1 / 19

Multivariate Signature Scheme using Quadratic Forms

Multivariate Signature Scheme using Quadratic Forms. Takanori Yasuda (ISIT) Joint work with Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ.). Workshop on Solving Multivariate Polynomial Systems and Related Topics. Contents. Multivariate Signature Schemes Quadratic Forms

chogan
Download Presentation

Multivariate Signature Scheme using Quadratic Forms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multivariate Signature Scheme using Quadratic Forms Takanori Yasuda (ISIT) Joint work with Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ.) Workshop on Solving Multivariate Polynomial Systems and Related Topics

  2. Contents • Multivariate Signature Schemes • Quadratic Forms • Multivariate System defined by Quadratic Forms • Application to Signature Scheme • Comparison with Rainbow • Efficiency of Signature Generation • Key Sizes • Security • Conclusion

  3. MPKCSignature : multivariate polynomial map Vector space Vector space Inverse function Signature Message For any message M, there must exist the corresponding signature. F is surjective.

  4. New Multivariate Polynomial Map • We introduce a multivariate polynomial map not surjective, and apply it to signature. Multivariate polynomial map For a symmetric matrix A, where is a matrix of variables of size . is a map which assigns a matrix to a matrix. G can be regarded as a multivariate polynomial map.

  5. Problems of G Is G applicable to signature or not? Problems Can its inverse map be computed efficiently? Necessary to compute for a message M in order to generate a signature. 2. Is it surjective or not? For any message M, necessary to generate its signature.

  6. Quadratic Forms • Definition 1 : Field with odd characteristic (or 0) : Natural number is a quadratic form for some symmetric matrix • Definition 2 , : quadratic forms associated to and are isometric for some

  7. Translation of problems of in terms of quadratic form • Equation • Restrict solution • Problem 1’ For , , isometric each other, find a translation matrix efficiently. • Problem 2’ For any , , are and isometric or not? (: symmetric matrices) =

  8. How to compute the inverse map Simple case Problem 1’ is equivalent to Problem 1’’: Find an orthonormal basis of with respect to . Orthonormal basis: in for for

  9. Real field Case • : real field Gram-Schmidt orthonormalizationprovides an efficient algorithm to solve Problem 1’’. It uses special property of . Fact: is anisotropic. Definition: A quadratic form is anisotropic for any , We want to apply Gram-Schmidt orthonormalization technique to the case of finite fields.

  10. Finite Field Case • However, we can extend Gram-Schmidt orthonormalization by inserting a step: Fact Let be a finite field. Any quadratic form on () is not anisotropic. We cannot apply Gram-Schmidt orthonormalizationdirectly. If , then find another element such that . Solve Problem 1’

  11. Problem 2 • Definition : quadratic form associated to . is nondegeneratedet Classification theorem (if K has odd characteristic) Any nondegenerate quadratic form is isometric to either or .

  12. Classification Theorem • For any (nondegenerate) message , either has a solution. • or is determined by det. • In the degenerate case, both equations have solutions. • or is not surjective. • However, we can apply this map to MPKC signature. or

  13. Application to MPKC Signature Scheme • Secret Key , , , • Public Key , , affine transformations defined by , defined by ,

  14. Signature Generation • For any symmetric matrix , • Step 1 Apply the extended Gram-Schmidt orthonormalization to . • Find a solution of either • Step 2 Compute or . or is a solution of or .

  15. Property of Our Scheme • Respective map or is not surjective. • However, the union of images of these maps covers the whole space.

  16. Property of Our Scheme Multivariate Polynomial Maps Rainbow HFE Surjective UOV MI Proposal Not Surjective

  17. Security of Our Scheme • There are several attacks of MPKCsignature schemes which depend on the structure of central map. • For example, UOVattack is an attackwhich transforms public key into a form of central map of UOV scheme. • Central maps of UOVarasurjective. • The public key of our scheme cannot be transformed into any surjective map. • These attacks is not applicable against our scheme.(Other example: Rainbow-band-separationattack, UOV-Reconciliationattack) • However, attacks which is independent of scheme, like direct attacks, are applicable to our scheme.

  18. Comparison with Rainbow • Equivalent with respect to cost of verification and public key length. • Cost of signature generation (number of mult.) • Proposal • Rainbow  ⇒ 8 or 9 times more efficient at the level of 88-bit security. • Secret Key Size(number of elements of field) • Proposal • Rainbow Compared in the case that and are same for public key F :

  19. Conclusion • We propose a new MPKC signature scheme using quadtaci forms. The multivariate polynomial map used in the scheme is not surjective. • Signature generation uses an extended Gram-Schmidt orthonormalization. It is 8 or 9 times more efficient than that of Rainbow at the level of 88-bit security. Future Work • Security analysis • Application to encryption scheme

More Related