Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes

Abstract: We present here a new family of trapdoor one-way Preimage Sampleable Functions (PSF) based on codes, the Wave-PSF family. The trapdoor function is one-way under two computational assumptions: the hardness of generic decoding for high weights and the indistinguishability of generalized (U, U + V )-codes. Our proof follows the GPV strategy [GPV08]. By including rejection sampling, we ensure the proper distribution for the trapdoor inverse output. The domain sampling property of our family is ensured by using and… Show more

“…This approach is actually very general and can be used to improve the efficiency of other cryptographic operations which involve a matrix/vector multiplication. In particular, we show how our technique improves also the verification procedure of the recent signature scheme called Wave and proposed by Debris-Alazard, Sendrier and Tillich in [16].…”

“…These resulting signature schemes are often less efficient (in computational complexity or communication complexity) than other schemes based on similar assumptions, but which do not support the linear progress of verification (e.g. [32] in factoring-based cryptography, [16] in code-based cryptography, [42] in lattice-based cryptography and [44] in multivariate cryptography). The latter schemes often significantly outperform the former ones even with probabilistic verification.…”

“…If we consider for example RSA-2048 (i.e. with λ = 2048) with e = 2 16 + 1, choosing one prime of length µ = 32 would make the error probability as small as 2 −4 , and choosing τ primes makes it smaller than 2 −4τ (which decreases exponentially with τ ). However, the problem with this method is that the output signature needs to be (σ, k), where the bit-length of k is approximatively equal to (e − 1)λ, and for large values of e (typically for e ≈ N ), outputting k in the signature becomes exponential in λ and totally impractical.…”

Speeding-up verification of digital signatures

“…This approach is actually very general and can be used to improve the efficiency of other cryptographic operations which involve a matrix/vector multiplication. In particular, we show how our technique improves also the verification procedure of the recent signature scheme called Wave and proposed by Debris-Alazard, Sendrier and Tillich in [16].…”

“…These resulting signature schemes are often less efficient (in computational complexity or communication complexity) than other schemes based on similar assumptions, but which do not support the linear progress of verification (e.g. [32] in factoring-based cryptography, [16] in code-based cryptography, [42] in lattice-based cryptography and [44] in multivariate cryptography). The latter schemes often significantly outperform the former ones even with probabilistic verification.…”

“…If we consider for example RSA-2048 (i.e. with λ = 2048) with e = 2 16 + 1, choosing one prime of length µ = 32 would make the error probability as small as 2 −4 , and choosing τ primes makes it smaller than 2 −4τ (which decreases exponentially with τ ). However, the problem with this method is that the output signature needs to be (σ, k), where the bit-length of k is approximatively equal to (e − 1)λ, and for large values of e (typically for e ≈ N ), outputting k in the signature becomes exponential in λ and totally impractical.…”

Speeding-up verification of digital signatures

“…To improve the security of CFS, two modifications on original CFS were published: mCFS [7] and parallel CFS [8]. Besides, there are some works in which different codes instead of Goppa codes are used while their overall structure is almost similar to CFS, such as the proposals based on LDGM (low‐density generator matrix) codes [9], binary codes [10], Reed–Muller codes [11], rank quasi‐cyclic codes [12], and generalised [13] which are all broken. The first one [9] is broken by an attack presented in [14] due to the bad statistical distribution of signatures.…”

“…A key recovery attack to the forth construction [12] is available in [16] but, to the best of our knowledge, the detailed version is not published yet. The last scheme [13] suffers from information leakage even from the honestly generated signature. This leakage is used to mount an attack on this scheme in [17, 18].…”

PolarSig: An efficient digital signature based on polar codes

Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes