We present an attack against a code-based signature scheme based on the Lyubashevsky protocol that was recently proposed by Song, Huang, Mu, Wu and Wang (SHMWW). The private key in the SHMWW scheme contains columns coming in part from an identity matrix and in part from a random matrix. The existence of two types of columns leads to a strong bias in the distribution of set bits in produced signatures. Our attack exploits such a bias to recover the private key from a bunch of collected signatures. We provide a theoretical analysis of the attack along with experimental evaluations, and we show that as few as 10 signatures are enough to be collected for successfully recovering the private key. As for previous attempts of adapting Lyubashevsky's protocol to the case of code-based cryptography, the SHMWW scheme is thus proved unable to provide acceptable security. This confirms that devising secure code-based signature schemes with efficiency comparable to that of other post-quantum solutions (e.g., based on lattices) is still a challenging task.
翻译:我们根据Song、Huang、Mu、Wu和Wang(SHMWW)最近提出的基于代码的签字计划提出攻击。SHMW计划中的私人钥匙包含部分来自身份矩阵的柱子,部分来自随机矩阵的柱子。两种类型的柱子的存在导致在所制作的签名中分配设定比特的强烈偏差。我们的攻击利用这种偏差从收集的签名群中收回私人钥匙。我们提供了对攻击的理论分析,并同时进行了实验性评价,我们表明,只有10个签名足以收集到成功恢复私人钥匙。正如以往试图将Lyubashevsky的协议改写成基于代码的加密程序一样,SHMMWW计划因此证明无法提供可接受的安全。这证明,设计基于代码的安全签名计划的效率与其他区后解决方案(例如,基于拉特)的效率相当,仍是一项艰巨的任务。