Paper 2024/219
Singular points of UOV and VOX
Abstract
In this work, we study the singular locus of the varieties defined by the public keys of UOV and VOX, two multivariate quadratic signature schemes submitted to the additional NIST call for signature schemes. Singular points do not exist for generic quadratic systems, which enables us to introduce a new algebraic attack against UOV-based schemes. We show that this attack can be seen as an algebraic variant of the Kipnis-Shamir attack, which can be obtained in our framework as an enumerative approach of solving a bihomogeneous modeling of the computation of singular points. We give a new attack for UOV$\hat +$ and VOX targeting singular points of the underlying UOV key. Our attacks lower the security of the schemes, both asymptotically and in number of gates, showing in particular that the parameter sets proposed for these schemes do not meet the NIST security requirements. More precisely, we show that the security of VOX/UOV$\hat +$ was overestimated by factors $2^{2}, 2^{18}, 2^{37}$ for security levels I, III, V respectively. As an essential element of the attack on VOX, we introduce a polynomial time algorithm performing a key recovery from one vector, with an implementation requiring only $15$ seconds at security level V.
Metadata
- Available format(s)
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- Multivariate cryptography, Cryptanalysis, Singular points, Bihomogeneous polynomial system
- Contact author(s)
- pierre pebereau @ lip6 fr
- History
- 2024-09-02: revised
- 2024-02-13: received
- Short URL
- https://ia.cr/2024/219
- License
- CC BY
BibTeX
@misc{cryptoeprint:2024/219,
  author = {Pierre Pébereau},
  title = {Singular points of {UOV} and {VOX}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/219},
  year = {2024},
  url = {https://eprint.iacr.org/2024/219}
}