Cryptanalysis of the oil and vinegar signature scheme

  • Aviad Kipnis
  • Adi Shamir
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


Several multivariate algebraic signature schemes have been proposed in recent years, but most of them have been broken by exploiting the fact that their secret trapdoors are low rank algebraic structures. One of the few remaining variants is Patarin's "Oil & Vinegar" scheme, which is based on a system of n quadratic forms in 2n variables of two flavors (n "oil" variables and n "vinegar" variables). The security of the scheme depends on the difficulty of distinguishing between the two types, and does not seem to be susceptible to known low rank attacks. In this paper we describe two novel algebraic attacks which can efficiently separate the oil and vinegar variables, and thus forge arbitrary signatures.
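The following is an added worked example written for this page; it is not code from Kipnis and Shamir's paper or from Patarin's scheme. It builds a toy balanced Oil and Vinegar instance in pure Python (N = 3 oil and N = 3 vinegar variables over GF(31), both our choice), signs with the hidden structure, and then runs the invariant-subspace attack generally associated with this paper: for two public forms the attacker forms M = G_i^{-1} G_j, the hidden oil space is an N-dimensional M-invariant subspace, and it is recovered as the kernel of a degree-N factor of M's characteristic polynomial (hence the paper's keywords). Once that subspace is known, the forger solves exactly the linear system the legitimate signer solves. Assumptions: odd characteristic (so each quadratic form is a symmetric matrix), the balanced n/n split described in the abstract (the onto-map argument in `recover_oil_space` needs dim O = dim V), and a brute-force enumeration of degree-N divisors that is only feasible at toy size; every function name, the prime, and the seeded random keys are ours.

```python
# Added example (not the paper's code): toy balanced Oil and Vinegar over GF(P) and the
# Kipnis-Shamir invariant-subspace attack.  P, N, all names and random keys are our own choices.
import random
from functools import reduce
from itertools import product

P, N = 31, 3   # odd prime with P > 2N; N oil + N vinegar variables, N public quadratic forms
def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)] for row in A]
def plus_scalar(A, s):   # A + s*I
    return [[(x + s * (i == j)) % P for j, x in enumerate(row)] for i, row in enumerate(A)]
def bilinear(Gk, x, y):  # x^T Gk y, the symmetric bilinear form attached to Q_k
    return sum(x[i] * Gk[i][j] * y[j] for i in range(2 * N) for j in range(2 * N)) % P
def rref(A):             # reduced row echelon form over GF(P); returns (R, pivot columns)
    R, piv = [row[:] for row in A], []
    for c in range(len(R[0])):
        if (i := next((k for k in range(len(piv), len(R)) if R[k][c]), None)) is None:
            continue
        r, s = len(piv), pow(R[i][c], P - 2, P)
        R[i], R[r] = R[r], [x * s % P for x in R[i]]        # swap in and normalise the pivot row
        R = [row if k == r or not row[c] else [(x - row[c] * y) % P for x, y in zip(row, R[r])]
             for k, row in enumerate(R)]
        piv.append(c)
    return R, piv

def mat_inverse(M):      # None when M is singular
    m = len(M)
    R, piv = rref([row + [int(i == j) for j in range(m)] for i, row in enumerate(M)])
    return [row[m:] for row in R] if piv == list(range(m)) else None
def nullspace(M):        # basis of {x : M x = 0}, one vector per free column
    R, piv = rref(M)
    free = [c for c in range(len(M[0])) if c not in piv]
    return [[1 if c == f else -R[piv.index(c)][f] % P if c in piv else 0 for c in range(len(M[0]))] for f in free]

def keygen(rng):
    # secret: symmetric F_k with a zero oil*oil block (variables 0..N-1 are oil) and invertible S;
    # public: G_k = S^T F_k S.  Also returns a basis of S^{-1}(oil space), the signer's real secret.
    S = None
    while S is None or mat_inverse(S) is None:
        S = [[rng.randrange(P) for _ in range(2 * N)] for _ in range(2 * N)]
    St, G = [list(c) for c in zip(*S)], []
    for _ in range(N):
        U = [[rng.randrange(P) if j >= max(i, N) else 0 for j in range(2 * N)] for i in range(2 * N)]
        F = [[U[min(i, j)][max(i, j)] for j in range(2 * N)] for i in range(2 * N)]   # symmetrise
        G.append(matmul(matmul(St, F), S))
    Sinv = mat_inverse(S)
    return G, [[Sinv[r][c] for r in range(2 * N)] for c in range(N)]

def sign_with_oil_space(G, oil, target, rng):
    # signer (oil = S^{-1} O) and forger (oil = recovered space) do the same thing: with x = u + o
    # and Q_k(o) = 0, Q_k(x) = Q_k(u) + 2 u^T G_k o is linear in the N coefficients of o
    for _ in range(20):                                      # retry if the linear system is singular
        u = [rng.randrange(P) for _ in range(2 * N)]
        rows = [[2 * bilinear(Gk, u, b) % P for b in oil] + [(t - bilinear(Gk, u, u)) % P]
                for Gk, t in zip(G, target)]
        R, piv = rref(rows)
        if piv == list(range(N)):
            return [(u[j] + sum(R[i][N] * oil[i][j] for i in range(N))) % P for j in range(2 * N)]
    return None
def verify(G, sig, target):
    return sig is not None and [bilinear(Gk, sig, sig) for Gk in G] == [t % P for t in target]

def charpoly(M):         # Faddeev-LeVerrier: det(xI - M), highest degree first; needs P > dim
    m, c, Mk = len(M), [1], [[0] * len(M) for _ in M]
    for k in range(1, m + 1):
        Mk = plus_scalar(matmul(M, Mk), c[-1])
        c.append(-sum(matmul(M, Mk)[i][i] for i in range(m)) * pow(k, P - 2, P) % P)
    return c
def poly_rem(f, d):      # remainder of f modulo monic d, both highest degree first
    r = f[:]
    while len(r) >= len(d):
        r = ([(a - r[0] * b) % P for a, b in zip(r, d)] + r[len(d):])[1:]
    return r

def recover_oil_space(G):
    # Kipnis-Shamir: in the balanced case an invertible F_i maps the oil space O onto the vinegar
    # space V, so M = G_i^{-1} G_j = S^{-1} F_i^{-1} F_j S keeps O' = S^{-1} O invariant; charpoly(M|O')
    # is a degree-N factor d of charpoly(M) and generically O' = ker d(M).  Try every monic divisor.
    for i, j in product(range(N), repeat=2):
        if i == j or (Gi_inv := mat_inverse(G[i])) is None:
            continue
        chi = charpoly(M := matmul(Gi_inv, G[j]))
        for tail in product(range(P), repeat=N):
            if any(poly_rem(chi, d := [1, *tail])):
                continue
            dM = reduce(lambda R, coef: plus_scalar(matmul(R, M), coef), d, [[0] * len(M) for _ in M])
            basis = nullspace(dM)
            if len(basis) == N and all(bilinear(Gk, b, b2) == 0 for Gk in G for b in basis for b2 in basis):
                return basis                                 # every public form vanishes on it
    return None

def demo(seed=7):
    rng = random.Random(seed)
    G, secret_oil = keygen(rng)
    target = [rng.randrange(P) for _ in range(N)]            # stands in for H(message); constructed
    legit = sign_with_oil_space(G, secret_oil, target, rng)
    recovered = recover_oil_space(G)                          # the attacker's only input is G
    forged = recovered and sign_with_oil_space(G, recovered, target, rng)
    return verify(G, legit, target), verify(G, forged, target)   # -> (True, True)
```

`demo()` returns `(True, True)`: the legitimate signature verifies, and so does the forgery computed from the public key alone. Two points worth noting from the code rather than the abstract: the recovered subspace is accepted only after checking that every public form vanishes on it, which is also the property that makes forging a linear problem; and the step "F_i maps O onto V" silently uses dim O = dim V, so the same script with more vinegar than oil variables would no longer find an invariant subspace this way.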


Keywords: Quadratic form; Signature scheme; Characteristic polynomial; Minimal polynomial; Algebraic attack



Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Aviad Kipnis, NDS Technologies, Israel
  • Adi Shamir, Dept. of Applied Math, Weizmann Institute, Israel
