
A new quantum-safe multivariate polynomial public key digital signature algorithm.

Randy Kuang1, Maria Perepechaenko2, Michel Barbeau3.   

Abstract

We propose a new quantum-safe digital signature algorithm called Multivariate Polynomial Public Key Digital Signature (MPPK/DS). The core of the algorithm is the modular arithmetic property that, for an element g ≥ 2 of a prime Galois field GF(p) and two multivariate polynomials P and Q, if P ≡ Q (mod p-1) then g^P ≡ g^Q (mod p). MPPK/DS is designed to withstand key-only, chosen-message, and known-message attacks. Most importantly, keeping the element g secret denies a quantum computer the discrete logarithm instance it would otherwise solve. The security of MPPK/DS stems from choosing the prime p of the field GF(p) as a generalized safe prime p = q·2^x + 1, where q is an odd prime. With such a prime, choosing even coefficients for the publicly available polynomials makes it hard to recover any private information modulo p-1, and, by suitably arranging x and q, exponentially hard to lift solutions found modulo q to the ring of integers modulo p-1. Recovering private information modulo the components q and 2^x is in turn an NP-hard problem, since it amounts to solving systems of multivariate equations over the chosen finite field. The time complexity of recovering a private key from a public key or from signatures is exponential over GF(p), and so is the time complexity of a spoofing attack. MPPK/DS can achieve all three NIST security levels with optimized choices of the multivariate polynomials and of the generalized safe prime p.
© 2022. The Author(s).


Year:  2022        PMID: 35915107      PMCID: PMC9343446          DOI: 10.1038/s41598-022-15843-x

Source DB:  PubMed          Journal:  Sci Rep        ISSN: 2045-2322            Impact factor:   4.996


Introduction

The demand for secure communications has increased dramatically over the last few decades. Authentication algorithms play a major role in providing security in the digital world. Most digital signature algorithms are built on the well-known and well-studied cryptosystems Rivest–Shamir–Adleman (RSA)[1], the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA)[2,3]. However, none of the algorithms based on prime factorization, such as RSA, or on the Discrete Logarithm Problem (DLP), such as DSA and ECDSA, is secure against quantum attacks[4]. The need for a quantum-safe Public Key Infrastructure (PKI) has therefore triggered a new effort to find one or more efficient quantum-safe digital signature algorithms. We propose a new quantum-safe digital signature algorithm, Multivariate Polynomial Public Key Digital Signature (MPPK/DS). It stems from the Multivariate Polynomial Public Key (MPPK) Key Encapsulation Mechanism (KEM) of Kuang et al.[5]. The MPPK/DS design differs from decryption-encryption signature schemes such as RSA, which are exposed to the key-only attack. MPPK/DS also withstands known quantum computing attacks, such as solving the DLP, by using a secret random base for the modular exponentiation in the signing algorithm. In addition, we focus on developing a probabilistic digital signature. The core of the signing-verifying relationship in MPPK/DS is the modular arithmetic property that, given an integer x co-prime with n and two integers a and b, if  modulo , then  modulo n, where  is Euler's totient function evaluated at n. Most importantly, a and b are values of multivariate polynomials modulo . The security of the algorithm rests on the hardness of solving multivariate polynomial systems over a large finite field[6]. 
Moreover, by a careful choice of the prime p of the finite field, of the form , where q is a large prime, and a special choice of the coefficients of the publicly available polynomials, we make it hard for an attacker to find private key components modulo , and exponentially difficult to lift the solutions found modulo q and  to the ring . The best known complexity of cracking MPPK/DS is  using a classical system and  using a quantum device. We review related work in "Related work". "MPPK digital signature and verification" describes the MPPK/DS algorithm in detail, including key generation, signing, verification, and the signing-verifying relationship. The security analysis is given in "Security analysis". We discuss an optimal choice of parameters and give a brief overview of the performance of MPPK/DS in "Brief benchmarking results and optimal parameters of MPPK/DS". Conclusions are drawn in the last section.

Related work

In the digital age we live in today, simple day-to-day activities, such as surfing the Internet[7,8] or performing financial transactions using credit cards[9], rely on digital signature cryptosystems. Tan et al. identified 14 real-world applications of digital signature cryptosystems across the financial, critical infrastructure, Internet, and enterprise sectors[3]. Currently, the most widely used digital signature schemes are RSA[1] and ECDSA[2]; as of July 2013, both are digital signature standards[10]. However, neither is secure against attacks using fault-tolerant quantum computers[4,11]. ECDSA, like DSA[10], relies on the DLP, which can be broken using Shor's algorithm[4]; RSA depends on the integer factorization problem, which can also be solved efficiently by Shor's algorithm on a quantum computer[4]. Some other digital signature algorithms, such as hash-based ones, are considered quantum-resistant[12,13]. However, they might not be suitable for specific use cases, such as when the execution platform is a chip card[3]. To tackle this issue, the National Institute of Standards and Technology (NIST) launched a Post-Quantum Cryptography (PQC) project aiming to standardize one or more key exchange and digital signature algorithms that withstand classical and quantum attacks[14]. In November 2017, NIST received a total of 82 submissions, of which seven were multivariate digital signature algorithms that proceeded to the first round[15]. Only four of the seven first-round candidates moved on to the second round, namely the Lifted Unbalanced Oil and Vinegar (LUOV), Rainbow, GeMSS, and MQDSS schemes. Rainbow was accepted as a round three finalist, and GeMSS as a round three alternate candidate. 
Based on overall consideration of public key size, signature size, and the performance of key generation, signing, and verification, NIST plans to reopen submissions for PQC digital signatures in early 2022. LUOV[16] and Rainbow[17] are both multivariate digital signature algorithms based on the Unbalanced Oil and Vinegar (UOV) scheme, originally introduced by Kipnis et al.[18]. There have been attacks on the UOV scheme over the years; however, overall, the UOV scheme remains secure[19]. Braeken et al. studied the security of the UOV scheme[20]. They showed that if the number of variables n used in the scheme is greater than 2m, where m is the number of equations, then the cryptosystem is particularly vulnerable to Gröbner basis attacks. This improves the result shown by Courtois et al. for [21]. Moreover, they showed that choosing coefficients from a small subfield raises serious security concerns and should be avoided. In addition, Braeken et al. extended the attack of Youssef et al.[22] against Scheme B of Imai and Matsumoto[23] to the Unbalanced Oil and Vinegar scheme. This new attack is particularly efficient when the number of vinegar variables v is small. Faugère and Perret also studied the security of the UOV scheme[24]. They showed that some of the parameters proposed by Kipnis et al.[18] are not secure against a special Gröbner basis attack, which computes Gröbner bases of an "easier" system of equations rather than a single Gröbner basis for the original system. However, most of these attacks can be resisted by updating the proposed parameters. Ding et al. developed an attack on LUOV, called the Subfield Differential Attack (SDA)[25]. SDA does not rely on the Oil and Vinegar structure of LUOV; rather, it takes advantage of the fact that the coefficients of the quadratic terms lie in a small subfield. 
This attack reduces the complexity of the LUOV scheme below the targeted security for the NIST post-quantum standardization competition. Ding et al. point out that the SDA does not work on UOV or on the Rainbow digital signature algorithm[25]. Later, Ding et al. proposed a modified SDA, called the Nested Subset Differential Attack, which fully breaks half of the parameter sets of LUOV and can practically be done in under 210 minutes for the NIST level I security parameters[26]. This attack is the reason for LUOV's elimination from the standardization project. Like the original SDA, the Nested SDA does not exploit the UOV structure but rather the lifting technique of LUOV; thus, it does not apply to the Rainbow digital signature algorithm, which relies on the UOV scheme. In addition to the attacks on the UOV scheme described above, Beullens gave two new attacks against the Rainbow signature scheme, namely the intersection and rectangular MinRank attacks[27]. Given the Rainbow third-round parameters[17], these new attacks reduce the cost of a key recovery by a factor of  for security level I,  for security level III, and  for security level V, making these parameter sets fall short of the security requirements set out by NIST. In addition to mathematical cryptanalysis, physical implementation attacks on UOV and Rainbow have also been studied to ensure the security of the NIST round 3 finalists. Hashimoto et al. presented general fault attacks on multivariate-quadratic-based schemes[28]. Later, Krämer et al. showed how to apply the attack of Hashimoto et al. to the UOV and Rainbow schemes; it did not, however, lead to complete private key recovery[29]. Shim et al. performed an extensive fault analysis of UOV and Rainbow[30], focusing on attacks that inject faults into the random Vinegar values used in signing. Shim et al. 
showed that the equivalent key of UOV is wholly recovered in polynomial time from  and m signatures generated with entirely faulty Vinegar values in the three cases, respectively. The equivalent key of Rainbow is also recovered from 44, 79, and 43 signatures with 36 bytes of faulty Vinegar values in the three cases, respectively. This is the first result that leads to full secret key recovery of UOV and Rainbow from leakage of the Vinegar values. Two other NIST round two candidates, the GeMSS[31] and MQDSS[32] algorithms, have also been studied for possible security concerns. Kales and Zaverucha presented an attack on the MQDSS scheme[33]. Their attack applies to signature schemes built from five-round identification schemes via the Fiat-Shamir transformation, a category into which MQDSS falls. They showed that forging a signature for the 128-bit security level version of MQDSS can be done in  operations. To avoid the attack, new parameters were proposed that make the scheme significantly worse in performance[15], which caused the elimination of MQDSS from the standardization project. The GeMSS scheme did not have any serious security concerns in round two. Its significant drawbacks are enormous public keys, difficulty of implementation on low-end devices, and slow signing times[19]. The security of GeMSS relies on the HFE construction. Ding et al. studied the security of the HFE cryptosystem[34]. They presented a new algebraic method to attack the HFEv cryptosystem, using the algebraic structure of HFEv. The idea of the attack is to view the new vinegar variables as an external perturbation and to try to separate them, which can be done efficiently for small parameters . However, the complexity of the attack is exponential in the small parameter r. Overall, the GeMSS scheme is considered secure and is a NIST round-three alternate candidate in the digital signature category. 
We now shift the attention to the DLP. The DLP is the core mathematical problem underlying many widely used cryptosystems such as Diffie–Hellman (DH) and Elliptic Curve Diffie–Hellman (ECDH). It is, however, as we pointed out, not secure against attacks using quantum devices[4]. In our digital signature scheme, we use in part a construction similar to the one of DH. However, we do not share the base with the verifier, nor do we share the exponent. Nevertheless, we feel that it is worthwhile investigating any advances related to DLP. Using Pollard’s rho algorithm one might solve DLP in a cyclic group of size q with computational complexity of [35]. Assuming DLP in a group GF(n), where , if one knows u and v, one might reduce DLP to a smaller DLP using the Chinese Remainder Theorem and Pohlig–Hellman algorithm. Then it is possible to solve the reduced problem with modular multiplications[36]. Boudot et al. set two new records: factorize RSA-240, 795-bit number, and compute a discrete logarithm over a 795-bit prime field. They used the same system to set both records, thus showing that the difficulty of computing discrete logarithm is comparable to the problem of factorization of the same bit size[37]. Granger et al. computed a discrete logarithm in the finite field using the elimination step of the Granger, Kleinjung, and Zumbrägel’s algorithm[38] recursively. Corrigan-Gibbs and Kogan studied algorithms to solve DLP that utilizes pre-processing[39]. They showed that any generic discrete logarithm algorithm with pre-processed S-bit “advice” string runs in online time T and succeeds with probability if where N is the order of the underlying group. They also demonstrated two new generic pre-processing attacks: one for the multiple-discrete-log problem and certain decisional-type problems in groups. Hong et al. proposed a fuzzy Hellman algorithm that solves DLP using a one-time pre-computation process[36]. 
Given the pre-computation cost and online efficiency, this algorithm performs better than other known algorithms. Bellare introduced the Multi-Base Discrete Logarithm[40], which fills a gap exhibited by all known standard proofs[41,42] of the security of Schnorr's identification and signature algorithms[43]. Teseleanu produced the first l-out-of-n threshold kleptographic attack on discrete logarithm-based digital signatures by combining the notions of threshold scheme and kleptographic attack[44]. Recently, Abdullah et al. presented a new way to solve the elliptic curve DLP using initial minors[45]. A practical implementation showed that the attack could be performed for groups of orders up to . Roetteler et al. gave a precise estimate of the quantum resources needed to compute discrete logarithms on elliptic curves over prime fields using Shor's algorithm[46]. They showed that it takes at most  qubits to compute a discrete logarithm on an elliptic curve defined over an n-bit prime field, using a quantum circuit of at most  Toffoli gates. This result supports the one presented earlier by Proos and Zalka[47] and suggests that the number of qubits required to break Elliptic Curve Cryptography (ECC) is less than the number needed to break RSA. Ekerå bridged this work with Shor's work on computing discrete logarithms and with Seifert's work on computing orders with trade-offs, giving an algorithm that computes discrete logarithms without any knowledge of the group order[48]. Moreover, compared to Shor's algorithm, this algorithm evaluates a factor of two fewer group operations quantumly in each run, at the expense of multiple runs. In addition to PQC digital signature schemes, another promising idea has emerged that uses quantum systems to create digital signatures, called Quantum Digital Signature (QDS). QDS was first proposed by Gottesman and Chuang[49], signing classical bits with qubits. 
QDS offers information-theoretic security of signatures guaranteed by the laws of quantum mechanics. Lü and Feng proposed a QDS based on quantum one-way functions[50], a novel arbitrated quantum digital signature scheme to sign general quantum states. Clarke et al. experimentally demonstrated QDS using phase-encoded coherent states[51]. Wallden et al. presented a QDS built from QKD components and gave its security proof[52]. Hong et al. presented a QDS for a network with a signer, multiple verifiers, and a trusted center, a quantum counterpart of the classical PKI[53]. Single-bit QDS was first extended to multi-bit QDS by Wang et al.[54] and further by Wang and Wang in 2019 with a more efficient protocol[55]. Inspired by the measurement-device-independent continuous-variable scheme in QKD, Zhao et al. first proposed Continuous-Variable QDS (CV-QDS) in 2021 for both single-bit and multi-bit schemes[56]. They later improved CV-QDS to remove the loopholes of practical detectors and eliminate all side-channel attacks[57]. To visualize the various approaches and the differences between the described digital signature schemes, we provide Table 1. There are two groups of rows: classical data and quantum data. The first column lists classical techniques applicable to classical data. The second group of columns summarizes quantum-safe and quantum techniques applicable to classical or quantum data. In the classical data case, we give the name of the primitive, its basis, the most effective known attack, and whether it is a NIST third-round finalist. In the quantum data case, we give the names of the two applicable techniques.
Table 1. Summary of related work.

                  Classical technique   Quantum technique
                  Primitive             Primitive      Based on      Most effective attack            NIST 3rd round finalist
Classical data    RSA[1]                LUOV[16]       UOV[18]       Nested subfield attack[26]
                  DSA                   Rainbow[17]    UOV[18]       MinRank attacks[27]              ✓
                  ECDSA[2]              GeMSS[31]      HFE[34]       Due to Ding[34]                  ✓
                                        MQDSS[32]      Fiat-Shamir   Due to Kales and Zaverucha[33]
Quantum data                            QDS[49-55]
                                        CV-QDS[56,57]

MPPK digital signature and verification

MPPK/DS is a digital signature and verification scheme that uses public keys. We formally define the concept of a digital signature and verification using public keys, consistently with other authors[58,59].

Definition 3.1

(Digital signature) A digital signature scheme is specified by a pair of algorithms. There are two parties: a signer and a verifier. To sign a message , the signer uses a signing private key s and an algorithm to create a message-digital signature pair . The signer sends the pair . Upon reception of a message-digital signature pair , the verifier uses a public key v, corresponding to s, and a signature verifying algorithm to evaluate if is a matching digital signature for . When there is a match, the evaluation returns , otherwise it yields . Key generation can also be addressed explicitly. Hence, MPPK/DS comprises three algorithms: key generation, signing and signature verifying. They are respectively described in "Key generation algorithm", "Signing algorithm" and "Signature verifying algorithm".

Key generation algorithm

MPPK/DS has its own public-key and private-key operations. A key generation algorithm produces a private key and a corresponding public key. Said algorithm is described in this subsection. The algorithm has the following security parameters: A chosen generalized safe prime that determines the index of a finite field defining the domain of all coefficients and variables. Note that its Euler’s totient is equal to , or . Positive integers m, n,  and , that respectively specify the number of noise variables, the degree of a base polynomial, defined in the Eq. (1), and the degree of two univariate polynomials, defined in the Eq. (3). The positive integers that determine the degrees of noise variables in the base polynomial, as defined in Eq. (2). The signer and verifier agree on the actual values of the security parameters upon establishing communication. Note that the set GF(p), or . denotes the integers modulo p. Let GF(p) be the domain of variables . Variable denotes a message or the hashed value of a message. Variables represent noise. We also refer to the set , or , the integers modulo . With all arithmetic done modulo , the following mathematical objects are created by the signer: The private key s consists of the following items: A multivariate base polynomial of the form The constants are positive integers. The coefficients are randomly selected from . Written with respect to the variable , Eq. (1) is a polynomial of the form Two univariate polynomials of the form The coefficients and are randomly selected from . Using the base polynomial and two univariate polynomials, two product polynomials are created Polynomial can also be written in the form (similarly for ) For and , every (similarly for ) has the form Two univariate polynomials containing only the message variable for randomly selected . Two even random integers in . Using the integers two noise functions are created where and are as defined in the Eq. (2). 
Let be the polynomial without the highest order term and the constant term with respect to the variable , namely where the coefficients are as defined in the Eq. (5), ignoring the constant term and highest order term with respect to the variable . Such polynomial is created. Similarly, polynomial is created. Using , , , , , and two polynomials are created. The two univariate polynomials and . The values of the two even noise constants and . Polynomials and . The public key v comprises the following elements: The two polynomials and . The two noise functions and .

Signing algorithm

Let  be a message, or the hash of a message. Let , with , be a randomly selected base. All arithmetic is done modulo , unless specified otherwise. Using the signer's private key s, the signing algorithm computes the following items: , with . , with . , with . , with . , with . The digital signature is the quintuple (A, B, C, D, E), and the signing algorithm yields . The components A, B, C, D and E are required to differ from 0 and 1. If any of them equals 0 or 1, a new random base g is chosen and a new quintuple (A, B, C, D, E) is computed. The signer sends the pair  to the verifier.

Signature verifying algorithm

All arithmetic is done modulo , unless specified otherwise. Upon receiving a message (or the hash of a message) and a corresponding signature (A, B, C, D, E) from a signer, the verifier applies the signature verifying algorithm using the signer's public key v. Using  for  and randomly chosen positive values for the noise variables , the verifier evaluates the two public polynomials  and the noise functions . When  is equal to , the signature verifying algorithm returns , otherwise it yields . Note that there are multiple choices for the random noise values . They all produce different values for , , and . Thus, MPPK/DS falls into the category of non-deterministic digital signature algorithms, in the sense that verifying the same valid signature several times with different noise values yields different intermediate polynomial values, all of which satisfy the verification equality.

Lemma 3.2

(Completeness) Given a message , a public key v and corresponding private key s we have .

Proof

It follows from the modular arithmetic property:  where g and p are co-prime numbers. Note that polynomial  can be expressed as  and polynomial  can be expressed as . Multiplying polynomial  by , and  by , yields the following equality. Using Eqs. (12) and (13), Eq. (14) can be expanded as . This expression can be rewritten as , where ), , and . Performing modular exponentiation of Eq. (17) results in . This equality can be rewritten as 
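The relationship behind Lemma 3.2, as an added worked example in Python (this is not code from the paper). The parameters are constructed toy values: p = 113 = 7·2^4 + 1, the secret base g = 2, and the coefficient lists P_COEFFS and R_COEFFS; the exponent polynomials P and Q stand in for the signer's private and the verifier's public exponent polynomials, with the actual MPPK/DS polynomial structure and noise terms omitted. The example shows that two exponent polynomials that agree modulo p-1 give the same value under g for every message m, and that agreement modulo the factor q alone (the situation the security analysis leaves an attacker in) does not.

```python
# Added worked example (not the paper's code): the modular property behind
# Lemma 3.2, with toy parameters.  The exponent is a polynomial in the
# message m; two exponent polynomials that agree as polynomials over
# Z_{p-1} give identical results under a common secret base g modulo p,
# while agreement modulo the factor q alone does not suffice.

Q_PRIME, X_POW = 7, 4
P_PRIME = Q_PRIME * 2**X_POW + 1          # generalized safe prime p = q*2^x + 1 = 113
assert all(P_PRIME % d for d in range(2, int(P_PRIME**0.5) + 1)), "p must be prime"
G_BASE = 2                                 # secret base; a constructed toy value


def poly_eval_int(coeffs, m):
    """Evaluate sum_i coeffs[i]*m^i over the integers (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * m + c
    return acc


def poly_add_scaled(a, b, k):
    """Return a + k*b coefficient-wise over the integers."""
    n = max(len(a), len(b))
    pad = lambda v: v + [0] * (n - len(v))
    return [x + k * y for x, y in zip(pad(a), pad(b))]


def exponentials_agree(p, g, coeffs_p, coeffs_q, m):
    """True iff g^P(m) == g^Q(m) (mod p), exponents computed over the integers."""
    return pow(g, poly_eval_int(coeffs_p, m), p) == pow(g, poly_eval_int(coeffs_q, m), p)


def agree_for_all_messages(p, g, coeffs_p, coeffs_q):
    """Check the signing-verifying relationship for every message value m in GF(p)."""
    return all(exponentials_agree(p, g, coeffs_p, coeffs_q, m) for m in range(p))


# Constructed toy data: a private exponent polynomial P and a shift polynomial R.
P_COEFFS = [5, 3, 11]      # P(m) = 5 + 3m + 11m^2
R_COEFFS = [2, 1]          # R(m) = 2 + m

# Q_GOOD = P + (p-1)*R: identical to P modulo p-1, so g^P == g^Q_GOOD (mod p) for all m.
Q_GOOD = poly_add_scaled(P_COEFFS, R_COEFFS, P_PRIME - 1)
# Q_BAD = P + q*R: identical to P modulo q only, which is not enough.
Q_BAD = poly_add_scaled(P_COEFFS, R_COEFFS, Q_PRIME)


def demo():
    """Return (relationship holds for all m with Q_GOOD, holds at m=9 with Q_BAD)."""
    return (agree_for_all_messages(P_PRIME, G_BASE, P_COEFFS, Q_GOOD),
            exponentials_agree(P_PRIME, G_BASE, P_COEFFS, Q_BAD, 9))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The first result is Fermat's little theorem applied to exponents that differ by a multiple of p-1; the second fails because 2 has order 28 modulo 113, so a shift of q·R(9) = 77 in the exponent changes the value. This is exactly why an attacker who has solved the public system only modulo q still has to lift the solution to Z_{p-1} before it is useful in the exponent.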

Security analysis

We discuss attack models on digital signature algorithms. There are three attack types: chosen-message, known-message, and key-only. The chosen-message attack has two sub-categories, direct-chosen and generic-chosen, depending on whether the adversary knows the public key. If the adversary knows the public key, the direct-chosen method can replace a message signed by the signer with a message of the adversary's choosing that still carries the signer's signature. If the adversary does not know the public key, the generic-chosen method can trick the signer into signing a message that it does not intend to sign. In the known-message attack, the adversary obtains old messages and their signatures and tries to forge signatures for messages that the signer does not intend to sign, analyzing the old data by brute force to recreate the signer's signature. This attack is analogous to the known-plaintext attack on encryption. In the key-only attack, the signer's public key is assumed to be available to everyone; the adversary uses only this public key to try to recreate the signer's signature on messages that the signer did not sign. Such forgeries threaten both authentication and non-repudiation, since the signer cannot deny a signature that verifies under its public key. A digital signature using RSA[1], without hashing messages, is vulnerable to the known-message and chosen-message attacks because of its multiplicative property: the signature of a product of messages is the product of their signatures. It is also vulnerable to a key-only attack: an attacker who knows the public key can pick an arbitrary value x, encrypt it under the public key to obtain y, and present (y, x) as a valid message-signature pair, since verification of x against y simply recomputes y. Therefore, the RSA digital signature must be used with a cryptographic hash function. 
The ElGamal digital signature[60] and the Digital Signature Algorithm (DSA)[10], both based on the DLP, also require a cryptographic message hash function to prevent existential forgery. These signature attacks do not apply to MPPK/DS. Unlike the RSA signature scheme, MPPK/DS is not a one-way trapdoor signature with decryption for signing and encryption for verification. It is also not a DLP-type signature scheme like DSA, with a public generator as the base of the modular exponentiation. Most importantly, it does not use the message directly as the exponent of the modular exponentiation that produces the signature; it uses polynomials evaluated at the message as the exponent. Therefore, MPPK/DS is not vulnerable to the above signature attacks. Furthermore, techniques for solving the DLP, such as those using Shor's quantum algorithm, are not directly applicable. Cracking MPPK/DS boils down to producing a signature for a fake message that passes verification, that is, a universal or selective forgery of signatures. To achieve that, adversaries must crack public keys or signatures to obtain private keys, or directly brute-force values A, B, C, D, and E consistent with the verification relationship. In the remainder of this section, we analyze the security of MPPK/DS. We examine possible approaches a malicious party could take to obtain the private key from a public key and a signature. We also discuss digital signature spoofing vulnerabilities.
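The two RSA forgeries described above, as an added example in Python (not from the paper). The key is a constructed toy key (p = 10007, q = 10009, e = 65537), the messages are constructed values, and the hashed variant uses SHA-256 reduced into Z_n as a simplified stand-in for a proper hash-and-pad scheme such as PKCS#1 v1.5 or PSS; real deployments must use one of those. It requires Python 3.8 or later for the modular inverse via pow(e, -1, n).

```python
# Added worked example (not the paper's code): the two textbook forgeries
# against RSA signatures without a hash, and why hashing blocks them.
# Toy primes are constructed for illustration; real keys are 2048+ bits.
import hashlib

P_TOY, Q_TOY, E_PUB = 10007, 10009, 65537            # constructed toy key material
N_MOD = P_TOY * Q_TOY
D_PRIV = pow(E_PUB, -1, (P_TOY - 1) * (Q_TOY - 1))   # private exponent d = e^-1 mod phi(n)


def rsa_sign_raw(m, d=D_PRIV, n=N_MOD):
    """Textbook RSA signature: s = m^d mod n (no hash, no padding)."""
    return pow(m, d, n)


def rsa_verify_raw(m, s, e=E_PUB, n=N_MOD):
    """Accept iff s^e == m (mod n)."""
    return pow(s, e, n) == m % n


def key_only_forgery(s, e=E_PUB, n=N_MOD):
    """Key-only existential forgery: pick any s and output the pair (s^e mod n, s)."""
    return (pow(s, e, n), s)


def multiplicative_forgery(m1, s1, m2, s2, n=N_MOD):
    """Known-message forgery: from (m1, s1) and (m2, s2) derive a signature on m1*m2."""
    return (m1 * m2 % n, s1 * s2 % n)


def digest(m, n=N_MOD):
    """Hash the message and reduce into Z_n (simplified hash-then-sign, no padding)."""
    h = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(h, "big") % n


def rsa_sign_hashed(m, d=D_PRIV, n=N_MOD):
    """Hash-then-sign: s = H(m)^d mod n."""
    return pow(digest(m, n), d, n)


def rsa_verify_hashed(m, s, e=E_PUB, n=N_MOD):
    """Accept iff s^e == H(m) (mod n)."""
    return pow(s, e, n) == digest(m, n)


def demo():
    """Run both forgeries against the raw scheme and the multiplicative one against the hashed scheme."""
    m1, m2 = 4242, 1337                                  # constructed sample messages
    s1, s2 = rsa_sign_raw(m1), rsa_sign_raw(m2)
    forged_msg, forged_sig = multiplicative_forgery(m1, s1, m2, s2)
    y, x = key_only_forgery(123456)                      # attacker never contacts the signer
    hs1, hs2 = rsa_sign_hashed(m1), rsa_sign_hashed(m2)
    return {
        "raw_multiplicative": rsa_verify_raw(forged_msg, forged_sig),  # True
        "raw_key_only": rsa_verify_raw(y, x),                          # True
        "hashed_legit": rsa_verify_hashed(m1, hs1),                    # True
        # The product of two digests is not the digest of the product, so the
        # multiplicative relation no longer carries over to a valid signature.
        "hashed_multiplicative": rsa_verify_hashed(m1 * m2 % N_MOD, hs1 * hs2 % N_MOD),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The key-only forgery needs no interaction with the signer at all, which is what distinguishes it from the chosen-message variant; the forged message y is not meaningful, which is why this is an existential rather than a selective forgery.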

Security of the private key given the public key

MPPK/DS stems from MPPK KEM. Most of the security analysis done by Kuang et al.[5] directly applies to MPPK/DS. Public keys in both algorithms are almost identical, except for the modulo in the exponent polynomial computations. They share the same relationship with the corresponding private keys. We start by considering whether it is possible to obtain any components of the private key from the published coefficients of polynomials and Note that all the calculations involving private and public keys are performed modulo Recall, that every term of the coefficients of the public polynomials and contains and respectively. Since both and are not co-prime with , it is not possible for a malicious party to solve the system of equations generated by the coefficients of and correctly in the ring That is because it is impossible to divide by the terms containing and in the ring However, q and are co-prime, so the ring of integers Hence, calculations to obtain private keys from public keys can essentially be performed modulo q and and then lifted to modulo Notice, that since and are even it is not possible to gain any information modulo . Hence, the attacker is reduced to solving the system of equations modulo q, and lifting the solutions to the ring in order to find the actual solution. Since it is not possible to fully solve the system of equations generated by the coefficients of and modulo or , since and are even, we turn our attention to the ring . We first discuss two ways of considering the publicly available coefficients of and modulo q. One way is to consider the coefficients of and that are not associated with the pure term, namely and for all and Solving this system of equations does not give the attacker any information about the signature component E. 
The other way for a malicious party to find private keys from public keys is to consider all of the shared coefficients of and including coefficients and respectively for all The latter approach involves systems of equations with more variables and equations. Note also that the term E can be derived from A, B, C, and D as We start by considering the first approach, namely the one without coefficients of and associated with pure terms modulo q. Note that similar to MPPK KEM[5], we can set the public key parameters in such a way that the attacker is faced with an underdetermined systems of equations when considering the shared coefficients of the polynomial separately from the shared coefficients of the polynomial

Proposition 4.1

Let be the base polynomial. Publicly available coefficients of , without pure terms, form an underdetermined system of equations, when . The same holds true for the coefficients of considered independently without the pure terms. Let . Publicly available coefficients of or considered independently, and without pure terms, form a system ofif the base polynomial is defined as Since , the number of variables is greater than the number of equations

Corollary 4.2

Let the base polynomial be where for any desired . Then publicly available coefficients of , without pure terms, form an underdetermined system of equations, when . The same holds true for publicly available coefficients of considered independently without the pure terms. Let the base polynomial be defined as where for any desired . In this case, the coefficients of the polynomial or without pure terms considered independently from one another form a system of Let . Then, the number of variables is greater than the number of equations

Proposition 4.3

When the coefficients of and , without the pure terms, are examined together they form an overdetermined system of equations. Let the base polynomial be as defined in the Corollary 4.2. Considering two public polynomials and together yields a system of Equivalently, if the base polynomial is defined as in the Proposition 4.1, then considering together with yields a system of We now consider the second approach, namely the one that includes coefficients of and associated with pure term modulo q.

Proposition 4.4

Let the base polynomial be . Let . The shared coefficients of the polynomial , including the pure terms, considered separately from the shared coefficients of the polynomial , and vice versa, produce an underdetermined system of equations. Let the base polynomial be defined as . Considering the shared coefficients of the polynomial separately from the shared coefficients of the polynomial , and vice versa, produces a system of . Let . The number of variables is greater than the number of equations .

Corollary 4.5

Let the base polynomial be defined as , where for any desired . Let . The shared coefficients of the polynomial , including the pure terms, considered separately from the shared coefficients of the polynomial , and vice versa, produce an underdetermined system of equations. Let the base polynomial be , where for any desired k and . Considering all the public coefficients of or separately produces a system of . Let . Then such a system is underdetermined.

Proposition 4.6

If the publicly available coefficients of the polynomials and are considered together, they can produce an overdetermined or an underdetermined system of equations, depending on the parameters and for each . Let the base polynomial be as in Proposition 4.1. Considering the coefficients of and together, they will produce a system of . Then if and , the system of equations produced by the coefficients of together with is overdetermined. On the other hand, if and , such a system is underdetermined. Equivalently, if the base polynomial is defined as in Corollary 4.2, then the public polynomials considered together result in the system of . Such a system is overdetermined if and , and underdetermined when and .

We claim that one possible way for the attacker to solve the systems of equations produced by the coefficients of the shared polynomials and , regardless of whether the system is underdetermined or overdetermined, is to solve it modulo q first and then lift the solutions to the ring . For instance, assume that the attacker can solve the system of equations produced by the polynomial in the ring to find . This result considered modulo is not a single value, but rather an entire equivalence class, or equivalently a list of values of the form less than for positive integers i. Such a list consists of values, one of which is the correct solution modulo . One way to deterministically conclude whether a value is correct is to solve the same system of equations in the ring . Similarly, consider the equivalence class generated by the solution modulo to lift it to the ring . The correct value modulo is an element present in both equivalence classes or lists. On its own, the cost of this step depends on the size of the lists, or equivalently the number of elements of the equivalence classes less than . Note, however, that the attacker is unable to fully solve the system of equations modulo , since and are even numbers, and thus it is impossible to find an inverse of or in the ring .
So the attacker is reduced to only solving the system of equations in the field , and then trying to lift the solution to the ring in another way. The complexity of solving underdetermined systems of m equations in n unknowns over a field is [21]. The complexity of solving an overdetermined system of equations modulo q is , where n is the number of variables and k is the highest degree of the polynomials[61]. Note that the results found modulo q are not deterministic, since the lifting step adds uncertainty to the solution. One way to successfully lift the solutions modulo q to modulo is to recreate the terms of the form and , where and are coefficients of the polynomials and respectively, using the elements of the equivalence classes of the solutions found modulo q. The classical complexity of this lifting approach is , where v is the number of unknowns and c is an integer that depends on n, and . The quantum complexity is due to Grover's algorithm. Depending on whether the attacker includes the pure terms, v and c will vary. Thus, as with MPPK KEM[5], the malicious party chooses whether to take advantage of the shared coefficients and solve an overdetermined system of equations, or to consider an underdetermined system of equations and use its solution to solve another set of equations. Let be the shared coefficient of the polynomial associated with the term .
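The solve-modulo-q-then-lift argument above can be made concrete with toy parameters. The following Python is an added illustration, not code from the paper or from the MPPK/DS authors. It builds a generalized safe prime p = q·2^x + 1, shows that an even coefficient e has no inverse modulo φ(p) = p − 1 (a relation c = e·s mod φ(p) has gcd(e, φ(p)) solutions rather than one), solves the same relation uniquely modulo the odd prime q, and enumerates the 2^x-element equivalence class the attacker must search to lift that solution back to ℤ/φ(p)ℤ. It also goes one step beyond the text: when every coefficient is even, any number of such linear relations still leaves at least two candidates, s and s + φ(p)/2, because e·φ(p)/2 ≡ 0 mod φ(p) for even e. The secret s, the even coefficients 6, 10 and 12, and the toy sizes (16-bit q, x = 8) are constructed for the demonstration only; the scheme's real relations are polynomial rather than single linear equations, so this shows the modular-arithmetic mechanism the argument relies on and nothing more.

```python
"""Toy illustration of solving modulo q and lifting to Z/(p-1)Z when p = q*2**x + 1.

Added example; not code from the MPPK/DS paper.  All sizes, the secret and the
public coefficients below are constructed for demonstration only.
"""
from math import gcd
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def generalized_safe_prime_split(p: int):
    """Return (q, x) with p - 1 = q * 2**x and q an odd prime, else None."""
    if not is_probable_prime(p):
        return None
    q, x = p - 1, 0
    while q % 2 == 0:
        q //= 2
        x += 1
    return (q, x) if is_probable_prime(q) else None


def find_generalized_safe_prime(q_bits: int, x: int, seed: int = 1) -> tuple:
    """Search for an odd prime q of q_bits bits such that p = q*2**x + 1 is prime too."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        p = q * 2 ** x + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q


def solve_linear(e: int, c: int, modulus: int) -> list:
    """All t in [0, modulus) with e*t == c (mod modulus).

    There are gcd(e, modulus) solutions when that gcd divides c, none otherwise.
    For an even e and modulus p - 1 = q*2**x the gcd is at least 2: this is the
    'no inverse of an even coefficient' obstacle described in the text.
    """
    g = gcd(e % modulus, modulus)
    if c % g:
        return []
    m = modulus // g
    t0 = (c // g) * pow((e // g) % m, -1, m) % m
    return [t0 + k * m for k in range(g)]


def lift_candidates(t_q: int, q: int, x: int) -> list:
    """Equivalence class of a value known modulo q, viewed modulo q*2**x:
    the 2**x values t_q + i*q below p - 1 that the attacker has to search."""
    return [t_q + i * q for i in range(2 ** x)]


def recover_secret(relations: list, p: int, q: int, x: int) -> list:
    """Attacker's view: relations are (e_i, c_i) with c_i = e_i*s mod (p-1), e_i even.
    Solve the first relation modulo the odd prime q (unique there), lift through the
    2**x candidates, and keep those consistent with every relation modulo p - 1."""
    n = p - 1
    e0, c0 = relations[0]
    t_q = c0 % q * pow(e0 % q, -1, q) % q
    return [t for t in lift_candidates(t_q, q, x)
            if all(e * t % n == c % n for e, c in relations)]


def demo() -> dict:
    """Run the whole chain on toy parameters (q ~ 2**16, x = 8, p ~ 2**24)."""
    x = 8
    p, q = find_generalized_safe_prime(16, x)
    n = p - 1
    s = 0x1234567 % n                                    # constructed private value
    relations = [(e, e * s % n) for e in (6, 10, 12)]    # constructed even coefficients
    return {
        "p": p, "q": q, "x": x, "secret": s,
        "solutions_mod_n_one_relation": solve_linear(6, relations[0][1], n),
        "class_size": len(lift_candidates(s % q, q, x)),
        "survivors": recover_secret(relations, p, q, x),
        "shadow": (s + n // 2) % n,  # e*(n/2) == 0 mod n for every even e
    }


if __name__ == "__main__":
    print(demo())
```

The consistency check inside recover_secret stands in for the "recreate the shared coefficients" test described in the text: the list it walks has exactly 2^x entries, which is where the 2^x factor in the lifting complexities comes from, and the two survivors (s and s + φ(p)/2) show why relations with only even coefficients cannot by themselves pin down the value modulo φ(p).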

Claim 4.7

There exists a way to attack the publicly available coefficients of and modulo q, and then lift the solution to the ring . This attack has classical complexity of . Begin by working in the ring . First, use brute force search to find the noise coefficient . Then, divide the values of the shared coefficients by to obtain new values , for all . Suppose that . The system of equations generated by the new coefficients of the public polynomials can be viewed as . Then the coefficients of the base polynomial can be expressed as . The values are known for each . Suppose that the values for are found for each ; then it is possible to find the coefficients for all . Once the coefficients are found, they can be directly substituted into the system of equations generated by the publicly available terms of to solve for for all . Suppose that is known; then it is a simple calculation to find for all . Note that the attacker can divide the coefficients of by the coefficients of the base polynomial to derive . Then the attacker can construct the signature components A, B, C, and D once they lift the solutions to the ring . The malicious party can use the values A, B, C and D to derive E since . So, in order to find all the private information modulo q necessary to forge a signature, one needs to brute force search and for all . The complexity of this part of the approach is using a classical system and using a quantum system. Note, however, that to find the original value modulo , the attacker needs to lift the solutions modulo q to modulo . The attacker knows the actual shared values of the coefficients of and . Thus, the attacker can try to recreate these coefficients using elements of the equivalence classes, or lists, generated by the solutions modulo q to find a match between the actual value and the one recreated by the attacker.
The classical complexity of the lifting method is . Using Grover's algorithm, the quantum complexity of the lifting method is . Overall, the classical complexity of this attack is and the quantum complexity of this attack is . It is worth mentioning that in the case of digital signatures there exists a way to simplify some of the equations produced by the coefficients of and . Let be a coefficient of the polynomial associated with the term . Since the coefficients of the noise function are components of the terms for and ; , their values can be directly substituted in these expressions. Similar calculations can be done for the coefficients of and the terms for ; and . Such an advantage does not affect the solution modulo , since and are not co-prime to ; however, these substitutions do benefit the attacker working in the ring by providing a unique solution modulo q. Lifting the solutions up to the ring has complexity , where v is the number of unknowns and c is some constant that depends on and n.

Another attack on the public keys is described in Kuang et al.'s MPPK KEM paper[5]. It leverages the fact that the malicious party can produce as many noise functions and as they want, and solve the system produced by the noise variables to retrieve private information. However, similarly to MPPK KEM, if the malicious party generates a set of equations of the form aiming to find or the coefficients of the form , they are unable to succeed. In the MPPK/DS case the inability to carry out this attack comes from the incapacity to divide by , since is not co-prime to . The same holds true for equations of the form , with and not co-prime to . If the attacker considers these equations modulo q, they have the same issue as we described in Kuang et al.'s paper[5], namely the system will produce all-zero results.
One of the differences between the MPPK KEM and MPPK/DS algorithms is that the ratios of the form , , and for any cannot be derived modulo in the MPPK/DS algorithm, since , and are not co-prime with . This makes the MPPK/DS algorithm more secure in the sense that it is not possible to obtain explicit relationships between the components of the private key.

We now describe another attack on the public key carried out in the ring . Considering only the public key, one strategy for the attack in the ring is to brute force search for the terms , , and for all in the ring . The complexity of this search is using a classical device and using a quantum system. Given the values for , , and for all , the attacker can produce the signature components A, B, C, and D for any hashed message . The malicious party can use the values A, B, C and D to derive E since , and thus fully forge the signature. However, the next attack on the public key in the ring is far more efficient.

Claim 4.8

Finding the private key from the public key in the ring has an optimal complexity of classically, and using a quantum computer. For the sake of simplicity, let us suppose that . Begin by brute force searching for the values for all . The complexity of this step is classically and using a quantum computer. The coefficients of a public key polynomial for can be expressed as , where for all . Then the variables can be found using . Equivalent calculations can be done for the variables for all . The attacker can first verify whether the coefficients found using brute force search are correct. For that, the attacker can check if all s are zero for . If the condition is met, then verify if all s are zero for . Then we have a candidate list of , , and for . If the list only contains a single set of those coefficients, then the right coefficients have been found. Having this information, the attacker can create the signature components A and B. In order to create C and D, the attacker needs to find and for all i ∈ {0, ..., λ}. The most efficient way to do that would be to find them modulo q and then lift to the ring . The attacker knows and modulo q; these values can be used to find modulo q for all i ∈ {0, ..., λ}. Similar calculations are done for the values h0, ..., hλ in the field GF(q). The adversary then needs to lift these values to the ring ℤ/φ(p)ℤ. The classical complexity of this part is , because the adversary needs to test that the lifting is successful by confirming that for all i ∈ {0, ..., λ}. The same is true for the values h0, ..., hλ. Using Grover's algorithm implemented on a quantum device, the complexity becomes for all 2(λ+1) values. Now the attacker lacks only the signature component E, which can be obtained from A, B, C, D since . Hence, the overall complexity of this attack is using a classical system and using a quantum system.

Corollary 4.9

Given the public key, the most efficient attack for the private key has classical complexity of and quantum complexity of .

Security of the private key given the signature

As mentioned in "Key generation algorithm", neither the base g nor the exponents or are known to anyone but the signing party. The signer simply shares the signature A, B, C, D and E. We now examine whether there are relationships between the signature components that a malicious party can exploit.

Proposition 4.10

There is no explicit way to express A and B in terms of each other in the ring . Recall that and , where are calculated modulo . If we consider the definition of a logarithm ( is a constant t such that mod p), it is apparent that . However, the element does not exist modulo , since is not co-prime with . Thus, such a value t cannot be computed modulo . Similarly, , but does not exist in the ring . Hence, there is no explicit way to express A and B in terms of each other in the ring . These values exist, however, modulo q. The attacker might be able to calculate them to find a ratio of the form modulo q. It will not be possible, however, to correctly lift this value to the ring , since the solution modulo does not exist. However, if we consider the signature together with the public key, there is a way to find the private key and, as a result, forge the signature. We discuss this approach later, towards the end of the section. Moreover, if the adversary uses Shor's algorithm to solve for a discrete logarithm, they will run into a problem. Indeed, let be a generator of the multiplicative group ; then , where none of the terms or are known. Therefore, given the numerical value of , it is not possible to conclude anything about the private key. Similarly, , where and g are unknown. Thus, taking discrete logarithms of the values A and B does not yield any explicit information modulo . Considering these logarithms modulo q, is the same as , since .

Proposition 4.11

There is no explicit way for the elements C and D to be expressed in terms of A and B modulo . Consider . The expression does not exist mod . So it is not possible to express C in terms of A and B modulo . Similarly, D could be written as , but does not exist mod . Taking the discrete logarithm does not yield any meaningful information either, since , where are unknown, and does not exist modulo . For the same reasons does not offer any meaningful information. On the other hand, note that the expression , where multiplication by is purely symbolic, can exist modulo . Then one might suggest creating a system of such equations for different values of A, B, and C in order to find and . Note, however, that it is not possible to solve such a system, as it will not be possible to express one variable in terms of the other. Indeed, expressing or in terms of or requires dividing by and respectively. Expressing and in terms of the other values requires dividing by or ; however, both of these values are multiples of and respectively, and thus not co-prime to . So approaching the problem this way does not provide a solution to the attacker. A similar argument can be made for . Nevertheless, these expressions can be considered modulo q, but it is exponentially hard to lift the solution to . Note that systems of equations with polynomials such as considered modulo q will yield . Considering a system of equations that consists of polynomials of the form yields and modulo q. Let . One way to determine which elements of the equivalence classes of , and are the actual solutions in is to use brute force search to find the coefficients and , and then compare the expressions and for all in the equivalence classes to the actual values and in . The classical complexity in this case is . Otherwise, it is impossible to deterministically lift the solution to , since these equations cannot be considered modulo . This approach can yield A, B, C and D. The term E can be expressed using A, B, C, D as .
Lastly, we check whether the term E can be used to gain any private information. The term E can be written as . Taking the logarithm with respect to some generator yields . It is natural to consider a system of such equations for every new and E; however, the unknowns and change with every new choice of , so the system, regardless of the number of polynomials, is always underdetermined. Modulo q, the system is also underdetermined and does not produce unique solutions. Another possible attack to deduce the private key from a signature utilizes the public key. We describe it in the following proposition.

Proposition 4.12

For any hashed document or message value , cracking MPPK/DS using a signature obtained from communication records together with the public key has classical time complexity of and quantum complexity of . Start by computing and modulo q for different values of A and B associated with different to obtain a system of equations of the form , where and for all . This step can be done in polynomial time using Shor's algorithm implemented on a quantum computer. Classically, however, one needs to use the Baby-Step Giant-Step algorithm, with classical computational complexity of for each value θ. Thus, the total complexity of creating the said system of equations is . Then use brute force search to find the value , since the system is homogeneous. The classical complexity of the brute force search is and the quantum complexity is due to Grover's algorithm. The value can be used to find for all and for all . Once these values are found, they can be used to create a matrix modulo q with respect to the coefficients of the public polynomials and , as shown in "Security of the private key given the public key". This matrix is used to find the coefficients of the base polynomial. Note that the coefficients of the noise functions and the base polynomial can be used to find and , and therefore and for . Everything computed using this approach up to this point is computed modulo q. Now, we lift the values for to the ring , and use these values as well as the coefficients of the public polynomial to check if the lift is successful. It is successful if the inverse of the matrix constructed using the coefficients of the base polynomial, multiplied by the vector of the coefficients of the public polynomial, yields a vector whose last few entries are equal to 0. We discussed this construction in more detail in "Security of the private key given the public key". The classical complexity of this lifting part is , and the quantum complexity is due to Grover's algorithm.
The lifted values of the base polynomial coefficients are then used to find and in the ring for all . In order to find and in the ring , one can simply divide the coefficients of by and those of by . The only thing left to do in order to be able to create A, B, C and D for any is to lift and to the ring for all . That can be done by comparing the values and computed using the matrix of base polynomial coefficients with the values , which are known and lifted from . The classical complexity of lifting the values and is , and the quantum complexity is due to Grover's algorithm. The overall classical complexity is then . The quantum complexity is . Using this attack, the malicious party can compute A, B, C and D for any hashed document or message value . The value E can then be expressed as .

Proposition 4.13

For any hashed document or message value , cracking MPPK/DS using only signatures obtained from communication records has classical time complexity of and quantum complexity of . This attack utilizes the signature components A, B, C and D without the public key. Note that for any generator , the logarithm . This equation has unknowns , for . Let an adversary consider the following system of equations, where the values A are obtained from communication records between the signer and the verifier for all values : . The classical computational complexity of computing discrete logarithms is for any , using the Baby-Step Giant-Step algorithm. On the other hand, using a quantum computer one can compute discrete logarithms in polynomial time. The malicious party can brute force search for the values for all . The complexity of this search is . Once these values are found, the adversary can deterministically solve the system of equations modulo q in Eq. (18) to retrieve the private information for . The same values , for all , can be used to deterministically find the private information , for , from a system of equations similar to the one in Eq. (18) with the signature component B computed modulo q. The classical complexity of this part comes from solving discrete logarithms of the form for all . The complexity is equal to . Using the private values found this way, the adversary can construct A and B for any message. For the values C and D the adversary can consider the following system of equations modulo q: , where for as described in "Signing algorithm". The values , for all , are known, so the complexity comes from solving discrete logarithms for . A similar system of equations can be created for the signature component D. All the obtained private values need to be lifted to the ring ℤ/φ(p)ℤ. The classical complexity of the lifting step is O(2^{x(2λ+4)}). The component E can be calculated using . Overall, the total classical complexity of the attack is . The quantum complexity is , using Grover's algorithm for the brute force search.
We conclude that the smallest computational complexity of finding the private key from a signature, depending on the parameter choices, is using a classical computer and using a quantum device.

Spoofing attacks

Recall that the base , as well as the polynomials , the constants , and the polynomials , are unknown. The attacker might try to look for any existing relationship between the values A, B, C, D and E. Then, if any other values and satisfy the same relationship, they might be used as a signature and pass verification. We showed in the "Security of the private key given the signature" section that none of the values A, B, C, D and E can be expressed in terms of one another. Another way for the malicious party to carry out a spoofing attack is to break the value into and obtain every element of the form for . Similarly, obtain the terms from , the terms from , and the terms from for all . The attacker also needs to obtain the terms from E. This way, the attacker could change the original document into a different document with a correct signature, in other words, achieve universal forgery. In this case, the verifier would not be able to detect any malicious activity, as the document and the signature would pass verification without raising any issues. We show that such an attack is not applicable because it does not yield deterministic results if the terms described above are found using brute force.

Proposition 4.14

Generating all components of the form , , and associated with A, B, C, D and E respectively, for each , has time complexity of . Once the correct tuples are found, they can be used to repeatedly forge a signature for any hashed message . For the proof we consider a simplified example with quadratic polynomials and . The proof for the general case is identical. We have the following equations: . Using brute force, the attacker needs to go over every term and , and consider an equality of the form , which yields . Thus, to generate the tuples the malicious party needs to sample elements. Since the ratios of the form do not exist for any , the attacker has to find the tuples using the same strategy. However, the terms and are simply elements of the field . The attacker has already calculated for all possible elements . All such terms can be reused to find all possible from the equality . Thus, to construct the tuples the attacker does not need to sample any more terms, but the calculations require going through terms. Similarly, the existing sampled terms for all possible elements can be reused for C. Indeed, the equations are . Checking the value for C requires going through items. In our example, with quadratic functions , the equation for D has the following form: . The attacker needs to go through values to check for D. Lastly, the malicious party has to consider the following equation with : . The attacker will need to go through elements. One of the terms can be derived as a ratio between E and the remaining terms of the form . The complexity of generating all the tuples is, therefore, for this example. However, there is no efficient way to determine which five tuples, one for each of A, B, C, D and E, are the correct ones used by the signing party.
For that, one might try to create A, B, C, D and E for different and verify that for different and . In the case that the attacker finds the correct tuples associated with A, B, C, D, and E, since the tuples are independent of , the attacker can use them to forge a signature for any . There are other ways to carry out a spoofing attack. However, we claim that the following approach is the most efficient.

Proposition 4.15

Searching for values A, B, C, D, E such that holds for any and has time complexity using a classical computer, and using a quantum computer, where m is the number of noise variables. For each given , begin by fixing a choice of values for the variables . Use this choice of noise values to calculate the values of the polynomials and . Recall that for any , is computed using the publicly available coefficients provided by the signer. Thus, given and , the attacker should look for values A, B, C, D and compute . To check if the choice of A, B, C, and D is correct, the attacker can use these values and new values to check if remains true. If not, discard the values A, B, C, D and look for new ones. There are in total tuples of the form (A, B, C, D). Thus, in the worst case the attacker will have to go through all such tuples for two fixed and until an equality of the form is achieved for at least two distinct choices of values . Once the attacker finds values A, B, C, D, E such that the equality holds for two values of the public polynomials , they will have to check whether the equality holds for all the other choices of . If so, then the values A, B, C, D, E can be used by the attacker as the signature, resulting in universal forgery. The overall complexity of this attack is using a classical computer.

Corollary 4.16

The most efficient spoofing attack has classical complexity and quantum complexity , where m is the number of noise variables.

Security conclusion

The best classical complexities of universal forgery of the signature are as follows.

[Attack 1] The attacker can use the public key to crack the private key and create a signature for any message or document. The classical complexity of this attack is .

[Attack 2] Another attack on the public key that we have discovered has classical complexity of .

[Attack 3] A different attack the malicious party can undertake is to gain enough information from a genuine signature, obtained by intercepting communication between the signer and the verifier, together with the public key, and use that information to recreate a full signature for any message or document . The classical complexity of this attack is .

[Attack 4] A similar attack that only uses a genuine signature has classical complexity of .

[Attack 5] Lastly, the attacker can directly spoof the signature. The complexity of direct spoofing is .

Of these five attacks, the attack that uses genuine signatures is the most favorable to the attacker, with classical complexity . For the complexities of cracking MPPK/DS using a quantum computer: the adversary can use the public-key-only attack, which has quantum complexity of ; another attack that uses public keys has quantum complexity of ; the adversary can also use honest signatures obtained from communication records, where the attack that uses honest signatures in conjunction with public keys has quantum complexity of , and the attack that uses signatures only has quantum complexity of ; lastly, the attacker can directly spoof the signature, with quantum complexity of .

Brief benchmarking results and optimal parameters of MPPK/DS

We now introduce optimal parameters and report benchmarking results for MPPK/DS. For benchmarking, we used the NIST-recognized SUPERCOP benchmarking tool. SUPERCOP was run on a 16-core Intel® Core™ i7-10700 CPU at 2.90 GHz system.

Configuration

We begin by requiring that the prime p is a generalized safe prime (or a special Cullen prime) such that , where q is a prime number. We will further discuss x and q with respect to the desired security level. We require that the noise coefficients and are even non-zero numbers in the ring . We require that A, B, C, D, and E are all integers in the field not equal to 0 or 1. We require that neither nor is equal to zero modulo . Note that the smallest classical complexity is , which depends mainly on x. Thus, when making decisions about x and q, it is important to make x and q sufficiently large to guarantee the security of the DS scheme. We also suggest setting and for optimal performance of key generation, signing, and verification to achieve the three NIST security levels. We provide optimal parameters for each security level, considering the classical complexity of each attack we have discovered, in Table 2. That is, the parameters given in Table 2 are sufficient to meet the corresponding NIST security level and avert the corresponding attack.
Table 2

Proposed MPPK/DS configurations to meet the corresponding NIST security level and avert the corresponding attack, with values given as parameter tuples.

Attack | Complexity | Level I | Level III | Level V
1 | $\mathscr{C}_1 = \mathscr{O}(\varphi(p)^{n+1} + 2 \times 2^{x(\lambda+1)})$ | (32, 32, 64, 2, 2, 1) | (32, 32, 64, 3, 2, 1) | (32, 32, 64, 4, 2, 1)
2 | $\mathscr{C}_2 = \mathscr{O}(q^{\lambda+2} [2 \lceil \frac{n+1}{\lambda+2} \rceil 2^{x(\lambda+2)}])$ | (32, 32, 64, 2, 1, 1) | (32, 32, 64, 2, 2, 1) | (32, 32, 64, 2, 3, 1)
3 | $\mathscr{C}_3 = \mathscr{O}([2(2\lambda+1) \log p] \, q^{3/2} \, 2^{x(n+1)+x/2} + 2(\lambda+1) \times 2^x)$ | (32, 32, 64, 2, 2, 1) | (32, 32, 64, 4, 2, 1) | (32, 32, 64, 6, 2, 1)
4 | $\mathscr{C}_4 = \mathscr{O}(4(\lambda+1) p^{\lambda+1} [\sqrt{p} \log p] \, 2^{x(2\lambda+4)})$ | (32, 32, 64, 2, 2, 1) | (32, 32, 64, 2, 2, 1) | (32, 32, 64, 2, 3, 1)
5 | $\mathscr{C}_5 = \mathscr{O}(p^{4+m})$ | (32, 32, 64, 2, 2, 1) | (32, 32, 64, 2, 2, 1) | (32, 32, 64, 2, 2, 1)
1–5 | $\mathscr{C}_1, \mathscr{C}_2, \mathscr{C}_3, \mathscr{C}_4, \mathscr{C}_5$ (a) | (32, 32, 64, 2, 2, 3) | (32, 32, 64, 4, 2, 3) | (32, 32, 64, 6, 3, 2)

(a) All the classical complexity estimations considered together.

Benchmarking results

Assuming the parameters shown in Table 2 for each corresponding security level, with the complexity of all attacks considered together (that is, the last row of Table 2), we report benchmarking results for MPPK/DS. We used the NIST-accepted SUPERCOP benchmarking tool. SUPERCOP measurement data for all the NIST third-round finalists has been contributed to SUPERCOP. Thus, we take advantage of the common performance measurement platform and report the benchmarking results of MPPK/DS alongside the NIST third-round DS finalists, namely the Crystals-Dilithium, Falcon, and Rainbow algorithms. The system used for all primitives is a 16-core Intel® Core™ i7-10700 CPU at 2.90 GHz. For this paper, we use a snapshot of detailed data reported separately[62]. The performance measurements presented in this section are median values. The average values, quartile values, standard deviation, and error rates are available separately[62]. We first present the reader with Table 3, illustrating the public key sizes and signature sizes of the MPPK/DS scheme and the NIST third-round finalists in bytes, for NIST security levels I, III, and V. The public key sizes of the MPPK/DS algorithm are calculated using the formula over GF(p), since the public key consists of the coefficients of the polynomials and , each having coefficients for each choice of noise variables, and the coefficients of the noise functions, with one coefficient each for every choice of noise variables. With the finite field being 64 bits for all three security levels, this results in public key sizes of 192, 288, and 288 bytes for levels I, III and V respectively. Compared with the NIST third-round finalists, MPPK/DS offers rather small public key sizes.
Table 3

Public key and signature sizes of the MPPK/DS scheme as well as the NIST PQC Round 3 finalists, with values given in bytes corresponding to the various NIST security levels.

Scheme          | Public key size (B)                | Signature size (B)
                | I         | III       | V          | I     | III   | V
MPPK/DS         | 192       | 288       | 288        | 80    | 120   | 160
Rainbow (a)     | 161,600   | 882,080   | 1,930,600  | 66    | 164   | 212
Dilithium (b)   | -         | 1,952     | 2,592      | -     | 3,293 | 4,595
Falcon (c)      | 897       | -         | 1,793      | 690   | -     | 1,330

(a) The rainbow1aclassic363232 primitive was measured for Level I, rainbow3cclassic683248 for Level III, and rainbow5cclassic963664 for Level V.

(b) Dilithium does not provide a primitive for NIST Level I; dilithium3 was used for Level III, and dilithium5 for Level V.

(c) For Falcon, falcon512dyn was measured for Level I, no primitive was measured for Level III, and falcon1024dyn was measured for Level V.

Recall that there are five components in the signature, namely (A, B, C, D, E). Each such signature element should be of sufficient size to prevent brute-force attacks leading to spoofing. For level I, therefore, each component of the signature is 128 bits. The entire signature is bits, which is 80 bytes. Similarly, the signature size for level III is 120 bytes, and 160 bytes for level V. Based on the values in Table 3, the signature sizes of MPPK/DS are comparable to, and in some cases noticeably smaller than, the corresponding signature sizes of the three NIST finalists. A key generation performance comparison between the MPPK/DS scheme and the NIST finalists is given in Table 4. From the data shown in the table, MPPK/DS offers efficient key generation, outperforming the NIST Round 3 finalists. A similar picture is observed for the signing procedure. Note that the values given in both tables are median values of the SUPERCOP measurements.
Table 4

Median values in clock cycles of the performance measurements of the MPPK/DS scheme as well as the NIST PQC Round 3 finalists for the various NIST security levels.

Security level                    | Level I      | Level III    | Level V
Key generation
MPPK/DS                           | 22,437       | 36,700       | 47,668
Rainbow (a)                       | 20,788,655   | 123,007,216  | 263,207,040
Dilithium (b)                     | -            | 322,993      | 454,373
Falcon (c)                        | 32,557,525   | -            | 91,533,955
Signing procedure
MPPK/DS                           | 42,286       | 57,223       | 63,534
Rainbow (a)                       | 180,675      | 898,223      | 1,491,838
Dilithium (b)                     | -            | 1,163,882    | 1,041,113
Falcon (c)                        | 10,268,556   | -            | 22,499,756
Signature verification procedure
MPPK/DS                           | 48,965       | 75,980       | 87,567
Rainbow (a)                       | 21,258       | 177,094      | 332,196
Dilithium (b)                     | -            | 313,009      | 482,670
Falcon (c)                        | 68,858       | -            | 138,492

(a) The rainbow1aclassic363232 primitive was measured for Level I, rainbow3cclassic683248 for Level III, and rainbow5cclassic963664 for Level V.

(b) Dilithium does not provide a primitive for NIST Level I; dilithium3 was used for Level III, and dilithium5 for Level V.

(c) For Falcon, falcon512dyn was measured for Level I, no primitive was measured for Level III, and falcon1024dyn was measured for Level V.

Table 4 also depicts the median values of the MPPK/DS and NIST Round 3 finalists' signature verification performance in clock cycles. The data in the table demonstrate that the signature verification performance of the MPPK/DS primitive is comparable to the Rainbow signature scheme and faster than the Crystals-Dilithium and Falcon algorithms. The reader will notice that the overall performance of the MPPK/DS scheme is closer to that of the Rainbow scheme than to the other NIST Round 3 finalists. To explore this a little further, we include Tables 5 and 6 to compare the public key and signature sizes, as well as the performance, of the MPPK/DS algorithm and the NIST Round 3 multivariate finalist and alternative algorithms, Rainbow and GeMSS[17,31].
Table 5

Public key and signature sizes of the MPPK/DS scheme as well as the NIST PQC Round 3 multivariate DS schemes, with values given in bytes.

Scheme          | Public key size (B)                  | Signature size (B)
                | I         | III         | V          | I      | III     | V
MPPK/DS         | 192       | 288         | 288        | 80     | 120     | 160
Rainbow (a)     | 161,600   | 882,080     | 1,930,600  | 66     | 164     | 212
GeMSS (b)       | 352,188   | 1,237,964   | 3,040,700  | 32.25  | 51.375  | 72

(a) The rainbow1aclassic363232 primitive was measured for Level I, rainbow3cclassic683248 for Level III, and rainbow5cclassic963664 for Level V.

(b) The GeMSS128 primitive corresponds to the values for level I, GeMSS192 to the values for level III, and GeMSS256 to the values for level V.

Table 6

Performance of the MPPK/DS scheme as well as the NIST PQC Round 3 multivariate DS schemes, with values given in clock cycles.

Primitive                         | Level I       | Level III       | Level V
Key generation
MPPK/DS                           | 22,437        | 36,700          | 47,668
Rainbow (a)                       | 20,788,655    | 123,007,216     | 263,207,040
GeMSS (b)                         | 36,800,000    | 167,000,000     | 508,000,000
Signing procedure
MPPK/DS                           | 42,286        | 57,223          | 63,534
Rainbow (a)                       | 180,675       | 898,223         | 1,491,838
GeMSS (b)                         | 529,000,000   | 1,720,000,000   | 2,830,000,000
Signature verification procedure
MPPK/DS                           | 48,965        | 75,980          | 87,567
Rainbow (a)                       | 21,258        | 177,094         | 332,196
GeMSS (b)                         | 84,600        | 233,000         | 550,000

(a) The rainbow1aclassic363232 primitive was measured for Level I, rainbow3cclassic683248 for Level III, and rainbow5cclassic963664 for Level V.

(b) The GeMSS128 primitive corresponds to the values for level I, GeMSS192 to the values for level III, and GeMSS256 to the values for level V.

Table 5 shows that the public key sizes of MPPK/DS are noticeably smaller than the public key sizes of the other multivariate primitives considered. However, the signature sizes of MPPK/DS are greater than those of the GeMSS algorithm and comparable to the Rainbow algorithm. Table 6 provides a comparison of the performance measurements of MPPK/DS with the Rainbow and GeMSS signature schemes. All values are given in clock cycles. Note, however, that the values for MPPK/DS and Rainbow are taken from our own benchmarking work using SUPERCOP, and only the median values are provided in the table. The system used to measure the performance of MPPK/DS and Rainbow is a 16-core Intel® Core™ i7-10700 CPU at 2.90 GHz. The values for GeMSS, on the other hand, were taken from its official online page; that performance was measured using MQsoft on a Skylake Intel® Core™ i7-6600U CPU at 2.60 GHz, so the GeMSS figures were obtained on different hardware from the MPPK/DS and Rainbow figures. Table 6 shows that MPPK/DS achieves more efficient key generation and signature creation compared to the Rainbow and GeMSS signature schemes.
However, the signature verification performance of MPPK/DS is not as efficient as that of the Rainbow algorithm for level I security. For level III, MPPK/DS performance is comparable with Rainbow and GeMSS. For level V, a noticeable difference is observed, with MPPK/DS outperforming both the Rainbow and GeMSS signature schemes. Overall, MPPK/DS achieves rather small public key and signature sizes and offers efficient key generation, signature creation, and signature verification procedures compared to other PQC signature schemes.

Conclusion

We presented a new quantum-safe digital signature algorithm called MPPK/DS. It is based on Kuang et al.'s MPPK KEM algorithm. MPPK/DS is multivariate and quantum-safe, and falls into the category of probabilistic DS algorithms. Indeed, verifying the same signature multiple times with different noise variable values satisfies the same verification relationship. The core of the signing-verifying relationship is the modular arithmetic property that, given x co-prime to n and two integers a and b such that where is Euler's totient function evaluated at n. Using a generalized safe prime , discussed in "MPPK digital signature and verification", we performed a security analysis of the MPPK/DS algorithm and concluded that the complexity of the best possible attack on MPPK/DS is using classical computing, and and for quantum computing. We also report briefly on the performance of MPPK/DS measured using the NIST-recognized benchmarking toolkit SUPERCOP. The overall performance for key generation, signing, and verifying is very efficient, outperforming the NIST third-round finalists. We provide a detailed performance analysis of the MPPK/DS algorithm in a companion paper[62]. An MPPK/DS implementation is available online[63].
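As an added worked example (this is not code from the paper, its authors, or the implementation cited in [63]), the following Python block checks, on constructed toy values, the two ingredients the conclusion and abstract rest on: that a prime p can be written as p = q · 2^x + 1 with q an odd prime (the "generalized safe prime" shape), and that for any g ≥ 2 and multivariate polynomials P and Q with P ≡ Q (mod p − 1), g^P ≡ g^Q (mod p). The toy prime 97, the base g = 5, the dictionary representation of polynomials, and all function names are assumptions of this example; the paper's benchmarks use a 64-bit field and keep g secret, neither of which this illustration models.

```python
"""Added example (not from the paper or its authors): a small worked check of
the modular-arithmetic property at the core of MPPK/DS, plus a helper that
tests whether a prime has the generalized safe prime shape p = q * 2**x + 1.
All parameters below are constructed toy values, far smaller than the 64-bit
field used in the paper's benchmarks."""
from typing import Dict, Optional, Tuple

# A multivariate polynomial over the integers: exponent tuple -> coefficient.
# Example: {(2, 0): 3, (0, 1): 5} is 3*x**2 + 5*y.  (Constructed representation.)
Poly = Dict[Tuple[int, ...], int]


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def generalized_safe_prime_split(p: int) -> Optional[Tuple[int, int]]:
    """Return (q, x) with p = q * 2**x + 1, q an odd prime and x >= 1.

    Returns None when p is not prime or p - 1 lacks that shape
    (e.g. 17 = 2**4 + 1 gives q = 1, which is not an odd prime)."""
    if not is_prime(p) or p < 3:
        return None
    q, x = p - 1, 0
    while q % 2 == 0:          # strip every factor of two from p - 1
        q //= 2
        x += 1
    if x >= 1 and q > 2 and is_prime(q):
        return q, x
    return None


def poly_eval_int(poly: Poly, point: Tuple[int, ...]) -> int:
    """Evaluate over the integers (no reduction), so exponents stay exact."""
    total = 0
    for exps, coeff in poly.items():
        term = coeff
        for value, e in zip(point, exps):
            term *= value ** e
        total += term
    return total


def shift_coefficients_by(poly: Poly, modulus: int, multiplier: int) -> Poly:
    """Return Q with every coefficient of P increased by multiplier * modulus.

    Q is congruent to P coefficient-wise mod modulus, so Q(pt) ≡ P(pt)
    (mod modulus) at every point, while Q(pt) != P(pt) as integers."""
    return {exps: coeff + multiplier * modulus for exps, coeff in poly.items()}


def exponent_identity_holds(g: int, P: Poly, Q: Poly,
                            point: Tuple[int, ...], p: int) -> bool:
    """Core property: if P(pt) ≡ Q(pt) (mod p-1) then g**P(pt) ≡ g**Q(pt) (mod p).

    Exponents are computed over the integers, so P(pt) and Q(pt) genuinely
    differ as numbers; only their residues mod p-1 agree.  Returns False
    when the premise (congruence mod p-1) does not hold."""
    a, b = poly_eval_int(P, point), poly_eval_int(Q, point)
    if (a - b) % (p - 1) != 0:
        return False
    return pow(g, a, p) == pow(g, b, p)


def demo() -> Tuple[bool, bool]:
    """Run the identity on a toy generalized safe prime for a grid of points,
    and on a deliberately broken pair to show the congruence premise matters."""
    p = 97                                # 97 = 3 * 2**5 + 1, so q = 3, x = 5
    if generalized_safe_prime_split(p) != (3, 5):
        raise ValueError("toy prime does not have the expected shape")
    g = 5                                 # any 2 <= g < p works for prime p
    P: Poly = {(1, 0): 7, (0, 1): 11, (1, 1): 2}        # 7x + 11y + 2xy
    Q = shift_coefficients_by(P, p - 1, 3)              # each coefficient + 3*96
    good = all(exponent_identity_holds(g, P, Q, (x, y), p)
               for x in range(1, 6) for y in range(1, 6))
    # Break the congruence: shift one coefficient by 1 instead of a multiple of p-1.
    Q_bad = dict(Q)
    Q_bad[(1, 0)] += 1
    bad = exponent_identity_holds(g, P, Q_bad, (2, 3), p)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The block only exercises the arithmetic identity; it does not implement MPPK/DS key generation, signing, or verification, which this page describes only in outline. The `demo` grid shows the identity holding at every evaluation point once the coefficients agree modulo p − 1, and the `Q_bad` case shows that a shift of 1 in a single coefficient already breaks the congruence and hence the check.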