## Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves? (2008)

Citations: 9 (1 self)

### BibTeX

@MISC{Bogdanov08time-areaoptimized,
    author = {Andrey Bogdanov and Thomas Eisenbarth and Andy Rupp and Christopher Wolf},
    title = {Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves?},
    year = {2008}
}

### Abstract

In this paper ways to efficiently implement public-key schemes based on Multivariate Quadratic polynomials (MQ-schemes for short) are investigated. In particular, they are claimed to resist quantum computer attacks. It is shown that such schemes can have a much better time-area product than elliptic curve cryptosystems. For instance, an optimised FPGA implementation of amended TTS is estimated to be over 50 times more efficient with respect to this parameter. Moreover, a general framework for implementing small-field MQ-schemes in hardware is proposed which includes a systolic architecture performing Gaussian elimination over composite binary fields.

### Citations

47 | Unbalanced Oil and Vinegar Signature Schemes. Extended version available at http://citeseer.ist.psu.edu/231623.html
- Kipnis, Patarin, et al.
Citation Context ... 4,10 1 × K = 4, 2 × K = 10 2.4.1 Unbalanced Oil and Vinegar (UOV). $p'_i(x'_1,\dots,x'_n) := \sum_{j=1}^{n-m}\sum_{k=j}^{n} \gamma'_{i,j,k}\,x'_j x'_k$ for $i = 1 \dots v_1$ Unbalanced Oil and Vinegar Schemes were introduced in [10, 11]. Here we have $\gamma \in F$, i.e. the polynomials p are over the finite field F. In this context, the variables $x'_i$ for $1 \le i \le n-m$ are called for $n-m < i \le n$ the “oil” variables. We also write o := m fo...

33 | Taxonomy of public key schemes based on the problem of multivariate quadratic equations. Cryptology ePrint Archive, Report 2005/077
- Wolf, Preneel
- 2005
Citation Context ...ch $\begin{cases} y_1 = p_1(x_1,\dots,x_n) \\ y_2 = p_2(x_1,\dots,x_n) \\ \quad\vdots \\ y_m = p_m(x_1,\dots,x_n), \end{cases}$ for given $y_1,\dots,y_m \in F$ and unknown $x_1,\dots,x_n \in F$ is difficult, namely NP-complete. An overview over this field can be found in [14]. Roughly speaking, most work on public-key hardware architectures tries to optimise either the speed of a single instance of an algorithm (e.g., high-speed ECC or RSA implementations) or to build the...

17 | Rainbow, a new multivariable polynomial signature scheme
- 2005
Citation Context ...such datagrams occur frequently in applications with power or bandwidth restrictions, hence we have noted this special possibility here. 2.4.2 Rainbow. Rainbow is the name for a generalisation of UOV [7]. In particular, we do not have one layer, but several layers. This way, we can reduce the number of variables and hence obtain a faster scheme when dealing with hash values. The general form of the R...

15 | ℓ-Invertible Cycles for Multivariate Quadratic Public Key Cryptography
- Ding, Wolf, et al.
- 2007
Citation Context ...S, amended TTS, Unbalanced Oil and Vinegar and Rainbow. Systems of the big-field classes HFE (Hidden Field Equations), MIA (Matsumoto Imai Scheme A) and the mixed-field class ℓIC — ℓ-Invertible Cycle [8] were excluded as results from their software implementation show that they cannot be implemented as efficiently as schemes from the small-field classes, i.e. enTTS, amTTS, UOV and Rainbow. The propos...

14 | High performance architecture of elliptic curve scalar multiplication
- Ansari, Hasan
- 2006
Citation Context ...e implementations of the major building blocks (F=frequency, T=Time, L=luts, S=slices, FF=flip-flops, A=area, XC3=XC3S1500, XC5=XC5VLX50-3)

| Implementation | F, MHz | T, µs | S/L/FF | A, kGE | S·T [S·ms] |
|---|---|---|---|---|---|
| ECC-163, [1], XC2V200 | 100 | 41 | -/8,300/1100 | - | 85.1 |
| ECC-163, CMOS | 167 | 21 | - | 36 | - |
| ECC-163, [12], XCV200E-7 | 48 | 68.9 | -/25,763/7,467 | - | 447.9 |
| UOV(60,20), XC3 | 80/160 | 14.625 | 9821 / 16694 / 5665 | 149 | 143.6 |

UOV(60,20), XC5 200...

11 | Low latency elliptic curve cryptography accelerators for NIST curves over binary fields
- Shu, Gaj, et al.
- 2005
Citation Context ...=slices, FF=flip-flops, A=area, XC3=XC3S1500, XC5=XC5VLX50-3)

| Implementation | F, MHz | T, µs | S/L/FF | A, kGE | S·T [S·ms] |
|---|---|---|---|---|---|
| ECC-163, [1], XC2V200 | 100 | 41 | -/8,300/1100 | - | 85.1 |
| ECC-163, CMOS | 167 | 21 | - | 36 | - |
| ECC-163, [12], XCV200E-7 | 48 | 68.9 | -/25,763/7,467 | - | 447.9 |
| UOV(60,20), XC3 | 80/160 | 14.625 | 9821 / 16694 / 5665 | 149 | 143.6 |
| UOV(60,20), XC5 | 200/400 | 5.85 | 5334 / 13437 / 5774 | 143 | 31.2 |

UOV(30,10), XC3 80/160 4.188 3060 / 530...

10 | Building Secure Tame-like Multivariate Public-Key Cryptosystems: The New TTS
- Yang, Chen
Citation Context ... Signature Core Building Block: Systolic Array LSE Solver (Structure) 2.4.4 enhanced TTS (enTTS). The overall idea of enTTS is similar to amTTS, m = 20, n = 28. For a detailed description of enTTS see [16, 15]. According to [6], enhanced TTS is broken, hence we do not advocate its use nor did we give a detailed description in the main part of this article. However, it was implemented in [17], so we have in...

9 | Cryptanalysis of rainbow
- Billet, Gilbert
Citation Context ...y that we do not obtain a solution for this system is τ rainbow = 1 − ∏ L l=1 ∏ v l+1 −v l i=0 q v l+1 −v l −q i q v l+1 −v2 l using a similar argument as in Sec. 2.4.1. Taking the latest attack from [3] into account, we obtain the parameters L = 2, v1 = 18, v2 = 30, v3 = 42 for a security level of 2^80, i.e. a two layer scheme 18 initial vinegar variables and 12 equations in the first layer and 12 new...

8 | A parallel hardware architecture for fast gaussian elimination over gf(2
- Bogdanov, Mertens
- 2006
Citation Context ...to build an LSE solver architecture over GF(2^k). The biggest advantage of systolic architectures with regard to our application is the low amount of cells compared to other architectures like SMITH [4]. For solving a m × m LSE, a systolic array consisting of only m boundary cells and m(m + 1)/2 main cells is required. An overview of the architecture is given in Figure 2. The boundary cells shown in...

6 | Fast Multivariate Signature Generation in Hardware: The Case of Rainbow
- Balasubramanian, Carter, et al.
- 2008
Citation Context ...tation of a cryptosystem based on multivariate polynomials we are aware of is [17], where enTTS is realized. A more recent result on the evaluation of hardware performance for Rainbow can be found in [2]. 1.1 Our Contribution Our contribution is many-fold. First, a clear taxonomy of secure multivariate systems and existing attacks is given. Second, we present a systolic architecture implementing Gaus...

6 | Rank attacks and defence in Tame-like multivariate PKC's. Cryptology ePrint Archive, Report 2004/061, 29rd September 2004. http://eprint.iacr
- Yang, Chen
Citation Context ... Signature Core Building Block: Systolic Array LSE Solver (Structure) 2.4.4 enhanced TTS (enTTS). The overall idea of enTTS is similar to amTTS, m = 20, n = 28. For a detailed description of enTTS see [16, 15]. According to [6], enhanced TTS is broken, hence we do not advocate its use nor did we give a detailed description in the main part of this article. However, it was implemented in [17], so we have in...

5 | High-speed hardware implementations of elliptic curve cryptography: a survey
- Meurice de Dormale, Quisquater
- 2007
Citation Context ...liptic curves with field bitlengths in the range of 160 bit (corresponding to the security level of 2^80) over GF(2^k), see Table 3. A good survey on hardware implementations for ECC can be found in [5]. Even the most conservative design, i.e. long-message UOV, can outperform some of the most efficient ECC implementations in terms of TA-product on some hardware platforms. More hardware-friendly desig...

5 | Implementing Minimized Multivariate Public-Key Cryptosystems on Low-Resource Embedded Systems
- Yang, Cheng, et al.
- 2006
Citation Context ...d to elliptic curve schemes, which have the reputation of being particularly efficient. The first public hardware implementation of a cryptosystem based on multivariate polynomials we are aware of is [17], where enTTS is realized. A more recent result on the evaluation of hardware performance for Rainbow can be found in [2]. 1.1 Our Contribution Our contribution is many-fold. First, a clear taxonomy o...

4 | A systolic architecture for computing inverses and divisions in finite fields GF(Z
- Wang, Lin
- 1993
Citation Context ...ear taxonomy of secure multivariate systems and existing attacks is given. Second, we present a systolic architecture implementing Gauss-Jordan elimination over GF(2^k) which is based on the work in [13]. The performance of this central operation is important for the overall efficiency of multivariate based signature systems. Then, a number of concrete hardware architectures are presented having a lo...

1 | Note on design criteria for rainbow-type multivariates. Cryptology ePrint Archive http://eprint.iacr.org, Report 2006/307
- Ding, Hu, et al.
- 2006
Citation Context ...bles and 12 equations in the second layer. Hence, we need two K = 12 solvers and obtain τ ≈ 0.007828 2.4.3 amended TTS (amTTS). The central polynomials $P' \in MQ(F^n, F^m)$ for m = 24, n = 34 in amTTS [6] are defined as given below: p ′ i := x ′ i + α ′ ix ′ σ(i) + 8∑ j=1 p ′ i := x ′ i + α ′ ix ′ σ(i) + γ′ 0,ix ′ 1x ′ i + p ′ i := x ′ i + γ ′ 0,ix ′ 0x ′ i + 9∑ j=1 γ ′ i,jx ′ j+1x ′ 11+(i+j mod 10) 8...

1 | Systolic Gaussian Elimination over GF (p) with Partial Pivoting
- Hochet, Quinton, et al.
- 1989
Citation Context ...operations. Using these generic building blocks we can compose a signature core for any of the presented MQ-schemes (cf. Section 4). 3.1 A Systolic Array LSE Solver for GF(2^k) In 1989, Hochet et al. [9] proposed a systolic architecture for Gaussian elimination over GF(p). They considered an architecture of simple processors, used as systolic cells that are connected in a triangular network. They dis...