Exploiting Preprocessing for Quantum Search to Break Parameters for \(\mathcal{MQ}\) Cryptosystems

Benjamin Pring
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11321)


In this paper we re-examine quantum search applied to the Multivariate Quadratic (\(\mathcal{MQ}\)) hardness problem over the finite field GF(2). This problem underpins the security of a number of proposed post-quantum public-key cryptosystems designed to resist attacks from quantum computers, and in this paper we warn of the dangers of extrapolating parameters from the efficiency of quantum search algorithms alone. Our methods demonstrate that by applying preprocessing to the \(\mathcal{MQ}\) problem we can reduce the computational load on the quantum computer and, in a generalisation of multi-target search to single targets, improve the efficiency of the basic quantum search oracle for the \(\mathcal{MQ}\) problem over GF(2). Our work builds upon the \(\mathcal{MQ}\) oracle introduced by Westerbaan and Schwabe [19] and improves it to the extent that it breaks all quantum-resistant security parameters for the Gui cryptosystem [16] proposed by the original authors [15]. Our results hold both in the logical gate model and when the algorithm is fully costed in terms of the Clifford+T universal gate set.
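The abstract describes two ingredients that a resource estimate for Grover search on \(\mathcal{MQ}\) depends on: the oracle (evaluate a quadratic system over GF(2) and mark the assignments at which it vanishes) and the iteration count, which falls as the number of marked targets grows. The following classical simulation is an added example and is not code from the paper or its author; it builds a small random quadratic system with a planted solution (constructed sample data), uses the system as a Grover oracle in a state-vector simulation, and compares a search over the full system with a search over a cheaper partial oracle that keeps only a prefix of the equations, re-checking the dropped equations classically on the measured candidate. Treating the dropped equations as a way to turn one target into many is a textbook multi-target trade-off used here only as an illustration; the page does not state the details of the paper's own preprocessing, and all function names are the example's own.

```python
import math
import random


def random_mq_system(n, m, planted, rng):
    """Build m random quadratic equations in n GF(2) variables that all vanish at
    the planted assignment. An equation is (monomials, constant); a monomial (i, j)
    with i <= j stands for x_i * x_j, and i == j is the linear term x_i because
    x_i^2 = x_i over GF(2). All inputs are constructed sample data."""
    system = []
    for _ in range(m):
        monomials = [(i, j) for i in range(n) for j in range(i, n) if rng.random() < 0.5]
        constant = 0
        for i, j in monomials:
            constant ^= planted[i] & planted[j]
        system.append((monomials, constant))  # monomial sum + constant == 0 at planted
    return system


def satisfies(system, x):
    """The MQ oracle predicate: True iff every equation evaluates to 0 at x."""
    for monomials, constant in system:
        acc = constant
        for i, j in monomials:
            acc ^= x[i] & x[j]
        if acc:
            return False
    return True


def bits(index, n):
    """Little-endian bit list of an n-bit integer, used to enumerate assignments."""
    return [(index >> k) & 1 for k in range(n)]


def count_solutions(system, n):
    """Brute-force count of the oracle's targets (only feasible for tiny n)."""
    return sum(1 for idx in range(1 << n) if satisfies(system, bits(idx, n)))


def grover_iterations(n, targets):
    """Usual iteration count floor(pi/4 * sqrt(N/t)) for t targets in N = 2^n [8, 12]."""
    if targets <= 0:
        raise ValueError("oracle must mark at least one target")
    return int(math.floor((math.pi / 4) * math.sqrt((1 << n) / targets)))


def simulate_grover(system, n, iterations):
    """Classical state-vector simulation of Grover search with the MQ predicate as
    the oracle. Returns the probability that a measurement yields a target."""
    size = 1 << n
    marked = [satisfies(system, bits(idx, n)) for idx in range(size)]
    amp = [1.0 / math.sqrt(size)] * size
    for _ in range(iterations):
        amp = [-a if marked[idx] else a for idx, a in enumerate(amp)]  # oracle phase flip
        mean = sum(amp) / size
        amp = [2.0 * mean - a for a in amp]  # diffusion: reflect about the mean
    return sum(a * a for idx, a in enumerate(amp) if marked[idx])


def analytic_success(n, targets, iterations):
    """Closed form sin^2((2k+1) theta) with sin theta = sqrt(t/N), for comparison."""
    theta = math.asin(math.sqrt(targets / (1 << n)))
    return math.sin((2 * iterations + 1) * theta) ** 2


def compare_full_vs_partial(n, m, keep, seed=1):
    """Search the full m-equation system against a partial system that keeps only
    the first `keep` equations. The partial oracle is cheaper and marks more targets,
    so it needs fewer iterations; the dropped equations are then re-checked
    classically on the measured candidate. Returns the figures for both searches."""
    rng = random.Random(seed)
    planted = [rng.randint(0, 1) for _ in range(n)]
    full = random_mq_system(n, m, planted, rng)
    partial = full[:keep]
    t_full, t_part = count_solutions(full, n), count_solutions(partial, n)
    k_full, k_part = grover_iterations(n, t_full), grover_iterations(n, t_part)
    return {
        "targets": (t_full, t_part),
        "iterations": (k_full, k_part),
        "simulated": (simulate_grover(full, n, k_full), simulate_grover(partial, n, k_part)),
        "analytic": (analytic_success(n, t_full, k_full), analytic_success(n, t_part, k_part)),
        # fraction of measured partial-system candidates that survive the classical re-check
        "filter_rate": t_full / t_part,
    }


if __name__ == "__main__":
    for key, value in compare_full_vs_partial(8, 8, 4).items():
        print(key, value)
```

The simulation reproduces the closed-form success probability, so the iteration counts it reports are exactly the ones a resource estimate would multiply by the per-iteration oracle cost. The point the comparison makes is the one the abstract cautions about: the number of Grover iterations is only part of the cost, because a cheaper oracle with more targets trades quantum iterations for classical post-filtering, and a parameter choice that only counts iterations against a fixed oracle misses that trade-off.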


Keywords: Quantum search, Multivariate Quadratic Cryptography



The author kindly thanks James Davenport and Christophe Petit for their helpful discussions. Benjamin Pring is funded by an EPSRC grant.


References

  1. Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent, A., Schanck, J.: Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 317–337. Springer, Cham (2017)
  2. Amy, M., Maslov, D., Mosca, M.: Polynomial-time T-depth optimization of Clifford+T circuits via matroid partitioning. IEEE Trans. Comput.-Aided Des. Integr. Circ. Syst. 33(10), 1476–1489 (2014)
  3. Amy, M., Maslov, D., Mosca, M., Roetteler, M.: A meet-in-the-middle algorithm for fast synthesis of depth-optimal quantum circuits. IEEE Trans. Comput.-Aided Des. Integr. Circ. Syst. 32(6), 818–830 (2013)
  4. Bard, G.: Algebraic Cryptanalysis. Springer, New York (2009)
  5. Bardet, M., Faugère, J.C., Salvy, B., Spaenlehauer, P.J.: On the complexity of solving quadratic boolean systems. J. Complex. 29(1), 53–75 (2013)
  6. Barenco, A., et al.: Elementary gates for quantum computation. Phys. Rev. A 52(5), 3457 (1995)
  7. Bouillaguet, C., et al.: Fast exhaustive search for polynomial systems in \(\mathbb{F}_2\). In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 203–218. Springer, Heidelberg (2010)
  8. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. arXiv quant-ph/9605034 (1996)
  9. Courtois, N.T., Patarin, J.: About the XL algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003)
  10. Fowler, A.G., Mariantoni, M., Martinis, J.M., Cleland, A.N.: Surface codes: towards practical large-scale quantum computation. Phys. Rev. A 86(3), 032324 (2012)
  11. Grassl, M., Langenberg, B., Roetteler, M., Steinwandt, R.: Applying Grover's algorithm to AES: quantum resource estimates. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 29–43. Springer, Cham (2016)
  12. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the 28th Annual ACM Symposium on Theory of Computing, pp. 212–219. ACM (1996)
  13. Joux, A., Vitse, V.: A crossbred algorithm for solving boolean polynomial systems. IACR Cryptology ePrint Archive 2017, 372 (2017)
  14. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2010)
  15. Petzoldt, A., Chen, M.-S., Ding, J., Yang, B.-Y.: HMFEv - an efficient multivariate signature scheme. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 205–223. Springer, Cham (2017)
  16. Petzoldt, A., Chen, M.-S., Yang, B.-Y., Tao, C., Ding, J.: Design principles for HFEv- based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015)
  17. Roetteler, M., Naehrig, M., Svore, K.M., Lauter, K.: Quantum resource estimates for computing elliptic curve discrete logarithms. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 241–270. Springer, Cham (2017)
  18. Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011)
  19. Schwabe, P., Westerbaan, B.: Solving binary \(\mathcal{MQ}\) with Grover's algorithm. In: Carlet, C., Hasan, M.A., Saraswat, V. (eds.) SPACE 2016. LNCS, vol. 10076, pp. 303–322. Springer, Cham (2016)
  20. Selinger, P.: Quantum circuits of T-depth one. Phys. Rev. A 87(4), 042302 (2013)
  21. Thomae, E., Wolf, C.: Solving underdetermined systems of multivariate quadratic equations revisited. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 156–171. Springer, Heidelberg (2012)
  22. Toffoli, T.: Reversible computing. In: de Bakker, J., van Leeuwen, J. (eds.) ICALP 1980. LNCS, vol. 85, pp. 632–644. Springer, Heidelberg (1980)

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Benjamin Pring, University of Bath, Bath, UK
