 Hello everybody. My name is Rod Berlins and this is a short video from my paper Breaking Rainbow Takes a Weekend on a Laptop. So Rainbow is a digital signature scheme that was invented in 2005 by Ding and Schmidt and it's a variant of the older oil and vinegar signature scheme. I am mostly interested in this scheme because it was one of the three digital signature finalists of the NIST post quantum crypto project. The other two candidates being Dilithium and Falcon of course. One of the advantages of Rainbow is that it has small signatures for example 66 bytes for the security level one and it has good performance in terms of signing time and verification time but drawbacks are that the public keys are quite large for example 59 kilobytes and as it turns out that the scheme is not secure. So why is it not secure? That's what this video is all about. This work is not the first script analysis of Rainbow. We know about a lot of attacks like when Rainbow was first proposed we knew about oil and vinegar attacks and high rank attacks and then soon after people discovered two new attacks the min-rank attack and a rainbow band separation attack and then after 2008 the the crypt analysis situation seemed to have stabilized and there were no new attacks found. This was until Rainbow entered into the NIST competition and people started to look at Rainbow again. Then people found improvements for the for the min-rank attacks and namely they found better algorithms of solving for solving the min-rank problem and this translates to more efficient attacks on Rainbow but these attacks still didn't threaten the parameters that were submitted to NIST and also there was a better analysis of the rainbow band separation attack which reduced it didn't improve the complexity of the attack but improved our understanding of the attack but essentially so far no new attacks were found and this changed in 2021 when I gave a simplified formulation of Rainbow which is completely equivalent to the original Rainbow scheme but which doesn't make use of bases or coordinates it only talks about subspaces which is much more elegant and it makes it easier to to see what is really going on in the scheme which makes it easier to find new attacks of course. In this paper I found two new attacks that reduced the security level of Rainbow by 20 bits of security but the Rainbow team argued that Rainbow had enough security margin so it still met the security level one security level and then in this work based on the simplified formulation of Rainbow I found another attack which is much more efficient and it's even doable in practice for the round two security level one parameters and for higher security levels it also reduces the security level significantly. I'm only going to give a very high level of overview of the attack so basically the attack starts by guessing some vector x and then you hope that some event happens namely that the kernel of the differential at x contains some some vector in O2 which is a space that you're interested in then you solve some system for a vector in O2 if you have a solution then you're happy and then you can do a full key recovery very efficiently and otherwise you just try again with the different guess for x and it turns out that the probability that you'd make a good guess is quite large it's 1 in 15 and trying to solve the system takes roughly two and a half hours right so you have to repeat this 15 times on average which gives you an efficient attack it only takes 53 hours or one weekend on average so if you want more details then you should attend the full talk but for now let's move on to the conclusion so Rainbow is broken in practice at least around two security level one parameters it would be possible to move to higher parameters to save the scheme but this would be quite expensive and this would make rainbow more expensive than the oil and vinegar scheme on which rainbow is based and this wouldn't really make sense because originally the motivation of rainbow was to have some more efficient version of oil and vinegar but now because of these attacks it's no longer the case that rainbow is more efficient so we should just move back to the original oil and vinegar scheme which is much older and much simpler and easier to understand and crypto analyze so that's it thank you very much and I hope to see you at the full presentation