Design Principles for HFEv- Based Multivariate Signature Schemes
The Hidden Field Equations (HFE) cryptosystem proposed by Patarin is one of the best known and most studied multivariate schemes. While the basic scheme turned out to be very weak, its HFEv- variant appears to be a good candidate for digital signature schemes based on multivariate polynomials. However, the existing scheme of this type, the QUARTZ signature scheme, is hardly used in practice because of its poor efficiency. In this paper we analyze recent results of Ding and Yang on the degree of regularity of HFEv- systems and derive from them design principles for signature schemes of the HFEv- type. Based on these principles we propose the new HFEv- based signature scheme Gui, which is more than 100 times faster than QUARTZ and therefore competitive with classical signature schemes such as RSA and ECDSA.
Keywords: Multivariate cryptography; Digital signatures; HFEv-; Design principles; Security; Performance
We thank the anonymous reviewers of Asiacrypt for their comments, which helped to improve the paper. In particular we want to thank the shepherd of our paper for his valuable advice. Following it, we included:
- further remarks on the complexity of the Kipnis-Shamir attack on HFE and its variants (Sect. 3.3);
- additional experiments on the effect of the parameters a and v on the security of our scheme and on the Hybrid approach (Sects. 4.2 and 4.4);
- remarks on side channel leakage and countermeasures (Sects. 6.1 and 6.2);
- implementation details of Gui on ARM platforms (Sect. 6.4);
- remarks on how Grover's algorithm might affect our parameter choice (Sect. 6.5).

We would like to thank the Charles Phelps Taft Research Center, the Center for Advanced Security Research Darmstadt (CASED), ECSPRIDE, Academia Sinica, the CAS/SAFEA International Partnership Program for Creative Research Teams, Taiwan's Ministry of Science and Technology, National Taiwan University and Intel Corporation for partial support under grants NIST 60NAN15D059, NSFC 61472054, MOST 103-2911-I-002-001, NTU-ICRP-104R7501 and NTU-ICRP-104R7501-1.
- 3. Bernstein, D.J., Lange, T. (eds.): eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to. Accessed 14 May 2014
- 9. Ding, J., Kleinjung, T.: Degree of regularity for HFE-. IACR ePrint 2011/570
- 14. Fog, A.: Instruction tables: Lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs, 7 December 2014. http://www.agner.org/optimize/
- 16. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of STOC, pp. 212–219. ACM (1996)
- 17. Intel Corporation: Haswell Cryptographic Performance. http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/haswell-cryptographic-performance-paper.pdf
- 19. Kravitz, D.: Digital Signature Algorithm. US patent 5231668, July 1991
- 26. Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt '88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)
- 27. Richards, C.: Algorithms for factoring square-free polynomials over finite fields. Master thesis, Simon Fraser University, Canada (2009)
- 30. Taverne, J., Faz-Hernández, A., Aranha, D.F., Rodríguez-Henríquez, F., Hankerson, D., López, J.: Software implementation of binary elliptic curves: impact of the carry-less multiplier on scalar multiplication. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 108–123. Springer, Heidelberg (2011)