Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes
Albrecht Petzoldt, Stanislav Bulygin and Johannes Buchmann, TU Darmstadt, Germany
PQCrypto 2013, Limoges, France
05. June 2013
Outline
1. Motivation: Multivariate Cryptography
2. The UOV Signature Scheme
3. UOV Schemes with partially circulant Public Key
4. The Verification Process
5. Extension to Rainbow
6. Hybrid approach and Application to QUAD (eprint)
7. Experiments and Results
8. Conclusion
05.06.2013 | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 2
Multivariate Cryptography
Problem MQ: Finding a vector such that
is a hard task.
Multivariate Cryptography (2)
Construction
• Start with an easily invertible quadratic map (central map)
• Combine it with two invertible affine maps and
• The public key is supposed to look like a random system
Multivariate Cryptography (3)
Signature Schemes
Signature generation: For a hash value compute recursively , and . The signature of the document is .
Signature verification: To verify the authenticity of a signature , one computes . If holds, the signature is accepted, otherwise rejected.
Multivariate Cryptography (4)
Advantages:
• Secure against attacks with quantum computers
• Great diversity of schemes and variations
• Enables fast en- and decryption as well as signature generation and verification
• Requires modest computational resources, so it can be implemented on low-cost smart cards
Multivariate Cryptography (5)
Major Drawbacks
• Relatively young field of research, so its security is not so well understood
• No explicit parameter choices to meet given security levels known
• Large size of the public and private keys
Consequently, Multivariate Cryptography is not yet widely spread
The UOV Signature Scheme
Two types of variables: Vinegar and Oil
Central map
Inversion of
1. Choose the Vinegar variables at random
2. Solve the resulting linear system for the Oil variables
Public Key: with an affine map . Private Key: , .
V = {x_1, ..., x_v}, O = {x_{v+1}, ..., x_{v+o}}
[Figure: structure of the central map: VV, OV and OO blocks plus linear and constant terms; after fixing the Vinegar variables, each of the o equations is linear in O]
Partially Circulant UOV Schemes
Partially Circulant UOV Schemes (2)
[Figure: public key matrix MP with block B, central map matrix MF and a 0 block]
Partially Circulant UOV Schemes (2)
[Figure: public key matrix MP with block B, matrices A and H, central map matrix MF, a 0 block and the linear terms]
Partially Circulant UOV Schemes (2)
[Figure: public key matrix MP with blocks B and C, central map matrix MF, matrix H, a 0 block and the linear terms]
The verification process (1)
Standard approach: signature vector and Macaulay matrix
The verification process (2)
Alternative approach: extended signature vector and matrix MP(k)
Example (o,v)=(2,4)
=( as1, bs1+gs2, cs1+hs2+ls3, ds1+is2+ms3+ps4, es1+js2+ns3+qs4+ , fs1+ks2+os3+rs4+ , ) (s1, …, s6,1)T
= ( rs1, as1+fs2, bs1+gs2+ks3, cs1+hs2+ls3+os4, ds1+is2+ms3+ps4+ , es1+js2+ns3+qs4+ , ) (s1, …, s6,1)T
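The cyclic structure in the two rows above, worked as an added toy implementation (not code from the paper or its authors): a constructed partially circulant public key for (o,v)=(2,4) over GF(31), evaluated once with the standard Macaulay-matrix approach and once by reading polynomial k's structured coefficients as the k-fold rotation of polynomial 1's, with the random-looking OO part evaluated the standard way. The field size, the seeded toy key generation and the verify helper are assumptions; the code checks the equality of both evaluations rather than reproducing the paper's MP(k) matrix arithmetic.

```python
import random
Q = 31             # field size GF(31); assumption for the toy key
O, V = 2, 4        # oil / vinegar counts from the slide example
N = O + V          # number of variables x1..x6
# Quadratic monomials x_i*x_j (i <= j) in slide order: x1^2, x1x2, ..., x6^2.
# The first D contain a Vinegar variable (VV and VO blocks), the rest are OO.
MONOMIALS = [(i, j) for i in range(N) for j in range(i, N)]
D = V * (V + 1) // 2 + V * O   # 18 for (2,4): the coefficients a..r on the slide

def gen_cyclic_public_key(seed):
    """O polynomials as (quadratic coeffs, linear coeffs, constant); polynomial k's
    first D quadratic coefficients are polynomial 0's rotated right by k
    (constructed toy key from a seed, not the real key generation)."""
    rng = random.Random(seed)
    base = [rng.randrange(Q) for _ in range(D)]
    key = []
    for k in range(O):
        rotated = [base[(t - k) % D] for t in range(D)]
        oo_part = [rng.randrange(Q) for _ in range(len(MONOMIALS) - D)]
        linear = [rng.randrange(Q) for _ in range(N)]
        key.append((rotated + oo_part, linear, rng.randrange(Q)))
    return key

def eval_standard(key, s):
    """Standard approach: full coefficient rows (Macaulay matrix) times the monomial vector."""
    mono = [s[i] * s[j] % Q for (i, j) in MONOMIALS]
    out = []
    for quad, linear, const in key:
        acc = sum(c * m for c, m in zip(quad, mono))
        acc += sum(c * x for c, x in zip(linear, s)) + const
        out.append(acc % Q)
    return out

def eval_cyclic(key, s):
    """Alternative approach: the VV/VO part of polynomial k is read off polynomial 0's
    D coefficients via the index shift t -> (t - k) mod D, so only D structured
    coefficients are stored; OO, linear and constant terms go the standard way."""
    mono = [s[i] * s[j] % Q for (i, j) in MONOMIALS]
    base = key[0][0][:D]
    out = []
    for k, (quad, linear, const) in enumerate(key):
        acc = sum(base[(t - k) % D] * mono[t] for t in range(D))
        acc += sum(c * m for c, m in zip(quad[D:], mono[D:]))
        acc += sum(c * x for c, x in zip(linear, s)) + const
        out.append(acc % Q)
    return out

def verify(key, s, h):
    """Accept the signature s for hash value h iff P(s) == h."""
    return eval_cyclic(key, s) == list(h)
```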
Extension to Rainbow
Several layers of Oil and Vinegar
Use the same idea as for UOV for each Rainbow layer separately
[Figure: public key matrix MP of Rainbow]
Hybrid approach (eprint)
Evaluate the structured part with the alternative approach and the random looking part with the standard approach
UOV
Hybrid approach (2)
Rainbow
First layer
Hybrid approach (3)
Rainbow
Second layer
Application to QUAD (eprint)
The systems and can be chosen partially circulant
Experiments indicate that this does not weaken the security of the scheme
Key stream generation can be sped up significantly
Experiments and Results (1)
Scheme                  Public key size (kB)   Reduction factor   Verification time (ms)   Speed up factor
UOV(256,28,56)          99.9                   -                  0.98 (standard)          -
cyclicUOV(256,28,56)    16.5                   6.1                0.20 (alternative)       4.9
                                                                  0.18 (hybrid)            5.5
UOV(31,33,66)           108.5                  -                  1.75 (standard)          -
cyclicUOV(31,33,66)     17.1                   6.3                0.34 (alternative)       5.5
                                                                  0.32 (hybrid)            5.7
• Implementation in C
• Lenovo ThinkPad, Intel Core 2 Duo 2.53 GHz, 4 GB RAM
Experiments and Results (2)
Scheme                         Public key size (kB)   Reduction factor   Verification time (ms)   Speed up factor
Rainbow(256,17,13,13)          25.1                   -                  0.26 (standard)          -
cyclicRainbow(256,17,13,13)    9.5                    2.6                0.12 (alternative)       2.1
                                                                         0.12 (hybrid)            2.1
Rainbow(31,14,19,14)           25.3                   -                  0.45 (standard)          -
cyclicRainbow(31,14,19,14)     9.5                    2.6                0.22 (alternative)       2.0
                                                                         0.19 (hybrid)            2.3
Experiments and Results (3)
Scheme               Data throughput (kB/s)   CPU cycles/byte   Speed up factor
QUAD(16,30)          71.7                     35,265            -
cyclicQUAD(16,30)    458.3                    5,513             6.4
QUAD(256,26)         157.3                    15,777            -
cyclicQUAD(256,26)   853.6                    2,820             5.5
Conclusion
Structured versions of UOV:
• Reduce public key size
• Speed up the verification process
Technique can be extended to Rainbow and QUAD
[Figure: summary of the gains: public key size 99.9 kB → 16.5 kB (UOV), verification time 0.98 ms → 0.19 ms (UOV) and 0.26 ms → 0.12 ms (Rainbow), key stream generation 15,777 → 2,820 cycles/byte (QUAD)]
Thank you for your attention
www.eprint.iacr.org/2013/263
www.eprint.iacr.org/2013/315
Questions?