New Identified Strategies to Forge Multivariate Signature Schemes

Abstract

A rogue certificate authority (RCA) is a dishonest entity that has the trust of web browsers and users to produce valid key pairs which are vulnerable. This work analyses two acknowledged post-quantum secure Multivariate Quadratic Problem (MQP) based signature schemes, namely the UOV and Rainbow signature schemes that obtain their key pair from a potential RCA methodology. We revisit two and provide a novel RCA methodology that would enable adversaries to forge UOV and Rainbow signatures. We also lay out two strategies to identify whether the public parameters are generated by the first two methodologies. To this end, strategies to identify the third strategy remain elusive. As such, the UOV and Rainbow schemes remain vulnerable to forgery if it was forged via the third methodology.

1. Introduction

Asymmetric key cryptosystems have solved the key distribution problem arising from the widespread use of symmetric key cryptosystems. In contrast to symmetric key cryptosystems which utilize the same key to encrypt and decrypt, asymmetric key cryptosystems use different keys known as public and private keys. Furthermore, asymmetric key cryptosystems not only solve the key distribution problem and provide confidentiality but also provide entity authentication, preserve message integrity and prevent identity repudiation. The public–private key pair is generated by the Certificate Authority (CA). However, a client might receive key pairs generated from a rogue Certificate Authority (RCA) who hides the fact that the produced key pairs have weaknesses that are only known to nobody else except the RCA [1]. The public key which works perfectly and satisfies the public security requirements during the key generation process, can be manipulated by an adversary in order to recover the secret parameters.

A digital signature is defined as a mathematical procedure which provides the authenticity and integrity of a message. The private signing key is used in the signing algorithm to sign the document and produce valid signatures; meanwhile, the public key is used in the verification algorithm to verify the validity of the signature corresponding to the document. In addition, forgery is an act of making a copy of a valid signature or document in order to deceive someone.

In 1994, [2] proved that classical cryptography will be no longer secure in the existence of a quantum computer. A quantum computer can solve hard problems such as Integer Factorization Problem (IFP) [3] and Discrete Log Problem (DLP) [4] in polynomial time. Hence, we require post-quantum cryptography algorithms which are resistant to a quantum computer. Among the candidates of post-quantum cryptography is multivariate cryptography.

In multivariate public key cryptography (MPKC), the underlying hard problem is defined as the Multivariate Quadratic Problem (MQP). In MQP, $\mathcal{P}=(p^{\left(1\right)},\dots ,p^{\left(m\right)})$ is a system of m quadratic equations in n variables under the finite field ${\mathbb{F}}_q$. One needs to identify a vector $\mathbf{x}=(x_1,\dots ,x_n)$ such that the system of polynomials $\mathcal{P}\left(\mathbf{x}\right)=0$ [5]. In order to forge a multivariate signature scheme, one has either to produce a valid signature s’ such that $\mathcal{P}\left({\mathbf{s}}^{\prime }\right)={\mathbf{z}}^{\prime }=\mathbf{z}$ or recover secret keys $\mathcal{S},\mathcal{F}$ and $\mathcal{T}$.

The Unbalanced Oil and Vinegar (UOV) scheme by [6] requires one to choose o number of equations and $n=o+v$ number of variables where $v>o$. This is an amendment to the Oil and Vinegar (OV) scheme [7] that was successfully cryptoanalysed by Kipnis and Shamir attack [8]. The initial OV scheme sets $v=o$ [7]. On the other hand, the Rainbow signature scheme [9] is a multilayer version of UOV with smaller key and signature sizes which initiate better performance. In 2017, another version of UOV which utilizes smaller key and signature sizes was proposed and coined the LUOV cryptosystem [10]. In 2020, Petzolt proposed an algorithm to speed up the key generation of Rainbow [11].

The National Institute of Standards and Technology (NIST) announced the request for nominations for public key post-quantum cryptographic algorithms in 2016 in preparation for the quantum computing era. Since then, many quantum algorithms resistant to quantum computers have been proposed, including [12,13,14,15,16]. The Rainbow signature scheme successfully advanced from Round 1 to Round 2 and was one of the finalists for the third-round candidates for digital signature algorithms other than CRYSTALS-DILITHIUM [17] and FALCON [18] whereas, Classic McEliece [19], CRYSTALS-Kyber [20], NTRU [21] and SABER [22] are the finalists for encryption algorithms. In 2020, Beullens [23] proposed two new attacks on Rainbow; the intersection attack which also works on the UOV scheme and the rectangular MinRank attack. Both attacks greatly reduce the key recovery cost and in consequence, the parameter sets fail to meet the security requirements set out by NIST. Additionally, another Beullens’ key recovery attack that completely breaks the Rainbow scheme on security SL1 disqualified it from making it to Round 4 [24]. Despite the total break of the Rainbow scheme, Cartor et al. [25] suggested adding an internal perturbation modifier in order to mend the scheme and make it secure again.

2. Related Works

The concept of an equivalent public key was first introduced in [26] where they generalized equivalent keys to increase the efficiency of algebraic key recovery attacks. [27] implemented the concept of an equivalent public key to give a detailed security analysis of their proposed encryption scheme. Furthermore, [28] showed that the algebraic system of an EFC public key has lower degree equations during the Gröbner basis computation compared to a random system having the same size. Consequently, solving the algebraic system of an EFC public key becomes simpler and easier.

We aim to construct the weakened multivariate signature schemes by focusing on generating the public–private key pair of which its vulnerability is only known to the RCA. The public key system $\mathcal{P}$ of multivariate signature schemes will be constructed by inducing some weaknesses but still inherits randomness. Furthermore, we put forward strategies to identify them so that the users could conduct due diligence upon receiving the key pair.

In this work, we provide three potential methodologies that could be executed by an RCA which will expose UOV and Rainbow signature schemes to forgery. All three methodologies are able to forge the UOV signature scheme, whilst the Rainbow signature scheme is only vulnerable to one methodology. We also discuss the reason why the Rainbow signature scheme is secure against the first and second forgery mechanisms. In addition, we provide two strategies to identify whether the public key of UOV and Rainbow signature schemes obtained from a potential RCA, has the potential to be utilized to forge signatures. Consequently, the users of the UOV and Rainbow signature schemes can refuse to use the key pairs from the RCA.

The layout of the paper is structured as follows. In Section 3, we summarize the UOV and Rainbow signature schemes. Section 4 summarizes the three forgery mechanisms denoted by DSFM1, DSFM2 and DSFM3. We also discuss methods to identify whether one is provided weak parameters via DSFM1 and DSFM2 methodologies. Moreover, in Section 5, we present our main results which show that the UOV scheme is vulnerable against the mentioned forgery mechanisms. We also provide examples for illustrative purposes. Moving on to Section 6, we discuss the reason why the Rainbow scheme is not vulnerable to DSFM1 and DSFM2. Next, we show that both UOV and Rainbow schemes are vulnerable against DSFM3 in Section 7. Section 8 provides the discussion from our work for comprehensive understanding. Finally, we conclude our work in Section 9.

3. Multivariate Signature Schemes

In this section, we show the key generation, signing and verification processes of two multivariate signature schemes, namely the UOV and Rainbow signature schemes.

The UOV signature scheme can be described as follow.

3.1. UOV Digital Signature

Let ${\mathbb{F}}_q$ be a finite field with q elements. The number of equations is equal to o and the number of variables is equal to $n=o+v$ where $v>o$. Let $V=1,\dots ,v$ and $O=v+1,\dots ,n.$$x_1,\dots ,x_v$ be known as the Vinegar variables and $x_{v+1},\dots ,x_n$ known as the Oil variables.

Key Generation: Choose an affine map $\mathcal{T}:{\mathbb{F}}^n\to {\mathbb{F}}^n$ and a central map $\mathcal{F}:{\mathbb{F}}^n\to {\mathbb{F}}^o$ which consists of o quadratic polynomials $f^{\left(1\right)},\dots ,f^{\left(o\right)}$ of the form

$$\begin{array}{c}\hfill f^{\left(k\right)}=\sum _{a,b\in V}{\alpha }_{a,b}^{\left(k\right)}{x}_a{x}_b+\sum _{a\in V,b\in O}{\beta }_{a,b}^{\left(k\right)}{x}_a{x}_b+\sum _{a\in V\cup O}{\gamma }_a^{\left(k\right)}{x}_a+{\delta }^{\left(k\right)}(k=1,\dots ,o).\end{array}$$

The private key consists of the two maps $\mathcal{F}:{\mathbb{F}}^n\to {\mathbb{F}}^o$ and $\mathcal{T}:{\mathbb{F}}^n\to {\mathbb{F}}^n$, whereas the public key is the composed map $\mathcal{P}=\mathcal{F}\circ \mathcal{T}$ consisting of o quadratic polynomials in n variables.

Signature Generation: To generate a signature z$\in {\mathbb{F}}^n$ for a document d, one uses a hash function $\mathcal{H}:\{0,1\}\to {\mathbb{F}}^o$ to compute the hash value $\mathbf{w}=\mathcal{H}\left(d\right)\in {\mathbb{F}}^o$ and perform the following steps.

• Find a pre-image $\mathbf{y}\in {\mathbb{F}}^n$ of w under the central map $\mathcal{F}$.
  • Choose random values for the Vinegar variables $y_1,\dots ,y_v$ and substitute them into the polynomials $f^{\left(1\right)},\dots ,f^{\left(o\right)}$.
  • Choose the resulting linear system of o equations in the o Oil variables $y_{v+1},\dots ,y_n$ by Gaussian elimination. If the system does not have a solution, choose other values for the vinegar variables $x_1,\dots ,x_v$ and try again.
• Compute the signature $\mathbf{z}\in {\mathbb{F}}^n$ by $\mathbf{z}={\mathcal{T}}^{-1}(\mathbf{y})$.

Signature Verification: To check if $\mathbf{z}\in {\mathbb{F}}^n$ is indeed a valid signature for the document d, one computes $\mathbf{w}=\mathcal{H}\left(d\right)\in {\mathbb{F}}^o$ and computes ${\mathbf{w}}^{\prime }=\mathcal{P}\left(\mathbf{z}\right)={\mathbb{F}}^o$. If ${\mathbf{w}}^{\prime }=\mathbf{w}$ holds, the signature z is accepted, otherwise rejected.

Next, we describe the Rainbow signature scheme as follows.

3.2. Rainbow Digital Signature

Key Generation: Let ${\mathbb{F}}_q$ be a finite field with q elements. Let $v_1,\dots ,v_{u+1}$ be integers such that $0<v_1<v_2,\dots <v_u<v_{u+1}=n$ and define the sets of integers $V_i=\{1,\dots ,v_i\}$ for $i=1,\dots ,u.$ We set $o_i=v_{i+1}-v_i$ and $O_i=\{v_i+1,\dots ,v_{i+1}\}$ for $i=1,\dots ,u$. We have $|O_i|=o_i$.

The central map $\mathcal{F}$ consists of $m=n-v_1$ polynomials $f^{(v_1+1)},\dots ,f^{\left(n\right)}\in \mathbb{F}[x_1,\dots ,x_n]$ of the form

$$\begin{array}{c}\hfill f^{\left(k\right)}\left(\mathbf{x}\right)=\sum _{a,b\in V_{\ell },a\le b}{\alpha }_{a,b}^{\left(k\right)}{x}_a{x}_b+\sum _{a\in O_{\ell },b\in V_{\ell }}{\beta }_{a,b}^{\left(k\right)}{x}_a{x}_b+\sum _{a\in V_{\ell }\cup O_{\ell }}{\gamma }_a^{\left(k\right)}{x}_a+{\eta }^{\left(k\right)}(k=v_1+1,\dots ,n),\end{array}$$

where ℓ is the only integer such that $k\in O_{\ell }$.

To hide the structure of $\mathcal{F}$ in the public key, one composes it with two invertible affine maps $\mathcal{S}:{\mathbb{F}}^m\to {\mathbb{F}}^m$ and $\mathcal{T}:{\mathbb{F}}^n\to {\mathbb{F}}^n$. Hence, the public key has the form $\mathcal{P}=\mathcal{S}\circ \mathcal{F}\circ \mathcal{T}:{\mathbb{F}}^n\to {\mathbb{F}}^m$, the private key consists of the three maps $\mathcal{S},\mathcal{F}$ and $\mathcal{T}$.

The following Algorithm 1 is to compute the inversion of the Rainbow central map.

Algorithm 1 Inversion of the Rainbow central map.

Input: Rainbow central map $\mathcal{F}=(f^{(v_1+1)},\dots ,f^{\left(n\right)}$, vector x$\in {\mathbb{F}}^m.$ Output: Vector $\mathbf{y}\in {\mathbb{F}}^n$ with $\mathcal{F}\left(\mathbf{y}\right)=\mathbf{x}$. Choose random values for the variables $y_1,\dots ,y_{v_1}$ and substitute them into the polynomials $f^{\left(i\right)}(i=v_1+1,\dots ,n)$. for$\ell =1$ to u do      Perform Gaussian Elimination on the polynomials $f^{\left(i\right)}(i\in O_{\ell })$ to get the values of the variables $x_i(i\in O_{\ell })$.      Substitute the values of $x_i(i\in O_{\ell })$ into the polynomials $f^{\left(i\right)}(i=v_{\ell +1}+1,\dots ,n)$. end for

Signature Generation: To generate a signature for a message d, one uses a hash function $\mathcal{H}:\{0,1\}\to {\mathbb{F}}^m$ to compute the hash value $\mathbf{w}=\mathcal{H}\left(d\right)\in {\mathbb{F}}^m$ and perform the following steps.

• Compute $\mathbf{x}={\mathcal{S}}^{-1}\left(\mathbf{w}\right)\in {\mathbb{F}}^m$.
• Compute a pre-image $\mathbf{y}\in {\mathbb{F}}^n$ of x under the central map $\mathcal{F}$. This is done utilizing Algorithm 1.
• Compute the signature $\mathbf{z}\in {\mathbb{F}}^n$ by $\mathbf{z}={\mathcal{T}}^{-1}\left(\mathbf{y}\right)$.

Signature Verification: To check, if $\mathbf{z}\in {\mathbb{F}}^n$ is indeed a valid signature for the document d, one computes $\mathbf{w}=\mathcal{H}\left(d\right)\in {\mathbb{F}}^m$ and computes ${\mathbf{w}}^{\prime }=\mathcal{P}\left(\mathbf{z}\right)={\mathbb{F}}^m$. If ${\mathbf{w}}^{\prime }=\mathbf{w}$ holds, the signature z is accepted, otherwise rejected.

4. Novel Forgery Mechanisms for Multivariate Signature Schemes

This section outlines two forgery mechanisms which were first made known to the public by our research group during The International Conference on Mathematical Sciences and Technology 2022 (MathTech 2022) [29] namely the DSFM1 and DSFM2 mechanisms. We also provide another novel mechanism in this section, known as DSFM3. Upon executing these three methods on multivariate signature schemes, it would enable an adversary to forge signatures without the knowledge of $(\mathcal{S},\mathcal{F},\mathcal{T})$.

4.1. Digital Signature Forgery Mechanism 1 (DSFM1)

In this subsection, a public key system $\mathcal{P}$ which is generated by DSFM1 would enable forgery by those who know about it. The DSFM1 would result in polynomials in $\mathcal{P}$ to be multiples of each other. As such, one needs to solve only one of the polynomials $p^{\left(i\right)}(i=1,\dots ,m)$. This is due to the fact that a vector $\mathbf{x}=(x_1,\dots ,x_m)$ which satisfies $p^{\left(i\right)}\left(\mathbf{x}\right)=0$ also satisfies the other polynomials in the same system $\mathcal{P}$.

4.1.1. Generating DSFM1 Induced System of Equations

The following Algorithm 2 induces DSFM1 weaknesses on a system of equations.

Algorithm 2 Digital Signature Forgery Mechanism 1

Input: Integer q. Output: Public key system $\mathcal{P}:{\mathbb{F}}^n\to {\mathbb{F}}^m$ over ${\mathbb{F}}_q$. Choose two random invertible affine maps $\mathcal{S}:{\mathbb{F}}^m\to {\mathbb{F}}^m$ and $\mathcal{T}:{\mathbb{F}}^n\to {\mathbb{F}}^n$. Choose a central map $\mathcal{F}:{\mathbb{F}}^n\to {\mathbb{F}}^m$ of which its polynomials can also be written as $f^{\left(j\right)}=k_j{f}^{\left(1\right)}$ where $k_j\in {\mathbb{Z}}_q$. Compute $\mathcal{P}=\mathcal{S}\circ \mathcal{F}\circ \mathcal{T}$.

4.1.2. Identifying DSFM1

The user can check whether the public key system $\mathcal{P}$ received is a forgeable system via DSFM1 or not by utilizing the following Algorithm 3.

Algorithm 3 Identifying DSFM1

Input: The system $\mathcal{P}=(p^{\left(1\right)},\dots ,p^{\left(m\right)}$) of multivariate quadratic polynomials over ${\mathbb{F}}_q$ Output:$\mathcal{P}$ is a forgeable system for$j=2$ to m do     $k_j=c_{p^{\left(j\right)}}·c_{p^{\left(1\right)}}^{-1}\mathrm{mod}q$ where $c_{p^{\left(j\right)}}$ and $c_{p^{\left(1\right)}}$ are the coefficients of polynomial $p^{\left(j\right)}$ and $p^{\left(1\right)}$, respectively.     If $p^{\left(j\right)}=k_j{p}^{\left(1\right)}$ where $k_j\in {\mathbb{Z}}_q$, then $\mathcal{P}$ is a forgeable system. end for return

4.2. Digital Signature Forgery Mechanism 2 (DSFM2)

In this subsection, a public key system $\mathcal{P}$ which is generated by DSFM2 would enable forgery by those who know about it. The DSFM2 would result in polynomials in $\mathcal{P}$ to be summations of each other. As such, one needs to solve only two of the polynomials $p^{\left(i\right)}$ and $p^{\left(k\right)}$ where $p^{\left(j\right)}=p^{\left(i\right)}+p^{\left(k\right)}$. This is due to the fact that a vector $\mathbf{x}=(x_1,\dots ,x_m)$ which satisfies $p^{\left(i\right)}\left(\mathbf{x}\right)=0$ and $p^{\left(k\right)}\left(\mathbf{x}\right)=0$ also satisfies the other polynomials in the same system $\mathcal{P}$.

4.2.1. Generating DSFM2 Induced System of Equations

The following Algorithm 4 induces DSFM2 weaknesses in a system of equations.

Algorithm 4 Digital Signature Forgery Mechanism 2

Input: Integer q. Output: Public key system $\mathcal{P}:{\mathbb{F}}^n\to {\mathbb{F}}^m$ over ${\mathbb{F}}_q$. Choose two secret invertible affine maps $\mathcal{S}:{\mathbb{F}}^2\to {\mathbb{F}}^2$ and $\mathcal{T}:{\mathbb{F}}^n\to {\mathbb{F}}^n$. Choose a secret central map $\mathcal{F}:{\mathbb{F}}^n\to {\mathbb{F}}^2$. Compute $\mathcal{S}\circ \mathcal{F}\circ \mathcal{T}$ to output two equations $p^{\left(1\right)}$ and $p^{\left(2\right)}$. For $p^{\left(j\right)}$$(j=3,\dots ,m)$, set $p^{\left(j\right)}=p^{\left(i\right)}+p^{\left(k\right)}$ where $i=1,\dots ,j-1$ and $k=1,\dots ,j-1$. Publish $\mathcal{P}=(p^{\left(1\right)},\dots ,p^{\left(m\right)})$ as public key over ${\mathbb{F}}_q$.

4.2.2. Identifying DSFM2

The user can check whether the public key system $\mathcal{P}$ received is a forgeable system via DSFM2 or not by utilizing the following Algorithm 5.

Algorithm 5 Identifying DSFM2

Input: The system $\mathcal{P}=(p^{\left(1\right)},\dots ,p^{\left(m\right)}$) of multivariate quadratic polynomials over ${\mathbb{F}}_q$ Output:$\mathcal{P}$ is a forgeable system for$j=3$ to m do     for $i=1$ to $j-1$ do        for $k=i$ to $j-1$ do            $p^{\left(i\right)}+p^{\left(k\right)}$            If $p^{\left(j\right)}=p^{\left(i\right)}+p^{\left(k\right)}$, then $\mathcal{P}$ is a forgeable system.        end for     end for end for return

4.3. Digital Signature Forgery Mechanism 3 (DSFM3)

In this subsection, we discuss the method to forge multivariate signature schemes without having to alter the construction of the public key system $\mathcal{P}$. This is due to the fact that if an adversary successfully solicits x from an RCA and solves $\mathcal{P}(\mathbf{x}+\alpha )=\mathbf{w}$ for some $\alpha \in {\mathbb{Z}}_q$, the adversary can forge the signature $\mathbf{z}$ corresponding to the hash value $\mathbf{w}=\mathcal{H}\left(d\right)$.

Generating DSFM3 Forged Signature

The following Algorithm 6 explains DSFM3.

Algorithm 6 Digital Signature Forgery Mechanism 3

Input: Public key $\mathcal{P}=(p^{\left(1\right)},\dots ,p^{\left(m\right)})$, x$=(x_1,\dots ,x_n)$ such that $\mathcal{P}\left(\mathbf{x}\right)=0$ and w$=(w_1,\dots ,w_m)$ Output: Signature z’ such that $\mathcal{P}\left({\mathbf{z}}^{\prime }\right)={\mathbf{w}}^{\prime }=\mathbf{w}$ Compute $\mathcal{P}(\mathbf{x}+\alpha )=(p^{\left(1\right)}(x_1+\alpha ,\dots ,x_n+\alpha ),\dots ,p^{\left(m\right)}(x_1+\alpha ,\dots ,x_n+\alpha ))$ where $\alpha$ is an unknown variable. Solve m equations in the single variable $\alpha$ such that $\mathcal{P}(\mathbf{x}+\alpha )=\mathbf{w}$. Set ${\mathbf{z}}^{\prime }={\mathbf{x}}^{\prime }+\alpha =(x_1+\alpha ,\dots ,x_n+\alpha )$.

In Steps 1 and 2, computing and solving $\mathcal{P}(\mathbf{x}+\alpha )=\mathbf{w}$ would reduce the number of unknowns from n variables to only one variable. Instead of solving m equations in n variables, the adversary only needs to solve m univariable equations which is much easier.

5. Generating Weak UOV Signature Scheme

In this section, we show how a weak UOV signature scheme is generated by RCA from DSFM1 and DSFM2.

5.1. Generating Weak UOV Signature Scheme by DSFM1

From DSFM1, we put forward an algorithm to generate a weak UOV public key. In other words, we set up the UOV public key which is $\mathcal{P}$, where all of its polynomials satisfy the original form and also can be written into multiples of each other. The following Algorithm 7 explains the key generation of weak UOV signature scheme by DSFM1.

Algorithm 7 Key Generation of Weak UOV Signature Scheme by DSFM1

Input: Integers o and v such that $v>o$ and $n=o+v$. Let $V=1,\dots ,v$ and $O=v+1,\dots ,n.$ Let $x_1,\dots ,x_v$ be the Vinegar variables and $x_{v+1},\dots ,x_n$ be the Oil variables. Output: Public key $\mathcal{P}$ in the form of $p^{\left(j\right)}=k_j{p}^{\left(1\right)}$ for $j=2,\dots ,o.$ Choose a random invertible affine map $\mathcal{T}:{\mathbb{F}}^n\to {\mathbb{F}}^n$. Choose a random polynomial $f^{\left(1\right)}$ of the form $$\begin{array}{c}\hfill f^{\left(1\right)}=\sum _{a,b\in V}{\alpha }_{a,b}^{\left(1\right)}{x}_a{x}_b+\sum _{a\in V,b\in O}{\beta }_{a,b}^{\left(1\right)}{x}_a{x}_b+\sum _{a\in V\cup O}{\gamma }_a^{\left(1\right)}{x}_a+{\delta }^{\left(1\right)}\end{array}$$ and for $j=2,\dots ,m$ compute $f^{\left(j\right)}=k_j{f}^{\left(1\right)}$ where $k_j\in {\mathbb{Z}}_q$. Set the central map $\mathcal{F}=(f^{\left(1\right)},\dots ,f^{\left(o\right)}):{\mathbb{F}}^n\to {\mathbb{F}}^o$. Compute $\mathcal{P}=\mathcal{F}\circ \mathcal{T}$. The system $\mathcal{P}=(p^{\left(1\right)},\dots ,p^{\left(o\right)})$ consists of o quadratic polynomials in n variables.

To pass through the verification, the vectors in $\mathbf{w}$ must be multiple to each other, otherwise the verification fails. This is because, the polynomials in public key system $\mathcal{P}$ and the central map $\mathcal{F}$ are of the form $p^{\left(j\right)}=k_j{p}^{\left(1\right)}$ and $f^{\left(j\right)}=k_j{f}^{\left(1\right)}$, respectively. The following Algorithm 8 explains the signature generation of weak UOV signature scheme by DSFM1.

Algorithm 8 Signature Generation of Weak UOV Signature Scheme by DSFM1

Input: Document d Output: Signature z Compute $\mathbf{w}=\mathcal{H}\left(d\right)\in {\mathbb{F}}^o$ such that $w_j=k_j{w}_1$$(j=2,\dots ,o)$. Find a pre-image $\mathbf{y}\in {\mathbb{F}}^n$ of w under the central map $\mathcal{F}$. Choose random values for the Vinegar variables $y_1,\dots ,y_v$ and substitute them into the polynomials $f^{\left(1\right)},\dots ,f^{\left(o\right)}$. Choose the resulting linear system of o equations in the o Oil variables $y_{v+1},\dots ,y_n$ by Gaussian elimination. If the system does not have a solution, choose other values for the vinegar variables $x_1,\dots ,x_v$ and try again. Compute the signature $\mathbf{z}\in {\mathbb{F}}^n$ by $\mathbf{z}={\mathcal{T}}^{-1}(\mathbf{y})$.

The signature verification of the UOV signature scheme generated by DSFM1 as in Algorithm 9 below works the same as the original UOV.

Algorithm 9 Signature Verification of Weak UOV Signature Scheme by DSFM1

Input: Public key $\mathcal{P}$, document d and signature z Output: Accept or reject signature Compute $\mathbf{w}=\mathcal{H}\left(d\right)\in {\mathbb{F}}^o$ Compute ${\mathbf{w}}^{\prime }=\mathcal{P}\left(\mathbf{z}\right)$ If ${\mathbf{w}}^{\prime }=\mathbf{w}$ holds, the signature z is accepted, otherwise rejected.

In the following example, we illustrate the generation of a weak UOV scheme via the DSFM1 methodology as well as the signing and verification process. The example below shows that a weak UOV scheme can still be used by a user without suspicion since the constants seem randomized and the signing and verification work as normal.

Example 1.

We will discuss key generation, signing and verification on $\mathbb{F}=GF\left(7\right)$.

Key Generation: We choose $(o,v)=(3,5)$, which will lead to a public key of 3 quadratic equations in 8 variables. The private key consists of the affine map $\mathcal{T}:{\mathbb{F}}^8\to {\mathbb{F}}^8$.

$$\mathcal{T}(x_1,\dots ,x_8)=\left(\begin{array}{cccccccc}2& 1& 5& 3& 1& 0& 3& 2\\ 4& 4& 1& 6& 2& 1& 4& 2\\ 3& 5& 3& 2& 1& 6& 4& 0\\ 5& 5& 3& 5& 6& 2& 3& 4\\ 1& 0& 1& 2& 4& 2& 5& 5\\ 3& 1& 1& 5& 1& 0& 6& 2\\ 1& 1& 2& 1& 6& 5& 2& 3\\ 0& 3& 4& 1& 6& 5& 6& 1\end{array}\right)\left(\begin{array}{c}{x}_1\\ x_2\\ x_3\\ x_4\\ x_5\\ x_6\\ x_7\\ x_8\end{array}\right)+\left(\begin{array}{c}1\\ 0\\ 4\\ 3\\ 6\\ 5\\ 4\\ 2\end{array}\right)$$

and the central map $\mathcal{F}:{\mathbb{F}}^8\to {\mathbb{F}}^3$ is given by polynomials

$$\begin{array}{cc}\hfill f^{\left(1\right)}=& x_1^2+x_1{x}_2+3x_1{x}_3+2x_1{x}_4+6x_1{x}_5+4x_1{x}_6+2x_1{x}_7+5x_1{x}_8+3x_2^2+x_2{x}_3+5x_2{x}_4\hfill \\ & +x_2{x}_6+3x_2{x}_7+3x_2{x}_8+4x_3{x}_4+6x_3{x}_6+2x_3{x}_7+5x_3{x}_8+4x_4{x}_5+5x_4{x}_6+3x_4{x}_7\hfill \\ & +2x_4{x}_8+3x_2+6x_3+3x_4+5x_5+6x_6+2x_7+2x_8+4\hfill \\ \hfill f^{\left(2\right)}=& 2f^{\left(1\right)}\left(mod7\right)\hfill \\ \hfill =& 2x_1^2+2x_1{x}_2+6x_1{x}_3+4x_1{x}_4+5x_1{x}_5+x_1{x}_6+4x_1{x}_7+3x_1{x}_8+6x_2^2+2x_2{x}_3+3x_2{x}_4\hfill \\ & +2x_2{x}_6+6x_2{x}_7+6x_2{x}_8+x_3{x}_4+5x_3{x}_6+4x_3{x}_7+3x_3{x}_8+x_4{x}_5+3x_4{x}_6+6x_4{x}_7\hfill \\ & +4x_4{x}_8+6x_2+5x_3+6x_4+3x_5+5x_6+4x_7+4x_8+1\hfill \\ \hfill f^{\left(3\right)}=& 5f^{\left(1\right)}\left(mod7\right)\hfill \\ \hfill =& 5x_1^2+5x_1{x}_2+x_1{x}_3+3x_1{x}_4+2x_1{x}_5+6x_1{x}_6+3x_1{x}_7+4x_1{x}_8+x_2^2+5x_2{x}_3+4x_2{x}_4\hfill \\ & +5x_2{x}_6+x_2{x}_7+x_2{x}_8+6x_3{x}_4+2x_3{x}_6+3x_3{x}_7+4x_3{x}_8+6x_4{x}_5+4x_4{x}_6+x_4{x}_7\hfill \\ & +3x_4{x}_8+x_2+2x_3+x_4+4x_5+2x_6+3x_7+3x_8+6\hfill \end{array}$$

We compute the public key $\mathcal{P}=(p^{\left(1\right)},p^{\left(2\right)},p^{\left(3\right)}):{\mathbb{F}}^8\to {\mathbb{F}}^3$ by $\mathcal{P}=\mathcal{F}\circ \mathcal{T}$, which results in

$$\begin{array}{cc}\hfill p^{\left(1\right)}=& 3x_1{x}_2+2x_1{x}_3+5x_1{x}_4+6x_1{x}_5+x_1{x}_6+5x_1{x}_7+6x_1{x}_8+3x_2^2+6x_2{x}_3+2x_2{x}_4+6x_2{x}_5\hfill \\ & +6x_3^2+5x_3{x}_4+x_3{x}_5+6x_3{x}_6+6x_3{x}_8+6x_4^2+4x_4{x}_6+6x_4{x}_8+5x_5^2+2x_5{x}_6+4x_5{x}_7\hfill \\ & +2x_5{x}_8+2x_6^2+x_6{x}_7+5x_6{x}_8+2x_7^2+3x_7{x}_8+2x_8^2+3x_1+4x_2+2x_3+x_4+4x_5+3x_6\hfill \\ & +4x_7+2x_8\hfill \\ \hfill p^{\left(2\right)}=& 6x_1{x}_2+4x_1{x}_3+3x_1{x}_4+5x_1{x}_5+2x_1{x}_6+3x_1{x}_7+5x_1{x}_8+6x_2^2+5x_2{x}_3+4x_2{x}_4+5x_2{x}_5\hfill \\ & +5x_3^2+3x_3{x}_4+2x_3{x}_5+5x_3{x}_6+5x_3{x}_8+5x_4^2+x_4{x}_6+5x_4{x}_8+3x_5^2+4x_5{x}_6+x_5{x}_7\hfill \\ & +4x_5{x}_8+4x_6^2+2x_6{x}_7+3x_6{x}_8+4x_7^2+6x_7{x}_8+4x_8^2+6x_1+x_2+4x_3+2x_4+x_5+6x_6\hfill \\ & +x_7+4x_8\hfill \\ \hfill p^{\left(3\right)}=& x_1{x}_2+3x_1{x}_3+4x_1{x}_4+2x_1{x}_5+5x_1{x}_6+4x_1{x}_7+2x_1{x}_8+x_2^2+2x_2{x}_3+3x_2{x}_4+2x_2{x}_5\hfill \\ & +2x_3^2+4x_3{x}_4+5x_3{x}_5+2x_3{x}_6+2x_3{x}_8+2x_4^2+6x_4{x}_6+2x_4{x}_8+4x_5^2+3x_5{x}_6+6x_5{x}_7\hfill \\ & +3x_5{x}_8+3x_6^2+5x_6{x}_7+4x_6{x}_8+3x_7^2+x_7{x}_8+3x_8^2+x_1+6x_2+3x_3+5x_4+6x_5+x_6\hfill \\ & +6x_7+3x_8.\hfill \end{array}$$

Signature Generation: In order to generate a signature for the message $\mathbf{w}=(3,6,1)$, we first need to compute $\mathbf{y}={\mathcal{F}}^{-1}\left(\mathbf{w}\right).$ We choose random values for the Vinegar variables $(x_1,x_2,x_3,x_4,x_5)=(3,3,6,1,2)$ and substitute them into the polynomials $f^{\left(1\right)},f^{\left(2\right)}$ and $f^{\left(3\right)}$. Thus, we obtain a linear system in the Oil variables $x_6,x_7$ and $x_8$ of the form

$$\begin{array}{cc}\hfill {\overline{f}}^{\left(1\right)}=& 6x_6+4x_7+2x_8+6\hfill \\ \hfill {\overline{f}}^{\left(2\right)}=& 5x_6+x_7+4x_8+4\hfill \\ \hfill {\overline{f}}^{\left(3\right)}=& 2x_6+6x_7+3x_8+3.\hfill \end{array}$$

By Gaussian elimination, this system has the solution $(x_6,x_7,x_8)=(0,4,3)$. Attaching the Vinegar variables yields

$$\begin{array}{c}\hfill \mathbf{y}={\mathcal{F}}^{-1}\left(\mathbf{w}\right)=(3,3,6,1,2,0,4,3).\end{array}$$

Finally, we compute

$$\begin{array}{c}\hfill \mathbf{z}={\mathcal{T}}^{-1}\left(\mathbf{y}\right)=(5,5,3,2,5,4,1,0)\end{array}$$

to obtain a signature $\mathbf{z}\in {\mathbb{F}}^8$ for the messagew.

Signature Verification: In order to check ifzis indeed a valid signature for the messagew, we compute

$$\begin{array}{c}\hfill {\mathbf{w}}^{\prime }=\mathcal{P}\left(\mathbf{z}\right)=(3,6,1).\end{array}$$

Since ${\mathbf{w}}^{\prime }=\mathbf{w}$ holds, the signature is accepted.

5.1.1. A Weakened DSFM1 UOV Signature Scheme Forgery Methodology

The algorithm to forge the signature of a weak UOV scheme by DSFM1 is described in Algorithm 10 as below.

Algorithm 10 Forgery of Weakened DSFM1 UOV Signature Scheme

Input: Public key $\mathcal{P}$, document d Output: Signature z’ such that $\mathcal{P}{\left(\mathbf{z}\right)}^{\prime }={\mathbf{w}}^{\prime }=\mathbf{w}$ Solve $p^{\left(1\right)}\left(x\right)=0$ and obtain ${\mathbf{z}}^{\prime }=(z_1,\dots ,z_o)$.

Since $p^{\left(j\right)}=k_j{p}^{\left(1\right)}$, solving one of the polynomials would solve the whole system $\mathcal{P}$.

In the following example, we show how an impersonator successfully forge the signature of a weakened DSFM1 UOV scheme.

Example 2.

Given the public key $\mathcal{P}=(p^{\left(1\right)},p^{\left(2\right)},p^{\left(3\right)})$ of a weakened DSFM1 UOV scheme as in Example 1:

$$\begin{array}{cc}\hfill p^{\left(1\right)}=& 3x_1{x}_2+2x_1{x}_3+5x_1{x}_4+6x_1{x}_5+x_1{x}_6+5x_1{x}_7+6x_1{x}_8+3x_2^2+6x_2{x}_3+2x_2{x}_4+6x_2{x}_5\hfill \\ & +6x_3^2+5x_3{x}_4+x_3{x}_5+6x_3{x}_6+6x_3{x}_8+6x_4^2+4x_4{x}_6+6x_4{x}_8+5x_5^2+2x_5{x}_6+4x_5{x}_7\hfill \\ & +2x_5{x}_8+2x_6^2+x_6{x}_7+5x_6{x}_8+2x_7^2+3x_7{x}_8+2x_8^2+3x_1+4x_2+2x_3+x_4+4x_5+3x_6\hfill \\ & +4x_7+2x_8\hfill \\ \hfill p^{\left(2\right)}=& 6x_1{x}_2+4x_1{x}_3+3x_1{x}_4+5x_1{x}_5+2x_1{x}_6+3x_1{x}_7+5x_1{x}_8+6x_2^2+5x_2{x}_3+4x_2{x}_4+5x_2{x}_5\hfill \\ & +5x_3^2+3x_3{x}_4+2x_3{x}_5+5x_3{x}_6+5x_3{x}_8+5x_4^2+x_4{x}_6+5x_4{x}_8+3x_5^2+4x_5{x}_6+x_5{x}_7\hfill \\ & +4x_5{x}_8+4x_6^2+2x_6{x}_7+3x_6{x}_8+4x_7^2+6x_7{x}_8+4x_8^2+6x_1+x_2+4x_3+2x_4+x_5+6x_6\hfill \\ & +x_7+4x_8\hfill \\ \hfill p^{\left(3\right)}=& x_1{x}_2+3x_1{x}_3+4x_1{x}_4+2x_1{x}_5+5x_1{x}_6+4x_1{x}_7+2x_1{x}_8+x_2^2+2x_2{x}_3+3x_2{x}_4+2x_2{x}_5\hfill \\ & +2x_3^2+4x_3{x}_4+5x_3{x}_5+2x_3{x}_6+2x_3{x}_8+2x_4^2+6x_4{x}_6+2x_4{x}_8+4x_5^2+3x_5{x}_6+6x_5{x}_7\hfill \\ & +3x_5{x}_8+3x_6^2+5x_6{x}_7+4x_6{x}_8+3x_7^2+x_7{x}_8+3x_8^2+x_1+6x_2+3x_3+5x_4+6x_5+x_6\hfill \\ & +6x_7+3x_8.\hfill \end{array}$$

Letw$=(3,6,1)$. The impersonator computes ${\overline{p}}^{\left(i\right)}=p^{\left(i\right)}-w_i\left(mod7\right)$ where $i=1,2,3$. Then, to solve ${\overline{p}}^{\left(1\right)}\left(x\right)=0$, he chooses random variables $(x_1,x_2,x_3,x_4,x_5,x_6,x_7)=(4,5,2,5,4,3,3)$ and substitutes them into ${\overline{p}}^{\left(1\right)}$ which results a quadratic equation with one variable

$$\begin{array}{c}\hfill 2x_8^2+2x_8+3=0.\end{array}$$

Since this equation has two solutions $x_8=1$ and 5 hence the solution for $p^{\left(1\right)}$ are $(4,5,2,5,4,3,3,1)$ and $(4,5,2,5,4,3,3,5)$. These solutions are also the solutions to $p^{\left(2\right)}$ and $p^{\left(3\right)}$, which implies $\mathcal{P}\left({\mathbf{z}}^{\prime }\right)=\mathbf{w}$ where ${\mathbf{z}}^{\prime }=(4,5,2,5,4,3,3,1)$ or ${\mathbf{z}}^{\prime }=(4,5,2,5,4,3,3,5)$ are the forged signatures. Indeed both ${\mathbf{z}}^{\prime }\ne \mathbf{z}=(5,5,3,2,5,4,1,0).$

5.1.2. Identifying a Weakened DSFM1 UOV Scheme

We can directly use Algorithm 3 to identify a weakened DSFM1 UOV scheme.

Example 3.

Given the public key $\mathcal{P}=(p^{\left(1\right)},p^{\left(2\right)},p^{\left(3\right)})$ of a weakened DSFM1 UOV scheme as in Example 1:

$$\begin{array}{cc}\hfill p^{\left(1\right)}=& 3x_1{x}_2+2x_1{x}_3+5x_1{x}_4+6x_1{x}_5+x_1{x}_6+5x_1{x}_7+6x_1{x}_8+3x_2^2+6x_2{x}_3+2x_2{x}_4+6x_2{x}_5\hfill \\ & +6x_3^2+5x_3{x}_4+x_3{x}_5+6x_3{x}_6+6x_3{x}_8+6x_4^2+4x_4{x}_6+6x_4{x}_8+5x_5^2+2x_5{x}_6+4x_5{x}_7\hfill \\ & +2x_5{x}_8+2x_6^2+x_6{x}_7+5x_6{x}_8+2x_7^2+3x_7{x}_8+2x_8^2+3x_1+4x_2+2x_3+x_4+4x_5+3x_6\hfill \\ & +4x_7+2x_8\hfill \\ \hfill p^{\left(2\right)}=& 6x_1{x}_2+4x_1{x}_3+3x_1{x}_4+5x_1{x}_5+2x_1{x}_6+3x_1{x}_7+5x_1{x}_8+6x_2^2+5x_2{x}_3+4x_2{x}_4+5x_2{x}_5\hfill \\ & +5x_3^2+3x_3{x}_4+2x_3{x}_5+5x_3{x}_6+5x_3{x}_8+5x_4^2+x_4{x}_6+5x_4{x}_8+3x_5^2+4x_5{x}_6+x_5{x}_7\hfill \\ & +4x_5{x}_8+4x_6^2+2x_6{x}_7+3x_6{x}_8+4x_7^2+6x_7{x}_8+4x_8^2+6x_1+x_2+4x_3+2x_4+x_5+6x_6\hfill \\ & +x_7+4x_8\hfill \\ \hfill p^{\left(3\right)}=& x_1{x}_2+3x_1{x}_3+4x_1{x}_4+2x_1{x}_5+5x_1{x}_6+4x_1{x}_7+2x_1{x}_8+x_2^2+2x_2{x}_3+3x_2{x}_4+2x_2{x}_5\hfill \\ & +2x_3^2+4x_3{x}_4+5x_3{x}_5+2x_3{x}_6+2x_3{x}_8+2x_4^2+6x_4{x}_6+2x_4{x}_8+4x_5^2+3x_5{x}_6+6x_5{x}_7\hfill \\ & +3x_5{x}_8+3x_6^2+5x_6{x}_7+4x_6{x}_8+3x_7^2+x_7{x}_8+3x_8^2+x_1+6x_2+3x_3+5x_4+6x_5+x_6\hfill \\ & +6x_7+3x_8.\hfill \end{array}$$

To identify $\mathcal{P}$ is a forgeable system, we choose one coefficient from $p^{\left(1\right)},p^{\left(2\right)}$ and $p^{\left(3\right)}$ and compute

$$\begin{array}{c}\hfill k_2=6\times 3^{-1}(\mathrm{mod} 7)=2\\ \hfill k_3=1\times 3^{-1}(\mathrm{mod} 7)=5.\end{array}$$

Since

$$\begin{array}{c}\hfill p^{\left(2\right)}=2\times p^{\left(1\right)}(\mathrm{mod} 7)\\ \hfill p^{\left(3\right)}=5\times p^{\left(1\right)}(\mathrm{mod} 7)\end{array}$$

is true, we have successfully identified that $\mathcal{P}$ is a forgeable system.

5.2. Generating Weak UOV Signature Scheme by DSFM2

From DSFM2, we put forward an algorithm to generate a weak UOV public key. In other words, we set up the UOV public key, which is $\mathcal{P}$, where all its polynomials satisfy the original form and also can be written into summation of two polynomials from the same system. The following Algorithm 11 explains the key generation of weak UOV signature scheme by DSFM2.

Algorithm 11 Key Generation of Weak UOV Signature Scheme by DSFM2

Input: Integers o and v such that $v>o$ and $n=o+v$. Let $V=1,\dots ,v$ and $O=v+1,\dots ,n.$ Let $x_1,\dots ,x_v$ be the Vinegar variables and $x_{v+1},\dots ,x_n$ be the Oil variables. Output: Public key $\mathcal{P}$ in the form of $p^{\left(j\right)}=p^{\left(i\right)}+p^{\left(k\right)}$ for $j=3,\dots ,o$, $i=1,\dots ,j-1$ and $k=1,\dots ,j-1$. Choose a random invertible affine map $\mathcal{T}:{\mathbb{F}}^n\to {\mathbb{F}}^n$. Choose a random polynomial $f^{\left(1\right)}\left(x\right)=0$ and $f^{\left(2\right)}\left(x\right)=0$ of the form $$\begin{array}{c}\hfill f^{(1,2)}=\sum _{a,b\in V}{\alpha }_{a,b}^{(1,2)}{x}_a{x}_b+\sum _{a\in V,b\in O}{\beta }_{a,b}^{(1,2)}{x}_a{x}_b+\sum _{a\in V\cup O}{\gamma }_a^{(1,2)}{x}_a+{\delta }^{(1,2)}.\end{array}$$ For $j=3,\dots ,o$ compute $f^{\left(j\right)}=f^{\left(i\right)}+f^{\left(k\right)}$ where $i=1,\dots ,j-1$ and $k=1,\dots ,j-1$. Set the central map $\mathcal{F}=(f^{\left(1\right)},\dots ,f^{\left(o\right)}):{\mathbb{F}}^n\to {\mathbb{F}}^o$. Compute $\mathcal{P}=\mathcal{F}\circ \mathcal{T}$. The system $\mathcal{P}$ consists of o quadratic polynomials in n variables.

To pass through the verification, the vectors in $\mathbf{w}$ must be of the form $w_j=w_i+w_k$, otherwise the verification fails. This is because, the polynomials in public key system $\mathcal{P}$ and the central map $\mathcal{F}$ are of the form $p^{\left(j\right)}=p^{\left(i\right)}+p^{\left(k\right)}$ and $f^{\left(j\right)}=f^{\left(i\right)}+f^{\left(k\right)}$, respectively. The following Algorithm 12 explains the signature generation of weak UOV signature scheme by DSFM2.

Algorithm 12 Signature Generation of Weak UOV Signature Scheme by DSFM2

Input: Document d Output: Signature z Compute $\mathbf{w}=\mathcal{H}\left(d\right)\in {\mathbb{F}}^o$ such that $w_j=w_i+w_k$ for $j=3,\dots ,o$, $i=1,\dots ,j-1$, $k=1,\dots ,j-1$. Find a pre-image $\mathbf{y}\in {\mathbb{F}}^n$ of w under the central map $\mathcal{F}$. Choose random values for the Vinegar variables $y_1,\dots ,y_v$ and substitute them into the polynomials $f^{\left(1\right)},\dots ,f^{\left(o\right)}$. Choose the resulting linear system of o equations in the o Oil variables $y_{v+1},\dots ,y_n$ by Gaussian elimination. If the system does not have a solution, choose other values for the vinegar variables $x_1,\dots ,x_v$ and try again. Compute the signature $\mathbf{z}\in {\mathbb{F}}^n$ by $\mathbf{z}={\mathcal{T}}^{-1}(\mathbf{y})$.

The signature verification of the UOV signature scheme generated by DSFM1 as in Algorithm 13 below works the same as the original UOV.

Algorithm 13 Signature Verification of Weak UOV Signature Scheme by DSFM2

Input: Public key $\mathcal{P}$, document d and signature z Output: Accept or reject signature Compute $\mathbf{w}=\mathcal{H}\left(d\right)\in {\mathbb{F}}^o$. Compute ${\mathbf{w}}^{\prime }=\mathcal{P}\left(\mathbf{x}\right)$. If ${\mathbf{w}}^{\prime }=\mathbf{w}$ holds, the signature z is accepted, otherwise rejected.

In the following example, we illustrate the generation of a weak UOV scheme via the DSFM2 methodology as well as the signing and verification process. The example below shows that a weak UOV scheme can still be used by a user without suspicion since the constants seem randomized and the signing and verification work as normal.

Example 4.

We will discuss key generation, signing and verification on $\mathbb{F}=GF\left(7\right)$.

Key Generation: We choose $\mathbb{F}=GF\left(7\right)$, and $(o,v)=(3,5)$, which will lead to a public key of 3 quadratic equations in 8 variables. The private key consists of the affine map $\mathcal{T}:{\mathbb{F}}^8\to {\mathbb{F}}^8$.

$$\mathcal{T}(x_1,\dots ,x_8)=\left(\begin{array}{cccccccc}2& 1& 5& 3& 1& 0& 3& 2\\ 4& 4& 1& 6& 2& 1& 4& 2\\ 3& 5& 3& 2& 1& 6& 4& 0\\ 5& 5& 3& 5& 6& 2& 3& 4\\ 1& 0& 1& 2& 4& 2& 5& 5\\ 3& 1& 1& 5& 1& 0& 6& 2\\ 1& 1& 2& 1& 6& 5& 2& 3\\ 0& 3& 4& 1& 6& 5& 6& 1\end{array}\right)\left(\begin{array}{c}{x}_1\\ x_2\\ x_3\\ x_4\\ x_5\\ x_6\\ x_7\\ x_8\end{array}\right)+\left(\begin{array}{c}1\\ 0\\ 4\\ 3\\ 6\\ 5\\ 4\\ 2\end{array}\right)$$

and the central map $\mathcal{F}:{\mathbb{F}}^8\to {\mathbb{F}}^3$ is given by polynomials

$$\begin{array}{cc}\hfill f^{\left(1\right)}=& x_1^2+x_1{x}_2+3x_1{x}_3+2x_1{x}_4+6x_1{x}_5+4x_1{x}_6+2x_1{x}_7+5x_1{x}_8+3x_2^2+x_2{x}_3+5x_2{x}_4\hfill \\ & +x_2{x}_6+3x_2{x}_7+3x_2{x}_8+4x_3{x}_4+6x_3{x}_6+2x_3{x}_7+5x_3{x}_8+4x_4{x}_5+5x_4{x}_6+3x_4{x}_7\hfill \\ & +2x_4{x}_8+3x_2+6x_3+3x_4+5x_5+6x_6+2x_7+2x_8+4\hfill \\ \hfill f^{\left(2\right)}=& 2x_1^2+5x_1{x}_3+2x_1{x}_4+4x_1{x}_5+6x_1{x}_6+5x_1{x}_7+3x_1{x}_8+4x_2^2+x_2{x}_3+2x_2{x}_5+5x_2{x}_6\hfill \\ & +4x_2{x}_7+5x_2{x}_8+2x_3^2+3x_3{x}_4+6x_3{x}_6+x_3{x}_7+5x_3{x}_8+2x_4{x}_5+x_4{x}_6+x_4{x}_7+2x_4{x}_8\hfill \\ & +x_1+x_3+6x_4+2x_5+4x_6+6x_7+2x_8+6\hfill \\ \hfill f^{\left(3\right)}=& f^{\left(1\right)}+f^{\left(2\right)}=3x_1^2+x_1{x}_2+x_1{x}_3+4x_1{x}_4+3x_1{x}_5+3x_1{x}_6+x_1{x}_8+2x_2{x}_3+5x_2{x}_4\hfill \\ & +2x_2{x}_5+6x_2{x}_6+x_2{x}_8+2x_3^2+5x_3{x}_6+3x_3{x}_7+3x_3{x}_8+6x_4{x}_5+6x_4{x}_6+4x_4{x}_7\hfill \\ & +4x_4{x}_8+x_1+3x_2+2x_4+3x_6+x_7+4x_8+3\hfill \\ \hfill f^{\left(4\right)}=& f^{\left(2\right)}+f^{\left(3\right)}=5x_1^2+x_1{x}_2+6x_1{x}_3+6x_1{x}_4+2x_1{x}_6+5x_1{x}_7+4x_1{x}_8+4x_2^2+3x_2{x}_3\hfill \\ & +5x_2{x}_4+4x_2{x}_5+4x_2{x}_6+4x_2{x}_7+6x_2{x}_8+4x_3^2+3x_3{x}_4+4x_3{x}_6+4x_3{x}_7+x_3{x}_8\hfill \\ & +x_4{x}_5+5x_4{x}_7+6x_4{x}_8+2x_1+3x_2+x_3+x_4+2x_5+6x_8+2\hfill \end{array}$$

We compute the public key $\mathcal{P}=(p^{\left(1\right)},p^{\left(2\right)},p^{\left(3\right)}):{\mathbb{F}}^8\to {\mathbb{F}}^3$ by $\mathcal{P}=\mathcal{F}\circ \mathcal{T}$, which results in

$$\begin{array}{cc}\hfill p^{\left(1\right)}=& 3x_1{x}_2+2x_1{x}_3+5x_1{x}_4+6x_1{x}_5+x_1{x}_6+5x_1{x}_7+6x_1{x}_8+3x_2^2+6x_2{x}_3+2x_2{x}_4+6x_2{x}_5\hfill \\ & +6x_3^2+5x_3{x}_4+x_3{x}_5+6x_3{x}_6+6x_3{x}_8+6x_4^2+4x_4{x}_6+6x_4{x}_8+5x_5^2+2x_5{x}_6+4x_5{x}_7\hfill \\ & +2x_5{x}_8+2x_6^2+x_6{x}_7+5x_6{x}_8+2x_7^2+3x_7{x}_8+2x_8^2+3x_1+4x_2+2x_3+x_4+4x_5+3x_6\hfill \\ & +4x_7+2x_8\hfill \\ \hfill p^{\left(2\right)}=& 2x_1^2+4x_1{x}_2+x_1{x}_3+2x_1{x}_4+2x_1{x}_7+x_1{x}_8+x_2^2+5x_2{x}_3+6x_2{x}_4+2x_2{x}_5+2x_2{x}_6+x_2{x}_7\hfill \\ & +2x_2{x}_8+6x_3{x}_4+6x_3{x}_5+2x_3{x}_6+2x_3{x}_7+x_3{x}_8+5x_4{x}_6+3x_4{x}_7+x_4{x}_8+3x_5^2+3x_5{x}_6\hfill \\ & +3x_5{x}_8+6x_6{x}_7+6x_6{x}_8+x_7^2+x_7{x}_8+2x_8^2+3x_1+x_3+3x_4+3x_5+x_6+6x_8+5\hfill \\ \hfill p^{\left(3\right)}=& 2x_1^2+3x_1{x}_3+6x_1{x}_5+x_1{x}_6+4x_2^2+4x_2{x}_3+x_2{x}_4+x_2{x}_5+2x_2{x}_6+x_2{x}_7+2x_2{x}_8+6x_3^2\hfill \\ & +4x_3{x}_4+x_3{x}_6+2x_3{x}_7+6x_4^2+2x_4{x}_6+3x_4{x}_7+x_5^2+5x_5{x}_6+4x_5{x}_7+5x_5{x}_8+2x_6^2\hfill \\ & +4x_6{x}_8+3x_7^2+4x_7{x}_8+4x_8^2+6x_1+4x_2+3x_3+4x_4+4x_6+4x_7+x_8+5\hfill \\ \hfill p^{\left(4\right)}=& 4x_1^2+4x_1{x}_2+4x_1{x}_3+2x_1{x}_4+6x_1{x}_5+x_1{x}_6+2x_1{x}_7+x_1{x}_8+5x_2^2+2x_2{x}_3+3x_2{x}_5\hfill \\ & +4x_2{x}_6+2x_2{x}_7+4x_2{x}_8+6x_3^2+3x_3{x}_4+6x_3{x}_5+3x_3{x}_6+4x_3{x}_7+x_3{x}_8+6x_4^2+6x_4{x}_7\hfill \\ & +x_4{x}_8+4x_5^2+x_5{x}_6+4x_5{x}_7+x_5{x}_8+2x_6^2+6x_6{x}_7+3x_6{x}_8+4x_7^2+5x_7{x}_8+6x_8^2+2x_1\hfill \\ & +4x_2+4x_3+3x_5+5x_6+4x_7+3\hfill \end{array}$$

Signature Generation: In order to generate a signature for the message $\mathbf{w}=(2,2,4,6)$, we first need to compute $\mathbf{y}={\mathcal{F}}^{-1}\left(\mathbf{w}\right).$ We choose random values for the Vinegar variables $(x_1,x_2,x_3,x_4,x_5)=(5,1,6,1,1)$ and substitute them into the polynomials $f^{\left(1\right)},f^{\left(2\right)}$,$f^{\left(3\right)}$ and $f^{\left(4\right)}$. Thus, we obtain a linear system in the Oil variables $x_6,x_7$ and $x_8$ of the form

$$\begin{array}{cc}\hfill {\overline{f}}^{\left(1\right)}=& 5x_6+2x_7+6x_8+1\hfill \\ \hfill {\overline{f}}^{\left(2\right)}=& 6x_6+5x_8+2\hfill \\ \hfill {\overline{f}}^{\left(3\right)}=& 4x_6+2x_7+4x_8+3\hfill \\ \hfill {\overline{f}}^{\left(3\right)}=& 3x_6+2x_7+3x_8+5.\hfill \end{array}$$

By Gaussian elimination, this system has the solution $(x_6,x_7,x_8)=(1,3,3)$. Attaching the Vinegar variables yields

$$\begin{array}{c}\hfill \mathbf{y}={\mathcal{F}}^{-1}\left(\mathbf{w}\right)=(5,1,6,1,1,1,3,3).\end{array}$$

Finally, we compute

$$\begin{array}{c}\hfill \mathbf{z}={\mathcal{T}}^{-1}\left(\mathbf{y}\right)=(4,5,6,0,1,0,4,2)\end{array}$$

to obtain a signature $\mathbf{z}\in {\mathbb{F}}^8$ for the messagew.

Signature Verification: In order to check ifzis indeed a valid signature for the messagew, we compute

$$\begin{array}{c}\hfill {\mathbf{w}}^{\prime }=\mathcal{P}\left(\mathbf{z}\right)=(2,2,4,6).\end{array}$$

Since ${\mathbf{w}}^{\prime }=\mathbf{w}$ holds, the signature is accepted.

5.2.1. A Weakened DSFM2 UOV Signature Scheme Forgery Methodology

The algorithm to forge the signature of a weak UOV scheme by DSFM2 is described in Algorithm 14 as below.

Algorithm 14 Forgery of Weakened DSFM2 UOV Signature Scheme

Input: Public key $\mathcal{P}$, document d Output: Signature z’ such that $\mathcal{P}{\left(\mathbf{z}\right)}^{\prime }={\mathbf{w}}^{\prime }=\mathbf{w}$ Solve $p^{\left(i\right)}\left(x\right)=0$ and $p^{\left(k\right)}\left(x\right)=0$ where $p^{\left(j\right)}=p^{\left(i\right)}+p^{\left(k\right)}$, and obtain ${\mathbf{z}}^{\prime }=z_1,\dots ,z_o$.

Since $p^{\left(j\right)}=p^{\left(i\right)}+p^{\left(k\right)}$, solving the two polynomials $p^{\left(i\right)}$ and $p^{\left(k\right)}$ would solve the whole system $\mathcal{P}$.

In the following example, we show how an impersonator successfully forge the signature of a weakened DSFM2 UOV scheme.

Example 5.

Given the public key $\mathcal{P}=(p^{\left(1\right)},p^{\left(2\right)},p^{\left(3\right)},p\left(4\right))$ of a weakened DSFM2 UOV scheme as in Example 4:

$$\begin{array}{cc}\hfill p^{\left(1\right)}=& 3x_1{x}_2+2x_1{x}_3+5x_1{x}_4+6x_1{x}_5+x_1{x}_6+5x_1{x}_7+6x_1{x}_8+3x_2^2+6x_2{x}_3+2x_2{x}_4+6x_2{x}_5\hfill \\ & +6x_3^2+5x_3{x}_4+x_3{x}_5+6x_3{x}_6+6x_3{x}_8+6x_4^2+4x_4{x}_6+6x_4{x}_8+5x_5^2+2x_5{x}_6+4x_5{x}_7\hfill \\ & +2x_5{x}_8+2x_6^2+x_6{x}_7+5x_6{x}_8+2x_7^2+3x_7{x}_8+2x_8^2+3x_1+4x_2+2x_3+x_4+4x_5+3x_6\hfill \\ & +4x_7+2x_8\hfill \\ \hfill p^{\left(2\right)}=& 2x_1^2+4x_1{x}_2+x_1{x}_3+2x_1{x}_4+2x_1{x}_7+x_1{x}_8+x_2^2+5x_2{x}_3+6x_2{x}_4+2x_2{x}_5+2x_2{x}_6+x_2{x}_7\hfill \\ & +2x_2{x}_8+6x_3{x}_4+6x_3{x}_5+2x_3{x}_6+2x_3{x}_7+x_3{x}_8+5x_4{x}_6+3x_4{x}_7+x_4{x}_8+3x_5^2+3x_5{x}_6\hfill \\ & +3x_5{x}_8+6x_6{x}_7+6x_6{x}_8+x_7^2+x_7{x}_8+2x_8^2+3x_1+x_3+3x_4+3x_5+x_6+6x_8+5\hfill \end{array}$$

$$\begin{array}{cc}\hfill p^{\left(3\right)}=& 2x_1^2+3x_1{x}_3+6x_1{x}_5+x_1{x}_6+4x_2^2+4x_2{x}_3+x_2{x}_4+x_2{x}_5+2x_2{x}_6+x_2{x}_7+2x_2{x}_8+6x_3^2\hfill \\ & +4x_3{x}_4+x_3{x}_6+2x_3{x}_7+6x_4^2+2x_4{x}_6+3x_4{x}_7+x_5^2+5x_5{x}_6+4x_5{x}_7+5x_5{x}_8+2x_6^2\hfill \\ & +4x_6{x}_8+3x_7^2+4x_7{x}_8+4x_8^2+6x_1+4x_2+3x_3+4x_4+4x_6+4x_7+x_8+5\hfill \\ \hfill p^{\left(4\right)}=& 4x_1^2+4x_1{x}_2+4x_1{x}_3+2x_1{x}_4+6x_1{x}_5+x_1{x}_6+2x_1{x}_7+x_1{x}_8+5x_2^2+2x_2{x}_3+3x_2{x}_5\hfill \\ & +4x_2{x}_6+2x_2{x}_7+4x_2{x}_8+6x_3^2+3x_3{x}_4+6x_3{x}_5+3x_3{x}_6+4x_3{x}_7+x_3{x}_8+6x_4^2+6x_4{x}_7\hfill \\ & +x_4{x}_8+4x_5^2+x_5{x}_6+4x_5{x}_7+x_5{x}_8+2x_6^2+6x_6{x}_7+3x_6{x}_8+4x_7^2+5x_7{x}_8+6x_8^2+2x_1\hfill \\ & +4x_2+4x_3+3x_5+5x_6+4x_7+3\hfill \end{array}$$

Letw$=(2,2,4,6)$. The impersonator computes ${\overline{p}}^{\left(i\right)}=p^{\left(i\right)}-w_i\left(mod7\right)$ where $i=1,2,3,4$. Then, to solve ${\overline{p}}^{\left(1\right)}\left(x\right)=0$, he chooses random variables $(x_1,x_2,x_3,x_4,x_5,x_6,x_7)=(5,6,0,5,4,7,2)$ and substitutes them into ${\overline{p}}^{\left(1\right)}$ and ${\overline{p}}^{\left(2\right)}$ which results quadratic equations with one variable

$$\begin{array}{c}\hfill 2x_8^2+6x_8+4=0\\ \hfill 2x_8^2+6=0.\end{array}$$

Since these equations has a solution $x_8=5$ hence the solution for $p^{\left(1\right)}$ and $p^{\left(2\right)}$ are $(5,6,0,5,4,7,2,5)$. This solution is also the solution to $p^{\left(3\right)}$ and $p^{\left(4\right)}$, which implies $\mathcal{P}\left({\mathbf{z}}^{\prime }\right)=0$ where ${\mathbf{z}}^{\prime }=(5,6,0,5,4,7,2,5)$ is the forged signature. Indeed ${\mathbf{z}}^{\prime }\ne \mathbf{z}=(4,5,6,0,1,0,4,2).$

5.2.2. Identifying a Weakened DSFM2 UOV Scheme

We can directly use Algorithm 5 to identify a weakened DSFM2 UOV scheme.

Example 6.

Given the public key $\mathcal{P}=(p^{\left(1\right)},p^{\left(2\right)},p^{\left(3\right)},p^{\left(4\right)})$ of a weakened DSFM2 UOV scheme as in Example 4:

$$\begin{array}{cc}\hfill p^{\left(1\right)}=& 3x_1{x}_2+2x_1{x}_3+5x_1{x}_4+6x_1{x}_5+x_1{x}_6+5x_1{x}_7+6x_1{x}_8+3x_2^2+6x_2{x}_3+2x_2{x}_4+6x_2{x}_5\hfill \\ & +6x_3^2+5x_3{x}_4+x_3{x}_5+6x_3{x}_6+6x_3{x}_8+6x_4^2+4x_4{x}_6+6x_4{x}_8+5x_5^2+2x_5{x}_6+4x_5{x}_7\hfill \\ & +2x_5{x}_8+2x_6^2+x_6{x}_7+5x_6{x}_8+2x_7^2+3x_7{x}_8+2x_8^2+3x_1+4x_2+2x_3+x_4+4x_5+3x_6\hfill \\ & +4x_7+2x_8\hfill \\ \hfill p^{\left(2\right)}=& 2x_1^2+4x_1{x}_2+x_1{x}_3+2x_1{x}_4+2x_1{x}_7+x_1{x}_8+x_2^2+5x_2{x}_3+6x_2{x}_4+2x_2{x}_5+2x_2{x}_6+x_2{x}_7\hfill \\ & +2x_2{x}_8+6x_3{x}_4+6x_3{x}_5+2x_3{x}_6+2x_3{x}_7+x_3{x}_8+5x_4{x}_6+3x_4{x}_7+x_4{x}_8+3x_5^2+3x_5{x}_6\hfill \\ & +3x_5{x}_8+6x_6{x}_7+6x_6{x}_8+x_7^2+x_7{x}_8+2x_8^2+3x_1+x_3+3x_4+3x_5+x_6+6x_8+5\hfill \\ \hfill p^{\left(3\right)}=& 2x_1^2+3x_1{x}_3+6x_1{x}_5+x_1{x}_6+4x_2^2+4x_2{x}_3+x_2{x}_4+x_2{x}_5+2x_2{x}_6+x_2{x}_7+2x_2{x}_8+6x_3^2\hfill \\ & +4x_3{x}_4+x_3{x}_6+2x_3{x}_7+6x_4^2+2x_4{x}_6+3x_4{x}_7+x_5^2+5x_5{x}_6+4x_5{x}_7+5x_5{x}_8+2x_6^2\hfill \\ & +4x_6{x}_8+3x_7^2+4x_7{x}_8+4x_8^2+6x_1+4x_2+3x_3+4x_4+4x_6+4x_7+x_8+5\hfill \\ \hfill p^{\left(4\right)}=& 4x_1^2+4x_1{x}_2+4x_1{x}_3+2x_1{x}_4+6x_1{x}_5+x_1{x}_6+2x_1{x}_7+x_1{x}_8+5x_2^2+2x_2{x}_3+3x_2{x}_5\hfill \\ & +4x_2{x}_6+2x_2{x}_7+4x_2{x}_8+6x_3^2+3x_3{x}_4+6x_3{x}_5+3x_3{x}_6+4x_3{x}_7+x_3{x}_8+6x_4^2+6x_4{x}_7\hfill \\ & +x_4{x}_8+4x_5^2+x_5{x}_6+4x_5{x}_7+x_5{x}_8+2x_6^2+6x_6{x}_7+3x_6{x}_8+4x_7^2+5x_7{x}_8+6x_8^2+2x_1\hfill \\ & +4x_2+4x_3+3x_5+5x_6+4x_7+3\hfill \end{array}$$

To identify $\mathcal{P}$ is a forgeable system, we take two polynomials $p^{\left(1\right)}$ and $p^{\left(2\right)}$ and compute

$$\begin{array}{cc}\hfill p^{\left(1\right)}+p^{\left(2\right)}(\mathrm{mod} 7)=& 2x_1^2+4x_1{x}_2+x_1{x}_3+2x_1{x}_4+2x_1{x}_7+x_1{x}_8+x_2^2+5x_2{x}_3+6x_2{x}_4+2x_2{x}_5\hfill \\ & +2x_2{x}_6+x_2{x}_7+2x_2{x}_8+6x_3{x}_4+6x_3{x}_5+2x_3{x}_6+2x_3{x}_7+x_3{x}_8+5x_4{x}_6\hfill \\ & +3x_4{x}_7+x_4{x}_8+3x_5^2+3x_5{x}_6+3x_5{x}_8+6x_6{x}_7+6x_6{x}_8+x_7^2+x_7{x}_8+2x_8^2\hfill \\ & +3x_1+x_3+3x_4+3x_5+x_6+6x_8+5\hfill \\ \hfill p^{\left(2\right)}+p^{\left(3\right)}(\mathrm{mod} 7)=& 4x_1^2+4x_1{x}_2+4x_1{x}_3+2x_1{x}_4+6x_1{x}_5+x_1{x}_6+2x_1{x}_7+x_1{x}_8+5x_2^2+2x_2{x}_3\hfill \\ & +3x_2{x}_5+4x_2{x}_6+2x_2{x}_7+4x_2{x}_8+6x_3^2+3x_3{x}_4+6x_3{x}_5+3x_3{x}_6+4x_3{x}_7\hfill \\ & +x_3{x}_8+6x_4^2+6x_4{x}_7+x_4{x}_8+4x_5^2+x_5{x}_6+4x_5{x}_7+x_5{x}_8+2x_6^2+6x_6{x}_7\hfill \\ & +3x_6{x}_8+4x_7^2+5x_7{x}_8+6x_8^2+2x_1+4x_2+4x_3+3x_5+5x_6+4x_7+3\hfill \end{array}$$

Since

$$\begin{array}{c}\hfill p^{\left(1\right)}+p^{\left(2\right)}=p^{\left(3\right)}(\mathrm{mod} 7)\\ \hfill p^{\left(2\right)}+p^{\left(3\right)}=p^{\left(4\right)}(\mathrm{mod} 7)\end{array}$$

we have successfully identified that $\mathcal{P}$ is a forgeable system.

6. The Inability to Generate Weak Rainbow Signature Scheme via DSFM1 and DSFM2 Methodologies

Firstly, we observe that the central map $\mathcal{F}$ of a UOV scheme in the form of

$$\begin{array}{c}\hfill f^{\left(k\right)}=\sum _{a,b\in V}{\alpha }_{a,b}^{\left(k\right)}{x}_a{x}_b+\sum _{a\in V,b\in O}{\beta }_{a,b}^{\left(k\right)}{x}_a{x}_b+\sum _{a\in V\cup O}{\gamma }_a^{\left(k\right)}{x}_a+{\delta }^{\left(k\right)}(k=1,\dots ,o).\end{array}$$

Thus, all polynomials $f^{\left(j\right)}=k_j{f}^{\left(1\right)}$ where $j=2,\dots ,m$ and $f^{\left(j\right)}=f^{\left(i\right)}+f^{\left(k\right)}$ where $j=2,\dots ,m$ and $i,k=1,\dots ,j-1$ in the central map $\mathcal{F}$ are of the same form as above.

Thus, the inability to generate a weak Rainbow signature scheme via DSFM1 and DSFM2 methodologies is because of its central map $\mathcal{F}$ having the form of

$$\begin{array}{c}\hfill f^{\left(k\right)}\left(\mathbf{x}\right)=\sum _{a,b\in V_{\ell },a\le b}{\alpha }_{a,b}^{\left(k\right)}{x}_a{x}_b+\sum _{a\in O_{\ell },b\in V_{\ell }}{\beta }_{a,b}^{\left(k\right)}{x}_a{x}_b+\sum _{a\in V_{\ell }\cup O_{\ell }}{\gamma }_a^{\left(k\right)}{x}_a+{\eta }^{\left(k\right)}(k=v_1+1,\dots ,n).\end{array}$$

The form of polynomials $f^{\left(k\right)}\left(\mathbf{x}\right)$ are different depending on the ℓ-th level. As we can see, the index i and j for the variables are from the index sets $V_{\ell }$ and $O_{\ell }$ where ℓ is the only integer such that $k\in O_{\ell }$. For instance, when $\ell =1$, we will have $O_1=\{v_1+1,\dots ,v_2\}$ and $V_1=\{1,\dots v_1\}$. The value of k is taken from the set $O_1$. Therefore, the polynomials $f^{(v_1+1)}\left(\mathbf{x}\right),\dots ,f^{\left(v_2\right)}\left(\mathbf{x}\right)$ will share the same form. For $\ell =2$, $O_2=\{v_2+1,\dots v_3\}$ and $V_2=\{1,\dots ,v_2\}$ where $k\in O_2$, the polynomials $f^{(v_2+1)}\left(\mathbf{x}\right),\dots ,f^{\left(v_3\right)}\left(\mathbf{x}\right)$ are of the same form. Since the polynomials have different variable forms, we cannot construct the central map $\mathcal{F}$ as in Algorithm 2 and the polynomials in $\mathcal{P}$ of the form $p^{\left(j\right)}=p^{\left(i\right)}+p^{\left(k\right)}$ as in Algorithm 4.

7. Generating Weak UOV and Rainbow Signature Scheme

In the following example, we illustrate the generation of weak UOV and Rainbow schemes via DSFM3 methodology as well as the signing and verification process. Firstly, the public–private key pair of either UOV or Rainbow is generated as in the original version of the schemes. Secondly, suppose the RCA computes $\mathbf{x}=(x_1,\dots ,x_m)$ such that $\mathcal{P}\left(\mathbf{x}\right)=0$ and shares the vector $\mathbf{x}$ with the adversary. The adversary can forge the signature $\mathbf{x}$ via DSFM3. The example below shows that weak UOV and Rainbow schemes can still be used by a user without suspicion since the constants seem randomized and the signing and verification work as normal.

Example 7.

Let $\mathcal{P}=(p^{\left(1\right)},p^{\left(2\right)},p^{\left(3\right)}):{\mathbb{F}}^7\to {\mathbb{F}}^3$ be a valid public key over $\mathbb{F}=GF\left(53\right)$ that can be utilized for both UOV and Rainbow signature schemes. Suppose $\mathbf{x}=(35,46,24,57,21,27,25)$ such that $\mathcal{P}\left(x\right)=0$. The adversary is given the integer set $\mathbf{x}$ from the RCA and suppose the adversary wants to forge the signaturez$=(40,46,24,57,21,3,34)$ corresponding to $\mathbf{w}=(1,30,46)$.

$$\begin{array}{cc}\hfill p^{\left(1\right)}=& 47x_1^2+33x_1{x}_2+22x_1{x}_3+38x_1{x}_4+45x_1{x}_5+17x_1{x}_6+18x_1{x}_7+8x_2^2+23x_2{x}_3+18x_2{x}_4\hfill \\ & +x_2{x}_5+44x_2{x}_6+41x_2{x}_7+12x_3^2+47x_3{x}_4+6x_3{x}_5+15x_3{x}_6+11x_3{x}_7+22x_4^2+x_4{x}_5\hfill \\ & +23x_4{x}_6+13x_4{x}_7+9x_5^2+39x_5{x}_6+42x_5{x}_7+30x_5+15x_6^2+48x_6{x}_7+11x_7^2+50x_1\hfill \\ & +13x_2+11x_3+5x_4+30x_5+x_6+50x_7+32\hfill \\ \hfill p^{\left(2\right)}=& 45x_1^2+6x_1{x}_3+12x_1{x}_4+16x_1{x}_5+26x_1{x}_6+46x_1{x}_7+3x_1{x}_2+13x_2^2+30x_2{x}_3+47x_2{x}_4\hfill \\ & +43x_2{x}_5+14x_2{x}_6+30x_2{x}_7+39x_3^2+17x_3{x}_4+15x_3{x}_5+46x_3{x}_6+40x_3{x}_7+45x_4^2\hfill \\ & +18x_4{x}_5+22x_4{x}_6+9x_4{x}_7+3x_5^2+37x_5{x}_6+35x_5{x}_7+14x_6^2+38x_6{x}_7+26x_7^2+46x_1\hfill \\ & +37x_2+37x_3+44x_4+28x_5+12x_6+10x_7+35\hfill \\ \hfill p^{\left(3\right)}=& 21x_1^2+13x_{1}x2+26x_1{x}_3+14x_1{x}_4+44x_1{x}_5+12x_1{x}_7+37x_2^2+18x_2{x}_3+18x_2{x}_4+49x_2{x}_5\hfill \\ & +4x_2{x}_6+29x_2{x}_7+11x_3^2+14x_3{x}_4+22x_3{x}_5+27x_3{x}_6+13x_3{x}_7+2x_4^2+30x_4{x}_5+4x_4{x}_6\hfill \\ & +14x_4{x}_7+45x_5^2+39x_5{x}_6+x_5{x}_7+2x_6^2+49x_6{x}_7+24x_7^2+20x_1+32x_2+30x_3+34x_4\hfill \\ & +43x_5+32x_6+30x_7+40\hfill \end{array}$$

The adversary computes $\mathcal{P}(\mathbf{x}+\alpha )$ and obtains

$$\begin{array}{cc}\hfill p^{\left(1\right)}=& 33{\alpha }^2+13\alpha \hfill \\ \hfill p^{\left(2\right)}=& 46{\alpha }^2+\alpha \hfill \\ \hfill p^{\left(3\right)}=& 52{\alpha }^2+25\alpha .\hfill \end{array}$$

Solving $p^{\left(1\right)}=w_1$, $p^{\left(2\right)}=w_2$ and $p^{\left(3\right)}=w_3$, the adversary will obtain $\alpha =23$. Therefore, ${\mathbf{z}}^{\prime }=(5,16,47,27,44,50,48)$ is the forged signature. Indeed ${\mathbf{z}}^{\prime }\ne \mathbf{z}=(40,46,24,57,21,3,34).$ The verification process will be successful since:

$$\begin{array}{c}\hfill p^{\left(1\right)}(5,16,47,27,44,50,48)=0\\ \hfill p^{\left(2\right)}(5,16,47,27,44,50,48)=0\\ \hfill p^{\left(3\right)}(5,16,47,27,44,50,48)=0.\end{array}$$

8. Discussion

Our work enabled us to showcase the practicality of the DSFM1, DSFM2 and DSFM3 methodologies to forge UOV and Rainbow signatures. The strategies outlined to identify whether DSFM1 or DSFM2 was applied on UOV and Rainbow parameters must be adhered to in order to ensure the security of the signature. As discussed on [29], the complexity to conduct due diligence are $O\left(m\right)$ and $O\left(m^3\right)$, respectively, where m is the number of equations. However, to this end, it is still unanswered whether there are possible mechanisms to identify DSFM3 weakened systems. The DSFM3 is deployed on random polynomials, and does not involve modification on polynomials to make it vulnerable. As such, the system $\mathcal{P}$ has no anomalies. Instead, the adversary only needs to solicit the vector x which satisfies $\mathcal{P}\left(\mathbf{x}\right)=0$ from the RCA.

9. Conclusions

In conclusion, we have revisited two signature forgery methodologies (DSFM1 and DSFM2) and put forward one novel signature forgery methodology, DSFM3. The public key system $\mathcal{P}$ of a UOV signature scheme is not secure if it is generated using DSFM1, DSFM2 and DSFM3 methodologies by RCA. Potential users of the UOV signature scheme are able to identify whether the public parameters are generated via DSFM1 and DSFM2 methodologies. As such they must conduct due diligence upon receiving the public key system $\mathcal{P}$. To this end, the Rainbow signature scheme is resistant to DSFM1 as well as DSFM2 methodologies and is only vulnerable to the DSFM3 methodology. However, it is still an open question whether a public key system $\mathcal{P}$ of UOV and Rainbow signature schemes can be identified if it is generated via DSFM3 methodology since there are no anomalies in the public key.