Solving Underdefined Systems of Multivariate Quadratic Equations

  • Nicolas Courtois
  • Louis Goubin
  • Willi Meier
  • Jean-Daniel Tacier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2274)


The security of several recent digital signature schemes is based on the difficulty of solving large systems of quadratic multivariate polynomial equations over a finite field F. This problem, sometimes called MQ, is known to be NP-hard. When the number m of equations is equal to the number n of variables, and if n < 15, Gröbner base algorithms have been applied to solve MQ. In the overdefined case nm, the techniques of relinearization and XL, due to A. Shamir et. al., have shown to be successful for solving MQ. In signature schemes, we usually have nm. For example signature schemes Flash and Sflash submitted to Nessie call for primitives or the UOV scheme published at Eurocrypt 1999. Little is known about the security of such underdefined systems. In this paper, three new and different methods are presented for solving underdefined multivariate systems of quadratic equations. As already shown at Eurocrypt 1999, the problem MQ becomes polynomial when nm(m+1) for fields F of characteristic 2. We show that for any field, for about n ≥ 2m/7(m + 1), exponential but quite small in practice, the problem becomes polynomial in n.

When nm the complexity of all our 3 algorithms tends to q m. However for practical instances of cryptosystems with nO(m), we show how to achieve complexities significantly lower than exhaustive search. For example we are able break Unbalanced Oil and Vinegar signature schemes for some “bad” choices of the parameters (but not for the parameters proposed in [4]).


Quadratic Form Linear Form Quadratic Equation Exhaustive Search Signature Scheme 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    N. Courtois, A. Klimov, J. Patarin, A. Shamir, Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations, Advances in Cryptology — EUROCRYPT’2000, Proceedings, B. Preneel (Ed.), Lecture Notes in Computer Science, Springer Verlag, vol. 1807, pp. 392–407.Google Scholar
  2. 2.
    J.-Ch. Faugère, A new efficient algorithm for computing Gröbner bases (F 4), Journal of Pure and Applied Algebra 139 (1999), pp. 61–88. See Scholar
  3. 3.
    M. R. Garey, D. S. Johnson, Computers and Intractability, A Guide to the Theory of NP-completeness, W. H. Freeman and Company, New York, 1979.zbMATHGoogle Scholar
  4. 4.
    A. Kipnis, J. Patarin, L. Goubin, Unbalanced Oil and Vinegar Signature Schemes, Advances in Cryptology — EUROCRYPT’99, Proceedings, J. Stern (Ed.), Lecture Notes in Computer Science, Springer Verlag, vol. 1592, pp. 206–222.Google Scholar
  5. 5.
    A. Kipnis, A. Shamir, Cryptanalysis of the Oil and Vinegar Signature Scheme, Advances in Cryptology — CRYPTO’98, Proceedings, H. Krawczyk (Ed.), Lecture Notes in Computer Science, Springer Verlag, vol. 1462, pp. 257–266.Google Scholar
  6. 6.
    A. Kipnis, A. Shamir, Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization, Advances in Cryptology — CRYPTO’99, Proceedings, M. Wiener (Ed.), Lecture Notes in Computer Science, Springer Verlag, vol. 1666, pp. 19–30.Google Scholar
  7. 7.
    R. Lidl, R. Niederreiter, Finite fields, Encyclopedia of mathematics and its applications, vol. 20, 1997.Google Scholar
  8. 8.
    A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of applied cryptography, CRC Press, 1996.Google Scholar
  9. 9.
    J. Patarin, N. Courtois, L. Goubin, FLASH, a Fast Multivariate Signature Algorithm, in Progress in Cryptology—CT-RSA 2001, D. Nacchache, ed., vol 2020, Springer Lecture Notes in Computer Science, pp. 298–307.CrossRefGoogle Scholar
  10. 10.
    J. Patarin, L. Goubin, N. Courtois, Quartz, 128-bit long digital signatures, Cryptographers’ Track RSA Conference 2001, San Francisco 8–12 Avril 2001, LNCS2020, Springer-Verlag. Also published in Proceedings of the First Open NESSIE Workshop, 13-14 November 2000, Leuven, Belgium.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Nicolas Courtois
    • 1
  • Louis Goubin
    • 1
  • Willi Meier
    • 2
  • Jean-Daniel Tacier
    • 2
  1. 1.CP8 Crypto LabSchlumbergerSemaLouveciennes CedexFrance
  2. 2.FH AargauWindisch

Personalised recommendations