From 5-Pass \(\mathcal {MQ}\)-Based Identification to \(\mathcal {MQ}\)-Based Signatures
Abstract
This paper presents MQDSS, the first signature scheme with a security reduction based on the problem of solving a multivariate system of quadratic equations (\(\mathcal {MQ}\) problem). In order to construct this scheme we give a new security reduction for the Fiat-Shamir transform from a large class of 5-pass identification schemes and show that a previous attempt from the literature to obtain such a proof does not achieve the desired goal. We give concrete parameters for MQDSS and provide a detailed security analysis showing that the resulting instantiation MQDSS-31-64 achieves 128 bits of post-quantum security. Finally, we describe an optimized implementation of MQDSS-31-64 for recent Intel processors with full protection against timing attacks and report benchmarks of this implementation.
Keywords
Post-quantum cryptography, Fiat-Shamir, 5-pass identification scheme, Vectorized implementation
1 Introduction
Already since 1997, when Shor published a polynomial-time quantum algorithm for factoring and discrete logarithms, it is known that an attacker equipped with a sufficiently large quantum computer will be able to break essentially all public-key cryptography in use today. More recently, various statements by physicists and quantum engineers indicate that they may be able to build such a large quantum computer within the next few decades. For example, IBM’s Mark Ketchen said in 2012 “I’m thinking like it’s 15 [years] or a little more. It’s within reach. It’s within our lifetime. It’s going to happen.” In May this year, IBM gave access to their 5-qubit quantum computer to researchers and announced that they are expecting to scale up to 50–100 qubits within one decade [36].
It is still a matter of debate when and even if we will see a large quantum computer that can efficiently break, for example, RSA-4096 or 256-bit elliptic-curve crypto. However, it becomes more and more clear that cryptography aiming at long-term security can no longer discard the possibility of attacks by large quantum computers in the foreseeable future. Consequently, NSA recently updated their Suite B to explicitly emphasize the importance of a migration to post-quantum algorithms [41] and NIST announced a call for submissions to a post-quantum competition [40]. Submissions to this competition will be accepted for post-quantum public-key encryption, key exchange, and digital signature. The results presented in this paper fall into the last of these three categories: post-quantum digital signature schemes.
Most experts agree that the most conservative choice for post-quantum signatures are hash-based signatures with tight reductions in the standard model to properties like second-preimage resistance of an underlying cryptographic hash function. Unfortunately, the most efficient hash-based schemes are stateful, a property that makes their use prohibitive in many scenarios [39]. A reasonably efficient stateless construction called SPHINCS was presented at Eurocrypt 2015 [6]; however, eliminating the state in this scheme comes at the cost of decreased speed and increased signature size.
The second direction of research for post-quantum signatures are lattice-based schemes. Various schemes have been proposed with different security and performance properties. The best performance is achieved by BLISS [23] (improved in [22]), whose security reduction relies on the hardness of R-SIS and NTRU, and is non-tight. Furthermore, the performance is achieved at the cost of being vulnerable to cache attacks as demonstrated in [33]. A more conservative approach is the signature scheme proposed by Bai and Galbraith in [3] with improvements to performance and security in [1, 2, 17]. The security reduction to LWE in [2] is tight; a variant using the (more efficient) ideal-lattice setting was presented in [1]. However, these schemes either come with enormous key and signature sizes (e.g. sizes in [2] are in the order of megabytes), or sizes are reduced at the cost of switching to assumptions on lattices with additional structure like NTRU, Ring-SIS, or Ring-LWE.
The third large class of post-quantum signature algorithms is based on the hardness of solving large systems of multivariate quadratic equations, the so-called \(\mathcal {MQ}\) problem. For random instances this problem is NP-complete [30]. However, all schemes in this class that have been proposed with actual parameters for practical use share two properties that often raise concerns about their security: First, their security arguments are rather ad-hoc; there is no reduction from the hardness of \(\mathcal {MQ}\). The reason for this is the second property, namely that these systems require a hidden structure in the system of equations; this implies that their security inherently also relies on the hardness of the so-called isomorphism-of-polynomials (IP) problem [42] (or, more precisely, the Extended IP problem [19] or the similar IP with partial knowledge [51] problem). Time has shown that IP in many of the proposed schemes actually relies on the MinRank problem [16, 28], and unfortunately, more often than not, on an easy instance of this problem. Therefore, many proposed schemes have been broken not by targeting \(\mathcal {MQ}\), but by targeting IP (and thus exploiting the structure in the system of equations). Examples of broken schemes include Oil-and-Vinegar [43] (broken in [38]), SFLASH [14] (broken in [21]), MQQ-Sig [31] (broken in [27]), (Enhanced) TTS [57, 58] (broken in [52]), and Enhanced STS [53] (broken in [52]). There are essentially only two proposals from the “\(\mathcal {MQ}\) + IP” class of schemes that are still standing: HFEv\(^-\) variants [44, 45] and Unbalanced Oil-and-Vinegar (UOV) variants [20, 37]. The literature does not, to the best of our knowledge, describe any instantiation of those schemes with parameters that achieve a conservative post-quantum security level.
Contributions of this paper. Obviously what one would want in the realm of \(\mathcal {MQ}\)-based signatures is a scheme that has a tight reduction to \(\mathcal {MQ}\) in the quantum-random-oracle model (QROM) or even better in the standard model, and has small key and signature sizes and fast signing and verification algorithms when instantiated with parameters that offer 128 bits of post-quantum security. In this paper we make a major step towards such a scheme. Specifically, we present a signature system with a reduction from \(\mathcal {MQ}\), a set of parameters that achieves 128 bits of post-quantum security according to our careful post-quantum security analysis, and an optimized implementation of this scheme.
This does not mean that our proposal goes all the way to the desired scheme sketched above: our reduction is non-tight and in the ROM. Furthermore, at the 128-bit post-quantum security level, the signature size is 40 952 bytes, which is comparable to SPHINCS [6], but larger than what lattice-based schemes or \(\mathcal {MQ}\) + IP schemes achieve. However, the scheme excels in key sizes: it needs only 72 bytes for public keys and 64 bytes for private keys.
The basic idea of our construction is to apply a Fiat-Shamir transform to the \(\mathcal {MQ}\)-based 5-pass identification scheme (IDS) that was presented by Sakumoto, Shirai, and Hiwatari at Crypto 2011 [48]. In principle, this idea is not new; it already appeared in a 2012 paper by El Yousfi Alaoui, Dagdelen, Véron, Galindo, and Cayrel [24]. In their paper they use the 5-pass IDS from [48] as one example of a scheme with a property they call “n-soundness”. According to their proof in the ROM, this property of an IDS guarantees that it can be used in a Fiat-Shamir transform to obtain an existentially unforgeable signature scheme. They give such a transform using the IDS from [48, Sect. 4.2].
One might think that choosing suitable parameters for precisely this transform (and implementing the scheme with those parameters) produces the results we are advertising in this paper. However, we show that not only is the construction from [24, Sect. 4.2] insecure (because it ignores the requirement of an exponentially large challenge space), but also that the proof based on the n-soundness property does not apply to a corrected Fiat-Shamir transform of the 5-pass IDS from [48]. The reason is that the n-soundness property does not hold for this IDS. More than that, we show that any \((2n+1)\)-pass scheme for which the n-soundness property holds can trivially be transformed into a 3-pass scheme. This observation essentially renders the results of [24] vacuous, because the declared contribution of that paper is to present “the first transformation which gives generic security statements for SS derived from \((2n+1)\) pass IS”.
To solve these issues, we present a new proof in the ROM for Fiat-Shamir transforms of a large class of 5-pass IDS, including the 5-pass scheme from [48]. This proof is of independent interest; it applies also, for example, to the IDS from [11, 49] and (with minor modifications) to [46]. Equipped with this result, we fix the signature scheme from [24] and instantiate the scheme with parameters for the 128-bit post-quantum security level. We call this signature scheme MQDSS and the concrete instantiation with the proposed parameters MQDSS-31-64. Our optimized implementation of MQDSS-31-64 for Intel Haswell processors takes 8 510 616 cycles for signing and 5 752 612 cycles for verification; key generation takes 1 826 612 cycles. These cycle counts include full protection against timing attacks.
Organization of this paper. We start with some preliminaries in Sect. 2. In Sect. 3, we recall the 5-pass IDS as introduced in [48]. We present our theoretical results in Sect. 4. We discuss the problems with the result from [24] in Subsect. 4.1, and resolve them by providing a new proof in Subsect. 4.3. We present a description of the transformed 5-pass signature scheme and give a security reduction for it in Sect. 5. In Sect. 6 we finally present a concrete instantiation and implementation thereof.
Availability of the software. We place all software described in this paper into the public domain to maximize reusability of our results. The software is available online at https://joostrijneveld.nl/papers/mqdss.
2 Preliminaries
In the following we provide basic definitions used throughout this work.
Digital signatures. The main target of this work is digital signature schemes. These are defined as follows.
Definition 2.1

The key generation algorithm \(\mathsf {KGen} \) is a probabilistic algorithm that on input \(1^k\), where k is a security parameter, outputs a key pair \((\mathsf {sk},\mathsf {pk})\).

The signing algorithm \(\mathsf {Sign} \) is a possibly probabilistic algorithm that on input a secret key \(\mathsf {sk} \) and a message M outputs a signature \(\sigma \).

The verification algorithm \(\mathsf {Vf} \) is a deterministic algorithm that on input a public key \(\mathsf {pk} \), a message M and a signature \(\sigma \) outputs a bit b, where \(b=1\) indicates that the signature is accepted and \(b=0\) indicates a reject.
For correctness of a \(\mathsf {\textsf {Dss}}\), we require that for all \(k \in \mathbb {N}\), \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KGen} (1^k)\), all messages M and all signatures \(\sigma \leftarrow \mathsf {Sign} (\mathsf {sk},M)\), we get \(\mathsf {Vf} (\mathsf {pk}, M,\sigma )=1\), i.e., that correctly generated signatures are accepted.
Definition 2.2
Identification Schemes. An identification scheme (IDS) is a protocol that allows a prover \(\mathcal {P} \) to convince a verifier \(\mathcal {V} \) of its identity. More formally this is covered by the following definition.
Definition 2.3

the key generation algorithm \(\mathsf {KGen} \) is a probabilistic algorithm that on input \(1^k\), where k is a security parameter, outputs a key pair \((\mathsf {sk},\mathsf {pk})\).

\(\mathcal {P}\) and \(\mathcal {V}\) are interactive algorithms, executing a common protocol. The prover \(\mathcal {P}\) takes as input a secret key \(\mathsf {sk}\) and the verifier \(\mathcal {V}\) takes as input a public key \(\mathsf {pk}\). At the conclusion of the protocol, \(\mathcal {V}\) outputs a bit b with \(b = 1\) indicating “accept” and \(b = 0\) indicating “reject”.
For correctness of the scheme we require that for all \(k\in \mathbb {N}\) and all \((\mathsf {pk}, \mathsf {sk}) \leftarrow \mathsf {KGen} (1^k)\) we have \(\mathsf {Pr}\left[ \left\langle \mathcal {P} (\mathsf {sk}), \mathcal {V} (\mathsf {pk})\right\rangle = 1\right] = 1,\) where \(\left\langle \mathcal {P} (\mathsf {sk}), \mathcal {V} (\mathsf {pk})\right\rangle \) refers to the common execution of the protocol between \(\mathcal {P}\) with input \(\mathsf {sk}\) and \(\mathcal {V}\) on input \(\mathsf {pk}\).
In this work we are only concerned with passively secure identification schemes. We define security in terms of two properties: soundness and honest-verifier zero-knowledge.
Definition 2.4
Of course, the goal is to obtain an IDS with negligible soundness error. This can be achieved by running r rounds of the protocol for an r that fulfills \(\kappa ^r = \text {negl}{(k)}\).
For the following definition we need the notion of a transcript. A transcript of an execution of an identification scheme \(\mathsf {IDS}\) refers to all the messages exchanged between \(\mathcal {P}\) and \(\mathcal {V}\) and is denoted by \(\mathsf {trans} (\left\langle \mathcal {P} (\mathsf {sk}), \mathcal {V} (\mathsf {pk})\right\rangle )\).
Definition 2.5
3 Sakumoto et al. 5-Pass IDS Scheme
In [48], Sakumoto et al. proposed two new identification schemes, a 3-pass and a 5-pass IDS, based on the intractability of the \(\mathcal {MQ}\) problem. They showed that assuming existence of a non-interactive commitment scheme that is statistically hiding and computationally binding, their schemes are statistical zero knowledge and argument of knowledge, respectively. They further showed that the parallel composition of their protocols is secure against impersonation under passive attack. Let us quickly recall the basics of the construction.
Let \(\mathbf {x}=(x_1,\dots ,x_n)\) and let \(\mathcal {MQ} (n,m,\mathbb {F}_q)\) denote the family of vectorial functions \(\mathbf F :\mathbb {F}_q^n\rightarrow \mathbb {F}_q^m\) of degree 2 over \(\mathbb {F}_q\): \(\mathcal {MQ} (n,m,\mathbb {F}_q)=\{ \mathbf F (\mathbf {x})=(f_1(\mathbf {x}),\dots ,f_m(\mathbf {x})) \mid f_s(\mathbf {x})=\sum _{i,j}{a^{(s)}_{i,j}x_ix_j}+ \sum _{i}{b^{(s)}_ix_i}, s\in \{1,\dots ,m\} \}\). The function \(\mathbf G (\mathbf{x},\mathbf{y})=\mathbf F (\mathbf{x}+\mathbf{y})-\mathbf F (\mathbf{x})-\mathbf F (\mathbf{y})\) is called the polar form of the function \(\mathbf F \). The \(\mathcal {MQ}\) problem \(\mathcal {MQ} (\mathbf F ,\mathbf {v})\) is defined as follows:
Given \(\mathbf {v}\in \mathbb {F}_q^m\) find, if any, \(\mathbf {s}\in \mathbb {F}_q^n\) such that \(\mathbf F (\mathbf {s})=\mathbf {v}\).
The decisional version of this problem is \(\mathsf {NP}\)-complete [30]. It is widely believed that the \(\mathcal {MQ}\) problem is intractable, i.e., that given \(\mathbf F \leftarrow _R\mathcal {MQ} (n,m,\mathbb {F}_q)\), \(\mathbf {s}\leftarrow _R\mathbb {F}_q^n\) and \(\mathbf {v}=\mathbf F (\mathbf {s})\) there does not exist a PPT adversary \(\mathcal {A}\) that outputs a solution \(\mathbf {s}'\) to the \(\mathcal {MQ} (\mathbf F ,\mathbf {v})\) problem with non-negligible probability.
The novelty of the approach of Sakumoto et al. [48] is that unlike previous public key schemes, their solution provably relies only on the \(\mathcal {MQ}\) problem (and the security of the commitment scheme), and not on other related problems in multivariate cryptography such as the Isomorphism of Polynomials (IP) problem [42], the related Extended IP [19] and IP with partial knowledge [51] problems or the MinRank problem [16, 28]. The key for this is the introduction of a technique to split the secret using the polar form \(\mathbf G (\mathbf {x},\mathbf {y})\) of a system of polynomials \(\mathbf F (\mathbf {x})\).
Sakumoto et al. [48] proved that their 5-pass scheme is statistically zero knowledge when the commitment scheme Com is statistically hiding, which implies (honest-verifier) zero knowledge. Here we prove the soundness property of the scheme^{1}.
Theorem 3.1
The 5-pass identification scheme of Sakumoto et al. [48] is sound with soundness error \(\frac{1}{2}+\frac{1}{2q}\) when the commitment scheme Com is computationally binding.
Proof
One can show that there exists an adversary \(\mathcal {C}\) that can cheat with probability \(\frac{1}{2}+\frac{1}{2q}\) (see the full version [13]). What we want to show now is that there cannot exist a cheater that wins with significantly higher success probability as long as the \(\mathcal {MQ}\) problem is hard and the used commitment is computationally binding.
Towards a contradiction, suppose there exists a malicious PPT cheater \(\mathcal {C} \) such that it holds that \(\epsilon := \mathsf {Pr}[\left\langle \mathcal {C} (1^k,\mathbf {v}), \mathcal {V} (\mathbf {v})\right\rangle = 1] - (\frac{1}{2}+\frac{1}{2q}) = \frac{1}{P(k)}\) for some polynomial function P(k). We show that this implies that there exists a PPT adversary \(\mathcal {A}\) with access to \(\mathcal {C} \) that can either break the binding property of Com or can solve the \(\mathcal {MQ}\) problem \(\mathcal {MQ} (\mathbf {F},\mathbf {v})\).
If they are the same in both (1) and (2), then from (1):
\(\begin{array}{c} (\alpha ^{(1)}-\alpha ^{(3)}) \mathbf r ^{(1)}_0=\mathbf t ^{(1)}_1-\mathbf t ^{(3)}_1\ \mathrm{and}\ (\alpha ^{(1)}-\alpha ^{(3)})\mathbf F (\mathbf r ^{(1)}_0)=\mathbf e ^{(1)}_1-\mathbf e ^{(3)}_1 \end{array},\)
and from (2): \( (\alpha ^{(2)}-\alpha ^{(4)}) (\mathbf v -\mathbf F (\mathbf r ^{(2)}_1))= \mathbf G (\mathbf t ^{(2)}_1-\mathbf t ^{(4)}_1,\mathbf r ^{(2)}_1)+\mathbf e ^{(2)}_1-\mathbf e ^{(4)}_1\).
We will look into the inner workings of the IDS in more detail in Sect. 5, where we also introduce the related 3-pass scheme.
4 Fiat-Shamir for 5-Pass Identification Schemes
For several intractability assumptions, the most efficient IDS are five-pass, i.e. IDS where a transcript consists of five messages. Here, efficiency refers to the total communication over enough rounds to make the soundness error negligible. This becomes especially relevant when one wants to turn an IDS into a signature scheme, as it is closely related to the signature size of the resulting scheme.
In [24], the authors present a Fiat-Shamir style transform for \((2n+1)\)-pass IDS fulfilling a certain kind of canonical structure. To provide some intuition, a five-pass IDS is called canonical in the above sense if \(\mathcal {P}\) starts with a commitment \(\mathsf {com} _1\), \(\mathcal {V}\) replies with a challenge \(\mathsf {ch} _1\), \(\mathcal {P}\) sends a first response \(\mathsf {resp} _1\), \(\mathcal {V}\) replies with a second challenge \(\mathsf {ch} _2\) and finally \(\mathcal {P}\) returns a second response \(\mathsf {resp} _2\). Based on this transcript, \(\mathcal {V}\) then accepts or rejects. The authors of [24] also present a security reduction for signature schemes derived from such IDS using a security property of the IDS which they call special n-soundness. Intuitively, this property says that given two transcripts that agree on all messages but the last challenge and possibly the last response, one can extract a valid secret key.
In this section we first show that any \((2n+1)\)-pass IDS that fulfills the requirements of the security reduction in [24] can be converted into a 3-pass IDS by letting \(\mathcal {P}\) choose all but the last challenge uniformly at random himself. The main reason this is possible is the special n-soundness. On the other hand, we argue that existing 5-pass schemes in the literature do not fulfill special n-soundness and prove it for the 5-pass \(\mathcal {MQ}\)-IDS from [48]. Hence, they can neither be turned into 3-pass schemes, nor does the security reduction from [24] apply. Afterwards we give a security reduction for a less generic class of 5-pass IDS which covers many 5-pass IDS, including [11, 46, 49]. In particular, it covers the 5-pass \(\mathcal {MQ}\) scheme from [48].
4.1 The El Yousfi et al. Proof
Before we can make any statement about IDS that fall into the case of [24] we have to define the target of our analysis. A canonical \((2n+1)\)-pass IDS is an IDS where the prover and the verifier exchange n challenges and replies. More formally:
Definition 4.1

\(\mathcal {P} _0(\mathsf {sk})\) computes the initial commitment \(\mathsf {com}\) sent as the first message.

\(\mathsf {ChS} _j, j \le n\) computes the j-th challenge message \(\mathsf {ch} _j\leftarrow _R\mathsf {C} _j\), sampling a random element from the j-th challenge space.

\(\mathcal {P} _i(\mathsf {sk}, \mathsf {trans} _{2i}), 0<i\le n\) computes the i-th response of the prover given access to the secret key and \(\mathsf {trans} _{2i}\), the transcript so far, containing the first 2i messages.

\(\mathsf {Vf} (\mathsf {pk}, \mathsf {trans})\), upon access to the public key and the whole transcript outputs \(\mathcal {V}\) ’s final decision.
The definition implies that a canonical \((2n+1)\)-pass IDS is public coin. The public coin property just says that the challenges are sampled from the respective challenge spaces using the uniform distribution.
El Yousfi et al. propose a generalized Fiat-Shamir transform that turns a canonical \((2n+1)\)-pass IDS into a digital signature scheme. The algorithms of the obtained signature scheme make use of the IDS algorithms as follows. The key generation is just the IDS key generation. The signature algorithm simulates an execution of the IDS, replacing challenge \(\mathsf {ch} _j\) by the output of a hash function (that maps into \(\mathsf {C} _j\)) that takes as input the concatenation of the message to be signed and all \(2(j-1)+1\) messages that have been exchanged so far. The signature just contains the messages sent by \(\mathcal {P}\). The verification algorithm uses the signature and the message to be signed to generate a full transcript, recomputing the challenges using the hash function. Then the verification algorithm runs \(\mathsf {Vf} \) on the public key and the computed transcript and outputs its result.
El Yousfi et al. give a reduction for the resulting signature scheme if the used IDS is honest-verifier zero-knowledge and fulfills special n-soundness defined below. The latter is a generalization of special soundness. Intuitively, special n-soundness says that given two transcripts that agree up to the second-to-last response but disagree on the last challenge, one can extract the secret key.
Definition 4.2
(Special n-soundness). A canonical \((2n+1)\)-pass IDS is said to fulfill special n-soundness if there exists a PPT algorithm \(\mathcal {E} \), called the extractor, that given two accepting transcripts \(\mathsf {trans} = (\mathsf {com},\) \(\mathsf {ch} _1,\) \(\mathsf {resp} _1,\) \(\ldots ,\) \(\mathsf {resp} _{n-1},\) \(\mathsf {ch} _n,\mathsf {resp} _n)\) and \(\mathsf {trans} ' = (\mathsf {com},\) \(\mathsf {ch} _1,\) \(\mathsf {resp} _1,\) \(\ldots ,\) \(\mathsf {resp} _{n-1},\) \(\mathsf {ch} _n',\mathsf {resp} _n')\) with \(\mathsf {ch} _n\ne \mathsf {ch} _n'\) as well as the corresponding public key \(\mathsf {pk}\), outputs a matching secret key \(\mathsf {sk}\) for \(\mathsf {pk}\) with non-negligible success probability.
The common special soundness for canonical (3-pass) IDS is hence just special 1-soundness. Please note that El Yousfi et al. define special n-soundness for the resulting signature scheme, which in turn requires the used IDS to provide special n-soundness. We decided to follow the more common approach, defining the soundness properties for the IDS.
From \((2n+1)\) to three passes. We now show that every canonical \((2n+1)\)-pass IDS that fulfills special n-soundness can be turned into a canonical 3-pass IDS fulfilling special soundness.
Theorem 4.3
Let \(\mathsf {IDS} = (\mathsf {KGen}, \mathcal {P}, \mathcal {V})\) be a canonical \((2n+1)\)-pass IDS that fulfills special n-soundness. Then, the following 3-pass IDS \(\mathsf {IDS} '=(\mathsf {KGen},\mathcal {P} ',\mathcal {V} ')\) is canonical and fulfills special soundness.
\(\mathsf {IDS} '\) is obtained from \(\mathsf {IDS}\) by just moving \(\mathsf {ChS} _j, 0< j < n\), (i.e. all but the last challenge generation algorithm) from \(\mathcal {V}\) to \(\mathcal {P}\): \(\mathcal {P} '\) computes \(\mathsf {com} ' = (\mathsf {com}, \mathsf {ch} _1, \mathsf {resp} _1, \ldots , \mathsf {resp} _{n-1}, \mathsf {ch} _{n-1})\) using \(\mathcal {P} _0, \ldots , \mathcal {P} _{n-1}\) and \(\mathsf {ChS} _1, \ldots , \mathsf {ChS} _{n-1}\). After \(\mathcal {P} '\) sent \(\mathsf {com} '\), \(\mathcal {V} '\) replies with \(\mathsf {ch} _1'\leftarrow \mathsf {ChS} _n(1^k)\). \(\mathcal {P} '\) computes \(\mathsf {resp} _1'\leftarrow \mathcal {P} _n(\mathsf {sk},\mathsf {trans} _{2n})\) and \(\mathcal {V} '\) verifies the transcript using \(\mathsf {Vf} \).
Proof
Clearly, \(\mathsf {IDS} '\) is a canonical 3-pass IDS. It remains to prove that it is honest-verifier zero-knowledge and that it fulfills special soundness. The latter is straightforward, as two transcripts for \(\mathsf {IDS} '\) that fulfill the conditions in the soundness definition can be turned into two transcripts for \(\mathsf {IDS} \) fulfilling the conditions in the n-soundness definition by splitting \(\mathsf {com} ' = (\mathsf {com},\) \(\mathsf {ch} _1,\) \(\mathsf {resp} _1,\) \(\ldots ,\) \(\mathsf {resp} _{n-1},\) \(\mathsf {ch} _{n-1})\) into its parts. Consequently, we can use any extractor for \(\mathsf {IDS}\) as an extractor for \(\mathsf {IDS} '\) running in the same time and having the exact same success probability.
Showing honest-verifier zero-knowledge is similarly straightforward. A simulator \(\mathcal {S} '\) for \(\mathsf {IDS} '\) can be obtained from any simulator \(\mathcal {S} \) for \(\mathsf {IDS} \). \(\mathcal {S} '\) just runs \(\mathcal {S} \) to obtain a transcript and regroups the messages to produce a valid transcript for \(\mathsf {IDS} '\). Again, \(\mathcal {S} '\) runs in essentially the same time as \(\mathcal {S} \) and achieves the exact same statistical distance. \(\square \)
The Sakumoto et al. 5-pass IDS does not fulfill special n-soundness. The above result raises the question whether this property was overlooked and we can turn all the 5-pass schemes in the literature into 3-pass schemes. This would have the benefit that we could use the classical Fiat-Shamir transform to turn the resulting schemes into signature schemes.
Sadly, this is not the case. The reason is that the extractors for those IDS need more than two transcripts. For example, the extractor for the 5-pass IDS from [48] needs four transcripts such that they all agree on \(\mathsf {com} \). The transcripts have to form two pairs such that in a pair the transcripts agree on \(\mathsf {ch} _1\) but not on \(\mathsf {ch} _2\), and the two pairs disagree on \(\mathsf {ch} _1\). The proof given by El Yousfi et al. is flawed. The authors miss that the two secret shares \(\mathbf r _0\) and \(\mathbf r _1\) obtained from two different transcripts do not have to be shares of a valid secret key. We now give a formal proof.
Theorem 4.4
The 5-pass identification scheme from [48] does not fulfill special n-soundness if the computational \(\mathcal {MQ}\) problem is hard.
Proof
We prove this by showing that there exist pairs of transcripts fulfilling the special n-soundness criteria that can be generated by an adversary without knowledge of the secret key, simulating just two executions of the protocol. As a key pair for the \(\mathcal {MQ}\)-IDS is a random instance of the \(\mathcal {MQ}\) problem, special n-soundness of the 5-pass \(\mathcal {MQ}\)-IDS would imply that the \(\mathcal {MQ}\) problem can be solved in probabilistic polynomial time.
Now, the first transcript (when \(\mathsf {ch} _2=0\)) is valid, since \(\mathbf {t}_0= \alpha \mathbf {r}_0-\mathbf {t}_1\) and \(\mathbf {e}_0= \alpha \mathbf F (\mathbf {r}_0)-\mathbf {e}_1\). The second transcript (when \(\mathsf {ch} _2=1\)) is also valid, as a straightforward calculation shows. Finally, \(\mathcal {A}\) feeds the transcripts to \(\mathcal {E}\) and outputs whatever \(\mathcal {E}\) outputs. \(\mathcal {A}\) has the same success probability as \(\mathcal {E}\) and runs in essentially the same time. As \(\mathcal {E}\) is a PPT algorithm per assumption, this contradicts the hardness of the computational \(\mathcal {MQ}\) problem. \(\square \)
Clearly, we can also use \(\mathcal {A}\) to deal with a parallel execution of many rounds of the scheme. A similar situation arises for all the 5-pass IDS schemes that we found in the literature.
4.2 A Fiat-Shamir Transform for Most \((2n+1)\)-pass IDS
By now we have established that we are currently lacking security arguments for signature schemes derived from \((2n+1)\)-pass IDS. We now show how to fix this issue for most \((2n+1)\)-pass IDS in the literature. As most of these IDS are 5-pass schemes that follow a certain structure, we restrict ourselves to these cases. There are some generalizations that are straightforward and possible to deal with, but they would make our statements considerably harder to follow.
We will consider a particular type of 5-pass identification protocols where the sizes of the two challenge spaces are restricted to q and 2.
Definition 4.5
(\(q2\text {-}\)Identification scheme). Let \(k\in \mathbb {N}\). A \(q2{{\mathrm{-}}}\)Identification scheme \(\mathsf {IDS} (1^k)\) is a canonical 5-pass identification scheme where for the challenge spaces \(\mathsf {C} _1\) and \(\mathsf {C} _2\) it holds that \(|\mathsf {C} _1|=q\) and \(|\mathsf {C} _2|=2\). Moreover, the probability that the commitment \(\mathsf {com}\) takes a given value is negligible (in k), where the probability is taken over the random choice of the input and the used randomness.
To keep the security reduction below somewhat generic, we also need a property that defines when an extractor exists for a q2-IDS. As we have seen, special n-soundness is not applicable. Hence, we give a less generic definition.
Definition 4.6
In what follows, let \(\mathsf {IDS} ^r = (\mathsf {KGen},\mathcal {P} ^r,\mathcal {V} ^r)\) be the parallel composition of r rounds of the identification scheme \(\mathsf {IDS} = (\mathsf {KGen},\mathcal {P},\mathcal {V})\). As the schemes we are concerned with only achieve a constant soundness error, the construction below uses a polynomial number of rounds to obtain an IDS with negligible soundness error as intermediate step. We denote the transcript of the j-th round by \(\mathsf {trans} _j=(\mathsf {com} _j,\mathsf {ch} _{1,j}, \mathsf {resp} _{1,j},\mathsf {ch} _{2,j},\mathsf {resp} _{2,j})\).
Construction 4.7

\((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KGen} (1^k)\),

\(\sigma =(\sigma _0,\sigma _1,\sigma _2)\leftarrow \mathsf {Sign} (\mathsf {sk}, m)\) where \(\sigma _0=\mathsf {com} \leftarrow \mathcal {P} ^r_0(\mathsf {sk})\), \(h_1=H_1(m,\sigma _0)\), \(\sigma _1=\mathsf {resp} _{1}\leftarrow \mathcal {P} ^r_1(\mathsf {sk},\sigma _0,h_{1})\), \(h_2=H_2(m,\sigma _0,h_1,\sigma _1)\), and \(\sigma _2=\mathsf {resp} _{2}\leftarrow \mathcal {P} ^r_2(\mathsf {sk},\sigma _0,h_1,\sigma _1,h_{2})\).

\(\mathsf {Vf}(\mathsf {pk},m, \sigma )\) parses \(\sigma =(\sigma _0,\sigma _1,\sigma _2)\), computes the values \(h_1= H_1(m,\sigma _0)\), \(h_2= H_2(m,\sigma _0,h_1,\sigma _1)\) as above and outputs \(\mathcal {V} ^r(\mathsf {pk},\sigma _0,h_1,\sigma _1,h_2,\sigma _2)\).
Correctness of the scheme follows immediately from the correctness of \(\mathsf {IDS}\).
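To make the objects of Sect. 3 and Construction 4.7 concrete, the following added example (not code from the paper or the MQDSS software) implements the \(\mathcal {MQ}\) family and its polar form over \(\mathbb {F}_{31}\), one round of the Sakumoto et al. 5-pass IDS with the verifier checks that the proofs above rely on, and the q2-signature scheme of Construction 4.7 over r parallel rounds. Assumptions of the example: Com is a SHA-256 commitment, \(H_1\) and \(H_2\) are SHAKE-256, the contents of the prover's two commitments follow [48], and n = m = 3, r = 8 are toy sizes for readability (MQDSS-31-64 uses n = m = 64 and many more rounds).

```python
import hashlib
import random

Q = 31  # MQDSS-31-64 works over F_31; the n, m, r used below are toy sizes for readability (assumption)

def mq_keygen(n, m, rng):
    """Sample F in MQ(n, m, F_q): per equation f_s the coefficients a^{(s)}_{i,j} (i <= j) and b^{(s)}_i."""
    return [({(i, j): rng.randrange(Q) for i in range(n) for j in range(i, n)},
             [rng.randrange(Q) for _ in range(n)]) for _ in range(m)]

def mq_eval(F, x):
    """F(x) = (f_1(x), ..., f_m(x)) with f_s(x) = sum a_ij x_i x_j + sum b_i x_i over F_q."""
    return [(sum(c * x[i] * x[j] for (i, j), c in a.items())
             + sum(bi * xi for bi, xi in zip(b, x))) % Q for a, b in F]

def vadd(u, v): return [(a + b) % Q for a, b in zip(u, v)]
def vsub(u, v): return [(a - b) % Q for a, b in zip(u, v)]
def vscale(c, u): return [(c * a) % Q for a in u]

def polar(F, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y); bilinear because F has no constant terms."""
    return vsub(vsub(mq_eval(F, vadd(x, y)), mq_eval(F, x)), mq_eval(F, y))

def enc(obj):
    """Deterministic byte encoding of nested lists/tuples of field elements (< 256) and byte strings."""
    if isinstance(obj, bytes):
        return obj
    return bytes([obj]) if isinstance(obj, int) else b"".join(enc(o) for o in obj)

def com(*parts):
    """Com modelled as SHA-256 of the encoded inputs (assumption of this example)."""
    return hashlib.sha256(b"Com" + enc(parts)).digest()

# One round of the Sakumoto et al. 5-pass IDS [48]: prover steps P_0, P_1, P_2 and the verifier's check.
def prover_commit(F, s, rng):
    """P_0: split s = r0 + r1, mask r0 by t0 and F(r0) by e0, and commit to both shares."""
    n, m = len(s), len(F)
    r0, t0 = [rng.randrange(Q) for _ in range(n)], [rng.randrange(Q) for _ in range(n)]
    e0 = [rng.randrange(Q) for _ in range(m)]
    r1 = vsub(s, r0)
    return (com(r0, t0, e0), com(r1, vadd(polar(F, t0, r1), e0))), (r0, r1, t0, e0)

def prover_resp1(F, state, alpha):
    """P_1: for alpha in C_1 = F_q return t1 = alpha*r0 - t0 and e1 = alpha*F(r0) - e0."""
    r0, _, t0, e0 = state
    return vsub(vscale(alpha, r0), t0), vsub(vscale(alpha, mq_eval(F, r0)), e0)

def prover_resp2(state, ch2):
    """P_2: for ch2 in C_2 = {0, 1} reveal the share r_{ch2}."""
    return state[0] if ch2 == 0 else state[1]

def verify_round(F, v, c, alpha, resp1, ch2, resp2):
    c0, c1 = c
    t1, e1 = resp1
    if ch2 == 0:  # recompute t0 = alpha*r0 - t1 and e0 = alpha*F(r0) - e1, then open c0
        r0 = resp2
        return c0 == com(r0, vsub(vscale(alpha, r0), t1), vsub(vscale(alpha, mq_eval(F, r0)), e1))
    r1 = resp2    # alpha*(v - F(r1)) - G(t1, r1) - e1 equals G(t0, r1) + e0 for an honest prover; open c1
    inner = vsub(vsub(vscale(alpha, vsub(v, mq_eval(F, r1))), polar(F, t1, r1)), e1)
    return c1 == com(r1, inner)

# Construction 4.7: r parallel rounds with the challenges replaced by H_1 and H_2 (SHAKE-256, assumption).
def H1(msg, sigma0, r):
    """H_1(m, sigma_0) -> C_1^r = F_q^r (byte mod q; the slight bias is irrelevant for this illustration)."""
    return [b % Q for b in hashlib.shake_256(b"H1" + msg + enc(sigma0)).digest(r)]

def H2(msg, sigma0, h1, sigma1, r):
    """H_2(m, sigma_0, h_1, sigma_1) -> C_2^r = {0, 1}^r."""
    return [b & 1 for b in hashlib.shake_256(b"H2" + msg + enc(sigma0) + enc(h1) + enc(sigma1)).digest(r)]

def sign(F, s, msg, r, rng):
    """Sign(sk, m) with sk = s: sigma = (sigma_0, sigma_1, sigma_2) exactly as in Construction 4.7."""
    rounds = [prover_commit(F, s, rng) for _ in range(r)]
    sigma0 = [c for c, _ in rounds]
    h1 = H1(msg, sigma0, r)
    sigma1 = [prover_resp1(F, st, a) for (_, st), a in zip(rounds, h1)]
    h2 = H2(msg, sigma0, h1, sigma1, r)
    return sigma0, sigma1, [prover_resp2(st, b) for (_, st), b in zip(rounds, h2)]

def verify(F, v, msg, sig):
    """Vf(pk, m, sigma) with pk = (F, v): recompute h_1, h_2 and run V^r, i.e. every round's check."""
    sigma0, sigma1, sigma2 = sig
    r = len(sigma0)
    h1 = H1(msg, sigma0, r)
    h2 = H2(msg, sigma0, h1, sigma1, r)
    return all(verify_round(F, v, *t) for t in zip(sigma0, h1, sigma1, h2, sigma2))

def demo(n=3, m=3, r=8, seed=1):
    """Toy key pair (F, v = F(s)) and s, one signature, then verification of it and of a tampered message."""
    rng = random.Random(seed)
    F = mq_keygen(n, m, rng)
    s = [rng.randrange(Q) for _ in range(n)]
    v = mq_eval(F, s)  # pk = (F, v), sk = s; the paper's compact key encoding is not modelled here
    sig = sign(F, s, b"mqdss example", r, rng)
    return verify(F, v, b"mqdss example", sig), verify(F, v, b"mqdss exampl3", sig)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A tampered message changes the recomputed \(h_1\) and \(h_2\), so each round passes only if its fresh challenges happen to match the ones the signer answered (roughly \(1/(2q)\) per round), which is why the signature fails for the second message.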
4.3 Security of q2-signature Schemes
We now give a security reduction for the above transform in the random oracle model assuming that the underlying q2-IDS is honest-verifier zero-knowledge, achieves soundness with constant soundness error, and has a q2-extractor. More specifically, we prove the following theorem:
Theorem 4.8
(EU-CMA security of q2-signature schemes). Let \(k\in \mathbb {N}\), \(\mathsf {IDS} (1^k)\) a q2-IDS that is honest-verifier zero-knowledge, achieves soundness with constant soundness error \(\kappa \) and has a q2-extractor. Then \(q2\text {-}\mathsf {\textsf {Dss}}(1^k)\), the q2-signature scheme derived by applying Construction 4.7, is existentially unforgeable under adaptive chosen message attacks.
In the following, we model the functions \(H_1\) and \(H_2\) as independent random oracles \(\mathcal {O}_1\) and \(\mathcal {O}_2\). To prove Theorem 4.8, we proceed in several steps. Our proof builds on techniques introduced by Pointcheval and Stern [47]. As the reduction is far from tight, we refrain from giving an exact proof, as it would not buy us anything but a complicated statement. We first recall an important tool from [47] called the splitting lemma.
Lemma 4.9
(Splitting lemma [47]). Let \(A\subset X\times Y\), such that
We now present a forking lemma for q2-signature schemes. The lemma shows that, given a successful key-only adversary, we can obtain four valid signatures which contain four valid transcripts of the underlying IDS. Moreover, these four traces fulfill a certain requirement on the challenges (here the related parts of the hash function outputs) that we need later.
Lemma 4.10
Proof
To prove the Lemma we need to show that we can rewind \(\mathcal {A}\) three times and that the probability that \(\mathcal {A}\) succeeds in forging a (different) signature in all four runs is non-negligible. Moreover, we have to show that the signatures have the additional property claimed in the Lemma, again with non-negligible probability.
Let \(\omega \in R_w\) be \(\mathcal {A}\)’s random tape with \(R_w\) the set of allowable random tapes. During the attack \(\mathcal {A}\) may ask polynomially many queries (in the security parameter k) \(Q_1(k)\) and \(Q_2(k)\) to the random oracles \(\mathcal {O}_1\) and \(\mathcal {O}_2\). Let \(q_{1,1},\) \(q_{1,2}, \dots ,\) \(q_{1,Q_1}\) and \(q_{2,1},\) \(q_{2,2}, \dots ,\) \(q_{2,Q_2}\) be the queries to \(\mathcal {O}_1\) and \(\mathcal {O}_2\), respectively. Moreover, let \((r_{1,1},r_{1,2},\dots ,r_{1,Q_1})\in (\mathsf {C} _1^r)^{Q_1}\) and \((r_{2,1},r_{2,2},\dots ,r_{2,Q_2})\in (\mathsf {C} _2^r)^{Q_2}\) be the corresponding answers of the oracles.
Towards proving the first point, we assume that \(\mathcal {A}\) also outputs \(h_1,h_2\) with the signature and a signature is considered invalid if those do not match the responses of \(\mathcal {O}_1\) and \(\mathcal {O}_2\), respectively. This assumption is without loss of generality as we can construct such \(\mathcal {A}\) from any \(\mathcal {A} '\) that does not output \(h_1,h_2\). \(\mathcal {A}\) just runs \(\mathcal {A} '\) and given the result queries \(\mathcal {O}_1\) and \(\mathcal {O}_2\) for \(h_1,h_2\) and outputs everything. Clearly \(\mathcal {A}\) succeeds with the same success probability as \(\mathcal {A} '\) and runs in essentially the same time, making just one more query to each RO.
Denote by \(\mathsf {F}\) the event that \(\mathcal {A}\) outputs a valid message-signature pair \((m,\sigma ^{(1)}=(\sigma _0,\sigma ^{(1)}_1,\sigma ^{(1)}_2))\) with the associated hash values \(h_1^{(1)},h_2^{(1)}\). Per assumption, this event occurs with non-negligible probability, i.e., \(\mathsf {Pr}[\mathsf {F}]=\frac{1}{P(k)},\) for some polynomial P(k). In addition, \(\mathsf {F}\) implies \(h^{(1)}_1=\mathcal {O}_1(m,\sigma _0)\) and \(h^{(1)}_2=\mathcal {O}_2(m,\sigma _0,h^{(1)}_1,\sigma ^{(1)}_1)\). As \(h^{(1)}_1,h_2^{(1)}\) are chosen uniformly at random from the exponentially large sets \(\mathsf {C} _1^r,\mathsf {C} _2^r\), the probability that \(\mathcal {A}\) did not query \(\mathcal {O} _1\) for \(h^{(1)}_1\) and \(\mathcal {O} _2\) for \(h^{(1)}_2\) is negligible. Hence, there exists a polynomial \(P'\) such that the event \(\mathsf {F}'\) that \(\mathsf {F}\) occurs and \(\mathcal {A}\) queried \(\mathcal {O} _1\) for \(h^{(1)}_1\) and \(\mathcal {O} _2\) for \(h^{(1)}_2\) has probability \(\displaystyle \mathsf {Pr}[\mathsf {F}']=\frac{1}{P'(k)}.\)
We now rewind the adversary again using exactly the same technique as above, but now considering the queries to \(\mathcal {O}_1\) and its responses. In the replay we change the responses of \(\mathcal {O}_1\) to obtain a third signature that differs from the previously obtained ones in the first associated hash value. It can be shown that with non-negligible probability \(\mathcal {A}\) will output a third signature on m, \(\sigma ^{(3)}=(\sigma _0,\sigma ^{(3)}_1,\sigma ^{(3)}_2)\), with associated hash values \((h^{(3)}_1,h^{(3)}_2)\) such that \(h^{(3)}_1\ne h^{(2)}_1=h^{(1)}_1\).
Finally, we rewind the adversary a third time, keeping the responses of \(\mathcal {O} _1\) from the last rewind and focusing on \(\mathcal {O} _2\) again. Again, with non-negligible probability \(\mathcal {A}\) will produce yet another signature on m, \(\sigma ^{(4)}=(\sigma _0,\sigma ^{(4)}_1,\sigma ^{(4)}_2)\), with associated hash values \((h^{(4)}_1,h^{(4)}_2)\) such that \(h^{(4)}_1=h^{(3)}_1\) and \(h^{(4)}_2\ne h^{(3)}_2\).
Summing up, by rewinding the adversary three times we can find four valid signatures \(\sigma ^{(1)}, \sigma ^{(2)}, \sigma ^{(3)}, \sigma ^{(4)}\) with the above property on the associated hash values with non-negligible success probability \(\displaystyle \frac{1}{P(k)}\) for some polynomial P(k). Let us denote this event by \(\mathcal {E}_\sigma \). So we have that \(\displaystyle {\text {Pr}}[\mathcal {E}_\sigma ]\geqslant \frac{1}{P(k)}.\)
What remains is to show that the obtained signatures satisfy the particular structure from the lemma (Eq. 4) with nonnegligible probability.
Finally, we just have to combine the two results. The adversary can at most choose out of a polynomially bounded number of four-tuples of hash pairs. Each of these four-tuples has a negligible probability of fulfilling \(\lnot \mathcal {H}\). Hence, the probability that all the possible combinations of query responses even contain a four-tuple that does not fulfill \(\mathcal {H}\) is negligible. So, \(\mathsf {Pr}[\lnot \mathcal {H}\mid \mathcal {E}_\sigma ] = \text {negl}{(k)},\) and hence the conditions from the lemma are satisfied with non-negligible probability. \(\square \)
With Lemma 4.10 we can already establish unforgeability under key-only attacks:
Corollary 4.11
(Key-only attack resistance). Let \(k\in \mathbb {N}\), \(\mathsf {IDS} (1^k)\) a q2-IDS that achieves soundness with constant soundness error \(\kappa \) and has a q2-extractor. Then \(q2\text {-}\mathsf {\textsf {Dss}}(1^k)\), the q2-signature scheme derived by applying Construction 4.7, is unforgeable under key-only attacks.
A straightforward application of Lemma 4.10 allows us to generate the four traces needed to apply the q2-extractor. The obtained secret key can then be used to violate soundness.
For \(\mathsf {\textsf {{EU\text {-}CMA}}}\) security, we still have to deal with signature queries. The following lemma shows that a reduction can produce valid responses to the adversarial signature queries if the identification scheme is honest-verifier zero-knowledge.
Lemma 4.12
Let \(k\in \mathbb {N}\) be the security parameter and \(\mathsf {IDS} (1^k)\) a q2-IDS that is honest-verifier zero-knowledge. Then any PPT adversary \(\mathcal {B}\) against the \(\mathsf {\textsf {{EU\text {-}CMA}}}\)-security of \(q2\text {-}\mathsf {\textsf {Dss}}(1^k)\), the q2-signature scheme derived by applying Construction 4.7, can be turned into a key-only adversary \(\mathcal {A} \) with the properties described in Lemma 4.10. \(\mathcal {A}\) runs in polynomial time and succeeds with essentially the same success probability as \(\mathcal {B}\).
Proof
By construction. We show how to construct an oracle machine \(\mathcal {A} ^{\mathcal {B},\mathcal {S},\mathcal {O} _1,\mathcal {O} _2}\) that has access to \(\mathcal {B}\), an honest-verifier zero-knowledge simulator \(\mathcal {S}\), and random oracles \(\mathcal {O} _1, \mathcal {O} _2\). \(\mathcal {A}\) produces a valid signature for \(q2\text {-}\mathsf {\textsf {Dss}}(1^k)\) given only a public key, running in time polynomial in k and achieving essentially the same success probability (up to a negligible difference) as \(\mathcal {B}\).
Upon input of public key \(\mathsf {pk}\), \(\mathcal {A}\) runs \(\mathcal {B} ^{\mathcal {O} _1', \mathcal {O} _2',\mathsf {Sign}}(\mathsf {pk})\) simulating the random oracles (ROs) \(\mathcal {O} _1', \mathcal {O} _2'\), as well as the signing oracle \(\mathsf {Sign}\) towards \(\mathcal {B}\). When \(\mathcal {B}\) outputs a forgery \((m^*,\sigma ^*)\), \(\mathcal {A}\) just forwards it.
To simulate the ROs, \(\mathcal {A}\) keeps two initially empty tables of queryresponse pairs, one per oracle. Whenever \(\mathcal {B}\) queries \(\mathcal {O} _b'\), \(\mathcal {A}\) first checks if the table for \(\mathcal {O} _b'\) already contains a pair for this query. If such a pair exists, \(\mathcal {A}\) just returns the stored response. Otherwise, \(\mathcal {A}\) forwards the query to its own \(\mathcal {O} _b\).
As \(\mathsf {IDS}\) is honest-verifier zero-knowledge, there exists a PPT simulator \(\mathcal {S}\) that upon input of an \(\mathsf {IDS}\) public key generates a valid transcript that is indistinguishable from the transcripts generated by honest protocol executions. Whenever \(\mathcal {B}\) queries the signature oracle with message m, \(\mathcal {A}\) runs \(\mathcal {S}\) r times to obtain r valid transcripts. \(\mathcal {A}\) combines the transcripts to obtain a valid signature with associated hashes \(\sigma =((\sigma _0,\sigma _1,\sigma _2), h_1, h_2)\). Before outputting \(\sigma \), \(\mathcal {A}\) checks if the table for \(\mathcal {O} _1'\) already contains an entry for query \((m,\sigma _0)\). If so, \(\mathcal {A}\) aborts. Otherwise, \(\mathcal {A}\) adds the pair \(((m,\sigma _0), h_1)\). Then, \(\mathcal {A}\) checks the second table for query \((m,\sigma _0,h_1,\sigma _1)\). Again, \(\mathcal {A}\) aborts if it finds such an entry and adds \(((m,\sigma _0,h_1,\sigma _1), h_2)\) otherwise.
The probability that \(\mathcal {A}\) aborts is negligible in k. When answering signature queries, \(\mathcal {A}\) verifies that certain queries were not made before. Both queries contain \(\sigma _1\), which takes any given value only with negligible probability. On the other hand, the total number of queries that \(\mathcal {B}\) makes to all its oracles is polynomially bounded. Hence, the probability that one of the two queries was already made before is negligible. If \(\mathcal {A}\) does not abort, it perfectly simulates all oracles towards \(\mathcal {B}\). Hence, \(\mathcal {B}\) – and thereby \(\mathcal {A}\) – succeeds with the same probability as in the real \(\mathsf {\textsf {{EU\text {-}CMA}}}\) game in this case. Hence, \(\mathcal {A}\) succeeds with essentially the same probability as \(\mathcal {B}\). \(\square \)
We now have everything we need to prove Theorem 4.8. The proof is a straightforward application of the previous two lemmas.
Proof
(of Theorem 4.8). Towards a contradiction, assume that there exists a PPT adversary \(\mathcal {B}\) against the \(\mathsf {\textsf {{EU\text {-}CMA}}}\)-security of \(q2\text {-}\mathsf {\textsf {Dss}}\) succeeding with non-negligible probability. We show how to construct a PPT impersonator \(\mathcal {C}\) breaking the soundness of \(\mathsf {IDS}\). Applying Lemma 4.12, \(\mathcal {C}\) can construct a PPT key-only forger \(\mathcal {A}\) with essentially the same success probability as \(\mathcal {B}\). Given a public key for \(\mathsf {IDS}\) (which is a valid \(q2\text {-}\mathsf {\textsf {Dss}}\) public key), \(\mathcal {C}\) runs \(\mathcal {A}\) as described in Lemma 4.10. That way \(\mathcal {C}\) can use \(\mathcal {A}\) to obtain four signatures that per (4) lead to four transcripts as required by the q2-extractor \(\mathcal {E}\). Running \(\mathcal {E}\), \(\mathcal {C}\) can extract a valid secret key that allows it to impersonate \(\mathcal {P}\) with success probability 1.
\(\mathcal {C}\) just runs \(\mathcal {A}\) and \(\mathcal {E}\), two PPT algorithms. Consequently, \(\mathcal {C}\) runs in polynomial time. Also, \(\mathcal {A}\) and \(\mathcal {E}\) both have non-negligible success probability, implying that \(\mathcal {C}\) also succeeds with non-negligible probability. \(\square \)
5 Our Proposal
In the previous sections, we gave security arguments for a Fiat-Shamir transform of 5-pass IDS that contain two challenges, from \(\{0, \dots , q-1\}\) and \(\{0, 1\}\) respectively, where \(q\in \mathbb {Z}^*\). In this section we apply the transform to the 5-pass IDS from [48] (see Sect. 3). Before discussing the 5-pass scheme, which we dub MQDSS, we first briefly examine the signature scheme obtained by applying the traditional Fiat-Shamir transform to the 3-pass IDS in [48], to obtain a baseline. Then we give a generic description of MQDSS and prove it secure.
The IDS requires an \(\mathcal {MQ}\) system \(\mathbf F \) as input, potentially system-wide. We could simply select one function \(\mathbf F \) and define it as a system parameter for all users. Instead, we choose to derive it from a unique seed that is included in each public key. This increases the size of \(\mathsf {pk}\) by k bits, and adds some cost for seed expansion when signing and verifying. However, selecting a single system-wide \(\mathbf F \) might allow an attacker to focus their efforts on a single \(\mathbf F \) for all users, and would require whoever selects this system parameter to convince all users of its randomness (which is not trivial [5]). For consistency with the literature, we still occasionally refer to \(\mathbf F \) as the ‘system parameter’.
Note that the signing procedure described below is slightly more involved than is suggested by Construction 4.7. Where the transformed construction operates directly on the message m, we first apply what is effectively a randomized hash function. As discussed in [35], this extra step provides resilience against collisions in the hash function at little extra cost. A similar construction appears e.g. in SPHINCS [6]. The digest (and thus the signature) is still derived from m and \(\mathsf {sk}\) deterministically.
5.1 Establishing a Baseline Using the 3-Pass Scheme over \(\mathbb {F}_2\)
In the interest of brevity, we will not go into the details of the derived signature scheme here – instead, we refer to the full version of the paper [13].
For the 3-pass scheme, we select \(n = m = 256\) over \(\mathbb {F}_2\). This results in signatures of 54.81 KB, and a key pair of 64 bytes per key. We ran benchmarks on a single 3.5 GHz core of an Intel Core i7-4770K CPU, measuring 118 088 992 cycles for signature generation, 8 066 324 cycles for key generation and 82 650 156 cycles for signature verification (or 33.7 ms, 2.30 ms and 23.6 ms, respectively).
5.2 The 5-Pass Scheme over \(\mathbb {F}_{31}\)
As can be seen from the results above, the plain 3-pass scheme over \(\mathbb {F}_{2}\) is quite inefficient, both in terms of signature size and signing speed. This is a direct consequence of the large number of variables and equations required to achieve 128 bits of post-quantum security using \(\mathcal {MQ}\) over \(\mathbb {F}_{2}\), as well as the high number of rounds required (see the full version [13] of the paper for an analysis). Using a 5-pass scheme over \(\mathbb {F}_{31}\) allows for smaller n and m, as well as a smaller number of rounds. One might wonder why we do not consider different fields for the 3-pass scenario instead. This turns out to be suboptimal: contrary to the 5-pass scheme, this does not result in a reduction of the knowledge error, but does increase the transcript size per round.
The MQDSS signature scheme. We now explicitly construct the functions \(\mathsf {KGen} \), \(\mathsf {Sign} \) and \(\mathsf {Vf} \) in accordance with Definition 2.1. Specific values for the parameters that achieve 128-bit post-quantum security are given in the next section. We start by presenting the parameters of the scheme in general.
Parameters. MQDSS is parameterized by a security parameter \(k\in \mathbb {N}\), and \(m,n \in \mathbb {N}\) such that the security level of the \(\mathcal {MQ}\) instance \(\mathcal {MQ} (n, m, \mathbb {F}_2) \ge k\). The latter fix the description length of the equation system \(\mathbf F \), \(F_{len} = m \cdot \frac{n \cdot (n + 1)}{2}\).
cryptographic hash functions \(\mathcal {H}: \{0, 1\}^* \rightarrow \{0, 1\}^k\), \(H_1: \{0, 1\}^{2k} \rightarrow {\mathbb {F}_{31}}^r\), and \(H_2: \{0, 1\}^{2k} \rightarrow \{0,1\}^r\),
two string commitment functions \(Com_0: {\mathbb {F}_{31}}^n \times {\mathbb {F}_{31}}^n \times {\mathbb {F}_{31}}^m \rightarrow \{0, 1\}^k\) and \(Com_1: {\mathbb {F}_{31}}^n \times {\mathbb {F}_{31}}^m \rightarrow \{0, 1\}^k\),
pseudorandom generators \(G_{\mathcal {S}_F}: \{0, 1\}^k \rightarrow {\mathbb {F}_{31}}^{F_{len}}\), \(G_{SK}: \{0, 1\}^k \rightarrow {\mathbb {F}_{31}}^{n}\), and \(G_c: \{0, 1\}^{2k} \rightarrow {\mathbb {F}_{31}}^{r \cdot (2n + m)}\).
In order to compute the public key, we want to use the secret key as input for the \(\mathcal {MQ}\) function defined by \(\mathbf F \). As SK is a k-bit string rather than a sequence of n elements from \(\mathbb {F}_{31}\), we instead use it as a seed for a pseudorandom generator as well, deriving \(SK_{\mathbb {F}_{31}} = G_{SK}(SK)\). It is then possible to compute \({{\varvec{PK}}}_{{\varvec{v}}} = \mathbf F (SK_{\mathbb {F}_{31}})\). The secret key \(\mathsf {sk} = (SK, \mathcal {S}_F)\) and the public key \(\mathsf {pk} = (\mathcal {S}_F, {{\varvec{PK}}}_{{\varvec{v}}})\) require \(2 \cdot k\) and \(k + 5 \cdot m\) bits respectively, assuming 5 bits per \(\mathbb {F}_{31}\) element.
Signing. The signature algorithm takes as input a message \(m \in \{0, 1\}^*\) and a secret key \(\mathsf {sk} = (SK, \mathcal {S}_F)\). As in the key generation, we derive \(\mathbf F = G_{\mathcal {S}_F}(\mathcal {S}_F)\). Then, we derive a message-dependent random value \(R = \mathcal {H}(SK \Vert m)\), where “\(\Vert \)” is string concatenation. Using this random value R, we compute the randomized message digest \(D = \mathcal {H}(R \Vert m)\). The value R must be included in the signature, so that a verifier can derive the same randomized digest.
As mentioned in Definition 2.4, the core of the derived signature scheme essentially consists of iterations of the IDS. We refer to the number of required iterations to achieve the security level k as r (note that this should not be confused with \(\mathbf r _0\) and \(\mathbf r _1\), which are vectors of elements of \(\mathbb {F}_{31}\)).
Let \(\sigma _1 = (\mathbf t _{(1, 0)} \Vert \mathbf e _{(1, 0)} \Vert \ldots \Vert \mathbf t _{(1, r - 1)} \Vert \mathbf e _{(1, r - 1)})\). We compute \(h_2\) by applying \(H_2\) to the tuple \((D, \sigma _0, h_1, \sigma _1)\) and use it as r binary challenges \(\mathsf {ch} _{2,i} \in \{0, 1\}\).
Now we define \(\sigma _2 = (\mathbf r _{(\mathsf {ch} _{2,0}, 0)}, \ldots , \mathbf r _{(\mathsf {ch} _{2,r-1}, r-1)}, c_{(1-\mathsf {ch} _{2,0}, 0)}, \ldots , c_{(1-\mathsf {ch} _{2, r - 1}, r-1)}) \). Note that here we also need to include the commitments \(c_{(1-\mathsf {ch} _{2,i}, i)}\) that the verifier cannot recompute. We then output \(\sigma = (R, \sigma _0, \sigma _1, \sigma _2)\) as the signature. At 5 bits per \(\mathbb {F}_{31}\) element, the size of the signature is \((2 + r) \cdot k + 5 \cdot r \cdot (2 \cdot n + m)\) bits.
Extracting the missing commitments \(c_{(1 - \mathsf {ch} _{2,i}, i)}\) from \(\sigma _2\), the verifier now computes \(\sigma _0' = \mathcal {H}(c_{(0, 0)} \Vert c_{(1, 0)} \Vert \ldots \Vert c_{(0, r - 1)} \Vert c_{(1, r - 1)})\). For verification to succeed, \(\sigma _0' = \sigma _0\) must hold.
5.3 Security of MQDSS
We now give a security reduction for MQDSS in the ROM. As our results from the last section are non-tight, we only prove an asymptotic statement. While this does not suffice to make any statement about the security of a specific parameter choice, it provides evidence that the general approach leads to a secure scheme. Also, the reduction is in the ROM, not in the QROM, thereby limiting applicability in the post-quantum setting. As already mentioned in the introduction, we consider it important future work to strengthen this statement.
In the remainder of this subsection we prove the following theorem.
Theorem 5.1
the search version of the \(\mathcal {MQ}\) problem is intractable,
the hash functions \(\mathcal {H}\), \(H_1\), and \(H_2\) are modeled as random oracles,
the commitment functions \(Com_0\) and \(Com_1\) are computationally binding, computationally hiding, and the probability that their output takes a given value is negligible in the security parameter,
the pseudorandom generator \(G_{\mathcal {S}_F}\) is modeled as a random oracle, and
the pseudorandom generators \(G_{SK}\) and \(G_c\) have outputs computationally indistinguishable from random.
To prove this theorem we would like to apply Theorem 4.8. However, Theorem 4.8 was formulated for a slightly more generic construction. The point is that we apply an optimization originally proposed in [50]. So, in our actual proposal, the parallel composition of the IDS is slightly different as, instead of the commitments, only the hash of their concatenation is sent. Also, the last message now contains the remaining commitments.
While we could have treated this case in Sect. 4, it would have limited the general applicability of the result, as the above optimization is only applicable to schemes with a certain, less generic, structure. However, it is straightforward to redo the proofs from Sect. 4 for the optimized scheme. When modeling the hash function used to compress the commitments as RO, the arguments are exactly the same with one exception. The proof of Lemma 4.12 uses that the commitment scheme – and thereby the first signature element \(\sigma _1\) – only takes a given value with negligible probability. Now this statement follows from the same property of the commitment scheme and the randomness of the RO. Altogether this leads to the following corollary:
Corollary 5.2
(EU-CMA security of optimized q2-signature schemes). Let \(k\in \mathbb {N}\), \(\mathsf {IDS} (1^k)\) a q2-IDS that is honest-verifier zero-knowledge, achieves soundness with constant soundness error \(\kappa \) and has a q2-extractor. Then \(opt\text {-}q2\text {-}\mathsf {\textsf {Dss}}(1^k)\), the optimized q2-signature scheme derived by applying Construction 4.7 and the optimization explained above, is existentially unforgeable under adaptive chosen message attacks.
Based on this corollary we can now prove the above theorem.
Proof
Game 0: Is the \(\mathsf {\textsf {{EU\text {-}CMA}}}\) game for MQDSS.
Game 1: Is Game 0 with the difference that \(\mathcal {M}\) replaces the outputs of \(G_{SK}\) by random bit strings.
Game 2: Is Game 1 with the difference that \(\mathcal {M}\) replaces the outputs of \(G_c\) by random bit strings.
Game 3: Is Game 2 with the difference that \(\mathcal {M}\) takes as additional input a random equation system \(\mathbf {F}\). \(\mathcal {M}\) simulates \(G_{\mathcal {S}_F}\) towards \(\mathcal {A}\), programming \(G_{\mathcal {S}_F}\) such that it returns the coefficients representing \(\mathbf {F}\) upon input of \(\mathcal {S}_F\) and uniformly random values on any other input.
Per assumption, \(\mathcal {A}\) wins Game 0 with non-negligible success probability. Let’s call this \(\epsilon \). If the difference in \(\mathcal {A}\)’s success probability playing Game 0 or Game 1 was non-negligible, we could use \(\mathcal {A}\) to distinguish the outputs of \(G_{SK}\) from random. The same argument applies for the difference between Game 1 and Game 2, and \(G_c\). Finally, the output distribution of \(G_{\mathcal {S}_F}\) in Game 3 is the same as in the previous games. Hence, there is no difference for \(\mathcal {A}\) between Game 2 and Game 3. Accordingly, \(\mathcal {A}\)’s success probability in these two games is equal.
Now, Game 3 is exactly the \(\mathsf {\textsf {{EU\text {-}CMA}}}\) game for the optimized q2-signature scheme that is derived from \(\mathcal {MQ} \text {-}\mathsf {IDS} \), the 5-pass IDS from [48]. We obtain the necessary contradiction if we can apply Corollary 5.2. For this, it just remains to be shown that \(\mathcal {MQ} \text {-}\mathsf {IDS} \) is a q2-IDS that is honest-verifier zero-knowledge, achieves soundness with constant soundness error \(\kappa \) and has a q2-extractor. Clearly, \(\mathcal {MQ} \text {-}\mathsf {IDS} \) is a q2-IDS under the given assumptions on the commitment schemes. Sakumoto et al. [48] show that \(\mathcal {MQ} \text {-}\mathsf {IDS} \) is honest-verifier zero-knowledge. Theorem 3.1 shows that \(\mathcal {MQ} \text {-}\mathsf {IDS} \) achieves soundness with constant soundness error \(\kappa =\frac{q+1}{2q}\). Finally, the proof of Theorem 3.1 provides a construction of a q2-extractor. \(\square \)
6 Instantiating the Scheme
In this section, we provide a concrete instance of MQDSS. We discuss a suitable set of parameters to achieve the desired security level, discuss an optimized software implementation, and present benchmark results.
Parameter choice and security analysis. For the 5-pass scheme, the soundness error \(\kappa \) is affected by the size of q. This motivates a field choice larger than \(\mathbb {F}_2\) in order to reduce the number of rounds required. From an implementation point of view, it is beneficial to select a small prime, allowing very cheap multiplications as well as comparatively cheap field reductions. We choose \(\mathbb {F}_{31}\) with the intention of storing each element in a 16-bit value – the benefits of which become clear in the next subsection, where we discuss the required reductions.
We now consider the choice of \(\mathcal {MQ} (n,m,\mathbb {F}_{31})\), i.e. the parameters n and m. There are several known generic classical algorithms for solving systems of quadratic equations over finite fields, such as the F4 algorithm [25] and the F5 algorithm [4, 26] using Gröbner basis techniques, the Hybrid Approach [9, 10] that is a variant of the F5 algorithm, or the XL algorithm [15, 18] and variants [56].
Currently, for fields \(\mathbb {F}_q\) where \(q\geqslant 4\), the best known technique for solving overdetermined systems of equations over \(\mathbb {F}_q\) is combining equation solvers with exhaustive search. The Hybrid Approach [9, 10] and the FXL variant of XL [56] use this paradigm. Here we will analyze the complexity using the Hybrid approach. Note that the complexity for the XL family of algorithms is similar [59].
Roughly speaking, for an optimization parameter \(\ell \), using the Hybrid approach one first fixes \(\ell \) among the n variables, and then computes \(q^\ell \) Gröbner bases of the smaller systems in \(n-\ell \) variables. Hence, the improvement over the plain F5 algorithm comes from the proper choice of the parameter \(\ell \). It has been shown in [9] that the best tradeoff is achieved when the parameter \(\ell \) is proportional to the number of variables n, i.e. when \(\ell =\tau n\).
Following the analysis from [9, 10], we calculated the best tradeoff for \(\tau \) for the family of functions \(\mathcal {MQ} (n,n,\mathbb {F}_{31})\), when \(\omega =2.3\). Asymptotically, \(\tau \rightarrow 0.16\), although for smaller values of n (e.g. \(n=32\)) we find \(\tau =0.13\).
Since our goal is classical security of at least 128 bits, we need to choose \(n\ge 51\), so that for any choice of the linear algebra constant \(2\leqslant \omega \leqslant 3\) the Hybrid approach would need at least \(2^{128}\) operations. Note that if we set the more realistic value of \(\omega =2.3\), the minimum is \(n=45\).
For implementation reasons, we choose \(n=64\). In particular, a multiple of 16 suggests efficient register usage for vectorized implementations. In this case, for \(\omega =2.3\), the complexity of the Hybrid approach is \(\approx 2^{177}\) and the best result is obtained for \(\tau =0.14\), which translates to fixing 9 variables in the system.
Regarding post-quantum security, at the moment there is no dedicated quantum algorithm for solving systems of quadratic equations. Instead, we can use Grover’s search algorithm [34] to directly attack the \(\mathcal {MQ}\) problem, or use Grover’s algorithm for the search part in a quantum implementation of the Hybrid method. Note that the latter requires an efficient quantum implementation of the F5 algorithm, which we will assume provides no quantum speedup over the classical implementation.
Grover’s algorithm searches for an item in an unordered list of size \(N=2^\mathbf {n}\) that satisfies a certain condition given in the form of a quantum black-box function \(f:\{0,1\}^\mathbf {n}\rightarrow \{0,1\}\). If the condition is satisfied for the i-th item, then \(f(i)=1\), otherwise \(f(i)=0\). The complexity of Grover’s algorithm is \(\mathcal {O}(\sqrt{N/M})\), where M is the number of items in the list that satisfy the condition, i.e. the algorithm provides a quadratic speedup compared to classical search.
First we will consider a direct application of Grover’s algorithm to the \(\mathcal {MQ}\) problem in question. In this case, f should provide an answer whether a given n-tuple \(\mathbf {x}\) from \(\mathbb {F}^n_{31}\) satisfies the system of equations \(\mathbf {F}(\mathbf {x})=\mathbf {v}\). Since the domain is not Boolean, we need to convert it to one, so we get a domain of size \(n\log 31\).
To estimate the complexity of the algorithm, we need the number of solutions M to the given system of equations. Determining the exact M requires exponential time [54], but it was shown in [29] that the number of solutions of a system of n equations in n variables follows the Poisson distribution with parameter \(\lambda =1\). Therefore the expected value is 1. Furthermore, the probability that there are at least M solutions can be estimated by the tail bound of a Poisson random variable \(P[X\geqslant M]\leqslant \frac{(e\lambda )^M}{e^\lambda M^M}=\frac{1}{e}(\frac{e}{M})^M\), which is negligible in M. In practice, we can safely assume that \(M\leqslant 4\), since \(P[M\geqslant 5]\leqslant 2^{-8}\). In total, Grover’s algorithm takes \(\mathcal {O}(2^{n\log 31/2}/4)\approx 2^{156}\) operations.
To achieve \(\mathsf {\textsf {{EU\text {-}CMA}}}\) for 128 bits of post-quantum security, we require that \(\kappa ^r \le 2^{-256}\), as an adversary could perform a preimage search to effectively control the challenges. As \(\kappa = \frac{q+1}{2q}\) with \(q = 31\), we need \(r = 269\). To complete the scheme, we instantiate the functions \(\mathcal {H}\), \(Com_0\) and \(Com_1\) with SHA3-256, and use SHAKE128 for \(H_1\), \(H_2\), \(G_{\mathcal {S}_F}\), \(G_c\), and \(G_{SK}\) [7]. In order to convert between the output domain of SHAKE128 and functions that map to vectors over \(\mathbb {F}_{31}\), we simply reject and resample values that are not in \(\mathbb {F}_{31}\) (effectively applying an instance of the second TSS08 construction from [55]).
We refer to this instance of the scheme as MQDSS-31-64.
Implementation. The central and most costly computation in this signature scheme is the evaluation of \(\mathbf {F}\) (and, by corollary, \(\mathbf {G}\)). The signing procedure requires one evaluation of each for every round, and the verifier needs to compute either \(\mathbf {F}\) (if \(\mathsf {ch} _2 = 0\)) or both \(\mathbf {F}\) and \(\mathbf {G}\) (if \(\mathsf {ch} _2 = 1\)), for each round. Other than these functions, the computational effort is made up of seed expansion, several hash function applications and a small number of additions and subtractions. For SHA3-256 and SHAKE128, we rely on existing code from the Keccak Code Package [8]. Clearly, the focus for an optimized implementation should be on the \(\mathcal {MQ}\) function. Previous work [12] has shown that modern CPUs offer interesting and valuable methods to efficiently implement this primitive, in particular by exploiting the high level of internal parallelism.
Compared to the binary 3-pass scheme, the implementation of the 5-pass scheme over \(\mathbb {F}_{31}\) presents more challenges. As \(\mathbb {F}_{31}\) is not closed under regular integer multiplication and addition, results of computations need to be reduced to smaller representations. To avoid having to do this too frequently, we generally represent field elements during computation as unsigned 16-bit values. During specific parts of the computation, we vary this representation as needed.
The evaluation of \(\mathbf {F}\) can roughly be divided in two parts: the generation of all monomials, and computation of the resulting polynomials for known monomials. Generating the quadratic monomials based on the given linear monomials requires \(n \cdot \frac{n+1}{2}\) multiplications. For the second part, we require \(m \cdot (n + n \cdot \frac{n+1}{2})\) multiplications to multiply the coefficients of the system parameter with the quadratic monomials, as well as a number of additions to accumulate all results. As the second part is clearly more computationally intensive, the optimization of this part is our primary concern. We describe an approach for the monomial generation in the full version [13] of the paper.
To efficiently compute all polynomials for a given set of monomials, we keep all required data in registers to avoid the cost of register spilling throughout the computation. Given that \(n=m=64\), for this part of the computation we represent the 64 \(\mathbb {F}_{31}\) input values as 8 bit values and the resulting 64 \(\mathbb {F}_{31}\) elements as 16 bit values, costing us 2 and 4 YMM registers respectively. The coefficients of \(\mathbf {F}\) can be represented as a column major matrix with every column containing all coefficients that correspond to a specific monomial, i.e. one for each output value. That would imply that every row of the matrix represents one polynomial of \(\mathbf {F}\). In this representation, each result term is computed by accumulating the products of a row of coefficients with each monomial, which is exactly the same as computing the product of the matrix \(\mathbf {F}\) and the vector containing all monomials. This allows us to efficiently accumulate the output terms, minimizing the required output registers.
In order to perform the required multiplications and additions as quickly as possible, we heavily rely on the AVX2 instruction VPMADDUBSW. In one instruction, this computes two 8 bit SIMD multiplications and a 16 bit SIMD addition. However, this instruction operates on 8 bit input values that are stored adjacently. This requires a slight variation on the representation of \(\mathbf {F}\) described above: instead, we arrange the coefficients of \(\mathbf {F}\) in a column major matrix with 16 bit elements, each corresponding to two concatenated monomials.
When arranging reductions, we must strike a careful balance between preventing overflow and not reducing more often than necessary. As we make extensive use of VPMADDUBSW, which takes both a signed and an unsigned operand to compute the quadratic monomials, we ensure that the input variables for the \(\mathcal {MQ}\) function are unsigned values (in particular: \(\{0,\ldots ,31\}\)). For the coefficients in the system parameter \(\mathbf F \), we can then freely assume the values are in \(\{-15,\ldots ,15\}\), as these are the direct result of a pseudorandom generator. It turns out to be efficient to immediately reduce the quadratic monomials back to \(\{0, \ldots , 31\}\) when they are computed. When we now multiply such a product with an element from the system parameter and add it to the accumulators, the maximum value of each accumulator word will be at most^{3} \( 64 \cdot 31 \cdot 15 = 29760\). As this does not exceed 32768, we only have to perform reductions on each individual accumulator at the very end.
One should note that [12] approaches this problem from a slightly different angle. In particular, they accumulate each individual output element sequentially, allowing them to keep the intermediate results in the 32 bit representation that is the output of their combined multiplication and addition instructions. This has the natural consequence of also avoiding early reductions.
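The accumulation strategy of the preceding paragraphs, as an added scalar example (not the paper's AVX2 code): unsigned monomials in \(\{0,\ldots ,30\}\), signed coefficients in \(\{-15,\ldots ,15\}\), a column-major coefficient matrix, and 16-bit accumulators that are reduced only after a fixed number of products. The `maddubs` helper models one lane of VPMADDUBSW (two unsigned-by-signed 8-bit products summed into 16 bits); `chunk_is_safe` is the overflow bound \(64 \cdot 31 \cdot 15 = 29760 < 32768\) as a function of the chunk length, and a naive reference evaluation is included to check the lazily reduced one. The coefficient system and input vector are constructed in `selftest_mq` and are not MQDSS key material.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define Q 31
#define N 64                        /* variables */
#define M 64                        /* equations */
#define NMON (N + N * (N + 1) / 2)  /* linear + quadratic monomials = 2144 (even) */
#define CHUNK 64                    /* products summed in 16 bits before reducing (even) */

/* A 16-bit lane summing `chunk` products of a value in {0,...,31} with a
 * coefficient in {-15,...,15} reaches at most chunk*31*15 in magnitude;
 * it is safe iff that fits in int16_t.  For chunk = 64 this is 29760. */
int chunk_is_safe(size_t chunk) {
    return chunk * 31 * 15 <= 32767;
}

/* Scalar model of one VPMADDUBSW lane: two unsigned-8 x signed-8 products
 * added into one 16-bit result. */
static int16_t maddubs(uint8_t u0, int8_t s0, uint8_t u1, int8_t s1) {
    return (int16_t)((int)u0 * s0 + (int)u1 * s1);
}

/* Reduce a 16-bit value to {0,...,30}.  Written with '%' for readability;
 * a timing-protected implementation would use a constant-time reduction. */
static uint8_t red31(int16_t v) {
    int r = v % Q;
    return (uint8_t)(r < 0 ? r + Q : r);
}

/* Step 1: all monomials of x, each reduced to {0,...,30}: x_i, then x_i*x_j (i<=j). */
static void gen_monomials(const uint8_t x[N], uint8_t mon[NMON]) {
    size_t k = 0;
    for (size_t i = 0; i < N; i++) mon[k++] = x[i];
    for (size_t i = 0; i < N; i++)
        for (size_t j = i; j < N; j++)
            mon[k++] = (uint8_t)(((unsigned)x[i] * x[j]) % Q);
}

/* Step 2: y = F * mon.  F is column-major: coef[k*M + o] is the coefficient
 * of monomial k in output polynomial o.  Products are summed in int16_t and
 * reduced only every CHUNK monomials, which chunk_is_safe(CHUNK) shows
 * cannot wrap; the reduced partial sums are then combined mod 31. */
void mq_eval(const int8_t *coef, const uint8_t x[N], uint8_t y[M]) {
    uint8_t mon[NMON];
    int16_t acc[M];
    uint8_t total[M];
    gen_monomials(x, mon);
    memset(total, 0, sizeof total);
    for (size_t base = 0; base < NMON; base += CHUNK) {
        size_t end = base + CHUNK < NMON ? base + CHUNK : NMON;
        memset(acc, 0, sizeof acc);
        for (size_t k = base; k < end; k += 2)          /* two monomials per lane */
            for (size_t o = 0; o < M; o++)
                acc[o] = (int16_t)(acc[o] + maddubs(mon[k], coef[k * M + o],
                                                    mon[k + 1], coef[(k + 1) * M + o]));
        for (size_t o = 0; o < M; o++)
            total[o] = (uint8_t)((total[o] + red31(acc[o])) % Q);
    }
    memcpy(y, total, M);
}

/* Reference evaluation that reduces after every product; used to check mq_eval. */
void mq_eval_reference(const int8_t *coef, const uint8_t x[N], uint8_t y[M]) {
    uint8_t mon[NMON];
    gen_monomials(x, mon);
    for (size_t o = 0; o < M; o++) {
        long s = 0;
        for (size_t k = 0; k < NMON; k++)
            s = (s + (long)mon[k] * coef[k * M + o]) % Q;
        y[o] = (uint8_t)(s < 0 ? s + Q : s);
    }
}

/* Constructed sample system and input (not MQDSS key material): returns 1 if
 * the lazily reduced evaluation agrees with the reference on every output. */
int selftest_mq(void) {
    static int8_t coef[(size_t)NMON * M];
    uint8_t x[N], y1[M], y2[M];
    for (size_t i = 0; i < (size_t)NMON * M; i++)
        coef[i] = (int8_t)((int)((i * 7 + 3) % Q) - 15);   /* in {-15,...,15} */
    for (size_t i = 0; i < N; i++) x[i] = (uint8_t)((i * 5 + 2) % Q);
    mq_eval(coef, x, y1);
    mq_eval_reference(coef, x, y2);
    return memcmp(y1, y2, M) == 0;
}
```

The chunk length is the knob the paper is balancing: with 64 monomials per reduction the bound is 29760, while 71 monomials would already allow 33015 and an int16 lane could wrap silently, so `chunk_is_safe` is the check to keep next to any change of the register layout.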
Benchmark results. The MQDSS-31-64 implementation has been optimized for large Intel processors, supporting AVX2 instructions. Benchmarks were carried out on a single core of an Intel Core i7-4770K CPU, running at 3.5 GHz.
Signature and key sizes. The signature size of MQDSS-31-64 is considerably smaller than that of the 3-pass scheme. The obvious factor in this is the decreased ratio between the element size (which, in packed form, now requires \(64 \cdot 5 = 320\) bits each) and the number of rounds, resulting in a signature size of \(2 \cdot 256 + 269 \cdot (256 + (5 \cdot 3 \cdot 64)) = 327\,616\) bits, or 40 952 bytes (39.99 KB). The shape of the keys does not change compared to the 3-pass scheme, but since a vector of field elements now requires 320 bits, the public key is 72 bytes. The secret key remains 64 bytes.
Performance. As the \(\mathcal {MQ}\) function is the most costly part of the computation, parameters are chosen in such a way that its performance is maximized. The required number of multiplications and additions (expressed as functions of n and m) does not change dramatically compared to the 3-pass baseline^{4}, but the actual values n and m are only a quarter of what they were. As the relation between n and m and the number of multiplications is quadratic for the monomials and cubic for the system parameter masking, and we see only a linear increase in the number of registers needed to operate on, the entire sequence of multiplications and additions becomes much cheaper. This especially impacts operations that involve the accumulators. As the representation allows us to keep reductions out of this innermost repeated loop, we perform (only) \(\frac{67 \cdot 4}{2} + 4 = 136\) reductions^{5} throughout the main computation and 66 when preparing quadratic monomials. As we were able to arrange the registers in such a way that they do not need to rotate across multiple registers, we greatly reduce the number of rotations required compared to the 3-pass scenario. Furthermore, we note that we use a total of \(67 \cdot 16 \cdot 4 = 4288\) VPMADDUBSW instructions for the core computations.
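The packed vector format behind the \(64 \cdot 5 = 320\) bits quoted above, as an added example (not the paper's or the MQDSS implementation's own encoder; the bit order is an assumption made here, little-endian within the byte stream). Each element of \(\mathbb {F}_{31}\) occupies five bits, so 64 elements fill exactly 40 bytes, and the round trip check uses a constructed vector.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bytes needed for n elements of F_31 at 5 bits each: 64 elements -> 40 bytes. */
size_t packed_bytes(size_t n) {
    return (n * 5 + 7) / 8;
}

/* Pack n elements (each in 0..30) at 5 bits per element, least significant
 * bit first, element i occupying bits 5i..5i+4 of the output bit string. */
void pack_f31(const uint8_t *in, size_t n, uint8_t *out) {
    memset(out, 0, packed_bytes(n));
    for (size_t i = 0; i < n; i++) {
        size_t bit = i * 5, byte = bit / 8, shift = bit % 8;
        uint32_t v = (uint32_t)(in[i] & 0x1F) << shift;   /* at most 12 bits wide */
        out[byte] |= (uint8_t)(v & 0xFF);
        if (shift > 3) out[byte + 1] |= (uint8_t)(v >> 8); /* element straddles a byte */
    }
}

/* Inverse of pack_f31: recover n elements from the packed bytes. */
void unpack_f31(const uint8_t *in, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) {
        size_t bit = i * 5, byte = bit / 8, shift = bit % 8;
        uint32_t v = in[byte];
        if (shift > 3) v |= (uint32_t)in[byte + 1] << 8;
        out[i] = (uint8_t)((v >> shift) & 0x1F);
    }
}

/* Round trip on a constructed 64-element vector (not real key or signature
 * data); returns 1 if unpack(pack(v)) == v. */
int selftest_pack(void) {
    uint8_t v[64], packed[40], back[64];
    for (size_t i = 0; i < 64; i++) v[i] = (uint8_t)((i * 11 + 3) % 31);
    pack_f31(v, 64, packed);
    unpack_f31(packed, 64, back);
    return memcmp(v, back, 64) == 0;
}
```

A decoder that accepts this format should also reject any five-bit field equal to 31, which is not an element of \(\mathbb {F}_{31}\); `unpack_f31` above only extracts the bits and leaves that range check to the caller.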
For one iteration of the \(\mathcal {MQ}\) function F, we measure 6 616 cycles (\(\mathbf G \) is slightly less costly, at 6 396 cycles). We measure a total of 8 510 616 cycles for the complete signature generation. Key generation costs 1 826 612 cycles, and verification consumes 5 752 612 cycles. On the given platform, that translates to roughly 2.43 ms, 0.52 ms and 1.64 ms, respectively. Verification is expected to require on average \(\frac{3}{2}\) calls to an \(\mathcal {MQ}\) function per round, whereas signature generation always requires two. This explains the ratio; note that both signer and verifier incur additional costs besides the \(\mathcal {MQ}\) functions, e.g. for seed expansion.
In order to compare these results to the state of the art, we consider the performance figures reported in [12]. In particular, we examine the Rainbow(31, 24, 20, 20) instance, as the ‘public map’ in this scheme is effectively the \(\mathcal {MQ}\) function over \(\mathbb {F}_{31}\) with \(n = 64\), as used above. The number of equations differs (i.e. \(m = 40\) as opposed to \(m = 64\)), but this can be approximated by normalizing linearly. In [12], the authors report a time measurement of \(17.7\, \mu {}s\), which converts to 50 144 cycles on their 2.833 GHz Intel C2Q Q9550. After normalizing for m, this amounts to 80 230 cycles. Results from the eBACS benchmarking project further show that running the Rainbow verification function from [12] on a Haswell CPU requires approximately 46 520 cycles (and thus 74 432 after normalizing); verification is dominated by the public map. Using their (by now arguably outdated) SSE2-based code to evaluate a public map with \(m = 64\) consumes 60 968 cycles on our Intel Core i7-4770K. All of these results provide confidence in the fact that our implementation, which makes extensive use of AVX2 instructions, is performing in line with expectations.
Footnotes
1. Sakumoto et al. [48] also sketched a proof that their 5-pass protocol is an argument of knowledge when Com is computationally binding. Our security arguments rely on the weaker notion of soundness, therefore we include an appropriate proof.
2. Note that the concatenation of all \(\alpha _i\) was previously referred to as \(\mathsf {ch} _1\).
3. This follows from the fact that we combine 64 such monomials in two YMM registers.
4. A slight difference is introduced by cancellation of the monomials in the \(\mathbb {F}_2\) setting.
5. This follows from the fact that we need a total of \(\frac{64+64\cdot 65}{2 \cdot 32} = 67\) YMM registers worth of space to store the monomials and perform 4 reductions after accumulating 2 YMM monomials.
Acknowledgements
The authors would like to thank Marc Fischlin for helpful discussions, the anonymous reviewers for valuable comments, Wen-Ding Li for his contributions to the software, and Arno Mittelbach for the cryptocode package.
References
1. Akleylek, S., Bindel, N., Buchmann, J., Krämer, J., Marson, G.A.: An efficient lattice-based signature scheme with provably secure instantiation. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 44–60. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-31517-1_3
2. Alkim, E., Bindel, N., Buchmann, J., Dagdelen, O.: TESLA: tightly-secure efficient signatures from standard lattices. Cryptology ePrint Archive (2015)
3. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-04852-9_2
4. Bardet, M., Faugère, J., Salvy, B.: On the complexity of the F5 Gröbner basis algorithm. J. Symbolic Comput. 70, 49–70 (2015)
5. Bernstein, D.J., Chou, T., Chuengsatiansup, C., Hülsing, A., Lange, T., Niederhagen, R., van Vredendaal, C.: How to manipulate curve standards: a white paper for the black hat. Cryptology ePrint Archive (2014)
6. Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., Wilcox-O’Hearn, Z.: SPHINCS: Practical Stateless Hash-Based Signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_15
7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference (2011)
8. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak Code Package (2016)
9. Bettale, L., Faugère, J., Perret, L.: Solving polynomial systems over finite fields: improved analysis of the hybrid approach. In: ISSAC 2012, pp. 67–74. ACM (2012)
10. Bettale, L., Faugère, J.C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptology, pp. 177–197 (2009)
11. Cayrel, P.L., Véron, P., Yousfi Alaoui, S.M.: A zero-knowledge identification scheme based on the q-ary syndrome decoding problem. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 171–186. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19574-7_12
12. Chen, A.I.T., Chen, M.S., Chen, T.R., Cheng, C.M., Ding, J., Kuo, E.L.H., Lee, F.Y.S., Yang, B.Y.: SSE implementation of multivariate PKCs on modern x86 CPUs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 33–48. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04138-9_3
13. Chen, M.S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: From 5-pass MQ-based identification to MQ-based signatures. Cryptology ePrint Archive (2016)
14. Courtois, N., Goubin, L., Patarin, J.: SFLASH, a fast asymmetric signature scheme for low-cost smartcards: primitive specification and supporting documentation
15. Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). doi: 10.1007/3-540-45539-6_27
16. Courtois, N.T.: Efficient zero-knowledge authentication based on a linear algebra problem MinRank. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 402–421. Springer, Heidelberg (2001). doi: 10.1007/3-540-45682-1_24
17. Dagdelen, Ö., Bansarkhani, R., Göpfert, F., Güneysu, T., Oder, T., Pöppelmann, T., Sánchez, A.H., Schwabe, P.: High-speed signatures from standard lattices. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 84–103. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-16295-9_5
18. Diem, C.: The XL-algorithm and a conjecture from commutative algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323–337. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30539-2_23
19. Ding, J., Hu, L., Yang, B.Y., Chen, J.M.: Note on design criteria for rainbow-type multivariates. Cryptology ePrint Archive (2006)
20. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). doi: 10.1007/11496137_12
21. Dubois, V., Fouque, P.A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74143-5_1
22. Ducas, L.: Accelerating Bliss: the geometry of ternary polynomials. Cryptology ePrint Archive (2014)
23. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_3
24. Yousfi Alaoui, S.M., Dagdelen, Ö., Véron, P., Galindo, D., Cayrel, P.L.: Extended security arguments for signature schemes. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 19–34. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-31410-0_2
25. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 61–88 (1999)
26. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: ISSAC 2002, pp. 75–83. ACM (2002)
27. Faugère, J.C., Gligoroski, D., Perret, L., Samardjiska, S., Thomae, E.: A polynomial-time key-recovery attack on MQQ cryptosystems. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 150–174. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46447-2_7
28. Faugère, J.C., Levy-dit-Vehel, F., Perret, L.: Cryptanalysis of MinRank. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 280–296. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85174-5_16
29. Fusco, G., Bach, E.: Phase transition of multivariate polynomial systems. In: Cai, J.Y., Cooper, S.B., Zhu, H. (eds.) TAMC 2007. LNCS, vol. 4484, pp. 632–645. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-72504-6_58
30. Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman and Company, New York (1979)
31. Gligoroski, D., Ødegård, R.S., Jensen, R.E., Perret, L., Faugère, J.C., Knapskog, S.J., Markovski, S.: MQQ-SIG. In: Chen, L., Yung, M., Zhu, L. (eds.) INTRUST 2011. LNCS, vol. 7222, pp. 184–203. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32298-3_13
32. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
33. Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, Gauss, and Reload: a cache attack on the BLISS lattice-based signature scheme. Cryptology ePrint Archive (2016)
34. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: STOC 1996, pp. 212–219. ACM (1996)
35. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006). doi: 10.1007/11818175_3
36. IBM: IBM makes quantum computing available on IBM cloud to accelerate innovation (2016)
37. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_15
38. Gligoroski, D., Ødegård, R.S., Jensen, R.E., Perret, L., Faugère, J.C., Knapskog, S.J., Markovski, S.: MQQ-SIG. In: Chen, L., Yung, M., Zhu, L. (eds.) INTRUST 2011. LNCS, vol. 7222, pp. 184–203. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32298-3_13
39. McGrew, D., Kampanakis, P., Fluhrer, S., Gazdag, S.L., Butin, D., Buchmann, J.: State management for hash-based signatures. Cryptology ePrint Archive (2016)
40. NIST: Post-quantum cryptography: NIST’s plan for the future (2016)
41. NSA: NSA Suite B cryptography
42. Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996). doi: 10.1007/3-540-68339-9_4
43. Patarin, J.: The Oil and Vinegar signature scheme. In: Dagstuhl Workshop on Cryptography (1997)
44. Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001). doi: 10.1007/3-540-45353-9_21
45. Petzoldt, A., Chen, M.S., Yang, B.Y., Tao, C., Ding, J.: Design principles for HFEv- based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48797-6_14
46. Pointcheval, D., Poupard, G.: A new NP-complete problem and public-key identification. Des. Codes Crypt. 28(1), 5–31 (2003)
47. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). doi: 10.1007/3-540-68339-9_33
48. Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22792-9_40
49. Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). doi: 10.1007/3-540-48329-2_2
50. Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 46(6), 1757–1768 (1996)
51. Thomae, E.: About the Security of Multivariate Quadratic Public Key Schemes. Ph.D. thesis, Ruhr-University Bochum, Germany (2013)
52. Thomae, E., Wolf, C.: Cryptanalysis of Enhanced TTS, STS and All Its Variants, or: why cross-terms are important. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 188–202. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-31410-0_12
53. Tsujii, S., Gotaishi, M., Tadaki, K., Fujita, R.: Proposal of a signature scheme based on STS trapdoor. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 201–217. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-12929-2_15
54. Valiant, L.G.: The complexity of enumeration and reliability problems. SIAM J. Comput. 8(3), 410–421 (1979)
55. Weiden, P., Hülsing, A., Cabarcas, D., Buchmann, J.: Instantiating treeless signature schemes. Cryptology ePrint Archive (2013)
56. Yang, B.Y., Chen, J.M.: All in the XL Family: theory and practice. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67–86. Springer, Heidelberg (2005). doi: 10.1007/11496618_7
57. Yang, B.Y., Chen, J.M.: Building secure Tame-like multivariate public-key cryptosystems: the new TTS. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 518–531. Springer, Heidelberg (2005). doi: 10.1007/11506157_43
58. Yang, B.Y., Chen, J.M., Chen, Y.H.: TTS: high-speed signatures on a low-cost smart card. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 371–385. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-28632-5_27
59. Yeh, J.Y.C., Cheng, C.M., Yang, B.Y.: Operating degrees for XL vs. F\(_4\)/F\(_5\) for generic \(\mathcal {MQ}\) with number of equations linear in that of variables. In: Fischlin, M., Katzenbeisser, S. (eds.) Number Theory and Cryptography. LNCS, vol. 8260, pp. 19–33. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-42001-6_3