Abstract
Multivariate Cryptography, as one of the main candidates for establishing post-quantum cryptosystems, provides strong, efficient and well-understood digital signature schemes such as UOV, Rainbow, and Gui. While Gui provides very short signatures, it is, for efficiency reasons, restricted to very small finite fields, which makes it hard to scale it to higher levels of security and leads to large key sizes.
In this paper we propose a signature scheme called HMFEv (“Hidden Medium Field Equations”), which can be seen as a multivariate version of HFEv. We obtain our scheme by applying the Vinegar Variation to the MultiHFE encryption scheme of Chen et al. We show both theoretically and by experiments that our new scheme is secure against direct and Rank attacks. In contrast to other schemes of the HFE family such as Gui, HMFEv can be defined over arbitrary base fields and therefore is much more efficient in terms of both performance and memory requirements. Our scheme is therefore a good candidate for the upcoming standardization of post-quantum signature schemes.
Notes
1. The reason why we do not propose parameters for our scheme over GF(16) is the following: To defend the scheme against the quantum attack (see Sect. 5.2), we need a large number of equations over GF(16). This actually makes the schemes less efficient than HMFEv over GF(31) or GF(256).
References
Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post Quantum Cryptography. Springer, Heidelberg (2009)
Bettale, L., Faugère, J.C., Perret, L.: Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Cryptogr. 69(1), 1–52 (2013)
Bogdanov, A., Eisenbarth, T., Rupp, A., Wolf, C.: Time-area optimized public-key engines: \(\cal{MQ}\)-cryptosystems as replacement for elliptic curves? In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 45–61. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85053-3_4
Cartor, R., Gipson, R., Smith-Tone, D., Vates, J.: On the differential security of the HFEv- signature primitive. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 162–181. Springer, Cham (2016). doi:10.1007/978-3-319-29360-8_11
Chen, A.I.-T., Chen, M.-S., Chen, T.-R., Cheng, C.-M., Ding, J., Kuo, E.L.-H., Lee, F.Y.-S., Yang, B.-Y.: SSE implementation of multivariate PKCs on modern x86 CPUs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 33–48. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04138-9_3
Chen, C.H.O., Chen, M.S., Ding, J., Werner, F., Yang, B.Y.: Odd-char multivariate Hidden Field Equations. IACR eprint (2008). http://eprint.iacr.org/2008/543
Daniels, T., Smith-Tone, D.: Differential properties of the HFE cryptosystem. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 59–75. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4_4
Ding, J., Gower, J.E., Schmidt, D.S.: Multivariate Public Key Cryptosystems. Springer, New York (2006)
Ding, J., Yang, B.-Y.: Degree of regularity for HFEv and HFEv-. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 52–66. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38616-9_4
Ding, J., Hodges, T.J.: Inverting HFE systems is quasi-polynomial for all fields. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 724–742. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_41
Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). doi:10.1007/11496137_12
Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 61–88 (1999)
Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W.H. Freeman and Company, New York (1979)
Hashimoto, Y.: Cryptanalysis of Multi HFE. IACR eprint (2015). http://eprint.iacr.org/2015/1160.pdf
Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X_15
Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_2
Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001). doi:10.1007/3-540-45353-9_21
Petzoldt, A., Chen, M.-S., Yang, B.-Y., Tao, C., Ding, J.: Design principles for HFEv- based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_14
Schwabe, P., Westerbaan, B.: Solving binary MQ with Grover's algorithm. https://cryptojedi.org/papers/mqgrover-20160901.pdf
Yang, B.-Y., Chen, J.-M.: Theoretical analysis of XL over small fields. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 277–288. Springer, Heidelberg (2004). doi:10.1007/978-3-540-27800-9_24
Acknowledgments
The third author is partially supported by NIST. The second and fourth authors would like to thank Academia Sinica for the second author’s Investigator Award and Taiwan’s Ministry of Science and Technology grant MoST-105-2923-E-001-003-MY3. We want to thank the anonymous reviewers for their valuable comments which helped to improve this paper.
Disclaimer. Certain algorithms and commercial products are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by NIST, nor does it imply that the algorithms or products identified are necessarily the best available for the purpose.
A Results of Our Computer Experiments with the Direct Attack Against HMFEv Systems over Small Fields
In this section we present the results of our computer experiments with the direct attack against HMFEv schemes over small fields. In particular, we wanted to answer the following two questions:
1. Is the concrete choice of k and v (or only their sum) important for the degree of regularity of a direct attack against the scheme?
2. Is the upper bound on \(d_\mathrm{reg}\) given by Eq. (5) reasonably tight?
In order to answer the first question, we performed experiments of the following type: For fixed values of q and \(s=k+v\), we varied the values of k and v. We then created the public systems of the corresponding HMFEv instances (for different values of \(\ell \)) and solved these systems using the \(F_4\) algorithm integrated in MAGMA. The experiments were (like all the experiments presented in this paper) performed on a server with 16 AMD Opteron cores (2.4 GHz) and 128 GB of RAM. However, as MAGMA is not parallelizable, our programs use only one core.
In our experiments, we fixed the field \(\mathbb {F}\) to be GF(2) and the sum \(s=k+v\) to be 9. We varied v in the interval \(I=\{0, \dots , 8\}\) and created HMFEv(GF(2), \(s-v\), \(\ell \), v) instances (for increasing values of \(\ell \)). After that, we fixed v of the variables to get a determined system and solved the resulting public systems by the \(F_4\) algorithm integrated in MAGMA. Table 5 shows, for \(v \in I\), the highest degree of regularity we observed in these experiments. For each parameter set, we performed 10 experiments.
As the experiments show, the concrete ratio between k and v has no influence on the degree of regularity of solving the public systems of HMFEv, as long as neither v nor k is chosen too small. For HMFEv schemes over larger fields the importance of the concrete choice of k and v decreases further, since those systems behave much more like random systems (see Sect. 6.2). In order to increase the efficiency of our scheme, we therefore choose the parameter \(k \in \{2,3\}\) and increase v to reach the required level of security.
Is the Upper Bound on \(d_\mathrm{reg}\) Given by Eq. (5) Reasonably Tight?
In order to answer this second question, we created for fixed values of q, k and v and varying values of \(\ell \) public systems of HMFEv and solved them with the \(F_4\) algorithm integrated in MAGMA. We increased the value of \(\ell \) and therefore the numbers of equations and variables in the system until we reached the upper bound of (5) or ran out of memory.
It is obvious that we can only hope to find such systems for small field sizes. We therefore restricted to values of \(q \in \{2,3\}\).
By doing so, we identified the following “tight” instances of HMFEv:
Scheme | Upper bound on \(d_\mathrm{reg}\) (Eq. (5)) | Experimental result (observed \(d_\mathrm{reg}\))
---|---|---
HMFEv(GF(2), 1, \(\ell \), 2) | 3 | 3 for \(\ell \ge 9\) (\(n \ge 9\))
HMFEv(GF(2), 2, \(\ell \), 3) | 4 | 4 for \(\ell \ge 9\) (\(n \ge 18\))
HMFEv(GF(2), 3, \(\ell \), 4) | 5 | 5 for \(\ell \ge 10\) (\(n \ge 30\))
HMFEv(GF(3), 1, \(\ell \), 2) | 5 | 5 for \(\ell \ge 18\) (\(n \ge 18\))
For most other HMFEv instances with \(q \in \{2,3\}\) and \(k+v \le 9\) we missed the upper bound given by Eq. (5) only by 1.
We believe that, also for these systems, we could have reached the upper bound given by Eq. (5) by increasing the parameter \(\ell \) further. However, we did not have the necessary memory resources to solve HMFEv systems with more than 35 equations.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Petzoldt, A., Chen, M.-S., Ding, J., Yang, B.-Y. (2017). HMFEv - An Efficient Multivariate Signature Scheme. In: Lange, T., Takagi, T. (eds) Post-Quantum Cryptography. PQCrypto 2017. Lecture Notes in Computer Science, vol 10346. Springer, Cham. https://doi.org/10.1007/978-3-319-59879-6_12
DOI: https://doi.org/10.1007/978-3-319-59879-6_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59878-9
Online ISBN: 978-3-319-59879-6