Paper 2024/609

New Security Proofs and Techniques for Hash-and-Sign with Retry Signature Schemes

Benoît Cogliati, Thales (France)
Pierre-Alain Fouque, Institut de Recherche en Informatique et Systèmes Aléatoires
Louis Goubin, Versailles Saint-Quentin-en-Yvelines University, University of Paris-Saclay, French National Centre for Scientific Research
Brice Minaud, French Institute for Research in Computer Science and Automation, École Normale Supérieure - PSL
Abstract

Hash-and-Sign with Retry is a popular technique to design efficient signature schemes from code-based or multivariate assumptions. Contrary to Hash-and-Sign signatures based on preimage-sampleable functions as defined by Gentry, Peikert and Vaikuntanathan (STOC 2008), trapdoor functions in code-based and multivariate schemes are not surjective. Therefore, the standard approach uses random trials. Kosuge and Xagawa (PKC 2024) coined it the Hash-and-Sign with Retry paradigm. As many attacks have appeared on code-based and multivariate schemes, we think it is important for the ongoing NIST competition to look at the security proofs of these schemes. The original proof of Sakumoto, Shirai, and Hiwatari (PQCrypto 2011) was flawed, then corrected by Chatterjee, Das and Pandit (INDOCRYPT 2022). The fix is still not sufficient, as it only works for very large finite fields. A new proof in the Quantum ROM model was proposed by Kosuge and Xagawa (PKC 2024), but it is rather loose, even when restricted to the classical setting. In this paper, we introduce several tools that yield tighter security bounds for Hash-and-Sign with Retry signatures in the classical setting. These include the Hellinger distance, stochastic dominance arguments, and a new combinatorial tool to transform a proof in the non-adaptive setting to the adaptive setting. Ultimately, we obtain a sharp bound for the security of Hash-and-Sign with Retry signatures, applicable to various code-based and multivariate schemes. Focusing on NIST candidates, we apply these results to the MAYO, PROV, and modified UOV signature schemes. In most cases, our bounds are tight enough to apply with the real parameters of those schemes; in some cases, smaller parameters would suffice.
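The following toy model is an added illustration of the Hash-and-Sign with Retry paradigm described in the abstract; it is not code from the paper and does not implement MAYO, PROV or UOV. The "trapdoor function" is an arbitrary random function f on {0, ..., n-1} (a constructed stand-in for a non-surjective code-based or multivariate map), the trapdoor is its precomputed inverse table, and the salt is a counter rather than a random string so that the run is reproducible. The point it makes visible is the one the abstract states: because f misses part of its range, the signer must hash (message, salt) repeatedly until the digest lands on a value that has a preimage, and the number of trials is a random quantity that any security proof of such a scheme has to account for.

```python
import hashlib
import random
from typing import Dict, List, Tuple

# Constructed toy model (not the paper's schemes): the public key is the
# evaluation table of a random function f: {0..n-1} -> {0..n-1}; the secret
# key is its inverse table, which is the "trapdoor". A random function
# misses roughly a 1/e fraction of its range, so f is not surjective.
PublicKey = List[int]
SecretKey = Dict[int, List[int]]


def keygen(n: int, seed: int) -> Tuple[PublicKey, SecretKey]:
    """Sample a random function on n points and precompute its preimage table."""
    rng = random.Random(seed)  # fixed seed so the toy is reproducible
    f = [rng.randrange(n) for _ in range(n)]
    inv: SecretKey = {}
    for x, y in enumerate(f):
        inv.setdefault(y, []).append(x)
    return f, inv


def hash_to_range(msg: bytes, salt: int, n: int) -> int:
    """Random-oracle stand-in: H(salt || msg) reduced into the range of f."""
    h = hashlib.sha256(salt.to_bytes(8, "big") + msg).digest()
    return int.from_bytes(h, "big") % n


def sign(sk: SecretKey, n: int, msg: bytes, max_tries: int = 10_000) -> Tuple[Tuple[int, int], int]:
    """Hash-and-Sign with Retry: re-hash with a fresh salt until a preimage exists.

    Returns ((salt, x), tries). The counter salt is a toy choice; deployed
    schemes draw the salt at random on each trial.
    """
    for salt in range(max_tries):
        y = hash_to_range(msg, salt, n)
        preimages = sk.get(y)
        if preimages:
            return (salt, preimages[0]), salt + 1
    raise RuntimeError("no preimage found within max_tries")


def verify(pk: PublicKey, n: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    """Accept iff f(x) equals the salted hash of the message."""
    salt, x = sig
    return 0 <= x < n and pk[x] == hash_to_range(msg, salt, n)


def range_coverage(sk: SecretKey, n: int) -> float:
    """Fraction of the range that has at least one preimage (about 1 - 1/e here)."""
    return len(sk) / n


def mean_tries(sk: SecretKey, n: int, num_msgs: int) -> float:
    """Average number of hash trials per signature over constructed messages.

    Each trial succeeds independently with probability range_coverage, so the
    trial count is geometric and its mean is close to 1 / range_coverage.
    """
    total = 0
    for i in range(num_msgs):
        _, tries = sign(sk, n, b"constructed message %d" % i)
        total += tries
    return total / num_msgs


if __name__ == "__main__":
    n = 4096
    pk, sk = keygen(n, seed=1)
    sig, tries = sign(sk, n, b"hello")
    print("coverage of the range:", round(range_coverage(sk, n), 3))
    print("signature:", sig, "after", tries, "trial(s); verifies:", verify(pk, n, b"hello", sig))
    print("mean trials over 200 messages:", round(mean_tries(sk, n, 200), 2))
```

Running the block shows the coverage near 0.63 and a mean trial count near 1.6, which is the geometric behaviour the retry loop induces; in the real schemes the coverage depends on the field size and the concrete parameters, which is why the abstract notes that earlier proofs only applied for very large finite fields.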

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Provable security, Post-Quantum Signatures, Multivariate Cryptography
Contact author(s)
benoit-michel cogliati @ thalesgroup com
pierre-alain fouque @ univ-rennes1 fr
Louis Goubin @ uvsq fr
brice minaud @ ens fr
History
2024-04-22: approved
2024-04-20: received
Short URL
https://ia.cr/2024/609
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/609,
      author = {Benoît Cogliati and Pierre-Alain Fouque and Louis Goubin and Brice Minaud},
      title = {New Security Proofs and Techniques for Hash-and-Sign with Retry Signature Schemes},
      howpublished = {Cryptology ePrint Archive, Paper 2024/609},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/609}},
      url = {https://eprint.iacr.org/2024/609}
}