
From 5-Pass \(\mathcal {MQ}\)-Based Identification to \(\mathcal {MQ}\)-Based Signatures

  • Ming-Shing Chen
  • Andreas Hülsing
  • Joost Rijneveld
  • Simona Samardjiska
  • Peter Schwabe
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10032)

Abstract

This paper presents MQDSS, the first signature scheme with a security reduction based on the problem of solving a multivariate system of quadratic equations (\(\mathcal {MQ}\) problem). In order to construct this scheme we give a new security reduction for the Fiat-Shamir transform from a large class of 5-pass identification schemes and show that a previous attempt from the literature to obtain such a proof does not achieve the desired goal. We give concrete parameters for MQDSS and provide a detailed security analysis showing that the resulting instantiation MQDSS-31-64 achieves 128 bits of post-quantum security. Finally, we describe an optimized implementation of MQDSS-31-64 for recent Intel processors with full protection against timing attacks and report benchmarks of this implementation.
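As an added illustration (not code from the paper or the MQDSS software), the block below builds a toy instance of the MQ problem the abstract reduces to: a random system of quadratic polynomials over GF(31), the field of MQDSS-31-64, with far fewer variables than the paper's n = m = 64 so the systems stay readable. Beyond what the abstract states, it also checks the polar-form identity F(r0 + r1) = F(r0) + F(r1) + G(r0, r1), the algebraic property that 5-pass MQ identification schemes of the kind MQDSS is built on rely on. All function names, the seeds and the sample vectors are constructed for this example.

```python
# Added example (not code from the paper or the MQDSS implementation): a toy
# instance of the MQ problem over GF(31).  The field size matches the "31" in
# MQDSS-31-64; n and m are kept tiny here for readability, whereas the paper's
# instantiation uses n = m = 64.
import random

Q = 31  # prime field GF(31)


def gen_system(n, m, seed):
    """Return m random quadratic polynomials in n variables over GF(Q).

    Polynomial k is stored as (quad, lin): quad[i][j] (for i <= j) is the
    coefficient of x_i*x_j and lin[i] the coefficient of x_i.  There is no
    constant term, which is what makes the polar form below bilinear.
    """
    rng = random.Random(seed)  # seeded so the example is reproducible
    system = []
    for _ in range(m):
        quad = [[rng.randrange(Q) if j >= i else 0 for j in range(n)] for i in range(n)]
        lin = [rng.randrange(Q) for _ in range(n)]
        system.append((quad, lin))
    return system


def evaluate(system, x):
    """Evaluate F(x) = (f_1(x), ..., f_m(x)) over GF(Q)."""
    n = len(x)
    out = []
    for quad, lin in system:
        acc = 0
        for i in range(n):
            acc += lin[i] * x[i]
            for j in range(i, n):
                acc += quad[i][j] * x[i] * x[j]
        out.append(acc % Q)
    return out


def vec_add(a, b):
    return [(u + v) % Q for u, v in zip(a, b)]


def vec_sub(a, b):
    return [(u - v) % Q for u, v in zip(a, b)]


def vec_scale(c, a):
    return [(c * u) % Q for u in a]


def polar(system, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y).

    Because each f_k is quadratic with no constant term, G is bilinear in
    (x, y).  This is the property the 5-pass MQ identification scheme that
    MQDSS is derived from relies on.
    """
    fxy = evaluate(system, vec_add(x, y))
    return vec_sub(vec_sub(fxy, evaluate(system, x)), evaluate(system, y))


def keygen(n, m, seed):
    """Toy MQ key pair: the secret is a preimage s, the public value is v = F(s).
    Recovering s from (F, v) is exactly an instance of the MQ problem."""
    rng = random.Random(seed + 1)
    system = gen_system(n, m, seed)
    s = [rng.randrange(Q) for _ in range(n)]
    return system, evaluate(system, s), s


def is_preimage(system, v, s):
    """Check a claimed solution s of the MQ instance (F, v)."""
    return evaluate(system, s) == v


def split_identity_holds(system, s, r0):
    """With s = r0 + r1, F(s) = F(r0) + F(r1) + G(r0, r1): the relation that lets
    a prover talk about the pieces r0, r1 of a split secret without revealing s."""
    r1 = vec_sub(s, r0)
    lhs = evaluate(system, s)
    rhs = vec_add(vec_add(evaluate(system, r0), evaluate(system, r1)), polar(system, r0, r1))
    return lhs == rhs


if __name__ == "__main__":
    F, v, s = keygen(n=6, m=6, seed=2016)
    print("F(s) == v:", is_preimage(F, v, s))
    print("split identity holds:", split_identity_holds(F, s, [1, 2, 3, 4, 5, 6]))
```

The system is stored with the j < i quadratic coefficients zeroed so each monomial x_i x_j is counted once; `evaluate` reads only the upper triangle. Nothing here is a solver: the point is that checking a solution is cheap while, for the paper's parameter sizes, finding one is the hard problem the signature scheme's security reduces to.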

Keywords

Post-quantum cryptography, Fiat-Shamir, 5-pass identification scheme, Vectorized implementation

Notes

Acknowledgements

The authors would like to thank Marc Fischlin for helpful discussions, the anonymous reviewers for valuable comments, Wen-Ding Li for his contributions to the software, and Arno Mittelbach for the cryptocode package.


Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan
  2. Research Center for Information Technology Innovation, Academia Sinica, Taipei, Taiwan
  3. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
  4. Digital Security Group, Radboud University, Nijmegen, The Netherlands
  5. Faculty of Computer Science and Engineering, “Ss. Cyril and Methodius” University, Skopje, Republic of Macedonia
