up:: The New Standards MOC

Algebraic Attacks on Multivariate Cryptography

Algebraic attacks are the way multivariate cryptography gets broken. Instead of guessing keys, they treat the public system of quadratic equations as a puzzle to be solved directly, using heavy algebra (Gröbner bases, the MinRank problem, the Kipnis-Shamir method) to hunt for the hidden structure the designer scrambled away. This is the family of techniques Ward Beullens used to break Rainbow on a laptop in 2022, and it’s the exact threat that UOV and MAYO parameters are chosen to survive. Understanding these attacks explains both why multivariate signatures can be so small and why NIST is being so careful before standardizing any of them.

The short version:

  • Algebraic attacks solve the public equations directly rather than searching a keyspace, so their cost is governed by the difficulty of the algebra, not by key length alone.
  • The core engine is Gröbner-basis computation (Faugère’s F4 and F5 algorithms), which systematically simplifies a polynomial system until it can be solved. When the system has hidden structure, this can run far faster than the designer intended.
  • The MinRank problem, finding a low-rank matrix in a space of matrices, is the abstract weakness underneath many multivariate breaks. Oil-and-vinegar-style trapdoors leak a low-rank object that a MinRank solver can grab.
  • The Kipnis-Shamir attack (1999) was the first to turn hidden multivariate structure into a MinRank instance, and its descendants are what most modern breaks run on.
  • These attacks are why Rainbow fell in 2022 and why UOV and MAYO parameters are set against them. The live risk to this family is classical algebra, not quantum computing.

Picture the public key as a knotted mess of a few thousand quadratic equations in several hundred unknowns, deliberately tangled so no shortcut is visible. A brute-force solver would try to untangle it blindly and drown in the size. An algebraic attacker does something smarter: it looks for a faint regularity the designer couldn’t fully erase, a place where the tangle secretly has low rank or extra symmetry, and it aims the full machinery of computer algebra at that seam. If the seam is real, the whole knot comes apart far faster than the size suggests. Every multivariate break in the record is a story of an attacker finding such a seam.

What are algebraic attacks on multivariate cryptography?

Algebraic attacks recover the secret key of a multivariate scheme by solving polynomial equations, not by exhausting a keyspace. A multivariate public key is a map of quadratic polynomials over a finite field, and the scheme is secure only because inverting that map (the MQ problem) is hard in general. An algebraic attacker sets up a polynomial system that encodes either the message-forgery problem or, more damagingly, the secret-key-recovery problem, then throws general equation-solving machinery at it.

The reason this is the natural attack is that a multivariate key is, by construction, a big pile of equations. The whole security argument is that a random such pile is NP-hard to solve. The danger is that the pile isn’t random: it was built with a trapdoor, and a trapdoor is structure, and structure is what algebraic solvers exploit. So the entire cryptanalytic contest is about whether the trapdoor structure leaks into a form these solvers can detect.

The three techniques that dominate the family’s cryptanalysis fit together as a toolkit:

TechniqueWhat it doesRole in a break
Gröbner basis (F4/F5)Simplifies a polynomial system to a solvable canonical formThe general solving engine; its cost tracks the solving degree
MinRankFinds a low-rank matrix in a matrix spaceThe abstract weakness oil-and-vinegar trapdoors leak into
Kipnis-ShamirRecasts hidden multivariate structure as a MinRank instanceThe 1999 template most modern key-recovery attacks follow

Source: NIST IR 8528, Status Report on the First Round of the Additional Digital Signature Schemes, October 2024, csrc.nist.gov, which evaluates the surviving multivariate candidates against exactly this class of attack.

How do Gröbner-basis attacks (F4 and F5) work?

Gröbner-basis attacks work by transforming a messy system of polynomial equations into an equivalent, cleaner system from which solutions can be read off. A Gröbner basis is a canonical, simplified form of a polynomial ideal, and computing one is the algebraic equivalent of running Gaussian elimination on a linear system, generalized to higher-degree equations. Once you have it, extracting the solutions is comparatively easy. The hard part is the computation itself, whose cost explodes with the degree the system reaches during solving.

The workhorse algorithms are Jean-Charles Faugère’s F4 and F5. F5’s key advance is avoiding the wasted effort of computing rows that reduce to zero, which is where naive Gröbner methods burn most of their time. Against a genuinely random quadratic system, these algorithms hit the same wall everyone does, because the solving degree climbs and the cost with it. Against a structured multivariate trapdoor, the solving degree can stay unexpectedly low, and the attack finishes far ahead of the security estimate.

Source: J.-C. Faugère, “A new efficient algorithm for computing Gröbner bases without reduction to zero (F5),” ISSAC 2002, ACM Digital Library, the algorithm at the center of modern algebraic cryptanalysis.

So the security of a multivariate scheme against Gröbner attacks comes down to one number: how high the solving degree stays. Designers estimate it, set parameters so it stays high, and cryptanalysts spend their time finding structural tricks that pull it back down.

What is the MinRank problem, and why does it matter here?

The MinRank problem asks, given a collection of matrices, to find a low-rank linear combination of them, and it’s the abstract soft spot underneath a large share of multivariate breaks. It matters because oil-and-vinegar trapdoors, the design nearly every surviving multivariate scheme is built on, hide their secret in objects that have deliberately low rank. If an attacker can reformulate key recovery as “find the low-rank matrix in this space,” a MinRank solver becomes a key-recovery engine.

MinRank is itself NP-hard in general, so its presence is not an automatic break. The threat is specific: certain multivariate constructions turn out to give a MinRank instance that’s much easier than a random one, because the scheme’s structure forces the target rank low or the matrix space small. The cryptanalytic history of the family is largely a sequence of researchers finding sharper ways to express a given scheme as a tractable MinRank problem and then solving it with Gröbner methods.

Source: J.-C. Faugère, F. Levy-dit-Vehel, L. Perret, “Cryptanalysis of MinRank,” CRYPTO 2008, SpringerLink, which develops the Gröbner-based approach to solving MinRank that underpins later multivariate attacks.

What was the Kipnis-Shamir attack?

The Kipnis-Shamir attack, published in 1999, was the first to turn the hidden structure of a multivariate scheme into a MinRank instance, and it set the template every later break followed. Aviad Kipnis and Adi Shamir aimed it at Patarin’s HFE (Hidden Field Equations) cryptosystem. Their insight was that HFE’s secret polynomial, lifted into matrix form, has low rank, so recovering the private key reduces to finding a low-rank matrix in a space defined by the public key. That’s a MinRank problem, and solving it recovers the trapdoor.

Source: A. Kipnis and A. Shamir, “Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization,” CRYPTO 1999, SpringerLink, the paper that first connected multivariate key recovery to MinRank.

The lasting importance is the method, not the specific target. Kipnis-Shamir established the two-step recipe that dominates multivariate cryptanalysis: first find the low-rank object the trapdoor secretly contains, then solve for it with rank-based algebra and Gröbner tools. Every modern attack on the oil-and-vinegar lineage, including the one that broke Rainbow, is a descendant of this move.

Why did these attacks break Rainbow in 2022?

These attacks broke Rainbow because its layered design, added for efficiency, introduced extra algebraic structure that an attacker could grab as a MinRank instance. Rainbow was a multi-layer generalization of Unbalanced Oil and Vinegar and a NIST Round 3 finalist. In 2020, Ward Beullens published new attacks against UOV and Rainbow, including a “rectangular MinRank” attack that exploited a fresh way to extract a low-rank target from Rainbow’s public key.

Source: W. Beullens, “Improved Cryptanalysis of UOV and Rainbow,” Eurocrypt 2021, IACR ePrint 2020/1343, which introduced the intersection and rectangular-MinRank attacks on the family.

He then sharpened the assault. In February 2022, Beullens published a key-recovery attack that, for Rainbow’s level-1 parameters, recovered the secret key in about 53 hours on a standard laptop, one weekend of commodity compute. That result knocked Rainbow out of standardization contention.

Source: W. Beullens, “Breaking Rainbow Takes a Weekend on a Laptop,” CRYPTO 2022, IACR ePrint 2022/214, which reports the ~53-hour laptop key recovery.

The lesson the field drew is precise: Rainbow’s extra layers were extra structure, and extra structure is extra surface for a MinRank attack. The plainer Unbalanced Oil and Vinegar design underneath Rainbow was not broken by this attack, which is why the family survived the loss of its flagship rather than disappearing with it.

How are UOV and MAYO parameters set against these attacks?

UOV and MAYO parameters are chosen so that every known algebraic attack, Gröbner-basis solving and the MinRank variants alike, costs more than the scheme’s target security level. Designers estimate the cost of each attack as a function of the field size and the numbers of oil and vinegar variables, then pick values that push the cheapest attack above, say, the work of breaking AES-128. The generous excess of vinegar variables over oil variables in UOV exists specifically to keep the relevant MinRank and Gröbner attacks expensive.

Source: NIST IR 8528, October 2024, csrc.nist.gov, which tracks UOV, MAYO, QR-UOV, and SNOVA as second-round candidates under continuing algebraic-attack analysis.

This is why the family is treated as promising-but-unfinalized. The security of a multivariate scheme is a moving estimate against a live, active area of algebraic cryptanalysis, and Rainbow is the reminder that a parameter set can look safe right up until a new structural trick appears. NIST’s caution is a direct response to that history: it wants the surviving oil-and-vinegar schemes to sit under sustained attack for years before any of them carries a standard.

Common misconceptions

“Quantum computers are what threaten multivariate cryptography.” They aren’t the main threat. The MQ problem has no known efficient quantum attack, so Shor’s algorithm has nothing to grab. The real danger to this family is classical algebraic cryptanalysis, the Gröbner and MinRank machinery that broke Rainbow.

“Rainbow fell, so the whole multivariate family is broken.” Only Rainbow’s specific layered structure fell to the MinRank attack. The plainer Unbalanced Oil and Vinegar design it was built on withstood it and remains a NIST second-round candidate. The break narrowed the family without ending it.

“A Gröbner basis is a quick solve.” Computing a Gröbner basis is the hard part of the attack, and its cost can explode with the solving degree. It becomes a fast break only when the target scheme’s structure keeps the solving degree low, which is exactly what good parameters prevent.

“If a laptop broke it, the underlying math must be weak.” The Rainbow attack exploited that scheme’s added structure, not a weakness in the general MQ problem, which stays NP-hard. The takeaway was about the danger of structure added for efficiency, not about multivariate hardness being fragile.

Questions people ask

What is the main way multivariate cryptography gets attacked? Through algebraic attacks that solve the public equations directly, principally Gröbner-basis methods and MinRank-based key recovery, rather than through key search or quantum algorithms.

What is the MinRank problem in one line? It’s the problem of finding a low-rank combination of a given set of matrices, and it’s the abstract weakness that oil-and-vinegar trapdoors can leak into, which is why so many multivariate breaks reduce to it.

Who broke Rainbow, and how fast? Ward Beullens, with a MinRank-based key-recovery attack that took about 53 hours on a standard laptop for the level-1 parameters (IACR ePrint 2022/214).

Are UOV and MAYO safe from these attacks? Their parameters are set so every known algebraic attack costs more than the target security level, and both are active NIST second-round candidates under continuing analysis. That makes them design-for-and-watch options, with no finalized standard yet.

Do these attacks use a quantum computer? No. Gröbner-basis and MinRank attacks are classical. The multivariate family’s exposure is to classical algebra, which is a different risk from the quantum threat that drives the rest of the transition.


Algebraic attacks are the reason multivariate cryptography carries both its smallest-in-class signatures and its most cautionary track record, and they explain exactly why NIST is studying the survivors so carefully. Everything here is the map, given freely. When your team needs to decide which post-quantum signatures actually belong in your protocols and estate, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.