Round 2 (Additional Signatures) OFFICIAL COMMENT: SNOVA


Hung Le

Feb 24, 2026, 4:15:23 AM
to pqc-co...@nist.gov, pqc-...@list.nist.gov

Dear all,

We would like to draw your attention to our recent work, which extends the wedge-product attack on SNOVA that we presented at the NIST 6th PQC Workshop in 2025. Beyond improving the overall complexity, our approach exploits SNOVA’s block-ring structure to eliminate spurious solutions - an issue that prevents the generic wedge-product attack from applying directly to SNOVA. We also introduce a new technique, which we call "unbalanced projection of oil coordinates". Taken together, these contributions yield an attack that reduces the security of 8 of the 11 currently proposed parameter sets. Notably, the improvement becomes more significant for larger l = 5, precisely the regime that underlies SNOVA’s advantage in public key and signature size, and where several earlier attacks become less effective. 

For example, for SNOVA-V with parameters (v, o, q, l) = (29, 6, 16, 5), our estimates reduce the security to approximately 181 bits, compared to 310 bits for the best previously known attack reported in the SNOVA Round-2 specification. The summary of bit-complexity estimates of the attack is given below. Note that numbers in bold refer to the best attack while italicized ones refer to the cost below the required security level.

Details can be found at: https://eprint.iacr.org/2026/237

Best regards,
Hung Le, Maxime Bros, Jacob Lichtinger, Brice Minaud, Ray Perlner, Daniel Smith-Tone, and Cristian Valenzuela.




Po-En Tseng

Feb 25, 2026, 3:23:16 AM
to pqc-forum, Hung Le, pqc-...@list.nist.gov, pqc-co...@nist.gov
Dear all,

First, we would like to sincerely thank Hung Le, Maxime Bros, Jacob Lichtinger, Brice Minaud, Ray Perlner, Daniel Smith-Tone, and Cristian Valenzuela for their thorough and careful security analysis. While it may appear that SNOVA is in trouble as a result of their analysis, we believe that with some parameter changes the security of SNOVA can be fully restored.

1. On the wedge attack

Regarding the wedge attack, we consider SNOVA to behave similarly to other members of the UOV family. This we already stated at the 6th NIST PQC Standardization Conference and we believe that this continues to be the case. In fact, we agree with their results. We have independently conducted a similar analysis and reached consistent conclusions. Please see our report at: https://eprint.iacr.org/2026/260. For the affected parameter sets, resistance against the wedge attack can be achieved by slightly increasing the number of vinegar variables. We are pleased that both analyses lead to the same outcome. Compared to the situation at the NIST conference, nothing fundamental has changed. On the contrary, now that we are able to precisely estimate the dimension of the wedge map, we are in a better position to adjust parameters and to propose finely tuned parameter sets that satisfy the claimed security levels against all known attacks.

We also thank the authors for introducing the unbalanced projection-down technique. For completeness and ease of reference, we will include the relevant details and illustrative parameter adjustments (with increased vinegar variables) in the update of our ePrint report. We will also continue updating our draft specification on GitHub and the corresponding software implementation: https://github.com/PQCLAB-SNOVA/SNOVA.

It is worth noting that our main parameter set with (l = 4) remains secure against all the considered attacks. Due to its balanced trade-off between key size and performance, it continues to be our preferred parameter choice. This remains unchanged since the 6th NIST PQC Standardization Conference.

2. On the new attack by Furue and Ikematsu

We have also taken note of the new attack proposed by Hiroki Furue and Yasuhiko Ikematsu: https://eprint.iacr.org/2026/298.pdf. It is worth emphasizing that this attack also impacts the security of UOV.

Before proposing new parameter sets, we believe that further cryptanalysis is necessary on the approach taken by Furue et al. Such analysis will help us derive parameter choices that are both better justified and practically meaningful. We are currently conducting a more detailed and comprehensive investigation of possible parameter adjustments.

3. Ongoing directions

In addition to closing the previously existing gap in the wedge attack analysis, we are also shifting part of our research focus toward SNOVA over odd characteristic fields. In particular, we are considering proposals in odd characteristic and exploring more flexible structural variants. See our GitHub repository for the current results from this research.

Overall, we sincerely appreciate all analyses of SNOVA, as they allow us to scrutinize its security more carefully and optimize our parameter sets accordingly. We do not believe that the wedge attack poses a devastating threat to SNOVA, but we will update our proposed parameters as a result of its discovery. We already have promising candidates for parameter adjustments. However, at this stage, we believe that more comprehensive and systematic analysis is essential in order to derive optimal parameter sets.

We will continue our investigations and report further results in forthcoming papers.

All the best,
SNOVA Team

On Tuesday, February 24, 2026 at 5:15:23 PM [UTC+8], Hung Le wrote: