Polynomial-Time Algorithms for Quadratic Isomorphism of Polynomials: The Regular Case
Let $\mathbf{f}=(f_1,\ldots,f_m)$ and $\mathbf{g}=(g_1,\ldots,g_m)$ be two sets of $m\geq 1$ nonlinear polynomials over $\mathbb{K}[x_1,\ldots,x_n]$ ($\mathbb{K}$ being a field). We consider the computational problem of finding – if any – an invertible transformation on the variables mapping $\mathbf{f}$ to $\mathbf{g}$. The corresponding equivalence problem is known as Isomorphism of Polynomials with one Secret (IP1S) and is a fundamental problem in multivariate cryptography. The main result is a randomized polynomial-time algorithm for solving IP1S for quadratic instances, a particular case of importance in cryptography and somewhat justifying a posteriori the fact that Graph Isomorphism reduces to only cubic instances of IP1S (Agrawal and Saxena). To this end, we show that IP1S for quadratic polynomials can be reduced to a variant of the classical module isomorphism problem in representation theory, which involves testing the orthogonal simultaneous conjugacy of symmetric matrices. We show that we can essentially linearize the problem by reducing quadratic-IP1S to testing the orthogonal simultaneous similarity of symmetric matrices; this latter problem was shown by Chistov, Ivanyos and Karpinski to be equivalent to finding an invertible matrix in the linear space $\mathbb{K}^{n \times n}$ of $n \times n$ matrices over $\mathbb{K}$ and computing the square root in a matrix algebra. While computing square roots of matrices can be done efficiently using numerical methods, it seems difficult to control the bit complexity of such methods. However, we present exact and polynomial-time algorithms for computing the square root in $\mathbb{K}^{n \times n}$ for various fields (including finite fields). We then consider #IP1S, the counting version of IP1S for quadratic instances. In particular, we provide a (complete) characterization of the automorphism group of homogeneous quadratic polynomials.
Finally, we also consider the more general Isomorphism of Polynomials (IP) problem where we allow an invertible linear transformation on the variables and on the set of polynomials. A randomized polynomial-time algorithm for solving IP when $\mathbf{f}=(x_1^d,\ldots,x_n^d)$ is presented. From an algorithmic point of view, the problem boils down to factoring the determinant of a linear matrix (i.e. a matrix whose components are linear polynomials). This extends to IP a result of Kayal obtained for PolyProj.
💡 Research Summary
The paper addresses the computational problem known as Isomorphism of Polynomials with one Secret (IP1S), which asks whether there exists an invertible linear change of variables that maps one set of multivariate polynomials to another. While the general problem is believed to be hard and is linked to Graph Isomorphism via cubic instances, the authors focus on the important special case where all polynomials are homogeneous quadratics.
The main contribution is a randomized polynomial‑time algorithm that solves quadratic IP1S over a wide range of fields (including finite fields and fields of characteristic different from two). The algorithm proceeds in several conceptual steps. First, using random linear combinations, the instance is transformed into a “regular” form where at least one quadratic form is non‑degenerate; this step succeeds with high probability when the field size exceeds the number of variables.
In the regular case each quadratic form can be represented by its symmetric Hessian matrix H_i. The existence of a transformation A ∈ GL_n(K) satisfying g(x)=f(Ax) is equivalent to the simultaneous orthogonal similarity condition H′_i = A^T H_i A for all i. The authors reduce this condition to a D‑Orthogonal Simultaneous Matrix Conjugacy (D‑OSMC) problem: find a matrix X that is D‑orthogonal (X^T D X = D) and simultaneously conjugates the two families of Hessians.
Building on a 1997 result of Chistov, Ivanyos and Karpinski, they show that D‑OSMC can be split into two sub‑problems: (1) find an invertible matrix Y that satisfies the linear equations H_i Y = Y H′_i for all i (the simultaneous matrix conjugacy problem) and (2) compute a square root W of the matrix Z = D Y Y^T D^{-1}. The final solution is X = Y W^{-1}.
The first sub‑problem is linear: the set of matrices Y satisfying the equations forms a linear subspace V ⊂ K^{n×n}. The task reduces to finding a nonsingular element of V, which is an instance of Edmonds’ problem. By random sampling within V and applying the Schwartz‑Zippel‑DeMillo‑Lipton lemma, a nonsingular Y can be obtained with overwhelming probability, provided the field is sufficiently large.
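The linear sub-problem described above, as an added example (not code from the paper or its authors): on a constructed toy instance over GF(10007) with D = I, so that the secret A is orthogonal and A^T H_i A = A^{-1} H_i A, it computes a basis of V = {Y : H_i Y = Y H′_i} and samples a nonsingular Y. The field size, the matrices and every function name are assumptions of this example.

```python
import random

P = 10007  # toy prime field GF(P); constructed parameter

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*B)] for r in A]

def rref(M):
    """Reduced row echelon form over GF(P); returns (rows, pivot columns)."""
    M, piv = [list(r) for r in M], []
    for col in range(len(M[0])):
        r = len(piv)
        src = next((i for i in range(r, len(M)) if M[i][col]), None)
        if src is None:
            continue
        M[r], M[src] = M[src], M[r]
        inv = pow(M[r][col], -1, P)
        M[r] = [x * inv % P for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][col]:
                M[i] = [(x - M[i][col] * y) % P for x, y in zip(M[i], M[r])]
        piv.append(col)
    return M, piv

def conjugator_space(Hs, Hps):
    """Basis of V = {Y : H_i Y = Y H'_i for all i}, as a nullspace over GF(P)."""
    n = len(Hs[0])
    rows = [[(H[r][a] * (b == c) - (a == r) * Hp[b][c]) % P
             for a in range(n) for b in range(n)]  # coefficient of unknown Y[a][b]
            for H, Hp in zip(Hs, Hps) for r in range(n) for c in range(n)]
    R, piv = rref(rows)
    row_of = dict(zip(piv, R))  # pivot column -> its reduced row
    vecs = [[-row_of[j][f] % P if j in row_of else int(j == f) for j in range(n * n)]
            for f in range(n * n) if f not in row_of]  # one vector per free column
    return [[v[a * n:(a + 1) * n] for a in range(n)] for v in vecs]

def sample_nonsingular(basis, rng):
    n = len(basis[0])
    while True:  # a random element of V is singular with probability <= n/P
        cs = [rng.randrange(P) for _ in basis]
        Y = [[sum(k * B[i][j] for k, B in zip(cs, basis)) % P for j in range(n)] for i in range(n)]
        if len(rref(Y)[1]) == n:
            return Y

C, S = 3 * pow(5, -1, P) % P, 4 * pow(5, -1, P) % P  # 3-4-5 triple: C^2 + S^2 = 1 (mod P)
A = [[C, P - S, 0], [S, C, 0], [0, 0, 1]]  # constructed secret, A^T A = I (D = I)
HS = [[[1, 2, 3], [2, 5, 6], [3, 6, 9]], [[4, 1, 0], [1, 7, 2], [0, 2, 8]]]  # symmetric
HPS = [matmul(list(zip(*A)), matmul(H, A)) for H in HS]  # H'_i = A^T H_i A
Y = sample_nonsingular(conjugator_space(HS, HPS), random.Random(1))
```

The sampled Y satisfies the linear equations but is not required to satisfy Y^T D Y = D; that correction is the square-root step the summary describes next.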
The second sub‑problem—computing a matrix square root—cannot rely on floating‑point methods because the algorithm must control bit‑complexity. The authors devise exact algebraic algorithms for this task. They factor the minimal polynomial of Z, work in an appropriate field extension L/K, and construct a matrix U such that Z = U U^T. Then W = U^{-1} serves as the required square root. The algorithms run in polynomial time for finite fields, the rationals, and any field of characteristic ≠ 2, with each coefficient lying in an extension of bounded degree.
Beyond solving the decision problem, the paper studies the counting version #IP1S, providing a complete description of the automorphism group of a set of homogeneous quadratic forms. This group is shown to be the intersection of the D‑orthogonal group with the centralizer of the algebra generated by the Hessians, yielding explicit formulas for the number of solutions.
Finally, the authors extend their techniques to the full Isomorphism of Polynomials (IP) problem, where both the variables and the polynomials may be transformed linearly. For the special case f = (x_1^d,…,x_n^d), they reduce IP to factoring the determinant of a linear matrix (a matrix whose entries are linear forms). This generalizes a result of Kayal for the PolyProj problem and leads to a randomized polynomial‑time algorithm for this class as well.
Overall, the paper transforms the seemingly nonlinear quadratic isomorphism problem into a combination of linear algebraic tasks—simultaneous similarity and matrix square roots—both of which admit efficient exact algorithms. This breakthrough provides the first polynomial‑time solution for quadratic IP1S, clarifies the structure of its solution space, and opens new avenues for cryptographic analysis and for tackling higher‑degree instances.