Abstract. A recently proposed class of multivariate Public-Key Cryptosystems, the Rainbow-Like Digital Signature Schemes, in which successive sets of central variables are obtained from previous ones by solving linear equations, seem to lead to e cient schemes (TTS, TRMS, and Rainbow) that perform well on systems of low computational resources. Recently SFLASH (C * − ) was broken by Dubois, Fouque, Shamir, and Stern via a di erential attack. In this paper, we exhibit similar algebraic and di ential attacks, that will reduce published Rainbow-like schemes below their security levels. We will also discuss how parameters for Rainbow and TTS schemes should be chosen for practical applications. Keywords: rank, di erential attack, algebraic attack, oil-and-vinegar Note: This is an update to the paper to appear at ACNS 2008, New York 1 Outline Multivariate Public-Key Cryptosystems (MPKCs, or trapdoor MQ schemes) are cryptosystems for which the public key is a set of polynomials P = (p 1 , . . . , p m ) in variables x = (x 1 , . . . , x n ) where all variables and coe cients are in K = GF(q). In practice this is always accomplished viaIn any given scheme, the central map Q belongs to a certain class of quadratic maps whose inverse can be computed relatively easily. The maps S, T are a ne. The polynomials giving y i in x are called the central polynomials, and the x j are called the central variables.In 1999, the Unbalanced Oil-and-Vinegar multivariate structure is proposed by Patarin et al [16]. Lately the Rainbow class of signatures [7,20,25], based on repeated applications of the Unbalanced Oil-and-Vinegar principle, shows some promise on systems of low computational resources.Given that the well-known C * − class of signature schemes including SFLASH was broken by di erential attacks [8], we examine similar attacks on Rainbow, with the following conclusions:Di erentials improve on the High-Rank attacks on Rainbow-like systems.
