Gui: Revisiting Multivariate Schemes based on HFEv-

No Author Given

No Institute Given

Abstract. The QUARTZ digital sig­ 1 Introduction nature scheme (Patarin, Courtois and Goubin, 2001) is one of the best known Cryptographic techniques are an essential tool to multivariate PKCs, based on an adap­ guarantee the security of communication in mod­ tation of “Hidden Field Equations with vinegar-minus” for very short signatures. ern society. Today, the security of nearly all of the Designed for a 80-bit security level, cryptographic schemes used in practice is based on QUARTZ has no known flaws and is cur­ number theoretic problems such as factoring large rently estimated to have a security level integers and solving discrete logarithms. The best ∼ 292 . known schemes in this area are RSA [25], DSA QUARTZ was never widely used, prob­ [16] and ECC. However, schemes like these will ably due to its slow signing speed. The become insecure as soon as large enough quantum authors of QUARTZ had chosen ultra- computers arrive. The reason for this is Shor’s algo­ safe parameters in 2001, based on what rithm [26], which solves number theoretic problems they knew about HFEv-. In this paper, like and discrete logarithms in we show how to choose parameters to time on a quantum computer. There­ speed up such schemes at 80- and 128­ fore, one needs alternatives to those classical public bit security levels given the new research on HFEv- security levels since then. schemes, based on hard mathematical problems We show that reducing the degree of not affected by quantum computer attacks. the central HFE polynomial, when com­ bined with an appropriate increase in the Besides lattice, code and hash based cryptosys­ number of Vinegar variables and minus tems, multivariate is one of the main equations, does not decrease the security candidates for this [1]. Multivariate schemes are of the scheme compared to the original in general very fast and require only modest com­ QUARTZ design. This is backed up both putational resources, which makes them attractive with theory and with experiments. We for the use on low cost devices like smart cards and achieve a speed-up of the signature gen­ RFID chips [4,5]. Additionally, at least in the area eration process by two orders of magni­ of digital signatures, there exists a large number of tude. We call our new design Gui and show that the performance of Gui is com­ practical multivariate schemes [10,17]. parable to that of standard signature schemes, including signatures on elliptic In 2001, Patarin and Courtois proposed a mul­ curves. tivariate signature scheme called QUARTZ [21], which is based on the concept of HFEv-. While QUARTZ produces very short signatures (128 bit), Keywords: Multivariate Cryptography, QUARTZ the signature generation process is very slow (at Signature Scheme, HFEv-, Direct Algebraic At­ the time about 11 seconds per signature [5]). The tacks main reason for this is the use of a high degree HFE polynomial (for QUARTZ this degree is given by periments with direct attacks against low degree D = 129), which makes the inversion of the central versions of HFEv-. Based on these results, we pro­ map very costly. pose in Section 5 our new multivariate signature scheme Gui. Section 6 gives details on the imple­ At the time of the design of the QUARTZ mentation and compares the efficiency of Gui with scheme, very little was known about the com­ that of some standard signature schemes. Finally, plexity of algebraic attacks against the HFE fam­ Section 7 concludes the paper. ily of systems, in particular, the HFEv- schemes. Therefore, the authors of QUARTZ could not base their parameter choice on theoretical foundations. 2 Multivariate Cryptography Recently, there has been a fundamental break­ through in terms of understanding the behavior of algebraic attacks on the HFE family of systems The basic ob jects of multivariate cryptography are [8,9,11], which enables us to substantially improve systems of multivariate quadratic . The the original design of QUARTZ without reducing security of multivariate schemes is based on the its security. In this paper, we propose to choose new parameter sets for more efficient HFEv- based MQ Problem: Given m multivariate quadratic signature schemes for the low (80-bit) and high polynomials p(1)(x), . . . , p(m)(x) in n variables (112+-bit) security levels. We achieve this by re­ x1, . . . , xn, find a vector x¯ = ( x¯1, . . . , x¯n) such ducing the degree of the central HFEv- polynomial that p(1)(x¯) = . . . = p(m)(x¯) = 0. while increasing the number of vinegar variables The MQ problem (for m ≈ n) is proven to be NP- and minus equations. hard even for quadratic polynomials over the field GF(2) [14]. Under state-of-the-art theoretical and experi­ mental analysis, this adaptation should not cost To build a public key based on the us in terms of security, compared to conservative MQ problem, one starts with an easily invertible choices like the original QUARTZ design. Referring quadratic map F : Fn → Fm (central map). To to a 3-legged Chinese utensil [28] dating back to hide the structure of F in the public key, one com­ earthenware pottery from the 4000-year-old Long­ poses it with two invertible affine (or linear) maps shan culture, we call our new scheme Gui. We S : Fm → Fm and T : Fn → Fn . The public key show that our new design speeds up the signature is therefore given by P = S ◦ F ◦ T . The private generation process by two degrees of magnitude key consists of S, F and T and therefore allows to compared to QUARTZ, and has comparable per­ invert the public key. formance to standard signature schemes like RSA and ECDSA. Note: Due to the above construction, the security of multivariate schemes is not only based on the The rest of this paper is organized as follows. In MQ-Problem but also on the EIP-Problem (“Ex­ Section 2 we give an introduction into the area of tended Isomorphisms of Polynomials”) of finding multivariate cryptography and in particular Big- the composition of P. Field signature schemes. Section 3 introduces the HFEv- signature scheme and the changes made to In this paper we concentrate on multivariate sig­ this scheme by Patarin and Courtois when defin­ nature schemes of the BigField family. For this ing QUARTZ. Furthermore, in this section, we give type of multivariate schemes, the map F is a spe­ a short overview on the security and efficiency of cially chosen easily invertible map over a degree n QUARTZ. Section 4 presents the results of our ex­ extension field E of F. One uses an isomorphism Φ : Fn → E to transform F into a quadratic map The standard signature generation and verification process of a multivariate BigField scheme works as F¯ = Φ−1 ◦ F ◦ Φ (1) shown in Figure 1. from Fn to itself. The public key of the scheme is therefore given by −1 n n P = S ◦ F¯ ◦ T = S ◦ Φ ◦ F ◦ Φ ◦ T : F → F . (2)

Signature Generation −1 X ∈ E F -Y ∈ E 1 Φ Φ−1

−1 ¯−1 −1 n S - n F- n T - n h ∈ F x ∈ F y ∈ F z ∈ F 1 P

Signature Verification

Fig. 1. General workflow of BigField schemes

Signature generation: To sign a message h ∈ Fn , in schemes like SFLASH [22] to prevent Patarins one computes recursively x = S−1(h) ∈ Fn , X = Linearization Equations attack [23] against the Φ(x) ∈ E, Y = F −1(X) ∈ E, y = Φ−1(Y ) ∈ Fn Matsumoto-Imai cryptosystem [20]. and z = T −1(y). The signature of the message h is z ∈ Fn . Vinegar-Variation: The idea of this variation is to parametrize the central map F by adding (a Verification: To check the authenticity of a signa­ small set of ) additional (Vinegar) variables. In the ture z ∈ Fn, one simply computes h' = P(z) ∈ Fn . context of multivariate BigField schemes, the Vine­ If h' = h holds, the signature is accepted, other­ gar variation can be used to increase the security wise rejected. of the scheme against direct and rank attacks.

A good overview on existing multivariate schemes can be found in [7]. Two widely used variations of 3 The QUARTZ Signature Scheme multivariate BigField schemes are the Minus varia­ tion and the use of additional (Vinegar) variables. QUARTZ is a multivariate signature scheme stan­ Minus-Variation: The idea of this variation is dardized by Patarin and Courtois in [21]. Roughly to remove a small number of equations from the speaking, it is an HFEv- scheme with a specially public key. The Minus-Variation was first used designed signature generation process to enable se­ cure short signatures of length 128 bit. 3.1 The HFEv- Signature Scheme FV (Y ) = X by Berlekamp’s algorithm and compute y ' = Φ−1(Y ) ∈ Fn . Let = be a finite field with q elements and ' F Fq E Set y = (y ||v1|| . . . ||vv). be a degree n extension field of . Furthermore, we n+v F 3. Compute the signature z ∈ F by z = choose integers D, a and v. Let Φ be the canonical T −1(y). isomorphism between Fn and E, i.e. Signature verification: To check the authenticity n n i−1 of a signature z ∈ n+v, one simply computes Φ(x1, . . . , xn) = xi · X . (3) F ' n−a ' i=1 h = P(z) ∈ F . If h = h holds, the signature is accepted, otherwise rejected. The central map F of the HFEv- scheme is a map from E × Fv to E of the form 3.2 QUARTZ q i+qj ≤D n i j F(X) = α · Xq +q ij Patarin and Courtois suggested the following pa­ 0≤i≤j rameters for QUARTZ: i q ≤D n q i + βi(v1, . . . , vv ) · X i=0 (F, n, D, a, v) = (GF(2), 103, 129, 3, 4). + γ(v1, . . . , vv), (4) Due to this choice, the public key P of QUARTZ with α ∈ , β : v → being linear and ij E i F E is a quadratic map from 107 to 100. The public γ : v → being a . F F F E of QUARTZ is 71 kB, the private key size Due to the special form of F, the map F¯ = 3 kB. Φ−1 ◦ F ◦ Φ is a quadratic polynomial map from To avoid birthday attacks, Patarin and Courtois de­ n+v to n. To hide the structure of F¯ in the pub­ F F veloped a special procedure for the signature gen­ lic key, one combines it with two affine (or linear) eration process of QUARTZ. Roughly spoken, one maps S : n → n−a and T : n+v → n+v of F F F F computes four HFEv- signatures (for the messages maximal rank. h, H(h||0x00), H(h||0x01) and H(h||0x02)) and combines them to a single 128 bit signature of the The public key of the scheme is the composed map message h. Analogously, during the signature ver­ P = S ◦ F¯ ◦ T : n+v → n−a, the private key F F ification process, one has to use the public key P consists of S, F and T . four times. Signature generation: To generate a signature for a message h ∈ n−a, the signer performs the follow­ F 3.3 Security ing three steps.

n Despite of its rather complicated signature gen­ 1. Compute a preimage x ∈ F of h under the affine map S. eration process, breaking the QUARTZ scheme is still equivalent to breaking the underlying HFEv­ 2. Lift x to the extension field E (using the iso­ morphism Φ). Denote the result by X. scheme. The most important attacks against this Choose random values for the vinegar vari­ scheme are ables v1, . . . , vv ∈ F and compute FV = – the MinRank attack and F(v1, . . . , vv). Solve the univariate polynomial equation – direct algebraic attacks. The MinRank attack on HFE In this para­ For fields of even characteristic we eventually have graph we describe the attack of Kipnis and Shamir to decrease this rank by 1, since over those fields, [18] against the HFE cryptosystem. For the sim­ the matrix PF is always of even rank. The complex­ plicity of our description we restrict ourselves to ity of the MinRank attack against QUARTZ like homogeneous maps F and P. schemes is therefore given roughly by The key observation of the attack is to lift the maps S, T and P to functions S*, T * and P* over the Complexity = O(q n·(r+v+a−1) · (n − a)3). extension field . Since S and T are linear maps, MinRank E (9) S* and T * have the form n−1 n−1 * n q i * n q i S (X) = si · X and T (X) = ti · X , i=1 i=1 Direct attacks For the HFE family of schemes, (5) the direct attack, namely the attack by directly * with coefficients si and ti ∈ E. The function P can solving the public equation P(x) = h by an algo­ be expressed as rithm like XL or a Gr¨obner basis method such as F4 [12] is a ma jor concern due to which happened n−1 n−1 n n i j P*(X) = p* Xq +q = X · P * · XT , (6) to HFE challenge 1 [13]. At the time of the design ij of the QUARTZ scheme, very little was known the­ i=0 j=0 oretically about the complexity of algebraic attacks * * q 0 q 1 q n−1 against the HFE family of systems, in particular, where P = [pij ] and X = (X , X , . . . , X ) . Due to the relation P*(X) = S* ◦ F ◦ T *(X) we the HFEv- schemes. The authors of QUARTZ did get S* −1 ◦ P *(X) = F ◦ T *(X) and not actually give an explanation of their selection of the parameters and therefore the parameter selec­ n−1 tion of their scheme was not supported by theoret­ ˜ n *k T P = sk · G = W · F · W (7) ical results. We need to point out that, as has been k=0 shown by experiments [19], the public systems of HFEv- can be solved easier than random systems. * k * q k with gij = (p i−k mod n,j−k mod n ) , wij = Recently, there has been a fundamental break­ q i through in terms of understanding how algebraic sj−i mod n and F being the n × n matrix repre­ senting the central map F. Note that, due to the attacks on the HFE family of systems [8,9,11] work. special structure of F, the only non zero entries in In particular, we now have a solid insight what hap­ the matrix F are located in the upper left r × r pens in the case of HFEv-. An upper bound for the degeneration degree of a Gr¨obner Basis attack submatrix (r = llogq D − 1J + 1). Since the rank of the matrix W · F · W T is less or against HFEv- is given by [11] equal to r, we can determine the coefficients sk of equation (7) by solving an instance of the MinRank (q−1)·(r−1+a+v) 2 + 2 q even and r + a odd problem. dreg ≤ , (q−1)·(r+a+v) + 2 otherwise In the setting of HFEv-, the rank of this matrix 2 can, for odd characteristic, be bounded from above (10) by [11] where r is given by r = llogq (D − 1)J + 1. Rank(P ) ≤ r + a + v. (8) F Note: In [6] Courtois et al. estimated the com­ 74 Under the assumption that the vinegar maps βi plexity of a direct attack on QUARTZ by 2 oper­ look like random functions, we find that this bound ations. However, they underestimated the degree of is tight. regularity of solving an HFEv- system drastically. 3.4 Efficiency the same can be achieved by a linear transforma­ tion of the variables. So, the smallest value of D The most costly step during the signature gener­ we feel comfortable to use is D = 9, which leads to ation process of QUARTZ is the inversion of the matrices of rank 4. Another promising value for D univariate polynomial equation F over the exten­ is D = 17, which leads to matrices of rank 5. sion field E. This step is usually performed by In this section we present the results of our Berlekamp’s algorithm, whose complexity can be experiments of running direct attacks on HFEv­ estimated by [24] schemes with low degree central maps. By our ex­ periments we want to answer the following ques­ O(D3 + n · D2). (11) tions: Due to the high degree of the HFEv- polynomial used in QUARTZ, the inversion of F is very costly. – Is the upper bound on the degree of regularity Furthermore, we have to perform this step four given by equation (10) reasonable tight? times during the signature generation of QUARTZ. – Can we, for our choices of D, find appropriate Additionally, the design of QUARTZ requires the values of a and v such that the HFEv- scheme central equation F(Y ) = X to have a unique is still intractable? root. Since, after choosing random values for Minus equations and Vinegar variables, F can be seen as In our experiments, we used F = GF(2) as the un­ a random function, this requires about e trials to derlying field. The degree of the HFEv- polynomial obtain a signature. Thus, the QUARTZ signature was chosen to be D ∈ {9, 17} (see above). The scheme is rather slow and it takes about 11 seconds corresponding values of r are 4 and 5 respectively. to generate a signature [5]. Furthermore, we set for simplicity reasons a = v. The theoretical breakthrough mentioned above We created instances of the HFEv- signature indicates that it might be possible to substantially scheme for our two values of D and a = v ∈ improve the original design of QUARTZ without {0, . . . , 5} with MAGMA. Then we fixed a + v of reducing the security of the scheme, if we adapt the variables to get determined systems and tried the number of Minus equations and Vinegar vari­ to solve them with the F4 algorithm integrated in ables in an appropriate way. By reducing the degree MAGMA. of the central HFEv- polynomial we can speed up As we found, it is very important to add the field 2 the operations of Berlekamp’s algorithm and there­ equations (xi − xi = 0 (i = 1, . . . , n − a)) to fore the signature generation process of the HFEv­ the system before running the F4 algorithm. Table scheme. 1 and Figure 2 show the results of our experiments.

As our experiments show, the upper bound on the 4 The New HFEv- design degree of regularity given by equation (10) is rela­ tively tight. In fact, for a = v = 3 we could reach The first question we want to answer in this section the upper bound for n ≥ 41 (D = 9) and n ≥ 43 is the following: How should we choose the degree D (D = 17) respectively. However, shortly after hav­ of the central HFEv- polynomial for Gui? A small ing reached this degree, we ran out of memory. D will speed up the scheme, but choosing D too Furthermore we saw that for both the parameter small might bring the security of the scheme into sets (D, a, v) = (9, 5, 5) and (D, a, v) = (17, 4, 4), jeopardy. HFEv- systems with more than 31 equations have Surely, D = 2 (“Square” systems) or 3 seems to a degree of regularity of ≥ 7 (although we do not be a bad choice, since such small values of D would have enough memory to solve these systems com­ lead to maps F of rank 2. For D = 5 and D = 7 pletely). 5 The New Multivariate Signature The number of non zero elements in each row can zn−ae 12 Scheme Gui be estimated by τ = 2 > 2 . Therefore we get for the complexity of a direct attack against one of Based on our experiments presented in the previ­ our schemes ous section we propose two different versions of Complexity ≥ 3 · τ · T 2 > 280.7. (12) our HFEv- based signature scheme over the field F4/F5 GF(2): Note that this number is very optimistic since we assume that the degree of regularity will not – Gui-95 with (n, D, a, v) = (95, 9, 5, 5) with 90 rise above 7. Additionally, for better compari­ equations in 100 variables and son to standard signature schemes, we propose a – Gui-94 with (n, D, a, v) = (94, 17, 4, 4) with 90 third version of Gui, Gui-127, with the parameters equations in 98 variables (n, D, a, v) = (127, 9, 4, 6), providing design secu­ The complexity of direct attacks against these two rity levels of 120 bits. schemes can be estimated as follows. Similarly to QUARTZ, we must repeat the According to our experiments, the degree of reg­ HFEv- core map several times to avoid birthday attacks against Gui. One has to sign different hash ularity of the F4 algorithm against these schemes will be at least 7. values of the same message and combine the out­ The number T of top-level monomials in the solving puts into a single signature. Here, we follow closely the design of QUARTZ and apply the core HFEv­ step of the F4 algorithm is therefore given by operation 4, 3 and 4 times respectively for Gui-94, n − a 90 -95 and -127. The resulting key and signature sizes T = ≥ ≥ 233.6 dreg 7 for our scheme can be seen from Table 3.

D=9 D=17 120 120

100 100

80 80

a=v=5 a=v=5

60 a=v=4 60 a=v=4 a=v=3 a=v=3 (running time) (running (running time) (running 2 2 a=v=2 a=v=2 40 40 log log a=v=1 a=v=1

20 20

0 0 0 20 40 60 80 100 120 0 20 40 60 80 100 120 # equations # equations

Fig. 2. Results of our experiments with the F4 algorithm against HFEv- schemes (D ∈ {9, 17}) # equations 20 25 30 32 theoretical degree of regularity (formula (10)) ≤ 6 parameters (n,D,a,v) (23,9,3,3) (28,9,3,3) (33,9,3,3) (35,9,3,3) a = v = 3 dreg 5 5 5 5 time (s) 2.6 179 2,899 28,746 HFEv­ theoretical degree of regularity (formula (10)) ≤ 8 system parameters (n,D,a,v) (24,9,4,4) (29,9,4,4) (34,9,4,4) (36,9,4,4) a = v = 4 D=9 dreg 5 6 6 6 time (s) 2.7 244 31,537 102,321 theoretical degree of regularity (formula (10)) ≤ 8 parameters (n,D,a,v) (25,9,5,5) (30,9,5,5) (35,9,5,5) (47,9,5,5) a = v = 5 dreg 5 6 6 7 time (s) 2.8 255 32,481 ooM 1 theoretical degree of regularity (formula (10)) ≤ 7 parameters (n,D,a,v) (23,17,3,3) (28,17,3,3) (33,17,3,3) (35,17,3,3) a = v = 3 dreg 5 6 6 6 time (s) 2.4 245 28,768 87,726 HFEv­ theoretical degree of regularity (formula (10)) ≤ 8 system parameters (n,D,a,v) (24,17,4,4) (29,17,4,4) (34,17,4,4) (36,17,4,4) a = v = 4 D=17 dreg 5 6 6 7 time (s) 2.4 248 31,911 ooM 1 theoretical degree of regularity (formula (10)) ≤ 9 parameters (n,D,a,v) (25,17,5,5) (30,17,5,5) (35,17,5,5) (37,17,5,5) a = v = 5 dreg 5 6 6 7 time (s) 2.4 250 32,350 ooM 1

for comparison: dreg 5 6 6 7 random system time (s) 3.5 310 32,533 ooM 1 1) out of memory

Table 1. Results of our experiments with the F4 algorithm against HFEv- schemes (D ∈ {9, 17})

6 Implementation and Comparison in the latest Intel Haswell cpu (lantency 7 cycles, throughput 2 cycles)[15]. 6.1 Arithmetics over Finite Fields In our targeted field size (≤ 128 bit), we choose Karatsuba algorithm to avoid 3 calls of Large binary field operations with PCLMULQDQ PCLMULQDQ in the multiplication phase. The reduc­ Time records for arithmetic operations over large tion phase of the field multiplication is heavily re­ binary fields were changed since the emerging lated to the field representation. For the original of new instructions of carry-less multiplication: QUARTZ (GF(2103)) the authors used GF(2103) := PCLMULQDQ [27]. Although we would rely on GF(2)[x]/(x103+x9+1) [21]. For Gui, we choose the PCLMULQDQ to take the burden off from multiplica­ field representations GF(294) := GF(2)[x]/(x94 + tion, in some cases old tricks help to avoid the use x21 + 1), GF(295) := GF(2)[x]/(x95 + x11 + 1) and of PCLMULQDQ and therefore its long latency even GF(2127) := GF(2)[x]/(x127 + x + 1) respectively. In the GF(2127) case, for example, reduction costs By multiplying Y to the naive relation Y D = 128 y 2i +2j only 2 128-bit shifts for the x part and 1 con­ 0≤i≤j,2i+2j

n We can further reduce the number of computa- 2 m gcd(F(Y ) − X, Y − Y ) tions by raising the Y 2 with a higher degree i 2m 24m = gcd(F(Y ) − X, (Y − i)) Y table. For example, if we raise Y to Y in one step, the number of multiplications be­ i∈F2n ,i =0 comes O((n − m) · D: squ + (n−m) · D2: mul), = (Y − i), 2 but the computation for preparing the Y i table i:F(i)=X increases. Table 2 shows the time needed to com­ n pute gcd(Y 2 − Y , F(Y )) on two different CPUs. and therefore the main process in creating a signa­ n ture is to compute gcd(F(Y ) − X, Y 2 − Y ). The scheme security time needed for number of roots to F(Y ) = X (as well as the only level (bit) inverting F (kilo-cycles) 1 solution when that happens) can obviously be read HFEv-(95,9,5,5) 80 159 / 135 off from the result. HFEv-(94,17,4,4) 80 533 / 453 HFEv-(103,129,3,4) 80 25,793 / 20,784 HFEv-(127,9,4,6) 123 170 / 156 How do we optimize the computation of the 1 [1] running time on AMD Opteron 6212, 2.5 GHz / gcd? The main computation consumption in this Intel Xeon CPU E5-2620, 2.0 GHz step comes from the division of the extreme high n 2 n power polynomial Y − Y mod F(Y). Naive long Table 2. Time to compute gcd(Y 2 − Y, F(Y )) for division is unacceptable due to its slow reduction HFEv- instances pace. Instead, we choose to recursively raise the m lower degree polynomial Y 2 to the power of 2. 6.3 Experiments and Comparison m (Y 2 mod F(Y ))2 mod F(Y ) Table 3 shows key sizes and running time for sig­ n i 2 = ( biY ) mod F(Y ) nature generation and verification of Gui and com­ i<2m pares these data with those of some standard signa­

n 2 2i ture schemes. The data are benchmarked according = ( bi Y ) mod F(Y ) i<2m to specifications given by the eBACS pro ject [3]. scheme security public key private key signature signing time verify time level(bits) size (Bytes) size (Bytes) size(bits) (k-cycles) 1 (k-cycles) 1 Gui-95 (95,9,5,5) 80 60,600 3,053 120 1,479/1,186 325/230 Gui-94 (94,17,4,4) 80 58,212 2,943 124 4,945/5,421 357/253 Gui-127 (127,9,4,6) 123 142,576 5,350 160 1,966/1,249 707/427 QUARTZ (103,129,3,4) 80 75,514 3,774 128 167,485/168,266 375/235 RSA-1024 80 128 128 128 2,080/1,058 74/ 32 RSA-2048 112 256 256 256 8,834/5,347 138/ 76 ECDSA P160 80 40 60 320 1,283/ 558 1,448/635 ECDSA P192 96 48 72 384 1,513/ 773 1,715/867 ECDSA P256 128 64 96 512 830/ 388 2,111/920 1 Tested on AMD Opteron 6212, 2.5 GHz / Intel Xeon CPU E5-2620, 2.0 GHz

Table 3. Comparison between Gui and standard signature schemes

We should note that the timings for Gui given mal implementation of HFEv- (Gui) and compare by Table 3 are for C programs with a few intrin­ it with some of the best optimized code for ECC sic function calls to invoke PCLMULQDQ. The PKCs and RSA, such as Ed25519 [2]. The other would be benchmarked in the eBACs pro ject (represented by to verify such optimal Gui code for formal correct­ the eBATs programs as their implementations) also ness. In short, we believe that there is still much to do not represent optimal implementations of RSA be done about the HFEv- digital signature schemes. and ECC. We present these numbers in an effort to compare apples to apples by using only reference References implementations. 1. D.J. Bernstein, J. Buchmann, E. Dahmen (eds.): 7 Conclusion and Future Work Post . Springer, 2009. 2. D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and In this paper, we analyzed the behavior of direct B.-Y. Yang, High-speed high-security signatures, J. Cryptographic Engineering 2:2, pp. 77-89 (2012). attacks against the HFEv- signature scheme. Ex­ 3. D.J. Bernstein and T. Lange (editors). eBACS: periments show that the upper bound on the degree ECRYPT Benchmarking of Cryptographic Sys­ of regularity found by Ding and Yang in [11] is rel­ tems. http://bench.cr.yp.to, accessed 14 May 2014. atively tight. Based on our results, we can give 4. A. Bogdanov, T. Eisenbarth, A. Rupp, C. Wolf. new recommendations on the parameter choice of Time-area optimized public-key engines: MQ­ HFEv- based schemes, by which it is possible to as replacement for elliptic curves? speed up the signature generation process by two CHES 2008, LNCS vol. 5154, pp. 45-61. Springer, orders of magnitude (nearly 150×) compared to 2008. the original QUARTZ. We name our new design 5. A.I.T. Chen, M.-S. Chen, T.-R. Chen, C.-M. Cheng, J. Ding, E. L.-H. Kuo, F. Y.-S. Lee, B.-Y. Gui and show that the running time of Gui is Yang. SSE implementation of multivariate PKCs comparable to that of standard signature schemes, on modern x86 cpus. CHES 2009, LNCS vol. 5747, including signatures on elliptic curves. pp. 33 - 48. Springer, 2009. 6. N.T. Courtois, M. Daum, P. Felke: On the Security The most obvious future work would be to cre­ of HFE, HFEv- and QUARTZ. PKC 2003, LNCS ate for every common existing platform an opti­ vol. 2567, pp. 337 - 350. Springer 2003. 7. J. Ding, J. E. Gower, D. S. Schmidt: Multivariate ISA 2011, Communications in Computer and In­ Public Key Cryptosystems. Springer, 2006. formation Science vol. 200, pp. 123-131. Springer 8. J. Ding, T. Hodges: Inverting HFE Systems Is 2011. Quasi-Polynomial for All Fields. CRYPTO 2011, 20. T. Matsumoto, H. Imai: Public quadratic LNCS vol. 6841, pp. 724-742. Springer 2011. polynomial-tuples for efficient signature- 9. J. Ding, T. Kleinjung: Degree of regularity for verification and message-. EURO­ HFE-. IACR eprint 2011/570. CRYPT 1988. LNCS vol. 330, pp. 419-453. 10. J. Ding, D. S. Schmidt: Rainbow, a new multi­ Springer 1988. variate polynomial signature scheme. ACNS 2005, 21. J. Patarin, N. Courtois, L. Goubin: QUARTZ, 128­ LNCS vol. 3531, pp. 164-175. Springer 2005. Bit Long Digital Signatures. CTRSA 2001, LNCS 11. J. Ding, B.Y. Yang: Degree of Regularity for HFEv vol. 2020, pp. 282-297. Springer, 2001. and HFEv-. PQCrypto 2013, LNCS vol. 7932, pp. 22. J. Patarin, N. Courtois, L. Goubin: Flash, a fast 52-66. Springer, 2013. multivariate signature algorithm. CTRSA 2001, 12. J.C. Faug`ere: A new efficient algorithm for com­ LNCS vol. 2020, pp. 298 - 307. Springer, 2001. puting Gr¨obner bases (F4). Journal of Pure and 23. J. Patarin: of the Matsumoto and Applied Algebra 139, pp. 61-88 (1999). Imai public key scheme of Eurocrypt 88. CRYPTO 13. J.C. Faug`ere, A. Joux: Algebraic Cryptanalysis of 95. LNCS vol. 963, pp. 248 - 261. Springer 1995. Hidden Field Equation (HFE) Cryptosystems Us­ 24. C. Richards: Algorithms for Factoring Square-Free ing Gr¨obner Bases. CRYPTO 2003, LNCS vol. Polynomials over Finite Fields. Master Thesis, Si­ 2729, pp. 44-60. Springer 2003. mon Fraser University (Canada), 2009. 14. M. R. Garey and D. S. Johnson: Computers and 25. R. L. Rivest, A. Shamir, L. Adleman: A Method Intractability: A Guide to the Theory of NP- for Obtaining Digital Signatures and Public-Key Completeness. W.H. Freeman and Company 1979. 15. Intel Corporation, Hashwell Cryptographic Perfor­ Cryptosystems. Commun. ACM 21 (2), pp. 120­ mance. 126 (1978). http://www.intel.com/content/dam/www/public/ 26. P. Shor: Polynomial-Time Algorithms for Prime us/en/documents/white-papers/haswell­ Factorization and Discrete Logarithms on a Quan­ cryptographic-performance-paper.pdf tum Computer, SIAM J. Comput. 26 (5), pp. 1484 16. D. Kravitz: Digital Signature Algorithm. US patent - 1509 (1997). 5231668 (July 1991). 27. J. Taverne, A. Faz-Hern`andez, D. F. Aranha, F. 17. A. Kipnis, L. Patarin, L. Goubin: Unbalanced Oil Rodrquez-Henr¨ıquez, D. Hankerson, J. L´opez: Soft­ and Vinegar Schemes. EUROCRYPT 1999, LNCS ware Implementation of Binary Elliptic Curves: Im­ vol. 1592, pp. 206–222. Springer 1999. pact of the Carry-Less Multiplier on Scalar Multi­ 18. A. Kipnis, A. Shamir: Cryptanalysis of the HFE plication. CHES 2011, LNCS vol. 6917, pp. 108­ Public Key Cryptosystem. CRYPTO 99, LNCS vol. 123. Springer 2011. 1666, pp. 19 - 30. Springer 1999. 28. http://en.wikipedia.org/wiki/ 19. M. S. E. Mohamed, J. Ding and J. Buchmann: To­ File:CMOC Treasures of Ancient China exhibit wards Algebraic Cryptanalysis of HFE Challenge 2, white pottery gui 1.jpg, Wikipedia.