Recent Developments in Multivariate Public Key Cryptosystems

The multivariate signature schemes UOV, Rainbow, and HFEv- have been considered secure and efficient enough under suitable parameter selections. In fact, several second round candidates of NIST's standardization project of Post-Quantum Cryptography are based on these schemes. On the other hand, few multivariate encryption schemes are expected to be practical; despite that, various new schemes have been proposed recently. In the present paper, we summarize the multivariate schemes UOV, Rainbow, and (variants of) HFE underlying the second round candidates and study the practicality of several multivariate encryption schemes proposed recently.


Introduction
In 2016, NIST launched the standardization project of Post-Quantum Cryptography (NIST 2020). Many schemes were submitted to the first round of the project and 26 of them were chosen as the second round candidates in 2019 (NIST 2020). LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020) and GeMSS (Casanova et al. 2020) are multivariate signature schemes in the second round. These schemes are based on UOV (Patarin 1997), Rainbow (Ding et al. 2005), and HFEv- (Patarin et al. 2001), respectively, which were proposed before or around 2000 and are still considered secure and efficient enough under suitable parameter selections. On the other hand, there are few practical multivariate encryption schemes; despite that, various new schemes have been proposed in this decade.
The aim of this paper is to describe recent developments of multivariate public key cryptosystems not yet presented in the previous paper (Hashimoto 2017). We first summarize in Sect. 2 the schemes UOV (Patarin 1997), Rainbow (Ding et al. 2005), and (variants of) HFE (Patarin 1996), with short surveys on the second round candidates LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020), and GeMSS (Casanova et al. 2020). In Sect. 3, we study the recently proposed encryption schemes HFERP, ZHFE (Porras et al. 2020), EFC (Szepieniec et al. 2016), and ABC (Tao et al. 2013), and show that these schemes are not much more practical than the HFE variants for encryption, which are already known to be not very practical. Note that MQDSS (Chen et al. 2016, 2020) is also a second round candidate and has been considered a multivariate signature scheme, since a set of randomly chosen multivariate quadratic forms is used in key generation, signature generation, and signature verification. However, it is based on the Fiat-Shamir transform of the 5-pass identification scheme (Sakumoto et al. 2011) and is far from the other multivariate schemes. We therefore do not study MQDSS in this paper.

Basic Constructions of Multivariate Public Key Cryptosystems
Let $n, m \ge 1$ be integers, $q$ a power of a prime, and $\mathbb{F}_q$ a finite field of order $q$. Most MPKCs are described as follows.
Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and a quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ that can be inverted feasibly.
Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$.
Decryption. For a given ciphertext $c \in \mathbb{F}_q^m$, compute $z := T^{-1}(c)$ and find $y \in \mathbb{F}_q^n$ with $G(y) = z$. Then the plaintext is $p = S^{-1}(y)$.
Signature scheme.
Signature generation. For a message $m \in \mathbb{F}_q^m$, compute $z := T^{-1}(m)$ and find $y \in \mathbb{F}_q^n$ with $G(y) = z$. Then the signature is $s = S^{-1}(y)$.
Signature verification. The signature $s \in \mathbb{F}_q^n$ is verified by $m = F(s)$.
Efficiency. Encryption and signature verification are done by substituting $p, s \in \mathbb{F}_q^n$ into $m$ quadratic forms of $n$ variables. Their complexities are then $O(n^2 m)$ for most MPKCs under naive implementations. Furthermore, it is known (Hashimoto 2017) that the complexities of encrypting $n$ plaintexts and of verifying $n$ signatures simultaneously are $O(n^w m)$, where $2 \le w < 3$ is a linear algebra constant. The complexities of decryption and signature generation depend mainly on how $G$ is inverted. We discuss them for the individual schemes.
Security. There are two types of attacks on MPKCs. One is the direct attack, which recovers the plaintext $p$ of a given ciphertext $c$ directly by solving the system of $m$ quadratic equations $F(x) = (f_1(x), \dots, f_m(x)) = c$ of $n$ variables. The Gröbner basis attack is considered the most standard approach, and its complexity depends on the degree of regularity $d_{\mathrm{reg}}$ of the corresponding polynomial system $F(x) - c$. In general, $d_{\mathrm{reg}}$ is known to be smaller when the system is more overdefined ($m \gg n$) (Bardet et al. 2005). Furthermore, if $q$ is small, the attacker can solve the system more efficiently by combining this with exhaustive search, which is called the hybrid method (Bettale et al. 2012). We also note that, if the system is massively underdefined ($n \gg m$), the attacker can find (at least) one of the solutions more effectively than in the case $n \sim m$ (Cheng et al. 2014; Miura et al. 2013; Tomae and Wolf 2012).
The other type is to recover partial information of the secret key $(S, T)$ which is enough to invert $F$. In most known key recovery attacks on MPKCs, the attacker uses the property of the coefficient matrices of the quadratic forms in $G$. Let $G_1, \dots, G_m, F_1, \dots, F_m$ be the coefficient matrices of $g_1(x), \dots, g_m(x), f_1(x), \dots, f_m(x)$, respectively, i.e., $g_l(x) = {}^t x G_l x + (\text{linear form})$ and f l ( This shows that, if $G_1, \dots, G_m$ have special properties, partial information of $S, T$ can be recovered from the public information $F_1, \dots, F_m$. How to recover it and the complexity of the attack depend on $G_1, \dots, G_m$, so we discuss them for the individual schemes.
Secret key. An invertible affine map $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$ and the quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ defined above.
Public key. The quadratic map $F := G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$.
Signature generation. For a message $m = (m_1, \dots, m_o) \in \mathbb{F}_q^m$, choose $u_1, \dots, u_v \in \mathbb{F}_q$ randomly and find $y_1, \dots, y_o \in \mathbb{F}_q$ such that The signature is $s = S^{-1}(y_1, \dots, y_o, u_1, \dots, u_v)$.
Signature verification. The signature $s \in \mathbb{F}_q^n$ is verified by $m = F(s)$.
Complexity of signature generation. Since (3) is a system of $o$ linear equations of $o$ variables, we see that the complexity of signature generation of UOV is $O(n^3)$.
Security. The most important attack on UOV is Kipnis-Shamir's attack (Kipnis and Shamir 1998), which recovers an affine map S such that SS = * o * 0 * v by using the fact that $G_1, \dots, G_m$ are matrices having the forms of , and then the parameter $v$ must be sufficiently larger than $o$, namely $n$ must be sufficiently larger than $2m$. This causes two inconveniences for UOV; one is that the sizes of keys are relatively large, and the other is that the approaches in Tomae and Wolf (2012) and Cheng et al. (2014) weaken the security against the direct attacks a little. The latter is easily covered by taking $(n, m)$ a little larger. For the former, several approaches have been proposed so far. However, since some key reduction approaches yield critical vulnerabilities (e.g., Hashimoto 2019; Peng and Tang 2018), the security of such UOVs must be studied quite carefully.
LUOV. LUOV (Beullens et al. 2020) is a signature scheme based on UOV and is a second round candidate of NIST's project. It is constructed over a finite field of even characteristic, and the components and coefficients in $S, G, F$ are elements of $\mathbb{F}_2$. The size of keys is smaller and the security against the direct attack is not much lower than that of the original UOV. Note that the security against Kipnis-Shamir's attack is $O(2^{v-o} \cdot n^4)$ and a new attack on LUOV was quite recently proposed in Ding et al. (2013). The parameters $o, v$ should then be taken larger than in the original version. See Beullens et al. (2020) for the latest version.
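The UOV signing and verification steps above can be traced on a toy instance. The following is an added example, not code from the paper or from any of the cited submissions; it assumes the usual oil-and-vinegar central map (each $G_l$ has a zero oil-by-oil block), homogeneous forms, a linear secret map $S$, and the toy field $\mathbb{F}_{31}$, and all function names are hypothetical. It also checks the structural fact that key recovery attacks exploit: every public form vanishes on the hidden subspace $S^{-1}(\text{oil space})$.

```python
import random

P = 31  # toy prime field F_p (assumption); real parameters are far larger


def solve_mod(A, b, p=P):
    """Solve A x = b over F_p (Gauss-Jordan). Returns None if A is singular."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] % p), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, p)
        M[c] = [x * inv % p for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]


def quad(Q, x, p=P):
    """Evaluate the quadratic form x^T Q x over F_p."""
    return sum(xi * qij * xj for xi, row in zip(x, Q) for qij, xj in zip(row, x)) % p


def keygen(o, v, rng):
    """Return (secret, public) for a homogeneous toy UOV with m = o equations."""
    n = o + v
    # Central map G: o matrices whose oil x oil block (first o rows/cols) is zero.
    G = [[[0 if i < o and j < o else rng.randrange(P) for j in range(n)]
          for i in range(n)] for _ in range(o)]
    while True:  # secret linear map S, resampled until invertible
        S = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        if solve_mod(S, [0] * n) is not None:
            break

    def compose(Gl):  # F_l = S^T G_l S, so that f_l(x) = g_l(S x)
        GS = [[sum(Gl[i][k] * S[k][j] for k in range(n)) % P for j in range(n)]
              for i in range(n)]
        return [[sum(S[k][i] * GS[k][j] for k in range(n)) % P for j in range(n)]
                for i in range(n)]

    return (S, G), [compose(Gl) for Gl in G]


def sign(secret, msg, o, v, rng):
    """Fix random vinegar values, then solve the o x o linear system for the oil values."""
    S, G = secret
    while True:
        u = [rng.randrange(P) for _ in range(v)]
        A, b = [], []
        for Gl, ml in zip(G, msg):
            # Once u is fixed, g_l(y, u) = sum_j A[l][j] * y_j + const (linear in y).
            A.append([sum((Gl[j][o + k] + Gl[o + k][j]) * u[k] for k in range(v)) % P
                      for j in range(o)])
            const = quad([row[o:] for row in Gl[o:]], u)
            b.append((ml - const) % P)
        y = solve_mod(A, b)
        if y is not None:  # singular system: retry with fresh vinegar values
            return solve_mod(S, y + u)  # s = S^{-1}(y, u)


def verify(public, msg, s):
    """Accept iff F(s) = m, i.e. every public quadratic form hits its target."""
    return [quad(Fl, s) for Fl in public] == [ml % P for ml in msg]


def hidden_oil_vector(secret, o, v, rng):
    """A nonzero vector of S^{-1}(oil space); all public forms vanish on it."""
    S, _ = secret
    return solve_mod(S, [rng.randrange(1, P) for _ in range(o)] + [0] * v)


if __name__ == "__main__":
    # Seeded PRNG for a reproducible demo; a real signer needs a CSPRNG.
    rng = random.Random(2020)
    o, v = 3, 6
    secret, public = keygen(o, v, rng)
    msg = [7, 19, 2]  # constructed message digest in F_p^o
    s = sign(secret, msg, o, v, rng)
    print("signature:", s, "valid:", verify(public, msg, s))
    w = hidden_oil_vector(secret, o, v, rng)
    print("public forms on hidden oil vector:", [quad(Fl, w) for Fl in public])
```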

Rainbow
Rainbow (Ding et al. 2005) is a multi-layer version of UOV. We now describe the two-layer version. Let $o_1, o_2, v \ge 1$ be integers and put Define the quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ by Rainbow is constructed as follows.
After that, find $y_1, \dots, y_{o_1} \in \mathbb{F}_q$ such that The signature is $s = S^{-1}(y_1, \dots, y_m, u_1, \dots, u_v)$.
Signature verification. The signature $s \in \mathbb{F}_q^n$ is verified by $m = F(s)$.
Complexity of signature generation. Since (5) is a system of $o_2$ linear equations of $o_2$ variables and (6) is a system of $o_1$ linear equations of $o_1$ variables, we see that the complexity of signature generation is $O(n^3)$.

Security. Kipnis-Shamir's attack and rank attacks are major attacks on Rain
complexity of Kipnis-Shamir's attack (Kipnis and Shamir 1998) on Rainbow is $O(q^{\max(o_2+v-o_1,0)} \cdot n^4)$. Furthermore, by checking the ranks of $G_1, \dots, G_m$, we see that the complexities of the min-rank attack and the high-rank attack are $O(q^{o_2+v} \cdot n^4)$ and $O(q^{o_1} \cdot n^4)$, respectively (Yang and Chen 2005). Note that there have been several approaches to improve the efficiency of Rainbow. However, some of the improvements are known to be insecure (e.g., Hashimoto 2019; Peng and Tang 2018; Shim et al. 2017), so the security of such efficient Rainbows must be studied carefully.
Rainbow on NIST's project. Rainbow (Ding et al. 2020) in the second round of NIST's project includes three versions: the standard Rainbow, the cyclic Rainbow, and the compressed Rainbow. The public keys and the numbers of arithmetic operations for signature verification of the latter two versions are smaller than those of the standard Rainbow. However, it is reported (Ding et al. 2020) that the verifications of the latter two versions are slower than that of the standard version. We consider that this is because the verification algorithms of the latter two versions are more complicated than the naive algorithm for the standard Rainbow. Better implementations are required for these arranged versions.

HFE
HFE (Patarin 1996) is constructed as follows.
Secret key. Two invertible affine maps $S, T : \mathbb{F}_q^n \to \mathbb{F}_q^n$ and $G : \mathbb{F}_{q^n} \to \mathbb{F}_{q^n}$ defined above.
Public key. The quadratic map F : by the Berlekamp algorithm (Berlekamp 1967, 1970). Then the parameter $d$ should be $d = O(\log_q n)$.
Security. Let $\{\theta_1, \dots, \theta_n\}$ be a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ and Θ := θ whereX . This means that there exist $a_1, \dots, a_n \in \mathbb{F}_{q^n}$ such that and then $\operatorname{rank}(a_1 F_1 + \cdots + a_n F_n) \le d + 1$. The min-rank attack (Bettale et al. 2013; Kipnis and Shamir 1999) is an attack to recover such $(a_1, \dots, a_n)$ and its complexity Fröberg conjecture holds, where $2 \le w \le 3$ is a linear algebra constant. It is not difficult to check that the tuple $(a_1, \dots, a_n)$ gives partial information of $T\Theta^{-1}$ and, once such a tuple is recovered, the attacker can recover partial information of $\Theta S$, which is enough to decrypt arbitrary ciphertexts by elementary linear algebraic approaches. Since $d = O(\log_q n)$, the security of HFE is $n^{O(\log_q n)}$. The original HFE has therefore been considered impractical. We also note that the security against the Gröbner basis attack has been studied well (see e.g., Ding et al. 2011; Dubois and Gamma 2020; Faugère 2003; Granboulan et al. 2020; Huang et al. 2018). It is known that the rank condition (8) gives an upper bound on the degree of regularity $d_{\mathrm{reg}}$ of the polynomial system $F(x) = c$; in fact, $d_{\mathrm{reg}} \le \frac{1}{2}(q-1)(d+2)$ holds for HFE (Ding et al. 2011).
Plus (+). The "plus (+)" is a variant that adds several polynomials to $G$. Let $r_+ \ge 1$ be an integer and $h_1(x), \dots, h_{r_+}(x)$ random quadratic forms of $x$. For the map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ of the original scheme, define $G_+$ : is an invertible affine map. It is mainly used for encryption when $m \ge n$. The decryption is as follows.
Decryption. For the ciphertext $c \in \mathbb{F}_q^{m+r_+}$, compute $z = (z_1, \dots, z_{m+r_+}) := T_+^{-1}(c)$. Find $y \in \mathbb{F}_q^n$ with $G(y) = {}^t(z_1, \dots, z_m)$ and verify whether ${}^t(h_1(y), \dots, h_{r_+}(y)) = {}^t(z_{m+1}, \dots, z_{m+r_+})$. If it holds, the plaintext is $p = S^{-1}(y)$. If not, try again with another $y$.
Complexity of decryption. If $m \ge n$, the number of $y$ with $G(y) = z$ is (probably) small. Then the complexity of decryption of the "plus" is not much larger than that of the original scheme.
Security. It is easy to see that an equation similar to (8) holds for the "plus" of HFE. Then the complexity of the min-rank attack on HFE+ is similar to that on the original HFE.
Minus (-). The "minus (-)" removes several polynomials from $F$. Let $r_- \ge 1$ be an integer. For the public key $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$ of the original scheme, the public key . It is mainly used for the signature scheme when $n \ge m$. The signature generation is as follows.
If there exists such an $s$, the signature is $s$. If not, change $u_1, \dots, u_{r_-}$ and repeat until such an $s$ appears.
Complexity of signature generation. When $n \ge m$, the probability that $s$ does not exist is considered to be not large. Then the complexity of the signature generation of the "minus" is not much larger than that of the original scheme.
Security. For the minus, it is easy to see that there exists an Then one can eliminate the contributions of $n - r_- - 1$ matrices in the right hand side by taking a linear combination of $F_1, \dots, F_{n-r_-}$, namely there exist $a_1, \dots, a_{n-r_-}, b_0, \dots, b_{r_-} \in \mathbb{F}_{q^n}$ such that The min-rank attack is thus available on HFE- and its complexity can be estimated by O( n+d+r − +2 . This means that the "minus" enhances the security of HFE (see also Vates and Smith-Tone 2017).
Vinegar (v). The "vinegar (v)" adds several variables to $G$. Let $r_v \ge 1$ be an integer. For the map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ of the original scheme, define is inverted similarly to $G(x)$ for any (or most) $u_1, \dots, u_{r_v} \in \mathbb{F}_q$. For example, the map $G_v$ of HFEv is given by is an invertible affine map. It is mainly used for signatures when $n \ge m$. The signature generation is as follows.
Signature generation. For a message $m \in \mathbb{F}_q^m$ to be signed, compute $z := T^{-1}(m)$. Choose $u_1, \dots, u_{r_v} \in \mathbb{F}_q$ randomly, and find $y \in \mathbb{F}_q^n$ with $G_v(y, u_1, \dots, u_{r_v}) = z$. If such a $y$ does not exist, change $u_1, \dots, u_{r_v}$ and try again. The signature is $s = S_v^{-1}(y, u_1, \dots, u_{r_v})$.
Complexity of signature generation. Since $y$ is found similarly to the original scheme, the complexity of finding $y$ is almost the same as in the original scheme. If $n \ge m$, the probability that $y$ does not exist is considered to be not too large. Then the complexity of the "vinegar" is not much larger than that of the original scheme.

Security. For HFEv, we see that Then there exist $a_1, \dots, a_n \in \mathbb{F}_{q^n}$ such that a 1 F 1 + · · · + a n F n = t Θ Since the rank of the matrix in the right hand side above is at most $d + r_v + 1$, the security of HFEv against the min-rank attack is estimated by O( n+d+r v +2
Projection (p). The "projection" removes several variables from the polynomials in $F$. Let $r_p \ge 1$ be an integer and $u_1, \dots, u_{r_p} \in \mathbb{F}_q$. For the public key $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$ of the original scheme, the public key $F_p : \mathbb{F}_q^{n-r_p} \to \mathbb{F}_q^m$ of the projection is generated by $F_p(x_1, \dots, x_{n-r_p}) := F(x_1, \dots, x_{n-r_p}, u_1, \dots, u_{r_p})$. It is mainly used for encryption when $m \ge n$. The decryption is as follows.
Decryption. For the ciphertext $c \in \mathbb{F}_q^m$, find $p \in \mathbb{F}_q^n$ with $F(p) = c$ similarly to the original scheme. If $p = (*, \dots, *, u_1, \dots, u_{r_p})$, the plaintext is $p := (p_1, \dots, p_{n-r_p}) \in \mathbb{F}_q^{n-r_p}$. If not, try again with another $p$.
Complexity of decryption. If $m \ge n$, the number of $p$ with $F(p) = c$ is (probably) not too large. Then the complexity of decryption of the "projection" is not much larger than that of the original scheme.
Security. For the projection of HFE, we see that there exist $a_1, \dots, a_n \in \mathbb{F}_{q^n}$ such that a 1 F 1 + · · · + a n F n = t (ΘS) whereS is an n × (n − r p ) matrix with S = (S, * ). Then the min-rank attack is available and its complexity is almost the same as for the original scheme.
The most successful variant of HFE is probably the signature scheme HFEv- (Patarin et al. 2001), a combination of the "minus" and the "vinegar" of HFE, since the security against the min-rank attack is enhanced drastically without slowing down the signature generation. In fact, GeMSS (Casanova et al. 2020), based on HFEv-, was chosen as a second round candidate of NIST's project (NIST 2020). There are three kinds of GeMSS, called GeMSS, BlueGeMSS, and RedGeMSS. The major difference among these three GeMSSs is the degree of $G_v$; the degrees are $513\,(= 2^9 + 1)$, $129\,(= 2^7 + 1)$, $17\,(= 2^4 + 1)$, i.e., the values of $d$ are 10, 8, 5, respectively. Of course, the signature generation of RedGeMSS is the fastest and that of BlueGeMSS is the next. Furthermore, the security against the min-rank attack is sufficient if $r_-, r_v$ are sufficiently large. On the other hand, as pointed out in Hashimoto (2018) for HMFEv (Petzoldt et al. 2017) (the vinegar of multi-HFE (Chen et al. 2020)), the minus and the vinegar do not enhance the security against the high-rank attack. Though critical vulnerabilities of HFE variants against the high-rank attack have not been reported so far, we consider that an HFEv- with smaller $d$ has a higher risk against the high-rank attack.
We recall that Sflash (Akkar et al. 2003) (a minus of Matsumoto-Imai's scheme (Matsumoto and Imai 1988)) is a signature scheme selected by NESSIE (Preneel 2020) and broken by a differential attack (Fouque et al. 2005). Recently, its projections called Pflash (Cartor and Smith-Tone 2017; Smith-Tone et al. 2015) and Eflash (Cartor and Smith-Tone 2018) were proposed. Pflash is a signature scheme with $r_p < r_-$ and Eflash is an encryption scheme with $r_p > r_-$. The complexities of signature generation and decryption are about $q^{\min(r_p, r_-)}$ times those of Matsumoto-Imai's scheme (Matsumoto and Imai 1988), so we should take $r_-, r_p$ with $\min(r_p, r_-) = O(\log_q n)$. It has been considered that the differential attack is not available on these schemes, and the security against the min-rank attack highly depends on $r_-$. The security of Eflash is thus $n^{O(\log_q n)}$. Similarly, for the encryption scheme HFEp- with $r_p > r_-$, it is easy to see that the complexity of decryption is about $q^{r_-}$ times that of the original HFE and the complexity of the min-rank attack is roughly estimated by $O(n^{(3d+r_-+2)w})$. Since $3d + r_- = O(\log_q n)$, its security is also $n^{O(\log_q n)}$.

New Encryption Schemes
In this section, we study the recently proposed encryption schemes HFERP, ZHFE (Porras et al. 2020), EFC (Szepieniec et al. 2016), and ABC (Tao et al. 2013, 2015).

HFERP
HFERP (Ikematsu et al. 2018) is an encryption scheme constructed by a "plus" and "projection" of a combination of HFE and Rainbow. We first describe a one-layer version of HFERP without "plus" and "projection".
Let $v, o, l, d_0 \ge 1$ be integers, $n := v + o$ and m : . HFERP (without "plus", "projection") is constructed as follows.
Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$.
Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$.
Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$.
Decryption. For a given ciphertext $c$, compute $z = {}^t(z_1, \dots, z_m)$ The plaintext is $p = S^{-1}(y_1, \dots, y_n)$.
Complexity of decryption. Since the degree of $G_0(X)$ is at most $2q^{d_0}$, the complexity of finding $Y_0$ is $O(q^{3d_0} + v q^{2d_0} \log q)$ by Berlekamp's algorithm. We see that (10) is a system of $o + l$ linear equations of $o$ variables. We thus conclude that the total complexity of decryption is $O(q^{3d_0} + v q^{2d_0} \log q + n^3)$. The parameter $d_0$ should be taken as $d_0 = O(\log_q n)$.
Security. Let $\{\theta_1, \dots, \theta_v\}$ be a basis of $\mathbb{F}_{q^v}$ over $\mathbb{F}_q$ and Θ 0 := θ . By the definition of $G, F$, we see that and then there exist $a_1, \dots, a_m \in \mathbb{F}_{q^v}$ such that The min-rank attack is thus available on HFERP and its complexity can be estimated ). This situation is similar for its plus and projection. Since $d_0 = O(\log_q n)$, the security of HFERP is $n^{O(\log_q n)}$, which is almost the same as HFE. For the minus, we can easily check that the complexity of decryption is at most $q^{r_-}$ times that of the original HFERP and the security against the min-rank attack is O( m+d 0 +2 . This means that the security of HFERP- is also $n^{O(\log_q n)}$.
ZHFE (Porras et al. 2020) is an encryption scheme constructed by two univariate polynomials over an extension field. In this subsection, we study the simplest version of ZHFE since the structure of the original version is not far from the simplest version. Let $n, m, D \ge 1$ be integers with $m = 2n$ and define the quadratic forms $G_1(X), G_2(X)$ of X = ${}^t(X, X^q, \dots, X^{q^{n-1}})$ such that the degree of $\Psi(X) := X^q \cdot G_1(X) + X \cdot G_2(X)$ is at most $D$. It is easy to see that the coefficient matrices $G_1^{(0)}, G_2^{(0)}$ of $G_1(X), G_2(X)$ as quadratic forms of X are
Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic map
Security. Let $\{\theta_1, \dots, \theta_n\}$ be a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ and Θ 2 := θ We can easily check that and then there exist $a_1, \dots, a_m \in \mathbb{F}_{q^n}$ such that Since $\operatorname{rank} G_1^{(0)} \le d + 2$ due to (11), the min-rank attack is available on ZHFE and its complexity can be estimated by $O\left(\binom{m+d+3}{d+3}^w\right) = O(m^{(d+3)w})$ (Cabarcas et al. 2017; Perlner and Smith-Tone 2016). Since $d = O(\log_q n)$, the security of ZHFE is also $n^{O(\log_q n)}$.
We note that the plus and projection do not enhance the security. For the minus, we see that there exist $a_1, \dots, a_{m-r_-}, b_0, \dots, b_{r_-} \in \mathbb{F}_{q^n}$ such that Since the rank of the matrix above is $d + r_- + 2$, the complexity of the min-rank attack is O( m+d+3 However, the complexity of decryption is at most $q^{r_-}$ times that of the original ZHFE, so the security of ZHFE- is also $n^{O(\log_q n)}$. Note that Perlner and Smith-Tone (2016) proposed a minus of ZHFE without slowing down the decryption by using a singular-type ZHFE. However, by studying the structure of such a ZHFE- carefully, we can easily check that such a minus does not enhance the security against the min-rank attack at all.

EFC
EFC (Szepieniec et al. 2016) is an encryption scheme constructed from the fact that an extension field can be expressed by a set of matrices. Let $n, m \ge 1$ be integers with $m = 2n$, $h(t)$ an irreducible univariate polynomial over $\mathbb{F}_q$ and $H$ an $n \times n$ matrix whose characteristic polynomial is $h(t)$. It is easy to see that $\mathcal{H} := \{a_0 I_n + a_1 H + \cdots + a_{n-1} H^{n-1} \mid a_0, \dots, a_{n-1} \in \mathbb{F}_q\}$ is isomorphic to $\mathbb{F}_q[t]/\langle h(t) \rangle \simeq \mathbb{F}_{q^n}$. Choose $A_1, \dots, A_m \in \mathcal{H}$ and define the map G : EFC (Szepieniec et al. 2016) is constructed as follows.
Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ (i.e., the matrices $A_1, \dots, A_m$) defined above.
Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$.
Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$.
Decryption. For a given ciphertext $c$, compute $z = {}^t(z_1, \dots, z_m) := T^{-1}(c)$. Solve a system of linear equations given by and find a solution $y$ of (12) satisfying $G(y) = z$. The plaintext is $p = S^{-1}(y)$.
Then at least one of the solutions of (12) satisfies $G(y) = z$ if $z \in G(\mathbb{F}_q^n)$. The equation (12) is written as $(z_1 B_1 + \cdots + z_m B_m)\,x = 0$, where $B_1, \dots, B_m$ are $n \times n$ matrices derived from $A_1, \dots, A_m$. The complexity of decryption is thus $O(n^3)$.
Note that, since the map $G$ in EFC is over-defined, the complexity of the "plus" and the "projection" is almost the same as that of the original EFC and that of the "minus" is at most $q^{r_-}$ times that of the original EFC.

ABC
ABC (Tao et al. 2013, 2015) is an encryption scheme constructed by three polynomial matrices $A, B, C$. Let $r, n, m \ge 1$ be integers with $n = r^2$, $m = 2r^2$. For $x = {}^t(x_1, \dots, x_n)$, define the $r \times r$ matrices $A(x), B(x), C(x)$ are linear forms of $x$. The quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is generated by $E_1(x) = \left(g_{j+r(i-1)}(x)\right)_{1 \le i,j \le r}$ and $E_2(x) = \left(g_{n+j+r(i-1)}(x)\right)_{1 \le i,j \le r}$. The encryption scheme ABC (Tao et al. 2013) is constructed as follows.
Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic map $G$ defined above.
Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$.
Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$.
Decryption. For a given ciphertext $c$, compute $z = {}^t(z_1, \dots, z_m) := T^{-1}(c)$ and put $Z_1 := \left(z_{j+r(i-1)}\right)_{1 \le i,j \le r}$, $Z_2 := \left(z_{n+j+r(i-1)}\right)_{1 \le i,j \le r}$. Find $y \in \mathbb{F}_q^n$ such that If $Z_2$ is not invertible, replace (14) with $B(y) Z_1^{-1} Z_2 = C(y)$. The plaintext is $p = S^{-1}(y)$. (14) yields a system of $n$ linear equations of $n$ variables. Then the complexity of decryption is $O(n^3)$. Note that the decryption fails if $A(S(p))$ is not invertible, and its probability is about $q^{-1}$.
Security. It is easy to check that the coefficient matrix $G_1$ of the first polynomial $g_1(x)$ in $G(x)$ is $G_1 = \begin{pmatrix} *_r & * \\ * & 0_{n-r} \end{pmatrix}$. Then the min-rank attack is available and its complexity is $O(q^{2r} \cdot n^4)$ (Tao et al. 2013). Moody et al. (2014, 2017) proposed an asymptotically optimal attack with the complexity $O(q^{r+2} \cdot n^4)$ based on the structure of subspace differential invariants. Recently, Liu et al. (2018) proposed a key recovery attack by solving a system of linear equations derived from the construction of the polynomials, and extended this key recovery attack to the rectangular ABC (Tao et al. 2015) and Cubic ABC. They claimed that the complexity of these attacks is $O(n^{2w})$, which is critical for the security of ABC schemes. On the other hand, one of the anonymous reviewers of the present paper claimed in his/her report that this attack seems doubtful. He/She may present his/her opinion somewhere in the near future.

Conclusion
In Sect. 2, we describe the multivariate schemes UOV, Rainbow, HFE variants and the corresponding second round candidates of NIST's project. In Sect. 3, we discuss the practicality of several new multivariate encryption schemes proposed recently. Tables 1 and 2 are rough sketches of the complexities of decryption/signature generation and the major attacks for the corresponding schemes. Note that there are various other attacks that concern implementations. Table 1 shows that practical signature schemes can be implemented easily, since signatures can be generated in polynomial time and the proposed attacks run in exponential time. On the other hand, Table 2 shows that the issues on the practicality of HFE variants have not been eliminated in the new encryption schemes. While selecting parameters for 80-, 100-, 120-bit security levels on such encryption schemes might be possible, they will not be able to follow the future inflation of security levels. Further drastic approaches will be required to construct practical multivariate encryption schemes.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.