Loading [MathJax]/jax/output/SVG/jax.js
Research article Special Issues

An improved signature model of multivariate polynomial public key cryptosystem against key recovery attack

  • An improved signature model of multivariate polynomial public key cryptosystem to resist the key recovery attack is presented in this paper. Two pairs of public keys are added to design new authentication conditionals for public keys, and then the verification is not only to verify the original external information but also the exact internal kernel information. It requires both the corresponding private key and the exact internal node information to produce an accurate signature, so that a forged signature by key recovery attack cannot pass the verification without the exact private key. To illustrate this, the classic HFE (Hidden Fields Equations) scheme is taken as an example to clarify the signing and verifying process in detail. It provides a useful supplement to the research and designing of secure digital signature schemes in the quantum age.

    Citation: Xin Wang, Bo Yang. An improved signature model of multivariate polynomial public key cryptosystem against key recovery attack[J]. Mathematical Biosciences and Engineering, 2019, 16(6): 7734-7750. doi: 10.3934/mbe.2019388

    Related Papers:

    [1] Xiaodong Yang, Haoqi Wen, Lei Liu, Ningning Ren, Caifen Wang . Blockchain-enhanced certificateless signature scheme in the standard model. Mathematical Biosciences and Engineering, 2023, 20(7): 12718-12730. doi: 10.3934/mbe.2023567
    [2] Xiaodong Yang, Ruixia Liu, Bin Shu, Ningning Ren, Wenjia Wang . A heterogeneous signcryption scheme for smart grid with trusted multi-ciphertext equality test. Mathematical Biosciences and Engineering, 2023, 20(11): 20295-20316. doi: 10.3934/mbe.2023898
    [3] Nyamsuren Vaanchig, Zhiguang Qin . Public key encryption with temporary and fuzzy keyword search. Mathematical Biosciences and Engineering, 2019, 16(5): 3914-3935. doi: 10.3934/mbe.2019193
    [4] Yanfeng Shi, Shuo Qiu, Jiqiang Liu, Tinghuai Ma . Novel efficient lattice-based IBE schemes with CPK for fog computing. Mathematical Biosciences and Engineering, 2020, 17(6): 8105-8122. doi: 10.3934/mbe.2020411
    [5] Xiao Dong Yang, Wen Jia Wang, Bin Shu, Mei Juan Li, Rui Xia Liu, Cai Fen Wang . Multi-message multi-receiver signcryption scheme based on blockchain. Mathematical Biosciences and Engineering, 2023, 20(10): 18146-18172. doi: 10.3934/mbe.2023806
    [6] Te-Wei Chiang, Dai-Lun Chiang, Tzer-Shyong Chen, Frank Yeong-Sung Lin, Victor R. L. Shen, Min-Chien Wang . Novel Lagrange interpolation polynomials for dynamic access control in a healthcare cloud system. Mathematical Biosciences and Engineering, 2022, 19(9): 9200-9219. doi: 10.3934/mbe.2022427
    [7] Guodong Ye, Huishan Wu, Kaixin Jiao, Duan Mei . Asymmetric image encryption scheme based on the Quantum logistic map and cyclic modulo diffusion. Mathematical Biosciences and Engineering, 2021, 18(5): 5427-5448. doi: 10.3934/mbe.2021275
    [8] Qiuling Wu, Dandan Huang, Jiangchun Wei, Wenhui Chen . Adaptive and blind audio watermarking algorithm based on dither modulation and butterfly optimization algorithm. Mathematical Biosciences and Engineering, 2023, 20(6): 11482-11501. doi: 10.3934/mbe.2023509
    [9] Sabina Szymoniak . Security protocols analysis including various time parameters. Mathematical Biosciences and Engineering, 2021, 18(2): 1136-1153. doi: 10.3934/mbe.2021061
    [10] Guozheng Yang, Lintao Liu, Xuehu Yan . A compressed secret image sharing method with shadow image verification capability. Mathematical Biosciences and Engineering, 2020, 17(4): 4295-4316. doi: 10.3934/mbe.2020237
  • An improved signature model of multivariate polynomial public key cryptosystem to resist the key recovery attack is presented in this paper. Two pairs of public keys are added to design new authentication conditionals for public keys, and then the verification is not only to verify the original external information but also the exact internal kernel information. It requires both the corresponding private key and the exact internal node information to produce an accurate signature, so that a forged signature by key recovery attack cannot pass the verification without the exact private key. To illustrate this, the classic HFE (Hidden Fields Equations) scheme is taken as an example to clarify the signing and verifying process in detail. It provides a useful supplement to the research and designing of secure digital signature schemes in the quantum age.


    Post-quantum cryptosystem has grown about 30 years. Especially in the past 10 years, the field of signature developed in leaps and bounds and emerged many research. Hash-based signature schemes are still the most promising cryptosystem candidates in a post-quantum world, such as eXtended Merkle Signature Scheme (XMSS) [1] and G-Merkle [2] XMSS, which only rely on the properties of cryptographic hash functions instead of the conjectured hardness of mathematical problems. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. Hash-based signatures can so far withstand known attacks using quantum computers. And another kind new research is Hysteresis Digital Signature for keyed hash chain with one-time signatures. The hysteresis signature calculates the hash value for the data generated only at that point and the short data, such as the hash value of the data at the previous point. Hysteresis signatures [3,4] have a linking structure is constructed between the signatures. It is applicable to verify the non-alteration of total data for maintaining the long-term reliability and relevance of digital signatures. For example, the file server manager and the auditor can verify the hysteresis signature chain sequentially from the most recent one to the oldest one. In other words, the integrity of each file can be verified with the hysteresis signature scheme, which makes it impossible to implement rollback and reordering attacks. So the mechanism is different in our scheme of multivariate public key cryptosystem. In hysteresis signatures, it is difficult to make falsification of a file, because it would mandate the reconstruction of the linked structure of all newer signatures in order to remain undetected. However, in multivariate public key cryptosystem, the equivalent keys always exist. So a falsification signature generated by equivalent key can always be generated and it can certainly pass the verification. So our purpose is to reduce the potential threats caused by rank attack of equivalent key of multivariate public key cryptosystem itself.

    The multivariable public key cryptosystem, which differs from two traditional public key cryptosystems RSA or ECC, is another kind of post-quantum cryptosystem [5,6] and has aroused much attention in recent years. It is designed with a set of nonlinear multivariable equations on finite field. Its security is based on the fact that solving a set of multivariable quadratic polynomial equations is a NP-C problem, which is called MQ-problem (multivariate quadratic problem) [7]. On January 30, 2019, NIST (National Institute of Standards and Technology) launched a global solicitation campaign of post-quantum public key cryptography standard draft. After one year of proposal collection and first round review, 26 algorithms were selected from the initial 69 and entered the semi-finals of post-quantum cryptography. In this candidate algorithm, there are 9 signatures algorithms.and Among these signatures algorithms, 4 signatures LUOV, Rainbow [8,9], MQDSS [10] and GeMSS are based on multivariate polynomials, This multivariate public key cryptography shows great potential. Especially, the MQDSS signature scheme is designed from a new construction idea based on the multivariate identity authentication protocol [10]. Along the way, different multivariate signature schemes with special signature characteristics have emerged in recent years, such as blind signatures [11]. These schemes are different from the previously designed multivariate digital signature schemes, which are all based on the underlying security authentication protocol, and the security can be directly reduced to the MQ problem.

    The key recovery attack for multivariate polynomial public key cryptosystem [12], since there are superfluous equivalent keys in its key space [13,14], is an effective method to analyze multivariate cryptosystems. However, the original signature model of multivariable system did not take the potential threat such as the key recovery attack into account. Then most of the existing encryption or signature schemes are vulnerable to key recovery attack [15,16,17,18,19]. In those schemes, only the message and the signature themselves are taken into account when designing a signature scheme in the original model. Those schemes do not involve the internal information in verifying process as the cause that they are crashed easily. In fact, people cannot verify that how the signature comes from through the original signature model. The forged signature is likely to produce by some equivalent key [20]. Because the signature is generated whether by the exact private key or the equivalent private key are corresponding to the same public key. As indicated in [21], the author describe a key recovery attack for ZHFE (A scheme utilizes as core map two HFE polynomials and the basic idea for the construction comes from the Zhuang-Zi algorithm [22]) using the MinRank approach shows that such linear combinations can be efficiently extracted from the public key and then linear combinations can be efficiently extracted from the public key. Although in some research [23], the authors claim that their scheme is secure against direct and Rank attacks of the Kipnis-Shamir/Bettale type, however there still have some reservations. The situation is only temporary, because the existence of equivalent keys in multivariate public key cryptosystem induces a structural weakness [24]. This point of view is also reflected in [25]. So we have reason to think the weakness the inherent characteristic of classic multivariate public key cryptosystem signature model.

    The idea of key recovery attack is to find another private key and not knowing the exact valid private key of one same public key. This is the fact that multivariate public key cryptosystem has a large number of equivalent redundant keys [13,14]. Therefore, the attacker can use the equivalent private key of the public key to forge a signature without knowing the real private key, and this signature followed from the equivalent private key can also be verified by the public key. Therefore, the forged signature be produced successfully. In this paper, by adding two pairs of public keys and corresponding verification of the crucial internal node information, we propose an improved multivariate signature model resisting the key recovery attack. In this paper we aim to resist the key recovery attack by adding auxiliary information in the verification when the signature is generated. To eliminate all possibility that the signature generated by the equivalent key, which also passes the verification, the additional public key is used to verify its internal node information. So that, the signature can only be generated by the user who has the real legal key and the threat of the key recovery attack can be resisted. The model is generic construction and applicable for existing multivariate scheme's construction, In this paper, we take the classic HFE (Hidden Fields Equations) scheme HFE [26] as an example to illustrate that the advantages of the improved model is more secure than the original model at the expense of taking a little more time. Moreover, the design of the improved signature model is universal and it can be widely applied in existing multivariate schemes.

    The security targets and adversary model of key recovery attack is different from the chosen-message attacks (EUF-CMA) of a signature scheme. EUF-CMA is to prove existentially unforgeable under chosen message attack for a concrete scheme. The key recovery attack here is only to the universal model of the multivariate polynomial public key system and it is a more fundamental issue than the EUF-CMA security of a concrete scheme. The adversary model is he has only the ability of obtaining the equivalent key from the public key and the security aim is to build a universal construction of multivariate signature model which resists the key recovery attack. Because, Wolf [13,14] observed a fact that multiple private keys correspond to one public key is an essential characteristic of multivariate public key system, and up to now, most existing multivariable signature schemes generated by the universal model are often vulnerable to key recovery attack. So we propose an improved multivariate signature model resisting the key recovery attack by adding two pairs of public keys and corresponding verification of the crucial internal node information. Thus this paper mainly analyzes the security and performance of the multivariable universal signature structure in the key recovery attack.

    As for the public key certificate, we give a briefly introduction. Google with block chain is to document valid certificates is a new study and it has good research prospects. While based on the published research, Public Key Infrastructure (PKI) is used to solve the man-in-the-middle attack with certificates that authenticate the transmitted public key in multivariate polynomials public key cryptosystem is the same as that in classic public key cryptosystem. The certificate itself is a linked list of public keys and signatures, where each signature authenticates the next public key under the previous one. The first public key in this link is the root public key of a Certificate Authority, which in the case of web traffic is built into the user's browser [27]. And the transmission of the certificate constitutes a significant bandwidth cost in any key establishment protocol and should consequently be minimized. In [28], the author explains how to transform any MQ signature scheme into one with a much smaller public key at the cost of a larger signature.

    The paper is organized as follows. The preliminaries are briefly described in Section 1. The original signature model of multivariate polynomial cryptosystem was showed in Section 2. Section 3 introduced the improved signature model of multivariate cryptosystem. The comparison of our proposed scheme with the original model is discussed in Section 4. Finally, we conclude this paper in Section 5.

    F is a finite field. (J,Q,S) is the trapdoor information. S and J are randomly selected reversible affine transformations in Fn and Fm, where S:ux=MSu+cSAff1(Fn), and J:yv=MJy+cJAff1(Fm). Q is a central mapping. It is usually made up of m quadratic polynomial equations of n variables: Q(x1,,xn)(q1(x1,,xn),,qm(x1,,xn)).

    The structure is usually open or partially confidential. S and J "hide" the center mapping equation Q. Triple (J,Q,S) is usually as a private key and the corresponding public key is P(x1,,xn)=JQS(x1,,xn)=(p1(x1,,xn),,pm(x1,,xn)).

    Public Key: P.

    Private Key: Q,S,J,.

    The original model of the signature and verification of multivariate public key cryptosystem [29,30] is given as Figure 1.

    Figure 1.  The original signature model of multivariate public key cryptosystem.

    M is a message. Taking a hash function H, we have v=H(M). Then y=J1(v), x=Q1(y) and u=S1(x) are calculated in turn, where S1, J1 and Q1 are reversible affine transformations of private key S, J and the central mapping Q respectively. Vector u=(u1,,un) is the signature of message M.

    A signature u is accepted if v=P(u) using the public key P. As shown in Figure 1, a signature u is accepted if v=P(u) using the public key P. We call the signature u is passed the public key verification and the signature u is a valid signature.

    Definition 1 Equivalent private keys [13,14]: For a cryptosystem, if two (or more) private keys (J1,Q1,S1) and (J2,Q2,S2) Aff1(Fm)×MQ(Fn,Fm)×Aff1(Fn) correspond to the same public key, we call the two (multiple) private keys "equivalent", which have: J1Q1S1=P=J2Q2S2. For example, (J,Q,S) is an equivalent key of the private key (J,Q,S), then according Definition 1, we have JQS=P=JQS. Then for a message v, we get the correct and valid signature u=J1Q1S1(v) by using the private key (J,Q,S). And there is also u=JQS(v) by using the equivalent key (J,Q,S). Be notice that according Definition 1, there is v=P(u)=P(u). That is to say for the fake signature u, there is uu and u can pass the verification.

    Definition 2 Key recovery attack: A public key P is known. This type of attack is to find more intrinsic links between the variables of the public key and to generate more multivariable public key equations which are independent of the original equations, then to solve the equivalent keys from the public key.

    In other words, the key recovery attack depends on linear algebra in all kinds of spaces of homogeneous polynomials [31]. When the attacker finds a decomposition of public key P, that is to say he find the equivalent key J2, S2 (and Q2), and it is very easy to forge a signature in the scheme. For example, the Unbalanced Oil and Vinegar Scheme (UOV) have such an equivalent key with probability roughly [32]. Besides, in some sense, the key recovery attack coincides with the EIP-problem (Extended Isomorphism of Polynomials1) [33]. And the EIP-problem of Matrix-based UOV can be solved in polynomial-time in [34], and then the Matrix-based UOV signature can be forged at appropriate parameters at 80 or 100 security levels. Therefore, key-recovery attack helps find an equivalent key and fork signature by using algebraic structure of concrete trapdoor of scheme.

    1 EIP-problem: Let public key P be nonlinear multivariate systems P=J1Q1S1 with a linear maps, and S1, J1 and trapdoor Q1 belongs to some special class of multivariate polynomial systems, find another decomposition of P such that P=J2Q2S2 with a linear maps S2, J2 and Q2.

    The original signature model is described as Figure 1 in Section 1, and we also hash the message before we make the signature. This is for compression only as in tradition public key cryptosystem. We use secret hash function to generate the public key in the improved model, then we would like to stress that this is only to hide the private key as hash function is irreversible and anti-collision. And we will regard the hash as a random oracle. Moreover, as we know the known quantum decomposition algorithm has no advantage in such as SHA-3.

    Similarly, let F be a finite field and E be a n -th power extension field of F, n-th and m-th extension fields of F are denoted as Fn and Fm respectively. The isomorphic mapping π:EFn is defined from the extended domain to vector space. Take a central mapping Q, two reversible affine transformations S and J.

    Then randomly select a set of n variable quadratic multivariable polynomial equation vector (g1(x1,,xn),,gn(x1,,xn)), which denoted as G, G(x)=(g1(x),,gn(x)), and two one-way irreversible polynomials H and ˜H on Fn. The user's private key consists of Q, S, J and G, all of which are invertible affine transformations. H and ˜H are secretly selected for public key generation. The public key is composed of five parts: P=JQS, HG1S, HS, ˜HQG1S, and ˜HJ1. The signature generation progress and signature verification progress are as shown in Figure 2.

    Figure 2.  The improved signature model of multivariate public key cryptosystem.

    Public Key: F, P, HG1S, HS, ˜HQG1S, ˜HJ1.

    Private Key: Q,G,S,T.

    (1) For message u, the signer uses secret key J to calculate (y1,,ym)=J1(u1,,um) and denotes (y1,,ym) as y;

    (2) The signer calculates (x1,,xn)=Q1(y1,,ym)=π˜Q1π1(y1,,ym) and denotes the result (x1,,xn) as x;

    (3) The signer uses the private key S1 to obtain (v1,,vn)=S1(x1,,xn) and remembers (v1,,vn) as v.

    The signature generation above is the same as that in the original model. v is called forward signature.

    (4) The signer uses private key G to get G(x1,,xn)=(g1(x1,,xn),,gn(x1,,xn))=(g1,,gn) and denotes it as g;

    (5) The signer uses S1 of the private key S to obtain S1(g)=S1G(x)=(vg1,,vgn) and denotes it as vg. vg is the backward signature.

    The concatenated vvg is the final signature of message M.

    (1) The verifier uses the signer's public key to calculate P(v1,,vn) and verifies P(v1,,vn)?=(u1,,um). If it does, then continue with the next step, otherwise reject.

    (2) The verifier takes the forward signature (v1,,vn) into HS to get HS(v1,,vn), which denoted as (h1,,hn). The backward signature (vg1,,vgn) is substituted into the public key HG1S to obtain the result HG1S(vg1,,vgn), which denoted as (h1,,hn). If (h1,,hn) and (h1,,hn) are equal, the signature is valid, otherwise the signature is invalid and rejected.

    (3) The verifier substitutes respectively the backward signature (vg1,,vgn) and message (u1,,um) into public key ˜HQG1S and ˜HJ1 to obtain (˜h1,,˜hm)=˜HQG1S(vg1,,vgn) and (˜h1,,˜hm)=˜HJ1(u1,,un) respectively. If the value (˜h1,,˜hm) is equal to (˜h1,,˜hm), then signature is valid and accepted, otherwise the signature is rejected.

    Suppose the signature vvg is generated according to the above steps. Then we have P(v)=P(S1Q1J1(u1,,um))=PS1Q1J1(u)=JQSS1Q1J1(u)=u, S(v)=(x1,,xn)=G1S(vg), and QG1S(vg)=y=J1(u). The correctness of this algorithm is intuitively clear.

    Claim 1: In the improved multivariate signature model, the probability of finding equivalent keys of a given public key is approaching 0 for some concrete trapdoor structure.

    As is analyzed previously, the multivariate polynomial cryptographic system always has the characteristic of "equivalent key". That is the same public key corresponds to multiple private keys. Therefore, with the help of the key recovery attack, the attacker succeeded in forging signature without the correct private key (J,Q,S). However even the attacker gets an equivalent private key (J,Q,S) in our proposed construction, the probability that he forges a signature is 0. A signature is valid in the improved model, only when it consist of a forward signature v and a backward signature vg and it is verified by verification condition (1), (2) and (3) in Section 3.3. However it is impossible for a signature followed by equivalent key. For a signature ˆvˆvg recovered by an equivalent key (J,Q,S) through the key recovery attack, the forward part is denoted as ˆv, and the backward part is denoted as ˆvg. We say it would still unable to pass verification condition 2 and 3. In condition 2, the public keys HS and HG1S restrict the internal note information x for correct signature vvg and x is generated by correct private key J,S. Similarly, in condition 3, the public keys ˜HQG1S and ˜HJ1 restrict the internal note information y for correct signature vvg and y is generated by correct private key J. However, the equality probability of the equivalent J and the right J is p(J=J)=1/1qmqm. Similarly, the equality probability of the equivalent (J,S) and the right (J,S) is p(J=JS=S)=1/1qmnqmn. Moreover, if an attacker randomly guesses a forward signature ˆv and a backward signature ˆvg, the probability of correct guess for p(ˆv=vˆvg=vg) is 1q2n.

    Therefore the improved model can effectively help multivariate scheme to resist the key recovery attack and forking signature.

    HFE is one classical multivariate polynomial cryptosystem [26]. However it was broken by recovering the secret key from the public key by linearization technique, which is belong to key recovery attack [35].

    In this section, by comparing HFE scheme in the original model and the improved model, we shows that the new improved model enhance the security of the HFE scheme and help HFE resist and key recovery attack of the linearization technique.

    Let F be an q order finite field and E be a n-th power extension field of F. The isomorphic mapping π:EFn is defined from the extended domain to vector space. The central map of HFE is homogeneous polynomials (the lower degree monomials can be ignored for they have no impact on security):

    ˜Q(X):=0i,jdqi+qjdCi,jXqi+qj

    where i,jN, dN. The second-order coefficients Ci,jE is randomly selected. The degree qi and qj must be less than some parameter d to be resolved. Then central map Q(x1,,xn) is quadratic mapping from F to F : Q(x1,,xn)=(q1(x1,,xn),,qn(x1,,xn))=π˜Qπ1(x1,,xn).

    P=JπQπ1S(x)=JQS(x) is public key. J and S are private keys.

    Kipins and Shamir broke the HFE scheme using linearization technique by key recovery attack, and the idea is given as follows [35,36].

    We take a set of εm2 quadratic equations in m variables x1,,xm, where ε is constant. It can be rewritten as a new set of εm2 linear equations in the approximately m2/m222 new variables yij=xixj, where ij. Then for any 4-tuple xaxbxcxd of indices 1abcdm, it is parenthesized in three different ways:

    (xaxb)(xcxd)=(xaxc)(xbxd)=(xaxd)(xbxc)yabycd=yacybd=yadybc.

    .

    Then there are about m4/m44!4! different ways to choose from the sorted 4-tuples of distinct indices, and each choice gives rise to 2 equations. Thus there are about m4/m41212 quadratic equations in the m2/m222 yij variables, and these equations are linearly independent. By replacing each one of the yij variables via its parametric representation as a linear combination of the new (1/2ε)m2zi variables, the number of variables is decreased to (1/122ε)m2. The new m4/m41212 quadratic equations in the new (1/122ε)m2 zi variables can be linearized again by replacing each product zizj for ij by new variables vij, which is called the relinearization technique and is belong to key recover attack. Then the new system has m4/m41212 linear equations in ((1/122ε)m2)2/((1/122ε)m2)222 variables vij.

    The relinear process is summarized as follows.

    Table 1.  The process of the relinearization technique.
    The number of the equations The number of the variables Variables
    εm2 m x1,,xm
    m4/m41212 m2/m222 yij=xixj
    m4/m41212 (1/122ε)m2 zk=yij
    m4/m41212 ((1/122ε)m2)2/((1/122ε)m2)222 vij=zizj

     | Show Table
    DownLoad: CSV

    When m4/m41212((1/122ε)m2)2/((1/122ε)m2)222, that is ε1/1221/1660.1, the linear system is resolved uniquely by Gauss linearization. Therefore, HFE Scheme under original model was broken by the key recovery attack.

    In the improved signature model, as analysis in Section 2.4, for the same message (u1,,um), the signature changes from the original to two parts, v1,,vn and vg1,,vgn. When verifying that whether the PAlice(v1,,vn) is equal to (u1,,un), namely using the original public key PAlice, it is necessary to verify that whether the HG1SAlice(v1,,vn) associated with the private key is equal to the HSAlice(vg1,,vgn) and whether the ˜HJ1Alice(u1,,un) is equal to ˜HQG1SAlice(vg1,,vgn). This shows that only when all three conditions are verified, v1,,vnvg1,,vgn can be obtained. Thus it is a valid signature. That is to say, the verification under the new model involves not only the message u and signature v, but also the verification of the internal node information. And according the recommended choice, such as q=GF(2)128 and suitable parameters m and n for HFE in [35], the probabilities finding the equivalent keys in Section 2.4 are all close to 0.

    Therefore, the improved model is guaranteed that each signature is generated by the correct private key of the legitimate user, which prevents the equivalent key from recovering and signature from forging by the key recovery attack.

    As shown in the original model, the kernel polynomials q1,qm are m polynomials in n variables of degree 2, since for any integer d, xxqd is a linear function of FnFn [26]. In the original model, the time of signature generation include the inverse of affine transformation S, the inverse of central mapping Q and the inverse of affine transformation T, so the time complexity is (O[m2+dmn(n1)2+n2]). Similarly, the time complexity of the verification process is (O[m(n(n1)2+n+1)]). In the improved model, the signature generation of HFE has the same time complexity as in the original model. However, the time of signature verification has a little more than that in original model, for there are two additional verification conditions. Thus the total time complexity of the verification is O[m(n(n1)2+n+1)+n+m]. The comparison of HFE in the original model and the improved model are as Table 2.

    Table 2.  The comparison of computation complexity for HFE in the original model and the improved Model.
    Scheme The signature generation The signature verification
    HFE in the original model O[m2+dmn(n1)2+n2] O[m(n(n1)2+n+1)]
    HFE in the improved model O[m2+dmn(n1)2+n2] O[m(n(n1)2+n+1)+n+m]

     | Show Table
    DownLoad: CSV

    Then we easily can get the computation complexity for some parameter, such as m = n = 128 or 160 [26].

    The evaluation is conducted through experiment assessing the time cost of the proposed scheme on a computer with Windows7 Intel i5-4570S-2.90GHz CPU and 8-GB RAM. For the convenience of comparative analysis, we set m=n in experiment. All results presented here are the average value in 100 different messages. The cost of signature depends on the computation of ˜Q1. With the help of Magma V2.12-16, we take efficient FM algorithm. Consider the parameter d is not be too big and it will be out of our memory or system resources for larger input parameter, we list some corresponding signature and verification time for about 22q28, 4n64 and 3d7 in Table 3. To achieve higher security requirements, larger parameters can be taken.

    Table 3.  The average signature and verification time for HFE in 1000 messages.
    Model q n d signature time(s) verification time(s)
    HFE in 4 4 3 0.001 0.001
    original 8 4 3 0.002 0.002
    model 16 4 3 0.041 0.003
    32 4 3 0.229 0.005
    64 4 3 1.792 0.009
    128 4 3 8.903 0.014
    256 4 3 64.314 0.016
    8 8 3 0.012 0.003
    8 16 3 0.19 0.043
    8 32 3 5.473 1.285
    8 64 3 220.149 36.785
    HFE in 4 4 3 0.002 0.002
    improved 8 4 3 0.002 0.006
    model 16 4 3 0.041 0.094
    32 4 3 0.248 0.531
    64 4 3 1.681 3.570
    128 4 3 8.700 19.589
    256 4 3 63.781 120.097
    8 8 3 0.014 0.022
    8 16 3 0.264 0.191
    8 32 3 7.705 4.047
    8 64 3 367.086 132.242

     | Show Table
    DownLoad: CSV

    The speed of verification is faster than the signature in these two models, since the signature needs to compute the ˜Q1 while the verification is only to compute common modulo additions and multiplications on finite field. The parameter q, n and d in HFE takes a large number, then the overload of signature or verification will be very large. Both signature time and verification time in improved model is increased compared with those in the original model. It is easy to understand that the small-scale increase of parameters leads to the signature and verification time in a highly non-linear fashion. This basically conforms to the nonlinear properties of central map of multivariate polynomials cryptosystem.

    To provide the detailed differences of small values, we give two classifications by parameters according the Table 3 and evaluate the logarithm of these times in following figures.

    Fix q=23, the comparing results with different degree and number of equations (n,d) is presented in Figure 3. It shows that the more equations or degrees, the greater the consumption. Especially, when n is double, the signature and verification time is increased to several dozen times in these two models. It is similar when the degree d is large.

    Figure 3.  The comparison of HFE in original and improved model with q=23.

    Fix n=4,d=3, the comparing results with different size of finite field q is presented in Figure 4. We also conclude that the larger size of finite field, the greater the consumption, furthermore in the form of nonlinear approach to exponential growth. The verification time in the improved model is increased much more than the original model. For there are three verification conditions in the improved model while only one verification condition in the original model. However, the indicators of signature time are not very different from each other, and no significant difference is shown.

    Figure 4.  The comparison of HFE in original and improved model with n=4,d=3.

    The existing signature model of multivariate system does not take the potential hazard of the key recovery attack at the initial design into account. To overcome the defect, this paper proposes an improved signature model. In the new model, a strengthening public key verification progress of verifying the internal information is proposed to inhibit the forged signature brought with the key recovery attack effectively. Finally, we take the classical scheme HFE as an example to illustrate that the new model can effectively resist key recovery attacks. It provides a useful supplement to the design and research of secure digital signature schemes in the quantum age.

    This work is supported by National Key R & D Program of China (No.2017YFB0802000), the National Natural Science Foundation of China (61572303, 61772326, 61802241, 61802242), National Cryptography Development Fund during the 13th Five-year Plan Period (MMJJ20180217), the Foundation of State Key Laboratory of Information Security (2017-MS-03) and the Doctoral Scientific Fund Project of Shaanxi University of Science & Technology, China (No. BJ11-12).

    All authors declared that we have no conflicts of interest to this work.



    [1] A. Huelsing, D. Butin, S. Gazdag, et al., XMSS: eXtended Merkle Signature Scheme, RFC 8391 (May 2018). Available from: https://tools.ietf.org/html/rfc8391.
    [2] R. E. Bansarkhani and R. Misoczki, G-Merkle: A hash-based group signature scheme from standard assumptions, PQCrypto, (2018), 441–463.
    [3] Y. Ashino and R. Sasaki, Proposal of digital forensic system using security device and hysteresis signature, IEEE Compt. Soc., 2 (2008), 3–7.
    [4] S. Tezuka, R. Uda and K. Okada, ADEC: Assured deletion and verifiable version control for cloud storage, AINA, 11 (2012), 23–30.
    [5] Shor and W. Peter, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SICOMP, 41 (1999), 1484–1509.
    [6] J. Ding and B. Yang, Multivariate public key cryptography, PQCrypto, (2008), 193–234.
    [7] M. Garay and D. Johnson, Computers and intractability: a guide to the theory of NP-Completeness, New York, USA, W.H. Freeman and Company, 1979.
    [8] A. Kipnis, J. Patarin and L. Goubin, Unbalanced oil and vinegar signature schemes, Eurocrypt, (1999), 206–222.
    [9] J. Ding and D. Schmidt, Rainbow, a new multivariable polynomial signature scheme, Appl. Cryptogr. Net. Secur., (2005), 164–175.
    [10] M. S. Chen, A. Hülsing, J. Rijneveld, et al., From 5-pass MQ-based identification to MQ-based signatures, International Conference On, Part II. Springer-Verlag New York, Inc., (2016), 135–165.
    [11] A. Petzoldt, A. Szepieniec and M. S. E. Mohamed, A practical multivariate blind signature scheme, International Conference on Financial Cryptography & Data Security. Springer, Cham, (2017), 437–454.
    [12] Y. Hashimoto, Key recovery attacks on multivariate public key cryptosystems derived from quadratic forms over an extension field, IEICE T. Fund. Electr., 100 (2017), 18–25.
    [13] C. Wolf and B. Preneel, Large superfluous keys in multivariate quadratic asymmetric systems, PKC, (2005), 275–287.
    [14] C. Wolf and B. Preneel, Equivalent keys in HFE, c* , and variations, Mycrypt, (2005), 33–49.
    [15] J. C. Faugère, D. Gligoroski, L. Perret, et al., A polynomial-time key-recovery attack on MQQ cryptosystems, IACR International Workshop on Public Key Cryptography. Springer, Berlin, Heidelberg, (2015), 150–174.
    [16] N. Courtois, A. Klimov, J. Patarin, et al., Efficient algorithms for solving overdefined systems of multivariate polynomial equations, Proc. Eurocrypt, (2000), 392–407.
    [17] A. Biryukov, C. D. Christophe, B. An, et al., A toolbox for cryptanalysis: Linear and affine equivalence algorithms, Lect. Notes Comput. Sci., (2003), 33–50.
    [18] Y. H. Hu, L. C. Wang, C. Y. Chou, et al., Similar keys of multivariate quadratic public key cryptosystems, International Conference on Cryptology & Network Security. Springer-Verlag, (2005), 211–222.
    [19] C. Bouillaguet, P. A. Fouque, A. Joux, et al., A family of weak keys in HFE and the corresponding practical key-recovery, J. Math. Cryptol., 5 (2012), 247–275.
    [20] H. Wang, H. Zhang and S. Tang, Key recovery on several matrix public-key encryption schemes, IET Inform. Secur., 10 (2016), 152–155.
    [21] D. Cabarcas, D. Smith-Tone and J. A. Verbel, Key recovery attack for ZHFE, International Workshop on Post-quantum Cryptography. Springer, Cham, (2017), 289–308.
    [22] J. Porras, J. Baena and J. Ding, ZHFE, a new multivariate public key encryption scheme, International Workshop on Post-Quantum Cryptography, (2014), 229–245.
    [23] A. Petzoldt, M. S. Chen , J. Ding, et al., HMFEv-an efficient multivariate signature scheme, International Workshop on Post-Quantum Cryptography. Springer, Cham, (2017), 205–223.
    [24] L. Bettale, J. C. Faugère and L. Perret, Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic, Design. Code. Cryptogr., 69 (2013), 1–52.
    [25] J. Vates and D. Smith-Tone, Key recovery attack for all parameters of HFE-, PQCrypto, (2017), 272–288.
    [26] J. Patarin, Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms, Eurocrypt, (1996), 33–48.
    [27] A. Szepieniec, W. Beullens and B. Preneel, MQ signatures for PKI, PQCrypto, (2017), 224–240.
    [28] A. Szepieniec and B. Preneel, Block-anti-circulant unbalanced oil and vinegar, (2019). Available from: https://eprint.iacr.org/2019/046.pdf.
    [29] D. J. Bernstein, J. Buchmann and E. Dahmen, Introduction to post-quantum cryptography, Post-Quantum Cryptography, 1st ed. New York, USA: Springer, Heidelberg, 2010.
    [30] Y. Hashimoto, Multivariate public key cryptosystems, Math. Model.r Next-Gen. Cryptogr., 29 (2017), 17–42.
    [31] H. Gilbert, J. Plût, and J. Treger, Key-recovery attack on the ASASA cryptosystem with expanding S-boxes, Advances in Cryptology-CRYPTO 2015. Springer Berlin Heidelberg, (2015), 475–490.
    [32] E. Thomae, About the security of multivariate quadratic public key schemes, Ph.D thesis, Ruhr-University in Bochum, Germany, 2013.
    [33] A. Petzoldt, Selecting and reducing key sizes for multivariate cryptography, Ph.D thesis, Technische Universität Darmstadt in Germany, 2013.
    [34] C. Park, Cryptanalysis of matrix-based UOV, Finite Fields Th. App., 50 (2018), 209–221.
    [35] A. Kipnis and A. Shamir, Cryptanalysis of the HFE public key cryptosystem by relinearization, Proc. Crypto, (1999), 19–30.
    [36] Y. Hashimoto, On the security of HMFEv, (2017). Available from: https://www.researchgate.net/publication/318543302_On_the_security_of_HMFEv.
  • This article has been cited by:

    1. Wenjuan Zhang, Gang Li, An Efficient and Secure Data Transmission Mechanism for Internet of Vehicles Considering Privacy Protection in Fog Computing Environment, 2020, 8, 2169-3536, 64461, 10.1109/ACCESS.2020.2983994
    2. Nacer Ghadbane, On Public-key Cryptosystem Based on the Problem of Solving a Non-Linear System of Polynomial Equations, 2020, 8, 1991-8755, 106, 10.37394/232018.2020.8.13
    3. Yifeng Yin, Zhaobo Wang, Wanyi Zhou, Yong Gan, Yanhua Zhang, Group key agreement protocol for edge computing in industrial internet, 2022, 19, 1551-0018, 12730, 10.3934/mbe.2022594
    4. Yongyan Hou, Baiyang Dong, Wenqiang Guo, Xin Wang, Qinkun Xiao, A Triple Unlocking Mechanism Model Against Forging Signature Attack Based on Multivariate Polynomial Public Key Cryptosystem, 2023, 11, 2169-3536, 134614, 10.1109/ACCESS.2023.3338025
    5. Jalaja Valisireddy, S Balakrishna, L Narendra Mohan, Kotte Amaranadha Reddy, Devendra Jangiti, G G Rajasekhar, 2024, Integration of a Conjugacy over Non-Commutative Ring in Digital Signature Mechanism, 979-8-3503-7274-8, 481, 10.1109/ICC-ROBINS60238.2024.10533925
  • Reader Comments
  • © 2019 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)
通讯作者: 陈斌, bchen63@163.com
  • 1. 

    沈阳化工大学材料科学与工程学院 沈阳 110142

  1. 本站搜索
  2. 百度学术搜索
  3. 万方数据库搜索
  4. CNKI搜索

Metrics

Article views(4511) PDF downloads(477) Cited by(5)

Figures and Tables

Figures(4)  /  Tables(3)

Other Articles By Authors

/

DownLoad:  Full-Size Img  PowerPoint
Return
Return

Catalog