<p>Lyubashevsky’s signature can be viewed as a lattice-based adaptation of the Schnorr signature, with the key difference being the use of aborts during the signature generation process. Since the proposal of Lyubashevsky’s signature, a number of other variants of Schnorr-type signatures with aborts have been proposed, both in lattice-based and code-based settings. In this paper, we examine the security of Schnorr-type signature schemes with aborts. We give a detailed analysis of when the expected value of the signature is correlated with the secret key, and when it is not. Our analysis shows that even when the abort condition is employed, it is crucial to set the parameters carefully in order to defend against statistical attacks. In particular, we propose a condition for avoiding statistical attacks. We prove that the signature does not reveal any information about the secret key if the condition is met. On the other hand, if this condition is not satisfied, then some information about the secret key is leaked, making the scheme susceptible to statistical attacks. For completeness, we also analyze the security of Schnorr-type signatures without aborts. In particular, we present a detailed key recovery attack using statistical methods on the EagleSign signature, which is one of the submissions to the NIST call for Additional PQC Signatures. Moreover, we derive a formula for determining the number of required signatures to successfully launch the statistical attack.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Concrete analysis of Schnorr-type signatures with aborts

  • Theo Fanuela Prabowo,
  • Chik How Tan

摘要

Lyubashevsky’s signature can be viewed as a lattice-based adaptation of the Schnorr signature, with the key difference being the use of aborts during the signature generation process. Since the proposal of Lyubashevsky’s signature, a number of other variants of Schnorr-type signatures with aborts have been proposed, both in lattice-based and code-based settings. In this paper, we examine the security of Schnorr-type signature schemes with aborts. We give a detailed analysis of when the expected value of the signature is correlated with the secret key, and when it is not. Our analysis shows that even when the abort condition is employed, it is crucial to set the parameters carefully in order to defend against statistical attacks. In particular, we propose a condition for avoiding statistical attacks. We prove that the signature does not reveal any information about the secret key if the condition is met. On the other hand, if this condition is not satisfied, then some information about the secret key is leaked, making the scheme susceptible to statistical attacks. For completeness, we also analyze the security of Schnorr-type signatures without aborts. In particular, we present a detailed key recovery attack using statistical methods on the EagleSign signature, which is one of the submissions to the NIST call for Additional PQC Signatures. Moreover, we derive a formula for determining the number of required signatures to successfully launch the statistical attack.