# Unbalanced Oil and Vinegar Signature Schemes

## Abstract

In [16], J. Patarin designed a new scheme, called “Oil and Vinegar”, for computing asymmetric signatures. It is very simple, can be computed very fast (both in secret and public key) and requires very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in *n* unknowns called “oil” and *v = n* unknowns called “vinegar” over a finite field *K*, with linear secret functions. This original scheme was broken in [10] by A. Kipnis and A. Shamir. In this paper, we study some very simple variations of the original scheme where *v* > *n* (instead of *v* = *n*). These schemes are called “Unbalanced Oil and Vinegar” (UOV), since we have more “vinegar” unknowns than “oil” unknowns. We show that, when *v* ⋍ *n*, the attack of [10] can be extended, but when *v* ≥ 2*n* for example, the security of the scheme is still an open problem. Moreover, when \(
v \simeq \tfrac{{n^2 }}
{2}\)
, the security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to the problem of solving a random set of n quadratic equations in \(
\tfrac{{n^2 }}
{2}\) unknowns (with no trapdoor). However, we show that (in characteristic 2) when *v* ≥ *n* ^{2}, finding a solution is generally easy. Then we will see that it is very easy to combine the Oil and Vinegar idea and the HFE schemes of [14]. The resulting scheme, called HFEV, looks at the present also very interesting both from a practical and theoretical point of view. The length of a UOV signature can be as short as 192 bits and for HFEV it can be as short as 80 bits.

## References

- 1.Anonymous,
*Cryptanalysis of the HFE Public Key Cryptosystem*, not yet published.Google Scholar - 2.Anonymous,
*Practical cryptanalysis of Hidden Field Equations (HFE)*, not yet published.Google Scholar - 3.Anonymous,
*Cryptanalysis of Patarin’s 2-Round Public Key System with S Boxes*, not yet published.Google Scholar - 4.D. Coppersmith,
*personal communication*, e-mail.Google Scholar - 5.Z. Dai, D. Ye, K.-Y. Lam,
*Factoring-attacks on Asymmetric Cryptography Based on Mapping-compositions*, not yet published.Google Scholar - 6.J.-C. Faugere,
*personal communication*.Google Scholar - 7.H. Fell, W. Diffie,
*Analysis of a public key approach based on polynomial substitutions*, Proceedings of CRYPTO’85, Springer-Verlag, vol. 218, pp. 340–349Google Scholar - 8.M. Garey, D. Johnson,
*Computers and Intractability, a Guide to the Theory of NP-Completeness*, Freeman, p. 251.Google Scholar - 9.H. Imai, T. Matsumoto,
*Algebraic Methods for Constructing Asymmetric Cryptosystems*, Algebraic Algorithms and Error Correcting Codes (AAECC-3), Grenoble, 1985, Springer-Verlag, LNCS no229.Google Scholar - 10.A. Kipnis, A. Shamir,
*Cryptanalysis of the Oil and Vinegar Signature Scheme*, Proceedings of CRYPTO’98, Springer, LNCS no1462, pp. 257–266.Google Scholar - 11.R. Lidl, H. Niederreiter,
*Finite Fields*, Encyclopedia of Mathematics and its applications, volume 20, Cambridge University Press.Google Scholar - 12.T. Matsumoto, H. Imai,
*Public Quadratic Polynomial-tuples for efficient signature-verification and message-encryption*, Proceedings of EUROCRYPT’88, Springer-Verlag, pp. 419–453.Google Scholar - 13.Jacques Patarin,
*Cryptanalysis of the Matsumoto and Imai public Key Scheme of Eurocrypt’88*, Proceedings of CRYPTO’95, Springer-Verlag, pp. 248–261.Google Scholar - 14.J. Patarin,
*Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms*, Proceedings of EUROCRYPT’96, Springer, pp. 33–48.Google Scholar - 15.Jacques Patarin,
*Asymmetric Cryptography with a Hidden Monomial*, Proceedings of CRYPTO’96, Springer, pp. 45–60.Google Scholar - 16.J. Patarin,
*The Oil and Vinegar Signature Scheme*, presented at the Dagstuhl Workshop on Cryptography, september 1997 (transparencies).Google Scholar - 17.J. Patarin, L. Goubin,
*Trapdoor One-way Permutations and Multivariate Polynomials*, Proceedings of ICICS’97, Springer, LNCS no1334, pp. 356–368.Google Scholar - 18.J. Patarin, L. Goubin,
*Asymmetric Cryptography with S-Boxes*, Proceedings of ICICS’97, Springer, LNCS no1334, pp. 369–380.Google Scholar - 19.J. Patarin, L. Goubin, N. Courtois,
*Improved Algorithms for Isomorphisms of Polynomials*, Proceedings of EUROCRYPT’98, Springer, pp. 184–200.Google Scholar - 20.J. Patarin, L. Goubin, N. Courtois,
*C*_{−+}^{*}*and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai*, Proceedings of ASIACRYPT’98, Springer, pp. 35–49.Google Scholar - 21.A. Shamir,
*A simple scheme for encryption and its cryptanalysis found by D. Coppersmith and J. Stern*, presented at the Luminy workshop on cryptography, september 1995.Google Scholar