International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Dual Support Decomposition in the Head: Shorter Signatures from Rank SD and MinRank

Authors:
Loïc BIDOUX , Technology Innovation Institute
Thibauld FENEUIL , Cryptoexperts
Philippe GABORIT , University of Limoges
Romaric NEVEU , University of Limoges
Matthieu RIVAIN , Cryptoexperts
Download:
Search ePrint
Search Google
Presentation: Slides
Conference: ASIACRYPT 2024
Abstract: The MPC-in-the-Head (MPCitH) paradigm is widely used for building post-quantum signature schemes, as it provides a versatile way to design proofs of knowledge based on hard problems. Over the years, the MPCitH landscape has changed significantly, with the most recent improvements coming from VOLE-in-the-Head (VOLEitH) and Threshold-Computation-in-the-Head (TCitH). While a straightforward application of these frameworks already improve the existing MPCitH-based signatures, we show in this work that we can adapt the arithmetic constraints representing the underlying security assumptions (here called the modeling) to achieve smaller sizes using these new techniques. More precisely, we explore existing modelings for the rank syndrome decoding (RSD) and MinRank problems and we introduce a new modeling, named dual support decomposition, which achieves better sizes with the VOLEitH and TCitH frameworks by minimizing the size of the witnesses. While this modeling is naturally more efficient than the other ones for a large set of parameters, we show that it is possible to go even further and explore new areas of parameters. With these new modeling and parameters, we obtain low-size witnesses which drastically reduces the size of the ``arithmetic part'' of the signature. We apply our new modeling to both TCitH and VOLEitH frameworks and compare our results to RYDE, MiRitH, and MIRA signature schemes. We also note that recent techniques optimizing the sizes of GGM trees are applicable to our schemes and further reduce the signature sizes by a few hundred bytes. We obtain signature sizes below 3.5 kB for 128 bits of security with N=256 parties (a.k.a. leaves in the GGM trees) and going as low as 2.8 kB with N=2048, for both RSD and MinRank. This represents an improvement of more than 2\:kB compared to the original submissions to the 2023 NIST call for additional signatures.
BibTeX
@inproceedings{asiacrypt-2024-34649,
  title={Dual Support Decomposition in the Head: Shorter Signatures from Rank SD and MinRank},
  publisher={Springer-Verlag},
  author={Loïc BIDOUX and Thibauld FENEUIL and Philippe GABORIT and Romaric NEVEU and Matthieu RIVAIN},
  year=2024
}