Code-Based Signature Schemes from Identification Protocols in the Rank Metric

Abstract

We present two code-based identification protocols and signature schemes in the rank metric, providing detailed pseudocode and selecting practical parameters. The proposals are derived from their analogue in the Hamming metric. We discuss their security in the post-quantum scenario. With respect to other signature schemes based on codes, our constructions maintain a similar efficiency, possess large but still practical signatures, and the smallest key and public key sizes.

A Key and Signature Size Derivation for Other Code-Based Signature Schemes

As far as it concerns Parallel-CFS, we recall that the scheme is defined by the parameters \(m,t,\delta ,i\), which yield a code of length \(n=2^m\) and dimension \(k = 2^m-mt\). The parameter t is the correction capability of the underlying Goppa code and also the degree of its defining polynomial g over \(\mathbb {F}_{2^m}\). The parameter i is the number of parallel hashes, which also determines the linear increase of the signature time and size with respect to the original scheme. The parameter \(\delta \) can be thought of as the increase that needs to be added to t in order for \(t+\delta \) to provide complete decoding. The public key is a hidden \(mt \times n\) parity-check matrix \(H \in \{0,1\}^{mt \times n}\) in systematic form of the Goppa code, which can then be represented using \((n-k)k = mt(2^m-mt)\) bits. The private key has size \(mt + mn\), since it is formed by g and the so called support \((\alpha _1,\ldots ,\alpha _n) \in (\mathbb {F}_{2^m})^n\) of the code. There are shortening techniques that can be used to represent the signature, depending on whether a larger signature or a slower scheme is desired. To obtain fast signature verification, a possible trade-off gives a size of \(i \log _2 \left( {\begin{array}{c}n\\ t+\delta -1\end{array}}\right) \) bits. To obtain short signatures with a longer verification, a possible trade-off gives a size of \(i \log _2 \left( {\begin{array}{c}n/m\\ t+\delta -3\end{array}}\right) \) bits. We report the two extremes presented in [17] for a security of at least 80 bits. For higher security levels or for the post-quantum scenario the key sizes become prohibitive.

The code parameters of RaCoSS are the length of the code n, its dimension k, its minimum distance \(\omega \), and a real constant \(\gamma \). The private and the public key of RaCoSS scheme are, respectively, a \(n \times n\) and a \((n-k) \times n\) binary matrix. The signature is composed by the elements z and c of size n bits each. The authors also use a compression technique to reduce the size of the secret key to \(n\omega \lceil \log _2 n \rceil \) and the signature to \(n+\lfloor \gamma \omega \rfloor \lceil \log _2 n \rceil \).

The parameters of the RankSign scheme are the cardinality q of the base field, the length n, the dimension k, and the weight d of the LRPC code, the extension degree m, the number t of random columns added to the LRPC code to obtain the augmented LRPC code, the rank weight \(t'\) of the error, and the rank weight r of the signature of a message. The public key is given by a parity-check matrix in systematic form of size \((n-k)\times (n+t)\), with entries in \(\mathbb {F}_{q^m}\), which can be represented with \((n-k)(t+k)m\lceil \log _2 q\rceil \) bits. The secret key is composed by 3 matrices of size \((n-k)\times (n-k)\), \((n+t)\times (n+t)\), and \((n-k)\times (n+t)\), for a total size of \(((n-k)^2 + (n+t)^2 + (n-k)(n+t))m\log _2 q\). The signature has size \(r(m+n+t)\lceil \log _2 q\rceil \).

The parameters of pqsignRM are the integers r, m defining the Reed-Mueller code of length \(n=2^m\) and dimension \(k = \sum _{i=0}^r \left( {\begin{array}{c}m\\ i\end{array}}\right) \), a positive integer p as the puncturing parameter, and the error weight parameter w. The public key is a binary \((n-k) \times n\) parity-check matrix in systematic form, thus requiring \((n-k)k\) bits for its representation. The secret key is made by 3 binary matrices of size, respectively, \((n-k)\times (n-k)\), \(n \times n\), and \(p \times (n-p)\), plus a vector of size \(n-k\). The signature is given by a vector e of n bits and integer \(i<2^{128}\).