Multivariate Signature Scheme
using Quadratic Forms
Takanori Yasuda (ISIT)
Joint work with
Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ.)
This work was partially supported by the Japan Science and Technology Agency (JST) Strategic Japanese-Indian
Cooperative Programme for Multidisciplinary Research Fields, which aims to combine Information and
Communications Technology with Other Fields. The first author is supported by Grant-in-Aid for Young
Scientists (B), Grant number 24740078.
1
Contents
1.
2.
3.
4.
5.
Multivariate Signature Schemes
Quadratic Forms
Multivariate System defined by Quadratic Forms
Application to Signature Scheme
Comparison with Rainbow
1.
2.
3.
Efficiency of Signature Generation
Key Sizes
Security
6. Conclusion
2
MPKC Signature
𝐹: 𝐾 𝑛 → 𝐾 𝑚 : multivariate polynomial map
Vector space 𝐾 𝑛
Vector space 𝐾 𝑚
𝐹
𝑺 = 𝑭−𝟏 (𝑴)
Signature
𝑴
Inverse function
𝐹 −1
Message
For any message M, there must exist the corresponding signature.
F is surjective.
3
New Multivariate
Polynomial Map
• We introduce a multivariate polynomial map not
surjective, and apply it to signature scheme.
Multivariate polynomial map 𝐺
For a symmetric matrix A,
𝐺(𝑋) = 𝑋. 𝐴. 𝑋 𝑇
where 𝑋 = 𝑥𝑖𝑗 is a matrix of variables of size 𝑟 × 𝑟.
𝐺 is a map which assigns a matrix to a matrix.
G can be regarded as
2
2
a multivariate polynomial map 𝐾 𝑟 → 𝐾 𝑟 .
𝐾 𝑟(𝑟+1)/2
4
Questions
Is G applicable to signature scheme or not?
Questions
1. Can its inverse map be computed efficiently?
Necessary to compute 𝐺 −1 M for a message M
in order to generate a signature.
2. Is it surjective or not?
For any message M,
necessary to generate its signature.
5
Quadratic Forms
• Definition 1
𝐾: Field with odd characteristic (or 0)
𝑟 : Natural number
𝑞: 𝐾 𝑟 → 𝐾 is a quadratic form
𝑞 𝑥 = 𝑥. 𝐴. 𝑥 𝑇 for some symmetric matrix 𝐴
• Definition 2
𝑞𝐴 , 𝑞𝐵 : quadratic forms associated to 𝐴, 𝐵
𝑞𝐴 and 𝑞𝐵 are isometric
𝐶. 𝐴. 𝐶 𝑇 = 𝐵 for some 𝐶 ∈ 𝐺𝐿(𝑟, 𝐾)
6
Translation of questions of 𝐺
in terms of quadratic form
• Equation
(𝐴, 𝐵: symmetric matrices)
𝐺(𝑋) = 𝑋. 𝐴. 𝑋 𝑇 = 𝐵
• Restrict solution 𝑋 ∈ 𝐺𝐿(𝑟, 𝐾)
o Problem 1 For 𝑞𝐴 , 𝑞𝐵 , isometric each other,
find a translation matrix 𝐶 efficiently.
o Problem 2 For any 𝑞𝐴 , 𝑞𝐵 ,
determine whether 𝑞𝐴 and 𝑞𝐵 isometric or not?
7
How to compute the
inverse map
Simple case
1
𝐴 = 𝐼𝑟 =
0
⋱
0
1
Problem 1 is equivalent to
Problem 1’: Find an orthonormal basis of 𝐾 𝑟
with respect to 𝑞𝐵 .
Orthonormal basis: 𝑣1 , … 𝑣𝑟 in 𝐾 𝑟
𝑞𝐵 𝑣𝑖 = 1 for 𝑖 = 1, … , 𝑟,
𝑞𝐵 𝑣𝑖 , 𝑣𝑗
≔ 𝑣𝑖 . 𝐵. 𝑣𝑗
𝑇
= 0 for 𝑖 ≠ 𝑗
8
Real field Case
• 𝐾 = 𝑹 : real field
Gram-Schmidt orthonormalization provides an efficient
algorithm to solve Problem 1’.
It uses special property of 𝑞𝐴 = 𝑞𝐼𝑟 .
Fact: 𝑞𝐴 = 𝑞𝐼𝑟 is anisotropic.
Definition:
A quadratic form 𝑞 is anisotropic
for any 𝑣 (≠ 0)𝜖 𝐾 𝑟 , 𝑞(𝑣) ≠ 0
We want to apply Gram-Schmidt orthonormalization technique
to the case of finite fields.
9
Finite Field Case
Fact Let 𝐾 be a finite field.
Any quadratic form on 𝐾 𝑟 (𝑟 ≥ 3) is not anisotropic.
We cannot apply Gram-Schmidt orthonormalization directly.
• However, we can extend Gram-Schmidt orthonormalization
by inserting a step:
If 𝑞 𝑣 = 0, then find another element 𝑣′ such that 𝑞 𝑣′ ≠ 0.
Solve Problem 1
10
2-dimensional case (1)
Operation for Matrices of 2×2 is fundamental.
𝑎
(1) 𝐴 =
𝑏
𝑏
𝑐
(𝑎 ≠ 0)
In this case, apply the usual GS orthonormalization.
11
2-dimensional case (2)
𝑎
(2) 𝐴 =
𝑏
𝑏
𝑐
(𝑎 = 0)
• There are two cases: 𝑐 = 0 or 𝑐 ≠ 0.
⇒
apply the usual GS-normalization.
12
2-dimensional case (3)
• We obtained
•
𝑎 0
𝐴′ =
(𝑎, 𝑐 ≠ 0)
0 𝑐
There is a matrix 𝐵 such that
1 0
𝑇
𝐵. 𝐴’. 𝐵 =
.
0 𝑐′
This completes the Extended GS-normalization.
13
Problem 2
• Definition
𝑞𝐴 : quadratic form associated to 𝐴.
𝑞𝐴 is nondegenerate
det(𝐴) ≠ 0
Classification theorem
Any nondegenerate quadratic form is isometric to either
𝑞𝐴1 or 𝑞𝐴𝛿 .
14
Classification Theorem
• For any (nondegenerate) message 𝑀, either
•
•
•
•
𝑋 ∙ 𝐴1 ∙ 𝑋 𝑇 = 𝑀 or 𝑋 ∙ 𝐴𝛿 ∙ 𝑋 𝑇 = 𝑀
has a solution.
𝐴1 or 𝐴𝛿 is determined by det(𝑀).
In the degenerate case, both equations have solutions.
𝐺 𝑋 = 𝑋 ∙ 𝐴1 ∙ 𝑋 𝑇 or 𝐺 𝑋 = 𝑋 ∙ 𝐴𝛿 ∙ 𝑋 𝑇 is not surjective.
However, we can apply these maps to MPKC signature
scheme.
15
Application to MPKC
Signature Scheme
• Secret Key
𝐶1 , 𝐶𝛿 𝜖 𝐺𝐿(𝑟, 𝐾)
𝐴1 ≔ 𝐶1 . 𝐴1 . 𝐶1 𝑇 , 𝐴𝛿 ≔ 𝐶𝛿 . 𝐴𝛿 . 𝐶𝛿 𝑇 ,
𝐺1 𝑋 = 𝑋. 𝐴1 . 𝑋,
𝐿: 𝐾 𝑚 → 𝐾 𝑚 ,
• Public Key
𝐺𝛿 𝑋 = 𝑋. 𝐴𝛿 . 𝑋
𝑅: 𝐾 𝑛 → 𝐾 𝑛 , affine transformations
𝑚=
𝑟 𝑟+1
2
,
𝑛 = 𝑟2
𝐹1 : 𝐾 𝑛 → 𝐾 𝑚 defined by 𝐹1 = 𝐿°𝐺1 °𝑅,
𝐹𝛿 : 𝐾 𝑛 → 𝐾 𝑚 defined by 𝐹𝛿 = 𝐿°𝐺𝛿 °𝑅,
16
Signature Generation
For a symmetric matrix 𝑀,
• Step 1 Compute 𝑀’ = 𝑅−1 (𝑀) .
• Step 2 Apply the extended Gram-Schmidt
orthornormalization to 𝑀′.
o Find a solution 𝑋 = 𝐷 of either
𝑋 ∙ 𝐴1 ∙ 𝑋 𝑇 = 𝑀′ or
𝑋 ∙ 𝐴𝛿 ∙ 𝑋 𝑇 = 𝑀′
• Step 3 Compute 𝐸 = 𝐶1 −1 . 𝐷 or 𝐸 = 𝐶𝛿 −1 . 𝐷.
𝑋 = 𝐸 is a solution of 𝐺1 𝑋 = 𝑀 or 𝐺𝛿 𝑋 = 𝑀.
• Step 4 Compute 𝑆 = 𝐿−1 (𝐸).
17
Property of Our Scheme
• Respective map 𝐺1 or 𝐺𝛿 is not surjective.
• However, the union of images of these maps covers the
whole space.
For any M, there exists the corresponding signature.
𝑲𝑛
𝑮𝟏
𝑮𝜹
𝑲𝑚
M
18
Other Signature Schemes
Multivariate Polynomial Maps
Rainbow
Surjective
HFE
UOV
MI
Not
Surjective
Proposal
19
Security of Our Scheme
• There are several attacks of MPKC signature schemes
which depend on the structure of central map.
• For example, UOV attack is an attack which transforms
public key into a form of central map of UOV scheme.
o Central maps of UOV are surjective.
o The public key of our scheme cannot be transformed into any
surjective map.
• These attacks is not applicable against our scheme.
（Other examples: Rainbow-band-separation attack,
UOV-Reconciliation attack）
• However, attacks which is independent of scheme, like
direct attacks, are applicable to our scheme.
20
Comparison with
Rainbow
Compared in the case that 𝑚 and 𝑛 are same
for public key F : 𝐾 𝑛 → 𝐾 𝑚
• Equivalent with respect to cost of verification and public key
length.
• Cost of signature generation (number of mult.)
o Proposal
𝑂(𝑛2 )
o Rainbow
𝑂(𝑛3 )
⇒ 8 or 9 times more efficient at the level of 88-bit security.
• Secret Key Size (number of elements of field)
o Proposal
o Rainbow
21
Conclusion
• We propose a new MPKC signature scheme using quadratic
forms. The multivariate polynomial map used in the scheme
is not surjective.
• Signature generation uses an extended Gram-Schmidt
orthonormalization. It is 8 or 9 times more efficient than that
of Rainbow at the level of 88-bit security.
Future Work
• Security analysis
• Application to encryption scheme
22