PERK: compact signature scheme based on a new variant of the permuted kernel problem

Designs, Codes and Cryptography

Abstract

In this work we introduce PERK, a compact digital signature scheme based on the hardness of a new variant of the permuted kernel problem (PKP). PERK achieves the smallest signature sizes of any PKP-based scheme for NIST category I security, at 6 kB, while obtaining competitive signing and verification timings. PERK also compares well with the general state of the art. To substantiate these claims we provide an optimized constant-time AVX2 implementation, a detailed performance analysis and different size-performance trade-offs. Technically, our scheme is based on a Zero-Knowledge Proof of Knowledge following the MPC-in-the-Head paradigm and employing the Fiat–Shamir transform. We provide comprehensive security proofs, ensuring EUF-CMA security for PERK in the random oracle model. The efficiency of PERK stems largely from our particular choice of PKP variant, which allows for an application of the challenge-space amplification technique due to Bidoux–Gaborit (C2SI 2023). Our second main contribution is an in-depth study of the hardness of the introduced problem variant. First, we establish a link between the hardness of our problem variant and the hardness of standard PKP. Then, we initiate an in-depth study of the concrete complexity of solving our variant. We present a novel algorithm which outperforms previous approaches for certain parameter regimes. However, the proximity of our problem variant to the standard variant can be controlled via a specific parameter. This enables us to effectively safeguard against our new attack and potential future extensions by a choice of parameters that ensures only a slight deviation from standard PKP.
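The standard permuted kernel problem that PERK's variant builds on, together with the classic five-pass identification scheme of Shamir [50] for it, as an added worked example. This is illustration code written for this page: it is not PERK's implementation (which is published at https://pqc-perk.org/) and not the MPC-in-the-Head protocol of the paper, whose PKP variant is not specified on this page. It uses assumed toy parameters (p = 251, m = 4, n = 10), a salted SHA-256 hash as the commitment, and plain Python integer arithmetic that is not constant-time, unlike the AVX2 implementation the abstract refers to. It shows the relation H·π(v) = 0 that the public key hides, how one round of the protocol lets the verifier check that relation without learning π, and why both challenge bits are needed: a prover holding a wrong permutation still passes the b = 1 check.

```python
# Standard PKP and Shamir's 1989 identification scheme, as a constructed toy model.
# Toy parameters and a bare hash commitment: illustration only, not PERK's protocol.
import hashlib
import secrets

P, M, N = 251, 4, 10  # assumed toy parameters: prime modulus, rows of H, length of v

def apply_perm(perm, vec):
    """Permuted vector u with u[i] = vec[perm[i]]."""
    return [vec[perm[i]] for i in range(len(vec))]

def compose(a, b):
    """Permutation c with apply_perm(c, x) == apply_perm(a, apply_perm(b, x))."""
    return [b[a[i]] for i in range(len(a))]

def invert(perm):
    inv = [0] * len(perm)
    for i, j in enumerate(perm):
        inv[j] = i
    return inv

def mat_vec(H, x):
    return [sum(h * xi for h, xi in zip(row, x)) % P for row in H]

def random_perm(n):
    perm = list(range(n))
    for i in range(n - 1, 0, -1):  # Fisher-Yates shuffle driven by a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def keygen():
    """PKP instance: public (H, v), secret permutation pi with H * pi(v) = 0 mod P."""
    w = [secrets.randbelow(P) for _ in range(N)]
    w[-1] = 1 + secrets.randbelow(P - 1)  # non-zero pivot for the last column of H
    inv_last = pow(w[-1], -1, P)
    H = []
    for _ in range(M):
        row = [secrets.randbelow(P) for _ in range(N - 1)]
        partial = sum(h * x for h, x in zip(row, w[:-1])) % P
        row.append((-partial * inv_last) % P)  # forces <row, w> = 0, so w is in ker(H)
        H.append(row)
    pi = random_perm(N)
    v = apply_perm(invert(pi), w)  # publish the unpermuted vector: apply_perm(pi, v) == w
    return (H, v), pi

def commit(*parts):
    """Salted hash commitment; returns (salt, digest). Opening reveals the salt."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + repr(parts).encode()).digest()

def open_ok(salt, digest, *parts):
    return hashlib.sha256(salt + repr(parts).encode()).digest() == digest

def prover_commit(pk, pi):
    """Pass 1: commit to a random permutation sigma and a random vector r."""
    H, _ = pk
    sigma, r = random_perm(N), [secrets.randbelow(P) for _ in range(N)]
    tau = compose(sigma, pi)  # tau(x) = sigma(pi(x)); on its own it reveals nothing about pi
    salt0, c0 = commit(sigma, mat_vec(H, r))
    salt1, c1 = commit(tau, apply_perm(sigma, r))
    return (c0, c1), (sigma, tau, r, salt0, salt1)

def prover_respond(pk, state, c):
    """Pass 3: w = sigma(r) + c * tau(v) = sigma(r + c * pi(v)) for the verifier's c."""
    _, v = pk
    sigma, tau, r, _, _ = state
    return [(a + c * b) % P for a, b in zip(apply_perm(sigma, r), apply_perm(tau, v))]

def prover_open(state, b):
    """Pass 5: reveal sigma (b = 0) or tau (b = 1), never both."""
    sigma, tau, _, salt0, salt1 = state
    return (sigma, salt0) if b == 0 else (tau, salt1)

def verify(pk, commitments, c, w, b, opening):
    H, v = pk
    c0, c1 = commitments
    perm, salt = opening
    if sorted(perm) != list(range(N)):  # the opening must be a genuine permutation
        return False
    if b == 0:
        # Undo sigma: H * (r + c*pi(v)) equals H*r precisely because H*pi(v) = 0.
        return open_ok(salt, c0, perm, mat_vec(H, apply_perm(invert(perm), w)))
    # Strip c*tau(v) from w to recover sigma(r), the value committed in c1.
    s = [(wi - c * ti) % P for wi, ti in zip(w, apply_perm(perm, v))]
    return open_ok(salt, c1, perm, s)

def run_round(pk, pi, c=None, b=None):
    """One five-pass round; c and b default to fresh verifier randomness."""
    c = secrets.randbelow(P) if c is None else c
    b = secrets.randbelow(2) if b is None else b
    commitments, state = prover_commit(pk, pi)
    w = prover_respond(pk, state, c)
    return verify(pk, commitments, c, w, b, prover_open(state, b))
```

A dishonest prover can always prepare its commitments so that one of the two values of b is answerable, so a single round only roughly halves its chance of being accepted; PKP-based schemes therefore repeat the round many times, and those repeated transcripts, not the tiny public key, are what a PKP signature consists of. That is the cost the abstract's MPC-in-the-Head construction and challenge-space amplification are designed to bring down.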

Data availability

Data sharing not applicable to this article as no datasets were generated or analysed during the current study. The reference implementation for the scheme is available at https://pqc-perk.org/.

Notes

  1. Informally, this can be seen by observing that t only affects the number of matches, i.e. the size of L (compare Sect. 4.1). However, asymptotically the sizes of the initial lists \(L_i\) and of L are balanced, so a decrease in the size of L does not lead to runtime improvements.

  2. https://github.com/Crypto-TII/cryptographic_estimators.

References

  1. Adj G., Rivera-Zamarripa L., Verbel J.: MinRank in the head: Short signatures from zero-knowledge proofs. Cryptology ePrint Archive, Report 2022/1501 (2022). https://eprint.iacr.org/2022/1501.

  2. Aguilar-Melchor C., Gama N., Howe J., Hülsing A., Joseph D., Yue D.: The return of the SDitH. In: Advances in Cryptology–EUROCRYPT 2023: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23–27, 2023, Proceedings, Part V. pp. 564–596. Springer (2023).

  3. Alekhnovich M.: More on average case vs approximation complexity. In: Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science. p. 298. FOCS ’03, IEEE Computer Society, USA (2003).

  4. Attema T., Cramer R., Kohl L.: A compressed \(\Sigma \)-protocol theory for lattices. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 549–579. Springer, Heidelberg, Virtual Event (2021). https://doi.org/10.1007/978-3-030-84245-1_19.

  5. Attema T., Fehr S.: Parallel repetition of (\(k_1, \dots , k_{\mu }\))-special-sound multi-round interactive proofs. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part I. LNCS, vol. 13507, pp. 415–443. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15802-5_15.

  6. Attema T., Fehr S., Klooß M.: Fiat-Shamir transformation of multi-round interactive proofs. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part I. LNCS, vol. 13747, pp. 113–142. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22318-1_5.

  7. Baldi M., Bitzer S., Pavoni A., Santini P., Wachter-Zeh A., Weger V.: Zero knowledge protocols and signatures from the restricted syndrome decoding problem. Cryptology ePrint Archive (2023).

  8. Baritaud T., Campana M., Chauvaud P., Gilbert H.: On the security of the permuted kernel identification scheme. In: Brickell, E.F. (ed.) CRYPTO’92. LNCS, vol. 740, pp. 305–311. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_21.

  9. Bellare M., Davis H., Günther F.: Separate your domains: NIST PQC KEMs, oracle cloning and read-only indifferentiability. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 3–32. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-45724-2_1.

  10. Berger T.P., Gueye C.T., Klamti J.B.: An NP-complete problem in coding theory with application to code based cryptography. In: Codes, Cryptology and Information Security: Second International Conference, C2SI 2017, Rabat, Morocco, April 10–12, 2017, Proceedings-In Honor of Claude Carlet. pp. 230–237. Springer (2017).

  11. Beullens W.: Not enough LESS: An improved algorithm for solving code equivalence problems over \(\mathbb{F} _q\). In: Dunkelman, O., Jacobson Jr., M.J., O'Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 387–403. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-81652-0_15.

  12. Beullens W.: Sigma protocols for MQ, PKP and SIS, and Fishy signature schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part III. LNCS, vol. 12107, pp. 183–211. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-45727-3_7.

  13. Beullens W., Faugère J.C., Koussa E., Macario-Rat G., Patarin J., Perret L.: PKP-based signature scheme. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 3–22. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-35423-7_1.

  14. Beullens W., De Feo L., Galbraith S.D., Petit C.: Proving knowledge of isogenies-a survey. Cryptology ePrint Archive, Paper 2023/671 (2023). https://eprint.iacr.org/2023/671.

  15. Bidoux L., Gaborit P.: Compact post-quantum signatures from proofs of knowledge leveraging structure for the PKP, SD and RSD problems. In: Codes, Cryptology and Information Security (C2SI). pp. 10–42. Springer (2023).

  16. Bidoux L., Gaborit P., Kulkarni M., Mateu V.: Code-based signatures from new proofs of knowledge for the syndrome decoding problem. Des. Codes Cryptogr. 91(2), 497–544 (2023).


  17. Chase M., Derler D., Goldfeder S., Kales D., Katz J., Kolesnikov V., Orlandi C., Ramacher S., Rechberger C., Slamanig D., Wang X., Zaverucha G.: The Picnic signature scheme design document (version 3.0). Available at https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/submissions/Picnic-Round3.zip (2020).

  18. Chou T., Niederhagen R., Persichetti E., Randrianarisoa T.H., Reijnders K., Samardjiska S., Trimoska M.: Take your MEDS: digital signatures from matrix code equivalence. Cryptology ePrint Archive (2022).

  19. Delfs C., Galbraith S.D.: Computing isogenies between supersingular elliptic curves over \({{\mathbb{F}}_{p}}\). Des. Codes Cryptogr. 78(2), 425–440 (2016). https://doi.org/10.1007/s10623-014-0010-1.


  20. Esser A., Verbel J., Zweydinger F., Bellini E.: CryptographicEstimators: a software library for cryptographic hardness estimation. Cryptology ePrint Archive (2023).

  21. Feneuil T.: Building MPCitH-based signatures from MQ, MinRank, rank SD and PKP. Cryptology ePrint Archive, Report 2022/1512 (2022). https://eprint.iacr.org/2022/1512.

  22. Feneuil T., Joux A., Rivain M.: Syndrome decoding in the head: shorter signatures from zero-knowledge proofs. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 541–572. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_19.

  23. Feneuil T., Maire J., Rivain M., Vergnaud D.: Zero-knowledge protocols for the subset sum problem from MPC-in-the-head with rejection. In: Agrawal S., Lin D. (eds.) ASIACRYPT 2022, Part II. LNCS, vol. 13792, pp. 371–402. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22966-4_13.

  24. Feneuil T., Joux A., Rivain M.: Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature. Des. Codes Cryptogr. 91(2), 563–608 (2023).


  25. Fiat A., Shamir A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko A.M. (ed.) CRYPTO’86. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12.

  26. Gaborit P., Zémor G.: On the hardness of the decoding and the minimum distance problems for rank codes. IEEE Trans. Inf. Theory 62(12), 7245–7252 (2016). https://doi.org/10.1109/TIT.2016.2616127.


  27. Gaborit P., Hauteville A., Phan D.H., Tillich J.P.: Identity-based encryption from codes with rank metric. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 194–224. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-63697-9_7.

  28. Garey M.R., Johnson D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. Series of Books in the Mathematical Sciences. W. H. Freeman, New York (1979).


  29. Georgiades J.: Some remarks on the security of the identification scheme based on permuted kernels. J. Cryptol. 5(2), 133–137 (1992). https://doi.org/10.1007/BF00193565.


  30. Gueron S., Persichetti E., Santini P.: Designing a practical code-based signature scheme from zero-knowledge proofs with trusted setup. Cryptography 6(1), 5 (2022).


  31. Hülsing A., Bernstein D.J., Dobraunig C., Eichlseder M., Fluhrer S., Gazdag S.L., Kampanakis P., Kölbl S., Lange T., Lauridsen M.M., Mendel F., Niederhagen R., Rechberger C., Rijneveld J., Schwabe P., Aumasson J.P., Westerbaan B., Beullens W.: SPHINCS+. Tech. rep., National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022.

  32. Ishai Y., Kushilevitz E., Ostrovsky R., Sahai A.: Zero-knowledge from secure multiparty computation. In: Johnson D.S., Feige U. (eds.) 39th ACM STOC. pp. 21–30. ACM Press (2007). https://doi.org/10.1145/1250790.1250794.

  33. Ishai Y., Kushilevitz E., Ostrovsky R., Sahai A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009). https://doi.org/10.1137/080725398.


  34. Jaulmes É., Joux A.: Cryptanalysis of PKP: A new approach. In: Kim K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 165–172. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_12.

  35. Kales D., Zaverucha G.: An attack on some signature schemes constructed from five-pass identification schemes. In: Krenn S., Shulman H., Vaudenay S. (eds.) CANS 20. LNCS, vol. 12579, pp. 3–22. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-65411-5_1.

  36. Katz J., Kolesnikov V., Wang X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Lie D., Mannan M., Backes M., Wang X. (eds.) ACM CCS 2018. pp. 525–537. ACM Press (2018). https://doi.org/10.1145/3243734.3243805.

  37. Koussa E., Macario-Rat G., Patarin J.: On the complexity of the permuted kernel problem. Cryptology ePrint Archive, Report 2019/412 (2019), https://eprint.iacr.org/2019/412.

  38. Lampe R., Patarin J.: Analysis of some natural variants of the PKP algorithm. Cryptology ePrint Archive (2011).

  39. Lyubashevsky V., Ducas L., Kiltz E., Lepoint T., Schwabe P., Seiler G., Stehlé D., Bai S.: CRYSTALS-DILITHIUM. Tech. rep., National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022.

  40. NIST: Post-quantum cryptography standardization (2017). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf.

  41. NIST: Call for additional digital signature schemes for the post-quantum cryptography standardization process (2022). https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/call-for-proposals-dig-sig-sept-2022.pdf.

  42. Overbeck R., Sendrier N.: Code-based cryptography, pp. 95–145. Springer, Berlin (2009). https://doi.org/10.1007/978-3-540-88702-7_4.

  43. Paiva T.B., Terada R.: Cryptanalysis of the binary permuted kernel problem. In: Sako K., Tippenhauer N.O. (eds.) ACNS 21, Part II. LNCS, vol. 12727, pp. 396–423. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-78375-4_16.

  44. Patarin J., Chauvaud P.: Improved algorithms for the permuted kernel problem. In: Stinson D.R. (ed.) CRYPTO’93. LNCS, vol. 773, pp. 391–402. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_33.

  45. Peikert C.: A decade of lattice cryptography. Cryptology ePrint Archive, Report 2015/939 (2015). https://eprint.iacr.org/2015/939.

  46. Prange E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962).


  47. Prest T., Fouque P.A., Hoffstein J., Kirchner P., Lyubashevsky V., Pornin T., Ricosset T., Seiler G., Whyte W., Zhang Z.: FALCON. Tech. rep., National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022.

  48. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (2009). https://doi.org/10.1145/1568318.1568324.


  49. Santini P., Baldi M., Chiaraluce F.: Computational hardness of the permuted kernel and subcode equivalence problems. Cryptology ePrint Archive, Report 2022/1749 (2022), https://eprint.iacr.org/2022/1749.

  50. Shamir A.: An efficient identification scheme based on permuted kernels (extended abstract) (rump session). In: Brassard G. (ed.) CRYPTO’89. LNCS, vol. 435, pp. 606–609. Springer, Heidelberg (1990). https://doi.org/10.1007/0-387-34805-0_54.

  51. Shor P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: 35th FOCS. pp. 124–134. IEEE Computer Society Press (1994). https://doi.org/10.1109/SFCS.1994.365700.

  52. Wang W.: Shorter signatures from MQ. Cryptology ePrint Archive, Report 2022/344 (2022). https://eprint.iacr.org/2022/344.


Acknowledgements

We would like to express our sincere gratitude to Alessandro Budroni, Victor Mateu and Lucas Perin for fruitful discussions and their contribution to the implementation of the scheme.

Corresponding author

Correspondence to Loïc Bidoux.

Ethics declarations

Conflict of interest

All authors of this paper are involved in the PERK submission to the NIST post-quantum additional call for digital signatures. The extended list of contributors to the PERK submission is available for consultation at https://pqc-perk.org/. There are no other competing interests to declare.

Additional information

Communicated by K. Matsuura.

Supported by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation)—Project-ID MA 2536/12.

Supplementary Information

Supplementary file 1 (pdf 310 KB)

About this article

Cite this article

Bettaieb, S., Bidoux, L., Dyseryn, V. et al. PERK: compact signature scheme based on a new variant of the permuted kernel problem. Des. Codes Cryptogr. (2024). https://doi.org/10.1007/s10623-024-01381-2
