In this section, we prove the SEUF-CMA security of the mCFS signature scheme presented above, based on the assumption that PGSDP is hard. One crucial property that is worth mentioning towards our result is that the errors, which are output by **Sign**_{mCFS} algorithm in the random oracle model, follow the uniform distribution over words of Hamming weight at most *t*. Note that in this proof, for the sake of simplicity, we have ignored, without loss of generality, the public key inside the hash function.

#### Proof

Let 𝓕 be a forger which (*t*, *ϵ*, *q*_{hash}, *q*_{sig})-breaks the SEUF-CMA security of the mCFS signature scheme. We construct a decoder 𝓓 that (*t*′,*ϵ*′)-solves the PGSDP. The decoder is given input (*H*, *s*^{∗}) and tries to find a vector *e* ∈$\begin{array}{}{\mathbb{F}}_{2}^{n}\end{array}$ such that *He*^{T} = *s*^{∗} and wt(*e*) ≤ *t*. The decoder will challenge the forger 𝓕 and simulate the oracles for it. If the forger succeeds with a valid forgery of the mCFS signature then with non-negligible probability the decoder can use the forgery made by the forger to resolve its given instance of the syndrome decoding problem.

Without loss of generality, we assume that the forger never repeats a hash query. However, the forger may repeat a signature query in order to get different signatures of the same message. The decoder maintains a counter *i*, initially set to zero.

When a message *M* appears for the first time in the hash query or the signature query, the decoder increments the counter *i* and sets *M*_{i} ← *M*. Then the decoder 𝓓 generates a list *R*_{i} of *q*_{sig} random values (with repetition) in {0, 1}^{n−k} as the pre-defined salts that, when concatenated with *M*_{i}, hash to decodable syndromes. We use the expression *decodable salts* to denote all salts that correspond to decodable syndromes. Denote by *N*_{total} the number of all available salts, and by *N*_{dec} the number of decodable salts. Clearly *N*_{total} = 2^{n−k}. By the analysis from CFS [5], *N*_{dec} ≈ *N*_{total}/*t*!. Since we model the hash function as a random oracle, the probability that a salt is decodable is the same for all salts. Thus we can generate the list *R*_{i} of length *q*_{sig} by sampling from all 2^{n−k} salts with each of them being chosen with probability *q*_{sig}/(*t*!⋅ *N*_{dec}). The decoder also randomly chooses an integer *c* from [1, …, *q*_{hash}] so that it answers the *c*-th hash query with *s*^{∗}.

When the forger 𝓕 makes a hash query for *M*_{i}∥*r*_{i}, if it is the *c*-th hash query, the decoder 𝓓 returns *h*(*M*_{c}∥*r*_{c}) = *s*^{∗}. Otherwise, the decoder distinguishes the following two cases:

Case 1

*r* ∉ *R*_{i}. The decoder 𝓓 generates a random syndrome *s* from $\begin{array}{}{\mathbb{F}}_{2}^{n-k}\end{array}$ and returns the value *h*(*M*_{i}∥*r*) = *s*.

Case 2

*r* ∈ *R*_{i}. The decoder 𝓓 generates a random vector *x* from $\begin{array}{}{\mathbb{F}}_{2}^{n}\end{array}$ such that wt(*x*) ≤ *t*, and returns *h*(*M*_{i}∥*r*) = *Hx*^{T}.

The decoder has to consider the problem that the *c*-th hash query made by the forger comes in the form *M*_{c}∥*r*_{c}, where *r*_{c} ∈ *R*_{c}, which means that *h*(*M*_{c}∥*r*_{c}) has to be defined as a seemingly decodeable syndrome. If this event occurs, the decoder aborts and admits failure. For convenience, we denote this event by *E*_{abort}. Also note that Pr[*E*_{abort}] ≤ $\begin{array}{}\le \frac{{q}_{sig}}{{2}^{n-k}}.\end{array}$

When the forger makes a signature query for *M*_{i}, the decoder picks a random *r* from the list *R*_{i} and discards it from the list. Since there are at most *q*_{sig} signature queries and the list *R*_{i} initially contains *q*_{sig} elements, this is always possible. Then the decoder 𝓓 distinguishes the following two cases:

Case 1

If there has already been a hash query for *M*_{i}∥*r*, we have *h*(*M*_{i}∥*r*) = *s* = *Hx*^{T} for some randomly chosen *x*. The decoder returns *x* as the signature together with *s* and *r*. The forger can simply check the validity of the signature by deciding whether the equality *Hx*^{T} = *s* holds or not.

Case 2

If *M*_{i}∥*r* has not been queried before, the decoder generates a random vector *x* from $\begin{array}{}{\mathbb{F}}_{2}^{n}\end{array}$ such that wt(*x*) ≤ *t*, and returns *x* as the signature along with *h*(*M*_{i}∥*r*) = *Hx*^{T} = *s* and *r*. The forger can simply verify the validity of the signature by checking whether the equality *Hx*^{T} = *s* holds or not.

Now, we argue that the view of the forger is indistinguishable in the two cases, whether she is facing a real signature challenger or the decoder. First, for the hash oracle, we ignore the event *E*_{abort} since from the above discussion the probability that this event happens is negligible. In the real signature case, the distribution of the hash oracle is uniform over the range of the random oracle *h*(⋅). Now, in the decoder situation, there are two cases for a hash oracle *h*(*m*∥*r*):

If the random salt *r* ∉ *R*_{i}, the output has the same distribution as a true random oracle.

If the random salt *r* ∈ *R*_{i}, the output of the hash oracle is *h*(*m*∥*r*) = *Hx*^{T}, which looks like a decodable syndrome.

The probability that the second case occurs is negligible, which can be bounded by

$$\begin{array}{}{\displaystyle 1-\frac{\left(\genfrac{}{}{0em}{}{{N}_{total}-{q}_{sig}}{{q}_{hash}}\right)}{\left(\genfrac{}{}{0em}{}{{N}_{total}}{{q}_{hash}}\right)}.}\end{array}$$

To verify this claim, consider a game as follows: there are in total *N*_{total} balls and *N*_{dec} of them are red, the hash queries randomly choose *q*_{hash} balls without replacement, while the signature queries randomly choose *q*_{sig} red balls with replacement. The probability that the *q*_{sig} red balls chosen by the signature queries do not contain any balls chosen by a hash query is lower bounded by the probability that the hash queries only choose the balls, which are not chosen by a signature query (assuming that the signature queries choose *q*_{sig} different red balls), which is $\begin{array}{}\left(\genfrac{}{}{0em}{}{{N}_{total}-{q}_{sig}}{{q}_{hash}}\right)/\left(\genfrac{}{}{0em}{}{{N}_{total}}{{q}_{hash}}\right).\end{array}$ With *N*_{total} = 2^{n−k} ≫ max(*q*_{sig}, *q*_{hash}), the probability that case (2) occurs is negligible since

$$\begin{array}{}{\displaystyle 1-\left(\genfrac{}{}{0em}{}{{N}_{total}-{q}_{sig}}{{q}_{hash}}\right)/\left(\genfrac{}{}{0em}{}{{N}_{total}}{{q}_{hash}}\right)=1-\frac{\mathit{\Theta}(({2}^{n-k}-{q}_{sig}{)}^{{q}_{hash}})}{\mathit{\Theta}(({2}^{n-k}{)}^{{q}_{hash}})}=O({2}^{k-n}).}\end{array}$$

Hence, it is evident that the case (2) occurs with negligible probability and the view of the forger is almost identical between the cases, when she is facing a signature challenger or a decoder of case (1). Combining the arguments above, we claim that the view of the forger is indistinguishable between the cases, when she is facing a signature challenger or a decoder.

When the forger outputs a forgery (*M*, *r*, *x*), we assume that it has already made a hash query for (*M*∥*r*) but none of the signature queries for *M* has used the salt *r*, so *M* = *M*_{i} and *r* = *r*_{i} for some *i*. Otherwise, the decoder goes ahead and simulates a hash query for (*M*∥*r*). We justify the assumption that the forger has made a hash query for her forgery (*M*∥*r*) as follows. If the forger has not made such a hash query before, the decoder simulates the query for (*M*∥*r*) and we denote the result as *s* = *h*(*M*∥*r*). First, we show that none of the signature queries for *M* has used the salt *r*. If it is an EUF-CMA forgery, which means that no signature of the message *M* has been queried before, then certainly (*M*∥*r*) has not been used in any of the signature queries. If it is an SEUF-CMA forgery, the forger may have queried the signature oracle for the message *M*. However, none of the signature oracle queries for *M* uses *r* as salt. Otherwise, (*M*, *r*, *x*) does not make a valid forgery, since it must be some signature, which has already been queried by the forger. Next, we show that *M* must be equal to some *M*_{i} for *i* ∈ [1,…,*q*_{hash}] with overwhelming probability. If not, then the probability that *h*(*M*∥*r*) = *s* is at most 2^{k−n}. Therefore, with probability at least 1 − 2^{k−n}, (*M*∥*r*) = (*M*_{i}∥*r*_{i}) for some *i*.

Let *S*_{F} denote the event that the forger 𝓕 succeeds in the experiment with the constraint that it must have made a hash query on the forgery message and random salt (i.e., it has queried the hash of (*M*∥*r*) as we justified above). Note that if 𝓕 succeeds it means that 𝓕 outputs a valid forgery (*M*, *r*, *x*), which satisfies *M*=*M*_{i} and *r* = *r*_{i} for some *i*. If *i* = *c*, then we get *H*_{0}*x*_{T} = *h*(*M*_{c}∥*r*_{c}) = *s*^{∗}, since the *c*-th hash query was answered by returning *s*^{∗}. So the decoder can solve the instance of the PGSDP by returning *e* = *x* as the answer. The forger 𝓕 succeeds in this experiment if and only if the decoder does not abort at the *c*-th query, 𝓕 has made a hash query for *M*∥*r*, and it outputs a valid forgery for message *M* with the salt *r*. Hence,

$$\begin{array}{}{\displaystyle \mathrm{P}\mathrm{r}[{S}_{F}]\ge (1-\frac{{q}_{sig}}{{2}^{n-k}})(1-{2}^{k-n})\u03f5.}\end{array}$$

Recall that *ϵ*′ denotes the probability that the decoder successfully solves its decoding instance. Clearly,

$$\begin{array}{}{\displaystyle {\u03f5}^{\prime}=\mathrm{P}\mathrm{r}[{S}_{F}\wedge i=c]\ge \frac{1}{{q}_{hash}}\mathrm{P}\mathrm{r}[{S}_{F}]\ge \frac{1}{{q}_{hash}}\left(1-\frac{{q}_{sig}}{{2}^{n-k}}\right)(1-{2}^{k-n})\u03f5,}\end{array}$$

which translates into

$$\begin{array}{}{\displaystyle \u03f5\le \frac{{2}^{n-k}}{{2}^{n-k}-{q}_{sig}}\frac{1}{1-{2}^{k-n}}{q}_{hash}{\u03f5}^{\prime}.}\end{array}$$

Now, let us consider the time, which it takes for the decoder to solve the PGSDP. In the experiment, the decoder generates at most *q*_{sig}(*q*_{hash}+*q*_{sig}) random elements as salts. When it answers a hash query, it searches a list of length *q*_{sig} and when it answers a signature query, it computes a syndrome for an (*n*, *k*) Goppa code. So, we have

$$\begin{array}{}{\displaystyle {t}^{\prime}=t+{q}_{sig}({q}_{hash}+{q}_{sig})\mathit{\Theta}(n-k)+{q}_{hash}\mathit{\Theta}(n-k)+{q}_{sig}{T}_{s}(n,k),}\end{array}$$

which translates into

$$\begin{array}{}{\displaystyle t={t}^{\prime}-{q}_{sig}({q}_{hash}+{q}_{sig})\mathit{\Theta}(n-k)-{q}_{hash}\mathit{\Theta}(n-k)-{q}_{sig}{T}_{s}(n,k),}\end{array}$$

where *T*_{s}(*n*, *k*) denotes the time to compute a syndrome for an (*n*, *k*) Goppa code. □

## Comments (0)

General note:By using the comment function on degruyter.com you agree to our Privacy Statement. A respectful treatment of one another is important to us. Therefore we would like to draw your attention to our House Rules.