US20130294601A9 - Efficient Multivariate Signature Generation - Google Patents


Info

Publication number
US20130294601A9
Authority
US
United States
Prior art keywords
vector
message
digital signature
mapping
values
Legal status
Granted
Application number
US13/699,912
Other versions
US8958560B2 (en)
US20130129090A1 (en)
Inventor
Aviad Kipnis
Yaron Sella
Yaacov Belenky
Current Assignee
Cisco Technology Inc
Original Assignee
NDS Ltd
Legal events
Application filed by NDS Ltd.
Assigned to NDS Limited (assignors: Belenky, Yaacov; Kipnis, Aviad; Sella, Yaron).
Assigned to Cisco Technology, Inc. (assignor: NDS Limited).
Published as US20130129090A1 and as US20130294601A9; application granted and published as US8958560B2.
Legal status: Active.

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                  • H04L9/0822 Key transport or distribution using key encryption key
                  • H04L9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
                • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
            • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
              • H04L9/3066 Public key involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
                • H04L9/3073 Public key involving algebraic varieties, involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
              • H04L9/3093 Public key involving Lattices or polynomial equations, e.g. NTRU scheme
            • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3247 Cryptographic mechanisms including means for verifying identity or authority, involving digital signatures
          • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
            • H04L2209/12 Details relating to cryptographic hardware or logic circuitry

Definitions

  • The present invention relates generally to methods and systems of cryptography, and specifically to public-key signature schemes.
  • Public-key cryptographic techniques are widely used for encryption and authentication of electronic documents. Such techniques use a mathematically-related key pair: a secret private key and a freely-distributed public key.
  • The sender uses a private key to compute an electronic signature over a given message, and then transmits the message together with the signature.
  • The recipient verifies the signature against the message using the corresponding public key, and thus confirms that the document originated with the holder of the private key and not an impostor.
  • Embodiments of the present invention that are described hereinbelow provide a multivariate polynomial scheme for public-key signature with enhanced computational efficiency.
  • A cryptographic method including providing a public key that defines a multivariate polynomial mapping Q( ) over a finite field F.
  • A first vector Y of verification values is extracted from a message.
  • A processor computes over the first vector a digital signature X including a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y + aY_SHIFT over F, wherein Y_SHIFT is a shifted version of Y, and a ∈ F.
  • The message is conveyed with the digital signature to a recipient for authentication using the public key.
  • The method includes receiving the message with the digital signature, extracting the first vector Y of the verification values from the received message, and authenticating the message by applying the mapping defined by the public key to find the output values, and finding a factor a ∈ F such that each output value is equal to the corresponding element of the vector sum Y + aY_SHIFT.
  • Extracting the first vector includes applying a predefined hash function to the message, and the multivariate polynomial mapping is a quadratic mapping.
  • Computing the digital signature includes applying an affine transform B⁻¹ to the first vector Y in order to compute an intermediate vector Z′, and applying a univariate polynomial function P⁻¹(Z′), corresponding to the multivariate polynomial mapping, over an extension field of F in order to find the digital signature in a polynomial representation X′.
  • B includes a right-to-left Toeplitz matrix.
  • U(T) = (1 + aT).
  • The multivariate polynomial mapping Q( ) includes at least one additional constraint not imposed by the univariate polynomial function.
  • Computing the digital signature includes testing the multiple candidate digital signatures X′ for different power vectors V, in order to find the digital signature X that satisfies the at least one additional constraint.
  • Applying the affine transform includes setting at least one of the values y_i in the first vector Y so that at least one corresponding intermediate value in the intermediate vector Z′ is zero, and providing the public key includes discarding at least one equation corresponding to the at least one of the values y_i from the multivariate polynomial mapping Q( ) that is defined by the public key.
  • A cryptographic method including receiving a message with a digital signature X, for verification using a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F.
  • A first vector Y of verification values is extracted from the received message.
  • The multivariate polynomial mapping is applied to the digital signature so as to find a second vector of output values Q(X).
  • The message is authenticated by finding a factor a ∈ F such that each output value is equal to the corresponding element of a vector sum Y + aY_SHIFT.
  • The method includes rejecting the message if no factor a ∈ F can be found to authenticate the message.
  • Cryptographic apparatus including a memory, which is configured to store a private key corresponding to a public key that defines a multivariate polynomial mapping Q( ) over a finite field F.
  • A processor is configured to extract a first vector Y of verification values from a message, and to compute over the first vector, using the private key, a digital signature X including a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y + aY_SHIFT over F, wherein Y_SHIFT is a shifted version of Y, and a ∈ F, and to convey the message with the digital signature to a recipient for authentication using the public key.
  • The apparatus includes a device coupled to receive the message with the digital signature, to extract the first vector Y of the verification values from the received message, and to authenticate the message by applying the mapping defined by the public key to find the output values, and finding a factor a ∈ F such that each output value is equal to the corresponding element of the vector sum Y + aY_SHIFT.
  • Cryptographic apparatus including a memory, which is configured to store a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F.
  • A processor is configured to receive a message with a digital signature X, for verification using the public key, to extract a first vector Y of verification values from the received message, to apply the multivariate polynomial mapping to the digital signature so as to find a second vector of output values Q(X), and to authenticate the message by finding a factor a ∈ F such that each output value is equal to the corresponding element of a vector sum Y + aY_SHIFT.
  • A computer software product including a computer-readable medium in which program instructions are stored, which instructions, when read by a processor, cause the processor to read from a memory a private key corresponding to a public key that defines a multivariate polynomial mapping Q( ) over a finite field F, to extract a first vector Y of verification values from a message, to compute over the first vector, using the private key, a digital signature X including a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y + aY_SHIFT over F, wherein Y_SHIFT is a shifted version of Y, and a ∈ F, and to convey the message with the digital signature to a recipient for authentication using the public key.
  • A computer software product including a computer-readable medium in which program instructions are stored, which instructions, when read by a processor, cause the processor to read from a memory a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F, to receive a message with a digital signature X, for verification using the public key, to extract a first vector Y of verification values from the received message, to apply the multivariate polynomial mapping to the digital signature so as to find a second vector of output values Q(X), and to authenticate the message by finding a factor a ∈ F such that each output value is equal to the corresponding element of a vector sum Y + aY_SHIFT.
  • FIG. 1 is a block diagram that schematically illustrates a data communication system in which messages are authenticated using a public-key signature, in accordance with an embodiment of the present invention
  • FIG. 2 is a flow chart that schematically illustrates components of public- and private-key signature computations, in accordance with an embodiment of the present invention
  • FIG. 3 is a flow chart that schematically illustrates a method for computing a digital signature, in accordance with an embodiment of the present invention.
  • FIG. 4 is a flow chart that schematically illustrates a method for verifying a digital signature, in accordance with an embodiment of the present invention.
  • Embodiments of the present invention that are described hereinbelow provide a new public-key signature scheme, using multivariate polynomial equations, that can be implemented with relatively low expenditure of computational resources, while still providing high security against attack.
  • This new scheme can use relatively short signatures (by comparison with methods that are currently in common use, such as RSA) and requires less computation for signature generation than other proposed multivariate polynomial schemes.
  • The disclosed embodiments are based on multivariate quadratic equations, but the principles of the present invention may be extended, mutatis mutandis, to multivariate polynomial equations of higher order.
  • The sender uses a private key to generate a digital signature over the message, using techniques described below.
  • The recipient uses a polynomial mapping, typically having the form of a multivariate quadratic mapping Q( ) over F.
  • This mapping comprises a set of multivariate quadratic equations Q_0( ), Q_1( ), …, Q_m( ) of the form:
  • Mapping coefficients ⁇ i,j,k , ⁇ i,j and ⁇ i are specified by the public key distributed by the sender of the message, i.e., the public key specifies the values of the coefficients that are to be used in the quadratic mapping by the recipient in authenticating the signature.
  • The sender extracts a vector Y of verification values from the message, typically by applying a predefined hash function to the message.
  • The sender then applies a sequence of transformations defined by the sender's private key to find the signature X.
  • P(X) is a univariate polynomial function, defined below, corresponding to the multivariate polynomial mapping that is used in verifying the signature.
  • The coefficients a_0, a_1, …, a_{n-1} correspond to the vector elements of X in the multivariate representation.
  • Computing the signature X in the polynomial representation facilitates efficient computation, but this computation still involves the modular exponentiation Z^d, which is computationally costly.
  • U(T) is a predefined polynomial.
  • B has the form of a right-to-left (RTL) diagonal Toeplitz matrix, as defined hereinbelow.
  • The recipient applies the mapping defined by the public key to find the output values Q(X).
  • The factor a is therefore referred to hereinbelow as the shift factor.
  • FIG. 1 is a block diagram that schematically illustrates a data communication system 20 using the sort of digital signature scheme that is described above, in accordance with an embodiment of the present invention.
  • System 20 is shown and described here for the sake of example, to illustrate a typical configuration in which such digital signatures may be used, but is not meant to limit the application of such signatures to this sort of context.
  • A computer such as a server 22 transmits data over a network 26 to a receiving device 24.
  • Device 24 may comprise a media player, for example, either fixed or mobile, which comprises an embedded processor or has a plug-in smart card or key.
  • Such devices typically have limited memory and computational resources, making the low resource demands of the present digital signature technique particularly attractive.
  • The recipient of the data may be a general-purpose computer or other computing device.
  • Server 22 and device 24 conduct an authentication procedure, which may include transmission of one or more authentication frames 34. This procedure may be repeated subsequently if desired.
  • A processor 28 in server 22 generates a message 36 for transmission to device 24.
  • Processor 28 computes a signature 40, denoted X, over message 36 using a private key 38 that is stored in a memory 30.
  • The signature is computed using a shift factor a, as defined above.
  • The server then transmits frame 34, comprising message 36 and signature 40, via an interface 32 over network 26 to device 24.
  • A processor 42 associated with device 24 receives frame 34 via an interface 44.
  • Processor 42 sets up a quadratic mapping Q( ) using a public multivariate quadratic (MQ) key 48 that is stored in a memory 46.
  • This key may be preinstalled in memory 46, or it may be downloaded to device 24 from server 22 or from another trusted source.
  • Processor 28 and possibly processor 42, as well, comprise general-purpose computer processors, which are programmed in software to carry out the functions that are described herein.
  • This software may be downloaded to either of the processors in electronic form, over a network, for example.
  • The software may be provided on tangible, non-transitory storage media, such as optical, magnetic, or electronic memory media. Further alternatively or additionally, some or all of these processing functions may be performed by special-purpose or programmable digital logic circuits.
  • FIG. 1 shows a certain operational configuration in which the signature scheme described herein may be applied.
  • This same scheme may be applied not only in signing authentication frames transmitted over a network, but also in signing documents and files of other types, whether transmitted or locally stored.
  • The embodiments and claims in this patent application refer to computation of a signature over a message, but the term “message” should be understood, in the context of the present patent application and in the claims, as referring to any sort of data that is amenable to signature by the present scheme.
  • FIG. 2 is a flow chart that schematically illustrates components of public- and private-key signature computations, in accordance with an embodiment of the present invention.
  • Although the signature and verification vectors are represented, for the sake of convenience, as having length n, they may alternatively be of different lengths.
  • Y_SHIFT = (y_1, y_2, …) contains the elements of Y shifted over one element.
  • The public key-based computation verifies that:
  • The security of the signature scheme against algebraic attack may be further enhanced by altering the mapping that is defined by the public key. For this purpose, certain equations in Q( ) may be perturbed; additional equations (besides Q_{n-1} and Q_{n-2}) may be discarded; equations may be rewritten over a reduced input space; or different schemes may be combined. Such measures are described, for example, by Clough et al., in “Square, a New Multivariate Encryption Scheme,” Topics in Cryptology, CT-RSA 2009 (LNCS 5473), pages 252-264, which is incorporated herein by reference.
  • Private key-based computation 52 includes a first affine transform 58, having the form of a matrix A, which transforms X into a vector X′.
  • A further affine transform 62, given by a matrix B, transforms Z′ into Y.
  • The signer of a message (such as server 22) performs the inverse steps B⁻¹, P⁻¹, A⁻¹ to derive the signature X from Y.
  • Each of the steps in the private key-based computation is easily inverted.
  • When the public key-based mapping Q( ) is altered, as explained above, it imposes additional constraints to be applied by public key-based computation 50. In this case, not every X that results from inverting the elements of private key-based computation 52 will satisfy the public key-based mapping. To deal with this limitation, the signer typically tests each value of X to verify that it satisfies the public key-based mapping, and discards unsuitable values until a satisfying signature is found.
  • FIG. 3 is a flow chart that schematically illustrates a method for computing the digital signature X, in accordance with an embodiment of the present invention.
  • The method comprises two parts: a preliminary computation 70, which can be performed in advance, before there is a message to be signed; and an in-line computation 72, performed over each message.
  • The method will be described with reference to the components of server 22 (FIG. 1).
  • The private key to be used by server 22 defines the polynomial function P( ) at a private function definition step 74.
  • This definition of Z mandates that the affine transform matrix B have a right-to-left (RTL) diagonal Toeplitz form, meaning that each row is a copy of the row above it, but shifted one place to the left:
  • This matrix and the matrix A are components of the private key, which are defined at a matrix definition step 76.
  • Processor 28 uses these private key elements together in computing the public key that defines the coefficients of the multivariate quadratic mapping Q( ) at a public key computation step 78.
  • The public key may be transmitted over network 26 or otherwise conveyed to device 24.
  • The elements of the private key are stored by processor 28 in memory 30.
  • In-line computation 72 typically begins when processor 28 receives a message for signature, at a message input 82.
  • The processor extracts a verification vector Y, of length n, from the message, typically using a predefined hash function, at a hash computation step 84. Any suitable hash function that is known in the art may be used at this step. Because the last public-key equation, Q_{n-1}( ), has been discarded, however, the most significant element of Y, y_{n-1}, is actually a free variable and may be set to any desired value in F for the purpose of calculating the signature X.
  • If the candidate signature fails the test at step 88, the processor may return to step 84 and take a different Y (by adding a dummy field to the message, for example, so that the hash result will be different). The processor then repeats steps 86 and 88 until it finds a valid signature.
  • FIG. 4 is a flow chart that schematically illustrates a method used by device 24 to verify the digital signature of a message, in accordance with an embodiment of the present invention.
  • The method is initiated when device 24 receives a message with a signature X, at a method reception step 100.
  • Processor 42 computes the verification vector Y using the same predefined hash function as was used in generating the signature, at a hash computation step 102.
  • The processor uses the public key of server 22 that is stored in memory 46 to set up and compute the output values of the multivariate quadratic mapping Q(X), at a mapping computation step 104.

Abstract

A cryptographic method and apparatus, including providing a public key that defines a multivariate polynomial mapping Q( ) over a finite field F, extracting a first vector Y of verification values from a message, computing over the first vector, using a processor, a digital signature X including a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y + aY_SHIFT over F, wherein Y_SHIFT is a shifted version of Y, and a ∈ F, and conveying the message with the digital signature to a recipient for authentication using the public key. Related methods, systems, and apparatus are also described.

Description

FIELD OF THE INVENTION
  • The present invention relates generally to methods and systems of cryptography, and specifically to public-key signature schemes.
BACKGROUND OF THE INVENTION
  • Public-key cryptographic techniques are widely used for encryption and authentication of electronic documents. Such techniques use a mathematically-related key pair: a secret private key and a freely-distributed public key. For authentication, the sender uses a private key to compute an electronic signature over a given message, and then transmits the message together with the signature. The recipient verifies the signature against the message using the corresponding public key, and thus confirms that the document originated with the holder of the private key and not an impostor.
  • Commonly-used public-key cryptographic techniques, such as the Rivest Shamir Adleman (RSA) algorithm, rely on numerical computations over large finite fields. To ensure security against cryptanalysis, these techniques require the use of large signatures, which are costly, in terms of memory and computing power, to store and compute. These demands can be problematic in applications such as smart cards, in which computing resources are limited.
  • Various alternative public-key signature schemes have been developed in order to reduce the resource burden associated with cryptographic operations. One class of such schemes is based on solution of multivariate polynomial equations over finite fields. These schemes can offer enhanced security while operating over relatively small finite fields. Most attention in this area has focused on multivariate quadratic (MQ) equations. A useful survey of work that has been done in this area is presented by Wolf and Preneel in “Taxonomy of Public Key Schemes Based on the Problem of Multivariate Quadratic Equations,” Cryptology ePrint Archive, Report 2005/077 (2005), which is incorporated herein by reference.
SUMMARY
  • Embodiments of the present invention that are described hereinbelow provide a multivariate polynomial scheme for public-key signature with enhanced computational efficiency.
  • There is therefore provided, in accordance with an embodiment of the present invention, a cryptographic method, including providing a public key that defines a multivariate polynomial mapping Q( ) over a finite field F. A first vector Y of verification values is extracted from a message. A processor computes over the first vector a digital signature X including a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y + aY_SHIFT over F, wherein Y_SHIFT is a shifted version of Y, and a ∈ F. The message is conveyed with the digital signature to a recipient for authentication using the public key.
  • In a disclosed embodiment, the method includes receiving the message with the digital signature, extracting the first vector Y of the verification values from the received message, and authenticating the message by applying the mapping defined by the public key to find the output values, and finding a factor a ∈ F such that each output value is equal to the corresponding element of the vector sum Y + aY_SHIFT.
  • Typically, extracting the first vector includes applying a predefined hash function to the message, and the multivariate polynomial mapping is a quadratic mapping.
  • In some embodiments, computing the digital signature includes applying an affine transform B⁻¹ to the first vector Y in order to compute an intermediate vector Z′, and applying a univariate polynomial function P⁻¹(Z′), corresponding to the multivariate polynomial mapping, over an extension field of F in order to find the digital signature in a polynomial representation X′. Typically, B includes a right-to-left Toeplitz matrix.
  • In a disclosed embodiment, P⁻¹(Z′) = (U(T))^d · Z′^d, wherein U is a polynomial in the extension field over a variable T with at least one coefficient given by the factor a, and d is an exponent, and wherein computing the digital signature includes precomputing and storing respective power vectors V_a = (U(T))^d for multiple possible factors a ∈ F, and using the stored power values in order to compute and test multiple candidate digital signatures X′ for a given exponentiation Z′ → Z′^d. Typically, U(T) = (1 + aT). Additionally or alternatively, the multivariate polynomial mapping Q( ) includes at least one additional constraint not imposed by the univariate polynomial function, and computing the digital signature includes testing the multiple candidate digital signatures X′ for different power vectors V, in order to find the digital signature X that satisfies the at least one additional constraint.
  • Further additionally or alternatively, applying the affine transform includes setting at least one of the values y_i in the first vector Y so that at least one corresponding intermediate value in the intermediate vector Z′ is zero, and providing the public key includes discarding at least one equation corresponding to the at least one of the values y_i from the multivariate polynomial mapping Q( ) that is defined by the public key.
  • There is also provided, in accordance with an embodiment of the present invention, a cryptographic method, including receiving a message with a digital signature X, for verification using a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F. A first vector Y of verification values is extracted from the received message. The multivariate polynomial mapping is applied to the digital signature so as to find a second vector of output values Q(X). The message is authenticated by finding a factor a ∈ F such that each output value is equal to the corresponding element of a vector sum Y + aY_SHIFT.
  • Typically, the method includes rejecting the message if no factor aεF can be found to authenticate the message.
  • There is additionally provided, in accordance with an embodiment of the present invention, cryptographic apparatus, including a memory, which is configured to store a private key corresponding to a public key that defines a multivariate polynomial mapping Q( ) over a finite field F. A processor is configured to extract a first vector Y of verification values from a message, and to compute over the first vector, using the private key, a digital signature X including a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y+aYSHIFT over F, wherein YSHIFT is a shifted version of Y, and aεF, and to convey the message with the digital signature to a recipient for authentication using the public key.
  • In a disclosed embodiment, the apparatus includes a device coupled to receive the message with the digital signature, to extract the first vector Y of the verification values from the received message, and to authenticate the message by applying the mapping defined by the public key to find the output values, and finding a factor aεF such that each output value is equal to the corresponding element of the vector sum Y+aYSHIFT.
  • There is further provided, in accordance with an embodiment of the present invention, cryptographic apparatus, including a memory, which is configured to store a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F. A processor is configured to receive a message with a digital signature X, for verification using the public key, to extract a first vector Y of verification values from the received message, to apply the multivariate polynomial mapping to the digital signature so as to find a second vector of output values Q(X), and to authenticate the message by finding a factor aεF such that each output value is equal to the corresponding element of a vector sum Y+aYSHIFT.
  • There is moreover provided, in accordance with an embodiment of the present invention, a computer software product, including a computer-readable medium in which program instructions are stored, which instructions, when read by a processor, cause the processor to read from a memory a private key corresponding to a public key that defines a multivariate polynomial mapping Q( ) over a finite field F, to extract a first vector Y of verification values from a message, to compute over the first vector, using the private key, a digital signature X including a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y+aYSHIFT over F, wherein YSHIFT is a shifted version of Y, and aεF, and to convey the message with the digital signature to a recipient for authentication using the public key.
  • There is furthermore provided, in accordance with an embodiment of the present invention, a computer software product, including a computer-readable medium in which program instructions are stored, which instructions, when read by a processor, cause the processor to read from a memory a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F, to receive a message with a digital signature X, for verification using the public key, to extract a first vector Y of verification values from the received message, to apply the multivariate polynomial mapping to the digital signature so as to find a second vector of output values Q(X), and to authenticate the message by finding a factor aεF such that each output value is equal to the corresponding element of a vector sum Y+aYSHIFT.
  • The present invention will be more fully understood from the following detailed description of the embodiments thereof, taken together with the drawings in which:
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram that schematically illustrates a data communication system in which messages are authenticated using a public-key signature, in accordance with an embodiment of the present invention;
  • FIG. 2 is a flow chart that schematically illustrates components of public- and private-key signature computations, in accordance with an embodiment of the present invention;
  • FIG. 3 is a flow chart that schematically illustrates a method for computing a digital signature, in accordance with an embodiment of the present invention; and
  • FIG. 4 is a flow chart that schematically illustrates a method for verifying a digital signature, in accordance with an embodiment of the present invention.
  • DETAILED DESCRIPTION OF EMBODIMENTS
  • Overview
  • Embodiments of the present invention that are described hereinbelow provide a new public-key signature scheme, using multivariate polynomial equations, that can be implemented with relatively low expenditure of computational resources, while still providing high security against attack. This new scheme can use relatively short signatures (by comparison with methods that are currently in common use, such as RSA) and requires less computation for signature generation than other proposed multivariate polynomial schemes. The disclosed embodiments are based on multivariate quadratic equations, but the principles of the present invention may be extended, mutatis mutandis, to multivariate polynomial equations of higher order.
  • To enable authentication of a message, the sender uses a private key to generate a digital signature over the message, using techniques described below. The signature has the form of a vector of values X=(x0, . . . , xn-1) in a finite field F having p elements.
  • To verify the authenticity of the message, the recipient uses a polynomial mapping, typically having the form of multivariate quadratic mapping Q( ) over F. This mapping comprises a set of multivariate quadratic equations Q0( ), Q1( ), . . . , Qm( ) of the form:
  • $Q_i(X) = \sum_{j,k} \gamma_{i,j,k}\, x_j x_k + \sum_{j} \beta_{i,j}\, x_j + \alpha_i$
  • The mapping coefficients γi,j,k, βi,j and αi are specified by the public key distributed by the sender of the message, i.e., the public key specifies the values of the coefficients that are to be used in the quadratic mapping by the recipient in authenticating the signature.
  • To compute the digital signature, the sender extracts a vector Y of verification values from the message, typically by applying a predefined hash function to the message. The sender then applies a sequence of transformations defined by the sender's private key to find the signature X. At the core of these transformations is a univariate polynomial function P(X), as defined below, corresponding to the multivariate polynomial mapping that is used in verifying the signature. (As explained in the above-mentioned article by Wolf and Preneel, there is a direct correspondence between these univariate and multivariate representations.) The univariate polynomial function operates over an extension field of F, whose members can be represented as polynomials of the form X′ = a_0 + a_1T + . . . + a_{n−1}T^{n−1} in a variable T, and there is an irreducible polynomial of degree n that operates in a manner equivalent to the modulus in number fields. (Irreducible polynomials can be found by choosing polynomials at random and testing for reducibility until an irreducible polynomial is found, or by selection from published tables of irreducible polynomials.) The coefficients a_0, a_1, . . . , a_{n−1} correspond to the vector elements of X in the multivariate representation. In the univariate representation, P(X) = X^m, wherein m and p^n − 1 are relatively prime, so that P(X) is invertible, and its inverse is P^{−1}(X) = X^d for some d.
  • In embodiments of the present invention, the private key-based computation for deriving the signature X of a verification vector Y is defined such that X = A^{−1}X′, X′ = P^{−1}(Z) = Z^d, and Z = B^{−1}Y, wherein A and B are affine transforms. Computing the signature X in the polynomial representation facilitates efficient computation, but this computation still involves the modular exponentiation Z^d, which is computationally costly. To protect the set of multivariate quadratic equations defined by the public key against algebraic attack, it is desirable to obfuscate the signature computation still further by adding constraints to the equations in Q( ). As a result, however, not every possible signature X for a given verification vector Y will give a valid verification result under Q(X). To sign a given message, it may thus be necessary to compute X multiple times for different choices of the intermediate vector Z, and then to test each X by trial and error until a valid signature is found.
  • To avoid the need to repeat the costly computation of Z^d for each new trial value of X, the intermediate vector Z is redefined in embodiments of the present invention as the product Z = U(T)Z′, wherein U(T) is a predefined polynomial. For mathematical simplicity in the embodiments described below, U(T) = 1 + aT, a first-order polynomial, wherein a ∈ F, but other, higher-degree polynomials may similarly be used. The sender pre-computes and stores power vectors of the form V_a = (U(T))^d for multiple possible factors a ∈ F (typically for all such possible factors). The exponent Z^d = (U(T))^d Z′^d = V_a Z′^d, wherein V_a depends only on the value of a. Therefore, multiple values of Z^d can be computed and evaluated by performing the exponentiation Z′^d only once and then multiplying by the different stored vectors V_a in turn. Thus, the computational cost of finding a valid signature X, meeting all constraints, is substantially reduced.
  • This change in the definition of the intermediate vector limits the form of the affine transform B and, furthermore, alters the way in which the signature is authenticated by the recipient of the message. Thus, in some embodiments of the present invention, B has the form of a right-to-left (RTL) diagonal Toeplitz matrix, as defined hereinbelow. The authentication criterion for the digital signature X is not simply Q(X)=Y, but rather involves a vector sum: When U(T)=1+aT, a valid signature X satisfies Q(X)=Y+aYSHIFT, wherein YSHIFT is a shifted version of Y (i.e., Q0(X)=y0+ay1; Q1(X)=y1+ay2; and so forth).
  • To authenticate a given message with signature X, the recipient applies the mapping defined by the public key to find the output values Q(X). The recipient then evaluates different possible factors aεF by solving the vector sum Y+aYSHIFT until it finds the factor a that satisfies Q(X)=Y+aYSHIFT. The factor a is therefore referred to hereinbelow as the shift factor. The evaluation can be carried out simply and efficiently, without any need to try all aεF by brute force. Rather, the recipient computes an initial value a=(Q0−Y0)/Y1 or a=0 if Y1=0 and then verifies that this value satisfies the remaining equations. If a valid factor a is found, the recipient accepts the message as authentic; otherwise, the message is rejected.
  • System Description and Operation
  • FIG. 1 is a block diagram that schematically illustrates a data communication system 20 using the sort of digital signature scheme that is described above, in accordance with an embodiment of the present invention. System 20 is shown and described here for the sake of example, to illustrate a typical configuration in which such digital signatures may be used, but is not meant to limit the application of such signatures to this sort of context.
  • In the pictured embodiment, a computer, such as a server 22 transmits data over a network 26 to a receiving device 24. Device 24 may comprise a media player, for example, either fixed or mobile, which comprises an embedded processor or has a plug-in smart card or key. Such devices typically have limited memory and computational resources, making the low resource demands of the present digital signature technique particularly attractive. Alternatively, the recipient of the data may be a general-purpose computer or other computing device.
  • Before beginning media transmission, server 22 and device 24 conduct an authentication procedure, which may include transmission of one or more authentication frames 34. This procedure may be repeated subsequently if desired. In the example shown in the figure, a processor 28 in server 22 generates a message 36 for transmission to device 24. Processor 28 computes a signature 40, denoted X, over message 36 using a private key 38 that is stored in a memory 30. The signature is computed using a shift factor a, as defined above. The server then transmits frame 34, comprising message 36 and signature 40, via an interface 32 over network 26 to device 24.
  • A processor 42 associated with device 24 receives frame 34 via an interface 44. Processor 42 sets up a quadratic mapping Q( ) using a public multivariate quadratic (MQ) key 48 that is stored in a memory 46. This key may be preinstalled in memory 46, or it may be downloaded to device 24 from server 22 or from another trusted source. Processor 42 applies the quadratic mapping to signature 40, giving Q(X), and compares the resulting output values to a verification vector, denoted Y, derived from message 36. If processor 42 is able to find a value a ∈ F satisfying Q(X)=Y+aYSHIFT, it authenticates the message as having originated from server 22, and media transmission proceeds. As noted above, for this purpose the processor computes an initial value a=(Q0−Y0)/Y1 and then verifies that this value satisfies the remaining equations.
  • Typically, processor 28, and possibly processor 42 as well, comprise general-purpose computer processors, which are programmed in software to carry out the functions that are described herein. This software may be downloaded to either of the processors in electronic form, over a network, for example. Alternatively or additionally, the software may be provided on tangible, non-transitory storage media, such as optical, magnetic, or electronic memory media. Further alternatively or additionally, some or all of these processing functions may be performed by special-purpose or programmable digital logic circuits.
  • As noted above, FIG. 1 shows a certain operational configuration in which the signature scheme described herein may be applied. This same scheme may be applied not only in signing authentication frames transmitted over a network, but also in signing documents and files of other types, whether transmitted or locally stored. For the sake of convenience and clarity, the embodiments and claims in this patent application refer to computation of a signature over a message, but the term “message” should be understood, in the context of the present patent application and in the claims, as referring to any sort of data that is amenable to signature by the present scheme.
  • Methods of Computation and Authentication
  • FIG. 2 is a flow chart that schematically illustrates components of public- and private-key signature computations, in accordance with an embodiment of the present invention. The chart includes a public key-based computation 50 and a private key-based computation 52, both of which take a signature vector 56, denoted X=(x0, . . . , xn-1), into a verification vector 54, denoted Y=(y0, . . . , yn-1). Although the signature and verification vectors are represented, for the sake of convenience, as having length n, they may alternatively be of different lengths.
  • Public key-based computation 50, which is conducted by the recipient of the signed message (such as device 24), uses the multivariate quadratic mapping Q( ) which is defined by the public key, along with the shift factor a, to verify that Q(X)=Y+aYSHIFT. As noted earlier, YSHIFT=(y1, y2, . . . ) contains the elements of Y shifted over one element. In other words, the public key-based computation verifies that:
  • $Q_0(X) = y_0 + a y_1,\qquad Q_1(X) = y_1 + a y_2,\qquad \ldots,\qquad Q_{n-3}(X) = y_{n-3} + a y_{n-2}$
  • Qn-1 is undefined, and Qn-2(X)=yn-2+ayn-1 is also omitted from the public key to avoid revealing the value of yn-1 (which could otherwise create a security problem because of the manner in which X is computed using the private key, as explained below). Inversion of this sort of mapping is computationally hard, thus providing security against attack.
  • The security of the signature scheme against algebraic attack may be further enhanced by altering the mapping that is defined by the public key. For this purpose, certain equations in Q( ) may be perturbed; additional equations (besides Qn-1 and Qn-2) may be discarded; equations may be rewritten over a reduced input space; or different schemes may be combined. Such measures are described, for example, by Clough et al., in “Square, a New Multivariate Encryption Scheme,” Topics in Cryptology—CT-RSA 2009 (LNCS 5473), pages 252-264, which is incorporated herein by reference.
  • Private key-based computation 52 includes a first affine transform 58, having the form of a matrix A, which transforms X into a vector X′. A univariate polynomial function 60, denoted P( ), operates on the polynomial representation of X′ to generate the intermediate vector Z′=(z′0, . . . , z′n-1), with z′n-1=0, in the polynomial form P(X′) = (1 + aT)Z′. A further affine transform 62, given by a matrix B, transforms Z′ into Y. The signer of a message (such as server 22) performs the inverse steps: B^{−1}, P^{−1}, A^{−1}, to derive the signature X from Y. (In contrast to the multivariate quadratic mapping defined by the public key, each of the steps in the private key-based computation is easily inverted.) The inverse function is P^{−1}(Z) = Z^d = (1 + aT)^d Z′^d, as noted above.
  • When the public key-based mapping Q( ) is altered, as explained above, it imposes additional constraints to be applied by public key-based computation 50. In this case, not every X that results from inverting the elements of private key-based computation 52 will satisfy the public-key based mapping. To deal with this limitation, the signer typically tests each value of X to verify that it satisfies the public-key based mapping, and discards unsuitable values until a satisfying signature is found.
  • FIG. 3 is a flow chart that schematically illustrates a method for computing the digital signature X, in accordance with an embodiment of the present invention. The method comprises two parts: a preliminary computation 70, which can be performed in advance, before there is a message to be signed; and an in-line computation 72, performed over each message. For clarity of description, the method will be described with reference to the components of server 22 (FIG. 1).
  • The private key to be used by server 22 defines the polynomial function P( ) at a private function definition step 74. As explained above, this function is defined such that P−1(Z)=Zd, and Z=(1+aT)Z′. This definition of Z mandates that the affine transform matrix B have a right-to-left (RTL) diagonal Toeplitz form, meaning that each row is a copy of the row above it, but shifted one place to the left:
  • $B = \begin{pmatrix} b_0 & b_1 & b_2 & \cdots & b_{n-1} \\ b_1 & b_2 & b_3 & \cdots & b_n \\ b_2 & b_3 & b_4 & \cdots & b_{n+1} \\ b_3 & b_4 & b_5 & \cdots & b_{n+2} \\ \vdots & \vdots & \vdots & & \vdots \end{pmatrix}$
  • This matrix and the matrix A, are components of the private key, which are defined at a matrix definition step 76.
  • Processor 28 uses these private key elements together in computing the public key that defines the coefficients of the multivariate quadratic mapping Q( ) at a public key computation step 78. (Details of this computation are presented, for example, by Wolf and Preneel.) The public key may be transmitted over network 26 or otherwise conveyed to device 24. The elements of the private key are stored by processor 28 in memory 30. As explained above, processor 28 also computes and stores the set of vectors Va=(1+aT)d for all values of the shift factor a in the finite field F, at a vector pre-computation step 80.
  • In-line computation 72 typically begins when processor 28 receives a message for signature, at a message input 82. The processor extracts a verification vector Y, of length n, from the message, typically using a predefined hash function, at a hash computation step 84. Any suitable hash function that is known in the art may be used at this step. Because the last public-key equation, Qn-1( ), has been discarded, however, the most significant element of Y, yn-1, is actually a free variable and may be set to any desired value in F for the purpose of calculating the signature X.
  • Therefore, processor 28 chooses yn-1 so as to generate Z′=B−1Y such that z′n-1=0 (i.e., the most significant element of Z′, seen as a polynomial, is zero), at an intermediate vector computation step 86. The processor then uses the stored vectors Va in order to find a vector X′ satisfying the polynomial relation P(X′)=(1+aT)Z′, at a polynomial inversion step 88. As noted earlier, the processor finds multiple candidate values Wa of X′ by performing a single exponentiation, Z′d, and multiplying the result by Va: Wa=VaZ′d. Processor 28 tests each candidate Wa to ascertain whether it meets the additional constraints (such as (Wa)0=0) that have been incorporated in the public key-based computation Q(X). Upon finding a suitable candidate, the processor computes and outputs the actual signature, X=A−1X′, at a signature output step 90.
  • If no suitable candidate is found at step 88, the processor may return to step 84 and take a different Y (by adding a dummy field to the message, for example, so that the hash result will be different). The processor then repeats steps 86 and 88 until it finds a valid signature.
  • FIG. 4 is a flow chart that schematically illustrates a method used by device 24 to verify the digital signature of a message, in accordance with an embodiment of the present invention. (Again, the method is described with reference to the elements of system 20, in FIG. 1, solely for the sake of clarity, and not limitation.) The method is initiated when device 24 receives a message with a signature X, at a method reception step 100. Processor 42 computes the verification vector Y using the same predefined hash function as was used in generating the signature, at a hash computation step 102. The processor uses the public key of server 22 that is stored in memory 46 to set up and compute the output values of the multivariate quadratic mapping Q(X), at a mapping computation step 104.
  • Processor 42 compares the vector of output values of Q(X) to the vector sum Y+aYSHIFT for each of the possible values of the shift factor a in F, at an output comparison step 106. Specifically, the processor computes an initial value a=(Q0−Y0)/Y1, or a=0 if Y1=0, and then verifies that this value satisfies the remaining equations. The comparison is thus simple and typically requires only a small number of multiplications and additions to check whether the initial value of a is valid. If the processor finds a shift factor that gives a solution, Q(X)=Y+aYSHIFT, it accepts the message as authentic, at a message verification step 108. Otherwise, the processor considers the message to be suspect, and takes appropriate action, at a message rejection step 110.
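As an added example, not code from the patent, the following Python toy implements the univariate core of the signing steps 80 through 90 (precomputed vectors V_a, a single exponentiation Z′^d shared by all candidates W_a, constraint testing) and the verifier's shift-factor recovery of steps 104 through 108. The parameters are assumptions chosen for size: F = GF(7), extension GF(7^3) with modulus T^3 − 2, P(X) = X^5 (so the public map is not quadratic here), and constructed sample vectors; the public key Q and the affine transforms A and B are not implemented, so the verifier function takes the already-evaluated Q(X) values as input.

```python
"""Toy model of the univariate core of the scheme on this page (added example).

Assumed parameters (not from the patent): F = GF(7), extension GF(7^3) with
modulus T^3 - 2, irreducible over GF(7) because 2 is not a cube mod 7 (the
cubes are 0, 1 and 6); P(X) = X^m with m = 5, coprime to 7^3 - 1 = 342.
"""
from math import gcd

P = 7                   # base field F has p = 7 elements
N = 3                   # extension degree: elements are polynomials of degree < N in T
MOD = [5, 0, 0]         # low coefficients of the monic modulus T^3 + 0*T^2 + 0*T + 5
ORDER = P ** N - 1      # size of the multiplicative group of GF(p^n)
M = 5                   # P(X) = X^M
assert gcd(M, ORDER) == 1, "m must be coprime to p^n - 1 for P to be invertible"
D = pow(M, -1, ORDER)   # P^-1(Z) = Z^D, since M * D = 1 (mod ORDER)


def mul(u, v):
    """Product of two GF(p^n) elements (coefficient lists, low degree first)."""
    prod = [0] * (2 * N - 1)
    for i, x in enumerate(u):
        for j, y in enumerate(v):
            prod[i + j] = (prod[i + j] + x * y) % P
    for k in range(2 * N - 2, N - 1, -1):   # fold T^k (k >= N) using T^N = -MOD
        c, prod[k] = prod[k], 0
        for i in range(N):
            prod[k - N + i] = (prod[k - N + i] - c * MOD[i]) % P
    return prod[:N]


def power(u, e):
    """Square-and-multiply exponentiation in GF(p^n)."""
    result, base = [1] + [0] * (N - 1), list(u)
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result


def linear(a):
    """The polynomial U(T) = 1 + aT as a field element."""
    return [1, a % P] + [0] * (N - 2)


def precompute_power_vectors():
    """Step 80: V_a = (1 + aT)^d for every shift factor a in F, stored once."""
    return {a: power(linear(a), D) for a in range(P)}


def candidates(z_prime, power_vectors):
    """Step 88: one exponentiation Z'^d, then W_a = V_a * Z'^d for each a.
    Every W_a satisfies P(W_a) = (1 + aT) Z' because (U Z')^d = U^d Z'^d."""
    zd = power(z_prime, D)
    return {a: mul(va, zd) for a, va in power_vectors.items()}


def sign_univariate(z_prime, power_vectors, satisfies):
    """Steps 86-90 in the polynomial domain: return the first (a, W_a) that meets
    the extra public-key constraint, or None so the signer can pick a new Y."""
    for a, w in candidates(z_prime, power_vectors).items():
        if satisfies(w):
            return a, w
    return None


def find_shift_factor(q_out, y):
    """Steps 104-108 on the verifier: q_out holds Q_0(X), ..., Q_{n-3}(X), already
    evaluated from the public key; y is the hash-derived vector. Solve a from
    Q_0 = y_0 + a*y_1 (a = 0 when y_1 = 0, as on the page) and check that the
    remaining equations hold. Returns a, or None when the signature is rejected."""
    if not q_out or len(q_out) > len(y) - 1:
        return None
    y1 = y[1] % P
    a = 0 if y1 == 0 else ((q_out[0] - y[0]) * pow(y1, -1, P)) % P
    for i, q in enumerate(q_out):
        if (y[i] + a * y[i + 1]) % P != q % P:
            return None
    return a


if __name__ == "__main__":
    vectors = precompute_power_vectors()
    z_prime = [4, 2, 0]                     # constructed; z'_{n-1} = 0 as in step 86
    print(sign_univariate(z_prime, vectors, lambda w: w[0] == 0))
    print(find_shift_factor([5, 2, 0, 2], [3, 1, 4, 5, 2, 6]))   # constructed, a = 2
```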
  • It will be appreciated that the embodiments described above are cited by way of example, and that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove, as well as variations and modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not disclosed in the prior art.

Claims (32)

1. A cryptographic method, comprising:
providing a public key that defines a multivariate polynomial mapping Q( ) over a finite field F;
extracting a first vector Y of verification values from a message;
computing over the first vector, using a processor, a digital signature X comprising a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y+aYSHIFT over F, wherein YSHIFT is a shifted version of Y, a does not equal zero, and aεF; and
conveying the message with the digital signature to a recipient for authentication using the public key.
2. The method according to claim 1, and comprising:
receiving the message with the digital signature;
extracting the first vector Y of the verification values from the received message; and
authenticating the message by applying the mapping defined by the public key to find the output values, and finding a factor aεF such that each output value is equal to the corresponding element of the vector sum Y+aYSHIFT.
3. The method according to claim 1, wherein extracting the first vector comprises applying a predefined hash function to the message.
4. The method according to claim 1, wherein the multivariate polynomial mapping is a quadratic mapping.
5. The method according to claim 1, wherein computing the digital signature comprises:
applying an affine transform B−1 to the first vector Y in order to compute an intermediate vector Z′; and
applying a univariate polynomial function P−1(Z′), corresponding to the multivariate polynomial mapping, over an extension field of F in order to find the digital signature in a polynomial representation X′.
6. The method according to claim 5, wherein B comprises a right-to-left Toeplitz matrix.
7. The method according to claim 5, wherein P−1(Z′)=(U(T))dZ′d, wherein U is a polynomial in the extension field over a variable T with at least one coefficient given by the factor a, and d is an exponent, and
wherein computing the digital signature comprises precomputing and storing respective power vectors Va=(U(T))d for multiple possible factors aεF, and using the stored power values in order to compute and test multiple candidate digital signatures X′ for a given exponentiation of Z′→Z′d.
8. The method according to claim 7, wherein U(T)=(1+aT).
9. The method according to claim 7, wherein the multivariate polynomial mapping Q( ) comprises at least one additional constraint not imposed by the univariate polynomial function, and wherein computing the digital signature comprises testing the multiple candidate digital signatures X′ for different power vectors Va in order to find the digital signature X that satisfies the at least one additional constraint.
10. The method according to claim 5, wherein applying the affine transform comprises setting at least one of the values yi in the first vector Y so that at least one corresponding intermediate value in the intermediate vector Z′ is zero, and
wherein providing the public key comprises discarding at least one equation corresponding to the at least one of the values yi from the multivariate polynomial mapping Q( ) that is defined by the public key.
11. A cryptographic method, comprising:
receiving a message with a digital signature X, for verification using a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F;
extracting a first vector Y of verification values from the received message;
applying the multivariate polynomial mapping to the digital signature so as to find a second vector of output values Q(X); and
authenticating the message by finding a factor aεF such that each output value is equal to the corresponding element of a vector sum Y+aYSHIFT.
12. The method according to claim 11, wherein extracting the first vector comprises applying a predefined hash function to the message.
13. The method according to claim 11, wherein the multivariate polynomial mapping is a quadratic mapping.
14. The method according to claim 11, and comprising rejecting the message if no factor aεF can be found to authenticate the message.
15. Cryptographic apparatus, comprising:
a memory, which is configured to store a private key corresponding to a public key that defines a multivariate polynomial mapping Q( ) over a finite field F; and
a processor, which is configured to extract a first vector Y of verification values from a message, and to compute over the first vector, using the private key, a digital signature X comprising a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y+aYSHIFT over F, wherein YSHIFT is a shifted version of Y, a does not equal zero, and aεF, and to convey the message with the digital signature to a recipient for authentication using the public key.
16. The apparatus according to claim 15, and comprising a device coupled to receive the message with the digital signature, to extract the first vector Y of the verification values from the received message, and to authenticate the message by applying the mapping defined by the public key to find the output values, and finding a factor aεF such that each output value is equal to the corresponding element of the vector sum Y+aYSHIFT.
17. The apparatus according to claim 15, wherein the processor is configured to extract the first vector by applying a predefined hash function to the message.
18. The apparatus according to claim 15, wherein the multivariate polynomial mapping is a quadratic mapping.
19. The apparatus according to claim 15, wherein the processor is configured to compute the digital signature by applying an affine transform B^−1 to the first vector Y in order to compute an intermediate vector Z′, and applying a univariate polynomial function P^−1(Z′), corresponding to the multivariate polynomial mapping, over an extension field of F in order to find the digital signature in a polynomial representation X′.
20. The apparatus according to claim 19, wherein B comprises a right-to-left Toeplitz matrix.
21. The apparatus according to claim 19, wherein P^−1(Z′)=(U(T))^d·Z′^d, wherein U is a polynomial in the extension field over a variable T with at least one coefficient given by the factor a, and d is an exponent, and
wherein the processor is configured to precompute and store respective power vectors V_a=(U(T))^d for multiple possible factors a∈F, and to use the stored power values in order to compute and test multiple candidate digital signatures X′ for a given exponentiation of Z′→Z′^d.
22. The apparatus according to claim 21, wherein U(T)=(1+aT).
23. The apparatus according to claim 21, wherein the multivariate polynomial mapping Q( ) comprises at least one additional constraint not imposed by the univariate polynomial function, and wherein the processor is configured to test the multiple candidate digital signatures X′ for different power vectors V_a in order to find the digital signature X that satisfies the at least one additional constraint.
24. The apparatus according to claim 19, wherein the processor is configured to set at least one of the values y_i in the first vector Y so that at least one corresponding intermediate value in the intermediate vector Z′ is zero, and to discard at least one equation corresponding to the at least one of the values y_i from the multivariate polynomial mapping Q( ) that is defined by the public key.
25. Cryptographic apparatus, comprising:
a memory, which is configured to store a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F; and
a processor, which is configured to receive a message with a digital signature X, for verification using the public key, to extract a first vector Y of verification values from the received message, to apply the multivariate polynomial mapping to the digital signature so as to find a second vector of output values Q(X), and to authenticate the message by finding a factor a∈F such that each output value is equal to the corresponding element of a vector sum Y+aY_SHIFT.
26. The apparatus according to claim 25, wherein the processor is configured to extract the first vector by applying a predefined hash function to the message.
27. The apparatus according to claim 25, wherein the multivariate polynomial mapping is a quadratic mapping.
28. The apparatus according to claim 25, wherein the processor is configured to reject the message if no factor a∈F can be found to authenticate the message.
29. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a processor, cause the processor to read from a memory a private key corresponding to a public key that defines a multivariate polynomial mapping Q( ) over a finite field F, to extract a first vector Y of verification values from a message, to compute over the first vector, using the private key, a digital signature X comprising a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y+aY_SHIFT over F, wherein Y_SHIFT is a shifted version of Y, a does not equal zero, and a∈F, and to convey the message with the digital signature to a recipient for authentication using the public key.
30. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a processor, cause the processor to read from a memory a predefined public key, which defines a multivariate polynomial mapping Q( ) over a finite field F, to receive a message with a digital signature X, for verification using the public key, to extract a first vector Y of verification values from the received message, to apply the multivariate polynomial mapping to the digital signature so as to find a second vector of output values Q(X), and to authenticate the message by finding a factor a∈F such that each output value is equal to the corresponding element of a vector sum Y+aY_SHIFT.
31. A cryptographic method, comprising:
providing a public key that defines a multivariate polynomial mapping Q( ) over a finite field F;
extracting a first vector Y of verification values from a message;
computing over the first vector, using a processor, a digital signature X comprising a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y+aY_SHIFT over F, wherein Y_SHIFT is a shifted version of Y, and a∈F;
applying an affine transform B^−1 to the first vector Y in order to compute an intermediate vector Z′;
applying a univariate polynomial function P^−1(Z′), corresponding to the multivariate polynomial mapping, over an extension field of F in order to find the digital signature in a polynomial representation X′; and
conveying the message with the digital signature to a recipient for authentication using the public key, wherein P^−1(Z′)=(U(T))^d·Z′^d, wherein U is a polynomial in the extension field over a variable T with at least one coefficient given by the factor a, and d is an exponent, and
wherein computing the digital signature comprises precomputing and storing respective power vectors V_a=(U(T))^d for multiple possible factors a∈F, and using the stored power values in order to compute and test multiple candidate digital signatures X′ for a given exponentiation of Z′→Z′^d.
32. Cryptographic apparatus, comprising:
a memory, which is configured to store a private key corresponding to a public key that defines a multivariate polynomial mapping Q( ) over a finite field F; and
a processor, which is configured to extract a first vector Y of verification values from a message, and to compute over the first vector, using the private key, a digital signature X comprising a second vector of signature values such that application of the mapping to the digital signature gives a third vector Q(X) of output values such that each output value is equal to a corresponding element of a vector sum Y+aY_SHIFT over F, wherein Y_SHIFT is a shifted version of Y, and a∈F, and to convey the message with the digital signature to a recipient for authentication using the public key,
wherein the processor is configured to compute the digital signature by applying an affine transform B^−1 to the first vector Y in order to compute an intermediate vector Z′, and applying a univariate polynomial function P^−1(Z′), corresponding to the multivariate polynomial mapping, over an extension field of F in order to find the digital signature in a polynomial representation X′,
wherein P^−1(Z′)=(U(T))^d·Z′^d, wherein U is a polynomial in the extension field over a variable T with at least one coefficient given by the factor a, and d is an exponent, and
wherein the processor is configured to precompute and store respective power vectors V_a=(U(T))^d for multiple possible factors a∈F, and to use the stored power values in order to compute and test multiple candidate digital signatures X′ for a given exponentiation of Z′→Z′^d.
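The verifier-side check that runs through claims 11-14, 16 and 25-28 (hash the message to Y, apply the public mapping Q( ) to the signature, then find a single non-zero factor a in F that makes every coordinate of Q(X) equal Y+aY_SHIFT, rejecting otherwise) is shown below in a toy model. This is an added example, not code from the patent or its assignee. Everything the claims leave open is an assumption here: the field is GF(7) with n=3, Y_SHIFT is taken to be a cyclic left shift, the public key Q( ) is a constructed quadratic map with made-up coefficients, and the signer is an exhaustive-search stand-in (possible only because the field is tiny) for the trapdoor inversion via B^−1 and P^−1 described in claims 19-24, which is not reproduced.

```python
"""Toy model of the Y + a*Y_SHIFT verification check from the claims above.

Added example, not the patent's own code. Assumptions (not fixed by the claims):
  * F = GF(7) and n = 3, small enough for the toy signer to search the whole space;
  * Y_SHIFT is a cyclic left shift, Y_SHIFT[i] = Y[(i+1) mod n];
  * the public key Q( ) is a constructed quadratic map with made-up coefficients;
  * toy_sign() is an exhaustive-search stand-in for the patent's trapdoor
    inversion (affine transform B^-1 followed by P^-1 over the extension field),
    which is not reproduced here.
"""
import hashlib
from itertools import product

P = 7  # size of the finite field F (constructed toy value)
N = 3  # vector length n (constructed toy value)

# Constructed public key. Output k of Q(x) is the sum of
#   coeff * x[i] * x[j] over the "quadratic" terms and coeff * x[i] over the "linear" terms,
# which here gives Q(x) = (x0*x1 + x2, x1*x2 + x0, x0*x2 + x1) over GF(7).
TOY_PUBLIC_KEY = {
    "quadratic": [[((0, 1), 1)], [((1, 2), 1)], [((0, 2), 1)]],
    "linear":    [[(2, 1)],      [(0, 1)],      [(1, 1)]],
}


def apply_mapping(pk, x):
    """Evaluate the multivariate quadratic mapping Q(x) coordinate by coordinate over GF(P)."""
    out = []
    for quad, lin in zip(pk["quadratic"], pk["linear"]):
        v = sum(c * x[i] * x[j] for (i, j), c in quad)
        v += sum(c * x[i] for i, c in lin)
        out.append(v % P)
    return out


def shift(y):
    """Assumed form of Y_SHIFT: cyclic left shift by one position."""
    return [y[(i + 1) % len(y)] for i in range(len(y))]


def extract_vector(message: bytes):
    """Derive the verification vector Y from the message with a hash (claims 12 and 26)."""
    digest = hashlib.sha256(message).digest()
    return [b % P for b in digest[:N]]


def find_factor(y, qx):
    """Return a in F, a != 0, with qx[i] == y[i] + a*Y_SHIFT[i] for every i, else None.

    a is solved from the first coordinate where Y_SHIFT is non-zero and then checked
    against every remaining coordinate; a match on only some coordinates is rejected.
    """
    ys = shift(y)
    a = None
    for i in range(N):
        if ys[i] != 0:
            a = ((qx[i] - y[i]) * pow(ys[i], -1, P)) % P
            break
    if a is None or a == 0:  # Y_SHIFT entirely zero, or a == 0: no valid factor
        return None
    for i in range(N):
        if (y[i] + a * ys[i]) % P != qx[i]:
            return None
    return a


def verify(pk, signature, y):
    """Verifier (claims 25-28): returns the factor a that authenticates, or None to reject."""
    return find_factor(y, apply_mapping(pk, signature))


def toy_sign(pk, y):
    """Exhaustive-search stand-in for the signer (NOT the patent's trapdoor method).

    Tries every candidate X for each non-zero factor a, keeping only the idea from
    claims 21 and 23 that several a values may be tested before one succeeds.
    """
    ys = shift(y)
    for a in range(1, P):
        target = [(y[i] + a * ys[i]) % P for i in range(N)]
        for x in product(range(P), repeat=N):
            if apply_mapping(pk, list(x)) == target:
                return list(x)
    return None


if __name__ == "__main__":
    # Hand-checked values: Q((1,2,3)) = (5,0,5) = Y + 2*Y_SHIFT for Y = (2,5,1).
    print(verify(TOY_PUBLIC_KEY, [1, 2, 3], [2, 5, 1]))  # 2
    print(verify(TOY_PUBLIC_KEY, [1, 2, 3], [2, 5, 2]))  # None (tampered Y)
    y = extract_vector(b"constructed sample message")
    sig = toy_sign(TOY_PUBLIC_KEY, y)
    print(sig, verify(TOY_PUBLIC_KEY, sig, y) if sig else "no signature found")
```

The point to take from find_factor is that a is determined by one coordinate and then must hold on all the others; a verifier that stopped after solving for a from a single coordinate would accept a forgery that matches only that coordinate. The all-zero Y case is rejected explicitly, since Y_SHIFT is then zero and no factor can be recovered from it.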

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
IL206139A IL206139A0 (en) 2010-06-02 2010-06-02 Efficient multivariate signature generation
IL206139 2010-06-02
PCT/IB2010/055810 WO2011151680A1 (en) 2010-06-02 2010-12-14 Efficient multivariate signature generation

Publications (3)

Publication Number Publication Date
US20130129090A1 US20130129090A1 (en) 2013-05-23
US20130294601A9 true US20130294601A9 (en) 2013-11-07
US8958560B2 US8958560B2 (en) 2015-02-17

Family

ID=43569881

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/699,912 Active 2031-06-17 US8958560B2 (en) 2010-06-02 2010-12-14 Efficient multivariate signature generation

Country Status (4)

Country Link
US (1) US8958560B2 (en)
EP (1) EP2564548A1 (en)
IL (2) IL206139A0 (en)
WO (1) WO2011151680A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5790286B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus, signature generation apparatus, information processing method, signature generation method, and program
JP5790291B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus, signature providing method, signature verification method, program, and recording medium
JP5790289B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus, information processing method, program, and recording medium
JP6069852B2 (en) * 2011-08-29 2017-02-01 ソニー株式会社 Information processing apparatus, information processing method, and program
US9722798B2 (en) * 2014-02-10 2017-08-01 Security Innovation Inc. Digital signature method
US9948460B2 (en) * 2015-08-28 2018-04-17 City University Of Hong Kong Multivariate cryptography based on clipped hopfield neural network
WO2017061017A1 (en) * 2015-10-08 2017-04-13 三菱電機株式会社 Encryption system, homomorphic signature method, and homomorphic signature program
US20200044832A1 (en) * 2018-07-31 2020-02-06 International Business Machines Corporation System and method for quantum resistant public key encryption
JP2022546156A (en) * 2019-06-07 2022-11-04 ファットゥーシュ,ミシェル New high-capacity communication system
KR102364047B1 (en) * 2019-11-19 2022-02-16 기초과학연구원 Method and apparatus for public-key cryptography based on structured matrices

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5263085A (en) * 1992-11-13 1993-11-16 Yeda Research & Development Co. Ltd. Fast signature scheme based on sequentially linearized equations
US20010012301A1 (en) * 2000-02-02 2001-08-09 Lg Electronics Inc. Method for allocating common packet channels
US20040151309A1 (en) * 2002-05-03 2004-08-05 Gentry Craig B Ring-based signature scheme
US20090187766A1 (en) * 2008-01-17 2009-07-23 Camille Vuillaume System and Method for Digital Signatures and Authentication
US8732457B2 (en) * 1995-10-02 2014-05-20 Assa Abloy Ab Scalable certificate validation and simplified PKI management

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69920875T2 (en) 1999-04-29 2005-10-27 Bull Cp8 Apparatus and method for calculating a digital signature
FR2815493B1 (en) 2000-09-29 2004-12-31 Bull Cp8 METHOD FOR IMPLEMENTING A TECHNIQUE FOR ENHANCING THE SECURITY OF PUBLIC KEY SIGNATURES BASED ON MULTIVARIABLE POLYNOMES
US7961876B2 (en) 2005-01-11 2011-06-14 Jintai Ding Method to produce new multivariate public key cryptosystems
US8019079B2 (en) 2007-07-08 2011-09-13 Georgia Tech Research Corporation Asymmetric cryptosystem employing paraunitary matrices
GB0805271D0 (en) 2008-03-20 2008-04-30 Ntnu Technology Transfer As Encryption method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9129122B2 (en) * 2011-08-29 2015-09-08 Koichi SAKUMOTO Signature verification apparatus, signature verification method, program, and recording medium
US20160234021A1 (en) * 2013-09-17 2016-08-11 South China University Of Technology Multivariate public key signature/ verification system and signature/verification method
US9948463B2 (en) * 2013-09-17 2018-04-17 South China University Of Technology Multivariate public key signature/verification system and signature/verification method

Also Published As

Publication number Publication date
EP2564548A1 (en) 2013-03-06
IL223315A0 (en) 2013-02-03
US8958560B2 (en) 2015-02-17
IL206139A0 (en) 2010-12-30
WO2011151680A1 (en) 2011-12-08
US20130129090A1 (en) 2013-05-23


Legal Events

Date Code Title Description
AS Assignment

Owner name: NDS LIMITED, UNITED KINGDOM

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KIPNIS, AVIAD;SELLA, YARON;BELENKY, YAACOV;REEL/FRAME:025799/0469

Effective date: 20110111

AS Assignment

Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NDS LIMITED;REEL/FRAME:030258/0465

Effective date: 20130314

STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8