QUARTZ, 128-Bit Long Digital Signatures: http://www. minrank. org/quartz
J Patarin, N Courtois, L Goubin - Cryptographers' Track at the RSA …, 2001 - Springer
J Patarin, N Courtois, L Goubin
Cryptographers' Track at the RSA Conference, 2001•SpringerFor some applications of digital signatures the traditional schemes as RSA, DSA or Elliptic
Curve schemes, give signature size that are not short enough (with security 2 80, the
minimal length of these signatures is always≥ 320 bits, and even≥ 1024 bits for RSA). In
this paper we present a first well defined algorithm and signature scheme, with concrete
parameter choice, that gives 128-bit signatures while the best known attack to forge a
signature is in 2 80. It is based on the basic HFE scheme proposed on Eurocrypt 1996 along …
Curve schemes, give signature size that are not short enough (with security 2 80, the
minimal length of these signatures is always≥ 320 bits, and even≥ 1024 bits for RSA). In
this paper we present a first well defined algorithm and signature scheme, with concrete
parameter choice, that gives 128-bit signatures while the best known attack to forge a
signature is in 2 80. It is based on the basic HFE scheme proposed on Eurocrypt 1996 along …
Abstract
For some applications of digital signatures the traditional schemes as RSA, DSA or Elliptic Curve schemes, give signature size that are not short enough (with security 280, the minimal length of these signatures is always ≥ 320 bits, and even ≥ 1024 bits for RSA). In this paper we present a first well defined algorithm and signature scheme, with concrete parameter choice, that gives 128-bit signatures while the best known attack to forge a signature is in 280. It is based on the basic HFE scheme proposed on Eurocrypt 1996 along with several modifications, such that each of them gives a scheme that is (quite clearly) strictly more secure. The basic HFE has been attacked recently by Shamir and Kipnis (cf [3]) and independently by Courtois (cf this RSA conference) and both these authors give subexponential algorithms that will be impractical for our parameter choices. Moreover our scheme is a modification of HFE for which there is no known attack other that inversion methods close to exhaustive search in practice. Similarly there is no method known, even in theory to distinguish the public key from a random quadratic multivariate function.
QUARTZ is so far the only candidate for a practical signature scheme with length of 128-bits.
QUARTZ has been accepted as a submission to NESSIE (New European Schemes for Signatures, Integrity, and Encryption), a project within the Information Societies Technology (IST) Programme of the European Commission.
Springer