Round 1 (Additional Signatures) OFFICIAL COMMENT: SNOVA
547 views
Skip to first unread message
Po-En Tseng
Jan 22, 2024, 1:19:36 AM1/22/24
to pqc-forum
Dear all,
We wish to inform you of the revised selection of SNOVA parameters for l=2.
For Security Level I:
(v, o, q, l) = (28, 17, 16, 2) ==> (37, 17, 16, 2)
For Security Level III:
(v, o, q, l) = (43, 25, 16, 2) ==> (56, 25, 16, 2)
For Security Level V:
(v, o, q, l) = (61, 33, 16, 2) ==> (75, 33, 16, 2)
In light of the preprint by Yasuhiko Ikematsu and Rika Akiyama, it has been noted that the SNOVA scheme exhibits a (q, lv, lo) UOV structure concerning key recovery. Consequently, a modification to the security analysis of SNOVA is essential, and the parameters for l=2 do not meet the NIST security level. However, parameters for l=3 and l=4 remain secure, satisfying the v>2o condition. The inadequacy of vinegar variables in the previous parameters for l=2 necessitates an increase to meet security requirements.
Stay tuned for the forthcoming updated security analysis of SNOVA.
Our heartfelt gratitude extends to Yasuhiko Ikematsu and Rika Akiyama for sharing their preprint and insights. Additionally, we appreciate Gilles Macario-Rat for providing us with similar insights.
Best regards,
SNOVA Team
We wish to inform you of the revised selection of SNOVA parameters for l=2.
For Security Level I:
(v, o, q, l) = (28, 17, 16, 2) ==> (37, 17, 16, 2)
For Security Level III:
(v, o, q, l) = (43, 25, 16, 2) ==> (56, 25, 16, 2)
For Security Level V:
(v, o, q, l) = (61, 33, 16, 2) ==> (75, 33, 16, 2)
In light of the preprint by Yasuhiko Ikematsu and Rika Akiyama, it has been noted that the SNOVA scheme exhibits a (q, lv, lo) UOV structure concerning key recovery. Consequently, a modification to the security analysis of SNOVA is essential, and the parameters for l=2 do not meet the NIST security level. However, parameters for l=3 and l=4 remain secure, satisfying the v>2o condition. The inadequacy of vinegar variables in the previous parameters for l=2 necessitates an increase to meet security requirements.
Stay tuned for the forthcoming updated security analysis of SNOVA.
Our heartfelt gratitude extends to Yasuhiko Ikematsu and Rika Akiyama for sharing their preprint and insights. Additionally, we appreciate Gilles Macario-Rat for providing us with similar insights.
Best regards,
SNOVA Team
Ikematsu Yasuhiko
Jan 26, 2024, 8:50:10 PM1/26/24
to pqc-forum, Po-En Tseng
Dear all,
Our preprint can be found here.
2024年1月22日月曜日 15:19:36 UTC+9 Po-En Tseng:
Reply all
Reply to author
Forward
0 new messages