U.S. patent application number 13/699912 was filed with the patent office on 2013-11-07 for efficient multivariate signature generation.
This patent application is currently assigned to NDS Limited. The applicant listed for this patent is Yaacov Belenky, Aviad Kipnis, Yaron Sella. Invention is credited to Yaacov Belenky, Aviad Kipnis, Yaron Sella.
Application Number: 20130294601 (13/699912)
Family ID: 43569881
Filed Date: 2013-11-07
United States Patent Application 20130294601
Kind Code: A9
Kipnis; Aviad; et al.
November 7, 2013
Efficient Multivariate Signature Generation
Abstract
A cryptographic method and apparatus, including providing a
public key that defines a multivariate polynomial mapping Q( ) over
a finite field F, extracting a first vector Y of verification
values from a message, computing over the first vector, using a
processor, a digital signature X including a second vector of
signature values such that application of the mapping to the
digital signature gives a third vector Q(X) of output values such
that each output value is equal to a corresponding element of a
vector sum Y+aY.sub.SHIFT over F, wherein Y.sub.SHIFT is a shifted
version of Y, and a.epsilon.F, and conveying the message with the
digital signature to a recipient for authentication using the
public key. Related methods, systems, and apparatus are also
described.
Inventors: Kipnis; Aviad (Efrat, IL); Sella; Yaron (Beit Nekofa, IL); Belenky; Yaacov (maaleh Adumim, IL)
Applicant:
Name | City | State | Country | Type |
Kipnis; Aviad | Efrat | | IL | |
Sella; Yaron | Beit Nekofa | | IL | |
Belenky; Yaacov | maaleh Adumim | | IL | |
Assignee: NDS Limited, Stains, Middlesex, GB
Prior Publication: US 20130129090 A1, May 23, 2013
Family ID: 43569881
Appl. No.: 13/699912
Filed: December 14, 2010
PCT Filed: December 14, 2010
PCT NO: PCT/IB2010/055810 PCKC 00
371 Date: January 7, 2013
Current U.S. Class: 380/255
Current CPC Class: H04L 9/3247 20130101; H04L 9/3073 20130101; H04L 9/0822 20130101; H04L 9/3093 20130101; H04L 9/0819 20130101; H04L 9/0825 20130101; H04L 2209/12 20130101; H04L 9/30 20130101; H04L 9/0838 20130101
Class at Publication: 380/255
International Class: H04L 9/30 20060101 H04L009/30
Foreign Application Data:
Date | Code | Application Number |
Jun 2, 2010 | IL | 206139 |
Claims
1. A cryptographic method, comprising: providing a public key that
defines a multivariate polynomial mapping Q( ) over a finite field
F; extracting a first vector Y of verification values from a
message; computing over the first vector, using a processor, a
digital signature X comprising a second vector of signature values
such that application of the mapping to the digital signature gives
a third vector Q(X) of output values such that each output value is
equal to a corresponding element of a vector sum Y+aY.sub.SHIFT
over F, wherein Y.sub.SHIFT is a shifted version of Y, a does not
equal zero, and a.epsilon.F; and conveying the message with the
digital signature to a recipient for authentication using the
public key.
2. The method according to claim 1, and comprising: receiving the
message with the digital signature; extracting the first vector Y
of the verification values from the received message; and
authenticating the message by applying the mapping defined by the
public key to find the output values, and finding a factor
a.epsilon.F such that each output value is equal to the
corresponding element of the vector sum Y+aY.sub.SHIFT.
3. The method according to claim 1, wherein extracting the first
vector comprises applying a predefined hash function to the
message.
4. The method according to claim 1, wherein the multivariate
polynomial mapping is a quadratic mapping.
5. The method according to claim 1, wherein computing the digital
signature comprises: applying an affine transform B.sup.-1 to the
first vector Y in order to compute an intermediate vector Z'; and
applying a univariate polynomial function P.sup.-1(Z'),
corresponding to the multivariate polynomial mapping, over an
extension field of F in order to find the digital signature in a
polynomial representation X'.
6. The method according to claim 5, wherein B comprises a
right-to-left Toeplitz matrix.
7. The method according to claim 5, wherein
P.sup.-1(Z')=(U(T)).sup.dZ'.sup.d, wherein U is a polynomial in the
extension field over a variable T with at least one coefficient
given by the factor a, and d is an exponent, and wherein computing
the digital signature comprises precomputing and storing respective
power vectors V.sub.a=(U(T)).sup.d for multiple possible factors
a.epsilon.F, and using the stored power values in order to compute
and test multiple candidate digital signatures X' for a given
exponentiation of Z'.fwdarw.Z'.sup.d.
8. The method according to claim 7, wherein U(T)=(1+aT).
9. The method according to claim 7, wherein the multivariate
polynomial mapping Q( ) comprises at least one additional
constraint not imposed by the univariate polynomial function, and
wherein computing the digital signature comprises testing the
multiple candidate digital signatures X' for different power
vectors V.sub.a in order to find the digital signature X that
satisfies the at least one additional constraint.
10. The method according to claim 5, wherein applying the affine
transform comprises setting at least one of the values y.sub.i in
the first vector Y so that at least one corresponding intermediate
value in the intermediate vector Z' is zero, and wherein providing
the public key comprises discarding at least one equation
corresponding to the at least one of the values y.sub.i from the
multivariate polynomial mapping Q( ) that is defined by the public
key.
11. A cryptographic method, comprising: receiving a message with a
digital signature X, for verification using a predefined public
key, which defines a multivariate polynomial mapping Q( ) over a
finite field F; extracting a first vector Y of verification values
from the received message; applying the multivariate polynomial
mapping to the digital signature so as to find a second vector of
output values Q(X); and authenticating the message by finding a
factor a.epsilon.F such that each output value is equal to the
corresponding element of a vector sum Y+aY.sub.SHIFT.
12. The method according to claim 11, wherein extracting the first
vector comprises applying a predefined hash function to the
message.
13. The method according to claim 11, wherein the multivariate
polynomial mapping is a quadratic mapping.
14. The method according to claim 11, and comprising rejecting the
message if no factor a.epsilon.F can be found to authenticate the
message.
15. Cryptographic apparatus, comprising: a memory, which is
configured to store a private key corresponding to a public key
that defines a multivariate polynomial mapping Q( ) over a finite
field F; and a processor, which is configured to extract a first
vector Y of verification values from a message, and to compute over
the first vector, using the private key, a digital signature X
comprising a second vector of signature values such that
application of the mapping to the digital signature gives a third
vector Q(X) of output values such that each output value is equal
to a corresponding element of a vector sum Y+aY.sub.SHIFT over F,
wherein Y.sub.SHIFT is a shifted version of Y, a does not equal
zero, and a.epsilon.F, and to convey the message with the digital
signature to a recipient for authentication using the public
key.
16. The apparatus according to claim 15, and comprising a device
coupled to receive the message with the digital signature, to
extract the first vector Y of the verification values from the
received message, and to authenticate the message by applying the
mapping defined by the public key to find the output values, and
finding a factor a.epsilon.F such that each output value is equal
to the corresponding element of the vector sum Y+aY.sub.SHIFT.
17. The apparatus according to claim 15, wherein the processor is
configured to extract the first vector by applying a predefined
hash function to the message.
18. The apparatus according to claim 15, wherein the multivariate
polynomial mapping is a quadratic mapping.
19. The apparatus according to claim 15, wherein the processor is
configured to compute the digital signature by applying an affine
transform B.sup.-1 to the first vector Y in order to compute an
intermediate vector Z', and applying a univariate polynomial
function P.sup.-1(Z'), corresponding to the multivariate polynomial
mapping, over an extension field of F in order to find the digital
signature in a polynomial representation X'.
20. The apparatus according to claim 19, wherein B comprises a
right-to-left Toeplitz matrix.
21. The apparatus according to claim 19, wherein
P.sup.-1(Z')=(U(T)).sup.dZ'.sup.d, wherein U is a polynomial in the
extension field over a variable T with at least one coefficient
given by the factor a, and d is an exponent, and wherein the
processor is configured to precompute and store respective power
vectors V.sub.a=(U(T)).sup.d for multiple possible factors
a.epsilon.F, and to use the stored power values in order to compute
and test multiple candidate digital signatures X' for a given
exponentiation of Z'.fwdarw.Z'.sup.d.
22. The apparatus according to claim 21, wherein U(T)=(1+aT).
23. The apparatus according to claim 21, wherein the multivariate
polynomial mapping Q( ) comprises at least one additional
constraint not imposed by the univariate polynomial function, and
wherein the processor is configured to test the multiple candidate
digital signatures X' for different power vectors V.sub.a in order
to find the digital signature X that satisfies the at least one
additional constraint.
24. The apparatus according to claim 19, wherein the processor is
configured to set at least one of the values y.sub.i in the first
vector Y so that at least one corresponding intermediate value in
the intermediate vector Z' is zero, and to discard at least one
equation corresponding to the at least one of the values y.sub.i
from the multivariate polynomial mapping Q( ) that is defined by
the public key.
25. Cryptographic apparatus, comprising: a memory, which is
configured to store a predefined public key, which defines a
multivariate polynomial mapping Q( ) over a finite field F; and a
processor, which is configured to receive a message with a digital
signature X, for verification using the public key, to extract a
first vector Y of verification values from the received message, to
apply the multivariate polynomial mapping to the digital signature
so as to find a second vector of output values Q(X), and to
authenticate the message by finding a factor a.epsilon.F such that
each output value is equal to the corresponding element of a vector
sum Y+aY.sub.SHIFT.
26. The apparatus according to claim 25, wherein the processor is
configured to extract the first vector by applying a predefined
hash function to the message.
27. The apparatus according to claim 25, wherein the multivariate
polynomial mapping is a quadratic mapping.
28. The apparatus according to claim 25, wherein the processor is
configured to reject the message if no factor a.epsilon.F can be
found to authenticate the message.
29. A computer software product, comprising a computer-readable
medium in which program instructions are stored, which
instructions, when read by a processor, cause the processor to read
from a memory a private key corresponding to a public key that
defines a multivariate polynomial mapping Q( ) over a finite field
F, to extract a first vector Y of verification values from a
message, to compute over the first vector, using the private key, a
digital signature X comprising a second vector of signature values
such that application of the mapping to the digital signature gives
a third vector Q(X) of output values such that each output value is
equal to a corresponding element of a vector sum Y+aY.sub.SHIFT
over F, wherein Y.sub.SHIFT is a shifted version of Y, a does not
equal zero, and a.epsilon.F, and to convey the message with the
digital signature to a recipient for authentication using the
public key.
30. A computer software product, comprising a computer-readable
medium in which program instructions are stored, which
instructions, when read by a processor, cause the processor to read
from a memory a predefined public key, which defines a multivariate
polynomial mapping Q( ) over a finite field F, to receive a message
with a digital signature X, for verification using the public key,
to extract a first vector Y of verification values from the
received message, to apply the multivariate polynomial mapping to
the digital signature so as to find a second vector of output
values Q(X), and to authenticate the message by finding a factor
a.epsilon.F such that each output value is equal to the
corresponding element of a vector sum Y+aY.sub.SHIFT.
31. A cryptographic method, comprising: providing a public key that
defines a multivariate polynomial mapping Q( ) over a finite field
F; extracting a first vector Y of verification values from a
message; computing over the first vector, using a processor, a
digital signature X comprising a second vector of signature values
such that application of the mapping to the digital signature gives
a third vector Q(X) of output values such that each output value is
equal to a corresponding element of a vector sum Y+aY.sub.SHIFT
over F, wherein Y.sub.SHIFT is a shifted version of Y, and
a.epsilon.F; applying an affine transform B.sup.-1 to the first
vector Y in order to compute an intermediate vector Z'; applying a
univariate polynomial function P.sup.-1(Z'), corresponding to the
multivariate polynomial mapping, over an extension field of F in
order to find the digital signature in a polynomial representation
X'; and conveying the message with the digital signature to a
recipient for authentication using the public key, wherein
P.sup.-1(Z')=(U(T)).sup.dZ'.sup.d, wherein U is a polynomial in the
extension field over a variable T with at least one coefficient
given by the factor a, and d is an exponent, and wherein computing
the digital signature comprises precomputing and storing respective
power vectors V.sub.a=(U(T)).sup.d for multiple possible factors a
.epsilon.F, and using the stored power values in order to compute
and test multiple candidate digital signatures X' for a given
exponentiation of Z'.fwdarw.Z'.sup.d.
32. Cryptographic apparatus, comprising: a memory, which is
configured to store a private key corresponding to a public key
that defines a multivariate polynomial mapping Q( ) over a finite
field F; and a processor, which is configured to extract a first
vector Y of verification values from a message, and to compute over
the first vector, using the private key, a digital signature X
comprising a second vector of signature values such that
application of the mapping to the digital signature gives a third
vector Q(X) of output values such that each output value is equal
to a corresponding element of a vector sum Y+aY.sub.SHIFT over F,
wherein Y.sub.SHIFT is a shifted version of Y, and a.epsilon.F, and
to convey the message with the digital signature to a recipient for
authentication using the public key, wherein the processor is
configured to compute the digital signature by applying an affine
transform B.sup.-1 to the first vector Y in order to compute an
intermediate vector Z', and applying a univariate polynomial
function P.sup.-1(Z'), corresponding to the multivariate polynomial
mapping, over an extension field of F in order to find the digital
signature in a polynomial representation X', wherein
P.sup.-1(Z')=(U(T)).sup.dZ'.sup.d, wherein U is a polynomial in the
extension field over a variable T with at least one coefficient
given by the factor a, and d is an exponent, and wherein the
processor is configured to precompute and store respective power
vectors V.sub.a=(U(T)).sup.d for multiple possible factors
a.epsilon.F, and to use the stored power values in order to compute
and test multiple candidate digital signatures X' for a given
exponentiation of Z'.fwdarw.Z'.sup.d.
Description
FIELD OF THE INVENTION
[0001] The present invention relates generally to methods and
systems of cryptography, and specifically to public-key signature
schemes.
BACKGROUND OF THE INVENTION
[0002] Public-key cryptographic techniques are widely used for
encryption and authentication of electronic documents. Such
techniques use a mathematically-related key pair: a secret private
key and a freely-distributed public key. For authentication, the
sender uses a private key to compute an electronic signature over a
given message, and then transmits the message together with the
signature. The recipient verifies the signature against the message
using the corresponding public key, and thus confirms that the
document originated with the holder of the private key and not an
impostor.
[0003] Commonly-used public-key cryptographic techniques, such as
the Rivest Shamir Adleman (RSA) algorithm, rely on numerical
computations over large finite fields. To ensure security against
cryptanalysis, these techniques require the use of large
signatures, which are costly, in terms of memory and computing
power, to store and compute. These demands can be problematic in
applications such as smart cards, in which computing resources are
limited.
[0004] Various alternative public-key signature schemes have been
developed in order to reduce the resource burden associated with
cryptographic operations. One class of such schemes is based on
solution of multivariate polynomial equations over finite fields.
These schemes can offer enhanced security while operating over
relatively small finite fields. Most attention in this area has
focused on multivariate quadratic (MQ) equations. A useful survey
of work that has been done in this area is presented by Wolf and
Preneel in "Taxonomy of Public Key Schemes Based on the Problem of
Multivariate Quadratic Equations," Cryptology ePrint Archive,
Report 2005/077 (2005), which is incorporated herein by
reference.
SUMMARY
[0005] Embodiments of the present invention that are described
hereinbelow provide a multivariate polynomial scheme for public-key
signature with enhanced computational efficiency.
[0006] There is therefore provided, in accordance with an
embodiment of the present invention, a cryptographic method,
including providing a public key that defines a multivariate
polynomial mapping Q( ) over a finite field F. A first vector Y of
verification values is extracted from a message. A processor
computes over the first vector a digital signature X including a
second vector of signature values such that application of the
mapping to the digital signature gives a third vector Q(X) of
output values such that each output value is equal to a
corresponding element of a vector sum Y+aY.sub.SHIFT over F,
wherein Y.sub.SHIFT is a shifted version of Y, and a .epsilon.F.
The message is conveyed with the digital signature to a recipient
for authentication using the public key.
[0007] In a disclosed embodiment, the method includes receiving the
message with the digital signature, extracting the first vector Y
of the verification values from the received message, and
authenticating the message by applying the mapping defined by the
public key to find the output values, and finding a factor
a.epsilon.F such that each output value is equal to the
corresponding element of the vector sum Y+aY.sub.SHIFT.
[0008] Typically, extracting the first vector includes applying a
predefined hash function to the message, and the multivariate
polynomial mapping is a quadratic mapping.
[0009] In some embodiments, computing the digital signature
includes applying an affine transform B.sup.-1 to the first vector
Y in order to compute an intermediate vector Z', and applying a
univariate polynomial function P.sup.-1 (Z'), corresponding to the
multivariate polynomial mapping, over an extension field of F in
order to find the digital signature in a polynomial representation
X'. Typically, B includes a right-to-left Toeplitz matrix.
[0010] In a disclosed embodiment,
P.sup.-1(Z')=(U(T)).sup.dZ'.sup.d, wherein U is a polynomial in the
extension field over a variable T with at least one coefficient
given by the factor a, and d is an exponent, and wherein computing
the digital signature includes precomputing and storing respective
power vectors V.sub.a=(U(T)).sup.d for multiple possible factors
a.epsilon.F, and using the stored power values in order to compute
and test multiple candidate digital signatures X' for a given
exponentiation of Z'.fwdarw.Z'.sup.d. Typically, U(T)=(1+aT).
Additionally or alternatively, the multivariate polynomial mapping
Q( ) includes at least one additional constraint not imposed by the
univariate polynomial function, and computing the digital signature
includes testing the multiple candidate digital signatures X' for
different power vectors V.sub.a in order to find the digital signature X
that satisfies the at least one additional constraint.
[0011] Further additionally or alternatively, applying the affine
transform includes setting at least one of the values y.sub.i in
the first vector Y so that at least one corresponding intermediate
value in the intermediate vector Z' is zero, and providing the
public key includes discarding at least one equation corresponding
to the at least one of the values y.sub.i from the multivariate
polynomial mapping Q( ) that is defined by the public key.
[0012] There is also provided, in accordance with an embodiment of
the present invention, a cryptographic method, including receiving
a message with a digital signature X, for verification using a
predefined public key, which defines a multivariate polynomial
mapping Q( ) over a finite field F. A first vector Y of
verification values is extracted from the received message. The
multivariate polynomial mapping is applied to the digital signature
so as to find a second vector of output values Q(X). The message is
authenticated by finding a factor a.epsilon.F such that each output
value is equal to the corresponding element of a vector sum
Y+aY.sub.SHIFT.
[0013] Typically, the method includes rejecting the message if no
factor a.epsilon.F can be found to authenticate the message.
[0014] There is additionally provided, in accordance with an
embodiment of the present invention, cryptographic apparatus,
including a memory, which is configured to store a private key
corresponding to a public key that defines a multivariate
polynomial mapping Q( ) over a finite field F. A processor is
configured to extract a first vector Y of verification values from
a message, and to compute over the first vector, using the private
key, a digital signature X including a second vector of signature
values such that application of the mapping to the digital
signature gives a third vector Q(X) of output values such that each
output value is equal to a corresponding element of a vector sum
Y+aY.sub.SHIFT over F, wherein Y.sub.SHIFT is a shifted version of
Y, and a.epsilon.F, and to convey the message with the digital
signature to a recipient for authentication using the public
key.
[0015] In a disclosed embodiment, the apparatus includes a device
coupled to receive the message with the digital signature, to
extract the first vector Y of the verification values from the
received message, and to authenticate the message by applying the
mapping defined by the public key to find the output values, and
finding a factor a.epsilon.F such that each output value is equal
to the corresponding element of the vector sum Y+aY.sub.SHIFT.
[0016] There is further provided, in accordance with an embodiment
of the present invention, cryptographic apparatus, including a
memory, which is configured to store a predefined public key, which
defines a multivariate polynomial mapping Q( ) over a finite field
F. A processor is configured to receive a message with a digital
signature X, for verification using the public key, to extract a
first vector Y of verification values from the received message, to
apply the multivariate polynomial mapping to the digital signature
so as to find a second vector of output values Q(X), and to
authenticate the message by finding a factor a.epsilon.F such that
each output value is equal to the corresponding element of a vector
sum Y+aY.sub.SHIFT.
[0017] There is moreover provided, in accordance with an embodiment
of the present invention, a computer software product, including a
computer-readable medium in which program instructions are stored,
which instructions, when read by a processor, cause the processor
to read from a memory a private key corresponding to a public key
that defines a multivariate polynomial mapping Q( ) over a finite
field F, to extract a first vector Y of verification values from a
message, to compute over the first vector, using the private key, a
digital signature X including a second vector of signature values
such that application of the mapping to the digital signature gives
a third vector Q(X) of output values such that each output value is
equal to a corresponding element of a vector sum Y+aY.sub.SHIFT
over F, wherein Y.sub.SHIFT is a shifted version of Y, and
a.epsilon.F, and to convey the message with the digital signature
to a recipient for authentication using the public key.
[0018] There is furthermore provided, in accordance with an
embodiment of the present invention, a computer software product,
including a computer-readable medium in which program instructions
are stored, which instructions, when read by a processor, cause the
processor to read from a memory a predefined public key, which
defines a multivariate polynomial mapping Q( ) over a finite field
F, to receive a message with a digital signature X, for
verification using the public key, to extract a first vector Y of
verification values from the received message, to apply the
multivariate polynomial mapping to the digital signature so as to
find a second vector of output values Q(X), and to authenticate the
message by finding a factor a.epsilon.F such that each output value
is equal to the corresponding element of a vector sum
Y+aY.sub.SHIFT.
[0019] The present invention will be more fully understood from the
following detailed description of the embodiments thereof, taken
together with the drawings in which:
BRIEF DESCRIPTION OF THE DRAWINGS
[0020] FIG. 1 is a block diagram that schematically illustrates a
data communication system in which messages are authenticated using
a public-key signature, in accordance with an embodiment of the
present invention;
[0021] FIG. 2 is a flow chart that schematically illustrates
components of public- and private-key signature computations, in
accordance with an embodiment of the present invention;
[0022] FIG. 3 is a flow chart that schematically illustrates a
method for computing a digital signature, in accordance with an
embodiment of the present invention; and
[0023] FIG. 4 is a flow chart that schematically illustrates a
method for verifying a digital signature, in accordance with an
embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS
Overview
[0024] Embodiments of the present invention that are described
hereinbelow provide a new public-key signature scheme, using
multivariate polynomial equations, that can be implemented with
relatively low expenditure of computational resources, while still
providing high security against attack. This new scheme can use
relatively short signatures (by comparison with methods that are
currently in common use, such as RSA) and requires less computation
for signature generation than other proposed multivariate
polynomial schemes. The disclosed embodiments are based on
multivariate quadratic equations, but the principles of the present
invention may be extended, mutatis mutandis, to multivariate
polynomial equations of higher order.
[0025] To enable authentication of a message, the sender uses a
private key to generate a digital signature over the message, using
techniques described below. The signature has the form of a vector
of values X=(x.sub.0, . . . , x.sub.n-1) in a finite field F having
p elements.
[0026] To verify the authenticity of the message, the recipient
uses a polynomial mapping, typically having the form of
multivariate quadratic mapping Q( ) over F. This mapping comprises
a set of multivariate quadratic equations Q.sub.0( ), Q.sub.1( ), .
. . , Q.sub.m( ) of the form:
$$Q_i(X)=\sum_{j,k}\gamma_{i,j,k}\,x_j x_k+\sum_{j}\beta_{i,j}\,x_j+\alpha_i$$
The mapping coefficients .gamma..sub.i,j,k, .beta..sub.i,j and
.alpha..sub.i are specified by the public key distributed by the
sender of the message, i.e., the public key specifies the values of
the coefficients that are to be used in the quadratic mapping by
the recipient in authenticating the signature.
[0027] To compute the digital signature, the sender extracts a
vector Y of verification values from the message, typically by
applying a predefined hash function to the message. The sender then
applies a sequence of transformations defined by the sender's
private key to find the signature X. At the core of these
transformations is a univariate polynomial function P(X), as
defined below, corresponding to the multivariate polynomial mapping
that is used in verifying the signature. (As explained in the
above-mentioned article by Wolf and Preneel, there is a direct
correspondence between these univariate and multivariate
representations.) The univariate polynomial function operates over
an extension field of F, whose members can be represented as
polynomials of the form X'=a.sub.0+a.sub.1T+ . . .
+a.sub.n-1T.sup.n-1 in a variable T, and there is an irreducible
polynomial of degree n that operates in a manner equivalent to the
modulus in number fields. (Irreducible polynomials can be found by
choosing polynomials at random and testing for reducibility until
an irreducible polynomial is found, or by selection from published
tables of irreducible polynomials.) The coefficients a.sub.0,
a.sub.1, . . . , a.sub.n-1 correspond to the vector elements of X
in the multivariate representation. In the univariate
representation, P(X)=X.sup.m, wherein m and p.sup.n-1 are
relatively prime, so that P(X) is invertible, and its inverse
P.sup.-1 (X)=X.sup.d for some d.
[0028] In embodiments of the present invention, the private
key-based computation for deriving the signature X of a
verification vector Y is defined such that X=A.sup.-1X', and
X'=P.sup.-1(Z)=Z.sup.d, Z=B.sup.-1Y, and A and B are affine
transforms. Computing the signature X in the polynomial
representation facilitates efficient computation, but this
computation still involves the modular exponentiation Z.sup.d,
which is computationally costly. To protect the set of multivariate
quadratic equations defined by the public key against algebraic
attack, it is desirable to obfuscate the signature computation
still further by adding constraints to the equations in Q( ). As a
result, however, not every possible signature X for a given
verification vector Y will give a valid verification result under
Q(X). To sign a given message, it may thus be necessary to compute
X multiple times for different choices of the intermediate vector
Z, and then to test each X by trial and error until a valid
signature is found.
[0029] To avoid the need to repeat the costly computation of
Z.sup.d for each new trial value of X, the intermediate vector Z is
redefined in embodiments of the present invention as the product
Z=U(T)Z', wherein U(T) is a predefined polynomial. For mathematical
simplicity in the embodiments described below, U(T)=1+aT, a
first-order polynomial, wherein a.epsilon.F, but other,
higher-degree polynomials may similarly be used. The sender
pre-computes and stores power vectors of the form
V.sub.a=(U(T)).sup.d for multiple possible factors a.epsilon.F
(typically for all such possible factors). The exponent
Z.sup.d=(U(T)).sup.dZ'.sup.d=V.sub.aZ'.sup.d, wherein V.sub.a
depends only on the value of a. Therefore, multiple values of
Z.sup.d can be computed and evaluated by performing the
exponentiation Z'.sup.d only once and then multiplying by the
different stored vectors V.sub.a in turn. Thus, the computational
cost of finding a valid signature X, meeting all constraints, is
substantially reduced.
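As an added worked example (not code from the patent), the following toy implementation over F_{p^n} = GF(p)[T]/(f(T)) shows the precomputation described in [0029]: V.sub.a=(1+aT).sup.d is stored for every a in F, and all p values of Z.sup.d are then obtained from a single exponentiation Z'.sup.d. The parameters p = 7, n = 3, f(T) = T^3 + T + 1 and m = 5 are constructed for illustration and are not the patent's.

```python
p, n = 7, 3                      # constructed toy parameters, not the patent's
f = [1, 1, 0, 1]                 # f(T) = T^3 + T + 1, coefficients listed by rising power of T

def is_irreducible_cubic(poly):
    """A cubic over GF(p) is irreducible iff it has no root in GF(p) (the trial test described above)."""
    return all(sum(c * pow(x, i, p) for i, c in enumerate(poly)) % p for x in range(p))

def mul(u, v):
    """Multiply two elements of F_{p^n} (coefficient lists of length n) and reduce modulo f."""
    prod = [0] * (2 * n - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % p
    for k in range(2 * n - 2, n - 1, -1):   # fold T^k (k >= n) via T^n = -(f_0 + ... + f_{n-1} T^{n-1})
        c, prod[k] = prod[k], 0
        for i in range(n):
            prod[k - n + i] = (prod[k - n + i] - c * f[i]) % p
    return prod[:n]

def power(u, e):
    """Square-and-multiply exponentiation in F_{p^n}."""
    result, base = [1] + [0] * (n - 1), u
    while e:
        if e & 1:
            result = mul(result, base)
        base, e = mul(base, base), e >> 1
    return result

ORDER = p ** n - 1               # order of the multiplicative group of F_{p^n}
m = 5                            # P(X) = X^m; gcd(m, ORDER) = 1, so P is invertible ...
d = pow(m, -1, ORDER)            # ... with P^{-1}(Z) = Z^d

def u_poly(a):
    """U(T) = 1 + aT as a field element."""
    return [1, a] + [0] * (n - 2)

V = {a: power(u_poly(a), d) for a in range(p)}   # stored power vectors V_a = (1+aT)^d, one per a in F

def candidate_powers(z_prime):
    """Z^d for every Z = (1+aT) Z', a in F: ONE exponentiation of Z', then p cheap products with V_a."""
    zp_d = power(z_prime, d)
    return {a: mul(V[a], zp_d) for a in range(p)}

def direct_power(z_prime, a):
    """Reference: form Z = (1+aT) Z' explicitly and exponentiate it from scratch."""
    return power(mul(u_poly(a), z_prime), d)
```

The signer's loop calls candidate_powers once per Z' and then tests each entry against the public-key constraints; direct_power is only the reference that confirms the identity.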
[0030] This change in the definition of the intermediate vector
limits the form of the affine transform B and, furthermore, alters
the way in which the signature is authenticated by the recipient of
the message. Thus, in some embodiments of the present invention, B
has the form of a right-to-left (RTL) diagonal Toeplitz matrix, as
defined hereinbelow. The authentication criterion for the digital
signature X is not simply Q(X)=Y, but rather involves a vector sum:
When U(T)=1+aT, a valid signature X satisfies Q(X)=Y+aY.sub.SHIFT,
wherein Y.sub.SHIFT is a shifted version of Y (i.e.,
Q.sub.0(X)=y.sub.0+ay.sub.1; Q.sub.1(X)=y.sub.1+ay.sub.2; and so
forth).
[0031] To authenticate a given message with signature X, the
recipient applies the mapping defined by the public key to find the
output values Q(X). The recipient then evaluates different possible
factors a.epsilon.F by solving the vector sum Y+aY.sub.SHIFT until
it finds the factor a that satisfies Q(X)=Y+aY.sub.SHIFT. The
factor a is therefore referred to hereinbelow as the shift factor.
The evaluation can be carried out simply and efficiently, without
any need to try all a.epsilon.F by brute force. Rather, the
recipient computes an initial value a=(Q.sub.0-Y.sub.0)/Y.sub.1 or
a=0 if Y.sub.1=0 and then verifies that this value satisfies the
remaining equations. If a valid factor a is found, the recipient
accepts the message as authentic; otherwise, the message is
rejected.
System Description and Operation
[0032] FIG. 1 is a block diagram that schematically illustrates a
data communication system 20 using the sort of digital signature
scheme that is described above, in accordance with an embodiment of
the present invention. System 20 is shown and described here for
the sake of example, to illustrate a typical configuration in which
such digital signatures may be used, but is not meant to limit the
application of such signatures to this sort of context.
[0033] In the pictured embodiment, a computer, such as a server 22,
transmits data over a network 26 to a receiving device 24. Device
24 may comprise a media player, for example, either fixed or
mobile, which comprises an embedded processor or has a plug-in
smart card or key. Such devices typically have limited memory and
computational resources, making the low resource demands of the
present digital signature technique particularly attractive.
Alternatively, the recipient of the data may be a general-purpose
computer or other computing device.
[0034] Before beginning media transmission, server 22 and device 24
conduct an authentication procedure, which may include transmission
of one or more authentication frames 34. This procedure may be
repeated subsequently if desired. In the example shown in the
figure, a processor 28 in server 22 generates a message 36 for
transmission to device 24. Processor 28 computes a signature 40,
denoted X, over message 36 using a private key 38 that is stored in
a memory 30. The signature is computed using a shift factor a, as
defined above. The server then transmits frame 34, comprising
message 36 and signature 40, via an interface 32 over network 26 to
device 24.
[0035] A processor 42 associated with device 24 receives frame 34
via an interface 44. Processor 42 sets up a quadratic mapping Q( )
using a public multivariate quadratic (MQ) key 48 that is stored in
a memory 46. This key may be preinstalled in memory 46, or it may
be downloaded to device 24 from server 22 or from another trusted
source. Processor 42 applies the quadratic mapping to signature 40,
giving Q(X), and compares the resulting output values to a
verification vector, denoted Y, derived from message 36. If
processor 42 is able to find a value a.epsilon.F satisfying Q
(X)=Y+aY.sub.SHIFT, it authenticates the message as having
originated from server 22, and media transmission proceeds. As
noted above, for this purpose the processor computes an initial
value a=(Q.sub.0-Y.sub.0)/Y.sub.1 and then verifies that this value
satisfies the remaining equations.
[0036] Typically, processor 28, and possibly processor 42, as well,
comprise general-purpose computer processors, which are programmed
in software to carry out the functions that are described herein.
This software may be downloaded to either of the processors in
electronic form, over a network, for example. Alternatively or
additionally, the software may be provided on tangible,
non-transitory storage media, such as optical, magnetic, or
electronic memory media. Further alternatively or additionally,
some or all of these processing functions may be performed by
special-purpose or programmable digital logic circuits.
[0037] As noted above, FIG. 1 shows a certain operational
configuration in which the signature scheme described herein may be
applied. This same scheme may be applied in signing not only
authentication frames transmitted over a network, but also in
signing documents and files of other types, whether transmitted or
locally stored. For the sake of convenience and clarity, the
embodiments and claims in this patent application refer to
computation of a signature over a message, but the term "message"
should be understood, in the context of the present patent
application and in the claims, as referring to any sort of data
that is amenable to signature by the present scheme.
Methods of Computation and Authentication
[0038] FIG. 2 is a flow chart that schematically illustrates
components of public- and private-key signature computations, in
accordance with an embodiment of the present invention. The chart
includes a public key-based computation 50 and a private key-based
computation 52, both of which take a signature vector 56, denoted
X=(x.sub.0, . . . , x.sub.n-1), into a verification vector 54,
denoted Y=(y.sub.0, . . . , y.sub.n-1). Although the signature and
verification vectors are represented, for the sake of convenience,
as having length n, they may alternatively be of different
lengths.
[0039] Public key-based computation 50, which is conducted by the
recipient of the signed message (such as device 24), uses the
multivariate quadratic mapping Q( ), which is defined by the public
key, along with the shift factor a, to verify that
Q(X)=Y+aY.sub.SHIFT. As noted earlier, Y.sub.SHIFT=(y.sub.1,
y.sub.2, . . . ) contains the elements of Y shifted over one
element. In other words, the public key-based computation verifies
that:
$$
\begin{aligned}
Q_0(X) &= y_0 + a\,y_1 \\
Q_1(X) &= y_1 + a\,y_2 \\
&\;\;\vdots \\
Q_{n-3}(X) &= y_{n-3} + a\,y_{n-2}
\end{aligned}
$$
Q.sub.n-1 is undefined, and Q.sub.n-2(X)=y.sub.n-2+ay.sub.n-1 is
also omitted from the public key to avoid revealing the value of
y.sub.n-1 (which could otherwise create a security problem because
of the manner in which X is computed using the private key, as
explained below). Inversion of this sort of mapping is
computationally hard, thus providing security against attack.
[0040] The security of the signature scheme against algebraic
attack may be further enhanced by altering the mapping that is
defined by the public key. For this purpose, certain equations in
Q( ) may be perturbed; additional equations (besides Q.sub.n-1 and
Q.sub.n-2) may be discarded; equations may be rewritten over a
reduced input space; or different schemes may be combined. Such
measures are described, for example, by Clough et al., in "Square,
a New Multivariate Encryption Scheme," Topics in Cryptology--CT-RSA
2009 (LNCS 5473), pages 252-264, which is incorporated herein by
reference.
[0041] Private key-based computation 52 includes a first affine
transform 58, having the form of a matrix A, which transforms X
into a vector X'. A univariate polynomial function 60, denoted P( )
operates on the polynomial representation of X' to generate the
intermediate vector Z'=(z'.sub.0, . . . , z'.sub.n-1), with
z'.sub.n-1=0, in the polynomial form P(X')=(1+aT)Z'. A further
affine transform 62, given by a matrix B, transforms Z' into Y. The
signer of a message (such as server 22) performs the inverse steps:
B.sup.-1, P.sup.-1, A.sup.-1, to derive the signature X from Y. (In
contrast to the multivariate quadratic mapping defined by the
public key, each of the steps in the private key-based computation
is easily inverted.) The inverse function P.sup.-1
(Z)=Z.sup.d=(1+aT).sup.dZ'.sup.d, as noted above.
[0042] When the public key-based mapping Q( ) is altered, as
explained above, it imposes additional constraints to be applied by
public key-based computation 50. In this case, not every X that
results from inverting the elements of private key-based
computation 52 will satisfy the public-key based mapping. To deal
with this limitation, the signer typically tests each value of X to
verify that it satisfies the public-key based mapping, and discards
unsuitable values until a satisfying signature is found.
[0043] FIG. 3 is a flow chart that schematically illustrates a
method for computing the digital signature X, in accordance with an
embodiment of the present invention. The method comprises two
parts: a preliminary computation 70, which can be performed in
advance, before there is a message to be signed; and an in-line
computation 72, performed over each message. For clarity of
description, the method will be described with reference to the
components of server 22 (FIG. 1).
[0044] The private key to be used by server 22 defines the
polynomial function P( ) at a private function definition step 74.
As explained above, this function is defined such that
P.sup.-1(Z)=Z.sup.d, and Z=(1+aT)Z'. This definition of Z mandates
that the affine transform matrix B have a right-to-left (RTL)
diagonal Toeplitz form, meaning that each row is a copy of the row
above it, but shifted one place to the left:
$$
B = \begin{pmatrix}
b_0 & b_1 & b_2 & \cdots & b_{n-1} \\
b_1 & b_2 & b_3 & \cdots & b_n \\
b_2 & b_3 & b_4 & \cdots & b_{n+1} \\
b_3 & b_4 & b_5 & \cdots & b_{n+2} \\
\vdots & \vdots & \vdots & & \vdots
\end{pmatrix}
$$
This matrix and the matrix A, are components of the private key,
which are defined at a matrix definition step 76.
[0045] Processor 28 uses these private key elements together in
computing the public key that defines the coefficients of the
multivariate quadratic mapping Q( ) at a public key computation
step 78. (Details of this computation are presented, for example,
by Wolf and Preneel.) The public key may be transmitted over
network 26 or otherwise conveyed to device 24. The elements of the
private key are stored by processor 28 in memory 30. As explained
above, processor 28 also computes and stores the set of vectors
V.sub.a=(1+aT).sup.d for all values of the shift factor a in the
finite field F, at a vector pre-computation step 80.
[0046] In-line computation 72 typically begins when processor 28
receives a message for signature, at a message input 82. The
processor extracts a verification vector Y, of length n, from the
message, typically using a predefined hash function, at a hash
computation step 84. Any suitable hash function that is known in
the art may be used at this step. Because the last public-key
equation, Q.sub.n-1( ), has been discarded, however, the most
significant element of Y, y.sub.n-1, is actually a free variable
and may be set to any desired value in F for the purpose of
calculating the signature X.
[0047] Therefore, processor 28 chooses y.sub.n-1 so as to generate
Z'=B.sup.-1Y such that z'.sub.n-1=0 (i.e., the most significant
element of Z', seen as a polynomial, is zero), at an intermediate
vector computation step 86. The processor then uses the stored
vectors V.sub.a in order to find a vector X' satisfying the
polynomial relation P(X')=(1+aT)Z', at a polynomial inversion step
88. As noted earlier, the processor finds multiple candidate values
W.sub.a of X' by performing a single exponentiation, Z'.sup.d, and
multiplying the result by V.sub.a: W.sub.a=V.sub.aZ'.sup.d.
Processor 28 tests each candidate W.sub.a to ascertain whether it
meets the additional constraints (such as (W.sub.a).sub.0=0) that
have been incorporated in the public key-based computation Q(X).
Upon finding a suitable candidate, the processor computes and
outputs the actual signature, X=A.sup.-1X', at a signature output
step 90.
[0048] If no suitable candidate is found at step 88, the processor
may return to step 84 and take a different Y (by adding a dummy
field to the message, for example, so that the hash result will be
different). The processor then repeats steps 86 and 88 until it
finds a valid signature.
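An added example (not the patent's code) of steps 76 and 86: building the RTL diagonal Toeplitz matrix B from private values b.sub.0, . . . , b.sub.2n-2 and choosing the free element y.sub.n-1 so that Z'=B.sup.-1Y has z'.sub.n-1=0. The field GF(7), n = 3, the values b.sub.i and the hashed elements y.sub.0, y.sub.1 are constructed; the hash function and the matrix A are left out.

```python
p = 7                             # constructed toy field GF(p), not the patent's parameters

def rtl_toeplitz(b, n):
    """B from the private values b_0 .. b_{2n-2}: row i is row i-1 shifted one place to the left."""
    return [[b[i + j] % p for j in range(n)] for i in range(n)]

def solve_mod_p(A, rhs):
    """Solve A x = rhs over GF(p) by Gauss-Jordan elimination; None if A is singular."""
    k = len(A)
    M = [row[:] + [r] for row, r in zip(A, rhs)]
    for col in range(k):
        piv = next((r for r in range(col, k) if M[r][col] % p), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [(v * inv) % p for v in M[col]]
        for r in range(k):
            if r != col and M[r][col] % p:
                factor = M[r][col]
                M[r] = [(vr - factor * vc) % p for vr, vc in zip(M[r], M[col])]
    return [row[k] for row in M]

def mat_vec(B, v):
    """B v over GF(p)."""
    return [sum(c * x for c, x in zip(row, v)) % p for row in B]

def choose_free_element(B, y_head):
    """Given the hashed elements y_0 .. y_{n-2}, pick y_{n-1} so that Z' = B^{-1} Y has z'_{n-1} = 0.

    z'_{n-1} = 0 means Y lies in the span of the first n-1 columns of B, so the leading
    (n-1)x(n-1) block fixes z'_0 .. z'_{n-2} and the last row of B then dictates y_{n-1}.
    Returns (Y, Z'), or None if that leading block happens to be singular (an assumption
    of this toy, not a rule stated by the patent)."""
    n = len(B)
    head = solve_mod_p([row[:n - 1] for row in B[:n - 1]], y_head)
    if head is None:
        return None
    z_prime = head + [0]
    y_last = sum(c * z for c, z in zip(B[n - 1], z_prime)) % p
    return y_head + [y_last], z_prime

# Constructed private values and hash output for n = 3.
B = rtl_toeplitz([1, 0, 2, 3, 1], 3)
Y, Z_PRIME = choose_free_element(B, [4, 5])
```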
[0049] FIG. 4 is a flow chart that schematically illustrates a
method used by device 24 to verify the digital signature of a
message, in accordance with an embodiment of the present invention.
(Again, the method is described with reference to the elements of
system 20, in FIG. 1, solely for the sake of clarity, and not
limitation.) The method is initiated when device 24 receives a
message with a signature X, at a message reception step 100.
Processor 42 computes the verification vector Y using the same
predefined hash function as was used in generating the signature,
at a hash computation step 102. The processor uses the public key
of server 22 that is stored in memory 46 to set up and compute the
output values of the multivariate quadratic mapping Q(X), at a
mapping computation step 104.
[0050] Processor 42 compares the vector of output values of Q(X) to
the vector sum Y+aY.sub.SHIFT for each of the possible values of
the shift factor a in F, at an output comparison step 106.
Specifically, the processor computes an initial value
a=(Q.sub.0-Y.sub.0)/Y.sub.1 or a=0 if Y.sub.1=0 and then verifies
that this value satisfies the remaining equations. The comparison
is thus simple and typically requires only a small number of
multiplications and additions to check whether the initial value of
a is valid. If the processor finds a shift factor that gives a
solution, Q(X)=Y+aY.sub.SHIFT, it accepts the message as authentic,
at a message verification step 108. Otherwise, the processor
considers the message to be suspect, and takes appropriate action,
at a message rejection step 110.
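The recipient's check of [0031] and [0050], as an added example that is not part of the patent: recover the shift factor from the first public equation, then confirm the remaining ones. The prime field GF(7), the length n = 6 and the sample vectors are constructed; the values of Q(X) are taken as given, since evaluating the MQ public key itself is not shown here.

```python
p = 7                                   # constructed toy field GF(p), not the patent's parameters

def recover_shift_factor(q, y):
    """a = (Q_0 - y_0) / y_1, or a = 0 when y_1 = 0, as the text prescribes.

    When y_1 = 0 the first equation carries no information about a, which is why
    the rule falls back to a = 0 and leaves the remaining equations to decide."""
    if y[1] % p == 0:
        return 0
    return ((q[0] - y[0]) * pow(y[1], -1, p)) % p

def verify(q, y):
    """Return the shift factor a if Q_i = y_i + a*y_{i+1} holds for every published equation i, else None.

    q has n-2 entries (Q_{n-2} and Q_{n-1} are withheld from the public key);
    y has n entries, so y_{n-1} is never consulted by the recipient."""
    if len(q) != len(y) - 2:
        return None
    a = recover_shift_factor(q, y)
    for i, qi in enumerate(q):
        if (y[i] + a * y[i + 1]) % p != qi % p:
            return None
    return a

def shifted_sum(y, a):
    """Y + a*Y_SHIFT restricted to the published equations: what an honest Q(X) must equal."""
    return [(y[i] + a * y[i + 1]) % p for i in range(len(y) - 2)]

# Constructed sample: n = 6, the signer used shift factor a = 3.
y = [4, 2, 6, 1, 5, 3]
q_good = shifted_sum(y, 3)              # output values an honest Q(X) would produce
q_bad = q_good[:]                       # same values with one output tampered
q_bad[2] = (q_bad[2] + 1) % p
```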
[0051] It will be appreciated that the embodiments described above
are cited by way of example, and that the present invention is not
limited to what has been particularly shown and described
hereinabove. Rather, the scope of the present invention includes
both combinations and subcombinations of the various features
described hereinabove, as well as variations and modifications
thereof which would occur to persons skilled in the art upon
reading the foregoing description and which are not disclosed in
the prior art.
* * * * *