Paper 2024/1297
Improved Cryptanalysis of SNOVA
Abstract
SNOVA is a multivariate signature scheme submitted to the NIST project for additional signature schemes by Cho, Ding, Kuan, Li, Tseng, Tseng, and Wang. With small key and signature sizes and good performance, SNOVA is one of the more efficient schemes in the competition, which makes SNOVA an important target for cryptanalysis.
In this paper, we observe that SNOVA implicitly uses a structured version of the "whipping" technique developed for the MAYO signature scheme. We show that the extra structure makes the construction vulnerable to new forgery attacks. Concretely, we formulate new attacks that reduce the security margin of the proposed SNOVA parameter sets by a factor between
Note: 20/8/2024: Fix typo in affiliation. 24/2/2025: Minor editorial changes + add paragraph about NIST round2 version of SNOVA.
Metadata
- Available format(s)
- PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- SNOVA, multivariate cryptography
- Contact author(s)
- ward @ beullens com
- History
- 2025-02-24: last of 2 revisions
- 2024-08-19: received
- Short URL
- https://ia.cr/2024/1297
- License
- CC BY
BibTeX
@misc{cryptoeprint:2024/1297,
      author = {Ward Beullens},
      title = {Improved Cryptanalysis of {SNOVA}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1297},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1297}
}