A security analysis of uniformly-layered Rainbow defined over noncommutative rings
Pacific Journal of Mathematics for Industry volume 6, Article number: 1 (2014)
Abstract
Hashimoto and Sakurai proposed a signature scheme (HS scheme) whose security is based on the difficulty of integer factorization. In this paper, we redefine HS scheme as a signature scheme in Multivariate Public Key Cryptosystems (MPKC). MPKC are public key cryptosystems whose security is based on the difficulty of solving systems of multivariate quadratic equations, and they are candidates for post-quantum cryptography. We analyze the security of the extended HS scheme using the techniques developed for the security analysis of MPKC. Furthermore, based on this security analysis, we estimate secure parameters of the extended HS scheme.
Introduction
In 1984, Ong, Schnorr and Shamir [15] proposed an efficient signature scheme (OSS signature scheme) using a bivariate quadratic equation,
where h,m are integers and N is a composite number whose factorization is difficult. The security of this scheme was supposed to rest on the difficulty of integer factorization. However, Pollard and Schnorr proposed an algorithm that solves equation (1) efficiently without factoring N [18]. The OSS signature scheme was later extended in two directions: to schemes with many variables and to schemes over noncommutative rings.
In 1994, Shamir [20] proposed a multivariate variant of the OSS signature scheme, called the Birational Permutation scheme. However, Coppersmith, Stern and Vaudenay [6] gave an efficient attack by observing linear combinations of the components of the public key. In 1997, Sato and Araki [19] proposed a new scheme extending the OSS signature scheme to a quaternion algebra. Namely, $\mathbb {Z}/N\mathbb {Z}$ in the OSS signature scheme is replaced by a quaternion algebra over $\mathbb {Z}/N\mathbb {Z}$ . However, Coppersmith [5] gave two efficient attacks using special properties of the quaternion algebra. In 2008, Hashimoto and Sakurai [12] proposed a new scheme (HS scheme) combining properties of both the Birational Permutation scheme and the Sato-Araki scheme. In 2010, Uchiyama and Ogura [21] showed that this scheme can be reduced to Rainbow [9], a signature scheme in the multivariate public key cryptosystems (MPKC), and discussed the possibility of forgery for HS scheme with small parameters.
In this paper, we extend HS scheme to a signature scheme in MPKC. Consequently, the security of the extended HS scheme is no longer based on the difficulty of integer factorization. Schemes in MPKC are generally expected to resist attacks using quantum computers. Moreover, we show that the extended HS scheme has an efficient signature generation.
On the other hand, Yasuda et al. [25] proposed another signature scheme in MPKC, “NC-Rainbow”, which is an extension of the signature scheme “Rainbow” to noncommutative rings. The paper [25] analyzed the security of NC-Rainbow against the attacks known for the original Rainbow, and estimated secure parameters of NC-Rainbow.
In this paper, we analyze the security of the extended HS scheme. The attacks analyzed are 1) the attack against the Birational Permutation scheme, 2) the attacks against the Sato-Araki scheme, and the attacks against Rainbow: 3) UOV [4,13,14], 4) MinRank [3,11,22], 5) HighRank [10,11,17], 6) direct [2,4,23], 7) Rainbow-Band-Separation (RBS) [10,16], and 8) UOV-Reconciliation (UOVR) attacks [10,16].
This paper is basically a journal version of the paper [24]. However, only the attacks 1) to 5) above were analyzed in [24]. In this paper, we add the security analysis against the attacks 6), 7) and 8). Moreover, we present secure parameters of the extended HS scheme for several security levels.
Birational permutation scheme
In this section, we summarize the attack of Coppersmith, Stern and Vaudenay against the Birational Permutation scheme [6]. We will analyze this attack for the extended HS scheme later. First, we describe the Birational Permutation scheme [20].
Let p,q be primes and N=pq. Assume that the factorization of N is difficult. Let n be a natural number. For k=2,3,…,n, we define $g_{k}:(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow \mathbb {Z}/N\mathbb {Z}$ by a homogeneous quadratic polynomial over $\mathbb {Z}/N\mathbb {Z}$ ,
where $a_{\textit {ij}}\in \mathbb {Z}/N\mathbb {Z}$ . The central map of Birational Permutation scheme is constructed by
The key generation, the signature generation and the verification of Birational Permutation scheme are described as follows.
Key Generation. The secret key consists of primes p,q and the central map G and two affine (linear) transformations $A_{1}:(\mathbb {Z}/N\mathbb {Z})^{n-1}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n-1},\ A_{2}:(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n}.$ The public key consists of N and the composite map $F=A_{1}\circ G\circ A_{2}=(\,f_{2},f_{3},\ldots,f_{n}):(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n-1}.$
Signature Generation. Let $\mathbf {M}\in (\mathbb {Z}/N\mathbb {Z})^{n-1}$ be a message. We compute $\mathbf {A}=A_{1}^{-1}(\mathbf {M})$ , B=G^{−1}(A), $\mathbf {C}=A_{2}^{-1}(\mathbf {B})$ in this order. The signature of the message is $\mathbf {C}\in (\mathbb {Z}/N\mathbb {Z})^{n}$ . Here G^{−1}(A) stands for an element of the preimage of A under G.
Verification. If F(C)=M, then the signature is accepted, otherwise rejected.
2.1 Attack against birational permutation scheme
It is believed that solving general equations over $\mathbb {Z}/N\mathbb {Z}$ is more difficult than over a finite field. The security of the Birational Permutation scheme was based on the difficulty of solving such equations over $\mathbb {Z}/N\mathbb {Z}$ . However, Coppersmith, Stern and Vaudenay gave an efficient algorithm [6] that computes A_{2}, a part of the secret key, without solving equations over $\mathbb {Z}/N\mathbb {Z}$ .
For simplicity, assume that A_{1} and A_{2} are linear. We write A,B for the matrices of A_{1},A_{2}, respectively, and write g_{ k },f_{ k } (k=2,3,…,n) as
for some $F_{k},G_{k}\in \mathbb {M}(n,\mathbb {Z}/N\mathbb {Z})$ . (T means the transpose operator.) Since
for A=(a_{ kl }), we have
For a variable λ and 1≤k_{1},k_{2}≤n,
In particular, the determinant of this matrix is divisible by $\left(a_{k_{1}n}-\lambda a_{k_{2}n}\right)^{2}$ . From (2), the determinant of $F_{k_{1}}-\lambda F_{k_{2}}$ is also divisible by $\left(a_{k_{1}n}-\lambda a_{k_{2}n}\right)^{2}$ . Therefore $a_{k_{1}n}/a_{k_{2}n}$ , which we denote by λ_{0}, can be computed from the public key alone as a repeated root of this determinant. By computing the kernel and the image of $F_{k_{1}}-\lambda _{0}F_{k_{2}}$ , $(\mathbb {Z}/N\mathbb {Z})^{n}$ is decomposed as
Continuing this operation, we finally obtain a decomposition
into free submodules of rank 1 over $\mathbb {Z}/N\mathbb {Z}$ . Rewriting the public key in a basis adapted to this decomposition yields a system of equations of the same form as the central map, and hence a signature can be forged.
Sato-Araki scheme
In this section, we summarize the two attacks of Coppersmith against the Sato-Araki scheme. We will analyze these attacks for the extended HS scheme later.
The Sato-Araki scheme [19] uses a quaternion algebra over $\mathbb {Z}/N\mathbb {Z}$ . Let R be the $\mathbb {Z}/N\mathbb {Z}$ analogue of Hamilton’s quaternion algebra. Namely, R is defined by
and i^{2}=j^{2}=−1, ij=−ji. R is identified with a subring of a matrix ring by the embedding homomorphism,
Here, we identify i with the imaginary unit $\sqrt {-1}$ . Note that R is closed under transposition. The Sato-Araki scheme is described as follows.
Key Generation. The secret key consists of primes p,q and u∈R^{×}. The public key consists of N=pq and h:=−(u^{T})^{−1}u^{−1}∈R.
Signature Generation. Let M∈R be a message such that M=M^{T}. Choose ρ∈R^{×} randomly. We compute C_{1}:=ρ^{−1}M+ρ^{T}, C_{2}:=u(ρ^{−1}M−ρ^{T})∈R. (C_{1},C_{2}) is a signature.
Verification. If $\mathbf {C}_{1}^{T}\,\mathbf {C}_{1}+\mathbf {C}_{2}^{T}\,h\mathbf {C}_{2}=4\mathbf {M}$ then the signature is accepted, otherwise rejected.
Remark 3.1.
The security of the Sato-Araki scheme is based on the difficulty of solving the following equation over R with respect to X_{1},X_{2},
for any M∈R. Since the signer knows p and q, the signer can find a solution of (5) by the procedure of above signature generation.
3.1 Attacks against Sato-Araki scheme
The problem of solving equation (5) reduces to the problem of solving an equation over R,
However, Coppersmith proposed two efficient attacks [5] that use special properties of the quaternion algebra and do not require the factorization of N.
3.1.1 Coppersmith’s first attack
The first attack of Coppersmith is a chosen message attack. For i=1,2,3, let $\left (\textbf {C}_{1}^{(i)},\textbf {C}_{2}^{(i)}\right)$ be signatures for messages M_{ i }. The following fact is the key of the attack: For i=1,2,3,
where u is a component of the secret key. With high probability these elements span the subspace {δ=δ^{T}∈R}=Span{i,j,ij} of rank 3. One can then compute X∈R satisfying
which is determined up to scalars. Therefore, X is proportional to u. It is not difficult to compute u from X.
3.1.2 Coppersmith’s second attack
The second attack of Coppersmith is based on the existence of the following algorithm.
Proposition 3.1.
([1]) Let N be an odd positive integer and f(x,y) a bivariate quadratic polynomial over $\mathbb {Z}/N\mathbb {Z}$ . Let Δ(f) denote the discriminant of f as defined in [1]. If gcd(Δ(f),N)=1, then there exists an algorithm which finds a solution of f(x,y)=0 with probability 1−ε and requires O(log(ε^{−1} logN) log^{4}N) arithmetic operations on integers of size O(logN) bits.
If x,y∈R are written as
then the equation over R,
is rewritten as three quadratic equations in the 8 variables x_{0},x_{1},…,y_{3}. Because of the simple form of equation (7) and the properties of the quaternion algebra, solving this system of quadratic equations can be reduced to solving a few bivariate quadratic equations. Therefore a signature can be forged using the above proposition.
Our proposal: extension of HS scheme
HS scheme [12] is a signature scheme having properties of both the Birational Permutation scheme and the Sato-Araki scheme. Since the security of HS scheme is based on the difficulty of integer factorization, the scheme is defined over the ring $\mathbb {Z}/N\mathbb {Z}$ . We want, however, to redefine HS scheme as a scheme in MPKC. Therefore, in this section, we define HS scheme in a more general fashion, so that the definition covers both the original HS scheme and our proposed scheme.
4.1 Noncommutative rings
Let L be either a field K or $\mathbb {Z}/N\mathbb {Z}$ . In this paper, an L-algebra R is called a noncommutative ring if

1.
R is a free module over L with finite rank, and

2.
R is noncommutative.
Example 4.1.
(Quaternion algebra) For a∈L^{×}, a noncommutative ring Q_{ L }(a) is defined as follows:
Q_{ L }(a) is a free module over L of rank 4, called a quaternion algebra. When $L=\mathbb {Z}/N\mathbb {Z}$ and a=−1, Q_{ L }(a) coincides with the quaternion algebra used in the Sato-Araki scheme. If L=GF(q) and a=−1, we simply write Q_{ q } instead of Q_{ L }(a). Q_{ L }(a) is embedded into a matrix ring:
If Q_{ L }(a) is identified with the image of ι, then Q_{ L }(a) is closed under transposition. For v=c_{1}+c_{2}i+c_{3}j+c_{4}ij∈Q_{ L }(a), the main involution v^{∗} of v is defined by
Let R be a noncommutative ring over L and r its rank over L. Then there exists an Llinear isomorphism,
Using this isomorphism ϕ, an element α∈R can be represented by r elements in L.
4.2 HS scheme over L
Let R be a noncommutative ring over L of rank r and fix ϕ as in (10). In the rest of this paper, we assume that R is realized as a subring of the matrix ring $\mathbb {M}(s,L)$ for some $s\in \mathbb {N}$ and is closed under transposition.
Let $\tilde {n}$ be a positive integer. HS scheme deploys noncommutative multivariate polynomials as a central map:
where $\alpha _{i,j}^{(k)},\beta _{i}^{(k)},\gamma ^{(k)}\in R$ . Note that $\tilde {g}_{k}$ is essentially a polynomial of k variables. The central map of HS scheme is constructed by
The key generation, the signature generation and the verification are described as follows.
Key Generation. The secret key consists of R, the central map $\tilde {G}$ and two affine transformations $A_{1}:L^{m}\rightarrow L^{m}\ (m=r\tilde {n}-r),\ A_{2}:L^{n}\rightarrow L^{n}\ (n=r\tilde {n})$ . The public key consists of L and the composed map $\tilde {F}=A_{1}\circ \phi ^{\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\circ A_{2}:L^{n}\rightarrow L^{m}$ , which is a system of m quadratic polynomials in n variables over L. We write $\tilde {F}=\left (\,\tilde {f}_{r+1},\ldots,\tilde {f}_{n}\right)^{T}$ .
Signature Generation. Let M∈L^{m} be a message. We compute $\mathbf {A}=A_{1}^{-1}(\mathbf {M})$ , $\mathbf {B}=\tilde {G}^{-1}(\mathbf {A})$ , $\mathbf {C}=A_{2}^{-1}(\mathbf {B})$ in this order. The signature of the message is C∈L^{n}. Here $\mathbf {B}=\tilde {G}^{-1}(\mathbf {A})$ is computed by the following procedure.
Step 1 Choose a random element b_{1}∈R.
Step 2 For $k=2,\ldots,\tilde {n}$ , do the following operation recursively.
$\tilde {g}_{k}$ is a noncommutative polynomial in x_{1},…,x_{ k }. Substituting x_{1} = b_{1}, …, x_{k−1} = b_{k−1} into $\tilde {g}_{k}$ yields a noncommutative polynomial $\bar {g}_{k}$ in the single variable x_{ k } of degree at most 1. We compute a solution b_{ k }∈R of
$$\bar{g}_{k}(x_{k})=a_{k} \qquad (11)$$
where $\mathbf {A}=(a_{i})\in R^{\tilde {m}}$ (so that $m=r\tilde {m}$ ). (If there is no solution, return to Step 1.)
Step 3 Set $\mathbf {B}=(b_{1},\ldots,b_{\tilde {n}})$ .
Verification. If $\tilde {F}(\mathbf {C})=\mathbf {M}$ then the signature is accepted, otherwise rejected.
This scheme is denoted by $\text {HS}(R;\,\tilde {n})$ .
Remark 4.1.
In general, it is difficult to solve the noncommutative equation (11) directly. However, once an L-basis of R is fixed, (11) becomes a system of r (commutative) linear equations over L in the coordinates of x_{ k }, which is easy to solve in general. If R has efficient arithmetic, equation (11) can be solved even more efficiently. For example, in the case of a quaternion algebra Q_{ L }(a), its realization (8) enables efficient computation of its arithmetic.
Security analysis of the extended HS scheme
In the last section, we defined HS scheme over a noncommutative ring R. Here, we can take a noncommutative ring over a finite field K or a ring $\mathbb {Z}/N\mathbb {Z}$ . If R is defined over $\mathbb {Z}/N\mathbb {Z}$ , then the HS scheme becomes the original one. On the other hand, our proposed scheme is the HS scheme where R is defined over a finite field K.
First, we analyze the security of the extended HS scheme against the attacks on the original Birational Permutation scheme and the Sato-Araki scheme, namely the attack of Coppersmith, Stern and Vaudenay (the CSV attack) [6] and the two attacks of Coppersmith [5]; these were analyzed for the original HS scheme in [12]. These attacks can be extended to attacks against HS scheme over $\mathbb {Z}/N\mathbb {Z}$ , and the extended attacks can easily be turned into attacks against the extended HS scheme over K. In this section, we analyze the security of the extended HS scheme over K against them.
5.1 Security against CSV attack
In the Birational Permutation scheme, among the components of the central map G=(g_{2},g_{3},…,g_{ n }) only g_{ n } involves the variable x_{ n }. Therefore the term g_{ n } can be isolated from linear combinations of g_{2},g_{3},…,g_{ n } by eliminating x_{ n }. The components of the public key F=(f_{2},f_{3},…,f_{ n }) are linear combinations of g_{2}∘A_{2},…,g_{ n }∘A_{2}, where A_{2} is the affine transformation in the private key. As for the central map, the term g_{ n }∘A_{2} can be isolated from these components, which gives the decomposition (3) explained in § 2.1.
In HS scheme, among the components of the central map $\tilde {G}=\left (\,\tilde {g}_{2},\tilde {g}_{3},\ldots,\tilde {g}_{\tilde {n}}\right)$ only $\tilde {g}_{\tilde {n}}$ involves the noncommutative variable $x_{\tilde {n}}$ . However, $x_{\tilde {n}}$ cannot be eliminated from linear combinations of $\phi ^{\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}$ by the method of § 2.1, because the noncommutative variable $x_{\tilde {n}}$ corresponds to r (commutative) variables. Therefore it is difficult to apply the CSV attack to HS scheme.
5.2 Security against Coppersmith’s first attack
The first attack applies to the Sato-Araki scheme because the simple relation (6) holds for the part u of the secret key. In HS scheme, however, no such simple relation for the secret key is expected to hold. Therefore it is difficult to extend this attack to HS scheme.
5.3 Security against Coppersmith’s second attack
There is an efficient algorithm for solving a bivariate quadratic equation modulo N (Proposition 3.1), and the system of equations appearing in the Sato-Araki scheme can be reduced to a few bivariate quadratic equations modulo N. HS scheme, however, has many variables, and the system of equations appearing in it is not expected to reduce to such a simple system even when L=K. Therefore this attack is no more efficient than a direct attack, which finds a solution of the system of equations by XL, Gröbner basis algorithms, etc.
Reduction of Uchiyama and Ogura to Rainbow
Uchiyama and Ogura [21] pointed out that the original HS scheme, defined over $\mathbb {Z}/N\mathbb {Z}$ , can be rewritten as a $\mathbb {Z}/N\mathbb {Z}$ analogue of Rainbow, where the original Rainbow [9] is a multi-layer variant of the Unbalanced Oil and Vinegar signature scheme [13]. This implies that the attacks against Rainbow are applicable to HS scheme.
6.1 Original Rainbow and its analogue
To deal with both the original Rainbow and its analogue over a finite field, we prepare Rainbow defined over L which is either K or $\mathbb {Z}/N\mathbb {Z}$ .
First, we define the parameters that determine the layer structure of Rainbow. Let t be the number of layers. Let v_{1},…,v_{t+1} be a sequence of t+1 positive integers such that
For h=1,…,t, the sets V_{ h },O_{ h } of indices of the Vinegar and Oil variables of the h-th layer are defined by
The numbers of elements of O_{ h } and V_{ h } are v_{h+1}−v_{ h } and v_{ h }, respectively, and we write o_{ h }=v_{h+1}−v_{ h }. Note that the smallest integer in O_{1} is v_{1}+1. We set n=v_{t+1}, the total number of variables used in Rainbow.
Rainbow consists of t layers of multivariate polynomials of n variables. For h=1,2,…,t, the hth layer of Rainbow deploys the following system of o_{ h } multivariate polynomials:
where $\alpha _{i,j}^{(k)},\beta _{i,j}^{(k)},\gamma _{i}^{(k)},\eta ^{(k)}\in L$ . Note that g_{ k } is essentially a polynomial in v_{ h }+o_{ h } variables. We call x_{ i } (i∈O_{ h }) and x_{ j } (j∈V_{ h }) the Oil and Vinegar variables of the h-th layer, respectively. The central map of Rainbow is then constructed by
Note that a preimage of any element of $L^{n-v_{1}}$ under G can be computed easily. For the system of o_{ h } equations of the h-th layer,
becomes a system of o_{ h } linear equations in the o_{ h } Oil variables for any $\left (a_{v_{h}+1},\ldots,a_{v_{h+1}}\right)\in L^{o_{h}}$ and $(b_{1},\ldots,b_{v_{h}})\in L^{v_{h}}$ , because no product of two Oil variables of the same layer occurs. The values of the Oil variables of the h-th layer obtained by solving these linear equations are then used as the values of the Vinegar variables of the (h+1)-th layer.
We describe the key generation, the signature generation and the verification of Rainbow in the following.
Key Generation. The secret key consists of the central map G and two affine transformations A_{1}:L^{m}→L^{m} (m=n−v_{1}), A_{2}:L^{n}→L^{n}. The public key consists of L, which is either a field K or $\mathbb {Z}/N\mathbb {Z}$ , and the composed map F=A_{1}∘G∘A_{2}:L^{n}→L^{m}, which is a system of m quadratic polynomials in n variables over L. We write $F=\left (\,f_{v_{1}+1},\ldots,f_{n}\right)^{\mathrm {T}}$ .
Signature Generation. Let M∈L^{m} be a message. We compute $\mathbf {A}=A_{1}^{-1}(\mathbf {M})$ , B=G^{−1}(A), $\mathbf {C}=A_{2}^{-1}(\mathbf {B})$ in this order. The signature of the message is C∈L^{n}. Note that B=G^{−1}(A) can be computed easily by the above property of G.
Verification. If F(C)=M then the signature is accepted, otherwise rejected.
This scheme is denoted by Rainbow(L; v_{1},o_{1},…,o_{ t }), and we call v_{1},o_{1},…,o_{ t } the parameters of Rainbow.
6.2 Reduction of HS scheme to Rainbow
Uchiyama and Ogura wrote down $\phi ^{\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}$ for $\text {HS}(\mathbb {Z}/N\mathbb {Z},\tilde {n})$ and showed the following [21].
Proposition 6.1.
Let R be a noncommutative ring over $\mathbb {Z}/N\mathbb {Z}$ of rank r. Let $\tilde {F}$ be a public key of $\text {HS}(R;\,\tilde {n})$ . Then $\tilde {F}$ becomes a public key of $\text {Rainbow}(\mathbb {Z}/N\mathbb {Z};\,\overbrace {r,\ldots,r}^{\tilde {n}})$ .
Remark 6.1.
The above proposition defines a correspondence between signature schemes,
Using this notation, the following correspondence holds.
The argument of Uchiyama and Ogura in [21] is also valid for HS scheme defined over a field K. Therefore we have
Proposition 6.2.
Let R be a noncommutative ring over K of dimension r. Let $\tilde {F}$ be a public key of $\text {HS}(R;\,\tilde {n})$ . Then $\tilde {F}$ becomes a public key of $\text {Rainbow}(K;\,\overbrace {r,\ldots,r}^{\tilde {n}})$ .
Remark 6.2.
The above proposition shows that HS scheme is another construction of the uniformly-layered Rainbow, where “uniformly-layered” means that all components of the Rainbow parameters are equal. If arithmetic in the noncommutative ring R is efficient, the signature generation of HS scheme may be more efficient than that of the corresponding Rainbow.
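As an added worked example (Python written for this page, not code from the paper or from any implementation of HS scheme), the following block carries the signature generation of Section 4.2 through on the central map of $\text{HS}(Q_{p};\,3)$ and checks the Oil/Vinegar property behind Proposition 6.2. Everything not fixed by the text is an assumption of the example: the base field is GF(251) rather than GF(256) so that field arithmetic is integer arithmetic modulo a prime; R is the Hamilton-type quaternion algebra Q_{p} (i^{2}=j^{2}=−1, ij=−ji) with ϕ the coordinate map for the basis 1,i,j,ij; the central map components are taken as $\tilde {g}_{k}=\sum _{i,j\le k,\,(i,j)\ne (k,k)}x_{i}\alpha _{i,j}^{(k)}x_{j}+\sum _{i\le k}\beta _{i}^{(k)}x_{i}+\gamma ^{(k)}$ , which has the properties the text states (noncommutative coefficients, a polynomial in x_{1},…,x_{ k } of degree at most 1 in x_{ k }) but whose placement of the coefficients is our choice; and the affine maps A_{1},A_{2} are omitted, so the block inverts $\tilde {G}$ rather than the full public key $\tilde {F}$ . With this shape each layer's equation (11) is a Sylvester-type equation Lx+xR′=a′ over Q_{p}, which is exactly the case Remark 4.1 is about: it is not solved by a single inverse, but it is a 4×4 linear system over GF(p) in ϕ(x), and it is singular with small probability, which is the "return to Step 1" branch.

```python
import random

P = 251        # prime modulus: GF(251) stands in for the paper's GF(256) (our assumption)
R = 4          # r = rank of the quaternion algebra Q_p over GF(p)
ZERO, ONE = (0, 0, 0, 0), (1, 0, 0, 0)

def qmul(x, y):  # product in Q_p (i^2 = j^2 = -1, ij = -ji) in coordinates phi(x) w.r.t. 1, i, j, ij
    a, b, c, d = x
    e, f, g, h = y
    return ((a*e - b*f - c*g - d*h) % P, (a*f + b*e + c*h - d*g) % P,
            (a*g - b*h + c*e + d*f) % P, (a*h + b*g - c*f + d*e) % P)
def qadd(x, y): return tuple((u + v) % P for u, v in zip(x, y))
def qsub(x, y): return tuple((u - v) % P for u, v in zip(x, y))
def qrand(): return tuple(random.randrange(P) for _ in range(R))

def solve_mod_p(A, b):
    """Gaussian elimination over GF(p) for the square system A x = b; None if A is singular."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None: return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(u - f * v) % P for u, v in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def nc_linear_solve(terms, c, a):
    """Solve sum_i p_i x q_i + c = a for x in Q_p (Remark 4.1): the left side is GF(p)-linear in
    phi(x), so its 4x4 matrix is read off from the images of 1, i, j, ij and we solve over GF(p)."""
    def apply(x):
        acc = ZERO
        for p, q in terms:
            acc = qadd(acc, qmul(qmul(p, x), q))
        return acc
    cols = [apply(tuple(int(s == t) for t in range(R))) for s in range(R)]
    A = [[cols[s][t] for s in range(R)] for t in range(R)]
    x = solve_mod_p(A, list(qsub(a, c)))
    return None if x is None else tuple(x)

def central_map(n_tilde):
    """Layers g~_2..g~_{n~} (0-based indices). Assumed shape, consistent with the text but not
    fixed by it: g~_k = sum_{i,j<=k,(i,j)!=(k,k)} x_i a_ij x_j + sum_{i<=k} b_i x_i + c."""
    layers = []
    for k in range(1, n_tilde):
        alpha = {(i, j): qrand() for i in range(k + 1) for j in range(k + 1) if (i, j) != (k, k)}
        layers.append((alpha, [qrand() for _ in range(k + 1)], qrand()))
    return layers

def g_eval(layer, xs):
    alpha, beta, gamma = layer
    acc = gamma
    for (i, j), a in alpha.items():
        acc = qadd(acc, qmul(qmul(xs[i], a), xs[j]))
    for i, b in enumerate(beta):
        acc = qadd(acc, qmul(b, xs[i]))
    return acc

def G_invert(layers, A, max_tries=64):
    """Steps 1-3 of the signature generation: return B with G~(B) = A, or None."""
    for _ in range(max_tries):
        b = [qrand()]                                            # Step 1: random b_1
        for k, (alpha, beta, gamma) in enumerate(layers, start=1):  # Step 2, layer by layer
            terms, const = [], gamma                             # substitute x_1..x_{k-1}
            for (i, j), a in alpha.items():
                if j == k: terms.append((qmul(b[i], a), ONE))     # x_i a x_k: left coefficient
                elif i == k: terms.append((ONE, qmul(a, b[j])))   # x_k a x_j: right coefficient
                else: const = qadd(const, qmul(qmul(b[i], a), b[j]))
            for i, bb in enumerate(beta):
                if i == k: terms.append((bb, ONE))
                else: const = qadd(const, qmul(bb, b[i]))
            x = nc_linear_solve(terms, const, A[k - 1])           # equation (11) for this layer
            if x is None: break                                  # singular: back to Step 1
            b.append(x)
        else:
            return b                                             # Step 3
    return None

def is_affine_in_last_var(layer, vinegar):
    """Oil/Vinegar structure behind Proposition 6.2: with x_1..x_{k-1} fixed, x_k -> g~_k is
    GF(p)-affine; over a prime field, additivity is enough to show this."""
    x, y = qrand(), qrand()
    f = lambda z: g_eval(layer, vinegar + [z])
    return qadd(f(qadd(x, y)), f(ZERO)) == qadd(f(x), f(y))

def demo(n_tilde=3, seed=1):
    random.seed(seed)
    layers = central_map(n_tilde)
    A = [qrand() for _ in range(n_tilde - 1)]                   # A = A_1^{-1}(M) in the paper
    B = G_invert(layers, A)
    if B is None: return False, False
    ok = [g_eval(layer, B) for layer in layers] == A
    structure = all(is_affine_in_last_var(lay, B[:k]) for k, lay in enumerate(layers, start=1))
    return ok, structure
```

Calling demo() returns (True, True): the first value says the layer-by-layer solution B satisfies $\tilde {G}(\mathbf {B})=\mathbf {A}$ , the second that every layer is affine in its last ring variable once the earlier ones are fixed, which in the coordinates ϕ is the statement that no two coordinates of x_{ k } are multiplied together, i.e. the Oil×Oil-free structure of Rainbow(K; r,r,r) with r=4. The 4×4 solve in nc_linear_solve is the O(l^{3}) step that Section 8 compares with the O(d^{3}) solve of the corresponding Rainbow.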
6.3 Security analysis for attacks against Rainbow
Proposition 6.2 implies that attacks against Rainbow are applicable to the extended HS scheme over K. In this section, we analyze security of the extended HS scheme against wellknown attacks against Rainbow.
6.3.1 Attacks against Rainbow
Here, we summarize the known attacks against Rainbow reported in previous papers, and analyze the security against each of them. The relevant known attacks against Rainbow are as follows.
 (1) UOV attack [4,13,14]
 (2) MinRank attack [3,11,22]
 (3) HighRank attack [10,11,17]
 (4) direct attack [2,4,23]
 (5) Rainbow-Band-Separation (RBS) attack [10,16]
 (6) UOV-Reconciliation (UOVR) attack [10,16]
The direct attacks try to solve the system of equations F(X)=M given the public key F and a (fixed) message M [2,23]. By contrast, the goal of the other attacks is to recover a part of the secret key. In the case of the UOV attack or the HighRank attack, for example, the target Rainbow with parameters v_{1},o_{1},…,o_{ t } is reduced to a Rainbow with simpler parameters, such as v_{1},o_{1},…,o_{t−1} without o_{ t }, and the original Rainbow can then be broken with lower complexity. To carry out such a reduction we need to find (a part of) a direct sum decomposition of the vector space K^{n},
because expressing the public key in a basis adapted to this decomposition recovers the central map. In fact, if we can decompose $K^{n}=W\oplus K^{o_{t}}$ for some W (a coarser decomposition than (13)), then the security of Rainbow(K; v_{1},o_{1},…,o_{ t }) reduces to that of Rainbow(K; v_{1},o_{1},…,o_{t−1}). There are two methods for finding this decomposition: (1) Find a simultaneous isotropic subspace of K^{n}. Let V be a vector space over K and Q_{1} a quadratic form on V. A subspace W of V is called isotropic (with respect to Q_{1}) if
for all v_{1},v_{2}∈W. Suppose V is also equipped with quadratic forms Q_{2},…,Q_{ m }. A subspace W of V is called simultaneously isotropic if W is isotropic with respect to all of Q_{1},…,Q_{ m }.
In Rainbow, m quadratic forms on K^{n} are defined by the quadratic parts of the public polynomials of F. Note that the subspace $\phantom {\dot {i}\!}K^{o_{t}}$ appearing in (13) is a simultaneous isotropic subspace of K^{n}. If we find a simultaneous isotropic subspace, the basis of $\phantom {\dot {i}\!}K^{o_{t}}$ is then obtained and the above attack is feasible. The UOV, UOVR and RBS attacks are classified as being of this type. (2) Find a quadratic form with the minimum or second maximum rank. When the quadratic part of the kth public polynomial of F in Rainbow is expressed as
we associate it with a symmetric matrix S_{ k }=A+A^{T}, where $A=\left (a_{\textit {ij}}^{(k)}\right)$ . We define
which is the vector space over K spanned by the matrices $S_{v_{1}+1},\ldots,S_{n}$ . For example, if we find a matrix of rank v_{2}=v_{1}+o_{1} in $\mathcal {A}$ , there is a high probability that its image coincides with $K^{v_{1}}\oplus K^{o_{1}}$ appearing in (13).
Therefore, we obtain the decomposition of $\phantom {\dot {i}\!}K^{n}=(K^{v_{1}}\oplus K^{o_{1}})\oplus W'$ for some W^{′} that is a coarser decomposition than (13). The MinRank and HighRank attacks are classified as being of this type.
The details of the above-mentioned six attacks can be found in [16].
6.4 Security against known attacks
6.4.1 UOV attack
Let L_{2} be the linear part of A_{2} and let $\mathcal {O}_{t}=L_{2}^{-1}(\{0\}^{n-o_{t}}\times K^{o_{t}})$ be the subspace of K^{n} corresponding to $K^{o_{t}}$ in (13). The UOV attack looks for a nontrivial invariant subspace of $W_{12}=W_{1}W_{2}^{-1}$ that is contained in $\mathcal {O}_{t}$ , for invertible matrices $W_{1},W_{2}\in \mathcal {A}$ . The analysis in [13] shows that the probability that W_{12} has a nontrivial invariant subspace contained in $\mathcal {O}_{t}$ is about $q^{-(n-2o_{t})}$ . This follows from the following lemma.
Lemma6.1.
([8] Lemma 3.2.4) Let J:K^{n}→K^{n} be an invertible linear map such that

1.
there exist two subspaces $\mathcal {O}^{\prime }\subset \mathcal {V}^{\prime }$ of K^{n} of dimensions o^{′} and v^{′}, respectively, and

2.
$J(\mathcal {O}^{\prime })\subset \mathcal {V}^{\prime }$ .
Then the probability that J has a nontrivial invariant subspace in $\mathcal {O}^{\prime }$ is no less than $q^{o^{\prime }-v^{\prime }}$ .
This lemma also applies to the extended HS scheme through Proposition 6.2, so the complexity of the attack is the same as for the corresponding Rainbow. From the complexity of the UOV attack [13] and Proposition 6.2 we have
Proposition 6.3.
Let a=log_{2}(♯K). $\text {HS}(R;\,\tilde {n})$ has a security level of l bits against the UOV attack if
Remark 6.3.
The UOV attack is more efficient for balanced Oil and Vinegar than for general Unbalanced Oil and Vinegar. Therefore we should not choose $\tilde {n}=2$ in the extended HS scheme; otherwise HS scheme corresponds to a balanced Oil and Vinegar scheme.
6.4.2 MinRank attack
In the MinRank attack, we solve MinRank(v_{2}) for $\mathcal {A}$ . If, for some v∈K^{n}, there is a nontrivial $P\in \mathcal {A}$ such that Pv=0, then with high probability P is a solution of MinRank(v_{2}). For a given v∈K^{n}, the probability that such a nontrivial $P\in \mathcal {A}$ exists is roughly $q^{-v_{2}}$ . This also holds for the extended HS scheme. Therefore, from [11], we have the following proposition:
Proposition 6.4.
Let a=log_{2}(♯K). Assume that $r\tilde {n}$ . Then $\text {HS}(R;\,\tilde {n})$ has a security level of l bits against the MinRank attack if
6.4.3 HighRank attack
In the HighRank attack, we look for an element $W\in \mathcal {A}$ with rank(W)=v_{ t }. For a random $W\in \mathcal {A}$ , the probability that its rank equals v_{ t } is $q^{-o_{t}}$ . This also holds for the extended HS scheme. Therefore, from [11], we have the following proposition:
Proposition 6.5.
Let a=log_{2}(♯K). Assume that n≥m. Then $\text {HS}(R;\,\tilde {n})$ has a security level of l bits against the HighRank attack if
6.5 Direct attacks and others
From Proposition 6.2, the public key of the extended HS scheme is exactly equal to that of the corresponding Rainbow. Therefore, the complexity against the direct attacks is estimated to be the same for the extended HS scheme as for the original Rainbow corresponding to it. Similarly, the complexities against the RBS and UOVR attacks are estimated to be the same for the extended HS scheme as for the corresponding Rainbow.
The complexities of the direct, RBS and UOVR attacks were discussed by Petzoldt et al. [16], and we follow their data regarding the complexities of these attacks. In particular, the complexities of the direct and UOVR attacks are equivalent.
Total security and secure parameters
Based on the security analysis in the last section, we present secure parameters and their sizes for $\text {HS}(R;\,\tilde {n})$ , where R is a noncommutative ring of rank r over K=GF(256). We adopt the parameters of Petzoldt et al. [16] for estimating the security against the direct, UOVR and RBS attacks. For the other attacks, Propositions 6.3, 6.4 and 6.5 give the following criteria for l-bit security: let a be the bit length of q and r the dimension of R. For $\text {HS}(R;\,\tilde {n})$ we have $n=r\tilde {n},\ m=r(\tilde {n}-1)$ , and we assume n>m.

1.
UOV attack n−2r≥l/a+1.

2.
MinRank attack 2r≥l/a.

3.
HighRank attack r≥l/a.
The above condition for the UOV attack requires $\tilde {n}\ge 3$ for a secure HS scheme. Table 1 presents the complexity of each attack against the extended HS scheme over a noncommutative ring R over GF(256) with $\tilde {n}=3$ . Table 1 shows that the UOV attack is the strongest of the analyzed attacks.
Efficiency of HS scheme
Any noncommutative ring R can be embedded in a matrix ring $\mathbb {M}(l,K)$ for some positive integer l. If l can be chosen small, arithmetic in R becomes efficient. In the signature generation of our proposed scheme, we have to solve several systems of linear equations of the form $\mathcal {A}\mathcal {X}=\mathcal {B}\ (\mathcal {A},\mathcal {B}\in \mathbb {M}(l,K))$ for the unknown matrix $\mathcal {X}\in \mathbb {M}(l,K)$ . If Gaussian elimination is used, the number of field multiplications needed to solve such a system is O(l^{3}).
On the other hand, in the signature generation of the corresponding Rainbow the number of field multiplications is O(d^{3}), where d is the dimension of R, because of Proposition 6.2. Thus, if l<d, the signature generation of our proposed scheme is more efficient than that of the corresponding Rainbow.
8.1 Efficiency in the case of group ring of dihedral group
To compare the efficiency of signature generation in HS scheme and in the corresponding Rainbow, we introduce the dihedral group and its realization. Let m be a positive integer. $M_{1}=(a_{\textit {ij}}),M_{2}=(b_{\textit {ij}})\in \mathbb {M}(m,K)$ are defined as
We write D_{ m } for the group generated by M_{1} and M_{2}; D_{ m } is isomorphic to the dihedral group of order 2m [7]. Let K[ D_{ m }] denote the group ring of D_{ m } with coefficients in K. It is a noncommutative ring of dimension 2m−1 realized in $\mathbb {M}(m,K)$ , and it is closed under transposition because the transpose of each element of D_{ m } is its inverse, which again lies in D_{ m }. Therefore K[ D_{ m }] can be used as the base ring of HS scheme. Table 2 compares the efficiency of signature generation in HS scheme and in the corresponding Rainbow. The noncommutative rings used for HS scheme in the table are K[ D_{ m }] with K=GF(256) and m=10,11,12,13. We take $\tilde {n}=3$ for each HS scheme, so that by Proposition 6.2 the Rainbow corresponding to HS(K[ D_{ m }];3) is Rainbow(K;r,r,r) with r=2m−1. For the comparison we count multiplications in GF(256): M_{sig}(HS(R;3)) (resp. M_{sig}(Rainbow(GF(256);r,r,r))) denotes the number of multiplications in the signature generation of HS(R;3) (resp. Rainbow(GF(256);r,r,r)). Table 2 shows that the signature generation of HS scheme is about 50% faster than that of the corresponding Rainbow.
Concluding remarks
We analyzed the security of the extended HS scheme and presented secure parameters for it. The attacks considered in the security analysis are the attack of Coppersmith, Stern and Vaudenay on the Birational Permutation scheme, the two attacks of Coppersmith on the Sato-Araki scheme, and the attacks against Rainbow. Based on the security analysis, we estimated secure parameters of the extended HS scheme. If the noncommutative ring used in the extended HS scheme is chosen as the group ring associated to a dihedral group, the signature generation can be accelerated by about 50% in comparison with the corresponding Rainbow.
References
1. Adleman, L.M., Estes, D.R., McCurley, K.S.: Solving bivariate quadratic congruences in random polynomial time. Math. Comput. 48, 17–28 (1987).
2. Bernstein, D.J., Buchmann, J., Dahmen, E.: Post Quantum Cryptography. Springer, Berlin Heidelberg (2009).
3. Billet, O., Gilbert, H.: Cryptanalysis of Rainbow. In: SCN'06, Springer LNCS 4116, pp. 336–347. Springer, Berlin Heidelberg (2006).
4. Braeken, A., Wolf, C., Preneel, B.: A study of the security of unbalanced oil and vinegar signature schemes. In: CT-RSA'05, Springer LNCS 3376, pp. 29–43. Springer, Berlin Heidelberg (2005).
5. Coppersmith, D.: Weakness in quaternion signatures. In: CRYPTO'99, Springer LNCS 1666, pp. 305–314; J. Cryptology (2001).
6. Coppersmith, D., Stern, J., Vaudenay, S.: The security of the birational permutation signature scheme. J. Cryptology 10, 207–221 (1997).
7. Dummit, D.S., Foote, R.M.: Abstract Algebra. John Wiley & Sons, Inc. (2006).
8. Ding, J., Gower, J.E., Schmidt, D.S.: Multivariate Public Key Cryptosystems, Advances in Information Security 25. Springer, New York (2006).
9. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: ACNS'05, Springer LNCS 3531, pp. 164–175. Springer, Berlin Heidelberg (2005).
10. Ding, J., Yang, B.Y., Chen, C.H.O., Chen, M.S., Cheng, C.M.: New differential-algebraic attacks and reparametrization of Rainbow. In: Springer LNCS 5037, pp. 242–257. Springer, Berlin Heidelberg (2008).
11. Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: ASIACRYPT'00, Springer LNCS 1976, pp. 44–57. Springer, Berlin Heidelberg (2000).
12. Hashimoto, Y., Sakurai, K.: On construction of signature schemes based on birational permutations over noncommutative. Presented at the 1st International Conference on Symbolic Computation and Cryptography (SCC2008), Beijing, April 2008. ePrint: http://eprint.iacr.org/2008/340.
13. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar schemes. In: EUROCRYPT'99, Springer LNCS 1592, pp. 206–222. Springer, Berlin Heidelberg (1999).
14. Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature scheme. In: CRYPTO'98, Springer LNCS 1462, pp. 257–266. Springer, Berlin Heidelberg (1998).
15. Ong, H., Schnorr, C.P., Shamir, A.: An efficient signature scheme based on quadratic equations. In: Proc. 16th ACM Symp. Theory Comp., pp. 208–216. Springer, Berlin Heidelberg (1984).
16. Petzoldt, A., Bulygin, S., Buchmann, J.: Selecting parameters for the Rainbow signature scheme. In: PQCrypto'10, Springer LNCS 6061, pp. 218–240. Springer, Berlin Heidelberg (2010).
17. Petzoldt, A., Bulygin, S., Buchmann, J.: CyclicRainbow - a multivariate signature scheme with a partially cyclic public key based on Rainbow. In: INDOCRYPT'10, Springer LNCS 6498, pp. 33–48. Springer, Berlin Heidelberg (2010).
18. Pollard, J.M., Schnorr, C.P.: An efficient solution of the congruence $x^{2}+ky^{2}\equiv m \pmod{n}$. IEEE Trans. Inf. Theory IT-33, 702–709 (1987).
19. Satoh, T., Araki, K.: On construction of signature scheme over a certain noncommutative ring. IEICE Trans. Fundamentals E80-A, 702–709 (1997).
20. Shamir, A.: Efficient signature schemes based on birational permutations. In: CRYPTO'93, Springer LNCS 773, pp. 1–12. Springer, Berlin Heidelberg (1994).
21. Uchiyama, S., Ogura, N.: Cryptanalysis of the birational permutation signature scheme over a noncommutative ring. JSIAM Lett. 2, 85–88 (2010). ePrint: http://eprint.iacr.org/2009/245.
22. Yang, B.Y., Chen, J.M.: Building secure tame-like multivariate public-key cryptosystems: the new TTS. In: ACISP'05, Springer LNCS 3574, pp. 518–531. Springer, Berlin Heidelberg (2005).
23. Yang, B.Y., Chen, J.M.: All in the XL family, theory and practice. In: ICISC'04, Springer LNCS 3506, pp. 67–86. Springer, Berlin Heidelberg (2005).
24. Yasuda, T., Sakurai, K.: A security analysis of uniformly-layered Rainbow: revisiting Sato-Araki's noncommutative approach to Ong-Schnorr-Shamir signature towards post-quantum paradigm. In: PQCrypto'11, Springer LNCS 7071, pp. 275–294. Springer, Berlin Heidelberg (2011).
25. Yasuda, T., Sakurai, K., Takagi, T.: Reducing the key size of Rainbow using noncommutative rings. In: CT-RSA'12, Springer LNCS 7178, pp. 68–83. Springer, Berlin Heidelberg (2012).
Acknowledgments
This work has been supported by “Strategic Information and Communications R&D Promotion Programme (SCOPE), no. 01590172”, Ministry of Internal Affairs and Communications, Japan.
Keywords
 Public key cryptography
 Multivariate public key cryptosystems
 Rainbow
 Post-quantum cryptography