Multivariate Signature Scheme
using Quadratic Forms
Takanori Yasuda (ISIT)
Joint work with
Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ.)
Workshop on Solving Multivariate Polynomial Systems and Related Topics
2013/3/3
Contents
1.
2.
3.
4.
5.
Multivariate Signature Schemes
Quadratic Forms
Multivariate System defined by Quadratic Forms
Application to Signature Scheme
Comparison with Rainbow
1.
2.
3.
Efficiency of Signature Generation
Key Sizes
Security
6. Conclusion
1
MPKC Signature
𝐹: 𝐾 𝑛 → 𝐾 𝑚 : multivariate polynomial map
Vector space 𝐾 𝑛
Vector space 𝐾 𝑚
𝐹
𝑺 = 𝑭−𝟏 (𝑴)
Signature
𝑴
Inverse function
𝐹 −1
Message
For any message M, there must exist the corresponding signature.
F is surjective.
6
New Multivariate
Polynomial Map
• We introduce a multivariate polynomial map not
surjective, and apply it to signature.
Multivariate polynomial map 𝐺
For a symmetric matrix A,
𝐺(𝑋) = 𝑋. 𝐴. 𝑋 𝑇
where 𝑋 = 𝑥𝑖𝑗 is a matrix of variables of size 𝑟 × 𝑟.
𝐺 is a map which assigns a matrix to a matrix.
G can be regarded as
2
2
a multivariate polynomial map 𝐾 𝑟 → 𝐾 𝑟 .
2
Problems of G
Is G applicable to signature or not?
Problems
1. Can its inverse map be computed efficiently?
Necessary to compute 𝐺 −1 M for a message M
in order to generate a signature.
2. Is it surjective or not?
For any message M,
necessary to generate its signature.
3
Quadratic Forms
• Definition 1
𝐾: Field with odd characteristic (or 0)
𝑟 : Natural number
𝑞: 𝐾 𝑟 → 𝐾 is a quadratic form
𝑞 𝑥 = 𝑥. 𝐴. 𝑥 𝑇 for some symmetric matrix 𝐴
• Definition 2
𝑞𝐴 , 𝑞𝐵 : quadratic forms associated to 𝐴, 𝐵
𝑞𝐴 and 𝑞𝐵 are isometric
𝐶. 𝐴. 𝐶 𝑇 = 𝐵 for some 𝐶 ∈ 𝐺𝐿(𝑟, 𝐾)
Translation of problems of 𝐺
in terms of quadratic form
• Equation
(𝐴, 𝐵: symmetric matrices)
𝐺(𝑋) = 𝑋. 𝐴. 𝑋 𝑇 =𝐵
• Restrict solution 𝑋 ∈ 𝐺𝐿(𝑟, 𝐾)
o Problem 1’ For 𝑞𝐴 , 𝑞𝐵 , isometric each other,
find a translation matrix 𝐶 efficiently.
o Problem 2’ For any 𝑞𝐴 , 𝑞𝐵 ,
are 𝑞𝐴 and 𝑞𝐵 isometric or not?
How to compute the
inverse map
Simple case
𝐴 = 𝐼𝑟 =
1
0
⋱
0
1
Problem 1’ is equivalent to
Problem 1’’: Find an orthonormal basis of 𝐾 𝑟
with respect to 𝑞𝐵 .
Orthonormal basis: 𝑣1 , … 𝑣𝑟 in 𝐾 𝑟
𝑞𝐵 𝑣𝑖 = 1 for 𝑖 = 1, … , 𝑟,
𝑞𝐵 𝑣𝑖 , 𝑣𝑗
≔ 𝑣𝑖 . 𝐵. 𝑣𝑗
𝑇
= 0 for 𝑖 ≠ 𝑗
5
Real field Case
• 𝐾 = 𝑹 : real field
Gram-Schmidt orthonormalization provides an efficient
algorithm to solve Problem 1’’.
It uses special property of 𝑞𝐴 = 𝑞𝐼𝑟 .
Fact: 𝑞𝐴 = 𝑞𝐼𝑟 is anisotropic.
Definition:
A quadratic form 𝑞 is anisotropic
for any 𝑣 (≠ 0)𝜖 𝐾 𝑟 , 𝑞(𝑣) ≠ 0
We want to apply Gram-Schmidt orthonormalization technique
to the case of finite fields.
Finite Field Case
Fact Let 𝐾 be a finite field.
Any quadratic form on 𝐾 𝑟 (𝑟 ≥ 3) is not anisotropic.
We cannot apply Gram-Schmidt orthonormalization directly.
• However, we can extend Gram-Schmidt orthonormalization
by inserting a step:
If 𝑞 𝑣 = 0, then find another element 𝑣′ such that 𝑞 𝑣′ ≠ 0.
Solve Problem 1’
Problem 2
• Definition
𝑞𝐴 : quadratic form associated to 𝐴.
𝑞𝐴 is nondegenerate
det(𝐴) ≠ 0
Classification theorem (if K has odd characteristic)
Any nondegenerate quadratic form is isometric to either
𝑞𝐴1 or 𝑞𝐴𝛿 .
7
Classification Theorem
• For any (nondegenerate) message 𝑀, either
•
•
•
•
𝑋 ∙ 𝐴1 ∙ 𝑋 𝑇 = 𝑀 or 𝑋 ∙ 𝐴𝛿 ∙ 𝑋 𝑇 = 𝑀
has a solution.
𝐴1 or 𝐴𝛿 is determined by det(𝑀).
In the degenerate case, both equations have solutions.
𝐺 𝑋 = 𝑋 ∙ 𝐴1 ∙ 𝑋 𝑇 or 𝐺 𝑋 = 𝑋 ∙ 𝐴𝛿 ∙ 𝑋 𝑇 is not surjective.
However, we can apply this map to MPKC signature.
Application to MPKC
Signature Scheme
• Secret Key
𝐶1 , 𝐶𝛿 𝜖 𝐺𝐿(𝑟, 𝐾)
𝐴1 ≔ 𝐶1 . 𝐴1 . 𝐶1 𝑇 , 𝐴𝛿 ≔ 𝐶𝛿 . 𝐴𝛿 . 𝐶𝛿 𝑇 ,
𝐺1 𝑋 = 𝑋. 𝐴1 . 𝑋,
𝐿: 𝐾 𝑚 → 𝐾 𝑚 ,
• Public Key
𝐺𝛿 𝑋 = 𝑋. 𝐴𝛿 . 𝑋
𝑅: 𝐾 𝑛 → 𝐾 𝑛 , affine transformations
𝑚=
𝑟 𝑟+1
2
,
𝑛 = 𝑟2
𝐹1 : 𝐾 𝑛 → 𝐾 𝑚 defined by 𝐹1 = 𝐿°𝐺1 °𝑅,
𝐹𝛿 : 𝐾 𝑛 → 𝐾 𝑚 defined by 𝐹𝛿 = 𝐿°𝐺𝛿 °𝑅,
Signature Generation
• For any symmetric matrix 𝑀,
• Step 1 Apply the extended Gram-Schmidt
orthonormalization to 𝑀.
o Find a solution 𝑋 = 𝐷 of either
𝑋 ∙ 𝐴1 ∙ 𝑋 𝑇 = 𝑀 or
𝑋 ∙ 𝐴𝛿 ∙ 𝑋 𝑇 = 𝑀
• Step 2 Compute 𝐸 = 𝐶1 −1 . 𝐷 or 𝐸 = 𝐶𝛿 −1 . 𝐷.
𝑋 = 𝐸 is a solution of 𝐺1 𝑋 = 𝑀 or 𝐺𝛿 𝑋 = 𝑀.
Property of Our Scheme
• Respective map 𝐺1 or 𝐺𝛿 is not surjective.
• However, the union of images of these maps covers the
whole space.
𝑲𝑛
𝑮𝟏
𝑮𝜹
𝑲𝑚
14
Property of Our Scheme
Multivariate Polynomial Maps
Rainbow
Surjective
HFE
UOV
MI
Not
Surjective
Proposal
4
Security of Our Scheme
• There are several attacks of MPKC signature schemes
which depend on the structure of central map.
• For example, UOV attack is an attack which transforms
public key into a form of central map of UOV scheme.
o Central maps of UOV ara surjective.
o The public key of our scheme cannot be transformed into any
surjective map.
• These attacks is not applicable against our scheme.
（Other example: Rainbow-band-separation attack,
UOV-Reconciliation attack）
• However, attacks which is independent of scheme, like
direct attacks, are applicable to our scheme.
15
Comparison with
Rainbow
Compared in the case that 𝑚 and 𝑛 are same
for public key F : 𝐾 𝑛 → 𝐾 𝑚
• Equivalent with respect to cost of verification and public key
length.
• Cost of signature generation (number of mult.)
o Proposal
𝑂(𝑛2 )
o Rainbow
𝑂(𝑛3 )
⇒ 8 or 9 times more efficient at the level of 88-bit security.
• Secret Key Size (number of elements of field)
o Proposal
o Rainbow
16
Conclusion
• We propose a new MPKC signature scheme using quadtaci
forms. The multivariate polynomial map used in the scheme
is not surjective.
• Signature generation uses an extended Gram-Schmidt
orthonormalization. It is 8 or 9 times more efficient than that
of Rainbow at the level of 88-bit security.
Future Work
• Security analysis
• Application to encryption scheme
17