Jintai Ding,Zheng Zhang,Joshua Deaton,Kurt Schmidt,FNU Vishakha

2019-01-01

Abstract:In 2017, Ward Beullens et al submitted Lifted Unbalanced Oil and Vinegar (LUOV)[1], a signature scheme based on the famous multivariate public key cryptosystem (MPKC) called Unbalanced Oil and Vinegar (UOV), to NIST for the competition for post-quantum public key scheme standardization. The defning feature of LUOV is that, though the public key P works in the extension feld of degree r of F2, the coeffcients of P come from F2. This is done to signifcantly reduce the size of P . This is a totally new design which was not therefore under any scrutiny before the submission. The LUOV scheme is now in the second round of the NIST PQC standardization process. In this paper we introduce a new attack on LUOV. The main idea is to consider some special differentials to develop new approaches to attack the systems.

Jintai Ding,Joshua Deaton,Vishakha,Bo-Yin Yang

DOI: https://doi.org/10.1007/978-3-030-77870-5_12

2021-01-01

Abstract:In 2017, Ward Beullens et al. submitted Lifted Unbalanced Oil and Vinegar [3], which is a modification to the Unbalanced Oil and Vinegar Scheme by Patarin. Previously, Ding et al. proposed the Subfield Differential Attack [22] which prompted a change of parameters by the authors of LUOV for the second round of the NIST post quantum standardization competition [4]. In this paper we propose a modification to the Subfield Differential Attack called the Nested Subset Differential Attack which fully breaks half of the parameter sets put forward. We also show by experimentation that this attack is practically possible to do in under 210 min for the level I security parameters and not just a theoretical attack. The Nested Subset Differential attack is a large improvement of the Subfield differential attack which can be used in real world circumstances. Moreover, we will only use what is called the "lifted" structure of LUOV, and our attack can be thought as a development of solving "lifted" quadratic systems.

Anindya Ganguly,Angshuman Karmakar,Nitin Saxena

2023-12-15

Abstract:Hard lattice problems are predominant in constructing post-quantum cryptosystems. However, we need to continue developing post-quantum cryptosystems based on other quantum hard problems to prevent a complete collapse of post-quantum cryptography due to a sudden breakthrough in solving hard lattice problems. Solving large multivariate quadratic systems is one such quantum hard problem. Unbalanced Oil-Vinegar is a signature scheme based on the hardness of solving multivariate equations. In this work, we present a post-quantum digital signature algorithm VDOO (Vinegar-Diagonal-Oil-Oil) based on solving multivariate equations. We introduce a new layer called the diagonal layer over the oil-vinegar-based signature scheme Rainbow. This layer helps to improve the security of our scheme without increasing the parameters considerably. Due to this modification, the complexity of the main computational bottleneck of multivariate quadratic systems i.e. the Gaussian elimination reduces significantly. Thus making our scheme one of the fastest multivariate quadratic signature schemes. Further, we show that our carefully chosen parameters can resist all existing state-of-the-art attacks. The signature sizes of our scheme for the National Institute of Standards and Technology's security level of I, III, and V are 96, 226, and 316 bytes, respectively. This is the smallest signature size among all known post-quantum signature schemes of similar security.

Cryptography and Security

Wuqiang Shen,Shaohua Tang,Lingling Xu

DOI: https://doi.org/10.1109/CSE.2013.66

2013-01-01

Abstract:Multivariate Public Key Cryptosystem (MPKC) is one of post-quantum cryptosystems which can potentially resist quantum computer attacks. It has increasingly been seen by some as a possible alternative to public key cryptosystems RSA, ECC, etc., which are widely in use today. Moreover, MPKC schemes are in general much more computationally efficient than number theoretic-based schemes. However, the oversize key poses obstacle on the calculation and transmission in MPKC. We notice the feature and benefit of the identity-based cryptography - the public key is directly gained from the user's identity information. Based on this, we consider introducing the identity-based semantics to MPKC, and it can cut down the size of public key of MPKC. Using the idea of constructing certificate-based Identity-Based Signature (IBS), we propose a novel and secure Identity-Based Unbalanced Oil-Vinegar (IBUOV) signature scheme based on the ordinary Unbalanced Oil-Vinegar (UOV) signature scheme. We provide the provable security to explain that our proposal is secure.

Ward Beullens

DOI: https://doi.org/10.1007/978-3-030-99277-4_17

2022-01-01

Abstract:The Oil and Vinegar signature scheme, proposed in 1997 by Patarin, is one of the oldest and best understood multivariate quadratic signature schemes. It has excellent performance and signature sizes but suffers from large key sizes on the order of 50 KB, which makes it less practical as a general-purpose signature scheme. To solve this problem, this paper proposes MAYO, a variant of the UOV signature scheme whose public keys are two orders of magnitude smaller. MAYO works by using a UOV map P:Fqn→Fqn$$\mathcal {P}:\mathbb {F}_q^n \rightarrow \mathbb {F}_q^n$$ with an unusually small oil space, which makes it possible to represent the public key very compactly. The usual UOV signing algorithm fails if the oil space is too small, but MAYO works around this problem by “whipping up” the oil and vinegar map P$$\mathcal {P}$$ into a larger map P⋆:Fqkn→Fqm$$\mathcal {P}^\star :\mathbb {F}_q^{kn} \rightarrow \mathbb {F}_q^m$$, that does have a sufficiently large oil space. With parameters targeting NISTPQC security level I, MAYO has a public key size of only 614 Bytes and a signature size of 392 Bytes. This makes MAYO more compact than state-of-the-art lattice-based signature schemes such as Falcon and Dilithium. Moreover, we can choose MAYO parameters such that, unlike traditional UOV signatures, signatures provably only leak a negligible amount of information about the private key.

Weiwei Cao,Lei Hu,Jintai Ding,Zhijun Yin

DOI: https://doi.org/10.1007/978-3-642-21031-0_13

2011-01-01

Abstract:The public key of the Oil-Vinegar scheme consists of a set of m quadratic equations in m + n variables over a finite field F-q. Kipnis and Shamir broke the balanced Oil-Vinegar scheme where d = n - m = 0 by finding equivalent keys of the cryptosytem. Later their method was extended by Kipnis et al to attack the unbalanced case where 0 < d < m and d is small with a complexity of O(q(d-1) m(4)). This method uses the matrices associated with the quadratic polynomials in the public key, which needs to be symmetric and invertible. In this paper, we give an optimized search method for Kipnis el al's attack. Moreover, for the case that the finite field is of characteristic 2, we find the situation becomes very subtle, which, however, was totally neglected in the original work of Kipnis et al. We show that the Kipnis-Shamir method does not work if the field characteristic is 2 and d is a small odd number, and we fix the situation by proposing an alternative method and give an equivalent key recovery attack of complexity O(q(d+1) m(4)). We also prove an important experimental observation by Ding et al for the Kipnis-Shamir attack on balanced Oil-Vinegar schemes in characteristic 2.

Jintai Ding,Zhijun Yin

2012-01-01

Abstract:We explore ideas for oil-vinegar signature schemes in the multivariate polynomial cryptography.In the first half, we focus on TTS (Tame Transformation Signature) systems. We find a structure attack to defeat a family of TTS systems. Then we have the related complexity analysis to claim that a family of TTS systems can be broken in the time complexity O(261). In the second half, we discuss the algebraic attack for the randomly built unbalanced oil-vinegar signature systems with different characteristics. Then we explore the security of those general oil-vinegar systems under F4 algorithm attack.

Hao Guo,Yi Jin,Yuansheng Pan,Xiaoou He,Boru Gong,Jintai Ding

DOI: https://doi.org/10.1007/978-3-031-62746-0_9

2024-01-01

Abstract:VOX is a UOV-like hash-and-sign signature scheme from the Multivariate Quadratic (MQ) family, which has been submitted to NIST Post-Quantum Cryptography Project, in response to NIST's Call for Additional Digital Signature Schemes for the PQC Standardization Process. In 2023, the submitters of VOX updated the sets of recommended parameters of VOX, due to the rectangular MinRank attack proposed by Furue and Ikematsu. In this work we demonstrate the insecurity of the updated VOX from both the practical and the theoretical aspects. First, we conduct a practical MinRank attack against VOX, which uses multiple matrices from matrix deformation of public key to form a large rectangular matrix and evaluate the rank of this new matrix. By using Kipnis-Shamir method and Grobner basis calculation only instead of support-minors method, our experiment shows it could recover, within two seconds, the secret key of almost every updated recommended instance of VOX. Moreover, we propose a theoretical analysis on VOX by expressing public/secret key as matrices over a smaller field to find a low-rank matrix, resulting in a more precise estimation on the concrete hardness of VOX; for instance, the newly recommended VOX instance claimed to achieve NIST security level 3 turns out to be 69-bit-hard, as our analysis shows.

Jiahui Chen,Shaohua Tang,Xinglin Zhang

DOI: https://doi.org/10.3837/tiis.2017.06.020

2017-01-01

KSII Transactions on Internet and Information Systems

Abstract:For "generic" multivariate public key cryptography (MPKC) systems, experts believe that the Unbalanced Oil-Vinegar (UOV) scheme is a feasible signature scheme with good efficiency and acceptable security. In this paper, we address two problems that are to find inversion solution of quadratic multivariate equations and find another structure with some random Oil-Oil terms for UOV, then propose a novel signature scheme based on hyper-sphere (HS-Sign for short) which directly answers these two problems. HS-Sign is characterized by its adding Oil-Oil terms and more advantages compared to UOV. On the one side, HS-Sign is based on a new inversion algorithm from hyper-sphere over finite field, and is shown to be a more secure UOV-like scheme. More precisely, according to the security analysis, HS-Sign achieves higher security level, so that it has larger security parameters choice ranges. On the other side, HS-Sign is beneficial from both the key side and computing complexity under the same security level compared to many baseline schemes. To further support our view, we have implemented 5 different attack experiments for the security analysis and we make comparison of our new scheme and the baseline schemes with simulation programs so as to show the efficiencies. The results show that HS-Sign has exponential attack complexity and HS-Sign is competitive with other signature schemes in terms of the length of the message, length of the signature, size of the public key, size of the secret key, signing time and verification time.

Zhiniang Peng,Shaohua Tang

DOI: https://doi.org/10.3837/tiis.2018.03.022

2018-01-01

KSII Transactions on Internet and Information Systems

Abstract:UOV is one of the most important signature schemes in Multivariate Public Key Cryptography (MPKC). It has a strong security guarantee and is considered to be quantum-resistant. However, it suffers from large key size and its signing procedure is relatively slow. In this paper, we propose a new secure UOV variant (Circulant UOV) with shorter private key and higher signing efficiency. We estimate that the private key size of Circulant UOV is smaller by about 45% than that of the regular UOV and its signing speed is more than 14 times faster than that of the regular UOV. We also give a practical implementation on modern x64 CPU, which shows that Circulant UOV is comparable to many other signature schemes.

Jíntai Ding,Zheng Zhang,Joshua D. Deaton,Lih-Chung Wang

DOI: https://doi.org/10.1007/978-3-030-61078-4_24

2020-01-01

Abstract:In 2017 Kyung-Ah Shim et al. proposed a multivariate signature scheme called Himq-3 which is a submission to National Institute of Standards and Technology (NIST) standardization process of post-quantum cryptosystems. The Himq-3 signature scheme can be classified into the oil vinegar signature scheme family. Similar to the rainbow signature scheme, the Himq-3 signature scheme uses a multilayer structure to shorten the signature size. Moreover the signing process is very fast due to a special system called L-inveritble cycle system that is used to invert the central map. In this paper, we provide a complete cryptanalysis to the Himq-3 signature scheme. We describe a new attack method called the singularity attack. This attack is based on the observation that the variables in the L-invertible cycle system are not allowed to be zero in a valid signature. For the completeness, we show step by step how variables and layers can be separated so that signature forgery can be performed. We claim that the complexity of our attack is much lower than the proposed security level.

Peigen Li,Jintai Ding

DOI: https://doi.org/10.1007/978-3-031-62746-0_4

2024-01-01

Abstract:SNOVA is a variant of a UOV-type signature scheme over a noncommutative ring. In this article, we demonstrate that certain parameters provided by authors in SNOVA fail to meet the NIST security level, and the complexities are lower than those claimed by SNOVA.

Jiahui Chen,Jianting Ning,Jie Ling,Terry Shue Chien Lau,Yacheng Wang

DOI: https://doi.org/10.1016/j.tcs.2019.12.032

IF: 1.002

2020-01-01

Theoretical Computer Science

Abstract:It is regarded as a difficult task to design a secure MPKC fundamental schemes such as an encryption scheme. In this paper we introduce a new central trapdoor for multivariate quadratic (MQ) public-key cryptosystems that allows for encryption, in contrast to time-tested MQ primitives such as Unbalanced Oil and Vinegar or Rainbow which only allow for signatures. The same as UOV or Rainbow, our construction is single field scheme where the central polynomial system is chosen to have a particular structure that enables efficient inversion. After applying this transformation, the plaintext can be recovered by solving a linear system. Our new central trapdoor can use to replace the broken extension field calculation trapdoor and simple matrix encryption trapdoor, thereafter, we use the minus and plus modifiers to inoculate our scheme against known attacks. It is highlight that our encryption scheme is a good explore in the area of multivariate cryptography. Finally, a straightforward Magma implementation confirms the efficient operation of the public key algorithms.

Jiahui Chen,Shaohua Tang,Daojing He,Yang Tan

DOI: https://doi.org/10.1007/s11276-016-1245-8

IF: 2.701

2016-01-01

Wireless Networks

Abstract:Being a member of the post quantum cryptography family, multivariate public key cryptographic (MPKC) system enjoys many useful properties such as fast implementation and moderate resources requirement, which is quite suitable for the wireless sensor network (WSN). However, MPKC system requires the usage of large public and private keys to ensure security which makes it inapplicable to wireless sensors with very limited system resources. In this paper, we propose an online/offline signature scheme based on a well known MPKC scheme: unbalanced oil and vinegar signature scheme for the wireless sensor network. Our scheme can reduce the cost of hardware running on signing process and the storage space of private key in the online signing phase. What is more, by combining a recent technique, the total storage requirement in a WSN node reduces by 85.8 % for the recommended parameters, which makes our new scheme feasible for the practical deployment on the WSN platforms.

Jintai Ding,Dieter Schmidt

DOI: https://doi.org/10.1007/11496137_12

2005-01-01

Abstract:Balanced Oil and Vinegar signature schemes and the unbalanced Oil and Vinegar signature schemes are public key signature schemes based on multivariable polynomials. In this paper, we suggest a new signature scheme, which is a generalization of the Oil-Vinegar construction to improve the efficiency of the unbalanced Oil and Vinegar signature scheme. The basic idea can be described as a construction of multi-layer Oil-Vinegar construction and its generalization. We call our system a Rainbow signature scheme. We propose and implement a practical scheme, which works better than Sflash$^{v_2}$, in particular, in terms of signature generating time.

Yang Tan,Shaohua Tang

DOI: https://doi.org/10.1007/978-3-319-38898-4_4

2016-01-01

Abstract:UOV is one of the earliest signature schemes in Multivariate Public Key Cryptography (MPKC). It also poses a strong security and none of the existing attacks can cause severe security threats to it. However, it suffers from a large key size. In this paper, we will propose two approaches to build variants of UOV with shorter private key size and faster signature generating process.

Jintai Ding,Momonari Kudo,Shinya Okumura,Tsuyoshi Takagi,Chengdong Tao

DOI: https://doi.org/10.1007/s13160-018-0316-x

2018-01-01

Japan Journal of Industrial and Applied Mathematics

Abstract:Researching post-quantum cryptography is now an important task in cryptography. Although various candidates of post-quantum cryptosystems (PQC) have been constructed, sizes of their public keys are large. Okumura constructed a candidate of PQC whose security is expected to be based on certain Diophantine equations (DEC). Okumura analysis suggests that DEC achieves the high security with small public key sizes. This paper proposes a polynomial time-attack on the one-way property of DEC. We reduce the security of DEC to finding special short lattice points of some low-rank lattices derived from public data. The usual LLL algorithm could not find the most important lattice point in our experiments because of certain properties of the lattice point. Our heuristic analysis leads us to using a variant of the LLL algorithm, called a weighted LLL algorithm by us. Our experiments suggest that DEC with 128 bit security becomes insecure by our attack.

LU Gang,NIE Xu-yun,QIN Zhi-guang,HOU Chuan-yong

DOI: https://doi.org/10.3969/j.issn.1001-0548.2018.02.013

2018-01-01

Abstract:In 2014, Yuan et al. proposed a new multivariate public key cryptosystem by combining "small field-big field" and "stepwise triangular" methods. The authors claimed that their scheme can be secure against rank attack, linearization equation attack and differential attack. Through analysis, we found that there are a lot of linearization equations satisfied by this scheme. We can transform it to an equivalent square encryption scheme by linearization equation method and then recover corresponding plaintext for any given cipheretext by differential attack. As to two recommended parameters, for given public key, the complexities of recovering plaintext are 233 and 235, respectively. The results above are further confirmed by computer experiments.

Antonio Corbo Esposito,Rosa Fera,Francesco Romeo

2024-05-14

Abstract:In this paper, we present OliVier a new Public Key Exchange cryptosystem that is based on a multivariate quadratic polynomial system: Oil & Vinegar polynomials together with fully quadratic ones. We describe its designing process, usage, complexity

Commutative Algebra

Ling Zhang,Qi Gui,Xiang-Jun Xin,Chao-Yang Li

DOI: https://doi.org/10.1142/s0217732324501116

2024-08-20

Modern Physics Letters A

Abstract:Modern Physics Letters A, Ahead of Print. Based on a set of locally indistinguishable orthogonal product (LIOP) states, a quantum designated multi-verifier signature scheme (LIOP-QDMVS) is proposed. In this scheme, each verifier can independently verify partial signature without exchanging information with other verifiers. The protocol can address the issue of excessive power from individual verifiers, as the signature is accepted as valid only when all verifiers confirm its validity. Additionally, all designated verifiers can collaborate to simulate signatures from the signer, that achieve the non-transferability and source hiding of the protocol. Furthermore, the scheme does not require any third-party involvement, and no entangled states need to be prepared during signature generation. It is proven that the LIOP-QDMVS owns unforgeability, correctness, theoretical information security, and designated verifier properties, as well as it is resistant to replay attacks and impersonation attacks. Therefore, LIOP-QDMVS offers better security and efficiency.

astronomy & astrophysics,physics, particles & fields, nuclear, mathematical