MAYO: Practical Post-quantum Signatures from Oil-and-Vinegar Maps

Abstract

The Oil and Vinegar signature scheme, proposed in 1997 by Patarin, is one of the oldest and best understood multivariate quadratic signature schemes. It has excellent performance and signature sizes but suffers from large key sizes on the order of 50 KB, which makes it less practical as a general-purpose signature scheme. To solve this problem, this paper proposes MAYO, a variant of the UOV signature scheme whose public keys are two orders of magnitude smaller. MAYO works by using a UOV map \(\mathcal {P}:\mathbb {F}_q^n \rightarrow \mathbb {F}_q^n\) with an unusually small oil space, which makes it possible to represent the public key very compactly. The usual UOV signing algorithm fails if the oil space is too small, but MAYO works around this problem by “whipping up” the oil and vinegar map \(\mathcal {P}\) into a larger map \(\mathcal {P}^\star :\mathbb {F}_q^{kn} \rightarrow \mathbb {F}_q^m\), that does have a sufficiently large oil space. With parameters targeting NISTPQC security level I, MAYO has a public key size of only 614 Bytes and a signature size of 392 Bytes. This makes MAYO more compact than state-of-the-art lattice-based signature schemes such as Falcon and Dilithium. Moreover, we can choose MAYO parameters such that, unlike traditional UOV signatures, signatures provably only leak a negligible amount of information about the private key.

This work was supported by CyberSecurity Research Flanders with reference number VR20192203 and the Research Council KU Leuven grant C14/18/067 on Cryptanalysis of post-quantum cryptography. Ward Beullens is funded by a Junior Postdoctoral Fellowship from the Research Foundation - Flanders (FWO), FWO fellowship 1S95620N.

Appendices

A Proof of Lemma 3

Before we prove the lemma, we recall the following result, which is useful to prove that certain random matrices are of full rank with high probability. In particular the result applies to uniformly random matrices, and uniformly random symmetric matrices.

Lemma 10

Let \(\mathcal {M}\) be a distribution of matrices in \(\mathbb {F}_q^{n \times m}\) with \(n \ge m\), such that for all \(\mathbf {x}\in \mathbb {F}_q^m \setminus \{0\}\), we have

$$ \mathop {\Pr }\limits _{\mathbf {M}\leftarrow \mathcal {M}} [\mathbf {M}\mathbf {x}= 0] = q^{-n} , $$

then the probability that \(\mathbf {M}\leftarrow \mathcal {M}\) does not have full rank is bounded by \(\frac{q^{m-n}}{q-1}\).

Proof

From the assumption, it follows that the average number of non-zero kernel vectors is \((q^m-1)q^{-n}\). Since every matrix which does not have full rank has at least \(q-1\) non-zero kernel vectors, it follows that

$$ \mathop {\Pr }\limits _{\mathbf {M}\leftarrow \mathcal {M}} [\text {rank}(\mathbf {M})< m](q-1) \le (q^m-1)q^{-n} < q^{m-n} . $$

   \(\square \)

1.1 A.1 Proof of Lemma 3

Proof

First of all, we show that if \(\mathbf {v}_1,\cdots ,\mathbf {v}_k \in \mathbb {F}_q^{n-o} \times \{0\}^o\) are linearly independent, then the linear maps \(\mathcal {P}'(\mathbf {v}_1,\cdot ),\dots ,\mathcal {P}'(\mathbf {v}_k,\cdot )\) from O to \(\mathbb {F}_q^m\) are all independent and uniformly distributed. To see this, it suffices to show that for a basis \(\mathbf {y}_1,\cdots \mathbf {y}_o\) of O, the matrices \(\{ p_i'(\mathbf {v}_a,\mathbf {y}_b)\}_{a \in [k], b \in [o]}\) are independent and uniformly random for all \(i \in [m]\). If we choose the basis where \(\mathbf {y}_b\) is the b-th row of \(\begin{pmatrix} \mathbf {O}&\mathbf {I}_o \end{pmatrix}\), then a calculation shows that these matrices are

$$ \mathbf {V}\begin{pmatrix} (\mathbf {P}_i^{(1)} + \mathbf {P}_i^{(1)\top }) \mathbf {O}^\top + \mathbf {P}_i^{(2)} \end{pmatrix} , $$

where the rows of \(\mathbf {V}\in \mathbb {F}_q^{k \times (n-o)}\) consists of the first \(n-o\) entries of the \(\mathbf {v}_i\). Therefore, if the \(\mathbf {v}_i\) are linearly independent, then \(\mathbf {V}\) has full rank, and if \(k<(n-o)\), then it follows that these matrices are uniformly random and independent because the \(\mathbf {P}_i^{(2)}\) matrices are chosen uniformly at random during the key generation algorithm.

In particular, if \(\mathbf {M}_1,\dots ,\mathbf {M}_k \in \mathbb {F}_q^{n \times o}\) are the matrix representations of \(\mathcal {P}'(\mathbf {v}_i,\cdot )\) (i.e. the matrices such that for all \(i \in [k]\), we have \(\mathcal {P}'(\mathbf {v}_i,\sum _{i} u_i \mathbf {y}_i) = \mathbf {M}_i \mathbf {u}\)). Then we have shown that if the \(\mathbf {v}_i\) are linearly independent, then the \(\mathbf {M}_i\) are independent and uniformly random matrices.

As a warm-up, let us now look at the case \(k=1\) first. In this case the linear part of \(\mathcal {P}^\star (\mathbf {v}+ \mathbf {o})\) is \({\mathcal {P}^\star }'(\mathbf {v},\mathbf {o}) = 4 \mathbf {E}_{11} \mathcal {P}'(\mathbf {v},\mathbf {o})\). This has the matrix representation \(\mathbf {E}_{11} \mathbf {M}_1\), where if \(\mathbf {v}\ne 0\), the matrix \(\mathbf {M}_1\) is uniformly random. Therefore, we see that the signing algorithm has to restart with probability bounded by

$$ q^{-m} + q^{o-n} + \frac{q^{m-o}}{q-1} $$

because either \(\mathbf {E}_{11} = 0\) or \(\mathbf {v}= 0\), which happens with probability bounded by \(q^{-m} + q^{o-n}\), and in which case \(\mathbf {E}_{11} \mathcal {P}(\mathbf {v}+ \mathbf {o})\) is exactly zero, so it definitely is not full rank, or otherwise the linear part of \(\mathbf {E}_{11} \mathcal {P}(\mathbf {v}+ \mathbf {o})\) is a uniformly random linear map from O to \(\mathbb {F}_q^m\), so it fails to have full rank with probability bounded by \(\frac{q^{m-o}}{q-1}\) (Lemma 10).

In general, the linear part of \(\mathcal {P}^\star (\mathbf {v}+ \mathbf {o})\) is equal to

$$\begin{aligned} \mathcal {P}'^\star (\mathbf {v}, \mathbf {o})&= \sum _{ij} \mathbf {E}_{ij} \mathcal {P}'(\mathbf {v}_i +\mathbf {v}_j, \mathbf {o}_i + \mathbf {o}_j) \end{aligned}$$

(2)

$$\begin{aligned}&= \sum _{ij} \mathbf {E}_{ij}\left( \mathcal {P}'(\mathbf {v}_i,\mathbf {o}_i) + \mathcal {P}'(\mathbf {v}_i,\mathbf {o}_j) + \mathcal {P}'(\mathbf {v}_j,\mathbf {o}_i) + \mathcal {P}'(\mathbf {v}_j,\mathbf {o}_j) \right) \end{aligned}$$

(3)

Let \(\mathbf {M}_1,\dots ,\mathbf {M}_k\) be the matrix representations of \(\mathcal {P}'(\mathbf {v}_i, \cdot )\), then the matrix representation of \({\mathcal {P}^\star }'(\mathbf {v},\cdot )\) is \(\begin{pmatrix} \mathbf {M}'_1&\dots&\mathbf {M}'_k \end{pmatrix} \in \mathbb {F}_q^{m \times ko}\), where

$$\begin{aligned} \begin{pmatrix} \mathbf {M}'_1 \\ \vdots \\ \mathbf {M}'_k \end{pmatrix} = \mathbf {E}\begin{pmatrix} \mathbf {M}'_1 \\ \vdots \\ \mathbf {M}'_k \end{pmatrix} = \begin{pmatrix} \mathbf {D}_{1} &{} \mathbf {E}_{12} &{} \dots &{} \mathbf {E}_{1k} \\ \mathbf {E}_{12} &{} \mathbf {D}_{2} &{} \dots &{} \vdots \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ \mathbf {E}_{1k} &{} \dots &{} \dots &{} \mathbf {D}_{k} \end{pmatrix} \begin{pmatrix} \mathbf {M}'_1 \\ \vdots \\ \mathbf {M}'_k \end{pmatrix} \end{aligned}$$

(4)

where \(\mathbf {D}_i = \sum _{j<i} \mathbf {E}_{ji} + 4\mathbf {E}_{ii} + \sum _{j>i} \mathbf {E}_{ij}\). Since the \(\mathbf {E}_{ij}\) are chosen uniformly at random, we see that the matrix \(\mathbf {E}\) is just a uniformly random symmetric matrix in \(\mathbb {F}_{q^m}^{k \times k}\), so the probability that \(\mathbf {E}\) is singular is bounded by \(\frac{1}{q^m-1}\) (Lemma 10). Since the \(\mathbf {v}_i\) are chosen uniformly at random in \(\mathbb {F}_q^{n-o} \times \{0\}^o\), they are linearly dependent with probability bounded by \(\frac{q^{k-(n-o)}}{q-1}\) (Lemma 10 again), and otherwise the \(\mathbf {M}_i\) are independent and uniformly random matrices. Equation (4) shows that if the \(\mathbf {v}_i\) are linearly independent and \(\mathbf {E}\) is nonsingular, then the \(\mathbf {M}'_i\) are also uniformly random. Therefore, by Lemma 10, \(\mathcal {P}'^\star (\mathbf {v},\cdot )\) has full rank except with probability bounded by

$$ \frac{1}{q^m-1} + \frac{q^{k-(n-o)}}{q-1} + \frac{q^{m-ko}}{q-1}. $$

   \(\square \)

B Proof of Lemma 8

Proof

The \(\mathsf {EUF\text {-}KOA}\) adversary \(\mathcal {B}\) works as follows. When \(\mathcal {B}\) is given a public key \(\mathcal {P}\), it starts simulating \(\mathcal {A}\) on input \(\mathcal {P}\). To simulate random oracle queries \(\mathcal {B}\) maintains a list of queries L, that is initially empty. When \(\mathcal {A}\) queries a random oracle at input m, \(\mathcal {B}\) responds with \((\mathbf {E},\mathbf {t})\) if there is an entry \((m,\mathbf {E},\mathbf {t}) \in L\) and otherwise \(\mathcal {B}\) samples \(\mathbf {E}= \{\mathbf {E}_{ij}\}_{1\le i\le j\le k} \in \mathbb {F}_{q^m}\) and \(\mathbf {t}\in \mathbb {F}_q^m\) uniformly at random, adds \((m,\mathbf {E},\mathbf {t})\) to L and responds with \((\mathbf {E},\mathbf {t})\).

When \(\mathcal {A}\) makes a query to sign a message M, \(\mathcal {B}\) chooses a random \(\mathsf {salt}\) and aborts if there is an entry \((m||\mathsf {salt},\star ,\star )\) in L. Otherwise, \(\mathcal {B}\) samples \(\mathbf {E}= \{\mathbf {E}_{ij}\}_{1\le i\le j\le k} \in \mathbb {F}_{q^m}\) and \(\mathbf {s}_1,\dots ,\mathbf {s}_k \in \mathbb {F}_q^n\), and sets \(\mathbf {t}= \sum _{ij} \mathbf {E}_{ij} \mathcal {P}(\mathbf {s}_i + \mathbf {s}_j)\). Then \(\mathcal {B}\) adds \((m||\mathsf {salt},\mathbf {E},\mathbf {t})\) to L and outputs the signature \((\mathsf {salt},\mathbf {s}_1,\cdots ,\mathbf {s}_k)\).

Finally, when \(\mathcal {A}\) outputs a message-signature pair \((m,\sigma )\), \(\mathcal {B}\) just outputs the same pair.

It is clear that \(\mathcal {B}\) runs in time \(T + O((Q_h + Q_s + 1) \text {poly}(n,m,k,q))\), so to finish the proof we need to show that \(\mathcal {B}\) succeeds in the \(\mathsf {EUF\text {-}KOA}\) game with a sufficiently large probability. We prove this with a sequence of games.

• Let \(\mathsf {Game}_0\) be \(\mathcal {A}\)’s \(\mathsf {EUF\text {-}CMA}\) game against the MAYO signature scheme. By definition we have \(\Pr [\mathsf {Game}_0() = 1] = Adv^{\mathsf {EUF-CMA}}_{n,m,o,k,q}(\mathcal {A})\).

• Let \(\mathsf {Game}_1\) be identical to \(\mathsf {Game}_0\), except that the game aborts and outputs 0 if to answer a signing query m, the challenger picks a \(\mathsf {salt}\), such that the random oracle was already queried at input \(m||\mathsf {salt}\). Since there are in total \(Q_h + Q_s\) queries to the random oracle, the probability of an abort is at most \((Q_s + Q_h)2^{-2\lambda }\) for each signing query, which makes for a total probability of an abort of \((Q_s + Q_h)Q_s 2^{-2\lambda }\). Therefore, we have \(\Pr [\mathsf {Game}_1() = 1] \ge \Pr [\mathsf {Game}_0() = 1] - (Q_s + Q_h)Q_s 2^{-2\lambda }\).

• Let \(\mathsf {Game}_2\) be the same as \(\mathsf {Game}_1\) except that the game aborts and outputs 0 if during one of the calls to the signing oracle, the challenger has to restart the signing algorithm because he arrives at a linear system \({\mathcal {P}^\star (\mathbf {v}_1 + \mathbf {o}_1,\dots ,\mathbf {v}_k + \mathbf {o}_k) = \mathbf {t}}\) which does not have full rank. Note that the view of the adversary in \(\mathsf {Game}_1\) is independent of the number of signing attempts: if the signing algorithm encounters a system that does not have full rank, it just restarts from the beginning. Therefore, the output of the signing algorithm is independent of the number of signing attempts. It follows from Lemma 3 that

  $$\begin{aligned} \Pr [\mathsf {Game}_2() = 1]&= \Pr [\mathsf {Game}_1() = 1 \wedge \textsf {no restart}] = \Pr [\mathsf {Game}_1() = 1] \Pr [ \textsf {no restart}] \\&\ge \Pr [\mathsf {Game}_1() = 1]\left( 1 - Q_s \left( \frac{1}{q^m-1} + \frac{q^{k-(n-o)}}{q-1} + \frac{q^{m-ko}}{q-1} \right) \right) . \end{aligned}$$

• The final game \(\mathsf {Game}_3\) is just the \(\mathsf {EUF\text {-}KOA}\) game played by \(\mathcal {B}^\mathcal {A}\). If \(\mathsf {Game}_2\) does not abort, then the view of \(\mathcal {A}\) is identical in \(\mathsf {Game}_2\) and \(\mathsf {Game}_3\), because if no salt is chosen more than once for the same message, then \(\mathcal {B}\) simulates the random oracle perfectly. Moreover, since all of the linear systems have full rank, the signatures are computed as \(\mathbf {s}= \mathbf {v}+ \mathbf {o}\), where \(\mathbf {v}\) is chosen uniformly at random in \((\mathbb {F}_q^{n-o} \times \{0\}^o)^k\), and \(\mathbf {o}\) is uniformly random in \(O^k\). By construction we have \((\mathbb {F}_q^{n-o} \times \{0\}^o) + O = \mathbb {F}_q^n\), so the signatures in \(\mathsf {Game}_2\) are uniformly distributed, which means that \(\mathcal {B}\) simulates the signing oracle perfectly by just choosing random \(\mathbf {s}\in \mathbb {F}_q^{kn}\). Therefore, the probability that \(\mathcal {A}\) outputs a forgery in \(\mathsf {Game}_2\) is at least as big as the probability that it outputs a forgery in \(\mathsf {Game}_3\) (it could be larger, since \(\mathsf {Game}_3\) aborts less often, but this is not important for our analysis), so we have \(\Pr [\mathsf {Game}_3() = 1] > \Pr [\mathsf {Game}_2() = 1]\).

By combining the 3 inequalities we get that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {EUF-CMA}}_{n,m,o,k,q}(\mathcal {A})&\le \mathsf {Adv}^{\mathsf {EUF\text {-}KOA}}_{n,m,o,q}(\mathcal {B}) \left( 1- Q_s \left( \frac{1}{q^m-1} + \frac{q^{k-(n-o)}}{q-1} + \frac{q^{m-ko}}{q-1} \right) \right) ^{-1} \\&+ (Q_h+Q_s) Q_s 2^{-2\lambda } . \end{aligned}$$

   \(\square \)

C Proof of Lemma 9

Proof

We do the proof with a short sequence of games. The first game \(\mathsf {Game}_0\) is the \(\mathsf {EUF\text {-}KOA}\) game played by \(\mathcal {A}\). By definition we have \(\Pr [\mathsf {Game}_0() = 1] = \mathsf {Adv}^{\mathsf {EUF\text {-}KOA}}_{n,m,o,k,q}(\mathcal {A})\).

The next game is the same as \(\mathsf {Game}_0\), except that during the key generation step the challenger chooses a uniformly random \(\mathcal {P}\in \mathsf {MQ}_{n,m,q}\), instead of a \(\mathcal {P}\) that vanishes on some oil space O. We construct the adversary \(\mathcal {B}\) against the UOV assumption as follows. When \(\mathcal {B}\) is given a multivariate quadratic map \(\mathcal {P}\), it computes the matrix representation \(\{\mathbf {P}_i^{(1)}, \mathbf {P}_i^{(2)}, \mathbf {P}_i^{(3)}\}_{i \in [m]}\) of \(\mathcal {P}\). Then, \(\mathcal {B}\) pick a random \(\mathsf {seed}\), and runs \(\mathcal {A}\) on input \(\mathsf {pk}= (\mathsf {seed}, \{\mathbf {P}_i^{(3)}\}_{i \in [m]})\), while faithfully simulating a random oracle, and an \(\mathsf {Expand}\) oracle that outputs \(\mathbf {P}_i^{(1)}\) on input \(\mathsf {seed}||\mathsf {P1}||i\), that outputs \(\mathbf {P}_i^{(2)}\) on input \(\mathsf {seed}||\mathsf {P1}||i\), and that outputs random matrices of the appropriate shape otherwise. We designed \(\mathcal {B}\) in such a way, that if \(\mathcal {B}\) is given a \(\mathcal {P}\) that is a (n, m, o, q) UOV map, then \(\mathcal {B}\) is exactly \(\mathsf {Game}_0\), and if \(\mathcal {B}\) is given a random map \(\mathcal {P}\), then \(\mathcal {B}\) is \(\mathsf {Game}_1\). Therefore we have

$$ \mathsf {Adv}^{\mathsf {UOV}}_{n,m,o,q}(\mathcal {B}) = \left| \Pr [\mathsf {Game}_0() = 1] - \Pr [\mathsf {Game}_1() = 1] \right| . $$

For the next game we define the adversary \(\mathcal {B}'\) against the whipped MQ problem. When \(\mathcal {B}'\) is given a WMQ instance \(\mathcal {P},\{\mathbf {E}_{ij}\}_{ij}, \mathbf {t}\), it does the same thing as \(\mathsf {Game}_1\), except that instead of simulating a random oracle honestly, \(\mathcal {B}'\) chooses an integer \(I \in [Q_h]\) uniformly at random, and outputs \((\{\mathbf {E}_{ij}\}_{ij}, \mathbf {t})\) for the I-th distinct random oracle query (and all the subsequent queries for the same message). If \(\mathcal {A}\) outputs a valid message-signature pair \((m,(\mathsf {salt},\mathbf {s}))\), then the \(\mathcal {B}'\) adversary checks if \(m||\mathsf {salt}\) was the I-th random oracle query. If this is the case, then \(\mathcal {B}'\) outputs \(\mathbf {s}\), which is a correct solution to the WMQ instance, and otherwise \(\mathcal {B}'\) aborts. The view of \(\mathcal {A}\) in this game is the same as the view of a in \(\mathsf {Game}_1\), so \(\mathcal {A}\) outputs a valid message-signature pair with probability \(\Pr [\mathsf {Game}_1() = 1]\). The probability that \(\mathcal {A}\) outputs a valid pair \((m,(\mathsf {salt},\mathbf {s}))\) such that it has not queried the random oracle on input \(m||\mathsf {salt}\) is at most \(q^{-m}\). Note that the guess I is information-theoretically hidden from \(\mathcal {A}\), so if \(\mathcal {A}\) outputs a valid forgery for the J-th random oracle query, then the probability that \(I = J\) is \(1/Q_h\). Therefore we have \(\mathsf {Adv}^{\mathsf {WMQ}}_{n,m,k,q}(\mathcal {B}') \ge (\Pr [\mathsf {Game}_1() = 1] - q^{-m})/Q_h\).

We can now finish the proof by combining \(\Pr [\mathsf {Game}_0() = 1] = \mathsf {Adv}^{\mathsf {EUF\text {-}KOA}}_{n,m,o,k,q}(\mathcal {A})\) with inequalities from the two game transitions to get

$$ \mathsf {Adv}^{\mathsf {EUF\text {-}KOA}}_{n,m,o,k,q}(\mathcal {A}) \le \mathsf {Adv}^{\mathsf {UOV}}_{n,m,o,q}(\mathcal {B}) + Q_h \mathsf {Adv}^{\mathsf {WMQ}}_{n,m,k,q}(\mathcal {B}') + q^{-m} . $$

   \(\square \)