Scientific Reports (IF 3.8), Pub Date: 2023-04-19, DOI: 10.1038/s41598-023-32461-3
Randy Kuang, Maria Perepechaenko
Kuang, Perepechaenko, and Barbeau recently proposed a novel quantum-safe digital signature algorithm called Multivariate Polynomial Public Key, or MPPK/DS. The key construction originates with two univariate polynomials and one base multivariate polynomial defined over a ring. The variable in the univariate polynomials represents a plain message. All but one of the variables in the multivariate polynomial are noise used to obscure private information. These polynomials are then used to produce two multivariate product polynomials, excluding the constant term and the highest-order term with respect to the message variable. The excluded terms are used to create two noise functions. The four resulting polynomials, masked with two randomly chosen even numbers over the ring, form the Public Key. The two univariate polynomials and the two randomly chosen numbers, which act as an encryption key to obscure the public polynomials, form the Private Key. The verification equation is derived by multiplying all of the original polynomials together. MPPK/DS uses a special safe prime to prevent private key recovery attacks over the ring, forcing adversaries to solve for private values over a sub-prime field and lift the solutions to the original ring. Lifting entire solutions from the sub-prime field to the ring is designed to be difficult based on security requirements. This paper intends to optimize MPPK/DS to reduce the signature size by a fifth. We added two extra private elements to further increase the complexity of the private key recovery attack. However, we show in our newly identified optimal attack that these extra private elements do not have any effect on the complexity of the private key recovery attack, due to an intrinsic feature of MPPK/DS. The optimal key-recovery attack reduces to a Modular Diophantine Equation Problem, or MDEP, with more than one unknown variable in a single equation. MDEP is a well-known NP-complete problem, producing a set with many equally likely solutions, so the attacker would have to choose the correct solution from the entire list. By purposely choosing the field size and the order of the univariate polynomials, we can achieve the desired security level. We also identified a new deterministic attack on the coefficients of the two univariate private polynomials using intercepted signatures, which forms an overdetermined set of homogeneous cubic equations. To the best of our knowledge, the solution to such a problem is to brute-force search all unknown variables and verify the obtained solutions. With those optimizations, MPPK/DS can offer extra security of 384-bit entropy with a 128-bit field, with a public key size of 256 bytes and a signature size of 128 or 256 bytes using SHA256 or SHA512 as the hash function, respectively.
Multivariate Polynomial Public Key Optimization for Quantum-Safe Digital Signatures