Recent Developments in Multivariate Public Key Cryptosystems

Abstract

The multivariate signature schemes UOV, Rainbow, and HFEv- have been considered to be secure and efficient enough under suitable parameter selections. In fact, several second round candidates of NIST’s standardization project of Post-Quantum Cryptography are based on these schemes. On the other hand, there are few multivariate encryption schemes expected to be practical and despite that, various new schemes have been proposed recently. In the present paper, we summarize multivariate schemes UOV, Rainbow, and (variants of) HFE generating the second round candidates and study the practicalities of several multivariate encryption schemes proposed recently.

1 Introduction

In 2016, NIST launched the standardization project of Post-Quantum Cryptography (NIST 2020). A lot of schemes were submitted to the first round of its project and 26 of them were chosen as the second round candidates in 2019 (NIST 2020). LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020) and GeMSS (Casanova et al. 2020) are multivariate signature schemes in the second round. These schemes are based on UOV (Patarin 1997; Kipnis et al. 1999), Rainbow (Ding et al. 2005), and HFEv- (Patarin et al. 2001), respectively, which were proposed before or around 2000 and have been still considered to be secure and efficient enough under suitable parameter selections. On the other hand, there are few practical multivariate encryption schemes and despite that, various new schemes have been proposed in this decade.

The aim of this paper is to describe recent developments of multivariate public key cryptosystems, not yet presented in the previous paper (Hashimoto 2017). We first summarize in Sect. 2 the schemes UOV (Patarin 1997; Kipnis et al. 1999), Rainbow (Ding et al. 2005), and (variants of) HFE (Patarin 1996) with short surveys on the second round candidates LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020), and GeMSS (Casanova et al. 2020). Besides, we study in Sect. 3 the encryption schemes HFERP (Ikematsu et al. 2018), ZHFE (Porras et al. 2020), EFC (Szepieniec et al. 2016), and ABC (Tao et al. 2013) proposed recently, and show that the practicalities of these schemes are not much higher than the HFE variants for encryption, which are already known to be not too practical. Remark that MQDSS (Chen et al. 2016, 2020) is also a second round candidate and has been considered as a multivariate signature scheme since a set of randomly chosen multivariate quadratic forms is used in key generation, signature generation, and signature verification. However, it is based on Fiat–Shamir’s transform of the 5-pass identification scheme (Sakumoto et al. 2011) and is far from other multivariate schemes. We then avoid to study MQDSS in this paper.

2 UOV, Rainbow, and Variants of HFE

In this section, we describe UOV (Patarin 1997; Kipnis et al. 1999), Rainbow (Ding et al. 2005), and variants of HFE (Patarin 1996) and give short surveys on the second round candidates LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020), and GeMSS (Casanova et al. 2020) of NIST’s project (NIST 2020). We first propose the basic constructions of multivariate public key cryptosystems (MPKCS).

2.1 Basic Constructions of Multivariate Public Key Cryptosystems

Let \(n,m\ge 1\) be integers, q a power of prime, and \(\mathbf {F}_q\) a finite field of order q. Most MPKCs are described as follows.

Secret key. Two invertible affine maps \(S:\mathbf {F}_q^{n} \rightarrow \mathbf {F}_q^{n}\), \(T:\mathbf {F}_q^{m}\rightarrow \mathbf {F}_q^{m}\) and a quadratic map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) to be inverted feasibly.

Public key. The quadratic map \(F:=T\circ G\circ S:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Encryption scheme.

Encryption. For a plaintext \(\mathbf {p}\in \mathbf {F}_q^{n}\), the ciphertext is \(\mathbf {c}=F(\mathbf {p})\in \mathbf {F}_q^{m}\).

Decryption. For a given ciphertext \(\mathbf {c}\in \mathbf {F}_q^{m}\), compute \(\mathbf {z}:=T^{-1}(\mathbf {c})\) and find \(\mathbf {y}\in \mathbf {F}_q^{n}\) with \(G(\mathbf {y})=\mathbf {z}\). Then the plaintext is \(\mathbf {p}=S^{-1}(\mathbf {y})\).

Signature scheme.

Signature generation. For a message \(\mathbf {m}\in \mathbf {F}_q^{m}\), compute \(\mathbf {z}:=T^{-1}(\mathbf {m})\) and find \(\mathbf {y}\in \mathbf {F}_q^{n}\) with \(G(\mathbf {y})=\mathbf {z}\). Then the signature is \(\mathbf {s}=S^{-1}(\mathbf {y})\).

Signature verification. The signature \(\mathbf {s}\in \mathbf {F}_q^{n}\) is verified by \(\mathbf {m}=F(\mathbf {s})\).

Efficiency. The encryption and signature verification are done by substituting \(\mathbf {p},\mathbf {s}\in \mathbf {F}_q^{n}\) into m quadratic forms of n variables. Their complexities are then \(O(n^{2}m)\) for most MPKCs under naive implementations. Furthermore, it is known (Hashimoto 2017) that the complexities of encrypting n plaintexts and of verifying n signatures simultaneously are \(O(n^{w}m)\), where \(2\le w<3\) is a linear algebra constant. The complexities of decryption and signature generation depend mainly on how to invert G. We will discuss them in the individual schemes.

Security. There are two types of attacks on MPKCs. One is the direct attack to recover the plaintext \(\mathbf {p}\) of a given ciphertext \(\mathbf {c}\) directly by solving a system of m quadratic equations \(F(\mathbf {x})=(f_{1}(\mathbf {x}),\dots ,f_{m}(\mathbf {x}))=\mathbf {c}\) of n variables. The Gröbner basis attack is considered to be the most standard approach, and its complexity depends on the degree \(d_{\mathrm {reg}}\) of regularity of the corresponding polynomial system \(F(\mathbf {x})-\mathbf {c}\). In general, \(d_{\mathrm {reg}}\) is known to be smaller when the system is more over-defined (\(m\gg n\)) (Bardet et al. 2005). Furthermore, if q is small, the attacker will solve more efficiently by combining with the exhaustive search, which is called a hybrid method (Bettale et al. 2012). We also note that, if the system is massively under-defined (\(n\gg m\)), the attacker can find (at least) one of the solutions more effectively than the case of \(n\sim m\) (Kipnis et al. 1999; Miura et al. 2013; Tomae and Wolf 2012; Cheng et al. 2014).

The other type is to recover partial information of the secret key (S, T) which is enough to invert F. In most known key recovery attacks on MPKCs, the attacker uses the property of the coefficient matrices of quadratic forms in G. Let \(G_{1},\dots ,G_{m},F_{1},\dots ,F_{m}\) be the coefficient matrices of \(g_{1}(\mathbf {x}),\dots ,g_{m}(x),f_{1}(\mathbf {x}),\dots ,f_{m}(\mathbf {x})\), respectively, i.e., \(g_{l}(\mathbf {x})={}^{t}\!\mathbf {x}G_{l}\mathbf {x}+(\text {linear form})\) and \(f_{l}(\mathbf {x})={}^{t}\!\mathbf {x}F_{l}\mathbf {x}+(\text {linear form})\) for \(1\le l\le m\). Since \(F(\mathbf {x})=T(G(S(\mathbf {x})))\), it holds

$$\begin{aligned} \begin{pmatrix}F_1 \\ \vdots \\ F_m\end{pmatrix} =T \begin{pmatrix} {}^{t}\!SG_1S \\ \vdots \\ {}^{t}\!SG_mS \end{pmatrix}. \end{aligned}$$

(1)

This shows that, if \(G_{1},\dots ,G_{m}\) have special properties, partial information S, T will be recovered by the public information \(F_{1},\dots ,F_{m}\). How to recover and the complexity of the attack depend on \(G_{1},\dots ,G_{m}\), and then we discuss them in the individual schemes.

2.2 UOV

Let \(o,v\ge 1\) be integers and put \(n:=o+v\), \(m:=o\). The quadratic map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) is defined by

$$\begin{aligned} \begin{aligned} g_j(\mathbf {x})&= \sum _{1\le i\le o} x_i \cdot \text {(linear form of }x_{o+1},\dots ,x_{n})\\&+\text {(quadratic form of }x_{o+1},\dots ,x_{n}), \end{aligned} \end{aligned}$$

(2)

for \(1\le j\le o\). UOV (Unbalanced Oil and Vinegar signature scheme, Patarin (1997), Kipnis et al. (1999) is constructed as follows.

Secret key. An invertible affine map \(S:\mathbf {F}_q^{n} \rightarrow \mathbf {F}_q^{n}\) and the quadratic map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) defined above.

Public key. The quadratic map \(F:= G\circ S:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Signature generation. For a message \(\mathbf {m}=(m_{1},\dots ,m_{o})\in \mathbf {F}_q^{m}\), choose \(u_{1},\dots ,u_{v}\in \mathbf {F}_q\) randomly and find \(y_1,\dots ,y_o\in \mathbf {F}_q\) such that

$$\begin{aligned} g_1(y_1,\dots ,y_o,u_1,\dots ,u_v)=m_1, \quad \dots \quad , \quad g_o(y_1,\dots ,y_o,u_1,\dots ,u_v)=m_o. \end{aligned}$$

(3)

The signature is \(\mathbf {s}=S^{-1}(y_{1},\dots ,y_{o},u_{1},\dots ,u_{v})\).

Signature verification. The signature \(\mathbf {s}\in \mathbf {F}_q^{n}\) is verified by \(\mathbf {m}=F(\mathbf {s})\).

Complexity of signature generation. Since (3) is a system of o linear equations of o variables, we see that the complexity of signature generation of UOV is \(O(n^{3})\).

Security. The most important attack on UOV is Kipnis–Shamir’s attack (Kipnis and Shamir 1998; Kipnis et al. 1999), which recovers an affine map \(S'\) such that \(SS'=\left( \begin{array}{ll} *_{o} &{} * \\ 0 &{} *_{v} \end{array}\right) \) by using the fact that \(G_{1},\dots ,G_{m}\) are matrices having the forms of \(\left( \begin{array}{ll} 0_{o} &{} * \\ * &{} *_{v} \end{array}\right) \). Its complexity is known to be \(O(q^{\max {(v-o,0)}}\cdot n^{4})\) (Kipnis et al. 1999), and then the parameter v must be sufficiently larger than o, namely n must be sufficiently larger than 2m. This causes two inconveniences on UOV; one is that the sizes of keys are relatively large, and the other is that the approaches in Tomae and Wolf (2012), Cheng et al. (2014) weakens the security against the direct attacks a little. The later is easily covered by taking (n, m) a little larger. For the former, several approaches have been given until now. However, since some of key reduction approaches yield critical vulnerabilities (e.g., Peng and Tang 2018; Hashimoto 2019), the security of such UOVs must be studied quite carefully.

LUOV. LUOV (Beullens et al. 2020) is a signature scheme based on UOV and is a second round candidate of NIST’s project. It is constructed over a finite field of even characteristic field and the components and coefficients in S, G, F are elements of \(\mathbf{F}_{2}\). The size of keys is smaller and the security against the direct attack is not too less than the original UOV. Remark that the security against Kipnis–Shamir’s attack is \(O(2^{v-o}\cdot n^{4})\) and a new attack on LUOV was quite recently proposed in Ding et al. (2013). Then the parameters o, v should be taken larger than the original version. See Beullens et al. (2020) for the latest version.

2.3 Rainbow

Rainbow (Ding et al. 2005) is a multi-layer version of UOV. We now describe the two-layer version. Let \(o_{1},o_{2},v\ge 1\) be integers and put \(n=o_{1}+o_{2}+v\), \(m=o_{1}+o_{2}\). Define the quadratic map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) by

$$\begin{aligned} \begin{aligned} g_1(\mathbf {x}),\dots ,g_{o_1}(\mathbf {x})&= \sum _{1\le i\le o_1}x_i \cdot (\text {linear form of }x_{o_1+1},\dots ,x_n)\\&+(\text {quadratic form of } x_{o_1+1},\dots ,x_n),\\ g_{o_1+1}(\mathbf {x}),\dots ,g_{m}(\mathbf {x})&= \sum _{o_1+1\le i\le m}x_i \cdot (\text {linear form of }x_{m+1},\dots ,x_n)\\&+(\text {quadratic form of }x_{m+1},\dots ,x_n), \end{aligned} \end{aligned}$$

(4)

Rainbow is constructed as follows.

Secret key. Two invertible affine maps \(S:\mathbf {F}_q^{n} \rightarrow \mathbf {F}_q^{n}\), \(T:\mathbf {F}_q^{m} \rightarrow \mathbf {F}_q^{m}\) and the quadratic map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) defined above.

Public key. The quadratic map \(F:=T\circ G\circ S:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Signature generation. For a message \(\mathbf {m}\in \mathbf {F}_q^{m}\) to be signed, compute \(\mathbf {z}={}^{t}\!(z_{1},\dots ,z_{m})\) \(:=T^{-1}(\mathbf {m})\) and choose \(u_{1},\dots ,u_{v}\in \mathbf {F}_q\) randomly. Find \(y_{o_{1}+1},\dots ,y_{m}\in \mathbf {F}_q\) such that

$$\begin{aligned} g_{o_{1}+1}(y_1,\dots ,y_{m},u_1,\dots ,u_v)=z_{o_{1}+1}, \quad \dots , \quad g_m(y_1,\dots ,y_{m},u_1,\dots ,u_v)=z_m. \end{aligned}$$

(5)

After that, find \(y_{1},\dots ,y_{o_{1}}\in \mathbf {F}_q\) such that

$$\begin{aligned} g_{1}(y_1,\dots ,y_{m},u_1,\dots ,u_v)=z_{1}, \quad \dots , \quad g_{o_{1}}(y_1,\dots ,y_{m},u_1,\dots ,u_v)=z_{o_{1}}. \end{aligned}$$

(6)

The signature is \(\mathbf {s}=S^{-1}(y_{1},\dots ,y_{m},u_{1},\dots ,u_{v})\).

Signature verification. The signature \(\mathbf {s}\in \mathbf {F}_q^{n}\) is verified by \(\mathbf {m}=F(\mathbf {s})\).

Complexity of signature generation. Since (5) is a system of \(o_{2}\) linear equations of \(o_{2}\) variables and (6) is a system of \(o_{1}\) linear equations of \(o_{1}\) variables, we see that the complexity of signature generation is \(O(n^{3})\).

Security. Kipnis–Shamir’s attack and rank attacks are major attacks on Rainbow. Since \(G_{1},\dots ,G_{o_{1}}=\left( \begin{array}{ll} 0_{o_{1}} &{} * \\ * &{} *_{o_{2}+v} \end{array}\right) \) and \(G_{o_{1}+1},\dots ,G_{m}= \left( \begin{array}{lll} 0_{o_{1}} &{} 0 &{} 0 \\ 0 &{} 0_{o_{2}} &{} * \\ 0 &{} * &{} *_{v} \end{array}\right) \), the complexity of Kipnis–Shamir’s attack (Kipnis and Shamir 1998; Kipnis et al. 1999) on Rainbow is \(O(q^{\max (o_{2}+v-o_{1},0)}\cdot n^{4})\). Furthermore, by checking the ranks of \(G_{1},\dots ,G_{m}\), we see that the complexities of min-rank attack and high-rank attack are \(O(q^{o_{2}+v}\cdot n^{4})\) and \(O(q^{o_{1}}\cdot n^{4})\), respectively (Yang and Chen 2005). Note that there have been several approaches to improve the efficiency of Rainbow. However, some of improvements are known to be insecure (e.g., Peng and Tang 2018; Hashimoto 2019; Shim et al. 2017; Hashimoto et al. 2018) and then the security of such efficient Rainbows must be studied carefully.

Rainbow on NIST’s project. Rainbow (Ding et al. 2020) in the second round of NIST’s project includes three versions; the standard Rainbow, the cyclic Rainbow, and the compressed Rainbow. The public keys and the numbers of arithmetics for signature verification for the later two Rainbows are smaller than the standard Rainbow. However, it is reported (Ding et al. 2020) that the verifications of the latter two versions are slower than the standard version. We consider that it is because the algorithms for verifications of the latter two versions are more complicated than the naive algorithm for the standard Rainbow. Better implementations are required for these arranged versions.

2.4 HFE

Let \(n,m,d\ge 1\) be integers with \(n=m\), \(d<n\). Define \(\mathscr {G}:\mathbf {F}_{q^{n}}\rightarrow \mathbf {F}_{q^{n}}\) by

$$\begin{aligned} \mathscr {G}(X):&= \sum _{\begin{subarray}{c}0\le i\le j\le d\end{subarray}}\alpha _{ij}X^{q^{i}+q^{j}} +\sum _{\begin{subarray}{c}0\le i\le d \end{subarray}}\beta _iX^{q^i}+\gamma , \end{aligned}$$

where \(\alpha _{ij},\beta _i,\gamma \in \mathbf {F}_{q^{n}}\) and \(G:\mathbf {F}_q^{n} \rightarrow \mathbf {F}_q^{n}\) by \(G:=\phi ^{-1}\circ \mathscr {G}\circ \phi \) where \(\phi :\mathbf {F}_q^n\rightarrow \mathbf {F}_{q^{n}}\) is an \(\mathbf {F}_q\)-isomorphism. HFE (Patarin 1996) is constructed as follows.

Secret key. Two invertible affine maps \(S,T:\mathbf {F}_q^n\rightarrow \mathbf {F}_q^n\) and \(\mathscr {G}:\mathbf {F}_{q^{n}}\rightarrow \mathbf {F}_{q^{n}}\) defined above.

Public key. The quadratic map \(F:=T\circ G\circ S=T\circ \phi ^{-1}\circ \mathscr {G}\circ \phi \circ S:\mathbf {F}_q^n\rightarrow \mathbf {F}_q^n\).

Encryption. For a plaintext \(\mathbf{p}\in \mathbf {F}_q^n\), the ciphertext is \(\mathbf{c}:=F(\mathbf{p})\in \mathbf {F}_q^n\).

Decryption. For a given ciphertext \(\mathbf{c}\), compute \(\mathbf{z}:=T^{-1}(\mathbf{c})\) and put \(Z:=\phi (\mathbf{z})\). Find \(Y\in \mathbf {F}_{q^{n}}\) with \(\mathscr {G}(Y)=Z\) and put \(\mathbf{y}:=\phi ^{-1}(Y)\). The plaintext is \(\mathbf{p}=S^{-1}(\mathbf{z})\).

Complexity of decryption. Since \(\mathscr {G}(Y)=Z\) is a univariate polynomial equation of degree at most \(2q^{d}\) over \(\mathbf {F}_{q^{n}}\), the complexity of finding Y is

$$O((\deg {\mathscr {G}(X)})^3+n(\deg {\mathscr {G}(X)})^2\log {q})= O(q^{3d}+nq^{2d}\log {q})$$

by the Berlekamp algorithm (Berlekamp 1967, 1970). Then the parameter d should be \(d=O(\log _{q}n)\).

Security. Let \(\{\theta _1,\dots ,\theta _n\}\) be a basis of \(\mathbf {F}_{q^{n}}\) over \(\mathbf {F}_q\) and \(\varTheta :=\left( \theta _j^{q^{i-1}}\right) _{1\le i,j\le n}\). It is easy to see that \(\varTheta \mathbf {x}={}^{t}\!(\phi (\mathbf {x}),\phi (\mathbf {x})^{q},\dots , \phi (\mathbf {x})^{q^{n-1}}) :={}^{t}\!(X,X^{q},\dots ,X^{q^{n-1}})\). Since \(F=(T\circ \phi ^{-1})\circ \mathscr {G}\circ (\phi \circ S)\), we have

$$\begin{aligned} \begin{pmatrix} F_1 \\ \vdots \\ F_n \end{pmatrix} =(T\cdot \varTheta ^{-1}) \begin{pmatrix} {}^{t}\!(\varTheta S) \mathscr {G}^{(0)} (\varTheta S) \\ \vdots \\ {}^{t}\!(\varTheta S) \mathscr {G}^{(n-1)} (\varTheta S) \end{pmatrix}, \end{aligned}$$

(7)

where \(\bar{X}:=\varTheta \mathbf {x}\) and \(\mathscr {G}^{(i)}\) is an \(n\times n\) matrix over \(\mathbf {F}_{q^{n}}\) such that \(\mathscr {G}(X)^{q^i}={}^{t}\!\bar{X}\mathscr {G}^{(i)}\bar{X}+(\text {linear form of }\bar{X})\). This means that there exist \(a_1,\dots ,a_n\in \mathbf {F}_{q^{n}}\) such that

$$\begin{aligned} a_1F_1+\cdots +a_nF_n={}^{t}\!(\varTheta S)\mathscr {G}^{(0)}(\varTheta S) ={}^{t}\!(\varTheta S)\begin{pmatrix}*_{d+1} &{} \\ &{} 0_{n-d-1} \end{pmatrix}(\varTheta S), \end{aligned}$$

(8)

and then \(\mathrm {rank}{\left( a_1F_1+\cdots +a_nF_n\right) }\le d+1.\) The min-rank attack (Kipnis and Shamir 1999; Bettale et al. 2013) is an attack to recover such \((a_{1},\dots ,a_{n})\) and its complexity is estimated by \(O(\left( {\begin{array}{c}n+d+2\\ d+2\end{array}}\right) ^w)=O(n^{(d+2)w})\) under the assumption that a variant of Fröberg conjecture holds, where \(2\le w\le 3\) is a linear algebra constant. It is not difficult to check that the tuple \((a_1,\dots ,a_n)\) gives partial information of \(T\varTheta ^{-1}\) and, once such a tuple is recovered, the attacker can recover partial information of \(\varTheta S\), which is enough to decrypt arbitrary ciphertexts by elementary linear algebraic approaches. Since \(d=O(\log _{q}n)\), the security of HFE is \(n^{O(\log _{q}n)}\). Then the original HFE has been considered to be impractical. We also note that the security against Gröbner basis attack has been studied well (see e.g., Faugère 2003; Granboulan et al. 2020; Dubois and Gamma 2020; Ding et al. 2011; Huang et al. 2018). It is known that the rank condition (8) gives an upper bound of the degree \(d_{\mathrm {reg}}\) of regularity of the polynomial system \(F(\mathbf {x})=\mathbf {c}\), in fact, \(d_{\mathrm {reg}}\le \frac{1}{2}(q-1)(d+2)\) holds for HFE (Ding et al. 2011).

2.5 Variants of HFE

There have been various variants of HFE. In this subsection, we describe four major variants “plus (+)”, “minus (–)”, “vinegar (v)”, and “projection (p)”.

Plus (+). The “plus (+)” is a variant to add several polynomials on G. Let \(r_{+}\ge 1\) be an integer and \(h_1(\mathbf {x}),\dots ,h_{r_{+}}(\mathbf {x})\) random quadratic forms of \(\mathbf {x}\). For the map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) of the original scheme, define \(G_{+}:\mathbf {F}_q^n\rightarrow \mathbf {F}_q^{m+r_{+}}\) by \(G_{+}(\mathbf {x}):={}^{t}\!(g_1(\mathbf {x}),\dots ,g_{m}(\mathbf {x}),h_1(\mathbf {x}),\dots ,h_{r_{+}}(\mathbf {x}))\). The public key \(F_{+}: \mathbf {F}_q^n\rightarrow \mathbf {F}_q^{m+r_{+}}\) of the plus is \(F_{+}:=T_{+}\circ G_{+}\circ S\) where \(T_{+}:\mathbf {F}_q^{m+r_{+}}\rightarrow \mathbf {F}_q^{m+r_{+}}\) is an invertible affine map. It is mainly used for encryption when \(m\ge n\). The decryption is as follows.

Decryption. For the ciphertext \(\mathbf{c}\in \mathbf {F}_q^{m+r_{+}}\), compute \(\mathbf{z}=(z_1,\dots ,z_{m+r_{+}}):=T_{+}^{-1}(\mathbf{c}).\) Find \(\mathbf{y}\in \mathbf {F}_q^n\) with \(G(\mathbf{y})={}^{t}\!(z_1,\dots ,z_{m})\) and verify whether \({}^{t}\!(h_1(\mathbf{y}),\dots ,h_{u_+}(\mathbf{y}))={}^{t}\!(z_{m+1},\dots ,z_{m+r_{+}}).\) If it holds, the plaintext is \(\mathbf{p}=S^{-1}(\mathbf{y})\). If not, try it again by another \(\mathbf {y}\).

Complexity of decryption. If \(m\ge n\), the number of \(\mathbf {y}\) with \(G(\mathbf {y})=\mathbf {z}\) is (probably) small. Then the complexity of decryption of “plus” is not much larger than the original scheme.

Security. It is easy to see that an equation similar to (8) holds for the “plus” of HFE. Then the complexity of the min-rank attack on HFE+ is similar to the original HFE.

Minus (–). The “minus (–)” is to reduce several polynomials in F. Let \(r_{-}\ge 1\) be an integer. For the public key \(F:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) of the original scheme, the public key \(F_{-}:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m-r_{-}}\) of the minus is generated by \(F_{-}(x)={}^{t}\!(f_1(x),\dots ,f_{m-r_{-}}(x))\). It is mainly used for the signature scheme when \(n\ge m\). The signature generation is as follows.

Signature generation. For a message \(\mathbf {m}={}^{t}\!(m_1,\dots ,m_{m-r_{-}})\in \mathbf {F}_q^{m-r_{-}}\) to be signed, choose \(u_1,\dots ,u_{r_{-}}\in \mathbf {F}_q\) randomly and let \({\bar{\mathbf {m}}}:={}^{t}\!(m_1,\dots ,m_{m-r_{-}},u_1,\dots ,u_{r_{-}})\). Find \(\mathbf {s}\in \mathbf {F}_q^{n}\) with \(F(\mathbf {s})={\bar{\mathbf {m}}}\). If there exists such an \(\mathbf {s}\), the signature is \(\mathbf {s}\). If not, change \(u_{1},\dots ,u_{r_{-}}\) and repeat until such an \(\mathbf {s}\) appears.

Complexities of signature generation. When \(n\ge m\), the probability that \(\mathbf {s}\) does not exist is considered to be not large. Then the complexity of the signature generation of the “minus” is not much larger than the original scheme.

Security. For the minus, it is easy to see that there exists an \((n-r_{-})\times n\) matrix \(T_{-}\) such that

$$\begin{aligned} \begin{pmatrix} F_1 \\ \vdots \\ F_{n-r_{-}} \end{pmatrix} =(T_{-}\cdot \varTheta ^{-1}) \begin{pmatrix} {}^{t}\!(\varTheta S) \mathscr {G}^{(0)} (\varTheta S) \\ \vdots \\ {}^{t}\!(\varTheta S) \mathscr {G}^{(n-1)} (\varTheta S) \end{pmatrix}. \end{aligned}$$

(9)

Then one can eliminate the contributions of \(n-r_{-}-1\) matrices in the right hand side by taking a linear combination of \(F_{1},\dots ,F_{n-r_{-}}\), namely there exist \(a_1,\dots ,a_{n-r_{-}},\) \(b_{0},\dots ,b_{r_{-}}\in \mathbf {F}_{q^{n}}\) such that

$$\begin{aligned} a_1F_1+\cdots +a_{n-r_{-}}F_{n-r_{-}}&= b_0{}^{t}\!(\varTheta S)\mathscr {G}^{(0)}(\varTheta S)+\cdots +b_{r_{-}}{}^{t}\!(\varTheta S)\mathscr {G}^{(r_{-})}(\varTheta S)\\&= {}^{t}\!(\varTheta S) \left( \begin{array}{cc} *_{d+r_{-}+1} &{} \\ &{} 0_{n-d-r_{-}-1} \end{array}\right) (\varTheta S). \end{aligned}$$

The min-rank attack is thus available on HFE- and its complexity can be estimated by \(O(\left( {\begin{array}{c}n+d+r_{-}+2\\ d+r_{-}+2\end{array}}\right) ^w)=O(n^{(d+r_{-}+2)w}).\) This means that the “minus” enhances the security of HFE (see also Vates and Smith-Tone 2017).

Vinegar (v). The “vinegar (v)” is to add several variables on G. Let \(r_{\mathrm{v}}\ge 1\) be an integer. For the map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) of the original scheme, define \(G_\mathrm{v}:\mathbf {F}_q^{n+r_{\mathrm{v}}}\rightarrow \mathbf {F}_q^{m}\) such that \(G_\mathrm{v}(x_{1},\dots ,x_{n},u_{1},\dots ,u_{r_{\mathrm{v}}})\) is inverted similarly to \(G(\mathbf {x})\) for any (or most) \(u_{1},\dots ,u_{r_{\mathrm{v}}}\in \mathbf {F}_q\). For example, the map \(G_\mathrm{v}\) of HFEv is given by \(G_\mathrm{v}:=\phi _{-1}\circ \mathscr {G}_\mathrm{v} \circ \phi _\mathrm{v}\), where \(\phi _\mathrm{v}:\mathbf {F}_q^{n+r_{\mathrm{v}}}\rightarrow \mathbf {F}_{q^{n}}\times \mathbf {F}_q^{r_{\mathrm{v}}}\) is an \(\mathbf {F}_q\)-isomorphism and \(\mathscr {G}_\mathrm{v}:\mathbf {F}_{q^{n}}\times \mathbf {F}_q^{r_{\mathrm{v}}}\rightarrow \mathbf {F}_{q^{n}}\) is the following polynomial map.

$$\begin{aligned} \mathscr {G}_\mathrm{v}(X,x_{n+1},\dots ,x_{n+r_{\mathrm{v}}})&= \sum _{0\le i,j\le d}\alpha _{ij}X^{q^{i}+q^{j}} +\sum _{0\le i\le d}X^{q^{i}}\cdot (\text {linear form of} x_{n+1},\dots ,x_{n+r_{\mathrm{v}}})\\&+(\text {quadratic form of }x_{n+1},\dots ,x_{n+r_{\mathrm{v}}}). \end{aligned}$$

The public key \(F_{\mathrm{v}}:\mathbf {F}_q^{n+r_{\mathrm{v}}}\rightarrow \mathbf {F}_q^{n}\) of the vinegar is \(F_{\mathrm{v}}:=T\circ G_{\mathrm{v}}\circ S_{\mathrm{v}}\) where \(S_{\mathrm{v}}:\mathbf {F}_q^{n+r_{\mathrm{v}}}\rightarrow \mathbf {F}_q^{n+r_{\mathrm{v}}}\) is an invertible affine map. It is mainly used for signature when \(n\ge m\). The signature generation is as follows.

Signature generation. For a message \(\mathbf {m}\in \mathbf {F}_q^{m}\) to be signed, compute \(\mathbf {z}:=T^{-1}(\mathbf {m})\). Choose \(u_{1},\dots ,u_{r_{\mathrm{v}}}\in \mathbf {F}_q\) randomly, and find \(\mathbf {y}\in \mathbf {F}_q^{n}\) with \(G_{\mathrm{v}}(\mathbf {y},u_{1},\dots ,u_{r_{\mathrm{v}}})=\mathbf {z}\). If such an \(\mathbf {y}\) does not exist, change \(u_{1},\dots ,u_{r_{\mathrm{v}}}\) and try again. The signature is \(\mathbf {s}=S_{\mathrm{v}}^{-1}(\mathbf {y},u_{1},\dots ,u_{r_{\mathrm{v}}})\).

Complexity of signature generation. Since \(\mathbf {y}\) is found similarly to the original scheme, the complexity of finding \(\mathbf {y}\) is almost the same as the original scheme. If \(n\ge m\), the probability that \(\mathbf {y}\) does not exist is considered to be not too large. Then the complexity of the “vinegar” is not too larger than the original scheme.

Security. For HFEv, we see that \(\mathscr {G}_{\mathrm{v}}(X,x_{n+1},\dots ,x_{n+r_{\mathrm{v}}})={}^{t}\!{\bar{X}}_{\mathrm{v}} {\left( \begin{array}{ll|l} *_{d+1} &{} &{} * \\ &{} 0_{n-d-1} &{} \\ \hline * &{} &{} *_{r_{\mathrm{v}}}\end{array}\right) } {\bar{X}}_{\mathrm{v}}+\text {(linear form of }{\bar{X}}_{\mathrm{v}})\), where \({\bar{X}}_{\mathrm{v}}={}^{t}\!(X,\dots ,X^{q^{n-1}},x_{n+1},\dots ,x_{n+r_{\mathrm{v}}})\). Then there exist \(a_{1},\dots ,a_{n}\in \mathbf {F}_{q^{n}}\) such that

$$\begin{aligned} a_1F_1+\cdots +a_{n}F_{n}&= {}^{t}\!\left( \begin{pmatrix}\varTheta &{} \\ &{} I_{r_{\mathrm{v}}}\end{pmatrix} S_{\mathrm{v}}\right) \left( \begin{array}{ll|l} *_{d+1} &{} &{} * \\ &{} 0_{n-d-1} &{} \\ \hline * &{} &{} *_{r_{\mathrm{v}}}\end{array}\right) \left( \begin{pmatrix}\varTheta &{} \\ &{} I_{r_{\mathrm{v}}}\end{pmatrix} S_{\mathrm{v}}\right) . \end{aligned}$$

Since the rank of the matrix in the right hand side above is at most \(d+r_{\mathrm{v}}+1\), the security of HFEv against the min-rank attack is estimated by \(O(\left( {\begin{array}{c}n+d+r_{\mathrm{v}}+2\\ d+r_{-}+2\end{array}}\right) ^w)=O(n^{(d+r_{\mathrm{v}}+2)w}).\)

Projection (p). The “projection” is to reduce several variables of the polynomials in F. Let \(r_{\mathrm{p}}\ge 1\) be an integer and \(u_1,\dots ,u_{r_{\mathrm{p}}}\in \mathbf {F}_q\). For the public key \(F:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) of the original scheme, the public key \(F_{\mathrm{p}}:\mathbf {F}_q^{n-r_{\mathrm{p}}}\rightarrow \mathbf {F}_q^{m}\) of the projection is generated by \(F_{\mathrm{p}}(x_1,\dots ,x_{n-r_{\mathrm{p}}}):=F(x_1,\dots ,x_{n-r_{\mathrm{p}}},u_1,\dots ,u_{r_{\mathrm{p}}})\). It is mainly used for encryption when \(m\ge n\). The decryption is as follows.

Decryption. For the ciphertext \(\mathbf {c}\in \mathbf {F}_q^{m}\), find \(\mathbf {p}\in \mathbf {F}_q^n\) with \(F(\mathbf {p})=\mathbf {c}\) similarly to the original scheme. If \(\mathbf{p}=(*,\dots ,*,u_1,\dots ,u_{r_{\mathrm{p}}})\), the plaintext is \({\tilde{\mathbf{p}}}:=(p_1,\dots ,p_{n-r_{\mathrm{p}}})\in \mathbf {F}_q^{n-r_{\mathrm{p}}}\). If not, try it again by another \(\mathbf {p}\).

Complexities of decryption. If \(m\ge n\), the number of \(\mathbf {p}\) with \(F(\mathbf {p})=\mathbf {c}\) is (probably) not too large. Then the complexity of decryption of the “projection” is not much larger than the original scheme.

Security. For the projection of HFE, we see that there exist \(a_{1},\dots ,a_{n}\in \mathbf {F}_{q^{n}}\) such that

$$\begin{aligned} a_{1}F_{1}+\cdots +a_{n}F_{n}={}^{t}\!(\varTheta \tilde{S}) \begin{pmatrix}*_{d+1} &{} \\ &{} 0_{n-d-1} \end{pmatrix} (\varTheta \tilde{S}), \end{aligned}$$

where \(\tilde{S}\) is an \(n\times (n-r_{\mathrm{p}})\) matrix with \(S=(\tilde{S},*)\). Then the min-rank attack is available and its complexity is almost the same as the original scheme.

The most successful variant of HFE is probably the signature scheme HFEv- (Patarin et al. 2001), a combination of “minus” and “vinegar” of HFE, since the security against the min-rank attack is enhanced drastically without slowing down the signature generation. In fact, GeMSS (Casanova et al. 2020) based on HFEv- was chosen as a second round candidate of NIST’s project (NIST 2020). There are three kinds of GeMSS, called GeMSS, BlueGeMSS, and RedGeMSS, The major difference among these three GeMSSs is the degree of \(\mathscr {G}_\mathrm{v}\); the degrees are \(513(=2^{9}+1)\), \(129(=2^{7}+1)\), \(17(=2^{4}+1)\), i.e., d’s are 10, 8, 5, respectively. Of course, the signature generation of RedGeMSS is fastest and the BlueGeMSS is the next. Furthermore, the securities against the min-rank attack are enough if \(r_{-},r_{\mathrm{v}}\) are sufficiently large. On the other hand, as pointed out in Hashimoto (2018) for HMFEv (Petzoldt et al. 2017) (the vinegar of multi-HFE (Chen et al. 2020), the minus and the vinegar do not enhance the security against the high-rank attack. Though critical vulnerabilities of HFE variants against the high-rank attack have not been reported until now, we consider that an HFEv- with smaller d has a higher risk against the high-rank attack.

We recall that Sflash (Akkar et al. 2003) (a minus of Matsumoto–Imai’s scheme (Matsumoto and Imai 1988) is a signature scheme selected by NESSIE (Preneel 2020) and broken by a differential attack (Fouque et al. 2005). Recently, its projections called Pflash (Smith-Tone et al. 2015; Cartor and Smith-Tone 2017) and Eflash (Cartor and Smith-Tone 2018) were proposed. Pflash is a signature scheme with \(r_{\mathrm{p}}<r_{-}\) and Eflash is an encryption scheme with \(r_{\mathrm{p}}>r_{-}\). The complexities of signature generation and decryption are about \(q^{\min {(r_{\mathrm{p}},r_{-})}}\) times of Matsumoto–Imai’s scheme (Matsumoto and Imai 1988) and then we should take \(r_{-},r_{\mathrm{p}}\) by \(\min {(r_{\mathrm{p}},r_{-})}=O(\log _{q}n)\). It has been considered that the differential attack is not available on these schemes, and the security against the min-rank attack highly depends on \(r_{-}\). The security of Eflash is thus \(n^{O(\log _{q}n)}\). Similarly for the encryption scheme HFEp- with \(r_{\mathrm{p}}>r_{-}\), it is easy to see that the complexity of decryption is about \(q^{r_{-}}\) times of the original HFE and the complexity of the min-rank attack is roughly estimated by \(O(n^{(3d+r_{-}+2)w})\). Since \(3d+r_{-}=O(\log _{q}n)\), its security is also \(n^{O(\log _{q}n)}\).

3 New Encryption Schemes

In this section, we study the encryption schemes HFERP (Ikematsu et al. 2018), ZHFE (Porras et al. 2020), EFC (Szepieniec et al. 2016), and ABC (Tao et al. 2013, 2015) proposed recently.

3.1 HFERP

HFERP (Ikematsu et al. 2018) is an encryption scheme constructed by a “plus" and “projection" of a combination of HFE and Rainbow. We first describe a one-layer version HFERP without “plus” and “projection”.

Let \(v,o,l,d_0\ge 1\) be integers, \(n:=v+o\) and \(m:=v+o+l\). Define the map \(\mathscr {G}_{0}:\mathbf {F}_{q^v}\rightarrow \mathbf {F}_{q^v}\) by

$$\mathscr {G}_0(X):= \sum _{0\le i\le j\le d_{0}}\alpha _{ij}X^{q^i+q^j} +\sum _{0\le i \le d_{0}}\beta _iX^{q^i}+\gamma ,$$

where \(\alpha _{ij},\beta _i,\gamma \in \mathbf {F}_{q^v}\). The quadratic map \(G:\mathbf {F}_q^n\rightarrow \mathbf {F}_q^m\) is given as follows.

$$\begin{aligned} {}^{t}\!(g_1(\mathbf {x}),\dots ,g_v(\mathbf {x}))&= (\phi _0^{-1}\circ \mathscr {G}_0\circ \phi _0)(\mathbf {x}_{0}),\\ g_{v+1}(\mathbf {x}),\dots ,g_{m}(\mathbf {x})&= \sum _{v+1\le i \le n}x_i\cdot (\text {linear form of }\mathbf {x}_{0}) +(\text {quadratic form of }\mathbf {x}_{0}), \end{aligned}$$

where \(\phi _0:\mathbf {F}_q^v\rightarrow \mathbf {F}_{q^v}\) is an \(\mathbf {F}_q\)-isomorphism and \(\mathbf {x}_{0}={}^{t}\!(x_{1},\dots ,x_{v})\). HFERP (without “plus”, “projection”) is constructed as follows.

Secret key. Two invertible affine maps \(S:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{n}\), \(T:\mathbf {F}_q^{m}\rightarrow \mathbf {F}_q^{m}\) and the quadratic map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Public key. The quadratic map \(F:=T\circ G \circ S:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Encryption. For a plaintext \(\mathbf{p}\in \mathbf {F}_q^{n}\), the ciphertext is \(\mathbf {c}=F(\mathbf{p})\in \mathbf {F}_q^{m}\).

Decryption. For a given ciphertext \(\mathbf {c}\), compute \(\mathbf {z}={}^{t}\!(z_{1},\dots ,z_{m}):=T^{-1}(\mathbf {c})\). Let \(Z_0:=\phi _0(z_1,\dots ,z_v)\in \mathbf {F}_{q^v}\) and find \(Y_0\in \mathbf {F}_{q^v}\) such that \(\mathscr {G}_0(Y_0)=Z_0\). Put \((y_1,\dots ,y_v):=\phi _0^{-1}(Y_0)\in \mathbf {F}_q^v\) and find \(y_{v+1},\dots ,y_{n}\in \mathbf {F}_q\) with

$$\begin{aligned} g_{v+1}(y_1,\dots ,y_v,y_{v+1},\dots ,y_{n})=z_{v+1},\quad \dots , \quad g_{m}(y_1,\dots ,y_v,y_{v+1},\dots ,y_{n})=z_{m}. \end{aligned}$$

(10)

The plaintext is \(\mathbf {p}=S^{-1}(y_{1},\dots ,y_{n})\).

Complexity of decryption. Since the degree of \(\mathscr {G}_{0}(X)\) is at most \(2q^{d_{0}}\), the complexity of finding \(Y_{0}\) is \(O(q^{3d_{0}}+vq^{2d_{0}}\log {q})\) by Berlekamp’s algorithm. We see that (10) is a system of \(o+l\) linear equations of o variables. We thus conclude that the total complexity of decryption is \(O(q^{3d_{0}}+vq^{2d_{0}}\log {q}+n^{3})\). The parameter \(d_{0}\) should be taken by \(d_{0}=O(\log _{q}n)\).

Security. Let \(\{\theta _1,\dots ,\theta _v\}\) be a basis of \(\mathbf {F}_{q^v}\) over \(\mathbf {F}_q\) and \(\varTheta _0:=\left( \theta _j^{q^{i-1}}\right) _{1\le i,j\le v}\). By the definition of G, F, we see that

$$\begin{aligned} \begin{pmatrix} F_{1} \\ \vdots \\ F_{m} \end{pmatrix}= T\cdot \begin{pmatrix}\varTheta _0^{-1} &{} \\ &{} I_{o+l} \end{pmatrix} \begin{pmatrix} {}^{t}\!S {\begin{pmatrix} {}^{t}\!\varTheta _{0}\mathscr {G}_{0}^{(0)} \varTheta _{0}&{} \\ &{} 0_{o} \end{pmatrix}}S \\ \vdots \\ {}^{t}\!S {\begin{pmatrix}{}^{t}\!\varTheta _{0} \mathscr {G}_{0}^{(v-1)} \varTheta _{0} &{} \\ &{} 0_{o} \end{pmatrix}}S \\ {}^{t}\!S {\begin{pmatrix} *_{v} &{} * \\ * &{} 0_{o} \end{pmatrix}}S \\ \vdots \\ {}^{t}\!S {\begin{pmatrix} *_{v} &{} * \\ * &{} 0_{o} \end{pmatrix}}S \end{pmatrix} \end{aligned}$$

and then there exist \(a_{1},\dots ,a_{m}\in \mathbf {F}_{q^v}\) such that

$$\begin{aligned} a_{1}F_{1}+\cdots +a_{m}F_{m}={}^{t}\!S \begin{pmatrix} {}^{t}\!\varTheta _{0}\mathscr {G}_{0}^{(0)} \varTheta _{0}&{} \\ &{} 0_{o} \end{pmatrix}S ={}^{t}\!S {}^{t}\!\begin{pmatrix} \varTheta _{0} &{} \\ &{} I_{o} \end{pmatrix} \begin{pmatrix} *_{d_{0}+1} &{} \\ &{} 0_{n-d_{0}-1} \end{pmatrix} \begin{pmatrix} \varTheta _{0} &{} \\ &{} I_{o} \end{pmatrix}S. \end{aligned}$$

The min-rank attack is thus available on HFERP and its complexity can be estimated by \(O(\left( {\begin{array}{c}m+d_{0}+2\\ d_{0}+2\end{array}}\right) ^w)=O(m^{(d_{0}+2)w})\) (Ikematsu et al. 2018). This situation is similar for its plus and projection. Since \(d_{0}=O(\log _{q}n)\), the security of HFERP is \(n^{O(\log _{q}n)}\), which is almost the same as HFE. For the minus, we can easily check that the complexity of decryption is at most \(q^{r_{-}}\) times of the original HFERP and the security against the min-rank attack is \(O(\left( {\begin{array}{c}m+d_{0}+2\\ d_{0}+r_{-}+2\end{array}}\right) ^w)=O(m^{(d_{0}+r_{-}+2)w}).\) This means that the security of HFERP- is also \(n^{O(\log _{q}n)}\).

3.2 ZHFE

ZHFE (Porras et al. 2020) is an encryption scheme constructed by two univariate polynomials over an extension field. In this subsection, we study the simplest version of ZHFE since the structure of the original version is not far from the simplest version.

Let \(n,m,D\ge 1\) be integers with \(m=2n\) and define the quadratic forms \(\mathscr {G}_{1}(X),\mathscr {G}_{2}(X)\) of \(\bar{X}={}^{t}\!(X,X^{q},\dots ,X^{q^{n-1}})\) such that the degree of \(\varPsi (X):=X^{q}\cdot \mathscr {G}_{1}(X)+X\cdot \mathscr {G}_{2}(X)\) is at most D. It is easy to see that the coefficient matrices \(\mathscr {G}_{1}^{(0)},\mathscr {G}_{2}^{(0)}\) of \(\mathscr {G}_{1}(X),\mathscr {G}_{2}(X)\) as quadratic forms of \(\bar{X}\) are

(11)

where \(d:=\lceil \log _{q}\frac{D-q}{2}\rceil \). Denote by \(\phi _{2}:\mathbf {F}_q^{m}\rightarrow \mathbf {F}_{q^{n}}^{2}\) an \(\mathbf {F}_q\)-isomorphism and \(\mathscr {G}(X):=(\mathscr {G}_{1}(X),\mathscr {G}_{2}(X))\). ZHFE is constructed as follows.

Secret key. Two invertible affine maps \(S:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{n}\), \(T:\mathbf {F}_q^{m}\rightarrow \mathbf {F}_q^{m}\) and the quadratic map \(G:=\phi _{2}^{-1}\circ \mathscr {G}\circ \phi : \mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Public key. The quadratic map \(F:=T\circ G \circ S: \mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Encryption. For a plaintext \(\mathbf {p}\in \mathbf {F}_q^{n}\), the ciphertext is \(\mathbf {c}=F(\mathbf {p})\in \mathbf {F}_q^{m}\).

Decryption. For a given ciphertext \(\mathbf {c}\in \mathbf {F}_q^{m}\), compute \(\mathbf {z}:=T^{-1}(\mathbf {c})\). Let \((Z_1,Z_2):=\phi _2(z)\in \mathbf {F}_{q^{n}}^2\), and find \(Y\in \mathbf {F}_{q^{n}}\) such that \(\varPsi (Y)-Y^{q}\cdot Z_{1}-Y\cdot Z_{2}=0.\) Verify whether \(\mathscr {G}_1(Y)=Z_1\), \(\mathscr {G}_2(Y)=Z_2\) hold and put \(\mathbf {y}:=\phi ^{-1}(Y)\in \mathbf {F}_q^n\). The plaintext is \(\mathbf {p}=S^{-1}(\mathbf {y})\).

Complexity of decryption. Since \(\varPsi (Y)-Y^{q}\cdot Z_{1}-Y\cdot Z_{2} =Y^{q}\cdot (\mathscr {G}_{1}(Y)-Z_{1})+Y\cdot (\mathscr {G}_{2}(Y)-Z_{2})\), at least one of Y satisfies \(\mathscr {G}_1(Y)=Z_1\), \(\mathscr {G}_2(Y)=Z_2\) if \(\mathbf{z}\in G(\mathbf {F}_{q^{n}})\). The complexity of decryption is \(O(D^3+nD^2\log {q})=O(q^{3d}+nq^{2d}\log {q})\) by Berlekamp’s algorithm. The parameter d should be \(d=O(\log _{q}n)\).

Security. Let \(\{\theta _{1},\dots ,\theta _{n}\}\) be a basis of \(\mathbf {F}_{q^{n}}\) over \(\mathbf {F}_q\) and \(\varTheta _{2}:=\left( \theta _{j}^{q^{i-1}}\cdot I_{2}\right) _{1\le i,j\le n}\). We can easily check that

$$\begin{aligned} \begin{pmatrix}F_{1} \\ \vdots \\ F_{m} \end{pmatrix} =T\varTheta _{2}^{-1} \begin{pmatrix} {}^{t}\!(\varTheta S)\mathscr {G}_{1}^{(0)}(\varTheta S) \\ {}^{t}\!(\varTheta S)\mathscr {G}_{2}^{(0)}(\varTheta S) \\ {}^{t}\!(\varTheta S)\mathscr {G}_{1}^{(1)}(\varTheta S) \\ \vdots \\ {}^{t}\!(\varTheta S)\mathscr {G}_{2}^{(n-1)}(\varTheta S) \\ \end{pmatrix} \end{aligned}$$

and then there exist \(a_{1},\dots ,a_{m}\in \mathbf {F}_{q^{n}}\) such that

$$\begin{aligned} a_1F_1+\cdots +a_{m}F_{m}={}^{t}\!(\varTheta S)\mathscr {G}_1^{(0)}(\varTheta S). \end{aligned}$$

Since \(\mathrm {rank}\mathscr {G}_{1}^{(0)}\le d+2\) due to (11), the min-rank attack is available on ZHFE and its complexity can be estimated by \(O(\left( {\begin{array}{c}m+d+3\\ d+3\end{array}}\right) ^w)=O(m^{(d+3)w})\) (Perlne and Smith-Tone 2016; Cabarcas et al. 2017). Since \(d=O(\log _{q}n)\), the security of ZHFE is also \(n^{O(\log _{q}n)}\).

We note that the plus and projection do not enhance the security. For the minus, we see that there exist \(a_{1},\dots ,a_{m-r_{-}},b_{0},\dots ,b_{r_{-}}\in \mathbf {F}_{q^{n}}\) such that

$$\begin{aligned}&a_1F_1+\cdots +a_{m-r_{-}}F_{m-r_{-}} \\&=b_{0}{}^{t}\!(\varTheta S)\mathscr {G}_1^{(0)}(\varTheta S) +b_{1}{}^{t}\!(\varTheta S)\mathscr {G}_2^{(0)}(\varTheta S) +\cdots +b_{r_{-}}{}^{t}\!(\varTheta S)\mathscr {G}_{(r_{-}\bmod {2})+1}^{(\lfloor r_{-}/2 \rfloor )}(\varTheta S) \\&={}^{t}\!(\varTheta S)\left( \begin{array}{lll} *_{\lceil \frac{r_{-}}{2}\rceil +1} &{} * &{} * \\ * &{} *_{d-(r_{-}\bmod {2})} &{} 0 \\ * &{} 0 &{} 0 \end{array}\right) (\varTheta S). \end{aligned}$$

Since the rank of the matrix above is \(d+r_{-}+2\), the complexity of the min-rank attack is \(O(\left( {\begin{array}{c}m+d+3\\ d+r_{-}+3\end{array}}\right) ^w)=O((2n)^{(d+r_{-}+3)w})\). However, the complexity of decryption is at most \(q^{r_{-}}\) times of the original ZHFE, and then the security of ZHFE- is also \(n^{O(\log _{q}n)}\). Remark that (Perlne and Smith-Tone 2016) proposed a minus of ZHFE without slowing down the decryption by using a singular-type ZHFE. However, by studying the structure of such a ZHFE- carefully, we can easily check that such a minus does not enhance the security against the min-rank attack at all.

3.3 EFC

EFC (Szepieniec et al. 2016) is an encryption scheme constructed from the fact that an extension field can be expressed by a set of matrices.

Let \(n,m\ge 1\) be integers with \(m=2n\), h(t) an irreducible univariate polynomial over \(\mathbf {F}_q\) and H an \(n\times n\) matrix whose characteristic polynomial is h(t). It is easy to see that \(\mathscr {H}:=\left\{ a_0I_n+a_{1}H+\cdots +a_{n-1}H^{n-1}|a_0,\dots ,a_{n-1}\in \mathbf {F}_q\right\} \) is isomorphic to \(\mathbf {F}_q[t]/\langle h(t)\rangle \simeq \mathbf {F}_{q^{n}}\). Choose \(A_1,\dots ,A_{m}\in \mathscr {H}\) and define the map \(G:\mathbf {F}_q^n\rightarrow \mathbf {F}_q^{m}\) by

$$\begin{aligned} {}^{t}\!(g_1(\mathbf {x}),g_{3}(\mathbf {x}),\dots ,g_{m-1}(\mathbf {x}))&= \left( x_1A_1+x_{2}A_{3}+\cdots +x_{m-1}A_n\right) \mathbf {x},\\ {}^{t}\!(g_2(\mathbf {x}),g_{4}(\mathbf {x}),\dots ,g_{m}(\mathbf {x}))&= \left( x_1A_2+x_{2}A_{4}+\cdots +x_{m}A_n\right) \mathbf {x}. \end{aligned}$$

EFC (Szepieniec et al. 2016) is constructed as follows.

Secret key. Two invertible affine maps \(S:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{n}\), \(T:\mathbf {F}_q^{m}\rightarrow \mathbf {F}_q^{m}\) and the quadratic map \(G:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\) (i.e., the matrices \(A_{1},\dots ,A_{m}\)) defined above.

Public key. The quadratic map \(F:=T\circ G \circ S: \mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Encryption. For a plaintext \(\mathbf {p}\in \mathbf {F}_q^{n}\), the ciphertext is \(\mathbf {c}=F(\mathbf {p})\in \mathbf {F}_q^{m}\).

Decryption. For a given ciphertext \(\mathbf {c}\), compute \(\mathbf {z}={}^{t}\!(z_{1},\dots ,z_{m}):=T^{-1}(\mathbf {c})\). Solve a system of linear equations given by

$$\begin{aligned} \begin{aligned}&\left( x_1A_{1}+x_{2}A_{3}+\cdots +x_nA_{m-1}\right) {}^{t}\!(z_{2},z_{4},\dots ,z_{m})\\&=\left( x_1A_{2}+x_{2}A_{4}+\cdots +x_nA_{m}\right) {}^{t}\!(z_{1},z_{3},\dots ,z_{m-1}), \end{aligned} \end{aligned}$$

(12)

and find a solution \(\mathbf {y}\) of (12) satisfying \(G(\mathbf {y})=\mathbf {z}\). The plaintext is \(\mathbf {p}=S^{-1}(\mathbf {y})\).

Complexity of decryption. Since \(\mathscr {H}\) is commutative, it holds

$$\begin{aligned}&\left( x_1A_{2}+x_{2}A_{4}+\cdots +x_nA_{m}\right) {}^{t}\!(g_1(\mathbf {x}),g_{3}(\mathbf {x}),\dots ,g_{m-1}(\mathbf {x}))\\&=\left( x_1A_{1}+x_{2}A_{3}+\cdots +x_nA_{m-1}\right) {}^{t}\!(g_2(\mathbf {x}),g_{4}(\mathbf {x}),\dots ,g_{m}(\mathbf {x})). \end{aligned}$$

Then at least one of solutions of (12) satisfies \(G(\mathbf {y})=\mathbf {z}\) if \(\mathbf{z}\in G(\mathbf {F}_q^{n})\). The equation (12) is written by \(\left( z_1B_1+\cdots +z_{m}B_{m}\right) \mathbf {x}=0\) with \(n\times n\) matrices \(B_1,\dots ,B_{m}\) are \(n\times n\) derived from \(A_1,\dots ,A_{m}\). The complexity of decryption is thus \(O(n^{3})\).

Note that, since the map G in EFC is over-defined, the complexity of the “plus” and the “projection” is almost the same as the original EFC and that of the “minus” is at most \(q^{r_{-}}\) times of the original EFC.

Security. It is already known that the original EFC is insecure against the linearization attack (Szepieniec et al. 2016). We now study the security of EFC- against the min-rank attack. Let \(\theta \in \mathbf {F}_{q^{n}}\) be a root of h(t), choose a basis of \(\mathbf {F}_{q^{n}}\) over \(\mathbf {F}_q\) by \(\{\theta _1,\dots ,\theta _n\}=\{1,\theta ,\theta ^2,\dots ,\theta ^{n-1}\}\) and put \(\varTheta :=\Big (\theta _{j}^{q^{i-1}}\Big )_{1\le i,j\le n}\). Suppose that H is a companion matrix of h(t). Since \(A_{1},\dots ,A_{m}\in \mathscr {H}\), there exist linear forms \(L_{1}(\mathbf {x}),\dots ,L_{m}(\mathbf {x})\) of \(\mathbf {x}\) over \(\mathbf {F}_q\) such that

$$\begin{aligned} x_{1}A_{1}+x_{2}A_{3}+\cdots +x_{n}A_{m-1}&= L_{1}(\mathbf {x})I_{n}+L_{3}(\mathbf {x})H+\cdots +L_{m-1}(\mathbf {x})H^{n-1},\\ x_{1}A_{2}+x_{2}A_{4}+\cdots +x_{n}A_{m}&= L_{2}(\mathbf {x})I_{n}+L_{4}(\mathbf {x})H+\cdots +L_{m}(\mathbf {x})H^{n-1}. \end{aligned}$$

Denote by

$$\begin{aligned} \mathscr {G}_{1}(X):&= g_{1}(\mathbf {x})\theta _{1}+g_{3}(\mathbf {x})\theta _{2}+\cdots +g_{m-1}(\mathbf {x})\theta _{n},\\ \mathscr {G}_{2}(X):&= g_{2}(\mathbf {x})\theta _{1}+g_{4}(\mathbf {x})\theta _{2}+\cdots +g_{m}(\mathbf {x})\theta _{n},\\ \mathcal {L}_{1}(X):&= L_{1}(\mathbf {x})\theta _{1}+L_{3}(\mathbf {x})\theta _{2}+\cdots +L_{m-1}(\mathbf {x})\theta _{n},\\ \mathcal {L}_{2}(X):&= L_{2}(\mathbf {x})\theta _{1}+L_{4}(\mathbf {x})\theta _{2}+\cdots +L_{m}(\mathbf {x})\theta _{n}, \end{aligned}$$

where \(X:=\phi (\mathbf {x})=x_{1}\theta _{1}+\cdots +x_{n}\theta _{n}\). It is easy to see that \(\mathscr {G}_{1}(X),\mathscr {G}_{2}(X)\) are quadratic forms and \(\mathcal {L}_{1}(X),\mathcal {L}_{2}(X)\) are linear forms of \(\bar{X}=\varTheta \mathbf {x}={}^{t}\!(X,X^{q},\dots ,X^{q^{n-1}})\). By the definition of G, we see that

$$\begin{aligned} \begin{aligned} \varTheta {}^{t}\!(g_1(\mathbf {x}),g_{3}(\mathbf {x}),\dots ,g_{m-1}(\mathbf {x}))&= \left( \sum _{1\le i\le n} L_{2i-1}(\mathbf {x})(\varTheta H\varTheta ^{-1})^{i-1} \right) (\varTheta \mathbf {x}),\\ \varTheta {}^{t}\!(g_2(\mathbf {x}),g_{4}(\mathbf {x}),\dots ,g_{m}(\mathbf {x}))&= \left( \sum _{1\le i\le n} L_{2i}(\mathbf {x})(\varTheta H\varTheta ^{-1})^{i-1} \right) (\varTheta \mathbf {x}). \end{aligned} \end{aligned}$$

(13)

Since \(\varTheta H\varTheta ^{-1}=\mathrm {diag}{\big (\theta ,\theta ^{q},\dots ,\theta ^{q^{n-1}}\big )}\) (e.g., Horn et al. 1985), we have \(\mathscr {G}_{1}(X)=\mathcal {L}_{1}(X)\cdot X\), \(\mathscr {G}_{2}(X)=\mathcal {L}_{2}(X) \cdot X\) due to (13). This means that the map G is written by \(G=\phi _2^{-1}\circ \mathscr {G}\circ \phi \) where \(\mathscr {G}(X)=(\mathscr {G}_{1}(X),\mathscr {G}_{2}(X))=(\mathcal {L}_{1}(X)\cdot X,\mathcal {L}_{2}(X) \cdot X)\), and it holds

$$\begin{aligned} \begin{pmatrix}F_{1} \\ \vdots \\ F_{m} \end{pmatrix} =T\varTheta _{2}^{-1} \begin{pmatrix} {}^{t}\!(\varTheta S)\mathscr {G}_{1}^{(0)}(\varTheta S) \\ {}^{t}\!(\varTheta S)\mathscr {G}_{2}^{(0)}(\varTheta S) \\ {}^{t}\!(\varTheta S)\mathscr {G}_{1}^{(1)}(\varTheta S) \\ \vdots \\ {}^{t}\!(\varTheta S)\mathscr {G}_{2}^{(n-1)}(\varTheta S) \end{pmatrix}. \end{aligned}$$

Then, for EFC-, there exist \(a_{1},\dots ,a_{m-r_{-}},b_{0},\dots ,b_{r_{-}}\in \mathbf {F}_{q^{n}}\) such that

$$\begin{aligned}&a_1F_1+\cdots +a_{m-r_{-}}F_{m-r_{-}} \\&=b_{0}{}^{t}\!(\varTheta S)\mathscr {G}_1^{(0)}(\varTheta S) +b_{1}{}^{t}\!(\varTheta S)\mathscr {G}_2^{(0)}(\varTheta S) +\cdots +b_{r_{-}}{}^{t}\!(\varTheta S)\mathscr {G}_{(r_{-}\bmod {2})+1}^{(\lfloor r_{-}/2 \rfloor )}(\varTheta S) \\&={}^{t}\!(\varTheta S) \left( \begin{array}{ll} *_{1+\lfloor \frac{r_{-}}{2}\rfloor } &{} * \\ * &{} 0 \end{array}\right) (\varTheta S). \end{aligned}$$

Since the rank of the matrix above is at most \(2\lfloor \frac{r_{-}}{2} \rfloor +2\), the min-rank attack is available on EFC- and its complexity can be estimated by \(O(\left( {\begin{array}{c}2n-r_{-}+2\lfloor \frac{r_{-}}{2} \rfloor +3\\ 3+2\lfloor \frac{r_{-}}{2} \rfloor \end{array}}\right) ^{w}) =O((2n)^{(r_{-}+3)w}).\) Since \(r_{-}=O(\log _{q}n)\), the security of EFC- is also \(n^{O(\log _{q}n)}\). This situation is similar to the “plus” and “projection” of EFC-.

3.4 ABC

ABC (Tao et al. 2013, 2015) is an encryption scheme constructed by three polynomial matrices A, B, C. Let \(r,n,m\ge 1\) be integers with \(n=r^{2},m=2r^{2}\). For \(\mathbf {x}={}^{t}\!(x_{1},\dots ,x_{n})\), define the \(r\times r\) matrices \(A(\mathbf {x}),B(\mathbf {x}),C(\mathbf {x}),E_{1}(\mathbf {x}),E_{2}(\mathbf {x})\) by \(A(\mathbf {x}):=\left( x_{j+r(i-1)}\right) _{1\le i,j\le r}\), \(B(\mathbf {x}):=\left( b_{ij}(\mathbf {x})\right) _{1\le i,j\le r}\), \(C(\mathbf {x}):=\left( c_{ij}(\mathbf {x})\right) _{1\le i,j\le r}\), \(E_{1}(\mathbf {x}):=A(\mathbf {x})B(\mathbf {x})\) and \(E_{2}(\mathbf {x}):=A(\mathbf {x})C(\mathbf {x})\), where \(b_{ij}(\mathbf {x}),c_{ij}(\mathbf {x})\) are linear forms of \(\mathbf {x}\). The quadratic map \(G:\mathbf {F}_q^{n} \rightarrow \mathbf {F}_q^{m}\) is generated by \(E_{1}(\mathbf {x})=\left( g_{j+r(i-1)}(\mathbf {x})\right) _{1\le i,j\le r}\) and \(E_{2}(\mathbf {x})=\left( g_{n+j+r(i-1)}(\mathbf {x})\right) _{1\le i,j\le r}\). The encryption scheme ABC (Tao et al. 2013) is constructed as follows.

Secret key. Two invertible affine maps \(S:\mathbf {F}_q^{n} \rightarrow \mathbf {F}_q^{n}\), \(T:\mathbf {F}_q^{m} \rightarrow \mathbf {F}_q^{m}\) and the quadratic map G defined above.

Public key. The quadratic map \(F:=T\circ G\circ S:\mathbf {F}_q^{n}\rightarrow \mathbf {F}_q^{m}\).

Encryption. For a plaintext \(\mathbf {p}\in \mathbf {F}_q^{n}\), the ciphertext is \(\mathbf {c}=F(\mathbf {p})\in \mathbf {F}_q^{m}\).

Decryption. For a given ciphertext \(\mathbf {c}\), compute \(\mathbf {z}={}^{t}\!(z_{1},\dots ,z_{m}):=T^{-1}(\mathbf {c})\) and put \(Z_{1}:=\left( z_{j+r(i-1)}\right) _{1\le i,j\le r}\), \(Z_{2}:=\left( z_{n+j+r(i-1)}\right) _{1\le i,j\le r}\). Find \(\mathbf {y}\in \mathbf {F}_q^{n}\) such that

$$\begin{aligned} B(\mathbf {y})=C(\mathbf {y})Z_{2}^{-1}Z_{1}. \end{aligned}$$

(14)

If \(Z_{2}\) is not invertible, replace (14) into \(B(\mathbf {y})Z_{1}^{-1}Z_{2}=C(\mathbf {y})\). The plaintext is \(\mathbf {p}=S^{-1}(\mathbf {y})\).

Complexity of decryption. The equation (14) yields a system of n linear equations of n variables. Then the complexity of decryption is \(O(n^{3})\). Remark that the decryption fails if \(A(S(\mathbf {p}))\) is not invertible and its probability is about \(q^{-1}\).

Security. It is easy to check that the coefficient matrix \(G_{1}\) of the first polynomial \(g_{1}(\mathbf {x})\) in \(G(\mathbf {x})\) is \(G_{1}=\left( \begin{array}{ll} *_{r} &{} * \\ * &{} 0_{n-r} \end{array} \right) \). Then the min-rank attack is available and its complexity is \(O(q^{2r}\cdot n^{4})\) (Tao et al. 2013). Moody et. al. (Moody et al. 2014, 2017) proposed an asymptotically optimal attack with the complexity \(O(q^{r+2}\cdot n^{4})\) based on the structure of subspace differential invariants. Recently, Liu (Liu et al. 2018) proposed a key recovery attack by solving a system of linear equations derived from the construction of the polynomials, and extended its key recovery attack to the rectangular ABC (Tao et al. 2015) and Cubic ABC (Ding et al. 2014). They claimed that the complexities of these attacks are with the complexity \(O(n^{2w})\), which is critical for the security of ABC schemes. On the other hand, one of the anonymous reviewers on the present paper claimed in his/her report that its attack seems doubtful. He/She may present his/her opinion somewhere in the near future.

Table 1 Signature schemes

Table 2 Encryption schemes

4 Conclusion

In Sect. 2, we describe the multivariate schemes UOV, Rainbow, HFE variants and the corresponding second round candidates of NIST’s project. In Sect. 3, we discuss the practicalities of several new multivariate encryption schemes proposed recently. Tables 1 and 2 are rough sketches of the complexities of decryption/signature generation and the major attacks for the corresponding schemes. Remark that there are various other attacks concerned for implementations.

Table 1 shows that practical signature schemes can be implemented easily since signatures can be generated in polynomial time and the proposed attacks are in exponential time. On the other hand, Table 2 shows that the issues on the practicality of HFE variants have not been eliminated on the new encryption schemes. While selecting parameters for 80-, 100-, 120-bit securities on such encryption schemes might be possible, they will not be able to follow the future inflation of security levels. Further drastic approaches will be required to construct practical multivariate encryption schemes.