The goal of this paper is to study the complexity of solving systems of Boolean multivariate quadratic equations (MQ) in the quantum setting. This classical NP-hard problem  is stated as follows:
Find, if any, a vector such that:
MQ is a fundamental problem with many applications in cryptography, coding theory and beyond. Typically, the security of multivariate schemes is directly related to the hardness of MQ, e.g. [20, 27, 9, 5, 16, 17]. MQ is then central to evaluating the security of such multivariate cryptosystems. Besides multivariate cryptography, the security of a wide variety of cryptosystems is related to MQ, via algebraic cryptanalysis . This includes post-quantum cryptosystems  such as code-based cryptography [19, 18], lattice-based cryptography [2, 1],
Post-quantum cryptography is currently evolving rapidly: it is quickly moving from a purely academic theme to a topic of major industrial interest. This is mainly driven by the fact that post-quantum cryptography has recently received much attention from the standardization and policy sectors. The triggering event appears to be the announcement in August by the National Security Agency (NSA) of preliminary plans to transition the existing systems to quantum resistant algorithms (https://www.nsa.gov/ia/programs/suiteb_cryptography/):
“Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA’s Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS). Below, we announce preliminary plans for transitioning to quantum resistant algorithms.”
This was quickly followed by an announcement by NIST detailing the transition process . NIST then released in January a call to select standards for post-quantum public-key cryptosystems: public-key exchange, signature and public-key encryption . The threat of a large-scale quantum computer appearing in the medium term was considered serious enough by NIST to organize a renewal of the public-key cryptosystems deployed in practice.
A key issue for the wide adoption of quantum-safe standards in the future is our confidence in their security. There is, therefore, a great need to develop quantum cryptanalysis against post-quantum cryptosystems. It is clear that a challenge in the next years will be to precisely evaluate the quantum-bit security of post-quantum cryptosystems submitted to the NIST standardization process.
We study here how quantum techniques can be used to improve the complexity of solving MQ, an important problem in post-quantum cryptography. In , the authors provide a theoretical upper limit on the speed-up that can be obtained in the quantum setting. They demonstrated that, relative to an oracle chosen uniformly at random, a problem in NP cannot be decided by any quantum algorithm in . On the other hand, Grover’s algorithm  is a quantum algorithm that can decide any problem in NP in , including MQ. Thus, Grover’s algorithm is essentially optimal in the setting of . We emphasize that this does not rule out a greater than quadratic speed-up in the quantum setting; however, achieving one requires exploiting the structure of the problem.
In this paper, we present an algorithm that beats the bound for solving MQ. To do so, we combine Grover’s technique with a Gröbner basis-based algorithm.
1.1 State of the Art
1.1.1 Classical Setting.
The question of solving MQ has been investigated with various algorithmic techniques in the literature. We list below those techniques with the best asymptotic complexity.
The first, most obvious, technique for solving PoSSo is exhaustive search. For , the authors of  describe a fast exhaustive search for MQ and provide the exact cost of this approach:
A classical (and challenging) theme for MQ is to design algorithms that are asymptotically faster than exhaustive search, i.e. that beat the barrier.
Recently, the authors of  proposed new techniques which solve MQ faster than direct exhaustive search. The techniques from  allow a system to be approximated by a single, high-degree, multivariate polynomial over variables. The polynomial is constructed so that, with high probability, it vanishes on the same zeroes as the original system. An exhaustive search on it then recovers, with high probability, the zeroes . This leads to an algorithm for solving MQ with complexity
The notation omits polynomial factors.
To date, the best methods for solving MQ are based on Gröbner bases [13, 12]. More precisely, the fastest methods are hybrid techniques which combine exhaustive search and Gröbner basis algorithms [8, 7, 3]. BooleanSolve, an algorithm originally presented in , falls into this category and is the asymptotically fastest approach to solving MQ (Section 2.1). When , the deterministic variant of BooleanSolve has complexity bounded by , while a Las-Vegas variant has expected complexity
We emphasize that all stated complexities for BooleanSolve are obtained under the assumption of a natural algebraic hypothesis on the input system. In contrast, the complexities of [10, 28] do not rely on any such assumption.
1.1.2 Quantum Setting.
Quantum exhaustive search.
In , the authors proposed simple quantum algorithms for solving MQ. The principle is to perform a fast exhaustive search using Grover’s algorithm. The authors derive precise resource estimates for their algorithms, demonstrating that one can solve binary quadratic equations in binary variables using qubits and evaluating quantum gates. The authors also describe a variant using qubits but requiring twice as many quantum gates as the first approach. In essence, this work constructs a quantum oracle to be used with the amplitude amplification performed by Grover’s algorithm. The oracle is fairly simple and takes advantage of the structure of the MQ problem: it evaluates the system of equations on a superposition of all possible Boolean variable assignments. Grover’s algorithm is then used to amplify those inputs which satisfy all the equations.
Quantum hybrid approach.
The main goal of  is to construct a multivariate signature scheme based on random instances of MQ and MQ (for a field bigger than ). However, in order to derive secure parameters, the authors considered a quantum variant of the hybrid approach from [8, 7] using Grover’s algorithm. They used this approach to explicitly compute the quantum-bit security of random instances of MQ for given parameters. However, the authors of  do not provide the asymptotic complexity of their approach. In this paper, we provide such an asymptotic analysis and build our quantum algorithm on top of BooleanSolve. It should be mentioned that BooleanSolve is inspired by, but different from, [8, 7]. So, the quantum algorithm presented here is different from the one sketched in .
1.2 Organization of the Paper and Main Results
Overview of the results.
The main result of this paper is the fastest known quantum algorithm for solving MQ (Section 3.1). More precisely:
Theorem 1.1 (summarized from Section 4)
There is a quantum algorithm that solves MQ and requires:
the evaluation of quantum gates for the deterministic variant,
the evaluation of an expected number of quantum gates for the probabilistic variant.
Overview of the results.
A natural step towards developing a quantum algorithm for the MQ problem which outperforms quantum exhaustive search via Grover’s algorithm  would be the quantization of a classical algorithm for MQ which outperforms classical exhaustive search. A first candidate for such quantization is the approximation algorithm  described above. Using such an algorithm inside Grover’s algorithm requires building a quantum circuit for it. Unfortunately, a basic approach to quantizing the approximation algorithm does not seem to be possible, even for MQ.
Fortunately, we have been able to quantize BooleanSolve using amplitude amplification techniques [25, 11]. Under a natural algebraic assumption the new algorithm beats quantum exhaustive search, i.e. . This is arguably a significant complexity result for a central problem in post-quantum cryptography, and more generally in computer science. The originality of our algorithm is to instantiate Grover’s algorithm with a non-trivial oracle: a quantum circuit that essentially performs a simplified Gröbner basis computation (Section 3.2). We construct the quantum circuit required to implement this simplified Gröbner basis computation.
The complexity analysis is especially important for selecting parameters in multivariate cryptography. It shows that in order to reach a quantum security level of , one has to consider an instance of MQ with at least variables. In the table below, we provide the minimal number of variables (second column) required to reach a given security level (first column). The public key in a multivariate cryptosystem is usually given by a set of Boolean equations; we report in the last column the minimum public-key size required for a given security level.
| quantum sec. level | minimum number of variables | minimum public-key size |
Finally, we mention that in the signature scheme from , the authors proposed to use an instance of MQ with variables to achieve a quantum security level of bits. According to our new result, the quantum security is slightly less, i.e. bits.
After this introduction, the paper is organized as follows. In Section 2, we first review the two main components of our quantum algorithm : BooleanSolve (Section 2.1) and Grover’s algorithm (Section 2.2). We describe the new quantum algorithm, QuantumBooleanSolve, in Section 3.1. We construct the quantum circuit for a simplified Gröbner basis computation, used as Grover’s oracle, in Section 3.2. Finally, we derive in Section 4 the complexity of our algorithm.
In the following we assume familiarity with standard classical and quantum computational notation, such as the standard bra-ket notation for specifying a quantum state. We use the following subsections to overview the classical and quantum algorithms which will be of use in this paper.
2.1 Classical BooleanSolve
As explained in the introduction, BooleanSolve  is the asymptotically fastest algorithm for MQ. From now on, we will refer to this algorithm as ClassicalBooleanSolve, since we will present a quantum version of it, QuantumBooleanSolve, in Section 3.
Essentially, ClassicalBooleanSolve first specializes a subset of the variables and then checks the consistency of the specialized system using Macaulay matrices (Definition 1). If the specialized system is found to be inconsistent, that specialization cannot be extended to a solution of the original algebraic system and is discarded. If the specialized system is not shown to be inconsistent, the algorithm conducts an exhaustive search on the remaining variables and recovers the solutions of the MQ instance.
We cover the more relevant aspects of the theory behind the algorithm in an effort to keep this paper self contained, and refer the reader to additional preliminary and theoretical information which can be found in the original work .
Let , and be the square-free part of , i.e. the reduction of modulo . The Boolean Macaulay matrix of degree for a set of polynomials , denoted by , has the following structure: the rows are the coefficients of the polynomials where , is a square-free monomial, and the columns are the square-free monomials of degree at most in the polynomial ring, in descending order with respect to the Degree Reverse Lexicographic (DRL) ordering.
We recall below some bounds on boolean Macaulay matrices that will be useful in the complexity analysis.
() Let . Denote by (resp. ) the number of rows (resp. columns, number of nonzero entries) of the associated boolean Macaulay matrix . If <, then
ClassicalBooleanSolve  is based on a fundamental property of Macaulay matrices. Let and be the corresponding boolean Macaulay matrix in degree . It holds that if the linear system
has a solution then does not have a solution in . This reduces the problem of deciding the consistency of non-linear equations to the problem of solving a linear system.
We now need to determine which degree of the Macaulay matrix should be considered. This degree is the so-called witness degree defined below:
() Let and be the ideal defined by . We set:
The witness degree for , denoted , is the smallest integer such that
where is the leading monomial of the polynomial with respect to DRL ordering.
Alternatively, the witness degree for can be defined as the degree where any polynomial in a (minimal) Gröbner basis of the system is obtained as a linear combination of the rows of the Macaulay matrix in this degree. Therefore, given , the witness degree provides an upper bound on the degree of required to adequately determine the consistency of .
Under some algebraic assumptions, the witness degree can be computed explicitly from the Hilbert series:
The witness degree, denoted by , is given by the index of the first nonzero coefficient of (1).
Now that we have reviewed all necessary background information, we can present the algorithm from  for solving MQ.
Input: with for all .
Output: All boolean solutions to
There are two variants of ClassicalBooleanSolve: deterministic and Las-Vegas. The only difference lies in the algorithm used in SparseLinearSystemSolver, presented in Section 3.2, which can be deterministic or probabilistic. The computational complexity of ClassicalBooleanSolve is dominated by the consistency checks of the Macaulay matrices in degree . Therefore, a complete complexity analysis essentially amounts to determining the cost of the consistency check in terms of the input parameters. This yields:
This complexity is obtained by evaluating the cost of checking the consistency of Macaulay matrices.
To derive the asymptotic complexity, we need to assume a certain algebraic condition on the systems considered during the algorithm.
Let be quadratic polynomials in and . The system is called -strong semi-regular if both the set of its solutions and the set
have cardinality at most , with and as in Theorem 2.1.
Under this assumption, we can now minimize, in terms of , the complexities of Theorem 2.1. The results are provided for various values of : which is the upper bound, which is the current best theoretical bound , and which requires careful consideration of the linear algebra problem.
Let the notations be as in Theorem 2.1. The function is bounded by:
, when and ,
, when and ,
, when and .
ClassicalBooleanSolve is correct and solves MQ. If , then the deterministic variant has complexity provided the system is -strong semi-regular, and the Las-Vegas probabilistic variant has expected complexity provided the system is -strong semi-regular.
This is essentially the cost of the first step, i.e. testing the Macaulay matrices, since the second step, i.e. exhaustive search, has negligible cost when compared to the consistency check.
2.2 Grover’s Algorithm
Grover’s algorithm , often described as unstructured (database) search, is a quantum algorithm that reduces the cost of exhaustively searching the domain of a function. The problem solved by Grover’s algorithm is as follows: given a function , determine the unique such that .
With only black-box access to , a classical computer cannot do better than exhaustive search: in the worst case must be evaluated on every possible input, resulting in time complexity . Grover’s quantum algorithm can determine with merely evaluations of , the quantum circuit which evaluates the function .
Grover’s algorithm can be extended to perform exhaustive search over a function where with , as well as searching over a function where the preimage of has arbitrary size. Here we present a simple version of the algorithm.
In the quantum oracle model, when presented with a quantum oracle for the evaluation of , the problem is to locate an such that . The algorithm uses two unitary operations. First, an oracle reflection which flips the sign (phase) of the amplitude of the desired .
Second, a diffusion operator which reflects the amplitudes of about their average,
Successive applications of these two operators perform amplitude amplification, taking the state of the computer from a uniform superposition over all inputs to a state that, when measured, returns with high probability. Reaching such a final state requires applying and times.
The algorithm proceeds as follows: begin by using a Hadamard gate, , to prepare the quantum computer in a uniform superposition over all possible inputs, . Following this, apply to the quantum state times. Finally, measure to obtain with high probability. The computational complexity of Grover’s algorithm is where is the complexity of the quantum oracle for .
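The Grover iteration just described (uniform superposition, oracle phase flip, reflection about the mean, repeated about π/4·√N times) can be simulated exactly on a classical state vector for a small instance, with the oracle being exactly the MQ predicate used by the quantum exhaustive search of Section 1.1.2: "all equations vanish at x". The following is an added example, not code from the paper or from the cited works: the quadratic system, the planted zero 0b10110010 and the seed are constructed here, and the number of solutions k is counted classically only to fix the iteration count (the text's remark about preimages of arbitrary size; a real search would use the variable-iteration variant instead).

```python
"""Grover search for the zeroes of a small Boolean MQ system, simulated
exactly on a classical state vector.  Added illustration, not the paper's
code; the system, planted zero and seed are constructed here."""
import math
import random


def evaluate(poly, x):
    """Value at the n-bit point x of a GF(2) polynomial given as a set of
    monomial bitmasks (bit i set <=> x_i divides the monomial; 0 is the constant)."""
    return sum(1 for mono in poly if x & mono == mono) & 1


def random_mq_system(n, m, planted, seed=1):
    """m random quadratic polynomials over GF(2) in n variables, each with its
    constant term chosen so that the point `planted` is a common zero."""
    rng = random.Random(seed)            # fixed seed: the demo is deterministic
    system = []
    for _ in range(m):
        poly = set()
        for i in range(n):
            for j in range(i, n):        # j == i gives the linear term x_i (x_i^2 = x_i)
                if rng.getrandbits(1):
                    poly.add((1 << i) | (1 << j))
        if evaluate(poly, planted):      # fix the constant term so f(planted) = 0
            poly.add(0)
        system.append(poly)
    return system


def is_solution(system, x):
    """The Grover predicate: f(x) = 1 iff every equation vanishes at x."""
    return all(evaluate(p, x) == 0 for p in system)


def classical_search(system, n):
    """Classical exhaustive search: evaluates f on all 2^n inputs."""
    return [x for x in range(1 << n) if is_solution(system, x)]


def grover_iterations(n, k):
    """floor(pi/4 * sqrt(N/k)) rounds for k marked inputs out of N = 2^n."""
    if k == 0:
        return 0
    theta = math.asin(math.sqrt(k / (1 << n)))
    return int(math.pi / (4 * theta))


def grover(system, n, iterations):
    """Exact state-vector simulation of `iterations` Grover rounds."""
    N = 1 << n
    truth_table = [is_solution(system, x) for x in range(N)]  # what the oracle circuit computes
    amp = [1.0 / math.sqrt(N)] * N          # H^{(x)n}|0>: uniform superposition
    for _ in range(iterations):
        for x in range(N):                  # oracle O_f: phase flip where f(x) = 1
            if truth_table[x]:
                amp[x] = -amp[x]
        mean = sum(amp) / N                 # diffusion D = 2|psi><psi| - I:
        amp = [2 * mean - a for a in amp]   # reflect every amplitude about the mean
    return amp


def success_probability(system, n, amp):
    """Probability that measuring `amp` yields a zero of the system."""
    return sum(a * a for x, a in enumerate(amp) if is_solution(system, x))


def demo(n=8, m=8, seed=1):
    planted = 0b10110010                    # constructed: a zero we know exists
    system = random_mq_system(n, m, planted, seed)
    k = len(classical_search(system, n))    # used only to choose the round count
    r = grover_iterations(n, k)
    amp = grover(system, n, r)
    best = max(range(1 << n), key=lambda x: amp[x] * amp[x])
    return {"solutions": k, "iterations": r,
            "success_probability": success_probability(system, n, amp),
            "most_likely_outcome": best, "classical_evaluations": 1 << n}
```

With r = ⌊π/(4θ)⌋ and sin θ = √(k/N), the final angle (2r+1)θ lies within θ of π/2, so the success probability is at least cos²θ = 1 − k/N; for N = 256 and a single zero this is 12 rounds against 256 classical evaluations, which is the √N behaviour the text describes.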
Theorem 2.3 (Amplitude Amplification ())
Let be a quantum algorithm that, with no measurement, produces a superposition . Let be the probability of obtaining, after measurement, a state in the good subspace . Then, there exists a quantum algorithm that calls and as subroutines times and produces an outcome with a probability at least .
The key to successfully performing Grover’s algorithm for the function is to determine the quantum circuit for the function, in order to construct . It is sufficient to provide an oracle that computes the function , i.e. provide a unitary operator in the form of a quantum circuit which calculates , evaluating the function at a superposition of all possible inputs. Then, Grover’s algorithm can be used to amplify the desired output for measurement. What remains is to show that the quantum analog of ClassicalBooleanSolve is reversible and computable on a quantum computer. In the following section, we will construct the quantum circuit for the algorithm ClassicalBooleanSolve and analyze the complexity of the circuit.
2.3 Quantum Gates
The following gates are quantum gates of interest which operate on qubits, each directly corresponding to reversible classical gates. For qubits the gates perform the following operations:
CNOT (XOR, Feynman)
n-qubit Toffoli (AND)
It is important to note that , CNOT and . In terms of computational complexity, X, SWAP and CNOT gates are relatively cheap to compute, while the n-qubit Toffoli gates are more expensive; is equivalent to computing CNOT gates. Accounting for these equivalences can change the reported computational complexity of a given circuit. Additionally, it is important to note that one can emulate a Toffoli gate over using basic gates, in order to determine the additional resources required for any general extension of quantum computations over to quantum computations over .
3 A Quantum Version of BooleanSolve
We explain here how to combine the ClassicalBooleanSolve algorithm (Section 2.1) with Grover’s algorithm (Section 2.2). ClassicalBooleanSolve conducts two exhaustive searches over the variables. The first exhaustive search is over the last variables, specializing and projecting to the last components of a solution. The second exhaustive search, when necessary, is on the first variables, and allows the algorithm to determine the entire solution. It is clear that one can utilize Grover’s algorithm, as in , to quantize the second exhaustive search and obtain a speed up over the classical complexity. In what follows, will refer to the quantum algorithm  that solves MQ. We will see that Grover’s algorithm can be used to speed-up the first exhaustive search as well. Essentially, we will quantize the consistency check on Macaulay matrices by providing a quantum circuit which can be used as the function oracle in Grover’s algorithm.
Let . We consider the function which evaluates on with and returns only if the non-linear system defined below is consistent:
This is reduced to check whether the linear system below has a solution:
In order to quantize ClassicalBooleanSolve, we then proceed in two steps. We first use Grover’s algorithm, along with the quantum circuit which evaluates to determine such that , i.e. is such that the non-linear system below is consistent:
The then corresponds to the variable assignments of the last components in a solution for the system . We can then use Grover’s algorithm, via QuantumSearch on to find the remainder of a complete solution corresponding to .
The most essential part of determining the advantage of using Grover’s algorithm to improve the computational complexity of ClassicalBooleanSolve is to construct the quantum circuit for . Below, we construct the quantum circuit that solves (2).
3.2 Quantum Oracle
QuantumBooleanSolve consists of constructing a quantum oracle for the consistency check of Macaulay matrices, i.e. for . We recall below the classical sparse linear system solver used for the consistency check, as presented by Giesbrecht et al. , and then outline the quantum circuit. The classical complexity is given in a black-box model, where we assume access to a black box for computing matrix-matrix and matrix-vector products; the complexity is then the number of calls to such black boxes plus the number of additional field operations required.
3.2.1 Classical case.
SparseLinearSystemSolver is the classical algorithm employed to determine the consistency of the Macaulay matrices in degree . The algorithm takes as input a matrix , a vector and a subset of the field or a field extension , and outputs either a solution to or a certificate of inconsistency, . This classical algorithm requires evaluations of the black box for matrix-vector multiplication, plus an additional field operations. The subroutines of SparseLinearSystemSolver are given below.
Input: with >
Output: Any of the following return values, as an evaluation of the matrix : (nonsingular, ) where , (singular-consistent, ) with a random element of the solution space, (singular-inconsistent, ) with and , certifying the inconsistency of the system.
RandomSol: a subroutine of SparseLinearSystemSolver, intended to return a random element of the solution space to the system . The algorithm is stated to require evaluations of the black-box for matrix-vector product, and additional field operations.
Input: with , and with >
Output: One of the following two return values: (False) indicating no solution, (True, ) with a random solution to the system .
Wiedemann: a subroutine of SparseLinearSystemSolver. The deterministic version of the Wiedemann algorithm is presented below, as seen in .
Input: , ,
Output: One of the following two return values: such that and or , a factor of .
From the presentation of the classical algorithm SparseLinearSystemSolver, and the subroutines, it is clear that the significant operations performed classically are matrix multiplication and vector-matrix products. The complexity analysis for such operations is given in a black-box model. Therefore, it is sufficient to show that these operations can be executed (in comparable time) by a quantum circuit on a quantum computer, in order to construct a quantum oracle for matrix consistency checking.
3.2.2 Quantum case.
As the basic operations implemented by the classical consistency check are linear algebra on matrices, it is important to verify that this linear algebra can be computed on a superposition of inputs via a quantum circuit. We must check that a reversible unitary operation can compute the required algebraic computations on a quantum computer, with comparable computational complexity to their classical analogs.
Binary equality testing, i.e. checking if , can be computed via one CNOT and one X gate, as follows: .
Matrix Vector Multiplication.
The formula for matrix vector multiplication calculates each element of the product vector . To compute each we require at most products between the elements of and of . Therefore, the matrix-vector product requires at most products. It remains to show that the computation is reversible.
Figure 1 shows a reversible circuit for computing the inner product between two vectors. This is simply done by replacing the products by Toffoli gates. Since a Toffoli gate is its own inverse, the circuit is itself reversible: applying it twice gives the identity. In total, the inner product of two -bit vectors can be computed, on a superposition of inputs, using Toffoli gates. Therefore, the computation of such a matrix-vector multiplication requires at most Toffoli gates.
In the same fashion it is possible to compute matrix products in the quantum setting. Each column of the matrix can be computed using matrix vector multiplication, which, in turn, can be implemented using Toffoli gates. In total, a reversible quantum circuit for computing matrix multiplication on a superposition of inputs requires at most Toffoli gates, for square matrices.
Using this quantum circuit for the inner product between two vectors, the quantum oracle for consistency checking can be constructed. Although this naive quantum matrix multiplication costs , i.e. more than , where is the current classical complexity of matrix multiplication with the Coppersmith-Winograd algorithm, quantizing this computation still results in a lower quantum running time for the classical MQ problem. ClassicalBooleanSolve, as well as SparseLinearSystemSolver and the provided subroutines, are analyzed in the black-box model, where products such as for a vector and a matrix are given by black boxes. The construction above shows that such computations can be carried out by a quantum computer reversibly and without entanglement concerns.
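The gate-level claims of this section (an inner product from n Toffoli gates, a matrix-vector product from m·n of them, equality testing from CNOT and X, and reversibility by running the same circuit twice) can be checked on classical basis states, since every gate involved permutes basis states and therefore acts gate for gate in the same way on a superposition. The following is an added example, not the paper's circuit: the Register class, the wire layout and the 2×3 matrix in the tests are constructed here. It also shows the step a Grover oracle cannot skip: every ancilla used for the product is uncomputed before the result is used, so that nothing but the flag qubit is left correlated with the input.

```python
"""Reversible GF(2) linear algebra for a Grover oracle, simulated on classical
basis states.  Added example, not the paper's circuit.  Every gate below is a
permutation of basis states, so checking a circuit on basis states checks
what it does on a superposition."""


class Register:
    """Qubit register restricted to computational basis states."""

    def __init__(self, bits):
        self.bits = list(bits)
        self.counts = {"X": 0, "CNOT": 0, "Toffoli": 0, "nToffoli": 0}

    def x(self, a):                           # NOT
        self.bits[a] ^= 1
        self.counts["X"] += 1

    def cnot(self, a, b):                     # b ^= a  (XOR / Feynman gate)
        self.bits[b] ^= self.bits[a]
        self.counts["CNOT"] += 1

    def toffoli(self, a, b, c):               # c ^= a AND b
        self.bits[c] ^= self.bits[a] & self.bits[b]
        self.counts["Toffoli"] += 1

    def n_toffoli(self, controls, target):    # target ^= AND of all controls
        self.bits[target] ^= int(all(self.bits[i] for i in controls))
        self.counts["nToffoli"] += 1


def inner_product(reg, u, v, out):
    """out ^= <u, v> over GF(2): one Toffoli per coordinate (len(u) gates)."""
    for a, b in zip(u, v):
        reg.toffoli(a, b, out)


def matvec(reg, rows, v, out):
    """out ^= M v for an m x n matrix given as m rows of wire indices: m*n Toffolis."""
    for row, o in zip(rows, out):
        inner_product(reg, row, v, o)


def vector_equal(reg, a, b, flag):
    """flag ^= [a == b].  CNOT(a_i, b_i); X(b_i) turns b_i into [a_i == b_i], an
    n-qubit Toffoli ANDs these into flag, then the CNOT/X steps are undone so
    b is restored and only flag has changed."""
    for ai, bi in zip(a, b):
        reg.cnot(ai, bi)
        reg.x(bi)
    reg.n_toffoli(b, flag)
    for ai, bi in reversed(list(zip(a, b))):
        reg.x(bi)
        reg.cnot(ai, bi)


def layout(M, v, b):
    """Wire map: entries of M, then v, then b, then m ancilla outputs, then the flag."""
    m, n = len(M), len(v)
    bits = [e for row in M for e in row] + list(v) + list(b) + [0] * m + [0]
    M_w = [[r * n + c for c in range(n)] for r in range(m)]
    v_w = list(range(m * n, m * n + n))
    b_w = list(range(m * n + n, m * n + n + m))
    out_w = list(range(m * n + n + m, m * n + n + 2 * m))
    return bits, M_w, v_w, b_w, out_w, m * n + n + 2 * m


def reversible_matvec(M, v):
    """Compute M v into clean ancillas, read it, then uncompute by running the
    same circuit again (Toffoli is self-inverse) and check the register is restored."""
    bits, M_w, v_w, b_w, out_w, flag_w = layout(M, v, [0] * len(M))
    reg = Register(bits)
    matvec(reg, M_w, v_w, out_w)
    product = [reg.bits[w] for w in out_w]
    matvec(reg, M_w, v_w, out_w)              # second pass is the inverse
    return {"product": product, "toffoli_gates": reg.counts["Toffoli"] // 2,
            "restored": reg.bits == bits}


def check_linear_system(M, v, b):
    """Oracle-style predicate flag = [M v == b] with every ancilla uncomputed.
    Garbage ancillas left correlated with v would break the interference that
    the diffusion step relies on, so the uncompute pass is mandatory."""
    bits, M_w, v_w, b_w, out_w, flag_w = layout(M, v, b)
    reg = Register(bits)
    matvec(reg, M_w, v_w, out_w)              # out = M v
    vector_equal(reg, out_w, b_w, flag_w)     # flag = [out == b], b restored
    matvec(reg, M_w, v_w, out_w)              # out back to 0
    return {"flag": reg.bits[flag_w],
            "ancillas_clean": reg.bits[:flag_w] == bits[:flag_w],
            "gates": dict(reg.counts)}
```

For a 2×3 matrix the product pass costs exactly 6 Toffoli gates and the full predicate 12 Toffolis plus one 2-qubit-controlled n-Toffoli; the gate counts are reported per pass so they can be compared with the per-step counts of Section 4.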
4 Complexity Analysis
We can now study the complexity of QuantumBooleanSolve (Section 3.1). This analysis consists of constructing the quantum oracle implementing , which on input specializes the polynomial system and indicates the consistency of the associated Macaulay matrix of appropriate degree. This can be done by analyzing SparseLinearSystemSolver and any associated subroutines separately, either illustrating the equivalence between the complexity of the classical function and the quantum circuit or proving that the quantum circuit is more efficient.
For example, the quantization of the subroutine RandomSol consists of constructing a quantum circuit . RandomSol takes as input a matrix , a vector , a polynomial with (and , which in the case of MQ is a field extension of ). We would build
This quantum circuit takes as input the elements of the matrix , the coefficients of the function , the elements of the random vector , , and the elements of the vector , as well as wires for computation space, and returns , , a boolean which takes the value of 1 if and 0 otherwise, along with the input for reversibility.
The quantum circuit implementing RandomSol requires quantum gates. In the black-box model, when provided with an oracle to compute matrix-vector and matrix-matrix products, requires evaluations of the black box and operations in the base field , which is equivalent to the classical complexity of RandomSol.
A proof of the above theorem is fairly straightforward when directly analyzing a quantum analogue of the classical algorithm provided above for RandomSol (below, T denotes a Toffoli gate). It is clear that steps 4, 6, and 7 of RandomSol are the only steps computed by the quantum circuit. Firstly, step 4 consists of the computation of , the first entries of the vector . This is merely matrix-vector multiplication and vector-vector addition; we compute the entries of with T gates for multiplication and CNOT gates for addition, totaling quantum gates. In the black-box model, this is 1 oracle query for matrix-vector multiplication and field operations for the addition of two vectors. Secondly, step 6 consists of computing the matrix-vector product with T gates, followed by the computation of via one T gate, and computing the th term of the sum with an additional T gate. This is quantum gates when we count the additional NOT gate at the end of the computation. In the black-box model, this is black-box matrix-vector product queries and field operations for the sum. Finally, the equality test in step 7 consists of computing the matrix-vector product with T gates, followed by CNOT gates to compute, element by element, , and then one gate to compute the value . In the black-box model, this is 1 call to the matrix-vector product oracle. Therefore, we have established the equivalence, in the black-box model, of the classical complexity of the subroutine RandomSol and of the quantum oracle implementing the function .
Similar arguments demonstrate the equivalence of SparseLinearSystemSolver as well as the entire quantum circuit . Due to the equivalence of the classical and quantum consistency checks in the black-box model, it is straightforward to adapt Theorem 2.1 to QuantumBooleanSolve, as follows.
Let be such that any two matrices can be multiplied in operations in the underlying field. For any , and and sufficiently large , testing the consistency of all Macaulay matrices in requires:
the evaluation of quantum gates in the deterministic variant;
the evaluation, on average, of quantum gates in the probabilistic variant,
where , with and