Hall Of Fame

Parameter Set

Authors

mayo-76

Mukesh Tiwari

Submitted	2026-06-12
Solution	TIP You need to season it
Algorithm	Reconciliation attack via the M4GB Gröbner engine, with probabilistic enumeration of the high-nibble guesses for row 0 https://github.com/mukeshdroid/mayo-bochum-challenge
Hardware	Macbook Pro M2 Max (10 cores used)
Runtime	24h

mayo-74

Mukesh Tiwari

Submitted	2026-06-11
Solution	strawberry jam and mayo?
Algorithm	Structured-reconciliation attack via the M4GB Gröbner engine, with probabilistic enumeration of the high-nibble guesses for row 0
Hardware	12-core Apple Silicon Mac (10 cores allocated), 64 GB RAM
Runtime	1h

mayo-70

Nico Pelleriti

Submitted	2026-06-06
Solution	Mayonnaise is versatile in recipes
Algorithm	Embedding-guided hybrid reconciliation
Hardware	Apple M4 Pro
Runtime	Roughly 3 hours AI-assisted search/code/validation; selected shard solved locally.
Comment	We used an AI-assisted workflow to improve and automate hybrid reconciliation, including shard selection, solver orchestration, and validation of recovered oil-space embeddings.

mayo-66

Anders Nilson

Submitted	2026-04-26
Solution	Dont get confused when mixing mayo & ketchup
Algorithm	Hybrid reconciliation. Reconciliation only scripts available at https://github.com/CryptoPenguin15/mayo_reconciliation.
Hardware	AMD Turin, 8 vCPU, 4 cores, 31 GB, approx. 3 GB in use.
Runtime	16^3 mq-instances at most to check, each one taking 5-15 min, depending on the HW.
Comment	The reason for using hybrid is to reduce the memory requirements. The mq-instances can be processed in parallel, if the HW is available.

mayo-63

Kevin Pucci

Submitted	2026-01-12
Solution	I like making spicy mayonnaise with chilli
Algorithm	Groebner basis (magma) + exploitation of structured secret (ASCII characters)
Runtime	8h

mayo-61

David Weiße, Elias Radtke

Submitted	2025-12-25
Solution	Add a pinch of salt and pepper to taste.
Algorithm	M4GB + reconciliation
Hardware	2x AMD EPYC 7742 64-Core Processor
Runtime	28.5h

mayo-59

David Weiße, Elias Radtke

Submitted	2025-12-24
Solution	Mayo can be substitute in baking instead of butter
Algorithm	M4GB + reconciliation
Hardware	2x AMD EPYC 7742 64-Core Processor
Runtime	7h

mayo-58

David Weiße, Elias Radtke

Submitted	2025-12-23
Solution	Did you try mayo with toast
Algorithm	M4GB + reconciliation
Hardware	2x AMD EPYC 7742 64-Core Processor
Runtime	3h

mayo-55

David Weiße, Elias Radtke

Submitted	2025-12-22
Solution	Homemade mayonnaise tastes fresher than the store-bought.
Algorithm	M4GB + reconciliation
Hardware	2x AMD EPYC 7742 64-Core Processor
Runtime	28m

mayo-52c

David Weiße, Elias Radtke

Submitted	2025-12-21
Solution	Enjoy your Mayo with french fries!
Algorithm	M4GB + reconciliation
Hardware	2x AMD EPYC 7742 64-Core Processor
Runtime	9m

mayo-52b

David Weiße, Elias Radtke

Submitted	2025-12-20
Solution	Slowly add the oil while whisking in cup.
Algorithm	M4GB + reconciliation
Hardware	2x AMD EPYC 7742 64-Core Processor
Runtime	44s

mayo-52a

David Weiße, Elias Radtke

Submitted	2025-12-19
Solution	Whisk egg yolk & salt.
Algorithm	M4GB + reconciliation
Hardware	2x AMD EPYC 7742 64-Core Processor
Runtime	59s

mayo-48

Kevin Pucci

Submitted	2025-11-10
Solution	1 Egg yolk, salt, oil
Algorithm	Groebner basis + bruteforce, sagemath
Hardware	amd64
Runtime	15h CPU time

Remark on Solved Challenges

Currently, all provided parameter sets have been solved. The attacks on the highest parameter sets all exploit the encoding of the flag into the secret key, which introduces artificial structure.

We want to stress that actual MAYO secret keys do not have this structure.

We will soon publish new parameter sets with random secret keys to address this issue.

Mayo

Mayo is a signature scheme which builds upon the Unbalanced-Oil-And-Vinegar (UOV) scheme.
We have a trapdoored multivariate-quadratic (MQ) map $P : F_{q}^{n} \to F_{q}^{m}$ , i.e. $x \mapsto (p_{1} (x), \dots, p_{m} (x))$ where each $p_{i}$ is a homogeneous polynomial of degree 2.
Its corresponding symmetric bilinear form is defined as $P^{'} (x, y) : = P (x + y) - P (x) - P (y)$ .

The trapdoor, called the oil space $O$ , is an $o$ -dimensional subspace of $F_{q}^{n}$ on which the map $P$ vanishes, i.e. $P (o) = 0$ for all $o \in O$ .

For more information refer to the official webpage.

Parameters format

n : number of variables in the MQ-map
m : number of components in the MQ-map
o : dimension of the Oil-Space
q : number of elements of the underlying field $F_{q^{n}}$ (in our case always $q = 2^{4} = 16$ )

Public key format

Since the $p_{i}$ are homogeneous polynomials of degree 2, they can be described by the following matrices $P_{i} \in F_{q}^{n \times n}$ :
$p_{i} (x) = x^{t} \cdot P_{i} \cdot x$
Moreover they can be chosen as upper triangular matrices:
$P_{i} = (P_{i}^{(1)} 0 P_{i}^{(2)} P_{i}^{(3)})$

The given public key file contains:
Always three lines, seperated by an empty line, containing $P_{i}^{(1)}$ , $P_{i}^{(2)}$ and $P_{i}^{(3)}$ as a list of lists where each inner list is a row of the corresponding matrix.

Flag encoded into the Oil-Space

For the key-recovery challenges, a secret flag $m$ has been embedded into the Oil-Space $O$ in the following way:

Encode $m$ into $⌊ o \cdot n /2 ⌋$ bytes (UTF-8).
Each byte can be represented by two elements of $F_{q} = F_{16}$ .
Write the nibbles into an $o \times n$ matrix $O$ from left to right, top to bottom.
Check if $O$ has full rank.
Enumerate the oil-space, i.e. compute $x \cdot O$ for all $x \in F_{q}^{o}$ , and sort the vectors lexicographically.
The positions of the rows of $O$ (starting index 0) will be published.

If you were now able to recover a different basis $O^{'}$ of the oil-space, you can enumerate the Oil-Space, sort it lexicographically, find the vectors of the original basis via their positions and decode them into the flag.

Link to reference Sage code to extract (unembed) a secret message from a recovered private key