of a set which is not a variable (regardless of whether it is a field element or a vector), whereas symbols without the notation \(\bar{\cdot }\) denote variables. As an example, if f(x) is a polynomial in the variable x, then \(f(\bar{x})\) is the evaluation of f at the point \(\bar{x}\). In Sect. 4, we will also use the notation \(\widehat{\cdot }\) and \(\widetilde{\cdot }\) instead of \(\bar{\cdot }\) to distinguish between elements belonging to distinct spaces. As an example, in Sect. 4 we will define two distinct, but related, sets \(\widehat{\Sigma }\) and \(\widetilde{\Sigma }\). In this case, to distinguish between their elements, we will write \(\widehat{v}\in \widehat{\Sigma }\) and \(\widetilde{v}\in \widetilde{\Sigma }\).

Let l be a positive integer. We define the map \(\mathtt {int}:{\mathbb {F}}^l \rightarrow {\mathbb {Z}}\) as

$$\begin{aligned} \mathtt {int}(a)=\mathtt {int}\left( \left( a_1,\ldots ,a_l\right) \right) :=\sum _{j=1}^l{a_j \cdot 2^{j-1}}\; , \end{aligned}$$

where the sum on the right-hand side is over the integers. In this way, \(\mathtt {int}(\bar{a})\) is the integer value corresponding to the input vector of bits \(\bar{a}=(\bar{a}_1,\ldots ,\bar{a}_l)\in {\mathbb {F}}^l\). When we regard a vector in \({\mathbb {F}}^l\) as the binary representation of an integer, we list its bits from the least-significant to the most-significant, e.g. if \(l=4\) then \(3=(1,1,0,0)\). From now on we will often use the binary representation of the parameter t of an MLD instance (Hst) as a vector of \(\ell =\lfloor \log _2n\rfloor +1\) bits \((t_1,\ldots ,t_{\ell })\), and therefore we will use both \(\mathrm {w}(v)\le t\) and \(\mathrm {w}(v)\le \mathtt {int}(t_1,\ldots ,t_{\ell })\).
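As an illustrative sketch (the function name `int_of_bits` is ours, not from the paper), the map \(\mathtt {int}\) can be implemented directly from its definition:

```python
def int_of_bits(a):
    """Value of the map int: F_2^l -> Z on a bit vector listed
    least-significant bit first, i.e. sum_j a_j * 2^(j-1)."""
    return sum(bit << j for j, bit in enumerate(a))
```

For \(l=4\), `int_of_bits([1, 1, 0, 0])` returns 3, matching the convention above.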

Let \({\textbf {1}}\) be the vector \((1,\ldots ,1)\). We define the map \(\mathtt {increase}:{\mathbb {F}}^l \rightarrow {\mathbb {F}}^l\) such that, for all \(\bar{a}\ne {\textbf {1}}\), we have

$$\begin{aligned} \mathtt {int}(\mathtt {increase}(\bar{a})) = \mathtt {int}(\bar{a}) +1\;, \end{aligned}$$

namely, if \(\bar{a}=\left( \bar{a}_1,\ldots , \bar{a}_z,\ldots ,\bar{a}_l\right) \), where \(\bar{a}_z=0\) is the left-most 0 bit of \(\bar{a}\), then

$$\begin{aligned} \mathtt {increase}(\bar{a}) = {\left\{ \begin{array}{ll} \begin{array}{ll} \left( 0,\ldots ,0,1,\bar{a}_{z+1},\ldots ,\bar{a}_l\right) &{} \text { if } \bar{a} \ne {\textbf {1}} \\ \bar{a} &{} \text { if } \bar{a} = {\textbf {1}}\;. \end{array} \end{array}\right. } \end{aligned}$$
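The case analysis above amounts to a standard binary increment on LSB-first bit vectors; a minimal Python sketch (our own naming) is:

```python
def increase(a):
    """Increment an LSB-first bit vector: flip the run of leading 1-bits
    to 0 and set the leftmost 0-bit to 1; the all-ones vector is fixed."""
    a = list(a)
    for z, bit in enumerate(a):
        if bit == 0:
            return [0] * z + [1] + a[z + 1:]
    return a  # a is the all-ones vector
```

For instance, `increase([1, 1, 0, 0])` returns `[0, 0, 1, 0]`, i.e. 3 is mapped to 4.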

Finally, we introduce the projection and truncation maps \(\pi \) and \(\tau \). Let \(i\le l\) be a non-negative integer, and let \(\pi _i:{\mathbb {F}}^l \rightarrow {\mathbb {F}}^l\) be the projection defined as

$$\begin{aligned} \pi _i\left( \bar{v}_1,\ldots ,\bar{v}_l \right) = \left( \bar{v}_1, \ldots ,\bar{v}_i,0,\ldots ,0 \right) \end{aligned}$$

for \(1\le i\le l\) and

$$\begin{aligned} \pi _0\left( \bar{v}_1,\ldots ,\bar{v}_l \right) = \left( 0,\ldots ,0 \right) \;. \end{aligned}$$

Similarly, let \(i\le l\) be a positive integer. We define the truncation \(\tau _i:{\mathbb {F}}^l \rightarrow {\mathbb {F}}^i\) as

$$\begin{aligned} \tau _i\left( \bar{v}_1,\ldots ,\bar{v}_l \right) = \left( \bar{v}_1, \ldots ,\bar{v}_i\right) \;. \end{aligned}$$

Consider now a polynomial equation \(f=0\), where \(f \in {\mathbb {F}}[x_1,\ldots ,x_l]\) with \(\mathrm {deg}(f) = d >2\). The goal of the algorithm described in the following fact is to reduce this equation to a set of equations of degree at most 2. We use an idea similar to that described by Kipnis and Shamir [39] in their relinearization technique.

Fact 1

Let \(x_{i_1}x_{i_2}\cdots x_{i_d}\) be a monomial of degree d. We introduce a set of \(d-2\) new variables as follows

$$\begin{aligned} \left\{ \begin{array}{ll} y_1=x_{i_1}x_{i_2}\\ y_2=y_1x_{i_3}\\ \vdots \\ y_{d-2}=y_{d-3}x_{i_{d-1}} \end{array} \right. \end{aligned}$$

and thus rewrite \(x_{i_1}x_{i_2}\cdots x_{i_d}\) as \(y_{d-2}x_{i_d}\). With this procedure, a monomial of degree d is substituted by a set of \(d-1\) quadratic equations by introducing \(d-2\) variables.

By applying the same argument to each monomial of f, we obtain a system of quadratic equations, as required.

For convenience, given a polynomial equation \(f=0\) we denote with \(\mathtt {quadr}(f)\) the quadratic polynomial system obtained by applying the procedure in Fact 1 to f. Similarly, given a polynomial system S, we denote with \(\mathtt {quadr}(S)\) the quadratic system obtained by applying the procedure to each of the polynomials in S and joining all the systems of equations, formally

$$\begin{aligned} \mathtt {quadr}(S) = \bigcup _{f\in S}\mathtt {quadr}(f). \end{aligned}$$
(3)
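The monomial-splitting step of Fact 1 can be sketched as follows (representation and names are ours: a monomial is a tuple of variable names, and `fresh` supplies unused y-variables):

```python
def quadr_monomial(mono, fresh):
    """Split a degree-d monomial (tuple of variable names) as in Fact 1.
    Returns (defs, replacement): `defs` is a list of pairs (y, (u, w))
    encoding the quadratic equations y = u*w, and `replacement` is the
    degree-2 monomial standing in for `mono`."""
    if len(mono) <= 2:
        return [], mono  # already of degree at most 2
    defs = []
    acc = mono[0]
    for x in mono[1:-1]:            # introduces d-2 new variables
        y = next(fresh)
        defs.append((y, (acc, x)))  # the equation y = acc * x
        acc = y
    return defs, (acc, mono[-1])    # mono is rewritten as y_{d-2} * x_{i_d}
```

On \(x_1x_2x_3x_4\) this yields the definitions \(y_1=x_1x_2\), \(y_2=y_1x_3\) and the replacement \(y_2x_4\): \(d-2=2\) new variables, and \(d-1=3\) quadratic equations once the rewritten original equation is counted.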

Example 1

Let \(S=\{f_1,f_2\}\) be the polynomial system

$$\begin{aligned} S= \left\{ \begin{array}{l} f_1= x_1x_2x_4+x_1x_3x_4+x_2x_3+x_1=0\\ f_2=x_1x_2x_3x_4+1=0 \end{array} \right. \end{aligned}$$

To compute \(\mathtt {quadr}(S)\) we start with computing \(\mathtt {quadr}(f_1)\). There are two monomials of degree larger than 2 in \(f_1\), namely \(x_1x_2x_4\) and \(x_1x_3x_4\), which have degree \(d_1=3\). When dealing with a monomial with degree \(d_1=3\), as stated in Fact 1, we introduce \(d_1-2=1\) variable and then we obtain a set of \(d_1-1=2\) quadratic equations (including the rewriting of the starting equation \(f_1=0\) in terms of the new variables).

We start from \(x_1x_2x_4\), we call the new variable \(y_1\), and we create the quadratic equation \(y_1=x_1x_2\). Due to this new equation, we can substitute \(x_1x_2\) with \(y_1\) into \(f_1=0\), obtaining

$$\begin{aligned} f_1=0 \quad \Leftrightarrow \quad \left\{ \begin{array}{l} y_1=x_1x_2\\ y_1x_4+x_1x_3x_4+x_2x_3+x_1=0 \end{array} \right. \end{aligned}$$

Similarly, we deal with the monomial \(x_1x_3x_4\) by introducing \(y_2=x_1x_3\). The system becomes

$$\begin{aligned} \mathtt {quadr}(f_1)=\left\{ \begin{array}{l} y_1=x_1x_2\\ y_2=x_1x_3\\ y_1x_4+y_2x_4+x_2x_3+x_1=0 \end{array} \right. \end{aligned}$$

We proceed now with the second equation. In \(f_2\) only \(x_1x_2x_3x_4\) has degree larger than 2, and in this case we need to introduce two variables \(z_1,z_2\) and transform \(f_2=0\) into a system of 3 quadratic equations:

$$\begin{aligned} \mathtt {quadr}(f_2)= \left\{ \begin{array}{l} z_1=x_1x_2\\ z_2=z_1x_3\\ z_2x_4+1=0 \end{array} \right. \end{aligned}$$

Thus \(\mathtt {quadr}(S) = \mathtt {quadr}(f_1) \cup \mathtt {quadr}(f_2)\) is a quadratic system equivalent to S.
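The claimed equivalence can be checked by brute force over \({\mathbb {F}}_2\); the sketch below (hand-coding the systems of Example 1) compares the solution set of S with the projection of the solution set of \(\mathtt {quadr}(S)\) onto \((x_1,\ldots ,x_4)\):

```python
from itertools import product

def solutions_S():
    """Solutions of Example 1's original system S over F_2."""
    sols = set()
    for x1, x2, x3, x4 in product((0, 1), repeat=4):
        f1 = (x1 * x2 * x4 + x1 * x3 * x4 + x2 * x3 + x1) % 2
        f2 = (x1 * x2 * x3 * x4 + 1) % 2
        if f1 == 0 and f2 == 0:
            sols.add((x1, x2, x3, x4))
    return sols

def solutions_quadr_S():
    """Solutions of quadr(S), projected onto (x1, x2, x3, x4)."""
    sols = set()
    for x1, x2, x3, x4, y1, y2, z1, z2 in product((0, 1), repeat=8):
        eqs = (
            (y1 + x1 * x2) % 2,                       # y1 = x1*x2
            (y2 + x1 * x3) % 2,                       # y2 = x1*x3
            (y1 * x4 + y2 * x4 + x2 * x3 + x1) % 2,   # rewritten f1
            (z1 + x1 * x2) % 2,                       # z1 = x1*x2
            (z2 + z1 * x3) % 2,                       # z2 = z1*x3
            (z2 * x4 + 1) % 2,                        # rewritten f2
        )
        if not any(eqs):
            sols.add((x1, x2, x3, x4))
    return sols
```

Both computations return the same set, since the auxiliary variables \(y_1,y_2,z_1,z_2\) are uniquely determined by \(x_1,\ldots ,x_4\).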

Definition 3

A system of equations is said to be in standard form if

  • it contains equations of the form \(xy + z =0\) which do not share any variable;

  • it contains linear equations with up to three monomials, that is, of the form \(x+\bar{\delta }=0\), \(x+y+\bar{\delta }=0\) or \(x+y+z+\bar{\delta }=0\), with \(\bar{\delta }\in {\mathbb {F}}\);

  • each variable that appears in a linear equation appears also in exactly one quadratic equation;

  • it does not contain any other kind of equation.

In Lemma 1, we will show that any system of quadratic equations can be brought to standard form by adding (a bounded number of) new variables and equations. A preliminary result for the case of linear equations is the following:

Fact 2

Let us consider a linear equation with l variables

$$\begin{aligned} x_1+x_2+x_3+\ldots +x_l=0 \;. \end{aligned}$$

If we define \(y_i\) to be the sum of the first i variables \(x_1+\ldots + x_i\), then \(x_1+x_2+x_3+\ldots +x_l=0\) is equivalent to the linear system

$$\begin{aligned} \left\{ \begin{array}{l} x_1+x_2+y_2=0 \\ y_2+x_3+y_3=0 \\ y_3+x_4+y_4=0\\ \vdots \\ y_{l-3}+x_{l-2}+y_{l-2}=0\\ y_{l-2}+x_{l-1}+x_{l}=0 \end{array} \right. \end{aligned}$$

which has \(l-2\) equations, each one involving exactly three variables, and a total of \(2l-3\) variables.
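This chaining can be sketched as follows (names are ours; each equation is a triple of variable names summing to 0 over \({\mathbb {F}}_2\), and we assume \(l\ge 4\)):

```python
def split_linear(l):
    """Rewrite x_1 + ... + x_l = 0 as the chain of Fact 2 (l >= 4).
    Returns the l-2 three-variable equations, each a triple of names."""
    x = [f"x{i}" for i in range(1, l + 1)]
    y = {i: f"y{i}" for i in range(2, l - 1)}
    eqs = [(x[0], x[1], y[2])]                  # x1 + x2 + y2 = 0
    for i in range(3, l - 1):
        eqs.append((y[i - 1], x[i - 1], y[i]))  # y_{i-1} + x_i + y_i = 0
    eqs.append((y[l - 2], x[l - 2], x[l - 1]))  # y_{l-2} + x_{l-1} + x_l = 0
    return eqs
```

For \(l=6\) this produces 4 equations over 9 distinct variables, matching the counts \(l-2\) and \(2l-3\).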

2.1 Our computational model

To assess the performance of reductions between MLD and MQ, we need a computational model that defines the computational cost of the operations performed in a reduction. In our case, the operations needed to perform a reduction are the sum and multiplication in the finite field \({\mathbb {F}}\), which can be identified with the \(\mathrm {XOR}\) and \(\mathrm {AND}\) logical operators, respectively, and to which we assign cost 1. We also need to carefully consider the memory requirements of our method, so we assign cost 1 to every coefficient required to express a single polynomial. Notice that the number of bits required to completely define a single quadratic polynomial is approximately the square of the number of variables.

In Sect. 3 we will present a reduction \(\alpha : \mathrm {MLD}\rightarrow \mathrm {MQ}\), whose memory analysis will be based on the number of equations and variables required to describe the related polynomials (i.e. the complexity parameters of the resulting \(\mathrm {MQ}\) instance). In Sect. 4 we present a reduction \(\beta : \mathrm {MQ}\rightarrow \mathrm {MLD}\) whose memory analysis is based on the size of the generated parity-check matrix in the reduction (i.e. the complexity parameters of the resulting \(\mathrm {MLD}\) instance).

The following lemma, together with Fact 2, implies that every instance of MQ can be reduced to an instance in which the polynomial system is given in standard form.

Lemma 1

Consider a polynomial system \(S = \lbrace f_1,\ldots ,f_{\mathsf {m}} \rbrace \) with \(f_i \in {\mathbb {F}}[x_1,\ldots ,x_{\mathsf {n}}]\) and \(\mathrm {deg}(f_i)=2\) for each \(i=1,\ldots ,\mathsf {m}\). Then S can be brought to standard form in \(\mathcal {O}(\mathsf {m}\mathsf {n}^2)\) operations.

More precisely, the number of quadratic equations is at most \(\mathsf {m}\left( \frac{\mathsf {n}(\mathsf {n}-1)}{2}\right) \) and the number of linear equations is at most \(\mathsf {m}\left( \frac{3\mathsf {n}^2-\mathsf {n}}{2}-2\right) \).

Proof

Assume first \(S=\lbrace f \rbrace \). In the worst case

$$\begin{aligned} f = \sum _{i< j \in \{1,\ldots ,\mathsf {n}\}}x_ix_j + \sum _{i\in \{1,\ldots ,\mathsf {n}\}}x_i + \bar{\delta }\;, \end{aligned}$$

with \(\bar{\delta }\in {\mathbb {F}}\). Clearly, f has \(\left( {\begin{array}{c}\mathsf {n}\\ 2\end{array}}\right) =\frac{\mathsf {n}(\mathsf {n}-1)}{2}\) quadratic monomials \(x_ix_j\). As a first step, we introduce \(\left( {\begin{array}{c}\mathsf {n}\\ 2\end{array}}\right) \) new variables, along with a set of \(\left( {\begin{array}{c}\mathsf {n}\\ 2\end{array}}\right) \) equations of the form \(x_{ij} +x_ix_j = 0\). These newly introduced variables are then substituted into f, obtaining in this way a linear polynomial \(f'\) with \(\frac{\mathsf {n}(\mathsf {n}+1)}{2}\) variables.

Notice that the quadratic equations we just introduced share some variables \(x_i\): for each i, \(x_i\) indeed appears in \(\mathsf {n}-1\) such equations. However, our aim is to have each variable that appears in a degree-2 monomial appear in exactly one quadratic equation. This is achieved in a second step by introducing new variables and new linear equations: if \(x_i\) appears in both \(x_{1,i}+x_1x_i=0\) and \(x_{2,i}+x_2x_i=0\), then we define a new variable \(x_i'\) and write

$$\begin{aligned} \left\{ \begin{array}{l} x_{1,i}+x_1x_i=0\\ x_{2,i}+x_2x_i'=0\\ x_i+x_i'=0\;. \end{array} \right. \end{aligned}$$

By doing this for all shared variables, we add a set of \(\mathsf {n}(\mathsf {n}-1)\) linear equations of the form \(x_i'+x_i=0\), each one introducing a new variable.

With the first step we have produced a linear polynomial \(f'\) with \(\frac{\mathsf {n}(\mathsf {n}+1)}{2}\) variables. However, for the system to be in standard form, each linear equation has to involve at most three variables. As in Fact 2, this can be done in a third step by replacing \(f'\) with \(\frac{\mathsf {n}(\mathsf {n}+1)}{2}-2\) linear equations, each involving three variables, for a total of \(2\left( \frac{\mathsf {n}(\mathsf {n}+1)}{2}\right) -3\) variables.

We end up with a set of \(\frac{\mathsf {n}(\mathsf {n}-1)}{2}\) quadratic equations and a set of \(\frac{3\mathsf {n}^2-\mathsf {n}}{2}-2\) linear equations. The total number of variables is \(\frac{5\mathsf {n}^2-\mathsf {n}}{2}-3\).

Now let S contain \(\mathsf {m}\) equations. We perform the same transformation as above for each of them; however, the sets of quadratic equations of the polynomials might share variables. To solve this problem, we rename the variables of each quadratic polynomial: if the h-th polynomial contains the variable \(x_k\), then we substitute \(x_k\) with a new variable \(X_{h,k}\). We also need to track this substitution, therefore we add a new set of linear equations \(X_{h,k} + x_k = 0\) for \(h=1,\ldots ,\mathsf {m}\) and \(k=1,\ldots ,\mathsf {n}\). In this way, the quadratic equations do not share variables, and we can substitute each one of them with a system in standard form, as we did in the first part of this proof. As a consequence, the total number of quadratic equations is bounded by \(\mathsf {m}\left( \frac{\mathsf {n}(\mathsf {n}-1)}{2}\right) \) and the number of linear equations is at most \(\mathsf {m}\left( \frac{3\mathsf {n}^2-\mathsf {n}}{2}-2\right) \). Similarly, the number of variables is bounded by \(\mathsf {m}\left( \frac{5\mathsf {n}^2-\mathsf {n}}{2}-3\right) \).

Putting everything together, we obtain \(\mathcal {O}(\mathsf {m}\mathsf {n}^2)\) new variables and equations. \(\square \)
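The linear-equation count in the single-polynomial case can be checked numerically; the sketch below (our reading of the three steps: the copy equations \(x_i'+x_i=0\) plus the Fact 2 chain for \(f'\)) reproduces the closed form \(\frac{3\mathsf {n}^2-\mathsf {n}}{2}-2\):

```python
def standard_form_counts(n):
    """Per-polynomial worst-case counts from the proof of Lemma 1:
    quadratic equations from splitting the monomials x_i x_j, linear
    equations from the copies x_i' + x_i = 0 plus the Fact 2 chain."""
    quad = n * (n - 1) // 2                       # one per monomial x_i x_j
    lin = n * (n - 1) + (n * (n + 1) // 2 - 2)    # copies + chain for f'
    return quad, lin
```

For every n the value of `lin` agrees with \(\frac{3\mathsf {n}^2-\mathsf {n}}{2}-2\), since \(\mathsf {n}(\mathsf {n}-1)+\frac{\mathsf {n}(\mathsf {n}+1)}{2}-2=\frac{3\mathsf {n}^2-\mathsf {n}}{2}-2\).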

3 MLD to MQ reduction

In this section, we provide an explicit reduction \(\alpha \), which maps an instance \(I_{\mathrm {MLD}}\) of the MLD problem to an instance \(I_{\mathrm {MQ}}\) of the MQ problem. More precisely, for any pair of complexity parameters (nm) we are going to define a reduction \(\alpha _{n,m}\), which deals with binary codes of length n and dimension at least \(n-m\).

An MLD instance \(I_{\mathrm {MLD}} = (\bar{H},\bar{s},\bar{t})\) can be thought of as the union of two requirements:

  1. parity-check constraint; the solution \(\bar{v}\) has to satisfy \(\bar{H}\bar{v}^{\top }=\bar{s}^{\top }\);

  2. weight constraint; the solution \(\bar{v}\) has to satisfy \(\mathrm {w}(\bar{v})\le \bar{t}\). To obtain our reduction, we split this constraint in two parts: \(\mathrm {w}(\bar{v})=w\) and \(w\le \bar{t}\).

We propose three encodings, each one parametrised by the complexity parameters m and n of MLD, which together correspond to a reduction from MLD to MQ. Here the term encoding has nothing to do with the mapping of a message to a codeword; instead, it is the rewriting of a constraint in terms of quadratic equations. The set of quadratic Boolean polynomials \(\mathtt {pcce}_{n,m}\) is the encoding of the parity-check constraint \(\bar{H}v^\top =\bar{s}^\top \). A complete description is provided in Sect. 3.1. The polynomial system \(\mathtt {hwce}_{n,m}\), detailed in Sect. 3.2, corresponds to the Hamming weight computation of \(\bar{v}\). The third encoding \(\mathtt {wce}_{n,m}\), in Sect. 3.3, is a polynomial system corresponding to the weight constraint \(\mathrm {w}(v)\le \bar{t}\).

We define the map \(\alpha _{n,m}=\mathtt {pcce}_{n,m} \cup \mathtt {hwce}_{n,m}\cup \mathtt {wce}_{n,m}\), where we mean that, given a specific instance \(I_{\mathrm {MLD}}= (\bar{H},\bar{s},\bar{t})\), the actual reduction is given by \(I_{\mathrm {MQ}}=\alpha _{n,m}(I_{\mathrm {MLD}})=\mathtt {pcce}_{n,m}(\bar{H},\bar{s},\bar{t}) \cup \mathtt {hwce}_{n,m}(\bar{H},\bar{s},\bar{t}) \cup \mathtt {wce}_{n,m}(\bar{H},\bar{s},\bar{t})\).

Observe that \(\alpha _{n,m}\) is a system of polynomial equations depending only on n and m, and whose evaluation on a specific MLD instance gives us an MQ instance.

3.1 Parity-check constraint encoding

We claim that the parity-check constraint \(Hv^{\top }=s^{\top }\) is equivalent to a set of m linear equations corresponding to polynomials

$$\begin{aligned} f_i \in {\mathbb {F}}[h_{i,1},\ldots ,h_{i,n},v_1,\ldots ,v_n, s_i] \end{aligned}$$

of the form \(f_i=\sum _{j=1}^n h_{i,j}v_j + s_i\). Indeed, \(\bar{H}\bar{v}^{\top }=\bar{s}^{\top }\) if and only if \(f_i(\bar{H},\bar{v},\bar{s})=0\) for every \(1\le i\le m\). Thus, we can define \(\mathtt {pcce}_{n,m}\) as

$$\begin{aligned} \lbrace f_i=0 \rbrace _{i=1,\ldots , m}\;, \end{aligned}$$

and so

$$\begin{aligned} \mathtt {pcce}_{n,m}(\bar{H},\bar{s},\bar{t})=\{f_i(\bar{H},v,\bar{s})=0\}_{i=1,\ldots ,m}\;. \end{aligned}$$

Observe that \(f_i(\bar{H},v,\bar{s})\) belongs to \({\mathbb {F}}[v_1,\ldots ,v_n]\).

We explicitly state the following trivial result for completeness.

Lemma 2

Let \(I_{\mathrm {MLD}}\) be an instance with complexity parameters n and m. Then, \(\mathtt {pcce}_{n,m}(I_{\mathrm {MLD}})\) contains m linear equations in n variables.
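The evaluation of \(\mathtt {pcce}_{n,m}\) on a concrete instance can be sketched as follows (names are ours; each polynomial \(f_i(\bar{H},v,\bar{s})\) is returned as a function \({\mathbb {F}}^n\rightarrow {\mathbb {F}}\)):

```python
def pcce(H, s):
    """Encode the parity-check constraint H v^T = s^T as the m linear
    polynomials f_i(v) = sum_j H[i][j] * v_j + s[i] over F_2."""
    def row_poly(row, si):
        return lambda v: (sum(hj * vj for hj, vj in zip(row, v)) + si) % 2
    return [row_poly(row, si) for row, si in zip(H, s)]
```

A vector \(\bar{v}\) satisfies the parity-check constraint exactly when all m polynomials vanish at \(\bar{v}\).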

3.2 Weight-computation encoding

Let \(\bar{v} \in {\mathbb {F}}^n\) and \( \ell = \lfloor \mathrm {log}_2(n) \rfloor + 1\), so that the weight of a length-n vector can be written as a length-\(\ell \) vector. For \(i=0,\ldots ,n\) and \(j=1,\ldots ,\ell \) we define functions \(a^{(i)}:{\mathbb {F}}^n\rightarrow {\mathbb {F}}^{\ell }\) with component functions \(a^{(i)}(\bar{v}) = (a^{(i)}_1(\bar{v}),\ldots ,a^{(i)}_{\ell }(\bar{v})) \in {\mathbb {F}}^{\ell }\). We set \(a^{(0)}(\bar{v}) = (0,\ldots ,0)\) for any \(\bar{v}\) (for convenience), and we define \(a^{(i)}\) recursively for \(i=1,\ldots ,n\) by computing its components \(a^{(i)}_j\) as the polynomials in \({\mathbb {F}}[v_1,\ldots ,v_n]={\mathbb {F}}[v]\)

$$\begin{aligned} a^{(i)}_j(v) = a^{(i-1)}_j(v) + \left( \prod _{h=1}^{j-1}a^{(i-1)}_h(v) \right) v_i\;. \end{aligned}$$

The following lemma and theorem prove that \(a^{(i)}(\bar{v})\) implements a counter that stores the Hamming weight of the first i coordinates of \(\bar{v}\).

Lemma 3

Let \(0\le k\le n-1\). If \(\bar{v}_{k+1} =1\) then \(a^{(k+1)}(\bar{v}) = \mathtt {increase}(a^{(k)}(\bar{v}))\). If \(\bar{v}_{k+1} =0\) then \(a^{(k+1)}(\bar{v})=a^{(k)}(\bar{v})\).

Proof

Let \(a^{(k)}_z(\bar{v})\) be the leftmost 0 in \(a^{(k)}(\bar{v})\), \(1\le z\le \ell \), and let \(\Lambda \in {\mathbb {N}}\). Observe that

$$\begin{aligned} \prod _{h=1}^{\Lambda }a^{(k)}_h = {\left\{ \begin{array}{ll} 1 &{} \text {if } \Lambda <z\\ 0 &{} \text { otherwise}. \end{array}\right. } \end{aligned}$$

We start with the case \(\bar{v}_{k+1}=1\) and we compute \(a^{(k+1)}_j(\bar{v})\) according to the value of j.

  • if \(1\le j\le z-1\) then \(a^{(k+1)}_j(\bar{v}) =a^{(k)}_j(\bar{v}) + \left( \prod _{h=1}^{j-1}a^{(k)}_h(\bar{v}) \right) \bar{v}_{k+1} = 1 + (1) \cdot 1=0\);

  • if \(j=z\) we have \(a^{(k+1)}_z(\bar{v}) =a^{(k)}_z(\bar{v}) + \left( \prod _{h=1}^{z-1}a^{(k)}_h(\bar{v}) \right) \cdot 1 = 0+(1)\cdot 1=1\);

  • if \(j\ge z+1\) then \(a^{(k+1)}_j(\bar{v}) =a^{(k)}_j(\bar{v}) + \left( \prod _{h=1}^{j-1}a^{(k)}_h(\bar{v}) \right) \cdot 1 = a^{(k)}_j(\bar{v}) + (0) \cdot 1=a^{(k)}_j(\bar{v})\).

The procedure we described flips every 1-bit up to the \((z-1)\)-th position and the first 0-bit, while leaving all the other bits unchanged, which is exactly the behaviour of the function \(\mathtt {increase}()\).

The second possible case is \(\bar{v}_{k+1}=0\). Observe that, regardless of j, the value \(a_j^{(k+1)}(\bar{v})\) is given by

$$\begin{aligned} a^{(k+1)}_j(\bar{v}) =a^{(k)}_j(\bar{v}) + \left( \prod _{h=1}^{j-1} a^{(k)}_h(\bar{v}) \right) \bar{v}_{k+1}\;, \end{aligned}$$

which, since \(\bar{v}_{k+1}=0\), is simply

$$\begin{aligned} a^{(k+1)}_j(\bar{v}) =a^{(k)}_j(\bar{v}) + \left( \prod _{h=1}^{j-1} a^{(k)}_h(\bar{v}) \right) \cdot 0=a^{(k)}_j(\bar{v})\;. \end{aligned}$$

\(\square \)

Theorem 4

Let \(\bar{v} \in {\mathbb {F}}^n\) and let \(1\le i\le n\). Then

$$\begin{aligned} \mathrm {w}(\pi _i(\bar{v})) = \mathtt {int}\left( a^{(i)}_1(\bar{v}), \ldots , a^{(i)}_{\ell }(\bar{v})\right) \;. \end{aligned}$$

Proof

We proceed by induction on i. Let \(i=1\); then \(a^{(1)}_1(\bar{v}) = a^{(0)}_1(\bar{v}) + \bar{v}_1 = \bar{v}_1\), while \(a^{(1)}_j(\bar{v}) = 0+0\cdot \bar{v}_1=0\) for every \(j=2,\ldots ,\ell \). Therefore \(\mathtt {int}(a^{(1)}(\bar{v}))=\mathtt {int}(\bar{v}_1,0,\ldots ,0) = \mathrm {w}(\pi _1(\bar{v}))\).

Assume that \(\mathtt {int}(a^{(i)}(\bar{v})) = \mathrm {w}(\pi _i(\bar{v}))\) holds for a certain value of \(1\le i\le n-1\), then we are going to prove \(\mathtt {int}(a^{(i+1)}(\bar{v})) = \mathrm {w}(\pi _{i+1}(\bar{v}))\). We have two cases: either \(\bar{v}_{i+1} = 0\) or \(\bar{v}_{i+1} = 1\).

  1. If \(\bar{v}_{i+1} = 0\) then, by Lemma 3, \(a^{(i+1)}(\bar{v}) = a^{(i)}(\bar{v})\), in accordance with \(\pi _{i+1}(\bar{v})= \pi _i(\bar{v})\).

  2. If \(\bar{v}_{i+1} = 1\) then, by Lemma 3, we have \(a^{(i+1)}(\bar{v}) = \mathtt {increase}(a^{(i)}(\bar{v}))\) and therefore \(\mathtt {int}(a^{(i+1)}(\bar{v})) = \mathtt {int}(\mathtt {increase}(a^{(i)}(\bar{v}))) = \mathtt {int}(a^{(i)}(\bar{v})) + 1 = \mathrm {w}(\pi _{i}(\bar{v})) +1 = \mathrm {w}(\pi _{i+1}(\bar{v}))\), where the last equality follows from basic properties of the weight.

\(\square \)

The following corollary states that the Hamming weight of a vector \(\bar{v} \in {\mathbb {F}}^n\) is exactly the integer represented by the vector \(\left( a^{(n)}_1(\bar{v}), \ldots , a^{(n)}_{\ell }(\bar{v})\right) \).

Corollary 5

Let \(\bar{v} \in {\mathbb {F}}^n\). Then

$$\begin{aligned} \mathrm {w}(\bar{v}) = \mathtt {int}\left( a^{(n)}_1(\bar{v}), \ldots , a^{(n)}_{\ell }(\bar{v})\right) \end{aligned}$$
(4)

Proof

It follows from Theorem 4 by noticing that \(\pi _n(\bar{v}) = (\bar{v}_1,\ldots ,\bar{v}_n) = \bar{v}\). \(\square \)
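The counter update behind Theorem 4 and Corollary 5 can be checked numerically. The following Python sketch (ours, not part of the paper) processes \(\bar{v}\) bit by bit, applying the update \(a^{(k+1)}_j = a^{(k)}_j + \left(\prod _{h=1}^{j-1} a^{(k)}_h\right)\bar{v}_{k+1}\) over \({\mathbb {F}}_2\), and recovers \(\mathrm {w}(\bar{v})\) as the integer represented by \(a^{(n)}\).

```python
def weight_counter(v, l):
    """Return (a_1, ..., a_l) after processing all bits of v (a_1 = LSB)."""
    a = [0] * l                               # a^{(0)} = (0, ..., 0)
    for bit in v:                             # step k+1: incorporate bit v_{k+1}
        prod = 1                              # running product a_1 * ... * a_{j-1}
        new_a = []
        for j in range(l):
            new_a.append(a[j] ^ (prod & bit)) # a_j + (prod) * v_{k+1} over F_2
            prod &= a[j]                      # extend product with the old a_j
        a = new_a
    return a

def to_int(a):
    """int(a_1, ..., a_l): a_1 is the least significant bit."""
    return sum(bit << j for j, bit in enumerate(a))

v = [1, 0, 1, 1, 1, 0, 1]                     # Hamming weight 5
assert to_int(weight_counter(v, 3)) == sum(v)
```

Each step either leaves the counter unchanged (when the incoming bit is 0) or performs the binary increment described by Lemma 3.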

Observe that, for any \(1\le i\le n\) and \(1\le j\le \ell \), the recurrence defining \(a^{(i)}_j\) is an equation of degree j of the form \(x+y+M=0\), where M is a degree-j monomial. By the procedure described in Remark 1, each such equation can be reduced to a system of fewer than \(\ell \) quadratic equations by adding fewer than \(\ell \) new variables. Indeed, \(\mathtt {quadr}(x+y+M=0)\) is a quadratic system with \(j-1<\ell \) equations in \(j-2< \ell \) new variables.
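The map \(\mathtt {quadr}()\) is defined in Remark 1, which precedes this excerpt; the following sketch illustrates the standard chaining technique, consistent with the counts of \(j-1\) equations and \(j-2\) new variables stated above. The variable names \(w_k\) and \(m_k\) are ours, and the paper's exact bookkeeping may differ.

```python
def quadr_product_equation(j):
    """Quadratic encoding (as strings) of x + y + m_1*m_2*...*m_j = 0.

    Chain variables: w_2 = m_1*m_2, then w_k = w_{k-1}*m_k for k = 3..j-1;
    the closing equation x + y + w_{j-1}*m_j = 0 is itself quadratic.
    Total: j - 1 equations and j - 2 new variables, matching the text.
    """
    eqs = ["w_2 + m_1*m_2 = 0"]
    for k in range(3, j):
        eqs.append(f"w_{k} + w_{k-1}*m_{k} = 0")
    eqs.append(f"x + y + w_{j-1}*m_{j} = 0")
    return eqs

eqs = quadr_product_equation(5)   # degree-5 equation x + y + m_1*...*m_5 = 0
assert len(eqs) == 4              # j - 1 quadratic equations
```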

By applying this procedure to each of the \(n\cdot \ell \) equations we obtain a system of quadratic equations. We remark that many variables are shared between equations, so several optimisations could be applied instead of invoking \(\mathtt {quadr}()\) on each equation separately. However, since the degree of each equation is bounded by \(\ell \), even without optimising the procedure we end up with a system with a manageable number of quadratic equations, as stated by the following lemma.

Lemma 6

The number of quadratic equations in

$$\begin{aligned} \mathtt {quadr}\left( \left\{ a^{(i)}_j = a^{(i-1)}_j + \left( \prod _{h=1}^{j-1}a^{(i-1)}_h \right) v_i \right\} _{ i = 1,\ldots ,n \textit{, } j=1,\ldots ,\ell } \right) \end{aligned}$$

is \(\mathcal {O}(n\ell ^2)\). The total number of variables is \(\mathcal {O}(n\ell ^2)\).

Proof

Each of the \(n\ell \) equations is transformed into a set of less than \(\ell \) quadratic equations by adding less than \(\ell \) variables. \(\square \)

We are finally ready to construct the set of equations corresponding to the (Hamming) weight-computation encoding, which contains the polynomials corresponding to the weight-computation procedure depicted in this section. We define

$$\begin{aligned} \mathtt {hwce}_{n,m} = \mathtt {quadr}\left( \left\{ a^{(i)}_j = a^{(i-1)}_j + \left( \prod _{h=1}^{j-1}a^{(i-1)}_h \right) v_i \right\} _{ i = 1,\ldots ,n \textit{, } j=1,\ldots ,\ell } \right) \;, \end{aligned}$$

where the variables \(a_j^{(i)}\) obviously play the role of the previously defined functions. From Theorem 4 and Corollary 5, it follows that by evaluating \(\mathtt {hwce}_{n,m}\) at \(\bar{v}\) we obtain the vector \((a_1^{(n)}(\bar{v}),\ldots ,a_{\ell }^{(n)}(\bar{v}))\) containing the binary expansion of \(\mathrm {w}(\bar{v})\).

3.3 Weight constraint encoding

The idea behind this encoding is to define a quadratic Boolean polynomial that compares two Boolean vectors according to their values when seen as integers. More precisely, in this section we construct a polynomial whose evaluation at a pair of Boolean vectors \(\bar{u}\) and \(\bar{v}\) is 0 if and only if \(\mathtt {int}(\bar{u})\le \mathtt {int}(\bar{v})\). For the sake of completeness, we define the claimed polynomial in a more general setting, and at the end we specify the parameters useful in the context of our reduction from MLD to MQ.

Consider two binary vectors \(\bar{u}, \bar{v} \in {\mathbb {F}}^l\), where the most significant bits are \(\bar{u}_l\) and \(\bar{v}_l\), respectively. To compare the integers associated to \(\bar{u}\) and \(\bar{v}\) we proceed as follows, outputting 0 when \(\mathtt {int}(\bar{u}) \le \mathtt {int}(\bar{v})\) and 1 otherwise, starting from \(j=l\):

  • if \(\bar{u}_j=\bar{v}_j\), then we move to the next bits \(\bar{u}_{j-1}\) and \(\bar{v}_{j-1}\);

  • if \(\bar{u}_j\ne \bar{v}_j\), we output \(\bar{u}_j\), since \(\mathtt {int}(\bar{u}) \le \mathtt {int}(\bar{v})\) if \(\bar{u}_j=0\);

  • if we reach \(j=1\) and \(\bar{u}_1=\bar{v}_1\), then we output 0.
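The procedure above can be implemented directly. The following sketch (ours) scans the two vectors from the most significant bit downwards; note that in our index convention position 0 is the least significant bit, matching \(\mathtt {int}\).

```python
def compare(u, v):
    """u, v: bit lists with u[0] least significant. Return 0 iff int(u) <= int(v)."""
    for j in reversed(range(len(u))):   # from the most significant bit down
        if u[j] != v[j]:
            return u[j]                 # u[j] = 1 means int(u) > int(v)
    return 0                            # all bits equal: int(u) = int(v)

assert compare([1, 0, 1], [0, 1, 1]) == 0   # 5 <= 6
assert compare([0, 1, 1], [1, 0, 1]) == 1   # 6 > 5
```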

We make use of this procedure to define a polynomial \(F \in {\mathbb {F}}[u_1,\ldots ,u_l,v_1,\ldots ,v_l]\) such that

$$\begin{aligned} F(\bar{u},\bar{v}) = {\left\{ \begin{array}{ll} 0 \quad \mathrm { if }\; \mathtt {int}(\bar{u}) \le \mathtt {int}(\bar{v})\\ 1 \quad \mathrm { if }\; \mathtt {int}(\bar{u}) > \mathtt {int}(\bar{v})\;. \end{array}\right. } \end{aligned}$$
(5)

Define \(g_h(u,v) = (u_h + v_h) \in {\mathbb {F}}[u_h,v_h]\) for every \(h=1,\ldots ,l\) and notice that \(g_h(\bar{u},\bar{v})=0\) if and only if \(\bar{u}_h=\bar{v}_h\). Moreover, for \(j=1,\ldots ,l\), define the polynomials

$$\begin{aligned} f_j = g_j\prod _{h=j+1}^l(g_h + 1)\;, \end{aligned}$$
(6)

where \(f_j \in {\mathbb {F}}[u_1,\ldots ,u_l,v_1,\ldots ,v_l]\). Clearly in the special case \(j=l\) we have \(f_l=g_l\). Observe that the degree of \(f_j\) is \(l-j+1\).

Given two vectors \(\bar{u}, \bar{v} \in {\mathbb {F}}^l\), the purpose of the set of polynomials \(\lbrace f_j \rbrace _{j=1}^l\) in (6) is to locate the most significant bit in which \(\bar{u}\) and \(\bar{v}\) differ. We prove this in the following lemmas.

Lemma 7

Let \(\bar{u}, \bar{v} \in {\mathbb {F}}^l\), then \(f_j(\bar{u}, \bar{v}) = 1\) for at most one value of j.

Proof

Assume by contradiction that \(f_j(\bar{u}, \bar{v}) = f_i(\bar{u}, \bar{v}) = 1\) for \(i \ne j\). We can assume, without loss of generality, that \(i < j\). By construction of \(f_j\) we must have \(g_j(\bar{u}, \bar{v}) = 1\). But \((g_j + 1) \mid f_i\) since \(i < j\); hence \((g_j+1)(\bar{u},\bar{v})=0\), and therefore \(f_i(\bar{u},\bar{v})=0\), which is a contradiction. \(\square \)

Lemma 8

Let \(\bar{u}, \bar{v} \in {\mathbb {F}}^l\). Then \(f_j(\bar{u}, \bar{v}) = 0\) for every \(j=1,\ldots ,l\) if and only if \(\bar{u} = \bar{v}\).

Proof

We show the first implication. Since \(f_l(\bar{u},\bar{v}) = g_l(\bar{u},\bar{v})=0\), then \(\bar{u}_l=\bar{v}_l\).

We claim that, for any \(1\le k\le l-1\), \(\bar{u}_{k}\) is equal to \(\bar{v}_{k}\), provided that \(\bar{u}_h = \bar{v}_h\) for any \(k+1 \le h \le l\). Notice that \((g_{h}+1) \mid f_{k}\) for every value \(h = k+1,\ldots ,l\). Since \(\bar{u}_{h} = \bar{v}_{h}\) then \((g_{h} + 1)(\bar{u}, \bar{v}) = 1\), for \(h = k+1,\ldots ,l\). This implies \(0 = f_{k}(\bar{u}, \bar{v}) = g_{k}(\bar{u}, \bar{v})\cdot 1=\bar{u}_k+\bar{v}_k\) and therefore \(\bar{u}_{k} = \bar{v}_{k}\).

The first implication follows by an iterated application of our claim from \(k=l-1\) until \(k=1\).

As regards the second implication, \(\bar{u} = \bar{v}\) implies \(\bar{u}_j = \bar{v}_j\) for every \(j = 1,\ldots ,l\), and so \(g_j(\bar{u}, \bar{v}) = 0\). Observe also that, by construction in (6), \(g_j \mid f_j\) for every \(j = 1,\ldots ,l\), which forces \(f_j(\bar{u}, \bar{v})=0\). \(\square \)

Lemma 9

Let \(\bar{u}, \bar{v} \in {\mathbb {F}}^l\) with \(\bar{u} \ne \bar{v}\), then there exists a unique j such that \(f_j(\bar{u},\bar{v}) = 1\). Moreover \(\bar{u}_j\ne \bar{v}_j\) while \(\bar{u}_k = \bar{v}_k\) for every \(k = j+1, \ldots ,l\).

Proof

If \(\bar{u} \ne \bar{v}\) then there exists j such that \(\bar{u}_j \ne \bar{v}_j\). Let j be such that \(\bar{u}_j \ne \bar{v}_j\) and \(\bar{u}_k = \bar{v}_k\) for every \(k>j\). This implies \((g_k +1)(\bar{u} , \bar{v}) = 1\) for each \(k>j\), as well as \(g_j(\bar{u} , \bar{v})=1\), thus \(f_j(\bar{u} , \bar{v}) = 1\). The uniqueness of j follows from Lemma 7.

For the second part of the statement, if there exists \(k > j\) such that \(\bar{u}_k \ne \bar{v}_k\), then \(g_k(\bar{u}_k, \bar{v}_k) = 1\). However, \((g_k +1)\mid f_j\) and \((g_k + 1)(\bar{u}, \bar{v}) = 0\) imply \(f_j(\bar{u}, \bar{v}) = 0\), which is a contradiction. \(\square \)

We are ready to define our function F as in Eq. (5).

Proposition 10

Let \(F = \sum _{j=1}^l f_j\cdot (v_j+1) \in {\mathbb {F}}[u_1,\ldots ,u_l,v_1,\ldots ,v_l]\) and let \(\bar{u}, \bar{v} \in {\mathbb {F}}^l\). Then \(F(\bar{u},\bar{v}) = 0\) if and only if \(\mathtt {int}(\bar{u}) \le \mathtt {int}(\bar{v})\).

Proof

We have two cases: either \(f_j(\bar{u}, \bar{v}) = 0\) for every \(j = 1,\ldots ,l\), or, by Lemma 9, there exists a unique k such that \(f_k(\bar{u},\bar{v}) = 1\).

The first case, due to Lemma 8, is equivalent to \(\bar{u}= \bar{v}\) and thus it corresponds to the equality \(\mathtt {int}(\bar{u})=\mathtt {int}(\bar{v})\). By definition of F, the first case also implies \(F(\bar{u},\bar{v})=0\).

We have thus proved that \(\mathtt {int}(\bar{u})=\mathtt {int}(\bar{v})\) implies \(F(\bar{u},\bar{v})=0\); conversely, \(F(\bar{u},\bar{v})=0\) implies that either \(\mathtt {int}(\bar{u})=\mathtt {int}(\bar{v})\) or we fall into the second case.

In the second case, let \(f_k(\bar{u}, \bar{v}) = 1\) for a certain value k. Lemma 8 implies that \(\mathtt {int}(\bar{u})\ne \mathtt {int}(\bar{v})\), and by Lemma 9 we have \(\bar{u}_j=\bar{v}_j\) for \(k+1\le j\le l\) and \(\bar{u}_k\ne \bar{v}_k\).

If \(\bar{u}_k=0\) and \(\bar{v}_k=1\), then \(\mathtt {int}(\bar{u})<\mathtt {int}(\bar{v})\) and

$$\begin{aligned} F(\bar{u},\bar{v}) = \sum _{j\ne k}f_j(\bar{u},\bar{v})\cdot (\bar{v}_j +1)+f_k(\bar{u},\bar{v})\cdot (\bar{v}_k+1) = \sum _{j\ne k}0\cdot (\bar{v}_j +1)+1\cdot (\bar{v}_k+1)=\bar{v}_k+1=0\;. \end{aligned}$$

If instead \(\bar{u}_k=1\) and \(\bar{v}_k=0\), then \(\mathtt {int}(\bar{u})>\mathtt {int}(\bar{v})\) and

$$\begin{aligned} F(\bar{u},\bar{v}) = \sum _{j\ne k}f_j(\bar{u},\bar{v})\cdot (\bar{v}_j +1)+f_k(\bar{u},\bar{v})\cdot (\bar{v}_k+1) = \sum _{j\ne k}0\cdot (\bar{v}_j +1)+1\cdot (\bar{v}_k+1)=\bar{v}_k+1=1\;. \end{aligned}$$

Either way, if \(\mathtt {int}(\bar{u})\ne \mathtt {int}(\bar{v})\) then \(F(\bar{u},\bar{v})=0\) if and only if \(\mathtt {int}(\bar{u}) < \mathtt {int}(\bar{v})\). \(\square \)
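Proposition 10 can be verified exhaustively for small l. The following sketch (ours) evaluates \(g_h = u_h + v_h\), \(f_j = g_j\prod _{h>j}(g_h+1)\) and \(F = \sum _j f_j(v_j+1)\) over \({\mathbb {F}}_2\) and compares the result against the integer comparison for every pair of vectors.

```python
from itertools import product

def F(u, v):
    """Evaluate F = sum_j f_j * (v_j + 1) over F_2 (index 0 = least significant)."""
    l = len(u)
    g = [u[h] ^ v[h] for h in range(l)]     # g_h evaluated at (u, v)
    total = 0
    for j in range(l):
        f_j = g[j]
        for h in range(j + 1, l):           # product over h = j+1, ..., l
            f_j &= g[h] ^ 1
        total ^= f_j & (v[j] ^ 1)           # f_j * (v_j + 1)
    return total

def to_int(bits):                           # bits[0] is the least significant bit
    return sum(b << i for i, b in enumerate(bits))

# exhaustive check of Proposition 10 for l = 4
for u in product([0, 1], repeat=4):
    for v in product([0, 1], repeat=4):
        assert (F(list(u), list(v)) == 0) == (to_int(u) <= to_int(v))
```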

Observe that the degree of F is equal to \(\deg (f_1)+1=l+1\). Observe also that the degree of F evaluated at \(\bar{v}_1,\ldots ,\bar{v}_l\), which yields a polynomial in \({\mathbb {F}}[u_1,\ldots ,u_l]\), is at most l.

Let \(I_{\mathrm {MLD}}=(\bar{H},\bar{s},\bar{t})\), let \(\bar{v}\) be a vector for which \(\bar{H}\bar{v}^{\top }=\bar{s}^{\top }\) and let \(\bar{t}=(\bar{t}_1,\ldots ,\bar{t}_{\ell })\). We recall that in Sect. 3.2 we defined a set of \(\ell \) Boolean functions \(a_1^{(n)},\ldots ,a_{\ell }^{(n)}\) representing the weight of a length-n vector v; that is, by Corollary 5, \(\mathtt {int}(a_1^{(n)}(\bar{v}),\ldots ,a_{\ell }^{(n)}(\bar{v}))=\mathrm {w}(\bar{v})\).

Then, by Corollary 5 and Proposition 10,

$$\begin{aligned} F\left(a_1^{(n)}(\bar{v}),\ldots ,a_{\ell }^{(n)}(\bar{v}),\bar{t}_1,\ldots ,\bar{t}_{\ell }\right)=0 \end{aligned}$$

if and only if

$$\begin{aligned} \mathrm {w}(\bar{v})\le \mathtt {int}(\bar{t})\;. \end{aligned}$$

Let us consider the following polynomial

$$\begin{aligned} F_{\ell }\in {\mathbb {F}}\left[a_1^{(n)},\ldots ,a_{\ell }^{(n)},t_1,\ldots ,t_{\ell }\right]\;, \end{aligned}$$

which is obtained by rewriting F in the variables \(a_1^{(n)},\ldots ,a_{\ell }^{(n)}\) and in the new variables \(t_1,\ldots ,t_{\ell }\). Clearly, \(F_{\ell }(a_1^{(n)},\ldots ,a_{\ell }^{(n)},t_1,\ldots ,t_{\ell })=0\) encodes the constraint \(\mathrm {w}(\bar{v})\le \mathtt {int}(\bar{t})\). Moreover, the degree of \(F_{\ell }(a_1^{(n)},\ldots ,a_{\ell }^{(n)},\bar{t}_1,\ldots , \bar{t}_{\ell })\in {\mathbb {F}}[a_1^{(n)},\ldots ,a_{\ell }^{(n)}]\) is at most \(\ell \). By applying the map \(\mathtt {quadr}()\) to \(F_{\ell }\) (see Remark 1) we obtain the system of quadratic equations

$$\begin{aligned} \mathtt {wce}_{n,m} = \mathtt {quadr}\left( \lbrace F_{\ell } \rbrace \right) \;. \end{aligned}$$

Lemma 11

\(\mathtt {wce}_{n,m}(I_{\mathrm {MLD}})\) is a system of \(\mathcal {O}(n\ell )\) quadratic equations in \(\mathcal {O}(n\ell )\) variables.

Proof

Since the degree of \(F_{\ell }\) is at most \(\ell \) and the size of its support, i.e. the number of monomials, is at most \(2^{\ell }\), by applying \(\mathtt {quadr}()\) we obtain a system with at most \(2^{\ell }\ell \) equations in \(2^{\ell }\ell \) variables. However, \(2^{\ell }\le 2n\), and so the system contains \(\mathcal {O}(n\ell )\) equations in \(\mathcal {O}(n\ell )\) variables. \(\square \)

3.4 MLD to MQ

By combining the results of Sects. 3.1, 3.2 and 3.3, we construct the reduction \(\alpha _{n,m}\), a function mapping MLD instances to MQ instances.

Theorem 12

Let \(I_{\mathrm {MLD}} = (\bar{H},\bar{s},\bar{t})\) and let \(\alpha _{n,m}:\mathrm {MLD} \rightarrow \mathrm {MQ}\) be defined by

$$\begin{aligned} \alpha _{n,m}(\bar{H},\bar{s},\bar{t}) = \mathtt {pcce}_{n,m}(\bar{H},\bar{s},\bar{t}) \cup \mathtt {hwce}_{n,m}(\bar{H},\bar{s},\bar{t}) \cup \mathtt {wce}_{n,m}(\bar{H},\bar{s},\bar{t})\;. \end{aligned}$$

If \(\bar{u}\) is a witness of \(\alpha _{n,m}(I_{\mathrm {MLD}})\) then it is also a witness of \(I_{\mathrm {MLD}}\).

Proof

By ordering the variables according to their first appearance in the construction, the first n variables in \(\alpha _{n,m}(I_{\mathrm {MLD}})\) are \(v_1,\ldots ,v_n\), and the first n bits of a witness \(\bar{u}\) for \(\alpha _{n,m}(I_{\mathrm {MLD}})\) are the values \(\bar{v}_1,\ldots ,\bar{v}_n\). Let us call \(\bar{v}=(\bar{v}_1,\ldots ,\bar{v}_n)\).

The set \(\mathtt {pcce}_{n,m}(\bar{H},\bar{s},\bar{t})\) contains only equations in the variables \(v_1,\ldots ,v_n\). Therefore, since \(\bar{u}\) is a witness for \(\alpha _{n,m}(I_{\mathrm {MLD}})\), we have \(f(\bar{u})=0\) for every \(f \in \mathtt {pcce}_{n,m}(\bar{H},\bar{s},\bar{t})\), meaning that \(\bar{H}\bar{v}^{\top }= \bar{s}^{\top }\).

From Corollary 5, we can use the polynomials in \(\mathtt {hwce}_{n,m}(\bar{H},\bar{s},\bar{t})\) to compute the binary expansion of the weight \(\mathrm {w}(\bar{v})\). More precisely, we have that

$$\begin{aligned} \mathtt {int}\left( a^{(n)}_1(\bar{v}), \ldots , a^{(n)}_{\ell }(\bar{v})\right) = \mathrm {w}(\bar{v})\;. \end{aligned}$$

Finally, since \(F_{\ell }\left( a^{(n)}_1(\bar{v}), \ldots , a^{(n)}_{\ell }(\bar{v}), \bar{t}\right) = 0\), by Proposition 10 we have \(\mathrm {w}(\bar{v}) \le \mathtt {int}(\bar{t})\). \(\square \)

Theorem 13

Let (nm) be the complexity parameters of \(I_{\mathrm {MLD}}\) and let \(I_{\mathrm {MQ}}=\alpha _{n,m}(I_{\mathrm {MLD}})\). Then, the complexity parameters \((\mathsf {n},\mathsf {m})\) of \(I_{\mathrm {MQ}}\) are in \(\mathcal {O}(n\log _2^2n)\).

Proof

We analyse the three sub-systems separately.

  • According to Lemma 2, \(\mathtt {pcce}_{n,m}(I_{\mathrm {MLD}})\) is a linear system with m equations and n variables.

  • As described by Lemma 6, \(\mathtt {hwce}_{n,m}(I_{\mathrm {MLD}})\) is a quadratic system of \(\mathcal {O}(n\ell ^2)\) equations in \(\mathcal {O}(n\ell ^2)\) variables.

  • In the weight-constraint step described in Sect. 3.3, we introduce a quadratic system \(\mathtt {wce}_{n,m}(I_{\mathrm {MLD}})\) containing \(\mathcal {O}(n\ell )\) equations and variables, as stated in Lemma 11.

By putting everything together, and recalling that \(\ell =\mathcal {O}(\log _2 n)\), the complexity parameters \((\mathsf {n},\mathsf {m})\) of \(\alpha _{n,m}(I_{\mathrm {MLD}})\) are dominated by the \(\mathcal {O}(n\ell ^2)\) contribution, i.e. they are in \(\mathcal {O}(n\log _2^2n)\). \(\square \)

4 MQ to MLD reduction

In this section we construct a reduction \(\beta :\mathrm {MQ}\rightarrow \mathrm {MLD}\). We consider a general system of equations and bring it into standard form S, as defined in Definition 3, by using the procedure hinted at in the proof of Lemma 1. The result of the process will be an instance \(\beta (I_{\mathrm {MQ}}) = (H,s,t)\in \mathrm {MLD}\), with \(H \in {\mathbb {F}}^{m\times n}\) and \(s \in {\mathbb {F}}^m\) for some \(m,n,t \in {\mathbb {Z}}^+\). The key idea is to treat the two different types of equations in S separately. First we create one part of the MLD instance according to the quadratic equations in S, and then we complete the work by integrating the linear ones. We also build a transformation that takes as input a solution of \(\beta (I_{\mathrm {MQ}})\) and outputs a solution of \(I_{\mathrm {MQ}}\), proving that \(\beta \) is indeed a reduction between the two problems.

4.1 Quadratic equations

Consider a system S containing solely the equation \(xy+z =0\) and let \(I= \langle xy+z\rangle \subset {\mathbb {F}}[x,y,z]\) be the principal ideal generated by S. The associated variety \(\mathcal {V}_{{\mathbb {F}}}(I) \subset {\mathbb {F}}^3\) is

$$\begin{aligned} \mathcal {V}_{{\mathbb {F}}}(I) = \lbrace (0,0,0), (1,0,0),(0,1,0),(1,1,1)\rbrace . \end{aligned}$$
(7)

Lemma 14

Let \(\widehat{C}\) be the linear code generated by the generator matrix

$$\begin{aligned} \widehat{G} = \begin{bmatrix} 1 &amp; 0 &amp; 0 &amp; 1 &amp; 1 &amp; 0 &amp; 0 &amp; 1 &amp; 1 &amp; 1\\ 0 &amp; 1 &amp; 0 &amp; 0 &amp; 0 &amp; 1 &amp; 1 &amp; 1 &amp; 1 &amp; 1\\ 0 &amp; 0 &amp; 1 &amp; 1 &amp; 1 &amp; 1 &amp; 1 &amp; 1 &amp; 1 &amp; 1 \end{bmatrix}\;, \end{aligned}$$
(8)

let

$$\begin{aligned} \widehat{\epsilon } = (0,0,0,0,0,0,0,1,1,1)\;, \end{aligned}$$

let \(\widehat{\Sigma }\) be the coset \(\widehat{\epsilon }+\widehat{C}\subseteq {\mathbb {F}}^{10}\) and let \(v\in \widehat{\Sigma }\).

Then, v has weight at most 3 if and only if \(\tau _3(v)\in \mathcal {V}_{{\mathbb {F}}}(I)\) as in (7).

Proof

It follows by direct inspection of the 8 vectors in \(\widehat{\Sigma }\). \(\square \)

The truncation map present in the statement of the previous Lemma, \(\tau _3 : {\mathbb {F}}^{10} \rightarrow {\mathbb {F}}^{3}\) defined as \(\tau _3(\bar{v}_1,\bar{v}_2,\bar{v}_3,\bar{v}_4,\bar{v}_5,\bar{v}_6, \bar{v}_7,\bar{v}_8,\bar{v}_9,\bar{v}_{10}) = (\bar{v}_1, \bar{v}_2, \bar{v}_3)\), can be represented in matrix form as

$$\begin{aligned} M_{\tau _3} = \left[ \begin{array}{c} {\mathbb {I}}_3\\ \hline \mathbf {0} \end{array}\right] \;, \end{aligned}$$

where \({\mathbb {I}}_3\) is the identity matrix of dimension 3 and \(\mathbf {0}\) is the \(7 \times 3\) zero matrix, namely

$$\begin{aligned} \tau _3(\bar{v})=\bar{v}M_{\tau _3}\;. \end{aligned}$$

Proposition 15

Let \(\widehat{H}\) be a parity-check matrix for the code \(\widehat{C}\) generated by \(\widehat{G}\) as defined in Lemma 14, let \(\widehat{s}=\widehat{H}\cdot \widehat{\epsilon }^{\top }\) and let \(\widehat{t}=3\). Let \(\widehat{W}\subset \widehat{\Sigma }\) be the set of witnesses of the MLD instance \(I_{\mathrm {MLD}}=(\,\widehat{H},\widehat{s},\widehat{t}\,)\) and let \(\mathcal {V}_{{\mathbb {F}}}(I)\) be as in (7). Then \(\mathcal {V}_{{\mathbb {F}}}(I)=\tau _3(\widehat{W})\).

Proof

It follows by Lemma 14 and the well-known bijection between cosets and syndromes (once the parity-check matrix has been chosen). \(\square \)

Remark 1

The witnesses of the MLD instance \((\,\widehat{H},\widehat{s},\widehat{t}\,)\) we constructed, i.e. solutions of \(\widehat{H}v^{\top }=\widehat{s}^{\top }\) with weight at most \(\widehat{t}=3\), have Hamming weight exactly 3, which is the weight of any coset leader (e.g. \(\widehat{\epsilon }\)). Notice that the remaining solutions of \(\widehat{H}v^{\top }=\widehat{s}^{\top }\) have weight at least 5. This gap in the weight is crucial for the generalisation we are going to give next.
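The direct inspection invoked in Lemma 14, and the weight gap noted in this remark, can be reproduced by enumerating the coset. The following sketch (ours) builds \(\widehat{\epsilon }+\widehat{C}\) from \(\widehat{G}\), confirms that the weight-3 vectors truncate exactly onto \(\mathcal {V}_{{\mathbb {F}}}(I)\), and that every other coset vector has weight at least 5.

```python
from itertools import product

G = [
    (1, 0, 0, 1, 1, 0, 0, 1, 1, 1),
    (0, 1, 0, 0, 0, 1, 1, 1, 1, 1),
    (0, 0, 1, 1, 1, 1, 1, 1, 1, 1),
]
eps = (0, 0, 0, 0, 0, 0, 0, 1, 1, 1)

# enumerate the coset eps + C: add each of the 8 codewords to eps over F_2
coset = []
for c in product([0, 1], repeat=3):
    word = list(eps)
    for ci, row in zip(c, G):
        if ci:
            word = [a ^ b for a, b in zip(word, row)]
    coset.append(tuple(word))

witnesses = [w for w in coset if sum(w) <= 3]          # weight exactly 3
variety = {(0, 0, 0), (1, 0, 0), (0, 1, 0), (1, 1, 1)}  # V(I) for xy + z = 0
assert {w[:3] for w in witnesses} == variety           # tau_3(witnesses) = V(I)
assert all(sum(w) >= 5 for w in coset if sum(w) > 3)   # the weight gap
```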

We now extend the construction in Proposition 15 to a standard-form system S that contains more than one quadratic equation. Assume that S contains q quadratic equations \(f_i\) of the form \(x_iy_i+z_i=0\), for \(i = 1,\ldots ,q\). Recall that, by Definition 3, such equations do not share any variable with each other. Consider the ideal \(J = \langle f_1, \ldots , f_q \rangle \subset {\mathbb {F}}[\{x_i,y_i,z_i\}_{i=1,\ldots ,q}]\). The variety \(\mathcal {V}_{{\mathbb {F}}}(J)\) can be seen as

$$\begin{aligned} \mathcal {V}_{{\mathbb {F}}}(J) = \underbrace{\mathcal {V}_{{\mathbb {F}}}(I) \times \mathcal {V}_{{\mathbb {F}}}(I) \times \cdots \times \mathcal {V}_{{\mathbb {F}}}(I) }_\text {q} \subset {\mathbb {F}}^{3q}\;, \end{aligned}$$
(9)

where \(\mathcal {V}_{{\mathbb {F}}}(I)\) is as in (7). To address the case of standard-form systems consisting only of quadratic equations, we construct a new parity-check matrix as the block-diagonal matrix \(\widetilde{H}\) of size \(7q\times 10q\)

$$\begin{aligned} \widetilde{H} = \begin{bmatrix} \widehat{H} &amp; \cdots &amp; 0\\ \vdots &amp; \ddots &amp; \vdots \\ 0 &amp; \cdots &amp; \widehat{H} \end{bmatrix}\;, \end{aligned}$$

where \(\widehat{H}\) is a parity-check matrix for the code generated by \(\widehat{G}\) in Eq. (8). Obviously, the null space of \(\widetilde{H}\) is the direct product of q copies of \(\widehat{C}\), i.e.

$$\begin{aligned} \underbrace{\widehat{C} \times \widehat{C} \times \cdots \times \widehat{C} }_\text {q} \subset {\mathbb {F}}^{10q}\;. \end{aligned}$$

Define \(\widetilde{\Sigma } = \overbrace{\widehat{\Sigma } \times \widehat{\Sigma } \times \cdots \times \widehat{\Sigma } }^\text {q}\), \(\widetilde{t} = 3q\) and \(\widetilde{\epsilon } = (\,\overbrace{\widehat{\epsilon } \Vert \widehat{\epsilon } \Vert \cdots \Vert \widehat{\epsilon }}^\text {q}\,)\) where \(\Vert \) denotes vector concatenation. With this setting, for any \(\widetilde{v}\in \widetilde{\Sigma }\), we can write \(\widetilde{v} = \left( \widehat{v}^{(1)} \Vert \widehat{v}^{(2)} \Vert \cdots \Vert \widehat{v}^{(q)}\right) \) with \(\widehat{v}^{(i)} \in \widehat{\Sigma }\) for any i. In the following lemma \(\widehat{W}\) is the set of vectors in \(\widehat{\Sigma }\) with weight at most \(\widehat{t}\), as defined in Proposition 15.

Lemma 16

Let \(\widetilde{W} = \lbrace \widetilde{v} \in \widetilde{\Sigma } \mid \mathrm {w}(\widetilde{v}) \le \widetilde{t} \rbrace \). Then \(\widetilde{W} = \underbrace{\widehat{W}\times \widehat{W}\times \cdots \times \widehat{W}}_\text {q}\).

Proof

Notice that, by Remark 1, \(\mathrm {w}(\widehat{v})=\widehat{t}= 3\) for every \(\widehat{v} \in \widehat{W}\). So \(\mathrm {w}(\widetilde{v}) = \widetilde{t} = 3q\) for every \(\widetilde{v} \in \widehat{W}\times \widehat{W}\times \cdots \times \widehat{W}\). Therefore \(\widetilde{W} \supseteq \widehat{W}\times \widehat{W}\times \cdots \times \widehat{W}\).

To prove the other inclusion consider \(\widetilde{v} \in \widetilde{W} \).

Then \(\widetilde{v}\) can be written as a concatenation of q vectors in \(\widehat{\Sigma }\), each of which, by Remark 1, has Hamming weight at least 3, and \(\mathrm {w}(\widetilde{v}) =\sum _{i=1}^q\mathrm {w}(\widehat{v}^{(i)})\). If some \(\widehat{v}^{(i)}\) had weight more than 3, then the weight of \(\widetilde{v}\) would be strictly larger than 3q. Therefore, all the \(\widehat{v}^{(i)}\) must have weight exactly 3. This proves \(\widetilde{W} \subseteq \widehat{W}\times \widehat{W}\times \cdots \times \widehat{W}\). \(\square \)
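Lemma 16 can be checked exhaustively for small q. The following sketch (ours) rebuilds the coset \(\widehat{\Sigma }\) from \(\widehat{G}\) and \(\widehat{\epsilon }\), and verifies for \(q=2\) that the elements of \(\widetilde{\Sigma }\) of weight at most \(3q=6\) are exactly the concatenations of two weight-3 witnesses.

```python
from itertools import product

G = [
    (1, 0, 0, 1, 1, 0, 0, 1, 1, 1),
    (0, 1, 0, 0, 0, 1, 1, 1, 1, 1),
    (0, 0, 1, 1, 1, 1, 1, 1, 1, 1),
]
eps = (0, 0, 0, 0, 0, 0, 0, 1, 1, 1)

def coset_vectors():
    """Enumerate the 8 vectors of the coset eps + C over F_2."""
    out = []
    for c in product([0, 1], repeat=3):
        w = list(eps)
        for ci, row in zip(c, G):
            if ci:
                w = [a ^ b for a, b in zip(w, row)]
        out.append(tuple(w))
    return out

Sigma_hat = coset_vectors()
W_hat = [v for v in Sigma_hat if sum(v) <= 3]   # witnesses: weight exactly 3

# W_tilde for q = 2: weight-at-most-6 elements of Sigma_hat x Sigma_hat
W_tilde = sorted(a + b for a in Sigma_hat for b in Sigma_hat
                 if sum(a) + sum(b) <= 6)
assert W_tilde == sorted(a + b for a in W_hat for b in W_hat)
```

The weight gap of Remark 1 is what makes the equality work: since every non-witness coset vector has weight at least 5, any concatenation containing one exceeds the bound 3q.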

Consider the truncation map \(\tau : {\mathbb {F}}^{10q} \rightarrow {\mathbb {F}}^{3q}\) whose matrix representation is

$$\begin{aligned} M_{\tau } = \begin{bmatrix} M_{\tau _3} &amp; \cdots &amp; 0\\ \vdots &amp; \ddots &amp; \vdots \\ 0 &amp; \cdots &amp; M_{\tau _3} \end{bmatrix}\;. \end{aligned}$$
(10)

The following lemma proves a property of \(\tau \) that will be useful in the proof of the subsequent theorem.

Lemma 17

Let \(\widetilde{v} \in \widetilde{\Sigma }\) then \(\tau (\widetilde{v}) = \left( \tau _3(\widehat{v}^{(1)}),\ldots , \tau _3(\widehat{v}^{(q)})\right) \) where \(\widehat{v}^{(i)} \in \widehat{\Sigma }\) for every \(i=1,\ldots ,q\).

Proof

Considering the matrix representation of \(\tau \), we obtain

$$\begin{aligned} \tau (\widetilde{v})&amp;= \widetilde{v}M_{\tau } \\&amp;= \begin{pmatrix} \widehat{v}^{(1)} \Vert \cdots \Vert \widehat{v}^{(q)} \end{pmatrix} \begin{bmatrix} M_{\tau _3} &amp; \cdots &amp; 0\\ \vdots &amp; \ddots &amp; \vdots \\ 0 &amp; \cdots &amp; M_{\tau _3} \end{bmatrix} \\&amp;= \left( \widehat{v}^{(1)}M_{\tau _3},\ldots ,\widehat{v}^{(q)}M_{\tau _3}\right) \\&amp;= \left( \tau _3(\widehat{v}^{(1)}),\ldots , \tau _3(\widehat{v}^{(q)})\right) \;. \end{aligned}$$

\(\square \)

Proposition 18

Set \(\widetilde{s} = \widetilde{H}\widetilde{\epsilon }^{\top }\); then \(\widetilde{W}\) is the set of witnesses of the MLD instance \(\left( \widetilde{H},\widetilde{s},\widetilde{t} \right) \). Moreover \(\mathcal {V}_{{\mathbb {F}}}(J) = \tau (\widetilde{W})\).

Proof

We need to prove that given \(\widetilde{v} \in \widetilde{W}\) it holds \(\widetilde{H}\widetilde{v}^\top = \widetilde{s}\) and \(\mathrm {w}(\widetilde{v}) \le \widetilde{t}\). The null space of \(\widetilde{H}\) is \(\widetilde{H}^\bot = \widehat{C} \times \widehat{C} \times \cdots \times \widehat{C} \). Observe that

$$\begin{aligned} \begin{aligned} \widetilde{\Sigma }&= \widehat{\Sigma } \times \widehat{\Sigma } \times \cdots \times \widehat{\Sigma } \\&= \left( \widehat{C}+\widehat{\epsilon } \right) \times \left( \widehat{C}+\widehat{\epsilon } \right) \times \cdots \times \left( \widehat{C}+\widehat{\epsilon } \right) \\&= \left( \widehat{C} \times \widehat{C} \times \cdots \times \widehat{C} \right) + \widetilde{\epsilon } \\&= \widetilde{H}^\bot + \widetilde{\epsilon } = \lbrace v + \widetilde{\epsilon } \mid v \in \widehat{C} \times \widehat{C} \times \cdots \times \widehat{C} \rbrace \end{aligned} \end{aligned}$$

Therefore, for every \(\widetilde{v} \in \widetilde{\Sigma }\), writing \(\widetilde{v} = c + \widetilde{\epsilon }\) with \(c \in \widetilde{H}^\bot \), we have \(\widetilde{H}\widetilde{v}^\top = \widetilde{H}c^\top + \widetilde{H}\widetilde{\epsilon }^\top = \widetilde{s}\). Considering \(\widetilde{v} \in \widetilde{W} \subset \widetilde{\Sigma }\) we also obtain \(\mathrm {w}(\widetilde{v}) \le \widetilde{t}\).

For the second claim we have, by Lemmas 16 and 17, that

$$\begin{aligned} \begin{aligned} \tau \left( \widetilde{W} \right)&= \tau \left( \widehat{W}\times \widehat{W}\times \cdots \times \widehat{W} \right) \\&= \tau _3(\widehat{W})\times \ldots \times \tau _3(\widehat{W}) \\&= \mathcal {V}_{{\mathbb {F}}}(I) \times \mathcal {V}_{{\mathbb {F}}}(I) \times \cdots \times \mathcal {V}_{{\mathbb {F}}}(I) \\&= \mathcal {V}_{{\mathbb {F}}}(J)\;, \end{aligned} \end{aligned}$$

where the last two equalities hold due to Proposition 15 and Eq. (9). \(\square \)

4.2 Linear equations

Let S be a standard-form system containing q quadratic equations. Due to Definition 3, S is a system in exactly 3q variables. We can thus write \(S \subset {\mathbb {F}}[x_1, \ldots , x_{3q}]\).

Remark 2

Consider a linear polynomial f in \({\mathbb {F}}[x_1,\ldots ,x_{3q}]\) for some value of \(q \in {\mathbb {Z}}^+\). We can write \(f = \sum _{i=1}^{3q}a_ix_i + \delta \) and define the vector of its coefficients \(a_f = (a_1,\ldots ,a_{3q}) \in {\mathbb {F}}^{3q}\). Notice that the vector \(a_f\) contains only the coefficients of \(x_1,\ldots ,x_{3q}\) and not the term \(\delta \). With this notation we observe that \(\bar{w} \in {\mathbb {F}}^{3q}\) belongs to \(\mathcal {V}_{{\mathbb {F}}}(\langle f \rangle )\) if and only if the product \(\bar{w}\cdot a_f^\top = \delta \).
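The observation in Remark 2 is a one-line computation over \({\mathbb {F}}_2\); the following sketch (ours, with example coefficients of our choosing) verifies it exhaustively for a small coefficient vector.

```python
from itertools import product

def remark2_check(a_f, delta):
    """Verify: w is a zero of f = sum a_i x_i + delta  iff  w . a_f = delta."""
    for w in product([0, 1], repeat=len(a_f)):
        dot = sum(wi & ai for wi, ai in zip(w, a_f)) % 2  # w . a_f over F_2
        f_w = (dot + delta) % 2                           # f evaluated at w
        if (f_w == 0) != (dot == delta):
            return False
    return True

assert remark2_check([1, 0, 1, 1, 0, 0], 1)   # example coefficients (ours)
```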

The reduction introduced in Sect. 4.1 deals with standard-form systems that include only quadratic equations. This reduction is formalised in Proposition 18 as a map taking as input a system of q equations in 3q variables and outputting an MLD instance corresponding to a \(7q\times 10q\) parity-check matrix. To deal with linear equations we need a map \(\nu \) sending a linear polynomial in \({\mathbb {F}}[x_1,\ldots ,x_{3q}]\) to a vector in \({\mathbb {F}}^{10q}\). We define \(\nu \) as

$$\begin{aligned} \nu (f) = a_fM_{\tau }^\top \;, \end{aligned}$$

with \(M_{\tau }\) as in (10).

Example 2

Assume \(q=2\), then we are working in \({\mathbb {F}}[x_1,\ldots ,x_{6}]\). Let \(f = x_1 + x_3 + x_5\) and \(a_f = (1,0,1,0,1,0)\). Since \(q=2\) then \(M_{\tau }^\top \) is the matrix

$$\begin{aligned} M_{\tau }^\top = \left[ \begin{array}{cc|cc} {\mathbb {I}}_3 &amp; \mathbf {0} &amp; \mathbf {0} &amp; \mathbf {0}\\ \hline \mathbf {0} &amp; \mathbf {0} &amp; {\mathbb {I}}_3 &amp; \mathbf {0} \end{array}\right] \;. \end{aligned}$$

We obtain

$$\begin{aligned} \nu (f) = a_fM_{\tau }^\top = (1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0)\;. \end{aligned}$$
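Because of the block structure of \(M_{\tau }^\top \), the map \(\nu \) simply places each block of three coefficients of \(a_f\) at the start of the corresponding ten-bit block. The following sketch (ours) implements this shortcut and reproduces Example 2.

```python
def nu(a_f):
    """Map a coefficient vector a_f in F^{3q} to F^{10q}, q = len(a_f) // 3."""
    out = []
    for i in range(0, len(a_f), 3):
        out.extend(a_f[i:i + 3] + [0] * 7)   # 3 coefficients, then 7 zeros
    return out

a_f = [1, 0, 1, 0, 1, 0]                     # f = x1 + x3 + x5, q = 2
assert nu(a_f) == [1, 0, 1, 0, 0, 0, 0, 0, 0, 0,
                   0, 1, 0, 0, 0, 0, 0, 0, 0, 0]
```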

The following lemma will be used to prove the correctness of our reduction.

Lemma 19

Let \(f = \sum _{i=1}^{3q}a_ix_i + \delta \in {\mathbb {F}}[x_1,\ldots ,x_{3q}]\) be a linear polynomial. Let \(\widetilde{v} \in {\mathbb {F}}^{10q}\). \(\widetilde{v}\cdot \nu (f)^\top =\delta \) if and only if \( \tau (\widetilde{v}) \in \mathcal {V}_{{\mathbb {F}}}(\langle f \rangle ). \)

Proof

By Remark 2, observing that

$$\begin{aligned} \widetilde{v}\cdot \nu (f)^\top = \widetilde{v}\cdot \left( a_fM_{\tau }^\top \right) ^\top = \widetilde{v}M_{\tau }a_f^\top = \left( \widetilde{v} M_{\tau }\right) \cdot a_f^\top = \tau (\widetilde{v})\cdot a_f^\top \;. \end{aligned}$$

\(\square \)

We now construct the MLD instance \(\left( H,s,t \right) \) for a general MQ system. The basic idea is to see the parity-check matrix \(\widetilde{H}\) we built so far as a matrix of coefficients for an equation system. Adding rows to the matrix means adding new equations to the system and thus reducing the solution space. Consider a standard-form system \(S \subset {\mathbb {F}}[x_1,\ldots , x_{3q}]\) containing q quadratic equations and \(\lambda \) linear equations, as in Definition 3. Let \(K = \langle S \rangle \) and let \(\mathcal {V}_{{\mathbb {F}}}(K) \subset {\mathbb {F}}^{3q}\) be its variety. Denote by \(S_Q \subset S\) the subset of quadratic equations in S, and by \(\langle S_Q \rangle \) the ideal generated by it.

Let also \(\left( \widetilde{H}, \widetilde{s}, \widetilde{t}\right) \) be the MLD instance corresponding to \(S_Q\). Let \(\lbrace f_1,\ldots ,f_{\lambda } \rbrace \subset S\) be the set of linear equations of S. We build a parity-check matrix H as follows

$$\begin{aligned} H = \begin{bmatrix} \widetilde{H}\\ \nu (f_1)\\ \vdots \\ \nu (f_\lambda ) \end{bmatrix} \in {\mathbb {F}}^{(7q+\lambda ) \times 10q} \end{aligned}$$
(11)

Consider the following syndrome vector

$$\begin{aligned} s = \widetilde{s} \Vert \delta _1 \Vert \cdots \Vert \delta _{\lambda }\;, \end{aligned}$$

where \(f_i(0)=\delta _i\) for any i, and set \(t = \widetilde{t} = 3q\).

Consider furthermore the set \(W = \lbrace \widetilde{v} \in \widetilde{W} \mid \widetilde{v}\cdot \nu (f_i)^\top = \delta _i \;\forall i=1,\ldots ,\lambda \rbrace \subset \widetilde{W}\).

Theorem 20

W is the set of witnesses for the MLD instance \(\left( H,s,t\right) \). Moreover \(\mathcal {V}_{{\mathbb {F}}}(K) = \tau \left( W \right) \).

Proof

We need to prove that given \(\widetilde{v} \in W\) it holds \(H\widetilde{v}^\top = s^\top \) and \(\mathrm {w}(\widetilde{v}) \le t\). By definition of W, we obtain that \(\widetilde{v}\in W\) implies \(\widetilde{v} \in \widetilde{W}\), which means \(\mathrm {w}(\widetilde{v}) \le \widetilde{t}\) and also \(\widetilde{H}\widetilde{v}^\top = \widetilde{s}^\top \). Moreover we have \(\widetilde{v}\cdot \nu (f_i)^\top = \delta _i\) for every \(i=1,\ldots ,\lambda \) implying

$$\begin{aligned} \begin{bmatrix} \widetilde{H}\\ \nu (f_1)\\ \vdots \\ \nu (f_{\lambda }) \end{bmatrix} \widetilde{v}^\top = \begin{pmatrix}\widetilde{s}\\ \delta _1\\ \vdots \\ \delta _{\lambda }\end{pmatrix} = s^\top \;. \end{aligned}$$

Due to Lemma 19 we have \(\tau (\widetilde{v}) \in \mathcal {V}_{{\mathbb {F}}}(\langle f_i\rangle )\) for \(i=1,\ldots ,\lambda \). Therefore \(\tau (\widetilde{v}) \in \bigcap _{i=1}^{\lambda } \mathcal {V}_{{\mathbb {F}}}(\langle f_i\rangle ) = \mathcal {V}_{{\mathbb {F}}}(\langle f_1,\ldots ,f_{\lambda }\rangle )\). Since by Proposition 18 we have \(\tau (\widetilde{v}) \in \mathcal {V}_{{\mathbb {F}}}(\langle S_Q \rangle )\), then \(\tau (\widetilde{v})\in \mathcal {V}_{{\mathbb {F}}}(\langle S_Q \rangle ) \cap \mathcal {V}_{{\mathbb {F}}}(\langle f_1,\ldots ,f_{\lambda }\rangle ) = \mathcal {V}_{{\mathbb {F}}}(\langle S \rangle ) = \mathcal {V}_{{\mathbb {F}}}(K)\).

On the other hand, let \(z \in \mathcal {V}_{{\mathbb {F}}}(K) = \mathcal {V}_{{\mathbb {F}}}(\langle S_Q \rangle ) \cap \mathcal {V}_{{\mathbb {F}}}(\langle f_1,\ldots ,f_{\lambda }\rangle ) = \tau (\widetilde{W})\cap \mathcal {V}_{{\mathbb {F}}}(\langle f_1,\ldots ,f_{\lambda }\rangle ) \subseteq \tau (\widetilde{W})\), where the second equality comes from Proposition 18. Therefore there exists \(z' \in \widetilde{W}\) such that \(z = \tau (z')\). Since \(a_{f_i}\cdot z^\top = a_{f_i}\cdot \tau (z')^\top = \delta _i\) for every \(i=1,\ldots ,\lambda \), by Lemma 19 this implies \(\nu (f_i)\cdot z'^\top = \delta _i\), and therefore \(z \in \tau (W)\). \(\square \)

We can now define the map \(\beta : \mathrm {MQ} \rightarrow \mathrm {MLD}\) as follows

$$\begin{aligned} \beta (S) = \left( H,s,t\right) \; \end{aligned}$$

where H, s and t are as in Theorem 20. We now prove that a witness of such an instance can be transformed into a witness of S by applying the truncation \(\tau \).
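The assembly behind \(\beta \) amounts to stacking the rows \(\nu (f_i)\) under \(\widetilde{H}\) and appending the constants \(\delta _i\) to \(\widetilde{s}\), as in the displayed equation of the previous proof. The following is a minimal Python sketch over GF(2); the helper names (`beta_assemble`, `matvec_gf2`) and the toy data are illustrative, not taken from the paper.

```python
# Schematic sketch of the instance (H, s, t) from Theorem 20.
# Matrices are lists of 0/1 rows; all arithmetic is modulo 2.

def matvec_gf2(M, v):
    """Matrix-vector product over GF(2)."""
    return [sum(m_ij * v_j for m_ij, v_j in zip(row, v)) % 2 for row in M]

def beta_assemble(H_tilde, s_tilde, nu_rows, deltas, t):
    """Stack H = [H~ ; nu(f_1); ... ; nu(f_lambda)] and extend the syndrome."""
    H = H_tilde + nu_rows          # row-wise stacking
    s = s_tilde + deltas           # extended syndrome (s~, delta_1, ..., delta_lambda)
    return H, s, t

# Toy check: any v satisfying both the H~-syndrome equation and the
# linear constraints nu(f_i) . v = delta_i also satisfies H v = s.
H_tilde = [[1, 0, 1, 0], [0, 1, 1, 1]]
nu_rows = [[1, 1, 0, 0], [0, 0, 1, 1]]
v = [1, 0, 1, 0]
s_tilde = matvec_gf2(H_tilde, v)
deltas = matvec_gf2(nu_rows, v)
H, s, t = beta_assemble(H_tilde, s_tilde, nu_rows, deltas, t=2)
assert matvec_gf2(H, v) == s
```

The sketch only mirrors the block structure of (11); the actual rows of \(\widetilde{H}\) and \(\nu (f_i)\) are those produced by the construction in Sect. 4.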

Theorem 21

Let \(I_{\mathrm {MQ}} = S\), where S is a standard-form system of quadratic equations. If \(\widetilde{v} \in {\mathbb {F}}^{10q}\) is a solution of \(\beta (I_{\mathrm {MQ}})\), then \(\tau (\widetilde{v})\) is a solution of \(I_{\mathrm {MQ}}\).

Proof

Let \(K = \langle S \rangle \) and apply Theorem 20. If \(\widetilde{v}\) solves \(\beta (I_{\mathrm {MQ}}) = \left( H,s,t \right) \) then \(\tau (\widetilde{v}) \in \mathcal {V}_{{\mathbb {F}}}(K)\), i.e. \(\tau (\widetilde{v})\) is a solution of S. \(\square \)

Theorem 22

Given a MQ system \(S \in {\mathbb {F}}[x_1,\ldots ,x_{\mathsf {n}}]\) consisting of \(\mathsf {m}\) equations, the reduction \(\beta \) runs in polynomial space bounded by \(\mathcal {O}(\mathsf {n}^4\mathsf {m}^2)\).

Proof

Recall that by Lemma 1 we can transform S into a standard form system \(S'\) in \(\mathcal {O}(\mathsf {n}^2\mathsf {m})\) operations. This process produces \(S' = S'_Q \cup S'_L\), where \(S'_Q\) and \(S'_L\) are the sets of quadratic and linear equations, respectively. Let \(q= |S'_Q| \le \mathsf {m}\left( \frac{\mathsf {n}(\mathsf {n}-1)}{2}\right) \le \mathsf {m}\mathsf {n}^2\) and \(\lambda = |S'_L| \le \mathsf {m}\left( \frac{3\mathsf {n}^2-\mathsf {n}}{2}-2\right) \le \frac{3}{2}\mathsf {m}\mathsf {n}^2\). We estimate only the space needed to construct the matrix H, since s and t have significantly smaller size.

The matrix H generated via \(\beta \) has dimension \((7q+\lambda ) \times 10q\), as in (11), and therefore takes space at most

$$\begin{aligned} \left( 7\mathsf {m}\mathsf {n}^2 + \frac{3}{2}\mathsf {m}\mathsf {n}^2\right) \cdot 10\mathsf {m}\mathsf {n}^2= 85\mathsf {m}^2\mathsf {n}^4 \in \mathcal {O}(\mathsf {m}^2\mathsf {n}^4). \end{aligned}$$

\(\square \)
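The arithmetic in this bound can be checked mechanically. The snippet below (with a hypothetical helper name) plugs the upper bounds \(q \le \mathsf {m}\mathsf {n}^2\) and \(\lambda \le \frac{3}{2}\mathsf {m}\mathsf {n}^2\) into the size \((7q+\lambda )\cdot 10q\) of H:

```python
# Sanity check of the O(m^2 n^4) space bound from Theorem 22:
# with q <= m*n^2 quadratic equations and lam <= (3/2)*m*n^2 linear ones,
# the (7q + lam) x 10q matrix H has at most 85 * m^2 * n^4 entries.

def h_size_upper_bound(m, n):
    q_max = m * n**2              # upper bound on q = |S'_Q|
    lam_max = 3 * m * n**2 // 2   # upper bound on lambda = |S'_L|
    return (7 * q_max + lam_max) * 10 * q_max

# (m*n^2 is even in these examples, so integer division is exact)
for m, n in [(2, 4), (3, 10), (5, 6)]:
    assert h_size_upper_bound(m, n) == 85 * m**2 * n**4
```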

5 Conclusions

In this work we introduced two polynomial-time reductions: \(\alpha \), from MLD to MQ, and \(\beta \), from MQ to MLD. Therefore, the composition \(\beta \circ \alpha \) is a polynomial-time auto-reduction in \(\mathrm {MLD}\), while \(\alpha \circ \beta \) is a polynomial-time auto-reduction in \(\mathrm {MQ}\). Hence every MLD instance can be solved if we are able to solve every MLD instance produced by \(\beta \circ \alpha \), and a fortiori if we are able to solve those produced by \(\beta \). Similarly, every MQ instance can be solved if we are able to solve every MQ instance produced by \(\alpha \circ \beta \), or even only those produced by \(\alpha \). So if we can decide in polynomial time the existence of solutions for all systems in the image of \(\alpha \), then we can solve MQ in polynomial time. Notice that the same property holds for systems in standard form. We can thus identify two families of systems which play a special role in the MQ problem: one is classical and the other comes from our reduction.

In the case of MLD, there exist families of codes that play a similar role, for example the one obtained via the reductions in [6] and the one obtained from our results. We formalise this in the following theorem.

Theorem 23

Let \(\mathcal {C}\) be the family of codes defined by parity-check matrices as in (11).

If we can solve all MLD instances for \(\mathcal {C}\) in polynomial time, then we can solve all instances of MLD in polynomial time, and so P = NP.

Regarding the relation between MLD and MQ, we remark that two NP-complete problems might not be isomorphic (see [40] for a formal definition of polynomial-time isomorphism and for the Berman-Hartmanis conjecture on isomorphic NP problems). We rephrase here [40, Th. 1], since it is needed in our subsequent discussion.

Theorem 24

([40, Th. 1]) If there are two length-increasing invertible p-reductions, one of A to B and the other of B to A, then A and B are isomorphic.

In our case A and B are MLD and MQ, while the two reductions are \(\alpha \) and \(\beta \), which are polynomial-time length-increasing reductions. However, only \(\alpha \) can be inverted, since \(\beta \) requires transforming MQ instances into standard-form systems (a many-to-one reduction); hence the hypotheses of Theorem 24 are not completely satisfied. To obtain a one-to-one reduction from MQ to MLD, we can modify the definition of standard-form systems by adding new equations carrying the information about the original MQ instance. For example, we can consider an additional set of \(\mathsf {m}\left( \left( {\begin{array}{c}\mathsf {n}\\ 2\end{array}}\right) +\mathsf {n}+1\right) \) equations and new variables of the form

$$\begin{aligned} \left\{ \begin{array}{ll} \bar{\gamma }_{ij}^{(h)}+\gamma _{ij}^{(h)}=0 &{} \qquad 1\le h\le \mathsf {m},\ 1\le i<j\le \mathsf {n}\\ \bar{\lambda }_{i}^{(h)}+\lambda _{i}^{(h)}=0 &{} \qquad 1\le h\le \mathsf {m},\ 1\le i\le \mathsf {n}\\ \bar{\delta }^{(h)}+\delta ^{(h)}=0 &{} \qquad 1\le h\le \mathsf {m} \end{array} \right. \end{aligned}$$

Namely, these equations specify the coefficients of the monomials of the polynomials in the original MQ instance (see (2)).
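The count \(\mathsf {m}\left( \left( {\begin{array}{c}\mathsf {n}\\ 2\end{array}}\right) +\mathsf {n}+1\right) \) follows from enumerating, for each of the \(\mathsf {m}\) polynomials, one equation per quadratic, linear and constant coefficient. A short Python check (the function name is illustrative):

```python
# Count the extra equations added to make beta one-to-one:
# per polynomial, C(n,2) quadratic coefficients gamma_ij (i < j),
# n linear coefficients lambda_i, and one constant delta.
from math import comb

def extra_equations(m, n):
    quadratic = sum(1 for i in range(1, n + 1) for j in range(i + 1, n + 1))
    linear = n
    constant = 1
    return m * (quadratic + linear + constant)

assert extra_equations(3, 4) == 3 * (comb(4, 2) + 4 + 1)  # 3 * 11 = 33
```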

Once we modify the definition of standard-form instance (and \(\beta \) accordingly), we obtain a one-to-one reduction from MQ to MLD. In this way both \(\alpha \) and \(\beta \) satisfy the hypotheses of Theorem 24, thus proving the existence of an isomorphism between MLD and MQ.

Theorem 25

MLD and MQ are isomorphic.

This isomorphism establishes our claimed equivalence, and it implies the importance of studying the security of code-based and multivariate-based schemes by means of methods from both Coding Theory and Computational Algebra.

6 Open problems

We highlight here a few directions for future work.

  • An investigation of the image of \(\alpha \). Polynomial systems obtained via \(\alpha \) have a special form, and analysing them could yield new hints on the difficulty of MLD. The same holds for polynomials coming from \(\alpha \circ \beta \). MLD instances arising from code-based cryptosystems are of special interest. We recall that, in terms of MLD, most cryptographic code-based schemes are modelled as triples (H, s, t) with H a permuted version of the parity-check matrix of an algebraic code (for instance, in Classic McEliece [8], H hides the parity-check matrix of a binary irreducible Goppa code). Loosely speaking, only those who can solve the instance can decrypt a ciphertext, and, to the best of current knowledge, this is feasible only for those who know the hidden Goppa code. However, some vulnerabilities may be revealed by looking at the associated MQ instance.

  • Analogously, for codes coming from the image of \(\beta \) and \(\beta \circ \alpha \). In particular, similarly to the above, it would be interesting to focus on MQ instances corresponding to multivariate-based cryptosystems. For instance, in the digital signature scheme Rainbow [14] the public key is a masked version of a quadratic Boolean polynomial system for which a fast solving algorithm based on Gaussian elimination exists. Only those who know the original form of the polynomial system appear capable of signing messages. However, hidden vulnerabilities may be disclosed by applying \(\beta \) to these instances.

  • Even though apparently similar to the directions hinted at above, the third future work we propose is even more closely linked to the security of code-based and multivariate-based cryptosystems. As already mentioned, both post-quantum cryptographic families rely on two kinds of problems: the first is the NP-hard problem of solving a generic instance (i.e. MLD for code-based ciphers and MQ for multivariate-based ciphers); the second is the problem of distinguishing between a generic instance and the masked, easy-to-solve underlying algebraic instance (e.g. the Goppa code hidden inside a Classic McEliece public key or the multi-level Oil & Vinegar system hidden inside a Rainbow public key). Instead of blindly applying our reductions to cryptographic public keys, it would be important to model the precise problem of recovering the private keys from the public keys, and thus study the complexity of attacking code-based and multivariate-based schemes by understanding their key-generation algorithms.