I have examined KAZ-SIGN (https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/kaz-sign-spec-web.pdf), and it would appear that the hard problem it relies on is not Quantum Resistant (and hence the signature algorithm it is based on is not).
The problem they state is, given A, g, N (composite) and Q, find x such that:
g^{Q^x} = A \bmod N
However, it would appear that three applications of Shor’s algorithm would be sufficient to recover x:
Being able to solve this allows us to recover the private key from the public key
Section 4 of the submission (which covers Quantum Resistance) only addresses Grover’s algorithm.
In addition, this being hard is also in conflict with the key generation, signing and verification algorithms they give (Algorithms 1-3) – those have several steps where you are expected to solve a discrete logarithm (either to base N or to base \phi(N)).
Hence, unless either I completely misunderstood this submission, I think we can drop this one.
Immediately after hitting send, I noticed that they specify that N is a product of a number of smallish primes; this makes the discrete log problem easy – however it makes all the steps I outlined below in solving the hard problem also easy for a classical computer…
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
pqc-forum+...@list.nist.gov.
To view this discussion on the web visit
https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM4PR11MB5455CFFD58AE7AE779BFDB37C13BA%40DM4PR11MB5455.namprd11.prod.outlook.com.