Cryptanalysis of the SHMW signature scheme

Abstract

In recent research, Durandal, a signature scheme based on rank metrics following Schnorr's approach, was introduced to conceal secret key information by selectively manipulating the vector subspace of signatures. Later, an enhancement, namely the SHMW signature scheme, with smaller keys and signatures while maintaining EUF-CMA security, was proposed. Both Durandal and SHMW require adversaries to solve hard problems (i.e., Rank Support Learning, Rank Syndrome Decoding, and Affine Rank Syndrome Decoding) for secret key retrieval, in which the parameters are designed to withstand at least 128-bit computational complexity. The authors claimed that the security of the SHMW scheme is deemed superior to that of the original Durandal scheme. In this paper, we introduce a novel approach to identifying weak keys within the Durandal framework to prove the superiority of the SHMW scheme. This approach exploits the extra information in the signature to compute an intersection space that contains the secret key. Consequently, a cryptanalysis of the SHMW signature scheme was carried out to demonstrate the insecurity of the selected keys within the SHWM scheme. In particular, we proposed an algorithm to recover an extended support that contains the secret key used in the signature schemes. Applying our approach to the SHMW scheme, we can recover its secret key with only 97-bit complexity, although it was claimed that the proposed parameters achieve a 128-bit security level. The results of our proposed approaches show that the security level of the SHMW signature scheme is inferior compared to that of the original Durandal scheme.