On the security of the Courtois-Finiasz-Sendrier signature

: We prove that a variant of the Courtois-Finiasz-Sendrier signature is strongly existentially unforge-able under chosen message attack in the random oracle model, assuming hardness of the Permuted Goppa Syndrome Decoding Problem (also known as the Niederreiter problem). In addition, we explicitly show that security against key substitution attacks can be arranged by a standard technique of Menezes and Smart, hashing the public key


Introduction
Post-quantum cryptography is concerned with classical cryptographic solutions that o er security in the presence of large-scale quantum computers.The importance of this line of research beyond the academic setting, is evidenced by NIST's interest in working toward a standardization in this area [1].Digital signatures [2] are one area of particular interest, and several proposals building on coding theory have been made-for a survey

Revised security analysis
In this paper, we adjust the security argument for the CFS scheme by observing that the distinguisher does not solve the underlying decoding problem, yet this problem is exactly the one that needs to be solved to obtain an existential forgery.Since the assumption of GD to be hard is no longer true, we use a stronger assumptionthe assumed hardness of the Permuted Goppa Syndrome Decoding (PGSD) Problem (see Section 2 for the de nition).It is sometimes referred to as the Niederreiter Problem.In fact, we prove that the CFS scheme is strongly existentially unforgeable under chosen message attacks (SEUF-CMA).We justify strengthening the assumption by observing that the problem, which the adversary is facing in creating an existential forgery, is indeed a decoding problem, while indistinguishability of the public key is not a concern in the context of (standard) digital signatures.This problem is related to one-wayness of the code-based Niederreiter publickey encryption [9], and it is a long-standing open problem [10].
We note that Dallot's original proof claiming EUF-CMA security can be xed by directly plugging the new assumption into it.In comparison, we show that the CFS signature is strongly EUF-CMA secure.Moreover, our proof allows us to make a precise security statement.Finally, using a technique by Coron [11], we obtain a tighter reduction in the proof compared to that of Dallot.However, our reduction is not as tight as Coron's result for an RSA-based signature: The RSA function can be viewed as a random permutation such that each element in the range has a pre-image in the domain.In comparison, when it comes to the syndrome decoding problem, we cannot guarantee that each element in the range is a valid syndrome (i.e., that it corresponds to an error vector of Hamming weight at most t).This distinction makes the re-randomization trick in Coron's proof inapplicable in our setting.

Security against key substitution attacks
Key substitution attacks target the signature, for which the adversary seeks to compute a new public key for which the signature would verify.Dou et al. [12] presented key substitution attacks against the CFS signature and mentioned the following countermeasure [13] to counter this attack: Pad the message with the public key before hashing.However, this approach does not work in general as pointed out in [14], and the formal proof is not provided in [12].We give a proof that for the CFS signature this simple countermeasure indeed works.

. Related work
Mathew et al. [15] proposed to mask the public key in the CFS scheme, and provided a heuristic argument that it defeats Faugère et al.'s distinguisher [8], hereby proposing an alternative solution to the one presented in this work.They assume hardness of PGSD and a stronger version of Goppa distinguishability (based on a special coding problem).The disadvantages, compared to our proposal, are the absence of strong EUF-CMA security, an additional (not well-studied) coding assumption, and an additional computational cost incurred by the masking.

Preliminaries
Throughout, we denote by wt(x) the Hamming weight of a vector x.To start out we recall some basic terminology.

. Security of digital signatures
A digital signature scheme Σ = (Gen, Sign, Verify) is comprised of three algorithms.
Gen: Takes a security parameter λ and outputs a pair of keys (sk, pk) which are the signing key and the veri cation key, respectively.The veri cation key is public.Sign: On input a message m and the signing key sk, outputs a signature σ on the message m.Verify: Takes as input the veri cation key, a message m and a signature σ, and outputs a bit denoting accept or reject, respectively.
The standard security notion for a signature scheme is Existential Unforgeability against Chosen Message Attack (EUF-CMA): The forger gets a public key pk from a challenger who generates a key pair (sk, pk).
The forger can query a signing oracle on polynomially many messages m i hereby obtaining signatures σ i .
The forger can also issue a hash query on a message m and obtains its hash value.We say that the forger wins the EUF-CMA game, if she successfully outputs a pair (m * , σ * ), where σ * is a valid signature of a message m * under the signing key sk with the restriction that the forger has never requested a signature for the message m * .For some applications, an upgraded version of the above property, called Strong Existential Unforgeability against Chosen Message Attack (SEUF-CMA) is required.The original EUF-CMA de nition requires that the adversary cannot forge a signature of a message, which has not been signed by the signer.The SEUF-CMA de nition requires that the adversary cannot even produce a di erent signature on a message which has already been signed.The SEUF-CMA game is almost identical to the EUF-CMA game except that when the forger outputs a valid message-signature pair (m * , σ * ), she succeeds, if σ * has never been returned by the challenger as the signature of m * .
We say that a signature scheme is (t, , q hash , q sig )-SEUF-CMA if the probability of a forger running in time t, who is allowed to query the hash oracle and the signature oracle at most q hash and q sig times, respectively, to win the above game is at most .The probability distribution is induced by the randomness of both the signature scheme and the internal random coins of the forger.

. Security assumptions
Next, we introduce a problem, which is closely related to the syndrome decoding problem.The di erence is that the underlying code is a permuted version of the Goppa code chosen exactly as the public key of the Niederreiter PKE [9].

Permuted Goppa Syndrome Decoding Problem (PGSDP):
Instance: An (n − k)× n parity check matrix H for a binary Goppa code G capable of correcting up to t errors, a random (n − k) × (n − k) binary non-singular matrix S and a random n × n permutation matrix P. Let H pub = SHP and s = (s , . . ., s n−k ).Problem: Find a binary vector x = (x , . . ., x n ) of Hamming weight at most t, such that H pub ⋅ x T = s (we will call the vector s a syndrome).
We say that PGSDP is (t, )-hard, if the probability of nding a solution to a randomly given syndrome is at most within time t.

. Modi ed CFS
Let us consider a variant of the CFS signature scheme [5], introduced by Dallot [7], where a randomly chosen value will be concatenated with the message rather than an accumulative counter used in the original CFS signature scheme.We refer to this random variable as a salt in the proof of the next section.A di erence from Dallot's scheme is that now the public key is also added to the hash (being concatenated with the message and the counter).The latter variant, which we refer to as mCFS, is proven to be secure against key substitution attacks as described in Section 4.
3. If no x was found, then go to Step .4. Output (r i , xP).
The signature is valid if s and s ′ are equal.

Security against Strong Existential Forgeries
In this section, we prove the SEUF-CMA security of the mCFS signature scheme presented above, based on the assumption that PGSDP is hard.One crucial property that is worth mentioning towards our result is that the errors, which are output by Sign mCFS algorithm in the random oracle model, follow the uniform distribution over words of Hamming weight at most t.Note that in this proof, for the sake of simplicity, we have ignored, without loss of generality, the public key inside the hash function.
Theorem 3.1.Suppose that h is a random oracle, PGSDP is (t ′ , ′ )-secure, and let T s (n, k) denote the time to compute a syndrome for an (n, k) Goppa code.Then, the mCFS scheme is (t, , q hash , q sig )-secure , where: Proof.Let F be a forger which (t, , q hash , q sig )-breaks the SEUF-CMA security of the mCFS signature scheme.We construct a decoder D that (t ′ , ′ )-solves the PGSDP.The decoder is given input (H, s * ) and tries to nd a vector e ∈ F n such that He T = s * and wt(e) ≤ t.The decoder will challenge the forger F and simulate the oracles for it.If the forger succeeds with a valid forgery of the mCFS signature then with non-negligible probability the decoder can use the forgery made by the forger to resolve its given instance of the syndrome decoding problem.Without loss of generality, we assume that the forger never repeats a hash query.However, the forger may repeat a signature query in order to get di erent signatures of the same message.The decoder maintains a counter i, initially set to zero.
When a message M appears for the rst time in the hash query or the signature query, the decoder increments the counter i and sets M i ← M. Then the decoder D generates a list R i of q sig random values (with repetition) in { , } n−k as the pre-de ned salts that, when concatenated with M i , hash to decodable syndromes.We use the expression decodable salts to denote all salts that correspond to decodable syndromes.Denote by N total the number of all available salts, and by N dec the number of decodable salts.Clearly N total = n−k .By the analysis from CFS [5], N dec ≈ N total t!.Since we model the hash function as a random In the NIST speci cations, it is mentioned that the number q sig of signing queries can be as large as for a security level of bits.In this case, the factor q sig × q hash is non-negligible, which shows that one much take extra care about these parameters, when dealing with practical implementations.oracle, the probability that a salt is decodable is the same for all salts.Thus we can generate the list R i of length q sig by sampling from all n−k salts with each of them being chosen with probability q sig (t! ⋅ N dec ).The decoder also randomly chooses an integer c from [ , . . ., q hash ] so that it answers the c-th hash query with s * .
When the forger F makes a hash query for M i r i , if it is the c-th hash query, the decoder D returns h(M c r c ) = s * .Otherwise, the decoder distinguishes the following two cases: Case 1: r ∈ R i .The decoder D generates a random syndrome s from F n−k and returns the value h(M i r) = s.Case 2: r ∈ R i .The decoder D generates a random vector x from F n such that wt(x) ≤ t, and returns h(M i r) = Hx T .
The decoder has to consider the problem that the c-th hash query made by the forger comes in the form M c r c , where r c ∈ R c , which means that h(M c r c ) has to be de ned as a seemingly decodeable syndrome.If this event occurs, the decoder aborts and admits failure.For convenience, we denote this event by E abort .Also note that Pr[E abort ≤ q sig n−k .When the forger makes a signature query for M i , the decoder picks a random r from the list R i and discards it from the list.Since there are at most q sig signature queries and the list R i initially contains q sig elements, this is always possible.Then the decoder D distinguishes the following two cases: Case 1: If there has already been a hash query for M i r, we have h(M i r) = s = Hx T for some randomly chosen x.The decoder returns x as the signature together with s and r.The forger can simply check the validity of the signature by deciding whether the equality Hx T = s holds or not.Case 2: If M i r has not been queried before, the decoder generates a random vector x from F n such that wt(x) ≤ t, and returns x as the signature along with h(M i r) = Hx T = s and r.The forger can simply verify the validity of the signature by checking whether the equality Hx T = s holds or not.Now, we argue that the view of the forger is indistinguishable in the two cases, whether she is facing a real signature challenger or the decoder.First, for the hash oracle, we ignore the event E abort since from the above discussion the probability that this event happens is negligible.In the real signature case, the distribution of the hash oracle is uniform over the range of the random oracle h(⋅).Now, in the decoder situation, there are two cases for a hash oracle h(m r): (1) If the random salt r ∈ R i , the output has the same distribution as a true random oracle.
(2) If the random salt r ∈ R i , the output of the hash oracle is h(m r) = Hx T , which looks like a decodable syndrome.
The probability that the second case occurs is negligible, which can be bounded by − N total −q sig q hash N total q hash .
To verify this claim, consider a game as follows: there are in total N total balls and N dec of them are red, the hash queries randomly choose q hash balls without replacement, while the signature queries randomly choose q sig red balls with replacement.The probability that the q sig red balls chosen by the signature queries do not contain any balls chosen by a hash query is lower bounded by the probability that the hash queries only choose the balls, which are not chosen by a signature query (assuming that the signature queries choose q sig di erent red balls), which is N total −q sig q hash N total q hash .With N total = n−k ≫ max(q sig , q hash ), the probability that case (2) occurs is negligible since Hence, it is evident that the case ( ) occurs with negligible probability and the view of the forger is almost identical between the cases, when she is facing a signature challenger or a decoder of case ( ).Combining the arguments above, we claim that the view of the forger is indistinguishable between the cases, when she is facing a signature challenger or a decoder.
When the forger outputs a forgery (M, r, x), we assume that it has already made a hash query for (M r) but none of the signature queries for M has used the salt r, so M = M i and r = r i for some i.Otherwise, the decoder goes ahead and simulates a hash query for (M r).We justify the assumption that the forger has made a hash query for her forgery (M r) as follows.If the forger has not made such a hash query before, the decoder simulates the query for (M r) and we denote the result as s = h(M r).First, we show that none of the signature queries for M has used the salt r.If it is an EUF-CMA forgery, which means that no signature of the message M has been queried before, then certainly (M r) has not been used in any of the signature queries.If it is an SEUF-CMA forgery, the forger may have queried the signature oracle for the message M.However, none of the signature oracle queries for M uses r as salt.Otherwise, (M, r, x) does not make a valid forgery, since it must be some signature, which has already been queried by the forger.Next, we show that M must be equal to some M i for i ∈ [ , . . ., q hash ] with overwhelming probability.If not, then the probability that h(M r) = s is at most k−n .Therefore, with probability at least − k−n , (M r) = (M i r i ) for some i.
Let S F denote the event that the forger F succeeds in the experiment with the constraint that it must have made a hash query on the forgery message and random salt (i.e., it has queried the hash of (M r) as we justi ed above).Note that if F succeeds it means that F outputs a valid forgery (M, r, x), which satis es M = M i and r = r i for some i.If i = c, then we get H x T = h(M c r c ) = s * , since the c-th hash query was answered by returning s * .So the decoder can solve the instance of the PGSDP by returning e = x as the answer.The forger F succeeds in this experiment if and only if the decoder does not abort at the c-th query, F has made a hash query for M r, and it outputs a valid forgery for message M with the salt r.Hence, Recall that ′ denotes the probability that the decoder successfully solves its decoding instance.Clearly, Now, let us consider the time, which it takes for the decoder to solve the PGSDP.In the experiment, the decoder generates at most q sig (q hash + q sig ) random elements as salts.When it answers a hash query, it searches a list of length q sig and when it answers a signature query, it computes a syndrome for an (n, k) Goppa code.So, we have t ′ = t + q sig (q hash + q sig )Θ(n − k) + q hash Θ(n − k) + q sig T s (n, k), which translates into where T s (n, k) denotes the time to compute a syndrome for an (n, k) Goppa code.

Security against Key Substitution Attacks
Given a signature scheme Σ = (Gen, Sign, Verify), a key substitution attack (with malicious signer) is a probabilistic polynomial time algorithm KSA which on input of valid parameters, outputs two di erent valid public keys pk and pk ′ and a message/signature pair (M, σ), where the veri cation algorithm accepts on input both (M, σ, pk) and (M, σ, pk ′ ).
A key substitution attack KSA is called weak if the KSA also needs to output private keys corresponding to public keys, otherwise the KSA is called strong.The proof of security against strong key substitution attacks for mCFS is shown in Theorem . .Proof.Suppose A KSA can successfully attack mCFS with non-negligible probability.Let B CRH be an adversary who wants to nd a collision of h.Now, as the signer is malicious, the signer can provide sk to A KSA after signing.Still, to succeed, A KSA has to nd some pk ′ such that h(M pk r i ) = h(M pk ′ r i ).It is required because A KSA has to pass the veri cation Hx T = H ′ x T .Now, after getting success, A KSA hands over (M pk r i , M pk ′ r i ) to B CRH .De nitely it is a collision for h.So, the probability of getting a collision of h is at least as large as the success probability of A KSA .But, h is assumed to be collision resistant.A KSA cannot get success with non-negligible probability, and the claim follows.

Conclusion
We showed that the code-based mCFS signature is both SEUF-CMA secure and KSA secure in the random oracle model under hardness of the Permuted Goppa Syndrome Decoding Problem.It remains an interesting challenge to construct (e cient) code-based signatures, which are provably secure under weaker assumptions and/or provably secure in the standard model.

Theorem 4 . 1 .
The modi ed CFS scheme mCFS is secure against strong key substitution attacks.Unauthenticated Download Date | 6/22/19 10:45 AM Gen mCFS ( λ ): Select n, k and t according to the security parameter λ.Pick a random parity check matrix H of an (n, k)-binary Goppa code C decoding t errors.This code remains secret.The public key is obtained by randomly permuting the coordinates of C and multiplying by a random non-singular matrix of dimension n − k.Speci cally, choose a random (n − k) × (n − k) non-singular matrix U, a random n × n permutation matrix P and a hash function h ∶ { , } * → F n−k .The public key pk is H = UH P and the private key sk is (U, H , P). Set t = n−k log n .Sign mCFS (M, H ):