# Breaking MQ-Sign round 1 using algebraic cryptanalysis

In [None]:
# Params setup

q = 2^8
v = 72
m = 46

__SEC_LEVEL__ = 1

if __SEC_LEVEL__ == 3:
    v = 112
    m = 72

if __SEC_LEVEL__ == 5:
    v = 148
    m = 96

n = v + m
K = GF(q)

# Functions for MQ-Sign keygen

def V2(i, s):
    return ((((i+1)+(s+1)-1) % v))

def O2(i, s):
    return ((((i+1)+(s+1)-2) % m) + v)

def Upper(M, nn):
  for i in range(0, nn):
      for j in range(i, nn):
          M[i, j] += M[j, i]
          M[j, i] = 0
  return M

def MQSignCentralMap():
    F = []
    for s in range(0, m):
        M = zero_matrix(K, n, n)
        for i in range(0, v):
            M[i, V2(i, s)] = K.random_element()
            M[i, O2(i, s)] = K.random_element()
        M = Upper(M, n)
        F.append(M)
    return F

def UpperTriangularS():
    S = block_matrix([ [identity_matrix(K,v), random_matrix(K, v, m)], [zero_matrix(K,m,v), identity_matrix(K,m)] ])
    return S

def GetPublicKey(F, S):
  S = S.submatrix(0, v, v, m)
  F1 = [F[s].submatrix(0, 0, v, v) for s in range(0, m)]
  F2 = [F[s].submatrix(0, v, v, m) for s in range(0, m)]
  P1 = [F1[s] for s in range(0, m)]
  P2 = [(F1[s] + F1[s].transpose())*S + F2[s] for s in range(0, m)]
  P3 = [Upper(S.transpose()*F1[s]*S+S.transpose()*F2[s], m) for s in range(0, m)]
  P = [block_matrix([[P1[s], P2[s]], [zero_matrix(K, m, v), P3[s]]]) for s in range(0, m)]
  return P




# MAIN

F = MQSignCentralMap()
S = UpperTriangularS()
P = GetPublicKey(F, S)

S_sol = GetSolution(P)
print(S_sol == S.submatrix(0, v, v, m))


## Your solution

In [None]:
# Functions used for the attack
# Starting only from an MQ-Sign public key, try to find the value of S in the upper-right corner.
# As per the equivalent keys optimization, this is a v by m matrix. 
def GetSolution(P):
    
    return S_sol


## Test time

In [None]:
F = MQSignCentralMap()
S = UpperTriangularS()
P = GetPublicKey(F, S)

S_sol = GetSolution(P)
print(S_sol == S.submatrix(0, v, v, m))