Solving binary MQ with Grover’s algorithm

Abstract

The problem of solving a system of quadratic equations in multiple variables—known as multivariate-quadratic or MQ problem— is the underlying hard problem of various cryptosystems. For efficiency reasons, a common instantiation is to consider quadratic equations over F2. The current state of the art in solving the MQ problem over F2 for sizes commonly used in cryptosystems is enumeration, which runs in time Θ(2n) for a system of n variables. Grover’s algorithm running on a large quantum computer is expected to reduce the time to Θ(2n/2). As a building block, Grover’s algorithm requires an “oracle”, which is used to evaluate the quadratic equations at a superposition of all possible inputs. In this paper, we describe two different quantum circuits that provide this oracle functionality. As a corollary, we show that even a relatively small quantum computer with as little as 92 logical qubits is sufficient to break MQ instances that have been proposed for 80-bit pre-quantum security.