HMFEv - An Efficient Multivariate Signature Scheme

Abstract

Multivariate Cryptography, as one of the main candidates for establishing post-quantum cryptosystems, provides strong, efficient and well-understood digital signature schemes such as UOV, Rainbow, and Gui. While Gui provides very short signatures, it is, for efficiency reasons, restricted to very small finite fields, which makes it hard to scale it to higher levels of security and leads to large key sizes.

In this paper we propose a signature scheme called HMFEv (“Hidden Medium Field Equations”), which can be seen as a multivariate version of HFEv. We obtain our scheme by applying the Vinegar Variation to the MultiHFE encryption scheme of Chen et al. We show both theoretically and by experiments that our new scheme is secure against direct and Rank attacks. In contrast to other schemes of the HFE family such as Gui, HMFEv can be defined over arbitrary base fields and therefore is much more efficient in terms of both performance and memory requirements. Our scheme is therefore a good candidate for the upcoming standardization of post-quantum signature schemes.

A Results of Our Computer Experiments with the Direct Attack Against HMFEv Systems over Small Fields

In this section we present the results of our computer experiments with the direct attack against HMFEv schemes over small fields. In particular, we wanted to answer the questions

1. 1.

   Is the concrete choice of k and v (or only their sum) important for the degree of regularity of a direct attack against the scheme? and

2. 2.

   Is the upper bound on \(d_\mathrm{reg}\) given by Eq. (5) reasonably tight?

In order to answer the first question, we performed experiments of the following type: For fixed values of q and \(s=k+v\), we varied the values of k and v. We then created the public systems of the corresponding HMFEv instances (for different values of \(\ell \)) and solved these systems using the \(F_4\) algorithm integrated in MAGMA. The experiments were (like all the experiments presented in this paper) performed on a server with 16 AMD Opteron cores (2.4 GHz) and 128 GB of RAM. However, as MAGMA is not parallelizable, our programs use only one core.

In our experiments, we fixed the field \(\mathbb {F}\) to be GF(2) and the sum \(s=k+v\) to be 9. We varied v in the interval \(I=\{0, \dots , 8\}\) and created HMFEv(GF(2), \(s-v\), \(\ell \), v) instances (for increasing values of \(\ell \)). After that, we fixed v of the variables to get a determined system and solved the resulting public systems by the \(F_4\) algorithm integrated in MAGMA. Table 5 shows, for \(v \in I\), the highest degree of regularity we observed in these experiments. For each parameter set, we performed 10 experiments.

Table 5. Degree of regularity of HMFEv systems over GF(2) with \(k+v=9\)

As the experiments show, the concrete ratio between k and v has, as long as we choose v and k not too small, no influence on the degree of regularity of solving the public systems of HMFEv. For HMFEv schemes over larger fields the importance of the concrete choice of k and v decreases further, since those systems behave much more like random systems (see Sect. 6.2). We therefore choose, in order to increase the efficiency of our scheme, the parameter \(k \in \{2,3\}\) and increase v to reach the required level of security.

Is the Upper Bound on \({{\varvec{d}}_\mathbf{reg }}\) Given by Eq. (5) Reasonably Tight?

In order to answer this second question, we created for fixed values of q, k and v and varying values of \(\ell \) public systems of HMFEv and solved them with the \(F_4\) algorithm integrated in MAGMA. We increased the value of \(\ell \) and therefore the numbers of equations and variables in the system until we reached the upper bound of (5) or ran out of memory.

It is obvious that we can only hope to find such systems for small field sizes. We therefore restricted to values of \(q \in \{2,3\}\).

By doing so, we identified the following “tight” instances of HMFEv

Scheme	Upper bound on \(d_{reg}\) (Eq. (5))	Experimental result
HMFEv(GF(2),1,\(\ell \),2)	3	3 for \(\ell \ge 9 (n \ge 9)\)
HMFEv(GF(2),2,\(\ell \),3)	4	4 for \(\ell \ge 9 (n \ge 18)\)
HMFEv(GF(2),3,\(\ell \),4)	5	5 for \(\ell \ge 10 (n \ge 30)\)
HMFEv(GF(3),1,\(\ell \),2)	5	5 for \(\ell \ge 18 (n \ge 18)\)

For most other HMFEv instances with \(q \in \{2,3\}\) and \(k+v \le 9\) we missed the upper bound given by Eq. (5) only by 1.

We believe that, also for these systems, we could have reached the upper bound given by Eq. (5) by increasing the parameter \(\ell \) further. However, we did not have the necessary memory resources to solve HMFEv systems with more than 35 equations.