Abstract
Baldi et al. introduced in [BBC+13] a novel code-based signature scheme. We prove here that some of the bits of the signatures in this scheme are correlated, and that this allows an attack which recovers enough of the underlying secret structure to forge new signatures. This cryptanalysis was performed on the parameters devised for 80 bits of security and broke them with 100,000 signatures originating from the same secret key.
Notes
1. Here || stands for the concatenation of strings.
References
Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Using LDGM codes and sparse syndromes to achieve digital signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 1–15. Springer, Heidelberg (2013)
Barreto, P.S.L.M., Misoczki, R., Simplicio Jr., M.A.: One-time signature scheme from syndrome decoding over generic error-correcting codes. J. Syst. Softw. 84(2), 198–204 (2011)
Courtois, N.T., Finiasz, M., Sendrier, N.: How to achieve a McEliece-based digital signature scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 157–174. Springer, Heidelberg (2001)
Cayrel, P.-L., Otmani, A., Vergnaud, D.: On Kabatianskii-Krouk-Smeets signatures. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 237–251. Springer, Heidelberg (2007)
Faugère, J.-C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high rate McEliece cryptosystems. In: Proceedings of IEEE Information Theory Workshop (ITW 2011), pp. 282–286, Paraty, Brazil, October 2011
Faugère, J.-C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high rate McEliece cryptosystems. IEEE Trans. Inform. Theor. 59(10), 6830–6844 (2013)
Finiasz, M.: Parallel-CFS. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 159–170. Springer, Heidelberg (2011)
Zémor, G., Ruatta, O., Schrek, J., Gaborit, P.: RankSign: an efficient signature algorithm based on the rank metric. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 88–107. Springer, Heidelberg (2014)
Gligoroski, D., Samardjiska, S., Jacobsen, H., Bezzateev, S.: McEliece in the world of Escher. IACR Cryptology ePrint Archive, Report 2014/360 (2014). http://eprint.iacr.org/
Kabatianskii, G., Krouk, E., Smeets, B.: A digital signature scheme based on random error-correcting codes. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355. Springer, Heidelberg (1997)
Kabatianskii, G., Krouk, E., Smeets, B.J.M.: Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept. Wiley, New York (2005)
Löndahl, C., Johansson, T.: A new version of McEliece PKC based on convolutional codes. In: Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, pp. 461–470. Springer, Heidelberg (2012)
Landais, G., Sendrier, N.: Implementing CFS. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 474–488. Springer, Heidelberg (2012)
Landais, G., Tillich, J.-P.: An efficient attack of a McEliece cryptosystem variant based on convolutional codes. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 102–117. Springer, Heidelberg (2013)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes, 5th edn. North-Holland, Amsterdam (1986)
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theor. 15(2), 159–166 (1986)
Otmani, A., Tillich, J.-P.: An efficient attack on all concrete KKS proposals. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 98–116. Springer, Heidelberg (2011)
Acknowledgment
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions which were very helpful for improving the quality of the paper.
Appendices
Proof of Proposition 2
We first recall the proposition.
Proposition. Let \(X_1,X_2,X_3\) be independent Bernoulli variables such that \(\mathbf {prob}(X_i=1)=p_i\), and let \(\sigma _1 \mathop {=}\limits ^{\text {def}}X_1+X_3\) and \(\sigma _2 \mathop {=}\limits ^{\text {def}}X_2+X_3\). Then, if \(p_3 \notin \{0,1\}\) and \(p_1,p_2 \ne \frac{1}{2}\), \(\sigma _1\) and \(\sigma _2\) are correlated with
Proof
Let us compute the probability that \(\sigma _1\) and \(\sigma _2\) are both equal to 1. We have
On the other hand by using Proposition 1 we have
A straightforward computation now leads to
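As an added illustration (editor's example, not code from the paper), the following Python computes \(\mathbf{prob}(\sigma_1=1,\sigma_2=1)\) and the covariance of \(\sigma_1\) and \(\sigma_2\) exactly from the definitions above, taking the sums in \(\mathbb{F}_2\) (an assumption: the two bits share the common term \(X_3\)). The closed form \(p_3(1-p_3)(1-2p_1)(1-2p_2)\) it checks against is the editor's own derivation, not a formula quoted from the paper; it vanishes exactly when \(p_3 \in \{0,1\}\) or \(p_1 = \tfrac12\) or \(p_2 = \tfrac12\), the cases the proposition excludes.

```python
from fractions import Fraction
from itertools import product


def joint_prob(p1, p2, p3):
    """prob(sigma_1 = 1 and sigma_2 = 1), enumerating the 8 outcomes of (X_1, X_2, X_3).

    sigma_1 = X_1 + X_3 and sigma_2 = X_2 + X_3 with addition in F_2 (xor);
    X_3 is the term shared by the two bits."""
    probs = (p1, p2, p3)
    total = Fraction(0)
    for x in product((0, 1), repeat=3):
        weight = Fraction(1)
        for bit, p in zip(x, probs):
            weight *= p if bit else 1 - p
        sigma1, sigma2 = x[0] ^ x[2], x[1] ^ x[2]
        if sigma1 == 1 and sigma2 == 1:
            total += weight
    return total


def marginal_prob(pa, p3):
    """prob(X_a + X_3 = 1) for independent Bernoulli X_a and X_3."""
    return pa * (1 - p3) + (1 - pa) * p3


def covariance(p1, p2, p3):
    """Cov(sigma_1, sigma_2) = prob(both 1) - prob(sigma_1 = 1) * prob(sigma_2 = 1)."""
    return joint_prob(p1, p2, p3) - marginal_prob(p1, p3) * marginal_prob(p2, p3)


def closed_form(p1, p2, p3):
    """Editor's derivation: Cov = p3 (1 - p3) (1 - 2 p1) (1 - 2 p2).

    Zero exactly when p3 is 0 or 1, or p1 or p2 equals 1/2; otherwise the
    two bits are correlated, which is what the proposition states."""
    return p3 * (1 - p3) * (1 - 2 * p1) * (1 - 2 * p2)


def closed_form_matches(denominator=4):
    """Exact check on the grid p_i in {0, 1/d, ..., 1} that covariance == closed_form."""
    grid = [Fraction(k, denominator) for k in range(denominator + 1)]
    return all(covariance(a, b, c) == closed_form(a, b, c)
               for a, b, c in product(grid, repeat=3))


if __name__ == "__main__":
    p1, p2, p3 = Fraction(1, 10), Fraction(1, 5), Fraction(3, 10)
    print("covariance  =", covariance(p1, p2, p3))
    print("closed form =", closed_form(p1, p2, p3))
```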
Proof of Proposition 3
Before proving this proposition, it is convenient to recall the following ring isomorphism \(\varPsi \) between the ring \({\mathcal {M}}_p\) of circulant binary matrices of size \(p \times p\) and \(\mathbb {F}_2[X]/(1+X^p)\), which is given by
With this isomorphism we can view an \(r_0 p \times r_0 p\) binary matrix formed by circulant blocks of size \(p \times p\) as an \(r_0 \times r_0\) matrix over \(\mathbb {F}_2[X]/(1+X^p)\) by replacing each circulant block by its image under \(\varPsi \).
We will also use the following property of the subset \(C_p \mathop {=}\limits ^{\text {def}}\{0,1+X+\dots +X^{p-1}\}\) of \(\mathbb {F}_2[X]/(X^p-1)\).
Lemma 1
\(C_p\) is an ideal of \(\mathbb {F}_2[X]/(X^p-1)\).
Proof
This is just a straightforward use of the well-known theory of cyclic codes: \(1+X+\dots +X^{p-1}\) divides \(1+X^p\) and \(C_p\) is nothing but the cyclic code generated by \(1+X+\dots +X^{p-1}\), see [MS86] (it is in fact a way of viewing the repetition code as a cyclic code). From this theory it follows that \(C_p\) is an ideal of \(\mathbb {F}_2[X]/(X^p-1)\).
Proposition 3 can now be rephrased as
Proposition 4
Let \(M^\psi _{r_0 \times r_0}\) be the ring of \(r_0 \times r_0\) matrices over \(\mathbb {F}_2[X]/(X^p-1)\) and let \(A^\psi _{r_0 \times r_0}\) be the ring of \(r_0 \times r_0\) matrices over \(C_p\). Then \(A^\psi _{r_0 \times r_0}\) is a subring of \(M^\psi _{r_0 \times r_0}\) which is stable under multiplication.
The inverse of \(\varvec{Q}^\psi \) is of the form \((\varvec{T}^\psi )^{-1}+ \varvec{A}^\psi \) where \(\varvec{A}^\psi \) belongs to \(A^\psi _{r_0 \times r_0}\). Here, for a matrix \(\varvec{M}\) in \(A_{r_0 \times r_0}\), we denote by \(\varvec{M}^\psi \) the matrix obtained by replacing every circulant block \(\varvec{M}_{ij}\) by \(\psi (\varvec{M}_{ij})\).
Proof
The first part follows immediately from Lemma 1. \(\varvec{T}^\psi \) is invertible and therefore
We now use the first part of the proposition to deduce that \(\varvec{A}^\psi \mathop {=}\limits ^{\text {def}}(\varvec{T}^\psi )^{-1}\varvec{R}^\psi \) belongs to \(A^\psi _{r_0 \times r_0}\). It is now easy to prove that \((\varvec{I}+ \varvec{A}^\psi )^{-1} = \varvec{I}+\varvec{B}^\psi \) for some matrix \(\varvec{B}^\psi \) in \(A^\psi _{r_0 \times r_0}\). This follows immediately from the formula
where \(\varvec{C}\) is the cofactor matrix of \(\varvec{I}+\varvec{A}^\psi \), namely the matrix whose entry \(c_{ij}\) is the \((i,j)\)-minor, that is, the determinant of the \((r_0-1)\times (r_0-1)\) matrix obtained by deleting row i and column j of \(\varvec{I}+\varvec{A}^\psi \). Lemma 1 is used here to conclude that any product containing an element of \(C_p\) yields an element of \(C_p\). We also use the fact that any product of the form \((1+a)(1+b)\), where a and b belong to \(C_p\), is of the form \(1+c\) where c belongs to \(C_p\).
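As an added example (editor's code, not from the paper), the following Python models \(\mathbb{F}_2[X]/(X^p-1)\) with polynomials stored as p-bit integers and checks exhaustively, for small p, the three facts the proof above relies on: that \(\varPsi\) turns products of circulant matrices into products of polynomials, Lemma 1 (\(C_p\) is an ideal), and that \((1+a)(1+b)=1+c\) with a, b, c in \(C_p\).

```python
# Polynomials of F_2[X]/(X^p - 1) are p-bit ints: bit i is the coefficient of X^i.
# Psi^{-1} maps such a polynomial a to the p x p circulant matrix whose row i is X^i * a.

def shift(a, i, p):
    """X^i * a in F_2[X]/(X^p - 1): a cyclic rotation of the p coefficient bits."""
    mask = (1 << p) - 1
    return ((a << i) | (a >> (p - i))) & mask

def mul_mod(a, b, p):
    """Product a * b in F_2[X]/(X^p - 1)."""
    res = 0
    for i in range(p):
        if (a >> i) & 1:
            res ^= shift(b, i, p)
    return res

def circulant(a, p):
    """Psi^{-1}(a): rows stored as ints, bit j of row i being entry (i, j)."""
    return [shift(a, i, p) for i in range(p)]

def mat_mul(A, B, p):
    """Product of p x p binary matrices over F_2: row i of AB is the xor of rows j of B with A_ij = 1."""
    out = []
    for row in A:
        acc = 0
        for j in range(p):
            if (row >> j) & 1:
                acc ^= B[j]
        out.append(acc)
    return out

def all_ones(p):
    """1 + X + ... + X^{p-1}, the non-zero element of C_p."""
    return (1 << p) - 1

def psi_is_multiplicative(p):
    """Psi(AB) = Psi(A) Psi(B) for every pair of circulant matrices (exhaustive check)."""
    return all(mat_mul(circulant(a, p), circulant(b, p), p) == circulant(mul_mod(a, b, p), p)
               for a in range(1 << p) for b in range(1 << p))

def c_p_is_ideal(p):
    """Lemma 1: a * j stays in C_p = {0, j} for every ring element a.
    Since X^i * j = j, the product a * j is j when a has odd weight and 0 otherwise."""
    j = all_ones(p)
    return all(mul_mod(a, j, p) == (j if bin(a).count("1") % 2 else 0) for a in range(1 << p))

def one_plus_cp_closed(p):
    """(1 + a)(1 + b) = 1 + c with c in C_p whenever a, b are in C_p (the fact used above)."""
    cp = (0, all_ones(p))
    return all((mul_mod(1 ^ a, 1 ^ b, p) ^ 1) in cp for a in cp for b in cp)
```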
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Phesso, A., Tillich, JP. (2016). An Efficient Attack on a Code-Based Signature Scheme. In: Takagi, T. (eds) Post-Quantum Cryptography. PQCrypto 2016. Lecture Notes in Computer Science(), vol 9606. Springer, Cham. https://doi.org/10.1007/978-3-319-29360-8_7
DOI: https://doi.org/10.1007/978-3-319-29360-8_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29359-2
Online ISBN: 978-3-319-29360-8