A Zero-Knowledge Proof of Knowledge for Subgroup Distance Problem
Abstract
In this study, we introduce a novel zero-knowledge identification scheme based on the hardness of the subgroup distance problem in the Hamming metric. The proposed protocol, named Subgroup Distance Zero Knowledge Proof (SDZKP), employs a cryptographically secure pseudorandom number generator to mask secrets and utilizes a Stern-type algorithm to ensure robust security properties.
Index Terms:
Zero-knowledge proofs, Subgroup Distance Problem, Hamming Distance
I Introduction
Zero-knowledge proofs (ZKPs) are cryptographic protocols that enable one party (the prover) to convince another party (the verifier) of the truth of a statement without disclosing any information beyond the fact that the statement is true [9, 7, 6]. Since their inception, ZKPs have become a fundamental tool in cryptographic research and applications, providing a robust method for secure authentication and privacy-preserving computation. Various identification schemes leveraging ZKPs have been proposed, each relying on a different hard mathematical problem for its security. One of the pioneering works in this area is Stern's identification scheme, introduced in 1993, which is based on the hardness of the Syndrome Decoding (SD) problem. Stern's protocol laid the groundwork for code-based cryptographic systems, which are renowned for their resilience to structural attacks and can be turned into post-quantum signature schemes through the Fiat-Shamir transform. Over the years, numerous enhancements and variations of Stern's protocol have been developed, focusing on improving efficiency and reducing the soundness error.
In this study, we introduce a zero-knowledge identification scheme that relies on the Subgroup Distance Problem (SDP) in the Hamming metric, a problem known for its computational hardness in various metrics and its NP-completeness under certain conditions. The proposed protocol, named Subgroup Distance Zero Knowledge Proof (SDZKP), differs from existing schemes by leveraging the SDP, thus providing a fresh approach to zero-knowledge identification. By converting the confidential information held by the prover into integer tuples and employing a Stern-type algorithm, we ensure that our protocol inherits the robustness and security features of code-based systems.
SDZKP differs from other identification schemes in the literature in the mathematical hard problem on which it is based. However, the confidential information held by the prover is converted into an integer tuple and a Stern-type algorithm is executed in SDZKP; for this reason, we place our study alongside the code-based protocols. The SDZKP protocol is designed to be both secure and efficient, using a cryptographically secure pseudorandom number generator (CSPRNG) to mask secrets. The protocol follows a three-step challenge-response structure, ensuring that the prover can convince the verifier of its knowledge of a secret without revealing any information about it. Our security analysis shows that SDZKP achieves perfect completeness, 3-special-soundness and statistical zero-knowledge, providing strong guarantees against potential attacks.
In 1993, Stern introduced a code-based identification scheme based on the hardness of the Syndrome Decoding (SD) problem [11]. His work became foundational for code-based cryptography. One major feature that makes Stern's scheme attractive is its robustness against structural attacks; in other words, possible attacks apply only to the underlying hard problem. Using the Fiat-Shamir transform, Stern's protocol can be converted into a post-quantum signature scheme. Various studies have been published on improving the efficiency and security of Stern's protocol; these are known as Stern-type protocols. The first improvement was given by Véron [12], who used the General Syndrome Decoding problem and reduced the number of rounds required. Both protocols have soundness error. In 2011, Cayrel et al. [4] and Aguilar et al. [1] reduced the soundness error of the Stern and Véron protocols, respectively, to by using -round protocols. In 2022, Bidoux et al. [2] introduced an adaptation of the protocol of Aguilar, Gaborit and Schrek (AGS) [1] to the quasi-cyclic SD problem. Also, in [5] a zero-knowledge protocol achieving soundness error for arbitrarily chosen is presented, under the constraint that the verifier trusts some of the variables sent by the prover.
This paper is organized as follows: Section II covers the necessary preliminaries, including basic cryptographic definitions and an overview of the Subgroup Distance Problem. In Section III, we present the detailed design of the SDZKP protocol. Section IV provides a comprehensive security analysis. Finally, we conclude the paper highlighting the contributions and potential future directions for research.
II Preliminaries
For any positive integer the set is denoted by The group of permutations on the set is denoted by For a finite set denotes that is taken uniformly at random from The term “probabilistic polynomial time” is abbreviated by PPT. On inputs respectively, the transcript of two parties and is denoted by and an execution between and giving output is denoted by As the subgroup distance problem is defined on the symmetric group the security parameter of the given scheme is
II-A Subgroup Distance Problem (SDP)
Given a metric on the symmetric group , the distance of a permutation to a subgroup is defined as
Definition II.1
(Subgroup Distance Problem (SDP)) Given a set of elements from and an integer , decide whether the distance between and the subgroup is at most
We would like to draw the reader's attention to the similarity between SDP and the closest vector problem (CVP) on integer lattices, which is considered one of the hard problems underlying post-quantum cryptographic protocols. Roughly speaking, in both problems one is asked to decide (or search for) the existence of an element of a given subset that is close enough to a given fixed element.
The computational complexity of SDP has been analyzed for various metrics. In 2006, Pinch showed that SDP is NP-complete with respect to the Cayley distance [10]. Subsequently, in 2009, Buchheim et al. extended this result to other metrics such as the Hamming, Kendall's tau, , Lee and Ulam distances. Moreover, even when the subgroup is restricted to be an Abelian group of exponent two, the problem remains NP-complete for all of these metrics.
The Hamming distance of two given permutations in is defined as the number of positions at which the entries of and differ:
II-B Basic Cryptographic Definitions
Definition II.2
A function is called a negligible function if for every natural number there exists a bound such that for all
If the probability of an event occurring is for some negligible function , we say that the event occurs with overwhelming probability.
Definition II.3
For security parameter two distribution ensembles are said to be computationally indistinguishable if for any PPT algorithm the value of the difference
is a negligible function.
If the condition is true even if is allowed to be unbounded, then these distributions are said to be statistically indistinguishable.
Next we define commitment schemes, which are building blocks frequently used in ZKP design. A commitment scheme should satisfy three basic properties: correctness, binding and hiding. We give the definitions of these properties right after the definition of commitment schemes.
Definition II.4
A commitment scheme is a triple of polynomial-time algorithms satisfying the correctness, binding and hiding properties. The components of are described below:
- : On input , it outputs public parameters determining the message, randomness, commitment and opening spaces. Notation:
- : On input and a message it outputs a commitment-opening pair, formally represented as
- : On input the sequence it outputs a bit . The case means that is a valid commitment to and accepts; in the case the opening is invalid and rejects it. Formally, we represent as
Commitment algorithms usually also take some randomness as input; this is left implicit in the definitions above.
Definition II.5
A commitment scheme satisfies the following properties:
- Correctness if
- Computationally (resp. statistically) binding if there exists a negligible function such that for every PPT (resp. unbounded) algorithm the following inequality holds:
- Computationally (resp. statistically) hiding if for any two messages and the distributions and are computationally (resp. statistically) indistinguishable.
Next we define interactive protocols and zero-knowledge proofs of knowledge. Informally, a zero-knowledge proof of knowledge is a two-party protocol between a prover and a verifier in which convinces that it knows a certain secret without revealing any information about that secret. Let us put this in more symbolic language.
Let be an NP-relation and let be the language corresponding to , that is, In a zero-knowledge proof of knowledge protocol, for a common input , the prover convinces that it knows a witness such that
Definition II.6 (Zero-knowledge proof of knowledge (ZKPoK))
A zero-knowledge proof of knowledge protocol for a language with respect to a relation is a protocol between a pair of interactive machines and , named prover and verifier, where is computationally unbounded and is probabilistic polynomial-time. It must satisfy the following conditions:
- Completeness: For every , the verifier always accepts after interacting with a prover holding a witness
- Proof of knowledge (with error ): For every possibly cheating -time PPT prover with there exists a PPT algorithm (with running time polynomial in and ) such that, given rewindable black-box access to on input , the algorithm outputs a such that with success probability at least . Here is called the knowledge extractor.
- Zero knowledge: For every possibly cheating PPT verifier there exists a PPT algorithm , called the simulator, such that on input it outputs a transcript that is indistinguishable from . The zero-knowledge property is called computational, statistical or perfect zero knowledge depending on whether the two distributions are computationally indistinguishable, statistically indistinguishable or identical, respectively.
If in the above definition is restricted to be a PPT algorithm, the protocol is referred to as an "argument" instead of a "proof", i.e. we obtain a zero-knowledge argument of knowledge (ZKAoK). A zero-knowledge proof (or argument) of knowledge is called honest-verifier zero-knowledge if the existence of a PPT simulator whose output is indistinguishable from is guaranteed only for the honest verifier
A stronger notion of knowledge soundness is (two-)special-soundness. Here we give the definition of special-soundness in a more generic form. Consider -move protocols in which each round starts with the prover's move. The moves are called commitment, challenge and response, respectively. In the sequel, transcripts are denoted by
Definition II.7
A -round protocol is said to have the -special-soundness property if there exists a PPT algorithm such that, given any distinct accepted transcripts with the same commitment, say , the algorithm outputs a valid witness .
Under the assumption that for some polynomial , -special-soundness implies knowledge soundness by a generic reduction, with knowledge error , where is the cardinality of the challenge space [8].
Definition II.8
A sigma () protocol is a -round honest-verifier zero-knowledge proof of knowledge protocol satisfying -special-soundness.
III Subgroup Distance Zero Knowledge Proof (SDZKP)
In this section, we present Subgroup Distance Zero Knowledge Proof (SDZKP) in steps and illustrate it in Figure 1.
III-A Setup
In this section, under the assumption that the subgroup distance problem in Hamming metric is hard for parameters and the subgroup determined by the generators we introduce a zero knowledge identification scheme.
The integers and a set of elements of the symmetric group are assumed to be publicly known. The prover claims that it knows an element such that
III-B Protocol Design
Employing subgroup distance problem we design a black-box statistical zero knowledge proof of knowledge protocol that we refer to as Subgroup Distance Zero Knowledge Proof (SDZKP). In this protocol, a cryptographically secure pseudorandom number generator (CSPRNG) is used for masking secrets.
Step 1: The prover selects an element and a seed integer uniformly at random. It generates length- integer tuples and whose th entries are and , respectively. Finally, it queries a random masking tuple , evaluates and sends the commitments , . Here addition and are component-wise addition of tuples.
Step 2: The verifier generates a random challenge and sends it to the prover.
Step 3: Depending on the challenge, the prover generates and sends a response as follows:
- If , where
- If , where
- If ,
Step 4: This is the verification step. If all checks pass, the verifier accepts; otherwise, it rejects.
- For , the verifier first checks the validity of the commitments . Then, using the seed , it obtains the tuple . It evaluates the tuple and checks whether the corresponding permutation is in .
- For , the verifier first checks the validity of the commitments and . Then it obtains , computes , reconstructs the permutation and evaluates . Then it checks whether .
- For , the verifier checks the commitments . Finally, it evaluates the tuple and checks whether the number of non-zero entries in is less than .
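The four steps above, together with the knowledge extractor used in the soundness proof of Section IV, as one runnable round in Python. This is an added example and not the paper's code: since the page's formulas are missing, the concrete choices are assumptions. The prover masks the secret with a uniformly random element of the subgroup (left multiplication) and a uniformly random position shuffle (right multiplication), both of which preserve the Hamming distance to ; the CSPRNG is stood in for by SHA-256 in counter mode, which derives one value-relabelling per position from the seed so that the challenge-2 response reveals only how many (shuffled) positions differ; commitments are SHA-256 over 32 random bytes and the message. The toy instance (a dihedral subgroup of , distance bound 3) and all function names are invented for the demo.

```python
"""Stern-type three-pass round for the subgroup distance relation (toy parameters).
Added example, not the paper's code: masking and commitment details are assumptions."""
import hashlib
import random

N, K = 7, 3   # degree of S_N and the distance bound (toy values, assumptions)

def compose(a, b):           # (a o b)(i) = a[b[i]]; a permutation is a tuple on 0..N-1
    return tuple(a[i] for i in b)

def inverse(a):              # inverse[a[i]] = i
    return tuple(sorted(range(N), key=a.__getitem__))

def is_perm(t):
    return len(t) == N and sorted(t) == list(range(N))

def hamming(a, b):           # Hamming distance on S_N: positions whose images differ
    return sum(x != y for x, y in zip(a, b))

def closure(gens):           # every element of <gens> by BFS (toy sizes only)
    seen, frontier = {tuple(range(N))}, [tuple(range(N))]
    while frontier:
        frontier = [q for p in frontier for s in gens if (q := compose(s, p)) not in seen]
        seen.update(frontier)
    return seen

def commit(msg, rnd):        # hash commitment: 32 random bytes give hiding, SHA-256 gives binding
    return hashlib.sha256(rnd + msg).digest()

def prg_masks(seed):         # CSPRNG stand-in: SHA-256 in counter mode drives a Fisher-Yates
    masks, ctr = [], 0       # shuffle, giving one value-permutation of Z_N per position
    for _ in range(N):
        perm = list(range(N))
        for j in range(N - 1, 0, -1):
            ctr += 1
            word = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
            r = int.from_bytes(word, "big") % (j + 1)
            perm[j], perm[r] = perm[r], perm[j]
        masks.append(tuple(perm))
    return masks

def mask(masks, t):          # relabel position i of t with its own permutation
    return tuple(masks[i][t[i]] for i in range(N))

def prover_commit(g, H, sigma, rng):
    h = rng.choice(sorted(H))                     # uniform element of H (group mask)
    rho = tuple(rng.sample(range(N), N))          # uniform position shuffle
    seed = rng.randbytes(32)
    u = compose(compose(h, g), rho)               # h o g o rho
    v = compose(compose(h, sigma), rho)           # h o sigma o rho
    m = prg_masks(seed)
    a, b = mask(m, u), mask(m, v)                 # same mask: a and b differ exactly where u and v do
    r = [rng.randbytes(32) for _ in range(3)]
    coms = (commit(seed + bytes(rho), r[0]), commit(bytes(a), r[1]), commit(bytes(b), r[2]))
    return coms, dict(seed=seed, rho=rho, h=h, u=u, a=a, b=b, r=r)

def prover_respond(st, ch):  # reveal exactly the openings the verifier needs for this challenge
    return [(st["seed"], st["rho"], st["r"][0], st["u"], st["r"][1]),
            (st["seed"], st["rho"], st["r"][0], st["h"], st["r"][2]),
            (st["a"], st["r"][1], st["b"], st["r"][2])][ch]

def verify(H, sigma, coms, ch, resp):
    c0, c1, c2 = coms
    if ch == 0:              # open c0, c1; the un-shuffled h o g must lie in H (g itself stays hidden)
        seed, rho, r0, u, r1 = resp
        return (is_perm(rho) and is_perm(u) and commit(seed + bytes(rho), r0) == c0
                and commit(bytes(mask(prg_masks(seed), u)), r1) == c1
                and compose(u, inverse(rho)) in H)
    if ch == 1:              # open c0, c2; rebuild h o sigma o rho from the revealed h, which must be in H
        seed, rho, r0, h, r2 = resp
        return (is_perm(rho) and h in H and commit(seed + bytes(rho), r0) == c0
                and commit(bytes(mask(prg_masks(seed), compose(compose(h, sigma), rho))), r2) == c2)
    a, r1, b, r2 = resp      # open c1, c2; the masked tuples may differ in at most K positions
    return commit(bytes(a), r1) == c1 and commit(bytes(b), r2) == c2 and hamming(a, b) <= K

def extract(resp0, resp1):   # Section IV extractor: ch-0 and ch-1 transcripts on one commitment
    _, rho, _, u, _ = resp0
    h = resp1[3]
    return compose(inverse(h), compose(u, inverse(rho)))   # h^-1 (h g rho) rho^-1 = g

def toy_instance(rng):       # H = dihedral group D_7 in S_7, generated by a rotation and a reflection
    H = closure([tuple((i + 1) % N for i in range(N)), tuple((-i) % N for i in range(N))])
    g = rng.choice(sorted(H))
    tau = (1, 2, 0) + tuple(range(3, N))          # 3-cycle, so sigma = g o tau has d(g, sigma) = 3 = K
    return H, compose(g, tau), g

def demo(seed=1):
    rng = random.Random(seed)                     # deterministic here; use random.SystemRandom in practice
    H, sigma, g = toy_instance(rng)
    coms, st = prover_commit(g, H, sigma, rng)
    resps = [prover_respond(st, ch) for ch in range(3)]   # rewinding view: one commitment, three challenges
    bad_h = (1, 0) + tuple(range(2, N))           # a transposition, which is not an element of D_7
    return {
        "accepts": [verify(H, sigma, coms, ch, resps[ch]) for ch in range(3)],
        "extracted_ok": extract(resps[0], resps[1]) == g,
        "distance": hamming(g, sigma),
        "forged_h_rejected": not verify(H, sigma, coms, 1, resps[1][:3] + (bad_h, resps[1][4])),
    }
```

Challenge 0 reveals only (uniform in ) and the shuffle; challenge 1 reveals only ; challenge 2 reveals two masked tuples that agree outside exactly shuffled positions. Running all three challenges against a single commitment, as `demo` does, is precisely the rewinding view the extractor needs, and it recovers . With toy group sizes membership in is a set lookup over the BFS closure; a real instance needs a proper membership test for (for example Schreier-Sims, an assumption not taken from the page) and a degree large enough for the subgroup distance instance to be hard.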
IV Security Analysis
In this section, we will prove that the given protocol is a zero-knowledge proof system.
Theorem IV.1
Protocol SDZKP is a black-box statistical zero knowledge proof of knowledge protocol with knowledge soundness error
Proof IV.1
We will show completeness, -special-soundness and statistical zero knowledge properties.
- Perfect completeness: If a prover P having knowledge of an element with follows the steps of the protocol, an honest verifier always accepts. It is known that the Hamming metric on permutation groups is left-invariant [3]. Therefore, for any arbitrarily chosen , . Hence the proof of completeness is straightforward.
- 3-special-soundness: We show that, under the assumption that the subgroup distance problem in the Hamming metric is hard for parameters and for the subgroup determined by the generators , and under the assumption that the commitment scheme used is computationally binding, SDZKP is 3-special-sound.
We describe a knowledge extractor that rewinds the protocol with the same randomness and . We assume that gathers three accepted transcripts , , from , where . As there are only three choices for , without loss of generality we assume and . The commitment is verified in the cases and the commitment is verified in the cases . Then and by the binding property of . Similarly, is guaranteed by the validity of . Therefore we write these values as without index numbers. The extractor evaluates and , converts the sequences into the permutations and , and finally outputs .
The validity of the first two transcripts guarantees that and . Then, as is a group, we obtain .
The last accepted transcript shows that the output satisfies the required distance property .
- Zero knowledge: Under the assumption that the commitment scheme used is statistically hiding, we show that the protocol is statistically zero-knowledge by describing a simulator having black-box access to a malicious verifier . The simulator given in Algorithm 1 is built on predicting the challenge value that will be chosen by . Clearly, runs in polynomial time; it is allowed to rewind at most times. To see that generates a transcript statistically indistinguishable from the view of a real interaction, we present an alternative simulator as an intermediate step. The simulator knows the secret and follows the same stages as , i.e., it guesses the challenge value at stage 1 and rewinds at stage 3 under the conditions described for . The difference is that does not define or use a fake value; it evaluates the commitments as described in . Therefore, when makes a correct guess, the distribution of the commitments viewed in and in a real proof is identical. Each attempt succeeds with probability , so outputs with probability at most .
Next we see that and give statistically indistinguishable outputs. Algorithms and execute in exactly the same way except at stage 2, where uses the knowledge of the secret while uses a fake value. Both algorithms give a successful output only when or . In each case the committed values are and . In both algorithms, is a uniformly random seed integer for a known cryptographically secure pseudorandom number generator (CSPRNG), so the distribution of the chosen element and the generated integer string in is the same as the distribution of and obtained in , respectively. In both algorithms, and are random shuffles of the length- integer tuple . Therefore the distributions of the evaluated tuples in and are statistically indistinguishable.
V Conclusion
In this paper, we have introduced a novel zero-knowledge identification scheme based on the Subgroup Distance Problem (SDP) in the Hamming metric, named Subgroup Distance Zero Knowledge Proof (SDZKP). Our protocol leverages the inherent computational hardness of the SDP to ensure robust security properties while maintaining efficiency. By utilizing a cryptographically secure pseudorandom number generator (CSPRNG) and a Stern-type algorithm, the SDZKP protocol achieves perfect completeness, 3-special-soundness, and statistical zero-knowledge proof of knowledge, making it resilient against adversaries.
Through this work, we contribute to the ongoing research in zero-knowledge proofs by presenting a new identification scheme that expands the toolkit available to cryptographers and security practitioners. The use of the Subgroup Distance Problem as the underlying hard problem opens new avenues for designing secure cryptographic protocols.
Future work may explore further optimizations of the SDZKP protocol, as well as its application in various cryptographic settings. Additionally, investigating the integration of SDZKP with other cryptographic primitives and protocols could provide new insights and advancements in the field of secure authentication and privacy-preserving computations.
Acknowledgement
This work is partially supported by the NLnet foundation under the MoU number 2021-12-510.
References
- [1] C. Aguilar, P. Gaborit, and J. Schrek, “A new zero-knowledge code based identification scheme with reduced communication,” in 2011 IEEE Information Theory Workshop. IEEE, 2011, pp. 648–652.
- [2] L. Bidoux, P. Gaborit, M. Kulkarni, and N. Sendrier, “Quasi-cyclic Stern proof of knowledge,” in 2022 IEEE International Symposium on Information Theory (ISIT). IEEE, 2022, pp. 1459–1464.
- [3] P. J. Cameron and T. Wu, “The complexity of the weight problem for permutation and matrix groups,” Discrete Mathematics, vol. 310, no. 3, pp. 408–416, 2010.
- [4] P.-L. Cayrel, P. Véron, and S. M. El Yousfi Alaoui, “A zero-knowledge identification scheme based on the q-ary syndrome decoding problem,” in International Workshop on Selected Areas in Cryptography. Springer, 2010, pp. 171–186.
- [5] T. Feneuil, A. Joux, and M. Rivain, “Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature,” Designs, Codes and Cryptography, vol. 91, no. 2, pp. 563–608, 2023.
- [6] O. Goldreich, “Zero-knowledge twenty years after its invention.” IACR Cryptol. ePrint Arch., vol. 2002, p. 186, 2002.
- [7] O. Goldreich, S. Micali, and A. Wigderson, “Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems,” Journal of the ACM (JACM), vol. 38, no. 3, pp. 690–728, 1991.
- [8] C. Hazay and Y. Lindell, Efficient secure two-party protocols: Techniques and constructions. Springer Science & Business Media, 2010.
- [9] A. Mohr, “A survey of zero-knowledge proofs with applications to cryptography,” Southern Illinois University, Carbondale, pp. 1–12, 2007.
- [10] R. Pinch, “The distance of a permutation from a subgroup of S_n,” in Combinatorics and Probability (G. Brightwell, I. Leader, A. Scott, and A. Thomason, eds.), 2007.
- [11] J. Stern, “A new identification scheme based on syndrome decoding,” in Annual International Cryptology Conference. Springer, 1993, pp. 13–21.
- [12] P. Véron, “Improved identification schemes based on error-correcting codes,” Applicable Algebra in Engineering, Communication and Computing, vol. 8, pp. 57–69, 1997.