Ward Beullens
IBM Research Zurich, Zurich, Switzerland

Ming-Shing Chen
Academia Sinica, Taipei, Taiwan

Shih-Hao Hung
National Taiwan University, Taipei, Taiwan

Matthias J. Kannwischer
Academia Sinica, Taipei, Taiwan

Bo-Yuan Peng
Academia Sinica, Taipei, Taiwan; National Taiwan University, Taipei, Taiwan

Cheng-Jhih Shih
National Taiwan University, Taipei, Taiwan

Bo-Yin Yang
Academia Sinica, Taipei, Taiwan

Keywords: Oil and Vinegar, Intel AVX2, Arm Neon, Arm Cortex-M4, Xilinx Artix-7

Abstract

Two multivariate digital signature schemes, Rainbow and GeMSS, made it into the third round of the NIST PQC competition. However, neither made its way to being a standard due to devastating attacks (in one case by Beullens, the other by Tao, Petzoldt, and Ding). How should multivariate cryptography recover from this blow? We propose that, rather than trying to fix Rainbow and HFEv- by introducing countermeasures, the better approach is to return to the classical Oil and Vinegar scheme. We show that, if parametrized appropriately, Oil and Vinegar still provides competitive performance compared to the new NIST standards by most measures (except for key size). At NIST security level 1, this results in either 128-byte signatures with 44 kB public keys or 96-byte signatures with 67 kB public keys. We revamp the state-of-the-art of Oil and Vinegar implementations for the Intel/AMD AVX2, the Arm Cortex-M4 microprocessor, the Xilinx Artix-7 FPGA, and the Armv8-A microarchitecture with the Neon vector instructions set.