 Research
 Open access
 Published:
Performance comparison of quantumsafe multivariate polynomial public key encapsulation algorithm
EURASIP Journal on Information Security volumeÂ 2024, ArticleÂ number:Â 23 (2024)
Abstract
A novel quantumsafe key encapsulation algorithm, called Multivariate Polynomial Public Key (MPPK), was recently proposed by Kuang, Perepechaenko, and Barbeau. Security of the MPPK key encapsulation mechanism does not rely on the prime factorization or discrete logarithm problems. It builds upon the NPcompleteness of the modular Diophantine equation problem, for which there are no known efficient classical or quantum algorithms. Hence, it is resistant to known quantum computing attacks. The private key of MPPK comprises a pair of multivariate polynomials. In a companion paper, we analyzed the performance of MPPK when these polynomials are quadratic. The analysis highlighted the MPPK high decapsulation time. We found that, while maintaining the security strength, the polynomials can be linear. Considerable performance gains are obtained for the decapsulation process. In this article, we benchmark the linear case and compare the results with the previous quadratic case.
1 Introduction
Multivariate Polynomial Public Key (MPPK) Key Encapsulation Mechanism (KEM) is a public key cryptographic scheme for encapsulating a secret, typically a symmetric encryption key. A MPPK KEM public key is made of polynomials ranging over a large finite field. Furthermore, the encapsulation is nondeterministic. A detailed security analysis of MPPK KEM can be found inÂ [1]. A performance analysis published inÂ [2] highlights the slow key decapsulation performance of MPPK relative to the four National Institute of Standards and Technology (NIST) PostQuantum Cryptography (PQC) KEM schemes. This arises from the quest to find the roots of a quadratic polynomial within a Galois field, specifically, the process of extracting square roots within a finite field.
2 Contribution
In this article, the performance issue is resolved by choosing private key polynomials of degree \(\lambda\) equals to one. The case where \(\lambda\) equals two is called quadratic. Its performance has been analyzed and publishedÂ [2]. The linear case, where \(\lambda\) equals one, is studied in this article and compared against the quadratic case. We examine in detail the performance of the linear case. Evidence is provided that the decapsulation performance is over ten times better than the quadratic case. There is no loss of security strength. Indeed, the security analysis inÂ [1] is developed for any positive integer value \(\lambda\). A security reduction from the NPcomplete Modular Diophantine Equation Problem (MDEP) to MPPK establishes the strength of MPPK KEM. As in this article, the security reduction applies directly to the case \(\lambda\) equals one.
The article is structured as follows. Related work is reviewed. The MPPK KEM cryptographic system is described. The results of benchmarking MPPK against the NISTchosen algorithms as candidates for potential standardization are presented. We conclude at the end.
3 Related work
This research relates to the work on PQC, which is about creating cryptographic schemes that withstand attacks perpetrated with the assistance of quantum computersÂ [3]. The main threat is Shorâ€™s quantum algorithmÂ [4] that can efficiently solve the prime factorization and discrete logarithm problems. Cryptographic schemes building on the strength of these problems, such as Rivestâ€“Shamirâ€“Adleman (RSA), are at risk. The Groverâ€™s quantum algorithm Â [5] is also a concern for symmetric encryption but to a lesser extent because the risk can be mitigated by doubling the key length.
An influential initiative in the realm of PQC has been spearheaded by NIST, aiming to standardize KEMs resilient to Shorâ€™s algorithmÂ [6, 7]. Cryptosystems impervious to Shorâ€™s algorithm include McEliece, Kyber, NTRU, Saber, BIKE, and HQCÂ [8,9,10,11,12,13].
Our work is closely aligned with Multivariate Public Key Cryptosystem (MPKC) PQC KEMÂ [14,15,16,17]. MPKC relies on the NPhardness of solving systems of multivariate quadratic polynomials over finite fields. In the MPKC cryptographic scheme, a public key comprises polynomials over a finite field. Notably, MPKC polynomials operate over relatively small fields (\(\mathbb {F}_q\)) or a small extension field \(\mathbb {F}_{q^n}\), where n is relatively small.
MPKC employs a central mapping mechanism represented by a system of reversible matrices, denoted as \(\mathcal {P}_j\) for \(j=1, 2, \dots , n\). Each matrix has dimensions \(m \times m\) and operates within an mdimensional vector space denoted by \({\textbf {U}}=\mathbb {F}_q^m[x_1, \dots ,x_m]\). In this vector space, a secret can be represented as a column vector \(\vec {x}=(x_1, \dots , x_m)^T\). The mapping operates symmetrically, utilizing the product \(\vec {x}^T \cdot \mathcal {P}_j \cdot \vec {x} \rightarrow \sum _{i=1}^m\sum _{k=1}^m \mathcal {P}^{(j)}_{ik}x_ix_k=P_j(x_1, x_2, \dots , x_m)\), where both the left and right sides of matrix \(\mathcal {P}_j\) involve the same secret vectorleft as a row vector \(\vec {x}^T\) and right as a column vector \(\vec {x}\).
While MPKC, in its traditional form, does not inherently offer a KEM due to the deterministic nature of the symmetric map, it has been adapted into various schemes to address different cryptographic needs. For instance, MPKC has been employed in digital signature schemes using a single field, key exchange using a big field like the Hidden Field Equations (HFE)Â [18], and a simple matrix scheme known as SimpleMatrixÂ [19] for specific key exchange scenarios.
MPPK, proposed by Kuang, Perepechaenko, and BarbeauÂ [1], can be considered as a new unique variant of the MPKC scheme in the following ways:

1.
The symmetric map \(\vec {x}^T \cdot \mathcal {P}_j \cdot \vec {x}\) in MPKC is substituted by an asymmetric map \(\vec {x_0}^T \cdot \mathcal {P}_j \cdot \vec {x}\) with \(\vec {x_0}^T = \left( x_0^0, x_0^1, \dots , x_0^{n+\lambda }\right)\) denoting a secret \(x_0\) in a polynomial vector space \({\textbf {V}}=\) \(\mathbb {F}_p[x_0]^{(n+\lambda )}\) and \(\vec {x}\) denoting a noise vector in a mdimensional vector space \({\textbf {U}}=\mathbb {F}_p^m[x_1,\dots ,x_m]\). Only two multivariate polynomials are required in MPPK.

2.
The separate representations of the left vector (secret) from a vector space \({\textbf {V}}=\mathbb {F}_p[x_0]^{n+\lambda }\) and right vector (noise) from a vector space \({\textbf {U}}=\mathbb {F}_p^{m}[x_1,\dots ,x_m]\) enables MPPK to be a randomized KEM scheme, working over a large finite field \(\mathbb {F}_p\).

3.
The invertible map requirement is eliminated. The inverse reciprocity of multiplication and division is used for key construction and secret decapsulation.
4 MPPKÂ KEM in a nutshell
The security parameters of MPPK KEM are as follows:

p: The prime number of a prime field \(\mathbb {F}_p\).

\(\lambda\): The order of of two private polynomials \(f(x_0)\) and \(h(x_0)\).

n: With respect to variable \(x_0\), the order of a randomly chosen base multivariate polynomial \(\beta (x_0, x_1, \dots , x_m)\).

t: The value defining the hidden ring \(\mathbb {Z}/t\mathbb {Z}\), where the bit size \(t_2\) of t is of the form \(2 p_2+8\). It is a security parameter. The value t is a part of the private key.
We briefly outline the MPPK key pair construction in SubsectionÂ 4.1, encapsulation in SubsectionÂ 4.2, and decapsulation in SubsectionÂ 4.3.
4.1 Key pair construction
MPPK KEMÂ [1] starts from three polynomials: two univariate polynomials \(f(x_0)\) and \(h(x_0)\), with \(x_0\) denoting the secret, and one multivariate polynomial \(\beta (x_0, x_1, \dots , x_m)\) over a prime field \(\mathbb {F}_p\). They have the following general forms:
where \(\lambda\), n and m areÂ positive integers with \(m \ge 4\) for the security consideration as shown in SectionÂ 6. Using polynomial multiplication, two product polynomials are assembled as follows:
Using these three polynomials, we derive the polynomials \(\Phi (x_0, x_1, \dots , x_m)\) and \(\Psi (x_0, x_1, \dots , x_m)\) as follows:
These two derived polynomials are parts of the public key with \(\Phi _{ij} = \sum _{s+t=i} f_sc_{tj}\) and \(\Psi _{ij} = \sum _{s+t=i} h_sc_{tj}\). The first and last terms in Eq.Â (2) are encrypted in the hidden ring \(\mathbb {Z}/t\mathbb {Z}\) with randomly chosen values \(R_0\) and \(R_n\) over the ring, with the conditions \(gcd(R_0, t) = 1\) and \(gcd(R_n, t) = 1\) with the bit length of t greater than or equal to \(2p_2 + m(n+\lambda +1)_2\) as shown in the third bullet point in the above. Using \(R_0\) and \(R_n\), two noise functions are defined
where the coefficients \(\mathcal {N}_{0j}\) and \(\mathcal {N}_{nj}\) are integers over the hidden ring \(\mathbb {Z}/t\mathbb {Z}\). In the ring, they hide the coefficients \(c_{0j}, c_{nj}\), \(j=1,\ldots ,m\), shared with the polynomial \(\beta (\cdot )\) (Eq.Â (1)). We define the public key as the following items

1
Polynomial \(\Phi (x_0, x_1, \dots , x_m)\),

2
Polynomial \(\Psi (x_0, x_1, \dots , x_m)\),

3
Noise functions \(\mathcal {N}_0( x_1, \dots , x_m)\) and \(\mathcal {N}_n(x_0, x_1, \dots , x_m)\)
together with the security parameters \(\lambda\), n, m, and p. The private key consists of the items

1
\(t, R_0\), \(R_n\)

2
\(f(x_0)\)

3
\(h(x_0)\)
AlgorithmÂ 1 formally describes the key generation procedure. The inputs are security parameters \(\lambda\), n, m, and p. The body of the algorithm implements the above series of equations. From LinesÂ 2 toÂ 5, a forloop generates the coefficients of the polynomials \(f(\cdot )\) and \(h(\cdot )\), first two lines of Eq.Â (1). From LinesÂ 6 toÂ 10, a second forloop produces the coefficients of the polynomials \(\beta (\cdot )\), third line of Eq.Â (1). From LinesÂ 12 toÂ 19, a third forloop derives the coefficients of the polynomials \(\Phi (\cdot )\) and \(\Psi (\cdot )\), Eq.Â (3). The random values \(R_0\) and \(R_1\) are generated in LinesÂ 21 toÂ 26 and LinesÂ 28 toÂ 31. From LinesÂ 33 toÂ 36, a final forloop assembles the noise functions \(\mathcal {N}_0(\cdot )\) and \(\mathcal {N}_n(\cdot )\), Eq.Â (4). The key pair generator keeps the private key safely and publishes the public key with security parameters \(\lambda\), n, m, and p. The returned values are the coefficients of the two polynomials \(\Phi (\cdot )\) and \(\Psi (\cdot )\), over \(\mathbb {F}_p\), and the noise functions \(\mathcal {N}_0(\cdot )\) and \(\mathcal {N}_n(\cdot )\), over the hidden ring.
4.2 Encapsulation
A shared secret (symmetric) key can be encapsulated using the MPPK public key. A source randomly selects a secret s in \(\mathbb {F}_p\). It assigns it to the variable \(x_0\). The secret s is encapsulated by the source and subsequently decapsulated by a destination. The latter uses the private key. For instance, s could be a symmetric encryption key between the source and destination for the following communications. The encapsulation process involves randomly choosing m values \(v_1,\ldots ,v_m\) in \(\mathbb {F}_p\) for the variables \(x_1,\dots ,x_m\), representing m noise variables. The source evaluates the functions \(\Phi (\cdot )\), \(\Psi (\cdot )\), \(\mathcal {N}_0(\cdot )\), and \(\mathcal {N}_n(\cdot )\) as follows:
AlgorithmÂ 2 formally delineates the encapsulation process. The encapsulation procedure has formal parameters the polynomials \(\Phi (\cdot )\), \(\Psi (\cdot )\), \(\mathcal {N}_0(\cdot )\), \(\mathcal {N}_n(\cdot )\), secret s, and security parameters \(\lambda\), n, m, and p. LinesÂ 2 toÂ 4 generate the m random values assigned to the noise variables \(x_1,\dots ,x_m\). This step implements the concept of randomized encapsulation in the MPPK KEM scheme. Using the coefficients of the public key polynomials \(\Phi (\cdot )\) and \(\Psi (\cdot )\), the values of the noise variables, and secret s, LinesÂ 6 toÂ 13 evaluate \(\Phi (\cdot )\) and \(\Psi (\cdot )\) that are loaded into variables \(\overline{\Phi }\) and \(\overline{\Psi }\). Using the coefficients of the public key polynomials \(\mathcal {N}_0(\cdot )\) and \(\mathcal {N}_n(\cdot )\), the values of the noise variables, and secret s, Lines 15 toÂ 21 evaluate \(\mathcal {N}_0(\cdot )\) and \(\mathcal {N}_n(\cdot )\) and store the results into the variables \(\overline{\mathcal {N}}_0\) and \(\overline{\mathcal {N}}_n\). The procedure returns the quadruple \(\left( \overline{\Phi }, \overline{\Psi },\overline{\mathcal {N}}_0,\overline{\mathcal {N}}_n\right)\).
4.3 Decapsulation
The destination receives the quadruple \(\left( \overline{\Phi }, \overline{\Psi }, \overline{\mathcal {N}}_0, \overline{\mathcal {N}}_n \right)\). The destination calculates the following two quantities:
By construction, both values \(\phi (s,v_1,\ldots ,v_m)\) and \(\psi (s,v_1,\ldots ,v_m)\) share the common factor \(\beta (s,v_1,\ldots ,v_m)\), see Eq.Â (1). To cancel their common factor, the destination calculates the following ratio, modulo p:
The value k is evaluated by the destination that owns all the secret elements of the private key, including t, \(R_0\), and \(R_n\). At this point, the destination obtains the secret solving for the unknown denoted as s the following univariate polynomial equation:
Recall that \(f(\cdot )\) and \(h(\cdot )\) are solvable polynomials of degree \(\lambda\), Eq.Â (8) can be solved with wellknown radicals. In contrast, in our previous workÂ [2] (\(\lambda\) is two), the polynomials \(f(x_0)\) and \(h(x_0)\) are quadratic. The secret s is extracted using a modular square root algorithm. Verification is required to choose between two rootsÂ [2].
The detailed decapsulation procedure for the new linear case (\(\lambda\) is one) is formalized in AlgorithmÂ 3. The decapsulation procedure takes in input the secret values t, \(R_0\), and \(R_n\), and the secret polynomials \(f(\cdot )\) and \(h(\cdot )\). It also takes the quadruple \(\left( \overline{\Phi }, \overline{\Psi }, \overline{\mathcal {N}}_0, \overline{\mathcal {N}}_n \right)\), which encapsulates the secret produced by the source, and the public security parameters \(\lambda\), n, m, and p. LinesÂ 2 andÂ 3 calculate the first terms of polynomials \(f(\cdot )\) and \(h(\cdot )\), evaluated with the encapsulated secret. Similarly, LinesÂ 4 andÂ 5 calculate the last terms of polynomials \(f(\cdot )\) and \(h(\cdot )\), evaluated with the encapsulated secret. On LinesÂ 6 and Â 7, the variables \(\overline{\Phi }\) and \(\overline{\Psi }\) denote the evaluations of the polynomials \(\phi (\cdot )\) and \(\psi (\cdot )\) with the encapsulated secret and the m noise variables. LineÂ 8 determines the value of k, Eq.Â (7). On LineÂ 9, the linear equation is solved to determine the value of the unknown s, i.e., the secret. The secret is returned on LineÂ 11.
A detailed security analysis of MPPK KEM has been publishedÂ [1]. In short, the security of MPPK KEM relies upon the computationally difficult NPcompleteness of MDEPÂ [20].
5 Benchmarking results
We report new benchmarking results for the MPPK KEM linear case, comparing against the NIST PQC standardized Kyber and fourthround candidatesthe McEliece, BIKE, and HQC schemes. Additionally, we include the NTRU and Saber schemes for exploration purposes despite their exclusion from the NIST standardization. Benchmarking was conducted using the SUPERCOP benchmarking toolÂ [21].
All schemes were configured to align with the NIST security LevelsÂ I, III, andÂ V, corresponding to the difficulty levels of breaking the 128, 192, and 256bit Advanced Encryption Standard (AES). The benchmarking runs were performed on a 16core IntelÂ® Coreâ„¢ i710700 CPU at 2.90â€‰GHz.
The notation MPPK\(n\lambda m\) refers to a MPPK scheme instance where n is the order of the base polynomial, \(\lambda\) is the order of the univariate polynomials, and m is the number of noise variables. For example, MPPK325 means \(n=3\), \(\lambda =2\) (quadratic univariate polynomials), and \(m=5\) for five noise variables, whereas MPPK115 means that the univariate polynomials are linear. The performance of univariate quadratic polynomials has been reportedÂ [2]. In this article, the focus is on linear univariate polynomials. The performance of three configurations of MPPK KEM is compared with NIST standardized Kyber, the fourthround candidates (McEliece, BIKE, HQC), as well as twothirdround finalists NTRU and Saber although both NTRU and Saber are excluded for the fourth round.
We omitted the performance comparison with BIKEÂ [12] as its reference implementation is not advisable due to the susceptibility to sidechannel attacks. The provided performance metrics for key generation, encapsulation, and decapsulation in the AVX2 implementation are indicative benchmarks for comparison with the MPPK KEM reference implementation.
5.1 NIST security level I
TableÂ 1 compares public key, private key, and ciphertext (encapsulated secret) sizes for various cryptographic schemes with a secret size requirement of 32 bytes, aligned with NIST security LevelÂ I. The analyzed algorithms include MPPK325Â [2], MPPK415, MPPK115, McEliece, Kyber, NTRU, Saber, BIKEÂ [12], and HQCÂ [13].
McEliece has the largest public key (261,120 bytes) and private key (6492 bytes) sizes. Although, its ciphertext is relatively compact at 128 bytes. In contrast, MPPK325 and MPPK415 exhibit smaller public keys (490 bytes) compared to Kyber (800 bytes), NTRU (699 bytes), and Saber (672 bytes). MPPK115 boasts a compact public key of 250 bytes. Notably, the private keys of all three MPPK schemes are less than 100 bytes, over ten times smaller than those of Kyber, NTRU, Saber, and McEliece. A small public key is an advantage because, in many use cases, it has to be transported over a network.
In terms of ciphertext sizes, McEliece stands out with the smallest size of 128 bytes. Conversely, the MPPK schemes feature larger ciphertexts: 272 bytes for MPPK415 and MPPK115, and 340 bytes for MPPK325Â [2]. For \(\lambda =2\), a secret verification code is included in the ciphertext of the MPPK325 scheme to determine which root of a quadratic polynomial corresponds to the secret. This addition contributes to the larger size of the MPPK325 ciphertext. Nevertheless, these sizes remain smaller than those of Kyber, NTRU, and Saber. It is worth noting the distinctive characteristics of BIKE and HQC: BIKE boasts a larger public key and ciphertext size compared to HQC, yet its private key is more compact. Comparatively, BIKE stands out with a larger public key (1541 bytes) and ciphertext (1573 bytes), while having a more compact private key (281 bytes) compared to the other schemes. HQC exhibits the largest public key (2249 bytes) and ciphertext (4497 bytes) sizes, with a remarkably small private key (56 bytes). The MPPK schemes, including MPPK325, MPPK415, and MPPK115, present competitive sizes, balancing public key, private key, and ciphertext considerations.
In TableÂ 2, we present the key generation performance data for NIST security LevelÂ I across standardized Kyber, the fourth round candidates (McEliece,BIKE, HQC), NTRU, Saber, and three MPPK configurations. The data, expressed in clock cycles, has been obtained using the NIST SUPERCOP tool, providing a standardized testing environment, except for BIKE and HQC. BIKE and HQC data has been taken from their submissions to NIST. We put their data in the 50th percentile category.
The table categorizes the performance data into three percentilesâ€”25th, 50th, and 75th. McElieceâ€™s 75thpercentile performance data is notably higher, exceeding 100 million cycles, making it the slowest among all schemes and 2.5 times larger than the 25thpercentile. NTRU exhibits the secondslowest key generation performance among all listed schemes. Kyber is significantly faster than NTRU but slower than Saber. Saber positions itself as a competitive option, with MPPK325 and MPPK415 achieving similar key generation performances. MPPK115 is the fastest scheme, requiring less than 20,000 clock cycles for key generation. Considering BIKEâ€™s AVX2 performance (usually ten times faster than reference implementation), its reference performance should be comparable with NTRU. HQC performs five to ten times slower than MPPK schemes. Notably, MPPK115 outperforms all other schemes in terms of key generation efficiency.
TableÂ 3 categorizes the encapsulation performance data into three percentilesâ€”25th, 50th, and 75th. McEliece demonstrates relatively consistent encapsulation performance across percentiles, exhibiting a moderate increase from the 25th to the 75th percentile. Kyber shows stable encapsulation speed, slightly increasing from the 25th to the 50th percentile. NTRU maintains consistent encapsulation performance across percentiles, with a relatively narrow range between the 25th and 75th percentiles. Saber exhibits a moderate increase in encapsulation speed from the 25th to the 75th percentile.
MPPK325Â [2] and MPPK415 showcase similar encapsulation speeds, with MPPK325 demonstrating slightly better performance. McEliece, Kyber, BIKE(AVX2), and MPPK325 perform at similar speeds in encapsulation, around 100â€‰K cycles. Saber and MPPK415 exhibit comparable performance levels of about 60â€‰K cycles. MPPK115 consistently outperforms other schemes, requiring the fewest clock cycles for encapsulation across all percentiles. Overall, MPPK115 stands out as the most efficient scheme for encapsulation, making it wellsuited for applications demanding superior encapsulation efficiency.
For decapsulation of security LevelÂ I in TableÂ 4, McEliece becomes the slowest scheme with over 45 million cycles. NTRU is the secondslowest scheme, with over one million cycles. MPPK325 is at 480 kilocycles, much slower than Kyber and Saber at levels of around 100 kilocycles. The primary reason is that the secret is extracted through a modular square root over the field \(\mathbb {F}_p\). The fastest schemes are MPPK415 and MPPK115, with the same performance of 34 kilocycles. The fast speed is due to the linear polynomials \(f(x_0)\) and \(h(x_0)\), so the secret extraction is achieved with modular division. It is also noticed that the performance is independent of the order n of the base polynomial \(\beta (x_0, x_1, \dots , x_m)\). BIKEâ€™s AVX2 performance is comparable with NTRUâ€™s reference performance, with over 1 million cycles as the secondslowest scheme for decapsulation. The third slowest is HQC with 833 kilocycles.
5.2 NIST security level III
TableÂ 5 contains the public, private, and ciphertext sizes required to achieve NIST security LevelÂ III. Relative performance results are very similar to security LevelÂ I. McEliece has the largest public key of 524,160 bytes, a private key of 13,608, and the smallest ciphertext size of 188. HQC and BIKE have the second and third largest for public key size but the largest and second largest for ciphertext size. HQC offers the smallest private key of only 64 bytes. Kyber and Saber have over one kilobyte public key and ciphertext sizes, but their private key sizes are more than double their public keys. MPPK326 and MPPK416 have bigger public key sizes, 588 bytes, than for the security LevelÂ I because they are six noise variables, compared with five noise variables in security LevelÂ I. However, their private keys and ciphertexts are the exact sizes as in the security LevelÂ I.
The performance results for key generation for security LevelÂ III are presented in TableÂ 6. McEliece behaves similarly to its security LevelÂ I (TableÂ 2) but is more than three times slower. NTRU also behaves like security LevelÂ I but is about 50\(\%\) slower at over 10 million cycles. The key generation performance for Kyber also increases its cycles by 50\(\%\) from security LevelÂ I to LevelÂ III, with about 100 kilocycles. Saber doubles its clock cycles from security LevelÂ I at 60 kilocycles to LevelÂ III at 128 kilocycles. BIKEâ€™s key generation takes 1.8 million cycles (three times slower compared with its LevelÂ I performance) with the AVX2 implementation. HQC is also more than doubling its cycles, compared with its performance at LevelÂ I, and about three to four times slower than Kyber and Saber. However, the three MPPK KEM schemes only slightly increased their clock cycles from security LevelÂ I to LevelÂ III, continuing to position themselves as the fastest schemes compared with the NIST candidates.
TableÂ 7 lays out the encapsulation performance data for security LevelÂ III. NTRU still has the slowest performance, with over 700 kilocycles. McEliece, Kyber, and Saber, are at the same level at 150 kilocycles. BIKE demonstrates a reasonable encapsulation performance with the AVX2 implementation. HQC stands at the slowest position, with over 900 kilocycles for encapsulation. The three MPPK KEM schemes are the fastest, with MPPK116 being the quickest at 33 kilocycles. The MPPK KEM schemes are identical for decapsulation from security LevelÂ I to LevelÂ III. McEliece doubles its clock cycles from LevelÂ I at 45 million cycles to LevelÂ III at 93 million cycles. NTRU increases from 1.2 million cycles for LevelÂ I to 2.1 million cycles for LevelÂ III. Kyber and Saber behave the same as NTRU and McEliece, about doubling their clock cycles. BIKE is the secondslowest decapsulation scheme with about 3.9 million cycles in AVX2 implementation, compared with McEliece at its reference implementation. HQC takes the third slowest position at about 1.7 million cycles (Table 8).
5.3 NIST security level V
For security LevelÂ V, the parameter sets and performance figures for key generation, encapsulation, and decapsulation are enumerated in TablesÂ 9, 10, 11, andÂ 12. For this case, the MPPK KEM public keys are bigger because the number of noise variables is seven. There is no change in private key and ciphertext sizes. MPPK KEM produces the smallest keys compared with the NIST finalists. The most significant key sizes are still from McEliece, with a public key of over oneÂ MB and a 13Â KB private key, then HQC and BIKE have the second and third largest public key sizes. The relative placement of all schemes is consistent with the security LevelsÂ I andÂ III.
The performance for key generation in TableÂ 10 reaches over 1 billion clock cycles for McEliece and 16 million clock cycles for NTRU. Kyber and Saber are in the midtens of kilocycles. HQC stands on the third slowest scheme with over 800 kilocycles for key generation at LevelÂ V. MPPK327 takes about half the number of clock cycles of Saber, and MPPK117 is the fastest at 20 kilocycles.
The slowest performance for encapsulation in TableÂ 11 is HQC with over 1.8 million cycles then NTRU with one million cycles, then McEliece and Keyber with 200 kilocycles. Saber is at the midhundreds of kilocycles. MPPK117 is again the fastest scheme with less than 40 kilocycles.
TableÂ 12 shows that all MPPK KEM schemes have the same decapsulation performance as in security levels I and III. McEliece still has the worst performance with 179 million cycles in decapsulation, then NTRU and HQC with three million cycles. However, Kyber is about 240 kilocycles, and Saber is less than 200 kilocycles. MPPK327Â [2] is more than ten times slower than MPPK417 and MPPK117 due to its decapsulation requiring quadratic root computations.
6 Discussion on new potential attacks
Known attacks against MPPK KEM have been reviewed in Ref.Â [1]. Their corresponding complexities have been analyzed. Optimal configurations mitigating the risks of attacks for NIST security LevelsÂ I, III, andÂ V have been identified. In the following, we discuss the time complexity of new potential attacks against MPPK KEM that have been uncovered since the publication of Ref.Â [1]. In no way do they weaken the strength of the MPPK KEM, but we feel it is essential to address and respond to what may seem to be problems, a priori.
6.1 Message recovery attack
A message recovery attack is based on intercepted ciphertexts to extract the secret message or usually called session key. A message recovery attack on MPPK KEM implies challenging an adversary with a system of equations generated by an encapsulated text quadruple of the form:
where \(m+1\) is greater than four. The adversary is looking to solve this system to obtain the value for the message variable \(x_0\) that carries the secret value s. A ciphertextonly attack strategy consists of first solving every equation separately and then finding a common solution. However, every equation has more than one variable. Another avenue for an adversary is to reduce the system in Eq.Â (9) to a single equation of the form:
However, the framework of MPPK KEM requires \(m+1\) to be greater than four. InÂ [1], it is demonstrated that the best classical time complexity of a ciphertextonly attack is in \(\mathcal {O}(p^{m3}).\)
6.2 Key recovery attack
In this article, we examine one new key recovery attack. The attack uses the public key, as defined in Eqs.Â (3) andÂ (4). The attack is applicable to both the quadratic case (\(\lambda\) is two) and linear case (\(\lambda\) is one). Without loss of generality, we review the attack for the linear case. A system of equations generated by the coefficients of the polynomial \(\Phi (x_0, x_1, \dots , x_m)\) can be reduced to an equation of the form \(F(f_0, f_1, c_0, c_n)=0\).
For j in 1,Â ...,Â m, consider a system of equations of the form
with variables \(f_0\) and \(f_1\) of orders as high as n and linear orders for the terms \(c_{0j}\) and \(c_{nj}\). Similarly, we can derive an equation of that same form from the polynomial \(\Psi (.)\),
Using Gaussian eliminations for Eqs.Â (11) andÂ (12), we can easily remove a common variable such as \(c_{nj}\) and obtain a single equation for a given j as follows:
with the highest order being 2n for \(j=1,\ldots ,m\), forming a typical homogeneous nonlinear multivariate polynomial equation system. A total of \(m+4\) variables with m equations forms an underdetermined system. The time complexity of obtaining the correct coefficients for \(f_0\), \(f_1\), \(h_0\), and \(h_1\) is in \(\mathcal {O}\left( p^4\right)\). Therefore, the overall time complexity for the key recovery attack is in \(\mathcal {O}\left( tp^4\right)\), which is equivalent to \(\mathcal {O}\left( 2^{6log_2p+8}\right)\) for \(\lambda\) equal to one.
This article reports the detailed performance for \(\lambda\) equal to one, m equal to 5, 6, or 7, and the NIST security Levels I, III, and V. TableÂ 13 provides the configurations required by the MPPK KEM scheme to achieve the NIST security levels I, III, and V for the private and secret recovery attacks. The entropy in bits is listed next to each configuration. By entropy, we imply the classical computational complexity needed to break MPPK KEM given in bits. The order n of the base multivariate polynomial \(\beta (x_0, x_1, \dots , x_m)\) does not impact the optimal complexity due to the Gaussian elimination technique in the private key attack. It has no significant impact on performance in the secret recovery attack. For example, the configurations (64,Â 4,Â 1,Â 5) and (64,Â 1,Â 1,Â 5) both offer 128bit entropy in the secret recovery attack. Still, they have 384bit entropy when the attack aims to break the private and public keys. That means we are required to select the field size to be at least 64 bits long. We evaluated both configurations (64,Â 4,Â 1,Â m) and (64,Â 1,Â 1,Â m) for the chosen security level and compare their performance. Of course, the public key size should be much larger for m equals four than for m equals one.
Sizes (bytes) of the public key, private key, and ciphertext are calculated as follows:

Public Key(B): \(2 m(n+\lambda 1)p_8 + 2 m(2p_8 +1)\).

Private Key(B): \(2(\lambda +1)p_8+3(2p_8+1)\).

Ciphertext(B): \(\frac{32}{p_8}[2p_8 + 2(3p_8+2)]\).
The first parts of key and ciphertext sizes are determined by the elements over the field \(\mathbb {F}_p\). The elements over the unknown ring \(\mathbb {Z}/t\mathbb {Z}\) determine the second parts. The factor \(\frac{32}{p_8}\) is the segment of the secret over the field. The ciphertext second part term \(2(3p_8+2)\) includes the potential extra byte associated with calculating the elements \(\overline{\mathcal {N}}_0\) and \(\overline{\mathcal {N}}_n\) because of multiple integers added together over the ring \(\mathbb {Z}/t\mathbb {Z}\).
7 Conclusion
The study presented in this article highlights performance differences between the linear and quadratic cases of the MPPK KEM scheme. The described evaluation indicates performance gains when MPPK KEM degreeone private polynomials are chosen versus when they are degree two. The data presented indicates that performance gains are obtained for key generation and encapsulation. However, the gains are substantial for decapsulation. This is because the key decapsulation performance is greatly affected by finding the roots of the equation \(\frac{f(s)}{h(s)}=k.\) In the case of linear polynomials, the root can be found with simple arithmetic operations, such as addition and multiplication, over the Galois field \(\mathbb {F}_p\). In the case of quadratic polynomials, the rootfinding problem is reduced to finding quadratic roots, which require iteration over field elements, significantly affecting the MPPK KEM decapsulation performance. Given that the security foundation of the scheme remains intact for any value of \(\lambda\), we conclude that the optimal configuration of MPPK KEM is achieved when the security parameter value \(\lambda\) is equal to one.
Availability of data and materials
All the data and materials generated are included in this manuscript.
References
R. Kuang, M. Perepechaenko, M. Barbeau, A new postquantum multivariate polynomial public key encapsulation algorithm. Quantum Inf. Process. 21, 360 (2022)
R. Kuang, M. Perepechaenko, R. Toth, M. Barbeau, in Risks and Security of Internet and Systems. ed. by S. Kallel, M. Jmaiel, M. Zulkernine, A. Hadj Kacem, F. Cuppens, N. Cuppens, Benchmark performance of the multivariate polynomial public key encapsulation mechanism (Springer Nature Switzerland, Cham, 2023), pp.239â€“255
D. Bernstein, J. Buchmann, E. Dahmen, PostQuantum Cryptography (Springer, Berlin, 2009)
P.W. Shor, Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303â€“332 (1999)
L.K. Grover, Quantum mechanics helps in searching for a needle in a haystack. Phys. Rev. Lett. 79(2), 325 (1997)
Dustin Moody. Status update on the 3rd Round (NIST). https://csrc.nist.gov/CSRC/media/Presentations/statusupdateonthe3rdround/imagesmedia/session1moodynistround3update.pdf. Accessed 23 May 2022
NIST. Status report on the third round of the nist postquantum cryptography standardization process. 2022. https://csrc.nist.gov/publications/detail/nistir/8413/final. Accessed 4 July 2024.
R.J. McEliece, A PublicKey Cryptosystem Based On Algebraic Coding Theory. Deep Space Netw. Prog. Rep. 44, 114â€“116 (1978)
R. Avanzi, J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J.M. Schanck, P. Schwabe, G. Seiler, D. StehlÃ©, Crystalskyber algorithm specifications and supporting documentation. NIST PQC Round. 2, 4 (2017)
J. Hoffstein, J. Pipher, J.H. Silverman, in Algorithmic Number Theory. ed. by J.P. Buhler, NTRU: a ringbased public key cryptosystem (Springer, Berlin Heidelberg, Berlin, Heidelberg, 1998), pp.267â€“288
I.F. Vercauteren. SABER: ModLWR based KEM (Round 3 Submission) (2017). https://www.esat.kuleuven.be/cosic/pqcrypto/saber/files/saberspecround3.pdf. Accessed 21 June 2022
R. Misoczki. BIKE  BIt flipping key encapsulation (2021). https://bikesuite.org/. Accessed 4 July 2024
H. Team. HQC specification (2023). https://pqchqc.org/documentation.html. Accessed 34 July 2024
T. Matsumoto, H. Imai, in Advances, in Cryptology  EUROCRYPT â€™88. ed. by D. Barstow, W. Brauer, P. Brinch Hansen, D. Gries, D. Luckham, C. Moler, A. Pnueli, G. SeegmÃ¼ller, J. Stoer, N. Wirth, C.G. GÃ¼nther, Public quadratic polynomialtuples for efficient signatureverification and messageencryption (Springer, Berlin Heidelberg, Berlin, Heidelberg, 1988), pp.419â€“453
J.Â Ding, in Public Key Cryptography â€“ PKC 2004, ed. by F.Â Bao, R.Â Deng, J.Â Zhou, A new variant of the MatsumotoImai cryptosystem through perturbation (Springer Berlin Heidelberg, Berlin, Heidelberg, 2004), pp. 305â€“318
J. Ding, J. Gower, D. Schmidt, Zhuangzi: a new algorithm for solving multivariate polynomial equations over a finite field. IACR Cryptol. ePrint Arch. 2006, 38 (2006)
J. Ding, B.Y. Yang, Multivariate Public Key Cryptography (Springer, Berlin Heidelberg, Berlin, Heidelberg, 2009), pp.193â€“241
J. Patarin, in Advances, in Cryptology  EUROCRYPT â€™96. ed. by U. Maurer, Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms (Springer, Berlin Heidelberg, Berlin, Heidelberg, 1996), pp. 33â€“48
C. Tao, A. Diene, S. Tang, J. Ding, in PostQuantum Cryptography. ed. by P. Gaborit, Simple matrix scheme for encryption (Springer, Berlin Heidelberg, Berlin, Heidelberg, 2013), pp.231â€“242
M.R. Garey, D.S. Johnson, Computers and Intractability: A Guide to the Theory of NPCompleteness (W. H. Freeman and Co., USA, 1990)
VAMPIRE. eBACS: ECRYPT benchmarking of cryptographic systems â€“ SUPERCOP. https://bench.cr.yp.to/supercop.html. Accessed 4 July 2024
Acknowledgements
Not applicable
Funding
The 4th author acknowledges the financial support from the Natural Sciences and Engineering Research Council of Canada (NSERC).
Author information
Authors and Affiliations
Contributions
All authors contributed equally.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Kuang, R., Perepechaenko, M., Toth, R. et al. Performance comparison of quantumsafe multivariate polynomial public key encapsulation algorithm. EURASIP J. on Info. Security 2024, 23 (2024). https://doi.org/10.1186/s13635024001707
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s13635024001707