An improved signature model of multivariate polynomial public key cryptosystem against key recovery attack

1.   Introduction

Post-quantum cryptosystem has grown about 30 years. Especially in the past 10 years, the field of signature developed in leaps and bounds and emerged many research. Hash-based signature schemes are still the most promising cryptosystem candidates in a post-quantum world, such as eXtended Merkle Signature Scheme (XMSS) ^[1] and G-Merkle ^[2] XMSS, which only rely on the properties of cryptographic hash functions instead of the conjectured hardness of mathematical problems. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. Hash-based signatures can so far withstand known attacks using quantum computers. And another kind new research is Hysteresis Digital Signature for keyed hash chain with one-time signatures. The hysteresis signature calculates the hash value for the data generated only at that point and the short data, such as the hash value of the data at the previous point. Hysteresis signatures ^[3,4] have a linking structure is constructed between the signatures. It is applicable to verify the non-alteration of total data for maintaining the long-term reliability and relevance of digital signatures. For example, the file server manager and the auditor can verify the hysteresis signature chain sequentially from the most recent one to the oldest one. In other words, the integrity of each file can be verified with the hysteresis signature scheme, which makes it impossible to implement rollback and reordering attacks. So the mechanism is different in our scheme of multivariate public key cryptosystem. In hysteresis signatures, it is difficult to make falsification of a file, because it would mandate the reconstruction of the linked structure of all newer signatures in order to remain undetected. However, in multivariate public key cryptosystem, the equivalent keys always exist. So a falsification signature generated by equivalent key can always be generated and it can certainly pass the verification. So our purpose is to reduce the potential threats caused by rank attack of equivalent key of multivariate public key cryptosystem itself.

The multivariable public key cryptosystem, which differs from two traditional public key cryptosystems RSA or ECC, is another kind of post-quantum cryptosystem ^[5,6] and has aroused much attention in recent years. It is designed with a set of nonlinear multivariable equations on finite field. Its security is based on the fact that solving a set of multivariable quadratic polynomial equations is a NP-C problem, which is called MQ-problem (multivariate quadratic problem) ^[7]. On January 30, 2019, NIST (National Institute of Standards and Technology) launched a global solicitation campaign of post-quantum public key cryptography standard draft. After one year of proposal collection and first round review, 26 algorithms were selected from the initial 69 and entered the semi-finals of post-quantum cryptography. In this candidate algorithm, there are 9 signatures algorithms.and Among these signatures algorithms, 4 signatures LUOV, Rainbow ^[8,9], MQDSS ^[10] and GeMSS are based on multivariate polynomials, This multivariate public key cryptography shows great potential. Especially, the MQDSS signature scheme is designed from a new construction idea based on the multivariate identity authentication protocol ^[10]. Along the way, different multivariate signature schemes with special signature characteristics have emerged in recent years, such as blind signatures ^[11]. These schemes are different from the previously designed multivariate digital signature schemes, which are all based on the underlying security authentication protocol, and the security can be directly reduced to the MQ problem.

The key recovery attack for multivariate polynomial public key cryptosystem ^[12], since there are superfluous equivalent keys in its key space ^[13,14], is an effective method to analyze multivariate cryptosystems. However, the original signature model of multivariable system did not take the potential threat such as the key recovery attack into account. Then most of the existing encryption or signature schemes are vulnerable to key recovery attack ^{[15,16,17,18,19]}. In those schemes, only the message and the signature themselves are taken into account when designing a signature scheme in the original model. Those schemes do not involve the internal information in verifying process as the cause that they are crashed easily. In fact, people cannot verify that how the signature comes from through the original signature model. The forged signature is likely to produce by some equivalent key ^[20]. Because the signature is generated whether by the exact private key or the equivalent private key are corresponding to the same public key. As indicated in ^[21], the author describe a key recovery attack for ZHFE (A scheme utilizes as core map two HFE polynomials and the basic idea for the construction comes from the Zhuang-Zi algorithm ^[22]) using the MinRank approach shows that such linear combinations can be efficiently extracted from the public key and then linear combinations can be efficiently extracted from the public key. Although in some research ^[23], the authors claim that their scheme is secure against direct and Rank attacks of the Kipnis-Shamir/Bettale type, however there still have some reservations. The situation is only temporary, because the existence of equivalent keys in multivariate public key cryptosystem induces a structural weakness ^[24]. This point of view is also reflected in ^[25]. So we have reason to think the weakness the inherent characteristic of classic multivariate public key cryptosystem signature model.

The idea of key recovery attack is to find another private key and not knowing the exact valid private key of one same public key. This is the fact that multivariate public key cryptosystem has a large number of equivalent redundant keys ^[13,14]. Therefore, the attacker can use the equivalent private key of the public key to forge a signature without knowing the real private key, and this signature followed from the equivalent private key can also be verified by the public key. Therefore, the forged signature be produced successfully. In this paper, by adding two pairs of public keys and corresponding verification of the crucial internal node information, we propose an improved multivariate signature model resisting the key recovery attack. In this paper we aim to resist the key recovery attack by adding auxiliary information in the verification when the signature is generated. To eliminate all possibility that the signature generated by the equivalent key, which also passes the verification, the additional public key is used to verify its internal node information. So that, the signature can only be generated by the user who has the real legal key and the threat of the key recovery attack can be resisted. The model is generic construction and applicable for existing multivariate scheme's construction, In this paper, we take the classic HFE (Hidden Fields Equations) scheme HFE ^[26] as an example to illustrate that the advantages of the improved model is more secure than the original model at the expense of taking a little more time. Moreover, the design of the improved signature model is universal and it can be widely applied in existing multivariate schemes.

The security targets and adversary model of key recovery attack is different from the chosen-message attacks (EUF-CMA) of a signature scheme. EUF-CMA is to prove existentially unforgeable under chosen message attack for a concrete scheme. The key recovery attack here is only to the universal model of the multivariate polynomial public key system and it is a more fundamental issue than the EUF-CMA security of a concrete scheme. The adversary model is he has only the ability of obtaining the equivalent key from the public key and the security aim is to build a universal construction of multivariate signature model which resists the key recovery attack. Because, Wolf ^[13,14] observed a fact that multiple private keys correspond to one public key is an essential characteristic of multivariate public key system, and up to now, most existing multivariable signature schemes generated by the universal model are often vulnerable to key recovery attack. So we propose an improved multivariate signature model resisting the key recovery attack by adding two pairs of public keys and corresponding verification of the crucial internal node information. Thus this paper mainly analyzes the security and performance of the multivariable universal signature structure in the key recovery attack.

As for the public key certificate, we give a briefly introduction. Google with block chain is to document valid certificates is a new study and it has good research prospects. While based on the published research, Public Key Infrastructure (PKI) is used to solve the man-in-the-middle attack with certificates that authenticate the transmitted public key in multivariate polynomials public key cryptosystem is the same as that in classic public key cryptosystem. The certificate itself is a linked list of public keys and signatures, where each signature authenticates the next public key under the previous one. The first public key in this link is the root public key of a Certificate Authority, which in the case of web traffic is built into the user's browser ^[27]. And the transmission of the certificate constitutes a significant bandwidth cost in any key establishment protocol and should consequently be minimized. In ^[28], the author explains how to transform any MQ signature scheme into one with a much smaller public key at the cost of a larger signature.

The paper is organized as follows. The preliminaries are briefly described in Section 1. The original signature model of multivariate polynomial cryptosystem was showed in Section 2. Section 3 introduced the improved signature model of multivariate cryptosystem. The comparison of our proposed scheme with the original model is discussed in Section 4. Finally, we conclude this paper in Section 5.

2.   The original signature model of multivariable public key cryptosystem

F is a finite field. $\left({\mathit{\boldsymbol{\mathcal{J}}}, \mathit{\boldsymbol{\mathcal{Q}}}, \mathit{\boldsymbol{\mathcal{S}}}} \right)$ is the trapdoor information. $\mathit{\boldsymbol{\mathcal{S}}}$ and $\mathit{\boldsymbol{\mathcal{J}}}$ are randomly selected reversible affine transformations in ${F}^{n}$ and ${F}^{m}$, where $\mathit{\boldsymbol{\mathcal{S}}}\mathit{\boldsymbol{:u}} \to \mathit{\boldsymbol{x}} = {\mathit{\boldsymbol{M}}_S}\mathit{\boldsymbol{u}} + {\mathit{\boldsymbol{c}}_S} \in {\rm{Af}}{{\rm{f}}^{ - 1}}\left({{{\rm{F}}^n}} \right)$, and $\mathit{\boldsymbol{\mathcal{J}}}\mathit{\boldsymbol{:y}} \to \mathit{\boldsymbol{v}} = {\mathit{\boldsymbol{M}}_\mathit{\boldsymbol{\mathcal{J}}}}\mathit{\boldsymbol{y}} + {\mathit{\boldsymbol{c}}_\mathit{\boldsymbol{\mathcal{J}}}} \in {\rm{Af}}{{\rm{f}}^{ - 1}}\left({{{\rm{F}}^m}} \right)$. $\mathit{\boldsymbol{\mathcal{Q}}}$ is a central mapping. It is usually made up of $m$ quadratic polynomial equations of $n$ variables: $\mathit{\boldsymbol{\mathcal{Q}}}\left({{x_1}, \cdots, {x_n}} \right) \mapsto \left({{q_1}\left({{x_1}, \cdots, {x_n}} \right), \cdots, {q_m}\left({{x_1}, \cdots, {x_n}} \right)} \right)$.

The structure is usually open or partially confidential. $\mathit{\boldsymbol{\mathcal{S}}}$ and $\mathit{\boldsymbol{\mathcal{J}}}$ "hide" the center mapping equation $\mathit{\boldsymbol{\mathcal{Q}}}$. Triple $\left({\mathit{\boldsymbol{\mathcal{J}}}, \mathit{\boldsymbol{\mathcal{Q}}}, \mathit{\boldsymbol{\mathcal{S}}}} \right)$ is usually as a private key and the corresponding public key is $\mathit{\boldsymbol{\mathcal{P}}}\left({{x_1}, \cdots, {x_n}} \right) = \mathit{\boldsymbol{\mathcal{J}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ \mathit{\boldsymbol{\mathcal{S}}}\left({{x_1}, \cdots, {x_n}} \right) = \left({{p_1}\left({{x_1}, \cdots, {x_n}} \right), \cdots, {p_m}\left({{x_1}, \cdots, {x_n}} \right)} \right).$

Public Key: $\mathit{\boldsymbol{\mathcal{P}}}$.

Private Key: $\mathit{\boldsymbol{\mathcal{Q}, }}\mathit{\boldsymbol{\mathcal{S}, }}\mathit{\boldsymbol{\mathcal{J}, }}$.

The original model of the signature and verification of multivariate public key cryptosystem ^[29,30] is given as Figure 1.

2.1.   Signature generation

$\mathit{\boldsymbol{\mathcal{M}}}$ is a message. Taking a hash function $H$, we have $\boldsymbol{v} = {H} \left(\mathit{\boldsymbol{\mathcal{M}}} \right)$. Then ${\boldsymbol{y}} = {\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}\left(\boldsymbol{v} \right)$, $\boldsymbol{x} = {\mathit{\boldsymbol{\mathcal{Q}}}^{ - 1}}\left(\boldsymbol{y} \right)$ and $\boldsymbol{u} = {\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}}\left(\boldsymbol{x} \right)$ are calculated in turn, where ${\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}}$, ${\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}$ and ${\mathit{\boldsymbol{\mathcal{Q}}}^{ - 1}}$ are reversible affine transformations of private key $\mathit{\boldsymbol{\mathcal{S}}}$, $\mathit{\boldsymbol{\mathcal{J}}}$ and the central mapping $\mathit{\boldsymbol{\mathcal{Q}}}$ respectively. Vector $\boldsymbol{u} = \left({{u_1}, \cdots \left. {, {u_n}} \right)} \right.$ is the signature of message $\mathit{\boldsymbol{\mathcal{M}}}$.

2.2.   Verification

A signature $\boldsymbol{u}$ is accepted if $\boldsymbol{v} = \mathit{\boldsymbol{\mathcal{P}}}\left(\boldsymbol{u} \right)$ using the public key $\mathit{\boldsymbol{\mathcal{P}}}$. As shown in Figure 1, a signature $\boldsymbol{u}$ is accepted if $\boldsymbol{v} = \mathit{\boldsymbol{\mathcal{P}}}\left(\boldsymbol{u} \right)$ using the public key $\mathit{\boldsymbol{\mathcal{P}}}$. We call the signature $\boldsymbol{u}$ is passed the public key verification and the signature $\boldsymbol{u}$ is a valid signature.

2.3.   Key recovery attack

Definition 1 Equivalent private keys ^[13,14]: For a cryptosystem, if two (or more) private keys $({\mathit{\boldsymbol{\mathcal{J}}}_1}, {\mathit{\boldsymbol{\mathcal{Q}}}_1}{\rm{, }}{\mathit{\boldsymbol{\mathcal{S}}}_1}\mathit{\boldsymbol{)}}$ and $({\mathit{\boldsymbol{\mathcal{J}}}_2}, {\mathit{\boldsymbol{\mathcal{Q}}}_2}, {\mathit{\boldsymbol{\mathcal{S}}}_2}\mathit{\boldsymbol{)}}$ $\in \operatorname{Aff}^{-1}\left(\mathrm{F}^{m}\right) \times \mathrm{MQ}\left(\mathrm{F}^{n}, \mathrm{F}^{m}\right) \times \mathrm{Aff}^{-1}\left(\mathrm{F}^{n}\right)$ correspond to the same public key, we call the two (multiple) private keys "equivalent", which have: ${\mathit{\boldsymbol{\mathcal{J}}}_1} \circ {\mathit{\boldsymbol{\mathcal{Q}}}_1} \circ {\mathit{\boldsymbol{\mathcal{S}}}_1} = \mathit{\boldsymbol{\mathcal{P}}} = {\mathit{\boldsymbol{\mathcal{J}}}_2} \circ {\mathit{\boldsymbol{\mathcal{Q}}}_2} \circ {\mathit{\boldsymbol{\mathcal{S}}}_2}$. For example, $(\mathit{\boldsymbol{\mathcal{J', Q', S')}}}$ is an equivalent key of the private key $(\mathit{\boldsymbol{\mathcal{J, Q, S)}}}$, then according Definition 1, we have $\mathit{\boldsymbol{\mathcal{J}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ \mathit{\boldsymbol{\mathcal{S}}} = \mathit{\boldsymbol{\mathcal{P}}} = \mathit{\boldsymbol{\mathcal{J'}}} \circ \mathit{\boldsymbol{\mathcal{Q'}}} \circ \mathit{\boldsymbol{\mathcal{S'}}}$. Then for a message $\boldsymbol{v}$, we get the correct and valid signature $\boldsymbol{u} = \mathit{\boldsymbol{\mathcal{J}}}_{}^{{\rm{ - 1}}} \circ \mathit{\boldsymbol{\mathcal{Q}}}_{}^{{\rm{ - 1}}} \circ \mathit{\boldsymbol{\mathcal{S}}}_{}^{{\rm{ - 1}}}\left(\boldsymbol{v} \right)$ by using the private key $(\mathit{\boldsymbol{\mathcal{J, Q, S)}}}$. And there is also $\boldsymbol{u'} = \mathit{\boldsymbol{\mathcal{J'}}} \circ \mathit{\boldsymbol{\mathcal{Q'}}} \circ \mathit{\boldsymbol{\mathcal{S'}}}\left(\boldsymbol{v} \right)$ by using the equivalent key $(\mathit{\boldsymbol{\mathcal{J', Q', S')}}}$. Be notice that according Definition 1, there is $\boldsymbol{v} = \mathit{\boldsymbol{\mathcal{P}}}\left(\boldsymbol{u} \right) = \mathit{\boldsymbol{\mathcal{P}}}\left({\boldsymbol{u}'} \right)$. That is to say for the fake signature $\boldsymbol{u}'$, there is $\boldsymbol{u}' \ne \boldsymbol{u}$ and $\boldsymbol{u}'$ can pass the verification.

Definition 2 Key recovery attack: A public key $\mathit{\boldsymbol{\mathcal{P}}}$ is known. This type of attack is to find more intrinsic links between the variables of the public key and to generate more multivariable public key equations which are independent of the original equations, then to solve the equivalent keys from the public key.

In other words, the key recovery attack depends on linear algebra in all kinds of spaces of homogeneous polynomials ^[31]. When the attacker finds a decomposition of public key $\mathit{\boldsymbol{\mathcal{P}}}$, that is to say he find the equivalent key ${\mathit{\boldsymbol{\mathcal{J}}}_2}$, ${\mathit{\boldsymbol{\mathcal{S}}}_2}$ (and ${\mathit{\boldsymbol{\mathcal{Q}}}_2}$), and it is very easy to forge a signature in the scheme. For example, the Unbalanced Oil and Vinegar Scheme (UOV) have such an equivalent key with probability roughly ^[32]. Besides, in some sense, the key recovery attack coincides with the EIP-problem (Extended Isomorphism of Polynomials¹) ^[33]. And the EIP-problem of Matrix-based UOV can be solved in polynomial-time in ^[34], and then the Matrix-based UOV signature can be forged at appropriate parameters at 80 or 100 security levels. Therefore, key-recovery attack helps find an equivalent key and fork signature by using algebraic structure of concrete trapdoor of scheme.

¹ EIP-problem: Let public key $\mathit{\boldsymbol{\mathcal{P}}}$ be nonlinear multivariate systems $\mathit{\boldsymbol{\mathcal{P}}} = {\mathit{\boldsymbol{\mathcal{J}}}_1}\circ{\mathit{\boldsymbol{\mathcal{Q}}}_1}\circ{\mathit{\boldsymbol{\mathcal{S}}}_1}$ with a linear maps, and ${\mathit{\boldsymbol{\mathcal{S}}}_1}$, ${\mathit{\boldsymbol{\mathcal{J}}}_1}$ and trapdoor ${\mathit{\boldsymbol{\mathcal{Q}}}_1}$ belongs to some special class of multivariate polynomial systems, find another decomposition of $\mathit{\boldsymbol{\mathcal{P}}}$ such that $\mathit{\boldsymbol{\mathcal{P}}} = {\mathit{\boldsymbol{\mathcal{J}}}_2} \circ {\mathit{\boldsymbol{\mathcal{Q}}}_2} \circ {\mathit{\boldsymbol{\mathcal{S}}}_2}$ with a linear maps ${\mathit{\boldsymbol{\mathcal{S}}}_2}$, ${\mathit{\boldsymbol{\mathcal{J}}}_2}$ and ${\mathit{\boldsymbol{\mathcal{Q}}}_2}$.

3.   Improved signature model of multivariable public key cryptosystem

The original signature model is described as Figure 1 in Section 1, and we also hash the message before we make the signature. This is for compression only as in tradition public key cryptosystem. We use secret hash function to generate the public key in the improved model, then we would like to stress that this is only to hide the private key as hash function is irreversible and anti-collision. And we will regard the hash as a random oracle. Moreover, as we know the known quantum decomposition algorithm has no advantage in such as SHA-3.

3.1.   Generating system parameters

Similarly, let F be a finite field and E be a $n$ -th power extension field of F, $n$-th and $m$-th extension fields of F are denoted as Fⁿ and F^m respectively. The isomorphic mapping $\pi :{\rm E} \to {\rm F}^n$ is defined from the extended domain to vector space. Take a central mapping $\mathit{\boldsymbol{\mathcal{Q}}}$, two reversible affine transformations $\mathit{\boldsymbol{\mathcal{S}}}$ and $\mathit{\boldsymbol{\mathcal{J}}}$.

Then randomly select a set of $n$ variable quadratic multivariable polynomial equation vector $\left({{g_1}\left({{x_1}, \cdots, {x_n}} \right), \cdots, {g_n}\left({{x_1}, \cdots, {x_n}} \right)} \right)$, which denoted as $\mathit{\boldsymbol{\mathcal{G}}}$, $\mathit{\boldsymbol{\mathcal{G}}}\left({\boldsymbol{x}} \right) = \left({{g_1}\left({\boldsymbol{x}} \right), \cdots, {g_n}\left({\boldsymbol{x}} \right)} \right)$, and two one-way irreversible polynomials $\mathit{\boldsymbol{\mathcal{H}}}$ and $\mathit{\boldsymbol{\mathcal{\tilde H}}}$ on Fⁿ. The user's private key consists of $\mathit{\boldsymbol{\mathcal{Q}}}$, $\mathit{\boldsymbol{\mathcal{S}}}$, $\mathit{\boldsymbol{\mathcal{J}}}$ and $\mathit{\boldsymbol{\mathcal{G}}}$, all of which are invertible affine transformations. $\mathit{\boldsymbol{\mathcal{H}}}$ and $\mathit{\boldsymbol{\mathcal{\tilde H}}}$ are secretly selected for public key generation. The public key is composed of five parts: $\mathit{\boldsymbol{\mathcal{P}}} = \mathit{\boldsymbol{\mathcal{J}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ \mathit{\boldsymbol{\mathcal{S}}}$, $\mathit{\boldsymbol{\mathcal{H}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}$, $\mathit{\boldsymbol{\mathcal{H}}} \circ \mathit{\boldsymbol{\mathcal{S}}}$, $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}$, and $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ {\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}$. The signature generation progress and signature verification progress are as shown in Figure 2.

Public Key: F, $\mathit{\boldsymbol{\mathcal{P}}}$, $\mathit{\boldsymbol{\mathcal{H}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}$, $\mathit{\boldsymbol{\mathcal{H}}} \circ \mathit{\boldsymbol{\mathcal{S}}}$, $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}$, $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ {\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}$.

Private Key: $\mathit{\boldsymbol{\mathcal{Q, G, S, T}}}$.

3.2.   The signature generation

(1) For message $\boldsymbol{u}$, the signer uses secret key $\mathit{\boldsymbol{\mathcal{J}}}$ to calculate $\left({{y_1}, \cdots, {y_m}} \right) = \mathit{\boldsymbol{\mathcal{J}}}_{}^{ - 1}\left({{u_1}, \cdots, {u_m}} \right)$ and denotes $\left({{y_1}, \cdots, {y_m}} \right)$ as ${\boldsymbol{y}}$;

(2) The signer calculates $\left({{x_1}, \cdots, {x_n}} \right) = {\mathit{\boldsymbol{\mathcal{Q}}}^{ - 1}}\left({{y_1}, \cdots, {y_m}} \right) = \pi \circ {\mathit{\boldsymbol{\mathcal{\tilde Q}}}^{ - 1}} \circ {\pi ^{ - 1}}\left({{y_1}, \cdots, {y_m}} \right)$ and denotes the result $\left({{x_1}, \cdots, {x_n}} \right)$ as ${\boldsymbol{x}}$;

(3) The signer uses the private key ${\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}}$ to obtain $\left({{v_1}, \cdots, {v_n}} \right) = \mathit{\boldsymbol{\mathcal{S}}}_{}^{ - 1}\left({{x_1}, \cdots, {x_n}} \right)$ and remembers $\left({{v_1}, \cdots, {v_n}} \right)$ as ${\boldsymbol{v}}$.

The signature generation above is the same as that in the original model. ${\boldsymbol{v}}$ is called forward signature.

(4) The signer uses private key $\mathit{\boldsymbol{\mathcal{G}}}$ to get $\mathit{\boldsymbol{\mathcal{G}}}\left({{x_1}, \cdots, {x_n}} \right) = \left({{g_1}\left({{x_1}, \cdots, {x_n}} \right), \cdots, {g_n}\left({{x_1}, \cdots, {x_n}} \right)} \right) = \left({{g_1}, \cdots, {g_n}} \right)$ and denotes it as ${\boldsymbol{g}}$;

(5) The signer uses ${\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}}$ of the private key $\mathit{\boldsymbol{\mathcal{S}}}$ to obtain ${\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}}\left({\boldsymbol{g}} \right) = {\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{G}}}\left({\boldsymbol{x}} \right) = \left({{v_{g1}}, \cdots, {v_{gn}}} \right)$ and denotes it as ${{\boldsymbol{v}}_g}$. ${{\boldsymbol{v}}_g}$ is the backward signature.

The concatenated ${\boldsymbol{v}}\left\| {{{\boldsymbol{v}}_g}} \right.$ is the final signature of message $\mathit{\boldsymbol{\mathcal{M}}}$.

3.3.   The signature verification

(1) The verifier uses the signer's public key to calculate $\mathit{\boldsymbol{\mathcal{P}}}\left({{v_1}, \cdots, {v_n}} \right)$ and verifies $\mathit{\boldsymbol{\mathcal{P}}}\left({{v_1}, \cdots, {v_n}} \right)\mathop = \limits^? \left({{u_1}, \cdots, {u_m}} \right)$. If it does, then continue with the next step, otherwise reject.

(2) The verifier takes the forward signature $\left({{v_1}, \cdots, {v_n}} \right)$ into $\mathit{\boldsymbol{\mathcal{H}}} \circ \mathit{\boldsymbol{\mathcal{S}}}$ to get $\mathit{\boldsymbol{\mathcal{H}}} \circ \mathit{\boldsymbol{\mathcal{S}}}\left({{v_1}, \cdots, {v_n}} \right)$, which denoted as $\left({{h_1}, \cdots, {h_n}} \right)$. The backward signature $\left({{v_{g1}}, \cdots, {v_{gn}}} \right)$ is substituted into the public key $\mathit{\boldsymbol{\mathcal{H}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}$ to obtain the result $\mathit{\boldsymbol{\mathcal{H}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}\left({{v_{g1}}, \cdots, {v_{gn}}} \right)$, which denoted as $\left({{{h'}_1}, \cdots, {{h'}_n}} \right)$. If $\left({{{h'}_1}, \cdots, {{h'}_n}} \right)$ and $\left({{h_1}, \cdots, {h_n}} \right)$ are equal, the signature is valid, otherwise the signature is invalid and rejected.

(3) The verifier substitutes respectively the backward signature $\left({{v_{g1}}, \cdots, {v_{gn}}} \right)$ and message $\left({{u_1}, \cdots, {u_m}} \right)$ into public key $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}$ and $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{J}}}_{}^{ - 1}$ to obtain $\left({{{\tilde h'}_1}, \cdots, {{\tilde h'}_m}} \right) = \mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}\left({{v_{g1}}, \cdots, {v_{gn}}} \right)$ and $\left({{{\tilde h}_1}, \cdots, {{\tilde h}_m}} \right) = \mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{J}}}_{}^{ - 1}\left({{u_1}, \cdots, {u_n}} \right)$ respectively. If the value $\left({{{\tilde h'}_1}, \cdots, {{\tilde h'}_m}} \right)$ is equal to $\left({{{\tilde h}_1}, \cdots, {{\tilde h}_m}} \right)$, then signature is valid and accepted, otherwise the signature is rejected.

3.4.   Security analysis

Suppose the signature ${\boldsymbol{v}}\left\| {{{\boldsymbol{v}}_g}} \right.$ is generated according to the above steps. Then we have $\mathit{\boldsymbol{\mathcal{P}}}\left({\boldsymbol{v}} \right) = \mathit{\boldsymbol{\mathcal{P}}}\left({{\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}} \circ {\mathit{\boldsymbol{\mathcal{Q}}}^{ - 1}} \circ {\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}\left({{u_1}, \cdots, {u_m}} \right)} \right) = \mathit{\boldsymbol{\mathcal{P}}} \circ {\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}} \circ {\mathit{\boldsymbol{\mathcal{Q}}}^{ - 1}} \circ {\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}\left({\boldsymbol{u}} \right) = \mathit{\boldsymbol{\mathcal{J}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ \mathit{\boldsymbol{\mathcal{S}}} \circ {\mathit{\boldsymbol{\mathcal{S}}}^{ - 1}} \circ {\mathit{\boldsymbol{\mathcal{Q}}}^{ - 1}} \circ {\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}\left({\boldsymbol{u}} \right) = {\boldsymbol{u}}$, $\mathit{\boldsymbol{\mathcal{S}}}\left({\boldsymbol{v}} \right) = \left({{x_1}, \cdots, {x_n}} \right) = {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}\left({{{\boldsymbol{v}}_g}} \right)$, and $\mathit{\boldsymbol{\mathcal{Q}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}\left({{{\boldsymbol{v}}_g}} \right) = {\boldsymbol{y}} = {\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}\left({\boldsymbol{u}} \right)$. The correctness of this algorithm is intuitively clear.

Claim 1: In the improved multivariate signature model, the probability of finding equivalent keys of a given public key is approaching 0 for some concrete trapdoor structure.

As is analyzed previously, the multivariate polynomial cryptographic system always has the characteristic of "equivalent key". That is the same public key corresponds to multiple private keys. Therefore, with the help of the key recovery attack, the attacker succeeded in forging signature without the correct private key $\left({\mathit{\boldsymbol{\mathcal{J}}}, \mathit{\boldsymbol{\mathcal{Q}}}, \mathit{\boldsymbol{\mathcal{S}}}} \right)$. However even the attacker gets an equivalent private key $\left({\mathit{\boldsymbol{\mathcal{J'}}}, \mathit{\boldsymbol{\mathcal{Q'}}}, \mathit{\boldsymbol{\mathcal{S'}}}} \right)$ in our proposed construction, the probability that he forges a signature is 0. A signature is valid in the improved model, only when it consist of a forward signature ${\boldsymbol{v}}$ and a backward signature ${{\boldsymbol{v}}_g}$ and it is verified by verification condition (1), (2) and (3) in Section 3.3. However it is impossible for a signature followed by equivalent key. For a signature ${\boldsymbol{\hat v}}\left\| {{{{\boldsymbol{\hat v}}}_g}} \right.$ recovered by an equivalent key $\left({\mathit{\boldsymbol{\mathcal{J'}}}, \mathit{\boldsymbol{\mathcal{Q'}}}, \mathit{\boldsymbol{\mathcal{S'}}}} \right)$ through the key recovery attack, the forward part is denoted as ${\boldsymbol{\hat v}}$, and the backward part is denoted as ${{\boldsymbol{\hat v}}_g}$. We say it would still unable to pass verification condition 2 and 3. In condition 2, the public keys $\mathit{\boldsymbol{\mathcal{H}}} \circ \mathit{\boldsymbol{\mathcal{S}}}$ and $\mathit{\boldsymbol{\mathcal{H}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}$ restrict the internal note information $\boldsymbol{x}$ for correct signature ${\boldsymbol{v}}\left\| {{{\boldsymbol{v}}_g}} \right.$ and $\boldsymbol{x}$ is generated by correct private key $\mathit{\boldsymbol{\mathcal{J, S}}}$. Similarly, in condition 3, the public keys $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}$ and $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ {\mathit{\boldsymbol{\mathcal{J}}}^{ - 1}}$ restrict the internal note information ${\boldsymbol{y}}$ for correct signature ${\boldsymbol{v}}\left\| {{{\boldsymbol{v}}_g}} \right.$ and ${\boldsymbol{y}}$ is generated by correct private key $\mathit{\boldsymbol{\mathcal{J}}}$. However, the equality probability of the equivalent $\mathit{\boldsymbol{\mathcal{J'}}}$ and the right $\mathit{\boldsymbol{\mathcal{J}}}$ is $p\left({\mathit{\boldsymbol{\mathcal{J' = J}}}} \right) = {\raise0.7ex\hbox{$1$} \!\mathord{\left/ {\vphantom {1 {{q^m}}}}\right.} \!\lower0.7ex\hbox{${{q^m}}$}}$. Similarly, the equality probability of the equivalent $\left({\mathit{\boldsymbol{\mathcal{J'}}}, \mathit{\boldsymbol{\mathcal{S'}}}} \right)$ and the right $\left({\mathit{\boldsymbol{\mathcal{J}}}, \mathit{\boldsymbol{\mathcal{S}}}} \right)$ is $p\left({\mathit{\boldsymbol{\mathcal{J' = J}}}} \wedge {\mathit{\boldsymbol{\mathcal{S' = S}}}} \right) = {\raise0.7ex\hbox{$1$} \!\mathord{\left/ {\vphantom {1 {{q^{mn}}}}}\right.} \!\lower0.7ex\hbox{${{q^{mn}}}$}}$. Moreover, if an attacker randomly guesses a forward signature ${\boldsymbol{\hat v}}$ and a backward signature ${{\boldsymbol{\hat v}}_g}$, the probability of correct guess for $p\left({{\boldsymbol{\hat v}} = {\boldsymbol{v}} \wedge {{{\boldsymbol{\hat v}}}_g} = {{\boldsymbol{v}}_g}} \right)$ is $\frac{1}{{{{q}^{2\boldsymbol{n}}}}}$.

Therefore the improved model can effectively help multivariate scheme to resist the key recovery attack and forking signature.

4.   Comparative analysis of HFE in the original model and the improved model

HFE is one classical multivariate polynomial cryptosystem ^[26]. However it was broken by recovering the secret key from the public key by linearization technique, which is belong to key recovery attack ^[35].

In this section, by comparing HFE scheme in the original model and the improved model, we shows that the new improved model enhance the security of the HFE scheme and help HFE resist and key recovery attack of the linearization technique.

4.1.   HFE scheme

Let F be an $q$ order finite field and E be a $n$-th power extension field of F. The isomorphic mapping $\pi :{\rm E} \to {\rm F}^n$ is defined from the extended domain to vector space. The central map of HFE is homogeneous polynomials (the lower degree monomials can be ignored for they have no impact on security):

where $i, j \in \text{N}$, $d \in \text{N}$. The second-order coefficients ${C_{i, j}} \in \text{E}$ is randomly selected. The degree ${q^i}$ and ${q^j}$ must be less than some parameter $d$ to be resolved. Then central map $\mathit{\boldsymbol{\mathcal{Q}}}\left({{x_1}, \cdots, {x_n}} \right)$ is quadratic mapping from F to F : $\mathit{\boldsymbol{\mathcal{Q}}}\left({{x_1}, \cdots, {x_n}} \right) = \left({{q_1}\left({{x_1}, \cdots, {x_n}} \right), \cdots, {q_n}\left({{x_1}, \cdots, {x_n}} \right)} \right) = \pi \circ \mathit{\boldsymbol{\mathcal{\tilde Q}}} \circ {\pi ^{ - 1}}\left({{x_1}, \cdots, {x_n}} \right)$.

$\mathit{\boldsymbol{\mathcal{P = J}}} \circ \pi \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ {\pi ^{ - 1}} \circ \mathit{\boldsymbol{\mathcal{S}}}\left({\boldsymbol{x}} \right) = \mathit{\boldsymbol{\mathcal{J}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ \mathit{\boldsymbol{\mathcal{S}}}\left({\boldsymbol{x}} \right)$ is public key. $\mathit{\boldsymbol{\mathcal{J}}}$ and $\mathit{\boldsymbol{\mathcal{S}}}$ are private keys.

4.2.   Key recovery attack on HFE scheme under original model

Kipins and Shamir broke the HFE scheme using linearization technique by key recovery attack, and the idea is given as follows ^[35,36].

We take a set of $\varepsilon {m^2}$ quadratic equations in $m$ variables ${x_1}, \cdots, {x_m}$, where $\varepsilon$ is constant. It can be rewritten as a new set of $\varepsilon {m^2}$ linear equations in the approximately ${\raise0.7ex\hbox{${{m^2}}$} \!\mathord{\left/ {\vphantom {{{m^2}} 2}}\right.} \!\lower0.7ex\hbox{$2$}}$ new variables ${y_{ij}} = {x_i}{x_j}$, where $i \leqslant j$. Then for any 4-tuple ${x_a}{x_b}{x_c}{x_d}$ of indices $1 \leqslant a \leqslant b \leqslant c \leqslant d \leqslant m$, it is parenthesized in three different ways:

.

Then there are about ${{{m^4}} \mathord{\left/ {\vphantom {{{m^4}} {4!}}} \right. } {4!}}$ different ways to choose from the sorted 4-tuples of distinct indices, and each choice gives rise to 2 equations. Thus there are about ${{{m^4}} \mathord{\left/ {\vphantom {{{m^4}} {12}}} \right. } {12}}$ quadratic equations in the ${{{m^2}} \mathord{\left/ {\vphantom {{{m^2}} 2}} \right. } 2}$ ${y_{ij}}$ variables, and these equations are linearly independent. By replacing each one of the ${y_{ij}}$ variables via its parametric representation as a linear combination of the new $\left( {1/2 - \varepsilon } \right){m^2}{z_i}$ variables, the number of variables is decreased to $\left({{1 \mathord{\left/ {\vphantom {1 2}} \right. } 2} - \varepsilon } \right){m^2}$. The new ${{{m^4}} \mathord{\left/ {\vphantom {{{m^4}} {12}}} \right. } {12}}$ quadratic equations in the new $\left({{1 \mathord{\left/ {\vphantom {1 2}} \right. } 2} - \varepsilon } \right){m^2}$ ${z_i}$ variables can be linearized again by replacing each product ${z_i}{z_j}$ for $i \leqslant j$ by new variables ${v_{ij}}$, which is called the relinearization technique and is belong to key recover attack. Then the new system has ${{{m^4}} \mathord{\left/ {\vphantom {{{m^4}} {12}}} \right. } {12}}$ linear equations in ${{{{\left({\left({{1 \mathord{\left/ {\vphantom {1 2}} \right. } 2} - \varepsilon } \right){m^2}} \right)}^2}} \mathord{\left/ {\vphantom {{{{\left({\left({{1 \mathord{\left/ {\vphantom {1 2}} \right. } 2} - \varepsilon } \right){m^2}} \right)}^2}} 2}} \right. } 2}$ variables ${v_{ij}}$.

The relinear process is summarized as follows.

When ${{{m^4}} \mathord{\left/ {\vphantom {{{m^4}} {12}}} \right. } {12}} \geqslant {{{{\left({\left({{1 \mathord{\left/ {\vphantom {1 2}} \right. } 2} - \varepsilon } \right){m^2}} \right)}^2}} \mathord{\left/ {\vphantom {{{{\left({\left({{1 \mathord{\left/ {\vphantom {1 2}} \right. } 2} - \varepsilon } \right){m^2}} \right)}^2}} 2}} \right. } 2}$, that is $\varepsilon \geqslant {1 \mathord{\left/ {\vphantom {1 2}} \right. } 2} - {1 \mathord{\left/ {\vphantom {1 {\sqrt 6 }}} \right. } {\sqrt 6 }} \approx 0.1$, the linear system is resolved uniquely by Gauss linearization. Therefore, HFE Scheme under original model was broken by the key recovery attack.

4.3.   HFE signature scheme under the improved model

In the improved signature model, as analysis in Section 2.4, for the same message $\left({{u_1}, \cdots, {u_m}} \right)$, the signature changes from the original to two parts, ${v_1}, \cdots, {v_n}$ and ${v_{g1}}, \cdots, {v_{gn}}$. When verifying that whether the ${\mathit{\boldsymbol{\mathcal{P}}}_{Alice}}\left({{v_1}, \cdots, {v_n}} \right)$ is equal to $\left({{u_1}, \cdots, {u_n}} \right)$, namely using the original public key ${\mathit{\boldsymbol{\mathcal{P}}}_{Alice}}$, it is necessary to verify that whether the $\mathit{\boldsymbol{\mathcal{H}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ {\mathit{\boldsymbol{\mathcal{S}}}_{Alice}}\left({{v_1}, \cdots, {v_n}} \right)$ associated with the private key is equal to the $\mathit{\boldsymbol{\mathcal{H}}} \circ {\mathit{\boldsymbol{\mathcal{S}}}_{Alice}}\left({{v_{{g_1}}}, \cdots, {v_{{g_n}}}} \right)$ and whether the $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{J}}}_{Alice}^{ - 1}\left({{u_1}, \cdots, {u_n}} \right)$ is equal to $\mathit{\boldsymbol{\mathcal{\tilde H}}} \circ \mathit{\boldsymbol{\mathcal{Q}}} \circ {\mathit{\boldsymbol{\mathcal{G}}}^{ - 1}} \circ {\mathit{\boldsymbol{\mathcal{S}}}_{Alice}}\left({{v_{g1}}, \cdots, {v_{gn}}} \right)$. This shows that only when all three conditions are verified, $\left. {{v_1}, \cdots, {v_n}} \right\|{v_{g1}}, \cdots, {v_{gn}}$ can be obtained. Thus it is a valid signature. That is to say, the verification under the new model involves not only the message $\boldsymbol{u}$ and signature $\boldsymbol{v}$, but also the verification of the internal node information. And according the recommended choice, such as $q{\rm{ = GF}}{\left(2 \right)^{128}}$ and suitable parameters $m$ and $n$ for HFE in ^[35], the probabilities finding the equivalent keys in Section 2.4 are all close to 0.

Therefore, the improved model is guaranteed that each signature is generated by the correct private key of the legitimate user, which prevents the equivalent key from recovering and signature from forging by the key recovery attack.

4.4.   Performance analysis

4.4.1.   Computation complexity

As shown in the original model, the kernel polynomials ${q_1}, \cdots {q_m}$ are $m$ polynomials in $n$ variables of degree 2, since for any integer $d$, $x \mapsto {x^{{q^d}}}$ is a linear function of ${\rm F}^n \mapsto {\rm F}^n$ ^[26]. In the original model, the time of signature generation include the inverse of affine transformation $\mathit{\boldsymbol{\mathcal{S}}}$, the inverse of central mapping $\mathit{\boldsymbol{\mathcal{Q}}}$ and the inverse of affine transformation $T$, so the time complexity is ($O\left[{{m^2} + d \cdot \frac{{mn(n - 1)}}{2} + {n^2}} \right]$). Similarly, the time complexity of the verification process is ($O\left[{m\left({\frac{{n(n - 1)}}{2} + n + 1} \right)} \right]$). In the improved model, the signature generation of HFE has the same time complexity as in the original model. However, the time of signature verification has a little more than that in original model, for there are two additional verification conditions. Thus the total time complexity of the verification is $O\left[{m\left({\frac{{n(n - 1)}}{2} + n + 1} \right) + n + m} \right]$. The comparison of HFE in the original model and the improved model are as Table 2.

Then we easily can get the computation complexity for some parameter, such as m = n = 128 or 160 ^[26].

4.4.2.   Experimental results

The evaluation is conducted through experiment assessing the time cost of the proposed scheme on a computer with Windows7 Intel i5-4570S-2.90GHz CPU and 8-GB RAM. For the convenience of comparative analysis, we set ${{m = n}}$ in experiment. All results presented here are the average value in 100 different messages. The cost of signature depends on the computation of ${\mathit{\boldsymbol{\mathcal{\tilde Q}}}^{ - 1}}$. With the help of Magma V2.12-16, we take efficient FM algorithm. Consider the parameter $d$ is not be too big and it will be out of our memory or system resources for larger input parameter, we list some corresponding signature and verification time for about ${2^2} \leqslant q \leqslant {2^8}$, $4 \leqslant n \leqslant 64$ and $3 \leqslant d \leqslant 7$ in Table 3. To achieve higher security requirements, larger parameters can be taken.

The speed of verification is faster than the signature in these two models, since the signature needs to compute the ${\mathit{\boldsymbol{\mathcal{\tilde Q}}}^{ - 1}}$ while the verification is only to compute common modulo additions and multiplications on finite field. The parameter $q$, $n$ and $d$ in HFE takes a large number, then the overload of signature or verification will be very large. Both signature time and verification time in improved model is increased compared with those in the original model. It is easy to understand that the small-scale increase of parameters leads to the signature and verification time in a highly non-linear fashion. This basically conforms to the nonlinear properties of central map of multivariate polynomials cryptosystem.

To provide the detailed differences of small values, we give two classifications by parameters according the Table 3 and evaluate the logarithm of these times in following figures.

Fix $q = {2^3}$, the comparing results with different degree and number of equations $\left({n, d} \right)$ is presented in Figure 3. It shows that the more equations or degrees, the greater the consumption. Especially, when $n$ is double, the signature and verification time is increased to several dozen times in these two models. It is similar when the degree $d$ is large.

Fix $n = 4, d = 3$, the comparing results with different size of finite field $q$ is presented in Figure 4. We also conclude that the larger size of finite field, the greater the consumption, furthermore in the form of nonlinear approach to exponential growth. The verification time in the improved model is increased much more than the original model. For there are three verification conditions in the improved model while only one verification condition in the original model. However, the indicators of signature time are not very different from each other, and no significant difference is shown.

5.   Conclusions

The existing signature model of multivariate system does not take the potential hazard of the key recovery attack at the initial design into account. To overcome the defect, this paper proposes an improved signature model. In the new model, a strengthening public key verification progress of verifying the internal information is proposed to inhibit the forged signature brought with the key recovery attack effectively. Finally, we take the classical scheme HFE as an example to illustrate that the new model can effectively resist key recovery attacks. It provides a useful supplement to the design and research of secure digital signature schemes in the quantum age.

Acknowledgments

This work is supported by National Key R & D Program of China (No.2017YFB0802000), the National Natural Science Foundation of China (61572303, 61772326, 61802241, 61802242), National Cryptography Development Fund during the 13th Five-year Plan Period (MMJJ20180217), the Foundation of State Key Laboratory of Information Security (2017-MS-03) and the Doctoral Scientific Fund Project of Shaanxi University of Science & Technology, China (No. BJ11-12).

Conflict of interest

All authors declared that we have no conflicts of interest to this work.