Side-Channel Attacks on Post-Quantum Signature Schemes based on Multivariate Quadratic Equations - Rainbow and UOV -

Abstract
In this paper, we investigate the security of Rainbow and Unbalanced Oil-and-Vinegar (UOV) signature schemes based on multivariate quadratic equations, which is one of the most promising alternatives for post-quantum signature schemes, against side-channel attacks. We describe correlation power analysis (CPA) on the schemes that yields full secret key recoveries. First, we identify a secret leakage of the secret affine maps S and T during matrix-vector products in signing when Rainbow is implemented with equivalent keys rather than random affine maps for optimal implementations. In this case, the simple structure of the equivalent keys leads to the retrieval of the entire secret affine map T. Next, we extend the full secret key recovery to the general case using random affine maps via a hybrid attack: after recovering S by performing CPA, we recover T by mounting algebraic key recovery attacks. We demonstrate how this leakage on Rainbow can be practically exploited on an 8-bit AVR microcontroller using CPA. Consequently, our CPA can be applied to Rainbow-like multi-layered schemes regardless of the use of the simple-structured equivalent keys, and to UOV-like single layer schemes whose implementations use the equivalent keys of the simple structure. This is the first result on the security of multivariate quadratic equations-based signature schemes using only CPA. Our result can be applied to Rainbow-like multi-layered schemes and UOV-like single layer schemes submitted to NIST for Post-Quantum Cryptography Standardization.


Introduction
The security of the most widely used public-key cryptosystems (PKCs), such as RSA and ECDSA, is based on the hardness of the integer factorization problem or the (elliptic curve) discrete logarithm problem. However, these hard problems are known to be solvable by Shor's quantum algorithm in polynomial time [Sho97]. This means that the widely used PKCs are susceptible to a large-scale quantum computer. Several types of cryptographic primitives exist which are believed to be secure against a quantum computer, including lattice-based, code-based, hash-based, and multivariate quadratic equations (MQ)-based cryptography. These cryptographic primitives are believed to be resistant against both classical and quantum attacks, and this has increased confidence in their adoptability as post-quantum alternatives. Recently, the National Security Agency (NSA) has updated its Suite B algorithms to explicitly emphasize the importance of the migration to post-quantum cryptographic algorithms [NSA15]. NIST has started initiatives to develop post-quantum cryptographic standards. Submissions to NIST's Post-Quantum Cryptography Standardization are for post-quantum public-key encryption, key exchange and digital signature [NIS16a].
Multivariate quadratic public-key cryptosystems (MQ-PKC) rely on the hardness of solving large systems of multivariate quadratic equations, called the MQ-problem. In MQ-PKC, a public key is given by a system of multivariate quadratic equations, and a trapdoor is hidden in the secret affine layers of the affine-substitution (quadratic)-affine (ASA) structure. The security of this ASA structure depends on the hardness of the Extended Isomorphism of Polynomials (EIP) problem [Pat96]. To build an MQ-PKC, one starts with an easily invertible quadratic map $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$ called a central map. Then one composes it with two invertible affine maps $S : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and $T : \mathbb{F}_q^n \to \mathbb{F}_q^n$ to hide the special structure of F. A public key is $P = S \circ F \circ T$ and the secret key is (S, F, T), which allows the inversion of the public key. A main challenge in MQ-PKC is the selection of the nonlinear quadratic part F, which must be invertible.
In 1988, Imai and Matsumoto proposed the first MQ-based encryption scheme [MI88]. Since then, several MQ-schemes have been proposed; however, most MQ-schemes have been broken by targeting the IP-problem. There are two main types of signature schemes: HFEv- variants [PCG01, PCY+15] and Unbalanced Oil-and-Vinegar (UOV) variants [KPG99, DS05]. The operations of UOV-type MQ-schemes comprise matrices and vectors; they are simple and computed over small fields. Hence, MQ-schemes do not require many computational resources. Consequently, they are attractive for use on resource-limited devices such as smart cards [BERW08, CCC+09]. MQ-signature schemes surpass other alternatives in terms of speed and signature size. At CHES 2012, Czypek et al. [CHT12] demonstrated the feasibility of MQ-signature schemes on an 8-bit AVR microprocessor. They showed that the MQ-signature schemes Rainbow and enTTS outperform RSA and ECDSA in terms of speed. On the practical side, such an MQ-signature scheme is a promising alternative to classical schemes such as RSA, DSA, and ECDSA.
Side-channel attacks (SCAs) focus on the capabilities of an attacker to break a cryptographic algorithm by exploiting vulnerabilities in the underlying implementations rather than its mathematical structure. SCAs can be divided into invasive, semi-invasive, and non-invasive attacks based on the interface that is exploited by the attack. An invasive attack has no limits to what is done on a cryptographic device, whereas a non-invasive attack does not physically transform the cryptographic device. Timing attacks [Koc96], power analysis (PA) [KJJ99], and electromagnetic (EM) attacks [GMO01] are non-invasive attacks. Further, the attacker can maliciously inject faults into the cryptographic algorithm and investigate the faulty outputs, which can reveal some information about the secret key. This attack is known as the fault attack which is a semi-invasive attack. It is well-known that any implementation of a cryptographic algorithm not protected against SCAs can be easily broken. Hence, if a cryptographic algorithm is used in embedded systems then it should be protected against SCAs.
Many SCAs against post-quantum cryptography have been proposed, but there are only a few results on the implementation security of MQ-schemes. One is the SCAs against SFLASH [SGB01, HTS11], which recover a random seed ∆ used for the hash function SHA-1, not the secret key (S, T). Another result comprises fault attacks on MQ-schemes [HTS11, YL17]. Hashimoto et al. [HTS11] presented general fault attacks on MQ-PKC including Big Field type, such as Matsumoto-Imai, HFEv-, and SFLASH, as well as Single Field type, such as UOV, Rainbow, STS, and TTM/TTS. Yi and Li [YL17] proposed a fault attack with DPA on enTTS, which is a special case of Rainbow. No investigation has been conducted on the security of MQ-schemes using only PA. In this paper, we provide the first results on the security of MQ-signature schemes using correlation power analysis (CPA) and algebraic key recovery attacks (KRAs).
Our Contributions. Our main contributions are as follows:

− CPA on Rainbow Implementation with Equivalent Keys in the form of Fig. 1. We recover a full secret key of Rainbow by performing CPA on its implementation with equivalent keys in the form of Fig. 1, which are used to reduce the secret key size as presented in [CHT12]. The first source of side-channel leakage is the matrix-vector product with the secret affine map S in signing. After recovering S, we recover the other secret affine map T using the special structure of the equivalent keys. This provides the second source of side-channel leakage, although we cannot know the intermediate values passing through the central map F. We demonstrate how this leakage can be practically exploited on an 8-bit AVR microcontroller using CPA.

− Hybrid Attack on Rainbow Implementation with Random Affine Maps. We extend our attack to Rainbow implementations with random affine maps instead of the equivalent keys in the form of Fig. 1. In this case, after recovering S via CPA, we recover T by mounting algebraic KRAs using good keys.

− CPA on UOV Implementation with the Equivalent Key in the form of Fig. 2. Our attack can be applied to the single layer MQ-signature scheme UOV if it is implemented with the equivalent key in the form of Fig. 2 as presented in [CHT12], because the structure of its equivalent keys is similar to that of Rainbow.

− CPA on Other MQ-signature Schemes. This is the first result on the security of the MQ-signature schemes Rainbow and UOV against non-invasive attacks. Our CPA can be applied to the UOV-like single layer scheme LUOV, as the equivalent key T in the form of Fig. 2 is used in its design and implementation. Our hybrid attack can also be applied to the Rainbow-like multi-layered schemes Rainbow and HiMQ-3.
Organization. The rest of the paper is organized as follows. In Section 2, we describe the UOV and Rainbow signature schemes, and CPA. In Section 3, we present a full secret key recovery on a Rainbow implementation with the equivalent keys in the form of Fig. 1 via CPA. We then describe how this leakage in Rainbow can be practically exploited on an 8-bit AVR microcontroller using CPA. In Section 4, we demonstrate a hybrid attack on a Rainbow implementation with random affine maps, combining CPA with algebraic KRAs. CPA on other MQ-signature schemes is discussed in Section 5. We also discuss possible countermeasures against our proposed attacks in Section 6. Finally, concluding remarks are given in Section 7.

Preliminaries
Here, we first describe two MQ-signature schemes, UOV [KPG99] and its layered version Rainbow [DS05]. We then introduce the concept of equivalent keys of MQ-schemes and CPA.

UOV
Let $\mathbb{F}_q$ be a finite field with q elements. We define a system of multivariate quadratic equations $P = (P^{(1)}, \dots, P^{(m)})$ with m equations in n variables as

Rainbow
Ding and Schmidt [DS05] proposed a layered MQ-signature scheme, Rainbow, based on UOV to improve efficiency and reduce the key sizes. It has been submitted to NIST for Post-Quantum Cryptography Standards.
. . . , n, we define multivariate quadratic polynomials in n variables $x_1, \dots, x_n$ as follows: where $x = (x_1, \dots, x_n)$ and l is the only integer such that $k \in O_l$. These are Oil and Vinegar polynomials with $x_i$ for $i \in V_l$ being Vinegar variables, and they can be inverted using the Oil-Vinegar method as in UOV. Then, two invertible affine maps $S : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and $T : \mathbb{F}_q^n \to \mathbb{F}_q^n$ are chosen to hide the special structure of the central map F in the public key, where T mixes the variables and S mixes the polynomials. A public key is the composition of three maps, $P = S \circ F \circ T$, and a secret key is (S, F, T). In general, Rainbow is denoted by
1. For a security parameter λ, a public key is $PK = P = S \circ F \circ T$ and a secret key is $SK = (S, F, T)$.

Equivalent Keys in UOV and Rainbow
The existence of numerous different secret keys corresponding to a given public key is a special feature of MQ-schemes [DYC+08, WP05]. The concept of equivalent keys is defined by Definition 1. Let $GL_m(\mathbb{F}_q)$ be the general linear group of degree m over $\mathbb{F}_q$.
Definition 1. F and F' have the same structure when restricted to a fixed index set. Assume that P is given by $P = S \circ F \circ T$. If $P = S' \circ F' \circ T'$ and F' preserves all zero coefficients of F, then we call (S', T') equivalent keys of P.
The concept of equivalent keys plays an important role in breaking MQ-schemes. If an adversary can find any equivalent key, he can forge signatures on any message for the public key P. KRAs exploit the special structure of the central map, i.e., zero entries at certain known places, to obtain equations in the entries of S and T. If one can find simpler equivalent keys S' and T', then the large structured system of multivariate quadratic equations that has to be solved to recover S and T has fewer variables. If one can find two invertible linear maps $\Sigma \in GL_m(\mathbb{F}_q)$ and $\Omega \in GL_n(\mathbb{F}_q)$ such that $F' = \Sigma \circ F \circ \Omega$ and F and F' have the same structure, then (S', F', T') is an equivalent key, where $S' = S \circ \Sigma^{-1}$ and $T' = \Omega^{-1} \circ T$. Note that we set the preserving index set as all quadratic terms with zero coefficients in the Oil × Oil part. Fig. 1 presents the forms of the equivalent keys of Rainbow, where gray parts denote arbitrary entries, white parts denote zero entries, and there are ones on the diagonal. For UOV, if one can find $\Omega \in GL_n(\mathbb{F}_q)$ such that $F' = F \circ \Omega$ and F and F' have the same structure, then (F', T') is an equivalent key, where $F' = F \circ \Omega$ and $T' = \Omega^{-1} \circ T$. The form of the equivalent keys of UOV is given in Fig. 2.
We will use these special structures of equivalent keys for CPA on UOV and Rainbow, if UOV and Rainbow are implemented with the equivalent keys of the forms in Fig. 1 and Fig. 2, respectively, as in [CHT12].

Correlation Power Analysis
PA exploits the power consumption measured while a cryptosystem operates on an electronic device. The two main classes of PA are simple power analysis (SPA) and DPA. Here, we introduce the properties of DPA. Typically, knowledge of the cryptographic algorithm alone is sufficient. DPA is based on a divide-and-conquer approach: the attacker forms a hypothesis value and compares the hypothesis against measured power traces. The attacker repeats this process for all sub-key candidates and determines the value of each sub-key to recover the full key.
Power consumption is typically modeled by estimating the number of 1s in a register using a Hamming weight or Hamming distance power model. If Pearson's correlation coefficient is used in DPA, it is referred to as CPA. DPA is summarized as follows [MOP07].

Step 1. Choosing an intermediate result of the executed cryptographic algorithm.
This intermediate result is computed from a known non-constant data value $d_i$, a small part of the secret value $k_j$, and a target function $f(d_i, k_j)$. In most attack scenarios, $d_i$ is either plaintext or ciphertext. The correlation coefficient is an excellent choice when DPA is performed, as it is the most common way to determine linear relationships between data. The correlation coefficient used in Step 4 is expressed as follows:
$$\rho(X, Y) = \frac{\mathrm{Cov}(X, Y)}{\sqrt{\mathrm{Var}(X)\,\mathrm{Var}(Y)}}$$
where $\mathrm{Cov}(X, Y)$ and $\mathrm{Var}(X)$ denote the covariance between the random variables X and Y and the variance of the random variable X, respectively.
Fig. 1: Forms of the equivalent keys of Rainbow (gray parts denote arbitrary entries, white parts denote zero entries, ones on the diagonal).

General Leakage Model
Here, we present a general leakage model for CPA on Rainbow implementations that operate on embedded devices. As seen in §2.1 and §2.2, both UOV and Rainbow perform matrix-vector product operations for their signature generation. In Rainbow, a matrix-vector product is computed at the second step of signature generation to compute α from S and the hash value of the message m. A matrix-vector product is also computed at the final step to produce the signature, in both UOV ($\sigma = T(\alpha)$) and Rainbow ($\sigma = T(\beta)$).
To recover a secret affine map, we target the location where the matrix-vector product operates. It is easy to reveal the secret affine map S using CPA, as we can control (or know) the vector multiplied by S. Unfortunately, a technical hurdle must be overcome to recover the other secret affine map T, as we cannot observe the intermediate values that are multiplied by T. However, if Rainbow and UOV are implemented with their equivalent keys in the forms of Fig. 1 and Fig. 2, respectively, for efficiency, we can also retrieve T using CPA, even though we cannot observe all intermediate values.
Let a matrix-vector product with matrix $A \in \mathbb{F}_q^{n \times n}$ and $x \in \mathbb{F}_q^n$ be $x' = A x^T = (x'_1, x'_2, \dots, x'_n) \in \mathbb{F}_q^n$. Each element of x' is calculated as follows:
$$x'_j = \sum_{i=1}^{n} a_{ji} \cdot x_i \quad (1)$$
First, if we can control all elements of the vector x to recover the affine map S, then we use the intermediate results in Table 1 to obtain all elements of the i-th row of the matrix A.
In Table 1, Guess represents a hypothetical key. These intermediate results can always be used, regardless of whether the equivalent keys in the form of Fig. 1 are used. Second, if the equivalent keys in the form of Fig. 1 are used at the final step of signature generation, we can obtain some information on the intermediate values. Here, let the matrix A be an equivalent key in the form of Fig. 1, consisting of two submatrices $A_1$ and $A_2$ as shown in Fig. 3. Assume that the equivalent key A in the form of Fig. 1 is used in the Rainbow implementation. As can be seen in Fig. 3, the $v_1$ vinegar variables of x' are affected by $A_1$ and $A_2$, the first $o_1$ oil variables of x' are affected only by $A_2$, and the last $o_2$ oil variables, which are used in the second layer of Rainbow, do not change. Therefore, it is possible to recover $A_2$, because the last $o_2$ elements of x that are multiplied with the submatrix $A_2$ are identical to the last $o_2$ elements of x'. In other words, $x'_j = x_j$ for $v_1 + o_1 + 1 \le j \le n$. Thus, we can reveal all elements of $A_2$, i.e., the elements from the $(v_1 + o_1 + 1)$-th to the n-th column. Here, we use the following intermediate result to recover $A_2$: After recovering $A_2$, we compute $x_{v_1+1}$ to $x_{v_1+o_1}$ using the following equation, with $a_{ij}$ the (i, j)-th element of the submatrix $A_2$:
$$x_j = x'_j - \sum_{k=v_1+o_1+1}^{n} a_{jk} \cdot x_k \quad \text{for } v_1 + 1 \le j \le v_1 + o_1$$
As $x_{v_1+1}, x_{v_1+2}, \dots, x_{v_1+o_1}$ are multiplied with $A_1$, we can reveal all elements of $A_1$ using the following intermediate result:
Figure 3: Matrix-vector product using the equivalent key in the form of Fig. 1 in Rainbow with two layers.

Algorithm 1 Matrix-vector product
Input: matrix $A \in \mathbb{F}_q^{n \times n}$, vector $x \in \mathbb{F}_q^n$
Output: vector $x' = A x^T \in \mathbb{F}_q^n$
1: for i = 1 to n do
2:   $x'_i = 0$
3: end for
4: for i = 1 to n do
5:   for j = 1 to n do
6:     $x'_j = x'_j + a_{ji} \cdot x_i$   // +: field addition, ·: field multiplication
7:   end for
8: end for
9: return x'

Experimental Setup
Algorithm 1 is the most commonly used efficient matrix-vector product method, because it reduces the number of load operations. We analyze the C code of Rainbow at the 80-bit security level, which also uses the matrix-vector product of Algorithm 1, over $\mathbb{F}_q$ with $q = 2^8$ [COD]. Clearly, the addition operation of Eq. (1) can be replaced by the exclusive OR operation. For simplicity of exposition, we assume that the matrix-vector product is implemented as shown in Algorithm 1 with m = 6, n = 8, and two layers in the Rainbow signature scheme with $o_1 = 2$ and $o_2 = 4$. Note that, even though these parameters do not match the currently accepted security parameters, if CPA succeeds against this parameter set, the result can be easily extended to larger parameters. Moreover, we can retrieve the secret key even if $o_2$ is small.
We port the matrix-vector product code to the ChipWhisperer-Lite evaluation platform [New]. ChipWhisperer-Lite was developed to support embedded hardware security research. It comprises two main parts, a multi-purpose PA capture instrument and a target board. The target board is an Atmel XMEGA128 programmable chip with a fixed clock frequency of 7.37 MHz. The signal is amplified with up to 55 dB gain, and the power traces are sampled at a rate of 96 MS/s. To obtain power consumption traces of S, we first generate random hashed messages $h^{(1)}, h^{(2)}, \dots, h^{(N)} \in \mathbb{F}_{2^8}^8$, and then perform the matrix-vector product operations. Here, $h^{(i)}$ represents the hash value of the i-th message, which is used in the i-th signature generation. To recover T, we use the outputs of signature generation, i.e., $\sigma^{(1)}, \sigma^{(2)}, \dots, \sigma^{(N)}$. For convenience, we drop the superscript of h and σ in the remainder of the paper.

Case Study: Recovering S and T
Now, we present a case study on the recovery of S and T in Rainbow. The second step of the Rainbow signature algorithm is to multiply $S \in \mathbb{F}_{2^8}^{8 \times 8}$ by the hashed message $h \in \mathbb{F}_{2^8}^8$. Here S has the form of Fig. 1: its last four rows are the last four rows of the identity matrix (bytes 01 on the diagonal and 00 elsewhere), while its upper rows hold the secret entries $s_{ij}$. When the hashed message h and the matrix S are multiplied, h contains known values, and each element of S is a secret value that the attacker wants to find. If we perform CPA using the intermediate result discussed in §3.1, it is easy to find all elements of S. However, the obtained traces must be split into partial matrix-vector product traces because of the loop structure of Algorithm 1.
There are two attack positions for each $s_{ij}$. For example, if we target $s_{13}$, then the first position is where the value $h_1 \oplus (s_{13} \cdot h_3)$ is calculated and stored. The second position is where the value $h_1 \oplus (s_{13} \cdot h_3)$ is loaded to calculate $h_1 \oplus (s_{13} \cdot h_3) \oplus (s_{14} \cdot h_4)$. Fig. 4 shows the correlation coefficient for the intermediate result $h_1 \oplus (s_{13} \cdot h_3)$ with the correct value. As can be seen in Fig. 4, there are two positions with high peaks.
When we attack the first position, the loading of the message byte $h_1$ to calculate $h_1 \oplus (s_{13} \cdot h_3)$ interferes with the analysis. The CPA results for $s_{13}$ at the first attack position are shown in Fig. 9a and 9b (Appendix A). The correlation coefficient for $h_1$, i.e., the correlation coefficient of $s_{13} = 0$, is higher than that for the right key. We compared the locations where $h_1$ is loaded and where $h_1 \oplus (s_{13} \cdot h_3)$ is calculated. The peaks occurred at almost the same positions; only a one-point difference was observed between loading $h_1$ and calculating $h_1 \oplus (s_{13} \cdot h_3)$. The right key could be distinguished by substituting the key candidates into the intermediate result of $s_{14}$. However, we use the second position for simplicity, as it is unaffected by the loading of $h_1$.
To recover the other secret map T, we consider the computation of the product $\sigma = T\beta$ for $\beta \in \mathbb{F}_{2^8}^8$, where T has the form of Fig. 1:
$$T = \begin{pmatrix}
01 & 00 & t_{13} & t_{14} & t_{15} & t_{16} & t_{17} & t_{18} \\
00 & 01 & t_{23} & t_{24} & t_{25} & t_{26} & t_{27} & t_{28} \\
00 & 00 & 01 & 00 & t_{35} & t_{36} & t_{37} & t_{38} \\
00 & 00 & 00 & 01 & t_{45} & t_{46} & t_{47} & t_{48} \\
00 & 00 & 00 & 00 & 01 & 00 & 00 & 00 \\
00 & 00 & 00 & 00 & 00 & 01 & 00 & 00 \\
00 & 00 & 00 & 00 & 00 & 00 & 01 & 00 \\
00 & 00 & 00 & 00 & 00 & 00 & 00 & 01
\end{pmatrix}$$
Note that $\sigma_5 = \beta_5$, $\sigma_6 = \beta_6$, $\sigma_7 = \beta_7$, and $\sigma_8 = \beta_8$. Thus, we can reveal the elements of T in columns 5 to 8. In fact, we still have no information on $\beta_3$ and $\beta_4$, which hinders the CPA for $t_{3j}$ and $t_{4j}$. However, we can reveal $t_{4j}$ (and $t_{3j}$) because there are positions where $t_{ij} \cdot \beta_j$ is computed. After these positions are found, we perform CPA with the intermediate result Guess $\cdot\ \beta_j$. Once the elements of T in columns 5 to 8 are known, we can also calculate $\beta_3$ and $\beta_4$ from the third and fourth rows of T, using $\sigma_j = \beta_j$ for $5 \le j \le 8$:
$$\beta_3 = \sigma_3 - \sum_{j=5}^{8} t_{3j} \cdot \sigma_j, \qquad \beta_4 = \sigma_4 - \sum_{j=5}^{8} t_{4j} \cdot \sigma_j$$
Similarly, we can recover the remaining elements of T, $t_{j3}$ and $t_{j4}$ for $1 \le j \le 2$.

Experimental Results
The top of Fig. 5 shows a power consumption trace during the multiplication of the 8 × 8 matrix S and the vector h. As can be seen, eight operations are performed, i.e., the first iteration after initialization in Algorithm 1 (steps 4-8), and, if we expand part of the top of
Since the same message is used consecutively, as in Algorithm 1, we must find an appropriate target position that effectively reveals all elements of the secret matrices before performing CPA. We then carry out CPA with the 500 collected traces. Fig. 9 (Appendix A) and Fig. 6 show the results of CPA for $s_{13}$. Fig. 9a (Appendix A) shows the maximum correlation coefficients of all hypothetical keys, and Fig. 9b (Appendix A) shows the maximum correlation coefficients as the number of traces increases, at the first position. We experiment with trace counts increasing in steps of 10. Here, even if the number of traces is increased, the correct key cannot be found. Figs. 6a and 6b show the maximum correlation coefficients of all hypothetical keys and the maximum correlation coefficients as the number of traces increases, at the second position. As can be seen in Fig. 6b, we can find the correct key using only 30 traces.
As mentioned previously, we use the signature values to reveal T and only target the place where $t_{ij} \cdot \beta_j$ is computed, because the remaining intermediate values are unknown. Fig. 7a and Fig. 7b show the CPA results for $t_{45}$ and $t_{46}$, respectively.

Hybrid Attack on Rainbow Implementation with Random Affine Maps
In the previous section, we recovered the affine map T using CPA when Rainbow is implemented with its special equivalent keys in the form shown in Fig. 1. Now, we show that full secret key recovery is also possible via a hybrid attack when Rainbow is implemented using random affine maps instead of the equivalent keys in the form of Fig. 1. The hybrid attack is a combination of CPA and algebraic KRAs: we first recover the random affine secret map S by performing CPA, and then the other affine secret map T is recovered by mounting algebraic KRAs.

Recovery of Random Affine Map S via CPA
The recovery of the random affine map S on Rainbow with random affine maps using CPA is identical to that on Rainbow with the special form of equivalent secret keys. Fig. 10 (Appendix B) shows the CPA results for the random secret key S with 500 traces when we target the position where the value $s_{11} \cdot h_1$ is loaded. As seen in Fig. 10b (Appendix B), only 30 traces are required to reveal $s_{11}$. Thus, the secret affine map S is recovered in this manner.

Recovery of Random Affine Map T via KRAs
Suppose that S is recovered from the public key $P = S \circ F \circ T$. Then we can easily recover T via algebraic KRAs. In fact, the role of S is to mix the polynomials of the first and the second layers, since the polynomials have different structures in multi-layered MQ-signature schemes such as Rainbow. Thus, in layered MQ-signature schemes, removing S exposes each layer, which leads to breaking the scheme through several attacks, including rank-based attacks, direct attacks, and KRAs. Here, we show that T can be retrieved by KRAs using good keys. Because S and P are known, we can compute $S^{-1} \circ P$. Hence, without loss of generality, we begin with the structure $P = F \circ T$, where T is a random invertible affine map. We denote by $F^{(k)}$ ($1 \le k \le m$) the symmetric matrices corresponding to the homogeneous quadratic part of the k-th component of the central map F, and by $P^{(k)}$ ($1 \le k \le m$) the symmetric matrices associated with the quadratic part of the k-th component of the public key P. As $P = F \circ T$, we have $F = P \circ T'$ with $T' = T^{-1}$, and certain places with zero coefficients in $F^{(k)}$ are known, so we obtain the following equality:
$$F^{(k)} = T'^{\,T} P^{(k)} T'$$
The corresponding system of equations is: where $P^{(k)}_{yz}$ is the coefficient of $x_y x_z$ in $P^{(k)}$, because we already know that $f^{(k)}_{ij} = 0$ for some i, j, k by the construction of F. For Rainbow($\mathbb{F}_q, v_1, o_1, o_2$), we obtain a system of quadratic equations in $n^2$ variables. The complexity of solving such a system using HF5, an efficient Gröbner basis algorithm for solving the MQ-problem [BFP09], is very large.
To improve this complexity, we can find an equivalent key (F', T') such that $P = F' \circ T'$, where F' Note that all variables of each equation in (3) lie in a single column of T'. For each j with $v_1 + o_1 + 1 \le j \le n$, we obtain a smaller linear system of $v_1 o_1$ equations in the $v_1 + o_1$ variables of the j-th column of T'. Hence, we obtain $o_2$ such linear systems with $v_1 + o_1$ variables (observe that $v_1 o_1 \ge v_1 + o_1$), which are easily solvable. Note that solving each linear system is eventually equivalent to the KRAs using good keys on Rainbow in [Tho13]. Let $T'_j$ be a good key that preserves the j-th column of T' and agrees with the identity map elsewhere. Then it suffices to solve each linear system from (3) to find the unknown variables in $T'_j$. In our attack, we need to find $o_2$ such good keys $T'_j$; this differs slightly from the approach of KRAs using good keys in [Tho13]. After substituting the obtained variables into the remaining equations, we obtain a linear system of $o_1^2 o_2$ equations in the remaining $v_1 o_1$ variables, in the following form: Finally, we can find T' in polynomial time by solving $o_2$ linear systems in $v_1 o_1$ variables and then solving $o_1$ linear systems in $v_1$ variables. After recovering T', F is also easily computable as $F = P \circ T'$. Practically, we consider the specific parameter set Rainbow($\mathbb{F}_{2^8}$, 36, 21, 22), which achieves a 128-bit security level. We are able to recover its equivalent key in less than 0.46 milliseconds on an Intel Xeon E5-2687W CPU at 3.1 GHz with 256 GB RAM.

CPA on Other MQ-Signature Schemes
We have shown that full secret key recovery on Rainbow-like multi-layered signature schemes via CPA is possible regardless of whether the equivalent keys in the form of Fig. 1 are used. Fig. 2 is similar to that of Rainbow. However, if a random invertible affine map T is used in the UOV implementation, we cannot recover T using the same attack. Now, we discuss the applicability of our attacks to the MQ-schemes submitted to NIST. Seven MQ-signature schemes, LUOV, Rainbow, HiMQ-3, MQDSS, DualModeMS, Gui, and GeMSS, have been submitted to NIST's Post-Quantum Cryptography Standardization [NIS16b]. Our CPA can be applied to the UOV-like single layer scheme LUOV, as its design and implementation use the equivalent key in the form of Fig. 2. Our hybrid attack can also be applied to the Rainbow-like multi-layered schemes Rainbow and HiMQ-3. However, our attacks cannot be applied to MQDSS because it does not use the ASA structure.
Finally, by choosing input messages, our CPA can be applied to the other three MQ-signature schemes based on the ASA structure, DualModeMS, Gui, and GeMSS. More precisely, partial information on the first affine secret map, corresponding to S, of these three schemes can be retrieved by a chosen-message 1-bit CPA. We cannot control all bits of h, as they use HFEv- schemes. Therefore, we can only recover partial information on the first affine secret map. We believe that the recovery of partial information on S would weaken the security of these schemes. However, for each scheme, depending on the additional structure of the central map or of the other affine map T, an exact analysis should be conducted of the effect of recovering S on the recovery of T or on forgery attacks.

Countermeasures Against the Proposed CPA
The algebraic KRAs in our attack can only be used when the secret affine map S is retrieved by CPA. Here, we discuss countermeasures against our CPA to protect the secret affine map S.

UOV-like single layer schemes
UOV-like single layer schemes are vulnerable to our attack only when they are implemented using the equivalent key in the form of Fig. 2. If they use a random affine map T instead of the equivalent keys in their implementations, they are secure against our CPA attack.

Rainbow-like multi-layered schemes
Unfortunately, Rainbow-like multi-layered schemes are vulnerable to our attack regardless of the use of the equivalent keys in the form of Fig. 1. Therefore, we must focus on implementing an algorithm that is secure against PA. PA exploits the fact that the power consumption of cryptographic devices depends on the intermediate values of the executed cryptographic algorithm. There are several types of countermeasures to eliminate or reduce these dependencies. A good overview of DPA countermeasures is available in [MOP07]. The most commonly used countermeasures are hiding and masking techniques at the algorithmic level. Random insertion of dummy operations and shuffling of operations are commonly used as hiding techniques because of their flexibility in software. For example, each time the algorithm runs, the order in which the rows or columns of the matrix A in Algorithm 1 are loaded can be changed.

Algorithm 2 Matrix-vector product using shuffling
Input: matrix $A \in \mathbb{F}_q^{n \times n}$, vector $x \in \mathbb{F}_q^n$
Output: vector $x' = A x^T \in \mathbb{F}_q^n$
1: for i = 1 to n do
2:   $x'_i = 0$
3: end for
4: $\kappa_1, \kappa_2 \leftarrow$ random permutations of $\{1, \dots, n\}$   // Generate random permutations
5: for i = 1 to n do
6:   for j = 1 to n do
7:     $x'_{\kappa_2(j)} = x'_{\kappa_2(j)} + a_{\kappa_2(j)\kappa_1(i)} \cdot x_{\kappa_1(i)}$
8:   end for
9: end for
10: return x'

Algorithm 2 shows the matrix-vector product using the shuffling countermeasure. Here, $\kappa_1$ and $\kappa_2$ are random permutations of a set of size n. The classical algorithm for random permutation generation can be found in [Knu81]; it has linear complexity. The statistical effects of shuffling in terms of PA have been studied [CCD00, Man04]. It is generally known that if the probability that an intermediate value occurs at a certain time is p, then the number of traces needed for a successful attack increases by a factor of $1/p^2$ [HOM06]. In Algorithm 2, the probability that a given intermediate value of our matrix-vector product using shuffling occurs at a certain time is $1/n^2$. Therefore, the number of traces needed for a successful attack increases by a factor of $(n^2)^2$.
Another approach is to use a logical masking method with random numbers. For example, message randomization is a widely used method to prevent DPA against RSA, which can be expressed as
$$\left( (m \cdot r^e)^d \cdot r^{-1} \right) \bmod N = m^d \bmod N,$$
where r and m represent a random number and a message, respectively, N is the public modulus, and the public key e and the private key d are linked to each other by the equation $e \cdot d \equiv 1 \pmod{\varphi(N)}$, where $\varphi(\cdot)$ denotes Euler's function. Similarly, we can use message randomization to prevent our attack when S and h are multiplied:
$$S \cdot h = r^{-1} * \big( S \cdot (r * h) \big),$$
where * denotes a vector-scalar product. Algorithm 3 shows the pseudo-code of the matrix-vector product using message randomization, and Table 2 compares the operation counts of Algorithms 1 and 3. As can be seen in Table 2, the matrix-vector product using message randomization needs 2n more field multiplications and one field inversion compared with the general matrix-vector product.

Algorithm 3 Matrix-vector product using message randomization
Input: matrix $A \in \mathbb{F}_q^{n \times n}$, vector $x \in \mathbb{F}_q^n$
Output: vector $x' = A x^T \in \mathbb{F}_q^n$
1: for i = 1 to n do
2:   $x'_i = 0$
3: end for
4: $r \in_R \mathbb{F}_q^*$   // The notation $\in_R$ stands for random sampling and $\mathbb{F}_q^*$ means $\mathbb{F}_q \setminus \{0\}$
5: for i = 1 to n do
6:   $x_i = x_i \cdot r$
7: end for
8: for i = 1 to n do
9:   for j = 1 to n do
10:    $x'_j = x'_j + a_{ji} \cdot x_i$
11:  end for
12: end for
13: for i = 1 to n do
14:   $x'_i = x'_i \cdot r^{-1}$
15: end for
16: return x'

This countermeasure prevents our proposed attacks; however, the scheme would still be vulnerable to more sophisticated attacks (such as higher-order DPA). We do not discuss countermeasures against such attacks here, as they are outside the scope of this paper. Finding the optimal method is not easy; hence, our future work includes designing a masking scheme that adapts to the limitations of each implementation platform.
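As an added example, which is neither the paper's code nor the [COD] implementation, the following C program implements Algorithms 1, 2 and 3 over $\mathbb{F}_{2^8}$ and checks that both the shuffled and the message-randomized product return exactly the plain product. The reduction polynomial 0x11B, the xorshift PRNG (a stand-in for a CSPRNG) and the constructed matrix and vector are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

#define N 8   /* vector length; the case study in the text uses n = 8 */

/* GF(2^8) multiplication with the reduction polynomial x^8+x^4+x^3+x+1
   (0x11B). This modulus is an assumption of the example; the field
   representation of the analysed [COD] implementation is not given here. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a <<= 1;
        if (carry) a ^= 0x1B;
        b >>= 1;
    }
    return p;
}

/* Inverse of a nonzero element as a^254 (square-and-multiply). */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1, base = a;
    for (unsigned e = 254; e; e >>= 1) {
        if (e & 1) r = gf_mul(r, base);
        base = gf_mul(base, base);
    }
    return r;
}

/* Algorithm 1: column-oriented product x' = A x^T over GF(2^8), with A
   stored row-major as A[j*N + i] = a_ji. Field addition is XOR. This is
   the unprotected loop whose intermediate values the paper correlates on. */
static void matvec_plain(const uint8_t *A, const uint8_t *x, uint8_t *out) {
    memset(out, 0, N);
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++)
            out[j] ^= gf_mul(A[j * N + i], x[i]);
}

/* Deterministic xorshift32 so the demo is reproducible; a real
   implementation must take r and the permutations from a CSPRNG. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rng_next(void) {
    uint32_t s = rng_state;
    s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    return rng_state = s;
}

/* Uniform random permutation of {0,...,N-1} (Fisher-Yates, as in [Knu81]). */
static void random_perm(uint8_t *perm) {
    for (int i = 0; i < N; i++) perm[i] = (uint8_t)i;
    for (int i = N - 1; i > 0; i--) {
        int j = (int)(rng_next() % (uint32_t)(i + 1));
        uint8_t t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
}

/* Algorithm 2: the same product, but column index i and row index j are
   visited in the orders kappa1 and kappa2, refreshed on every call. */
static void matvec_shuffled(const uint8_t *A, const uint8_t *x, uint8_t *out) {
    uint8_t k1[N], k2[N];
    random_perm(k1);
    random_perm(k2);
    memset(out, 0, N);
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++)
            out[k2[j]] ^= gf_mul(A[k2[j] * N + k1[i]], x[k1[i]]);
}

/* Algorithm 3: message randomization. The vector is scaled by a fresh
   nonzero r before the product, so every intermediate a_ji * (r x_i)
   depends on r; the scaling is undone with r^-1 at the end
   (2n extra multiplications and one inversion, as in Table 2). */
static void matvec_masked(const uint8_t *A, const uint8_t *x, uint8_t *out) {
    uint8_t r = (uint8_t)(rng_next() % 255u + 1u);   /* r in F_q \ {0} */
    uint8_t rinv = gf_inv(r);
    uint8_t xr[N];
    for (int i = 0; i < N; i++) xr[i] = gf_mul(x[i], r);
    matvec_plain(A, xr, out);
    for (int j = 0; j < N; j++) out[j] = gf_mul(out[j], rinv);
}

/* Constructed check: on an arbitrary matrix and vector, both protected
   variants must return exactly the plain product. Returns 1 on success. */
int countermeasures_agree(void) {
    uint8_t A[N * N], x[N], plain[N], shuf[N], mask[N];
    for (int i = 0; i < N; i++) {
        x[i] = (uint8_t)(0x1F * i + 7);
        for (int j = 0; j < N; j++) A[i * N + j] = (uint8_t)(0x33 * i + 0x5B * j + 1);
    }
    matvec_plain(A, x, plain);
    for (int trial = 0; trial < 50; trial++) {         /* fresh randomness each run */
        matvec_shuffled(A, x, shuf);
        matvec_masked(A, x, mask);
        if (memcmp(plain, shuf, N) || memcmp(plain, mask, N)) return 0;
    }
    return 1;
}
```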

Conclusion
We showed that, using only CPA, a full secret key can be recovered from Rainbow implemented with the equivalent keys in the form of Fig. 1, due to the special structure of the equivalent keys. We also demonstrated how this leakage on Rainbow can be exploited in practice on an 8-bit AVR microcontroller using CPA. Next, we extended the full secret key recovery to the general case using random affine maps via a hybrid attack: after recovering S by performing CPA, we recovered T by mounting algebraic KRAs. The same attack can be applied to UOV when it is implemented with the equivalent key T in the form of Fig. 2. Our attacks can also be applied to the Rainbow-like multi-layered signature schemes submitted to NIST for Post-Quantum Cryptography Standardization, regardless of whether the equivalent keys in the form of Fig. 1 are used, and to the submitted UOV-like single layer signature schemes whose implementations use the equivalent key T in the form of Fig. 2. This is the first result on the security of MQ-signature schemes using only CPA.