Cryptology ePrint Archive: Report 2021/1338

Embedded Multilayer Equations: a New Hard Problem for Constructing Post-Quantum Signatures Smaller than RSA (without Hardness Assumption)

Dongxi Liu

Abstract: We propose a new hard problem, called the Embedded Multilayer Equations (eMLE) problem in this paper. An example of eMLE, with one secret variable x and three layers, is given below.

6268 = 57240 * x + (1248 * x + (9 * x mod 16) mod 2053) mod 65699

In this example, the eMLE problem is to find x from the above equation. eMLE in this paper has the same number of variables and equations. The hardness of eMLE problem lies in its layered structure. Without knowing the eMLE value of lower layer (i.e., the layer with modulus 2053), the top layer (i.e., the layer with modulus 65699) has many candidate solutions; the adversary has to search the solution space for a few valid ones. A lower-bound for the number of searches has been proven in the paper, together with the expected number of valid solutions. The hardness of eMLE can be increased by adding more layers, without changing the number of variables and equations; no existing NP-complete problems have this feature. Over the hardness of eMLE, a post-quantum signature scheme, eMLE-Sig, is constructed. Compared with all existing signature schemes (conventional and post-quantum), eMLE-Sig might be the simplest to understand, analyze, instantiate, and implement. At the security level above 128 bits, five configurations are provided; all of them have keys and signatures smaller than RSA keys and signatures (above 380 bytes) at the 128-bit security level. The smallest configuration is with two variables and three layers, having 84.1/52.2 bytes for private/public key and 168.4 bytes for signatures.

Category / Keywords: foundations / Post-quantum Signature, RSA, Complexity theory

Date: received 4 Oct 2021, last revised 26 Oct 2021

Contact author: dongxi liu at csiro au

Available format(s): PDF | BibTeX Citation

Note: New eMLE-Sig is multivariate cubic equations, but can be extended to any high degree (e.g., 7th degree; Hilbert's 13th problem is 7th degree equation).

Version: 20211026:193627 (All versions of this report)

Short URL: ia.cr/2021/1338


[ Cryptology ePrint archive ]