International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Syndrome Decoding in the Head: Shorter Signatures from Zero-Knowledge Proofs

Authors:
Thibauld Feneuil , CryptoExperts, Sorbonne Université
Antoine Joux , CISPA
Matthieu Rivain , CryptoExperts
Download:
Search ePrint
Search Google
Conference: CRYPTO 2022
Abstract: Zero-knowledge proofs of knowledge are useful tools to design signature schemes. The ongoing effort to build a quantum computer motivates the cryptography community to develop new secure cryptographic protocols based on quantum-hard cryptographic problems. One of the few directions is code-based cryptography for which the strongest problem is the syndrome decoding (SD) for random linear codes. This problem is known to be NP-hard and the cryptanalysis state of the art has been stable for many years. A zero-knowledge protocol for this problem was pioneered by Stern in 1993. Since its publication, many articles proposed optimizations, implementation, or variants. In this paper, we introduce a new zero-knowledge proof for the syndrome decoding problem on random linear codes. Instead of using permutations like most of the existing protocols, we rely on the MPC-in-the-head paradigm in which we reduce the task of proving the low Hamming weight of the SD solution to proving some relations between specific polynomials. We propose a 5-round zero-knowledge protocol that proves the knowledge of a vector x such that y=Hx and \wt(x) <= w and which achieves a soundness error closed to 1/N for an arbitrary N. While turning this protocol into a signature scheme, we achieve a signature size of 11-12 KB for a 128-bit security when relying on the hardness of the SD problem on binary fields. Using bigger fields (like \F_{2^8}), we can produce fast signatures of around 8 KB. This allows us to outperform Picnic3 and to be competitive with SPHINCS+, both post-quantum signature candidates in the ongoing NIST standardization effort. Moreover, our scheme outperforms all the existing code-based signature schemes for the common ``signature size + public key size'' metric.
Video from CRYPTO 2022
BibTeX
@inproceedings{crypto-2022-32196,
  title={Syndrome Decoding in the Head: Shorter Signatures from Zero-Knowledge Proofs},
  publisher={Springer-Verlag},
  author={Thibauld Feneuil and Antoine Joux and Matthieu Rivain},
  year=2022
}