BMQE SYSTEM
A MQ Equations System based on Ergodic Matrix
Xiaoyi Zhou (1,2), Jixin Ma (1), Wencai Du (2), Bo Zhao (3), Miltos Petridis (1) and Yongzhe Zhao (4)
(1) School of Computing and Mathematical Science, University of Greenwich, 30 Park Row, SE10 9LS, London, U.K.
(2) School of Computer Science and Technology, Hainan University, 58 Renmin Avenue, 570228 Haikou, Hainan, China
(3) College of Computer Science and Technology, Huazhong University of Science and Technology, 430074, Wuhan, Hubei, China
(4) College of Computer Science and Technology, Jilin University, 2699 Qianwei Street, 130012, Changchun, Jilin, China
Keywords: Ergodic Matrix, Bisectional, Multivariate Quadratic, Fixing Variables, NP-hard.
Abstract: In this paper, we propose a multivariate quadratic (MQ) equation system based on ergodic matrices (EM) over a finite field with q elements (denoted $\mathbb{F}_q$). The system contains a problem to which the well-known Graph 3-Coloring problem reduces, and solving it is therefore NP-hard for attackers. The complexity of a bisectional multivariate quadratic equation (BMQE) system is determined by the number of variables, the number of equations and the number of elements of $\mathbb{F}_q$, denoted n, m and q respectively. The paper shows that, if the number of equations m is at least 2n and $q^n$ is large enough, the system is complicated enough to resist most of the existing attacking schemes.
1 INTRODUCTION
Public key cryptography has prevailed ever since Diffie and Hellman published their paper “New Directions in Cryptography” (Diffie and Hellman, 1976). Public key algorithms were developed in the following years, e.g., RSA and ECC. The first is based on the problem of factoring large integers (1024 bits and more), the latter on the discrete logarithm problem; both are computationally hard for the best known algorithms and computers. Unfortunately, these algorithms all rest on either factoring or discrete logarithms, so the “crypto-eggs” are in one basket, which is dangerous. Furthermore, techniques for factorization and for solving discrete logarithms improve constantly: for example, polynomial-time quantum algorithms (Shor, 1997) solve both problems, so these schemes are threatened by quantum computers (if they are built). Thus new cryptographic schemes are needed to take the place of the traditional ones.
At present, the most promising substitute is based on the problem of solving Multivariate Quadratic equations (the MQ problem) over finite fields (Wolf, 2005). A multivariate quadratic polynomial in n variables over a finite field $\mathbb{F}_q$ is a polynomial $P(x)$ of degree 2 of the form
$$P(x) = \sum_{1 \le i \le j \le n} \alpha_{ij}\, x_i x_j + \sum_{i=1}^{n} \beta_i\, x_i + \gamma$$
with coefficients $\alpha_{ij}$, $\beta_i$ and $\gamma$ in $\mathbb{F}_q$ (Arditti et al., 2007).
This is also a research hotspot of the new generation of public key cryptography. Research in this direction can be traced back to the 1980s, and efforts have been made to test its security since then. The well-known schemes can be classified into Unbalanced Oil and Vinegar (UOV) (Baena et al., 2008), Stepwise Triangular Systems (STS) (Wolf et al., 2006), the Matsumoto-Imai scheme (MIC) (Patarin, 1998), Hidden Field Equations (HFE) (Hamdi et al., 2006) and ℓ-Invertible Cycles (ℓIC) (Ding & Wagner, 2008).
The advantages of MQ-based public key cryptography schemes (MPKCs) are mainly their fast encryption (or signature verification) and their resistance to quantum attacks. Nonetheless, apart from UOV with proper parameter values, the basic forms of these schemes are considered insecure: HFE was broken by Aviad Kipnis and Adi Shamir (Kipnis & Shamir, 1999), and STS was broken by Christopher Wolf et al. (Wolf et al., 2004). As a result, revised MQ-based schemes have been proposed, including HFEv-, MIAi+, UOV/, STS (UOV), (ICi+), etc. (Patarin et al., 1998; Ding & Schmidt, 2006; Ding et al., 2005).

Zhou X., Ma J., Du W., Zhao B., Petridis M. and Zhao Y. (2010). BMQE SYSTEM - A MQ Equations System based on Ergodic Matrix. In Proceedings of the International Conference on Security and Cryptography, pages 431-435. DOI: 10.5220/0002992304310435. Copyright © SciTePress.
Therefore, in this paper, based on ergodic matrices (Zhao et al., 2004), we propose a new MQ equation system over finite fields whose underlying problem is NP-hard.
The rest of this paper is organised as follows. In Section 2, the definition of EM and related theorems are given. In Section 3, the BMQE system is introduced and we prove that the corresponding problem is NP-hard for attackers. The complexity analysis is presented in Section 4. Finally, conclusions are drawn in Section 5.
2 ERGODIC MATRIX AND RELATED THEOREMS
The concept of EM and some related theorems were described in (Zhao et al., 2004). Throughout, $\mathbb{F}_q^{n}$ denotes the n-dimensional column vectors over $\mathbb{F}_q$, $\mathbb{F}_q^{n\times n}$ the n×n matrices over $\mathbb{F}_q$, $0 = [0\ 0\ \cdots\ 0]^T$ the zero vector, and $\langle Q\rangle = \{Q^x \mid x = 1, 2, 3, \ldots\}$ the set of positive powers of a matrix Q.
Definition 2.1: Given $Q \in \mathbb{F}_q^{n\times n}$, if for any non-zero column vector $v \in \mathbb{F}_q^n \setminus \{0\}$ the set $\{Qv, Q^2 v, \ldots, Q^{q^n-1} v\}$ exhausts $\mathbb{F}_q^n \setminus \{0\}$, then Q is called an Ergodic Matrix over the finite field $\mathbb{F}_q$.
Definition 2.2: Given $m \in \mathbb{F}_q^{n\times n}$, $C(m) = \{x \mid x \in \mathbb{F}_q^{n\times n},\ xm = mx\}$ is the centralizer of m in $\mathbb{F}_q^{n\times n}$.
Definition 2.3: Given $Q_1, Q_2, m \in \mathbb{F}_q^{n\times n}$, if for any $q_1 \in \langle Q_1\rangle \setminus \{I\}$ and $q_2 \in \langle Q_2\rangle \setminus \{I\}$ we have $2n \le \operatorname{Rank}(C(q_1)\, m\, C(q_2)) < n^2$, then m is called a robust matrix, and $M_r(Q_1, Q_2) = \{m \mid m \in \mathbb{F}_q^{n\times n},\ m \text{ is robust for } Q_1 \text{ and } Q_2\}$.
Theorem 2.1: Given an EM $Q \in \mathbb{F}_q^{n\times n}$, there are $\varphi(q^n - 1)$ EMs in $\langle Q\rangle = \{Q^x \mid x = 1, 2, 3, \ldots\}$ (φ being Euler's totient function), and these EMs have the same generating set (only the generators appear in a different order).
Theorem 2.2: If $Q \in \mathbb{F}_q^{n\times n}$ is an EM, then $\mathbb{F}_q[Q] = \{0\} \cup \langle Q\rangle = \{0, Q, Q^2, \ldots, Q^{q^n-1} = I\}$, and $\mathbb{F}_q[Q]$ forms an extension field $\mathbb{F}_{q^n}$ under matrix addition and matrix multiplication.
Theorem 2.3: Let $Q \in \mathbb{F}_q^{n\times n}$ be an EM. Then $[Q^0 = I, Q, Q^2, \ldots, Q^{n-1}]$ is a basis of $\mathbb{F}_q[Q]$ over the finite field $\mathbb{F}_q$, where $\mathbb{F}_q[Q]$ stands for the set of polynomials in Q over $\mathbb{F}_q$.
For any $Q \in \mathbb{F}_q^{n\times n}$, it is obvious that $Q_1 Q$ linearly transforms the rows of Q and $Q Q_2$ linearly transforms the columns of Q, respectively. Thus $Q_1 Q Q_2$ mixes every element of Q. This process can be repeated several times, e.g. $Q_1^s Q Q_2^t$ with $1 \le s \le |\langle Q_1\rangle|$ and $1 \le t \le |\langle Q_2\rangle|$, where $\langle Q_1\rangle$ and $\langle Q_2\rangle$ are the sets of positive powers of $Q_1$ and $Q_2$, so that the transformation of Q is much more complex. In order to improve the quality of the encryption (or transformation), the generating sets $\langle Q_1\rangle$ and $\langle Q_2\rangle$ must be as large as possible, which is exactly what ergodic $Q_1$ and $Q_2$ give (each has $q^n - 1$ elements by Theorem 2.2). Furthermore, the result of $Q_1$ multiplying a column vector on the left and of $Q_2$ multiplying a row vector on the right should be divergent. As a result, EM can be used to construct a system based on MQ equations.
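As an added illustration of Definition 2.1 and Theorems 2.1 to 2.3 (this is example code written for this page, not code from the paper or its authors), the Python below takes $Q_1$ and $Q_2$ as companion matrices of primitive polynomials over $\mathbb{F}_q$. That is an assumption made for convenience: any ergodic matrix would do, but for a companion matrix the coordinates of $Q^s$ in the basis $(I, Q, \ldots, Q^{n-1})$ of Theorem 2.3 are simply the coefficients of $x^s \bmod p(x)$, so no linear algebra is needed. The code checks ergodicity by brute force straight from Definition 2.1, counts the ergodic powers of Q (Theorem 2.1 predicts $\varphi(q^n-1)$ of them), and expands $T = Q_1^s M Q_2^t$ into the bilinear form $\sum_{i,j} x_i y_j\, Q_1^i M Q_2^j$ that the BMQE construction of Section 3 rests on. The polynomials and the matrix M are constructed sample inputs.

```python
"""Ergodic matrices over F_q and the bilinear structure of Q1^s M Q2^t (added example)."""
from itertools import product


def mat_mul(A, B, q):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % q for j in range(n)] for i in range(n)]


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_pow(A, e, q):
    """A^e mod q by square-and-multiply."""
    R, P = identity(len(A)), A
    while e:
        if e & 1:
            R = mat_mul(R, P, q)
        P = mat_mul(P, P, q)
        e >>= 1
    return R


def companion(poly, q):
    """Companion matrix of the monic polynomial x^n + c[n-1] x^(n-1) + ... + c[0] (poly = [c0, ..., c_{n-1}]).
    It acts on column vectors as multiplication by x in F_q[x]/(p(x))."""
    n = len(poly)
    C = [[0] * n for _ in range(n)]
    for i in range(1, n):
        C[i][i - 1] = 1
    for i in range(n):
        C[i][n - 1] = (-poly[i]) % q
    return C


def is_ergodic(Q, q):
    """Definition 2.1 by brute force: for every v != 0 the orbit {Qv, Q^2 v, ..., Q^(q^n - 1) v}
    must be exactly F_q^n minus the zero vector."""
    n = len(Q)
    zero = (0,) * n
    for v in product(range(q), repeat=n):
        if v == zero:
            continue
        seen, w = set(), list(v)
        for _ in range(q ** n - 1):
            w = [sum(Q[i][k] * w[k] for k in range(n)) % q for i in range(n)]
            seen.add(tuple(w))
        if zero in seen or len(seen) != q ** n - 1:
            return False
    return True


def ergodic_powers(Q, q):
    """Theorem 2.1: how many of Q, Q^2, ..., Q^(q^n - 1) are ergodic (expected: phi(q^n - 1))."""
    return sum(is_ergodic(mat_pow(Q, x, q), q) for x in range(1, q ** len(Q)))


def power_coords(poly, s, q):
    """Coordinates of Q^s in the basis (I, Q, ..., Q^(n-1)) of Theorem 2.3 for Q = companion(poly):
    they are the coefficients of x^s mod p(x)."""
    n = len(poly)
    c = [1] + [0] * (n - 1)
    for _ in range(s):
        top = c[-1]                  # coefficient of x^(n-1) before multiplying by x
        c = [0] + c[:-1]             # multiply by x
        for i in range(n):           # reduce x^n = -(c0 + c1 x + ... + c_{n-1} x^(n-1))
            c[i] = (c[i] - top * poly[i]) % q
    return c


def from_coords(Q, coords, q):
    """sum_i coords[i] Q^i, the inverse of power_coords."""
    n = len(Q)
    R = [[0] * n for _ in range(n)]
    for i, ci in enumerate(coords):
        Qi = mat_pow(Q, i, q)
        R = [[(R[r][c] + ci * Qi[r][c]) % q for c in range(n)] for r in range(n)]
    return R


def bmqe_coefficients(Q1, Q2, M, q):
    """T = Q1^s M Q2^t = sum_{i,j} x_i y_j (Q1^i M Q2^j), where x, y are the power-basis coordinates
    of Q1^s and Q2^t. Entry (r, c) of T is the bilinear form p_k(x, y) = sum_{i,j} a[k][i][j] x_i y_j,
    k = r*n + c: n^2 equations of the BMQE shape in the 2n unknowns (x, y)."""
    n = len(M)
    a = [[[0] * n for _ in range(n)] for _ in range(n * n)]
    for i in range(n):
        for j in range(n):
            P = mat_mul(mat_mul(mat_pow(Q1, i, q), M, q), mat_pow(Q2, j, q), q)
            for r in range(n):
                for c in range(n):
                    a[r * n + c][i][j] = P[r][c]
    return a


def evaluate_bilinear(a, x, y, q):
    n = len(x)
    return [sum(a[k][i][j] * x[i] * y[j] for i in range(n) for j in range(n)) % q for k in range(len(a))]


def demo(s=5, t=3, q=2):
    """Constructed sample: x^3 + x + 1 and x^3 + x^2 + 1 are primitive over F_2, so their companion
    matrices are ergodic; M is an arbitrary fixed 3x3 matrix."""
    p1, p2 = [1, 1, 0], [1, 0, 1]
    Q1, Q2, M = companion(p1, q), companion(p2, q), [[1, 0, 1], [1, 1, 0], [0, 1, 1]]
    x, y = power_coords(p1, s, q), power_coords(p2, t, q)
    T = mat_mul(mat_mul(mat_pow(Q1, s, q), M, q), mat_pow(Q2, t, q), q)
    a = bmqe_coefficients(Q1, Q2, M, q)
    return {"ergodic": is_ergodic(Q1, q) and is_ergodic(Q2, q), "x": x, "y": y,
            "bilinear_matches_T": evaluate_bilinear(a, x, y, q) == [v for row in T for v in row]}


if __name__ == "__main__":
    print(demo())
```

The brute-force ergodicity test costs about $q^{2n} n^2$ operations and is only meant for toy sizes; for real parameters one would check instead that the characteristic polynomial is primitive. Note that the unknowns $(x, y)$ of the resulting system are the coordinates of the secret exponents s and t, which is what makes each entry of T a purely bilinear $x_i y_j$ form with no $x_i x_j$, $y_i y_j$ or linear terms.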
3 BMQE PROBLEM
In what follows, we propose a new problem called the BMQE problem, based on EM, which is NP-hard and different from all existing MQ problems.
3.1 Definition
Let $Q_1, Q_2 \in \mathbb{F}_q^{n\times n}$ be EMs (Definition 2.1). We take any non-zero matrix in the span of $Q_1$, $Q_2$ as an $n^2$-vector, and randomly choose two bases $B_1$ and $B_2$ of $\mathbb{F}_q[Q_1]$ and $\mathbb{F}_q[Q_2]$ over the finite field $\mathbb{F}_q$, each consisting of n powers of $Q_1$ (respectively $Q_2$). Then there exist unique tuples $(x_1, x_2, \ldots, x_n)$ and $(y_1, y_2, \ldots, y_n) \in \mathbb{F}_q^n \setminus \{0\}$ such that:
(1)
Then we have:
(2)
Linearize the n×n matrix T and the products of the basis elements into $n^2$-vectors (e.g. $t_{i,j} \in T$). Hence there is a system of m equations in 2n variables over the finite field $\mathbb{F}_q$. Every term of these equations has degree 2 and is the product of one x and one y. We call a system of this form a BMQE system, and based on it we propose the BMQE problem as below:
BMQE Problem: Let ES be an equation system over a finite field $\mathbb{F}_q$ with m equations in 2n variables, each equation having the form
(3)
where the coefficients and the right-hand sides are known values, k = 1, 2, …, m. Now, how can a solution of ES with $x, y \in \mathbb{F}_q^n$ be deduced?

SECRYPT 2010 - International Conference on Security and Cryptography
It is obvious that the BMQE problem is a special case of the multivariate quadratic problem. The differences are:
(1) ES is composed of $x_i$ and $y_j$, where i = 1, 2, …, n and j = 1, 2, …, n;
(2) each equation of ES only has terms of degree 2;
(3) each term in each equation of ES is a product $x_i y_j$ with $x = \{x_i \mid i = 1, 2, \ldots, n\}$ and $y = \{y_j \mid j = 1, 2, \ldots, n\}$.
Therefore a BMQE system in 2n variables has $n^2$ terms of degree 2, whilst a general MQ system in the same 2n variables has $2n^2 + n$ terms of degree 2 and 2n terms of degree 1.
Moreover, a BMQE system over $\mathbb{F}_q$ can have a unique solution only if q = 2. This is because when q > 2, if $(x_1, x_2, \ldots, x_n), (y_1, y_2, \ldots, y_n)$ is one solution to ES, then for every $c \in \mathbb{F}_q \setminus \{0\}$, $c(x_1, x_2, \ldots, x_n), c^{-1}(y_1, y_2, \ldots, y_n)$ must also be a solution to ES, since every term $x_i y_j$ is unchanged by the scaling.
3.2 NP-hardness Proof of BMQE
The MQ problem over $\mathbb{F}_2$ has been proven to be NP-hard; here we prove that the BMQE problem is also NP-hard over $\mathbb{F}_2$.
Theorem 3.1: The BMQE problem over $\mathbb{F}_2$ is NP-hard.
Proof. Graph 3-coloring (given an undirected graph G = (V, E), can the vertices of the graph be colored using 3 colors so that vertices connected by an edge do not get the same color) is an NP-complete problem [36]. If it can be reduced to the BMQE problem over $\mathbb{F}_2$, then Theorem 3.1 is proven. The reduction is done by the following steps:
(1) Let ES denote an equation system, initialised as empty, and represent each vertex $v_i$ of the graph G by a pair $(x_i, y_i)$ over $\mathbb{F}_2$;
(2) vertex $v_i$ gets colour a, b or c iff $(x_i, y_i) = (0, 1), (1, 0)$ or $(1, 1)$, respectively;
(3) if $v_i$ and $v_j$ are adjacent, add the equation $x_i y_j + x_j y_i = 1$ to ES.
The equation system ES formed by these steps is a special BMQE system over $\mathbb{F}_2$: every term is a product $x_i y_j$ and there are no linear terms. By step (3), for any pair of adjacent vertices $v_i$ and $v_j$ we have $x_i y_j + x_j y_i = 1$, which over $\mathbb{F}_2$ holds if and only if
$$(x_i, y_i) \ne (0, 0) \;\land\; (x_j, y_j) \ne (0, 0) \;\land\; (x_i, y_i) \ne (x_j, y_j),$$
because the left-hand side is the determinant of the 2×2 matrix with rows $(x_i, y_i)$ and $(x_j, y_j)$, which is non-zero over $\mathbb{F}_2$ exactly when both rows are non-zero and distinct. Therefore $v_i$ and $v_j$ each receive one of the colours a, b, c, and different ones. Conversely, any proper 3-colouring of G gives a solution of ES via step (2). Thus graph 3-colouring can be reduced to the BMQE problem over $\mathbb{F}_2$, and hence the BMQE problem over $\mathbb{F}_2$ is NP-hard.
Likewise, the BMQE problem over $\mathbb{F}_q$ (q > 2) can be proved NP-hard.
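The reduction of Theorem 3.1 carried out in code, as an added example that is not part of the paper: it builds ES from a graph by steps (1) to (3), checks the truth table of the edge equation against the inequality it is claimed to encode, and brute-forces all $2^{2n}$ assignments over $\mathbb{F}_2$ to confirm that the solutions of ES are exactly the proper 3-colourings. The three graphs (a triangle, $K_4$ and the 5-cycle) are constructed test inputs; the solution counts 6, 0 and 30 are the numbers of proper 3-colourings of those graphs.

```python
"""Graph 3-colouring -> BMQE over F_2, as in the proof of Theorem 3.1 (added example)."""
from itertools import product

# Step (2): colour of vertex v_i from the pair (x_i, y_i); (0, 0) is not a colour.
COLOUR_OF = {(0, 1): "a", (1, 0): "b", (1, 1): "c"}


def reduce_3col_to_bmqe(edges):
    """Step (3): one equation x_i*y_j + x_j*y_i = 1 per edge {i, j}.
    Each equation is (coefficient dict over the products x_i*y_j, right-hand side)."""
    return [({(i, j): 1, (j, i): 1}, 1) for i, j in edges]


def evaluate(system, x, y):
    return [sum(c * x[i] * y[j] for (i, j), c in lhs.items()) % 2 for lhs, _ in system]


def satisfies(system, x, y):
    return evaluate(system, x, y) == [rhs for _, rhs in system]


def edge_equation_holds(pi, pj):
    """x_i*y_j + x_j*y_i = 1 over F_2 for the pairs pi = (x_i, y_i), pj = (x_j, y_j)."""
    return (pi[0] * pj[1] + pj[0] * pi[1]) % 2 == 1


def edge_equation_is_inequality():
    """The edge equation holds iff both pairs are non-zero and distinct (all 16 cases)."""
    pairs = list(product((0, 1), repeat=2))
    return all(
        edge_equation_holds(pi, pj) == (pi != (0, 0) and pj != (0, 0) and pi != pj)
        for pi in pairs for pj in pairs
    )


def solutions(system, n):
    """All (x, y) in F_2^n x F_2^n satisfying ES, by exhaustive search over 2^(2n) candidates."""
    sols = []
    for bits in product((0, 1), repeat=2 * n):
        x, y = bits[:n], bits[n:]
        if satisfies(system, x, y):
            sols.append((x, y))
    return sols


def colouring_from_solution(x, y):
    """Step (2) read backwards. A vertex with an incident edge is forced to a non-zero pair;
    an isolated vertex may be (0, 0) and can take any colour, here 'a'."""
    return [COLOUR_OF.get((xi, yi), "a") for xi, yi in zip(x, y)]


def solution_from_colouring(colouring):
    inverse = {v: k for k, v in COLOUR_OF.items()}
    pairs = [inverse[c] for c in colouring]
    return tuple(p[0] for p in pairs), tuple(p[1] for p in pairs)


def is_proper(colouring, edges):
    return all(colouring[i] != colouring[j] for i, j in edges)


def count_colourings_via_bmqe(n, edges):
    """Number of proper 3-colourings of a graph without isolated vertices, obtained only
    by solving the BMQE system; every solution found is checked to be a proper colouring."""
    sols = solutions(reduce_3col_to_bmqe(edges), n)
    assert all(is_proper(colouring_from_solution(x, y), edges) for x, y in sols)
    return len(sols)


# Constructed graphs: triangle (3-colourable), K4 (not 3-colourable), 5-cycle (3-colourable).
TRIANGLE = (3, [(0, 1), (1, 2), (0, 2)])
K4 = (4, [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)])
C5 = (5, [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])

if __name__ == "__main__":
    for name, (n, edges) in [("K3", TRIANGLE), ("K4", K4), ("C5", C5)]:
        print(name, "proper 3-colourings found via BMQE:", count_colourings_via_bmqe(n, edges))
```

The exhaustive search is only there to verify the reduction on toy graphs; the point of the theorem is that no such search is expected to be efficient in general. Note also that the produced system has a very sparse coefficient pattern, so the hardness statement is about the general BMQE problem of form (3), not about instances generated from ergodic matrices in particular.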
4 COMPLEXITY ANALYSIS
Even though the BMQE problem is NP-hard, this does not guarantee that every bisectional multivariate quadratic system is hard enough to be unsolvable by polynomial-time algorithms: NP-hardness is a worst-case statement. By analysis, the complexity of a BMQE instance is determined by q, n and m, where q is the number of elements of the finite field $\mathbb{F}_q$, and n and m are the number of variables (per tuple) and the number of equations, respectively.
To find the relation between q, m and n, we consider an approach called fixing variables. This approach is based on eliminating variables from the equation system, which is also the key idea of existing attacks such as Linearization (Herlihy & Wing, 1987), Relinearization, Gröbner bases (Lenstra & Verheul, 2001), XL (Kipnis & Shamir, 1999) and DR (Tang & Feng, 2005). However, on one hand, as pointed out by Kipnis and Shamir, Linearization only succeeds when m reaches n(n+1)/2, i.e. when there are about as many equations as quadratic monomials. On the other hand, Relinearization, Gröbner bases, XL and DR are described for systems whose polynomials contain a single tuple of n variables rather than a pair of such tuples; their cost on the bilinear (x, y) structure of a BMQE system is not analysed here, and the rest of this section considers fixing variables only.
Many experimental results show that the complexity of solving an MQ problem decreases as (m − n) grows; the growth trend ranges from exponential through sub-exponential to polynomial. If m ≤ n it is barely possible to solve the MQ equations. But if q is small, one can fix r variables such that m > (n − r): if an MQ problem with m equations and (n − r) variables can be solved, then at most $q^r$ guesses are needed to work out the solution. The rest of this section shows how fixing variables attacks a BMQE system, and a conclusion is drawn at the end.
According to the BMQE problem, let equation (4) be the system
(4)
where $p_k(x, y)$ denotes the left-hand side of the k-th equation and $b_k$ its right-hand side, k = 1, 2, …, m, and denote the value space of $(p_1, p_2, \ldots, p_m)$ as
$$Spc = \{ (p_1(x, y), \ldots, p_m(x, y)) \mid x, y \in \mathbb{F}_q^n \}.$$
For any $x, y \in \mathbb{F}_q^n$, let $xy$ denote the outer product $x y^T = (x_i y_j)_{1 \le i, j \le n} \in \mathbb{F}_q^{n\times n}$. Since every $p_k$ is a linear combination of the products $x_i y_j$, $(p_1, p_2, \ldots, p_m)$ is uniquely determined by $xy$. It is obvious that (x, y) takes $q^{2n}$ values, but $xy$ takes only one zero value (whenever x = 0 or y = 0) and $(q^n-1)^2/(q-1)$ non-zero values, because $xy = (cx)(c^{-1}y)^T$ for every $c \in \mathbb{F}_q \setminus \{0\}$. Hence we have
$$|Spc| \le \min\big(q^m,\ (q^n-1)^2/(q-1) + 1\big).$$
And if n > 1, $q^{2n-1} < (q^n-1)^2/(q-1) + 1 < q^{2n}$; consequently we have:
$$|Spc| \le \begin{cases} q^m, & m < 2n \\ (q^n-1)^2/(q-1) + 1, & m \ge 2n \end{cases} \qquad (5)$$
When $\{p_1(x, y), \ldots, p_m(x, y)\}$ is determined, there are several cases for the solutions of (4), depending on the right-hand side $(b_1, b_2, \ldots, b_m)$:
(1) if $(b_1, b_2, \ldots, b_m) = 0$, then equation (4) has at least $2q^n - 1$ solutions, namely those of the forms $(x = 0, y = 0)$, $(x \ne 0, y = 0)$ and $(x = 0, y \ne 0)$;
(2) if $(b_1, b_2, \ldots, b_m) \ne 0$ and $(b_1, b_2, \ldots, b_m) \notin Spc$, equation (4) has no solution;
(3) if $(b_1, b_2, \ldots, b_m) \in Spc \setminus \{0\}$, then equation (4) has at least (q − 1) equivalent solutions $(x, y) \in (\mathbb{F}_q^n \setminus \{0\})^2$, namely $(cx, c^{-1}y)$ for $c \in \mathbb{F}_q \setminus \{0\}$.
If $(b_1, b_2, \ldots, b_m) \in Spc \setminus \{0\}$, a higher-order correlation attack can be used to solve equation (4). Since x and y are mutually related, fixing either of them is enough. There are two methods, fixing the whole or fixing a part: the former fixes all the elements of x, while the latter fixes only t of the elements of x (1 ≤ t < n).
Let us take the example of fixing all the elements of x. The steps are as follows:
(1) Randomly fix $x = (\alpha_1, \alpha_2, \ldots, \alpha_n) \ne 0$;
(2) replace x in equation (4) with $(\alpha_1, \alpha_2, \ldots, \alpha_n)$, which gives a linear equation system (6) in the n unknowns $y = (y_1, y_2, \ldots, y_n)$:
(6)
(3) if equation (6) has a solution $y = \beta = (\beta_1, \beta_2, \ldots, \beta_n)$, continue; otherwise go back to step (1);
(4) $(x, y) = (\alpha, \beta)$ is a solution to equation (4).
Obviously, the success probability of the fixing-variables attack is proportional to the number of solutions of equation (4). In addition, the number of solutions increases as the number of equations diminishes. In particular, when m = n, equation (6) is a square linear system that is solvable for most choices of α, so the number of solutions to equation (4) approximates $q^n - 1$, which means the probability that one guess succeeds is nearly 100 percent. Therefore, if n is fixed and m is too small, equation (4) is quite easy to solve.
Similarly, for any $(b_1, b_2, \ldots, b_m) \in Spc \setminus \{0\}$, if equation (4) has exactly (q − 1) solutions and m ≥ 2n, the probability that a guess of x succeeds falls to $(q-1)/(q^n-1) \approx q^{-(n-1)}$ (refer to equation (5)). Consequently, we have the following theorem:
Theorem 4.1: Randomly create a bisectional multivariate quadratic equation system ES of m equations in 2n variables over $\mathbb{F}_q$. If ES satisfies m ≥ 2n and $|Spc \setminus \{0\}| = (q^n-1)^2/(q-1)$, and $q^n$ is large enough, then the approach of fixing variables needs on the order of $q^{n-1}$ guesses and therefore cannot solve ES in practice.
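The fixing-variables attack of steps (1) to (4), written out as an added example (not the paper's own code) over $\mathbb{F}_q$ with q prime. The instance is a constructed random bilinear system of the form (4) with a planted solution $(x^*, y^*)$; drawing the coefficients uniformly instead of from ergodic matrices is an assumption made here, sufficient to show the effect of m against n. `fix_x_attack` substitutes α for x, solves the resulting linear system (6) in y by Gauss-Jordan elimination and returns `None` when (6) is inconsistent (the "go back to step (1)" case); `success_rate` estimates how often a random α works for m = n and for m = 2n, and `count_solutions` checks on a tiny instance that solutions with $x, y \ne 0$ come in orbits $(cx, c^{-1}y)$ of size q − 1, as case (3) above states.

```python
"""Fixing-variables attack on a bisectional (bilinear) system over F_q, q prime (added example)."""
import random
from itertools import product


def evaluate(a, x, y, q):
    """p_k(x, y) = sum_{i,j} a[k][i][j] x_i y_j for k = 1..m (left-hand sides of (4))."""
    n = len(x)
    return [sum(a[k][i][j] * x[i] * y[j] for i in range(n) for j in range(n)) % q for k in range(len(a))]


def random_instance(n, m, q, rng=None, seed=0):
    """Constructed instance: uniform coefficients and a planted solution with x*, y* != 0 and b != 0."""
    rng = rng or random.Random(seed)
    while True:
        a = [[[rng.randrange(q) for _ in range(n)] for _ in range(n)] for _ in range(m)]
        xs = [rng.randrange(1, q)] + [rng.randrange(q) for _ in range(n - 1)]
        ys = [rng.randrange(1, q)] + [rng.randrange(q) for _ in range(n - 1)]
        b = evaluate(a, xs, ys, q)
        if any(b):
            return a, b, xs, ys


def solve_mod_q(A, b, q):
    """Gauss-Jordan elimination over F_q. Returns one solution (free unknowns set to 0) or None."""
    m, n = len(A), len(A[0])
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c] % q), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, q)
        M[r] = [(v * inv) % q for v in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % q for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(M[i][n] for i in range(r, m)):   # a row 0 = nonzero: (6) is inconsistent
        return None
    y = [0] * n
    for i, c in enumerate(pivots):
        y[c] = M[i][n]
    return y


def fix_x_attack(a, b, q, alpha):
    """Steps (2)-(3): with x = alpha fixed, (4) becomes the linear system (6)
    A(alpha) y = b with A(alpha)[k][j] = sum_i a[k][i][j] alpha_i."""
    m, n = len(a), len(alpha)
    A = [[sum(a[k][i][j] * alpha[i] for i in range(n)) % q for j in range(n)] for k in range(m)]
    return solve_mod_q(A, b, q)


def success_rate(n, m, q, trials, seed=2010):
    """Fraction of random guesses alpha (step (1)) for which step (3) yields a y.
    A fresh instance is drawn per trial so that the trials are independent."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b, _, _ = random_instance(n, m, q, rng)
        alpha = [rng.randrange(q) for _ in range(n)]
        if not any(alpha):
            continue
        y = fix_x_attack(a, b, q, alpha)
        if y is not None:
            assert evaluate(a, alpha, y, q) == b      # step (4): (alpha, y) solves (4)
            hits += 1
    return hits / trials


def count_solutions(a, b, q, n):
    """Exhaustive count of solutions with x != 0 and y != 0 (feasible only for tiny n and q)."""
    return sum(
        1 for xy in product(range(q), repeat=2 * n)
        if any(xy[:n]) and any(xy[n:]) and evaluate(a, list(xy[:n]), list(xy[n:]), q) == b
    )


if __name__ == "__main__":
    print("q=5, n=3, m=n:  success per guess", success_rate(3, 3, 5, 200))
    print("q=5, n=3, m=2n: success per guess", success_rate(3, 6, 5, 200))
```

With m = n the substituted system (6) is square and a random guess of α succeeds most of the time, as the text above says; with m = 2n the system (6) is overdetermined and a guess succeeds only when α happens to be (a multiple of) the x-part of a genuine solution, which is the $q^{-(n-1)}$ behaviour of Theorem 4.1. The example uses a prime q so that `pow(v, -1, q)` gives field inverses; for $q = 2^k$ the elimination would need $\mathbb{F}_{2^k}$ arithmetic instead.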
5 CONCLUSIONS
In this paper, we first summarised that all MQ-equation schemes for asymmetric cryptography known so far fit into a taxonomy of five basic classes, namely UOV schemes, stepwise triangular systems, MI schemes, HFE and invertible cycles. As pointed out in the introduction, these schemes have been shown to be insecure except UOV with proper parameters, and the existing MQ-equation-based schemes have some shortcomings. Thus, combined with ergodic matrices, we propose a multivariate equation system over a finite field $\mathbb{F}_q$. The analysis shows that the underlying problem is NP-hard for MQ attackers. Also, under the condition of Theorem 4.1, such a system with proper parameters resists the fixing-variables approach, which is the attack on MQ problems analysed here.
ACKNOWLEDGEMENTS
This research program has been supported by the
Scientific Research Fund of Hainan Provincial
Education Department, Grant Number Hjkj2010-
10.
REFERENCES
Whitfield Diffie and Martin E. Hellman, 1976. “New directions in cryptography”. IEEE Transactions on Information Theory, Vol. IT-22, pp. 644-654.
Christopher Wolf, 2005. Multivariate Quadratic Polynomials in Public Key Cryptography. DIAMANT/EIDMA symposium 2005, Technische Universiteit. [Online]. Available: http://www.win.tue.nl/diamant/symposium05/abstracts/wolf.pdf.
M. Herlihy and J. Wing, 1987. “Axioms for Concurrent Objects”. In Proc. 14th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 13-26.
John Baena, Crystal Clough, Jintai Ding, 2008. “Square-Vinegar Signature Scheme”. In Proc. PQCrypto 2008, pp. 17-30.
Aviad Kipnis, Jacques Patarin, Louis Goubin, 1999. “Unbalanced Oil and Vinegar Signature Schemes”. In Proc. EUROCRYPT’99, pp. 206-222.
Christopher Wolf, An Braeken, Bart Preneel, 2006. “On the Security of Stepwise Triangular Systems”. Designs, Codes and Cryptography, Vol. 40(3), pp. 285-302.
Jacques Patarin, 1998. “Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt’88”. Designs, Codes and Cryptography, 20(2), pp. 175-209.
O. Hamdi, A. Bouallegue, S. Harari, 2006. “Hidden Field Equations Cryptosystem Performances”. In Proc. IEEE International Conference on Computer Systems and Applications, AICCSA’06, pp. 308-311.
Jintai Ding, John Wagner, 2008. “Cryptanalysis of Rational Multivariate Public Key Cryptosystems”. In Proc. 2nd International Workshop on Post-Quantum Cryptography, pp. 124-136.
Jacques Patarin, Louis Goubin, Nicolas T. Courtois, 1998. “C*-+ and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai”. In Proc. International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT ’98, pp. 35-49.
Jintai Ding and Dieter Schmidt, 2006. Multivariate Public Key Cryptosystems, ser. Advances in Information Security, vol. 25. Berlin, Germany: Springer, pp. 288-301.
Xijin Tang and Yong Feng, 2005. A new efficient algorithm for solving systems of multivariate polynomial equations, ser. Lecture Notes in Computer Science, vol. 1807. Berlin, Germany: Springer.
Zhao Yongzhe, Wang Liou, Zhang Wei, 2004. “Information-Exchange Using the Ergodic Matrices in GF(2)”. In Proc. 2nd International Conference on Applied Cryptography and Network Security, ACNS 2004, pp. 388-397.
David Arditti, Côme Berbain, Olivier Billet, Henri Gilbert, 2007. “Compact FPGA implementations of QUAD”. In Proc. 2nd ACM Symposium on Information, Computer and Communications Security, pp. 347-349.
Aviad Kipnis, Adi Shamir, 1999. “Cryptanalysis of the HFE Public Key Cryptosystem”. In Proc. Advances in Cryptology, CRYPTO ’99, 19th Annual International Cryptology Conference, pp. 166-175.
Arjen K. Lenstra, Eric R. Verheul, 2001. “Selecting Cryptographic Key Sizes”. J. Cryptology, Vol. 14(4), pp. 255-293.