Solving Binary \(\mathcal {MQ}\) with Grover’s Algorithm

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10076)


The problem of solving a system of quadratic equations in multiple variables—known as multivariate-quadratic or \(\mathcal {MQ}\) problem—is the underlying hard problem of various cryptosystems. For efficiency reasons, a common instantiation is to consider quadratic equations over \(\mathbb {F}_2\). The current state of the art in solving the \(\mathcal {MQ}\) problem over \(\mathbb {F}_2\) for sizes commonly used in cryptosystems is enumeration, which runs in time \(\varTheta (2^n)\) for a system of n variables. Grover’s algorithm running on a large quantum computer is expected to reduce the time to \(\varTheta (2^{n/2})\). As a building block, Grover’s algorithm requires an “oracle”, which is used to evaluate the quadratic equations at a superposition of all possible inputs. In this paper, we describe two different quantum circuits that provide this oracle functionality. As a corollary, we show that even a relatively small quantum computer with as little as 92 logical qubits is sufficient to break \(\mathcal {MQ}\) instances that have been proposed for 80-bit pre-quantum security.


Grover’s algorithm Multivariate quadratics Quantum resource estimates 



The authors are grateful to Gauillaume Allais and Peter Selinger for their helpful suggestions. In particular, it was Peter Selinger’s suggestion to construct a counter from a primitive polynomial.

Supplementary material


  1. [AMG+16]
    Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent, A., Schanck, J.: Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. Preprint 2016.
  2. [BCC+14]
    Bouillaguet, C., Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Fast exhaustive search for quadratic systems in \(\mathbb{F}_{2}\) on FPGAs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 205–222. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43414-7_11 CrossRefGoogle Scholar
  3. [BHT98]
    Brassard, G., HØyer, P., Tapp, A.: Quantum counting. In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, pp. 820–831. Springer, Heidelberg (1998). doi: 10.1007/BFb0055105 CrossRefGoogle Scholar
  4. [Chu05]
    Chuang, I.: Quantum circuit viewer: qasm2circ (2005). Accessed 24 June 2016
  5. [DS05]
    Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). doi: 10.1007/11496137_12 CrossRefGoogle Scholar
  6. [GJ79]
    Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman and Company (1979)Google Scholar
  7. [GLR+13a]
    Green, A.S., Lumsdaine, P.L.F., Ross, N.J., Selinger, P., Valiron, B.: An introduction to quantum programming in quipper. In: Dueck, G.W., Miller, D.M. (eds.) RC 2013. LNCS, vol. 7948, pp. 110–124. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38986-3_10 CrossRefGoogle Scholar
  8. [GLR+13b]
    Green, A.S., Lumsdaine, P.L., Ross, N.J., Selinger, P., Valiron, B.: Quipper: a scalable quantum programming language. 48(6), 333–342 (2013).
  9. [GLRS16]
    Grassl, M., Langenberg, B., Roetteler, M., Steinwandt, R.: Applying grover’s algorithm to AES: quantum resource estimates. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 29–43. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-29360-8_3 CrossRefGoogle Scholar
  10. [Gro96]
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219. ACM (1996)Google Scholar
  11. [KPG99]
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_15 Google Scholar
  12. [MD03]
    Maslov, D., Dueck, G.W.: Improved quantum cost for n-bit Toffoli gates. Electron. Lett. 39(25), 1790–1791 (2003)CrossRefGoogle Scholar
  13. [NC10]
    Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2010)CrossRefzbMATHGoogle Scholar
  14. [PCG01]
    Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001). doi: 10.1007/3-540-45353-9_21 CrossRefGoogle Scholar
  15. [PCY+15]
    Petzoldt, A., Chen, M.-S., Yang, B.-Y., Tao, C., Ding, J.: Design principles for HFEv- based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48797-6_14 CrossRefGoogle Scholar
  16. [Sel]
    Selinger, P.: The quipper language. Accessed 09 Jan 2016
  17. [Sho94]
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In SFCS 1994 Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994).
  18. [Sho97]
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26, 1484–1509 (1997). Google Scholar
  19. [SSH11]
    Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22792-9_40 CrossRefGoogle Scholar
  20. [Tof80]
    Toffoli, T.: Reversible Computing. Springer, Heidelberg (1980)CrossRefzbMATHGoogle Scholar
  21. [Wat62]
    Watson, E.J.: Primitive polynomials (mod 2). Math. Comput. 16(79), 368–369 (1962)MathSciNetzbMATHGoogle Scholar
  22. [YCC04]
    Yang, B.-Y., Chen, J.-M., Courtois, N.T.: On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis. In: Lopez, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30191-2_31 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.Digital Security GroupRadboud UniversityNijmegenThe Netherlands

Personalised recommendations