Elsevier

Theoretical Computer Science

Volume 835, 2 October 2020, Pages 15-30
Theoretical Computer Science

A code-based signature scheme from the Lyubashevsky framework

https://doi.org/10.1016/j.tcs.2020.05.011Get rights and content

Abstract

We propose a new method to construct code-based signature scheme following the Lyubashevsky's lattice-based framework. Our technique ensures that the Hamming weight of each row of the private key matrix is below the GV bound instead of fixed weight. Our scheme can generate signatures whose maximum Hamming weight is below the GV bound of random linear codes with the public key matrix as parity-check matrix. We argue that our scheme can resist existing attacks on code-based signatures. We provide a detailed security analysis and prove that our scheme is existentially unforgeable under adaptive chosen-message attacks (EUF-CMA) in the random oracle model through exploiting and expanding code-based complex problems. Our scheme enjoys the shorter signature size than the Durandal signature scheme (EUROCRYPT 2019) and the Wave signature scheme (ASIACRYPT 2019) for security level of 128 bits. We also show that there is a generic method to construct Weight Restricted Hash (WRH) functions which can produce hash value with a given Hamming weight.

Introduction

Security assumptions on which traditional signature algorithms such as the DSA and the ECDSA are based could be broken by quantum computing according to Peter Shor's algorithm [1]. Therefore, quantum-attack-resistant signature has become an urgent need. The code-based cryptosystems are the promising candidates to resist quantum attacks. They stem from the McEliece cryptosystem [2] and the Niederreiter cryptosystem [3], which are two public key encryption schemes and have been proven to be equivalent [4]. Their security is based on the conjectured intractability problems in coding theory, such as the syndrome decoding problem, which has been proven to be NP-complete by Berlekamp, McEliece, and Van Tilborg [5]. However, contrary to code-based encryption schemes, constructing efficient and secure signature schemes from code-based assumptions is a long standing open problem.

Traditionally, there exist two approaches to construct code-based signature schemes. The first approach is the hash-and-sign method such as the CFS signature scheme [6] and the Wave signature scheme [7] from the Hamming metric, and the RankSign signature scheme [8] from the rank metric. The main drawback of the CFS scheme is that the signature computation time grows significantly to increase the complexity of known attacks. In the case of the RankSign, a structure attack has been presented in [9]. The second approach is based on identification schemes through the Fiat-Shamir transformation, such as the Stern identification scheme [10] and the CVA identification scheme [11]. However, this approach will lead to a large signature size because these identification schemes have the cheating probability of 2/3 or 1/2 in each round.

Recently, some works [12], [13], [14], [15], [16] utilized a new method of constructing code-based signature schemes based on the Lyubashevsky's lattice-based identification scheme [17]. This method does not use any trapdoor values or decoding algorithm. Importantly, this method can overcome the weaknesses of the traditional methods described above. We briefly describe Lyubashevsky's framework [17] in the following. Two matrices H and S over a finite field are the public keys, and a prover wishes to prove that she has a private matrix E with small entries such that S=HET. The prover appropriately chooses a random vector e with small norm, computes the syndrome y=HeT, and sends it to the verifier. The verifier randomly chooses a vector c with small norm, and transmits it as a challenge to the prover. The prover computes z=e+cE, and sends it to the verifier. The verifier checks that z has a small norm and HzTScT=y.

In fact, Persichetti discussed a very simple form [12] of the aforementioned framework, which is also similar to the Schnorr identification, in the Hamming and rank setting. In Persichetti's scheme, the challenge is a non-zero value in a finite field, and the signature is generated by adding a random error to the product of the challenge and the private vector. However, the private key can be recovered by statistical analysis in the Hamming setting and by an algebra attack in the rank setting [12]. In other words, the private key cannot be perfectly hidden through a non-zero value and a random error in a finite field.

Another similar work is RaCoSS [14] submitted to the NIST, which is based on the syndrome decoding problem of a random parity-check matrix in the Hamming setting. This signature scheme has been broken [18] because of using the (very weak) Chernoff bound (to restrict the signature weight) and small security parameters. The adversary can easily forge signatures which are below the Chernoff bound. Afterwards, it was patched in [15] by choosing large security parameters and adjusting the restriction of the signature weight. However, it was broken again [19] due to the fact that this adjusted restriction is still loose.

In 2018, Persichetti came up with an improvement [13] by using quasi-cyclic codes, where the private key is a double circulant matrix produced by vectors with appropriate weight and the challenge is a fixed-weight vector. It is claimed that the improved scheme is an efficient one-time signature scheme. Unfortunately, this scheme is flawed in two ways. The first attack is proposed by Deneuville and Gaborit [20], which is based on the Bit Flipping (BF) decoding algorithm. Another attack [21] showed that statistical analysis performed on a single signature is enough to recover the private key by combining with the Information Set Decoding (ISD) algorithm [22].

Meanwhile, Deneuville and Gaborit [20] also presented a matrix adaptation of Lyubashevsky's framework [17] to construct the code-based signature scheme. The private key is a matrix that comprises a series of fixed-weight vectors, which is equivalent to making the private key more complex than that in [13]. The challenge is still a vector of appropriate weight generated by a hash function which can produce a fixed-weight hash value. The authors claimed that this adaptation is only secure for a limited amount of signatures since the support of the private key would be leaked out in the process of generating signatures.

Through the above analysis, most of the code-based signature schemes which are adapted from the Lyubashevsky's framework are not secure in the Hamming setting. Only the matrix adaptation [20] due to Deneuville and Gaborit does not suffer from obvious attacks. However, the support of the private key in [20] can be leaked out when generating signatures. In addition, they did not use a specific bound to restrict the signature weight or gave specific secure parameters. Neither did the authors present detailed security analysis or the suggestion of the public key size and the signature size. Furthermore, the Weight Restricted Hash (WRH) function was used in the design, however, they did not give a clear way to construct such functions.

Therefore, the following problems need to be solved if we use the Lyubashevsky's framework to construct code-based signature schemes: (1) How to choose a private key with less structure and stronger randomness. (2) How to select the private key and design the process of generating signatures in such a way that the weight of the generated signatures is less than a better bound, such as the Gilbert-Varshamov (GV) bound. (3) How to design the process of generating signatures to hide private keys. (4) How to construct Weight Restricted Hash (WRH) functions by a generic and efficient way.

The contributions of this paper are as follows:

  • 1.

    We propose a new code-based signature scheme by adopting the lattice-based Lyubashevsky's framework [17]. Our technique can ensure that the Hamming weight of each row of the private key matrix is below the GV bound instead of fixed weight. In addition, this technique can generate signatures whose maximum Hamming weight is below the GV bound of random codes with the public key matrix as a parity-check matrix.

  • 2.

    In order to analyze the security of our scheme in detail, we introduce the GSD problem, the GDSD problem, and the RDGD problem. We prove that these problems are at least as difficult as existing code-based complex problems. We show that the private key is unique under given public keys according to the GSD problem. We also prove that our scheme is existentially unforgeable under adaptive chosen-message attacks (EUF-CMA) in the random oracle model by reducing it to the RDGD problem, the DSD problem, the GDSD problem, and the SD problem.

  • 3.

    For the security level of 128 bits, the minimum public key size is 3.0 MB, and the signature size is 1.4 KB in our scheme. Our signature scheme features a shorter signature size than the latest Durandal scheme [16]. Importantly, our scheme can overcome the shortcomings of the previous schemes [12], [13], [14], [15] and resist existing attacks [12], [20], [18], [19].

  • 4.

    We present a generic method to construct Weight Restricted Hash (WRH) functions by combining a collision-resistant hash function with an encode algorithm [23], [24], [25], [26], [27], [28], [29] which can encode any message into the one with a given Hamming weight.

Like other schemes [12], [13], [14], [15], [16], our public keys include a parity-check matrix H of random [n,k]-linear codes. The core technique of our scheme is how to construct the private key matrix.

The signer randomly chooses l systematic generator matrices Ei=[I|Ri] of distinct random [n,k]-linear codes where I is k×k identity matrix and Ri is k×(nk) matrix for i=1,2,,l. Meanwhile, the signer ensures that n=nl and l(1+nk)dGV where dGV represents the GV bound of random [n,k]-linear code with H as parity-check matrix. Then the signer constructs matrix [E1|E2||El], and obtains the private key E=P1[E1|E2||El]P2 where P1 and P2 are k×k and n×n permutation matrices. The permutation matrices P1 and P2 are applied to scramble matrix [E1|E2||El] and obtain irregular private key E in order to strengthen the security of the private key. This process is also depicted in Fig. 1.

Through the above process, the signer obtains a public key H and the matching private key E, and then generates another public key S=HET. Finally, the signature z=cE+e is generated where cF2k and eF2n are random vector of Hamming weight w1 and w2. The generation of the signature is described in Fig. 2.

Since permutation matrices do not change the Hamming weight of vectors, the Hamming weight of cP1 is still w1. The Hamming weight of cP1Ri must be less than or equal to nk for i=1,2,,l. Thus the Hamming weight of cE is less than or equal to l(w1+nk). Eventually, the maximum Hamming weight of the signature z is l(w1+nk)+w2. Our construction is also able to guarantee l(w1+nk)+w2dGV by choosing proper security parameters.

The remainder of this paper is organized as follows. In Section 2, we present some preliminaries required in this paper. Section 3 describes a Weight Restricted Hash (WRH) function. Section 4 presents our signature scheme and the computational cost. Section 5 presents security analysis of our signature scheme. In Section 6, we set security parameters of our signature scheme. We conclude this paper in Section 7.

Section snippets

Notations

We say that an adversary is a PPT adversary if it is a probabilistic polynomial-time adversary. If X is a finite set, x$X denotes that x is chosen uniformly from set X. The logarithm log is of base 2. We say that a function f: NR+{0} is a negligible function if for any polynomial p() there exists k0N such that for all k>k0 it holds that f(k)<1/p(k). Vectors (resp. matrices) are represented by lower-case (resp. upper-case) bold letters. We denote by [A|B] the horizontal concatenations of

Weight restricted hash function

In our signature scheme, we use Weight Restricted Hash (WRH) function proposed in the RaCoSS scheme [14] to generate a fixed-weight challenge. Although the RaCoSS scheme is broken [18], the hash function is secure as long as the range is large enough according to the analysis in [18].

It takes a byte string message m, a positive integer w, and a positive integer n as input. It outputs a bit string of length n and Hamming weight w. It uses SHA3-512 hash function to calculate the positions of 1.

Our digital signature scheme

In this section, we firstly recall the definition and the security model of digital signature scheme, and then give our digital signature scheme.

Analysis of the security

We mainly analyze the security of our scheme from the following aspects.

  • 1.

    Complexity of Recovering the Private Key. Given the public keys H and S=HET, we show that recovering the private key is hard, and each public key only corresponds to a unique private key by expanding the SD problem to the GSD problem.

  • 2.

    Randomness of the Public Key S. We extend the DSD problem to the General DSD (GDSD) problem, and show that, once given S, the adversary is not able to distinguish whether S is a random matrix

Security parameters

In this section, we choose sets of parameters according to the classical information set decoding algorithm [22].

Conclusions

In this paper, we proposed a new code-based signature scheme by adopting a lattice-based Lyubashevsky's framework [17]. Our technique can ensure that the Hamming weight of each row of the private key matrix is below the GV bound instead of fixed weight. In addition, this technique can generate signatures whose maximum Hamming weight is below the GV bound of random codes with the public key matrix as parity-check matrix.

In order to analyze the security of our scheme in detail, we introduced the

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This work was supported by National Natural Science Foundation of China (Grant Nos. 61822202, 61872087, 61841701, 61902070, and 61872089).

References (44)

  • P.W. Shor

    Algorithms for quantum computation: discrete logarithms and factoring

  • R.J. Mceliece

    A Public-Key Cryptosystem Based on Algebraic Coding Theory

    (1978)
  • H. Niederreiter

    Knapsack-type cryptosystems and algebraic coding theory

    Probl. Control Inf. Theory

    (1986)
  • Y. Li et al.

    On the equivalence of McEliece's and Niederreiter's public-key cryptosystems

    IEEE Trans. Inf. Theory

    (1994)
  • E.R. Berlekamp et al.

    On the inherent intractability of certain coding problems (corresp.)

    IEEE Trans. Inf. Theory

    (1978)
  • N. Courtois et al.

    How to achieve a McEliece-based digital signature scheme

  • T. Debris-Alazard et al.

    A new family of trapdoor one-way preimage sampleable functions based on codes

  • P. Gaborit et al.

    RankSign: an efficient signature algorithm based on the rank metric

  • T. Debris-Alazard et al.

    Two attacks on rank metric code-based schemes: RankSign and an IBE scheme

  • J. Stern

    A new identification scheme based on syndrome decoding

  • P. Cayrel et al.

    A zero-knowledge identification scheme based on the q-ary syndrome decoding problem

  • E. Persichetti

    Improving the Efficiency of Code-Based Cryptography

    (2012)
  • E. Persichetti

    Efficient one-time signatures from quasi-cyclic codes: a full treatment

    Cryptography

    (2018)
  • K. Fukushima et al.

    Random code-based signature scheme (RaCoSS). First round submission to the NIST post-quantum cryptography call

  • P.S. Roy et al.

    Code-Based Signature Scheme Without Trapdoors

    (2018)
  • N. Aragon et al.

    Durandal: a rank metric based signature scheme

  • V. Lyubashevsky

    Lattice signatures without trapdoors

  • D.J. Bernstein et al.

    Comments on RaCoSS. A submission to NISTaAZs PQC competition

  • K. Xagawa

    Practical attack on RaCoSS-R, IACR cryptology ePrint archive

  • J. Deneuville et al.

    Cryptanalysis of a code-based one-time signature, IACR cryptology ePrint archive

  • P. Santini et al.

    Cryptanalysis of a one-time code-based digital signature scheme

  • E. Prange

    The use of information sets in decoding cyclic codes

    IRE Trans. Inf. Theory

    (1962)
  • Cited by (17)

    • Post-quantum Secure Stateful Deterministic Wallet from Code-Based Signature Featuring Uniquely Rerandomized Keys

      2023, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    • A code-based hybrid signcryption scheme

      2023, Journal of Mathematical Cryptology
    View all citing articles on Scopus

    Fully documented templates are available in the elsarticle package on CTAN.

    View full text