SSE Implementation of Multivariate PKCs on Modern x86 CPUs

  • Anna Inn-Tung Chen
  • Ming-Shing Chen
  • Tien-Ren Chen
  • Chen-Mou Cheng
  • Jintai Ding
  • Eric Li-Hsiang Kuo
  • Frost Yu-Shuang Lee
  • Bo-Yin Yang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5747)


Multivariate Public Key Cryptosystems (MPKCs) are often touted as future-proofing against Quantum Computers. They have also been known for their efficiency compared to “traditional” alternatives. However, this advantage seems to erode with the increase of arithmetic resources in modern CPUs and improved algorithms, especially with respect to Elliptic Curve Cryptography (ECC). In this paper, we show that hardware advances do not just favor ECC. Modern commodity CPUs also have many small integer arithmetic/logic resources, embodied by SSE2 or other vector instruction sets, that are useful for MPKCs. In particular, Intel’s SSSE3 instructions can speed up both public and private maps over prior software implementations of Rainbow-type systems by up to 4×. Furthermore, MPKCs over fields of relatively small odd prime characteristic can exploit SSE2 instructions, supported by most modern 64-bit Intel and AMD CPUs. For example, Rainbow over \({\mathbb F}_{31}\) can be up to 2× faster than prior implementations of similarly-sized systems over \({\mathbb F}_{16}\). Here a key advance is in using Wiedemann (as opposed to Gauss) solvers to invert the small linear systems in the central maps. We explain the techniques and design choices in implementing our chosen MPKC instances over fields such as \({\mathbb F}_{31}\), \({\mathbb F}_{16}\) and \({\mathbb F}_{256}\). We believe that our results can easily carry over to modern FPGAs, which often contain a large number of small multipliers, usable by odd-field MPKCs.
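The abstract names Wiedemann's algorithm as the replacement for Gaussian elimination when inverting the small linear systems of the central map over \({\mathbb F}_{31}\). The following is an added scalar reference implementation, written for this page and not taken from the paper (which uses vectorised SSE2 code); the matrix, the field size `P = 31`, the retry count and the sample system are constructed here. It shows the three steps a Wiedemann solver needs: build the Krylov sequence \(u^{T} A^{i} b\), recover its minimal polynomial with Berlekamp–Massey, and read \(A^{-1} b\) off the polynomial's coefficients. Because a random projection \(u\) can miss part of the minimal polynomial, the solver verifies \(Ax = b\) and retries with a fresh \(u\); a zero constant term is reported as a singular matrix instead of being inverted.

```python
"""Wiedemann solver over F_p for small dense linear systems (added example).

Scalar reference for the approach the abstract contrasts with Gauss:
compute the minimal polynomial of the Krylov sequence u^T A^i b with
Berlekamp-Massey, then read off A^{-1} b.  P, A_DEMO, X_DEMO and B_DEMO
are constructed sample values, not parameters from the paper.
"""
import random

P = 31  # the odd prime field F_31 used for the paper's Rainbow instance


def mat_vec(A, v):
    """A*v over F_p for a square matrix A (list of rows) and vector v."""
    return [sum(a * x for a, x in zip(row, v)) % P for row in A]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def berlekamp_massey(seq):
    """Minimal-polynomial coefficients c_0..c_L (c_0 == 1) of a linearly
    recurrent sequence over F_p: sum_{j=0}^{L} c_j * s_{n-j} == 0 for n >= L.
    """
    C, B = [1], [1]      # current / previous connection polynomial
    L, m, b = 0, 1, 1    # recurrence length, shift since last update, last discrepancy
    for n, s_n in enumerate(seq):
        d = s_n
        for j in range(1, L + 1):
            d = (d + C[j] * seq[n - j]) % P
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, P - 2, P) % P      # d / b via Fermat inverse
        T = C[:]
        if len(C) < len(B) + m:
            C.extend([0] * (len(B) + m - len(C)))
        for j, bj in enumerate(B):           # C(x) -= coef * x^m * B(x)
            C[j + m] = (C[j + m] - coef * bj) % P
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1]


def wiedemann_solve(A, b, tries=16, rng=random.Random(2009)):
    """Solve A x = b over F_p.  Returns x, or None if A is singular or every
    random projection u was unlucky (each try verifies A x == b)."""
    n = len(A)
    krylov = [b[:]]                          # A^0 b, A^1 b, ..., A^{2n-1} b
    for _ in range(2 * n - 1):
        krylov.append(mat_vec(A, krylov[-1]))
    for _ in range(tries):
        u = [rng.randrange(P) for _ in range(n)]
        c = berlekamp_massey([dot(u, v) for v in krylov])
        L = len(c) - 1
        # g(x) = sum_i c_{L-i} x^i annihilates b; g(0) = c_L is 0 only if A is singular
        if c[L] == 0:
            return None
        inv_c0 = pow(c[L], P - 2, P)
        x = [0] * n
        for i in range(1, L + 1):            # x = -(1/c_L) * sum_i c_{L-i} A^{i-1} b
            for k in range(n):
                x[k] = (x[k] + c[L - i] * krylov[i - 1][k]) % P
        x = [(-inv_c0 * xk) % P for xk in x]
        if mat_vec(A, x) == [bi % P for bi in b]:
            return x
    return None


# Constructed 5x5 sample: a row-permuted upper-triangular matrix with
# nonzero diagonal, hence nonsingular over F_31.
A_DEMO = [
    [0, 0, 1, 8, 2],
    [0, 0, 0, 0, 10],
    [2, 7, 0, 1, 5],
    [0, 0, 0, 6, 3],
    [0, 3, 4, 0, 9],
]
X_DEMO = [4, 30, 0, 17, 9]
B_DEMO = mat_vec(A_DEMO, X_DEMO)             # [30, 28, 1, 5, 16]

if __name__ == "__main__":
    print("b =", B_DEMO)
    print("x =", wiedemann_solve(A_DEMO, B_DEMO))
```

The verification step is what makes the randomised method safe to use inside a signing routine: a wrong solution is never returned silently, and for a nonsingular matrix each extra try with a fresh \(u\) succeeds with probability at least roughly \(1 - n/p\).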


Keywords

multivariate public key cryptosystem (MPKC), TTS, Rainbow, ℓIC, vector instructions, SSE2, SSSE3, Wiedemann

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Anna Inn-Tung Chen (1)
  • Ming-Shing Chen (2)
  • Tien-Ren Chen (2)
  • Chen-Mou Cheng (1)
  • Jintai Ding (3)
  • Eric Li-Hsiang Kuo (2)
  • Frost Yu-Shuang Lee (1)
  • Bo-Yin Yang (2)
  1. National Taiwan University, Taipei, Taiwan
  2. Academia Sinica, Taipei, Taiwan
  3. University of Cincinnati, Cincinnati, USA
