From 5-Pass MQ-Based Identification to MQ-Based Signatures

This paper presents MQDSS, the first signature scheme with a security reduction based on the problem of solving a multivariate system of quadratic equations (the $\mathcal{MQ}$ problem). In order to construct this scheme we give a new security reduction for the Fiat-Shamir transform from a large class of 5-pass identification schemes and show that a previous attempt from the literature to obtain such a proof does not achieve the desired goal. We give concrete parameters for MQDSS and provide a detailed security analysis showing that the resulting instantiation MQDSS-31-64 achieves 128 bits of post-quantum security. Finally, we describe an optimized implementation of MQDSS-31-64 for recent Intel processors with full protection against timing attacks and report benchmarks of this implementation.
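The construction the abstract describes, as an added illustration that is not the paper's MQDSS code: one round of the 5-pass MQ identification scheme of Sakumoto, Shirai and Hiwatari (the protocol MQDSS builds on), with both verifier challenges replaced by hashes of the transcript in the Fiat-Shamir style. The parameters (q = 31 but only n = m = 6), the single round, the plain SHA-256 commitments without blinding and the challenge-hash domain tags are assumptions made for readability; MQDSS-31-64 uses n = m = 64, many parallel rounds and its own commitment and hashing details, none of which are reproduced here.

```python
"""Toy one-round Fiat-Shamir signature built from the 5-pass MQ identification
scheme of Sakumoto, Shirai and Hiwatari, the protocol MQDSS is built on.
Added illustration, not the MQDSS reference implementation: q=31 with n=m=6,
a single round and unblinded SHA-256 commitments are chosen for readability
and give no meaningful security."""
import hashlib
import random
import secrets

Q = 31   # field GF(31); MQDSS-31-64 also uses q=31 (with n=m=64 and many rounds)
N = 6    # number of variables (toy value)
M = 6    # number of equations (toy value)

def vadd(x, y): return [(a + b) % Q for a, b in zip(x, y)]
def vsub(x, y): return [(a - b) % Q for a, b in zip(x, y)]
def vscale(a, x): return [(a * c) % Q for c in x]

def gen_system(seed):
    """Public random MQ system F: GF(q)^n -> GF(q)^m with quadratic terms only.
    sys[k][i][j] (i <= j) is the coefficient of x_i*x_j in the k-th polynomial."""
    rng = random.Random(seed)
    return [[[rng.randrange(Q) if i <= j else 0 for j in range(N)]
             for i in range(N)] for _ in range(M)]

def F(sys, x):
    """Evaluate the MQ system at x."""
    return [sum(sys[k][i][j] * x[i] * x[j] for i in range(N) for j in range(i, N)) % Q
            for k in range(M)]

def G(sys, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y). For a purely quadratic F it
    is bilinear, which is what lets the verifier recompute the commitments."""
    return [(a - b - c) % Q
            for a, b, c in zip(F(sys, vadd(x, y)), F(sys, x), F(sys, y))]

def com(*parts):
    """Commitment to lists of field elements (toy: a bare hash, no blinding)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(bytes(p))
    return h.digest()

def challenge_alpha(msg, c0, c1):
    """Pass 2 made non-interactive: alpha in GF(q) from message and commitments."""
    return int.from_bytes(hashlib.sha256(b"alpha" + msg + c0 + c1).digest(), "big") % Q

def challenge_bit(msg, c0, c1, t1, e1):
    """Pass 4 made non-interactive: binary challenge from the transcript so far."""
    return hashlib.sha256(b"ch" + msg + c0 + c1 + bytes(t1) + bytes(e1)).digest()[0] & 1

def keygen(seed=1):
    sys = gen_system(seed)
    s = [secrets.randbelow(Q) for _ in range(N)]   # secret solution s
    return (sys, F(sys, s)), s                      # pk = (F, v = F(s)), sk = s

def sign(pk, s, msg):
    sys, v = pk
    r0 = [secrets.randbelow(Q) for _ in range(N)]
    t0 = [secrets.randbelow(Q) for _ in range(N)]
    e0 = [secrets.randbelow(Q) for _ in range(M)]
    r1 = vsub(s, r0)                                  # s = r0 + r1
    c0 = com(r0, t0, e0)                              # pass 1: commitments
    c1 = com(r1, vadd(G(sys, t0, r1), e0))
    alpha = challenge_alpha(msg, c0, c1)              # pass 2
    t1 = vsub(vscale(alpha, r0), t0)                  # pass 3: responses
    e1 = vsub(vscale(alpha, F(sys, r0)), e0)
    ch = challenge_bit(msg, c0, c1, t1, e1)           # pass 4
    return (c0, c1, t1, e1, r0 if ch == 0 else r1)    # pass 5: open one side

def verify(pk, msg, sig):
    sys, v = pk
    c0, c1, t1, e1, resp = sig
    alpha = challenge_alpha(msg, c0, c1)
    ch = challenge_bit(msg, c0, c1, t1, e1)
    if ch == 0:  # resp = r0: recompute t0 = alpha*r0 - t1 and e0 = alpha*F(r0) - e1
        return c0 == com(resp, vsub(vscale(alpha, resp), t1),
                         vsub(vscale(alpha, F(sys, resp)), e1))
    # resp = r1: alpha*(v - F(r1)) - G(t1, r1) - e1 equals G(t0, r1) + e0 because
    # v = F(r0 + r1) = F(r0) + F(r1) + G(r0, r1) and G is bilinear
    x = vsub(vsub(vscale(alpha, vsub(v, F(sys, resp))), G(sys, t1, resp)), e1)
    return c1 == com(resp, x)

if __name__ == "__main__":
    pk, sk = keygen()
    sig = sign(pk, sk, b"hello")
    print("valid:", verify(pk, b"hello", sig))
```

A single round of the interactive protocol has soundness error 1/2 + 1/(2q), so a real signature runs many rounds in parallel and derives all of the alpha values from one hash and all of the binary challenges from a second; the two hash-derived challenges per round are exactly what distinguishes this from the 3-pass Fiat-Shamir setting, and the abstract's new security reduction is about that 5-pass case.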
