Revised Digital Signature Scheme - DEFIv2


Martin Feussner

Nov 6, 2024, 5:32:49 AM
to pqc-forum

Dear all,

Last May, we shared our new digital signature scheme DEFI on this forum, and not too long after, it was broken by Henry Bambury and Phong Nguyen.

Fortunately, we have come up with a revision of the scheme. The difference with the previous version is in how the vector Z is constructed when the signature is generated, see Section 3.7 of the paper. The construction in the earlier version implies that a lattice similar to L in Section 5.5 contains a very short vector. Since the lattice is of small rank, the vector may be recovered with the BKZ algorithm. That leads to recovering the secret matrix B. The new version is immune to such lattice attacks, as the secret vectors are significantly larger than the vectors in L produced with BKZ.

You can find the revised paper here: https://eprint.iacr.org/2024/679

The paper provides parameters for DEFIv2-1, which follows the NIST security category 1 requirements. It is very fast (with its reference implementation) and has small key and signature sizes:

  • Public Key - 515 bytes
  • Private Key - 426 bytes
  • Signature - 483 bytes
  • Key Generation - 0.902 ms
  • Signature Generation - 0.126 ms
  • Signature Verification - 0.054 ms

We again invite cryptanalysts to have a look at our scheme, and we also provide DEFIv2-c, which is a 90-bit challenge for those of you keen to break it. We appreciate any comments or discussions on potential vulnerabilities or improvements.

Best regards,
Martin Feussner and Igor Semaev

Kevin Pucci

May 4, 2026, 12:15:56 PM
to pqc-forum, Martin Feussner

Dear Martin Feussner and Igor Semaev,

I believe I found an attack against the DEFI-v2 signature scheme.
I provide the solutions to the challenges DEFI-v2-0a and DEFI-v2-0b as a proof of concept.

**************************************************

B=[[[1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]], [[3, -3, -1, -5, -7, -5, -2, -2, -7, 8, -3, 6, 7, -1, 2, 1], [4, 1, -5, 3, 8, 10, 1, -1, 1, -3, 6, -2, -8, -5, 0, 5], [-3, -10, -8, -7, -3, -6, 0, -2, 9, 2, 0, 6, 8, 11, -1, 13], [9, 17, 19, 22, 10, 5, 12, 7, -3, 6, 4, -2, -14, 2, -11, -6]], [[2, 6, -3, 2, -4, 7, 8, 4, -2, -6, -6, -4, 6, 6, -1, -1], [7, 19, 14, 4, -4, -6, 4, 3, -7, -16, -2, 8, 0, 1, 1, 0], [-2, -9, -6, -2, 7, 11, 2, 6, 14, 19, 10, 12, 16, 10, 8, 7], [7, 13, 18, 16, 7, 0, 12, 4, -13, -10, -11, -14, -14, -13, -21, -19]], [[-3, 5, 6, 7, -3, 6, 3, 2, 5, 3, -2, -3, 8, -8, 7, -7], [0, -5, 3, -4, -4, -1, -14, 2, 5, 10, 0, -10, 4, -1, 8, -6], [6, 6, 3, 5, -2, 5, 1, 3, -8, -3, 2, -9, 0, -7, 0, -3], [4, -2, -14, -15, -8, -3, -9, -3, 2, -8, 6, -8, 7, 7, 4, 13]]]
# B above: the recovered candidate secret matrix. Each entry is given as the 16
# coefficients (lowest degree first) of an element of S = Z[x]/(x^16 + x + 1).
Z = IntegerRing()
R = PolynomialRing(Z, 'x'); x = R.gen()
S = R.quotient(x^16 + x + 1, 'a'); a = S.gen()   # Sage preparser: ^ is exponentiation
MM = MatrixSpace(S, 4, 4, sparse=False)          # 4x4 matrices over S
C=MM([[[-257, 48, 279, 445, 409, -71, -433, -385, -325, 177, 111, -41, -123, -314, -91, -51], [-143, -297, -139, 213, 150, -45, -249, -354, -44, 133, 293, 137, 61, -59, -145, 204], [247, 520, 377, 182, 19, -3, 44, -88, -158, -225, -278, -271, -413, -125, -267, -272], [-395, -682, -547, -395, -360, -463, -311, -203, 212, 211, 112, 255, 113, 252, 460, 455]], [[-143, -297, -139, 213, 150, -45, -249, -354, -44, 133, 293, 137, 61, -59, -145, 204], [182, 825, 554, -359, -1124, -376, 655, 10, -20, -20, 808, 743, -332, -211, -223, 575], [-146, -340, -640, -313, -167, -772, -706, -573, -205, -356, -743, -448, -325, 101, -365, -410], [-779, -570, 107, -63, 70, -6, 712, 862, 455, 218, 265, 1102, 505, 346, 459, 509]], [[247, 520, 377, 182, 19, -3, 44, -88, -158, -225, -278, -271, -413, -125, -267, -272], [-146, -340, -640, -313, -167, -772, -706, -573, -205, -356, -743, -448, -325, 101, -365, -410], [958, 2389, 2723, 2636, 2803, 2704, 2753, 2337, 1858, 1548, 1156, 950, 138, -251, -398, -729], [-78, -536, -1317, -2053, -2250, -2677, -3157, -3325, -3210, -2623, -2840, -2453, -1792, -1308, -799, -642]], [[-395, -682, -547, -395, -360, -463, -311, -203, 212, 211, 112, 255, 113, 252, 460, 455], [-779, -570, 107, -63, 70, -6, 712, 862, 455, 218, 265, 1102, 505, 346, 459, 509], [-78, -536, -1317, -2053, -2250, -2677, -3157, -3325, -3210, -2623, -2840, -2453, -1792, -1308, -799, -642], [-1870, -3170, -1740, -536, 320, 815, 1777, 3046, 2850, 3291, 3524, 3522, 3565, 2928, 2692, 1936]]])
# C above: the challenge matrix that the solution B must reproduce.
J = MM([[1,0,0,0],[0,1,0,0],[0,0,-1,0],[0,0,0,-1]])   # indefinite form J = diag(1, 1, -1, -1)
B = MM(B)
assert C == B.transpose() * J * B   # the defining relation C = B^T * J * B

**************************************************

B=[[[1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]], [[3, 7, 1, -8, -5, 4, -6, -7, 8, -2, -5, 8, 6, 7, 8, -3], [1, -10, -14, -9, -4, 9, 10, 5, 3, -4, 5, -2, 2, -6, -4, 4], [-3, 3, 2, -3, 4, 1, 20, 15, 9, 1, -10, 6, -2, 6, 1, -3], [0, -8, -13, -26, -26, -18, -1, 6, 6, 0, -8, -9, -5, 0, 0, 1]], [[3, 4, -1, -5, 7, -1, 4, -8, -2, -5, 6, 1, -7, -7, 6, 4], [4, 4, 22, 13, -4, 8, -16, -9, 2, -11, 6, 4, -1, 7, 10, -9], [6, 1, 6, 8, -8, -6, -15, -24, -7, -2, -5, 4, -1, -14, 5, -8], [-1, 10, 18, 18, 31, 16, -1, 0, -6, -3, 7, 11, 11, 10, 7, 6]], [[-3, 2, 2, -8, -8, -5, 7, -6, -2, 4, -8, 1, 5, -2, 6, 2], [5, 4, -6, -8, -10, -7, 3, 2, 0, 5, -4, 1, 1, -7, -2, -2], [-1, -6, -10, -5, -11, -8, -6, 6, 5, 0, 5, -8, 4, 1, 1, 8], [6, 16, 16, 9, -5, -5, -4, -1, 6, 7, 2, -4, -8, -9, -8, -12]]]
# Same check for the second challenge; the ring and matrix space are rebuilt
# so that this block runs on its own.
Z = IntegerRing()
R = PolynomialRing(Z, 'x'); x = R.gen()
S = R.quotient(x^16 + x + 1, 'a'); a = S.gen()
MM = MatrixSpace(S, 4, 4, sparse=False)
C=MM([[[-86, -66, 256, -117, 25, 489, -211, -554, -346, 118, -236, -408, -191, 750, -34, -403], [37, -29, -140, -395, -324, 70, -56, -11, 33, 9, 152, 61, -26, -212, -374, -322], [77, -228, -459, -484, -702, -400, -103, 71, 91, -308, -195, -68, -16, -4, -90, -46], [594, 1066, 753, 343, -85, -145, 335, 614, 416, 389, 286, 0, -17, 43, -271, -628]], [[37, -29, -140, -395, -324, 70, -56, -11, 33, 9, 152, 61, -26, -212, -374, -322], [517, 119, -232, 456, -521, -597, 45, -957, 96, 696, -128, 906, 233, -692, 95, -423], [386, 195, -982, -564, -174, -704, 425, 109, -361, 656, -59, 103, 588, -365, -348, -26], [548, 1026, 840, 39, -414, -35, -347, -400, -87, -331, 290, 719, 474, 493, -173, -862]], [[77, -228, -459, -484, -702, -400, -103, 71, 91, -308, -195, -68, -16, -4, -90, -46], [386, 195, -982, -564, -174, -704, 425, 109, -361, 656, -59, 103, 588, -365, -348, -26], [277, 547, -147, -489, 130, 150, 484, 1234, 508, 413, 582, -397, 376, 363, -272, 327], [638, 784, 220, -416, -1382, -1230, -716, -444, 160, -118, -434, -187, -313, -213, 8, -462]], [[594, 1066, 753, 343, -85, -145, 335, 614, 416, 389, 286, 0, -17, 43, -271, -628], [548, 1026, 840, 39, -414, -35, -347, -400, -87, -331, 290, 719, 474, 493, -173, -862], [638, 784, 220, -416, -1382, -1230, -716, -444, 160, -118, -434, -187, -313, -213, 8, -462], [455, 1452, 1902, 1372, 484, -407, -401, 236, 434, 620, 860, 707, 989, 1335, 1014, 351]]])
J = MM([[1,0,0,0],[0,1,0,0],[0,0,-1,0],[0,0,0,-1]])   # J = diag(1, 1, -1, -1)
B = MM(B)
assert C == B.transpose() * J * B   # C = B^T * J * B

**************************************************

I will provide more details later.
Thank you,

Kevin Pucci
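
As an added example (not part of this thread, and not code from the DEFI authors or from the post above), the relation the Sage script asserts, C == B^T * J * B over S = Z[x]/(x^16 + x + 1) with J = diag(1, 1, -1, -1), reimplemented in plain Python so that a claimed solution can be checked without Sage. The matrices used here are a constructed toy for illustration, not the challenge data.

```python
N = 16                   # the ring is S = Z[x]/(x^16 + x + 1), so x^16 = -x - 1
J_DIAG = [1, 1, -1, -1]  # diagonal of the indefinite form J = diag(1, 1, -1, -1)

def poly(coeffs):
    """A length-16 coefficient list (lowest degree first), zero-padded."""
    return list(coeffs) + [0] * (N - len(coeffs))

def poly_add(p, q):
    return [a + b for a, b in zip(p, q)]

def poly_mul(p, q):
    """Multiply in Z[x], then reduce modulo x^16 + x + 1."""
    prod = [0] * (2 * N - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            prod[i + j] += a * b
    # Fold x^k (k >= 16) down using x^k = -x^(k-15) - x^(k-16); every
    # target index is below 16, so one top-down pass suffices.
    for k in range(2 * N - 2, N - 1, -1):
        c, prod[k] = prod[k], 0
        prod[k - N + 1] -= c
        prod[k - N] -= c
    return prod[:N]

def gram(B):
    """B^T * J * B over S: the value a genuine public matrix C must equal."""
    C = [[None] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            acc = poly([])
            for k in range(4):
                t = poly_mul(B[k][i], B[k][j])
                acc = poly_add(acc, t if J_DIAG[k] > 0 else [-c for c in t])
            C[i][j] = acc
    return C

def check_solution(B, C):
    """True iff candidate secret B reproduces C exactly (what the Sage assert tests)."""
    return gram(B) == C

# Constructed toy secret (NOT the challenge data): a unit-like B with two x entries.
x, one, zero = poly([0, 1]), poly([1]), poly([])
EXAMPLE_B = [[one, x, zero, zero],
             [zero, x, zero, zero],
             [zero, zero, one, zero],
             [zero, zero, zero, one]]

if __name__ == "__main__":
    C = gram(EXAMPLE_B)                       # C[1][1] is 2x^2, C[2][2] is -1
    print("solution verifies:", check_solution(EXAMPLE_B, C))
```

To check a posted solution, load its B and C coefficient lists into the same nested-list layout and call check_solution(B, C).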

Cong Ling

May 5, 2026, 7:20:46 AM
to pqc-forum, Kevin Pucci, Martin Feussner

Dear All,

Earlier, we presented an attack on DEFIv2 in our paper

Title: Cryptanalysis of Definite and Indefinite Lattice Isomorphism Problems With Applications to HAWK and DEFI

Authors: Markus Kirschmer, Cong Ling, and Ali Sadreddin

This paper was submitted to CRYPTO on Feb 13, 2026 (and has been accepted now), with the Magma code for “cryptanalysis of DEFIv2” published at the same time:
https://github.com/defiv2magmacodes/defiv2codes
Since then, we have also succeeded in breaking DEFIv2 with $m = 28$, which took $15$ days on a PC to recover a matrix $T$. The new MAGMA code and matrices $C$ and $T$ are available on the above GitHub project. 

The paper has been uploaded to the IACR ePrint and will be available online soon. It will undergo a revision for publication in the proceedings of CRYPTO 2026.

Best regards,
Markus Kirschmer, Cong Ling, and Ali Sadreddin