Post-quantum digital signature scheme based on multivariate cubic problem

https://doi.org/10.1016/j.jisa.2020.102512

Abstract

Today, with the advent of internet technology, we are turning to e-mechanisms such as e-voting, e-commerce, e-learning, etc., where electronic information is transferred between entities via a public network. However, e-mechanisms require the integrity, authenticity and non-repudiability of the transmitted electronic information. The digital signature is a technique that allows users to attain these properties during the transmission of information via a public channel. The existing digital signature schemes based on number-theoretic assumptions are vulnerable to quantum attacks due to the development of quantum computers. Thus, there is a need for a quantum-computer-resistant digital signature scheme, i.e., a post-quantum digital signature. Multivariate Public Key Cryptography (MPKC) is one of the most promising candidates for post-quantum cryptography, as MPKC based constructions are computationally fast and need only modest computational resources. In the literature, there are a few multivariate digital signature schemes based on the Multivariate Quadratic (MQ) problem. However, the design of efficient digital signature schemes based on higher-degree (degree > 2) multivariate polynomials is still an open problem. Generally, the problem for multivariate polynomials of degree > 2 is expected to be at least as hard as the quadratic one. In this paper, we design a digital signature framework based on the Multivariate Cubic (MC) problem to address this issue. The signature size in our scheme is smaller than in all the existing MPKC based signature schemes under the same security assumptions.

Introduction

In everyday life, the internet has become an efficient and user-friendly means of communication, and cryptosystems are designed and developed to ensure secure and private communication among individuals and organizations. Public key cryptography (PKC) is an essential tool that protects information as it travels over an insecure channel. Existing PKC is built on the hardness of the integer factorization and elliptic curve discrete logarithm (ECDL) problems. Currently, both problems are believed to be hard, and existing PKC is able to provide a secure and privacy-preserving environment. However, a serious problem will arise when a large-scale functional quantum computer is introduced, since the factorization and ECDL problems could then be solved efficiently by running Shor's algorithm on it.

Although it was less apparent in the past that scalable quantum computers are physically possible, many researchers now believe that they are, and even predict that within the next two decades efficient and scalable large quantum computers will be developed that collapse existing PKC-based schemes. Hence, irrespective of whether one can predict the exact arrival time of the quantum computer era, the construction of security systems that resist quantum attacks must be a focus. To counter this threat, work on Post-Quantum Cryptography (PQC) has been initiated and welcomed; it includes the study of algorithms that remain unbreakable in polynomial time on a full-scale quantum computer.

Digital signatures are designed and developed to provide authorized verification of transmitted digital messages/documents. A digital signature is a mathematical application of asymmetric cryptography that is used to verify the authenticity of digital content. Fig. 1 provides a brief overview of the communication flow in a signature scheme.

For the adoption of digital signatures in real-time systems, a digital signature must satisfy the following properties:

  • Integrity: It ensures that the message is not altered during the transmission of data.

  • Authentication: It specifies that the sender and the intended receiver must be correctly identified.

  • Nonrepudiation: It ensures that neither the destination can deny the receipt of the message nor the source can deny the transmission of the message.

Most modern digital signature schemes depend on number-theoretic problems such as the discrete logarithm problem [45] and the factoring problem [42]. These number-theoretic problems are solvable in polynomial time on a quantum machine due to Shor's algorithm [44]. As a consequence, researchers have started exploring and designing digital signatures that would be able to resist quantum attacks. Such digital signatures fall under the category of post-quantum cryptography (PQC) [4].

Multivariate cryptography is one of the leading candidates for PQC based digital signatures. Schemes based on multivariate cryptography are computationally very fast. Moreover, they need only modest computational resources. These properties make multivariate cryptography interesting for use on low-cost devices [6], [8].

A Multivariate Public Key Cryptosystem (MPKC) is a public key cryptosystem in which a set of multivariate polynomials is used as the public key. These cryptosystems are based on the assumption that solving a system of multivariate polynomial equations over a finite field is cryptographically hard. In particular, if the polynomials are of degree two, the problem is known as the multivariate quadratic (MQ) problem, while it is known as the multivariate cubic (MC) problem if the polynomials are of degree three. Both problems are NP-complete [21], [37]. However, the MC problem is expected to be at least as hard as the MQ problem. A public key for an MPKC of degree three has the following form over the finite field:

$$
\begin{aligned}
p_1(x_1,\ldots,x_n) &= \sum_{1\le i\le j\le k\le n} \alpha^{(1)}_{ijk}\, x_i x_j x_k + \sum_{1\le i\le j\le n} \beta^{(1)}_{ij}\, x_i x_j + \sum_{i=1}^{n} \gamma^{(1)}_{i}\, x_i + \delta^{(1)} \\
p_2(x_1,\ldots,x_n) &= \sum_{1\le i\le j\le k\le n} \alpha^{(2)}_{ijk}\, x_i x_j x_k + \sum_{1\le i\le j\le n} \beta^{(2)}_{ij}\, x_i x_j + \sum_{i=1}^{n} \gamma^{(2)}_{i}\, x_i + \delta^{(2)} \\
&\;\;\vdots \\
p_m(x_1,\ldots,x_n) &= \sum_{1\le i\le j\le k\le n} \alpha^{(m)}_{ijk}\, x_i x_j x_k + \sum_{1\le i\le j\le n} \beta^{(m)}_{ij}\, x_i x_j + \sum_{i=1}^{n} \gamma^{(m)}_{i}\, x_i + \delta^{(m)}.
\end{aligned}
\tag{1.1}
$$

If multivariate cryptographic primitives are used as the building blocks of a digital signature scheme, the result is known as a multivariate signature. An overview of an MPKC based digital signature scheme is depicted in Fig. 2, where $pk = P = S \circ F \circ T : (\mathbb{F}_q)^n \to (\mathbb{F}_q)^m$ is the verification key and $sk = (S, F, T)$ is the signing key.
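As an added illustration (not code from the paper), the following Python toy makes the structure of Fig. 2 and the cubic public key form above concrete: the public key is obtained by symbolically expanding $P = S \circ F \circ T$ into explicit cubic polynomials, signing inverts $S$, $F$ and $T$ in turn, and verification only evaluates the public polynomials. It assumes the prime field $\mathbb{F}_7$ in place of GF(256), $n = m = 3$, and a tame triangular cubic central map $F$ instead of the HFE-based OHV central map; all of these are constructed here for illustration.

```python
"""Toy MPKC signature in the shape of Fig. 2: pk = P = S∘F∘T, sk = (S, F, T). Assumed, not from
the paper: prime field F_7 instead of GF(256), n = m = 3, and a tame cubic central map F."""
import hashlib, itertools, math, random
Q, N = 7, 3  # assumed toy parameters: field size and number of variables

class Poly:  # multivariate polynomial over F_Q stored as {exponent tuple: coefficient}
    def __init__(self, t): self.t = {e: c % Q for e, c in t.items() if c % Q}
    def __add__(self, o):
        r = dict(self.t)
        for e, c in lift(o).t.items(): r[e] = r.get(e, 0) + c
        return Poly(r)
    def __mul__(self, o):
        r = {}
        for (e1, c1), (e2, c2) in itertools.product(self.t.items(), lift(o).t.items()):
            e = tuple(a + b for a, b in zip(e1, e2)); r[e] = r.get(e, 0) + c1 * c2
        return Poly(r)
    __radd__, __rmul__ = __add__, __mul__
    def __call__(self, x):  # evaluate at a point x of F_Q^N
        return sum(c * math.prod(pow(v, k, Q) for v, k in zip(x, e)) for e, c in self.t.items()) % Q
def lift(o): return o if isinstance(o, Poly) else Poly({(0,) * N: o})  # constant -> Poly
X = [Poly({tuple(int(i == j) for j in range(N)): 1}) for i in range(N)]  # variables x_1..x_N
def affine(A, b, v):  # x -> A·x + b on a vector of field elements or of Poly
    out = [sum(A[i][j] * v[j] for j in range(N)) + b[i] for i in range(N)]
    return [o % Q if isinstance(o, int) else o for o in out]

def inv_matrix(A):  # Gauss-Jordan inverse mod Q; None when A is singular
    M = [r[:] + [int(i == j) for j in range(N)] for i, r in enumerate(A)]
    for c in range(N):
        p = next((r for r in range(c, N) if M[r][c]), None)
        if p is None: return None
        M[c], M[p] = M[p], M[c]
        M[c] = [v * pow(M[c][c], Q - 2, Q) % Q for v in M[c]]
        for r in range(N):
            if r != c: M[r] = [(a - M[r][c] * s) % Q for a, s in zip(M[r], M[c])]
    return [r[N:] for r in M]

def F(y):  # assumed tame cubic central map; invertible one coordinate at a time
    return [y[0], y[1] + y[0] * y[0] * y[0], y[2] + y[0] * y[1] * y[1]]
def F_inv(z):  # inverse of F on field elements (needs no secret beyond F itself)
    y0, y1 = z[0], (z[1] - z[0] ** 3) % Q
    return [y0, y1, (z[2] - y0 * y1 ** 2) % Q]

def keygen(seed=1):
    rng = random.Random(seed)
    def rand_affine():  # resample until the linear part is invertible
        while True:
            A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
            if inv_matrix(A): return A, [rng.randrange(Q) for _ in range(N)]
    S, T = rand_affine(), rand_affine()
    pk = affine(*S, F(affine(*T, X)))  # expand P = S∘F∘T into N explicit cubic polynomials
    return pk, (S, T)

def hash_to_field(msg):  # digest mapped into F_Q^N (toy: biased byte reduction)
    return [b % Q for b in hashlib.sha256(msg).digest()[:N]]
def sign(sk, msg):  # invert S, then F, then T; only the holder of sk can do this
    (SA, Sb), (TA, Tb) = sk
    y = affine(inv_matrix(SA), [0] * N, [h - b for h, b in zip(hash_to_field(msg), Sb)])
    return affine(inv_matrix(TA), [0] * N, [w - b for w, b in zip(F_inv(y), Tb)])
def verify(pk, msg, sig):  # anyone can check P(sig) == H(msg) from the public polynomials
    return [p(sig) for p in pk] == hash_to_field(msg)
```

Because the hidden map is a bijection here, the public polynomials have degree exactly three and any change to a valid signature fails verification.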

A practical multivariate signature scheme, namely “Oil and Vinegar”, was developed by Patarin [34]. The scheme is straightforward and fast, and its space complexity is minimal. The main idea is to hide quadratic equations over a finite field $\mathbb{F}_q$ using secret linear functions. The quadratic equations in this scheme contain o=n oil variables and v=n vinegar variables. Unfortunately, the scheme was broken by Kipnis and Shamir [27]. In the following year, Kipnis et al. [26] constructed a simple variation of [34] in which the number of vinegar variables v is greater than the number of oil variables n. Their scheme is known as “Unbalanced Oil and Vinegar” (UOV). They proved that the attack of [27] can be extended while v ≃ n, but for suitable parameters (for instance v ≥ 2n) the scheme is believed to offer high security. Patarin et al. [35], [36] proposed two multivariate signature schemes, SFlash based on MI [29] and QUARTZ based on HFEv- [26], [33] respectively. Among these, SFlash is vulnerable to the attack of [17]. On the other hand, QUARTZ generates very short signatures (128 bit), but very slowly. Later, a multivariate signature scheme TTS, based on Tame Transformations (Tame Maps), was developed by Chen and Yang [11]. This scheme was broken by Ding et al. [16]. Subsequently, Ding and Schmidt [15] proposed a multilayer UOV protocol known as Rainbow. This signature scheme reduces the key and signature sizes of UOV and improves on UOV's performance. Moreover, in terms of signature generation time, Rainbow works better than SFlash. Later, Petzoldt et al. [39] improved the Rainbow signature scheme to design a signature scheme called CyclicRainbow. It reduces the public key size by up to 62% and the number of field multiplications required during verification by 30%. Subsequently, an HFEv- based multivariate signature scheme (namely Gui) was proposed by Petzoldt et al. [41]. Due to its special design, one can generate a secure signature of size 120 bits (for 80-bit security), which is the shortest among all existing classical and post-quantum signatures. However, for efficiency reasons, the underlying field is chosen to be a small finite field. This makes it hard to scale the scheme to higher security levels and leads to large key sizes. Applying the Vinegar variation to MultiHFE [9], Petzoldt et al. [40] developed a multivariate signature scheme called HMFEv. Unlike other HFE based schemes such as Gui, HMFEv can be defined over arbitrary base fields. Unfortunately, the security of [40] was broken by Hashimoto [24]. Chen et al. [12] developed the first provably secure multivariate signature scheme, MQDSS, in the random oracle model by applying the Fiat-Shamir transform [20] to the 5-pass identification protocol of [43]. Later on, Chen et al. [13] proposed an MQ based signature scheme, namely SOFIA, which is proven secure in the quantum random oracle model. Recently, Akleylek et al. [1] constructed an MQ based signature scheme by designing a new 3-pass identification protocol in the random oracle model. In the signature schemes [1], [12], [13], the public key sizes are very small due to the use of pseudorandom generators for generating the respective MQ system. However, from the signature size and performance point of view, [1], [12], [13] are less efficient than Rainbow. In addition, each of [1], [12], [13] has a (negligible) knowledge error. More recently, Akleylek et al. [2] presented a method for computing the polar form of multivariate polynomials of arbitrary degree and used it to propose a generic framework for designing identification protocols for Internet-of-Things and RFID applications. They stated that a signature scheme can be constructed from their identification protocol.

Nie et al. [31] proposed a digital signature scheme, namely CUOV. Later, Duong et al. [18] constructed the digital signature schemes CSSv and SVSv2 by modifying the work of [31]. Unfortunately, the security of the schemes in [18] was broken by Hashimoto [23] due to the structure of their central maps.

Apart from the aforementioned works, there are many other candidates [10], [14], [25], [28], [30] as applications of multivariate digital signature.

  • A protocol is said to be secure under some computational hardness assumption if the underlying problem cannot be solved in polynomial time. Today, most of the existing digital signature schemes are based on number-theoretic problems, which are easily solvable by a quantum computer in polynomial time due to Shor's algorithm [44]. As a consequence, researchers have started exploring and designing digital signature schemes that would be resistant to attacks by quantum computers. Such cryptographic protocols fall under post-quantum cryptography. Recently, MPKC based constructions of digital signatures have become potential candidates for post-quantum cryptography as they are very efficient.

  • Considering the state-of-the-art algorithms [5], [7], [19], there are fewer ways to solve the MC problem than the MQ problem, as the latter is a particular case of the former. Thus, from the security perspective, it is desirable to design protocols based on the more intractable problem. Unfortunately, most of the existing multivariate digital signature schemes are not proven secure under the hardness of the MC problem. Thus, designing a reliable and efficient MC based multivariate digital signature scheme becomes an exciting direction of research.

  • To fill this gap, we propose an MC based multivariate digital signature scheme, namely OHV. We use the idea of multilayer UOV, i.e., the Rainbow signature scheme [15], to develop the proposed OHV scheme. The central map of HFE [33] is used as the building block of the OHV design. However, any MQ based central map whose domain and range have the same dimension (i.e., a map from $\mathbb{F}_q^n$ to $\mathbb{F}_q^n$) can be used in our construction.

  • Signature size and public key size are the two main parameters determining the efficiency of a signature scheme. From the signature size point of view, the proposed OHV scheme performs better than the existing MPKC based digital signature schemes at the same security level. Unfortunately, to achieve security under a more intractable problem (the MC problem), the proposed design faces the limitation of a large public key size. In contrast to [18], [31], the proposed scheme resists the attacks of Hashimoto [23] due to the particular structure of its central map.

Organization

The rest of this work is organized as follows. We provide preliminaries in Section 3. Section 4 gives the construction of our protocol followed by its security proof and efficiency analysis in Sections 5 and 6 respectively. Finally, the work is concluded in Section 7.

Preliminaries

Basic notations. Throughout the paper, $\mathbb{F}_q$ represents a finite field of characteristic q, $\mathbb{F}_{q^l}$ denotes the degree-$l$ ($l \in \mathbb{N}$) extension field of $\mathbb{F}_q$, $\mathbb{F}_q[x_1,\ldots,x_l]$ represents the polynomial ring over the field $\mathbb{F}_q$ in $l$ variables, and $\mathbb{F}_q^l = \{x = (x_1,\ldots,x_l) \mid x_i \in \mathbb{F}_q,\ i = 1,\ldots,l\}$ for some $l \in \mathbb{N}$.

Definition 3.1

MQ Problem [33]

Given a system of $m$ multivariate quadratic polynomials $\{p_1(x_1,\ldots,x_n),\ldots,p_m(x_1,\ldots,x_n)\}$ in $n$ variables $x_1,\ldots,x_n$ over a finite field, as shown in (1.1), it is hard to find a solution $x = (x_1,\ldots,x_n)$ of the system of equations $p_1(x) = \cdots = p_m(x) = 0$.

Definition 3.2

MC Problem [33]

Proposed OHV signature scheme

In this section, we design the proposed OHV signature scheme. We employ the technique of multilayer UOV, i.e., the Rainbow signature scheme, to build the OHV construction. Any MQ based central map whose domain and range have the same dimension (i.e., a map from $\mathbb{F}_q^n$ to $\mathbb{F}_q^n$) can be used as the building block of the OHV construction. For ease of exposition, we use the central map of HFE. The signature scheme OHV consists of the following phases: KeyGeneration, SignatureGeneration and SignatureVerification.

The key

Security analysis of proposed OHV

Theorem 5.1

OHV is EUF-CMA secure in the security model described in Section 3.3 under the hardness of the MC problem if the cryptographically secure collision-resistant hash function H2 is modeled as a random oracle.

Proof

We prove this by contradiction. Suppose that there is an adversary $A$ whose winning probability in the EUF-CMA game for OHV is non-negligible. Then we show that an oracle machine $O^{A}$ can be constructed to solve the MC problem by presenting a series of games $G_0$, $G_1$ and $G_2$, where $G_i$

Efficiency

Let us denote the parameters of our OHV by OHV(q, h, o, v). In Table 2, we provide a comparative summary of OHV with the most efficient existing multivariate digital signature schemes, Rainbow [15], CUOV [31], CSSv [18], SVSv2 [18], MQDSS [12], SOFIA [13] and the scheme of [1], in terms of signature lengths, key sizes and message lengths.

Here, we consider three cases, namely the 80-bit, 100-bit and 128-bit security levels. Our underlying field $\mathbb{F}_q$ is GF(256), i.e., $q = 256 = 2^8$. In

Conclusion

The MQ problem is a particular case of the MC problem, and there are fewer ways to solve the MC problem than the MQ problem. Hence, from the security point of view, the MC problem is expected to be at least as hard as the MQ problem. To the best of our knowledge, there has so far been no multivariate digital signature scheme based on the MC problem. In this work, we have tackled this issue by presenting a digital signature scheme, OHV, that attains post-quantum security under the MC problem. Moreover, our

CRediT authorship contribution statement

Nibedita Kundu: Methodology, Writing - original draft, Software. Sumit Kumar Debnath: Conceptualization, Supervision, Validation, Software. Dheerendra Mishra: Writing - review & editing, Investigation. Tanmay Choudhury: Software.

Declaration of Competing Interest

No conflict of interest.

Acknowledgements

The authors express their deep appreciation to the editor for promptly handling the paper, as well as to the anonymous referees, whose thorough reading and constructive comments have improved the paper, significantly.

References (46)

  • S. Akleylek et al. A novel 3-pass identification scheme and signature scheme based on multivariate quadratic polynomials. Turk J Math (2019)
  • S. Akleylek et al. A novel method for polar form of any degree of multivariate polynomials with applications in IoT. Sensors (2019)
  • E.R. Berlekamp. Factoring polynomials over large finite fields. Math Comput (1970)
  • D.J. Bernstein. Introduction to post-quantum cryptography. Post-quantum cryptography (2009)
  • L. Bettale et al. Hybrid approach for solving multivariate systems over finite fields. J Math Cryptol (2009)
  • A. Bogdanov et al. Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves? International workshop on cryptographic hardware and embedded systems (2008)
  • C. Bouillaguet et al. Fast exhaustive search for polynomial systems in F2. International workshop on cryptographic hardware and embedded systems (2010)
  • A.I.-T. Chen et al. SSE implementation of multivariate PKCs on modern x86 CPUs. International workshop on cryptographic hardware and embedded systems (2009)
  • C.-H.O. Chen et al. Odd-char multivariate hidden field equations. IACR Cryptol ePrint Arch (2008)
  • J. Chen et al. Identity-based signature schemes for multivariate public key cryptosystems. Comput J (2019)
  • J.-M. Chen et al. A more secure and efficacious TTS signature scheme. International conference on information security and cryptology (2003)
  • M.-S. Chen et al. From 5-pass MQ-based identification to MQ-based signatures. IACR Cryptol ePrint Arch (2016)
  • M.-S. Chen et al. SOFIA: MQ-based signatures in the QROM. IACR international workshop on public key cryptography (2018)
  • D. Cosme, D. Zeithamova, E. Stice, E. Berkman. Multivariate neural signatures for health neuroscience: assessing...
  • J. Ding et al. Rainbow, a new multivariable polynomial signature scheme. International conference on applied cryptography and network security (2005)
  • J. Ding et al. Cryptanalysis of the new TTS scheme in CHES 2004. Int J Inf Secur (2006)
  • V. Dubois et al. Practical cryptanalysis of SFlash. Annual international cryptology conference (2007)
  • D.H. Duong et al. Revisiting the cubic UOV signature scheme. International conference on information security and cryptology (2016)
  • J.C. Faugère. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). Proceedings of the 2002 international symposium on symbolic and algebraic computation (2002)
  • A. Fiat et al. How to prove yourself: practical solutions to identification and signature problems. Conference on the theory and application of cryptographic techniques (1986)
  • M.R. Garey et al. Computers and intractability (2002)
  • S. Goldwasser et al. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J Comput (1988)
  • Y. Hashimoto. On the security of cubic UOV and its variants. IACR Cryptol ePrint Arch (2016)