Cryptology ePrint Archive: Report 2004/222

A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes

An Braeken and Christopher Wolf and Bart Preneel

Abstract: The Unbalanced Oil and Vinegar scheme (UOV) is a signature scheme based on multivariate quadratic equations. It uses $m$ equations and $n$ variables. A total of $v$ of these are called ``vinegar variables". In this paper, we study its security from several points of view. First, we are able to demonstrate that the constant part of the affine transformation does not contribute to the security of UOV and should therefore be omitted. Second, we show that the case $n \geq 2m$ is particularly vulnerable to Gr{\"o}bner basis attacks. This is a new result for UOV over fields of odd characteristic. In addition, we investigate a modification proposed by the authors of UOV, namely to chose coefficients from a small subfield. This leads to a smaller public key. But due to the smaller key-space, this modification is insecure and should therefore be avoided. Finally, we demonstrate a new attack which works well for the case of small $v$. It extends the affine approximation attack from Youssef and Gong against the Imai-Matsumoto Scheme~B for odd characteristic and applies it against UOV. This way, we point out serious vulnerabilities in UOV which have to be taken into account when constructing signature schemes based on UOV.

Category / Keywords: public-key cryptography / UOV, Multivariate Cryptography, Cryptanalysis, Linear Approximation

Publication Info: This is an extended version of the article with the same title published at CT-RSA 2005 --- The Cryptographer's Track at RSA Conference 2005, Lecture Notes in Computer Science, volume 3376. Alfred J. Menezes, editor, Springer, 2005.

Date: received 2 Sep 2004, last revised 6 Aug 2005

Contact author: Christopher Wolf at esat kuleuven ac be

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20051128:042935 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]