VOX: post-quantum signature scheme

Vinegar, Oil, and Multiplications for short post-quantum signatures


About VOX/FOX

VOX is a family of post-quantum signature algorithms submitted to the NIST Post-Quantum Cryptography Project on May 31st, 2023. It has been designed by: Benoît Cogliati, Jean-Charles Faugère, Pierre-Alain Fouque, Louis Goubin, Robin Larrieu, Gilles Macario-Rat, Brice Minaud and Jacques Patarin.

The VOX family includes a specific instantiation called “VOX-F” (or Full VOX, nicknamed “FOX”) that does not use the QR technique and therefore admits simpler security arguments.

Due to attacks on the QR technique (see the Updates/News section below for more details), FOX is at present our main version of VOX.

VOX/FOX is based on multivariate cryptography (the UOV problem and the problem of solving algebraic equations).

Updates / News

Why FOX?

Security arguments for FOX

Thanks to the ˆ+ trick, it is possible to follow two opposite strategies.

First, one can use this security increase to reduce parameter sizes, and try to use more aggressive optimizations.

Second, one can keep a secure UOV instance, and then further enhance its security with the ˆ+ variant.

In the design of FOX, we chose the second approach. Thus, FOX has very conservative parameters. Moreover, we selected our parameter sets so that the cost of canceling the added random polynomials for two public equations is the same as breaking the underlying UOV problem.

FOX: a UOV-based hash-and-sign signature scheme

FOX is a UOV-based hash-and-sign signature scheme from the Multivariate Quadratic (MQ) family, built around a new variant proposed by Faugère, Macario-Rat, Patarin, and Perret under the name UOVˆ+ [pdf].

While the quadratic forms of a UOV public key have a large common isotropic subspace, which is unusual for a random quadratic system, UOVˆ+ adds a small number of uniformly random quadratic forms to the public keys to hide this subspace. For the same parameter sizes, UOVˆ+ is then more secure than the corresponding UOV instance.

Hence, FOX can keep all benefits of UOV, such as small signature sizes, fast signature generation, and extremely fast verification, while also offering an additional security guarantee.
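The hiding effect described above can be checked on a toy instance. This is an added example, not code from the VOX/FOX reference implementation: the field size 251, the 6 vinegar and 4 oil variables, the 2 random equations, the triangular shapes of the secret maps and all function names are assumptions chosen for illustration. It also assumes the random forms reach the public key by replacing some central equations and then mixing the equations linearly.

```python
# Toy demonstration (constructed parameters, far too small to be secure).
import random

P, V, O, T_RANDOM = 251, 6, 4, 2   # field size, vinegar vars, oil vars (= equations), random equations
N = V + O

def central_form(rng, oil_oil_terms):
    """Random N x N matrix of a quadratic form; the oil x oil block is zero unless requested."""
    return [[0 if (i >= V and j >= V and not oil_oil_terms) else rng.randrange(P)
             for j in range(N)] for i in range(N)]

def evaluate(form, x):
    """x^T * form * x over GF(P)."""
    return sum(x[i] * form[i][j] * x[j] for i in range(N) for j in range(N)) % P

def keygen(rng, t):
    """Return (secret S', public map); the first t central equations are fully random."""
    s = [[rng.randrange(P) for _ in range(O)] for _ in range(V)]   # S = [[I, S'], [0, I]]
    central = [central_form(rng, oil_oil_terms=(k < t)) for k in range(O)]
    # Unit lower-triangular mixing matrix, nonzero below the diagonal: always invertible.
    mix = [[1 if j == i else (rng.randrange(1, P) if j < i else 0) for j in range(O)]
           for i in range(O)]

    def public(x):
        sx = [(x[i] + sum(s[i][j] * x[V + j] for j in range(O))) % P for i in range(V)] + x[V:]
        vals = [evaluate(f, sx) for f in central]
        return [sum(mix[i][j] * vals[j] for j in range(O)) % P for i in range(O)]
    return s, public

def oil_vector(rng, s):
    """Vector x with S*x = (0, y): an element of the secret oil subspace."""
    y = [rng.randrange(1, P) for _ in range(O)]
    return [(-sum(s[i][j] * y[j] for j in range(O))) % P for i in range(V)] + y

def equations_vanishing_on_oil_space(t, seed=1, samples=20):
    """Count public equations that evaluate to 0 on every sampled oil vector."""
    rng = random.Random(seed)
    s, public = keygen(rng, t)
    outputs = [public(oil_vector(rng, s)) for _ in range(samples)]
    return sum(all(out[k] == 0 for out in outputs) for k in range(O))

if __name__ == "__main__":
    print("plain UOV:", equations_vanishing_on_oil_space(t=0))
    print("UOV^+    :", equations_vanishing_on_oil_space(t=T_RANDOM))
```

With t=0 (plain UOV) every public equation vanishes on the oil subspace; with t=2 none does, because every mixed public equation carries a share of the random forms.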

As an illustration, FOX-I (security level I) has a signature size of only 124 bytes, for a public key size of 50.3 Kbytes. The verification time is very good, and we can sign 277 messages per second if the secret key is decompressed.

FOX Parameters

We define the parameters for each variant of FOX according to the three security levels defined by NIST.

The size of the signature (|sig|), the public key (|cpk|), the secret key (|sk|) and the compressed secret key (|csk|) are expressed in bytes.

Performance (C Intel x86-64 and AVX2)

Using the reference implementation on a common laptop computer (11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz, TurboBoost enabled), FOX achieves the following performance:

Level   | Keygen                   | Sign                  | Sign [cached SK]      | Verify               | Verify [cached PK]
FOX-I   | 13.25ms / 34339422 c     | 5.07ms / 13153496 c   | 4.34ms / 11252449 c   | 1.32ms / 3423563 c   | 0.06ms / 168437 c
FOX-III | 51.53ms / 133580482 c    | 7.90ms / 20484823 c   | 4.94ms / 12798162 c   | 6.83ms / 17712780 c  | 0.13ms / 330683 c
FOX-V   | 562.99ms / 1459339050 c  | 45.61ms / 118235215 c | 40.51ms / 105005378 c | 16.70ms / 43293387 c | 2.98ms / 7737203 c

All the timings are given in milliseconds (ms) and in cycles (c).

Using the AVX2 implementation on a common laptop computer (11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz, TurboBoost enabled), FOX achieves the following performance:

Level   | Keygen                  | Sign                 | Sign [cached SK]     | Verify               | Verify [cached PK]
FOX-I   | 11.49ms / 29771117 c    | 4.24ms / 11000844 c  | 3.61ms / 9362493 c   | 1.05ms / 2723488 c   | 0.04ms / 106974 c
FOX-III | 48.33ms / 125270708 c   | 7.27ms / 18834197 c  | 4.61ms / 11946513 c  | 6.37ms / 16516109 c  | 0.13ms / 348334 c
FOX-V   | 166.38ms / 431306224 c  | 29.28ms / 75903168 c | 23.51ms / 60961314 c | 10.40ms / 26965333 c | 0.59ms / 1532779 c

All the timings are given in milliseconds (ms) and in cycles (c).

The verification time is very good, and we can sign 277 messages per second if the secret key is decompressed, and 236 otherwise.

Resources

(Version 2024-05-17): .

(Version 2023-07-28): .

(Version 2023-05-31): .