Algorithms to solve massively under-defined systems of multivariate quadratic equations

Transcription

1 Agorithms to sove massivey under-defined systems of mutivariate quadratic equations Yasufumi Hashimoto Abstract It is we known that the probem to sove a set of randomy chosen mutivariate quadratic equations over a finite fied is P-hard. However, when the number of variabes is much arger than the number of equations, it is not necessariy difficut to sove equations. In fact, when n m(m+1) (n, m are the numbers of variabes and equations respectivey) and the fied is of even characteristic, there is an agorithm to sove equations in poynomia time (see [Kipnis et a, Eurocrypt 99] and aso [Courtois et a, PKC 02]). In the present paper, we give two agorithms to sove quadratic equations; one is for the case of n (about) m 2 2m 3/2 + 2m and the other is for the case of n m(m + 1)/ The first agorithm soves equations over any finite fied in poynomia time. The second agorithm requires exponentia time operations. However, the number of required variabes is much smaer than that in the first one, and the compexity is much ess than the exhaustive search. 1 Introduction It is we known that the probem to sove a set of randomy chosen mutivariate quadratic equations over a finite fied is P-hard. Then the cryptosystems based on mutivariate quadratic equations (Matsumoto-Imai, HEF, UOV, STS, TTM and so on, see e.g. [5], [7] and their references) have been expected to be secure against the quantum attacks. However, not a quadratic equations are difficut to be soved whie the probem itsef is P-hard. In fact, some of such cryptosystems were aready broken and some others of them are weaker than expected when they were proposed. Thus it is important to study which quadratic equations are soved easiy and how to characterize its difficuty for the practica use of quadratic equations in cryptoogy. For this topic, there has been severa works in the view of the reation between the numbers of variabes and equations. In fact, Courtois et a. ([2] and [3]) have studied how to sove the equations when m is much arger than n (where m, n are the numbers Partiay supported by JSPS Grant-in-Aid for Young Scientists (B) no Keywords. under-defined mutivariate quadratic equations 1

2 2 Y. Hashimoto of equations and variabes respectivey). On the other hand, Kipnis et a. [6] studied the case when n is much arger than m. In fact, they found an agorithm to sove quadratic equations when n m(m + 1) and the characteristic of the fied is even. ote that the characteristic is odd, their agorithm requires the compexity O(2 m (poynomia)). Athough Courtois et a. [1] modified it more effectivey for odd characteristic cases, its modification requires much more variabes. In the present paper, we give two agorithms to sove quadratic equation when n is sufficienty arger than m. The first agorithm soves equations over any finite fied in poynomia time when n (about) m 2 2m 3/2 + 2m. The number of variabes required in this agorithm is ess than that in [6], and this works in poynomia time both for even and odd characteristic fieds. The second agorithm soves equations for n m(m + 1)/ The compexity of the second agorithm is roughy estimated by O(2 m ) or O(3 m ). Whie it is in exponentia time, it is much better than the exhaustive search, especiay for arge order fieds, and furthermore the number of required variabes is much ess than that in the first agorithm. 2 Preparations 2.1 otations Throughout this paper, we use the foowing notations. q: a power of prime. k: a finite fied of order q. n, m 1: integers. x = (x 1,, x n ) t k n. x = (x 0, x 1,, x n ) t k n+1. f (x) k (1 m): a quadratic form of x. f ( x) k (1 m): the homogeneous quadratic form of x such that f (1, x 1,, x n ) = f (x 1,, x n ). e i := (0,, 0, 1, 0,, 0) k }{{} n (1 i n). i 1 ẽ i := (0,, 0, 1, 0,, 0) k n+1 (0 i n). } {{ } i a i = (a 1i,, a ni ) t k n (1 i n): a vector with a ii 0. ã i = (ã 0i,, ã ni ) t k n+1 (0 i n): a vector with ã ii 0. U i := (e 1,, e i 1, a i, e i+1,, e n ): an invertibe inear map such that x i a 1i x a ni x n and x j x j for j i. Ũ i := (ẽ 0,, ẽ i 1, ã i, ẽ i+1,, ẽ n ): an invertibe inear map such that x i ã 0i x 0 +ã 1i x ã ni x n and x j x j for j i. Ω(n): the compexity of the Gaussian eimination to sove n inear equations.

3 Agorithms to sove under-defined quadratic equations Eementary facts For convenience, we prepare the foowing eementary facts in the undergraduate inear agebra. Fact 1. Let g(x) := 1 i,j n g ijx i x j be a homogeneous quadratic form of x = (x 1,, x n ) t over k (g ij k) and G = (G ij ) 1 i,j n an n n matrix over k (G ij k) with g ii = G ii and g ij = G ij + G ji for i j. Then g(x) = x t Gx. Fact 2. Let G, U be n n matrices and u 1,, u n k n the coumn vectors in U, namey U = (u 1,, u n ). Then the ij-entry of U t GU is u t igu j. Fact 1 and 2 yied the foowing fact. Fact 3. Let g(x), G be as in Fact 1 and U i as in Section 2.1. Denote by g(u x) = 1 i,j x g() ij x ix j. Then we have g () = a t Ga = g(u ), g () i = e t iga + a t Ge i (i ) and = g ij (i, j ). g () ij 3 Kipnis-Patarin-Goubin s agorithm for n m(m + 1) In this section, we give an agorithm proposed by Kipnis-Patarin-Goubin [6] to sove m quadratic equations with n variabes for n > m(m + 1). Step 1. Find U 2 such that the coefficients of x 1 x 2 in f 1 (U 2 x),, f m (U 2 x) are zero. According to Fact 3, we see that this requires to sove m homogeneous inear equations with n variabes. Step 2. Put f (2) (x) := f (U 2 x). Find U 3 such that the coefficients of x 1 x 3, x 2 x 3 in f (2) 1 (U 3 x),, f m (2) (U 3 x) are zero. Simiary, this requires to sove 2m homogeneous inear equations with n variabes. Step 3. Put f (3) (x) := f (2) (U 3 x). Find U 4 such that the coefficients of x 1 x 4, x 2 x 4, x 3 x 4 in f (3) 1 (U 4 x),, f m (3) (U 4 x) are zero. This requires to sove 3m homogeneous inear equations with n variabes. Continue simiar computations. Step m 1. f (m 1) (x) := f (m 2) (U m 1 x). Find U m such that the coefficients of x 1 x m, x 2 x m,, x m 1 x m in f (m) 1 (U m x),, f m (m) (U m x) are zero. This requires to sove m(m 1) homogeneous inear equations with n variabes. ote that, unti Step m 1, we have to sove at most m(m 1) homogeneous inear equations of n variabes. Then we need n > m(m 1) at this time. Step m. Put g (x) := f (U 2 U 3 U m x). The coefficients of x i x j (1 i < j m) in g (x) are zero. Substitute vaues into x m+1,, x n such that g 1 (x), g 2 (x),, g m (x) are inear combinations of x 2 1,, x 2 m and constants, without the monomias x 1,, x m. To find such x m+1,, x n, we have to sove m 2 inear equations of n m variabes. Then we need n m > m 2, namey n m(m + 1). Step m + 1. Since g (x) s are inear combinations of x 2 1,, x 2 m and constants, reduce the probem soving g (x) = 0 for 1 m to the probem soving x 2 1 = (const),, x 2 m = (const) by inear operations.

4 4 Y. Hashimoto After finding the square roots of them, we can find a soution of given equations. When q is even, this agorithm wi give a soution in poynomia time since any eement of k has a square root. On the other hand when q is odd, this wi require 2 m (poynomia) operations in average because amost haf eements of k do not have square roots. ote that Courtois et a. modified this agorithm for odd characteristic k. The compexity of the modified version is about 2 40 times(poynomia), however the number of required variabes is n 2 m/7 (m + 1). See [1] for the detai of its modification. 4 Soving quadratic equations for n (about) m 2 2m 3/2 + 2m In this section, we propose an agorithm to sove equations for n (about) m 2 2m 3/2 +2m. For the agorithm, we first prepare the foowing eementary fact. Fact 4. Let U = (u ij ) 0 i,j n be an invertibe matrix over k. If U satisfies that u 00 0 and the coefficient of x 2 0 of f (U x) are zero for 1 n, then (u 1 00 u 10,, u 1 00 u n0 ) is a soution of f 1 (x) = 0,, f m (x) = 0. This foows immediatey from Fact 1 and 2. Then, instead soving the equation, we wi give an agorithm to find such U in this section. Before it, we prepare the foowing two agorithms. Agorithm A. Aim. Let g(x) be a quadratic form x = (x 1,, x n ) t k n. Find an invertibe inear transformu : k n k n such that the coefficients of x i x j (i + j n) in g(ux) are zero. Step 1. Find U 1 such that the coefficients of x 2 1 is zero. Due to Fact 3, we see that this requires to sove a quadratic homogeneous equation of (a 11,, a n1 ). Step 2. Put g (1) (x) := g(u 1 x). Find U 2 such that the coefficients of x 1 x 2, x 2 2 in g (1) (U 2 x) are zero. Simiary, this requires to sove a homogeneous inear equation of (a 22,, a n2 ) and a homogeneous quadratic equation of (a 12,, a n2 ). Step 3. Put g (3) (x) := g (2) (U 2 x). Find U 3 such that the coefficients of x 1 x 3, x 2 x 3, x 2 3 in g (2) (U 3 x) are zero. Simiary, this requires to sove two homogeneous inear equation of (a 33,, a n3 ) and a homogeneous quadratic equation of (a 13,, a n3 ). Continue such operations unti the coefficient o x i x j for 1 i, j m/2 are reduced to be zero. ote that, to do so, we need to sove at most m/2 homogeneous inear equations of m + 1 m/2 variabes and a homogeneous quadratic equation. Then we see that the compexity of this agorithm unti Step m/2 is ess than m/2 Ω( m/2 ). Put V : k n k n be the inear transform such that the coefficients of x i x j (i, j m/2 ) in g(v x) are zero, and denote by g ( m/2 ) (x) := g(v x). Step m/2 +1. Find U m/2 +1 such that the coefficients of x 1 x m/2 +1,, x m/2 1 x m/2 +1 in g ( m/2 ) (U m/2 +1 x) are zero. This requires to sove m/2 1 homogeneous inear equations of (a m/2 +1, m/2 +1,, a m, m/2 +1 ). Step m/ Put g ( m/2 +1) (x) := g ( m/2 ) (x)(u m/2 +1 x). Find U m/2 +2 such that the coefficients of x 1 x m/2 +2,, x m/2 2 x m/2 +2 in g ( m/2 +1) (U m/2 +2 x) are zero. This re-

5 Agorithms to sove under-defined quadratic equations 5 quires to sove m/2 2 homogeneous inear equations of (a m/2 +2, m/2 +2,, a m, m/2 +2 ). Continuing simiar operations, we can find a inear transform U as in Aim. After Step m/2 + 1, we need to sove at most m/2 1 inear equations. Then the compexity after Step m/2 + 1 is ess than m/2 Ω( m/2 ). Therefore the tota compexity of this agorithm is ess than mω( m/2 ). Agorithm B. Aim. Let n, L, M 1 be integers with L n/2, n L, n L 2 L, L 1 M L 1, L 2 L + 1 n L 2, L, n L 2 + 1, and g 1 (x),, g M (x) quadratic forms of x = (x 1,, x n ) t. Find an invertibe inear transform U : k n k n such that the coefficients of x i x j (1 i, j L) in g 1 (x),, g M (x) are zero. Step1. Find an invertibe inear transform V 1 : k n k n such that the coefficients of x i x j (1 i, j L) in g 1 (V 1 x) are zero. This can be done by Agorithm A. Put g (1) := g (V 1 x). In Step2, we want to find V 2 such that the coefficients of x i x j (1 i, j L) in g (1) 1 (V 2 x) and g (1) 2 (V 2 x) are zero, we want to find V 3 in Step 3 such that the coefficients of x i x j (1 i, j L) in g (2) 1 (V 3 x), g (2) 2 (V 3 x), g (2) 3 (V 3 x) are zero and so on. To consider recursivey, we assume that we can find V such that the coefficients of x i x j (1 i, j L) in g 1 (V x),, g 1 (V x) are zero unti Step 1. We wi describe how to find an invertibe V such that the coefficients of x i x j (1 i, j L) in g ( 1) 1 (V x),, g ( 1) (V x) are zero in Step. Step. Substep 1. Using Agorithm A, find an invertibe inear map W 1 : k L k L such ( that the ) coefficients of x i x j (1 i, j L, i + j L) in g ( 1) ( W 1 x) are zero, where W 1 := W1. ote that the coefficients of x I i x j (1 i, j L) in g ( 1) 1 ( W 1 x),, g ( 1) 1 ( W 1 x) are zero. and the compexity is ess than LΩ( L/2 ). Put h ( 1) (x) := g ( 1) ( W 1 x). ext, find U L such that the coefficients of x i x j (1 i, j L) in h ( 1,1) and of x 1 x L in h ( 1,1) (U L x) for 1 1 (U L x) are zero. Due to Fact 3, we see that this requires to sove (a) (L 1)( 1) homogeneous inear equations of (a L+1,L,, a n,l ), (b) 1 homogeneous inear equation of (a L,L,, a n,l ), (c) 1 homogeneous quadratic equations of (a 1,L,, a n,l ) in the forms L a i,l ( inear form of (a L+1,L,, a n,l ) ) + ( ) quadratic form of (a L+1,L,, a n,l = 0. i=1 In order to sove the equations (a),(b) and (c), first sove (a) and find a L+1,L,, a n,l. Then a L,L is automaticay determined by (b). Substituting such vaues to (c), the quadratic

6 6 Y. Hashimoto equations (c) become 1 inear equation of (a 1,L,, a L 1,L ). Thus we can caim that when n L > (L 1)( 1) and L, this substep works with the compexity ess than LΩ( L/2 ) + Ω((L 1)( 1)) + Ω(L 1). Put g ( 1,1) (x) := h ( 1) (U L x). Substep 2. Using Agorithm A, find an invertibe inear map W 2 : k L 1 k L 1 such that the coefficients of x i x j (1 i, j L, i + j L + 1) in g ( 1,1) ( W 2 x) are zero, where 1 W 2 = W 2. This requires the compexity ess than (L 1)Ω( (L 1)/2 ). Put I h ( 1,1) (x) := g ( 1,1) ( W 2 x). ext, find U L such that the coefficients of x i x j (1 i, j L) in g ( 1,2) (U L x) for 1 1 and of x 1 x L, x 2 x L in g ( 1,2) (U L x) are zero. Finding such U L requires to sove (a) (L 1)( 1)+1 homogeneous inear equations of (a L+1,L,, a n,l ), (b) 1 homogeneous inear equation of (a L,L,, a n,l ), (c) 1 homogeneous quadratic equations of (a 1,L,, a n,l ) in the forms L a i,l ( inear form of (a L+1,L,, a n,l ) ) + ( ) quadratic form of (a L+1,L,, a n,l = 0. i=1 Simiar to the previous substep, one can sove (a), (b) and (c) when n L > (L 1)( 1)+1 and L and the compexity in this substep is ess than (L 1)Ω( (L 1)/2 ) + Ω((L 1)( 1) + 1) + Ω(L 1). Put g ( 1,2) (x) := h ( 1,1) (U L x). Simiary in Substep 3, one reduces the coefficients of x i x j with i+j = n+2, i, j L and the coefficient of x 3 x L in g ( 1,2) (x) to be zero. Continue such operations and suppose that we can find a inear transform V unti Substep L 1 such that the coefficients of x i x j (i, j L) in g ( 1) 1 (V x),, g ( 1) 1 (V x) and the coefficients of x ix j (i, j L) except x 2 L in g( 1) (V x) are zero Put g ( 1,L 1) (x) := g ( 1) (V x). Substep L. Find U L such that the coefficients of x i x j (i, j L) in g ( 1,L 1) 1 (U L x),, g ( 1,L 1) (U L x) are zero. According to Fact 3, we see that this requires to sove (a) (L 1) homogeneous inear equations of (a L+1,L,, a n,l ), (b) 1 homogeneous quadratic equations of (a 1,L,, a n,l ) in the forms L a i,l ( inear form of (a L+1,L,, a n,l ) ) + ( ) quadratic form of (a L+1,L,, a n,l = 0, i=1 (c) a homogeneous quadratic equation of (a 1,L,, a n,l ) in the form x 2 L + L a i,l ( inear form of (a L+1,L,, a n,l ) ) i=1 + ( quadratic form of (a L+1,L,, a n,l ) ) = 0, When n L > (L 1), we can find a non-trivia soution of (a). Putting it into (b), we can reduce the quadratic equations (b) to inear equations. If L, express a 1,L,, a L 1,L by inear combinations of a L,L and constants. Substitute them into (c)

7 Agorithms to sove under-defined quadratic equations 7 and sove the quadratic equation of a L,L. If it does not have soutions, change the choice of (a L+1,L,, a n,l ) or go back to the previous substep and try again unti the non-trivia a L,L is found. Then a soution of (a), (b) and (c) wi be found. On the other hand, when n L = (L 1), the soution of (a) is trivia, namey a L+1,L = = a n,l = 0. This means that (b) and (c) become homogeneous equations of (a 1,L,, a L,L ). Then < L is necessary. Thus, in this step, we need the condition that < (n L)/(L 1), L or = (n L)/(L 1), < L, namey n L, n L 2 L, L 1 L 1, L 2 L + 1 n L 2, L, n L ote that the compexity in this substep is Ω((L 1))+Ω( 1), and the tota compexity in Step is ess than L(LΩ( L/2 )+Ω((L 1))+Ω( 1)). Summing this from = 1 to M, we see that the compexity of Agorithm B is ess than ML (LΩ( L/2 ) + Ω((L 1)M) + Ω(M 1)) <n (LΩ( L/2 ) + Ω(n M) + Ω(M 1)) O (nω(n)). Since Ω(n) n 3, we can caim that this agorithm works in poynomia time. Based on Agorithm B, we give an agorithm to sove quadratic equations for n (about) m 2 2m 3/2 + 2m Agorithm 1. Aim. Find a soution x k n of the equations f 1 (x) = 0,, f m (x) = 0. Step 1. Put L 0 := n + 1 and choose M 1 < L 0. Put L 1 := min ( L0 2, n + M1 M Using Agorithm B, find an invertibe inear map V 1 : k L 0 k L 0 such that the coefficients of x i x j (0 i, j L 1 1) in f 1 (V 1 x),, f (1) M1 (V 1 x) are zero. Put f ( x) := f (V 1 x). Step 2. Choose M 2 < L 1. Put ( ) L1 n + M2 L 2 := min,. 2 M Using Agorithm B, find an invertibe inear map V 2 : k L 1 k L 1 such that the coefficients ( ) (1) of x i x j (0 i, j L 2 1) in f M 1 +1 (Ṽ2 x),, f V2 M1 +M 2 (Ṽ2 x) are zero, where Ṽ2 :=. (2) (1) Put f ( x) := f (Ṽ2 x). Continuing such operations unti L t = 1, we can get an invertibe inear map U = (u ij ) 0 i,j n such that the coefficients of x 2 0 in f (U x) for 1 M 1 +M 2 + +M t are zero. From Fact 4, we see that this agorithm soves the equations when m M M t ). I

8 8 Y. Hashimoto n 1/2 + n 1/4 +, namey n about m 2 2m 3/2 + 2m. The compexity of this agorithm is ess than O(n 4 ) + O(n 2 ) + O(n) + O(n 4 ). Then Agorithm 1 works in poynomia time. The foowing is the tabe of the number of variabes required to sove m equations. m n Soving quadratic equations for n m(m + 1)/2 + 1 In this section, we propose an agorithm to sove equations for n m(m + 1)/ The agorithm is as foows. Agorithm 2. Aim. Find a soution x k n of the equations f 1 (x) = 0,, f m (x) = 0. Step 1. Find Ũ0 such that the coefficient of x 2 0 in f 1 (Ũ0 x) is zero. This requires to sove a homogeneous quadratic equation of n + 1 variabes. Then this can be done when n 2. (1) Put f (x) := f (Ũ0 x). Step 2. Find Ũ1 such that the coefficients of x 0 x 1 and x 2 (1) 1 in f 1 (Ũ1 x) and the coefficient (1) of x 0 x 1 in f 2 (Ũ1 x) are zero. This requires to sove two homogeneous inear equations and a homogeneous quadratic equation of n + 1 variabes. Then we need n = 4. Put f (1,1) (1) (1,1) ( x) := f (Ũ1 x). If there is a soution z 2 k of f 2 (1, z 2, 0,, 0) = 0, denote by 1 0 V 2 := z 2 1 (2) (1,1) and put f ( x) := f (V 2 x). If there are no such z 2, take another Ũ1 I and repeat unti such z 2 k appears. It is easy to see that the coefficients of x 2 0, x 0 x 1, x 2 1 (2) in f 1 ( x) and x 2 (2) 0 in f 2 ( x) are zero. ote that Step 1 and 2 soves 2 equations of at east 4 variabes. Step 3. Find Ũ1 such that the coefficients of x 0 x 1 and x 2 (2) (2) 1 in f 1 (Ũ1 x), f 2 (Ũ1 x) and (2) the coefficient of x 0 x 1 in f 3 (Ũ1 x) are zero. This requires to sove 3 homogeneous inear equations and 2 homogeneous quadratic equations of n + 1 variabes. When n 3 + 4, (2,1) (2) this can be done by Step 1 and 2. Put f ( x) := f (Ũ1 x). If there is a soution z 3 k 1 0 (2,1) of f 3 (1, z 3, 0,, 0) = 0, denote by V 3 := z 3 1 (3) (2,1) and put f ( x) := f (V 3 x). If I there are no such z 3, take another Ũ1 and repeat unti such z 3 k appears. It is easy to see that the coefficients of x 2 0, x 0 x 1, x 2 (3) (3) 1 in f 1 ( x), f 2 ( x) and x 2 (3) 0 in f 3 ( x) are zero. ote that Step 1 to 3 soves 3 equations of at east 7 variabes. To consider recursivey, suppose that, unti Step 1, we can find an invertibe inear map U : k n+1 k n+1 such that the coefficients of x 2 0, x 0 x 1, x 2 1 in f 1 (U x),, f 2 (U x) and of x 2 0 in f 1 (U x) are zero when n ( 1)/ This aso means that Step 1 to 1 soves 1 quadratic equations of at east n ( 1)/2 + 1 variabes. Put ( x) := f (U x). f ( 1)

9 Agorithms to sove under-defined quadratic equations 9 Step. Find Ũ1 such that the coefficients of x 0 x 1 and x 2 ( 1) ( 1) 1 in f 1 (Ũ1 x),, f 1 (Ũ1 x) ( 1) and the coefficient of x 0 x 1 in f (Ũ1 x) are zero. This requires to sove homogeneous inear equations and 1 homogeneous quadratic equations of n + 1 variabes. If n ( 1,1) ( 1) ( + 1)/2 + 1, this can be done by Step 1 to 1. Put f ( x) := f (Ũ1 x). If 1 0 ( 1,1) there is a soution z k of f (1, z, 0,, 0) = 0, denote by V := z 1 I f () f ( 1,1) and put ( x) := (V x). If there are no such z, take another Ũ1 and repeat unti such z k appears. It is easy to see that the coefficients of x 2 0, x 0 x 1, x 2 () 1 in f ( x) for 1 1 and x 2 () 0 in f ( x) are zero. ote that Step 1 to soves equations of at east ( + 1)/2 + 1 variabes. Thus we can caim that Agorithm 2 soves quadratic equations when n m(m+1)/2+ 1. We now estimate the compexity of this agorithm. Let c be the compexity in the -th step. For simpicity, assume that one computes Ũ1 once if q is even and twice if q is odd in a steps, because the probabiity that univariate quadratic equation has a soution is amost 1 if q is even and 1/2 if q is odd. Since the -th step requires to sove 1 inear equations and 1 quadratic equations, we have c = { c 1 + c c 1 + (poyn), (2 q), 2(c 1 + c c 1 ) + (poyn), (2 q). Then c = O(2 ) when q is even and c = O(3 ) when q is odd. Since the compexity of this agorithm is c c m, we can roughy estimate the compexity by O(2 m ) when q is even and O(3 m ) when q is odd. 6 Soving equations over sma fieds In Section 4 and 5, we propose agorithms to sove equations for genera finite fieds. When q is not very bigger than n and m, one can sove equations effectivey by combining Agorithm B and the exhaustive search if n is smaer than as described in the tabe at the end of Section 4. As exampes, we describe how to sove quadratic equations with (q, m, n) = (16, 64, 16) and (16, 48, 16), which are used for UOV suggested in [6]. For our convenience to estimate the compexities roughy, suppose that the compexity of Agorithm B is n(n M) 3 /3 since Ω(n) n 3 /3 for the cassica Gaussian eimination. 6.1 Soving equations of (q, m, n) = (16, 64, 16). Step 1. Use Agorithm B to find V 1 : k 65 k 65 such that the coefficients of x i x j (0 i, j 7) in f 1 (V 1 x),, f 8 (V 1 x) are zero. The compexity in this step is /3. Put x (1) := (x 0,, x 7 ) t and f (1) (x (1) ) := f ( V1 (x 0,, x 7, 0,, 0) t). By the choice of V 1, we see that f (1) 1 (x (1) ) = = f (1) 8 (x (1) ) = 0 for any x (1).

10 10 Y. Hashimoto Step 2. Use Agorithm B to find V 2 : k 8 k 8 such that the coefficients of x i x j (0 i, j 2) in f (1) 9 (V 2 x (1) ), f (1) 10 (V 2 x (1) ) are zero. The compexity in this step is /3. Put ( V2 (x 0, x 1, x 2, 0,, 0) t). By the choice of V 2, we x (2) := (x 0, x 1, x 2 ) t and f (2) (x (2) ) := f (1) see that f (2) 9 (x (2) ) = f (2) 10 (x (2) ) = 0 for any x (2). Step 3. Find x (2) = (1, x 1, x 2 ) t such that f (2) 11 (x (2) ) = 0. This can be done by the agorithm to find a square root. After that check whether f (2) 12 (x (2) ) = 0 for the same x (2). If so, go to the next step, and if not, change x (2) unti f (2) 12 (x (2) ) = 0. Since the probabiity that f (2) 12 (x (2) ) = 0 for randomy chosen x (2) is about q 1, the compexity in this step is roughy og q q = 2 5. Step 4. Check whether f (2) 13 (x (2) ) = f (2) 14 (x (2) ) = f (2) 15 (x (2) ) = 0. If so, go to the next step, and if not, go back to Step 2. Since the probabiity that f (2) 13 (x (2) ) = f (2) 14 (x (2) ) = f (2) 15 (x (2) ) = 0 is q 3, one may repeat it q 3 = 2 12 times on average. Step 5. Check whether f (2) 16 (x (2) ) = 0. If so, go to the next step, and if not, go back to Step 1. Since the probabiity that f (2) 16 (x (2) ) = 0 is q 1, one may repeat it q = 2 4 times on average. We finay note that the compexity of this approach is about 2 4 ( / ( / )) Soving equations of (q, m, n) = (16, 48, 16). Step 1. Use Agorithm B to find V 1 : k 49 k 49 such that the coefficients of x i x j (0 i, j 6) in f 1 (V 1 x),, f 6 (V 1 x) are zero. The compexity in this step is /3. Put x (1) := (x 0,, x 6 ) t and f (1) (x (1) ) := f ( V1 (x 0,, x 6, 0,, 0) t). By the choice of V 1, we see that f (1) 1 (x (1) ) = = f (1) 6 (x (1) ) = 0 for any x (1). Step 2. Use Agorithm B to find V 2 : k 7 k 7 such that the coefficients of x i x j (0 i, j 2) in f (1) 7 (V 2 x (1) ), f (1) 8 (V 2 x (1) ) are zero. The compexity in this step is /3. Put x (2) := (x 0, x 1, x 2 ) t and f (2) (x (2) ) := f (1) see that f (2) 7 (x (2) ) = f (2) 8 (x (2) ) = 0 for any x (2). Step 3. Find x (2) = (1, x 1, x 2 ) t such that f (2) ( V2 (x 0, x 1, x 2, 0,, 0) t). By the choice of V 2, we 9 (x (2) ) = 0. This can be done by the agorithm to find a square root. After that chichi whether f (2) 10 (x (2) ) = 0 for the same x (2). If so, go to the next step, and if not, change x (2) unti f (2) 10 (x (2) ) = 0. Since the probabiity that f (2) 10 (x (2) ) = 0 for randomy chosen x (2) is about q 1, the compexity in this step is roughy og q q = 2 5. Step 4. Check whether f (2) 11 (x (2) ) = f (2) 12 (x (2) ) = 0. If so, go to the next step, and if not, go back to Step 2. Since the probabiity that f (2) 11 (x (2) ) = f (2) 12 (x (2) ) = 0 is q 2, one may repeat it q 2 = 2 8 times on average. Step 5. Check whether f (2) 13 (x (2) ) = = f (2) 16 (x (2) ) = 0. If so, go to the next step, and if not, go back to Step 1. Since the probabiity that f (2) 13 (x (2) ) = = f (2) 16 (x (2) ) = 0 is q 4, one may repeat it q = 2 16 times on average.

11 Agorithms to sove under-defined quadratic equations 11 We finay note that the compexity of this approach is about 2 16 ( / ( / )) We note that the compexity to sove the equations with (q, m, n) = (16, 64, 16) and (16, 48, 16) have been studied in [1] and [4] to anayze the security of UOV with such parameters. The foowing tabe summarizes the compexities of the attacks by [1], [4] and our approach. 7 Concusion (q, n, m) (16, 48, 16) (16, 64, 16) exhaustive Courtois et a. [1] Faugére-Perret [4] Our attack In the present paper, we propose two agorithms to sove quadratic equations when n is much arger than m. Though we reduce the required n compared to the works in [6] and [1], it is sti too arge to attack against most cryptosystems based on mutivariate quadratic equations. Then it is important to improve our agorithms and to study theoreticay the ower bound of n such that m equations can be soved in poynomia (or effective) time. References [1]. Courtois, L. Goubin, W. Meier and J. Tacier, Soving underdefined systems of mutivariate quadratic equations, PKC 02, LCS 2274, pp [2]. Courtois, A. Kimov, J. Patarin and A. Shamir, Efficient agorithms for soving overdefined systems of mutivariate poynomia equations, Eurocrypt 00, LCS 1807, pp [3]. Courtois and J. Pieprzyk, Cryptanaysis of Bock Ciphers with Overdefined Systems of Equations, Asiacrypt 02, LCS 2501, pp [4] J. Faugére and L. Perret, On the security of UOV, Proceedings of SCC 08, pp [5] J. Ding, J. Gower and D. Schmidt, Mutivariate pubic key cryptosystems, Advances in Information Security, Springer, [6] A. Kipnis, J. Patarin and L. Goubin, Unbaanced Oi and Vinegar Signature Schemes, Eurocrypt 99, LCS 1592 (1999), pp , extended in citeseer/ htm,

12 12 Y. Hashimoto [7] S. Tsujii, T. Kaneko, K. Tadaki and M. Gotaishi, Design Poicy of MPKC based on Piece in Hand Concept (in Japanese), IEICE Technica Report 108 (2008), pp HASHIMOTO, Yasufumi Institute of Systems, Information Technoogies and anotechnoogies, 7F , Momochihama, Fukuoka , JAPA