Implementing Joux-Vitse’s Crossbred Algorithm for Solving \({\mathcal M\mathcal Q}\) Systems over \({\mathbb F}_2\) on GPUs

  • Ruben NiederhagenEmail author
  • Kai-Chun NingEmail author
  • Bo-Yin YangEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)


The hardness of solving multivariate quadratic (\(\mathcal {MQ}\)) systems is the underlying problem for multivariate-based schemes in the field of post-quantum cryptography. The concrete, practical hardness of this problem needs to be measured by state-of-the-art algorithms and high-performance implementations. We describe, implement, and evaluate an adaption of the Crossbred algorithm by Joux and Vitse from 2017 for solving \(\mathcal {MQ}\) systems over \(\mathbb {F}_{2}\). Our adapted algorithm is highly parallelizable and is suitable for solving \(\mathcal {MQ}\) systems on GPU architectures. Our implementation is able to solve an \(\mathcal {MQ}\) system of 134 equations in 67 variables in 98.39 hours using one single commercial Nvidia GTX 980 graphics card, while the original Joux-Vitse algorithm requires 6200 CPU-hours for the same problem size. We used our implementation to solve all the Fukuoka Type-I MQ challenges for \(n \in \{55, \dots , 74\}\). Based on our implementation, we estimate that the expected computation time for solving an \(\mathcal {MQ}\) system of 80 equations in 84 variables is about one year using a cluster of 3600 GTX 980 graphics cards. These parameters have been proposed for 80-bit security by, e.g., Sakumoto, Shirai, and Hiwatari at Crypto 2011.


Post-quantum cryptography Multivariate quadratic systems Parallel implementation GPU 



We would like to thank Daniel J. Bernstein for granting us access to his Saber GPU clusters at Eindhoven University of Technology and the University of Illinois at Chicago. This research was partially supported by the project MOST105-2923-E-001-003-MY3 of the Ministry of Science and Technology, Taiwan.


  1. 1.
    Berbain, C., Gilbert, H., Patarin, J.: QUAD: a practical stream cipher with provable security. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 109–128. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Bernstein, D.J.: The saber cluster.
  3. 3.
    Bouillaguet, C., Chen, H.-C., Cheng, C.-M., Chou, T., Niederhagen, R., Shamir, A., Yang, B.-Y.: Fast exhaustive search for polynomial systems in \({\mathbb{F}_2}\). In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 203–218. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. 4.
    Bouillaguet, C., Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Fast exhaustive search for quadratic systems in \(\mathbb{F}_{2}\) on FPGAs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 205–222. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  5. 5.
    Clough, C., Baena, J., Ding, J., Yang, B.-Y., Chen, M.: Square, a new multivariate encryption scheme. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 252–264. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  6. 6.
    Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  7. 7.
    Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (\(F_4\)). J. Pure Appl. Algebra 139, 61–88 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (\(F_5\)). In: International Symposium on Symbolic and Algebraic Computation – ISSAC 2002, pp. 75–83. ACM Press (2002)Google Scholar
  9. 9.
    Fusco, G., Bach, E.: Phase transition of multivariate polynomial systems. Math. Struct. Comput. Sci. 19, 9–23 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  11. 11.
    Joux, A., Vitse, V.: A crossbred algorithm for solving boolean polynomial systems. IACR Cryptology ePrint Archive (2017).
  12. 12.
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)Google Scholar
  13. 13.
    Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Porras, J., Baena, J., Ding, J.: ZHFE, a new multivariate public key encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 229–245. Springer, Cham (2014)Google Scholar
  15. 15.
    Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Foundations of Computer Science, pp. 124–134. IEEE (1994)Google Scholar
  17. 17.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Szepieniec, A., Ding, J., Preneel, B.: Extension field cancellation: a new central trapdoor for multivariate quadratic systems. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 182–196. Springer, Cham (2016)CrossRefGoogle Scholar
  19. 19.
    Yang, B.-Y., Chen, J.-M.: All in the XL family: theory and practice. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Yang, B.-Y., Chen, O.C.-H., Bernstein, D.J., Chen, J.-M.: Analysis of QUAD. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 290–308. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Fraunhofer SITDarmstadtGermany
  2. 2.Eindhoven University of TechnologyEindhovenThe Netherlands
  3. 3.IIS and CITIAcademia SinicaTaipeiTaiwan

Personalised recommendations