Paper 2025/363

The Security of Hash-and-Sign with Retry against Superposition Attacks

Haruhisa Kosuge, NTT (Japan)
Keita Xagawa, Technology Innovation Institute
Abstract

When considering security against quantum adversaries, it is important to consider the traditional existential unforgeability (EUF-CMA security), but it is also desirable to consider security against adversaries that make quantum (superposition) queries to the signing oracle: plus-one security (PO security) and blind unforgeability (BU security), proposed by Boneh and Zhandry (CRYPTO 2013) and Alagic et al. (EUROCRYPT 2020), respectively. Hash-and-sign is one of the most common paradigms for constructing EUF-CMA-secure signature schemes in the quantum random oracle model; it employs a trapdoor function and a hash function. It is known that its derandomized version is PO- and BU-secure. A variant of hash-and-sign, known as hash-and-sign with retry (HSwR) and formulated by Kosuge and Xagawa (PKC 2024), is widespread since it allows the security assumptions on the trapdoor function to be weakened. Unfortunately, it has not been known whether HSwR can achieve PO and BU security even with derandomization. In this paper, we apply derandomization with bounded loops to HSwR and show that HSwR achieves PO and BU security through this approach. Since derandomization with bounded loops offers advantages in some implementations, our results support its wider adoption, including in NIST PQC candidates.
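As an added illustration (not code from the paper or its authors), the following Python sketches the HSwR template the abstract refers to: the salt is derandomized as a PRF of a secret seed, the message and a loop counter, and the retry loop is bounded by MAX_TRIES. The trapdoor function is an assumed toy, squaring modulo N = pq with tiny primes p, q ≡ 3 (mod 4), chosen because its inversion fails for roughly three quarters of targets, so retries actually occur; the primes, the seed, the hash domain separators and all names are constructed for the example and carry no security.

```python
"""Hash-and-sign with retry (HSwR) with derandomized, bounded retries.

Added illustration; not the paper's code.  The trapdoor function is a toy
Rabin-style map x -> x^2 mod N with tiny primes (assumption: chosen so the
example runs instantly; NOT secure).  Inversion succeeds only when the target
is a square modulo both primes (about 1/4 of targets), which is exactly the
situation the HSwR retry loop exists for.
"""
import hashlib
from typing import Optional, Tuple

# Toy parameters (assumption): p, q ≡ 3 (mod 4), so sqrt(y) = y^((p+1)/4) mod p.
P, Q = 1019, 1031
N = P * Q
MAX_TRIES = 64          # bound on the retry loop; signing aborts past it
SALT_LEN = 8            # bytes of salt carried in the signature

Signature = Tuple[bytes, int]   # (salt, preimage)
SecretKey = Tuple[int, int, bytes]


def keygen(seed: bytes = b"constructed-example-seed") -> Tuple[int, SecretKey]:
    """pk = N; sk = (p, q, seed).  The seed is the secret used to derive salts."""
    return N, (P, Q, seed)


def hash_to_target(salt: bytes, msg: bytes) -> int:
    """H(salt || msg) mapped into Z_N (domain separator is a constructed constant)."""
    h = hashlib.sha256(b"HSwR-target|" + salt + b"|" + msg).digest()
    return int.from_bytes(h, "big") % N


def derive_salt(seed: bytes, msg: bytes, ctr: int) -> bytes:
    """Derandomized salt: PRF(seed, msg, counter) instead of fresh randomness."""
    h = hashlib.sha256(b"HSwR-salt|" + seed + b"|" + msg + b"|" + ctr.to_bytes(2, "big")).digest()
    return h[:SALT_LEN]


def trapdoor_eval(pk: int, x: int) -> int:
    """Public direction of the toy trapdoor function."""
    return x * x % pk


def trapdoor_invert(sk: SecretKey, y: int) -> Optional[int]:
    """Square root of y mod N via CRT, or None when y is a non-square mod p or q."""
    p, q, _ = sk
    if pow(y, (p - 1) // 2, p) != 1 or pow(y, (q - 1) // 2, q) != 1:
        return None                      # inversion fails -> caller retries
    xp = pow(y, (p + 1) // 4, p)
    xq = pow(y, (q + 1) // 4, q)
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)


def sign_traced(sk: SecretKey, msg: bytes) -> Tuple[Optional[Signature], int]:
    """HSwR signing; returns (signature, tries).  Signature is None if the bound is hit."""
    _, _, seed = sk
    for ctr in range(MAX_TRIES):
        salt = derive_salt(seed, msg, ctr)   # counter only influences the salt
        y = hash_to_target(salt, msg)
        x = trapdoor_invert(sk, y)
        if x is not None:
            return (salt, x), ctr + 1
    return None, MAX_TRIES                   # bounded loop: abort, no fresh randomness


def sign(sk: SecretKey, msg: bytes) -> Optional[Signature]:
    sig, _ = sign_traced(sk, msg)
    return sig


def verify(pk: int, msg: bytes, sig: Signature) -> bool:
    """Standard hash-and-sign check: F(x) == H(salt, msg)."""
    salt, x = sig
    if len(salt) != SALT_LEN or not (0 <= x < pk):
        return False
    return trapdoor_eval(pk, x) == hash_to_target(salt, msg)


if __name__ == "__main__":
    pk, sk = keygen()
    m = b"constructed message"
    sig, tries = sign_traced(sk, m)
    print("tries:", tries, "valid:", sig is not None and verify(pk, m, sig))
```

Two points the sketch makes concrete: the signature carries the salt but not the counter, so a verifier needs no secret, and the same (sk, msg) always yields the same signature; and when the bound is exhausted the signer returns None rather than falling back to fresh randomness, which is what makes the loop both derandomized and bounded. How a bounded loop of this shape affects PO and BU security is the subject of the paper, not something the sketch proves.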

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in PKC 2025
Keywords
Post-quantum cryptography, Quantum random oracle model, Superposition attack, Digital signature, Hash-and-sign
Contact author(s)
hrhs kosuge @ ntt com
keita xagawa @ tii ae
History
2025-03-04: approved
2025-02-26: received
Short URL
https://ia.cr/2025/363
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/363,
      author = {Haruhisa Kosuge and Keita Xagawa},
      title = {The Security of Hash-and-Sign with Retry against Superposition Attacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/363},
      year = {2025},
      url = {https://eprint.iacr.org/2025/363}
}