Design Principles for HFEv Based Multivariate Signature Schemes
Abstract
The Hidden Field Equations (HFE) Cryptosystem as proposed by Patarin is one of the best known and most studied multivariate schemes. While the security of the basic scheme appeared to be very weak, the HFEv variant seems to be a good candidate for digital signature schemes on the basis of multivariate polynomials. However, the currently existing scheme of this type, the QUARTZ signature scheme, is hardly used in practice because of its poor efficiency. In this paper we analyze recent results from Ding and Yang about the degree of regularity of HFEv systems and derive from them design principles for signature schemes of the HFEv type. Based on these results we propose the new HFEv based signature scheme Gui, which is more than 100 times faster than QUARTZ and therefore highly comparable with classical signature schemes such as RSA and ECDSA.
Keywords
Keywords: Multivariate cryptography, Digital signatures, HFEv, Design principles, Security, Performance
1 Introduction
Cryptographic techniques are an essential tool to guarantee the security of communication in modern society. Today, the security of nearly all of the cryptographic schemes used in practice is based on number theoretic problems such as factoring large integers and solving discrete logarithms. The best known schemes in this area are RSA [28], DSA [19] and ECC. However, schemes like these will become insecure as soon as large enough quantum computers arrive. The reason for this is Shor’s algorithm [29], which solves number theoretic problems like integer factorization and discrete logarithms in polynomial time on a quantum computer. Therefore, one needs alternatives to those classical public key schemes, based on hard mathematical problems not affected by quantum computer attacks.
Besides lattice, code and hash based cryptosystems, multivariate cryptography is one of the main candidates for this [1]. Multivariate schemes are in general very fast and require only modest computational resources, which makes them attractive for the use on low cost devices like smart cards and RFID chips [5, 6]. Additionally, at least in the area of digital signatures, there exists a large number of practical multivariate schemes [10, 20].
In 2001, Patarin and Courtois proposed a multivariate signature scheme called QUARTZ [24], which is based on the concept of HFEv. While QUARTZ produces very short signatures (128 bit), the signature generation process is very slow (at the time about 11 seconds per signature [6]). The main reason for this is the use of a high degree HFE polynomial (for QUARTZ this degree is given by \(D=129\)), which makes the inversion of the central map very costly.
At the time of the design of the QUARTZ scheme, very little was known about the complexity of algebraic attacks against the HFE family of systems, in particular, the HFEv schemes. Therefore, the authors of QUARTZ could not base their parameter choice on theoretical foundations. Recently, there has been a fundamental breakthrough in terms of understanding the behavior of algebraic attacks on the HFE family of systems [9, 11], which gives an upper bound on the degree of regularity of Gröbner basis attacks against those schemes.
In this paper, we review and analyze the results of Ding and Yang and derive from these results design criteria for HFEv based signature schemes. In particular we show that we can, by increasing the numbers a of Minus equations and v of Vinegar variables, achieve adequate security even for low degree HFE polynomials and that the upper bound on the degree of regularity given by Ding and Yang is reasonably tight. Based on our analysis, we propose the new HFEv based signature scheme Gui, which uses HFE polynomials of very low degree, namely \(D \in \{5,9,17\}\). This enables us to speed up the signature generation process by a factor of more than 100 compared to QUARTZ, without weakening the security of the scheme. By doing so, we create a highly practical multivariate signature scheme, whose performance is comparable to that of classical signature schemes such as RSA and ECDSA.
The rest of this paper is organized as follows. In Sect. 2 we give an introduction into the area of multivariate cryptography and in particular BigField signature schemes. Section 3 introduces the HFEv signature scheme and the changes made to this scheme by Patarin and Courtois when defining QUARTZ. Furthermore, in this section, we discuss the performance and the security of HFEv based signature schemes. In Sect. 4 we analyze the results of Ding and Yang on the behaviour of direct attacks on HFEv schemes by performing a large number of experiments and present the design criteria we derive from that. Based on these principles, we propose in Sect. 5 our new multivariate signature scheme Gui. Section 6 gives details on the implementation of the scheme and compares the efficiency of Gui with that of some standard signature schemes. Finally, Sect. 7 concludes the paper.
2 Multivariate Cryptography
MQ Problem: Given m multivariate quadratic polynomials \(p^{(1)}(\mathbf{x}), \dots , p^{(m)}(\mathbf{x})\) in n variables \(x_1, \dots , x_n\) as shown in Eq. (1), find a vector \(\bar{\mathbf{x}}=(\bar{x}_1, \dots , \bar{x}_n)\) such that \(p^{(1)}(\bar{\mathbf{x}})= \ldots = p^{(m)}(\bar{\mathbf{x}})=0\).
The MQ problem (for \(m \approx n\)) is proven to be NP-hard even for quadratic polynomials over the field GF(2) [15].
To build a public key cryptosystem based on the MQ problem, one starts with an easily invertible quadratic map \(\mathcal{F}:{\mathbb F}^n \rightarrow {\mathbb F}^m\) (central map). To hide the structure of \(\mathcal F\) in the public key, one composes it with two invertible affine (or linear) maps \(\mathcal{S}:{\mathbb F}^m \rightarrow {\mathbb F}^m\) and \(\mathcal{T}:{\mathbb F}^n \rightarrow {\mathbb F}^n\). The public key is therefore given by \(\mathcal{P}=\mathcal{S} \circ \mathcal{F} \circ \mathcal{T}\). The private key consists of \(\mathcal{S}\), \(\mathcal F\) and \(\mathcal{T}\) and therefore allows to invert the public key.
Note: Due to the above construction, the security of multivariate schemes is not only based on the MQ problem but also on the EIP problem (“Extended Isomorphism of Polynomials”) of finding the composition of \(\mathcal P\).
Signature generation: To generate a signature for a message \(\mathbf{h} \in {\mathbb F}^n\), one computes recursively \(\mathbf{x} = \mathcal{S}^{-1}(\mathbf{h}) \in {\mathbb F}^n\), \(X= \varPhi (\mathbf{x}) \in {\mathbb E}\), \(Y= \mathcal{F}^{-1}(X) \in {\mathbb E}\), \(\mathbf{y}= \varPhi ^{-1} (Y) \in {\mathbb F}^n\) and \(\mathbf{z}= \mathcal{T}^{-1}(\mathbf{y})\). The signature of the message \(\mathbf h\) is \(\mathbf{z} \in {\mathbb F}^n\).
Verification: To check the authenticity of a signature \(\mathbf{z} \in {\mathbb F}^n\), one simply computes \(\mathbf{h}' = \mathcal{P}(\mathbf{z}) \in {\mathbb F}^n\). If \(\mathbf{h}'=\mathbf{h}\) holds, the signature is accepted, otherwise rejected.
A good overview on existing multivariate schemes can be found in [8].
Two widely used variations of multivariate BigField signature schemes are the Minus variation and the use of additional (Vinegar) variables.
Minus variation: The idea of this variation is to remove a small number of equations from the public key. The Minus variation was first used in schemes like SFLASH [25] to prevent Patarin's Linearization Equations attack [26] against the Matsumoto-Imai cryptosystem [23].
Vinegar variation: In this variation one parametrizes the central map \(\mathcal F\) by adding (a small set of) additional (Vinegar) variables. In the context of multivariate BigField signature schemes, the Vinegar variation can be used to increase the security of the scheme against direct and rank attacks.
3 The HFEv Signature Scheme
In this section we introduce the HFEv signature scheme, which is the basis of both QUARTZ and our new signature scheme Gui (see Sect. 5).
Due to the special form of \(\mathcal F\), the map \(\bar{\mathcal{F}}= \varPhi ^{-1} \circ \mathcal{F} \circ \varPhi \) is a quadratic polynomial map from \({\mathbb F}^{n+v}\) to \({\mathbb F}^n\). To hide the structure of \(\bar{\mathcal{F}}\) in the public key, one combines it with two affine (or linear) maps \(\mathcal{S}: {\mathbb F}^n \rightarrow {\mathbb F}^{n-a}\) and \(\mathcal{T}:{\mathbb F}^{n+v} \rightarrow {\mathbb F}^{n+v}\) of maximal rank.
The public key of the scheme is the composed map \(\mathcal{P}=\mathcal{S} \circ \bar{\mathcal{F}} \circ \mathcal{T}:{\mathbb F}^{n+v} \rightarrow {\mathbb F}^{n-a}\); the private key consists of \(\mathcal S\), \(\mathcal F\) and \(\mathcal T\).
Signature generation: To generate a signature for a message \(\mathbf{h} \in {\mathbb F}^{n-a}\), the signer performs the following three steps.
 1. Compute a preimage \(\mathbf{x} \in {\mathbb F}^n\) of \(\mathbf h\) under the affine map \(\mathcal S\).
 2. Lift \(\mathbf x\) to the extension field \(\mathbb E\) (using the isomorphism \(\varPhi \)). Denote the result by X.
    Choose random values for the vinegar variables \(v_1, \dots , v_v \in {\mathbb F}\) and compute \(\mathcal{F}_V=\mathcal{F}(v_1, \dots , v_v)\).
    Solve the univariate polynomial equation \(\mathcal{F}_V(Y)=X\) by Berlekamp’s algorithm and compute \(\mathbf{y}' = \varPhi ^{-1}(Y) \in {\mathbb F}^{n}\).
    Set \(\mathbf{y}= (\mathbf{y}' \| v_1 \| \dots \| v_v)\).
 3. Compute the signature \(\mathbf{z} \in {\mathbb F}^{n+v}\) by \(\mathbf{z}= \mathcal{T}^{-1} (\mathbf{y})\).
3.1 QUARTZ
The input length of QUARTZ is only \(n-a=100\) bit. Therefore, it is possible for an attacker to use a birthday attack to find two different messages \(m_1\) and \(m_2\) which map to the same input value \(\mathbf{h} \in {\mathbb F}^{100}\) and therefore to the same signature.
To prevent this kind of attack, Patarin and Courtois developed a special procedure for the signature generation process of QUARTZ. Roughly speaking, one computes four HFEv signatures (for the messages \(\mathbf h\), \(\mathcal{H}(\mathbf{h} \| 0x00)\), \(\mathcal{H}(\mathbf{h} \| 0x01)\) and \(\mathcal{H}(\mathbf{h} \| 0x02)\)) and combines them into a single 128 bit signature of the message \(\mathbf h\). Analogously, during the signature verification process, one has to use the public key \(\mathcal P\) four times.
3.2 Performance
3.3 Security of HFEv Based Schemes

the MinRank attack and

direct algebraic attacks.
Therefore, the rank of the matrix \(W \cdot F \cdot W^T\) is less than or equal to r, which means that we can determine the coefficients \(s_k\) of Eq. (9) by solving an instance of the MinRank problem.
There is one other formulation of the MinRank problem. According to [13], solving a MinRank problem with \(n\times n\) matrices to a rank of \(r'\) involves computing a Gröbner basis with degree of regularity \(r'(n-r')+1\), where the rank is given by \(r'=r+v+a-1\). When we raise the rank \(r'\) (by increasing \(a+v\)), the complexity of the MinRank attack becomes much higher than that of a direct attack.
Direct Attacks. For the HFE family of schemes, the direct attack, namely the attack by directly solving the public equation \(\mathcal{P}(\mathbf{x})=\mathbf{h}\) by an algorithm like XL or a Gröbner basis method such as \(F_4\) [12], is a major concern because of what happened to HFE Challenge 1. At the time of the design of QUARTZ, very little was known theoretically about the complexity of algebraic attacks against the HFE family of systems, in particular the HFEv schemes. The authors of QUARTZ did not actually give an explanation for their selection of the parameters and therefore the parameter selection of their scheme was not supported by theoretical results. We need to point out that, as has been shown by experiments [22], the public systems of HFEv based schemes can be solved more easily than random systems.
Note: In [7] Courtois et al. estimated the complexity of a direct attack on QUARTZ by \(2^{74}\) operations. However, they underestimated the degree of regularity of solving an HFEv system drastically.
4 Design Principles for HFEv Based Signature Schemes
The theoretical breakthrough mentioned in the previous subsection indicates that it might be possible to substantially improve the original design of QUARTZ without reducing the security of the scheme, if we adapt the number of Minus equations and Vinegar variables in an appropriate way. By reducing the degree of the central HFEv polynomial we can speed up the operations of Berlekamp’s algorithm and therefore the signature generation process of the HFEv scheme. In this section, we analyze by experiments the behavior of direct attacks against HFEv schemes and the tightness of the upper bound given by Eq. (12). From our results we derive design principles for the construction of HFEv based signature schemes, which we later apply to our new signature scheme Gui presented in the next section.
In particular, we answer in this section the following questions.
 1. Equation (12) shows a tradeoff between the degree D of the HFE polynomial and the sum \(a+v\) of minus equations and vinegar variables. This would enable us to use low degree HFE polynomials in the construction of HFEv based signature schemes and therefore to improve their performance drastically. Can we verify this by experiments?
 2. Is the ratio between a and v important for the security of the scheme?
 3. Is the upper bound on the degree of regularity given by equation (12) reasonably tight?
 4. Does it help to guess some variables before applying a Gröbner basis algorithm to the system \(\mathcal P\) (Hybrid Approach)?
To answer these questions, we performed a large number of experiments with the \(F_4\) algorithm integrated in MAGMA. As we found, adding the field equations \(\{x_i^2 - x_i\}\) to the system makes a huge difference regarding the degree of regularity and the running time of the attack.
4.1 Can We Use HFE Polynomials of Low Degree D?
How should we choose the degree D of the HFE polynomial in order to obtain secure and efficient HFEv based schemes?

\(D=2,3\): Such small values of D would lead to matrices F of rank 2. We therefore do not think that these schemes can be secure.
\(D=5\): Although the plain HFE scheme with an HFE polynomial of degree 5 \((r=3)\) is highly insecure, we believe that the modified HFEv scheme provides adequate security.
\(D=9,17\): Other promising values for the degree of the HFE polynomial in use are \(D=9\) and \(D=17\), which lead to values of r of 4 and 5 respectively.
In the first series of experiments we analyzed the behavior of direct attacks against HFEv systems over GF(2) with different values of D. For this, we fixed the number of equations in the system. For different values of D, a and v we created HFEv systems and fixed \(a+v\) variables randomly to get determined systems. After adding the field equations \(\{x_i^2 - x_i\}\) we solved the systems using MAGMA’s implementation of the \(F_4\) algorithm. For each parameter set we performed 10 experiments.
Experiments with \(F_4\) on determined HFEv systems with 20 and 25 equations

| D | r | Minimal a, v (20 eq.) | \(d_{reg}\) | Time (s) | Memory (MB) | Minimal a, v (25 eq.) | \(d_{reg}\) | Time (s) | Memory (MB) |
|---|---|---|---|---|---|---|---|---|---|
| 129 | 8 | \(a=v=0\) | 5 | 2.74 | 109.7 | \(a=v=1\) | 6 | 276.2 | 7,621 |
| 65 | 7 | \(a=0\), \(v=1\) | 5 | 2.73 | 110.2 | \(a=v=2\) | 6 | 276.0 | 7,681 |
| 33 | 6 | \(a=v=1\) | 5 | 2.75 | 109.7 | \(a=2\), \(v=3\) | 6 | 273.4 | 7,762 |
| 17 | 5 | \(a=1\), \(v=2\) | 5 | 2.72 | 109.7 | \(a=v=3\) | 6 | 275.7 | 7,751 |
| 9 | 4 | \(a=v=2\) | 5 | 2.73 | 109.9 | \(a=3\), \(v=4\) | 6 | 276.4 | 7,693 |
| 5 | 3 | \(a=2\), \(v=3\) | 5 | 2.73 | 109.6 | \(a=v=4\) | 6 | 272.8 | 7,680 |
| Random system | | | 5 | 2.85 | 110.8 | | 6 | 286.3 | 7,683 |
Let d be the degree of regularity of a direct attack against an HFEv system with parameters \(D_1,n,a_1,v_1\) and let \(D_2 < D_1\).
By choosing large enough values for \(a_2\) and \(v_2\), we can obtain an HFEv scheme with parameters \(D_2,n,a_2,v_2\), such that the degree of regularity of a direct attack against this system is d, too.
4.2 Is the Ratio Between a and v Important for the Security of the Scheme?
Experiments with \(F_4\) on determined HFEv systems with 20 equations

| D | a + v | a | v | \(d_{reg}\) | Time (s) | Memory (MB) |
|---|---|---|---|---|---|---|
| 5 | 5 | 0 | 5 | 5 | 2.76 | 109.7 |
| 5 | 5 | 1 | 4 | 5 | 2.77 | 109.7 |
| 5 | 5 | 2 | 3 | 5 | 2.76 | 110.7 |
| 5 | 5 | 3 | 2 | 5 | 2.77 | 110.8 |
| 5 | 5 | 4 | 1 | 5 | 2.75 | 109.8 |
| 5 | 5 | 5 | 0 | 4 | 1.01 | 32.6 |
| 9 | 4 | 0 | 4 | 5 | 2.77 | 109.7 |
| 9 | 4 | 1 | 3 | 5 | 2.78 | 110.8 |
| 9 | 4 | 2 | 2 | 5 | 2.76 | 110.7 |
| 9 | 4 | 3 | 1 | 5 | 2.75 | 110.8 |
| 9 | 4 | 4 | 0 | 5 | 2.79 | 108.7 |
| 17 | 3 | 0 | 3 | 5 | 2.75 | 110.7 |
| 17 | 3 | 1 | 2 | 5 | 2.77 | 109.7 |
| 17 | 3 | 2 | 1 | 5 | 2.74 | 110.8 |
| 17 | 3 | 3 | 0 | 5 | 2.73 | 109.7 |
Experiments with \(F_4\) on determined HFEv systems with 25 equations

| D | a + v | a | v | \(d_{reg}\) | Time (s) | Memory (MB) |
|---|---|---|---|---|---|---|
| 5 | 8 | 0 | 8 | 6 | 246.6 | 7,582 |
| 5 | 8 | 1 | 7 | 6 | 246.2 | 7,579 |
| 5 | 8 | 2 | 6 | 6 | 246.6 | 7,580 |
| 5 | 8 | 3 | 5 | 6 | 248.1 | 7,581 |
| 5 | 8 | 4 | 4 | 6 | 247.1 | 7,581 |
| 5 | 8 | 5 | 3 | 6 | 248.3 | 7,582 |
| 5 | 8 | 6 | 2 | 6 | 248.3 | 7,554 |
| 5 | 8 | 7 | 1 | 5 | 99.3 | 1,317 |
| 5 | 8 | 8 | 0 | 5 | 88.3 | 1,509 |
| 9 | 7 | 0 | 7 | 6 | 248.9 | 7,582 |
| 9 | 7 | 1 | 6 | 6 | 247.4 | 7,582 |
| 9 | 7 | 2 | 5 | 6 | 248.0 | 7,580 |
| 9 | 7 | 3 | 4 | 6 | 246.4 | 7,593 |
| 9 | 7 | 4 | 3 | 6 | 248.3 | 7,578 |
| 9 | 7 | 5 | 2 | 6 | 248.5 | 7,579 |
| 9 | 7 | 6 | 1 | 6 | 247.3 | 7,581 |
| 9 | 7 | 7 | 0 | 5 | 99.5 | 1,380 |
| 17 | 6 | 0 | 6 | 6 | 247.0 | 7,581 |
| 17 | 6 | 1 | 5 | 6 | 247.6 | 7,581 |
| 17 | 6 | 2 | 4 | 6 | 247.6 | 7,581 |
| 17 | 6 | 3 | 3 | 6 | 248.3 | 7,579 |
| 17 | 6 | 4 | 2 | 6 | 246.5 | 7,580 |
| 17 | 6 | 5 | 1 | 6 | 248.8 | 7,580 |
| 17 | 6 | 6 | 0 | 6 | 247.9 | 7,581 |
As the tables show, in particular for HFEv schemes with low degree D, the number v of vinegar variables should not be too small. Especially, \(v=0\) (i.e. HFE) seems to be a bad choice.
4.3 Is the Upper Bound on \(d_{reg}\) Given by Eq. (12) Reasonably Tight?
For most of the other parameter sets, we missed the upper bound on the degree of regularity given by Eq. (12) only by 1. We believe that, by increasing the number of equations in the systems, it would be possible to reach the upper bound for arbitrary values of (D, a, v). However, due to memory restrictions, we could not perform experiments with more than 38 equations.
Parameter sets which lead to \(d_{reg} \ge 7\)

| D | a | v | \(d_{reg}\) (experimental) | Upper bound for \(d_{reg}\) (12) |
|---|---|---|---|---|
| 5 | 6 | 6 | 7 for \(n \ge 38\) | 9 |
| 9 | 5 | 5 | 7 for \(n \ge 37\) | 8 |
| 17 | 4 | 4 | 7 for \(n \ge 37\) | 8 |
4.4 Does it Help to Guess Some Variables Before Applying a Gröbner Basis Algorithm?
In the case of multivariate signature schemes such as HFEv the public key \(\mathcal P\) is an underdetermined system of quadratic equations. In our case this system consists of \(n-a\) quadratic equations in \(n+v\) variables. For the experiments presented in the previous subsections we fixed \(a+v\) of the variables of the system to create a determined system before applying the \(F_4\) algorithm.
Experiments on HFEv systems with the Hybrid Approach (minimal value of n to reach \(d_{reg} \ge 7\))

| # k of guessed variables | D = 5, a = v = 6 | D = 9, a = v = 5 | D = 17, a = v = 4 |
|---|---|---|---|
| 0 | 38 | 37 | 37 |
| 1 | 39 | 38 | 38 |
| 2 | 40 | 40 | 39 |
| 3 | 42 | 41 | 41 |
| 4 | 43 | 43 | 42 |
| 5 | 44 | 44 | 44 |
As the table shows, we could, for each of the above parameter sets and each value \(k \in \{0, \dots , 5\}\), create an HFEv system offering a good level of security, simply by increasing the number of equations in the system. In fact, the degree of regularity of a direct attack against such a system of \(n-a\) quadratic equations in \(n-a-k\) variables will be at least 7.
We therefore assume that, for large enough n, all the multivariate systems which have to be solved in the course of a direct/hybrid attack against our schemes, will have a degree of regularity of at least 7. This is the basis for our parameter selection presented in the next section.
5 The New Multivariate Signature Scheme Gui

Gui96 with \((n,D,a,v)=(96,5,6,6)\) with 90 equations in 102 variables,
Gui95 with \((n,D,a,v)=(95,9,5,5)\) with 90 equations in 100 variables and
Gui94 with \((n,D,a,v)=(94,17,4,4)\) with 90 equations in 98 variables.
The complexity of direct attacks against these schemes can be estimated as follows.
According to our experiments (see Table 6), the degree of regularity of the \(F_4\) algorithm (even with the Hybrid Approach) against these schemes will be at least 7.
Additionally, for better comparison to standard signature schemes, we propose a fourth version of Gui, Gui127, with the parameters \((n,D,a,v)=(127,9,4,6)\), providing a security level of 120 bits.
5.1 Signature Generation
The central component of the signature generation process of Gui is inverting the HFEv core map.
To compute a preimage of an \((n-a)\) bit digest \(\mathbf{h}\), one first has to choose random values for the Minus equations and the Vinegar variables. In our concrete implementation, these values are the last \(a+v\) bits of SHA256\((\mathbf{h})\). After that, one computes recursively \(\mathbf{x}=\mathcal{S}^{-1}(\mathbf{h})\), \(X=\varPhi (\mathbf{x})\), \(Y=\mathcal{F}_V^{-1}(X)\), \(\mathbf{y}=(\varPhi ^{-1}(Y) \| v_1 \| \dots \| v_v)\) and \(\mathbf{z}=\mathcal{T}^{-1}(\mathbf{y})\) (see Fig. 2).
For the parameters of Gui, the length of the digest \(\mathbf{h}\) is only \(n-a=90\) bits. To prevent birthday attacks, we therefore have to perform the above process several times (for different values of \(\mathbf{h}\)). We denote this repetition factor by k and set \(k=3\) for Gui96 and Gui95. For Gui94 and Gui127 the value k is chosen to be 4.
The signature generation process of Gui works as shown in Algorithm 1 and Fig. 3.
We initialize the \((n-a)\)-bit vector \(S_0\) to be \(\mathbf 0\) and compute the SHA256 hash value \(\mathbf h\) of the message. Let \(D_1\) be the bitstring consisting of the first \((n-a)\) bits of \(\mathbf{h}\). We compute the preimage of \(D_1\) under the HFEv core (see above) and split the result into an \((n-a)\) bit string \(S_1\) and an \(a+v\) bit string \(X_1\).
We set \(D_2\) to be the string consisting of the first \((n-a)\) bits of SHA256(\(\mathbf{h}\)) and compute the HFEv preimage of \(D_2 \oplus S_1\). Again, the result is split into the two parts \(S_2\) (\(n-a\) bits) and \(X_2\) (\(a+v\) bits). This process is repeated, until we have values \(S_i,X_i\) for \(i=1, \dots , k\).
The final signature of the message is given by \(\sigma =(S_k \| X_k \| \dots \| X_1 )\). The resulting signature sizes for our schemes can be found in Table 7.
5.2 Signature Verification
To check the authenticity of a signature \(\sigma \in {\text {GF(2)}}^{(n-a)+k(a+v)}\) we parse \(\sigma \) into \(S_k\), \(X_k, \dots , X_1\) and compute \(D_1, \dots , D_k\) as shown in Sect. 5.1. For \(i=k-1\) down to 0 we compute recursively \(S_i=\mathcal{P}(S_{i+1} \| X_{i+1}) \oplus D_{i+1}\). The signature is accepted if and only if \(S_0= \mathbf{0}\) holds.
By the above construction of the signature generation and verification process we prevent birthday attacks as follows. We consider an adversary A who wants to find two messages \(m_1\) and \(m_2\) which lead to the same signature \(\sigma \).
For the plain HFEv signature scheme it would be enough to find two messages \(m_1\) and \(m_2\) such that SHA256\((m_1)\) and SHA256\((m_2)\) agree in the first \(n-a\) bits. If \((n-a) \le 160\), the adversary can find \(m_1\) and \(m_2\) by a birthday attack.
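The chained signing and verification described above, as an added Python example (not code from the paper or from the Gui implementation). A toy bijection on \(n+v\) bits stands in for the trapdoor \(\mathcal{S} \circ \bar{\mathcal{F}} \circ \mathcal{T}\) (an assumption; the real core is inverted with Berlekamp's algorithm), the widths are shrunk to \(n-a=32\), \(a+v=8\) and \(k=3\), and the \(a+v\) Minus/Vinegar bits are taken from the hash of the value being inverted, mirroring the paper's use of the last \(a+v\) bits of SHA256.

```python
import hashlib

# Toy layout mirroring Gui's signature chain (constructed; not the paper's parameters).
# Gui96 uses n-a = 90, a+v = 12 and k = 3; widths are shrunk here for the toy bijection.
N_MINUS_A = 32                 # digest bits consumed per round (n-a)
A_PLUS_V = 8                   # Minus values + Vinegar variables (a+v)
K = 3                          # repetition factor k
TOTAL = N_MINUS_A + A_PLUS_V   # n+v, input width of the public map P
MASK = (1 << TOTAL) - 1
X_MASK = (1 << A_PLUS_V) - 1
ODD = (0x9E3779B97F4A7C15 & MASK) | 1      # odd multiplier, invertible mod 2^TOTAL
ODD_INV = pow(ODD, -1, 1 << TOTAL)
ROUND_CONST = 0x5A5A5A5A5A & MASK
ROT = 13

def _rotl(x, r):
    return ((x << r) | (x >> (TOTAL - r))) & MASK

def _rotr(x, r):
    return ((x >> r) | (x << (TOTAL - r))) & MASK

def _trapdoor(z):
    """Assumed stand-in for S∘F̄∘T: any bijection on n+v bits serves the chain structure."""
    for _ in range(3):
        z = (z * ODD) & MASK
        z ^= ROUND_CONST
        z = _rotl(z, ROT)
    return z

def _trapdoor_inv(y):
    for _ in range(3):
        y = _rotr(y, ROT)
        y ^= ROUND_CONST
        y = (y * ODD_INV) & MASK
    return y

def public_map(z):
    """P: GF(2)^{n+v} -> GF(2)^{n-a}; the Minus variation drops the last a+v output bits."""
    return _trapdoor(z) >> A_PLUS_V

def core_preimage(d, extra):
    """Invert the core for digest d after fixing the a+v Minus/Vinegar bits to `extra`.
    The real HFEv- core succeeds with probability about 1/e per try and needs a retry
    loop; the toy bijection always succeeds, so no retry is modelled here."""
    return _trapdoor_inv((d << A_PLUS_V) | extra)

def _digests(message):
    """D_1..D_k: first n-a bits of h, SHA256(h), SHA256(SHA256(h)), ..., h = SHA256(message)."""
    h = hashlib.sha256(message).digest()
    ds = []
    for _ in range(K):
        ds.append(int.from_bytes(h, "big") >> (256 - N_MINUS_A))
        h = hashlib.sha256(h).digest()
    return ds

def signature_bits():
    return N_MINUS_A + K * A_PLUS_V            # (n-a) + k(a+v)

def sign(message):
    """Return sigma = S_k || X_k || ... || X_1 as an integer of signature_bits() bits."""
    s, xs = 0, []                              # S_0 = 0
    for d in _digests(message):
        target = d ^ s                         # D_i xor S_{i-1}
        # Minus/Vinegar bits: last a+v bits of SHA256 of the value being inverted (assumption)
        extra = int.from_bytes(hashlib.sha256(
            target.to_bytes((TOTAL + 7) // 8, "big")).digest(), "big") & X_MASK
        y = core_preimage(target, extra)
        s, x = y >> A_PLUS_V, y & X_MASK       # split into S_i (n-a bits) and X_i (a+v bits)
        xs.append(x)
    sigma = s                                  # S_k
    for x in reversed(xs):                     # then X_k, ..., X_1
        sigma = (sigma << A_PLUS_V) | x
    return sigma

def verify(message, sigma):
    """Recompute S_{k-1}, ..., S_0 using only the public map; accept iff S_0 == 0."""
    ds = _digests(message)
    xs = []
    for _ in range(K):                         # parse X_1, ..., X_k from the low end
        xs.append(sigma & X_MASK)
        sigma >>= A_PLUS_V
    s = sigma                                  # what remains is S_k
    for i in range(K - 1, -1, -1):
        s = public_map((s << A_PLUS_V) | xs[i]) ^ ds[i]   # S_i = P(S_{i+1}||X_{i+1}) xor D_{i+1}
    return s == 0
```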
Key and signature sizes of Gui94, Gui95, Gui96, and Gui127

| Scheme | Core map HFEv(n, D, a, v) | Public key size (byte) | Private key size (byte) | Repetition factor k | Signature size (bit) |
|---|---|---|---|---|---|
| Gui96 | (96, 5, 6, 6) | 63036 | 3175 | 3 | 126 |
| Gui95 | (95, 9, 5, 5) | 60600 | 3053 | 3 | 120 |
| Gui94 | (94, 17, 4, 4) | 58212 | 2943 | 4 | 122 |
| Gui127 | (127, 9, 4, 6) | 142576 | 5350 | 4 | 163 |
| QUARTZ | (103, 129, 3, 4) | 75515 | 3774 | 4 | 128 |
6 Implementation and Comparison
In this section we present the details of our implementation of the Gui signature scheme and compare the performance of our scheme with that of the original QUARTZ and other standard signature schemes.
6.1 Arithmetics Over Finite Fields
The first step in our implementation of the Gui signature scheme is to provide efficient arithmetics over the large binary fields in use. To speed up these computations, we use a set of new processor instructions for carryless multiplication: PCLMULQDQ [30].
A multiplication over the large field \(\mathbb E\) is divided into two phases, namely a multiplication and a reduction phase.
In the multiplication phase, the multiplication of two 128-bit polynomials can be performed by 4 calls of PCLMULQDQ. With the help of the Karatsuba algorithm, we can avoid one call of PCLMULQDQ and therefore its long latency (see Table 8). To square an element of \(\mathbb E\), we need only two calls of PCLMULQDQ since we are operating over a field of characteristic 2.

\(\mathrm {GF}(2^{94}) := \mathrm {GF}(2) [x]/(x^{94}+x^{21}+1)\),
\(\mathrm {GF}(2^{95}) := \mathrm {GF}(2) [x]/(x^{95}+x^{11}+1)\),
\(\mathrm {GF}(2^{96}) := \mathrm {GF}(2) [x]/(x^{96}+x^{10}+x^9+x^6+1)\) and
\(\mathrm {GF}(2^{127}) := \mathrm {GF}(2) [x]/(x^{127}+x+1)\) respectively.
The baseline for the reduction phase is two calls of PCLMULQDQ since, after the multiplication phase, the degree of the polynomial will be greater than \(2 \times 64\). The irreducible polynomials above are chosen to contain only few terms of low degree. With few terms in the irreducible polynomials, we may replace the use of PCLMULQDQ by a few logic shifts and XOR instructions.
In the \(\mathrm {GF}(2^{127}) \) case, for example, the reduction can be performed by only two 128-bit shifts for the \(x^{128}\) part and one conditional XOR for the \(x^{127}\) term, avoiding at least two calls of PCLMULQDQ while reducing the high 128 bit register.
Another technique is to represent elements as 128bit polynomials while avoiding full reduction. This allows us to perform the reduction of degree 128–191 and 192–255 terms using only two calls of PCLMULQDQ without data dependency. In the \(\mathrm {GF}(2^{96}) \) case, for example, we can perform the reduction phase by multiplying the degree 128–191 terms by \(x^{128} = x^{42} + x^{41}+x^{38}+x^{32}\) and the degree 192–255 terms with \(x^{192} = x^{20} + x^{18}+x^{12}+1\). All the polynomials in use have degree \(\le 64\), and we can perform the reduction by two calls of PCLMULQDQ.
The proposed implementation provides constant-time multiplication to prevent side channel leakage, since, regardless of the input, the same operations are performed. The same strategy is also applied to the calculation of multiplicative inverses. For example, for the sake of constant-time arithmetic, the inverse of an element \(x \in \mathrm {GF}(2^{127}) \) is calculated by raising x to the power \(2^{127}-2\) instead of using the faster extended Euclidean algorithm.
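As an added illustration (not code from the paper or from the Gui implementation), the following Python models the two tricks above for the fields the paper defines: a bit-serial carry-less multiply standing in for PCLMULQDQ, the single-pass shift/XOR reduction that \(x^{127} \equiv x + 1\) allows, a generic shift-and-XOR reduction for \(\mathrm{GF}(2^{96})\) that reproduces the \(x^{128}\) and \(x^{192}\) identities quoted for that field, and the inverse as a fixed square-and-multiply chain for the exponent \(2^m-2\).

```python
# Irreducible polynomials from the paper as bit masks (bit i <-> x^i).
POLY_127 = (1 << 127) | (1 << 1) | 1                        # x^127 + x + 1
POLY_96 = (1 << 96) | (1 << 10) | (1 << 9) | (1 << 6) | 1   # x^96 + x^10 + x^9 + x^6 + 1

def clmul(a, b, width):
    """Carry-less product over GF(2): bit-serial stand-in for PCLMULQDQ. The loop always
    runs `width` iterations and masks instead of branching, mirroring the data-independent
    behaviour of the instruction (Python big ints are not truly constant-time, of course)."""
    r = 0
    for i in range(width):
        r ^= a & -((b >> i) & 1)
        a <<= 1
    return r

def sqr_poly(a, width):
    """Squaring in characteristic 2 is linear: cross terms cancel, so only the bits spread."""
    r = 0
    for i in range(width):
        r |= ((a >> i) & 1) << (2 * i)
    return r

def reduce_generic(p, poly, m):
    """Reduce p modulo an irreducible polynomial of degree m, highest term first."""
    for d in range(p.bit_length() - 1, m - 1, -1):
        if (p >> d) & 1:
            p ^= poly << (d - m)
    return p

def reduce_127(p):
    """Reduction modulo x^127 + x + 1 using x^127 = x + 1. A product of two field elements
    has degree <= 252, so the high part has degree <= 125 and one pass (a split, one shift,
    two XORs) suffices: the shift/XOR replacement for PCLMULQDQ that the paper describes."""
    mask = (1 << 127) - 1
    low, high = p & mask, p >> 127
    return low ^ high ^ (high << 1)          # high * x^127 = high * (x + 1)

class BinaryField:
    def __init__(self, m, poly, fast_reduce=None):
        self.m = m
        self.poly = poly
        self.reduce = fast_reduce or (lambda p: reduce_generic(p, poly, m))

    def mul(self, a, b):
        return self.reduce(clmul(a, b, self.m))

    def sqr(self, a):
        return self.reduce(sqr_poly(a, self.m))

    def inv(self, a):
        """a^(2^m - 2) via a fixed chain of m-2 square-and-multiply steps plus one final
        squaring (t = a^(2^k - 1) after k-1 steps). The operation sequence does not depend
        on a, which is why the paper prefers it to the extended Euclidean algorithm."""
        t = a
        for _ in range(self.m - 2):
            t = self.mul(self.sqr(t), a)
        return self.sqr(t)

GF2_127 = BinaryField(127, POLY_127, reduce_127)
GF2_96 = BinaryField(96, POLY_96)
```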
6.2 Inverting the HFEv Core
In this section we describe how we can perform the inversion of the central HFEv equation \(\mathcal{F}_V(Y) = X\) efficiently. During the signature generation process of Gui we have to perform this step several times to avoid birthday attacks (see Sect. 5.1). Therefore it is extremely important to perform this step efficiently.
Probability of a Unique Root. Every time we choose the values of Minus equations and Vinegar variables, we basically pick a random central equation \(\mathcal{F}_V(Y) - X = 0\). The probability of this equation having a unique solution is about \(1/e\). Therefore, in order to invert the HFEv central equation, we have to perform the \(\gcd \) computation about e times.
The repeated computation of the \(\gcd \) (see Eq. 15) is probably the most detectable side channel leakage of our scheme. However, there are no known side channel attacks on big field schemes or HFEv which use the information that one particular equation in the big field has no, respectively two or more solutions.
Although the starting relation \(\mathcal{F}_V(Y) = Y^{D} + \sum _{0 \le i \le j, 2^i+2^j <D } a_{ij} Y^{2^i+2^j}\) is a sparse polynomial, the polynomials become dense quickly in the course of the raising process. However, the number of terms in the polynomials is restricted by D because of the reduction \(\mod ~\mathcal F_V(Y)\). We expect the number of terms to be D on average during the computation.
We implemented Berlekamp’s algorithm in such a way that, at very low cost, it takes the same number of iterations in the main GCD loop and the same number of operations in the big field for each run. Therefore it runs, independently of the input, in constant time.
Key sizes of HFEv schemes and running time of \(\gcd ( X^{2^n} - X , \mathcal F(X))\)

| Scheme | Security level (bit) | Public key size (kB) | Private key size (kB) | Time needed for inverting \(\mathcal F\) (kilocycles) |
|---|---|---|---|---|
| HFEv (96, 5, 6, 6) | 80 | 61.6 | 3.1 | 72/76/55 |
| HFEv (95, 9, 5, 5) | 80 | 59.2 | 3.0 | 159/135/79 |
| HFEv (94, 17, 4, 4) | 80 | 56.8 | 2.9 | 533/453/274 |
| HFEv (127, 9, 4, 6) | 120 | 139.2 | 5.2 | 170/156/128 |
| HFEv (103, 129, 3, 4) | 80 | 71.9 | 3.1 | 25,793/20,784/12,630 |
6.3 Experiments and Comparison
Comparison between Gui and standard signature schemes

| Scheme | Security level (bits) | Public key size (Bytes) | Private key size (Bytes) | Signature size (bits) | Signing time (kcycles) | Verification time (kcycles) |
|---|---|---|---|---|---|---|
| Gui96 (96, 5, 6, 6) | 80 | 63,036 | 3,175 | 126 | 603/569/238 | 97/70/62 |
| Gui95 (95, 9, 5, 5) | 80 | 60,600 | 3,053 | 120 | 1,417/1,441/602 | 91/60/58 |
| Gui94 (94, 17, 4, 4) | 80 | 58,212 | 2,943 | 124 | 5,800/5,480/2,495 | 118/74/71 |
| Gui127 (127, 9, 4, 6) | 120 | 142,576 | 5,350 | 163 | 2,368/2,183/1,080 | 220/121/122 |
| QUARTZ (103, 129, 3, 4) | 80 | 73,626 | 3,174 | 128 | 302,882/315,716/128,736 | 145/84/86 |
| RSA1024 | 80 | 128 | 128 | 128 | 2,080/1,058/1,073 | 74/32/33 |
| RSA2048 | 112 | 256 | 256 | 256 | 8,834/5,347/4,625 | 138/76/61 |
| ECDSA P160 | 80 | 40 | 60 | 320 | 1,283/558/588 | 1,448/635/652 |
| ECDSA P192 | 96 | 48 | 72 | 384 | 1,513/773/697 | 1,715/867/779 |
| ECDSA P256 | 128 | 64 | 96 | 512 | 830/388/342 | 2,111/920/816 |
We should note that the timings for Gui given by Table 10 are for C programs with a few intrinsic function calls of PCLMULQDQ. The PKCs benchmarked in the eBACS project also do not represent optimal implementations of RSA and ECC. We present these numbers in an effort to compare apples to apples by using only reference implementations.
6.4 Platforms Without PCLMULQDQ

\(\mathrm {GF}(16) := \mathrm {GF}(2) [y]/(y^4+y+1)\),
\(\mathrm {GF}(2^{96}) := \mathrm {GF}(16) [x]/(x^{24}+y^3x^3+x+y)\).
The multiplication in \(\mathrm {GF}(16)\) is performed with PSHUFB and the multiplication in \(\mathrm {GF}(2^{96})\) corresponds to a polynomial multiplication over \(\mathrm {GF}(16)\). Furthermore, we use Karatsuba’s technique for the computation of coefficients in different registers. To protect the scheme against side channel leakage, we implement the multiplication in GF(16) with logarithm/exponential tables instead of multiplication tables, except for the multiplication with fixed values in the reduction phase of the polynomial multiplication. With logarithm tables, the multiplication in \(\mathrm {GF}(16)\) is performed by an addition in the exponents of a multiplicative generator and therefore consists of two table lookups, an addition and a reduction. Although there is only one table lookup in a normal implementation with multiplication tables, an intentional cache miss would result in a time difference, since the table entries are loaded depending on the values of the input operands.
Average number of cycles for the arithmetics in \(\mathrm {GF}(2^{96}) \) and GF(\(2^{127}\)) for various implementations.

| Field | Implementation | Multiplication | Square | Inversion |
|---|---|---|---|---|
| GF(\(2^{96}\)) | 64-bit variables, school book | 624/3392 | 624/3384 | 68,752/357,728 |
| GF(\(2^{96}\)) | 128-bit register, PSHUFB/VTBL | 138/731 | 87/424 | 11,242/48,825 |
| GF(\(2^{96}\)) | 128-bit register, PCLMULQDQ | 12/ | 8/ | 2,489/ |
| GF(\(2^{127}\)) | 64-bit variables, school book | 743/4,009 | 735/3,997 | 105,235/546,881 |
| GF(\(2^{127}\)) | 128-bit register, PSHUFB/VTBL | 318/813 | 187/531 | 28,565/77,703 |
| GF(\(2^{127}\)) | 128-bit register, PCLMULQDQ | 15/ | 9/ | 3,257/ |
Performance data for Gui on ARM platforms (timings in \(10^{-6}\) s)

| Scheme | Key generation | Signature generation | Signature verification |
|---|---|---|---|
| Gui96 (96, 5, 6, 6) | 99,555 | 3,291 | 102 |
6.5 Grover’s Algorithm and Potential Extension to Larger Fields
By Grover’s algorithm [16] it might be possible to cut down the complexity of a brute-force search in an n-bit space to \(O(2^{n/2})\). We believe that this is no major threat to HFEv and in particular to Gui because of the large number of quantum bits (qubits) needed in this case: while only 1024 qubits are needed to solve discrete logarithms on a 256-bit prime modulus elliptic curve and 6000 qubits to factorize 3000-bit RSA numbers using Shor’s algorithm, the number of qubits and quantum gates needed to attack Gui by Grover’s algorithm is in the order of a million (\(n^3\)), since it implies the evaluation of n quadratic polynomials in n variables. Therefore, quantum algorithms can be used much more easily for the cryptanalysis of schemes such as RSA and ECC than for that of multivariate schemes such as Gui, and we do not consider Grover’s algorithm to be a major problem for our scheme. However, even if we have to take Grover’s algorithm into account, there is an easy way to prevent this kind of attack, namely by choosing the parameter n about twice as large while keeping all other parameters constant. In the implementation, this means an extra layer of the Karatsuba algorithm in the multiplication phase and therefore a factor of 3 slowdown. Furthermore, this increases the public key size by a factor of 8.
7 Conclusion and Future Work
In this paper, we analyzed the behavior of direct attacks against HFEv based signature schemes. Experiments show that, even for low degree HFE polynomials in use, we can obtain adequate security levels by increasing the numbers a and v of Minus equations and Vinegar variables. Furthermore we find that the upper bound on the degree of regularity proposed by Ding and Yang in [11] is relatively tight. From our results we derive design principles for the construction of HFEv based signature schemes, which lead to both secure and efficient schemes. We apply these principles to the construction of our new HFEv based signature scheme Gui, which is more than 100 times faster than the original QUARTZ scheme. Furthermore we show that the performance of our scheme is highly comparable to that of standard signature schemes, including signatures on elliptic curves.
As future work we want to analyze further the influence of the number a of Minus equations and the number v of Vinegar variables on the security of HFEv schemes. Furthermore, we plan to create an optimized implementation of HFEv (Gui) for every common platform and compare it with some of the best optimized code for ECC and RSA, such as Ed25519 [2]. Another approach would be to verify such optimized Gui code for formal correctness. In short, we believe that there is still much work to be done on HFEv digital signature schemes.
Acknowledgements
We thank the anonymous reviewers of Asiacrypt for their comments, which helped to improve the paper. Especially we want to thank the shepherd of our paper for his valuable advice. Due to this we included
– Further remarks on the complexity of the Kipnis-Shamir attack on HFE and its variants (Sect. 3.3).
– Additional experiments on the effect of the parameters a and v on the security of our scheme and the Hybrid approach (Sects. 4.2 and 4.4).
– Remarks on side channel leakage and countermeasures (Sects. 6.1 and 6.2).
– Implementation details of Gui on ARM platforms (Sect. 6.4).
– Remarks on how Grover’s algorithm might affect our parameter choice (Sect. 6.5).
We would like to thank for partial support from the Charles Phelps Taft Research Center, the Center for Advanced Security Research Darmstadt (CASED), ECSPRIDE, Academia Sinica, the CAS/SAFEA International Partnership Program for Creative Research Teams, Taiwan’s Ministry of Science and Technology, National Taiwan University and Intel Corporation under grants NIST 60NAN15D059, NSFC 61472054, MOST 1032911I002001, NTUICRP104R7501 and NTUICRP104R75011.
References
1. Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post Quantum Cryptography. Springer, Heidelberg (2009)
2. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. J. Cryptographic Eng. 2(2), 77–89 (2012)
3. Bernstein, D.J., Lange, T. (eds.): eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to. Accessed 14 May 2014
4. Bettale, L., Faugère, J.C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 3, 177–197 (2009)
5. Bogdanov, A., Eisenbarth, T., Rupp, A., Wolf, C.: Time-area optimized public-key engines: \(\mathcal{MQ}\)-cryptosystems as replacement for elliptic curves? In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 45–61. Springer, Heidelberg (2008)
6. Chen, A.I.T., Chen, M.S., Chen, T.R., Cheng, C.M., Ding, J., Kuo, E.L.H., Lee, F.Y.S., Yang, B.Y.: SSE implementation of multivariate PKCs on modern x86 CPUs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 33–48. Springer, Heidelberg (2009)
7. Courtois, N.T., Daum, M., Felke, P.: On the security of HFE, HFEv- and QUARTZ. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 337–350. Springer, Heidelberg (2003)
8. Ding, J., Gower, J.E., Schmidt, D.S.: Multivariate Public Key Cryptosystems. Springer, New York (2006)
9. Ding, J., Kleinjung, T.: Degree of regularity for HFE-. IACR ePrint 2011/570
10. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005)
11. Ding, J., Yang, B.Y.: Degree of regularity for HFEv and HFEv-. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 52–66. Springer, Heidelberg (2013)
12. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 61–88 (1999)
13. Faugère, J.C., Safey el Din, M., Spaenlehauer, P.J.: On the complexity of the generalized MinRank problem. J. Symbolic Comput. 55, 30–58 (2013)
14. Fog, A.: Instruction tables: Lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs, 7 December 2014. http://www.agner.org/optimize/
15. Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W.H. Freeman and Company, New York (1979)
16. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of STOC, pp. 212–219. ACM (1996)
17. Intel Corporation: Haswell Cryptographic Performance. http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/haswell-cryptographic-performance-paper.pdf
18. Jiang, X., Ding, J., Hu, L.: Kipnis-Shamir attack on HFE revisited. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds.) Inscrypt 2007. LNCS, vol. 4990, pp. 399–411. Springer, Heidelberg (2008)
19. Kravitz, D.: Digital Signature Algorithm. US patent 5231668, July 1991
20. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)
21. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)
22. Mohamed, M.S.E., Ding, J., Buchmann, J.: Towards algebraic cryptanalysis of HFE challenge 2. In: Kim, T., Adeli, H., Robles, R.J., Balitanas, M. (eds.) ISA 2011. CCIS, vol. 200, pp. 123–131. Springer, Heidelberg (2011)
23. Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)
24. Patarin, J., Courtois, N.T., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001)
25. Patarin, J., Courtois, N.T., Goubin, L.: FLASH, a fast multivariate signature algorithm. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 298–307. Springer, Heidelberg (2001)
26. Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt ’88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)
27. Richards, C.: Algorithms for factoring square-free polynomials over finite fields. Master thesis, Simon Fraser University, Canada (2009)
28. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
29. Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
30. Taverne, J., Faz-Hernández, A., Aranha, D.F., Rodríguez-Henríquez, F., Hankerson, D., López, J.: Software implementation of binary elliptic curves: impact of the carry-less multiplier on scalar multiplication. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 108–123. Springer, Heidelberg (2011)