An improved signature model of multivariate polynomial public key cryptosystem against key recovery attack

An improved signature model of multivariate polynomial public key cryptosystems that resists the key recovery attack is presented in this paper. Two pairs of public keys are added to design new authentication conditions for the public keys, so that verification checks not only the original external information but also the exact internal kernel information. Producing an accurate signature then requires both the corresponding private key and the exact internal node information, so that a signature forged by a key recovery attack cannot pass verification without the exact private key. To illustrate this, the classic HFE (Hidden Field Equations) scheme is taken as an example to describe the signing and verifying process in detail. This provides a useful supplement to the research and design of secure digital signature schemes in the quantum age.


Introduction
Post-quantum cryptography has been developing for about 30 years. Especially in the past 10 years, the field of post-quantum signatures has developed in leaps and bounds and much research has emerged. Hash-based signature schemes are still the most promising post-quantum candidates, such as the eXtended Merkle Signature Scheme (XMSS) [1] and G-Merkle [2], which rely only on the properties of cryptographic hash functions instead of the conjectured hardness of mathematical problems. XMSS provides strong security guarantees and remains secure even when the collision resistance of the underlying hash function is broken. Hash-based signatures can so far withstand the basic idea for the construction comes from the Zhuang-Zi algorithm [22]) using the MinRank approach shows that such linear combinations can be efficiently extracted from the public key. Although in some research [23] the authors claim that their scheme is secure against direct and Rank attacks of the Kipnis-Shamir/Bettale type, there are still some reservations. The situation is only temporary, because the existence of equivalent keys in multivariate public key cryptosystems induces a structural weakness [24]. This point of view is also reflected in [25]. So we have reason to think that this weakness is an inherent characteristic of the classic multivariate public key signature model.
The idea of a key recovery attack is to find another private key for the same public key without knowing the exact valid private key. This is possible because multivariate public key cryptosystems have a large number of equivalent, redundant keys [13,14]. Therefore the attacker can use an equivalent private key of the public key to forge a signature without knowing the real private key, and a signature produced with the equivalent private key is also verified by the public key; the forged signature is thus produced successfully. In this paper we propose an improved multivariate signature model that resists the key recovery attack by adding two pairs of public keys and a corresponding verification of the crucial internal node information. The aim is to resist the key recovery attack by adding auxiliary information to the verification at the time the signature is generated. To eliminate any possibility that a signature generated with an equivalent key also passes verification, the additional public key is used to verify the internal node information, so that a signature can only be generated by the user who holds the real legal key, and the threat of the key recovery attack is resisted. The model is a generic construction applicable to existing multivariate schemes. In this paper we take the classic HFE (Hidden Field Equations) scheme [26] as an example to illustrate that the improved model is more secure than the original model at the expense of a little more time. Moreover, the design of the improved signature model is universal and can be widely applied to existing multivariate schemes.
The security target and adversary model of the key recovery attack differ from the chosen-message attack (EUF-CMA) setting of a signature scheme. EUF-CMA proves that a concrete scheme is existentially unforgeable under chosen message attack. The key recovery attack here concerns only the universal model of multivariate polynomial public key systems, and it is a more fundamental issue than the EUF-CMA security of a concrete scheme. In the adversary model the attacker has only the ability to obtain an equivalent key from the public key, and the security aim is to build a universal construction of the multivariate signature model that resists the key recovery attack. Wolf [13,14] observed that multiple private keys corresponding to one public key is an essential characteristic of multivariate public key systems, and up to now most existing multivariate signature schemes generated by the universal model are vulnerable to the key recovery attack. So we propose an improved multivariate signature model that resists the key recovery attack by adding two pairs of public keys and a corresponding verification of the crucial internal node information. Thus this paper mainly analyzes the security and performance of the universal multivariate signature structure under the key recovery attack.
As for the public key certificate, we give a brief introduction. Recording valid certificates with a blockchain, as explored by Google, is a new study with good research prospects. Based on the published research, a Public Key Infrastructure (PKI) with certificates that authenticate the transmitted public key is used to counter the man-in-the-middle attack in multivariate polynomial public key cryptosystems in the same way as in classic public key cryptosystems. The certificate itself is a linked list of public keys and signatures, where each signature authenticates the next public key under the previous one. The first public key in this chain is the root public key of a Certificate Authority, which in the case of web traffic is built into the user's browser [27]. The transmission of the certificate constitutes a significant bandwidth cost in any key establishment protocol and should consequently be minimized. In [28], the author explains how to transform any MQ signature scheme into one with a much smaller public key at the cost of a larger signature.
The paper is organized as follows. The preliminaries are briefly described in Section 1. The original signature model of multivariate polynomial cryptosystems is shown in Section 2. Section 3 introduces the improved signature model of multivariate cryptosystems. The comparison of our proposed scheme with the original model is discussed in Section 4. Finally, we conclude this paper in Section 5.

The original signature model of multivariable public key cryptosystem
The structure is usually open or partially confidential. The original signing and verification model of multivariate public key cryptosystems [29,30] is given in Figure 1.

Verification
A signature u is verified using the public key P. As shown in Figure 1, the signature u is accepted if P(u) = v. We then say that the signature u has passed the public key verification and that u is a valid signature.

Key recovery attack
Definition 1 (Equivalent private keys [13,14]): For a cryptosystem, if two (or more) private keys correspond to the same public key, we call the two (or more) private keys "equivalent". A signature can then be produced by using the equivalent key (T_2, Q_2, S_2). That is to say, for the fake signature u_2 we have u_2 ≠ u, and u_2 can pass the verification.
Definition 2 (Key recovery attack): A public key P is known. This type of attack finds more intrinsic links between the variables of the public key, generates more multivariate public key equations that are independent of the original equations, and then solves for the equivalent keys from the public key.
In other words, the key recovery attack relies on linear algebra in various spaces of homogeneous polynomials [31]. When the attacker finds a decomposition of the public key P, that is, the equivalent key T_2, S_2 (and Q_2), it is very easy to forge a signature in the scheme. For example, the Unbalanced Oil and Vinegar scheme (UOV) has such an equivalent key with probability roughly [32]. Besides, in some sense the key recovery attack coincides with the EIP problem (Extended Isomorphism of Polynomials) [33]. The EIP problem of Matrix-based UOV can be solved in polynomial time [34], and then a Matrix-based UOV signature can be forged at appropriate parameters at the 80- or 100-bit security levels. Therefore, a key recovery attack helps to find an equivalent key and forge a signature by exploiting the algebraic structure of the scheme's concrete trapdoor.
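As an added worked example (not code from the paper), the following Python toy implements the original model's single check P(u) = v from the previous section together with Definitions 1 and 2 above: a bipolar construction P = T ∘ Q ∘ S over GF(7) with a constructed, easily invertible triangular central map in place of a real trapdoor such as HFE. The field, the dimension n = m = 3, the central-map family and the diagonal scaling used to build the second key are all assumptions of the example, not the paper's. It builds a private key, derives a second private key (T_2, Q_2, S_2) that expands to the identical public key, and shows that a signature made with the second key passes the original model's verification.

```python
# Toy bipolar multivariate signature P = T o Q o S over GF(7), constructed for
# illustration only; it is not the paper's scheme or code. Q is a small triangular
# quadratic map standing in for an HFE-style trapdoor; the point shown is structural.
import random
from functools import reduce
from math import prod

P_MOD = 7   # prime field GF(7), kept tiny so the example runs instantly (assumption)
N = 3       # n = m = 3 variables and equations (assumption)

# A polynomial is a dict {monomial: coeff}; a monomial is a sorted tuple of
# variable indices: () constant, (i,) linear, (i, j) quadratic.
def poly_add(a, b):
    out = dict(a)
    for m, c in b.items():
        out[m] = (out.get(m, 0) + c) % P_MOD
    return {m: c for m, c in out.items() if c}
def poly_mul(a, b):
    out = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(sorted(ma + mb))
            out[m] = (out.get(m, 0) + ca * cb) % P_MOD
    return {m: c for m, c in out.items() if c}
def poly_eval(a, x):
    return sum(c * prod(x[i] for i in m) for m, c in a.items()) % P_MOD
def substitute(a, subs):     # formal composition: variable i of a becomes subs[i]
    return reduce(poly_add, [reduce(poly_mul, [subs[i] for i in m], {(): c})
                             for m, c in a.items()], {})

def mat_inv(M):              # Gauss-Jordan inverse mod P_MOD; None if singular
    n = len(M)
    aug = [list(M[i]) + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, P_MOD)
        aug[col] = [v * inv % P_MOD for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(v - f * w) % P_MOD for v, w in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]
def affine_polys(M, b):      # the map x -> Mx + b written as N linear polynomials
    return [poly_add({(j,): M[i][j] for j in range(N)}, {(): b[i]}) for i in range(N)]
def affine_invert(M, b, z):  # x = M^{-1}(z - b)
    Mi, d = mat_inv(M), [(z[i] - b[i]) % P_MOD for i in range(N)]
    return [sum(Mi[i][j] * d[j] for j in range(N)) % P_MOD for i in range(N)]

# Toy trapdoor family Q(y) = (y0, y1 + c1*y0^2, y2 + c2*y0*y1): quadratic once
# expanded, yet trivially invertible row by row for whoever knows its shape.
def central_polys(c1, c2):
    return [{(0,): 1}, {(1,): 1, (0, 0): c1}, {(2,): 1, (0, 1): c2}]
def central_invert(c1, c2, z):
    y0, y1 = z[0], (z[1] - c1 * z[0] * z[0]) % P_MOD
    return [y0, y1, (z[2] - c2 * y0 * y1) % P_MOD]

def random_invertible(rng):
    while True:
        M = [[rng.randrange(P_MOD) for _ in range(N)] for _ in range(N)]
        if mat_inv(M) is not None:
            return M
def public_key(private):     # expand P = T o Q o S into N public quadratics
    T_M, T_b, (c1, c2), S_M, S_b = private
    qs = [substitute(q, affine_polys(S_M, S_b)) for q in central_polys(c1, c2)]
    return [reduce(poly_add, [poly_mul(qs[k], {(): T_M[i][k]}) for k in range(N)],
                   {(): T_b[i]}) for i in range(N)]
def keygen(rng):             # private key (T, Q, S) with Q = Q_{c1=1, c2=1}
    T_M, S_M = random_invertible(rng), random_invertible(rng)
    T_b, S_b = [[rng.randrange(P_MOD) for _ in range(N)] for _ in range(2)]
    private = (T_M, T_b, (1, 1), S_M, S_b)
    return private, public_key(private)
def sign(private, v):        # u = S^{-1}(Q^{-1}(T^{-1}(v))); v plays the hashed message
    T_M, T_b, (c1, c2), S_M, S_b = private
    return affine_invert(S_M, S_b, central_invert(c1, c2, affine_invert(T_M, T_b, v)))
def verify(pub, u, v):       # the original model's single condition: P(u) == v
    return [poly_eval(p, u) for p in pub] == list(v)

def equivalent_key(private, a):
    # With A = diag(a), B = diag(1/a): (T o B, B^-1 o Q o A^-1, A o S) expands to the
    # same P, and B^-1 o Q o A^-1 is again a member of the toy family (new c1, c2).
    T_M, T_b, (c1, c2), S_M, S_b = private
    inv = [pow(ai, -1, P_MOD) for ai in a]
    S2_M = [[a[i] * S_M[i][j] % P_MOD for j in range(N)] for i in range(N)]
    S2_b = [a[i] * S_b[i] % P_MOD for i in range(N)]
    T2_M = [[T_M[i][k] * inv[k] % P_MOD for k in range(N)] for i in range(N)]
    c1p, c2p = c1 * a[1] * inv[0] * inv[0] % P_MOD, c2 * a[2] * inv[0] * inv[1] % P_MOD
    return (T2_M, list(T_b), (c1p, c2p), S2_M, S2_b)

def demo(seed=1):
    rng = random.Random(seed)
    private, pub = keygen(rng)
    v = [rng.randrange(P_MOD) for _ in range(N)]       # constructed stand-in for H(M)
    equiv = equivalent_key(private, (2, 3, 5))          # any nonzero scalars mod 7
    u, u2 = sign(private, v), sign(equiv, v)
    return {"same_public_key": public_key(equiv) == pub,
            "keys_differ": equiv != private,
            "honest_verifies": verify(pub, u, v),
            "equivalent_verifies": verify(pub, u2, v),
            "tampered_rejected": not verify(pub, u, [(x + 1) % P_MOD for x in v])}
```

Calling demo() returns a dictionary of booleans: the two private keys differ, expand to the same public polynomials, and both produce signatures that the single check P(u) = v accepts, while a tampered target is rejected. In this toy every component is a bijection, so the second key's signature coincides with the honest one; in HFE or UOV the central map has several preimages and the forged u_2 generally differs from u, as Definition 1 states. What the one-condition verification cannot tell apart is which of the equivalent keys produced the signature, which is the gap the improved model's extra checks on internal node information are meant to close.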

Improved signature model of multivariable public key cryptosystem
The original signature model is described in Figure 1 in Section 1, and we also hash the message before making the signature. This is for compression only, as in traditional public key cryptosystems. We use a secret hash function to generate the public key in the improved model; we stress that this serves only to hide the private key, since a hash function is irreversible and collision-resistant, and we regard the hash as a random oracle. Moreover, as far as is known, the quantum factoring (decomposition) algorithm has no advantage against hash functions such as SHA-3.

Generating system parameters
Similarly, let F be a finite field and E an n-th degree extension field of F; the n-th and m-th extension fields of F are denoted F^n and F^m respectively. The isomorphic mapping φ: E → F^n . (2) The signer calculates it as v_g. v_g is the backward signature.
The concatenation v ∥ v_g is the final signature of the message M.

The signature verification
[Figure: signature verification in the improved model; panel labels "Verification" and "The backward signature"]

Security analysis
Suppose the signature v ∥ v_g is generated according to the above steps. Then the correctness of this algorithm is intuitively clear. Claim 1: In the improved multivariate signature model, the probability of finding equivalent keys for a given public key approaches 0 for some concrete trapdoor structures.
As analyzed previously, multivariate polynomial cryptosystems always have the characteristic of "equivalent keys": the same public key corresponds to multiple private keys. Therefore, with the help of a key recovery attack, the attacker succeeds in forging a signature without the correct private key. Moreover, if an attacker randomly guesses a forward signature v and a backward signature v_g, the probability of a correct guess is negligible. Therefore the improved model can effectively help multivariate schemes to resist the key recovery attack and signature forgery.

Comparative analysis of HFE in the original model and the improved model
HFE is a classical multivariate polynomial cryptosystem [26]. However, it was broken by recovering the secret key from the public key with the linearization technique, which belongs to the class of key recovery attacks [35].
In this section, by comparing the HFE scheme in the original model and in the improved model, we show that the improved model enhances the security of the HFE scheme and helps HFE resist the key recovery attack based on the linearization technique.

HFE scheme
Let F be a finite field of order q and E an n-th degree extension field of F. The isomorphic mapping φ: E → F^n is defined from the extension field to the vector space. The central map of HFE is a homogeneous polynomial (the lower-degree monomials can be ignored since they have no impact on security). The resulting composed map is the public key.
T and S are the private keys.
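As an added example (not the paper's code), the following Python snippet builds a toy HFE central map over E = GF(2^4) with q = 2, n = 4, d = 6 and constructed coefficients; all of these parameters are assumptions of the example. It checks, through the algebraic normal form of each coordinate of φ ∘ F, that the central map becomes quadratic over F once expressed on F^n (which is why the public key is a system of quadratic polynomials), and it inverts F by exhaustive root finding in E, the step the signer performs with the private key.

```python
# Toy HFE central map over E = GF(2^4), constructed for illustration; it is not the
# paper's code, and q = 2, n = 4, d = 6 and the coefficients are assumptions.
N = 4
MODULUS = 0b10011        # x^4 + x + 1, irreducible over GF(2); defines E = GF(2^4)

def gf_mul(a, b):        # multiply two elements of E held as 4-bit integers
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << N):
            a ^= MODULUS
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

# Central map F(X) = sum c_ij X^(2^i + 2^j) over pairs (i, j) with 2^i + 2^j <= d = 6.
# The coefficients below are constructed sample values (in HFE they are secret).
HFE_COEFFS = {(0, 0): 0b0011, (0, 1): 0b0101, (1, 1): 0b1001,
              (0, 2): 0b0110, (1, 2): 0b0001}

def central_map(x, coeffs=HFE_COEFFS):
    y = 0
    for (i, j), c in coeffs.items():
        y ^= gf_mul(c, gf_pow(x, (1 << i) + (1 << j)))
    return y

def phi(x):              # phi: E -> F^n, an element to its coordinate bits
    return tuple((x >> k) & 1 for k in range(N))

def anf(bit_func):       # algebraic normal form over GF(2) via the Moebius transform
    table = [bit_func(x) for x in range(1 << N)]  # truth table indexed by phi^-1(bits)
    for k in range(N):
        for x in range(1 << N):
            if x & (1 << k):
                table[x] ^= table[x ^ (1 << k)]
    return {m for m in range(1 << N) if table[m]}  # monomials as variable bitmasks

def degree_over_f(coeffs=HFE_COEFFS):
    """Highest degree among the n coordinate polynomials of phi o F o phi^-1 over F."""
    return max(bin(m).count("1") for k in range(N)
               for m in anf(lambda x, k=k: phi(central_map(x, coeffs))[k]))

def preimages(target, coeffs=HFE_COEFFS):
    """Invert F by exhaustive root finding in E (viable only because |E| = 16; real
    HFE uses polynomial root-finding). Signing picks one of the returned roots."""
    return [x for x in range(1 << N) if central_map(x, coeffs) == target]
```

degree_over_f() returns 2 for the sample coefficients, while for the single term X^2 it returns 1, because the Frobenius map X ↦ X^q is F-linear. preimages(t) lists every root of F(X) = t; for F(X) = X^3 the target 1 has three roots in GF(16)*, which illustrates why a central map need not be a bijection and why a forger's signature may differ from the legitimate one. Exhaustive search is only viable here because E has 16 elements; real HFE inverts the central map with polynomial root-finding algorithms such as Berlekamp's.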

Key recovery attack on HFE scheme under original model
Kipnis and Shamir broke the HFE scheme with the linearization technique by a key recovery attack; the idea is given as follows [35,36].
The relinearization process is summarized as follows. We take a set of parameters m and n for HFE from [35]; the probabilities of finding the equivalent keys in Section 2.4 are all close to 0.
Therefore, the improved model guarantees that each signature is generated by the correct private key of the legitimate user, which prevents an equivalent key from being recovered and a signature from being forged by the key recovery attack. Since larger input parameters exhaust our memory and system resources, we list the corresponding signing and verification times for roughly 2^2 ≤ q ≤ 2^8, 4 ≤ n ≤ 64 and 3 ≤ d ≤ 7 in Table 3. To achieve higher security requirements, larger parameters can be taken. Verification is faster than signing in both models, since signing needs to compute Q^{-1} while verification only computes ordinary modular additions and multiplications over the finite field. When the parameters q, n and d of HFE are large, the cost of signing or verification becomes very large. Both the signing time and the verification time in the improved model are increased compared with those in the original model. It is easy to understand that a small increase of the parameters raises the signing and verification times in a highly nonlinear fashion. This basically conforms to the nonlinear properties of the central map of multivariate polynomial cryptosystems.
To show the detailed differences at small values, we give two classifications by parameters according to Table 3 and plot the logarithm of these times in the following figures.

Mathematical Biosciences and Engineering, Volume 16, Issue 6, 7734-7750.
Figure 3 shows that the more equations or the higher the degree, the greater the consumption.
In particular, when n is doubled, the signing and verification times increase by several dozen times in both models. It is similar when the degree d is large.
The comparison results for different sizes q of the finite field are presented in Figure 4. We also conclude that the larger the finite field, the greater the consumption, and furthermore it grows nonlinearly, approaching exponential growth. The verification time in the improved model increases much more than in the original model, because there are three verification conditions in the improved model while there is only one in the original model. However, the signing times are not very different from each other, and no significant difference is shown.