QR-UOV performance data and supplementary evaluation

Hiroshi Amagasa

Feb 26, 2026, 8:24:10 PM
to pqc-...@list.nist.gov

Dear all,

We would like to share performance data for QR-UOV. The main results
are presented in the TCHES 2026 paper (H. Amagasa, R. Ueno, N. Homma,
"AVX2 Implementation of QR-UOV for Modern x86 Processors", TCHES 2026;
available on the IACR ePrint Archive [1]). All numbers below are in
Mcycles on Skylake. Under the Round 2 QR-UOV specification, QR-UOV's
key generation, signing, and verification costs are broadly comparable
to those of UOV.

Scheme              KeyGen    Sign   Verify
-------------------------------------------
QR-UOV (127,3)        3.27    0.87     0.46
UOV Ip-pkc+skc        2.96    1.97     0.24
MAYO1 [reported]      0.20    0.57     0.25

In addition to the above TCHES results, we also evaluated a
no-rejection-sampling (NoRS) variant for coefficient sampling over
finite fields of odd characteristic, which accepts the resulting
modulo bias. We report selected results below for reference. Note that
the numbers across the two tables are not strictly comparable due to
differences in the benchmarking harness and recent implementation
updates.

Scheme                 KeyGen    Sign   Verify
----------------------------------------------
QR-UOV (127,3)           2.85    0.83     0.43
QR-UOV (127,3) NoRS      2.73    0.72     0.30
UOV Ip-pkc+skc           3.02    1.99     0.27
MAYO1 [measured]         0.24    0.70     0.29

Further details of this variant, including a security analysis, will
be reported in a forthcoming paper.
The results reported in the TCHES paper were obtained by Tohoku
University; the additional results were obtained jointly by Tohoku
University and the QR-UOV team.

[1] https://eprint.iacr.org/2025/1599

Best regards,
Tohoku University & QR-UOV team

Hiroshi Amagasa

Mar 23, 2026, 11:02:26 PM
to pqc-...@list.nist.gov

Dear all,

Following up on our previous message regarding QR-UOV performance, we
would like to share a new ePrint on the no-rejection-sampling variant
of QR-UOV:

H. Amagasa, H. Furue, R. Ueno, and N. Homma,
"QR-UOV without Rejection Sampling: Security Analysis and High-Speed
Implementation,"
IACR ePrint Archive, 2026/527
URL: https://eprint.iacr.org/2026/527

This paper provides the security analysis and implementation details
of the variant mentioned in our earlier email. In this variant,
rejection sampling is removed from public-key expansion, and our
analyses indicate that the claimed security levels are preserved for
the proposed parameter sets. The paper also reports implementation
results showing consistent speedups for QR-UOV, especially in
verification.

For reference, the main benchmark results in the AES-128 setting are
as follows (Mcycles). Here, NoRS denotes the no-rejection-sampling
variant.

Scheme                        KeyGen    Sign   Verify
-----------------------------------------------------
QR-UOV SL=I AES-128             2.85    0.83     0.43
QR-UOV SL=I AES-128 NoRS        2.73    0.72     0.30
UOV Ip-pkc+skc                  3.02    1.99     0.27
MAYO1                           0.24    0.70     0.29

QR-UOV SL=III AES-128          10.12    2.31     1.22
QR-UOV SL=III AES-128 NoRS      9.79    1.98     0.87
UOV III-pkc+skc                16.92   10.97     1.14
MAYO3                           0.56    1.45     0.65

QR-UOV SL=V AES-128            28.00    5.55     2.91
QR-UOV SL=V AES-128 NoRS       27.22    4.78     2.08
UOV V-pkc+skc                  54.95   24.93     2.51
MAYO5                           1.36    3.51     1.50

Best regards,
Tohoku University & QR-UOV team

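The "modulo bias" that both messages say the NoRS variant accepts can be quantified exactly. The following is an added example, not code from the thread, the cited papers or the QR-UOV implementation. It assumes q = 127 (read from the "(127,3)" label) and that each coefficient comes from one block of uniform bits; the byte-to-coefficient mapping and all function names are hypothetical.

```python
import hashlib
from fractions import Fraction

Q = 127  # assumed field size, read from the "(127,3)" parameter label

def reduce_distribution(q, bits):
    """Exact law of x mod q for x uniform on [0, 2**bits): no rejection."""
    n = 1 << bits
    full, extra = divmod(n, q)  # residues below `extra` get one extra preimage
    return [Fraction(full + (r < extra), n) for r in range(q)]

def statistical_distance(dist):
    """Total variation distance between `dist` and uniform on len(dist) values."""
    u = Fraction(1, len(dist))
    return sum(abs(p - u) for p in dist) / 2

def expected_draws_with_rejection(q, bits):
    """Mean draws per coefficient when values >= q*floor(2**bits/q) are retried."""
    n = 1 << bits
    return Fraction(n, q * (n // q))

def sample_rejection(stream, q):
    """Mask each byte to q.bit_length() bits (q < 256) and skip values >= q.
    The number of outputs depends on the stream contents."""
    mask = (1 << q.bit_length()) - 1
    return [b & mask for b in stream if (b & mask) < q]

def sample_reduce(stream, q):
    """Same masking, then reduce mod q: exactly one output per input byte."""
    mask = (1 << q.bit_length()) - 1
    return [(b & mask) % q for b in stream]

def report(q=Q):
    """(bits, distance from uniform, max probability relative to 1/q, draws)."""
    rows = []
    for bits in (7, 8, 16):
        d = reduce_distribution(q, bits)
        rows.append((bits, statistical_distance(d), max(d) * q,
                     expected_draws_with_rejection(q, bits)))
    return rows

if __name__ == "__main__":
    # Constructed input: a SHAKE-128 stream stands in for the expansion PRG.
    stream = hashlib.shake_128(b"constructed seed").digest(4096)
    print(len(sample_rejection(stream, Q)), len(sample_reduce(stream, Q)))
    for bits, sd, ratio, draws in report():
        print(f"{bits:2d} bits: SD={float(sd):.2e} "
              f"max/uniform={float(ratio):.4f} draws={float(draws):.4f}")
```

With 7-bit blocks the only rejected value is 127, so dropping the retry folds it onto 0 and makes 0 twice as likely as any other element; drawing more bits per coefficient shrinks the distance from uniform.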