Security analysis of ZKPoK based on MQ problem in the multi-instance setting

Delaram Kahrobaei; Ludovic Perret; Martina Vigorito

doi:10.1515/jmc-2024-0046

Artikel Open Access

Security analysis of ZKPoK based on MQ problem in the multi-instance setting

Delaram Kahrobaei , Ludovic Perret und Martina Vigorito

Veröffentlicht/Copyright: 15. April 2025

Veröffentlicht von

Veröffentlichen auch Sie bei De Gruyter Brill

Manuskript einreichen Informationen für Autor*innen

Aus der Zeitschrift Journal of Mathematical Cryptology Band 19 Heft 1

Abstract

Bidoux and Gaborit introduced a new general technique to improve zero-knowledge (ZK) proof-of-knowledge (PoK) schemes for a large set of well-known post-quantum hard computational problems such as the syndrome decoding, the permuted kernel, the rank syndrome decoding, and the multivariate quadratic (MQ) problems. In particular, the authors’ idea in the study of Bidoux and Gaborit was to use the structure of these problems in the multi-instance setting to minimize the communication complexity of the resulting ZK PoK schemes. The security of the new schemes is then related to new hard problems. In this article, we focus on the new multivariate-based ZK PoK and the corresponding new underlying problem: the so-called DiffMQ H . We present a new efficient probabilistic algorithm for solving the DiffMQ H which is polynomial-time if m − n ∈ O ( 1 ) . We also present experimental results showing that the algorithm is efficient in practice.

Keywords: multivariate cryptography; MQ problem; ZkPok protocol

MSC 2010: 11T06; 11T55; 11T71; 12E20

1 Introduction

With the advent of post-quantum cryptography [1] following the development of Shor’s algorithm, many cryptographers have focused on finding quantum-resistant public-key systems. Multivariate cryptography is one of the main families of post-quantum primitives. The security of these systems is based on the difficulty of solving a set of randomly chosen nonlinear multivariate polynomials over a finite field. So far, there is no evidence that quantum computers can solve such sets of multivariate polynomials efficiently.

Motivated by this, Bidoux and Gaborit, in [2,3], introduced a novel general technique to enhance zero-knowledge (ZK) proof-of-knowledge (PoK) schemes for a broad class of well-known computational problems that are difficult in the post-quantum setting. In particular, they focused on the multivariate quadratic (MQ) problem, for which the definition is provided below. In the following, we denote as F q a finite field with q elements, where q = p s , p is a prime, and s is a positive integer.

Definition 1.1

(MQ problem) Let m and n be positive integers. We define by MQ ( n , m , F q ) the family of systems of m multivariate quadratic polynomials { ℱ = ( p 1 , … , p m ) ∈ F q [ x 1 , … , x n ] m } such that ∀ ℓ , 1 ≤ ℓ ≤ m :

(1) p ℓ ( x 1 , … , x n ) = ∑ 1 ≤ i ≤ j ≤ n a i , j ( ℓ ) x i x j + ∑ 1 ≤ i ≤ n c i ( ℓ ) x i + k ( ℓ ) where a i , j ( ℓ ) , c i ( ℓ ) , k ( ℓ ) ∈ F q .

Given ℱ ∈ MQ ( n , m , F q ) and v = ( v 1 , … , v m ) ∈ F q m , the MQ problem asks to find s ∈ F q n such that

p 1 ( s ) = v 1 , … , p m ( s ) = v m .

We will call the MQ H the restriction of the MQ to homogeneous polynomials.

The solution of the MQ remains computationally challenging, as it is known to be NP-hard [4]. This hardness forms the foundation of various cryptographic schemes, particularly in the field of post-quantum cryptography, where the security of multivariate public-key cryptosystems relies on the difficulty of solving large instances of the MQ. In fact, these problems are widely used as the basis for many proposed post-quantum digital signature schemes, for example, Biscuit signature scheme [5], GeMSS [6], UOV signature scheme [7], and MAYO signatures [8].

In this article, we investigate the security of a new ZKPoK based on the MQ introduced in the studies of Bidoux and Gaborit [2,3]. The ZKPoK schemes are significant due to their practical applications in cryptography [9–11]. One of the key reasons to study these schemes is that they provide a foundation for constructing highly efficient digital signature schemes, [12–14]. By leveraging the properties of zero-knowledge proofs, it is possible to design digital signatures that offer both strong security guarantees and improved performance. This makes ZKPoK particularly attractive for real-world implementations where efficiency and security are crucial.

One way to construct a signature scheme is to first construct a ZKPoK scheme and then transform it to a non-interactive signature scheme with a transformation such as the Fiat-Shamir transform [14] or the Unruh transform [15]. Looking at the NIST Post-Quantum Standardization project, three of the Round II signature schemes, MQDSS, Picnic, and Dilithium, use this approach [16].

Considering the significance of ZKPoK, Bidoux and Gaborit [2,3] presented a new ZKPoK scheme, which we will call MQBG, which is related to new variants of the MQ H such as the MQ H + . This problem occurs in the multi-instance setting and it is defined as follows.

Definition 1.2

( MQ H + problem) Let m and n be positive integers, we define by MQ H ( n , m , F q ) the family of systems of m multivariate quadratic homogeneous polynomials { ℱ = ( p 1 , … , p m ) ∈ F q [ x 1 , … , x n ] m } such that ∀ ℓ , 1 ≤ ℓ ≤ m :

(2) p ℓ ( x 1 , … , x n ) = ∑ 1 ≤ i ≤ j ≤ n a i , j ( ℓ ) x i x j , where a i , j ( ℓ ) ∈ F q .

Given ℱ ∈ MQ H ( n , m , F q ) and v 1 , … , v M ∈ F q m . The MQ H + problem asks to find s 1 , … , s M ∈ F q n such that

ℱ ( s 1 ) = v 1 , … , ℱ ( s M ) = v M .

Bidoux and Gaborit [2,3] claimed that the security of this MQBG relies on a new intermediate problem which is called the differential multivariate quadratic homogeneous ( DiffMQ H + ) problem in a multi-instance version that follows.

Definition 1.3

( DiffMQ H + problem) Let M ≥ 1 , m , n be positive integers, ℱ ∈ MQ H ( n , m , F q ) and ( u 1 , v 1 ) , … , ( u M , v M ) ∈ F q n × F q m such that ℱ ( u 1 ) = v 1 , … , ℱ ( u M ) = v M . Given κ 1 , κ 2 ∈ F q * , the DiffMQ H + problem asks to find ( c , d 1 , d 2 ) ∈ F q m × F q n × F q n such that

(3) ℱ ( d 1 ) + c = κ 1 2 v μ 1 and ℱ ( d 2 ) + c = κ 2 2 v μ 2 ,

with μ 1 , μ 2 ∈ [ 1 , … , M ] .

More precisely, the DiffMQ H + is related to the special soundness of MQBG, that is the property of a cryptographic protocol, which ensures that if an adversary can convince a verifier of a false statement with some probability, then there exists an efficient algorithm that can extract a witness from any such convincing interaction.

1.1 Organization of the article and main results

This article is structured as follows. In Section 2, we describe MQBG. Section 3 presents the main result of this work, that is, a probabilistic polynomial-time algorithm for solving the DiffMQ H + , in particular, we will prove the following theorem:

Theorem 1.1

Let ℱ ∈ MQ H ( n , m , F q ) , where m and n are positive integers. Then, there exists a probabilistic polynomial-time algorithm that solves the DiffMQ H + with probability O ( 1 ⁄ q m − n ) .

To do so, we show that the DiffMQ H + reduces to solving a linear system generated from the polar form of multivariate public-key quadratic polynomials. In Section 3.1, we report the experimental results obtained in Magma V2.20-3 that confirm our claim, that is the algorithm is efficient and succeeds with probability O ( 1 ⁄ q m − n ) , where m denotes the number of polynomials and n the number of variables. Note that Bidoux and Gaborit [3] only proposed parameters of the MQ with m = n ; in this case, our algorithm returns a solution with probability one.

It was initially claimed that the DiffMQ H + is not easier than the MQ H + (see [3, Theorem 8]), i.e., if there exists a polynomial-time algorithm solving the DiffMQ H + with success probability p , then there exists a polynomial-time algorithm solving the MQ H + with probability 1 − 1 q m − n p . This statement was then revisited in the updated version [2]. However, the DiffMQ H + was still defined and the complexity was not known until now. The contribution of this work is to show that the problem on which the proof of the special soundness of MQBG is based, see [3, Appendix G], can be solved in polynomial time, meaning that the security of MQBG needs to be improved.

2 Description of the protocol and security analysis

The MQ-based ZKPoK introduced in the study of Bidoux and Gaborit [3], which we will call MQBG, is inspired by the recent ZKPoK proposed by Wang [12]. In particular, these protocols use the polar form associated with a set of quadratic equations:

Definition 2.1

(Polar form) Let m , n be positive integers and ℱ ∈ MQ H ( n , m , F q ) . The polar form ℱ ′ ∈ F q [ x 1 , … , x n , y 1 , … , y n ] m associated with ℱ is defined as follows:

(4) ℱ ′ ( x , y ) = ℱ ( x + y ) − ℱ ( x ) − ℱ ( y ) ,

with x = ( x 1 , … , x n ) and y = ( y 1 , … , y n ) being variables.

Note that the polar form of a multivariate quadratic map is symmetric and bilinear.

We can now quickly recall the basics of MQBG from the study of Bidoux and Gaborit [3], which is depicted in Figure 1.

Figure 1

The MQBG.

Let ℱ ∈ MQ H ( n , m , F q ) be a system of m multivariate quadratic homogeneous polynomials in n variables, and ℱ ′ : F q n × F q n → F q n be its polar form. We can rewrite (4) as follows:

ℱ ( x ) − ℱ ( x − y ) = ℱ ′ ( y , x − y ) + ℱ ( y ) .

The specificity of MQBG is to use an instance of the MQ H with M > 1 solutions. The secret key sk is given by ( x i ) i ∈ [ 1 , M ] ∈ ( F q n ) M and the public key pk is composed by ℱ ∈ MQ H ( n , m , F q ) and ( y i ) i ∈ [ 1 , M ] = ( ℱ ( x i ) ) i ∈ [ 1 , M ] ∈ ( F q m ) M . The challenge ch struct from the verifier V is a tuple ( μ , κ , α ) ∈ [ 1 , M ] × F q * × [ 1 , N ] .

A trick of this protocol is the introduction of a technique to split the secret using ℱ ′ . If k ∈ F q * is one of the challenges chosen by the verifier V and x μ ∈ F q n the secret corresponding to the challenge μ ∈ [ 1 , M ] , then the element k x μ ∈ F q n is divided into

k x μ = s 0 + u where s 0 , u ∈ F q n .

In a preprocessing phase, the prover P generates additive shares u i ∈ F q n and v i ∈ F q m for random u ∈ F q n and ℱ ( u ) ∈ F q m respectively. During protocol execution, P begins with k x μ − u and locally computes ℱ ′ ( u i , s 0 ) + v i which constitute shares of ℱ ( k x μ ) − ℱ ( s 0 ) . These are recombined and V replaces ℱ ( k x μ ) with k 2 y μ to check the knowledge of the secret by the prover P .

Regarding the security of MQBG, an analysis is provided in [3, Appendix G].

3 Polynomial-time algorithm for solving the DiffMQ H +

In this section, we present a polynomial-time algorithm that solves the DiffMQ H + with probability O ( 1 ⁄ q m − n ) . The main idea here is that the DiffMQ H + can be reduced to the problem of finding a collision on the quadratic system ℱ ∈ MQ H ( n , m , F q ) . Although the MQ H is hard, the problem of finding a collision is much easier in the case of quadratic equations [17,18].

Theorem 3.1

Proof

The idea is to consider the polar form ℱ ′ : F q n × F q n → F q m associated with ℱ (see Definition 4). Therefore, this polar form is bilinear and equal to

(5) ℱ ′ ( x , y ) = ℱ ( x + y ) − ℱ ( x ) − ℱ ( y ) .

Let ( s 1 , v 1 ) , … , ( s M , v M ) ∈ F q n × F q m and ℱ ( s 1 ) = v 1 , … , ℱ ( s M ) = v M and κ 1 , κ 2 ∈ F q * . We present now an algorithm that recovers ( c , d 1 , d 2 ) ∈ F q m × F q n × F q n such that

(6) ℱ ( d 1 ) + c = κ 1 2 v 1 and ℱ ( d 2 ) + c = κ 2 2 v 2 .

Note then that we restrict (3) to μ 1 = 1 and μ 2 = 2 .

The algorithm has two main steps. First, we eliminate c ∈ F q m and recover ( d 1 , d 2 ) ∈ F q n × F q n by solving a linear system. We then recover the c ∈ F q n that fits the ( d 1 , d 2 ) recovered in the first step.

Recovering d 1 and d 2 using the polar form

Let Δ , d 1 ∈ F q n and set d 2 = d 1 + Δ ∈ F q n . We consider the difference of the two equations of (6). This allows eliminating c and yields

ℱ ( d 1 + Δ ) − ℱ ( d 1 ) = κ 2 2 v 2 − κ 1 2 v 1 .

From (5), we obtain that ℱ ( d 1 + Δ ) − ℱ ( d 1 )

(7) ℱ ′ ( d 1 , Δ ) + ℱ ( Δ ) = κ 2 2 v 2 − κ 1 2 v 1 .

Recall that ℱ ′ is bilinear. By randomly sampling Δ , we can recover d 1 by solving a linear system of m equations in n variables. The success probability of this step is 1 ⁄ q m − n . Remark that this step is independent from c .

Recovering c

Let d 1 ∈ F q n be a solution of the linear system (7). From the very definition of a DiffMQ H + solution and (6), we set c as

(8) − ℱ ( d 1 ) + κ 1 2 v μ 1 ∈ F q m .

Correctness of d 2

It remains to show that d 2 = d 1 + Δ found at the first step is correct, i.e.,

ℱ ( d 2 ) + c = κ 2 2 v μ 2 .

By definition, we have

□ ℱ ( d 2 ) + c = ℱ ( d 1 ) + ℱ ′ ( d 1 , Δ ) + ℱ ( Δ ) + c = ℱ ( d 1 ) + ( κ 2 2 v μ 2 − κ 1 2 v μ 1 ) + ( − ℱ ( d 1 ) + κ 1 2 v μ 1 ) = κ 2 2 v μ 2 .

3.1 Experimental results

The following tests were run on a MacBook Air with Apple chip M 2 , 8 GB, SSD 512 GB and using Magma V2.20-3 (STUDENT). For each n , 100 tests were run with a timeout of 24 h per test. We fix n = m , q = 31 , M = 2 , μ 1 = 1 , μ 2 = 2 , and k 1 , k 2 are chosen randomly in F q * .

n	Successful tests	Failed tests	Time to generate matrix (s)	Time to compute solution (s)	Time to verify (s)
10	99	1	0.420	0.001	0.000
15	95	5	3.165	0.002	0.000
20	98	2	13.839	0.009	0.001
25	97	3	44.607	0.017	0.002
30	94	6	118.949	0.028	0.004

The following tests were run with m < n , i.e. m = n − 2 and the same setting we used before:

n	m	Successful tests	Time to generate matrix (s)	Time to compute solution (s)	Time to verify (s)
10	8	100	0.269	0.001	0.000
15	13	100	2.344	0.002	0.001
20	18	100	11.222	0.009	0.001
25	23	100	37.736	0.016	0.002
30	28	100	103.552	0.029	0.002

From these tables, we can see that the polynomial-time algorithm that solves the DiffMQ H + works very fast, in polynomial-time as we expected. There are some cases where the algorithm failed, but most of the time it succeeded especially when the number of equations is smaller than the number of variables. Hence, the above tests confirm our Theorem 1.1.

Acknowledgement

We thank Daniel Escudero and Javier Verbel for fruitful discussions. MV thanks Sorbonne University, CNRS, LIP6, PolSys, which hosted her in the Winter 2024 and the University of Salerno for their financial support. MV is a member of the “National Group for Algebraic and Geometric Structures, and their Applications” (GNSAGA - INdAM). The authors are grateful for the valuable comments of the reviewers that improved the manuscript. These results were presented in September 2024 at CIFRIS24, the Italian Congress of De Cifris (www.decifris.it/cifris24).

Funding information: MV received financial support from GNSAGA - INdAM. Funded by the European Union - Next Generation EU, Missione 4 Componente 1 CUP B53D23009410006, PRIN 2022- 2022PSTWLB - Group Theory and Applications. MV thanks the University of Salerno and Erasmus Traineeship grant for their financial support.
Author contributions: All authors have accepted responsibility for the entire content of this manuscript and consented to its submission to the journal, reviewed all results, and approved the final version of the manuscript.
Conflict of interest: The authors declare no conflict of interest.
Ethical approval: The research conducted is not related to human or animal use.
Data availability statement: Data sharing is not applicable to this article as no data sets were generated or analyzed during the current study.

References

[1] Bernstein D, Lange T. Post-quantum cryptography. Nature. 2017;549:188–94. 10.1038/nature23461Suche in Google Scholar PubMed

[2] Bidoux L, Gaborit P. Compact post-quantum signatures from proofs of knowledge leveraging structure for the sfPKP, sfSD and sfRSD problems. In: Hajji SE, Mesnager S, Souidi EM, editors. Codes, Cryptology and Information Security - 4th International Conference, C2SI 2023, Rabat, Morocco, May 29–31, 2023, Proceedings. vol. 13874 of Lecture Notes in Computer Science. Springer; 2023. p. 10–42. 10.1007/978-3-031-33017-9_2. Suche in Google Scholar

[3] Bidoux L, Gaborit P. Shorter signatures from proofs of knowledge for the SD, MQ, PKP and RSD problems. In: arXiv Preprint; 2022. Initial version, April 2022, Creative Commons Attribution 4.0 International. https://arxiv.org/abs/2204.02915. Suche in Google Scholar

[4] Bellini E, Makarim RH, Sanna C, Verbel J. An estimator for the hardness of the MQ problem. IACR; 2022. Cryptology ePrint Archive, Paper 2022/708. https://eprint.iacr.org/2022/708. Suche in Google Scholar

[5] Bettale L, Kahrobaei D, Perret L, Verbel JA. Biscuit: new MPCitH signature scheme from structured multivariate polynomials. In: Pöpper C, Batina L, editors. Applied Cryptography and Network Security – 22nd International Conference, ACNS 2024, Abu Dhabi, United Arab Emirates, March 5–8, 2024, Proceedings, Part I. vol. 14583 of Lecture Notes in Computer Science. Springer; 2024. p. 457–86. 10.1007/978-3-031-54770-6_18. Suche in Google Scholar

[6] Casanova A, Faugère J, Macario-Rat G, Patarin J, Perret L, Ryckeghem J. GeMSS: AGreat Multivariate Signature Scheme;. NIST round 3 post-quantum submission. Gaithersburg, Maryland, United States: National Institute of Standards and Technology (NIST). Suche in Google Scholar

[7] Kipnis A, Patarin J, Goubin L. Unbalanced oil and vinegar signature schemes. In: Stern J, editor. Advances in Cryptology - EUROCRYPT ’99, International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 2–6, 1999, Proceedings. vol. 1592 of Lecture Notes in Computer Science. Springer; 1999. p. 206–22. 10.1007/3-540-48910-X_15. Suche in Google Scholar

[8] Beullens W. MAYO: Practical post-quantum signatures from oil-and-vinegar maps. In: Aitawy R, Hülsing A, editors. Selected Areas in Cryptography - 28th International Conference, SAC 2021, Virtual Event, September 29–October 1, 2021, Revised Selected Papers. vol. 13203 of Lecture Notes in Computer Science. Springer; 2021. p. 355–76. 10.1007/978-3-030-99277-4_17. Suche in Google Scholar

[9] Cayrel PL, Véron P, Alaoui SMEY. A zero-knowledge identification scheme based on the q-ary syndrome decoding problem. In: Biryukov A, Gong G, Stinson DR, editors. Selected Areas in Cryptography. vol. 6544 of Lecture Notes in Computer Science. Springer; 2010. p. 171–86. https://hal-univ-tln.archives-ouvertes.fr/hal-00674249/document. 10.1007/978-3-642-19574-7_12Suche in Google Scholar

[10] Stern J. A new paradigm for public key identification. IEEE Trans Inform Theory. 1996;42(6):1757–68. https://www.di.ens.fr/users/stern/data/St55b.pdf. 10.1109/18.556672Suche in Google Scholar

[11] Sakumoto K, Shirai T, Hiwatari H. Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway P, editor. Advances in Cryptology - CRYPTO 2011. vol. 6841 of Lecture Notes in Computer Science. Springer; 2011. p. 706–23. https://www.iacr.org/archive/crypto2011/68410703/68410703.pdf. 10.1007/978-3-642-22792-9_40Suche in Google Scholar

[12] Wang W. Shorter Signatures from MQ; 2022. https://eprint.iacr.org/2022/344. Cryptology ePrint Archive, Paper 2022/344. Suche in Google Scholar

[13] Beullens W. Sigma Protocols for MQ, PKP and SIS, and Fishy Signature Schemes; 2019. Cryptology ePrint Archive, Paper 2019/490. https://eprint.iacr.org/2019/490. Suche in Google Scholar

[14] Fiat A, Shamir A. How to prove yourself: Practical solutions to identification and signature problems. In: Oswald E, Fischlin M, editors., Advances in Cryptology - EUROCRYPT 2015. Lecture Notes in Computer Science(), vol. 9057. Berlin, Heidelberg: Springer; 2015. https://doi.org/10.1007/978-3-662-46803-6_25 Suche in Google Scholar

[15] Unruh D. Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Theory of Cryptography, 12th Theory of Cryptography Conference (TCC 2015). Springer; 2015. p. 755–84. 10.1007/978-3-662-46803-6_25Suche in Google Scholar

[16] Yesina M, Shahov BS. Analysis and research of digital signature algorithm Picnic. Radiotekhnika. 2020;4(203):19–24. https://doi.org/10.30837/rt.2020.4.203.02.10.30837/rt.2020.4.203.02Suche in Google Scholar

[17] Bettale L, Faugère J, Perret L. Security analysis of multivariate polynomials for hashing. In: Yung M, Liu P, Lin D, editors. Information Security and Cryptology, 4th International Conference, Inscrypt 2008, Beijing, China, December 14–17, 2008, Revised Selected Papers. vol. 5487 of Lecture Notes in Computer Science. Springer; 2008. p. 115–24. 10.1007/978-3-642-01440-6_11. Suche in Google Scholar

[18] Ding J, Yang B. Multivariate polynomials for hashing. In: Pei D, Yung M, Lin D, Wu C, editors. Information Security and Cryptology, Third SKLOIS Conference, Inscrypt 2007, Xining, China, August 31–September 5, 2007, Revised Selected Papers. vol. 4990 of Lecture Notes in Computer Science. Springer; 2007. p. 358–71. 10.1007/978-3-540-79499-8_28. Suche in Google Scholar

Received: 2024-11-30

Revised: 2025-02-22

Accepted: 2025-02-23

Published Online: 2025-04-15

This work is licensed under the Creative Commons Attribution 4.0 International License.

Artikel in diesem Heft

https://doi.org/10.1515/jmc-2024-0046

Schlagwörter für diesen Artikel

multivariate cryptography; MQ problem; ZkPok protocol

Creative Commons

BY 4.0