
On the (In)security of optimized Stern-like signature schemes

André Chailloux, Simona Etinski

TL;DR

The paper analyzes Stern-like code-based signatures, focusing on optimizations that replace randomness with pseudo-random seeds and often use deterministic commitments. It demonstrates a vulnerability: with seed length $l_{seed}=\lambda$ and deterministic commitments, an attack runs in time $O(2^{\lambda/2})$ and undermines the claimed $\lambda$-bit security. To fix this, the authors propose a simple salt + index construction that uses a $2\lambda$-bit salt and a per-signature index, restoring $\lambda$-bit security (with only a $2\lambda$-bit signature-size increase) and ensuring multi-HVZK, hence EUF-CMA security via Fiat-Shamir. They also extend the framework to other optimizations, such as using Lee's metric and hash trees, showing how these can further reduce signature length while maintaining security. Overall, the work provides concrete guidance for securely balancing efficiency and post-quantum security in Stern-based schemes, with practical impact for next-generation code-based signatures.

Abstract

Stern's signature scheme is a historically important code-based signature scheme. A crucial optimization of this scheme is to generate pseudo-random vectors and a permutation instead of random ones, and most proposals that are based on Stern's signature use this optimization. However, its security has not been properly analyzed, especially when we use deterministic commitments. In this article, we study the security of this optimization. We first show that for some parameters, there is an attack that exploits this optimization and breaks the scheme in time $O(2^{\lambda/2})$ while the claimed security is $\lambda$ bits. This impacts in particular the recent Quasi-cyclic Stern signature scheme [BGMS22]. Our second result shows that there is an efficient fix to this attack. By adding a string $\mathit{salt} \in \{0,1\}^{2\lambda}$ to the scheme, and changing slightly how the pseudo-random strings are generated, we prove not only that our attack doesn't work but that for any attack, the scheme preserves $\lambda$ bits of security, and this fix increases the total signature size by only $2\lambda$ bits. We apply this construction to other optimizations on Stern's signature scheme, such as the use of Lee's metric or the use of hash trees, and we show how these optimizations improve the signature length of Stern's signature scheme.

Paper Structure (31 sections, 7 theorems, 25 equations)

Key Result

theorem 1

If we use seeds of size $\lambda$ and deterministic commitments in Stern's signature scheme, then there is an attack that recovers the secret key in time $O(2^{\lambda/2})$.
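The following toy Python model is an added illustration, not code from the paper: it models the generic seed-collision effect behind Theorem 1's $O(2^{\lambda/2})$ figure (a deterministic commitment computed from a $\lambda$-bit seed can be matched against a precomputed table, and the table amortizes over every observed commitment) and shows why the abstract's fix, a $2\lambda$-bit salt mixed into the pseudo-random derivation together with an index, removes that amortization. Assumed here: a toy $\lambda = 16$, a truncated SHA-256 as the commitment, and a salt that is fresh per signature; the actual key-recovery mechanics of the paper's attack are not on this page and are not modelled.

```python
import hashlib
import random

LAMBDA = 16                    # toy seed length in bits; the page's setting is l_seed = lambda
SEED_BYTES = LAMBDA // 8
SALT_BYTES = 2 * LAMBDA // 8   # the fix uses a salt of 2*lambda bits


def commit(data: bytes) -> bytes:
    """Deterministic commitment: a bare hash with no commitment randomness."""
    return hashlib.sha256(data).digest()[:16]


def plain_commitment(seed: bytes) -> bytes:
    """Optimized scheme as analysed: the commitment is a function of the lambda-bit seed only."""
    return commit(b"stern-round|" + seed)


def salted_commitment(salt: bytes, index: int, seed: bytes) -> bytes:
    """Fix modelled on the page (assumption: salt fresh per signature, index per commitment):
    a table built for one (salt, index) target says nothing about any other commitment."""
    return commit(b"stern-round|" + salt + index.to_bytes(4, "big") + seed)


def count_table_hits(n_table: int, n_observed: int, salted: bool, rng_seed: int = 7) -> int:
    """Multi-target birthday model: an offline table of n_table (commitment -> guessed seed)
    pairs is compared against n_observed honestly generated commitments. Returns how many
    observed commitments the table explains (constructed inputs, fixed RNG for repeatability)."""
    rng = random.Random(rng_seed)

    def rand_bytes(bits: int) -> bytes:
        return rng.getrandbits(bits).to_bytes(bits // 8, "big")

    # honest signer: one fresh seed (and, if salted, one fresh salt) per observed commitment
    observed = [(rand_bytes(2 * LAMBDA), rand_bytes(LAMBDA)) for _ in range(n_observed)]
    target_salt = observed[0][0]   # in the salted case the table can only aim at one target
    table = {}
    for _ in range(n_table):
        guess = rand_bytes(LAMBDA)
        c = salted_commitment(target_salt, 0, guess) if salted else plain_commitment(guess)
        table[c] = guess
    hits = 0
    for salt, seed in observed:
        c = salted_commitment(salt, 0, seed) if salted else plain_commitment(seed)
        hits += c in table
    return hits


def expected_hits(n_table: int, n_observed: int) -> float:
    """Unsalted estimate: each observed commitment lands in the table w.p. n_table / 2^lambda."""
    return n_table * n_observed / 2 ** LAMBDA
```

With 2048 table entries and 2048 observed commitments the unsalted model yields on the order of 64 hits, while the salted model yields at most the single hit its one target allows.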

Theorems & Definitions (22)

  • theorem 1
  • theorem 2
  • corollary 1
  • definition 1: Weight function from distance function
  • definition 2: Vector decomposition
  • lemma 1: Bo83
  • proposition 1: Reduction from SD to PKP
  • proof
  • definition 3: 3-round identification scheme
  • definition 4: Distributions of transcripts, honest behavior