Ratio Attack on G+G Convoluted Gaussian Signature
Chik How Tan, Theo Fanuela Prabowo, Wei Guo Foo

TL;DR
This paper introduces a ratio attack on the G+G convoluted Gaussian signature, demonstrating how to recover secret keys and challenging its claimed security, with practical simulations and implications for parameter choices.
Contribution
It presents a novel ratio attack exploiting the distribution of signatures to recover secret keys, and evaluates its effectiveness through simulations and analysis of the signature scheme.
Findings
The secret key can be recovered from the expected ratio of signatures.
The attack is effective with certain parameters, enabling key recovery.
The revised signature scheme remains vulnerable under specific conditions.
Abstract
A lattice-based signature, called G+G convoluted Gaussian signature, was proposed in ASIACRYPT 2023 and was proved secure in the quantum random oracle model. In this paper, we propose a ratio attack on the G+G convoluted Gaussian signature to recover the secret key and comment on the revised eprint paper. The attack exploits the fact, proved in this paper, that the secret key can be obtained from the expected value of the ratio of signatures which follows a truncated Cauchy distribution. Moreover, we also compute the number of signatures required to successfully recover the secret key. Furthermore, we simulate the ratio attack in SageMath with a few different parameters as a proof-of-concept of the ratio attack. In addition, although the revised signature in the revised eprint paper is secure against the ratio attack, we found that either a valid signature cannot be produced or a…
Taxonomy
Topics: Cryptography and Data Security · Chaos-based Image/Signal Encryption
