2024-09-10
Cryptanalysis of EagleSign
Publication
Publication
EagleSign is one of the 40 “Round 1 Additional Signatures” that is accepted for consideration in the supplementary round of the Post-Quantum Cryptography standardization process, organized by NIST. Its design is based on structured lattices, and it boasts greater simplicity and performance compared to the two lattice signatures already selected for standardization: Falcon and Dilithium. In this paper, we show that those claimed advantages come at the cost of security. More precisely, we show that the distribution of EagleSign signatures leaks information about the private key, to the point that only a few hundred signatures on arbitrary known messages suffice for a full key recovery, for all proposed parameters. A related vulnerability also affects EagleSign-V2, a subsequent version of the scheme specifically designed to thwart the initial attack. Although a larger number of signatures is required for key recovery, the idea of the attack remains largely similar. Both schemes come with proofs of security that we show are flawed.
Additional Metadata | |
---|---|
, , , | |
doi.org/10.1007/978-3-031-71073-5_8 | |
Lecture Notes in Computer Science , International Conference on Applied Cryptography and Network Security | |
A Reduction Theory for Codes and Lattices in Cryptography | |
14th International Conference, SCN 2024 | |
Organisation | Centrum Wiskunde & Informatica, Amsterdam (CWI), The Netherlands |
Pulles, L., & Tibouchi, M. (2024). Cryptanalysis of EagleSign. In International Conference on Applied Cryptography and Network Security (pp. 165–186). doi:10.1007/978-3-031-71073-5_8 |