Performance comparison of quantum-safe multivariate polynomial public key encapsulation algorithm

A novel quantum-safe key encapsulation algorithm, called Multivariate Polynomial Public Key (MPPK), was recently proposed by Kuang, Perepechaenko, and Barbeau. Security of the MPPK key encapsulation mechanism does not rely on the prime factorization or discrete logarithm problems. It builds upon the NP-completeness of the modular Diophantine equation problem, for which there are no known efficient classical or quantum algorithms. Hence, it is resistant to known quantum computing attacks. The private key of MPPK comprises a pair of multivariate polynomials. In a companion paper, we analyzed the performance of MPPK when these polynomials are quadratic. The analysis highlighted the MPPK high decapsulation time. We found that, while maintaining the security strength, the polynomials can be linear. Considerable performance gains are obtained for the decapsulation process. In this article, we benchmark the linear case and compare the results with the previous quadratic case.

Multivariate Polynomial Public Key (MPPK) Key Encapsulation Mechanism (KEM) is a public key cryptographic scheme for encapsulating a secret, typically a symmetric encryption key. A MPPK KEM public key is made of polynomials ranging over a large finite field. Furthermore, the encapsulation is non-deterministic. A detailed security analysis of MPPK KEM can be found in [1]. A performance analysis published in [2] highlights the slow key decapsulation performance of MPPK relative to the four National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) KEM schemes. This arises from the quest to find the roots of a quadratic polynomial within a Galois field, specifically, the process of extracting square roots within a finite field.

In this article, the performance issue is resolved by choosing private key polynomials of degree \(\lambda\) equals to one. The case where \(\lambda\) equals two is called quadratic. Its performance has been analyzed and published [2]. The linear case, where \(\lambda\) equals one, is studied in this article and compared against the quadratic case. We examine in detail the performance of the linear case. Evidence is provided that the decapsulation performance is over ten times better than the quadratic case. There is no loss of security strength. Indeed, the security analysis in [1] is developed for any positive integer value \(\lambda\). A security reduction from the NP-complete Modular Diophantine Equation Problem (MDEP) to MPPK establishes the strength of MPPK KEM. As in this article, the security reduction applies directly to the case \(\lambda\) equals one.

The article is structured as follows. Related work is reviewed. The MPPK KEM cryptographic system is described. The results of benchmarking MPPK against the NIST-chosen algorithms as candidates for potential standardization are presented. We conclude at the end.

This research relates to the work on PQC, which is about creating cryptographic schemes that withstand attacks perpetrated with the assistance of quantum computers [3]. The main threat is Shor’s quantum algorithm [4] that can efficiently solve the prime factorization and discrete logarithm problems. Cryptographic schemes building on the strength of these problems, such as Rivest–Shamir–Adleman (RSA), are at risk. The Grover’s quantum algorithm  [5] is also a concern for symmetric encryption but to a lesser extent because the risk can be mitigated by doubling the key length.

An influential initiative in the realm of PQC has been spearheaded by NIST, aiming to standardize KEMs resilient to Shor’s algorithm [6, 7]. Cryptosystems impervious to Shor’s algorithm include McEliece, Kyber, NTRU, Saber, BIKE, and HQC [8,9,10,11,12,13].

Our work is closely aligned with Multivariate Public Key Cryptosystem (MPKC) PQC KEM [14,15,16,17]. MPKC relies on the NP-hardness of solving systems of multivariate quadratic polynomials over finite fields. In the MPKC cryptographic scheme, a public key comprises polynomials over a finite field. Notably, MPKC polynomials operate over relatively small fields (\(\mathbb {F}_q\)) or a small extension field \(\mathbb {F}_{q^n}\), where n is relatively small.

MPKC employs a central mapping mechanism represented by a system of reversible matrices, denoted as \(\mathcal {P}_j\) for \(j=1, 2, \dots , n\). Each matrix has dimensions \(m \times m\) and operates within an m-dimensional vector space denoted by \({\textbf {U}}=\mathbb {F}_q^m[x_1, \dots ,x_m]\). In this vector space, a secret can be represented as a column vector \(\vec {x}=(x_1, \dots , x_m)^T\). The mapping operates symmetrically, utilizing the product \(\vec {x}^T \cdot \mathcal {P}_j \cdot \vec {x} \rightarrow \sum _{i=1}^m\sum _{k=1}^m \mathcal {P}^{(j)}_{ik}x_ix_k=P_j(x_1, x_2, \dots , x_m)\), where both the left and right sides of matrix \(\mathcal {P}_j\) involve the same secret vector-left as a row vector \(\vec {x}^T\) and right as a column vector \(\vec {x}\).

While MPKC, in its traditional form, does not inherently offer a KEM due to the deterministic nature of the symmetric map, it has been adapted into various schemes to address different cryptographic needs. For instance, MPKC has been employed in digital signature schemes using a single field, key exchange using a big field like the Hidden Field Equations (HFE) [18], and a simple matrix scheme known as SimpleMatrix [19] for specific key exchange scenarios.

MPPK, proposed by Kuang, Perepechaenko, and Barbeau [1], can be considered as a new unique variant of the MPKC scheme in the following ways:

1. 1.

   The symmetric map \(\vec {x}^T \cdot \mathcal {P}_j \cdot \vec {x}\) in MPKC is substituted by an asymmetric map \(\vec {x_0}^T \cdot \mathcal {P}_j \cdot \vec {x}\) with \(\vec {x_0}^T = \left( x_0^0, x_0^1, \dots , x_0^{n+\lambda }\right)\) denoting a secret \(x_0\) in a polynomial vector space \({\textbf {V}}=\) \(\mathbb {F}_p[x_0]^{(n+\lambda )}\) and \(\vec {x}\) denoting a noise vector in a m-dimensional vector space \({\textbf {U}}=\mathbb {F}_p^m[x_1,\dots ,x_m]\). Only two multivariate polynomials are required in MPPK.

2. 2.

   The separate representations of the left vector (secret) from a vector space \({\textbf {V}}=\mathbb {F}_p[x_0]^{n+\lambda }\) and right vector (noise) from a vector space \({\textbf {U}}=\mathbb {F}_p^{m}[x_1,\dots ,x_m]\) enables MPPK to be a randomized KEM scheme, working over a large finite field \(\mathbb {F}_p\).

3. 3.

   The invertible map requirement is eliminated. The inverse reciprocity of multiplication and division is used for key construction and secret decapsulation.

The security parameters of MPPK KEM are as follows:

• p: The prime number of a prime field \(\mathbb {F}_p\).

• \(\lambda\): The order of of two private polynomials \(f(x_0)\) and \(h(x_0)\).

• n: With respect to variable \(x_0\), the order of a randomly chosen base multivariate polynomial \(\beta (x_0, x_1, \dots , x_m)\).

• t: The value defining the hidden ring \(\mathbb {Z}/t\mathbb {Z}\), where the bit size \(|t|_2\) of t is of the form \(2 |p|_2+8\). It is a security parameter. The value t is a part of the private key.

We briefly outline the MPPK key pair construction in Subsection 4.1, encapsulation in Subsection 4.2, and decapsulation in Subsection 4.3.

4.1 Key pair construction

MPPK KEM [1] starts from three polynomials: two univariate polynomials \(f(x_0)\) and \(h(x_0)\), with \(x_0\) denoting the secret, and one multivariate polynomial \(\beta (x_0, x_1, \dots , x_m)\) over a prime field \(\mathbb {F}_p\). They have the following general forms:

where \(\lambda\), n and m are  positive integers with \(m \ge 4\) for the security consideration as shown in Section 6. Using polynomial multiplication, two product polynomials are assembled as follows:

Using these three polynomials, we derive the polynomials \(\Phi (x_0, x_1, \dots , x_m)\) and \(\Psi (x_0, x_1, \dots , x_m)\) as follows:

These two derived polynomials are parts of the public key with \(\Phi _{ij} = \sum _{s+t=i} f_sc_{tj}\) and \(\Psi _{ij} = \sum _{s+t=i} h_sc_{tj}\). The first and last terms in Eq. (2) are encrypted in the hidden ring \(\mathbb {Z}/t\mathbb {Z}\) with randomly chosen values \(R_0\) and \(R_n\) over the ring, with the conditions \(gcd(R_0, t) = 1\) and \(gcd(R_n, t) = 1\) with the bit length of t greater than or equal to \(2|p|_2 + |m(n+\lambda +1)|_2\) as shown in the third bullet point in the above. Using \(R_0\) and \(R_n\), two noise functions are defined

where the coefficients \(\mathcal {N}_{0j}\) and \(\mathcal {N}_{nj}\) are integers over the hidden ring \(\mathbb {Z}/t\mathbb {Z}\). In the ring, they hide the coefficients \(c_{0j}, c_{nj}\), \(j=1,\ldots ,m\), shared with the polynomial \(\beta (\cdot )\) (Eq. (1)). We define the public key as the following items

1. 1

   Polynomial \(\Phi (x_0, x_1, \dots , x_m)\),

2. 2

   Polynomial \(\Psi (x_0, x_1, \dots , x_m)\),

3. 3

   Noise functions \(\mathcal {N}_0( x_1, \dots , x_m)\) and \(\mathcal {N}_n(x_0, x_1, \dots , x_m)\)

together with the security parameters \(\lambda\), n, m, and p. The private key consists of the items

1. 1

   \(t, R_0\), \(R_n\)

2. 2

   \(f(x_0)\)

3. 3

   \(h(x_0)\)

Algorithm 1 MPPK Key generation

Algorithm 1 formally describes the key generation procedure. The inputs are security parameters \(\lambda\), n, m, and p. The body of the algorithm implements the above series of equations. From Lines 2 to 5, a for-loop generates the coefficients of the polynomials \(f(\cdot )\) and \(h(\cdot )\), first two lines of Eq. (1). From Lines 6 to 10, a second for-loop produces the coefficients of the polynomials \(\beta (\cdot )\), third line of Eq. (1). From Lines 12 to 19, a third for-loop derives the coefficients of the polynomials \(\Phi (\cdot )\) and \(\Psi (\cdot )\), Eq. (3). The random values \(R_0\) and \(R_1\) are generated in Lines 21 to 26 and Lines 28 to 31. From Lines 33 to 36, a final for-loop assembles the noise functions \(\mathcal {N}_0(\cdot )\) and \(\mathcal {N}_n(\cdot )\), Eq. (4). The key pair generator keeps the private key safely and publishes the public key with security parameters \(\lambda\), n, m, and p. The returned values are the coefficients of the two polynomials \(\Phi (\cdot )\) and \(\Psi (\cdot )\), over \(\mathbb {F}_p\), and the noise functions \(\mathcal {N}_0(\cdot )\) and \(\mathcal {N}_n(\cdot )\), over the hidden ring.

4.2 Encapsulation

A shared secret (symmetric) key can be encapsulated using the MPPK public key. A source randomly selects a secret s in \(\mathbb {F}_p\). It assigns it to the variable \(x_0\). The secret s is encapsulated by the source and subsequently decapsulated by a destination. The latter uses the private key. For instance, s could be a symmetric encryption key between the source and destination for the following communications. The encapsulation process involves randomly choosing m values \(v_1,\ldots ,v_m\) in \(\mathbb {F}_p\) for the variables \(x_1,\dots ,x_m\), representing m noise variables. The source evaluates the functions \(\Phi (\cdot )\), \(\Psi (\cdot )\), \(\mathcal {N}_0(\cdot )\), and \(\mathcal {N}_n(\cdot )\) as follows:

Algorithm 2 MPPK encapsulation

Algorithm 2 formally delineates the encapsulation process. The encapsulation procedure has formal parameters the polynomials \(\Phi (\cdot )\), \(\Psi (\cdot )\), \(\mathcal {N}_0(\cdot )\), \(\mathcal {N}_n(\cdot )\), secret s, and security parameters \(\lambda\), n, m, and p. Lines 2 to 4 generate the m random values assigned to the noise variables \(x_1,\dots ,x_m\). This step implements the concept of randomized encapsulation in the MPPK KEM scheme. Using the coefficients of the public key polynomials \(\Phi (\cdot )\) and \(\Psi (\cdot )\), the values of the noise variables, and secret s, Lines 6 to 13 evaluate \(\Phi (\cdot )\) and \(\Psi (\cdot )\) that are loaded into variables \(\overline{\Phi }\) and \(\overline{\Psi }\). Using the coefficients of the public key polynomials \(\mathcal {N}_0(\cdot )\) and \(\mathcal {N}_n(\cdot )\), the values of the noise variables, and secret s, Lines 15 to 21 evaluate \(\mathcal {N}_0(\cdot )\) and \(\mathcal {N}_n(\cdot )\) and store the results into the variables \(\overline{\mathcal {N}}_0\) and \(\overline{\mathcal {N}}_n\). The procedure returns the quadruple \(\left( \overline{\Phi }, \overline{\Psi },\overline{\mathcal {N}}_0,\overline{\mathcal {N}}_n\right)\).

4.3 Decapsulation

The destination receives the quadruple \(\left( \overline{\Phi }, \overline{\Psi }, \overline{\mathcal {N}}_0, \overline{\mathcal {N}}_n \right)\). The destination calculates the following two quantities:

By construction, both values \(\phi (s,v_1,\ldots ,v_m)\) and \(\psi (s,v_1,\ldots ,v_m)\) share the common factor \(\beta (s,v_1,\ldots ,v_m)\), see Eq. (1). To cancel their common factor, the destination calculates the following ratio, modulo p:

The value k is evaluated by the destination that owns all the secret elements of the private key, including t, \(R_0\), and \(R_n\). At this point, the destination obtains the secret solving for the unknown denoted as s the following univariate polynomial equation:

Recall that \(f(\cdot )\) and \(h(\cdot )\) are solvable polynomials of degree \(\lambda\), Eq. (8) can be solved with well-known radicals. In contrast, in our previous work [2] (\(\lambda\) is two), the polynomials \(f(x_0)\) and \(h(x_0)\) are quadratic. The secret s is extracted using a modular square root algorithm. Verification is required to choose between two roots [2].

Algorithm 3 MPPK decapsulation

The detailed decapsulation procedure for the new linear case (\(\lambda\) is one) is formalized in Algorithm 3. The decapsulation procedure takes in input the secret values t, \(R_0\), and \(R_n\), and the secret polynomials \(f(\cdot )\) and \(h(\cdot )\). It also takes the quadruple \(\left( \overline{\Phi }, \overline{\Psi }, \overline{\mathcal {N}}_0, \overline{\mathcal {N}}_n \right)\), which encapsulates the secret produced by the source, and the public security parameters \(\lambda\), n, m, and p. Lines 2 and 3 calculate the first terms of polynomials \(f(\cdot )\) and \(h(\cdot )\), evaluated with the encapsulated secret. Similarly, Lines 4 and 5 calculate the last terms of polynomials \(f(\cdot )\) and \(h(\cdot )\), evaluated with the encapsulated secret. On Lines 6 and  7, the variables \(\overline{\Phi }\) and \(\overline{\Psi }\) denote the evaluations of the polynomials \(\phi (\cdot )\) and \(\psi (\cdot )\) with the encapsulated secret and the m noise variables. Line 8 determines the value of k, Eq. (7). On Line 9, the linear equation is solved to determine the value of the unknown s, i.e., the secret. The secret is returned on Line 11.

A detailed security analysis of MPPK KEM has been published [1]. In short, the security of MPPK KEM relies upon the computationally difficult NP-completeness of MDEP [20].

We report new benchmarking results for the MPPK KEM linear case, comparing against the NIST PQC standardized Kyber and fourth-round candidates-the McEliece, BIKE, and HQC schemes. Additionally, we include the NTRU and Saber schemes for exploration purposes despite their exclusion from the NIST standardization. Benchmarking was conducted using the SUPERCOP benchmarking tool [21].

All schemes were configured to align with the NIST security Levels I, III, and V, corresponding to the difficulty levels of breaking the 128, 192, and 256-bit Advanced Encryption Standard (AES). The benchmarking runs were performed on a 16-core Intel® Core™ i7-10700 CPU at 2.90 GHz.

The notation MPPK-\(n\lambda m\) refers to a MPPK scheme instance where n is the order of the base polynomial, \(\lambda\) is the order of the univariate polynomials, and m is the number of noise variables. For example, MPPK-325 means \(n=3\), \(\lambda =2\) (quadratic univariate polynomials), and \(m=5\) for five noise variables, whereas MPPK-115 means that the univariate polynomials are linear. The performance of univariate quadratic polynomials has been reported [2]. In this article, the focus is on linear univariate polynomials. The performance of three configurations of MPPK KEM is compared with NIST standardized Kyber, the fourth-round candidates (McEliece, BIKE, HQC), as well as two-third-round finalists NTRU and Saber although both NTRU and Saber are excluded for the fourth round.

We omitted the performance comparison with BIKE [12] as its reference implementation is not advisable due to the susceptibility to side-channel attacks. The provided performance metrics for key generation, encapsulation, and decapsulation in the AVX2 implementation are indicative benchmarks for comparison with the MPPK KEM reference implementation.

5.1 NIST security level I

Table 1 compares public key, private key, and ciphertext (encapsulated secret) sizes for various cryptographic schemes with a secret size requirement of 32 bytes, aligned with NIST security Level I. The analyzed algorithms include MPPK-325 [2], MPPK-415, MPPK-115, McEliece, Kyber, NTRU, Saber, BIKE [12], and HQC [13].

McEliece has the largest public key (261,120 bytes) and private key (6492 bytes) sizes. Although, its ciphertext is relatively compact at 128 bytes. In contrast, MPPK-325 and MPPK-415 exhibit smaller public keys (490 bytes) compared to Kyber (800 bytes), NTRU (699 bytes), and Saber (672 bytes). MPPK-115 boasts a compact public key of 250 bytes. Notably, the private keys of all three MPPK schemes are less than 100 bytes, over ten times smaller than those of Kyber, NTRU, Saber, and McEliece. A small public key is an advantage because, in many use cases, it has to be transported over a network.

In terms of ciphertext sizes, McEliece stands out with the smallest size of 128 bytes. Conversely, the MPPK schemes feature larger ciphertexts: 272 bytes for MPPK-415 and MPPK-115, and 340 bytes for MPPK-325 [2]. For \(\lambda =2\), a secret verification code is included in the ciphertext of the MPPK-325 scheme to determine which root of a quadratic polynomial corresponds to the secret. This addition contributes to the larger size of the MPPK-325 ciphertext. Nevertheless, these sizes remain smaller than those of Kyber, NTRU, and Saber. It is worth noting the distinctive characteristics of BIKE and HQC: BIKE boasts a larger public key and ciphertext size compared to HQC, yet its private key is more compact. Comparatively, BIKE stands out with a larger public key (1541 bytes) and ciphertext (1573 bytes), while having a more compact private key (281 bytes) compared to the other schemes. HQC exhibits the largest public key (2249 bytes) and ciphertext (4497 bytes) sizes, with a remarkably small private key (56 bytes). The MPPK schemes, including MPPK-325, MPPK-415, and MPPK-115, present competitive sizes, balancing public key, private key, and ciphertext considerations.

In Table 2, we present the key generation performance data for NIST security Level I across standardized Kyber, the fourth round candidates (McEliece,BIKE, HQC), NTRU, Saber, and three MPPK configurations. The data, expressed in clock cycles, has been obtained using the NIST SUPERCOP tool, providing a standardized testing environment, except for BIKE and HQC. BIKE and HQC data has been taken from their submissions to NIST. We put their data in the 50th percentile category.

The table categorizes the performance data into three percentiles—25th, 50th, and 75th. McEliece’s 75th-percentile performance data is notably higher, exceeding 100 million cycles, making it the slowest among all schemes and 2.5 times larger than the 25th-percentile. NTRU exhibits the second-slowest key generation performance among all listed schemes. Kyber is significantly faster than NTRU but slower than Saber. Saber positions itself as a competitive option, with MPPK-325 and MPPK-415 achieving similar key generation performances. MPPK-115 is the fastest scheme, requiring less than 20,000 clock cycles for key generation. Considering BIKE’s AVX2 performance (usually ten times faster than reference implementation), its reference performance should be comparable with NTRU. HQC performs five to ten times slower than MPPK schemes. Notably, MPPK-115 outperforms all other schemes in terms of key generation efficiency.

Table 3 categorizes the encapsulation performance data into three percentiles—25th, 50th, and 75th. McEliece demonstrates relatively consistent encapsulation performance across percentiles, exhibiting a moderate increase from the 25th to the 75th percentile. Kyber shows stable encapsulation speed, slightly increasing from the 25th to the 50th percentile. NTRU maintains consistent encapsulation performance across percentiles, with a relatively narrow range between the 25th and 75th percentiles. Saber exhibits a moderate increase in encapsulation speed from the 25th to the 75th percentile.

MPPK-325 [2] and MPPK-415 showcase similar encapsulation speeds, with MPPK-325 demonstrating slightly better performance. McEliece, Kyber, BIKE(AVX2), and MPPK-325 perform at similar speeds in encapsulation, around 100 K cycles. Saber and MPPK-415 exhibit comparable performance levels of about 60 K cycles. MPPK-115 consistently outperforms other schemes, requiring the fewest clock cycles for encapsulation across all percentiles. Overall, MPPK-115 stands out as the most efficient scheme for encapsulation, making it well-suited for applications demanding superior encapsulation efficiency.

For decapsulation of security Level I in Table 4, McEliece becomes the slowest scheme with over 45 million cycles. NTRU is the second-slowest scheme, with over one million cycles. MPPK-325 is at 480 kilocycles, much slower than Kyber and Saber at levels of around 100 kilocycles. The primary reason is that the secret is extracted through a modular square root over the field \(\mathbb {F}_p\). The fastest schemes are MPPK-415 and MPPK-115, with the same performance of 34 kilocycles. The fast speed is due to the linear polynomials \(f(x_0)\) and \(h(x_0)\), so the secret extraction is achieved with modular division. It is also noticed that the performance is independent of the order n of the base polynomial \(\beta (x_0, x_1, \dots , x_m)\). BIKE’s AVX2 performance is comparable with NTRU’s reference performance, with over 1 million cycles as the second-slowest scheme for decapsulation. The third slowest is HQC with 833 kilocycles.

5.2 NIST security level III

Table 5 contains the public, private, and ciphertext sizes required to achieve NIST security Level III. Relative performance results are very similar to security Level I. McEliece has the largest public key of 524,160 bytes, a private key of 13,608, and the smallest ciphertext size of 188. HQC and BIKE have the second and third largest for public key size but the largest and second largest for ciphertext size. HQC offers the smallest private key of only 64 bytes. Kyber and Saber have over one kilobyte public key and ciphertext sizes, but their private key sizes are more than double their public keys. MPPK-326 and MPPK-416 have bigger public key sizes, 588 bytes, than for the security Level I because they are six noise variables, compared with five noise variables in security Level I. However, their private keys and ciphertexts are the exact sizes as in the security Level I.

The performance results for key generation for security Level III are presented in Table 6. McEliece behaves similarly to its security Level I (Table 2) but is more than three times slower. NTRU also behaves like security Level I but is about 50\(\%\) slower at over 10 million cycles. The key generation performance for Kyber also increases its cycles by 50\(\%\) from security Level I to Level III, with about 100 kilocycles. Saber doubles its clock cycles from security Level I at 60 kilocycles to Level III at 128 kilocycles. BIKE’s key generation takes 1.8 million cycles (three times slower compared with its Level I performance) with the AVX2 implementation. HQC is also more than doubling its cycles, compared with its performance at Level I, and about three to four times slower than Kyber and Saber. However, the three MPPK KEM schemes only slightly increased their clock cycles from security Level I to Level III, continuing to position themselves as the fastest schemes compared with the NIST candidates.

Table 7 lays out the encapsulation performance data for security Level III. NTRU still has the slowest performance, with over 700 kilocycles. McEliece, Kyber, and Saber, are at the same level at 150 kilocycles. BIKE demonstrates a reasonable encapsulation performance with the AVX2 implementation. HQC stands at the slowest position, with over 900 kilocycles for encapsulation. The three MPPK KEM schemes are the fastest, with MPPK-116 being the quickest at 33 kilocycles. The MPPK KEM schemes are identical for decapsulation from security Level I to Level III. McEliece doubles its clock cycles from Level I at 45 million cycles to Level III at 93 million cycles. NTRU increases from 1.2 million cycles for Level I to 2.1 million cycles for Level III. Kyber and Saber behave the same as NTRU and McEliece, about doubling their clock cycles. BIKE is the second-slowest decapsulation scheme with about 3.9 million cycles in AVX2 implementation, compared with McEliece at its reference implementation. HQC takes the third slowest position at about 1.7 million cycles (Table 8).

5.3 NIST security level V

For security Level V, the parameter sets and performance figures for key generation, encapsulation, and decapsulation are enumerated in Tables 9, 10, 11, and 12. For this case, the MPPK KEM public keys are bigger because the number of noise variables is seven. There is no change in private key and ciphertext sizes. MPPK KEM produces the smallest keys compared with the NIST finalists. The most significant key sizes are still from McEliece, with a public key of over one MB and a 13 KB private key, then HQC and BIKE have the second and third largest public key sizes. The relative placement of all schemes is consistent with the security Levels I and III.

The performance for key generation in Table 10 reaches over 1 billion clock cycles for McEliece and 16 million clock cycles for NTRU. Kyber and Saber are in the mid-tens of kilocycles. HQC stands on the third slowest scheme with over 800 kilocycles for key generation at Level V. MPPK-327 takes about half the number of clock cycles of Saber, and MPPK-117 is the fastest at 20 kilocycles.

The slowest performance for encapsulation in Table 11 is HQC with over 1.8 million cycles then NTRU with one million cycles, then McEliece and Keyber with 200 kilocycles. Saber is at the mid-hundreds of kilocycles. MPPK-117 is again the fastest scheme with less than 40 kilocycles.

Table 12 shows that all MPPK KEM schemes have the same decapsulation performance as in security levels I and III. McEliece still has the worst performance with 179 million cycles in decapsulation, then NTRU and HQC with three million cycles. However, Kyber is about 240 kilocycles, and Saber is less than 200 kilocycles. MPPK-327 [2] is more than ten times slower than MPPK-417 and MPPK-117 due to its decapsulation requiring quadratic root computations.

Known attacks against MPPK KEM have been reviewed in Ref. [1]. Their corresponding complexities have been analyzed. Optimal configurations mitigating the risks of attacks for NIST security Levels I, III, and V have been identified. In the following, we discuss the time complexity of new potential attacks against MPPK KEM that have been uncovered since the publication of Ref. [1]. In no way do they weaken the strength of the MPPK KEM, but we feel it is essential to address and respond to what may seem to be problems, a priori.

6.1 Message recovery attack

A message recovery attack is based on intercepted ciphertexts to extract the secret message or usually called session key. A message recovery attack on MPPK KEM implies challenging an adversary with a system of equations generated by an encapsulated text quadruple of the form:

where \(m+1\) is greater than four. The adversary is looking to solve this system to obtain the value for the message variable \(x_0\) that carries the secret value s. A ciphertext-only attack strategy consists of first solving every equation separately and then finding a common solution. However, every equation has more than one variable. Another avenue for an adversary is to reduce the system in Eq. (9) to a single equation of the form:

However, the framework of MPPK KEM requires \(m+1\) to be greater than four. In [1], it is demonstrated that the best classical time complexity of a ciphertext-only attack is in \(\mathcal {O}(p^{m-3}).\)

6.2 Key recovery attack

In this article, we examine one new key recovery attack. The attack uses the public key, as defined in Eqs. (3) and (4). The attack is applicable to both the quadratic case (\(\lambda\) is two) and linear case (\(\lambda\) is one). Without loss of generality, we review the attack for the linear case. A system of equations generated by the coefficients of the polynomial \(\Phi (x_0, x_1, \dots , x_m)\) can be reduced to an equation of the form \(F(f_0, f_1, c_0, c_n)=0\).

For j in 1, ..., m, consider a system of equations of the form

(11)

with variables \(f_0\) and \(f_1\) of orders as high as n and linear orders for the terms \(c_{0j}\) and \(c_{nj}\). Similarly, we can derive an equation of that same form from the polynomial \(\Psi (.)\),

Using Gaussian eliminations for Eqs. (11) and (12), we can easily remove a common variable such as \(c_{nj}\) and obtain a single equation for a given j as follows:

with the highest order being 2n for \(j=1,\ldots ,m\), forming a typical homogeneous non-linear multivariate polynomial equation system. A total of \(m+4\) variables with m equations forms an underdetermined system. The time complexity of obtaining the correct coefficients for \(f_0\), \(f_1\), \(h_0\), and \(h_1\) is in \(\mathcal {O}\left( p^4\right)\). Therefore, the overall time complexity for the key recovery attack is in \(\mathcal {O}\left( tp^4\right)\), which is equivalent to \(\mathcal {O}\left( 2^{6log_2p+8}\right)\) for \(\lambda\) equal to one.

This article reports the detailed performance for \(\lambda\) equal to one, m equal to 5, 6, or 7, and the NIST security Levels I, III, and V. Table 13 provides the configurations required by the MPPK KEM scheme to achieve the NIST security levels I, III, and V for the private and secret recovery attacks. The entropy in bits is listed next to each configuration. By entropy, we imply the classical computational complexity needed to break MPPK KEM given in bits. The order n of the base multivariate polynomial \(\beta (x_0, x_1, \dots , x_m)\) does not impact the optimal complexity due to the Gaussian elimination technique in the private key attack. It has no significant impact on performance in the secret recovery attack. For example, the configurations (64, 4, 1, 5) and (64, 1, 1, 5) both offer 128-bit entropy in the secret recovery attack. Still, they have 384-bit entropy when the attack aims to break the private and public keys. That means we are required to select the field size to be at least 64 bits long. We evaluated both configurations (64, 4, 1, m) and (64, 1, 1, m) for the chosen security level and compare their performance. Of course, the public key size should be much larger for m equals four than for m equals one.

Sizes (bytes) of the public key, private key, and ciphertext are calculated as follows:

• Public Key(B): \(2 m(n+\lambda -1)|p|_8 + 2 m(2|p|_8 +1)\).

• Private Key(B): \(2(\lambda +1)|p|_8+3(2|p|_8+1)\).

• Ciphertext(B): \(\frac{32}{|p|_8}[2|p|_8 + 2(3|p|_8+2)]\).

The first parts of key and ciphertext sizes are determined by the elements over the field \(\mathbb {F}_p\). The elements over the unknown ring \(\mathbb {Z}/t\mathbb {Z}\) determine the second parts. The factor \(\frac{32}{|p|_8}\) is the segment of the secret over the field. The ciphertext second part term \(2(3|p|_8+2)\) includes the potential extra byte associated with calculating the elements \(\overline{\mathcal {N}}_0\) and \(\overline{\mathcal {N}}_n\) because of multiple integers added together over the ring \(\mathbb {Z}/t\mathbb {Z}\).

The study presented in this article highlights performance differences between the linear and quadratic cases of the MPPK KEM scheme. The described evaluation indicates performance gains when MPPK KEM degree-one private polynomials are chosen versus when they are degree two. The data presented indicates that performance gains are obtained for key generation and encapsulation. However, the gains are substantial for decapsulation. This is because the key decapsulation performance is greatly affected by finding the roots of the equation \(\frac{f(s)}{h(s)}=k.\) In the case of linear polynomials, the root can be found with simple arithmetic operations, such as addition and multiplication, over the Galois field \(\mathbb {F}_p\). In the case of quadratic polynomials, the root-finding problem is reduced to finding quadratic roots, which require iteration over field elements, significantly affecting the MPPK KEM decapsulation performance. Given that the security foundation of the scheme remains intact for any value of \(\lambda\), we conclude that the optimal configuration of MPPK KEM is achieved when the security parameter value \(\lambda\) is equal to one.

All the data and materials generated are included in this manuscript.

Not applicable

The 4th author acknowledges the financial support from the Natural Sciences and Engineering Research Council of Canada (NSERC).

Authors and Affiliations

1. Quantropi Inc., 1545 Carling Ave, Suite 620, Ottawa, K1Z 8P9, Canada

   Randy Kuang, Maria Perepechaenko & Ryan Toth

2. School of Computer Science, Carleton University, 1125 Colonel By Drive, Ottawa, K1S 5B6, Canada

   Michel Barbeau

Contributions

All authors contributed equally.

Corresponding author

Correspondence to Randy Kuang.

Competing interests

The authors declare that they have no competing interests.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions