## 1. Introduction

Post-quantum cryptography has emerged as a new direction over the last two decades, after the threat posed by Shor's polynomial-time quantum algorithms [1], which completely break the currently most widely-used public key cryptosystems such as RSA [2], DSA [3], and ECC [4]. It has received much more attention recently after the call of NIST [5] for proposals of post-quantum cryptosystems to be standardized in the near future. There have been a number of submissions for the first round [6], and the first NIST conference has recently been held for discussions [7].

Multivariate cryptography is one of the main candidates for this standardization [5,6]. These schemes are in general very fast and require only modest computational resources, so they can be used on low-cost devices like smart cards and RFID chips [8,9]. Multivariate schemes were first proposed by Matsumoto and Imai in the mid-1980s [10]. Since then, there has been a rich development of multivariate schemes in several directions, e.g., BigField or SingleField schemes. The first SingleField signature scheme was the Oil and Vinegar (OV) signature scheme, introduced by Patarin after he broke the Matsumoto–Imai scheme [11]. Soon after, Patarin broke the OV scheme and introduced a variant [12], called the Unbalanced Oil and Vinegar (UOV) scheme. After around two decades, UOV schemes remain secure for suitable choices of parameters. While the signature generation of UOV is very efficient, it has a very large public key. To deal with this, several improvements have been suggested. The first improvement was made by Ding and Schmidt [13], who proposed the Rainbow signature scheme, which can be seen as a multi-layer version of UOV with smaller keys and shorter signatures. The Rainbow signature scheme has remained secure for more than a decade and has been submitted as a candidate for the NIST standardization competition [6].

In practice, digital certificates linking public keys with the identities of users are needed, and this fact leads to some drawbacks in efficiency and simplicity. For this reason, the alternative framework of identity-based cryptography was introduced by Shamir [14]. The idea is that the public key of a user can be derived directly from his/her identity, and therefore digital certificates can be avoided. Shamir already proposed an Identity-Based Signature scheme (IBS), but it took a while until the first identity-based encryption scheme arrived [15]. In the area of multivariate cryptography, there has been only one proposal for identity-based cryptography, namely the identity-based signature scheme IBUOV based on the UOV scheme [16]. However, the authors of IBUOV simply used the standard version of UOV, which is not Existential Unforgeability under Chosen-Message Attack (EU-CMA) secure. This implies that the constructed IBS scheme is also not EU-CMA secure. Moreover, they also proposed the wrong parameters for the desired security level and computed the wrong corresponding key sizes.

In this paper, we adapt the method of Shamir to instantiate an identity-based signature scheme based on a provable version of Rainbow, which we call IBS-Rainbow. Since our Rainbow scheme is EU-CMA secure, the resulting IBS-Rainbow is also EU-CMA secure. In addition, we also adapt the provable UOV scheme in [17] to IBUOV, revise the parameter choice for IBUOV, and compare it with our IBS-Rainbow scheme. As a result, our IBS-Rainbow scheme is more efficient than IBUOV in terms of both key sizes and signature sizes.

The paper is organized as follows. We recall some definitions of digital signatures and identity-based signatures in Section 2. We also present the construction of an IBS scheme from a digital signature scheme. In Section 3, we present some basics of multivariate cryptography and recall the UOV and Rainbow schemes. Section 4 is devoted to the modified versions of UOV and Rainbow, which are proven to be EU-CMA secure. Attacks against Rainbow are also presented. In Section 5, we present the construction of our IBS-Rainbow scheme and the parameter choices. Section 6 concludes the paper.

## 2. Preliminaries

In this section, we first recall some basic notions on digital signatures and identity-based signatures and a transformation from a digital signature into an identity-based signature.

An Identity-Based Signature ($\mathcal{IBS}$) scheme is a tuple of polynomial-time algorithms $(\mathrm{Setup},\mathrm{KeyDer},\mathrm{Sign},\mathrm{Vf})$. The first three are randomized; the last one is deterministic. The trusted key distribution center runs the setup algorithm $\mathrm{Setup}$ on input ${1}^{k}$ to obtain a master public and secret key $(mpk,msk)$. To generate the secret signing key $usk$ for the user with identity $id\in {\{0,1\}}^{*}$, it runs the key derivation algorithm $\mathrm{KeyDer}$ on inputs $msk$ and $id$. On input $usk$ and a message M, the signing algorithm $\mathrm{Sign}$ returns a signature $\sigma $ of M. On inputs $mpk,id,M,\sigma $, the verification algorithm $\mathrm{Vf}$ returns one if $\sigma $ is valid for $id$ and M and returns zero otherwise. Correctness requires that $\mathrm{Vf}(mpk,id,M,\sigma )=1$ with probability one for all $k\in \mathbb{N}$ and all $id,M$ whenever the keys are generated as indicated above.

For security, we follow the notion of Existential Unforgeability under Chosen-Message and Chosen-Identity Attack (EU-CMA). It is defined through a game with a forger F and parameterized by the security parameter k. The experiment begins with the generation of a fresh master public and secret key pair $(mpk,msk)$. The forger F is run on input the master public key $mpk$ and has access to the following oracles:

$\mathrm{KeyDer}(\cdot)$: on input an identity $id$, this oracle returns a secret signing key $usk$.

$\mathrm{Sign}(\cdot,\cdot)$: on input an identity $id$ and a message M, this oracle returns a signature $\sigma \leftarrow \mathrm{Sign}(usk,M)$ where $usk\leftarrow \mathrm{KeyDer}(msk,id)$.

At the end of its execution, the forger outputs an identity $id^{*}$, a message ${M}^{*}$, and a forged signature ${\sigma}^{*}$. The forger is said to win the game if $\mathrm{Vf}(mpk,id^{*},{M}^{*},{\sigma}^{*})=1$ and F never queried $\mathrm{KeyDer}\left(id^{*}\right)$ or $\mathrm{Sign}(id^{*},{M}^{*})$. The advantage ${\mathbf{Adv}}_{\mathcal{IBS},F}^{\mathrm{EU}-\mathrm{CMA}}\left(k\right)$ is defined to be the probability that F wins the game, and $\mathcal{IBS}$ is said to be EU-CMA secure if ${\mathbf{Adv}}_{\mathcal{IBS},F}^{\mathrm{EU}-\mathrm{CMA}}\left(k\right)$ is negligible in k for all polynomial-time forgers F, i.e., for all $c\in \mathbb{N}$, there exists ${k}_{c}\in \mathbb{N}$ such that ${\mathbf{Adv}}_{\mathcal{IBS},F}^{\mathrm{EU}-\mathrm{CMA}}\left(k\right)<{k}^{-c}$ for all $k>{k}_{c}$.

A Standard Signature ($\mathcal{SS}$) scheme consists of three polynomial-time algorithms $(\mathrm{KeyGen},\mathrm{Sign},\mathrm{Vf})$. The randomized key generation algorithm KeyGen, on input ${1}^{k}$, generates a key pair $(pk,sk)$. The signer creates a signature on a message M via $\sigma \leftarrow \mathrm{Sign}(sk,M)$, and the verifier can check the validity of a signature $\sigma $ by testing whether $\mathrm{Vf}(pk,M,\sigma )=1$. It is required that for all messages M, $\mathrm{Vf}(pk,M,\sigma )=1$ with a probability of one.

The security notion for a signature scheme $\mathcal{SS}$ is defined through the notion of EU-CMA, described as the following game with a forger F. The forger is run with a fresh public key $pk$ as an input and is given access to a signing oracle for the corresponding secret key $sk$. It is said to win the game if it can output a pair $({M}^{*},{\sigma}^{*})$ such that $\mathrm{Vf}(pk,{M}^{*},{\sigma}^{*})=1$ and it never queried ${M}^{*}$ from the signing oracle. The advantage ${\mathbf{Adv}}_{\mathcal{SS},F}^{\mathrm{EU}-\mathrm{CMA}}\left(k\right)$ is defined as the probability that F wins this game. $\mathcal{SS}$ is said to be EU-CMA secure if ${\mathbf{Adv}}_{\mathcal{SS},F}^{\mathrm{EU}-\mathrm{CMA}}\left(k\right)$ is a negligible function in k for all polynomial-time forger F.

Given a standard signature scheme $\mathcal{SS}=(\mathrm{KeyGen},\mathrm{Sign},\mathrm{Vf})$, one can build a certificate-based IBS scheme $\mathcal{IBS}=(\mathrm{Setup},\mathrm{KeyDer},{\mathrm{Sign}}^{\prime},{\mathrm{Vf}}^{\prime})$ as follows.

$\mathrm{Setup}\left({1}^{k}\right)$: Run $\mathrm{KeyGen}\left({1}^{k}\right)$ to obtain $(mpk,msk)$.

$\mathrm{KeyDer}(msk,id)$: $(pk,sk)\leftarrow \mathrm{KeyGen}\left({1}^{k}\right)$, $cert\leftarrow \mathrm{Sign}(msk,pk\parallel id)$; and return $usk\leftarrow (sk,pk,cert)$.

${\mathrm{Sign}}^{\prime}(usk,M)$: Parse $usk$ as $(sk,pk,cert)$; compute $\sigma \leftarrow \mathrm{Sign}(sk,M)$; and return ${\sigma}^{\prime}=(\sigma ,pk,cert)$.

${\mathrm{Vf}}^{\prime}(mpk,id,M,{\sigma}^{\prime})$: Parse ${\sigma}^{\prime}$ as $(\sigma ,pk,cert)$, and check if both $\mathrm{Vf}(pk,M,\sigma )=1$ and $\mathrm{Vf}(mpk,pk\parallel id,cert)=1$ are satisfied, then return one, otherwise zero.

One can see that if $\mathcal{SS}$ is EU-CMA secure, then the constructed $\mathcal{IBS}$ above is also EU-CMA secure; see [18] and the references therein for more details. In this paper, we will present a multivariate signature scheme that is EU-CMA secure and apply the above transformation to construct an EU-CMA-secure IBS scheme.

## 3. Multivariate Public Key Cryptography

In this section, we recall some basic concepts of multivariate public key cryptography. The basic objects of multivariate cryptography are systems of multivariate quadratic polynomials over a finite field K. The security of multivariate schemes is based on the MQ-problem, which asks for a solution of a given system of multivariate quadratic polynomials over the field K. The MQ-problem has been proven to be NP-hard even for quadratic polynomials over the field ${\mathbb{F}}_{2}$ [19].

To build a multivariate public key cryptosystem, one starts with an easily-invertible quadratic map $\mathcal{F}:{K}^{n}\to {K}^{m}$ (central map). To hide the structure of $\mathcal{F}$ in the public key, one composes it with two invertible affine (or linear) maps $\mathcal{T}:{K}^{m}\to {K}^{m}$ and $\mathcal{S}:{K}^{n}\to {K}^{n}$. The public key is therefore given by $\mathcal{P}=\mathcal{T}\circ \mathcal{F}\circ \mathcal{S}:{K}^{n}\to {K}^{m}$. The private key consists of $\mathcal{T},\mathcal{F}$ and $\mathcal{S}$.

In this paper, we consider multivariate signature schemes. For these schemes, we require $n\ge m$, which ensures that every message has a signature. Signature generation and verification proceed as follows and are depicted in Figure 1.

Signature generation: To generate a signature for a message (or its hash value) $\mathbf{d}\in {K}^{m}$, one computes recursively $\mathbf{w}={\mathcal{T}}^{-1}\left(\mathbf{d}\right)\in {K}^{m},\phantom{\rule{3.33333pt}{0ex}}\mathbf{y}={\mathcal{F}}^{-1}\left(\mathbf{w}\right)\in {K}^{n}$ and $\mathbf{z}={\mathcal{S}}^{-1}\left(\mathbf{y}\right)$. Then, $\mathbf{z}\in {K}^{n}$ is the signature of the message $\mathbf{d}$. Here, ${\mathcal{F}}^{-1}\left(\mathbf{w}\right)$ means finding one (of possibly many) pre-image of $\mathbf{w}$ under the central map $\mathcal{F}$.

Signature verification: To check the authenticity of a signature $\mathbf{z}\in {K}^{n}$, the verifier simply computes ${\mathbf{d}}^{\prime}=\mathcal{P}\left(\mathbf{z}\right)$. If the result is equal to the message $\mathbf{d}$, the signature is accepted, otherwise rejected.

#### 3.1. Unbalanced Oil and Vinegar Signature Scheme

Let $K={\mathbb{F}}_{q}$ be the finite field with q elements, and let $n=v+o$ with $v,o$ positive integers. An oil-vinegar quadratic polynomial over K is of the form:

with coefficients ${a}_{ij},{b}_{i},c\in K$. The variables ${x}_{1},\dots ,{x}_{v}$ are called vinegar variables and ${x}_{v+1},\dots ,{x}_{n}$ the oil variables. Note that in an oil-vinegar polynomial, the oil and vinegar variables are not fully mixed, i.e., there are no quadratic terms ${x}^{2}$ for oil variables x. A UOV scheme is constructed as follows.

The central map $\mathcal{F}:{K}^{n}\to {K}^{o},({x}_{1},\dots ,{x}_{n})\mapsto ({f}^{\left(1\right)},\dots ,{f}^{\left(o\right)})$ consists of o oil-vinegar polynomials:

where the coefficients ${a}_{ij}^{\left(k\right)},{b}_{ij}^{\left(k\right)},{c}^{\left(k\right)}$ are in K. Choose randomly an invertible affine map $\mathcal{S}:{K}^{n}\to {K}^{n}$. The public key is given by $\mathcal{P}=\mathcal{F}\circ \mathcal{S}:{K}^{n}\to {K}^{o}$, and the private key consists of $\mathcal{F}$ and $\mathcal{S}$.

To sign a message $\mathbf{m}=({m}_{1},\dots ,{m}_{o})\in {K}^{o}$, we do the following.

- (1)
Randomly choose vinegar values $a=({a}_{1},\dots ,{a}_{v})\in {K}^{v}$, and plug them into the polynomials in the central map to obtain ${\overline{f}}^{\left(1\right)},\dots ,{\overline{f}}^{\left(o\right)}$.

- (2)
Solving the linear system ${\overline{f}}^{\left(i\right)}={m}_{i}$ with $i=1,\dots ,o$ yields solution $({b}_{1},\dots ,{b}_{o})$. If there is no solution, then go back to Step (1).

- (3)
Set $\mathbf{x}=({a}_{1},\dots ,{a}_{v},{b}_{1},\dots ,{b}_{o})$. A signature is computed by $\mathbf{s}:={\mathcal{S}}^{-1}\left(\mathbf{x}\right)$.

A signature $\mathbf{s}$ is accepted if $\mathcal{P}\left(\mathbf{s}\right)=\mathbf{m}$, otherwise it is rejected.

The public key of the scheme consists of o quadratic equations in n variables; hence, the public key has size:

and the size of the private key is:

#### 3.2. Rainbow Signature Scheme

Rainbow signature schemes [13] are multi-layer versions of UOV schemes. For convenience, we introduce the two-layered Rainbow scheme (in the design, there is no advantage in using more than two layers). Let $K={\mathbb{F}}_{q}$ be the finite field with q elements and $n={v}_{1}+{o}_{1}+{o}_{2}$ with ${v}_{1},{o}_{1},{o}_{2}$ positive integers. Set $m={o}_{1}+{o}_{2}$ and ${v}_{2}={o}_{1}+{v}_{1}$. The Rainbow central map $\mathcal{F}:{K}^{n}\to {K}^{{o}_{1}+{o}_{2}},({x}_{1},\dots ,{x}_{n})\mapsto ({f}_{1},\dots ,{f}_{{o}_{1}+{o}_{2}})$ consists of the following $m={o}_{1}+{o}_{2}$ polynomials:

where the coefficients ${a}_{ij}^{\left(k\right)},{b}_{ij}^{\left(k\right)},{c}^{\left(k\right)}$ are in K. Choose randomly two invertible affine maps $\mathcal{S}:{K}^{n}\to {K}^{n}$ and $\mathcal{T}:{K}^{{o}_{1}+{o}_{2}}\to {K}^{{o}_{1}+{o}_{2}}$. The public key is given by $\mathcal{P}=\mathcal{T}\circ \mathcal{F}\circ \mathcal{S}:{K}^{n}\to {K}^{{o}_{1}+{o}_{2}}$, and the private key consists of $\mathcal{T}$, $\mathcal{F}$, and $\mathcal{S}$.

To sign a message $\mathbf{m}=({m}_{1},\dots ,{m}_{{o}_{1}+{o}_{2}})\in {K}^{{o}_{1}+{o}_{2}}$, we first compute $\mathbf{y}={\mathcal{T}}^{-1}\left(\mathbf{m}\right)=({y}_{1},\dots ,{y}_{{o}_{1}+{o}_{2}})$ and do the following.

- (1)
Choose $a=({a}_{1},\dots ,{a}_{{v}_{1}})\in {K}^{{v}_{1}}$, and plug this into the polynomials in the central map to obtain ${\overline{f}}^{\left(1\right)},\dots ,{\overline{f}}^{({o}_{1}+{o}_{2})}$.

- (2)
Solving the linear system ${\overline{f}}^{\left(i\right)}={y}_{i}$ with $i=1,\dots ,{o}_{1}$ yields solution $({b}_{1},\dots ,{b}_{{o}_{1}})$. If there is no solution, then go back to Step (1).

- (3)
Plug $({b}_{1},\dots ,{b}_{{o}_{1}})$ into ${\overline{f}}^{({o}_{1}+1)},\dots ,{\overline{f}}^{({o}_{1}+{o}_{2})}$, and solve the linear system ${\overline{f}}^{\left(i\right)}={y}_{i}$ with $i={o}_{1}+1,\dots ,{o}_{1}+{o}_{2}$ to get a solution $({b}_{{o}_{1}+1},\dots ,{b}_{{o}_{1}+{o}_{2}})$. If there is no solution, then go back to Step (1).

- (4)
Set $\mathbf{x}=({a}_{1},\dots ,{a}_{{v}_{1}},{b}_{1},\dots ,{b}_{{o}_{1}+{o}_{2}})$. A signature is computed by $\mathbf{s}:={\mathcal{S}}^{-1}\left(\mathbf{x}\right)$.

A signature $\mathbf{s}$ is accepted if $\mathcal{P}\left(\mathbf{s}\right)=\mathbf{m}$, otherwise it is rejected.

The public key of the scheme consists of m quadratic equations in n variables; hence, the public key has size:

and the size of the private key is:

in which ${v}_{3}:={v}_{2}+{o}_{2}=n$.

## 4. Modified UOV and Rainbow

#### 4.1. Modified UOV Signature Scheme

The standard UOV scheme in Section 3.1 does not provide EU-CMA security. Sakumoto et al. [17] modified the UOV scheme into one that is EU-CMA secure. The difference from the standard UOV is the use of a binary salt r in the signature generation. The procedure is described as follows.

Key generation: With the input UOV parameters $(q,v,o)$ and a length l of salt, generate the public key $\mathcal{P}$ and secret key $(\mathcal{F},\mathcal{S})$ as in the standard UOV. Now, the public key and secret key of the modified UOV are $(\mathcal{P},l)$ and $(\mathcal{F},\mathcal{S},l)$, respectively.

Signature generation: To sign on a message $\mathbf{m}$, one does the following:

- (1)
Choose $a=({a}_{1},\dots ,{a}_{v})\in {K}^{v}$, and plug it into the polynomials of the central map to obtain ${\overline{f}}^{\left(1\right)},\dots ,{\overline{f}}^{\left(o\right)}$ as in Section 3.1.

- (2)
Choose a random salt $r\in {\{0,1\}}^{l}$.

- (3)
Let $\mathbf{h}=\mathcal{H}(\mathbf{m}\parallel r)$, where $\mathcal{H}:{\{0,1\}}^{*}\to {K}^{o}$ is a hash function.

- (4)
Solving the linear system ${\overline{f}}^{\left(i\right)}={h}_{i}$ with $i=1,\dots ,o$ yields solution $({b}_{1},\dots ,{b}_{o})$. If there is no solution, then go back to Step (2).

- (5)
Set $\mathbf{x}=({a}_{1},\dots ,{a}_{v},{b}_{1},\dots ,{b}_{o})$, and compute $\mathbf{s}:={\mathcal{S}}^{-1}\left(\mathbf{x}\right)$. A signature is of the form $\sigma =(\mathbf{s},r)$.

Verification: Given a message $\mathbf{m}$ and a signature $\sigma =(\mathbf{s},r)$, one first computes $\mathbf{h}=\mathcal{H}(\mathbf{m}\parallel r)$ and ${\mathbf{h}}^{\prime}=\mathcal{P}\left(\mathbf{s}\right)$. If $\mathbf{h}={\mathbf{h}}^{\prime}$, then accept, otherwise reject.

It was proven in [17] that the modified UOV is EU-CMA secure if the underlying UOV scheme is secure, and it was noted that the modified UOV does not degrade the efficiency much compared to the standard UOV; see [17] for more details.

#### 4.2. Modified Rainbow Signature Scheme

The standard Rainbow scheme in Section 3.2 also does not provide EU-CMA security. Here, we present a modified version that achieves EU-CMA security, similar to [17] for UOV. The difference is the use of a random salt, which is a binary vector r. Instead of generating a signature for $\mathcal{H}\left(\mathbf{m}\right)$, one generates a signature for $\mathcal{H}(\mathbf{m}\parallel r)$. The procedure is as follows.

Key generation: With input Rainbow parameters $(q,{v}_{1},{o}_{1},{o}_{2})$ and a length l of salt, generate the public key $\mathcal{P}$ and secret key $(\mathcal{F},\mathcal{T},\mathcal{S})$ as in the standard Rainbow. Now, the public key and secret key of the modified Rainbow are $(\mathcal{P},l)$ and $(\mathcal{F},\mathcal{T},\mathcal{S},l)$, respectively.

Signature generation: To sign on a message $\mathbf{m}$, one does the following:

- (1)
Choose $a=({a}_{1},\dots ,{a}_{{v}_{1}})\in {K}^{{v}_{1}}$, and plug this into the polynomials in the central map to obtain ${\overline{f}}^{\left(1\right)},\dots ,{\overline{f}}^{({o}_{1}+{o}_{2})}$; repeat until the first ${o}_{1}$ linear polynomials ${\overline{f}}^{\left(1\right)},\dots ,{\overline{f}}^{\left({o}_{1}\right)}$ are non-degenerate, i.e., the corresponding coefficient matrix is invertible.

- (2)
Choose a random salt $r\in {\{0,1\}}^{l}$.

- (3)
Let $\mathbf{h}=\mathcal{H}(\mathbf{m}\parallel r)$.

- (4)
Compute $\mathbf{y}={\mathcal{T}}^{-1}\left(\mathbf{h}\right)=({y}_{1},\dots ,{y}_{{o}_{1}+{o}_{2}})$.

- (5)
Solving the linear system ${\overline{f}}^{\left(i\right)}={y}_{i}$ with $i=1,\dots ,{o}_{1}$ yields a solution $({b}_{1},\dots ,{b}_{{o}_{1}})$. This system always has a solution by the choice made in Step (1).

- (6)
Plug $({b}_{1},\dots ,{b}_{{o}_{1}})$ into ${\overline{f}}^{({o}_{1}+1)},\dots ,{\overline{f}}^{({o}_{1}+{o}_{2})}$, and solve the linear system ${\overline{f}}^{\left(i\right)}={y}_{i}$ with $i={o}_{1}+1,\dots ,{o}_{1}+{o}_{2}$ to get a solution $({b}_{{o}_{1}+1},\dots ,{b}_{{o}_{1}+{o}_{2}})$. If there is no solution, then go back to Step (2).

- (7)
Set $\mathbf{x}=({a}_{1},\dots ,{a}_{{v}_{1}},{b}_{1},\dots ,{b}_{{o}_{1}+{o}_{2}})$, and compute $\mathbf{s}:={\mathcal{S}}^{-1}\left(\mathbf{x}\right)$. A signature is of the form $\sigma =(\mathbf{s},r)$.

Verification: Given a message $\mathbf{m}$ and a signature $\sigma =(\mathbf{s},r)$, one first computes $\mathbf{h}=\mathcal{H}(\mathbf{m}\parallel r)$ and ${\mathbf{h}}^{\prime}=\mathcal{P}\left(\mathbf{s}\right)$. If $\mathbf{h}={\mathbf{h}}^{\prime}$ then accept, otherwise reject.

One easily proves the EU-CMA security of the modified Rainbow by following the same procedure as for the modified UOV scheme in [17].

#### 4.3. Attacks

In this section, we review all currently-known (classical) attacks against Rainbow.

#### 4.3.1. Direct Attacks

It is well known that Rainbow schemes behave similarly to random systems, and therefore, we can estimate the complexity of a direct attack against Rainbow as (cf. [20]):

where $2<\omega \le 3$ is the linear algebra constant of solving a linear system and ${d}_{\mathrm{reg}}$ is the degree of regularity of the system, which can be estimated as the smallest d for which the coefficient of ${x}^{d}$ in the expression:

is non-positive.

#### 4.3.2. The Rank Attacks

There are Minrank [21] and Highrank [22] attacks. The Minrank [21] attack tries to find a linear combination of the public key polynomials of minimal rank. In the case of Rainbow, such a minimal rank is ${v}_{2}$, which corresponds to a linear combination of polynomials in the first layer of the central map. The complexity is estimated as:

The Highrank [22] attack tries to identify variables that appear the lowest number of times in the polynomials of the central map. In the case of Rainbow, those are the oil variables of the last layer. The complexity of the Highrank attack is estimated as:

#### 4.3.3. UOV Attack

One can consider Rainbow as a UOV scheme with $v={v}_{1}+{o}_{1}$ and $o={o}_{2}$, and hence it can be attacked by the UOV attack. Its goal is to find the pre-image of the oil subspace $\{x\in {K}^{n}:{x}_{1}=\cdots ={x}_{v}=0\}$ under the affine transformation $\mathcal{S}$. The complexity of this attack is estimated as:

#### 4.3.4. Rainbow-Band-Separation Attack

The Rainbow-Band-Separation (RBS) attack [23] tries to find linear transformations $\mathcal{S}$ and $\mathcal{T}$ that transform the public polynomials into ones of the form of the polynomials in the central map of Rainbow, and hence find an equivalent key to forge a signature. To do this, one has to solve $m+n-1$ equations in n variables. In our paper, we used the field $K={\mathbb{F}}_{{2}^{8}}$, and we followed [20] to choose $n\ge \frac{5}{3}(m-1)$ so that the complexity of the RBS attack against Rainbow is at least the complexity of the direct attack.

#### 4.3.5. Collision Attacks against the Hash Function

Note that the modified Rainbow scheme uses a hash function $\mathcal{H}:{\{0,1\}}^{*}\to {K}^{m}$. Hence, in order to prevent a collision attack against the hash function, we need the number m of public equations to satisfy that $m\cdot {\log}_{2}\left(q\right)$ is greater than the desired security level.

## 5. Identity-Based Signature Schemes Based on Rainbow

In this section, we follow the construction in Section 2 to instantiate an identity-based signature scheme based on the modified Rainbow scheme from Section 4.2. We call the scheme IBS-Rainbow.

#### 5.1. Construction

Let $q,{v}_{1},{o}_{1},{o}_{2}$ be parameters as in Section 3.2. Let $K={\mathbb{F}}_{q}$, $n={v}_{1}+{o}_{1}+{o}_{2}$, $m={o}_{1}+{o}_{2}$, and ${v}_{2}={o}_{1}+{v}_{1}$. Let $\mathcal{H}:{\{0,1\}}^{*}\to {K}^{m}$ be a hash function and l be the length of salts. The scheme IBS-Rainbow consists of four algorithms $(\mathrm{Setup},\mathrm{KeyDer},\mathrm{Sign},\mathrm{Vf})$ defined as follows.

**Master-key generation:** $(mpk,msk)\leftarrow \mathrm{Setup}\left({1}^{k}\right)$.

The algorithm $\mathrm{Setup}$ selects a central map $\mathcal{F}:{K}^{n}\to {K}^{m}$ for a Rainbow scheme with parameters as above, two invertible affine maps $\mathcal{S}:{K}^{n}\to {K}^{n}$, $\mathcal{T}:{K}^{m}\to {K}^{m}$, and computes $\mathcal{P}=\mathcal{T}\circ \mathcal{F}\circ \mathcal{S}:{K}^{n}\to {K}^{m}$. It outputs the master secret key $msk\leftarrow (\mathcal{F},\mathcal{S},\mathcal{T})$ and the master public key $mpk\leftarrow \mathcal{P}$.

**User-key extraction:** $usk_{I}\leftarrow \mathrm{KeyDer}(msk,I)$.

For a user I, the algorithm $\mathrm{KeyDer}$ generates a new Rainbow scheme with secret key $sk_{I}\leftarrow ({\mathcal{F}}_{I},{\mathcal{S}}_{I},{\mathcal{T}}_{I})$ and public key $pk_{I}\leftarrow {\mathcal{P}}_{I}={\mathcal{T}}_{I}\circ {\mathcal{F}}_{I}\circ {\mathcal{S}}_{I}$ such that $({\mathcal{F}}_{I},{\mathcal{S}}_{I},{\mathcal{T}}_{I})$ is different from the master secret key $(\mathcal{F},\mathcal{S},\mathcal{T})$. Then, it computes ${d}_{I}\leftarrow \mathcal{H}({\mathcal{P}}_{I}\parallel I)$. Next, it uses the master secret key $msk\leftarrow (\mathcal{F},\mathcal{S},\mathcal{T})$ to find a signature $({\sigma}_{cI},{r}_{cI})$ for the message ${d}_{I}$ as in Section 4.2. Note that $\mathcal{P}\left({\sigma}_{cI}\right)=\mathcal{H}({d}_{I}\parallel {r}_{cI})$. Let $cert_{I}\leftarrow ({\sigma}_{cI},{r}_{cI})$. The algorithm then returns the secret key for the user I as $usk_{I}\leftarrow (sk_{I},pk_{I},cert_{I})$.

**Signature generation:** $\sigma \leftarrow \mathrm{Sign}(usk_{I},M)$.

Given a message M, the algorithm uses the knowledge of $usk_{I}$ to find a signature $({\sigma}_{I},{r}_{I})$ for M from the system ${\mathcal{P}}_{I}={\mathcal{T}}_{I}\circ {\mathcal{F}}_{I}\circ {\mathcal{S}}_{I}$ as in Section 4.2. It outputs the signature $\sigma \leftarrow (pk_{I},cert_{I},({\sigma}_{I},{r}_{I}))$.

**Verification:** $\{0,1\}\leftarrow \mathrm{Vf}(mpk,I,M,\sigma )$.

Given a signature $\sigma $ on a message M from the user I, parse $\sigma $ as $(pk_{I},cert_{I},({\sigma}_{I},{r}_{I}))$. Recall that $mpk\leftarrow \mathcal{P}$, $pk_{I}\leftarrow {\mathcal{P}}_{I}$ and $cert_{I}\leftarrow ({\sigma}_{cI},{r}_{cI})$. We then compute $\mathbf{h}=\mathcal{P}\left({\sigma}_{cI}\right)$ and ${\mathbf{h}}^{\prime}={\mathcal{P}}_{I}\left({\sigma}_{I}\right)$. If both $\mathbf{h}=\mathcal{H}(\mathcal{H}({\mathcal{P}}_{I}\parallel I)\parallel {r}_{cI})$ and ${\mathbf{h}}^{\prime}=\mathcal{H}(M\parallel {r}_{I})$ hold, then the algorithm outputs one, which means the signature is accepted. Otherwise, it outputs zero and rejects the signature.

The correctness is easy to check. Since we are using the modified Rainbow scheme in Section 4.2, which is EU-CMA secure, the resulting IBS-Rainbow scheme is also EU-CMA secure.
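The following is an added example, not the paper's code: a toy Python instantiation over ${\mathbb{F}}_{31}$ of the modified (salted) UOV scheme of Section 4.1, with constructed and insecure parameters $v=6$, $o=3$, a 128-bit salt and a SHA-256-based hash, plugged as the core scheme into the certificate-based IBS transformation of Section 2 and Section 5.1 in place of Rainbow. It represents every oil-vinegar polynomial as a quadratic form on a homogenised vector (constant coordinate first), so that the public key $\mathcal{P}=\mathcal{F}\circ \mathcal{S}$ is the plain matrix product ${S}^{T}QS$, and `uov_keygen` plays the role of $\mathrm{Setup}$; the function names and the `cert_msg` encoding of ${\mathcal{P}}_{I}\parallel I$ are this example's own choices.

```python
import hashlib, random

# Added toy instantiation (not the paper's code): the modified UOV of Section 4.1 over F_31 with
# constructed, insecure parameters v=6, o=3, as the core scheme of the Section 5.1 IBS construction.
p, V, O = 31, 6, 3
N = V + O   # variables x_1..x_N; index 0 of every vector below is the constant coordinate 1

def solve(A, b):
    """Gaussian elimination mod p: a solution of A x = b, or None if the system is inconsistent."""
    n, m = len(A), len(A[0])
    M = [[x % p for x in row] + [bi % p] for row, bi in zip(A, b)]
    piv = []
    for c in range(m):
        r = len(piv)
        pr = next((i for i in range(r, n) if M[i][c]), None)
        if pr is None:
            continue
        M[r], M[pr] = M[pr], M[r]
        iv = pow(M[r][c], p - 2, p)
        M[r] = [x * iv % p for x in M[r]]
        for i in range(n):
            if i != r and M[i][c]:
                M[i] = [(x - M[i][c] * y) % p for x, y in zip(M[i], M[r])]
        piv.append(c)
    if any(M[i][m] for i in range(len(piv), n)):
        return None
    return [M[piv.index(c)][m] if c in piv else 0 for c in range(m)]

def matmul(A, B):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*B)] for row in A]

def matinv(A):
    cols = [solve(A, [int(i == j) for i in range(len(A))]) for j in range(len(A))]
    return None if None in cols else [list(r) for r in zip(*cols)]

def uov_keygen(rng):
    """Central map F (O oil-vinegar forms, no oil*oil terms) and a random invertible affine map S."""
    F = [[[0 if i > V and j > V else rng.randrange(p) for j in range(N + 1)]
          for i in range(N + 1)] for _ in range(O)]
    while True:   # row 0 keeps the constant coordinate; column 0 is the affine translation
        S = [[1] + [0] * N] + [[rng.randrange(p) for _ in range(N + 1)] for _ in range(N)]
        Sinv = matinv(S)
        if Sinv is not None:
            break
    pk = [matmul(matmul([list(r) for r in zip(*S)], Q), S) for Q in F]   # P = F o S: S^T Q S
    return (F, Sinv), pk

def H(data):
    """Hash into K^O: O bytes of SHA-256 reduced mod p (biased, acceptable for a toy)."""
    return [b % p for b in hashlib.sha256(data).digest()[:O]]

def uov_sign(sk, msg, rng):
    """Sign H(msg || r) for a fresh 128-bit salt r; a failed linear solve restarts at the salt."""
    F, Sinv = sk
    a = [1] + [rng.randrange(p) for _ in range(V)]                # Step (1): vinegar values
    while True:
        r = bytes(rng.randrange(256) for _ in range(16))           # Step (2): salt
        h = H(msg + r)                                             # Step (3)
        rows, rhs = [], []
        for Q, hk in zip(F, h):   # Step (4): with vinegar fixed, f^(k) is affine in the oil variables
            rows.append([sum(a[i] * (Q[i][j] + Q[j][i]) for i in range(V + 1)) % p
                         for j in range(V + 1, N + 1)])
            rhs.append(hk - sum(a[i] * Q[i][j] * a[j] for i in range(V + 1) for j in range(V + 1)))
        b = solve(rows, rhs)
        if b is not None:                                          # Step (5): s = S^{-1}(x)
            return [sum(u * v for u, v in zip(row, a + b)) % p for row in Sinv][1:], r

def uov_verify(pk, msg, sig):
    x = [1] + sig[0]
    return H(msg + sig[1]) == [sum(x[i] * Q[i][j] * x[j] for i in range(N + 1) for j in range(N + 1)) % p for Q in pk]

def cert_msg(pk_I, ident):
    """d_I = H(P_I || I): the message the master key certifies (here a SHA-256 digest)."""
    return hashlib.sha256(bytes(c for Q in pk_I for row in Q for c in row) + ident).digest()

def ibs_keyder(msk, ident, rng):
    """KeyDer: fresh user key pair plus a certificate = master-key signature on d_I."""
    sk_I, pk_I = uov_keygen(rng)
    return sk_I, pk_I, uov_sign(msk, cert_msg(pk_I, ident), rng)

def ibs_sign(usk, msg, rng):
    sk_I, pk_I, cert = usk
    return pk_I, cert, uov_sign(sk_I, msg, rng)

def ibs_verify(mpk, ident, msg, sig):
    """Accept only if the certificate binds pk_I to ident under mpk and the inner signature verifies."""
    pk_I, cert, inner = sig
    return uov_verify(mpk, cert_msg(pk_I, ident), cert) and uov_verify(pk_I, msg, inner)
```

Both checks of $\mathrm{Vf}^{\prime}$ are needed: a valid inner signature under an uncertified user key, or a certificate issued for a different identity, is rejected.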

#### 5.2. Parameters

We next give a choice of parameters and compute the key sizes of IBS-Rainbow. We also revised the IBUOV scheme in [16] and compared it with IBS-Rainbow. Note that the construction of the IBUOV scheme follows the same route as in Section 5.1, with the core modified Rainbow scheme (Section 4.2) replaced by the plain UOV scheme, i.e., the scheme in Section 4.1 without the salt and the hash function of Steps (2) and (3) of the signature generation process; see Appendix A for more details.

First, for the EU-CMA security of the system, we needed to ensure that no salt was used for more than one signature. Under the assumption of up to ${2}^{64}$ signatures being generated with the system, we chose the length l of the salt to be $l=128$ bit, independent of the security level.

Second, we chose two popular base fields for K, namely ${\mathbb{F}}_{{2}^{8}}$ and ${\mathbb{F}}_{31}$. We aimed for the standard 128-bit security level. The choice of parameters had to ensure that the corresponding Rainbow scheme was secure against all attacks mentioned in Section 4.3, i.e., for a choice of parameters, the complexities of all attacks in Section 4.3 had to be at least ${2}^{k}$ for the corresponding security level k ($k=128$).

The details are illustrated in Table 1. We write $\mathrm{IBUOV}(q,o,v)$, meaning that $(q,o,v)$ is the parameter set of the UOV scheme used in IBUOV. Similarly, we write $\mathrm{IBS}-\mathrm{Rainbow}(q,{v}_{1},{o}_{1},{o}_{2})$ with $(q,{v}_{1},{o}_{1},{o}_{2})$ the parameter set of the Rainbow scheme used in IBS-Rainbow.

As we see from Table 1, using Rainbow, we can reduce the key sizes and signature sizes. In particular, we reduced the signature sizes by up to $50\%$. For the user's secret key size, we can reduce by up to $55\%$ and $65\%$ for the fields ${\mathbb{F}}_{{2}^{8}}$ and ${\mathbb{F}}_{31}$, respectively.