An Improved Identity-Based Multivariate Signature Scheme Based on Rainbow

Multivariate Public Key Cryptography (MPKC) is one of the main candidates for post-quantum cryptography, especially in the area of signature schemes. In this paper, we instantiate a certificate Identity-Based Signature (IBS) scheme based on Rainbow, one of the most efficient and secure multivariate signature schemes. In addition, we revise the previous identity-based signature scheme IBUOV based on the Unbalanced Oil and Vinegar (UOV) scheme on the security and choice of parameters and obtain that our scheme is more efficient than IBUOV in terms of key sizes and signature sizes.


Introduction
Post-quantum cryptography has become a new direction over the last two decades, after the threat posed by Shor's polynomial-time quantum algorithms [1], which completely break the currently most widely-used public key cryptosystems such as RSA [2], DSA [3], and ECC [4]. It has received much more attention recently after the call of NIST [5] for proposals of post-quantum cryptosystems to be standardized in the near future. There have been a number of submissions for the first round [6], and the first NIST conference has recently been held for discussions [7].
Multivariate cryptography is one of the main candidates for this standardization [5,6]. These schemes are in general very fast and require only modest computational resources, so they can be used on low-cost devices like smart cards and RFID chips [8,9]. Multivariate schemes were first proposed by Matsumoto and Imai in the mid-1980s [10]. Since then, there has been a rich development of multivariate scheme designs in several directions, e.g., BigField or SingleField schemes. The first SingleField signature scheme was the Oil and Vinegar (OV) signature scheme, introduced by Patarin after he broke the Matsumoto-Imai scheme [11]. Soon after, Patarin broke the OV scheme and introduced a variant [12], which is called the Unbalanced Oil and Vinegar (UOV) scheme. After around two decades, UOV schemes are still secure for suitable choices of parameters. While the signature generation of UOV is very efficient, it has a very large public key. To deal with this, several improvements have been suggested. The first improvement was made by Ding and Schmidt [13], who proposed the Rainbow signature scheme, which can be seen as a multi-layer version of UOV with smaller keys and shorter signatures. The Rainbow signature scheme has remained secure for more than a decade and has been submitted as a candidate to the NIST standardization competition [6].
In practice, digital certificates linking public keys with the identities of users are needed, and this leads to some drawbacks in efficiency and simplicity. For this reason, the alternative framework of identity-based cryptography was introduced by Shamir [14]. The idea is that the public key of a user can be derived directly from his/her identity, so that digital certificates can be avoided. Shamir already proposed an Identity-Based Signature (IBS) scheme, but it took a while until the first identity-based encryption scheme arrived [15]. In the area of multivariate cryptography, there has been only one proposal for identity-based cryptography, namely the identity-based signature scheme IBUOV based on the UOV scheme [16]. However, the authors of IBUOV simply used the standard version of UOV, which is not Existential Unforgeability under Chosen-Message Attack (EU-CMA) secure. This implies that the constructed IBS scheme is also not EU-CMA secure. Moreover, they also proposed wrong parameters for the desired security level and computed the corresponding key sizes incorrectly.
In this paper, we adapt the method of Shamir to instantiate an identity-based signature scheme based on a provable version of Rainbow, which we call IBS-Rainbow. Since our Rainbow scheme is EU-CMA secure, the resulting IBS-Rainbow is also EU-CMA secure. In addition, we adapt the provable UOV scheme of [17] to IBUOV, revise the parameter choice for IBUOV, and compare it with our IBS-Rainbow scheme. As a result, our IBS-Rainbow scheme is more efficient than IBUOV in terms of both key sizes and signature sizes.
The paper is organized as follows. We recall some definitions of digital signatures and identity-based signatures in Section 2, where we also present the construction of an IBS scheme from a digital signature scheme. In Section 3, we present some basics of multivariate cryptography and recall the UOV and Rainbow schemes. Section 4 is devoted to the modified versions of UOV and Rainbow, which are proven to be EU-CMA secure. Attacks against Rainbow are also presented there. In Section 5, we present the construction of our IBS-Rainbow scheme and the parameter choices. Section 6 concludes the paper.

Preliminaries
In this section, we first recall some basic notions of digital signatures and identity-based signatures, and a transformation from a digital signature scheme into an identity-based signature scheme.
An Identity-Based Signature (IBS) scheme is a tuple of polynomial-time algorithms (Setup, KeyDer, Sign, Vf). The first three are randomized, but the last one is not. The trusted key distribution center runs the setup algorithm Setup on input 1^k to obtain a master public and secret key pair (mpk, msk). To generate the secret signing key usk for the user with identity id ∈ {0, 1}^*, it runs the key derivation algorithm KeyDer on inputs msk and id. On input usk and a message M, the signing algorithm Sign returns a signature σ on M. On inputs mpk, id, M, σ, the verification algorithm Vf returns one if σ is valid for id and M, and returns zero otherwise. Correctness requires that Vf(mpk, id, M, σ) = 1 with probability one for all k ∈ N and all id, M whenever the keys are generated as described above.
For security, we follow the notion of Existential Unforgeability under Chosen-Message and Chosen-Identity Attack (EU-CMA). It is defined through a game with a forger F and is parameterized by the security parameter k. The experiment begins with the generation of a fresh master public and secret key pair (mpk, msk). The forger F is run on input the master public key mpk and has access to the following oracles:
• KeyDer(·): on input an identity id, this oracle returns a secret signing key usk.
• Sign(·): on input an identity id and a message M, this oracle returns a signature σ ← Sign(usk, M), where usk ← KeyDer(msk, id).
At the end of its execution, the forger outputs an identity id*, a message M*, and a forged signature σ*. The forger is said to win the game if Vf(mpk, id*, M*, σ*) = 1 and F never queried KeyDer(id*) or Sign(id*, M*). The advantage Adv_{IBS,F}^{EU-CMA}(k) is defined as the probability that F wins the game, and IBS is said to be EU-CMA secure if Adv_{IBS,F}^{EU-CMA}(k) is negligible in k for all polynomial-time forgers F, i.e., for all c ∈ N, there exists
A Standard Signature (SS) scheme consists of three polynomial-time algorithms (KeyGen, Sign, Vf). The randomized key generation algorithm KeyGen, on input 1^k, generates a key pair (pk, sk). The signer creates a signature on a message M via σ ← Sign(sk, M), and the verifier can check the validity of a signature σ by testing whether Vf(pk, M, σ) = 1. It is required that for all messages M, Vf(pk, M, σ) = 1 with probability one.
The security notion for a signature scheme SS is defined through the notion of EU-CMA, described as the following game with a forger F. The forger is run with a fresh public key pk as input and is given access to a signing oracle for the corresponding secret key sk. It is said to win the game if it can output a pair (M*, σ*) such that Vf(pk, M*, σ*) = 1 and it never queried M* to the signing oracle. The advantage Adv_{SS,F}^{EU-CMA}(k) is defined as the probability that F wins this game. SS is said to be EU-CMA secure if Adv_{SS,F}^{EU-CMA}(k) is a negligible function of k for all polynomial-time forgers F.
Given a standard signature scheme SS = (KeyGen, Sign, Vf), one can build a certificate-based IBS scheme IBS = (Setup, KeyDer, Sign', Vf') as follows.
One can see that if SS is EU-CMA secure, then the IBS scheme constructed above is also EU-CMA secure; see [18] and the references therein for more details. In this paper, we present a multivariate signature scheme that is EU-CMA secure and apply the above transformation to construct an EU-CMA-secure IBS scheme.

Multivariate Public Key Cryptography
In this section, we recall some basic concepts of multivariate public key cryptography. The basic objects of multivariate cryptography are systems of multivariate quadratic polynomials over a finite field K. The security of multivariate schemes is based on the MQ-problem, which asks for a solution of a given system of multivariate quadratic polynomials over the field K. The MQ-problem has been proven to be NP-hard, even for quadratic polynomials over the field F_2 [19].
To build a multivariate public key cryptosystem, one starts with an easily-invertible quadratic map F : K^n → K^m (the central map). To hide the structure of F in the public key, one composes it with two invertible affine (or linear) maps T : K^m → K^m and S : K^n → K^n. The public key is therefore given by P = T ∘ F ∘ S : K^n → K^m. The private key consists of T, F and S.
In this paper, we consider multivariate signature schemes. For these schemes, we require n ≥ m, which ensures that every message has a signature. Signature generation and verification are as follows, as depicted in Figure 1.
Signature generation: To generate a signature for a message (or its hash value) d ∈ K^m, one computes successively w = T^{-1}(d) ∈ K^m, y = F^{-1}(w) ∈ K^n and z = S^{-1}(y). Then, z ∈ K^n is the signature of the message d. Here, F^{-1}(w) means finding one (of possibly many) pre-images of w under the central map F.
Signature verification: To check the authenticity of a signature z ∈ K^n, the verifier simply computes d' = P(z). If the result d' is equal to the message d, the signature is accepted; otherwise it is rejected.

Figure 1. Two processes of multivariate signature schemes (signature generation and verification).

Unbalanced Oil and Vinegar Signature Scheme
Let K = F_q be the finite field with q elements, and let n = v + o with v, o positive integers. An oil-vinegar quadratic polynomial over K is of the form: with coefficients a_ij, b_i, c ∈ K. The variables x_1, . . ., x_v are called vinegar variables and x_{v+1}, . . ., x_n the oil variables. Note that in an oil-vinegar polynomial, the oil and vinegar variables are not fully mixed, i.e., there are no quadratic terms x^2 for oil variables x. A UOV scheme is constructed as follows.
The central map F = (f^(1), . . ., f^(o)) consists of o oil-vinegar polynomials, with coefficients a in K. Choose randomly an invertible affine map S : K^n → K^n. The public key is given by P = F ∘ S : K^n → K^o, and the private key consists of F and S.
To sign a message m = (m_1, . . ., m_o) ∈ K^o, we do the following.

A signature s is accepted if P(s) = m; otherwise it is rejected.
The public key of the scheme consists of o quadratic equations in n variables; hence, the public key has size: and the size of the private key is:

Rainbow Signature Scheme
Rainbow signature schemes [13] are multi-layer versions of UOV schemes. For convenience, we introduce the two-layer Rainbow scheme (in the design, there is no advantage in using more than two layers). Let K = F_q be the finite field with q elements, n = where the coefficients a. The public key is given by P = T ∘ F ∘ S : K^n → K^{o_1 + o_2}, and the private key consists of T, F, and S.
(2) Solving the linear system f. A signature s is accepted if P(s) = m; otherwise it is rejected. The public key of the scheme consists of m quadratic equations in n variables; hence, the public key has size: and the size of the private key is:

Modified UOV Signature Scheme
The standard UOV scheme in Section 3.1 does not provide EU-CMA security. Sakumoto et al. [17] modified the UOV scheme into a scheme that is EU-CMA secure. The difference from the standard UOV is the use of a binary salt r in the signature generation. The procedure is as follows.
Key generation: With input UOV parameters (q, v, o) and a salt length l, generate the public key P and secret key (F, S) as in the standard UOV. Now, the public key and secret key of the modified UOV are (P, l) and (F, S, l), respectively.
Signature generation: To sign a message m, one does the following: (1) Choose a = (a_1, . . ., a_v) ∈ K^v.
Verification: Given a message m and a signature σ = (s, r), one first computes h = H(m ‖ r) and h' = P(s). If h = h', then accept; otherwise reject.
It was proven in [17] that the modified UOV is EU-CMA secure if the underlying UOV scheme is secure, and it was noted that the modified UOV does not degrade efficiency much compared to the standard UOV; see [17] for more details.
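As an added example (not code from the paper or its authors), here is a toy implementation of the scheme described in Sections 3.1 and 4.1: UOV key generation with public key P = F ∘ S, salted signing of H(m ‖ r), and verification of (s, r). It assumes a homogeneous central map, a linear S, SHA-256 for H, and deliberately tiny constructed parameters over F_31 (one of the paper's fields), so it shows the mechanics rather than a secure instance.

```python
import hashlib, os, random

q, v, o = 31, 6, 3   # toy parameters (constructed, far too small to be secure); F_31 is one of the paper's fields
n = v + o

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def solve(A, b):  # Gauss-Jordan over F_q: returns x with A x = b, or None if A is singular
    m = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(m):
        p = next((r for r in range(c, m) if M[r][c]), None)
        if p is None:
            return None
        M[c], M[p] = M[p], M[c]
        M[c] = [x * pow(M[c][c], q - 2, q) % q for x in M[c]]
        for r in range(m):
            if r != c and M[r][c]:
                M[r] = [(x - M[r][c] * y) % q for x, y in zip(M[r], M[c])]
    return [row[m] for row in M]
def quad(A, x):  # the quadratic form x^T A x over F_q
    return sum(x[i] * A[i][j] * x[j] for i in range(n) for j in range(n)) % q
def hash_to_field(msg, r):  # H(m || r) mapped to o field elements (digest bytes reduced mod q)
    d = hashlib.sha256(msg + r).digest()
    return [d[k] % q for k in range(o)]

def keygen():
    # Central map F: o quadratic forms whose oil x oil block is zero (the oil-vinegar structure)
    F = [[[0 if i >= v and j >= v else random.randrange(q) for j in range(n)] for i in range(n)]
         for _ in range(o)]
    S = [[random.randrange(q) for _ in range(n)] for _ in range(n)]
    while solve(S, [0] * n) is None:           # S must be an invertible linear map
        S = [[random.randrange(q) for _ in range(n)] for _ in range(n)]
    P = [matmul(matmul([list(c) for c in zip(*S)], A), S) for A in F]  # P = F o S, i.e. S^T A S
    return P, (F, S)

def sign(sk, msg):
    F, S = sk
    while True:
        r = os.urandom(16)                      # fresh binary salt r
        target = hash_to_field(msg, r)          # sign H(m || r) rather than H(m)
        a = [random.randrange(q) for _ in range(v)]   # fix the vinegar variables at random
        rows, rhs = [], []
        for A, t in zip(F, target):             # with vinegars fixed, each f_k is affine in the oils
            const = sum(a[i] * A[i][j] * a[j] for i in range(v) for j in range(v))
            rows.append([sum(a[i] * (A[i][j] + A[j][i]) for i in range(v)) % q for j in range(v, n)])
            rhs.append((t - const) % q)
        oil = solve(rows, rhs)
        if oil is not None:                     # singular oil system: retry with new salt and vinegars
            return solve(S, a + oil), r         # z = S^{-1}(y); the signature is (z, r)

def verify(P, msg, sig):
    z, r = sig
    return [quad(Pk, z) for Pk in P] == hash_to_field(msg, r)
```

Note that the verifier only ever sees the o public forms P and the salt; the zero oil-by-oil block exists only in the private central map F.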

Modified Rainbow Signature Scheme
The standard Rainbow scheme in Section 3.2 also does not provide EU-CMA security. Here, we present a modified version that achieves EU-CMA security, similar to [17] for UOV. The difference is the use of a random salt, which is a binary vector r. Instead of generating a signature for H(m), one generates a signature for H(m ‖ r). The procedure is as follows.
Key generation: With input Rainbow parameters (q, v_1, o_1, o_2) and a salt length l, generate the public key P and secret key (F, T, S) as in the standard Rainbow. Now, the public key and secret key of the modified Rainbow are (P, l) and (F, T, S, l), respectively.
Verification: Given a message m and a signature σ = (s, r), one first computes h = H(m ‖ r) and h' = P(s). If h = h', then accept; otherwise reject.
One easily proves the EU-CMA security of the modified Rainbow by following the same argument as for the modified UOV scheme in [17].

Attacks
In this section, we review all currently-known (classical) attacks against Rainbow.

Direct Attacks
It is well known that Rainbow schemes behave similarly to random systems, and therefore we can estimate the complexity of a direct attack against Rainbow as (cf. [20]): where 2 < ω ≤ 3 is the linear algebra constant for solving a linear system and d_reg is the degree of regularity of the system, which can be estimated as the smallest d for which the coefficient of x^d in the expression: is non-positive.
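An added worked example (not from the paper) of the degree-of-regularity estimate behind the direct-attack complexity: it assumes the standard semi-regular Hilbert series (1 − x²)^m / (1 − x)^n for m quadratic equations in n variables, which is the expression the text refers to, and an estimated cost of C(n + d_reg, d_reg)^ω; when n > m, n − m variables are fixed first (standard practice, assumed here). The parameter values used are constructed, not the paper's.

```python
from math import comb, log2

def hilbert_coeffs(n, m, dmax):
    """Coefficients c_0..c_dmax of the series (1 - x^2)^m / (1 - x)^n."""
    c = [0] * (dmax + 1)
    for k in range(min(m, dmax // 2) + 1):   # (1 - x^2)^m: coefficient of x^(2k) is (-1)^k C(m, k)
        c[2 * k] = (-1) ** k * comb(m, k)
    for _ in range(n):                       # dividing by (1 - x) once is a running (prefix) sum
        for d in range(1, dmax + 1):
            c[d] += c[d - 1]
    return c

def degree_of_regularity(n, m):
    """Smallest d whose coefficient of x^d in the series is non-positive (requires m >= n)."""
    if m < n:
        raise ValueError("underdetermined system: fix n - m variables first")
    # the series is a polynomial of degree 2m - n, so a zero coefficient is reached by 2m - n + 1
    c = hilbert_coeffs(n, m, 2 * m - n + 1)
    return next(d for d, cd in enumerate(c) if cd <= 0)

def direct_attack_log2(n, m, omega=2.0):
    """(d_reg, log2 of the estimated cost C(n + d_reg, d_reg)^omega) for m quadratics in n
    variables; for n > m the attacker first fixes n - m variables (assumed standard practice)."""
    n = min(n, m)
    d = degree_of_regularity(n, m)
    return d, omega * log2(comb(n + d, d))

if __name__ == "__main__":
    # constructed parameters, only to exercise the estimate (not the paper's Table 1 values)
    for n, m in [(3, 4), (12, 12), (40, 24)]:
        d, cost = direct_attack_log2(n, m, omega=2.0)
        print(f"n={n:3d} m={m:3d}: d_reg={d}, log2(cost) = {cost:.1f}")
```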

The Rank Attacks
There are Minrank [21] and Highrank [22] attacks. The Minrank [21] attack tries to find a linear combination of the public key polynomials of minimal rank. In the case of Rainbow, this minimal rank is v_2, which corresponds to a linear combination of polynomials in the first layer of the central map. The complexity is estimated as: The Highrank [22] attack tries to identify the variables that appear the fewest times in the polynomials of the central map. In the case of Rainbow, those are the oil variables of the last layer. The complexity of the Highrank attack is estimated as: (2)

UOV Attack
One can consider Rainbow as a UOV scheme with v = v_1 + o_1 and o = o_2, and hence it can be attacked by the UOV attack. Its goal is to find the pre-image of the oil subspace {x ∈ K^n : under the affine transformation S. The complexity of this attack is estimated as:

Rainbow-Band-Separation Attack
The Rainbow-Band-Separation (RBS) attack [23] tries to find linear transformations S and T that transform the public polynomials into ones of the form of the polynomials in the central map of Rainbow, and hence finds an equivalent key with which to forge a signature. To do this, one has to solve m + n − 1 equations in n variables. In this paper, we use the field K = F_{2^8}, and we follow [20] in choosing n ≥ (5/3)(m − 1), so that the complexity of the RBS attack against Rainbow is at least that of the direct attack.

Collision Attacks against the Hash Function
Note that the modified Rainbow scheme uses a hash function H : {0, 1}^* → K^m. Hence, in order to prevent a collision attack against the hash function, we need the number m of public equations to satisfy that m · log_2(q) is greater than the desired security level.
The details are given in Table 1. We write IBUOV(q, o, v), meaning that (q, o, v) is the parameter set of the UOV scheme used in IBUOV. Similarly, we write IBS-Rainbow(q, v_1, o_1, o_2), with (q, v_1, o_1, o_2) the parameter set of the Rainbow scheme used in IBS-Rainbow. As we see from Table 1, using Rainbow, we can reduce the key sizes and signature sizes. In particular, we reduce the signature sizes by up to 50%. For the user's secret key size, we can reduce by up to 55% and 65% for the fields F_{2^8} and F_31, respectively.

Conclusions
In this paper, we instantiated an identity-based signature scheme, IBS-Rainbow, based on a provably-secure Rainbow signature scheme. We also revisited the previous identity-based signature scheme IBUOV based on UOV [16] and noted that IBUOV is not EU-CMA secure, since the underlying UOV scheme is not EU-CMA secure, and that the proposed security parameters and key sizes of IBUOV are not correct. We revised them and compared the result with our IBS-Rainbow. As a result, IBS-Rainbow is much more efficient than IBUOV in terms of key sizes and signature sizes. There are possibilities to optimize the key sizes by applying the methods in [24-26]. We leave this as future work, for further optimization both in terms of key sizes and of security under the quantum random oracle model.

IBS-Rainbow Scheme
to find a signature (σ_cI, r_cI) for the message d_I as in Section 4.2. Note that P(σ_cI) = H(d_I ‖ r_cI). Let cert_I ← (σ_cI, r_cI). The algorithm then returns the secret key for the user I as usk_I ← (sk_I, pk_I, cert_I).
Given a message M, the algorithm uses the knowledge of usk_I to find a signature (σ_I, r_I) for M from the system P_I = F_I ∘ S_I as in Section 4.2. It outputs the signature σ ← (pk_I, cert_I, (σ_I, r_I)).
Given a signature σ on a message M from the user I, parse σ as (pk_I, cert_I, (σ_I, r_I)). Note that mpk ← P, pk_I ← P_I, and cert_I ← (σ_cI, r_cI). We then compute h = P(σ_cI) and h' = P_I(σ_I). If both h = H(H(P_I ‖ I) ‖ r_cI) and h' = H(M ‖ r_I), then it outputs one, which means the signature is accepted. Otherwise, it outputs zero and rejects the signature.

Funding:
The research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number C2017-18-03.

Table 1. Comparison of key sizes and signature lengths at the 128-bit security level.