Multivariate Signature Scheme using Quadratic

Forms

Takanori Yasuda (ISIT) 　

Joint work with

Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ.) 　

2013/3/3Workshop on Solving Multivariate Polynomial Systems and Related Topics

Contents1. Multivariate Signature Schemes2. Quadratic Forms3. Multivariate System defined by Quadratic Forms4. Application to Signature Scheme5. Comparison with Rainbow

1. Efficiency of Signature Generation2. Key Sizes3. Security

6. Conclusion

1

MPKC Signature: multivariate polynomial map

𝐹

Inverse function

Vector space Vector space

Signature Message

𝑺=𝑭 −𝟏(𝑴 ) 𝑴

6

For any message M, there must exist the corresponding signature.

F is surjective.

New Multivariate Polynomial Map

• We introduce a multivariate polynomial map not surjective, and apply it to signature.

2

Multivariate polynomial map

For a symmetric matrix A,

𝐺 (𝑋)=𝑋 . 𝐴 . 𝑋𝑇

where is a matrix of variables of size .

is a map which assigns a matrix to a matrix.

G can be regarded as a multivariate polynomial map.

Problems of G

3

Is G applicable to signature or not?

1. Can its inverse map be computed efficiently? Necessary to compute for a message M in order to generate a signature.

2. Is it surjective or not?

For any message M, necessary to generate its signature.

Problems

Quadratic Forms• Definition 1 : Field with odd characteristic (or 0) : Natural number

is a quadratic form for some symmetric matrix

• Definition 2 , : quadratic forms associated to

and are isometric for some

Translation of problems of in terms of quadratic

form• Equation

• Restrict solution o Problem 1’ For , , isometric each other, find a translation matrix efficiently.o Problem 2’ For any , , are and isometric or not?

=

(: symmetric matrices)

How to compute the inverse map

5

Simple case 𝐴=𝐼 𝑟=( 1 ¿ 0

⋱ ¿ ¿1¿)Problem 1’ is equivalent to

Problem 1’’: Find an orthonormal basis of with respect to .

Orthonormal basis: in

for for

Real field Case• : real field

Gram-Schmidt orthonormalization provides an efficient algorithm to solve Problem 1’’.

It uses special property of .

Fact: is anisotropic.

A quadratic form is anisotropic for any ,

Definition:

We want to apply Gram-Schmidt orthonormalization technique to the case of finite fields.

Finite Field Case

• However, we can extend Gram-Schmidt orthonormalization by inserting a step:

Fact Let be a finite field. Any quadratic form on () is not anisotropic.

We cannot apply Gram-Schmidt orthonormalization directly.

If , then find another element such that .

Solve Problem 1’

Problem 2• Definition : quadratic form associated to .

is nondegenerate det

7

Classification theorem (if K has odd characteristic)Any nondegenerate quadratic form is isometric to either or .

Classification Theorem• For any (nondegenerate) message , either

has a solution.• or is determined by det.• In the degenerate case, both equations have

solutions.• or is not surjective.• However, we can apply this map to MPKC

signature.

or 　

Application to MPKC Signature Scheme

• Secret Key

, , ,

• Public Key

, , affine transformations

defined by , defined by ,

Signature Generation• For any symmetric matrix ,• Step 1 Apply the extended Gram-Schmidt

orthonormalization to .o Find a solution of either

• Step 2 Compute or .

or 　

is a solution of or .

Property of Our Scheme

• Respective map or is not surjective.• However, the union of images of these maps

covers the whole space.

𝑲 𝑛

𝑲𝑚𝑮𝟏

𝑮𝜹14

Property of Our Scheme

Multivariate Polynomial Maps

Rainbow

UOV

HFE

MI

Proposal

Surjective

Not Surjective

4

Security of Our Scheme

• There are several attacks of MPKC signature schemes which depend on the structure of central map.

• For example, UOV attack is an attack which transforms public key into a form of central map of UOV scheme.o Central maps of UOV ara surjective.o The public key of our scheme cannot be transformed into any

surjective map.

• These attacks is not applicable against our scheme.（ Other example: Rainbow-band-separation attack, UOV-Reconciliation attack ）

• However, attacks which is independent of scheme, like direct attacks, are applicable to our scheme.

15

Comparison with Rainbow

• Equivalent with respect to cost of verification and public key length.

• Cost of signature generation (number of mult.)o Proposal o Rainbow 　⇒ 8 or 9 times more efficient at the level of 88-bit security.

• Secret Key Size (number of elements of field)o Proposal

o Rainbow

Compared in the case that and are same for public key F :

16

Conclusion• We propose a new MPKC signature scheme using

quadtaci forms. The multivariate polynomial map used in the scheme is not surjective.

• Signature generation uses an extended Gram-Schmidt orthonormalization. It is 8 or 9 times more efficient than that of Rainbow at the level of 88-bit security.

Future Work• Security analysis• Application to encryption scheme

17