IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Online ISSN : 1745-1337
Print ISSN : 0916-8508

This article has now been updated. Please use the final version.

Lifting approach against the SNOVA scheme
Shuhei NAKAMURAYusuke TANIHiroki FURUE
Author information
Keywords: Post-Quantum Cryptography, Multivariate Cryptography, UOV, SNOVA, Key Recovery Attack
JOURNAL FREE ACCESS Advance online publication

Article ID: 2024EAP1124

The final version of this article is now available: Vol. E108.A (2025), No. 10 pp. 1373-1381
Details
Download PDF (2168K)
Download citation RIS

(compatible with EndNote, Reference Manager, ProCite, RefWorks)

BIB TEX

(compatible with BibDesk, LaTeX)

Text
How to download citation
Contact us
Abstract

In 2022, Wang et al. proposed the multivariate signature scheme SNOVA as a UOV variant over the non-commutative ring of l Γ— l matrices over 𝔽q. This scheme has small public key and signature size and is a second round candidate of NIST PQC additional digital signature project. Recently, Ikematsu and Akiyama, and Li and Ding show that the core matrices of SNOVA with v vinegar-variables and o oil-variables are regarded as the representation matrices of UOV with lv vinegar-variables and lo oil-variables over 𝔽q, and thus we can apply existing key recovery attacks as a plain UOV. In this article, we propose a method that reduces SNOVA to smaller UOV with v vinegar-variables and o oil-variables over 𝔽ql. As a result, we show that the previous first round parameter sets at l = 2 do not meet the NIST PQC security levels. We also confirm that the present parameter sets are secure from existing key recovery attacks with our approach.

Content from these authors
© 2025 The Institute of Electronics, Information and Communication Engineers
Favorites & Alerts

Recently viewed articles
Announcements from publisher
Share this page
feedback
 Top