CyclicRainbow: A Multivariate Signature Scheme

with a Partially Cyclic Public Key


Report by [Your Name] (based on Petzoldt et al. 2010)

Abstract
We review and analyze the CyclicRainbow signature scheme proposed by
Petzoldt, Bulygin, and Buchmann [9], which extends the notion of partially
cyclic public keys (from their earlier UOV work [10]) to the Rainbow multi-
variate signature framework [7]. This scheme achieves up to a 62% reduction
in public key size compared to standard Rainbow, with only minor impact
on security and efficiency. We present a detailed exposition of the Rainbow
scheme, the cyclic-key technique of Petzoldt et al. [10], and the specific con-
struction of CyclicRainbow (including its algebraic structure, key generation
algorithm, and verification efficiency). We also reproduce key tables of perfor-
mance and security metrics, and provide critical commentary on the methods
and implications. Our analysis confirms that CyclicRainbow maintains secu-
rity comparable to Rainbow while significantly reducing key size and improving
verification speed [9].

1 Introduction
Multivariate public-key cryptography is a leading candidate for post-quantum sig-
natures, thanks to fast arithmetic and simplicity of implementation. A well-known
example is the Rainbow signature scheme of Ding and Schmidt [7], which is a lay-
ered extension of the Unbalanced Oil-and-Vinegar (UOV) scheme [8]. However, a
persistent drawback of multivariate schemes is their large key sizes. In particular,
Rainbow's public key consists of $m$ quadratic polynomials in $n$ variables over a finite
field, requiring $m \binom{n+2}{2}$ field elements to store [9].
Petzoldt et al. have proposed a way to dramatically reduce public-key size by
imposing a partial cyclic structure on the key [9, 10]. Their earlier work [10] demon-
strated this idea in the UOV context, and the CyclicRainbow paper [9] extends it
to Rainbow. The main contribution is that by carefully choosing the central map

coefficients, the public key exhibits repeated patterns across equations, allowing com-
pression. In fact, the construction achieves up to a 62% reduction in public key size
compared to ordinary Rainbow [9]. This report explains the CyclicRainbow scheme
in detail, section by section, including its algebraic construction, key generation, and
security analysis. We also analyze performance comparisons (e.g. key sizes and veri-
fication cost) and assess potential vulnerabilities. Our exposition closely follows the
original work, but adds commentary on the significance of each part.
The structure of this report mirrors the original paper. After summarizing the
Rainbow signature scheme and the partially cyclic UOV approach (§2–3), we introduce
the CyclicRainbow construction (§4). We then detail key generation, key size
formulas, and efficiency (§4.2–4.3). Section 5 surveys the security considerations, repro-
ducing the experimental attack results. We conclude with parameter choices and
performance comparisons (§6), and our critical analysis of the scheme's merits and
caveats (§6–7).

2 The Rainbow Signature Scheme


The Rainbow scheme [7] is an extension of the UOV (Unbalanced Oil-and-Vinegar)
signature scheme [8]. We first recall the OV principle and then describe Rainbow.

2.1 Oil-and-Vinegar (OV) Principle


In an OV scheme over a finite field $K$, one splits the $n$ variables into $v$ vinegar and
$o$ oil variables (with $n = v + o$). The central map $F(x)$ consists of $o$ quadratic
polynomials $f_{v+1}(x), \dots, f_n(x)$ in the $n$ variables, where each polynomial has the
form
$$f_k(x) = \sum_{i \in V,\; j \in O} \alpha^{(k)}_{ij}\, x_i x_j \;+\; \sum_{i, j \in V,\; i \le j} \beta^{(k)}_{ij}\, x_i x_j \;+\; \sum_{i=1}^{n} \gamma^{(k)}_i\, x_i \;+\; \eta^{(k)},$$
with $V = \{1, \dots, v\}$ and $O = \{v+1, \dots, n\}$ [9]. In each $f_k$, the quadratic terms mix


one vinegar and one oil variable, plus (optionally) a vinegar-vinegar term, but no oil-
oil quadratic terms. This structure makes F easy to invert: to solve F (x) = y, one
picks the vinegar variables x1 , . . . , xv at random, yielding a linear system in the oil
variables xv+1 , . . . , xn , which can be solved by Gaussian elimination. If no solution
exists, one re-chooses the vinegar values. Thus a preimage of y can be found with
high probability.


A $(v, o)$-UOV scheme¹ uses such a central map together with secret invertible affine
transformations $T$ on the input and $S$ on the output. The public key is the compo-
sition $P = S \circ F \circ T$, giving $m = o$ quadratic polynomials in $n$ variables. Signing
and verification then follow the usual pattern: to sign a message $d$, compute the hash
$h = H(d) \in K^m$ and solve $P(z) = h$ (apply $S^{-1}$, invert $F$ as described above, then
apply $T^{-1}$) to obtain the signature $z$; verify by checking $S(F(T(z))) \stackrel{?}{=} h$,
i.e. $P(z) = h$.

2.2 The Rainbow Scheme


Rainbow generalizes OV to multiple layers of vinegar/oil. Let $1 \le v_1 < v_2 < \cdots <
v_u < v_{u+1} = n$ define $u$ layers, and set $o_i = v_{i+1} - v_i$, so that layer $i$ has $v_i$ vinegar
and $o_i$ oil variables. Denote $S_i = \{1, \dots, v_i\}$ and $O_i = \{v_i + 1, \dots, v_{i+1}\}$. The central
map $F(x)$ consists of $m = n - v_1$ polynomials $f_{v_1+1}, \dots, f_n$ defined as follows: for
each $k$ with $v_i + 1 \le k \le v_{i+1}$ (i.e. $k$ in layer $i$),
$$f_k(x) = \sum_{p \in O_i,\; q \in S_i} \alpha^{(k)}_{pq}\, x_p x_q \;+\; \sum_{p, q \in S_i,\; p \le q} \beta^{(k)}_{pq}\, x_p x_q \;+\; \sum_{\ell \in S_i \cup O_i} \gamma^{(k)}_{\ell}\, x_\ell \;+\; \eta^{(k)}.$$
In words, each polynomial in layer $i$ contains quadratic terms mixing the layer's vinegar
variables ($x_q$ with $q \in S_i$) with either vinegar or oil variables, but no oil-oil terms
($x_p x_{p'}$ with $p, p' \in O_i$). This ensures $F$ can be inverted layer by layer: we first assign
random values to $x_1, \dots, x_{v_1}$ and solve the resulting linear system for $x_{v_1+1}, \dots, x_{v_2}$,
then use those values (now all of $S_2$ is known) to solve for $x_{v_2+1}, \dots, x_{v_3}$, and
so on [9].
Specifically, to sign a message d, one computes h = H(d) ∈ K m , then sequentially
computes x = S −1 (h), y = F −1 (x), and finally z = T −1 (y). The signature is
z ∈ K n ; verification checks P (z) = S(F (T (z))) = h [9]. Here S : K m → K m and
T : K n → K n are secret invertible affine maps.
The public key consists of $m$ quadratic polynomials in $n$ variables over $K$. Its
size (number of field elements) is
$$\text{size}(PK) = m \cdot \frac{(n+1)(n+2)}{2}, \qquad (1)$$
since each of the $m$ polynomials has $\binom{n+1}{2}$ quadratic, $n$ linear and one constant
coefficient. The private key includes $S$, $T$ and the description of $F$. It can be shown (see
[9]) that the private key size is
$$\text{size}(SK) = m(m+1) + n(n+1) + \sum_{i=1}^{u} o_i \left[ \frac{v_i (v_i + 1)}{2} + v_i o_i + (v_{i+1} + 1) \right]$$
field elements: $m(m+1)$ for the affine map $S$, $n(n+1)$ for $T$, and, for each of the $o_i$
polynomials of layer $i$, its $\binom{v_i+1}{2}$ vinegar-vinegar, $v_i o_i$ vinegar-oil, $v_{i+1}$ linear and one
constant coefficient. For the special case $u = 1$ (i.e. one layer), Rainbow reduces to UOV.

¹ In Petzoldt et al.'s notation, $v$ includes the first Rainbow layer; here for OV we set $m = o$.
Security of Rainbow over $GF(2^8)$ has been studied extensively. It is generally
believed secure for $m \ge 26$ equations [1, 9]. Ding et al. [7] and follow-up work iden-
tify several concrete attacks: Rainbow-Band-Separation, MinRank, HighRank, and
UOV-specific attacks, which constrain how one chooses the layer sizes $(v_i, o_i)$ [9].
For example, to resist the band-separation attack one requires $n \ge \lceil \tfrac{5}{3}(m-1) \rceil$, and
for the UOV attack one needs $n - 2 o_u \ge 11$ (see [9], Section 2.2). In practice, se-
cure parameters often take $(q, v_1, o_1, o_2) = (256, 17, 13, 13)$ or $(256, 19, 14, 14)$, with
$m = o_1 + o_2 = n - v_1$ equations [9].

3 Partially Cyclic Public Keys: The [PB10] Approach
Petzoldt et al. [10] introduced a technique to reduce the public-key size of UOV
schemes. The idea is to enforce a partially cyclic structure on the public polynomials
by coordinating the choice of the central map F . We briefly outline this approach as
a motivating background for CyclicRainbow.
In UOV, the public key $P = F \circ T$ (neglecting $S$ for now) satisfies linear relations
between the coefficients of $P$ and $F$ once $T$ is fixed. Concretely, write $P = (p^{(k)}_{ij})$
and $F = (f^{(k)}_{rs})$ for the quadratic parts of the $k$-th polynomial. One finds a linear
relation of the form
$$p^{(k)}_{ij} = \sum_{r, s} \alpha^{rs}_{ij}\, f^{(k)}_{rs}, \qquad (2)$$

where the matrix $\alpha$ depends only on $T$ [10]. By inverting this linear map (for carefully
chosen $T$), Petzoldt et al. arranged that the public key's quadratic terms come
from a circulant (cyclically shifted) submatrix $B$ together with a dense part $C$. In
effect, many quadratic terms in $P$ repeat and can be derived from a small set of
parameters [10]. The result was a UOV variant with a public key matrix of the form
$M_P = (B \mid C)$, where $B$ is partially circulant, achieving a dramatic key-size reduction.

4 The CyclicRainbow Construction


We now describe how the partially cyclic idea is extended to Rainbow [9]. We focus
on the two-layer case ($u = 2$) for clarity, with $(v_1, o_1)$ for the first layer and $(v_2, o_2)$
for the second, where $v_2 = v_1 + o_1$ and $v_3 = v_2 + o_2 = n$. Generalization to more
layers follows similarly [9].

4.1 Notation and Monomial Ordering
Let $D_1$ be the number of quadratic monomials that can occur in a first-layer central
polynomial, and $D_2$ the number that can occur in a second-layer one. One has
$$D_1 = \binom{v_1 + 1}{2} + v_1 o_1, \qquad D_2 = \binom{v_2 + 1}{2} + v_2 o_2,$$
and $D_3 = \binom{n+1}{2}$ is the number of quadratic monomials in each public polynomial. The
monomials $x_i x_j$ ($i \le j$) are ordered so that the $D_1$ first-layer monomials ($i \in S_1$,
$j \in S_1 \cup O_1$) come first, then the $D_2 - D_1$ monomials that occur only in the second
layer, and finally the $D_3 - D_2$ oil-oil monomials of the second layer ($i, j \in O_2$), which
occur in no central polynomial. For concreteness, write the public map as
$P = S \circ F \circ T = S \circ Q$, where $Q = F \circ T$. As in the UOV case, the relation between
$Q$ and $F$ yields a linear system of the form
$$q^{(k)}_{ij} = \sum_{r=1}^{n} \sum_{s=r}^{n} \alpha^{rs}_{ij}\, f^{(k)}_{rs}.$$
Because the central map $F$ has structured sparsity (different layers), this relation
splits into two parts corresponding to the layer-1 equations ($1 \le k \le o_1$) and the layer-2
equations ($o_1 + 1 \le k \le m$) [9]:
$$q^{(k)}_{ij} = \sum_{r=1}^{v_1} \sum_{s=r}^{v_2} \alpha^{rs}_{ij}\, f^{(k)}_{rs}, \qquad 1 \le k \le o_1,$$
$$q^{(k)}_{ij} = \sum_{r=1}^{v_2} \sum_{s=r}^{n} \alpha^{rs}_{ij}\, f^{(k)}_{rs}, \qquad o_1 + 1 \le k \le m.$$
To express these compactly, one defines the matrix $A = [\alpha^{rs}_{ij}]$ of size $D_2 \times D_2$ (rows
indexed by the public monomials $x_i x_j$, columns by the central monomials $x_r x_s$, both
restricted to the first $D_2$ monomials of the ordering), with a natural block partition
matching the two layers: $A_{11}$ is the upper-left $D_1 \times D_1$ block, $A_{12}$ the upper-right
$D_1 \times (D_2 - D_1)$ block, and $A_{21}$, $A_{22}$ the corresponding lower blocks. Likewise, we write
the $m \times D_2$ matrices of quadratic coefficients of $Q$ and $P$ (on the first $D_2$ monomials)
in compatible block form,
$$Q = \begin{pmatrix} Q_{11} & Q_{12} \\ Q_{21} & Q_{22} \end{pmatrix}, \qquad P = \begin{pmatrix} P_{11} & P_{12} \\ P_{21} & P_{22} \end{pmatrix},$$
where the columns are partitioned as $\{D_1,\, D_2 - D_1\}$ and the rows as $\{o_1,\, o_2\}$ (layer-1
polynomials first), as shown in Fig. 1 (adapted from [9]). The blocks of $P$ targeted to
become cyclic are $B_1 = \begin{pmatrix} P_{11} \\ P_{21} \end{pmatrix}$, the full $m \times D_1$ strip of the first $D_1$
columns, and $B_2 = P_{22}$, of size $o_2 \times (D_2 - D_1)$. The block $C_1 = P_{12}$ (size
$o_1 \times (D_2 - D_1)$) and the remaining $D_3 - D_2$ columns of all $m$ rows, denoted $C_2$, are the
"random" parts.
With these definitions, the relations between $P, Q, F$ and $S, T$ become
$$P = S \cdot Q = \begin{pmatrix} S_{11} & S_{12} \\ S_{21} & S_{22} \end{pmatrix} \begin{pmatrix} Q_{11} & Q_{12} \\ Q_{21} & Q_{22} \end{pmatrix}, \qquad (3)$$
$$Q = F \cdot A^{\top} = \begin{pmatrix} F_1 & 0 \\ F_{21} & F_{22} \end{pmatrix} \begin{pmatrix} A_{11}^{\top} & A_{21}^{\top} \\ A_{12}^{\top} & A_{22}^{\top} \end{pmatrix}, \qquad (4)$$
where $S_{11}$ is $o_1 \times o_1$ and $S_{22}$ is $o_2 \times o_2$, $F_1$ ($o_1 \times D_1$) holds the quadratic
coefficients of the first-layer central polynomials, and $F_2 = (F_{21} \;\; F_{22})$ ($o_2 \times D_2$) those
of the second layer.

Figure 1: Block structure of the coefficient matrices $P$, $Q$, $F$ and of $S$, $A$: columns split
as $D_1 \mid D_2 - D_1$ (followed by the $D_3 - D_2$ columns of $C_2$), rows as $o_1 \mid o_2$. The
blocks $B_1$, $B_2$ of $P$ are targeted to be cyclic (repeated patterns) [9].

The zero block in $F$ reflects that the first-layer polynomials only involve the first $D_1$
monomials; likewise the second-layer polynomials involve only the first $D_2$, which is why
$A$ can be restricted to $D_2 \times D_2$. From these equations, one deduces formulas to construct
$F$ from the chosen submatrices.

4.2 Cyclic Key Construction


The CyclicRainbow key generation proceeds as follows [9]:

1. Choose two random vectors $a^{(1)} \in K^{D_1}$ and $a^{(2)} \in K^{D_2 - D_1}$. These determine
the cyclic blocks $B_1$ and $B_2$: form $B_1 = (b^{(1)}_{ij})$ of size $m \times D_1$ and
$B_2 = (b^{(2)}_{ij})$ of size $o_2 \times (D_2 - D_1)$ by cyclically shifting the entries of $a^{(1)}$
and $a^{(2)}$,
$$b^{(1)}_{ij} = a^{(1)}_{(j - i) \bmod D_1}, \qquad b^{(2)}_{ij} = a^{(2)}_{(j - i) \bmod (D_2 - D_1)} \qquad \text{(Eqs. (13)–(14) of [9])}.$$
This ensures $B_1$, $B_2$ are fully specified by their first rows (the vectors $a^{(1)}$, $a^{(2)}$).

2. Select random invertible affine transformations $S : K^m \to K^m$ and $T : K^n \to K^n$.
Write $S = \begin{pmatrix} S_{11} & S_{12} \\ S_{21} & S_{22} \end{pmatrix}$ as in Eq. (3). If the lower-right
block $S_{22}$ (of size $o_2 \times o_2$) is not invertible, choose $S$ again.

3. From the affine map $T$ one computes (via known formulas) the transformation
matrix $A$ of size $D_2 \times D_2$ relating $Q$ and $F$ (cf. Eq. (4)). Check that $A$ and its
upper-left $D_1 \times D_1$ block $A_{11}$ are invertible; otherwise choose a new $T$.

4. Using $B_1$, $B_2$, the blocks of $S$ and $A$, compute the following blocks of $Q = F A^{\top}$
and of $F$:
$$\begin{pmatrix} Q_{11} \\ Q_{21} \end{pmatrix} = S^{-1} B_1 \qquad \text{(from } P = SQ\text{)}, \qquad (5)$$
$$F_1 = Q_{11}\,(A_{11}^{-1})^{\top} \qquad \text{(first-layer central polynomials)}, \qquad (6)$$
$$Q_{12} = F_1 A_{21}^{\top}, \qquad (7)$$
$$Q_{22} = S_{22}^{-1}\,(B_2 - S_{21} Q_{12}), \qquad (8)$$
$$F_2 = (Q_{21} \;\; Q_{22})\,(A^{-1})^{\top} \qquad \text{(second-layer central polynomials)}. \qquad (9)$$
Equations (6)–(9) determine the quadratic coefficients of the central polynomials in
both layers so that $B_1$, $B_2$ appear in the public key as desired [9]: Eq. (5) forces
the first $D_1$ columns of $P = SQ$ to equal $B_1$; Eq. (6) is the upper-left block of
Eq. (4) solved for $F_1$; Eq. (7) is the upper-right block of Eq. (4); Eq. (8) is the
lower-right block of Eq. (3) solved for $Q_{22}$ with $P_{22} = B_2$; and Eq. (9) is the second
row of Eq. (4) solved for $F_2$. The remaining linear and constant terms of $F$ can then
be chosen randomly.

5. Finally, set the private key to be (S, T, F ) and compute the public key P =
S ◦ F ◦ T.

This completes key generation. We note that most steps involve linear algebra over
K, and the cyclic requirement merely ties certain entries of F together. Extensive
experiments by the authors show that suitable S, T (satisfying invertibility of blocks)
can be found with overwhelming probability (over 99%) for typical parameters [9].
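The following toy implementation of the procedure above is added to this report as a worked example; it is not code from [9]. Its assumptions are mine, not the paper's: a prime field GF(p) with p = 251 in place of GF(2^8), linear rather than affine S and T, tiny parameters (v1, o1, o2) = (2, 2, 2), only the quadratic coefficients of F and P (the linear and constant terms that the paper chooses at random are omitted), and a monomial ordering of my own that realises the block layout of Fig. 1. The function names (keygen, sign, verify, monomial_matrix, ...) are mine. It builds A from T by composing every monomial with T (the linear relation of §3–4.1), runs steps 1–5, checks that B1 and B2 really appear in P = S ∘ F ∘ T, and then signs and verifies using the layer-by-layer inversion of §2.2.

```python
"""Toy CyclicRainbow keygen/sign/verify (added example, not the paper's code). Assumptions,
all mine: GF(p) with p = 251 instead of GF(2^8); S and T linear (no affine part); only the
quadratic coefficients are built (no linear/constant terms); (v1, o1, o2) = (2, 2, 2)."""
import random

p = 251
V1, O1, O2 = 2, 2, 2
V2, N, M = V1 + O1, V1 + O1 + O2, O1 + O2          # v2, n (= v3), m = o1 + o2

def layer(i):                                      # 1-based variable index -> 1, 2 or 3
    return 1 if i <= V1 else 2 if i <= V2 else 3
def block(i, j):  # 0: may appear in layer-1 polys, 1: only in layer-2 polys, 2: O2 x O2 (never)
    return 0 if layer(i) == 1 and layer(j) <= 2 else (1 if layer(i) <= 2 else 2)

# Monomials x_i x_j (i <= j) sorted by block, so layer-1 polynomials occupy the first D1
# columns and layer-2 polynomials the first D2 columns of every coefficient matrix (Fig. 1).
MONOS = sorted(((i, j) for i in range(1, N + 1) for j in range(i, N + 1)),
               key=lambda ij: (block(*ij), ij))
IDX = {ij: t for t, ij in enumerate(MONOS)}
D1 = sum(block(*ij) == 0 for ij in MONOS)
D2 = D1 + sum(block(*ij) == 1 for ij in MONOS)
D3 = len(MONOS)

def matmul(A, B): return [[sum(a * b for a, b in zip(r, c)) % p for c in zip(*B)] for r in A]
def tr(A): return [list(c) for c in zip(*A)]
def rnd(rows, cols): return [[random.randrange(p) for _ in range(cols)] for _ in range(rows)]

def inverse(A):
    """Gauss-Jordan inverse over GF(p); returns None if A is singular."""
    n = len(A)
    W = [r[:] + [int(i == j) for j in range(n)] for i, r in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if W[r][c]), None)
        if piv is None: return None
        W[c], W[piv] = W[piv], W[c]
        W[c] = [x * pow(W[c][c], p - 2, p) % p for x in W[c]]
        for r in (r for r in range(n) if r != c and W[r][c]):
            W[r] = [(x - W[r][c] * y) % p for x, y in zip(W[r], W[c])]
    return [r[n:] for r in W]

def monomial_matrix(T):
    """A[i][j] = coefficient of MONOS[i] in MONOS[j](T x): the linear map of Eq. (2)."""
    A = [[0] * D3 for _ in range(D3)]
    for j, (r, s) in enumerate(MONOS):
        for t in range(N):
            for u in range(N):
                i = IDX[(min(t, u) + 1, max(t, u) + 1)]
                A[i][j] = (A[i][j] + T[r - 1][t] * T[s - 1][u]) % p
    return A

def keygen(seed):
    random.seed(seed)
    a1, a2 = rnd(1, D1)[0], rnd(1, D2 - D1)[0]                                   # step 1
    B1 = [[a1[(j - k) % D1] for j in range(D1)] for k in range(M)]                # m x D1
    B2 = [[a2[(j - k) % (D2 - D1)] for j in range(D2 - D1)] for k in range(O2)]  # o2 x (D2-D1)
    while True:                                                                   # step 2
        S = rnd(M, M)
        Sinv, S22inv = inverse(S), inverse([r[O1:] for r in S[O1:]])
        if Sinv and S22inv: break
    while True:                                                                   # step 3
        T = rnd(N, N)
        Afull = monomial_matrix(T)                                                # D3 x D3
        A = [r[:D2] for r in Afull[:D2]]                                          # D2 x D2 block
        A11inv, Ainv = inverse([r[:D1] for r in A[:D1]]), inverse(A)
        if inverse(T) and A11inv and Ainv: break
    Qleft = matmul(Sinv, B1)                                                      # Eq. (5)
    F1 = matmul(Qleft[:O1], tr(A11inv))                                           # Eq. (6)
    Q12 = matmul(F1, tr([r[:D1] for r in A[D1:]]))                                # Eq. (7): F1 A21^T
    S21Q12 = matmul([r[:O1] for r in S[O1:]], Q12)
    Q22 = matmul(S22inv, [[(b - c) % p for b, c in zip(rb, rc)]
                          for rb, rc in zip(B2, S21Q12)])                         # Eq. (8)
    F2 = matmul([q1 + q2 for q1, q2 in zip(Qleft[O1:], Q22)], tr(Ainv))           # Eq. (9)
    F = [r + [0] * (D3 - D1) for r in F1] + [r + [0] * (D3 - D2) for r in F2]
    P = matmul(S, matmul(F, tr(Afull)))                                           # step 5: S o F o T
    return dict(S=S, T=T, F=F, P=P, B1=B1, B2=B2)

def has_cyclic_blocks(key):   # columns 1..D1 of P equal B1; layer-2 rows of columns D1+1..D2 equal B2
    P = key["P"]
    return (all(P[k][:D1] == key["B1"][k] for k in range(M)) and
            all(P[O1 + k][D1:D2] == key["B2"][k] for k in range(O2)))

def evaluate(coeffs, x):
    return [sum(c * x[i - 1] * x[j - 1] for c, (i, j) in zip(r, MONOS)) % p for r in coeffs]

def sign(key, h):
    """x = S^-1 h, then y = F^-1 x layer by layer (Section 2.2), then z = T^-1 y."""
    x = [r[0] for r in matmul(inverse(key["S"]), [[v] for v in h])]
    while True:
        y = [random.randrange(p) for _ in range(V1)]                  # layer-1 vinegar values
        for lo, hi in ((V1, V2), (V2, N)):                            # this layer's oil: y[lo:hi]
            rows = key["F"][lo - V1:hi - V1]
            L, const = [[0] * (hi - lo) for _ in rows], [0] * len(rows)
            for k, r in enumerate(rows):
                for c, (i, j) in zip(r, MONOS):
                    if c and j <= lo: const[k] = (const[k] + c * y[i - 1] * y[j - 1]) % p
                    elif c: L[k][j - lo - 1] = (L[k][j - lo - 1] + c * y[i - 1]) % p  # i <= lo < j
            Linv = inverse(L)
            if Linv is None: break                                    # singular: retry new vinegar
            rhs = [[(x[lo - V1 + k] - const[k]) % p] for k in range(len(rows))]
            y += [r[0] for r in matmul(Linv, rhs)]
        else:
            return [r[0] for r in matmul(inverse(key["T"]), [[v] for v in y])]

def verify(key, z, h): return evaluate(key["P"], z) == h
```

With these parameters the ordering gives $D_1 = 7$, $D_2 = 18$, $D_3 = 21$, matching the formulas of §4.1. The invertibility loops in keygen are the checks of steps 2 and 3; over GF(251) a retry is rare, which is the behaviour the authors report for GF(2^8). The quadratic-only simplification does not affect the structure being demonstrated, because the cyclic blocks and Eqs. (5)–(9) concern only quadratic coefficients.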

4.3 Key Size and Verification Efficiency

By construction, the public key now consists only of the cyclic vectors $a^{(1)}, a^{(2)}$ of
total length $D_2$ (which generate columns $1, \dots, D_1$ of all $m$ rows and columns
$D_1 + 1, \dots, D_2$ of the $o_2$ layer-2 rows), the block $C_1$ of the $o_1$ layer-1 rows in columns
$D_1 + 1, \dots, D_2$, and the remaining columns $D_2 + 1, \dots$ of $P$ (the $D_3 - D_2$ remaining
quadratic terms plus the $n$ linear and one constant coefficient of every polynomial).
One can count the key size in field elements as
$$D_2 + o_1 (D_2 - D_1) + m \left( \frac{(n+1)(n+2)}{2} - D_2 \right).$$
After algebraic simplification, this yields exactly [9]:
$$\text{size}(PK) = m \cdot \frac{(n+1)(n+2)}{2} - o_1 D_1 - (o_2 - 1) D_2 .$$
Numerical examples illustrate the savings. For instance, with $(q, v_1, o_1, o_2) = (256, 17, 13, 13)$,
one has $n = 43$ and $m = n - v_1 = 26$, so the ordinary Rainbow public key is
$m \binom{n+2}{2}$ bytes $= 25.9$ kB, while the CyclicRainbow key is only 10.2 kB (about 60%
smaller) [9]. Similar reductions hold for larger parameters (see Table 6 below).
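The simplification claimed above, carried through with the report's own symbols (added here as a check; it is not reproduced from [9]), uses only $m = o_1 + o_2$:
$$
\begin{aligned}
D_2 + o_1 (D_2 - D_1) + m\left(\tfrac{(n+1)(n+2)}{2} - D_2\right)
&= m\,\tfrac{(n+1)(n+2)}{2} - o_1 D_1 + (1 + o_1 - m)\,D_2 \\
&= m\,\tfrac{(n+1)(n+2)}{2} - o_1 D_1 - (o_2 - 1)\,D_2 .
\end{aligned}
$$
The three summands on the left are, respectively, the two cyclic generator vectors $a^{(1)}, a^{(2)}$; the block $C_1$ of the $o_1$ layer-1 rows in columns $D_1 + 1, \dots, D_2$; and, for all $m$ polynomials, the $D_3 - D_2$ remaining quadratic columns together with the $n + 1$ linear and constant coefficients. For $(v_1, o_1, o_2) = (17, 13, 13)$ the formulas of §4.1 give $D_1 = \binom{18}{2} + 17 \cdot 13 = 374$ and $D_2 = \binom{31}{2} + 30 \cdot 13 = 855$.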

The private key size remains comparable to standard Rainbow, since it still needs
to store all of $S$, $T$ and $F$. The formula from [9] for the private key is
$$\text{size}(SK) = m(m+1) + n(n+1) + \sum_{\ell=1}^{2} o_\ell \left[ \frac{v_\ell (v_\ell + 1)}{2} + v_\ell o_\ell + v_{\ell+1} + 1 \right],$$
which is identical to the standard Rainbow private key size for $u = 2$ [9]. (The cyclic
construction only fixes which values the quadratic coefficients of $F$ take; it does not
change how many of them must be stored.)
Verification efficiency is slightly improved. Normally, to compute $P(z)$ one must
evaluate all $m$ polynomials, costing about $m\,n(n+2)$ finite-field multiplications [9].
However, due to the cyclic structure, many products are reused across equations. A
counting argument [9] shows the cost drops to
$$m\,n(n+2) \;-\; \left[ \frac{m}{2}\left(2 v_1 v_2 - v_1^2 - v_1\right) + \frac{o_2}{2}\left(v_1^2 - 2 v_1 v_2 - v_1 + 2 v_2 v_3 - v_2^2 - v_2\right) \right],$$
where $v_3 = n$; the first bracketed term comes from the $m \times D_1$ strip $B_1$ and the
second from the $o_2 \times (D_2 - D_1)$ block $B_2$. For $(v_1, o_1, o_2) = (17, 13, 13)$, i.e.
$(v_1, v_2, v_3) = (17, 30, 43)$ and $m = 26$, the bracket evaluates to $9282 + 5863 = 15145$ of
$50310$ multiplications, so this saves about 30% of the multiplications [9]. In practical
terms, verification in CyclicRainbow is faster than in Rainbow by roughly this factor.

5 Security Analysis
We now examine known attacks against Rainbow and their impact on CyclicRainbow.
Petzoldt et al. [9] conducted extensive experiments; we summarize the results and
their interpretation. Overall, none of the standard attacks seem to break the cyclic
structure, so that CyclicRainbow appears to have essentially the same security level
as Rainbow with the same parameters.

5.1 Direct (Brute-Force) Attacks


The most basic attack is to ignore the structure and try to solve the public equations
P (x) = h by general algebraic methods (e.g. XL or Gröbner basis). If CyclicRainbow
were weaker, one might expect these systems to be easier. In fact, experiments using
MAGMA’s F4 solver [9, 3] show virtually no difference: for tested parameters up to
80-bit security, solving random CyclicRainbow instances took the same time (within
experimental noise) as solving the corresponding Rainbow instances [9].
Table 1 (from [9]) shows example timings (in seconds) for solving systems over $GF(2^8)$
with various $(v_1, o_1, o_2)$. The "random system" row is a fully random (unstructured)
quadratic system with the same numbers of equations and variables. Notice that
CyclicRainbow and Rainbow are nearly identical in effort.

Table 1: Direct attack (Gröbner basis) experiment timings (seconds) [9].
(v1, o1, o2)     (8,5,6)   (9,6,6)   (10,6,7)   (11,7,7)
cyclicRainbow    406       3135      23528      220372
Rainbow          405       3158      23560      222533
Random system    408       3178      23621      221372
This table demonstrates that the cyclic structure did not make the system sig-
nificantly easier to solve by brute force [9]. Hence, direct algebraic attacks do not
immediately compromise CyclicRainbow beyond standard Rainbow.

5.2 Rainbow-Band-Separation Attack


The Rainbow-Band-Separation (RBS) attack [6, 5] aims to recover the layer structure
by finding a change of variables that transforms the public quadratic forms into the
canonical Rainbow block form (Fig. 1). This involves solving an overdetermined
system of $(m + n - 1)$ quadratic equations in $n$ unknowns. Petzoldt et al. [9] performed
RBS experiments using MAGMA and found that CyclicRainbow instances resisted as
well as standard Rainbow instances.
Table 2 summarizes the experiment for the same parameters as above. The entries
are solver runtimes in seconds. Again, the difference between cyclic and non-cyclic
is negligible.

Table 2: Rainbow-Band-Separation attack runtimes (seconds) [9].


(v1 , o1 , o2 ) (8,5,6) (9,6,6) (10,6,7) (11,7,7)
cyclicRainbow 403 3163 23583 223726
Rainbow 412 3152 23652 224273

The authors conclude that RBS cannot exploit the cyclic structure to gain any
advantage [9]. In effect, CyclicRainbow preserves the same resistance to band-
separation as ordinary Rainbow.

5.3 MinRank Attack
The MinRank attack [2] tries to find linear combinations of the public quadratic
forms whose rank is low, hoping to isolate the first layer. In practice, one forms
a linear combination $H = \sum_i \lambda_i H_i$ of the symmetric matrices $H_i$ of the public
quadratic forms and searches for $\{\lambda_i\}$ that make $\operatorname{rank}(H)$ small. A successful
find can help recover the secret structure.
Petzoldt et al. tested MinRank on CyclicRainbow and found no weakness: lin-
ear combinations with low rank did not appear any more easily than in standard
Rainbow. Table 3 (from [9]) lists the average number of linear combinations tested
until a combination of rank ≤ v2 is found (higher is harder). In all cases, cyclic vs.
non-cyclic are essentially the same.

Table 3: MinRank attack: number of combinations tried [9].


(q, v1 , o1 , o2 ) (8,3,2,2) (8,4,3,3) (16,3,2,2) (16,4,3,3)
cyclicRainbow 7635 83534 124174 2982618
Rainbow 7724 84676 125463 3028357

The conclusion is that the cyclic public key does not facilitate the MinRank
attack. The linear combinations found in experiments show no obvious additional
structure in the cyclic case [9]. Thus MinRank appears to require the same work
factor as against Rainbow.

5.4 HighRank Attack


The HighRank attack [5] targets the oil variables of the last layer, which appear in
the fewest central polynomials: one forms random linear combinations of the public
polynomials and checks whether the associated quadratic form has a nontrivial kernel,
since a kernel vector exposes the subspace spanned by those variables. The complexity
grows roughly as $q^{o_u} \cdot m^3$. The authors performed 100-instance tests for small
parameters to compare CyclicRainbow vs. Rainbow, measuring how many random
combinations had to be tested to succeed.
Table 4 shows the average number of combinations tested (lower is easier to
break). Again, results are virtually identical: CyclicRainbow required roughly the
same number of trials as Rainbow. For example, for (q, v1 , o1 , o2 ) = (16, 4, 3, 3) the
averages were 4093.7 vs 4097.8 [9].
These results indicate no increased susceptibility to HighRank attacks. Since ac-
tual secure parameters use much larger $v_1$, $o_2$, the authors note the attack complexity
is far beyond feasible ($> 2^{80}$ for the recommended sizes) [9].

Table 4: HighRank attack: number of random combinations needed [9].
(q, v1 , o1 , o2 ) (8,3,2,2) (8,4,3,3) (16,3,2,2) (16,4,3,3)
cyclicRainbow 64.2 511.5 257.3 4093.7
Rainbow 65.1 512.3 256.8 4097.8

5.5 UOV Attack


Finally, Rainbow (being UOV-like) is subject to the Kipnis-Shamir UOV attack [8].
This attack tries to recover the oil subspace by analyzing linear combinations of the
public polynomials. In practice, one forms products $H_i^{-1} H_j$ of the (symmetric)
matrices of the public quadratic forms, or of random linear combinations of them,
and looks for a subspace invariant under all such products, which reveals the oil space.
Petzoldt et al. ran UOV attacks on both schemes, again comparing the number
of candidate matrices tested before success. Table 5 lists the averages. The numbers
for CyclicRainbow and Rainbow are nearly the same (difference < 1%), confirming
that the cyclic structure offers no shortcut to the UOV attack.

Table 5: UOV attack: number of tests to find oil subspace [9].


(q, v1 , o1 , o2 ) (16,3,2,2) (16,5,3,3) (16,9,6,6) (16,12,10,10)
cyclicRainbow 1734 531768 852738 1183621
Rainbow 1728 532614 847362 1146382

Overall, across all these attack vectors, the experimental evidence is that Cycli-
cRainbow resists as strongly as ordinary Rainbow of comparable size. As the authors
state, “known attacks against the Rainbow signature scheme do not work significantly
better in our case” [9]. Therefore the same parameters can be used without loss of
security. No structural flaw has been identified that would demand larger keys than
standard Rainbow.

6 Performance and Comparison


The principal advantage of CyclicRainbow is public-key size reduction. Table 6
reproduces the key and signature sizes for several Rainbow/UOV variants [9]. For
the recommended (256, 17, 13, 13) parameters, ordinary Rainbow has a public key of
25.9 kB whereas CyclicRainbow uses only 10.2 kB (a 60.5% reduction). Similarly, in

the larger (19, 14, 14) parameter set, public key shrinks from 32.2 to 12.9 kB (60%
reduction). Private key, hash, and signature sizes remain unchanged.

Table 6: Key and signature sizes (public-key size in kB, private-key size in kB,
hash/signature sizes in bits) [9].
Scheme Public key Private key Hash size Signature size
UOV(256, 26, 52) 80.2 76.1 208 624
cyclicUOV(256, 26, 52) 14.5 76.1 208 624
Rainbow(256, 17, 13, 13) 25.9 19.1 208 344
cyclicRainbow(256, 17, 13, 13) 10.2 19.1 208 344
UOV(256, 28, 56) 99.9 92.8 224 672
cyclicUOV(256, 28, 56) 16.5 92.8 224 672
Rainbow(256, 19, 14, 14) 32.2 24.3 224 376
cyclicRainbow(256, 19, 14, 14) 12.9 24.3 224 376

These comparisons highlight the effectiveness of the cyclic approach. In each case,
CyclicRainbow’s public key is roughly 40% of the size of the regular key. Importantly,
this is achieved with no apparent penalty in security or signature size. Verification
also becomes faster due to the shared multiplications noted above.
From a critical perspective, the technique has the usual caveat of structured-
public-key schemes: one must ensure no unforeseen algebraic attack exploits the
added structure. The authors themselves acknowledge this, noting that future work
should assess new decomposition attacks or structure-specific exploits [9]. So far,
the evidence is reassuring, but cryptanalysis could reveal weaknesses. Nevertheless,
given the significant savings (particularly for constrained devices like smartcards [9]),
the approach is a promising tradeoff.

7 Conclusion
The CyclicRainbow scheme of Petzoldt et al. [9] successfully transfers the partially
cyclic public-key idea to the Rainbow signature domain. By carefully choosing the
central map so that each block of public-polynomial coefficients repeats a pattern
(a circulant submatrix), the authors achieve a reduction of about 60% in public
key size and a ∼30% speed-up in verification (in terms of finite-field multiplications) [9].
The construction retains all other features of Rainbow, including signature length

and private-key size. Extensive experiments indicate that all known attacks (direct
Gröbner, band-separation, MinRank, HighRank, UOV) require essentially the same
effort on CyclicRainbow as on unmodified Rainbow of the same parameters [9].
From the perspective of an academic reviewer, the scheme is well-motivated and
rigorously presented. The paper provides complete algebraic detail (as we have re-
produced), explicit parameter tables, and empirical evidence of security parity. A
potential concern remains the usual one for structured multivariate keys: the long-
term resistance to cryptanalysis must be validated. However, in the short term,
CyclicRainbow offers a compelling way to shrink key sizes for multivariate signatures,
which is highly valuable for implementations with limited storage (e.g. smartcards or
embedded devices). The scheme cleverly leverages the flexibility of the Rainbow con-
struction without altering its core security assumptions. Overall, the CyclicRainbow
method represents a significant step toward practical multivariate signatures in the
post-quantum era [9].

Acknowledgments. We thank Enrico Thomae and Christopher Wolf for the discussions
mentioned in the original paper [9].

References
[1] Laurent Bettale, Jean-Charles Faugère, and Lucas Perret, “A hybrid approach
for solving multivariate systems over finite fields,” J. Math. Cryptology, 2009.

[2] Olivier Billet and Hervé Gilbert, “Cryptanalysis of Rainbow,” in LNCS 4116,
Proc. SCN 2006, 2006, pp. 336–347.

[3] William Bosma, John Cannon, and Catherine Playoust, “The Magma algebra
system. I. The user language,” J. Symbolic Computation, vol. 24, no. 3–4, 1997.

[4] Daniel J. Bernstein, Johannes Buchmann, and Erik Dahmen (eds.), Post-
Quantum Cryptography, Springer, 2009.

[5] Joan Daemen and Dmitry Yakovlev, “An analysis of high-rank and low-rank
attacks on Rainbow,” IACR eprint 2008/563 (2008).

[6] Jintai Ding and Dieter Schmidt, “Rainbow, a new multivariate polynomial sig-
nature scheme,” in ACNS 2005, LNCS 3531, 2005, pp. 164–175.

[7] Jintai Ding and Dieter Schmidt, ibid. (the same work as [6]).

[8] Aviad Kipnis, Jacques Patarin, and Louis Goubin, "Unbalanced Oil and Vinegar
signature schemes," in EUROCRYPT 1999, LNCS 1592, 1999, pp. 206–222.

[9] Albrecht Petzoldt, Stanislav Bulygin, and Johannes Buchmann, "CyclicRainbow—
A multivariate signature scheme with a partially cyclic public key," in INDOCRYPT
2010, LNCS 6498, 2010, pp. 33–48.

[10] Albrecht Petzoldt, Stanislav Bulygin, and Johannes Buchmann, "A multivariate
signature scheme with a partially cyclic public key," in Proc. SCC 2010 (Second
International Conference on Symbolic Computation and Cryptography), 2010.

[11] Jean-Charles Faugère and Ludovic Perret, “On the complexity of computing the
rank of random matrices and the MinRank problem,” J. Symbolic Computation,
2009.
