SURF: A new code-based signature scheme

We present here a new code-based digital signature scheme. This scheme uses (U,U+V) codes where both U and V are random. We show that the distribution of signatures is uniform by suitable rejection sampling. This is one of the key ingredients for our proof that the scheme achieves existential unforgeability under adaptive chosen message attacks (EUF-CMA) in the random oracle model (ROM) under two assumptions from coding theory, both strongly related to the hardness of decoding in a random linear code. Another crucial ingredient is the proof that the syndromes produced by (U,U+V) codes are statistically indistinguishable from random syndromes. Note that these two key properties are also required for applying a recent and generic proof for code-based signature schemes in the QROM model [CD17]. As noticed there, this allows one to instantiate the code family which is needed and yields a security proof of our scheme in the QROM. Our scheme also enjoys efficient signature generation and verification. For a (classical) security of 128 bits, the signature size is less than one kilobyte. Contrary to a current trend in code-based or lattice-based cryptography, which reduces key sizes by using structured codes or lattices based on rings, we avoid this here and still get reasonable public key sizes (less than 2 megabytes for the aforementioned security level). Our key sizes compare favorably with TESLA-2, which is an (unstructured) lattice-based signature scheme that also has a security reduction in the QROM model. This gives the first practical signature scheme based on binary codes which comes with a security proof and which scales well with the security parameter: for a security level of 2^λ, the signature size is of order O(λ), public key size is of order O(λ), signature generation cost is of order O(λ), and signature verification cost is of order O(λ).
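To make the (U,U+V) trapdoor described above concrete, here is an added toy example; it is not the paper's code, and the tiny parameters, the systematic-form random matrices and the bare Prange solver are my own simplifications. It builds the parity-check matrix of a (U|U+V) code from random U and V, and shows how decoding a syndrome of the full code splits into one decoding problem on V and one on U; the weight targets and rejection sampling that SURF uses to make signatures uniform are deliberately left out.

```python
import random

def syndrome(H, e):
    """H * e^T over GF(2), as a list of bits."""
    return [sum(h & x for h, x in zip(row, e)) & 1 for row in H]

def random_parity_check(r, n, rng):
    """Random r x n binary matrix in systematic form [I_r | R]: full rank by construction."""
    return [[int(i == j) for j in range(r)] + [rng.randrange(2) for _ in range(n - r)] for i in range(r)]

def solve_syndrome(H, s, rng):
    """Some e with H*e^T = s: random column order (an information set), row-reduce the
    augmented system, zero the free positions.  Bare Prange decoding with no weight control."""
    r, n = len(H), len(H[0])
    order = rng.sample(range(n), n)
    A = [[row[c] for c in order] + [s[i]] for i, row in enumerate(H)]
    pivots = []
    for col in range(n):
        k = len(pivots)
        piv = next((i for i in range(k, r) if A[i][col]), None)
        if piv is None:
            continue
        A[k], A[piv] = A[piv], A[k]
        for i in range(r):
            if i != k and A[i][col]:
                A[i] = [a ^ b for a, b in zip(A[i], A[k])]
        pivots.append(col)
    e = [0] * n
    for i, col in enumerate(pivots):
        e[order[col]] = A[i][-1]
    return e

def uuv_parity_check(HU, HV):
    """Parity-check matrix of the (U | U+V) code: block rows [HU | 0] and [HV | HV]."""
    return [row + [0] * len(row) for row in HU] + [row + row for row in HV]

def uuv_decode(HU, HV, s, rng):
    """Trapdoor decoding: H*(e1,e2)^T = (HU*e1^T, HV*(e1+e2)^T).  Solve the V half for e1+e2
    and the U half for e1, then e2 = e1 + (e1+e2); SURF adds weight targets and rejection sampling here."""
    e_sum = solve_syndrome(HV, s[len(HU):], rng)
    e1 = solve_syndrome(HU, s[:len(HU)], rng)
    return e1 + [a ^ b for a, b in zip(e1, e_sum)]

def demo(seed=7, half=12, rU=5, rV=4):
    """Constructed toy instance; True if the decoded e reproduces the target syndrome."""
    rng = random.Random(seed)
    HU, HV = random_parity_check(rU, half, rng), random_parity_check(rV, half, rng)
    H = uuv_parity_check(HU, HV)
    s = [rng.randrange(2) for _ in range(rU + rV)]  # stands in for the hashed message
    return syndrome(H, uuv_decode(HU, HV, s, rng)) == s
```

Verification in the real scheme is exactly the last line: recompute the hash, multiply by the public parity-check matrix, and check the weight of e, which is why only the split into HU and HV needs to stay secret.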

[1]  Jean-Pierre Tillich,et al.  Using Reed-Solomon codes in the (U | U + V ) construction and an application to cryptography , 2016, 2016 IEEE International Symposium on Information Theory (ISIT).

[2]  Erdem Alkim,et al.  Revisiting TESLA in the Quantum Random Oracle Model , 2017, PQCrypto.

[3]  Antoine Joux,et al.  Cryptanalysis of a Provably Secure Cryptographic Hash Function , 2004, IACR Cryptol. ePrint Arch..

[4]  Alexander May,et al.  On Computing Nearest Neighbors with Applications to Decoding of Binary Linear Codes , 2015, EUROCRYPT.

[5]  Alexander Barg,et al.  Complexity Issues in Coding Theory , 1997, Electron. Colloquium Comput. Complex..

[6]  E. Krouk,et al.  Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept , 2007 .

[7]  Ayoub Otmani,et al.  Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes , 2016, PQCrypto.

[8]  Alistair Sinclair,et al.  The Extended k-tree Algorithm , 2011, Journal of Cryptology.

[9]  Joachim Rosenthal,et al.  Using LDGM Codes and Sparse Syndromes to Achieve Digital Signatures , 2013, PQCrypto.

[10]  Jean-Pierre Tillich,et al.  Quantum Information Set Decoding Algorithms , 2017, PQCrypto.

[11]  Thierry P. Berger,et al.  A NP-Complete Problem in Coding Theory with Application to Code Based Cryptography , 2017, C2SI.

[12]  Jean-Charles Faugère,et al.  A Distinguisher for High-Rate McEliece Cryptosystems , 2011, IEEE Transactions on Information Theory.

[13]  Antoine Joux,et al.  Decoding Random Binary Linear Codes in 2^{n/20}: How 1+1=0 Improves Information Set Decoding , 2012, IACR Cryptol. ePrint Arch..

[14]  Jean-Pierre Tillich,et al.  An Efficient Attack of a McEliece Cryptosystem Variant Based on Convolutional Codes , 2013, PQCrypto.

[15]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[16]  Eugene Prange,et al.  The use of information sets in decoding cyclic codes , 1962, IRE Trans. Inf. Theory.

[17]  Martin Bossert,et al.  Code-Based Cryptosystems Using Generalized Concatenated Codes , 2015, ArXiv.

[18]  Thomas Johansson,et al.  On the complexity of some cryptographic problems based on the general decoding problem , 2002, IEEE Trans. Inf. Theory.

[19]  Enrico Thomae,et al.  Decoding Random Linear Codes in Õ(2^{0.054n}) , 2012 .

[20]  Gregory A. Kabatiansky,et al.  A Digital Signature Scheme Based on Random Error-Correcting Codes , 1997, IMACC.

[21]  Hugo Krawczyk,et al.  Leftover Hash Lemma, Revisited , 2011, IACR Cryptol. ePrint Arch..

[22]  Jacques Stern,et al.  A New Identification Scheme Based on Syndrome Decoding , 1993, CRYPTO.

[23]  Thomas Debris-Alazard,et al.  A tight security reduction in the quantum random oracle model for code-based signature schemes , 2017, IACR Cryptol. ePrint Arch..

[24]  Thomas Johansson,et al.  A New Version of McEliece PKC Based on Convolutional Codes , 2012, ICICS.

[25]  Rüdiger L. Urbanke,et al.  Polar Codes for Channel and Source Coding , 2009, ArXiv.

[26]  Paulo S. L. M. Barreto,et al.  One-time signature scheme from syndrome decoding over generic error-correcting codes , 2011, J. Syst. Softw..

[27]  Jacques Stern,et al.  A method for finding codewords of small weight , 1989, Coding Theory and Applications.

[28]  Jean-Pierre Tillich,et al.  An Efficient Attack on a Code-Based Signature Scheme , 2016, PQCrypto.

[29]  Nicolas Sendrier,et al.  Decoding One Out of Many , 2011, PQCrypto.

[30]  Jean-Sébastien Coron,et al.  Optimal Security Proofs for PSS and Other Signature Schemes , 2002, EUROCRYPT.

[31]  Gilles Zémor,et al.  New Results for Rank-Based Cryptography , 2014, AFRICACRYPT.

[32]  Pierre-Louis Cayrel,et al.  On Kabatianskii-Krouk-Smeets Signatures , 2007, WAIFI.

[33]  Erdal Arikan,et al.  Channel Polarization: A Method for Constructing Capacity-Achieving Codes for Symmetric Binary-Input Memoryless Channels , 2008, IEEE Transactions on Information Theory.

[34]  Philippe Gaborit,et al.  Efficient code-based one-time signature from automorphism groups with syndrome compatibility , 2012, 2012 IEEE International Symposium on Information Theory Proceedings.

[35]  Ayoub Otmani,et al.  An Efficient Attack on All Concrete KKS Proposals , 2011, PQCrypto.

[36]  Mihir Bellare,et al.  The Exact Security of Digital Signatures - How to Sign with RSA and Rabin , 1996, EUROCRYPT.

[37]  Nicolas Sendrier,et al.  Analysis of Information Set Decoding for a Sub-linear Error Weight , 2016, PQCrypto.

[38]  David A. Wagner,et al.  A Generalized Birthday Problem , 2002, CRYPTO.

[39]  Matthieu Finiasz,et al.  How to Achieve a McEliece-Based Digital Signature Scheme , 2001, ASIACRYPT.

[40]  Ilya Dumer,et al.  Soft-decision decoding of Reed-Muller codes: recursive lists , 2006, IEEE Transactions on Information Theory.

[41]  Adrien Hauteville,et al.  Identity-Based Encryption from Codes with Rank Metric , 2017, CRYPTO.

[42]  Matthieu Finiasz Parallel-CFS - Strengthening the CFS McEliece-Based Signature Scheme , 2010, Selected Areas in Cryptography.

[43]  Matthieu Finiasz,et al.  Security Bounds for the Design of Code-Based Cryptosystems , 2009, ASIACRYPT.

[44]  Jean-Pierre Tillich,et al.  A new signature scheme based on (U|U+V) codes , 2017, IACR Cryptol. ePrint Arch..

[45]  Danilo Gligoroski,et al.  McEliece in the world of Escher , 2014, IACR Cryptol. ePrint Arch..

[46]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.