1. Introduction
Over the past few years, the development of practical digital signature (DS) and public-key encryption algorithms suitable as the basis of post-quantum cryptographic standards has attracted special attention from the global cryptographic community [1,2], which has actively participated in the worldwide competition for post-quantum standard algorithms announced by the US National Institute of Standards and Technology (NIST) for the period 2017–2024 [3,4] in the following two categories:
- (1) post-quantum algorithms for public-key encryption and key encapsulation;
- (2) post-quantum digital signature (DS) algorithms.
Currently, work on the NIST post-quantum project and the associated NIST competition is in its final stages. Based on the preliminary results, it can be concluded that post-quantum cryptographic algorithms (including those selected to define post-quantum cryptographic standards) are significantly inferior to their counterparts based on the factorization problem (FP) and the discrete logarithm problem (DLP): because of the much larger sizes of the signature and of the public and secret keys, the known post-quantum public-key algorithms are less practical. Apparently, this is an objective fact that has to be accepted, since the security of the algorithms used takes precedence over other application aspects (public-key algorithms based on FP and DLP are not resistant to attacks using a quantum computer [5,6]). The remaining question is how to minimize the size of these parameters and the complexity of the hardware implementation while maintaining sufficiently high performance.
Thus, post-quantum cryptography should be based on computationally hard problems other than DLP and FP. For example, post-quantum public-key cryptographic algorithms on groups [7], algebraic lattices [8], codes [9], and hash functions [10] have been proposed.
One attractive approach to developing post-quantum public-key algorithms exploits the computational complexity of solving large systems of power equations (systems of multivariate polynomial equations over a finite field) [11,12]. Cryptographic algorithms based on this problem belong to the field of multivariate public-key cryptography (MPC) [13]. No efficient quantum algorithm is known for solving systems of power equations with many unknowns, so MPC algorithms are considered resistant to quantum attacks [14]. MPC algorithms have fairly high performance and a small signature size and are promising for practical use in the coming post-quantum era [15]. However, the known MPC algorithms have a significant drawback for practical use: the very large size of the public key.
For the development of practical post-quantum DS schemes, algebraic algorithms on finite non-commutative associative algebras (FNAA) with a hidden group, whose security is based on the computational complexity of solving large systems of quadratic equations [16], are of great interest. A common feature of these algorithms is the repeated inclusion of the signature fitting element in the signature verification formula; for example, double [16], triple, and quadruple [17] inclusion. Four-dimensional and six-dimensional FNAAs are considered as the algebraic support of these DS algorithms, and implementation on FNAAs of higher dimension is suggested as a possibility [17].
This paper shows that the reappearance of the signature in the verification equation is due to its generation by a typical mathematical formula, which causes limited randomization of the signature and reduces the security level below the estimate obtained for a direct attack (computing the secret-key elements from the public-key elements). To eliminate this general drawback, a method for ensuring complete signature randomization in hidden-group algorithms based on the complexity of solving large systems of power equations is proposed, and a specific algorithm implementing the method is developed.
2. The FNAA Used
Let us assume that in a finite m-dimensional vector space (with the two standard operations: vector addition and scalar multiplication) given over a Galois finite field , the operation of vector multiplication (i.e., multiplication of a vector by a vector) is defined so that it is closed and distributive on the left and on the right with respect to the addition operation. Such an algebraic structure is called a finite m-dimensional algebra. The multiplication of the vectors and , where are formal basis vectors, is usually given by the following formula:
where, instead of all possible products of pairs of basis vectors , one-component vectors of the form , where (in particular, the basis vectors ), are substituted in accordance with some basis vector multiplication table (BVMT); namely, the expression is replaced by the one-component vector contained in the BVMT cell at the intersection of the ith row and the jth column.
For a BVMT of arbitrary type, the vector multiplication operation defined in this way possesses the properties of closure and of right and left distributivity; however, the algebraic signature schemes [16,17] use exponentiation to a large exponent (from 80 to 256 bits), which can be carried out in acceptable time only if the fast exponentiation algorithm based on sequential squaring (square-and-multiply) is applicable. This is the case if the vector multiplication operation is associative. For this reason, FNAAs are considered as the algebraic support of algorithms with a hidden group. For estimating the security of DS algorithms with a hidden group, knowledge of the structure of the FNAA (as a decomposition into a set of commutative subalgebras) is very useful. The structure of FNAAs is sufficiently well studied only for the four-dimensional case.
In view of the latter, we will assume that the version of the algorithms [16,17] under consideration uses a four-dimensional FNAA as its algebraic support. The study of the structure of four-dimensional FNAAs showed that they have a similar structure regardless of the type of BVMT defining the multiplication operation. For example, the structure of the FNAAs defined by sparse BVMTs was studied in [18]. Because of this common structure, the security estimates obtained below apply to the different FNAAs used as algebraic support. For definiteness, we will assume the use of the FNAA with vector multiplication defined by the BVMT from [18], presented in Table 1. Such definiteness is required to describe the set of all elements of a given commutative subalgebra through the coordinates of some representative of this subalgebra by means of a specific formula.
Below we use the following terms: group, hidden group, subalgebra, and scalar vector.
By the term “group” we mean a set of vectors that is closed under the vector multiplication operation and contains a unit element with respect to which all elements of the set are invertible.
By the term “hidden group” we mean a group contained in the considered algebra whose minimum generator system is used as a secret element (an element of the secret key).
By the term “subalgebra” we mean a subset of vectors of the considered algebra that is closed under addition and vector multiplication, i.e., forms a ring.
By the term “scalar vector” we mean a vector , where E is the unit element (global two-sided unit) and is a scalar value, i.e.,
The general properties of the structure of four-dimensional FNAA are the following:
1. The four-dimensional FNAA contains a number of commutative subalgebras of order that pairwise intersect exactly in the set of scalar vectors.
2. The commutative subalgebras are of the following three types.
2.1. Subalgebras containing a multiplicative group with a cyclic structure and order . Since an element of order of this multiplicative group generates different non-zero vectors, the group is cyclic and the subalgebra is a Galois field of order . Taking into account that all Galois fields of the same order are isomorphic, one can state that the subalgebras of this type are isomorphic to the field . The number of such subalgebras is equal to
2.2. Subalgebras containing a multiplicative group with a two-dimensional cyclic structure and order , i.e., generated by two generators, each of which has order . Every subalgebra of this type contains irreversible vectors, and the number of subalgebras of this type is .
2.3. Subalgebras containing a multiplicative group with a cyclic structure and order . The number of such subalgebras is .
3. All elements of a given commutative subalgebra can be described as a set of vectors V whose coordinates are expressed through the coordinates of some vector C (that is not a scalar vector) contained in the subalgebra and a pair of scalar variables
In particular, for the FNAA defined by Table 1, all elements of a subalgebra containing a multiplicative group of the type are described through the coordinates of the vector by the following formula [18]:
In the algorithms from [16,17], the FNAA is defined over the field with characteristic where q is a prime of sufficiently large size.
3. Limited Randomization and Attack Based on Known Signatures
In the algebraic algorithms [16,17], the DS includes a randomizing part in the form of one or more natural numbers and a fitting part represented by the fitting vector Since the concatenation of several natural numbers can be represented as a single number of larger size, for all these DS algorithms the signature can be represented as a pair of values where e is a natural number that plays the role of the randomizing parameter. The use of verification equations with multiple occurrences of the fitting element leads to a standard formula for calculating the fitting element in the algorithms [16,17], which has the form
in which the natural exponents n and d are calculated beforehand (depending on the value of e and some other hidden randomization parameters), and the vectors A, B, G, and H are fixed secret vectors that are part of the secret key associated with the public key; the vectors G and H have the same order q and compose a minimum system of generators of the hidden commutative group (which is a subgroup of order of a multiplicative group of the type of some commutative subalgebra contained in the four-dimensional FNAA used as the algebraic support of the DS algorithm).
Note that the vector takes only values from the hidden group. Because the natural values n and d are unique to each signature and depend on the signature randomization parameters, the value is generally unique for each signature; however, the number of such vector values does not exceed (the order of the hidden group). Because of the left and right multipliers (which do not commute, i.e., ), the vector S takes random values from the entire FNAA, but no more than different values, whereas the FNAA contains different four-dimensional vectors.
Thus, the fitting element S of the signature takes only a very small fraction of the values in the FNAA, i.e., the randomization of the DS in the algorithms [16,17] is incomplete and, indeed, significantly limited. Incomplete signature randomization may cause a potential vulnerability to attacks using known signatures, which can be implemented as follows.
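As an added example (not code from this paper or from [16,17,18]), the following Python sketch implements an m-dimensional algebra over GF(p) from a BVMT as described in Section 2, performs the associativity check on which the fast exponentiation of the signature schemes depends, and then illustrates the observation of Section 3 that with fixed left and right multipliers the fitting element S = A X B ranges over no more vectors than the hidden group has, however the exponents are chosen. Everything in it is an assumption made for illustration: the paper's Table 1 is not reproduced on this page, so a quaternion-type table (e1^2 = e2^2 = e3^2 = -E, e1 e2 = e3 = -e2 e1, and so on) stands in for it; the primes are toy sizes; the two-dimensional commutative subalgebra spanned by E and e1 stands in for the hidden commutative group of Formula (2); and a second, deliberately non-associative table is constructed so that the check has something to reject.

```python
"""Finite algebra over GF(p) defined by a basis vector multiplication table (BVMT).
Added example: a quaternion-type table is assumed in place of the paper's Table 1."""
from itertools import product

# Constructed BVMT (assumption; the paper's Table 1 is not reproduced here):
# cell [i][j] = (k, lam) encodes e_i * e_j = lam * e_k, a one-component vector.
# e0 is the two-sided unit E; e1^2 = e2^2 = e3^2 = -E, e1*e2 = e3 = -e2*e1, etc.
QUATERNION_BVMT = (
    ((0, 1), (1, 1), (2, 1), (3, 1)),
    ((1, 1), (0, -1), (3, 1), (2, -1)),
    ((2, 1), (3, -1), (0, -1), (1, 1)),
    ((3, 1), (2, 1), (1, -1), (0, -1)),
)
# Same table with one cell altered (e1*e1 = +E): constructed so that the
# associativity check has a table to reject. (e1 e1) e2 = e2 but e1 (e1 e2) = -e2.
NON_ASSOCIATIVE_BVMT = tuple(
    tuple((0, 1) if (i, j) == (1, 1) else c for j, c in enumerate(row))
    for i, row in enumerate(QUATERNION_BVMT)
)


class FiniteAlgebra:
    """m-dimensional algebra over GF(p); vectors are tuples of m coordinates."""

    def __init__(self, p, bvmt):
        self.p, self.bvmt, self.m = p, bvmt, len(bvmt)
        self.associative = self._check_associative()

    def basis(self, i):
        return tuple(int(j == i) for j in range(self.m))

    def scalar(self, lam):
        """Scalar vector lam*E (E = e0 for the tables above)."""
        return (lam % self.p,) + (0,) * (self.m - 1)

    def mul(self, a, b):
        """Vector product: expand a*b bilinearly, replace each e_i*e_j by its BVMT cell."""
        r = [0] * self.m
        for i, j in product(range(self.m), repeat=2):
            k, lam = self.bvmt[i][j]
            r[k] = (r[k] + a[i] * b[j] * lam) % self.p
        return tuple(r)

    def _check_associative(self):
        """By bilinearity, (e_i e_j) e_k == e_i (e_j e_k) on the basis is sufficient."""
        e = [self.basis(i) for i in range(self.m)]
        return all(
            self.mul(self.mul(e[i], e[j]), e[k]) == self.mul(e[i], self.mul(e[j], e[k]))
            for i, j, k in product(range(self.m), repeat=3)
        )

    def power(self, a, n):
        """Square-and-multiply; valid only if the table is associative."""
        if not self.associative:
            raise ValueError("BVMT is not associative: fast exponentiation is undefined")
        result, base = self.scalar(1), a
        while n:
            if n & 1:
                result = self.mul(result, base)
            base = self.mul(base, base)
            n >>= 1
        return result

    def inverse(self, a):
        """Solve L_a x = E by Gauss-Jordan over GF(p), L_a being the matrix of left
        multiplication by a; returns None when a is an irreversible vector."""
        m, p = self.m, self.p
        cols = [self.mul(a, self.basis(j)) for j in range(m)]
        rows = [[cols[j][i] for j in range(m)] + [int(i == 0)] for i in range(m)]
        for c in range(m):
            piv = next((r for r in range(c, m) if rows[r][c]), None)
            if piv is None:
                return None
            rows[c], rows[piv] = rows[piv], rows[c]
            inv = pow(rows[c][c], -1, p)
            rows[c] = [(x * inv) % p for x in rows[c]]
            for r in range(m):
                if r != c and rows[r][c]:
                    f = rows[r][c]
                    rows[r] = [(x - f * y) % p for x, y in zip(rows[r], rows[c])]
        return tuple(rows[i][m] for i in range(m))


def commutative_unit_group(alg, c):
    """All invertible vectors u*E + v*c of the subalgebra spanned by E and c
    (closed under multiplication when c^2 lies in that span, as for c = e1);
    a toy stand-in for the hidden group described by Formula (2)."""
    E = alg.scalar(1)
    group = []
    for u, v in product(range(alg.p), repeat=2):
        x = tuple((u * ei + v * ci) % alg.p for ei, ci in zip(E, c))
        if alg.inverse(x) is not None:
            group.append(x)
    return group


def fitting_element_values(alg, A, B, hidden_group):
    """Section 3: with A, B fixed, S = A * X * B takes at most |hidden_group|
    distinct values no matter how the exponents selecting X are randomised."""
    return {alg.mul(alg.mul(A, X), B) for X in hidden_group}
```

Over GF(7) the subalgebra spanned by E and e1 has 48 invertible elements forming a cyclic group (the type of item 2.1 above); over GF(13) it has 144 = 12^2 of them with a two-dimensional cyclic structure (the type of item 2.2), and fitting_element_values then returns exactly 144 vectors out of the 13^4 in the algebra, which is the limited-randomization effect described in this section. The associativity check is what decides whether power may be used at all; with the altered table it refuses, because square-and-multiply silently computes a wrong value in a non-associative algebra.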
Let there be some set of z known authentic signatures. The fitting element of each ith signature was calculated using Formula (3). Moreover, the vector fixator of the ith signature, which was calculated during signature generation from random natural values and according to the formula
where the vector F is an element of the secret key (in a particular case, F is equal to the secret element A from Formula (3)), can be recovered from the ith signature and the DS verification equation. Thus, two vector equations of the forms (3) and (4) are associated with each signature, in which the unknowns are the vectors A, B, F (each of which contributes four scalar unknowns, its coordinates), , and In this case, the values of the latter two always belong to the hidden group and can be expressed using Formula (2) through a given representative of the hidden group. Taking C as an unknown common to all signatures, the unknown values and for each signature can be expressed through two different pairs of scalar unknowns Thus, each of the z known genuine signatures yields, according to Formulas (3) and (4), two vector quadratic equations
which, using Formula (2), are reduced to 8 cubic scalar equations with 16 fixed scalar unknowns (i.e., common to all known signatures and being the coordinates of the secret vectors A, B, F, and C) and 4 unique scalar unknowns. For z known authentic signatures, we have a system of power equations with scalar unknowns. From the condition of equality of the number of equations and the number of unknowns, we obtain the equation
from which we determine a presumably sufficient number of known signatures for calculating the secret values of A, B, and F:
The last value sets the number of equations and unknowns in the solved system of cubic equations equal to 32. With this number of power equations in the system, the computational complexity of its solution is quite high. However, the unknown F can be found by solving only the equations obtained from Formula (4), i.e., the vector equations of the form
For z known signatures, we obtain scalar equations with 8 fixed scalar unknowns (the coordinates of the vectors F and C) and unique scalar unknowns. From the equation
we find the value , which gives the number of known signatures for which the number of unknowns equals the number of equations in the system. The last value is
The computational complexity of solving systems of power equations with such a number of equations and unknowns is quite low, and the attack using known signatures can be considered practically feasible.
The unknowns A and B can be found by solving only the equations obtained from Formula (3), i.e., the vector equations of the form
In this case, for z known signatures, we obtain scalar equations with 12 fixed scalar unknowns (the coordinates of the vectors A, B, and C) and unique scalar unknowns. From the equation
we find the value , which gives the number of known signatures for which the number of unknowns equals the number of equations in the system. The last value is . This variant of the attack based on known signatures is also potentially feasible in practice.
The last two attacks significantly reduce the expected security level of the algorithms [16,17] obtained from estimates of the computational complexity of solving the system of equations connecting the elements of the secret key with the elements of the public key (the latter system has 12 more scalar unknowns). The considered variants of the attack based on known signatures show that the limited randomization of the signature in the known algebraic DS algorithms with a hidden group, based on the computational difficulty of solving systems of power equations, can be exploited fairly effectively, and that developing a method for ensuring complete randomization in algorithms of this type is relevant.
4. A Way to Ensure Complete Randomization of the Signature
By completeness of the signature randomization we understand the potential possibility of obtaining any invertible vector as the value of the fitting element To achieve this, it seems reasonable to include in Formula (3) a multiplier in the form of a uniformly random invertible vector V, selected from the set of all invertible elements of the FNAA used as the algebraic support of the DS scheme. We propose to calculate the fitting element S by a formula of the following form:
where D is a secret invertible vector (an element of the secret key).
However, the presence of the random multiplier V makes it impossible to use verification equations with multiple occurrences of S, so other methods are needed to prevent the use of the value of S as a fitting parameter for forging a DS. We propose using a doubled signature verification equation. By “doubling the verification equation” we mean using two similar verification equations, in each of which the fitting element of the signature appears once.
The use of the doubled DS verification equation implies the formation of two random vector fixators (from their values and the document, the randomizing element of the signature is calculated), whose values are recovered during the signature verification procedure by means of a correctly calculated fitting element The required value of S can be obtained using formulas for generating the vector fixators that are consistent with Formula (5) and with the verification equations. The following two formulas have been developed for this purpose:
in which the pre-generation of random natural numbers , , , , and a random invertible vector V is assumed, as well as the pre-calculation of the value of the hash function (where denotes the concatenation operation) from the signed document M, the hash value being represented as the concatenation of two bit strings of the same size (treated as natural numbers). The vector J has order (i.e., it is a generator of a multiplicative group of the type) and is a common parameter for all users of the DS algorithm. The purpose of using the different multipliers and in the first and second formulas of (6) is to prevent the use of the element S as a fitting parameter in a signature-forging attack (calculating a signature from the verification equations without knowing the secret key).
Using the pair of fixed Formulas (5) and (6), one can develop various versions of the verification equations, specifying various variants of algebraic DS schemes based on the computational difficulty of solving large systems of power equations. However, for all such algorithms, the complexity of the attack based on known signatures is the same for a given value of the characteristic of the field over which the four-dimensional FNAA serving as algebraic support is defined; this is predetermined by fixing Formulas (5) and (6). Let us estimate the computational complexity of this attack as the complexity of solving the arising system of power equations, the latter being estimated by the number of equations and unknowns in the system.
Since the smallest number of equations arises when the fixed unknown parameters are calculated separately (obviously, the separation of variables is not applicable to the unique unknowns), first consider the option of constructing a system of equations for z different genuine signatures using the pair of Equations (6). It is easy to establish that in this version of the attack we have scalar equations, 12 fixed scalar unknowns (associated with the unknown vectors A, F, and C, where C is a representative of the hidden group) and unique scalar unknowns (uniqueness is understood in the sense that they relate to only one pair of vector Equations (6)). For any value of z, the number of unknowns exceeds the number of equations by 12. The underdeterminacy of the arising system shows that a small number of solutions, if possible at all, can be obtained only for very large values of
A similar situation occurs with other attempts to construct a system of equations using one or two formulas from Formulas (5) and (6).
Thus, the most effective attack option based on known signatures seems to be the construction of a system based on the triple of Equations (5) and (6) and its subsequent solution. In this case, for z known signatures, we have scalar equations, 16 fixed scalar unknowns (associated with the unknown vectors A, F, D, and C) and unique scalar unknowns (four associated with the random vector V and six associated with the three random vectors , , and from the hidden group defined by the vector C). Equating the number of equations and the number of unknowns, we obtain the equation
from which we find the value . The latter sets the number of equations equal to 96. For such a large number of power equations, the computational complexity of finding a solution to the system exceeds the level of bit operations (see Table 1 in [19]), i.e., an attack based on known signatures is computationally infeasible. This means that the proposed mechanism for ensuring complete randomization is sufficient. Let us consider the implementation of a specific DS algorithm based on it.
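As an added worked derivation (not an equation taken from the paper), the equation-counting arguments of Sections 3 and 4 are written out below with the counts the text gives: z is the number of known signatures, every vector equation over the four-dimensional FNAA yields four scalar equations, and each signature contributes its own unique unknowns (two per hidden-group element expressed through Formula (2), four for the random vector V). The counting treats the system as generic, so equality of the numbers of equations and unknowns is only the heuristic threshold used in the text, not a proof that the system can be solved:

$$
\begin{aligned}
&\text{Section 3, Formulas (3) and (4) together:} && 8z = 16 + 4z \;\Rightarrow\; z = 4,\ \text{32 equations};\\
&\text{Section 3, Formula (4) alone (unknowns } F, C\text{):} && 4z = 8 + 2z \;\Rightarrow\; z = 4,\ \text{16 equations};\\
&\text{Section 3, Formula (3) alone (unknowns } A, B, C\text{):} && 4z = 12 + 2z \;\Rightarrow\; z = 6,\ \text{24 equations};\\
&\text{Section 4, the pair of Formulas (6):} && (12 + 8z) - 8z = 12 \ \text{ for every } z;\\
&\text{Section 4, Formulas (5) and (6) together:} && 12z = 16 + 10z \;\Rightarrow\; z = 8,\ \text{96 equations}.
\end{aligned}
$$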
5. The DS Algorithm Implementing the Proposed Method of Signature Randomization
We will assume that the four-dimensional FNAA used as the algebraic support of the DS algorithm is defined by Table 1 over the field , where the prime with a 128-bit prime . A collision-resistant 256-bit hash function , the said FNAA, and some vector J of order are common to all users of the digital signature algorithm.
The public key, in the form of a set of seven vectors , , , , , , and W (with a total size of ≈448 bytes), is generated by the following algorithm:
1. Generate two random vectors G and H of order q that form the basis of a hidden group possessing two-dimensional cyclicity and order .
2. Generate a random vector P of order and random invertible vectors A, B, D, and F that satisfy the inequalities , , , , , , , , , , , , , , and .
3. Generate random natural numbers and and calculate the vectors
The numbers x and w and the vectors A, B, D, F, G, H, and P compose the secret key, with a total size of ≈480 bytes.
The basis of the hidden group can be generated as follows:
1. Generate a random vector .
2. If is a non-scalar vector and (the probability of this event is 0.25), then ; otherwise, go to step 1.
3. Generate a random non-scalar vector .
4. If is a non-scalar vector and (the probability of this event is 0.25), then ; otherwise, go to step 1.
The algorithm for generating a DS includes the following steps:
1. Calculate the value of the hash function from the signed electronic document M: , where the 256-bit hash value is represented as the concatenation of the 128-bit natural numbers and
2. Generate a random invertible vector V and random natural numbers , , , and (). Then, using Formula (6), calculate the values of the vector fixators and
3. Calculate the hash value from the document M with the vectors and attached: , where the 256-bit hash value is represented as the concatenation of two 128-bit natural numbers and
4. Calculate the value of the exponent d:
5. Calculate the value of the first auxiliary fitting element of the DS using the formula
6. Calculate the exponent n by the formula (or by the formula ).
7. Calculate the value of the second auxiliary fitting element of the DS by the formula : (or by the formula ).
8. Calculate the exponent b:
9. Calculate the fitting signature element S using the following formula:
A digital signature to an electronic document M is the set of values with a total size of 128 bytes. Given that , the computational complexity of the signature generation algorithm can be roughly estimated as 6 exponentiations to a 128-bit exponent and 2 exponentiations to a 256-bit exponent (the calculation of the vectors and ), i.e., ≈15,400 multiplication operations in the field
The algorithm for verifying the signature to the document M is performed using the public key and has the following form:
1. Calculate the hash value of the document M:
2. Calculate the values of the vectors and by the following two formulas:
3. Calculate the hash value from the document M with the vectors and concatenated: , where the 256-bit hash value is represented as the concatenation of two 128-bit integers and
4. If the equalities and hold simultaneously, the DS is accepted as genuine; otherwise, the DS is rejected as false.
The computational complexity of the DS verification algorithm can be roughly estimated as 4 exponentiations of four-dimensional vectors to a 128-bit exponent and 2 exponentiations to a 256-bit exponent, i.e., ≈12,300 multiplication operations in the field
It is easy to show the correctness of the proposed DS algorithm, namely, that a correctly calculated signature to the document M passes the verification procedure as a genuine signature. To prove the correctness, one calculates the vectors and :
The computation of the hash value and the comparison of with the value of gives:
6. Discussion
No efficient quantum algorithm is known for solving large systems of power equations. Therefore, the proposed algorithm, whose security is based on the computational complexity of this problem, is secure against quantum attacks provided it is secure against attacks using ordinary computers.
A detailed examination of possible structural attacks (attacks exploiting the specifics of algorithm construction) using conventional computers is an independent research task. Let us consider the security of the proposed algorithm to a direct attack related to solving a basic computationally difficult problem.
The developed DS algorithm implements the proposed randomization method corresponding to Formula (5); furthermore, additional randomization is introduced by including a unique multiplier for each signature in Formula (9), which is used in the developed algorithm to calculate the fitting element of the signature. As a result, the computational complexity of the attack based on known signatures exceeds the estimate of obtained for the case of using Formula (5). This required an additional exponentiation operation in the signature generation procedure, decreasing its performance by about 12%.
Implementing algorithms in strict accordance with Formula (5) also practically prevents attacks based on known signatures; however, using Formula (9) allows multipliers equal to various powers of the secret vector P to be included in the formulas for calculating the elements of the public key, which is intended to ensure resistance to attacks that search for potential equivalent keys. At the same time, the security level against a direct attack (calculation of the secret vectors from the public-key elements) increases due to the additional quadratic vector equations in the system written according to Formulas (7) and (8). The system of quadratic vector equations considered in a direct attack has the following form:
where
The solution of the system of power vector Equations (10) reduces to solving a system of 28 power (quadratic and cubic) scalar equations with 34 scalar unknowns. The coordinates of the 6 unknown vectors and define 24 scalar unknowns, and the coordinates of each of the unknown vectors ( ) are expressed (according to Formula (2)) through the coordinates of the vector ( P) and 2 scalar unknowns , giving 10 additional scalar unknowns. Thus, a direct attack is associated with solving a system of 28 power equations with 34 unknowns over a field of prime 129-bit order. Considering that the computational complexity of solving a system of 26 quadratic equations with 26 unknowns over a finite field of 8-bit order is at the level of (see Table 1 in [19]) and using the estimates [20] that take into account the dependence of on the field order, we obtain the following preliminary estimate of the security level of the proposed algorithm against a direct attack: . Refining this estimate is an independent task. Additionally, further security evaluation should be conducted in the direction of developing structural attacks that use the design features of the algorithm and of evaluating their computational complexity.
It should be noted that the number of scalar unknowns exceeds the number of equations, indicating the potential existence of a set of equivalent keys, but this does not change the obtained preliminary assessment of the security to a direct attack.
7. Conclusions
To eliminate the demonstrated potential vulnerability of the algebraic DS algorithms [16,17] to attacks based on known signatures, which is due to the limited randomization of the signature, a method for ensuring complete randomization of the signature is proposed. Based on it, a new DS algorithm on a four-dimensional FNAA has been developed, which is of interest as a practical post-quantum public-key signature algorithm. An assessment of its resistance to a direct attack, associated with the solution of a large system of power equations, is given. As a direction for further research, it is of interest to consider the implementation of similar algorithms on FNAAs of higher dimension, which offers a potential opportunity to increase the security level by increasing the number of power equations in the system arising in a direct attack.