Professional Documents
Culture Documents
4 Uov Revisited 05192023
4 Uov Revisited 05192023
Jintai Ding
Tsinghua University
Jintai.Ding@gmail.com
Tartaglia Cardano
x1 x2 x3 = 5,
is equivalent to
x1 x2 − y =0
yx3 = 5.
In order to create a key pair for the Oil and Vinegar signature scheme,
Alice chooses
an affine map T : Fn → Fn with randomly chosen coefficients and
an OV central map F = (f (1) , . . . , f (o) ) : Fn → Fo . The polynomials
f (1) , . . . , f (o) are of the form
X (i) X (i)
X (i)
f (i) = αj,k xj xk + βj,k xj xk + γj xj +δ (i) (i = 1, . . . , o)
j,k∈V j∈V ,k∈O j∈V ∪O
A key pair of the Oil and Vinegar signature scheme can be described
as follows.
Private Key: The private key of the Oil and Vinegar signature
scheme consists of the two maps F : Fn → Fo and T : Fn → Fn .
Public Key: The public key P of the Oil and Vinegar signature
scheme is the composed map P = F ◦ T and consists of o
quadratic polynomials in n variables.
In contrast to the standard construction of multivariate
cryptography , we do not use a second affine map S in the
construction of the public key of the Oil and Vinegar scheme.
(n + 1) · (n + 2)
sizepk UOV = o ·
2
field elements
The size of the private key
v · (v + 1)
sizesk UOV = n · (n + 1) + o · + ov + n + 1
| {z } 2
map T | {z }
map F
field elements.
The signature generation process of UOV only requires the
solution of a linear system, which can be efficiently done by
Gaussian elimination. Therefore, the UOV signature scheme can
be implemented much easily and efficiently.
Jintai Ding NIST PQC Seminar, May 2023 20 / 51
The Kipnis-Shamir Attack on balanced Oil and Vinegar
and UOV
P = TT · F · T,
Definition
We define the Oil subspace of Fn as
O = {x = (x1 , . . . , xn )T ∈ Fn : x1 = . . . = xv = 0}.
V = {x = (x1 , . . . , xn )T ∈ Fn : xv +1 = . . . = xn = 0}.
Then we have
Lemma
1. For any u1 , u2 ∈ O we have
uT1 · F · u2 = 0.
vT1 · P · v2 = 0.
The attack is to find the pre-image of the Oil subspace under the
map T .
Jintai Ding NIST PQC Seminar, May 2023 25 / 51
Let E : Fn → Fn be a linear transformation of the form (1). Then we
have
Lemma
1. E(O) ⊂ V.
2. If E is invertible, we have E(O) = V and E −1 (V) = O.
E2 · o0
E1 E2 0
· = ∈ V.
E3 0v ×v o0 0
Proof.
This follows directly from Lemma 3.
Theorem
The space T −1 (O) is a common invariant subspace of all the matrices
W = W1−1 · W2 .
Here, the last “=” holds due to the fact that O is an invariant subspace
of F̂1−1 · F̂2 (Corollary 4).
xT · Q̄ (1) · x, . . . , xT · Q̄ (o) · x
(i)
with symmetric matrices Q̄ (i) (i = 1, . . . , o) The entries qjk of the
matrix Q̄ (i) are given as
(
(i) MonomialCoefficient(p(i) , xj2 ) j = k,
qjk = (i)
MonomialCoefficient(p , xj xk )/2 j 6= k .
Theorem
Let W1 and W2 be randomly chosen linear combinations of the
matrices P (i) (i = 1, . . . , o) and let W1 be invertible. Then the
probability that the matrix W1−1 · W2 has a nontrivial invariant subspace
(which is also a subspace of T −1 (O)) is roughly q o−v .
v =o
Defeated by Kipnis and Shamir using invariant subspace (1998).
v <o
by guessing some variables will be most likely turn into a OV
system where v = o
v >> o
2
Finding a solution is generally easy. When choosing v ≈ o2 , the
complexity of a direct attack against the scheme even becomes
polynomial
v = 2o, 3o
Direct attack
The reconciliation attack
Collision attacks
1. Introduction of Salt
Randomize the signing process and signatures
2. Provable security
SSH paper in 2011. Fixing Salt or Vinegar?
The salt is essential for the security proof: which reduces the UOV
problem for any vinegar vector chosen, we can always find a
signature by managing Salt
Our deign does do that? Efficiency ?
The definition of UOV problem in [SSH11]?
3. Compression of the public key and private keys
1. Provable Security?
2. A PQ problem with
E = n; V = αn2