An Application of p -Fibonacci Error-Correcting Codes to Cryptography

: In addition to their usefulness in proving one’s identity electronically, identiﬁcation protocols based on zero-knowledge proofs allow designing secure cryptographic signature schemes by means of the Fiat–Shamir transform or other similar constructs. This approach has been followed by many cryptographers during the NIST (National Institute of Standards and Technology) standardization process for quantum-resistant signature schemes. NIST candidates include solutions in different settings, such as lattices and multivariate and multiparty computation. While error-correcting codes may also be used, they do not provide very practical parameters, with a few exceptions. In this manuscript, we explored the possibility of using the error-correcting codes proposed by Stakhov in 2006 to design an identiﬁcation protocol based on zero-knowledge proofs. We showed that this type of code offers a valid alternative in the error-correcting code setting to build such protocols and, consequently, quantum-resistant signature schemes.


Introduction
In many situations, it is necessary to electronically prove one's identity. Typical scenarios include local access to a computer account, remote login to a server over a network, ATM withdrawals, communication permissions through a port, and many others.
The identification protocols (which assure one party of the identity of a second party and also that the second party is participating in the execution of the protocol) allow one entity (the prover) to "prove" its identity to another entity (the verifier) by exchanging some data. Some types of identification protocols avoid the use of digital signatures, public key encryption, block ciphers, sequence numbers, and timestamps, but use asymmetric techniques and are based on interactive proof systems and zero-knowledge proofs. Such protocols allow the prover to be identified by demonstrating knowledge of a secret associated with the prover, without revealing the secret itself to the verifier. This is usually done in three steps, with the prover submitting a commitment, the verifier replying with a challenge, and the prover sending a response to the challenge. An interactive identification scheme involving a commitment-challenge-response sequence can often be converted into a non-interactive signature scheme, by replacing the random challenge of the verifier by the output of a one-way hash applied to the concatenation of the commitment and the message to be signed (the hash essentially plays the role of verifier). This technique has been used to design several quantum-resistant signature schemes based on error-correcting codes [1,2], lattices [3,4], multivariate systems [5], or multiparty computation [6], some of which are recent proposals in the NIST standardization process for quantum secure public key cryptosystems [7].
The topic of this work is identification protocols based on zero-knowledge proofs in the error-correcting code setting. Many proposals of this type have appeared in the literature, but very few can be applied in practice, due to the large size of the parameters of these schemes.
In Section 2, we present an overview of the main identification protocols, and corresponding signature schemes, based on error-correcting codes. In Section 3, we provide a quick review of the theory of p-Fibonacci error-correcting codes, also including some minor original results, and recall the main notions needed to define a zero-knowledge identification protocol. In Section 4, we describe an identification protocol based on p-Fibonacci codes and prove its security in the random oracle model. In Section 5, we compare our solution with similar schemes, and in Section 6, we finally draw the conclusions. In Appendix A, we provide a concrete example of our solution.

Related Works
In this section, we provide an overview of the literature regarding identification protocols and corresponding signature schemes, based on error-correcting codes (identification protocols based on other mathematical problems (e.g., [8]) or on symmetric primitives (e.g., [9]) might also exist).
The signature size of a proof of knowledge signature scheme is proportional to the communication cost of the identification protocol. Proof of knowledge signature schemes based on error-correcting codes usually provide very small keys, but large signatures. This comes from the fact that the identification protocol has a non-null cheating probability, i.e., the probability that someone not authorized is still able to authenticate to the verifier. Thus, the protocol must be repeated a certain number of times to reduce this probability close enough to zero.
The first of such schemes is due to Stern. In 1993, he proposed to use the Fiat-Shamir transform for turning a zero-knowledge identification protocol into a signature scheme. Stern's protocol has a cheating probability of 2/3. Many researchers followed Stern's approach, trying to improve either the key size or the signature of the scheme, by proposing variations of the underlying identification protocol. In 1997, Veron [2] presented the dual of the three-pass Stern proposal, still with cheating probability 2/3. Veron used a generator matrix G of the code, instead of the parity-check matrix as a public parameter, and used a pair (x, e) as a secret key and a codeword y = xG + e as a public key. This allows sending less data on average during the response step, implying slightly shorter signatures. More than ten years later, in 2010 [10], the authors presented a five-pass identification protocol with a cheating probability of 1/2, using codes over the binary extension field, rather than the binary field, as done by Stern and Veron. Passing from a cheating probability of 2/3 to 1/2 decreased significantly the number of times the identification protocol had to be run, and thus the corresponding signature size. In [11], it was shown how to extend the Fiat-Shamir transform to an n-pass protocol (with n odd). In 2011, Gaborit, Schrek, and Zémor [12] obtained a further significant reduction of both key and signature sizes by presenting the rank metric version of the Stern identification protocol. Switching from the Hamming to rank metric is a common strategy to reduce the parameters size of a codebased cryptosystem, since rank metric decoding has quadratic exponential complexity, while Hamming metric decoding is linear exponential. Again in 2011, Aguilar, Gaborit, and Schrek (AGS) [13], used double circulant codes in the Hamming metric. In this way, they reduced the key size of the Veron scheme; moreover, they presented a fivepass version of it, with the cheating probability approximately equal to 1/2. They also introduced a compression technique that reduced the signature size. Recently, a rank metric version of Veron and CVE (Cayrel-Véron-El Yousfi) was provided, though lacking a security proof [14]. Finally, in [15], the rank metric version of the AGS scheme was presented, currently holding the best signature plus public key size among all signature schemes based on error-correcting codes. A similar construction [16] was also used to build zero-knowledge proofs.
Proof of knowledge signature schemes are also quite common in other post-quantum settings, such as in lattice-based [3,4], multivariate-based [5], or multiparty computationbased [6] signatures.

Our Contribution
In this work, we present the analogue of the three-pass Veron identification protocol [2] using a new type of code, introduced by Stakhov in 2006 [17], which have a simpler set of parameters with respect to the rank metric, but a similar decoding complexity (quadratic in the exponent), thus allowing reaching similar sizes as in the rank metric, but with more simplicity in the selection of the parameters.
In 2006, Stakhov [17] introduced a new technique, based on the so-called Fibonacci p-numbers or p-sequence, further analyzed in [18], to obtain error-correcting codes. A few generalizations of his theory were explored in [17] (Fibonacci (p, m)-sequence) [19] (Fibonacci polynomial sequence), and [20] (Fibonacci M p -sequence), but apart from that, the theory behind these codes has not received much attention, probably due to the fact that their error model is very unlikely to be applicable in real life for error correction. The aim of this paper is to show that this type of code deserves to be investigated more deeply, as it could be very useful in cryptographic applications.

Preliminaries
In this section, we first introduce the p-Fibonacci error-correcting codes, and then, we provide the fundamental ideas and definitions regarding zero-knowledge identification protocols.

p-Fibonacci Error Correcting Codes
With M r (R), we indicate the set of all square matrices of size r × r with entries in the ring R. We also indicate with N <2 r the set of integers that are representable with r bits and with Q <2 r the set of rational numbers representable with two integers of r bits each.
The Fibonacci p-numbers, or Fibonacci p-sequence, are defined as the numerical sequence a p,n given by the recursive relation a p,n = a p,n−1 + a p,n−p−1 , with initial values a p,1 = . . . = a p,p+1 = 1.
For a given integer p ≥ 1, the p-Fibonacci matrix Q p is a (p + 1) × (p + 1) matrix of the following form: Some of the properties of the Q p matrix are stated in what follows (see [18]).

Proposition 1.
For any positive integer p and n = 0, ±1, ±2, . . . : • The n-th power of Q p is given by: where a p,n is the Fibonacci p-number.
Notice that since det(Q n p ) = 0, then the matrix Q n p is invertible. Fibonacci Q p matrices allow defining a method to encode and decode a message M and also detecting and correcting errors that might occur in the transmission of the encoding of M.
The message M must be represented as a (p + 1) × (p + 1) matrix over N <2 r \ {0}, i.e., whose entries are r bit strings representing a positive integer. For this reason, we consider M such that its bit size |M|, which can also be seen as the dimension of the code, is a multiple of (p + 1) 2 . Then, the encoding of M is performed with the matrix multiplication C = M · Q n p for a certain positive integer n, while the decoding of C, if no error occurred, is done simply by M = C · (Q n p ) −1 . Since det(C) = det(M · Q n p ) = (±1) pn det(M), if this relation does not hold, we can deduce that some errors occurred in the transmission of C, and the received matrix is R = M · Q n p ⊕ E, for some (p + 1) × (p + 1) matrix E. Notice that the errors occur by modifying some bits of the transmitted matrix; thus, we have to use the addition ⊕ in the binary field F 2 , i.e., the XOR operation, when adding the error, rather than the standard addition over the integers. The procedure to correct such errors exploits the fact that the entries c ij of C satisfy a relation of the type: [18] or [21]). In particular, the decoding method described by Stakhov allows correcting up to (p + 1) 2 − 1 incorrect entries of C, which we refer to as integer errors. As we will show later in this section, the initial analysis of Stakhov did not take into account information theoretic results, as, for example, the Singleton bound. After computing the redundancy of p-Fibonacci codes and applying the Singleton bound [22], we also provide a bound on the maximum number of bit errors that the p-Fibonacci code can correct. Among all possible integer error types, detecting and correcting (p + 1) 2 − 1 erroneous entries require the highest amount of work. In [19], the authors proved that in this worst case, the error correction can be performed in O2 (p+1) 2 operations. In particular, 2 (p+1) 2 − 2 sub-determinants of R must be computed.
In the following proposition, we provide an upper bound of the redundancy of the code. Proposition 2 (p-Fibonacci code redundancy). Let us consider the message space M = {0, 1} k , with k = (p + 1) 2 r for some integers p and r, so that we can split a message into (p + 1) 2 blocks of an equal bit size. Fix n, then a codeword of a p-Fibonacci code with generator matrix Q n p can be represented with l(p + 1) 2 bits , with: Proof. Let α 1 be the root greatest in modulo of x p+1 − x p − 1 and α 2 , . . . , α p+1 the remaining roots. We set a p,−p+1 = . . . = a p,0 = 0, so that (a p,n ) n≥−p+1 is a linear recurrent sequence with characteristic polynomial x p+1 − x p − 1. By the Binet formula, we have that: for any i ≥ 0, where A 1 , . . . , A p+1 are real numbers depending on the initial conditions of the sequence. Since, a p,−p+1 = . . . = a p,0 = 0, and a p,1 = 1, it is straightforward to find that: and |a p,i | ≤ (p + 1)|α i−1 1 |. Now, having M = (m ij ) the message, whose entries have bit size r, we consider C = (c ij ) the codeword obtained by C = MQ n p . Since (a p,n ) is an increasing sequence, the entry of C with the maximum length is in the first column. Recalling that all the m ij 's have bit size equal to r, the bit size of c ij will be at most r + log 2 (p + 1)α n−1 1 , i.e., l ≤ r + log 2 (p + 1) + (n − 1) log 2 α 1 .
Let us denote with w F (X) the number of non-zero entries of the integer matrix X. We refer to this value as the Fibonacci weight of the matrix X.
The following definition allows us to formally define the problem of decoding Fibonacci error-correcting codes.
Problem 1 (Search Fibonacci decoding problem). Given the positive integers r, l, n, p, w F , ∆ such that n > p + 1, l > r, (Q n p , R) ∈ M p+1 (N) × M p+1 (N) from the FD distribution, the Search Fibonacci Decoding problem SFD(r, n, p, w F , ∆) asks to find (M, E) ∈ M p+1 (N <2 r ) × M p+1 (N <2 r ) such that: Remark 1. Note that the SFD problem would be easy if we removed the last determinant condition, as one could simply fix a random E with w F (E ) = w F and then compute M = (R ⊕ E )Q −n p . In general, given R and Q n p , it seems not possible to find two matricesM andẼ such that the above three conditions are all satisfied. Indeed, this could be done only solving (p + 1) 2 non-linear diophantine equations. Moreover, we can observe that the number of possible matricesM is (2 r − 1) p+1 2 and the number of possible matricesẼ is (p + 1) 2 · (2 l − 1) (p+1) 2 −1 , with l > r. Thus, it is very hard to find two matricesM andẼ by brute force, also for small values of p. Indeed, if we randomly sample a matrixM, there is a unique corresponding matrixẼ; thus, the search space for such a matrixẼ is greater than (p + 1) 2 · (2 l − 1) (p+1) 2 −1 . Moreover, note that not all random matrices in M p+1 (N <2 r ) are suitable, sinceM must satisfy detM = ±∆.
The previous problem can be seen as the analogue of the Syndrome Decoding (SD) problem in the Hamming metric or the Rank Syndrome Decoding (RSD) problem in the rank metric. While for the Hamming metric, the SD problem has been proven to be NPcomplete [23], the RSD problem has recently been proven difficult with a probabilistic reduction to the Hamming setting in [24]. As we mentioned before, the FD problem is known to be hard in the case of w F = (p + 1) 2 − 1 errors and becomes easier as w F decreases.
We can apply a random permutation to the vector components, in order to send a binary vector of a certain Hamming weight to any other vector with the same Hamming weight. These maps are used to hide the error positions from an attacker, so the number of all these maps needs to be large enough so that an attacker cannot explore it in polynomial time. It is possible to define a set of maps with the analogue property in the Fibonacci code case, i.e., maps sending a matrix E with w F (E) = w F to any other matrix of the same Fibonacci weight as follows.
Moreover, let L E and R E be the set of matrices K 1 , K 2 ∈ M p+1 (Q) such that: The previous definition does not provide a methodology to construct the maps L E , R E . Such a construction turns out to be somehow complex and hard to manipulate in our scenario. We thus define a subset of this map, with a simpler representation, whose cardinality is still large enough to properly hide the secret of our protocol. We can observe that, for all E ∈ M p+1 (N <2 r ), the permutation matrices π 1 , π 2 of dimension (p + 1) × (p + 1) belong to L E and R E . Thus, given a matrix E ∈ M p+1 (N <2 r ), we have a number of possible transformations σ P 1 ,P 2 , which satisfy the three conditions of the above definition, greater than ((p + 1)!) 2 .
In the rest of the paper, we denote by S t the set of permutations over the integers {1, . . . , t}, so that, with an abuse of notation, σ P 1 ,P 2 (E) is defined by to permutations P 1 , P 2 ∈ S p+1 , permuting the rows and the columns of E. Proposition 3.

1.
Given X, Y ∈ M p+1 (N <2 r ) such that w F (X) = w F (Y) and det X = ± det Y, it is possible to find K 1 ∈ L Y and K 2 ∈ R Y such that X = σ K 1 ,K 2 (Y).

1.
It is sufficient to take K 1 as the identity matrix and K 2 = Y −1 · X or K 1 = X · Y −1 and K 2 as the identity matrix.

Zero-Knowledge Identification Protocols
For a complete introduction to the subject, we refer to [25], by which the following section was inspired. An interactive proof system is a randomized (messages are created by means of, ideally fair, coin tosses) communication protocol involving two parties: a prover, denoted by P, and a verifier, denoted by V. The goal of P is to demonstrate (or prove) to V that a certain assertion, formulated by P, is true. The role of V is to either accept or reject the proof (The term "proof" here differs from the traditional mathematical notion of a proof and refers to an interactive game wherein proofs are probabilistic rather than absolute. A proof in this context needs be correct only with bounded probability, although possibly arbitrarily close to one.). In general, it is possible to formulate interactive proofs for identification protocols as proofs of knowledge. In this case, P can demonstrate the knowledge of a secret s (e.g., a key or a password) by providing correct answers to pre-established queries about s. Note that proving the knowledge of a secret and proving its existence are two different problems.
When an interactive proof possesses the properties of completeness and soundness, it is called a proof of knowledge.
Informally, the property of completeness can be seen as requiring that the protocol behaves as intended, under the assumption that the parties are acting honestly.

Definition 3 (Completeness property
). An interactive proof (protocol) is complete if, given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability (i.e., the verifier accepts the prover's claim).
Usually, with the term "overwhelming", it is intended that the protocol failure probability is not significant in practice (exponentially small with respect to the input size). For some applications, this term might indicate stricter or more relaxed requirements.

Definition 4 (Soundness property
). An interactive proof (protocol) is sound if there exists an expected polynomial time algorithm A with the following property: if a dishonest prover (impersonating P) can, with non-negligible probability, successfully execute the protocol with V, then A can be used to extract from this prover knowledge (essentially equivalent to P's secret), which, with overwhelming probability, allows successful subsequent protocol executions.
The property of soundness serves the purpose of guaranteeing that the protocol is generating an actual proof of knowledge. This is achieved since any impersonation of P requires the knowledge of P's secret or of equivalent information (for example, by extracting it from P in polynomial time by means of A). In other words, soundness assures that no dishonest prover can convince an honest verifier. On the other hand, by itself, soundness does not assure that deriving the secret from P is hard.
The conventional strategy to prove the soundness property of a protocol is to hypothesize about the existence of a dishonest prover that can run the protocol with a successful outcome and then illustrate how such a capability implies being able to derive the actual secret of P.
While the soundness property is required for an interactive proof of knowledge to be used in cryptography, the crucial aspect of a zero-knowledge protocol is the zero-knowledge property.
In the following, we refer to the the collection of messages resulting from the protocol execution as the transcript.

Definition 5 (Zero-knowledge property).
A protocol that is a proof of knowledge has the zeroknowledge property if it is simulatable in the following sense: there exists an expected polynomial time algorithm (simulator) that can produce, upon the input of the assertion(s) to be proven, but without interacting with the real prover, transcripts indistinguishable from those resulting from the interaction with the real prover.
The zero-knowledge property guarantees that from an execution of the protocol between a prover and a (even malicious) verifier, there is no leakage of information about the secret knowledge of the prover, except for the truth of the assertion. The only information that is allowed to be leaked is that that can be computed in polynomial time from the public information alone. As a consequence, assisting the communication does not help in impersonating the prover.

Veron Identification Protocol in the Fibonacci Setting
In this section, we describe a variation of the Veron identification protocol [2] using the p-Fibonacci error-correcting codes defined in Section 3.

Description of the Protocol
We denote by λ the security level of the scheme, and with H, we indicate a secure hash function. The key generation algorithm is listed in Figure 1, and we give here a brief example. The Fibonacci identification protocol is listed in Figure 2.
KGen(1 λ ) 1 : Define the public parameters r, n, p, so that the SFD(r, n, p, (p + 1) 2 − 1) problem is hard 2   The operation ⊕ used to add E to M · Q n p in Step 4 of the key generation is a bit-wise XOR of the corresponding entries of the two matrices. This is done to assure that when adding (over the integers) the artificially constructed error E to M · Q n p , the entries of the resulting matrix R do not exceed l bits (a Magma implementation of our algorithm is available on GitHub at https://github.com/peacker/p-Fibonacci_identification_protocol, accessed on 5 April 2021).

Commitment Compression
In [13], it was shown how it is possible to reduce the size of commitments of a Stern or Veron-like identification protocol from 3h to 2h, where h is the bit size of the underlying hash function. Furthermore, they showed how the technique can be applied to δ parallel rounds to reduce the size of commitments from 3δh to (δ + 1)h. The idea is that, since the verifier V is always able to recover two commitments given a certain value of b, then the prover P can send c 4 = H(c 1 , c 2 , c 3 ) instead of c 1 , c 2 , c 3 in the first commitment step and then attach the missing commitment c to the response r 1 , r 2 . At this point, V only needs to check if the initially received c 4 is equal to the hash of the values that it computed concatenated to c in the proper order. In the case of δ parallel rounds, P computes c = H(c 1,1 c 1,2 c 1,3 . . . c δ,1 c δ,2 c δ,3 ) and sends it to V as a commitment. Then, V sends δ challenges b i , i ∈ {1, . . . , δ} to P, who attaches the proper missing commitment to the response of the corresponding round. Finally, V checks if c is equal to the hash of the values that it computed concatenated to the respective c i in the proper order. Notice that when b i = 1, the verifier also needs to check the Fibonacci weight of r 2 . This compression can be applied to obtain a more compact, though slightly less efficient, signature.

Zero-Knowledge Properties
In this section, we prove the security of the scheme using standard zero-knowledge proof arguments, meaning that we prove the completeness, soundness, and the zeroknowledge property of the scheme.
The security of the scheme is based on the difficulty of solving the Fibonacci decoding problem, and the security proof exploits the properties of the functions γ and σ.

Completeness
Given the output (sk, pk) of the KGen function, we can easily see that for all possible sk = (M, E), then V always accepts after interacting with P on common input pk. Indeed, the honest prover, knowing sk, is able to construct the commitments c 1 , c 2 , c 3 . Moreover, since the verifications match with the given commitments, V is always able to identify P.

Soundness
Theorem 1. If a prover P correctly answers all three challenges, then either he/she can find a collision for the hash function or he/she accesses the secret key.
Proof. Let us define σ i = σ P 1,i ,P 2,i , P 1,i , P 2,i ∈ S p+1 , for some index i. Suppose that, given the three commitments c 1 , c 2 , c 3 , the prover P is able to answer in the three cases b = 0, 1, 2. This means P knows: ). Thus, either P has found a collision for the hash function or the preimages of c 1 , c 2 , c 3 are equal, meaning that: , and X 1 = −σ 2 (Z 2 · Q n p ). Combining the previous equations, we obtain that: σ 0 (Z 0 · Q n p ) + W 1 = σ 2 (Z 2 · Q n p + R). Thanks to the linearity and invertibility of σ 0 , we can isolate Since we also have that w F (σ −1 0 (W 1 )) = w F (W 1 ) = (p + 1) 2 − 1, this means that the secret key associated with the public key pk = R is (Z 0 − Z 2 , σ −1 0 (W 1 )). Thus, P is able to construct the unique secret solution of the Fibonacci decoding problem.
Since P is never able to answer the three cases, as a corollary, we have that the probability of cheating must be less than or equal to 2/3. We now prove that it is exactly 2/3. To properly guess any two challenges among three, a cheater must proceed as follows: • if b = 0 or 1: pick randomly the values Compute c 1 = H(P 1 , P 2 ), c 2 = H(σ P 1 ,P 2 (Z · Q n p )), c 3 = H(σ P 1 ,P 2 (Z · Q n p + F), − σ P 1 ,P 2 (Z · Q n p )).
We thus proved that the probability of cheating is exactly 2/3.

Zero-Knowledge
To prove zero-knowledge, a simulator Sim of the scheme must be constructed. Let V be a verifier. It is possible to construct Sim in such a way that it can answer any of the three challenges, as follows:

1.
Sim chooses randomly P 1 , Sim also chooses j ∈ {0, 1, 2} corresponding to the challenge it is trying to guess.
• If j = 0, Sim sends c 1 , c 2 , c 3 such that: If j = 1, Sim sends c 1 , c 2 , c 3 such that: Sim sends c 1 , c 2 , c 3 such that: If b = j, the execution provides a valid transcript (V verifies correctly), and Sim saves the execution. Otherwise, Sim restarts the execution.
Sim succeeds if it is able to store l transcripts of the execution with b = j. This can be achieved by running the execution 3l times, since the probability of b = j is 1/3. The simulated transcript is indistinguishable from the real one, since in the commitment step, only hash values are sent, while in the response step, the following distributions are sent: • b = 0: the simulated transcript contains P 1 , P 2 , V + V , while the real one P 1 , P 2 , U + M; • b = 1: the simulated transcript contains σ P 1 ,P 2 (V · Q n p ), σ P 1 ,P 2 ((V + V ) · Q n p ), σ P 1 ,P 2 (F), while the real one σ P 1 ,P 2 (U · Q n p ), σ P 1 ,P 2 ((U + M) · Q n p ), σ P 1 ,P 2 (E); • b = 2: the simulated transcript contains P 1 , P 2 , V, while the real one P 1 , P 2 , U.
The values V, V , P 1 , P 2 are sampled following the uniform distribution, and so do U + M and U in, respectively, steps b = 0 and b = 2. In step b = 1, σ P 1 ,P 2 ((V + V ) · Q n p ) follows again the uniform distribution the same way as σ P 1 ,P 2 ((U + M) · Q n p ), while, because of the property of P 1 , P 2 , σ P 1 ,P 2 (E) and σ P 1 ,P 2 (F) are taken uniformly from the set of all matrices of weight (p + 1) 2 − 1.
To conclude, anyone using Sim can simulate an execution of the scheme without knowledge of the secret key.
This concludes the proof that the scheme is zero-knowledge.

Comparisons
The aim of this section it to provide a fair comparison with other three-pass identification protocols based on error-correcting codes. For this comparison, we take into consideration the Veron identification protocol for security level λ = 128, 96, 80 and its instantiations using a generic linear code and double circulant codes, both in the Hamming and rank metric. We omit the Stern protocol in the comparison as the results would be very similar.
To choose the parameters of our instantiation of the Veron protocol with Fibonacci codes for security level λ = 128, we need to choose an integer p such that log 2 (2 (p+1) 2 ) = (p + 1) 2 ≥ 128 (this condition implies that the Fibonacci decoding problem is exponentially hard) and such that the space S 2 p+1 of the permutations P 1 , P 2 ∈ S p+1 is too large for an adversary to be explored, i.e., |S 2 p+1 | = ((p + 1)!) 2 ≥ 2 128 . The smallest such p is 20, for which log 2 (2 (p+1) 2 ) = 441 and log 2 (((p + 1)!) 2 ) ≈ 130.94 . Since n > p + 1, we can choose n = 22. The smallest meaningful r is two (recall that each entry of the message M has to be positive).
The public key is the matrix R ∈ M p+1 (N <2 l ), where each entry of the matrix has at most l bits, as shown in Proposition 2, thus requiring l(p + 1) 2 bits. It is easy to verify computationally that for (p, n) = (20, 2), then l = 10. The communication cost of each round of all the variations of the protocol is the same for the commitment and challenge step, i.e., it includes three hashes of length h for the commitment step and two bits for the challenge step, for a total of 3h + 2 bits. The response step cost is given by P 1 , P 2 plus a matrix in M p+1 (N <2 r ) with probability 2/3 (when b = 0, 2) and three matrices in M p+1 (Q <2 l ) (where l is the bit size of a single entry of the encoded matrix) with probability 1/3 (when b = 1). The function σ is determined by two permutations of p + 1 elements, which can be represented with (p + 1) log 2 (p + 1) bits. Then, the total communication cost sums to 3h + 2 + 2(p + 1) log 2 (p + 1) + r(p + 1) 2 when b = 0, 2 and to 3h + 2 + 3l(p + 1) 2 when b = 1.
In Table 1, we summarize the comparison with the parameters of the Veron protocol using Fibonacci codes against Generic Linear (GL) codes and Double Circulant (DC) codes both in the Hamming and rank metric. The first set of parameters that we proposed for the Fibonacci code offers a security of ∼131 bit, while the parameters for Hamming and rank metric offer a security of at most 128. To provide a more complete comparison, we also analyzed a set of parameters for the security levels of 96 and 80 bits. For the decoding complexity A, we used the formula provided in [26] for the Hamming metric and in [27] for the rank metric. It is worth noting that in the case of the rank metric, many different algebraic and combinatorial attacks exists (e.g., [27][28][29][30] ), depending on the relation among the parameters of the code, which are four (double circulant case) or five (generic linear code case). For this reason, the selection of parameters in the rank metric setting, which is the one providing better sizes, is somehow more involved. As a result of the comparison, we noticed that p-Fibonacci error-correcting codes allow reaching secret and public key sizes that are larger than the corresponding Hamming and rank metric analogues, unless one takes into account the public generator matrix of the code, which is orders of magnitude smaller in the Fibonacci case. The average communication cost is somehow in between the one of the Hamming and the one of rank metric, where a clear advantage is due to the compact communication used for the cases b = 0, 2.
To choose the number of rounds δ, we proceed as follows. The impersonation probability of one single round is P = 2/3. To reach a security level λ with an impersonation probability of P, that is to compute the number of rounds δ, we need to set δ = log P (1/2 λ ). This results in δ = 137 for λ = 128. Best known attack A min(2 (p+1) 2 [19], ((p + 1)!) 2 ) 2 0.097n [26] min((n − k) 3 m 3 q r (k+1)m n −m , Code parameters (r, p, n) (q, n, k, w) (q, n, w) (q, m, n, k, r) (q, m, n, r) Public param.size log 2 r + log 2 p + log 2 n k(n − k) + log r n + log 2 r mk(n − k) + log 2 r mn + log 2 r |sk| r(p + 1) 2 + l(p + 1) 2 k + n k + n m(k + n) m(k + n) |pk| l(p + 1) 2 n n mn mn Rsp.step cost b = 0, 2 2(p + 1) log 2 (p + 1) + r(p + 1) 2 n log n + k n log n + k m 2 + n 2 + mk m 2 + n 2 + mk Response step cost b = 1 3l(p + 1) 2 2n 2n 2mn 2mn Concrete parameters for λ ∼ 128 λ = log 2 (A) 130 128 128 124 124 a more precise estimation of the parameters. It would also be interesting to understand if there exists some quantum acceleration that allows simplifying the decoding and if a signature scheme derived from our proposed identification protocol can be used as a quantum-resistant signature scheme. Further improvements of the scheme might include the reduction of the the communication cost, either by reducing the cheating probability from 2/3 to 1/2 or by finding a way of reducing the response size in the case of the challenge b = 1. Finally, it would be interesting to compare our protocol with other instantiations of it using generalizations of the p-Fibonacci sequences, such as those based on Fibonacci polynomials sequences [19] or Fibonacci M p -sequences [20]. Institutional Review Board Statement: Not applicable.

Informed Consent Statement: Not applicable.
Data Availability Statement: Not applicable.

Conflicts of Interest:
The authors declare no conflicts of interest.

Appendix A. Toy Example
To help the reader in the understanding of the protocol, in this section, we present a toy example of the execution of the zero-knowledge proof, using the following public parameters: r = 2, p = 3, n = 5, and l = 6. In this case, the security level of the scheme is λ = 16.
The message M must be represented as a (p + 1) × (p + 1) matrix over N <2 r \ {0}, i.e., whose entries are r-bit strings representing a positive integer less than 2 r = 4. For this reason, we consider M such that its bit size |M|, which can also be seen as the dimension of the code, is r(p + 1) 2 = 32, whereas the length of the code is l(p + 1) 2 = 96.
The fifth power of the p Fibonacci matrix Q n p is: The private key and public key are generated by the algorithm given in Figure 1. Specifically, we have that the private key sk is the pair (M, E), i.e., Note that R ∈ M p+1 (N <2 l ), where each entry of the matrix has at most l bits (Proposition 2) with l ≤ r + log 2 (p + 1) + (n − 1) log 2 α 1 = 6, and the bit size of R is 83 bits. Moreover, the bit size of sk and pk is 128 and 96 bits, respectively. Now, we illustrate the steps of the Veron identification protocol in the Fibonacci setting, as depicted in Figure 2.
First, the prover has to generate a random matrix U ∈ M p+1 (N <2 r ), the two random permutations P 1 , P 2 ∈ S p+1 :