Security Analysis of Reusing Vinegar Values in UOV Signature Scheme

Multivariate quadratic equation-based cryptographic algorithms are one of the promising post-quantum alternatives to current public-key cryptographic algorithms based on the discrete logarithm problem and the integer factorization problem. In this paper, we provide advanced security analysis of UOV, a well-known signature scheme based on the multivariate quadratic equations, when Vinegar values are reused in signing for efficiency. We determine the minimum number of signatures generated by the reused Vinegar values required for UOV secret key recovery. More precisely, it is enough inverted left perpendicular v/o inverted right perpendicular + 1 signatures to recover the secret key in polynomial-time. According to our experimental results, we can recover the secret key of UOV from only three signatures generated by the reused Vinegar values in 72 ms, 498 ms and 1,527 ms on a desktop at the 128-bit, 192-bit and 256-bit security levels, respectively.