The Security of Hash-and-Sign with Retry against Superposition Attacks

Paper 2025/363

Keita Xagawa, Technology Innovation Institute

Abstract

When considering security against quantum adversaries, it is important to consider not only the traditional existential unforgeability (EUF-CMA security) but also security against adversaries that make quantum queries to the signing oracle: plus-one security (PO security) and blind unforgeability (BU security), proposed by Boneh and Zhandry (Crypto 2013) and Alagic et al. (EUROCRYPT 2020), respectively. Hash-and-sign is one of the most common paradigms for constructing EUF-CMA-secure signature schemes in the quantum random oracle model; it employs a trapdoor function and a hash function, and its derandomized version is known to be PO- and BU-secure. A variant of hash-and-sign, hash-and-sign with retry (HSwR), formulated by Kosuge and Xagawa (PKC 2024), is widespread since it allows the security assumptions on the trapdoor function to be weakened. Unfortunately, it has not been known whether HSwR can achieve PO and BU security, even with derandomization. In this paper, we apply derandomization with bounded loops to HSwR and demonstrate that HSwR achieves PO and BU security through this approach. Since derandomization with bounded loops offers advantages in some implementations, our results support its wider adoption, including in NIST PQC candidates.
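As an added illustration that is not from the paper (the paper's own construction and proofs are not reproduced here): a toy derandomized hash-and-sign with retry in Python. A tiny Rabin-style trapdoor (squaring modulo N = pq with p ≡ q ≡ 3 mod 4) stands in for a trapdoor function that cannot invert every hash value, the salt for attempt i is derived by a PRF from the secret seed, the message and the counter i, and the retry loop stops after a fixed bound. The parameters, the HMAC-based PRF and all names are constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Toy Rabin trapdoor f(x) = x^2 mod N with p ≡ q ≡ 3 (mod 4): roots are easy given p, q.
# Constructed, insecure demo parameters (N is far too small for real use).
P, Q = 7907, 7919
N = P * Q
BOUND = 64  # retry cap; each attempt succeeds w.p. ~1/4, so all fail w.p. ~(3/4)^64

def hash_to_zn(msg: bytes, salt: bytes) -> int:
    """Hash function H: (salt, msg) -> Z_N, a random-oracle stand-in."""
    return int.from_bytes(hashlib.sha256(salt + msg).digest(), "big") % N

def invert(y: int) -> Optional[int]:
    """Trapdoor inversion: a square root of y mod N, or None if y is not a QR mod N.
    About 3/4 of all y have no root, which is exactly why the signer needs a retry loop."""
    if pow(y, (P - 1) // 2, P) != 1 or pow(y, (Q - 1) // 2, Q) != 1:
        return None
    rp, rq = pow(y, (P + 1) // 4, P), pow(y, (Q + 1) // 4, Q)
    # CRT combination of the two roots (one of the four roots, chosen deterministically)
    return (rp + P * (((rq - rp) * pow(P, -1, Q)) % Q)) % N

def sign(sk_seed: bytes, msg: bytes) -> Optional[Tuple[bytes, int]]:
    """Derandomized hash-and-sign with retry (bounded loop): the salt of attempt i is a
    PRF of (msg, i), so a message always yields the same signature, and signing stops
    after BOUND attempts instead of looping until a preimage is found."""
    for ctr in range(BOUND):
        salt = hmac.new(sk_seed, msg + ctr.to_bytes(4, "big"), hashlib.sha256).digest()[:16]
        x = invert(hash_to_zn(msg, salt))
        if x is not None:
            return (salt, x)
    return None  # bounded loop exhausted: explicit failure rather than an unbounded retry

def verify(msg: bytes, sig: Tuple[bytes, int]) -> bool:
    salt, x = sig
    return 0 <= x < N and pow(x, 2, N) == hash_to_zn(msg, salt)
```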

BibTeX

@misc{cryptoeprint:2025/363,
  author = {Haruhisa Kosuge and Keita Xagawa},
  title = {The Security of Hash-and-Sign with Retry against Superposition Attacks},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/363},
  year = {2025},
  url = {https://eprint.iacr.org/2025/363}
}