An Efficient Attack on a Code-Based Signature Scheme

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9606)

Abstract

Baldi et al. introduced in [BBC+13] a novel code-based signature scheme. However, we prove here that some of the bits of the signatures in this scheme are correlated, and that this allows an attack which recovers enough of the underlying secret structure to forge new signatures. This cryptanalysis was performed on the parameters devised for 80 bits of security and broke them with 100,000 signatures originating from the same secret key.

Notes

  1. Here || stands for the concatenation of strings.

References

  1. Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Using LDGM codes and sparse syndromes to achieve digital signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 1–15. Springer, Heidelberg (2013)

  2. Barreto, P.S.L.M., Misoczki, R., Simplicio Jr., M.A.: One-time signature scheme from syndrome decoding over generic error-correcting codes. J. Syst. Softw. 84(2), 198–204 (2011)

  3. Courtois, N.T., Finiasz, M., Sendrier, N.: How to achieve a McEliece-based digital signature scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 157–174. Springer, Heidelberg (2001)

  4. Cayrel, P.-L., Otmani, A., Vergnaud, D.: On Kabatianskii-Krouk-Smeets signatures. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 237–251. Springer, Heidelberg (2007)

  5. Faugère, J.-C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high rate McEliece cryptosystems. In: Proceedings of IEEE Information Theory Workshop (ITW 2011), pp. 282–286, Paraty, Brasil, October 2011

  6. Faugère, J.-C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high rate McEliece cryptosystems. IEEE Trans. Inform. Theor. 59(10), 6830–6844 (2013)

  7. Finiasz, M.: Parallel-CFS. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 159–170. Springer, Heidelberg (2011)

  8. Zémor, G., Ruatta, O., Schrek, J., Gaborit, P.: RankSign: an efficient signature algorithm based on the rank metric. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 88–107. Springer, Heidelberg (2014)

  9. Gligoroski, D., Samardjiska, S., Jacobsen, H., Bezzateev, S.: McEliece in the world of Escher. IACR Cryptology ePrint Archive, Report 2014/360 (2014). http://eprint.iacr.org/

  10. Kabatianskii, G., Krouk, E., Smeets, B.: A digital signature scheme based on random error-correcting codes. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355. Springer, Heidelberg (1997)

  11. Kabatianskii, G., Krouk, E., Smeets, B.J.M.: Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept. Wiley, New York (2005)

  12. Löndahl, C., Johansson, T.: A new version of McEliece PKC based on convolutional codes. In: Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, pp. 461–470. Springer, Heidelberg (2012)

  13. Landais, G., Sendrier, N.: Implementing CFS. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 474–488. Springer, Heidelberg (2012)

  14. Landais, G., Tillich, J.-P.: An efficient attack of a McEliece cryptosystem variant based on convolutional codes. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 102–117. Springer, Heidelberg (2013)

  15. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)

  16. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes, 5th edn. North-Holland, Amsterdam (1986)

  17. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theor. 15(2), 159–166 (1986)

  18. Otmani, A., Tillich, J.-P.: An efficient attack on all concrete KKS proposals. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 98–116. Springer, Heidelberg (2011)

Acknowledgment

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions which were very helpful for improving the quality of the paper.

Corresponding author

Correspondence to Jean-Pierre Tillich.

Appendices

Proof of Proposition 2

We first recall this proposition.

Proposition. Let \(X_1,X_2,X_3\) be independent Bernoulli variables such that \(\mathbf {prob}(X_i=1)=p_i\), \(\sigma _1 \mathop {=}\limits ^{\text {def}}X_1+X_3\) and \(\sigma _2 \mathop {=}\limits ^{\text {def}}X_2+X_3\). Then if \(p_3 \notin \{0,1\}\) and \(p_1,p_2 \ne \frac{1}{2}\), we have that \(\sigma _1\) and \(\sigma _2\) are correlated with

$$\begin{aligned} {{\mathrm{Cov}}}(\sigma _1,\sigma _2) \mathop {=}\limits ^{\text {def}}\mathbb {E}(\sigma _1 \sigma _2) - \mathbb {E}(\sigma _1)\mathbb {E}(\sigma _2) = p_3(1-p_3)(1-2p_1)(1-2p_2). \end{aligned}$$

Proof

Let us compute the probability that \(\sigma _1\) and \(\sigma _2\) are both equal to 1. We have

$$\begin{aligned} \mathbf {prob}(\sigma _1=1,\sigma _2=1)= & {} \mathbf {prob}(X_3=1)\mathbf {prob}(X_1=0)\mathbf {prob}(X_2=0)\\&+\,\mathbf {prob}(X_3=0)\mathbf {prob}(X_1=1)\mathbf {prob}(X_2=1) \\= & {} p_3(1-p_1)(1-p_2) + (1-p_3)p_1p_2 \end{aligned}$$

On the other hand by using Proposition 1 we have

$$\begin{aligned} \mathbf {prob}(\sigma _1=1)= & {} p_1+p_3 - 2p_1p_3\\ \mathbf {prob}(\sigma _2=1)= & {} p_2+p_3 - 2p_2p_3 \end{aligned}$$

A straightforward computation now leads to

$$\begin{aligned} {{\mathrm{Cov}}}(\sigma _1,\sigma _2)= & {} \mathbf {prob}(\sigma _1=1,\sigma _2=1)-\mathbf {prob}(\sigma _1=1)\mathbf {prob}(\sigma _2=1)\\= & {} p_3(1-p_1)(1-p_2) + (1-p_3)p_1p_2\\&-(p_1+p_3-2p_1p_3)(p_2+p_3-2p_2p_3)\\= & {} p_3\left[ (1-p_1)(1-p_2)-p_1p_2-(1-2p_1)p_2-(1-2p_2)p_1\right. \\&\quad \left. -(1-2p_1)(1-2p_2)p_3\right] +p_1p_2-p_1p_2\\= & {} p_3\left[ 1-p_1-p_2+p_1p_2-p_1p_2-p_2+2p_1p_2-p_1\right. \\&\quad \left. +2p_1p_2 -(1-2p_1)(1-2p_2)p_3\right] \\= & {} p_3\left[ 1-2p_1-2p_2+4p_1p_2-(1-2p_1)(1-2p_2)p_3\right] \\= & {} p_3\left[ (1-2p_1)(1-2p_2)-(1-2p_1)(1-2p_2)p_3 \right] \\= & {} p_3(1-p_3)(1-2p_1)(1-2p_2) \end{aligned}$$
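The covariance of Proposition 2 can be checked numerically. The following Python is an added example, not code from the paper: it enumerates the joint distribution of the three independent Bernoulli variables to compute \(\mathrm{Cov}(\sigma_1,\sigma_2)\) exactly, compares it with the closed form, and estimates the same covariance from a constructed sample of \((\sigma_1,\sigma_2)\) pairs, as one would when testing whether a scheme's output bits leak a correlation. Function names are my own.

```python
from itertools import product
import random

def xor_cov(p1, p2, p3):
    """Exact Cov(sigma_1, sigma_2) for sigma_1 = X_1 + X_3 and sigma_2 = X_2 + X_3
    (sums in F_2), by enumerating the eight outcomes of the independent triple."""
    probs = (p1, p2, p3)
    e1 = e2 = e12 = 0.0
    for bits in product((0, 1), repeat=3):
        weight = 1.0
        for x, p in zip(bits, probs):
            weight *= p if x else 1 - p      # independence: joint prob is the product
        s1, s2 = bits[0] ^ bits[2], bits[1] ^ bits[2]
        e1 += weight * s1
        e2 += weight * s2
        e12 += weight * s1 * s2
    return e12 - e1 * e2

def closed_form(p1, p2, p3):
    """Right-hand side of Proposition 2."""
    return p3 * (1 - p3) * (1 - 2 * p1) * (1 - 2 * p2)

def prob_sigma_one(p_a, p3):
    """Proposition 1 as used in the proof: prob(X_a + X_3 = 1) = p_a + p_3 - 2 p_a p_3."""
    return p_a + p3 - 2 * p_a * p3

def empirical_cov(pairs):
    """Sample covariance of observed (sigma_1, sigma_2) bit pairs."""
    n = len(pairs)
    m1 = sum(s1 for s1, _ in pairs) / n
    m2 = sum(s2 for _, s2 in pairs) / n
    return sum(s1 * s2 for s1, s2 in pairs) / n - m1 * m2

def sample_pairs(p1, p2, p3, n, seed=1):
    """Constructed sample: n independent draws of (sigma_1, sigma_2) (not real signature data)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        x1, x2, x3 = rng.random() < p1, rng.random() < p2, rng.random() < p3
        out.append((int(x1 ^ x3), int(x2 ^ x3)))
    return out
```

With \(p_1 = 0.1, p_2 = 0.2, p_3 = 0.3\) both the enumeration and the closed form give 0.1008, and the estimate from a sample of a few hundred thousand pairs lands within a few thousandths of it.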

Proof of Proposition 3

Before we prove this proposition it will be very convenient to recall the following ring isomorphism \(\varPsi \) between the ring of circulant binary matrices \({\mathcal {M}}_p\) of size \(p \times p\) and \(\mathbb {F}_2[X]/(1+X^p)\) which is given by

$$\begin{aligned} \varPsi : {\mathcal {M}}_p\rightarrow & {} \mathbb {F}_2[X]/(1+X^p)\\ \begin{pmatrix} a_0 &{} a_1 &{} \dots &{} a_{p-1} \\ a_{p-1} &{} a_0 &{} \dots &{} a_{p-2}\\ \dots &{} \dots &{} \ddots &{} \dots \\ a_1 &{} a_2 &{} \dots &{} a_0 \end{pmatrix}\mapsto & {} a_0 + a_1 X + \dots + a_{p-1}X^{p-1} \end{aligned}$$

With this isomorphism we can view an \(r_0 p \times r_0 p\) binary matrix formed by circulant blocks of size \(p \times p\) as an \(r_0 \times r_0\) matrix over \(\mathbb {F}_2[X]/(1+X^p)\) by replacing each circulant block by its image under the isomorphism \(\varPsi \).

We will also use the following property of the set \(C_p \mathop {=}\limits ^{\text {def}}\{0,1+X+\dots +X^{p-1}\}\) of \(\mathbb {F}_2[X]/(X^p-1)\).

Lemma 1

\(C_p\) is an ideal of \(\mathbb {F}_2[X]/(X^p-1)\).

Proof

This is just a straightforward use of the well-known theory of cyclic codes: \(1+X+\dots +X^{p-1}\) divides \(1+X^p\) and \(C_p\) is nothing but the cyclic code generated by \(1+X+\dots +X^{p-1}\), see [MS86] (it is in fact a way of viewing the repetition code as a cyclic code). From this theory it follows that \(C_p\) is an ideal of \(\mathbb {F}_2[X]/(X^p-1)\).

Proposition 3 can now be rephrased as

Proposition 4

Let \(M^\psi _{r_0 \times r_0}\) be the ring of \(r_0 \times r_0\) matrices over \(\mathbb {F}_2[X]/(X^p-1)\) and let \(A^\psi _{r_0 \times r_0}\) be the ring of \(r_0 \times r_0\) matrices over \(C_p\). \(A^\psi _{r_0 \times r_0}\) is a subring of \(M^\psi _{r_0 \times r_0}\) which is stable by multiplication

$$\begin{aligned} A^\psi _{r_0 \times r_0}M^\psi _{r_0 \times r_0}= M^\psi _{r_0 \times r_0}A^\psi _{r_0 \times r_0}=A^\psi _{r_0 \times r_0}. \end{aligned}$$

The inverse of \(\varvec{Q}^\psi \) is of the form \((\varvec{T}^\psi )^{-1}+ \varvec{A}^\psi \) where \(\varvec{A}\) belongs to \(A^\psi _{r_0 \times r_0}\), where we denote for a matrix \(\varvec{M}\) in \(A_{r_0 \times r_0}\) by \(\varvec{M}^\psi \) the matrix where we have replaced every circulant block \(\varvec{M}_{ij}\) by \(\psi (\varvec{M}_{ij})\).

Proof

The first part follows immediately from Lemma 1. \(T^\psi \) is invertible and therefore

$$\begin{aligned} (\varvec{Q}^\psi )^{-1}= & {} (\varvec{T}^\psi + \varvec{R}^\psi )^{-1} \\= & {} (\varvec{T}^\psi )^{-1} (\varvec{I}+(\varvec{T}^\psi )^{-1}\varvec{R}^\psi )^{-1} \end{aligned}$$

We now use the first part of the proposition to deduce that \(\varvec{A}^\varPsi \mathop {=}\limits ^{\text {def}}(\varvec{T}^\psi )^{-1}\varvec{R}^\psi \) belongs to \(A^\psi _{r_0 \times r_0}\). Now it is easy to prove that \((\varvec{I}+ \varvec{A}^\varPsi )^{-1} = \varvec{I}+\varvec{B}^\varPsi \) for some matrix \(\varvec{B}^\varPsi \) in \(A^\varPsi _{r_0 \times r_0}\). This follows immediately from the formula

$$\begin{aligned} (\varvec{I}+ \varvec{A}^\varPsi )^{-1} = \frac{1}{\det (\varvec{I}+\varvec{A}^\psi ) }\varvec{C}^T \end{aligned}$$

where \(\varvec{C}\) is the cofactor matrix of \(\varvec{I}+\varvec{A}^\varPsi \), namely the matrix where the entry \(c_{ij}\) is equal to the (i,j)-minor, that is the determinant of the \((r_0-1)\times (r_0-1)\) matrix that results from deleting row i and column j of \(\varvec{I}+\varvec{A}^\varPsi \). Here Lemma 1 is used to conclude that any product that contains an element of \(C_p\) yields an element in \(C_p\). We also use the fact that any product of the form \((1+a)(1+b)\) where a and b belong to \(C_p\) is of the form \(1+c\) where c belongs to \(C_p\).
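The isomorphism \(\varPsi \), Lemma 1 and the closing fact of the proof above can be checked exhaustively for small p. The Python below is an added example, not code from the paper: polynomials in \(\mathbb {F}_2[X]/(X^p-1)\) are stored as coefficient lists, circulant matrices as lists of rows, and the function names are my own.

```python
from itertools import product

def circulant(first_row):
    """Binary circulant p x p matrix: row i is first_row rotated right by i positions."""
    p = len(first_row)
    return [[first_row[(j - i) % p] for j in range(p)] for i in range(p)]

def psi(mat):
    """Psi(M) = a_0 + a_1 X + ... + a_{p-1} X^{p-1}, stored as its coefficient list (first row)."""
    return list(mat[0])

def matmul_f2(a, b):
    """Matrix product over F_2."""
    n = len(a)
    return [[sum(a[i][k] & b[k][j] for k in range(n)) % 2 for j in range(n)] for i in range(n)]

def polymul_mod(a, b):
    """Product in F_2[X]/(X^p - 1): exponents wrap around modulo p."""
    p = len(a)
    c = [0] * p
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % p] ^= bj
    return c

def psi_is_ring_hom(p):
    """Psi(A B) == Psi(A) Psi(B) for every pair of circulant p x p binary matrices."""
    return all(psi(matmul_f2(circulant(a), circulant(b))) == polymul_mod(list(a), list(b))
               for a, b in product(product((0, 1), repeat=p), repeat=2))

def in_Cp(poly):
    """C_p = {0, 1 + X + ... + X^{p-1}}: the all-zero or the all-one coefficient vector."""
    return len(set(poly)) == 1

def Cp_is_ideal(p):
    """Lemma 1: the all-ones polynomial times any ring element lands in C_p
    (it is 0 when the multiplier has even weight, all-ones when it has odd weight)."""
    ones = [1] * p
    return all(in_Cp(polymul_mod(ones, list(f))) for f in product((0, 1), repeat=p))

def one_plus_Cp_closed(p):
    """(1 + a)(1 + b) with a, b in C_p is again 1 + c with c in C_p (used in the proof above)."""
    one, zero, ones = [1] + [0] * (p - 1), [0] * p, [1] * p
    add = lambda u, v: [x ^ y for x, y in zip(u, v)]
    return all(in_Cp(add(polymul_mod(add(one, a), add(one, b)), one))
               for a in (zero, ones) for b in (zero, ones))
```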

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Phesso, A., Tillich, J.-P. (2016). An Efficient Attack on a Code-Based Signature Scheme. In: Takagi, T. (ed.) Post-Quantum Cryptography. PQCrypto 2016. Lecture Notes in Computer Science, vol. 9606. Springer, Cham. https://doi.org/10.1007/978-3-319-29360-8_7

  • DOI: https://doi.org/10.1007/978-3-319-29360-8_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29359-2

  • Online ISBN: 978-3-319-29360-8

  • eBook Packages: Computer Science (R0)