Open Access

A security analysis of uniformly-layered rainbow defined over non-commutative rings

Pacific Journal of Mathematics for Industry20146:1

https://doi.org/10.1186/s40736-014-0001-1

Received: 1 April 2014

Accepted: 7 May 2014

Published: 11 September 2014

Abstract

Hashimoto and Sakurai proposed a signature scheme (HS scheme), whose security is based on the difficulty of integer factorization. In this paper, we redefine HS scheme as a signature scheme in Multivariate Public Key Cryptosystems (MPKC). MPKC are public key cryptosystems whose security is based on the difficulty of solving multivariate quadratic equations, and candidates for post-quantum cryptography. In this paper, we analyze the security of the extended HS scheme using technique of security analysis for MPKC. Furthermore, based on the security analysis of the extended HS scheme, we estimate secure parameters of the extended HS scheme.

Keywords

Public key cryptography Multivariate public key cryptosystems Rainbow Post-quantum cryptography

Introduction

In 1984, Ong, Schnorr and Shamir [15] proposed an efficient signature scheme (OSS signature scheme) using a bivariate quadratic equation,
$$\begin{array}{*{20}l} x^{2}+hy^{2}\equiv m\ \text{mod}\ N \end{array} $$
(1)

where h,m are integers and N is a composite number whose factorization is difficult. The security of this scheme was supposed to be based on the difficulty of integer factorization. However, Pollard and Schnorr proposed an algorithm to solve the equation (1) efficiently without the factorization of N [18]. Then OSS signature scheme would be extended to scheme using multivariate variables and scheme using non-commutative rings.

In 1994, Shamir [20] proposed a multivariate variant of OSS signature scheme, which is called Birational Permutation scheme. However, Coppersmith, Stern and Vaudenary [6] gave an efficient attack by observing linear combination of components of the public key. In 1997, Sato and Araki [19] proposed a new scheme extended from OSS signature scheme using quaternion algebra. Namely, \(\mathbb {Z}/N\mathbb {Z}\) in OSS signature scheme is replaced by a quaternion algebra over \(\mathbb {Z}/N\mathbb {Z}\). However, Coppersmith [5] gave two efficient attacks using special property of quaternion algebra. In 2008, Hashimoto and Sakurai [12] proposed a new scheme (HS scheme) including property of both Birational Permutation scheme and Sato-Araki scheme. In 2010, Uchiyama and Ogura [21] showed that this scheme is reduced to Rainbow [9], which is a signature scheme in the multivariate public key cryptosystem (MPKC), and discussed possibility of forgery in case of HS scheme with small size.

In this paper, we extend HS scheme to a signature scheme in MPKC. Therefore, the security of the extended HS scheme is no longer based on the difficulty of integer factorization. Generally, schemes in MPKC are expected to resist attacks using quantum computer, Moreover, we show that the extended HS scheme has an efficient signature generation.

On the other hand, Yasuda et al. [25] proposed another signature scheme “NC-Rainbow” in MPKC, which is an extension of a signature scheme called “Rainbow” using non-commutative rings. The paper [25] analyzed the security of NC-Rainbow for attacks against the original Rainbow, and estimated the secure parameters of NC-Rainbow.

In this paper, we analyze the security of the extended HS scheme. The attacks analyzed in this paper are 1) the attack against Birational Permutation scheme, 2) the attack against Sato-Araki scheme, and the attacks against Rainbow: 3) UOV [4,13,14], 4) MinRank [3,11,22], 5) HighRank [10,11,17], 6) direct [2,4,23], 7) Rainbow-Band-Separation (RBS) [10,16], and (8) UOV-Reconciliation (UOV-R) attacks [10,16].

This paper is basically a journal version of the paper [24]. However, the attacks analyzed in the paper [24] are from 1) to 5) above. In this paper, we add the security analysis against the attacks 6), 7) and 8). Moreover, we present secure parameters of the extended HS scheme for several security levels.

Birational permutation scheme

In this section, we summarize the attack of Coppersmith, Stern and Vaudenary against Birational Permutation scheme [6]. We will analyze this attack in the extended HS scheme later. First, we describe Birational Permutation scheme [20].

Let p,q be primes and N=pq. Assume that the factorization of N is difficult. Let n be a natural number. For k=2,3,…,n, we define \(g_{k}:(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow \mathbb {Z}/N\mathbb {Z}\) by a homogeneous quadratic polynomial over \(\mathbb {Z}/N\mathbb {Z}\),
$$\begin{array}{*{20}l} g_{k}(x_{1},x_{2},\ldots,x_{n})=\sum\limits_{i=1}^{k-1}a_{ik}x_{i}x_{k}+\sum\limits_{1\le i\le j\le k-1}a_{ij}x_{i}x_{j}, \end{array} $$
where \(a_{\textit {ij}}\in \mathbb {Z}/N\mathbb {Z}\). The central map of Birational Permutation scheme is constructed by
$$\begin{array}{*{20}l} G=\left(g_{2},g_{3},\ldots,g_{n}\right):(\mathbb{Z}/N\mathbb{Z})^{n}\rightarrow (\mathbb{Z}/N\mathbb{Z})^{n-1}. \end{array} $$

The key generation, the signature generation and the verification of Birational Permutation scheme are described as follows.

Key Generation. The secret key consists of primes p,q and the central map G and two affine (linear) transformations \(A_{1}:(\mathbb {Z}/N\mathbb {Z})^{n-1}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n-1},\ A_{2}:(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n}.\) The public key consists of N and the composite map \(F=A_{1}\circ G\circ A_{2}=(\,f_{2},f_{3},\ldots,f_{n}):(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n-1}.\)

Signature Generation. Let \(\mathbf {M}\in (\mathbb {Z}/N\mathbb {Z})^{n-1}\) be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), B=G−1(A), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is \(\mathbf {C}\in (\mathbb {Z}/N\mathbb {Z})^{n}\). Here G−1(A) stands for an element of preimage of A through G.

Verification. If F(C)=M, then the signature is accepted, otherwise rejected.

2.1 Attack against birational permutation scheme

It is believed that solving general equations over \(\mathbb {Z}/N\mathbb {Z}\) is more difficult than that over a finite field. The security of Birational Permutation scheme was based on the difficulty of solving the problem over \(\mathbb {Z}/N\mathbb {Z}\). However, Coppersmith, Stern and Vaudenary gave an efficient algorithm [6] to compute A2, a part of the secret key, without solving equations over \(\mathbb {Z}/N\mathbb {Z}\).

For simplicity, assume that A2 are linear transformations. We write A,B for the matrix expression of linear parts of A1,A2, respectively, and g k ,f k (k=2,3,…,n) are denoted by
$$\begin{array}{*{20}l} g_{k}(\mathbf{x})=\mathbf{x}^{T}\,G_{k}\mathbf{x},\,\, f_{k}=\mathbf{x}^{T}\,F_{k}\mathbf{x}\,\, \left(\mathbf{x}=(x_{1},\ldots,x_{n})^{T}\right), \end{array} $$
for some \(F_{k},G_{k}\in \mathbb {M}(n,\mathbb {Z}/N\mathbb {Z})\). (T means the transpose operator.) Since
$$\begin{array}{*{20}l} f_{k}(\mathbf{x})=\sum\limits_{l=2}^{n}a_{kl}\mathbf{x}^{T}B^{T}G_{l}B\mathbf{x}=\mathbf{x}^{T}B^{T} \left(\sum\limits_{l=2}^{n}a_{kl}G_{l}\right)B\mathbf{x} \end{array} $$
for A=(a kl ), we have
$$\begin{array}{*{20}l} F_{k}=B^{T}\left(\sum\limits_{l=2}^{n}a_{kl}G_{l}\right)B. \end{array} $$
(2)
For a variable λ and 1≤k1,k2n,
$$\begin{array}{*{20}l}{} \sum\limits_{l=2}^{n}\!a_{k_{1}l}G_{l}\,-\,\lambda\!\sum\limits_{l=2}^{n}\!a_{k_{2}l}G_{j} \,=\,\left(\!\begin{array}{cccc} * & \cdots & * & \left(a_{k_{1}n}\,-\,\lambda a_{k_{2}n}\right)* \\ \vdots & \ddots & \vdots & \vdots \\ * & \cdots & * & \left(a_{k_{1}n}\,-\,\lambda a_{k_{2}n}\right)* \\ \left(a_{k_{1}n}\,-\,\lambda a_{k_{2}n}\right)* & \cdots & \left(a_{k_{1}n}\,-\,\lambda a_{k_{2}n}\right)* & 0 \end{array}\!\right)\!. \end{array} $$
In particular, the determinant of this matrix is factored by \(\left (a_{k_{1}n}\,-\,\lambda a_{k_{2}n}\right)^{2}\). From (2), the determinant of \(F_{k_{1}}-\lambda F_{k_{2}}\) is factored by \(\left (a_{k_{1}n}\,-\,\lambda a_{k_{2}n}\right)^{2}\). Therefore \(a_{k_{1}n}/a_{k_{2}n}\), which is denoted by λ0, is computed by the public key. By calculating the kernel and the image of \(F_{k_{1}}-\lambda _{0} F_{k_{2}}\), \((\mathbb {Z}/N\mathbb {Z})^{n}\) is decomposed as
$$\begin{array}{*{20}l} (\mathbb{Z}/N\mathbb{Z})^{n}&=B^{-1}\left((\mathbb{Z}/N\mathbb{Z})^{n-1}\times\{0\}\right)\oplus B^{-1}\left(\{0\}^{n-1}\right.\\ &\left.\quad\times (\mathbb{Z}/N\mathbb{Z}){\vphantom{\{0\}^{n-1}}}\right) \end{array} $$
(3)
Continuing this operation, finally we have a decomposition
$$\begin{array}{*{20}l}{} (\mathbb{Z}/N\mathbb{Z})^{n}&=B^{-1}\left((\mathbb{Z}/N\mathbb{Z})\times\{0\}^{n-1}\right)\oplus\cdots\oplus B^{-1}\left(\{0\}^{n-1}\right.\\ &\left.\quad\times (\mathbb{Z}/N\mathbb{Z}){\vphantom{\{0\}^{n-1}}}\right) \end{array} $$

by subspaces with rank 1 over \(\mathbb {Z}/N\mathbb {Z}\). By rewriting the public key by a basis along the above decomposition, one obtains a system of equations with the same form as the central map, therefore a signature is forged.

Sato-Araki scheme

In this section, we summarize two attacks of Coppersmith against Sato-Araki scheme. We will analyze these attack in the extended HS scheme later.

Sato-Araki scheme [19] uses a quaternion algebra over \(\mathbb {Z}/N\mathbb {Z}\). Let R be a \(\mathbb {Z}/N\mathbb {Z}\)-analogue of the Hamilton’s quaternion algebra. Namely, R is defined by
$$R=\mathbb{Z}/N\mathbb{Z}\cdot 1\oplus\mathbb{Z}/N\mathbb{Z}\cdot i\oplus \mathbb{Z}/N\mathbb{Z}\cdot j\oplus \mathbb{Z}/N\mathbb{Z}\cdot ij, $$
and i2=j2=−1, ij=−ji. R is identified with a subring of a matrix ring by the embedding homomorphism,
$${} \begin{aligned} R&\;\ni a_{0}\cdot 1+a_{1}\cdot i+a_{2}\cdot j+a_{3}\cdot ij\\ &\longmapsto\!\! \left(\!\begin{aligned} a_{0}\,+\,a_{1}\sqrt{-1} & a_{3}\,+\,a_{2}\sqrt{-1} \\ -a_{3}\,+\,a_{2}\sqrt{-1} & a_{0}\,-\,a_{1}\sqrt{-1} \end{aligned}\right)\! \!\in\mathbb{M}\!\left(\!2,\mathbb{Z}/N\mathbb{Z}\!\left[\!\sqrt{-1}\right]\right)\!. \end{aligned} $$
(4)

Here, we identify i with the imaginary unit \(\sqrt {-1}\). Note that R is closed by the transpose operation. Sato-Araki scheme is described as follows.

Key Generation. The secret key consists of primes p,q and uR×. The public key consists of N=pq and h:=−(u T )−1u−1R.

Signature Generation. Let MR be a message such that M=M T . Choose ρR× randomly. We compute C1:=ρ−1M+ρ T , C2:=u(ρ−1Mρ T )R. (C1,C2) is a signature.

Verification. If \(\mathbf {C}_{1}^{T}\,\mathbf {C}_{1}+\mathbf {C}_{2}^{T}\,h\mathbf {C}_{2}=4\mathbf {M}\) then the signature is accepted, otherwise rejected.

Remark3.1.

The security of Sato-Araki scheme is based on the difficulty of solving the equation over R with respect to X1,X2,
$$\begin{array}{*{20}l} {X_{1}^{T}}\,X_{1}+{X_{2}^{T}}\,{hX}_{2}=4\mathbf{M} \end{array} $$
(5)

for any MR. Since the signer knows p and q, the signer can find a solution of (5) by the procedure of above signature generation.

3.1 Attacks against Sato-Araki scheme

The problem of solving the equation (5) is reduced to the problem of solving a equation over R,
$$X^{T}\,X+h\equiv 0\,\, \text{mod}\ N. $$
However, Coppersmith proposed two efficient attacks [5] by using special property of a quaternion algebra without the factorization of N.

3.1.1 Coppersmith’s first attack

The first attack of Coppersmith is a chosen message attack. For i=1,2,3, let \(\left (\textbf {C}_{1}^{(i)},\textbf {C}_{2}^{(i)}\right)\) be signatures for messages M i . The following fact is the key of the attack: For i=1,2,3,
$$\begin{array}{*{20}l} \left(\textbf{C}_{1}^{(i)}\right)^{T}u\textbf{C}_{2}^{(i)}\;\text{are symmetric matrices}, \end{array} $$
(6)
where u is a component of the secret key. Then these span a subspace {δ=δ T R}=Span{i,j,ij} of rank 3 with high probability. One can compute XR satisfying
$$\begin{array}{*{20}l} \left(\mathbf{C}_{1}^{(i)}\right)^{T}\,X\mathbf{C}_{2}^{(i)}\,\,\text{are symmetric matrices}\,\, (i=1,2,3), \end{array} $$

which is determined up to scalars. Therefore, X is proportional to u. It is not difficult to compute u from X.

3.1.2 Coppersmith’s second attack

The second attack of Coppersmith is based on the existence of the following algorithm.

Proposition3.1.

([1]) Let N be an odd positive integer and f(x,y) a bivariate quadratic polynomial over \(\mathbb {Z}/N\mathbb {Z}\). Δ(f) denotes the discriminant of f defined as in [1]. If gcd(Δ(f),N)=1, then there exists an algorithm which gives a solution to f(x,y)=0 with probability 1−ε, and requires O(log(ε−1 logN) log4N) arithmetic operations on integers of size O(logN) bits.

If x,yR are written as
$$\begin{array}{*{20}l} &x=x_{0}\cdot 1+x_{1}\cdot i+x_{2}\cdot j+x_{3}\cdot ij,\\ &y=y_{0}\cdot 1+y_{1}\cdot i+y_{2}\cdot j+y_{3}\cdot ij, \end{array} $$
then the equation over R,
$$\begin{array}{*{20}l} x^{T}\,x+y^{T}\,hy=4\mathbf{M} \end{array} $$
(7)

is rewritten by three quadratic equations with respect to 8 variables x0,x1,…,y3. By a simplicity of equation (7) and property of quaternion algebra, the problem of solving the system of these quadratic equations can be reduced to that of some bivariate quadratic equations. Therefore a signature can be forged from the above proposition.

Our proposal: extension of HS scheme

HS scheme [12] is a signature scheme having properties of both birational permutation scheme and Sato-Araki scheme. Since the security of HS scheme is based on the difficulty of integer factorization, the scheme defined over the ring \(\mathbb {Z}/N\mathbb {Z}\). However, we want to redefine HS scheme as a scheme in MPKC. Therefore, in this section, we define HS scheme in more general fashion such that our definition involves both the original HS scheme and our proposed scheme.

4.1 Non-commutative rings

Let L be either a field K and \(\mathbb {Z}/N\mathbb {Z}\). In this paper, we say that a L-algebra R is a non-commutative ring only if

  1. 1.

    R is a free module over L with finite rank, and

     
  2. 2.

    R is non-commutative.

     

Example4.1.

(Quaternion algebra) For aL×, a non-commutative ring Q L (a) is defined as follows:
$$\begin{array}{*{20}l} &(\text{Set})\,\, Q_{L}(a)=L\cdot1\oplus L\cdot i\oplus L\cdot j\oplus L\cdot ij,\\ &(\text{Product})\,\, i^{2}=a,\ j^{2}=-1,\ ij=-ji. \end{array} $$
Q L (a) is a free module over L with rank 4. This is called a quaternion algebra. When \(L=\mathbb {Z}/N\mathbb {Z}\) and a=−1, R coincides with the quaternion algebra used in Sato-Araki scheme. If L=GF(q) and a=−1, we write simply Q q instead of Q L (a). Q L (a) is embedded into a matrix ring:
$${} \begin{aligned} \iota:Q_{L}(a)&\ni a_{1}+a_{2}i+a_{3}j+a_{4}ij\\ &\mapsto\!\! \left(\!\!\begin{aligned} a_{1}\!+a_{2}\sqrt{\!-1} & a_{3}\,+\,a_{4}\sqrt{\!-1} \\ -a_{3}\!+a_{4}\sqrt{\!-1} & a_{1}\!-a_{2}\sqrt{\!-1} \end{aligned}\right) \!\!\in\! \mathbb{M}\!\left(\!2,L\!\left[\!\sqrt{-1}\right]\right)\!. \end{aligned} $$
(8)
If Q L (a) is identified with the image of ι, any element in Q L (a) is closed by transpose operation in Q L (a). For v=c1+c2i+c3j+c4ijQ L (a), the main involution v of v is defined by
$$\begin{array}{*{20}l} v^{*}=c_{1}-c_{2}i-c_{3}j-c_{4}ij\in Q_{L}(a). \end{array} $$
(9)
Let R be a non-commutative ring over L and r its rank over L. Then there exists an L-linear isomorphism,
$$\begin{array}{*{20}l} \phi:L^{r}\xrightarrow{\sim}R. \end{array} $$
(10)

Using this isomorphism ϕ, an element αR can be represented by r elements in L.

4.2 HS scheme over L

Let R be a non-commutative ring over L of rank r and fix ϕ as in (10). In the rest of this paper, assume that R is realized as a subring of the matrix ring \(\mathbb {M}(s,L)\) for some \(s\in \mathbb {N}\), and closed by the transpose operation.

Let \(\tilde {n}\) be a positive integer. HS scheme deploys non-commutative multivariate polynomials as a central map:
$$\begin{array}{*{20}l}{} \tilde{g}_{k}(x_{1},\ldots,x_{\tilde{n}})&=\sum\limits_{i=1}^{k-1} {x_{i}^{T}}\, \alpha_{ik}^{(k)}x_{k} +\sum\limits_{1\le i,j\le k-1}{x_{i}^{T}}\,\alpha_{ij}^{(k)} x_{j}\\ &\quad+ \sum\limits_{1\le i\le k}\beta_{i}^{(k)}x_{i}+\gamma^{(k)} \ \ (k=2,3,\ldots,\tilde{n}), \end{array} $$
where \(\alpha _{i,j}^{(k)},\beta _{i}^{(k)},\gamma ^{(k)}\in R\). Note that \(\tilde {g}_{k}\) is essentially a polynomial of k variables. The central map of HS scheme is constructed by
$$\begin{array}{*{20}l} \tilde{G}=\left(\tilde{g}_{2},\ldots,\tilde{g}_{\tilde{n}}\right):R^{\tilde{n}}\rightarrow R^{\tilde{n}-1} \end{array} $$

The key generation, the signature generation and the verification are described as follows.

Key Generation. The secret key consists of R, the central map \(\tilde {G}\) and two affine transformations \(A_{1}:L^{m}\rightarrow L^{m}\ (m=r\tilde {n}-r),\ A_{2}:L^{n}\rightarrow L^{n}\ (n=r\tilde {n})\). The public key consists of L and the composed map \(\tilde {F}=A_{1}\circ \phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\circ A_{2}:L^{n}\rightarrow L^{m}\), which is a system of m quadratic polynomials of n variables over L. We denote by \(\tilde {F}=\left (\,\tilde {f}_{r+1},\ldots,\tilde {f}_{n}\right)^{T}\).

Signature Generation. Let ML m be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), B=G−1(A), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is CL n . Here \(\mathbf {B}=\tilde {G}^{-1}(\mathbf {A})\) is computed by the following procedure.

Step 1 Choose a random element b1R.

Step 2 For \(k=1,\ldots,\tilde {n}\), do the following operation recursively.
\(\tilde {g}_{k}\) is a non-commutative polynomial with respect to x1,…,x k . By the substitution x1 = b1, …, xk−1 = bk−1 to \(\tilde {g}_{k}\), a non-commutative polynomial \(\bar {g}_{k}\) of one variable x k with at most 1 degree is obtained. We compute the solution b k R of
$$\begin{array}{*{20}l} \bar{g}_{k}(x_{k})=a_{k} \end{array} $$
(11)

where \(\mathbf {A}=(a_{i})\in R^{\tilde {m}}\). (If there is no solution, return to Step 1.)

Step 3 Set \(\mathbf {B}=(b_{1},\ldots,b_{\tilde {n}})\).

Verification. If \(\tilde {F}(\mathbf {C})=\mathbf {M}\) then the signature is accepted, otherwise rejected.

This scheme is denoted by \(\text {HS}(R;\,\tilde {n})\).

Remark4.1.

In general, it is difficult to solve a non-commutative equation (11) directly. However, if we fix a L-basis of R then it makes a new system of (commutative) linear equations with respect to the basis, which is easy to be solved in general. If R has an efficient arithmetic operation, the equation (11) can be solved more efficiently. For example, in the case of a quaternion algebra Q L (a), its realization (8) enables to compute its arithmetic operation efficiently.

Security analysis of the extended HS scheme

In the last section, we defined HS scheme over a non-commutative ring R. Here, we can take a non-commutative ring over a finite field K or a ring \(\mathbb {Z}/N\mathbb {Z}\). If R is defined over \(\mathbb {Z}/N\mathbb {Z}\), then the HS scheme becomes the original one. On the other hand, our proposed scheme is the HS scheme where R is defined over a finite field K.

First, we analyze the security of the extended HS scheme for attacks against the original Birational Permutation scheme and Sato-Araki scheme. As such attacks, there are the attack of Coppersmith, Stern and Vaudenary (CSV) attack [6] and the attacks of Coppersmith [5] has been analyzed [12]. These attacks can be extended those against HS scheme over \(\mathbb {Z}/N\mathbb {Z}\). Moreover, the extended attacks can be changed into attacks against the extended HS scheme over K easily. In this section, we analyze the security for these attacks against the extended HS scheme over K.

5.1 Security against CSV attack

In Birational Permutation scheme, only g n includes the variable x n in all the components of the central map G=(g2,g3,…,g n ). Therefore we can extract the term of g n from linear combinations of g2,g3,…,g n by eliminating x n . The components of the public key F=(f2,f3,…,f n ) are expressed as linear combinations of g2A2,…,g n A2 where A2 is an affine transformation in the private key. Similarly as in the case of the central map, we can also extract the term of g n A2 from the components. Then we have the decomposition (3) as we explained in § 2.1.

In HS scheme, only \(\tilde {g}_{n}\) includes the non-commutative variable x n in all the components of the central map \(\tilde {G}=\left (\,\tilde {g}_{2},\tilde {g}_{3},\ldots,\tilde {g}_{n}\right)\). However, from linear combinations of \(\phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\) we can not eliminate x n by the method in § 2.1 because the non-commutative variable x n corresponds to r (commutative) variables. Therefore it is difficult to apply the CSV attack to HS scheme.

5.2 Security against Coppersmith’s first attack

The first attack is applicable for Sato-Araki scheme because a simple relation (6) holds for a part u of the secret key. However in HS scheme, a simple relation like as (6) for the secret key is not expected. Therefore it is difficult to extend this attack to HS scheme.

5.3 Security against Coppersmith’s second attack

There exists an efficient algorithm solving a system of bivariate quadratic equations modulo N (Proposition 3.1) and a system of equations appearing in Sato-Araki scheme can be reduced to some of bivariate quadratic equations modulo N. However HS scheme has many variables, and a system of equations appearing in the scheme is not expected to be reduced to a simple system of equations even if L=K. Therefore this attack is not more efficient than the direct attack which find a solution of a system of equations by XL, Gröbner basis algorithm, etc.

Reduction of Uchiyama and Ogura to Rainbow

Uchiyama and Ogura [21] pointed out that the original HS scheme which is defined over \(\mathbb {Z}/N\mathbb {Z}\) can be rewritten by \(\mathbb {Z}/N\mathbb {Z}\)-analogue of Rainbow where the original Rainbow [9] is a multilayer variant of the Unbalanced Oil and Vinegar signature scheme [13]. This implies that the attacks against Rainbow are applicable to HS scheme.

6.1 Original Rainbow and its analogue

To deal with both the original Rainbow and its analogue over a finite field, we prepare Rainbow defined over L which is either K or \(\mathbb {Z}/N\mathbb {Z}\).

At first, we define parameters which determine the layer structure of Rainbow. Let t be the number of layers of Rainbow. Let v1,…,vt+1 be a sequence of positive t+1 integers such that
$$0<v_{1}<v_{2}<\cdots<v_{t}<v_{t+1}. $$
For h=1,…,t, the sets V h ,O h of indices of Vinegar and Oil variables of the h-th layer of Rainbow is defined by
$$\begin{array}{*{20}l}{} V_{h}\,=\,\left\{1,2\ldots,v_{h}\right\},\,\,O_{h}\,=\,\left\{v_{h}\,+\,1,v_{h}\,+\,2,\ldots,v_{h+1}\,-\,1,v_{h+1}\right\}\!. \end{array} $$

The number of elements in O h and V h are vh+1v h and v h , respectively, and denote o h =vh+1v h . Note that the smallest integer in O1 is v1+1. We define n=vt+1 which is the maximum number of the variables used in Rainbow.

Rainbow consists of t layers of multivariate polynomials of n variables. For h=1,2,…,t, the h-th layer of Rainbow deploys the following system of o h multivariate polynomials:
$$\begin{array}{*{20}l}{} g_{k}(x_{1},\ldots,x_{n})=&\sum\limits_{i\in O_{h},j\in V_{h}}\alpha_{i,j}^{(k)} x_{i} x_{j} +\sum\limits_{i,j\in V_{h},\,i\le j}\beta_{i,j}^{(k)} x_{i} x_{j}\\ &\ +\sum\limits_{i\in V_{h+1}}\gamma_{i}^{(k)} x_{i}+\eta^{(k)}\,(k\in O_{h}), \end{array} $$
(12)
where \(\alpha _{i,j}^{(k)},\beta _{i,j}^{(k)},\gamma _{i}^{(k)},\eta ^{(k)}\in L\). Note that g k is essentially a polynomial of v h +o h variables. We call variables x i (iO h ) and x j (iV j ) the Oil and Vinegar variable, respectively. Then the central map of Rainbow is constructed by
$$\begin{array}{*{20}l} G=\left(g_{v_{1}+1},\ldots,g_{n}\right):L^{n}\rightarrow L^{n-v_{1}}. \end{array} $$
Note that one of preimage of any element of \(\phantom {\dot {i}\!}L^{n-v_{1}}\) through G can be computed easily. For a system of o h equations for the h-th layer,
$$\begin{array}{*{20}l} g_{k}\left(b_{1},\ldots,b_{v_{h}},x_{v_{h}+1},\ldots,x_{v_{h+1}}\right)=a_{k}\,\,(k\in O_{h}) \end{array} $$

becomes o h linear equations of o h variables for any \(\phantom {\dot {i}\!}\left (a_{v_{h}+1},\ldots,a_{v_{h+1}}\right)\in L^{o_{h}}\) and \(\phantom {\dot {i}\!}(b_{1},\ldots,b_{v_{h}})\in L^{v_{h}}\). The values of Oil variables in the h-th layer obtained by solving this linear equations are utilized as that of Vinegar variables in the (h+1)-th layer.

We describe the key generation, the signature generation and the verification of Rainbow in the following.

Generation. The secret key consists of the central map G and two affine transformations A1:L m L m (m=nv1), A2:L n L n . The public key consists of L, which is either a field K or \(\mathbb {Z}/N\mathbb {Z}\), and the composed map F=A1GA2:L n L m , which is a system of m quadratic polynomials of n variables over L. We denote by \(F=\left (\,f_{v_{1}+1},\ldots,f_{n}\right)^{\mathrm {T}}\).

Signature Generation. Let ML m be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), B=G−1(A), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is CL n . Remark that B=G−1(A) can be easily computed by the above property of G.

Verification. If F(C)=M then the signature is accepted, otherwise rejected.

This scheme is denoted by Rainbow(L; v1,o1,…,o t ), and we call v1,o1,…,o t a parameter of Rainbow.

6.2 Reduction of HS scheme to Rainbow

Uchiyama and Ogura wrote down \(\phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\) for \(\text {HS}(\mathbb {Z}/N\mathbb {Z},\tilde {n})\) and showed the following [21].

Proposition6.1.

Let R be a non-commutative ring over \(\mathbb {Z}/N\mathbb {Z}\) of rank r. Let \(\tilde {F}\) be a public key of \(\text {HS}(R;\,\tilde {n})\). Then \(\tilde {F}\) becomes a public key of \(\text {Rainbow}(\mathbb {Z}/N\mathbb {Z};\,\overbrace {r,\ldots,r}^{\tilde {n}})\).

Remark6.1.

The above proposition defines a correspondent between signature schemes,
$$\begin{array}{*{20}l}{} \begin{array}{lccc} &\text{HS}(R;\,\tilde{n})& \rightsquigarrow &\text{Rainbow}(\mathbb{Z}/N\mathbb{Z};\,\overbrace{r,\ldots,r}^{\tilde{n}})\\ \text{Secret Key:\ }&(A_{1},\tilde{G},A_{2})&\mapsto&(A_{1},\phi^{-\tilde{n}+1}\circ \tilde{G}\circ\phi^{\tilde{n}},A_{2})\\ \text{Public Key:\ }&\tilde{F}&\mapsto&\tilde{F}. \end{array} \end{array} $$

Using this notation, the following correspondence holds.

$$\begin{array}{*{20}l}{} \begin{array}{ccc} \text{OSS scheme}&\rightsquigarrow& \text{Rainbow}(\mathbb{Z}/N\mathbb{Z};\,1,1),\\ \text{Birational Permutation scheme}& \rightsquigarrow\ \ & \text{Rainbow}(\mathbb{Z}/N\mathbb{Z};\,1,\ldots,1),\\ \text{Sato-Araki scheme}&\rightsquigarrow& \text{Rainbow}(\mathbb{Z}/N\mathbb{Z};\,4,4). \end{array} \end{array} $$

The argument of Uchiyama and Ogura in [21] is also valid for the case of HS scheme defined over field K. Therefore we have

Proposition6.2.

Let R be a non-commutative ring over K of dimension r. Let \(\tilde {F}\) be a public key of \(\text {HS}(R;\,\tilde {n})\). Then \(\tilde {F}\) becomes a public key of \(\text {Rainbow}(K;\,\overbrace {r,\ldots,r}^{\tilde {n}})\).

Remark6.2.

The above proposition shows that HS scheme is another way of construction of the uniformly-layered Rainbow, where “uniformly-layered" means all components in the parameter of Rainbow are equal. If the arithmetic operation of non-commutative ring R is efficient, then the signature generation of HS scheme may be more efficient than that of the corresponding Rainbow.

6.3 Security analysis for attacks against Rainbow

Proposition 6.2 implies that attacks against Rainbow are applicable to the extended HS scheme over K. In this section, we analyze security of the extended HS scheme against well-known attacks against Rainbow.

6.3.1 Attacks against Rainbow

Here, we summarize the known attacks against Rainbow that have been reported in previous papers, and we analyze the security against each attack. The known relevant attacks against Rainbow are as follows.

  1. (1)

    Direct attacks [2,23],

     
  2. (2)

    UOV attack [13,14],

     
  3. (3)

    MinRank attack [3,11,22],

     
  4. (4)

    HighRank attack [10,11,17],

     
  5. (5)

    Rainbow-Band-Separation (RBS) attack [10,16],

     
  6. (6)

    UOV-Reconciliation (UOV-R) attack [10,16].

     
The direct attacks try to solve a system of equations F(X)=M from public key F and (fixed) message M [2,23]. By contrast, the goal of the other attacks is to find a part of the secret key. In the case of a UOV attack or HighRank attack, for example, the target Rainbow with parameters v1,o1,…,o t is then reduced into a version of Rainbow with simpler parameters such as v1,o1,…,ot−1 without o t . We can then break the original Rainbow with lower complexity. To carry out a reduction we need to find (a part of) a direct sum decomposition of vector space K n ,
$$\begin{array}{*{20}l} K^{n}= K^{v_{1}}\oplus K^{o_{1}}\oplus \cdots\oplus K^{o_{t}}, \end{array} $$
(13)
because expressing K n in an available basis enables returning the public key to the central map. In fact, if we can decompose \(\phantom {\dot {i}\!}K^{n}=W\oplus K^{o_{t}}\) for a certain W that has a coarser decomposition than (13) then the security of Rainbow(K; v1,o1,…,o t ) can be reduced to that of Rainbow(K; v1,o1,…,ot−1). There are two methods for finding this decomposition: (1) Find a simultaneous isotropic subspace of K n . Let V be a vector space over K, and let Q1 be a quadratic form on V. We determine that a subspace W of V is isotropic (with respect to Q1) if
$$Q_{1}(v_{1},v_{2}):=Q_{1}(v_{1}+v_{2})-Q_{1}(v_{1})-Q_{1}(v_{2})=0. $$
for any v1,v2W. In addition, we assume that V is also equipped with quadratic forms Q2,…,Q m . We determine that a subspace W of V is simultaneously isotropic if W is isotropic with respect to all Q1,…,Q m .
In Rainbow, m quadratic forms on K n are defined by the quadratic parts of the public polynomials of F. Note that the subspace \(\phantom {\dot {i}\!}K^{o_{t}}\) appearing in (13) is a simultaneous isotropic subspace of K n . If we find a simultaneous isotropic subspace, the basis of \(\phantom {\dot {i}\!}K^{o_{t}}\) is then obtained and the above attack is feasible. The UOV, UOV-R and RBS attacks are classified as being of this type. (2) Find a quadratic form with the minimum or second maximum rank. When the quadratic part of the k-th public polynomial of F in Rainbow is expressed as
$$\begin{array}{*{20}l} \sum\limits_{i=1}^{n}\sum\limits_{j=i}^{n}a_{ij}^{(k)}x_{i}x_{j}, \end{array} $$
we associate it with a symmetric matrix S k =A+AT, where \(A=\left (a_{\textit {ij}}^{(k)}\right)\). We define
$$\begin{array}{*{20}l} \mathcal{A}=\text{Span}_{K}\left\{S_{k}\,|\,k=v_{1}+1,\ldots,n\right\}, \end{array} $$
(14)

which is a vector space over K spanned by matrices \(S_{v_{1}+1},\ldots,S_{n}\). For example, if we find a matrix of rank v2=v1+o1 in , there is a high probability that the image of this matrix coincides with \(\phantom {\dot {i}\!}K^{v_{1}}\oplus K^{o_{1}}\) appearing in (13).

Therefore, we obtain the decomposition of \(\phantom {\dot {i}\!}K^{n}=(K^{v_{1}}\oplus K^{o_{1}})\oplus W'\) for some W that is a coarser decomposition than (13). The MinRank and HighRank attacks are classified as being of this type.

The details of abovementioned six attacks can be found in the literature [16].

6.4 Security against known attacks

6.4.1 UOV attack

Regard L2 as the part of a linear transformation of A2 and place \(\phantom {\dot {i}\!}\mathcal {O}_{t}=L_{2}^{-1}(\{0\}^{n-o_{t}}\times K^{o_{t}})\) as the subspace of K n corresponding to \(\phantom {\dot {i}\!}K^{o_{t}}\) appearing in (13). The UOV attack finds a non-trivial invariant subspace of \(W_{12}=W_{1}W_{2}^{-1}\) that is included in \(\mathcal {O}_{t}\) for invertible matrices \(W_{1},W_{2}\in \mathcal {A}\). The analysis in [13] shows that the probability that W12 has a non-trivial invariant subspace included in \(\mathcal {O}_{t}\) is equal to \(\phantom {\dot {i}\!}q^{{n-2o}_{t}}\). This is obtained by the following lemma.

Lemma6.1.

([8] Lemma 3.2.4) Let J:K n K n be an invertible linear map such that

  1. 1.

    there exist two subspace \(\mathcal {O}^{\prime }\subset \mathcal {V}^{\prime }\) of K n where the dimensions of \(\mathcal {O}^{\prime }\) and \(\mathcal {V}^{\prime }\) are o and v, respectively, and

     
  2. 2.

    \(J(\mathcal {O}^{\prime })\subset \mathcal {V}^{\prime }\).

     

Then the probability that J has a non-trivial invariant subspace in \(\mathcal {O}^{\prime }\) is no less than \(q^{o^{\prime }-v^{\prime }}\).

This lemma is also available for the extended HS scheme through Proposition 6.2. This means that the complexity is the same as that of the corresponding Rainbow. From the complexity of the UOV attack [13] and Proposition 6.2 we have

Proposition6.3.

Let a=log2(K). \(\text {HS}(R;\tilde {n})\) has a security level of l bits against the UOV attack if
$$\begin{array}{*{20}l} r\tilde{n}-2r\ge l/a+1. \end{array} $$

Remark6.3.

The UOV attack is more efficient in the case of balanced Oil and Vinegar than in the case of general Unbalanced Oil and Vinegar. Therefore, we should not choose \(\tilde {n}=2\) in the extended HS scheme, otherwise, HS scheme corresponds to a balanced Oil and Vinegar scheme.

6.4.2 MinRank attack

In the MinRank attack, we solve MinRank(v2) for . If there is a non-trivial \(P\in \mathcal {A}\) for a vK n such that Pv=0, there is high probability that P is a solution for MinRank(v2). For vK n , the probability that a non-trivial \(\phantom {\dot {i}\!}P\in \mathcal {A}\) exists such that Pv=0 is roughly \(\phantom {\dot {i}\!}q^{-v_{2}}\). This is also true for the extended HS scheme. Therefore, from [11], we have the following proposition:

Proposition6.4.

Let a=log2(K). Assume that \(r\tilde {n}\). Then \(\text {HS}(R;\,\tilde {n})\) has a security level of l bits against the MinRank attack if
$$\begin{array}{*{20}l} 2r\ge l/a. \end{array} $$

6.4.3 HighRank attack

In the HighRank attack, we have an element \(W\in \mathcal {A}\) such that rank(W)=v t . For any \(W\in \mathcal {A}\), the probability that its rank is equal to v t is \(\phantom {\dot {i}\!}q^{-o_{t}}\). This is also true for the extended HS scheme. Therefore, from [11], we have the following proposition:

Proposition6.5.

Let a=log2(K). Assume that nm. Then \(\text {HS}(R;\,\tilde {n})\) has a security level of l bits against the HighRank attack if
$$\begin{array}{*{20}l} r\ge l/a. \end{array} $$

6.5 Direct attacks and others

From Proposition 6.2, the public key of the extended HS scheme is exactly equal to that of the corresponding Rainbow. Therefore, the complexity against the direct attacks is estimated to be the same for the extended HS scheme as for the original Rainbow corresponding to it. Similarly, the complexities against the RBS and UOV-R attacks are estimated to be the same for the extended HS scheme as for the corresponding Rainbow.

The complexities of the direct, RBS and UOV-R attacks were discussed by Petzoldt et al. [16], and we follow their data regarding the complexities of these attacks. In particular, the complexities of the direct and UOV-R attacks are equivalent.

Total security and secure parameters

Based on the security analysis in the last section, we try to present secure parameters and their length for \(\text {HS}(R;\,\tilde {n})\) where R is a non-commutative ring of rank r over K=GF(256). We adopt the parameters of Petzoldt et al. in [16] for estimating the security against the direct, UOV-R and RBS attacks. For other attacks, from Propositions 6.3, 6.4 and 6.5, the following criteria are used for l-bit security against these attacks: Let a be the bit length of q and r the dimension of R. For \(\text {HS}(R;\,\tilde {n})\), we have \(n=r\tilde {n},\ m=r(\tilde {n}-1)\) and we assume that n>m.

  1. 1.

    UOV attack n−2rl/a+1.

     
  2. 2.

    MinRank attack 2rl/a.

     
  3. 3.

    HighRank attack rl/a.

     
From the above condition of UOV attack, \(\tilde {n}\ge 3\) is required in order to design a secure HS scheme. Table 1 presents the complexity against each attack for the extended HS scheme over a non-commutative ring R over GF(256) with \(\tilde {n}=3\). Table 1 shows that UOV attack is the strongest among all analyzed attacks.
Table 1

Security level against attacks on the extended HS scheme over R defined over G F (256) and with \({\tilde {n}=3}\)

r

10

11

12

13

UOV (bits)

72

80

88

96

MinRank (bits)

160

176

192

218

HighRank (bits)

80

88

96

104

Direct, UOV-R, RBS (bits)

93

99

104

110

Security level (bits)

72

80

88

96

Efficiency of HS scheme

Any non-commutative ring R can be embedded in a matrix ring \(\mathbb {M}(l,K)\) for some positive integer l. If we can choose a small l, the arithmetic operation of R becomes efficient. In the signature generation in our proposed scheme, we have to solve several systems of linear equations of the form, \(\mathcal {A}.\mathcal {X}=\mathcal {B}\ (\mathcal {A},\mathcal {B}\in \mathbb {M}(l,K))\) with respect to variable matrix \(\mathcal {X}\in \mathbb {M}(l,K)\). If we use Gaussian elimination to solve the above linear equations, the number of field multiplication in solving the linear equations has O(l3).

On the other hand, in the signature generation in the corresponding Rainbow the number of field multiplication has O(d3) where d is the dimension of R because of Proposition 6.2. Thus, if l<d is satisfied, the signature generation of our proposed scheme is more efficient than that of the corresponding Rainbow.

8.1 Efficiency in the case of group ring of dihedral group

To compare the efficiency of signature generation in HS scheme and the corresponding Rainbow, we prepare dihedral group and its realization. Let m be a positive integer. \(M_{1}=(a_{\textit {ij}}),M_{2}=(b_{\textit {ij}})\in \mathbb {M}(m,K)\) is defined as

$$\begin{array}{*{20}l}{} a_{ij}=\left\{\!\!\begin{array}{cc} \ 1\ &\text{if}\,\, j-i\equiv 1\, (\text{mod}\, m), \\ 0 & \text{otherwise}, \end{array} \right. \;b_{ij}=\left\{\!\!\begin{array}{cc} \ 1\ & \text{if}\,\,j+i\equiv 1\, (\text{mod}\, m), \\ 0 &\text{otherwise}. \end{array} \right. \end{array} $$
We write D m for the group generated by M1 and M2. D m is isomorphic to the dihedral group with 2m elements [7]. K[ D m ] denotes the group ring with coefficients in K and associated to D m , then, it is a non-commutative ring of dimension 2m−1, realized in \(\mathbb {M}(m,K)\). K[ D m ] is closed by a transpose operation because inverse operation on D m is closed in D m . Therefore we can use K[ D m ] as a base ring in HS scheme. Table 2 compares the efficiency of the signature generation in HS scheme and the corresponding Rainbow. The non-commutative rings used in HS schemes in the table are chosen by K[ D m ] where K=GF(256) and m=10,11,12,13. The number of layers in each HS scheme is chosen by 3, and then the corresponding Rainbow of HS(K[ D m ];3) becomes Rainbow(K;r,r,r) with r=2m−1 by Proposition 6.2. We estimate the number of multiplication of GF(256) for efficiency comparison. Msig(HS(R;3)) (resp. Msig(R(GF(256);r,r,r))) stands for the number of multiplications in the signature generation in HS(R;3) (resp. Rainbow(GF(256);r,r,r)). Table 2 shows that the signature generation of HS scheme is about 50% faster than that of the corresponding Rainbow.
Table 2

Efficiency comparison of HS scheme with the corresponding Rainbow (in terms of the number of multiplications in G F (256))

HS(R,3)

HS(K[D10],3)

HS(K[D11],3)

HS(K[D12],3)

HS(K[D13],3)

Dimension of R

19

21

23

25

Matrix size

10

11

12

13

Msig(HS(R;3))

25353

33233

42581

53521

Corresponding Rainbow

R(19,19,19)

R(21,21,21)

R(23,23,23)

R(25,25,25)

R(GF(256);r,r,r)

    

Security level (bits)

72

80

88

96

Msig(R(GF(256);r,r,r))

50198

66766

86618

110050

Ratio

50.5%

49.8%

49.2%

48.6%

Concluding remarks

We analyzed the security of the extended HS scheme, and presented secure parameters of the extended HS scheme. The attacks we analyzed the security are the attack of Coppersmith, Stern and Vaudenary for Birational Permutation scheme, two attacks of Coppersmith for Sato-Araki scheme and attacks against Rainbow. Based on the security analysis, we estimate secure parameters of the extended HS scheme. If a non-commutative ring used in the extended HS scheme is chosen by the group ring associated to dihedral group, the speed of the signature generation can be accelerated by about 50% in comparison with the corresponding Rainbow.

Declarations

Acknowledgments

This work has been supported by “Strategic Information and Communications R&D Promotion Programme (SCOPE), no. 0159-0172”, Ministry of Internal Affairs and Communications, Japan.

Authors’ Affiliations

(1)
Institute of Systems, Information Technologies and Nanotechnologies
(2)
Kyushu University

References

  1. Adleman, LM., Estes, DR., McCurley, KS.: Solving bivariate quadratic congruences in random polynomial time. Math. Comput. 48, 17–28 (1987).MathSciNetView ArticleGoogle Scholar
  2. Bernstein, DJ., Buchmann, J., Dahmen, E.: Post Quantum Cryptography. Springer, Berlin Heidelberg (2009).View ArticleGoogle Scholar
  3. Billet, O., Gilbert, H.: Cryptanalysis of rainbow. In: SCN’06 Springer LNCS 4116, pp. 336–347. Springer, Berlin Heidelberg (2006).Google Scholar
  4. Braeken, A., Wolf, C., Preneel, B.: A study of the security of unbalanced oil and vinegar signature schemes. In: CT-RSA’05 Springer LNCS 3376, pp. 29–43. Springer, Berlin Heidelberg (2005).Google Scholar
  5. Coppersmith, D.: Weakness in quaternion signatures. In: CRYPTO’99 Springer LNCS 1666, pp. 305–314. J. Cryptology’01 (2001).Google Scholar
  6. Coppersmith, D., Stern, J., Vaudenay, S.: The security of the birational permutation signature scheme. J. Cryptology. 10, 207–221 (1997).MathSciNetView ArticleGoogle Scholar
  7. Dummit, DS., Foote, RM.: Abstract Algebra. John Wiley & Sons, Inc. (2006).Google Scholar
  8. Ding, J., Gower, JE., Schmidt, DS.: Multivariate Public Key Cryptosystems, Advances in Information Security 25. Springer, New York (2006).Google Scholar
  9. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: ACNS’05 Springer LNCS 3531, pp. 164–175. Springer, Berlin Heidelberg (2005).Google Scholar
  10. Ding, J., Yang, B-Y., Chen, C-HO., Chen, M-S., Cheng, CM.: New differential-algebraic attacks and reparametrization of rainbow. In: Springer LNCS 5037, pp. 242–257. Springer, Berlin Heidelberg (2008).Google Scholar
  11. Goubin, L., Courtois, NT.: Cryptanalysis of the TTM cryptsystem. In: ASIACRYPT’00 Springer LNCS 1976, pp. 44–57. Springer, Berlin Heidelberg (2000).Google Scholar
  12. Hashimoto, Y., Sakurai, K.: On construction of signature schemes based on birational permutations over noncommutative. presented at the 1st International Conference on Symbolic Computation and Cryptography (SCC2008) held in Beijin, April 2008. ePrint. http://eprint.iacr.org/2008/340.Google Scholar
  13. Kipinis, A., Patarin, L., Goubin, L.: Unbalanced oil and vinegar schemes. In: EUROCRYPT’99, Springer LNCS 1592, pp. 206–222. Springer, Berlin Heidelberg (1999).Google Scholar
  14. Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature scheme. In: CRYPTO’98. Springer LNCS 1462, pp. 257–266. Springer, Berlin Heidelberg (1998).Google Scholar
  15. Ong, H., Schnorr, CP., Shamir, A.: An efficient signature scheme based on quadratic equations. In: Proc. 16th ACM Symp. Theory Comp, pp. 208–216. Springer, Berlin Heidelberg (1984).Google Scholar
  16. Petzoldt, A., Bulygin, S., Buchmann, J.: Selecting parameters for the rainbow signature scheme. In: PQCrypto’10, Springer LNCS 6061, pp. 218–240. Springer, Berlin Heidelberg (2010).Google Scholar
  17. Petzoldt, A., Bulygin, S., Buchmann, J.: CyclicRainbow - a multivariate signature scheme with a partially cyclic public key based on rainbow. In: INDOCRYPT’10, Springer LNCS 6498, pp. 33–48. Springer, Berlin Heidelberg (2010).Google Scholar
  18. Pollard, JM., Schnorr, CP.: An efficient solution of the congruence x2+ky2m (mod n). IEEE Trans. Inf. Theory. IT-33, 702–709 (1987).MathSciNetView ArticleGoogle Scholar
  19. Satoh, T., Araki, K.: On construction of signature scheme over a certain noncommutative ring. IEICE Trans. Fundamentals. E80-A, 702–709 (1997).Google Scholar
  20. Shamir, A.: Efficient signature schemes based on birational permutations. In: CRYPTO’93, Springer LNCS 773, pp. 1–12. Springer, Berlin Heidelberg (1994).Google Scholar
  21. Uchiyama, S., Ogura, N.: Cryptanalysis of the birational permutation signature scheme over a non-commutative ring. JSIAM Lett. 2, 85–88 (2010). ePrinthttp://eprint.iacr.org/2009/245.MathSciNetView ArticleGoogle Scholar
  22. Yang, B-Y., Chen, J-M.: Building secure tame like multivariate public-key cryptosystems: the new TTS. In: ACISP’05, Springer LNCS 3574, pp. 518–531. Springer, Berlin Heidelberg (2005).Google Scholar
  23. Yang, B-Y., Chen, J-M.: All in the XL family, theory and practice. In: ICISC’04, Springer LNCS 3506, pp. 67–86. Springer, Berlin Heidelberg (2005).Google Scholar
  24. Yasuda, T., Sakurai, K.: A security analysis of uniformly-layered rainbow — revisiting Sato-Araki’s non-commutative approach to Ong-Schnorr-Shamir signature towards PostQuantum paradigm. In: PQCrypto’11, Springer LNCS 7071, pp. 275–294. Springer, Berlin Heidelberg (2011).Google Scholar
  25. Yasuda, T., Sakurai, K., Takagi, T.: Reducing the key size of rainbow using non-commutative rings. In: CT-RSA f12, Springer LNCS vol. 7178, pp. 68–83. Springer, Berlin Heidelberg (2012).Google Scholar

Copyright

© Takanori and Sakurai; licensee Springer 2014

This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License(http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.