A New Signature Scheme Based on Punctured Reed–Muller Code With Random Insertion
In this paper, we propose a new signature scheme based on a punctured Reed–Muller (RM) code with random insertion, which improves the Goppa code-based signature scheme developed by Courtois, Finiasz, and Sendrier (CFS). The CFS signature scheme has certain drawbacks in terms of the scaling of its parameters and the lack of a proof of existential unforgeability under adaptive chosen message attacks (EUF-CMA). Further, the proposed modified RM code-based signature scheme can use complete decoding, which can be implemented with a recursive decoding method, so that syndromes of errors whose weight exceeds the error-correction capability can still be decoded for signing; this improves the probability of successful signing and reduces the signing time. Using the puncturing and insertion methods, the proposed RM code-based signature scheme avoids some known attacks on RM code-based cryptosystems. The parameters of the proposed signature scheme, such as the error weight parameter $w$ and the maximum number of signing trials $N$, can be adjusted to trade off signing time against security level, and it is also proved that the proposed signature scheme achieves EUF-CMA security.
💡 Research Summary
The paper addresses the well-known limitations of the Courtois-Finiasz-Sendrier (CFS) code-based digital signature scheme, which relies on binary Goppa codes and suffers from two major drawbacks: (1) the error-correction capability t must be kept very small because the probability that a randomly generated syndrome is decodable is only 1/t!; consequently, the average number of signing attempts grows factorially, leading to prohibitive signing times, and (2) the public parity-check matrix of a high-rate Goppa code can be distinguished from a random matrix, which undermines existential unforgeability under adaptive chosen-message attacks (EUF-CMA).
To overcome these issues, the authors propose a new signature scheme built on punctured Reed-Muller (RM) codes with random column insertion. Reed-Muller codes, defined as RM(r,m) with length n = 2^m, dimension k = ∑_{i=0}^r C(m,i) and minimum distance d = 2^{m-r}, admit an efficient recursive decoding algorithm known as closest-coset decoding. This algorithm solves the complete decoding problem: given a syndrome, it finds the coset leader (the minimum-weight error vector) in the corresponding coset. By using complete decoding, the scheme can accept error vectors whose weight exceeds the traditional error-correction bound t; the authors introduce an adjustable error-weight parameter w = t + δ, where δ ≥ 0. This flexibility dramatically increases the probability that a randomly generated syndrome is decodable, reducing the expected number of signing trials from t! to a small constant that can be bounded by a user-chosen maximum trial count N.
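To make the "complete decoding widens the set of signable syndromes" argument concrete, here is an added Python illustration; it is not the paper's code and it does not implement the paper's scheme. It builds the tiny first-order code RM(1,4) (n = 16, k = 5, d = 8, t = 3), uses its dual RM(2,4) as the parity-check matrix, and replaces the paper's recursive closest-coset decoder with an exhaustive coset-leader table, which is only feasible because n is so small. On top of that it runs a CFS-style signing loop that hashes message || counter to a syndrome and accepts once the coset leader has weight at most w = t + δ. The function names, the choice m = 4, the SHA-256 counter hash, and the sample message are all assumptions made for this example.

```python
"""Added example (not from the paper): RM(1,4), complete decoding by a
coset-leader table, and a CFS-style signing loop with error weight w = t + delta.
All arithmetic is over GF(2) using Python ints; the code is a toy and offers
no security at this size."""
import hashlib
import itertools
from collections import Counter


def rm_generator(r, m):
    """Generator matrix of RM(r, m): one row per monomial of degree <= r,
    each row being the monomial evaluated at all 2^m points of GF(2)^m."""
    n = 1 << m
    rows = []
    for deg in range(r + 1):
        for subset in itertools.combinations(range(m), deg):
            # bit j of the point x is coordinate x_j; the monomial is the AND of chosen coordinates
            rows.append([int(all((x >> j) & 1 for j in subset)) for x in range(n)])
    return rows


def syndrome(H, vec):
    """H * vec^T over GF(2); returns a tuple of n-k bits."""
    return tuple(sum(h * v for h, v in zip(row, vec)) & 1 for row in H)


def coset_leader_table(H, n):
    """Complete decoding by exhaustion: visit error vectors in increasing weight
    and keep the first (hence minimum-weight) representative of each syndrome.
    Stops once all 2^(n-k) syndromes have a leader (H is assumed full rank)."""
    leaders = {}
    total = 1 << len(H)
    for wt in range(n + 1):
        for support in itertools.combinations(range(n), wt):
            e = [0] * n
            for i in support:
                e[i] = 1
            s = syndrome(H, e)
            if s not in leaders:
                leaders[s] = e
        if len(leaders) == total:
            break
    return leaders


def leader_weight_profile(leaders):
    """Number of cosets whose leader has each weight."""
    return Counter(sum(e) for e in leaders.values())


def decodable_fraction(profile, w):
    """Fraction of syndromes a decoder accepting weight <= w can sign with."""
    total = sum(profile.values())
    return sum(c for wt, c in profile.items() if wt <= w) / total


def hash_to_syndrome(msg, counter, length):
    """Constructed stand-in for the scheme's hash: SHA-256(msg || counter) truncated to n-k bits."""
    digest = hashlib.sha256(msg + counter.to_bytes(4, "big")).digest()
    bits = int.from_bytes(digest, "big")
    return tuple((bits >> i) & 1 for i in range(length))


def sign(msg, H, leaders, w, max_trials):
    """CFS-style loop: increment the counter until the hashed syndrome's coset
    leader has weight <= w, or give up after max_trials (the paper's N)."""
    for ctr in range(max_trials):
        e = leaders[hash_to_syndrome(msg, ctr, len(H))]
        if sum(e) <= w:
            return ctr, e
    return None


def verify(msg, sig, H, w):
    """Accept iff the error vector is light enough and matches the hashed syndrome."""
    ctr, e = sig
    return sum(e) <= w and syndrome(H, e) == hash_to_syndrome(msg, ctr, len(H))


# Toy parameters (assumed for the example): RM(1,4) with dual RM(2,4) as H.
M, R = 4, 1
N = 1 << M
G = rm_generator(R, M)            # 5 x 16
H = rm_generator(M - R - 1, M)    # 11 x 16, the parity-check matrix
D = 1 << (M - R)                  # minimum distance 8
T = (D - 1) // 2                  # bounded-distance capability t = 3
LEADERS = coset_leader_table(H, N)
PROFILE = leader_weight_profile(LEADERS)

if __name__ == "__main__":
    for w in range(T, max(PROFILE) + 1):
        print(f"w = {w}: decodable fraction {decodable_fraction(PROFILE, w):.3f}")
    msg = b"constructed sample message"
    sig = sign(msg, H, LEADERS, T + 1, 100)
    print("counter used:", sig[0], "verify:", verify(msg, sig, H, T + 1))
```

With t = 3 only the 1 + 16 + 120 + 560 = 697 cosets whose leader has weight at most 3 are signable (about a third of the 2048 syndromes); each increment of δ adds every coset with leader weight t + δ, and at w = 6 (the covering radius of RM(1,4)) every syndrome is signable on the first trial. The lookup table stands in for the recursive decoder only; for the parameters a real scheme needs, the table is astronomically large and the recursive closest-coset algorithm described above is what makes complete decoding practical.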
However, RM codes are vulnerable to structural attacks such as the Minder-Shokrollahi attack and the Chizhov-Borodin attack, which exploit the algebraic regularity of the generator matrix to recover the secret scrambler S, the parity-check matrix H, and the permutation Q. To neutralize these attacks, the authors apply two complementary transformations: (i) puncturing, which deletes a carefully chosen set of columns from the systematic generator matrix G =