Analysis of the MQQ Public Key Cryptosystem

  • Jean-Charles Faugère
  • Rune Steinsmo Ødegård
  • Ludovic Perret
  • Danilo Gligoroski
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6467)


MQQ is a multivariate public key cryptosystem (MPKC) based on multivariate quadratic quasigroups and a special transform called “Dobbertin transformation” [17]. The security of MQQ, as well as any MPKC, reduces to the difficulty of solving a non-linear system of equations easily derived from the public key. In [26], it has been observed that that the algebraic systems obtained are much easier to solve that random non-linear systems of the same size. In this paper we go one step further in the analysis of MQQ. We explain why systems arising in MQQ are so easy to solve in practice. To do so, we consider the so-called the degree of regularity; which is the exponent in the complexity of a Gröbner basis computation. For MQQ systems, we show that this degree is bounded from above by a small constant. This is due to the fact that the complexity of solving the MQQ system is the minimum complexity of solving just one quasigroup block or solving the Dobbertin transformation. Furthermore, we show that the degree of regularity of the Dobbertin transformation is bounded from above by the same constant as the bound observed on MQQ system. We then investigate the strength of a tweaked MQQ system where the input of the Dobbertin transformation is replaced with random linear equations. It appears that the degree of regularity of this tweaked system varies both with the size of the quasigroups and the number of variables. We conclude that if a suitable replacement for the Dobbertin transformation is found, MQQ can possibly be made strong enough to resist pure Gröbner attacks for adequate choices of quasigroup size and number of variables.


multivariate cryptography Gröbner bases public-key multivariate quadratic quasigroups algebraic cryptanalysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bardet, M.: Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. PhD thesis, Université de Paris VI (2004)Google Scholar
  2. 2.
    Bardet, M., Faugère, J.-C., Salvy, B.: Complexity study of Gröbner basis computation. Technical report, INRIA (2002),
  3. 3.
    Bardet, M., Faugère, J.-C., Salvy, B.: Complexity of Gröbner basis computation for semi-regular overdetermined sequences over F2 with solutions in F2. Technical report, Institut national de recherche en informatique et en automatique (2003)Google Scholar
  4. 4.
    Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proc. International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)Google Scholar
  5. 5.
    Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proc. of MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry (2005)Google Scholar
  6. 6.
    Billet, O., Ding, J.: Overview of cryptanalysis techniques in multivariate public key cryptography. In: Sala, M., Mora, T., Perret, L., Sakata, S., Traverso, C. (eds.) Gröbner Bases, Coding and Cryptography, pp. 263–283. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Bouillaguet, C., Fouque, P.-A., Joux, A., Treger, J.: A family of weak keys in hfe (and the corresponding practical key-recovery). Cryptology ePrint Archive, Report 2009/619 (2009)Google Scholar
  8. 8.
    Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, Leopold-Franzens University (1965)Google Scholar
  9. 9.
    Chen, Y., Knapskog, S.J., Gligoroski, D.: Multivariate Quadratic Quasigroups (MQQ): Construction, Bounds and Complexity. Submitted to ISIT 2010 (2010)Google Scholar
  10. 10.
    Cox, D., Little, J., O’Shea, D.: Using Algebraix Geometry. Springer, Heidelberg (2005)MATHGoogle Scholar
  11. 11.
    Levy dit Vehel, F., Marinari, M.G., Perret, L., Traverso, C.: A survey on polly cracker system. In: Sala, M., Mora, T., Perret, L., Sakata, S., Traverso, C. (eds.) Gröbner Bases, Coding and Cryptography, pp. 263–283. Springer, Heidelberg (2009)Google Scholar
  12. 12.
    Dobbertin, H.: One-to-one highly nonlinear power functions on GF(2\(^{\mbox{n}}\)). Appl. Algebra Eng. Commun. Comput. 9(2), 139–152 (1998)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases \(({F}\sb 4)\). Journal of Pure and Applied Algebra 139(1-3), 61–88 (1999)MathSciNetCrossRefMATHGoogle Scholar
  14. 14.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero \(({F}\sb 5)\). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation. ACM, New York (2002)Google Scholar
  15. 15.
    Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    Fouque, P.-A., Macario-Rat, G., Stern, J.: Key recovery on hidden monomial multivariate schemes. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 19–30. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Gligoroski, D., Markovski, S., Knapskog, S.J.: Multivariate quadratic trapdoor functions based on multivariate quadratic quasigroups. In: Proceedings of the American Conference on Applied Mathematics, MATH 2008, Stevens Point, Wisconsin, USA, pp. 44–49. World Scientific and Engineering Academy and Society (WSEAS), Singapore (2008)Google Scholar
  18. 18.
    Goubin, L., Courtois, N.T., Cp, S.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  19. 19.
    Granboulan, L., Joux, A., Stern, J.: Inverting HFE is quasipolynomial. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 345–356. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. 20.
    Kipnis, A., Hotzvim, H.S.H., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  21. 21.
    Kipnis, A., Shamir, A.: Cryptanalysis of the oil & vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998)Google Scholar
  22. 22.
    MAGMA. High performance software for algebra, number theory, and geometry — a large commercial software package,
  23. 23.
    Markovski, S.: Quasigroup string processing and applications in cryptography. In: Proc. 1st Inter. Conf. Mathematics and Informatics for Industry MII 2003, Thessaloniki, April 14-16, pp. 278–290 (2003)Google Scholar
  24. 24.
    Markovski, S., Gligoroski, D., Bakeva, V.: Quasigroup string processing. In: Part 1, Contributions, Sec. Math. Tech. Sci., MANU, XX, pp. 1–2 (1999)Google Scholar
  25. 25.
    Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  26. 26.
    Mohamed, M.S., Ding, J., Buchmann, J., Werner, F.: Algebraic attack on the MQQ public key cryptosystem. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 392–401. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  27. 27.
    Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt 1988. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)Google Scholar
  28. 28.
    Patarin, J.: Hidden field equations (hfe) and isomorphisms of polynomials (ip): two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  29. 29.
    Patarin, J.: The oil & vinegar signature scheme (1997)Google Scholar
  30. 30.
    Patarin, J., Goubin, L., Courtois, N.T.: C* − + and HM: Variations around two schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–49. Springer, Heidelberg (1998)Google Scholar
  31. 31.
    Shamir, A.: Efficient signature schemes based on birational permutations. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 1–12. Springer, Heidelberg (1994)Google Scholar
  32. 32.
    Smith, J.D.H.: An introduction to quasigroups and their representations. Chapman & Hall/CRC, Boca Raton (2007)MATHGoogle Scholar
  33. 33.
    Wolf, C., Preneel, B.: Taxonomy of public key schemes based on the problem of multivariate quadratic equations. Cryptology ePrint Archive, Report 2005/077 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Jean-Charles Faugère
    • 2
  • Rune Steinsmo Ødegård
    • 1
  • Ludovic Perret
    • 2
  • Danilo Gligoroski
    • 3
  1. 1.Centre for Quantifiable Quality of Service in Communication SystemsNorwegian University of Science and TechnologyTrondheimNorway
  2. 2.SALSA Project - INRIA (Centre Paris-Rocquencourt)UPMC, Univ Paris 06 - CNRS, UMR 7606, LIP6ParisFrance
  3. 3.Department of TelematicsNorwegian University of Science and TechnologyTrondheimNorway

Personalised recommendations