# A security analysis of uniformly-layered rainbow defined over non-commutative rings

- Takanori Yasuda
- Kouichi Sakurai

**6**:1

https://doi.org/10.1186/s40736-014-0001-1

© Yasuda and Sakurai; licensee Springer 2014

**Received: **1 April 2014

**Accepted: **7 May 2014

**Published: **11 September 2014

## Abstract

Hashimoto and Sakurai proposed a signature scheme (HS scheme), whose security is based on the difficulty of integer factorization. In this paper, we redefine HS scheme as a signature scheme in Multivariate Public Key Cryptosystems (MPKC). MPKC are public key cryptosystems whose security is based on the difficulty of solving multivariate quadratic equations, and candidates for post-quantum cryptography. In this paper, we analyze the security of the extended HS scheme using technique of security analysis for MPKC. Furthermore, based on the security analysis of the extended HS scheme, we estimate secure parameters of the extended HS scheme.

### Keywords

Public key cryptography; Multivariate public key cryptosystems; Rainbow; Post-quantum cryptography

## Introduction

where *h*, *m* are integers and *N* is a composite number whose factorization is difficult. The security of this scheme was supposed to be based on the difficulty of integer factorization. However, Pollard and Schnorr proposed an algorithm that solves equation (1) efficiently without factoring *N* [18]. The OSS signature scheme was subsequently extended in two directions: to schemes using several variables, and to schemes using non-commutative rings.

In 1994, Shamir [20] proposed a multivariate variant of the OSS signature scheme, called the Birational Permutation scheme. However, Coppersmith, Stern and Vaudenay [6] gave an efficient attack by observing linear combinations of the components of the public key. In 1997, Sato and Araki [19] proposed a new scheme extending the OSS signature scheme to a quaternion algebra; namely, \(\mathbb {Z}/N\mathbb {Z}\) in the OSS signature scheme is replaced by a quaternion algebra over \(\mathbb {Z}/N\mathbb {Z}\). However, Coppersmith [5] gave two efficient attacks using special properties of the quaternion algebra. In 2008, Hashimoto and Sakurai [12] proposed a new scheme (HS scheme) combining properties of both the Birational Permutation scheme and the Sato-Araki scheme. In 2010, Uchiyama and Ogura [21] showed that this scheme can be reduced to Rainbow [9], a signature scheme in the multivariate public key cryptosystem (MPKC) family, and discussed the possibility of forgery for HS scheme with small parameters.

In this paper, we extend HS scheme to a signature scheme in MPKC. Therefore, the security of the extended HS scheme is no longer based on the difficulty of integer factorization. Generally, schemes in MPKC are expected to resist attacks using quantum computers. Moreover, we show that the extended HS scheme has an efficient signature generation.

On the other hand, Yasuda et al. [25] proposed another signature scheme in MPKC, “NC-Rainbow”, which is an extension of the signature scheme “Rainbow” using non-commutative rings. The paper [25] analyzed the security of NC-Rainbow against the attacks known for the original Rainbow, and estimated secure parameters of NC-Rainbow.

In this paper, we analyze the security of the extended HS scheme. The attacks analyzed are 1) the attack against the Birational Permutation scheme, 2) the attacks against the Sato-Araki scheme, and the attacks against Rainbow: 3) UOV [4,13,14], 4) MinRank [3,11,22], 5) HighRank [10,11,17], 6) direct [2,4,23], 7) Rainbow-Band-Separation (RBS) [10,16], and 8) UOV-Reconciliation (UOV-R) attacks [10,16].

This paper is basically a journal version of the paper [24]. However, the attacks analyzed in [24] are only 1) to 5) above. In this paper, we add the security analysis against the attacks 6), 7) and 8). Moreover, we present secure parameters of the extended HS scheme for several security levels.

## Birational permutation scheme

In this section, we summarize the attack of Coppersmith, Stern and Vaudenay against the Birational Permutation scheme [6]. We will analyze this attack for the extended HS scheme later. First, we describe the Birational Permutation scheme [20].

Let *p*, *q* be primes and *N*=*pq*. Assume that the factorization of *N* is difficult. Let *n* be a natural number. For *k*=2,3,…,*n*, we define \(g_{k}:(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow \mathbb {Z}/N\mathbb {Z}\) by a homogeneous quadratic polynomial over \(\mathbb {Z}/N\mathbb {Z}\).

The key generation, the signature generation and the verification of Birational Permutation scheme are described as follows.

Key Generation. The secret key consists of primes *p*,*q* and the central map *G* and two affine (linear) transformations \(A_{1}:(\mathbb {Z}/N\mathbb {Z})^{n-1}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n-1},\ A_{2}:(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n}.\) The public key consists of *N* and the composite map \(F=A_{1}\circ G\circ A_{2}=(\,f_{2},f_{3},\ldots,f_{n}):(\mathbb {Z}/N\mathbb {Z})^{n}\rightarrow (\mathbb {Z}/N\mathbb {Z})^{n-1}.\)

Signature Generation. Let \(\mathbf {M}\in (\mathbb {Z}/N\mathbb {Z})^{n-1}\) be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), **B**=*G*^{−1}(**A**), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is \(\mathbf {C}\in (\mathbb {Z}/N\mathbb {Z})^{n}\). Here *G*^{−1}(**A**) stands for an element of preimage of **A** through *G*.

Verification. If *F*(**C**)=**M**, then the signature is accepted, otherwise rejected.

### 2.1 Attack against birational permutation scheme

It is believed that solving general equations over \(\mathbb {Z}/N\mathbb {Z}\) is more difficult than over a finite field. The security of the Birational Permutation scheme was based on the difficulty of solving such equations over \(\mathbb {Z}/N\mathbb {Z}\). However, Coppersmith, Stern and Vaudenay gave an efficient algorithm [6] that computes *A*_{2}, a part of the secret key, without solving equations over \(\mathbb {Z}/N\mathbb {Z}\).

We may assume that *A*_{1}, *A*_{2} are linear transformations. We write *A*, *B* for the matrix expressions of the linear parts of *A*_{1}, *A*_{2}, respectively, and the matrices of the quadratic forms *g*_{ k }, *f*_{ k } (*k*=2,3,…,*n*) are denoted by *G*_{ k }, *F*_{ k }, so that \(g_{k}(\mathbf {x})=\mathbf {x}^{T}G_{k}\mathbf {x}\) and \(f_{k}(\mathbf {x})=\mathbf {x}^{T}F_{k}\mathbf {x}\) (*T* means the transpose operator). Since *A*=(*a*_{ kl }), we have

$$F_{k}=\sum_{l=2}^{n}a_{kl}\,B^{T}G_{l}B\qquad (k=2,\ldots,n).$$

For *λ* and 1≤*k*_{1},*k*_{2}≤*n*, consider \(F_{k_{1}}-\lambda F_{k_{2}}\); a suitable value *λ*_{0} is computed from the public key. By calculating the kernel and the image of \(F_{k_{1}}-\lambda _{0} F_{k_{2}}\), \((\mathbb {Z}/N\mathbb {Z})^{n}\) is decomposed as a direct sum (3) of subspaces of rank 1 over \(\mathbb {Z}/N\mathbb {Z}\). By rewriting the public key in a basis along this decomposition, one obtains a system of equations with the same form as the central map, and therefore a signature can be forged.

## Sato-Araki scheme

In this section, we summarize the two attacks of Coppersmith against the Sato-Araki scheme. We will analyze these attacks for the extended HS scheme later.

Let *R* be a \(\mathbb {Z}/N\mathbb {Z}\)-analogue of Hamilton’s quaternion algebra. Namely, *R* is defined by

$$R=\mathbb {Z}/N\mathbb {Z}\oplus \mathbb {Z}/N\mathbb {Z}\,i\oplus \mathbb {Z}/N\mathbb {Z}\,j\oplus \mathbb {Z}/N\mathbb {Z}\,ij,\qquad i^{2}=j^{2}=-1,\quad ij=-ji.$$

*R* is identified with a subring of a matrix ring by the embedding homomorphism in which *i* is identified with the imaginary unit \(\sqrt {-1}\). Note that *R* is closed under the transpose operation. The Sato-Araki scheme is described as follows.

Key Generation. The secret key consists of primes *p*, *q* and *u*∈*R*^{×}. The public key consists of *N*=*pq* and \(h:=-(u^{T})^{-1}u^{-1}\in R\).

Signature Generation. Let **M**∈*R* be a message such that **M**=**M**^{T}. Choose *ρ*∈*R*^{×} randomly. We compute \(\mathbf {C}_{1}:=\rho ^{-1}\mathbf {M}+\rho ^{T}\) and \(\mathbf {C}_{2}:=u(\rho ^{-1}\mathbf {M}-\rho ^{T})\in R\). (**C**_{1},**C**_{2}) is the signature.

Verification. If \(\mathbf {C}_{1}^{T}\,\mathbf {C}_{1}+\mathbf {C}_{2}^{T}\,h\mathbf {C}_{2}=4\mathbf {M}\) then the signature is accepted, otherwise rejected.

**Remark 3.1**. The verification equation (5) is a quadratic equation over *R* with respect to the unknowns *X*_{1}, *X*_{2}, for any given **M**∈*R*. Since the signer knows *p* and *q*, the signer can find a solution of (5) by the above signature generation procedure.
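The signature generation and verification above, as an added worked example (not code from the paper or from Sato and Araki). Elements of *R* are stored as 4-tuples over \(\mathbb {Z}/N\mathbb {Z}\) in the basis 1, *i*, *j*, *ij*; the transpose is taken to be the one induced by the 2×2 matrix embedding that identifies *i* with \(\sqrt {-1}\), so that *i* and *ij* are fixed and *j* changes sign. The toy modulus *N*, the choice of message (*j*-component zero, hence **M**=**M**^{T} under this transpose) and the function names are assumptions for illustration. Verification succeeds because \(u^{T}hu=-1\) and the transpose is an anti-automorphism; the last function also shows that a tampered message is rejected.

```python
import random
from math import gcd

# Assumed toy modulus N = pq with two small primes; a real instance needs primes of
# cryptographic size. Only the arithmetic, not the parameter size, is illustrated.
P, Q = 1000003, 1000033
N = P * Q

def qmul(x, y):
    """Product in R: basis 1, i, j, ij with i^2 = j^2 = -1 and ij = -ji (Hamilton rules mod N)."""
    a1, b1, c1, d1 = x
    a2, b2, c2, d2 = y
    return ((a1*a2 - b1*b2 - c1*c2 - d1*d2) % N,
            (a1*b2 + b1*a2 + c1*d2 - d1*c2) % N,
            (a1*c2 - b1*d2 + c1*a2 + d1*b2) % N,
            (a1*d2 + b1*c2 - c1*b2 + d1*a2) % N)

def qadd(x, y):
    return tuple((s + t) % N for s, t in zip(x, y))

def qsub(x, y):
    return tuple((s - t) % N for s, t in zip(x, y))

def qtrans(x):
    """Transpose under the assumed 2x2 embedding (1, i, ij fixed, j negated); an anti-automorphism."""
    a, b, c, d = x
    return (a, b, (-c) % N, d)

def qinv(x):
    """Inverse via the reduced norm: x * (a - b i - c j - d ij) = a^2 + b^2 + c^2 + d^2."""
    a, b, c, d = x
    nrm = (a*a + b*b + c*c + d*d) % N
    if gcd(nrm, N) != 1:
        raise ValueError("not a unit of R")
    s = pow(nrm, -1, N)
    return (a*s % N, (-b*s) % N, (-c*s) % N, (-d*s) % N)

def random_unit(rng):
    """Random element of R^x (its norm is coprime to N with overwhelming probability)."""
    while True:
        x = tuple(rng.randrange(N) for _ in range(4))
        if gcd((x[0]**2 + x[1]**2 + x[2]**2 + x[3]**2) % N, N) == 1:
            return x

def keygen(rng):
    """Secret u in R^x; public h = -(u^T)^{-1} u^{-1}, so that u^T h u = -1."""
    u = random_unit(rng)
    h = tuple((-t) % N for t in qmul(qinv(qtrans(u)), qinv(u)))
    return u, h

def sign(M, u, rng):
    """(C1, C2) for a symmetric message M: C1 = rho^{-1} M + rho^T, C2 = u (rho^{-1} M - rho^T)."""
    rho = random_unit(rng)
    t = qmul(qinv(rho), M)
    return qadd(t, qtrans(rho)), qmul(u, qsub(t, qtrans(rho)))

def verify(M, sig, h):
    """Accept iff C1^T C1 + C2^T h C2 = 4 M."""
    C1, C2 = sig
    lhs = qadd(qmul(qtrans(C1), C1), qmul(qmul(qtrans(C2), h), C2))
    return lhs == tuple(4 * t % N for t in M)

def demo(seed=1):
    """Sign one constructed symmetric message; return (honest accepted, tampered accepted)."""
    rng = random.Random(seed)
    u, h = keygen(rng)
    M = (rng.randrange(N), rng.randrange(N), 0, rng.randrange(N))   # j-component 0 => M = M^T
    sig = sign(M, u, rng)
    return verify(M, sig, h), verify(qadd(M, (1, 0, 0, 0)), sig, h)

if __name__ == "__main__":
    print(demo())   # (True, False)
```

`demo` returns (True, False): the honest signature is accepted and the same signature is rejected for a message changed by 1. Nothing in `verify` uses *p*, *q* or *u*, only *N* and *h*, which is why the two attacks summarized next, which recover *u* or solve the verification equation directly, break the scheme without factoring.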

### 3.1 Attacks against Sato-Araki scheme

Coppersmith’s two attacks exploit the special structure of the quaternion algebra *R* over \(\mathbb {Z}/N\mathbb {Z}\).

#### 3.1.1 Coppersmith’s first attack

For *i*=1,2,3, let \(\left (\textbf {C}_{1}^{(i)},\textbf {C}_{2}^{(i)}\right)\) be signatures for messages **M**_{ i }. The following fact is the key of the attack: for *i*=1,2,3, a simple relation (6) holds in which *u*, a component of the secret key, appears. The elements in (6) span the subspace {*δ*=*δ*^{ T }∈*R*}=Span{*i*, *j*, *ij*} of rank 3 with high probability. One can then compute *X*∈*R* satisfying the resulting linear condition, which determines *X* up to scalars. Therefore *X* is proportional to *u*, and it is not difficult to compute *u* from *X*.

#### 3.1.2 Coppersmith’s second attack

The second attack of Coppersmith is based on the existence of the following algorithm.

**Proposition 3.1**.

([1]) Let *N* be an odd positive integer and *f*(*x*,*y*) a bivariate quadratic polynomial over \(\mathbb {Z}/N\mathbb {Z}\). *Δ*(*f*) denotes the discriminant of *f* defined as in [1]. If gcd(*Δ*(*f*),*N*)=1, then there exists an algorithm which gives a solution to *f*(*x*,*y*)=0 with probability 1−*ε*, and requires \(O(\log (\varepsilon ^{-1}\log N)\log ^{4}N)\) arithmetic operations on integers of size *O*(log*N*) bits.

When *x*, *y*∈*R* are written in coordinates \(x=x_{0}+x_{1}i+x_{2}j+x_{3}ij\), \(y=y_{0}+y_{1}i+y_{2}j+y_{3}ij\) with respect to the basis of *R*, equation (7) in the unknowns *x*, *y* is rewritten as three quadratic equations in the 8 variables *x*_{0},*x*_{1},…,*y*_{3}. By the simplicity of equation (7) and the properties of the quaternion algebra, the problem of solving this system of quadratic equations can be reduced to solving a few bivariate quadratic equations. Therefore a signature can be forged using the above proposition.

## Our proposal: extension of HS scheme

HS scheme [12] is a signature scheme having properties of both the Birational Permutation scheme and the Sato-Araki scheme. Since the security of HS scheme is based on the difficulty of integer factorization, the scheme is defined over the ring \(\mathbb {Z}/N\mathbb {Z}\). However, we want to redefine HS scheme as a scheme in MPKC. Therefore, in this section, we define HS scheme in a more general fashion, such that our definition covers both the original HS scheme and our proposed scheme.

### 4.1 Non-commutative rings

Let *L* be either a field *K* or \(\mathbb {Z}/N\mathbb {Z}\). In this paper, we say that an *L*-algebra *R* is a non-commutative ring only if

1. *R* is a free module over *L* of finite rank, and
2. *R* is non-commutative.

**Example 4.1** (Quaternion algebra). For *a*∈*L*^{×}, a non-commutative ring *Q*_{ L }(*a*) is defined as follows:

*Q*_{ L }(*a*) is a free module over *L* of rank 4. This is called a quaternion algebra. When \(L=\mathbb {Z}/N\mathbb {Z}\) and *a*=−1, *Q*_{ L }(*a*) coincides with the quaternion algebra *R* used in the Sato-Araki scheme. If *L*=*GF*(*q*) and *a*=−1, we simply write *Q*_{ q } instead of *Q*_{ L }(*a*). *Q*_{ L }(*a*) is embedded into a matrix ring by a map *ι* (equation (8)).

Since *Q*_{ L }(*a*) is identified with the image of *ι*, *Q*_{ L }(*a*) is closed under the transpose operation. For *v*=*c*_{1}+*c*_{2}*i*+*c*_{3}*j*+*c*_{4}*ij*∈*Q*_{ L }(*a*), the main involution *v*^{∗} of *v* is defined by

$$v^{*}=c_{1}-c_{2}i-c_{3}j-c_{4}ij.$$

Let *R* be a non-commutative ring over *L* and *r* its rank over *L*. Then there exists an *L*-linear isomorphism

$$\phi :L^{r}\rightarrow R.\tag{10}$$

Using this isomorphism *ϕ*, an element *α*∈*R* can be represented by *r* elements in *L*.

### 4.2 HS scheme over *L*

Let *R* be a non-commutative ring over *L* of rank *r* and fix *ϕ* as in (10). In the rest of this paper, assume that *R* is realized as a subring of the matrix ring \(\mathbb {M}(s,L)\) for some \(s\in \mathbb {N}\), and closed by the transpose operation.

For \(k=2,\ldots,\tilde {n}\), let \(\tilde {g}_{k}\) be a non-commutative polynomial over *R* in the *k* variables \(x_{1},\ldots,x_{k}\). The central map of HS scheme is constructed by

$$\tilde {G}=\left (\,\tilde {g}_{2},\ldots,\tilde {g}_{\tilde {n}}\right):R^{\tilde {n}}\rightarrow R^{\tilde {n}-1}.$$

The key generation, the signature generation and the verification are described as follows.

Key Generation. The secret key consists of *R*, the central map \(\tilde {G}\) and two affine transformations \(A_{1}:L^{m}\rightarrow L^{m}\ (m=r\tilde {n}-r),\ A_{2}:L^{n}\rightarrow L^{n}\ (n=r\tilde {n})\). The public key consists of *L* and the composed map \(\tilde {F}=A_{1}\circ \phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\circ A_{2}:L^{n}\rightarrow L^{m}\), which is a system of *m* quadratic polynomials of *n* variables over *L*. We denote by \(\tilde {F}=\left (\,\tilde {f}_{r+1},\ldots,\tilde {f}_{n}\right)^{T}\).

Signature Generation. Let **M**∈*L*^{ m } be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), \(\mathbf {B}=\tilde {G}^{-1}(\mathbf {A})\), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is **C**∈*L*^{ n }. Here \(\mathbf {B}=\tilde {G}^{-1}(\mathbf {A})\) is computed by the following procedure.

Step 1 Choose a random element *b*_{1}∈*R*.

Step 2 For \(k=2,\ldots,\tilde {n}\): \(\tilde {g}_{k}\) is a non-commutative polynomial with respect to *x*_{1},…,*x*_{ k }. By the substitution *x*_{1}=*b*_{1}, …, *x*_{k−1}=*b*_{k−1} into \(\tilde {g}_{k}\), a non-commutative polynomial \(\bar {g}_{k}\) in the single variable *x*_{ k } of degree at most 1 is obtained. We compute the solution *b*_{ k }∈*R* of

$$\begin{array}{*{20}l} \bar{g}_{k}(x_{k})=a_{k} \end{array} $$(11)

where \(\mathbf {A}=(a_{i})\in R^{\tilde {m}}\). (If there is no solution, return to Step 1.)

Step 3 Set \(\mathbf {B}=(b_{1},\ldots,b_{\tilde {n}})\).

Verification. If \(\tilde {F}(\mathbf {C})=\mathbf {M}\) then the signature is accepted, otherwise rejected.

This scheme is denoted by \(\text {HS}(R;\,\tilde {n})\).

**Remark 4.1**.

In general, it is difficult to solve a non-commutative equation (11) directly. However, if we fix an *L*-basis of *R*, equation (11) becomes a system of (commutative) linear equations in the coordinates with respect to that basis, which is easy to solve in general. If *R* has efficient arithmetic, equation (11) can be solved more efficiently still. For example, in the case of a quaternion algebra *Q*_{ L }(*a*), its realization (8) enables its arithmetic to be computed efficiently.

## Security analysis of the extended HS scheme

In the last section, we defined HS scheme over a non-commutative ring *R*. Here, we can take a non-commutative ring over a finite field *K* or a ring \(\mathbb {Z}/N\mathbb {Z}\). If *R* is defined over \(\mathbb {Z}/N\mathbb {Z}\), then the HS scheme becomes the original one. On the other hand, our proposed scheme is the HS scheme where *R* is defined over a finite field *K*.

First, we analyze the security of the extended HS scheme against the attacks on the original Birational Permutation scheme and Sato-Araki scheme, namely the attack of Coppersmith, Stern and Vaudenay (CSV attack) [6] and the attacks of Coppersmith [5]; these were analyzed for HS scheme in [12]. These attacks extend to attacks against HS scheme over \(\mathbb {Z}/N\mathbb {Z}\), and the extended attacks can easily be turned into attacks against the extended HS scheme over *K*. In this section, we analyze the security of the extended HS scheme over *K* against these attacks.

### 5.1 Security against CSV attack

In the Birational Permutation scheme, only *g*_{ n } includes the variable *x*_{ n } among all the components of the central map *G*=(*g*_{2},*g*_{3},…,*g*_{ n }). Therefore we can extract the term of *g*_{ n } from linear combinations of *g*_{2},*g*_{3},…,*g*_{ n } by eliminating *x*_{ n }. The components of the public key *F*=(*f*_{2},*f*_{3},…,*f*_{ n }) are expressed as linear combinations of *g*_{2}∘*A*_{2},…,*g*_{ n }∘*A*_{2}, where *A*_{2} is an affine transformation in the private key. As in the case of the central map, we can also extract the term of *g*_{ n }∘*A*_{2} from the components. Then we have the decomposition (3) as explained in § 2.1.

In HS scheme, only \(\tilde {g}_{\tilde {n}}\) includes the non-commutative variable \(x_{\tilde {n}}\) among all the components of the central map \(\tilde {G}=\left (\,\tilde {g}_{2},\tilde {g}_{3},\ldots,\tilde {g}_{\tilde {n}}\right)\). However, from linear combinations of the components of \(\phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\) we cannot eliminate \(x_{\tilde {n}}\) by the method of § 2.1, because the non-commutative variable \(x_{\tilde {n}}\) corresponds to *r* (commutative) variables. Therefore it is difficult to apply the CSV attack to HS scheme.

### 5.2 Security against Coppersmith’s first attack

The first attack is applicable to the Sato-Araki scheme because the simple relation (6) holds for the part *u* of the secret key. However, in HS scheme a simple relation like (6) for the secret key is not expected. Therefore it is difficult to extend this attack to HS scheme.

### 5.3 Security against Coppersmith’s second attack

There exists an efficient algorithm for solving bivariate quadratic equations modulo *N* (Proposition 3.1), and the system of equations appearing in the Sato-Araki scheme can be reduced to a few bivariate quadratic equations modulo *N*. However, HS scheme has many variables, and the system of equations appearing in the scheme is not expected to be reducible to such a simple system even if *L*=*K*. Therefore this attack is not more efficient than the direct attack, which finds a solution of the system of equations by XL, Gröbner basis algorithms, etc.

## Reduction of Uchiyama and Ogura to Rainbow

Uchiyama and Ogura [21] pointed out that the original HS scheme, which is defined over \(\mathbb {Z}/N\mathbb {Z}\), can be rewritten as a \(\mathbb {Z}/N\mathbb {Z}\)-analogue of Rainbow, where the original Rainbow [9] is a multilayer variant of the Unbalanced Oil and Vinegar signature scheme [13]. This implies that the attacks against Rainbow are applicable to HS scheme.

### 6.1 Original Rainbow and its analogue

To deal with both the original Rainbow and its analogue over a finite field, we prepare Rainbow defined over *L* which is either *K* or \(\mathbb {Z}/N\mathbb {Z}\).

Let *t* be the number of layers of Rainbow. Let *v*_{1},…,*v*_{t+1} be a sequence of *t*+1 positive integers such that \(0<v_{1}<v_{2}<\cdots <v_{t+1}\). For *h*=1,…,*t*, the sets *V*_{ h }, *O*_{ h } of indices of the Vinegar and Oil variables of the *h*-th layer of Rainbow are defined by

$$V_{h}=\{1,\ldots,v_{h}\},\qquad O_{h}=\{v_{h}+1,\ldots,v_{h+1}\}.$$

The numbers of elements in *O*_{ h } and *V*_{ h } are *v*_{h+1}−*v*_{ h } and *v*_{ h }, respectively, and we write *o*_{ h }=*v*_{h+1}−*v*_{ h }. Note that the smallest integer in *O*_{1} is *v*_{1}+1. We define *n*=*v*_{t+1}, which is the number of variables used in Rainbow.

The central map of Rainbow consists of *t* layers of multivariate polynomials in *n* variables. For *h*=1,2,…,*t*, the *h*-th layer of Rainbow deploys a system of *o*_{ h } multivariate polynomials *g*_{ k } (*k*∈*O*_{ h }); each *g*_{ k } is essentially a polynomial in the *v*_{ h }+*o*_{ h } variables indexed by \(V_{h}\cup O_{h}\). We call the variables *x*_{ i } (*i*∈*O*_{ h }) and *x*_{ j } (*j*∈*V*_{ h }) the Oil and Vinegar variables, respectively. Then the central map of Rainbow is constructed by

$$G=\left (\,g_{v_{1}+1},\ldots,g_{n}\right)^{\mathrm {T}}:L^{n}\rightarrow L^{m}\qquad (m=n-v_{1}).$$

The inverse of *G* can be computed easily. For the system of *o*_{ h } equations of the *h*-th layer,

$$g_{k}\left (b_{1},\ldots,b_{v_{h}},x_{v_{h}+1},\ldots,x_{v_{h+1}}\right)=a_{k}\qquad (k\in O_{h})$$

becomes *o*_{ h } linear equations in the *o*_{ h } Oil variables for any \(\left (a_{v_{h}+1},\ldots,a_{v_{h+1}}\right)\in L^{o_{h}}\) and \((b_{1},\ldots,b_{v_{h}})\in L^{v_{h}}\), because the layer polynomials contain no product of two Oil variables. The values of the Oil variables in the *h*-th layer obtained by solving these linear equations are used as the values of the Vinegar variables in the (*h*+1)-th layer.

We describe the key generation, the signature generation and the verification of Rainbow in the following.

Key Generation. The secret key consists of the central map *G* and two affine transformations *A*_{1}:*L*^{ m }→*L*^{ m } (*m*=*n*−*v*_{1}), *A*_{2}:*L*^{ n }→*L*^{ n }. The public key consists of *L*, which is either a field *K* or \(\mathbb {Z}/N\mathbb {Z}\), and the composed map *F*=*A*_{1}∘*G*∘*A*_{2}:*L*^{ n }→*L*^{ m }, which is a system of *m* quadratic polynomials in *n* variables over *L*. We write \(F=\left (\,f_{v_{1}+1},\ldots,f_{n}\right)^{\mathrm {T}}\).

Signature Generation. Let **M**∈*L*^{ m } be a message. We compute \(\mathbf {A}=A_{1}^{-1}(\mathbf {M})\), **B**=*G*^{−1}(**A**), \(\mathbf {C}=A_{2}^{-1}(\mathbf {B})\) in this order. The signature of the message is **C**∈*L*^{ n }. Note that **B**=*G*^{−1}(**A**) can be easily computed by the above property of *G*.

Verification. If *F*(**C**)=**M** then the signature is accepted, otherwise rejected.

This scheme is denoted by Rainbow(*L*; *v*_{1},*o*_{1},…,*o*_{ t }), and we call *v*_{1},*o*_{1},…,*o*_{ t } the parameter of Rainbow.

### 6.2 Reduction of HS scheme to Rainbow

Uchiyama and Ogura wrote down \(\phi ^{-\tilde {n}+1}\circ \tilde {G}\circ \phi ^{\tilde {n}}\) for \(\text {HS}(\mathbb {Z}/N\mathbb {Z},\tilde {n})\) and showed the following [21].

**Proposition 6.1**.

Let *R* be a non-commutative ring over \(\mathbb {Z}/N\mathbb {Z}\) of rank *r*. Let \(\tilde {F}\) be a public key of \(\text {HS}(R;\,\tilde {n})\). Then \(\tilde {F}\) becomes a public key of \(\text {Rainbow}(\mathbb {Z}/N\mathbb {Z};\,\overbrace {r,\ldots,r}^{\tilde {n}})\).

**Remark 6.1**.

Using this notation, the following correspondence holds.

The argument of Uchiyama and Ogura in [21] is also valid for HS scheme defined over a field *K*. Therefore we have

**Proposition 6.2**.

Let *R* be a non-commutative ring over *K* of dimension *r*. Let \(\tilde {F}\) be a public key of \(\text {HS}(R;\,\tilde {n})\). Then \(\tilde {F}\) becomes a public key of \(\text {Rainbow}(K;\,\overbrace {r,\ldots,r}^{\tilde {n}})\).

**Remark 6.2**.

The above proposition shows that HS scheme is another way of construction of the uniformly-layered Rainbow, where “uniformly-layered" means all components in the parameter of Rainbow are equal. If the arithmetic operation of non-commutative ring *R* is efficient, then the signature generation of HS scheme may be more efficient than that of the corresponding Rainbow.
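The Rainbow key generation and signature generation of § 6.1, as an added runnable example (not code from the paper, nor from the Rainbow or HS authors). Following Proposition 6.2 it is run with the uniformly-layered parameters Rainbow(*K*; 4,4,4), the shape that HS(*R*; 3) takes for a ring *R* of rank 4, but `keygen` accepts any parameter *v*_{1},*o*_{1},…,*o*_{ t }. Assumptions for illustration: the prime field *K*=GF(257) in place of the paper’s GF(256), linear rather than affine *A*_{1}, *A*_{2}, the usual Oil-Vinegar form of the layer polynomials (quadratic terms in Vinegar×Vinegar and Vinegar×Oil only), and the function names. The public key is built as explicit quadratic polynomials, so `verify` uses nothing but the public key.

```python
import random

P = 257  # assumed prime field; the paper uses GF(256), a prime keeps the arithmetic plain

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)] for row in A]

def solve_mod_p(A, b):
    """Gauss-Jordan elimination over GF(P): the x with A x = b, or None if A is singular."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [x * inv % P for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]

def random_invertible(rng, n):
    while True:
        T = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        if solve_mod_p(T, [0] * n) is not None:
            return T

def evaluate(poly, x):
    """A quadratic polynomial is a triple (Q, l, c) standing for x^T Q x + l.x + c."""
    Q, l, c = poly
    n = len(x)
    return (sum(Q[i][j] * x[i] * x[j] for i in range(n) for j in range(n))
            + sum(li * xi for li, xi in zip(l, x)) + c) % P

def compose_linear(poly, T):
    """The polynomial y -> poly(T y): Q' = T^T Q T, l' = T^T l, c' = c."""
    Q, l, c = poly
    Tt = [list(col) for col in zip(*T)]
    return matmul(Tt, matmul(Q, T)), [sum(a * b for a, b in zip(row, l)) % P for row in Tt], c

def central_map(rng, v1, oils):
    """Layer h: o_h polynomials with V_h x V_h and V_h x O_h quadratic terms, none in O_h x O_h."""
    n, v, layers = v1 + sum(oils), v1, []
    for o in oils:
        polys = []
        for _ in range(o):
            Q = [[rng.randrange(P) if i < v and j < v + o else 0 for j in range(n)] for i in range(n)]
            l = [rng.randrange(P) if j < v + o else 0 for j in range(n)]
            polys.append((Q, l, rng.randrange(P)))
        layers.append((v, o, polys))
        v += o
    return n, layers

def keygen(rng, v1, oils):
    """Secret (G, A1, A2) with linear A1, A2; public F = A1 o G o A2 as m explicit quadratics."""
    n, layers = central_map(rng, v1, oils)
    m = n - v1
    T1, T2 = random_invertible(rng, m), random_invertible(rng, n)
    inner = [compose_linear(p, T2) for _, _, polys in layers for p in polys]   # G o A2
    public = []
    for row in T1:   # row i of A1 mixes the composed polynomials into the i-th public polynomial
        Q = [[sum(t * g[0][r][s] for t, g in zip(row, inner)) % P for s in range(n)] for r in range(n)]
        l = [sum(t * g[1][r] for t, g in zip(row, inner)) % P for r in range(n)]
        public.append((Q, l, sum(t * g[2] for t, g in zip(row, inner)) % P))
    return public, (layers, T1, T2)

def invert_central(rng, n, layers, a):
    """One attempt at G^{-1}(a): random Vinegar values, then one o_h x o_h linear solve per layer."""
    v1 = layers[0][0]
    b = [rng.randrange(P) for _ in range(v1)]
    for v, o, polys in layers:
        x0 = b + [0] * (n - v)                      # this layer's Oil variables still unknown
        A = [[(sum(Q[i][j] * b[i] for i in range(v)) + l[j]) % P for j in range(v, v + o)]
             for Q, l, _ in polys]                  # coefficients of the Oil variables
        rhs = [(a[v - v1 + k] - evaluate(p, x0)) % P for k, p in enumerate(polys)]
        y = solve_mod_p(A, rhs)
        if y is None:
            return None                             # singular: the caller retries with fresh Vinegar
        b += y                                      # Oil values of layer h are Vinegar values of layer h+1
    return b

def sign(rng, secret, n, msg):
    layers, T1, T2 = secret
    a = solve_mod_p(T1, msg)                        # A = A1^{-1}(M)
    while (b := invert_central(rng, n, layers, a)) is None:
        pass                                        # "if there is no solution, return to Step 1"
    return solve_mod_p(T2, b)                       # C = A2^{-1}(B)

def verify(public, msg, sig):
    return all(evaluate(f, sig) == mi for f, mi in zip(public, msg))

def demo(seed=2):
    """Rainbow(K; 4, 4, 4), the shape HS(R; 3) takes for a rank-4 ring R (Proposition 6.2)."""
    rng = random.Random(seed)
    public, secret = keygen(rng, 4, [4, 4])         # n = 12 variables, m = 8 public polynomials
    msg = [rng.randrange(P) for _ in range(8)]     # constructed message digest in K^m
    sig = sign(rng, secret, 12, msg)
    forged = [(sig[0] + 1) % P] + sig[1:]
    return verify(public, msg, sig), verify(public, msg, forged)
```

`demo` returns (True, False): the honest signature verifies and a signature with one coordinate changed is rejected. Signing retries with fresh Vinegar values whenever a layer’s Oil system is singular, which is the “return to Step 1” rule of the HS procedure; in HS(*R*; \(\tilde {n}\)) the same step is the solution of the degree-1 non-commutative equation (11), and Proposition 6.2 says the two signing procedures invert the same public map.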

### 6.3 Security analysis for attacks against Rainbow

Proposition 6.2 implies that attacks against Rainbow are applicable to the extended HS scheme over *K*. In this section, we analyze security of the extended HS scheme against well-known attacks against Rainbow.

#### 6.3.1 Attacks against Rainbow

Here, we summarize the known attacks against Rainbow that have been reported in previous papers, and we analyze the security against each attack. The known relevant attacks against Rainbow are as follows.

- (1) UOV attack
- (2) MinRank attack
- (3) HighRank attack
- (4) direct attack
- (5) RBS attack
- (6) UOV-R attack

The goal of the direct attack is to solve *F*(**X**)=**M** from the public key *F* and a (fixed) message **M** [2,23]. By contrast, the goal of the other attacks is to find a part of the secret key. In the case of a UOV attack or HighRank attack, for example, the target Rainbow with parameters *v*_{1},*o*_{1},…,*o*_{ t } is reduced to a Rainbow with simpler parameters such as *v*_{1},*o*_{1},…,*o*_{t−1}, without *o*_{ t }. We can then break the original Rainbow with lower complexity. To carry out a reduction we need to find (a part of) the direct sum decomposition of the vector space *K*^{ n },

$$K^{n}=K^{v_{1}}\oplus K^{o_{1}}\oplus \cdots \oplus K^{o_{t}}. $$(13)

Expressing *K*^{ n } in a basis adapted to this decomposition enables returning the public key to the central map. In fact, if we can decompose \(K^{n}=W\oplus K^{o_{t}}\) for a certain *W* that has a coarser decomposition than (13), then the security of Rainbow(*K*; *v*_{1},*o*_{1},…,*o*_{ t }) can be reduced to that of Rainbow(*K*; *v*_{1},*o*_{1},…,*o*_{t−1}). There are two methods for finding this decomposition:

*(1)* Find a simultaneously isotropic subspace of *K*^{ n }. Let *V* be a vector space over *K*, and let *Q*_{1} be a quadratic form on *V*. We say that a subspace *W* of *V* is *isotropic* (with respect to *Q*_{1}) if the bilinear form associated with *Q*_{1} vanishes on every pair *v*_{1},*v*_{2}∈*W*. In addition, we assume that *V* is also equipped with quadratic forms *Q*_{2},…,*Q*_{ m }. We say that a subspace *W* of *V* is *simultaneously isotropic* if *W* is isotropic with respect to all of *Q*_{1},…,*Q*_{ m }. In Rainbow, *m* quadratic forms on *K*^{ n } are defined by the quadratic parts of the public polynomials of *F*. Note that the subspace \(K^{o_{t}}\) appearing in (13) is a simultaneously isotropic subspace of *K*^{ n }. If we find a simultaneously isotropic subspace, a basis of \(K^{o_{t}}\) is obtained and the above attack becomes feasible. The UOV, UOV-R and RBS attacks are of this type.

*(2)* Find a quadratic form with the minimum or the second largest rank. When the quadratic part of the *k*-th public polynomial of *F* in Rainbow is expressed as \(\sum_{i,j}a_{ij}^{(k)}x_{i}x_{j}\), we set *S*_{ k }=*A*+*A*^{T}, where \(A=\left (a_{\textit {ij}}^{(k)}\right)\). We define

$$\mathcal {A}=\mathrm {Span}\left \{S_{v_{1}+1},\ldots,S_{n}\right \},$$

which is the vector space over *K* spanned by the matrices \(S_{v_{1}+1},\ldots,S_{n}\). For example, if we find a matrix of rank *v*_{2}=*v*_{1}+*o*_{1} in \(\mathcal {A}\), there is a high probability that the image of this matrix coincides with \(K^{v_{1}}\oplus K^{o_{1}}\) appearing in (13). Therefore, we obtain the decomposition \(K^{n}=(K^{v_{1}}\oplus K^{o_{1}})\oplus W'\) for some *W*^{′}, which is a coarser decomposition than (13). The MinRank and HighRank attacks are of this type.

The details of abovementioned six attacks can be found in the literature [16].

### 6.4 Security against known attacks

#### 6.4.1 UOV attack

Let *L*_{2} be the linear part of the affine transformation *A*_{2} and let \(\mathcal {O}_{t}=L_{2}^{-1}(\{0\}^{n-o_{t}}\times K^{o_{t}})\) be the subspace of *K*^{ n } corresponding to \(K^{o_{t}}\) appearing in (13). The UOV attack finds a non-trivial invariant subspace of \(W_{12}=W_{1}W_{2}^{-1}\) that is included in \(\mathcal {O}_{t}\), for invertible matrices \(W_{1},W_{2}\in \mathcal {A}\). The analysis in [13] shows that the probability that *W*_{12} has a non-trivial invariant subspace included in \(\mathcal {O}_{t}\) is about \(q^{2o_{t}-n}\), so that about \(q^{n-2o_{t}}\) trials are needed. This follows from the following lemma.

**Lemma 6.1**. ([8] Lemma 3.2.4) Let *J*:*K*^{ n }→*K*^{ n } be an invertible linear map such that

1. there exist two subspaces \(\mathcal {O}^{\prime }\subset \mathcal {V}^{\prime }\) of *K*^{ n } where the dimensions of \(\mathcal {O}^{\prime }\) and \(\mathcal {V}^{\prime }\) are *o*^{′} and *v*^{′}, respectively, and
2. \(J(\mathcal {O}^{\prime })\subset \mathcal {V}^{\prime }\).

Then the probability that *J* has a non-trivial invariant subspace in \(\mathcal {O}^{\prime }\) is no less than \(q^{o^{\prime }-v^{\prime }}\).

This lemma is also available for the extended HS scheme through Proposition 6.2. This means that the complexity is the same as that of the corresponding Rainbow. From the complexity of the UOV attack [13] and Proposition 6.2 we have

**Proposition 6.3**. Let *a*=log_{2}(♯*K*) and \(n=r\tilde {n}\). \(\text {HS}(R;\tilde {n})\) has a security level of *l* bits against the UOV attack if *n*−2*r*≥*l*/*a*+1.

**Remark 6.3**.

The UOV attack is more efficient in the case of balanced Oil and Vinegar than in the case of general Unbalanced Oil and Vinegar. Therefore, we should not choose \(\tilde {n}=2\) in the extended HS scheme, otherwise, HS scheme corresponds to a balanced Oil and Vinegar scheme.

#### 6.4.2 MinRank attack

In the MinRank attack, we solve MinRank(*v*_{2}) for \(\mathcal {A}\). If there are a non-trivial \(P\in \mathcal {A}\) and a *v*∈*K*^{ n } such that *Pv*=0, there is a high probability that *P* is a solution of MinRank(*v*_{2}). For a given *v*∈*K*^{ n }, the probability that a non-trivial \(P\in \mathcal {A}\) with *Pv*=0 exists is roughly \(q^{-v_{2}}\). This also holds for the extended HS scheme. Therefore, from [11], we have the following proposition:

**Proposition 6.4**. Let *a*=log_{2}(♯*K*) and \(n=r\tilde {n}\). Then \(\text {HS}(R;\,\tilde {n})\) has a security level of *l* bits against the MinRank attack if 2*r*≥*l*/*a*.

#### 6.4.3 HighRank attack

In the HighRank attack, we look for an element \(W\in \mathcal {A}\) such that rank(*W*)=*v*_{ t }. For any \(W\in \mathcal {A}\), the probability that its rank equals *v*_{ t } is \(q^{-o_{t}}\). This also holds for the extended HS scheme. Therefore, from [11], we have the following proposition:

**Proposition 6.5**. Let *a*=log_{2}(♯*K*). Assume that *n*≥*m*. Then \(\text {HS}(R;\,\tilde {n})\) has a security level of *l* bits against the HighRank attack if *r*≥*l*/*a*.

### 6.5 Direct attacks and others

From Proposition 6.2, the public key of the extended HS scheme is exactly equal to that of the corresponding Rainbow. Therefore, the complexity against the direct attacks is estimated to be the same for the extended HS scheme as for the original Rainbow corresponding to it. Similarly, the complexities against the RBS and UOV-R attacks are estimated to be the same for the extended HS scheme as for the corresponding Rainbow.

The complexities of the direct, RBS and UOV-R attacks were discussed by Petzoldt et al. [16], and we follow their data regarding the complexities of these attacks. In particular, the complexities of the direct and UOV-R attacks are equivalent.

## Total security and secure parameters

Based on the security analysis in the last section, we try to present secure parameters and their length for \(\text {HS}(R;\,\tilde {n})\) where *R* is a non-commutative ring of rank *r* over *K*=*G**F*(256). We adopt the parameters of Petzoldt et al. in [16] for estimating the security against the direct, UOV-R and RBS attacks. For other attacks, from Propositions 6.3, 6.4 and 6.5, the following criteria are used for *l*-bit security against these attacks: Let *a* be the bit length of *q* and *r* the dimension of *R*. For \(\text {HS}(R;\,\tilde {n})\), we have \(n=r\tilde {n},\ m=r(\tilde {n}-1)\) and we assume that *n*>*m*.

1. UOV attack: *n*−2*r*≥*l*/*a*+1.
2. MinRank attack: 2*r*≥*l*/*a*.
3. HighRank attack: *r*≥*l*/*a*.

Table 1 shows the security levels of \(\text {HS}(R;\,\tilde {n})\) for a non-commutative ring *R* over *GF*(256) with \(\tilde {n}=3\) and several values of the rank *r* of *R*. Table 1 shows that the UOV attack is the strongest among all analyzed attacks.

**Table 1** Security level against attacks on the extended HS scheme over *R* defined over *GF*(256) and with \(\tilde {n}=3\)

| Rank *r* of *R* | 10 | 11 | 12 | 13 |
|---|---|---|---|---|
| UOV (bits) | 72 | 80 | 88 | 96 |
| MinRank (bits) | 160 | 176 | 192 | 208 |
| HighRank (bits) | 80 | 88 | 96 | 104 |
| Direct, UOV-R, RBS (bits) | 93 | 99 | 104 | 110 |
| Security level (bits) | 72 | 80 | 88 | 96 |

## Efficiency of HS scheme

Any non-commutative ring *R* can be embedded in a matrix ring \(\mathbb {M}(l,K)\) for some positive integer *l*. If we can choose a small *l*, the arithmetic of *R* becomes efficient. In the signature generation of our proposed scheme, we have to solve several systems of linear equations of the form \(\mathcal {A}\mathcal {X}=\mathcal {B}\ (\mathcal {A},\mathcal {B}\in \mathbb {M}(l,K))\) with respect to a variable matrix \(\mathcal {X}\in \mathbb {M}(l,K)\). If we use Gaussian elimination to solve these linear equations, the number of field multiplications is *O*(*l*^{3}).

On the other hand, in the signature generation of the corresponding Rainbow the number of field multiplications is *O*(*d*^{3}), where *d* is the dimension of *R*, because of Proposition 6.2. Thus, if *l*<*d*, the signature generation of our proposed scheme is more efficient than that of the corresponding Rainbow.

### 8.1 Efficiency in the case of group ring of dihedral group

To compare the efficiency of signature generation in HS scheme and the corresponding Rainbow, we prepare a dihedral group and its realization. Let *m* be a positive integer. \(M_{1}=(a_{\textit {ij}}),M_{2}=(b_{\textit {ij}})\in \mathbb {M}(m,K)\) are defined as

We write *D*_{ m } for the group generated by *M*_{1} and *M*_{2}. *D*_{ m } is isomorphic to the dihedral group with 2*m* elements [7]. If *K*[*D*_{ m }] denotes the group ring with coefficients in *K* associated to *D*_{ m }, then it is a non-commutative ring of dimension 2*m*−1, realized in \(\mathbb {M}(m,K)\). *K*[*D*_{ m }] is closed under the transpose operation because the inverse operation on *D*_{ m } is closed in *D*_{ m }. Therefore we can use *K*[*D*_{ m }] as a base ring in HS scheme. Table 2 compares the efficiency of the signature generation in HS scheme and the corresponding Rainbow. The non-commutative rings used in the HS schemes in the table are *K*[*D*_{ m }] with *K*=*GF*(256) and *m*=10,11,12,13. The number of layers in each HS scheme is 3, so the Rainbow corresponding to HS(*K*[*D*_{ m }];3) is Rainbow(*K*; *r*,*r*,*r*) with *r*=2*m*−1 by Proposition 6.2. We estimate the number of multiplications in *GF*(256) for the efficiency comparison. M_{sig}(HS(*R*;3)) (resp. M_{sig}(R(*GF*(256); *r*,*r*,*r*))) stands for the number of multiplications in the signature generation of HS(*R*;3) (resp. Rainbow(*GF*(256); *r*,*r*,*r*)). Table 2 shows that the signature generation of HS scheme needs about 50*%* fewer multiplications than that of the corresponding Rainbow.

**Table 2 Efficiency comparison of HS scheme with the corresponding Rainbow (in terms of the number of multiplications in *GF*(256))**

| HS(*K*[*D*_{m}];3) | HS(*K*[*D*_{10}];3) | HS(*K*[*D*_{11}];3) | HS(*K*[*D*_{12}];3) | HS(*K*[*D*_{13}];3) |
|---|---|---|---|---|
| Dimension of *R* | 19 | 21 | 23 | 25 |
| Matrix size | 10 | 11 | 12 | 13 |
| M_{sig}(HS(*R*;3)) | 25353 | 33233 | 42581 | 53521 |
| Corresponding Rainbow | R(19,19,19) | R(21,21,21) | R(23,23,23) | R(25,25,25) |
| Security level (bits) | 72 | 80 | 88 | 96 |
| M_{sig}(R(*GF*(256);*r*,*r*,*r*)) | 50198 | 66766 | 86618 | 110050 |
| Ratio (%) | 50.5 | 49.8 | 49.2 | 48.6 |
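The per-layer cost comparison behind Section 8 and Table 2, as an added example that is not code from the paper: one Gauss-Jordan solve of \(\mathcal {A}.\mathcal {X}=\mathcal {B}\) in \(\mathbb {M}(l,K)\) is counted against one (2*l*−1)×(2*l*−1) solve over *K*, the per-layer system of the Rainbow corresponding to *K*[*D*_{l}]. The AES reduction polynomial for *GF*(256), the constructed sample matrices and the counting convention (every field product, inverses by table lookup) are my assumptions, so the counts illustrate the *O*(*l*^{3}) versus *O*(*d*^{3}) argument rather than reproduce the M_{sig} values of Table 2.

```python
import random
from functools import reduce
from operator import xor

MULS = [0]  # running tally of GF(256) multiplications (a list so gf_mul can update it)

def gf_mul(a, b):
    """GF(256) product with the AES polynomial (an assumption; the paper fixes none). Every call is tallied."""
    MULS[0] += 1
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

GF_INV = [0] + [next(x for x in range(1, 256) if gf_mul(a, x) == 1) for a in range(1, 256)]  # lookup, not tallied

def mat_mul(A, B):  # product over GF(256); addition is XOR
    return [[reduce(xor, (gf_mul(x, B[t][j]) for t, x in enumerate(row)), 0)
             for j in range(len(B[0]))] for row in A]

def solve(A, B):
    """Gauss-Jordan on [A | B] (A n x n, B n x k) over GF(256). Returns (X, multiplications used)."""
    start, n = MULS[0], len(A)
    M = [list(a) + list(b) for a, b in zip(A, B)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            raise ValueError("singular matrix")
        M[c], M[piv] = M[piv], M[c]
        inv = GF_INV[M[c][c]]
        M[c][c:] = [gf_mul(inv, v) for v in M[c][c:]]
        for r in (r for r in range(n) if r != c and M[r][c]):
            f = M[r][c]
            M[r][c:] = [v ^ gf_mul(f, u) for v, u in zip(M[r][c:], M[c][c:])]
    return [row[n:] for row in M], MULS[0] - start

def random_invertible(n, rng):  # constructed sample: L.U with L unit lower-, U upper-triangular, nonzero diagonal
    L = [[rng.randrange(256) if j < i else int(i == j) for j in range(n)] for i in range(n)]
    U = [[0 if j < i else rng.randrange(1, 256) for j in range(n)] for i in range(n)]
    return mat_mul(L, U)

def compare(l):
    """Per layer: HS solves A.X = B in M(l,K); the Rainbow corresponding to K[D_l] solves a
    (2l-1) x (2l-1) system over K (Proposition 6.2). Returns (hs_mults, rainbow_mults)."""
    rng = random.Random(2014)  # fixed seed: reproducible, constructed sample matrices
    A, B = random_invertible(l, rng), random_invertible(l, rng)
    C, v = random_invertible(2 * l - 1, rng), [[rng.randrange(256)] for _ in range(2 * l - 1)]
    return solve(A, B)[1], solve(C, v)[1]
```

`compare(10)` returns far fewer multiplications for the *l*=10 matrix-ring solve than for the 19×19 scalar solve, which is the direction Table 2 reports; the absolute numbers differ from M_{sig} because the paper counts the whole signature generation under its own conventions.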

## Concluding remarks

We analyzed the security of the extended HS scheme and presented secure parameters for it. The attacks considered in the security analysis are the attack of Coppersmith, Stern and Vaudenay on the Birational Permutation scheme, the two attacks of Coppersmith on the Sato-Araki scheme, and the attacks against Rainbow. Based on the security analysis, we estimated secure parameters of the extended HS scheme. If the non-commutative ring used in the extended HS scheme is chosen as the group ring associated to a dihedral group, the signature generation can be accelerated by about 50% in comparison with the corresponding Rainbow.

## Declarations

### Acknowledgments

This work has been supported by “Strategic Information and Communications R&D Promotion Programme (SCOPE), no. 0159-0172”, Ministry of Internal Affairs and Communications, Japan.


## References

- Adleman, L.M., Estes, D.R., McCurley, K.S.: Solving bivariate quadratic congruences in random polynomial time. Math. Comput. 48, 17–28 (1987).
- Bernstein, D.J., Buchmann, J., Dahmen, E.: Post Quantum Cryptography. Springer, Berlin Heidelberg (2009).
- Billet, O., Gilbert, H.: Cryptanalysis of Rainbow. In: SCN’06, Springer LNCS 4116, pp. 336–347. Springer, Berlin Heidelberg (2006).
- Braeken, A., Wolf, C., Preneel, B.: A study of the security of unbalanced oil and vinegar signature schemes. In: CT-RSA’05, Springer LNCS 3376, pp. 29–43. Springer, Berlin Heidelberg (2005).
- Coppersmith, D.: Weakness in quaternion signatures. In: CRYPTO’99, Springer LNCS 1666, pp. 305–314; J. Cryptology (2001).
- Coppersmith, D., Stern, J., Vaudenay, S.: The security of the birational permutation signature scheme. J. Cryptology 10, 207–221 (1997).
- Dummit, D.S., Foote, R.M.: Abstract Algebra. John Wiley & Sons, Inc. (2006).
- Ding, J., Gower, J.E., Schmidt, D.S.: Multivariate Public Key Cryptosystems. Advances in Information Security 25. Springer, New York (2006).
- Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: ACNS’05, Springer LNCS 3531, pp. 164–175. Springer, Berlin Heidelberg (2005).
- Ding, J., Yang, B.-Y., Chen, C.-H.O., Chen, M.-S., Cheng, C.M.: New differential-algebraic attacks and reparametrization of Rainbow. In: Springer LNCS 5037, pp. 242–257. Springer, Berlin Heidelberg (2008).
- Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: ASIACRYPT’00, Springer LNCS 1976, pp. 44–57. Springer, Berlin Heidelberg (2000).
- Hashimoto, Y., Sakurai, K.: On construction of signature schemes based on birational permutations over noncommutative rings. Presented at the 1st International Conference on Symbolic Computation and Cryptography (SCC2008), Beijing, April 2008. ePrint, http://eprint.iacr.org/2008/340.
- Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar schemes. In: EUROCRYPT’99, Springer LNCS 1592, pp. 206–222. Springer, Berlin Heidelberg (1999).
- Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature scheme. In: CRYPTO’98, Springer LNCS 1462, pp. 257–266. Springer, Berlin Heidelberg (1998).
- Ong, H., Schnorr, C.P., Shamir, A.: An efficient signature scheme based on quadratic equations. In: Proc. 16th ACM Symp. Theory Comp., pp. 208–216 (1984).
- Petzoldt, A., Bulygin, S., Buchmann, J.: Selecting parameters for the Rainbow signature scheme. In: PQCrypto’10, Springer LNCS 6061, pp. 218–240. Springer, Berlin Heidelberg (2010).
- Petzoldt, A., Bulygin, S., Buchmann, J.: CyclicRainbow - a multivariate signature scheme with a partially cyclic public key based on Rainbow. In: INDOCRYPT’10, Springer LNCS 6498, pp. 33–48. Springer, Berlin Heidelberg (2010).
- Pollard, J.M., Schnorr, C.P.: An efficient solution of the congruence *x*^{2}+*k**y*^{2}≡*m* (mod *n*). IEEE Trans. Inf. Theory IT-33, 702–709 (1987).
- Satoh, T., Araki, K.: On construction of signature scheme over a certain noncommutative ring. IEICE Trans. Fundamentals E80-A, 702–709 (1997).
- Shamir, A.: Efficient signature schemes based on birational permutations. In: CRYPTO’93, Springer LNCS 773, pp. 1–12. Springer, Berlin Heidelberg (1994).
- Uchiyama, S., Ogura, N.: Cryptanalysis of the birational permutation signature scheme over a non-commutative ring. JSIAM Lett. 2, 85–88 (2010). ePrint, http://eprint.iacr.org/2009/245.
- Yang, B.-Y., Chen, J.-M.: Building secure tame-like multivariate public-key cryptosystems: the new TTS. In: ACISP’05, Springer LNCS 3574, pp. 518–531. Springer, Berlin Heidelberg (2005).
- Yang, B.-Y., Chen, J.-M.: All in the XL family, theory and practice. In: ICISC’04, Springer LNCS 3506, pp. 67–86. Springer, Berlin Heidelberg (2005).
- Yasuda, T., Sakurai, K.: A security analysis of uniformly-layered Rainbow: revisiting Sato-Araki’s non-commutative approach to Ong-Schnorr-Shamir signature towards post-quantum paradigm. In: PQCrypto’11, Springer LNCS 7071, pp. 275–294. Springer, Berlin Heidelberg (2011).
- Yasuda, T., Sakurai, K., Takagi, T.: Reducing the key size of Rainbow using non-commutative rings. In: CT-RSA’12, Springer LNCS 7178, pp. 68–83. Springer, Berlin Heidelberg (2012).

## Copyright

This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License(http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.