Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature

<p dir="ltr">The threat of a coming quantum computer motivates the research for new zero-knowledge proof techniques for (or based on) post-quantum cryptographic problems. One of the few directions is code-based cryptography for which the strongest problem is the <i>syndrome decoding</i> (SD) of random linear codes. This problem is known to be NP-hard and the cryptanalysis state of affairs has been stable for many years. A zero-knowledge protocol for this problem was pioneered by Stern in 1993. As a simple public-coin three-round protocol, it can be converted to a post-quantum signature scheme through the famous Fiat-Shamir transform. The main drawback of this protocol is its high <i>soundness error</i> of 2/3, meaning that it should be repeated \(\approx 1.7 \lambda \) times to reach a \(\lambda \)-bit security. In this paper, we improve this three-decade-old state of affairs by introducing a new zero-knowledge proof for the syndrome decoding problem on random linear codes. Our protocol achieves a soundness error of 1/<i>n</i> for an <i>arbitrary</i> <i>n</i> in complexity \(\mathcal {O}(n)\). Our construction requires the verifier to <i>trust</i> some of the variables sent by the prover which can be ensured through a <i>cut-and-choose</i> approach. We provide an optimized version of our zero-knowledge protocol which achieves arbitrary soundness through parallel repetitions and merged cut-and-choose phase. While turning this protocol into a signature scheme, we achieve a signature size of 17 KB for a 128-bit security. This represents a significant improvement over previous constructions based on the syndrome decoding problem for random linear codes.</p>