Algorithm for Solving Massively Underdefined Systems of Multivariate Quadratic Equations over Finite Fields

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Solving systems of m multivariate quadratic equations in n variables (the MQ problem) over finite fields is NP-hard, and the security of many cryptographic systems rests on this problem. Until now, the best algorithm for solving the underdefined MQ problem has been that of Hiroyuki Miura et al., which runs in polynomial time when $n \ge m(m+3)/2$ and the characteristic of the field is even. To obtain a wider applicable range, we reduce the underdefined MQ problem to the problem of finding square roots over a finite field and then combine this with the guess-and-determine method. In this way the applicable range is extended to $n \ge m(m+1)/2$, the widest range to date. Theoretical analysis indicates that the complexity of our algorithm is $O(q\, n^{\omega} m (\log q)^2)$ when the characteristic of the field is even and $O(q\, 2^m n^{\omega} m (\log q)^2)$ when the characteristic of the field is odd, where $2 \le \omega \le 3$ is the exponent of Gaussian elimination.


💡 Research Summary

The paper addresses the underdefined multivariate quadratic (MQ) problem, which consists of solving m quadratic equations in n variables over a finite field 𝔽_q. This problem underpins the security of many post‑quantum cryptographic schemes and is known to be NP‑hard. The best previously known polynomial‑time algorithm for the underdefined case was presented by Hiroyuki Miura and colleagues; it works when the number of variables satisfies n ≥ m(m + 3)/2 and the field characteristic is even. The authors aim to broaden the applicable parameter range. Their approach consists of two main ideas. First, they transform the original system into a canonical form using linear changes of variables and Gaussian elimination, separating each quadratic equation into a sum of pure square terms (x_i²) and linear terms. This reduction turns the MQ problem into a set of square‑root problems over 𝔽_q. Second, they apply a “guess‑and‑determine” strategy: the remaining free variables after the transformation are guessed, and for each guess the resulting linear system is solved to recover the remaining unknowns. Because the number of free variables after reduction is n − m(m + 1)/2, the algorithm succeeds as long as n ≥ m(m + 1)/2, which relaxes the previous bound by roughly m/2 variables. Complexity analysis shows that when the field characteristic is two, the algorithm runs in O(q · n^ω · m · (log q)²) time, where ω (2 ≤ ω ≤ 3) is the exponent of matrix multiplication (Gaussian elimination). For odd characteristic fields the cost gains an extra factor 2^m, yielding O(q · 2^m · n^ω · m · (log q)²). Thus, in even‑characteristic fields the method remains polynomial in q, n, and m, while in odd‑characteristic fields the exponential factor depends only on m, not on n. The authors compare their results with Miura’s algorithm, demonstrating that their technique works for a strictly larger set of (n, m) pairs. 
They also discuss practical considerations, such as the impact of field size q and the logarithmic term on runtime, and suggest that the guess‑and‑determine phase can be parallelized to further improve performance. Finally, the paper evaluates the cryptographic implications: many MQ‑based schemes that were previously considered secure under the stricter bound may now be vulnerable when the number of variables falls within the newly extended range. The authors conclude by outlining future work, including heuristic methods to reduce the guessing space and adaptations for specific cryptographic constructions.
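The reason the even-characteristic case stays polynomial is that, once a system has been brought into the canonical form the summary describes (each equation a sum of pure square terms and linear terms), the Frobenius map x ↦ x² is GF(2)-linear, so every such equation is a linear system in the bit coordinates of the unknowns. The following Python example, added here and not taken from the paper, demonstrates that step on a constructed system over GF(2^4) (modulus x^4 + x + 1, an assumed choice): it linearizes a canonical-form system into a GF(2) matrix, solves it by Gaussian elimination, and checks the result against the original equations. The paper's own linear change of variables that produces the canonical form, and its guess-and-determine phase, are not implemented; the input is assumed to be already in canonical form.

```python
# Added example, not the paper's code: solving a canonical-form MQ system
# (square terms + linear terms only) over GF(2^4) by GF(2)-linearization.
# Assumption: GF(2^4) is built from x^4 + x + 1; elements are 4-bit ints
# whose bit i is the coefficient of x^i.

MOD = 0b10011   # x^4 + x + 1
K = 4           # extension degree (every element has K bits)

def gf_mul(a, b):
    """Multiply two GF(2^K) elements (integers 0 .. 2^K - 1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << K):
            a ^= MOD
    return r

def gf_sq(a):
    """Squaring; in characteristic 2 this map is GF(2)-linear (Frobenius)."""
    return gf_mul(a, a)

def gf2_matrix_of(f):
    """K x K GF(2) matrix (list of bit rows) of a GF(2)-linear map f,
    in the basis 1, x, x^2, x^3: column j is the bit vector of f(x^j)."""
    cols = [f(1 << j) for j in range(K)]
    return [[(cols[j] >> i) & 1 for j in range(K)] for i in range(K)]

def linearize(squares, linears, consts):
    """Equation i is sum_j squares[i][j] * x_j^2 + linears[i][j] * x_j = consts[i].
    Returns the augmented GF(2) matrix (K*m rows, K*n + 1 columns) obtained by
    writing each unknown x_j in its K bit coordinates."""
    m, n = len(squares), len(squares[0])
    rows = []
    for i in range(m):
        block = [[] for _ in range(K)]
        for j in range(n):
            a, b = squares[i][j], linears[i][j]
            # x_j -> a * x_j^2 + b * x_j is GF(2)-linear because squaring is
            M = gf2_matrix_of(lambda x, a=a, b=b: gf_mul(a, gf_sq(x)) ^ gf_mul(b, x))
            for r in range(K):
                block[r].extend(M[r])
        for r in range(K):
            block[r].append((consts[i] >> r) & 1)   # bit r of the constant
            rows.append(block[r])
    return rows

def solve_gf2(aug, ncols):
    """Gauss-Jordan elimination over GF(2); last column of aug is the RHS.
    Returns one solution (free variables set to 0) or None if inconsistent."""
    rows = [r[:] for r in aug]
    pivot_cols, row = [], 0
    for col in range(ncols):
        piv = next((r for r in range(row, len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        rows[row], rows[piv] = rows[piv], rows[row]
        for r in range(len(rows)):
            if r != row and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[row])]
        pivot_cols.append(col)
        row += 1
    if any(rows[r][ncols] for r in range(row, len(rows))):
        return None                                  # 0 = 1 row: no solution
    sol = [0] * ncols
    for r, col in enumerate(pivot_cols):
        sol[col] = rows[r][ncols]
    return sol

def solve_canonical_mq(squares, linears, consts):
    """Return a field-element solution [x_1, ..., x_n] or None."""
    n = len(squares[0])
    bits = solve_gf2(linearize(squares, linears, consts), K * n)
    if bits is None:
        return None
    return [sum(bits[K * j + i] << i for i in range(K)) for j in range(n)]

def evaluate(squares, linears, x):
    """Left-hand sides of all equations at the point x."""
    vals = []
    for a_row, b_row in zip(squares, linears):
        acc = 0
        for a, b, xj in zip(a_row, b_row, x):
            acc ^= gf_mul(a, gf_sq(xj)) ^ gf_mul(b, xj)
        vals.append(acc)
    return vals

# Constructed sample: m = 2 equations in n = 3 unknowns, made consistent by
# evaluating the left-hand sides at a planted point.
SQUARES = [[3, 0, 7], [1, 5, 2]]
LINEARS = [[4, 9, 0], [0, 6, 11]]
PLANTED = [2, 13, 7]
CONSTS = evaluate(SQUARES, LINEARS, PLANTED)

if __name__ == "__main__":
    sol = solve_canonical_mq(SQUARES, LINEARS, CONSTS)
    print("solution:", sol, "satisfies system:", evaluate(SQUARES, LINEARS, sol) == CONSTS)
```

Because the system is underdefined, the solver may return a point other than the planted one; what matters is that it satisfies every equation. In odd characteristic, squaring is not additive, so this linearization is unavailable and each square root has to be handled separately, which is where the extra factor 2^m in the paper's odd-characteristic bound comes from.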

