Advertisement

Unbalanced Oil and Vinegar Signature Schemes

  • Aviad Kipnis
  • Jacques Patarin
  • Louis Goubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1592)

Abstract

In [16], J. Patarin designed a new scheme, called “Oil and Vinegar”, for computing asymmetric signatures. It is very simple, can be computed very fast (both in secret and public key) and requires very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in n unknowns called “oil” and v = n unknowns called “vinegar” over a finite field K, with linear secret functions. This original scheme was broken in [10] by A. Kipnis and A. Shamir. In this paper, we study some very simple variations of the original scheme where v > n (instead of v = n). These schemes are called “Unbalanced Oil and Vinegar” (UOV), since we have more “vinegar” unknowns than “oil” unknowns. We show that, when vn, the attack of [10] can be extended, but when v ≥ 2n for example, the security of the scheme is still an open problem. Moreover, when \( v \simeq \tfrac{{n^2 }} {2}\) , the security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to the problem of solving a random set of n quadratic equations in \( \tfrac{{n^2 }} {2}\) unknowns (with no trapdoor). However, we show that (in characteristic 2) when vn 2, finding a solution is generally easy. Then we will see that it is very easy to combine the Oil and Vinegar idea and the HFE schemes of [14]. The resulting scheme, called HFEV, looks at the present also very interesting both from a practical and theoretical point of view. The length of a UOV signature can be as short as 192 bits and for HFEV it can be as short as 80 bits.

References

  1. 1.
    Anonymous, Cryptanalysis of the HFE Public Key Cryptosystem, not yet published.Google Scholar
  2. 2.
    Anonymous, Practical cryptanalysis of Hidden Field Equations (HFE), not yet published.Google Scholar
  3. 3.
    Anonymous, Cryptanalysis of Patarin’s 2-Round Public Key System with S Boxes, not yet published.Google Scholar
  4. 4.
    D. Coppersmith, personal communication, e-mail.Google Scholar
  5. 5.
    Z. Dai, D. Ye, K.-Y. Lam, Factoring-attacks on Asymmetric Cryptography Based on Mapping-compositions, not yet published.Google Scholar
  6. 6.
    J.-C. Faugere, personal communication.Google Scholar
  7. 7.
    H. Fell, W. Diffie, Analysis of a public key approach based on polynomial substitutions, Proceedings of CRYPTO’85, Springer-Verlag, vol. 218, pp. 340–349Google Scholar
  8. 8.
    M. Garey, D. Johnson, Computers and Intractability, a Guide to the Theory of NP-Completeness, Freeman, p. 251.Google Scholar
  9. 9.
    H. Imai, T. Matsumoto, Algebraic Methods for Constructing Asymmetric Cryptosystems, Algebraic Algorithms and Error Correcting Codes (AAECC-3), Grenoble, 1985, Springer-Verlag, LNCS no229.Google Scholar
  10. 10.
    A. Kipnis, A. Shamir, Cryptanalysis of the Oil and Vinegar Signature Scheme, Proceedings of CRYPTO’98, Springer, LNCS no1462, pp. 257–266.Google Scholar
  11. 11.
    R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its applications, volume 20, Cambridge University Press.Google Scholar
  12. 12.
    T. Matsumoto, H. Imai, Public Quadratic Polynomial-tuples for efficient signature-verification and message-encryption, Proceedings of EUROCRYPT’88, Springer-Verlag, pp. 419–453.Google Scholar
  13. 13.
    Jacques Patarin, Cryptanalysis of the Matsumoto and Imai public Key Scheme of Eurocrypt’88, Proceedings of CRYPTO’95, Springer-Verlag, pp. 248–261.Google Scholar
  14. 14.
    J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms, Proceedings of EUROCRYPT’96, Springer, pp. 33–48.Google Scholar
  15. 15.
    Jacques Patarin, Asymmetric Cryptography with a Hidden Monomial, Proceedings of CRYPTO’96, Springer, pp. 45–60.Google Scholar
  16. 16.
    J. Patarin, The Oil and Vinegar Signature Scheme, presented at the Dagstuhl Workshop on Cryptography, september 1997 (transparencies).Google Scholar
  17. 17.
    J. Patarin, L. Goubin, Trapdoor One-way Permutations and Multivariate Polynomials, Proceedings of ICICS’97, Springer, LNCS no1334, pp. 356–368.Google Scholar
  18. 18.
    J. Patarin, L. Goubin, Asymmetric Cryptography with S-Boxes, Proceedings of ICICS’97, Springer, LNCS no1334, pp. 369–380.Google Scholar
  19. 19.
    J. Patarin, L. Goubin, N. Courtois, Improved Algorithms for Isomorphisms of Polynomials, Proceedings of EUROCRYPT’98, Springer, pp. 184–200.Google Scholar
  20. 20.
    J. Patarin, L. Goubin, N. Courtois, C −+* and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai, Proceedings of ASIACRYPT’98, Springer, pp. 35–49.Google Scholar
  21. 21.
    A. Shamir, A simple scheme for encryption and its cryptanalysis found by D. Coppersmith and J. Stern, presented at the Luminy workshop on cryptography, september 1995.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Aviad Kipnis
    • 1
  • Jacques Patarin
    • 2
  • Louis Goubin
    • 2
  1. 1.NDS TechnologiesJerusalemIsrael
  2. 2.Bull SmartCards and TerminalsLouveciennes CedexFrance

Personalised recommendations