\(\textsf{ReSolveD} \): Shorter Signatures from Regular Syndrome Decoding and VOLE-in-the-Head

Abstract

We present \(\textsf{ReSolveD} \), a new candidate post-quantum signature scheme under the regular syndrome decoding (RSD) assumption for random linear codes, which is a well-established variant of the well-known syndrome decoding (SD) assumption. Our signature scheme is obtained by designing a new zero-knowledge proof for proving knowledge of a solution to the RSD problem in the recent VOLE-in-the-head framework using a sketching scheme to verify that a vector has weight exactly one. We achieve a signature size of 3.99 KB with a signing time of 27.3 ms and a verification time of 23.1 ms on a single core of a standard desktop for a 128-bit security level. Compared to the state-of-the-art code-based signature schemes, our signature scheme achieves \(1.5{\times }\)–\(2{\times }\) improvement in terms of the common “signature size + public-key size” metric, while keeping the computational efficiency competitive.

1 Introduction

Zero-knowledge (ZK) proof is an important cryptographic tool that enables a prover to convince a verifier of the validity of a statement without revealing any further information. ZK proofs find a lot of applications in various contexts, e.g., secure multi-party computation (MPC), machine learning, and blockchain. Using the Fiat-Shamir heuristic [28], we can transform public-coin zero-knowledge proofs into signature schemes. In particular, this is the main approach to building code-based signature schemes. The recent call of NIST for standardizing post-quantum signatures expressed its primary interest in additional signature schemes that are not based on structured lattices [44], which promotes the research of non-lattice-based signature schemes, particularly code-based signatures.

The well-known syndrome decoding (SD) problem over a binary field \(\mathbb F _2\) asks, given a matrix \(\textbf{H} \in \mathbb {F}_2^{(m-k) \times m}\) and a target vector \({\boldsymbol{y}}\in \mathbb {F}_2^{m-k}\), to recover a noise vector \({\boldsymbol{e}}\in \mathbb {F}_2^m\) such that \(\textbf{H}\cdot {{\boldsymbol{e}}}={{\boldsymbol{y}}}\) for some sparse \({{\boldsymbol{e}}}\) of exact weight \(w\ll m\). The worst-case SD problem in certain parameter regimes is known to be NP-hard [6, 13], and its average-case analogue is one of the most promising assumptions for post-quantum cryptography. In the seminal work from three decades ago, Stern [51] introduced the first zero-knowledge proof to prove knowledge of a solution to the SD problem. However, the communication cost is significant due to the high soundness error, and thus the signature size would be very large (i.e. about 37 KB for 128-bit security), when being compiled using the Fiat-Shamir transform. Since then, a few prior works (e.g., [2, 20, 29, 41, 52]) optimized Stern’s protocol, but the communication cost is still high. To avoid the issue of high soundness error, subsequent code-based signature schemes resort to different code-based problems, e.g., (a) LESS (and some subsequent improvements) [5, 14, 47] adopts the linear/permutation code equivalence problem, and (b) Durandal [3] depends on the rank SD problem over \(\mathbb F _{2^m}\). Recently, based on the SD problem, the works [1, 15, 18, 26, 27, 30, 42] obtain significantly lower soundness errors by building zero-knowledge proofs based on the MPC-in-the-head paradigm [35], and achieve the best efficiency for now in terms of the common “signature size + public-key size” metric. We summarize the efficiency and assumptions of recent code-based signature schemes in Table 1. Among these schemes, Wave [22] is the only signature scheme that departs from the line that transforms zero-knowledge proofs with Fiat-Shamir. Instead, Wave adopts the hash-and-sign paradigm that depends on the existence of a code-based trapdoor permutation, which leads to a very large size of public keys. Wave achieves smaller signature sizes but relies on a non-standard code-based assumption. For the common “signature size + public-key size” metric, the Fiat-Shamir-based schemes still offer better performance.

In this work, we focus on designing a new code-based signature scheme under the regular syndrome decoding (RSD) assumption [4], a well-established variant of the well-known SD assumption. Specifically, RSD is the same as SD, except for requiring that the noise vector \({\boldsymbol{e}}\) is regular, i.e., \({\boldsymbol{e}}\in \mathbb F _2^m\) is divided into w consecutive blocks of length m/w, where each block has exactly one noisy coordinate. Recent works [26, 38] presented a reduction from SD to RSD, which builds confidence in the hardness of the RSD problem from a theoretic point of view. Furthermore, the hardness of the RSD problem was thoroughly analyzed by Carozza et al. [18], which gives us more confidence. As far as we know, the regular structure of noises does not lead to significantly better attacks when the code rate is kept large (and thus the recent algebraic attack [17] can be bypassed).

Table 1. Comparison of code-based signature schemes for 128-bit security level. Reported runtimes are extracted from original publications, using a 3.5 GHz Intel Xeon E3-1240 v5 for Wave [22], a 2.8 GHz Intel Core i5-7440HQ for Durandal [3], a 2.1 GHz Intel Core i7-12700 CPU for LESS [47], a 3.8 GHz Intel Core i7 supports AVX2 and AES instructions for [26, 27], a 3.1 GHz Intel Core i9-9990K using AVX2 for [1], an Intel Xeon E-2378 with frequency fixed at 2.6 GHz for [42] and a conservative upper bound assuming a 3.8 GHz CPU for [18]. We benchmarked our \(\textsf{ReSolveD} \)-128 on a Ubuntu 20.04 LTS machine with AMD Ryzen 5 3600 CPU and 16 GB of RAM using AVX2.

1.1 Our Contributions

In this paper, we put forward a new zero-knowledge (ZK) protocol on proving knowledge of a solution to the RSD problem over \(\mathbb F _2\). By using the Fiat-Shamir transform, we compile the zero-knowledge protocol into a code-based signature scheme (called \(\textsf{ReSolveD} \)). Compared to the state-of-the-art code-based signature schemes, \(\textsf{ReSolveD} \) reduces the total size of the signature and public key by a factor of \(1.5{\times }\)–\(2{\times }\), while keeping the signing and verification performance competitive. In Table 1, we compare the efficiency of \(\textsf{ReSolveD} \) with the recent code-based signature schemes at the 128-bit security level. Note that LESS [47] and CF-LESS [21] lack of parameter sets for 128-bit security, instead we use their parameters for NIST category 1 security. While the work [1] describes three variants of their code-based signature scheme, Table 1 only shows the third one that has the best performance among the three. The shortest version of the signature scheme [1] has a signature size that is closest to the first variant of \(\textsf{ReSolveD} \) among prior code-based signature schemes, but the signing and verification timings are more than \(10{\times }\) larger than our scheme. Notice that the shortest version of [1] also offers the smallest size in the “signature + public key” metric. Our second variant achieves \(1.5{\times }\) improvement in terms of that metric with half of the running time. In Sect. 6.2, we also compare \(\textsf{ReSolveD} \) with other kinds of post-quantum signature schemes.

While most code-based signature schemes in the Fiat-Shamir line adopt the MPC-in-the-head framework to design ZK proofs, we construct a ZK proof on RSD problems in the VOLE-in-the-head framework [10]. In the VOLE-in-the-head framework, Baum et al.  present a non-interactive version of the SoftSpokenOT technique [49] to generate information-theoretic message authentication codes (IT-MACs), and then transform a designated-verifier ZK proof based on IT-MACs (e.g., QuickSilver [56]) to a publicly-verifiable ZK proof. Our starting point is to prove knowledge of a solution to the RSD problem using a ZK proof based on IT-MACs, and then transform it to a public-coin ZK proof using the VOLE-in-the-head paradigm. Due to the additive homomorphism and unforgeability of IT-MACs, the equation \(\textbf{H}\cdot {{\boldsymbol{e}}}={{\boldsymbol{y}}}\) is easy to prove. The key point is to prove that \({\boldsymbol{e}}\) is a regular noise with an exact Hamming weight t.

Notice that we can use the approaches implied in previous code-based signature schemes (e.g., [1, 26]) to prove the validity of \({\boldsymbol{e}}\), but fail to obtain a code-based signature scheme with signature size shorter than the state-of-the-art schemes listed in Table 1. This requires us to exploit an approach that has better compatibility with VOLE-in-the-head. In particular, we refine the sketching technique [16], which is used in verifiable function secret sharing (FSS), to prove the constraint on noise \({\boldsymbol{e}}\). Additionally, we adopt the recent half-tree technique [32] to optimize the computation of GGM-based random vector commitments. See Sect. 1.2 for more details of our technique.

1.2 Technical Overview

We give a high-level overview of the technical route underlying the \(\textsf{ReSolveD} \) signature scheme, then we highlight the technical contributions, which include a novel method for validating the noise vector of an RSD problem and the half-tree optimization integrated into the VOLE-in-the-Head framework.

Code-Based Signatures from VOLE-in-the-Head. A canonical paradigm in code-based signatures is to first design a public-coin ZK proof for code-based problems and then apply the Fiat-Shamir transform to make it a signature scheme. While there are multiple choices in the design of ZK proofs, the recent VOLE-in-the-Head framework [10] provides a promising new direction. In particular, within this framework, we can generate IT-MAC relations in a public-coin fashion and then convert designated-verifier ZK (which relies on such relations) into publicly-verifiable ones. Given the rapid development of designated-verifier ZK [7, 8, 11, 23, 24, 53,54,55,56], this inspires us to design a designated-verifier ZK tailored to the RSD problem and convert it into a code-based signature scheme using VOLE-in-the-Head.

In more detail, the IT-MAC generation of VOLE-in-the-Head begins with the prover committing to a series of GGM trees. For each tree, the prover opens all but one leaf node to the verifier, which allows them to generate a small field VOLE correlation with the punctured index as the global key using the technique in SoftSpokenOT [49]. By applying de-randomization and consistency checking [37, 45, 46, 49], the small field VOLE correlations can be aggregated so that the global key size is large enough to ensure the binding property of IT-MAC. Then the generated IT-MAC correlations are utilized by the subsequent designated-verifier ZK protocol.

One caveat of the above process is that to open the GGM-based vector commitment, the prover needs to know the punctured index, which is also the IT-MAC global key. Nevertheless, once the global key is known by the prover, the binding property fails to hold, and so does the soundness of the designated-verifier ZK upon which it relies. The crucial observation in [10, 19] is that since the DVZK proof is public-coin, the vector commitment opening can be postponed until the proof has been completed. In this way, even if the prover learns the global key, it can no longer change the proof messages that have already been sent.

Checking the Noise Vector Using IT-MAC. We introduce the design of IT-MAC-based designated-verifier ZK for the RSD problem. Our starting point is the QuickSilver protocol [56] that provides an efficient method to verify the quadratic relations among multiple IT-MAC authenticated triples. We now explain how the validity check of the RSD noise vector can be streamlined into the verification of multiple quadratic relations, a task in which the QuickSilver protocol excels.

We assume without loss of generality that the public matrix \(\textbf{H}\) is in the systematic form, i.e., \(\textbf{H} = [ \textbf{I} \Vert \mathbf {H_B} ]\) and that the witness is split accordingly as \({\boldsymbol{e}}= [{\boldsymbol{e}}_\textbf{A} \Vert {\boldsymbol{e}}_\textbf{B} ] \). Since IT-MACs are linearly homomorphic, the prover can commit to \({\boldsymbol{e}}_\textbf{B}\) and both parties check the Hamming weight constraint on the “virtual” witness \({\boldsymbol{e}}= [{\boldsymbol{y}}- \mathbf {H_B} \cdot {\boldsymbol{e}}_\textbf{B} \Vert {\boldsymbol{e}}_\textbf{B}]\) to implicitly check the linear constraint.

Instead of relying on polynomials [1, 26] or share-conversions [18] to check the weight constraint, we prove the validity for each noise block by utilizing the sketching technique introduced by Boyle, Gilboa and Ishai [16]. More concretely, when proving the validity of the solution \({{\boldsymbol{e}}} = [{{\boldsymbol{e}}}_0 \Vert {{\boldsymbol{e}}}_1 \Vert \dots \Vert {{\boldsymbol{e}}}_{w-1}]\in \mathbb {F}_2^m\) to a RSD problem, we first define w matrices \(L^i \in \mathbb {F}_{2^\lambda }^{4\times m/w}\) each consisting of four rows for all \(i\in [0,w)\) (i.e., the linear sketches). The first two rows are uniformly sampled and defined as \({{\boldsymbol{r}}}_0^i\), \({{\boldsymbol{r}}}_1^i \leftarrow \mathbb {F}_{2^\lambda }^{m/w}\). The third row is defined as the component-wise product of the first two rows, namely \({{\boldsymbol{r}}}_0^i \circ {{\boldsymbol{r}}}_1^i\). The last row is an all-1 vector. Then we can compute the sketch \(\llbracket z^{i} \rrbracket \) by right-multiplying \(L^i\) with \(\llbracket {{\boldsymbol{e}}}_i\rrbracket \) where \(\llbracket {{\boldsymbol{e}}}_{i}\rrbracket \) is the noise block authenticated using IT-MAC [12, 43].

Finally, the verification procedure checks that the sketch \(z^i=(z_0^i,z_1^i,z_2^i,z_3^i)\) satisfies the condition that \(z_0^i \cdot z_1^i -z_2^i=0\) and \(z_3^i -1 =0\) for all \(i\in [0,w)\). We view the above expression as a degree-2 polynomial in \(r_0^i,r_1^i,\dots ,r_{m/w}^i\) whose coefficients are determined by \({{\boldsymbol{e}}}_i\). Note that if \({{\boldsymbol{e}}}_i\) is not a unit vector, then the condition holds with probability less than \(2/2^{\lambda }\) from Schwartz-Zippel Lemma [50, 59].

Using the sketching technique, we can convert the validity check of each noise block into the verification of a simple multiplication relation. By running the QuickSilver protocol which shows a way to prove low-degree polynomials with very high efficiency, we can reduce all w linear checks to a single check by a random-linear combination. We note that due to the application of the sketching technique, our protocol still outperforms the polynomial-based protocols of [1, 26] even if we replace the MPC-in-the-Head proof with VOLE-in-the-Head.

Half-Tree Optimization. We observe that a large portion of the computational overhead in the VOLE-in-the-Head framework originates from generating the vector commitments. By applying the half-tree technique [32] we can populate the GGM tree with half the number of calls to symmetric-key ciphers in the random permutation model [31]. In VOLE-in-the-Head, the number of GGM trees is linearly correlated with the communication overhead. Therefore, by optimizing the computational complexity in GGM tree generation, we can use fewer but deeper trees, opening more possibilities in the communication-computation trade-off.

1.3 Paper Organization

This paper is organized as follows: In Sect. 2 and Sect. 3, we introduce notations and definitions for necessary background knowledge on regular syndrome decoding problem, VOLE-in-the-Head paradigm and linear sketching technique. We present our more efficient zero-knowledge proof and signature scheme which yields shorter proof and signature size in Sect. 4 and Sect. 5 respectively. To conclude, we provide experimental evaluations of our construction and make comparisons with other state-of-the-art signature schemes in Sect. 6.

2 Preliminaries

2.1 Notation

We use \(\lambda \) to denote the computational security parameter. We use \(\log \) to denote logarithms in base 2. We define \([a,b)=\{a,\dots , b-1\}\) and write \([a,b]=\{a, \dots , b\}\) and \([n] = [1, n]\). We write \(x \leftarrow S\) to denote sampling x uniformly at random from a finite set S. We use \(\{x_i\}_{i \in S}\) to denote the set that consists of all elements with indices in set S. When the context is clear, we abuse the notation and use \(\{x_i\}\) to denote such a set.

We use bold lower-case letters like \({\boldsymbol{a}}\) for column vectors and bold uppercase letters like \(\textbf{A}\) for matrices. We let \(a_i\) denote the i-th component of \({\boldsymbol{a}}\) (with \(a_0\) the first entry) and \({\boldsymbol{a}}[i,j]\) denote the subvector of \({\boldsymbol{a}}\) with indices [i, j]. Let \(\textsf{len}({\boldsymbol{a}})\) be the length of the vector \({\boldsymbol{a}}\). Let \(\textsf{wt}( {\boldsymbol{a}})\) be the Hamming weight of the vector \({\boldsymbol{a}}\) and let \([{\boldsymbol{a}}\Vert {\boldsymbol{b}}]\), \([\textbf{A} \Vert \textbf{B}]\) denote the concatenation of two vectors and matrices, respectively. Let \(\textbf{I}_k\) denote the \(k\times k\) identity matrix and \([1\,...\,1]\) denote the all-one row vector where the dimension is implicit in the context. Let \(\textsf{diag} ({\boldsymbol{a}})\) be the diagonal matrix with the vector \({\boldsymbol{a}}\) on its main diagonal. We use the notation \({\boldsymbol{a}}\circ {\boldsymbol{b}}\) to denote the component-wise multiplication between two vectors \({\boldsymbol{a}}\) and \({\boldsymbol{b}}\).

We consider the regular syndrome decoding problem over \(\mathbb {F}_2\) in this work. Let \(\tau , \tau ' \in \mathbb N \) and fix two monic irreducible polynomials \(f_1(X), f_2(X)\) of degrees \(\tau , \tau '\) respectively. We define \(\mathbb F _{2^{\tau '}} \cong \mathbb {F}_2[X]/f_2(X)\) and \(\mathbb F _{2^{\tau \tau '}} \cong \mathbb F _{2^{\tau '}}[X]/f_1(X)\). Therefore, we can pack \(\tau \) elements in \(\mathbb F _{2^{\tau '}}\) or \(\tau \tau '\) elements in \(\mathbb {F}_2\) into one element in \(\mathbb {F}_{2^\lambda }\). We also require \(\tau \tau ' \ge \lambda \). We list the symbols and their definitions of this paper in Table 2.

Table 2. Symbols and their meanings in this paper.

2.2 Hash Functions

In our protocol, we utilize universal hash functions and circular correlation robust hash functions. Following prior works [31], we define the security requirements in Definition 1 and Definition 2.

Definition 1

A linear \(\epsilon \)-almost universal family of hashes is a family of matrices \(\mathcal {H} \subseteq \mathbb F _{2}^{r \times (n+h)}\) such that for any nonzero \({\boldsymbol{v}}\in \mathbb F _{2}^{n+h}\), \(\Pr _{\textsf{H} \leftarrow \mathcal {H}}[\textsf{H} \cdot {\boldsymbol{v}}= 0] \le \epsilon \). A matrix \(\textsf{H} \) is n-hiding if the distribution \(\textsf{H} \cdot {\boldsymbol{v}}\) is independent of \({\boldsymbol{v}}[0,n)\) for a uniformly random \({\boldsymbol{v}}\leftarrow \mathbb {F}_2^{n+h}\). The hash family \(\mathcal {H} \) is n-hiding if every hash function in this family is n-hiding.

Definition 2

Let \(\textsf{H}:{{\{0,1\}}^{}} ^{\lambda }\rightarrow {{\{0,1\}}^{}} ^\lambda \) be a function. For \(\varGamma \in {{\{0,1\}}^{}} ^\lambda \), define \(\mathcal {O} ^\mathsf{{ccr}}_{\varDelta } (x,b) = \textsf{H} (x \oplus \varGamma ) \oplus b \cdot \varGamma \). We don’t allow the distinguisher to query the same x with both 0 and 1 to avoid the trivial attack. For a distinguisher \(\mathcal {D} \), we define the following advantage

$$ \textsf{Adv}_{\textsf{H}}^\mathsf{{ccr}} := \left| \mathop {\textrm{Pr}}\limits _{\varGamma \leftarrow {{\{0,1\}}^{\lambda }}} [\mathcal {D} ^{\mathcal {O} ^\mathsf{{ccr}}_{\varDelta } (\cdot )}(1^\lambda ) = 1] - \mathop {\textrm{Pr}}\limits _{f \leftarrow \mathcal {F} _{{\lambda +1}, \lambda }} [\mathcal {D} ^{f (\cdot )} (1^\lambda ) = 1] \right| , $$

where \(\mathcal {F} _{\lambda +1, \lambda }\) denotes the set of all functions mapping \((\lambda +1)\)-bit inputs to \(\lambda \)-bit outputs. \(\textsf{H} \) is \((t,q,\epsilon )\)-circular correlation robust if for all \(\mathcal {D} \) running in time t and making at most q queries to the oracle we have \(\textsf{Adv}_{\textsf{H}}^\mathsf{{ccr}} \le \epsilon \).

2.3 Regular Syndrome Decoding

We recall the regular syndrome decoding problem (RSD) where the noise vector is the concatenation of several unit vectors. We inherit the notations from [26] (named d-split syndrome decoding in that paper).

Definition 3

Let m, k, w, d be positive integers such that \(m > k\), \(m > w\) and \(d = w\). The regular noise syndrome decoding problem with parameters (m, k, w, d) is the following problem: Let \(\textbf{H}, {\boldsymbol{e}}\) and \({\boldsymbol{y}}\) be such that:

1. 1.

   \(\textbf{H}\) is uniformly sampled from \(\mathbb {F}_2^{(m - k) \times m},\)

2. 2.

   \({\boldsymbol{e}}\) is uniformly sampled from \( \{ [{\boldsymbol{e}}_0 \Vert ... \Vert {\boldsymbol{e}}_{w-1}] : \forall i \in [0,w), {\boldsymbol{e}}_i \in \mathbb {F}_2^{\frac{m}{w}}, \Vert {\boldsymbol{e}}_i \Vert _0 = 1 \},\)

3. 3.

   \({\boldsymbol{y}}\) is defined as \({\boldsymbol{y}}:= \textbf{H} \cdot {\boldsymbol{e}}\). From \((\textbf{H}, {\boldsymbol{y}})\), find \({\boldsymbol{e}}\).

Systematic Form of RSD. Following previous works [18, 26] we assume without loss of generality that the matrix \(\textbf{H}\) is in the systematic form, i.e., \(\textbf{H} = [\textbf{I}_{m-k} \Vert \mathbf {H_B} ]\). Therefore, in the zero-knowledge protocol, the solution \({\boldsymbol{e}}= [{\boldsymbol{e}}_\textbf{A} \Vert {\boldsymbol{e}}_\textbf{B} ]\) can be compressed into a smaller one \({\boldsymbol{e}}_\textbf{B}\) since the complete witness can be linearly expressed as \({\boldsymbol{e}}= [ {\boldsymbol{y}}- \mathbf {H_B} \cdot {\boldsymbol{e}}_\textbf{B} \Vert {\boldsymbol{e}}_\textbf{B} ]\).

The benefit of this optimization is two-fold. Firstly, by compressing the witness we can reduce the communication complexity of the ZK protocol, and therefore the signature size. Secondly, the linear expression implicitly enforces the constraint that \(\textbf{H} \cdot {\boldsymbol{e}}= {\boldsymbol{y}}\), and thus we only need to check the Hamming weight constraint on the “virtual” vector \({\boldsymbol{e}}= [ {\boldsymbol{y}}- \mathbf {H_B} \cdot {\boldsymbol{e}}_\textbf{B} \Vert {\boldsymbol{e}}_\textbf{B} ]\) in the ZK protocol.

The Hardness of RSD. A number of works studied the hardness of regular syndrome decoding under different parameter regimes [33, 38]. In particular, some recent works utilize the regular noise structure into the state-of-the-art cryptanalysis algorithms of syndrome decoding [17, 18, 25]. To the best of our knowledge, the chosen parameters for our signature scheme lie in a region where the exact relationship between the hardness of RSD and SD remains unclear [25]. In Table 3, we choose parameters such that the RSD solution is unique (\(\left( \frac{m}{w}\right) ^w < 2^{m-k}\)) while the same parameter would lead to multiple solutions if we drop the regularity constraint (\( \left( {\begin{array}{c}m\\ w\end{array}}\right) > 2^{m-k}\)). In this region, the regular structure of noises does not lead to significantly better attacks [17, 18, 25].

Fig. 1.

Functionality for DVZK proofs of authenticated multiplication triples.

2.4 Information-Theoretic Message Authentication Codes

We use information-theoretic message authentication codes (IT-MACs) [12, 43] over \(\mathbb {F}_{2^\lambda }\). Specifically, let \(\varDelta \in \mathbb {F}_{2^\lambda }\) be a global key. We use \( \llbracket x \rrbracket = (\textsf{K}[x], \textsf{M}[x], x)\) to denote that an element \( x \in \mathbb F \) (where \( \mathbb F \in \{\mathbb {F}_2, \mathbb {F}_{2^\lambda }\} \) known by one party can be authenticated by the other party who holds \(\varDelta \) and a local key \(\textsf{K}[x] \in \mathbb {F}_{2^\lambda }\), where a MAC tag \(\textsf{M}[x] = \textsf{K}[x] + x \cdot \varDelta \) is given to the party holding x. For a vector \({\boldsymbol{x}}\in \mathbb {F}_{2^\lambda }^\ell \), we denote by \( \llbracket {\boldsymbol{x}}\rrbracket = (\llbracket x_0 \rrbracket ,...,\llbracket x_{\ell - 1} \rrbracket )\) a vector of authenticated values. For a constant value \(c \in \mathbb {F}_{2^\lambda }\), it is easy to define \(\llbracket c \rrbracket = (-c \cdot \varDelta , 0, c)\). It is well known that IT-MACs are additively homomorphic. That is, given public coefficients \(c_0, c_1, \dots , c_\ell \in \mathbb {F}_{2^\lambda }\), two parties can locally compute \(\llbracket y \rrbracket :=\sum _{i=0}^{\ell - 1} c_i \cdot \llbracket x_i \rrbracket + c_{\ell } .\)

The IT-MAC authenticated value \(\llbracket x \rrbracket \) can be opened by revealing x and \(\textsf{M}[x]\) and the validity can be enforced by checking that \(\textsf{M}[x] = \textsf{K}[x] + x \cdot \varDelta \). The security holds since opening \(\llbracket x \rrbracket \) to any other value \((\textsf{K}[x], \textsf{M}[x'], x')\) is equivalent to guessing the global key since \(\varDelta = (\textsf{M}[x] - \textsf{M}[x']) \cdot (x - x')^{-1}\).

We can open multiple values \(\llbracket x_0 \rrbracket , ..., \llbracket x_{\ell -1} \rrbracket \) in a batch by sending one MAC tag as follows. The sender first reveals \( x'_0,...,x'_{\ell -1} ,\) then using the additive homomorphism of IT-MAC, both parties can define \( \llbracket y_i \rrbracket = \llbracket x_i \rrbracket - x'_i \) for \( i \in [0, \ell ). \) Now it suffices to check that \( \forall i \in [0, \ell ), y_i = 0. \)

For task of checking multiple zero values \(\llbracket y_0 \rrbracket , ..., \llbracket y_{\ell -1} \rrbracket \), we can save communication by opening a random linear combination \(\chi _0 \cdot \llbracket y_0 \rrbracket + ... + \chi _{\ell -1} \cdot \llbracket y_{\ell -1} \rrbracket \). In particular, the sender can only send \(\sum _{i = 0}^{\ell - 1} \chi _i \cdot \textsf{M}[y_i]\) since \(\sum _{i = 0}^{\ell - 1} \chi _i \cdot y_i = 0\) for uniformly random \(\chi _i\leftarrow {\mathbb {F}_{2^\lambda }}\).

Fig. 2.

The zero-knowledge functionality for regular syndrome decoding

2.5 Designated-Verifier Zero-Knowledge for Quadratic Relations

Based on IT-MACs, a family of streamable designated-verifier zero-knowledge (DVZK) proofs with fast prover time and a small memory footprint has been proposed [7, 8, 11, 23, 24, 53,54,55,56]. While these DVZK proofs can prove arbitrary circuits, we only need them to prove a simple multiplication relation for our purpose. Specifically, given a set of authenticated triples \(\{{(}\llbracket x_i \rrbracket , \llbracket y_i \rrbracket , \llbracket z_i \rrbracket {)}\}_{i \in [0, \ell )}\) over \(\mathbb F _{2^\lambda } \), these DVZK protocols can enable a prover \(\mathcal {P}\) to convince a verifier \(\mathcal {V}\) that \(z_i = x_i \cdot y_i \) for all \(i \in [0, \ell )\). This is modeled by an ideal functionality shown in Fig. 1. In this functionality, an authenticated value \(\llbracket x \rrbracket \) is input by two parties \(\mathcal {P}\) and \(\mathcal {V}\), meaning that \(\mathcal {P}\) inputs \((x, \textsf{M})\) and \(\mathcal {V}\) inputs \((\textsf{K}, \varDelta )\). We say that \(\llbracket x \rrbracket \) is valid, if \(\textsf{M}=\textsf{K}+ x \cdot \varDelta \).

QuickSilver. We use the QuickSilver protocol [56] to instantiate \(\mathcal {F}_\textsf{DVZK}\). The benefit of using this protocol is two-fold. Firstly, the protocol is public-coin in the \(\mathcal {F}_\textsf{sVOLE}\)-hybrid model, making it compatible with the VOLE-in-the-Head technique to be explained next. Secondly, the QuickSilver protocol excels at proving many quadratic relations as required in proving the Hamming weight constraint in the RSD problem, which only requires sending \(2\lambda \) bits in total.

We briefly sketch how to prove multiple quadratic constraints in QuickSilver. Suppose the prover wants to prove \(z_i = x_i \cdot y_i\) for \(i \in [0, \ell )\), the verifier samples random challenges \(\chi _0,...,\chi _{\ell -1} \in \mathbb F \) and evaluates the following value using the IT-MAC relation \(\textsf{M}[x] = \textsf{K}[x] + x \cdot \varDelta \).

$$\begin{aligned} \sum _{i \in [0,\ell )} \chi _i \cdot &\left( \textsf{K}[x_i] \cdot \textsf{K}[y_i] + \varDelta \cdot \textsf{K}[z_i] \right) = \sum _{i} \chi _i \cdot (x_i y_i - z_i) \cdot \varDelta ^2 \\ &+ \sum _i \chi _i \cdot (-x_i \textsf{M}[y_i] - y_i \textsf{M}[x_i] + \textsf{M}[z_i]) \cdot \varDelta + \sum _i \chi _i \cdot \textsf{M}[x_i] \textsf{M}[y_i] . \end{aligned}$$

If the quadratic relations hold then this value should be a linear function of \(\varDelta \). To prove this, \(\mathcal {P}\) simply sends the masked coefficients \(c_1, c_0\) of that function to \(\mathcal {V}\), who checks that \(c_1 \cdot \varDelta + c_0\) equals the masked left-hand side.

2.6 The Zero-Knowledge Functionality

We recall the definition of the ideal zero-knowledge functionality in Fig. 2. Looking ahead, we will construct a public-coin designated-verifier zero-knowledge protocol that realizes the functionality \(\mathcal {F}_\mathsf {RSD-ZK}\) in the \(\mathcal {F}_\textsf{sVOLE}\)-hybrid model, which can then be transformed into a publicly-verifiable zero-knowledge protocol using the techniques in [10].

3 VOLE-in-the-Head and Linear Sketching

In this section, we recapture the VOLE-in-the-head technique in [10] as well as the sketching technique of [16] that form the basis of our signature scheme in Sect. 5.

3.1 VOLE-in-the-Head

VOLE-in-the-Head is a technique proposed by Baum et al.  [10] which allows transforming the public-coin designated-verifier zero-knowledge protocols in the VOLE-hybrid model into the publicly verifiable counterparts¹. At the core of this technique is the observation that GGM-style vector commitment can realize an all-but-one random oblivious transfer functionality, which can then be transformed into a VOLE protocol using the technique in SoftSpokenOT [49]. One caveat is that to facilitate the simulation of OT from commitment, the verifier has to send its choice in the clear; Nevertheless, this suffices for a public-coin protocol since the verifier’s action is merely sending public coins and the OT’s output can be delayed to the very end of the protocol.

GGM-Style Vector Commitment. Given a n-level GGM tree, let \(r^{i}_{j}\) denotes the j-th node on the i-th level where \(0 \le i < n\) and \(0 \le j < 2^i\). It’s well-known that if the root node is uniformly random and the tree is generated as \( r^{i+1}_{2j} \Vert r^{i+1}_{2j+1}:= \textsf{PRG} (r^{i}_j) \) for some length-doubling PRG then the leaf nodes are pseudorandom. Moreover, for each leaf node, we can derive a random message and an authenticator. Then all messages can be committed by hashing the authenticators while all but one of them can be opened by presenting the sibling nodes on the punctured path and the authenticator of the punctured message. We model this vector commitment as an ideal functionality \(\mathcal {F}_\textsf{VC}\) in Fig. 3.

Fig. 3.

The ideal vector commitment scheme supporting all-but-one opening.

SoftSpokenOT. Let \(\textsf{PRG}: \mathbb F _2^\lambda \rightarrow \mathbb {F}_2^{n}\) be a pseudorandom generator. SoftSpokenOT [49] utilizes the fact that the all-but-one OT correlation is equivalent to the subfield VOLE correlation over the polynomial-sized extension field \(\mathbb F _{2^{\tau '}}\). Let \(\varDelta \in \mathbb F _{2^{\tau '}}\) be the OT index. The key observation (which is implicit in the classical IKNP protocol) is that by defining \({\boldsymbol{u}}':= \sum _{i \in [0, 2^{\tau '})} \textsf{PRG} (m_i)\), \({\boldsymbol{v}}:= \sum _{i \in [0, 2^{\tau '})} i \cdot \textsf{PRG} (m_i)\), and \({\boldsymbol{w}}':= \sum _{i \in [0, 2^{\ell })} (i + \varDelta ) \cdot \textsf{PRG} (m_i)\), the sender and receiver can locally compute the respective values and the transformation from OT to subfield VOLE can be done non-interactively. Notice that in the expression of \({\boldsymbol{w}}'\), the value \(\textsf{PRG} (m_\varDelta )\) which is unknown to the receiver is multiplied by 0 and the receiver can efficiently compute \({\boldsymbol{w}}'\). Therefore, \({\boldsymbol{w}}'= {\boldsymbol{v}}+ {\boldsymbol{u}}' \cdot \varDelta \).

Since the field \(\mathbb F _{2^{\tau '}}\) need to be enumerated, we require that \(\tau ' = O(\log \lambda )\) (i.e. small-field VOLE). Nevertheless, the VOLE global key needs to contain enough entropy to ensure soundness. Therefore, we need to repeat the base protocol \( \lceil \frac{\lambda }{\tau '} \rceil \) times and apply a consistency checking protocol to ensure that the same vector \({\boldsymbol{u}}\) is used in all small-field VOLE instances (so that the global keys can be concatenated).

In particular, the sender and receiver would run the above small-field VOLE protocol for \( \tau := \lceil \frac{\lambda }{\tau '} \rceil \) times, acquiring \(\llbracket {\boldsymbol{u}}'_0 \rrbracket , ..., \llbracket {\boldsymbol{u}}'_{\tau -1} \rrbracket \), where \({\boldsymbol{u}}'_i \in \mathbb {F}_2^{n+h}\). Then by viewing each row of the concatenated matrix \( \textbf{U}':= [{\boldsymbol{u}}'_0 \Vert ... \Vert {\boldsymbol{u}}'_{\tau -1}]\) as a noisy codeword of the length-\(\tau \) repetition code, as the sender sends the syndrome \(\textbf{C}\) of all the codewords to the receiver. Then the sender corrects the matrix \(\textbf{U}'\) into a structured matrix \(\textbf{U}:= [1\,...\,1]\cdot {\boldsymbol{u}}\) where each row is a repetition codeword while the receiver sets \(\textbf{W} = \textbf{W}' + [0\Vert \textbf{C}] \cdot \textsf{diag} (\boldsymbol{\varDelta })\) where \(\boldsymbol{\varDelta }\) denotes the concatenation of all small-field VOLE global keys. Notice that with the matrix \(\textbf{U}\) being structured, we can transform each row of \(\textbf{W}, \textbf{V}\) as well as \(\boldsymbol{\varDelta }\) as elements in the extension field \(\mathbb F _{2^\lambda } \), which gives the IT-MAC format.

Finally, we need to check that \(\textbf{U}\) is indeed structured. We do this by sacrificing the last h rows of \(\textbf{U}\). In particular, the sender sends \(\tilde{{\boldsymbol{u}}} = \textsf{H} ^\mathsf{{UHF}} \cdot {\boldsymbol{u}}\) and \(\tilde{\textbf{V}} = \textsf{H} ^\mathsf{{UHF}} \cdot \textbf{V}\) for some linear universal hash function \(\textsf{H} ^\mathsf{{UHF}} \in \mathbb F _{2}^{r \times (n + h)}\) while the receiver checks that \(\tilde{\textbf{V}} + \tilde{{\boldsymbol{u}}} \cdot [1\,...\,1] \cdot \textsf{diag} (\boldsymbol{\varDelta }) = \textsf{H} ^\mathsf{{UHF}} \cdot \textbf{W}\).

VOLE-in-the-Head. Now we can put together all the pieces and explain the technique in [10]. Recall that our goal is to transform a designated-verifier zero-knowledge protocol in the VOLE-hybrid model into a publicly verifiable one. We additionally require that the DVZK protocol be public-coin. The transformation proceeds as follows. We state the protocol in the interactive setting but the interaction can be removed using Fiat-Shamir [28].

1. 1.

   The prover locally runs the SoftSpokenOT protocol, instantiating the all-but-one random OT with vector commitment. In particular, the prover generates the GGM trees and sends the commitments to the verifier. Then the prover simulates the SoftSpokenOT protocol, sending the correction syndrome and checking information to the verifier.

2. 2.

   With the IT-MAC correlations from previous step, the parties simulate the zero-knowledge protocol using the previous subfield VOLE correlations.

3. 3.

   When all interactions of the zero-knowledge protocol are completed, the verifier simply sends the VOLE global key \(\varDelta \) to the prover, who then replies with the corresponding vector de-commitment. The verifier then checks that

   1. (a)

      the vector commitment openings are correct;

   2. (b)

      the consistency checks inside SoftSpokenOT are correct;

   3. (c)

      the zero-knowledge verification passes.

If all checks pass then the verifier accepts. Otherwise, it rejects the proof.

Intuitively, since the inner ZK protocol in the \(\mathcal {F}_\textsf{sVOLE}\)-hybrid model is public-coin, the parties can still simulate the protocol before sampling the global key \(\varDelta \), and since the proof information is already sent in step 2, revealing the global key in step 3 does not grant the prover any advantage. In [10], this intuition is characterized by an ideal functionality \(\mathcal {F}_\textsf{sVOLE} ^{p, q, S_\varDelta , \mathcal {C}, \ell , \mathcal {L}}\) where the receiver’s outputs are revealed after the prover commits to its inputs. In this work, we only consider a special case of it, namely we only consider using repetition code and fixing the set \(S_\varDelta \) to be the entire field \(\mathbb F _{2^{\tau '}}\). We recall the functionality in Fig. 4.

Fig. 4.

The subspace VOLE functionality.

3.2 The Linear Sketching Technique

To verify the Hamming weight constraint, we use the linear sketching technique of Boyle et al.  [16]. For general field \(\mathbb F \), given an IT-MAC authenticated vector \(\llbracket {\boldsymbol{u}}\rrbracket \) where \({\boldsymbol{u}}\in \mathbb F ^n\), we can easily check that \(\Vert {\boldsymbol{u}}\Vert _0 = 1\). We first sample two public random vectors \({\boldsymbol{r}}_0, {\boldsymbol{r}}_1 \in \mathbb F ^n\) and define \(z_0,z_1,z_2,z_3\) as follows.

$$ {\boldsymbol{z}}= \begin{bmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \end{bmatrix} = \begin{bmatrix} {\boldsymbol{r}}_0^T \\ {\boldsymbol{r}}_1^T \\ ({\boldsymbol{r}}_0 \circ {\boldsymbol{r}}_1)^T \\ 1\,...\,1 \end{bmatrix} \cdot {\boldsymbol{u}}. $$

Here \(\circ \) denotes the component-wise product between two vectors. Finally, we check that \(z_0 \cdot z_1 = z_2\) and that \(z_3 = 1\). The first check ensures that \( \Vert {\boldsymbol{u}}\Vert _0 \le 1 .\) Conditioned on passing the first check, the second check ensures that \( {\boldsymbol{u}}\) is a unit vector. The second check is straightforward and we will elaborate on the intuition of the first check.

When viewing \( ({\boldsymbol{r}}_0 \circ {\boldsymbol{r}}_1)^T \cdot {\boldsymbol{u}}- \left( {\boldsymbol{r}}_0^T \cdot {\boldsymbol{u}}\right) \cdot \left( {\boldsymbol{r}}_1^T \cdot {\boldsymbol{u}}\right) \) as a multivariate polynomial over \( {\boldsymbol{r}}_0, {\boldsymbol{r}}_1 \), we have that if \(\Vert {\boldsymbol{u}}\Vert _0 > 1 \) then the polynomial is non-zero and has degree of two. Therefore, with the Schwartz-Zippel lemma [50, 59], we can show that the equation \( z_2 = z_0 \cdot z_1\) holds except with probability \( \frac{2}{ | \mathbb F | } \) over the choices of \( r_0,...,r_{n-1} .\) Formally, we have the following lemma by Boyle et al.  [16].

Lemma 1

Let \(\mathbb F \) be any finite field. Suppose \( {\boldsymbol{u}}\in \mathbb F ^n \) is not a unit vector then we have the probability

$$\begin{aligned} \Pr [L \leftarrow \mathcal {L} (\mathbb F, n), {\boldsymbol{z}}= L \cdot {\boldsymbol{u}}: z_0 \cdot z_1 = z_2 \wedge z_3 = 1 ] \le \frac{2}{|\mathbb F |} , \end{aligned}$$

where the distribution \(\mathcal {L} (\mathbb F, n)\) is defined by sampling \({\boldsymbol{r}}_0,{\boldsymbol{r}}_1\leftarrow \mathbb F ^n\) and returning

$$L = \begin{bmatrix} {\boldsymbol{r}}_0^T \\ {\boldsymbol{r}}_1^T \\ ({\boldsymbol{r}}_0 \circ {\boldsymbol{r}}_1)^T \\ 1\,...\,1 \end{bmatrix}.$$

Notice that since IT-MAC is linear homomorphic, we can get the authentication of \({\boldsymbol{z}}\) by evaluating \(\llbracket {\boldsymbol{z}}\rrbracket = L \cdot \llbracket {\boldsymbol{u}}\rrbracket \). Then, we can use the IT-MAC opening operation to check that \(z_3 = 1\) and use QuickSilver to prove that \(z_0 \cdot z_1 = z_2\).

In our protocol, we perform the checking on \({\boldsymbol{u}}\in \mathbb {F}_2\) over the extension field \(\mathbb {F}_{2^\lambda }\) to get negligible soundness error. For RSD over larger fields, we can adapt the above method to prove that the non-zero element is equal to an arbitrary value in the field. Nevertheless, we focus on RSD over \(\mathbb {F}_2\) in this work and using the above sketching technique is sufficient.

4 Designated-Verifier ZK from Linear Sketching

In this section, we present an efficient zero-knowledge proof for the RSD problem in the \(\mathcal {F}_\textsf{sVOLE}\)-hybrid model and give a security proof for its soundness and zero-knowledge property.

Fig. 5.

The ZK protocol for syndrome decoding based on linear sketch in the \(\mathcal {F}_\textsf{sVOLE}\)-hybrid model.

4.1 Protocol Description

Since we may view the matrix \(\textbf{H}\) in its systematic form and therefore implicitly enforce the linear constraint, we can turn our focus to proving the Hamming weight constraint. Using the linear sketching technique [16] we can check that the segment of the witness vector has a Hamming weight of exactly 1 by verifying a quadratic relation and performing an IT-MAC opening. Using the QuickSilver protocol, we can prove all w quadratic relations corresponding to the entire witness vector in a batch using a random linear combination, with essentially the same communication cost as proving one quadratic relation. The cost of w openings can also be reduced using another random linear combination. We describe the protocol in detail in Fig. 5 and prove its security in the next subsection.

4.2 Security Proof

We prove that the protocol \(\varPi _\mathsf {RSD-DVZK}\) is an honest verifier zero-knowledge protocol for regular syndrome decoding in the \(\mathcal {F}_\textsf{sVOLE}\)-hybrid model in Theorem 1. Our proof is a straightforward extension of the proof in [10]. The only difference is that we use the linear sketch technique from [16] to check the validity of the witness vector.

Theorem 1

The protocol \(\varPi _\mathsf {RSD-DVZK}\) realizes the functionality \(\mathcal {F}_\mathsf {RSD-ZK}\) in the \(\mathcal {F}_\textsf{sVOLE}\)-hybrid model. The security holds against a malicious prover or a semi-honest verifier and the soundness error in the former case is bounded by \(\frac{7}{2^\lambda }\).

Proof

Correctness of the proof follows by definition. In the following, we construct simulators for the malicious prover and verifier cases to argue soundness and zero-knowledge properties respectively.

Malicious Prover. The simulator \({\mathcal {S} _{\mathcal {P}}} \) is constructed as follows.

1. 1.

   \({\mathcal {S} _{\mathcal {P}}} \) simulates the (init) command of the functionality \(\mathcal {F}_\textsf{sVOLE}\) by receiving the \({\boldsymbol{u}}, \textbf{V}\) values from \({{\mathcal {A}_{}}} \). It also receives the difference vector \({\boldsymbol{d}}\) and recovers the witness \({\boldsymbol{e}}_\textbf{B} = {\boldsymbol{d}}+ {\boldsymbol{u}}[0,k)\). Let \({\boldsymbol{e}}= [{\boldsymbol{y}}- \mathbf {H_B} \cdot {\boldsymbol{e}}_\textbf{B} \Vert {\boldsymbol{e}}_\textbf{B} ]\). \({\mathcal {S} _{\mathcal {P}}} \) sends message (input, \({\boldsymbol{e}}\)) to the functionality \(\mathcal {F}_\mathsf {RSD-ZK}\).

2. 2.

   \({\mathcal {S} _{\mathcal {P}}} \) samples the random challenges \(L^{(i)}\) for \(i \in [0,w)\) and \(\boldsymbol{\chi }^{\textsf{QS}}, \boldsymbol{\chi }^{\textsf{open}} \leftarrow \mathbb {F}_{2^\lambda }^{w}\) and sends them to the adversary.

3. 3.

   \({\mathcal {S} _{\mathcal {P}}} \) receives the QuickSilver proof messages \(m_0^{\textsf{QS}}, m_1^{\textsf{QS}}, m_0^{\textsf{open}}\) from the adversary.

4. 4.

   \({\mathcal {S} _{\mathcal {P}}} \) simulates the (get) command of \(\mathcal {F}_\textsf{sVOLE}\) and the QuickSilver checking phase. In particular, \({\mathcal {S} _{\mathcal {P}}} \) sends \(\bot \) to the ideal functionality in the following two cases.

   • Let \({\boldsymbol{e}}= [{\boldsymbol{e}}_0 \Vert ... \Vert {\boldsymbol{e}}_{w-1}]\). There exists \(i \in [0,w)\) s.t. \(\Vert {\boldsymbol{e}}_i \Vert _0 \ne 1\) or \( \Vert {\boldsymbol{e}}_i \Vert _0 = 1\) but the non-zero element is not 1.

   • Let \(e_0^{\textsf{QS}} = \textsf{M}[u^{\textsf{QS}}] + \sum _{i \in [0,w)} \chi ^{\textsf{QS}}_{i} \cdot \textsf{M}[z^{(i)}_0] \cdot \textsf{M}[z^{(i)}_1] - m_0^{\textsf{QS}}\) and \(e_1^{\textsf{QS}} = u^{\textsf{QS}} + \sum _{i \in [0,w)} \chi ^{\textsf{QS}}_{i} \cdot (z_0^{(i)} \cdot \textsf{M}[z_1^{(i)}] + z_1^{(i)} \cdot \textsf{M}[z_0^{(i)}] - \textsf{M}[z_2^{(i)}]) - m_1^{\textsf{QS}} \) be the errors in the QuickSilver messages while \(e_0^{\textsf{open}} = \sum _{i \in [0,w)} \chi ^{\textsf{open}}_{i} \cdot \textsf{M}[z^{(i)}_3] - m_0^\textsf{open}\) be the error in the opening message. We have \(e_0^{\textsf{QS}} \ne 0\) or \(e_1^{\textsf{QS}} \ne 0\) or \(e_0^{\textsf{open}} \ne 0\).

   Otherwise, \({\mathcal {S} _{\mathcal {P}}} \) sends \(\textsf{continue} \) to the ideal functionality.

Since the protocol is public-coin, the simulation of the verifier’s messages is identically distributed with the interaction of the real verifier. Now we analyze the soundness error, which captures the difference between the abort probability of the real case and the ideal case. If the verifier in the real world rejects, then either the relation does not hold (i.e. the witness has too large or zero Hamming weight) or the QuickSilver messages are malformed. In both cases, the ideal verifier also rejects the proof.

Now we focus on the case where the real verifier accepts while the simulator rejects. If the extracted witness \({\boldsymbol{e}}\) does not satisfy the Hamming weight constraint, then by Lemma 1 we conclude that except with probability \(\frac{2}{2^\lambda }\) there exists at least one index \(i \in [0,w)\) such that the quadratic relation \(z^{(i)}_0 \cdot z^{(i)}_1 = z^{(i)}_2\) and \(z^{(i)}_3 = 1\) does not hold. In this case, we can re-write the real verifier’s first acceptance condition as follows.

$$\begin{aligned} m_0^{\textsf{QS}} + m_1^{\textsf{QS}} \cdot \varDelta &= \textsf{K}[u^{\textsf{QS}}] + (\sum _{i \in [0,w)} \chi ^{\textsf{QS}}_{i} \cdot (z_0^i \cdot z_1^i - z_2^i)) \cdot \varDelta ^2 \\ &+ \sum _{i \in [0,w)} \chi ^{\textsf{QS}}_{i} \cdot (z_0^i \cdot \textsf{M}[z_1^i] + z_1^i \cdot \textsf{M}[z_0^i] + \textsf{M}[z_2^i]) \cdot \varDelta \\ &+ \sum _{i \in [0,w)} \chi ^{\textsf{QS}}_{i} \cdot \textsf{M}[z^i_0] \cdot \textsf{M}[z^i_1] \end{aligned}$$

Since the \(\boldsymbol{\chi }^{\textsf{QS}}\) challenge is sampled uniformly at random and independent from other randomness, except with probability \(\frac{1}{2^\lambda }\) the quadratic term of the above equation is non-zero. In this case, there exists at most two solutions to the equation. Since \(\varDelta \) is sampled uniformly at random and independent from other randomness, the equation holds with at most \(\frac{2}{2^{\lambda }}\) probability.

Moreover, if \(z_3^{(i)} \ne 1\) for some \(i \in [0,w)\), since \(\boldsymbol{\chi }^{\textsf{open}}\) is uniformly random over \(\mathbb {F}_{2^\lambda }^{w}\), the equality \(\sum _{i \in [0,w)} \chi ^{\textsf{open}}_{i} \cdot z_3^{(i)} = \sum _{i \in [0,w)} \chi ^{\textsf{open}}_{i}\) holds except with \(\frac{1}{2^\lambda }\) probability. Assuming the equality does not hold, the adversary can pass the check except it correctly guesses the \(\varDelta \) value, which happens except with \(\frac{1}{2^\lambda }\) probability. Using the union bound, we conclude that the soundness error is upper bounded by \(\frac{7}{2^\lambda }\).

Semi-Honest Verifier. The simulator \({\mathcal {S} _{\mathcal {V}}} \) is constructed as follows.

1. 1.

   \({\mathcal {S} _{\mathcal {V}}} \) simulates the (init) command of the functionality \(\mathcal {F}_\textsf{sVOLE}\) and receives the messages \(\boldsymbol{\varDelta }\) and \(\textbf{W}'\) from the adversary. Then it samples \({\boldsymbol{d}}\leftarrow \mathbb {F}_2^{k}\) and sends it to the adversary.

2. 2.

   \({\mathcal {S} _{\mathcal {V}}} \) receives the random challenges \(L^{(i)}\) for \(i \in [0,w)\) and \(\boldsymbol{\chi }^{\textsf{QS}}, \boldsymbol{\chi }^{\textsf{open}} \in \mathbb {F}_{2^\lambda }^{w}\) from the adversary.

3. 3.

   \({\mathcal {S} _{\mathcal {V}}} \) samples a random value \(m_1^{\textsf{QS}} \leftarrow \mathbb {F}_{2^\lambda }\) and computes \(m_0^{\textsf{QS}} = \textsf{K}[u^{\textsf{QS}}] + \sum _{i \in [0,w)} \chi _i^{\textsf{QS}} \cdot (\textsf{K}[z_0^{(i)}] \cdot \textsf{K}[z_1^{(i)}] + \varDelta \cdot \textsf{K}[z_2^{(i)}]) - m_1^{\textsf{QS}} \cdot \varDelta \). It also prepares \(m_0^{\textsf{open}} = \sum _{i \in [0,w)} \chi ^{\textsf{open}}_{i} \cdot (\textsf{K}[z^{(i)}_3] + \varDelta )\). It sends \(m_0^{\textsf{QS}}, m_1^{\textsf{QS}}, m_0^{\textsf{open}}\) to the adversary.

4. 4.

   \({\mathcal {S} _{\mathcal {V}}} \) simulates the (get) command of \(\mathcal {F}_\textsf{sVOLE}\) by sending \(\boldsymbol{\varDelta }, \textbf{W}'\) to the adversary.

Notice that we only argue for security against a semi-honest adversary. Due to the masking of \({\boldsymbol{u}}[0,k)\), the message \({\boldsymbol{d}}\) is uniformly random in the view of the adversary. Also due to the masking of \({\boldsymbol{u}}[k,k+\lambda )\), the message \(m_1^{\textsf{QS}}\) is also uniformly random. Moreover, the messages \(m_0^{\textsf{QS}}, m_0^{\textsf{open}}\) can be deterministically evaluated using \(\varDelta , {\boldsymbol{d}}, \{ L^{(i)} \}, \boldsymbol{\chi }^{\textsf{QS}}, \boldsymbol{\chi }^{\textsf{open}}, \textbf{W}', m_1^{\textsf{QS}}\). Therefore, we conclude that the adversary’s view is identical between the simulated case and the real case.

5 \(\textsf{ReSolveD} \): Shorter Signatures from RSD and VOLEitH

We apply the generic transformation in [10] to convert the public-coin protocol \(\varPi _\mathsf {RSD-DVZK}\) in the \(\mathcal {F}_\textsf{sVOLE}\)-hybrid model into a publicly-verifiable zero-knowledge proof \(\varPi _\mathsf {RSD-PVZK}\). Then we apply the Fiat-Shamir transform and present \(\textsf{ReSolveD} \), a post-quantum digital signature scheme from RSD and VOLE-in-the-Head. We present the signature scheme in Fig. 6.

Fig. 6.

The \(\textsf{ReSolveD} \) signature scheme. We assume that the unary form of the security parameter \( \lambda \) is the implicit input of all three algorithms.

5.1 Signature Description

We describe the protocol \(\varPi _\mathsf {RSD-PVZK}\) in Fig. 8. We apply the half-tree optimization [32] when constructing the vector commitment scheme, which we recall in Fig. 7 and prove its security in Lemma 2. Notice that in this construction, we utilize the circular correlation robustness property which is usually instantiated in the ideal cipher model [31], of which we recall a simplified version in Definition 2.

Fig. 7.

The correlated GGM tree construction.

Lemma 2

Let \(G_1, G_2\) be two random oracles and \(\textsf{H} \) be a (\(t, q, \epsilon \))-circular correlation robust hash function. Then the vector commitment scheme \(\varPi _\mathsf {VC-cGGM}\) (Fig. 7) securely implements the vector commitment functionality \(\mathcal {F}_\textsf{VC}\) (Fig. 3).

Proof

The protocol correctness follows by definition. Now we argue security against a malicious \(\mathcal {P}\) and \(\mathcal {V}\) respectively.

Malicious Prover. The simulator \({\mathcal {S} _{\mathcal {P}}} \) receives the commitment com from the adversary and then recovers the hashed values \(\{ \texttt{com} _i \}_{i \in [0,N)}\) and \( \{ r^{\tau '}_i \}_{i \in [0,N)}\) from the random oracle queries and send \( \{ m_i \}_{i \in [0,N)}\) to \(\mathcal {F}_\textsf{VC}\) where \( (m_i, \texttt{com} _i) = G(r^{\tau '}_i)\) for \(i \in [0,N)\).

For the (get, \(\alpha \)) command, \({\mathcal {S} _{\mathcal {P}}} \) receives the de-commitment information \(\texttt{decom} _\alpha = \{ K_{\bar{\alpha }_i}^i \}_{i \in [1,\tau ']}\) from the adversary and runs the checking procedures of the verifier. If the check fails then it sends \(\bot \) to \(\mathcal {F}_\textsf{VC}\).

Unless there exists a collision in the random oracle queries, then the ideal execution successfully extracts the committed messages. The collision probability is upper bounded by \(\frac{Q}{2^\lambda }\) where Q is the number of random oracle queries from by \(\mathcal {A}_{}\).

Malicious Verifier. The simulator \({\mathcal {S} _{\mathcal {V}}} \) samples \(\texttt{com} \leftarrow {{\{0,1\}}^{\lambda }} \) and sends it to \(\mathcal {A}_{}\) to simulate (commit). For the (get, \(\alpha \)) command, the simulator samples \( K_{\bar{\alpha }_i}^i \leftarrow {{\{0,1\}}^{\lambda }} \) for \(i \in [1,\tau ']\), \(\texttt{com} _{\alpha } \leftarrow {{\{0,1\}}^{\lambda }} \) and sends them to \(\mathcal {A}_{}\). Then it receives the \( \{ m_i \}_{i \in [0,N), i \ne \alpha }\) message from \(\mathcal {F}_\textsf{VC}\) and programs the random oracle such that when evaluating the leaf nodes \(r^{\tau '}_i\) for \(i \in [0,N), i \ne \alpha \) the verification process would pass.

We argue indistinguishability via a hybrid argument.

• \(\mathbf {Hybrid_{1}}\). This is the real distribution of a malicious verifier.

• \(\mathbf {Hybrid_{2}}\). In this hybrid, we sample \( \texttt{com} _\alpha \) uniformly at random and update \( \texttt{com} = G_2 (\texttt{com} _0,...,\texttt{com} _{N-1} )\) accordingly. Since \( G_2 \) is a random oracle, the only way that an adversary can distinguish between \(\mathbf {Hybrid_{1}}\) and \(\mathbf {Hybrid_{2}}\) is by querying the pre-image of \( \texttt{com} _\alpha \) in \(\mathbf {Hybrid_{1}}\), which implies extracting \( \varGamma \) and contradicts the CCR security of \( \textsf{H} \).

• \(\mathbf {Hybrid_{3}}\). In this hybrid, we sample \( \{K^i_{\bar{\alpha }_i}\}_{i \in [1,\tau ']} \) uniformly at random. We show in Lemma 3 that the adversary’s advantage can be bounded by the CCR security of \( \textsf{H} \).

• \(\mathbf {Hybrid_{4}}\). This is the ideal distribution, which is identical to \(\mathbf {Hybrid_{3}}\).

Lemma 3

The advantage of distinguishing \(\mathbf {Hybrid_{2}}\) and \(\mathbf {Hybrid_{3}}\) in the proof of Lemma 2 can be bounded by the circular correlation robustness of the hash function \( \textsf{H} \).

Proof

We can sample the adversary’s view using an oracle \(\mathcal {O} (\cdot ) \) such that the view corresponds to \(\mathbf {Hybrid_{2}}\) (resp. \(\mathbf {Hybrid_{3}}\)) if \(\mathcal {O} \) is the real oracle \( \mathcal {O} ^{\textsf{ccr}}_{\varGamma } \) (resp. the ideal oracle \( f \)) as follows.

• For \( i = 1 \), we sample \( K^1_{\bar{\alpha }_1 }\) uniformly at random.

• For \( i \in [2,\tau '] \) we compute

  $$ K^i_{\bar{\alpha }_i} = {\left\{ \begin{array}{ll} \mathcal {O} (\bigoplus \nolimits _{j=1}^{i-1} K^{j}_{\bar{\alpha }_{j}}, 0) &{} \text { if } \bar{\alpha }_i = 0, \\ \mathcal {O} (\bigoplus \nolimits _{j=1}^{i-1} K^{j}_{\bar{\alpha }_{j}}, 1) \bigoplus \nolimits _{j=1}^{i-1} K^{j}_{\bar{\alpha }_{j}} &{} \text { if } \bar{\alpha }_i = 1. \end{array}\right. } $$

• Sample \( \texttt{com} _\alpha \) uniformly at random and compute \(\texttt{com} = G_2 (\texttt{com} _0,...,\texttt{com} _{N-1})\).

Notice that if \( \mathcal {O} \) is a random function then the output distribution is \(\mathbf {Hybrid_{3}}\) whereas if \( \mathcal {O} = \mathcal {O} ^{\textsf{ccr}}_{\varGamma } (\cdot ) \) then we have if \( \bar{\alpha }_i = 0 \) then

$$\begin{aligned} K^i_{\bar{\alpha }_i} &= \textsf{H} (\bigoplus _{j=1}^{i-1} K^{j}_{\bar{\alpha }_{j}}) \\ &= \textsf{H} (r^{i-1}_{\alpha _{i-1} \Vert ... \Vert \alpha _1}) \end{aligned}$$

And if \( \bar{\alpha }_i = 1 \) then

$$\begin{aligned} K^i_{\bar{\alpha }_i} &= \textsf{H} (\bigoplus _{j=1}^{i-1} K^{j}_{\bar{\alpha }_{j}}) \oplus \varDelta \oplus \bigoplus _{j=1}^{i-1} K^{j}_{\bar{\alpha }_{j}} \\ &= \textsf{H} (r^{i-1}_{\alpha _{i-1} \Vert ... \Vert \alpha _1}) \oplus r^{i-1}_{\alpha _{i-1} \Vert ... \Vert \alpha _1}, \end{aligned}$$

which is the same as in \(\mathbf {Hybrid_{2}}\).

Remark 1

We note that the construction of CCR hash functions in the random permutation model [31] requires a permutation on \(\lambda \)-bit strings. For some block ciphers (e.g. AES-128) the offered security level matches the block size and we can model the block cipher as a random permutation and apply the construction in [31]. Whereas other block ciphers with \( \lambda \)-bit security level do not provide a permutation on \( \lambda \)-bit strings (e.g. AES-192 and AES-256 has block size of \(128\) bits despite having higher security levels.) In this case, we use the standard GGM tree construction based on length-doubling PRG. We leave the efficient construction of CCR hash functions at the security level beyond 128 from standard symmetric primitives in the latter case (e.g. AES-192 and AES-256) as a future work.

Fig. 8.

The publicly verifiable zero-knowledge protocol for regular syndrome decoding.

5.2 Security Proof

We state the security of our protocol \(\varPi _\mathsf {RSD-PVZK}\) under Fiat-Shamir transformation in Theorem 2. Since we prove the protocol \(\varPi _\mathsf {VC-cGGM}\) securely realizes the vector commitment functionality \(\mathcal {F}_\textsf{VC}\) in Lemma 2, the security proof of the conversion from designated-verifier zero-knowledge (Fig. 5) to the non-interactive zero-knowledge is identical to the work of [10], we omit it in this paper.

Theorem 2

Let \(\textsf{PRG}:{{\{0,1\}}^{\lambda }} \rightarrow \mathbb {F}_2^{n}\) be a pseudorandom generator, the zero-knowledge protocol \(\varPi _\mathsf {RSD-PVZK}\), after Fiat-Shamir transformation, is a zero-knowledge non-interactive proof system in the random oracle model.

5.3 Communication

We theoretically estimate the communication cost of \(\varPi _\mathsf {RSD-PVZK}\). Firstly, during the inner protocol \(\varPi _\mathsf {RSD-DVZK}\) the prover needs to send \({\boldsymbol{d}}\) and \(m_0^{\textsf{QS}}, m_1^{\textsf{QS}}, m_0^{\textsf{open}}\), which takes k elements in \(\mathbb {F}_2\) and 3 elements in \(\mathbb {F}_{2^\lambda }\) respectively.

Moreover, during the simulation of the \(\mathcal {F}_\textsf{sVOLE}\) setup, the prover needs to run \(\tau \) instances of the vector commitment protocol \(\varPi _\mathsf {VC-cGGM}\), each of which the communication cost is \( (\tau ' + 4) \cdot \lambda \) bits. Then, in SoftSpokenOT the prover needs to send the de-randomization matrix \(\textbf{C}\) as well as the checking information \(\tilde{{\boldsymbol{u}}}, \tilde{\textbf{V}}\), which takes \((\tau - 1) \cdot (k + \lambda + h)\) elements in \(\mathbb {F}_2\), r elements in \(\mathbb {F}_2\) and \(r \cdot \tau \) elements in \(\mathbb F _{2^{\tau '}}\) respectively.

Optimizations. We can use some existing techniques in the literature to optimize communication [9, 18]. We list three main optimizations as follows.

• When running \(\tau \) instances of \(\varPi _\mathsf {VC-cGGM}\) the commitment message \(\texttt{com} \) can be combined by hashing all the leaf nodes across \(\tau \) binary trees at once, saving \(2\lambda \cdot (\tau - 1)\) bits of communication.

• Since in the RSD witness all elements in a block XOR to 1, the prover can commit to the first \(\frac{m}{w} - 1\) coordinates of each block and linearly express the remaining element. Thus, we can reduce the witness length by a ratio of \(\frac{w}{m}\).

• The values \(\tilde{\textbf{V}}, m_0^{\textsf{QS}}, m_0^{\textsf{open}} \) can be computed by the verifier and therefore to check for equality, it suffices for the prover to send a hash of those values.

Taking into account all the optimizations outlined above, we conclude the theoretical estimate of the communication of \(\varPi _\mathsf {RSD-PVZK}\) as follows.

$$\begin{aligned} \text {Comm} &= \underbrace{\left( (1 - \frac{w}{m}) k + \lambda + h \right) \cdot (\tau - 1)}_{ \textbf{C} } + \underbrace{r}_{ \tilde{{\boldsymbol{u}}} } + \underbrace{(1 - \frac{w}{m}) k}_{{\boldsymbol{d}}} \\ &+ \underbrace{\lambda }_{ m_1^{\textsf{QS}} } + \underbrace{ ((\tau ' + 2) \cdot \tau + 2) \cdot \lambda }_{\text {VC Openings}} + \underbrace{2\lambda }_{\text {Equality Check}} \text { bits.} \end{aligned}$$

6 Performance Evaluation

In this section, we implement the \(\textsf{ReSolveD} \) signature scheme, which achieves highly competitive performance and a much smaller signature size when compared to other state-of-the-art code-based signature schemes. We first describe the parameters and implementation details of the scheme, then we report the evaluation results in terms of signature and key sizes as well as running time.

6.1 Parameters

We follow the approach from prior art [18] in the selection of parameters for the regular syndrome decoding instance. In particular, we select the minimal parameters that can offer the required bit security against state-of-the-art attacks that account for the regularity of the noise vector. Specifically, we estimate the complexity of the linearization attack, information syndrome decoding (ISD) attack and birthday paradox according to the formulas in [18] and take their minimal as the estimation of bit security. Using this estimation, we choose the smallest parameters that have complexity estimation of \(2^{128}\), \(2^{143}\), \(2^{207}\) and \(2^{272}\) according to the practice of previous works and the NIST’s L1, L3 and L5 security levels.²

Table 3. The parameters for the \(\textsf{ReSolveD} \) signature scheme.

Regarding the parameters of VOLE-in-the-Head, we follow the approach in the specification of FAEST [9]. In particular, with the security parameter \(\lambda \) and the repetition parameter \(\tau \), we compute \(\tau '_0 = \lceil \lambda / \tau \rceil \), \(\tau '_1 = \lfloor \lambda / \tau \rfloor \), and \(\tau _0 = \lambda \mod \tau \), \(\tau _1 = \tau - \tau _0\). In this way, since \(\tau _0 \tau _0' + \tau _1 \tau _1' = \lambda \), we can ensure that by sampling \(\tau _0\) instances of \(\mathcal {F}_\textsf{VC}\) with depth \(\tau _0'\) and \(\tau _1\) instances of \(\mathcal {F}_\textsf{VC}\) with depth \(\tau '_1\) we can get a global key with \(\lambda \) bits of entropy.

We select parameters such that our scheme demonstrates better performance in terms of the “signature size + public-key size” metric while still maintaining comparable running time compared to other NIST submissions. The parameters are shown in Table 3. We note that the parameter selection listed in Table 3 has considered recent attacks that exploit the regular noise structure [17, 25].

We implement our signature scheme by adapting the implementation of FAEST³.

We run the experiments on a Ubuntu 20.04 LTS machine with an AMD Ryzen 5 3600 CPU and 16 GB of RAM. For the time being, we only optimized the 128-bit version of \(\textsf{ReSolveD} \) with the AVX2 instruction set while we leave the respective optimization of \(\textsf{ReSolveD} \)-L1, \(\textsf{ReSolveD} \)-L3 and \(\textsf{ReSolveD} \)-L5 to a future work. The performance of \(\textsf{ReSolveD} \) under the first two sets of parameters with AVX2 optimization is reported in Table 1, while we compare the un-optimized version of \(\textsf{ReSolveD} \) under the other three sets of parameters with the reference implementation of other NIST submissions in the next subsection.

Table 4. Detailed comparison of \(\textsf{ReSolveD} \) compared to NIST’s new submissions SDitH and FAEST with its EM variants for NIST security L1, L3 and L5.

Table 5. Comparison of signature sizes and runtimes at NIST L1 security for some standardized schemes and previous/new submissions from the NIST PQC standardization project. Numbers for Picnic are taken from [36] running on a 3.6 GHz Intel Xeon W-2133, others are taken from their technical report with a base clock frequency of up 2.6 GHz Intel Core i7-6600U CPU for Dilithium, a 2.3 GHz Intel Core i5-8259U for Falcon, a 3.1 GHz Intel Xeon E3-1220 CPU for SPHINCS\({}^{+}\) and a 3.6 GHz AMD Ryzen 5 3600 CPU for SPHNICS-\(\alpha \).

6.2 Comparison with Other Post-Quantum Signature Schemes

We give a detailed comparison between \(\textsf{ReSolveD} \) and NIST’s new submissions SDitH [40] and FAEST [9] in Table 4. This is because SDitH shares a similarity in the underlying intractability assumption and FAEST utilizes the same VOLE-in-the-Head technique. In summary, \(\textsf{ReSolveD} \) and FAEST share almost the same secret key size, but \(\textsf{ReSolveD} \) is smaller in signature size while faster in signing and verification time than the short version of FAEST and its EM variant, with only slightly larger public key size and slower key generation time in the same security level. The size of \(\textsf{ReSolveD} \) outperforms SDitH where the signature size (resp., secret key size) is more than 2\(\times \) (resp., 12\(\times \)) smaller than that in SDitH. However, the running time of our scheme is much slower.

We also compare our \(\textsf{ReSolveD} \) with post-quantum signature schemes to be standardized by NIST including Dilithium [39], Falcon [48] and SPHINCS\({}^{+}\) [34] and other previous/new submissions to NIST such as Picnic [57] and SPHINCS-\(\alpha \) [58] in Table 5. Lattice-based signatures are currently the most efficient post-quantum signature schemes which achieve both smaller signature sizes and faster running times. However, these schemes are based on structured lattice problems such as Ring/Module-LWE and NTRU, on the contrary, our \(\textsf{ReSolveD} \) relies on no algebraic or geometric structures. Meanwhile, \(\textsf{ReSolveD} \) is competitive with Dilithium in the “signature size + public-key size” metric (with the former being 3.91 KB and the latter being 3.64 KB), although the runtimes of Dilithium significantly outperform us. Compared with the SPHINCS family and the Picnic family, our \(\textsf{ReSolveD} \) also achieves about \(2{\times }\)–\(4{\times }\) smaller in sizes than SPHINCS\({}^{+}\) and SPHINCS-\(\alpha \), and is more than 3\(\times \) smaller than Picnic. Nevertheless, our \(\textsf{ReSolveD} \) is slower in terms of signing and verification. We plan to develop an optimized implementation of our scheme in the future work.