Paper 2024/1137
Cryptanalysis of EagleSign
Abstract
EagleSign is one of the 40 “Round 1 Additional Signatures” that is accepted for consideration in the supplementary round of the Post-Quantum Cryptography standardization process, organized by NIST. Its design is based on structured lattices, and it boasts greater simplicity and performance compared to the two lattice signatures already selected for standardization: Falcon and Dilithium. In this paper, we show that those claimed advantages come at the cost of security. More precisely, we show that the distribution of EagleSign signatures leaks information about the private key, to the point that only a few hundred signatures on arbitrary known messages suffice for a full key recovery, for all proposed parameters. A related vulnerability also affects EagleSign-V2, a subsequent version of the scheme specifically designed to thwart the initial attack. Although a larger number of signatures is required for key recovery, the idea of the attack remains largely similar. Both schemes come with proofs of security that we show are flawed.
Note: This is the full version of a publication at SCN 2024.
Metadata
- Available format(s)
- Category
- Attacks and cryptanalysis
- Publication info
- Published elsewhere. Minor revision. SCN 2024
- Keywords
- EagleSign, Lattice-based signatures, Cryptanalysis, Fiat–Shamir with aborts
- Contact author(s)
- ludo pulles @ cwi nl, mehdi tibouchi @ ntt com
- History
- 2024-07-15: approved
- 2024-07-12: received
- See all versions
- Short URL
- https://ia.cr/2024/1137
- License
- CC0
BibTeX
@misc{cryptoeprint:2024/1137,
  author = {Ludo N. Pulles and Mehdi Tibouchi},
  title = {Cryptanalysis of {EagleSign}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/1137},
  year = {2024},
  url = {https://eprint.iacr.org/2024/1137}
}