Unbalanced Oil and Vinegar
In cryptography, the Unbalanced Oil and Vinegar (UOV) scheme is a modified version of the Oil and Vinegar scheme designed by J. Patarin. Both are digital signature schemes. They belong to the group of multivariate cryptography. The security of this signature scheme is based on an NP-hard mathematical problem. To create and validate signatures a minimal quadratic equations system has to be solved. Solving m equations with n variables is an NP-hard problem, even when using a real existing quantum computer. Therefore, the signature schemes based on multivariate equations systems are considered to be quantum resistant.
Public and private key
Every asymmetric scheme has a public and a private key (public-key cryptography). In known schemes like RSA the keys are bit strings. In the UOV scheme, and in every other multivariate signature scheme the keys are more complex.
The mathematical problem is to solve equations with variables. The whole equations system is the public key.
To use a mathematical problem for cryptography it has to be modified. The computing of the variables would need a lot of resources. A standard computer isn't able to compute this in an acceptable time. Therefore, a special Trapdoor gets inserted into the equations system. This trapdoor is the private key. It consists of three parts: Two affine transformations and and a polynomial vector . Both transformations are used to transform elements in certain groups. transforms to . The second transformation transforms the variable vector to the valid signature.
The third secret element provides certain tools for the equations creation. The equations are built with certain rules which are only known to the owner of the private key.
Creation of a signature
To create a valid signature the following equations system has to be solved
Here the is a given message which should be signed. The valid signature is .
To sign a given , the message must first be transformed to fit in the equations system. is used to "split" the message to acceptable pieces . Then the equations have to be built. Every single equation has the same form:
The next steps sign a given message and the result is a valid signature .
- The coefficients () must be chosen secretly.
- The vinegar variables () are chosen randomly
- The resulting linear equations system gets solved for the oil variables ()
The vinegar and oil variables build the pre-signature . Finally gets transformed by the private transformation to give the valid signature .
The system of equations becomes linear if the vinegar variables are fixed – no oil variable is multiplied with another oil variable in the equation. Therefore, the oil variables can be computed easily using, for example, a Gaussian reduction algorithm. The signature creation is itself fast and computationally easy.
Validation of a signature
The signature is transmitted to the communication partner. The validation of the signature is performed with the help of the public key, which is an equations system.
This system of equations is a slightly modified version of the system needed for signature creation. It is modified so that an attacker cannot get information about the secret coefficients and the special formatting of the oil and vinegar variables. Every equation of the public key has to be solved to validate the signature. The input is the signature itself. If every result is equal to the corresponding part of the original message, then the verification succeeded.
Problems and advantages of the UOV scheme
A primary advantage is that the mathematical problem to be solved in the algorithm is quantum-resistant. That is, if someday a quantum computer is built that can handle enough states to break commercial signature schemes like RSA or ElGamal, the Unbalanced Oil and Vinegar signature scheme remains secure, as no algorithm currently exists that gives a quantum computer a great advantage in solving these multivariate systems of equations.
The second advantage is that the operations used in the equations are relatively simple. Signatures get created and validated only with addition and multiplication of "small" values, making this signature viable for low-resource hardware like in smart cards.
A disadvantage is that UOV uses very long key-lengths, with the public key being the entire system of equations, which can require several kilobytes of storage. UOV is also a young digital signature scheme. While some attack methods are already known, many more will certainly appear if UOV becomes widely used. It is not yet ready for commercial use[why?].
- Buchmann, Johannes; Coronado, Carlos; Doring, Martin; Engelbert, Daniela; Ludwig, Christoph; Overbeck, Raphael; Schmidt, Arthur; Vollmer, Ulrich; Weinmann, Ralf-Philipp: Post-Quantum Signatures, –, October 29. 2004
- Wolf, Christopher: Multivariate Quadratic Polynomials in Public Key Cryptography, DIAMANT/EIDMA symposium 2005
- Braeken, An; Wolf, Christopher; Preneel, Bart: A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes, ESAT-COSIC, September 2. 2004
- Coron, Jean-Sebastien; de Weger, Benne: Hardness of the Main Computational Problems Used in Cryptography, ECRYPT D.AZTEC.6, March 14. 2007
- Kipnis, Aviad: Unbalanced Oil and Vinegar Signature Schemes – extended version, EURO-CRYPT, 1999