Paper 2024/609

New Security Proofs and Techniques for Hash-and-Sign with Retry Signature Schemes

Benoît Cogliati, Thales (France)
Pierre-Alain Fouque, Institut de Recherche en Informatique et Systèmes Aléatoires
Louis Goubin, Versailles Saint-Quentin-en-Yvelines University, University of Paris-Saclay, French National Centre for Scientific Research
Brice Minaud, French Institute for Research in Computer Science and Automation, École Normale Supérieure - PSL
Abstract

Hash-and-Sign with Retry is a popular technique to design efficient signature schemes from code-based or multivariate assumptions. Contrary to Hash-and-Sign signatures based on preimage-sampleable functions as defined by Gentry, Peikert and Vaikuntanathan (STOC 2008), trapdoor functions in code-based and multivariate schemes are not surjective. Therefore, the standard approach uses random trials. Kosuge and Xagawa (PKC 2024) coined it the Hash-and-Sign with Retry paradigm. As many attacks have appeared on code-based and multivariate schemes, we think it is important for the ongoing NIST competition to look at the security proofs of these schemes. The original proof of Sakumoto, Shirai, and Hiwatari (PQCrypto 2011) was flawed, then corrected by Chatterjee, Das and Pandit (INDOCRYPT 2022). The fix is still not sufficient, as it only works for very large finite fields. A new proof in the Quantum ROM model was proposed by Kosuge and Xagawa (PKC 2024), but it is rather loose, even when restricted to the classical setting. In this paper, we introduce several tools that yield tighter security bounds for Hash-and-Sign with Retry signatures in the classical setting. These include the Hellinger distance, stochastic dominance arguments, and a new combinatorial tool to transform a proof in the non-adaptative setting to the adaptative setting. Ultimately, we obtain a sharp bound for the security of Hash-and-Sign with Retry signatures, applicable to various code-based and multivariate schemes. Focusing on NIST candidates, we apply these results to the MAYO, PROV, and modified UOV signature schemes. In most cases, our bounds are tight enough to apply with the real parameters of those schemes; in some cases, smaller parameters would suffice.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Provable securityPost-Quantum SignaturesMultivariate Cryptography
Contact author(s)
benoit-michel cogliati @ thalesgroup com
pierre-alain fouque @ univ-rennes1 fr
Louis Goubin @ uvsq fr
brice minaud @ ens fr
History
2024-04-22: approved
2024-04-20: received
See all versions
Short URL
https://ia.cr/2024/609
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/609,
      author = {Benoît Cogliati and Pierre-Alain Fouque and Louis Goubin and Brice Minaud},
      title = {New Security Proofs and Techniques for Hash-and-Sign with Retry Signature Schemes},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/609},
      year = {2024},
      url = {https://eprint.iacr.org/2024/609}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.