arXiv:1812.03286v2 [cs.CR] 23 Jan 2019 tde adpolm,adn oyoiltm ovris [7 the most cryptography solver among and post-quantum time for are oldest solutions polynomial cryptosystems promising the most no code-based of and known, one currently problems, is hard SDP studied Since quantum therein). an [6]. on by references implemented computers characterized when and are even complexity, [5] algorithms exponential ISD [4], significantly current and (see all [3] However, years 1962 in over Prange improved general algorithms, by (ISD) for introduced for Decoding solvers first NP-complete Set were SDP Information be best as Prob- to The known Decoding proven codes, [2]. Syndrome codes been the random has general of which hardness (SDP), the lem on rely [1], signatures. ytesast ftesgaue hc ed oasignificant a to leads which key. signature, secret the motiv the below the is about far attack of secret leakage is the information sparsity the that of factor of the efficiency work The recovery by a level. full with security a performed claimed that be can asses show We key and decoding. set complexity ov information performed attack by analysis b followed The statistical intercepted signature, a complexity. signature a on single limited relies a and with exploits attacker, mounted propose successful we be a attack that can show attack and recovery Persichetti by proposed recently cee[] htue ihrt op oe n olw a follows and codes Goppa rate high uses ( that Courtois-Finiasz-Sendrier [9], the scheme is codes correcting error Standard this of of [8]. standardization Institute primitives proposal the post-quantum National for no competition the that (NIST) Technology within fact and the surviving by base is represented schemes type th is signature of evidence codes digital clear efficient on A finding cases). worst efficie of the either hardness be in to both, not (or tr proven secure been or Proposals have issue adopted. a this are in address result to solutions may special function, not unless hash stri do a failure general through a domains i obtained on example typically, ciphertext for decryption that, and applying fact Therefore, plaintext coincide. the The the by problem. systems open represented an these is still is difficulty theory main coding on based scheme oebsdcytsses nrdcdb cleei 1978 in McEliece by introduced cryptosystems, Code-based ne Terms Index Abstract itrcly h rtdgtlsgaueshm ae on based scheme signature digital first the Historically, signature digital efficient and secure a designing However, W osdraoetm iia intr scheme signature digital one-time a consider —We Cd-ae rporpy rpaayi,digital cryptanalysis, cryptography, —Code-based oeBsdDgtlSgaueScheme Signature Digital Code-Based .I I. NTRODUCTION rpaayi faOne-Time a of Cryptanalysis mi:psniip.nvmi,{.ad,f.chiaraluce} {m.baldi, [email protected], Email: al atn,MroBli n rnoChiaraluce Franco and Baldi, Marco Santini, Paolo iatmnod nenradell’Informazione Ingegneria di Dipartimento nvriàPltciadleMarche delle Politecnica Università rsuch er noa Italy Ancona, CFS) the y the s ying ated key ng, of nt ]. n d e s h esblt fteatc n[9 a nyb assessed be only can simulation [19] on rely in not do attack we simulations, the numerical through of whil So, parameters. feasibility system success the the on a of only for depend number needed which average complexity attack, the relevant for the formula and permi closed-form iterations which a ISD, obtain to exploits to possible attack us our not BF [19], is through from decoding it Differently of failure, attempts decoding randomized analyticall further a predicted perform of be success case cannot the in being However, decoding Moreover, of decoders. BF Bit advantage other of on the to probability based compared has is fast [19] which vary in decoding, attack (BF) The Flipping [19]. in developed dently sing a algorithm. on ISD performed an analysis with statistical and combined Ou a key signature, level. on secret security based the claimed is the of attack from below recovery far full suffers is a complexity scheme to complexity. whose this leads computational which allow afterwards, attack low show which an and we codes, keys as (QC) However, compact Quasi-Cyclic protoco both on identification for is Stern’s relies scheme of and a modification [18], Such a [17]. as Persichetti obtained by proposed scheme. recently the of was version since degraded [16], a in to disproved referred [15] been is in statistical has it proposed procedure the been a has on such signatures However, based of Wave hundreds of of analysis procedure cryptanalysis A ue,wihlmt h ieo t epis[3.Aohrre Another generalized on [13]. based sign keypairs [14], its Wave of of is thousands proposal life the of limits observation which the tures, forg has after allows that codes, signatures procedure a valid (LDGM) with [12] matrix in cryptanalized generator been low-density signatur on one BBC based just the after instance, refreshed one-tim For is to key-pair assumption, conservative (each In most schemes few-signatu the signatures. to in reduced of or, are systems schemes number attacked the large case, a sufficiently through such system a the of break can observation that procedures i.e., attacks, requires times. and signature [10]) long codes and codes public-keys Goppa random large rate from very (high distinguished flaws security be some can has it since tical, hash-and-sign nte takaanttesm ceehsbe indepen- been has scheme same the against attack Another that scheme signature one-time a consider we paper, this In npriua,sm cee ih ufrfo statistical from suffer might schemes some particular, In prah hsshm skont eunprac- be to known is scheme This approach. @univpm.it + ceepooe n[1,wihis which [11], in proposed scheme ( U ; U + V ) codes. cent ing the res ful e). a- le y. s: ts e e r . l . through an theoretical approach, we show that the security of The key generation is shown in Algorithm 1; the signing the scheme is reduced to the complexity of an SDP instance, key (i.e., secret key) is a vector e(x) = [e0(x),e1(x)], such which is far below any reasonable security level. In particular, that wt{e(x)} = w(e). The verification key (i.e., public key) our analysis shows how the security of the system is related to is obtained through the application of syndh on the secret the hardness of solving an SDP instance in which the weight of key. The signature generation and verification are shown, the searched vector is particularly low. Through this approach, respectively, in Algorithms 2 and 3. The signature verification we can make general statements about the effectiveness of the algorithm returns a boolean variable ⊥ that is false when the attack on modified parameters sets, showing that meaningful signature is valid and true otherwise. security levels cannot be achieved even resorting to extreme choices for the parameters set. Algorithm 1 Key generation The paper is organized as follows. In Section II we introduce Input: integers p, w(e), w(y) the notation used. In Section III we describe the scheme and its Output: signing key e(x), verification key se(x) design strategy. In Section IV we describe our attack procedure 1: procedure and derive estimates of its complexity. Finally, in Section V $ 2: e(x) ←−D (e) we report some conclusions. 2p,w 3: se(x) ← syndh{e(x)} II. NOTATION 4: return e(x), se(x) p We denote as R the polynomial ring F2[x]/(x + 1), where p is an integer and x is a symbolic variable. We use bold letters 2 Algorithm 2 Signature generation to denote vectors over R , in the form a(x) = [a0(x),a1(x)], 2 (y) (c) with ai(x) ∈ R. Each a(x) ∈ R can be unambiguously Input: message m, signing key e(x), integers w , w F2p represented as a vector a ∈ 2 in the form Output: signature σ = {c(x), z(x)} 1: procedure a = [a0,0,a0,1, ··· ,a0,p−1,a1,0,a1,1, ··· ,a1,p−1], $ 2: y(x) ←−D2p,w(y) where ai,j is the j-th coefficient of the i-th polynomial, ai(x), 3: sy(x) ← syndh{y(x)} in a(x). Let F be the binary field. Given a vector a over F , 2 2 4: c(x) ← Hw(c) {[m,sy(x)]} we denote as aˆ the vector obtained by lifting its entries over 5: z(x) ← c(x)e(x)+ y(x) Z the integer domain ; the same notation is used for vectors of 6: σ ←{c(x), z(x)} polynomials. Operations involving lifted vectors are performed 7: return σ in the integer domain (i.e., 1+1=2). Given a polynomial a(x), we define its Hamming weight, wt{a(x)}, as the number of its non-null coefficients. For a vector of polynomials a(x), Algorithm 3 Signature verification the Hamming weight corresponds to the sum of the Hamming Input: message m, verification key se(x), weights of its elements. The support of a polynomial a(x), Input: signature {c(x), z(x)} denoted as ℑ{a(x)}, is the set containing the indexes of the Output: verification confirmation ⊥ non-null coefficients of . Clearly, the Hamming weight of a(x) 1: procedure a polynomial corresponds to the cardinality of its support. 2: ⊥ ← 0 We denote as D the uniform distribution of all binary n- c e y n,w 3: if wt{z(x)}≤ w( )w( ) + w( ) then $ uples with weight w. Then, the expression a ←−Dn,w means 4: ⊥ ← 1 that a is randomly picked among all the elements in Dn,w. 5: return ⊥ ⊲ Signature rejected Since the distribution is uniform, each vector of weight w is 6: sz(x) ← syndh{z(x)} picked with probability 1/ n . In the following, we consider w 7: v(x) ← c(x)se(x)+ sz(x) only the case of n = 2p. With some abuse of notation, the 8: c′(x) ← H {[m, v(x)]} $
δ expression a(x) ←−Dn,w means that a(x) is randomly picked 9: if c′(x) 6= c(x) then among all pairs of polynomials having vectors of coefficients 10: ⊥ ← 1 2 in R , each with Hamming weight w. 11: return ⊥ ⊲ Signature rejected III. SYSTEM DESCRIPTION 12: return ⊥ ⊲ Signature accepted The one-time digital signature scheme we are considering is built upon a public polynomial h(x), that is fixed by the A. Security analysis protocol. We denote as synd : R2 → R the function that h The security of the scheme is based on the hardness of the takes as input a vector a(x) = [a (x),a (x)] and outputs 0 1 SDP that, in the binary case, is defined as follows. a0(x)+ a1(x)h(x). The scheme additionally requires a hash function Hδ(b) that takes as input b and outputs a weight-δ Syndrome Decoding Problem (e) Fr×n Fr N Fn polynomial. Parameters of the scheme are the integers p, w , Given H ∈ 2 , s ∈ 2 and w ∈ , find e ∈ 2 such that w(y), w(c) (with w(e), w(y), w(c) ≪ p). wt{e}≤ w and HeT = s. (v) An opponent can compute the polynomials zi (x) = −v The SDP is a well-known problem in coding theory, and has x zi(x), for i =0, 1 and for all v ∈ ℑ{c(x)}; we have been proven to be NP-complete [2]; in particular, the solution (v) −v −v of the SDP can be unique only when w does not exceed the zi (x)= x yi(x)+ x c(x)ei(x) (GV) −v −v+l Gilbert-Varshamov (GV) distance d , that is defined as the = x yi(x)+ ei(x)+ x ei(x) d(GV)−2 n−1 n−k l c x greatest integer such that j=0 j < 2 . When w ≤ ∈ℑ{ ( )} Xl v d(GV), the best solvers for SDP are ISD algorithms, whose 6= P
(v) (v−l) complexity crucially depends on w and on the code rate. = y (x)+ ei(x)+ ei (x). (5) The security of the scheme is based on the fact that the l∈ℑ{c(x)} Xl6=v inversion of syndh requires the solution of an SDP instance. Let H be the p × 2p QC matrix obtained by concatenating the The opponent can then lift all such polynomials in the integers identity with the circulant matrix having h(x) as first column. domain, and compute the sum Let e and se denote, respectively, the vectors associated to the p secret and the public key: then, the following relation holds ˆ ˆ j (v) di(x)= di,j x = zˆi (x), (6) j=0 v∈ℑ{c(x)} T X X He = se. (1) for i = 0, 1. We expect high coefficients in dˆi(x) to be (v) An opponent trying to recover the secret key e must solve an associated to ones in ei(x). In fact, all polynomials zi (x) are SDP instance; thus, the weight of e cannot be smaller than obtained as the sum of ei(x) with other sparse polynomials −v some security threshold value. In the verification procedure, that depend on the shift x . Hence, if an entry belongs to (v) a crucial aspect is represented by the weight of z(x), which the support of a large number of polynomials zi (x), then it has maximum value equal to w(c)w(e) + w(y). Indeed, the also belongs to the support of ei(x) with high probability. authenticity of the signature is guaranteed if there is only one The opponent can exploit this fact to estimate the coeffi- ′ ′ ′ 2 vector z(x) such that cients of e(x). In particular, let e (x) = [e0(x),e1(x)] ∈ R be a vector with coefficients

syndh{z(x)} = c(x)syndh{e(x)} + syndh{y(x)}, (2) ˆ ′ 0 if di,j 0, it is highly probable that e (x) has δ an extremely low weight: this results in Piter having very · P0{δ0}P1{δ − δ0}. (18) high values, only slightly influenced by the choice of w¯ (i.e., δ X0=0 choosing w¯ = 40 is already enough to guarantee Piter ≈ 1). complexity, and that changes in the system parameters are not able to restore meaningful security levels. We point out that, with a few modifications, our attack procedure can be applied to structures different from the QC one. This is because it exploits the sparsity of the signature. As this is an inherent feature of the considered scheme, restoring its security might require deep and structural changes.

REFERENCES

[1] R. J. McEliece, “A public-key cryptosystem based on algebraic coding theory.” DSN Progress Report, pp. 114–116, 1978. [2] E. Berlekamp, R. McEliece, and H. van Tilborg, “On the inherent intractability of certain coding problems,” IEEE Trans. Inf. Theory, ∗ Fig. 1. Probability distribution of wt{e (x)}. vol. 24, no. 3, pp. 384–386, May 1978. [3] E. Prange, “The use of information sets in decoding cyclic codes,” IRE Trans. Inf. Theory, vol. 8, no. 5, pp. 5–9, 1962. TABLE I [4] J. Stern, “A method for finding codewords of small weight,” in Coding EFFECTIVENESS OF THE KEY RECOVERY ATTACK INSTANCES PROPOSED Theory and Applications, ser. Lecture Notes in Computer Science, IN [17], FOR LEE-BRICKELL ISD WITH j = 2. G. Cohen and J. Wolfmann, Eds. Springer Verlag, 1989, vol. 388, pp. 106–113. (e) (y) (c) ∗ p w w w b P {wt{e (x)} = 0} CISD [5] A. Becker, A. Joux, A. May, and A. Meurer, “Decoding random binary 3072 85 85 7 5 2−3.37 235.10 linear codes in 2n/20: How 1 + 1 = 0 improves information set 4801 90 100 10 7 2−1.15 237.58 decoding,” in Advances in Cryptology - EUROCRYPT 2012, ser. Lecture 6272 125 125 10 7 2−1.84 238.37 Notes in Computer Science, D. Pointcheval and T. Johansson, Eds. 9857 150 200 15 9 2−0.23 242.54 Springer Verlag, 2012, vol. 7237, pp. 520–536. [6] D. J. Bernstein, “Grover vs. McEliece,” in Post-Quantum Cryptography, N. Sendrier, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 73–80. This means that the application of ISD normally requires a [7] L. Chen, Y.-K. Liu, S. Jordan, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone, “Report on post-quantum cryptography,” National very limited number of operations. Institute of Standards and Technology, Tech. Rep. NISTIR 8105, 2016. We can also show that changing the system parameters is not [8] National Institute of Standards and Technology. (2016, enough to significantly raise the security level of the scheme. Dec.) Post-quantum crypto project. [Online]. Available: http://csrc.nist.gov/groups/ST/post-quantum-crypto/ In order to give an evidence of this fact, we have considered [9] N. T. Courtois, M. Finiasz, and N. Sendrier, “How to achieve a the case of p = 4801, for which d(GV) = 1058, and tested McEliece-based digital signature scheme,” Advances in Cryptology - different values of w(e), w(y) and w(c). The results are reported ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, pp. 157–174, 2001. in Table II. As we can see, there are no significant changes in [10] J.-C. Faugère, A. Otmani, L. Perret, and J.-P. Tillich, “A distinguisher for the security of the system. In particular, the last three instances high rate McEliece cryptosystems,” in Proc. IEEE Information Theory in the table have been designed with a maximum weight of Workshop (ITW), Paraty, Brazil, Oct. 2011, pp. 282–286. ∗ (GV) [11] M. Baldi, M. Bianchi, F. Chiaraluce, J. Rosenthal, and D. Schipani, “Us- z (x) that is close to 2d . This choice is clearly extreme ing LDGM codes and sparse syndromes to achieve digital signatures,” since, as explained in Section III, this way the uniqueness in Post-Quantum Cryptography, P. Gaborit, Ed. Berlin, Heidelberg: of the signature is no longer achievable. One might think to Springer Berlin Heidelberg, 2013, pp. 1–15. apply some modifications to the protocol, to take into account [12] A. Phesso and J.-P. Tillich, “An efficient attack on a code-based signature scheme,” in Post-Quantum Cryptography, T. Takagi, Ed. Cham: also this possibility in the signature verification algorithm. Springer International Publishing, 2016, pp. 86–103. However, our results should discourage the attempt. [13] M. Baldi, A. Barenghi, F. Chiaraluce, G. Pelosi, J. Rosenthal, P. Santini, and D. Schipani, “Design and implementation of a digital signature scheme based on low-density generator matrix codes,” 2018, arXiv eprint V. CONCLUSION 1807.06127. We have discussed a serious weakness of a recently pro- [14] T. Debris-Alazard, N. Sendrier, and J.-P. Tillich. (2018) Wave: A new code-based signature scheme. Cryptology ePrint Archive, Report posed one-time digital signature scheme. Our analysis shows 2018/996. [Online]. Available: https://eprint.iacr.org/2018/996.pdf that the secret key can be fully recovered with very low [15] P. S. L. M. Barreto and E. Persichetti. (2018) Cryptanalysis of the wave signature scheme. Cryptology ePrint Archive, Report 2018/1111. [Online]. Available: https://eprint.iacr.org/2018/1111.pdf TABLE II [16] T. Debris-Alazard, N. Sendrier, and J.-P. Tillich. (2018) This is not EFFECTIVENESS OF THE KEY RECOVERY ATTACK ON SOME SYSTEM an attack on wave. Cryptology ePrint Archive, Report 2018/1216. INSTANCES WITH p = 4801, FOR LEE-BRICKELL ISD WITH j = 2. [Online]. Available: https://eprint.iacr.org/2018/1216.pdf [17] E. Persichetti, “Efficient one-time signatures from quasi-cyclic codes: A (e) (y) (c) ∗ full treatment,” Cryptography, vol. 2, no. 4, 2018. [Online]. Available: w w w b P {wt{e (x)} = 0} CISD http://www.mdpi.com/2410-387X/2/4/30 −4.01 37.05 90 300 8 6 2 2 [18] J. Stern, “A new identification scheme based on syndrome decoding,” −12.16 38.95 100 400 6 4 2 2 in Advances in Cryptology — CRYPTO’ 93, D. R. Stinson, Ed. Berlin, − 90 1000 10 7 2 13.10 239.18 Heidelberg: Springer Berlin Heidelberg, 1994, pp. 13–21. − 90 100 20 12 2 0.46 238.56 [19] J.-C. Deneuville and P. Gaborit, “Cryptanalysis of a code-based one- 180 100 10 7 2−16.60 254.98 time signature,” Dec 2018, https://hal.archives-ouvertes.fr/hal-01961491. [Online]. Available: https://hal.archives-ouvertes.fr/hal-01961491 [20] P. Lee and E. Brickell, “An observation on the security of McEliece’s public-key cryptosystem,” in Advances in Cryptology - EUROCRYPT 88. Springer Verlag, 1988, pp. 275–280.