Abstract
This paper designs and analyzes a quantum algorithm to solve a system of m quadratic equations in n variables over a finite field \({\mathbf {F}}_q\). In the case \(m=n\) and \(q=2\), under standard assumptions, the algorithm takes time \(2^{(t+o(1))n}\) on a mesh-connected computer of area \(2^{(a+o(1))n}\), where \(t\approx 0.45743\) and \(a\approx 0.01467\). The area-time product has asymptotic exponent \(t+a\approx 0.47210\).
For comparison, the area-time product of Grover’s algorithm has asymptotic exponent 0.50000. Parallelizing Grover’s algorithm to reach asymptotic time exponent 0.45743 requires asymptotic area exponent 0.08514, much larger than 0.01467.
Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported by the European Commission under Contract ICT-645622 PQCRYPTO; by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005; and by the U.S. National Science Foundation under grant 1314919. This work also was supported by Taiwan Ministry of Science and Technology (MoST) grant 105-2923-E-001-003-MY3 and an Academia Sinica Investigator Award. “Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies). Permanent ID of this document: c77423932ceeda61ddf009049efc0749daadd023. Date: 2018.01.25.
Notes
1. One can object to the circuit model of computation as being too restrictive: (1) in the algorithms literature it is common to treat random access to an arbitrarily large array as a single operation taking a single unit of “time”; (2) the algorithms literature also allows “branches”. However, (1) for any particular size of array, random access can be implemented as a series of NANDs—which is essentially how physical RAM devices work; (2) branches are equivalent to—and physically implemented as—random access to an array of instructions.
2. Part of the literature suggests, incorrectly, that this requires computing echelon form. In fact, it simply requires solving linear equations. Specifically, finding x such that Mx is zero outside \(n+1\) positions is the same as finding x such that \(M'x=0\), where \(M'\) is M with those positions (rows) removed. To find a uniform random r such that \(M'r=0\), one can take a uniform random v, compute \(M'v\), use any method to find a solution x to \(M'x=M'v\), and compute \(r=x-v\). Then Mr is sampled uniformly at random from the space of vectors Mx that are zero outside the specified positions. If the space has positive dimension, then each r has at least a 50% chance of being nonzero and thereby revealing this.
3. As q grows, one has to account for the growing cost of reading, writing, and arithmetic on field elements. For simplicity we focus on asymptotic statements as \(n\rightarrow \infty \) with q fixed.
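The sampling procedure of note 2, worked through over \({\mathbf {F}}_2\) as an added example (this is not code from the paper): pick a uniform random v, solve \(M'x=M'v\) with any linear solver, and take \(r=x-v\), which over \({\mathbf {F}}_2\) is \(x+v\). The toy matrix M, the set of kept positions, the seed, and the plain Gauss-Jordan solver are all constructed here for illustration; a brute-force enumeration of the kernel is included only so the sampler can be checked against it on a tiny instance.

```python
# Added example (not from the paper): uniform sampling of r with M'r = 0 over GF(2)
# by the method of note 2.  Matrices are lists of 0/1 rows; M' removes from M the
# rows at the positions where Mx is allowed to be nonzero.
import random


def matvec_gf2(M, x):
    """Matrix-vector product over GF(2)."""
    return [sum(a & b for a, b in zip(row, x)) & 1 for row in M]


def solve_gf2(M, b):
    """Return some x with M x = b over GF(2) (free variables set to 0), or None if
    the system is inconsistent.  Plain Gauss-Jordan elimination on the augmented
    matrix; the note stresses that any solver would do, echelon form is not needed."""
    n = len(M[0])
    aug = [row[:] + [bit] for row, bit in zip(M, b)]
    pivot_cols, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, len(aug)) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        for i in range(len(aug)):
            if i != r and aug[i][c]:
                aug[i] = [u ^ w for u, w in zip(aug[i], aug[r])]
        pivot_cols.append(c)
        r += 1
    if any(aug[i][n] for i in range(r, len(aug))):
        return None  # a zero row with nonzero right-hand side: no solution
    x = [0] * n
    for i, c in enumerate(pivot_cols):
        x[c] = aug[i][n]
    return x


def remove_positions(M, positions):
    """M' of the note: M with the rows at the given positions deleted."""
    return [row for i, row in enumerate(M) if i not in positions]


def random_kernel_vector(Mprime, n, rng):
    """Uniform random r with M'r = 0: v uniform, x any solution of M'x = M'v, r = x + v.
    For fixed M'v the solution x is fixed, so r ranges uniformly over the kernel."""
    v = [rng.randrange(2) for _ in range(n)]
    x = solve_gf2(Mprime, matvec_gf2(Mprime, v))  # consistent by construction
    return [a ^ b for a, b in zip(x, v)]


def zero_outside(vec, positions):
    """True if vec is zero at every index not in `positions`."""
    return all(bit == 0 for i, bit in enumerate(vec) if i not in positions)


def kernel_by_brute_force(Mprime, n):
    """Reference only (tiny n): enumerate all 2^n vectors and keep those in the kernel."""
    ker = set()
    for bits in range(1 << n):
        x = [(bits >> j) & 1 for j in range(n)]
        if not any(matvec_gf2(Mprime, x)):
            ker.add(tuple(x))
    return ker


def sample_many(M, positions, n, samples, seed=1):
    """Draw `samples` vectors r; return (set of distinct r seen, whether every Mr
    was zero outside `positions`)."""
    Mprime = remove_positions(M, positions)
    rng = random.Random(seed)
    seen, ok = set(), True
    for _ in range(samples):
        r = random_kernel_vector(Mprime, n, rng)
        ok = ok and zero_outside(matvec_gf2(M, r), positions)
        seen.add(tuple(r))
    return seen, ok


# Constructed toy instance: 5 equations in 5 variables; Mx may be nonzero at
# positions 0 and 1, so M' consists of rows 2, 3 and 4 and has a 2-dimensional kernel.
M = [[1, 1, 1, 0, 0],
     [0, 0, 0, 1, 1],
     [1, 0, 0, 1, 1],
     [0, 1, 0, 1, 0],
     [0, 0, 1, 0, 1]]
POSITIONS = {0, 1}
N = 5

if __name__ == "__main__":
    seen, ok = sample_many(M, POSITIONS, N, 200)
    print("all samples valid:", ok)
    print("distinct r seen:", sorted(seen))
    print("kernel by brute force:", sorted(kernel_by_brute_force(remove_positions(M, POSITIONS), N)))
```

On this instance the kernel of \(M'\) has four elements, so a single draw is nonzero with probability 3/4, above the 50% lower bound the note gives for any positive-dimensional kernel; with a one-dimensional kernel the bound is tight.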
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Bernstein, D.J., Yang, BY. (2018). Asymptotically Faster Quantum Algorithms to Solve Multivariate Quadratic Equations. In: Lange, T., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2018. Lecture Notes in Computer Science(), vol 10786. Springer, Cham. https://doi.org/10.1007/978-3-319-79063-3_23
DOI: https://doi.org/10.1007/978-3-319-79063-3_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-79062-6
Online ISBN: 978-3-319-79063-3