Ultra-Short Multivariate Public Key Signatures

In this paper we study multivariate public key signature schemes with “ultra”-short signatures. To do so, we allow signing and verifying a signature to require up to 1 minute of computation on a modern personal computer. Of course, very close results would be obtained for times around one second, at the cost of 6 to 10 more bits in the signatures, and more generally a trade-off can be found between computation time and signature size at each security level. Although a time of one minute is much larger than the time required by general-purpose multivariate signature schemes such as Quartz or GeMSS, it enables us to reach ultra-short signature lengths: for instance, signatures around 70 bits long for a security level of 80 bits. Two main issues arise when one wants to build a signature scheme with ultra-short signatures: avoiding the birthday paradox attack, and being able to sign arbitrarily long messages; this paper gives ways to overcome both. In a first part, we describe the attacks against multivariate public key signatures and use them to compute the minimal parameters that an ultra-short signature scheme would need. In a second part, we give an explicit example of such an ultra-short signature scheme using HFE-like algorithms. Finally, we give parameters for several security levels: 80, 90 and 100 bits, and the classic 128, 192 and 256 bits; for each of them, we propose different choices of finite fields.
