
Gui: Revisiting Multivariate Digital Signature Schemes based on HFEv-

No Author Given

No Institute Given

Abstract. The QUARTZ digital signature scheme (Patarin, Courtois and Goubin, 2001) is one of the best known multivariate PKCs, based on an adaptation of “Hidden Field Equations with vinegar-minus” for very short signatures. Designed for an 80-bit security level, QUARTZ has no known flaws and is currently estimated to have a security level $\sim 2^{92}$.
QUARTZ was never widely used, probably due to its slow signing speed. The authors of QUARTZ had chosen ultra-safe parameters in 2001, based on what they knew about HFEv-. In this paper, we show how to choose parameters to speed up such schemes at 80- and 128-bit security levels given the new research on HFEv- security levels since then.
We show that reducing the degree of the central HFE polynomial, when combined with an appropriate increase in the number of Vinegar variables and minus equations, does not decrease the security of the scheme compared to the original QUARTZ design. This is backed up both with theory and with experiments. We achieve a speed-up of the signature generation process by two orders of magnitude. We call our new design Gui and show that the performance of Gui is comparable to that of standard signature schemes, including signatures on elliptic curves.

Keywords: Multivariate Cryptography, QUARTZ Signature Scheme, HFEv-, Direct Algebraic Attacks

1 Introduction

Cryptographic techniques are an essential tool to guarantee the security of communication in modern society. Today, the security of nearly all of the cryptographic schemes used in practice is based on number theoretic problems such as factoring large integers and solving discrete logarithms. The best known schemes in this area are RSA [25], DSA [16] and ECC. However, schemes like these will become insecure as soon as large enough quantum computers arrive. The reason for this is Shor’s algorithm [26], which solves number theoretic problems like integer factorization and discrete logarithms in polynomial time on a quantum computer. Therefore, one needs alternatives to those classical public key schemes, based on hard mathematical problems not affected by quantum computer attacks.

Besides lattice, code and hash based cryptosystems, multivariate cryptography is one of the main candidates for this [1]. Multivariate schemes are in general very fast and require only modest computational resources, which makes them attractive for the use on low cost devices like smart cards and RFID chips [4,5]. Additionally, at least in the area of digital signatures, there exists a large number of practical multivariate schemes [10,17].

In 2001, Patarin and Courtois proposed a multivariate signature scheme called QUARTZ [21], which is based on the concept of HFEv-. While QUARTZ produces very short signatures (128 bit), the signature generation process is very slow (at the time about 11 seconds per signature [5]). The main reason for this is the use of a high degree HFE polynomial (for QUARTZ this degree is given by D = 129), which makes the inversion of the central map very costly.

At the time of the design of the QUARTZ scheme, very little was known about the complexity of algebraic attacks against the HFE family of systems, in particular, the HFEv- schemes. Therefore, the authors of QUARTZ could not base their parameter choice on theoretical foundations.

Recently, there has been a fundamental breakthrough in terms of understanding the behavior of algebraic attacks on the HFE family of systems [8,9,11], which enables us to substantially improve the original design of QUARTZ without reducing its security. In this paper, we propose to choose new parameter sets for more efficient HFEv- based signature schemes for the low (80-bit) and high (112+-bit) security levels. We achieve this by reducing the degree of the central HFEv- polynomial while increasing the number of vinegar variables and minus equations.

Under state-of-the-art theoretical and experimental analysis, this adaptation should not cost us in terms of security, compared to conservative choices like the original QUARTZ design. Referring to a 3-legged Chinese utensil [28] dating back to earthenware pottery from the 4000-year-old Longshan culture, we call our new scheme Gui. We show that our new design speeds up the signature generation process by two orders of magnitude compared to QUARTZ, and has comparable performance to standard signature schemes like RSA and ECDSA.

The rest of this paper is organized as follows. In Section 2 we give an introduction into the area of multivariate cryptography and in particular BigField signature schemes. Section 3 introduces the HFEv- signature scheme and the changes made to this scheme by Patarin and Courtois when defining QUARTZ. Furthermore, in this section, we give a short overview on the security and efficiency of QUARTZ. Section 4 presents the results of our experiments with direct attacks against low degree versions of HFEv-. Based on these results, we propose in Section 5 our new multivariate signature scheme Gui. Section 6 gives details on the implementation and compares the efficiency of Gui with that of some standard signature schemes. Finally, Section 7 concludes the paper.

2 Multivariate Cryptography

The basic objects of multivariate cryptography are systems of multivariate quadratic polynomials. The security of multivariate schemes is based on the

MQ Problem: Given $m$ multivariate quadratic polynomials $p^{(1)}(x), \dots, p^{(m)}(x)$ in $n$ variables $x_1, \dots, x_n$, find a vector $\bar{x} = (\bar{x}_1, \dots, \bar{x}_n)$ such that $p^{(1)}(\bar{x}) = \dots = p^{(m)}(\bar{x}) = 0$.

The MQ problem (for $m \approx n$) is proven to be NP-hard even for quadratic polynomials over the field GF(2) [14].

To build a public key cryptosystem based on the MQ problem, one starts with an easily invertible quadratic map $\mathcal{F} : \mathbb{F}^n \to \mathbb{F}^m$ (central map). To hide the structure of $\mathcal{F}$ in the public key, one composes it with two invertible affine (or linear) maps $\mathcal{S} : \mathbb{F}^m \to \mathbb{F}^m$ and $\mathcal{T} : \mathbb{F}^n \to \mathbb{F}^n$. The public key is therefore given by $\mathcal{P} = \mathcal{S} \circ \mathcal{F} \circ \mathcal{T}$. The private key consists of $\mathcal{S}$, $\mathcal{F}$ and $\mathcal{T}$ and therefore allows one to invert the public key.

Note: Due to the above construction, the security of multivariate schemes is not only based on the MQ-Problem but also on the EIP-Problem (“Extended Isomorphisms of Polynomials”) of finding the composition of $\mathcal{P}$.

In this paper we concentrate on multivariate signature schemes of the BigField family. For this type of multivariate schemes, the map $\mathcal{F}$ is a specially chosen easily invertible map over a degree $n$ extension field $\mathbb{E}$ of $\mathbb{F}$. One uses an isomorphism $\Phi : \mathbb{F}^n \to \mathbb{E}$ to transform $\mathcal{F}$ into a quadratic map

$$\bar{\mathcal{F}} = \Phi^{-1} \circ \mathcal{F} \circ \Phi \tag{1}$$

from $\mathbb{F}^n$ to itself. The public key of the scheme is therefore given by

$$\mathcal{P} = \mathcal{S} \circ \bar{\mathcal{F}} \circ \mathcal{T} = \mathcal{S} \circ \Phi^{-1} \circ \mathcal{F} \circ \Phi \circ \mathcal{T} : \mathbb{F}^n \to \mathbb{F}^n. \tag{2}$$

The standard signature generation and verification process of a multivariate BigField scheme works as shown in Figure 1.

[Figure: diagram with the parts "Signature Generation" and "Signature Verification"]
Fig. 1. General workflow of BigField schemes

Signature generation: To sign a message $h \in \mathbb{F}^n$, one computes recursively $x = \mathcal{S}^{-1}(h) \in \mathbb{F}^n$, $X = \Phi(x) \in \mathbb{E}$, $Y = \mathcal{F}^{-1}(X) \in \mathbb{E}$, $y = \Phi^{-1}(Y) \in \mathbb{F}^n$ and $z = \mathcal{T}^{-1}(y)$. The signature of the message $h$ is $z \in \mathbb{F}^n$.

Verification: To check the authenticity of a signature $z \in \mathbb{F}^n$, one simply computes $h' = \mathcal{P}(z) \in \mathbb{F}^n$. If $h' = h$ holds, the signature is accepted, otherwise rejected.

A good overview on existing multivariate schemes can be found in [7]. Two widely used variations of multivariate BigField schemes are the Minus variation and the use of additional (Vinegar) variables.

Minus-Variation: The idea of this variation is to remove a small number of equations from the public key. The Minus-Variation was first used in schemes like SFLASH [22] to prevent Patarin's Linearization Equations attack [23] against the Matsumoto-Imai cryptosystem [20].

Vinegar-Variation: The idea of this variation is to parametrize the central map $\mathcal{F}$ by adding (a small set of) additional (Vinegar) variables. In the context of multivariate BigField schemes, the Vinegar variation can be used to increase the security of the scheme against direct and rank attacks.

3 The QUARTZ Signature Scheme

QUARTZ is a multivariate signature scheme standardized by Patarin and Courtois in [21]. Roughly speaking, it is an HFEv- scheme with a specially designed signature generation process to enable secure short signatures of length 128 bit.

3.1 The HFEv- Signature Scheme

Let $\mathbb{F} = \mathbb{F}_q$ be a finite field with $q$ elements and $\mathbb{E}$ be a degree $n$ extension field of $\mathbb{F}$. Furthermore, we choose integers $D$, $a$ and $v$. Let $\Phi$ be the canonical isomorphism between $\mathbb{F}^n$ and $\mathbb{E}$, i.e.

$$\Phi(x_1, \dots, x_n) = \sum_{i=1}^{n} x_i \cdot X^{i-1}. \tag{3}$$

[...] $\mathcal{F}_V(Y) = X$ by Berlekamp’s algorithm and compute $y' = \Phi^{-1}(Y) \in \mathbb{F}^n$. Set $y = (y' \| v_1 \| \dots \| v_v)$.

3. Compute the signature $z \in \mathbb{F}^{n+v}$ by $z = \mathcal{T}^{-1}(y)$.

Signature verification: To check the authenticity of a signature $z \in \mathbb{F}^{n+v}$, one simply computes $h' = \mathcal{P}(z) \in \mathbb{F}^{n-a}$. If $h' = h$ holds, the signature is accepted, otherwise rejected.
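
The BigField workflow of Section 2 (Fig. 1 and equations (1) to (3)), carried through on a toy instance as an added example; it is not code from the paper or from any Gui or QUARTZ implementation. Assumptions: the field sizes q = 2 and n = 5, the modulus, the matrices S and T, and the central map X^3 (a Matsumoto-Imai style monomial standing in for the HFEv- polynomial, with no Minus or Vinegar modification) are all chosen here for illustration and offer no security.

```python
from functools import reduce

# Toy sizes, insecure: F = GF(2), E = GF(2^5) = F[X]/(X^5 + X^2 + 1).
N, MOD = 5, 0b100101
# Assumed private key: S, T invertible GF(2) matrices (row bitmasks) and the
# central map F(X) = X^3, inverted by Y -> Y^21 because 3 * 21 = 1 mod (2^5 - 1).
S = [0b00001, 0b00011, 0b00110, 0b01101, 0b11010]
T = [0b10101, 0b01010, 0b11100, 0b11000, 0b10000]

def gf_mul(a, b):  # bit i-1 of an int = coefficient x_i of X^(i-1), i.e. Phi of eq. (3)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= MOD          # reduce modulo X^5 + X^2 + 1
    return r

def gf_pow(a, e):
    return a if e == 1 else gf_mul(a, gf_pow(a, e - 1))

def lin(rows, x):  # matrix-vector product over GF(2)
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))

def lin_inv(rows, y):  # solve rows * x = y by Gauss-Jordan elimination
    aug = [r | ((y >> i & 1) << N) for i, r in enumerate(rows)]
    for col in range(N):
        piv = next(i for i in range(col, N) if aug[i] >> col & 1)
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(N):
            if i != col and aug[i] >> col & 1:
                aug[i] ^= aug[col]
    return sum((aug[i] >> N & 1) << i for i in range(N))

def public_map(z):  # P = S o Phi^-1 o F o Phi o T, eq. (2)
    return lin(S, gf_pow(lin(T, z), 3))

def sign(h):
    x = lin_inv(S, h)                    # x = S^-1(h)
    return lin_inv(T, gf_pow(x, 21))     # Y = F^-1(Phi(x)), z = T^-1(Phi^-1(Y))

def verify(h, z):
    return public_map(z) == h            # accept iff h' = P(z) equals h

def public_degree():
    # ANF coefficient of monomial m is the XOR of P(z) over all z contained in m.
    coeff = lambda m: reduce(int.__xor__, (public_map(z) for z in range(m + 1) if z & ~m == 0))
    return max(bin(m).count("1") for m in range(1 << N) if coeff(m))
```

`public_degree()` returns 2: although the central map is a cubic monomial over E, the published map is a system of quadratic polynomials over F, which is what ties the scheme to the MQ problem.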