Paper 2024/148

Preliminary Cryptanalysis of the Biscuit Signature Scheme

Charles Bouillaguet, Sorbonne University
Julia Sauvage, Sorbonne University
Abstract

Biscuit is a recent multivariate signature scheme based on the MPC-in-the-Head paradigm. It has been submitted to the NIST competition for additional signature schemes. Signatures are derived from a zero-knowledge proof of knowledge of the solution of a structured polynomial system. This extra structure enables efficient proofs and compact signatures. This short note demonstrates that it also makes these polynomial systems easier to solve than random ones. As a consequence, the original parameters of Biscuit failed to meet the required security levels and had to be upgraded.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
algebraic attack, multivariate crypto, biscuit signature scheme
Contact author(s)
charles bouillaguet @ lip6 fr
julia sauvage @ lip6 fr
History
2024-02-02: approved
2024-02-01: received
Short URL
https://ia.cr/2024/148
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/148,
      author = {Charles Bouillaguet and Julia Sauvage},
      title = {Preliminary Cryptanalysis of the Biscuit Signature Scheme},
      howpublished = {Cryptology ePrint Archive, Paper 2024/148},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/148}},
      url = {https://eprint.iacr.org/2024/148}
}