HMFEv - An Efficient Multivariate Signature Scheme
Albrecht Petzoldt, Ming-Shing Chen, Jintai Ding, Bo-Yin Yang
PQCrypto 2017
Utrecht, Netherlands
A. Petzoldt
HMFEv
PQCrypto 2017
1 / 23
Outline
1 Multivariate Cryptography
2 The HMFEv Signature Scheme
3 Security
4 Parameters and Key Sizes
5 Efficiency and Comparison
6 Conclusion
Multivariate Cryptography
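$$p^{(1)}(x_1, \dots, x_n) = \sum_{i=1}^{n} \sum_{j=i}^{n} p_{ij}^{(1)} \cdot x_i x_j + \sum_{i=1}^{n} p_i^{(1)} \cdot x_i + p_0^{(1)}$$
$$p^{(2)}(x_1, \dots, x_n) = \sum_{i=1}^{n} \sum_{j=i}^{n} p_{ij}^{(2)} \cdot x_i x_j + \sum_{i=1}^{n} p_i^{(2)} \cdot x_i + p_0^{(2)}$$
$$\vdots$$
$$p^{(m)}(x_1, \dots, x_n) = \sum_{i=1}^{n} \sum_{j=i}^{n} p_{ij}^{(m)} \cdot x_i x_j + \sum_{i=1}^{n} p_i^{(m)} \cdot x_i + p_0^{(m)}$$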
The security of multivariate schemes is based on the
Problem MQ: Given m multivariate quadratic polynomials
$p^{(1)}(x), \dots, p^{(m)}(x)$, find a vector $\bar{x} = (\bar{x}_1, \dots, \bar{x}_n)$ such that
$p^{(1)}(\bar{x}) = \dots = p^{(m)}(\bar{x}) = 0$.
Construction
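Easily invertible quadratic map $\mathcal{F}: \mathbb{F}^n \to \mathbb{F}^m$
Two invertible linear maps $\mathcal{S}: \mathbb{F}^m \to \mathbb{F}^m$ and $\mathcal{T}: \mathbb{F}^n \to \mathbb{F}^n$
Public key: $\mathcal{P} = \mathcal{S} \circ \mathcal{F} \circ \mathcal{T}$, supposed to look like a random system
Private key: $\mathcal{S}, \mathcal{F}, \mathcal{T}$, which allow inverting the public key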
Workflow
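Decryption / Signature Generation:
$w \in \mathbb{F}^m \xrightarrow{\mathcal{S}^{-1}} x \in \mathbb{F}^m \xrightarrow{\mathcal{F}^{-1}} y \in \mathbb{F}^n \xrightarrow{\mathcal{T}^{-1}} z \in \mathbb{F}^n$
Encryption / Signature Verification:
$z \in \mathbb{F}^n \xrightarrow{\mathcal{P}} w \in \mathbb{F}^m$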
Multivariate Signature Schemes
Big Field Schemes
• HFEv-
Single Field Schemes
• UOV
• Rainbow
HFEv-
uses HFE polynomial F of degree D
signature generation: invert F by Berlekamp's algorithm
(complexity $\sim D^3$)
Efficiency: Use small D
Security: $r = \lfloor \log_q(D-1) \rfloor + 1$ should not be too small
⇒ Use HFEv- over small fields, e.g. F=GF(2)
⇒ many equations and variables required to defend against (quantum)
brute force attacks
⇒ large key sizes, hard to scale to higher security levels
⇒ Can we create HFEv- like schemes over large fields?
Medium Field Signature Schemes
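Signature Generation:
$w \in \mathbb{F}^n \xrightarrow{\mathcal{S}^{-1}} x \in \mathbb{F}^n \xrightarrow{\bar{\mathcal{F}}^{-1}} y \in \mathbb{F}^n \xrightarrow{\mathcal{T}^{-1}} z \in \mathbb{F}^n$
Path of $\bar{\mathcal{F}}^{-1}$ through the extension field:
$x \in \mathbb{F}^n \xrightarrow{\varphi \times \dots \times \varphi \ (k \text{ times})} X \in \mathbb{E}^k \xrightarrow{\mathcal{F}^{-1}} Y \in \mathbb{E}^k \xrightarrow{\varphi^{-1} \times \dots \times \varphi^{-1} \ (k \text{ times})} y \in \mathbb{F}^n$
Signature Verification:
$z \in \mathbb{F}^n \xrightarrow{\mathcal{P}} w \in \mathbb{F}^n$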
HMFEv - Key Generation
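finite field $\mathbb{F}$, integers $k, \ell, v$, extension field $\mathbb{E}$ of degree $\ell$,
isomorphism $\varphi: \mathbb{F}^\ell \to \mathbb{E}$, $m = k \cdot \ell$, $n = m + v$
central map $\mathcal{F}$: $k$ components $f^{(1)}, \dots, f^{(k)}: \mathbb{E}^k \times \mathbb{F}^v \to \mathbb{E}$,
$$f^{(i)}(X_1, \dots, X_k) = \sum_{r,s=1}^{k} \alpha_{r,s}^{(i)} X_r X_s + \sum_{r=1}^{k} \beta_r^{(i)}(v_1, \dots, v_v) \cdot X_r + \gamma^{(i)}(v_1, \dots, v_v)$$
with $\beta_r^{(i)}: \mathbb{F}^v \to \mathbb{E}$ linear, $\gamma^{(i)}: \mathbb{F}^v \to \mathbb{E}$ quadratic
⇒ $\bar{\mathcal{F}} = (\varphi^{-1} \times \dots \times \varphi^{-1}) \circ \mathcal{F} \circ (\varphi \times \dots \times \varphi \times \mathrm{id}_v): \mathbb{F}^n \to \mathbb{F}^m$ quadratic
two invertible affine transformations $\mathcal{S}: \mathbb{F}^m \to \mathbb{F}^m$, $\mathcal{T}: \mathbb{F}^n \to \mathbb{F}^n$
public key: $\mathcal{P} = \mathcal{S} \circ \bar{\mathcal{F}} \circ \mathcal{T}: \mathbb{F}^n \to \mathbb{F}^m$
private key: $\mathcal{S}, \mathcal{F}, \mathcal{T}$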
Signature Generation
Given: document d
1 Use hash function $\mathcal{H}: \{0,1\}^\star \to \mathbb{F}^m$ to compute $w = \mathcal{H}(d) \in \mathbb{F}^m$
2 Compute $x = \mathcal{S}^{-1}(w) \in \mathbb{F}^m$ and
$X_i = \varphi(x_{(i-1) \cdot \ell + 1}, \dots, x_{i \cdot \ell}) \in \mathbb{E}$ $(i = 1, \dots, k)$.
3 Choose random values for the vinegar variables $v_1, \dots, v_v$
Solve the multivariate quadratic system
$f^{(i)}_{v_1, \dots, v_v}(Y_1, \dots, Y_k) = X_i$ $(i = 1, \dots, k)$ by XL or a Gröbner basis
algorithm
4 Compute $y = (\varphi^{-1}(Y_1), \dots, \varphi^{-1}(Y_k), v_1, \dots, v_v) \in \mathbb{F}^n$
5 Compute the signature $z \in \mathbb{F}^n$ by $z = \mathcal{T}^{-1}(y)$
Signature Verification
Given: signature $z \in \mathbb{F}^n$, message d
Compute $w = \mathcal{H}(d) \in \mathbb{F}^m$
Compute $w' = \mathcal{P}(z) \in \mathbb{F}^m$
Accept the signature z ⇔ $w' = w$.
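The key generation, signing and verification slides above, run end to end on toy parameters. This is an added example, not the authors' implementation, and every name in it is hypothetical. Assumptions: GF(7) with E = GF(7)[i]/(i^2+1) (so ℓ = 2, k = 2, v = 2), a homogeneous central map, S and T linear and built from shears, SHA-256 reduced mod 7 as the hash, and exhaustive search over E^k in place of XL or a Gröbner basis algorithm.

```python
import hashlib, itertools, random

Q, K, V = 7, 2, 2                  # toy sizes (assumed); l = 2 via E = GF(7)[i]/(i^2+1)
M, N = 2 * K, 2 * K + V            # m = k*l equations, n = m + v variables
E = list(itertools.product(range(Q), repeat=2))   # element a + b*i stored as (a, b)

def emul(x, y):                    # multiplication in E = GF(49)
    return ((x[0]*y[0] - x[1]*y[1]) % Q, (x[0]*y[1] + x[1]*y[0]) % Q)

def lin(ops, x, inv=False):        # invertible linear map as a chain of shears x_i += c*x_j
    x = list(x)
    for i, j, c in (reversed(ops) if inv else ops):
        x[i] = (x[i] + (-c if inv else c) * x[j]) % Q
    return x

def keygen(rng=random):            # private key (S, F, T); all names here are hypothetical
    ops = lambda n: [(*rng.sample(range(n), 2), rng.randrange(1, Q)) for _ in range(4 * n)]
    F = [[[rng.choice(E) for _ in range(K + V)] for _ in range(K + V)] for _ in range(K)]
    return ops(M), F, ops(N)

def central(F, Y, v):              # f^(i) = sum_{r,s} c_rs U_r U_s, U = (Y_1..Y_k, v_1..v_v)
    U, R = list(Y) + [(vj, 0) for vj in v], range(K + V)
    return [tuple(sum(emul(c[r][s], emul(U[r], U[s]))[i] for r in R for s in R) % Q
                  for i in (0, 1)) for c in F]

def blocks(x):                     # phi applied blockwise: F^m -> E^k
    return [tuple(x[2*i:2*i + 2]) for i in range(K)]

def public_map(key):               # P = S o Fbar o T (a real key publishes P's coefficients)
    S, F, T = key
    def P(z):
        y = lin(T, z)
        return lin(S, [c for e in central(F, blocks(y), y[M:]) for c in e])
    return P

def H(d):                          # toy hash {0,1}* -> F^m (assumed construction)
    return [b % Q for b in hashlib.sha256(d).digest()[:M]]

def sign(key, d, rng=random):
    S, F, T = key
    X = blocks(lin(S, H(d), inv=True))             # x = S^-1(w), X_i = phi(x-block)
    while True:                                    # fresh vinegar until the system is solvable
        v = [rng.randrange(Q) for _ in range(V)]
        for Y in itertools.product(E, repeat=K):   # exhaustive search stands in for XL/Groebner
            if central(F, Y, v) == X:
                return lin(T, [c for e in Y for c in e] + v, inv=True)   # z = T^-1(y)

def verify(P, d, z):               # accept iff P(z) = H(d)
    return P(z) == H(d)
```

The retry loop in `sign` is the role the vinegar variables play in step 3: a given choice of $v_1, \dots, v_v$ may leave the central system without a solution, and a fresh choice gives a new system for the same hash value.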
Security
Min Rank attack
Theorem
If $v \le \ell$ holds, the rank of the quadratic form associated to $\mathcal{F}^{(i)}$ is less than or
equal to $k + v$
Vinegar maps are chosen completely random ⇒ upper bound is tight
$$\mathrm{Complexity}_{\mathrm{MinRank}} = \ell^{(k+v+1) \cdot \omega}$$
with $2 < \omega \le 3$.
Direct attack
Theorem
The degree of regularity of a direct attack against an HMFEv system is,
under the assumption of $v \le \ell$, bounded by
$$d_{reg} \le \begin{cases} \frac{(q-1) \cdot (k+v-1)}{2} & \text{for } q \text{ even and } k+v \text{ odd} \\ \frac{(q-1) \cdot (k+v)}{2} & \text{otherwise.} \end{cases}$$
Experiments over small fields
⇒ bound is relatively tight
⇒ concrete choice of k and v is not important, as long as k + v is fixed
and k, v ≥ 2
Direct attacks (2)
Experiments over large fields

GF(31)
parameters (k, ℓ, v)   m,n     dreg   time (s)   memory (MB)
(2,6,4)                12,12   14     1,911      953
(2,7,4)                14,14   16     164,089    17,273
(2,8,4)                16,16   18     ooM
random                 16,16   18     ooM

GF(256)
parameters (k, ℓ, v)   m,n     dreg   time (s)   memory (MB)
(3,3,6)                9,9     11     3.9        23.7
(3,4,6)                12,12   14     1,853      952
(3,5,6)                15,15   17     ooM
random                 15,15   17     ooM

⇒ we can reach high values of dreg
⇒ HMFEv systems behave very similar to random systems
$$\mathrm{Complexity}_{\mathrm{Direct}} = 3 \cdot \binom{n + d_{reg}}{d_{reg}}^2 \cdot \binom{n}{2}.$$
Quantum Attacks
With the help of Grover's algorithm, a binary multivariate system with n
variables can be solved using
$2^{n/2} \cdot 2 \cdot n^3$ operations
⇒ large impact on multivariate schemes over small fields (e.g. HFEv-)
⇒ no significant impact on multivariate schemes over large fields (e.g.
HMFE)
Parameter Choice
How to choose the parameter k?
Efficiency: Choose k as small as possible
Security: too small k might make the scheme insecure
⇒ odd q: choose k = 2, choose the coefficients of $f^{(1)}$ and $f^{(2)}$ such that
$p(X) = \det(F_1 + X \cdot F_2)$ is irreducible
⇒ even q: choose k = 3
Key Sizes and Comparison
quantum security   scheme                        public key   private key   signature
level (bit)                                      size (kB)    size (kB)     size (bit)
80                 Rainbow (GF(256),17,13,13)    25.1         19.9          344
80                 Gui (GF(2),120,9,3,3,2)       110.7        3.8           129
80                 HMFEv (GF(31),2,18,8)         22.5         3.5           218
80                 HMFEv (GF(256),3,9,12)        21.6         6.0           312
128                Rainbow (GF(256),36,21,22)    136.0        102.5         632
128                Gui (GF(2),212,9,3,4,2)       592.8        11.6          222
128                HMFEv (GF(31),2,28,12)        81.8         8.9           337
128                HMFEv (GF(256),3,15,16)       85.8         15.2          488
256                Rainbow (GF(256),86,45,46)    1,415.7      1,046.3       1,416
256                Gui (GF(2),464,9,7,8,2)       6,253.7      56.4          488
256                HMFEv (GF(31),2,55,21)        583.9        38.0          649
256                HMFEv (GF(256),3,31,26)       659.4        65.3          952
Comparison with HFEv-/Gui
Major advantages:
fewer equations and variables in the public key
⇒ smaller key sizes
larger internal state
⇒ no "double-signing" needed
⇒ Easier to implement, greater efficiency
larger field size
⇒ easier to scale to higher levels of security
Implementation and Efficiency
Central step in signature generation: Inversion of $\mathcal{F}_V$
Two steps:
1 Gröbner Basis Step: Find a univariate polynomial $p: \mathbb{E} \to \mathbb{E}$ in the
ideal $\langle f_V^{(1)}, \dots, f_V^{(k)} \rangle$.
k small ⇒ can be performed efficiently by a specially designed
algorithm
2 Solving Step: Solve the univariate polynomial p by Berlekamp's
algorithm
Efficiency
quantum security level (bit): 62, 80, 83, 128

scheme                      sign. gen.   verification
                            time (ms)    time (ms)
Gui (GF(2),96,5,6,6)        0.07         0.02
Gui(GF(2),95,9,5,5)         0.18         0.02
Gui(GF(2),94,17,4,4)        0.73         0.02
HMFEv (GF(31),2,18,8)       0.131        0.0085
HMFEv (GF(256),3,9,12)      0.261        0.0236
Gui(127,9,4,6,2)            0.28         0.015
HMFEv (GF(31),2,28,12)      0.26         0.0259
HMFEv (GF(256),3,15,16)     0.443        0.063
Conclusion
Proposal of a new efficient multivariate signature scheme of the HFEv- type which
can be defined over large fields
⇒ reduces the number of equations and variables ⇒ smaller key sizes
⇒ improves scalability to higher levels of security
resists all known attacks against MPKCs
is very efficient
⇒ HMFEv is a promising candidate for the upcoming standardization
process of post-quantum signature schemes
The End
Thank you for your attention
Questions?