Dual Support Decomposition in the Head: Shorter Signatures from Rank SD and MinRank

Loïc Bidoux⁹,
Thibauld Feneuil¹⁰,
Philippe Gaborit¹¹,
Romaric Neveu¹¹ &
…
Matthieu Rivain¹⁰

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 15485))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

100 Accesses

Abstract

The MPC-in-the-Head (MPCitH) paradigm is widely used for building post-quantum signature schemes, as it provides a versatile way to design proofs of knowledge based on hard problems. Over the years, the MPCitH landscape has changed significantly, with the most recent improvements coming from VOLE-in-the-Head (VOLEitH) and Threshold-Computation-in-the-Head (TCitH).

While a straightforward application of these frameworks already improve the existing MPCitH-based signatures, we show in this work that we can adapt the arithmetic constraints representing the underlying security assumptions (here called the modeling) to achieve smaller sizes using these new techniques. More precisely, we explore existing modelings for the rank syndrome decoding ($\textsf{RSD}$) and $\textsf{MinRank}$ problems and we introduce a new modeling, named dual support decomposition, which achieves better sizes with the VOLEitH and TCitH frameworks by minimizing the size of the witnesses. While this modeling is naturally more efficient than the other ones for a large set of parameters, we show that it is possible to go even further and explore new areas of parameters. With these new modeling and parameters, we obtain low-size witnesses which drastically reduces the size of the “arithmetic part” of the signature.

We apply the TCitH and VOLEitH frameworks to our new modeling for both $\textsf{RSD}$ and $\textsf{MinRank}$ and compare our results to the NIST candidates RYDE, MiRitH, and MIRA (MPCitH-based schemes from $\textsf{RSD}$ and $\textsf{MinRank}$). We also note that recent techniques optimizing the sizes of GGM trees are applicable to our schemes and further reduce the signature sizes by a few hundred bytes. We obtain signature sizes below 3.5 kB for 128 bits of security with $N=256$ parties (a.k.a. leaves in the GGM trees) and going as low as $\approx $ 2.8 kB with $N=2048$, for both $\textsf{RSD}$ and $\textsf{MinRank}$. This represents an improvement of more than 2 kB compared to the original submissions to the 2023 NIST call for additional signatures.

You have full access to this open access chapter, Download conference paper PDF

$$\textsf{ReSolveD} $$ : Shorter Signatures from Regular Syndrome Decoding and VOLE-in-the-Head

Compact Post-quantum Signatures from Proofs of Knowledge Leveraging Structure for the $$\textsf{PKP}$$ , $$\textsf{SD}$$ and $$\textsf{RSD}$$ Problems

Syndrome Decoding in the Head: Shorter Signatures from Zero-Knowledge Proofs

1 Introduction

The MPC-in-the-Head (MPCitH) paradigm is a popular framework to build post-quantum signatures. After sharing the secret key, the signer emulates “in his head” an MPC protocol and commits each party’s view independently. He then reveals the views of a pseudo-random subset of parties, where this subset is given by the hash digest of the commitments (in the setting of the Fiat-Shamir heuristic). By the privacy of the MPC protocol, nothing is revealed about the secret key, which implies the zero-knowledge property. On the other hand, a malicious signer needs to cheat for at least one party, which shall be discovered by the verifier with high probability, hence ensuring the unforgeability property.

In the new NIST call for additional post-quantum signatures [33], many submissions rely on the MPCitH paradigm applied on a large range of security assumptions. Three MPCitH candidates fall in the rank-based cryptography category:

RYDE [4], for which the security relies on the hardness of solving the rank syndrome decoding problem;
MIRA [5] and MiRitH [1], for which the security relies on the hardness of solving the MinRank problem (MIRA and MiRitH rely on the same security assumption, but use different modelings and MPC protocols).

Recently, new techniques of MPC-in-the-Head have been proposed:

the VOLE-in-the-Head (VOLEitH) framework [12] released in Summer 2023;^{Footnote 1}
the TC-in-the-Head (TCitH) framework [22] released in Autumn 2023.^{Footnote 2}

As shown in [22] a simple application of these frameworks leads to shorter and faster signature schemes compared to those submitted to the NIST call (for similar underlying security assumption).

For MPCitH-based schemes (including those based on VOLEitH and TCitH), the signatures are composed of two parts, a “symmetric part” made of seeds and hash digests and an “arithmetic part” composed of the open party views and broadcast shares of the MPC protocol. While for a given security level the symmetric part is of rather fixed size (for the considered MPCitH framework), the arithmetic part depends on the modeling of the used security assumption and the associated MPC protocol. In the traditional broadcast-based MPCitH framework (i.e. the MPCitH framework widely used before VOLEitH and TCitH), to minimize the signature size, the designers had minimize the sum of the sizes of the MPC input and of the broadcasted values while considering only linear multiparty computation. With the VOLEitH and TCitH frameworks, the game rules have changed. These frameworks enable quadratic (or higher degree) multiparty computation, which implies that minimizing the signature size is achieved only by minimizing the MPC protocol input (i.e., the witness of the modeling).

In rank-based cryptography, several modelings for the rank syndrome decoding problem and the MinRank problem have been proposed. The first one is derived from [37] and consists in working with a permuted version and an additively-masked version of the secret. The best scheme relying on it is proposed in [15]. The second modeling is based on q-polynomials and is first used in such a context in [20]. The third modeling consists in writing the low-rank object as the product of two small matrices and is first used in such a context in [2] and [20]. The last modeling relies on Kipnis-Shamir technique, initially proposed for the cryptanalysis of the MinRank problem [29] and used to build a scheme in [1]. We sum up the different techniques to handle the rank metric in Table 1.

Table 1. Techniques used in MPCitH-based signatures for $\textsf{RSD}$ and $\textsf{MinRank}$.

Full size table

In this work, we explore modelings for the rank syndrome decoding problem and the MinRank problems to identify the best option with the new VOLEitH and TCitH techniques. We show that the shortest signatures with RSD and MinRank are obtained thanks to the dual support decomposition modeling, which consists in finding a basis $(e_1,\ldots ,e_r)$ and coefficients $c_{1,1},\ldots ,c_{n,r}$ such that

$$y = H x ~~\text { and }~~ \forall i,~ x_i = \sum _{j=1}^r c_{i,r}\cdot e_j.$$

While this modeling is quite natural for the rank syndrome decoding problem, it requires to work with a dual matrix of a code in the MinRank problem: we need to consider the syndrome decoding problem for matrix codes. In fact, the MinRank problem being the message decoding problem for such codes, we define in this work the MinRank Syndrome problem, which is a equivalent variant of the MinRank problem which has not been previously used in cryptosystems. Working in the dual has the advantage to remove the encoded message from the witness of the code-based problem, leading to a shorter witness. With the dual support decomposition modeling, the witness size (and thus the signature size) is independent of the code dimension, thanks to the definition of the syndrome version of the MinRank problem. This enables us to optimize the parameters by taking codes of larger dimensions.

We then apply the TCitH and VOLEitH frameworks on the optimal modeling, yielding new signature schemes with smaller sizes as summarized in Table 2. We also put the signature sizes of the NIST candidates based on the same security assumptions (namely RYDE, MIRA and MiRitH) in the column “MPCitH” and their signature sizes when performing a straightforward application of VOLEitH and TCitH. We observe that the difference in signature sizes between VOLEitH and TCitH tends to disappear while increasing the parameter N, i.e., the number of leaves in GGM seed trees used for the commitment (a.k.a. the number of parties in standard MPCitH schemes). Since these two frameworks are faster than previous MPCitH schemes, it becomes natural to consider larger values of N. We obtain signature sizes down to 3.7 kB for TCitH with $N=256$ leaves, and down to 2.9 kB for VOLEitH and TCitH with $N=2048$ leaves (more details are given in Tables 7 and 10). The ranges of sizes reported in Table 2 correspond to a parameter N ranging between 256 and 2048. Let us note that new generic optimizations for MPCitH-based signatures have been proposed in [11] very recently. We applied these optimisations to our new signature schemes, enabling us to save an additional few hundred bytes. The obtained sizes are reported in Table 2 with the label “optimized”.

Table 2. Comparison of our schemes based on dual support decomposition (DSD) with the NIST candidates based on the same security assumptions. The sizes in the column “MPCitH” are given when using seed trees with 256 leaves, while the size range in columns “VOLEitH” and “TCitH” are given when using seed trees with between 256 and 2048 leaves.

Full size table

Paper Organization. The paper is organized as follows: In Sect. 2, we introduce the necessary background on the rank metric and sharing schemes. We present the existing attacks against $\textsf{RSD}$ and $\textsf{MinRank}$ in Sect. 3. We explore the possible modelings for rank-based cryptography in Sect. 4. We recall the TCitH and VOLEitH frameworks in Sect. 5 and we apply these frameworks to the dual support decomposition modeling to obtain new signature schemes in Sect. 6.

2 Preliminaries

2.1 Notations

We denote by $\mathbb {F}_q$ the finite field of size q. The set of vectors with n coordinates in $\mathbb {F}_q$ is referred as $\mathbb {F}_q^{n}$, the set of matrices with m rows and n columns in $\mathbb {F}_q$ is referred as $\mathbb {F}_q^{m\times n}$. We use lowercase bold letters to represent vectors and uppercase bold letters for matrices ($\boldsymbol{E} \in \mathbb {F}_q^{m \times n}$, $\boldsymbol{x} \in \mathbb {F}_q^k$, $x \in \mathbb {F}_q$). The subset of integers from 1 to n is represented with $[1, n]$. If S is a set, we write $x\overset{\;\$}{\longleftarrow }S$ the uniform sampling of a random element x in S. We note the $\mathbb {F}_q$-linear subspace of $\mathbb {F}_{q^m}$ generated by $(x_1,\dots ,x_n) \in \mathbb {F}_{q^m}^{n}$ as $\langle x_1,\dots ,x_n\rangle $. Let us define the gaussian coefficient ${ \begin{bmatrix} \textit{m} \\ \textit{r} \end{bmatrix}_q } = \prod _{i=0}^{r-1}\frac{q^m-q^i}{q^r-q^i} \approx q^{r(m-r)}$, it corresponds to the number of different dimension-r $\mathbb {F}_q$-linear subspaces of $\mathbb {F}_{q^m}$.

2.2 Secret Sharing

A threshold secret sharing scheme is a method to share a value v into a sharing $[\![ v ]\!]:=([\![ v ]\!]_1,\ldots ,[\![ v ]\!]_N)$ such that v can be reconstructed from any $\ell $+1 shares while no information is revealed on the secret from the knowledge of $\ell $ shares. We note by $[\![ x ]\!]_i$ the i^th share of $[\![ x ]\!]$ (i.e. the share of the i^th party). We can also note $[\![ x ]\!]_I$ where I is a set of indices, to denote all the shares of the parties in the set I.

Let us define Shamir’s secret sharing scheme [36], since the frameworks we will consider rely on it. Let $\ell $ and N two integers such that $1 \le \ell \le N$. Let $e, \omega _1, \ldots , \omega _N$ be $N+1$ distinct elements of $\mathbb {F}\cup \{\infty \}$. To share a value $v\in \mathbb {F}$ using Shamir’s secret sharing scheme, one should

1.
sample $\ell $ randoms values $r_1,\ldots ,r_\ell $ of $\mathbb {F}$;
2.
compute the polynomial P by interpolation such that
$$P(e) = v ~~~\text {and}~~~ \forall i\in [1,\ell ], P(\omega _i) = r_i;$$
3.
build the N shares $[\![ v ]\!]_1,\ldots ,[\![ v ]\!]_N$ as
$$\forall i\in [1,N],~ [\![ v ]\!]_i := P(\omega _i).$$

To recover the secret value from $\ell +1$ shares, we re-compute the polynomial P by interpolation and we just deduce P(e). Let us stress that $P(\infty )$ refers to the leading coefficient of the polynomial P. The most classical choice is to set e to zero but we may consider alternative choices depending on the context (and in particular $e = \infty $).

We define the degree of a Shamir’s secret sharing as the degree of the underlying polynomial. A sharing generated using the above process is of degree $\ell $. The sum of a $d_1$-degree sharing and a $d_2$-degree sharing is of degree $\max (d_1,d_2)$, while the multiplication is of degree $d_1+d_2$.

2.3 Rank Metric and Hard Problems for Cryptography

We will first recall some background on the Rank Metric, and we will then define hard problems we will use ($\textsf{RSD}$ and $\textsf{MinRank}$).

Definition 1

(Rank Metric over $\mathbb {F}_{q^m}^n$). Let $\boldsymbol{x} = (x_1,\dots ,x_n) \in \mathbb {F}_{q^m}^n$, and $\mathcal {B} = (b_1,\dots ,b_m) \in \mathbb {F}_{q^m}^m$ an $\mathbb {F}_q$-basis of $\mathbb {F}_{q^m}$. Each coordinate $x_j$ can be associated with a vector $(x_{j,1},\dots ,x_{j,m}) \in \mathbb {F}_q^m$ such that $x_j = \sum _{i=1}^m x_{j,i}b_i$. Let us define the following notations:

$\boldsymbol{M}_{\boldsymbol{x}} = (x_{j,i})_{(j,i) \in [1, n]\times [1, m]} $ is the matrix associated to the vector $\boldsymbol{x}$;
the rank weight is defined as: $w_R\big (\boldsymbol{x}\big ) = \textsf{rank}(\boldsymbol{M_x})$;
the distance between two vectors $\boldsymbol{x}$ and $\boldsymbol{y}$ in $\mathbb {F}_{q^m}^n$ is: $d(x,y) = w_R\big (\boldsymbol{x}-\boldsymbol{y}\big ) $;
the support of a vector $\operatorname {Supp}{(\boldsymbol{x})}$ is the $\mathbb {F}_q$-linear subspace of $\mathbb {F}_{q^m}$ generated by its coordinates: $\operatorname {Supp}{(\boldsymbol{x})} = \langle x_1,\dots ,x_n \rangle $.

Definition 2

A linear code $\mathcal {C}$ over $\mathbb {F}_{q^m}$ of dimension k and length n is a linear subspace of $\mathbb {F}_{q^m}^n$ of dimension k. The elements of $\mathcal {C}$ are called codewords. The code $\mathcal {C}$ can be represented in two ways:

by a generator matrix $\boldsymbol{G}$, where $\mathcal {C}= \{\boldsymbol{mG}, \boldsymbol{m} \in \mathbb {F}_{q^m}^k\}$, or
by a parity-check matrix $\boldsymbol{H} \in \mathbb {F}_{q^m}^{(n - k) \times n}$ where $\mathcal {C}= \{\boldsymbol{x} \in \mathbb {F}_{q^m}^{n}: \boldsymbol{H}\boldsymbol{x}^{\top } = \boldsymbol{0}^{\top } \}$

We now continue by formally recalling the definition of the rank syndrome decoding ($\textsf{RSD}$) problem.

Definition 3

($\textsf{RSD}$ problem). Let q, m, n, k and r be positive integers. Let $\boldsymbol{H} \overset{\;\$}{\longleftarrow }\mathbb {F}_{q^m}^{(n - k) \times n}$ and $\boldsymbol{x} \overset{\;\$}{\longleftarrow }\mathbb {F}_{q^m}^n$ such that $w_R\big (\boldsymbol{x}\big ) = r$. Let $\boldsymbol{y}^{\top } = \boldsymbol{H} \boldsymbol{x}^{\top }$. Given $(\boldsymbol{H}, \boldsymbol{y})$, the computational $\textsf{RSD}(q, m, n, k, r)$ problem asks to find a vector $\tilde{\boldsymbol{x}} \in \mathbb {F}_{q^m}^n$ such that $\boldsymbol{H}\tilde{\boldsymbol{x}}^\top = \boldsymbol{y}^{\top }$ and $w_R\big (\tilde{\boldsymbol{x}}\big ) = r$.

We now introduce a variant of the above problem, the $\textsf{RSD}_{\text {s}}$ problem and later argue that it is as hard as the standard $\textsf{RSD}$ problem.

Definition 4

($\textsf{RSD}_{\text {s}}$ problem). Let q, m, n, k and r be positive integers. Let $\boldsymbol{H} \overset{\;\$}{\longleftarrow }\mathbb {F}_{q^m}^{(n - k) \times n}$ and $\boldsymbol{x} = (x_i) \overset{\;\$}{\longleftarrow }\mathbb {F}_{q^m}^n$ such that $w_R\big (\boldsymbol{x}\big ) = r$, $x_1 = 1\in \mathbb {F}_{q^m}$ and $\langle x_1, \ldots , x_r \rangle _{\mathbb {F}_q} = \operatorname {Supp}{(\boldsymbol{x})}$. Let $\boldsymbol{y}^{\top } = \boldsymbol{H} \boldsymbol{x}^{\top }$. Given $(\boldsymbol{H}, \boldsymbol{y})$, the computational $\textsf{RSD}_{\text {s}}(q, m, n, k, r)$ problem asks to find a vector $\tilde{\boldsymbol{x}} \in \mathbb {F}_{q^m}^n$ such that $\boldsymbol{H}\tilde{\boldsymbol{x}}^\top = \boldsymbol{y}^{\top }$ and $w_R\big (\tilde{\boldsymbol{x}}\big ) = r$.

The last problem we will rely on is the well-known $\textsf{MinRank}$ problem:

Definition 5

($\textsf{MinRank}$ problem). Let q, m, n, k and r be positive integers. Let $\boldsymbol{M}_1, \dots , \boldsymbol{M}_k, \boldsymbol{E} \in \mathbb {F}_{q}^{m\times n}$ and $\boldsymbol{x} :=(x_1, \ldots , x_k) \in \mathbb {F}_q^k$ be uniformly sampled such that

$$\textsf{rank}(\boldsymbol{E}) \le r ~~~\text {with}~~~ \boldsymbol{M} := \boldsymbol{E} - \sum _{i=1}^{k} x_i \boldsymbol{M}_i.$$

Given $\boldsymbol{M} ,\boldsymbol{M}_1\dots , \boldsymbol{M}_k$, the computational $\textsf{MinRank}(q, m, n, k, r)$ problem asks to retrieve the vector $\boldsymbol{x}$.

The last notion to recall is the Gilbert-Varshamov bound for the rank metric and for MinRank. This bound in rank metric has been introduced in [30]. It can be seen as the probable minimum weight of a random code.

Definition 6

(Rank Gilbert-Varshamov Bound). Let $S_r$ be the number of elements of the sphere in $\mathbb {F}_{q^m}^n$ of radius r centered in 0, i.e., the number of elements in $\mathbb {F}_{q^m}^n$ of weight exactly r. We have $S_0 = 1$, and for $r \ge 1$,

$$S_r = \prod _{j=0}^{r-1}\frac{(q^n-q^j)(q^{m}-q^{j})}{q^{r}-q^{j}}.$$

Let $B_r := \sum _{i=0}^{r} S_r$ be the number of elements of the ball in $\mathbb {F}_{q^m}^n$ of radius r centered in 0. The Rank Gilbert-Varshamov (RGV) bound for an [n, k] linear code over $\mathbb {F}_{q^m}$ is the smallest integer r such that

$$ q^{m(n-k)} \le B_{r}$$

Using the approximation $B_r \approx q^{(m+n-r)r}$, one can say the RGV bound is the smallest r such that $m(n-k) \le (m-r)r+nr$. We call this value $d_{\textsf{RGV}}$. The same bound exists for matrix codes (i.e., for $\textsf{MinRank}$) as they are simply $\mathbb {F}_q$-linear codes. Courtois described this bound in [17, Section 24.2], and it can also be derived from the one above easily (consider a $[m\times n,k]$ linear code over $\mathbb {F}_q$ instead of [n, k] linear over $\mathbb {F}_{q^m}$). This bound is also mentioned in attacks on $\textsf{MinRank}$ ([8, 9] for instance). Concretely, this states that, for an instance of $\textsf{MinRank}$ with parameters (q, m, n, k, r), we do not expect to obtain more than one solution if r is chosen such that $k+1 \le (m-r)(n-r)$.

Complexity of Attacks for Parameters on the GV Bound. For $\textsf{RSD}$, the parameter r is taken as $d_{\textsf{RGV}}-1$, i.e., the highest r such that $ (m-r)r+nr <m(n-k)$. With this parameter, if $\boldsymbol{H}$ and $\boldsymbol{y}$ were to be randomly sampled, one would expect to have a solution with probability $q^{(m+n-r)r-m(n-k)}$. Since $\boldsymbol{y}$ is set so there is a solution and since we are below RGV, it is not expected to have another solution. For $\textsf{MinRank}$, we take parameters on the RGV bound, with $k+1 = (m-r)(n-r)$. For $k+1$ matrices randomly sampled ($\boldsymbol{M}, \boldsymbol{M}_1,\dots ,\boldsymbol{M}_k$), the probability to have a solution to the $\textsf{MinRank}$ instance is $q^{(m+n-r)r-(mn-k)}$. Since $\boldsymbol{M}$ is set so that there is a solution and since we are on GV, it is not expected to have another solution for the instance. Let us now explain why in addition to having only one solution, it is important to take parameters according to these bounds. Since the combinatorial attacks from [34] for $\textsf{RSD}$ and [26] for $\textsf{MinRank}$, very few improvements have been made in the complexity. For $\textsf{MinRank}$, the kernel attack is still the best combinatorial attack, and for $\textsf{RSD}$, the exponential part of the complexities is still quadratic and has known almost no improvement for over 20 years (with the exception of [6], which slightly improved the complexity). Regarding the algebraic attacks, introduced in [7] and improved in [10] and [8], they managed to greatly reduce the complexity for the $\textsf{RQC}$ and $\textsf{LRPC}$ schemes. However, this came from the fact that these parameters were not on RGV. The attacked parameters were in $\mathcal {O}\left( \sqrt{n-k}\right) $, which made them easier to attack, whereas we will consider parameters around the RGV bound, in $\mathcal {O}\left( n \right) $. In practice, for parameters taken at the RGV bound, or just below, the algebraic attacks have roughly the same complexity as the combinatorial ones ( [8]). Overall, this means that, for parameters taken on the Rank Gilbert-Varshamov bound, the attacks have known no significant amelioration for the last 20 years.

3 Security and Parameters for $\textsf{RSD}_{\text {s}}$ and $\textsf{MinRank}$

We give here the well known reduction from $\textsf{RSD}$ to $\textsf{RSD}_{\text {s}}$, and then the attacks considered against $\textsf{RSD}$ and $\textsf{MinRank}$, which we will use in order to establish parameters for the signature schemes. We will also use these attacks in order to establish parameters to compare the different modelings in Sect. 4.

3.1 Security of the Rank Syndrome Decoding Problem

We deal here with the $\textsf{RSD}$ problem, first by explaining the relation between $\textsf{RSD}$ and $\textsf{RSD}_{\text {s}}$, and then the attacks on $\textsf{RSD}$.

Security Reduction. The $\textsf{RSD}_{\text {s}}$ problem was most notably used in the $\textsf{RQC}$ scheme in order to optimize it [31]. In the following, we show that the $\textsf{RSD}_{\text {s}}$ problem is as hard as the standard $\textsf{RSD}$ problem. More precisely, we show that any $\textsf{RSD}$ instance can be solved by an $\textsf{RSD}_{\text {s}}$ solver. This is the same reduction as in [6, 7, 34], and others, used to specialize some variables. We exhibit below the reduction which has not formally been described in previous works (as part of the folklore of rank-based cryptography).

Proposition 1

Let q, m, n, k, r be positive integers such that $n > k$. Let $\mathcal {A}_\text {s}$ be an algorithm which solves a $(q,m,n,k+1,r)$-instance of the $\textsf{RSD}_{\text {s}}$ problem in time t with success probability $\varepsilon _s$. Then there exists an algorithm $\mathcal {A}$ which solves a (q, m, n, k, r)-instance of the $\textsf{RSD}$ problem in time t with probability $\varepsilon $, where

$$\varepsilon \ge \left( \prod _{i=0}^{r-1}\frac{ q^{n}-q^{n-r+i}}{q^{n}-q^{i}}\right) \cdot \varepsilon _s$$

under the assumption that the code $\mathcal {C}$ associated to the parity-check matrix $\boldsymbol{H}$ of the $\textsf{RSD}$ instance contains no words of weight r.

Proof

See the full version [16].

Remark 1

In practice, the loss factor in Proposition 1 tends to 1 when q grows. For our considered parameters, with $q=2$, its value is around 0.3. Moreover, one can get the average number of codewords of $\mathcal {C}$ of weight r to justify our assumption. Let $\mathcal {S}_r = \prod _{i=0}^{r-1}\frac{(q^n-q^i)(q^{m}-q^{i})}{q^{r}-q^{i}}$ be the number of words in $\mathbb {F}_{q^m}^n$ of weight exactly r. Then, on average, there are $\frac{S_r}{q^{m(n-k)}}$ words of rank r in the code. When below RGV, this makes the probability that a random code $\mathcal {C}$ contains no codeword of weight r close to 1.

Remark 2

The best known attacks on $\textsf{RSD}$ use the reduction to $\textsf{RSD}_{\text {s}}$ in order to solve the instance [6, 8, 10, 34], meaning that in practice we consider the best attacks on $\textsf{RSD}$ to evaluate the security of $\textsf{RSD}_{\text {s}}$.

3.2 Parameters Choice for $\textsf{RSD}_{\text {s}}$

Because of the space constraints, we recall the best attacks on $\textsf{RSD}$ in the full version [16]. According to these attacks, we give in Table 3 the parameters which we will use for our $\textsf{RSD}_{\text {s}}$ instances.

Table 3. Choice of parameters for $\textsf{RSD}_{\text {s}}$

Full size table

3.3 Parameters Choice for $\textsf{MinRank}$

Because of the space constraints, we recall the attacks on $\textsf{MinRank}$ in the full version [16]. According to these attacks, we give in Table 4 the parameters which we will use for our $\textsf{MinRank}$ instances.

Table 4. Choice of parameters for $\textsf{MinRank}$

Full size table

4 MPCitH Modeling for $\textsf{RSD}_{\text {s}}$ and $\textsf{MinRank}$

A zero-knowledge proof constructed using the MPCitH paradigm is composed of two parts, a “symmetric part” made of GGM trees (or Merkle trees) and an “arithmetic part” composed of the open party views and broadcast shares of the MPC protocol. While for a given security level the symmetric part is of rather fixed size (e.g., around 2kB for GGM trees and 4kB for Merkle trees at a 128-bit security level), the arithmetic part depends on the modeling (i.e., the way the problem instance is verified) and the associated MPC protocol. For the recent TCitH and VOLEitH techniques, the arithmetic part is actually mainly impacted by the size of the witness, which favors modelings with low-size witnesses.

In this section, we study different modelings for $\textsf{RSD}$ and $\textsf{MinRank}$ with respect to the witness size criterion. For the $\textsf{RSD}$ problem, we recall the permuted secret, q-polynomial and Kipnis-Shamir modelings. We propose an other modeling, named dual support decomposition, which can be seen as an improvement of the rank decomposition from [20]. We also slightly improve all the modelings by relying on the $\textsf{RSD}_{\text {s}}$ variant. For the $\textsf{MinRank}$ problem, we recall the q-polynomial and Kipnis-Shamir modelings and propose an adaptation of the dual support decomposition modeling for $\textsf{MinRank}$.

4.1 Modelings for the $\textsf{RSD}_{\text {s}}$ Problem

Permuted Secret. We start by recalling the permuted secret technique, which was used for $\textsf{RSD}$ in [15]. The idea of this technique consists in revealing a “permuted” and a “masked” versions of the secret: let us denote $\sigma $ an isometry in the rank metric (such a isometry consists of multiplying the secret matrix by a invertible matrices on both sides) and $\boldsymbol{u}$ a vector of the left kernel of $\boldsymbol{H}$, one reveals $\boldsymbol{v} := \sigma (\boldsymbol{x})$ and $\boldsymbol{\tilde{x}} := \boldsymbol{x} + \boldsymbol{u}$ and the goal is to find such values $\sigma $ and $\boldsymbol{u}$. More precisely, the rank syndrome decoding problem consists, from two vectors $\boldsymbol{v},\boldsymbol{\tilde{x}}\in \mathbb {F}_{q^m}^n$ satisfying $w_R(\boldsymbol{v}) = r$ and $\boldsymbol{H}\boldsymbol{\tilde{x}}^{\top }=\boldsymbol{y}^\top $, in finding an isometry $\sigma $ and a vector $\boldsymbol{u}\in \mathbb {F}_{q^m}^n$ such that

$${\left\{ \begin{array}{ll} \boldsymbol{H}\boldsymbol{u}^{\top } = \boldsymbol{0}^\top , \\ \sigma (\boldsymbol{\tilde{x}}) = \boldsymbol{v} + \sigma (\boldsymbol{u}). \end{array}\right. }$$

Indeed, if we get both $\sigma $ and $\boldsymbol{u}$, we can easily restore the initial secret as $\boldsymbol{x} := \boldsymbol{\tilde{x}}-\boldsymbol{u}$: we have $\boldsymbol{H}\boldsymbol{x}^{\top } = \boldsymbol{y}^\top - \boldsymbol{0}^\top $ and $w_R(\boldsymbol{x}) = w_R(\sigma (\boldsymbol{x})) = w_R(\sigma (\boldsymbol{\tilde{x}}) - \sigma (\boldsymbol{u})) = w_R(\boldsymbol{v}) = r$.

Unfortunately, this modeling is not compatible with the recent MPCitH techniques as TCitH or VOLEitH. Such techniques requires at least additive sharings over a commutative group (or for the more recent techniques, Shamir’s secret sharing over a ring). However, the isometry $\sigma $ lives in a non-commutative group, so it requires to rely on a special form of MPCitH named the shared-permutation framework [15, 21].

Rank Decomposition. The Rank Decomposition protocol proposed in [20] aims to verify the rank of the witness by using the rank decomposition theorem. In this modeling, the rank syndrome decoding problem consists in finding a vector $\boldsymbol{x}\in \mathbb {F}_{q^m}^n$ and two matrices $\boldsymbol{T} \in \mathbb {F}_q^{m\times r}$ and $\boldsymbol{R} \in \mathbb {F}_q^{r \times n}$ such that

$$\boldsymbol{H}\boldsymbol{x}^\top = \boldsymbol{y}^\top ~~~\text { and }~~~ \boldsymbol{X} = \boldsymbol{T}\boldsymbol{R},$$

where $\boldsymbol{X} \in \mathbb {F}_q^{m\times n}$ is the matrix associated to $\boldsymbol{x}$. Concretely, the MPC protocol takes as input some shares of $\boldsymbol{x}$, of $\boldsymbol{T}$ and of $\boldsymbol{R}$. The protocol then checks that $\boldsymbol{X} = \boldsymbol{T}\boldsymbol{R}$, where the shares of $\boldsymbol{X}$ is derived from those of $\boldsymbol{x}$. Using the standard representation $\boldsymbol{H} = \begin{pmatrix} \boldsymbol{I_{n-k}} \vert \vert \boldsymbol{H}'\end{pmatrix}$, one can send only the right part of $\boldsymbol{x}$ of size k, denoted as $\boldsymbol{x_B}$. Furthermore, it is possible to send one less column of the matrix $\boldsymbol{T}$, since $1 \in \operatorname {Supp}{(\boldsymbol{x})}$ (see [4] for the optimization) and as a result the size of witness is (in bits):

$$(\underbrace{k\cdot m}_{\boldsymbol{x_B}} + \underbrace{(r-1)\cdot m}_{\boldsymbol{T}} + \underbrace{r\cdot (n-r)}_{\boldsymbol{R}})\cdot \log _2(q).$$

q-Polynomial. The q-polynomial technique proposed in [20] to check the rank metric constitutes an improvement compared to a number of previous methods. Let us first recall the definition of a q-polynomial.

Definition 7

(q-polynomial). A q-polynomial of q-degree r is a polynomial in $\mathbb {F}_{q^m}[X]$ of the form:

$$P(X) = X^{q^r}+\sum _{i=0}^{r-1}p_i \cdot X^{q^i} \qquad \text {with } p_i \in \mathbb {F}_{q^m}.$$

The roots of a q-polynomial of q-degree r form a linear subspace of $\mathbb {F}_{q^m}$ of dimension at most r. Moreover, for each linear subspace of $\mathbb {F}_{q^m}$ of dimension at most r, there exists a unique monic q-polynomial of q-degree r annihilating all the elements of the subspace. Let $\boldsymbol{x} = (x_1, \ldots , x_n) \in \mathbb {F}_{q^m}^n$ of rank $w_R\big (\boldsymbol{x}\big ) = r$ and let $P_{\boldsymbol{x}}(X)$ the monic q-polynomial annihilating $\operatorname {Supp}{(\boldsymbol{x})}$. In this modeling, the rank syndrome decoding problem consists in finding a vector $\boldsymbol{x}\in \mathbb {F}_{q^m}^n$ and a q-polynomial $P_{\boldsymbol{x}}\in \mathbb {F}_{q^m}[X]$ of q-degree r such that

$$\boldsymbol{H}\boldsymbol{x}^\top = \boldsymbol{y}^\top ~~~\text { and }~~~ \forall i~, P_{\boldsymbol{x}}(x_i) = 0.$$

Concretely, the MPC protocol based on the q-polynomial technique takes as input some shares of $\boldsymbol{x}$ and some shares of $P_{\boldsymbol{x}}(X)$. The protocol then checks that $P_{\boldsymbol{x}}(x_i) = 0$ for all $i \in [1, n]$. As previously, one can send only the right part of $\boldsymbol{x}$ of size k using the standard representation of $\boldsymbol{H}$. Furthermore, it is possible to send one less coefficient of the polynomial $P_{\boldsymbol{x}}$ when relying on $\textsf{RSD}_{\text {s}}$. As a result the size of witness is (in bits):

$$(\underbrace{k\cdot m}_{\boldsymbol{x_B}}+\underbrace{(r-1)\cdot m}_{P_{\boldsymbol{x}}}) \cdot \log _2(q).$$

This modeling based on q-polynomials currently leads to the shortest communications for $\textsf{RSD}$ when considering linear multiparty computation, but it is not the best one when considering non-linear multiparty computation as in the new MPCitH frameworks.

Kipnis-Shamir. Historically, the Kipnis-Shamir modeling was introduced in the cryptanalysis of the $\textsf{MinRank}$ problem [29]. We can use the same idea to have a modeling of $\textsf{RSD}$. It consists in giving the right-kernel of the matrix of $\boldsymbol{x}$. We denote this matrix in $\mathbb {F}_q^{m\times n}$ by $\boldsymbol{X}$. If $w_R\big (\boldsymbol{x}\big ) = r$, then the right-kernel of $\boldsymbol{X}$ is of dimension $n-r$ and can be represented by an $r \times (n-r)$ matrix.

In the $\textsf{RSD}_{\text {s}}$ case, the witness is composed of $\boldsymbol{x}$ and of the matrix $\boldsymbol{A} \in \mathbb {F}_q^{r\times (n-r)}$. The MPC protocol takes as input $\boldsymbol{K} = \begin{pmatrix} \boldsymbol{I_{n-r}}\\ \boldsymbol{A}\\ \end{pmatrix}$, and then checks that $\boldsymbol{X}\boldsymbol{K} = \boldsymbol{0}$. It is possible to send only $\boldsymbol{x_B}$, as previously with q-polynomials, and since 1 is in the support, the size of the witness is:

$$(\underbrace{k\cdot m}_{\boldsymbol{x_B}}+\underbrace{(r-1)\cdot (n-r)}_{\boldsymbol{A}}) \cdot \log _2(q) ~.$$

Note that transmitting $\boldsymbol{A}$ costs $(r-1)\cdot (n-r)$ only since we know that 1 is in ${\boldsymbol{x}}$. This approach is slightly better than the q-polynomial technique in terms of witness size.

Dual Support Decomposition. Finally, we introduce an other modeling for $\textsf{RSD}_{\text {s}}$, using only the support and the coordinates. This can be seen as an improvement of the rank decomposition from [20], as our new modeling does not rely on having $\boldsymbol{x_B} \in \mathbb {F}_{q^m}^k$ as input. To that end, one has as inputs:

The support of $\boldsymbol{x}$, $\operatorname {Supp}{(\boldsymbol{x})} = \langle 1, x_2,\dots ,x_r\rangle $;
The coordinates of $\boldsymbol{x}$ in this basis, i.e., $\boldsymbol{C} \in \mathbb {F}_q^{r \times (n-r)}$ such that
$$(1,x_2,\dots ,x_r) \cdot \begin{pmatrix} \boldsymbol{I_r} & \boldsymbol{C} \end{pmatrix} = (1,x_2,\dots ,x_n) =\boldsymbol{x}$$

More precisely, in this modeling, the $\textsf{RSD}_{\text {s}}$ problem consists in finding $x_2,\ldots ,x_r\in \mathbb {F}_{q^m}$ and $\boldsymbol{C}\in \mathbb {F}_q^{r \times (n-r)}$ such that

$$\boldsymbol{H}\boldsymbol{x}^\top = \boldsymbol{y}^\top ~~~\text { where }~~~ \boldsymbol{x} := (1,x_2,\dots ,x_r) \cdot \begin{pmatrix} \boldsymbol{I_r} & \boldsymbol{C} \end{pmatrix} .$$

Concretely, after computing $\boldsymbol{x}= (x_1,\dots ,x_r) \cdot \begin{pmatrix} \boldsymbol{I_r} & \boldsymbol{C} \end{pmatrix} $, one verifies that $\boldsymbol{H}\boldsymbol{x}^T$ is indeed equal to $\boldsymbol{y}^T$. Since 1 is in the support of $\boldsymbol{x}$, it is possible to transmit only $r-1$ elements for $\operatorname {Supp}{(\boldsymbol{x})}$, and we can have a gain on the matrix $\boldsymbol{C}$ as well since the r first coordinates are linearly independent. This results in an efficient protocol, where the inputs are of size

$$(\underbrace{(r-1)\cdot m}_{\operatorname {Supp}{(\boldsymbol{x})}}+\underbrace{r\cdot (n-r)}_{\boldsymbol{C}}) \cdot \log _2(q)$$

We see here that the input size does not depend on k anymore, allowing us to take more efficient parameters.

Table 5. Witness size for different MPCitH modelings for the $\textsf{RSD}_{\text {s}}$ problem.

Full size table

Global Comparison. Table 5 provides a global comparison of the different modelings in terms of witness size for the $\textsf{RSD}$ problem. For each of the described modelings, we provide the size formula as well as the obtained concrete size for optimized parameters reaching a 128-bit security according to the attacks in Sect. 3.2.

4.2 Modelings for the $\textsf{MinRank}$ Problem

The $\textsf{MinRank}$ problem is closely related to the $\textsf{RSD}$ problem. The two problems indeed share a number of similarities as evidence of the algebraic attacks applying to both problems (see, e.g., [8, 10]). Quite naturally, most of the above modelings for $\textsf{RSD}$ can be adapted for $\textsf{MinRank}$.

Rank Decomposition. Similar to $\textsf{RSD}_{\text {s}}$, the Rank Decomposition protocol was introduced in [20]. This protocol takes as input (shares of) $\boldsymbol{x} \in \mathbb {F}_q^k$, $\boldsymbol{T} \in \mathbb {F}_q^{m\times r}$, and $\boldsymbol{R} \in \mathbb {F}_q^{r \times n}$. Then, after building $\boldsymbol{E} = \boldsymbol{M}+\sum _{i=1}^{k} x_i\boldsymbol{M}_i$, the protocol checks that $\boldsymbol{E} = \boldsymbol{T}\boldsymbol{R}$. This leads to a witness size (in bits) of

$$ (\underbrace{k}_{\boldsymbol{x}} + \underbrace{r\cdot (m-r)}_{\boldsymbol{T}} + \underbrace{r\cdot n}_{\boldsymbol{R}})\cdot \log _2(q).$$

q-Polynomial. The q-polynomial technique of [20] can be also applied to $\textsf{MinRank}$: the witness is composed of the shares of $\boldsymbol{x}\in \mathbb {F}_q^k$ and the coefficients $\boldsymbol{\beta } \in \mathbb {F}_{q^m}^r$ of the q-polynomial associated to $\boldsymbol{E}$. The MPC protocol computes $\boldsymbol{E}= \boldsymbol{M}+ \sum _{i=1}^{k} x_i \boldsymbol{M}_i$ and verifies that $P_{\boldsymbol{E}}(X) := \sum _{i=0}^{r-1}\beta _iX^{q^i}+X^{q^r}$ is the annihilator polynomial of $\boldsymbol{E}$. This verification relies on the isomorphism between $\mathbb {F}_{q^m}$ and $\mathbb {F}_q^m$, and associates each column of $\boldsymbol{E}$, denoted as $\boldsymbol{e}_i$, to an element of $\mathbb {F}_{q^m}$, $e_i$. The protocol hence simply checks that $P_{\boldsymbol{E}}(e_i) = 0$ for $i\in [1, n]$.

With this modeling, the size of the witness size is (in bits):

$$ (\underbrace{k}_{\boldsymbol{x}} + \underbrace{r\cdot m}_{P_{\boldsymbol{E}}})\cdot \log _2(q)~.$$

Kipnis-Shamir. This is the modeling used in MiRitH [1], which is an improvement of MinRank-in-the-Head [2]. The goal of this modeling is to use the right kernel of $\boldsymbol{E}$ in order to prove its rank. Let $\boldsymbol{K} = \begin{bmatrix} \boldsymbol{I_{n-r}}\\ \boldsymbol{A}\\ \end{bmatrix}$ a matrix of rank $n-r$ representing the right kernel of $\boldsymbol{E}$. The witness is composed of $\boldsymbol{x}$ and $\boldsymbol{A} \in \mathbb {F}_q^{r\times (n-r)}$. The protocol recomputes $\boldsymbol{E} = \boldsymbol{M} + \sum _{i=1}^{k} x_i \boldsymbol{M}_i$ and verifies that $\boldsymbol{E}\cdot \boldsymbol{K} = \boldsymbol{0}$. If the verification succeeds, one deduces that $\boldsymbol{E}$ is indeed of rank r since it has a kernel of rank $n-r$.

With this modeling, the witness is of size:

$$ (\underbrace{k}_{\boldsymbol{x}}+ \underbrace{r\cdot (n-r)}_{\boldsymbol{A}})\cdot \log _2(q)~.$$

As for $\textsf{RSD}_{\text {s}}$, the witness is smaller with this modeling than with the q-polynomials technique.

New Modeling for the $\textsf{MinRank}$ Problem: Dual Support Decomposition. We introduce hereafter a new MPCitH modeling for the $\textsf{MinRank}$ problem which achieves smaller witness sizes than the previous modelings. To build our modeling, we will rely on an alternative formulation of this problem, namely, its syndrome version, which has not been previously used to build cryptosystems. More precisely, this problem can be expressed in a syndrome decoding way by using the dual of the matrix code generated by $\boldsymbol{M}_1, \dots , \boldsymbol{M}_k$. First, one can define the map

$$\begin{aligned} \rho \text { : } ~~ &~~~~~~\mathbb {F}_q^{m\times n} & \rightarrow ~~~~ \mathbb {F}_q^{mn}\\ & \begin{pmatrix} a_{1,1}& \dots & a_{1,n}\\ \vdots & & \vdots \\ a_{m,1} & \dots & a_{m,n} \\ \end{pmatrix} & \mapsto ~~~~\big (a_{1,1},\dots ,a_{1,n},\dots ,a_{m,1},\dots ,a_{m,n}\big )~. \end{aligned}$$

The generator matrix of the code $\langle \boldsymbol{M}_1, \dots , \boldsymbol{M}_k \rangle $ is the matrix $\boldsymbol{G} \in \mathbb {F}_q^{k\times mn}$ whose lines are $\rho (\boldsymbol{M}_1),\dots ,\rho (\boldsymbol{M}_k)$, i.e.,

$$\boldsymbol{G} = \begin{pmatrix} \rho (\boldsymbol{M}_1) \\ \vdots \\ \rho (\boldsymbol{M}_k) \\ \end{pmatrix}~.$$

Solving the $\textsf{MinRank}$ problem then consists, given $\boldsymbol{G}$ and $\boldsymbol{M}$, in finding $\boldsymbol{x}$ and $\boldsymbol{E}$ such that $\rho (\boldsymbol{M}) = -\boldsymbol{x}\boldsymbol{G} + \rho (\boldsymbol{E})$ and $\textsf {rank}(\boldsymbol{E}) \le r$. The dual matrix of this code is, as usual, a full-rank matrix $\boldsymbol{H} \in \mathbb {F}_q^{(mn-k)\times mn}$ such that $\boldsymbol{G}\boldsymbol{H}^\top = \boldsymbol{0}$. Then, the $\mathsf {MinRank~Syndrome}$ problem can be defined by applying $\boldsymbol{H}^\top $ in the linear constraint: given $\boldsymbol{H}$ and $\boldsymbol{y} := \rho (\boldsymbol{M})\boldsymbol{H}^\top $, the $\mathsf {MinRank~Syndrome}$ problem consists in finding $\boldsymbol{E}$ such that $\boldsymbol{y} = \boldsymbol{0} + \rho (\boldsymbol{E}) \boldsymbol{H}^\top $ and $\textsf {rank}(\boldsymbol{E}) \le r$.

Definition 8

($\mathsf {MinRank~Syndrome}$ problem). Let q, m, n, k and r be positive integers. Let $\boldsymbol{H} := \begin{bmatrix} \boldsymbol{I_{mn-k}} & \boldsymbol{H'} \end{bmatrix} \in \mathbb {F}_q^{(mn-k) \times mn}$ where $\boldsymbol{H'} \in \mathbb {F}_q^{(mn-k)\times k}$, and $\boldsymbol{y} \in \mathbb {F}_q^{mn-k}$. The $\mathsf {MinRank~Syndrome}$ problem asks to find $\boldsymbol{E}$ such that $\rho (\boldsymbol{E})\boldsymbol{H}^\top = \boldsymbol{y}$ and $\textsf{rank}(\boldsymbol{E}) \le r$.

Proposition 2

The $\textsf{MinRank}$ problem and the $\mathsf {MinRank~Syndrome}$ problem are equivalent.

Proof

The proof is similar to the proof of equivalence between the decoding problem and the syndrome decoding problem for the Hamming metric.

Let us explain how to solve a $\mathsf {MinRank~Syndrome}$ instance $(\boldsymbol{H},y)$ using a $\textsf{MinRank}$ solver. The first step consists in finding a solution $\rho (\boldsymbol{M})$ to the linear system $\rho (\boldsymbol{M}) \boldsymbol{H}^\top = \boldsymbol{y}$ without any constraint on the rank of $\boldsymbol{M}$. Then, we consider a dual matrix $\boldsymbol{G}$ of $\boldsymbol{H}$, where we interpret each row as a flatten matrix among $\boldsymbol{M}_1, \ldots , \boldsymbol{M}_k$. We can then find $\boldsymbol{x}$ and $\boldsymbol{E}$ such that $\boldsymbol{M} + \sum _{i=1}^{k} x_i\boldsymbol{M}_i = \boldsymbol{E}$ and $\textsf{rank}(\boldsymbol{E}) \le r$ using the $\textsf{MinRank}$ solver. Such an $\boldsymbol{E}$ is directly a solution of our $\mathsf {MinRank~Syndrome}$ instance, since
$$\rho (\boldsymbol{E})\boldsymbol{H}^\top = [-\boldsymbol{x}\boldsymbol{G} + \rho (\boldsymbol{E})]\boldsymbol{H}^\top = \rho (\boldsymbol{M})\boldsymbol{H}^\top = \boldsymbol{y}.$$
Let us now explain how to solve a $\textsf{MinRank}$ instance $(\boldsymbol{M},\boldsymbol{M}_1,\ldots ,\boldsymbol{M}_k)$ using a MinRank Syndrome solver. First, we can build the dual matrix $\boldsymbol{H}$ from $\boldsymbol{M}_1,\ldots ,\boldsymbol{M}_k$, such that $\boldsymbol{G}\boldsymbol{H}^\top = \boldsymbol{0}$ where the rows of $\boldsymbol{G}$ are defined as $\rho (\boldsymbol{M}_1), \ldots , \rho (\boldsymbol{M}_k)$. We can then find $\boldsymbol{E}$ such that $\rho (\boldsymbol{E})\boldsymbol{H}^\top = \rho (\boldsymbol{M})\boldsymbol{H}^\top $ and $\textsf{rank}(\boldsymbol{E}) \le r$ using the MinRank Syndrome solver (defining the syndrome as $\boldsymbol{y} = \rho (\boldsymbol{M})\boldsymbol{H}^\top $). Therefore, $\rho (\boldsymbol{E}-\boldsymbol{M})$ is in the right kernel of $\boldsymbol{H}$, for which a basis is described by the rows of $\boldsymbol{G}$. By Gaussian elimination, we can thus find $\boldsymbol{x}$ such that $\rho (\boldsymbol{E}-\boldsymbol{M}) = \boldsymbol{x}\boldsymbol{G}$, i.e., such that $\rho (\boldsymbol{E}-\boldsymbol{M}) = \sum _{i=1}^k x_i \cdot \rho (\boldsymbol{M}_i)$. Such an $\boldsymbol{x}$, together with $\boldsymbol{E}$, forms a solution of our $\textsf{MinRank}$ instance.

$\square $

In the Dual Support Decomposition modeling, we rely on the MinRank Syndrome problem instead of the standard $\textsf{MinRank}$ problem. In this modeling, the protocol aims at verifying that a matrix $\boldsymbol{E}$ is solution of the constraints $\rho (\boldsymbol{E})\boldsymbol{H}^\top = \boldsymbol{y}$ and $\textsf{rank}(\boldsymbol{E}) \le r $ for some $\boldsymbol{H} \in \mathbb {F}_q^{(mn-k) \times mn}$ and $\boldsymbol{y} \in \mathbb {F}_q^{mn-k}$. As in the rank decomposition method from [20], one can view $\boldsymbol{E}$ as a product of two matrices, $\boldsymbol{E} = \boldsymbol{S}\boldsymbol{C}$, with $\boldsymbol{S} \in \mathbb {F}_q^{m\times r}$ and $\boldsymbol{C} \in \mathbb {F}_q^{r \times n}$. Furthermore, one can write without loss of generality $\boldsymbol{S}$ as $\begin{bmatrix} \boldsymbol{I_r}\\ \boldsymbol{S}'\\ \end{bmatrix}$ for some matrix $\boldsymbol{S}' \in \mathbb {F}_q^{(m-r) \times r}$ (this is always possible up to a permutation of the lines). Then, one can simply set $\boldsymbol{E} =\begin{bmatrix} \boldsymbol{I_r}\\ \boldsymbol{S}'\\ \end{bmatrix} \cdot \boldsymbol{C}$. Therefore, given $\boldsymbol{S'}$ and $\boldsymbol{C}$, the protocol simply checks:

$$\rho (\boldsymbol{S}\boldsymbol{C})\boldsymbol{H}^\top = \boldsymbol{y} ~~~\text { with }~ \boldsymbol{S} = \begin{bmatrix} \boldsymbol{I_r}\\ \boldsymbol{S}'\\ \end{bmatrix}.$$

The use of the dual form of the $\textsf{MinRank}$ matrix code makes a significant difference compared to the Rank Decomposition, as the scheme now avoids relying on the vector $\boldsymbol{x} \in \mathbb {F}_q^k$, leading to a much smaller witness. Overall, with the identity in $\boldsymbol{S}$, the inputs are of size

$$(\underbrace{r\cdot (m-r)}_{\boldsymbol{S}}+\underbrace{r \cdot n}_{\boldsymbol{C}})\cdot \log _2(q).$$

As for $\textsf{RSD}$, the size does not depend on k anymore, which allows a better selection of the parameters.

Global Comparison. Table 6 provides a global comparison of the different modelings in terms of witness size for the $\textsf{MinRank}$ problem. For each of the described modelings, we provide the size formula as well as the obtained concrete size for optimized parameters reaching a 128-bit security for the attacks described in Sect. 3.3.

Table 6. Modeling for $\textsf{MinRank}$ and resulting witness size in MPC protocols.

Full size table

5 The TCitH and VOLEitH Frameworks

The MPCitH paradigm [27] is a versatile method introduced in 2007 to build zero-knowledge proof systems using techniques from secure multi-party computation (MPC). This paradigm has been drastically practically improved in recent years (see, e.g., [3, 19, 23, 28]) and is particularly efficient to build zero-knowledge proofs for small circuits such as those involved in (post-quantum) signature schemes. The MPCitH paradigm can be summarized as follows. The prover emulates “in his head” an $\ell $-private MPC protocol with N parties and commits each party’s view independently. The verifier then challenges the prover to reveal the views of a random subset of $\ell $ parties. By the privacy of the MPC protocol, nothing is revealed about the plain input, which implies the zero-knowledge property. On the other hand, a malicious prover needs to cheat for at least one party, which shall be discovered by the verifier with high probability, hence ensuring the soundness property.

In what follows, we describe two recently introduced MPCitH-based frameworks, namely the VOLE-in-the-Head (VOLEitH) framework from [12] and the Threshold-Computation-in-the-Head (TCitH) framework from [22, 23]. We then present the recent optimisations proposed by [11].

5.1 Threshold-Computation-in-the-Head Framework

The TCitH framework has been recently introduced in [22] as an extension of a previous work [23] published at Asiacrypt 2023. While almost all the former MPCitH-based proof system relied on additive sharings, the TCitH framework shows how using Shamir’s secret sharings (instead of additives sharings) lead to faster schemes with shorter communication.

We refer the reader to [22, 23] for a detailed exposition of the TCitH framework which is only briefly abstracted here. In a nutshell, the TCitH framework relies on MPC protocols with broadcasting, randomness oracle and hint oracle (as previous MPCitH schemes) but using Shamir’s secret sharing unlocks the use of non-linear multiparty computation (whereas previous MPCitH schemes are based on linear multiparty computation). More precisely, in the considered MPC protocols, one can compute a sharing $[\![ a\cdot b ]\!]$ of a product $a\cdot b$ from the sharings $[\![ a ]\!]$ and $[\![ b ]\!]$ of the operands by share-wise multiplication (for all i, $[\![ a \cdot b ]\!]_i \leftarrow [\![ a ]\!]_i \cdot [\![ b ]\!]_i$).

The TCitH framework comes with two variants depending on how one commits the input shares: either relying on GGM trees [25] or on Merkle trees [32]. In the present work, we focus on the GGM-tree variant which leads to shorter signature sizes for the considered statements. Moreover, we only consider 1-private Shamir’s secret sharings, i.e. $\ell =1$, which gives the best results in our context.

Given some degree-d polynomials $f_1, \ldots , f_m$ from $\mathbb {F}[X_1,\ldots ,X_{|w|}]$, we want a zero-knowledge proof of knowledge of a witness w satisfying

$$\forall j\in [1,m],~ f_j(w) = 0.$$

We shall use the proof system TCitH-$\varPi _{\textsc {pc}}$ described in [22, Section 5.2]. We recall the underlying MPC protocol $\varPi _{\textsc {pc}}$ in Protocol 1. The sharing $[\![ 0 ]\!]$ used in Step 4 of the MPC protocol is a publicly-known degree-1 sharing of zero (for example, $[\![ 0 ]\!]_i=\omega _i$ when $e=0$). This MPC protocol is $\ell $-private and sound with false positive probability $\frac{1}{|\mathbb {F}|}$ (see [22, Lemma 2]). In practice, the MPC protocol is repeated $\rho $ times in parallel to achieve a false positive probability of $\frac{1}{|\mathbb {F}|^\rho }$. The soundness error of TCitH-$\varPi _{\textsc {pc}}$ (when $\ell =1$) is

$$\epsilon = \frac{1}{|\mathbb {F}|^\rho } + \left( 1-\frac{1}{|\mathbb {F}|^\rho }\right) \cdot \frac{d}{N}~.$$

To obtain a signature scheme, we first transform the above MPC protocol into a proof of knowledge (PoK) of soundness error $\epsilon $ by applying the TCitH transform. We then perform $\tau $ parallel repetitions of this PoK and apply the Fiat-Shamir transform [24]. To achieve a $\lambda $-bit security, we take the number $\rho $ of MPC repetitions such that $\frac{1}{|\mathbb {F}|^\rho } \le 2^{-\lambda }$ and the number $\tau $ of PoK repetitions such that $\left( \frac{d}{N}\right) ^\tau \le 2^{-\lambda }$.

The proof transcript (i.e. the signature) includes:

The opened shares $[\![ w ]\!]_I$ of the witness $w\in \mathbb {F}^{|w|}$, for each of the $\tau $ PoK repetitions. In practice, the sent values are the auxiliary values $\Delta w$.
The opened shares of $[\![ v ]\!]_I$: because v is uniformly-sampled, these shares are communication-free since we rely on the TCitH-GGM variant.
The degree-d sharing $[\![ \alpha ]\!]$, for each of the $\rho $ MPC repetitions of the $\tau $ PoK repetitions. Since $[\![ \alpha ]\!]_I$ can be recomputed by the verifier and since the $\alpha $ should be zero, the prover just needs to send $(d+1)-1-1 = (d-1)$ shares.
The sibling paths in the GGM trees, together with the unopened seed commitments.

Moreover, the signature includes a $2\lambda $-bit salt and a $2\lambda $-bit commitment digest that correspond to the last verifier challenge (in the Fiat-Shamir heuristic). Therefore, the signature size when using the TCitH framework in the above setting is (in bits):

$$\textsc {Size}_{\textsc {TCitH}} = 4\lambda + \tau \cdot \left( \underbrace{|w|\cdot \log _2 |\mathbb {F}|}_{[\![ w ]\!]_I} + \underbrace{(d-1) \cdot \rho \cdot \log _2 |\mathbb {F}|}_{[\![ \alpha ]\!]}+ \underbrace{\lambda \cdot \log _2 N}_{\text {GGM tree}} + 2\lambda \right) .$$

5.2 VOLE-in-the-Head Framework

The VOLEitH framework has been introduced at Crypto 2023 [12]. This work provides a way to compile any zero-knowledge protocol in the VOLE-hybrid model into a publicly verifiable protocol. While it has not been introduced as a MPCitH construction, it can yet be interpreted as such. Specifically, [22] shows that the VOLEitH framework can be described in the TCitH syntax. Indeed, this framework is similar to the TCitH framework with $\ell =1$ and GGM trees, up to several details:

The secret is stored at $P(\infty )$ when sharing, meaning that $e=\infty $. As a result, to share a value v, one samples a random value r and builds the Shamir’s polynomial P as $P(X) := v X + r$. While multiplying two Shamir’s sharings when $e=\infty $ is similar than when $e\not =\infty $, the addition operation is slightly different: to add two Shamir’s sharings $[\![ a ]\!]$ and $[\![ b ]\!]$ of degrees respectively $d_1$ and $d_2$ (such that $d_1\le d_2$) when $e=\infty $, the parties can compute the following $d_2$-degree sharing
$$\forall i,~ [\![ a+b ]\!]_i \leftarrow [\![ a ]\!]_i\cdot \omega _i^{d_2-d_1} + [\![ b ]\!]_i,$$
where $\omega _i$ is the evaluation point of the i^th party.
The VOLEitH framework relies on a large field embedding: in the commitment phase, the prover commits $\tau $ N-sharings $[\![ w ]\!]^{(1)},\ldots ,[\![ w ]\!]^{(\tau )}$ of the witness w. In the basic TCitH framework, the prover runs $\tau $ MPC protocols in parallel, each of them on a different sharing $[\![ w ]\!]^{(j)}$. In the VOLEitH framework, these N sharings are merged to obtain a $N^\tau $-sharing $[\![ w ]\!]^{(\phi )}$ living in a large field extension $\mathbb {K}$ such that the extension degree $[\mathbb {K}:\mathbb {F}]$ is $\rho $, then the prover runs a unique MPC protocol which takes as input this $N^\tau $-sharing. More precisely, the i^th share of $[\![ w ]\!]^{(\phi )}$ is computed as
$$[\![ w ]\!]^{(\phi )}_i \leftarrow \phi \left( [\![ w ]\!]^{(1)}_{i_1},\ldots ,[\![ w ]\!]^{(\tau )}_{i_\tau }\right) $$
where $i_1,\ldots ,i_\tau \in [1,N]$ satisfy $(i-1)=(i_1-1)+(i_2-1)\cdot N + \ldots + (i_\tau -1)\cdot N^{\tau -1}$ and $\phi $ is an one-to-one ring homomorphism between $\mathbb {F}^\tau $ and $\mathbb {K}$ ($\rho \ge \tau $). If the sharings $[\![ w ]\!]^{(1)},\ldots ,[\![ w ]\!]^{(\tau )}$ encode the same witness w, then we get that $[\![ w ]\!]^{(\phi )}$ is a valid Shamir’s secret sharing of w for which the evaluation point of the i^th party is $\phi (\omega _{i_1},\ldots ,\omega _{i_\tau })$ (with $\omega _i$ the i^th party evaluation point in the standard TCitH setting). The main advantage of this large field embedding is that the resulting soundness error of the proof system is $\frac{d}{N^\tau }$ instead of being $\left( \frac{d}{N}\right) ^\tau $ (up to the false positive probability).
The above optimisation requires that the prover ensures that the $\tau $ sharings encode the same value (without revealing this value). To ensure this property, the VOLEitH framework introduces an additional prover-verifier pair of rounds. After committing the input shares (including the hint sharings),
- the prover commits $\tau $ additional uniformly-random sharings $[\![ u ]\!]^{(1)}$,..., $[\![ u ]\!]^{(\tau )}$ of the same random value $u\in \mathbb {F}^{\rho +B}$, for $B\ge 0$ an additional parameter,
- the verifier sends a challenge $(H_1|H_2)\in \mathbb {F}^{(\rho +B)\times (n+\rho )}$,
- for all $j\in [1,\tau ]$, the prover reveals the digest sharing $[\![ \alpha ' ]\!]^{(j)} := H_1[\![ w ]\!]^{(j)} + H_2 [\![ v ]\!]^{(j)} + [\![ u ]\!]^{(j)}$, where $\alpha '\in \mathbb {F}^{\rho +B}$.
The idea behind this process is that the prover computes the digests of all the plain values encoded in $[\![ w ]\!]^{(1)},\ldots ,[\![ w ]\!]^{(\tau )}$ (and in $[\![ v ]\!]^{(1)},\ldots ,[\![ v ]\!]^{(\tau )}$) and compares them. If $([\![ w ]\!]^{(i)},[\![ v ]\!]^{(i)})$ and $([\![ w ]\!]^{(j)},[\![ v ]\!]^{(j)})$ encode different values, then their digests $[\![ \alpha ' ]\!]^{(i)}$ and $[\![ \alpha ' ]\!]^{(j)}$ will differ with high probability. In practice, the parameters $\rho $ and B are chosen such that the probability that two different plain values lead to the same digest is negligible. We further note that taking $(H_1|H_2)$ uniformly at random gives the smallest probability but requires to perform matrix-vector multiplications. Other strategies are possible for $(H_1|H_2)$ such as relying on a polynomial-based hash: this increases a bit the collision probability (so one needs to increase B to compensate) but lightens the computation. This strategy is used in the FAEST signature scheme [13].

We use the VOLEitH framework with the same MPC protocol than with the TCitH framework, namely the MPC protocol $\varPi _{\textsc {pc}}$ described in Protocol 1, which is equivalent to the QuickSilver VOLE-based protocol [39] in the VOLE setting. The publicly-known degree-1 sharing $[\![ 0 ]\!]$ in Protocol 1 when $e=\infty $ can be built as $[\![ 0 ]\!]_i=1$ for all i.

To achieve a PoK with $\lambda $-bit security (i.e. $2^{-\lambda }$ soundness error), we take the field extension $\mathbb {K}$ of degree $\rho $ such that $\frac{1}{|\mathbb {F}|^\rho } \le 2^{-\lambda }$, the number $\tau $ of sharings $[\![ w ]\!]^{(j)}$ such that $\frac{d}{N^\tau } \le 2^{-\lambda }$ and the additional parameter B such^{Footnote 3} that $B\cdot \log _2 |\mathbb {F}| \ge 16$ (the latter choice corresponds to the choice in the specification of FAEST [13]). Then we obtain a signature scheme by applying the Fiat-Shamir transform [24] as previously.

The proof transcript (i.e. the signature) includes:

The opened shares $[\![ w ]\!]_I$ of the witness $w\in \mathbb {F}^{|w|}$. In practice, one sends the auxiliary values of the sub-sharings $[\![ w ]\!]^{(1)},\ldots ,[\![ w ]\!]^{(\tau )}$.
The opened shares of $[\![ v ]\!]_I$. When v is uniformly-sampled, the shares are usually communication-free. However, we need $\tau $ sub-sharings of the same (uniformly-random) value v. While the first sharing is communication-free, the $\tau -1$ others require an auxiliary value to ensure that all the sub-sharings encode the same value.
The degree-d sharing $[\![ \alpha ]\!]$, for the single MPC execution. Since $[\![ \alpha ]\!]_I$ can be recomputed by the verifier and since the $\alpha $ should be zero, the prover just needs to send $(d+1)-1-1 = d-1$ shares.
The sibling paths in the GGM trees, together with the unopened seed commitments.
The opened shares $[\![ u ]\!]_I$. As for $[\![ v ]\!]_I$, since all the $\tau $ sub-sharings must encode the same random value u, only the first sharing is communication-free and the $\tau -1$ others require an auxiliary value.
The degree-1 sharings $[\![ \alpha ' ]\!]^{(1)},\ldots ,[\![ \alpha ' ]\!]^{(\tau )}$. Since the plaintext value $\alpha '$ is the same for all these sharings and since $[\![ \alpha ]\!]^{(j)}_I$ can be recomputed by the verifier for all j, sending all these sharings costs only $(\rho +B)$ field elements.

$$\begin{aligned} & \textsc {Size}_{\textsc {VOLEitH}} = \\ & \qquad \qquad 4\lambda + \tau \cdot \left( \underbrace{|w|\cdot \log _2 |\mathbb {F}|}_{[\![ w ]\!]_I} + \underbrace{\lambda \cdot \log _2 N}_{\text {GGM tree}} + 2\lambda \right) + \underbrace{(d-1) \rho \cdot \log _2 |\mathbb {F}|}_{[\![ \alpha ]\!]} \\ &\qquad \quad + (\tau -1)\cdot \left( \underbrace{(d-1)\rho \cdot \log _2 |\mathbb {F}|}_{[\![ v ]\!]_I}+\underbrace{(\rho +B)\log _2 |\mathbb {F}|}_{[\![ u ]\!]_I}\right) + \underbrace{(\rho +B)\cdot \log _2 |\mathbb {F}|}_{[\![ \alpha ' ]\!]}. \end{aligned}$$

5.3 Additional MPCitH Optimisations

New generic optimizations for MPCitH-based schemes relying on GGM trees have been proposed in a recent work [11]. The improvements are threefold:

1.
Instead of considering $\tau $ independent GGM trees of N leaves in parallel, the authors propose to rely on a unique large GGM tree of $\tau \cdot N$ leaves where the i^th share of the e^th PoK repetition is associated to the $(e\cdot N + i)$^th leaf of the large GGM tree. As explained in [11], “opening all but $\tau $ leaves of the big tree is more efficient than opening all but one leaf in each of the $\tau $ smaller trees, because with high probability some of the active paths in the tree will merge relatively close to the leaves, which reduces the number of internal nodes that need to be revealed.”
2.
The authors further propose to improve the previous approach using the principle of grinding. When the last Fiat-Shamir challenge is such that the number of revealed nodes in the revealed sibling paths exceed a threshold $T_{\text {open}}$, the signer rejects the challenge and recompute the hash with an incremented counter. This process is done until the number of revealed nodes is $\le T_{\text {open}}$. For example, if we consider $N=256$ and $\tau =16$, the number of revealed nodes is smaller than (or equal to) $T_{\text {open}}:=110$ with probability $\approx 0.2$. The selected value of $T_{\text {open}}$ induces a rejection probability $p_{\text {rej}} = 1 - 1/\theta $, for some $\theta \in (0,\infty )$, and the signer hence needs to perform an average of $\theta $ hash computations for the challenge (instead of 1). While this strategy decreases the challenge space by a factor $\theta $, it does not change the average number of hashes that must be computed to succeed an attack (since the latter is multiplied by $\theta $). As noticed by the authors of [11], this strategy can be thought of as loosing $\log _2 \theta $ bit of security (because of a smaller challenge space) which are regained thanks to a proof-of-work (performing an average of $\theta $ hash computations before getting a valid challenge).
3.
Finally, [11] proposes to add another explicit proof-of-work to the Fiat-Shamir hash computation of the last challenge. The signer must get a hash digest for which the w last bits are zero, for w a parameter of the scheme. The same counter as for the previous improvement is used as a nonce in this hash and increased until the w-zeros property is satisfied. This strategy increases the cost of hashing the last challenge by a factor $2^w$ and hence increases the security of w bits. This thus allows to take smaller parameters $(N,\tau )$ for the large tree, namely parameters achieving $\lambda - w$ bits of security instead of $\lambda $.

While the authors of [11] focus on VOLEitH, the same optimisations also apply to TCitH. In summary, for a given w, one picks parameters $(N,\tau )$ ensuring $\lambda -w$ bits of security. Then fixing $T_{\text {open}}$ for these $(N,\tau )$ yields a rejection probability $p_{\text {rej}} = 1 - 1/\theta $. The gain in size comes from the smaller parameters $(N,\tau )$ on the one hand, and the smaller sibling paths (of size $\le T_{\text {open}}$ instead of $\approx \tau \log _2 N$) on the other hand. This gain in size is traded for an increased number of Fiat-Shamir hash attempts ($\theta \cdot 2^w$ on average instead of 1).

6 New Signatures Based on $\textsf{RSD}_{\text {s}}$ and $\textsf{MinRank}$

In this section, we propose new signature schemes based on the rank syndrome decoding problem and on the MinRank problem. To proceed, we rely on the TCitH and VOLEitH frameworks to obtain non-interactive zero-knowledge proofs of knowledge for these two problems using the new Dual Support Decomposition model described in Sect. 4 and we use the recent MPCitH optimisation presented in Sect. 5.3. Moreover, to have more granularity in the choice of the parameters, we consider that the $\tau $ emulations of the MPC protocol might not involve the same number of parties: there will be $\tau _1$ emulations with $N_1$ parties and $\tau _2 := \tau -\tau _1$ emulations with $N_2$ parties. The schemes are then secure if $\left( \frac{d}{N_1}\right) ^{\tau _1}\cdot \left( \frac{d}{N_2}\right) ^{\tau _2}$ for TCitH and $\frac{d}{N_1^{\tau _1}\cdot N_2^{\tau _2}}$ for VOLEitH are negligible (instead of simply $\left( \frac{d}{N}\right) ^{\tau }$ and $\frac{d}{N^{\tau }}$).

6.1 New Signatures Based on $\textsf{RSD}_{\text {s}}$

The TCitH and VOLEitH frameworks enable us to prove the knowledge of a witness that satisfies some polynomial constraints. In order to get a signature scheme based on the rank syndrome decoding problem, one just needs to exhibit the polynomial constraints which is satisfied by a rank syndrome decoding solution. As shown in Sect. 4.1, solving an $\textsf{RSD}_{\text {s}}$ instance for $\boldsymbol{y}$ and $\boldsymbol{H}$ is equivalent to finding $\boldsymbol{s}=(x_2,\dots ,x_r)$ where $x_i \in \mathbb {F}_{q^m}$ for $i \in \{2,\dots , r \}$ and $\boldsymbol{C} \in \mathbb {F}_q^{r \times (n-r)}$ such that

$$\begin{aligned} \boldsymbol{x}\boldsymbol{H}^T - \boldsymbol{y} = \boldsymbol{0}~~~~\text {with}~~~~ \boldsymbol{x} := \begin{pmatrix} 1 & \boldsymbol{s} \end{pmatrix} \cdot \begin{pmatrix} \boldsymbol{I_r} & \boldsymbol{C} \end{pmatrix}\in \mathbb {F}_{q^m}^{n} \end{aligned}$$

(1)

Equation 1 directly gives degree-2 polynomial constraints into the coefficients of $\boldsymbol{s}$ and $\boldsymbol{C}$. Let us assume that the $\boldsymbol{H}$ is in standard form, meaning it can be written as $\boldsymbol{H}=\begin{pmatrix} \boldsymbol{I_{n-k}} & \boldsymbol{H'} \end{pmatrix}$, where $\boldsymbol{H'}\in \mathbb {F}_{q^m}^{(n-k)\times k}$. Given the inputs $[\![ \boldsymbol{s} ]\!]$ and $[\![ \boldsymbol{C} ]\!]$, the hint $[\![ \boldsymbol{v} ]\!]$ with $\boldsymbol{v}\in {\mathbb {F}_{q^m}^\rho }$ and the MPC randomness $\boldsymbol{\Gamma }=(\gamma _{i,j})_{i,j}\in \mathbb {F}_{q^m}^{(n-k)\times \rho }$, the emulated MPC protocol (repeated $\rho $ times) described in Protocol 1 thus consists of computing

$$[\![ \boldsymbol{\alpha } ]\!] \leftarrow [\![ \boldsymbol{v} ]\!]\cdot [\![ 0 ]\!] + ([\![ \boldsymbol{x_A} ]\!] + [\![ \boldsymbol{x_B} ]\!] \boldsymbol{H'}^T - \boldsymbol{y}) \boldsymbol{\Gamma }$$

where $[\![ \boldsymbol{x_A} ]\!]$ and $[\![ \boldsymbol{x_B} ]\!]$ are built such as $[\![ \begin{pmatrix} \boldsymbol{x_A} & \boldsymbol{x_B} \end{pmatrix} ]\!] = \begin{pmatrix} 1 & [\![ \boldsymbol{s} ]\!] \end{pmatrix} \cdot \begin{pmatrix} \boldsymbol{I_r} & [\![ \boldsymbol{C} ]\!] \end{pmatrix}$.

Signature Size. According to Sect. 5, the signature size using the TCitH framework is (in bits):

$$\begin{aligned} ~~~~\textsc {Size}_{\textsc {TCitH}} = 4\lambda + \underbrace{\lambda \cdot T_{\text {open}}}_{\text {GGM tree}} + \tau \cdot \left( \underbrace{|w|\cdot \log _2 q}_{[\![ \boldsymbol{s} ]\!]_I,[\![ \boldsymbol{C} ]\!]_I} + \underbrace{(d-1) \cdot \rho \cdot \log _2 q}_{[\![ \alpha ]\!]} + 2\lambda \right) ,~~~~ \end{aligned}$$

while the signature size using the VOLEitH framework is (in bits):

$$\begin{aligned} \textsc {Size}_{\textsc {VOLEitH}} = &4\lambda + \underbrace{\lambda \cdot T_{\text {open}}}_{\text {GGM tree}} + \tau \cdot \left( \underbrace{|w|\cdot \log _2 q}_{[\![ \boldsymbol{s} ]\!]_I,[\![ \boldsymbol{C} ]\!]_I} + 2\lambda \right) + \underbrace{(d-1) \cdot \rho \cdot \log _2 q}_{[\![ \alpha ]\!]} \\ &+ (\tau -1)\cdot \left( \underbrace{\rho \cdot \log _2 q}_{[\![ v ]\!]_I}+\underbrace{(\rho +B)\log _2 q}_{[\![ u ]\!]_I}\right) + \underbrace{(\rho +B)\cdot \log _2 q}_{[\![ \alpha ' ]\!]}~, \end{aligned}$$

where $|w|:=(r-1)m+r(n-r)$.

Computational Cost. The running time of the signing algorithm can be split in three main parts:

1.
The generation of the input shares using seed trees and their commitment. The computational cost scales linearly with the number of input shares. When there are $\tau _1$ MPC emulations with $N_1$ parties and $\tau _2$ MPC emulations with $N_2$ parties, the total number of input shares is $\tau _1\cdot N_1 + \tau _2 + N_2$.
2.
The MPC emulation. This step consists in computing the degree-2 broadcast sharing $[\![ \boldsymbol{\alpha } ]\!]$, knowing that $\boldsymbol{\alpha }=0$. Let us estimate the cost of emulating the MPC protocol. We only count multiplications which are predominant (compared to additions) for the considered extension fields. We recall that multiplying two degree-1 sharings costs 2 multiplications in the underlying field, assuming we already know the plain value.
- With TCitH, the MPC emulation will be repeated $\tau :=\tau _1+\tau _2$ times. Each repetition includes 2 vector-matrix multiplications with a matrix $\mathbb {F}_{q^m}^{(r-1)\times (n-r)}$ to compute $[\![ \boldsymbol{x} ]\!]:=[\![ \begin{pmatrix} \boldsymbol{x_A} & \boldsymbol{x_B} \end{pmatrix} ]\!]$, 2 vector-matrix multiplications with a matrix of $\mathbb {F}_{q^m}^{k\times (n-k)}$ to compute $[\![ \boldsymbol{r} ]\!]:=[\![ \boldsymbol{x_A} ]\!] + [\![ \boldsymbol{x_B} ]\!] \boldsymbol{H'}^T - \boldsymbol{y}$, and 2 vector-matrix multiplications with matrix of $\mathbb {F}_{q^m}^{(n-k)\times \rho }$ to compute $[\![ \boldsymbol{\alpha } ]\!]$.
- With VOLEitH, the MPC emulation is executed only once, but in a larger extension field $\mathbb {K}$ where $[\mathbb {K}:\mathbb {F}_{q^m}]=\rho $. The emulation includes 2 vector-matrix multiplications with a matrix $\mathbb {K}^{(r-1)\times (n-r)}$ to compute $[\![ \boldsymbol{x} ]\!]:=[\![ \begin{pmatrix} \boldsymbol{x_A} & \boldsymbol{x_B} \end{pmatrix} ]\!]$, $2\rho $ vector-matrix multiplications with a matrix of $\mathbb {F}_{q^m}^{k\times (n-k)}$ to compute $[\![ \boldsymbol{r} ]\!]:=[\![ \boldsymbol{x_A} ]\!] + [\![ \boldsymbol{x_B} ]\!] \boldsymbol{H'}^T - \boldsymbol{y}$, and 2 vector-matrix multiplications with matrix of $\mathbb {K}^{(n-k)\times 1}$ to compute $[\![ \boldsymbol{\alpha } ]\!]$.
3.
The global proof-of-work, composed of the grinding process on the seed trees and the explicit proof-of-work on the Fiat-Shamir hash computation. Its average cost is $ \theta \cdot 2^w$ Fiat-Shamir hash computations.

The running time of the other parts of the signing algorithm is negligible compared to those three components. Regarding the running time of the verification algorithm, since the verifier should also expand the seed trees and emulate some parties, the verification time will be similar (a bit smaller) than the signing time.

Parameter Selection. We select some parameter sets for our signature schemes. To have a fair comparison between both frameworks (TCitH and VOLEitH), we chose the parameters such that the cost of generating the input shares and the cost of the proof-of-work are similar (namely, we chose parameters such that $\tau _2\cdot N_1 + \tau _2\cdot \tau _2$ and $\theta \cdot 2^w$ are roughly equal). We present in Table 7 the sizes obtained for the signature scheme.

Table 7. Parameters and resulting sizes for the new signature scheme based on $\textsf{RSD}_{\text {s}}$. The used parameters for the rank syndrome decoding problem are those of Table 3.

Full size table

While proposing optimized implementations of our signature scheme is left for future work, we provide some (upper bound) estimates for its running time in Table 8. The timings of the symmetric components (generation and commitment of the input shares and proof of work) are estimated based on the benchmarks from [11]. Since we rely on the same parameters for the symmetric components (same $\tau _1\cdot N_1 + \tau _2\cdot N_2$ and same $\log _2 \theta + w$), we can use their timings as upper bounds. For example, their scheme MandaRain-3-128 s includes a generation and commitment of 22 528 input shares and has a total proof-of-work of 14 bits as our “short” instances. Since it runs in 2.8 ms on a 5 GHz CPU, we deduce that the symmetric components cost is at most 14 Mcycles.^{Footnote 4} Then, we derived and benchmarked a naive implementation of the MPC emulation, which gives us an upper bound for the emulation cost. Despite this pessimistic estimation, the results presented in Table 8 show that our scheme is competitive with the NIST candidate RYDE. In particular, all our variants relying on VOLEitH are faster than RYDE.

Comparison. Table 9 summarizes the state of the art of signature schemes based on $\textsf{RSD}$. We include in the comparison only short parameters, i.e., with $N = 256$ for MPCitH-based signatures, and $N= 32$ for [15]. We include the schemes of Stern [37] and Véron [38] applied to the rank metric. For 128 bits of security, these two schemes have signature sizes of around 30 kB. These sizes were roughly halved in [21] and [15]. Finally, [20] reduced it below 6 kB and our work achieves sizes below 4 kB.

Resilience Property. One should note that our scheme is highly resilient to hypothetical cryptanalytic progress on $\textsf{RSD}_{\text {s}}$. Indeed, if we were to take the set of parameters for $\textsf{RSD}_{\text {s}}$ corresponding to NIST III, applied to the proof of knowledge for NIST I, i.e., a security of $\lambda = 192$ for $\textsf{RSD}_{\text {s}}$ and $\lambda =128$ for the protocol, we would get an increase of only 0.4 kB (for $N=512$) or 0.3 kB (for $N=2048$) in the signature size. Namely, we can take a large margin of security for the parameters of $\textsf{RSD}_{\text {s}}$ at a moderate cost.

Table 8. Estimation of the signing times of the new signature scheme based on $\textsf{RSD}_{\text {s}}$ (in mega-cycles).

Full size table

Table 9. Comparison of the signatures relying on $\textsf{RSD}$, restricting to the schemes using the Fiat-Shamir transform.

Full size table

6.2 New Signatures Based on $\textsf{MinRank}$

The TCitH and VOLEitH frameworks enable us to prove the knowledge of a witness that satisfies some polynomial constraints. In order to get a signature scheme based on $\textsf{MinRank}$, one just needs to exhibit the polynomial constraints which that a $\textsf{MinRank}$ solution should satisfy. As shown in Sect. 4.2, we can use the $\mathsf {MinRank~Syndrome}$ problem, which asks to find $\boldsymbol{S'}\in \mathbb {F}_q^{(m-r)\times r}$ and $\boldsymbol{C}\in \mathbb {F}_q^{r\times n}$ such that

$$\begin{aligned} \rho (\boldsymbol{E})\cdot \boldsymbol{H}^T - \boldsymbol{y} = \boldsymbol{0}~~~~\text {with}~~~~ \boldsymbol{E} := \begin{pmatrix} \boldsymbol{I_r} \\ \boldsymbol{S'} \end{pmatrix}\cdot \boldsymbol{C}, \end{aligned}$$

(2)

where $\boldsymbol{H} \in \mathbb {F}_q^{(mn-k) \times mn}$ and $\boldsymbol{y}\in \mathbb {F}_q^{mn-k}$. Equation (2) directly gives degree-2 polynomial constraints into the coefficients of $\boldsymbol{S'}$ and $\boldsymbol{C}$. Let us assume that the matrix $\boldsymbol{H}$ is in standard form, meaning it can be written as $\boldsymbol{H}=\begin{pmatrix} \boldsymbol{I_{n\cdot m-k}} & \boldsymbol{H'} \end{pmatrix}$, where $\boldsymbol{H'}\in \mathbb {F}_{q}^{(n\cdot m-k)\times k}$. Given the inputs $[\![ \boldsymbol{S'} ]\!]$ and $[\![ \boldsymbol{C} ]\!]$, the hint $[\![ \boldsymbol{v} ]\!]$ with $\boldsymbol{v}\in {\mathbb {F}_{q}^\rho }$ and the MPC randomness $\boldsymbol{\Gamma }=(\gamma _{i,j})_{i,j}\in \mathbb {F}_{q}^{(n-k)\times \rho }$, the emulated MPC protocol (repeated $\rho $ times) described in Protocol 1 thus consists in computing

where $[\![ \boldsymbol{x_A} ]\!]$ and $[\![ \boldsymbol{x_B} ]\!]$ are built such as $[\![ \begin{pmatrix} \boldsymbol{x_A} & \boldsymbol{x_B} \end{pmatrix} ]\!] = \rho \left( \begin{pmatrix} \boldsymbol{I_r} \\ [\![ \boldsymbol{S'} ]\!] \end{pmatrix}\cdot [\![ \boldsymbol{C} ]\!]\right) $.

Signature Size. According to Sect. 5, the signature size using the TCitH framework is (in bits):

$$\begin{aligned} ~~~~\textsc {Size}_{\textsc {TCitH}} = 4\lambda + \underbrace{\lambda \cdot T_{\text {open}}}_{\text {GGM tree}} + \tau \cdot \left( \underbrace{|w|\cdot \log _2 q}_{[\![ \boldsymbol{S'} ]\!]_I,[\![ \boldsymbol{C} ]\!]_I} + \underbrace{(d-1) \cdot \rho \cdot \log _2 q}_{[\![ \alpha ]\!]}+2\lambda \right) ,~~~~ \end{aligned}$$

while the signature size using the VOLEitH framework is (in bits):

$$\begin{aligned} \textsc {Size}_{\textsc {VOLEitH}} = &4\lambda + \underbrace{\lambda \cdot T_{\text {open}}}_{\text {GGM tree}} + \tau \cdot \left( \underbrace{|w|\cdot \log _2 q}_{[\![ \boldsymbol{S'} ]\!]_I,[\![ \boldsymbol{C} ]\!]_I} + 2\lambda \right) + \underbrace{(d-1) \cdot \rho \cdot \log _2 q}_{[\![ \alpha ]\!]} \\ &+ (\tau -1)\cdot \left( \underbrace{\rho \cdot \log _2 q}_{[\![ v ]\!]_I}+\underbrace{(\rho +B)\log _2 q}_{[\![ u ]\!]_I}\right) + \underbrace{(\rho +B)\cdot \log _2 q}_{[\![ \alpha ' ]\!]}~, \end{aligned}$$

where $|w|:=r(m-r)+rn$.

Computational Cost. As in the previous section, the running time of the signing algorithm can be split in three main parts:

1.
The generation of the input share using seed trees and their commitment. The computational cost scales linearly with the number of input shares. When there are $\tau _1$ MPC emulations with $N_1$ parties and $\tau _2$ MPC emulations with $N_2$ parties, the total number of input shares is $\tau _1\cdot N_1 + \tau _2 + N_2$.
2.
The MPC emulation. This step consists in computing the degree-2 broadcast sharing $[\![ \boldsymbol{\alpha } ]\!]$, knowing that $\boldsymbol{\alpha }=0$. Let us estimate the cost of emulating the MPC protocol (while only counting multiplications as above).
- With TCitH, the MPC emulation will be repeated $\tau :=\tau _1+\tau _2$ times. Each repetition includes 2 multiplications between matrices of $\mathbb {F}_{N}^{(m-r)\times r}$ and $\mathbb {F}_{N}^{r\times n}$ to compute $[\![ \boldsymbol{x} ]\!]$, $2\cdot [\mathbb {F}_N:\mathbb {F}_q]$ vector-matrix multiplications with a matrix of $\mathbb {F}_{q}^{k\times (n\cdot m-k)}$ to compute $[\![ \boldsymbol{x_A} ]\!] + [\![ \boldsymbol{x_B} ]\!] \boldsymbol{H'}^T - \boldsymbol{y}$, and 2 vector-matrix multiplications with matrix of $\mathbb {F}_{N}^{(n\cdot m -k)\times \rho }$ to compute $[\![ \boldsymbol{\alpha } ]\!]$.
- With VOLEitH, the MPC emulation is executed only once, but in a larger extension field $\mathbb {K}$ where $[\mathbb {K}:\mathbb {F}_{N}]=\rho $. The emulation includes 2 matrix multiplications of $\mathbb {K}^{(m-r)\times r}$ and $\mathbb {K}^{r\times n}$ to compute $[\![ \boldsymbol{x} ]\!]$, $2\rho \cdot [\mathbb {F}_N:\mathbb {F}_q]$ vector-matrix multiplications with a matrix of $\mathbb {F}_{q}^{k\times (n\cdot m-k)}$ to compute $[\![ \boldsymbol{x_A} ]\!] + [\![ \boldsymbol{x_B} ]\!] \boldsymbol{H'}^T - \boldsymbol{y}$, and 2 vector-matrix multiplications with matrix of $\mathbb {K}^{(n\cdot m-k)\times 1}$ to compute $[\![ \boldsymbol{\alpha } ]\!]$.
3.
The global proof-of-work, composed of the grinding process on the seed trees and the explicit proof-of-work on the Fiat-Shamir hash computation. Its average cost is $ \theta \cdot 2^w$ Fiat-Shamir hash computations.

As previously, we leave optimized implementations for future work and provide (upper bound) estimates of the running time in Table 11 based on the benchmarks from [11] and a naive implementation of the MPC emulation of our scheme. Despite this pessimistic estimation, the results of Table 11 show that our scheme is competitive with the NIST sublmissions MIRA and MiRitH (both applying MPC-in-the-Head to $\textsf{MinRank}$). In particular, all our variants relying on TCitH are faster than MIRA and the short instances of MiRitH.

Table 10. Parameters and resulting sizes for the new signature scheme based on $\textsf{MinRank}$. The used parameters for the MinRank problem are those of Table 4.

Full size table

Comparison. Table 12 summarizes the state of the art of signature schemes based on $\textsf{MinRank}$. We include in the comparison only short parameters, i.e., with $N = 256$ for MPCitH-based signatures, and $N= 32$ for [15]. For the $\textsf{MinRank}$ parameters, we use $q=16, m= 16, n=16,k =142, r=4$. Historically, the first schemes from [18, 35], and [14] obtained signature sizes no less than 26 kB for 128 bits of security. Then, the technique from [15] applied to $\textsf{MinRank}$ achieved $\sim $10 kB, and [2] reduced it even below 7 kB. The recent work from [20] reduces it below 6 kB, and the MIRA and MiRitH submissions to the NIST have sizes below 6 kB as well. Finally, our work achieves sizes below 4 kB.

Resilience Property. As for our scheme based on $\textsf{RSD}_{\text {s}}$, our above scheme is highly resilient to hypothetical cryptanalytic progress on $\textsf{MinRank}$. Indeed, if we were to take the set of parameters for $\textsf{MinRank}$ corresponding to NIST III, applied to the proof of knowledge for NIST I, i.e., a security of $\lambda = 192$ for $\textsf{MinRank}$ and $\lambda =128$ for the protocol, we would get an increase of only 0.4 kB (for $N=512$) or 0.3 kB (for $N=2048$) in the signature size. Namely, we can take a large margin of security for the parameters of $\textsf{MinRank}$ at a moderate cost.

Table 11. Estimation of the running times of the new signature scheme based on $\textsf{MinRank}$ (in mega-cycles).

Full size table

Table 12. Comparison of the signatures relying on $\textsf{MinRank}$, restricting to the schemes using the Fiat-Shamir transform.

Full size table

Notes

1.
While VOLEitH has not been introduced as an MPCitH technique, [22] showed that it can be considered as such.
2.
The original version of the TCitH framework was released in Autumn 2022 [23] (and published at Asiacrypt 2023), we refer here to the improved version of the TCitH framework [22].
3.
As explained previously, the parameter B aims to compensate the security loss due to the use of a polynomial-based hash. Such a hash consists in evaluating in a large domain the polynomial which has the hashed values as coefficients. Thanks to the Schwartz-Zippel lemma, we get that the security loss is of a factor $n+\rho $ (which is the length of the hashed vector). By taking $B\cdot \log _2 |\mathbb {F}| \ge 16$ as in the specification of FAEST, we can securely hash vectors of length at most $2^{16}$.
4.
In making this consideration, we include the overhead of emulating their MPC protocol to our estimates of the symmetric part.

References

Gora Adj, Stefano Barbero, Emanuele Bellini, Andre Esser, Luis Rivera-Zamarripa, Carlo Sanna, Javier Verbel, and Floyd Zweydinger. MiRitH. NIST’s Post-Quantum Cryptography Standardization of Additional Digital Signature Schemes Project (Round 1), https://pqc-mirith.org/, 2023.
Gora Adj, Luis Rivera-Zamarripa, and Javier Verbel. Minrank in the head. In Nadia El Mrabet, Luca De Feo, and Sylvain Duquesne, editors, Progress in Cryptology - AFRICACRYPT 2023, pages 3–27, Cham, 2023. Springer Nature Switzerland.
Google Scholar
Carlos Aguilar Melchor, Nicolas Gama, James Howe, Andreas Hülsing, David Joseph, and Dongze Yue. The Return of the SDitH. In Carmit Hazay and Martijn Stam, editors, Advances in Cryptology - EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part V, volume 14008 of Lecture Notes in Computer Science, pages 564–596. Springer, 2023.
Google Scholar
Nicolas Aragon, Magali Bardet, Loïc Bidoux, Jesús-Javier Chi-Domínguez, Victor Dyseryn, Thibauld Feneuil, Philippe Gaborit, Antoine Joux, Matthieu Rivain, Jean-Pierre Tillich, and Adrien Vincotte. RYDE. NIST’s Post-Quantum Cryptography Standardization of Additional Digital Signature Schemes Project (Round 1), https://pqc-ryde.org/, 2023.
Nicolas Aragon, Magali Bardet, Loïc Bidoux, Jesús-Javier Chi-Domínguez, Victor Dyseryn, Thibauld Feneuil, Philippe Gaborit, Romaric Neveu, Matthieu Rivain, and Jean-Pierre Tillich. MIRA. NIST’s Post-Quantum Cryptography Standardization of Additional Digital Signature Schemes Project (Round 1), https://pqc-mira.org/, 2023.
Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. A New Algorithm for Solving the Rank Syndrome Decoding Problem. In 2018 IEEE International Symposium on Information Theory (ISIT), pages 2421–2425, 2018.
Google Scholar
Magali Bardet, Pierre Briaud, Maxime Bros, Philippe Gaborit, Vincent Neiger, Olivier Ruatta, and Jean-Pierre Tillich. An Algebraic Attack on Rank Metric Code-Based Cryptosystems. In Anne Canteaut and Yuval Ishai, editors, Advances in Cryptology – EUROCRYPT 2020, pages 64–93, Cham, 2020. Springer International Publishing.
Google Scholar
Magali Bardet, Pierre Briaud, Maxime Bros, Philippe Gaborit, and Jean-Pierre Tillich. Revisiting algebraic attacks on MinRank and on the rank decoding problem. Designs, Codes and Cryptography, 91:3671-3707, 2023.
Google Scholar
Magali Bardet, Maxime Bros, Daniel Cabarcas, Philippe Gaborit, Ray Perlner, Daniel Smith-Tone, Jean-Pierre Tillich, and Javier Verbel. Improvements of Algebraic Attacks for Solving the Rank Decoding and MinRank Problems. In Shiho Moriai and Huaxiong Wang, editors, Advances in Cryptology – ASIACRYPT 2020, pages 507–536, Cham, 2020. Springer International Publishing.
Google Scholar
Magali Bardet, Maxime Bros, Daniel Cabarcas, Philippe Gaborit, Ray Perlner, Daniel Smith-Tone, Jean-Pierre Tillich, and Javier Verbel. Improvements of Algebraic Attacks for Solving the Rank Decoding and MinRank Problems. In Advances in Cryptology – ASIACRYPT 2020, pages 507–536. Springer International Publishing, 2020.
Google Scholar
Carsten Baum, Ward Beullens, Shibam Mukherjee, Emmanuela Orsini, Sebastian Ramacher, Christian Rechberger, Lawrence Roy, and Peter Scholl. One tree to rule them all: Optimizing ggm trees and owfs for post-quantum signatures. Cryptology ePrint Archive, Paper 2024/490, 2024. https://eprint.iacr.org/2024/490.
Carsten Baum, Lennart Braun, Cyprien Delpech de Saint Guilhem, Michael Klooß, Emmanuela Orsini, Lawrence Roy, and Peter Scholl. Publicly verifiable zero-knowledge and post-quantum signatures from vole-in-the-head. In Helena Handschuh and Anna Lysyanskaya, editors, Advances in Cryptology – CRYPTO 2023, pages 581–615, Cham, 2023. Springer Nature Switzerland.
Google Scholar
Carsten Baum, Lennart Braun, Cyprien Delpech de Saint Guilhem, Michael Klooß, Christian Majenz, Shibam Mukherjee, Emmanuela Orsini, Sebastian Ramacher, Christian Rechberger, Lawrence Roy, and Peter Scholl. FAEST. NIST’s Post-Quantum Cryptography Standardization of Additional Digital Signature Schemes Project (Round 1), https://faest.info/, 2023.
Emanuele Bellini, Andre Esser, Carlo Sanna, and Javier Verbel. Mr-dss - smaller minrank-based (ring-)signatures. In Post-Quantum Cryptography: 13th International Workshop, PQCrypto 2022, Virtual Event, September 28-30, 2022, Proceedings, page 144-169, Berlin, Heidelberg, 2022. Springer-Verlag.
Google Scholar
Loïc Bidoux and Philippe Gaborit. Compact Post-quantum Signatures from Proofs of Knowledge Leveraging Structure for the PKP, SD and RSD Problems. In Codes, Cryptology and Information Security (C2SI), 2023.
Google Scholar
Loïc Bidoux, Thibauld Feneuil, Philippe Gaborit, Romaric Neveu, and Matthieu Rivain. Dual support decomposition in the head: Shorter signatures from rank SD and MinRank. Cryptology ePrint Archive, Paper 2024/541, 2024.
Google Scholar
Nicolas Courtois. La sécurité des primitives cryptographiques basées sur des problèmes algébriques multivariables mq, ip, minrank, hfe, 2001.
Google Scholar
Nicolas T. Courtois. Efficient zero-knowledge authentication based on a linear algebra problem minrank. In Colin Boyd, editor, Advances in Cryptology — ASIACRYPT 2001, pages 402–421, Berlin, Heidelberg, 2001. Springer Berlin Heidelberg.
Google Scholar
Cyprien Delpech de Saint Guilhem, Emmanuela Orsini, and Titouan Tanguy. Limbo: Efficient Zero-knowledge MPCitH-based Arguments. In Yongdae Kim, Jong Kim, Giovanni Vigna, and Elaine Shi, editors, CCS ’21: 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, Republic of Korea, November 15 - 19, 2021, pages 3022–3036. ACM, 2021.
Google Scholar
Thibauld Feneuil. Building MPCitH-based signatures from MQ, MinRank, Rank SD and PKP. In International Conference on Applied Cryptography and Network Security (ACNS), 2024.
Google Scholar
Thibauld Feneuil, Antoine Joux, and Matthieu Rivain. Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature. Designs, Codes and Cryptography, 91:563–608, 2022.
Google Scholar
Thibauld Feneuil and Matthieu Rivain. Threshold Computation in the Head: Improved Framework for Post-Quantum Signatures and Zero-Knowledge Arguments. Cryptology ePrint Archive, Report 2023/1573, 2023.
Google Scholar
Thibauld Feneuil and Matthieu Rivain. Threshold Linear Secret Sharing to the Rescue of MPC-in-the-Head. In International Conference on the Theory and Application of Cryptology and Information Security (Asiacrypt), 2023.
Google Scholar
Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Andrew M. Odlyzko, editor, Advances in Cryptology — CRYPTO’ 86, pages 186–194, Berlin, Heidelberg, 1987. Springer Berlin Heidelberg.
Google Scholar
Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. J. ACM, 33(4):792-807, aug 1986.
Google Scholar
Louis Goubin and Nicolas T. Courtois. Cryptanalysis of the TTM Cryptosystem. In International Conference on the Theory and Application of Cryptology and Information Security, 2000.
Google Scholar
Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, and Amit Sahai. Zero-knowledge from secure multiparty computation. In Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, STOC ’07, page 21-30, New York, NY, USA, 2007. Association for Computing Machinery.
Google Scholar
Jonathan Katz, Vladimir Kolesnikov, and Xiao Wang. Improved Non-Interactive Zero Knowledge with Applications to Post-Quantum Signatures. In David Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang, editors, Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, pages 525–537. ACM, 2018.
Google Scholar
Aviad Kipnis and Adi Shamir. Cryptanalysis of the HFE public key cryptosystem by relinearization. In crypto ’99, volume 1666 of LNCS, pages 19–30, Santa Barbara, California, USA, August 1999. Springer.
Google Scholar
P. Loidreau. Properties of codes in rank metric, 2006.
Google Scholar
Carlos Aguilar Melchior, Nicolas Aragon, Slim Bettaieb, Loïc Bidoux, Olivier Blazy, Maxime Bros, Alain Couvreur, Jean-Christophe Deneuville, Philippe Gaborit, Adrien Hauteville, and Gilles Zémor. RQC. NIST’s Post-Quantum Cryptography Standardization Process, https://pqc-rqc.org/, 2017.
Ralph C. Merkle. A digital signature based on a conventional encryption function. In Carl Pomerance, editor, Advances in Cryptology — CRYPTO ’87, pages 369–378, Berlin, Heidelberg, 1988. Springer Berlin Heidelberg.
Google Scholar
NIST. Call for Additional Digital Signature Schemes for the Post-Quantum Cryptography Standardization Process, 2022. https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/call-for-proposals-dig-sig-sept-2022.pdf.
A. V. Ourivski and T. Johansson. New Technique for Decoding Codes in the Rank Metric and Its Cryptography Applications. Probl. Inf. Transm., 38(3):237-246, jul 2002.
Google Scholar
Bagus Santoso, Yasuhiko Ikematsu, Shuhei Nakamura, and Takanori Yasuda. Three-pass identification scheme based on minrank problem with half cheating probability, 2022.
Google Scholar
Adi Shamir. How to share a secret. Commun. ACM, 22(11):612-613, nov 1979.
Google Scholar
Jacques Stern. A new identification scheme based on syndrome decoding. In International Cryptology Conference (CRYPTO), 1993.
Google Scholar
Pascal Véron. Improved Identification Schemes Based on Error-Correcting Codes. Applicable Algebra in Engineering, Communication and Computing, 8(1), January 1997.
Google Scholar
Kang Yang, Pratik Sarkar, Chenkai Weng, and Xiao Wang. Quicksilver: Efficient and affordable zero-knowledge proofs for circuits and polynomials over any field. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS ’21, page 2986-3001, New York, NY, USA, 2021. Association for Computing Machinery.
Google Scholar

Download references

Author information

Authors and Affiliations

Technology Innovation Institute, Abu Dhabi, UAE
Loïc Bidoux
CryptoExperts, Paris, France
Thibauld Feneuil & Matthieu Rivain
University of Limoges, Limoges, France
Philippe Gaborit & Romaric Neveu

Authors

Loïc Bidoux
View author publications
You can also search for this author in PubMed Google Scholar
Thibauld Feneuil
View author publications
You can also search for this author in PubMed Google Scholar
Philippe Gaborit
View author publications
You can also search for this author in PubMed Google Scholar
Romaric Neveu
View author publications
You can also search for this author in PubMed Google Scholar
Matthieu Rivain
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Loïc Bidoux .

Editor information

Editors and Affiliations

Academia Sinica, Taipei, Taiwan
Kai-Min Chung
NTT Social Informatics Laboratories, Tokyo, Japan
Yu Sasaki

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Bidoux, L., Feneuil, T., Gaborit, P., Neveu, R., Rivain, M. (2025). Dual Support Decomposition in the Head: Shorter Signatures from Rank SD and MinRank. In: Chung, KM., Sasaki, Y. (eds) Advances in Cryptology – ASIACRYPT 2024. ASIACRYPT 2024. Lecture Notes in Computer Science, vol 15485. Springer, Singapore. https://doi.org/10.1007/978-981-96-0888-1_2

Download citation

DOI: https://doi.org/10.1007/978-981-96-0888-1_2
Published: 11 December 2024
Publisher Name: Springer, Singapore
Print ISBN: 978-981-96-0887-4
Online ISBN: 978-981-96-0888-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Dual Support Decomposition in the Head: Shorter Signatures from Rank SD and MinRank

Abstract

Similar content being viewed by others

$$\textsf{ReSolveD} $$ : Shorter Signatures from Regular Syndrome Decoding and VOLE-in-the-Head

Compact Post-quantum Signatures from Proofs of Knowledge Leveraging Structure for the $$\textsf{PKP}$$ , $$\textsf{SD}$$ and $$\textsf{RSD}$$ Problems

Syndrome Decoding in the Head: Shorter Signatures from Zero-Knowledge Proofs

1 Introduction

2 Preliminaries

2.1 Notations

2.2 Secret Sharing

2.3 Rank Metric and Hard Problems for Cryptography

Definition 1

Definition 2

Definition 3

Definition 4

Definition 5

Definition 6

3 Security and Parameters for \(\textsf{RSD}_{\text {s}}\) and \(\textsf{MinRank}\)

3.1 Security of the Rank Syndrome Decoding Problem

Proposition 1

Proof

Remark 1

Remark 2

3.2 Parameters Choice for \(\textsf{RSD}_{\text {s}}\)

3.3 Parameters Choice for \(\textsf{MinRank}\)

4 MPCitH Modeling for \(\textsf{RSD}_{\text {s}}\) and \(\textsf{MinRank}\)

4.1 Modelings for the \(\textsf{RSD}_{\text {s}}\) Problem

Definition 7

4.2 Modelings for the \(\textsf{MinRank}\) Problem

Definition 8

Proposition 2

Proof

5 The TCitH and VOLEitH Frameworks

5.1 Threshold-Computation-in-the-Head Framework

5.2 VOLE-in-the-Head Framework

5.3 Additional MPCitH Optimisations

6 New Signatures Based on \(\textsf{RSD}_{\text {s}}\) and \(\textsf{MinRank}\)

6.1 New Signatures Based on \(\textsf{RSD}_{\text {s}}\)

6.2 New Signatures Based on \(\textsf{MinRank}\)

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Search

Navigation