Remark on Solved Challenges
Currently, all provided parameter sets have been solved. The attacks on the highest parameter sets all exploit the encoding of the flag into the secret key, which introduces artificial structure.
We want to stress that actual MAYO secret keys do not have this structure.
We will soon publish new parameter sets with random secret keys to address this issue.
Mayo
Mayo is a signature scheme which builds upon the Unbalanced-Oil-And-Vinegar (UOV) scheme.
We have a trapdoored multivariate-quadratic (MQ) map , i.e. where each is a homogeneous polynomial of degree 2.
Its corresponding symmetric bilinear form is defined as .
The trapdoor, called the oil space , is an -dimensional subspace of on which the map vanishes, i.e. for all .
For more information refer to the official webpage.
Parameters format
- n : number of variables in the MQ-map
- m : number of components in the MQ-map
- o : dimension of the Oil-Space
- q : number of elements of the underlying field (in our case always )
Public key format
Since the are homogeneous polynomials of degree 2, they can be described by the following matrices :
Moreover they can be chosen as upper triangular matrices:
The given public key file contains:
Always three lines, separated by an empty line, containing , and as a list of lists where each inner list is a row of the corresponding matrix.
Flag encoded into the Oil-Space
For the key-recovery challenges, a secret flag has been embedded into the Oil-Space in the following way:
- Encode into bytes (UTF-8). Each byte can be represented by two elements of .
- Write the nibbles into an matrix from left to right, top to bottom. Check if has full rank.
- Enumerate the oil-space, i.e. compute for all , and sort the vectors lexicographically.
- The positions of the rows of (starting index 0) will be published.
If you were now able to recover a different basis of the oil-space, you can enumerate the Oil-Space, sort it lexicographically, find the vectors of the original basis via their positions and decode them into the flag.
Link to reference Sage code to extract (unembed) a secret message from a recovered private key
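The embedding and recovery steps above, as an added Python example on toy parameters (o = 2, n = 6); this is not the reference Sage code linked above. Assumptions: the field is GF(16) with modulus x^4 + x + 1, the high nibble of each byte comes first, vectors are sorted by comparing nibbles as integers, the flag fills the matrix exactly, and the function names are made up for this example.

```python
from itertools import product

def gf16_mul(a, b):
    """Multiply in GF(16) = GF(2)[x]/(x^4 + x + 1); the modulus is an assumption."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a & 0x10:
            a ^= 0x13  # reduce by x^4 + x + 1
    return r

def span_sorted(basis):
    """Every GF(16)-linear combination of the rows, sorted lexicographically."""
    vecs = set()
    for coeffs in product(range(16), repeat=len(basis)):
        v = [0] * len(basis[0])
        for c, row in zip(coeffs, basis):
            for j, x in enumerate(row):
                v[j] ^= gf16_mul(c, x)  # addition in GF(16) is XOR
        vecs.add(tuple(v))
    return sorted(vecs)  # assumed order: nibbles compared as integers 0..15

def embed(flag, o, n):
    """Return (basis rows, published positions) for a flag of exactly o*n nibbles."""
    nibbles = [x for b in flag.encode("utf-8") for x in (b >> 4, b & 0xF)]  # high nibble first (assumed)
    if len(nibbles) != o * n:
        raise ValueError("flag must fill the o x n matrix exactly")
    basis = [tuple(nibbles[i * n:(i + 1) * n]) for i in range(o)]
    space = span_sorted(basis)
    if len(space) != 16 ** o:  # fewer distinct vectors means rank < o
        raise ValueError("flag matrix does not have full rank")
    return basis, [space.index(row) for row in basis]

def unembed(recovered_basis, positions):
    """Decode the flag from any basis of the same space plus the positions."""
    space = span_sorted(recovered_basis)
    nibbles = [x for p in positions for x in space[p]]
    return bytes(h << 4 | l for h, l in zip(nibbles[0::2], nibbles[1::2])).decode("utf-8")

if __name__ == "__main__":
    basis, positions = embed("mayo42", 2, 6)  # constructed toy flag, o=2, n=6
    # A different basis of the same space: (row0 + row1, 2 * row1)
    other = [tuple(a ^ b for a, b in zip(*basis)),
             tuple(gf16_mul(2, x) for x in basis[1])]
    print(positions, unembed(other, positions))
```

Enumeration costs 16^o vectors, so this brute-force form is only practical for small o.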