Analysis of MQ-Sign

471 views
Skip to first unread message

Monika Trimoska

unread,
Mar 24, 2023, 8:17:02 AM3/24/23
to kpqc-b...@googlegroups.com, monika....@ru.nl, simona s, Thomas....@informatik.uni-regensburg.de

Dear all,


We would like to announce a practical key-recovery attack on the MQ-Sign signature candidate. The attack exploits the sparseness property of the quadratic maps and it applies to MQ-Sign-SS and MQ-Sign-RS.


An explanatory note of the attack is attached to this email.


We implemented a verification script (https://github.com/mtrimoska/MQ-Sign-attack) that performs the attack in less than 7 seconds for security level 5. For convenience, we also provide an equivalent SageMath script in the repository, which is fairly slower.


All the best,

Thomas Aulbach, Simona Samardjiska, Monika Trimoska

attack_MQ-Sign.pdf

Kyung-Ah Shim

unread,
Mar 28, 2023, 11:56:18 PM3/28/23
to KpqC-bulletin

We would like to thank you for sharing your analysis result. 

The result showed that two sparse variants of MQ-Sign using an equivalent key T are vulnerable to the key recover attacks. We think that the attacks work.

However, according to specification of key generation algorithm of MQ-Sign, it uses a random invertible affine map T. Thus, the proposed attack cannot applied to MQ-Sign using the random affine maps.

Although our scheme specified the use of the random affine maps, we implemented it using a form of equivalent key for efficiency as in Rainbow (our implementation is based on the code of Rainbow).

Our implementation code will be changed to use a random map and will be updated.

 

In fact, it has been published before that UOV and Rainbow are insecure against the CPA when they use the equivalent keys instead of random maps (CHES 2018). These results show that the use of the equivalent key for efficiency can break security of the MQ-scheme.

 We always only analyzed security of the case with random maps, so we missed security analysis of the case with equivalent keys.

We will also analyze the security of the sparse variants with a random affine map T. Please continue to pay attention to careful security analysis of our sparse variants.


Bestregards

Kyung-Ah Shim
2023년 3월 24일 금요일 오후 9시 17분 2초 UTC+9에 Monika Trimoska님이 작성:

Monika Trimoska

unread,
Apr 5, 2023, 5:08:05 AM4/5/23
to KpqC-bulletin

Dear authors,


Thank you for the clarification. However, we did not spot the use of the equivalent keys structure only in the reference implementation. The implementation specification in 4.1 explicitly states the form of T as used in the attack. Also, as far as we could tell, the secret key sizes that you report are derived using T in the specific structure (2vo for the central map + vo for T + (v+2o+32) for the linear and constant parts and the seed). If T is chosen as a random affine map, then the reported key sizes in Table 7 would not be correct.


With a random affine map, the secret key sizes are 26173, 63521, and 111749 Bytes for levels 1, 3, and 5 respectively. We agree that using a random affine map would protect against this attack, but the current version of MQ-Sign-{S/R}S, as described in its specification, is broken.


All the best,

Thomas, Simona, Monika

Hyungrok Jo

unread,
Apr 12, 2023, 9:14:21 AM4/12/23
to KpqC-bulletin
Dear all, 


We would like to inform you that we have successfully executed our proposed attack against MQ-Sign-SS and MQ-Sign-RS for security levels 1, 3, and 5 using a general secret key (without the assumption of a simple form of the secret key). 

We have provided the details of our attack in the attached document and have included the implementation of our attack using Magma. We have also attached the algorithm code here. 

We note that the implementation for all proposed parameters of security levels 1, 3, and 5 takes no longer than 30 minutes to run on a usual laptop. 


Best regards, 
Yasuhiko Ikematsu, Hyungrok Jo, Takanori Yasuda

2023년 4월 5일 수요일 오후 6시 8분 5초 UTC+9에 Monika Trimoska님이 작성:
A_security_analysis_on_the_MQ_Sign.pdf
MQ-Sign_attack_Magma.txt

Monika Trimoska

unread,
Nov 30, 2023, 6:16:08 AM11/30/23
to KpqC-bulletin
Dear all,

We are writing to announce an attack on the last sparse MQ-Sign variant: MQ-Sign-SR. We develop an algebraic forgery attack and show that the sparseness in the vinegar-vinegar part of the central map yields a very specific structure in the polynomial systems. As a first result, we present a simple attack that exploits this structure and shows that the parameters chosen for MQ-Sign-SR slightly fail to provide the required security levels.

Please find attached an updated version of our paper for the description of the new attack and the complexity analysis.


All the best,
Thomas, Simona, Monika

attack_MQ-Sign.pdf
Reply all
Reply to author
Forward
0 new messages