
Asymptotically Faster Quantum Algorithms to Solve Multivariate Quadratic Equations

Conference paper. In: Post-Quantum Cryptography (PQCrypto 2018).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10786).

Abstract

This paper designs and analyzes a quantum algorithm to solve a system of m quadratic equations in n variables over a finite field \({\mathbf {F}}_q\). In the case \(m=n\) and \(q=2\), under standard assumptions, the algorithm takes time \(2^{(t+o(1))n}\) on a mesh-connected computer of area \(2^{(a+o(1))n}\), where \(t\approx 0.45743\) and \(a\approx 0.01467\). The area-time product has asymptotic exponent \(t+a\approx 0.47210\).

For comparison, the area-time product of Grover’s algorithm has asymptotic exponent 0.50000. Parallelizing Grover’s algorithm to reach asymptotic time exponent 0.45743 requires asymptotic area exponent 0.08514, much larger than 0.01467.

Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported by the European Commission under Contract ICT-645622 PQCRYPTO; by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005; and by the U.S. National Science Foundation under grant 1314919. This work also was supported by Taiwan Ministry of Science and Technology (MoST) grant 105-2923-E-001-003-MY3 and an Academia Sinica Investigator Award. “Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies). Permanent ID of this document: c77423932ceeda61ddf009049efc0749daadd023. Date: 2018.01.25.


Notes

  1. One can object to the circuit model of computation as being too restrictive: (1) in the algorithms literature it is common to treat random access to an arbitrarily large array as a single operation taking a single unit of “time”; (2) the algorithms literature also allows “branches”. However, (1) for any particular size of array, random access can be implemented as a series of NANDs—which is essentially how physical RAM devices work; (2) branches are equivalent to—and physically implemented as—random access to an array of instructions.

  2. Part of the literature suggests, incorrectly, that this requires computing echelon form. In fact, it simply requires solving linear equations. Specifically, finding x such that Mx is zero outside \(n+1\) positions is the same as finding x such that \(M'x=0\), where \(M'\) removes those positions from M. To find a uniform random r such that \(M'r=0\), one can take a uniform random v, compute \(M'v\), use any method to find a solution x to \(M'x=M'v\), and compute \(r=x-v\). Then Mr is sampled uniformly at random from the space of vectors Mx that are zero outside the specified positions. If the space has positive dimension then each r has at least a 50% chance of discovering this.

  3. As q grows, one has to account for the growing cost of reading, writing, and arithmetic on field elements. For simplicity we focus on asymptotic statements as \(n\rightarrow \infty \) with q fixed.
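The sampling recipe of note 2, worked over \(\mathbf{F}_2\) as an added example (this is illustration code, not code from the paper): \(M'\) is obtained by deleting the allowed rows of a constructed matrix M, a solution of \(M'x = M'v\) is found by Gauss–Jordan elimination (the "any method" of the note), and \(r = x - v\) is then a uniform kernel vector, so repeating the sampler finds a nonzero r with probability at least 1/2 per trial whenever the kernel is nontrivial. The function names and the sample matrix are constructed here.

```python
import random

def solve_gf2(A, b):
    """Some x with A x = b over GF(2), or None if inconsistent (Gauss-Jordan)."""
    m, n = len(A), len(A[0])
    aug = [row[:] + [b[i]] for i, row in enumerate(A)]   # augmented [A | b]
    pivots, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, m) if aug[i][c]), None)
        if p is None:
            continue                                       # no pivot in column c
        aug[r], aug[p] = aug[p], aug[r]
        for i in range(m):
            if i != r and aug[i][c]:
                aug[i] = [x ^ y for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][n] for i in range(r, m)):                # a "0 = 1" row
        return None
    x = [0] * n                                            # free variables := 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x

def mat_vec(M, v):
    """M v over GF(2)."""
    return [sum(a & vi for a, vi in zip(row, v)) & 1 for row in M]

def restrict(M, positions):
    """M': M with the rows at `positions` removed, so M'x = 0 means
    'Mx is zero outside those positions' (the reduction in note 2)."""
    return [row for i, row in enumerate(M) if i not in positions]

def sample_kernel(Mp, rng):
    """One run of the recipe: uniform v, solve M'x = M'v, r = x - v.
    Over GF(2) subtraction is XOR; r is uniform over the kernel of M'."""
    n = len(Mp[0])
    v = [rng.randrange(2) for _ in range(n)]
    x = solve_gf2(Mp, mat_vec(Mp, v))      # solvable: M'v lies in the image
    return [xi ^ vi for xi, vi in zip(x, v)]

def find_kernel_vector(Mp, trials=64, seed=0):
    """Repeat the sampler; each trial yields a nonzero r with probability >= 1/2
    when the kernel has positive dimension. None means every trial gave 0."""
    rng = random.Random(seed)
    for _ in range(trials):
        r = sample_kernel(Mp, rng)
        if any(r):
            return r
    return None
```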


Author information

Correspondence to Daniel J. Bernstein or Bo-Yin Yang.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Bernstein, D.J., Yang, B.-Y. (2018). Asymptotically Faster Quantum Algorithms to Solve Multivariate Quadratic Equations. In: Lange, T., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2018. Lecture Notes in Computer Science, vol 10786. Springer, Cham. https://doi.org/10.1007/978-3-319-79063-3_23


  • DOI: https://doi.org/10.1007/978-3-319-79063-3_23


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-79062-6

  • Online ISBN: 978-3-319-79063-3

  • eBook Packages: Computer Science (R0)
