Efficient Implementations of Rainbow and UOV using AVX2

Rainbow, a signature scheme based on multivariate quadratic equations, was selected as one of the digital signature finalists for NIST Post-Quantum Cryptography Standardization Round 3. In this paper, we provide efficient implementations of Rainbow and UOV using the AVX2 instruction set. These implementations include several optimizations for signing that accelerate solving linear systems and the Vinegar value substitution. We propose a new block matrix inversion (BMI) method using the Lower-Diagonal-Upper decomposition of block matrices based on the Schur complement, which accelerates solving linear systems. Compared to UOV implemented with Gaussian elimination, our implementations with the BMI result in speedups of 12.36%, 24.3%, and 34% for signing at security categories I, III, and V, respectively. Compared to Rainbow implemented with Gaussian elimination, our implementations with the BMI result in speedups of 16.13% and 20.73% at security categories III and V, respectively. We show that precomputation for the Vinegar value substitution and for solving the linear systems dramatically improves signing. UOV with precomputation is 16.9 times, 35.5 times, and 62.8 times faster than UOV without precomputation at the three security categories, respectively. Rainbow with precomputation is 2.1 times, 2.2 times, and 2.8 times faster than Rainbow without precomputation at the three security categories, respectively. We then investigate resilience against leakage or reuse of the precomputed values in UOV and Rainbow, so that the precomputation can be used securely: leakage or reuse of the precomputed values leads to full secret key recovery in polynomial time.


Notations
- x_1, · · · , x_v : Vinegar variables (v : the number of Vinegar variables)
- x_{v+1}, · · · , x_{v+o} : Oil variables (o : the number of Oil variables, which is also the number of equations in F)
- n = v + o : the number of variables in F
Each component function F^(k) of F = (F^(1), F^(2), · · · , F^(o)) is of the form
(K.-A. Shim, S. Lee, and N. Koo)

MQ-PKC
How to construct an easily invertible F: single field type, the OV map.
How to invert F:
- Choose Vinegar variables at random and plug them into each F^(k). Then the red parts of the above equation (the terms involving only Vinegar variables) become constants.
- Since there are no quadratic terms in the Oil variables in each F^(k), what remains is a linear system in the Oil variables.
Note that we select q = 256 for all our parameters above.

Detail of our implementations
Similarly to Rainbow, we apply T = [ I T′ ; 0 I ] (a 2 × 2 block matrix, blocks listed row by row) for UOV.
Intel(R) Core(TM) i9-10900X CPU running at a constant clock frequency of 3.70 GHz.
Each result is an average of 10,000 measurements of each function, implemented in the C programming language and compiled with GNU GCC version 10.

Efficient Implementations of UOV and Rainbow
The most dominant parts of signing in UOV and Rainbow are:
- Substitution of the Vinegar values into the central polynomials: computing the coefficient matrix LS_V and the constant term of the linear system to be solved.
- Solving the obtained linear system: we need to compute the inverse LS_V^{-1} of the coefficient matrix obtained above.

Key idea of our efficient implementations of UOV and Rainbow
Block Matrix Inversion - we replace one inversion of an m × m matrix with two inversions of m/2 × m/2 matrices when m is even.
Precomputation - the above two parts can be precomputed, after which the signing process is significantly faster.

Theorem 1
Let R = [ A B ; C D ] be a matrix partitioned into 2 × 2 blocks.
(i) Assume A is nonsingular. Then R is invertible if and only if the Schur complement (D − CA^{-1}B) of A is invertible, and R^{-1} is then expressed in terms of A^{-1} and (D − CA^{-1}B)^{-1}.
(ii) Assume D is nonsingular. Then R is invertible if and only if the Schur complement (A − BD^{-1}C) of D is invertible, and R^{-1} is then expressed in terms of D^{-1} and (A − BD^{-1}C)^{-1}.
⇒ Computing R^{-1} requires two inversions and six matrix multiplications of the half-sized matrices.
For a nonsingular k × k matrix R as above, computing R^{-1} · α requires two inversions and two matrix multiplications of the half-sized block matrices plus four block matrix-vector products, where k is even and α = (α_1, · · · , α_{k/2})^T.

Sketch of Proof.
A nonsingular square matrix R of 2 × 2 blocks is represented by the LDU decomposition of block matrices based on the Schur complement as

Repeated BMI
An inversion of an m × m matrix can be replaced by two inversions of m/2 × m/2 matrices. In the same manner, each of these two m/2 × m/2 inversions can be replaced by two inversions of m/4 × m/4 matrices if m is a multiple of 4.
In general, for k = 2^l · k′, we can apply the BMI l times. We call the number of iterations of the BMI the depth. We cannot expect l iterations to always be effective, because 2^l inversions of k/2^l × k/2^l matrices are then required. The larger the matrix size, the greater the performance improvement.
The especially large improvements for sizes 64 and 96 are due to the fact that multiples of 32 are the optimal parameters for AVX2 vectorization.
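The BMI of Theorem 1, iterated to a chosen depth as described above, as an added example in plain Python (not the authors' AVX2 code): it assumes GF(256) with reduction polynomial x^8 + x^4 + x^3 + x + 1 (the page fixes only q = 256), uses Gauss-Jordan both as the base case and as the baseline the paper compares against, and returns None when the A block or its Schur complement is singular, the case in which signing draws new Vinegar values.

```python
import functools, operator

POLY = 0x11B  # assumed reduction polynomial x^8+x^4+x^3+x+1; the page only fixes q = 256

def gf_mul(a, b):  # multiplication in GF(256), bit-serial (real code uses tables or AVX2)
    r = 0
    for i in range(8):
        r ^= a if b >> i & 1 else 0
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
    return r

def gf_inv(a):  # inverse of nonzero a by search; fine for a demo, real code uses a^254 or a table
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def mat_mul(A, B):  # matrix product over GF(256); the row-column sum is an XOR in characteristic 2
    return [[functools.reduce(operator.xor, (gf_mul(a, b) for a, b in zip(row, col)), 0)
             for col in zip(*B)] for row in A]

def mat_add(A, B):  # characteristic 2: addition and subtraction are both XOR
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def gauss_inv(M):  # Gauss-Jordan over GF(256), the baseline BMI is compared against; None if singular
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]  # augment with I
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c]), None)  # pivot search in column c
        if p is None:
            return None
        A[p], A[c] = A[c], [gf_mul(gf_inv(A[p][c]), x) for x in A[p]]  # swap pivot row in, scale to 1
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [x ^ gf_mul(A[r][c], y) for x, y in zip(A[r], A[c])]  # eliminate column c
    return [row[n:] for row in A]

def block_inv(R, depth=1):  # BMI, Theorem 1 (i): two half-size inversions plus six half-size products
    h, odd = divmod(len(R), 2)
    if depth == 0 or odd:
        return gauss_inv(R)
    A, B = [r[:h] for r in R[:h]], [r[h:] for r in R[:h]]
    C, D = [r[:h] for r in R[h:]], [r[h:] for r in R[h:]]
    Ai = block_inv(A, depth - 1)  # first inversion, itself a BMI while depth remains
    if Ai is None:
        return None  # A singular: (i) does not apply; in signing, new Vinegar values are drawn
    AiB, CAi = mat_mul(Ai, B), mat_mul(C, Ai)
    Si = block_inv(mat_add(D, mat_mul(C, AiB)), depth - 1)  # second inversion: Schur complement D - C A^-1 B
    if Si is None:
        return None  # singular Schur complement means R itself is singular
    SiCAi, AiBSi = mat_mul(Si, CAi), mat_mul(AiB, Si)
    TL = mat_add(Ai, mat_mul(AiB, SiCAi))  # R^-1 = [[A^-1 + A^-1 B S^-1 C A^-1, A^-1 B S^-1], [S^-1 C A^-1, S^-1]]
    return [TL[i] + AiBSi[i] for i in range(h)] + [SiCAi[i] + Si[i] for i in range(h)]
```

A matrix built as L·U with unit-lower L and nonzero-diagonal upper U has every leading block invertible, so it exercises depth 1 and 2 without retries; a random coefficient matrix can hit a singular A block even when the whole matrix is invertible, which is exactly when the signer redraws.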

Applying BMI to UOV and Rainbow Signing
After obtaining LS_V from the Vinegar value substitution, we set the block partition and apply the BMI on LS_V.
If a block to be inverted is not invertible, then we choose new Vinegar values.
Note that the probability that the matrices are invertible is
Details of our proposed algorithm applying the BMI to the signing of Rainbow and UOV are given in Algorithms 7 and 8 of our paper, respectively.
The table below gives the implementation results of our proposed BMI method in CPU cycles.
Compared to UOV implemented with Gaussian elimination, by using the BMI with depth 1 we obtain speedups of 12.36%, 20.41%, and 32.42% at the three security categories, respectively.

Offline/Online Signing of UOV

Offline phase
After choosing random Vinegar values s_V = (s_1, · · · , s_v) ∈ F_q^v, substitute s_V into the o equations F^(k) (1 ≤ k ≤ o) to get the linear system LS_V of o equations in o unknowns and a constant vector c_V = (c_1, · · · , c_m). Compute LS_V^{-1}. If LS_V is not invertible, go back to the first step. Store < s_V, c_V, LS_V^{-1} > as the precomputed values.

Offline/Online Signing of Rainbow
The offline phase of the first layer of Rainbow is similar to that of UOV.
But in the second layer, precomputation is limited:
- Some Vinegar variables x_{v+1}, · · · , x_{v+o_1} of the second layer are determined depending on the (hashed) message h.
So the precomputable values are:
- LS_{V,1}^{-1} : the inverse of the coefficient matrix LS_{V,1} of the linear system obtained in the first layer
- c_{V,1} : a vector of the constant terms in F^(1)(s_V), · · · , F^(o_1)(s_V)
- F^(o_1+1)(s_V), · · · , F^(o_1+o_2)(s_V) : the linear terms and constant terms obtained when s_V is substituted into the central polynomials of the second layer
The precomputed values < s_V, c_V, LS_V^{-1} > should be stored securely.

Theorem 3
> are given such that the n × n matrix (σ^(1)T σ^(2)T · · · σ^(n)T) is invertible, then the secret key of UOV is completely recovered in polynomial time.
Do not reuse < s_V, c_V, LS_V^{-1} >. The precomputed value < s_V, c_V, LS_V^{-1} > should not be reused in signing.

Theorem 5 [SK20]
If (m + 1) signatures generated with the reused Vinegar values are given, then the equivalent key of UOV is completely recovered in polynomial time; the complexity of the key recovery attacks (KRAs) using good keys on Rainbow is determined by solving a multivariate system of m quadratic equations in o_1 variables.

Theorem 6
If (o_2 + 1) signatures generated by reusing the precomputed values are given, then an equivalent key of Rainbow is recovered in polynomial time with high probability.