Code-based cryptosystems, introduced by McEliece in 1978 , rely on the hardness of the SDP, which has been proven to be NP-complete for general random codes . The best SDP solvers for general codes, known as ISD algorithms, were first introduced by Prange in 1962  and have been significantly improved over the years (see [4, 5] and references therein). However, all current ISD algorithms have exponential complexity, even when implemented on quantum computers . Since the SDP is one of the oldest and most studied hard problems, and no polynomial-time solver is currently known, code-based cryptosystems are among the most promising solutions for post-quantum cryptography .
However, designing a secure and efficient digital signature scheme based on coding theory is still an open problem. The main difficulty is that, typically, in these systems the plaintext and ciphertext domains do not coincide. Therefore, applying decryption to a generic string, for example one obtained through a hash function, may fail unless special solutions are adopted. Proposals trying to address this issue have turned out to be either inefficient or insecure (or both, in the worst cases). Clear evidence of the difficulty of finding efficient code-based digital signature schemes is the fact that no proposal of this type has survived within the National Institute of Standards and Technology (NIST) competition for the standardization of post-quantum primitives .
Historically, the first digital signature scheme based on error correcting codes is the Courtois-Finiasz-Sendrier (CFS) scheme , which uses high-rate Goppa codes and follows a hash-and-sign approach. This scheme is known to be impractical, since it has some security flaws (high-rate Goppa codes can be distinguished from random codes ) and requires very large public keys and long signing times.
In particular, some schemes might suffer from statistical attacks, i.e., procedures that can break the system through the observation of a sufficiently large number of signatures. In such a case, the attacked systems are reduced to few-time signature schemes or, in the most conservative assumption, to one-time schemes (each key pair is refreshed after just one signature). For instance, the BBC scheme proposed in , which is based on LDGM codes, has been cryptanalyzed in  with a procedure that allows forging valid signatures after the observation of thousands of signatures, which limits the lifetime of its key pairs . Another recent proposal is Wave , based on generalized codes. A cryptanalysis of Wave based on the statistical analysis of hundreds of signatures has been proposed in . However, such a procedure has been disproved in , since it refers to a degraded version of the scheme.
In this paper, we consider a one-time signature scheme that was recently proposed by Persichetti . Such a scheme is obtained as a modification of Stern’s identification protocol , and relies on QC codes, which allow for both compact keys and low computational complexity. However, as we show afterwards, this scheme suffers from an attack which leads to a full recovery of the secret key and whose complexity is far below the claimed security level. Our attack is based on a statistical analysis performed on a single signature, combined with an ISD algorithm.
is based on BF decoding, which has the advantage of being very fast compared to other decoders. However, the success probability of BF decoding cannot be predicted analytically. Moreover, in case of a decoding failure, it is not possible to perform further randomized decoding attempts through BF. Differently from , our attack exploits ISD, which allows us to obtain a closed-form formula for the average number of iterations and the corresponding complexity needed for a successful attack, both of which depend only on the system parameters. So, while the feasibility of the attack in  can only be assessed through numerical simulations, we do not rely on simulations: through a theoretical approach, we show that the security of the scheme is reduced to the complexity of an SDP instance, which is far below any reasonable security level. In particular, our analysis shows how the security of the system is related to the hardness of solving an SDP instance in which the weight of the searched vector is particularly low. Through this approach, we can make general statements about the effectiveness of the attack on modified parameter sets, showing that meaningful security levels cannot be achieved even by resorting to extreme choices of the parameters.
We denote as the polynomial ring , where is an integer and is a symbolic variable. We use bold letters to denote vectors over , in the form , with . Each can be unambiguously represented as a vector in the form
where is the -th coefficient of the -th polynomial, , in . Let be the binary field. Given a vector over , we denote as the vector obtained by lifting its entries over the integer domain ; the same notation is used for vectors of polynomials. Operations involving lifted vectors are performed in the integer domain (i.e., ). Given a polynomial , we define its Hamming weight, , as the number of its non-null coefficients. For a vector of polynomials , the Hamming weight corresponds to the sum of the Hamming weights of its elements. The support of a polynomial , denoted as , is the set containing the indexes of the non-null coefficients of . Clearly, the Hamming weight of a polynomial corresponds to the cardinality of its support.
We denote as
the uniform distribution over all binary -tuples with weight . Then, the expression means that is randomly picked among all the elements of . Since the distribution is uniform, each vector of weight is picked with probability . In the following, we consider only the case . With some abuse of notation, the expression means that is randomly picked among all pairs of polynomials whose coefficient vectors are in , each with Hamming weight .
III System description
The one-time digital signature scheme we are considering is built upon a public polynomial , which is fixed by the protocol. We denote as the function that takes as input a vector and outputs . The scheme additionally requires a hash function that takes as input and outputs a weight- polynomial. The parameters of the scheme are the integers , , , (with ).
The key generation is shown in Algorithm 1; the signing key (i.e., secret key) is a vector , such that . The verification key (i.e., public key) is obtained through the application of on the secret key. The signature generation and verification are shown, respectively, in Algorithms 2 and 3. The signature verification algorithm returns a boolean variable that is false when the signature is valid and true otherwise.
III-A Security analysis
The security of the scheme is based on the hardness of the SDP that, in the binary case, is defined as follows.
Syndrome Decoding Problem
Given , and , find such that and .
The SDP is a well-known problem in coding theory, and has been proven to be NP-complete ; in particular, the solution of the SDP can be unique only when does not exceed the Gilbert-Varshamov (GV) distance , which is defined as the greatest integer such that . When , the best solvers for the SDP are ISD algorithms, whose complexity depends crucially on and on the code rate.
The security of the scheme relies on the fact that inverting requires solving an SDP instance. Let be the QC matrix obtained by concatenating the identity with the circulant matrix having as its first column. Let and denote, respectively, the vectors associated with the secret and the public key; then, the following relation holds
An opponent trying to recover the secret key must solve an SDP instance; thus, the weight of cannot be smaller than some security threshold. In the verification procedure, a crucial aspect is the weight of , whose maximum value is . Indeed, the authenticity of the signature is guaranteed if there is only one vector such that
since this proves that has been computed through the signing key. Then, a necessary condition for such a vector to be unique is
Obviously, the system is also fully broken if the opponent can perform ISD on ; thus, also cannot be lower than some security threshold.
Finally, we must take into account that is obtained through linear operations involving sparse polynomials, one of which is , which is part of the signature and is hence public. In , the possibility of attacks exploiting these facts has been considered; for this reason, the scheme has been proposed only as a one-time signature. However, as we show next, the analysis of a single signature, combined with an ISD algorithm, is enough to recover the secret key.
IV An efficient key recovery attack
Recall that the signature is composed of the pair , with . Let us write
where contains distinct integers.
An opponent can compute the polynomials , for and for all ; we have
The opponent can then lift all such polynomials to the integer domain, and compute the sum
for . We expect high coefficients in to be associated to ones in . In fact, all polynomials are obtained as the sum of with other sparse polynomials that depend on the shift . Hence, if an entry belongs to the support of a large number of polynomials , then it also belongs to the support of with high probability.
The opponent can exploit this fact to estimate the coefficients of . In particular, let be a vector with coefficients
where is an integer . The vector represents an estimate of , whose accuracy depends on the choice of .
The opponent can then compute
where . If , then , otherwise ISD can be used to obtain from , and then the secret key can be recovered as .
The complexity of the whole attack depends crucially on the weight of , which is related to the accuracy of the estimate . As shown in the next section, for the system we consider it is always possible to choose such that the weight of is very small with high probability.
IV-A Attack complexity
Let us denote as and the weights of and , respectively. A specific weight partition is uniquely determined by and , as and . The probability of having this partition is
Recall (IV), and let us define
from which . Let be the probability that a particular coefficient in the sum is null. We can assume that each is a random polynomial with weight , and define
such that can be estimated as
Each null coefficient in results in a match between and ; thus, the probability that a set coefficient in is also set in can be estimated as
Similarly, the probability that a null coefficient in is set in can be obtained as
Let us denote as and as the number of coefficients that are correctly and incorrectly set in ; then, we have
Let us define
The probability that has weight results in
where . Let , then
Through the probability distribution of , we can estimate the effectiveness and the complexity of our cryptanalysis. The first part of the attack consists of the computation of : since it only involves a limited number of shifts, multiplications and sums, we can neglect the complexity of this step. If , then the opponent has already fully recovered the secret key. In all other cases, the opponent applies ISD to , in order to determine the vector , whose weight is unknown and distributed according to Eq. (IV-A). For the sake of simplicity, we consider the Lee-Brickell ISD algorithm , which takes as input an integer and, at each iteration, picks an information set and tests all patterns having at most ones in the selected positions: an iteration is successful if the selected information set contains at most errors. In particular, the complexity of each iteration can be estimated as
Let denote the probability of success for a single iteration. Then, we have
where is a sufficiently large integer. The average complexity of ISD can then be estimated as
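As an added worked example (not code from the paper, nor from Persichetti's implementation), the following Python script runs the scheme of Section III and the attack of Section IV end to end on a toy parameter set, and then feeds the weight of the residual vector into the Lee-Brickell iteration count discussed in this section. Everything not stated in the text is an assumption: the ring F_2[x]/(x^p - 1) with p = 2003, w = 15, δ = 11 and weight-5 ephemeral blocks are toy values chosen for a fast run rather than the proposed parameters; the hash is a SHA-256-seeded sampler of weight-δ polynomials; the secret is x = (x_0, x_1) with both blocks of weight w, the public key is s = x_0 + h x_1, and the signature is (c, z) with z_i = e_i + c x_i. Polynomials are Python integers, bit k being the coefficient of x^k; the sample message is constructed.

```python
"""Toy end-to-end run of the scheme of Section III and the attack of Section IV.

Added example: not code from the paper nor from Persichetti's implementation. Toy
stand-ins (assumptions): P, W, DELTA, W_E below; x = (x0, x1) with wt(x0) = wt(x1) = W;
s = x0 + h*x1; c = H(m, F(e)) of weight DELTA; signature (c, z) with z_i = e_i + c*x_i.
Polynomials over F_2[x]/(x^P - 1) are Python ints, bit k being the coefficient of x^k.
"""
import hashlib
import math
import random

P, W, DELTA, W_E = 2003, 15, 11, 5   # toy parameters, not the proposed ones
MASK = (1 << P) - 1

def rotl(a, k):
    """a * x^k in the ring: cyclic left rotation of the coefficient vector."""
    k %= P
    return ((a << k) | (a >> (P - k))) & MASK

def mul(a, b):
    """a * b in the ring, iterating over the set bits of b (pass the sparse operand as b)."""
    acc = 0
    while b:
        k = (b & -b).bit_length() - 1   # index of the lowest set bit
        acc ^= rotl(a, k)
        b &= b - 1
    return acc

def weight(a):
    return bin(a).count("1")

def random_weight(rng, t):
    """Uniform ring element with exactly t non-null coefficients."""
    return sum(1 << k for k in rng.sample(range(P), t))

def syndrome(h, v):
    """F(v) = v0 + h*v1: the QC syndrome used for the keys and in verification."""
    return v[0] ^ mul(h, v[1])

def hash_to_challenge(msg, y):
    """Toy stand-in for the scheme's hash: (msg, y) -> weight-DELTA polynomial."""
    d = hashlib.sha256(msg + y.to_bytes((P + 7) // 8, "big")).digest()
    return random_weight(random.Random(int.from_bytes(d, "big")), DELTA)

def keygen(rng, h):
    x = (random_weight(rng, W), random_weight(rng, W))
    return x, syndrome(h, x)

def sign(rng, h, x, msg):
    e = (random_weight(rng, W_E), random_weight(rng, W_E))
    c = hash_to_challenge(msg, syndrome(h, e))
    return c, (e[0] ^ mul(x[0], c), e[1] ^ mul(x[1], c))

def verify(h, s, msg, sig):
    c, z = sig
    if max(weight(z[0]), weight(z[1])) > W_E + DELTA * W:   # largest weight a valid z can have
        return False
    y = syndrome(h, z) ^ mul(s, c)   # = F(e), since F is linear over the ring and F(x) = s
    return hash_to_challenge(msg, y) == c

def estimate_secret(sig, t):
    """Attack step: shift z_i by x^{-j} for every j in Supp(c), lift to the integers, sum the
    shifted copies and keep the coefficients whose count reaches the threshold t."""
    c, z = sig
    support_c = [k for k in range(P) if (c >> k) & 1]
    est = []
    for zi in z:
        counts = [0] * P
        for j in support_c:
            back = rotl(zi, P - j)   # zi * x^{-j} = x_i + e_i*x^{-j} + other sparse shifts of x_i
            while back:
                k = (back & -back).bit_length() - 1
                counts[k] += 1
                back &= back - 1
        est.append(sum(1 << k for k in range(P) if counts[k] >= t))
    return tuple(est)

def lee_brickell_iterations(n, k, t, p):
    """Expected Lee-Brickell iterations to find a weight-t vector in an [n, k] code when an
    iteration succeeds iff at most p of the t errors fall in the chosen information set."""
    good = sum(math.comb(k, i) * math.comb(n - k, t - i) for i in range(min(p, t) + 1))
    return math.comb(n, t) / good

def run_attack(seed=2019, t=7, msg=b"constructed one-time message"):
    rng = random.Random(seed)
    h = rng.getrandbits(P)   # public polynomial fixed by the protocol
    x, s = keygen(rng, h)
    sig = sign(rng, h, x, msg)
    est = estimate_secret(sig, t)
    resid = (x[0] ^ est[0], x[1] ^ est[1])   # x + x~: what ISD must find (known here only because we hold x)
    resid_wt = weight(resid[0]) + weight(resid[1])
    return {
        "genuine_verifies": verify(h, s, msg, sig),
        "secret_weight": 2 * W,
        "residual_weight": resid_wt,
        "residual_syndrome_matches": syndrome(h, est) ^ s == syndrome(h, resid),  # F(x~)+s = F(x+x~)
        "full_recovery_without_isd": resid_wt == 0,
        "isd_iterations_for_residual": lee_brickell_iterations(2 * P, P, resid_wt, 1),
        "isd_iterations_for_secret": lee_brickell_iterations(2 * P, P, 2 * W, 1),
    }
```

Calling `run_attack()` returns the weight of x + x̃ (the vector ISD would have to find) next to the weight of x itself, and checks that F(x̃) + s equals F(x + x̃), i.e. that the estimate turns the original SDP instance into one of much lower weight. The threshold t is the knob from the text: raising it trades missed ones of x for fewer spurious ones in x̃, and the returned residual weight shows which choice works for these toy parameters.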
As we show next, for all the instances proposed in  we can determine a value of for which either holds with high probability or applying ISD to has extremely low complexity. In particular, these statements are motivated by the fact that, with overwhelming probability, has an extremely low weight, such that finding it through an ISD algorithm requires just a small number of iterations.
In Fig. 1 we report the distribution of the weights of for two instances proposed in . The empirical distributions have been obtained through numerical simulations on pairs of verification keys and signatures, and have been compared with the theoretical ones given by (IV-A), showing excellent agreement everywhere. As we can see, the weight of takes very low values with high probability. This is clear evidence of the weakness of the system against the attack.
In Table I we consider the applicability of the attack to the instances proposed in ; as we can see, all the instances can be completely broken. Indeed, always has high values: thus, with non-negligible probability, the secret key can be fully recovered without invoking ISD. When , it is highly probable that has an extremely low weight: this results in very high values of , only slightly influenced by the choice of (i.e., choosing is already enough to guarantee ). This means that the application of ISD normally requires a very limited number of operations.
We can also show that changing the system parameters is not enough to significantly raise the security level of the scheme. To give evidence of this fact, we have considered the case , for which , and tested different values of , and . The results are reported in Table II. As we can see, there are no significant changes in the security of the system. In particular, the last three instances in the table have been designed with a maximum weight of close to . This choice is clearly extreme since, as explained in Section III, in this way the uniqueness of the signature is no longer achievable. One might think of modifying the protocol to account for this possibility in the signature verification algorithm. However, our results should discourage such an attempt.
We have discussed a serious weakness of a recently proposed one-time digital signature scheme. Our analysis shows that the secret key can be fully recovered with very low complexity, and that changes in the system parameters are not able to restore meaningful security levels. We point out that, with a few modifications, our attack procedure can be applied to structures other than the QC one, because it exploits the sparsity of the signature. As this is an inherent feature of the considered scheme, restoring its security might require deep structural changes.
-  R. J. McEliece, “A public-key cryptosystem based on algebraic coding theory.” DSN Progress Report, pp. 114–116, 1978.
-  E. Berlekamp, R. McEliece, and H. van Tilborg, “On the inherent intractability of certain coding problems,” IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 384–386, May 1978.
-  E. Prange, “The use of information sets in decoding cyclic codes,” IRE Trans. Inf. Theory, vol. 8, no. 5, pp. 5–9, 1962.
-  J. Stern, “A method for finding codewords of small weight,” in Coding Theory and Applications, ser. Lecture Notes in Computer Science, G. Cohen and J. Wolfmann, Eds. Springer Verlag, 1989, vol. 388, pp. 106–113.
-  A. Becker, A. Joux, A. May, and A. Meurer, “Decoding random binary linear codes in : How 1 + 1 = 0 improves information set decoding,” in Advances in Cryptology - EUROCRYPT 2012, ser. Lecture Notes in Computer Science, D. Pointcheval and T. Johansson, Eds. Springer Verlag, 2012, vol. 7237, pp. 520–536.
-  D. J. Bernstein, “Grover vs. McEliece,” in Post-Quantum Cryptography, N. Sendrier, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 73–80.
-  L. Chen, Y.-K. Liu, S. Jordan, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone, “Report on post-quantum cryptography,” National Institute of Standards and Technology, Tech. Rep. NISTIR 8105, 2016.
-  National Institute of Standards and Technology. (2016, Dec.) Post-quantum crypto project. [Online]. Available: http://csrc.nist.gov/groups/ST/post-quantum-crypto/
-  N. T. Courtois, M. Finiasz, and N. Sendrier, “How to achieve a McEliece-based digital signature scheme,” Advances in Cryptology - ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, pp. 157–174, 2001.
-  J.-C. Faugère, A. Otmani, L. Perret, and J.-P. Tillich, “A distinguisher for high rate McEliece cryptosystems,” in Proc. IEEE Information Theory Workshop (ITW), Paraty, Brazil, Oct. 2011, pp. 282–286.
-  M. Baldi, M. Bianchi, F. Chiaraluce, J. Rosenthal, and D. Schipani, “Using LDGM codes and sparse syndromes to achieve digital signatures,” in Post-Quantum Cryptography, P. Gaborit, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 1–15.
-  A. Phesso and J.-P. Tillich, “An efficient attack on a code-based signature scheme,” in Post-Quantum Cryptography, T. Takagi, Ed. Cham: Springer International Publishing, 2016, pp. 86–103.
-  M. Baldi, A. Barenghi, F. Chiaraluce, G. Pelosi, J. Rosenthal, P. Santini, and D. Schipani, “Design and implementation of a digital signature scheme based on low-density generator matrix codes,” 2018, arXiv eprint 1807.06127.
-  T. Debris-Alazard, N. Sendrier, and J.-P. Tillich. (2018) Wave: A new code-based signature scheme. Cryptology ePrint Archive, Report 2018/996. [Online]. Available: https://eprint.iacr.org/2018/996.pdf
-  P. S. L. M. Barreto and E. Persichetti. (2018) Cryptanalysis of the wave signature scheme. Cryptology ePrint Archive, Report 2018/1111. [Online]. Available: https://eprint.iacr.org/2018/1111.pdf
-  T. Debris-Alazard, N. Sendrier, and J.-P. Tillich. (2018) This is not an attack on wave. Cryptology ePrint Archive, Report 2018/1216. [Online]. Available: https://eprint.iacr.org/2018/1216.pdf
-  E. Persichetti, “Efficient one-time signatures from quasi-cyclic codes: A full treatment,” Cryptography, vol. 2, no. 4, 2018. [Online]. Available: http://www.mdpi.com/2410-387X/2/4/30
-  J. Stern, “A new identification scheme based on syndrome decoding,” in Advances in Cryptology — CRYPTO’ 93, D. R. Stinson, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1994, pp. 13–21.
-  J.-C. Deneuville and P. Gaborit, “Cryptanalysis of a code-based one-time signature,” Dec 2018, https://hal.archives-ouvertes.fr/hal-01961491. [Online]. Available: https://hal.archives-ouvertes.fr/hal-01961491
-  P. Lee and E. Brickell, “An observation on the security of McEliece’s public-key cryptosystem,” in Advances in Cryptology - EUROCRYPT 88. Springer Verlag, 1988, pp. 275–280.