Popis: |
Abstract Recent rank-based attacks have reduced the security of Rainbow, which is one of the multi-layer UOV signatures, below the NIST security requirements by speeding up iterative kernel-finding operations using classical mathematics techniques. If quantum algorithms are applied to perform these iterative operations, the rank-based attacks may be more threatening to multi-layer UOV, including Rainbow. In this paper, we propose a quantum rectangular MinRank attack called the Q-rMinRank attack, the first quantum approach to key recovery attacks on multi-layer UOV signatures. Our attack is a general model applicable to multi-layer UOV signature schemes, and in this paper, we provide examples of its application to Rainbow and the Korean TTA standard, HiMQ. We design two quantum oracle circuits to find the kernel in consideration of the depth-width trade-off of quantum circuits. One is to reduce the width of the quantum circuits using qubits as a minimum, and the other is to reduce the depth using parallelization instead of using a lot of qubits. By designing quantum circuits to find kernels with fewer quantum resources and complexity by adding mathematical techniques, we achieve quadratic speedup for the MinRank attack to recover the private keys of multi-layer UOV signatures. We also estimate quantum resources for the designed quantum circuits and analyze quantum complexity based on them. The width-optimized circuit recovers the private keys of Rainbow parameter set V with only 1089 logical qubits. The depth-optimized circuit recovers the private keys of Rainbow parameter set V with a quantum complexity of $$2^{174}$$ 2 174 , which is lower than the complexity of $$2^{221}$$ 2 221 recovering the secret key of AES-192, which provides the same security level as parameter set III. |