Small Public Keys and Fast Verification for \(\mathcal{M}\)ultivariate \(\mathcal{Q}\)uadratic Public Key Systems

  • Albrecht Petzoldt
  • Enrico Thomae
  • Stanislav Bulygin
  • Christopher Wolf
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6917)


Security of public key schemes in a post-quantum world is a challenging task—as both RSA and ECC will be broken then. In this paper, we show how post-quantum signature systems based on \(\mathcal{M}\)ultivariate \(\mathcal{Q}\)uadratic (\(\mathcal{MQ}\)) polynomials can be improved up by about 9/10, and 3/5, respectively, in terms of public key size and verification time. The exact figures are 88% and 59%. This is particularly important for small-scale devices with restricted energy, memory, or computational power. In addition, we provide evidence that this reduction does not affect security and that it is also optimal in terms of possible attacks. We do so by combining the previously unrelated concepts of reduced and equivalent keys. Our new scheme is based on the so-called Unbalanced Oil and Vinegar class of \(\mathcal{MQ}\)-schemes. We have derived our results mathematically and verified the speed-ups through a C++ implementation.


Multivariate Quadratic Cryptography Post-Quantum Cryptography Implementation Unbalanced Oil and Vinegar Signature Scheme 


  1. [1]
    Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post-Quantum Cryptography. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  2. [2]
    Bettale, L., Faugére, J.-C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. Journal of Mathematical Cryptology 3, 177–197 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  3. [3]
    Bogdanov, A., Eisenbarth, T., Rupp, A., Wolf, C.: Time-area optimized public-key engines: \(\mathcal{MQ}\)-cryptosystems as replacement for elliptic curves? In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 45–61. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. [4]
    Chen, A.I.-T., Chen, C.-H.O., Chen, M.-S., Cheng, C.-M., Yang, B.-Y.: Practical-sized instances of multivariate pKCs: Rainbow, TTS, and ℓIC-derivatives. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 95–108. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. [5]
    Chen, A.I.-T., Chen, M.-S., Chen, T.-R., Cheng, C.-M., Ding, J., Kuo, E.L.-H., Lee, F.Y.-S., Yang, B.-Y.: SSE implementation of multivariate pKCs on modern x86 cPUs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 33–48. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  6. [6]
    Ding, J., Gower, J.E., Schmidt, D.: Multivariate Public Key Cryptography. Cambridge University Press, Cambridge (2006)Google Scholar
  7. [7]
    Faugére, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: ISSAC 2002, pp. 75–83. ACM Press, New York (2002)CrossRefGoogle Scholar
  8. [8]
    Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W.H. Freeman and Company, New York (1979)zbMATHGoogle Scholar
  9. [9]
    Hu, Y., Wang, L., Chou, C., Lai, F.: Similar keys of multivariate quadratic public key cryptosystems. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds.) CANS 2005. LNCS, vol. 3810, pp. 211–222. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. [10]
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)Google Scholar
  11. [11]
    Kipnis, A., Shamir, A.: Cryptanalysis of the oil & vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998)Google Scholar
  12. [12]
    Patarin, J.: The oil and vinegar signature scheme. Presented at the Dagstuhl Workshop on Cryptography, transparencies (September 1997)Google Scholar
  13. [13]
    Petzoldt, A., Bulygin, S., Buchmann, J.: A multivariate signature scheme with a partially cyclic public key. In: SCC 2010, pp. 229–235 (2010)Google Scholar
  14. [14]
    Petzoldt, A., Bulygin, S., Buchmann, J.: Linear recurring sequences for the UOV key generation. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 335–350. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. [15]
    Petzoldt, A., Thomae, E., Bulygin, S., Wolf, C.: Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems (full version),
  16. [16]
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 26(5), 1484–1509 (1997)MathSciNetzbMATHCrossRefGoogle Scholar
  17. [17]
    Turán, P.: On an extremal problem in Graph Theory. Matematiko Fizicki Lapok 48, 436–452 (1941)zbMATHGoogle Scholar
  18. [18]
    Wolf, C., Preneel, B.: Taxonomy of public key schemes based on the problem of multivariate quadratic equations,
  19. [19]
    Wolf, C., Preneel, B.: Superfluous keys in Multivariate Quadratic asymmetric systems. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 275–287. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. [20]
    Wolf, C., Preneel, B.: Equivalent keys in multivariate quadratic public key systems. Journal of Mathematical Cryptology (to appear, 2011)Google Scholar
  21. [21]
    Yang, B.-Y., Chen, J.-M., Chen, Y.-H.: TTS: High-speed signatures on a low-cost smart card. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 371–385. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Albrecht Petzoldt
    • 1
  • Enrico Thomae
    • 2
  • Stanislav Bulygin
    • 1
  • Christopher Wolf
    • 2
  1. 1.Technische Universität Darmstadt and, Center for Advanced Security Research Darmstadt (CASED)Germany
  2. 2.Horst Görtz Institute for IT-security, Faculty of MathematicsRuhr-University of BochumBochumGermany

Personalised recommendations