Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature

Abstract

The threat of a coming quantum computer motivates the research for new zero-knowledge proof techniques for (or based on) post-quantum cryptographic problems. One of the few directions is code-based cryptography for which the strongest problem is the syndrome decoding (SD) of random linear codes. This problem is known to be NP-hard and the cryptanalysis state of affairs has been stable for many years. A zero-knowledge protocol for this problem was pioneered by Stern in 1993. As a simple public-coin three-round protocol, it can be converted to a post-quantum signature scheme through the famous Fiat-Shamir transform. The main drawback of this protocol is its high soundness error of 2/3, meaning that it should be repeated \(\approx 1.7 \lambda \) times to reach a \(\lambda \)-bit security. In this paper, we improve this three-decade-old state of affairs by introducing a new zero-knowledge proof for the syndrome decoding problem on random linear codes. Our protocol achieves a soundness error of 1/n for an arbitrary n in complexity \(\mathcal {O}(n)\). Our construction requires the verifier to trust some of the variables sent by the prover which can be ensured through a cut-and-choose approach. We provide an optimized version of our zero-knowledge protocol which achieves arbitrary soundness through parallel repetitions and merged cut-and-choose phase. While turning this protocol into a signature scheme, we achieve a signature size of 17 KB for a 128-bit security. This represents a significant improvement over previous constructions based on the syndrome decoding problem for random linear codes.

Appendices

Appendix A: splitting lemma

In our proofs, we shall make use of the following lemma from [27]:

Lemma 8

(Splitting Lemma) Let X and Y be two finite sets, and let \(A \subseteq X \times Y\) such that

$$\begin{aligned} \Pr \big [(x,y) \in A \mid (x,y) \leftarrow X\times Y\big ] \ge \varepsilon ~. \end{aligned}$$

For any \(\alpha \in [0,1)\), let

$$\begin{aligned} B = \Big \{(x,y) \in X \times Y ~\Big \vert ~ \Pr \big [(x,y') \in A \mid y' \leftarrow Y\big ] \ge (1-\alpha ) \cdot \varepsilon \Big \} ~. \end{aligned}$$

We have:

1. 1.

   \(\Pr \big [(x,y) \in B \mid (x,y) \leftarrow X\times Y\big ] \ge \alpha \cdot \varepsilon \)

2. 2.

   \(\Pr \big [(x,y) \in B \mid (x,y) \leftarrow A \big ] \ge \alpha \) .

Appendix B: Proof of Theorem 2 (Zero Knowledge of Protocol 2)

Proof

We first describe a way to generate an identical distribution to the internal variables of Protocol 2 and then describe the zero-knowledge simulator.

Identical distribution

One way to generate an identical distribution to that of variables of Protocol 2 is as follow:

1. 1.

   Sample \(\tilde{x} \leftarrow \{\tilde{x} \mid H\tilde{x} = y\}\).

2. 2.

   Sample \(q \leftarrow \mathbb {F}_2^m\).

3. 3.

   Sample \(v \leftarrow \{v\in \mathbb {F}_2^m \mid {\text {wt}}(v) = w\}\).

4. 4.

   For every \(i \in [n] \setminus \{i^*\}\), sample \(A_i \equiv (\sigma _i, s_i)\) uniformly.

5. 5.

   For \(i \in \{1, \ldots , i^*-1\}\): compute \(u_i := A_i(u_{i-1})\) with \(u_0 := \tilde{x}\).

6. 6.

   For i from \(n-1\) down to \(i^*\): compute \(u_i := A_{i+1}^{-1}(u_{i+1})\) with \(u_n := v+q\).

7. 7.

   Randomly sample \(A_{i^*} \equiv (\sigma _{i^*}, s_{i^*})\) such that:

• \(u_i = A_{i^*}(u_{i^*-1})\)

• \(\alpha = \sigma _{i^*}(\beta )\) with

  $$\begin{aligned} {\left\{ \begin{array}{ll} \alpha := \sigma _{i^*+1}^{-1} \circ \cdots \circ \sigma _n^{-1}(v) \\ \beta := \sigma _{i^*-1} \circ \cdots \circ \sigma _1(x) \end{array}\right. } ~. \end{aligned}$$

Zero-Knowlegde Simulator

The simulator \(\mathcal {S}\) proceeds as follows:

• It first samples a random challenge \(i^*\) from \(\{1, \ldots , n\}\);

• It then performs steps 1 to 6 of the above description and computes commitments \(c_i\)’s for the \((\sigma _i, s_i)\)’s, for all \(i\ne i^*\);

• Note that the simulator cannot perform step 7 because it requires the knowledge of x (to get \(\beta \)). Instead, the simulator computes a commitment \(c_{i^*}\) for a random pair \((\sigma _{i^*}, s_{i^*})\);

• The simulator calls \(\tilde{\mathcal {V}}\) with \(\textsc {Com}:=(\{c_i\}_i,q,v,\tilde{x},\{u_i\}_i)\) and, restart the simulation from scratch if \(\tilde{\mathcal {V}}\) does not return \(i^*\), and output the simulated transcript otherwise.

The output transcript is independent and identically to the genuine transcript except for \(c_{i^*}\). Distinguishing then means breaking the commitment hiding property. \(\square \)

Appendix C: Proof of Theorem 3 (Soundness of Protocol 2)

Proof

Let us first show how to extract the syndrome decoding solution x from a few transcripts satisfying specific conditions. We will then show how to get such transcripts from a rewindable black-box access to \(\tilde{\mathcal {P}}\).

Transcripts used for extraction

We assume that we can extract two transcripts

$$\begin{aligned} T_1&:= (\{c_i\}_i, {q}^{\star }, v, \tilde{x}, \{u_i\}_i, \textsc {Ch}_1:=i^*_1, (\sigma _i, s_i, \rho _i)_{i\not =i^*_1}) \\ T_2&:= (\{c_i\}_i, {q}^{\star }, v, \tilde{x}, \{u_i\}_i, \textsc {Ch}_2:=i^*_2, (\sigma '_i, s'_i, \rho '_i)_{i\not =i^*_2}) ~. \end{aligned}$$

Using these two transcripts, we next show that it is possible to extract a solution of the syndrome decoding instance defined by H and y. We can assume that the \((\sigma _i, s_i)_{i\not \in \{i^*_1,i^*_2\}}\) and \((\sigma '_i, s'_i)_{i\not \in \{i^*_1,i^*_2\}}\) are mutually consistent between the two transcripts, since otherwise we find a commitment collision for at least one of the commitments \(\{c_i\}_i\). So, we know \((\sigma _i^{[j_0]}, s_i^{[j_0]})\) for all \(i\in \{1,\ldots ,n\}\) from \(T_1\) and \(T_2\). We define \((\sigma _{i^*_1}, s_{i^*_1}) := (\sigma '_{i^*_1}, s'_{i^*_1})\).

Extraction of x from \(T_1\) and \(T_2\)

In the following, we will denote \(\mathcal {V}_{\textsc {Ch}_1}\) (resp. \(\mathcal {V}_{\textsc {Ch}_2}\)) the set of checked equations at the end of the transcript with \(\textsc {Ch}_1\) (resp. \(\textsc {Ch}_2\)) as challenge.

Let us define \(\sigma := \sigma _n \circ \cdots \circ \sigma _1\) and \(x':=\sigma ^{-1}(v)\). We simply return \(x'\) as a candidate solution for x. Because \({\text {wt}}(v)=w\) (from \(\mathcal {V}_{\textsc {Ch}_1}\) or \(\mathcal {V}_{\textsc {Ch}_2}\)), we have \({\text {wt}}(x')=w\). We now show that we further have \(y = H x'\).

Thanks to \(\mathcal {V}_{\textsc {Ch}_1}\), we know that

$$\begin{aligned} \forall i\in [n]\backslash \{i^*_1\}, u_i = \sigma _i(u_{i-1}) + s_i . \end{aligned}$$

And thanks to \(\mathcal {V}_{\textsc {Ch}_2}\), we get the remaining equation

$$\begin{aligned} u_{i^*_1} = \sigma _{i^*_1}(u_{i^*_1-1}) + s_{i^*_1} . \end{aligned}$$

So, we know that

$$\begin{aligned} u_n= & {} s_n + \sigma _n(s_{n-1} + \sigma _{n-1}(\ldots + \sigma _2(s_1 + \sigma _1(u_0)))) \nonumber \\= & {} s_n + \sigma _n(s_{n-1} + \sigma _{n-1}(\ldots + \sigma _2(s_1 + \sigma _1(\tilde{x})))) \nonumber \\= & {} \underbrace{(\sigma _n \circ \cdots \circ \sigma _1)}_{\sigma }(\tilde{x}) + \underbrace{s_n + \sigma _n(s_{n-1} + \sigma _{n-1}(\ldots + \sigma _2(s_1)))}_{s} \nonumber \\= & {} \sigma (\tilde{x}) + s \end{aligned}$$

(C1)

Now, we have

$$\begin{aligned} H x'&= H \sigma ^{-1}(v)&\\&= H \sigma ^{-1}(u_n-q)&\text {from }\mathcal {V}_{\textsc {Ch}_1} \text { or }\mathcal {V}_{\textsc {Ch}_2}\\&= H \sigma ^{-1}(\sigma (\tilde{x})+s-q)&\text {from }\mathrm{C1}&\\&= H \tilde{x} - H \sigma ^{-1}(q-s)\\&= y - H \sigma ^{-1}(q-s)&\text {from }\mathcal {V}_{\textsc {Ch}_1} \text { or }\mathcal {V}_{\textsc {Ch}_2} \end{aligned}$$

Since q has been honestly built and \(\{(\sigma _i, s_i)\}_i\) has been extracted from \(\tilde{\mathcal {P}}\), we know there exists \(r\in {\text {Ker}}(H)\) such that

$$\begin{aligned} q=\sigma (r)+s . \end{aligned}$$

And so,

$$\begin{aligned} H x' = y - H \sigma ^{-1}(\sigma (r)) = y - Hr = y. \end{aligned}$$

So, we well obtain \(H x' = y - H \sigma ^{-1}(\sigma (r)) = y - H r = y\).

Extraction of \(T_1\) and \(T_2\) from \(\tilde{\mathcal {P}}\)

Let now show how to extract these two transcripts from \(\tilde{\mathcal {P}} \). We want these transcripts to be with the same commitment Com from the prover but with different challenges. We define the following extractor \(\mathcal {E}\).

Throughout the proof, we denote \(\mathsf {succ}_{\tilde{\mathcal {P}}}\) the event that \(\tilde{\mathcal {P}}\) succeeds in convincing \(\mathcal {V} \). By hypothesis, we have \(\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}] = \tilde{\varepsilon }\). We shall further denote by \(R_\textsc {Com}\) the randomness of \(\tilde{\mathcal {P}}\) that is used to generate the initial commitment \(\textsc {Com} = (\{c_i\}_i, {q}^{\star }, v, \tilde{x}, \{u_i\}_i)\).

Let us fix an arbitrary value \(\alpha \in (0, 1)\) such that \((1-\alpha )\tilde{\varepsilon } > \varepsilon \), it exists since \(\tilde{\varepsilon } > \varepsilon \). Let \(r_\textsc {Com}\) be a possible realisation of \(R_\textsc {Com}\). We will say that \(r_\textsc {Com}\) is good if

$$\begin{aligned} {\text {Pr}}[\mathsf {succ}_{\tilde{\mathcal {P}}}\mid R_\textsc {Com} = r_\textsc {Com}] \ge (1-\alpha )\tilde{\varepsilon }. \end{aligned}$$

(C2)

By the Splitting Lemma 8 (see Appendix 1) we have

$$\begin{aligned} \Pr [R_\textsc {Com}~\text {is good} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}] \ge \alpha ~. \end{aligned}$$

(C3)

Let us define the collision event of T and \(T'\) as the event

$$\begin{aligned} \textsf {Col}(T, T') := ``T\text { and }T'\text { has the same challenge}\,\textsc {Ch}''~. \end{aligned}$$

When T is fixed and \(T'\) is random, the collision event occurs with probability

$$\begin{aligned} p_{col} := \Pr [\textsf {Col}(T,T')] = \frac{1}{n} = \varepsilon ~. \end{aligned}$$

Let us lower bound the probability that an iteration of the inner loop find a right couple \((T,T')\) when \(R_\textsc {com}\) is good:

$$\begin{aligned} p := {\text {Pr}}[\mathsf {succ}_{\tilde{\mathcal {P}}}^{T'} \cap \lnot \textsf {Col}(T,T')\mid R_\textsc {Com} \text { good}] ~. \end{aligned}$$

We have

$$\begin{aligned} p&= \Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T'} \mid R_\textsc {Com} \text { good}] - {\text {Pr}}[\mathsf {succ}_{\tilde{\mathcal {P}}}^{T'} \cap \textsf {Col}(T,T')\mid R_\textsc {Com} \text { good}] \\&\ge (1-\alpha )\cdot \tilde{\varepsilon }- {\text {Pr}}[\mathsf {succ}_{\tilde{\mathcal {P}}}^{T'} \cap \textsf {Col}(T,T')\mid R_\textsc {Com} \text { good}] \qquad \text {by }\mathrm{C2} \\&\ge (1-\alpha )\cdot \tilde{\varepsilon }- {\text {Pr}}[\textsf {Col}(T,T')\mid R_\textsc {Com} \text { good}] \\&= (1-\alpha )\cdot \tilde{\varepsilon }- {\text {Pr}}[\textsf {Col}(T,T')] \qquad \text {by independence}\\&= (1-\alpha )\cdot \tilde{\varepsilon }- \varepsilon > 0 \end{aligned}$$

Let define \(p_0 := (1-\alpha )\cdot \tilde{\varepsilon }- \varepsilon \). By running \(\tilde{\mathcal {P}}\) with the same \(r_\textsc {Com}\) as for the good transcript \(N_1\) times, we hence obtain a second non-colliding transcript \(T'\) with probability at least 1/2 when

$$\begin{aligned} N_1 \approx \frac{\ln (2)}{\ln \left( \frac{1}{1-p_0}\right) } \le \frac{\ln (2)}{p_0} ~. \end{aligned}$$

(C4)

Without assumption on \(R_\textsc {Com}\), the probability to find a couple when T is successful satisfies:

$$\begin{aligned}&\Pr [\text {found} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T}] \\&\quad \ge \Pr [R_\text {COM}~\text {good} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T}]\cdot \Pr [\text {found} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T} \cap R_\text {COM}~\text {good}] \ge \frac{\alpha }{2}~. \end{aligned}$$

Let C denotes the number of calls to \(\tilde{\mathcal {P}}\) made by the extractor before finishing. While entering a new iteration:

• The extractor makes one call to \(\tilde{\mathcal {P}}\) to obtain T,

• If T is not successful, which occurs with probability \((1-\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T}])\),

• \(\circ \) The extractor continues to the next iteration and makes an average of \(\mathbb {E}[C]\) calls to \(\tilde{\mathcal {P}}\),

• If T is successful, which occurs with probability \(\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T}]\),

• \(\circ \) The extractor makes at most \(N_1\) calls to \(\tilde{\mathcal {P}}\) in the inner loop of \(\mathcal {E} \),

• \(\circ \) Then \(\mathcal {E} \) quits the inner loop without returning a couple of transcripts, which occurs with probability \(\Pr [\text {not found} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T}]\), the extractor continues to the next iteration and makes an average of \(\mathbb {E}[C]\) calls to \(\tilde{\mathcal {P}}\),

• \(\circ \) Otherwise, if the inner loop returns a non-empty list, the extractor stops and no more calls to \(\tilde{\mathcal {P}}\) are necessary.

The mean number of calls to \(\tilde{\mathcal {P}}\) hence satisfies the following inequality:

$$\begin{aligned} \mathbb {E}[C]= & {} 1 + \underbrace{(1-\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T}]) \cdot \mathbb {E}[C]}_{T~\text {unsuccessful}} \\&\quad + \underbrace{\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T}] \cdot \big ( N_1 + \Pr [\text {not found} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T}] \cdot \mathbb {E}[C]}_{T~\text {successful}}\big ) \end{aligned}$$

which gives

$$\begin{aligned} \mathbb {E}[C]&\le 1 + (1-\tilde{\varepsilon }) \cdot \mathbb {E}[C] + \tilde{\varepsilon } \cdot \Big ( N_1 + \big (1-\frac{\alpha }{2}\big ) \cdot \mathbb {E}[C] \Big ) \\&\le 1 + \tilde{\varepsilon } \cdot N_1 + \mathbb {E}[C] \cdot \Big (1 - \frac{\tilde{\varepsilon } \cdot \alpha }{2} \Big ) \\&\le \frac{2}{\alpha \cdot \tilde{\varepsilon }} \cdot (1 + \tilde{\varepsilon } \cdot N_1) \\&\le \frac{2}{\alpha \cdot \tilde{\varepsilon }} \cdot \left( 1 + \tilde{\varepsilon } \cdot \frac{\ln (2)}{(1-\alpha )\cdot \tilde{\varepsilon }-\varepsilon }\right) \end{aligned}$$

To obtain an \(\alpha \)-free formula, let us take \(\alpha \) such that \((1-\alpha )\cdot \tilde{\varepsilon } = \frac{1}{2}(\tilde{\varepsilon } + \varepsilon )\). We have \(\alpha = \frac{1}{2}\left( 1-\frac{\varepsilon }{\tilde{\varepsilon }}\right) \) and the average number of calls to \(\tilde{\mathcal {P}}\) is upper bounded as

$$\begin{aligned} \frac{4}{\tilde{\varepsilon }-\varepsilon } \cdot \left( 1+\tilde{\varepsilon } \cdot \frac{2\cdot \ln (2)}{\tilde{\varepsilon }-\varepsilon }\right) \end{aligned}$$

which concludes the proof. \(\square \)

Appendix D: Proof of Theorem 5 (HVZK of Protocol 5)

Proof

Let us describe the simulator \(\mathcal {S}\). Let us denote \((J, L)\) the input of the simulator. First, \(\mathcal {S}\) randomly picks the master seeds \(\textsf {seed}^{[0]}\).

• For \(j\in [M]\backslash J\), \(\mathcal {S}\) follows honestly the protocol since it does not need to know the secret.

• For \(j\in J\), \(\mathcal {S}\) uses the same method than the one described in the proof of the Theorem 2 (appendix B):

• \(\circ \) Sample \(\tilde{x}^{[j]} \leftarrow \{\tilde{x} \mid H\tilde{x} = y\}\).

• \(\circ \) Sample \(q^{[j]} \leftarrow \mathbb {F}_2^m\).

• \(\circ \) Sample \(v^{[j]} \leftarrow \{v\in \mathbb {F}_2^m \mid {\text {wt}}(v) = w\}\).

• \(\circ \) For every \(i \in [n] \setminus \{i^*\}\), sample \(A_i^{[j]} \equiv (\sigma _i^{[j]}, s_i^{[j]})\) uniformly.

• \(\circ \) For \(i \in \{1, \ldots , i^*-1\}\):

  compute \(u_i^{[j]} := A_i^{[j]}(u_{i-1}^{[j]})\) with \(u_0^{[j]} := \tilde{x}^{[j]}\).

• \(\circ \) For i from \(n-1\) down to \(i^*\):

  compute \(u_i^{[j]} := (A_{i+1}^{[j]})^{-1}(u_{i+1}^{[j]})\) with \(u_n^{[j]} := v^{[j]}+q^{[j]}\).

• \(\circ \) Compute commitments \(c_i^{[j]}\)’s for the \((\sigma _i^{[j]}, s_i^{[j]})\)’s, for all \(i\ne i^*\).

• \(\circ \) Computes a commitment \(c_{i^*}^{[j]}\) for a random pair \((\sigma _{i^*}^{[j]}, s_{i^*}^{[j]})\).

The output transcript is independent and identically to the genuine transcript except for the randomness sampling and \(c_{i^*}^{[j]}\) when \(j\in J\). Distinguishing then means breaking the pseudorandomness property or breaking the commitment hiding property. \(\square \)

Appendix E: Proof of Theorem 6 (Soundness of Protocol 5)

Proof

Let us first show how to extract the syndrome decoding solution x from a few transcripts satisfying specific conditions. We will then show how to get such transcripts from a rewindable black-box access to \(\tilde{\mathcal {P}}\).

Transcripts used for extraction

We assume that we can extract three transcripts

$$\begin{aligned} T_i = (\textsc {Com}^{(i)}, \textsc {Ch}_1^{(i)}, \textsc {Rsp}_1^{(i)}, \textsc {Ch}_2^{(i)}, \textsc {Rsp}_2^{(i)}) ~~~\text {for }i\in \{1,2,3\}~, \end{aligned}$$

(E5)

from \(\tilde{\mathcal {P}}\), with \(\textsc {Ch}_1^{(i)}:= J^{(i)}\), \( \textsc {Ch}_2^{(i)} := \{\ell ^{(i)}_j\}_{j \in J^{(i)}}\), which satisfy:

1. 1.

   \(\textsc {Com}^{(1)} = \textsc {Com}^{(2)} = \textsc {Com}^{(3)} = h\),

2. 2.

   there exists \( j_0 \in (J^{(1)} \cap J^{(2)}) \setminus J^{(3)}\) s.t. \(\ell _{j_0}^{(1)} \not = \ell _{j_0}^{(2)}\)

3. 3.

   \(T_1\) and \(T_2\) are success transcripts (i.e. which pass all the tests of \(\mathcal {V}\)),

4. 4.

   \(\textsf {seed}^{[j_0]}\) from \(\textsc {Rsp}_1^{(3)}\) is consistent with the \((\sigma _i^{[j_0]}, s_i^{[j_0]})\) from \(T_1\) and \(T_2\).

Using these three transcripts, we next show that it is possible to extract a solution of the syndrome decoding instance defined by H and y. We can assume that all the revealed \(q^{[j]}\) and \((\sigma _i^{[j]}, s_i^{[j]})\) are mutually consistent between the three transcripts, since otherwise we find a hash collision. So, we know \((\sigma _i^{[j_0]}, s_i^{[j_0]})\) for all \(i\in \{1,\ldots ,n\}\) from \(T_1\) and \(T_2\).

Extraction of x from \(T_1\), \(T_2\) and \(T_3\)

For this part, we will only consider the variables of the form \((*)^{[j_0]}\), so we will omit the superscript for the sake of clarity. In the following, we will denote \(\mathcal {V}_{T_i}\) the set of checked equations at the end of the protocol with \(T_i\) for \(i\in \{1,2,3\}\).

Let us define \(\sigma := \sigma _n \circ ... \circ \sigma _1\) and \(x':=\sigma ^{-1}(v)\). We simply return \(x'\) as a candidate solution for x. Because \({\text {wt}}(v)=w\) (from \(\mathcal {V}_{T_1}\) or \(\mathcal {V}_{T_2}\)), we have \({\text {wt}}(x')=w\). We now show that we further have \(y = H x'\).

Thanks to \(\mathcal {V}_{T_1}\), we know that

$$\begin{aligned} \forall i\in [n]\backslash \{\ell _{j_0}\}, u_i = \sigma _i(u_{i-1}) + s_i ~. \end{aligned}$$

And thanks to \(\mathcal {V}_{T_2}\), we get the remaining equation

$$\begin{aligned} u_{j_0} = \sigma _{j_0}(u_{j_0-1}) + s_{j_0} ~. \end{aligned}$$

So, we know that

$$\begin{aligned} u_n&= s_n + \sigma _n(s_{n-1} + \sigma _{n-1}(... + \sigma _2(s_1 + \sigma _1(u_0)))) \\&= s_n + \sigma _n(s_{n-1} + \sigma _{n-1}(... + \sigma _2(s_1 + \sigma _1(\tilde{x})))) \\&= \underbrace{(\sigma _n \circ ... \circ \sigma _1)}_{\sigma }(\tilde{x}) + \underbrace{s_n + \sigma _n(s_{n-1} + \sigma _{n-1}(... + \sigma _2(s_1)))}_{s} \\&= \sigma (\tilde{x}) + s~. \end{aligned}$$

Now, we have

$$\begin{aligned} H x'&= H \sigma ^{-1}(v)&\\&= H \sigma ^{-1}(u_n-q)&\text {from }\mathcal {V}_{T_1}\text { or } \mathcal {V}_{T_2}\\&= H \sigma ^{-1}(\sigma (\tilde{x})+s-q)&\text {from the previous calculus}&\\&= H \tilde{x} - H \sigma ^{-1}(q-s)\\&= y - H \sigma ^{-1}(q-s)&\text {from }\mathcal {V}_{T_1}\text { or } \mathcal {V}_{T_2} \end{aligned}$$

From \(\mathcal {V}_{T_3}\), we get that there exists \(r\in {\text {Ker}}(H)\) such that

$$\begin{aligned} q=\sigma (r)+s ~. \end{aligned}$$

So, we well obtain \(H x' = y - H \sigma ^{-1}(\sigma (r)) = y - H r = y\).

Extraction of \(T_1\), \(T_2\) and \(T_3\) from \(\tilde{\mathcal {P}}\)

Throughout the proof, we denote \(\mathsf {succ}_{\tilde{\mathcal {P}}}\) the event that \(\tilde{\mathcal {P}}\) succeeds in convincing \(\mathcal {V} \). By hypothesis, we have \(\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}] = \tilde{\varepsilon }\). We shall further denote by \(R_h\) the randomness of \(\tilde{\mathcal {P}}\) which is used to generate the initial commitment \(\textsc {Com} = h\).

Let us fix an arbitrary value \(\alpha \in (0, 1)\) such that \((1-\alpha )\tilde{\varepsilon } > \varepsilon \), it exists since \(\tilde{\varepsilon } > \varepsilon \). Let \(r_h\) be a possible realization of \(R_h\). We will say that \(r_h\) is good if it is such that

$$\begin{aligned} \Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}\mid R_h=r_h] \ge (1-\alpha )\cdot \tilde{\varepsilon }~. \end{aligned}$$

(E6)

By the Splitting Lemma 8 (see Appendix 1) we have

$$\begin{aligned} \Pr [R_h~\text {good} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}] \ge \alpha ~. \end{aligned}$$

(E7)

Our extractor first obtains a successful transcript \(T_0\) by running the protocol making calls to \(\tilde{\mathcal {P}}\) with honest verifier requests. If this \(T_0\) corresponds to a good \(r_h\), then we can obtain further successful transcripts with “high” probability by rewinding the protocol just after the initial commitment \(\textsc {Com} = h\). Based on this assumption, a sub-extractor \(\mathcal {E} _0\) will build a list of successful transcripts \(\mathcal {T}\), all with same initial commitment. For every \(T \in \mathcal {T}\), we denote \(J_T\) the set J (first challenge) for this transcript, as well as \(\bar{J}_T := [M] \setminus J_T\), and \(L_T = \{\ell _{T,j}\}_{j\in J_T}\) the set L (second challenge) for this transcript. We further denote

$$\begin{aligned} \bar{J}(\mathcal {T}) := \bigcup _{T\in \mathcal {T}} \bar{J}_T \end{aligned}$$

which is the set of indexes \(j \in [M]\) for which \(q^{[j]}\) has been opened, as well as

$$\begin{aligned} C(\mathcal {T}) := \left\{ j \mid \exists \, T, T' \in \mathcal {T}~\text {s.t.}~ j\in J_T \cap J_{T'} ~\text {and}~ \ell _{T,j} \ne \ell _{T',j} \right\} \end{aligned}$$

which is the set of indexes \(j\in [M]\) for which all the \((\sigma _i^{[j]}, s_i^{[j]})_i\) have been revealed.

For a certain number \(N_1\) of iterations, the sub-extractor \(\mathcal {E} _0\) tries to feed the list \(\mathcal {T}\) until the following stop condition is reached:

$$\begin{aligned} C(\mathcal {T}) \cap \bar{J}(\mathcal {T}) \not = \emptyset ~. \end{aligned}$$

If this condition is reached then we have three transcripts \(T_1, T_2,T_3 \in \mathcal {T}\) such that

$$\begin{aligned} \exists j \in (J_{T_1} \cap J_{T_2}) \cap \bar{J}_{T_3} : \ell _{T_1,j} \not = \ell _{T_2,j} \end{aligned}$$

which is what we need to recover x (as explained above). We formally describe the sub-extractor routine in the following pseudocode:

Let us know evaluate the probability that the stop condition is reached in a given number of iteration \(N_1\). In the following, we naturally denote \(J(\mathcal {T}) := \bigcup _{T\in \mathcal {T}} J_T\), the set of indexes \(j\in [M]\) which have been used in the second phase for at least one transcript \(T \in \mathcal {T}\). Note that we always have \(C(\mathcal {T}) \subseteq J(\mathcal {T})\).

Consider a loop iteration in \(\mathcal {E} _0\) at the beginning of which we have a list \(\mathcal {T}\) of successful transcripts such that \(C(\mathcal {T}) \cap \bar{J}(\mathcal {T}) = \emptyset \) (i.e. the stop condition has not been reached) and a transcript T sampled at Step 3. We consider the three following events:

• the event \(E_1 := \{J(\mathcal {T}) \varsubsetneq J(\mathcal {T}\cup \{T\})\}\) which implies that the set \(J(\mathcal {T})\) will be increased at Step 5 when \(\mathcal {T}\leftarrow \mathcal {T}\cup \{T\}\) if T is a successful transcript,

• the event \(E_2 := \{C(\mathcal {T}) \varsubsetneq C(\mathcal {T}\cup \{T\})\}\) which implies that the set \(C(\mathcal {T})\) will be increased at Step 5 when \(\mathcal {T}\leftarrow \mathcal {T}\cup \{T\}\) if T is a successful transcript,

• the event \(E_3 := \{C(\mathcal {T}\cup \{T\}) \cap \bar{J}(\mathcal {T}\cup \{T\})\not =\emptyset \}\) which implies that the stop condition will be reached at Step 6 if T is a successful transcript.

The above events are defined with respect to the randomness of the two challenges in T. Note these events do not require that T is a successful transcript.

Let us lower bound the probability to have a good transcript T and one of the three events occuring in the presence of a good \(R_h\):

$$\begin{aligned} p := \Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}\cap (E_1 \cup E_2 \cup E_3) \mid R_h~\text {good}] ~. \end{aligned}$$

We have:

$$\begin{aligned} p&= \Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}\mid R_h~\text {good}] - \Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}\cap (\bar{E}_1 \cap \bar{E}_2 \cap \bar{E}_3) \mid R_h~\text {good}] \\&\ge (1-\alpha )\cdot \tilde{\varepsilon }- \Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}\cap (\bar{E}_1 \cap \bar{E}_2 \cap \bar{E}_3) \mid R_h~\text {good}]&\text {by } (\mathrm{E6}) \\&\ge (1-\alpha )\cdot \tilde{\varepsilon }- \Pr [\bar{E}_1 \cap \bar{E}_2 \cap \bar{E}_3 \mid R_h~\text {good}]\\&= (1-\alpha )\cdot \tilde{\varepsilon }- \Pr [\bar{E}_1 \cap \bar{E}_2 \cap \bar{E}_3]&\text {by independence.} \end{aligned}$$

Now, we have

$$\begin{aligned} \bar{E}_2 \cap \bar{E}_3&~~\Leftrightarrow ~~ C(\mathcal {T}) = C(\mathcal {T}\cup \{T\}) ~~\cap ~~ C(\mathcal {T}\cup \{T\}) \cap \bar{J}(\mathcal {T}\cup \{T\}) = \emptyset \\&~~\Leftrightarrow ~~ C(\mathcal {T}) = C(\mathcal {T}\cup \{T\}) ~~\cap ~~ C(\mathcal {T}) \cap \bar{J}(\mathcal {T}\cup \{T\}) = \emptyset \\&~~\Leftrightarrow ~~ C(\mathcal {T}) = C(\mathcal {T}\cup \{T\}) ~~\cap ~~ (C(\mathcal {T}) \cap \bar{J}(\mathcal {T})) \cup (C(\mathcal {T}) \cap \bar{J}_T) = \emptyset \\&~~\Leftrightarrow ~~ C(\mathcal {T}) = C(\mathcal {T}\cup \{T\}) ~~\cap ~~ (C(\mathcal {T}) \cap \bar{J}_T) = \emptyset \\&~~\Leftrightarrow ~~ C(\mathcal {T}) = C(\mathcal {T}\cup \{T\}) ~~\cap ~~ C(\mathcal {T}) \subseteq J_T \end{aligned}$$

which also gives

$$\begin{aligned} \bar{E}_2 \cap \bar{E}_1 \cap \bar{E}_3&~~\Leftrightarrow ~~ C(\mathcal {T}) = C(\mathcal {T}\cup \{T\}) ~~\cap ~~ C(\mathcal {T}) \subseteq J_T \subseteq J(\mathcal {T}) ~. \end{aligned}$$

So we can further lower bound p as:

$$\begin{aligned} p&\ge (1-\alpha )\cdot \tilde{\varepsilon }- \Pr [C(\mathcal {T}) \subseteq J_T \subseteq J(\mathcal {T}) \cap C(\mathcal {T}) = C(\mathcal {T}\cup \{T\})]\\&= (1-\alpha )\cdot \tilde{\varepsilon }- \Pr [C(\mathcal {T}) \subseteq J_T \subseteq J(\mathcal {T})]\\&\quad \times \Pr [C(\mathcal {T}) = C(\mathcal {T}\cup \{T\}) \mid C(\mathcal {T}) \subseteq J_T \subseteq J(\mathcal {T})] \\&= (1-\alpha )\cdot \tilde{\varepsilon }- \frac{\left( {\begin{array}{c}|J(\mathcal {T}) |-|C(\mathcal {T}) |\\ \tau -|C(\mathcal {T}) |\end{array}}\right) }{\left( {\begin{array}{c}M\\ \tau \end{array}}\right) }\cdot \left( \frac{1}{n}\right) ^{\tau -|C(\mathcal {T}) |} \end{aligned}$$

By defining \(k:=M-|C(\mathcal {T}) |\), we have

$$\begin{aligned} \left( {\begin{array}{c}|J(\mathcal {T}) |-|C(\mathcal {T}) |\\ \tau -|C(\mathcal {T}) |\end{array}}\right)&= \left( {\begin{array}{c}|J(\mathcal {T}) |-|C(\mathcal {T}) |\\ |J(\mathcal {T}) | - \tau \end{array}}\right) \\&= \left( {\begin{array}{c}k-(M-|J(\mathcal {T}) |)\\ M-\tau -(M-|J(\mathcal {T}) |)\end{array}}\right) \\&\le \left( {\begin{array}{c}k\\ M-\tau \end{array}}\right) \end{aligned}$$

The first equality holds from \(\left( {\begin{array}{c}x\\ y\end{array}}\right) = \left( {\begin{array}{c}x\\ x-y\end{array}}\right) \) (for any \(x,y \in \mathbb {N}\)) while the second holds by definition of k. The inequality holds from \(\left( {\begin{array}{c}x\\ y\end{array}}\right) \ge \left( {\begin{array}{c}x-z\\ y-z\end{array}}\right) \) (for any \(x,y,z \in \mathbb {N}\) with \(z<x,y\)). We hence finally get:

$$\begin{aligned} p \ge (1-\alpha )\cdot \tilde{\varepsilon }- \frac{\left( {\begin{array}{c}k\\ M-\tau \end{array}}\right) }{\left( {\begin{array}{c}M\\ M-\tau \end{array}}\right) \cdot n^{k-M+\tau }} \ge (1-\alpha )\cdot \tilde{\varepsilon }- \varepsilon \end{aligned}$$

To summarize, in the presence of a good \(R_h\), the probability of the event \(\mathsf {succ}_{\tilde{\mathcal {P}}}\cap (E_1 \cup E_2 \cup E_3)\) (i.e. getting a successful transcript T which yields one the the three events \(E_1\), \(E_2\), or \(E_3\)) is lower bounded by \((1-\alpha )\cdot \tilde{\varepsilon }- \varepsilon > 0\). Moreover, the event \(\mathsf {succ}_{\tilde{\mathcal {P}}}\cap E_1\) can occur at most \(M-\tau \) times, because \(J_{T_0} \subseteq J(\mathcal {T}) \subseteq \{1, \ldots , M\}\). And the event \(\mathsf {succ}_{\tilde{\mathcal {P}}}\cap E_2\) can occur at most \(\tau \) times before further implying \(E_3\) (because if \(|C(\mathcal {T}) | \ge \tau \) then adding one more term to \(C(\mathcal {T})\) systematically implies \(E_3\)). We deduce that after \(M+1\) occurrences of \(\mathsf {succ}_{\tilde{\mathcal {P}}}\cap (E_1 \cup E_2 \cup E_3)\), the event \(E_3\) must have occurred at least once.

Let us now define

$$\begin{aligned} N_1 = \frac{4 M}{p_0} ~~~\text {with}~~~ p_0 := (1-\alpha )\cdot \tilde{\varepsilon }- \varepsilon ~. \end{aligned}$$

(E8)

And let \(X\sim \mathcal {B}(N_1, p_0)\) a binomial distributed random variable with parameters \((N_1,p_0)\). The probability that \(\mathcal {E} _0\) reaches the stop condition and returns a non-empty list for a successful transcript \(T_0\) with good \(R_h\) satisfies:

$$\begin{aligned} \Pr [\mathcal {E} _0(T_0) \ne \emptyset \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0} \cap R_h~\text {good}]&\ge \Pr [X>M] \nonumber \\&= \Pr \left[ \frac{X}{N_1}-p_0>\frac{M}{N_1}-p_0\right] \nonumber \\&= 1 - \Pr \left[ \frac{X}{N_1}-p_0<\frac{M}{N_1}-p_0\right] \nonumber \\&= 1 - \Pr \left[ \frac{X}{N_1}-p_0<-\frac{3}{4}p_0\right] \nonumber \\&\ge 1 - \Pr \left[ |\frac{X}{N_1}-p_0 |>\frac{3}{4}p_0\right] \nonumber \\&\ge 1 - \frac{p_0\cdot (1-p_0)}{N_1\cdot p_0^2 \cdot \left( \frac{3}{4}\right) ^2} \nonumber \\&= 1 - \frac{16}{9}\cdot \frac{1-p_0}{4\cdot M} = 1 - \frac{4}{9}\cdot \frac{1-p_0}{M} \nonumber \\&\ge 1 - \frac{4}{9} \ge \frac{1}{2} \end{aligned}$$

(E9)

The inequality (E9) holds from the Bienaymé-Techbychev inequality. Thus, using \(N_1 = \frac{4 M}{p_0}\), the probability to reach the stop condition assuming a good \(R_h\) is at least 1/2. Without assumption on \(R_h\), the probability to reach the stop condition satisfies:

$$\begin{aligned}&\Pr [\mathcal {E} _0(T_0) \ne \emptyset \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}] \\&\quad \ge \Pr [R_h~\text {good} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}]\cdot \Pr [\mathcal {E} _0(T_0) \ne \emptyset \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0} \cap R_h~\text {good}] \ge \frac{\alpha }{2}~. \end{aligned}$$

Let us now describe the complete extractor procedure:

Let C denotes the number of calls to \(\tilde{\mathcal {P}}\) made by the extractor before finishing. While entering a new iteration:

• the extractor makes one call to \(\tilde{\mathcal {P}}\) to obtain \(T_0\),

• if \(T_0\) is not successful, which occurs with probability \((1-\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}])\),

• \(\circ \) the extractor continues to the next iteration and makes an average of \(\mathbb {E}[C]\) calls to \(\tilde{\mathcal {P}}\),

• if \(T_0\) is successful, which occurs with probability \(\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}]\),

• \(\circ \) the extractor makes at most \(N_1\) calls to \(\tilde{\mathcal {P}}\) in the loop of \(\mathcal {E} _0\),

• \(\circ \) then \(\mathcal {E} _0\) returns an empty list (the stop condition is not reached), which occurs with probability \(\Pr [\mathcal {E} _0(T_0) = \emptyset \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}]\), the extractor continues to the next iteration and makes an average of \(\mathbb {E}[C]\) calls to \(\tilde{\mathcal {P}}\),

• \(\circ \) otherwise, if \(\mathcal {E} _0(T_0)\) returns a non-empty list, the extractor stops and no more calls to \(\tilde{\mathcal {P}}\) are necessary.

The mean number of calls to \(\tilde{\mathcal {P}}\) hence satisfies the following inequality:

$$\begin{aligned} \mathbb {E}[C]= & {} 1 + \underbrace{(1-\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}]) \cdot \mathbb {E}[C]}_{T_0~\text {unsuccessful}} \\&+ \underbrace{\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}] \cdot \big ( N_1 + \Pr [\mathcal {E} _0(T_0) = \emptyset \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}] \cdot \mathbb {E}[C]}_{T_0~\text {successful}}\big ) \end{aligned}$$

which gives

$$\begin{aligned} \mathbb {E}[C]&\le 1 + (1-\tilde{\varepsilon }) \cdot \mathbb {E}[C] + \tilde{\varepsilon } \cdot \Big ( N_1 + \big (1-\frac{\alpha }{2}\big ) \cdot \mathbb {E}[C] \Big ) \\&\le 1 + \tilde{\varepsilon } \cdot N_1 + \mathbb {E}[C] \Big (1 - \frac{\tilde{\varepsilon } \cdot \alpha }{2} \Big ) \\&\le \frac{2}{\alpha \cdot \tilde{\varepsilon }} \cdot (1 + \tilde{\varepsilon } \cdot N_1) \\&= \frac{2}{\alpha \cdot \tilde{\varepsilon }} \cdot \left( 1 + \tilde{\varepsilon } \cdot \frac{4\cdot M}{(1-\alpha )\cdot \tilde{\varepsilon }-\varepsilon }\right) \end{aligned}$$

To obtain an \(\alpha \)-free formula, let us take \(\alpha \) such that \((1-\alpha )\cdot \tilde{\varepsilon } = \frac{1}{2}(\tilde{\varepsilon } + \varepsilon )\). We have \(\alpha = \frac{1}{2}\left( 1-\frac{\varepsilon }{\tilde{\varepsilon }}\right) \) and the average number of calls to \(\tilde{\mathcal {P}}\) is upper bounded as

$$\begin{aligned} \mathbb {E}[C] \le \frac{4}{\tilde{\varepsilon }-\varepsilon } \cdot \left( 1+\tilde{\varepsilon } \cdot \frac{8\cdot M}{\tilde{\varepsilon }-\varepsilon }\right) \end{aligned}$$

which concludes the proof. \(\square \)

Appendix F: Security proof of the signature scheme

We give herafter the proof of Theorem 7. This proof is a carbon copy of the security proof of the Picnic signature scheme [14, Theorem 6.2] with few adaptations to our context.

Theorem 7 Fix some attacker \(\mathcal {A}\). Let \(q_s\) denote the number of signing queries made by \(\mathcal {A}\); let \(q_0\), \(q_1\),\(q_2\), respectively, denote the number of queries to \({\text {Hash}}_0\), \({\text {Hash}}_1\), \({\text {Hash}}_2\) made by \(\mathcal {A}\), and let \(q'\) denote the number of queries to \({\text {Hash}}'\) made by \(\mathcal {A}\). To prove security we define a sequence of experiments involving \(\mathcal {A}\), where the first corresponds to the experiment in which \(\mathcal {A}\) interacts with the real signature scheme. We let \({\text {Pr}}_i[\cdot ]\) refer to the probability of an event in experiment i. We let t denote the running time of the entire experiment, i.e., including both \(\mathcal {A}\) ’s running time and the time required to answer signing queries and to verify \(\mathcal {A}\) ’s output.

Experiment 1 This corresponds to the interaction of \(\mathcal {A}\) with the real signature scheme. In more detail: first \({\text {KeyGen}}\) is run to obtain (H, y, x), and \(\mathcal {A}\) is given the public key (H, y). In addition, we assume the random oracles \({\text {Hash}}_0\), \({\text {Hash}}_1\), \({\text {Hash}}_2\), and \({\text {Hash}}'\) are chosen uniformly from the appropriate spaces. \(\mathcal {A}\) may make signing queries, which will be answered as in the signature algorithm; \(\mathcal {A}\) may also query any of the random oracles. Finally, \(\mathcal {A}\) outputs a message/signature pair; we let \({\text {Forge}}\) denote the event that the message was not previously queried by \(\mathcal {A}\) to its signing oracle, and the signature is valid. We are interested in upper-bounding \({\text {Pr}}_1[{\text {Forge}} ]\).

Experiment 2 We abort the experiment if, during the course of the experiment, a collision in \({\text {Hash}}_0\), \({\text {Hash}}_1\), or \({\text {Hash}}_2\) is found. Suppose \(q=\max \{q_0, q_1,q_2\}\), then the number of queries to any oracle throughout the experiment (by either the adversary or the signing algorithm) is at most \((q + M n q_s)\). Thus,

$$\begin{aligned} |{\text {Pr}}_1[{\text {Forge}} ]-{\text {Pr}}_2[{\text {Forge}} ] |\le 3\cdot \frac{(q+M n q_s)^2}{2\cdot 2^{2\lambda }} . \end{aligned}$$

Experiment 3 The difference with the previous experiment is that, when signing a message m we begin by choosing \((J,L)\) uniformly. Steps 1 and 3 of the signing algorithm are computed as before, but in step 2 we simply set the output of \({\text {Hash}}'\) equal to \((J,L)\). Formally, a signature on a message m is now computed as follows:

• Step 0:

• Choose uniform \((J,L)\), where \(J\subset [M]\) is a set of size \(\tau \), and \(L=\{\ell _j\}_{j\in J}\) with \(\ell _j\in [n]\).

• Sample a random salt \(\textsf {salt}\leftarrow \{0,1\}^{2\lambda }\).

• Choose uniform \(\textsf {mseed}^{[0]}\in \{0,1\}^\lambda \).

• Compute the seeds \(\textsf {mseed}^{[1]}\), ..., \(\textsf {mseed}^{[M]}\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[0]})\).

• Step 1: For each \(j\in [M]\):

1. 1.

   Use \(\textsf {mseed}^{[j]}\) to generate values \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]}\) and \(r^{[j]}\in {\text {Ker}}(H)\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[j]})\).

2. 2.

   For \(i\in [n]\), sample \(\sigma _i^{[j]}, s_i^{[j]}\) using \(\textsf {seed}_i^{[j]}\) and compute \(c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]})\).

3. 3.

   (Cut-and-choose phase) Compute

   $$\begin{aligned} \sigma ^{[j]}&:= \sigma _n^{[j]} \circ \cdots \circ \sigma _1^{[j]} \\ s^{[j]}&:= s_n^{[j]} + \sigma _n^{[j]}(\cdots + \sigma _2^{[j]}(s_1^{[j]})) \\ q^{[j]}&:= \sigma ^{[j]}(r^{[j]}) + s^{[j]} \end{aligned}$$
4. 4.

   (Sound phase) Compute

   $$\begin{aligned} v^{[j]}&:= \sigma ^{[j]}(x) \\ \tilde{x}^{[j]}&:= x+r^{[j]} \\ u_0^{[j]}&:= \tilde{x}^{[j]} \\ u_i^{[j]}&:= \sigma _i^{[j]}(u_{i-1}^{[j]})+s_i^{[j]} \text { for all } i\in [n] \end{aligned}$$
5. 5.

   Compute \(h_j := {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, \ldots , c_n^{[j]})\) and \(h'_j := {\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\).

• Step 2: Set \({\text {Hash}}'(m,\textsf {salt},h_1,\ldots ,h_M,h')\) equal to \((J,L)\), with \(h'{:=}{\text {Merkle}}(h'_1,\ldots ,h'_M),\). The signature includes \((J,L)\).

• Step 3: For each \(j\not \in J\), the signer includes \(\textsf {mseed}^{[j]}\), \(h'\) in the signature. Also, for each \(j\in J\), the signer includes \(v^{[j]}\), \(\tilde{x}^{[j]}\), \((\textsf {seed}_i^{[j]})_{i\not =\ell _j}\), \(c_{\ell _j}^{[j]}\) and \(u_{\ell _j}^{[j]}\).

The only difference between this experiment and the previous one occurs if, in the course of answering a signing query, the query to \({\text {Hash}}'\) in step 2 was ever made before (by either the adversary or as part of answering some other signing query). Letting \({\text {InputColl}}_{G}\) denote this event, we have

$$\begin{aligned} |{\text {Pr}}_3[{\text {Forge}} ]-{\text {Pr}}_2[{\text {Forge}} ] | \le {\text {Pr}}_3[{\text {InputColl}}_{G} ] . \end{aligned}$$

Experiment 4 The difference with the previous experiment is that the signer now chooses uniform \(\{\textsf {seed}_i^{[j]}\}_{i\in [n]}\) for all \(j\in J\). That is, signatures are now computed as follows:

• Step 0:

• Choose uniform \((J,L)\), where \(J\subset [M]\) is a set of size \(\tau \), and \(L=\{\ell _j\}_{j\in J}\) with \(\ell _j\in [n]\).

• Sample a random salt \(\textsf {salt}\leftarrow \{0,1\}^{2\lambda }\).

• Choose uniform \(\textsf {mseed}^{[0]}\in \{0,1\}^\lambda \).

• Compute the seeds \(\textsf {mseed}^{[1]}\), ..., \(\textsf {mseed}^{[M]}\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[0]})\).

• Step 1: For each \(j\in [M]\):

1. 1.

   If \(j\not \in J\), use \(\textsf {mseed}^{[j]}\) to generate values \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]}\) and \(r^{[j]}\in {\text {Ker}}(H)\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[j]})\). If \(j\in J\), choose uniform \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]} \in \{0,1\}^\lambda \) and \(r^{[j]}\in {\text {Ker}}(H)\).

2. 2.

   For \(i\in [n]\), sample \(\sigma _i^{[j]}, s_i^{[j]}\) using \(\textsf {seed}_i^{[j]}\) and compute \(c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]})\).

3. 3.

   (Cut-and-choose phase) Compute

   $$\begin{aligned} \sigma ^{[j]}&:= \sigma _n^{[j]} \circ \cdots \circ \sigma _1^{[j]} \\ s^{[j]}&:= s_n^{[j]} + \sigma _n^{[j]}(\cdots + \sigma _2^{[j]}(s_1^{[j]})) \\ q^{[j]}&:= \sigma ^{[j]}(r^{[j]}) + s^{[j]} \end{aligned}$$
4. 4.

   (Sound phase) Compute

   $$\begin{aligned} v^{[j]}&:= \sigma ^{[j]}(x) \\ \tilde{x}^{[j]}&:= x+r^{[j]} \\ u_0^{[j]}&:= \tilde{x}^{[j]} \\ u_i^{[j]}&:= \sigma _i^{[j]}(u_{i-1}^{[j]})+s_i^{[j]} \text { for all } i\in [n] \end{aligned}$$
5. 5.

   Compute \(h_j := {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, \ldots , c_n^{[j]})\) and \(h'_j := {\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\).

• Step 2: Set \({\text {Hash}}'(m,\textsf {salt},h_1,\ldots ,h_M,h')\) equal to \((J,L)\), with \(h'{:=}{\text {Merkle}}(h'_1,\ldots ,h'_M),\). The signature includes \((J,L)\).

• Step 3: For each \(j\not \in J\), the signer includes \(\textsf {mseed}^{[j]}\), \(h'\) in the signature. Also, for each \(j\in J\), the signer includes \(v^{[j]}\), \(\tilde{x}^{[j]}\), \((\textsf {seed}_i^{[j]})_{i\not =\ell _j}\), \(c_{\ell _j}^{[j]}\) and \(u_{\ell _j}^{[j]}\).

It is easy to see that if the pseudorandom generator is \((t, \epsilon _\text {PRG})\)-secure, then

$$\begin{aligned} |{\text {Pr}}_4[{\text {Forge}} ]-{\text {Pr}}_3[{\text {Forge}} ] | \le q_s\cdot \tau \cdot \epsilon _\text {PRG} \end{aligned}$$

and

$$\begin{aligned} |{\text {Pr}}_4[{\text {InputColl}}_{G} ]-{\text {Pr}}_3[{\text {InputColl}}_{G} ] | \le q_s\cdot \tau \cdot \epsilon _\text {PRG} . \end{aligned}$$

We now bound \({\text {Pr}}_4[{\text {InputColl}}_{G} ]\). Fix some previous query \((m,h_1,\ldots ,h_M,h')\) to \({\text {Hash}}'\), and look at a query \({\text {Hash}}'(\hat{m},\hat{h}_1,\ldots ,\hat{h}_M,\hat{h}')\) made while responding to some signing query. (In the rest of this discussion, we will use \(\hat{\cdot }\) to represent values computed as part of answering that signing query.) For some fixed \(j\in \hat{J}\), it is not hard to see that the probability of the event \(\hat{h}_j=h_j\) is maximized if \(h_j\) was output by a previous query \({\text {Hash}}_1(q^{[j]}, c_1^{[j]}, ..., c_n^{[j]})\), and each \(c_i^{[j]}\) was output by a previous \({\text {Hash}}_0(\textsf {seed}_i^{[j]})\). (In all cases, the relevant prior query must be unique since the experiment is aborted if there is a collision in \({\text {Hash}}_0\) or \({\text {Hash}}_1\).) In that case, the probability that \(\hat{h}_j=h_j\) is at most

$$\begin{aligned} (2^{-\lambda } + 2^{-2\lambda })^n + 2^{-2\lambda } \le 2 \cdot 2^{-2\lambda } \end{aligned}$$

(assuming \(n\ge 3\)), and thus the probability that \(\hat{h}_j=h_j\) for all \(j\in \hat{J}\) is at most \(2^{-\tau \cdot (2\lambda -1)}\). Taking a union bound over all signing queries and all queries made to \({\text {Hash}}'\) (including those made during the course of answering signing queries), we conclude that

$$\begin{aligned} {\text {Pr}}_4[{\text {InputColl}}_{G} ] \le q_s \cdot (q_s+q') \cdot 2^{-\tau \cdot (2\lambda -1)} . \end{aligned}$$

Experiment 5 The difference with the previous experiment is that:

• For each \(j\in J\), choose uniform \(c_{\ell _j}^{[j]}\) (i.e., without making the corresponding query to \({\text {Hash}}_0\)).

• For each \(j\not \in J\), choose uniform \(h'_j\) (i.e., without making the corresponding query to \({\text {Hash}}_2\)).

So, signatures are now computed as follows:

• Step 0:

• Choose uniform \((J,L)\), where \(J\subset [M]\) is a set of size \(\tau \), and \(L=\{\ell _j\}_{j\in J}\) with \(\ell _j\in [n]\).

• Sample a random salt \(\textsf {salt}\leftarrow \{0,1\}^{2\lambda }\).

• Choose uniform \(\textsf {mseed}^{[0]}\in \{0,1\}^\lambda \).

• Compute the seeds \(\textsf {mseed}^{[1]}\), ..., \(\textsf {mseed}^{[M]}\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[0]})\).

• Step 1: For each \(j\in [M]\):

1. 1.

   If \(j\not \in J\), use \(\textsf {mseed}^{[j]}\) to generate values \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]}\) and \(r^{[j]}\in {\text {Ker}}(H)\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[j]})\). If \(j\in J\), choose uniform \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]} \in \{0,1\}^\lambda \) and \(r^{[j]}\in {\text {Ker}}(H)\).

2. 2.

   For \(i\in [n]\), sample \(\sigma _i^{[j]}, s_i^{[j]}\) using \(\textsf {seed}_i^{[j]}\) and compute

   $$\begin{aligned} \left\{ \begin{array}{l} c_{\ell _j}^{[j]} \text { is chosen uniformly in }\{0,1\}^{2\lambda }\text { if } j\in J\\ c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]}) \text { for all other } i,j \end{array} \right. ~. \end{aligned}$$
3. 3.

   (Cut-and-choose phase) Compute

   $$\begin{aligned} \sigma ^{[j]}&:= \sigma _n^{[j]} \circ \cdots \circ \sigma _1^{[j]} \\ s^{[j]}&:= s_n^{[j]} + \sigma _n^{[j]}(\cdots + \sigma _2^{[j]}(s_1^{[j]})) \\ q^{[j]}&:= \sigma ^{[j]}(r^{[j]}) + s^{[j]} \end{aligned}$$
4. 4.

   (Sound phase) Compute

   $$\begin{aligned} v^{[j]}&:= \sigma ^{[j]}(x) \\ \tilde{x}^{[j]}&:= x+r^{[j]} \\ u_0^{[j]}&:= \tilde{x}^{[j]} \\ u_i^{[j]}&:= \sigma _i^{[j]}(u_{i-1}^{[j]})+s_i^{[j]} \text { for all } i\in [n] \end{aligned}$$
5. 5.

   Compute \(h_j {:=} {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, \ldots , c_n^{[j]})\). For \(j\in J\), set \(h'_j := {\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\); otherwise, choose uniform \(h'_j\in \{0,1\}^{2\lambda }\).

• Step 2: Set \({\text {Hash}}'(m,\textsf {salt},h_1,\ldots ,h_M,h')\) equal to \((J,L)\), with \(h'{:=}{\text {Merkle}}(h'_1,\ldots ,h'_M),\). The signature includes \((J,L)\).

• Step 3: For each \(j\not \in J\), the signer includes \(\textsf {mseed}^{[j]}\), \(h'\) in the signature. Also, for each \(j\in J\), the signer includes \(v^{[j]}\), \(\tilde{x}^{[j]}\), \((\textsf {seed}_i^{[j]})_{i\not =\ell _j}\), \(c_{\ell _j}^{[j]}\) and \(u_{\ell _j}^{[j]}\).

The only difference between this experiment and the previous one occurs if, during the course of answering a signing query, \(\textsf {seed}_{\ell _j}^{[j]}\) (for some \(j\in J\)) is queried to \({\text {Hash}}_0\) at some other point in the experiment, or \((v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\) (for some \(j\not \in J\)) is ever queried to \({\text {Hash}}_2\) at some other point in the experiment. Denoting this event by \({\text {InputColl}}_{H}\), we thus have

$$\begin{aligned} |{\text {Pr}}_5[{\text {Forge}} ] - {\text {Pr}}_4[{\text {Forge}} ] | \le {\text {Pr}}_5[{\text {InputColl}}_{H} ] . \end{aligned}$$

Experiment 6 We again modify the experiment. Now, for \(j\in J\) the signer uses the HVZK simulator (see Theorem 5), that we shall denote \(\mathcal {S} \), to generate the views of the parties in an execution of a sound phase. This results in \(\{\textsf {seed}_i^{[j]}\}_{i\not =\ell _j}\), \(q^{[j]}\), \(v^{[j]}\), \(\tilde{x}^{[j]}\) and \(u_{\ell _j}^{[j]}\). From the respective views, \(\{u_i^{[j]}\}_{i\not =\ell _j}\) can be computed, and \(h_j\), \(h'_j\) can be computed as well. Thus, signatures are now computed as follows:

• Step 0:

• Choose uniform \((J,L)\), where \(J\subset [M]\) is a set of size \(\tau \), and \(L=\{\ell _j\}_{j\in J}\) with \(\ell _j\in [n]\).

• Sample a random salt \(\textsf {salt}\leftarrow \{0,1\}^{2\lambda }\).

• Choose uniform \(\textsf {mseed}^{[0]}\in \{0,1\}^\lambda \).

• Compute the seeds \(\textsf {mseed}^{[1]}\), ..., \(\textsf {mseed}^{[M]}\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[0]})\).

• Step 1: For \(j\not \in J\):

1. 1.

   Use \(\textsf {mseed}^{[j]}\) to generate values \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]}\) and \(r^{[j]}\in {\text {Ker}}(H)\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[j]})\).

2. 2.

   For \(i\in [n]\), sample \(\sigma _i^{[j]}, s_i^{[j]}\) using \(\textsf {seed}_i^{[j]}\) and compute \(c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]})\).

3. 3.

   (Cut-and-choose phase) Compute

   $$\begin{aligned} \sigma ^{[j]}&:= \sigma _n^{[j]} \circ \cdots \circ \sigma _1^{[j]} \\ s^{[j]}&:= s_n^{[j]} + \sigma _n^{[j]}(\cdots + \sigma _2^{[j]}(s_1^{[j]})) \\ q^{[j]}&:= \sigma ^{[j]}(r^{[j]}) + s^{[j]} \end{aligned}$$
4. 4.

   Let \(h_j := {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, ..., c_n^{[j]})\). Choose uniform \(h'_j\in \{0,1\}^{2\lambda }\).

For \(j\in J\):

1. 1.

   Compute \((\{\textsf {seed}_i^{[j]}\}_{i\not =\ell _j}, q^{[j]}, v^{[j]}, \tilde{x}^{[j]}, u_{\ell _j}^{[j]}) \leftarrow \mathcal {S} (\ell _j)\). Compute \(\{u_i^{[j]}\}_{i\not =\ell _j}\) based on this information.

2. 2.

   Choose uniform \(c_{\ell _j}^{[j]}\in \{0,1\}^{2\lambda }\). For all other i, set \(c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]})\).

3. 3.

   Let \(h_j := {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, ..., c_n^{[j]})\) and \(h'_j={\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\).

• Step 2: Set \({\text {Hash}}'(m,\textsf {salt},h_1,\ldots ,h_M,h')\) equal to \((J,L)\), with \(h'{:=}{\text {Merkle}}(h'_1,\ldots ,h'_M),\). The signature includes \((J,L)\).

• Step 3: For each \(j\not \in J\), the signer includes \(\textsf {mseed}^{[j]}\), \(h'\) in the signature. Also, for each \(j\in J\), the signer includes \(v^{[j]}\), \(\tilde{x}^{[j]}\), \((\textsf {seed}_i^{[j]})_{i\not =\ell _j}\), \(c_{\ell _j}^{[j]}\) and \(u_{\ell _j}^{[j]}\).

Observe that the secret x is no longer used for generating signatures. Recall, the adversary against simulator has distinguishing advantage \(\epsilon _\text {PRG}+\epsilon _\text {Com}\) where \(\epsilon _\text {Com}\) is zero since we are in the Random Oracle Model and we remove the collisions in Experiment 2. It is immediate that

$$\begin{aligned} |{\text {Pr}}_6[{\text {Forge}} ]-{\text {Pr}}_5[{\text {Forge}} ] | \le \tau \cdot q_s\cdot \epsilon _\text {PRG} \end{aligned}$$

and

$$\begin{aligned} |{\text {Pr}}_6[{\text {InputColl}}_{H} ]-{\text {Pr}}_5[{\text {InputColl}}_{H} ] | \le \tau \cdot q_s\cdot \epsilon _\text {PRG} . \end{aligned}$$

We now bound \({\text {Pr}}_6[{\text {InputColl}}_{H} ]\). For any particular signing query and any \(j\in J\), the value \(\textsf {seed}_{\ell _j}^{[j]}\) has min-entropy at least \(\lambda \) and is not used anywhere else in the experiment. Similarly, for any \(j\not \in J\), the value \((v^{[j]}, \tilde{x}^{[j]})\) has min-entropy at least \(\lambda \), since the input is \(\lambda \)-bit, and is not used anywhere else in the experiment. Thus,

$$\begin{aligned} {\text {Pr}}_6[{\text {InputColl}}_{H} ] \le M \cdot q_s \cdot (M q_s + q_0 + q_2) \cdot 2^{-\lambda } . \end{aligned}$$

Experiment 7 We first define some notation. At any point during the experiment, we classify a pair \((h_j, h'_j)\) in one of the following ways:

1. 1.

   If \(h_j\) was output by a previous query \({\text {Hash}}_1(q^{[j]},c_1^{[j]},\ldots ,c_n^{[j]})\), and each \(c_i^{[j]}\) was output by a previous query \({\text {Hash}}_0(\textsf {seed}_i^{[j]})\) where the \((\{\textsf {seed}_i^{[j]}\}_i,q^{[j]})\) forms a valid preprocessing (i.e., \(\left( \sigma ^{[j]}\right) ^{-1}\left( q^{[j]}-s^{[j]}\right) \in {\text {Ker}}(H)\)), then say \((h_j, h'_j)\) defines correct preprocessing.

2. 2.

   If \(h_j\) was output by a previous query \({\text {Hash}}_1(q^{[j]},c_1^{[j]},\ldots ,c_n^{[j]})\), and each \(c_i^{[j]}\) was output by a previous query \({\text {Hash}}_0(\textsf {seed}_i^{[j]})\), and \(h'_j\) was output by a previous query \({\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, u_1^{[j]},\ldots ,u_n^{[j]})\) where \(\{\textsf {seed}_i^{[j]}\}_i\), \(q^{[j]}\), \(v^{[j]}\), \(\tilde{x}^{[j]}\), \(\{u_i^{[j]}\}_i\) are consistent with an online execution (but the \((\{\textsf {seed}_i^{[j]}\}_i,q^{[j]})\) may not form a valid preprocessing), then say \((h_j, h'_j)\) defines correct execution.

3. 3.

   In any other case, say \((h_j, h'_j)\) is bad.

(Note that in all cases the relevant prior query, if it exists, must be unique since the experiment is aborted if there is ever a collision in \({\text {Hash}}_0\), \({\text {Hash}}_1\), or \({\text {Hash}}_2\).)

In Experiment 7, for each query \({\text {Hash}}'(m,h_1,...,h_M,{\mathrm{Merkle}}(h'_1,\ldots ,h'_M))\) made by the adversary (where m was not previously queried to the signing oracle), check if there exists an index j for which \((h_j, h'_j)\) defines correct preprocessing and correct execution. We let Solve be the event that this occurs for some query to \({\text {Hash}}'\). Note that if that event occurs, the \(\{\textsf {seed}_i^{[j]}\}_i\), \(q^{[j]}\), \(v^{[j]}\), \(\tilde{x}^{[j]}\) (which can be determined from the oracle queries of the adversary) allow computation of \(x'\) for which \(Hx'=y\) and \({\text {wt}}(x')=w\). Thus, \({\text {Pr}}_7[\textsf {Solve}]\le \epsilon _\text {SD}\).

We claim that

$$\begin{aligned} {\text {Pr}}_7[{\text {Forge}} \wedge \overline{\textsf {Solve}}] \le q'\cdot \varepsilon (M, n, \tau ) . \end{aligned}$$

To see this, assume \(\textsf {Solve}\) does not occur. For any query \({\text {Hash}}'(m,h_1,...,h_M, {\mathrm{Merkle}}(h'_1,\ldots ,h'_M))\) made during the experiment (where m was not previously queried to the signing oracle), let Pre denote the set of indices for which \((h_j, h'_j)\) defines correct preprocessing (but not correct execution), and let \(k=|\textsf {Pre} |\). Let \((J,L)\) be the (random) answers from this query to \({\text {Hash}}'\). The attacker can only possibly generate a forgery (using this \({\text {Hash}}'\)-query) if (1) \([M]\backslash J\subset \textsf {Pre}\), and (2) for all \(j\in \textsf {Pre}\cap J\), the value \(\ell _j\) is chosen to be the unique party such that the views of the remaining parties are consistent. Since \(|M\backslash J |=M-\tau \), the number of ways the first event can occur is \(\left( {\begin{array}{c}k\\ M-\tau \end{array}}\right) \); given this, there are \(k-(M-\tau )\) elements remaining in \(\textsf {Pre}\cap J\). Thus, the overall probability with which the attacker can generate a forgery using this \({\text {Hash}}'\)-query is

$$\begin{aligned} \varepsilon (M, n, \tau , k)&= \frac{\left( {\begin{array}{c}k\\ M-\tau \end{array}}\right) \cdot n^{M-\tau }}{\left( {\begin{array}{c}M\\ M-\tau \end{array}}\right) \cdot n^\tau } \\&= \frac{\left( {\begin{array}{c}k\\ M-\tau \end{array}}\right) }{\left( {\begin{array}{c}M\\ M-\tau \end{array}}\right) \cdot n^{\tau -M+\tau }} \\&\le \varepsilon (M,n,\tau ) := \max _k \{\varepsilon (M, n, \tau , k)\} . \end{aligned}$$

The final bound is obtained by taking a union bound over all queries to \({\text {Hash}}'\). \(\square \)

Appendix G: Boolean circuit for syndrome decoding problem

Let us define a circuit for the boolean function \(C_{H,y}\) defined as

$$\begin{aligned} C_{H,y}:x\in \mathbb {F}_2^m\mapsto \left\{ \begin{array}{l} 1 \text { if }Hx = y\text { and }{\text {wt}}(x)=w \\ 0 \text { else } \end{array} \right. ~. \end{aligned}$$

Since \(H\in \mathbb {F}_2^{(m-k)\times m}\) is public, it is hardcoded into the circuit so that computing Hx is free in terms of AND gates. To compute \({\text {wt}}(x)\), we need to sum all the bits of x, which involves AND gates to deal with carry propagation. To minimize the number of carries, and hence of AND gates, a possible strategy is to use a binary tree as follows:

• Let us denote \(\ell :=\lceil \log _2(w+1)\rceil \). For the sake of simplicity, we assume that m is a multiple of \(2^\ell \).

• We split the m bits of x in t blocks of \(2^\ell \) bits.

• For each block of size \(2^\ell \), we sum all the bits with a tree:

• \(\circ \) At the first level of the tree, we sum the bits two by two to obtain \(\frac{2^\ell }{2}\) 2-bit values.

• \(\circ \) At the second level of the tree, we sum the previous 2-bit values two by two to obtain \(\frac{2^\ell }{4}\) 3-bit values.

        \(\vdots \)

• \(\circ \) At the \(\ell \)-th level of the tree, we sum the two previous \((\ell -1)\)-bit values to obtain a single \(\ell \)-bit value.

The resulting number of AND gates for one \(2^\ell \)-bit block is

$$\begin{aligned} 2^{\ell -1}\cdot a(1) + 2^{\ell -2}\cdot a(2) + \ldots + 1\cdot a(\ell ) \end{aligned}$$

where a(i) denotes the number of AND gates in an addition on i bits.

• We have t sum-blocks of \(\ell \) bits. We now sum all these blocks using an additional overflow bit to keep in memory if the sum exceeds \(2^\ell \). The resulting number of AND gates for this step is

  $$\begin{aligned} (t-1)\cdot a'(\ell ) \end{aligned}$$

where \(a'(\ell )\) denotes the number of AND gates in an addition on \(\ell \) bits with the overflow bit.

So the total number of AND gates to compute \({\text {wt}}(x)\) is

$$\begin{aligned} t\cdot \sum _{i=1}^{\ell } 2^{\ell -i}\cdot a(i) + (t-1)\cdot a'(\ell ) ~. \end{aligned}$$

For the addition circuit, we can use a full adder circuit and so

$$\begin{aligned} \left\{ \begin{array}{l} a(i) = 1 + 2\cdot (i-1) = 2i-1 \\ a'(\ell ) = 1 + 2\cdot (\ell -1) + 1 = 2\ell \end{array}\right. ~. \end{aligned}$$

Once Hx and \({\text {wt}}(x)\) are computed, the circuit just need to check that \(Hx=y\) and \({\text {wt}}(w)\), and for that it needs \((m-k) + l\) AND gates.