ALBERT

Description: At present, ‘mixed-type’ multivariate schemes are relatively rare except the Dragon scheme and its variants (Little Dragon Two scheme and Poly-Dragon scheme). However, they are insecure. In this paper, we first define a particular polynomial called Three-color Polynomial (this polynomial has three-class variables, and the form of the associated symmetric matrix of its quadratic part is similar to the ‘three-color model’ in colorimetry. So we call it three-color polynomial), and its corresponding Three-color Map. Based on the three-color map, we then present a mixed multivariate signature scheme named RGB (it means Red–Green–Blue, because the central map of this scheme is a three-color map, and the ‘three-color’ stands for RGB in colorimetry), which is a variant of the Unbalanced Oil–Vinegar (UOV) signature scheme. Compared with UOV, each polynomial of the central map of RGB has more cross-terms among all the variables $\{Y,Z,T\}$ . The variable $Y$ has much to do with message values. To a certain degree, the variable $Y$ stands for the message values. This means that the message values can be more fully mixed with other variable values in the central map, and the adversary is very difficult to forge the signature. Thus, in theory RGB is more secure than UOV. Through detailed analysis, we find that RGB can resist current known algebraic attacks under proper parameters, such as exhaustive search attack, separation attack, MinRank attack and direct attack (other algebraic attacks are inapplicable for RGB). Besides, our experiments show that under choosing the security level of $2^{80}$ , the signing time of Magma implementation of RGB is 0.046 s on an ordinary Linux-PC with 2.50 GHz, and the signing time of its C implementation is $\boldsymbol {\sim }$ 0.003 s on an 800 MHz machine. The comparisons show that the signing speed of RGB is faster than that of ${\rm Sflash}^{v2}$ , Quartz, UOV, Rainbow and RSA-1024, and is slightly slower than that of ECDSA-163 and NTRUSign-251. Overall, this new scheme can attain very good performance in terms of security and efficiency.