DualModeMS: A Dual Mode for Multivariate-based Signature
Principal submitters
- J.-C. Faugère, INRIA, Sorbonne Université, CNRS
- L. Perret, Sorbonne Université, CNRS, INRIA
- J. Ryckeghem, Sorbonne Université, CNRS, INRIA
Summary
DualModeMS is a multivariate-based signature scheme with a rather peculiar property. Its public-key is small whilst the signature is large. This is in sharp contrast with traditionnal multivariate signature schemes based on the so-called Matsumoto and Imai (MI) constructions that produce short signatures but have larger public-keys. DualModeMS is composed by two distinct layers. The first one is a classical MI-like multivariate scheme based on HFEv-. The second part is based on the method proposed by A. Szepieniec, W. Beullens, and B. Preneel (SBP) in "MQ signatures for PKI" where present a generic technique permitting to transform any MI-based multivariate signature scheme into a new scheme with much shorter public-key but larger signatures. We emphasize that this technique can be viewed as a mode of operations that offers a new flexibility for MI-like signature schemes. Thus, we believe that DualModeMS could also be useful for others multivariate-based signature candidates proposed to NIST.
This submission is somewhat a complement to another multivariate-based signature scheme proposed to NIST: GeMSS. In particular, the security analysis for the first layer is largely similar to the one performed for GeMSS. In fact, it is a re-parametrization of GeMSS imposed by a specificity of SBP.
Since the submission, we have improved the additional implementation of DualModeMS, which is based on the additional implementation of GeMSS. The latter is become MQsoft. MQsoft is an efficient library flexible on the choice of the security parameters.
We propose to study the performance of the Inner mode (small signature but large public-key) and that of DualModeMS (small public-key but medium signature). Then, we propose other sets of parameters in order to study the trade-off between the size of the public-key and that of the signature.
Specification (version of 11/30/2017)
The specification's document submitted to the NIST PQC Standardization Process is available here.Package of submission (version of 11/30/2017)
The full submission package (with the implementations) is available here. The KAT files are here. Note that these KAT files are not the same that those provided on https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions. Unlike NIST which provides ten intermediate KAT but only one request and response KAT, we provide ten KAT files for the three categories. However, these files are huge (approximately 200 MB).News
Improved implementation
- 09/20/2018. The measurements of an improved additional implementation of Inner.DualModeMS have been added. This implementation is not yet available. It has been extended for the three levels of security.
- 10/19/2018. The measurements of an improved additional implementation of DualmodeMS (in Dual mode) have been added. This implementation is not yet available. It has been extended for the three levels of security. For Skylake processors, we obtain a factor 373 for the keypair generation, a factor 1.5 for the signing process, and a factor 6.4 for the verifying process.
Specification
- 01/11/2018. For the experimental measurements, turbo boost was enabled.
- 07/24/2018. We have added experimental measurements for Inner.DualModeMS, based on GeMSS128 additional implementation.
- 07/24/2018. Two sizes of public-key are slightly incorrect in the specification. Look the tables to have the corrected values.
Performance of the fastest implementations of Inner.DualModeMS (the first layer)
Here are measurements of performance of the first level of security of Inner.DualModeMS. An implementation of this mode does not have been submitted explicitly. However, since the Inner mode is a re-parametrization of GeMSS, we can easily transform the submitted GeMSS128 implementation to obtain the Inner mode. To do it, we just replace config_HFE.h by this file (only the security parameters are modified). For the first level of security, the measurements are the average on 1,000 keypair generation, 1,000 signatures and 1,000,000 verifications. In the tables, this implementation is written in red.
As specified in the web page of GeMSS, we have a new implementation of GeMSS. This implementation provides naturally the three security levels of Inner.DualModeMS. We compare it to the previous implementation.
| category of security | keypair generation | signature generation | verification |
|---|---|---|---|
| 1 (128 bits) | 383 MC / 136 ms | 112 MC / 39.3 ms | 0.182 MC / 0.064 ms |
| 1 (128 bits) | 208 MC / 74.0 ms | 83 MC / 29.7 ms | 0.036 MC / 0.013 ms |
| 3 (192 bits) | 1119 MC / 399 ms | 185 MC / 65.8 ms | 0.119 MC / 0.042 ms |
| 5 (256 bits) | 3765 MC / 1341 ms | 351 MC / 125 ms | 0.374 MC / 0.133 ms |
Here are the theoretical and practical sizes for keys and signatures of Inner.DualModeMS. We correct the theoretical size of the public-key which is 1232.13 KB (and not 1139.06 KB) for the category of security 1. As for the performance measurements, we compare the practical size used by the NIST submission (written in red) to this of our new implementation. For the moment, we do not improve the sizes.
| category of security | public-key | secret-key | signature |
|---|---|---|---|
| 1 (128 bits) | 1232.128 KB | 24.554 KB | 277 bits |
| 3 (192 bits) | 4243.728 KB | 59.587 KB | 420 bits |
| 5 (256 bits) | 10635.328 KB | 133.816 KB | 576 bits |
| category of security | public-key | secret-key | signature |
|---|---|---|---|
| 1 (128 bits) | 1232.128 KB | 29.080 KB | 320 bits |
| 1 (128 bits) | 1232.128 KB | 29.080 KB | 320 bits |
| 3 (192 bits) | 4243.744 KB | 65.352 KB | 448 bits |
| 5 (256 bits) | 10635.328 KB | 139.248 KB | 576 bits |
Performance of the fastest implementations of DualModeMS
Here are new measurements of performance of the additional implementation submitted to NIST. In the tables, this implementation is written in red. We compare it to our new implementation. The measurements are the average on 1 keypair generation, 256 signatures and 10240 verifications.
| category of security | keypair generation | signature generation | verification |
|---|---|---|---|
| 1 (128 bits) | 1988572 MC / 708 s | 7870 MC / 2.80 s | 9.868 MC / 3.514 ms |
| 1 (128 bits) | 5334 MC / 1.90 s | 5397 MC / 1.92 s | 1.549 MC / 0.552 ms |
| 3 (192 bits) | 9833 MC / 3.50 s | 17982 MC / 6.40 s | 3.635 MC / 1.295 ms |
| 5 (256 bits) | 20214 MC / 7.20 s | 92225 MC / 32.84 s | 8.016 MC / 2.855 ms |
Here are the theoretical and practical sizes for keys and signatures of DualModeMS. A seed of size the level of security is counted two times: one time in the public-key and one time in the secret-key. This seed has been removed in our new implementation. We correct the theoretical size of the public-key which is 2080 bytes (and not 2112 bytes) for the category of security 5. As for the performance measurements, we compare the practical size used by the NIST submission (written in red) to this of our new implementation. For the moment, we do not improve the sizes.
| category of security | public-key | secret-key | signature |
|---|---|---|---|
| 1 (128 bits) | 0.528 KB | 18032.890 KB | 32.002 KB |
| 3 (192 bits) | 1.560 KB | 29466.091 KB | 79.415 KB |
| 5 (256 bits) | 2.080 KB | 44319.512 KB | 149.029 KB |
| category of security | public-key | secret-key | signature |
|---|---|---|---|
| 1 (128 bits) | 0.528 KB | 18038.184 KB | 32.640 KB |
| 1 (128 bits) | 0.512 KB | 18038.168 KB | 32.640 KB |
| 3 (192 bits) | 1.536 KB | 29473.608 KB | 81.872 KB |
| 5 (256 bits) | 2.048 KB | 44326.896 KB | 153.608 KB |
Other sets of parameters
The transformation proposed by SBP allows to choose the trade-off between the size of the public-key and that of the signature. Here, we propose to compare different sets of parameters for a 128 bits level of security. By default, the security parameters of the dual mode are τ=218,ϑ=18 and k=21. The performance is measured with our new implementation.
| Target | Parameters | Theoretical sizes (|pk|, |sk|, |sign|) | Perf. (keygen, sign, verif) | Specificity |
|---|---|---|---|---|
| minimizing |pk| | α=2,σ=64,δ=0 | 0.032 KB, 18033.834 KB, 34.306 KB | 1.90 s, 1.92 s, 0.592 ms | the smallest pk |
| DualModeMS128 | α=2,σ=64,δ=4 | 0.512 KB, 18032.874 KB, 32.002 KB | 1.90 s, 1.92 s, 0.552 ms | reference |
| |pk|≈|sign| | α=2,σ=64,δ=9 | 16.384 KB, 18001.130 KB, 29.122 KB | 1.90 s, 1.92 s, 0.511 ms | medium pk |
| minimizing |pk|+|sign| | α=1,σ=128,δ=5 | 1.024 KB, 18031.850 KB, 28.829 KB | 1.90 s, 3.81 s, 0.578 ms | slower sign |
| minimizing |pk|+|sign| | α=2,σ=64,δ=4 * | 0.512 KB, 68364.522 KB, 28.418 KB | 7.90 s, 1.92 s, 0.522 ms | slower keygen |
| minimizing |pk|+|sign| | α=1,σ=128,δ=4 * | 0.512 KB, 68364.522 KB, 25.821 KB | 7.90 s, 3.81 s, 0.555 ms | slower keygen / sign |
| Inner.DualModeMS128 | n=266, D=129 | 1232.128 KB, 24.554 KB, 277 bits | 74.0 ms, 29.7 ms, 0.013 ms | fast sign/verif |
| GeMSS128 | n=174, D=513 | 352.188 KB, 13.438 KB, 258 bits | 16.1 ms, 260 ms, 0.028 ms | the smallest sign |
The inner mode permits to have a very small signature (277 bits). In contrast, the dual mode allows to have a very small public-key (32 B). The original submission proposes a small public-key (512 B) and a smaller size of |pk|+|sign| (32.514 KB). On the one hand, |pk|+|sign| can be minimized by losing a factor two during the signature generation. This implies |pk|+|sign|=29.853 KB. On the other hand, |pk|+|sign| can be minimized by increasing by four the size of the secret-key and the time of the keypair generation. This implies |pk|+|sign|=28.930 KB. We can merge the two ideas to obtain |pk|+|sign|=26.333 KB. Finally, we can decrease the size of the signature by increasing δ. This choice increases the size of the public-key (16.384 KB) and improves slightly the performance.
Acknowledgement
DualModeMS has been prepared with the support of the French Programme d'Investissement d'Avenir under national project RISQ P141580.