Abstract
Due to the recent attack of Beullens on Rainbow, the crypto community looks back again at the unbalanced oil-and-vinegar (UOV) signature. The original UOV does not have any formal security reduction. It was Sakumoto et al. who added a random salt to the original UOV signature to give a reduction under the UOV-inversion (UOVI) problem in the classical random oracle model (CROM).
In this paper, we revisit the security of salted UOV signature. We start by identifying some issues related to programming the random oracle and the distribution of the salt. Then provide a security reduction of the salted UOV signature in the CROM that clearly addresses these issues. One crucial requirement of our reduction is that the field size needs to be asymptotically superpolynomial in the security parameter. We also give a security reduction of the salted UOV under the UOVI problem in the quantum random oracle model. This work is hoped to aid further concrete security analysis and thereby guide parameter choice of UOV-based schemes in the context of future standardization of post-quantum signature.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Given a random UOV public map \(\mathcal {P}:\mathbb {F}^{n}\rightarrow \mathbb {F}^{m}\) and a random element \({\boldsymbol{y}}\in \mathbb {F}^{m}\), find an \({\boldsymbol{x}}\in \mathbb {F}^{n}\) such that \(\mathcal {P}({\boldsymbol{x}}) = {\boldsymbol{y}}\).
- 2.
Note that whatever the parameter choice of UOV, the unavoidable degradation due to the total number of random oracle queries will always be there.
- 3.
Note that the reduction also works, if f is considered to be a regular function. Here regular means the preimage sets of all the points in \({\mathcal {M}}\) under f are of same size.
- 4.
As mentioned earlier in Sect. 3.1, there is a gap between the distribution of salts involved in the construction and the security reduction of [SSH11]. That gap essentially depends on the size of the underlying field. But the authors implicitly assumed that a computational adversary cannot distinguish the difference. Unlike [SSH11], our security treatment takes into account this difference.
- 5.
Note that \(\mathcal {H}(\textsf{m}_i||s_i)\) is programmed by the value \(\mathcal {P}({\boldsymbol{x}}_i)\), instead of uniformly random value of \(\mathbb {F}^{m}\) and this change is already captured in \(\textsf{Game}_2\).
- 6.
Since the salt generation in the security game is involved only in answering sign-oracle (classically), it is sufficient to have a salt generation random oracle \(\mathcal {O}_{\textsf{salt}}\) which is classical.
- 7.
The whole purpose of this counter is to generate different salts even for the same message queried multiple times to the sign-oracle.
References
Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 348–373. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_13
Beullens, W.: Breaking rainbow takes a weekend on a laptop. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13508, pp. 464–479. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_16
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: 1st ACM conference on Computer and communications security, pp. 62–73. SIAM (1993)
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Chatterjee, S., Dimri, A., Pandit, T.: Identity-based signature and extended forking algorithm in the multivariate quadratic setting. In: Adhikari, A., Küsters, R., Preneel, B. (eds.) INDOCRYPT 2021. LNCS, vol. 13143, pp. 387–412. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92518-5_18
Chen, M.-S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: From 5-pass \(\cal{MQ}\)-based identification to \(\cal{MQ}\)-based signatures. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 135–165. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_5
Chen, J., Ling, J., Ning, J., Ding, J.: Identity-based signature schemes for multivariate public key cryptosystems. Comput. J. 62(8), 1132–1147 (2019)
Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_12
Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_15
Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055733
Mohamed, M.S.E., Petzoldt, A.: RingRainbow – an efficient multivariate ring signature scheme. In: Joye, M., Nitaj, A. (eds.) AFRICACRYPT 2017. LNCS, vol. 10239, pp. 3–20. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57339-7_1
Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, New York (2000)
Patarin, J.: The oil and vinegar algorithm for signatures. In: Dagstuhl Workshop on Cryptography (1997)
Petzoldt, A., Chen, M.-S., Yang, B.-Y., Tao, C., Ding, J.: Design principles for HFEv- based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_14
Petzoldt, A., Szepieniec, A., Mohamed, M.S.E.: A practical multivariate blind signature scheme. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 437–454. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_25
Sakumoto, K., Shirai, T., Hiwatari, H.: On provable security of UOV and HFE signature schemes against chosen-message attack. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 68–82. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_5
Zhandry, M.: How to construct quantum random functions. In: FOCS, pp. 679–687. IEEE Computer Society (2012)
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
Zhandry, M.: Cryptography in the age of quantum computers. Ph.D. thesis, Stanford University (2015)
Acknowledgement
We would like to thank the anonymous reviewers of Indocrypt 2022 for their comments and suggestions that helped us in polishing the technical and editorial content of this paper. This work is supported by the Ministry of Electronics and Information Technology, Government of India through its grants for the Center of Excellence in Quantum Technology at IISc Bangalore, India.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Signature Using Trapdoor Information
1.1 A.1 Algorithm for Solving the Public Key System Using Trapdoor Information
In this section, we give the method for solving the public key system using the trapdoor information as an algorithm. The procedure was described in Sect. 4.1.
1.2 A.2 Signature Scheme
Let us write down the complete signature scheme based on this trapdoor.
-
\(\textsf{KeyGen}\). This takes the security parameter \(1^\kappa \) as input and outputs the public and secret keys. The secret key is a description of the subspace \(\textsf{O}\subset \mathbb {F}^{n}\) and the public key is the system \(\mathcal {P}\) consisting of \({m}\) MQ-polynomials in \({n}\) variables which vanish at \(\textsf{O}\). Note that \(\textsf{O}\) can be represented by an \(n\times m\) matrix as described in Sect. 4.1. Thus \(\mathcal{S}\mathcal{K}= \textsf{O}\) and \(\mathcal{P}\mathcal{K}= \mathcal {P}\). A hash function \(\mathcal {H}:{\mathcal {M}}\rightarrow \mathbb {F}^{m}\) for converting message into a fixed-length digest is known publicly.
-
\(\textsf{Sign}\). This takes message \(\textsf{m}\) and the secret key \(\mathcal{S}\mathcal{K}\) as input and outputs a signature \(\sigma \). The signature \(\sigma \) is obtained by solving \(\mathcal {P}(\cdot ) = \mathcal {H}(\textsf{m})\) using Algorithm 2.
-
\(\textsf{Ver}\). This takes the message \(\textsf{m}\), the signature \(\sigma \) and the public key \(\mathcal{P}\mathcal{K}\) as input and outputs accept or reject. If \(\mathcal {P}(\sigma ) = \mathcal {H}(\textsf{m})\), holds, the signature is accepted. Otherwise, the signature is rejected.
B Signature of Sakumoto et al.
We reproduce the salted version of UOV signature given in [SSH11, Section 4.1]. The secret key is a UOV type MQ system \(\mathcal {F}\) of \({m}\) polynomials in \({n}\) variables. The authors consider non-homogeneous polynomials. Then, as usual, an affine invertible transformation \(\mathcal {T}\) is used for mixing the variables. The public key is obtained in the obvious way as \(\mathcal {P}= \mathcal {F}\circ \mathcal {T}\). The scheme uses a salt of length \({\ell _s}\), which is a polynomial in the security parameter \(\kappa \). The public and the secret keys contain a description of the salt space.
The verification follows the obvious procedure. We describe the signing algorithm in Algorithm 3. The variable list is parsed as \(({\boldsymbol{x}}_{v},{\boldsymbol{x}}_{m})\), where \({\boldsymbol{x}}_{v}\) denotes the vector of vinegar variables and \({\boldsymbol{x}}_{m}\) that of oil variables. There are \({v}\) vinegar variables and \({m}\) oil variables. The notation \(\mathcal {F}({\boldsymbol{x}}_{v}^{\prime }, {\boldsymbol{x}}_{m})\) is used to denote the linear system in oil variables which is obtained after the vinegar variables have been specialized to the vector \({\boldsymbol{x}}_{v}^{\prime }\).
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Chatterjee, S., Das, M.P.L., Pandit, T. (2022). Revisiting the Security of Salted UOV Signature. In: Isobe, T., Sarkar, S. (eds) Progress in Cryptology – INDOCRYPT 2022. INDOCRYPT 2022. Lecture Notes in Computer Science, vol 13774. Springer, Cham. https://doi.org/10.1007/978-3-031-22912-1_31
Download citation
DOI: https://doi.org/10.1007/978-3-031-22912-1_31
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22911-4
Online ISBN: 978-3-031-22912-1
eBook Packages: Computer ScienceComputer Science (R0)