QR-UOV performance data and supplementary evaluation
94 views
Skip to first unread message
Hiroshi Amagasa
Feb 26, 2026, 8:24:10 PM (yesterday) Feb 26
to pqc-...@list.nist.gov
Dear all,
We would like to share performance data for QR-UOV. The main results
are presented in the TCHES 2026 paper (H. Amagasa, R. Ueno, N. Homma,
"AVX2 Implementation of QR-UOV for Modern x86 Processors", TCHES 2026;
available on the IACR ePrint Archive [1]). All numbers below are in
Mcycles on Skylake. Under the Round 2 QR-UOV specification, QR-UOV's
key generation, signing, and verification costs are broadly comparable
to those of UOV.
Scheme KeyGen Sign Verify
------------------------------------------
QR-UOV (127,3) 3.27 0.87 0.46
UOV Ip-pkc+skc 2.96 1.97 0.24
MAYO1 [reported] 0.20 0.57 0.25
In addition to the above TCHES results, we also evaluated a
no-rejection-sampling (NoRS) variant for coefficient sampling over
finite fields of odd characteristic, which accepts the resulting
modulo bias. We report selected results below for reference. Note that
the numbers across the two tables are not strictly comparable due to
differences in the benchmarking harness and recent implementation
updates.
Scheme KeyGen Sign Verify
------------------------------------------
QR-UOV (127,3) 2.85 0.83 0.43
QR-UOV (127,3) NoRS 2.73 0.72 0.30
UOV Ip-pkc+skc 3.02 1.99 0.27
MAYO1 [measured] 0.24 0.70 0.29
Further details of this variant, including a security analysis, will
be reported in a forthcoming paper.
The results reported in the TCHES paper were obtained by Tohoku
University; the additional results were obtained jointly by Tohoku
University and the QR-UOV team.
[1] https://eprint.iacr.org/2025/1599
Best regards,
Tohoku University & QR-UOV team
We would like to share performance data for QR-UOV. The main results
are presented in the TCHES 2026 paper (H. Amagasa, R. Ueno, N. Homma,
"AVX2 Implementation of QR-UOV for Modern x86 Processors", TCHES 2026;
available on the IACR ePrint Archive [1]). All numbers below are in
Mcycles on Skylake. Under the Round 2 QR-UOV specification, QR-UOV's
key generation, signing, and verification costs are broadly comparable
to those of UOV.
Scheme KeyGen Sign Verify
------------------------------------------
QR-UOV (127,3) 3.27 0.87 0.46
UOV Ip-pkc+skc 2.96 1.97 0.24
MAYO1 [reported] 0.20 0.57 0.25
In addition to the above TCHES results, we also evaluated a
no-rejection-sampling (NoRS) variant for coefficient sampling over
finite fields of odd characteristic, which accepts the resulting
modulo bias. We report selected results below for reference. Note that
the numbers across the two tables are not strictly comparable due to
differences in the benchmarking harness and recent implementation
updates.
Scheme KeyGen Sign Verify
------------------------------------------
QR-UOV (127,3) 2.85 0.83 0.43
QR-UOV (127,3) NoRS 2.73 0.72 0.30
UOV Ip-pkc+skc 3.02 1.99 0.27
MAYO1 [measured] 0.24 0.70 0.29
Further details of this variant, including a security analysis, will
be reported in a forthcoming paper.
The results reported in the TCHES paper were obtained by Tohoku
University; the additional results were obtained jointly by Tohoku
University and the QR-UOV team.
[1] https://eprint.iacr.org/2025/1599
Best regards,
Tohoku University & QR-UOV team
Reply all
Reply to author
Forward
0 new messages