Paper 2024/279

Polynomial-Time Key-Recovery Attack on the $\mathtt{N}\mathtt{I}\mathtt{S}\mathtt{T}$ Specification of $\mathtt{P}\mathtt{R}\mathtt{O}\mathtt{V}$

Abstract

In this paper, we present an efficient attack against $\mathtt{P}\mathtt{R}\mathtt{O}\mathtt{V}$, a recent variant of the popular Unbalanced Oil and Vinegar ($\mathtt{U}\mathtt{O}\mathtt{V}$) multivariate signature scheme, that has been submitted to the ongoing $\mathtt{N}\mathtt{I}\mathtt{S}\mathtt{T}$ standardization process for additional post-quantum signature schemes. A notable feature of $\mathtt{P}\mathtt{R}\mathtt{O}\mathtt{V}$ is its proof of security, namely, existential unforgeability under a chosen-message attack ($\mathtt{E}\mathtt{U}\mathtt{F}\mathtt{-}\mathtt{C}\mathtt{M}\mathtt{A}$), assuming the hardness of solving the system formed by the public-key non-linear equations. We present a polynomial-time key-recovery attack against the first specification of $\mathtt{P}\mathtt{R}\mathtt{O}\mathtt{V}$ (v$1.0$). To do so, we remark that a small fraction of the $\mathtt{P}\mathtt{R}\mathtt{O}\mathtt{V}$ secret-key is leaked during the signature process. Adapting and extending previous works on basic $$, we show that the entire secret-key can be then recovered from such a small fraction in polynomial-time. This leads to an efficient attack against $$ that we validated in practice. For all the security parameters suggested in by the authors of $$, our attack recovers the secret-key in at most $$ seconds. We conclude the paper by discussing the apparent mismatch between such a practical attack and the theoretical security claimed by $$ designers. Our attack is not structural but exploits that the current specification of $$ differs from the required security model. A simple countermeasure makes $$ immune against the attack presented here and led the designers to update the specification of $$ (v$$).