Skip to main content

Advertisement

EURASIP Journal on Wireless Communications and Networking
EURASIP Journal on Wireless Communications and Networking Cover Image

High-speed hardware architecture for implementations of multivariate signature generations on FPGAs

EURASIP Journal on Wireless Communications and Networking volume 2018, Article number: 93 (2018) | Download Citation

Article metrics

  • 988 Accesses

  • 1 Citations

Abstract

Multivariate signature belongs to Multivariate-Quadratic-Equations Public Key Cryptography (MPKC), which is secure to quantum computer attacks. Compared with RSA and ECC, it is required to speed up multivariate signature implementations. A high-speed hardware architecture for signature generations of a multivariate scheme is proposed in this paper. The main computations of signature generations of multivariate schemes are additions, multiplications, inversions, and solving systems of linear equations (LSEs) in a finite field. Thus, we improve the finite field multiplications via using composite field expression and design a finite field inversion via using binary trees. Besides, we improve solving LSEs in a finite field based on a variant algorithm of Gauss-Jordan elimination and use the XOR gates to compute additions. We implement the high-speed hardware architecture based on the above improvements on an Altera Stratix Field-Programmable Gate Array (FPGA), which shows that it takes only 90 clock cycles and 0.9 μs to generate a multivariate signature. The comparison shows that the hardware architecture is much faster than other implementations.

Introduction

Quantum technology has developed rapidly in recent years. Quantum computer is in a position to attack RSA [1], ECC [2], and other signature algorithms adopted by many chips due to the algorithm by Peter Shor [3]. Therefore, chip security is facing severe threats.

Fortunately, there are a few post-quantum candidates for signature chips, in which multivariate signature is included [4]. Multivariate signature belongs to Multivariate Quadratic Equations Public Key Cryptography (MPKC), which is secure to quantum computer attacks and general computer attacks [5, 6]. MPKC is first proposed by Matsumoto and Imai in the 1980s. During the past 30 years, various schemes of MPKC have been proposed [7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32], which includes Rainbow [28], Unbalanced Oil-Vinegar (UOV) [29], and Tame Transformation Signature (TTS) [30, 31]. Software and hardware implementations of multivariate signature schemes have been one of the topics of many researchers [33,34,35,36,37,38,39,40]. enTTS belongs to the triangular family, which can be viewed as extensions of Tame Transformation Method (TTM) Among the existing enTTS schemes, enTTS(20,28) is believed to be one of the fastest signature schemes, which works with 20 B hashes and 28 B signatures. Compared with the implementations of other public key cryptosystems, e.g., RSA and ECC, we need to speed up multivariate signature generations.

Some previous works of efficient implementations of multivariate signature schemes are as follows:

The work in [33] proposed a fast implementation of SFlash;

The work in [34] presented an efficient public key generation for multivariate cryptosystems;

In [35], a minimized PKC of multivariate schemes on low-resource embedded systems was proposed;

In [36], an efficient implementation of multivariate quadratic systems was presented;

A fast implementation of Rainbow signature generation was proposed in [37];

A high-speed hardware architecture based on Rainbow signature on Field-Programmable Gate Arrays (FPGAs) was proposed in [38];

For low area design, a multivariate signature FPGA processor was proposed in [39];

The work of [40] was a time-area optimized design, which showed that multivariate cryptosystems are more efficient than ECC.

Among such multivariate signature schemes, enTTS is a Tame-like multivariate public key cryptosystem [32]. Hardware implementations of TTS (including enTTS) signature are mainly proposed in [31, 35, 36, 39, 40]. Most of these implementations are focusing on area optimizations. The main computations during generations of enTTS signature are addition, multiplication, inversion, and solving Systems of Linear Equations (LSEs) in a finite field.

Thus, the main contributions of this paper are as follows. We improve the finite field multiplications via using composite field expression and design a finite field inversion based on binary trees described in [41]. Besides, we improve solving LSEs in a finite field based on the algorithm of Gauss-Jordan elimination and use the XOR gates to compute additions.

We implement the high-speed hardware architecture based on the above improvements on an Altera Stratix FPGA. The comparison shows that the hardware architecture is much faster than other implementations of public key cryptosystems.

We organize the rest of this paper as follows: the algorithm of multivariate scheme is introduced in Section 2; the high-speed hardware architecture for multivariate signature generations is given in Section 3; implementation results of the high-speed hardware architecture on FPGAs and comparisons with related cryptosystems are given in Section 4; Conclusions are summarized in Section 5.

Method

This study originates from a need to speed up signature generations of multivariate scheme, since the efficiency of implementations should be improved as a quantum-resistance cryptosystems. Specifically, we propose a high-speed hardware architecture for multivariate scheme through improving finite field multiplications based on composite field expression, finite field inversions based on binary trees and solving LSEs based on the algorithm of Gauss-Jordan elimination.

We implement the high-speed hardware architecture based on the above improvements on an Altera Stratix FPGA and the comparison shows that the hardware architecture is much faster than other implementations.

The multivariate scheme, enTTS is employed to the architecture for hardware implementations of signature generations in a finite field. enTTS belongs to the triangular family, which can be viewed as extensions of Tame Transformation Method (TTM). enTTS is designed with a higher security level than TTS. We illustrate enTTS parameters in Table 1.

Table 1 Multivariate scheme parameters
Full size table

We use GF((24)2) for implementation of enTTS, which is a composite field of GF(256). We suppose that y denotes the message (20 B) of multivariate scheme and y0, y1, …, y19 denote each byte from the message, where y0, y1, …, y19 are elements in GF((24)2). We suppose that x denotes the signature (28 B) and x0, x1, …, x27 denote each byte of the signature, where x0, x1, …, x27 are elements in GF((24)2).

The construction of this signature scheme uses affine transformation L1, central map transformation F, and affine transformation L2.

In order to sign a message, i.e., y(y0, y1, …, y19), it is required to compute several steps for the following equation:

$$ {F}^{{}^{\circ}}{L}_2\left({x}_0,{x}_1,\dots, {x}_{27}\right)={L}_1^{-1}\left({y}_0,{y}_1,\dots, {y}_{19}\right). $$

First, the following equation is required to solve:

$$ \overline{y}\left({\overline{y}}_0,{\overline{y}}_1,\dots, {\overline{y}}_{19}\right)={L}_1^{-1}\left({y}_0,{y}_1,\dots, {y}_{19}\right). $$

\( {L}_1^{-1} \) is an invertible affine transformation with the following form:

$$ \overline{y}= Ay+B. $$

A is a matrix with the size of 20 × 20, part of private keys of enTTS;

B is a vector with the size of 20, part of private keys of enTTS.

Then, \( \overline{y}\left({\overline{y}}_0,{\overline{y}}_1,\dots, {\overline{y}}_{19}\right) \) is the result of affine transformation L1, where \( {\overline{y}}_0,{\overline{y}}_1,\dots, {\overline{y}}_{19} \) are elements in GF((24)2).

Second, the following equation is required to solve:

$$ \overline{x}\left({\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_{27}\right)={F}^{-1}\left({\overline{y}}_0,{\overline{y}}_1,\dots, {\overline{y}}_{19}\right). $$

The construction of central map transformation depends on a map with the following representation.

$$ F\left({\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_{27}\right)=\left({f}_0,{f}_1,\dots, {f}_{19}\right). $$

We suppose that \( x\left({\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_{27}\right) \) denote the result of central map transformation F, where \( {\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_{27} \) are elements in GF((24)2). MQ polynomials f(f0, f1, …, f19) are defined by the following equations:

$$ {f}_{i-8}={\overline{x}}_i+{\sum}_{j=1}^7{p}_{ij}{\overline{x}}_j{\overline{x}}_{8+\left(\left(i+j\right)\kern0.62em \operatorname{mod}\kern0.62em 9\right)},i=8,9,\dots, 16, $$
$$ {f}_9={\overline{x}}_{17}+{p}_{17,1}{\overline{x}}_1{\overline{x}}_6+{p}_{17,2}{\overline{x}}_2{\overline{x}}_5+{p}_{17,3}{\overline{x}}_3{\overline{x}}_4\kern0.5em +{p}_{17,4}{\overline{x}}_9{\overline{x}}_{16}+{p}_{17,5}{\overline{x}}_{10}{\overline{x}}_{15}+{p}_{17,6}{\overline{x}}_{11}{\overline{x}}_{14}\kern0.5em +{p}_{17,7}{\overline{x}}_{12}{\overline{x}}_{13}, $$
$$ {f}_{10}={\overline{x}}_{18}+{p}_{18,1}{\overline{x}}_2{\overline{x}}_7+{p}_{18,2}{\overline{x}}_3{\overline{x}}_6+{p}_{18,3}{\overline{x}}_4{\overline{x}}_5+{p}_{18,4}{\overline{x}}_{10}{\overline{x}}_{17}+{p}_{18,5}{\overline{x}}_{11}{\overline{x}}_{16}+{p}_{18,6}{\overline{x}}_{12}{\overline{x}}_{15}+{p}_{18,7}{\overline{x}}_{13}{\overline{x}}_{14}, $$
$$ {f}_{i-8}={\overline{x}}_i+{p}_{i,0}{\overline{x}}_{i-11}{\overline{x}}_{i-9}+{\sum}_{j=19}^i{p}_{i,j-18}{\overline{x}}_{2\left(i-j\right)}{\overline{x}}_j+{\sum}_{j=i+1}^{27}{p}_{i,j-18}{\overline{x}}_{i-j+19}{\overline{x}}_j,i=19,20,\dots, 27, $$

p ij are coefficients, part of private key.

The MQ polynomials

$$ \overline{y}\left({\overline{y}}_0,{\overline{y}}_1,\dots, {\overline{y}}_{19}\right)=f\left({f}_0,{f}_2,\dots, {f}_{19}\right) $$

can be divided into three groups:

$$ {\displaystyle \begin{array}{l}{f}_i\mid i=0,1,\dots, 8\\ {}{f}_i\mid i=9,10\\ {}{f}_i\mid i=11,12,\dots, 19.\end{array}} $$

Similarly, \( \overline{x}\left({\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_{27}\right) \) are divided into four groups:

$$ {\displaystyle \begin{array}{l}{\overline{x}}_i\mid i=0,1,\dots, 7\\ {}{\overline{x}}_i\mid i=8,9,\dots, 16\\ {}{\overline{x}}_i\mid i=17,18\\ {}{\overline{x}}_i\mid i=19,20,\dots, 27.\end{array}} $$

The first group variables of \( \overline{x} \), i.e., \( {\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_7 \) are randomly chosen and then the first group polynomials of f i , i.e., f0, f1, …, f8 are evaluated.

Then, the second group variables of \( \overline{x} \) are \( {\overline{x}}_8,{\overline{x}}_9,\dots, {\overline{x}}_{16} \), and we solve the LSEs on such variables.

Next, we evaluate the second group polynomials of f i , i.e., f9, f10 and solve the third group variables of \( \overline{x} \), i.e., \( {\overline{x}}_{17},{\overline{x}}_{18} \).

Then, the third group polynomials of f i , i.e., f11, f12, …, f19 are evaluated and we solve the LSEs on such variables of the fourth group variables of \( \overline{x} \), i.e., \( {\overline{x}}_{19},{\overline{x}}_{20},\dots, {\overline{x}}_{27} \).

After that, the result of central map transformation F, i.e., \( x\left({\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_{27}\right) \) is computed.

Last, we solve the following equations based on the values of \( {\overline{x}}_{19},{\overline{x}}_{20},\dots, {\overline{x}}_{27} \).

$$ x\left({x}_0,{x}_1,\dots, {x}_{27}\right)={L_2}^{-1}\left({\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_{27}\right). $$

\( {L}_2^{-1} \) is an invertible affine transformation

$$ x=C\overline{x}+D. $$

C is a matrix with the size of 28 × 28, part of private keys of enTTS;

D is a vector with the size of 28, part of private keys of enTTS.

Finally, we have computed the signature of y(y0, y1, …, y19), which is x(x0, x1, …, x27).

A high-speed hardware architecture for multivariate signature

Overview of the hardware architecture

We choose enTTS (20,28) scheme described in Section 2 for hardware implementations in a composite field GF((24)2), where the size of message (hash value) is 20 B and the signature size is 28 B.

We illustrate the generation of a multivariate signature in Fig. 1. It can be observed from Fig. 1 that the signature generations of multivariate scheme include seven steps:

Fig. 1
figure1

The generation process of multivariate signatures

Full size image

(1) Affine transformation L1.

\( {L}_1^{-1} \) is an invertible affine transformation with the following form.

$$ \overline{y}= Ay+B. $$

A is a matrix with the size of 20 × 20.

B is a vector with the size of 20.

It can be observed that \( {L}_1^{-1} \) is performed via matrix-vector multiplications and vector additions, where A and B are parts of private keys.

(2) Polynomial evaluation (first part F)

First, we randomly choose the variables of \( {\overline{x}}_0,{\overline{x}}_1,\dots, {\overline{x}}_7 \), i.e., the first group variables of \( \overline{x} \).

Second, we evaluate the polynomials of f0, f1, …, f8, i.e., the first group polynomials of f i .

After that, this part of polynomial evaluation is performed via using additions and multiplications in a finite field.

(3) Solving (LSEs) in a finite field

During the signature generations of multivariate scheme, it is required to perform solving LSEs twice with the same matrix of size 9 × 9.

First, for the second group variables of \( \overline{x} \), i.e., \( {\overline{x}}_8,{\overline{x}}_9,\dots, {\overline{x}}_{16} \), we solve the LSEs on such variables.

Second, for the fourth group variables of \( \overline{x} \), i.e., \( {\overline{x}}_{19},{\overline{x}}_{20},\dots, {\overline{x}}_{27} \), we solve the LSEs on such variables.

During this step, solving LSEs is performed via using a variant Gauss-Jordan elimination in a finite field.

(4) Polynomial evaluation (second part F)

The third group variables of \( \overline{x} \), i.e., \( {\overline{x}}_{17},{\overline{x}}_{18} \) are solved by evaluating the second group polynomials of f i , i.e., f9, f10.

This part of polynomial evaluation is performed via using additions and multiplications in a finite field;

(5) Polynomial evaluation (third part F)

We evaluate the third group polynomials of f i , i.e., f11, f12, …, f19.

This part of polynomial evaluation is performed via using additions and multiplications in a finite field.

(6) Affine transformation L2: \( {L}_2^{-1} \) is an affine transformation with the following form:

$$ x=C\overline{x}+D. $$

C: is a matrix with the size of 28 × 28.

D is a vector with the size of 28.

It can be observed that \( {L}_2^{-1} \) is performed via matrix-vector multiplications and vector additions, where C and D are parts of private keys.

Our hardware architecture for the signature generation of multivariate scheme is depicted in Fig. 2. It can be observed from Fig. 2 that the hardware architecture consists of adders, multipliers, inverter, parallel Gauss-Jordan eliminator, polynomial evaluation, matrix vector multiplication, vector addition, polynomial evaluation, and processor components in a finite field, where only the first four components are computing components and the others are logical components.

Fig. 2
figure2

Hardware architecture of multivariate schemes

Full size image

Performance evaluation of irreducible polynomial in composite fields

Irreducible polynomials in composite fields are involved in the additions, multiplications, and other operations during signature generations. Thus, the performance evaluation of the irreducible polynomial in the composite field GF((24)2) is very critical for the implementation of high-speed hardware architecture of multivariate scheme.

We suppose that q(x) denotes the irreducible polynomial in GF((24)2), and it has the following form.

$$ q(x)={x}^2+{q}_1x+{q}_0. $$

p1, p0 are elements in GF(24).

We suppose that p(x) denotes the irreducible polynomial in the subfield of GF((24)2), i.e., GF(24), and it has the following form:

$$ p(x)={x}^4+{p}_3{x}^3+{p}_2{x}^2+{p}_1x+1. $$

p3, p2, p1 are bits, i.e., 0 or 1.

The performance of the multiplications and inversions has been evaluated based on such irreducible polynomials, respectively. q(x) = x2 + x + 9 is chosen as the irreducible polynomials in GF((24)2) and p(x) = x4 + x + 1 is chosen as the irreducible polynomials in the subfield GF(24).

Finite field adder

Let a(x) = a h x + a l and b(x) = b h x + b l be the elements in GF((24)2), where a h , a l , b h , and b l are elements in GF(24).

Then the addition of a(x) and b(x) can be expressed as

$$ a(x)+b(x)= $$
$$ \left({a}_hx+{a}_l\right)+\left({b}_hx+{b}_l\right)= $$
$$ \left({a}_h+{b}_h\right)x+{a}_l+{b}_l. $$

Then, we suppose that c h , c l are elements in GF(24), and we can compute their values via the following expressions:

$$ {c}_h={a}_h+{b}_h, $$
$$ {c}_l={a}_l+{b}_l. $$

Thus, c(x) = c h x + c l is the addition result of a(x) and b(x).

Finite field multiplier

Let a(x) = a h x + a l and b(x) = b h x + b l be the elements in GF((24)2), where a h , a l , b h , and b l are elements in GF(24).

Then the multiplication of a(x) and b(x) can be expressed as

$$ a(x)\times b(x)= $$
$$ \left({a}_hx+{a}_l\right)\left({b}_hx+{b}_l\right)= $$
$$ \left({a}_h{b}_h{x}^2+\left({a}_h{b}_l+{a}_l{b}_h\right)x+{a}_l{b}_l\right)\operatorname{mod}q(x). $$

We perform the polynomial multiplication and reduction module the irreducible polynomial q(x) = x2 + x + 9. We suppose that c h and c l are elements in GF(24), and we can compute their values via the following expressions:

$$ {c}_h=\left({a}_h+{a}_l\right)\left({b}_h+{b}_l\right)+{a}_l{b}_l, $$
$$ {c}_l={a}_l{b}_l+9{a}_h{b}_h. $$

It can be observed that the critical path of multiplication of two elements in GF((24)2) includes one multiplication, one constant multiplication, and one addition in GF(24).

p(x) is the irreducible polynomial in GF(24). Let \( a(x)=\sum \limits_{i=0}^3{a}_i{x}^i \) and \( b(x)=\sum \limits_{i=0}^3{b}_i{x}^i \) be elements in GF(24), a i , b i GF(2), and we suppose that

$$ c(x)=a(x)\times b(x)\left( \operatorname {mod}\;\left(p(x)\right)\right)=\sum \limits_{i=0}^3{c}_i{x}^i $$

is the multiplication result of two elements, where c i  GF(2).

First, we compute v ij for i = 0, 1, …, 6and j = 0, 1, 2, 3 according to the following equation:

$$ {x}^i \operatorname {mod}\;p(x)=\sum \limits_{j=0}^3{v}_{ij}{x}^j. $$

Next, we compute S i for i = 0, 1, …, 6 by the following equation:

$$ {S}_i=\sum \limits_{j+k=i}{a}_j{b}_k. $$

After that, we compute c i for i = 0, 1, 2, 3 by the following equation:

$$ {c}_i=\sum \limits_{j=0}^6{v}_{ji}{S}_j. $$

Finally, the multiplication result is

$$ c(x)=\sum \limits_{i=0}^3{c}_i{x}^i. $$

Multiplicative inverter

Let a(x) = a h x + a l and b(x) = b h x + b l be the elements in GF((24)2), where a h , a l , b h , and b l are elements in GF(24).

We suppose that b(x) is the inverse of a(x). Then,

$$ {\displaystyle \begin{array}{l}{b}_h={\left({a}_h+{a}_l\right)}^{-1}{a}_h{b}_l,\\ {}{b}_l={\left({a}_l+9{a}_h^2{\left({a}_l+{a}_h\right)}^{-1}\right)}^{-1}.\end{array}} $$

We use two binary trees for inversions in subfield GF(24), which are illustrated as follows:

Each binary tree has four layers in GF(24);

Root nodes are on the third layer;

Each node has at most two child nodes, left node represents value of zero and right node represents value of one;

Each child must either be a leaf or the root of another tree, each node has a father node when it is not a root node;

Each element in a finite field (except (0000)2 and (0001)2) has a unique traversal from root to leaf due to the fact that (0000)2 has no inverse and the inverse of (0001)2 is itself;

Each leaf is linked to another leaf.

Figure 3 depicts the architecture for inversions in GF(24).

Fig. 3
figure3

Multiplicative inversion based on binary trees

Full size image

Example 1. It can be observed from Fig. 4, if it is required to inverse the element (0100)2, we search the binary tree from root nodes to leaf nodes, the path from n1 to n4 represents (0100)2. n4 is linked with n8, thus the path from n5 to n8 represents the inverse of (0100)2, i.e., (1001)2.

Fig. 4
figure4

An example of inversion

Full size image

Parallel Gauss-Jordan eliminator

During central map transformation in signature generations, it is required to solve LSEs in a finite field twice with the same matrix size 9 × 9.

We adopt a parallel Gauss-Jordan elimination, which is depicted in Fig. 5. It can solve a LSE with matrix size of 9 × 9. The parallel Gauss-Jordan eliminator solves systems of linear equations with 9 iterations, which is enhanced in the following directions:

Fig. 5
figure5

Parallel Gauss-Jordan eliminator with matrix size 9 × 9

Full size image

First, exclusive adders are used in the parallel Gauss-Jordan elimination based on the design described in Section 3.3;

Second, exclusive multipliers are used in the parallel Gauss-Jordan elimination based on the design described in Section 3.4;

Third, exclusive inverters are used in the parallel Gauss-Jordan elimination based on the design described in Section 3.5.

It can be observed from Fig. 4, I, N l , and E kl are three kinds of cells in the architecture, where k = 1, 2, …, 9 and l = 1, 2, …, 10.

The I cell is used for multiplicative inversion in a finite field, which includes an exclusive inverter described in Section 3.5.

The N l cells are used for normalization of finite field elements, which includes exclusive multipliers described in Section 3.4.

The E kl cells are used for elimination of finite field elements, which includes exclusive adders and multipliers described in Sections 3.3 and 3.4.

In conclusion, the architecture includes one I cell, 9 N l cells, and 90 E lk cells and solves the LSEs within 9 clock cycles with the matrix size of 9 × 9.

Results

In this section, we investigate the performance of the high-speed hardware architecture for multivariate scheme through hardware implementations on an Altera Stratix FPGA. The implementation is programmed in the hardware programming language, Verilog.

The implementation of multivariate signature generations is illustrated in Table 2, where the executing time for a signature generation of enTTS is 0.9 μs, the time frequency is 100 MHz, and the clock cycle is 90. It should be noted that, all of the results from implementations mentioned are extracted after place and route on the Altera Stratix FPGA.

Table 2 FPGA implementation of hardware architecture for multivariate signature generation
Full size table

We compare the high-speed hardware architecture with the related implementations of multivariate schemes and other public key schemes, which is depicted in Table 3. The ECC cryptosystems proposed in [2] are efficient implementations and Rainbow cryptosystems proposed in [38] are fast implementations.

Table 3 Comparison on public key cryptographic systems
Full size table

It can be observed from Table 3 that the high-speed hardware architecture is much faster than the related implementations of public key cryptosystems.

Conclusions

We propose a high-speed cryptographic architecture for hardware implementation of multivariate signature generations in this paper. The main computations of signature generations of multivariate scheme are multiplications, inversions, and solving LSEs in a finite field. Thus, we improve the finite field multiplications via using composite field expression and design a finite field inversion via using binary trees. Besides, we improve solving LSEs in a finite field based on the variant algorithm of Gauss-Jordan elimination.

We implement the high-speed hardware architecture based on the above improvements on an Altera Stratix FPGA device. The implementation results show that the executing time for a signature generation of multivariate scheme is 0.9 μs, the time frequency is 100 MHz, and the clock cycle is 90. The comparison shows that the hardware architecture is much faster than other implementations.

Abbreviations

ECC:

Elliptic Curve Crypto

enTTS:

Enhanced Tame Transformation Signature

FPGA:

Field-Programmable Gate Array

LSE:

Systems of Linear Equations

MPKC:

Multivariate Quadratic Equations Public Key Cryptography

MQ:

Multivariate Quadratic

PKC:

Public Key Cryptography

RSA:

Rivest-Shamir-Adleman

TTS:

Tame Transformation Signature

UOV:

Unbalanced Oil-Vinegar

References

  1. 1.

    M Shand, J Vuillemin, in Fast implementations of RSA cryptography, Proceedings of IEEE 11th Symposium on Computer Arithmetic, Windsor, Ont., (IEEE, USA, 1993) pp. 252-259

  2. 2.

    B Ansari, MA Hasan, High-performance architecture of elliptic curve scalar multiplication. IEEE Trans. Comput. 57(11), 1443–1453 (2008)

  3. 3.

    PW Shor, in Quantum Entanglement and Quantum Information-Proceedings of Ccast. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer (1999), pp. 303–332

  4. 4.

    D Bernstein, J Buchmann, E Dahmen, Post-quantum cryptography (Springer, Berlin Heidelberg, 2009)

  5. 5.

    J Ding, BY Yang, in Post-Quantum Cryptography. Multivariate public key cryptography (2009), pp. 193–241

  6. 6.

    Garey M. R., Johnson D. S. Computers and Intractability: A Guide to the Theory of NP-Completeness. 1986.

  7. 7.

    T Matsumoto, H Imai, in The Workshop on Advances in Cryptology-Eurocrypt. DBLP. Public quadratic polynomial-tuples for efficient signature-verification and message-encryption (1988), pp. 419–453

  8. 8.

    J Patarin, in Advancews in Cryptology - CRYPTO '96, International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 1996, Proceedings. Asymmetric cryptography with a hidden monomial (Springer, Berlin, 1996), pp. 45–60

  9. 9.

    J Patarin, in International Conference on the Theory and Applications of Cryptographic Techniques. Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms (Springer, Berlin, Heidelberg, 1996), pp. 33–48

  10. 10.

    Y Tan, S Tang, J Chen, et al., Building a new secure variant of rainbow signature scheme[J]. IET Inf. Secur. 10(2), 53–59 (2016)

  11. 11.

    Y Tan, S Tang, T Wang, Adding variables variation to rainbow - like scheme to enhance its security level against MinRank attack. Secur. Commun. Netw. 7(12), 2326–2334 (2015)

  12. 12.

    Patarin J., Courtois N., Goubin L. FLASH, a fast multivariate signature algorithm. 2020, 298–307 (2001)

  13. 13.

    J Ding, A Petzoldt, Current state of multivariate cryptography. IEEE Secur. Privacy 15(4), 28–36 (2017)

  14. 14.

    Z Peng, S Tang, Circulant rainbow: A new rainbow variant with shorter private key and faster signature generation. IEEE Access PP(99), 1 (2017)

  15. 15.

    J Ding, JE Gower, Inoculating multivariate schemes against differential attacks[J]. Lect. Notes Comput. Sci 2006, 290–301 (2005)

  16. 16.

    A Diene, J Ding, JE Gower, et al., in Coding and Cryptography, International Workshop, WCC 2005, Bergen, Norway, March 14–18, 2005. Revised Selected Papers. Dimension of the linearization equations of the Matsumoto-Imai cryptosystems (DBLP), (Springer, Berlin, 2008) pp. 242–251

  17. 17.

    J Ding, C Wolf, BY Yang, in International Conference on Practice and Theory in Public-Key Cryptography. Invertible cycles for multivariate quadratic (MQ) public key cryptography (Springer-Verlag, Berlin, 2007), pp. 266–281

  18. 18.

    S Tsujii, T Itoh, A Fujioka, et al., Public-key cryptosystem based on the difficulty of solving a system of nonlinear equations. Syst. Comput. Japan 19(2), 10–18 (2010)

  19. 19.

    A Shamir, in Advances in Cryptology -CRYPTO’ 93. Efficient signature schemes based on birational permutations (Springer, Berlin Heidelberg, 1993), pp. 1–12

  20. 20.

    T Moh, A public key system with signature and master key functions. 27(5), 2207–2222 (1999)

  21. 21.

    M Kasahara, R Sakai, A construction of public key cryptosystem for realizing Ciphertext of size 100 bit and digital signature scheme (asymmetric cipher) (cryptography and information security). IEICE Trans. Fundamentals Electron. Commun. Comput. Sci. 87-A(1), 102–109 (2004)

  22. 22.

    LC Wang, FH Chang, Tractable rational map cryptosystem. Iacr Cryptology Eprint Archive (2005), http://eprint.iacr.org/2004/046.pdf

  23. 23.

    M Kasahara, A construction of public-key cryptosystem based on singular simultaneous equations. IEICE Trans. Fundamentals Electron. Commun. Comput. Sci. 88-A(1), 74–80 (2005)

  24. 24.

    Wolf C., Preneel B. Large superfluous keys in multivariate quadratic asymmetric systems. International Conference on Theory and Practice in Public Key Cryptography. (Springer, Berlin, 2005) pp. 275–287

  25. 25.

    LC Wang, YH Hu, F Lai, et al., in Public Key Cryptography - PKC 2005, International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23–26, 2005, Proceedings. Tractable rational map signature (DBLP) (Springer, Berlin, 2005), pp. 244–257

  26. 26.

    T Moh, Two new examples of TTM. Iacr Cryptology Eprint Arch. (2007) http://eprint.iacr.org/2007/144

  27. 27.

    J Baena, C Clough, J Ding, in International Workshop on Post-Quantum Cryptography. Square-Vinegar Signature Scheme (Springer-Verlag, 2008), pp. 17–30

  28. 28.

    J Ding, D Schmidt, in Applied Cryptography and Network Security, Third International Conference, ACNS 2005, New York, NY, USA, June 7–10, 2005, Proceedings. Rainbow, a new multivariable polynomial signature scheme (DBLP) (Springer, Berlin, 2005), pp. 164–175

  29. 29.

    A Kipnis, J Patarin, L Goubin, Unbalanced oil and vinegar signature schemes. Adv. Cryptology Eurocrypt 1592, 206–222 (1999)

  30. 30.

    JM Chen, BY Yang, in International Conference on Information Security and Cryptology. A more secure and efficacious TTS signature scheme (2004), pp. 320–338

  31. 31.

    BY Yang, JM Chen, YH Chen, in Cryptographic Hardware and Embedded Systems - CHES 2004:, International Workshop Cambridge, Ma, USA, August 11–13, 2004. Proceedings. TTS: High-speed signatures on a low-cost smart card (DBLP) (Springer, Berlin, 2004), pp. 371–385

  32. 32.

    BY Yang, JM Chen, in Australasian Conference on Information Security and Privacy. Building secure Tame-like multivariate public-key cryptosystems: The new TTS (Springer, Berlin, 2005), pp. 518–531

  33. 33.

    ML Akkar, N Courtois, R Duteuil, et al., in International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography. A fast and secure implementation of Sflash (Springer, Berlin, 2003), pp. 267–278

  34. 34.

    Wolf C. Efficient Public Key Generation for Multivariate Cryptosystems. 2003.

  35. 35.

    BY Yang, CM Cheng, BR Chen, et al., in Security in Pervasive Computing. Implementing minimized multivariate PKC on low-resource embedded systems (Springer, Berlin Heidelberg, 2006), pp. 73–88

  36. 36.

    C Berbain, O Billet, H Gilbert, Efficient implementations of multivariate quadratic systems. Lect. Notes Comput. Sci 4356, 174–187 (2006)

  37. 37.

    S Balasubramanian, A Bogdanov, A Rupp, et al., in International Symposium on Field-Programmable Custom Computing Machines. Fast multivariate signature generation in hardware: The case of rainbow (IEEE Computer Society, USA, 2008), pp. 281–282

  38. 38.

    S Tang, H Yi, J Ding, et al., in Post-Quantum Cryptography. High-speed hardware implementation of rainbow signature on FPGAs (Springer, Berlin Heidelberg, 2011), pp. 228–243

  39. 39.

    H Yi, S Tang, Very small FPGA processor for multivariate signatures. Comput. J. 59(7), 1091–1101 (2016)

  40. 40.

    A Bogdanov, T Eisenbarth, A Rupp, et al., in Proceeding of the, International Workshop on Cryptographic Hardware and Embedded Systems. Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves? (Springer, Berlin, 2008), pp. 45–61

  41. 41.

    H Yi, S Tang, R Vemuri, Fast inversions in small finite fields by using binary trees. Comput. J. 59(7), 1102–1112 (2016)

Download references

Acknowledgements

The authors would like to express our cordial thanks to the section editor in charge and the respected reviewers for their time, accurate review of our manuscript, and their invaluable comments on this paper.

Funding

This work is supported by Shenzhen Science and Technology Program under Grant (nos. JCYJ20170306144219159 and JCYJ20160428092427867), Foundation for Distinguished Young Talents in Higher Education of Guangdong, China (no. 2017GkQNCX059), Special Fund for the Development of Strategic Emerging Industries and Future Industries of Shenzhen (no. 20170502142224600), Science and Technology Program of Shenzhen Polytechnic (no. 601722 K20018).

Author information

Affiliations

  1. School of Computer Engineering, Shenzhen Polytechnic, Shenzhen, China

    • Haibo Yi
    •  & Zhe Nie

Authors

  1. Search for Haibo Yi in:

  2. Search for Zhe Nie in:

Contributions

HY is the main writer of this paper. He proposed the main idea, designed and implemented the architecture, and drafted the manuscript. ZN gave some important suggestions for the architecture and analyzed the results. Both authors read and approved the final manuscript.

Corresponding author

Correspondence to Haibo Yi.

Ethics declarations

Authors’ information

Haibo Yi received the bachelor degree in computer science from Beijing Jiaotong University, China, in 2009 and the PhD from South China University of Technology, China in 2015. Since 2015, he has been with School of Computer Engineering of Shenzhen Polytechnic, as a lecturer. He has published over 20 technical papers. His main research areas are information security, cloud computing, and big data. He is a member of Chinese Association for Cryptologic Research.

Zhe Nie received the B.S. degree in industrial automation from the North China University of Technology, China and the M.S. degree in Computer application technology from Harbin Institute of Technology, China. He joined Shenzhen Polytechnic in 1994 and currently is a professor. His research interests include internet public opinion, artificial intelligence, and computer vision technology.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Keywords

  • Cryptographic system
  • Multivariate-Quadratic-Equations Public Key Cryptography (MPKC)
  • Multivariate signature
  • Field-Programmable Gate Array (FPGA)