Hardness estimates of the Code Equivalence Problem in the Rank Metric

In this paper, we analyze the hardness of the Matrix Code Equiva-lence ( MCE ) problem for matrix codes endowed with the rank metric, and provide the ﬁrst algorithms for solving it. We do this by making a connection to another well-known equivalence problem from multivariate cryptography - the Isomorphism of Polynomials ( IP ). Under mild assumptions, we give tight reductions from MCE to the homogenous version of the Quadratic Maps Linear Equivalence ( QMLE ) problem, and vice versa. Furthermore, we present reductions to and from similar problems in the sum-rank metric, showing that MCE is at the core of code equivalence problems. On the practical side, using birthday techniques known for IP , we present two algorithms: a probabilistic algorithm for MCE running in time q 23 ( n + m ) up to a polynomial factor, and a deterministic algorithm for MCE with roots, running in time q min { m,n,k } up to a polynomial factor. Lastly, to conﬁrm these ﬁndings, we solve randomly-generated instances of MCE using these two algorithms.


Introduction
Given two mathematical objects of the same type, an equivalence problem asks the question whether there exists an equivalence map between these objects -and how to find it -that preserves some important property of the objects. These kind of problems come in different flavors depending on the objects -groups, graphs, curves, codes, quadratic forms, etc. and quite often the interesting maps are isomorphisms or isometries. Interestingly, equivalence problems are one of the core hard problems underlying the security of many public-key cryptosystems, especially post-quantum ones. Many multivariate and code-based systems employ an equivalence transformation as a hiding technique, and thus intrinsically rely on the assumption that a particular equivalence problem is intractable, for example [1][2][3][4][5][6]. In addition, quite remarkably, a hard equivalence problem gives rise to a Sigma protocol and, through the Fiat-Shamir transform, a provably secure digital signature scheme [7]. This idea has been revisited many times, being the basis of several signature schemes [1,[8][9][10][11][12]. Two such schemes actually appeared during the writing of this manuscript [13,14] as a result of NIST's announcement for an additional fourth round on signatures in the post quantum standardization process [15]. Understanding the hardness of these equivalence problems is an essential task in choosing appropriate parameters that attain a certain security level of these cryptographic schemes.
One of these problems is the Code Equivalence problem, which given two codes (with the Hamming metric), asks for an isometry (equivalence transformation that preserves the metric) that maps one code to the other. It was first studied by Leon [16] who proposed an algorithm that takes advantage of the Hamming weight being invariant under monomial permutations. It was improved very recently by Beullens [17] using collision-based techniques. Sendrier [18] proposed another type of algorithm, the Support Splitting Algorithm (SSA), that is exponential in the dimension of the hull (the intersection of a code and its dual). Interestingly, in low characteristic, random codes have very small hull, rendering the problem easy.
In this work, we focus on the code equivalence problem, but for matrix codes (an F q -linear subspace of the space of m × n matrices over F q ) endowed with the rank metric -Matrix Code Equivalence (MCE). Evaluating the hardness of this problem is only natural -rank-based cryptography has become serious competition for its Hamming-based counterpart, showing superiority in key sizes for the same security level [19][20][21][22]. This problem, and variations of it, has been introduced by Berger in [23], but it was only recently that the first concrete statements about its hardness were shown in two concurrent independent works publicly available as preprints 1 . Couvreur et al. [25] showed that MCE is at least as hard as the (Monomial) Code Equivalence problem in the Hamming metric, while for only right equivalence, or when the codes are F q m -linear, the problem becomes easy. Grochow and Qiao [24] show the same reduction from (Monomial) Code Equivalence to MCE but using a completely different technique of linear algebra coloring gadgets which makes the reduction looser than the one in [25].

Our contributions
In this paper, we investigate the theoretical and practical hardness of the Matrix Code Equivalence (MCE) problem. Our contributions can be summarized as follows: First, we link in a straightforward manner the MCE problem to hard problems on systems of polynomials by showing that MCE is polynomial-time equivalent to the Bilinear Maps Linear Equivalence (BMLE) problem. We then extend this result by proving that MCE is polynomial-time equivalent to the Quadratic Maps Linear Equivalence (QMLE) problem, under a mild assumption of trivial automorphism groups of the codes in question. While our technique fails to give a proof without this assumption, we consider it to be reasonable for randomly generated codes and for cryptographic purposes. As the QMLE problem is considered to be the hardest equivalence problem for systems of multivariate polynomials, it is essential to understand under which conditions MCE and QMLE reduce to one another. Note that previous work 2 requires much stronger assumptions for related results [24,26,27], such as algebraically closed fields or existence of square or third roots. Our reduction to QMLE is tight and gives a tight upper bound on the hardness of MCE. Furthermore, it is very simple, thus establishing connection between code equivalence problems and polynomial equivalence problems that is usable in practice. This is the basis of our contributions on the practical hardness of MCE.
Second, using similar techniques, and under the same assumptions, we show that MCE is polynomial-time equivalent to other code equivalence problems, such as Matrix Sum-Rank Code Equivalence Problem, and at least as hard as the Vector Sum-Rank Code Equivalence Problem. All these connections and our results are visualized in Figure 1.
On the practical side, we provide the first two non-trivial algorithms for solving MCE using the connection to QMLE. The first algorithm is a generalization of a known birthday-based algorithm for QMLE [28,29] for systems of polynomials with the same number of variables as equations. We show that this algorithm extends to different invariance properties and code dimensions, which helps us to prove a complexity for MCE of O * (q regarding such solvers, and show that for parameter sets of cryptographical interest the above complexities hold, even if such solvers do not achieve polynomial time. Our second algorithm uses the bilinear structure of the polynomials arising from MCE and runs in time O * (q m ). This algorithm is deterministic and does not require a polynomial-time solver for the inhomogeneous QMLE instance, but the weaker assumption that the solver has a complexity of O(q m ) at most. This algorithm works only for code dimensions up to m + n. We analyse the performance of solvers for these parameter sets, which shows that the specific assumption on the solver holds for codes of dimension m to m + n.
Lastly, to verify the results and performance of these algorithms in practice, we have implemented both and solved randomly generated instances of MCE for different parameter sets.

Preliminaries
Let Fq be the finite field of q elements. GLn(q) and AGLn(q) denote respectively the general linear group and the general affine group of degree n over Fq.
We use bold letters to denote vectors a, c, x, . . . , and matrices A, B, . . . . The entries of a vector a are denoted by a i , and we write a = (a 1 , . . . , an) for a (row) vector of dimension n over some field and a ⊤ = (a 1 , . . . , an) ⊤ for the respective column vector. Similarly, the entries of a matrix A are denoted by A ij . A matrix A is called symmetric if A ⊤ = A and skew-symmetric if A ⊤ = −A. The space of matrices over Fq of size m × n is denoted Mm,n(q).
Random sampling from a set S is denoted by a $ ← − − S. We use the notation O * (·) when polynomial factors of the complexity are omitted.

The Matrix Code Equivalence problem.
This section introduces basic notions on matrix codes and their equivalences. A more thorough introduction on matrix codes can be found in [31]. The usual choice for measuring distance between matrices over a finite field is the so called rank metric, defined as follows.
Definition 1 Let Rank(M) denote the rank of a matrix M ∈ Mm,n(q). The rank distance between two m × n matrices A and B over Fq is defined as An isometry is a map µ : Mm,n(q) → Mm,n(q) that preserves the rank, i.e. Rank(µ(M)) = Rank(M) for all M ∈ Mm,n(q).
By symmetry, without loss of generality, in the rest of the text we assume n ⩾ m.
Definition 2 A matrix code is a subspace C of m × n matrices over Fq endowed with the rank metric. Let k denote the dimension of C as a subspace of F m×n q and its basis by ⟨C 1 , . . . , C k ⟩, with C i ∈ F m×n q linearly independent. Two matrix codes C, D ⊂ Mm,n(q) are said to be equivalent if there exists an isometry µ with µ(C) = D.
An isometry from C to D is always of the form M → AMB, M → M ⊤ or a composition of these two, where A ∈ GLm(q) and B ∈ GLn(q) [32,33]. We restrict our attention to the isometries of the first form and we will say that two matrix codes are equivalent if there exists a map C → ACB from C to D where A ∈ GLm(q) and B ∈ GLn(q). We will denote this map as a pair (A, B). When n = m, If there exists a map (A, A ⊤ ) : C → ACA ⊤ from C to D, where A ∈ GLm(q), we will say that the codes C and D are congruent. This is a direct generalization of the notion of congruent matrices. An automorphism of a code is a map (A, B) : C → C, i.e. for each C ∈ C, we get ACB ∈ C. The automorphism group of C contains all the automorphisms of C. If the automorphism group contains only the maps (λI, νI) for constants λ, ν ∈ Fq, we say the automorphism group is trivial.
The main focus of this article will be the Matrix Code Equivalence(MCE) problem which is formally defined as follows: Problem 3 MCE(n, m, k, C, D): Input: Two k-dimensional matrix codes C, D ⊂ Mm,n(q) Question: Find -if any -a map (A, B), where A ∈ GLm(q), B ∈ GLn(q) such that for all C ∈ C, it holds that ACB ∈ D.
This is the computational version of MCE which, similarly to its counterpart in the Hamming metric [11,12,34], seems to be more interesting for cryptographic applications than its decisional variant. We will thus be interested in evaluating the practical hardness only of MCE, and present algorithms only for MCE and not its decisional variant. It is also interesting to consider the following variant of MCE: Problem 4 MCEbase(n, m, k, C, D): Input: The bases (C (1) , . . . , C (k) ) and (D (1) , . . . , D (k) ) of two k-dimensional matrix codes C, D ⊂ Mm,n(q) Question: Find -if any -a map (A, B), where A ∈ GLm(q), B ∈ GLn(q) such that for all C (i) , it holds that AC (i) B = D (i) .
Intuitively, MCEbase seems easier than MCE, and as a matter of fact, we will show later that it can be solved in polynomial time. Another variant of the MCE problem is the Matrix Codes Right Equivalence problem (MCRE) (left equivalence could be defined similarly): Problem 5 MCRE(n, m, k, C, D): Input: Two k-dimensional matrix codes C, D ⊂ Mm,n(q) Question: Find -if any -B ∈ GLn(q) such that for all C ∈ C, it holds that CB ∈ D.
It has been shown in [25] that MCE is at least as hard as code equivalence in the Hamming metric, Hamming Code Equivalence (HCE), also known as Linear or Monomial Equivalence. Interestingly, the same paper shows that MCRE is actually easy and can always be solved in probabilistic-polynomial time.
For vector rank codes C ⊂ F n q m , isometries are similar to the case of matrix codes. We get the Vector Rank Code Equivalence (VRCE) problem. Question: Find -if any -a pair (α, B) where α ∈ F * q m , B ∈ GLn(q) such that for all c ∈ C, it holds that αcB ∈ D.
Given a vector rank code C ⊂ F n q m and a basis Γ for F q m over Fq, each vector c ∈ C can be expanded to a matrix Γ(c) ∈ Mm,n(q), giving rise to a matrix code Γ(C). For any two bases Γ and Γ ′ , an equivalence between two vector rank codes C and D implies an equivalence between the matrix codes Γ(C) and Γ ′ (D) [31], so VRCE is trivially a subproblem of MCE. However, using the F q m -linearity of vector rank codes, VRCE reduces non-trivially to MCRE [25].

Systems of quadratic polynomials.
Let P = (p 1 , p 2 , . . . , p k ) : F N q → F k q be a vectorial function of k quadratic polynomials in N variables x 1 , . . . , x N , where It is common to represent the quadratic homogeneous part of the components of P using symmetric matrices, but unfortunately, a natural correspondence only exists for finite fields of odd characteristic. For the case of even characteristic, we will adopt a technical representation that is a common workaround in the literature of multivariate cryptography and will still be good for our purposes. Let γ ij x i x j be a quadratic form over Fq. Then, for fields of odd characteristic, we can associate to p a symmetric matrix P = P + P ⊤ , where P is an upper triangular matrix with coefficients P ij = γ ij /2 for i ⩽ j.
Clearly, there is a one-to-one correspondence between quadratic forms and symmetric matrices, since for x = (x 1 , . . . , x N ) it holds that Now, all operations on quadratic forms naturally transform into operations on matrices since the one-to-one correspondence between quadratic forms and symmetric matrices is actually an isomorphism. Note that, in matrix form, change of variables (basis) works as: In what follows, we will interchangeably work with both the quadratic form p and its matrix representation P.
Over fields Fq of even characteristic, the relation (1) does not hold, since for a symmetric matrix P we have (P ij + P ji )x i x j = 2P ij x i x j = 0. The nice correspondence between quadratic forms and symmetric matrices is broken, but we would still like to be able to use some sort of matrix representation for quadratic forms. Thus, in even characteristic we associate to p a symmetric matrix P = P + P ⊤ , where P is an upper triangular matrix with coefficients P ij = γ ij for i ⩽ j. This representation can also be used in odd characteristic when it comes to linear operations and changes of basis, as the correspondence p → P is a homomorphism. However, it is not a bijection, since all the quadratic forms in the set i | γ ii ∈ Fq} map to the same symmetric matrix (note that it has zeros on the diagonal). In practical, cryptographic applications, this typically does not pose a problem, and can be overcome. The same holds for our purpose of solving equivalence problems for systems of quadratic polynomials.

Differential of quadratic functions.
Given a non-zero a ∈ F N q , a well studied object in multivariate cryptology is the differential of P at a (see [35,36]): Note that the differential of a quadratic function is closely related to the bilinear form β(x, y) = q(x + y) − q(x) − q(y) associated to a quadratic form q. In this work we are especially interested in the kernel of DaP, as DaP(x) = 0 implies P(x + a) = P(x) + P(a). So P behaves linear on the kernel of DaP.

Isomorphism of polynomials.
The Isomorphism of Polynomials (IP) problem (or Polynomial Equivalence (PE) [37]) was first defined by Patarin in [1] for the purpose of designing a "graph isomorphism"like identification scheme and a digital signature using the Fiat-Shamir transform [7]. It is defined as follows.
Problem 7 IP(N, k, F, P): The variant of the problem where (T, t) is trivial is known as the Isomorphism of Polynomials with one secret (IP1S), whereas if P and F are quadratic and both s and t are the null vector, the problem is known as Quadratic Maps Linear Equivalence (QMLE) problem.
The decisional version of IP is not N P-complete [30], but it is known that even IP1S is at least as difficult as the Graph Isomorphism problem [30]. The IP problem has been investigated by several authors, initially for the security of the C * scheme [30]. In [38] it was shown that the IP1S is polynomially solvable for most of the instances with k ≥ N , and Bouillaguet et al. [39] gave an algorithm with running time of O(N 6 ) for random instances of the IP1S problem, thus fully breaking Patarin's identification scheme [1]. The authors of [30] gave an algorithm for solving the general IP, called To-and-Fro, that runs in time O(q 2N ) for q > 2 and O(q 3N ) for q = 2. It was noted in [28] that the algorithm is only suited for bijective mappings F and P. Getting rid of the bijectivity constraint has been explored in [29] with the conclusion that the proposed workarounds either have a non-negligible probability of failure or it is unclear how greatly they affect the complexity of the algorithm.
Regarding QMLE, the linear variant of IP, an empirical argument was given in [37] that random inhomogeneous instances are solvable in O(N 9 ) time, but a rigorous proof for this case still remains an open problem. Under this assumption, the same paper provides an algorithm of complexity O(N 9 q N ) for the homogeneous case which is considered the hardest, that was subsequently improved to O(N 9 q 2N/3 ) in [28]. Both works reduce a homogenous instance to an inhomogenous instance and assume the obtained inhomogeneous instance behaves as a random instance. This, however, is a wrong assumption which questions the claimed complexity of the algorithm.
In this work, we will be interested in the homogeneous variant of QMLE, that we denote hQMLE, as the hardest and most interesting instance of QMLE. Formally, the hQMLE problem is defined as follows.

Problem 8 hQMLE(N, k, F, P):
Input: Two k-tuples of homogeneous multivariate polynomials of degree 2 Interestingly, the case of k = 1, which we will call Quadratic Form Equivalence (QFE) has been completely solved for more than 80 years already in the works of Witt [40] and Arf [41]. It is known that every quadratic form is equivalent to a unique canonical diagonal (for odd characteristic) or block diagonal (for even characteristic) form which can be obtained in time O(N 3 ). Thus, QFE can also be solved in time O(N 3 ) by first calculating the transformations to the canonical forms of the two quadratic forms. If the canonical forms are the same, by composition, one can find the equivalence. If the canonical forms are not the same, the two quadratic forms are not equivalent.
In this work we also consider a variant of QMLE where F and P are bilinear forms. We call this problem Bilinear Maps Linear Equivalence (BMLE). In this variant, F and P are k-tuples of homogeneous polynomials of degree 2 in two sets of variables [x 1 , . . . , xn] and [y 1 , . . . , ym], where each monomial is of the form x i y j . Formally, the BMLE problem is defined as follows.
Problem 9 BMLE(n, m, k, F, P): Input: Two k-tuples of bilinear forms The inhomogenous versions of QMLE and BMLE will be referred to as inhQMLE and inhBMLE respectively. We write inh(Q/B)MLE when it does not matter if we are referring to the quadratic or the bilinear version.

How hard is MCE?
In this section we investigate the relation of the MCE problem to other known problems that we notably split in two groups -equivalence problems for systems of multivariate quadratic polynomials and equivalence problems for codes.

Relations to equivalence problems for qaudratic polynomials
We start with establishing a straightforward link between MCE and polynomial equivalence problems by proving that the MCE and BMLE problems are equivalent.

Theorem 10
The MCE problem is at least as hard as the BMLE problem.
Proof In order to prove our claim, we need to show that an algorithm A solving any instance of the MCE problem can be transformed in polynomial time to an algorithm B solving any instance of the BMLE problem. Suppose B is given an instance I BMLE (n, m, k, F, P) of BMLE, where F = (f 1 , f 2 , . . . , f k ), P = (p 1 , p 2 , . . . , p k ) ∈ Fq[x, y] k are k-tuples of bilinear forms. Without loss of generality, we assume f 1 , f 2 , . . . , f k (respectively p 1 , p 2 , . . . , p k ) are linearly independent. B can efficiently construct an instance of the MCE problem as follows.
B represents the components fs and ps, s ∈ {1, . . . , k} of the mappings F and P as n × m matrices F (s) and to be a basis of a matrix code C and (P (1) , . . . , P (k) ) a basis of a matrix code D, B obtains an instance I MCE (n, m, k, C, D) of MCE.
B gives the instance I MCE (n, m, k, C, D) as an input to A. After time t and advantage ϵ, A outputs a solution (A, B) to the MCE instance. From here, B constructs the matrices R (s) = AF (s) B ∈ D and solves the following system of equations in the variables t i,j : The system has always a solution, since (R (1) , . . . , R (k) ) is a basis of the code D. B sets T = t i,j , and outputs (A, B ⊤ , T) as the solution to I BMLE (n, m, k, F, P). B has the same advantage ϵ as A and runs in time t + O(k 6 ). □ Theorem 11 BMLE is at least as hard as MCE.
Proof We proceed similarly as in the other direction -Given an algorithm A solving any instance of BMLE, we can construct in polynomial time an algorithm B that can solve any instance of MCE. Suppose B is given an instance I MCE (n, m, k, C, D) of MCE. B takes arbitrary bases (C (1) , . . . , C (k) ) and (D (1) , . . . , D (k) ) of the codes C and D respectively. For each of the matrices C (s) B constructs the bilinear forms cs(x, y) = B gives the instance I BMLE (n, m, k, F, P) to A which in time t and with probability ϵ outputs a solution (S 1 , S 2 , T) to the BMLE instance. This immediately gives a solution (S 1 , S ⊤ 2 ) to the MCE instance. □ In order to prove the connection of MCE to the more general problem hQMLE we first need to establish some properties of matrix codes.
Lemma 12 Let C and D be matrix codes generated by the bases = (C 1 , . . . , C k ) and (D 1 , . . . , D k ) of (skew-)symmetric matrices, and assume that C and D have trivial automorphism groups. Then C is equivalent to D if and only if C is congruent to D.
Proof Clearly, by definition if C is congruent to D, then C is equivalent to D.
For the opposite direction, let C be equivalent to D. Then there exist nonsingular matrices A, B and T such that Since C i and D i are (skew-)symmetric the last rewrites as Combining the two, and since A and B are non-singular, we obtain The automorphism group being trivial implies A = λB ⊤ for some λ ∈ Fq which in turn implies that C is congruent to D. □

Remark 13
The result of Lemma 12 has already been known for algebraically closed fields of non-even characteristic [27,42]. Since finite fields are not algebraically closed, this result is not useful in our context. On the other hand, requiring a trivial automorphism group for the codes is not a huge restriction, and we typically expect the automorphism group to be trivial for randomly chosen matrix codes. Specifically for cryptographic purposes with regards to MCE, one wants the orbit of C to be maximal under the action of suitable isometries, which happens when the automorphism group of C is trivial. Similar requirements for trivial or small automorphism groups occur in the Hamming metric, where it is known that without this requirement there might exist weak keys [43,44]. Now, we are ready to show the following.

Theorem 14
The MCE problem is at least as hard as the hQMLE problem for systems of polynomials whose symmetric matrix representations have trivial automorphism groups.
Proof We perform the reduction in a similar manner as previously. Suppose B is given an instance I hQMLE (N, k, F, P) of hQMLE, where F = (f 1 , f 2 , . . . , f k ), P = (p 1 , p 2 , . . . , p k ) ∈ Fq[x, y] k are k-tuples of linearly independent quadratic forms. B can efficiently construct an instance of the MCE problem as follows.
B forms the N × N symmetric matrices F (s) and P (s) associated to the components fs and ps, s ∈ {1, . . . , k} of the mappings F and P. Taking (P (1) , . . . , P (k) ) to be a basis of a matrix code D and (F (1) , . . . , F (k) ) a basis of a matrix code C, B obtains an instance I MCE (N, N, k, C, D) of MCE. Per assumption, the matrix codes C and D have trivial automorphism groups.
B gives the instance I MCE (N, N, k, C, D) as an input to A. After time t and advantage ϵ, A outputs a solution (A, B) to the MCE instance. From Lemma 12, since the matrices are symmetric, A = B ⊤ . Now, B applies the change of variables xA to F and obtains R(x) = F(xA). It then solves the system k j=1 t j,s · r j = ps, ∀s ∈ {1, . . . , k} The system has a solution if I hQMLE (N, k, F, P) is a positive instance. This is always the case in odd characteristic, because there is a one-to-one correspondence between polynomials and their symmetric matrix representation. Over characteristic 2, it may happen that the I hQMLE (N, k, F, P) is not a positive instance while its symmetric matrix representation I MCE (N, N, k, C, D) is. In this case, the system (7) does not have a solution.
If the system has a solution, B sets T = t i,j , and outputs (A, T) as the solution to I hQMLE (N, k, F, P). Oterwise, it outputs ⊥. B has the same advantage ϵ as A and runs in time t + O(k 6 ). □ For the following theorem, we define the symmetric matrix representation of a matrix code C as the code Theorem 15 The hQMLE problem is at least as hard as the MCE problem for codes whose symmetric matrix representations have trivial automorphism groups.
Proof We show that an algorithm A that solves the hQMLE problem can be transformed in polynomial time to an algorithm B that solves the MCE problem if we assume that codes of symmetric matrices have trivial automorphism groups. Suppose B is given an instance I MCE (n, m, k, C, D) of MCE. B can efficiently construct an instance of the hQMLE problem as follows.
B gives the instance I hQMLE (n + m, k, F, P) to A which in time t and with probability ϵ outputs a solution (S, T) to the hQMLE instance.
We argue that this solution can be transformed to a solution to the MCE instance, if it is a positive instance. The symmetric matrix representation of the codes C and D is given by The solution (S, T) means If the given MCE instance is positive, then there exist matrices A, B, L such that The last two imply By assumption, the automorphism group of the 0 (D (i) ) ⊤ D (i) 0 matrices is trivial, which means S necessarily equals B ⊤ 0 0 A up to scalar multiplication. For such an S, the MCE solution can immediately be extracted. B then outputs the extracted solution.
If on the other hand, S is not of such block-diagonal form, B outputs ⊥. B has the same advantage ϵ as A and runs in the same time t. □ Remark 16 Using the above reduction between MCE and hQMLE, we can reduce the MCEbase problem to and from a special case of IP known as IP1S. Interestingly, Perret [38] shows IP1S is polynomially solvable for most instances k ≥ N , and later work [39] gives an algorithm with running time of O(N 6 ) for random instances. This implies that the MCEbase problem can be solved in polynomial time for most cryptographically interesting parameters.

Relations to equivalence problems for linear codes
In this section, we show that MCE is at the heart of code equivalence problems. Equivalence problems for different metrics, such as the Hamming metric or the sumrank metric, reduce to MCE, making the hardness analysis of MCE the more exciting.
From this, we define Hamming code equivalence (HCE) as the existence of an isometry between two Hamming codes C and D.
Problem 17 HCE(k, n, C, D): Input: Two k-dimensional Hamming codes C, D ⊂ F n q Question: Find -if any -α ∈ F * q n , π ∈ Sn such that απ(c) ∈ D holds for all c ∈ C.
The subproblem where α is trivial is called the monomial equivalence problem. It is easy to turn an HCE-instance into a MCE-instance [25], given the description of isometries in Equation (12). First, define Φ : F n q → Mn(Fq) by The map Φ is an isometry from the Hamming metric to the rank metric: codewords with weigh t are mapped to matrices of rank t. From this, we quickly get the reduction: Writing π as a matrix P ∈ GLn(q), Φ translates a Hamming isometry τ to a rank-metric isometry by A second reduction from HCE to MCE is given later in [25], which concerns the search variant of the problem, and is more explicit. Both reductions however do not help with solving HCE in practice: both the permutational (A is trivial) and the linear variant of code equivalence in the Hamming metric have algorithms [12,45] that perform much better for an HCE-instance τ than the algorithms we propose for solving Φ(τ ) as an MCE-instance.

Sum-rank code equivalence.
The sum-rank metric [46] is a metric that is gaining in popularity in coding theory. It is commonly given as a generalization of the vector-rank metric, but one can also define a variant that generalizes matrix-rank metric. We will reduce both vector and matrix sum-rank equivalence problems to MCE. The idea is the same as for HCE, we find the right isometry from sum-rank metric to rank metric to get the reduction.
Definition 18 Let n be partitioned as n = n 1 +.
Let Γ be a basis for F q m over Fq. Then the vector sum-rank of v is defined as Let m be partitioned as m = m 1 + . . . + m ℓ . Let V (i) ∈ M mi×ni (Fq) and V = (V (1) , . . . , V (ℓ) ). Then the matrix sum-rank of V is defined as The sum-rank generalizes both the Hamming metric and the rank metric: taking ℓ = n gives the Hamming metric, whereas ℓ = 1 gives the rank metric. We define isometries again as maps that preserve the sum-rank. Sum-rank isometries are simple generalisations of rank isometries (see Problem 6). Proposition 19 ([47,Thm. 3.7]) Isometries with respect to the vector sum-rank metric are given by vector rank isometries µ (i) : , and suitable permutations π of such blocks if n i = n j for i ̸ = j, so is a general description of a vector sum-rank isometry.
Generalizing to matrix sum-rank codes is achieved by simply replacing [48,Prop. 4.25]. This gives us the Vector Sum-Rank Code Equivalence (VSRCE) and Matrix Sum-Rank Code Equivalence (MSRCE) problems.
Problem 20 VSRCE(n, m, k, C, D): and a permuation π such that for all c ∈ C, it holds that µ(c) ∈ D.
Problem 21 MSRCE(n, m, k, C, D): Input: Two k-dimensional matrix sum-rank codes C, D ⊂ (M mi×ni (Fq)) i Question: Find -if any -A (i) ∈ GLm i (q), B (i) ∈ GLn i (q) and a permuation π such that for all C ∈ C, it holds that µ(C) ∈ D.
This gives a reduction to matrix isometries, by the same trick as for HCE. First, we define a 'nice' map Ψ : F n q → M ℓ·m×n (Fq) by It is clear that Ψ is an isometry from the vector sum-rank metric to the rank metric, as it preserves the weight. We get the following reduction.

Theorem 22
Assuming trivial automorphism groups, MCE is at least as hard as VSRCE.
Proof Suppose B is given an instance I VSRCE (n, m, k, C, D) of VSRCE, where C and D are k-dimensional vector sum-rank codes. B can efficiently construct an instance of the MCE problem as follows. By writing the permutation π of the 'blocks' by a matrix representation P, B can translate a vector sum-rank isometry µ into a matrix code isometry Ψ(µ) by (1) . . .
with A ∈ GL ℓ (q m ), B ∈ GLn(q). Hence, Ψ(µ) is an (n, m, k, C, D)-instance of MCE which B gives to A. In time t and with probability ε, A outputs a solution (A ′ , B ′ ) to this MCE instance. As the automorphism group is trivial, B computes λA ′ = P −1 A and λB ′ = BP for λ ∈ Fq, and therefore solves I VSRCE with the same advantage ε as A and in the same time t. □ From vector sum-rank code equivalence to matrix sum-rank code equivalence is only a small step. Given a partition m = m 1 + . . . + m ℓ , the map we need is only slightly different from Ψ, namelyΨ : (M mi×ni (Fq)) i → M m×n (Fq) by . . .
Theorem 23 Assuming trivial automorphism groups, MCE is at least as hard as MSRCE.
Proof This is a simple generalization of Theorem 22: Replace α (i) by A (i) ∈ GLm i (q) so that A ∈ GLm(q). Then again, for a matrix sum-rank µ we getΨ(µ) by Ψ(x) → P −1 AΨ(x)BP. □ The link between such instances Ψ(µ) andΨ(µ) is given by a representation ρ : F * q m → GLm(q). We map a vector sum-rank instance to a matrix sum-rank instance by A (i) = ρ(α (i) ), so that A ∈ GL ℓ·m (q).
To show the equivalences between the rank and sum-rank instances, we need to show that an MCE-instances is also a MSRCE-instance. But this is trivial: the sumrank metric generalizes the rank metric, thus an MCE-instance is an MSRCE-instance with ℓ = 1. So we get the following theorem for free.
Theorem 24 MSRCE is at least as hard as MCE.

Solving Matrix Code Equivalence
In this section, we analyze the complexity of solving an instance of MCE. As a baseline we have a straightforward algorithm that uses a result from [25] that MCRE can be solved in polynomial time. By enumerating either A or B, we obtain an instance of MCRE. This means the dominating complexity is the enumeration resulting in an overall complexity of O * (q m 2 ) for MCE. The approach we oultine in the section makes use of the reduction of MCE to hQMLE (see Theorem 15). This means that we use techniques already applied for solving hQMLE, but generalize and improve them by making use of the specific structure that MCE instances show when viewed as hQMLE instances.

Solving MCE as QMLE
At Eurocrypt 2013, Bouillaguet et al. [28] proposed an algorithm for solving hQMLE using techniques from graph theory. Their main idea was to reduce the homogeneous case to the inhomogeneous case, which they assume is efficiently solvable (e.g. using the heuristic algebraic approach of [37]). Starting from an instance of hQMLE, they build two exponentially-large graphs that correspond to the given maps F and P such that, finding an isomorphism between the two graphs is equivalent to finding an isomorphism between the two quadratic maps. Since the graphs are exponentially large, a technique is provided to walk through the graphs without constructing them. Walking through the graphs consists of finding adjacent vertices and computing the degree of a vertex, both in polynomial time. The algorithm consists in finding pairs of vertices from the first and the second graph that have the same degree and making queries to an inhomogenous QMLE solver. If the solver finds an isomorphism by which two vertices are related, then the isomorphism between the two graphs, and thus the isomorphism between the two quadratic maps, is found.

First algorithm for solving MCE
The algorithm for solving hQMLE from [28] considers a graph arising from the differential of a given polynomial map -a vertex a is connected to all the vertices that vanish at the differential at a. It is, however, not entirely clear how the property we choose to construct such graphs impacts the complexity of the algorithm. We revisit the algorithm, and show how it can be generalized, i.e. abstracted from the property used in [28], under certain conditions. In this section we present this generalizationa birthday-based algorithm for finding an isomorphism between two objects when a specific solver exists. In this form, it can be applied to a broader type of equivalence problems, using more general invariants, here implemented as a predicate P.
Let S 1 and S 2 be subsets of a universe U of equal size N . Algorithm 1 finds an equivalence function ϕ : S 1 → S 2 . We assume there exists a predicate P : U → {⊤, ⊥} that can be computed in polynomial time, and we denote the cost C P . We assume P is invariant under the equivalence ϕ, i.e. P(x) = ⊤ ↔ P(ϕ(x)) = ⊤. Let U ⊤ = {x ∈ U | P(x) = ⊤}, and d = |U ⊤ |/|U |. We will call d the density of the predicate P and we assume the density on S 1 and S 2 is approximately equal to d. We further assume the existence of an algorithm FindFunction, that given x ∈ S 1 , y ∈ S 2 returns ϕ if y = ϕ(x) and ⊥ otherwise. We denote the cost of a query to FindFunction by C FF .  return ⊥ 20: end function to build the list L 1 (resp. L 2 ) of elements a ∈ S 1 (resp. b ∈ S 2 ) such that P(a) (resp. P(b)) holds is ℓ/d, which gives a complexity of O( N/d) to build these lists L i .
The total running time is optimal when these two quantities N/d and d·N ·C FF are equal, which holds when FF . Such a density gives complexity of O(N As said earlier, the algorithm presented in [28] is a special case of Algorithm 1. Their algorithm can be seen as an instantiation of Algorithm 1 by defining G F (resp. G P ) to be the linearity graph of F (resp. P), where a vertex a is connected to all vertices x such that DaF(x) = 0 (resp. DaP(x) = 0), taking the predicate Pκ(a) : dim ker DaF = κ on the universe M k,N (q), and taking for FindFunction the assumed polynomial-time solver from [37] for inhQMLE. Finding a collision (α, β) such that β = αS makes the instance P(x + α) = F(xS + β)T an inhomogeneous instance by defining P ′ (x) = P(x+α) and F ′ (x) = F(x+β). Running FindFunction on P ′ and F ′ then returns S and T. In this case, Lemma 25 gives the precise result from [28, Thm. 1], which we present as a corollary to our Lemma 25, for completeness. Proof Let G F (i.e. G P ) be the linearity graph of F (i.e. P), where a vertex a is connected to all x such that DaF(x) = 0 (i.e. DxP(a) = 0). We use the predicate Pκ(a) : dim ker DaF = κ we have that deg(a) = q κ . The density of the predicate dκ in the universe of N ×N matrices is independent of F and P, and is therefore the same as the density of linear maps with kernel of dimension κ. Thus, dκ is approximately a monotonic decreasing function in κ, going from 1 to 0. Hence, by Lemma 25, there exists some optimal κ for which we get that dκ ≈ |G P | −1/3 = q −N/3 , which gives a total time complexity of q 2 3 N and a memory complexity of q 1 3 N . □

Remark 27
The assumption on a polynomial-time solver in [28] turns out to be too strong: such a solver exists for random instances, however, for inhQMLE instances as obtained in Corollary 26 the running time is probably not polynomial [29]. Nevertheless, the algorithm and result are valid, but require a different rebalancing depending on C FF . Section 5 analyzes C FF in detail for different instances.
To apply this approach to MCE instances, we need to generalize to the case of N not necessarily equal to k. For an MCE instance I MCE (n, m, k, C, D), we get an hQMLE instance I QMLE (n + m, k, F, P) by Theorem 15. We take again the predicate Pκ(a) : dim ker DaF = κ, but this time on the universe M k,n+m (q), where DaF lives. To get a similar result to Corollary 26, we need to show two things. a), that this predicate satisfies the assumptions required for Algorithm 1. b), that there is a κ such that the density dκ of Pκ is optimal as described in Lemma 25. If both are satisfied, we get a complexity of O(q  2. Let P(x) = F(xS)T be the equivalence. If x ∈ ker DaP then xS ∈ ker F aS and vice versa, as T does not affect the kernel. As S is invertible, we get a one-to-one correspondence x → xS between the kernels, so Pκ(D aS F) = Pκ(DaP).
3. For F coming from an MCE-instance, we always have −a ∈ ker DaF. We want to show that the distribution of the rank of DaF follows the ranks of linear maps vanishing at −a. This is given by [35,Thm. 2] for even characteristic and easily adapted to odd characteristic, which shows dκ is independent of F. □ We now continue with b): we show that there is a κ such that dκ is optimal. For now, existence of κ is enough to derive a complexity on MCE. We will explicitely compute κ later, in Section 5, when we have a detailed view of C FF for specific parameter sets (k, n, m).
The general density dκ for the predicate Pκ is given by the following lemma, taking a = k and b = n + m to avoid confusion with regards to n, m and n + m. Proof There are |U | = q ab matrices in M a,b (q), out of which From Lemma 29 we can conclude that for some κ, the density dκ is optimal. This means we satisfy both a) and b) and we can apply Lemma 25.
In conclusion, we get our first result on the hardness of MCE, which significantly impoves straightforward enumeration. This requires that such a κ exists, which happens when k ⩽ 2(n + m), by Lemma 29. Note that, in contrast to [28, Thm. 1], we do not assume a polynomial-time solver for the inhomogeneous case of QMLE. Instead, we write this cost as C FF and explore the precise cost in Section 5. We will show in Section 5 that, even though C FF is not polynomial-time, the complexity of Algorithm 1 is still O * (q 2 3 (n+m) ) for some optimal κ.

Remark 31
When k ≥ 2(n + m) we can no longer assume elements with dim ker DaF > 1 exist, as practically all differentials DaF will have only the trivial kernel spanned by −a. In such a scenario, the best we can do is to take a single element a and run FindFunction on (a, b) for all b ∈ F n+m q until we find the isometry. This deterministic process has a time complexity of O(q (n+m) · C FF ). The memory requirements of this algorithm are negligible, since we do not build lists of elements.

Second algorithm
The algorithm that we presented in the previous section does not take advantage of the bilinear structure of an instance of MCE when viewed as hQMLE. In such a case, the differential D (a,b) F of a k-dimensional bilinear form admits a special structure. Let F(x, y) be a k-dimensional bilinear form with x ∈ F m q and y ∈ F n q . Let Fa denote the k × n matrix of the linear map F(a, −) : F n q → F k q for a fixed a ∈ F m q . Similarly let F b denote the k × m matrix of the linear map F(−, b) : F m q → F k q for a fixed b ∈ F n q . Then

Lemma 32
Similarly for P, we use the notation Pa and P b . The equivalence in such a case becomes P(x, y) = F(xA, yB ⊤ )T, with A, B precisely the matrices from the MCE instance. Then, as F and P are bilinear, one can see SampleSet in Algorithm 1 as sampling both a ∈ F n q and b ∈ F m q at the same time as one (a, b) ∈ F n+m q , until D (a,b) F has a kernel of dimension κ. However in the bilinear case, a influences only the matrix Fa, and b influences only F b . Hence, we can sample a ∈ F m q and b ∈ F n q separately. This hints that we can apply ideas from Algorithm 1 to the smaller universes Ua = M k,n (q) and U b = M k,m (q), where Fa and F b live. By finding well-chosen predicates in these smaller universes, we hope to find collisions faster. We first analyse the preoperties of Fa and F b a bit more. Let Fa be the set of elements a for which dim ker Fa is non-trivial, and F b similarly, i.e.
For P, we define Pa and P b similarly. For isomorphic bilinear forms F and P, these sets have special properties.
Lemma 33 Let (A, B, T) : F → P be an isomorphism between two k-tuples of bilinear homogenous quadratic polynomials F and P, such that P(x, y) = F(xA, yB ⊤ )T. We have the following properties: 1. Given a ∈ Fa and any b ∈ ker Fa, we get F(a, b) = 0.
2. F b is completely determined by Fa, as F b = a∈Fa ker Fa.
3. For a ∈ F n q and y ∈ F m q , we have Pa(y) = F aA (yB ⊤ )T. 4. For a ∈ F n q , we get ker Pa = ker F aA · B ⊤ . 5. The isomorphism (A, B, T) induces the bijections 2. This follows directly from 1.: b ∈ F b only if there exists an a ∈ Fa such that F(a, b) = 0. But then b ∈ ker Fa for this specific a.
4. This follows directly from 3.: as T is invertible, it does not affect the kernels, so y ∈ ker Pa if and only if yB ⊤ ∈ ker F aA 5. This follows directly from 4.: Given a ∈ Pa we get aA ∈ Fa and vice versa as A ∈ GLm(q). A similar argument gives F b → P b . □ Lemma 33 shows that a ∈ Fa and b ∈ F b describe all non-trivial roots (a, b) of a given F. For an instance (A, B, T) : F → P, Item 5 shows that non-trivial roots are mapped bijectively by (A, B, T). Such non-trivial roots can be used to find collisions more easily between F and P. However, this requires that instances F → P have non-trivial roots. We can get an estimate on the sizes of Fa, F b , Pa, and P b for given parameters n, m, and k, in the following way.
Proof By Lemma 33 we get |Fa| = |Pa|. Then, using Lemma 29 we see that the size of these sets is dominated by elements a with κ = dim ker Fa = 1 (a onedimensional kernel). From the same lemma, the density of κ = dim ker Fa = 1 elements is d 1 = q −(1+1·(k−n)) . Hence we expect d 1 · q n = q 2n−k−1 such elements. A similar argument gives Summarizing specifically for parameters of cryptographical interest, this means Corollary 35 Assuming n = m as the hardest case, an MCE instance I MCE (n, m, k, F, P) over Fq has non-trivial roots with very high probability, when k < 2n, with probability 1 q , when k = 2n, with very low probability, when k > 2n.
From these results, we can expect non-trivial roots for an MCE instance (k, n, m, F, P) over Fq with k ≤ n + m. These non-trivial roots can be seen as a suitable predicate on the smaller universes Ua and U b : we search for collisions (a, b) × (aA, bB ⊤ ), where (a, b) is a non-trivial root of P, and (aA, bB ⊤ ) of F. Given such a collision, we proceed as in Section 4.2.
The following result shows that we always find such a collision if F and P have non-zero roots.
Lemma 36 Let Fa, F b and Pa, P b describe the non-trivial roots of an MCE instance I MCE (n, m, k, F, P) over Fq. Let x = (a, b) ∈ Fa ×F b , then looping over y ∈ Pa ×P b gives a collision (x, y) with certainty.
Proof This follows quickly from Lemma 33. We have x = (a, b) and two bijections Fa → Pa and F b → P b , so x is mapped to some y ∈ Pa × P b . As this set is finite, we can loop over it in a finite number of steps until we find the collision. □ Therefore, as soon as we have non-trivial roots, we can use a single one of them to find a collision. This leads to the following pseudo-algorithm: if F b is non-empty, compute Fa using Lemma 33-2. Same for Pa and Pa.
3. sample a single x ∈ Fa × F b 4. loop over y ∈ Pa × P b with FindFunction(x, y) until the solver finds µ.

Corollary 37
Assuming m ⩽ n, the above algorithm terminates successfully and has a total complexity of O(q m ·C Pκ +q 2(n+m−k−1) ·C FF ), where C P denotes the cost of computing ker F b and C FF denotes the cost of a single query to FindFunction.
Proof Building F b and P b has a complexity of O(q m · C Pκ ), and these give us Fa and Pa by Lemma 33. Then for every step in the loop we get a query to FindFunction. By Lemma 34, the size of Pa × P b is at most O(q 2(n+m−k−1) ). □ We will see later in Section 5 that the dominating complexity is q m · C Pκ as for specific parameters (k, n, m) the number of queries z can be reduced so that z·C FF < q m . As C Pκ is polynomial, we get a complexity of O * (q m ) for such instances.
For efficiency, one can decrease further the number of queries to FindFunction by applying other, secondary predicates. For example, the sets Fa × F b and Pa × P b can be split into zeros F 0 = {x ∈ F n+m q |F(x) = 0} and non-zeros F = Fa × F b \ F 0 , which reduces the collision search to each of these sets. Another secondary predicate is to only use elements a with dim ker Fa = κ for some specific value κ > 0.
We summarize the MCE solver for instances with roots in Algorithm 2. Practi-Algorithm 2 Bilinear MCE-Solver, assuming n ⩾ m. if dim ker F b > 0 then 5: return ⊥ 23: end function cally, since the algorithm is deterministic, we do not need to build and store the list F. We only need to find one element from it. However, for iterating through the list P, Sa and S b need to be stored. The estimated size of these lists is q n+m−k−1 .
The next theorem summarises this subsection on using bilinearity to solve MCE.
Theorem 38 Assuming a solver for the inhomogenous case of QMLE with cost C FF , an MCE instance (n, m, k, F, P) over Fq with n ⩾ m and roots existing for F and P can be solved using Algorithm 2 with O (q m · C Pκ ) operations in Sam-pleZeroes and z queries to the solver. This amounts to a total time complexity of O (q m · C Pκ + z · C FF ). The memory complexity of the algorithm is O(q n+m−k−1 ).
We will show in Section 5 that, even though C FF is not polynomial-time, the dominating factor in this complexity is still q m ·C Pκ , where C Pκ is the cost to compute the kernel of an m × k matrix.

Filling the gaps in the complexity analysis
The cost C P is polynomial in all of the cases because it either requires computing the rank of a linear map or sampling a random element from a set. The FindFunction in Algorithms 1 and 2 checks whether a given pair of vectors is a collision, and if so, it returns the solution to the MCE instance. This is done by solving an instance of the inhBMLE that has the same solutions as the input MCE instance. Thus, to estimate the value of C FF , we analyse the complexity of inhBMLE on these instances, by relying on algorithms that have been developed for the inhQMLE case with N = k.

Algorithms for inhQMLE
The two algorithms described in this section have been used for tackling the inhQMLE problem within the birthday-based algorithm for hQMLE [28,29]. Their analysis is thus important to estimate C FF . In Section 5.2 we adapt this analysis for the inhBMLE case with arbitrary k and N and we see how this affects Algorithms 1 and 2 for different parameter sets.

The Gröbner attack
The algebraic attack on the inhQMLE problem starts by reducing P(x)T −1 = F(xS), with S and T unknown, to a system of polynomial equations. By rewriting the problem in matrix form we obtain the following constraints 1⩽r⩽k TrsP (r) = SF (s) S ⊤ , ∀s, 1 ⩽ s ⩽ k, where F [1] ∈ F N ×k q and P [1] ∈ F N ×k q describe the degree-1 homogeneous part of an inh(Q/B)MLE instance and F [0] ∈ F k q and P [0] ∈ F k q describe the degree-0 part. We will denote the subsystem of equations derived from the degree-d homogeneous part as S d . The resulting system can be solved using Gröbner basis algorithms and this is referred to as the Gröbner attack [37]. The observation that S and T are common solutions to homogeneous parts of separate degrees of an inhQMLE instance (also proven in [39,Lemma 1]) and the idea that moving T to the other side of the equality results in a lower degree system where we solve for T −1 originate from this work.
The complexity of Gröbner basis algorithms depends foremost on the degree of regularity, which is usually hard to estimate, but it can sometimes be observed through experimental work. Such experiments applied to inhQMLE instances imply that the system is solved at degree three. A degree-three linearized system in n variables is represented by a matrix of size roughly n 3 and thus, Gaussian Elimination on such a system is performed in O(n 3ω ) operations, where ω is the linear algebra constant. This reasoning leads to the assumption that there exists a polynomial-time solver for the inhomogeneous case of QMLE. Another empirical observation made in [37] is that the time to construct the system exceeds the time of the Gröbner basis computation. Since the generation of the system is known to be polynomial, this suggests that the Gröbner basis computation is performed in polynomial time as well. However, these experiments are performed on random inhomogeneous instances of the QMLE problem. In the birthday-based approach for solving QMLE, F [1] , P [1] , F [0] and P [0] are obtained from a collision [28]. Specifically, if we have a collision on x ∈ F N q and y ∈ F N q such that y = xS, they are obtained as Instances of inhQMLE derived from a collision are, on average, harder to solve than random inhQMLE instances. Recall that in Algorithm 1 the instances of inhQMLE are chosen such that dim ker DyF = dim ker DxP = κ. Hence, the number of linearly independent equations in S 1 is exactly k(N − κ), instead of the expected kN on average. The size of S 0 can also depend on the predicate that we choose for the birthday-based algorithm. For instance, when we use the predicate of searching for a collision between the non-trivial roots of P and F, we obtain no equations in S 0 . Additionally, since F [1] (i.e. P [1] ) and F [0] (i.e. P [0] ) are obtained respectively from computing the differential of and evaluating F (i.e P) at a given point, S 1 and S 0 are not as independent from S 2 as they would be in the random case. It is difficult to estimate the complexity of solving these instances compared to solving random instances with the same structure. Figure 2 shows experiments confirming our intuition that the complexity of collision-derived instances is worse than that of random ones. This implies that we can not rely on the experimental observations in [37] to estimate the complexity of these specific instances. We conclude that, in contrast with the literature, we can not assume that C FF is polynomial when the Gröbner attack is used.

The matrix-pencil attack
The matrix-pencil attack was proposed in Bouillaguet's thesis [29] and used for the implementation of the birthday-based attack [28]. This algorithm has a complexity of O(N 6 ) with non-negligible probability for random inhQMLE instances where N = k. Its complexity for inhQMLE instances derived from a collision attack depends strongly on the parameter κ. We give a general description of the approach. For details on how it relates to the matrix pencil equivalence problem, we refer to [29,Ch. 14].
The first step is to retrieve a basis of the solution space V of the subsystem of linear equations S 1 . Let ℓ = dim V and let (S [1] , T [1] ), . . . , (S [ℓ] , T [ℓ] ) be a basis of V . Once the solution space of S 1 is known, in order to find the solution space of the overall system one rewrites S 2 as a system in ℓ variables. Concretely, this is done by replacing S and T by (13) and then looking for solutions in variables x 1 , . . . , x ℓ . This standard approach is also described in [39]. A key idea in the matrix-pencil attack is to use the knowledge of F [1] /P [1] and F [0] /P [0] to find a (second) collision and double the number of linear equations in S 1 . Supposing that there exists x ′ such that x ′ P [1] = P [0] , we infer that there also exists y ′ such that y ′ F [1] = F [0] and that y ′ = x ′ S. We can thus append the equations obtained from (D x' P)T −1 = S(D y' F) to S 1 . After applying this technique, the resulting system is usually highly overdetermined and can be solved through direct linearization. The most favorable case is when x ′ and y ′ are uniquely identified. However, if dim ker F [1] = κ > 1, then x ′ is chosen arbitrarily and we loop through the q κ possible values for y ′ . The complexity of the algorithm is O(q κ ℓ 2 N 4 ), under the condition that ℓ(ℓ + 1)/2 ≤ |S 2 |. Another condition for the success of this approach is that P(x) ̸ = 0 and ∃x, xDxP = P(x), because this assumption is used to find the second collision. As per the analysis in [29], the probability that the condition for success is met is 1 − 1/q + 1/q 3 + O(1/q 6 ).

The complexity of inhBMLE for three parameter sets
In the following analysis, we use the matrix-pencil algorithm as the inhBMLE solver, as it seems to outperform the Gröbner attack and we have a better understanding of its complexity for these specific instances.

The case k ≤ n + m
The case when k ≤ n + m uses Algorithm 2, where the complexity is dominated by the SampleZeroes function, as long as the complexity of the inhBMLE solver does not surpass O(q m ). In the matrix-pencil algorithm, we can not use the zero subsets F 0 and P 0 , as this contradicts its condition for success P(x) ̸ = 0. The non-zeros subsets F and P can be used with a small adjustment to the algorithm: after finding a basis of the solution space of S 1 , we rewrite and solve through linearization the system comprised of both S 2 and S 0 . Note that F and P are non-empty only when the instance has at least two roots. Since in Algorithm 2 we do not restrict the value of κ, we will approximate to the one that has the highest probability, which for the case of k ≤ n + m is κ = (m + n) − k. Hence, C FF is approximated to O(q m+n−k · (m + n) 6 ).
When k ≥ m, this is always smaller than O(q m ).

5.2.2
The case n + m < k < 2(n + m) In this case we use Algorithm 1. Since the complexity of the inhBMLE solver contains a non-negligible factor of q κ , the choice of κ needs to be adapted, so that the running times of SampleSet and CollisionFind are equal. Let N = n+m and let r = N −k. The optimal κ is chosen such that q N −(κ 2 +κr) 2 · q κ 2 +κr ≈ q N −(κ 2 +κr) · q κ . This gives us κ = k−(n+m+ √ δ) 2 + 1 3 , with δ = (k − (n + m)) 2 + 4 3 (k + 1 3 ). The complexity of the overall algorithm with this optimal choice for κ is then We get that √ δ ⩾ |k −(n+m)| and so for all values of k between n+m and 2(n+m), the term k − √ δ is bounded by n+m, and hence this gives a bound on the complexity by O(q 2 3 (n+m)+ 1 9 ). The term 1 9 adds a few bits at most to this complexity, but is negligible for most cryptographic purposes.

The case k ≥ 2(n + m)
When k ≥ 2(n + m), as per Lemma 29, the probability that there exist elements with dim ker D (a,b) F > 1 is extremely small, which is why we can not define a distinguishing predicate for Algorithm 1 and κ = 1 with overwhelming probability. In this case, the complexity of the matrix-pencil algorithm is O(q · (m + n) 6 ), as with random inhBMLE instances.

Summary of results
After determining the value of C P and C FF for all parameter sets, we can summarize the results on the hardness of MCE as follows.

Experimental results
To confirm our theoretical findings, we solved randomly generated positive instances of the MCE problem, using the two approaches presented in this paper. First, we implement the birthday-based Algorithm 1 in three steps. (1) We randomly generate a positive instance (k, n, m, C, D) of MCE and reduce it to an instance (m+n, k, F, P) of hBMLE. (2) We build the two sample sets for a predefined predicate P and we combine them to create pairs of potential collisions. (3) For each pair we create an inhBMLE instance and we query an inhBMLE solver until it outputs a solution for the maps S and T. Our implementation is built on top of the open source birthday-based hQMLE solver from [29], which is implemented in MAGMA [50]. Table 2 shows running times for solving the MCE problem using Algorithm 1. The goal of this first experiments was to confirm that there is a parameter choice where the probability of success of the algorithm surpasses 1 − 1/e and that our running times are comparable to the ones given in [28]. These experiments are done with the parameter q = 2 and all results are an average of 50 runs. The second approach, described in Section 4.3 uses the bilinear structure of hQMLE instances derived from MCE instances to have an improved algorithm for building the sample sets and a more precise predicate that results in fewer queries to the inhQMLE solver. The consequence of these two improvements to the runtime can be observed in Table 3 where we show experimental results of Algorithm 2 using the non-zeros subsets. Recall that, this approach can be used only when there exist at least two roots of F and P. Otherwise, the sampled sets contain only the trivial root and the instance is solved using Algorithm 1. Table 3 shows results of the case when the sets are non-trivial and the probability of this case for the given parameters is shown in the last column. For efficiency, we take the minimal subset with a common dimension of the kernel of F b , and when looking for collisions, we are careful to skip pairs (ab, a ′ b ′ ) where dim ker F b = dim ker P b ′ but dim ker D (a,b) F ̸ = dim ker D (a ′ ,b ′ ) P. In these experiments, q = 3 and all results are an average of 50 runs. Our experiments confirm that Algorithm 2 outperforms Algorithm 1 for solving MCE instances with non-trivial roots.