An Efficient Attack on All Concrete KKS Proposals

Kabatianskii, Krouk and Smeets proposed in 1997 a digital signature scheme based on a pair of random error-correcting codes. A variation of this scheme was proposed recently and was proved to be EUF-1CMA secure in the random oracle model. In this paper we investigate the security of these schemes and suggest a simple attack based on (essentially) Stern's algorithm for finding low-weight codewords. It efficiently recovers the private key of all schemes of this type existing in the literature. This is basically due to the fact that we can define a code from the available public data with unusual properties: it has many codewords whose support is concentrated in a rather small subset. In such a case, Stern's algorithm performs much better, and we provide a theoretical analysis substantiating this claim. Our analysis actually shows that the insecurity of the proposed parameters is related to the fact that the rates of the two random codes used in the scheme were chosen too close to each other. This does not compromise the security of the whole KKS scheme. It just points out that the region of weak parameters is really much larger than previously thought.
