Practical key-recovery attack on MQ-Sign and more

Thomas Aulbach; Simona Samardjiska; Monika Trimoska

doi:10.1007/978-3-031-62746-0_8

Practical key-recovery attack on MQ-Sign and more

Thomas Aulbach (Corresponding author)
, Simona Samardjiska
, Monika Trimoska

Coding Theory and Cryptology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

1 Citation (Scopus)

14 Downloads (Pure)

Abstract

In this paper we describe attacks on the UOV-based signature scheme called MQ-Sign. MQ-Sign was submitted by Shim, Kim, and An as a first-round candidate for standardization in the (South) Korean post-quantum cryptography competition (KpqC). The scheme makes use of sparseness of the secret central polynomials and equivalent key construction to reduce the size of the private key. The authors propose four variants exploiting different levels of sparsity, MQ-Sign-SS, MQ-Sign-RS, MQ-Sign-SR, and MQ-Sign-RR with the last one being the standard UOV signature scheme.
We show that apart from the MQ-Sign-RR variant, all the others are insecure. Namely, we present a polynomial-time key-recovery attack on the variants MQ-Sign-SS and MQ-Sign-RS and a forgery attack on the variant MQ-Sign-SR below the claimed security level. Our attack exploits exactly the techniques used for reduction of keys - the sparsity of the central polynomials in combination with the specific structure of the secret linear map S.
We provide a verification script for the polynomial-time key-recovery attack, that recovers the secret key in less than seven seconds for security level V. Furthermore, we provide an implementation of the non-guessing part of the forgery attack, confirming our complexity estimates.

Original language	English
Title of host publication	Post-Quantum Cryptography
Subtitle of host publication	15th International Workshop, PQCrypto 2024, Oxford, UK, June 12–14, 2024, Proceedings, Part II
Editors	Markku-Juhani Saarinen, Daniel Smith-Tone
Place of Publication	Cham
Publisher	Springer
Pages	168-185
Number of pages	18
ISBN (Electronic)	978-3-031-62746-0
ISBN (Print)	978-3-031-62745-3
DOIs	https://doi.org/10.1007/978-3-031-62746-0_8
Publication status	Published - 11 Jun 2024
Event	15th International Workshop Post-Quantum Cryptography, PQCrypto 2024 - Oxford, United Kingdom Duration: 12 Jun 2024 → 14 Jun 2024

Publication series

Name	Lecture Notes in Computer Science (LNCS)
Volume	14772
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	15th International Workshop Post-Quantum Cryptography, PQCrypto 2024
Abbreviated title	PQCrypto 2024
Country/Territory	United Kingdom
City	Oxford
Period	12/06/24 → 14/06/24

Access to Document

10.1007/978-3-031-62746-0_8

pdfFinal published version, 313 KBLicence: TAVERNE

https://eprint.iacr.org/2023/432Licence: CC BY

Cite this

Aulbach, T., Samardjiska, S., & Trimoska, M. (2024). Practical key-recovery attack on MQ-Sign and more. In M.-J. Saarinen, & D. Smith-Tone (Eds.), Post-Quantum Cryptography: 15th International Workshop, PQCrypto 2024, Oxford, UK, June 12–14, 2024, Proceedings, Part II (pp. 168-185). (Lecture Notes in Computer Science (LNCS); Vol. 14772). Springer. https://doi.org/10.1007/978-3-031-62746-0_8

@inproceedings{642f1a057b794910883446e7d666665c,

title = "Practical key-recovery attack on MQ-Sign and more",

abstract = "In this paper we describe attacks on the UOV-based signature scheme called MQ-Sign. MQ-Sign was submitted by Shim, Kim, and An as a first-round candidate for standardization in the (South) Korean post-quantum cryptography competition (KpqC). The scheme makes use of sparseness of the secret central polynomials and equivalent key construction to reduce the size of the private key. The authors propose four variants exploiting different levels of sparsity, MQ-Sign-SS, MQ-Sign-RS, MQ-Sign-SR, and MQ-Sign-RR with the last one being the standard UOV signature scheme. We show that apart from the MQ-Sign-RR variant, all the others are insecure. Namely, we present a polynomial-time key-recovery attack on the variants MQ-Sign-SS and MQ-Sign-RS and a forgery attack on the variant MQ-Sign-SR below the claimed security level. Our attack exploits exactly the techniques used for reduction of keys - the sparsity of the central polynomials in combination with the specific structure of the secret linear map S. We provide a verification script for the polynomial-time key-recovery attack, that recovers the secret key in less than seven seconds for security level V. Furthermore, we provide an implementation of the non-guessing part of the forgery attack, confirming our complexity estimates.",

author = "Thomas Aulbach and Simona Samardjiska and Monika Trimoska",

year = "2024",

month = jun,

day = "11",

doi = "10.1007/978-3-031-62746-0\_8",

language = "English",

isbn = "978-3-031-62745-3",

series = "Lecture Notes in Computer Science (LNCS)",

publisher = "Springer",

pages = "168--185",

editor = "Markku-Juhani Saarinen and Daniel Smith-Tone",

booktitle = "Post-Quantum Cryptography",

address = "Germany",

note = "15th International Workshop Post-Quantum Cryptography, PQCrypto 2024, PQCrypto 2024 ; Conference date: 12-06-2024 Through 14-06-2024",

}

Aulbach, T, Samardjiska, S & Trimoska, M 2024, Practical key-recovery attack on MQ-Sign and more. in M-J Saarinen & D Smith-Tone (eds), Post-Quantum Cryptography: 15th International Workshop, PQCrypto 2024, Oxford, UK, June 12–14, 2024, Proceedings, Part II. Lecture Notes in Computer Science (LNCS), vol. 14772, Springer, Cham, pp. 168-185, 15th International Workshop Post-Quantum Cryptography, PQCrypto 2024, Oxford, United Kingdom, 12/06/24. https://doi.org/10.1007/978-3-031-62746-0_8

Practical key-recovery attack on MQ-Sign and more. / Aulbach, Thomas (Corresponding author); Samardjiska, Simona; Trimoska, Monika.
Post-Quantum Cryptography: 15th International Workshop, PQCrypto 2024, Oxford, UK, June 12–14, 2024, Proceedings, Part II. ed. / Markku-Juhani Saarinen; Daniel Smith-Tone. Cham: Springer, 2024. p. 168-185 (Lecture Notes in Computer Science (LNCS); Vol. 14772).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Practical key-recovery attack on MQ-Sign and more

AU - Aulbach, Thomas

AU - Samardjiska, Simona

AU - Trimoska, Monika

PY - 2024/6/11

Y1 - 2024/6/11

N2 - In this paper we describe attacks on the UOV-based signature scheme called MQ-Sign. MQ-Sign was submitted by Shim, Kim, and An as a first-round candidate for standardization in the (South) Korean post-quantum cryptography competition (KpqC). The scheme makes use of sparseness of the secret central polynomials and equivalent key construction to reduce the size of the private key. The authors propose four variants exploiting different levels of sparsity, MQ-Sign-SS, MQ-Sign-RS, MQ-Sign-SR, and MQ-Sign-RR with the last one being the standard UOV signature scheme. We show that apart from the MQ-Sign-RR variant, all the others are insecure. Namely, we present a polynomial-time key-recovery attack on the variants MQ-Sign-SS and MQ-Sign-RS and a forgery attack on the variant MQ-Sign-SR below the claimed security level. Our attack exploits exactly the techniques used for reduction of keys - the sparsity of the central polynomials in combination with the specific structure of the secret linear map S. We provide a verification script for the polynomial-time key-recovery attack, that recovers the secret key in less than seven seconds for security level V. Furthermore, we provide an implementation of the non-guessing part of the forgery attack, confirming our complexity estimates.

AB - In this paper we describe attacks on the UOV-based signature scheme called MQ-Sign. MQ-Sign was submitted by Shim, Kim, and An as a first-round candidate for standardization in the (South) Korean post-quantum cryptography competition (KpqC). The scheme makes use of sparseness of the secret central polynomials and equivalent key construction to reduce the size of the private key. The authors propose four variants exploiting different levels of sparsity, MQ-Sign-SS, MQ-Sign-RS, MQ-Sign-SR, and MQ-Sign-RR with the last one being the standard UOV signature scheme. We show that apart from the MQ-Sign-RR variant, all the others are insecure. Namely, we present a polynomial-time key-recovery attack on the variants MQ-Sign-SS and MQ-Sign-RS and a forgery attack on the variant MQ-Sign-SR below the claimed security level. Our attack exploits exactly the techniques used for reduction of keys - the sparsity of the central polynomials in combination with the specific structure of the secret linear map S. We provide a verification script for the polynomial-time key-recovery attack, that recovers the secret key in less than seven seconds for security level V. Furthermore, we provide an implementation of the non-guessing part of the forgery attack, confirming our complexity estimates.

U2 - 10.1007/978-3-031-62746-0_8

DO - 10.1007/978-3-031-62746-0_8

M3 - Conference contribution

SN - 978-3-031-62745-3

T3 - Lecture Notes in Computer Science (LNCS)

SP - 168

EP - 185

BT - Post-Quantum Cryptography

A2 - Saarinen, Markku-Juhani

A2 - Smith-Tone, Daniel

PB - Springer

CY - Cham

T2 - 15th International Workshop Post-Quantum Cryptography, PQCrypto 2024

Y2 - 12 June 2024 through 14 June 2024

ER -

Practical key-recovery attack on MQ-Sign and more

Abstract

Publication series

Conference

Access to Document

Fingerprint

Cite this