GeMSS: A Great Multivariate Short Signature

Principal submitters

Summary

This web page is dedicated to GeMSS: a Great Multivariate Short Signature. GeMSS is a multivariate-based signature scheme producing small signatures. It has a fast verification process and a medium/large public key. GeMSS is in direct lineage from the multivariate signature scheme QUARTZ. Thus, GeMSS is built from the Hidden Field Equations cryptosystem (HFE) by using the so-called minus and vinegar modifiers, i.e. HFEv-. GeMSS is a faster variant of QUARTZ that incorporates the latest results in multivariate cryptography to reach higher security levels than QUARTZ whilst improving efficiency.

We have also submitted a variant, DualModeMS, which uses a generic technique that transforms any MI-based multivariate signature scheme into a new scheme with a much shorter public key but larger signatures.

Since the submission, we have improved the additional implementation of GeMSS, which has become MQsoft. MQsoft is an efficient library that is flexible in the choice of the security parameters.

Specification

The specification document submitted to the first round of the NIST PQC Standardization Process is available here.

The one submitted to the second round is available here, and the changes are here.

Package of submission

The full submission package (with the implementations) of the first round is available here. The KAT files are here.

The package for the second round is available here.

Latest version of GeMSS (second round, 04/15/2020)

We propose an updated implementation of GeMSS, available here. We have decreased the size of the keys. For the secret-key, it is now generated from a small secret seed. For the public-key, we have improved the implementation to reach the theoretical size. Thus, these changes modify the KAT files. The new KATs are here.

We have specified the major changes here (in Section II), and updated the specification accordingly.

Updated implementation and KAT for D=513 (first round)

The parameter D is incorrect in the submitted implementation of the first round. The value should be 513 and not 512. How to modify D is explained here. The updated implementation is here and the KAT files for D=513 are here.

News

01/30/2019: GeMSS is moving on to the second round of the NIST PQC Standardization Process!

Improved implementation

  • 08/20/2019. The measurements of an improved version of MQsoft-2.1 (August 2019) have been added for Haswell and Skylake.
  • 10/10/2019. An exhaustive table of security parameters has been added for Skylake, based on an improved version of MQsoft-2.1 (July 2019).

Old news (first round)

Improved implementation

  • 09/20/2018. The measurements of MQsoft, an improved additional implementation, have been added. This implementation is not yet available. For Skylake processors, we obtain a speed-up factor between 2 and 2.6 for the keypair generation, between 1.3 and 1.6 for the signing process, and between 1.8 and 2 for the verifying process.
  • 09/27/2018. The measurements of MQsoft are available for Skylake and Haswell processors.

Specification

  • 01/11/2018. The size of the secret-key is slightly incorrect: the values given are for D=512 instead of 513. See the tables for the corrected values.
  • 01/11/2018. For the experimental measurements, turbo boost was enabled.

Correction of mistakes in the original implementation

  • 01/11/2018. The parameter D is incorrect in the implementation. The value should be 513 and not 512. The update is available here.

Performance of the fastest implementations (second round)

Here are new measurements of performance of GeMSS with the latest version of MQsoft.

Performance of MQsoft. We use a Haswell processor Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz. MC (resp. KC) stands for Mega (resp. Kilo) Cycles. The results have three significant digits. PCLMULQDQ and AVX2 are used. Turbo Boost is not used.
| cryptosystem | (λ,D,n,Δ,v,nb_ite,s) | keypair generation | signing process | verifying process |
|---|---|---|---|---|
| GeMSS128 | (128,513,174,12,12,4,0) | 38.3 MC | 736 MC | 80.8 KC |
| BlueGeMSS128 | (128,129,175,13,14,4,0) | 38.5 MC | 110 MC | 106 KC |
| RedGeMSS128 | (128,17,177,15,15,4,0) | 41 MC | 2.76 MC | 104 KC |
| GeMSS192 | (192,513,265,22,20,4,0) | 176 MC | 2520 MC | 237 KC |
| BlueGeMSS192 | (192,129,265,22,23,4,0) | 175 MC | 316 MC | 250 KC |
| RedGeMSS192 | (192,17,266,23,25,4,0) | 170 MC | 8.36 MC | 256 KC |
| GeMSS256 | (256,513,354,30,33,4,0) | 485 MC | 3600 MC | 568 KC |
| BlueGeMSS256 | (256,129,358,34,32,4,0) | 475 MC | 531 MC | 582 KC |
| RedGeMSS256 | (256,17,358,34,35,4,0) | 470 MC | 12.9 MC | 592 KC |

Performance of MQsoft. We use a Skylake processor Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz. MC (resp. KC) stands for Mega (resp. Kilo) Cycles. The results have three significant digits. PCLMULQDQ and AVX2 are used. Turbo Boost is not used.
| cryptosystem | (λ,D,n,Δ,v,nb_ite,s) | keypair generation | signing process | verifying process |
|---|---|---|---|---|
| GeMSS128 | (128,513,174,12,12,4,0) | 36.8 MC | 529 MC | 84.6 KC |
| BlueGeMSS128 | (128,129,175,13,14,4,0) | 37.4 MC | 78.3 MC | 111 KC |
| RedGeMSS128 | (128,17,177,15,15,4,0) | 38.2 MC | 2.08 MC | 107 KC |
| GeMSS192 | (192,513,265,22,20,4,0) | 167 MC | 1720 MC | 233 KC |
| BlueGeMSS192 | (192,129,265,22,23,4,0) | 166 MC | 232 MC | 249 KC |
| RedGeMSS192 | (192,17,266,23,25,4,0) | 162 MC | 6.34 MC | 254 KC |
| GeMSS256 | (256,513,354,30,33,4,0) | 508 MC | 2830 MC | 550 KC |
| BlueGeMSS256 | (256,129,358,34,32,4,0) | 510 MC | 411 MC | 560 KC |
| RedGeMSS256 | (256,17,358,34,35,4,0) | 505 MC | 10.2 MC | 563 KC |

Here are the theoretical sizes for keys and signatures.

Theoretical sizes of keys and signatures.
| cryptosystem | public-key | secret-key | signature |
|---|---|---|---|
| GeMSS128 | 352.188 KB | 13.438 KB | 258 bits |
| BlueGeMSS128 | 363.609 KB | 13.697 KB | 270 bits |
| RedGeMSS128 | 375.213 KB | 13.104 KB | 282 bits |
| GeMSS192 | 1237.964 KB | 34.070 KB | 411 bits |
| BlueGeMSS192 | 1264.117 KB | 35.378 KB | 423 bits |
| RedGeMSS192 | 1290.543 KB | 34.792 KB | 435 bits |
| GeMSS256 | 3040.700 KB | 75.893 KB | 576 bits |
| BlueGeMSS256 | 3087.963 KB | 71.460 KB | 588 bits |
| RedGeMSS256 | 3135.591 KB | 71.888 KB | 600 bits |
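
The public-key and signature columns above can be recomputed from (n, Δ, v, nb_ite). The following is an added example, not code from this page or from MQsoft; the counting formulas and the reading of 1 KB as 1000 bytes are assumptions that the page does not state, checked here against the nine rows of the table.

```python
# Added example (not MQsoft code). Assumed counting, not stated on the page:
# the public key is m = n - delta quadratic polynomials over GF(2) in n + v
# variables, and a signature carries m bits plus (delta + v) bits for each of
# the nb_ite iterations. 1 KB is taken as 1000 bytes.

# name: (n, delta, v, nb_ite, public-key bytes on the page, signature bits on the page)
PAGE_ROWS = {
    "GeMSS128":     (174, 12, 12, 4,  352188, 258),
    "BlueGeMSS128": (175, 13, 14, 4,  363609, 270),
    "RedGeMSS128":  (177, 15, 15, 4,  375213, 282),
    "GeMSS192":     (265, 22, 20, 4, 1237964, 411),
    "BlueGeMSS192": (265, 22, 23, 4, 1264117, 423),
    "RedGeMSS192":  (266, 23, 25, 4, 1290543, 435),
    "GeMSS256":     (354, 30, 33, 4, 3040700, 576),
    "BlueGeMSS256": (358, 34, 32, 4, 3087963, 588),
    "RedGeMSS256":  (358, 34, 35, 4, 3135591, 600),
}


def pk_bytes(n, delta, v):
    """Bytes needed to store every coefficient of the public polynomials."""
    m, nv = n - delta, n + v
    # Over GF(2) x_i^2 = x_i, so a polynomial has C(nv, 2) products,
    # nv linear terms and one constant.
    coefficients = nv * (nv - 1) // 2 + nv + 1
    return (m * coefficients + 7) // 8  # round up to whole bytes


def sig_bits(n, delta, v, nb_ite):
    """Signature length in bits."""
    return (n - delta) + nb_ite * (delta + v)


def mismatches(rows=PAGE_ROWS):
    """Names of parameter sets whose computed sizes differ from the page."""
    bad = []
    for name, (n, delta, v, nb_ite, page_pk, page_sig) in rows.items():
        if pk_bytes(n, delta, v) != page_pk or sig_bits(n, delta, v, nb_ite) != page_sig:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for name, (n, delta, v, nb_ite, _, _) in PAGE_ROWS.items():
        print(name, pk_bytes(n, delta, v), "bytes,", sig_bits(n, delta, v, nb_ite), "bits")
    print("rows that disagree with the page:", mismatches())
```

The same two functions give the lengths to compare a received public key or signature against before it is parsed.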

An exhaustive table of security parameters (second round)

Similarly to Section 9.6 of the GeMSS specification, we propose performance measurements for a large number of security parameters. The main difference with the specification is the use of an improved version of MQsoft.

Performance of GeMSS as a function of the parameters
Performance of GeMSS on an Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz (Skylake).

Turbo Boost is not used.

Caption: GeMSS, BlueGeMSS, RedGeMSS, FGeMSS, Inner.DualModeMS

(λ,D,n,Δ,v,nb_ite,s) keygen (MC) sign (MC) verify (KC) |pk| (KB) |sk| (KB) |sign| (bits)
(128,17,268,12,12,1,0) 154 1.65 37.1 1260 23.8 280
(128,17,204,12,15,2,0) 58 2.52 50.9 578 16.5 246
(128,17,186,15,15,3,0) 45.2 1.84 67.4 434 14.2 261
(128,17,177,15,15,4,0) 38.9 2.23 109 375 13.1 282
(128,33,268,12,12,1,0) 159 5.42 36.5 1260 24.4 280
(128,33,204,12,15,2,0) 58.9 8.05 49.8 578 17 246
(128,33,186,15,15,3,0) 46.3 5.45 63.2 434 14.7 261
(128,33,177,15,15,4,0) 39.9 6.55 110 375 13.5 282
(128,129,266,10,11,1,0) 155 56.4 35.7 1230 24.6 277
(128,130,266,10,11,1,3) 155 34.6 35.6 1230 24.5 277
(128,129,204,12,12,2,0) 59.1 94.4 48.6 562 16.2 240
(128,130,204,12,12,2,3) 60.3 58.5 48.4 562 16.2 240
(128,129,185,14,13,3,0) 44.9 62.6 71 421 14.4 252
(128,130,185,14,13,3,3) 45 36 69.5 421 14.3 252
(128,129,175,13,14,4,0) 39 80.9 108 364 13.7 270
(128,130,175,13,14,4,3) 39.4 47.8 106 364 13.7 270
(128,513,265,9,9,1,0) 158 410 34.8 1210 24.2 274
(128,514,265,9,9,1,3) 158 245 35 1210 24.1 274
(128,513,202,10,11,2,0) 60.2 618 46.6 547 16.4 234
(128,514,202,10,11,2,3) 59.8 376 47.3 547 16.4 234
(128,513,183,12,12,3,0) 45.5 417 67.8 408 14.5 243
(128,514,183,12,12,3,3) 45 251 68.5 408 14.5 243
(128,513,174,12,12,4,0) 39 547 80 352 13.4 258
(128,514,174,12,12,4,3) 38.8 313 78.9 352 13.4 258
(192,17,404,20,19,1,0) 802 3.69 125 4300 57.8 423
(192,17,310,22,23,2,0) 277 3.89 157 2000 41.5 378
(192,17,279,23,25,3,0) 196 4.75 189 1480 37.4 400
(192,17,266,23,25,4,0) 169 6.4 258 1290 34.8 435
(192,33,404,20,19,1,0) 823 12 127 4300 59 423
(192,33,310,22,23,2,0) 280 11.8 158 2000 42.6 378
(192,33,279,23,25,3,0) 203 15.4 192 1480 38.4 400
(192,33,266,23,25,4,0) 176 19.5 254 1290 35.8 435
(192,129,402,18,18,1,0) 829 135 120 4240 59.6 420
(192,130,402,18,18,1,3) 841 94.9 123 4240 59.5 420
(192,640,402,18,18,1,0) 839 1310 121 4240 62.6 420
(192,640,402,18,18,1,3) 837 909 120 4240 62.5 420
(192,129,308,20,22,2,0) 274 124 152 1970 43.1 372
(192,130,308,20,22,2,3) 275 86.8 152 1970 43.1 372
(192,129,278,22,23,3,0) 199 181 180 1450 38 391
(192,130,278,22,23,3,3) 200 122 186 1450 37.9 391
(192,129,265,22,23,4,0) 176 232 253 1260 35.4 423
(192,130,265,22,23,4,3) 177 148 251 1260 35.3 423
(192,513,399,15,18,1,0) 820 1030 118 4180 61.5 417
(192,514,399,15,18,1,3) 829 631 117 4180 61.4 417
(192,513,308,20,19,2,0) 278 980 147 1930 41.7 366
(192,514,308,20,19,2,3) 273 539 146 1930 41.6 366
(192,513,276,20,22,3,0) 204 1290 180 1430 38.6 382
(192,514,276,20,22,3,3) 202 779 181 1430 38.5 382
(192,513,265,22,20,4,0) 178 1670 237 1240 34.1 411
(192,514,265,22,20,4,3) 176 946 237 1240 34 411
(256,17,540,28,29,1,0) 2800 7.43 403 10400 117 569
(256,17,415,31,32,2,0) 985 7.85 372 4810 82.8 510
(256,17,375,33,33,3,0) 609 8.05 495 3570 73 540
(256,17,358,34,35,4,0) 526 10.5 596 3140 71.9 600
(256,33,540,28,29,1,0) 2800 22.9 390 10400 119 569
(256,33,415,31,32,2,0) 990 23.7 370 4810 84.7 510
(256,33,375,33,33,3,0) 611 25.1 520 3570 74.8 540
(256,33,358,34,35,4,0) 545 34 606 3140 73.7 600
(256,129,540,28,26,1,0) 2820 267 387 10300 116 566
(256,130,540,28,26,1,3) 2860 203 388 10300 116 566
(256,129,414,30,30,2,0) 987 290 354 4740 84.1 504
(256,130,414,30,30,2,3) 995 203 369 4740 84 504
(256,129,372,30,33,3,0) 614 323 487 3510 77.6 531
(256,130,372,30,33,3,3) 634 205 475 3510 77.5 531
(256,129,358,34,32,4,0) 556 429 591 3090 71.5 588
(256,130,358,34,32,4,3) 535 272 574 3090 71.4 588
(256,513,537,25,26,1,0) 2880 2390 379 10200 120 563
(256,514,537,25,26,1,3) 2830 1300 379 10200 120 563
(256,1152,537,25,26,1,0) 2860 6470 381 10200 123 563
(256,1152,537,25,26,1,3) 2870 3780 379 10200 123 563
(256,513,414,30,27,2,0) 1020 2280 357 4680 81.7 498
(256,514,414,30,27,2,3) 1010 1300 360 4680 81.6 498
(256,513,372,30,30,3,0) 614 2480 460 3460 75.3 522
(256,514,372,30,30,3,3) 608 1320 466 3460 75.2 522
(256,513,354,30,33,4,0) 532 2970 578 3040 75.9 576
(256,514,354,30,33,4,3) 545 1680 572 3040 75.8 576



Performance of the fastest implementations (first round)

Here are new measurements of performance of the additional implementation submitted to the first round of the NIST PQC Standardization Process. We corrected the parameter D in the implementation (513 instead of 512). We compare this corrected version to our new implementation. The measurements are averages over 1,000 keypair generations, 256 signatures and 1,000,000 verifications for security category 1, over 100 keypair generations, 256 signatures and 100,000 verifications for security category 3, and over 20 keypair generations, 256 signatures and 50,000 verifications for security category 5. In the tables, the original implementation is written in red.

Measurements of cryptographic operations (Mega Cycles / milliseconds) on a Skylake processor Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, PCLMULQDQ and AVX2 are used. Turbo Boost is used.
| category of security | keypair generation | signature generation | verification |
|---|---|---|---|
| 1 (128 bits) | 92.6 MC / 27.2 ms | 978 MC / 287 ms | 0.125 MC / 0.0368 ms |
| 1 (128 bits) | 36.2 MC / 10.6 ms | 597 MC / 175 ms | 0.0666 MC / 0.0195 ms |
| 3 (192 bits) | 424 MC / 124 ms | 2570 MC / 754 ms | 0.35 MC / 0.103 ms |
| 3 (192 bits) | 189 MC / 55.6 ms | 1880 MC / 552 ms | 0.197 MC / 0.0577 ms |
| 5 (256 bits) | 1150 MC / 336 ms | 4040 MC / 1190 ms | 0.883 MC / 0.259 ms |
| 5 (256 bits) | 564 MC / 166 ms | 3100 MC / 909 ms | 0.451 MC / 0.132 ms |

Measurements of cryptographic operations (mega cycles / milliseconds) on a Haswell processor Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz, PCLMULQDQ and AVX2 are used. Turbo Boost is not used.
| category of security | keypair generation | signature generation | verification |
|---|---|---|---|
| 1 (128 bits) | 125 MC / 35.6 ms | 1510 MC / 432 ms | 0.161 MC / 0.046 ms |
| 1 (128 bits) | 44.9 MC / 12.8 ms | 962 MC / 275 ms | 0.0814 MC / 0.0233 ms |
| 3 (192 bits) | 562 MC / 160 ms | 3870 MC / 1100 ms | 0.439 MC / 0.125 ms |
| 3 (192 bits) | 235 MC / 67.1 ms | 3080 MC / 881 ms | 0.240 MC / 0.0685 ms |
| 5 (256 bits) | 1620 MC / 463 ms | 7300 MC / 2090 ms | 1.01 MC / 0.288 ms |
| 5 (256 bits) | 694 MC / 198 ms | 5930 MC / 1690 ms | 0.577 MC / 0.165 ms |

Here are the theoretical and practical sizes for keys and signatures. The correction of the parameter D induces minor modifications of the size of the secret-key. As for the performance measurements, we compare the practical size used by the NIST submission (written in red) to that of our new implementation. For the moment, we have improved only the size of the public key for GeMSS256.

Theoretical sizes of keys and signatures.
| category of security | public-key | secret-key | signature |
|---|---|---|---|
| 1 (128 bits) | 352.188 KB | 13.438 KB | 258 bits |
| 3 (192 bits) | 1237.964 KB | 34.070 KB | 411 bits |
| 5 (256 bits) | 3040.700 KB | 75.893 KB | 576 bits |

Practical sizes of keys and signatures.
| category of security | public-key | secret-key | signature |
|---|---|---|---|
| 1 (128 bits) | 417.408 KB | 14.520 KB | 384 bits |
| 1 (128 bits) | 417.416 KB | 14.520 KB | 384 bits |
| 3 (192 bits) | 1304.192 KB | 40.280 KB | 704 bits |
| 3 (192 bits) | 1304.192 KB | 40.280 KB | 704 bits |
| 5 (256 bits) | 3603.792 KB | 83.688 KB | 832 bits |
| 5 (256 bits) | 3046.856 KB | 83.688 KB | 832 bits |

Acknowledgement

GeMSS has been prepared with the support of the French Programme d'Investissement d'Avenir under national project RISQ P141580.