This is Not an Attack on Wave

Very recently, a preprint “Cryptanalysis of the Wave Signature Scheme”, eprint 2018/1111, appeared claiming to break Wave “Wave: A New Code-Based Signature Scheme”, eprint 2018/996. We explain here why this claim is incorrect. Wave [3] is a new digital signature scheme which is proven EUF-CMA secure under two computational assumptions: 1. Hardness of multiple target decoding, DOOM [5], 2. Indistinguishability of generalized (U,U+V) codes. The proof uses the GPV approach [4]. In particular it is proven in Theorem 1 of [3] that the Wave signature function produces words uniformly distributed in Sw the set of ternary words of length n and Hamming weight exactly w. With this property, no amount of signatures, coming from a genuine Wave signature oracle, can reveal any information on the secret. We will refer to rejection sampling to describe the features introduced in Algorithm 3 and 4 of [3], and which ensure the uniform distribution of the signatures. What the preprint [1] basically does is: (1) implement a degraded Wave scheme by stripping off its rejection sampling, (2) collect signatures produced by the degraded signature function, (3) recover the secret key from the collected signatures, (4) in addition, there is a claim in the paragraph “*** Update” p. 3 (version 3) that the attack does not depend on the rejection sampling. The claim (4) is incorrect since the attack only exploits statistical correlations between pairs of positions in signatures. This bias of (U,U + V ) decoders was previously identified (see [2] p. 23, §5.1), and is provably removed in Wave by rejection sampling. Ignoring the features which remove the bias, and then using this bias to recover the secret key is pointless and is by no mean a valid attack on Wave.