Solving Binary \(\mathcal {MQ}\) with Grover’s Algorithm

The problem of solving a system of quadratic equations in multiple variables—known as multivariate-quadratic or \(\mathcal {MQ}\) problem—is the underlying hard problem of various cryptosystems. For efficiency reasons, a common instantiation is to consider quadratic equations over \(\mathbb {F}_2\). The current state of the art in solving the \(\mathcal {MQ}\) problem over \(\mathbb {F}_2\) for sizes commonly used in cryptosystems is enumeration, which runs in time \(\varTheta (2^n)\) for a system of n variables. Grover’s algorithm running on a large quantum computer is expected to reduce the time to \(\varTheta (2^{n/2})\). As a building block, Grover’s algorithm requires an “oracle”, which is used to evaluate the quadratic equations at a superposition of all possible inputs. In this paper, we describe two different quantum circuits that provide this oracle functionality. As a corollary, we show that even a relatively small quantum computer with as little as 92 logical qubits is sufficient to break \(\mathcal {MQ}\) instances that have been proposed for 80-bit pre-quantum security.


  • Grover’s algorithm
  • Multivariate quadratics
  • Quantum resource estimates

This work has been supported by the European Commission through the ICT program under contract ICT-645622 (PQCRYPTO); by the European Research Council under grant 320571 (QCLS) and by the Netherlands Organisation for Scientific Research (NWO) through Veni 2013 project 13114. Permanent ID of this document: 40eb0e1841618b99ae343ffa073d6c1e. Date: 2016-09-01.



  1. The problem of factoring a number N is reduced to finding the order of an element x modulo N, which requires a bit more than \(2 \log _2 N\) qubits [NC10, §5.3.1].

  2. Note that a SWAP gate can be written with CNOTs:

  3.


The authors are grateful to Guillaume Allais and Peter Selinger for their helpful suggestions. In particular, it was Peter Selinger’s suggestion to construct a counter from a primitive polynomial.

A Example code

The following is Python code that generates the first oracle circuit, which we described informally in Sect. 4.

[Listing not reproduced in this extraction.]

To turn this into a useful command-line utility that converts a system of quadratic equations into a quantum circuit in Nielsen and Chuang’s QASM [Chu05] format, we need a few more lines of code (see footnote 3). One invokes the completed script as follows.

[Listing not reproduced in this extraction.]

The second oracle is more complex and easier to synthesize in a special-purpose language. The following is an implementation of the first and second oracle in the Quipper programming language [GLR+13b, GLR+13a, Sel], which is based on Haskell.

[Listings not reproduced in this extraction.]

The gate counts mentioned in the conclusion were generated by the built-in GateCount functionality of Quipper, which was invoked (for the first oracle) with the following code.

[Listing not reproduced in this extraction.]

The variable sqe is set to the system of 85 equations in 81 variables in which every coefficient is 1, as that system requires the most gates in our construction. We use the following implementation of Grover’s algorithm.

[Listings not reproduced in this extraction.]
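As an added example, and not the paper’s Python script or its Quipper code, the following builds a reversible X/CNOT/Toffoli oracle for a system of quadratic equations over \(\mathbb {F}_2\): one ancilla per equation is computed, a multi-controlled NOT toggles a flag qubit exactly when all equations are satisfied, and the ancillas are uncomputed. A classical simulation on basis states checks that the circuit marks exactly the solutions and leaves every other register unchanged, and a gate counter shows why a system with every coefficient equal to 1 (built here by dense_equation) is the worst case. The gate names, the "x0*x1 + x2 + 1" input syntax, the qubit layout and the abstract MCX gate are assumptions of this example, not Nielsen and Chuang’s QASM format or the circuits of Sect. 4.

```python
"""Added example (not the paper's code): a reversible oracle for an MQ system
over F2, a classical basis-state simulator to verify it, and a gate counter.
Gate names, equation syntax, qubit layout and the MCX gate are assumptions."""
from collections import Counter
from itertools import combinations, product


def parse_equation(text):
    """Parse 'x0*x1 + x2 + 1' (meaning x0*x1 + x2 + 1 = 0 over F2) into
    (quadratic pairs, linear indices, constant). Repeated terms cancel mod 2,
    and x_i*x_i is reduced to x_i because x^2 = x over F2."""
    quad, lin, const = set(), set(), 0
    for term in text.replace(" ", "").split("+"):
        if term == "1":
            const ^= 1
        elif "*" in term:
            i, j = sorted(int(v[1:]) for v in term.split("*"))
            if i == j:
                lin ^= {i}
            else:
                quad ^= {(i, j)}
        elif term:
            lin ^= {int(term[1:])}
    return frozenset(quad), frozenset(lin), const


def dense_equation(n):
    """Equation with every coefficient 1: all x_i*x_j (i<j), all x_i, constant 1."""
    return frozenset(combinations(range(n), 2)), frozenset(range(n)), 1


def oracle_circuit(n, equations):
    """Qubits 0..n-1 hold the input x, qubits n..n+m-1 are one ancilla per
    equation, qubit n+m is the flag. The flag is toggled exactly when every
    equation evaluates to 0 at x; the ancillas are uncomputed afterwards."""
    m = len(equations)
    flag = n + m
    compute = []
    for k, (quad, lin, const) in enumerate(equations):
        a = n + k
        for i, j in sorted(quad):
            compute.append(("TOFFOLI", i, j, a))   # a ^= x_i & x_j
        for i in sorted(lin):
            compute.append(("CNOT", i, a))         # a ^= x_i
        if not const:                              # a ^= const ^ 1, so that
            compute.append(("X", a))               # a == 1 iff the equation holds
    mark = [("MCX", tuple(range(n, n + m)), flag)]  # flag ^= AND of all ancillas
    # Every gate is self-inverse, so replaying 'compute' backwards cleans the ancillas.
    return compute + mark + compute[::-1]


def run(gates, bits):
    """Apply the circuit to a classical basis state (list of 0/1 bits), in place."""
    for gate in gates:
        name = gate[0]
        if name == "X":
            bits[gate[1]] ^= 1
        elif name == "CNOT":
            bits[gate[2]] ^= bits[gate[1]]
        elif name == "TOFFOLI":
            bits[gate[3]] ^= bits[gate[1]] & bits[gate[2]]
        elif name == "MCX":
            bits[gate[2]] ^= int(all(bits[c] for c in gate[1]))
        else:
            raise ValueError("unknown gate " + name)
    return bits


def evaluate(equation, x):
    """Direct classical evaluation of one equation at x, used for cross-checking."""
    quad, lin, const = equation
    value = const
    for i, j in quad:
        value ^= x[i] & x[j]
    for i in lin:
        value ^= x[i]
    return value


def oracle_marks(n, equations, x):
    """Run the oracle on input x with fresh ancillas. Returns the flag bit and
    whether the input and ancilla registers came back unchanged."""
    m = len(equations)
    bits = list(x) + [0] * (m + 1)
    run(oracle_circuit(n, equations), bits)
    clean = bits[:n] == list(x) and not any(bits[n:n + m])
    return bits[n + m], clean


def solutions(n, equations):
    """Enumerate every input the oracle marks (the classical 2^n search)."""
    return [x for x in product((0, 1), repeat=n) if oracle_marks(n, equations, x)[0]]


def gate_counts(gates):
    return Counter(gate[0] for gate in gates)


if __name__ == "__main__":
    eqs = [parse_equation(s) for s in ("x0*x1 + x2 + 1", "x0 + x1")]
    print(solutions(3, eqs))
    print(dict(gate_counts(oracle_circuit(3, eqs))))
```

The compute/mark/uncompute layout is what makes the circuit usable inside Grover iterations: the ancillas return to zero, so only the flag carries information about x. The count for a dense system makes the cost structure visible: every quadratic term costs a Toffoli twice (once to compute, once to uncompute), every linear term a CNOT twice, and the MCX over m controls would itself have to be decomposed with further ancillas on real hardware; reducing exactly these costs is what the two oracle constructions of the paper are about.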

