Lite-Rainbow: Lightweight Signature Schemes Based on Multivariate Quadratic Equations and Their Secure Implementations

Abstract

Rainbow signature scheme based on multivariate quadratic equations is one of alternatives to guarantee secure communications in the post-quantum world. Its speed is about dozens of times faster than classical public-key signatures, RSA and ECDSA, while its key size is much heavier than those of the classical ones. We propose lightweight variants of Rainbow, Lite-Rainbow-0 and Lite-Rainbow-1, for constrained devices. By replacing some parts of a public key or a secret key with small random seeds via a pseudo-random number generator, we reduce a public key in Lite-Rainbow-1 and a secret key in Lite-Rainbow-0 by factors 71 % and 99.8 %, respectively, compared to Rainbow. Although our schemes require additional costs for key recovery processes, they are still highly competitive in term of performance. We also prove unforgeability of our scheme with special parameter sets in the random oracle model under the hardness assumption of the multivariate quadratic polynomial solving problem. Finally, we propose countermeasures of Rainbow-like schemes against side channel attacks such as power analysis for their secure implementations.

Appendix

The most general security notion of a public-key signature (PKS) scheme is existential unforgeability under an adaptively chosen-message attack (EUF-acma). Its formal security model is defined as follows:

Unforgeability of Signature Schemes Against EUF-acma. An adversary \(\mathcal A\)’s advantage \(Adv_{\mathcal{PKS}, \mathcal{A}}\) is defined as its probability of success in the following game between a challenger \(\mathcal C\) and \(\mathcal A\):

• Setup. The challenger runs Setup algorithm and its resulting system parameters are given to \(\mathcal A\).

• Queries. \(\mathcal A\) issues the following queries:

  • Sign Query: Adaptively, \(\mathcal A\) requests a signature on a message m \(_i\), \(\mathcal C\) returns a signature \(\sigma _i\).

• Output. Eventually, \(\mathcal A\) outputs \(\sigma ^*\) on a message \(\mathtt{m}^*\) and wins the game if (i) Verify \((\mathtt{m}^*, \sigma ^*)=1\) and ii) \(\mathtt{m}^*\) has never requested to the Sign oracle.

Definition 2. A forger \(\mathcal A\) \((t, g_H, q_S, \epsilon )\)-breaks a PKS scheme if \(\mathcal A\) runs in time at most t, \(\mathcal A\) makes at most \(q_H\) queries to the hash oracle, \(q_S\) queries to the signing oracle and \(Adv_{\mathcal{PKS}, \mathcal{A}}\) is at least \(\epsilon \). A PKS scheme is \((t, q_E, q_S, \epsilon )\)-EUF-acma if no forger \((t, q_H, q_S, \epsilon )\)-breaks it in the above game.

Theorem 1. If the MQ-problem is \((t', \varepsilon ')\)-hard, Lite-Rainbow-1\((K, v_1, o_1, o_2)\) is \((t, q_{H}, q_S, q_\mathcal{G}, \varepsilon )\)-existential unforgeable against an adaptively chosen message attack, for any t and \(\varepsilon \) satisfying

$$\begin{aligned} \varepsilon \ge \texttt {e} \cdot (q_S+1) \cdot \varepsilon ', \ t' \ge t+q_H \cdot c_V+q_S \cdot c_S+c_\mathcal{G}, \end{aligned}$$

where \(\texttt {e}\) is the base of the natural logarithm, and \(c_S\), \(c_V\) and \(c_\mathcal{G}\) are time for a signature generation, a signature verification and a \(\mathcal G\) evaluation to recover some parts of a public key, respectively, provided that the parameter set \((K, v_1, o_1, o_2)\) is chosen to be resistant to the KRAs.

Proof. A random instance of the MQ-problem \((\mathcal{P}, \eta )\) is given. Suppose that \(\mathcal A\) is a forger who breaks Lite-Rainbow-\(1(K, v_1, o_1, o_2)\) with the target public key \(\mathcal P\). By using \(\mathcal A\), we will construct an algorithm \(\mathcal B\) which outputs a solution x \(\in K^n\) such that \(\mathcal{P}(\mathbf{x})=\eta \). Algorithm \(\mathcal B\) performs the following simulation by interacting with \(\mathcal A\).

Setup. Algorithm \(\mathcal B\) chooses a random seed se and set \(PK=(\mathsf{se}, P_{12}, P_R, P_{L12})\) as a public key, where \(P_{12}, P_R, P_{L12}\) are the corresponding parts of \(\mathcal P\).

At any time, \(\mathcal A\) can query random oracles, \(\mathcal G\) and H, and Sign oracle. To answer these queries, \(\mathcal B\) does the following:

To respond to H-queries, \(\mathcal B\) maintains a list of tuples (m \(_i, c_i, \tau _i, \mathcal{P}(\tau _i))\) as explained below. We refer to this list as H -list. When \(\mathcal A\) queries H at a point m \(_i \in \{0, 1\}^*\),

1. If the query already appears on H -list in a tuple (m \(_i, c_i, \tau _i,\) \(\mathcal{P}(\tau _i))\) then \(\mathcal B\) returns H(m \(_i)=\mathcal{P}(\tau _i)\).

2. Otherwise, \(\mathcal B\) picks a random coin \(c_i \in \{0, 1\}\) with \(Pr[c_i=0]=\frac{1}{q_S+1}\).

• If \(c_i=1\) then \(\mathcal B\) chooses a random \(\tau _i \in K^n\), adds a tuple \((\mathtt{m}_i, c_i, \tau _i, \mathcal{P}(\tau _i))\) to H -list and returns H(m \(_i)=\mathcal{P}(\tau _i)\).

• If \(c_i=0\) then \(\mathcal B\) adds (m \(_i, c_i, *, \eta )\) to H -list from the instance, and returns \(H(\mathtt{m}_i)=\eta \).

Sign Queries. When \(\mathcal A\) makes a Sign-query on m \(_i\), \(\mathcal B\) finds the corresponding tuple (m \(_i, c_i, \tau _i, \mathcal{P}(\tau _i))\) from H -list.

• If \(c_i=1\) then \(\mathcal B\) responds with \(\tau _i\).

• If \(c_i=0\) then \(\mathcal B\) reports failure and terminates.

To verify a signature, \(\mathcal A\) has to query the random oracle \(\mathcal G\).

To verify a signature, \(\mathcal A\) must query the oracle \(\mathcal G\). When \(\mathcal A\) queries G at a point \(\mathsf{se} \in \{0, 1\}^\lambda \), \(\mathcal B\) returns \(\mathcal{G}(\mathsf{se})=(P_{11}, P_{21}, P_{22}, P_{L11}, P_{L21}, P_{L22}, P_C)\), where \(P_{11}, P_{21}, P_{22}, P_{L11}, P_{L21}, P_{L22}, P_C\) are the corresponding parts of \(\mathcal P\).

All responses to Sign queries not aborted are valid. If \(\mathcal B\) doesn’t abort as a result of \(\mathcal A\)’s Sign query then \(\mathcal A\)’s view in the simulation is identical to its view in the real attack.

Output. Finally, \(\mathcal A\) produces a signature x \(^*\) on a message m \(^*\). If it is not valid then \(\mathcal B\) reports failure and terminates. Otherwise, a query on \(m^*\) already appears on H -list in a tuple (m \(^*, c^*, \tau ^*, \mathcal{P}(\tau ^*))\): if \(c_*=1\) then reports failure and terminates. Otherwise, \(c^*=0\), i.e., (\(c^*\), m \(^*\), *, \(\eta \)), then \(\mathcal{P}\)(x \(^*\)) = \(\eta \). Finally, \(\mathcal B\) outputs x \(^*\) is a solution of \(\mathcal P\).

To show that \(\mathcal B\) solves the given instance with probability at least \(\varepsilon '\), we analyze four events needed for \(\mathcal B\) to succeed:

• \(E_1\): \(\mathcal B\) doesn’t abort as a result of \(\mathcal A\)’s Sign query.

• \(E_2\): \(\mathcal A\) generates a valid and nontrivial signature forgery \(\sigma \) on m \(_i\).

• \(E_3\): Event \(E_2\) occurs, \(c_i=0\) for the tuple containing m \(_i\) in the H -list.

Algorithm \(\mathcal B\) succeeds if all of these events happen. The probability \(Pr[E_1 \wedge E_3]\) is decomposed as

$$\begin{aligned} Pr[E_1 \wedge E_3]=Pr[E_1] \cdot Pr[E_2 \wedge E_1] \cdot Pr[E_3|E_1 \wedge E_2] \cdot (*). \end{aligned}$$

The probability that \(\mathcal B\) doesn’t abort as a result of \(\mathcal A\)’s Sign query is at least \((1-\frac{1}{q_S+1})^{q_S}\) since \(\mathcal A\) makes at most \(q_S\) queries to the Sign oracle. Thus, \(Pr[E_1] \ge (1-\frac{1}{q_S+1})^{q_S}\). If \(\mathcal B\) doesn’t abort as a result of \(\mathcal A\)’s Sign query then \(\mathcal A\)’s view is identical to its view in the real attack. Hence, \(Pr[E_1 \wedge E_2] \ge \varepsilon \). Given that events \(E_1\), \(E_2\) and \(E_3\) happened, \(\mathcal B\) will abort if \(\mathcal A\) generates a forgery with \(c_i=1\). Thus, all the remaining \(c_i\) are independent of \(\mathcal A\)’s view. Since \(\mathcal A\) could not have issued a signature query for the output we know that c is independent of \(\mathcal A\)’s current view and therefore \(Pr[c=0|E_1 \wedge E_2] =\frac{1}{q_S+1}\). Then we get \(Pr[E_3|E_1 \wedge E_2] \ge \frac{1}{q_S+1}\). From \((*)\), \(\mathcal B\) produces the correct answer with probability at least

$$\begin{aligned} (1-\frac{1}{q_S+1})^{q_S} \cdot \varepsilon \cdot \frac{1}{q_S+1} \ \ge \ \frac{1}{\texttt {e}} \cdot \frac{\varepsilon }{(q_S+1)} \ \ge \ \varepsilon '. \end{aligned}$$

Algorithm \(\mathcal B\)’s running time is the same as \(\mathcal A\)’s running time plus the time that takes to respond to \(q_H\) H-queries, and \(q_S\) Sign-queries. The H- and Sign-queries require a signature verification and a signature generation, respectively. We assume that a signature generation, a signature verification and a \(\mathcal G\) evaluation to recover some parts of a public key take time \(c_S\), \(c_V\) and \(c_\mathcal{G}\), respectively. Hence, the total running time is at most \(t' \ge t+q_H \cdot c_V+q_S \cdot c_S+c_\mathcal{G}\).         \(\square \)