# Solving Underdefined Systems of Multivariate Quadratic Equations

- 34 Citations
- 1.6k Downloads

## Abstract

The security of several recent digital signature schemes is based on the difficulty of solving large systems of quadratic multivariate polynomial equations over a finite field **F**. This problem, sometimes called MQ, is known to be NP-hard. When the number *m* of equations is equal to the number *n* of variables, and if *n* < 15, Gröbner base algorithms have been applied to solve MQ. In the overdefined case *n* 《 *m*, the techniques of relinearization and XL, due to A. Shamir et. al., have shown to be successful for solving MQ. In signature schemes, we usually have *n* 》 *m*. For example signature schemes Flash and Sflash submitted to Nessie call for primitives or the UOV scheme published at Eurocrypt 1999. Little is known about the security of such underdefined systems. In this paper, three new and different methods are presented for solving underdefined multivariate systems of quadratic equations. As already shown at Eurocrypt 1999, the problem MQ becomes polynomial when *n* ≥ *m*(*m*+1) for fields **F** of characteristic 2. We show that for any field, for about *n* ≥ 2^{m/7}(*m* + 1), exponential but quite small in practice, the problem becomes polynomial in *n*.

When *n* → *m* the complexity of all our 3 algorithms tends to *q* ^{m}. However for practical instances of cryptosystems with *n* ≈ *O*(*m*), we show how to achieve complexities significantly lower than exhaustive search. For example we are able break Unbalanced Oil and Vinegar signature schemes for some “bad” choices of the parameters (but not for the parameters proposed in [4]).

## Keywords

Quadratic Form Linear Form Quadratic Equation Exhaustive Search Signature Scheme## References

- 1.N. Courtois, A. Klimov, J. Patarin, A. Shamir,
*Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations*, Advances in Cryptology — EUROCRYPT’2000, Proceedings, B. Preneel (Ed.), Lecture Notes in Computer Science, Springer Verlag, vol. 1807, pp. 392–407.Google Scholar - 2.J.-Ch. Faugère,
*A new efficient algorithm for computing Gröbner bases*(*F*_{4}), Journal of Pure and Applied Algebra 139 (1999), pp. 61–88. See http://www.elsevier.com/locate/jpaa.zbMATHCrossRefMathSciNetGoogle Scholar - 3.M. R. Garey, D. S. Johnson,
*Computers and Intractability, A Guide to the Theory of NP-completeness*, W. H. Freeman and Company, New York, 1979.zbMATHGoogle Scholar - 4.A. Kipnis, J. Patarin, L. Goubin,
*Unbalanced Oil and Vinegar Signature Schemes*, Advances in Cryptology — EUROCRYPT’99, Proceedings, J. Stern (Ed.), Lecture Notes in Computer Science, Springer Verlag, vol. 1592, pp. 206–222.Google Scholar - 5.A. Kipnis, A. Shamir,
*Cryptanalysis of the Oil and Vinegar Signature Scheme*, Advances in Cryptology — CRYPTO’98, Proceedings, H. Krawczyk (Ed.), Lecture Notes in Computer Science, Springer Verlag, vol. 1462, pp. 257–266.Google Scholar - 6.A. Kipnis, A. Shamir,
*Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization*, Advances in Cryptology — CRYPTO’99, Proceedings, M. Wiener (Ed.), Lecture Notes in Computer Science, Springer Verlag, vol. 1666, pp. 19–30.Google Scholar - 7.R. Lidl, R. Niederreiter,
*Finite fields, Encyclopedia of mathematics and its applications*, vol. 20, 1997.Google Scholar - 8.A.J. Menezes, P.C. van Oorschot, S.A. Vanstone,
*Handbook of applied cryptography*, CRC Press, 1996.Google Scholar - 9.J. Patarin, N. Courtois, L. Goubin,
*FLASH, a Fast Multivariate Signature Algorithm*, in Progress in Cryptology—CT-RSA 2001, D. Nacchache, ed., vol 2020, Springer Lecture Notes in Computer Science, pp. 298–307.CrossRefGoogle Scholar - 10.J. Patarin, L. Goubin, N. Courtois,
*Quartz*,**1**28-*bit long digital signatures*, Cryptographers’ Track RSA Conference 2001, San Francisco 8–12 Avril 2001, LNCS2020, Springer-Verlag. Also published in Proceedings of the First Open NESSIE Workshop, 13-14 November 2000, Leuven, Belgium.Google Scholar