One Vector to Rule Them All: Key Recovery from One Vector in UOV Schemes.

Unbalanced Oil and Vinegar is a multivariate signature scheme that was introduced in 1999. Most multivariate candidates for signature schemes at the NIST standardization competition are either based on UOV or closely related to it. The philosophy of the scheme is that the signer has to solve only a linear system to sign a message, while producing a forgery should be as hard as solving a random quadratic system. To achieve this, the signer uses the UOV trapdoor, which is a secret subspace, the “oil subspace”. We show how to recover an equivalent secret key from the knowledge of a single vector in the oil subspace in any characteristic. From this vector, we obtain linear equations that contain enough information to dismiss the public quadratic equations and retrieve the secret subspace with linear algebra for practical parametrizations of UOV, in at most 13 s for modern instantiations of UOV. This proves that the security of the UOV scheme lies in the complexity of finding exactly one vector in the oil space. We show how to extend this result to schemes related to UOV, such as MAYO and VOX.