## Cryptology ePrint Archive: Report 2016/708

From 5-pass MQ-based identification to MQ-based signatures

Ming-Shing Chen and Andreas Hülsing and Joost Rijneveld and Simona Samardjiska and Peter Schwabe

Abstract: This paper presents MQDSS, the first signature scheme with a security reduction based on the problem of solving a multivariate system of quadratic equations (MQ problem). In order to construct this scheme we give a new security reduction for the Fiat-Shamir transform from a large class of $5$-pass identification schemes and show that a previous attempt from the literature to obtain such a proof does not achieve the desired goal. We give concrete parameters for MQDSS and provide a detailed security analysis showing that the resulting instantiation MQDSS-31-64 achieves $128$ bits of post-quantum security. Finally, we describe an optimized implementation of MQDSS-31-64 for recent Intel processors with full protection against timing attacks and report benchmarks of this implementation.

Category / Keywords: public-key cryptography / post-quantum cryptography, Fiat-Shamir, $5$-pass identification scheme, vectorized implementation

Original Publication (with major differences): IACR-ASIACRYPT-2016

Date: received 15 Jul 2016, last revised 4 Dec 2016

Contact author: authors-mqdss at huelsing net

Available format(s): PDF | BibTeX Citation

Note: *A missed reference.* After finishing this work, we were made aware that the authors of [EDV+12] published an updated journal version of their paper [DGV+16]. In this updated version, the authors give a new definition of $n$-soundness, adapt their forking lemma, and fix the presented signature scheme constructions to respect the requirement of exponentially large challenge spaces. However, it turns out that even the updated proof in [DGV+16] does not cover security of the proposed MQ-based signature scheme (and neither of the code-based signature scheme proposed in the same paper). Nevertheless, the signature schemes proposed in [DGV+16] can be proven secure using our results without any modifications.

Short URL: ia.cr/2016/708

[ Cryptology ePrint archive ]