Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes Albrecht Petzoldt,...

Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes

Albrecht Petzoldt, Stanislav Bulygin and Johannes BuchmannTU Darmstadt, Germany

PQCrypto 2013Limoges, France

05. June 2013

Outline

1. Motivation: Multivariate Cryptography2. The UOV Signature Scheme3. UOV Schemes with partially circulant Public Key4. The Verification Process5. Extension to Rainbow6. Hybrid approach and Application to QUAD ( eprint)7. Experiments and Results8. Conclusion

05.06.2013 | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 2

Multivariate Cryptography


Problem MQ: Finding a vector such that

is a hard task.

Multivariate Cryptography (2)


Construction

• Start with an easily invertible quadratic map (central map)

• Combine it with two invertible affine maps and

•The public key is supposed to look like a random system



Signature generation: For a hashvalue compute recursively ,

and . The signature of the document is .

Signature verification: To verify the authenticity of a signature , one

computes . If holds, the signature is accepted, otherwise

rejected.

Signature Schemes


Advantages:• Secure against attacks with quantum computers• Great diversity of schemes and variations• Enables fast en- and decryption as well as signature generation

and verification• Requires modest computational resources Can be implemented on low cost smart cards



Major Drawbacks• Relatively young field of Research Security is not so well understood • No explicit parameter choices to meet given security levels

known• Large size of the public and private keys

Multivariate Cryptography is not yet widely spread


The UOV Signature Scheme

Two types of variables: Vinegar and Oil

Central map

Inversion of

1.Choose the Vinegar variables at random2.Solve the resulting linear system for the Oil variables

Public Key: with an affine map . Private Key: , .


},,{ 1 vxxV },,{ 1 ovv xxO

VV OV OO linearconstant linear in O linear in Oo equa-tions

Partially Circulant UOV Schemes


Partially Circulant UOV Schemes (2)


PM B

0FM



PM B1 ABH

H 0 linear termsFM



PM B

0 linear terms

C

FM H

The verification process (1)

Standard approach Signature Vector Macauley matrix


The verification process (2)

Alternative approach extended signature vector

Matrix MP(k)


Example (o,v)=(2,4)


=( as1, bs1+gs2, cs1+hs2+ls3, ds1+is2+ms3+ps4, es1+js2+ns3+qs4+ ,

fs1+ks2+os3+rs4+ , ) (s1, …, s6,1)T

= ( rs1, as1+fs2, bs1+gs2+ks3, cs1+hs2+ls3+os4, ds1+is2+ms3+ps4+ ,

es1+js2+ns3+qs4+ , ) (s1, …, s6,1)T

Extension to Rainbow


Several layers of Oil and Vinegar

Use the same idea as for UOV for each Rainbow layer separately

PM

Hybrid approach ( eprint)

Evaluate the structured part with the alternative approach and the random looking part with the standard approach

UOV


Hybrid approach (2)

Rainbow

First layer


Hybrid approach (3)

Rainbow

Second layer


Application to QUAD ( eprint)

The systems and can be chosen partially circulant

Experiments indicate that this does not weaken the security of the scheme

Key stream generation can be sped up significantly


Experiments and Results (1)

Public key size (kB)

reduction factor

Verification time (ms)

Speed up factor

UOV(256,28,56) 99.9 0.98 (standard)

cyclicUOV(256,28,56) 16.5 6.1 0.20 (alternative) 4.9

0.18 (hybrid) 5.5UOV(31,33,66) 108.5 1.75 (standard)

cyclicUOV(31,33,66) 17.1 6.3 0.34 (alternative) 5.5

0.32 (hybrid) 5.7


• Implementation in C• Lenovo ThinkPad, Intel Core 2Duo 2.53 GHz, 4 GB RAM


Public key size (kB)

reduction factor

Verification time (ms)

Speed up factor

Rainbow(256,17,13,13) 25.1 0.26 (standard)

cyclicRainbow (256,17,13,13)

9.5 2.6 0.12 (alternative) 2.1

0.12 (hybrid) 2.1Rainbow(31,14,19,14) 25.3 0.45 (standard)

cyclicRainbow (31,14,19,14)

9.5 2.6 0.22 (alternative) 2.0

0.19 (hybrid) 2.3



Data throughput (kB/s)

CPUcycles/byte Speed up factor

QUAD(16,30) 71.7 35,265cyclicQUAD(16,30) 458.3 5,513 6.4QUAD(256,26) 157.3 15,777cyclicQUAD(256,26) 853.6 2,820 5.5


Conclusion

Structured versions of UOV

Reduce public key size

Speed up the verification process

Technique can be extended to Rainbow and QUAD


99.9 kB

16.5 kB

0.98 ms

0.19 ms

15,777 cycles/byte

2,820 cycles/byte

0.26 ms

0.12 ms

Thank you for your attention


www.eprint.iacr.org/2013/263

www.eprint.iacr.org/2013/315

Questions?0.98 ms

0.19 ms 0.26 ms

0.12 ms

Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes Albrecht Petzoldt,...

Documents

Transcript of Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes Albrecht Petzoldt,...