Ternary forking lemma and its application to the analysis of one code-based signature

The paper is devoted to the generalization of the so-called “forking lemma” to the case when the hash function returns a tuple of trits (trit is a variable that can take one out of the three values 0, 1, 2). It can be stated as follows. Let $\mathcal{A}(par, b)$ be an algorithm that, when run on randomly chosen ${par \leftarrow^{\mathrm{R}}}$ Params and ${b \leftarrow^{\mathrm{R}} \{0, 1, 2\}^{\delta}}$, successfully stops and returns the correct answer $x$ with probability $\epsilon$. Then there exists an algorithm $\mathcal{B}$ that uses $\mathcal{A}$ as a subroutine and returns a triple $(x_1, x_2, x_3)$, where $x_i \gets \mathcal{A}(par, b^i)$, $i=1, 2, 3$, with the additional condition that there exists a position $j$ such that $\{ b^1_j, b^2_j, b^3_j \} = \{ 0, 1, 2\}$ (i.e., all trits in this position are different); the success probability of $\mathcal{B}$ can be bounded from above as follows: ${p_{\mathcal{B}} \ge \varepsilon^3 - \varepsilon ({17}/{27})^{\delta/2}}$, and the running time of $\mathcal{B}$ does not exceed $4 t_{\mathcal{A}}$, where $t_{\mathcal{A}}$ is the time complexity of $\mathcal{A}$. The lemma is then applied to the analysis of code-based signature based on Stern identification protocol in the (standard) SUF-CMA model (with the outer hash function modelled as a programmable random oracle). First, we show that the SUF-CMA model can be reduced to the NMA model (in which the adversary makes no sign queries, only random oracle queries), thanks to the zero-knowledge property of the original Stern identification scheme and the programmability of an oracle. We then show that in the NMA model we can restrict attention only to the case, where the adversary makes a single random oracle query. The $b$ value from the forking lemma acts as the random oracle’s answer to the adversarial query. Using the lemma, we are able to fork the process of forging a signature. Having three valid signatures for the same message, we can to extract a secret key (or to find a collision of an inner hash function). Hence, we can bound from above the probability of successful forgery in terms of the probability of successful execution of collision finding and syndrome decoding algorithms.