### Unbalanced Oil and Vinegar Signature Schemes [chapter]

Aviad Kipnis, Jacques Patarin, Louis Goubin
1999 Lecture Notes in Computer Science
In 16], J. Patarin designed a new scheme, called \Oil and Vinegar", for computing asymmetric signatures. It is very simple, can be computed very fast (both in secret and public key) and requires very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in n unknowns called \oil" and v = n unknowns called \vinegar" over a nite eld K, with linear secret functions. This original scheme was broken in 10] by A. Kipnis and A. Shamir. In this paper, we study some
more » ... y simple variations of the original scheme where v > n (instead of v = n). These schemes are called \Unbalanced Oil and Vinegar" (UOV), since we have more \vinegar" unknowns than \oil" unknowns. We show that, when v ' n, the attack of 10] can be extended, but when v 2n for example, the security of the scheme is still an open problem. Moreover, when v ' n 2 2 , the security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to the problem of solving a random set of n quadratic equations in n 2 2 unknowns (with no trapdoor). However, we show that (in characteristic 2) when v n 2 , nding a solution is generally easy. In this paper, we also present some practical values of the parameters, for which no attacks are known. We also study schemes with public keys of degree three instead of two. We show that no signi cant advantages exist at the present to recommend schemes of degree three instead of two. However, we show that it is very easy to combine the Oil and Vinegar idea and the HFE schemes of 14]. The resulting scheme, called HFEV, looks at the present also very interesting both from a practical and theoretical point of view. In UOV, the number of vinegar variables must be > n, but in HFEV this number can be very small or very large. Then length of a UOV signature can be as short as 192 bits and for HFEV it can be as short as 80 bits. Note: This paper is the extended version of the paper with the same title published at EURO-CRYPT'99.