WO2000067423A1 - Public-key signature methods and systems

Info

Publication number: WO2000067423A1
Authority: WO (WIPO, PCT)
Application number: PCT/IB2000/000692
Other languages: French (fr)
Prior art keywords: vinegar, variables, oil, scheme, signature
Inventors: Jacques Patarin, Aviad Kipnis, Louis Goubin
Original assignee: Bull Cp8
Related publications in the same family: ES2230814T3, AU774346B2, BRPI0006085B1, JP4183387B2, HK1039004B

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/32: ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: ... involving digital signatures
    • H04L9/30: ... public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093: ... involving lattices or polynomial equations, e.g. NTRU scheme

Definitions

  • the present invention generally relates to cryptography, and more particularly to public-key cryptography.
  • y_1 = P_1(x_1, ..., x_n), y_2 = P_2(x_1, ..., x_n), ..., y_k = P_k(x_1, ..., x_n)
  • P_1, ..., P_k are multivariable polynomials of small total degree, typically less than or equal to 8, and in many cases exactly two.
  • the C* scheme is described in an article titled "Public Quadratic Polynomial-tuples for Efficient Signature Verification and Message-encryption" in Proceedings of EUROCRYPT'88, Springer-Verlag, pp. 419-453.
  • the HFE scheme is described in an article titled "Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms" in Proceedings of EUROCRYPT'96, Springer-Verlag, pp. 33-48.
  • HFE Hidden Fields Equations
  • IP Isomorphisms of Polynomials
  • the present invention seeks to improve security of digital signature cryptographic schemes in which the public key is given as a set of k multivariable polynomial equations, typically over a finite field K.
  • the present invention seeks to improve security of the basic form of the "Oil and Vinegar" and the HFE schemes.
  • an "Oil and Vinegar" scheme which is modified to improve security according to the present invention is referred to herein as an unbalanced "Oil and Vinegar" (UOV) scheme.
  • UOV: unbalanced "Oil and Vinegar".
  • an HFE scheme which is modified to improve security according to the present invention is referred to herein as an HFEV scheme.
  • a set S1 of k polynomial functions is supplied as a public key.
  • the set S1 preferably includes the functions P_1(x_1, ..., x_{n+v}, y_1, ..., y_k), ..., P_k(x_1, ..., x_{n+v}, y_1, ..., y_k), where k, v and n are integers, x_1, ..., x_{n+v} are n+v variables of a first type, and y_1, ..., y_k are k variables of a second type.
  • the set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions P'_1(a_1, ..., a_{n+v}, y_1, ..., y_k), ..., P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k), where a_1, ..., a_{n+v} are n+v variables which include a set of n "oil" variables a_1, ..., a_n and a set of v "vinegar" variables a_{n+1}, ..., a_{n+v}.
  • k values b_1, ..., b_k are preferably substituted for the variables y_1, ..., y_k of the set S2 respectively so as to produce a set S3 of k polynomial functions P''_1(a_1, ..., a_{n+v}), ..., P''_k(a_1, ..., a_{n+v}). Then, v values a'_{n+1}, ..., a'_{n+v} may be selected for the v "vinegar" variables a_{n+1}, ..., a_{n+v}, either randomly or according to a predetermined selection algorithm.
  • once the equations P''_1 = 0, ..., P''_k = 0 have been solved for the oil variables, giving a'_1, ..., a'_n, the secret key operation may be applied to transform a'_1, ..., a'_{n+v} to a digital signature e_1, ..., e_{n+v}.
  • the generated digital signature e_1, ..., e_{n+v} may be verified by a verifier which may include, for example, a computer or a smart card.
  • the verifier preferably obtains the signature e_1, ..., e_{n+v}, the message, the hash function and the public key. Then, the verifier may apply the hash function on the message to produce the series of k values b_1, ..., b_k, and checks that P_1(e_1, ..., e_{n+v}, b_1, ..., b_k) = 0, ..., P_k(e_1, ..., e_{n+v}, b_1, ..., b_k) = 0.
  • a digital signature cryptographic method including the steps of supplying a set S1 of k polynomial functions as a public key, the set S1 including the functions P_1(x_1, ..., x_{n+v}, y_1, ..., y_k), ..., P_k(x_1, ..., x_{n+v}, y_1, ..., y_k), where k, v and n are integers, x_1, ..., x_{n+v} are n+v variables of a first type, y_1, ..., y_k are k variables of a second type, and the set S1 is obtained by applying a secret key operation on a set S2 of k polynomial functions P'_1(a_1, ..., a_{n+v}, y_1, ..., y_k), ..., P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k), where a_1, ..., a_{n+v} are n+v variables which include a set of n "oil" variables a_1, ..., a_n and a set of v "vinegar" variables a_{n+1}, ..., a_{n+v}; providing a message to be signed; applying a hash function on the message to produce k values b_1, ..., b_k; substituting them for y_1, ..., y_k in the set S2 to produce a set S3; selecting v values for the "vinegar" variables; solving the resulting equations for the "oil" variables; and applying the secret key operation to transform the solution to a digital signature e_1, ..., e_{n+v}.
  • the method also includes the step of verifying the digital signature.
  • the secret key operation preferably includes a secret affine transformation s on the n+v variables a_1, ..., a_{n+v}.
  • the set S2 includes the set f(a) of k polynomial functions of the HFEV scheme.
  • the set S2 preferably includes an expression including k functions that are derived from a univariate polynomial.
  • the univariate polynomial preferably has degree less than or equal to 100,000.
  • the set S2 includes the set S of k polynomial functions of the UOV scheme.
  • the supplying step may preferably include the step of selecting the number v of "vinegar" variables to be greater than the number n of "oil" variables.
  • v is selected such that q^v is greater than 2^32, where q is the number of elements of the finite field K.
  • the supplying step includes the step of obtaining the set S1 from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized in that all coefficients of components involving any of the y_1, ..., y_k variables in the k polynomial functions P'_1(a_1, ..., a_{n+v}, y_1, ..., y_k), ..., P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k) are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.
  • an improvement of an "Oil and Vinegar" signature method including the step of using more "vinegar" variables than "oil" variables.
  • FIG. 1 is a simplified block diagram illustration of a preferred implementation of a system for generating and verifying a digital signature to a message, the system being constructed and operative in accordance with a preferred embodiment of the present invention
  • Fig. 2A is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message, the method being operative in accordance with a preferred embodiment of the present invention.
  • Fig. 2B is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A, the method being operative in accordance with a preferred embodiment of the present invention.
  • Appendix I is an article by Aviad Kipnis, Jacques Patarin and Louis Goubin submitted for publication by Springer-Verlag in Proceedings of EUROCRYPT'99, the article describing variations of the UOV and the HFEV schemes.
  • FIG. 1 is a simplified block diagram illustration of a preferred implementation of a system 10 for generating and verifying a digital signature to a message, the system 10 being constructed and operative in accordance with a preferred embodiment of the present invention.
  • the system 10 includes a computer 15, such as a general purpose computer, which communicates with a smart card 20 via a smart card reader 25.
  • the computer 15 may preferably include a digital signature generator 30 and a digital signature verifier 35 which may communicate data via a communication bus 40.
  • the smart card 20 may preferably include a digital signature generator 45 and a digital signature verifier 50 which may communicate data via a communication bus 55.
  • a signer of a message and a receptor of a signed message agree on a public-key which is published, and on a hash function to be used. In a case that the hash function is compromised, the signer and the receptor may agree to change the hash function. It is appreciated that a generator of the public-key need not be the signer or the receptor.
  • the digital signature verifier 35 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45.
  • the digital signature verifier 50 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45.
  • FIG. 2A is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message in a first processor (not shown), and Fig. 2B is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A in a second processor (not shown), the methods of Figs. 2A and 2B being operative in accordance with a preferred embodiment of the present invention.
  • the methods of Figs. 2A and 2B may be implemented in hardware, in software or in a combination of hardware and software.
  • the first processor and the second processor may be identical.
  • the method may be implemented by the system 10 of Fig. 1, in which the first processor may be comprised, for example, in the computer 15, and the second processor may be comprised in the smart card 20, or vice versa.
  • Figs. 2A and 2B are described in Appendix I, which is incorporated herein.
  • the methods of Figs. 2A and 2B may be employed to modify the basic form of the "Oil and Vinegar" scheme and the HFE scheme, thereby to produce the UOV scheme and the HFEV scheme respectively.
  • Appendix I includes an unpublished article by Aviad Kipnis, Jacques Patarin and Louis Goubin.
  • a set S1 of k polynomial functions is preferably supplied as a public key (step 100) by a generator of the public key (not shown), which may be, for example, the generator 30 of Fig. 1, the generator 45 of Fig. 1, or an external public-key generator (not shown).
  • the set S1 preferably includes the functions P_1(x_1, ..., x_{n+v}, y_1, ..., y_k), ..., P_k(x_1, ..., x_{n+v}, y_1, ..., y_k), where k, v and n are integers, x_1, ..., x_{n+v} are n+v variables of a first type, and y_1, ..., y_k are k variables of a second type.
  • the set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions P'_1(a_1, ..., a_{n+v}, y_1, ..., y_k), ..., P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k), where a_1, ..., a_{n+v} are n+v variables which include a set of n "oil" variables a_1, ..., a_n and a set of v "vinegar" variables a_{n+1}, ..., a_{n+v}.
  • "oil" variables and "vinegar" variables refer to "oil" variables and "vinegar" variables as defined in the basic form of the "Oil and Vinegar" scheme.
  • a signer may apply a hash function on the message to produce a series of k values b_1, ..., b_k (step 110).
  • the signer may be, for example, the generator 30 or the generator 45 of Fig. 1.
  • the series of k values b_1, ..., b_k is preferably substituted for the variables y_1, ..., y_k of the set S2 respectively so as to produce a set S3 of k polynomial functions P''_1(a_1, ..., a_{n+v}), ..., P''_k(a_1, ..., a_{n+v}) (step 115).
  • v values a'_{n+1}, ..., a'_{n+v} may be randomly selected for the v "vinegar" variables a_{n+1}, ..., a_{n+v} (step 120).
  • alternatively, the v values a'_{n+1}, ..., a'_{n+v} may be selected according to a predetermined selection algorithm.
  • the secret key operation may be applied to transform a'_1, ..., a'_{n+v} to a digital signature e_1, ..., e_{n+v} (step 130).
  • the generated digital signature e_1, ..., e_{n+v} may be verified according to the method described with reference to Fig. 2B by a verifier of the digital signature (not shown), which may include, for example, the verifier 35 or the verifier 50 of Fig. 1.
  • the verifier preferably obtains the signature e_1, ..., e_{n+v}, the message, the hash function and the public key (step 200). Then, the verifier may apply the hash function on the message to produce the series of k values b_1, ..., b_k (step 205).
  • the generation and verification of the digital signature as mentioned above may be used for the HFEV scheme by allowing the set S2 to include the set f(a) of k polynomial functions of the HFEV scheme as described in Appendix I.
  • the methods of Figs. 2A and 2B enable obtaining digital signatures which are typically smaller than digital signatures obtained in conventional number-theoretic cryptography schemes, such as the well known RSA scheme.
  • the set S1 may be supplied with the number v of "vinegar" variables selected to be greater than the number n of "oil" variables.
  • v may also be selected such that q^v > 2^32, where q is the number of elements of the finite field K over which the sets S1, S2 and S3 are provided.
  • S1 may be obtained from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized in that all coefficients of components involving any of the y_1, ..., y_k variables in the k polynomial functions P'_1(a_1, ..., a_{n+v}, y_1, ..., y_k), ..., P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k) are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.
  • in the basic "Oil and Vinegar" scheme, the number v of "vinegar" variables is chosen to be equal to the number n of "oil" variables. Aviad Kipnis, who is one of the inventors of the present invention, and Adi Shamir have shown, in the above mentioned Proceedings of CRYPTO'98, Springer, LNCS n°1462, pages 257-266, a cryptanalysis of the basic "Oil and Vinegar" signature scheme which renders it insecure.
  • the basic "Oil and Vinegar" scheme may also be shown to be insecure for any number v of "vinegar" variables which is lower than the number n of "oil" variables.
  • the inventors of the present invention have found, as described in Appendix I, that the UOV scheme is considered secure for values of v which satisfy the inequality q^(v-n-1) * n^4 > 2^40.
  • the number v of "vinegar" variables may be selected so as to satisfy the inequalities v <= n^2/2 and q^(v-n-1) * n^4 > 2^40. It is appreciated that for values of v which are higher than n^2/2 but less than or equal to n^2, the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n^2, the UOV is believed to be insecure.
  • alternatively, the UOV scheme is considered secure for values of v which are substantially greater than n*(1 + sqrt(3)) and lower than or equal to n^3/6. It is appreciated that for values of v which are higher than n^3/6 but lower than or equal to n^3/2, the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n^3/2, and for values of v which are lower than n*(1 + sqrt(3)), the UOV is believed to be insecure.
  • alternatively, the UOV scheme is considered secure for values of v which are substantially greater than n and lower than or equal to n^4. It is appreciated that for values of v which are higher than n^3/6 but lower than or equal to n^4, the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n^4, and for values of v which are lower than n, the UOV is believed to be insecure.
  • the set S2 may include an expression which includes k functions that are derived from a univariate polynomial.
  • the univariate polynomial may be a polynomial of degree less than or equal to 100,000 on an extension field of degree n over K.
  • UOV is a very simple scheme: the original Oil and Vinegar signature scheme (of [16]) was broken (see [10]), but if we have significantly more "vinegar" unknowns than "oil" unknowns (a definition of the "oil" and "vinegar" unknowns can be found in section 2), then the attack of [10] does not work and the security of this more general scheme (called UOV) is still an open problem.
  • UOV of degree three: Oil and Vinegar schemes of degree three (instead of two).
  • HFEV combines the ideas of HFE (of [14]) and of vinegar variables. HFEV looks more efficient than the original HFE scheme.
  • in section 13 we present what we know about the main schemes in this area of multivariate polynomials.
  • let n and v be two integers, and let K be a finite field with q elements, with q^n >= 2^128 (in section 8, we will see that q^n >= 2^64 is also possible).
  • the secret key is made of two parts: a bijective and affine function s: K^{n+v} -> K^{n+v}, and a set (S) of n equations whose coefficients are secret.
  • by "affine" we mean that each component of the output can be written as a polynomial of degree one in the n+v input unknowns, and with coefficients in K.
  • the coefficients gamma_{ijk}, lambda_{ijk}, xi_{ij}, xi'_{ij} and delta_i are the secret coefficients of these n equations (S).
  • the values a_1, ..., a_n (the "oil" unknowns) and a'_1, ..., a'_v (the "vinegar" unknowns) lie in K. Note that these equations (S) contain no terms in a_i a_j.
  • each value y_i, 1 <= i <= n, can be written as a polynomial P_i of total degree two in the x_j unknowns, 1 <= j <= n+v.
  • we denote by (V) the set of the following n equations: y_i = P_i(x_1, ..., x_{n+v}), 1 <= i <= n.
  • Step 1: we find n unknowns a_1, ..., a_n of K and v unknowns a'_1, ..., a'_v of K such that the n equations (S) are satisfied. This can be done as follows: we randomly choose the v vinegar unknowns a'_j, and then we compute the a_i unknowns from (S) by Gaussian reductions (because, since there are no a_i a_j terms, the (S) equations are affine in the a_i unknowns when the a'_j are fixed).
  • a signature x of y is valid if and only if all the equations (V) are satisfied. As a result, no secret is needed to check whether a signature is valid: this is an asymmetric signature scheme.
  • the name "Oil and Vinegar" comes from the fact that, in the equations (S), the "oil unknowns" a_i and the "vinegar unknowns" a'_j are not all mixed together: there are no a_i a_j products.
  • in (V) this property is hidden by the "mixing" of the unknowns by the s transformation. Is this property "hidden enough"? In fact, this question exactly means: "is the scheme secure?"
  • G_{ij} = G_i G_j^{-1} has the form S (E F^{-1}) S^{-1}, where S is an invertible 2n x 2n matrix and the inner matrices E and F are of the kind treated in Lemma 1 below.
  • Definition 3.1: we define the oil subspace to be the linear subspace of all vectors in K^{2n} whose second half contains only zeros. O denotes the image of the oil subspace under the secret transformation S.
  • Lemma 1: let E and F be 2n x 2n matrices with an upper left zero n x n submatrix. If F is invertible, then the oil subspace is an invariant subspace of E F^{-1}.
  • Theorem 3.1: O is a common invariant subspace of all the matrices G_{ij}. Proof: the two inner matrices have the form of E and F in Lemma 1. Therefore the oil subspace is an invariant subspace of the inner term, and O is an invariant subspace of G_i G_j^{-1}.
  • Lemma 1 is not true any more when v > n: the oil subspace is still mapped by E and F into the vinegar subspace, but F^{-1} does not necessarily map the image by E of the oil subspace back into the oil subspace, and this is why the cryptanalysis of the original Oil and Vinegar is not valid for the unbalanced case.
  • Definition 4.1: we define in this section the oil subspace to be the linear subspace of all vectors in K^{n+v} whose last v coordinates are only zeros; the vinegar subspace is the linear subspace of all vectors in K^{n+v} whose first n coordinates are only zeros.
  • in the unbalanced case the secret matrices keep the upper left zero n x n block of Lemma 1, with A_i an n x v matrix, B_i a v x n matrix and C_i a v x v matrix as the remaining blocks; S is an (n+v) x (n+v) invertible linear matrix.
  • the algorithm we propose is probabilistic. It looks for an invariant subspace of the oil subspace after it is transformed by S. The probability for the algorithm to succeed on the first try is small. Therefore we need to repeat it with different inputs. We use the following property: any linear combination F of the matrices G_1, ..., G_n keeps the same inner structure, so that the inner term has an invariant subspace which is a subspace of the oil subspace with the required probability. Therefore, the same will hold for F G_k^{-1}, but instead of a subspace of the oil subspace, we get a subspace of O.
  • Lemma 3 gives a polynomial test to distinguish between subspaces of O and random subspaces. If the matrix we used has no minimal invariant subspace which is also a subspace of O, then we pick another linear combination of G_1, ..., G_n, multiply it by an inverse of one of the G_k matrices and try again. After repeating this process approximately q^(d-1) times, we find with good probability at least one non-zero vector of O. We continue the process until we get n independent vectors of O. These vectors span O. The expected complexity of the process is proportional to q^(d-1) * n^4, where d = v - n (this is the q^(v-n-1) * n^4 bound stated above): q^(d-1) is the expected number of tries until we find a non-trivial invariant subspace, and the term n^4 covers the linear algebra operations we need to perform for every try.
  • let (A) be a random set of n quadratic equations in (n+v) variables x_1, ..., x_{n+v} (by "random" we mean that the coefficients of these equations are uniformly and randomly chosen).
  • the system may have a solution, but finding the solution might be a difficult problem. This is why an Unbalanced Oil and Vinegar scheme might be secure (for well chosen parameters): there is always a linear change of variables that makes the problem easy to solve, but finding such a change of variables might be difficult.
  • the main idea of the algorithm consists in using a change of variables such as y_1 = alpha_{1,1} x_1 + ... + alpha_{1,n+v} x_{n+v}, ..., y_{n+v} = alpha_{n+v,1} x_1 + ... + alpha_{n+v,n+v} x_{n+v}, whose alpha_{i,j} coefficients (for 1 <= i <= n, 1 <= j <= n+v) are found step by step, in order that the resulting system (S') (written with respect to these new variables y_1, ..., y_{n+v}) is easy to solve.
  • the n vectors (alpha_{1,1}, ..., alpha_{1,n+v}), ..., (alpha_{n,1}, ..., alpha_{n,n+v}) found this way are very likely to be linearly independent; the remaining alpha_{i,j} constants (i.e. those with n+1 <= i <= n+v and 1 <= j <= n+v) are randomly chosen, so as to obtain a bijective change of variables.
  • the cryptanalyst can specify about n-1 of the coordinates d_k of d, since the vector space of the correct d is of dimension n. It remains thus to solve n(n+v) quadratic equations in (v+1) unknowns d_k. When v is not too large (typically when (v+1)(v+2)/2 <= n(n+v), i.e. when v <= (1 + sqrt(3))n), this is expected to be easy. When v is at most approximately (1 + sqrt(3))n and |K| is odd, this gives a simple way to break the scheme.
  • the beta_{ij}, alpha_i and mu_0 are elements of the field F_{q^n}.
  • let v be an integer (v will be the number of extra x_i variables, or the number of "vinegar" variables that we will add in the scheme).
  • let a' = (a'_1, ..., a'_v) be a v-tuple of variables of K.
  • let each alpha_i of (1) be an element of F_{q^n} such that each of the n components of alpha_i in a basis is a secret random linear function of the vinegar variables a'_1, ..., a'_v.
  • let mu_0 be an element of F_{q^n} such that each one of the n components of mu_0 in a basis is a secret random quadratic function of the variables a'_1, ..., a'_v.
  • the n+v variables a_1, ..., a_n, a'_1, ..., a'_v will be mixed in the secret affine bijection s in order to obtain the variables x_1, ..., x_{n+v}.
  • t(b_1, ..., b_n) = (y_1, ..., y_n), where t is a secret affine bijection.
  • the terms of f are thus of three kinds: oil x oil, such as a^17, a^12, a^10, etc.; oil x vinegar, in the terms involving the alpha_i of (1) (the alpha_i being linear in the vinegar variables); and vinegar x vinegar, in mu_0.
  • the signature scheme is the one of section 8, and the length of a signature is only 192 bits (or 256 bits) in this case. More examples of possible parameters are given in the extended version of this paper.
  • HFE⁻ is just an HFE where some of the public equations are not published. Due to [1] and [2], it may be recommended to do this (despite the fact that original HFE may be secure without it). In the extended version of [14], a second challenge of US $500 is described on an HFE⁻.
  • HFEV is described in this paper. HFEV and HFEV⁻ look very hard to break. Moreover, HFEV is more efficient than the original HFE, and it can give public-key signatures of only 80 bits!
  • HM and HM⁻ were designed in [20]. Very few analyses have been done of these schemes (but maybe we can recommend using HM⁻ instead of HM?).
  • IP was designed in [14]. IP schemes have the best proofs of security so far (see [19]). IP is very simple and can be seen as a nice generalization of Graph Isomorphism. The original Oil and Vinegar was presented in [16] and broken in [10].
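
The parameter rules scattered through the bullets above (v > n; q^v > 2^32; the invariant-subspace attack cost q^(v-n-1) * n^4 above 2^40; the preferred upper range v <= n^2/2) are easier to apply as a single check. The following is an added example, not code from the patent or from Appendix I. The function names, the scan for the smallest acceptable v, and the size arithmetic are mine: a signature is n+v field elements, and a public key of n quadratic polynomials in m = n+v variables has n(m+1)(m+2)/2 coefficients when linear and constant terms are counted. The exact q, n, v of the appendix's section 8 are not reproduced on this page; q = 2, n = 64, v = 128 is simply one choice that passes every rule and yields the 192-bit signature length the appendix quotes.

```python
import math

# Added example (not from the patent or the paper). It applies the rules the text states for
# choosing the number v of vinegar variables in UOV over a field with q elements, and adds
# size estimates of my own: signature = n+v field elements, public key = n quadratic
# polynomials in m = n+v variables with (m+1)(m+2)/2 coefficients each.


def uov_parameter_report(q, n, v):
    """Evaluate every rule from the text for (q, n, v) and return the results plus sizes."""
    m = n + v
    log2q = math.log2(q)
    attack_log2 = (v - n - 1) * log2q + 4 * math.log2(n)   # log2 of q^(v-n-1) * n^4
    return {
        "unbalanced": v > n,                            # Kipnis-Shamir breaks v <= n
        "vinegar_guess_resists": v * log2q > 32,        # q^v > 2^32
        "subspace_attack_resists": attack_log2 > 40,    # q^(v-n-1) * n^4 > 2^40
        "in_preferred_range": v <= n * n / 2,           # preferred embodiment: v <= n^2/2
        "attack_log2": attack_log2,
        "signature_bits": math.ceil(m * log2q),
        "public_key_coefficients": n * (m + 1) * (m + 2) // 2,
    }


def uov_parameters_acceptable(q, n, v):
    """True only when all four security rules hold."""
    r = uov_parameter_report(q, n, v)
    return all(r[k] for k in ("unbalanced", "vinegar_guess_resists",
                              "subspace_attack_resists", "in_preferred_range"))


def smallest_acceptable_v(q, n):
    """Scan upward from n+1 for the first v passing every rule; None if no v <= n^2/2 does."""
    for v in range(n + 1, n * n // 2 + 1):
        if uov_parameters_acceptable(q, n, v):
            return v
    return None


if __name__ == "__main__":
    for q, n, v in ((2, 64, 64), (2, 64, 70), (2, 64, 128)):
        print(q, n, v, uov_parameters_acceptable(q, n, v), uov_parameter_report(q, n, v))
    print("smallest v for q=2, n=64:", smallest_acceptable_v(2, 64))
```

The balanced choice (2, 64, 64) fails the first rule; (2, 64, 70) is unbalanced but leaves the invariant-subspace attack at about 2^29 work, below the text's 2^40 floor; (2, 64, 128) passes everything with a 192-bit signature, at the price of a public key of roughly 1.2 million GF(2) coefficients.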

Abstract

The invention provides for a cryptographic method for digital signature. A set S1 of k polynomial functions P_k(x_1, ..., x_{n+v}, y_1, ..., y_k) is supplied as a public key, where k, v and n are integers, x_1, ..., x_{n+v} are n+v variables of a first type, and y_1, ..., y_k are k variables of a second type, the set S1 being obtained by applying a secret key operation on a given set S2 of k polynomial functions P'_k(a_1, ..., a_{n+v}, y_1, ..., y_k), a_1, ..., a_{n+v} designating n+v variables including a set of n "oil" and v "vinegar" variables. A message to be signed is provided and submitted to a hash function to produce a series of k values b_1, ..., b_k. These k values are substituted for the k variables y_1, ..., y_k of the set S2 to produce a set S3 of k polynomial functions P''_k(a_1, ..., a_{n+v}), and v values a'_{n+1}, ..., a'_{n+v} are selected for the v "vinegar" variables. A set of equations P''_k(a_1, ..., a_n, a'_{n+1}, ..., a'_{n+v}) = 0 is solved to obtain a solution for a'_1, ..., a'_n, and the secret key operation is applied to transform the solution to the digital signature.

Description

PUBLIC-KEY SIGNATURE METHODS AND SYSTEMS
FIELD OF THE INVENTION
The present invention generally relates to cryptography, and more particularly to public-key cryptography.
BACKGROUND OF THE INVENTION
The first public-key cryptography scheme was introduced in 1975.
Since then, many public-key schemes have been developed and published. Many public-key schemes require some arithmetic computations modulo an integer n, where today n is typically between 512 and 1024 bits.
Due to the relatively large number of bits of n, such public-key schemes are relatively slow in operation and are considered heavy consumers of random-access memory (RAM) and other computing resources. These problems are particularly acute in applications in which the computing resources are limited, such as smart card applications. Thus, in order to overcome these problems, other families of public-key schemes which do not require many arithmetic computations modulo n have been developed. Among these other families are schemes where the public key is given as a set of k multivariable polynomial equations over a finite field K which is relatively small, e.g., of size between 2 and 2^64.
The set of k multivariable polynomial equations can be written as follows:
y_1 = P_1(x_1, ..., x_n)
y_2 = P_2(x_1, ..., x_n)
...
y_k = P_k(x_1, ..., x_n)
where P_1, ..., P_k are multivariable polynomials of small total degree, typically less than or equal to 8, and in many cases exactly two.
Examples of such schemes include the C* scheme of T. Matsumoto and H. Imai, the HFE scheme of Jacques Patarin, and the basic form of the "Oil and Vinegar" scheme of Jacques Patarin.
The C* scheme is described in an article titled "Public Quadratic Polynomial-tuples for Efficient Signature Verification and Message-encryption" in Proceedings of EUROCRYPT'88, Springer-Verlag, pp. 419-453. The HFE scheme is described in an article titled "Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms" in Proceedings of EUROCRYPT'96, Springer-Verlag, pp. 33-48. The basic form of the "Oil and Vinegar" scheme of Jacques Patarin is described in an article titled "The Oil and Vinegar Signature Scheme" presented at the Dagstuhl Workshop on Cryptography in September 1997.
However, the C* scheme and the basic form of the "Oil and Vinegar" scheme have been shown to be insecure. A cryptanalysis of the C* scheme was published by Jacques Patarin ("Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88", Proceedings of CRYPTO'95, Springer-Verlag), and a cryptanalysis of the basic form of the "Oil and Vinegar" scheme was published by Aviad Kipnis and Adi Shamir in an article titled "Cryptanalysis of the Oil and Vinegar Signature Scheme" in Proceedings of CRYPTO'98, Springer-Verlag, LNCS n°1462, pp. 257-266. Weaknesses in the construction of the HFE scheme have been described in two unpublished articles titled "Cryptanalysis of the HFE Public Key Cryptosystem" and "Practical Cryptanalysis of the Hidden Fields Equations (HFE)", but at present the HFE scheme is not considered compromised, since for well chosen and still reasonable parameters the number of computations required to break the HFE scheme is still too large. Some aspects of related technologies are described in the following publications:
US Patent 5,263,085 to Shamir describes a digital signature scheme whose security is based on the difficulty of solving systems of k polynomial equations in m unknowns modulo a composite n, and
US Patent 5,375,170 to Shamir describes a digital signature scheme which is based on a new class of birational permutations which have small keys and require few arithmetic operations.
The disclosures of all references mentioned above and throughout the present specification are hereby incorporated herein by reference.
SUMMARY OF THE INVENTION
The present invention seeks to improve security of digital signature cryptographic schemes in which the public key is given as a set of k multivariable polynomial equations, typically over a finite field K. Particularly, the present invention seeks to improve security of the basic form of the "Oil and Vinegar" and the HFE schemes. An "Oil and Vinegar" scheme which is modified to improve security according to the present invention is referred to herein as an unbalanced "Oil and Vinegar" (UOV) scheme. An HFE scheme which is modified to improve security according to the present invention is referred to herein as an HFEV scheme.
In the present invention, a set S1 of k polynomial functions is supplied as a public-key. The set S1 preferably includes the functions P_1(x_1,...,x_{n+v}, y_1,...,y_k), ..., P_k(x_1,...,x_{n+v}, y_1,...,y_k), where k, v, and n are integers, x_1,...,x_{n+v} are n+v variables of a first type, and y_1,...,y_k are k variables of a second type. The set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions P'_1(a_1,...,a_{n+v}, y_1,...,y_k), ..., P'_k(a_1,...,a_{n+v}, y_1,...,y_k), where a_1,...,a_{n+v} are n+v variables which include a set of n "oil" variables a_1,...,a_n and a set of v "vinegar" variables a_{n+1},...,a_{n+v}. It is appreciated that the secret key operation may include a secret affine transformation s on the n+v variables a_1,...,a_{n+v}. When a message to be signed is provided, a hash function may be applied on the message to produce a series of k values b_1,...,b_k. The series of k values b_1,...,b_k is preferably substituted for the variables y_1,...,y_k of the set S2 respectively so as to produce a set S3 of k polynomial functions P''_1(a_1,...,a_{n+v}), ..., P''_k(a_1,...,a_{n+v}). Then, v values a'_{n+1},...,a'_{n+v} may be selected for the v "vinegar" variables a_{n+1},...,a_{n+v}, either randomly or according to a predetermined selection algorithm.
Once the v values a'_{n+1},...,a'_{n+v} are selected, a set of equations P''_1(a_1,...,a_n, a'_{n+1},...,a'_{n+v}) = 0, ..., P''_k(a_1,...,a_n, a'_{n+1},...,a'_{n+v}) = 0 is preferably solved to obtain a solution a'_1,...,a'_n. Then, the secret key operation may be applied to transform a'_1,...,a'_{n+v} to a digital signature e_1,...,e_{n+v}.
The generated digital signature e_1,...,e_{n+v} may be verified by a verifier which may include, for example, a computer or a smart card. In order to verify the digital signature, the verifier preferably obtains the signature e_1,...,e_{n+v}, the message, the hash function and the public key. Then, the verifier may apply the hash function on the message to produce the series of k values b_1,...,b_k. Once the k values b_1,...,b_k are produced, the verifier preferably verifies the digital signature by verifying that the equations P_1(e_1,...,e_{n+v}, b_1,...,b_k) = 0, ..., P_k(e_1,...,e_{n+v}, b_1,...,b_k) = 0 are satisfied.
There is thus provided in accordance with a preferred embodiment of the present invention a digital signature cryptographic method including the steps of: supplying a set S1 of k polynomial functions as a public-key, the set S1 including the functions P_1(x_1,...,x_{n+v}, y_1,...,y_k), ..., P_k(x_1,...,x_{n+v}, y_1,...,y_k), where k, v, and n are integers, x_1,...,x_{n+v} are n+v variables of a first type, y_1,...,y_k are k variables of a second type, and the set S1 is obtained by applying a secret key operation on a set S2 of k polynomial functions P'_1(a_1,...,a_{n+v}, y_1,...,y_k), ..., P'_k(a_1,...,a_{n+v}, y_1,...,y_k), where a_1,...,a_{n+v} are n+v variables which include a set of n "oil" variables a_1,...,a_n and a set of v "vinegar" variables a_{n+1},...,a_{n+v}; providing a message to be signed; applying a hash function on the message to produce a series of k values b_1,...,b_k; substituting the series of k values b_1,...,b_k for the variables y_1,...,y_k of the set S2 respectively to produce a set S3 of k polynomial functions P''_1(a_1,...,a_{n+v}), ..., P''_k(a_1,...,a_{n+v}); selecting v values a'_{n+1},...,a'_{n+v} for the v "vinegar" variables a_{n+1},...,a_{n+v}; solving a set of equations P''_1(a_1,...,a_n, a'_{n+1},...,a'_{n+v}) = 0, ..., P''_k(a_1,...,a_n, a'_{n+1},...,a'_{n+v}) = 0 to obtain a solution for a'_1,...,a'_n; and applying the secret key operation to transform a'_1,...,a'_{n+v} to a digital signature e_1,...,e_{n+v}.
Preferably, the method also includes the step of verifying the digital signature. The verifying step preferably includes the steps of obtaining the signature e_1,...,e_{n+v}, the message, the hash function and the public key, applying the hash function on the message to produce the series of k values b_1,...,b_k, and verifying that the equations P_1(e_1,...,e_{n+v}, b_1,...,b_k) = 0, ..., P_k(e_1,...,e_{n+v}, b_1,...,b_k) = 0 are satisfied.
The secret key operation preferably includes a secret affine transformation s on the n+v variables a_1,...,a_{n+v}.
Preferably, the set S2 includes the set f(a) of k polynomial functions of the HFEV scheme. In such a case, the set S2 preferably includes an expression including k functions that are derived from a univariate polynomial. The univariate polynomial preferably includes a univariate polynomial of degree less than or equal to 100,000.
Alternatively, the set S2 includes the set S of k polynomial functions of the UOV scheme.
The supplying step may preferably include the step of selecting the number v of "vinegar" variables to be greater than the number n of "oil" variables. Preferably, v is selected such that q^v is greater than 2^32, where q is the number of elements of a finite field K.
In accordance with a preferred embodiment of the present invention, the supplying step includes the step of obtaining the set S1 from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized by that all coefficients of components involving any of the y_1,...,y_k variables in the k polynomial functions P'_1(a_1,...,a_{n+v}, y_1,...,y_k), ..., P'_k(a_1,...,a_{n+v}, y_1,...,y_k) are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.
Preferably, the set S2 includes the set S of k polynomial functions of the UOV scheme, and the number v of "vinegar" variables is selected so as to satisfy one of the following conditions: (a) for each characteristic p other than 2 of a field K in an "Oil and Vinegar" scheme of degree 2, v satisfies the inequality q^((v-n)-1) * n^4 > 2^40; (b) for p = 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than n*(1 + sqrt(3)) and lower than or equal to n^3/6; and (c) for each p other than 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than n and lower than or equal to n^4. Preferably, the number v of "vinegar" variables is selected so as to satisfy the inequalities v < n^2 and q^((v-n)-1) * n^4 > 2^40 for a characteristic p = 2 of a field K in an "Oil and Vinegar" scheme of degree 2.
There is also provided in accordance with a preferred embodiment of the present invention an improvement of an "Oil and Vinegar" signature method, the improvement including the step of using more "vinegar" variables than "oil" variables. Preferably, the number v of "vinegar" variables is selected so as to satisfy one of the following conditions: (a) for each characteristic p other than 2 of a field K and for a degree 2 of the "Oil and Vinegar" signature method, v satisfies the inequality q^((v-n)-1) * n^4 > 2^40; (b) for p = 2 and for a degree 3 of the "Oil and Vinegar" signature method, v is greater than n*(1 + sqrt(3)) and lower than or equal to n^3/6; and (c) for each p other than 2 and for a degree 3 of the "Oil and Vinegar" signature method, v is greater than n and lower than or equal to n^4. Preferably, the number v of "vinegar" variables is selected so as to satisfy the inequalities v < n^2 and q^((v-n)-1) * n^4 > 2^40 for a characteristic p = 2 of a field K in an "Oil and Vinegar" scheme of degree 2.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which: Fig. 1 is a simplified block diagram illustration of a preferred implementation of a system for generating and verifying a digital signature to a message, the system being constructed and operative in accordance with a preferred embodiment of the present invention;
Fig. 2A is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message, the method being operative in accordance with a preferred embodiment of the present invention; and
Fig. 2B is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A, the method being operative in accordance with a preferred embodiment of the present invention.
Appendix I is an article by Aviad Kipnis, Jacques Patarin and Louis Goubin submitted for publication by Springer-Verlag in Proceedings of EUROCRYPT'99, the article describing variations of the UOV and the HFEV schemes.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Reference is now made to Fig. 1 which is a simplified block diagram illustration of a preferred implementation of a system 10 for generating and verifying a digital signature to a message, the system 10 being constructed and operative in accordance with a preferred embodiment of the present invention.
Preferably, the system 10 includes a computer 15, such as a general purpose computer, which communicates with a smart card 20 via a smart card reader 25. The computer 15 may preferably include a digital signature generator 30 and a digital signature verifier 35 which may communicate data via a communication bus 40. The smart card 20 may preferably include a digital signature generator 45 and a digital signature verifier 50 which may communicate data via a communication bus 55.
It is appreciated that in typical public-key signature scheme applications, a signer of a message and a receptor of a signed message agree on a public-key which is published, and on a hash function to be used. In a case that the hash function is compromised, the signer and the receptor may agree to change the hash function. It is appreciated that a generator of the public-key need not be the signer or the receptor. Preferably, the digital signature verifier 35 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45. Similarly, the digital signature verifier 50 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45. Reference is now made to Fig. 2A which is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message in a first processor (not shown), and to Fig. 2B which is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A in a second processor (not shown), the methods of Figs. 2A and 2B being operative in accordance with a preferred embodiment of the present invention. It is appreciated that the methods of Figs. 2A and 2B may be implemented in hardware, in software or in a combination of hardware and software. Furthermore, the first processor and the second processor may be identical. Alternatively, the method may be implemented by the system 10 of Fig. 1 in which the first processor may be comprised, for example, in the computer 15, and the second processor may be comprised in the smart card 20, or vice versa.
The methods of Figs. 2A and 2B, and applications of the methods of Figs. 2A and 2B, are described in Appendix I which is incorporated herein. The applications of the methods of Figs. 2A and 2B may be employed to modify the basic form of the "Oil and Vinegar" scheme and the HFE scheme thereby to produce the UOV and the HFEV respectively.
Appendix I includes an unpublished article by Aviad Kipnis, Jacques Patarin and Louis Goubin submitted for publication by Springer-Verlag in Proceedings of EUROCRYPT'99 which is scheduled on 2 - 6 May 1999. The article included in Appendix I also describes variations of the UOV and the HFEV schemes with small signatures.
In the digital signature cryptographic method of Fig. 2A, a set S1 of k polynomial functions is preferably supplied as a public-key (step 100) by a generator of the public-key (not shown) which may be, for example, the generator 30 of Fig. 1, the generator 45 of Fig. 1, or an external public-key generator (not shown).
The set S1 preferably includes the functions P_1(x_1,...,x_{n+v}, y_1,...,y_k), ..., P_k(x_1,...,x_{n+v}, y_1,...,y_k), where k, v, and n are integers, x_1,...,x_{n+v} are n+v variables of a first type, and y_1,...,y_k are k variables of a second type. The set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions P'_1(a_1,...,a_{n+v}, y_1,...,y_k), ..., P'_k(a_1,...,a_{n+v}, y_1,...,y_k), where a_1,...,a_{n+v} are n+v variables which include a set of n "oil" variables a_1,...,a_n and a set of v "vinegar" variables a_{n+1},...,a_{n+v}. It is appreciated that the secret key operation may include a secret affine transformation s on the n+v variables a_1,...,a_{n+v}.
The terms "oil" variables and "vinegar" variables refer to "oil" variables and "vinegar" variables as defined in the basic form of the "Oil and Vinegar" scheme of Jacques Patarin which is described in the above mentioned article titled "The Oil and Vinegar Signature Scheme" presented at the Dagstuhl Workshop on Cryptography in September 1997.
Preferably, when a message to be signed is provided (step 105), a signer may apply a hash function on the message to produce a series of k values b_1,...,b_k (step 110). The signer may be, for example, the generator 30 or the generator 45 of Fig. 1. The series of k values b_1,...,b_k is preferably substituted for the variables y_1,...,y_k of the set S2 respectively so as to produce a set S3 of k polynomial functions P''_1(a_1,...,a_{n+v}), ..., P''_k(a_1,...,a_{n+v}) (step 115). Then, v values a'_{n+1},...,a'_{n+v} may be randomly selected for the v "vinegar" variables a_{n+1},...,a_{n+v} (step 120). Alternatively, the v values a'_{n+1},...,a'_{n+v} may be selected according to a predetermined selection algorithm.
Once the v values a'_{n+1},...,a'_{n+v} are selected, a set of equations P''_1(a_1,...,a_n, a'_{n+1},...,a'_{n+v}) = 0, ..., P''_k(a_1,...,a_n, a'_{n+1},...,a'_{n+v}) = 0 is preferably solved to obtain a solution a'_1,...,a'_n (step 125). Then, the secret key operation may be applied to transform a'_1,...,a'_{n+v} to a digital signature e_1,...,e_{n+v} (step 130).
The generated digital signature e_1,...,e_{n+v} may be verified according to the method described with reference to Fig. 2B by a verifier of the digital signature (not shown) which may include, for example, the verifier 35 or the verifier 50 of Fig. 1. In order to verify the digital signature, the verifier preferably obtains the signature e_1,...,e_{n+v}, the message, the hash function and the public key (step 200). Then, the verifier may apply the hash function on the message to produce the series of k values b_1,...,b_k (step 205). Once the k values b_1,...,b_k are produced, the verifier preferably verifies the digital signature by verifying that the equations P_1(e_1,...,e_{n+v}, b_1,...,b_k) = 0, ..., P_k(e_1,...,e_{n+v}, b_1,...,b_k) = 0 are satisfied (step 210). It is appreciated that the generation and verification of the digital signature as mentioned above may be used for the UOV by allowing the set S2 to include the set S of k polynomial functions of the UOV scheme as described in Appendix I. Alternatively, the generation and verification of the digital signature as mentioned above may be used for the HFEV by allowing the set S2 to include the set f(a) of k polynomial functions of the HFEV scheme as described in Appendix I. As mentioned in Appendix I, the methods of Figs. 2A and 2B enable obtaining of digital signatures which are typically smaller than digital signatures obtained in conventional number theoretic cryptography schemes, such as the well known RSA scheme. In accordance with a preferred embodiment of the present invention, when the set S2 includes the set S of k polynomial functions of the UOV scheme, the set S1 may be supplied with the number v of "vinegar" variables being selected to be greater than the number n of "oil" variables. Preferably, v may be also selected such that q^v is greater than 2^32, where q is the number of elements of a finite field K over which the sets S1, S2 and S3 are provided.
Further preferably, the set S1 may be obtained from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized by that all coefficients of components involving any of the y_1,...,y_k variables in the k polynomial functions P'_1(a_1,...,a_{n+v}, y_1,...,y_k), ..., P'_k(a_1,...,a_{n+v}, y_1,...,y_k) are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.
In the basic "Oil and Vinegar" scheme, the number v of "vinegar" variables is chosen to be equal to the number n of "oil" variables. For such a selection of the v variables, Aviad Kipnis, who is one of the inventors of the present invention, and Adi Shamir have shown, in the above mentioned Proceedings of CRYPTO 98, Springer, LNCS n°1462, on pages 257 - 266, a cryptanalysis of the basic "Oil and Vinegar" signature scheme which renders the basic "Oil and Vinegar" scheme insecure. Additionally, by applying the same method described by Kipnis and Shamir, the basic "Oil and Vinegar" scheme may be shown to be insecure for any number v of "vinegar" variables which is lower than the number n of "oil" variables. The inventors of the present invention have found, as described in Appendix I, that if the "Oil and Vinegar" scheme is made unbalanced by modifying the "Oil and Vinegar" scheme so that the number v of "vinegar" variables is greater than the number n of "oil" variables, a resulting unbalanced "Oil and Vinegar" (UOV) scheme may be secure. Specifically, for a UOV of degree 2 and for all values of p other than 2, where p is the characteristic of the field K, p being the additive order of 1, the UOV scheme is considered secure for values of v which satisfy the inequality q^((v-n)-1) * n^4 > 2^40. For a UOV of degree 2 and for p = 2, the number v of "vinegar" variables may be selected so as to satisfy the inequalities v < n^2 and q^((v-n)-1) * n^4 > 2^40. It is appreciated that for values of v which are higher than n^2/2 but less than or equal to n^2, the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n^2, the UOV is believed to be insecure.
Furthermore, for a UOV of degree 3 and for p = 2, the UOV scheme is considered secure for values of v which are substantially greater than n*(1 + sqrt(3)) and lower than or equal to n^3/6. It is appreciated that for values of v which are higher than n^3/6 but lower than or equal to n^3/2, the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n^3/2, and for values of v which are lower than n*(1 + sqrt(3)), the UOV is believed to be insecure. Additionally, for a UOV of degree 3 and for p other than 2, the UOV scheme is considered secure for values of v which are substantially greater than n and lower than or equal to n^4. It is appreciated that for values of v which are higher than n^3/6 but lower than or equal to n^4, the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n^4, and for values of v which are lower than n, the UOV is believed to be insecure.
Preferably, in a case that the set S2 includes the set f(a) of k polynomial functions of the HFEV scheme, the set S2 may include an expression which includes k functions that are derived from a univariate polynomial. Preferably, the univariate polynomial may include a polynomial of degree less than or equal to 100,000 on an extension field of degree n over K.
Examples of parameters selected for the UOV and the HFEV schemes are shown in Appendix I.
It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.
It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention is defined only by the claims which follow.
APPENDIX I
Unbalanced Oil and Vinegar Signature Schemes
Aviad Kipnis, Jacques Patarin, Louis Goubin
NDS Technologies, 5 Hamarpe St. Har Hotzvim, Jerusalem - Israel, akipnis@ndsisrael.com
Bull SmartCards and Terminals, 68, route de Versailles - BP45, 78431 Louveciennes Cedex - France, {J.Patarin, L.Goubin}@frlv.bull.fr
Abstract
In [16], J. Patarin designed a new scheme, called "Oil and Vinegar", for computing asymmetric signatures. It is very simple, can be computed very fast (both in secret and public key) and requires very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in n unknowns called "oil" and v = n unknowns called "vinegar" over a finite field K, with linear secret functions. This original scheme was broken in [10] by A. Kipnis and A. Shamir. In this paper, we study some very simple variations of the original scheme where v > n (instead of v = n). These schemes are called "Unbalanced Oil and Vinegar" (UOV), since we have more "vinegar" unknowns than "oil" unknowns. We show that, when v ≈ n, the attack of [10] can be extended, but when v > 2n for example, the security of the scheme is still an open problem. Moreover, when v ≈ n^2/2, the security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to the problem of solving a random set of n quadratic equations in n^2/2 unknowns (with no trapdoor). However, we show that (in characteristic 2) when v > n^2, finding a solution is generally easy. Then we will see that it is very easy to combine the Oil and Vinegar idea and the HFE schemes of [14]. The resulting scheme, called HFEV, looks at the present also very interesting both from a practical and theoretical point of view. The length of a UOV signature can be as short as 192 bits and for HFEV it can be as short as 80 bits.
Note: An extended version of this paper can be obtained from the authors.
1 Introduction
Since 1985, various authors (see [7], [9], [12], [14], [16], [17], [18], [21] for example) have suggested some public key schemes where the public key is given as a set of multivariate quadratic (or higher degree) equations over a small finite field K. The general problem of solving such a set of equations is NP-hard (cf [8]) (even in the quadratic case). Moreover, when the number of unknowns is, say, n > 16, the best known algorithms are often not significantly better than exhaustive search (when n is very small, Gröbner bases algorithms are more efficient, cf [6]).
The schemes are often very efficient in terms of speed or RAM required in a smartcard implementation. (However, the length of the public key is generally > 1 Kbyte. Nevertheless, it is sometimes useful to notice that secret key computations can be performed without the public key). The most serious problem is that, in order to introduce a trapdoor (to allow the computation of signatures or to allow the decryption of messages when a secret is known) , the generated set of public equations generally becomes a small subset of all the possible equations and, in many cases, the algorithms have been broken. For example [7] was broken by their authors, and [12], [16], [21] were broken. However, many schemes are still not broken (for example [14], [17], [18], [20]), and also in many cases, some very simple variations have been suggested in order to repair the schemes. Therefore, at the present, we do not know whether this idea of designing public key algorithms with multivariate polynomials over small finite fields is a very powerful idea (where only some too simple schemes are insecure) or not.
In this paper, we will present two new schemes: UOV and HFEV. UOV is a very simple scheme: the original Oil and Vinegar signature scheme (of [16]) was broken (see [10]), but if we have significantly more "vinegar" unknowns than "oil" unknowns (a definition of the "oil" and "vinegar" unknowns can be found in section 2), then the attack of [10] does not work and the security of this more general scheme (called UOV) is still an open problem. We will also study Oil and Vinegar schemes of degree three (instead of two). Then, we will present another scheme, called HFEV. HFEV combines the ideas of HFE (of [14]) and of vinegar variables. HFEV looks more efficient than the original HFE scheme. Finally, in section 13, we present what we know about the main schemes in this area of multivariate polynomials.
2 The (Original and Unbalanced) Oil and Vinegar of degree two
Let K = F_q be a small finite field (for example K = F_2). Let n and v be two integers. The message to be signed (or its hash) is represented as an element of K^n, denoted by y = (y_1, ..., y_n). Typically, q^n ≥ 2^128 (in section 8, we will see that q^n ≥ 2^64 is also possible). The signature x is represented as an element of K^{n+v}, denoted by x = (x_1, ..., x_{n+v}).
Secret key
The secret key is made of two parts:
1. A bijective and affine function s : K^{n+v} → K^{n+v}. By "affine", we mean that each component of the output can be written as a polynomial of degree one in the n + v input unknowns, and with coefficients in K.
2. A set (S) of n equations of the following type:
$$\forall i,\ 1 \le i \le n,\quad y_i = \sum_{j,k} \gamma_{ijk}\, a_j a'_k + \sum_{j,k} \lambda_{ijk}\, a'_j a'_k + \sum_j \xi_{ij}\, a_j + \sum_j \xi'_{ij}\, a'_j + \delta_i \qquad (S).$$
The coefficients γ_ijk, λ_ijk, ξ_ij, ξ'_ij and δ_i are the secret coefficients of these n equations. The values a_1, ..., a_n (the "oil" unknowns) and a'_1, ..., a'_v (the "vinegar" unknowns) lie in K. Note that these equations (S) contain no terms in a_i a_j.
Public key
Let A be the element of K^{n+v} defined by A = (a_1, ..., a_n, a'_1, ..., a'_v). A is transformed into x = s^{-1}(A), where s is the secret, bijective and affine function from K^{n+v} to K^{n+v}. Each value y_i, 1 ≤ i ≤ n, can be written as a polynomial P_i of total degree two in the x_j unknowns, 1 ≤ j ≤ n + v. We denote by (V) the set of the following n equations:
$$\forall i,\ 1 \le i \le n,\quad y_i = P_i(x_1, \ldots, x_{n+v}) \qquad (V).$$
These n quadratic equations (V) (in the n + v unknowns x_j) are the public key.
Computation of a signature (with the secret key)
The computation of a signature x of y is performed as follows:
Step 1: We find n unknowns a_1, ..., a_n of K and v unknowns a'_1, ..., a'_v of K such that the n equations (S) are satisfied. This can be done as follows: we randomly choose the v vinegar unknowns a'_i, and then we compute the a_i unknowns from (S) by Gaussian reductions (because - since there are no a_i a_j terms - the (S) equations are affine in the a_i unknowns when the a'_i are fixed).
Remark: If we find no solution, then we simply try again with new random vinegar unknowns. After very few tries, the probability of obtaining at least one solution is very high, because the probability for an n x n matrix over F_q to be invertible is not negligible. (It is exactly (1 - 1/q)(1 - 1/q^2)...(1 - 1/q^n). For q = 2, this gives approximately 30%, and for q > 2, this probability is even larger.)
Step 2: We compute x = s^{-1}(A), where A = (a_1, ..., a_n, a'_1, ..., a'_v). x is a signature of y.
Public verification of a signature
A signature x of y is valid if and only if all the (V) are satisfied. As a result, no secret is needed to check whether a signature is valid: this is an asymmetric signature scheme. Note: The name "Oil and Vinegar" comes from the fact that - in the equations (S) - the "oil unknowns" a_i and the "vinegar unknowns" a'_j are not all mixed together: there are no a_i a_j products. However, in (V), this property is hidden by the "mixing" of the unknowns by the s transformation. Is this property "hidden enough"? In fact, this question exactly means: "is the scheme secure?". When v = n, we call the scheme "Original Oil and Vinegar", since this case was first presented in [16]. This case was broken in [10]. It is very easy to see that the cryptanalysis of [10] also works, exactly in the same way, when v < n. However, the cases v > n are, as we will see, much more difficult. When v > n, we call the scheme "Unbalanced Oil and Vinegar".
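The key generation, signing (Step 1 and Step 2 above) and public verification just described, which are the same procedure as steps 100 to 210 of Figs. 2A and 2B in the patent text, as an added Python example that is not code from the patent or the paper. It builds secret (S) equations with no oil-oil terms, hides them behind an affine map s, signs by fixing random vinegar values and solving the resulting affine system for the oil unknowns, verifies with the public (V) equations, and also checks the degree-2 parameter conditions listed in the summary; all function names are mine, and it assumes a prime field GF(31), toy sizes n = 4 and v = 8, and a SHA-256-based hash into K^n, none of which are parameters taken from the page.

```python
import hashlib
import random
# Toy Unbalanced Oil and Vinegar (UOV) signatures over a prime field GF(q).
# Added example, not the patent's or the paper's code. My simplifications:
# q prime, k = n equations, degree 2, hash = SHA-256 bytes reduced mod q.
Q = 31

def solve(m, b, q=Q):
    """Solve m*x = b over GF(q) by Gauss-Jordan elimination; None if singular."""
    n = len(m)
    a = [row[:] + [bi] for row, bi in zip(m, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col] % q), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, q)
        a[col] = [x * inv % q for x in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % q for x, y in zip(a[r], a[col])]
    return [row[n] for row in a]

def matmul(a, b, q=Q):
    return [[sum(x * y for x, y in zip(row, col)) % q for col in zip(*b)] for row in a]

def evaluate(eq, x, q=Q):
    """One quadratic polynomial eq = (Qm, L, d) at x: x^T Qm x + L.x + d."""
    qm, lin, d = eq
    quad = sum(x[j] * qm[j][k] * x[k] for j in range(len(x)) for k in range(len(x)))
    return (quad + sum(l * xi for l, xi in zip(lin, x)) + d) % q

def keygen(n, v, rng, q=Q):
    """Secret: affine s(x) = M x + c and n equations (S); public (V): same polynomials in x."""
    N = n + v
    M = [[rng.randrange(q) for _ in range(N)] for _ in range(N)]
    while solve(M, [0] * N) is None:  # retry until M is invertible
        M = [[rng.randrange(q) for _ in range(N)] for _ in range(N)]
    c = [rng.randrange(q) for _ in range(N)]
    Mt = [list(col) for col in zip(*M)]
    secret, public = [], []
    for _ in range(n):
        # oil x oil block (j, k < n) is zero: with vinegar fixed, (S) is affine in oil
        qm = [[0 if j < n and k < n else rng.randrange(q) for k in range(N)]
              for j in range(N)]
        lin = [rng.randrange(q) for _ in range(N)]
        d = rng.randrange(q)
        secret.append((qm, lin, d))
        # substitute A = M x + c:  x^T(M^T qm M)x + (c^T(qm + qm^T)M + lin^T M)x + const
        sym = [[(qm[j][k] + qm[k][j]) % q for k in range(N)] for j in range(N)]
        lin_pub = matmul([[(u + w) % q for u, w in zip(matmul([c], sym)[0], lin)]], M)[0]
        d_pub = (matmul([c], matmul(qm, [[ci] for ci in c]))[0][0]
                 + sum(l * ci for l, ci in zip(lin, c)) + d) % q
        public.append((matmul(Mt, matmul(qm, M)), lin_pub, d_pub))
    return (M, c, secret), public

def hash_to_field(message, n, q=Q):
    """Map a message to y in K^n (constructed: SHA-256 digest bytes mod q)."""
    h = hashlib.sha256(message).digest()
    return [h[i % len(h)] % q for i in range(n)]

def sign(secret_key, y, n, v, rng, q=Q):
    """Step 1: random vinegar, solve n affine equations for oil (retry if singular). Step 2: x = s^-1(A)."""
    M, c, secret = secret_key
    N = n + v
    while True:
        vin = [rng.randrange(q) for _ in range(v)]
        rows, rhs = [], []
        for (qm, lin, d), yi in zip(secret, y):
            # coefficient of oil a_j: sum_k (qm[j][k] + qm[k][j]) a'_k + lin[j]
            rows.append([(sum((qm[j][k] + qm[k][j]) * vin[k - n] for k in range(n, N))
                          + lin[j]) % q for j in range(n)])
            const = sum(qm[j][k] * vin[j - n] * vin[k - n]
                        for j in range(n, N) for k in range(n, N))
            const += sum(lin[j] * vin[j - n] for j in range(n, N)) + d
            rhs.append((yi - const) % q)
        oil = solve(rows, rhs)
        if oil is not None:
            break
    # x = s^-1(A): solve M x = A - c rather than forming M^-1 explicitly
    return solve(M, [(a - ci) % q for a, ci in zip(oil + vin, c)])

def verify(public_key, y, x):
    """Public check (no secret needed): P_i(x) = y_i for every i."""
    return all(evaluate(eq, x) == yi for eq, yi in zip(public_key, y))

def uov_degree2_parameters_ok(q, n, v):
    """Patent conditions for degree 2: v > n, q^v > 2^32, q^((v-n)-1)*n^4 > 2^40, and v < n^2 if p = 2."""
    ok = v > n and q ** v > 2 ** 32 and q ** (v - n - 1) * n ** 4 > 2 ** 40
    return ok and (q % 2 == 1 or v < n * n)

def run_demo(n, v, seed):
    """Sign a constructed message; return (valid, other_message_valid, params_ok)."""
    rng = random.Random(seed)
    sk, pk = keygen(n, v, rng)
    y = hash_to_field(b"constructed sample message", n)
    x = sign(sk, y, n, v, rng)
    return verify(pk, y, x), verify(pk, hash_to_field(b"a different message", n), x), uov_degree2_parameters_ok(Q, n, v)
```

The toy sizes fail the parameter check on purpose; a realistic choice such as q = 2, n = 64, v = 128 passes it.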
3 Cryptanalysis of the case v = n (from [10])
The idea of the attack of [10] is essentially the following: In order to separate the oil variables and the vinegar variables, we look at the quadratic forms of the n public equations of (V); we omit for a while the linear terms. Let G_i for 1 ≤ i ≤ n be the respective matrix of the quadratic form of P_i of the public equations (V). The quadratic part of the equations in the set (S) is represented as a quadratic form with a corresponding 2n x 2n matrix of the form $\begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix}$; the upper left n x n zero submatrix is due to the fact that an oil variable is not multiplied by an oil variable. After hiding the internal variables with the linear function s, we get a representation for the matrices
$$G_i = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t,$$
where S is an invertible 2n x 2n matrix.
Definition 3.1: We define the oil subspace to be the linear subspace of all vectors in K2n whose second half contains only zeros.
Definition 3.2: We define the vinegar subspace as the linear subspace of all vectors in K2n whose first half contains only zeros.
Lemma 1 Let E and F be 2n x 2n matrices with an upper left zero n x n submatrix. If F is invertible then the oil subspace is an invariant subspace of EF^{-1}.
Proof: see [10].
Definition 3.4: For an invertible matrix G_j, define G_ij = G_i G_j^{-1}.
Definition 3.5: Let O be the image of the oil subspace by S^{-1}. In order to find the oil subspace, we use the following theorem:
Theorem 3.1 O is a common invariant subspace of all the matrices G_ij.
Proof:
$$G_{ij} = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t (S^t)^{-1} \begin{pmatrix} 0 & A_j \\ B_j & C_j \end{pmatrix}^{-1} S^{-1} = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} \begin{pmatrix} 0 & A_j \\ B_j & C_j \end{pmatrix}^{-1} S^{-1}.$$
The two inner matrices have the form of E and F in Lemma 1. Therefore, the oil subspace is an invariant subspace of the inner term and O is an invariant subspace of G_i G_j^{-1}. The problem of finding a common invariant subspace of a set of matrices is studied in [10]. Applying the algorithms in [10] gives us O. We then pick V to be an arbitrary subspace of dimension n such that V + O = K^{2n}, and they give an equivalent oil and vinegar separation. Once we have such a separation, we bring back the linear terms that were omitted, we pick random values for the vinegar variables and we are left with a set of n linear equations in the n oil variables.
Note: Lemma 1 is not true any more when v > n. The oil subspace is still mapped by E and F into the vinegar subspace. However, F^{-1} does not necessarily map the image by E of the oil subspace back into the oil subspace, and this is why the cryptanalysis of the original oil and vinegar is not valid for the unbalanced case.
4 Cryptanalysis when v > n and v ≈ n
In this section, we will describe a modification of the above attack, that is applicable as long as v - n is small (more precisely the expected complexity of the attack is approximately q^{(v-n)-1} · n^4).
Definition 4.1: We define in this section the oil subspace to be the linear subspace of all vectors in K^{n+v} whose last v coordinates are only zeros.
Definition 4.2: We define in this section the vinegar subspace to be the linear subspace of all vectors in K^{n+v} whose first n coordinates are only zeros.
Here in this section, we start with the homogeneous quadratic terms of the equations: we omit the linear terms for a while. The matrices G_i have the representation
$$G_i = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t,$$
where the upper left matrix is the n x n zero matrix, A_i is an n x v matrix, B_i is a v x n matrix, C_i is a v x v matrix and S is an (n + v) x (n + v) invertible linear matrix.
Definition 4.3: Define E_i to be $\begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix}$.
Lemma 2 For any matrix E that has the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$, the following holds: a) E transforms the oil subspace into the vinegar subspace. b) If the matrix E^{-1} exists, then the image of the vinegar subspace by E^{-1} is a subspace of dimension v which contains the n-dimensional oil subspace.
Proof: a) follows directly from the definition of the oil and vinegar subspaces. When a) is given then b) is immediate.
The algorithm we propose is probabilistic. It looks for an invariant subspace of the oil subspace after it is transformed by S. The probability for the algorithm to succeed on the first try is small. Therefore we need to repeat it with different inputs. We use the following property: any linear combination of the matrices E_1, ..., E_n is also of the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$. The following theorem explains why an invariant subspace may exist with a certain probability.
Theorem 4.1 Let F be an invertible linear combination of the matrices E_1, ..., E_n. Then for any k such that E_k^{-1} exists, the matrix FE_k^{-1} has a non trivial invariant subspace which is also a subspace of the oil subspace, with probability not less than U for d = v - n.
Proof: See the extended version of this paper.
Note: It is possible to get a better result for the expected number of eigenvectors and with much less effort: H is a subspace with dimension not less than n - d and is mapped by FE_k^{-1} into a subspace with dimension n. The probability for a non-zero vector to be mapped to a non-zero multiple of itself is (q - 1)/q^n. To get the expected value, we multiply it by the number of non-zero vectors in H. It gives a value which is not less than (q - 1)(q^{n-d} - 1)/q^n. Since every eigenvector is counted q - 1 times, the expected number of invariant subspaces of dimension 1 is not less than (q^{n-d} - 1)/q^n ≈ q^{-d}.
We define O as in section 3 and we get the following result for O:
Theorem 4.2 Let F be an invertible linear combination of the matrices G_1, ..., G_n. Then for any k such that G_k^{-1} exists, the matrix FG_k^{-1} has a non trivial invariant subspace, which is also a subspace of O, with probability not less than ^ - for d = v - n.
Proof:
$$F G_k^{-1} = S(a_1 E_1 + \ldots + a_n E_n) S^t (S^t)^{-1} E_k^{-1} S^{-1} = S(a_1 E_1 + \ldots + a_n E_n) E_k^{-1} S^{-1}.$$
The inner term has an invariant subspace which is a subspace of the oil subspace with the required probability. Therefore, the same will hold for FG_k^{-1}, but instead of a subspace of the oil subspace, we get a subspace of O.
How to find O ?
We take a random linear combination of G1, ..., Gn and multiply it by an inverse of one of the G matrices. Then we calculate all the minimal invariant subspaces of this matrix (a minimal invariant subspace of a matrix A contains no non trivial invariant subspaces of the matrix A; these subspaces correspond to irreducible factors of the characteristic polynomial of A). This can be done in probabilistic polynomial time using standard linear algebra techniques. This matrix may have an invariant subspace which is a subspace of O.
The following lemma enables us to distinguish between subspaces that are contained in O and random subspaces.
Lemma 3 If H is a linear subspace and H ⊂ O, then for every x, y in H and every i, G_i(x, y) = 0 (here we regard G_i as a bilinear form).
Proof: There are x' and y' in the oil subspace such that x' = xS and y' = yS. Then
G_i(x, y) = x S E_i S^T y^T = x' E_i (y')^T = 0.
The last term is zero because x' and y' are in the oil subspace (and the oil×oil block of E_i is zero).
Lemma 3 gives a polynomial test to distinguish between subspaces of O and random subspaces. If the matrix we used has no minimal invariant subspace which is also a subspace of O, then we pick another linear combination of G1, ..., Gn, multiply it by an inverse of one of the G_k matrices and try again. After repeating this process approximately q^{d-1} times, we find with good probability at least one non zero vector of O. We continue the process until we get n independent vectors of O. These vectors span O. The expected complexity of the process is proportional to q^{d-1} · n^4. We use here the expected number of tries until we find a non trivial invariant subspace, and the term n^4 covers the computational linear algebra operations we need to perform for every try.
5 The cases v ≃ n²/2 (or v ≥ n²/2)
Property
Let (A) be a random set of n quadratic equations in (n + v) variables x_1, ..., x_{n+v}. (By "random" we mean that the coefficients of these equations are uniformly and randomly chosen). When v ≃ n²/2 (and more generally when v ≥ n²/2), there is probably, for most of such (A), a linear change of variables (x_1, ..., x_{n+v}) ↦ (x'_1, ..., x'_{n+v}) such that the set (A') of (A) equations written in (x'_1, ..., x'_{n+v}) is an "Oil and Vinegar" system (i.e. there are no terms in x'_i · x'_j with i ≤ n and j ≤ n).
An argument to justify the property
Let
x_1 = a_{1,1} x'_1 + a_{1,2} x'_2 + ... + a_{1,n+v} x'_{n+v}
...
x_{n+v} = a_{n+v,1} x'_1 + a_{n+v,2} x'_2 + ... + a_{n+v,n+v} x'_{n+v}.
By writing that the coefficient in all the n equations of (A) of all the x'_i · x'_j (i ≤ n and j ≤ n) is zero, we obtain a system of n · n(n+1)/2 quadratic equations in the (n + v) · n variables a_{i,j} (1 ≤ i ≤ n + v, 1 ≤ j ≤ n). Therefore, when v ≥ approximately n²/2, we may expect to have a solution for this system of equations for most of (A).
Remarks:
1. This argument is very natural, but this is not a complete mathematical proof.
2. The system may have a solution, but finding the solution might be a difficult problem. This is why an Unbalanced Oil and Vinegar scheme might be secure (for well chosen parameters): there is always a linear change of variables that makes the problem easy to solve, but finding such a change of variables might be difficult.
3. In section 7, we will see that, despite the result of this section, it is not recommended to choose v ≥ n² (at least in characteristic 2).
6 Solving a set of n quadratic equations in k unknowns, k > n, is NP-hard
(See the extended version of this paper.)
7 A generally (but not always) efficient algorithm for solving a random set of n quadratic equations in n² (or more) unknowns
In this section, we describe an algorithm that solves a system of n randomly chosen quadratic equations in n + v variables, when v ≥ n². Let (S) be the following system:
Σ_{1≤i≤j≤n+v} a_{ij1} x_i x_j + Σ_{1≤i≤n+v} b_{i1} x_i + δ_1 = 0
...
Σ_{1≤i≤j≤n+v} a_{ijn} x_i x_j + Σ_{1≤i≤n+v} b_{in} x_i + δ_n = 0
The main idea of the algorithm consists in using a change of variables such as:
x_1 = α_{1,1} y_1 + α_{2,1} y_2 + ... + α_{n+v,1} y_{n+v}
...
x_{n+v} = α_{1,n+v} y_1 + α_{2,n+v} y_2 + ... + α_{n+v,n+v} y_{n+v}
whose α_{i,j} coefficients (for 1 ≤ i ≤ n, 1 ≤ j ≤ n + v) are found step by step, in order that the resulting system (S') (written with respect to these new variables y_1, ..., y_{n+v}) is easy to solve.
• We begin by choosing randomly α_{1,1}, ..., α_{1,n+v}.
• We then compute α_{2,1}, ..., α_{2,n+v} such that (S') contains no y_1 y_2 terms. This condition leads to a system of n linear equations on the (n + v) unknowns α_{2,j} (1 ≤ j ≤ n + v):
Σ_{1≤i≤j≤n+v} a_{ijk} α_{1,i} α_{2,j} = 0 (1 ≤ k ≤ n).
• We then compute α_{3,1}, ..., α_{3,n+v} such that (S') contains neither y_1 y_3 terms nor y_2 y_3 terms. This condition is equivalent to the following system of 2n linear equations on the (n + v) unknowns α_{3,j} (1 ≤ j ≤ n + v):
Σ_{1≤i≤j≤n+v} a_{ijk} α_{1,i} α_{3,j} = 0 (1 ≤ k ≤ n)
Σ_{1≤i≤j≤n+v} a_{ijk} α_{2,i} α_{3,j} = 0 (1 ≤ k ≤ n)
• ...
• Finally, we compute α_{n,1}, ..., α_{n,n+v} such that (S') contains neither y_1 y_n terms, nor y_2 y_n terms, ..., nor y_{n-1} y_n terms. This condition gives the following system of (n - 1)n linear equations on the (n + v) unknowns α_{n,j} (1 ≤ j ≤ n + v):
Σ_{1≤i≤j≤n+v} a_{ijk} α_{1,i} α_{n,j} = 0 (1 ≤ k ≤ n)
...
Σ_{1≤i≤j≤n+v} a_{ijk} α_{n-1,i} α_{n,j} = 0 (1 ≤ k ≤ n)
In general, all these linear equations provide at least one solution (found by Gaussian reductions). In particular, the last system of n(n - 1) equations and (n + v) unknowns generally gives a solution, as soon as n + v ≥ n(n - 1), i.e. v ≥ n(n - 2), which is true by hypothesis. Moreover, the n vectors (α_{1,1}, ..., α_{1,n+v}), ..., (α_{n,1}, ..., α_{n,n+v}) are very likely to be linearly independent for a random quadratic system (S).
The remaining α_{i,j} constants (i.e. those with n + 1 ≤ i ≤ n + v and 1 ≤ j ≤ n + v) are randomly chosen, so as to obtain a bijective change of variables.
By rewriting the system (S) with respect to these new variables y_i, we are led to the following system (S'):
Σ_{i=1}^{n} β_{i,1} y_i² + Σ_{i=1}^{n} y_i L_{i,1}(y_{n+1}, ..., y_{n+v}) + Q_1(y_{n+1}, ..., y_{n+v}) = 0
...
Σ_{i=1}^{n} β_{i,n} y_i² + Σ_{i=1}^{n} y_i L_{i,n}(y_{n+1}, ..., y_{n+v}) + Q_n(y_{n+1}, ..., y_{n+v}) = 0
where each L_{i,j} is an affine function and each Q_i is a quadratic function. We then compute y_{n+1}, ..., y_{n+v} such that:
∀i, 1 ≤ i ≤ n, ∀j, 1 ≤ j ≤ n, L_{i,j}(y_{n+1}, ..., y_{n+v}) = 0.
This is possible because we have to solve a linear system of n² equations and v unknowns, which generally provides at least one solution, as long as v ≥ n². We pick one of these solutions. In general, this gives the y_i² by Gaussian reduction. Then, in characteristic 2, since x ↦ x² is a bijection, we easily find a solution for the y_i from this expression of the y_i². In characteristic ≠ 2, it will also succeed when 2^n is not too large (i.e. when n ≤ 40 for example). When n is large, there is also a method to find a solution, based on the general theory of quadratic forms. Due to the lack of space, this method will be found in the extended version of this paper.
8 A variation with twice smaller signatures
In the UOV described in section 2, the public key is a set of n quadratic equations y_i = P_i(x_1, ..., x_{n+v}), for 1 ≤ i ≤ n, where y = (y_1, ..., y_n) is the hash value of the message to be signed. If we use a collision-free hash function, the hash value must be at least 128 bits long. Therefore, q^n must be at least 2^128, so that the typical length of the signature, if v = 2n, is at least 3 × 128 = 384 bits.
As we see now, it is possible to make a small variation in the signature design in order to obtain twice smaller signatures. The idea is to keep the same polynomial Pτ (with the same associated secret key) , but now the public equations that we check are:
∀i, P_i(x_1, ..., x_{n+v}) + L_i(y_1, ..., y_n, x_1, ..., x_{n+v}) = 0, where L_i is a linear function in (x_1, ..., x_{n+v}) and where the coefficients of L_i are generated by a hash function in (y_1, ..., y_n).
For example L_i(y_1, ..., y_n, x_1, ..., x_{n+v}) = a_1 x_1 + a_2 x_2 + ... + a_{n+v} x_{n+v}, where (a_1, a_2, ..., a_{n+v}) = Hash(y_1, ..., y_n || i). Now, n can be chosen such that q^n ≥ 2^64 (instead of q^n ≥ 2^128). (Note: q^n must be ≥ 2^64 in order to avoid exhaustive search on a solution x). If v = 2n and q^n ≃ 2^64, the length of the signature will be 3 × 64 = 192 bits.
9 Oil and Vinegar of degree three
The scheme
The quadratic Oil and Vinegar schemes described in section 2 can easily be extended to any higher degree. In the case of degree three, the set (S) of hidden equations is of the following type: for all i ≤ n, y_i is given by a polynomial of degree three in the oil variables a_j and the vinegar variables a'_k (S). [The explicit form of (S) is an image in the source and is not reproduced here.]
The computation of the public key, the computation of a signature and the verification of a signature are done as before.
First cryptanalysis of Oil and Vinegar of degree three when v < n
We can look at the quadratic part of the public key and attack it exactly as for an Oil and Vinegar of degree two. This is expected to work when υ < n.
Note: If there is no quadratic part (i.e. if the public key is homogeneous of degree three), or if this attack does not work, then it is always possible to apply a random affine change of variables and to try again.
Cryptanalysis of Oil and Vinegar of degree three when v ≤ (1 + √3)n and K is of characteristic ≠ 2 (from an idea of D. Coppersmith, cf [4])
The key idea is to detect a "linearity" in some directions. We search the set V of the values d = (d_1, ..., d_{n+v}) such that:
∀x, ∀i, 1 ≤ i ≤ n, P_i(x + d) + P_i(x - d) = 2P_i(x) (#).
By writing that each x_k indeterminate has a zero coefficient, we obtain n · (n + v) quadratic equations in the (n + v) unknowns d_j.
(Each monomial x_j x_k x_l gives (x_j + d_j)(x_k + d_k)(x_l + d_l) + (x_j - d_j)(x_k - d_k)(x_l - d_l) - 2 x_j x_k x_l, i.e. 2(x_j d_k d_l + x_k d_j d_l + x_l d_j d_k).)
Furthermore, the cryptanalyst can specify about n - 1 of the coordinates d_k of d, since the vector space of the correct d is of dimension n. It remains thus to solve n · (n + v) quadratic equations in (v + 1) unknowns d_j. When v is not too large (typically when (v + 2)(v + 1)/2 ≤ n(n + v), i.e. when v ≤ (1 + √3)n), this is expected to be easy. As a result, when v ≤ approximately (1 + √3)n and |K| is odd, this gives a simple way to break the scheme.
Note 1: When v is noticeably greater than (1 + √3)n (this is a more unbalanced limit than what we had in the quadratic case), we do not know at present how to break the scheme.
Note 2: Strangely enough, this cryptanalysis of degree three Oil and Vinegar schemes does not work on degree two Oil and Vinegar schemes. The reason is that, in degree two, writing ∀x, ∀i, 1 ≤ i ≤ n, P_i(x + d) + P_i(x - d) = 2P_i(x) only gives n equations of degree two on the (n + v) unknowns d_j (that we do not know how to solve). (Each monomial x_j x_k gives (x_j + d_j)(x_k + d_k) + (x_j - d_j)(x_k - d_k) - 2 x_j x_k, i.e. 2 d_j d_k.)
Note 3: In degree two, we have seen that Unbalanced Oil and Vinegar public keys are expected to cover almost all the set of n quadratic equations when v ≃ n²/2. In degree three, we have a similar property: the public keys are expected to cover almost all the set of n cubic equations when v ≃ n³/6 (the proof is similar).
10 Another scheme: HFEV
In the "most simple" HFE scheme (we use the notations of [14]), we have b = f(a), where:
f(a) = Σ_i β_i a^(q^θ_i + q^φ_i) + Σ_i α_i a^(q^ξ_i) + μ_0, (1)
where β_i, α_i and μ_0 are elements of the field F_(q^n). Let v be an integer (v will be the number of extra x_i variables, or the number of "vinegar" variables that we will add in the scheme). Let a' = (a'_1, ..., a'_v) be a v-uple of variables of K. Let now each α_i of (1) be an element of F_(q^n) such that each of the n components of α_i in a basis is a secret random linear function of the vinegar variables a'_1, ..., a'_v. And in (1), let now μ_0 be an element of F_(q^n) such that each one of the n components of μ_0 in a basis is a secret random quadratic function of the variables a'_1, ..., a'_v. Then, the n + v variables a_1, ..., a_n, a'_1, ..., a'_v will be mixed in the secret affine bijection s in order to obtain the variables x_1, ..., x_{n+v}. And, as before, t(b_1, ..., b_n) = (y_1, ..., y_n), where t is a secret affine bijection. Then the public key is given as the n equations y_i = P_i(x_1, ..., x_{n+v}). To compute a signature, the vinegar values a'_1, ..., a'_v will simply be chosen at random. Then, the values μ_0 and α_i will be computed. Then, the monovariate equation (1) will be solved (in a) in F_(q^n).
Example: Let K = F_2. In HFEV, let for example the hidden polynomial be: f(a) = a^17 + β_16 a^16 + a^12 + a^10 + β_8 a^8 + a^6 + β_4 a^4 + a^3 + β_2 a^2 + β_1 a + β_0, where a = (a_1, ..., a_n) (a_1, ..., a_n are the "oil" variables), β_1, β_2, β_4, β_8 and β_16 are given by n secret linear functions on the v vinegar variables and β_0 is given by n secret quadratic functions on the v vinegar variables. In this example, we compute a signature as follows: the vinegar variables are chosen at random and the resulting equation of degree 17 is solved in a.
Note: Unlike UOV, in HFEV we have terms in oil×oil (such as a^17, a^12, a^10, etc.), oil×vinegar (such as β_16 a^16, β_8 a^8, etc.) and vinegar×vinegar (in β_0).
Simulations
Nicolas Courtois did some simulations on HFEV and, in all his simulations, when the number of vinegar variables is ≥ 3, there are no affine multiple equations of small degree (which is very nice). See the extended version of this paper for more details.
11 Concrete examples of parameters for UOV
At the present, it seems possible to choose for example n = 64, v = 128 (or v = 192) and K = F_2. The signature scheme is the one of section 8, and the length of a signature is only 192 bits (or 256 bits) in this case. More examples of possible parameters are given in the extended version of this paper.
Note: If we choose K = F_2 then the public key is often large. So it is often more practical to choose a larger K and a smaller n: then the length of the public key can be reduced a lot. However, even when K and n are fixed, it is always feasible to make some easy transformations on a public key in order to obtain the public key in a canonical way such that this canonical expression is slightly shorter than the original expression. See the extended version of this paper for details.
12 Concrete example of parameters for HFEV
At the present, it seems possible to choose a small value for v (for example v = 3) and a small value for d (for example n = 77, v = 3, d = 33 and K = F_2). The signature scheme is described in the extended version of this paper (to avoid the birthday paradox). Here the length of a signature is only 80 bits! More examples of possible parameters are given in the extended version of this paper.
13 State of the art (in May 1999) on Public-Key schemes with Multivariate Polynomials over a small finite field
Recently, many new ideas have been introduced to design better schemes, such as UOV or HFEV described in this paper. Another idea is to fix some variables to hide some algebraic properties, and another idea is to introduce a few really random quadratic equations and to mix them with the original equations: see the extended version of this paper. However, many new ideas have also been introduced to design better attacks on previous schemes, such as the (not yet published) papers [1], [2], [3], [5]. So the field is fast moving and it can look a bit confusing at first. Moreover, some authors use the word "cryptanalysis" for "breaking" and some authors use this word with the meaning "an analysis about the security" that does not necessarily mean "breaking". In this section, we describe what we know at the present about the main schemes.
In the large families of the public key based on multivariate polynomials over a small finite field, we can distinguish between five main families characterized by the way the trapdoor is introduced or by the difficult problem on which the security relies. In the first family are the schemes "with a Hidden Monomial" , i.e. the key idea is to compute an exponentiation x \- xd in a finite field for secret key computation. In the second family are the schemes where a polynomial function (with more than one monomial) is hidden. In the third family, the security relies on an isomorphism problem. In the fourth family, the security relies on the difficulty of finding the decomposition of two multivariate quadratic polynomials from all or part of their composition. Finally, in the fifth family, the secret key computations are based on Gaussian computations. The main schemes in these families are described in the figure below. What may be the most interesting scheme in each family is in a rectangle.
[Figure (not reproduced): the five families and their main schemes. Family 1: C* (1985-1995), Schemes with a Hidden Monomial (ex: Dragons with one monomial), C*--. Family 2: HFE, (polynomial) Dragons, HM, HM-. Family 3: IP. Family 4: (Original) Oil and Vinegar (1997-1998), Unbalanced Oil and Vinegar (UOV). Family 5: 2 Round schemes (2R) (D**, 2R with S-boxes, Hybrid 2R).]
• C* was the first scheme of all, and it can be seen as the ancestor of all these schemes. It was designed in [12] and broken in [13].
• Schemes with a Hidden Monomial (such as some Dragon schemes) were studied in [15], where it is shown that most of them are insecure. However, C*-- (studied in [20]) is (at the present) the most efficient signature scheme (in time and RAM) in a smartcard. The scheme is not broken (but it may seem too simple or too close to C* to have a large confidence in its security ...).
HFE was designed in [14]. The most recent results about its security are in [1] and [2]. In these papers, very clever attacks are described. However, at the present, it seems that the scheme is not broken since for well chosen and still reasonable parameters the computations required to break it are still too large. For example, the first challenge of US $500 given in the extended version of [14] has not been claimed yet (it is a pure HFE with n = 80 and d = 96 over F2).
HFE- is just an HFE where some of the public equations are not published. Due to [1] and [2], it may be recommended to do this (despite the fact that original HFE may be secure without it). In the extended version of [14] a second challenge of US $500 is described on a HFE- .
HFEV is described in this paper. HFEV and HFEV- look very hard to break. Moreover, HFEV is more efficient than the original HFE and it can give public key signatures of only 80 bits !
HM and HM- were designed in [20]. Very few analyses have been done on these schemes (but maybe we can recommend to use HM- instead of HM?).
IP was designed in [14]. IP schemes have the best proofs of security so far (see [19]). IP is very simple and can be seen as a nice generalization of Graph Isomorphism. The original Oil and Vinegar was presented in [16] and broken in [10].
• UOV is described in this paper. With IP, they are certainly the most simple schemes.
• 2R was designed in [17] and [18]. Due to [3], it is necessary to have at least 128 bits in input, and due to [5], it may be wise not to publish all the (originally) public equations: this gives the 2R- algorithms (the efficiency of the decomposition algorithms given in [5] on the 2R schemes is not yet completely clear).
Remark 1: These schemes are of theoretical interest but (with the exception of IP) their security does not rely directly on a clearly defined problem that is considered to be difficult. So is it reasonable to implement them in real products? We think indeed that it is a bit risky to rely the whole security of sensitive applications on such schemes. However, at the present, most of the smartcard applications use secret key algorithms (for example Triple-DES) because RSA smartcards are more expensive. So it can be reasonable to put in a low-cost smartcard one of the previous public key schemes in addition to (not instead of) the existing secret key scheme. Then the security can only be increased and the price of the smartcard would still be low (no coprocessor needed). The security would then rely on a master secret key for the secret key algorithm (with the risk of depending on a master secret key) and on a new low-cost public-key scheme (with the risk that the scheme has no proof of security). It can also be noticed that when extremely short signature lengths (or short block encryption) are required, there is no real choice: at the present only multivariate schemes can have lengths between 64 and 256 bits.
Remark 2: When a new scheme is found with multivariate polynomials, we do not necessarily have to explain how the trapdoor has been introduced. Then we will obtain a kind of "Secret-Public Key scheme"! The scheme is clearly a Public Key scheme since anybody can verify a signature from the public key (or can encrypt from the public key) and the scheme is secret since the way to compute the secret key computations (i.e. the way the trapdoor has been introduced) has not been revealed and cannot be guessed from the public key. For example, we could have done this for HFEV (instead of publishing it).
14 Conclusion
In this paper, we have presented two new public key schemes with "vinegar variables": UOV and HFEV. The study of such schemes has led us to analyze very general properties about the solutions of systems of general quadratic forms. Moreover, from the general view presented in section 13, we see that these two schemes are at the present among the most interesting schemes in two of the five main families of schemes based on multivariate polynomials over a small finite field. Will this still be true in a few years?
References
[1] Anonymous, Cryptanalysis of the HFE Public Key Cryptosystem, not yet published.
[2] Anonymous, Practical cryptanalysis of Hidden Field Equations (HFE), not yet published.
[3] Anonymous, Cryptanalysis of Patarin's 2-Round Public Key System with S Boxes, not yet published.
[4] D. Coppersmith, personal communication, e-mail.
[5] Z. Dai, D. Ye, K.-Y. Lam, Factoring-attacks on Asymmetric Cryptography Based on Mapping-compositions, not yet published.
[6] J.-C. Faugère, personal communication.
[7] H. Fell, W. Diffie, Analysis of a public key approach based on polynomial substitutions, Proceedings of CRYPTO'85, Springer-Verlag, vol. 218, pp. 340-349.
[8] M. Garey, D. Johnson, Computers and Intractability, a Guide to the Theory of NP-Completeness, Freeman, p. 251.
[9] H. Imai, T. Matsumoto, Algebraic Methods for Constructing Asymmetric Cryptosystems, Algebraic Algorithms and Error Correcting Codes (AAECC-3), Grenoble, 1985, Springer-Verlag, LNCS n°229.
[10] A. Kipnis, A. Shamir, Cryptanalysis of the Oil and Vinegar Signature Scheme, Proceedings of CRYPTO'98, Springer, LNCS n°1462, pp. 257-266.
[11] R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its Applications, volume 20, Cambridge University Press.
[12] T. Matsumoto, H. Imai, Public Quadratic Polynomial-tuples for Efficient Signature-Verification and Message-Encryption, Proceedings of EUROCRYPT'88, Springer-Verlag, pp. 419-453.
[13] J. Patarin, Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88, Proceedings of CRYPTO'95, Springer-Verlag, pp. 248-261.
[14] J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms, Proceedings of EUROCRYPT'96, Springer, pp. 33-48.
[15] J. Patarin, Asymmetric Cryptography with a Hidden Monomial, Proceedings of CRYPTO'96, Springer, pp. 45-60.
[16] J. Patarin, The Oil and Vinegar Signature Scheme, presented at the Dagstuhl Workshop on Cryptography, September 1997 (transparencies).
[17] J. Patarin, L. Goubin, Trapdoor One-way Permutations and Multivariate Polynomials, Proceedings of ICICS'97, Springer, LNCS n°1334, pp. 356- 368.
[18] J. Patarin, L. Goubin, Asymmetric Cryptography with S-Boxes, Proceedings of ICICS'97, Springer, LNCS n°1334, pp. 369-380.
[19] J. Patarin, L. Goubin, N. Courtois, Improved Algorithms for Isomorphisms of Polynomials, Proceedings of EUROCRYPT'98, Springer, pp. 184-200.
[20] J. Patarin, L. Goubin, N. Courtois, C*-+ and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai, Proceedings of ASIACRYPT'98, Springer, pp. 35-49.
[21] A. Shamir, A simple scheme for encryption and its cryptanalysis found by D. Coppersmith and J. Stern, presented at the Luminy workshop on cryptography, September 1995.

Claims

What is claimed is:
1. A digital signature cryptographic method comprising: supplying a set S1 of k polynomial functions as a public-key, the set S1 including the functions P1(x1,...,xn+v, y1,...,yk),..., Pk(x1,...,xn+v, y1,...,yk), where k, v, and n are integers, x1,...,xn+v are n+v variables of a first type, y1,...,yk are k variables of a second type, and the set S1 is obtained by applying a secret key operation on a set S2 of k polynomial functions P'1(a1,...,an+v,y1,...,yk),...,P'k(a1,...,an+v,y1,...,yk) where a1,...,an+v are n+v variables which include a set of n "oil" variables a1,...,an, and a set of v "vinegar" variables an+1,...,an+v; providing a message to be signed; applying a hash function on the message to produce a series of k values b1,...,bk; substituting the series of k values b1,...,bk for the variables y1,...,yk of the set S2 respectively to produce a set S3 of k polynomial functions P"1(a1,...,an+v),...,P"k(a1,...,an+v); selecting v values a'n+1,...,a'n+v for the v "vinegar" variables an+1,...,an+v; solving a set of equations P"1(a1,...,an,a'n+1,...,a'n+v)=0,..., P"k(a1,...,an,a'n+1,...,a'n+v)=0 to obtain a solution for a'1,...,a'n; and applying the secret key operation to transform a'1,...,a'n+v to a digital signature e1,...,en+v.
2. A method according to claim 1 and also comprising the step of verifying the digital signature.
3. A method according to claim 2 and wherein said verifying step comprises the steps of: obtaining the signature e1,...,en+v, the message, the hash function and the public key; applying the hash function on the message to produce the series of k values b1,...,bk; and verifying that the equations P1(e1,...,en+v,b1,...,bk)=0,..., Pk(e1,...,en+v,b1,...,bk)=0 are satisfied.
4. A method according to claim 1 and wherein the set S2 comprises the set f(a) of k polynomial functions of the HFEV scheme.
5. A method according to claim 1 and wherein the set S2 comprises the set S of k polynomial functions of the UOV scheme.
6. A method according to claim 1 and wherein said supplying step comprises the step of selecting the number v of "vinegar" variables to be greater than the number n of "oil" variables.
7. A method according to claim 1 and wherein v is selected such that q^v is greater than 2^32, where q is the number of elements of a finite field K.
8. A method according to claim 1 and wherein said supplying step comprises the step of obtaining the set S1 from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized by that all coefficients of components involving any of the y1,...,yk variables in the k polynomial functions P'1(a1,...,an+v,y1,...,yk),...,P'k(a1,...,an+v,y1,...,yk) are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.
9. A method according to claim 8 and wherein the set S2 comprises the set S of k polynomial functions of the UOV scheme, and the number v of "vinegar" variables is selected so as to satisfy one of the following conditions: (a) for each characteristic p other than 2 of a field K in an "Oil and Vinegar" scheme of degree 2, v satisfies the inequality q^(v-n-1) * n^4 > 2^40,
(b) for p = 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than n*(1 + sqrt(3)) and lower than or equal to n^3/6, and
(c) for each p other than 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than n and lower than or equal to n^4.
10. A method according to claim 8 and wherein the set S2 comprises the set S of k polynomial functions of the UOV scheme, and the number v of "vinegar" variables is selected so as to satisfy the inequalities v<n^2 and q^(v-n-1) * n^4 > 2^40 for a characteristic p=2 of a field K in an "Oil and Vinegar" scheme of degree 2.
11. A method according to claim 1 and wherein said secret key operation comprises a secret affine transformation s on the n+v variables a1,...,an+v.
12. A method according to claim 4 and wherein said set S2 comprises an expression including k functions that are derived from a univariate polynomial.
13. A method according to claim 12 and wherein said univariate polynomial includes a univariate polynomial of degree less than or equal to 100,000.
14. A cryptographic method for verifying the digital signature of claim 1, the method comprising: obtaining the signature e1,...,en+v, the message, the hash function and the public key; applying the hash function on the message to produce the series of k values b1,...,bk; and verifying that the equations P1(e1,...,en+v,b1,...,bk)=0,..., Pk(e1,...,en+v,b1,...,bk)=0 are satisfied.
15. In an "Oil and Vinegar" signature method, an improvement comprising the step of using more "vinegar" variables than "oil" variables.
16. A method according to claim 15 and wherein the number v of "vinegar" variables is selected so as to satisfy one of the following conditions:
(a) for each characteristic p other than 2 of a field K and for a degree 2 of the "Oil and Vinegar" signature method, v satisfies the inequality q^(v-n-1) * n^4 > 2^40,
(b) for p = 2 and for a degree 3 of the "Oil and Vinegar" signature method, v is greater than n*(1 + sqrt(3)) and lower than or equal to n^3/6, and
(c) for each p other than 2 and for a degree 3 of the "Oil and Vinegar" signature method, v is greater than n and lower than or equal to n^4.
17. A method according to claim 15 and wherein the set S2 comprises the set S of k polynomial functions of the UOV scheme, and the number v of "vinegar" variables is selected so as to satisfy the inequalities v<n^2 and q^(v-n-1) * n^4 > 2^40 for a characteristic p=2 of a field K in an "Oil and Vinegar" scheme of degree 2.
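The following is an added, runnable illustration of the basic Unbalanced Oil and Vinegar scheme whose structure is analysed in section 4 (Lemma 2, Lemma 3) and whose signing and verification steps are recited in claims 1 and 3. It is example code written for this page; it is not the patent's or the authors' implementation. It assumes a toy prime field GF(31) and tiny parameters (n = 4 oil and v = 8 vinegar variables, v = 2n) chosen only so that it runs instantly, implements the plain form y_i = P_i(x) of the public key (not the section 8 variant with hash-derived linear terms), and uses SHA-256 reduced to n field elements as the hash (an assumption). Conventions follow the page: secret forms E_i with a zero n×n oil×oil block, public forms G_i = S E_i S^T, and secret coordinates a = xS. The function lemma3_holds checks, from the secret key side, the bilinear-form property of Lemma 3 on vectors of O.

```python
import hashlib
import random

# Toy parameters for the demo (assumption, not the page's recommended parameters).
Q = 31  # prime field GF(Q)

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    """Matrix product over GF(Q)."""
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in Bt] for row in A]

def solve(M, b):
    """Solve the square system M·z = b over GF(Q) by Gauss-Jordan; None if singular."""
    n = len(M)
    aug = [row[:] + [bi] for row, bi in zip(M, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % Q), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [(x * inv) % Q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % Q for x, y in zip(aug[r], aug[col])]
    return [row[n] for row in aug]

def invert(M):
    """Inverse over GF(Q): column j of M^{-1} solves M·z = e_j."""
    cols = [solve(M, [int(i == j) for i in range(len(M))]) for j in range(len(M))]
    return None if any(c is None for c in cols) else transpose(cols)

def keygen(n, v, rng):
    """Secret E_i = (0 A_i ; B_i C_i) (Lemma 2's form), secret S, public G_i = S E_i S^T."""
    m = n + v
    E = [[[0 if (r < n and c < n) else rng.randrange(Q) for c in range(m)] for r in range(m)]
         for _ in range(n)]
    while True:  # draw S until it is invertible (a singular draw happens with prob. ~1/Q)
        S = [[rng.randrange(Q) for _ in range(m)] for _ in range(m)]
        S_inv = invert(S)
        if S_inv is not None:
            break
    G = [matmul(matmul(S, Ei), transpose(S)) for Ei in E]
    return G, (E, S_inv)

def hash_target(msg, n):
    """Hash the message to the n field elements y_1..y_n the signature must hit (assumption)."""
    h = hashlib.sha256(msg).digest()
    return [h[i] % Q for i in range(n)]

def quad(Gi, x, y):
    """Bilinear form x·G_i·y^T over GF(Q); x = y gives the quadratic form G_i(x)."""
    return matmul(matmul([x], Gi), transpose([y]))[0][0]

def sign(msg, priv, n, v, rng):
    """Claim 1 steps: hash, pick vinegar values, solve the now-linear oil system, apply S^{-1}."""
    E, S_inv = priv
    y = hash_target(msg, n)
    while True:
        vin = [rng.randrange(Q) for _ in range(v)]
        M, rhs = [], []
        for i in range(n):
            Ei = E[i]
            # a E_i a^T with a = (oil | vin) is linear in the oil variables because the
            # oil×oil block is zero: the coefficient of oil_j comes from A_i and B_i,
            # the constant term from the vinegar×vinegar block C_i.
            M.append([(sum(Ei[j][n + k] * vin[k] for k in range(v))
                       + sum(vin[k] * Ei[n + k][j] for k in range(v))) % Q for j in range(n)])
            const = sum(vin[k] * Ei[n + k][n + l] * vin[l] for k in range(v) for l in range(v))
            rhs.append((y[i] - const) % Q)
        oil = solve(M, rhs)
        if oil is not None:  # otherwise the linear system was singular: retry with new vinegar
            return matmul([oil + vin], S_inv)[0]  # signature x, with a = x S

def verify(msg, sig, G, n):
    """Public check (claim 3): G_i(sig) = y_i for every i."""
    return [quad(Gi, sig, sig) for Gi in G] == hash_target(msg, n)

def lemma3_holds(G, S_inv, n, rng, trials=16):
    """Lemma 3: for x, y in O (the oil subspace carried through S^{-1}), x G_i y^T = 0 for all i."""
    m = len(S_inv)
    for _ in range(trials):
        x = matmul([[rng.randrange(Q) for _ in range(n)] + [0] * (m - n)], S_inv)[0]
        y = matmul([[rng.randrange(Q) for _ in range(n)] + [0] * (m - n)], S_inv)[0]
        if any(quad(Gi, x, y) != 0 for Gi in G):
            return False
    return True

def demo(seed=1, n=4, v=8):
    """Key generation, signing and verification on a constructed sample message."""
    rng = random.Random(seed)
    G, priv = keygen(n, v, rng)
    msg = b"constructed sample message"
    sig = sign(msg, priv, n, v, rng)
    return (verify(msg, sig, G, n),
            verify(b"another message", sig, G, n),  # a different hash target: expected False
            lemma3_holds(G, priv[1], n, rng),
            len(sig))  # signature length is n + v field elements

if __name__ == "__main__":
    print(demo())
```

The signature is n + v field elements, which is why the page's parameter discussion (sections 8 and 11) counts signature length as (n + v)·log2(q) bits; with q = 2, n = 64 and v = 128 that is the 192 bits quoted there. The retry loop in sign is the practical consequence of the oil system being a random n×n matrix over GF(q): it is singular with probability about 1/q, and a fresh vinegar draw fixes it.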
PCT/IB2000/000692 1999-04-29 2000-04-28 Public-key signature methods and systems WO2000067423A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
ES99401048T ES2230814T3 (en) 1999-04-29 1999-04-29 METHODS AND SYSTEMS OF PUBLIC KEY SIGNATURE.
AU46028/00A AU774346B2 (en) 1999-04-29 2000-04-28 Public-key signature methods and systems
BRPI0006085A BRPI0006085B1 (en) 1999-04-29 2000-04-28 public key signing systems and methods
JP2000616162A JP4183387B2 (en) 1999-04-29 2000-04-28 Methods and systems for signing public keys
HK02100489.6A HK1039004B (en) 1999-04-29 2002-01-22 Public-key signature methods and systems

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP99401048.6 1999-04-29
EP99401048A EP1049289B1 (en) 1999-04-29 1999-04-29 Public-key signature methods and systems

Publications (1)

Publication Number Publication Date
WO2000067423A1 true WO2000067423A1 (en) 2000-11-09

Family

ID=8241961

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2000/000692 WO2000067423A1 (en) 1999-04-29 2000-04-28 Public-key signature methods and systems

Country Status (12)

Country Link
US (1) US7100051B1 (en)
EP (1) EP1049289B1 (en)
JP (2) JP4183387B2 (en)
CN (1) CN1285191C (en)
AU (1) AU774346B2 (en)
BR (1) BRPI0006085B1 (en)
DE (1) DE69920875T2 (en)
DK (1) DK1049289T3 (en)
ES (1) ES2230814T3 (en)
HK (1) HK1039004B (en)
IL (1) IL135647A (en)
WO (1) WO2000067423A1 (en)

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2810139B1 (en) * 2000-06-08 2002-08-23 Bull Cp8 METHOD FOR SECURING THE PRE-INITIALIZATION PHASE OF AN ON-BOARD ELECTRONIC CHIP SYSTEM, ESPECIALLY A CHIP CARD, AND ON-BOARD SYSTEM IMPLEMENTING THE METHOD
WO2002084590A1 (en) * 2001-04-11 2002-10-24 Applied Minds, Inc. Knowledge web
US20030196094A1 (en) * 2002-04-10 2003-10-16 Hillis W. Daniel Method and apparatus for authenticating the content of a distributed database
US7844610B2 (en) * 2003-12-12 2010-11-30 Google Inc. Delegated authority evaluation system
US20030195834A1 (en) * 2002-04-10 2003-10-16 Hillis W. Daniel Automated online purchasing system
US8069175B2 (en) 2002-04-10 2011-11-29 Google Inc. Delegating authority to evaluate content
US7600118B2 (en) * 2002-09-27 2009-10-06 Intel Corporation Method and apparatus for augmenting authentication in a cryptographic system
AU2003297193A1 (en) 2002-12-13 2004-07-09 Applied Minds, Inc. Meta-web
US8012025B2 (en) * 2002-12-13 2011-09-06 Applied Minds, Llc Video game controller hub with control input reduction and combination schemes
US20050131918A1 (en) * 2003-12-12 2005-06-16 W. Daniel Hillis Personalized profile for evaluating content
CN1870499B (en) * 2005-01-11 2012-01-04 丁津泰 Method for generating multiple variable commom key password system
US7961876B2 (en) * 2005-01-11 2011-06-14 Jintai Ding Method to produce new multivariate public key cryptosystems
WO2007057610A1 (en) * 2005-11-18 2007-05-24 France Telecom Cryptographic system and method of authentication or signature
FR2916317B1 (en) * 2007-05-15 2009-08-07 Sagem Defense Securite PROTECTION OF EXECUTION OF A CRYPTOGRAPHIC CALCULATION
CN101321059B (en) * 2007-06-07 2011-02-16 管海明 Method and system for encoding and decoding digital message
FR2918525A1 (en) 2007-07-06 2009-01-09 France Telecom ASYMMETRICAL ENCRYPTION OR SIGNATURE VERIFICATION PROCESS.
CN101227286B (en) * 2008-01-31 2010-04-14 北京飞天诚信科技有限公司 Method for generating message authentication code
WO2011033642A1 (en) * 2009-09-17 2011-03-24 株式会社 東芝 Signature generation device and signature verification device
JP2011107528A (en) * 2009-11-19 2011-06-02 Sony Corp Information processing apparatus, key generating apparatus, signature verifying apparatus, information processing method, signature generating method, and program
IL205803A0 (en) * 2010-05-16 2010-12-30 Yaron Sella Collision-based signature scheme
IL206139A0 (en) 2010-06-02 2010-12-30 Yaron Sella Efficient multivariate signature generation
IL207918A0 (en) 2010-09-01 2011-01-31 Aviad Kipnis Attack-resistant multivariate signature scheme
JP5790287B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus, information processing method, program, and recording medium
US20160149708A1 (en) * 2013-07-12 2016-05-26 Koninklijke Philips N.V. Electronic signature system
CN103457726B (en) * 2013-08-26 2016-12-28 华南理工大学 Multi-variable public key ciphering method based on matrix
CN103780383B (en) * 2014-01-13 2017-05-31 华南理工大学 One kind is based on hyperspherical multivariable public key signature/checking system and method
CN104009848B (en) * 2014-05-26 2017-09-29 华南理工大学 A kind of multivariate digital signature system and method for mixed type
CN105245343B (en) * 2015-09-22 2018-09-14 华南理工大学 A kind of online static signature system and method based on multivariable cryptographic technique
JP7322763B2 (en) 2020-03-13 2023-08-08 日本電信電話株式会社 Key generation device, key generation method and program

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NZ240019A (en) * 1991-09-30 1996-04-26 Peter John Smith Public key encrypted communication with non-multiplicative cipher
US5375170A (en) 1992-11-13 1994-12-20 Yeda Research & Development Co., Ltd. Efficient signature scheme based on birational permutations
US5263085A (en) 1992-11-13 1993-11-16 Yeda Research & Development Co. Ltd. Fast signature scheme based on sequentially linearized equations
FR2737370B1 (en) * 1995-07-27 1997-08-22 Bull Cp8 CRYPTOGRAPHIC COMMUNICATION METHOD
FR2744309B1 (en) * 1996-01-26 1998-03-06 Bull Cp8 ASYMMETRIC CRYPTOGRAPHIC COMMUNICATING METHOD, AND PORTABLE OBJECT THEREOF
US6076163A (en) * 1997-10-20 2000-06-13 Rsa Security Inc. Secure user identification based on constrained polynomials

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KIPNIS A ET AL: "Cryptanalysis of the oil and vinegar signature scheme", ADVANCES IN CRYPTOLOGY - CRYPTO '98. 18TH ANNUAL INTERNATIONAL CRYPTOLOGY CONFERENCE. PROCEEDINGS, SANTA BARBARA, CA, USA, 23-27 AUG. 1998, 1998, Berlin, Germany, Springer-Verlag, Germany, pages 257 - 266, XP002116820, ISBN: 3-540-64892-5 *
PATARIN J: "HIDDEN FIELDS EQUATIONS (HFE) AND ISOMORPHISMS OF POLYNOMIALS (IP): TWO NEW FAMILIES OF ASYMMETRIC ALGORITHMS", ADVANCES IN CRYPTOLOGY - EUROCRYPT '96 INTERNATIONAL CONFERENCE ON THE THEORY AND APPLICATION OF CRYPTOGRAPHIC TECHNIQUES, SARAGOSSA, MAY 12 - 16, 1996, 12 May 1996 (1996-05-12), MAURER U (ED.), pages 33 - 48, XP000725433, ISBN: 3-540-61186-X *

Also Published As

Publication number Publication date
AU774346B2 (en) 2004-06-24
JP2005253107A (en) 2005-09-15
EP1049289B1 (en) 2004-10-06
BR0006085A (en) 2001-03-20
AU4602800A (en) 2000-11-17
IL135647A0 (en) 2001-05-20
JP2002543478A (en) 2002-12-17
CN1285191C (en) 2006-11-15
DE69920875T2 (en) 2005-10-27
CN1314040A (en) 2001-09-19
EP1049289A1 (en) 2000-11-02
DE69920875D1 (en) 2004-11-11
IL135647A (en) 2010-11-30
ES2230814T3 (en) 2005-05-01
HK1039004A1 (en) 2002-04-04
BRPI0006085B1 (en) 2016-05-10
US7100051B1 (en) 2006-08-29
JP4183387B2 (en) 2008-11-19
DK1049289T3 (en) 2005-02-14
HK1039004B (en) 2007-05-04

Similar Documents

Publication Publication Date Title
Kipnis et al. Unbalanced oil and vinegar signature schemes
WO2000067423A1 (en) Public-key signature methods and systems
Patarin et al. C*−+ and HM: Variations around two schemes of T. Matsumoto and H. Imai
Patarin et al. QUARTZ, 128-Bit Long Digital Signatures: http://www.minrank.org/quartz
Fouque et al. Differential cryptanalysis for multivariate schemes
Eichlseder et al. An algebraic attack on ciphers with low-degree round functions: application to full MiMC
EP2873186B1 (en) Method and system for homomorphicly randomizing an input
Kipnis et al. Efficient methods for practical fully homomorphic symmetric-key encrypton, randomization and verification
EP2351287B1 (en) Method of generating a cryptographic key, network and computer program therefor
WO2011151680A1 (en) Efficient multivariate signature generation
Raghunandan et al. Key generation using generalized Pell’s equation in public key cryptography based on the prime fake modulus principle to image encryption and its security analysis
KR100445893B1 (en) Asymmetric cryptographic communication method and related portable object
EP2966802A1 (en) Method for ciphering and deciphering digital data, based on an identity, in a multi-authorities context
JP2002540484A (en) Countermeasures for Electronic Components Using Elliptic Curve Type Public Key Encryption Algorithm
Kundu et al. Post-quantum digital signature scheme based on multivariate cubic problem
Yasuda et al. Reducing the key size of Rainbow using non-commutative rings
Badhwar The need for post-quantum cryptography
Hakuta et al. Batch verification suitable for efficiently verifying a limited number of signatures
US11888984B2 (en) White-box ECC implementation
Garg Candidate multilinear maps
Ding et al. Hidden Field Equations
Ding et al. Cryptanalysis of an implementation scheme of the tamed transformation method cryptosystem
Tripathi et al. An efficient digital signature scheme by using integer factorization and discrete logarithm problem
Smith-Tone Properties of the discrete differential with cryptographic applications
Moh An application of algebraic geometry to encryption: tame transformation method

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase
Ref document number: 00801038.2
Country of ref document: CN
AK Designated states
Kind code of ref document: A1
Designated state(s): AU BR CN JP
ENP Entry into the national phase
Ref document number: 2000 616162
Country of ref document: JP
Kind code of ref document: A
WWE Wipo information: entry into national phase
Ref document number: 46028/00
Country of ref document: AU
WWG Wipo information: grant in national office
Ref document number: 46028/00
Country of ref document: AU