A Multivariate Encryption Scheme with Rainbow

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9543)


Multivariate Public Key Cryptosystems (MPKC) are a candidate for post-quantum cryptography. The MPKC signature scheme Rainbow has efficient signature generation and verification, and no major attack on it has been reported so far. In this paper, we propose an MPKC encryption scheme based on Rainbow. The public key of Rainbow is a surjective polynomial map, whereas an encryption scheme requires an injective polynomial map. We explain how to change the public key of Rainbow into an injective map.


Keywords: Multivariate Public Key Cryptosystem, Rainbow, Square, Post-quantum cryptography

1 Introduction

1.1 Motivation and Background

The foundation of public key cryptography currently consists of RSA and elliptic curve cryptography. However, these two cryptosystems do not have sufficient resistance against quantum computers. Therefore, the foundation of public key cryptography needs to shift, before quantum computers become widespread, to cryptography that resists attacks by quantum computers, which is called post-quantum cryptography [12]. Since 2013, a working group on post-quantum cryptography at NIST has been studying the standardization of post-quantum cryptography. ETSI also holds a regular Quantum-Safe-Crypto Workshop. The main candidates for post-quantum cryptography are lattice-based cryptography, code-based cryptography, multivariate public key cryptography, and hash-based cryptography.

1.2 Previous Work and Challenging Issues

The encryption scheme \(C^*\) proposed in [29] is considered to be the first MPKC scheme. However, Patarin [33] showed an efficient attack against \(C^*\). After that, many encryption schemes were proposed [17, 35, 36], but efficient attacks have been found against most of them [9, 13, 21, 27], and at present only a few MPKC encryption schemes remain unbroken. Among them are ZHFE [39], ABC [41] and cubic ABC [14]. Besides security, it is also important to design an MPKC encryption scheme with efficient encryption and decryption algorithms.

As for signature schemes, SFlash [36] and TTS [10] were proposed, but efficient attacks against these schemes have been found [13, 16]. Rainbow [15] is a signature scheme with efficient signature generation and verification. Its security has been analyzed by several researchers, and so far no major attack against it has been found.

1.3 Contribution

We propose a new encryption scheme with an efficient decryption algorithm. The proposed scheme is a combination of the encryption scheme “Square” [7] and the signature scheme “Rainbow”. Since decryption in both Square and Rainbow is efficient, decryption in the proposed scheme is also efficient. Furthermore, we analyze the security of the proposed scheme, considering the existing attacks against Square and against Rainbow, among others. Based on this security analysis, we estimate parameters yielding 80-bit, 112-bit and 160-bit security levels. Finally, for these parameters we have implemented the new scheme and measured the encryption and decryption times.

In MPKC, encryption schemes and signature schemes use different kinds of multivariate polynomial maps. An MPKC signature scheme usually uses a surjective map, because for an arbitrary message at least one corresponding signature has to exist. On the other hand, MPKC encryption schemes use injective maps, because otherwise the scheme would suffer decryption failures. For instance, the lattice-based encryption scheme NTRU [25] can have decryption failures, but it avoids this problem by tuning the parameters so that the probability of a decryption failure is minimal. Among MPKC encryption schemes, ABC also has this problem: the original ABC has a non-negligible probability of decryption failure, but it was improved by using almost injective multivariate maps so that the probability is minimized [42].

Our scheme adopts basically the same policy as the improved ABC: the multivariate map associated with our scheme is almost injective. To this end, we use two devices: (1) the vinegar variables of Rainbow are replaced by the variables of an encryption scheme (in this paper, Square), and (2) the number of equations in each layer of Rainbow is increased. Concerning (1): when inverting the central map of Rainbow, a signer may substitute arbitrary values for the vinegar variables, whereas in an encryption scheme the decryption result has to coincide uniquely with the plaintext. We therefore use the decryption of Square instead of substituting values for the vinegar variables, so that the inverse is determined uniquely. The reason we adopt Square as the encryption scheme in (1) is that it has strong resistance against direct attacks [12] and an efficient decryption algorithm. Concerning (2): the inversion of Rainbow requires solving a system of linear equations in each layer. This system may be degenerate, in which case the Rainbow signing algorithm reselects the values of the vinegar variables and rebuilds the system. Since the proposed scheme does not use vinegar variables, we instead increase the number of equations so that the linear system is not degenerate. As the number of equations increases, the probability of degeneration decreases, so we can control this probability.

Square requires a square root computation during decryption, which is carried out by an exponentiation. In the original paper [7], decryption takes more than ten times as long as encryption. We instead adopt the multi-exponentiation technique [32], which is used in practice in efficient pairing computation [40], GLV [23] and GLS [24]; for Square alone, this makes decryption about 10 times faster than in the original Square.

1.4 Comparison with Related Works

The public key size of the proposed scheme is about 30 times smaller than that of ABC. The decryption of the proposed scheme is more efficient than that of ZHFE, because ZHFE requires heavy computations such as the Berlekamp algorithm for decryption.

The direct attack computes the plaintext directly from a ciphertext and the public key, typically by Gröbner basis computation. In our experiments with small parameters, we observed that the multivariate system produced by the proposed scheme is semi-regular [4]. Since Square is known to be strong against direct attacks [11] and Rainbow has a wide range of possible secret keys, we expect our scheme to be strong against direct attacks as well; hence we infer that the semi-regular property also holds for larger parameters. On the other hand, since ABC does not have the semi-regular property, ABC has to use more variables and equations than our scheme.

The multivariate polynomial maps used in our scheme are constructed from those of Square and Rainbow, with randomly chosen polynomials appended. Adding such polynomials is called the Plus method [12] and is used mainly to enhance security. In fact, because of the Plus method, the UOV attack, the UOV-Reconciliation attack and the Rainbow-Band-Separation attack cannot be applied to our scheme. We remark that the Plus method cannot be applied to the original Rainbow either, because finding a preimage of a randomly chosen polynomial map requires a search, so the signature generation of Rainbow would lose its efficiency. In our scheme, on the other hand, decryption requires only the decryption of Square and the inversion of the Rainbow layers, so the plus part never has to be inverted.

2 Background

2.1 A Signature Scheme, Rainbow

Ding and Schmidt proposed the signature scheme Rainbow, a multilayer variant of Unbalanced Oil and Vinegar [15]. In this section, we review Rainbow briefly.

First, we set some parameters in order to describe Rainbow with an h-layer structure. Let \(v_1\) and \(o_1,\ldots ,o_{h}\) be positive integers. For \(k=2,\ldots ,h+1\), let \(v_k=v_1+o_1+\cdots +o_{k-1}\). For \(k=1,\ldots ,h\), we define two sets of integers, \(V_k=\{1,2,\ldots ,v_k\},\ O_k=\{v_k+1,\ldots ,v_k+o_k\}\). The sets \(O_k\) and \(V_k\) are the index sets of the oil and vinegar variables of the k-th layer of Rainbow, respectively. We define \(n=v_{h+1}\), which is the number of variables used in Rainbow.

Let \(K=GF(q)\) be a finite field of order q. For \(k=1,2,\ldots ,h\), a multivariate quadratic map \(G_k=(g_{v_k+1},\ldots ,g_{v_k+o_k}):K^n\rightarrow K^{o_k}\) consists of \(o_k\) multivariate polynomials: For \(l=v_k+1,\ldots ,v_k+o_k\),
$$\begin{aligned} g_l(x_1,\ldots ,x_n)=\sum _{i\in O_k,j\in V_k}\alpha _{i,j}^{(l)} x_i x_j +\sum _{i,j\in V_k,\,i\le j}\beta _{i,j}^{(l)} x_i x_j +\sum _{i\in V_{k+1}}\gamma _{i}^{(l)} x_i+\eta ^{(l)}, \end{aligned}$$
where \(\alpha _{i,j}^{(l)},\beta _{i,j}^{(l)},\gamma _i^{(l)},\eta ^{(l)}\in K\) are randomly chosen. We call the variables \(x_i\ (i\in O_k)\) and \(x_j\ (j\in V_k)\) the oil and vinegar variables of the k-th layer, respectively. Note that no product of two oil variables of the same layer appears in \(g_l\), so \(g_l\) becomes affine in the oil variables once the vinegar variables are fixed. A multivariate quadratic map G is then defined by the concatenation,
$$\begin{aligned} G=G_1\Vert G_2\Vert \cdots \Vert G_h=(g_{v_1+1},\ldots ,g_n):K^{n}\rightarrow K^{n-v_1}. \end{aligned}$$
Scheme. We describe the key generation, signature generation and verification processes of Rainbow as follows.

Key Generation. A secret key consists of a central map G and two affine transformations \(A_1:K^m\rightarrow K^m\ (m=n-v_1),\ A_2:K^n\rightarrow K^n\). The public key consists of the field K and the composed map \(F=A_1\circ G\circ A_2:K^n\rightarrow K^m\), which is a system of m quadratic polynomials of n variables over K.

Signature Generation. Let \(M\in K^{m}\) be a message. A signer computes \(A=A_1^{-1}(M)\), \(B=G^{-1}(A)\) and \(C=A_2^{-1}(B)\) in that order. The signature of the message is \(C\in K^n\). Here, the inverse computation \(B=G^{-1}(A)\) for \(A=(a_{v_1+1},\ldots ,a_n)\), is executed by the following algorithm.

  • Step 1. Select \(B_0=(b_1,\ldots ,b_{v_1})\in K^{v_1}\) randomly.

  • Step 2. For \(k=1\) to h do:

    (2-1) For the subsequence \(A_k=(a_{v_{k}+1},\ldots ,a_{v_{k}+o_k})\) of A, set up a linear system with respect to \(X_k=(x_{v_{k}+1},\ldots ,x_{v_k+o_k})\),
      $$\begin{aligned} G_k(B_{k-1},X_k)=A_k. \end{aligned}$$
      (We remark that \(G_k\) can be regarded as a map in the \(v_{k+1}\) variables \(x_1,\ldots ,x_{v_{k+1}}\); with \(B_{k-1}\) substituted for the vinegar variables it is affine in \(X_k\), since \(G_k\) contains no products of two oil variables.)

    (2-2) Solve the above linear system. If it has a unique solution, denote it by \(D_k\). Otherwise, go back to Step 1.

    (2-3) Put \(B_k=B_{k-1}\Vert D_k\) (concatenation).

  • Step 3. Output \(B=B_h\).

Verification. If \(F(C)=M\), the signature is accepted; otherwise it is rejected.

Remark 1

The linear system \(G_k(B_{k-1},X_k)=A_k\) in Step 2-1 has \(o_k\) unknowns and \(o_k\) equations. Therefore, solving it fails (the system is singular) with probability about \(q^{-1}\). However, since there are many choices for \(B_0\) in Step 1, signature generation itself does not fail.

Attacks Against Rainbow. In this section, we summarize the necessary information about the known attacks against Rainbow reported in previous papers. Since the scheme we propose later makes use of the structure of Rainbow, we will analyze the effect of these attacks on the proposed scheme. The known relevant attacks against Rainbow are as follows.

  (1) Direct attacks [2, 46],

  (2) UOV attack [26, 28],

  (3) MinRank attack [5, 22],

  (4) HighRank attack [18, 22, 38],

  (5) Rainbow-Band-Separation (RBS) attack [18, 37],

  (6) UOV-Reconciliation (UOV-R) attack [18, 37].

The direct attacks try to solve the system of equations \(F(X)=M\) given the public key F and a (fixed) message M [2, 46]. By contrast, the goal of the other attacks is to find a part of the secret key. In the case of a UOV attack or HighRank attack, for example, the target Rainbow with parameters \(v_1,o_1,\ldots ,o_t\) (t layers) is reduced to a Rainbow with the simpler parameters \(v_1,o_1,\ldots ,o_{t-1}\), i.e. without \(o_t\), which can then be broken with lower complexity. To carry out the reduction we need to find (a part of) a direct sum decomposition of the vector space \(K^n\),
$$\begin{aligned} K^n= K^{v_1}\oplus K^{o_1}\oplus \cdots \oplus K^{o_t}, \qquad (2) \end{aligned}$$
because expressing \(K^n\) in a suitable basis allows the public key to be brought back to the central map. In fact, if we can decompose \(K^n=W\oplus K^{o_t}\) for some W with a coarser decomposition than (2), then the security of Rainbow is reduced to that of a Rainbow with one layer fewer. There are two methods for finding this decomposition:

(1) Find a simultaneous isotropic subspace of \(K^n\).

Let V be a vector space over K and let \(Q_1\) be a quadratic form on V. We say that a subspace W of V is isotropic (with respect to \(Q_1\)) if
$$ v_1,v_2\in W\Rightarrow Q_1(v_1,v_2):=Q_1(v_1+v_2)-Q_1(v_1)-Q_1(v_2)=0, $$
i.e. the bilinear form associated with \(Q_1\) vanishes identically on W. Suppose in addition that V is equipped with quadratic forms \(Q_2,\ldots ,Q_m\). We say that a subspace W of V is simultaneously isotropic if W is isotropic with respect to all of \(Q_1,\ldots , Q_m\).

In Rainbow, the m quadratic forms on \(K^n\) are the quadratic parts of the public polynomials of F. Note that the subspace \(K^{o_t}\) appearing in (2), the oil space of the last layer, is a simultaneously isotropic subspace of \(K^n\). If we find a simultaneously isotropic subspace, we obtain a basis of \(K^{o_t}\) and the above attack becomes feasible. The UOV, UOV-R and RBS attacks are of this type.

(2) Find a quadratic form with the minimum or second maximum rank.

When the quadratic part of the k-th component polynomial of F in Rainbow is expressed as
$$\begin{aligned} \sum _{i=1}^n\sum _{j=i}^na_{ij}^{(k)}x_ix_j, \end{aligned}$$
we associate it with a symmetric matrix \(P_k=A+A^{\mathrm {T}}\), where \(A=(a_{ij}^{(k)})\). We define \(\Omega _F=\mathrm {Span}_K\{P_k\,|\,k=v_1+1,\ldots ,n\}\), which is a vector space over K spanned by matrices \(P_{v_1+1},\ldots ,P_{n}\). For example, if we find a matrix of rank \(v_2=v_1+o_1\) in \(\Omega _F\), there is a high probability that the image of this matrix coincides with \(K^{v_1}\oplus K^{o_1}\) appearing in (2). Therefore, we obtain the decomposition of \(K^n=(K^{v_1}\oplus K^{o_1})\oplus W'\) for some \(W'\) that is a coarser decomposition than (2). The MinRank and HighRank attacks are classified as being of this type.

The details of above mentioned six attacks can be found in the literature [37].

3 Our Proposed Scheme

In this section, we propose a MPKC encryption scheme, which is called SRP because it is constructed by combining Square, Rainbow and the Plus method technique. First, we prepare some parameters necessary to construct our scheme:
  • \(K=GF(q)\): finite field of odd characteristic (\(q\equiv 3\ \mathrm {mod}\ 4\))

  • d: degree of extension field \(L=GF(q^d)\) over K (\(d\equiv 1\ \mathrm {mod}\ 2\))

  • h: number of layers

  • \(o_1,\ldots ,o_h\): number of oil variables in each layer

  • r: number determining the probability of decryption success

  • s: number of equations added in the Plus method

  • l: number of variables reduced in the embedding method

  • \(\phi :GF(q^d)\rightarrow K^d\): linear isomorphism over K

3.1 Key Generation

Let \(n=d+o_1+\cdots +o_h-l\) and \(m=d+o_1+\cdots +o_h+hr+s\). Then, the public key of the proposed scheme is given by a quadratic polynomial map from \(K^n\) to \(K^m\). Let \(n'=d+o_1+\cdots +o_h\). Three multivariate quadratic maps \(G_S,G_R,G_P\) on \(K^{n'}\) are constructed as follows:
  (i) Construction of \(G_S:K^{n'}\rightarrow K^d\).

    A multivariate quadratic map \(G'_S:K^d\rightarrow K^d\) is defined by
    $$\begin{aligned} G'_S:K^d\xrightarrow {\phi ^{-1}} GF(q^d)\ni X\rightarrow X^2\in GF(q^d)\xrightarrow {\phi } K^d. \end{aligned}$$
    \(G_S\) is the natural extension of \(G'_S\) to \(K^{n'}\), i.e.
    $$\begin{aligned} G_S:K^{d+o_1+\cdots +o_h}\xrightarrow {\text {projection}} K^d\xrightarrow {G'_S}K^d. \end{aligned}$$

  (ii) Construction of \(G_R:K^{n'}\rightarrow K^{o_1+\cdots +o_h+hr}\).

    For each layer \(k=1,\ldots ,h\), we construct a multivariate quadratic map \(G_{R,k}:K^{n'}\rightarrow K^{o_k+r}\) as follows. Let \(v_k=d+o_1+\cdots +o_{k-1}\) and \(V_k=\{1,2,\ldots ,v_k\},\ O_k=\{v_k+1,\ldots ,v_k+o_k\}\); that is, the d Square variables play the role of the vinegar variables of the first layer. The \(o_k+r\) components of \(G_{R,k}\) are multivariate quadratic polynomials of the form
    $$\begin{aligned} g(x_1,\ldots ,x_{n'})=\sum _{i\in O_k,j\in V_k}\alpha _{i,j} x_i x_j +\sum _{i,j\in V_k,\,i\le j}\beta _{i,j} x_i x_j+\sum _{i\in V_{k}\cup O_{k}}\gamma _{i} x_i+\eta . \end{aligned}$$
    Here, \(\alpha _{i,j},\beta _{i,j},\gamma _{i},\eta \) are randomly chosen in K for each component of \(G_{R,k}\). Then \(G_R\) is defined by the concatenation \(G_R=G_{R,1}\Vert \ldots \Vert G_{R,h}\).

  (iii) Construction of \(G_P:K^{n'}\rightarrow K^{s}\).

    \(G_P\) consists of s randomly chosen multivariate quadratic polynomials of the form
    $$\begin{aligned} g(x_1,\ldots ,x_{n'})=\sum _{1\le i\le j\le n'}\alpha _{i,j} x_i x_j +\sum _{1\le i\le n'}\beta _{i} x_i+\gamma \ \ \ (\alpha _{i,j},\beta _{i},\gamma \in K). \end{aligned}$$

Using above (i), (ii), (iii), a polynomial map \(G:K^{n'}\rightarrow K^m\) is defined by the concatenation \(G=G_S\Vert G_R\Vert G_P\). Additionally, the following are selected randomly.

  (1) an affine embedding map \(A_1:K^n\rightarrow K^{n'}\) (injective, since \(n=n'-l\le n'\)),

  (2) an affine isomorphism \(A_2:K^m\rightarrow K^m\).


A multivariate quadratic map F from \(K^n\) to \(K^m\) is defined by \(F=A_2\circ G\circ A_1\). Then, the secret key consists of \(G,\ A_1\) and \(A_2\), and the public key consists of F.

3.2 Encryption

We identify a plain text M with an element of \(K^n\). The cipher text C corresponding to M is obtained by the polynomial evaluation,
$$\begin{aligned} C=F(M)\in K^m. \end{aligned}$$

3.3 Decryption

For a cipher text \(C=(c_1,\ldots ,c_m)\in K^m\), the decryption is executed as follows.

  • Step 1. Compute \(B=(b_1,\ldots ,b_m)=A_2^{-1}(C)\).

  • Step 2. Compute \(B_0=\phi ^{-1}(B_S)\), where \(B_S=(b_1,\ldots ,b_d)\) is the vector of the first d components of B.

  • Step 3. Compute \(R=\pm B_0^{(q^d+1)/4}\) and \(D_0=\phi (R)\). (Since \(q\equiv 3 \bmod 4\) and d is odd, \(q^d\equiv 3 \bmod 4\), so this exponentiation yields a square root of \(B_0\). Both signs are candidates for \(D_0\); a wrong candidate is rejected in Steps 4 and 6 below.)

  • Step 4. For \(k=1\) to h do:

    (4-1) For \(B_k=(b_{m_{k}+1},\ldots ,b_{m_k+o_k+r})\), where \(m_k:=v_k+(k-1)r\), set up a linear system with respect to \(X_k=(x_{v_{k}+1},\ldots ,x_{v_k+o_k})\),
      $$\begin{aligned} G_{R,k}(D_{k-1},X_k)=B_k. \end{aligned}$$
      (We remark that \(G_{R,k}\) can be regarded as a map in \(v_{k+1}\) variables; it contains no products of two oil variables, so it is affine in \(X_k\) once \(D_{k-1}\) is substituted.)

    (4-2) Solve the above linear system of \(o_k+r\) equations in \(o_k\) unknowns, and denote its unique solution by \(D_k\). If the system has no solution, or its solution is not unique, the current candidate for \(D_0\) is discarded.

  • Step 5. Put \(D=D_0\Vert D_1\Vert \cdots \Vert D_h\) (concatenation).

  • Step 6. Compute \(M'=A_1^{-1}(D)\), which is the corresponding plaintext. Since \(A_1\) is an embedding, this requires D to lie in the image of \(A_1\); a candidate D outside the image is likewise rejected.

Remark 2

In Step 3, the computation of the exponentiation \(B_0^{(q^d+1)/4}\) is required. The multi-exponentiation technique [32] can be applied to this computation. The concrete algorithm is described in the Appendix A.

3.4 Probability of Decryption Failure

We have to guarantee that the above decryption algorithm recovers the plaintext. To this end, it is necessary to show that the public key F is injective. In the case of the original ABC [41], the probability of decryption failure is non-negligible because its public key is not injective. ABC has since been improved so that its public key becomes almost injective [42], and the probability of decryption failure of the improved ABC can be made small by choosing a suitable parameter.

The public key of our scheme is also almost injective. More precisely,

Proposition 1

The probability that F is not injective is equal to \(hq^{-l-1}\).

This proposition implies that the probability of the decryption failure in our scheme is equal to \(hq^{-l-1}\). The above proposition is shown in the Appendix B.
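The following Python program is an added worked example, not the authors' implementation, of the layer-by-layer inversion of Sect. 2.1 and of the SRP key generation, encryption and decryption of Sects. 3.1 to 3.4. It assumes \(d=3\) (an irreducible cubic is found by a root search, which is a valid irreducibility test only for degree 3), takes \(\phi\) to be the identity on coefficient vectors, evaluates the public map F by composing \(A_2\), G and \(A_1\) rather than expanding it into the m explicit quadratic polynomials a real public key would contain, and uses the toy parameters \((q,d,o_1,r,s,l)=(11,3,2,3,1,1)\), which are far too small for security. Decryption carries both square roots \(\pm R\) through Step 4 and the embedding check of Step 6 and returns None when no candidate, or more than one candidate, survives; that is the decryption-failure event of Proposition 1.

```python
import random

def solve_unique(A, b, q):
    """Gauss-Jordan over GF(q), q prime (A may be overdetermined): the solution of A x = b if it exists and is unique, else None."""
    rows, ncols = [[v % q for v in r] + [t % q] for r, t in zip(A, b)], len(A[0])
    for col in range(ncols):                      # the pivot of column col lands in row col
        piv = next((i for i in range(col, len(rows)) if rows[i][col]), None)
        if piv is None:
            return None                           # rank-deficient: solution not unique
        rows[col], rows[piv] = rows[piv], rows[col]
        rows[col] = [(x * pow(rows[col][col], q - 2, q)) % q for x in rows[col]]
        for i in [i for i in range(len(rows)) if i != col and rows[i][col]]:
            f = rows[i][col]
            rows[i] = [(x - f * y) % q for x, y in zip(rows[i], rows[col])]
    return None if any(r[-1] for r in rows[ncols:]) else [rows[i][-1] for i in range(ncols)]

def irreducible_cubic(q):                         # monic x^3 + c1 x + c0 with no root in GF(q) (irreducible for degree 3)
    return next([c0, c1, 0, 1] for c0 in range(1, q) for c1 in range(q)
                if all((x * x * x + c1 * x + c0) % q for x in range(q)))

def ext_mul(a, b, q, mod):                        # product in GF(q^d) = GF(q)[x]/(mod); coefficient lists, low degree first
    d, prod = len(mod) - 1, [0] * (2 * len(mod) - 3)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    for k in range(2 * d - 2, d - 1, -1):         # reduce x^k via x^d = -(mod[0] + ... + mod[d-1] x^(d-1))
        for t in range(d):
            prod[k - d + t] = (prod[k - d + t] - prod[k] * mod[t]) % q
    return prod[:d]

def ext_pow(a, e, q, mod):                        # square-and-multiply in GF(q^d)
    res, base = [1] + [0] * (len(mod) - 2), list(a)
    while e:
        res = ext_mul(res, base, q, mod) if e & 1 else res
        base, e = ext_mul(base, base, q, mod), e >> 1
    return res

def eval_quad(poly, x, q):                        # poly = ({(i, j): a_ij}, {i: b_i}, c) with i <= j
    return (sum(v * x[i] * x[j] for (i, j), v in poly[0].items()) + sum(v * x[i] for i, v in poly[1].items()) + poly[2]) % q

def affine(M, c, x, q):                           # x -> M x + c over GF(q)
    return [(sum(a * b for a, b in zip(row, x)) + ci) % q for row, ci in zip(M, c)]

def rand_matrix(rng, q, nrows, ncols):            # random matrix over GF(q) of full column rank
    while True:
        M = [[rng.randrange(q) for _ in range(ncols)] for _ in range(nrows)]
        if solve_unique(M, [0] * nrows, q) is not None:
            return M

def keygen(q, d, oils, r, s, l, rng):             # Sect. 3.1 with phi = identity on coefficient vectors, d = 3
    rq = lambda pairs, lin: ({p: rng.randrange(q) for p in pairs}, {i: rng.randrange(q) for i in lin}, rng.randrange(q))
    np_, m, layers, v = d + sum(oils), d + sum(oils) + len(oils) * r + s, [], d
    for o in oils:                                # G_R: o_k + r polynomials per layer, no oil x oil terms
        V, O = range(v), range(v, v + o)
        pairs = [(j, i) for j in V for i in O] + [(i, j) for i in V for j in V if i <= j]
        layers.append([rq(pairs, list(V) + list(O)) for _ in range(o + r)])
        v += o
    plus = [rq([(i, j) for i in range(np_) for j in range(i, np_)], range(np_)) for _ in range(s)]  # G_P
    return dict(q=q, d=d, r=r, np=np_, mod=irreducible_cubic(q), layers=layers, plus=plus,
                M1=rand_matrix(rng, q, np_, np_ - l), c1=[rng.randrange(q) for _ in range(np_)],   # A1: K^n -> K^n'
                M2=rand_matrix(rng, q, m, m), c2=[rng.randrange(q) for _ in range(m)])             # A2: K^m -> K^m

def encrypt(key, M):                              # C = F(M), F = A2 o (G_S || G_R || G_P) o A1, evaluated by composition
    q, d = key['q'], key['d']
    y = affine(key['M1'], key['c1'], M, q)
    G = ext_mul(y[:d], y[:d], q, key['mod'])      # G_S: X -> X^2 in GF(q^d)
    for polys in key['layers'] + [key['plus']]:   # G_R, then G_P
        G += [eval_quad(g, y, q) for g in polys]
    return affine(key['M2'], key['c2'], G, q)

def decrypt(key, C):
    """Sect. 3.3: try both roots +-R; a wrong root is rejected by the overdetermined layer systems or by the A1 image check."""
    q, d, r, np_ = key['q'], key['d'], key['r'], key['np']
    B = solve_unique(key['M2'], [(c - k) % q for c, k in zip(C, key['c2'])], q)   # Step 1: B = A2^{-1}(C)
    R = ext_pow(B[:d], (q ** d + 1) // 4, q, key['mod'])                         # Steps 2-3: square root in GF(q^d)
    cands = []
    for D in (R, [(-x) % q for x in R]):
        D = list(D)
        for idx, layer in enumerate(key['layers']):   # Step 4: G_{R,k}(D_{k-1}, X_k) = B_k is linear in X_k
            o, v = len(layer) - r, len(D)             # v = v_k; B_k starts at m_k = v_k + (k-1) r
            base = D + [0] * (np_ - v)
            g0 = [eval_quad(g, base, q) for g in layer]                           # constant terms
            rows = [[(eval_quad(g, base[:v + i] + [1] + base[v + i + 1:], q) - g0[t]) % q for i in range(o)]
                    for t, g in enumerate(layer)]                                 # coefficients of x_{v+i}
            X = solve_unique(rows, [(B[v + idx * r + t] - g0[t]) % q for t in range(len(layer))], q)
            if X is None:
                break
            D += X
        else:                                     # Step 6: M' = A1^{-1}(D), defined only on the image of A1
            Mp = solve_unique(key['M1'], [(x - c) % q for x, c in zip(D, key['c1'])], q)
            if Mp is not None and Mp not in cands:
                cands.append(Mp)
    return cands[0] if len(cands) == 1 else None  # None: decryption failure (no candidate or ambiguous)

def roundtrip(seed=2016, trials=5):               # keygen with toy sizes (n' = 5, n = 4, m = 9), then encrypt/decrypt
    rng = random.Random(seed)
    key = keygen(q=11, d=3, oils=[2], r=3, s=1, l=1, rng=rng)
    return [decrypt(key, encrypt(key, M)) == M for M in ([rng.randrange(11) for _ in key['M1'][0]] for _ in range(trials))]
```

`roundtrip()` generates a key from a fixed seed and returns one boolean per plaintext. With these toy sizes the per-plaintext failure probability is of the order of \(q^{-r-1}\) for a rank-deficient layer system plus \(hq^{-l-1}\) for a spurious second preimage, so an occasional False is the expected failure event, not a bug; the practical parameters of Sect. 5 push both terms far below \(2^{-80}\).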

4 Security Analysis

In this section, we analyze the security of our scheme. The attacks we have to consider are as follows:

  1. Direct attack

  2. Differential attack [6]

  3. Rank attacks

  4. Other attacks against Rainbow (RBS attack, UOV attack, UOV-R attack)


4.1 Direct Attack

The direct attack computes the plaintext by solving the multivariate system obtained from the ciphertext and the public key. Currently, the most efficient direct attacks are Gröbner basis algorithms [19, 20]. For any multivariate polynomial system, the degree of regularity \(d_{\mathrm {reg}}\) is defined as an invariant [1]. Moreover, the notion of a semi-regular (overdetermined) system is defined in [4]. For \(m>n\), let \(c_0,c_1,\ldots \in \mathbb {Z}\) be defined by
$$\begin{aligned} \sum _{k}c_kz^k=\frac{(1-z^2)^m}{(1-z)^n}. \qquad (3) \end{aligned}$$
If an overdetermined system of m quadratic equations in n variables is semi-regular, then the index d of the first non-positive coefficient \(c_d\) coincides with \(d_{\mathrm {reg}}\) [4].
The complexity of the Gröbner basis computation depends on the degree of regularity; in fact, the complexity of the \(F_5\) algorithm is [4]
$$\begin{aligned} \mathcal {O}\left( m\cdot \left( \begin{array}{c} n+d_{reg}-1\\ d_{reg} \end{array} \right) ^{\omega }\right) . \end{aligned}$$
Here, \(2<\omega <3\) is the linear algebra constant. Furthermore, a hybrid method that mixes Gröbner basis computation with exhaustive search has been proposed, and its complexity estimated, in [4].
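As an added example (not from the paper), the following Python code computes the semi-regular degree from the Hilbert series (3) and the resulting \(F_5\) estimate, and applies both to the (m, n) of the first Table 1 row and of the practical parameter sets (A), (B), (C) of Sect. 5. It assumes \(\omega =2\), our own choice within the paper's \(2<\omega <3\), and it reproduces only the plain \(F_5\) bound, not the hybrid-method cost on which the paper's security levels are based; `srp_sizes` encodes the n and m of Sect. 3.1.

```python
from itertools import count
from math import comb, log2

def hilbert_coefficient(n, m, deg):
    """c_deg in (1 - z^2)^m / (1 - z)^n, from (1 - z^2)^m = sum_k (-1)^k C(m,k) z^(2k)
    and 1/(1 - z)^n = sum_j C(j + n - 1, n - 1) z^j."""
    return sum((-1) ** k * comb(m, k) * comb(deg - 2 * k + n - 1, n - 1) for k in range(deg // 2 + 1))

def semi_regular_degree(n, m):
    """d_reg of a semi-regular system of m quadratics in n variables (m >= n):
    the index of the first non-positive coefficient c_d of the series (3)."""
    return next(deg for deg in count() if hilbert_coefficient(n, m, deg) <= 0)

def f5_log2_cost(n, m, omega=2.0):
    """(d_reg, log2 of m * C(n + d_reg - 1, d_reg)^omega); omega = 2 is an assumed,
    attacker-optimistic choice within the paper's 2 < omega < 3."""
    d = semi_regular_degree(n, m)
    return d, log2(m) + omega * log2(comb(n + d - 1, d))

def srp_sizes(d, oils, r, s, l):
    """(n, m) of SRP from Sect. 3.1: n = d + sum o_k - l, m = d + sum o_k + h r + s."""
    return d + sum(oils) - l, d + sum(oils) + len(oils) * r + s

def direct_attack_table():
    """Plain F5 estimate (no hybrid method) for the first row of Table 1 and for (A), (B), (C)."""
    rows = {'Table 1 row 1': (15, [11], 3, 2, 10), '(A)': (33, [32], 16, 5, 16),
            '(B)': (47, [47], 22, 5, 22), '(C)': (71, [71], 32, 5, 32)}
    out = {}
    for name, params in rows.items():
        n, m = srp_sizes(*params)
        d, cost = f5_log2_cost(n, m)
        out[name] = (n, m, d, round(cost, 1))
    return out

if __name__ == '__main__':
    for name, (n, m, d, cost) in direct_attack_table().items():
        print(f'{name:14s} n={n:3d} m={m:3d} d_reg={d:2d} log2(F5 cost) ~ {cost}')
```

For a square system (m = n) the series reduces to \((1+z)^n\), so the function returns \(n+1\), the Macaulay bound; the overdetermined rows of Table 1 give strictly smaller degrees, which is exactly the effect of the extra \(hr+s\) equations and the l removed variables.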
Table 1 compares, by experiment, the degree of regularity of the proposed scheme with the semi-regular degree. We use the Gröbner basis algorithm implemented in the software Magma. In this table, we consider only the case where the number of layers h is equal to 1. Time is the computation time for the proposed scheme, Time (RS) the computation time for a random system with the same m and n, and (m, n) the numbers of equations and variables determined by the parameters. The semi-regular degree is computed from the Hilbert series (3). The table shows that in every experiment the degree of regularity of the proposed scheme equals the semi-regular degree.

Table 1. Result of experiments of the direct attack using MAGMA

\((q,d,\{o_1,\ldots \},r,s,l)\)   (m, n)     Time       Time (RS)   \(d_{\mathrm {reg}}\)   semi-regular degree
(31, 15, 11, 3, 2, 10)           (31, 16)   14 s       14 s
(31, 15, 11, 3, 2, 9)            (31, 17)   44 s       42 s
(31, 15, 11, 3, 2, 8)            (31, 18)   206 s      204 s
(31, 15, 11, 3, 2, 7)            (31, 19)   2311 s     2351 s
(31, 15, 10, 3, 2, 6)            (30, 19)   2916 s     2846 s
(31, 15, 11, 3, 2, 6)            (31, 20)   9331 s     8840 s
(31, 15, 12, 3, 2, 6)            (32, 21)   34080 s    41647 s
(31, 15, 11, 3, 2, 5)            (31, 21)   156624 s   168693 s


4.2 Differential attack

For a function f, its differential is defined by
$$\begin{aligned} Df(A,X)=f(A+X)-f(A)-f(X)+f(0). \end{aligned}$$
If we take the public key F as f and substitute a point of \(K^n\) for A, we obtain a linear map M from \(K^n\) to \(K^m\). In the case of plain Square, by finding another linear map that commutes with M, one recovers a multiplication map by an element of \(GF(q^d)\) [6]. The point is that the differential attack is effective against plain Square because all of its variables arise from the single extension-field variable. The proposed scheme, however, contains the Rainbow variables in addition to the Square variables, so the differential attack does not apply to it.

4.3 Rank Attacks

First, consider the HighRank attack against the proposed scheme. We may assume that l is less than \(o_h\), because if l is greater than or equal to \(o_h\), the scheme has a secret key equivalent to that of the proposed scheme with \(h-1\) and \(l-o_h\) in place of h and l. The space
$$\begin{aligned} \Omega _F=\mathrm {Span}_K\{P_k\,|\,k=1,\ldots ,m\} \end{aligned}$$
is defined from the public key F as in Sect. 2.1 (Attacks Against Rainbow). The highest rank of a matrix in \(\Omega _F\) is n. The second highest rank is \(d+o_1+\cdots +o_{h-1}\) with high probability. Since the difference is \(o_h-l\), by the same computation as for Rainbow, the complexity of the HighRank attack against the proposed scheme is
$$\begin{aligned} n^3/6\cdot q^{o_h-l}\ \mathbf {m}. \qquad (5) \end{aligned}$$
Here, \(\mathbf {m}\) stands for the number of field multiplications.
Next, consider the MinRank attack. The same attack applies to Double-Layer Square [8], and its complexity has been estimated [43] as
$$\begin{aligned} (n+l)q^{l+1}(2n+l)^3\ \mathbf {m}. \qquad (6) \end{aligned}$$
Against the proposed scheme, the MinRank attack has the same complexity.

4.4 Other Attacks against Rainbow

Let \(Q=\{q_1,\ldots ,q_m\}\) be the set of quadratic forms given by the quadratic parts of the components of the public key F of the proposed scheme. As explained in Sect. 2.1 (Attacks Against Rainbow), the UOV attack, the UOV-R attack and the RBS attack all require a simultaneously isotropic subspace of \(K^n\) with respect to Q. If the parameter s is equal to zero, that is, the proposed scheme effectively has no plus part \(G_P\), then such a subspace exists. In fact, the subspace
$$\begin{aligned} A_1^{-1}(V')\ \ \text {where}\ \ V'=\{(0,\ldots ,0|\overbrace{*,\ldots ,*}^{o_h})\}(\subset K^{n'}), \end{aligned}$$
is simultaneously isotropic with respect to Q, because \(V'\) is isotropic with respect to every quadratic form obtained from a component of \(G_S\) or \(G_R\): the last \(o_h\) coordinates are the oil variables of the last layer, which never appear multiplied with each other. However, if \(s>0\), then \(V'\) is not isotropic with respect to the quadratic form of a component of \(G_P\), because \(G_P\) consists of randomly chosen polynomials. Therefore, there is no simultaneously isotropic subspace in general, and consequently the UOV attack, the UOV-R attack and the RBS attack cannot be applied to the proposed scheme.

5 Practical Parameters and Implementation

Consider the following parameters.

  • (A) \((K,d,h,\{o_1,\ldots \},r,s,l)=(GF(31),33,1,\{32\},16,5,16)\) (80-bit security level)

  • (B) \((K,d,h,\{o_1,\ldots \},r,s,l)=(GF(31),47,1,\{47\},22,5,22)\) (112-bit security level)

  • (C) \((K,d,h,\{o_1,\ldots \},r,s,l)=(GF(31),71,1,\{71\},32,5,32)\) (160-bit security level)

We have \((n,m)=(49,86)\) for (A), (72, 121) for (B) and (110, 179) for (C). The security level of each case is estimated from (5), (6) and the complexity of the hybrid method [4], where the complexity of the hybrid method is computed under the assumption that the multivariate polynomial system of the proposed scheme is semi-regular. For each parameter set, we ran encryption and decryption for 100 different plaintexts. Table 2 shows the average encryption and decryption times, the key sizes and the probability of decryption failure given by Proposition 1 (\(hq^{-l-1}\) with \(h=1\), \(q=31\)). The implementation environment is listed after the table.

Table 2. Experimental results of SRP

                                    80 bit        112 bit       160 bit
Encryption time                     0.75 ms       2.26 ms       7.82 ms
Decryption time                     1.06 ms       3.01 ms       9.14 ms
Secret key size                     57.1 kB       161.4 kB      528.1 kB
Public key size                     69.9 kB       207.0 kB      701.6 kB
Probability of decryption failure   \(31^{-17}\)  \(31^{-23}\)  \(31^{-33}\)

Implementation environment:

  • OS: Microsoft Windows 7 Professional 64bit

  • CPU: Intel(R) Xeon CPU E31270 @ 3.40GHz

  • Memory: 16.0 GB

  • Compiler: Cygwin + gcc version 3.4.4

  • Language: C

6 Conclusion

We have proposed an MPKC encryption scheme called SRP. Our scheme has an efficient decryption algorithm; in fact, according to our experiments, the decryption time is less than twice the encryption time. With respect to direct attacks, the system of multivariate quadratic equations obtained from any ciphertext of our scheme behaves like a system of random quadratic equations.



This work was commissioned by Strategic Information and Communications R&D Promotion Programme (SCOPE), no. 0159-0016 Ministry of Internal Affairs and Communications, JAPAN. Dr. Xavier Dahan read carefully and proof-read the preliminary version of this paper. The authors would like to thank him.


References

[1] Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proceedings of International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)
[2] Bernstein, D.J., Buchmann, J., Dahmen, E.: Post Quantum Cryptography. Springer, Heidelberg (2009)
[3] Berger, T.P., Cayrel, P.-L., Gaborit, P., Otmani, A.: Reducing key length of the McEliece cryptosystem. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 77–97. Springer, Heidelberg (2009)
[4] Bettale, L., Faugère, J.-C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Crypt. 3(3), 177–197 (2010)
[5] Billet, O., Gilbert, H.: Cryptanalysis of Rainbow. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 336–347. Springer, Heidelberg (2006)
[6] Billet, O., Macario-Rat, G.: Cryptanalysis of the Square cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 451–468. Springer, Heidelberg (2009)
[7] Clough, C., Baena, J., Ding, J., Yang, B.-Y., Chen, M.: Square, a new multivariate encryption scheme. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 252–264. Springer, Heidelberg (2009)
[8] Clough, C.L., Ding, J.: Secure variants of the Square encryption scheme. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 153–164. Springer, Heidelberg (2010)
[9] Courtois, N.T., Daum, M., Felke, P.: On the security of HFE, HFEv- and Quartz. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 337–350. Springer, Heidelberg (2002)
[10] Chen, J.M., Yang, B.-Y.: A more secure and efficacious TTS signature scheme. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 320–338. Springer, Heidelberg (2004)
[11] Ding, J., Clough, C., Araujo, R.: Inverting square systems algebraically is exponential. Finite Fields Appl. 26, 32–48 (2014)
[12] Ding, J., Gower, J.E., Schmidt, D.S.: Multivariate Public Key Cryptosystems. Advances in Information Security, vol. 25. Springer, New York (2006)
[13] Dubois, V., Fouque, P.-A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007)
[14] Ding, J., Petzoldt, A., Wang, L.: The cubic simple matrix encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 76–87. Springer, Heidelberg (2014)
[15] Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005)
[16] Ding, J., Schmidt, D., Yin, Z.: Cryptanalysis of the new TTS scheme in CHES 2004. Int. J. Inf. Secur. 5(4), 231–240 (2006)
[17] Ding, J., Wolf, C., Yang, B.-Y.: \(\ell \)-invertible cycles for multivariate quadratic (MQ) public key cryptography. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 266–281. Springer, Heidelberg (2007)
[18] Ding, J., Yang, B.-Y., Chen, C.-H.O., Chen, M.-S., Cheng, C.-M.: New differential-algebraic attacks and reparametrization of Rainbow. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 242–257. Springer, Heidelberg (2008)
[19] Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (\(F_4\)). J. Pure Appl. Algebra 139(1–3), 61–88 (1999)
[20] Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (\(F_5\)). In: Proceedings of the International Symposium on Symbolic and Algebraic Computation (ISSAC), pp. 75–83 (2002)
[21] Fouque, P.-A., Macario-Rat, G., Perret, L., Stern, J.: Total break of the \(\ell \)-IC signature scheme. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 1–17. Springer, Heidelberg (2008)
[22] Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000)
[23] Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)
[24] Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Crypt. 24(3), 446–469 (2011)
[25] Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
[26] Kipnis, A., Patarin, J., Goubin, L.: Unbalanced Oil and Vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)
[27] Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)
[28] Kipnis, A., Shamir, A.: Cryptanalysis of the Oil and Vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998)
  29. 29.
    Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  30. 30.
    Moh, T.-T.: A fast public key system with signature ans master key functions. In: CrypTEC 1999, pp. 63–69 (1999)Google Scholar
  31. 31.
    Moh, T.-T.: A public key system with signature and master key functions. Commun. Algebra 27(5), 2207–2222 (1999)MathSciNetzbMATHGoogle Scholar
  32. 32.
    Möller, B.: Algorithms for multi-exponentiation. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 165–180. Springer, Heidelberg (2001)Google Scholar
  33. 33.
    Patarin, J.: Cryptanalysis of the matsumoto and imai public key scheme of Eurocrypt ’88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)Google Scholar
  34. 34.
    Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  35. 35.
    Patarin, J., Goubin, L., Courtois, N.T.: \(C_-+^*\) and HM: variations around two schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–50. Springer, Heidelberg (1998)Google Scholar
  36. 36.
    Patarin, J., Courtois, N.T., Goubin, L.: FLASH, a fast multivariate signature algorithm. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, p. 298. Springer, Heidelberg (2001)Google Scholar
  37. 37.
    Petzoldt, A., Bulygin, S., Buchmann, J.: Selecting parameters for the rainbow signature scheme. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 218–240. Springer, Heidelberg (2010)Google Scholar
  38. 38.
    Petzoldt, A., Bulygin, S., Buchmann, J.: CyclicRainbow – a multivariate signature scheme with a partially cyclic public key. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 33–48. Springer, Heidelberg (2010)Google Scholar
  39. 39.
    Porras, J., Baena, J., Ding, J.: ZHFE, a new multivariate public key encryption scheme. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 229–245. Springer, Heidelberg (2014)Google Scholar
  40. 40.
    Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  41. 41.
    Tao, C., Diene, A., Tang, S., Ding, J.: Simple matrix scheme for encryption. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 231–242. Springer, Heidelberg (2013)Google Scholar
  42. 42.
    Tao, C., Xiang, H., Petzoldt, A., Ding, J.: Simple matrix - a multivariate public key cryptosystem (MPKC) for encryption. Finite Fields Appl. 35, 352–368 (2015)MathSciNetzbMATHGoogle Scholar
  43. 43.
    Thomae, E., Wolf, C.: Roots of square: cryptanalysis of double-layer square and square+. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 83–97. Springer, Heidelberg (2011)Google Scholar
  44. 44.
    Wolf, C., Preneel, B.: Taxonomy of public key schemes based on the problem of multivariate quadratic equations. Cryptology ePrint Archive, Report 2005/077, December 2005.
  45. 45.
    Yang, B.-Y., Chen, J.-M.: TTS: rank attacks in tame-like multivariate PKCs. Cryptology ePrint Archive, Report 2004/061, November 2004.
  46. 46.
    Yang, B.-Y., Chen, J.-M.: All in the XL family: theory and practice. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan
  2. Department of Informatics, Kyushu University, Fukuoka, Japan