Mayo
Mayo is a signature scheme which builds upon the Unbalanced-Oil-And-Vinegar (UOV) scheme.
We have a trapdoored multivariate-quadratic (MQ) map , i.e. where each is a homogeneous polynomial of degree 2.
Its corresponding symmetric bilinear form is defined as .
The trapdoor, called the oil space , is an -dimensional subspace of on which the map vanishes, i.e. for all .
In UOV, a signature for some message is created in the following way:
- Choose some , called the vinegar.
- Compute a message digest of the message
- Solve the linear system which is equivalent to
- The signature is
For Mayo, which means that the above linear system does not have a solution in general.
Therefore a new “whipped up” map is constructed in the following way:
The parameter is chosen such that .
In this way proceeding like above, the linear system will have a solution with high probability.
The invertible matrices for are called emulsifier matrices.
A signature in Mayo is generated analogously to UOV with the only difference that you have to choose many vinegars and solve the linear system .
For more information refer to the official webpage.
Parameters format
- n : number of variables in the MQ-map
- m : number of components in the MQ-map
- o : dimension of the Oil-Space
- k : Whipping-parameter s.t.
- q : number of elements of the underlying field (in our case always )
- : invertible “emulsifier”-matrices in .
Each line corresponds to one emulsifier-matrix and each inner list is a row of the matrix.
Each entry is an element of , represented as an decimal integer.
The Big-Endian binary representation of this integer corresponds to the coefficients of the polynomial in , where .
For example:
This list of emulsifier matrices will be arranged in the following way to a 2-dimensional array (same as in the official specifications):
- : security parameter, length of the seed and half the length of the message digest.
Public key format
Since the are homogeneous polynomials of degree 2, they can be described by the following matrices :
Moreover they can be chosen as upper triangular matrices:
The given public key file contains:
Always three lines, seperated by an empty line, containing , and as a list of lists where each inner list is a row of the corresponding matrix.
Flag encoded into the Oil-Space
For the key-recovery challenges, a secret flag has been embedded into the Oil-Space in the following way:
- Encode into bytes (UTF-8).
Each byte can be represented by two elements of . - Write the nibbles into an matrix from left to right, top to bottom.
Check if has full rank. - Enumerate the oil-space, i.e. compute for all , and sort the vectors lexicographically.
- The positions of the rows of (starting index 0) will be published.
If you were now able to recover a different basis of the oil-space, you can enumerate the Oil-Space, sort it lexicographically, find the vectors of the original basis via their positions and decode them into the flag.
Link to reference Sage code to extract (unembed) a secret message from a recovered private key