Fast Verification for Improved Versions of the UOV and Rainbow Signature Schemes Albrecht Petzoldt, Stanislav Bulygin and Johannes Buchmann TU Darmstadt, Germany PQCrypto 2013 Limoges, France 05. June 2013

Outline 1.Motivation: Multivariate Cryptography 2.The UOV Signature Scheme 3.UOV Schemes with partially circulant Public Key 4.The Verification Process 5.Extension to Rainbow 6.Hybrid approach and Application to QUAD (  eprint) 7.Experiments and Results 8.Conclusion | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 2

Multivariate Cryptography | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 3 Problem MQ: Finding a vector such that is a hard task.

Multivariate Cryptography (2) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 4 Construction Start with an easily invertible quadratic map (central map) Combine it with two invertible affine maps and The public key is supposed to look like a random system

Multivariate Cryptography (3) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 5 Signature generation: For a hashvalue compute recursively, and. The signature of the document is. Signature verification: To verify the authenticity of a signature, one computes. If holds, the signature is accepted, otherwise rejected. Signature Schemes

Multivariate Cryptography (4) Advantages: Secure against attacks with quantum computers Great diversity of schemes and variations Enables fast en- and decryption as well as signature generation and verification Requires modest computational resources  Can be implemented on low cost smart cards | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 6

Multivariate Cryptography (5) Major Drawbacks Relatively young field of Research  Security is not so well understood No explicit parameter choices to meet given security levels known Large size of the public and private keys  Multivariate Cryptography is not yet widely spread | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 7

The UOV Signature Scheme  Two types of variables: Vinegar and Oil  Central map  Inversion of 1.Choose the Vinegar variables at random 2.Solve the resulting linear system for the Oil variables  Public Key: with an affine map.  Private Key:, | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 8 linear constant linear in O o equa- tions

Partially Circulant UOV Schemes           | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 9

Partially Circulant UOV Schemes (2) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 10

Partially Circulant UOV Schemes (2) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 11 linear terms

Partially Circulant UOV Schemes (2) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 12 linear terms

The verification process (1) Standard approach  Signature  Vector  Macauley matrix | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 13

The verification process (2) Alternative approach  extended signature vector  Matrix MP (k) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 14

Example (o,v)=(2,4) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 15 =( as 1, bs 1 +gs 2, cs 1 +hs 2 +ls 3, ds 1 +is 2 +ms 3 +ps 4, es 1 +js 2 +ns 3 +qs 4 + , fs 1 +ks 2 +os 3 +rs 4 + ,  ) (s 1, …, s 6,1) T = ( rs 1, as 1 +fs 2, bs 1 +gs 2 +ks 3, cs 1 +hs 2 +ls 3 +os 4, ds 1 +is 2 +ms 3 +ps 4 + , es 1 +js 2 +ns 3 +qs 4 + ,  ) (s 1, …, s 6,1) T

Extension to Rainbow | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 16  Several layers of Oil and Vinegar Use the same idea as for UOV for each Rainbow layer separately

Hybrid approach (  eprint)  Evaluate the structured part with the alternative approach and the random looking part with the standard approach UOV | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 17

Hybrid approach (2) Rainbow First layer | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 18

Hybrid approach (3) Rainbow Second layer | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 19

Application to QUAD (  eprint)  The systems and can be chosen partially circulant  Experiments indicate that this does not weaken the security of the scheme  Key stream generation can be sped up significantly | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 20

Experiments and Results (1) Public key size (kB) reduction factor Verification time (ms) Speed up factor UOV(256,28,56) (standard) cyclicUOV(256,28,56) (alternative) (hybrid) 5.5 UOV(31,33,66) (standard) cyclicUOV(31,33,66) (alternative) (hybrid) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 21 Implementation in C Lenovo ThinkPad, Intel Core 2Duo 2.53 GHz, 4 GB RAM

Experiments and Results (2) Public key size (kB) reduction factor Verification time (ms) Speed up factor Rainbow(256,17,13,13) (standard) cyclicRainbow (256,17,13,13) (alternative) (hybrid) 2.1 Rainbow(31,14,19,14) (standard) cyclicRainbow (31,14,19,14) (alternative) (hybrid) | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 22

Experiments and Results (3) Data throughput (kB/s) CPUcycles/byteSpeed up factor QUAD(16,30) ,265 cyclicQUAD(16,30) , QUAD(256,26) ,777 cyclicQUAD(256,26) , | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | 23

Conclusion Structured versions of UOV  Reduce public key size  Speed up the verification process  Technique can be extended to Rainbow and QUAD | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | kB 16.5 kB 0.98 ms 0.19 ms 15,777 cycles/byte 2,820 cycles/byte 0.26 ms 0.12 ms

Thank you for your attention | PQCrypto 2013 | Albrecht Petzoldt | TU Darmstadt | Questions? 0.98 ms 0.19 ms 0.26 ms 0.12 ms