
Shifting Our Knowledge of MQ-Sign Security

  • Conference paper
  • Post-Quantum Cryptography (PQCrypto 2025)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 15577)

Abstract

Unbalanced Oil and Vinegar (UOV) is one of the oldest, simplest, and most studied ad-hoc multivariate signature schemes. UOV signature schemes are attractive because they have very small signatures and fast verification. On the downside, they have large public and secret keys. As a result, variations of the traditional UOV scheme are usually developed with the goal of reducing the key sizes. Seven variants of UOV were submitted to the additional call for digital signatures by NIST; prior to that, a variant named MQ-Sign was submitted to the (South) Korean post-quantum cryptography competition (KpqC). MQ-Sign is currently competing in the second round of KpqC with two variants. One of the variants corresponds to the classic description of UOV with certain implementation and parameter choices. In the other variant, called MQ-Sign-LR, a part of the central map is constructed from row shifts of a single matrix. This design makes for smaller secret keys, and in the case where the equivalent keys optimization is used, it also leads to smaller public keys. However, we show in this work that the polynomial systems arising from an algebraic attack have a specific structure that can be exploited. Specifically, we are able to find preimages for d-periodic targets under the public map with a probability of \(63\%\) for all security levels. The complexity of finding these preimages, as well as the fraction of d-periodic targets, increases with d and hence provides a trade-off. We show that for all security levels one can choose \(d=\frac{v}{2}\), for v the number of vinegar variables, and reduce the security claim. Our experiments show practical running times for lower d, ranging from 6 s to 14 h.
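The abstract contrasts classic UOV with MQ-Sign-LR, where part of the central map is derived from row shifts of one matrix, and attributes the smaller secret key to that sharing. The following toy UOV-style scheme is an added illustration, not code from the paper or from the MQ-Sign submission. It uses GF(7) and tiny parameters purely for readability (MQ-Sign itself works over GF(2^8) with far larger v and m), and the `shared_vv` option makes the assumption, not stated in the abstract, that it is the vinegar-by-vinegar block of each central polynomial that is taken as a cyclic row shift of a single matrix A, with the vinegar-by-oil blocks left random. `central_map_elements` counts only the coefficients this toy construction stores for the central map, so that the saving from sharing one block can be seen; it says nothing about the submission's actual key sizes.

```python
import random

# Added illustration, not the paper's or the MQ-Sign submission's code: a toy
# UOV-style scheme over GF(Q). Q = 7 and the tiny (v, m) in demo() are
# assumptions for readability; MQ-Sign works over GF(2^8) with much larger v, m.
Q = 7

def solve_mod(A, b, q=Q):
    """Solve the square system A x = b over GF(q); return None if A is singular."""
    n = len(A)
    M = [list(row) + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % q), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col] % q, -1, q)
        M[col] = [x * inv % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] % q:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def inverse(T, q=Q):
    """Matrix inverse over GF(q) by solving T x = e_j for each unit vector e_j."""
    n = len(T)
    cols = [solve_mod(T, [int(i == j) for i in range(n)], q) for j in range(n)]
    return None if any(c is None for c in cols) else [list(r) for r in zip(*cols)]

def matmul(A, B, q=Q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def quad(M, x, q=Q):
    """Evaluate the quadratic form x^T M x over GF(q)."""
    return sum(x[i] * M[i][j] * x[j] for i in range(len(x)) for j in range(len(x))) % q

def keygen(v, m, rng, shared_vv=False):
    """Secret key: m central matrices F_i (n x n, oil x oil block zero) and an
    invertible T. Public key: P_i = T^T F_i T, i.e. P_i(x) = F_i(T x).
    shared_vv=True models the abstract's row-shift idea under the ASSUMPTION that
    it is the v x v vinegar block that comes from one matrix A (block i is the
    i-th cyclic row shift of A); the vinegar x oil blocks stay random."""
    n = v + m
    A = [[rng.randrange(Q) for _ in range(v)] for _ in range(v)]
    F = []
    for i in range(m):
        s = i % v
        vv = A[s:] + A[:s] if shared_vv else [[rng.randrange(Q) for _ in range(v)] for _ in range(v)]
        Fi = [[0] * n for _ in range(n)]
        for r in range(v):
            Fi[r][:v] = vv[r]
            Fi[r][v:] = [rng.randrange(Q) for _ in range(m)]  # vinegar x oil block
        F.append(Fi)  # rows v..n-1 stay zero: no oil x oil terms, the UOV trapdoor
    while True:
        T = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        if inverse(T) is not None:
            break
    Tt = [list(c) for c in zip(*T)]
    P = [matmul(matmul(Tt, Fi), T) for Fi in F]
    return (F, T), P

def sign(sk, target, v, rng):
    """Fix random vinegar values; each F_i then becomes linear in the oil variables."""
    F, T = sk
    m, n = len(F), v + len(F)
    Tinv = inverse(T)
    while True:
        vin = [rng.randrange(Q) for _ in range(v)]
        const = [quad([row[:v] for row in Fi[:v]], vin) for Fi in F]
        lin = [[sum(vin[k] * Fi[k][v + j] for k in range(v)) % Q for j in range(m)] for Fi in F]
        oil = solve_mod(lin, [(t - c) % Q for t, c in zip(target, const)])
        if oil is not None:  # retry with fresh vinegar if the m x m oil system is singular
            y = vin + oil
            return [sum(Tinv[i][j] * y[j] for j in range(n)) % Q for i in range(n)]

def verify(pk, sig, target):
    return [quad(Pi, sig) for Pi in pk] == [t % Q for t in target]

def central_map_elements(v, m, shared_vv):
    """Field elements this toy stores for the central map (T excluded)."""
    return (v * v if shared_vv else m * v * v) + m * v * m

def demo(v=6, m=3, seed=1, shared_vv=False):
    """Key generation, signing and verification for one constructed target."""
    rng = random.Random(seed)
    sk, pk = keygen(v, m, rng, shared_vv)
    target = [rng.randrange(Q) for _ in range(m)]
    sig = sign(sk, target, v, rng)
    F = sk[0]
    shifted = all(F[i][0][:v] == F[0][i % v][:v] for i in range(m))
    return verify(pk, sig, target), central_map_elements(v, m, shared_vv), shifted
```

Running `demo()` and `demo(shared_vv=True)` signs the same kind of target with both key shapes; the verification result is identical, while the stored central-map coefficients drop from m·v·(v+m) to v² + m·v·m once the vinegar block is shared, which is the kind of saving the abstract describes for the secret key.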

This research has been supported by the Dutch government through the NWO grant OCNW.M.21.193 (ALPaQCa).


Notes

  1. The submission counts \(v(v+m)\) elements, which corresponds to the evaluation costs, but not to the number of stored elements.

  2. In fact, we also need \(d < m\). However, for the systems considered, this holds for all divisors d of v except v itself.

  3. All timing experiments were run on an AMD EPYC 7502P.


Acknowledgement

We thank Simona Samardjiska for initial discussions on the attack idea. We thank Magali Bardet for meticulously reviewing our work and for many helpful comments and suggestions.

Author information

Corresponding author: Lars Ran


Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Ran, L., Trimoska, M. (2025). Shifting Our Knowledge of MQ-Sign Security. In: Niederhagen, R., Saarinen, MJ.O. (eds) Post-Quantum Cryptography. PQCrypto 2025. Lecture Notes in Computer Science, vol 15577. Springer, Cham. https://doi.org/10.1007/978-3-031-86599-2_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-86599-2_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-86598-5

  • Online ISBN: 978-3-031-86599-2

  • eBook Packages: Computer Science (R0)
