A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes

The Unbalanced Oil and Vinegar scheme (UOV) is a signature scheme based on multivariate quadratic equations. It uses m equations in n variables, v of which are called “vinegar variables”. In this paper, we study its security from several points of view. First, we demonstrate that the constant part of the affine transformation does not contribute to the security of UOV and should therefore be omitted. Second, we show that the case n ≥ 2m is particularly vulnerable to Gröbner basis attacks. This is a new result for UOV over fields of odd characteristic. In addition, we investigate a modification proposed by the authors of UOV, namely to choose coefficients from a small subfield. This leads to a smaller public key, but because of the smaller key space this modification is insecure and should therefore be avoided. Finally, we demonstrate a new attack which works well for the case of small v. It extends the affine approximation attack of Youssef and Gong against the Imai-Matsumoto Scheme B for odd characteristic and applies it to UOV. In this way, we point out serious vulnerabilities in UOV which have to be taken into account when constructing signature schemes based on UOV.
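To make the objects the abstract refers to concrete (m equations in n = v + m variables, the v vinegar variables, the central map with no oil-times-oil monomials, the secret linear transformation and the public key), here is a toy UOV implementation over a prime field. This is an added example written for this page, not code from the paper or its authors. It assumes a constructed prime p = 31 and tiny parameters m = 3, v = 6 (far too small to be secure, chosen only so the linear algebra is readable), maps a message to m field elements with SHA-256, and follows the paper's first observation by using a purely linear secret map S with no affine constant.

```python
"""Toy Unbalanced Oil and Vinegar (UOV) signatures over GF(p).

Added example, not code from the paper. Parameters are deliberately tiny
(p = 31, m = 3 oil variables, v = 6 vinegar variables) to show the
structure of the scheme, not to be secure.
"""
import hashlib
import random

P = 31  # prime field modulus (constructed toy value)


def mat_vec(M, x):
    return [sum(a * b for a, b in zip(row, x)) % P for row in M]


def mat_mul(A, B):
    n, k, c = len(A), len(B), len(B[0])
    return [[sum(A[i][t] * B[t][j] for t in range(k)) % P for j in range(c)] for i in range(n)]


def eval_quad(Q, x):
    """Evaluate the homogeneous quadratic form x^T Q x mod p."""
    n = len(x)
    return sum(Q[i][j] * x[i] * x[j] for i in range(n) for j in range(n)) % P


def solve_mod_p(A, b):
    """Solve A x = b over GF(p) by Gaussian elimination; None if A is singular."""
    n = len(A)
    M = [list(row) + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % P), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)  # modular inverse (Python 3.8+)
        M[col] = [(x * inv) % P for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * c) % P for a, c in zip(M[r], M[col])]
    return [row[n] for row in M]


def invert_mod_p(S):
    """Invert S over GF(p) column by column; None if S is singular."""
    n = len(S)
    cols = []
    for k in range(n):
        col = solve_mod_p(S, [1 if i == k else 0 for i in range(n)])
        if col is None:
            return None
        cols.append(col)
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def keygen(rng, m, v):
    n = m + v  # variables 0..v-1 are vinegar, v..n-1 are oil
    # Central map: m upper-triangular quadratic forms with no oil*oil monomials.
    F = []
    for _ in range(m):
        Q = [[0] * n for _ in range(n)]
        for i in range(n):
            for j in range(i, n):
                if not (i >= v and j >= v):
                    Q[i][j] = rng.randrange(P)
        F.append(Q)
    # Secret invertible linear map S (no affine constant, as the paper recommends).
    while True:
        S = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        S_inv = invert_mod_p(S)
        if S_inv is not None:
            break
    # Public key: P_k(y) = F_k(S y) = y^T (S^T Q_k S) y, which hides the oil/vinegar split.
    ST = [[S[j][i] for j in range(n)] for i in range(n)]
    pub = [mat_mul(mat_mul(ST, Q), S) for Q in F]
    return (F, S_inv, m, v), pub


def hash_to_field(msg, m):
    """Map a message to m field elements (first m SHA-256 bytes reduced mod p)."""
    return [b % P for b in hashlib.sha256(msg).digest()[:m]]


def sign(sk, h, rng):
    F, S_inv, m, v = sk
    while True:
        vin = [rng.randrange(P) for _ in range(v)]  # random vinegar values
        A, b = [], []
        for k, Q in enumerate(F):
            # With vinegar fixed, each F_k is linear in the m oil variables.
            const = sum(Q[i][j] * vin[i] * vin[j] for i in range(v) for j in range(i, v)) % P
            A.append([sum(Q[i][v + t] * vin[i] for i in range(v)) % P for t in range(m)])
            b.append((h[k] - const) % P)
        oil = solve_mod_p(A, b)
        if oil is not None:  # retry with fresh vinegar if the system is singular
            break
    return mat_vec(S_inv, vin + oil)  # signature y with S y = (vinegar, oil)


def verify(pub, h, sig):
    return all(eval_quad(Q, sig) == hk for Q, hk in zip(pub, h))


def demo(seed=7, m=3, v=6):
    """Keygen, sign, verify and a tamper check on a constructed message."""
    rng = random.Random(seed)
    sk, pk = keygen(rng, m, v)
    h = hash_to_field(b"constructed test message", m)
    sig = sign(sk, h, rng)
    tampered = list(sig)
    tampered[0] = (tampered[0] + 1) % P
    return verify(pk, h, sig), verify(pk, h, tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Signing fixes the vinegar variables at random and solves an m-by-m linear system for the oil variables, which is exactly why the central map may contain no oil-times-oil terms; the public key is the same map composed with S, so a verifier only sees quadratic forms in which that split is no longer visible.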
