Cryptanalysis of a code-based full-time signature
Designs, Codes and Cryptography (IF 1.4), Pub Date: 2021-07-12, DOI: 10.1007/s10623-021-00902-7
Nicolas Aragon (1), Marco Baldi (2), Paolo Santini (2), Jean-Christophe Deneuville (3), Karan Khathuria (4), Edoardo Persichetti (5)

We present an attack against a code-based signature scheme based on the Lyubashevsky protocol that was recently proposed by Song, Huang, Mu, Wu and Wang (SHMWW). The private key in the SHMWW scheme contains columns coming in part from an identity matrix and in part from a random matrix. The existence of these two types of columns leads to a strong bias in the distribution of set bits in the produced signatures. Our attack exploits this bias to recover the private key from a set of collected signatures. We provide a theoretical analysis of the attack along with experimental evaluations, and we show that collecting as few as 10 signatures is enough to successfully recover the private key. As with previous attempts to adapt Lyubashevsky's protocol to code-based cryptography, the SHMWW scheme is thus shown to be unable to provide acceptable security. This confirms that devising secure code-based signature schemes with efficiency comparable to that of other post-quantum solutions (e.g., lattice-based ones) is still a challenging task.



Updated: 2021-07-12