Cryptanalysis of a code-based full-time signature
Karan Khathuria2020, arXiv (Cornell University)
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
We present an attack against a code-based signature scheme based on the Lyubashevsky protocol that was recently proposed by Song, Huang, Mu, Wu and Wang (SHMWW). The private key in the SHMWW scheme contains columns coming in part from an identity matrix and in part from a random matrix. The existence of two types of columns leads to a strong bias in the distribution of set bits in produced signatures. Our attack exploits such a bias to recover the private key from a bunch of collected signatures. We provide a theoretical analysis of the attack along with experimental evaluations, and we show that as few as 10 signatures are enough to be collected for successfully recovering the private key. As for previous attempts of adapting Lyubashevsky's protocol to the case of code-based cryptography, the SHMWW scheme is thus proved unable to provide acceptable security. This confirms that devising secure code-based signature schemes with efficiency comparable to that of other post-quantum solutions (e.g., based on lattices) is still a challenging task.
Related papers
Cryptanalysis of a Code-Based Signature Scheme Based on the Lyubashevsky Framework
IACR Cryptol. ePrint Arch., 2020
In this paper we cryptanalyze a recently proposed signature scheme consisting in a translation of the Lyubashevsky framework to the coding theory, whose security is based on the hardness of decoding low weight errors in the Hamming metric. We show that each produced signature leaks information about the secret key and that, after the observation of a bunch of signatures, the secret key can be fully recovered with simple linear algebra. We conservatively assess the complexity of our proposed attack and show that it grows polynomially in the scheme parameters; numerical simulations are used to confirm our analysis. Our results show that the weakness of the scheme is intrinsic by design, and that security cannot be restored by a mere change in the parameters.
Post-quantum Cryptography: Code-Based Signatures
Advances in Computer Science and Information …, 2010
This survey provides a comparative overview of code-based signature schemes with respect to security and performance. Furthermore, we explicitly describe serveral code-based signature schemes with additional properties such as identity-based, threshold ring and blind signatures.
A new code-based public-key cryptosystem resistant to quantum computer attacks
Journal of Physics: Conference Series, 2019
We propose a new type of public-key cryptosystems (PKC) which is based on repetition of different error-correcting codes. We give a brief analysis of some well known attacks on code-based PKC, including structural ones and show that the scheme could be used as a perspective post-quantum PKC.
Exploiting Determinism in Lattice-based Signatures
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
In this paper, we analyze the implementation level fault vulnerabilities of deterministic lattice-based signature schemes. In particular, we extend the practicality of skip-addition fault attacks through exploitation of determinism in certain variants of Dilithium (Deterministic variant) and qTESLA signature scheme (originally submitted deterministic version), which are two leading candidates for the NIST standardization of post-quantum cryptography. We show that single targeted faults injected in the signing procedure allow to recover an important portion of the secret key. Though faults injected in the signing procedure do not recover all the secret key elements, we propose a novel forgery algorithm that allows the attacker to sign any given message with only the extracted portion of the secret key. We perform experimental validation of our attack using Electromagnetic fault injection on reference implementations taken from the pqm4 library, a benchmarking and testing framework for post quantum cryptographic implementations for the ARM Cortex-M4 microcontroller. We also show that our attacks break two well known countermeasures known to protect against skip-addition fault attacks. We further propose an efficient mitigation strategy against our attack that exponentially increases the attacker's complexity at almost zero increase in computational complexity. CCS CONCEPTS • Security and privacy → Digital signatures; Hardware attacks and countermeasures; Side-channel analysis and countermeasures; Embedded systems security.
Evaluation of Code-based Signature Schemes
IACR Cryptol. ePrint Arch., 2019
Code-based cryptographic schemes recently raised to prominence as quantum-safe alternatives to the currently employed numbertheoretic constructions, which do not resist quantum attacks. In this article, we discuss the Courtois-Finiasz-Sendrier signature scheme and derive code-based signature schemes using the Fiat-Shamir transformation from code-based zero-knowledge identification schemes, namely the Stern scheme, the Jain-Krenn-Pietrzak-Tentes scheme, and the CayrelVeron-El Yousfi scheme. We analyze the security of these code-based signature schemes and derive the security parameters to achieve the 80bit and 128-bit level of classical security. To derive the secure parameters, we have studied the hardness of Syndrome Decoding Problem. Furthermore, we implement the signature schemes, based on the Fiat-Shamir transform, which were mentioned above, and compare their performance on a PC.
Analysis of code-based digital signature schemes
International Journal of Electrical and Computer Engineering (IJECE), 2023
Digital signatures are in high demand because they allow authentication and non-repudiation. Existing digital signature systems, such as digital signature algorithm (DSA), elliptic curve digital signature algorithm (ECDSA), and others, are based on number theory problems such as discrete logarithmic problems and integer factorization problems. These recently used digital signatures are not secure with quantum computers. To protect against quantum computer attacks, many researchers propose digital signature schemes based on error-correcting codes such as linear, Goppa, polar, and so on. We studied 16 distinct papers based on various error-correcting codes and analyzed their various features such as signing and verification efficiency, signature size, public key size, and security against multiple attacks.
Security Analysis of One Quantum Digital Signature Scheme
2009 Sixth International Conference on Information Technology: New Generations, 2009
We point out that the quantum digital signature scheme proposed in ICACT 2005 has three problems. According to the original description of the scheme, we find: (1) the quantum one-way function is not specified clearly; (2) the signer Alice does not use her private key in the signing process; (3) both the signing and the verification can not work well.
An Efficient Attack on a Code-Based Signature Scheme
Post-Quantum Cryptography, 2016
Baldi et al. have introduced in [BBC + 13] a very novel code based signature scheme. However we will prove here that some of the bits of the signatures are correlated in this scheme and this allows an attack that recovers enough of the underlying secret structure to forge new signatures. This cryptanalysis was performed on the parameters which were devised for 80 bits of security and broke them with 100, 000 signatures originating from the same secret key.
A SOLUTION FOR CONSTRUCTING QUANTUM - RESISTANT DIGITAL SIGNATURE SCHEMES
Journal of Military Science and Technology, ISSN: 1859-1043, 2024
In this article, the authors propose a solution for constructing quantum -resistant digital signature schemes based on a new type of hard problem, which belongs to the group of unsolvable problems. Therefore, the algorithms constructed according to the solution proposed here can be resistant to quantum attacks based on the quantum algorithm proposed by P. Shor. In addition to quantum resistance, the signature schemes proposed here can also be used as pre-quantum digital signature schemes (RSA, DSA, etc.) that are widely used in current practical applications.
Walnutdsa: A Quantum-Resistant Digital Signature Algorithm
2017
In 2005 I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux introduced E-Multiplication, a quantum-resistant, group-theoretic, one-way function which can be used as a basis for many different cryptographic applications. To date, all analysis and attacks on E-Multiplication have been exponential in their runtime and all have been readily addressed and defeated. This paper introduces WalnutDSA, a new E-Multiplication-based public-key digital signature method that provides very efficient verification, allowing low-powered and constrained devices to quickly and inexpensively validate digital signatures (e.g., a certificate or authentication). This paper presents an in-depth discussion of the construction of the digital signature algorithm, analyzes the security of the scheme, provides a proof of security under EUF-CMA, and discusses the practical results from implementations on several constrained devices. With the implementation of parameters that defeat all known attacks, WalnutDSA is c...
K2SN-MSS: An Efficient Post-Quantum Signature (Full Version)
IACR Cryptol. ePrint Arch., 2019
With the rapid development of quantum technologies, quantumsafe cryptography has found significant attention. Hash-based signature schemes have been in particular of interest because of (i) the importance of digital signature as the main source of trust on the Internet, (ii) the fact that the security of these signatures relies on existence of one-way functions, which is the minimal assumption for signature schemes, and (iii) they can be efficiently implemented. Basic hash-based signatures are for a single message, but have been extended for signing multiple messages. In this paper we design a Multi-message Signature Scheme (MSS) based on an existing One-Time Signature (OTS) that we refer to as KSN-OTS. KSN uses SWIFFT, an additive homomorphic lattice-based hash function family with provable one-wayness property, as the oneway-function and achieves a short signature. We prove security of our proposed signature scheme in a new strengthened security model (multi-target multi-function)...
A code-based group signature scheme
Designs, Codes and Cryptography, 2016
In this work we propose the first code-based group signature. As it will be described below, its security is based on a relaxation of the model of Bellare, Shi and Zhang [3] (BSZ model) verifying the properties of anonymity, traceability and non-frameability. Furthermore, it has numerous advantages over all existing post-quantum constructions and even competes (in terms of properties) with pairing based constructions: it allows to dynamically add new members and signature and public key sizes are constant with respect to the number of group members. Last but not least, our scheme can be extended into a traceable signature according to the definition of Kiayias, Tsiounis and Yung [19] (KTY model) and handles membership revocation. The main idea of our scheme consists in building a collision of two syndromes associated to two different matrices: a random one which enables to build a random syndrome from a chosen small weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits to find a small weight preimage of the previous random syndrome. These two small weight vectors will constitute the group member's secret signing key whose knowledge will be proved thanks to a variation of Stern's authentication protocol. For applications, we consider the case of the code-based CFS signature scheme [11] of Courtois, Finiasz and Sendrier.
Code-based Post-Quantum Cryptography
2021
Cryptography has been used from time immemorial for preserving the confidentiality of 1 data/information in storage or in transit. Thus, cryptography research has also been evolving from 2 the classical Caesar cipher to the modern cryptosystems based on modular arithmetic to the con3 temporary cryptosystems based on quantum computing. The emergence of quantum computing 4 imposes a major threat on the modern cryptosystems based on modular arithmetic whereby, even 5 the computationally hard problems which constitute for the strength of the modular arithmetic 6 ciphers could be solved in deterministic time. This threat triggered post-quantum cryptography 7 research in order to design and develop post-quantum algorithms that can withstand quantum 8 computing attacks. This paper provides a review of the various post-quantum cryptography and, 9 in specific, code-based cryptography research dimensions. The research directions that are yet to 10 be explored in code-based cryptography resear...
Improved Secure Implementation of Code-Based Signature Schemes on Embedded Devices
Amongst areas of cryptographic research, there has recently been a widening interest for code-based cryptosystems and their implementations. Besides the a priori resistance to quantum computer attacks, they represent a real alternative to the currently used cryptographic schemes. In this paper we consider the implementation of the Stern authentication scheme and one recent variation of this scheme by Aguilar et al.. These two schemes allow public authentication and public signature with public and private keys of only a few hundreds bits. The contributions of this paper are twofold: first, we describe how to implement a code-based signature in a constrained device through the Fiat-Shamir paradigm, in particular we show how to deal with long signatures. Second, we implement and explain new improvements for code-based zero-knowledge signature schemes. We describe implementations for these signature and authentication schemes, secured against side channel attacks, which drastically improve the previous implementation presented at Cardis 2008 by Cayrel et al.. We obtain a factor 3 reduction of speed and a factor of about 2 for the length of the signature. We also provide an extensive comparison with RSA signatures.
Post-Quantum and Code-Based Cryptography—Some Prospective Research Directions
Cryptography
Cryptography has been used from time immemorial for preserving the confidentiality of data/information in storage or transit. Thus, cryptography research has also been evolving from the classical Caesar cipher to the modern cryptosystems, based on modular arithmetic to the contemporary cryptosystems based on quantum computing. The emergence of quantum computing poses a major threat to the modern cryptosystems based on modular arithmetic, whereby even the computationally hard problems which constitute the strength of the modular arithmetic ciphers could be solved in polynomial time. This threat triggered post-quantum cryptography research to design and develop post-quantum algorithms that can withstand quantum computing attacks. This paper provides an overview of the various research directions that have been explored in post-quantum cryptography and, specifically, the various code-based cryptography research dimensions that have been explored. Some potential research directions that...
13 Efficient arbitrated quantum signature and its proof of security.pdf
In this paper, an efficient arbitrated quantum signature scheme is proposed by combining quantum cryptographic techniques and some ideas in classical cryptography. In the presented scheme, the signatory and the receiver can share a long-term secret key with the arbitrator by utilizing the key together with a random number. While in previous quantum signature schemes, the key shared between the signatory and the arbitrator or between the receiver and the arbitrator could be used only once, and thus each time when a signatory needs to sign, the signatory and the receiver have to obtain a new key shared with the arbitrator through a quantum key distribution protocol. Detailed theoretical analysis shows that the proposed scheme is efficient and provably secure.
A Compact Digital Signature Scheme Based on the Module-LWR Problem
Lecture Notes in Computer Science, 2020
We propose a new lattice-based digital signature scheme MLWRSign by modifying Dilithium, which is one of the second-round candidates of NIST's call for post-quantum cryptographic standards. To the best of our knowledge, our scheme MLWRSign is the first signature scheme whose security is based on the (module) learning with rounding (LWR) problem. Due to the simplicity of the LWR, the secret key size is reduced by approximately 30% in our scheme compared to Dilithium, while achieving the same level of security. Moreover, we implemented MLWRSign and observed that the running time of our scheme is comparable to that of Dilithium.
Trojan-horse attacks threaten the security of practical quantum cryptography
A quantum key distribution system may be probed by an eavesdropper Eve by sending in bright light from the quantum channel and analyzing the backreflections. We propose and experimentally demonstrate a setup for mounting such a Trojan-horse attack. We show it in operation against the quantum cryptosystem Clavis2 from ID Quantique, as a proof-of-principle. With just a few back-reflected photons, Eve discerns Bob's secret basis choice, and thus the raw key bit in the Scarani-Acín-Ribordy-Gisin 2004 protocol, with higher than 90% probability. This would clearly breach the security of the cryptosystem. Unfortunately in Clavis2 Eve's bright pulses have a side effect of causing high level of afterpulsing in Bob's single-photon detectors, resulting in a high quantum bit error rate that effectively protects this system from our attack. However, in a Clavis2-like system equipped with detectors with less-noisy but realistic characteristics, an attack strategy with positive leakage of the key would exist. We confirm this by a numerical simulation. Both the eavesdropping setup and strategy can be generalized to attack most of the current QKD systems, especially if they lack proper safeguards. We also propose countermeasures to prevent such attacks.
On Provably Secure Code-based Signature and Signcryption Scheme
eprint.iacr.org
Signcryption is a cryptographic protocol that provides authentication and confidentiality as a single primitive at a cost lower than the combined cost of sign and encryption. Due to the improved efficiency, signcryption schemes have found significant applications in areas related to E-commerce. Shor's algorithm poses a threat to number-theoretic algorithms, as it can solve the number-theoretic hard problems in polynomial time using quantum computers. Therefore, code-based cryptography offers an exciting alternative to number-theoretic cryptography, as it is not only resistant to quantum algorithms, but also, the base operation (matrix-vector multiplication) is far less computationally intensive compared to the modular exponentiation required in number-theoretic schemes. Courtois, Finiasz and Sendrier proposed the only practical code-based signature(CFS signature) . It can be used to realise many cryptographic primitives. But the signature is currently not provably secure due to the existence of the high rate distinguisher . In this paper, we make use of an alternate key-construct for the CFS signature, and thus prove its existential unforgeability under chosen message attacks (EUF-CMA). Also, we propose a code-based signcryption scheme and proved its security. To the best of our knowledge, this is the first code-based, provably secure signature and signcryption scheme in literature.
Continuous-variable quantum digital signatures over insecure channels
2018
Digital signatures ensure the integrity of a classical message and the authenticity of its sender. Despite their far-reaching use in modern communication, currently used signature schemes rely on computational assumptions and will be rendered insecure by a quantum computer. We present a quantum digital signatures (QDS) scheme whose security is instead based on the impossibility of perfectly and deterministically distinguishing between quantum states. Our continuous-variable (CV) scheme relies on phase measurement of a distributed alphabet of coherent states, and allows for secure message authentication against a quantum adversary performing collective beamsplitter and entangling-cloner attacks. Crucially, for the first time in the CV setting we allow for an eavesdropper on the quantum channels and yet retain shorter signature lengths than previous protocols with no eavesdropper. This opens up the possibility to implement CV QDS alongside existing CV quantum key distribution (QKD) pl...
Related topics
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.