Revisiting the Security of Salted UOV Signature

Abstract

Due to the recent attack of Beullens on Rainbow, the crypto community looks back again at the unbalanced oil-and-vinegar (UOV) signature. The original UOV does not have any formal security reduction. It was Sakumoto et al. who added a random salt to the original UOV signature to give a reduction under the UOV-inversion (UOVI) problem in the classical random oracle model (CROM).

In this paper, we revisit the security of salted UOV signature. We start by identifying some issues related to programming the random oracle and the distribution of the salt. Then provide a security reduction of the salted UOV signature in the CROM that clearly addresses these issues. One crucial requirement of our reduction is that the field size needs to be asymptotically superpolynomial in the security parameter. We also give a security reduction of the salted UOV under the UOVI problem in the quantum random oracle model. This work is hoped to aid further concrete security analysis and thereby guide parameter choice of UOV-based schemes in the context of future standardization of post-quantum signature.

Appendices

A Signature Using Trapdoor Information

1.1 A.1 Algorithm for Solving the Public Key System Using Trapdoor Information

In this section, we give the method for solving the public key system using the trapdoor information as an algorithm. The procedure was described in Sect. 4.1.

1.2 A.2 Signature Scheme

Let us write down the complete signature scheme based on this trapdoor.

• \(\textsf{KeyGen}\). This takes the security parameter \(1^\kappa \) as input and outputs the public and secret keys. The secret key is a description of the subspace \(\textsf{O}\subset \mathbb {F}^{n}\) and the public key is the system \(\mathcal {P}\) consisting of \({m}\) MQ-polynomials in \({n}\) variables which vanish at \(\textsf{O}\). Note that \(\textsf{O}\) can be represented by an \(n\times m\) matrix as described in Sect. 4.1. Thus \(\mathcal{S}\mathcal{K}= \textsf{O}\) and \(\mathcal{P}\mathcal{K}= \mathcal {P}\). A hash function \(\mathcal {H}:{\mathcal {M}}\rightarrow \mathbb {F}^{m}\) for converting message into a fixed-length digest is known publicly.

• \(\textsf{Sign}\). This takes message \(\textsf{m}\) and the secret key \(\mathcal{S}\mathcal{K}\) as input and outputs a signature \(\sigma \). The signature \(\sigma \) is obtained by solving \(\mathcal {P}(\cdot ) = \mathcal {H}(\textsf{m})\) using Algorithm 2.

• \(\textsf{Ver}\). This takes the message \(\textsf{m}\), the signature \(\sigma \) and the public key \(\mathcal{P}\mathcal{K}\) as input and outputs accept or reject. If \(\mathcal {P}(\sigma ) = \mathcal {H}(\textsf{m})\), holds, the signature is accepted. Otherwise, the signature is rejected.

B Signature of Sakumoto et al.

We reproduce the salted version of UOV signature given in [SSH11, Section 4.1]. The secret key is a UOV type MQ system \(\mathcal {F}\) of \({m}\) polynomials in \({n}\) variables. The authors consider non-homogeneous polynomials. Then, as usual, an affine invertible transformation \(\mathcal {T}\) is used for mixing the variables. The public key is obtained in the obvious way as \(\mathcal {P}= \mathcal {F}\circ \mathcal {T}\). The scheme uses a salt of length \({\ell _s}\), which is a polynomial in the security parameter \(\kappa \). The public and the secret keys contain a description of the salt space.

The verification follows the obvious procedure. We describe the signing algorithm in Algorithm 3. The variable list is parsed as \(({\boldsymbol{x}}_{v},{\boldsymbol{x}}_{m})\), where \({\boldsymbol{x}}_{v}\) denotes the vector of vinegar variables and \({\boldsymbol{x}}_{m}\) that of oil variables. There are \({v}\) vinegar variables and \({m}\) oil variables. The notation \(\mathcal {F}({\boldsymbol{x}}_{v}^{\prime }, {\boldsymbol{x}}_{m})\) is used to denote the linear system in oil variables which is obtained after the vinegar variables have been specialized to the vector \({\boldsymbol{x}}_{v}^{\prime }\).