{ MAYO-Rust Implementation }

MAYO is a variant of the Oil and Vinegar scheme whose public keys are smaller. A MAYO public key P has the same structure as an Oil and Vinegar public key, except that the dimension 1 of the space O on which P evaluates to zero is “too small”, i.e., dim(O) = o, with o less than m. The advantage of this is that the problem of recovering O from P becomes much harder, which allows for smaller parameters. This is especially advantageous in DLTs that value small signatures and strong security.

Advantages

Small key and signature sizes. Compared to other post-quantum digital signature algo- rithms, the MAYO signature scheme has short keys and very short signatures. Computational efficiency. MAYO offers good performance for key generation, signing, and verification. Our generic C implementation of MAYO is slower than the fastest (platform- specific) optimized implementations of lattice- based signatures by only a small factor. We hope this gap will shrink as more optimized imple- mentations of MAYO are developed. Flexible. Parameter sets are easily adjusted to reach a specific security level. For each target se- curity level, there is a flexible trade-off between signature size and public key size, as demon- strated in Table 2.2. Wide security margin against known attacks. State-of-the-art attacks against MAYO are well- understood and easy to analyze. We pick pa- rameters using a conservative methodology that only focuses on gate count and ignores the cost of memory accesses and which ignores how well attacks parallelize. Therefore, in realistic mod- els, the state-of-the-art attacks against MAYO are more costly than key-search attacks on AES (which define the NIST security levels 1,3, and 5) by a wide margin.

Limitations Scalability to higher security levels. Multivari- ate quadratic maps need O(λ3) coefficients to reach O(λ) bits of security. This causes multi- variate cryptosystems, such as MAYO, to scale less well to higher security levels, compared to e. g., lattice-based signature schemes. For exam- ple, even though at the lowest security level the combined public key and signature size of MAYO is only 40% of that of the Dilithium scheme, at security level 5, the combined size of MAYO is already 81% of that of Dilithium. At sufficiently higher security levels Dilithium would become more compact than MAYO. New design. MAYO, invented in 2021, is a rel- atively recent design. MAYO public keys have the same structure as Oil and Vinegar public keys, so decades of cryptanalysis inspire confi- dence in the security of MAYO against key re- covery attacks. However, for security against forgery attacks, MAYO relies on the hardness of the “Whipped MQ” problem, which has had rela- tively less public scrutiny.

Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding. Wyb coding.