Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes

Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes Albrecht Petzoldt, Stanislav Bulygin and Johannes Buchmann TU Darmstadt, Germany PQCrypto 2013 Limoges, France 05. June 2013


Transcript of Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes

Page 1: Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes

Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes

Albrecht Petzoldt, Stanislav Bulygin and Johannes Buchmann
TU Darmstadt, Germany

PQCrypto 2013, Limoges, France

05. June 2013

Page 2

Outline

1. Motivation: Multivariate Cryptography
2. The UOV Signature Scheme
3. UOV Schemes with partially circulant Public Key
4. The Verification Process
5. Extension to Rainbow
6. Hybrid approach and Application to QUAD (eprint)
7. Experiments and Results
8. Conclusion

05.06.2013 | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 2

Page 3

Multivariate Cryptography

Problem MQ: Finding a vector such that

is a hard task.

Page 4

Multivariate Cryptography (2)

Construction

• Start with an easily invertible quadratic map (central map)

• Combine it with two invertible affine maps and

• The public key is supposed to look like a random system

Page 5

Multivariate Cryptography (3)

Signature Schemes

Signature generation: For a hash value compute recursively , and . The signature of the document is .

Signature verification: To verify the authenticity of a signature , one computes . If holds, the signature is accepted, otherwise it is rejected.

Page 6

Multivariate Cryptography (4)

Advantages:
• Secure against attacks with quantum computers
• Great diversity of schemes and variations
• Enables fast en- and decryption as well as signature generation and verification
• Requires modest computational resources, so it can be implemented on low-cost smart cards

Page 7

Multivariate Cryptography (5)

Major Drawbacks
• Relatively young field of research: security is not so well understood
• No explicit parameter choices to meet given security levels are known
• Large size of the public and private keys

Multivariate cryptography is not yet widely spread

Page 8

The UOV Signature Scheme

Two types of variables: Vinegar and Oil, $V = \{x_1, \ldots, x_v\}$ and $O = \{x_{v+1}, \ldots, x_{v+o}\}$

Central map

[Figure: coefficient structure of the central map, with blocks labelled VV, OV, OO, linear and constant; each of the o equations is linear in O]

Inversion of

1. Choose the Vinegar variables at random
2. Solve the resulting linear system for the Oil variables

Public Key: with an affine map . Private Key: , .

Page 9

Partially Circulant UOV Schemes

Page 10

Partially Circulant UOV Schemes (2)

[Figure: Macaulay matrix M_P containing the block B, and M_F containing a zero block]

Page 11

Partially Circulant UOV Schemes (2)

[Figure: M_P with blocks labelled B, A and H; M_F with blocks labelled H, 0 and linear terms]

Page 12

Partially Circulant UOV Schemes (2)

[Figure: M_P with blocks labelled B and C; M_F with blocks labelled H, 0 and linear terms]

Page 13

The verification process (1)

Standard approach: signature vector and Macaulay matrix

Page 14

The verification process (2)

Alternative approach: extended signature vector and matrix MP(k)

Page 15

Example (o,v)=(2,4)

$$= (a s_1,\; b s_1 + g s_2,\; c s_1 + h s_2 + l s_3,\; d s_1 + i s_2 + m s_3 + p s_4,\; e s_1 + j s_2 + n s_3 + q s_4 + \ldots,\; f s_1 + k s_2 + o s_3 + r s_4 + \ldots,\; \ldots) \cdot (s_1, \ldots, s_6, 1)^T$$

$$= (r s_1,\; a s_1 + f s_2,\; b s_1 + g s_2 + k s_3,\; c s_1 + h s_2 + l s_3 + o s_4,\; d s_1 + i s_2 + m s_3 + p s_4 + \ldots,\; e s_1 + j s_2 + n s_3 + q s_4 + \ldots,\; \ldots) \cdot (s_1, \ldots, s_6, 1)^T$$
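Both verification approaches on the (o,v)=(2,4) example above, as an added Python example (not the authors' C implementation): a toy partially circulant public key over GF(31) is constructed with a fixed seed, the standard approach multiplies the coefficient row by the full monomial vector, and the alternative approach evaluates (s,1)·MP(k)·(s,1)^T. The shift recursion used for the row vector (s,1)·MP(k) is my reading of the two rows on the slide (column j of the second equation is column j-1 of the first plus one new term); indices are 0-based in the code, and the oil-oil, linear and constant coefficients are assumed to be unstructured. It also runs for other (o,v), e.g. (3,5).

```python
import random

def gf_dot(a, b, q):
    return sum(x * y for x, y in zip(a, b)) % q     # inner product over GF(q), q prime

def mono_index(i, j, n):
    """Position of x_i*x_j (i <= j) in the order x_0x_0, ..., x_0x_{n-1}, x_1x_1, ..., x_{n-1}x_{n-1}."""
    return sum(n - t for t in range(i)) + (j - i)

def cyclic_uov_key(q, o, v, seed=1):
    """Constructed toy partially circulant UOV public key: circulant first row c (all VV and
    OV coefficients of p^(0)) plus random-looking oil-oil, linear and constant coefficients."""
    rnd, n = random.Random(seed), v + o
    c = [rnd.randrange(q) for _ in range(mono_index(v - 1, n - 1, n) + 1)]
    oo = [[[rnd.randrange(q) for _ in range(n)] for _ in range(n)] for _ in range(o)]
    lin = [[rnd.randrange(q) for _ in range(n)] for _ in range(o)]
    return c, oo, lin, [rnd.randrange(q) for _ in range(o)]

def quad_coeff(key, k, i, j, n, v):
    """Coefficient of x_i*x_j (i <= j) in p^(k): row k of the circulant block when i < v."""
    return key[0][(mono_index(i, j, n) - k) % len(key[0])] if i < v else key[1][k][i][j]

def eval_standard(key, k, s, q, o, v):
    """Standard approach: coefficient row of p^(k) times the full monomial vector of s."""
    n, row, mons = v + o, [], []
    for i in range(n):
        for j in range(i, n):
            row.append(quad_coeff(key, k, i, j, n, v)); mons.append(s[i] * s[j])
    return gf_dot(row + key[2][k] + [key[3][k]], mons + list(s) + [1], q)

def eval_alternative(key, s, q, o, v):
    """Alternative approach: p^(k)(s) = (s,1) * MP(k) * (s,1)^T, where w = (s,1)*MP(k) for the
    circulant block is the previous equation's w shifted by one column plus one new term per column."""
    n, out, ws = v + o, [], None
    for k in range(o):
        if ws is None:                  # first equation: structured (VV+OV) part of w from scratch
            ws = [sum(s[i] * quad_coeff(key, k, i, j, n, v) for i in range(min(j, v - 1) + 1)) % q
                  for j in range(n)]
        else:                           # column j of MP(k) equals column j-1 of MP(k-1) in rows < v
            ws = [s[0] * quad_coeff(key, k, 0, 0, n, v) % q] + [
                (ws[j - 1] + (s[j] * quad_coeff(key, k, j, j, n, v) if j < v else 0)) % q
                for j in range(1, n)]
        w = [(ws[j] + sum(s[i] * key[1][k][i][j] for i in range(v, j + 1))) % q for j in range(n)]
        w.append((gf_dot(s, key[2][k], q) + key[3][k]) % q)     # linear terms and constant
        out.append(gf_dot(w, list(s) + [1], q))
    return out

def verify(key, s, h, q, o, v):
    return eval_alternative(key, s, q, o, v) == list(h)   # accept iff P(s) equals the hash value h
```

The saving is visible in the else branch: every further equation costs one multiplication per column for the circulant block instead of recomputing the whole row vector.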

Page 16

Extension to Rainbow

Several layers of Oil and Vinegar

Use the same idea as for UOV for each Rainbow layer separately

Page 17

Hybrid approach (eprint)

Evaluate the structured part with the alternative approach and the random-looking part with the standard approach

[Figure: UOV]

Page 18

Hybrid approach (2)

[Figure: Rainbow, first layer]

Page 19

Hybrid approach (3)

[Figure: Rainbow, second layer]

Page 20

Application to QUAD (eprint)

The systems and can be chosen partially circulant

Experiments indicate that this does not weaken the security of the scheme

Key stream generation can be sped up significantly

Page 21

Experiments and Results (1)

Scheme                  Public key size (kB)   Reduction factor   Verification time (ms)   Speed-up factor
UOV(256,28,56)          99.9                                      0.98 (standard)
cyclicUOV(256,28,56)    16.5                   6.1                0.20 (alternative)       4.9
                                                                  0.18 (hybrid)            5.5
UOV(31,33,66)           108.5                                     1.75 (standard)
cyclicUOV(31,33,66)     17.1                   6.3                0.34 (alternative)       5.5
                                                                  0.32 (hybrid)            5.7

• Implementation in C
• Lenovo ThinkPad, Intel Core 2 Duo 2.53 GHz, 4 GB RAM

Page 22

Experiments and Results (2)

Scheme                        Public key size (kB)   Reduction factor   Verification time (ms)   Speed-up factor
Rainbow(256,17,13,13)         25.1                                      0.26 (standard)
cyclicRainbow(256,17,13,13)   9.5                    2.6                0.12 (alternative)       2.1
                                                                        0.12 (hybrid)            2.1
Rainbow(31,14,19,14)          25.3                                      0.45 (standard)
cyclicRainbow(31,14,19,14)    9.5                    2.6                0.22 (alternative)       2.0
                                                                        0.19 (hybrid)            2.3

Page 23

Experiments and Results (3)

Scheme               Data throughput (kB/s)   CPU cycles/byte   Speed-up factor
QUAD(16,30)          71.7                     35,265
cyclicQUAD(16,30)    458.3                    5,513             6.4
QUAD(256,26)         157.3                    15,777
cyclicQUAD(256,26)   853.6                    2,820             5.5

Page 24

Conclusion

Structured versions of UOV
• Reduce public key size
• Speed up the verification process

Technique can be extended to Rainbow and QUAD

[Figure: 99.9 kB vs. 16.5 kB; 0.98 ms vs. 0.19 ms; 15,777 cycles/byte vs. 2,820 cycles/byte; 0.26 ms vs. 0.12 ms]

Page 25

Thank you for your attention

www.eprint.iacr.org/2013/263

www.eprint.iacr.org/2013/315

Questions?