A New Variant of Unbalanced Oil and Vinegar Using Quotient Ring: QR-UOV

Abstract

The unbalanced oil and vinegar signature scheme (UOV) is a multivariate signature scheme that has essentially not been broken for over 20 years. However, it requires the use of a large public key; thus, various methods have been proposed to reduce its size. In this paper, we propose a new variant of UOV with a public key represented by block matrices whose components correspond to an element of a quotient ring. We discuss how it affects the security of our proposed scheme whether or not the quotient ring is a field. Furthermore, we discuss their security against currently known and newly possible attacks and propose parameters for our scheme. We demonstrate that our proposed scheme can achieve a small public key size without significantly increasing the signature size compared with other UOV variants. For example, the public key size of our proposed scheme is 85.8 KB for NIST’s Post-Quantum Cryptography Project (security level 3), whereas that of compressed Rainbow is 252.3 KB, where Rainbow is a variant of UOV and is one of the third-round finalists of the NIST PQC project.

Appendices

Appendix A: Transformation on Polynomial Matrix from a Reducible Polynomial

First, we discuss the case in which f is reducible and decomposed into distinct irreducible polynomials.

Theorem 4

Let \(f \in {\mathbb F}_q [x]\) be a reducible polynomial with \(\deg {f} = \ell \) and W be an invertible matrix such that every element of \(W A_f\) is a symmetric matrix. If \(f=f_1 \cdots f_k\) \((k \in \mathbb N)\), where \(f_1, \dots , f_k\) are distinct and irreducible, and \(\deg {f_1} \le \cdots \le \deg {f_k}\), then there exists an invertible matrix \(L \in {\mathbb F}_q ^{\ell \times \ell }\) and \(i \in \{ 1, \dots , \ell -1 \}\) such that for any \(X \in W A_f\),

$$\begin{aligned} L ^{\top } X L = \left( {\begin{array}{cc} {*_{i\times i}} &{} {0_{i \times (\ell -i)}} \\ {0_{(\ell -i) \times i}} &{} {*_{(\ell -i) \times (\ell -i)}} \\ \end{array} } \right) . \end{aligned}$$

(14)

Proof

We first prove that every element of \(A_f W^{-1}\) is symmetric. For any \(g \in {\mathbb F}_q [x] / (f)\),

$$\begin{aligned} (\varPhi _g^f W^{-1})^\top= & {} W^{-\top } (\varPhi _g^f)^\top \\= & {} W^{-\top } (\varPhi _g^f)^\top W W^{-1} \\= & {} W^{-\top } (W \varPhi _g^f)^\top W^{-1} \quad (\because W \ \mathrm {is}\ \mathrm {symmetric}.) \\= & {} W^{-\top } W \varPhi _g^f W^{-1} \\= & {} \varPhi _g^f W^{-1}. \end{aligned}$$

Therefore, every element of \(A_f W^{-1}\) is symmetric.

As f is reducible, there exists \(a,b \in {\mathbb F}_q [x] / (f)\) such that \(a \cdot b =0\). Then, for any \(g \in {\mathbb F}_q [x] / (f)\),

$$\begin{aligned} (\varPhi _a^f W^{-1})^{\top } (W \varPhi _g^f) (\varPhi _b^f W^{-1})= & {} \varPhi _{a \cdot g \cdot b}^f W^{-1} \\= & {} \varPhi _{0}^f W^{-1} = 0_{\ell \times \ell }. \end{aligned}$$

We assume that \(L \in {\mathbb F}_q ^{\ell \times \ell }\) is designed such that the first i column vectors of L are chosen from the column vector space of \(\varPhi _a^f W^{-1}\), and the other \((\ell -i)\) column vectors of L are chosen from the column vector space of \(\varPhi _b^f W^{-1}\). Then, Eq. (14) explicitly holds from the above equation.

We next show that there exists an invertible such an invertible matrix L. We take \(a = f_1\) and \(b = f_2 \cdots f_k\) (here, \(f_1,\dots ,f_k\) are seen as elements of \({\mathbb F}_q [x] / (f)\).) and prove that \(\mathrm{rank}\,\varPhi _a^f = \deg {b}\) (\(\mathrm{rank}\,\varPhi _b^f = \deg {a}\)). We use the bijective map \(V_1\) used in the proof of Theorem 2. From Eq. (7), for any \(c \in {\mathbb F}_q [x] / (f)\),

$$\begin{aligned} a \cdot c = 0 \Leftrightarrow \varPhi _a^f \cdot V_1(c) = \mathbf {0}. \end{aligned}$$

As there is no \(c \in {\mathbb F}_q [x] / (f)\) such that \(a \cdot c = 0\) and \(\deg {c} < \deg {b}\), the first \(\deg {b}\) column vectors are linearly independent. Furthermore, as \(\varPhi _a^f \cdot V_1(b) = \mathbf {0},\) \(\varPhi _a^f \cdot V_1(xb) = \mathbf {0}, \dots , \varPhi _a^f \cdot V_1(x^{\deg {a}-1} b) = \mathbf {0}\), we have \(\mathrm{rank}\,\varPhi _a^f = \deg {b}\). Similarly, it is proved that \(\mathrm{rank}\,\varPhi _b^f = \deg {a}\).

Next, we design \(L \in {\mathbb F}_q ^{\ell \times \ell }\) such that the first \(\deg {b}\) column vectors of L are bases of the column vector space of \(\varPhi _a^f W^{-1}\) and the other \((\ell - \deg {b})\) \((= \deg {a})\) column vectors of L are bases of the column vector space of \(\varPhi _b^f W^{-1}\).

Finally, we prove that the column vector spaces of \(\varPhi _a^f W^{-1}\) and \(\varPhi _b^f W^{-1}\) have no intersection, that is, the column vector spaces of \(\varPhi _a^f\) and \(\varPhi _b^f\) have no intersection. If this statement holds, then L constructed using this approach is invertible. We assume that the column vector spaces of \(\varPhi _a^f\) and \(\varPhi _b^f\) have an intersection. Then, there exist two vectors \(\mathbf {x}, \mathbf {y} \in {\mathbb F} _q ^\ell \) such that the last \((\ell - \deg {b})\) elements of \(\mathbf {x}\) and the last \((\ell - \deg {a})\) elements of \(\mathbf {y}\) are zero, and \(\varPhi _a^f \mathbf {x} = \varPhi _b^f \mathbf {y}\) because the first \(\deg {b}\) (\(\deg {a}\)) vectors of \(\varPhi _a^f\) (\(\varPhi _b^f\)) are linearly independent. From the definition of \(\varPhi _g^f\), \(a V_1 ^{-1} (\mathbf {x}) = b V_1 ^{-1} (\mathbf {y})\), \(\deg {(V_1 ^{-1} (\mathbf {x}))} < \deg {b}\), and \(\deg {(V_1 ^{-1} (\mathbf {y}))} < \deg {a}\). However, this contradicts that \(f_1, \dots , f_k\) are distinct and irreducible. Therefore, the column vector spaces of \(\varPhi _a^f\) and \(\varPhi _b^f\) have no intersections.    \(\square \)

Next, we discuss another case where f is reducible.

Theorem 5

With the same notation as in Theorem 4, if there exists \(f' \in {\mathbb F}_q [x]\) such that \({f'}^2 \mid f\), there exists an invertible matrix \(L \in {\mathbb F}_q ^{\ell \times \ell }\) such that, for any \(X \in W A_f\),

$$\begin{aligned} (L ^{\top } X L)_{\ell \ell } = 0. \end{aligned}$$

Proof

From this assumption, there exists \(a \in {\mathbb F}_q [x] / (f)\) such that \(a ^2 = 0\). Therefore, for any \(g \in {\mathbb F}_q [x] / (f)\),

$$\begin{aligned} (\varPhi _a^f W^{-1})^\top (W \varPhi _g^f) (\varPhi _a^f W^{-1})= & {} \varPhi _{a \cdot g \cdot a}^f W^{-1} \\= & {} 0_{\ell \times \ell }, \end{aligned}$$

and \(\varPhi _a^f W^{-1}\) is symmetric. We suppose that \(L \in {\mathbb F}_q ^{\ell \times \ell }\) is an invertible matrix, wherein the \(\ell \)-th column vector is chosen from the column vectors of \(\varPhi _a^f W^{-1}\). From the above equation, the \((\ell ,\ell )\) component of \(L ^{\top } (W \varPhi _g^f) L\) is zero for any \(g \in {\mathbb F}_q [x] / (f)\).    \(\square \)

Appendix B: Proof of Theorem 3 in Subsect. 5.3

Theorem 3. With the same notation as in Theorem 2,

• (i) There exists an invertible matrix \(L \in \mathbb {F}_{q^\ell } ^{\ell \times \ell }\) such that \(L ^{-1} \varPhi _g ^f L\) is diagonal for any \(g \in {\mathbb F}_q [x] / (f)\).

• (ii) The matrix L described in (i) satisfies the condition that \(L^{\top } X L\) is diagonal for any \(X \in W A_f\).

• (iii) If there exists \(\mathbf {y} \in \mathbb {F}_{q ^{\ell }} ^{\ell }\) such that \(\mathbf {y}^{\top } X \mathbf {y} =0\) for any \(X \in W A_f\), then \(\mathbf{y} = \mathbf{0}\).

Proof

First, we prove statement 1. The characteristic polynomial of \( \varPhi _x ^ f \) is equal to f for \(x \in {\mathbb F}_q [x] / (f)\). As f is irreducible over \({\mathbb F}_q [x]\), f is separable, and its roots are distinct in \(\mathbb {F}_{q^\ell } [x]\). Therefore, the eigenvalues of \(\varPhi _x ^f\) are distinct in \(\mathbb {F}_{q^\ell }\), and there exists \(L \in \mathbb {F}_{q^\ell } ^{\ell \times \ell }\) such that \(L ^{-1} \varPhi _x ^f L\) is diagonal. Furthermore, \(\varPhi _{1} ^f\) is the identity matrix, and \(\varPhi _{x^i} ^f\) \((i = 2,\dots , \ell -1)\) can be diagonalized using L:

$$\begin{aligned} L ^{-1} \varPhi _{x^i} ^f L= & {} L ^{-1} (\varPhi _{x} ^f \cdots \varPhi _{x} ^f) L \\= & {} (L ^{-1} \varPhi _x ^f L) \cdots (L ^{-1} \varPhi _x ^f L). \end{aligned}$$

Then, for any \(g \in {\mathbb F}_q [x] / (f)\), \(L^{-1} \varPhi _g ^f L\) becomes diagonal because \(A_f\) is spanned by \(\{\varPhi _{1} ^f, \varPhi _{x} ^f, \dots , \varPhi _{x^{\ell -1}} ^f \}\) over \({\mathbb F}_q\).

Next, we prove statement 2 by using the following lemma.

Lemma 2

With the same notation as in Theorem 2, for \(L \in \mathbb {F}_{q^\ell } ^{\ell \times \ell }\) described in Theorem 3, \(L ^{\top } W L\) is diagonal.

Proof

Since \(W \varPhi _g ^f\) is symmetric,

$$\begin{aligned} W \varPhi _g ^f = (W \varPhi _g ^f) ^{\top } = (\varPhi _g ^f) ^{\top } W ^{\top }. \end{aligned}$$

Furthermore, because W is symmetric, we have

$$\begin{aligned} (\varPhi _g ^f) ^{\top } = W \varPhi _g ^f W ^{-1}. \end{aligned}$$

(15)

As \(L^{-1} \varPhi _g ^f L\) is symmetric,

$$\begin{aligned} L^{-1} \varPhi _g ^f L= & {} L^{\top } (\varPhi _g ^f) ^{\top } L ^{- \top } \\= & {} L^{\top } W \varPhi _g ^f W ^{-1} L ^{- \top } \quad (\because (15)) \\= & {} (L^{\top } W L) (L^{-1} \varPhi _g ^f L) (L^{\top } W L)^{-1}. \end{aligned}$$

Then, \(L^{\top } W L\) and \(L^{-1} \varPhi _g ^f L\) are commutative. As \(L^{-1} \varPhi _g ^f L\) is diagonal, and the diagonal components are distinct, \(L^{\top } W L\) is diagonal.    \(\square \)

For any \(g \in {\mathbb F}_q [x] / (f)\), we can transform \(L^{\top } W \varPhi _g ^f L\):

$$\begin{aligned} L^{\top } W \varPhi _g ^f L= & {} (L^{\top } W L) (L^{-1} \varPhi _g ^f L). \end{aligned}$$

From statement 1 and Lemma 2, \(L^{\top } W \varPhi _g ^f L\) are diagonal.

Finally, we prove statement 3. Let \(\mathbf {y} := L ^{-1} \mathbf {x}\); then,

$$\begin{aligned} \mathbf {x}^{\top } W \varPhi _g ^f \mathbf {x}= & {} (L \mathbf {y})^{\top } W \varPhi _g ^f (L \mathbf {y}) \\= & {} \mathbf {y} ^{\top } (L ^{\top } W L) (L^{-1} \varPhi _g ^f L) \mathbf {y}. \end{aligned}$$

If we define the diagonal components of \(L ^{-1} \varPhi _x ^f L\) as \(\theta _1, \dots , \theta _\ell \) (the roots of f in \(\mathbb {F}_{q^\ell }\)), the diagonal components of \(L ^{-1} \varPhi _g ^f L\) are equal to \(g(\theta _1), \dots , g(\theta _\ell )\). If ,

(16)

since \(L ^{\top } W L\) is diagonal.

Let \(g_1, \dots , g_\ell \) be the basis of \({\mathbb F}_q [x] / (f)\) over \({\mathbb F}_q\), then, satisfying Eq. (16) for any \(g \in {\mathbb F}_q [x] / (f)\) is equivalent to

$$\begin{aligned} \left( \begin{array}{ccc} g_1 (\theta _1) &{} \ldots &{} g_1 (\theta _\ell ), \\ \vdots &{} \ddots &{} \vdots \\ g_\ell (\theta _1) &{} \ldots &{} g_\ell (\theta _\ell ) \end{array} \right) (L ^{\top } W L) \mathbf {y}' = \mathbf {0}. \end{aligned}$$

(17)

In addition, \(g_1, \dots , g_\ell \) form the basis of \({\mathbb F}_{q ^\ell } [x] / (f)\) over \({\mathbb F}_{q ^\ell }\), and

$$\begin{aligned} {\mathbb F}_{q ^\ell } [x] / (f)\cong & {} {\mathbb F}_{q ^\ell } [x] / (x - \theta _1) \oplus {\mathbb F}_{q ^\ell } [x] / (x - \theta _2) \oplus \cdots \oplus {\mathbb F}_{q ^\ell } [x] / (x - \theta _\ell ), \\\cong & {} {\mathbb F}_{q ^\ell } ^{\ell }. \end{aligned}$$

Therefore, \(\left( g_i (\theta _1) \cdots g_i (\theta _\ell ) \right) \) \((i=1,\dots ,\ell )\) are linearly independent, and

$$\begin{aligned} (17)\Leftrightarrow & {} \mathbf {y}' = \mathbf {0} \\\Leftrightarrow & {} \mathbf {y} = \mathbf {0} \\\Leftrightarrow & {} \mathbf {x} = \mathbf {0}. \end{aligned}$$

   \(\square \)

Appendix C: Performance in Magma

Table 6. Performance of the improved QR-UOV in Subsect. 4.2 in Magma algebra system [7].

Here, we present the execution times for key generation, signature generation, and verification of the improved QR-UOV in Subsect. 4.2. All experiments were performed on a MacBook Pro with a 2.4-GHz quad-core, Intel Core i5 CPU, and the Magma algebra system (V2.24-82) [7]. Table 6 shows the average times for 100 runs using the improved QR-UOV scheme described in Subsect. 4.2 and our proposed parameters for levels I, III, and V of the NIST PQC project. All timings are in second. These are not optimized implementations.

In the key generation step, we first generate two 32-bit seeds (\(\mathbf {s}_{sk}\) and \(\mathbf {s}_{pk}\)) by using the Magma Random command. We then use the Magma SetSeed command as a pseudo-random number generator to generate part of the public and secret keys. (In Subsect. 6.2, we stated that the size of the two seeds is 256 bits; however, we use two 32-bit seeds because the size of the input for SetSeed is at most 32 bits.) Next, we generate a secret key using the method described in Subsect. 4.2. In the signature generation step, we recover the public and secret keys from the two seeds and perform the procedure explained in Subsect. 2.2. The signature is generated in the same manner as a signature is generated in the compressed Rainbow [12]. In the verification step, we generate the public key from the \(\mathbf {s}_{pk}\) seed and follow the procedure explained in Subsect. 2.1. In the signature generation and verification steps, we need to compute the product of a vector and matrices \(W \varPhi _g^f\) or \(\varPhi _g^f\), which is made more efficient using the structure of the polynomial matrix.

For example, in Table 6, the execution times of the key generation, signature generation, and verification steps of QR-UOV for level I are 0.06 s, 0.04 s, and 0.01 s, respectively. In most cases, our performance is approximately one order of magnitude slower than that of compressed Rainbow [12]. It should be noted that their implementation is in C, and ours is in Magma, and the signing and verification times of compressed Rainbow are dominated by the use of a cryptographic hash function which is not used in the implementation of QR-UOV.