Transcript Problems

Multivariate Signature Scheme using Quadratic Forms

Takanori Yasuda (ISIT)

Joint work with Tsuyoshi Takagi (Kyushu Univ.), Kouichi Sakurai (Kyushu Univ.)

Workshop on Solving Multivariate Polynomial Systems and Related Topics, 2013/3/3

Contents

1. Multivariate Signature Schemes
2. Quadratic Forms
3. Multivariate System defined by Quadratic Forms
4. Application to Signature Scheme
5. Comparison with Rainbow
   1. Efficiency of Signature Generation
   2. Key Sizes
   3. Security
6. Conclusion

MPKC Signature

$F: K^n \to K^m$ : multivariate polynomial map

[Figure: $F$ maps the vector space $K^n$ to the vector space $K^m$; the inverse function $F^{-1}$ takes a message $M$ to its signature $S = F^{-1}(M)$.]

For any message $M$, there must exist the corresponding signature.

$F$ is surjective.

New Multivariate Polynomial Map

• We introduce a multivariate polynomial map that is not surjective, and apply it to signatures.

Multivariate polynomial map $G$: for a symmetric matrix $A$,

$G(X) = X \cdot A \cdot X^T$

where $X = (x_{ij})$ is a matrix of variables of size $r \times r$.

$G$ is a map which assigns a matrix to a matrix. $G$ can be regarded as a multivariate polynomial map $K^{r^2} \to K^{r^2}$.

Problems of G

Is G applicable to signature or not?

Problems

1. Can its inverse map be computed efficiently?

It is necessary to compute $G^{-1}(M)$ for a message $M$ in order to generate a signature.

2. Is it surjective or not?

For any message $M$, it is necessary to generate its signature.

Quadratic Forms

Definition 1

$K$ : field with odd characteristic (or 0)

$r$ : natural number

$q: K^r \to K$ is a quadratic form if $q(x) = x \cdot A \cdot x^T$ for some symmetric matrix $A$.

Definition 2

$q_A$, $q_B$ : quadratic forms associated to $A$, $B$

$q_A$ and $q_B$ are isometric if $C \cdot A \cdot C^T = B$ for some $C \in GL(r, K)$.

Translation of problems of $G$ in terms of quadratic forms

Equation ($A$, $B$ : symmetric matrices)

$G(X) = X \cdot A \cdot X^T = B$

• Restrict the solution to $X \in GL(r, K)$

o Problem 1': For $q_A$, $q_B$ isometric to each other, find a translation matrix $C$ efficiently.

o Problem 2': For any $q_A$, $q_B$, are $q_A$ and $q_B$ isometric or not?

How to compute the inverse map

Simple case

$A = I_r = \begin{pmatrix} 1 & & 0 \\ & \ddots & \\ 0 & & 1 \end{pmatrix}$

Problem 1' is equivalent to

Problem 1'': Find an orthonormal basis of $K^r$ with respect to $q_B$.

Orthonormal basis: $v_1, \dots, v_r$ in $K^r$ with

$q_B(v_i) = 1$ for $i = 1, \dots, r$,

$q_B(v_i, v_j) := v_i \cdot B \cdot v_j^T = 0$ for $i \neq j$.

Real field Case

$K = \mathbf{R}$ : real field

Gram-Schmidt orthonormalization provides an efficient algorithm to solve Problem 1''.

It uses a special property of $q_A = q_{I_r}$.

Fact: $q_A = q_{I_r}$ is anisotropic.

Definition: A quadratic form $q$ is anisotropic if $q(v) \neq 0$ for any $v\ (\neq 0) \in K^r$.

We want to apply the Gram-Schmidt orthonormalization technique to the case of finite fields.

Finite Field Case

Fact: Let $K$ be a finite field. Any quadratic form on $K^r$ ($r \geq 3$) is not anisotropic.

We cannot apply Gram-Schmidt orthonormalization directly.

• However, we can extend Gram-Schmidt orthonormalization by inserting a step: if $q(v) = 0$, then find another element $v'$ such that $q(v') \neq 0$.

This solves Problem 1'.

Problem 2

Definition

$q_A$ : quadratic form associated to $A$.

$q_A$ is nondegenerate if $\det(A) \neq 0$.

Classification theorem (if $K$ has odd characteristic): Any nondegenerate quadratic form is isometric to either $q_{A_1}$ or $q_{A_\delta}$.


Classification Theorem

• For any (nondegenerate) message $M$, either $X \cdot A_1 \cdot X^T = M$ or $X \cdot A_\delta \cdot X^T = M$ has a solution.

• $A_1$ or $A_\delta$ is determined by $\det(M)$.

• In the degenerate case, both equations have solutions.

• $G(X) = X \cdot A_1 \cdot X^T$ or $G(X) = X \cdot A_\delta \cdot X^T$ is not surjective.

• However, we can apply this map to MPKC signature.

Application to MPKC Signature Scheme

• Secret Key

$C_1, C_\delta \in GL(r, K)$

$A_1 := C_1 \cdot A_1 \cdot C_1^T$, $A_\delta := C_\delta \cdot A_\delta \cdot C_\delta^T$

$G_1(X) = X \cdot A_1 \cdot X^T$, $G_\delta(X) = X \cdot A_\delta \cdot X^T$

$L: K^m \to K^m$, $R: K^n \to K^n$ : affine transformations

• Public Key

$m = r(r+1)/2$, $n = r^2$

$F_1: K^n \to K^m$ defined by $F_1 = L \circ G_1 \circ R$

$F_\delta: K^n \to K^m$ defined by $F_\delta = L \circ G_\delta \circ R$


Signature Generation

For any symmetric matrix $M$:

• Step 1: Apply the extended Gram-Schmidt orthonormalization to $M$.

o Find a solution $X = D$ of either $X \cdot A_1 \cdot X^T = M$ or $X \cdot A_\delta \cdot X^T = M$.

• Step 2: Compute $E = C_1^{-1} \cdot D$ or $E = C_\delta^{-1} \cdot D$.

$X = E$ is a solution of $G_1(X) = M$ or $G_\delta(X) = M$.
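Step 1 for a nondegenerate symmetric $M$, as an added example (not code from the slides): the extended Gram-Schmidt step over a toy field, returning $X$ and $d \in \{1, \delta\}$ with $X \cdot A_d \cdot X^T = M$. Assumptions not on the page: $K = F_7$, $\delta = 3$, $A_1 = I_r$, $A_\delta = \mathrm{diag}(1, \dots, 1, \delta)$, brute-force square roots, and all function names; Step 2 with the secret $C$ is not covered.

```python
# Assumed, not from the slides: K = F_7, delta = 3, A_1 = I, A_delta = diag(1,...,1,delta)
P, DELTA = 7, 3

def bil(u, M, v):                  # bilinear form u . M . v^T over F_P
    return sum(a * M[i][j] * b for i, a in enumerate(u) for j, b in enumerate(v)) % P
def comb(a, u, b, v):              # a*u + b*v over F_P
    return [(a * x + b * y) % P for x, y in zip(u, v)]

def orthogonal_basis(M):           # extended Gram-Schmidt for nondegenerate symmetric M
    W, out = [[int(i == j) for j in range(len(M))] for i in range(len(M))], []
    while W:
        k = next((i for i, w in enumerate(W) if bil(w, M, w)), None)
        if k is None:              # inserted step: every q(w) = 0, so take v' = w_0 + w_j
            j = next(j for j in range(1, len(W)) if bil(W[0], M, W[j]))
            W[0], k = comb(1, W[0], 1, W[j]), 0
        v = W.pop(k)
        c = pow(bil(v, M, v), -1, P)
        W = [comb(1, w, -bil(w, M, v) * c, v) for w in W]   # make the rest orthogonal to v
        out.append(v)
    return out

def invert(V):                     # Gauss-Jordan inverse over F_P
    r = len(V)
    A = [row + [int(i == j) for j in range(r)] for i, row in enumerate(V)]
    for c in range(r):
        p = next(i for i in range(c, r) if A[i][c])
        A[c], A[p] = A[p], A[c]
        A[c] = comb(pow(A[c][c], -1, P), A[c], 0, A[c])
        A = [row if i == c else comb(1, row, -row[c], A[c]) for i, row in enumerate(A)]
    return [row[r:] for row in A]

def solve(M):                      # (X, d) with X . A_d . X^T = M, A_d = diag(1,...,1,d)
    ones, deltas = [], []
    for v in orthogonal_basis(M):
        q = bil(v, M, v)
        t = 1 if pow(q, (P - 1) // 2, P) == 1 else DELTA    # is q a square?
        s = next(s for s in range(1, P) if s * s * q % P == t)
        (ones if t == 1 else deltas).append(comb(s, v, 0, v))   # rescale so q(v) = t
    x, y = next((x, y) for x in range(P) for y in range(P) if (x*x + y*y) * DELTA % P == 1)
    while len(deltas) > 1:         # diag(DELTA, DELTA) is isometric to diag(1, 1)
        u, w = deltas.pop(), deltas.pop()
        ones += [comb(x, u, y, w), comb(y, u, -x, w)]
    return invert(ones + deltas), (DELTA if deltas else 1)  # X = V^{-1}, V.M.V^T = A_d

def G(X, d):                       # G(X) = X . A_d . X^T
    diag = [1] * (len(X) - 1) + [d]
    return [[sum(a * b * e for a, b, e in zip(u, v, diag)) % P for v in X] for u in X]
```

For `M = [[0, 1], [1, 0]]`, where every standard basis vector has $q(v) = 0$, the inserted step fires and `solve` returns `d = 3`, matching the non-square determinant of `M`.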


Property of Our Scheme

• Neither of the maps $G_1$, $G_\delta$ is surjective on its own.

• However, the union of the images of these maps covers the whole space.

[Figure: $G_1$ and $G_\delta$ map $K^n$ into $K^m$.]

Property of Our Scheme

Multivariate polynomial maps

• Surjective: Rainbow, HFE, UOV, MI

• Not surjective: Proposal


Security of Our Scheme

• There are several attacks on MPKC signature schemes which depend on the structure of the central map.

• For example, the UOV attack is an attack which transforms the public key into the form of the central map of the UOV scheme.

o Central maps of UOV are surjective.

o The public key of our scheme cannot be transformed into any surjective map.

• These attacks are not applicable against our scheme. (Other examples: Rainbow-band-separation attack, UOV-Reconciliation attack)

• However, attacks which are independent of the scheme, like direct attacks, are applicable to our scheme.

Comparison with Rainbow

• Compared in the case that $m$ and $n$ for the public key $F: K^n \to K^m$ are the same. Equivalent with respect to cost of verification and public key length.

• Cost of signature generation (number of mult.)

⇒ 8 or 9 times more efficient at the level of 88-bit security.

• Secret key size (number of elements of field)

o Proposal: $O(n^2)$

o Rainbow: $O(n^3)$

Conclusion

• We propose a new MPKC signature scheme using quadratic forms. The multivariate polynomial map used in the scheme is not surjective.

• Signature generation uses an extended Gram-Schmidt orthonormalization. It is 8 or 9 times more efficient than that of Rainbow at the level of 88-bit security.


Future Work

• Security analysis

• Application to encryption scheme