
Cryptanalysis of a code-based one-time signature

Published in: Designs, Codes and Cryptography

Abstract

In 2012, Lyubashevsky introduced a new framework for building lattice-based signature schemes without resorting to any trapdoor [such as Gentry C, Peikert C, Vaikuntanathan V, in: Ladner and Dwork (eds) 40th ACM STOC, ACM Press, Victoria, pp. 197–206, 2008 or Hoffstein J, Pipher J, Silverman JH in: Pfitzmann (ed) EUROCRYPT 2001. LNCS, vol. 2045, pp 211–228, Springer, Heidelberg, 2001]. The idea is to sample a set of short lattice elements and construct the public key as a Short Integer Solution (SIS for short) instance. Signatures are obtained using a small subset sum of the secret key, hidden by a (large) Gaussian mask. (Information leakage is dealt with using rejection sampling.) Recently, Persichetti proposed an efficient adaptation of this framework to coding theory (Persichetti E in Cryptography 2(4):30, 2018). In this paper, we show that this adaptation cannot be secure, even for one-time signatures (OTS), due to an inherent difference between bounds in Hamming and Euclidean metrics. The attack consists of rewriting a signature as a noisy syndrome decoding problem, which can be handled efficiently using the extended bit flipping decoding algorithm. We illustrate our results by breaking Persichetti’s OTS scheme built upon this approach (Persichetti 2018): using a single signature, we recover the secret (signing) key in about the same amount of time as required for a couple of signature verifications.
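The decoding primitive the abstract names, bit flipping syndrome decoding over a sparse parity-check matrix (Gallager's algorithm, reference [6]), is illustrated below as an added example. This is not code from the paper, and it does not reproduce the paper's rewriting of a signature into a decoding instance or the "extended" variant the authors use; it only shows how a low-weight error e is recovered from its syndrome s = H·e (mod 2) when H is sparse. The parity-check matrix H_COLUMNS, the error vector and the syndrome are constructed toy values, not parameters of any real scheme.

```python
"""Gallager-style bit flipping syndrome decoder on a toy sparse parity-check matrix.

Added example (not code from the paper or from Persichetti's scheme): it
demonstrates recovering a low-weight error vector e from its syndrome
s = H * e (mod 2) when H is sparse. The matrix, the error and the syndrome
below are all constructed toy values; no parameters of the real schemes are used.
"""

# Constructed toy parity-check matrix H (6 rows, 8 columns), stored column-wise
# as the set of rows in which each column has a 1. Every column has weight 2 and
# any two columns share at most one row, which is what lets bit flipping
# separate the true error positions from the others on this toy instance.
H_COLUMNS = [
    {0, 1},  # column 0
    {2, 3},  # column 1
    {0, 4},  # column 2
    {1, 5},  # column 3
    {2, 4},  # column 4
    {3, 5},  # column 5
    {4, 5},  # column 6
    {0, 5},  # column 7
]
N_ROWS = 6


def syndrome(h_columns, error):
    """Return H*e mod 2 as the set of unsatisfied check (row) indices."""
    unsatisfied = set()
    for j, bit in enumerate(error):
        if bit:
            unsatisfied ^= h_columns[j]  # symmetric difference == XOR of columns
    return unsatisfied


def bit_flip_decode(h_columns, target_syndrome, max_iters=20):
    """Recover a low-weight error e with H*e == target_syndrome.

    Each round counts, for every position j, how many currently unsatisfied
    checks involve j (the 'counter' of Gallager's algorithm), flips every
    position attaining the maximum counter, and updates the residual
    syndrome. Returns the error vector as a list of bits, or None if the
    residual syndrome cannot be cleared within max_iters rounds.
    """
    n = len(h_columns)
    estimate = [0] * n
    residual = set(target_syndrome)
    for _ in range(max_iters):
        if not residual:
            return estimate
        counters = [len(h_columns[j] & residual) for j in range(n)]
        best = max(counters)
        if best == 0:
            break  # residual is non-zero but no column touches it: give up
        for j in range(n):
            if counters[j] == best:
                estimate[j] ^= 1          # flip the bit
                residual ^= h_columns[j]  # and fold its column into the residual
    return estimate if not residual else None


def demo():
    """Encode a constructed weight-2 error into a syndrome and decode it back."""
    error = [1, 1, 0, 0, 0, 0, 0, 0]  # constructed error on columns 0 and 1
    s = syndrome(H_COLUMNS, error)     # -> {0, 1, 2, 3}
    decoded = bit_flip_decode(H_COLUMNS, s)
    return error, s, decoded


if __name__ == "__main__":
    e, s, d = demo()
    print("error   :", e)
    print("syndrome:", sorted(s))
    print("decoded :", d)
```

On this instance the two true positions each meet two unsatisfied checks while every other column meets at most one, so a single flipping round clears the syndrome. Real MDPC-style codes use much larger, random sparse matrices and several rounds, but the counter-and-flip loop is the same.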


Notes

  1. See https://csrc.nist.gov/projects/post-quantum-cryptography.

References

  1. Aguilar Melchor C., Blazy O., Deneuville J.-C., Gaborit P., Zémor G.: Efficient encryption from random quasi-cyclic codes. IEEE Trans. Inf. Theory 64(5), 3927–3943 (2018).


  2. Berlekamp E.R., McEliece R.J., van Tilborg H.C.A.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978).


  3. Bernstein D.J., Hülsing A., Lange T., Lorenz P.: OFFICIAL COMMENT: RaCoSS. Official comments about NIST PQC submissions, December 2017.

  4. Deneuville J.-C., Gaborit P., Zémor G.: Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory. In: International Workshop on Post-Quantum Cryptography. Springer, Cham, pp. 18–34 (2017).

  5. Fukushima K., Roy P.S., Xu R., Kiyomoto S., Morozov K., Takagi T.: RaCoSS: Random code-based signature scheme. Submission to NIST post-quantum standardization process, November 2017.

  6. Gallager R.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21–28 (1962).


  7. Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner R.E., Dwork C. (eds.) 40th ACM STOC. ACM Press, Victoria, pp. 197–206 (2008).

  8. Hoffstein J., Pipher J., Silverman J.H.: NSS: an NTRU lattice-based signature scheme. In Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045. Springer, Heidelberg, pp. 211–228 (2001).

  9. Lyubashevsky V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237. Springer, Heidelberg, pp. 738–755 (2012).

  10. Misoczki R., Tillich J.-P., Sendrier N., Barreto P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory Proceedings (ISIT), pp. 2069–2073 (2013).

  11. Persichetti E.: Efficient one-time signatures from quasi-cyclic codes: a full treatment. Cryptography 2(4), 30 (2018).


  12. Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000).


  13. Roy P.S., Morozov K., Fukushima K., Kiyomoto S., Takagi T.: Code-based signature scheme without trapdoors. IEICE Tech. Rep., vol. 118, no. 151, ISEC2018-15, pp. 17–22, July 2018. https://www.ieice.org/ken/paper/20180725L1FF/eng/.

  14. Santini P., Baldi M., Chiaraluce F.: Cryptanalysis of a one-time code-based digital signature scheme. In: 2019 IEEE International Symposium on Information Theory (ISIT), pp. 2594–2598 (2019).

  15. Xagawa K.: Practical attack on RaCoSS-R. Cryptology ePrint Archive. Report 2018/831 (2018). https://eprint.iacr.org/2018/831.


Acknowledgements

The authors are grateful to the WCC 2019 and DCC reviewers for their careful reading and relevant comments that helped improve the quality of the present work.

Author information

Corresponding author

Correspondence to Jean-Christophe Deneuville.

Additional information


The first version of this work [30] was presented in the “Eleventh International Workshop on Coding and Cryptography (WCC 2019)”.

This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Coding and Cryptography 2019”.


Cite this article

Deneuville, JC., Gaborit, P. Cryptanalysis of a code-based one-time signature. Des. Codes Cryptogr. 88, 1857–1866 (2020). https://doi.org/10.1007/s10623-020-00737-8
