A Multivariate Signature Based On Block Matrix Multiplication

An oil and vinegar scheme is a signature scheme based on multivariate quadratic polynomials over finite fields. The system of polynomials contains n variables, divided into two groups: v vinegar variables and o oil variables. The scheme is called balanced (OV) or unbalanced (UOV), depending on whether v = o or not, respectively. These schemes are very fast and require modest computational resources, which makes them ideal for low-cost devices such as smart cards. However, the OV scheme has already been proven to be insecure, and the UOV scheme has been proven to be very vulnerable for many parameter choices. In this paper, we propose a new multivariate public key signature scheme whose central map consists of a set of polynomials obtained from the multiplication of block matrices. Our construction is motivated by the design of the Simple Matrix Scheme for Encryption and the UOV scheme. We show that it is secure against the Separation Method, which can be used to attack the UOV scheme, and against the Rank Attack, which is one of the deadliest attacks against multivariate public key cryptosystems. Some theoretical results on matrices with polynomial entries are also given, to support the construction of the scheme.


Introduction
Multivariate public key cryptosystems (MPKCs) were first introduced in 1988 by Matsumoto and Imai [1] with their scheme, called C* or MI. The public key of an MPKC is a system of multivariate polynomials (mostly quadratic) over a finite field. In general, the structure of an MPKC can be described as follows. Let k be a finite field with q elements. A public key is a map F̄ : k^n → k^m, constructed as F̄ = L_1 ∘ F ∘ L_2, where L_1 and L_2 are two random invertible affine transformations over k^n and k^m, respectively. The central map F : k^n → k^m is a non-linear multivariate polynomial map which has the property of being easily (i.e., computationally) invertible. The key to building a good MPKC is to find a good polynomial system F which makes the cryptosystem secure.
The security of an MPKC is based on the fact that solving a set of multivariate polynomial equations over a finite field has, in general, been proven to be an NP-hard problem [2]. However, this does not guarantee that MPKCs are secure. Nevertheless, this property makes the family of MPKCs a good candidate for the Post Quantum Cryptography (PQC) era, if well designed. On the other hand, due to Shor's algorithm [3], the well-known number-theoretic cryptosystems (e.g., RSA, ECC, and the Diffie-Hellman key exchange scheme) have been proven to be insecure if a quantum computer is built.
These facts have inspired many researchers to become involved in the area of MPKCs, which underwent very fast development in the late 1990s. Since then, there have been many attempts to build MPKCs. Unfortunately, most of the existing MPKCs have problems, due to the facts that randomness has not been well used and that cryptanalysts usually exploit the structure of the family of polynomials involved to attack the MPKCs (see [4,5,6,7,8,1,1,1,1]). Direct attacks using algorithms to solve the multivariate systems are also often used to attack MPKCs [1, 1, 1, 1, 1, 1]. As mentioned in [1], the deadliest attacks for MPKCs are Rank attacks [8], which consist of finding some quadratic forms of low rank associated with the central map. Even if the parameters are carefully chosen, there still exist only a few successful designs, such as the Rainbow scheme proposed by Ding and Schmidt [2,2], the Simple Matrix Scheme for Encryption [1], and HFEv- [2, 2, 2]. Indeed, this work was mostly inspired by the constructions in [1,2]. We use the multiplication of block matrices to design our new proposed scheme. The arguments that prove its security are very similar to those used in [1,2].
The rest of this paper is organized as follows. We recall the description of a UOV scheme from [2,2] in Section 2. In Section 3, we introduce some theoretical groundwork concerning matrices with polynomial entries. These results support the construction of the new proposed scheme, which is introduced in the second part of Section 3. Section 4 discusses the security of our scheme and Section 5 concludes the paper.

Preliminaries
The initial Oil and Vinegar scheme was defeated with the separation method attack. However, a huge number of multivariate schemes have been proven to be vulnerable to the MinRank attack. In this section, we recall the descriptions of these two algebraic attacks. A short description of the UOV scheme is also given.

Multivariate Public Key Cryptosystems and the UOV Scheme

Multivariate Public Key Cryptosystems
The main characteristic of a multivariate public-key cryptosystem is that its public key consists of a set of non-linear algebraic polynomials. To encrypt a message or to verify a signature, one needs only to evaluate this set of polynomials at a given point (a_1, ..., a_n). Decryption and signing are done with the help of the private key by solving the system

p_1(z_1, ..., z_n) = 0, ..., p_m(z_1, ..., z_n) = 0. (1)

However, without the private key, solving the system should be impossible (or, at least, very hard), to ensure the security of the cryptosystem. To build a secure system, we start by very carefully choosing a trapdoor which is easy to solve. That is, given y = (y_1, ..., y_m) ∈ k^m, we have an efficient method for computing the solutions of the corresponding system in the trapdoor polynomials. Then, denoting by GL_i(k) the set of all i × i invertible matrices with entries in k, we choose (L_1, L_2) ∈ GL_m(k) × GL_n(k) and compose f with L_1 and L_2 from the left and right, respectively, to obtain the public polynomials in the variables x = (x_1, ..., x_n). In some cases, L_1 or L_2 may be the identity of GL_m(k) or GL_n(k), respectively. The private key of these systems consists of (L_1, L_2) ∈ GL_m(k) × GL_n(k) and the polynomials f_1, ..., f_m, while the public key consists of the field k and the set of algebraic polynomials p = (p_1(x_1, ..., x_n), ..., p_m(x_1, ..., x_n)) ∈ k[x_1, ..., x_n]^m mentioned above.

Oil and Vinegar Polynomials
In this subsection, we give a quick description of the Unbalanced Oil and Vinegar (UOV) scheme and its known cryptanalysis, for illustrative purposes. The basic building block for an OV or UOV scheme is the Oil and Vinegar polynomial.
An Oil and Vinegar polynomial is a quadratic multivariate polynomial in o + v = n variables, where o is the number of oil variables and v the number of vinegar variables. Non-linear terms appear only in the following two cases: between two vinegar variables, or between one vinegar variable and one oil variable. In other words, there is no quadratic term involving oil variables only. More precisely, let k be a finite field with q elements, let x_1, x_2, ..., x_o be the o oil variables, and let x'_1, x'_2, ..., x'_v be the v vinegar variables. An Oil and Vinegar polynomial is any polynomial f ∈ k[x_1, ..., x_o, x'_1, ..., x'_v] of total degree two whose quadratic terms are restricted as just described, with coefficients a_ij, b_ij, c_i, d_j, e ∈ k. The trapdoor for an OV or UOV scheme is a set of Oil and Vinegar polynomial maps, and the public key is the map p. In the context described above, L_1 is the identity of GL_o(k) and composition by L_2 ∈ GL_n(k) is carried out to mix the oil and vinegar variables. The private key is L_2 and the central map is F. For the OV and UOV schemes, there is no need for a second linear transformation L_1, as these schemes are designed only for signatures.
To sign a message y = (y_1, y_2, ..., y_o), we need to find a vector w = (w_1, w_2, ..., w_n) such that p(w) = y. To do so, we first choose v random values for the vinegar variables x'_1, x'_2, ..., x'_v and substitute them into the system to obtain o linear equations in the o oil variables x_1, x_2, ..., x_o. This linear system has a high probability of having a solution. If it does not, we change the values of the vinegar variables x'_1, x'_2, ..., x'_v and try again until a solution in k^o is found. Then, we apply L_2^{-1} ∈ GL_n(k) to the resulting vector to obtain the signature w.
To verify whether w is a signature for y, it suffices to check that p(w) = y.

Attacks against the UOV Scheme
In this subsection, we present two of the most well-known attacks against the UOV scheme; namely, the Separation Method attack and the MinRank attack, which was performed for the first time on the HFE scheme.

Separation Method Attack
The separation attack was introduced by Kipnis and Shamir [8], in order to defeat the original Oil and Vinegar scheme. It has been extended to many other systems containing two different sets of variables. The idea consists of finding an invariant subspace of the subspace spanned by the n polynomials of the public key. This invariant subspace represents the Oil subspace and its complement is the Vinegar subspace. Once this separation is done, one can easily forge arbitrary signatures.

MinRank Attack
As mentioned earlier, one of the deadliest attacks against multivariate public key cryptosystems is the MinRank attack, which is based on the MinRank problem. This problem can be formulated as follows: given positive integers N, n, r with r ≤ n and N matrices M_1, ..., M_N of dimension n × n, find a non-trivial linear combination M of M_1, M_2, ..., M_N such that Rank(M) ≤ r. If r = n − 1, the MinRank problem has been proven to be NP-complete. However, for small r, it may be easily solvable. Therefore, all MPKCs which have the property that some quadratic form associated to their central maps has a low rank are vulnerable to this attack. We give an illustration by describing the MinRank attack on the HFE scheme [2]. The attack was first performed by Kipnis and Shamir [8], who showed that the security of HFE can be reduced to a MinRank problem.

The HFE Scheme
The HFE cryptosystem was proposed by Jacques Patarin in [2]. It can be described as follows. Let q = p^e, where p is a prime number and e ≥ 1. Let K be an extension of degree n of the finite field k = F_q. Clearly, K ≅ k^n.
Let φ : K → k^n be a k-linear isomorphism between the finite field K and the n-dimensional vector space k^n. The central map of HFE is a univariate polynomial F(x) over K with coefficients α_ij, β_i, γ ∈ K, where r is a small constant chosen so that F(x) can be efficiently inverted. The public key is obtained by composing F with T : k^n → k^n and S : k^n → k^n, two invertible linear transformations; the private key consists of T, F, and S.

MinRank Attack on HFE
In [8], Kipnis and Shamir showed that an attacker can ignore lower-degree monomials and still be able to recover the key. Furthermore, the public key P and the transformations S, T, T^{-1} satisfy the following theorem.
Theorem 1. For the maps S, T, T^{-1} given in HFE, there exist maps G*, S*, T*, T*^{-1} over K such that G*(x) = T*(F(S*(x))). The theorem implies an identity relating W F W^t to the matrices G*_k, where F = [α_ij] over K, and G*_k and W are two matrices over K whose respective (i, j) entries are g_{i−k, j−k}^{q^k} and s_{i−j}^{q^i}, with i − k, j − k, and i − j computed modulo n.
As the rank of W F W^t is no more than r, recovering t_0, t_1, ..., t_{n−1} can be reduced to solving a MinRank problem; that is, finding t_0, t_1, ..., t_{n−1} such that the corresponding linear combination has rank at most r. Once the values t_0, t_1, ..., t_{n−1} are found, T and S can be easily computed. Therefore, the key point in the HFE attack is to solve the MinRank problem.
Just as for HFE, many other multivariate schemes have been proven to be insecure using the MinRank attack. In [1], Billet and Gilbert used the MinRank attack against the Rainbow scheme [19] with the parameters (2^8, 6, 6, 5, 5, 11); Rainbow is a layer-based variant of the UOV scheme.

Our New Scheme
In this section, we describe the proposed scheme. As stated in the introduction, we were mainly inspired by the construction of the Simple Matrix Scheme [1] and the Unbalanced Oil and Vinegar signature scheme [2, 2] to conduct this work. Some theoretical results needed in the description are also presented.

Theoretical Groundwork
We start with the following theorem. It plays a crucial role in the signing process.
Theorem 2. Let k be a finite field and denote by k* the set of non-zero elements of k. Let A = (a_ij)_{u×u} be an invertible u × u matrix with a_ij ∈ k, and let C be any (s − u) × u matrix with entries in k. Let B be a u × (s − u) matrix whose entries are random multivariate linear polynomials.
Then, the block matrix M built from these blocks is invertible, and the entries of M^{-1} are multivariate affine linear polynomials with coefficients in k.
Proof. Write M in block form and assume that there exist matrices U, V, X, and Y of dimension u × u, (s − u) × (s − u), (s − u) × u, and u × (s − u), respectively, satisfying the corresponding block relations. By equating the two forms of M, we obtain expressions for U, V, X, and Y which can be inverted, as A^{-1} and (D − CA^{-1}B) are invertible. This yields M^{-1}. The fact that the entries of M^{-1} are multivariate affine linear polynomials with coefficients in k follows directly from the entries of the matrices A, B, C, and D.
The matrix in Theorem 2 will play a crucial role in the design of our new scheme. As we will see in the description of the scheme, the polynomials in the public key are the entries of a matrix obtained by multiplying M with another matrix whose entries are random polynomials. The matrix M −1 will be used in the signing process. This will help to create a system of linear equations whose solution is the signature x of a given document y.

Description of the New Scheme
Let n, m, s ∈ N be integers satisfying m = s^2 and 4 3 ≤ n ≤ 2m. For i ∈ N, let k^i denote the set of all i-tuples of elements of k, and let (x_1, x_2, ..., x_n) ∈ k^n and (y_1, y_2, ..., y_m) ∈ k^m. The polynomial ring in n variables over k is denoted by k[x_1, ..., x_n]. Let L_1 : k^n → k^n and L_2 : k^m → k^m be two linear transformations; that is, L_1 is an n × n matrix and L_2 is an m × m matrix with entries in k, acting on x = (x_1, x_2, ..., x_n)^t and y = (y_1, y_2, ..., y_m)^t, where t denotes matrix transposition.

The Central Map
The central map of the new scheme is obtained after performing a series of operations on matrices with polynomial entries. The idea is inspired by the construction of the Simple Matrix Scheme for Encryption, which was the first in this new generation of multivariate polynomial cryptosystems which use matrix multiplication to generate a public key.
For i = 1, ..., s, let p_i, p'_i ∈ k[x_1, ..., x_n] be 2s^2 random affine polynomials. Define the matrix P from these polynomials and let M be a block matrix, as in Theorem 2, such that A is invertible and only one of the matrices B and C has linear polynomial entries while the other one has scalar entries.
where L_1 : k^n → k^n and L_2 : k^m → k^m are as defined above, and f̄_i ∈ k[x_1, ..., x_n] are m multivariate polynomials of degree three. The secret key and the public key are given by:

Secret Key: The secret key is comprised of the following two parts:
1) The invertible linear transformations L_1, L_2.
2) The matrices M and P.

Public Key: The public key is comprised of the following two parts:
1) The field k, including the additive and multiplicative structure;
2) The map F̄ or, equivalently, its m total degree three components f̄_1, ..., f̄_m.

Signing: A signer will sign a message y_1, ..., y_m with x_1, ..., x_n satisfying (y_1, y_2, ..., y_m) = F̄(x_1, x_2, ..., x_n).
As H = M P, we have P = M^{-1} H. Notice that M is an invertible matrix with polynomial entries and, so, Theorem 2 can be used to find its inverse.

Some remarks on the signing process:
• The matrix M used in the description of the new scheme satisfies the conditions of Theorem 2. Therefore, the existence of the inverse M^{-1} is guaranteed by the theorem, and the entries of M^{-1} are all multivariate affine linear polynomials with coefficients in k.
• Step 3 is necessary in case some of the p_i are not linearly independent. In such a case, there will be no solution and the values for the p_i should be changed. After a few tries, a solution will be found: the probability of obtaining at least one solution is very high, as the probability of an n × n matrix over F_q being invertible is (1 − 1/q)(1 − 1/q^2) ··· (1 − 1/q^{n−1}) (see [2]).
• The relation between m, n, and s may be ignored and the values may be chosen arbitrarily, in general.
• Contrary to the decryption process in [1], there is no failure in the signing process.
The following toy example is based on Theorem 2 and uses a B with linear polynomial entries.
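As an added, constructed example (not the authors' toy example or code), the Python block below implements the inverse of the block matrix M = [[A, B], [C, D]] of Theorem 2 over GF(31) via the Schur complement formula from the proof, with A and C scalar and B linear in x_1, ..., x_n, and checks M(x)·M^{-1}(x) = I at a random point, which is the computation the signing step P = M^{-1} H relies on. It assumes D is chosen as C A^{-1} B + D_0 with D_0 an invertible scalar matrix, so that the Schur complement D − C A^{-1} B is invertible as the theorem requires; a D that leaves the Schur complement dependent on x is rejected, since M^{-1} would then not have polynomial entries.

```python
import random
p = 31  # constructed example over the small prime field GF(31)

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]

def mat_inv(X):
    """Gauss-Jordan inverse over GF(p); returns None if X is singular."""
    n = len(X)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(X)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None: return None
        aug[c], aug[piv] = aug[piv], aug[c]
        aug[c] = [v * pow(aug[c][c], -1, p) % p for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [(a - aug[r][c] * b) % p for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

# A matrix with affine entries is stored as [P0, P1, ..., Pn]: entry (i, j) is
# P0[i][j] + x_1*P1[i][j] + ... + x_n*Pn[i][j].  Multiplying by a scalar matrix
# acts coefficient-wise, so the result is still affine (the point of Theorem 2).
def lmul(S, P): return [mat_mul(S, Pk) for Pk in P]
def rmul(P, S): return [mat_mul(Pk, S) for Pk in P]
def neg(P): return [[[-v % p for v in row] for row in Pk] for Pk in P]
def add(P, Q):
    return [[[(a + b) % p for a, b in zip(ra, rb)] for ra, rb in zip(Pk, Qk)]
            for Pk, Qk in zip(P, Q)]
def const(S, nvars):  # lift a scalar matrix to an affine one
    return [S] + [[[0] * len(S[0]) for _ in S]] * nvars
def blocks(TL, TR, BL, BR):  # assemble [[TL, TR], [BL, BR]] coefficient-wise
    return [[a + b for a, b in zip(TL[k], TR[k])] +
            [c + d for c, d in zip(BL[k], BR[k])] for k in range(len(TL))]
def evaluate(P, x):
    return [[(P[0][i][j] + sum(v * P[k + 1][i][j] for k, v in enumerate(x))) % p
             for j in range(len(P[0][0]))] for i in range(len(P[0]))]

def block_inverse(A, B, C, D):
    """M = [[A, B], [C, D]] with A, C scalar and B, D affine: returns M^-1 via the
    Schur complement S = D - C A^-1 B, or None unless A and S are invertible scalars."""
    Ai = mat_inv(A)
    if Ai is None: return None
    AiB = lmul(Ai, B)
    S = add(D, neg(lmul(C, AiB)))
    if any(v for Sk in S[1:] for row in Sk for v in row) or mat_inv(S[0]) is None:
        return None   # S depends on x (or is singular): M^-1 would not be polynomial
    Si, CAi, nv = mat_inv(S[0]), mat_mul(C, Ai), len(B) - 1
    TL = add(const(Ai, nv), rmul(AiB, mat_mul(Si, CAi)))  # A^-1 + A^-1 B S^-1 C A^-1
    return blocks(TL, neg(rmul(AiB, Si)), neg(const(mat_mul(Si, CAi), nv)), const(Si, nv))

def demo(s=4, u=2, nvars=3, seed=7):
    """Random instance with B linear in x_1..x_nvars; True iff M(x) * M^-1(x) == I."""
    rnd = random.Random(seed)
    rmat = lambda r, c: [[rnd.randrange(p) for _ in range(c)] for _ in range(r)]
    inv_rand = lambda r: next(m for m in iter(lambda: rmat(r, r), None) if mat_inv(m))
    A, D0, C = inv_rand(u), inv_rand(s - u), rmat(s - u, u)
    B = [[[0] * (s - u) for _ in range(u)]] + [rmat(u, s - u) for _ in range(nvars)]
    # Assumed choice of D: C A^-1 B + D0, so that the Schur complement is the scalar D0.
    D = add(lmul(mat_mul(C, mat_inv(A)), B), const(D0, nvars))
    M = blocks(const(A, nvars), B, const(C, nvars), D)
    x = [rnd.randrange(p) for _ in range(nvars)]
    I = [[int(i == j) for j in range(s)] for i in range(s)]
    return mat_mul(evaluate(M, x), evaluate(block_inverse(A, B, C, D), x)) == I
```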

Security Analysis
Further analysis of the security, as well as the choice of parameters and the efficiency of our new scheme, is left for future work. We give here some observations that make us believe that our new proposed scheme has good security, if the parameters are carefully chosen.
In the separation attacks introduced by Kipnis and Shamir [8], the Oil variables and Vinegar variables must be separated to forge arbitrary signatures. Its improvement by Kipnis, Patarin, and Goubin to attack the UOV scheme [2] proposes finding some hidden invariant subspaces from the public polynomials that will allow for separation of the Oil variables and Vinegar variables and forging an arbitrary signature.
The Rainbow Band Separation attack and its generalization [1,1] need to use the missing cross-terms of the variables to find an equivalent set of keys, in order to forge an arbitrary signature. Therefore, none of these attacks pose a real security threat to our new proposed scheme, due to its structural design, which focuses on polynomials rather than on variables.
For the MinRank attack, an attacker needs to find a non-trivial linear combination, of minimal rank, of the matrices associated with the components of the set of public polynomials. After finding these low-rank linear combinations, the linear map L_2 can be recovered and, therefore, the secret key of the scheme is exposed. For the High-Rank attack, the attacker tries to find linear combinations corresponding to the variables with the fewest appearances in the central map, to recover the linear map L_1 and, subsequently, the secret key of the scheme as well. However, as in the previous cases, the structural design of the new scheme uses a product of randomly chosen affine linear polynomials and, hence, the entries of the matrix P are random multivariate quadratic polynomials. This guarantees that the rank of any non-trivial linear combination of matrices associated with the public polynomials will be close to n. Furthermore, as all variables appear in each of the central polynomials approximately the same number of times, neither of the two rank attacks can be used against our new scheme.
Considering the above arguments, we conclude that the most likely successful attack against our new scheme must be a direct attack and, so, we can choose the parameters accordingly to guarantee acceptable security, due to the following observation. Let us assume that an attacker wants to solve the equation (y_1, y_2, ..., y_m) = F̄(x_1, x_2, ..., x_n) to find the signature x_1, x_2, ..., x_n of the message y_1, y_2, ..., y_m. Assume that an oracle O gives the attacker the values (ȳ_1, ȳ_2, ..., ȳ_n) (without knowing L_2, one of the secret keys), from which they can obtain the matrix H. At this point, the attacker still needs to find a way to get the entries of the matrix M^{-1}.
Even if they succeed in finding the entries of the matrix M^{-1} H without knowing M^{-1} explicitly, to be able to forge a signature they will still need to solve the system P = M^{-1} H, which is a system of multivariate quadratic equations with randomly chosen coefficients.

Conclusion
We have proposed a new multivariate signature scheme whose central map is obtained from the multiplication of matrices with random multivariate polynomials as entries. This implies that the central map is composed of cubic polynomials which are sums of products of completely randomly chosen affine linear polynomials, with no specific form. Multiplication from the left by the block matrix M makes any tentative factorization of the polynomials in the central matrix extremely difficult. Due to its structural design, the only feasible attack against this new scheme is the direct attack, and we conjecture that its security can be reduced to the NP-hard problem of solving a non-linear system of equations. Finally, we need to mention that this paper focuses more on the design and the theoretical approach of the scheme; further study to establish the provable security, determine secure parameters, and analyze the efficiency of the proposed scheme will be the object of future research.

Acknowledgements
The first author was supported by the Emirate Foundation through grant 21S021.