Attacks on Two Digital Signature Schemes Based on Error Correcting Codes

We examine the security of several digital signature schemes based on algebraic block codes. It is shown that Xinmei’s digital signature scheme cau be totally broken by a known plaintext attack with complexity O(k3), where t is the dimension of the code used in the scheme. Harn and Wang have proposed a modified version of Xinmei’s scheme that prevents selective forgeries. Their scheme is also shown to be vulnerable to a known plaintext attack. We then present a new signature scheme that we believe to be resistant to th,: previously described attacks. 1 Xinmei’s Digital Signature Scheme Xinmei’s digital signature scheme [l] attempts to base its security on the intractability of the general decoding problem and the difficulty of factoring large matrices. Each user, say user A, chooses an ( n , k ) binary Goppa code CA that has the ability to correct t A errors. A k X n binary generator matrix GA and an (n k) x n binary parity check matrix HA are selected for CA. User A then finds the n x k binary matrix GI such that GA(;: = I k , where I k is the k x k identity matrix. User A selects a nonsingular binary n x n matrix PA and a nonsingular binary k x k matrix SA. User A completes the set-up of the system by constructing the matrices J A = PLIGASi’, WA = GZS;’, and TA = PYl H,’. The public key consists of J A , WA, TA, H A , t A , and t’, where t’ is an integer such that t’ < CA. The private key consists of the two matrices SAGA and PA. User A obtains the n-bit signature cj of the k-bit message mJ by computing is an n-bit error vector with Hamming weight w 3 ( g j ) = t’ chosen at random by user A. The receiver validates the possibily noise corrupted signature $ through the use of the Berlekamp-Massey algorithm and the public = (gj @ rnjSAGA)PA, where