Abstract
Stern’s signature scheme is a historically important code-based signature scheme. A crucial optimization of this scheme is to generate the pseudo-random vectors and permutations from seeds instead of sampling them uniformly at random, and most proposals based on Stern’s signature use this optimization. However, its security has not been properly analyzed, especially when deterministic commitments are used. In this article we study the security of this optimization. We first show that for some parameters there is an attack that exploits this optimization and breaks the scheme in time \(O(2^{\frac{\lambda }{2}})\) while the claimed security is \(\lambda \) bits. This impacts in particular the recent Quasi-cyclic Stern signature scheme (Bidoux et al., IEEE International Symposium on Information Theory (ISIT), IEEE Press, Piscataway, 2022). Our second result is an efficient fix for this attack. By adding a string \(salt \in \{0,1\}^{2\lambda }\) to the scheme and changing slightly how the pseudo-random strings are generated, we prove not only that our attack no longer works but that, against any attack, the scheme preserves \(\lambda \) bits of security; this fix increases the total signature size by only \(2\lambda \) bits. We apply this construction to other optimizations of Stern’s signature scheme, such as the use of the Lee metric or of hash trees, and we show how these optimizations improve the signature length of Stern’s signature scheme.
Notes
When we write maintain \(\lambda \) bits of security, we mean that if the original scheme has \(\lambda \) bits of security then the optimized scheme should also have \(\lambda \) bits of security.
If the weight constraint from the syndrome decoding problem, \(wt_H(\textbf{e}) = w\), is replaced with the permutation constraint from the permuted kernel problem, \(\textbf{e}= \sigma (\textbf{v})\) (where \(\textbf{v}\) is given and satisfies \(wt_H(\textbf{v}) = w\)), a solution to the first problem yields a solution to the second, and vice versa.
The number of non-binary words of weight w, length n, and alphabet of size q is given as the number of permutations of any word of the given weight and length multiplied by the number of compositions of w into n parts taking values in \(\{0,\dots ,q-1\}\). In the binary case there is only one such composition, while in the non-binary case the number of such compositions can be, and in most cases is, greater than 1.
In this paper we construct a scheme that is perfectly complete. In general this condition can be relaxed: an "almost perfectly complete" scheme, where the probability above is very close to 1, can also be considered a proper identification scheme.
This last part is what motivates the use of the salt + index construction for seeds.
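The following toy script is an added example, not code from the paper, showing why a per-signature salt combined with a round index matters for deterministic, seed-derived commitments. It models the generic situation the abstract describes (pseudo-random material expanded from a \(\lambda\)-bit seed, commitment computed deterministically from it) with and without a salt in \(\{0,1\}^{2\lambda}\), and gives an attacker the same budget of \(2^{\lambda/2}\) PRG evaluations in both settings. Without a salt one evaluation can be compared against every published commitment at once (a multi-target table), so with \(2^{\lambda/2}\) targets the expected number of recovered seeds is about 1; with the salt + index binding each evaluation can only be compared with the single target it was derived for. The concrete attack and construction in the paper are not reproduced here; the choice of SHAKE-128 as PRG, SHA-256 as commitment hash, the `b"com"` domain tag and the toy value \(\lambda = 16\) are assumptions made for the demonstration.

```python
import hashlib
import random

LAM = 16                    # toy security parameter in bits (assumption; real schemes use >= 128)
SEED_BYTES = LAM // 8       # per-round seeds are lambda bits long
SALT_BYTES = 2 * LAM // 8   # the fix adds a salt in {0,1}^{2*lambda} to each signature


def prg(material: bytes, n_bytes: int = 32) -> bytes:
    """Stand-in PRG (SHAKE-128) expanding a seed into a round's pseudo-random vector/permutation."""
    return hashlib.shake_128(material).digest(n_bytes)


def commit_unsalted(seed: bytes) -> bytes:
    """Deterministic commitment that depends on nothing but the lambda-bit seed."""
    return hashlib.sha256(b"com" + prg(seed)).digest()


def commit_salted(salt: bytes, index: int, seed: bytes) -> bytes:
    """Pseudo-random material derived from salt || index || seed, so the commitment is bound
    to one signature (the salt) and one round (the index)."""
    tag = salt + index.to_bytes(2, "big")
    return hashlib.sha256(b"com" + tag + prg(tag + seed)).digest()


def sign_unsalted(rng: random.Random, n_rounds: int):
    """Honest signer without salt: one seed per round, published commitment = H(PRG(seed))."""
    seeds = [rng.randbytes(SEED_BYTES) for _ in range(n_rounds)]
    return seeds, [commit_unsalted(s) for s in seeds]


def sign_salted(rng: random.Random, n_rounds: int):
    """Honest signer with the fix: a fresh 2*lambda-bit salt per signature, material derived per index."""
    salt = rng.randbytes(SALT_BYTES)
    seeds = [rng.randbytes(SEED_BYTES) for _ in range(n_rounds)]
    return seeds, [(salt, i, commit_salted(salt, i, s)) for i, s in enumerate(seeds)]


def attack_unsalted(targets: list, guesses: list):
    """Multi-target seed guessing: each PRG evaluation is checked against every published
    commitment at once through a lookup table. Returns (target_position, seed) hits; a hit
    reveals the pseudo-random material hidden behind that commitment."""
    table = {c: pos for pos, c in enumerate(targets)}
    hits = []
    for g in guesses:
        c = commit_unsalted(g)
        if c in table:
            hits.append((table[c], g))
    return hits


def attack_salted(targets: list, guesses: list):
    """Same budget against salted commitments: a guess must be expanded under one specific
    (salt, index), so it can only be compared with that single target."""
    hits = []
    for pos, g in guesses:
        salt, index, c = targets[pos]
        if commit_salted(salt, index, g) == c:
            hits.append((pos, g))
    return hits


def run_experiment(rng_seed: int = 1, n_sigs: int = 16, n_rounds: int = 16,
                   budget: int = 2 ** (LAM // 2)) -> dict:
    """n_sigs signatures of n_rounds rounds each give n_sigs*n_rounds published commitments;
    the attacker spends `budget` = 2^(lambda/2) PRG evaluations in both settings."""
    rng = random.Random(rng_seed)
    n_targets = n_sigs * n_rounds

    targets = [c for _ in range(n_sigs) for c in sign_unsalted(rng, n_rounds)[1]]
    guesses = [rng.randbytes(SEED_BYTES) for _ in range(budget)]
    unsalted_hits = attack_unsalted(targets, guesses)

    s_targets = [t for _ in range(n_sigs) for t in sign_salted(rng, n_rounds)[1]]
    s_guesses = [(rng.randrange(n_targets), g) for g in guesses]
    salted_hits = attack_salted(s_targets, s_guesses)

    return {
        "unsalted_hits": len(unsalted_hits),
        "expected_unsalted": n_targets * budget / 2 ** LAM,  # about 1 with these toy numbers
        "salted_hits": len(salted_hits),
        "expected_salted": budget / 2 ** LAM,               # about 0.004
        "salt_overhead_bits": 8 * SALT_BYTES,               # 2*lambda extra bits per signature
    }


if __name__ == "__main__":
    print(run_experiment())
```

The returned dictionary reports the observed hit counts next to the expected values; the salted case costs exactly \(2\lambda\) extra bits per signature (the salt itself), matching the overhead stated in the abstract. The script needs Python 3.9 or later for `random.Random.randbytes`.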
References
Aguilar C., Gaborit P., Schrek J.: A new zero-knowledge code based identification scheme with reduced communication. In: 2011 IEEE Information Theory Workshop, pp. 648–652 (2011).
Baldi M., Battaglioni M., Chiaraluce F., Horlemann-Trautmann A.-L., Persichetti E., Santini P., Weger V.: A new path to code-based signatures via identification schemes with restricted errors (2020). arXiv:2008.06403.
Berlekamp E., McEliece R., van Tilborg H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978).
Beullens W.: Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. In: Canteaut A., Ishai Y. (eds.) EUROCRYPT 2020, pp. 183–211 (2020).
Bidoux L., Gaborit P., Kulkarni M., Sendrier N.: Quasi-cyclic Stern proof of knowledge. In: 2022 IEEE International Symposium on Information Theory (ISIT), pp. 1459–1464. IEEE Press, Piscataway (2022).
Bogart K.P.: Introductory Combinatorics. Pitman Publishing Inc., Belmont (1983).
Cayrel P.-L., Véron P., El Yousfi A., Sidi M.: A zero-knowledge identification scheme based on the q-ary syndrome decoding problem. In: SAC, pp. 171–186 (2011).
Chailloux A., Debris-Alazard T., Etinski S.: Classical and quantum algorithms for generic syndrome decoding problems and applications to the Lee metric. In: Cheon J.H., Tillich J.-P. (eds.) Post-quantum Cryptography, pp. 44–62. Springer International Publishing, Cham (2021).
Chen M.-S., Hülsing A., Rijneveld J., Samardjiska S., Schwabe P.: MQDSS specifications (2020).
Debris-Alazard T., Sendrier N., Tillich J.-P.: Wave: a new family of trapdoor one-way preimage sampleable functions based on codes. In: Galbraith S.D., Moriai S. (eds.) Advances in Cryptology–ASIACRYPT 2019, pp. 21–51. Springer International Publishing, Cham (2019).
Feneuil T., Joux A., Rivain M.: Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature. IACR Cryptol. ePrint Arch., Report 2021/1576 (2021).
Feneuil T., Joux A., Rivain M.: Syndrome decoding in the head: shorter signatures from zero-knowledge proofs. IACR Cryptol. ePrint Arch., Report 2022/188 (2022).
Fiat A., Shamir A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko A.M. (ed.) Advances in Cryptology–CRYPTO’ 86, pp. 186–194. Springer, Berlin (1987).
Gaborit P., Ruatta O., Schrek J., Zemor G.: RankSign: an efficient signature algorithm based on the rank metric. In: Mosca M. (ed.) Post-quantum Cryptography, pp. 88–107 (2014).
Garey M.R., Johnson D.S.: Computers and Intractability. A Guide to the Theory of NP-Completeness. W. H. Freeman & Co., New York (1990).
Grilo A.B., Hövelmanns K., Hülsing A., Majenz C.: Tight adaptive reprogramming in the QROM. Springer, Berlin (2021).
Horlemann-Trautmann A.-L., Weger V.: Information set decoding in the Lee metric with applications to cryptography. Adv. Math. Commun. 15(4), 677–699 (2021).
Kachigar G., Tillich J.-P.: Quantum information set decoding algorithms. In: Lange T., Takagi T. (eds.) Post-quantum Cryptography, pp. 69–89. Springer, Cham (2017).
Leichtle D.: Post-quantum signatures from identification schemes. Masters Thesis (2018).
NIST: Post-quantum cryptography standardization. https://csrc.nist.gov/projects/post-quantum-cryptography (2017).
Prange E.: The use of information sets in decoding cyclic codes. IRE Transactions on Information Theory 8(5), 5–9 (1962).
Shamir A.: An efficient identification scheme based on permuted kernels (extended abstract). In: Brassard G. (ed.) Advances in Cryptology–CRYPTO’ 89 Proceedings, pp. 606–609. Springer, New York (1989).
Stern J.: A new identification scheme based on syndrome decoding. In: Stinson D.R. (ed.) Advances in Cryptology–CRYPTO’ 93, pp. 13–21. Springer, Berlin (1994).
Véron P.: Improved identification schemes based on error-correcting codes. Appl. Algebr. Eng. Commun. Comput. 8(1), 57–69 (1997).
Weger V., Khathuria K., Horlemann A.-L., Battaglioni M., Santini P., Persichetti E.: On the hardness of the Lee syndrome decoding problem. Adv. Math. Commun. (2022). https://doi.org/10.3934/amc.2022029.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue: Coding and Cryptography 2022”.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Chailloux, A., Etinski, S. On the (in)security of optimized Stern-like signature schemes. Des. Codes Cryptogr. 92, 803–832 (2024). https://doi.org/10.1007/s10623-023-01329-y