A Structural Attack on Block-Anti-Circulant UOV at SAC 2019

Abstract

At SAC 2019, Szepieniec and Preneel proposed a new variant of the Unbalanced Oil and Vinegar signature scheme (UOV) called block-anti-circulant UOV (BAC-UOV). In this scheme, the matrices representing the quadratic parts of the public key are designed to be block-anti-circulant matrices, which drastically reduces its public key size compared to UOV that originally has a relatively large public key size.

In this paper, we show that this block-anti-circulant property enables us to do a special linear transformation on variables in the public key polynomials. By executing the UOV attack on quadratic terms in partial variables of the resulting polynomial system, we obtain a polynomial system with less quadratic terms, which can be algebraically solved faster than the plain direct attack. Our proposed attack reduces the bit complexity of breaking BAC-UOV by about 20% compared with the previously known attacks. For example, the complexity of our proposed attack on 147-bit BAC-UOV parameter (claimed security level II in NIST PQC project by its authors) can be reduced only to 119 bits.

Appendix: Toy Example

We show a toy example of the proposed attack on BAC-UOV (\(q=3,V=3,O=2,\ell =4\)).

1.1 1. Generating a BAC-UOV Public Key

- Private Key Generation

The matrix representing the linear map \(\mathcal {S}:\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{20}\) is generated as

and the matrices associated to the quadratic form of the central map \(\mathcal {F}=(f_1,\ldots ,f_8):\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{8}\) are generated to be

- Public Key Generation

From \(\mathcal {S}\) and \(\mathcal {F},\) we can obtain a public key \(\mathcal {P}=(p_1,\ldots ,p_8):\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{8}\) for BAC-UOV, and the matrices associated to their quadratic forms are

1.2 2. Our Proposed Attack

We first apply a linear transformation represented by \(L_4^{(5)}\) and a permutation on the public key \(\mathcal {P}=(p_1,\ldots ,p_n)\), which is explained in Subsect. 4.1. \(L_4^{(5)}\) and the matrices representing the permutation, respectively, are

Then we construct a linear transformation \(\mathcal L\) by composing these two transformations. The matrices associated to the quadratic forms of the resulting polynomial system \(\mathcal {P}\circ \mathcal {L}=(p'_1,\ldots ,p'_8):\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{8}\) are in the form of (8):

Then by just applying the UOV attack on the smaller upper left submatrices of those above matrices like Sect. 4.2, we obtain a linear transformation \(\mathcal {L}':\mathbb {F}_3^{20}\rightarrow \mathbb {F}_3^{20},\) whose linear representation is

and with this transformation, we obtain a new polynomial system \(\mathcal {P}\circ \mathcal {L}\circ \mathcal {L}'=(p''_1,\ldots ,p''_8)\), where its matrices associated to its quadratic terms are given by

which are in the form of (10).

Then, in the polynomial system \(\mathcal {P}\circ \mathcal {L}\circ \mathcal {L}'(x_1,\dots ,x_{20})\), by fixing \(x_1,x_2,x_3\) randomly, \(x_4,x_5\) disappear from the quadratic parts. This reduces the complexity of the direct attack.