Abstract
The threat of a coming quantum computer motivates the research for new zeroknowledge proof techniques for (or based on) postquantum cryptographic problems. One of the few directions is codebased cryptography for which the strongest problem is the syndrome decoding (SD) of random linear codes. This problem is known to be NPhard and the cryptanalysis state of affairs has been stable for many years. A zeroknowledge protocol for this problem was pioneered by Stern in 1993. As a simple publiccoin threeround protocol, it can be converted to a postquantum signature scheme through the famous FiatShamir transform. The main drawback of this protocol is its high soundness error of 2/3, meaning that it should be repeated \(\approx 1.7 \lambda \) times to reach a \(\lambda \)bit security. In this paper, we improve this threedecadeold state of affairs by introducing a new zeroknowledge proof for the syndrome decoding problem on random linear codes. Our protocol achieves a soundness error of 1/n for an arbitrary n in complexity \(\mathcal {O}(n)\). Our construction requires the verifier to trust some of the variables sent by the prover which can be ensured through a cutandchoose approach. We provide an optimized version of our zeroknowledge protocol which achieves arbitrary soundness through parallel repetitions and merged cutandchoose phase. While turning this protocol into a signature scheme, we achieve a signature size of 17 KB for a 128bit security. This represents a significant improvement over previous constructions based on the syndrome decoding problem for random linear codes.
This is a preview of subscription content, access via your institution.
Data Availability
Not applicable.
Notes
We might for instance use a computationally hiding hashbased commitment scheme defined as \({\text {Com}}: (x,\rho ) \mapsto {\text {Hash}}(x \parallel \rho )\) for a longenough random nonce \(\rho \).
References
Abdalla M., An J.H., Bellare M., Namprempre C.: From identification to signatures via the FiatShamir transform: minimizing assumptions for security and forwardsecurity. In: Knudsen L.R. (ed.) Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332, pp. 418–433. Springer, Amsterdam (2002). https://doi.org/10.1007/3540460357_28.
Aguilar C., Gaborit P., Schrek J.: A new zeroknowledge code based identification scheme with reduced communication. In: 2011 IEEE Information Theory Workshop, pp. 648–652 (2011). https://doi.org/10.1109/ITW.2011.6089577.
Alaoui S.M.E.Y., Cayrel P., Bansarkhani R.E., Hoffmann G.: Codebased identification and signature schemes in software. In: Cuzzocrea A., Kittl C., Simos D.E., Weippl E.R., Xu L. (eds.) Security Engineering and Intelligence Informatics—CDARES 2013 Workshops: MoCrySEn and SeCIHD, Regensburg, Germany, September 2–6, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8128, pp. 122–136. Springer, Berlin (2013).
Albrecht M.R., Rechberger C., Schneider T., Tiessen T., Zohner M.: Ciphers for MPC and FHE. In: Oswald E., Fischlin M. (eds.) Advances in Cryptology—EUROCRYPT 2015, Part I. Lecture Notes in Computer Science, vol. 9056, pp. 430–454. Springer, Sofia (2015). https://doi.org/10.1007/9783662468005_17.
Aragon N., Blazy O., Gaborit P., Hauteville A., Zémor G.: Durandal: a rank metric based signature scheme. In: Ishai Y., Rijmen V. (eds.) Advances in Cryptology—EUROCRYPT 2019, Part III. Lecture Notes in Computer Science, vol. 11478, pp. 728–758. Springer, Darmstadt (2019). https://doi.org/10.1007/9783030176594_25.
Baldi M., Barenghi A., Chiaraluce F., Pelosi G., Santini P.: A finite regime analysis of information set decoding algorithms. Algorithms 12(10), 209 (2019).
Barenghi A., Biasse J.F., Persichetti E., Santini P.: LESSFM: Finetuning signatures from the code equivalence problem. In: Cheon J.H., Tillich J.P. (eds.) PostQuantum Cryptography—12th International Workshop, PQCrypto 2021, pp. 23–43. Springer (2021). https://doi.org/10.1007/9783030812935_2.
Baum C., de Saint Guilhem C., Kales D., Orsini E., Scholl P., Zaverucha G.: Banquet: short and fast signatures from AES. In: Garay J. (ed.) PKC 2021: 24th International Conference on Theory and Practice of Public Key Cryptography, Part I. Lecture Notes in Computer Science, vol. 12710, pp. 266–297. Springer, Virtual Event (2021). https://doi.org/10.1007/9783030752453_11.
Becker A., Joux A., May A., Meurer A.: Decoding random binary linear codes in \(2^{n/20}\): How 1 + 1 = 0 improves information set decoding. In: Pointcheval D., Johansson T. (eds.) Advances in Cryptology—EUROCRYPT 2012. Lecture Notes in Computer Science, vol. 7237, pp. 520–536. Springer, Cambridge (2012). https://doi.org/10.1007/9783642290114_31.
Bernstein D.J., Hülsing A., Kölbl S., Niederhagen R., Rijneveld J., Schwabe P.: The SPHINCS\(^+\) signature framework. In: Cavallaro L., Kinder J., Wang X., Katz J. (eds.) ACM CCS 2019: 26th Conference on Computer and Communications Security, pp. 2129–2146. ACM Press, London (2019). https://doi.org/10.1145/3319535.3363229.
Beullens W.: Sigma protocols for MQ, PKP and SIS, and Fishy signature schemes. In: Canteaut A., Ishai Y. (eds.) Advances in Cryptology—EUROCRYPT 2020, Part III. Lecture Notes in Computer Science, vol. 12107, pp. 183–211. Springer, Zagreb (2020). https://doi.org/10.1007/9783030457273_7.
Biasse J.F., Micheli G., Persichetti E., Santini P.: LESS is more: codebased signatures without syndromes. In: Nitaj A., Youssef A.M. (eds.) AFRICACRYPT 20: 12th International Conference on Cryptology in Africa. Lecture Notes in Computer Science, vol. 12174, pp. 45–65. Springer, Cairo (2020). https://doi.org/10.1007/9783030519384_3.
Chailloux A.: On the (In)security of optimized Sternlike signature schemes. In: WCC 2022: The Twelfth International Workshop on Coding and Cryptography. https://www.wcc2022.unirostock.de/storages/unirostock/Tagungen/WCC2022/Papers/WCC_2022_paper_54.pdf.
Chase M., Derler D., Goldfeder S., Katz J., Kolesnikov V., Orlandi C., Ramacher S., Rechberger C., Slamanig D., Wang X., Zaverucha G.: The picnic signature scheme—design document. Version 2.2—14 April 2020. https://raw.githubusercontent.com/microsoft/Picnic/master/spec/designv2.2.pdf.
de Saint Guilhem C., De Meyer L., Orsini E., Smart N.P.: BBQ: using AES in picnic signatures. In: Paterson K.G., Stebila D. (eds.) SAC 2019: 26th Annual International Workshop on Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 11959, pp. 669–692. Springer, Waterloo (2019). https://doi.org/10.1007/9783030384715_27.
DebrisAlazard T., Sendrier N., Tillich J.P.: Wave: a new family of trapdoor oneway preimage sampleable functions based on codes. In: Galbraith, S.D., Moriai, S. (eds.) Advances in Cryptology—ASIACRYPT 2019, Part I. Lecture Notes in Computer Science, vol. 11921, pp. 21–51. Springer, Kobe (2019). https://doi.org/10.1007/9783030345785_2.
Feneuil T., Joux A., Rivain M.: Syndrome decoding in the head: shorter signatures from zeroknowledge proofs. Cryptology ePrint Archive, Report 2022/188 (2022). https://eprint.iacr.org/2022/188.
Fiat A., Shamir A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko A.M. (ed.) Advances in Cryptology—CRYPTO’86. Lecture Notes in Computer Science, vol. 263, pp. 186–194. Springer, Santa Barbara (1987). https://doi.org/10.1007/3540477217_12.
Gaborit P., Girault M.: Lightweight codebased identification and signature. In: IEEE International Symposium on Information Theory, ISIT 2007, Nice, France, June 24–29, 2007, pp. 191–195. IEEE (2007).
Gueron S., Persichetti E., Santini P.: Designing a practical codebased signature scheme from zeroknowledge proofs with trusted setup. Cryptography (2022). https://doi.org/10.3390/cryptography6010005.
Ishai Y., Kushilevitz E., Ostrovsky R., Sahai A.: Zeroknowledge from secure multiparty computation. In: Johnson D.S., Feige U. (eds.) 39th Annual ACM Symposium on Theory of Computing, pp. 21–30. ACM Press, San Diego (2007). https://doi.org/10.1145/1250790.1250794.
Kales D., Zaverucha G.: An attack on some signature schemes constructed from fivepass identification schemes. In: Krenn S., Shulman H., Vaudenay S. (eds.) CANS 20: 19th International Conference on Cryptology and Network Security. Lecture Notes in Computer Science, vol. 12579, pp. 3–22. Springer, Vienna. (2020). https://doi.org/10.1007/9783030654115_1.
Kales D., Zaverucha G.: Improving the performance of the Picnic signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 4, 154–188 (2020).
Katz J., Kolesnikov V., Wang X.: Improved noninteractive zero knowledge with applications to postquantum signatures. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018: 25th Conference on Computer and Communications Security, pp. 525–537. ACM Press, Toronto (2018). https://doi.org/10.1145/3243734.3243805.
Lyubashevsky V.: FiatShamir with aborts: applications to lattice and factoringbased signatures. In: Matsui M. (ed.) Advances in Cryptology—ASIACRYPT 2009. Lecture Notes in Computer Science, vol. 5912, pp. 598–616. Springer, Tokyo (2009). https://doi.org/10.1007/9783642103667_35.
May A., Meurer A., Thomae E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee D.H., Wang X. (eds.) Advances in Cryptology – ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 107–124. Springer, Seoul (2011). https://doi.org/10.1007/9783642253850_6.
Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000). https://doi.org/10.1007/s001450010003.
Schnorr C.P.: Efficient identification and signatures for smart cards. In: Brassard G. (ed.) Advances in Cryptology—CRYPTO’89. Lecture Notes in Computer Science, vol. 435, pp. 239–252. Springer, Santa Barbara (1990). https://doi.org/10.1007/0387348050_22.
Shor P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE Computer Society Press, Santa Fe, NM, USA (1994). https://doi.org/10.1109/SFCS.1994.365700.
Stern J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) Advances in Cryptology—CRYPTO’93. Lecture Notes in Computer Science, vol. 773, pp. 13–21. Springer, Santa Barbara, CA, USA (1994). https://doi.org/10.1007/3540483292_2.
Torres R.C., Sendrier N.: Analysis of information set decoding for a sublinear error weight. In: Takagi T. (ed.) PostQuantum Cryptography—7th International Workshop, PQCrypto 2016, pp. 144–161. Springer, Fukuoka (2016). https://doi.org/10.1007/9783319293608_10.
Véron P.: Improved identification schemes based on errorcorrecting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996).
Acknowledgements
Thibauld Feneuil and Matthieu Rivain are financially supported by (employees of) CryptoExperts. Antoine Joux is financially supported by (employee of) CISPA. The research leading to these results was conducted in the context of Thibauld Feneuil’s PhD study which is partly supported by French “Association Nationale de la Recherche et de la Technologie” (ANRT) under a grant agreement “convention CIFRE”. This work has been supported by the European Union’s H2020 Programme under Grant Agreement Number ERC669891.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by S. D. Galbraith.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix A: splitting lemma
In our proofs, we shall make use of the following lemma from [27]:
Lemma 8
(Splitting Lemma) Let X and Y be two finite sets, and let \(A \subseteq X \times Y\) such that
For any \(\alpha \in [0,1)\), let
We have:

1.
\(\Pr \big [(x,y) \in B \mid (x,y) \leftarrow X\times Y\big ] \ge \alpha \cdot \varepsilon \)

2.
\(\Pr \big [(x,y) \in B \mid (x,y) \leftarrow A \big ] \ge \alpha \) .
Appendix B: Proof of Theorem 2 (Zero Knowledge of Protocol 2)
Proof
We first describe a way to generate an identical distribution to the internal variables of Protocol 2 and then describe the zeroknowledge simulator.
Identical distribution
One way to generate an identical distribution to that of variables of Protocol 2 is as follow:

1.
Sample \(\tilde{x} \leftarrow \{\tilde{x} \mid H\tilde{x} = y\}\).

2.
Sample \(q \leftarrow \mathbb {F}_2^m\).

3.
Sample \(v \leftarrow \{v\in \mathbb {F}_2^m \mid {\text {wt}}(v) = w\}\).

4.
For every \(i \in [n] \setminus \{i^*\}\), sample \(A_i \equiv (\sigma _i, s_i)\) uniformly.

5.
For \(i \in \{1, \ldots , i^*1\}\): compute \(u_i := A_i(u_{i1})\) with \(u_0 := \tilde{x}\).

6.
For i from \(n1\) down to \(i^*\): compute \(u_i := A_{i+1}^{1}(u_{i+1})\) with \(u_n := v+q\).

7.
Randomly sample \(A_{i^*} \equiv (\sigma _{i^*}, s_{i^*})\) such that:

\(u_i = A_{i^*}(u_{i^*1})\)

\(\alpha = \sigma _{i^*}(\beta )\) with
$$\begin{aligned} {\left\{ \begin{array}{ll} \alpha := \sigma _{i^*+1}^{1} \circ \cdots \circ \sigma _n^{1}(v) \\ \beta := \sigma _{i^*1} \circ \cdots \circ \sigma _1(x) \end{array}\right. } ~. \end{aligned}$$
ZeroKnowlegde Simulator
The simulator \(\mathcal {S}\) proceeds as follows:

It first samples a random challenge \(i^*\) from \(\{1, \ldots , n\}\);

It then performs steps 1 to 6 of the above description and computes commitments \(c_i\)’s for the \((\sigma _i, s_i)\)’s, for all \(i\ne i^*\);

Note that the simulator cannot perform step 7 because it requires the knowledge of x (to get \(\beta \)). Instead, the simulator computes a commitment \(c_{i^*}\) for a random pair \((\sigma _{i^*}, s_{i^*})\);

The simulator calls \(\tilde{\mathcal {V}}\) with \(\textsc {Com}:=(\{c_i\}_i,q,v,\tilde{x},\{u_i\}_i)\) and, restart the simulation from scratch if \(\tilde{\mathcal {V}}\) does not return \(i^*\), and output the simulated transcript otherwise.
The output transcript is independent and identically to the genuine transcript except for \(c_{i^*}\). Distinguishing then means breaking the commitment hiding property. \(\square \)
Appendix C: Proof of Theorem 3 (Soundness of Protocol 2)
Proof
Let us first show how to extract the syndrome decoding solution x from a few transcripts satisfying specific conditions. We will then show how to get such transcripts from a rewindable blackbox access to \(\tilde{\mathcal {P}}\).
Transcripts used for extraction
We assume that we can extract two transcripts
Using these two transcripts, we next show that it is possible to extract a solution of the syndrome decoding instance defined by H and y. We can assume that the \((\sigma _i, s_i)_{i\not \in \{i^*_1,i^*_2\}}\) and \((\sigma '_i, s'_i)_{i\not \in \{i^*_1,i^*_2\}}\) are mutually consistent between the two transcripts, since otherwise we find a commitment collision for at least one of the commitments \(\{c_i\}_i\). So, we know \((\sigma _i^{[j_0]}, s_i^{[j_0]})\) for all \(i\in \{1,\ldots ,n\}\) from \(T_1\) and \(T_2\). We define \((\sigma _{i^*_1}, s_{i^*_1}) := (\sigma '_{i^*_1}, s'_{i^*_1})\).
Extraction of x from \(T_1\) and \(T_2\)
In the following, we will denote \(\mathcal {V}_{\textsc {Ch}_1}\) (resp. \(\mathcal {V}_{\textsc {Ch}_2}\)) the set of checked equations at the end of the transcript with \(\textsc {Ch}_1\) (resp. \(\textsc {Ch}_2\)) as challenge.
Let us define \(\sigma := \sigma _n \circ \cdots \circ \sigma _1\) and \(x':=\sigma ^{1}(v)\). We simply return \(x'\) as a candidate solution for x. Because \({\text {wt}}(v)=w\) (from \(\mathcal {V}_{\textsc {Ch}_1}\) or \(\mathcal {V}_{\textsc {Ch}_2}\)), we have \({\text {wt}}(x')=w\). We now show that we further have \(y = H x'\).
Thanks to \(\mathcal {V}_{\textsc {Ch}_1}\), we know that
And thanks to \(\mathcal {V}_{\textsc {Ch}_2}\), we get the remaining equation
So, we know that
Now, we have
Since q has been honestly built and \(\{(\sigma _i, s_i)\}_i\) has been extracted from \(\tilde{\mathcal {P}}\), we know there exists \(r\in {\text {Ker}}(H)\) such that
And so,
So, we well obtain \(H x' = y  H \sigma ^{1}(\sigma (r)) = y  H r = y\).
Extraction of \(T_1\) and \(T_2\) from \(\tilde{\mathcal {P}}\)
Let now show how to extract these two transcripts from \(\tilde{\mathcal {P}} \). We want these transcripts to be with the same commitment Com from the prover but with different challenges. We define the following extractor \(\mathcal {E}\).
Throughout the proof, we denote \(\mathsf {succ}_{\tilde{\mathcal {P}}}\) the event that \(\tilde{\mathcal {P}}\) succeeds in convincing \(\mathcal {V} \). By hypothesis, we have \(\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}] = \tilde{\varepsilon }\). We shall further denote by \(R_\textsc {Com}\) the randomness of \(\tilde{\mathcal {P}}\) that is used to generate the initial commitment \(\textsc {Com} = (\{c_i\}_i, {q}^{\star }, v, \tilde{x}, \{u_i\}_i)\).
Let us fix an arbitrary value \(\alpha \in (0, 1)\) such that \((1\alpha )\tilde{\varepsilon } > \varepsilon \), it exists since \(\tilde{\varepsilon } > \varepsilon \). Let \(r_\textsc {Com}\) be a possible realisation of \(R_\textsc {Com}\). We will say that \(r_\textsc {Com}\) is good if
By the Splitting Lemma 8 (see Appendix 1) we have
Let us define the collision event of T and \(T'\) as the event
When T is fixed and \(T'\) is random, the collision event occurs with probability
Let us lower bound the probability that an iteration of the inner loop find a right couple \((T,T')\) when \(R_\textsc {com}\) is good:
We have
Let define \(p_0 := (1\alpha )\cdot \tilde{\varepsilon } \varepsilon \). By running \(\tilde{\mathcal {P}}\) with the same \(r_\textsc {Com}\) as for the good transcript \(N_1\) times, we hence obtain a second noncolliding transcript \(T'\) with probability at least 1/2 when
Without assumption on \(R_\textsc {Com}\), the probability to find a couple when T is successful satisfies:
Let C denotes the number of calls to \(\tilde{\mathcal {P}}\) made by the extractor before finishing. While entering a new iteration:

The extractor makes one call to \(\tilde{\mathcal {P}}\) to obtain T,

If T is not successful, which occurs with probability \((1\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T}])\),

\(\circ \) The extractor continues to the next iteration and makes an average of \(\mathbb {E}[C]\) calls to \(\tilde{\mathcal {P}}\),

If T is successful, which occurs with probability \(\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T}]\),

\(\circ \) The extractor makes at most \(N_1\) calls to \(\tilde{\mathcal {P}}\) in the inner loop of \(\mathcal {E} \),

\(\circ \) Then \(\mathcal {E} \) quits the inner loop without returning a couple of transcripts, which occurs with probability \(\Pr [\text {not found} \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T}]\), the extractor continues to the next iteration and makes an average of \(\mathbb {E}[C]\) calls to \(\tilde{\mathcal {P}}\),

\(\circ \) Otherwise, if the inner loop returns a nonempty list, the extractor stops and no more calls to \(\tilde{\mathcal {P}}\) are necessary.
The mean number of calls to \(\tilde{\mathcal {P}}\) hence satisfies the following inequality:
which gives
To obtain an \(\alpha \)free formula, let us take \(\alpha \) such that \((1\alpha )\cdot \tilde{\varepsilon } = \frac{1}{2}(\tilde{\varepsilon } + \varepsilon )\). We have \(\alpha = \frac{1}{2}\left( 1\frac{\varepsilon }{\tilde{\varepsilon }}\right) \) and the average number of calls to \(\tilde{\mathcal {P}}\) is upper bounded as
which concludes the proof. \(\square \)
Appendix D: Proof of Theorem 5 (HVZK of Protocol 5)
Proof
Let us describe the simulator \(\mathcal {S}\). Let us denote \((J, L)\) the input of the simulator. First, \(\mathcal {S}\) randomly picks the master seeds \(\textsf {seed}^{[0]}\).

For \(j\in [M]\backslash J\), \(\mathcal {S}\) follows honestly the protocol since it does not need to know the secret.

For \(j\in J\), \(\mathcal {S}\) uses the same method than the one described in the proof of the Theorem 2 (appendix B):

\(\circ \) Sample \(\tilde{x}^{[j]} \leftarrow \{\tilde{x} \mid H\tilde{x} = y\}\).

\(\circ \) Sample \(q^{[j]} \leftarrow \mathbb {F}_2^m\).

\(\circ \) Sample \(v^{[j]} \leftarrow \{v\in \mathbb {F}_2^m \mid {\text {wt}}(v) = w\}\).

\(\circ \) For every \(i \in [n] \setminus \{i^*\}\), sample \(A_i^{[j]} \equiv (\sigma _i^{[j]}, s_i^{[j]})\) uniformly.

\(\circ \) For \(i \in \{1, \ldots , i^*1\}\):
compute \(u_i^{[j]} := A_i^{[j]}(u_{i1}^{[j]})\) with \(u_0^{[j]} := \tilde{x}^{[j]}\).

\(\circ \) For i from \(n1\) down to \(i^*\):
compute \(u_i^{[j]} := (A_{i+1}^{[j]})^{1}(u_{i+1}^{[j]})\) with \(u_n^{[j]} := v^{[j]}+q^{[j]}\).

\(\circ \) Compute commitments \(c_i^{[j]}\)’s for the \((\sigma _i^{[j]}, s_i^{[j]})\)’s, for all \(i\ne i^*\).

\(\circ \) Computes a commitment \(c_{i^*}^{[j]}\) for a random pair \((\sigma _{i^*}^{[j]}, s_{i^*}^{[j]})\).
The output transcript is independent and identically to the genuine transcript except for the randomness sampling and \(c_{i^*}^{[j]}\) when \(j\in J\). Distinguishing then means breaking the pseudorandomness property or breaking the commitment hiding property. \(\square \)
Appendix E: Proof of Theorem 6 (Soundness of Protocol 5)
Proof
Let us first show how to extract the syndrome decoding solution x from a few transcripts satisfying specific conditions. We will then show how to get such transcripts from a rewindable blackbox access to \(\tilde{\mathcal {P}}\).
Transcripts used for extraction
We assume that we can extract three transcripts
from \(\tilde{\mathcal {P}}\), with \(\textsc {Ch}_1^{(i)}:= J^{(i)}\), \( \textsc {Ch}_2^{(i)} := \{\ell ^{(i)}_j\}_{j \in J^{(i)}}\), which satisfy:

1.
\(\textsc {Com}^{(1)} = \textsc {Com}^{(2)} = \textsc {Com}^{(3)} = h\),

2.
there exists \( j_0 \in (J^{(1)} \cap J^{(2)}) \setminus J^{(3)}\) s.t. \(\ell _{j_0}^{(1)} \not = \ell _{j_0}^{(2)}\)

3.
\(T_1\) and \(T_2\) are success transcripts (i.e. which pass all the tests of \(\mathcal {V}\)),

4.
\(\textsf {seed}^{[j_0]}\) from \(\textsc {Rsp}_1^{(3)}\) is consistent with the \((\sigma _i^{[j_0]}, s_i^{[j_0]})\) from \(T_1\) and \(T_2\).
Using these three transcripts, we next show that it is possible to extract a solution of the syndrome decoding instance defined by H and y. We can assume that all the revealed \(q^{[j]}\) and \((\sigma _i^{[j]}, s_i^{[j]})\) are mutually consistent between the three transcripts, since otherwise we find a hash collision. So, we know \((\sigma _i^{[j_0]}, s_i^{[j_0]})\) for all \(i\in \{1,\ldots ,n\}\) from \(T_1\) and \(T_2\).
Extraction of x from \(T_1\), \(T_2\) and \(T_3\)
For this part, we will only consider the variables of the form \((*)^{[j_0]}\), so we will omit the superscript for the sake of clarity. In the following, we will denote \(\mathcal {V}_{T_i}\) the set of checked equations at the end of the protocol with \(T_i\) for \(i\in \{1,2,3\}\).
Let us define \(\sigma := \sigma _n \circ ... \circ \sigma _1\) and \(x':=\sigma ^{1}(v)\). We simply return \(x'\) as a candidate solution for x. Because \({\text {wt}}(v)=w\) (from \(\mathcal {V}_{T_1}\) or \(\mathcal {V}_{T_2}\)), we have \({\text {wt}}(x')=w\). We now show that we further have \(y = H x'\).
Thanks to \(\mathcal {V}_{T_1}\), we know that
And thanks to \(\mathcal {V}_{T_2}\), we get the remaining equation
So, we know that
Now, we have
From \(\mathcal {V}_{T_3}\), we get that there exists \(r\in {\text {Ker}}(H)\) such that
So, we well obtain \(H x' = y  H \sigma ^{1}(\sigma (r)) = y  H r = y\).
Extraction of \(T_1\), \(T_2\) and \(T_3\) from \(\tilde{\mathcal {P}}\)
Throughout the proof, we denote \(\mathsf {succ}_{\tilde{\mathcal {P}}}\) the event that \(\tilde{\mathcal {P}}\) succeeds in convincing \(\mathcal {V} \). By hypothesis, we have \(\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}] = \tilde{\varepsilon }\). We shall further denote by \(R_h\) the randomness of \(\tilde{\mathcal {P}}\) which is used to generate the initial commitment \(\textsc {Com} = h\).
Let us fix an arbitrary value \(\alpha \in (0, 1)\) such that \((1\alpha )\tilde{\varepsilon } > \varepsilon \), it exists since \(\tilde{\varepsilon } > \varepsilon \). Let \(r_h\) be a possible realization of \(R_h\). We will say that \(r_h\) is good if it is such that
By the Splitting Lemma 8 (see Appendix 1) we have
Our extractor first obtains a successful transcript \(T_0\) by running the protocol making calls to \(\tilde{\mathcal {P}}\) with honest verifier requests. If this \(T_0\) corresponds to a good \(r_h\), then we can obtain further successful transcripts with “high” probability by rewinding the protocol just after the initial commitment \(\textsc {Com} = h\). Based on this assumption, a subextractor \(\mathcal {E} _0\) will build a list of successful transcripts \(\mathcal {T}\), all with same initial commitment. For every \(T \in \mathcal {T}\), we denote \(J_T\) the set J (first challenge) for this transcript, as well as \(\bar{J}_T := [M] \setminus J_T\), and \(L_T = \{\ell _{T,j}\}_{j\in J_T}\) the set L (second challenge) for this transcript. We further denote
which is the set of indexes \(j \in [M]\) for which \(q^{[j]}\) has been opened, as well as
which is the set of indexes \(j\in [M]\) for which all the \((\sigma _i^{[j]}, s_i^{[j]})_i\) have been revealed.
For a certain number \(N_1\) of iterations, the subextractor \(\mathcal {E} _0\) tries to feed the list \(\mathcal {T}\) until the following stop condition is reached:
If this condition is reached then we have three transcripts \(T_1, T_2,T_3 \in \mathcal {T}\) such that
which is what we need to recover x (as explained above). We formally describe the subextractor routine in the following pseudocode:
Let us know evaluate the probability that the stop condition is reached in a given number of iteration \(N_1\). In the following, we naturally denote \(J(\mathcal {T}) := \bigcup _{T\in \mathcal {T}} J_T\), the set of indexes \(j\in [M]\) which have been used in the second phase for at least one transcript \(T \in \mathcal {T}\). Note that we always have \(C(\mathcal {T}) \subseteq J(\mathcal {T})\).
Consider a loop iteration in \(\mathcal {E} _0\) at the beginning of which we have a list \(\mathcal {T}\) of successful transcripts such that \(C(\mathcal {T}) \cap \bar{J}(\mathcal {T}) = \emptyset \) (i.e. the stop condition has not been reached) and a transcript T sampled at Step 3. We consider the three following events:

the event \(E_1 := \{J(\mathcal {T}) \varsubsetneq J(\mathcal {T}\cup \{T\})\}\) which implies that the set \(J(\mathcal {T})\) will be increased at Step 5 when \(\mathcal {T}\leftarrow \mathcal {T}\cup \{T\}\) if T is a successful transcript,

the event \(E_2 := \{C(\mathcal {T}) \varsubsetneq C(\mathcal {T}\cup \{T\})\}\) which implies that the set \(C(\mathcal {T})\) will be increased at Step 5 when \(\mathcal {T}\leftarrow \mathcal {T}\cup \{T\}\) if T is a successful transcript,

the event \(E_3 := \{C(\mathcal {T}\cup \{T\}) \cap \bar{J}(\mathcal {T}\cup \{T\})\not =\emptyset \}\) which implies that the stop condition will be reached at Step 6 if T is a successful transcript.
The above events are defined with respect to the randomness of the two challenges in T. Note these events do not require that T is a successful transcript.
Let us lower bound the probability to have a good transcript T and one of the three events occuring in the presence of a good \(R_h\):
We have:
Now, we have
which also gives
So we can further lower bound p as:
By defining \(k:=MC(\mathcal {T}) \), we have
The first equality holds from \(\left( {\begin{array}{c}x\\ y\end{array}}\right) = \left( {\begin{array}{c}x\\ xy\end{array}}\right) \) (for any \(x,y \in \mathbb {N}\)) while the second holds by definition of k. The inequality holds from \(\left( {\begin{array}{c}x\\ y\end{array}}\right) \ge \left( {\begin{array}{c}xz\\ yz\end{array}}\right) \) (for any \(x,y,z \in \mathbb {N}\) with \(z<x,y\)). We hence finally get:
To summarize, in the presence of a good \(R_h\), the probability of the event \(\mathsf {succ}_{\tilde{\mathcal {P}}}\cap (E_1 \cup E_2 \cup E_3)\) (i.e. getting a successful transcript T which yields one the the three events \(E_1\), \(E_2\), or \(E_3\)) is lower bounded by \((1\alpha )\cdot \tilde{\varepsilon } \varepsilon > 0\). Moreover, the event \(\mathsf {succ}_{\tilde{\mathcal {P}}}\cap E_1\) can occur at most \(M\tau \) times, because \(J_{T_0} \subseteq J(\mathcal {T}) \subseteq \{1, \ldots , M\}\). And the event \(\mathsf {succ}_{\tilde{\mathcal {P}}}\cap E_2\) can occur at most \(\tau \) times before further implying \(E_3\) (because if \(C(\mathcal {T})  \ge \tau \) then adding one more term to \(C(\mathcal {T})\) systematically implies \(E_3\)). We deduce that after \(M+1\) occurrences of \(\mathsf {succ}_{\tilde{\mathcal {P}}}\cap (E_1 \cup E_2 \cup E_3)\), the event \(E_3\) must have occurred at least once.
Let us now define
And let \(X\sim \mathcal {B}(N_1, p_0)\) a binomial distributed random variable with parameters \((N_1,p_0)\). The probability that \(\mathcal {E} _0\) reaches the stop condition and returns a nonempty list for a successful transcript \(T_0\) with good \(R_h\) satisfies:
The inequality (E9) holds from the BienayméTechbychev inequality. Thus, using \(N_1 = \frac{4 M}{p_0}\), the probability to reach the stop condition assuming a good \(R_h\) is at least 1/2. Without assumption on \(R_h\), the probability to reach the stop condition satisfies:
Let us now describe the complete extractor procedure:
Let C denotes the number of calls to \(\tilde{\mathcal {P}}\) made by the extractor before finishing. While entering a new iteration:

the extractor makes one call to \(\tilde{\mathcal {P}}\) to obtain \(T_0\),

if \(T_0\) is not successful, which occurs with probability \((1\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}])\),

\(\circ \) the extractor continues to the next iteration and makes an average of \(\mathbb {E}[C]\) calls to \(\tilde{\mathcal {P}}\),

if \(T_0\) is successful, which occurs with probability \(\Pr [\mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}]\),

\(\circ \) the extractor makes at most \(N_1\) calls to \(\tilde{\mathcal {P}}\) in the loop of \(\mathcal {E} _0\),

\(\circ \) then \(\mathcal {E} _0\) returns an empty list (the stop condition is not reached), which occurs with probability \(\Pr [\mathcal {E} _0(T_0) = \emptyset \mid \mathsf {succ}_{\tilde{\mathcal {P}}}^{T_0}]\), the extractor continues to the next iteration and makes an average of \(\mathbb {E}[C]\) calls to \(\tilde{\mathcal {P}}\),

\(\circ \) otherwise, if \(\mathcal {E} _0(T_0)\) returns a nonempty list, the extractor stops and no more calls to \(\tilde{\mathcal {P}}\) are necessary.
The mean number of calls to \(\tilde{\mathcal {P}}\) hence satisfies the following inequality:
which gives
To obtain an \(\alpha \)free formula, let us take \(\alpha \) such that \((1\alpha )\cdot \tilde{\varepsilon } = \frac{1}{2}(\tilde{\varepsilon } + \varepsilon )\). We have \(\alpha = \frac{1}{2}\left( 1\frac{\varepsilon }{\tilde{\varepsilon }}\right) \) and the average number of calls to \(\tilde{\mathcal {P}}\) is upper bounded as
which concludes the proof. \(\square \)
Appendix F: Security proof of the signature scheme
We give herafter the proof of Theorem 7. This proof is a carbon copy of the security proof of the Picnic signature scheme [14, Theorem 6.2] with few adaptations to our context.
Theorem 7 Fix some attacker \(\mathcal {A}\). Let \(q_s\) denote the number of signing queries made by \(\mathcal {A}\); let \(q_0\), \(q_1\),\(q_2\), respectively, denote the number of queries to \({\text {Hash}}_0\), \({\text {Hash}}_1\), \({\text {Hash}}_2\) made by \(\mathcal {A}\), and let \(q'\) denote the number of queries to \({\text {Hash}}'\) made by \(\mathcal {A}\). To prove security we define a sequence of experiments involving \(\mathcal {A}\), where the first corresponds to the experiment in which \(\mathcal {A}\) interacts with the real signature scheme. We let \({\text {Pr}}_i[\cdot ]\) refer to the probability of an event in experiment i. We let t denote the running time of the entire experiment, i.e., including both \(\mathcal {A}\) ’s running time and the time required to answer signing queries and to verify \(\mathcal {A}\) ’s output.
Experiment 1 This corresponds to the interaction of \(\mathcal {A}\) with the real signature scheme. In more detail: first \({\text {KeyGen}}\) is run to obtain (H, y, x), and \(\mathcal {A}\) is given the public key (H, y). In addition, we assume the random oracles \({\text {Hash}}_0\), \({\text {Hash}}_1\), \({\text {Hash}}_2\), and \({\text {Hash}}'\) are chosen uniformly from the appropriate spaces. \(\mathcal {A}\) may make signing queries, which will be answered as in the signature algorithm; \(\mathcal {A}\) may also query any of the random oracles. Finally, \(\mathcal {A}\) outputs a message/signature pair; we let \({\text {Forge}}\) denote the event that the message was not previously queried by \(\mathcal {A}\) to its signing oracle, and the signature is valid. We are interested in upperbounding \({\text {Pr}}_1[{\text {Forge}} ]\).
Experiment 2 We abort the experiment if, during the course of the experiment, a collision in \({\text {Hash}}_0\), \({\text {Hash}}_1\), or \({\text {Hash}}_2\) is found. Suppose \(q=\max \{q_0, q_1,q_2\}\), then the number of queries to any oracle throughout the experiment (by either the adversary or the signing algorithm) is at most \((q + M n q_s)\). Thus,
Experiment 3 The difference with the previous experiment is that, when signing a message m we begin by choosing \((J,L)\) uniformly. Steps 1 and 3 of the signing algorithm are computed as before, but in step 2 we simply set the output of \({\text {Hash}}'\) equal to \((J,L)\). Formally, a signature on a message m is now computed as follows:

Step 0:

Choose uniform \((J,L)\), where \(J\subset [M]\) is a set of size \(\tau \), and \(L=\{\ell _j\}_{j\in J}\) with \(\ell _j\in [n]\).

Sample a random salt \(\textsf {salt}\leftarrow \{0,1\}^{2\lambda }\).

Choose uniform \(\textsf {mseed}^{[0]}\in \{0,1\}^\lambda \).

Compute the seeds \(\textsf {mseed}^{[1]}\), ..., \(\textsf {mseed}^{[M]}\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[0]})\).

Step 1: For each \(j\in [M]\):

1.
Use \(\textsf {mseed}^{[j]}\) to generate values \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]}\) and \(r^{[j]}\in {\text {Ker}}(H)\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[j]})\).

2.
For \(i\in [n]\), sample \(\sigma _i^{[j]}, s_i^{[j]}\) using \(\textsf {seed}_i^{[j]}\) and compute \(c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]})\).

3.
(Cutandchoose phase) Compute
$$\begin{aligned} \sigma ^{[j]}&:= \sigma _n^{[j]} \circ \cdots \circ \sigma _1^{[j]} \\ s^{[j]}&:= s_n^{[j]} + \sigma _n^{[j]}(\cdots + \sigma _2^{[j]}(s_1^{[j]})) \\ q^{[j]}&:= \sigma ^{[j]}(r^{[j]}) + s^{[j]} \end{aligned}$$ 
4.
(Sound phase) Compute
$$\begin{aligned} v^{[j]}&:= \sigma ^{[j]}(x) \\ \tilde{x}^{[j]}&:= x+r^{[j]} \\ u_0^{[j]}&:= \tilde{x}^{[j]} \\ u_i^{[j]}&:= \sigma _i^{[j]}(u_{i1}^{[j]})+s_i^{[j]} \text { for all } i\in [n] \end{aligned}$$ 
5.
Compute \(h_j := {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, \ldots , c_n^{[j]})\) and \(h'_j := {\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\).

Step 2: Set \({\text {Hash}}'(m,\textsf {salt},h_1,\ldots ,h_M,h')\) equal to \((J,L)\), with \(h'{:=}{\text {Merkle}}(h'_1,\ldots ,h'_M),\). The signature includes \((J,L)\).

Step 3: For each \(j\not \in J\), the signer includes \(\textsf {mseed}^{[j]}\), \(h'\) in the signature. Also, for each \(j\in J\), the signer includes \(v^{[j]}\), \(\tilde{x}^{[j]}\), \((\textsf {seed}_i^{[j]})_{i\not =\ell _j}\), \(c_{\ell _j}^{[j]}\) and \(u_{\ell _j}^{[j]}\).
The only difference between this experiment and the previous one occurs if, in the course of answering a signing query, the query to \({\text {Hash}}'\) in step 2 was ever made before (by either the adversary or as part of answering some other signing query). Letting \({\text {InputColl}}_{G}\) denote this event, we have
Experiment 4 The difference with the previous experiment is that the signer now chooses uniform \(\{\textsf {seed}_i^{[j]}\}_{i\in [n]}\) for all \(j\in J\). That is, signatures are now computed as follows:

Step 0:

Choose uniform \((J,L)\), where \(J\subset [M]\) is a set of size \(\tau \), and \(L=\{\ell _j\}_{j\in J}\) with \(\ell _j\in [n]\).

Sample a random salt \(\textsf {salt}\leftarrow \{0,1\}^{2\lambda }\).

Choose uniform \(\textsf {mseed}^{[0]}\in \{0,1\}^\lambda \).

Compute the seeds \(\textsf {mseed}^{[1]}\), ..., \(\textsf {mseed}^{[M]}\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[0]})\).

Step 1: For each \(j\in [M]\):

1.
If \(j\not \in J\), use \(\textsf {mseed}^{[j]}\) to generate values \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]}\) and \(r^{[j]}\in {\text {Ker}}(H)\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[j]})\). If \(j\in J\), choose uniform \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]} \in \{0,1\}^\lambda \) and \(r^{[j]}\in {\text {Ker}}(H)\).

2.
For \(i\in [n]\), sample \(\sigma _i^{[j]}, s_i^{[j]}\) using \(\textsf {seed}_i^{[j]}\) and compute \(c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]})\).

3.
(Cutandchoose phase) Compute
$$\begin{aligned} \sigma ^{[j]}&:= \sigma _n^{[j]} \circ \cdots \circ \sigma _1^{[j]} \\ s^{[j]}&:= s_n^{[j]} + \sigma _n^{[j]}(\cdots + \sigma _2^{[j]}(s_1^{[j]})) \\ q^{[j]}&:= \sigma ^{[j]}(r^{[j]}) + s^{[j]} \end{aligned}$$ 
4.
(Sound phase) Compute
$$\begin{aligned} v^{[j]}&:= \sigma ^{[j]}(x) \\ \tilde{x}^{[j]}&:= x+r^{[j]} \\ u_0^{[j]}&:= \tilde{x}^{[j]} \\ u_i^{[j]}&:= \sigma _i^{[j]}(u_{i1}^{[j]})+s_i^{[j]} \text { for all } i\in [n] \end{aligned}$$ 
5.
Compute \(h_j := {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, \ldots , c_n^{[j]})\) and \(h'_j := {\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\).

Step 2: Set \({\text {Hash}}'(m,\textsf {salt},h_1,\ldots ,h_M,h')\) equal to \((J,L)\), with \(h'{:=}{\text {Merkle}}(h'_1,\ldots ,h'_M),\). The signature includes \((J,L)\).

Step 3: For each \(j\not \in J\), the signer includes \(\textsf {mseed}^{[j]}\), \(h'\) in the signature. Also, for each \(j\in J\), the signer includes \(v^{[j]}\), \(\tilde{x}^{[j]}\), \((\textsf {seed}_i^{[j]})_{i\not =\ell _j}\), \(c_{\ell _j}^{[j]}\) and \(u_{\ell _j}^{[j]}\).
It is easy to see that if the pseudorandom generator is \((t, \epsilon _\text {PRG})\)secure, then
and
We now bound \({\text {Pr}}_4[{\text {InputColl}}_{G} ]\). Fix some previous query \((m,h_1,\ldots ,h_M,h')\) to \({\text {Hash}}'\), and look at a query \({\text {Hash}}'(\hat{m},\hat{h}_1,\ldots ,\hat{h}_M,\hat{h}')\) made while responding to some signing query. (In the rest of this discussion, we will use \(\hat{\cdot }\) to represent values computed as part of answering that signing query.) For some fixed \(j\in \hat{J}\), it is not hard to see that the probability of the event \(\hat{h}_j=h_j\) is maximized if \(h_j\) was output by a previous query \({\text {Hash}}_1(q^{[j]}, c_1^{[j]}, ..., c_n^{[j]})\), and each \(c_i^{[j]}\) was output by a previous \({\text {Hash}}_0(\textsf {seed}_i^{[j]})\). (In all cases, the relevant prior query must be unique since the experiment is aborted if there is a collision in \({\text {Hash}}_0\) or \({\text {Hash}}_1\).) In that case, the probability that \(\hat{h}_j=h_j\) is at most
(assuming \(n\ge 3\)), and thus the probability that \(\hat{h}_j=h_j\) for all \(j\in \hat{J}\) is at most \(2^{\tau \cdot (2\lambda 1)}\). Taking a union bound over all signing queries and all queries made to \({\text {Hash}}'\) (including those made during the course of answering signing queries), we conclude that
Experiment 5 The difference with the previous experiment is that:

For each \(j\in J\), choose uniform \(c_{\ell _j}^{[j]}\) (i.e., without making the corresponding query to \({\text {Hash}}_0\)).

For each \(j\not \in J\), choose uniform \(h'_j\) (i.e., without making the corresponding query to \({\text {Hash}}_2\)).
So, signatures are now computed as follows:

Step 0:

Choose uniform \((J,L)\), where \(J\subset [M]\) is a set of size \(\tau \), and \(L=\{\ell _j\}_{j\in J}\) with \(\ell _j\in [n]\).

Sample a random salt \(\textsf {salt}\leftarrow \{0,1\}^{2\lambda }\).

Choose uniform \(\textsf {mseed}^{[0]}\in \{0,1\}^\lambda \).

Compute the seeds \(\textsf {mseed}^{[1]}\), ..., \(\textsf {mseed}^{[M]}\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[0]})\).

Step 1: For each \(j\in [M]\):

1.
If \(j\not \in J\), use \(\textsf {mseed}^{[j]}\) to generate values \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]}\) and \(r^{[j]}\in {\text {Ker}}(H)\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[j]})\). If \(j\in J\), choose uniform \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]} \in \{0,1\}^\lambda \) and \(r^{[j]}\in {\text {Ker}}(H)\).

2.
For \(i\in [n]\), sample \(\sigma _i^{[j]}, s_i^{[j]}\) using \(\textsf {seed}_i^{[j]}\) and compute
$$\begin{aligned} \left\{ \begin{array}{l} c_{\ell _j}^{[j]} \text { is chosen uniformly in }\{0,1\}^{2\lambda }\text { if } j\in J\\ c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]}) \text { for all other } i,j \end{array} \right. ~. \end{aligned}$$ 
3.
(Cutandchoose phase) Compute
$$\begin{aligned} \sigma ^{[j]}&:= \sigma _n^{[j]} \circ \cdots \circ \sigma _1^{[j]} \\ s^{[j]}&:= s_n^{[j]} + \sigma _n^{[j]}(\cdots + \sigma _2^{[j]}(s_1^{[j]})) \\ q^{[j]}&:= \sigma ^{[j]}(r^{[j]}) + s^{[j]} \end{aligned}$$ 
4.
(Sound phase) Compute
$$\begin{aligned} v^{[j]}&:= \sigma ^{[j]}(x) \\ \tilde{x}^{[j]}&:= x+r^{[j]} \\ u_0^{[j]}&:= \tilde{x}^{[j]} \\ u_i^{[j]}&:= \sigma _i^{[j]}(u_{i1}^{[j]})+s_i^{[j]} \text { for all } i\in [n] \end{aligned}$$ 
5.
Compute \(h_j {:=} {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, \ldots , c_n^{[j]})\). For \(j\in J\), set \(h'_j := {\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\); otherwise, choose uniform \(h'_j\in \{0,1\}^{2\lambda }\).

Step 2: Set \({\text {Hash}}'(m,\textsf {salt},h_1,\ldots ,h_M,h')\) equal to \((J,L)\), with \(h'{:=}{\text {Merkle}}(h'_1,\ldots ,h'_M),\). The signature includes \((J,L)\).

Step 3: For each \(j\not \in J\), the signer includes \(\textsf {mseed}^{[j]}\), \(h'\) in the signature. Also, for each \(j\in J\), the signer includes \(v^{[j]}\), \(\tilde{x}^{[j]}\), \((\textsf {seed}_i^{[j]})_{i\not =\ell _j}\), \(c_{\ell _j}^{[j]}\) and \(u_{\ell _j}^{[j]}\).
The only difference between this experiment and the previous one occurs if, during the course of answering a signing query, \(\textsf {seed}_{\ell _j}^{[j]}\) (for some \(j\in J\)) is queried to \({\text {Hash}}_0\) at some other point in the experiment, or \((v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\) (for some \(j\not \in J\)) is ever queried to \({\text {Hash}}_2\) at some other point in the experiment. Denoting this event by \({\text {InputColl}}_{H}\), we thus have
Experiment 6 We again modify the experiment. Now, for \(j\in J\) the signer uses the HVZK simulator (see Theorem 5), that we shall denote \(\mathcal {S} \), to generate the views of the parties in an execution of a sound phase. This results in \(\{\textsf {seed}_i^{[j]}\}_{i\not =\ell _j}\), \(q^{[j]}\), \(v^{[j]}\), \(\tilde{x}^{[j]}\) and \(u_{\ell _j}^{[j]}\). From the respective views, \(\{u_i^{[j]}\}_{i\not =\ell _j}\) can be computed, and \(h_j\), \(h'_j\) can be computed as well. Thus, signatures are now computed as follows:

Step 0:

Choose uniform \((J,L)\), where \(J\subset [M]\) is a set of size \(\tau \), and \(L=\{\ell _j\}_{j\in J}\) with \(\ell _j\in [n]\).

Sample a random salt \(\textsf {salt}\leftarrow \{0,1\}^{2\lambda }\).

Choose uniform \(\textsf {mseed}^{[0]}\in \{0,1\}^\lambda \).

Compute the seeds \(\textsf {mseed}^{[1]}\), ..., \(\textsf {mseed}^{[M]}\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[0]})\).

Step 1: For \(j\not \in J\):

1.
Use \(\textsf {mseed}^{[j]}\) to generate values \(\textsf {seed}_1^{[j]}\), ..., \(\textsf {seed}_n^{[j]}\) and \(r^{[j]}\in {\text {Ker}}(H)\) with \({\text {TreePRG}}(\textsf {salt},\textsf {mseed}^{[j]})\).

2.
For \(i\in [n]\), sample \(\sigma _i^{[j]}, s_i^{[j]}\) using \(\textsf {seed}_i^{[j]}\) and compute \(c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]})\).

3.
(Cutandchoose phase) Compute
$$\begin{aligned} \sigma ^{[j]}&:= \sigma _n^{[j]} \circ \cdots \circ \sigma _1^{[j]} \\ s^{[j]}&:= s_n^{[j]} + \sigma _n^{[j]}(\cdots + \sigma _2^{[j]}(s_1^{[j]})) \\ q^{[j]}&:= \sigma ^{[j]}(r^{[j]}) + s^{[j]} \end{aligned}$$ 
4.
Let \(h_j := {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, ..., c_n^{[j]})\). Choose uniform \(h'_j\in \{0,1\}^{2\lambda }\).
For \(j\in J\):

1.
Compute \((\{\textsf {seed}_i^{[j]}\}_{i\not =\ell _j}, q^{[j]}, v^{[j]}, \tilde{x}^{[j]}, u_{\ell _j}^{[j]}) \leftarrow \mathcal {S} (\ell _j)\). Compute \(\{u_i^{[j]}\}_{i\not =\ell _j}\) based on this information.

2.
Choose uniform \(c_{\ell _j}^{[j]}\in \{0,1\}^{2\lambda }\). For all other i, set \(c_i^{[j]} := {\text {Hash}}_0(\textsf {salt}, j, i, \textsf {seed}_i^{[j]})\).

3.
Let \(h_j := {\text {Hash}}_1(q^{[j]}, c_1^{[j]}, ..., c_n^{[j]})\) and \(h'_j={\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, (u_i^{[j]})_i)\).

Step 2: Set \({\text {Hash}}'(m,\textsf {salt},h_1,\ldots ,h_M,h')\) equal to \((J,L)\), with \(h'{:=}{\text {Merkle}}(h'_1,\ldots ,h'_M),\). The signature includes \((J,L)\).

Step 3: For each \(j\not \in J\), the signer includes \(\textsf {mseed}^{[j]}\), \(h'\) in the signature. Also, for each \(j\in J\), the signer includes \(v^{[j]}\), \(\tilde{x}^{[j]}\), \((\textsf {seed}_i^{[j]})_{i\not =\ell _j}\), \(c_{\ell _j}^{[j]}\) and \(u_{\ell _j}^{[j]}\).
Observe that the secret x is no longer used for generating signatures. Recall, the adversary against simulator has distinguishing advantage \(\epsilon _\text {PRG}+\epsilon _\text {Com}\) where \(\epsilon _\text {Com}\) is zero since we are in the Random Oracle Model and we remove the collisions in Experiment 2. It is immediate that
and
We now bound \({\text {Pr}}_6[{\text {InputColl}}_{H} ]\). For any particular signing query and any \(j\in J\), the value \(\textsf {seed}_{\ell _j}^{[j]}\) has minentropy at least \(\lambda \) and is not used anywhere else in the experiment. Similarly, for any \(j\not \in J\), the value \((v^{[j]}, \tilde{x}^{[j]})\) has minentropy at least \(\lambda \), since the input is \(\lambda \)bit, and is not used anywhere else in the experiment. Thus,
Experiment 7 We first define some notation. At any point during the experiment, we classify a pair \((h_j, h'_j)\) in one of the following ways:

1.
If \(h_j\) was output by a previous query \({\text {Hash}}_1(q^{[j]},c_1^{[j]},\ldots ,c_n^{[j]})\), and each \(c_i^{[j]}\) was output by a previous query \({\text {Hash}}_0(\textsf {seed}_i^{[j]})\) where the \((\{\textsf {seed}_i^{[j]}\}_i,q^{[j]})\) forms a valid preprocessing (i.e., \(\left( \sigma ^{[j]}\right) ^{1}\left( q^{[j]}s^{[j]}\right) \in {\text {Ker}}(H)\)), then say \((h_j, h'_j)\) defines correct preprocessing.

2.
If \(h_j\) was output by a previous query \({\text {Hash}}_1(q^{[j]},c_1^{[j]},\ldots ,c_n^{[j]})\), and each \(c_i^{[j]}\) was output by a previous query \({\text {Hash}}_0(\textsf {seed}_i^{[j]})\), and \(h'_j\) was output by a previous query \({\text {Hash}}_2(v^{[j]}, \tilde{x}^{[j]}, u_1^{[j]},\ldots ,u_n^{[j]})\) where \(\{\textsf {seed}_i^{[j]}\}_i\), \(q^{[j]}\), \(v^{[j]}\), \(\tilde{x}^{[j]}\), \(\{u_i^{[j]}\}_i\) are consistent with an online execution (but the \((\{\textsf {seed}_i^{[j]}\}_i,q^{[j]})\) may not form a valid preprocessing), then say \((h_j, h'_j)\) defines correct execution.

3.
In any other case, say \((h_j, h'_j)\) is bad.
(Note that in all cases the relevant prior query, if it exists, must be unique since the experiment is aborted if there is ever a collision in \({\text {Hash}}_0\), \({\text {Hash}}_1\), or \({\text {Hash}}_2\).)
In Experiment 7, for each query \({\text {Hash}}'(m,h_1,...,h_M,{\mathrm{Merkle}}(h'_1,\ldots ,h'_M))\) made by the adversary (where m was not previously queried to the signing oracle), check if there exists an index j for which \((h_j, h'_j)\) defines correct preprocessing and correct execution. We let Solve be the event that this occurs for some query to \({\text {Hash}}'\). Note that if that event occurs, the \(\{\textsf {seed}_i^{[j]}\}_i\), \(q^{[j]}\), \(v^{[j]}\), \(\tilde{x}^{[j]}\) (which can be determined from the oracle queries of the adversary) allow computation of \(x'\) for which \(Hx'=y\) and \({\text {wt}}(x')=w\). Thus, \({\text {Pr}}_7[\textsf {Solve}]\le \epsilon _\text {SD}\).
We claim that
To see this, assume \(\textsf {Solve}\) does not occur. For any query \({\text {Hash}}'(m,h_1,...,h_M, {\mathrm{Merkle}}(h'_1,\ldots ,h'_M))\) made during the experiment (where m was not previously queried to the signing oracle), let Pre denote the set of indices for which \((h_j, h'_j)\) defines correct preprocessing (but not correct execution), and let \(k=\textsf {Pre} \). Let \((J,L)\) be the (random) answers from this query to \({\text {Hash}}'\). The attacker can only possibly generate a forgery (using this \({\text {Hash}}'\)query) if (1) \([M]\backslash J\subset \textsf {Pre}\), and (2) for all \(j\in \textsf {Pre}\cap J\), the value \(\ell _j\) is chosen to be the unique party such that the views of the remaining parties are consistent. Since \(M\backslash J =M\tau \), the number of ways the first event can occur is \(\left( {\begin{array}{c}k\\ M\tau \end{array}}\right) \); given this, there are \(k(M\tau )\) elements remaining in \(\textsf {Pre}\cap J\). Thus, the overall probability with which the attacker can generate a forgery using this \({\text {Hash}}'\)query is
The final bound is obtained by taking a union bound over all queries to \({\text {Hash}}'\). \(\square \)
Appendix G: Boolean circuit for syndrome decoding problem
Let us define a circuit for the boolean function \(C_{H,y}\) defined as
Since \(H\in \mathbb {F}_2^{(mk)\times m}\) is public, it is hardcoded into the circuit so that computing Hx is free in terms of AND gates. To compute \({\text {wt}}(x)\), we need to sum all the bits of x, which involves AND gates to deal with carry propagation. To minimize the number of carries, and hence of AND gates, a possible strategy is to use a binary tree as follows:

Let us denote \(\ell :=\lceil \log _2(w+1)\rceil \). For the sake of simplicity, we assume that m is a multiple of \(2^\ell \).

We split the m bits of x in t blocks of \(2^\ell \) bits.

For each block of size \(2^\ell \), we sum all the bits with a tree:

\(\circ \) At the first level of the tree, we sum the bits two by two to obtain \(\frac{2^\ell }{2}\) 2bit values.

\(\circ \) At the second level of the tree, we sum the previous 2bit values two by two to obtain \(\frac{2^\ell }{4}\) 3bit values.
\(\vdots \)

\(\circ \) At the \(\ell \)th level of the tree, we sum the two previous \((\ell 1)\)bit values to obtain a single \(\ell \)bit value.
The resulting number of AND gates for one \(2^\ell \)bit block is
where a(i) denotes the number of AND gates in an addition on i bits.

We have t sumblocks of \(\ell \) bits. We now sum all these blocks using an additional overflow bit to keep in memory if the sum exceeds \(2^\ell \). The resulting number of AND gates for this step is
$$\begin{aligned} (t1)\cdot a'(\ell ) \end{aligned}$$
where \(a'(\ell )\) denotes the number of AND gates in an addition on \(\ell \) bits with the overflow bit.
So the total number of AND gates to compute \({\text {wt}}(x)\) is
For the addition circuit, we can use a full adder circuit and so
Once Hx and \({\text {wt}}(x)\) are computed, the circuit just need to check that \(Hx=y\) and \({\text {wt}}(w)\), and for that it needs \((mk) + l\) AND gates.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author selfarchiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Feneuil, T., Joux, A. & Rivain, M. Shared permutation for syndrome decoding: new zeroknowledge protocol and codebased signature. Des. Codes Cryptogr. 91, 563–608 (2023). https://doi.org/10.1007/s10623022011161
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623022011161