MinRank in the Head

Short Signatures from Zero-Knowledge Proofs

Conference paper in Progress in Cryptology - AFRICACRYPT 2023 (AFRICACRYPT 2023)

Abstract

In recent years, many digital signature scheme proposals have been built from the so-called MPC-in-the-head paradigm. This has proven to be an outstanding way to design efficient signatures whose security is based on hard problems.

MinRank is an NP-complete problem that has been extensively studied because of its applications to cryptanalysis since its introduction in 1999. However, only a few schemes base their security on its intractability, and their signature sizes are large compared with other proposals based on NP problems. This paper introduces the first MinRank-based digital signature scheme that uses the MPC-in-the-head paradigm, which allows us to achieve small signature sizes and running times. For NIST’s category I parameter set, we obtain signatures of 6.5KB, which is competitive with the shortest proposals in the literature that are based on non-structured problems.

References

  1. Bardet, M., et al.: Improvements of algebraic attacks for solving the rank decoding and MinRank problems. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 507–536. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_17

  2. Bardet, M., Bertin, M.: Improvement of algebraic attacks for solving superdetermined MinRank instances. CoRR abs/2208.01442 (2022). https://doi.org/10.48550/arXiv.2208.01442

  3. Bardet, M., Briaud, P., Bros, M., Gaborit, P., Tillich, J.P.: Revisiting algebraic attacks on MinRank and on the rank decoding problem. Cryptology ePrint Archive, Paper 2022/1031 (2022). https://eprint.iacr.org/2022/1031

  4. Baum, C., Nof, A.: Concretely-efficient zero-knowledge arguments for arithmetic circuits and their application to lattice-based cryptography. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 495–526. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_17

  5. Bellini, E., Esser, A., Sanna, C., Verbel, J.: MR-DSS – smaller MinRank-based (ring-)signatures. Cryptology ePrint Archive, Paper 2022/973 (2022). https://eprint.iacr.org/2022/973

  6. Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16

  7. Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 348–373. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_13

  8. Beullens, W.: Breaking rainbow takes a weekend on a laptop. Cryptology ePrint Archive, p. 214 (2022). https://eprint.iacr.org/2022/214

  9. Buss, J.F., Frandsen, G.S., Shallit, J.O.: The computational complexity of some problems of linear algebra. J. Comput. Syst. Sci. 58(3), 572–596 (1999). http://www.sciencedirect.com/science/article/pii/S0022000098916087

  10. Chase, M., et al.: The picnic signature scheme. Design Document. Version 3.0 (2020). https://github.com/microsoft/Picnic/blob/master/spec/spec-v3.0.pdf

  11. Chen, M.-S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: From 5-pass \(\cal{MQ}\)-based identification to \(\cal{MQ}\)-based signatures. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 135–165. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_5

  12. Courtois, N.T.: Efficient zero-knowledge authentication based on a linear algebra problem MinRank. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 402–421. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_24

  13. Di Scala, A.J., Sanna, C.: Smaller public keys for MinRank-based schemes. arXiv preprint (2023). https://arxiv.org/abs/2302.12447

  14. Escudero, D., Soria-Vazquez, E.: Efficient information-theoretic multi-party computation over non-commutative rings. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 335–364. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_12

  15. Faugère, J., Din, M.S.E., Spaenlehauer, P.: Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology. In: Symbolic and Algebraic Computation, International Symposium, ISSAC, pp. 257–264 (2010). http://doi.acm.org/10.1145/1837934.1837984

  16. Faugère, J.-C., Levy-dit-Vehel, F., Perret, L.: Cryptanalysis of MinRank. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 280–296. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_16

  17. Feneuil, T., Joux, A., Rivain, M.: Syndrome decoding in the head: shorter signatures from zero-knowledge proofs. Cryptology ePrint Archive, Paper 2022/188 (2022). https://eprint.iacr.org/2022/188

  18. Feneuil, T., Rivain, M.: Threshold linear secret sharing to the rescue of MPC-in-the-head. Cryptology ePrint Archive, Paper 2022/1407 (2022). https://eprint.iacr.org/2022/1407

  19. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  20. Gaborit, P., Ruatta, O., Schrek, J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62(2), 1006–1019 (2016)

  21. Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_4

  22. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: STOC 2007, pp. 21–30. Association for Computing Machinery, New York (2007). https://doi.org/10.1145/1250790.1250794

  23. Kales, D., Zaverucha, G.: An attack on some signature schemes constructed from five-pass identification schemes. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 3–22. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5_1

  24. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_2

  25. Lindell, Y., Nof, A.: A framework for constructing fast MPC over arithmetic circuits with malicious adversaries and an honest-majority. Association for Computing Machinery, New York (2017). https://doi.org/10.1145/3133956.3133999

  26. Santoso, B., Ikematsu, Y., Nakamura, S., Yasuda, T.: Three-pass identification scheme based on MinRank problem with half cheating probability. CoRR abs/2205.03255 (2022). https://doi.org/10.48550/arXiv.2205.03255

  27. Tao, C., Petzoldt, A., Ding, J.: Efficient key recovery for All HFE signature variants. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 70–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_4

  28. Verbel, J., Baena, J., Cabarcas, D., Perlner, R., Smith-Tone, D.: On the complexity of “superdetermined” MinRank instances. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 167–186. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_10

Acknowledgements

We thank the anonymous referees for their comments, and Mukul Kulkarni for responding to our questions about the security proofs. We also thank Carlo Sanna, Andre Esser, Stefano Barbero and Emanuele Bellini for their valuable comments on the paper.

Correspondence to Luis Rivera-Zamarripa.

Appendices

A Proof of Theorem 2 (Soundness)

Proof

We follow the soundness proof by Feneuil, Joux and Rivain in [17]. For simplicity, we assume that the commitment scheme is perfectly binding, since otherwise, if it were only computationally binding, we would have to deal with cases of commitment collisions. For any set of successful transcripts corresponding to the same commitment, with at least two different challenges \(i^*\):

  • either the revealed shares of \([\![ \boldsymbol{\alpha } ]\!],[\![ K ]\!]\) are not consistent, and then a hash collision is found, since the commitment scheme is assumed perfectly binding;

  • or the openings are unique, and then \(([\![ \boldsymbol{\alpha } ]\!], [\![ K ]\!])\) is uniquely defined.

In the second case, this witness can be recovered from any two successful transcripts \(T_1\) and \(T_2\) corresponding to the same commitment and for which \(i^*_1 \ne i^*_2\). Let us call a witness \(([\![ \boldsymbol{\alpha } ]\!], [\![ K ]\!])\) a good witness whenever \(\boldsymbol{M}_{\boldsymbol{\alpha }} ^{L} = \boldsymbol{M}_{\boldsymbol{\alpha }} ^{R} K\), i.e., \(\boldsymbol{\alpha }\) is a solution of the underlying MinRank problem.

Let \(\tilde{\mathcal {P}}\), \(\tilde{\varepsilon }\) and \(\varepsilon \) be as in Theorem 2. In Fig. 5, we describe an extractor \(\mathcal {E}\) that finds two valid transcripts \(T_1\) and \(T_2\) with different second challenges. In what follows, we consider that \(\mathcal {E}\) only receives transcripts with consistent shares, since otherwise the extractor would find a hash collision.

Fig. 5. Extractor \(\mathcal {E}\).

Now, we want to estimate the number of calls \(\mathcal {E}\) makes to \(\tilde{\mathcal {P}}\) before returning \((T_1, T_2)\) at step 7. We denote by \(\textsf{succ}_{\tilde{\mathcal {P}}}\) the event that \(\tilde{\mathcal {P}}\) succeeds in convincing an honest verifier \(\textsf {V}{}\). By hypothesis, we have \(\Pr [\textsf{succ}_{\tilde{\mathcal {P}}}] = \tilde{\varepsilon } > \varepsilon \).

Let \(\alpha \in (0,1)\) be an arbitrary value such that \((1-\alpha )\tilde{\varepsilon } > \varepsilon \). Also, let \(X_h\) be the random variable that samples the randomness used by \(\tilde{\mathcal {P}}\) in the generation of the initial commitment h. We say that an \(x_h\) in the sample space of \(X_h\) is good if

$$\Pr [\textsf{succ}_{\tilde{\mathcal {P}}} \mid X_h = x_h] \ge (1-\alpha )\cdot \tilde{\varepsilon }.$$

By the Splitting Lemma [17, Lemma 5], we have for every realization \(x_h\) of \(X_h\),

$$\Pr [x_h \text{ good } \mid \textsf{succ}_{\tilde{\mathcal {P}}}] \ge \alpha .$$

Assume \(\mathcal {E}\) obtains a successful transcript \(T_1\) in Step 2 of Fig. 5, and let \(x_h\) be the underlying realization of \(X_h\). Assume \(x_h\) is good. By definition, we have

$$\Pr [\textsf{succ}_{\tilde{\mathcal {P}}} \mid X_h = x_h] \ge (1-\alpha ) \cdot \tilde{\varepsilon }> \varepsilon > \frac{1}{N},$$

implying that there must exist a successful transcript \(T_2\) with \(i^*_2 \ne i^*_1\). As explained above, this implies that there exists a unique and well-defined witness corresponding to these transcripts. Let \(([\![ \boldsymbol{\alpha } ]\!], [\![ K ]\!])\) be that witness. Now, we show that \(([\![ \boldsymbol{\alpha } ]\!], [\![ K ]\!])\) is a good witness. Assume \(([\![ \boldsymbol{\alpha } ]\!], [\![ K ]\!])\) is bad (i.e., \(\boldsymbol{M}_{\boldsymbol{\alpha }} ^{L} \ne \boldsymbol{M}_{\boldsymbol{\alpha }} ^{R} K\)). Arguing by contradiction, we will show that then \(\Pr [\textsf{succ}_{\tilde{\mathcal {P}}}| X_h = x_h] \le \varepsilon \), meaning that \(x_h\) is not good.

Denote by \(\textsf{FP}\) the event that a genuine execution of the MPC protocol outputs a false positive, i.e. a zero matrix V. Then from Proposition 2, we have \(\Pr [\textsf{FP}] \le \frac{1}{q^n}.\) We now upper bound the probability that the inner loop of Fig. 5 succeeds:

$$\begin{aligned} \Pr [\textsf{succ}_{\tilde{\mathcal {P}}} \mid X_h = x_h]&= \Pr [\textsf{succ}_{\tilde{\mathcal {P}}}, \textsf{FP}\mid X_h = x_h]+\Pr [\textsf{succ}_{\tilde{\mathcal {P}}}, \overline{\textsf{FP}} \mid X_h = x_h]\\&\le \frac{1}{q^n}+\left(1-\frac{1}{q^n}\right)\cdot \Pr [\textsf{succ}_{\tilde{\mathcal {P}}} \mid X_h = x_h,\overline{\textsf{FP}}]. \end{aligned}$$

Having a successful transcript means that the sharing \([\![ V ]\!]\) in the first response of the prover must encode the zero matrix. But, the event \(\overline{\textsf{FP}}\), when we have a bad witness, implies that a genuine execution outputs a non-zero matrix V. So, to have a successful transcript, the prover must cheat for the simulation of at least one party. If the prover cheats for several parties, there is no way it can produce a successful transcript, while if the prover cheats for exactly one party (among the N parties), the probability to be successful is at most 1/N. Thus, \(\Pr [\textsf{succ}_{\tilde{\mathcal {P}}} | X_h = x_h,\overline{\textsf{FP}}] \le 1/N\) and we have

$$\Pr [\textsf{succ}_{\tilde{\mathcal {P}}} | X_h = x_h] \le \frac{1}{q^n}+(1-\frac{1}{q^n})\cdot \frac{1}{N} = \varepsilon ,$$

meaning that \(x_h\) is not good. Thus, if \(x_h\) is good, then \(([\![ \boldsymbol{\alpha } ]\!], [\![ K ]\!])\) is good.

Now, we lower bound the probability that the i-th iteration of the inner loop of Fig. 5 finds a successful transcript \(T_2\) with \(i^*_{T_1} \ne i^*_{T_2}\) with a good \(x_h\). We have

$$\begin{aligned} \Pr [\textsf{succ}^{T_2}_{\tilde{\mathcal {P}}} \; \cap&\; (i^*_{T_1} \ne i^*_{T_2}) \mid x_h \text{ good } ]\\&=\Pr [\textsf{succ}^{T_2}_{\tilde{\mathcal {P}}} \mid x_h \text{ good } ] - \Pr [\textsf{succ}^{T_2}_{\tilde{\mathcal {P}}} \; \cap \; (i^*_{T_1} = i^*_{T_2}) \mid x_h \text{ good } ]\\&\ge (1-\alpha )\tilde{\varepsilon } - \Pr [i^*_{T_1} = i^*_{T_2} \mid x_h \text{ good } ] \ge (1-\alpha )\tilde{\varepsilon } - \Pr [i^*_{T_1} = i^*_{T_2}]\\&= (1-\alpha )\tilde{\varepsilon } - 1/N \ge (1-\alpha )\tilde{\varepsilon } - \varepsilon . \end{aligned}$$

Define \(p_0 := (1 - \alpha ) \cdot \tilde{\varepsilon } - \varepsilon \). By running \(\tilde{\mathcal {P}}\) with the same \(x_h\) as for the good transcript Z times, we hence obtain a second non-colliding transcript \(T_2\) with probability at least 1/2 when

$$Z \approx \frac{\ln (2)}{\ln \left( \frac{1}{1-p_0}\right) } \le \frac{\ln (2)}{p_0}.$$

Now, we upper bound the average number of calls of \(\mathcal {E}\) to \(\tilde{\mathcal {P}}\) before finishing.

  1. \(\mathcal {E}\) makes an average number of calls \(1/\tilde{\varepsilon }\) to obtain \(T_1\).

  2. Then \(\mathcal {E}\) makes at most Z calls to \(\tilde{\mathcal {P}}\) using the same \(x_h\) as for \(T_1\) to obtain a successful transcript \(T_2\) such that \(i^*_{T_1} \ne i^*_{T_2}\). The probability that such a \(T_2\) is found is at least \(\alpha /2\), since the probability that \(x_h\) is good is at least \(\alpha \), and whenever \(x_h\) is good the probability of finding \(T_2\) is at least 1/2.

Hence, the average number of calls of the extractor \(\mathcal {E}\) to \(\tilde{\mathcal {P}}\) is upper bounded by

$$\left( \frac{1}{\tilde{\varepsilon }} + Z\right) \cdot \frac{2}{\alpha } = \left( \frac{1}{\tilde{\varepsilon }} + \frac{\ln (2)}{(1 - \alpha ) \cdot \tilde{\varepsilon } - \varepsilon }\right) \cdot \frac{2}{\alpha }$$

To obtain an \(\alpha \)-free formula, we take \(\alpha \) such that \((1-\alpha )\cdot \tilde{\varepsilon } = \frac{1}{2}(\tilde{\varepsilon } + \varepsilon )\), implying \(\alpha = \frac{1}{2}(1-\frac{\varepsilon }{\tilde{\varepsilon }})\). Hence, the average number of calls to \(\tilde{\mathcal {P}}\) is at most

$$\frac{4}{\tilde{\varepsilon } - \varepsilon } \left( 1 + \tilde{\varepsilon } \cdot \frac{2 \cdot \ln (2)}{ \tilde{\varepsilon } - \varepsilon }\right) .$$

B Proof of Theorem 3 (Zero-Knowledge)

Proof

As in the proof of the soundness, we follow the approach by Feneuil, Joux and Rivain in [17]. First, we describe in Fig. 6 an internal HVZK simulator \(\mathcal {S}\) and show that its responses are (\(t,\varepsilon _{\textrm{PRG}}\))-indistinguishable from the responses of an honest prover for the same challenge \(i^*\). Then we describe a global HVZK simulator that uses \(\mathcal {S}\) to output transcripts (\(t,\varepsilon _{\textrm{PRG}} + \varepsilon _\textsf{com}\))-indistinguishable from real transcripts of the protocol.

Fig. 6. Internal HVZK simulator \(\mathcal {S}\) on input of challenges \((R,i^*)\).

To show the indistinguishability of outputs of simulator \(\mathcal {S}\) from outputs of the protocol, we describe the following sequence of simulators.

Simulator 0 (Actual protocol)

This simulator, described in Fig. 7, outputs \((\textsf {rsp}_{1}, \textsf {rsp}_{2})\) from the transcript of a genuine execution of the protocol with a prover that knows a witness \((\boldsymbol{\alpha }, K)\) and receives challenges \((R,i^*)\).

Fig. 7. Simulator 0 on input of challenges \((R,i^*)\).

Simulator 1

Same as Simulator 0, but uses true randomness instead of seed-derived randomness for party \(i^*\). If \(i^* = N\), the values \([\![ \boldsymbol{\alpha } ]\!]_N\), \([\![ K ]\!]_N\) and \([\![ C ]\!]_N\) are computed as described in the protocol (only \([\![ A ]\!]_N\) and \([\![ B ]\!]_N\) are generated from true randomness). It is easy to see that the probability of distinguishing Simulator 1 and Simulator 0 in running time t is no more than \(\varepsilon _{\textrm{PRG}}\).

Simulator 2

Replace \([\![ \boldsymbol{\alpha } ]\!]_N\), \([\![ K ]\!]_N\) and \([\![ C ]\!]_N\) in Simulator 1 by uniformly random elements of the same type and compute \([\![ V ]\!]_{i^{*}} = - \sum _{i \ne i^{*}} [\![ V ]\!]_{i}\). We note that the obtained simulator is independent of the witness \((\boldsymbol{\alpha },K)\) and solely takes the challenges \(({R,i^*})\) as input. Now we show that the output distributions of Simulator 1 and Simulator 2 are identical for \(i^* = N\) or \(i^* \ne N\).

If \(i^* = N\), the changes only impact the shares \([\![ S_1 ]\!]_{N}, [\![ S_2 ]\!]_{N}, [\![ V ]\!]_{N}\) in the simulated responses. We can see that the distributions of those shares are identical in Simulator 2 and in Simulator 1. Indeed, in both cases, the shares \([\![ S_1 ]\!]_{N}\) and \([\![ S_2 ]\!]_{N}\) are uniformly distributed because of the uniformly sampled (in Simulator 1) additive terms \([\![ A ]\!]_{N}\) and \([\![ B ]\!]_{N}\), respectively, and independent of the rest. The share \([\![ V ]\!]_{N}\), as in Simulator 1, satisfies \([\![ V ]\!]_{N} = - \sum _{i \ne N} [\![ V ]\!]_i\).

If \(i^* \ne N\), the changes only impact \([\![ S_1 ]\!]_{N}, [\![ S_2 ]\!]_{N}, [\![ V ]\!]_{N}\), derived from \(\textsf {aux}= ([\![ \boldsymbol{\alpha } ]\!]_N, [\![ K ]\!]_N, [\![ C ]\!]_N)\), in the simulated response. But \(\textsf {aux}\) was already uniformly random in Simulator 1. Indeed, the shares in \(\textsf {aux}\) are computed by adding share values from parties \(i\ne N\), including party \(i^*\) (which is uniformly random in Simulator 1). Therefore, the output distributions of Simulator 1 and Simulator 2 are identical.

Simulator 3 (Internal HVZK simulator)

The only difference between Simulator 2 and the internal HVZK simulator \(\mathcal {S}\) in Fig. 6 is that the latter directly draws \([\![ S_1 ]\!]_{i^*}\) and \([\![ S_2 ]\!]_{i^*}\) uniformly at random. As explained above, this does not impact the output distribution.

To sum up, we have shown that the internal simulator \(\mathcal {S}\) outputs responses \((\textsf {rsp}_1,\textsf {rsp}_2)\) which are \((t, \varepsilon _{\textrm{PRG}})\)-indistinguishable from the responses of the real protocol on the same challenges of an honest verifier. To obtain a global HVZK simulator, we proceed as in Fig. 8:

Fig. 8. The global HVZK simulator.

Applying the hiding property of the commitment scheme on \(\textsf{com}_{i^*}\), we then have that the global HVZK simulator outputs a transcript which is \((t, \varepsilon _{\textrm{PRG}} + \varepsilon _{\textsf{com}})\)-indistinguishable from a real transcript of the protocol.    \(\square \)

C Proof of Theorem 4 (EUF-CMA)

Proof

Let \(\mathcal {A}\) be an adversary making \(q_s\) signing queries, and \(q_0\), \(q_1\), \(q_2\) queries to \(\textrm{Hash}_0\), \(\textrm{Hash}_1\) and \(\textrm{Hash}_2\), respectively. To prove the theorem, we define in the following a sequence of experiments involving \(\mathcal {A}\). We let \(\Pr _i[\cdot ]\) refer to the probability of an event in experiment i, and t denote the running time of the entire experiment, i.e., including \(\mathcal {A}\)’s running time, the time required to answer signing queries and to verify \(\mathcal {A}\)’s output.

Note that since \(\textrm{Hash}_0\), \(\textrm{Hash}_1\), and \(\textrm{Hash}_2\) are modeled as random oracles, \(\mathcal {A}\) can know the output of one of these on a prepared input only if it queries the oracle. Hence, if \(\mathcal {A}\) outputs a forgery \((\textsf {msg}, \sigma )\) at the end of an experiment, with

$$ \sigma = \textsf {salt}\; \vert \; h_1 \; \vert \; h_2 \; \vert \left( \big (\textsf {state}_{i}^{[\ell ]}\big ) _{i \ne i^{*[\ell ]}} \; \vert \; \textsf{com}_{i^{*, [\ell ]}}^{[\ell ]} \; \vert \; [\![ S_1^{[\ell ]} ]\!]_{i^{*, [\ell ]}} \; \vert \; [\![ S_2^{[\ell ]} ]\!]_{i^{*, [\ell ]}} \right) _{\ell \in [\tau ]}, $$

then there necessarily exists, at some moment during the experiment, a query to \(\textrm{Hash}_2\) made by \(\mathcal {A}\) itself with output \(h_2\) and with an input of the form

$$\Big (\textsf {msg}, \textsf {salt}, h_1, \Big ([\![ S_1^{[\ell ]} ]\!]_{i}, [\![ S_2^{[\ell ]} ]\!]_{i}, [\![ V_{1}^{[\ell ]} ]\!]_{i}\Big )_{i\in [N], \;\ell \in [\tau ]} \Big ).$$

Experiment 1

This is the interaction of \(\mathcal {A}\) with the real signature scheme. In more detail: first \(\textsf {KeyGen}{}\) is run to obtain \(\boldsymbol{M}, \boldsymbol{\alpha }, K\), and \(\mathcal {A}\) is given the public key \(\boldsymbol{M}\). At the end of this experiment, \(\mathcal {A}\) outputs a message/signature pair. We let \(\textsf{Forge}\) denote the event that the message was not previously queried by \(\mathcal {A}\) to its signing oracle, and the signature is valid. Our goal is to upper-bound \(\Pr _1[\textsf{Forge}]\).

Experiment 2

This is the previous experiment with the difference that we abort if, during the course of the experiment, a collision in \(\textrm{Hash}_0\) is found. Note that the number of queries to \(\textrm{Hash}_0\) throughout the experiment (by either the adversary or the signing algorithm) is \(q_0 + \tau N q_s\). Thus,

$$\begin{aligned} |\textrm{Pr}_1[\textsf{Forge}] - \textrm{Pr}_2[\textsf{Forge}]| \le \frac{(q_0 + \tau N q_s)^2}{2\cdot 2^{2\lambda }}. \end{aligned}$$

Experiment 3

The difference with the previous experiment is that, when signing a message m, we begin by choosing \(h_1\) and \(h_2\) uniformly and then expand them as the challenges \(\{R^{[1]}, \ldots , R^{[\tau ]}\}\) and \(\{i^{*, [1]}, \ldots , i^{*, [\tau ]}\}\). Phases 1, 3 and 5 of Fig. 4 remain unchanged, but in phases 2 and 4 we simply set the output of \(\textrm{Hash}_1\) to \(h_1\) and the output of \(\textrm{Hash}_2\) to \(h_2\).

A difference in the outcome of this experiment compared to the previous one occurs only when, in the course of answering a signing query, the query to \(\textrm{Hash}_1\) or the query to \(\textrm{Hash}_2\) was ever made before by \(\mathcal {A}\). The probability of each of these two events is upper bounded by that of having the same salt in the current signing query and in the relevant previous query, which is \(\frac{1}{2^{2\lambda }}\). Therefore, we have

$$\begin{aligned} |\textrm{Pr}_2[\textsf{Forge}] - \textrm{Pr}_3[\textsf{Forge}]| \le \frac{q_s\cdot (q_1 + q_2)}{2^{2\lambda }}. \end{aligned}$$

Experiment 4

The difference with the previous experiment is that, for each \(\ell \in [\tau ]\), we sample \(\textsf{com}_{i^{*, [\ell ]}}^{[\ell ]}\) uniformly at random (i.e., without making the corresponding query to \(\textrm{Hash}_0\)).

A difference between this experiment and the previous one occurs only when, in the course of answering a signing query, \(\textrm{Hash}_0\) receives an input on which it was previously queried. However, such a collision cannot occur within the same signing query (since the indices i and \(\ell \) are part of the input to \(\textrm{Hash}_0\)), and it occurs from a previous query (a signing query or a \(\textrm{Hash}_0\) query made by \(\mathcal {A}\)) with probability \(\frac{1}{2^{2\lambda }}\), since there would be the same salt in the current signing query as in that previous query. Thus,

$$\begin{aligned} |\textrm{Pr}_3[\textsf{Forge}] - \textrm{Pr}_4[\textsf{Forge}]| \le \frac{q_s\cdot (q_s + q_0)}{2^{2\lambda }}. \end{aligned}$$

Experiment 5

We again modify the experiment. Now, for \(\ell \in [\tau ]\), the signer uses the internal HVZK simulator in Fig. 6 to generate the parties’ views in one execution of Phases 1 and 3. We denote \(\mathcal {S}_\textsf {salt}(\cdot )\) a call to this simulator which appends \(\textsf {salt}\) to the sampled seed in input to \(\textrm{TreePRG}\). Thus, signature queries are now answered as depicted in Fig. 9.

Observe that the secret \((\boldsymbol{\alpha }, K)\) is no longer used for generating signatures. Recall that an adversary against the internal HVZK simulator has a distinguishing advantage \(\varepsilon _{\textrm{PRG}}\) (corresponding to execution time t), since commitments are built outside of the simulator. This yields \(|\textrm{Pr}_4[\textsf{Forge}] - \textrm{Pr}_5[\textsf{Forge}]| \le \tau \cdot q_s\cdot \varepsilon _{\textrm{PRG}}.\)

Fig. 9. Experiment 5: Response to a signature query for a message \(\textsf {msg}\).

Experiment 6

At any point during this experiment, we say that we have a correct execution \(\ell ^*\) if, in a query to \(\textrm{Hash}_2\) with input

$$\begin{aligned} \Big (\textsf {msg}, \textsf {salt}, h_1, \Big ([\![ S_1^{[\ell ]} ]\!]_{i}, [\![ S_2^{[\ell ]} ]\!]_{i}, [\![ V_{1}^{[\ell ]} ]\!]_{i}\Big )_{i\in [N], \;\ell \in [\tau ]} \Big ): \end{aligned}$$

  1. there is a previous query \(h_1\leftarrow \textrm{Hash}_1\big (\textsf {msg}, \textsf {salt},\textsf{com}_{1}^{[1]}, \ldots , \textsf{com}_{N}^{[\tau ]}\big ),\)

  2. and each \(\textsf{com}_{i}^{[\ell ^*]}\) was output by a previous query (by either \(\mathcal {A}\) or the signing oracle) to \(\textrm{Hash}_0\) with input \(\big (\textsf {salt}, \ell , i, \textsf {state}_i^{[\ell ^*]}\big ),\)

  3. and a good witness \((\boldsymbol{\alpha }, K)\) can be extracted from \(\{\textsf {state}_i^{[\ell ^{*}]}\}_{i\in [N]}\).

In this experiment, it is checked in each query made by \(\mathcal {A}\) to \(\textrm{Hash}_2\) (where \(\textsf {msg}\) was not previously queried) whether there is a correct execution. We call this event \(\textsf{Solve}\). Note that if \(\textsf{Solve}\) occurs then the \(\{\textsf {state}_i^{[\ell ]}\}_{i\in [N]}\) (which can be determined from the oracle queries of \(\mathcal {A}\)) allow one to easily recover a solution \((\boldsymbol{\alpha }, K)\) of the MinRank instance given by \(\boldsymbol{M}\). Thus, \(\textrm{Pr}_6[\textsf{Solve}] \le \varepsilon _\textrm{MR}.\) Hence,

$$\begin{aligned} \begin{aligned} \textrm{Pr}_6[\textsf{Forge}]&= \textrm{Pr}_6[\textsf{Forge}\text { and } \textsf{Solve}] + \textrm{Pr}_6[\textsf{Forge}\text { and not } \textsf{Solve}] \\&\le \varepsilon _\textrm{MR}+ \textrm{Pr}_6[\textsf{Forge}\text { and not } \textsf{Solve}]. \end{aligned} \end{aligned}$$

Now, suppose we have a forgery \((\textsf {msg}, \sigma )\) and \(\textsf{Solve}\) does not occur. Then for every \(\ell \in [\tau ]\), exactly one of the three following cases must occur:

  a) \(\textsf{com}_{i^{*,\ell }}^{[\ell ]}\) was not output by \(\textrm{Hash}_0\).

  b)
    • for all \(i \in [N]\), \(\textsf{com}_{i}^{[\ell ]}\) was output by a query to \(\textrm{Hash}_0\) with input \(\big (\textsf {salt}, \ell , i, \textsf {state}_i^{[\ell ]}\big )\),

    • \([\![ S_2^{[\ell ]} ]\!]_{i^*}\) is obtained from \(\textsf {state}_{i^*}^{[\ell ]}\), \([\![ S_1^{[\ell ]} ]\!]_{i^*}\) is obtained from \(\textsf {state}_{i^*}^{[\ell ]}\) and \(h_1\), and \(\sum \nolimits _{i \ne i^{*, [\ell ]}} [\![ V^{[\ell ]} ]\!]_{i}\) is obtained from \(\textsf {state}_{i^*}^{[\ell ]}\), \(h_1\), \(S_1^{[\ell ]}\), \(S_2^{[\ell ]}\),

    • and the witness \((\boldsymbol{\alpha }, K)\) extracted from \(\{\textsf {state}_i^{[\ell ]}\}_{i\in [N]}\) is a bad witness.

  b’)
    • for all \(i \in [N]\), \(\textsf{com}_{i}^{[\ell ]}\) was output by a query to \(\textrm{Hash}_0\) with input \(\big (\textsf {salt}, \ell , i, \textsf {state}_i^{[\ell ]}\big )\),

    • \([\![ S_2^{[\ell ]} ]\!]_{i^*}\) is not obtained from \(\textsf {state}_{i^*}^{[\ell ]}\), or \([\![ S_1^{[\ell ]} ]\!]_{i^*}\) is not obtained from \(\textsf {state}_{i^*}^{[\ell ]}\) and \(h_1\), or \(\sum \nolimits _{i \ne i^{*, [\ell ]}} [\![ V^{[\ell ]} ]\!]_{i}\) is not obtained from \(\textsf {state}_{i^*}^{[\ell ]}\), \(h_1\), \(S_1^{[\ell ]}\), \(S_2^{[\ell ]}\),

    • and the witness \((\boldsymbol{\alpha }, K)\) extracted from \(\{\textsf {state}_i^{[\ell ]}\}_{i\in [N]}\) is a bad witness.

Clearly, if b) occurs for a round \(\ell \in [\tau ]\), this means that the MPC protocol of Sect. 4 for verifying a matrix-multiplication triple is honestly followed by every party \(i \in [N]\). Hence, from Proposition 2, the adversary had probability \(1/q^n\) of having b) satisfied for this round \(\ell \). This probability is in fact that of obtaining from \(h_1\) one precise first challenge \(R^{[\ell ]}\) out of the \(q^n\) possibilities. Therefore, the probability of having exactly \(s \in [\tau ]\) rounds satisfying b) is at most

$$P_b(s) = \biggl (\frac{1}{q^n}\biggr )^s\biggl (1-\frac{1}{q^n}\biggr )^{\tau - s} \left( {\begin{array}{c}\tau \\ s\end{array}}\right) .$$

If b) does not occur for a round \(\ell \in [\tau ]\), this clearly means that any other second challenge obtained from \(h_2\) different from \(i^{*,\ell }\) would make the forgery fail. Hence, the probability of having this round \(\ell \) not leading to rejection is at most 1/N. Therefore, the probability of having exactly \(\tau -s \in [\tau ]\) rounds satisfying a) or b’) is at most

$$P_{a,b'}(s) = \frac{1}{N^{\tau -s}}.$$

In view of the above, the probability of having \(\textsf{Forge}\) and not \(\textsf{Solve}\) with exactly s rounds satisfying b) after \(q_1\) queries to \(\textrm{Hash}_1\) and \(q_2\) queries to \(\textrm{Hash}_2\) is at most

$$\begin{aligned} P(s) = \Bigl (1 - \bigl (1-P_b(s)\bigr )^{q_1}\Bigr ) \Bigl (1 - \bigl (1-P_{a,b'}(s)\bigr )^{q_2}\Bigr ). \end{aligned}$$

Thus, we have

$$\textrm{Pr}_6[\textsf{Forge}\text { and not } \textsf{Solve}] \le \max _{0\le s\le \tau }P(s).$$
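As an added numerical illustration (not code from the paper), the Python below evaluates the bounds derived in Appendix A (the soundness error \(\varepsilon\) and the \(\alpha\)-free extractor call count) and Appendix C (the Experiment 2-4 collision terms and \(\max_s P(s)\)); \(P(s)\) is computed in the log domain because \(q^{-n\tau}\) and \(N^{-\tau}\) underflow double precision. The parameter values \(q, n, N, \tau, \lambda\) and the query counts are constructed for the demonstration and are not the paper's parameter sets; \(\varepsilon_{\textrm{PRG}}\) and \(\varepsilon_{\textrm{MR}}\) stay symbolic and are left for the caller to add.

```python
"""Numerical evaluation of the bounds in Appendices A and C.

The demo parameters below are constructed, NOT the paper's parameter sets.
"""
import math
from fractions import Fraction


def soundness_error(q, n, N):
    """epsilon = 1/q^n + (1 - 1/q^n) * 1/N, the bound reached in Appendix A."""
    p_fp = Fraction(1, q ** n)            # false-positive probability (Proposition 2)
    return p_fp + (1 - p_fp) * Fraction(1, N)


def extractor_calls(eps_tilde, eps):
    """alpha-free upper bound on the average number of calls of E to P~ (Appendix A)."""
    gap = float(eps_tilde) - float(eps)
    if gap <= 0:
        raise ValueError("extraction needs eps_tilde > eps")
    return (4.0 / gap) * (1.0 + float(eps_tilde) * 2.0 * math.log(2) / gap)


def log_one_minus_pow(lp, k):
    """log(1 - (1-p)^k) given lp = log(p); stable for p ~ q^(-n*tau) and k ~ 2^64."""
    if lp > -30.0:
        one_minus_p = -math.expm1(lp)      # 1-p without cancellation when p ~ 1
        if one_minus_p <= 0.0:
            return 0.0                     # p == 1, so the bound is 1
        return math.log(-math.expm1(k * math.log(one_minus_p)))
    y = math.log(k) + lp                   # log(k*p); here (1-p)^k ~ exp(-k*p)
    if y < -30.0:
        return y                           # 1 - exp(-k*p) ~ k*p
    return math.log(-math.expm1(-math.exp(y)))


def forgery_bound_log2(q, n, N, tau, q1, q2):
    """log2 of max_s P(s), the bound on Pr_6[Forge and not Solve] (Appendix C)."""
    log_qn_inv = -n * math.log(q)                        # log(1/q^n)
    log_not_fp = math.log1p(-math.exp(log_qn_inv))       # log(1 - 1/q^n)
    log_n_inv = -math.log(N)                             # log(1/N)
    best = -math.inf
    for s in range(tau + 1):
        log_binom = (math.lgamma(tau + 1) - math.lgamma(s + 1)
                     - math.lgamma(tau - s + 1))         # log C(tau, s)
        log_pb = s * log_qn_inv + (tau - s) * log_not_fp + log_binom   # P_b(s)
        log_pab = (tau - s) * log_n_inv                                 # P_{a,b'}(s)
        log_ps = (log_one_minus_pow(log_pb, q1)           # 1 - (1 - P_b)^q1
                  + log_one_minus_pow(log_pab, q2))       # 1 - (1 - P_{a,b'})^q2
        best = max(best, log_ps)
    return best / math.log(2)


def euf_cma_numeric_terms_log2(q, n, N, tau, lam, q0, q1, q2, qs):
    """log2 of the sum of the numeric EUF-CMA terms (Experiments 2, 3, 4 and 6).

    tau*qs*eps_PRG (Experiment 5) and eps_MR (Solve) are symbolic in the proof
    and must be added by the caller.
    """
    def log2_ratio(num, den_bits):         # log2(num / 2^den_bits), num a big int
        return math.log2(num) - den_bits

    terms = [
        log2_ratio((q0 + tau * N * qs) ** 2, 2 * lam + 1),   # Hash_0 collisions
        log2_ratio(qs * (q1 + q2), 2 * lam),                 # salt reuse, Hash_1/Hash_2
        log2_ratio(qs * (qs + q0), 2 * lam),                 # salt reuse, Hash_0
        forgery_bound_log2(q, n, N, tau, q1, q2),            # max_s P(s)
    ]
    m = max(terms)                         # log-sum-exp to avoid underflow
    return m + math.log2(sum(2.0 ** (t - m) for t in terms))


if __name__ == "__main__":
    # Constructed demo parameters; not the paper's parameter sets.
    q, n, N, tau, lam = 16, 16, 256, 28, 128
    Q = 2 ** 64                            # assumed query budget per oracle
    eps = soundness_error(q, n, N)
    print("log2(soundness error):", math.log2(eps.numerator) - math.log2(eps.denominator))
    print("extractor calls for eps~ = 2*eps:", extractor_calls(2 * eps, eps))
    print("log2(max_s P(s)):", forgery_bound_log2(q, n, N, tau, Q, Q))
    print("log2(numeric EUF-CMA terms):",
          euf_cma_numeric_terms_log2(q, n, N, tau, lam, Q, Q, Q, Q))
```

With the constructed parameters the \(\textrm{Hash}_0\) collision term of Experiment 2 dominates the numeric part of the bound, which is why the signature's salt and commitment hash width \(2\lambda\) matter as much as \(\tau\) and N.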

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Adj, G., Rivera-Zamarripa, L., Verbel, J. (2023). MinRank in the Head. In: El Mrabet, N., De Feo, L., Duquesne, S. (eds) Progress in Cryptology - AFRICACRYPT 2023. AFRICACRYPT 2023. Lecture Notes in Computer Science, vol 14064. Springer, Cham. https://doi.org/10.1007/978-3-031-37679-5_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37678-8

  • Online ISBN: 978-3-031-37679-5
