
Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes

Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes. Albrecht Petzoldt, Stanislav Bulygin and Johannes Buchmann TU Darmstadt, Germany. PQCrypto 2013 Limoges, France 05. June 2013. Outline. Motivation: Multivariate Cryptography The UOV Signature Scheme


Presentation Transcript


  1. Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes
  Albrecht Petzoldt, Stanislav Bulygin and Johannes Buchmann
  TU Darmstadt, Germany
  PQCrypto 2013, Limoges, France, 05. June 2013

  2. Outline
  • Motivation: Multivariate Cryptography
  • The UOV Signature Scheme
  • UOV Schemes with partially circulant Public Key
  • The Verification Process
  • Extension to Rainbow
  • Hybrid approach and Application to QUAD (eprint)
  • Experiments and Results
  • Conclusion
  05.06.2013 | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 2

  3. Multivariate Cryptography
  Problem MQ: Finding a vector such that is a hard task.

  4. Multivariate Cryptography (2)
  • Construction
  • Start with an easily invertible quadratic map (central map)
  • Combine it with two invertible affine maps and
  • The public key is supposed to look like a random system

  5. Multivariate Cryptography (3)
  Signature Schemes
  Signature generation: For a hash value compute recursively , and . The signature of the document is .
  Signature verification: To verify the authenticity of a signature , one computes . If holds, the signature is accepted, otherwise rejected.

  6. Multivariate Cryptography (4)
  Advantages:
  • Secure against attacks with quantum computers
  • Great diversity of schemes and variations
  • Enables fast en- and decryption as well as signature generation and verification
  • Requires modest computational resources → Can be implemented on low cost smart cards

  7. Multivariate Cryptography (5)
  Major Drawbacks
  • Relatively young field of research → Security is not so well understood
  • No explicit parameter choices to meet given security levels known
  • Large size of the public and private keys → Multivariate Cryptography is not yet widely spread

  8. The UOV Signature Scheme
  • Two types of variables: Vinegar and Oil
  • Central map
  • Inversion of
  • Choose the Vinegar variables at random
  • Solve the resulting linear system for the Oil variables
  • Public Key: with an affine map .
  • Private Key: , .
  (Labels on the central-map figure: o equations; linear; constant; linear in O; linear in O)

  9. Partially Circulant UOV Schemes

  10. Partially Circulant UOV Schemes (2)

  11. Partially Circulant UOV Schemes (2)
  (Figure label: linear terms)

  12. Partially Circulant UOV Schemes (2)
  (Figure label: linear terms)

  13. The verification process (1)
  Standard approach
  • Signature
  • Vector
  • Macaulay matrix

  14. The verification process (2)
  Alternative approach
  • extended signature vector
  • Matrix MP(k)

  15. Example (o,v)=(2,4)
  = ( a·s1, b·s1+g·s2, c·s1+h·s2+l·s3, d·s1+i·s2+m·s3+p·s4, e·s1+j·s2+n·s3+q·s4+…, f·s1+k·s2+o·s3+r·s4+…, … ) · (s1, …, s6, 1)^T
  = ( r·s1, a·s1+f·s2, b·s1+g·s2+k·s3, c·s1+h·s2+l·s3+o·s4, d·s1+i·s2+m·s3+p·s4+…, e·s1+j·s2+n·s3+q·s4+…, … ) · (s1, …, s6, 1)^T
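The alternative approach of slides 13 to 15, worked through as an added example that is not part of the talk or of the authors' C implementation. It assumes a toy prime field GF(31) instead of GF(2^8), a graded ordering of the quadratic monomials under which the monomials containing a vinegar variable come first, and a public key constructed at random with the same shift structure as the (o,v)=(2,4) example; every function name is the example's own. For each public polynomial it builds the row vector (s,1)·MP(k) and obtains the structured columns of the next polynomial's vector by shifting the previous vector and adding one new product per vinegar variable, which is exactly how the two rows of the example differ; the oil-oil, linear and constant coefficients are evaluated the standard way, the hybrid idea of slide 17. Both routines return the evaluated polynomials and a count of field multiplications, so the standard Macaulay-matrix evaluation can be checked against the circulant one.

```python
"""Toy UOV verification with a partially circulant public key (added example)."""
import random

Q = 31  # constructed toy prime field GF(31); the schemes themselves use GF(2^8)


def monomials(n):
    """Quadratic monomials x_i*x_j (i <= j) in graded order, 0-based indices.
    With this order the monomials containing a vinegar variable (i < v) are
    exactly the first D = v(v+1)/2 + v*o entries."""
    return [(i, j) for i in range(n) for j in range(i, n)]


def gen_public_key(o, v, rng):
    """Constructed partially circulant UOV public key for parameters (o, v).

    Structured part: the coefficient vector of the D vinegar-containing monomials
    of polynomial k is the base vector cyclically shifted right by k (in the
    slides' (o,v)=(2,4) example (a..r) for the first and (r,a..q) for the second
    polynomial).  Oil*oil, linear and constant coefficients are random per
    polynomial.  Returns (base vector, key as a list of (quad, lin, const))."""
    n = o + v
    N = len(monomials(n))
    D = v * (v + 1) // 2 + v * o
    base = [rng.randrange(Q) for _ in range(D)]
    key = []
    for k in range(o):
        quad = [base[(t - k) % D] for t in range(D)]          # shifted row
        quad += [rng.randrange(Q) for _ in range(N - D)]      # oil*oil part
        lin = [rng.randrange(Q) for _ in range(n)]
        key.append((quad, lin, rng.randrange(Q)))
    return base, key


def evaluate_standard(key, s):
    """Standard approach: Macaulay matrix times the monomial vector of s.
    Returns (list of p_k(s), number of field multiplications used)."""
    mons = monomials(len(s))
    mvec = [s[i] * s[j] % Q for (i, j) in mons] + list(s) + [1]
    mults = len(mons)
    values = []
    for quad, lin, const in key:
        row = quad + lin + [const]
        values.append(sum(c * m for c, m in zip(row, mvec)) % Q)
        mults += len(row) - 1          # the product with the constant 1 is free
    return values, mults


def evaluate_circulant(base, key, s, v):
    """Alternative approach: p_k(s) = w_k * (s,1)^T with w_k = (s,1) * MP(k).
    Structured column j of w_k is sum_{i <= min(j, v-1)} c_k(x_i x_j) * s_i.
    Since c_{k+1}(x_i x_{j+1}) = c_k(x_i x_j), column j+1 of w_{k+1} equals
    column j of w_k plus one new diagonal term x_{j+1}^2 (only while j+1 < v),
    and column 0 wraps around to the last coefficient of the previous row.
    Returns (list of p_k(s), number of field multiplications used)."""
    n, D = len(s), len(base)
    mons = monomials(n)
    diag = [m * n - m * (m - 1) // 2 for m in range(n)]   # index of x_m*x_m
    mults = 0
    values = []
    u = [0] * n                        # structured columns of w_k
    for k, (quad, lin, const) in enumerate(key):
        if k == 0:                     # full computation for the first polynomial
            for t in range(D):
                i, j = mons[t]
                u[j] = (u[j] + base[t] * s[i]) % Q
            mults += D
        else:                          # shift the previous vector: v new products
            nxt = [base[(D - k) % D] * s[0] % Q]
            for j in range(1, n):
                term = u[j - 1]
                if j < v:
                    term += base[(diag[j] - k) % D] * s[j]
                nxt.append(term % Q)
            mults += v
            u = nxt
        # random-looking part done the standard way: oil*oil columns, then the
        # last column holding the linear terms and the constant
        w = list(u)
        for t in range(D, len(mons)):
            i, j = mons[t]
            w[j] = (w[j] + quad[t] * s[i]) % Q
        w.append((sum(c * x for c, x in zip(lin, s)) + const) % Q)
        mults += len(mons) - D + n
        values.append((sum(w[j] * s[j] for j in range(n)) + w[n]) % Q)
        mults += n
    return values, mults


def verify(values, h):
    """Accept the signature iff the public key evaluated at s equals the hash h."""
    return values == h


def demo(o, v, seed=2013):
    """Evaluate a random key at a random vector both ways; return the values
    and multiplication counts so the two approaches can be compared."""
    rng = random.Random(seed)
    base, key = gen_public_key(o, v, rng)
    s = [rng.randrange(Q) for _ in range(o + v)]
    std, m_std = evaluate_standard(key, s)
    fast, m_fast = evaluate_circulant(base, key, s, v)
    return std, fast, m_std, m_fast


if __name__ == "__main__":
    std, fast, m_std, m_fast = demo(2, 4)
    print("standard:", std, m_std, "mults")
    print("circulant:", fast, m_fast, "mults")
    print("accepted:", verify(fast, std))
```

Running the block evaluates a random key at a random vector: with (o,v)=(2,4) the standard route uses 75 multiplications and the circulant one 52, and the gap widens with the parameters, since the structured part of every polynomial after the first costs only v products instead of v(v+1)/2 + v·o.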

  16. Extension to Rainbow
  • Several layers of Oil and Vinegar → Use the same idea as for UOV for each Rainbow layer separately

  17. Hybrid approach (eprint)
  • Evaluate the structured part with the alternative approach and the random looking part with the standard approach
  (Figure: UOV)

  18. Hybrid approach (2)
  (Figure: Rainbow, first layer)

  19. Hybrid approach (3)
  (Figure: Rainbow, second layer)

  20. Application to QUAD (eprint)
  • The systems and can be chosen partially circulant
  • Experiments indicate that this does not weaken the security of the scheme → Key stream generation can be sped up significantly

  21. Experiments and Results (1)
  • Implementation in C
  • Lenovo ThinkPad, Intel Core 2 Duo 2.53 GHz, 4 GB RAM

  22. Experiments and Results (2)

  23. Experiments and Results (3)

  24. Conclusion
  Structured versions of UOV
  • Reduce public key size
  • Speed up the verification process
  • Technique can be extended to Rainbow and QUAD
  (Figure values: 15,777 cycles/byte; 99.9 kB; 0.98 ms; 0.26 ms; 0.19 ms; 16.5 kB; 0.12 ms; 2,820 cycles/byte)

  25. Thank you for your attention
  Questions?
  www.eprint.iacr.org/2013/263
  www.eprint.iacr.org/2013/315
