MIRANDA: short signatures from a leakage-free full-domain-hash scheme
Alain Couvreur, Thomas Debris-Alazard, Philippe Gaborit, Adrien Vinçotte
TL;DR
Miranda introduces a quantum-resistant FDH signature family built on matrix codes by integrating the GPV trapdoor framework with an AddRemove masking of Gabidulin codes. The core idea is to decode a public, randomly masked code by sampling a random component from a trapdoor code, yielding many preimages while preserving uniformity to prevent leakage of the trapdoor. The scheme achieves short signatures (as small as ~90 bytes) and moderate public-key sizes (~2.6 MB) at 128-bit classical security, with signing that can be parallelized and does not require rejection sampling. Miranda’s security relies on the hardness of inverting a MinRank-type problem in the masked-code setting, complemented by an average trapdoor preimage sampling property proven via the leftover hash lemma, making the signatures non-informative about the trapdoor. Beyond Gabidulin codes, the authors show the framework can accommodate any code that decodes uniquely, offering a versatile approach to secure, FDH-based signatures in the post-quantum era.
Abstract
We present $\mathsf{Miranda}$, the first family of full-domain-hash signatures based on matrix codes. This signature scheme fulfils the paradigm of Gentry, Peikert and Vaikuntanathan ($\mathsf{GPV}$), which gives strong security guarantees. Our trapdoor is very simple and generic: although we propose it with matrix codes, it can be instantiated in many other ways, since it only involves a subcode of a decodable code (or lattice) in a unique-decoding regime of parameters. Though the $\mathsf{Miranda}$ signing algorithm relies on a decoding task with exactly one solution, there are many possible signatures for a given message, and we ensure that signatures do not leak information about the underlying trapdoor by means of a very simple procedure that draws a small number of uniform bits. In particular, $\mathsf{Miranda}$ does not use rejection sampling, which makes its implementation very simple, in contrast to other $\mathsf{GPV}$-like signature schemes such as $\mathsf{Falcon}$ or even $\mathsf{Wave}$. We instantiate $\mathsf{Miranda}$ with the well-known family of Gabidulin codes represented as spaces of matrices, and we thoroughly study its security in the EUF-CMA security model. For $128$ bits of classical security, the signature sizes are as low as $90$ bytes and the public key sizes are on the order of $2.6$ megabytes.
