Cryptanalysis of a code-based full-time signature

Abstract

We present an attack against a code-based signature scheme based on the Lyubashevsky protocol that was recently proposed by Song, Huang, Mu, Wu and Wang (SHMWW). The private key in the SHMWW scheme contains columns coming in part from an identity matrix and in part from a random matrix. The existence of two types of columns leads to a strong bias in the distribution of set bits in produced signatures. Our attack exploits such a bias to recover the private key from a bunch of collected signatures. We provide a theoretical analysis of the attack along with experimental evaluations, and we show that as few as 10 signatures are enough to be collected for successfully recovering the private key. As for previous attempts of adapting Lyubashevsky’s protocol to the case of code-based cryptography, the SHMWW scheme is thus proved unable to provide acceptable security. This confirms that devising secure code-based signature schemes with efficiency comparable to that of other post-quantum solutions (e.g., based on lattices) is still a challenging task.

Appendix: A computing the number of signatures for a desired confidence level

We here prove Proposition 2. To bound the probabilities \(\epsilon _R\) and \(\epsilon _I\) which appear in (4) we will use the Chernoff bound, which we recall in the following.

Theorem 1

Chernoff bound

Let \(X = \sum _{u = 1}^{M}x_u\), where the \(x_u\) are all independent and \(x_u\sim \mathfrak B( \rho )\); then

1. (i)

   \(\mathrm {Pr}\left[ X\le (1 - \gamma ) \rho M\right] \le e^{-\frac{\gamma ^2}{2}\rho M}\), for all \(0<\gamma <1\);

2. (ii)

   \(\mathrm {Pr}\left[ X\ge (1+\gamma )\rho M\right] \le e^{-\frac{\gamma ^2}{2+\gamma }\rho M}\), for all \(\gamma >0\).

Applying condition (i) of the Chernoff bound on (2), we have \(\rho = \frac{1}{2}\) and \(\gamma = 1-2\delta \), such that

$$\begin{aligned} \epsilon _R\le e^{-\frac{(1-2\delta )^2}{4}N} = \epsilon _R^*. \end{aligned}$$

(7)

In analogous way, applying condition (ii) of the Chernoff bound on (3), we have \(\rho = \rho _I\) and \(\gamma = \frac{\delta }{\rho _I}-1\), such that

$$\begin{aligned} \epsilon _I\le e^{-\frac{(\delta -\rho _I)^2}{\delta +\rho _I}N} = \epsilon _I^*. \end{aligned}$$

(8)

Using these bounds for \(\epsilon _R\) and \(\epsilon _I\), we derive the following inequality on the success probability

$$\begin{aligned} \alpha \ge (1-\epsilon _R^*)^{\ell (n'-k')}(1-\epsilon _I^*)^{\ell k'}. \end{aligned}$$

We first note that, regardless of the particular choice for \(\delta \), the probabilities \(\epsilon _R^*\) and \(\epsilon _I^*\) decay exponentially with N; thus, we can always choose N sufficiently high to make them extremely low. Using a well known approximation, we have

$$\begin{aligned}&(1- {\epsilon _R^*}) ^{\ell (n'- k')}\approx 1 - \ell (n'-k') {\epsilon _R^*},\\&(1-{\epsilon _I^*}) ^{\ell k'}\approx 1 - \ell k' {\epsilon _I^*}. \end{aligned}$$

Now, let

$$\begin{aligned} N \ge N^* = \max \left\{ \frac{4}{(1-2\delta )^2} \ln \left( \frac{2\ell (n'-k')}{1-\alpha ^*}\right) , \frac{(\delta +\rho _I)}{(\delta -\rho _I)^2} \ln \left( \frac{2\ell k'}{1-\alpha ^*}\right) \right\} . \end{aligned}$$

Then, \(N \ge \frac{4}{(1-2\delta )^2} \ln \left( \frac{2\ell (n'-k')}{1-\alpha ^*}\right) \) and (7) implies that

$$\begin{aligned} \epsilon _R^* \le \frac{1-\alpha ^*}{2 \ell (n'-k')}, \end{aligned}$$

and, \(N \ge \frac{(\delta +\rho _I)}{(\delta -\rho _I)^2} \ln \left( \frac{2\ell k'}{1-\alpha ^*}\right) \) and (8) implies that

$$\begin{aligned} \epsilon _I^* \le \frac{1-\alpha ^*}{2 \ell k'}. \end{aligned}$$

Therefore, we obtain the following bound on the probability of success

$$\begin{aligned} \alpha&\ge (1-\epsilon _R^*)^{\ell (n'-k')}(1-\epsilon _I^*)^{\ell k'} \\&\approx 1 - \ell (n'-k') \epsilon _R^* - \ell k' \epsilon _I^* + \ell ^2 k' (n'-k')\epsilon _R^* \epsilon _I^*\\&\ge 1 - \ell (n'-k') \epsilon _R^* - \ell k' \epsilon _I^* \\&\ge \alpha ^*. \end{aligned}$$