
In UOV schemes, I understand that you need to choose a secret subspace $O \in \mathbb{F}_q^n$ such that $P(\mathbf{o}) = 0$ for all $\mathbf{o} \in O$. According to the paper Improved cryptanalysis of UOV and Rainbow, this is typically done by choosing the central map

$$\mathcal{F}: \mathbb{F}_q^{n} \rightarrow \mathbb{F}_q^{m}$$

whose components $f_1, \dots, f_m$ are chosen uniformly at random of the form: $$f_i(x) = \sum_{i=1}^n \sum_{j=i}^{n-m} \alpha_{i,j} x_i x_j$$ which means that secret oil space $O$ consists of the vectors whose first $n-m$ entries are zero.

In Mayo, the paper says that the secret oil space is generated as the row space of a random matrix $\mathbf{O} I_o \in \mathbb{F}_q^{o \times n}$. I am having trouble understanding that notation: Is the matrix concatenated with $I_o$ or multiplied with $I_o$? If so, is this equivalent to choosing vectors whose first $n-m$ entries are zero?

1 Answer


To quote Mayo's paper:

To generate a key-pair, a user first chooses a random oilspace by sampling a uniformly random $o$-by-$(n−o)$ matrix $\mathbf{O}$, and letting $O$ be the rowspace of $(\mathbf{O} I_o)$, where $I_o$ is the identity matrix of size $o$.

So the oilspace $O$ is the set of linear combinations of the rows of $(\mathbf{O} I_o)$. In Mayo, the oil-space has dimension $o$ and length $n$, so for the rowspace of $(\mathbf{O} I_o)$ to be an $o$-dimensional subspace of $\mathbb{F}_q^n$, you'd need $(\mathbf{O} I_o)\in \mathbb{F}_q^{o\times n}$. This only works if you treat this as matrix concatenation. The reason why you concatenate by $I_o$ is so that the rows are all pairwise linearly independent (i.e. the rows of $(\mathbf{O} I_o)$ form a basis of $O$, and $\dim(O)=o$).

The matrix multiplication wouldn't work since $\mathbf{O}\in\mathbb{F}_q^{o\times(n-o)}$ and $I_o\in \mathbb{F}_q^{o\times o}$, and it is not always the case that $n-o = o$.

If so, is this equivalent to choosing vectors whose first $n-m$ entries are zero?

If you take $m=o$, it would be equivalent to choosing a random 'standard' basis of the $m$-dimensional subspace of $\mathbb{F}_q^n$: $$(*,\ldots,*,1,0,\ldots,0)$$ $$(*,\ldots,*,0,1,\ldots,0)$$ $$\ldots$$ $$(*,\ldots,*,0,0,\ldots,1)$$ where the first $(n-m)$ entries indicated by $*$ are uniformly sampled.

Lev
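The concatenation-versus-multiplication point in the answer can be checked in a few lines. The following is an added example, not code from the question, the answer or the MAYO project: it builds $(\mathbf{O} \mid I_o)$ over a toy prime field (MAYO itself works over $\mathbb{F}_{16}$; a prime modulus keeps the arithmetic plain), checks that the rows span an $o$-dimensional space, shows that the product $\mathbf{O} I_o$ is only even defined when $n-o=o$, and then builds a quadratic form in the block shape $\begin{pmatrix} P_1 & P_2 \\ 0 & P_3\end{pmatrix}$ with $P_3$ chosen to cancel the $\mathbf{O}$-dependent terms, so that the form vanishes on every vector $(\mathbf{y}\mathbf{O},\ \mathbf{y})$ of the oil space. The field size, dimensions and all helper names (`concat_with_identity`, `quadratic_form_vanishing_on`, `verify_oil_space`) are assumptions made for this example.

```python
# Added example (not from the question, the answer or MAYO): oil space as rowspace(O | I_o).
# Assumptions: q is a small prime (MAYO uses GF(16); a prime field keeps arithmetic simple),
# and n, o are toy dimensions, not real MAYO parameters.
import random

q = 7          # toy prime field F_q (constructed for this example)
n, o = 8, 3    # toy sizes: oil space has dimension o inside F_q^n; v = n - o is the vinegar count

def concat_with_identity(O_mat, o):
    """Return the o x n matrix (O | I_o): row r of O gets the r-th unit vector of length o appended."""
    return [row + [1 if r == c else 0 for c in range(o)] for r, row in enumerate(O_mat)]

def matmul(A, B, q):
    """Ordinary matrix product over F_q; raises on a shape mismatch (the 'multiply by I_o' reading)."""
    if len(A[0]) != len(B):
        raise ValueError(f"shape mismatch: {len(A)}x{len(A[0])} times {len(B)}x{len(B[0])}")
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def transpose(A):
    return [list(c) for c in zip(*A)]

def rank_mod_q(M, q):
    """Rank over F_q by Gaussian elimination mod q."""
    A = [row[:] for row in M]
    rank = 0
    for c in range(len(A[0])):
        pivot = next((r for r in range(rank, len(A)) if A[r][c] % q), None)
        if pivot is None:
            continue
        A[rank], A[pivot] = A[pivot], A[rank]
        inv = pow(A[rank][c], -1, q)
        A[rank] = [(x * inv) % q for x in A[rank]]
        for r in range(len(A)):
            if r != rank and A[r][c] % q:
                f = A[r][c]
                A[r] = [(a - f * b) % q for a, b in zip(A[r], A[rank])]
        rank += 1
    return rank

def span_vector(basis, coeffs, q):
    """y * (O | I_o): an element of the oil space, equal to (y O, y)."""
    return [sum(c * row[j] for c, row in zip(coeffs, basis)) % q for j in range(len(basis[0]))]

def upper(M, q):
    """Upper-triangular matrix with the same quadratic form x^T M x (fold M_ji into M_ij for i<j)."""
    k = len(M)
    return [[(M[i][j] + M[j][i]) % q if i < j else (M[i][i] % q if i == j else 0)
             for j in range(k)] for i in range(k)]

def eval_form(P, x, q):
    """Quadratic form x^T P x over F_q."""
    return sum(x[i] * P[i][j] * x[j] for i in range(len(x)) for j in range(len(x))) % q

def quadratic_form_vanishing_on(O_mat, n, o, q, rng):
    """Random upper-triangular P = [[P1, P2], [0, P3]] with P3 = Upper(-(O P1 O^T + O P2)).
    For x = (y O, y):  x^T P x = y (O P1 O^T + O P2 + P3) y^T = 0, so P vanishes on the oil space."""
    v = n - o
    P1 = [[rng.randrange(q) if j >= i else 0 for j in range(v)] for i in range(v)]
    P2 = [[rng.randrange(q) for _ in range(o)] for _ in range(v)]
    M = matmul(matmul(O_mat, P1, q), transpose(O_mat), q)       # O P1 O^T  (o x o)
    M2 = matmul(O_mat, P2, q)                                    # O P2      (o x o)
    P3 = upper([[(-(a + b)) % q for a, b in zip(r1, r2)] for r1, r2 in zip(M, M2)], q)
    return [p1 + p2 for p1, p2 in zip(P1, P2)] + [[0] * v + p3 for p3 in P3]

def verify_oil_space(n, o, q, seed=1, trials=20):
    """Sample O, form (O | I_o), and return (dim of its rowspace, whether P vanishes on random oil vectors)."""
    rng = random.Random(seed)
    O_mat = [[rng.randrange(q) for _ in range(n - o)] for _ in range(o)]   # o x (n-o), as in the quote
    basis = concat_with_identity(O_mat, o)                                  # o x n
    P = quadratic_form_vanishing_on(O_mat, n, o, q, rng)
    all_zero = all(eval_form(P, span_vector(basis, [rng.randrange(q) for _ in range(o)], q), q) == 0
                   for _ in range(trials))
    return rank_mod_q(basis, q), all_zero

if __name__ == "__main__":
    print(verify_oil_space(n, o, q))                     # (3, True): dim O = o, form vanishes on O
    try:
        matmul([[1] * (n - o)] * o, [[1] * o] * o, q)    # o x (n-o) times o x o: undefined unless n-o = o
    except ValueError as e:
        print("product O * I_o:", e)
```

Each row of `concat_with_identity` has the shape $(*,\ldots,*,0,\ldots,1,\ldots,0)$ from the answer, and the identity block is what forces the rank to be exactly $o$ whatever $\mathbf{O}$ is sampled; the `matmul` call in the `__main__` block fails for the toy sizes because $n-o = 5 \neq 3 = o$, which is the dimension argument in the answer made concrete.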