Solving systems of m Multivariate Quadratic (MQ) equations in n variables is one of the main challenges of algebraic cryptanalysis. Although the associated MQ-problem is proven to be NP-complete, we know that it is solvable in polynomial time over fields of even characteristic if either m ≥ n(n - 1)/2 (overdetermined) or n ≥ m(m + 1) (underdetermined). It is widely believed that m = n has worst case complexity. Actually in the overdetermined case Gröbner Bases algorithms show a gradual decrease in complexity from m = n to m ≥ n(n - 1)/2 as more and more equations are available. For the underdetermined case no similar behavior was known. Up to now the best way to deal with the case m < n 1 to the complexity of solving an MQ-system with only (m - ⌊ω⌋ + 1) equations and variables, respectively. Our algorithm can be seen as an extension of the previously known algorithm from Kipnis-Patarin-Goubin (extended version of Eurocrypt '99) and improves an algorithm of Courtois et al. which eliminates ⌊log₂ ω⌋ variables. For small ω we also adapt our algorithm to fields of odd characteristic. We apply our result to break current instances of the Unbalanced Oil and Vinegar public key signature scheme that uses n = 3m and hence ω = 3. © 2012 International Association for Cryptologic Research.
CITATION STYLE
Thomae, E., & Wolf, C. (2012). Solving underdetermined systems of multivariate quadratic equations revisited. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7293 LNCS, pp. 156–171). https://doi.org/10.1007/978-3-642-30057-8_10