IET Information Security - 2022 - Ikematsu - Recent Progress in The Security Evaluation of Multivariate Public Key

Received: 11 November 2021
DOI: 10.1049/ise2.12092
REVIEW
- -
Revised: 16 March 2022 Accepted: 17 August 2022
- IET Information Security
Recent progress in the security evaluation of multivariate

public‐key cryptography
Yasuhiko Ikematsu1 | Shuhei Nakamura2 | Tsuyoshi Takagi3
1
Institute of Mathematics for Industry, Kyushu Abstract
University, Nishi‐ku, Fukuoka, Japan
Multivariate public‐key cryptography (MPKC) is considered a leading candidate for post‐
2
Department of Liberal Arts and Basic Sciences, quantum cryptography (PQC). It is based on the hardness of the multivariate quadratic
Nihon University, Narashino, Chiba, Japan
3
polynomial (MQ) problem, which is a problem of finding a solution to a system of
Department of Mathematical Informatics, The
quadratic equations over a finite field. In this paper, we survey some recent progress in
University of Tokyo, Bunkyo‐ku, Tokyo, Japan
the security analysis of MPKC. Among various existing multivariate schemes, the most
Correspondence important one is the Rainbow signature scheme proposed by Ding et al. in 2005, which
Yasuhiko Ikematsu, Institute of Mathematics for was later selected as a finalist in the third round of the PQC standardization project by the
Industry, Kyushu University, 744, Motooka, Nishi‐ National Institute of Standards and Technology. Under the circumstances, some recent
ku, Fukuoka, Japan.
research studies in MPKC have focussed on the security analysis of the Rainbow scheme.
Email: ikematsu@imi.kyushu-u.ac.jp
In this paper, the authors first explain efficient algorithms for solving the MQ problem
Funding information and the research methodology for estimating their complexity in MPKC. Then, the au-
Core Research for Evolutional Science and thors survey some recent results related to the security analysis of the Rainbow scheme.
Technology, Grant/Award Number: JPMJCR2113; In particular, the authors provide a detailed description of the complexity analysis for
Japan Society for the Promotion of Science, Grant/
solving the bi‐graded polynomial systems studied independently by Nakamura et al. and
Award Numbers: JP19K20266, JP20K19802
Smith‐Tone et al., and then expound the rectangular MinRank attack against Rainbow
proposed by Beullens.
1 | INTRODUCTION MPKC has a relatively old history in PQC, and the first
multivariate scheme was proposed by Matsumoto and Imai in
By Shor's quantum algorithms [1] in 1994, it is known that widely 1988, called the MI scheme [6]. Subsequently, as a general-
used public‐key cryptosystems, such as RSA and ECC, can be isation of the MI scheme, the Hidden Field Equation (HFE)
broken if a large‐scale quantum computer is built. Thus, it is scheme was proposed in 1996 by Patarin [7]. There are
important to study public‐key cryptography that can potentially several signature schemes based on the HFE scheme such as
resist such quantum computer attacks, which is called post‐ GeMMS [8] and Gui [9]. Apart from that, the unbalanced oil
quantum cryptography (PQC) [2]. In 2016, the National Insti- and vinegar (UOV) signature scheme [10] is a well‐established
tute of Standards and Technology (NIST) announced a PQC signature scheme proposed by Kipnis et al. in 1999. As its
standardization project [3]. This project has now advanced to the efficient multilayer variant, the Rainbow scheme was pro-
third round, and PQC has been more actively researched. posed by Ding et al. [11] in 2005. Because of its good per-
Multivariate public‐key cryptography (MPKC) (cf., Ref. [4]) formance and security, the Rainbow scheme was selected as a
is a leading candidate for PQC and is constructed using multi- finalist in the third round of NIST PQC standardisation [12],
variate quadratic polynomial (MQ) maps P over a finite field Fq and its security analysis has become an important research
with a trap‐door structure. The security of MPKC is dependent topic of MPKC. In addition, as a multivariate scheme without
on the hardness of the multivariate quadratic polynomial (MQ) using any trap‐door of special algebraic structure, in 2011
problem, which is to find a solution to a system of quadratic Sakumoto et al. [13] proposed an identification scheme that is
equations over a finite field. The MQ problem is known to be proven to be secure purely under the hardness of the MQ
NP‐hard [5]. problem. In this way, further more multivariate schemes have
-
This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is
properly cited.
© 2022 The Authors. IET Information Security published by John Wiley & Sons Ltd on behalf of The Institution of Engineering and Technology.
210 IET Inf. Secur. 2023;17:210–226. wileyonlinelibrary.com/journal/ise2

17518717, 2023, 2, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12092 by CochraneUnitedArabEmirates, Wiley Online Library on [15/04/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
IKEMATSU ET AL.
- 211
been proposed so far, and MPKC has become a major topic an important and fundamental tool to estimate the complexity
in the research of PQC. of various attacks in MPKC. Moreover, the Rainbow scheme
On the other hand, the security analysis of MPKC has also [11] is one of the most influential multivariate schemes owing to
been intensively developed along with the afore‐mentioned its selection as a finalist in the third round of the NIST PQC
progress in the explicit constructions of MPKC. In some standardisation project. Some recent progress in MPKC has
initial studies in the 90s, the MI scheme [6] was broken by Patarin been made via the security analysis of the Rainbow scheme.
[14] using the linearisation equation attack. Furthermore, the Oil Considering this situation, we mainly provide a survey on the
Vinegar (OV) scheme was broken in polynomial time by Kipnis– following topics: the state‐of‐the‐art approaches for solving
Shamir (KS) attack [15] and then improved to its unbalanced polynomial systems used in MPKC and two recently improved
variant, called the UOV scheme [15]. We stress that the linear- attacks on the Rainbow scheme, namely the Rainbow‐Band‐
isation attack and KS attack strongly depend on the special Separation (RBS) attack [28] using the bi‐graded polynomial
algebraic structures of MI and OV schemes, respectively. After system and the rectangular MinRank attack [29].
those studies, two types of more general attacks applicable to First, we explain the current knowledge on the direct attack.
various multivariate schemes have been proposed. As stated above, there are two main approaches for solving a
The first one is the direct attack wherein the system of system of equations in MPKC research, namely, the Gröbner
quadratic equations associated with a public key (quadratic basis approach and Wiedeman XL approach. The Gröbner basis
map) P and a ciphertext w (or signature) of PðxÞ ¼ w is approach is to compute a Gröbner basis of the ideal associated
directly solved. In MPKC research, two major methods are with the solved system PðxÞ ¼ w. The algorithms F4 [30] and
often considered to solve such a system, namely Gröbner basis F5 [16] are often used in MPKC research. The XL approach tries
approaches and Wiedemann extended linearisation (XL) to solve the linear system obtained from multiplying terms with
approach. For the F5 Gröbner basis algorithm [16] proposed a certain degree d by the solved system. The Wiedeman XL
by Faugère, the first HFE challenge [17] was solved in 2003 by approach efficiently obtains a solution using the Wiedemann
Faugère et al. [18]. However, it is a non‐trivial problem to algorithm [31] if the linear system mentioned above is sparse
evaluate the complexity of the direct attack. To study its ac- with a few solutions. Note that Ars et al. [32] shows that the XL
curate estimation, the degree of regularity dreg and the first fall algorithm is also a Gröbner basis algorithm that can be repre-
degree dff are extensively researched in Ref. [19–21] and so on. sented as a redundant variant of the Gröbner basis algorithm F4
The complexity of solving semi‐regular systems of quadratic [30]. The crucial point for complexity estimation is to determine
equations is accurately estimated by the degree of regularity. the appropriate degree d of the Macaulay matrix Md , inducing a
However, many quadratic systems appearing in MPKC are not correct solution of the solved system practically. We will explain
semi‐regular, and thus the analysis of the first fall degree is an how to estimate d in MPKC research.
important research topic in MPKC. It has been shown that the Second, we discuss recent studies on the bi‐graded poly-
first fall degree for the HFE scheme and its variants can be nomial systems. Though such systems do not appear in the
precisely estimated [20, 22, 23]. direct attack against general multivariate schemes, they appear
The second one is the MinRank attack, which exploits the in the analysis of a MinRank attack against Rainbow, called the
special algebraic structure of MPKC, which was initially applied RBS attack [28]. The bi‐graded system that appears in the RBS
to the HFE scheme in Ref. [24]. A public key P of quadratic attack was initially analysed under the assumption that the
polynomials in n variables corresponds to some symmetric system is semi‐regular. However, it is already known in Ref.
matrices of size n. The symmetric matrices corresponding to the [33] in 2012 that such a bi‐graded system does not behave like
public key P often generate a low‐rank matrix because of its trap‐ semi‐regular in some experiments. In 2020, Nakamura et al.
door structure. The MinRank attack tries to recover a secret key [34] and Smith‐Tone et al. [35] independently studied the bi‐
by finding such a low‐rank matrix. Moreover, the related prob- graded systems that appear in the RBS attack. Their studies
lem to find a low‐rank matrix by computing a linear combination can show more accurate estimation focussing on the bi‐graded
of given matrices over a finite field, called the MinRank problem, structure, and thus it affects the proposed parameters of the
is another important research in the security analysis of MPKC. Rainbow scheme. In our paper, following the work of Naka-
The MinRank problem is proven to be NP‐hard [25]. In general, mura [36], we will explain the bi‐graded version of semi‐
the MinRank problem can be solved by searching a hidden kernel regularity and degree of regularity, which can be seen as a
space using linear algebra or by reducing it to polynomial sys- generalisation of the work by Diem [37] and Bardet et al. [19].
tems. The latter method includes the minor modelling methods Moreover, following the way of Smith‐Tone et al. [35], we will
[26, 27] and the KS method [24], which require the polynomial explain how to estimate the computational complexity of the
system to be solved by algorithms used in the direct attack. bi‐graded systems. Furthermore, we will describe the RBS
attack [28], which is the motivation for the study of the bi‐
graded systems, and explain its complexity estimation using
1.1 | Contribution the above discussion.
Finally, we explain the rectangular MinRank attack [29]
In this paper, we survey some recent progress in the security against the Rainbow scheme proposed by Beullens. This attack
analysis of MPKC. The direct attack, which was initially devel- is carried out by deforming the MinRank problem associated
oped via the security analysis on the HFE scheme, has become with the Rainbow scheme to another MinRank problem and
212
- IKEMATSU ET AL.
solving it using the support minor modelling method proposed be easy‐to‐invert. This map is the core object because it de-
by Bardet et al. [26]. This attack affects the proposed param- termines properties (e.g. security and efficiency) of the multi-
eters of the Rainbow scheme. We will describe how to deform variate scheme constructed from the map.
the MinRank problem for the Rainbow scheme in terms of In general, a multivariate scheme is constructed as follows.
matrix representation, which was originally done in terms of First, choose an easy‐to‐invert map F : Fnq → Fm q . Next,
polynomial representation in Ref. [29]. By using matrix rep- randomly choose two invertible linear maps S : Fnq → Fnq and
resentation, we can provide another description of the rect- T : Fm m
q → Fq . Then a public key is given by the composite
angular MinRank attack. The system that appears in the
rectangular MinRank problem becomes a bi‐graded homoge- P ≔ T ◦ F ◦ S : Fnq → Fm
q
neous system. In Ref. [29], Beullens estimates the complexity
of solving the bi‐graded system based on the complexity
and the secret key is given by ðF ; T ; SÞ: Here, it is clear that
analysis of the support minor modelling method [26], under a
P : Fnq → Fm q is also a quadratic map.
generic assumption. We will explicitly describe the generic
The property of the easy‐to‐invert map F determines
assumption and explain the complexity estimation of the
whether the constructed scheme becomes an encryption
rectangular MinRank attack in Ref. [29]. We also state the
scheme or a signature scheme. In fact, if F is injective, then the
support minor modelling method [26] to solve the MinRank
constructed scheme becomes an encryption scheme. Then the
problem.
encryption process is performed by substituting
Our paper is organised as follows. In Section 2, we briefly
c ≔ PðmÞ ∈ Fm n
q for a message m ∈ Fq . The decryption pro-
recall a general construction of multivariate schemes and the
cess of c is performed by computing three inverses:
Rainbow signature scheme as an example. In addition, we
w1 ≔ T −1 ðcÞ; w2 ≔ F −1 ðw1 Þ, and m ¼ S −1 ðw2 Þ. Here, since
explain how the security of multivariate schemes relates to the
F is easy‐to‐invert, the decryptor can easily and efficiently
hardness of the MQ problem and the MinRank problem. In
compute the inverse F −1 ðw1 Þ. Namely, the decryption process
Section 3, we review some approaches to solve the MQ
is performed efficiently (See Figure 1).
problem. In Section 4, we discuss the complexity estimations
On the other hand, if F is surjective, then the constructed
of the MQ problem using the approaches in Section 3. In
scheme becomes a signature scheme. For a message m ∈ Fm q to
Section 5, we explain the definition of the bi‐graded systems
be signed, a signature s ∈ Fnq is generated by three inverses:
and their complexity analysis to solve them. In addition, we
w1 ≔ T −1 ðmÞ; w2 ≔ F −1 ðw1 Þ, and s ≔ S −1 ðw2 Þ. Here,
recall the RBS attack against the Rainbow scheme and explain
F −1 ðw1 Þ means an element of the pre‐image of the set {w1}
how its complexity is estimated. In Section 6, we explain the
under the surjective map F . The verification process is done
rectangular MinRank attack against the Rainbow scheme.
by checking whether PðsÞ ¼ m or not (See Figure 2).
Finally, we conclude our paper in Section 7.
The MI scheme, which was the first multivariate scheme, was
proposed in 1988 by Matsumoto and Imai [6]. The corre-
sponding easy‐to‐invert map F is constructed by using a
2 | MPKC CONSTRUCTION AND ITS
monomial map X ↦ X q þq on a large finite extension field of
ℓ1 ℓ2
SECURITY
Fq . As a generalisation, by extending such a monomial map to a
In this section, we recall a general construction of multivariate
schemes and describe the construction of the Rainbow
signature scheme [11] as an example. Subsequently, we review
the MQ and MinRank problems, which essentially determine
the security of MPKC.
2.1 | General construction
Let n, m be positive integers and Fq be a finite field with q

FIGURE 1 General workflow of multivariate encryption schemes
elements. For m quadratic polynomials p1 ; …; pm ∈ Fq ½x� in n
variables x = (x1, …, xn) over Fq , we define the following map
P : Fnq ∋ v ↦ ðp1 ðvÞ; …; pm ðvÞÞ ∈ Fm

q:
Such a map is called a quadratic (polynomial) map.

To construct a multivariate scheme, we recall the following
definition. Let F ¼ ðf 1 ; …; f m Þ : Fnq → Fm
q be a quadratic map.
If for any element w ∈ Fm q the system of quadratic equations
F ðxÞ ¼ w can be solved with less complexity, then F is said to FIGURE 2 General workflow of multivariate signature schemes
IKEMATSU ET AL.
- 213
P ℓj
polynomial map X ↦ i;j ai;j X q þq with low degree, the HFE
ℓi
f o1 þ1ðz0 ; z00 ; x3 Þ ¼ wo1 þ1; …; f o1 þo2 ðz0 ; z00 ; x3 Þ ¼ wm :
scheme was proposed by Patarin [7] in 1996. Thereafter, several
multivariate schemes have been proposed, such as UOV [10], 4. Let z ≔ ðz0 ; z00 ; z000 Þ ∈ Fnq , which is a solution to F ðxÞ ¼ w.
ABC [38], ZHFE [39], EFC [40], Gui [9], GeMMS [8], and
HFERP [41]. In the next subsection, we explain the Rainbow In this algorithm, if there is no solution of the system to
[11] signature scheme, which is a variant of UOV [10]. linear equations in Step 2 or 3, then go back to Step 1 or 2,
respectively. It is clear that this algorithm is efficient; in fact,
the complexity is given by O(n3) at most.
2.2 | Rainbow The Rainbow signature scheme [11] was proposed as an
improved version of the OV and UOV schemes. If we remove
In this subsection, we describe Rainbow, a multivariate signa- the parameter o2 (i.e. o2 = 0) and set v = o1 in the Rainbow
ture scheme that was proposed by Ding and Schmidt in 2005 signature scheme, then the obtained scheme becomes the OV
[11] as an efficient variant of the UOV scheme [10]. signature scheme [42], which was proposed by Patarin in 1997.
Fix positive integers v; o1 ; o2 ∈ N, and set n ≔ v + o1 + o2 However, it is broken by the OV attack [15] in polynomial time.
and m ≔ o1 + o2. Let x1 ¼ ðx1 ; …; xv Þ; x2 ¼ ðxvþ1 ; …; xvþo1 Þ, In 1999, Kipnis et al. proposed the Unbalanced OV (UOV)
and x3 ¼ ðxvþo1 þ1; …; xn Þ be three sets of variables, and x = scheme [10] by modifying the parameter (v, o1) as v > o1 (and
(x1, …, xn). An easy‐to‐invert map F ¼ ðf 1 ; …; f m Þ : Fnq → Fm
q o2 = 0), which can resist the OV attack. Finally, in 2005, the
of Rainbow is defined by Rainbow scheme improved the efficiency of the UOV scheme
8 P P by adding a new parameter o2.
ð1Þ ð1Þ
>
> f1 ¼ aij xi xj þ aij xi xj ; The Rainbow scheme was selected as a finalist in the third
>
>
>
>
1≤i≤j≤v 1≤i≤v round of the NIST PQC standardisation [12]. Table 1 presents
>
>
>
> vþ1≤j≤vþo1 the proposed parameters. In this paper, we primarily focussed
>
>
>
> ⋮ on the RBS and Rectangular MinRank attacks against the
>
>
>
> P ðo Þ P ðo Þ Rainbow scheme in order to understand some recent progress
>
> f o1 ¼ aij 1 xi xj þ aij 1 xi xj ;
>
> in the security analysis of MPKC. Recently, Beullens proposed
>
> 1≤i≤j≤v 1≤i≤v
>
> a new attack, known as simple attack [43], in IACR ePrint. The
< vþ1≤j≤vþo1
parameters (Table 1) of the Rainbow scheme in the third round
> P ðo þ1Þ P ðo þ1Þ
>
>
> f o1 þ1 ¼ aij 1 xi xj þ aij 1 xi xj ; should be rescaled such that it is secure against the simple
>
> 1≤i≤j≤vþo1 attack [43].
>
> 1≤i≤vþo1
>
> vþ1≤j≤n
>
>
>
>
>
> ⋮
>
> 2.3 | MQ problem
>
> P ðmÞ P ðmÞ
> fm
>
> ¼ aij xi xj þ aij xi xj ;
>
> 1≤i≤j≤vþo1
>
: 1≤i≤vþo1 In this subsection, we describe the MQ problem, which is
vþ1≤j≤n strongly related to the security of multivariate schemes.
Clearly, by solving the equations PðxÞ − w ¼ 0 for a public
ðkÞ
where each coefficient aij is randomly chosen from Fq . For an key P and a ciphertext (or message) w ∈ Fm q , we obtain the
element w ¼ ðw1 ; …; wm Þ ∈ Fm q , the process of finding a so- message m (or a signature s). Thus, the following problem is
lution to the equations F ðxÞ ¼ w (namely, the computation of important for understanding the security of multivariate
F −1 ðwÞ) is as follows: schemes:
�
1. Randomly choose an element z0 ¼ z01 ; …; z0v ∈ Fvq .
2. Find a solution x2 ¼ z00 ∈ Foq1 to the system of linear 2.3.1 | Multivariate quadratic polynomial (MQ)
equations: problem
f 1 ðz0 ; x2 Þ ¼ w1 ; …; f o1 ðz0 ; x2 Þ ¼ wo1 : Given a system of m quadratic polynomial g1(x), …, gm(x) in n
variables, find a solution x ∈ Fnq to
3. Find a solution x3 ¼ z000 ∈ Fo2 to the system of linear
equations: g1 ðxÞ ¼ ⋯ ¼ gm ðxÞ ¼ 0:
T A B L E 1 The parameters of the

Security Parameter Public key Secret key Signature
rainbow scheme in the third round of National
level (q, v, o1, o2) size (KB) size (KB) size (B)
Institute of Standards and Technology post‐
quantum cryptography standardisation [12] I (24, 36, 32, 32) 157.8 101.2 66
8
III (2 , 68, 32, 48) 861.4 611.3 164
8
V (2 , 96, 36, 64) 1885.4 1375.7 204
214
- IKEMATSU ET AL.
This problem is proven to be NP‐hard for the binary field However, since S ⋅ Gup ⋅tS is not an upper triangular matrix
F2 [5]. Thus, it is considered to be difficult to solve a system of in general, the corresponding upper triangular matrix of
randomly chosen quadratic equations g1(x) = ⋯ = gm(x) = 0. g ◦ SðxÞ is not equal to S ⋅ Gup ⋅tS.
In MPKC research, since a public key P : Fnq → Fm q is To avoid this inequality, it is necessary to consider sym-
constructed using an easy‐to‐invert map F : Fnq → Fm q , which metric matrices. For the above quadratic polynomial g(x), we
has a special structure to realise an efficient inverting process, it define the following symmetric matrix:
is considered that the associated MQ problem PðxÞ − w ¼ 0
might be easier than the random MQ problem. G ≔ Gup þ t Gup :
It is important to study the precise computational cost of
solving a given system of equations g1(x) = ⋯ = gm(x) = 0, Then, the corresponding symmetric matrix of g ◦ SðxÞ is
since it directly affects the secure parameters of multivariate equal to
schemes. In Sections 3 and 4, we will discuss how the MQ
S ⋅ G⋅ t S:
problem is solved and how its complexity is estimated in
MPKC research. Thus, if (F1, …, Fm) and (P1, …, Pm) are the corresponding
symmetric matrices of the easy‐to‐invert map F ¼ ðf 1 ; …; f m Þ
Remark 1 In general, it is difficult to prove a reduction of the and the public key P ¼ ðp1 ; …; pm Þ, then we have
security of multivariate schemes to the hardness of the MQ
problem. As an exception, MQDSS [44] is the only signature ðP 1 ; …; P m Þ ¼ ðSF1 t S; …; SFm t SÞ ⋅ T ;
scheme that uses multivariate polynomials such that it has
provably security to the MQ problem. MQDSS was a candidate where S, T are the corresponding matrices of size n, m to the
for the second round of NIST PQC standardisation [45] and is secret key S; T . As a result, it is considered that the symmetric
constructed based on the 5‐pass identification scheme pro- matrices of the public key P inherit some properties of the
posed by Sakumoto et al. [13]. Note that the construction of symmetric matrices of the easy‐to‐invert map F .
MQDSS does not follow the method in Section 2.1.
Remark 2 Since g(x) = x⋅tGup⋅tx, we have
2.4 | MinRank problem x ⋅ G⋅ t x ¼ 2gðxÞ:
In this subsection, we describe the MinRank problem, which is From this equality, it can be easily seen that if the characteristic
also strongly related to the security of multivariate schemes. of Fq is not 2, then the map g ↦ 12 G is a bijective map between
Before we state the MinRank problem, we recall a relation the set of homogeneous quadratic polynomials and the set of
between quadratic polynomials and matrices. symmetric matrices.
For a homogeneous quadratic polynomial
X For example, the form of symmetric matrices (F1, …, Fm)
gðxÞ ¼ gij xi xj ∈ Fq ½x�; of the Rainbow easy‐to‐invert map F ¼ ðf 1 ; …; f m Þ in Sec-
1≤i≤j≤n
tion 2.2 is given as follows:
we define the upper triangular matrix Gup by 80 1
>
> ∗v�v ∗v�o1 0v�o2
0 1 >
> @ ∗o1 �v 0o1 �o1 0o1 �o2 A ð1 ≤ i ≤ o1 Þ;
g11 g12 ⋯ g1n >
>
>
< 0o2 �v
B 0 g22 ⋯ g2n C 0o2 �o1 0o2 �o2
G ≔B
up C ∈ Fn�n :
q
Fi ¼ 0 1
@ ⋮ ⋮ ⋱ ⋮ A >
> ∗ ∗v�o1 ∗v�o2
⋯ gnn > @ v�v
>
>
0 0 >
> ∗ o1 �v ∗o1 �o1 ∗o1 �o2 A ðo1 þ 1 ≤ i ≤ mÞ:
:
∗o2 �v ∗o2 �o1 0o2 �o2
Then, we obtain the following equality
Here, *k�l means a k‐by‐l matrix over Fq . Since the rank of Fi
gðxÞ ¼ x ⋅ Gup ⋅ t x; (1 ≤ i ≤ o1) is less than or equal to v + o1, we can generate a
linear combination of the matrices P1, …, Pm with rank
where tx denotes the transpose of x. It is clear that the map ≤v + o1. Once an attacker finds such a low‐rank matrix from
g↦Gup is a bijective map between the set of homogeneous the public key, the attacker can recover the secret key using the
quadratic polynomials in Fq ½x� and the set of upper trian- kernel of the low‐rank matrix.
gular (square) matrices of size n. Let S be a linear map on As stated in the Rainbow example, the problem of finding
Fnq , and let S be its corresponding matrix of size n. Then, a low‐rank matrix from linear combinations of the symmetric
we have matrices (P1, …, Pm) of the public key P is strongly related to
the security of multivariate schemes. As a result, the following
MinRank problem, which is a generalisation of this problem, is
g ◦ SðxÞ ¼ x ⋅ S ⋅ Gup ⋅ t S ⋅ t x: important for understanding the security of MPKC.
IKEMATSU ET AL.
- 215
2.4.1 | MinRank problem using FGLM [48] or other algorithms. Then, the Gröbner basis
Glex = {h1, …, hℓ} has the following form:
Given s matrices M1 ; …; Ms ∈ Ft�u
q integer r > 0, find a
and P
non‐trivial Fq ‐linear combination M ¼ si¼1 ai Mi with Rank h1 ðxn Þ ¼ 0;
(M) ≤ r, if it exists. h2 ðxn−1 ; xn Þ ¼ 0;
This is proven to be NP‐hard [25]. Thus, it is considered to ⋮
be difficult to solve a randomly chosen instance of the Min- hℓ ðx1 ; …; xn Þ ¼ 0:
Rank problem. In Section 6.1, we will explain the support
minor modelling [26] as a method to solve the MinRank Thus, by solving these equations in the order from top to
problem proposed by Bardet et al. in 2020. bottom, we can obtain a solution to g1 = ⋯ = gm = 0.
Remark 3 Originally, the first key recovery attack using the Remark 5 If the system of equations g1 = ⋯ = gm = 0 has
MinRank problem was proposed in Ref. [24] in a security finite solutions over an algebraic closure Fq , then the ideal I is
analysis against the HFE scheme [7]. said to be zero‐dimensional. The complexity of the FGLM
algorithm [48] is O(nD3), where D is the number of solutions
Remark 4 Since the MinRank problem is NP‐hard, it might be to the system with multiplicities. When the Gröbner basis
possible to construct a scheme based on the MinRank problem. approach is used in MPKC research, the case where the ideal
For example, a zero‐knowledge identification scheme based on of system g1 = ⋯ = gm = 0 is zero‐dimensional and D is low is
the MinRank problem was proposed by Courtois [46]. typically considered. Hence, in MPKC research, the complexity
of the FGLM algorithm is typically disregarded.
3 | SOLVING MULTIVARIATE It is known that the dominant complexity in the above

POLYNOMIAL SYSTEMS procedure of solving equations g1 = ⋯ = gm = 0 is that of
computing Ggrev when I is of zero dimension. Therefore, it is
In this section, we describe approaches of solving a system important to estimate the complexity of computing Ggrev.
of polynomial equations. To solve such equations, the To compute a Gröbner basis using F4 or F5, a Macaulay
Gröbner basis approach or Wiedemann XL approach is matrix or a similar matrix is constructed from the equations
mainly used in MPKC research. Moreover, solving equations g1 = ⋯ = gm = 0 and then it is reduced by a reduction al-
is also important in the MinRank problem, since the Min- gorithm such as Gaussian elimination. Here, the Macaulay
Rank problem can be reduced to a problem of solving matrix Md of degree d with respect to g1, …, gm is defined as
polynomial equations. follows. For any polynomial gðxÞ ∈ Fq ½x� of degree ≤d, we
In Section 3.1, we explain the Gröbner basis approach. In denote by vg the row vector of coefficients of g(x), where the
Section 3.2, we describe the Wiedemann XL approach. sorting order of coefficients is determined by the term order ⪰.
Then, the matrix Md is defined by concatenating the row
vectors vugi , where 1 ≤ i ≤ m and u runs in the set of terms of
3.1 | Gröbner basis approach degree ≤d
� � − deg gi. Since the number of terms of degree ≤d is
nþd
First, we briefly recall Gröbner basis. Gröbner basis is a good , the number of column vectors in the Macaulay
d
finite set of generators of an ideal in a polynomial ring, and it � �
nþd
was introduced by Buchberger [47] in 1965. To state it more matrix Md is .
d
precisely, let ⪰ be a term order on the polynomial ring Fq ½x�
and I be an ideal of Fq ½x�, where x = (x1, …, xn). Then a finite The complexity of computing a Gröbner basis is dominated
set G⪰ ≔ {h1, …, hℓ} of generators of I is called a Gröbner by that of reduction of the Macaulay matrix Md with the largest
basis of I, and if it satisfies that for any h ∈ I there exists degree d appeared in the Gröbner basis algorithm. As a result, if
1 ≤ i ≤ ℓ such that the leading term of h is divided by that of we denote the largest degree by dmax, the complexity of solving
hi. The algorithms F4 [30] and F5 [16] are known as efficient the system of equations g1 = ⋯ = gm = 0 is bounded by
algorithms for computing Gröbner basis.
� �ω
For g1 ; …; gm ∈ Fq ½x�, a solution to g1 = ⋯ = gm = 0 is n þ d max
;
computed using a Gröbner basis algorithm as follows. Define d max
the ideal I by
I ≔ 〈g1 ; …; gm 〉 ⊂ Fq ½x�: where 2 < ω ≤ 3 is a linear algebra constant. Therefore, it is

important to determine the degree dmax to estimate the
Using the Gröbner basis algorithm, compute a Gröbner complexity of solving the system of equations g1 = ⋯ = gm = 0.
basis Ggrev of I with respect to the graded reverse lexicographic However, finding the degree dmax for a given system of equations
term order ⪰grev. If the ideal I is zero‐dimensional, one can g1 = ⋯ = gm = 0 is generally difficult. In Section 4, we will discuss
convert Ggrev into a lexicographic Gröbner basis Glex of I how dmax is currently estimated in MPKC research.
216
- IKEMATSU ET AL.
3.2 | Wiedemann XL approach 4 | COMPLEXITY OF SOLVING MQ

PROBLEM
The Wiedemann XL approach is an accelerated version of the
extended linearisation (XL) algorithm using the Wiedemann In this section, we discuss the complexity of solving the
algorithm. MQ problem. In Sections 4.1 and 4.2, we describe the
A variant of the XL algorithm [49] is a method of finding a degree of regularity dreg and the first fall degree dff used
solution of g1 = ⋯ = gm = 0 by solving a linear system in MPKC research as indicators of dmax and dfull. In
associated with the Macaulay matrix Md . More precisely, let Section 4.3, we explain how the complexity of solving the
Xd be a column vector of terms in the variables x of degree MQ problem that appears in MPKC is estimated using
≤d, where the sorting order of terms is determined by the term dreg or dff. In Section 4.4, we explain the hybrid approach
order ⪰. Then Md ⋅ Xd is the column vector consisting of as an improvement on approaches addressed in Sec-
polynomials ugi, where 1 ≤ i ≤ m and u runs in the set of tions 3.1 and 3.2.
terms of degree ≤d − deg gi. A variant of XL algorithm solves
the linear system Md ⋅ Xd ¼ 0 where each term in Xd is treated
as a new variable, or the (inhomogeneous) linear system 4.1 | Degree of regularity
transposed the last column vector of Md corresponding to 1
in Xd on the right hand side. First, we prepare some notations. Let g1 ; …; gm ∈ Fq ½x� be a
The Wiedemann XL approach finds a solution to polynomial system with degree di ≔ deg gi. We denote by
g1 = ⋯ = gm = 0 by solving such a linear system using ~g1 ; …; ~gm their homogeneous parts of the highest degree. Set
Wiedemann algorithms such as in Ref. [31] or Ref. [50]. the ideals
Such algorithms can solve a linear system faster than
Gaussian elimination when the Macaulay matrix is sparse. ~I ¼ ~I ðmÞ ≔ 〈~g ; …; ~g 〉 and ~I ðiÞ ≔ 〈~g ; …; ~g 〉;
1 m 1 i
Note that the algorithms [31, 50] aim to find a single so-
lution of a linear system and not all possible solutions. Thus, where i = 1, …, m − 1. Moreover, for d ∈ N, we define the
if a linear system has many solutions, then it is not possible following:
to find all the solutions in one trial in general. Therefore,
when finding a solution to g1 = ⋯ = gm = 0, the following j
Fq ½x�d ≔ ⊕ Fq ⋅ x11 ⋯xjnn ;
conditions are required: (i) g1 = ⋯ = gm = 0 has a few j1 þ⋯þjn ¼d
solutions. (ii) � The rank � of the Macaulay matrix Md is ~I ðiÞ ≔ ~I ðiÞ ∩ Fq ½x� :
nþd d d
approximately − 1.
d
Condition (i) almost holds since the solved system of Then, for D ∈ N, the polynomial system g1 ; …; gm ∈ Fq ½x�
equations g1 = ⋯ = gm = 0 is often of zero dimension in is said to be regular up to D [37] if it satisfies for any 1 ≤ i ≤ m − 1
MPKC research. Therefore, condition (ii) is important. We and any d ≤ D, and the following map is injective:
define dfull as the degree d such�that the�rank of the Macaulay
ðiÞ ðiÞ
nþd Fq ½x�d−diþ1 =~I d−diþ1 ∋ h ↦ h ⋅ ~giþ1 ∈ Fq ½x�d =~I d :
matrix Md is approximately − 1. Note that the
d
Weidemann XL algorithm finds only one element from the Note that this definition does not depend on the sorting
right kernel of the Macaulay matrix M� d . Thus, �
the Weidemann order of the polynomials g1, …, gm.
nþd
−RankMd
d
algorithm is applied for Md at most q times
to find a solution of the system of equations g1 = ⋯ = gm = 0. 4.1.1 | Degree of regularity dreg
To reduce this time, the rank of the Macaulay matrix Md needs
to be low. In MPKC � research,�the rank of Md to determine For polynomials g1 ; …; gm ∈ Fq ½x�, we define the degree of
nþd regularity dreg [19] as follows:
dfull is typically set to − 1. Once dfull is determined,
d � �
the complexity of solving a system of ‘quadratic’ equations d reg ≔ min d ∈ N j Fq ½x�d ¼ ~I d :
g1 = ⋯ = gm = 0 is obtained from Ref. [51] as
If there is no integer d such that Fq ½x�d ¼ ~I d , we define
� �2 � � dreg = ∞. Since we mainly treat the zero‐dimensional case, the
n þ d full n degree dreg will not be ∞.
3 :
d full 2 A polynomial system g1 ; …; gm ∈ Fq ½x� is said to be semi‐
regular [19] if it is regular up to dreg − 1. Note that the defi-
In general, for any system of equations g1 = ⋯ = gm = 0, it nition we state here is given by Diem [37] and is equivalent to
is difficult to estimate the degree dfull. In Section 4, we will that of Ref. [19]. Let g1 ; …; gm ∈ Fq ½x� be a semi‐regular sys-
discuss how dfull is currently estimated in MPKC research. tem. Then the following lemma holds:
IKEMATSU ET AL.
- 217
Lemma 1 ([19]). For a semi‐regular system g1, …, gm and dff can represent the minimum of degrees of ‘degree fall’ for a
d < dreg, the dimension dim Fq ½x�d =~I d is equal to the coeffi- given system g1 = ⋯ = gm = 0. Note that initially, the first fall
cient of degree d of the following power series degree was called the degree of regularity, for example, in Ref.
� [20, 22]. In general, it is difficult to compute the first fall degree
Πm 1 − t d i dff for a given polynomial system. Ding and Hodges [22] give an
HðtÞ ≔ i¼1 : ð1Þ
ð1 − tÞn upper bound for the first fall degree dff by constructing a non‐
trivial syzygy for the HFE scheme [7]. In addition, Verbel et al.
The degree of regularity dreg for a semi‐regular system can [52] construct non‐trivial syzygies of a quadratic system in the
be easily computed as the minimal degree with a non‐positive Kipnis–Shamir method [15] for the MinRank problem and give
coefficient in the power series H(t). an upper bound of the first fall degree dff.
The degree of regularity dreg is defined by Bardet et al. [19].
As shown from the definition, any element of the reduced
Gröbner basis of I is of degree dreg at the most. With this fact, 4.3 | Complexity estimation of solving MQ
it is expected that dmax and dfull might be estimated by the problem
degree of regularity dreg. In Section 4.3, we will discuss how
dreg is utilised to estimate dmax and dfull in MPKC research. In this subsection, we explain how to estimate the complexity
of solving a system of quadratic equations g1 = ⋯ = gm = 0
using the Gröbner basis approach or Wiedemann XL
4.2 | First fall degree approach. As stated in Section 3, we need to estimate dmax and
q q q q
dfull. This task is done using the degree of regularity or the first
Define B ≔ Fq ½x�=〈x1 ; …; xn 〉 and Bd ≔ Fq ½x�d =〈x1 ; …; xn 〉d fall degree. We will divide the system g1, …, gm into two cases:
for d ∈ N. Let g1 ; …; gm ∈ Fq ½x� be a polynomial system such (i) a semi‐regular quadratic system and (ii) a quadratic system
that ~g1 ; …; ~gm are of degree d 0 ∈ N. We denote by ~gi the associated with a public key P of a multivariate scheme.
image of ~gi ∈ Fq ½x�d0 in Bd0 . For a positive integer d, we Let dreg and dff be the degree of regularity and the first fall
consider the homomorphism degree for g1, …, gm, respectively. Moreover, let d ðn;mÞ
reg be the
degree of regularity for a semi‐regular system of m quadratic
Φd : B m g1 þ ⋯ þ bm~gm :
d−d 0 → Bd ; ðb1 ; …; bm Þ ↦ b1~ equations in n variables, which is efficiently computed by the
Then, we set power series H(t) in Equation (1).
! (i) Semi‐regular case

i j
πij ≔ 0; …; 0; −~gj ; 0; …; 0; ~gi ; 0; …; 0 ∈ Bm ;
As stated above, the degree of any element in the reduced
i
! Gröbner basis of the ideal I = 〈g1, …, gm〉 is ≤dðn;mÞ
q−1 reg . From
τi ≔ 0; …; 0; ~gi ; 0; …; 0 ∈ Bm ; this, it is considered that the Gröbner basis is obtained by the
reduction process of the Macaulay matrix Md with some
ðn;mÞ fd
d ≤ d reg . We define the homogeneous Macaulay matrix M
and define TSyz as the submodule of Bm generated by such by concatenating the row vectors vu~g as in Section 3.1, where
elements and set TSyzd ≔ TSyz ∩ Bm
i
d . In addition, we call an 1 ≤ i ≤ n and u runs in the set of terms of degree d − deg gi.
element in Ker Φd \ TSzyd a non‐trivial syzygy. From the definition of the degree of regularity [19], it is seen
that if the system is semi‐regular, then the rank of M f d be-
ðn;mÞ
comes full when d ¼ d reg . From such observations, both
4.2.1 | First fall degree dff ðn;mÞ
dmax and dfull are estimated by d reg in MPKC research. Thus,
the complexity of solving a semi‐regular system of m quadratic
Then, the first fall degree dff [20] is defined by equations g1 = ⋯ = gm = 0 in n variables using Gröbner basis
� � or Wiedemann XL approaches is estimated by
d ff ≔ min d ∈ N j Ker Φd ≠ TSzyd :
0 1ω 0 12
ðn;mÞ ðn;mÞ � �
n þ d reg n þ d reg n
namely, dff is the smallest number d where a non‐trivial syzygy @ A or 3@ A ;
appears.
ðn;mÞ
d reg
ðn;mÞ
d reg 2
The first fall degree dff and degree of regularity dreg have
the following relation: respectively. For instance, these estimations are used in Refs.
[8, 12].
Lemma 2 ([36]). For a non‐semi‐regular system, if dff < q, Note that a random instance of the MQ problem, which is
then we have dff ≤ dreg. a problem of solving a system of randomly chosen quadratic
equations, is experimentally known to behave as a semi‐regular
The first fall degree dff was introduced by Dubois and Gama system. Thus, its complexity is usually estimated to be the same
[20] in 2010 from a security analysis of the HFE scheme [7] and as that of a semi‐regular system.
218
- IKEMATSU ET AL.
(ii) Multivariate scheme case system. Then, the new system given by fixing k variables is also
considered to be semi‐regular. Therefore, the degree of regu-
We explain how to estimate the complexity of solving a larity d ðn−k;mÞ
reg is given by the smallest integer d for which the
system of quadratic equations PðxÞ − w ¼ 0 using the Gröb- m
coefficient of td in the power series ð1−t2 Þ
is non‐positive.
ner basis approach or Wiedemann XL approach. Here, ð1−tÞn−k
P ¼ ðp1 ; …; pm Þ is a public key for a multivariate scheme and As stated in (i) of Section 4.3, we have the following
w ¼ ðw1 ; …; wm Þ ∈ Fm q is a ciphertext or message to be complexity of the hybrid approach using the Gröbner basis
signed. Solving the system using such approaches is known as approach:
direct attack in MPKC. Put the system 0 1ω
ðn−k;mÞ
n − k þ d
min qk ⋅ @
reg
g1 ≔ p1 − w1 ; …; gm ≔ pm − wm : A :
ðn−k;mÞ
0≤k≤n d reg
We assume that n ≤ m; otherwise, we fix n − m variables
Moreover, we have the following complexity of the hybrid
in the system. Since the fixed system has m equations in m
approach using the Wiedemann XL approach:
variables, it has a solution with a high probability. Therefore,
we can always assume n ≤ m. 0 12
� �
First, we experimentally investigate whether the system g1, n − k þ d ðn−k;mÞ n−k
min qk ⋅ 3@
reg
A :
…, gm is semi‐regular or not. However, since it is not feasible 0≤k≤n ðn−k;mÞ
d reg 2
for P with a larger (i.e. practical) parameter, we need to
conduct some experiments for small parameters. If the systems
Remark 6 The complexity of the direct attack against the
g1, …, gm for P with small parameters behave as a semi‐regular
Rainbow scheme [11] in Section 2.2 is considered as follows.
system of the same size, then we consider that the systems g1,
First, since n > m, we fix n − m variables in x and obtain a
…, gm for P with large parameters are also semi‐regular. Then
system of m quadratic equations in m variables. Through ex-
its complexity is given as in the case (i).
periments, it is known that such systems behave as semi‐
Next, we consider that systems g1, …, gm for P with small
regular. In Ref. [12], the complexity of the direct attack
parameters do not behave as semi‐regular systems. For this
against the Rainbow scheme is estimated using the hybrid
case, we often have d reg > d ðn;mÞ
reg . However, it is known that a version of the Wiedemann XL approach as follows:
non‐semi‐regular system that appears in case (ii) can be solved
faster than a semi‐regular system with the same size. Thus, we 0 12
cannot use dreg to estimate the complexity of solving a non‐ ðm−k;mÞ � �
k
m − k þ d reg m−k
semi‐regular system. Instead, we try to use the first fall de- min q ⋅ 3@ A :
0≤k≤m ðm−k;mÞ
d reg 2
gree dff. This estimation method was initially applied to the
security analysis of the HFE scheme [7]. In the HFE scheme,
by constructing a non‐trivial syzygy of g1, …, gm, Ding et al.
[22] give an upper bound of the first fall degree dff and esti- 5 | BI‐GRADED POLYNOMIAL
mate dmax by using the upper bound of dff. They also exper- SYSTEMS AND RBS ATTACK
imentally confirmed that the upper bound of dff approximates
dmax for small parameters. As a result, dmax for a large In this section, we consider to solve bi‐graded polynomial
parameter of the HFE scheme is estimated by the upper bound systems. Such systems were mainly studied by Nakamura [36],
of dff. However, for schemes other than the HFE scheme and Nakamura et al. [34] and Smith‐Tone et al. [35] via the analysis
its variants, it is necessary to theoretically and experimentally of the RBS attack [28] against the Rainbow scheme [11].
analyse case‐by‐case whether dff can approximate dmax. In Section 5.1, following the work of Nakamura [36], we
Moreover, there is little research on whether dff correctly es- describe the bi‐degree of regularity, which is a generalisation of
timates dfull, and thus further research is required. the degree of regularity dreg. In Section 5.2, following the idea of
Smith‐Tone et al. [35], we explain a complexity estimation of bi‐
graded instances of the MQ problem. Based on these, in Sec-
4.4 | Hybrid approach and its complexity tion 5.3, we explain a new analysis of the RBS attack given by the
studies of Nakamura et al. [34] and Smith‐Tone et al. [35].
In Sections 3.1 and 3.2, we described two approaches for
solving a given quadratic equations g1 = ⋯ = gm = 0. As an
improvement, a hybrid approach [53] with the brute‐force 5.1 | Regularity for bi‐graded polynomial
search is often used, namely after fixing some variables in x systems
(i.e. substituting elements of Fq into some variables), we solve
the obtained equations by an approach discussed in Sec- In this subsection, we recall the definition of the bi‐graded
tions 3.1 or 3.2. Here, we assume that n ≤ m as in Section 4.3. polynomials and describe a generalisation of the degree of
Let 0 ≤ k ≤ n be the number of fixed variables. We consider regularity for them, following the work of Nakamura [36].
the case in which g1 = ⋯ = gm = 0 is a semi‐regular quadratic Let ⪯ be a relation on N2 defined by
IKEMATSU ET AL.
- 219
� �
∏m d i1 d i2
def
ða; bÞ ⪯ ðc; dÞ ⇔ a ≤ c; b ≤ d: i¼1 1 − t 1 t 2
H ðt1 ; t2 Þ ≔ : ð2Þ
We recall the definition of bi‐graded polynomials. We ð1 − t1 Þn1 ð1 − t2 Þn2
consider two variable sets x ¼ ðx1 ; …; xn1 Þ and y ¼ ðy1 ;
…; yn2 Þ. Put the polynomial ring As a result, for a bi‐graded semi‐regular system, any bi‐
degree of regularity (i.e. D) can be easily computed from bi‐
Fq ½x; y� ≔ Fq ½x1 ; …; xn1 ; y1 ; …; yn2 �: degrees of the coefficients in the two‐variable power series
Equation (2).
For polynomials g1 ; …; gm ∈ Fq ½x; y�, we denote their ho-
mogeneous parts of the highest degree by ~g1 ; …; ~gm . Set the
ideals 5.2 | Complexity estimation
~I ¼ ~I ðmÞ ≔ 〈~g ; …; ~g 〉 and ~I ðiÞ ¼ 〈~g ; …; ~g 〉; In this subsection, using the idea of Smith‐Tone et al. [35], we
1 m 1 i
estimate the complexity of solving bi‐graded instances of the
MQ problem. This task is done using the bi‐degrees of regu-
where i = 1, …, m − 1. For d ¼ ðd 1 ; d 2 Þ ∈ N2 , we define the larity in Section 5.1.
following: Let g1 ; …; gm ∈ Fq ½x; y� be a quadratic bi‐graded poly-
i j
nomial system. We consider how to solve such a quadratic bi‐
j
Fq ½x; y�d ≔ ⊕ Fq ⋅ xi11 ⋯xnn11 ⋅ y11 ⋯ynn22 ; graded system using the Wiedemann XL approach. This is
i1 þ⋯þin1 ¼d 1
done as in Section 3.2, namely by solving the linear system
j1 þ⋯þjn2 ¼d 2
associated with the bi‐graded Macaulay matrix. Here, the bi‐
~I ðiÞ ≔ ~I ðiÞ ∩ Fq ½x; y� : graded Macaulay matrix Md of bi‐degree d ∈ N2 with
d d
respect to g1, …, gm is defined as follows: For any bi‐graded
polynomial gðx; yÞ ∈ Fq ½x; y� of bi‐degree ⪯d, we denote by
If ~gi is in Fq ½x; y�d and gi ∈ ⊕d0 ⪯d Fq ½x; y�d0 , then gi is called
vg the row vector of coefficients of g(x, y). Then the matrix Md
a bi‐graded polynomial and we define bi‐deg gi ≔ d.
is defined by concatenating the row vectors vugi , where
Assume that each gi is bi‐graded and di ¼ ðd i1 ; d i2 Þ≔
1 ≤ i ≤ m and u runs in the set of terms with bi‐degree ⪯d − di.
bi ‐ deg gi ∈ N2 . Then, for D ∈ N2 , the polynomial system g1,
The number of terms of degree ⪯d is given as follows:
…, gm is said to be regular up to D [36] if it satisfies that for
any 1 ≤ i ≤ m − 1 and any d ⪯ D the following map is
Lemma 4 ([35]). The number of terms of degree ⪯d is equal to
injective
the coefficient Md ∈ Z of bi‐degree d of the following two‐
variable power series:
ðiÞ ðiÞ
Fq ½x; y�d−di =~I d−di ∋ h ↦ h ⋅ ~giþ1 ∈ Fq ½x; y�d =~I d :
1
:
ð1 − t1 Þn1 þ1 ð1 − t2 Þn2 þ1
5.1.1 | Bi‐degree of regularity
For bi‐graded quadratic polynomials g1 ; …; gm ∈ Fq ½x; y�, we Moreover, the number of terms of degree d is equal to the
~ d ∈ Z of bi‐degree d of the following two‐variable
coefficient M
define the following sets:
power series:
� �
D0 ≔ d ∈ N2 j Fq ½x; y�d ¼ ~I d ; 1
D ≔ fd ∈ D0 j d : minimum in D0 w:r:t ⪯g: :
ð1 − t1 Þ ð1 − t2 Þn2
n1
We call an element of D a bi‐degree of regularity for

g1, …, gm. Note that there is a case where the cardinality Thus, from Lemma 4, the size of the bi‐graded Macaulay
of D is ≥2, that is, a bi‐degree of regularity is not unique matrix Md is considered to be approximately Md.
in general.
Let g1 ; …; gm ∈ Fq ½x; y� be a bi‐graded system. Then the We explain the complexity estimation for solving a quadratic
bi‐graded system g1, …, gm is said to be bi‐graded semi‐regular bi‐graded semi‐regular system. Then the rank of the homoge-
if it is regular up to d for any d ≺ D ∈ D. Then the following neous bi‐graded Macaulay matrix M f d becomes full when d is a
lemma holds: bi‐degree of regularity D ∈ D from Lemma 3. From such an
observation, we can consider that a solution to the bi‐graded
Lemma 3 ([36]). Let g1 ; …; gm ∈ Fq ½x; y� be a bi‐graded semi‐ semi‐regular system can be found by solving a linear system
regular system. For any d ≺ D ∈ D, the dimension with respect to MD . Assume that g1, …, gm consist of m1
dim Fq ½x; y�d =~I d is equal to the d degree coefficient of the polynomials with bi‐degree (2, 0), m2 polynomials with bi‐
following two‐variable power series degree (1, 1), and m3 polynomials with bi‐degree (0, 2). Set
220
- IKEMATSU ET AL.
8� �
< n1 þ 1 þ n1 þ 1; ðm1 > 0Þ;
> of the easy‐to‐invert map F ¼ ðf 1 ; …; f m Þ : Fnq → Fm
q , each
N1 ≔ 2 symmetric matrix corresponding to fi has the following form:
>
:
0; ðotherwiseÞ; 80 1
>
> ∗v�v ∗v�o1 0v�o2
� >@∗
ðn1 þ 1Þðn2 þ 1Þ; ðm2 > 0Þ; >
>
> o1 �v 0o1 �o1 0o1 �o2 A ð1 ≤ i ≤ o1 Þ;
N2 ≔ >
< 0o2 �v 0o2 �o1 0o2 �o2
0; ðotherwiseÞ;
8� � Fi ¼ 0 1
>
< n2 þ 1 þ n2 þ 1; ðm3 > 0Þ;
> >
> ∗v�v ∗v�o1 ∗v�o2
>
> @ ∗o �v
N3 ≔ 2 >
> ∗o1 �o1 ∗o1 �o2 A ðo1 þ 1 ≤ i ≤ mÞ:
: 1
>
: ∗o2 �v ∗o2 �o1 0o2 �o2
0; ðotherwiseÞ:
Similarly, the matrices corresponding to S and T can be
Then, the complexity of solving the system written as follows:
g1 = ⋯ = gm = 0 is estimated by
0 1
� � Iv 0v�o1 0v�o2
min 3 ⋅ M 2D ⋅ maxfN1 ; N2 ; N3 g : S ¼ @ ∗o1 �v Io1 0o1 �o2 A;
D∈D
∗o2 �v ∗o2 �o1 Io2 ð3Þ
Note that since a bi‐degree of regularity D is not unique � �
I 0o1 �o2
for g1,…,gm in general, we need to take the minimum in the T ¼ o1 :
∗o2 �o1 Io2
complexity estimation.
Remark 7 The idea of the estimation described in this sub-

Remark 8 It is known that the security of Rainbow does not
section was given by Smith‐Tone et al. [35]. In fact, they gave a
decrease, even if S and T are taken in the form in Equa-
complexity estimation of the bi‐graded systems that appears in
tion (3). Therefore, S and T are set to be in the form in
the RBS attack based on this idea. However, the complexity
Equation (3), which reduces the secret key size.
estimation we explained herein has not been sufficiently
investigated for general bi‐graded systems. It is noteworthy
The symmetric matrices P1, …, Pm corresponding to the
that a few studies regarding general bilinear systems (namely,
public polynomials p1, …, pm are given as
bi‐degree (1, 1)) have been reported in Ref. [54, 55]. Faugére
et al. studied bilinear systems for under‐determined cases in
ðP 1 ; …; P m Þ ¼ ðSF1 t S; …; SFm t SÞ ⋅ T : ð4Þ
Ref. [55] using the F5 algorithm [16]. Meanwhile, Baena et al.
studied them for over‐determined cases in Ref. [54]. Baena
et al. considered the behaviour of bilinear polynomials According to the form in Equation (3), there exists an n‐
g1 ; …; gm ∈ Fq ½x; y� when only the terms in y are multiplied by‐1 vector
into g1, …, gm, and then they defined the y‐semi‐regularity and
y‐degree of regularity. The exact complexity between our study s ¼ ðλ1 ; …; λvþo1 ; 0; …; 0; 1Þ
and those of the abovementioned studies should be compared
in the future. such that
s ⋅ S ¼ ð0; …; 0; 1Þ:
5.3 | RBS attack and its new analysis
Then, for i = 1, …, m, we have
In this subsection, we describe the RBS attack [28] against the
Rainbow scheme [11]. As stated above, the complexity esti- s ⋅ SFi t S⋅t s ¼ ð0; …; 0; 1Þ ⋅ Fi ⋅t ð0; …; 0; 1Þ ¼ 0:
mation of solving bi‐graded polynomial systems is developed
via the analysis of the RBS attack. First, we explain the RBS Since each Pk is a linear combination of
attack. Then, based on Section 5.2, we explain a new
complexity estimation of the RBS attack following Smith‐Tone SF1 t S; …; SFm t S;
et al. [35].
we obtain the equations in λ1 ; …; λvþo1 :
5.3.1 | RBS attack s ⋅ P k ⋅ t s ¼ 0; k ¼ 1; …; m: ð5Þ
Let (v, o1, o2) be the Rainbow parameter set described in By the form in Equation (3), there exists an m‐by‐1 vector
Section 2.2, and let n = v + o1 + o2 and m = o1 + o2. For a
Rainbow public key P ¼ ðp1 ; …; pm Þ, the RBS attack recovers
its secret key ðF ; T ; SÞ as follows: According to the definition t ¼ ð1; 0…; 0; λvþo1 þ1; …; λvþo1 þo2 Þ
IKEMATSU ET AL.
- 221
such that semi‐regular. However, it is known in Ref. [33] in 2012 that the
RBS dominant system does not behave as a semi‐regular sys-
T ⋅t t ¼ t ð1; 0; …; 0Þ: tem in some experiments.
In 2020, Nakamura et al. [34] and Smith‐Tone et al. [35]
Then, by multiplying Equation (4) by tt, we obtain independently analysed the RBS dominant system by focussing
on the bi‐graded structure. The following estimation is given
o2
X by Smith‐Tone et al. [35]. The RBS dominant system consists
P1 þ λvþo1 þiP o1 þi ¼ SF1 t S: of m polynomials with bi‐degree (2, 0) and n − 1 polynomials
i¼1
with bi‐degree (1, 1). Then the complexity of solving the RBS
dominant system can be estimated by
Moreover, multiplying this equation by s, we have
� ��
mþ1
o2
X min 3 ⋅ M 2D ⋅ max þ m þ 1; ðm þ 1Þn :
s ⋅ P1 þ λvþo1 þis ⋅ P o1 þi ¼ s ⋅ SF1 t S ¼ ð0; …; 0Þ: D∈D 2
i¼1
Here D is computed using
Consequently, for k = 1, …, n − 1, we obtain the following
equations in λ1, …, λn: � n−1
∏m
i¼1 1 − t1 ∏i¼1 ð1 − t1 t2 Þ
2
o2
X ð1 − t1 Þvþo1 ð1 − t2 Þo2
t t
s ⋅ P 1 ⋅ ek þ λvþo1 þis ⋅ P o1 þi ⋅ ek ¼ 0; ð6Þ
i¼1 as in Lemma 3, and MD is given by Lemma 4 as n1 = v + o1
� and n2 = o2.
where ek is the n‐by‐1 vector 0; …; 0; 1k ; 0; …; 0 . Here, we
remove the case k = n because Equation (6) for k = n follows Remark 9 The two‐variable power series Equation (2) was
Equation (5). introduced by Nakamura et al. [34] and Smith‐Tone et al. [35]
Clearly, Equation (5) is a bi‐graded system with bi‐degree independently. Nakamura et al. [34] introduced Equation (2) as
(2, 0) and Equation (6) is a bi‐graded system with bi‐degree an analogy of the power series of Equation (1) in Lemma 1 and
(1, 1) with respect to fλ1 ; …; λvþo1 g, fλvþo1 þ1; …; λn g. Sys- confirmed that dmax of the RBS dominant system can be
tem Equations (5) and (6) consist of n + m − 1 quadratic bi‐ approximated using the power series in Equation (2). Subse-
graded equations in n variables. By solving the quadratic sys- quently, Nakamura [36] arranged the theoretical background of
tem, an attacker can recover a part of the secret key S and T, the power series in Equation (2) by extending the studies of
namely s and t, respectively. The RBS attack can recover S and Diem [37] and Bardet et al. [19], for example, by using the idea of
T by repeating a similar process (see Ref. [28] for details). bi‐graded semi‐regularity and so on. On the other hand, Smith‐
Because the complexity of the RBS attack is dominated by that Tone et al. [35] introduced the power series in Equation (2) based
of solving the bi‐graded quadratic system, it is sufficient to on two assumptions regarding maximal rank conjectures. It will
treat only the system. We refer to the quadratic system con- be necessary to study the relationship between bi‐graded semi‐
sisting of Equations (5) and (6) as the RBS dominant system. regularity and the two assumptions for further analysis. The
complexity estimation of the bi‐graded semi‐regular system in
this section follows the idea of Smith‐Tone et al. [35]. Since the
5.3.2 | Complexity estimation study of the bi‐graded systems and their complexities have just
begun, further research will be needed.
We first recall the complexity analysis of the RBS attack in the
second round submission [56] of the NIST PQC stand-
ardisation project regarding the Rainbow scheme. As seen 6 | RECTANGULAR MINRANK ATTACK
above, the RBS dominant system consists of n variables and
n + m − 1 quadratic equations. In Ref. [56], the complexity of In this section, we explain the rectangular MinRank attack [29]
solving the RBS dominant system was estimated using the against the Rainbow scheme proposed by Beullens. This attack
hybrid version of the Wiedemann XL approach in Section 4.4 is carried out by deforming the MinRank problem associated
as follows: with the Rainbow scheme to another MinRank problem and by
8 0 12 9 solving it using the support minor modelling method proposed
� �=
< n þ d ðn−k;nþm−1Þ n−k
by Bardet et al. [26].
qk ⋅ 3@
reg
min A : In Section 6.1, we briefly explain the support minor
0≤k≤n: d ðn−k;nþm−1Þ 2 ;
reg modelling method [26] that solves the MinRank problem. In
Section 6.2, we prepare some notations to explain the rect-
Namely, in Ref. [56] the complexity of the RBS dominant angular MinRank attack in terms of matrix representations. In
system was estimated without using the bi‐graded structure Section 6.3, we describe the rectangular MinRank attack using
and based on the assumption that the RBS dominant system is matrix representation. In Section 6.4, we explain the
222
- IKEMATSU ET AL.
complexity estimation of the rectangular MinRank attack in P mi;δj of M is a linear combination

Here, the (i, δj)‐component
Ref. [29]. of a1, …, as since M ¼ si¼1 ai Mi . As a result, putting two sets
of variables a = {a1, …, as} and b ¼ fbΔ0 gΔ0 , we have that cΔ,i
is a quadratic bi‐graded homogeneous polynomial in Fq ½a; b�
6.1 | Support minor modelling method with bi‐degree (1, 1).
The support minor modelling method finds a low‐rank
In this subsection, we briefly explain the support minor matrix M by solving the system of bi‐graded homogeneous
modelling method [26] to solve the MinRank problem, which equations in variables a, b:
is an improvement of the minor modelling method [27].
Recall the MinRank problem: Given s matrices cΔ;i ða; bÞ ¼ 0 ðΔ ⊂ f1; …; ug; 1 ≤ i ≤ tÞ:
M1 ; …; Ms ∈ Ft�u
q and an integer r > 0, find a non‐trivial Fq ‐ � � � �
P u u
linear combination M ¼ si¼1 ai Mi with Rank(M) ≤ r. This system consists of t
rþ1
equations in s þ
r
Let M ∈ Ft�u
q be a correct solution for the MinRank variables.
problem and w1, …, wr be a set of row vectors of M such that Next, we recall the complexity estimation for solving such a
the following r‐by‐u matrix W has the same rank as M: bi‐graded system in Ref. [26]. We assume that the system has only
one non‐trivial solution up to a scalar multiple. Let J be the
1 00 1 homogeneous ideal in Fq ½a; b� generated by the system cΔ,i(a, b).
w1 w11 w12 … w1u
W ≔@ ⋮ A¼@ ⋮ ⋮ ⋱ ⋮ A ∈ Fr�u : For d ∈ N, we define Jðd;1Þ ≔ Fq ½a; b�ðd;1Þ ∩ J as in Section 5.1.
wr wr1 wr2 … wru By an easy computation, we have
� ��
u sþd−1
Then, any row vector mi = (mi1, …, miu) of M is a linear dimFq Fq ½a; b�ðd;1Þ ¼ :
r d
combination of w1, …, wr, and the following (r + 1)‐by‐u
matrix W(i) is of rank ≤r:
Let dmin be the smallest integer d such that
0 1
mi
B w1 C dimFq Fq ½a; b�ðd;1Þ =Jðd;1Þ ¼ 1:
W ðiÞ ≔ B C
@ ⋮ A:
wr When dmin < min{r + 2, q}, Bardet et al. [26] estimate the
dimension of dimFq Fq ½a; b�ðd;1Þ =Jðd;1Þ for d ≤ dmin by con-
Thus, each minor of order (r + 1) of W(i) is zero. The structing syzygies of the system as follows:
support minor modelling method constructs quadratic equa-
tions from this fact. dim Fq ½a; b�ðd;1Þ =Jðd;1Þ
Let Δ = (δ1, …, δr+1) be a subset of the index of column � ��
{1, …, u} with cardinality r + 1, where δ1 < … < δr+1. For any u sþd−1
¼
1 ≤ i ≤ t, the minor cΔ,i of W(i) corresponding to Δ is written r d
as follows: � ��
Pd iþ1 u tþi−1 sþd−i−1
0 1 − i¼1 ð−1Þ ;
mi;δ1 mi;δ2 … mi;δrþ1 rþi i d−i
Bw w1;δ2 … w1;δrþ1 C
B 1;δ1 C
cΔ;i ≔ detB C when the right‐hand side is ≥2. Otherwise, the coefficient is 1.
@ ⋮ ⋮ ⋱ ⋮ A
wr;δ1 wr;δ2 … wr;δrþ1 Then, by identifying each term in Jðdmin ;1Þ as a new variable, we
0 1 obtain a linear system with one‐dimensional solution space. By
j applying the Wiedemann XL approach to the linear system, we
rþ1
X B w1;δ1 w1;δ2 … w1;δrþ1 C
̌
can solve the bi‐graded system cΔ,i = 0. Therefore, the
¼ ð−1Þjþ1 mi;δj ⋅ detB
@ ⋮ ⋮ ⋱ ⋮ A:
C
j¼1
complexity of the support minor modelling method [26] is
wr;δ1 wr;δ2 … wr;δrþ1 given by
j �� 2
Here, ˇ shows that the j‐th column vector is removed. u s þ d min − 1
3sðr þ 1Þ :
For Δ0 ⊂ {1, …, u} with cardinality r, we denote by bΔ0 the r d min
minor of W corresponding to Δ0 . For instance, the determinant
of the matrix in the second line in the definition of cΔ,i is
written as bΔnfδj g. Thus, we have the equality: 6.2 | Matrix deformation
rþ1
As stated in Section 2.4, the security of the Rainbow scheme is
X jþ1
cΔ;i ¼ ð−1Þ mi;δj ⋅ bΔnfδj g: reduced to an instance of the MinRank problem. The basic
j¼1 idea behind the rectangular MinRank attack [29] is to reveal
IKEMATSU ET AL.
- 223
another instance of the MinRank problem lurking in the Since F~ vþo1 þ1; …; F~ n are of rank ≤o2, we have another
Rainbow scheme, which is different from the instance stated in instance of the MinRank problem. Beullens [29] proposed a
Section 2.4. Beullens [29] explained this idea using the poly- key recovery attack based on this MinRank problem against the
nomial maps P and its polar forms. However, this idea can be Rainbow scheme. This is called the rectangular MinRank
explained in terms of the symmetric matrices of P. For this attack.
purpose, we prepare some notations and a lemma in this More precisely, this attack is slightly modified in Ref. [29] as
subsection. follows. With a high probability, there exists an n‐by‐1 vector
Let (Q1, …, Qm) be a set of n‐by‐n matrices over Fq , and
ðjÞ
qi denotes the j‐th column vector of Qi, namely, a ¼ ða1 ; …; avþo1 þ1; 0; …; 0Þ ∈ Fnq
� vþo1 �
� � zfflffl }|fflffl { zfflfflffl}o|ffl
2
fflffl{
Qi ¼ qð1Þ
i
ð2Þ
qi … qi
ðnÞ
∈ Fn�n
q :
such that a ⋅ S ¼ 0; …; 0 ; ∗; …; ∗ : Then, we show that
� � vþo
X 1 þ1 � � �
Then, we define the new set ~ ; …; Q
Q ~ of n‐by‐m ~i ¼ P
ai P ~ n ⋅t a ¼ SF~ 1 T ; …; SF~ n T ⋅t ða ⋅ SÞ
~ 1 ; …; P
1 n
matrices as follows: i¼1
� �
~ ≔ qð1Þ
Q1 1
ð1Þ
q2 … qð1Þ
m
; is a linear combination of SF~ vþo1 þ1T ; …; SF~ n T . Thus, since
� � this matrix is of rank ≤o
~ ≔ qð2Þ �2, the vector a �gives a solution to the
Q ð2Þ
q2 … qð2Þ ; ~ 1 ; …; P
~ vþo þ1 with the target rank
2 1 m MinRank problem for P 1
⋮ o2. Moreover, for i = 1, …, m, we have
� �
~ ≔ qðnÞ
Q ðnÞ
q2 … qðnÞ :
n 1 m
� � p1 ðaÞ ¼ ⋯ ¼ pm ðaÞ ¼ 0;
We call Q ~ ; …; Q
~ the matrix deformation of
1 n
(Q1, …, Qm). Then the following lemma can be easily proven: where P ¼ ðp1 ; …; pm Þ is a public key of the Rainbow scheme.
As a result, the vector a is a common solution of the
Lemma 5 Let S be an n‐by‐n matrix and T be an m‐by‐m following problems:
matrix. Then the matrix deformation of
ðSQ1 t S; …; SQm t SÞ ⋅ T is given by ðiÞ p1 ðaÞ ¼ ⋯ ¼ pm ðaÞ ¼ 0� for public key �
P ¼ ðp1 ; …; pm Þ;
� � ~ ~
ðiiÞ MinRank problem for P 1 ; …; P vþo þ1 with rank r ¼ o2 :
SQ ~ T ⋅t S:
~ T ; …; SQ 1
1 n
The rectangular MinRank attack finds a common solution

The rectangular MinRank attack can be explained based on a of the above problems (i) and (ii).
this lemma.
6.4 | Complexity estimation

6.3 | Rectangular MinRank attack
In this subsection, we explain the complexity estimation of the
Let (P1, …, Pm) be the set of n‐by‐n symmetric matrices of the rectangular MinRank attack, namely finding a solution a to
public key of the Rainbow scheme in Section 2.2. Then, by problems (i) and (ii). We assume that a solution a is unique up
Lemma 5, we obtain to a scalar multiple. Let J be the homogeneous ideal in Fq ½a; b�
� � generated by the support minor modelling method for Min-
�
P ~ n ¼ SF~ 1 T ; …; SF~ n T ⋅t S:
~ 1 ; …; P Rank problem (ii). The dimension of Fq ½a; b�ðd;1Þ =Jðd;1Þ for
d ≤ dmin is given in Section 6.1 when dmin < min{o2 + 2, q}.
Let J0 be the homogeneous ideal in Fq ½a; b� generated by J and
Here, F~ i has the following form: p1(a), …, pm(a). Beullens computes the dimension of
80 1 Fq ½a; b�ðd;1Þ =J 0ðd;1Þ under a generic assumption [29]. In the
> ∗v�o1 ∗v�o2
>
>@∗ following, we explicitly describe the generic assumption. Let
>
>
> o1 �o1 ∗o1 �o2 A ð1 ≤ i ≤ vÞ; HJ(t) be the partial Hilbert series of J with respect to (*, 1),
>
> 0 ∗o2 �o2
>
> o2 �o1 namely
>
> 0 1
>
>
< ∗v�o1 ∗v�o2
F~ i ¼ @ 0o1 �o1 ∗o1 �o2 A ðv þ 1 ≤ i ≤ v þ o1 Þ; X� �
>
> HJ ðtÞ ≔ dim Fq ½a; b�ðd;1Þ =Jðd;1Þ ⋅ td :
>
> 0o2 �o1 ∗o2 �o2
>
> 0 1 d
>
>
> 0v�v
> ∗v�o2
>
>
>
>
:
@ 0o1 �v ∗o1 �o2 A ðv þ o1 þ 1 ≤ i ≤ nÞ: Similarly, we define HJ0 (t) for J0 . From Section 6.1, the
0o2 �v 0o2 �o2 coefficient of td in HJ(t) is
224
- IKEMATSU ET AL.
dim Fq ½a; b�ðd;1Þ =Jðd;1Þ Rainbow scheme is one of the most influential multivariate
schemes owing to its selection as a finalist in the third round of
� ��
m v þ o1 þ d the NIST PQC standardisation project, and thus some recent
¼
o2 d progress in MPKC has been made via the security analysis of
� �� the Rainbow scheme.
P m nþi−1 v þ o1 þ d − i
− di¼1 ð−1Þiþ1 ; Considering this situation, we mainly provided a survey on
o2 þ i i d−i the following topics: the state‐of‐the‐art approaches for solv-
ð7Þ ing a polynomial system used in MPKC and two recently
improved attacks on the Rainbow scheme, namely the RBS
attack using the bi‐graded polynomial system in the studies of
when the right‐hand side is ≥2. Otherwise, the coefficient is 1.
0 Nakamura et al. and Smith‐Tone et al. and the rectangular
Let d min be the smallest integer d such that the coefficient
MinRank attack proposed by Beullens.
of degree d of HJ0 (t) is 1. Under the following generic
In particular, we defined the semi‐regularity of the bi‐
assumption, we can compute HJ0 (t) and d 0min from HJ(t).
graded systems based on the work of Nakamura and
explained the complexity estimation for solving a bi‐graded
Lemma 6 For 1 ≤ i ≤ m, let J(i) be the ideal generated by J and
system based on the idea of Smith‐Tone et al. Moreover,
p1(a), …, pi(a). Assume that for any 1 ≤ i ≤ m − 1 and any
0 we provided another description for the rectangular MinRank
d < d min , the following map is injective:
attack, which was originally proposed by Beullens, based on a
ðiÞ ðiÞ matrix representation. By explicitly describing the generic
Fq ½a; b�ðd−2;1Þ =J ðd−2;1Þ ∋ h ↦ h ⋅ piþ1 ðaÞ ∈ Fq ½a; b�ðd;1Þ =J ðd;1Þ :
assumption for the bi‐graded system appearing in the rect-
angular MinRank attack, we reconfirmed the complexity
Then, we have estimation of solving the bi‐graded system of the attack.
� �m �þ
HJ 0 ðtÞ ¼ 1 − t2 ⋅ HJ ðtÞ ; ð8Þ We believe this survey will be useful for future de-
velopments in MPKC research.
�P �
i þ
P i
P i
where [ ⋅ ]+ means i ci t ≔ i<i0 ci t þ i≥i0 t and
i0 ≔ min{i | ci ≤ 1}. A C K N OWL E D G EM E N TS
This work was supported by JST CREST Grant Number
Thus, if the assumption of Lemma 6 is satisfied, then d min
0 JPMJCR2113 and JSPS KAKENHI Grant Number
is computed from the explicit Equation (8) of HJ0 (t) in JP19K20266, JP20K19802.
Lemma 6. This lemma follows from similar discussions of the
proofs for Lemmas 1 and 3 (see Refs. [19, 36]). C O N F L I C T O F I N TE R E S T
Then, by identifying each term in J 0ðd0 ;1Þ as a new vari- The authors declared that they have no conflicts of interest to
min this work.
able, we obtain a linear system with one‐dimensional solution
space. By applying the Wiedemann XL approach to the linear DATA AVAI L AB I LI TY S TAT E M E N T
system, we can find a common solution to problems (i) and (ii). Data sharing is not applicable to this article as no datasets were
Therefore, the complexity of the support minor modelling generated or analysed during the current study.
method is given by
!!2 O R CI D
� �
m v þ o1 þ d min
0
Yasuhiko Ikematsu https://orcid.org/0000-0002-9714-
3ðo2 þ 1Þðn þ o1 þ 1Þ : ð9Þ
o2 d 0min 2675
Remark 10 Beullens [29] mentioned that when the character- R E FE R E N C E S

1. Shor, P.: Polynomial‐time algorithms for prime factorization and discrete
istic of Fq is 2, the above estimation of dim Fq ½a; b�ðd;1Þ =Jðd;1Þ
logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509
does not hold because of some syzygies of the system. To (1997). https://doi.org/10.1137/s0097539795293172
avoid this situation, Beullens [29] removes the first rows in 2. Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post‐quantum Cryp-
matrices P~ 1 ; …; P
~ vþo þ1 in MinRank problem (ii) and experi- tography. Springer, Heidelberg (2009)
1
mentally confirms that the estimation holds. Then, the 3. National Institute of Standards and Technology: Post‐quantum cryp-
complexity estimation in this case is given by changing n to tography standardization. https://csrc.nist.gov/projects/post‐quantum‐
cryptography
n − 1 in Equations (7) and (9). 4. Ding, J., Petzoldt, A., Schmidt, D.S.: Multivariate Public Key Crypto-
systems, 2nd edn. Springer, New York (2020)
5. Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the
Theory of NP‐Completeness. W.H. Freeman and Company, New York
7 | CONCLUSION (1979)
6. Matsumoto, T., Imai, H.: Public quadratic polynomial‐tuples for efficient
In this paper, we surveyed some recent progress in the security signature‐verification and message‐encryption. In: EUROCRYPT 1988,
analysis of MPKC, which is a leading candidate for PQC. The LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)
IKEMATSU ET AL.
- 225
7. Patarin, J.: Hidden field equations (HFE) and isomorphisms of 30. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases
polynomials (IP): two new families of asymmetric algorithms. In: (F4). J. Pure Appl. Algebra. 139(1–3), 61–88 (1999). https://doi.org/10.
EUROCRYPT 1996, LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg 1016/s0022‐4049(99)00005‐5
(1996) 31. Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE
8. Casanova, A., et al.: GeMSS: A Great Multivariate Short Signature. Trans. Inf. Theory. 32(1), 54–62 (1986). https://doi.org/10.1109/tit.1986.
Specification document of NIST PQC 2nd round submission package 1057137
(2019) 32. Ars, G., et al.: Comparison between XL and Gröbner basis algorithms. In:
9. Ding, J., et al.: Gui. Technical report. National Institute of Standards and ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg
Technology. Post‐Quantum Cryptography. https://csrc.nist.gov/ (2004)
Projects/Post‐Quantum‐Cryptography/Round‐1‐submissions 33. Thomae, E.: A Generalization of the Rainbow Band Separation Attack
10. Kipnis, A., Patarin, L., Goubin, L.: Unbalanced oil and vinegar schemes. and Its Applications to Multivariate Schemes. IACR Cryptology ePrint
In: EUROCRYPT 1999, LNCS, vol. 1592, pp. 206–222. Springer, Hei- Archive (2012). https://eprint.iacr.org/2012/223. Accessed 22
delberg (1999) September 2020
11. Ding, J., Schmidt, D.S.: Rainbow, a new multivariate polynomial signature 34. Nakamura, S., et al.: New complexity estimation on the rainbow‐band‐
scheme. In: ACNS 2005, LNCS, vol. 3531, pp. 164–175. Springer, Hei- separation attack. Theor. Comput. Sci. 896, 1–8 (2021). https://doi.
delberg (2005) org/10.1016/j.tcs.2021.09.043
12. Ding, J., et al.: Rainbow. Technical report. National Institute of Standards 35. Smith‐Tone, D., Perlner, R.A.: Rainbow Band Separation Is Better Than
and Technology. Post‐Quantum Cryptography. https://csrc.nist.gov/ We Thought. IACR Cryptology ePrint Archive, 2020/702 (2020)
Projects/Post‐Quantum‐Cryptography/Round‐3‐submissions 36. Nakamura, S.: Formal Power Series on Algebraic Cryptanalysis. arXiv.org
13. Sakumoto, K., Shirai, T., Hiwatari, H.: Public‐key identification schemes e‐Print archive (30 July 2020). arXiv. https://arxiv.org/abs/2007.14729
based on multivariate quadratic polynomials. In: CRYPTO 2011, LNCS, 37. Diem, C.: Bound of regularity. J. Algebra. 423, 1143–1160 (2015). https://
vol. 6841, pp. 706–723. Springer, Heidelberg (2011) doi.org/10.1016/j.jalgebra.2014.09.029
14. Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of 38. Tao, C., et al.: Simple matrix scheme for encryption. In: PQCrypto 2013,
Eurocrypt 88. In: CRYPTO 1995, LNCS, vol. 963, pp. 248–261. Springer, LNCS, vol. 7932, pp. 231–242. Springer, Heidelberg (2013)
Heidelberg (1995) 39. Porras, J., Baena, J., Ding, J.: ZHFE, a new multivariate public key
15. Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature encryption scheme. In: PQCrypto 2014, LNCS, vol. 8772, pp. 229–245.
scheme. In: CRYPTO 98, LNCS, vol. 1462, pp. 257–266. Springer, Springer, Heidelberg (2014)
Heidelberg (1998) 40. Szepieniec, A., Ding, J., Preneel, B.: Extension field cancellation: a new
16. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases central trapdoor for multivariate quadratic systems. In: PQCrypto 2016,
without reduction to zero (F5). In: ISSAC 2002, pp. 75–83 (2002) LNCS, vol. 9606, pp. 182–196. Springer, Heidelberg (2016)
17. Patarin, J.: HFE first challenge. http://www.minrank.org/hfe/% 41. Ikematsu, Y., et al.: HFERP – a new multivariate encryption scheme. In:
23challenge (1996) PQCrypto 2018, LNCS, vol. 10786, pp. 396–416. Springer, Heidelberg
18. Faugére, J.C., Joux, A.: Algebraic cryptanalysis of hidden field equation (2018)
(HFE) cryptosystems using Gröbner bases. In: CRYPTO 2003, LNCS, 42. Patarin, J.: The oil and vinegar algorithm for signatures. In: Dagstuhl
vol. 2729, pp. 44–60 (2003) Workshop on Cryptography (September 1997)
19. Bardet, M., et al.: Asymptotic behavior of the index of regularity of 43. Beullens, W.: Breaking rainbow takes a weekend on a laptop. In: IACR
quadratic semi‐regular polynomial systems. In: 8th International Sympo- Cryptology ePrint Archive (2022). https://eprint.iacr.org/2022/214.pdf
sium on Effective Methods in Algebraic Geometry (MEGA), pp. 1–14 44. Chen, M.S., et al.: From 5‐pass MQ‐based identification to MQ‐based
(2005) signatures. In: ASIACRYPT 2016, LNCS, vol. 10032, pp. 135–165.
20. Dubois, V., Gamma, N.: The degree of regularity of HFE systems. In: Springer, Heidelberg (2016)
Asiacrypt 2010, LNCS, vol. 6477, pp. 557–576. Springer, Heidelberg 45. Chen, M.S., et al.: MQDSS. Technical report. National Institute of
(2010) Standards and Technology. Post‐Quantum Cryptography. https://csrc.
21. Granboulan, L., Joux, A., Stern, J.: Inverting HFE is quasipolynomial. In: nist.gov/Projects/Post‐Quantum‐Cryptography/Round‐3‐submissions
CRYPTO 2006, LNCS, vol. 4117, pp. 345–356. Springer, Heidelberg 46. Courtois, N.T.: Efficient zero‐knowledge authentication based on a linear
(2006) algebra problem MinRank. In: ASIACRYPT 2001, LNCS, vol. 2248, pp.
22. Ding, J., Hodges, T.J.: Inverting HFE systems is quasi‐polynomial for all 402–421. Springer, Heidelberg (2001)
fields. In: CRYPTO 2011, LNCS, vol. 6841, pp. 724–742. Springer, 47. Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des
Heidelberg (2011) Restklassenrings nach einem nulldimensionalen Polynomideal. PhD
23. Ding, J., Yang, B.Y.: Degree of regularity for HFEv and HFEv‐. thesis. Universität Innsbruck (1965)
In: PQCrypto 2013, LNCS, vol. 7932, pp. 52–66. Springer, Heidelberg 48. Faugére, J.C., et al.: Efficient computation of zero‐dimensional Gröbner
(2013) bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993).
24. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem https://doi.org/10.1006/jsco.1993.1051
by relinearization. In: CRYPTO 99, LNCS, vol. 1666, pp. 19–30. Springer, 49. Courtois, N., et al.: Efficient algorithms for solving overdefined systems
Heidelberg (1999) of multivariate polynomial equations. In: EUROCRYPT 2000, LNCS, vol.
25. Buss, J., Frandsen, G., Shallit, J.: The computational complexity of some 1807, pp. 392–407 (2000)
problems of linear algebra. J. Comput. Syst. Sci. 58(3), 572–596 (1999). 50. Coppersmith, D.: Solving homogeneous linear equations over GF(2) via
https://doi.org/10.1006/jcss.1998.1608 block Wiedemann algorithm. Math. Comput. 62(205), 333–350 (1994).
26. Bardet, M., et al.: Improvements of algebraic attacks for solving the rank https://doi.org/10.2307/2153413
decoding and MinRank problems. In: International Conference on the 51. Yang, B.Y., et al.: Analysis of QUAD. In: FSE 2007, LNCS, vol. 4593, pp.
Theory and Application of Cryptology and Information Security (2020) 290–308. Springer, Heidelberg (2007)
27. Faugère, J.C., Safey El Din, M., Spaenlehauer, P.J.: Computing loci of rank 52. Verbel, J.A., et al.: On the complexity of “superdetermined” MinRank
defects of linear matrices using Gröbner bases and applications to instances. In: PQCrypto 2019, LNCS, vol. 11505, pp. 167–186. Springer,
cryptology. In: ISSAC 2010, pp. 257–264 (2010) Heidelberg (2019)
28. Ding, J., et al.: New differential‐algebraic attacks and reparametrization of 53. Bettale, L., Faugère, J.C., Perret, L.: Hybrid approach for solving multi-
Rainbow. In: ACNS 2008, LNCS, vol. 5037, pp. 242–257. Springer, variate systems over finite fields. J. Math. Cryptol. 3, 177–197 (2009).
Heidelberg (2008) https://doi.org/10.1515/jmc.2009.009
29. Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: EURO- 54. Baena, J., Cabarcas, D., Verbel, J.: On the Complexity of Solving Generic
CRYPT 2021, LNCS, vol. 12696, pp. 348–373. Springer, Heidelberg Over‐Determined Bilinear Systems. arXiv:2006.09442. https://arxiv.org/
(2021) abs/2006.09442
226
- IKEMATSU ET AL.
55. Faugère, J.C., Safey El Din, M., Spaenlehauer, P.J.: Gröbner bases of
bihomogeneous ideals generated by polynomials of bidegree (1, 1): al- How to cite this article: Ikematsu, Y., Nakamura, S.,
gorithms and complexity. J. Symb. Comput. 46(4), 406–437 (2011). Takagi, T.: Recent progress in the security evaluation
https://doi.org/10.1016/j.jsc.2010.10.014 of multivariate public‐key cryptography. IET Inf. Secur.
56. Ding, J., et al.: Rainbow. Technical report. National Institute of 17(2), 210–226 (2023). https://doi.org/10.1049/ise2.
Standards and Technology. Post‐Quantum Cryptography. https://
csrc.nist.gov/Projects/Post‐Quantum‐Cryptography/Round‐2‐submiss
12092
ions

IET Information Security - 2022 - Ikematsu - Recent Progress in The Security Evaluation of Multivariate Public Key

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IET Information Security - 2022 - Ikematsu - Recent Progress in The Security Evaluation of Multivariate Public Key

Uploaded by

Copyright:

Available Formats

Received: 11 November 2021

- IET Information Security

Recent progress in the security evaluation of multivariate

Yasuhiko Ikematsu1 | Shuhei Nakamura2 | Tsuyoshi Takagi3

210 IET Inf. Secur. 2023;17:210–226. wileyonlinelibrary.com/journal/ise2

2.1 | General construction

Let n, m be positive integers and Fq be a finite field with q

P : Fnq ∋ v ↦ ðp1 ðvÞ; …; pm ðvÞÞ ∈ Fm

Such a map is called a quadratic (polynomial) map.

T A B L E 1 The parameters of the

2.4 | MinRank problem x ⋅ G⋅ t x ¼ 2gðxÞ:

3 | SOLVING MULTIVARIATE It is known that the dominant complexity in the above

I ≔ 〈g1 ; …; gm 〉 ⊂ Fq ½x�: where 2 < ω ≤ 3 is a linear algebra constant. Therefore, it is

3.2 | Wiedemann XL approach 4 | COMPLEXITY OF SOLVING MQ

! (i) Semi‐regular case

We call an element of D a bi‐degree of regularity for

Remark 7 The idea of the estimation described in this sub-

5.3.1 | RBS attack s ⋅ P k ⋅ t s ¼ 0; k ¼ 1; …; m: ð5Þ

complexity estimation of the rectangular MinRank attack in P mi;δj of M is a linear combination

The rectangular MinRank attack finds a common solution

6.4 | Complexity estimation

Remark 10 Beullens [29] mentioned that when the character- R E FE R E N C E S

You might also like