Two multivariate digital signature schemes, Rainbow and GeMSS, made it into the third round of the NIST PQC competition. However, neither made its way to being a standard due to devastating attacks (in one case by Beullens, in the other by Tao, Petzoldt, and Ding). How should multivariate cryptography recover from this blow? We propose that, rather than trying to fix Rainbow and HFEv- by introducing countermeasures, the better approach is to return to the classical Oil and Vinegar scheme. We show that, if parametrized appropriately, Oil and Vinegar still provides competitive performance compared to the new NIST standards by most measures (except for key size). At NIST security level 1, this results in either 128-byte signatures with 44 kB public keys or 96-byte signatures with 67 kB public keys. We revamp the state of the art of Oil and Vinegar implementations for Intel/AMD AVX2, the Arm Cortex-M4 microprocessor, the Xilinx Artix-7 FPGA, and the Armv8-A microarchitecture with the Neon vector instruction set.
Multivariate Public Key Cryptosystems (MPKCs) are often touted as future-proofing against quantum computers. In 2009, it was shown that hardware advances do not favor just "traditional" alternatives such as ECC and RSA, but also make MPKCs faster and keep them competitive at 80-bit security when properly implemented. These techniques became outdated due to the emergence of new instruction sets and higher security requirements. In this paper, we review how MPKC signatures have changed since 2009, including new parameters (for a newer security level at 128 bits), cryptosafe implementations, and the impact of the new AVX2 and AES-NI instructions. We also present new techniques for evaluating multivariate polynomials, multiplication in large finite fields by additive Fast Fourier Transforms, and constant-time linear solvers.

Polynomials $p_1, p_2, \dots$ have (almost always) been quadratic. In public-key cryptography, we can let $P(0) = 0$.

We need to discuss the security of MPKCs in order to set the parameters needed for the required security level(s). Public keys of MPKCs are instances of solving multivariate quadratic equations, or MQ instances. One can break all MPKCs if one is able to efficiently solve MQ problems.

1.2.1 Class MQ(q, n, m) and the MQ Problem

For given $q, n, m$, the class $\mathrm{MQ}(q, n, m)$ consists of all systems of $m$ quadratic polynomials in $\mathbb{F}_q$ with $n$ variables. To choose a random system $S$ from $\mathrm{MQ}(q, n, m)$,

Solving $S(\mathbf{x}) = \mathbf{b}$ for any MQ system $S$ is then known as the "multivariate quadratic" (MQ) problem. It is an NP-complete problem [GJ79]. However, it is not easy to base a proof on worst-case hardness. Often the premise used is the hitherto unchallenged average-case MQ hardness assumption [BGP06, LLY08]:

Assumption MQ. Given any $k$ and prime power $q$, for parameters $n, m$ satisfying $m/n = c + o(1)$, no probabilistic algorithm in subexponential($n$)-time can solve $S(\mathbf{x}) = \mathbf{b}$ with a non-negligible probability $\varepsilon > 0$, if the systems $S$ are drawn from $\mathrm{MQ}(q, n, m)$ and a vector $\mathbf{b} = (b_1, b_2, \dots, b_m)$ is drawn from $S(U_n)$, where $U_n$ is the uniform distribution over $(\mathbb{F}_q)^n$.

Hardness of generic MQ

The complexity of solving a random instance out of $\mathrm{MQ}(q, n, m)$ is estimated using Gröbner basis methods, often XL with sparse matrices [CKPS00, YCBC07] or F5 [Fau02, BFSY05]. We simply use prior estimates for the complexity of solving MQ.

Effect of Quantum Computers on MQ signatures

Since we discuss MPKCs as post-quantum, we must consider a direct quantum-computer attack using Grover's algorithm [Gro96], which is considered in [WS16]. The summary of this attack is that a system of MQ equations with $n$ bits of input can be solved in $2^{n/2+1} n^3$ quantum operating steps ("gates"). Note that this is not usually a problem because a signature scheme usually requires $2b$-bit wide hashes for $b$-bit security, so a 128-bit secure digital signature scheme usually has 256 bits of input anyway. If we assume that a quantum step ("gate") can run at the speed of a CPU cycle (a very, very aggressive assumption about quantum computers), solving a quadratic system with 210 bits of ...
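As an added worked example (not code from either paper), the following pure-Python toy Oil and Vinegar signature ties the two abstracts together: the public key is an MQ(q, n, m) instance as defined above, while the secret central map (no oil-by-oil terms) and secret linear map form the trapdoor that turns signing into a linear solve. The field size Q = 31 with 6 vinegar and 3 oil variables, and all function names, are constructed for illustration only and give no security.

```python
import random

Q = 31                  # toy prime field F_Q (constructed; real parameters use far larger n and m)
V, M = 6, 3             # vinegar / oil variable counts; N = V + M variables, M equations
N = V + M

def solve(A, b):
    """Solve A x = b over F_Q by Gauss-Jordan elimination; return None if A is singular."""
    n = len(A)
    aug = [A[i][:] + [b[i]] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % Q), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [x * inv % Q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [(x - aug[r][col] * y) % Q for x, y in zip(aug[r], aug[col])]
    return [row[n] for row in aug]
def matmul(A, B):
    return [[sum(a * B[k][j] for k, a in enumerate(row)) % Q for j in range(len(B[0]))] for row in A]
def evalq(A, x):        # the quadratic form x^T A x over F_Q (one polynomial of an MQ system)
    return sum(A[i][j] * x[i] * x[j] for i in range(N) for j in range(N)) % Q
def keygen(rng):
    T = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]   # secret linear map
    while solve(T, [0] * N) is None:                                # redraw until invertible
        T = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    # Central map F: M upper-triangular forms whose oil-by-oil block (i, j >= V) is all zero.
    F = [[[rng.randrange(Q) if i <= j and i < V else 0 for j in range(N)] for i in range(N)]
         for _ in range(M)]
    # Public key P_k(x) = F_k(T x), i.e. T^T F_k T: a random-looking MQ(Q, N, M) instance.
    P = [matmul([list(r) for r in zip(*T)], matmul(A, T)) for A in F]
    return (F, T), P
def sign(sk, t, rng):
    F, T = sk
    while True:         # fixing the vinegar values makes every F_k affine in the oil variables
        vin = [rng.randrange(Q) for _ in range(V)]
        const = [sum(A[i][j] * vin[i] * vin[j] for i in range(V) for j in range(V)) % Q for A in F]
        lin = [[sum(A[i][V + j] * vin[i] for i in range(V)) % Q for j in range(M)] for A in F]
        oil = solve(lin, [(t[k] - const[k]) % Q for k in range(M)])
        if oil is not None:             # singular oil system: loop redraws the vinegar values
            return solve(T, vin + oil)  # s = T^{-1}(vin || oil), hence P(s) = F(vin || oil) = t
def verify(pk, s, t):
    return all(evalq(A, s) == t[k] for k, A in enumerate(pk))
def demo(seed=7):       # returns (genuine signature verifies, same signature on a tampered target)
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    t = [rng.randrange(Q) for _ in range(M)]   # constructed target; a message hash in practice
    s = sign(sk, t, rng)
    return verify(pk, s, t), verify(pk, s, [(t[0] + 1) % Q] + t[1:])
```

Verification needs only the public MQ system, so an attacker without the trapdoor faces exactly the MQ problem of the assumption above; the toy size here is solvable by brute force, which is why real parameters are so much larger.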