Scientific article on the topic 'THE SECURITY OF THE CODE-BASED SIGNATURE SCHEME BASED ON THE STERN IDENTIFICATION PROTOCOL'

CC BY

2022 Mathematical Methods of Cryptography No. 57

UDC 519.719.2 DOI 10.17223/20710410/57/5

THE SECURITY OF THE CODE-BASED SIGNATURE SCHEME BASED ON THE STERN IDENTIFICATION PROTOCOL

V. V. Vysotskaya*,**, I. V. Chizhov*,**,***

* JSC "NPK Kryptonite", Moscow, Russia
** Lomonosov Moscow State University, Moscow, Russia
*** Federal Research Center "Informatics and Control" of the Russian Academy of Sciences, Moscow, Russia

E-mail: {v.vysotskaya, i.chizhov}@kryptonite.ru

The paper provides a complete description of the digital signature scheme based on the Stern identification protocol. We also present the proof of the existential unforgeability of the scheme under the chosen message attack (EUF-CMA) in the random oracle model (ROM). Finally, we discuss the choice of the signature parameters, in particular providing 70-bit security.

Keywords: post-quantum cryptography, code-based cryptography, digital signature, Stern's scheme, Fiat-Shamir transform, provable security, EUF-CMA security.

ON THE SECURITY OF A CODE-BASED ELECTRONIC SIGNATURE BASED ON THE STERN IDENTIFICATION PROTOCOL

V. V. Vysotskaya*,**, I. V. Chizhov*,**,***

* JSC "NPK Kryptonite", Moscow, Russia ** Lomonosov Moscow State University, Moscow, Russia *** Federal Research Center "Informatics and Control" of the Russian Academy of Sciences, Moscow, Russia

A complete description of the electronic signature scheme based on the Stern identification scheme is presented. The security of the scheme against existential forgery under a chosen-message attack (EUF-CMA) in the random oracle model is proven. The choice of signature parameters is discussed, in particular one providing security equal to 70 bits.

Keywords: post-quantum cryptography, code-based cryptography, electronic signature, Stern's scheme, Fiat-Shamir transform, provable security, EUF-CMA security.

1. Introduction

The security of all standardized cryptographic algorithms used around the world is based on the complexity of several number-theoretic problems, including the discrete logarithm and factorization problems. However, in 1994 P. Shor showed [1] that quantum computers could break all schemes constructed this way, and in 2001 Shor's algorithm was implemented on a 7-qubit quantum computer. Since then, various companies have been actively developing more powerful quantum computers. Potential progress in this area poses a real threat to modern public-key cryptography.

This led to the emergence of so-called post-quantum cryptographic schemes. Most of them can be categorized into the following classes: code-based, lattice-based, multivariate, hash-based, and isogeny-based. No successful quantum-computer attacks on "hard" problems from these areas are known.

The interest in code-based schemes as post-quantum ones can be seen in the works submitted to the contest for prospective public-key post-quantum algorithms announced in 2016 by the US National Institute of Standards and Technology (NIST) [2]. The algorithms that win this contest will be accepted as US national standards. 21 of the 69 applications filed (that is, almost a third of all works) were based on coding theory. However, it is worth noting that only three of them presented digital signature schemes: pqsigRM [3], RaCoSS [4] and RankSign [5]. Attacks on each of them were built during the peer review. The attack on the RankSign scheme was presented at the Asiacrypt conference [6]. Outside the competition, the pqsigRM and RaCoSS schemes were fixed and presented as Modified pqsigRM [7] and RaCoSS-R [8], respectively. However, the RaCoSS-R scheme was also proven to be insecure [9]. As a result, none of the signatures based on error-correcting codes made it to the final of the NIST competition.

In general, the development of code-based signature schemes has advanced less successfully than that of encryption schemes. The first signature scheme of this type was KKS, presented by G. Kabatianskii, E. Krouk, and B. Smeets in [10] in 1997. However, in 2007 it was shown [11] that re-signing with one key pair leaks some information about the secret key. Thus, it is necessary either to use the signature as a one-time one or to spend additional resources on building and maintaining an auxiliary structure.

After that, for a rather long time, attacks on all proposed signature schemes were built so quickly that there was a fear that such schemes could not be created at all [12].

In 2001, N. Courtois, M. Finiasz and N. Sendrier presented the digital signature CFS [13] based on the encryption schemes of R. McEliece [14] and H. Niederreiter [15] (a provably secure version of this signature, called mCFS, was later proposed by L. Dallot in [16]). The authors used the decryption algorithm as the signature generation algorithm. Unfortunately, since the inner decoding procedure succeeds with extremely small probability on a random input, the signature generation algorithm has to be repeated many times. Also, a significant disadvantage of CFS-type schemes is that their security depends on the assumption that the base code is indistinguishable from a random one. This has led to attacks on signatures previously considered provably secure. One of the latest schemes of this type is Wave [17], based on generalized (U, U + V) codes.

Another approach to constructing a signature scheme is to apply the Fiat — Shamir transformation [18] to an identification protocol. For example, one may use the identification schemes of J. Stern [19], A. Jain et al. [20], or CVE [21]. This method does not take into account the features of the codes, but it allows one to prove security without assumptions that depend on their structure. However, since the basic scheme has a certain cheating probability, the signature algorithm has to be repeated several times, which increases both its running time and the resulting signature length.

This drawback is overcome in Lyubashevsky-type signatures, the original version of which is lattice-based [22]. Although the original version remains secure, all known attempts to replace lattices with codes in the Hamming metric have resulted in a loss of security. However, a code-based signature in the rank metric called Durandal was proposed in [23] and is still considered secure. Yet it is not proven that the signature distribution is independent of the secret key and reveals no information about it. Moreover, its security proof is based on the hardness of a new problem, PSSI+. In turn, the security of Stern-type schemes is based only on NP-hard problems and the hardness of finding a collision of the underlying hash function.

Although the signature based on the Stern identification scheme has been repeatedly mentioned in the literature, it has never been fully presented. For example, the review [24] by R. Overbeck and N. Sendrier only mentions the possibility of constructing such a signature without giving the algorithm itself. In [25] the scheme is formulated with an error, which leads to a significant decrease in the security level compared to the expected value. A correct but short description of the scheme can be found in [26].

Moreover, the security proof of the scheme is considered to have been provided by D. Pointcheval and J. Stern in [27]. That paper presents the so-called Forking lemma, by which the security of a signature scheme against existential forgery under an adaptively chosen-message attack in the random oracle model may be proved. The authors mention the applicability of the Forking lemma to the proof for the Stern signature scheme. However, this fact was proven neither in that paper nor anywhere later.

In this paper we provide a complete description of the signature scheme based on the Stern identification scheme, along with a proof of existential unforgeability under the chosen message attack (EUF-CMA) under the assumptions that the syndrome decoding and hash function collision finding problems are hard.

The rest of this paper is structured as follows. In Section 2 we give basic definitions, describe some hard problems and show the original Stern identification protocol. We present the signature scheme together with the security model in Section 3. Section 4 is devoted to the security proof of our signature in the EUF-CMA model. We give some restrictions on the scheme parameters and introduce an example parameter set in Section 5. Finally, conclusions are presented in Section 6.

2. Definitions and Preliminary Results

Our signature is based on linear block error-correcting codes. We will call them codes for brevity. The set of all binary strings of length $n$ is denoted by $\{0,1\}^n$ and the set of strings of arbitrary length by $\{0,1\}^*$. We denote the symmetric group of order $n$ by $S_n$, i.e., the group of all permutations of the elements of the set $\{1,\ldots,n\}$. If $\sigma \in S_n$, $u \in \{0,1\}^n$, then $\sigma(u) \in \{0,1\}^n$, $\sigma(u)_i = u_{\sigma(i)}$. The weight of the vector $u$ is the number of its nonzero elements. It is denoted by $\mathrm{wt}(u)$.

The security of the signature scheme is based on the hardness of the following problems.

Problem SD(H, y, w). Syndrome Decoding

Input: $(n-k) \times n$ parity-check matrix $H$ of some binary code, nonzero vector $y \in \{0,1\}^{n-k}$, called a syndrome, and a number $w > 0$.

Output: vector $e \in \{0,1\}^n$ such that $\mathrm{wt}(e) = w$ and $He^T = y^T$.

Problem Coll(h). Collision Finding

Input: hash function $h : \{0,1\}^* \to \{0,1\}^{\ell}$.

Output: vectors $x', x'' \in \{0,1\}^*$, $x' \ne x''$, such that $h(x') = h(x'')$.

The former problem is known to be NP-hard [28]. The best known algorithm solves it in $O(2^{0.0885n})$ bit operations [29]. The complexity of the latter problem depends on the structure of the function $h$. In the general case, the complexity of solving it using the birthday paradox can be estimated as $O(2^{\ell/2})$.

Let us recall the Stern identification protocol presented in [19]. The protocol parameters depend on the parameters of the underlying code: its length $n$, dimension $k$ and minimum distance $w$. The parity-check matrix of this code is a random matrix $H \in \{0,1\}^{(n-k) \times n}$. Also, the protocol is based on a hash function $h(\cdot) : \{0,1\}^* \to \{0,1\}^{\ell}$.

To generate a secret key, one chooses $s \in \{0,1\}^n$ uniformly at random such that $\mathrm{wt}(s) = w$. Now the public key can be derived as $y = Hs^T$. The identification protocol is shown in Fig. 1. Here the notation $s \xleftarrow{\$} S$ means that $s$ is chosen from the set $S$ uniformly at random. We also denote the assignment of value $v$ to $x$ by $x \leftarrow v$.

Prover(s)                                          Verifier(y)
u ←$ {0,1}^n, σ ←$ S_n
c_0 ← h(σ || H u^T)
c_1 ← h(σ(u))
c_2 ← h(σ(u ⊕ s))
                         ----- c_0, c_1, c_2 ----->
                                                   b ←$ {0,1,2}
                         <--------- b -------------
if b = 0 : r_0 ← σ,    r_1 ← u
if b = 1 : r_0 ← σ,    r_1 ← u ⊕ s
if b = 2 : r_0 ← σ(u), r_1 ← σ(s)
                         -------- r_0, r_1 ------->
                                                   if b = 0 : check c_0 = h(r_0 || H r_1^T), c_1 = h(r_0(r_1))
                                                   if b = 1 : check c_0 = h(r_0 || (H r_1^T ⊕ y)), c_2 = h(r_0(r_1))
                                                   if b = 2 : check c_1 = h(r_0), c_2 = h(r_0 ⊕ r_1), wt(r_1) = w

Fig. 1. Stern identification scheme

In his paper, Stern proposes a strategy for an adversary to pass identification without knowing the secret key with probability of success equal to 2/3. So to reduce this value and to reach the required level of security, one should repeat the algorithm several times. Recall the general definition of a digital signature scheme.

Definition 1. A digital signature scheme is a triple $\Sigma = (\mathrm{KeyGen}, \mathrm{Sig}, \mathrm{Ver})$ of (possibly probabilistic) polynomial time algorithms, where

1) KeyGen() outputs a key pair (pk, sk);

2) Sig(sk, m) receives as input the secret key sk and a message $m \in \{0,1\}^*$ and outputs a signature Z;

3) Ver(pk, m, Z) receives as input the public key pk, a message m and a signature Z. It outputs 0 or 1, where 1 means that Z is accepted as a signature for message m and public key pk, and 0 means that the signature is not accepted. Moreover, Ver(pk, m, Sig(sk, m)) = 1 for a correct key pair (pk, sk).

3. Signature scheme

In this section, we present the digital signature scheme that results from the Fiat — Shamir transformation applied to the Stern identification scheme. The transformation consists of replacing the random value $b$ generated by the verifier with some function $f$ of the message and the values received from the prover. It is important for $f$ to depend on all of these values at once.

The parameters of the signature are the same as in the original identification protocol described in Section 2. Additionally, the scheme uses a hash function $f(\cdot) : \{0,1\}^* \to \{0,1,2\}^{\delta}$. The length of the signature depends on the parameter $\delta$, which is determined by the security parameter $\lambda$.

Stern.KeyGen()
1 : s ←$ {x ∈ {0,1}^n : wt(x) = w}
2 : y ← H s^T
3 : return (y, s)

Stern.Sig(s, m)
1 : foreach 0 ≤ i < δ :
2 :   u_i ←$ {0,1}^n, σ_i ←$ S_n
3 :   c_{i,0} ← h(σ_i || H u_i^T)
4 :   c_{i,1} ← h(σ_i(u_i))
5 :   c_{i,2} ← h(σ_i(u_i ⊕ s))
6 :   c_i ← c_{i,0} || c_{i,1} || c_{i,2}
7 : c ← c_0 || ... || c_{δ-1}
8 : b ← f(m || c)
9 : foreach 0 ≤ i < δ :
10 :  if b_i = 0 : r_i ← σ_i || u_i
11 :  if b_i = 1 : r_i ← σ_i || (u_i ⊕ s)
12 :  if b_i = 2 : r_i ← σ_i(u_i) || σ_i(s)
13 : r ← r_0 || ... || r_{δ-1}
14 : return c || r

Stern.Ver(y, m, (c || r))
1 : b ← f(m || c)
2 : foreach 0 ≤ i < δ :
3 :   if [b_i = 0] ∧ ([c_{i,0} ≠ h(r_{i,0} || H r_{i,1}^T)] ∨ [c_{i,1} ≠ h(r_{i,0}(r_{i,1}))]) :
4 :     return 0
5 :   if [b_i = 1] ∧ ([c_{i,0} ≠ h(r_{i,0} || (H r_{i,1}^T ⊕ y))] ∨ [c_{i,2} ≠ h(r_{i,0}(r_{i,1}))]) :
6 :     return 0
7 :   if [b_i = 2] ∧ ([c_{i,1} ≠ h(r_{i,0})] ∨ [c_{i,2} ≠ h(r_{i,0} ⊕ r_{i,1})] ∨ [wt(r_{i,1}) ≠ w]) :
8 :     return 0
9 : return 1
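The three algorithms above as an added worked example, not code from the paper: a toy Python implementation of Stern.KeyGen, Stern.Sig and Stern.Ver with SHA-256 as h and SHAKE-256 (with rejection sampling) as the Fiat-Shamir function f. The parameter values n = 16, k = 8, w = 3, δ = 12, the random parity-check matrix, the message text and all function names are assumptions of the example and give no real security. demo() signs a constructed message and shows that the verifier accepts the genuine signature and rejects the same signature presented for another message or with one bit of a response changed.

```python
# Added example, not the paper's code: toy Stern.KeyGen / Stern.Sig / Stern.Ver.
# Bit vectors are tuples of 0/1, permutations are tuples of indices, h is SHA-256
# and f derives delta trits from SHAKE-256. All parameter values are constructed
# for the demo and are far too small to be secure.
import hashlib
import random

def syndrome(H, e):
    """H e^T over GF(2); H is a list of row tuples, e a tuple of bits."""
    return tuple(sum(hj * ej for hj, ej in zip(row, e)) % 2 for row in H)

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def permute(sigma, u):
    """sigma(u)_i = u_{sigma(i)}, the convention of Section 2."""
    return tuple(u[sigma[i]] for i in range(len(u)))

def h(*parts):
    """h(x || y): each part is a tuple of ints < 256, length-framed so that
    different splits of the same bytes cannot produce the same hash input."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + bytes(p))
    return m.digest()

def f(msg, commits, delta):
    """f(m || c) -> {0,1,2}^delta: XOF bytes, byte 255 rejected so trits are uniform."""
    stream = hashlib.shake_256(msg + b"".join(commits)).digest(8 * delta)
    return tuple(x % 3 for x in stream if x < 255)[:delta]

def keygen(H, n, w, rng):
    """Stern.KeyGen: s uniform among weight-w vectors, y = H s^T."""
    positions = set(rng.sample(range(n), w))
    s = tuple(1 if i in positions else 0 for i in range(n))
    return syndrome(H, s), s

def sign(H, s, msg, delta, rng):
    """Stern.Sig: delta commitment triples, b = f(m || c), then the responses r."""
    n = len(s)
    commits, state = [], []
    for _ in range(delta):
        u = tuple(rng.randrange(2) for _ in range(n))
        sigma = tuple(rng.sample(range(n), n))           # uniform permutation in S_n
        c0 = h(sigma, syndrome(H, u))                     # c_{i,0} = h(sigma_i || H u_i^T)
        c1 = h(permute(sigma, u))                         # c_{i,1} = h(sigma_i(u_i))
        c2 = h(permute(sigma, xor(u, s)))                 # c_{i,2} = h(sigma_i(u_i xor s))
        commits.append(c0 + c1 + c2)
        state.append((u, sigma))
    b = f(msg, commits, delta)
    responses = []
    for bi, (u, sigma) in zip(b, state):
        if bi == 0:
            responses.append((sigma, u))
        elif bi == 1:
            responses.append((sigma, xor(u, s)))
        else:
            responses.append((permute(sigma, u), permute(sigma, s)))
    return commits, responses

def verify(H, y, w, msg, signature, delta):
    """Stern.Ver: recompute b from (m, c) and check the opened commitments."""
    commits, responses = signature
    n = len(H[0])
    if len(commits) != delta or len(responses) != delta:
        return False
    b = f(msg, commits, delta)
    for bi, ci, (r0, r1) in zip(b, commits, responses):
        c0, c1, c2 = ci[:32], ci[32:64], ci[64:]
        if len(r1) != n:
            return False
        if bi == 2:
            ok = len(r0) == n and c1 == h(r0) and c2 == h(xor(r0, r1)) and sum(r1) == w
        elif sorted(r0) != list(range(n)):                # r_{i,0} must be a permutation
            ok = False
        elif bi == 0:
            ok = c0 == h(r0, syndrome(H, r1)) and c1 == h(permute(r0, r1))
        else:
            ok = c0 == h(r0, xor(syndrome(H, r1), y)) and c2 == h(permute(r0, r1))
        if not ok:
            return False
    return True

def demo(seed=1, n=16, k=8, w=3, delta=12):
    rng = random.Random(seed)
    H = [tuple(rng.randrange(2) for _ in range(n)) for _ in range(n - k)]
    y, s = keygen(H, n, w, rng)
    msg = b"constructed message"
    sig = sign(H, s, msg, delta, rng)
    commits, responses = sig
    r0, r1 = responses[0]
    flipped = r1[:1] + (r1[1] ^ 1,) + r1[2:]              # one bit of r_{0,1} changed
    tampered = (commits, [(r0, flipped)] + responses[1:])
    return {
        "genuine": verify(H, y, w, msg, sig, delta),
        "other_message": verify(H, y, w, b"another message", sig, delta),
        "tampered": verify(H, y, w, msg, tampered, delta),
    }
```

The verifier checks the shape of each response (a genuine permutation for b_i ∈ {0, 1}, vectors of length n) before hashing, since the listing above assumes well-formed r_i; a flipped bit fails either the reopened commitment or, for b_i = 2, the weight check.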

To estimate the scheme security, we construct experiments where the adversary is represented by a probabilistic polynomial-time Turing machine. The notation $\mathrm{Exp} \Rightarrow b$ means that $b$ is the output of the experiment Exp. We write abort in the oracle pseudocode to denote that the experiment should stop and return 0. We denote the set of all mappings from set $A$ to set $B$ by $\mathrm{Func}(A, B)$. To emphasize the fact that $x$ is the result of a probabilistic algorithm $\mathcal{A}$, we write $x \xleftarrow{\$} \mathcal{A}(\ldots)$.

To model a random oracle $F : \{0,1\}^* \to \{0,1,2\}^{\delta}$, we use lazy sampling. We introduce the set $\Pi_F$ containing pairs of the form $(\alpha, F(\alpha))$. Further we write $(\alpha, \cdot) \in \Pi_F$ for $\alpha \in \{0,1\}^*$ to show that there exists $\beta \in \{0,1,2\}^{\delta}$ such that $(\alpha, \beta) \in \Pi_F$. Since $\Pi_F$ contains at most one pair $(\alpha, \beta)$ for each $\alpha$, $\Pi_F(\alpha)$ denotes either $\beta$ if $(\alpha, \beta) \in \Pi_F$ or the special value $\bot$ if there is no such pair.

Definition 2. For the signature scheme Stern.Σ, we denote the advantage of the adversary $A$ in the EUF-NMA model with random oracle access by

$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) = P[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) \Rightarrow 1],$

where the experiment $\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A)$ is defined as follows:

Exp^{EUF-NMA}_{Stern}(A)
1 : (pk, sk) ←$ Stern.KeyGen()
2 : Π_F ← ∅
3 : (m, Z) ←$ A^F(pk)
4 : return Stern.Ver(pk, m, Z)

Oracle F(α)
1 : if (α, ·) ∈ Π_F : β ← Π_F(α)
2 : else
3 :   β ←$ {0,1,2}^δ
4 :   Π_F ← Π_F ∪ {(α, β)}
5 : return β

Definition 3. For the signature scheme Stern.Σ, we denote the advantage of the adversary $A$ in the EUF-CMA model with random oracle access by

$\mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Stern}}(A) = P[\mathrm{Exp}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Stern}}(A) \Rightarrow 1],$

where the experiment $\mathrm{Exp}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Stern}}(A)$ is defined as follows:

Exp^{EUF-CMA}_{Stern}(A)
1 : (pk, sk) ←$ Stern.KeyGen()
2 : L ← ∅
3 : Π_F ← ∅
4 : (m, Z) ←$ A^{Sign,F}(pk)
5 : if m ∈ L : return 0
6 : return Stern.Ver(pk, m, Z)

Oracle F(α)
1 : if (α, ·) ∈ Π_F : β ← Π_F(α)
2 : else
3 :   β ←$ {0,1,2}^δ
4 :   Π_F ← Π_F ∪ {(α, β)}
5 : return β

Oracle Sign(m)
1 : Z ←$ Stern.Sig(sk, m)
2 : L ← L ∪ {m}
3 : return Z

4. Security bounds

Let us give several definitions that will be needed below.

Definition 4. If $T$ is a ternary tree of depth $\delta$ with $N$ leaves, then the density of $T$ is defined as $N/3^{\delta}$.

Definition 5. Let us call a tree $\rho$-dense if its density is not less than $\rho$.

Definition 6. We call a tree uniformly $\rho$-dense if each of its subtrees, excluding leaves, is a $\rho$-dense tree.

Proposition 1. A $\rho$-dense tree $T$ with all leaves having depth $\delta$, considered as a graph, contains a subgraph that is a uniformly $\frac{\rho}{\delta}$-dense tree with the same root. Moreover, each of its leaves has depth $\delta$.

Proof. Let us describe the algorithm to choose such a subgraph. We start from the $(\delta-1)$-th level of the tree and move to the root (level 0), disposing of vertices that are roots of subtrees of density less than $\theta = \rho/\delta$. Note that until the algorithm stops (i.e., reaches the root), some leaves may have depth less than $\delta$. However, after the algorithm completes, each of the surviving leaves will have depth $\delta$.

Let us show that at each step of this algorithm the root density decreases by no more than $\theta$. Suppose that there are $n_{i,3}$ vertices at the $i$-th level of the original tree $T$. The densities of the subtrees formed by them are $\rho_{i,1}, \ldots, \rho_{i,n_{i,3}}$. If we denote the number of leaves of $T$ by $t$, then

$\rho_{i,1} + \ldots + \rho_{i,n_{i,3}} = 3^i \frac{t}{3^{\delta}} = 3^i \rho.$

After the step of the algorithm at the $i$-th level, some of these vertices may be disposed of, namely those that have density less than $\theta$. Thus, the new density $\rho'_{i,j}$ may either be equal to $\rho_{i,j}$ or become 0 if $\rho_{i,j} < \theta$. So

$\rho'_{i,1} + \ldots + \rho'_{i,n_{i,3}} \ge \rho_{i,1} + \ldots + \rho_{i,n_{i,3}} - n_{i,3}\theta \ge 3^i \rho - n_{i,3}\theta.$

Thus, for the new density of the root $\rho'$ it holds that $3^i \rho' \ge 3^i \rho - n_{i,3}\theta$ and

$\rho' \ge \rho - \frac{n_{i,3}}{3^i}\theta \ge \rho - \theta.$

As a result of all deletions, $\rho$ has decreased by at most $(\delta-1)\theta$. Since $\theta = \rho/\delta$, then

$\rho - (\delta-1)\frac{\rho}{\delta} = \frac{\rho\delta}{\delta} - \frac{(\delta-1)\rho}{\delta} = \frac{\rho}{\delta} = \theta.$

So the resulting tree is uniformly $\theta$-dense. ■
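An added example, not from the paper: the pruning algorithm of the proof above run on a constructed ternary tree of depth δ = 4 with 40 of the 81 possible leaves (ρ = 40/81, θ = ρ/δ = 10/81). A tree whose leaves all have depth δ is represented by the set of its leaves, each leaf being a tuple of δ trits; this representation, the seed and the function names are assumptions of the example. prune() performs the level-by-level deletion from level δ − 1 up to level 1, and demo() reports the root density after pruning and whether the result is uniformly θ-dense in the sense of Definition 6.

```python
# Added example, not the paper's code: Proposition 1's pruning on a small tree.
# Leaves are tuples of trits (0 = left, 1 = middle, 2 = right child); a vertex is
# identified with the prefix leading to it. Exact fractions avoid rounding in the
# density comparisons.
import random
from fractions import Fraction
from itertools import product

def density(leaves, prefix, delta):
    """Density of the subtree rooted at `prefix`: its leaves over 3^(subtree depth)."""
    below = sum(1 for leaf in leaves if leaf[:len(prefix)] == prefix)
    return Fraction(below, 3 ** (delta - len(prefix)))

def prune(leaves, delta, theta):
    """Walk from level delta-1 up to level 1, dropping every vertex whose subtree
    has density < theta (theta = rho/delta in the proof of Proposition 1)."""
    leaves = set(leaves)
    for level in range(delta - 1, 0, -1):
        for vertex in {leaf[:level] for leaf in leaves}:
            if density(leaves, vertex, delta) < theta:
                leaves = {leaf for leaf in leaves if leaf[:level] != vertex}
    return leaves

def is_uniformly_dense(leaves, delta, theta):
    """Definition 6: every subtree (root included, leaves excluded) is theta-dense."""
    return bool(leaves) and all(
        density(leaves, v, delta) >= theta
        for level in range(delta)
        for v in {leaf[:level] for leaf in leaves})

def demo(delta=4, n_leaves=40, seed=7):
    rng = random.Random(seed)
    full = list(product(range(3), repeat=delta))      # all 3^delta possible leaves
    tree = set(rng.sample(full, n_leaves))            # constructed rho-dense tree
    rho = density(tree, (), delta)                    # rho = n_leaves / 3^delta
    theta = rho / delta
    sub = prune(tree, delta, theta)
    return {
        "rho": rho,
        "theta": theta,
        "root_density_after": density(sub, (), delta),
        "uniform_before": is_uniformly_dense(tree, delta, theta),
        "uniform_after": is_uniformly_dense(sub, delta, theta),
        "is_subgraph": sub <= tree,
    }
```

The root is never pruned explicitly; the proof's bound guarantees its density ends at least θ, which demo() confirms, while a randomly chosen tree usually fails the uniform condition before pruning.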

Theorem 1. Let $A$ be an adversary with time complexity at most $T$ in the EUF-NMA model for the Stern signature scheme, making at most one query to the hashing oracle $F$. Then it holds that

$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) \le \max\left\{15\sqrt[3]{\frac{\delta^2 T}{\min\{T_{SD}, T_{Coll}\}}} + \left(\frac{2}{3}\right)^{\delta},\ \left(\frac{2}{3}\right)^{\delta}\left(1 + 2\delta \cdot 1.1^{\delta}\right)\right\},$

where $T_{SD}$ and $T_{Coll}$ are the complexities of optimal algorithms solving the SD(H, y, w) and Coll(h) problems with probability of success at least $1 - 1/e$.

Proof. Denote

$\varepsilon = \mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) - \left(\frac{2}{3}\right)^{\delta}. \quad (1)$

In the case $\varepsilon \le 0$ the proof is complete. Therefore, further we will consider the case

$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) = \left(\frac{2}{3}\right)^{\delta} + \varepsilon, \quad \varepsilon > 0.$

We can represent the execution of the adversary $A$ on all outputs of the random oracle $F$ as an incomplete ternary tree $T(x)$, each leaf of which has depth $\delta$. It is determined by $A$'s random tape $x$. Each output $b$ of the random oracle corresponds to a certain path in the tree. If the corresponding $b_j$ equals 0, then the vertex has the left child, if $b_j = 1$, then the vertex has the middle one, and if $b_j = 2$, then it has the right one. If the adversary was not able to build a signature correctly for some output of the random oracle, then the corresponding branch is removed from the tree. Note that by fixing the adversary's random tape, we guarantee that at each level of the tree the same part of the signature corresponding to $c_{j,0}\|c_{j,1}\|c_{j,2}$ is checked.

Let us show that if there exists a level $i$ with a vertex with a left child, a vertex with a middle child and a vertex with a right child (denoted respectively $v_{i,0}$, $v_{i,1}$ and $v_{i,2}$), then one of the SD(H, y, w) and Coll(h) problems can be solved. Note that some of the vertices $v_{i,0}$, $v_{i,1}$, and $v_{i,2}$ may coincide. Later we will present the algorithm that lets some adversary $B$ find such vertices in the tree $T(x)$ with probability $1 - 1/e$.

Let the tree have such vertices. In this case, the adversary has successfully generated three signatures on outputs of the random oracle that all differ in the $i$-th trit. Let $r_{i,0} = \sigma_0$ and $r_{i,1} = \tilde u_0$ for $b_i = 0$. For $b_i = 1$, let $r_{i,0} = \sigma_1$ and $r_{i,1} = \tilde w_1$, where $\tilde w_1$ corresponds to $u_i \oplus s$. Finally, for $b_i = 2$, let $r_{i,0} = \tilde z_2$ and $r_{i,1} = \tilde t_2$, where $\tilde z_2$ corresponds to $\sigma_i(u_i)$ and $\tilde t_2$ corresponds to $\sigma_i(s)$. Since $c_{i,0}$ can be obtained in two cases ($b_i = 0$ and $b_i = 1$), then

$c_{i,0} = h(\sigma_0 \| H\tilde u_0^T) = h(\sigma_1 \| (H\tilde w_1^T \oplus y)).$

Hence, either a collision of the hash function $h$ can be found, or $\sigma_0 = \sigma_1$ and $H\tilde u_0^T = H\tilde w_1^T \oplus y$. Similarly, it can be shown that if no collisions were found, then $\tilde z_2 = \sigma_0(\tilde u_0)$ and $\tilde z_2 \oplus \tilde t_2 = \sigma_1(\tilde w_1)$. Note that as the third answer was accepted, $\tilde t_2$ satisfies the weight constraint. Denoting $\sigma = \sigma_0 = \sigma_1$, we have

$\tilde t_2 = \tilde z_2 \oplus (\tilde z_2 \oplus \tilde t_2) = \sigma(\tilde u_0 \oplus \tilde w_1).$

Therefore, $\tilde u_0 \oplus \tilde w_1$ also has the acceptable weight. Then

$H(\tilde u_0 \oplus \tilde w_1)^T = H\tilde u_0^T \oplus H\tilde w_1^T = y$

and $\tilde u_0 \oplus \tilde w_1$ is an acceptable secret key.
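An added example, not from the paper: the extraction step just described, implemented on constructed data. honest_answers() produces the three responses a prover with a fixed pair (u_i, σ_i) would give to b_i = 0, 1, 2, and extract() applies the consistency relations derived above, returning the secret key ũ_0 ⊕ w̃_1 when all three commitments open consistently and reporting the collision case otherwise. The parameter sizes, the seed and all function names are assumptions of the example; the hash h itself is not needed, since only the equalities of the hashed arguments are used.

```python
# Added example, not the paper's code: the extractor from the proof of Theorem 1.
# Bit vectors are tuples of 0/1 and permutations tuples of indices. Three accepted
# answers for the same commitment triple and the three different values of b_i
# are either turned into a valid secret key or attributed to a hash collision.
import random

def syndrome(H, e):
    return tuple(sum(hj * ej for hj, ej in zip(row, e)) % 2 for row in H)

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def permute(sigma, u):
    return tuple(u[sigma[i]] for i in range(len(u)))

def honest_answers(s, u, sigma):
    """One Stern round with fixed (u, sigma), answered for every challenge b_i."""
    return {0: (sigma, u),
            1: (sigma, xor(u, s)),
            2: (permute(sigma, u), permute(sigma, s))}

def extract(H, y, w, answers):
    """Return ('key', s) or ('collision', reason) following the argument above."""
    sigma0, u0 = answers[0]      # r_{i,0} = sigma_0, r_{i,1} = u~_0
    sigma1, w1 = answers[1]      # r_{i,0} = sigma_1, r_{i,1} = w~_1
    z2, t2 = answers[2]          # r_{i,0} = z~_2,   r_{i,1} = t~_2
    # c_{i,0} = h(sigma0 || H u0^T) = h(sigma1 || (H w1^T xor y)): same preimage or collision
    if sigma0 != sigma1 or syndrome(H, u0) != xor(syndrome(H, w1), y):
        return ("collision", "c_{i,0} opened to two different preimages")
    # c_{i,1} = h(sigma0(u0)) = h(z2) and c_{i,2} = h(sigma1(w1)) = h(z2 xor t2)
    if permute(sigma0, u0) != z2:
        return ("collision", "c_{i,1} opened to two different preimages")
    if permute(sigma1, w1) != xor(z2, t2):
        return ("collision", "c_{i,2} opened to two different preimages")
    # t2 = sigma(u0 xor w1) passed the weight check, so u0 xor w1 is a valid key
    s = xor(u0, w1)
    if sum(s) != w or syndrome(H, s) != y:
        return ("collision", "weight or syndrome of the candidate key is wrong")
    return ("key", s)

def demo(seed=3, n=12, k=6, w=3):
    rng = random.Random(seed)
    H = [tuple(rng.randrange(2) for _ in range(n)) for _ in range(n - k)]
    positions = set(rng.sample(range(n), w))
    s = tuple(1 if i in positions else 0 for i in range(n))
    y = syndrome(H, s)
    u = tuple(rng.randrange(2) for _ in range(n))
    sigma = tuple(rng.sample(range(n), n))
    answers = honest_answers(s, u, sigma)
    kind, recovered = extract(H, y, w, answers)
    # a third answer computed from a different u (fresh randomness) is not consistent
    # with the first two, so no key follows from it
    u2 = xor(u, (1,) + (0,) * (n - 1))
    inconsistent = dict(answers)
    inconsistent[2] = honest_answers(s, u2, sigma)[2]
    return {"kind": kind,
            "recovered_equals_s": recovered == s,
            "inconsistent": extract(H, y, w, inconsistent)[0]}
```

The second run in demo() illustrates why the reduction needs all three answers to come from the same commitment (the same random tape x and the same level i): answers built from fresh (u_i, σ_i) do not satisfy the equalities, and the extractor reports the only remaining explanation, a collision in h.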

Let us denote $\theta = \frac{\varepsilon}{2\delta}$ and describe an algorithm that finds a tree with vertices $v_{i,0}$, $v_{i,1}$ and $v_{i,2}$ with some probability.

Algorithm 1

1) Randomly choose a value $x$ of the adversary's random tape (i.e., fix the tree $T(x)$).

2) Randomly choose $60/\theta^2$ inputs of the random oracle and evaluate its outputs (defining the branches of the tree).

3) Traverse the tree level by level to find vertices $v_{i,0}$, $v_{i,1}$ and $v_{i,2}$. If they are found, then solve either the SD(H, y, w) or the Coll(h) problem. Otherwise, return to Step 1.

Lemma 1. Under the assumptions of Theorem 1, the success probability of each run of Algorithm 1 is not less than $\varepsilon/4$, where $\varepsilon$ is defined as in (1).

Proof. Define the set $X$ as

$X = \left\{x : \text{there are at least } 2^{\delta} + \frac{\varepsilon}{2} \cdot 3^{\delta} \text{ branches in } T(x)\right\}.$

Then $P[x \in X] \ge \varepsilon/2$.

Let, on the contrary, $P[x \in X] < \varepsilon/2$. Let us denote the number of leaves of $T(x)$ by $t$. Then $P[A \Rightarrow 1 \wedge x \notin X] = t/3^{\delta} < (2/3)^{\delta} + \varepsilon/2$. Therefore, the success probability of $A$ is

$P[A \Rightarrow 1] = P[A \Rightarrow 1 \wedge x \in X] + P[A \Rightarrow 1 \wedge x \notin X] \le P[x \in X] + P[A \Rightarrow 1 \wedge x \notin X] < \varepsilon/2 + \left((2/3)^{\delta} + \varepsilon/2\right) = (2/3)^{\delta} + \varepsilon.$

And we arrive at a contradiction.

Let us consider separately the case $x \in X$. Note that $X$ defines a set of $\varepsilon/2$-dense trees. Therefore, by Proposition 1 one can select a uniformly $\theta$-dense subtree with leaves of depth $\delta$ from each such tree. Let us call this tree $T_1(x)$.

For any index $i$, $0 \le i \le \delta$, we denote the number of vertices of $T_1(x)$ at the $i$-th level having one, two, and three children by $n_{i,1}$, $n_{i,2}$, and $n_{i,3}$. We denote the total number of vertices at the $i$-th level by $n_i$. Then for $0 \le i < \delta$ it holds that

$n_{i+1} = n_{i,1} + 2n_{i,2} + 3n_{i,3} = n_i + n_{i,2} + 2n_{i,3}. \quad (2)$

Let $q = \max_i n_{i,3}/n_i$. Then $n_{i,3} \le qn_i$. From (2) it holds that

$n_{i+1} \le n_i + n_{i,2} + 2qn_i \le 2n_i + 2qn_i = 2n_i(1 + q).$

From the definition of a uniformly $\theta$-dense tree, for each $i$, $0 \le i \le \delta$, the inequality

$n_i \ge 3^i \theta$

holds. Then

$3^{\delta}\theta \le n_{\delta} \le 2^{\delta} n_0 (1 + q)^{\delta}.$

Since $n_0 = 1$ ($i = 0$ corresponds to the root of the tree), we have

$\delta \ln(1 + q) + \delta \ln 2 \ge \ln \theta + \delta \ln 3.$

Dividing by $\delta$ we finally obtain

$q \ge \frac{3}{2}\theta^{1/\delta} - 1.$

Now let us fix $a = \log_{3/2}\left(1.1\,(2\delta)^{1/\delta}\right)$ and consider separately two cases. If $\varepsilon \le (2/3)^{\delta(1-a)}$, then

$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) \le \left(\frac{2}{3}\right)^{\delta}\left(1 + \left(\frac{2}{3}\right)^{-a\delta}\right) = \left(\frac{2}{3}\right)^{\delta}\left(1 + 2\delta \cdot 1.1^{\delta}\right).$

Otherwise, if $\varepsilon > (2/3)^{\delta(1-a)}$ it holds that

$\theta^{1/\delta} = \left(\frac{\varepsilon}{2\delta}\right)^{1/\delta} > \left(\frac{(2/3)^{\delta(1-a)}}{2\delta}\right)^{1/\delta} = \frac{(2/3)^{1-a}}{(2\delta)^{1/\delta}}.$

It can be checked that for $a$ defined as above it holds that $q \ge 0.1$. Note that $q$ does not actually depend on $\theta$.

Let $j$ be the number of the level at which the maximum value of $q$ is achieved. Then $n_{j,3} = qn_j$. We denote by $L_j(\pi)$ the predicate that the path $\pi$ lies in $T_1(x)$ and goes through the left child of some vertex of level $j$. Similarly, we define the predicates $C_j(\pi)$ and $R_j(\pi)$. By $L_j$ we denote the predicate $\exists \pi\,(L_j(\pi))$.

We can write for the probability of the event $L_j$:

$P[L_j] \ge P[\exists \pi\,((v_1 \in \pi \vee v_2 \in \pi \vee \ldots \vee v_{n_{j,3}} \in \pi) \wedge L_j(\pi))] = \sum_{i=1}^{n_{j,3}} P[\exists \pi\,(v_i \in \pi \wedge L_j(\pi))].$

Here $v_i$ is a vertex from the $j$-th level which has three children. For such a vertex the existence of the left child is guaranteed.

The probability $P[\exists \pi\,(v_i \in \pi \wedge L_j(\pi))]$ for $1 \le i \le n_{j,3}$ is equal to the number $S$ of paths in $T_1(x)$ passing through the left child of $v_i$ divided by $3^{\delta}$. There are at most $3^{\delta-j-1}$ leaves in the subtree with root $v_i$. But since $T_1(x)$ is a uniformly $\theta$-dense tree, it holds that

$S \ge 3^{\delta-j-1}\theta \Rightarrow P[\exists \pi\,(v_i \in \pi \wedge L_j(\pi))] \ge \frac{3^{\delta-j-1}\theta}{3^{\delta}}.$

From this we can conclude that

$P[L_j] \ge n_{j,3} \cdot \frac{3^{\delta-j-1}\theta}{3^{\delta}} = \frac{n_{j,3}\,\theta}{3^{j+1}} = \frac{n_{j,3}}{n_j} \cdot \frac{n_j}{3^j} \cdot \frac{\theta}{3} \ge q \cdot \theta \cdot \frac{\theta}{3} \ge \frac{\theta^2}{30}.$

Now let us find the probability $P$ that by choosing $60/\theta^2$ branches $\pi_l$ we find vertices $v_{j,0}$, $v_{j,1}$, and $v_{j,2}$ at the $j$-th level of $T_1(x)$.

$P = P[\exists \pi_0, \pi_1, \pi_2\,(L_j(\pi_0) \wedge C_j(\pi_1) \wedge R_j(\pi_2))] = 1 - P[\forall \pi\,\neg L_j(\pi) \vee \forall \pi\,\neg C_j(\pi) \vee \forall \pi\,\neg R_j(\pi)] \ge 1 - P[\forall \pi\,\neg L_j(\pi)] - P[\forall \pi\,\neg C_j(\pi)] - P[\forall \pi\,\neg R_j(\pi)] = 1 - 3P[\forall \pi\,\neg L_j(\pi)] = 1 - 3P[\neg L_j]^{60/\theta^2} = 1 - 3(1 - P[L_j])^{60/\theta^2} \ge 1 - 3\left(1 - \frac{\theta^2}{30}\right)^{60/\theta^2} \ge 1 - \frac{3}{e^2}.$

Thus, the success probability of Algorithm 1 searching for the vertices $v_{j,0}$, $v_{j,1}$, and $v_{j,2}$ is obtained from the probability of choosing a dense tree $T(x)$ and the probability $P$. It equals $p = \frac{\varepsilon}{2}\left(1 - \frac{3}{e^2}\right) > \frac{\varepsilon}{4}$. ■

$B$ runs the algorithm $1/p$ times. The complexity of one run is $T' = 60T/\theta^2$. The probability of failure is $(1 - p)^{1/p}$ and, accordingly, the probability of success is $1 - (1 - p)^{1/p}$. Let us show that

$1 - (1 - p)^{1/p} > 1 - \frac{1}{e}.$

Indeed, the Maclaurin series for $1/(1 - p)$ and $e^p$ are:

$\frac{1}{1 - p} = 1 + p + p^2 + \ldots, \qquad e^p = 1 + \frac{p}{1!} + \frac{p^2}{2!} + \ldots,$

thus, for all $p \in (0, 1)$ it holds that

$\frac{1}{1 - p} > e^p \Rightarrow (1 - p) < e^{-p} \Rightarrow (1 - p)^{1/p} < e^{-1}.$

The resulting complexity of the adversary $B$ is $T'' = T'/p < 240T/(\theta^2 \varepsilon)$. Let $B$ solve SD(H, y, w) and Coll(h) with probabilities $p_1$ and $p_2$ respectively. Then

$p_1 + p_2 > 1 - \frac{1}{e}.$

We denote the complexities of optimal algorithms solving SD(H, y, w) and Coll(h) with success probability $1 - 1/e$ by $T_{SD,(1-1/e)}$ and $T_{Coll,(1-1/e)}$. Then

$T_{SD,(1-1/e)} \le \frac{1}{p_1} T_{SD,p_1} \le \frac{1}{p_1} T'', \qquad T_{Coll,(1-1/e)} \le \frac{1}{p_2} T_{Coll,p_2} \le \frac{1}{p_2} T''.$

The first inequalities follow from the fact that repeating an algorithm with success probability $p_1$ for $1/p_1$ times gives an algorithm with success probability $1 - 1/e$, but possibly a suboptimal one. The second inequalities follow from the fact that $B$ solves one of the two problems. Accordingly, its complexity cannot be less than the complexity of the algorithm that solves one of them. Hence,

$T'' \ge p_1 T_{SD,(1-1/e)} \quad \text{and} \quad T'' \ge p_2 T_{Coll,(1-1/e)}.$

Therefore, denoting $\hat T = \min\{T_{SD,(1-1/e)}, T_{Coll,(1-1/e)}\}$, we can write

$T'' \ge \frac{1}{2}\left(p_1 T_{SD,(1-1/e)} + p_2 T_{Coll,(1-1/e)}\right) \ge \frac{1}{2}(p_1 + p_2)\hat T > \frac{1 - 1/e}{2}\hat T.$

Equivalently,

$\frac{960\,\delta^2 T}{\varepsilon^3} > \frac{1 - 1/e}{2}\hat T.$

Finding $\varepsilon$ from the last inequality and noting that $\sqrt[3]{\frac{1920}{1 - 1/e}} \le 15$, we obtain

$\varepsilon \le 15\sqrt[3]{\frac{\delta^2 T}{\hat T}}.$

Finally, for $\varepsilon > (2/3)^{\delta(1-a)}$ we obtain

$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) \le 15\sqrt[3]{\frac{\delta^2 T}{\min\{T_{SD}, T_{Coll}\}}} + \left(\frac{2}{3}\right)^{\delta}.$

For arbitrary $\varepsilon$ it holds that

$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) \le \max\left\{15\sqrt[3]{\frac{\delta^2 T}{\min\{T_{SD}, T_{Coll}\}}} + \left(\frac{2}{3}\right)^{\delta},\ \left(\frac{2}{3}\right)^{\delta}\left(1 + 2\delta \cdot 1.1^{\delta}\right)\right\}.$

Theorem 1 is proven.

Theorem 2. Let $A$ be an adversary in the EUF-NMA model for the Stern signature scheme making at most $q_f$ queries to the hashing oracle $F$. Then there exists an adversary $B$ in the EUF-NMA model for the Stern signature scheme making at most one query to the hashing oracle and satisfying

$q_f \cdot \mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \ge \mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) - 3^{-\delta}.$

Furthermore, if the complexity of $A$ is $T$, then the complexity of $B$ is $T + c'q_f$, where $c'$ is a constant depending on the model of computation.

Proof. Let $\mathrm{Exp}_0$ denote the original experiment in the EUF-NMA security model with $q_f$ queries to the hashing oracle $F$. In this experiment, $A$ is the adversary that makes an existential forgery for the Stern signature scheme using the random oracle $F$. Therefore,

$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) = P[\mathrm{Exp}_0(A) \Rightarrow 1].$

Exp_0(A)
1 : s ←$ {x ∈ {0,1}^n : wt(x) = w}
2 : y ← H s^T
3 : Π_F ← ∅
4 : (m, c||r) ←$ A^F(y)
5 : return Stern.Ver(y, m, c||r)

Oracle F(α)
1 : if (α, ·) ∈ Π_F : β ← Π_F(α)
2 : else
3 :   β ←$ {0,1,2}^δ
4 :   Π_F ← Π_F ∪ {(α, β)}
5 : return β

Now, based on the adversary $A$, we construct an adversary $B$ that makes an existential forgery in the model with one query to the random oracle. $B$ simulates the oracle $F$ that can answer $q_f$ of $A$'s queries using the algorithm $\mathrm{SimF}_t$. Here the notation $A^{\mathrm{SimF}_t}$ means that $B$'s only query to its own random oracle $F^*$ matches $A$'s $t$-th query to the oracle $F$. Note that the output of the oracle $F^*$ has a uniform distribution, i.e., the values $\beta$ obtained on lines 3 and 4 of $\mathrm{SimF}_t$ cannot be distinguished.

B^{F*}(y)
1 : Π_F ← ∅
2 : j ← 0
3 : t ←$ {1, ..., q_f}
4 : (m, c||r) ←$ A^{SimF_t}(y)
5 : return (m, c||r)

SimF_t(α)
1 : j ← j + 1
2 : if (α, ·) ∈ Π_F : β ← Π_F(α)
3 : elseif j = t : β ← F*(α)
4 : else : β ←$ {0,1,2}^δ
5 : Π_F ← Π_F ∪ {(α, β)}
6 : return β

The adversary $A$ can make a signature including the answer to one of the queries made to the oracle $F$, or to none of them. Let $I$ be a random variable that corresponds to the number of $A$'s query to the oracle $F$ that it uses to create a forgery. In case $A$ does not use any, let $I = 0$. Hence,

$P[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \Rightarrow 1] \ge P[\mathrm{Exp}_0(A) \Rightarrow 1 \wedge t = I] \ge P[\mathrm{Exp}_0(A) \Rightarrow 1 \wedge t = I \wedge I \ge 1] = P[t = I]\,P[\mathrm{Exp}_0(A) \Rightarrow 1 \wedge I \ge 1] \ge \frac{1}{q_f} P[\mathrm{Exp}_0(A) \Rightarrow 1 \wedge I \ge 1].$

The equality here follows from the independent random choice of $t$.

Note that $A$'s probability of success in case it does not use any query to the random oracle $F$ is no more than $3^{-\delta}$, as it has to guess the full output $b = F(\alpha)$. From this and the definition of conditional probability it holds that

$P[\mathrm{Exp}_0(A) \Rightarrow 1] \le P[\mathrm{Exp}_0(A) \Rightarrow 1 \wedge I \ge 1] + P[\mathrm{Exp}_0(A) \Rightarrow 1 \wedge I = 0] \le P[\mathrm{Exp}_0(A) \Rightarrow 1 \wedge I \ge 1] + 3^{-\delta}.$

Consequently,

$P[\mathrm{Exp}_0(A) \Rightarrow 1] - 3^{-\delta} \le q_f \cdot P[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \Rightarrow 1].$

From the above it holds that

$q_f \cdot \mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) = q_f \cdot P[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \Rightarrow 1] \ge P[\mathrm{Exp}_0(A) \Rightarrow 1] - 3^{-\delta} = \mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(A) - 3^{-\delta}.$

$B$ runs $A$ and simulates $q_f$ queries to the oracle $F$, i.e., if the complexity of $A$ is $T$, then the complexity of $B$ does not exceed $T + c'q_f$ for some constant $c'$. ■

Theorem 3. Let A be an adversary in the EUF-CMA model for the Stern signature scheme making at most qf queries to the hashing oracle F and at most qs queries to the signing oracle Sign. Then there exists an adversary B in the EUF-NMA model for the Stern signature scheme making at most qf queries to the hashing oracle and

Adv™A(B) > Adv|UrFnCMA(A) — qs (^^Y ,

TColl

where TColl is the complexity of optimal algorithm solving Coll(h) problem with probability of success at least 1 — 1/e and c is a constant depending on the model of computation.

Furthermore, if the complexity of $A$ is $T$, then the complexity of $B$ is upper bounded by $T + c''(q_f + q_s T^{\mathrm{Sig}}_{\mathrm{Stern}})$, where $T^{\mathrm{Sig}}_{\mathrm{Stern}}$ is the complexity of the signature generation algorithm and $c''$ is a constant depending on the model of computation.

Proof. Let Exp0 denote the original experiment in the EUF-CMA security model. In this experiment, A is the adversary that makes an existential forgery for the Stern signature scheme using the random oracle F and signing oracle Sign. A can make at most qf queries to F and at most qs queries to Sign.

Exp_0(A) = Exp^{EUF-CMA}_{Stern}(A)
1 : s ←$ {x ∈ {0,1}^n : wt(x) = w}
2 : y ← H s^T
3 : L ← ∅
4 : Π_F ← ∅
5 : (m, c||r) ←$ A^{Sign,F}(y)
6 : if m ∈ L : return 0
7 : return Stern.Ver(y, m, c||r)

Oracle F(α)
1 : if (α, ·) ∈ Π_F : β ← Π_F(α)
2 : else
3 :   β ←$ {0,1,2}^δ
4 :   Π_F ← Π_F ∪ {(α, β)}
5 : return β

Oracle Sign(s, m)
1 : foreach 0 ≤ i < δ :
2 :   u_i ←$ {0,1}^n, σ_i ←$ S_n
3 :   c_{i,0} ← h(σ_i || H u_i^T)
4 :   c_{i,1} ← h(σ_i(u_i))
5 :   c_{i,2} ← h(σ_i(u_i ⊕ s))
6 :   c_i ← c_{i,0} || c_{i,1} || c_{i,2}
7 : c ← c_0 || ... || c_{δ-1}
8 : b ← F(m || c)
9 : foreach 0 ≤ i < δ :
10 :  if b_i = 0 : r_i ← σ_i || u_i
11 :  if b_i = 1 : r_i ← σ_i || (u_i ⊕ s)
12 :  if b_i = 2 : r_i ← σ_i(u_i) || σ_i(s)
13 : r ← r_0 || ... || r_{δ-1}
14 : L ← L ∪ {m}
15 : return c || r

$\mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Stern}}(A) = P[\mathrm{Exp}_0(A) \Rightarrow 1].$

The experiment $\mathrm{Exp}_1$ is a modification of $\mathrm{Exp}_0$ obtained by introducing the sets $\Pi_S, \Pi \subseteq \{0,1\}^* \times \{0,1,2\}^{\delta}$; $\Pi_S$ is filled while communicating with the oracle Sign, and $\Pi = \Pi_F \cup \Pi_S$.

The modifications of the algorithms $F$ and Sign do not affect the distributions of their outputs, therefore,

$P[\mathrm{Exp}_0(A) \Rightarrow 1] = P[\mathrm{Exp}_1(A) \Rightarrow 1].$

The experiment Exp2 differs from Exp1 only in algorithm Sign. Now it does not use the secret key, and the result is formed by a random vector b.

We show that the distributions of outputs c||r of the algorithm Sign in experiments Exp1 and Exp2 are indistinguishable if the condition on the line 23 was not satisfied. If we show that the distribution of each such part ci|ri = ci,0|ci,1 ||ci,2 |ri,0 ||ri,1 for 0 ^ i ^ 8 — 1 in Exp2 coincides with the distribution of the corresponding part in Exp1, then the distributions of the signatures also coincide.

Further, we will consider arguments of the hash function h corresponding to ci,j instead of the values themselves. The reason for it is the fact that if distributions of variables £ and n coincide, then distributions of variables h(£) and h(n) also coincide. Indeed,

C

P[h(£) = a] = P[£ G h-1(a)] = P[n G h-1(a)] = P[h(n) = a].

Exp1(A):
    s ←$ {x ∈ {0,1}^n : wt(x) = w}
    y ← H s^T
    L ← ∅
    (Π_F, Π_S) ← (∅, ∅)
    Π ← Π_F ∪ Π_S
    (m, c||r) ←$ A^{Sign,F}(y)
    if m ∈ L : return 0
    return Stern.Ver(y, m, c||r)

Oracle F(a) (Exp1):
    1 : if (a, ·) ∈ Π : return Π(a)
    2 : b ←$ {0,1,2}^δ
    3 : Π_F ← Π_F ∪ {(a, b)}
    4 : Π ← Π_F ∪ Π_S
    5 : return b

Oracle Sign(s, m) (Exp1):
    1 : foreach 0 ≤ i < δ :
    2 :     u_i ←$ {0,1}^n, σ_i ←$ S_n
    3 :     c_{i,0} ← h(σ_i || H u_i^T)
    4 :     c_{i,1} ← h(σ_i(u_i))
    5 :     c_{i,2} ← h(σ_i(u_i ⊕ s))
    6 :     c_i ← c_{i,0} || c_{i,1} || c_{i,2}
    7 : c ← c_0 || ... || c_{δ−1}
    8 : if (m||c, ·) ∈ Π : b ← Π(m||c)
    9 : else
    10 :    b ←$ {0,1,2}^δ
    11 :    Π_S ← Π_S ∪ {(m||c, b)}
    12 :    Π ← Π_F ∪ Π_S
    13 : foreach 0 ≤ i < δ :
    14 :    if b_i = 0 : r_i ← σ_i || u_i
    15 :    if b_i = 1 : r_i ← σ_i || (u_i ⊕ s)
    16 :    if b_i = 2 : r_i ← σ_i(u_i) || σ_i(s)
    17 : r ← r_0 || ... || r_{δ−1}
    18 : L ← L ∪ {m}
    19 : return c || r

Oracle Sign(m) (Exp2):
    1 : s' ←$ {x ∈ {0,1}^n : wt(x) = w}
    2 : foreach 0 ≤ i < δ :
    3 :     u_i ←$ {0,1}^n, σ_i ←$ S_n
    4 :     b_i ←$ {0,1,2}
    5 :     if b_i = 0 :
    6 :         c_{i,0} ← h(σ_i || H u_i^T)
    7 :         c_{i,1} ← h(σ_i(u_i))
    8 :         c_{i,2} ← h(σ_i(u_i ⊕ s'))
    9 :         r_i ← σ_i || u_i
    10 :    if b_i = 1 :
    11 :        c_{i,0} ← h(σ_i || (H u_i^T ⊕ y))
    12 :        c_{i,1} ← h(σ_i(s'))
    13 :        c_{i,2} ← h(σ_i(u_i))
    14 :        r_i ← σ_i || u_i
    15 :    if b_i = 2 :
    16 :        c_{i,0} ← h(σ_i || H(u_i ⊕ s')^T)
    17 :        c_{i,1} ← h(σ_i(u_i ⊕ s'))
    18 :        c_{i,2} ← h(σ_i(u_i))
    19 :        r_i ← σ_i(u_i ⊕ s') || σ_i(s')
    20 :    c_i ← c_{i,0} || c_{i,1} || c_{i,2}
    21 : c ← c_0 || ... || c_{δ−1}
    22 : r ← r_0 || ... || r_{δ−1}
    23 : if (m||c, ·) ∈ Π_F : abort
    24 : Π_S ← Π_S ∪ {(m||c, b)}
    25 : Π ← Π_F ∪ Π_S
    26 : L ← L ∪ {m}
    27 : return c || r
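The three listings above (the real signing oracle of Exp0/Exp1 and the key-less Sign of Exp2) can be exercised on toy parameters. The following Python program is an added example written for this page and is not code from the paper: it implements the δ Stern rounds with the Fiat–Shamir challenge b = F(m||c), the verification algorithm Stern.Ver, and the Exp2 simulator, which draws b first, builds commitments that open correctly for that b without knowing s, and then programs the random oracle at m||c (raising the abort of line 23 if that point was already queried). The commitment hash h is SHA-256 and F is a lazily filled table; both stand in for the paper's Streebog-based functions. The parameters n = 16, k = 8, w = 4, δ = 6, the seeded generator and all function names are constructed assumptions.

```python
import hashlib
import random

# Toy parameters, constructed for illustration (the paper's set is n=2896, k=1448, w=318, delta=137).
N, K, W, DELTA = 16, 8, 4, 6
rng = random.Random(2022)  # seeded for reproducibility; a real signer uses a CSPRNG

def h(*parts):  # commitment hash h: SHA-256 over length-prefixed parts (stand-in for Streebog-512)
    m = hashlib.sha256()
    for p in parts:
        m.update(len(bytes(p)).to_bytes(2, "big") + bytes(p))
    return m.digest()

def syndrome(H, x):  # H x^T over GF(2); H is a list of n-k rows, x a tuple of n bits
    return tuple(sum(hi & xi for hi, xi in zip(row, x)) % 2 for row in H)

def xor(a, b):
    return tuple(ai ^ bi for ai, bi in zip(a, b))

def perm(sigma, x):  # sigma(x): permute the coordinates of x by sigma in S_n
    return tuple(x[sigma[j]] for j in range(len(x)))

def rand_vec(n):
    return tuple(rng.randrange(2) for _ in range(n))

def rand_weight(n, w):  # uniform vector of Hamming weight w
    ones = set(rng.sample(range(n), w))
    return tuple(int(i in ones) for i in range(n))

def rand_perm(n):
    return tuple(rng.sample(range(n), n))

def flatten(c_list):  # c = c_0 || ... || c_{delta-1} as one byte string
    return b"".join(b"".join(ci) for ci in c_list)

class RandomOracle:  # F: {0,1}* -> {0,1,2}^delta, sampled lazily; `table` is Pi_F of the proof
    def __init__(self):
        self.table = {}
    def query(self, a):
        if a not in self.table:
            self.table[a] = tuple(rng.randrange(3) for _ in range(DELTA))
        return self.table[a]

def keygen():  # public (H, y = H s^T), secret s of weight w
    H = [rand_vec(N) for _ in range(N - K)]
    s = rand_weight(N, W)
    return H, s, syndrome(H, s)

def sign(H, s, m, F):  # Stern.Sign as in Exp0: commit, derive b = F(m||c), open according to b_i
    rounds = [(rand_vec(N), rand_perm(N)) for _ in range(DELTA)]
    c_list = [(h(sg, syndrome(H, u)), h(perm(sg, u)), h(perm(sg, xor(u, s)))) for u, sg in rounds]
    b = F.query(m + flatten(c_list))
    r_list = []
    for bi, (u, sg) in zip(b, rounds):
        r_list.append((sg, u) if bi == 0 else (sg, xor(u, s)) if bi == 1 else (perm(sg, u), perm(sg, s)))
    return c_list, r_list

def verify(H, y, m, sig, F):  # Stern.Ver: recompute b and check the two commitments opened per round
    c_list, r_list = sig
    b = F.query(m + flatten(c_list))
    for bi, (c0, c1, c2), r in zip(b, c_list, r_list):
        if bi == 0:    # r_i = sigma || u
            sg, u = r
            ok = sorted(sg) == list(range(N)) and c0 == h(sg, syndrome(H, u)) and c1 == h(perm(sg, u))
        elif bi == 1:  # r_i = sigma || (u xor s), and H(u xor s)^T xor y = H u^T
            sg, v = r
            ok = sorted(sg) == list(range(N)) and c0 == h(sg, xor(syndrome(H, v), y)) and c2 == h(perm(sg, v))
        else:          # r_i = sigma(u) || sigma(s), and sigma(s) must have weight w
            pu, ps = r
            ok = c1 == h(pu) and c2 == h(xor(pu, ps)) and sum(ps) == W
        if not ok:
            return False
    return len(c_list) == len(r_list) == DELTA

def simulate_sign(H, y, m, F):  # Sign of Exp2: no secret key; b_i drawn first, F programmed at m||c
    s2 = rand_weight(N, W)  # the fake key s'
    c_list, r_list, b = [], [], []
    for _ in range(DELTA):
        u, sg, bi = rand_vec(N), rand_perm(N), rng.randrange(3)
        if bi == 0:    # c0, c1 are honest; c2 uses s' and is never opened
            c, r = (h(sg, syndrome(H, u)), h(perm(sg, u)), h(perm(sg, xor(u, s2)))), (sg, u)
        elif bi == 1:  # u plays the role of u xor s, so c0 is built from H u^T xor y
            c, r = (h(sg, xor(syndrome(H, u), y)), h(perm(sg, s2)), h(perm(sg, u))), (sg, u)
        else:          # open sigma(u xor s') and sigma(s'): weight w holds, c0 is not checked
            v = xor(u, s2)
            c, r = (h(sg, syndrome(H, v)), h(perm(sg, v)), h(perm(sg, u))), (perm(sg, v), perm(sg, s2))
        c_list.append(c); r_list.append(r); b.append(bi)
    key = m + flatten(c_list)
    if key in F.table:
        raise RuntimeError("abort: m||c already queried to F (line 23 of Exp2)")
    F.table[key] = tuple(b)
    return c_list, r_list

def demo():  # (real signature verifies, tampered one fails, simulated one verifies)
    H, s, y = keygen()
    F = RandomOracle()
    sig = sign(H, s, b"message", F)
    tampered = ([(b"\0" * 32,) * 3] + sig[0][1:], sig[1])  # round-0 commitments destroyed
    sim = simulate_sign(H, y, b"never signed", F)
    return (verify(H, y, b"message", sig, F),
            verify(H, y, b"message", tampered, F),
            verify(H, y, b"never signed", sim, F))
```

Running `demo()` returns `(True, False, True)`: the simulated signature passes the same verifier as the real one, which is exactly why the proof can replace Sign by the Exp2 oracle, and the only thing the simulator needs is that m||c has not been queried to F before it is programmed, i.e. the line-23 event whose probability the proof bounds by q_s(14cδq_f/T_Coll)^δ.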

In the case b_i = 0, for an external observer the secret key s is a random variable, and the other values are selected at random in the same way as in the original protocol, so the distributions obviously coincide.

If b_i = 1, then the probability that in Exp1 the string c_i||r_i equals a_1||a_2||a_3||a_4||a_5||a_6 is

$$P_{a_1,a_2,a_3,a_4,a_5,a_6} = P\left[\sigma_i = a_1,\ H u_i^T = a_2,\ \sigma_i(u_i) = a_3,\ \sigma_i(u_i \oplus s) = a_4,\ \sigma_i = a_5,\ u_i \oplus s = a_6\right] =$$
$$= I\left[a_1 = a_5,\ H(a_6 \oplus s)^T = a_2,\ a_1(a_6) = a_4\right] \cdot P\left[\sigma_i = a_1,\ s = a_1^{-1}(a_3) \oplus a_6,\ u_i = a_1^{-1}(a_3)\right],$$

where I[θ] is the indicator of the expression θ. In Exp2 this probability is

$$P_{a_1,a_2,a_3,a_4,a_5,a_6} = P\left[\sigma_i = a_1,\ H u_i^T \oplus y = a_2,\ \sigma_i(s') = a_3,\ \sigma_i(u_i) = a_4,\ \sigma_i = a_5,\ u_i = a_6\right] =$$
$$= I\left[a_1 = a_5,\ H a_6^T \oplus y = a_2,\ a_1(a_6) = a_4\right] \cdot P\left[\sigma_i = a_1,\ s' = a_1^{-1}(a_3),\ u_i = a_6\right].$$

Since H(a_6 ⊕ s)^T = H a_6^T ⊕ y, the indicators of these two expressions coincide.

Let us evaluate the probabilities. Note that since all random variables are selected independently, the probability of the conjunction of events equals the product of their probabilities. So we can find them separately:

$$P[\sigma_i = a_1] = \frac{1}{n!},\qquad P\left[s = a_1^{-1}(a_3) \oplus a_6 = a'\right] = \frac{1}{2^n},$$
$$P\left[u_i = a_1^{-1}(a_3) = a''\right] = P\left[s' = a_1^{-1}(a_3) = a'''\right] = P[u_i = a_6] = \frac{1}{2^n}$$

for any constants a', a'' and a'''. Then

$$P\left[\sigma_i = a_1,\ s = a_1^{-1}(a_3) \oplus a_6,\ u_i = a_1^{-1}(a_3)\right] = P\left[\sigma_i = a_1,\ s' = a_1^{-1}(a_3),\ u_i = a_6\right] = \frac{1}{n!\,2^{2n}},$$

and the distributions are indistinguishable.

Finally, if b_i = 2, then the similar probability in Exp1 is

$$P_{a_1,\dots,a_6} = P\left[\sigma_i = a_1,\ H u_i^T = a_2,\ \sigma_i(u_i) = a_3,\ \sigma_i(u_i \oplus s) = a_4,\ \sigma_i(u_i) = a_5,\ \sigma_i(s) = a_6\right] =$$
$$= I\left[a_3 = a_5,\ a_3 \oplus a_6 = a_4,\ H(a_1^{-1}(a_3))^T = a_2\right] \cdot P\left[\sigma_i = a_1,\ u_i = a_1^{-1}(a_3),\ s = a_1^{-1}(a_6)\right],$$

and in Exp2 it is

$$P_{a_1,\dots,a_6} = P\left[\sigma_i = a_1,\ H(u_i \oplus s')^T = a_2,\ \sigma_i(u_i \oplus s') = a_3,\ \sigma_i(u_i) = a_4,\ \sigma_i(u_i \oplus s') = a_5,\ \sigma_i(s') = a_6\right] =$$
$$= I\left[a_3 = a_5,\ a_4 \oplus a_6 = a_3,\ H(a_1^{-1}(a_3))^T = a_2\right] \cdot P\left[\sigma_i = a_1,\ u_i = a_1^{-1}(a_4),\ s' = a_1^{-1}(a_6)\right].$$

Reasoning as above, we get

$$P\left[\sigma_i = a_1,\ u_i = a_1^{-1}(a_3),\ s = a_1^{-1}(a_6)\right] = P\left[\sigma_i = a_1,\ u_i = a_1^{-1}(a_4),\ s' = a_1^{-1}(a_6)\right] = \frac{1}{n!\,2^{2n}},$$

and the distributions coincide.

The check on line 23 corresponds to the case when the value c, created while generating a signature for the message m, already exists in the set Π_F. Let us consider the worst case and suppose that A makes its q_f queries to the hashing oracle F first. We denote by p' the probability that for some message, at one of the q_s queries, the following condition was satisfied:

$$p' = P\left[c \in \Pi_F^c\right],$$

where

$$\Pi_F^c = \left\{c \in \{0,1\}^{3\delta\ell} : \exists m \in \{0,1\}^*\ \exists b \in \{0,1,2\}^{\delta}\ \left((m\|c, b) \in \Pi_F\right)\right\}.$$

For a string c and a set Π ⊆ {0,1}* × {0,1}^{3δℓ} × {0,1,2}^δ, we introduce the projection of this set onto a part of the string:

$$\Pi_{c,(0,1)} = \left\{c_{0,1} : \exists m \in \{0,1\}^*\ \exists c \in \{0,1\}^{3\delta\ell}\ \exists b \in \{0,1,2\}^{\delta}\ \left((m\|c, b) \in \Pi\right)\right\}.$$

Similarly, for a tuple c_{*,1} = (c_{0,1}, ..., c_{δ−1,1}) we define

$$\Pi_{c,(*,1)} = \left\{c_{*,1} : \exists m \in \{0,1\}^*\ \exists c \in \{0,1\}^{3\delta\ell}\ \exists b \in \{0,1,2\}^{\delta}\ \left((m\|c, b) \in \Pi\right)\right\}.$$

Then for Π ⊆ {0,1}* × {0,1}^{3δℓ} × {0,1,2}^δ we can claim

$$p' \le \sum_{\Pi} P\left[\Pi_F = \Pi \wedge c_{*,1} \in \Pi_{c,(*,1)}\right].$$

Note that the first event is determined by A's random oracle whereas the second is determined by the signing one. That is, the events are independent and

$$p' \le \sum_{\Pi} P\left[\Pi_F = \Pi\right] \cdot P\left[c_{*,1} \in \Pi_{c,(*,1)}\right].$$

Since each c_{i,1} is a function of independent random variables for i ∈ {0, ..., δ − 1}, the events c_{i,1} ∈ Π_{c,(i,1)} are also independent. Hence

$$p' \le \sum_{\Pi} P[\Pi_F = \Pi] \prod_{i=0}^{\delta-1} P\left[c_{i,1} \in \Pi_{c,(i,1)}\right] \le \sum_{\Pi} P[\Pi_F = \Pi] \left(\max_{i \in \{0,\dots,\delta-1\}} P\left[c_{i,1} \in \Pi_{c,(i,1)}\right]\right)^{\delta} \le$$
$$\le \left(\max_{\Pi}\ \max_{i \in \{0,\dots,\delta-1\}} P\left[c_{i,1} \in \Pi_{c,(i,1)}\right]\right)^{\delta} \sum_{\Pi} P[\Pi_F = \Pi] = \left(\max_{\Pi}\ \max_{i \in \{0,\dots,\delta-1\}} P\left[c_{i,1} \in \Pi_{c,(i,1)}\right]\right)^{\delta} \le$$
$$\le \left(\max_{\Pi}\ \max_{i \in \{0,\dots,\delta-1\}} \sum_{y \in \Pi_{c,(i,1)}} P\left[c_{i,1} = y\right]\right)^{\delta} \le \left(\max_{\Pi}\ \max_{i \in \{0,\dots,\delta-1\}} \left(|\Pi_{c,(i,1)}| \max_{y \in \Pi_{c,(i,1)}} P\left[c_{i,1} = y\right]\right)\right)^{\delta} \le$$
$$\le \left(q_f \max_{i \in \{0,\dots,\delta-1\}}\ \max_{y \in \{0,1\}^{\ell}} P\left[h(x_i) = y\right]\right)^{\delta} \le \left(q_f \sum_{i \in \{0,\dots,\delta-1\}}\ \max_{y \in \{0,1\}^{\ell}} P\left[h(x_i) = y\right]\right)^{\delta} \le \left(\delta\, q_f \max_{y \in \{0,1\}^{\ell}} P\left[h(x) = y\right]\right)^{\delta},$$

where we used that |Π_{c,(i,1)}| ≤ |Π_F| ≤ q_f, since A makes at most q_f queries to F, and that c_{i,1} = h(x_i) for the uniformly random argument x_i = σ_i(u_i).

We denote p_h = max_{y ∈ {0,1}^ℓ} P[h(x) = y], and let y denote a value at which this maximum is attained. Then there exists an algorithm C that finds a collision of the hash function by the following steps: C chooses t random inputs x_1, ..., x_t and evaluates their hash values; it stops after finding a collision. The event that C fails decomposes into two incompatible events: there is no x ∈ {x_i : i = 1, ..., t} such that h(x) = y, and there is exactly one such x. We claim that the algorithm makes no more than 14/p_h steps and has success probability at least 1 − 1/e.

To prove this fact, we consider two cases: p_h ≤ 0.25 and p_h > 0.25. In the first one, the number of steps can be taken equal to t_1 = 3/p_h. Then

$$P[C\ \text{fails}] = (1 - p_h)^{t_1} + \sum_{i=1}^{t_1} p_h (1 - p_h)^{t_1 - 1} = (1 - p_h)^{t_1} + t_1 p_h (1 - p_h)^{t_1 - 1} \le$$
$$\le e^{-3} + \frac{(3/p_h)\, p_h\, e^{-3}}{1 - p_h} = e^{-3}\left(1 + \frac{3}{1 - p_h}\right) \le 5e^{-3} < e^{-1}.$$

Here we used the fact that for z > 0 the inequality (1 + w)^z ≤ e^{wz} holds. If p_h > 0.25, we can fix t_2 = 14 and

$$P[C\ \text{fails}] = (1 - p_h)^{t_2} + \sum_{i=1}^{t_2} p_h (1 - p_h)^{t_2 - 1} = (1 - p_h)^{t_2} + t_2 p_h (1 - p_h)^{t_2 - 1} \le$$
$$\le 0.75^{t_2} + t_2 p_h \cdot 0.75^{t_2 - 1} = 0.75^{t_2 - 1}(0.75 + t_2 p_h) < 0.75^{t_2 - 1}(1 + t_2) < e^{-1}.$$

The complexity in the first case is 3c/p_h and in the second one it is 14c, where c is a constant depending on the model of computation and corresponding to the complexity of one hash function evaluation. So we can estimate the resulting complexity of the whole algorithm as T = 14c/p_h. Note that if p_h > 0, then the algorithm stops with probability equal to 1. Indeed, P[C fails] tends to zero as t tends to infinity.

Then for the complexity T_Coll of the optimal algorithm solving the problem Coll(h) with probability at least 1 − 1/e it holds that

$$T_{\mathrm{Coll}} \le T \quad\text{and}\quad p_h \le \frac{14\,c}{T_{\mathrm{Coll}}}.$$

Finally, we obtain

$$p' \le \left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta}.$$

Let us denote by G the event that the condition on line 23 was never satisfied. Conversely, if the event Ḡ happened, then the condition was satisfied at least once during A's queries to Sign. If m_i||c_i are the strings formed in the signature generation algorithm, then

$$P[\bar G] = P\left[m_1\|c_1 \in \Pi_F \vee \dots \vee m_{q_s}\|c_{q_s} \in \Pi_F\right] \le P\left[c_1 \in \Pi_F^c \vee \dots \vee c_{q_s} \in \Pi_F^c\right] =$$
$$= 1 - P\left[c_1 \notin \Pi_F^c \wedge \dots \wedge c_{q_s} \notin \Pi_F^c\right] = 1 - \prod_{i=1}^{q_s} P\left[c_i \notin \Pi_F^c\right] = 1 - \prod_{i=1}^{q_s}\left(1 - P\left[c_i \in \Pi_F^c\right]\right) = 1 - (1 - p')^{q_s}.$$

Then, using Bernoulli's inequality together with the facts p' ≤ 1 and q_s > 0, we obtain

$$P[\bar G] \le 1 - 1 + q_s p' \le q_s \left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta}.$$

Since

$$P[\mathrm{Exp}_1(A) \Rightarrow 1] = P[\mathrm{Exp}_1(A) \Rightarrow 1 \wedge G] + P[\mathrm{Exp}_1(A) \Rightarrow 1 \wedge \bar G] \le P[\mathrm{Exp}_2(A) \Rightarrow 1] + P[\bar G],$$

we have

$$P[\mathrm{Exp}_1(A) \Rightarrow 1] - P[\mathrm{Exp}_2(A) \Rightarrow 1] \le P[\bar G] \le q_s \left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta}.$$

Now, based on the adversary A, we construct an adversary B that makes an existential forgery in the EUF-NMA model. It simulates the oracles F and Sign using the algorithms SimF and SimSign. The algorithm SimSign repeats the algorithm Sign of the experiment Exp2. The oracle F* is the random oracle of B.

B^{F*}(y):
    Π_F ← ∅
    L ← ∅
    (m, c||r) ←$ A^{SimSign,SimF}(y)
    if m ∈ L : return 0
    return (m, c||r)

Oracle SimF(a):
    1 : b ← F*(a)
    2 : Π_F ← Π_F ∪ {(a, b)}
    3 : return b

Now let us denote by Out(A) and Out(B) the pairs (m, c||r) that are the outputs of the adversary A in the experiment Exp2 and of the adversary B in the EUF-NMA experiment, respectively. Out(A)_{m,c} and Out(B)_{m,c} are the projections of the adversaries' outputs onto m||c. Note that the projection is not defined if an adversary returns zero (in the case m ∈ L). But further we consider only Exp2 and EUF-NMA experiments with output equal to one, which excludes this case. We also define

V(G, m, c, r) = Ver(y, m, c||r),

where Ver is the signature verification algorithm that uses the function G. Then for m ∈ {0,1}*, c ∈ {0,1}^{3δℓ} we define

$$P_{m,c} = P\left[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \Rightarrow 1 \wedge \mathrm{Out}(B)_{m,c} = m\|c\right] =$$
$$= P\left[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \Rightarrow 1 \wedge \mathrm{Out}(B)_{m,c} = m\|c \wedge m\|c \in \Pi_F\right] + P\left[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \Rightarrow 1 \wedge \mathrm{Out}(B)_{m,c} = m\|c \wedge m\|c \notin \Pi_F\right].$$

If m||c ∉ Π_F, then the adversary does not know the correct hash value for this string and has to guess it. This is possible with probability equal to 3^{−δ}. Also, note that the result of the EUF-NMA experiment equals the result of the signature verification algorithm, so it holds that

$$\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) = V(F, m, c, r). \tag{3}$$

Hence,

$$P_{m,c} = P\left[V(F, m, c, r) \wedge \mathrm{Out}(B)_{m,c} = m\|c \wedge m\|c \in \Pi_F\right] + 3^{-\delta}.$$

For m||c ∈ Π_F it holds that V(F*, m, c, r) = V(F, m, c, r), as A's hashing oracle F is strictly determined by B's oracle F*. Then

$$P_{m,c} = P\left[V(F^*, m, c, r) \wedge \mathrm{Out}(B)_{m,c} = m\|c \wedge m\|c \in \Pi_F\right] + 3^{-\delta}.$$

Similarly to (3) we claim

$$\mathrm{Exp}_2(A) = V(F^*, m, c, r).$$

The adversary B always returns A's output, so

$$\mathrm{Out}(B)_{m,c} = \mathrm{Out}(A)_{m,c}.$$

Finally, A's strategy in the case m||c ∉ Π_F is the same as B's and therefore has the same success probability (1/3)^δ.

From the preceding argument it becomes clear that

$$P_{m,c} = P\left[\mathrm{Exp}_2(A) \Rightarrow 1 \wedge \mathrm{Out}(A)_{m,c} = m\|c \wedge m\|c \in \Pi_F\right] + P\left[\mathrm{Exp}_2(A) \Rightarrow 1 \wedge \mathrm{Out}(A)_{m,c} = m\|c \wedge m\|c \notin \Pi_F\right] = P\left[\mathrm{Exp}_2(A) \Rightarrow 1 \wedge \mathrm{Out}(A)_{m,c} = m\|c\right].$$

Thus,

$$P\left[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \Rightarrow 1\right] = P\left[\mathrm{Exp}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \Rightarrow 1 \wedge \bigvee_{(m,c)} \mathrm{Out}(B)_{m,c} = m\|c\right] = \sum_{(m,c)} P_{m,c} = \sum_{(m,c)} P\left[\mathrm{Exp}_2(A) \Rightarrow 1 \wedge \mathrm{Out}(A)_{m,c} = m\|c\right] = P[\mathrm{Exp}_2(A) \Rightarrow 1].$$

Consequently,

$$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \ge \mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Stern}}(A) - q_s\left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta}.$$

The adversary B runs A and simulates q_f queries to the oracle F and q_s queries to the oracle Sign. Note that the complexity of the oracle Sign does not exceed the complexity of the original signing algorithm. Hence, B's complexity is no more than T + c''(q_f + q_s T^{Sign}_{Stern}).

Corollary 1. Let A be an adversary in the EUF-CMA model for the Stern signature scheme making at most q_f queries to the hashing oracle F and at most q_s queries to the signing oracle Sign. Then it holds that

$$\mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Stern}}(A) \le \max\left\{15 q_f \frac{\delta^2\left(T + c\left(2q_f + q_s T^{\mathrm{Sign}}_{\mathrm{Stern}}\right)\right)}{\min\{T_{\mathrm{SD}}, T_{\mathrm{Coll}}\}} + \left(\frac{2}{3}\right)^{\delta}(1 + q_f) + q_s\left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta},\ \left(\frac{2}{3}\right)^{\delta}\left(1 + q_f\left(1 + 2\delta \cdot 3^{1-\delta}\right)\right) + q_s\left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta}\right\},$$

where T^{Sign}_{Stern} is the complexity of the signature generation algorithm, T is the maximum possible time complexity of A, T_SD and T_Coll are the complexities of the optimal algorithms solving the SD(H, y, w) and Coll(h) problems with probabilities of success at least 1 − 1/e, and c = max{c', c''}, where c' and c'' are constants depending on the model of computation.

Proof. The complexity T' of an adversary in the EUF-NMA model with one query to the hashing oracle from Theorems 1–3 does not exceed T + c(2q_f + q_s T^{Sign}_{Stern}), where T is the complexity of an adversary in the EUF-CMA model and c = max{c', c''}.

Also, for an adversary B in the EUF-NMA model making at most q_f queries to the hashing oracle it follows that

$$\mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) \le \max\left\{15 q_f \frac{\delta^2 T'}{\min\{T_{\mathrm{SD}}, T_{\mathrm{Coll}}\}} + \left(\frac{2}{3}\right)^{\delta}(1 + q_f),\ \left(\frac{2}{3}\right)^{\delta}\left(1 + q_f\left(1 + 2\delta \cdot 3^{1-\delta}\right)\right)\right\}.$$

Then

$$\mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{Stern}}(A) \le \mathrm{Adv}^{\mathrm{EUF\text{-}NMA}}_{\mathrm{Stern}}(B) + q_s\left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta} \le$$
$$\le \max\left\{15 q_f \frac{\delta^2 T'}{\min\{T_{\mathrm{SD}}, T_{\mathrm{Coll}}\}} + \left(\frac{2}{3}\right)^{\delta}(1 + q_f) + q_s\left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta},\ \left(\frac{2}{3}\right)^{\delta}\left(1 + q_f\left(1 + 2\delta \cdot 3^{1-\delta}\right)\right) + q_s\left(\frac{14\,c\,\delta\,q_f}{T_{\mathrm{Coll}}}\right)^{\delta}\right\}.$$

Corollary 1 is proven. ■

5. Parameters

In this Section, we mention different constraints on the signature parameters and introduce a parameter set.

5.1. Choosing general parameters

J. Stern showed [19] that his identification scheme can be forged with probability equal to 2/3. Similar reasoning allows us to assert that an adversary can build a forgery of the signature without knowing the secret key with probability (2/3)^δ. Thus, the parameter δ should be chosen to satisfy the condition

$$\left(\frac{2}{3}\right)^{\delta} < 2^{-\lambda},$$

where λ is the security parameter.

As was mentioned above, the complexity of the best collision-finding algorithm is 2^{ℓ/2}, where ℓ is the length of the hash value. Since we want to maximize this complexity, it is worth using hash functions with the maximal ℓ. These can be, for example, such well-known functions as the American standard SHA3-512 or the Russian standard Streebog-512, for which ℓ = 512 bits. For them T_Coll ≈ 2^{256} bit operations. Further, by default we suppose that the hash function Streebog-512 is used.

In order to maximize the value of min{T_SD, T_Coll}, it is necessary to choose the length of the code so that T_SD ≥ T_Coll. From the fact that T_SD ≈ 2^{0.0885n} [29], a lower estimate for the length of the code n can be found. We choose the code dimension k = n/2 and require the code to lie on the Varshamov–Gilbert bound (H(·) here denotes the binary entropy function):

$$\frac{k}{n} = 1 - H\left(\frac{w}{n}\right),$$

whence it follows that w ≈ 0.11n.

5.2. Public data and signature sizes

The public key is a vector y of n − k bits in size. The public parameter H is an (n − k) × n matrix that can be stored as k(n − k) bits in systematic form.

The size of c is 3δℓ bits. The maximal size of r_i is n + n log2 n bits and, accordingly, the size of r can be upper bounded by δ(n + n log2 n) bits. So the total size of the signature can be estimated from above as δ(3ℓ + n + n log2 n) bits.

5.3. Example parameter set

The parameters q_f, q_s, T and T^{Sign}_{Stern} in practice depend on the desired level of security and the realization of the hash functions. We assume that the maximal complexity T of the adversary does not exceed 2^{70} bit operations. The structure of the function f we specify as follows:

f(x)

2^{256}

where h' is the Streebog-256 hash function and the output is considered as a ternary vector. So the complexity of h' dominates the complexity of f. Each of the q_f queries to the hashing oracle consists in evaluating the hash function of a message, which in practice can be several megabytes in size. In this case, according to [30], the complexity of Streebog is about 2^{25} CPU cycles, or more than 2^{30} bit operations. The signing oracle has to evaluate at least the hash function f, thus q_s ≤ q_f. As a result, an adversary with complexity T is able to make no more than 2^{40} queries to each oracle.

The value T^{Sign}_{Stern} consists of the complexity of the function f and the complexity of δ computations of the signature components. The computation of one component (c_i, r_i) includes three evaluations of the hash function h, which can be estimated as 2^{23.5} bit operations using the Streebog realization from [30], and other calculations, whose complexity in total equals 2^{22} bit operations. Finally, the computation of δ components requires 2^{31} bit operations, and T^{Sign}_{Stern} is about 2^{31.5} bit operations.

The table presents an example parameter set for the signature with 70-bit security.

λ    n     k     w    δ    ℓ    H, MB   y, KB   signature, MB
70   2896  1448  318  137  512  0.25    0.18    0.62

The adversary's advantage in this case equals approximately 1.5 · 10^{−4}.
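The parameter choices of Sections 5.1–5.3 can be checked mechanically. The Python program below is an added example written for this page and is not code from the paper: it computes the minimal δ from (2/3)^δ < 2^{−λ}, the minimal n from T_SD ≈ 2^{0.0885n} ≥ T_Coll ≈ 2^{256}, the weight w on the Varshamov–Gilbert bound for k = n/2, the sizes of Section 5.2 in the table's units, and the T^{Sign}_{Stern} estimate of Section 5.3. The function names, the binary units (MiB/KiB) used to reproduce the table, and the 2^{30} figure taken for the cost of f are assumptions; the constants 0.0885, 256, 2^{23.5} and 2^{22} come from the text.

```python
import math

# Constants from Section 5 of the paper; everything else in this file is an added worked example.
SD_EXPONENT = 0.0885   # T_SD ~ 2^(0.0885 n) [29]
LOG2_T_COLL = 256      # T_Coll ~ 2^256 for a 512-bit hash
HASH_BITS = 512        # ell for Streebog-512 / SHA3-512

def min_rounds(lam):
    """Smallest delta with (2/3)^delta < 2^-lam, i.e. delta > lam / log2(3/2)."""
    return math.floor(lam / math.log2(1.5)) + 1

def forgery_log2(delta):
    """log2 of (2/3)^delta, the success probability of a forger without the secret key."""
    return delta * math.log2(2 / 3)

def min_code_length(log2_t_coll=LOG2_T_COLL, exponent=SD_EXPONENT):
    """Smallest n with T_SD = 2^(exponent * n) >= T_Coll = 2^log2_t_coll."""
    return math.ceil(log2_t_coll / exponent)

def binary_entropy(p):
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def gv_weight(n, k):
    """Largest w <= n/2 with H(w/n) <= 1 - k/n, i.e. the code sits on the Varshamov-Gilbert bound."""
    target = 1 - k / n
    w = 0
    while w + 1 <= n // 2 and binary_entropy((w + 1) / n) <= target:
        w += 1
    return w

def sizes_bits(n, k, delta, ell=HASH_BITS):
    """Section 5.2: public key y, matrix H in systematic form, and the signature upper bound (bits)."""
    return {
        "y": n - k,
        "H": k * (n - k),
        "signature": delta * (3 * ell + n + n * math.log2(n)),
    }

def sizes_table(n, k, delta, ell=HASH_BITS):
    """The same quantities in the table's units (assumed binary): H in MiB, y in KiB, signature in MiB."""
    s = sizes_bits(n, k, delta, ell)
    return (round(s["H"] / 8 / 2**20, 2),
            round(s["y"] / 8 / 2**10, 2),
            round(s["signature"] / 8 / 2**20, 2))

def signing_cost_log2(delta, log2_f=30.0, log2_three_h=23.5, log2_other=22.0):
    """Section 5.3 estimate of T^Sign_Stern: one f evaluation (assumed 2^30) plus delta components,
    each costing three h evaluations (2^23.5) and other work (2^22)."""
    return math.log2(2**log2_f + delta * (2**log2_three_h + 2**log2_other))

def parameter_report(lam=70, n=2896, k=1448, delta=137):
    """Collects the checks for the table's parameter set."""
    return {
        "min_delta": min_rounds(lam),
        "delta_ok": forgery_log2(delta) < -lam,
        "min_n": min_code_length(),
        "n_ok": n >= min_code_length(),
        "w": gv_weight(n, k),
        "sizes": sizes_table(n, k, delta),
        "log2_T_sign": round(signing_cost_log2(delta), 2),
    }

if __name__ == "__main__":
    for key, value in parameter_report().items():
        print(f"{key:12} {value}")
```

For the table's set the report gives the minimal δ = 120 (so δ = 137 satisfies the forgery constraint with margin), the minimal n = 2893 (n = 2896 satisfies T_SD ≥ T_Coll), w = 318, sizes (0.25, 0.18, 0.62), and log2 T^{Sign}_{Stern} ≈ 31.6, matching Sections 5.1–5.3; the size bound for the signature uses the real-valued log2 n, as the 0.62 MB figure in the table requires.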

Although the introduced parameter set guarantees 70 bits of security, we presume that our estimate is rather rough and in fact one can count on larger security level.

6. Conclusion

The paper presents the security bounds for a digital signature based on the Stern identification protocol. We connect the security of the scheme with the hardness of the syndrome decoding and hash function collision finding problems. Based on these security notions, we introduce a parameter set providing 70-bit security of the signature. As a direction for further research, we consider the refinement of the obtained estimate and the extension of the security proof to a model with quantum access to the random oracle.

7. Acknowledgments

The authors thank Lev Vysotsky, Liliya Akhmetzyanova, Alexandra Babueva and Kirill Tsaregorodtsev for helpful discussions.

REFERENCES

1. Shor P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Computing, 1997, vol. 26, no. 5, pp. 1484-1509.

2. NIST PQC Call for Proposals, 2016, https://csrc.nist.gov/Projects/post-quantum-cryptography/Post-Quantum-Cryptography-Standardization/Call-for-Proposals.

3. Lee W., Kim Y.-S., Lee Y.-W., and No J.-S. Post quantum signature scheme based on modified Reed–Muller code pqsigRM. First round submission to the NIST post-quantum cryptography call, 2017, https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/pqsigRM.zip.

4. Fukushima K., Roy P. S., Xu R., et al. Supporting documentation of RaCoSS (Random Code-based Signature Scheme). First round submission to the NIST post-quantum cryptography call, 2017, https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/RaCoSS.zip.

5. Aragon N., Gaborit P., Hauteville A., et al. RankSign: a signature proposal for the NIST's call. First round submission to the NIST post-quantum cryptography call, 2017, https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/RankSign.zip.

6. Debris-Alazard T. and Tillich J.-P. Two attacks on rank metric code-based schemes: RankSign and an IBE scheme. LNCS, 2018, vol. 11272, pp. 62-92.

7. Lee Y., Lee W., Kim Y. S., and No J.-S. Modified pqsigRM: RM code-based signature scheme. IEEE Access, 2020, vol. 8, pp. 177506-177518.

8. Roy P. S., Morozov K., Fukushima K., et al. Code-based signature scheme without trapdoors. IEICE Tech. Rep., 2018, vol. 118, no. 151, pp. 17-22.

9. Xagawa K. Practical attack on RaCoSS-R. Cryptology ePrint Archive, 2018, Report 2018/831, http://eprint.iacr.org/.

10. Kabatianskii G., Krouk E., and Smeets B. A digital signature scheme based on random error-correcting codes. LNCS, 1997, vol. 1355, pp. 161-167.

11. Cayrel P.-L., Otmani A., and Vergnaud D. On Kabatianskii–Krouk–Smeets signatures. LNCS, 2007, vol. 4547, pp. 237-252.

12. Stern J. Can one design a signature scheme based on error-correcting codes? LNCS, 1995, vol. 917, pp. 424-426.

13. Courtois N., Finiasz M., and Sendrier N. How to achieve a McEliece-based digital signature scheme. LNCS, 2001, vol. 2248, pp. 157-174.

14. McEliece R. J. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 1978, vol. 42-44, pp. 114-116.

15. Niederreiter H. Knapsack-type cryptosystems and algebraic coding theory. Problems Control Inform. Theory, 1986, vol. 15, no. 2, pp. 159-166.

16. Dallot L. Towards a concrete security proof of Courtois, Finiasz and Sendrier signature scheme. LNCS, 2008, vol. 4945, pp. 65-77.

17. Debris-Alazard T., Sendrier N., and Tillich J.-P. Wave: a new family of trapdoor one-way preimage sampleable functions based on codes. LNCS, 2019, vol. 11921, pp. 21-51.

18. Fiat A. and Shamir A. How to prove yourself: practical solutions to identification and signature problems. LNCS, 1987, vol. 263, pp. 186-194.

19. Stern J. A new identification scheme based on syndrome decoding. LNCS, 1994, vol. 773, pp. 13-21.

20. Jain A., Krenn S., Pietrzak K., and Tentes A. Commitments and efficient zero-knowledge proofs from learning parity with noise. LNCS, 2012, vol. 7658, pp. 663-680.

21. Cayrel P.-L., Véron P., and El Y. A. S. M. A zero-knowledge identification scheme based on the q-ary SD problem. LNCS, 2010, vol. 6544, pp. 171-186.

22. Lyubashevsky V. Lattice signatures without trapdoors. LNCS, 2012, vol. 7237, pp. 738-755.

23. Aragon N., Blazy O., Gaborit P., et al. Durandal: a rank metric based signature scheme. LNCS, 2019, vol. 11478, pp. 728-758.

24. Overbeck R. and Sendrier N. Code-based cryptography. Post-Quantum Cryptography, 2009, pp. 95-145.

25. Roy P. S., Morozov K., Fukushima K., and Kiyomoto S. Evaluation of code-based signature schemes. Cryptology ePrint Archive, 2019, Report 2019/544, https://eprint.iacr.org/.

26. El Y. A. S. M., Cayrel P.-L., El B. R., and Hoffmann G. Code-based identification and signature schemes in software. LNCS, 2013, vol. 8128, pp. 122-136.

27. Pointcheval D. and Stern J. Security proofs for signature schemes. LNCS, 1996, vol. 1070, pp. 387-398.

28. Berlekamp E., McEliece R., and van Tilborg H. On the inherent intractability of certain coding problems (Corresp.). IEEE Trans. Inform. Theory, 1978, vol. 24, no. 3, pp. 384-386.

29. Both L. and May A. Decoding linear codes with high error rate and its impact for LPN security. LNCS, 2018, vol. 10786, pp. 25-46.

30. Lebedev P. A. Comparison of old and new cryptographic hash function national standards of Russian Federation on CPUs and NVIDIA GPUs. Mat. Vopr. Kriptogr., 2013, vol. 4, no. 2, pp. 73-80.
