Article Open Access

Smaller public keys for MinRank-based schemes

Antonio J. Di Scala and Carlo Sanna
Published/Copyright: April 14, 2025

Abstract

MinRank is an NP-complete problem in linear algebra whose characteristics make it attractive to build post-quantum cryptographic primitives. Several MinRank-based digital signature schemes have been proposed. In particular, two of them, MIRA and MiRitH, have been submitted to the NIST post-quantum cryptography standardization process. In this article, we propose a key-generation algorithm for MinRank-based schemes that reduces the size of the public key to about 50% of the size of the public key generated by the previous best (in terms of public-key size) algorithm. Precisely, the size of the public key generated by our algorithm sits in the range of 328–676 bits for security levels of 128–256 bits. We also prove that our algorithm is as secure as the previous ones.

MSC 2010: 11T71; 15A99; 94A60; 94A62

1 Introduction

MinRank is a problem in linear algebra that was first introduced by Buss et al. [1]. Roughly speaking, given $k+1$ matrices $M_0, \ldots, M_k$ of size $m \times n$ over a finite field $\mathbb{F}_q$, the decisional version of MinRank asks to determine whether there exists a non-trivial linear combination of $M_0, \ldots, M_k$ whose rank does not exceed a fixed parameter $r$. The search version of MinRank, which is the one we focus on hereafter, asks to find such a linear combination.

For several reasons, MinRank is an attractive candidate to build post-quantum cryptographic primitives. First, MinRank is completely based on simple linear algebra operations, which can be implemented easily and efficiently. Second, the hardness of MinRank is supported by a long line of research: MinRank is an NP-complete problem [1] and, due to its relevance in cryptanalysis [2–4], algorithms for solving it have been extensively studied, to the extent that random instances of MinRank are expected to be hard [5–12]. Finally, there are no known quantum algorithms to solve MinRank that go beyond straightforward applications of quantum search.

Several digital signature schemes based on MinRank have been proposed, namely: a scheme due to Courtois (2001) [13], MR-DSS (2022) [14], MIRA (2023) [15] (see also [16]), and MiRitH (2023) [17] (see also [18]). In particular, MIRA and MiRitH have been submitted to the NIST post-quantum cryptography standardization process.

In all these schemes, the public key is a random instance of MinRank, the secret key is the solution of such an instance, and the signing and verification algorithms together form a non-interactive zero-knowledge proof of knowledge of the solution. While the secret key can be easily compressed as a seed of $\lambda$ bits, where $\lambda$ is the security parameter, compressing the public key is less obvious.

Courtois [13, Section 5.1] proposed an algorithm, which we call KeyGen1, that compresses the public key into $\lambda + mn \log q$ bits, where $\log$ is the logarithm in base 2. This method was improved in MR-DSS [14, Section 4.4] by reducing the compressed public key to $\lambda + (mn - k)\log q$ bits. This improvement, which we call KeyGen2, is employed by MIRA [15, Section 2.4.1], while MiRitH uses KeyGen1 [17, Section 3.2].

We propose a new key-generation algorithm for MinRank-based schemes, which we call KeyGen3, with a compressed public key of $\lambda + (m(n-r) - k)\log q$ bits. (Note that $k < m(n-r)$. In fact, all parameter sets satisfy the stronger inequality $k < (m-r)(n-r)$, in order to make the MinRank problem overdetermined; see Section 2.2.)

Table 1 provides a comparison of the sizes of the public keys of the three key-generation algorithms, for the parameter sets proposed for MiRitH [17, Table 1]. As can be seen, the public-key size of KeyGen3 is about 50% of that of KeyGen2 and sits in the range of 328–676 bits for security levels of 128–256 bits.

Table 1: Comparison of the sizes of the public keys (in bits), for the parameter sets proposed for MiRitH [17, Table 1]

| λ | q | m | n | k | r | KeyGen1 | KeyGen2 | KeyGen3 |
|-----|----|----|----|-----|---|-------|-------|-----|
| 128 | 16 | 15 | 15 | 78  | 6 | 1,028 | 716   | 356 |
| 128 | 16 | 16 | 16 | 142 | 4 | 1,152 | 584   | 328 |
| 192 | 16 | 19 | 19 | 109 | 8 | 1,636 | 1,200 | 592 |
| 192 | 16 | 19 | 19 | 167 | 6 | 1,636 | 968   | 512 |
| 256 | 16 | 21 | 21 | 189 | 7 | 2,020 | 1,264 | 676 |
| 256 | 16 | 22 | 22 | 254 | 6 | 2,192 | 1,176 | 648 |
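The following Python script is an added check, not code from the paper: it recomputes the three public-key sizes of every row of Table 1 from the formulas stated above, and evaluates the bound of Lemma 3 on the probability that $E^R$ is rank-deficient (quoted in Section 3.1 as below $2^{-38.9}$) together with the security-loss figure given after Theorem 1. The function names and the `TABLE1` constant are this example's own.

```python
"""Recompute Table 1 and the probability bounds quoted in the text.
Added example: function names and the TABLE1 constant are this example's own."""
from math import log2, prod


def tau(x):
    """tau(x) = min(0.72, 2.1 x), as defined before Theorem 1."""
    return min(0.72, 2.1 * x)


def pk_sizes(lam, q, m, n, k, r):
    """Compressed public-key sizes in bits for KeyGen1, KeyGen2 and KeyGen3."""
    lq = log2(q)
    return (int(lam + m * n * lq),               # KeyGen1: lambda + mn log q
            int(lam + (m * n - k) * lq),         # KeyGen2: lambda + (mn - k) log q
            int(lam + (m * (n - r) - k) * lq))   # KeyGen3: lambda + (m(n-r) - k) log q


def full_rank_prob(q, s, t):
    """Exact probability that a uniform s x t matrix over F_q has rank min(s, t),
    from Lemma 2 (after transposing so that s >= t)."""
    s, t = max(s, t), min(s, t)
    return prod(1 - q ** (i - s) for i in range(t))


def lemma3_bound(q, s, t):
    """Lower bound 1 - tau(q^(-|s-t|-1)) of Lemma 3 on the same probability."""
    return 1 - tau(q ** (-abs(s - t) - 1))


# Rows of Table 1: (lambda, q, m, n, k, r) and the KeyGen1/2/3 sizes printed there.
TABLE1 = [
    ((128, 16, 15, 15, 78, 6), (1028, 716, 356)),
    ((128, 16, 16, 16, 142, 4), (1152, 584, 328)),
    ((192, 16, 19, 19, 109, 8), (1636, 1200, 592)),
    ((192, 16, 19, 19, 167, 6), (1636, 968, 512)),
    ((256, 16, 21, 21, 189, 7), (2020, 1264, 676)),
    ((256, 16, 22, 22, 254, 6), (2192, 1176, 648)),
]


def table1_matches():
    """True if every row of Table 1 is reproduced by the size formulas."""
    return all(pk_sizes(*params) == sizes for params, sizes in TABLE1)


def worst_rank_deficiency_bound():
    """Largest bound over Table 1 on Pr[rank(E^R) < r] for E^R uniform in F_q^{m x r}:
    by Lemma 3 this is tau(q^(-(m-r+1))); Section 3.1 states it is below 2^-38.9."""
    return max(tau(q ** (-(m - r + 1))) for (_, q, m, _, _, r), _ in TABLE1)


def security_loss_bits(q=16):
    """Bits of security KeyGen3 gives up relative to KeyGen1 by Theorem 1:
    -log2((1 - tau(1/q))^4), which the text bounds by log2(1/0.56) ~ 0.836."""
    return -log2((1 - tau(1 / q)) ** 4)


if __name__ == "__main__":
    print(table1_matches(), worst_rank_deficiency_bound(), security_loss_bits())
```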

The next theorem reduces the security of KeyGen3 to that of KeyGen1. For every $x > 0$, let $\tau(x) := \min(0.72, 2.1x)$.

Theorem 1

Assume that $k < m(n-r)$ and $n > 2r$ (which are satisfied in practice, see Table 1), and that no attacker has a non-negligible advantage against the pseudorandom generators employed by KeyGen1 and KeyGen3. Let $A_3$ be an attacker that, given a random public key generated by KeyGen3, can retrieve in time $t_3$ the corresponding secret key with probability $p_3$. Then, there exists an attacker $A_1$ that, given a random public key generated by KeyGen1, can retrieve in time $t_1$ the corresponding secret key with probability $p_1$, where

$t_1 \le t_3 + \mathrm{poly}(q, m, n, k)$ and $p_1 > (1 - \tau(q^{-1}))^4\, p_3$.

Note that if we take $q = 16$ as in Table 1, then $(1 - \tau(q^{-1}))^4 > 0.56$. Roughly speaking, Theorem 1 says that the set of keys generated by KeyGen3 is equivalent (via an efficient transformation) to a large subset of the keys generated by KeyGen1, where, for $q = 16$, "large" means more than 56% of the total. Since the MinRank problem is supposed to be hard to solve on average, it remains hard to solve on average when restricted to a large subset of all the possible instances. More precisely, KeyGen3 has a security loss of less than $\log_2(1/0.56) \approx 0.836$ bits compared to KeyGen1.

The structure of the article is as follows: First, in Section 2, we provide the necessary notation (Section 2.1), the formal definition of the MinRank problem (Section 2.2), and we recall the key-generation algorithm KeyGen1 of Courtois (Section 2.3). Second, in Section 3, we describe our new key-generation algorithm KeyGen3. To simplify the exposition, we show first a partial (less efficient) version of the algorithm (Section 3.1), and then, after recalling a canonical form for MinRank instances (Section 3.2), we show the complete algorithm (Section 3.3). Finally, in Section 4, we prove Theorem 1.

2 Preliminaries

2.1 Notation

Let $\mathbb{F}_q$ be a finite field of $q$ elements. For all positive integers $m$, $n$, and $r \le \min(m, n)$, let $\mathbb{F}_q^{m \times n}$ be the vector space of $m \times n$ matrices over $\mathbb{F}_q$, and let $\mathbb{F}_q^{m \times n, r}$ be the set of $m \times n$ matrices over $\mathbb{F}_q$ having rank equal to $r$. For every $A \in \mathbb{F}_q^{m \times n}$, let $A^{\top} \in \mathbb{F}_q^{n \times m}$ be the transpose of $A$. Moreover, let $A^L \in \mathbb{F}_q^{m \times (n-r)}$, respectively $A^R \in \mathbb{F}_q^{m \times r}$, denote the matrix consisting of the first $n - r$, respectively the last $r$, columns of $A$, so that $A = (A^L \mid A^R)$. Note that $r$ is omitted in the notation $A^L$ and $A^R$, but it will always be clear from the context. Let $\langle A \rangle \in \mathbb{F}_q^{1 \times mn}$ denote the row vector consisting of the entries of $A$ in column-major order, that is, the entries of $\langle A \rangle$ are, in order, the entries of the first column of $A$, followed by the entries of the second column of $A$, etc. Let $\langle A \rangle_i$ be the $i$th entry of $\langle A \rangle$. Let $I_s$, or just $I$ when the dimension is clear from the context, be the identity matrix of $\mathbb{F}_q^{s \times s}$. With a slight abuse of notation, let $0$ denote the zero matrix of $\mathbb{F}_q^{s \times t}$, the dimension $s \times t$ being always clear from the context. Finally, let $\delta_{i,j}$ be the Kronecker delta, let $\# S$ be the cardinality of the finite set $S$, and let $|\mathrm{obj}|$ be the size in bits of the object $\mathrm{obj}$.

2.2 MinRank

The search version of MinRank is formally defined as follows.

Definition 1

(MinRank) Let $q, m, n, k, r$ be positive integers, with $q$ a prime power and $m \ge n > r$. Given $k+1$ matrices $M_0, \ldots, M_k \in \mathbb{F}_q^{m \times n}$, the MinRank problem asks to find $\alpha_1, \ldots, \alpha_k \in \mathbb{F}_q$ (if they exist) such that

(1) $E := M_0 + \sum_{i=1}^{k} \alpha_i M_i$

has rank at most $r$.

In MinRank-based schemes, the parameters $q, m, n, k, r$ are selected so that: every known algorithm to find a solution of MinRank with $\mathrm{rank}(E) = r$ requires on average at least $2^{\lambda}$ operations; and random instances of MinRank are expected to have exactly one solution with overwhelming probability. Consequently, the schemes have to construct the solution so that $\mathrm{rank}(E) = r$. Furthermore, to enforce the uniqueness of the solution, it is required that MinRank is overdetermined, that is, $k < (m-r)(n-r)$ [19, p. 33]. For details on the algorithms to solve MinRank, and consequently on the selection of the parameters of MinRank-based schemes, see, for example, the documentation of MiRitH [17, Sections 4 and 5].

2.3 The key-generation algorithm of Courtois

We begin by briefly reviewing the algorithms proposed by Courtois [13, Section 5.1] to generate and decompress the public key and the secret key (Figure 1). It is clear that KeyGen1 in Figure 1 generates a uniformly distributed random instance of MinRank, and that the public key has a size of $|\mathrm{seed}_{\mathrm{pk}}| + |M_0| = \lambda + mn \log q$ bits. The most computationally expensive step (not taking into account the cost of running the PRG) is the generation of $E$, which Courtois suggested computing as $E = SLT$, where $L \in \mathbb{F}_q^{m \times n, r}$ is a fixed matrix and $S \in \mathbb{F}_q^{m \times m}$ and $T \in \mathbb{F}_q^{n \times n}$ are pseudorandom invertible matrices.

Figure 1: The algorithms of Courtois to generate and decompress the keys.

3 New key-generation algorithm

3.1 A first improvement

To simplify the exposition, we provide first a key-generation algorithm with a public key of $\lambda + m(n-r)\log q$ bits.

This algorithm employs the following facts: if $E \in \mathbb{F}_q^{m \times n, r}$ is taken at random with uniform distribution, then $E^R \in \mathbb{F}_q^{m \times r, r}$ with significant probability (Lemma 6); and, in such a case, there exists a unique matrix $K \in \mathbb{F}_q^{r \times (n-r)}$ such that $E^L = E^R K$ (Lemma 5). Then, assuming that $E^L = E^R K$, it follows from (1) that

(2) $M_0^L = E^R K - \sum_{i=1}^{k} \alpha_i M_i^L$.

Hence, we can generate pseudorandom $M_0^R, M_1, \ldots, M_k$, and $K$, compute

(3) $E^R = M_0^R + \sum_{i=1}^{k} \alpha_i M_i^R$

and $M_0^L$ via (2), and finally pack $M_0^L$ into the public key (see Figure 2 for the details). In this way, the size in bits of the public key is equal to

$|\mathrm{seed}_{\mathrm{pk}}| + |M_0^L| = \lambda + m(n-r)\log q$.

Note that we cannot be sure that the matrix $E^R$ computed by (3) has full rank (which, by $E^L = E^R K$, is equivalent to $\mathrm{rank}(E) = r$). Therefore, we have to test whether $\mathrm{rank}(E^R) < r$ (step 5 of KeyGen in Figure 2). Since $E^R$ is a uniformly distributed random matrix in $\mathbb{F}_q^{m \times r}$, the probability that $E^R$ is not full-rank is very small (less than $2^{-38.9}$ for the parameters in Table 1), see Lemma 3. Hence, the test has to be repeated only a few times before finding a full-rank matrix $E^R$.

Figure 2: First version of the improved key-generation algorithm.

Furthermore, note that checking whether $\mathrm{rank}(E^R) < r$ must be done in a way that prevents timing attacks: either by a constant-time algorithm (see [20] for constant-time Gaussian elimination), or by a non-constant-time algorithm that does not leak information about $E^R$. For instance, one can multiply $E^R$ on the left and on the right by random invertible matrices and then check whether the resulting product has rank less than $r$, so that no information on $E^R$ is leaked through the execution time.

3.2 Canonical form of MinRank instances

In this section, we recall a canonical form of MinRank instances that was first introduced in [14, Section 4.4].

Given a MinRank instance $\mathcal{M} = (M_0, \ldots, M_k) \in (\mathbb{F}_q^{m \times n})^{k+1}$, let $L \in \mathbb{F}_q^{(k+1) \times mn}$ be the matrix whose rows are $\langle M_1 \rangle, \ldots, \langle M_k \rangle$ and $\langle M_0 \rangle$, in this order. Furthermore, write

$L = \begin{pmatrix} L_1 & L_2 \\ \ell_1 & \ell_2 \end{pmatrix}$,

where $L_1 \in \mathbb{F}_q^{k \times k}$, $L_2 \in \mathbb{F}_q^{k \times (mn-k)}$, $\ell_1 \in \mathbb{F}_q^{1 \times k}$, and $\ell_2 \in \mathbb{F}_q^{1 \times (mn-k)}$.

If $L_1$ is invertible, then we say that $\mathcal{M}$ is reducible to canonical form and that the canonical form of $\mathcal{M}$ is $\mathcal{M}' := (M_0', \ldots, M_k') \in (\mathbb{F}_q^{m \times n})^{k+1}$, where $\langle M_1' \rangle, \ldots, \langle M_k' \rangle$ and $\langle M_0' \rangle$ are the rows, in this order, of the matrix

$L' := \begin{pmatrix} L_1^{-1} & 0 \\ -\ell_1 L_1^{-1} & 1 \end{pmatrix} L = \begin{pmatrix} I_k & L_1^{-1} L_2 \\ 0 & \ell_2 - \ell_1 L_1^{-1} L_2 \end{pmatrix}$.

In particular, we have that $(M_0', \ldots, M_k') \in \mathcal{C}_0 \times \mathcal{C}_1$, where

$\mathcal{C}_0 := \{ N \in \mathbb{F}_q^{m \times n} : \langle N \rangle_i = 0 \text{ for } i \in \{1, \ldots, k\} \}$

and

$\mathcal{C}_1 := \{ (N_1, \ldots, N_k) \in (\mathbb{F}_q^{m \times n})^k : \langle N_i \rangle_j = \delta_{i,j} \text{ for } i, j \in \{1, \ldots, k\} \}$.

In general, we say that MinRank instances belonging to $\mathcal{C}_0 \times \mathcal{C}_1$ are in canonical form. If $\mathcal{M}$ is reducible to the canonical form $\mathcal{M}'$, then an easy computation shows that (1) is equivalent to

$E = M_0' + \sum_{i=1}^{k} \alpha_i' M_i'$,

where

(4) $(\alpha_1' \cdots \alpha_k') = (\alpha_1 \cdots \alpha_k)\, L_1 + \ell_1$.

Consequently, finding a solution to the instance $\mathcal{M}$ is equivalent to finding a solution to the instance $\mathcal{M}'$.

3.3 The complete algorithm

Now, we can provide the key-generation algorithm with a public key of $\lambda + (m(n-r) - k)\log q$ bits.

The idea is to generate $M_0, \ldots, M_k$ so that they are in canonical form. In this way, the first $k$ entries of $\langle M_0^L \rangle$ are equal to 0, and there is no need to pack them into the public key. Thus, the size of the public key is reduced to $\lambda + (m(n-r) - k)\log q$ bits.

The KeyGen algorithm of Figure 2 can be easily modified to generate $(M_1, \ldots, M_k) \in \mathcal{C}_1$. However, the way in which $M_0^L$ is computed does not guarantee that $M_0, \ldots, M_k$ are in canonical form, i.e., that $M_0 \in \mathcal{C}_0$. To achieve that, we have to choose $\alpha_1, \ldots, \alpha_k$ so that the first $k$ entries of $\langle M_0^L \rangle$ are equal to 0. Since

$M_0^L = \Big( M_0^R + \sum_{j=1}^{k} \alpha_j M_j^R \Big) K - \sum_{j=1}^{k} \alpha_j M_j^L$

and $\langle M_i^L \rangle_j = \delta_{i,j}$ for $i, j \in \{1, \ldots, k\}$ (note that $k < m(n-r)$), this amounts to solving the linear system

(⋆) $\sum_{j=1}^{k} \big( \delta_{i,j} - \langle M_j^R K \rangle_i \big)\, \alpha_j = \langle M_0^R K \rangle_i \quad (i = 1, \ldots, k)$.

We will prove that (⋆) has a unique solution with high probability (Lemma 8). The algorithms for the generation of the keys and their decompression are given in Figure 3.

Figure 3: The proposed key-generation algorithm.

Note that solving (⋆) must be done in constant time, in order to protect the secret $\alpha_1, \ldots, \alpha_k$ from timing attacks. Furthermore, note that this construction requires storing $\mathrm{seed}_{\mathrm{pk}}$ in the secret key (see Remark 1 for a way to avoid that). However, this should not be an issue, since usually whoever has the secret key also has the public key.

Remark 1

One of the referees pointed out that, instead of storing $\mathrm{seed}_{\mathrm{pk}}$ in the secret key, one could derive $\mathrm{seed}_{\mathrm{pk}}$ from $\mathrm{seed}_{\mathrm{sk}}$. For instance, one can set $\mathrm{seed}_{\mathrm{pk}} := \mathrm{Hash}(\mathrm{seed}_{\mathrm{sk}})$, where $\mathrm{Hash}$ is a cryptographically secure hash function.
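The following Python program is an added example, not code from the paper or from the MiRitH implementation: it carries out the key generation of Sections 3.1 and 3.3 end to end, sampling $M_0^R$ and $(M_1, \ldots, M_k) \in \mathcal{C}_1$ from $\mathrm{seed}_{\mathrm{pk}}$ and $K$ from $\mathrm{seed}_{\mathrm{sk}}$, solving (⋆) for $\alpha$, checking $\mathrm{rank}(E^R) = r$, and packing only the entries of $\langle M_0^L \rangle$ after the first $k$; decompression reverses this. It assumes the prime field $\mathbb{F}_{13}$ instead of the paper's $\mathbb{F}_{16}$, toy parameters, and Python's `random.Random(seed)` in place of a PRG; all function names are this example's own.

```python
"""KeyGen3-style MinRank key generation over a small prime field (added example).
Assumptions not from the paper: F_13 instead of F_16, toy parameters, and
random.Random(seed) as the PRG.  Matrices are lists of rows; <A> is the
column-major vectorisation of Section 2.1: entry i of A is A[i % m][i // m]."""
import random

P = 13                    # prime field modulus (assumption; the paper uses q = 16)
M, N, R, K = 6, 6, 2, 5   # toy parameters satisfying k < (m-r)(n-r) and n > 2r

def vec(A):
    """Column-major vectorisation <A>."""
    return [A[i][j] for j in range(len(A[0])) for i in range(len(A))]

def rand_matrix(rng, rows, cols):
    return [[rng.randrange(P) for _ in range(cols)] for _ in range(rows)]

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)] for row in A]

def add_scaled(A, B, c):
    return [[(a + c * b) % P for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]  # A + c*B

def left(A): return [row[:N - R] for row in A]    # A^L: first n-r columns

def right(A): return [row[N - R:] for row in A]   # A^R: last r columns

def eliminate(rows, ncols):
    """Reduced row echelon form over F_p on the first ncols columns -> (rows, rank).
    Not constant time: a real implementation needs the care discussed in Section 3.1."""
    rows, rank = [row[:] for row in rows], 0
    for c in range(ncols):
        piv = next((i for i in range(rank, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][c], P - 2, P)
        rows[rank] = [x * inv % P for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % P for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rows, rank

def solve_mod_p(A, b):
    """Unique solution of A x = b over F_p, or None if A is singular."""
    n = len(A)
    rows, rank = eliminate([A[i] + [b[i]] for i in range(n)], n)
    return [row[n] for row in rows] if rank == n else None

def expand_pk(seed_pk):
    """Derive M_0^R and (M_1, ..., M_k) in canonical form C_1 from seed_pk."""
    rng = random.Random(seed_pk)
    M0R = rand_matrix(rng, M, R)
    Ms = []
    for i in range(K):
        Mi = rand_matrix(rng, M, N)
        for j in range(K):                    # force <M_i>_j = delta_{i,j}
            Mi[j % M][j // M] = 1 if i == j else 0
        Ms.append(Mi)
    return M0R, Ms

def solve_alpha(M0R, Ms, Kmat):
    """Solve the linear system (star) of Section 3.3 for alpha; None if singular."""
    rhs = vec(mat_mul(M0R, Kmat))[:K]                       # <M_0^R K>_i
    cols = [vec(mat_mul(right(Mi), Kmat))[:K] for Mi in Ms]  # <M_j^R K>_i
    A = [[((1 if i == j else 0) - cols[j][i]) % P for j in range(K)] for i in range(K)]
    return solve_mod_p(A, rhs)

def keygen3(seed_pk, seed_sk):
    """Return (pk, sk) with pk = (seed_pk, entries of <M_0^L> after the first k) and
    sk = (seed_sk, seed_pk); seed_sk is re-drawn while (star) is singular or rank(E^R) < r."""
    M0R, Ms = expand_pk(seed_pk)
    while True:
        Kmat = rand_matrix(random.Random(seed_sk), R, N - R)
        alpha = solve_alpha(M0R, Ms, Kmat)
        if alpha is not None:
            ER = M0R
            for a, Mi in zip(alpha, Ms):       # E^R = M_0^R + sum alpha_j M_j^R  (3)
                ER = add_scaled(ER, right(Mi), a)
            if eliminate(ER, R)[1] == R:
                break
        seed_sk += 1
    M0L = mat_mul(ER, Kmat)
    for a, Mi in zip(alpha, Ms):               # M_0^L = E^R K - sum alpha_j M_j^L  (2)
        M0L = add_scaled(M0L, left(Mi), -a)
    packed = vec(M0L)
    assert all(x == 0 for x in packed[:K])     # M_0 lies in C_0 by construction
    return (seed_pk, packed[K:]), (seed_sk, seed_pk)

def decompress(pk, sk):
    """Rebuild (M_0, [M_1, ..., M_k], alpha) from the compressed keys."""
    seed_pk, packed = pk
    M0R, Ms = expand_pk(seed_pk)
    full = [0] * K + packed                    # re-insert the k zeros that were dropped
    M0L = [[full[i + j * M] for j in range(N - R)] for i in range(M)]
    M0 = [l + r for l, r in zip(M0L, M0R)]
    Kmat = rand_matrix(random.Random(sk[0]), R, N - R)
    return M0, Ms, solve_alpha(M0R, Ms, Kmat)

def rank_of_e(M0, Ms, alpha):                  # rank(M_0 + sum alpha_i M_i), must be r
    E = M0
    for a, Mi in zip(alpha, Ms):
        E = add_scaled(E, Mi, a)
    return eliminate(E, N)[1]
```

With these toy parameters the packed public key carries $m(n-r) - k = 19$ field elements instead of the $mn = 36$ of KeyGen1.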

4 Proof of Theorem 1

4.1 Preliminaries

In this section, we collect some preliminary lemmas. We begin with the following inequality.

Lemma 1

We have that

(5) $\prod_{j=s}^{\infty} (1 - q^{-j}) > 1 - \tau(q^{-s})$

for all integers $s \ge 1$.

Proof

Let $P_s(q)$ denote the product in (5). First, suppose that $q^{s+1} \ge 8$. Since the logarithm is concave, we have that $\ln(1-x) \ge -c_0 x$ for all $x_0 \in (0,1)$ and $x \in [0, x_0]$, where

$c_0 = c_0(x_0) := -\dfrac{\ln(1 - x_0)}{x_0} > 0$.

Hence, taking $x_0 = q^{-(s+1)}$, we obtain that

$P_{s+1}(q) \ge \exp\Big( -c_0 \sum_{j=s+1}^{\infty} q^{-j} \Big) = \exp\Big( -c_0\, \dfrac{q^{-(s+1)}}{1 - q^{-1}} \Big) > 1 - c_0\, \dfrac{q^{-(s+1)}}{1 - q^{-1}}$,

where we also used the fact that $\exp(-x) > 1 - x$ for all $x > 0$. Therefore, we obtain that

$P_s(q) > (1 - q^{-s}) \Big( 1 - c_0\, \dfrac{q^{-(s+1)}}{1 - q^{-1}} \Big) > 1 - \Big( 1 + \dfrac{c_0}{q - 1} \Big) q^{-s}$.

Since $c_0(x_0)$ is an increasing function of $x_0$, it follows that $c_0(x_0) \le c_0(1/8) < 1.1$. Hence, we obtain that

$P_s(q) > 1 - (1 + c_0)\, q^{-s} > 1 - 2.1\, q^{-s} = 1 - \tau(q^{-s})$,

since $2.1\, q^{-s} < 0.72$.

Now, suppose that $q^{s+1} < 8$. Then, $q = 2$ and $s = 1$. Moreover, we obtain that

$P_s(q) = (1 - 2^{-1})(1 - 2^{-2})(1 - 2^{-3})\, P_4(2) > (1 - 2^{-1})(1 - 2^{-2})(1 - 2^{-3})(1 - 2.1 \cdot 2^{-4}) > 1 - 0.72 = 1 - \tau(q^{-s})$,

since $2.1\, q^{-s} > 0.72$. The proof is complete.□

The next lemma provides a formula for the number of m × n matrices of rank r over F q .

Lemma 2

We have that

$\# \mathbb{F}_q^{m \times n, r} = \prod_{i=0}^{r-1} \dfrac{(q^m - q^i)(q^n - q^i)}{q^r - q^i}$.

Proof

See, e.g., [21].□

The next three results are well known (more or less in these forms), but we include their proofs for completeness.

Lemma 3

Let $s, t$ be positive integers, and let $A \in \mathbb{F}_q^{s \times t}$ be a random matrix taken with uniform distribution. Then, the probability that $\mathrm{rank}(A) = \min(s, t)$ is greater than $1 - \tau(q^{-|s-t|-1})$.

Proof

Since $\mathrm{rank}(A) = \mathrm{rank}(A^{\top})$, we can assume that $s \ge t$. Hence, the probability that $\mathrm{rank}(A) = \min(s, t)$ is equal to the probability that $A \in \mathbb{F}_q^{s \times t, t}$. In turn, by Lemma 2, such a probability is equal to

$\dfrac{\# \mathbb{F}_q^{s \times t, t}}{\# \mathbb{F}_q^{s \times t}} = \dfrac{\prod_{i=0}^{t-1} (q^s - q^i)}{q^{st}} = \prod_{i=0}^{t-1} (1 - q^{i-s}) > \prod_{j=s-t+1}^{\infty} (1 - q^{-j})$,

and the claim follows from Lemma 1.□

Corollary 1

Let $s$ be a positive integer and let $A \in \mathbb{F}_q^{s \times s}$ be a random matrix taken with uniform probability. Then, the probability that $A$ is invertible is greater than $1 - \tau(q^{-1})$.

Lemma 4

Let $A \in \mathbb{F}_q^{s \times s, s}$ be a random matrix with an arbitrary probability distribution, and let $B \in \mathbb{F}_q^{s \times t}$ (respectively, $C \in \mathbb{F}_q^{t \times s}$) be a uniformly distributed random matrix independent from $A$. Then, the matrix $AB$ (respectively, $CA$) is uniformly distributed in $\mathbb{F}_q^{s \times t}$ (respectively, $\mathbb{F}_q^{t \times s}$) and independent from $A$.

Proof

It suffices to prove the claim for $B$. Then, the claim for $C$ follows by matrix transposition. For each $D \in \mathbb{F}_q^{s \times t}$, we have that

$\Pr[AB = D] = \sum_{A_0 \in \mathbb{F}_q^{s \times s, s}} \Pr[A = A_0]\, \Pr[B = A_0^{-1} D] = \sum_{A_0 \in \mathbb{F}_q^{s \times s, s}} \Pr[A = A_0]\, \dfrac{1}{\# \mathbb{F}_q^{s \times t}} = \dfrac{1}{\# \mathbb{F}_q^{s \times t}}$.

Hence, we obtain that $AB$ is uniformly distributed in $\mathbb{F}_q^{s \times t}$.

For each $E \in \mathbb{F}_q^{s \times s, s}$, we have

$\Pr[AB = D \mid A = E] = \Pr[EB = D] = \Pr[B = E^{-1} D] = \dfrac{1}{\# \mathbb{F}_q^{s \times t}} = \Pr[AB = D]$,

since $B$ and $AB$ are uniformly distributed.□

In what follows, consider the set of all $E \in \mathbb{F}_q^{m \times n, r}$ such that $E^R \in \mathbb{F}_q^{m \times r, r}$.

Lemma 5

Let $E \in \mathbb{F}_q^{m \times n, r}$. Then, $E$ belongs to this set if and only if $E^L = E^R K$ for some $K \in \mathbb{F}_q^{r \times (n-r)}$. In such a case, we have that $K$ is unique.

Proof

First, suppose that $E$ belongs to the set. Then, the columns of $E^R$ generate the column space of $E$. Consequently, the columns of $E^L$ are linear combinations of those of $E^R$, that is, $E^L = E^R K$ for some $K \in \mathbb{F}_q^{r \times (n-r)}$. Moreover, the matrix $K$ is unique, since the columns of $E^R$ are linearly independent. Vice versa, if $E^L = E^R K$ for some $K \in \mathbb{F}_q^{r \times (n-r)}$, then the column space of $E$ is generated by the columns of $E^R$. Since $E$ has rank $r$, it follows that $E^R \in \mathbb{F}_q^{m \times r, r}$, that is, $E$ belongs to the set.□

Lemma 6

Let $E \in \mathbb{F}_q^{m \times n, r}$ be a random matrix taken with uniform distribution. Then, $E^R \in \mathbb{F}_q^{m \times r, r}$ with probability greater than $1 - \tau(q^{-1})$. In such a case, the unique matrix $K \in \mathbb{F}_q^{r \times (n-r)}$ such that $E^L = E^R K$ (Lemma 5) is uniformly distributed in $\mathbb{F}_q^{r \times (n-r)}$.

Proof

By Lemma 5, the map $\Phi$ that sends each $E$ with $E^R \in \mathbb{F}_q^{m \times r, r}$ to $(E^R, K)$, where $K \in \mathbb{F}_q^{r \times (n-r)}$ is the unique matrix such that $E^L = E^R K$, is a bijection onto

$\mathbb{F}_q^{m \times r, r} \times \mathbb{F}_q^{r \times (n-r)}$.

Hence, by Lemma 2, the probability that $E^R \in \mathbb{F}_q^{m \times r, r}$ is equal to

$\dfrac{\# \mathbb{F}_q^{m \times r, r}\; \# \mathbb{F}_q^{r \times (n-r)}}{\# \mathbb{F}_q^{m \times n, r}} = \dfrac{\prod_{i=0}^{r-1} (q^m - q^i)\; q^{r(n-r)}}{\prod_{i=0}^{r-1} (q^m - q^i)(q^n - q^i)(q^r - q^i)^{-1}} = \prod_{i=0}^{r-1} \dfrac{(q^r - q^i)\, q^{n-r}}{q^n - q^i} = \prod_{i=0}^{r-1} \dfrac{1 - q^{i-r}}{1 - q^{i-n}} > \prod_{i=0}^{r-1} (1 - q^{i-r}) > \prod_{j=1}^{\infty} (1 - q^{-j}) > 1 - \tau(q^{-1})$,

where the last inequality follows from Lemma 1.

Furthermore, again since $\Phi$ is a bijection, we obtain that $K$ is uniformly distributed in $\mathbb{F}_q^{r \times (n-r)}$.□

The next lemma regards the probability that a MinRank instance can be reduced to canonical form, and the distributions of its canonical form and the corresponding solution.

Lemma 7

Assume that $M_1, \ldots, M_k \in \mathbb{F}_q^{m \times n}$, $\alpha_1, \ldots, \alpha_k \in \mathbb{F}_q$, and $E \in \mathbb{F}_q^{m \times n, r}$ are independent and uniformly distributed in their respective spaces. Set

$M_0 := E - \sum_{i=1}^{k} \alpha_i M_i$.

Then, $\mathcal{M} = (M_0, \ldots, M_k)$ can be reduced to canonical form with probability greater than $1 - \tau(q^{-1})$. In such a case, letting $\mathcal{M}' = (M_0', \ldots, M_k')$ be the canonical form of $\mathcal{M}$, and letting $\alpha_1', \ldots, \alpha_k'$ be given by (4), we have that $(M_1', \ldots, M_k')$ and $(\alpha_1', \ldots, \alpha_k')$ are independent and uniformly distributed in $\mathcal{C}_1$ and $\mathbb{F}_q^k$, respectively.

Proof

With the notation of Section 3.2, we have that

$\begin{pmatrix} \langle M_1 \rangle \\ \vdots \\ \langle M_k \rangle \end{pmatrix} = (L_1 \mid L_2)$.

Hence, it follows that $L_1 \in \mathbb{F}_q^{k \times k}$ and $L_2 \in \mathbb{F}_q^{k \times (mn-k)}$ are independent and uniformly distributed. Since $\mathcal{M}$ can be reduced to canonical form exactly when the matrix $L_1$ is invertible, it follows from Corollary 1 that the probability that the reduction is possible is greater than $1 - \tau(q^{-1})$. Furthermore, if $L_1$ is invertible, we have that

$\begin{pmatrix} \langle M_1' \rangle \\ \vdots \\ \langle M_k' \rangle \end{pmatrix} = (I_k \mid L_1^{-1} L_2)$,

and the claim about the distribution of $(M_1', \ldots, M_k')$ and $(\alpha_1', \ldots, \alpha_k')$ follows from Lemma 4.□

We conclude with a lemma concerning the invertibility of a certain matrix.

Lemma 8

Let $N_1, \ldots, N_k \in \mathbb{F}_q^{m \times r}$ and $K \in \mathbb{F}_q^{r \times (n-r)}$ be random matrices that are independent and uniformly distributed in their respective spaces. Let $X \in \mathbb{F}_q^{k \times k}$ be the matrix whose entry in the $i$th row and $j$th column is equal to $\langle N_j K \rangle_i$. Then

$\Pr[I - X \in \mathbb{F}_q^{k \times k, k}] > (1 - \tau(q^{-1}))^2$.

Proof

Let $\rho(s)$ be the probability that a uniformly distributed random matrix in $\mathbb{F}_q^{s \times s}$ is invertible. Write $K = (K_1 \mid K_2)$, where $K_1 \in \mathbb{F}_q^{r \times r}$ and $K_2 \in \mathbb{F}_q^{r \times (n-2r)}$ (recall that $n > 2r$). Note that

(6) $\Pr[I - X \in \mathbb{F}_q^{k \times k, k}] \ge \Pr[I - X \in \mathbb{F}_q^{k \times k, k} \text{ and } K_1 \in \mathbb{F}_q^{r \times r, r}] = \Pr[I - X \in \mathbb{F}_q^{k \times k, k} \mid K_1 \in \mathbb{F}_q^{r \times r, r}]\; \Pr[K_1 \in \mathbb{F}_q^{r \times r, r}] = \Pr[I - X \in \mathbb{F}_q^{k \times k, k} \mid K_1 \in \mathbb{F}_q^{r \times r, r}]\; \rho(r)$.

Therefore, it suffices to prove that the conditional probability in (6) is equal to $\rho(\min(mr, k))$, and then the claim follows from Corollary 1.

Hereafter, assume that $K_1$ is invertible. Let $N_j' := N_j K_1$ for each $j \in \{1, \ldots, k\}$. By Lemma 4, we have that $N_1', \ldots, N_k'$ are independent, uniformly distributed in $\mathbb{F}_q^{m \times r}$, and independent of $K_1$. Moreover, we have that $N_j K = (N_j' \mid N_j' K_1^{-1} K_2)$ for each $j \in \{1, \ldots, k\}$. Consequently, we obtain that $\langle N_j K \rangle_i = \langle N_j' \rangle_i$ for all positive integers $i \le mr$ and $j \le k$.

If $mr \ge k$, then it follows that $\langle N_j K \rangle_i = \langle N_j' \rangle_i$ for each $i, j \in \{1, \ldots, k\}$. Hence, $X$ is uniformly distributed in $\mathbb{F}_q^{k \times k}$. Thus, the conditional probability in (6) is equal to $\rho(k)$, as desired.

Assume that $mr < k$. It follows easily that there exists a matrix $H \in \mathbb{F}_q^{mr \times (k - mr)}$, which is completely determined by $K$, such that $X = (I_{mr} \mid H)^{\top} J$, where

$J := \big( \langle N_1' \rangle^{\top} \cdots \langle N_k' \rangle^{\top} \big)$

is uniformly distributed in $\mathbb{F}_q^{mr \times k}$.

Note that the matrix

$P := \begin{pmatrix} I_{mr} & 0 \\ H^{\top} & -I_{k-mr} \end{pmatrix}$

satisfies $P (I_{mr} \mid H)^{\top} = (I_{mr} \mid 0)^{\top}$ and $P^2 = I$. In particular, $P$ is invertible. Hence, by Lemma 4, we have that $J' := JP$ is uniformly distributed in $\mathbb{F}_q^{mr \times k}$. Write $J' = (J_1 \mid J_2)$, where $J_1 \in \mathbb{F}_q^{mr \times mr}$ and $J_2 \in \mathbb{F}_q^{mr \times (k - mr)}$ are independent and uniformly distributed. Then, we have that

$P (I - X) P = P^2 - P X P = I - P (I_{mr} \mid H)^{\top} J P = I - (I_{mr} \mid 0)^{\top} J' = \begin{pmatrix} I_{mr} - J_1 & -J_2 \\ 0 & I_{k-mr} \end{pmatrix}$.

Consequently, we obtain that $I - X$ is invertible if and only if $I - J_1$ is invertible. Therefore, the conditional probability in (6) is equal to $\rho(mr)$, as desired.□

4.2 Proof of Theorem 1

Our strategy to prove Theorem 1 is the following. First, we provide an algorithm that takes as input a random instance $\mathcal{M}$ of MinRank generated by KeyGen1 and, with probability greater than $(1 - \tau(q^{-1}))^4$, returns as output the canonical form $\mathcal{M}'$ of $\mathcal{M}$ together with the matrices $L_1, \ell_1$ described in Section 3.2. Second, we show that $\mathcal{M}'$ follows the same probability distribution as a random MinRank instance generated by KeyGen3. Let $A_1$ be the attacker built from this algorithm, $A_3$, and $T$ as in Figure 4, where $T$ is the algorithm computing

$(\alpha_1 \cdots \alpha_k) = \big( (\alpha_1' \cdots \alpha_k') - \ell_1 \big) L_1^{-1}$,

in light of (4). Since the attacker $A_3$ can solve $\mathcal{M}'$ with probability $p_3$, we obtain that $A_1$ can solve $\mathcal{M}$ with probability $p_1 > (1 - \tau(q^{-1}))^4\, p_3$, as desired. Moreover, it will be clear that this algorithm and $T$ have complexities that are polynomial in $q, m, n, k$. Hence, we obtain that $t_1 = t_3 + \mathrm{poly}(q, m, n, k)$, as claimed.

Figure 4: An illustration of the strategy of the proof of Theorem 1. The block labeled $\sim$KeyGen3 returns a random MinRank instance $\mathcal{M}'$ having the same probability distribution as the output of KeyGen3.

Let $M_0, \ldots, M_k \in \mathbb{F}_q^{m \times n}$, $E \in \mathbb{F}_q^{m \times n, r}$, and $\alpha_1, \ldots, \alpha_k \in \mathbb{F}_q$ be generated by KeyGen1. In particular, we have that $M_1, \ldots, M_k$, $E$, and $\alpha_1, \ldots, \alpha_k$ are independent and uniformly distributed in their respective spaces.

The steps of the algorithm are the following.

  1. The algorithm takes as input $\mathcal{M} = (M_0, \ldots, M_k)$.

  2. If $\mathcal{M}$ cannot be reduced to canonical form, then stop. Otherwise, if $\mathcal{M}$ can be reduced to canonical form, then compute the canonical form $\mathcal{M}' = (M_0', \ldots, M_k')$ and the conversion matrices $L_1, \ell_1$, as described in Section 3.2.

  3. Return $\mathcal{M}'$ and $L_1, \ell_1$.

For the sake of the analysis of the algorithm, we define the following events and objects.

  1. Event $O_1$ occurs if $\mathcal{M}$ can be reduced to canonical form. In such a case, let $\alpha_1', \ldots, \alpha_k'$ be given by (4). Note that, by Lemma 7, event $O_1$ happens with probability greater than $1 - \tau(q^{-1})$, while $(M_1', \ldots, M_k')$ and $(\alpha_1', \ldots, \alpha_k')$ are independent and uniformly distributed in $\mathcal{C}_1$ and $\mathbb{F}_q^k$, respectively. Furthermore, since $k < m(n-r)$, we have that $M_1'^{R}, \ldots, M_k'^{R}$ are independent and uniformly distributed in $\mathbb{F}_q^{m \times r}$.

  2. Event $O_2$ occurs if $E^R \in \mathbb{F}_q^{m \times r, r}$. In such a case, in light of Lemma 5, let $K \in \mathbb{F}_q^{r \times (n-r)}$ be the unique matrix such that $E^L = E^R K$. Note that, by Lemma 6, event $O_2$ happens with probability greater than $1 - \tau(q^{-1})$, and $K$ is uniformly distributed in $\mathbb{F}_q^{r \times (n-r)}$.

  3. Event $O_3$ occurs if both $O_1$ and $O_2$ occur and the matrix $I - X$ is invertible, where $X \in \mathbb{F}_q^{k \times k}$ is the matrix having the entry in the $i$th row and $j$th column equal to $\langle M_j'^{R} K \rangle_i$. Note that, by Lemma 8, the probability that $I - X$ is invertible is greater than $(1 - \tau(q^{-1}))^2$.

By construction, we have that event $O_3$ happens with probability greater than $(1 - \tau(q^{-1}))^4$. Therefore, the algorithm returns as output $\mathcal{M}'$ and $L_1, \ell_1$ with probability greater than $(1 - \tau(q^{-1}))^4$, as desired.

It remains to prove that $\mathcal{M}'$ follows the same probability distribution as a MinRank instance generated by KeyGen3.

Let $S$ be the set of

$(M_0^*, \ldots, M_k^*, E^*, \alpha_1^*, \ldots, \alpha_k^*) \in \mathcal{C}_0 \times \mathcal{C}_1 \times \mathbb{F}_q^{m \times n, r} \times \mathbb{F}_q^k$, with $E^{*R} \in \mathbb{F}_q^{m \times r, r}$,

such that

  (i) $E^* = M_0^* + \sum_{i=1}^{k} \alpha_i^* M_i^*$;

  (ii) $\alpha_1^*, \ldots, \alpha_k^*$ is the unique solution to the linear system

    $\sum_{j=1}^{k} \big( \delta_{i,j} - \langle M_j^{*R} K^* \rangle_i \big)\, x_j = \langle M_0^{*R} K^* \rangle_i \quad (i = 1, \ldots, k)$,

    where $K^* \in \mathbb{F}_q^{r \times (n-r)}$ is the unique matrix such that $E^{*L} = E^{*R} K^*$, by Lemma 5.

Note that each element of $S$ is completely determined by either

  (a) $M_1^*, \ldots, M_k^*$, $E^*$, and $\alpha_1^*, \ldots, \alpha_k^*$, since using (i) one can retrieve $M_0^*$ from the former matrices and scalars; or

  (b) $M_0^{*R}$, $M_1^*, \ldots, M_k^*$, and $K^*$. In fact, given such matrices, one can retrieve $\alpha_1^*, \ldots, \alpha_k^*$ by using (ii). Then, using (i), one obtains that

    $E^{*R} = M_0^{*R} + \sum_{i=1}^{k} \alpha_i^* M_i^{*R}$.

    Finally, one has that $E^* = (E^{*R} K^* \mid E^{*R})$.

Recall that $M_0, \ldots, M_k \in \mathbb{F}_q^{m \times n}$, $E \in \mathbb{F}_q^{m \times n, r}$, and $\alpha_1, \ldots, \alpha_k \in \mathbb{F}_q$ are generated by KeyGen1. If $O_1$ occurs, let

$S' := (M_0', \ldots, M_k', E, \alpha_1', \ldots, \alpha_k')$.

Note that $(M_1', \ldots, M_k')$, $E$, and $(\alpha_1', \ldots, \alpha_k')$ are independent and uniformly distributed in $\mathcal{C}_1$, $\mathbb{F}_q^{m \times n, r}$, and $\mathbb{F}_q^k$, respectively. It follows easily that the event $O_3$ happens if and only if $S' \in S$. Hence, thanks to (a), we obtain that, conditionally on the event $O_3$, the random variable $S'$ is uniformly distributed in $S$.

Let $M_0, \ldots, M_k$, $K$, $E^R$, and $\alpha_1, \ldots, \alpha_k$ be the matrices and the scalars generated by KeyGen3. Also, put $E := (E^R K \mid E^R)$ and

$S'' := (M_0, \ldots, M_k, E, \alpha_1, \ldots, \alpha_k)$.

It follows easily that KeyGen3 generates $M_0^R$, $(M_1, \ldots, M_k)$, and $K$ independently and with uniform distribution in $\mathbb{F}_q^{m \times r, r}$, $\mathcal{C}_1$, and $\mathbb{F}_q^{r \times (n-r)}$, respectively, until the condition $S'' \in S$ is satisfied. Hence, by (b), we obtain that $S''$ is uniformly distributed in $S$.

The proof is complete.

Acknowledgements

The authors are members of GNSAGA of INdAM and of CrypTO, the group of Cryptography and Number Theory of the Politecnico di Torino. This work was partially supported by project SERICS (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union – NextGenerationEU. These results have been accepted for presentation at CIFRIS24, the Italian congress of De Cifris (www.decifris.it/cifris24). The authors would like to thank the anonymous referees for providing insightful comments that improved the quality of the article.

  1. Funding information: Authors state no funding involved.

  2. Author contributions: All authors have accepted responsibility for the entire content of this manuscript and approved its submission.

  3. Conflict of interest: The authors state no conflict of interest.

References

[1] Buss JF, Frandsen GS, Shallit JO. The computational complexity of some problems of linear algebra. J. Comput. System Sci. 1999;58(3):572–96. doi:10.1006/jcss.1998.1608

[2] Beullens W. Improved cryptanalysis of UOV and Rainbow. In: Advances in cryptology – EUROCRYPT 2021, Part I, volume 12696 of Lecture Notes in Comput. Sci. Cham: Springer; 2021. p. 348–73. doi:10.1007/978-3-030-77870-5_13

[3] Gaborit P, Ruatta O, Schrek J. On the complexity of the rank syndrome decoding problem. IEEE Trans. Inform. Theory. 2016;62(2):1006–19. doi:10.1109/TIT.2015.2511786

[4] Tao C, Petzoldt A, Ding J. Efficient key recovery for all HFE signature variants. In: Advances in cryptology – CRYPTO 2021, Part I, volume 12825 of Lecture Notes in Comput. Sci. Cham: Springer; 2021. p. 70–93. doi:10.1007/978-3-030-84242-0_4

[5] Bardet M, Bertin M. Improvement of algebraic attacks for solving superdetermined MinRank instances. Lecture Notes Comput. Sci. 2022;13512:107–23. doi:10.1007/978-3-031-17234-2_6

[6] Bardet M, Briaud P, Bros M, Gaborit P, Tillich J-P. Revisiting algebraic attacks on MinRank and on the rank decoding problem. Cryptology ePrint Archive, Paper 2022/1031, 2022. https://eprint.iacr.org/2022/1031

[7] Bardet M, Bros M, Cabarcas D, Gaborit P, Perlner R, Smith-Tone D, et al. Improvements of algebraic attacks for solving the rank decoding and MinRank problems. In: Advances in cryptology – ASIACRYPT 2020, Part I, volume 12491 of Lecture Notes in Comput. Sci. Cham: Springer; 2020. p. 507–36. doi:10.1007/978-3-030-64837-4_17

[8] Bettale L, Faugère J-C, Perret L. Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic. Des. Codes Cryptogr. 2013;69(1):1–52. doi:10.1007/s10623-012-9617-2

[9] Faugère J-C, Levy-dit-Vehel F, Perret L. Cryptanalysis of MinRank. In: Advances in cryptology – CRYPTO 2008, volume 5157 of Lecture Notes in Comput. Sci. Berlin: Springer; 2008. p. 280–96. doi:10.1007/978-3-540-85174-5_16

[10] Faugère J-C, Safey El Din M, Spaenlehauer P-J. Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology. In: ISSAC 2010 – Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation. New York: ACM; 2010. p. 257–64. doi:10.1145/1837934.1837984

[11] Kipnis A, Shamir A. Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Advances in cryptology – CRYPTO ’99 (Santa Barbara, CA), volume 1666 of Lecture Notes in Comput. Sci. Berlin: Springer; 1999. p. 19–30. doi:10.1007/3-540-48405-1_2

[12] Verbel J, Baena J, Cabarcas D, Perlner R, Smith-Tone D. On the complexity of “superdetermined” MinRank instances. In: Post-quantum cryptography, volume 11505 of Lecture Notes in Comput. Sci. Cham: Springer; 2019. p. 167–86. doi:10.1007/978-3-030-25510-7_10

[13] Courtois NT. Efficient zero-knowledge authentication based on a linear algebra problem MinRank. In: Advances in cryptology – ASIACRYPT 2001 (Gold Coast), volume 2248 of Lecture Notes in Comput. Sci. Berlin: Springer; 2001. p. 402–21. doi:10.1007/3-540-45682-1_24

[14] Bellini E, Esser A, Sanna C, Verbel J. MR-DSS – Smaller MinRank-based (ring-)signatures. In: Post-quantum cryptography, volume 13512 of Lecture Notes in Comput. Sci. Cham: Springer; 2022. p. 144–69. doi:10.1007/978-3-031-17234-2_8

[15] Aragon N, Bidoux L, Chi-Domínguez J-J, Feneuil T, Gaborit P, Neveu R, et al. MIRA: a digital signature scheme based on the MinRank problem and the MPC-in-the-Head paradigm. 2023. https://arxiv.org/abs/2307.08575

[16] Feneuil T. Building MPCitH-based signatures from MQ, MinRank, Rank SD and PKP. Cryptology ePrint Archive, Paper 2022/1512, 2022. https://eprint.iacr.org/2022/1512

[17] Adj G, Barbero S, Bellini E, Esser A, Rivera-Zamarripa L, Sanna C, et al. MiRitH: MinRank in the Head. Submission to NIST, 2023. https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/MiRitH_spec-web.pdf (see also https://pqc-mirith.org)

[18] Adj G, Rivera-Zamarripa L, Verbel J. MinRank in the head. In: El Mrabet N, De Feo L, Duquesne S, editors. Progress in Cryptology – AFRICACRYPT 2023. Cham: Springer Nature Switzerland; 2023. p. 3–27. doi:10.1007/978-3-031-37679-5_1

[19] Faugère J-C, Safey El Din M, Spaenlehauer P-J. On the complexity of the generalized MinRank problem. J. Symbolic Comput. 2013;55:30–58. doi:10.1016/j.jsc.2013.03.004

[20] Bernstein DJ, Chou T, Schwabe P. McBits: fast constant-time code-based cryptography. In: Bertoni G, Coron J-S, editors. Cryptographic Hardware and Embedded Systems – CHES 2013. Berlin, Heidelberg: Springer; 2013. p. 250–72. doi:10.1007/978-3-642-40349-1_15

[21] Fisher SD, Alexander MN. Classroom notes: matrices over a finite field. Amer. Math. Monthly. 1966;73(6):639–41. doi:10.2307/2314805

Received: 2024-02-14
Revised: 2024-07-30
Accepted: 2024-10-15
Published Online: 2025-04-14

© 2025 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
