
Quasi-Dyadic Girault Identification Scheme

Conference paper, Codes, Cryptology and Information Security (C2SI 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11445)

Abstract

Zero-knowledge identification schemes allow a prover to convince a verifier that a certain fact is true, while not revealing any additional information.

In this paper, we propose a scheme whose security relies on the hardness of the Quasi-Dyadic Subcode Equivalence and the Quasi-Dyadic Syndrome Decoding problems. Our code-based scheme is an improvement of the code-based identification scheme devised by Girault. Our construction uses quasi-dyadic subcodes and has a cheating probability of 1/2. Using quasi-dyadic subcodes reduces the matrix size and, since less data is sent, the communication cost.


References

  1. Aguilar, C., Gaborit, P., Schrek, J.: A new zero-knowledge code-based identification scheme with reduced communication. In: IEEE Information Theory Workshop 2011, pp. 648–652 (2011)
  2. Berger, T., Gueye, C.-T., Klamti, J.-B.: Generalized subspace subcodes with application in cryptology
  3. Berger, T.P., Gueye, C.T., Klamti, J.B.: A NP-complete problem in coding theory with application to code based cryptography. In: El Hajji, S., Nitaj, A., Souidi, E.M. (eds.) C2SI 2017. LNCS, vol. 10194, pp. 230–237. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-55589-8_15
  4. Cayrel, P.-L., Lindner, R., Rückert, M., Silva, R.: Improved zero-knowledge identification with lattices. Tatra Mountains Math. Publ. 53(1), 33–63 (2012)
  5. Cayrel, P.-L., Lindner, R., Rückert, M., Silva, R.: A lattice-based threshold ring signature scheme. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 255–272. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14712-8_16
  6. Cayrel, P.-L., Véron, P., El Yousfi Alaoui, S.M.: A zero-knowledge identification scheme based on the q-ary syndrome decoding problem. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 171–186. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_12
  7. Dambra, A., Gaborit, P., Roussellet, M., Schrek, J., Tafforeau, N.: Improved secure implementation of code-based signature schemes on embedded devices. IACR Cryptology ePrint Archive, Report 2014/163 (2014)
  8. Han, M., Feng, X., Ma, S.: An improved zero-knowledge identification scheme based on quasi-dyadic codes. Int. J. Secur. Appl. 10(10), 181–190 (2016)
  9. Cayrel, P.-L., Diagne, M.K., Gueye, C.T.: NP-completeness of the Goppa parameterised random binary quasi-dyadic syndrome decoding problem. IJICoT 4(4), 276–288 (2017)
  10. Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_10
  11. Sendrier, N., Simos, D.E.: The hardness of code equivalence over \(\mathbb{F}_q\) and its application to code-based cryptography. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 203–216. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_14
  12. Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2
  13. Véron, P.: Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996)
  14. Girault, M.: A (non-practical) three-pass identification protocol using coding theory. In: Seberry, J., Pieprzyk, J. (eds.) AUSCRYPT 1990. LNCS, vol. 453, pp. 265–272. Springer, Heidelberg (1990). https://doi.org/10.1007/BFb0030367
  15. Berger, T.P., Cayrel, P.-L., Gaborit, P., Otmani, A.: Reducing key length of the McEliece cryptosystem. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 77–97. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_6
  16. Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 376–392. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_24

Acknowledgments

This work is supported by CEA-MITIC/Project CBC and the government of Senegal’s Ministry of Higher Education and Research for ISPQ project.

Author information

Corresponding author: Brice Odilon Boidje.


A Proof of the NP-Completeness of the QD-ES Problem when We Fix the Order


A.1 Definitions

Four Dimensional Matching Problem (FDMP)

Definition 16

  • Input: a subset \(U \subseteq T \times T \times T \times T\) where T is a finite set.

  • Question: Does there exist a set \(W \subseteq U\) such that \(| W |=| T |\) and any two vectors of W have different i-th coordinates, for every \(i \in \{1, 2, 3, 4\}\)?

The Kronecker Product

Let A be a \(k \times \ell \) matrix and B an \(m \times n\) matrix.

Definition 17

The Kronecker product of A and B, denoted \(A \otimes B\), is the \(km \times \ell n\) matrix

$$ A \otimes B = \begin{pmatrix} a_{11}B & a_{12}B & \cdots & a_{1\ell}B \\ a_{21}B & a_{22}B & \cdots & a_{2\ell}B \\ \vdots & \vdots & \ddots & \vdots \\ a_{k1}B & a_{k2}B & \cdots & a_{k\ell}B \end{pmatrix} $$

Note that the Kronecker product of two matrices is another matrix, usually a much larger one.

A.2 Relation Between the ES Problem and the FDMP

The following illustration shows the relation between the ES problem and the FDMP.

Let \(T = \{1, 2, 3, 4\}\) (so \(n = |T| = 4\)) and \(U = \{U_1 , U_2 , U_3 , U_4 , U_5 , U_6\}\) with

\(U_1 = (1, 2, 3, 4)\); \(U_2 = (4, 1, 3, 2)\); \(U_3 = (2, 1, 4, 3)\); \(U_4 = (3, 4, 1, 2)\); \(U_5 = (4, 3, 2, 1)\); \(U_6 = (4, 4, 3, 4)\).

A solution of the FDMP is the set W consisting of \(U_1, U_3, U_4\) and \(U_5\): their first coordinates are \(1, 2, 3, 4\), their second coordinates \(2, 1, 4, 3\), their third \(3, 4, 1, 2\) and their fourth \(4, 3, 2, 1\), so no two of them agree on any coordinate.

We apply the following transformations \(\mathcal {T}\) to U in order to obtain an \(| U | \times 4| T |\) matrix M:

  • For each \(x =(x_1,x_2,x_3,x_4) \in U\), we associate the vector \(l(x) = (y_1 ,\cdots , y_{4n})\) such that \(y_i = 0\) for all i except \(y_{x_1} = y_{n+x_2} = y_{2n+x_3} = y_{3n+x_4} = 1\).

    For our example, we obtain:

    $$\begin{aligned} l((1, 2, 3, 4)) &= (1,0,0,0,~0,1,0,0,~0,0,1,0,~0,0,0,1)\\ l((4, 1, 3, 2)) &= (0,0,0,1,~1,0,0,0,~0,0,1,0,~0,1,0,0)\\ l((2, 1, 4, 3)) &= (0,1,0,0,~1,0,0,0,~0,0,0,1,~0,0,1,0)\\ l((3, 4, 1, 2)) &= (0,0,1,0,~0,0,0,1,~1,0,0,0,~0,1,0,0)\\ l((4, 3, 2, 1)) &= (0,0,0,1,~0,0,1,0,~0,1,0,0,~1,0,0,0)\\ l((4, 4, 3, 4)) &= (0,0,0,1,~0,0,0,1,~0,0,1,0,~0,0,0,1) \end{aligned}$$
  • We construct the matrix M of size \(| U | \times 4| T |\) by stacking the vectors l(x) of the elements of U in order:

    $$M = \left( \begin{array}{cccc|cccc|cccc|cccc} 1&0&0&0&0&1&0&0&0&0&1&0&0&0&0&1 \\ 0&0&0&1&1&0&0&0&0&0&1&0&0&1&0&0 \\ 0&1&0&0&1&0&0&0&0&0&0&1&0&0&1&0 \\ 0&0&1&0&0&0&0&1&1&0&0&0&0&1&0&0 \\ 0&0&0&1&0&0&1&0&0&1&0&0&1&0&0&0 \\ 0&0&0&1&0&0&0&1&0&0&1&0&0&0&0&1 \end{array} \right) $$

With this new representation of U, a valid FDMP solution corresponds to the existence of |T| rows of M forming the matrix

$$M_{sol} = \left( \begin{array}{cccc|cccc|cccc|cccc} 1&0&0&0&0&1&0&0&0&0&1&0&0&0&0&1 \\ 0&1&0&0&1&0&0&0&0&0&0&1&0&0&1&0 \\ 0&0&1&0&0&0&0&1&1&0&0&0&0&1&0&0 \\ 0&0&0&1&0&0&1&0&0&1&0&0&1&0&0&0 \end{array} \right) $$

(the rows \(l(U_1), l(U_3), l(U_4), l(U_5)\)). Since \(M_{sol}\) contains exactly one 1 in each column, it is equivalent by a column permutation to a matrix of the form \((I_{4}|I_{4}|I_{4}|I_{4})\).

Now consider \(\mathcal {D}\) and \(\mathcal {C}\), linear codes over \(\mathbb {F}_q\) with respective generator matrices \(G_{\mathcal {D}}\) and \(G_{\mathcal {C}}\) defined by:

$$ G_{\mathcal {D}} = (I_6|I_6|I_6|I_6|M) $$
$$ G_{\mathcal {C}} = (I_4|0_{4 \times 2}|I_4|0_{4 \times 2}|I_4|0_{4 \times 2}|I_4|0_{4 \times 2}|I_{4}|I_{4}|I_{4}|I_{4}) $$

where \(0_{4 \times 2}\) is the \(4\times 2\) null matrix and \(I_4\) the \(4\times 4\) identity matrix; both matrices have \(4 \cdot 6 + 4 \cdot 4 = 40\) columns.

So, for the same reasons as before, finding a valid FDMP solution amounts to finding a permutation \(\sigma \) such that \(\sigma (\mathcal {C})\) is a subcode of \(\mathcal {D}\). This is an instance of the ES problem.

A.3 Proof

We give a reduction of the FDMP to QD-ES.

  • Assume an algorithm \(\gamma \) is able to solve any instance of the QD-ES problem.

  • Let \(U \subseteq T \times T \times T \times T\) with T a finite set of cardinality n. The pair (n, U) is the input of the FDMP.

  • Let U be the set

    $$ U = \{u_1, u_2,\cdots ,u_{r}\} \text { with } r = |U|. $$

    We apply the transformations \(\mathcal {T}\) of the previous section to U and obtain an \(|U|\times 4|T|\) matrix M. Let G be the \(r \times (4r + 4n)\) matrix defined by

    $$ G = (I_r|I_r|I_r|I_r|M) $$

    From G we construct the quasi-dyadic matrix \(\mathbf G _\mathcal {D}\) of size \(2r \times (8r+8n)\):

    $$ \mathbf G _\mathcal {D} = G \otimes I_2$$

    (where \(I_2\) is the identity matrix of size \( 2 \times 2 \)).

    Let \(\mathcal {D}\) be the \([8r + 8n, 2r]\) linear code over \(\mathbb {F}_q\) generated by the matrix \(\mathbf G _\mathcal {D}\). \(\mathcal {D}\) is a quasi-dyadic code.

Lemma 1

The minimum distance of \(\mathcal {D}\) is exactly 8. Moreover, the minimum-weight codewords are exactly the rows of \(\mathbf G _\mathcal {D}\) (up to nonzero scalar multiples).

Proof

Each row of \(\mathbf G _\mathcal {D}\) is a codeword of weight 8: four 1s from the identity blocks and four from M. Since the rows of M are distinct, so are the rows of \(M \otimes I_2\); as the identity parts of two distinct rows have disjoint supports, the sum of two rows of \(\mathbf G _\mathcal {D}\) has weight at least 8 + 2 = 10. Finally, the sum of t distinct rows has weight at least 4t from the identity blocks alone, which is at least 12 for \(t \ge 3\).

  • We transform a solution of the QD-ES into a solution of the FDMP. Let \(\mathbf G _\mathcal {C}\) be the \(2n \times (8r + 8n)\) quasi-dyadic matrix defined by

    $$ \mathbf G _\mathcal {C} = (I_n | 0_{n\times (r- n)}|I_n | 0_{n\times (r- n)}|I_n | 0_{n\times (r-n)} | I_n | 0_{n \times (r-n)} |I_n|I_n|I_n|I_n)\otimes I_2 $$

    A solution to the QD-ES problem with \(\mathbf G _\mathcal {D}\) and \(\mathbf G _\mathcal {C}\) as inputs is a quasi-dyadic permutation \(\sigma \) such that \(\sigma (\mathcal {C})\) is a quasi-dyadic subcode of \(\mathcal {D}\).

    The image under \(\sigma \) of each row group of \(\mathbf G _\mathcal {C}\) is a row group whose rows are codewords of \(\mathcal {D}\) of weight exactly 8. By Lemma 1, these codewords are rows of \(\mathbf G _\mathcal {D}\). We thus obtain n distinct quasi-dyadic row blocks of \(\mathbf G _\mathcal {D}\). Taking the first row of each block gives n distinct rows, corresponding to n elements of U, no two of which agree on any coordinate. This yields a matching W of U.
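The constructions of A.2 and A.3, carried through in code on the appendix's own instance: the transformation l(x) and the matrix M, the brute-force FDMP search compared with the "exactly one 1 per column" criterion, the Kronecker product of Definition 17, the generators \(\mathbf G _\mathcal {D}\) and \(\mathbf G _\mathcal {C}\) with their claimed dimensions, and an exhaustive check of Lemma 1. This is an added example written for this page, not code from the paper or its authors. It assumes q = 2 (the lemma is stated over \(\mathbb {F}_q\); the exhaustive check only enumerates the binary code) and uses 0-based row indices, so (0, 2, 3, 4) stands for \(\{U_1, U_3, U_4, U_5\}\). It needs only the Python standard library.

```python
from itertools import combinations

# Constructed instance: the appendix's own example, T = {1,2,3,4} and U = {U_1,...,U_6}.
T = (1, 2, 3, 4)
U = [(1, 2, 3, 4), (4, 1, 3, 2), (2, 1, 4, 3),
     (3, 4, 1, 2), (4, 3, 2, 1), (4, 4, 3, 4)]


def l_vec(x, n):
    """l(x): a 4n-entry row that is 0 except y_{x_1} = y_{n+x_2} = y_{2n+x_3} = y_{3n+x_4} = 1."""
    y = [0] * (4 * n)
    for i, xi in enumerate(x):
        y[i * n + (xi - 1)] = 1          # the paper's coordinates are 1-based, lists are 0-based
    return y


def build_M(U, n):
    """The |U| x 4|T| matrix M: the rows l(x), x in U, in order."""
    return [l_vec(x, n) for x in U]


def is_matching(W, n):
    """FDMP question: |W| = |T| and no two tuples of W share an i-th coordinate."""
    return len(W) == n and all(len({w[i] for w in W}) == n for i in range(4))


def one_one_per_column(rows):
    """A.2's criterion: |T| rows of M with exactly one 1 in every column are
    permutation-equivalent to (I_n|I_n|I_n|I_n)."""
    return all(sum(col) == 1 for col in zip(*rows))


def matchings(U, n):
    """Brute-force FDMP solutions as sorted tuples of 0-based row indices."""
    return [idx for idx in combinations(range(len(U)), n)
            if is_matching([U[i] for i in idx], n)]


def column_solutions(M, n):
    """The same search, run on M with the column criterion instead of on U."""
    return [idx for idx in combinations(range(len(M)), n)
            if one_one_per_column([M[i] for i in idx])]


def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]


def hstack(*blocks):
    """Horizontal concatenation (A|B|...) of matrices with equal row counts."""
    return [sum((blk[i] for blk in blocks), []) for i in range(len(blocks[0]))]


def kron(A, B):
    """Kronecker product A (x) B of Definition 17: block (i, j) is a_ij * B."""
    return [[a * b for a in row_a for b in row_b] for row_a in A for row_b in B]


def build_G_D(M):
    """G = (I_r|I_r|I_r|I_r|M), then the quasi-dyadic generator G_D = G (x) I_2."""
    I = identity(len(M))
    return kron(hstack(I, I, I, I, M), identity(2))


def build_G_C(n, r):
    """G_C = (I_n|0_{n x (r-n)}|I_n|0|I_n|0|I_n|0|I_n|I_n|I_n|I_n) (x) I_2, size 2n x (8r+8n)."""
    I, Z = identity(n), [[0] * (r - n) for _ in range(n)]
    return kron(hstack(I, Z, I, Z, I, Z, I, Z, I, I, I, I), identity(2))


def weight(v):
    return sum(1 for c in v if c)


def binary_codewords(G):
    """Every nonzero codeword of the binary code generated by G, with the rows used (q = 2 only)."""
    k, ncols = len(G), len(G[0])
    for t in range(1, k + 1):
        for rows in combinations(range(k), t):
            cw = [0] * ncols
            for i in rows:
                cw = [a ^ b for a, b in zip(cw, G[i])]
            yield rows, cw


def check_lemma1(G_D):
    """(minimum distance, whether the minimum-weight codewords are exactly the rows of G_D)."""
    words = list(binary_codewords(G_D))
    d = min(weight(cw) for _, cw in words)
    minimal = [rows for rows, cw in words if weight(cw) == d]
    return d, len(minimal) == len(G_D) and all(len(rows) == 1 for rows in minimal)


if __name__ == "__main__":
    n, r = len(T), len(U)
    M = build_M(U, n)
    print("FDMP matchings (0-based rows):", matchings(U, n))    # [(0, 2, 3, 4)] = {U_1, U_3, U_4, U_5}
    print("same via column test on M:   ", column_solutions(M, n))
    G_D, G_C = build_G_D(M), build_G_C(n, r)
    print("G_D is %d x %d, G_C is %d x %d" % (len(G_D), len(G_D[0]), len(G_C), len(G_C[0])))
    print("Lemma 1 over F_2 (d, only rows are minimal):", check_lemma1(G_D))   # (8, True)
```

The two searches return the same single subset, which is the point of A.2: the FDMP condition on tuples and the one-1-per-column condition on rows of M are the same test. The exhaustive check over the 2^12 - 1 nonzero codewords of the 12 x 80 generator confirms Lemma 1 for this instance (minimum distance 8, attained only by the 12 rows); the argument in the proof, four disjoint identity positions per row plus distinct rows of M, is what makes this hold for any U.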


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Boidje, B.O., Gueye, C.T., Dione, G.N., Klamti, J.B. (2019). Quasi-Dyadic Girault Identification Scheme. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E. (eds) Codes, Cryptology and Information Security. C2SI 2019. Lecture Notes in Computer Science, vol 11445. Springer, Cham. https://doi.org/10.1007/978-3-030-16458-4_18


  • DOI: https://doi.org/10.1007/978-3-030-16458-4_18


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-16457-7

  • Online ISBN: 978-3-030-16458-4

  • eBook Packages: Computer Science (R0)
