A security analysis of uniformly-layered rainbow defined over non-commutative rings

Hashimoto and Sakurai proposed a signature scheme (HS scheme), whose security is based on the difficulty of integer factorization. In this paper, we redefine HS scheme as a signature scheme in Multivariate Public Key Cryptosystems (MPKC). MPKC are public key cryptosystems whose security is based on the difficulty of solving multivariate quadratic equations, and candidates for post-quantum cryptography. In this paper, we analyze the security of the extended HS scheme using technique of security analysis for MPKC. Furthermore, based on the security analysis of the extended HS scheme, we estimate secure parameters of the extended HS scheme.

In 1984, Ong, Schnorr and Shamir [15] proposed an efficient signature scheme (OSS signature scheme) using a bivariate quadratic equation,

where h,m are integers and N is a composite number whose factorization is difficult. The security of this scheme was supposed to be based on the difficulty of integer factorization. However, Pollard and Schnorr proposed an algorithm to solve the equation (1) efficiently without the factorization of N [18]. Then OSS signature scheme would be extended to scheme using multivariate variables and scheme using non-commutative rings.

In 1994, Shamir [20] proposed a multivariate variant of OSS signature scheme, which is called Birational Permutation scheme. However, Coppersmith, Stern and Vaudenary [6] gave an efficient attack by observing linear combination of components of the public key. In 1997, Sato and Araki [19] proposed a new scheme extended from OSS signature scheme using quaternion algebra. Namely, \(\mathbb {Z}/N\mathbb {Z}\) in OSS signature scheme is replaced by a quaternion algebra over \(\mathbb {Z}/N\mathbb {Z}\). However, Coppersmith [5] gave two efficient attacks using special property of quaternion algebra. In 2008, Hashimoto and Sakurai [12] proposed a new scheme (HS scheme) including property of both Birational Permutation scheme and Sato-Araki scheme. In 2010, Uchiyama and Ogura [21] showed that this scheme is reduced to Rainbow [9], which is a signature scheme in the multivariate public key cryptosystem (MPKC), and discussed possibility of forgery in case of HS scheme with small size.

In this paper, we extend HS scheme to a signature scheme in MPKC. Therefore, the security of the extended HS scheme is no longer based on the difficulty of integer factorization. Generally, schemes in MPKC are expected to resist attacks using quantum computer, Moreover, we show that the extended HS scheme has an efficient signature generation.

On the other hand, Yasuda et al. [25] proposed another signature scheme “NC-Rainbow” in MPKC, which is an extension of a signature scheme called “Rainbow” using non-commutative rings. The paper [25] analyzed the security of NC-Rainbow for attacks against the original Rainbow, and estimated the secure parameters of NC-Rainbow.

In this paper, we analyze the security of the extended HS scheme. The attacks analyzed in this paper are 1) the attack against Birational Permutation scheme, 2) the attack against Sato-Araki scheme, and the attacks against Rainbow: 3) UOV [4,13,14], 4) MinRank [3,11,22], 5) HighRank [10,11,17], 6) direct [2,4,23], 7) Rainbow-Band-Separation (RBS) [10,16], and (8) UOV-Reconciliation (UOV-R) attacks [10,16].

This paper is basically a journal version of the paper [24]. However, the attacks analyzed in the paper [24] are from 1) to 5) above. In this paper, we add the security analysis against the attacks 6), 7) and 8). Moreover, we present secure parameters of the extended HS scheme for several security levels.

In this section, we summarize the attack of Coppersmith, Stern and Vaudenary against Birational Permutation scheme [6]. We will analyze this attack in the extended HS scheme later. First, we describe Birational Permutation scheme [20].

Let p,q be primes and N=pq. Assume that the factorization of N is difficult. Let n be a natural number. For k=2,3,…,n, we define \(g_{k}:(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow \mathbb {Z}/N\mathbb {Z}\) by a homogeneous quadratic polynomial over \(\mathbb {Z}/N\mathbb {Z}\),

where \(a_{\textit {ij}}\in \mathbb {Z}/N\mathbb {Z}\). The central map of Birational Permutation scheme is constructed by

The key generation, the signature generation and the verification of Birational Permutation scheme are described as follows.

Key Generation. The secret key consists of primes p,q and the central map G and two affine (linear) transformations \(A_{1}:(\mathbb {Z}/N\mathbb {Z})^{n-1}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n-1},\ A_{2}:(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n}.\) The public key consists of N and the composite map \(F=A_{1}\circ G\circ A_{2}=(\,f_{2},f_{3},\ldots,f_{n}):(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n-1}.\)

Signature Generation. Let \(\mathbf {M}\in (\mathbb {Z}/N\mathbb {Z})^{n-1}\) be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), B=G⁻¹(A), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is \(\mathbf {C}\in (\mathbb {Z}/N\mathbb {Z})^{n}\). Here G⁻¹(A) stands for an element of preimage of A through G.

Verification. If F(C)=M, then the signature is accepted, otherwise rejected.

2.1 Attack against birational permutation scheme

It is believed that solving general equations over \(\mathbb {Z}/N\mathbb {Z}\) is more difficult than that over a finite field. The security of Birational Permutation scheme was based on the difficulty of solving the problem over \(\mathbb {Z}/N\mathbb {Z}\). However, Coppersmith, Stern and Vaudenary gave an efficient algorithm [6] to compute A₂, a part of the secret key, without solving equations over \(\mathbb {Z}/N\mathbb {Z}\).

For simplicity, assume that A₂ are linear transformations. We write A,B for the matrix expression of linear parts of A₁,A₂, respectively, and g _k ,f _k (k=2,3,…,n) are denoted by

for some \(F_{k},G_{k}\in \mathbb {M}(n,\mathbb {Z}/N\mathbb {Z})\). (T means the transpose operator.) Since

for A=(a _kl ), we have

For a variable λ and 1≤k₁,k₂≤n,

In particular, the determinant of this matrix is factored by \(\left (a_{k_{1}n}\,-\,\lambda a_{k_{2}n}\right)^{2}\). From (2), the determinant of \(F_{k_{1}}-\lambda F_{k_{2}}\) is factored by \(\left (a_{k_{1}n}\,-\,\lambda a_{k_{2}n}\right)^{2}\). Therefore \(a_{k_{1}n}/a_{k_{2}n}\), which is denoted by λ₀, is computed by the public key. By calculating the kernel and the image of \(F_{k_{1}}-\lambda _{0} F_{k_{2}}\), \((\mathbb {Z}/N\mathbb {Z})^{n}\) is decomposed as

Continuing this operation, finally we have a decomposition

by subspaces with rank 1 over \(\mathbb {Z}/N\mathbb {Z}\). By rewriting the public key by a basis along the above decomposition, one obtains a system of equations with the same form as the central map, therefore a signature is forged.

In this section, we summarize two attacks of Coppersmith against Sato-Araki scheme. We will analyze these attack in the extended HS scheme later.

Sato-Araki scheme [19] uses a quaternion algebra over \(\mathbb {Z}/N\mathbb {Z}\). Let R be a \(\mathbb {Z}/N\mathbb {Z}\)-analogue of the Hamilton’s quaternion algebra. Namely, R is defined by

and i²=j²=−1, ij=−ji. R is identified with a subring of a matrix ring by the embedding homomorphism,

Here, we identify i with the imaginary unit \(\sqrt {-1}\). Note that R is closed by the transpose operation. Sato-Araki scheme is described as follows.

Key Generation. The secret key consists of primes p,q and u∈R^×. The public key consists of N=pq and h:=−(u^T)⁻¹u⁻¹∈R.

Signature Generation. Let M∈R be a message such that M=M^T. Choose ρ∈R^× randomly. We compute C₁:=ρ⁻¹M+ρ^T, C₂:=u(ρ⁻¹M−ρ^T)∈R. (C₁,C₂) is a signature.

Verification. If \(\mathbf {C}_{1}^{T}\,\mathbf {C}_{1}+\mathbf {C}_{2}^{T}\,h\mathbf {C}_{2}=4\mathbf {M}\) then the signature is accepted, otherwise rejected.

Remark3.1.

The security of Sato-Araki scheme is based on the difficulty of solving the equation over R with respect to X₁,X₂,

for any M∈R. Since the signer knows p and q, the signer can find a solution of (5) by the procedure of above signature generation.

3.1 Attacks against Sato-Araki scheme

The problem of solving the equation (5) is reduced to the problem of solving a equation over R,

However, Coppersmith proposed two efficient attacks [5] by using special property of a quaternion algebra without the factorization of N.

3.1.1 Coppersmith’s first attack

The first attack of Coppersmith is a chosen message attack. For i=1,2,3, let \(\left (\textbf {C}_{1}^{(i)},\textbf {C}_{2}^{(i)}\right)\) be signatures for messages M _i . The following fact is the key of the attack: For i=1,2,3,

where u is a component of the secret key. Then these span a subspace {δ=δ^T∈R}=Span{i,j,ij} of rank 3 with high probability. One can compute X∈R satisfying

which is determined up to scalars. Therefore, X is proportional to u. It is not difficult to compute u from X.

3.1.2 Coppersmith’s second attack

The second attack of Coppersmith is based on the existence of the following algorithm.

Proposition3.1.

([1]) Let N be an odd positive integer and f(x,y) a bivariate quadratic polynomial over \(\mathbb {Z}/N\mathbb {Z}\). Δ(f) denotes the discriminant of f defined as in [1]. If gcd(Δ(f),N)=1, then there exists an algorithm which gives a solution to f(x,y)=0 with probability 1−ε, and requires O(log(ε⁻¹ logN) log4N) arithmetic operations on integers of size O(logN) bits.

If x,y∈R are written as

then the equation over R,

is rewritten by three quadratic equations with respect to 8 variables x₀,x₁,…,y₃. By a simplicity of equation (7) and property of quaternion algebra, the problem of solving the system of these quadratic equations can be reduced to that of some bivariate quadratic equations. Therefore a signature can be forged from the above proposition.

HS scheme [12] is a signature scheme having properties of both birational permutation scheme and Sato-Araki scheme. Since the security of HS scheme is based on the difficulty of integer factorization, the scheme defined over the ring \(\mathbb {Z}/N\mathbb {Z}\). However, we want to redefine HS scheme as a scheme in MPKC. Therefore, in this section, we define HS scheme in more general fashion such that our definition involves both the original HS scheme and our proposed scheme.

4.1 Non-commutative rings

Let L be either a field K and \(\mathbb {Z}/N\mathbb {Z}\). In this paper, we say that a L-algebra R is a non-commutative ring only if

1. 1.

   R is a free module over L with finite rank, and

2. 2.

   R is non-commutative.

Example4.1.

(Quaternion algebra) For a∈L^×, a non-commutative ring Q _L (a) is defined as follows:

Q _L (a) is a free module over L with rank 4. This is called a quaternion algebra. When \(L=\mathbb {Z}/N\mathbb {Z}\) and a=−1, R coincides with the quaternion algebra used in Sato-Araki scheme. If L=GF(q) and a=−1, we write simply Q _q instead of Q _L (a). Q _L (a) is embedded into a matrix ring:

If Q _L (a) is identified with the image of ι, any element in Q _L (a) is closed by transpose operation in Q _L (a). For v=c₁+c₂i+c₃j+c₄ij∈Q _L (a), the main involution v^∗ of v is defined by

Let R be a non-commutative ring over L and r its rank over L. Then there exists an L-linear isomorphism,

Using this isomorphism ϕ, an element α∈R can be represented by r elements in L.

4.2 HS scheme over L

Let R be a non-commutative ring over L of rank r and fix ϕ as in (10). In the rest of this paper, assume that R is realized as a subring of the matrix ring \(\mathbb {M}(s,L)\) for some \(s\in \mathbb {N}\), and closed by the transpose operation.

Let \(\tilde {n}\) be a positive integer. HS scheme deploys non-commutative multivariate polynomials as a central map:

where \(\alpha _{i,j}^{(k)},\beta _{i}^{(k)},\gamma ^{(k)}\in R\). Note that \(\tilde {g}_{k}\) is essentially a polynomial of k variables. The central map of HS scheme is constructed by

The key generation, the signature generation and the verification are described as follows.

Key Generation. The secret key consists of R, the central map \(\tilde {G}\) and two affine transformations \(A_{1}:L^{m}\rightarrow L^{m}\ (m=r\tilde {n}-r),\ A_{2}:L^{n}\rightarrow L^{n}\ (n=r\tilde {n})\). The public key consists of L and the composed map \(\tilde {F}=A_{1}\circ \phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\circ A_{2}:L^{n}\rightarrow L^{m}\), which is a system of m quadratic polynomials of n variables over L. We denote by \(\tilde {F}=\left (\,\tilde {f}_{r+1},\ldots,\tilde {f}_{n}\right)^{T}\).

Signature Generation. Let M∈L^m be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), B=G⁻¹(A), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is C∈Lⁿ. Here \(\mathbf {B}=\tilde {G}^{-1}(\mathbf {A})\) is computed by the following procedure.

Step 1 Choose a random element b₁∈R.

Step 2 For \(k=1,\ldots,\tilde {n}\), do the following operation recursively.

\(\tilde {g}_{k}\) is a non-commutative polynomial with respect to x₁,…,x _k . By the substitution x₁ = b₁, …, x_k−1 = b_k−1 to \(\tilde {g}_{k}\), a non-commutative polynomial \(\bar {g}_{k}\) of one variable x _k with at most 1 degree is obtained. We compute the solution b _k ∈R of

$$\begin{array}{*{20}l} \bar{g}_{k}(x_{k})=a_{k} \end{array} $$

((11))

where \(\mathbf {A}=(a_{i})\in R^{\tilde {m}}\). (If there is no solution, return to Step 1.)

Step 3 Set \(\mathbf {B}=(b_{1},\ldots,b_{\tilde {n}})\).

Verification. If \(\tilde {F}(\mathbf {C})=\mathbf {M}\) then the signature is accepted, otherwise rejected.

This scheme is denoted by \(\text {HS}(R;\,\tilde {n})\).

Remark4.1.

In general, it is difficult to solve a non-commutative equation (11) directly. However, if we fix a L-basis of R then it makes a new system of (commutative) linear equations with respect to the basis, which is easy to be solved in general. If R has an efficient arithmetic operation, the equation (11) can be solved more efficiently. For example, in the case of a quaternion algebra Q _L (a), its realization (8) enables to compute its arithmetic operation efficiently.

In the last section, we defined HS scheme over a non-commutative ring R. Here, we can take a non-commutative ring over a finite field K or a ring \(\mathbb {Z}/N\mathbb {Z}\). If R is defined over \(\mathbb {Z}/N\mathbb {Z}\), then the HS scheme becomes the original one. On the other hand, our proposed scheme is the HS scheme where R is defined over a finite field K.

First, we analyze the security of the extended HS scheme for attacks against the original Birational Permutation scheme and Sato-Araki scheme. As such attacks, there are the attack of Coppersmith, Stern and Vaudenary (CSV) attack [6] and the attacks of Coppersmith [5] has been analyzed [12]. These attacks can be extended those against HS scheme over \(\mathbb {Z}/N\mathbb {Z}\). Moreover, the extended attacks can be changed into attacks against the extended HS scheme over K easily. In this section, we analyze the security for these attacks against the extended HS scheme over K.

5.1 Security against CSV attack

In Birational Permutation scheme, only g _n includes the variable x _n in all the components of the central map G=(g₂,g₃,…,g _n ). Therefore we can extract the term of g _n from linear combinations of g₂,g₃,…,g _n by eliminating x _n . The components of the public key F=(f₂,f₃,…,f _n ) are expressed as linear combinations of g₂∘A₂,…,g _n ∘A₂ where A₂ is an affine transformation in the private key. Similarly as in the case of the central map, we can also extract the term of g _n ∘A₂ from the components. Then we have the decomposition (3) as we explained in § 2.1.

In HS scheme, only \(\tilde {g}_{n}\) includes the non-commutative variable x _n in all the components of the central map \(\tilde {G}=\left (\,\tilde {g}_{2},\tilde {g}_{3},\ldots,\tilde {g}_{n}\right)\). However, from linear combinations of \(\phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\) we can not eliminate x _n by the method in § 2.1 because the non-commutative variable x _n corresponds to r (commutative) variables. Therefore it is difficult to apply the CSV attack to HS scheme.

5.2 Security against Coppersmith’s first attack

The first attack is applicable for Sato-Araki scheme because a simple relation (6) holds for a part u of the secret key. However in HS scheme, a simple relation like as (6) for the secret key is not expected. Therefore it is difficult to extend this attack to HS scheme.

5.3 Security against Coppersmith’s second attack

There exists an efficient algorithm solving a system of bivariate quadratic equations modulo N (Proposition 3.1) and a system of equations appearing in Sato-Araki scheme can be reduced to some of bivariate quadratic equations modulo N. However HS scheme has many variables, and a system of equations appearing in the scheme is not expected to be reduced to a simple system of equations even if L=K. Therefore this attack is not more efficient than the direct attack which find a solution of a system of equations by XL, Gröbner basis algorithm, etc.

Uchiyama and Ogura [21] pointed out that the original HS scheme which is defined over \(\mathbb {Z}/N\mathbb {Z}\) can be rewritten by \(\mathbb {Z}/N\mathbb {Z}\)-analogue of Rainbow where the original Rainbow [9] is a multilayer variant of the Unbalanced Oil and Vinegar signature scheme [13]. This implies that the attacks against Rainbow are applicable to HS scheme.

6.1 Original Rainbow and its analogue

To deal with both the original Rainbow and its analogue over a finite field, we prepare Rainbow defined over L which is either K or \(\mathbb {Z}/N\mathbb {Z}\).

At first, we define parameters which determine the layer structure of Rainbow. Let t be the number of layers of Rainbow. Let v₁,…,v_t+1 be a sequence of positive t+1 integers such that

For h=1,…,t, the sets V _h ,O _h of indices of Vinegar and Oil variables of the h-th layer of Rainbow is defined by

The number of elements in O _h and V _h are v_h+1−v _h and v _h , respectively, and denote o _h =v_h+1−v _h . Note that the smallest integer in O₁ is v₁+1. We define n=v_t+1 which is the maximum number of the variables used in Rainbow.

Rainbow consists of t layers of multivariate polynomials of n variables. For h=1,2,…,t, the h-th layer of Rainbow deploys the following system of o _h multivariate polynomials:

where \(\alpha _{i,j}^{(k)},\beta _{i,j}^{(k)},\gamma _{i}^{(k)},\eta ^{(k)}\in L\). Note that g _k is essentially a polynomial of v _h +o _h variables. We call variables x _i (i∈O _h ) and x _j (i∈V _j ) the Oil and Vinegar variable, respectively. Then the central map of Rainbow is constructed by

Note that one of preimage of any element of \(\phantom {\dot {i}\!}L^{n-v_{1}}\) through G can be computed easily. For a system of o _h equations for the h-th layer,

becomes o _h linear equations of o _h variables for any \(\phantom {\dot {i}\!}\left (a_{v_{h}+1},\ldots,a_{v_{h+1}}\right)\in L^{o_{h}}\) and \(\phantom {\dot {i}\!}(b_{1},\ldots,b_{v_{h}})\in L^{v_{h}}\). The values of Oil variables in the h-th layer obtained by solving this linear equations are utilized as that of Vinegar variables in the (h+1)-th layer.

We describe the key generation, the signature generation and the verification of Rainbow in the following.

Generation. The secret key consists of the central map G and two affine transformations A₁:L^m→L^m (m=n−v₁), A₂:Lⁿ→Lⁿ. The public key consists of L, which is either a field K or \(\mathbb {Z}/N\mathbb {Z}\), and the composed map F=A₁∘G∘A₂:Lⁿ→L^m, which is a system of m quadratic polynomials of n variables over L. We denote by \(F=\left (\,f_{v_{1}+1},\ldots,f_{n}\right)^{\mathrm {T}}\).

Signature Generation. Let M∈L^m be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), B=G⁻¹(A), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is C∈Lⁿ. Remark that B=G⁻¹(A) can be easily computed by the above property of G.

Verification. If F(C)=M then the signature is accepted, otherwise rejected.

This scheme is denoted by Rainbow(L; v₁,o₁,…,o _t ), and we call v₁,o₁,…,o _t a parameter of Rainbow.

6.2 Reduction of HS scheme to Rainbow

Uchiyama and Ogura wrote down \(\phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\) for \(\text {HS}(\mathbb {Z}/N\mathbb {Z},\tilde {n})\) and showed the following [21].

Proposition6.1.

Let R be a non-commutative ring over \(\mathbb {Z}/N\mathbb {Z}\) of rank r. Let \(\tilde {F}\) be a public key of \(\text {HS}(R;\,\tilde {n})\). Then \(\tilde {F}\) becomes a public key of \(\text {Rainbow}(\mathbb {Z}/N\mathbb {Z};\,\overbrace {r,\ldots,r}^{\tilde {n}})\).

Remark6.1.

The above proposition defines a correspondent between signature schemes,

Using this notation, the following correspondence holds.

The argument of Uchiyama and Ogura in [21] is also valid for the case of HS scheme defined over field K. Therefore we have

Proposition6.2.

Let R be a non-commutative ring over K of dimension r. Let \(\tilde {F}\) be a public key of \(\text {HS}(R;\,\tilde {n})\). Then \(\tilde {F}\) becomes a public key of \(\text {Rainbow}(K;\,\overbrace {r,\ldots,r}^{\tilde {n}})\).

Remark6.2.

The above proposition shows that HS scheme is another way of construction of the uniformly-layered Rainbow, where “uniformly-layered" means all components in the parameter of Rainbow are equal. If the arithmetic operation of non-commutative ring R is efficient, then the signature generation of HS scheme may be more efficient than that of the corresponding Rainbow.

6.3 Security analysis for attacks against Rainbow

Proposition 6.2 implies that attacks against Rainbow are applicable to the extended HS scheme over K. In this section, we analyze security of the extended HS scheme against well-known attacks against Rainbow.

6.3.1 Attacks against Rainbow

Here, we summarize the known attacks against Rainbow that have been reported in previous papers, and we analyze the security against each attack. The known relevant attacks against Rainbow are as follows.

1. (1)

   Direct attacks [2,23],

2. (2)

   UOV attack [13,14],

3. (3)

   MinRank attack [3,11,22],

4. (4)

   HighRank attack [10,11,17],

5. (5)

   Rainbow-Band-Separation (RBS) attack [10,16],

6. (6)

   UOV-Reconciliation (UOV-R) attack [10,16].

The direct attacks try to solve a system of equations F(X)=M from public key F and (fixed) message M [2,23]. By contrast, the goal of the other attacks is to find a part of the secret key. In the case of a UOV attack or HighRank attack, for example, the target Rainbow with parameters v₁,o₁,…,o _t is then reduced into a version of Rainbow with simpler parameters such as v₁,o₁,…,o_t−1 without o _t . We can then break the original Rainbow with lower complexity. To carry out a reduction we need to find (a part of) a direct sum decomposition of vector space Kⁿ,

because expressing Kⁿ in an available basis enables returning the public key to the central map. In fact, if we can decompose \(\phantom {\dot {i}\!}K^{n}=W\oplus K^{o_{t}}\) for a certain W that has a coarser decomposition than (13) then the security of Rainbow(K; v₁,o₁,…,o _t ) can be reduced to that of Rainbow(K; v₁,o₁,…,o_t−1). There are two methods for finding this decomposition: (1) Find a simultaneous isotropic subspace of Kⁿ. Let V be a vector space over K, and let Q₁ be a quadratic form on V. We determine that a subspace W of V is isotropic (with respect to Q₁) if

for any v₁,v₂∈W. In addition, we assume that V is also equipped with quadratic forms Q₂,…,Q _m . We determine that a subspace W of V is simultaneously isotropic if W is isotropic with respect to all Q₁,…,Q _m .

In Rainbow, m quadratic forms on Kⁿ are defined by the quadratic parts of the public polynomials of F. Note that the subspace \(\phantom {\dot {i}\!}K^{o_{t}}\) appearing in (13) is a simultaneous isotropic subspace of Kⁿ. If we find a simultaneous isotropic subspace, the basis of \(\phantom {\dot {i}\!}K^{o_{t}}\) is then obtained and the above attack is feasible. The UOV, UOV-R and RBS attacks are classified as being of this type. (2) Find a quadratic form with the minimum or second maximum rank. When the quadratic part of the k-th public polynomial of F in Rainbow is expressed as

we associate it with a symmetric matrix S _k =A+A^T, where \(A=\left (a_{\textit {ij}}^{(k)}\right)\). We define

which is a vector space over K spanned by matrices \(S_{v_{1}+1},\ldots,S_{n}\). For example, if we find a matrix of rank v₂=v₁+o₁ in , there is a high probability that the image of this matrix coincides with \(\phantom {\dot {i}\!}K^{v_{1}}\oplus K^{o_{1}}\) appearing in (13).

Therefore, we obtain the decomposition of \(\phantom {\dot {i}\!}K^{n}=(K^{v_{1}}\oplus K^{o_{1}})\oplus W'\) for some W^′ that is a coarser decomposition than (13). The MinRank and HighRank attacks are classified as being of this type.

The details of abovementioned six attacks can be found in the literature [16].

6.4 Security against known attacks

6.4.1 UOV attack

Regard L₂ as the part of a linear transformation of A₂ and place \(\phantom {\dot {i}\!}\mathcal {O}_{t}=L_{2}^{-1}(\{0\}^{n-o_{t}}\times K^{o_{t}})\) as the subspace of Kⁿ corresponding to \(\phantom {\dot {i}\!}K^{o_{t}}\) appearing in (13). The UOV attack finds a non-trivial invariant subspace of \(W_{12}=W_{1}W_{2}^{-1}\) that is included in \(\mathcal {O}_{t}\) for invertible matrices \(W_{1},W_{2}\in \mathcal {A}\). The analysis in [13] shows that the probability that W₁₂ has a non-trivial invariant subspace included in \(\mathcal {O}_{t}\) is equal to \(\phantom {\dot {i}\!}q^{{n-2o}_{t}}\). This is obtained by the following lemma.

Lemma6.1.

([8] Lemma 3.2.4) Let J:Kⁿ→Kⁿ be an invertible linear map such that

1. 1.

   there exist two subspace \(\mathcal {O}^{\prime }\subset \mathcal {V}^{\prime }\) of Kⁿ where the dimensions of \(\mathcal {O}^{\prime }\) and \(\mathcal {V}^{\prime }\) are o^′ and v^′, respectively, and

2. 2.

   \(J(\mathcal {O}^{\prime })\subset \mathcal {V}^{\prime }\).

Then the probability that J has a non-trivial invariant subspace in \(\mathcal {O}^{\prime }\) is no less than \(q^{o^{\prime }-v^{\prime }}\).

This lemma is also available for the extended HS scheme through Proposition 6.2. This means that the complexity is the same as that of the corresponding Rainbow. From the complexity of the UOV attack [13] and Proposition 6.2 we have

Proposition6.3.

Let a=log₂(♯K). \(\text {HS}(R;\tilde {n})\) has a security level of l bits against the UOV attack if

Remark6.3.

The UOV attack is more efficient in the case of balanced Oil and Vinegar than in the case of general Unbalanced Oil and Vinegar. Therefore, we should not choose \(\tilde {n}=2\) in the extended HS scheme, otherwise, HS scheme corresponds to a balanced Oil and Vinegar scheme.

6.4.2 MinRank attack

In the MinRank attack, we solve MinRank(v₂) for . If there is a non-trivial \(P\in \mathcal {A}\) for a v∈Kⁿ such that Pv=0, there is high probability that P is a solution for MinRank(v₂). For v∈Kⁿ, the probability that a non-trivial \(\phantom {\dot {i}\!}P\in \mathcal {A}\) exists such that Pv=0 is roughly \(\phantom {\dot {i}\!}q^{-v_{2}}\). This is also true for the extended HS scheme. Therefore, from [11], we have the following proposition:

Proposition6.4.

Let a=log₂(♯K). Assume that \(r\tilde {n}\). Then \(\text {HS}(R;\,\tilde {n})\) has a security level of l bits against the MinRank attack if

6.4.3 HighRank attack

In the HighRank attack, we have an element \(W\in \mathcal {A}\) such that rank(W)=v _t . For any \(W\in \mathcal {A}\), the probability that its rank is equal to v _t is \(\phantom {\dot {i}\!}q^{-o_{t}}\). This is also true for the extended HS scheme. Therefore, from [11], we have the following proposition:

Proposition6.5.

Let a=log₂(♯K). Assume that n≥m. Then \(\text {HS}(R;\,\tilde {n})\) has a security level of l bits against the HighRank attack if

6.5 Direct attacks and others

From Proposition 6.2, the public key of the extended HS scheme is exactly equal to that of the corresponding Rainbow. Therefore, the complexity against the direct attacks is estimated to be the same for the extended HS scheme as for the original Rainbow corresponding to it. Similarly, the complexities against the RBS and UOV-R attacks are estimated to be the same for the extended HS scheme as for the corresponding Rainbow.

The complexities of the direct, RBS and UOV-R attacks were discussed by Petzoldt et al. [16], and we follow their data regarding the complexities of these attacks. In particular, the complexities of the direct and UOV-R attacks are equivalent.

Based on the security analysis in the last section, we try to present secure parameters and their length for \(\text {HS}(R;\,\tilde {n})\) where R is a non-commutative ring of rank r over K=GF(256). We adopt the parameters of Petzoldt et al. in [16] for estimating the security against the direct, UOV-R and RBS attacks. For other attacks, from Propositions 6.3, 6.4 and 6.5, the following criteria are used for l-bit security against these attacks: Let a be the bit length of q and r the dimension of R. For \(\text {HS}(R;\,\tilde {n})\), we have \(n=r\tilde {n},\ m=r(\tilde {n}-1)\) and we assume that n>m.

1. 1.

   UOV attack n−2r≥l/a+1.

2. 2.

   MinRank attack 2r≥l/a.

3. 3.

   HighRank attack r≥l/a.

From the above condition of UOV attack, \(\tilde {n}\ge 3\) is required in order to design a secure HS scheme. Table 1 presents the complexity against each attack for the extended HS scheme over a non-commutative ring R over GF(256) with \(\tilde {n}=3\). Table 1 shows that UOV attack is the strongest among all analyzed attacks.

Any non-commutative ring R can be embedded in a matrix ring \(\mathbb {M}(l,K)\) for some positive integer l. If we can choose a small l, the arithmetic operation of R becomes efficient. In the signature generation in our proposed scheme, we have to solve several systems of linear equations of the form, \(\mathcal {A}.\mathcal {X}=\mathcal {B}\ (\mathcal {A},\mathcal {B}\in \mathbb {M}(l,K))\) with respect to variable matrix \(\mathcal {X}\in \mathbb {M}(l,K)\). If we use Gaussian elimination to solve the above linear equations, the number of field multiplication in solving the linear equations has O(l³).

On the other hand, in the signature generation in the corresponding Rainbow the number of field multiplication has O(d³) where d is the dimension of R because of Proposition 6.2. Thus, if l<d is satisfied, the signature generation of our proposed scheme is more efficient than that of the corresponding Rainbow.

8.1 Efficiency in the case of group ring of dihedral group

To compare the efficiency of signature generation in HS scheme and the corresponding Rainbow, we prepare dihedral group and its realization. Let m be a positive integer. \(M_{1}=(a_{\textit {ij}}),M_{2}=(b_{\textit {ij}})\in \mathbb {M}(m,K)\) is defined as

We write D _m for the group generated by M₁ and M₂. D _m is isomorphic to the dihedral group with 2m elements [7]. K[ D _m ] denotes the group ring with coefficients in K and associated to D _m , then, it is a non-commutative ring of dimension 2m−1, realized in \(\mathbb {M}(m,K)\). K[ D _m ] is closed by a transpose operation because inverse operation on D _m is closed in D _m . Therefore we can use K[ D _m ] as a base ring in HS scheme. Table 2 compares the efficiency of the signature generation in HS scheme and the corresponding Rainbow. The non-commutative rings used in HS schemes in the table are chosen by K[ D _m ] where K=GF(256) and m=10,11,12,13. The number of layers in each HS scheme is chosen by 3, and then the corresponding Rainbow of HS(K[ D _m ];3) becomes Rainbow(K;r,r,r) with r=2m−1 by Proposition 6.2. We estimate the number of multiplication of GF(256) for efficiency comparison. M_sig(HS(R;3)) (resp. M_sig(R(GF(256);r,r,r))) stands for the number of multiplications in the signature generation in HS(R;3) (resp. Rainbow(GF(256);r,r,r)). Table 2 shows that the signature generation of HS scheme is about 50% faster than that of the corresponding Rainbow.

We analyzed the security of the extended HS scheme, and presented secure parameters of the extended HS scheme. The attacks we analyzed the security are the attack of Coppersmith, Stern and Vaudenary for Birational Permutation scheme, two attacks of Coppersmith for Sato-Araki scheme and attacks against Rainbow. Based on the security analysis, we estimate secure parameters of the extended HS scheme. If a non-commutative ring used in the extended HS scheme is chosen by the group ring associated to dihedral group, the speed of the signature generation can be accelerated by about 50% in comparison with the corresponding Rainbow.

This work has been supported by “Strategic Information and Communications R&D Promotion Programme (SCOPE), no. 0159-0172”, Ministry of Internal Affairs and Communications, Japan.

Authors and Affiliations

1. Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan

   Takanori Yasuda & Kouichi Sakurai

2. Kyushu University, Fukuoka, Japan

   Kouichi Sakurai

Corresponding author

Correspondence to Takanori Yasuda.

Open Access  This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.

The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

To view a copy of this licence, visit https://creativecommons.org/licenses/by/4.0/.

Reprints and permissions