
Compact Post-quantum Signatures from Proofs of Knowledge Leveraging Structure for the \(\textsf{PKP}\), \(\textsf{SD}\) and \(\textsf{RSD}\) Problems

Conference paper. Codes, Cryptology and Information Security (C2SI 2023). Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13874).

Abstract

The MPC-in-the-head paradigm introduced in [IKOS07] has established itself as an important way to design efficient digital signatures. For instance, it has been leveraged in the Picnic scheme [CDG+20], which reached the third round of the NIST Post-Quantum Cryptography Standardization process. In addition, it has been used in [Beu20] to introduce the Proof of Knowledge (PoK) with Helper paradigm. This construction makes it possible to design shorter signatures but induces a non-negligible performance overhead as it uses cut-and-choose. In this paper, we introduce the PoK leveraging structure paradigm along with its associated challenge space amplification technique. Our new approach to designing PoK brings some improvements over the PoK with Helper one. Indeed, we show how one can substitute the Helper in these constructions by leveraging the underlying structure of the considered problem. This new approach does not suffer from the performance overhead inherent to the PoK with Helper paradigm, hence offers different trade-offs between security, signature sizes and performance. In addition, we also present four new post-quantum signature schemes. The first one is based on a new PoK with Helper for the Syndrome Decoding problem. It relies on ideas from [BGKM22] and [FJR21] and improves the latter using a new technique that can be seen as performing cut-and-choose with a meet-in-the-middle approach. The three other signatures are based on our new PoK leveraging structure approach and as such illustrate its versatility. Indeed, we provide new PoK related to the Permuted Kernel Problem (\(\textsf{PKP}\)), the Syndrome Decoding (\(\textsf{SD}\)) problem and the Rank Syndrome Decoding (\(\textsf{RSD}\)) problem. Considering (public key + signature), we get sizes below 9 kB for our signature related to the \(\textsf{PKP}\) problem, below 15 kB for our signature related to the \(\textsf{SD}\) problem and below 7 kB for our signature related to the \(\textsf{RSD}\) problem.
These new constructions are particularly interesting presently as NIST has recently announced its plan to reopen the signature track of its Post-Quantum Cryptography Standardization process.


References

  1. Aragon, N., Blazy, O., Gaborit, P., Hauteville, A., Zémor, G.: Durandal: a rank metric based signature scheme. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 728–758. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_25
  2. Attema, T., Fehr, S., Klooß, M.: Fiat-Shamir transformation of multi-round interactive proofs. Cryptology ePrint Archive, Report 2021/1377 (2021)
  3. Melchor, C.A., Gaborit, P., Schrek, J.: A new zero-knowledge code based identification scheme with reduced communication. In: IEEE Information Theory Workshop (2011)
  4. Bardet, M., Briaud, P.: An algebraic approach to the rank support learning problem. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 442–462. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_23
  5. Bettaieb, S., Bidoux, L., Blazy, O., Gaborit, P.: Zero-knowledge reparation of the Véron and AGS code-based identification schemes. In: IEEE International Symposium on Information Theory (ISIT) (2021)
  6. Bardet, M., et al.: Improvements of algebraic attacks for solving the rank decoding and MinRank problems. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 507–536. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_17
  7. Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: LESS-FM: fine-tuning signatures from a code-based cryptographic group action. In: International Workshop on Post-Quantum Cryptography (PQCrypto) (2021)
  8. Bellini, E., Caullery, F., Gaborit, P., Manzano, M., Mateu, V.: Improved Véron identification and signature schemes in the rank metric. In: IEEE International Symposium on Information Theory (ISIT) (2019)
  9. Beullens, W.: Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 183–211. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_7
  10. Bidoux, L., Gaborit, P., Kulkarni, M., Mateu, V.: Code-based signatures from new proofs of knowledge for the syndrome decoding problem. arXiv preprint arXiv:2201.05403 (2022)
  11. Bidoux, L., Gaborit, P., Kulkarni, M., Sendrier, N.: Quasi-cyclic Stern proof of knowledge. arXiv preprint arXiv:2110.05005 (2021)
  12. Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS+ signature framework. In: ACM SIGSAC Conference on Computer and Communications Security (CCS) (2019)
  13. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31
  14. Chase, M., et al.: The Picnic signature algorithm. NIST Post-Quantum Cryptography Standardization Project (Round 3) (2020). https://microsoft.github.io/Picnic/
  15. Chen, M.-S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: MQDSS specifications. NIST Post-Quantum Cryptography Standardization Project (Round 2) (2020). https://mqdss.org/
  16. Cayrel, P.-L., Véron, P., El Yousfi Alaoui, S.M.: A zero-knowledge identification scheme based on the q-ary syndrome decoding problem. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 171–186. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_12
  17. Debris-Alazard, T., Sendrier, N., Tillich, J.-P.: Wave: a new family of trapdoor one-way preimage sampleable functions based on codes. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 21–51. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_2
  18. Debris-Alazard, T., Tillich, J.-P.: Two attacks on rank metric code-based schemes: RankSign and an IBE scheme. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 62–92. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_3
  19. Feneuil, T.: Building MPCitH-based signatures from MQ, MinRank, Rank SD and PKP. Cryptology ePrint Archive, Report 2022/1512 (2022)
  20. Feneuil, T., Joux, A., Rivain, M.: Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature. Cryptology ePrint Archive, Report 2021/1576 (2021)
  21. Feneuil, T., Joux, A., Rivain, M.: Syndrome decoding in the head: shorter signatures from zero-knowledge proofs. Cryptology ePrint Archive, Report 2022/188 (2022)
  22. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
  23. Gaborit, P., Hauteville, A., Phan, D.H., Tillich, J.-P.: Identity-based encryption from codes with rank metric. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 194–224. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_7
  24. Gueron, S., Persichetti, E., Santini, P.: Designing a practical code-based signature scheme from zero-knowledge proofs with trusted setup. Cryptology ePrint Archive, Report 2021/1020 (2021)
  25. Gaborit, P., Ruatta, O., Schrek, J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62, 1006–1019 (2015)
  26. Gaborit, P., Zémor, G.: Asymptotic improvement of the Gilbert-Varshamov bound for linear codes. IEEE Trans. Inf. Theory 54(9), 3865–3872 (2008)
  27. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the 39th Annual ACM Symposium on Theory of Computing (STOC) (2007)
  28. Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Proceedings of the 2018 ACM Conference on Computer and Communications Security (CCS) (2018)
  29. Koussa, E., Macario-Rat, G., Patarin, J.: On the complexity of the permuted kernel problem. Cryptology ePrint Archive, Report 2019/412 (2019)
  30. Kales, D., Zaverucha, G.: An attack on some signature schemes constructed from five-pass identification schemes. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 3–22. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5_1
  31. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33
  32. Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_4
  33. Shamir, A.: An efficient identification scheme based on permuted kernels (extended abstract). In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 606–609. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_54
  34. Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_40
  35. Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2
  36. Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
  37. Véron, P.: Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8, 57–69 (1997)
  38. Wang, W.: Shorter signatures from MQ. Cryptology ePrint Archive, Report 2022/344 (2022)


Corresponding author: Philippe Gaborit.


Appendices

A Proof of Theorem 1

Theorem 1

If the hash function used is collision-resistant and if the commitment scheme used is binding and hiding, then the protocol depicted in Fig. 2 is an honest-verifier zero-knowledge PoK with Helper for the \(\textsf{SD}\) problem over \(\mathbb {F}_2\) with soundness error 1/N.

Proof

We prove the correctness, special soundness and special honest-verifier zero-knowledge properties below.

Correctness. The correctness follows from the protocol description once the cut-and-choose with meet in the middle property \(\bar{\textbf{s}}_{\alpha } = \bar{\textbf{t}}_{\alpha } + \textbf{z}_4\) has been verified. From \(\textbf{s}_0 = \textbf{u} + \textbf{x}\) and \(\textbf{s}_i = \pi _i[\textbf{s}_{i - 1}] + \textbf{v}_i\) for all \(i \in [1, \alpha ]\), one can see that \(\bar{\textbf{s}}_{\alpha } = \pi _{\alpha } \circ \cdots \circ \pi _{1}[\textbf{u} + \textbf{x}] + \textbf{v}_{\alpha } + \sum \nolimits _{i \in [1, \alpha - 1]} \pi _\alpha \circ \cdots \circ \pi _{i + 1}[\textbf{v}_i]\). In addition, from \(\bar{\textbf{t}}_N = \pi [\textbf{u}] + \textbf{v}\), and \(\bar{\textbf{t}}_{i-1} = \pi ^{-1}_i[\bar{\textbf{t}}_i - \textbf{v}_i]\) for all \(i \in \{N, \ldots , \alpha +1 \}\), one can see that \(\bar{\textbf{t}}_{\alpha } = \pi _{\alpha } \circ \cdots \circ \pi _{1}[\textbf{u}] + \textbf{v}_{\alpha } + \sum \nolimits _{i \in [1, \alpha - 1]} \pi _\alpha \circ \cdots \circ \pi _{i + 1}[\textbf{v}_i]\). As \(\textbf{z}_4 = \pi _{\alpha } \circ \dots \circ \pi _1[\textbf{x}]\), one can conclude that \(\bar{\textbf{s}}_{\alpha } = \bar{\textbf{t}}_{\alpha } + \textbf{z}_4\).

Special Soundness. To prove the special soundness, one needs to build an efficient knowledge extractor \(\textsf{Ext}\) which returns a solution of the \(\textsf{SD}\) instance defined by \((\textbf{H}, \textbf{y})\) given two valid transcripts \((\textbf{H}, \textbf{y}, \textsf{com}_1, \textsf{com}_2, \alpha , \textsf{rsp})\) and \((\textbf{H}, \textbf{y}, \textsf{com}_1, \textsf{com}_2, \alpha ', \textsf{rsp}')\) with \(\alpha \ne \alpha '\), where \(\textsf{com}_1 = \textsf{Setup}(\theta , \xi )\) for some random seeds \((\theta , \xi )\). The knowledge extractor \(\textsf{Ext}\) computes the solution as:

  1. Compute \((\pi _i)_{i \in [1, N]}\) from \(z_2\) and \(z_2'\)
  2. Output \((\pi _{1}^{-1} \circ \cdots \circ \pi _{\alpha }^{-1}[\textbf{z}_4])\)

We now show that the output is a solution to the given \(\textsf{SD}\) problem. One can compute \((\bar{\pi }_i, \bar{\textbf{v}}_i)_{i \in [1, N]}\) from \(z_2\) and \(z_2'\). From the binding property of the commitments \((\textsf{com}_{1,i})_{i \in [1, N]}\), one has \((\pi _i, \textbf{v}_i)_{i \in [1, N]} = (\bar{\pi }_i, \bar{\textbf{v}}_i)_{i \in [1, N]}\). From the binding property of commitment \(\textsf{com}_1\), one has \(\textbf{H}(\textbf{z}_1 - \textbf{u}) = \textbf{y}\) and \(\bar{\textbf{t}}_N = \pi [\textbf{u}] + \textbf{v}\). Using \(\bar{\textbf{t}}_N\) and \((\pi _i, \textbf{v}_i)_{i \in [1, N]}\), one has \(\bar{\textbf{t}}_{\alpha } = \pi _{\alpha } \circ \cdots \circ \pi _{1}[\textbf{u}] + \textbf{v}_{\alpha } + \sum \nolimits _{i \in [1, \alpha - 1]} \pi _\alpha \circ \cdots \circ \pi _{i + 1}[\textbf{v}_i]\). From the binding property of commitment \(\textsf{com}_2\), one has \(\bar{\textbf{s}}_0 = \bar{\textbf{s}}_0' = \textbf{z}_1\). In addition, one has \(\bar{\textbf{s}}_i = \bar{\pi }_i[\bar{\textbf{s}}_{i - 1}] + \bar{\textbf{v}}_i\) for all \(i \in [1, N] \setminus \alpha \) as well as \(\bar{\textbf{s}}_i' = \bar{\pi }_i[\bar{\textbf{s}}_{i - 1}'] + \bar{\textbf{v}}_i\) for all \(i \in [1, N] \setminus \alpha '\). Using the binding property of commitment \(\textsf{com}_2\) once again, one can deduce that \(\bar{\textbf{s}}_i = \bar{\pi }_i[\bar{\textbf{s}}_{i - 1}] + \bar{\textbf{v}}_i\) for all \(i \in [1, N]\) hence \(\bar{\textbf{s}}_{\alpha } = \pi _{\alpha } \circ \cdots \circ \pi _{1}[\textbf{z}_1] + \textbf{v}_{\alpha } + \sum \nolimits _{i \in [1, \alpha - 1]} \pi _{\alpha } \circ \cdots \circ \pi _{i + 1}[\textbf{v}_i]\). From the binding property of commitment \(\textsf{com}_2\), one has \(\bar{\textbf{s}}_{\alpha } = \bar{\textbf{t}}_{\alpha } + \textbf{z}_4\) hence \(\textbf{z}_1 - \textbf{u} = \pi ^{-1}_{1} \circ \cdots \circ \pi ^{-1}_{\alpha }[\textbf{z}_4]\). 
As a consequence, one has \(\textbf{H}(\pi ^{-1}_{1} \circ \cdots \circ \pi ^{-1}_{\alpha }[\textbf{z}_4]) = \textbf{y}\) along with \(w_H\big (\textbf{z}_4\big ) = \omega \) thus \(\pi ^{-1}_{1} \circ \cdots \circ \pi ^{-1}_{\alpha }[\textbf{z}_4]\) is a solution of the considered \(\textsf{SD}\) problem instance.

Special Honest-Verifier Zero-Knowledge. We start by explaining why valid transcripts do not leak anything on the secret \(\textbf{x}\). A valid transcript contains \((\textbf{u} + \textbf{x}, \, (\pi _i, \textbf{v}_i)_{i \in [1, N] \setminus \alpha }, \, \pi [\textbf{u}] + \textbf{v}, \, \pi _{\alpha } \circ \cdots \circ \pi _{1}[\textbf{x}], \textsf{com}_{1, \alpha })\) namely the secret \(\textbf{x}\) is masked either by a random value \(\textbf{u}\) or by a random permutation \(\pi _{\alpha }\). The main difficulty concerns the permutation \(\pi _\alpha \) as the protocol requires \(\pi _{\alpha } \circ \cdots \circ \pi _1[\textbf{u} + \textbf{x}]\) to be computed while both \((\textbf{u} + \textbf{x})\) and \((\pi _i)_{i \in [1, \alpha -1]}\) are known. To overcome this issue, the protocol actually computes \(\pi _{\alpha } \circ \cdots \circ \pi _1[\textbf{u} + \textbf{x}] + \textbf{v}_{\alpha } + \sum \nolimits _{i \in [1, \alpha - 1]} \pi _\alpha \circ \cdots \circ \pi _{i + 1}[\textbf{v}_i]\) for some random value \(\textbf{v}_{\alpha }\) hence does not leak anything on \(\pi _{\alpha }\). In addition, if the commitment used is hiding, \(\textsf{com}_{1, \alpha }\) does not leak anything on \(\pi _{\alpha }\) nor \(\textbf{v}_{\alpha }\). Formally, one can build a \(\textsf{PPT}\) simulator \(\textsf{Sim}\) that given the public values \((\textbf{H}, \textbf{y})\), random seeds \((\theta , \xi )\) and a random challenge \(\alpha \) outputs a transcript \((\textbf{H}, \textbf{y}, \textsf{com}_1, \textsf{com}_2, \alpha , \textsf{rsp})\) such that \(\textsf{com}_1 = \textsf{Setup}(\theta , \xi )\) that is indistinguishable from the transcript of honest executions of the protocol:

  1. Compute \((\pi _i, \textbf{v}_i)_{i \in [1, N]}\) and \(\textbf{u}\) from \((\theta , \xi )\)
  2. Compute \(\mathbf {\tilde{x}}_1\) such that \(\textbf{H} \mathbf {\tilde{x}}_1 = \textbf{y}\) and \(\mathbf {\tilde{x}}_2 \overset{\;\$}{\longleftarrow }\mathcal {S}_{\omega }(\mathbb {F}_{2}^n)\)
  3. Compute \(\mathbf {\tilde{s}}_0 = \textbf{u} + \mathbf {\tilde{x}}_1\) and \(\mathbf {\tilde{s}}_i = \pi _i[\tilde{\textbf{s}}_{i-1}] + \textbf{v}_i\) for all \(i \in [1, \alpha -1]\)
  4. Compute \(\mathbf {\tilde{s}}_{\alpha } = \pi _{\alpha } \circ \cdots \circ \pi _1[\textbf{u} + \mathbf {\tilde{x}}_2] + \textbf{v}_{\alpha } + \sum \nolimits _{i \in [1, \alpha - 1]} \pi _\alpha \circ \cdots \circ \pi _{i + 1}[\textbf{v}_i]\)
  5. Compute \(\mathbf {\tilde{s}}_i = \pi _i[\tilde{\textbf{s}}_{i-1}] + \textbf{v}_i\) for all \(i \in [\alpha +1,N]\)
  6. Compute \(\tilde{\textsf{com}}_2 = \textsf{Hash}\big (\textbf{u} + \mathbf {\tilde{x}}_1 \, || \, (\mathbf {\tilde{s}}_i)_{i \in [1, N]}\big )\)
  7. Compute \(\mathbf {\tilde{z}}_1 = \textbf{u} + \mathbf {\tilde{x}}_1, ~ z_2 = (\theta _{i})_{i \in [1, N] \setminus \alpha }, ~ z_3 = \xi , ~ \mathbf {\tilde{z}}_4 = \pi _{\alpha } \circ \dots \circ \pi _1[\mathbf {\tilde{x}}_2]\)
  8. Compute \(\tilde{\textsf{rsp}} = (\mathbf {\tilde{z}}_1, z_2, z_3, \mathbf {\tilde{z}}_4, \textsf{com}_{1, \alpha })\) and output \((\textbf{H}, \textbf{y}, \textsf{com}_1, \tilde{\textsf{com}}_2, \alpha , \tilde{\textsf{rsp}})\)

The transcript generated by the simulator \(\textsf{Sim}\) is \((\textbf{H}, \textbf{y}, \textsf{com}_1, \tilde{\textsf{com}}_2, \alpha , \tilde{\textsf{rsp}})\) where \(\textsf{com}_1 \longleftarrow \textsf{Setup}(\theta , \xi )\). Since \(\mathbf {\tilde{x}}_1\) and \(\textbf{x}\) are masked by a random mask \(\textbf{u}\) unknown to the verifier, \(\mathbf {\tilde{z}}_1\) and \(\textbf{z}_1\) are indistinguishable. Similarly, since \(\mathbf {\tilde{x}}_2\) and \(\textbf{x}\) have the same Hamming weight and are masked by a random permutation \(\pi _{\alpha }\) unknown to the verifier, \(\mathbf {\tilde{z}}_4\) and \(\textbf{z}_4\) are indistinguishable. As \(\mathbf {\tilde{z}}_1\) and \(\textbf{z}_1\) are indistinguishable, \(\mathbf {\tilde{s}}_i\) and \(\textbf{s}_i\) are also indistinguishable for all \(i \in [1, \alpha - 1]\). Since \(\mathbf {\tilde{s}}_\alpha \) and \(\textbf{s}_\alpha \) both contain a random mask \(\textbf{v}_\alpha \) unknown to the verifier, they are indistinguishable. As \(\mathbf {\tilde{s}}_\alpha \) and \(\textbf{s}_\alpha \) are indistinguishable, so are \(\mathbf {\tilde{s}}_i\) and \(\textbf{s}_i\) for all \(i \in [\alpha +1, N]\). Finally, \(z_2\) and \(z_3\) are identical in both cases and \(\textsf{com}_{1, \alpha }\) does not leak anything if the commitment is hiding. As a consequence, \((\tilde{\textsf{rsp}}, \tilde{\textsf{com}}_2)\) in the simulation and \((\textsf{rsp}, \textsf{com}_2)\) in the real execution are indistinguishable. Finally, \(\textsf{Sim}\) runs in polynomial time, which completes the proof.

B Proof of Theorem 2

Theorem 2

If the hash function used is collision-resistant and if the commitment scheme used is binding and hiding, then the protocol depicted in Fig. 3 is an honest-verifier zero-knowledge PoK for the \(\textsf{IPKP}\) problem with soundness error equal to \(\frac{1}{N} + \frac{N - 1}{N \cdot (q - 1)}\).

Proof

We prove the correctness, special soundness and special honest-verifier zero-knowledge properties below.

Correctness. The correctness follows from the protocol description once it is observed that \(\textbf{s}_N = \pi [\kappa \cdot \textbf{x}] + \textbf{v}\) which implies that \(\textbf{H} \textbf{s}_N - \kappa \cdot \textbf{y} = \textbf{H} \pi [\kappa \cdot \textbf{x}] + \textbf{H} \textbf{v} - \kappa \cdot \textbf{y} = \textbf{H} \textbf{v}\).

\((q-1,N)\)-Special Soundness. To prove the \((q-1,N)\)-special soundness, one needs to build an efficient knowledge extractor \(\textsf{Ext}\) which returns a solution of the \(\textsf{IPKP}\) instance defined by \((\textbf{H}, \textbf{x}, \textbf{y})\) with high probability given a \((q-1,N)\)-tree of accepting transcripts. One only needs a subset of the tree to complete the proof, namely the four leaves corresponding to challenges \((\kappa , \alpha _1), (\kappa , \alpha _2), (\kappa ', \alpha _1)\) and \((\kappa ', \alpha _2)\) where \(\kappa \ne \kappa '\) and \(\alpha _1 \ne \alpha _2\). The knowledge extractor \(\textsf{Ext}\) computes the solution as:

  1. Compute \((\bar{\pi }_i)_{i \in [1, N]}\) from \(z_2^{(\kappa , \alpha _1)}\) and \(z_2^{(\kappa , \alpha _2)}\)
  2. Compute \(\bar{\pi } = \bar{\pi }_N \circ \cdots \circ \bar{\pi }_1\)
  3. Output \(\bar{\pi } \)

One can compute \((\bar{\pi }^{(\kappa )}_i, \bar{\textbf{v}}^{(\kappa )}_i)_{i \in [1, N]}\) and \((\bar{\pi }^{(\kappa ')}_i, \bar{\textbf{v}}^{(\kappa ')}_i)_{i \in [1, N]}\) from \(\big ( z_2^{(\kappa , \alpha _i)} \big )_{i \in [1,2]}\) and \(\big ( z_2^{(\kappa ', \alpha _i)} \big )_{i \in [1,2]}\) respectively. From the binding property of the commitments \((\textsf{com}_{1,i})_{i \in [1, N]}\), one has \((\bar{\pi }_i, \bar{\textbf{v}}_i)_{i \in [1, N]} = (\bar{\pi }^{(\kappa )}_i, \bar{\textbf{v}}^{(\kappa )}_i)_{i \in [1, N]} = (\bar{\pi }^{(\kappa ')}_i, \bar{\textbf{v}}^{(\kappa ')}_i)_{i \in [1, N]}\). By construction, one has \(\bar{\textbf{s}}^{(\kappa , \alpha _1)}_0 = \bar{\textbf{s}}^{(\kappa , \alpha _2)}_0 = \kappa \cdot \textbf{x}\). In addition, one has \(\bar{\textbf{s}}^{(\kappa , \alpha _1)}_i = \bar{\pi }_i[\bar{\textbf{s}}^{(\kappa , \alpha _1)}_{i - 1}] + \bar{\textbf{v}}_i\) for all \(i \in [1, N] \setminus \alpha _1\) as well as \(\bar{\textbf{s}}^{(\kappa , \alpha _2)}_i = \bar{\pi }_i[\bar{\textbf{s}}^{(\kappa , \alpha _2)}_{i - 1}] + \bar{\textbf{v}}_i\) for all \(i \in [1, N] \setminus \alpha _2\). From the binding property of commitment \(\textsf{com}_2\), one can deduce that \(\bar{\textbf{s}}^{(\kappa )}_i = \bar{\pi }_i[\bar{\textbf{s}}^{(\kappa )}_{i - 1}] + \bar{\textbf{v}}_i\) for all \(i \in [1, N]\) hence \(\bar{\textbf{s}}^{(\kappa )}_N = \bar{\pi }[\kappa \cdot \textbf{x}] + \bar{\textbf{v}}\). Following a similar argument, one also has \(\bar{\textbf{s}}^{(\kappa ')}_N = \bar{\pi }[\kappa ' \cdot \textbf{x}] + \bar{\textbf{v}}\). From the binding property of commitment \(\textsf{com}_1\), one has \(\textbf{H} \bar{\textbf{s}}^{(\kappa )}_N - \kappa \cdot \textbf{y} = \textbf{H} \bar{\textbf{s}}^{(\kappa ')}_N - \kappa ' \cdot \textbf{y}\). 
It follows that \(\textbf{H}(\bar{\pi }[\kappa \cdot \textbf{x}] + \bar{\textbf{v}}) - \kappa \cdot \textbf{y} = \textbf{H}(\bar{\pi }[\kappa ' \cdot \textbf{x}] + \bar{\textbf{v}}) - \kappa ' \cdot \textbf{y}\) hence \((\kappa - \kappa ') \cdot \textbf{H} \bar{\pi }[\textbf{x}] = (\kappa - \kappa ') \cdot \textbf{y}\). This implies that \(\textbf{H} \bar{\pi }[\textbf{x}] = \textbf{y}\) thus \(\bar{\pi }\) is a solution of the considered \(\textsf{IPKP}\) problem.

Special Honest-Verifier Zero-Knowledge. We start by explaining why valid transcripts do not leak anything on the secret \(\pi \). A valid transcript contains \((\textbf{s}_{\alpha }, \, (\pi _i, \textbf{v}_i)_{i \in [1, N] \setminus \alpha }, \, \textsf{com}_{1, \alpha })\) where the secret \(\pi \) is hidden by the unknown permutation \(\pi _{\alpha }\). In our protocol, one needs to compute \(\pi [\textbf{x}]\) without leaking anything on the secret \(\pi \). To overcome this issue, the protocol actually computes \(\pi [\textbf{x}] + \textbf{v}\) for some value \(\textbf{v}\) that is masked by the unknown random value \(\textbf{v}_\alpha \). In addition, if the commitment used is hiding, \(\textsf{com}_{1, \alpha }\) does not leak anything on \(\pi _{\alpha }\) nor \(\textbf{v}_{\alpha }\). Formally, one can build a \(\textsf{PPT}\) simulator \(\textsf{Sim}\) that, given the public values \((\textbf{H}, \textbf{x}, \textbf{y})\) and random challenges \((\kappa , \alpha )\), outputs a transcript \((\textbf{H}, \textbf{x}, \textbf{y}, \textsf{com}_1, \kappa , \textsf{com}_2, \alpha , \textsf{rsp})\) that is indistinguishable from the transcript of honest executions of the protocol:

  1. Compute \((\pi _i, \textbf{v}_i, \tilde{\textsf{com}}_{1,i})\) as in the real protocol except for \(\tilde{\pi }_1 \overset{\;\$}{\longleftarrow }S_n\)
  2. Compute \(\tilde{\pi } = \pi _N \circ \cdots \circ \tilde{\pi }_1\)
  3. Compute \(\textbf{v}\) and \(\tilde{\textsf{com}}_1\) as in the real protocol
  4. Compute \(\mathbf {\tilde{x}}\) such that \(\textbf{H} \mathbf {\tilde{x}} = \kappa \cdot \textbf{y}\)
  5. Compute \(\textbf{s}_0 = \kappa \cdot \textbf{x}\) and \(\mathbf {\tilde{s}}_i = \pi _i[\mathbf {\tilde{s}}_{i-1}] + \textbf{v}_i\) for all \(i \in [1, \alpha -1]\)
  6. Compute \(\mathbf {\tilde{s}}_{\alpha } = \pi _{\alpha }[\mathbf {\tilde{s}}_{\alpha - 1}] + \textbf{v}_{\alpha } + \pi ^{-1}_{\alpha + 1} \circ \cdots \circ \pi ^{-1}_{N}[\mathbf {\tilde{x}} - \pi [\kappa \cdot \textbf{x}]]\)
  7. Compute \(\mathbf {\tilde{s}}_i = \pi _i[\mathbf {\tilde{s}}_{i-1}] + \textbf{v}_i\) for all \(i \in [\alpha +1,N]\)
  8. Compute \(\tilde{\textsf{com}}_2 = \textsf{Hash}\big ((\mathbf {\tilde{s}}_i)_{i \in [1, N]}\big )\) and \(\mathbf {\tilde{z}}_1 = \mathbf {\tilde{s}}_{\alpha }\)
  9. Compute \(\tilde{z}_2 = \tilde{\pi }_1 \, || \, (\theta _{i})_{i \in [1, N] \setminus \alpha } \text { if } \alpha \ne 1\) or \(\tilde{z}_2 = (\theta _{i})_{i \in [1, N] \setminus \alpha }\) otherwise
  10. Compute \(\tilde{\textsf{rsp}} = (\mathbf {\tilde{z}}_1, \tilde{z}_2, \tilde{\textsf{com}}_{1, \alpha })\) and output \((\textbf{H}, \textbf{x}, \textbf{y}, \tilde{\textsf{com}}_1, \kappa , \tilde{\textsf{com}}_2, \alpha , \tilde{\textsf{rsp}})\)

The transcript generated by the simulator \(\textsf{Sim}\) is \((\textbf{H}, \textbf{x}, \textbf{y}, \tilde{\textsf{com}}_1, \kappa , \tilde{\textsf{com}}_2, \alpha , \tilde{\textsf{rsp}})\). Since \(\mathbf {\tilde{s}}_{\alpha }\) (in the simulation) and \(\textbf{s}_{\alpha }\) (in the real world) are masked by a random mask \(\textbf{v}_{\alpha }\) unknown to the verifier, \(\mathbf {\tilde{z}}_1\) and \(\textbf{z}_1\) are indistinguishable. In addition, since \(\tilde{\pi }_1\) is sampled uniformly at random in \(\mathcal {S}_{n}\), \(\tilde{z}_2\) and \(z_2\) are indistinguishable. Finally, \(\tilde{\textsf{com}}_{1, \alpha }\) does not leak anything on \(\pi _{\alpha }\) nor \(\textbf{v}_{\alpha }\) if the commitment is hiding. As a consequence, \((\tilde{\textsf{com}}_1, \tilde{\textsf{com}}_2, \tilde{\textsf{rsp}})\) (in the simulation) and \((\textsf{com}_1, \textsf{com}_2, \textsf{rsp})\) (in the real execution) are indistinguishable. Finally, \(\textsf{Sim}\) runs in polynomial time which completes the proof.

C Proof of Theorem 3

Similarly to what was done in [AGS11], we introduce the intermediary \(\textsf{DiffSD}\) problem (Definition 23) in order to prove the security of the protocol depicted in Fig. 4. Its security (Theorem 3) relies on the \(\textsf{DiffSD}\) problem and is completed by a reduction from the \(\textsf{QCSD}\) problem to the \(\textsf{DiffSD}\) problem (Theorem 5). In our context, we consider \(\textsf{QCSD}\) instances with up to M vectors (decoding one out of many setting), which means that the adversary has access to Mk syndromes (M given syndromes combined with k possible shifts). In practice, one has to choose the \(\textsf{QCSD}\) parameters so that the PoK remains secure even taking into account both the number of given syndromes and the (small) security loss induced by the use of the \(\textsf{DiffSD}\) problem.

Definition 23

(\(\textsf{DiffSD}\) problem). Let \((n=2k, k, w, M, \varDelta )\) be positive integers, \(\textbf{H} \in \mathcal{Q}\mathcal{C}(\mathbb {F}_2^{(n - k) \times n})\) be a random parity-check matrix of a quasi-cyclic code of index 2, \((\textbf{x}_i)_{i \in [1, M]} \in (\mathbb {F}_2^{n})^M\) be vectors such that \(w_H\big (\textbf{x}_i\big ) = w\) and \((\textbf{y}_i)_{i \in [1, M]} \in (\mathbb {F}_2^{(n-k)})^M\) be vectors such that \(\textbf{H} \textbf{x}_i^\top = \textbf{y}_i^\top \). Given \((\textbf{H}, (\textbf{y}_i)_{i \in [1, M]})\), the Differential Syndrome Decoding problem \(\textsf{DiffSD}(n, k, w, M, \varDelta )\) asks to find \((\textbf{c}, (\textbf{d}_{j}, \kappa _j, \mu _j)_{j \in [1, \varDelta ]}) \in \mathbb {F}_2^{(n - k)} \times (\mathbb {F}_2^{n} \times [1, k] \times [1, M])^{\varDelta }\) such that \(\textbf{H}\textbf{d}_{j}^\top + \textbf{c} =\textbf{rot}_{\kappa _j}(\textbf{y}_{\mu _j}^\top )\) and \(w_H\big (\textbf{d}_{j}\big ) = w\) for each \(j \in [1, \varDelta ]\).

Theorem 5

If there exists a \(\textsf{PPT}\) algorithm solving the \(\textsf{DiffSD}(n,k, w, M, \varDelta )\) problem with probability \(\epsilon _{\textsf{DiffSD}}\), then there exists a \(\textsf{PPT}\) algorithm solving the \(\textsf{QCSD}(n, k, w, M)\) problem with probability \(\epsilon _{\textsf{QCSD}} \ge (1 - M \times p - (2^{(n - k)} - 2) \times p^{\varDelta }) \cdot \epsilon _{\textsf{DiffSD}}\) where \(p = \frac{\binom{n}{\omega }}{2^{(n - k)}}\).

Sketch of Proof. We start by highlighting the main steps of the proof. One should note that the \(\textsf{DiffSD}\) problem is constructed from a \(\textsf{QCSD}\) instance and as such always admits at least one solution, namely the solution of the underlying \(\textsf{QCSD}\) instance. Indeed, any solution to the \(\textsf{DiffSD}\) problem satisfying \(\textbf{c} = (0, \cdots , 0)\) can be transformed into a solution to the \(\textsf{QCSD}\) problem with the same inputs. Hereafter, we study the probability that there exist solutions to the \(\textsf{DiffSD}\) problem for any possible value of \(\textbf{c}\). To do so, we consider two cases depending on whether \(\textbf{c}\) is stable by rotation or not. The first case implies that either \(\textbf{c} = (0, \cdots , 0)\) or \(\textbf{c} = (1, \cdots , 1)\), while the second case encompasses every other possible value for \(\textbf{c}\). We show that for correctly chosen values of n, k, w and \(\varDelta \), the probability that there exist solutions to the \(\textsf{DiffSD}\) problem satisfying \(\textbf{c} \ne (0, \cdots , 0)\) is small. Such solutions cannot be transformed into solutions to the \(\textsf{QCSD}\) problem, hence they induce a security loss in our reduction.

Given an \([n, k]\) quasi-cyclic code \(\mathcal {C}\), we restrict our analysis (and our choice of parameters) to the case where (i) n is prime and 2 is primitive modulo n, and (ii) the weight w is below the Gilbert-Varshamov bound associated to \(\mathcal {C}\), i.e. the value for which the number of words of weight at most w equals the number of syndromes. Thus, given a syndrome \(\textbf{y}\), the probability p that there exists a pre-image \(\textbf{x}\) of \(\textbf{y}\) such that \(\textbf{Hx}^\top = \textbf{y}^\top \) and \(w_H\big (\textbf{x}\big ) = w\) is \(p = \binom{n}{w} / 2^{(n-k)}\), namely the number of words of weight w divided by the number of syndromes.

Let \(\mathcal {A}_{\textsf{DiffSD}}\) be an algorithm that given inputs \((\textbf{H}, (\textbf{y}_i)_{i \in [1, M]})\) generated following Definition 23 outputs a solution \((\textbf{c}, (\textbf{d}_j, \kappa _j, \mu _j)_{j \in [1, \varDelta ]})\) to the considered \(\textsf{DiffSD}\) instance. Let \(\mathcal {A}_{\textsf{QCSD}}\) be an algorithm that given access to \(\mathcal {A}_{\textsf{DiffSD}}\) and inputs \((\textbf{H}, (\textbf{y}_i)_{i \in [1, M]})\) corresponding to an instance of the \(\textsf{QCSD}\) problem in the decoding one out of many setting outputs a solution to this instance. We denote by \(\mathcal {A}_{\textsf{QCSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \) (respectively \(\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \)) the fact that \(\mathcal {A}_{\textsf{QCSD}}\) (respectively \(\mathcal {A}_{\textsf{DiffSD}}\)) outputs a valid solution to the \(\textsf{QCSD}\) (respectively \(\textsf{DiffSD}\)) problem.

\(\underline{\mathcal {A}_{\textsf{QCSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}):}\)

  1. Compute \((\textbf{c}, (\textbf{d}_j, \kappa _j, \mu _j)_{j \in [1, \varDelta ]}) \leftarrow \mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]})\)

  2. If \(\textbf{c} = (0, \cdots , 0)\), output \(\textbf{x} = {\textbf {rot}}_{k - \kappa _1}(\textbf{d}_1)\), a weight-w pre-image of \(\textbf{y}_{\mu _1}\) (rotations preserve Hamming weight and commute with \(\textbf{H}\) since the code is quasi-cyclic, so \(\textbf{H}\textbf{x}^\top = {\textbf {rot}}_{k - \kappa _1}({\textbf {rot}}_{\kappa _1}(\textbf{y}_{\mu _1}^\top )) = \textbf{y}_{\mu _1}^\top \))

  3. If \(\textbf{c} \ne (0, \cdots , 0)\), output \(\bot \)

Let \(\mathtt {c_{0}}\) denote the event that the solution to the \(\textsf{DiffSD}\) problem is also the solution of the underlying \(\textsf{QCSD}\) instance. One has \(\epsilon _{\textsf{QCSD}} = P[\mathcal {A}_{\textsf{QCSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot ] \ge P[\mathcal {A}_{\textsf{QCSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \, \cap \, \mathtt {c_{0}}] = P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \, \cap \, \mathtt {c_{0}}]\). Let \(\mathtt {c_{stable}}\) and \(\mathtt {c_{unstable}}\) denote the events that the \(\textsf{DiffSD}\) problem admits another solution than the one of its underlying \(\textsf{QCSD}\) instance where \(\textbf{c}\) is stable (respectively unstable) by rotation. One has \(P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot ] = P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \cap \mathtt {c_{stable}}] + P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \cap \mathtt {c_{unstable}}]\). We show below that if \(\textbf{c}\) is stable by rotation then \(\textbf{c} = (0, \cdots , 0)\) or \(\textbf{c} = (1, \cdots , 1)\). Let \(\mathtt {c_{1}}\) denote the event that the \(\textsf{DiffSD}\) problem admits another solution than the one of its underlying \(\textsf{QCSD}\) instance where \(\textbf{c} = (1, \cdots , 1)\). 
It follows that \(P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \, \cap \, \mathtt {c_{0}}] = P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot ] - P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \, \cap \, \mathtt {c_{1}}] - P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \, \cap \, \mathtt {c_{unstable}}]\) hence \(P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \, \cap \, \mathtt {c_{0}}] = \epsilon _{\textsf{DiffSD}} - P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \cap \mathtt {c_{1}}] - P[\mathcal {A}_{\textsf{DiffSD}}(\textbf{H}, (\textbf{y}_i)_{i \in [1, M]}) \ne \bot \cap \mathtt {c_{unstable}}] = (1 - P[\mathtt {c_1}] - P[\mathtt {c_{unstable}}]) \cdot \epsilon _{\textsf{DiffSD}}\). It follows that \(\epsilon _{\textsf{QCSD}} \ge (1 - P[\mathtt {c_1}] - P[\mathtt {c_{unstable}}]) \cdot \epsilon _{\textsf{DiffSD}}\).

Working modulo \(x^n-1\) and writing \(\textbf{c}\) as \(c(x)=\sum _{i=0}^{n-1} c_ix^i\), stability by a rotation of order j means \(x^jc(x)=c(x) \mod x^n-1\), hence \((x^j+1)c(x)=0 \mod x^n-1\), i.e. \(x^n - 1\) divides \((x^j+1)c(x)\). In our case where 2 is primitive modulo n, one has \(x^n-1=(x - 1)\varPhi (x)\) with \(\varPhi (x) = 1 + x + x^2 + \cdots + x^{n-1}\) irreducible over \(\mathbb {F}_2\) [GZ08]. Since n is prime and \(1 \le j < n\), \(\gcd (x^j + 1, x^n + 1) = x^{\gcd (j, n)} + 1 = x + 1\), so \(\varPhi \) is coprime to \(x^j + 1\) and must divide c(x). As \(\deg c(x) < n\), this leaves \(c(x) = 0\) or \(c(x) = \varPhi (x)\); the only non-zero possibility is therefore \(\textbf{c} = (1, \cdots , 1)\).

Hereafter, we compute \(P[\mathtt {c_1}]\) and \(P[\mathtt {c_{unstable}}]\). The probability that the \(\textsf{DiffSD}\) problem admits another solution than the one of its underlying \(\textsf{QCSD}\) instance where \(\textbf{c} = (1, \cdots , 1)\) is the probability that the vector \(\textbf{rot}_{\kappa _j}(\textbf{y}_{\mu _j}) - \textbf{c}\) has a pre-image by \(\textbf{H}\) of weight w, namely p. Because \(\textbf{c} = (1, \cdots , 1)\) is invariant under rotation, \(\textbf{rot}_{\kappa }(\textbf{y}_{\mu }) - \textbf{c} = \textbf{rot}_{\kappa }(\textbf{y}_{\mu } - \textbf{c})\), so the k rotations of a given syndrome yield equivalent equations and only the M syndromes \((\textbf{y}_i)_{i \in [1, M]}\) need to be considered. It follows that \(P[\mathtt {c_1}] = M \times p = M \times \binom{n}{w} / 2^{(n - k)}\).

In the case where \(\textbf{c}\) is not stable by rotation, one cannot use cyclicity to derive several valid \(\textsf{DiffSD}\) equations from a single one as in the previous case. Therefore, to compute the probability that the \(\textsf{DiffSD}\) problem admits another solution than the one of its underlying \(\textsf{QCSD}\) instance when \(\textbf{c}\) is unstable by rotation, one has to consider the probability that all the \(\varDelta \) vectors \(\textbf{rot}_{\kappa _j}(\textbf{y}_{\mu _j}) - \textbf{c}\) have a pre-image by \(\textbf{H}\) of weight w. Each pre-image exists with probability p, thus (treating these events as independent) the \(\varDelta \) pre-images exist simultaneously with probability \(p^{\varDelta } = \big (\binom{n}{w} / 2^{(n - k)}\big )^{\varDelta }\). As \(2^{(n - k)} - 2\) possible values can be considered for \(\textbf{c}\) (all possible values except \(\textbf{0}\) and \(\textbf{1}\)), it follows that \(P[\mathtt {c_{unstable}}] = (2^{(n - k)} - 2) \times \big (\binom{n}{w} / 2^{(n - k)}\big )^{\varDelta }\).
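The following Python model, added here as an illustration and not taken from the paper or its implementation, exercises the objects of Definition 23 and the proof sketch of Theorem 5 on a toy instance: a quasi-cyclic parity-check matrix of index 2, the blockwise rotation \(\textbf{rot}_j\), a checker for \(\textsf{DiffSD}\) solutions, the algorithm \(\mathcal {A}_{\textsf{QCSD}}\) that turns a \(\textbf{c} = \textbf{0}\) solution into a \(\textsf{QCSD}\) solution via \(\textbf{rot}_{k - \kappa _1}\), the security-loss factor of Theorem 5, and a brute-force check of the rotation-stable vectors. It assumes the systematic form \(\textbf{H} = [\textbf{I}_k \mid \textbf{circ}(\textbf{h})]\) (the paper only requires \(\textbf{H}\) to be quasi-cyclic), and the instance it builds is constructed from a fixed seed.

```python
"""Toy model of the DiffSD -> QCSD reduction (Theorem 5) over F_2.

Added illustration, not code from the paper.  Assumption: the parity-check
matrix is in systematic quasi-cyclic form H = [I_k | circ(h)], so n = 2k and
syndromes live in F_2^k.  Vectors are Python lists of 0/1.
"""
import random
from math import comb


def rot(v, j):
    """rot_j: cyclic shift of a length-k vector by j positions."""
    k = len(v)
    return [v[(i - j) % k] for i in range(k)]


def rot_blockwise(x, j):
    """rot_j on F_2^{2k}: shift each of the two length-k blocks by j."""
    k = len(x) // 2
    return rot(x[:k], j) + rot(x[k:], j)


def circulant(h):
    """k x k circulant matrix whose first row is h."""
    k = len(h)
    return [[h[(j - i) % k] for j in range(k)] for i in range(k)]


def qc_parity_check(h):
    """H = [I_k | circ(h)] in F_2^{k x 2k} (quasi-cyclic code of index 2)."""
    k = len(h)
    C = circulant(h)
    return [[int(i == j) for j in range(k)] + C[i] for i in range(k)]


def syndrome(H, x):
    """H x^T over F_2."""
    return [sum(a & b for a, b in zip(row, x)) % 2 for row in H]


def add(u, v):
    return [(a + b) % 2 for a, b in zip(u, v)]


def random_weight_w(n, w, rng):
    x = [0] * n
    for i in rng.sample(range(n), w):
        x[i] = 1
    return x


def make_qcsd_instance(k, w, M, seed=1):
    """Constructed QCSD instance: M syndromes of weight-w errors (fixed seed)."""
    rng = random.Random(seed)
    h = [rng.randrange(2) for _ in range(k)]
    H = qc_parity_check(h)
    xs = [random_weight_w(2 * k, w, rng) for _ in range(M)]
    ys = [syndrome(H, x) for x in xs]
    return H, xs, ys


def is_diffsd_solution(H, ys, w, c, parts):
    """Definition 23: H d_j^T + c = rot_{kappa_j}(y_{mu_j}) and w_H(d_j) = w for all j."""
    return all(
        add(syndrome(H, d), c) == rot(ys[mu], kappa) and sum(d) == w
        for d, kappa, mu in parts
    )


def qcsd_from_diffsd(H, ys, w, c, parts):
    """A_QCSD of the proof sketch: only a c = 0 solution is usable.

    Circulant blocks commute with cyclic shifts, so
    H rot_{k-kappa}(d)^T = rot_{k-kappa}(H d^T) = rot_{k-kappa}(rot_kappa(y_mu)) = y_mu.
    Returns (x, mu) or None (the 'bot' output of step 3).
    """
    if any(c) or not is_diffsd_solution(H, ys, w, c, parts):
        return None
    d, kappa, mu = parts[0]
    k = len(ys[0])
    x = rot_blockwise(d, k - kappa)
    assert syndrome(H, x) == ys[mu] and sum(x) == w
    return x, mu


def security_loss(n, k, w, M, Delta):
    """Factor (1 - M p - (2^(n-k) - 2) p^Delta) of Theorem 5 with p = C(n,w)/2^(n-k).

    A negative value means the bound is vacuous for these parameters.
    """
    p = comb(n, w) / 2 ** (n - k)
    return 1 - M * p - (2 ** (n - k) - 2) * p ** Delta


def rotation_stable_vectors(k):
    """Brute force: vectors of F_2^k fixed by some non-trivial rotation."""
    out = []
    for bits in range(2 ** k):
        c = [(bits >> i) & 1 for i in range(k)]
        if any(rot(c, j) == c for j in range(1, k)):
            out.append(c)
    return out


def demo(k=13, w=4, M=2, Delta=3):
    """Build a c = 0 DiffSD solution from the secrets and run the reduction."""
    H, xs, ys = make_qcsd_instance(k, w, M)
    # Mimic what the extractor hands over: d_j = rot_{kappa_j}(x_{mu_j}), c = 0.
    parts = [(rot_blockwise(xs[j % M], 1 + j), 1 + j, j % M) for j in range(Delta)]
    c = [0] * k
    assert is_diffsd_solution(H, ys, w, c, parts)
    return qcsd_from_diffsd(H, ys, w, c, parts)
```

`rotation_stable_vectors(k)` returns only \(\textbf{0}\) and \(\textbf{1}\) when k is prime, which is the case the proof restricts to; for composite k (e.g. 6) it also returns periodic vectors such as 010101, which is why the analysis needs the primality condition. `security_loss` makes the caveat of Theorem 5 concrete: with a small \(\varDelta \) the term \((2^{(n-k)} - 2) p^{\varDelta }\) dominates and the factor goes negative, so \(\varDelta \) must be large enough for the reduction to say anything.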

Theorem 3

If the hash function used is collision-resistant and if the commitment scheme used is binding and hiding, then the protocol depicted in Fig. 4 is an honest-verifier zero-knowledge PoK for the \(\textsf{QCSD}(n, k, w, M)\) problem with soundness error equal to \(\frac{1}{N} + \frac{(N - 1)(\varDelta - 1)}{N \cdot M \cdot k}\) for some parameter \(\varDelta \).

Proof

The proofs of the correctness and special honest-verifier zero-knowledge properties follow the same arguments as the proofs given in Appendix A. Hereafter, we provide a proof of the (Mk, N)-special soundness property.

(Mk, N)-Special Soundness. To prove the (Mk, N)-special soundness, one needs to build an efficient knowledge extractor \(\textsf{Ext}\) which, given an (Mk, N)-tree of accepting transcripts, returns a solution of the \(\textsf{QCSD}\) instance defined by \((\textbf{H}, (\textbf{y}_i)_{i \in [1, M]})\) with high probability. In our case, we build \(\textsf{Ext}\) as a knowledge extractor for the \(\textsf{DiffSD}\) problem and use it as an extractor for the \(\textsf{QCSD}\) problem thanks to Theorem 5. Only a subset of the tree of accepting transcripts is needed to complete the proof, namely \(2\varDelta \) leaves corresponding to challenges \(\big ( \mu _j, \kappa _j, \alpha _i \big )^{j \in [1, \varDelta ]}_{i \in [1,2]}\). The knowledge extractor \(\textsf{Ext}\) computes the solution as:

  1. Compute \((\bar{\pi }_i)_{i \in [1, n]} \text { from } z_2^{(\mu _1, \kappa _1, \alpha _1)} \text { and } z_2^{(\mu _1, \kappa _1, \alpha _2)}\)

  2. Compute \(\textbf{c}_1 = \textbf{H} \textbf{z}^{(\mu _1, \kappa _1)}_1 - {\textbf {rot}}_{\kappa _1}(\textbf{y}_{\mu _1}) = \cdots = \textbf{H} \textbf{z}^{(\mu _{\varDelta }, \kappa _{\varDelta })}_1 - {\textbf {rot}}_{\kappa _{\varDelta }}(\textbf{y}_{\mu _{\varDelta }})\)

  3. Compute \(\textbf{c}_2 = \bar{\pi }_{\alpha _1} \circ \cdots \circ \bar{\pi }_1[\textbf{z}^{(\mu _1, \kappa _1)}_1] - \textbf{z}^{(\mu _1, \kappa _1, \alpha _1)}_4 = \cdots = \bar{\pi }_{\alpha _1} \circ \cdots \circ \bar{\pi }_1[\textbf{z}^{(\mu _{\varDelta }, \kappa _{\varDelta })}_1] - \textbf{z}^{(\mu _{\varDelta }, \kappa _{\varDelta }, \alpha _{\varDelta })}_4\)

  4. Compute \(\textbf{c}_3 = \textbf{H}(\bar{\pi }^{-1}_{1} \circ \cdots \circ \bar{\pi }^{-1}_{\alpha _1}[\textbf{c}_2]) - \textbf{c}_1\)

  5. Compute \(\textbf{d}_j = \bar{\pi }^{-1}_{1} \circ \cdots \circ \bar{\pi }^{-1}_{\alpha _1}[\textbf{z}^{(\mu _j, \kappa _j, \alpha _j)}_4] \text { for all } j \in [1, \varDelta ]\)

  6. Output \((\textbf{c}_3, (\textbf{d}_{j}, \kappa _j, \mu _j)_{j \in [1, \varDelta ]})\)

One can compute \(\big ( \bar{\pi }^{(\mu _j, \kappa _j)}_i, \bar{\textbf{v}}^{(\mu _j, \kappa _j)}_i \big )^{j \in [1, \varDelta ]}_{i \in [1, N]}\) from \(\big ( z_2^{(\mu _j, \kappa _j, \alpha _i)} \big )^{j \in [1, \varDelta ]}_{i \in [1,2]}\). From the binding property of the commitments \((\textsf{com}_{1,i})_{i \in [1, N]}\), one can see that \((\pi _i, \textbf{v}_i)_{i \in [1, N]} = (\bar{\pi }^{(\mu _1, \kappa _1)}_i, \bar{\textbf{v}}^{(\mu _1, \kappa _1)}_i)_{i \in [1, N]} = \cdots = (\bar{\pi }^{(\mu _{\varDelta }, \kappa _{\varDelta })}_i, \bar{\textbf{v}}^{(\mu _{\varDelta }, \kappa _{\varDelta })}_i)_{i \in [1, N]}\). From the binding property of commitment \(\textsf{com}_2\), one has \(\bar{\textbf{s}}^{(\mu _j, \kappa _j, \alpha _1)}_0 = \bar{\textbf{s}}^{(\mu _j, \kappa _j, \alpha _2)}_0 = \textbf{z}^{(\mu _j, \kappa _j)}_1\) for all \(j \in [1, \varDelta ]\). In addition, one has \(\bar{\textbf{s}}^{(\mu _j, \kappa _j, \alpha _1)}_i = \bar{\pi }_i[\bar{\textbf{s}}^{(\mu _j, \kappa _j, \alpha _1)}_{i - 1}] + \bar{\textbf{v}}_i\) for all \(i \in [1, N] \setminus \alpha _1\) and all \(j \in [1, \varDelta ]\) as well as \(\bar{\textbf{s}}^{(\mu _j, \kappa _j, \alpha _2)}_i = \bar{\pi }_i[\bar{\textbf{s}}^{(\mu _j, \kappa _j, \alpha _2)}_{i - 1}] + \bar{\textbf{v}}_i\) for all \(i \in [1, N] \setminus \alpha _2\) and all \(j \in [1, \varDelta ]\). Using the binding property of commitment \(\textsf{com}_2\) once again, one can deduce that \(\bar{\textbf{s}}^{(\mu _j, \kappa _j)}_i = \bar{\pi }_i[\bar{\textbf{s}}^{(\mu _j, \kappa _j)}_{i - 1}] + \bar{\textbf{v}}_i\) for all \(i \in [1, N]\) and \(j \in [1, \varDelta ]\) hence \(\bar{\textbf{s}}^{(\mu _j, \kappa _j)}_{\alpha _1} = \bar{\pi }_{\alpha _1} \circ \cdots \circ \bar{\pi }_{1}[\textbf{z}^{(\mu _j, \kappa _j)}_1] + \textbf{v}_{\alpha _1} + \sum \nolimits _{i \in [1, \alpha _1 - 1]} \bar{\pi }_{\alpha _1} \circ \cdots \circ \bar{\pi }_{i + 1}[\textbf{v}_i]\) for all \(j \in [1, \varDelta ]\). 
From the binding property of commitment \(\textsf{com}_1\), one has \(\textbf{c}_1 = \textbf{H} \textbf{z}^{(\mu _1, \kappa _1)}_1 - {\textbf {rot}}_{\kappa _1}(\textbf{y}_{\mu _1}) = \cdots = \textbf{H} \textbf{z}^{(\mu _{\varDelta }, \kappa _{\varDelta })}_1 - {\textbf {rot}}_{\kappa _{\varDelta }}(\textbf{y}_{\mu _{\varDelta }})\). In addition, one has \(\bar{\textbf{r}}^{(\mu _1, \kappa _1)} = \cdots = \bar{\textbf{r}}^{(\mu _{\varDelta }, \kappa _{\varDelta })}\), which implies that \(\bar{\textbf{t}}_{\alpha _1} = \bar{\textbf{t}}^{(\mu _1, \kappa _1)}_{\alpha _1} = \cdots = \bar{\textbf{t}}^{(\mu _{\varDelta }, \kappa _{\varDelta })}_{\alpha _1}\). From the binding property of commitment \(\textsf{com}_2\), one has \(\bar{\textbf{s}}^{(\mu _j, \kappa _j)}_{\alpha _1} = \bar{\textbf{t}}^{(\mu _j, \kappa _j)}_{\alpha _1} + \bar{\textbf{z}}^{(\mu _j, \kappa _j)}_{4}\) for all \(j \in [1, \varDelta ]\). Using \(\bar{\textbf{t}}_{\alpha _1} = \bar{\textbf{t}}^{(\mu _1, \kappa _1)}_{\alpha _1} = \cdots = \bar{\textbf{t}}^{(\mu _{\varDelta }, \kappa _{\varDelta })}_{\alpha _1}\), one can deduce that \(\textbf{c}_2 = \bar{\textbf{t}}_{\alpha _1} - \textbf{v}_{\alpha _1} - \sum \nolimits _{i \in [1, \alpha _1 - 1]} \bar{\pi }_{\alpha _1} \circ \cdots \circ \bar{\pi }_{i + 1}[\textbf{v}_i] = \bar{\pi }_{\alpha _1} \circ \cdots \circ \bar{\pi }_{1}[\textbf{z}^{(\mu _1, \kappa _1)}_1] - \textbf{z}^{(\mu _1, \kappa _1, \alpha _1)}_{4} = \cdots = \bar{\pi }_{\alpha _1} \circ \cdots \circ \bar{\pi }_{1}[\textbf{z}^{(\mu _{\varDelta }, \kappa _{\varDelta })}_1] - \textbf{z}^{(\mu _{\varDelta }, \kappa _{\varDelta }, \alpha _{\varDelta })}_{4}\). It follows that \(\textbf{z}^{(\mu _j, \kappa _j)}_1 = \bar{\pi }^{-1}_{1} \circ \cdots \circ \bar{\pi }^{-1}_{\alpha _1}[\textbf{c}_2 + \textbf{z}^{(\mu _j, \kappa _j, \alpha _j)}_{4}]\) for all \(j \in [1, \varDelta ]\). 
As \(\textbf{c}_1 = \textbf{H} \textbf{z}^{(\mu _j, \kappa _j)}_1 - {\textbf {rot}}_{\kappa _j}(\textbf{y}_{\mu _j})\), one has \(\textbf{c}_1 = \textbf{H}(\bar{\pi }^{-1}_{1} \circ \cdots \circ \bar{\pi }^{-1}_{\alpha _1}[\textbf{c}_2 + \textbf{z}^{(\mu _j, \kappa _j, \alpha _j)}_{4}]) - {\textbf {rot}}_{\kappa _j}(\textbf{y}_{\mu _j})\), hence \(\textbf{H}(\bar{\pi }^{-1}_{1} \circ \cdots \circ \bar{\pi }^{-1}_{\alpha _1}[\textbf{z}^{(\mu _j, \kappa _j, \alpha _j)}_{4}]) \,+\, \textbf{c}_3 = {\textbf {rot}}_{\kappa _j}(\textbf{y}_{\mu _j})\) for all \(j \in [1, \varDelta ]\). Given that \(w_H\big (\textbf{z}^{(\mu _j, \kappa _j, \alpha _j)}_4\big ) = w\) for all \(j \in [1, \varDelta ]\) and that permutations preserve the Hamming weight, one has \(w_H(\textbf{d}_j) = w\) and can conclude that \((\textbf{c}_3, (\textbf{d}_{j}, \kappa _j, \mu _j)_{j \in [1, \varDelta ]})\) is a solution of the considered \(\textsf{DiffSD}\) problem instance. One completes the proof by using Theorem 5.

D Proof of Theorem 4

Theorem 4

If the hash function used is collision-resistant and if the commitment scheme used is binding and hiding, then the protocol depicted in Fig. 5 is an honest-verifier zero-knowledge PoK for the \(\textsf{IRSL}\) problem with soundness error equal to \(\frac{1}{N} + \frac{(N - 1)(\varDelta - 1)}{N (q^{Mk} - 1)}\) for some parameter \(\varDelta \).

Proof

The proof of our protocol in the rank metric (Theorem 4) is similar to the proof of our protocol in Hamming metric (Theorem 3) presented in Appendix C. It relies on the introduction of the intermediary \(\textsf{DiffIRSL}\) problem (Definition 24) along with a reduction from the \(\textsf{IRSL}\) problem to the \(\textsf{DiffIRSL}\) problem (Theorem 6).

Definition 24

(\(\textsf{DiffIRSL}\) problem). Let \((q, m, n = 2k, k, w, M, \varDelta )\) be positive integers, \(P \in \mathbb {F}_q[X]\) be an irreducible polynomial of degree k, \(\textbf{H} \in \mathcal{I}\mathcal{D}(\mathbb {F}_{q^m}^{(n - k) \times n})\) be a random parity-check matrix of an ideal code of index 2, E be a random subspace of \(\mathbb {F}_{q^m}\) of dimension \(\omega \), \((\textbf{x}_i)_{i \in [1, M]} \in (\mathbb {F}_{q^m}^n)^M\) be random vectors such that \(\textit{Supp}(\textbf{x}_i) = E\) and \((\textbf{y}_i)_{i \in [1, M]} \in (\mathbb {F}_{q^m}^{(n - k)})^M\) be vectors such that \(\textbf{H} \textbf{x}_i^\top = \textbf{y}_i^\top \). Given \((\textbf{H}, (\textbf{y}_i)_{i \in [1, M]})\), the Differential Ideal Rank Support Learning problem \(\textsf{DiffIRSL}(q, m, n, k, w, M, \varDelta )\) asks to find \((\textbf{c}, (\textbf{d}_{\delta }, (\gamma _{i,j}^{\delta })_{i \in [1, M], j \in [1, k]})_{\delta \in [1, \varDelta ]}) \in \mathbb {F}_{q^m}^{(n - k)} \times \big (\mathbb {F}_{q^m}^{n} \times (\mathbb {F}_q^{Mk} \setminus \{(0, \cdots , 0)\})\big )^{\varDelta }\) such that \(\textbf{H} \textbf{d}_{\delta }^\top + \textbf{c} = \sum \nolimits _{(i, j) \in [1, M] \times [1, k]} \gamma ^{\delta }_{i, j} \cdot \textbf{rot}_{j}(\textbf{y}_{i}^{\top })\) with \(\textit{Supp}(\textbf{d}_{\delta }) = F\) and \(|F| = \omega \) for each \(\delta \in [1, \varDelta ]\).

Theorem 6

If there exists a \(\textsf{PPT}\) algorithm solving the \(\textsf{DiffIRSL}(q, m, n, k, w, M, \varDelta )\) with probability \(\epsilon _{\textsf{DiffIRSL}}\), then there exists a \(\textsf{PPT}\) algorithm solving the \(\textsf{IRSL}(q, m, n, k, w, M)\) problem with probability \(\epsilon _{\textsf{IRSL}} \ge (1 - (q^{m(n - k)} - 1) \times (q^{\omega (m - \omega ) + n\omega - m(n - k)})^{\varDelta }) \cdot \epsilon _{\textsf{DiffIRSL}}\).

Sketch of Proof. The proof of Theorem 6 in the rank metric setting is similar to the proof of Theorem 5 in the Hamming metric setting. A noticeable difference in the rank metric setting is related to the use of the irreducible polynomial \(P \in \mathbb {F}_q[X]\) of degree k. Indeed, the latter implies that \(P[\mathtt {c_{stable}}] = 0\), namely there is no solution where \(\textbf{c}\) is both stable by rotation and different from \((0, \cdots , 0)\).

Given an \([n, k]\) ideal code \(\mathcal {C}\), we restrict our analysis to the case where the weight \(\omega \) is below the rank Gilbert-Varshamov bound associated to \(\mathcal {C}\), i.e. the value for which the number of words of weight at most \(\omega \) equals the number of syndromes. As a consequence, given a syndrome \(\textbf{y}\), the probability that there exists a pre-image \(\textbf{x}\) of \(\textbf{y}\) such that \(\textbf{Hx}^\top = \textbf{y}^\top \) and \(w_R\big (\textbf{x}\big ) = \omega \) is \(q^{\omega (m - \omega ) + n \omega - m(n - k)}\), where \(q^{\omega (m - \omega )}\) approximates the Gaussian binomial counting the subspaces of dimension \(\omega \) of \(\mathbb {F}_{q^m}\), \(q^{n\omega }\) is the number of length-n words whose coordinates lie in a fixed subspace of dimension \(\omega \), and \(q^{m(n - k)}\) is the number of syndromes. As such, this probability is the number of words of rank weight \(\omega \) divided by the number of possible syndromes. Following the same steps as in the proof of Theorem 5 (with \(\sum \nolimits _{(i, j) \in [1, M] \times [1, k]} \gamma ^{\delta }_{i, j} \cdot \textbf{rot}_{j}(\textbf{y}_{i}^{\top }) - \textbf{c}\) playing the role of \(\textbf{rot}_{\kappa _j}(\textbf{y}_{\mu _j}) - \textbf{c}\)) and taking into account that \(P[\mathtt {c_{stable}}] = 0\), one gets \(\epsilon _{\textsf{IRSL}} \ge (1 - (q^{m(n - k)} - 1) \times (q^{\omega (m - \omega ) + n\omega - m(n - k)})^{\varDelta }) \cdot \epsilon _{\textsf{DiffIRSL}}\).

E PoK Leveraging Structure Related to the \(\mathcal{M}\mathcal{Q}\) Problem

(See Fig. 6).

Fig. 6. PoK leveraging structure for the \(\mathcal{M}\mathcal{Q}^{+}_{\mathcal {H}}\) problem

F PoK Leveraging Structure Related to \(\textsf{SD}\) over \(\mathbb {F}_q\)

(See Fig. 7).

Fig. 7. PoK leveraging structure for the \(\textsf{SD}\) problem over \(\mathbb {F}_q\)

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Bidoux, L., Gaborit, P. (2023). Compact Post-quantum Signatures from Proofs of Knowledge Leveraging Structure for the \(\textsf{PKP}\), \(\textsf{SD}\) and \(\textsf{RSD}\) Problems. In: El Hajji, S., Mesnager, S., Souidi, E.M. (eds) Codes, Cryptology and Information Security. C2SI 2023. Lecture Notes in Computer Science, vol 13874. Springer, Cham. https://doi.org/10.1007/978-3-031-33017-9_2

  • DOI: https://doi.org/10.1007/978-3-031-33017-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33016-2

  • Online ISBN: 978-3-031-33017-9
