Cryptanalysis of a code-based full-time signature
Nicolas Aragon, Marco Baldi, Jean-Christophe Deneuville, Karan Khathuria, Edoardo Persichetti, Paolo Santini

TL;DR
This paper presents a practical key-recovery attack on a code-based signature scheme: the two kinds of columns in the private key bias the distribution of set bits in signatures, and that bias lets an attacker recover the private key from as few as 10 signatures.
Contribution
The paper introduces a cryptanalysis of the SHMWW code-based signature scheme that exploits a distribution bias in its signatures, showing that a handful of collected signatures suffices to recover the private key.
Findings
The attack successfully recovers the private key with 10 signatures.
The private key mixes identity-matrix columns with random columns, and the two column types produce a strong, key-dependent bias in the set bits of signatures.
It confirms the difficulty of creating secure, efficient code-based signatures comparable to lattice-based solutions.
Abstract
We present an attack against a code-based signature scheme based on the Lyubashevsky protocol that was recently proposed by Song, Huang, Mu, Wu and Wang (SHMWW). The private key in the SHMWW scheme contains columns coming in part from an identity matrix and in part from a random matrix. The existence of two types of columns leads to a strong bias in the distribution of set bits in produced signatures. Our attack exploits this bias to recover the private key from a set of collected signatures. We provide a theoretical analysis of the attack along with experimental evaluations, and we show that collecting as few as 10 signatures is enough to recover the private key. As with previous attempts to adapt Lyubashevsky's protocol to code-based cryptography, the SHMWW scheme is thus shown to be unable to provide acceptable security. This confirms that devising…
Taxonomy
Topics: Cryptography and Data Security · graph theory and CDMA systems · DNA and Biological Computing
