Designing a Practical Code-based Signature Scheme from Zero-Knowledge Proofs with Trusted Setup

Abstract. This paper defines a new practical construction for a code-based signature scheme. We introduce a new protocol that is designed to follow the recent paradigm known as "Sigma protocol with helper", and prove that the protocol's security reduces directly to the Syndrome Decoding Problem. The protocol is then converted to a full-fledged signature scheme via a sequence of generic steps that include: removing the role of the helper; incorporating a variety of protocol optimizations (using e.g., Merkle trees); applying the Fiat-Shamir transformation. The resulting signature scheme is EUF-CMA secure in the QROM, with the following advantages: a) security relies on only minimal assumptions and is backed by a long-studied NP-complete problem; b) the trusted setup structure allows for obtaining an arbitrarily small soundness error. This minimizes the required number of repetitions, thus alleviating a major bottleneck associated with Fiat-Shamir schemes. We outline an initial performance estimation to confirm that our scheme is competitive with respect to existing solutions of similar type.


Introduction
Most of the public-key cryptosystems currently in use are threatened by the development of quantum computers. Due to Shor's algorithm [37], for example, the widely used RSA and Elliptic-Curve Cryptography (ECC) will be rendered insecure as soon as a large-scale functional quantum computer is built. To prepare for this scenario, there is a large body of active research aimed at providing alternative cryptosystems for which no quantum vulnerabilities are known. The earliest among those is the McEliece cryptosystem [33], which was introduced over four decades ago, and relies on the hardness of decoding random linear codes. Indeed, a modern rendition of McEliece's scheme [4] is one of the major players in NIST's recent standardization effort for quantum-resistant public-key cryptographic schemes [1].
Lattice-based cryptosystems play a major role in NIST's process, especially due to their impressive performance figures. Yet, code-based cryptography, the area comprising the McEliece cryptosystem and its offspring, provides credible candidates for the task of key establishment (other examples being HQC [34] and BIKE [5], both admitted to the final round as "alternates"). The situation, however, is not the same when talking about digital signatures. Indeed, NIST identified a shortage of alternatives to lattice-based candidates, to the point of planning a reopening of the call for proposals (see for instance [2]).
There is a long history of code-based signatures, dating back to Stern's work [38], which introduced a Zero-Knowledge Identification Scheme (ZKID). It is known that ZKIDs can be turned into full-fledged signature schemes via the Fiat-Shamir transformation [26]. Stern's first proposal has since been extended, improved and generalized (e.g., [40,27,20]). However, all of these proposals share a common drawback: a high soundness error, ranging from 2/3 to (asymptotically close to) 1/2. This implies that the protocol requires multiple repetitions and leads to very long signatures. Other schemes, based on different techniques, have also been proposed in the literature. Trapdoor-based constructions (e.g., [21,22]) usually suffer from a problem strictly connected to the (Hamming) code-based setting: to be precise, unlike the case of the RSA-based Full-Domain Hash (FDH) and similar schemes, a randomly chosen syndrome is, in general, not decodable. This makes signing very slow, since multiple attempts need to be made, and furthermore leads to parameter choices for the underlying linear codes that yield very large public keys. This issue is somewhat mitigated in [22], although key sizes are still large (3.2 MB for 128 security bits) and signing is still hindered by complex sampling techniques. Protocols based on code equivalence (e.g., [19,11]) show promising performance numbers, yet are very new and require further study before becoming established; the attack presented in [15], for instance, suggests that the exact hardness of the code equivalence problem has yet to be established in practice. Finally, there exists a literature on schemes using a different metric, such as the rank metric [28,6] or the "restricted" metric [7].
All of these schemes typically show very good performance, yet the hardness of the underlying problems is also not fully trusted; for instance, RankSign was broken in [23], Durandal attacked in [8], and the scheme of [7] appears to be vulnerable to subset-sum solvers.
Our Contribution. We present a new code-based zero-knowledge scheme that improves on the existing literature by featuring an arbitrarily low soundness error, typically equal to the reciprocal of the size q of the underlying finite field. This allows us to greatly reduce the number of repetition rounds needed to obtain the target security level, consequently reducing the signature size. To do this, our construction leverages the recent approach by Katz et al. [29], using a Multi-Party Computation (MPC) protocol with preprocessing. More concretely, we design a "Sigma protocol with helper", following the nomenclature of [16]. We then show how to convert it to a full-fledged signature scheme and provide an in-depth analysis of various techniques utilized to refine the protocol. Our scheme is equipped with a wide range of optimizations, to balance the added computational cost that stems from the MPC construction. In the end, we are able to achieve very satisfactory performance figures, with a very small public key, and rather short signatures.
It is worth remarking on security aspects. First of all, our scheme rests on an incredibly solid basis: the security of the main building block, in fact, is directly connected to the Syndrome Decoding Problem (SDP). To the best of our knowledge, the only other code-based schemes to do so are the original Stern construction and its variants which, however, pay a heavy price in terms of signature size. Our signature scheme is obtained via standard theoretical tools, which exploit the underlying zero-knowledge and naturally do not add any vulnerabilities. In the end, we obtain a scheme which is secure in the QROM with strong security guarantees and minimal assumptions. We deem this as a very important feature of our proposal.

Preliminaries
We will use the following conventions throughout the rest of the paper:
- a : a scalar
- a : a vector
- A : a matrix
- A : a function or algorithm
- A : a protocol
- I_n : the n × n identity matrix
- λ : a security parameter
- [a; b] : the set of integers {a, a + 1, . . . , b}

Coding Theory
An [n, k]-linear code C of length n and dimension k over F_q is a k-dimensional vector subspace of F_q^n. It is usually represented in one of two ways. The first identifies a matrix G ∈ F_q^{k×n}, called generator matrix, whose rows form a basis for the vector space, i.e., C = {uG, u ∈ F_q^k}. The second way, instead, describes the code as the kernel of a matrix H ∈ F_q^{(n−k)×n}, called parity-check matrix, i.e., C = {x ∈ F_q^n : xH^⊤ = 0}. Linear codes are usually measured using the Hamming weight, which corresponds to the number of non-zero positions in a vector. Isometries for the Hamming metric are given by monomial transformations τ = (v; π) ∈ F_q^{*n} ⋊ S_n, i.e., permutations combined with scaling factors. In this paper, we will denote by FWV(q, n, w) the set of vectors of length n with elements in F_q and fixed Hamming weight w. The parity-check representation for a linear code leads to the following well-known problem.
Definition 1 (Syndrome Decoding Problem (SDP)). Let C be a code of length n and dimension k defined by a parity-check matrix H ∈ F_q^{(n−k)×n}, and let s ∈ F_q^{n−k}, w ≤ n. Find e ∈ F_q^n such that eH^⊤ = s and e is of weight w.
SDP was proved to be NP-complete for both the binary and q-ary cases [14,12], and is thus a solid base to build cryptography on. In fact, the near-entirety of code-based cryptography relies more or less directly on SDP. The main solvers for SDP belong to the family of Information-Set Decoding (ISD); we will expand on this when discussing practical instantiations and parameter choices, in Section 5.
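As a toy illustration of Definition 1, the following Python sketch samples a random parity-check matrix together with a fixed-weight error, and checks a candidate solution; all function names are ours, chosen for illustration, and the parameters are far too small to be cryptographically meaningful.

```python
# Toy Syndrome Decoding instance over F_q, matching Definition 1
# (eH^T = s, weight(e) = w). Function names are illustrative.
import random

def sample_sdp(q, n, k, w, seed=0):
    rng = random.Random(seed)
    H = [[rng.randrange(q) for _ in range(n)] for _ in range(n - k)]
    e = [0] * n
    for pos in rng.sample(range(n), w):   # w random non-zero coordinates
        e[pos] = rng.randrange(1, q)
    s = [sum(h * x for h, x in zip(row, e)) % q for row in H]
    return H, s, e

def is_solution(H, s, q, w, e):
    weight_ok = sum(x != 0 for x in e) == w
    syndrome_ok = all(sum(h * x for h, x in zip(row, e)) % q == si
                      for row, si in zip(H, s))
    return weight_ok and syndrome_ok

H, s, e = sample_sdp(q=7, n=12, k=6, w=4)
assert is_solution(H, s, 7, 4, e)
```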

Technical Tools
We recall here the characteristics of a Sigma protocol with helper, as formalized in [16]. This is an interactive protocol between three parties (which we model as PPT algorithms): a prover P = (P_1, P_2), a verifier V = (V_1, V_2) and a trusted third party H called helper. The protocol takes place in the following phases:
I. Setup: the helper takes a random seed seed as input, generates some auxiliary information aux, then sends the former to the prover and the latter to the verifier.
II. Commitment: the prover uses seed, in addition to his secret sk, to create a commitment c and sends it to the verifier.
III. Challenge: the verifier selects a random challenge ch from the challenge space and sends it to the prover.
IV. Response: the prover computes a response rsp using ch (in addition to his previous information), and sends it to the verifier.
V. Verification: the verifier checks the correctness of rsp, then checks that this was correctly formed using aux, and accepts or rejects accordingly.
A Sigma protocol with helper is expected to satisfy the following properties, which are closely related to the standard ones for ZK protocols:
- Completeness: if all parties follow the protocol correctly, then the verifier always accepts.
- 2-Special Soundness: given an adversary A that outputs two valid transcripts (aux, c, ch, rsp) and (aux, c, ch′, rsp′) with ch ≠ ch′, it is possible to extract a valid secret sk.
- Special Honest-Verifier Zero-Knowledge: there exists a probabilistic polynomial-time simulator algorithm that is capable, on input (pk, seed, ch), of outputting a transcript (aux, c, ch, rsp) which is computationally indistinguishable from one obtained via an honest execution of the protocol.
Of course, the existence of a helper party fitting the above description is not realistic, and thus it is to be considered just a technical tool to enable the design of the protocol. In Section 3.2, we will show the details of the transformation to convert a Sigma protocol with helper into a customary 3-pass ZK protocol.
The design of such a protocol will crucially rely on several building blocks, in addition to those coming from coding theory. In particular, we employ a non-interactive commitment function Com : {0, 1}^λ × {0, 1}^* → {0, 1}^{2λ}. The first λ bits of input, chosen uniformly at random, guarantee that the input message is hidden in a very strong sense, as captured in the next definition.
Definition 2. Given an adversary A, we define the two following quantities:

Adv^Bind(A) = Pr[ (r, x) ≠ (r′, x′) ∧ Com(r, x) = Com(r′, x′) : (r, x, r′, x′) ← A(1^λ) ],
Adv^Hide(A) = | Pr[A(Com(r, x)) = 1] − Pr[A(Com(r, x′)) = 1] |, with r ← {0, 1}^λ uniform.

We say that Com is computationally binding if, for all polynomial-time adversaries A, the quantity Adv^Bind(A) is negligible in λ. We say that Com is computationally hiding if, for all polynomial-time adversaries A and every pair (x, x′), the quantity Adv^Hide(A) is negligible in λ.
Informally, the two properties defined above ensure that nothing about the input is revealed by the commitment and that, furthermore, it is infeasible to open the commitment to a different input.
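A common way to instantiate such a commitment in practice is via a hash function; the sketch below uses SHA-256 with λ = 128, so outputs are 2λ = 256 bits. This instantiation is our illustrative assumption, not a choice fixed by the paper.

```python
# Hash-based sketch of Com : {0,1}^λ × {0,1}^* → {0,1}^{2λ}.
# Here λ = 128 bits and Com(r, x) = SHA-256(r || x).
import hashlib, os

LAMBDA_BYTES = 16  # λ = 128 bits

def commit(r: bytes, x: bytes) -> bytes:
    assert len(r) == LAMBDA_BYTES
    return hashlib.sha256(r + x).digest()  # 32 bytes = 2λ bits

r = os.urandom(LAMBDA_BYTES)
c = commit(r, b"message")
# revealing the opening (r, x) lets anyone recheck the commitment
assert commit(r, b"message") == c
assert commit(r, b"message'") != c
```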

The New Scheme
We begin by describing the new Sigma protocol with helper, below.

Public Data
Parameters q, n, k, w ∈ N, a full-rank matrix H ∈ F_q^{(n−k)×n} and a commitment function Com : {0, 1}^λ × {0, 1}^* → {0, 1}^{2λ}.

Private Key
A vector e ∈ FWV(q, n, w).

Public Key
The syndrome s = eH^⊤.

Security
We now proceed to prove that the scheme satisfies the three fundamental properties of a Sigma protocol with helper, which we described in Section 2.2.
Soundness: intuitively, this is based on the fact that enforcing τ to be an isometry is equivalent to checking that ẽ has the correct weight. In fact, we want to show that, given two transcripts that differ in the challenge, we are able to extract a solution for SDP. Consider then the two transcripts (aux, c, z, r, r_z, τ, y) and (aux, c, z′, r′, r′_z, τ′, y′) with z ≠ z′. Now let t = τ(y)H^⊤ − zs and t′ = τ′(y′)H^⊤ − z′s. By the binding properties of the commitment (hash etc.), the verifier only accepts if c = Com(r, τ, t) = Com(r′, τ′, t′), so in particular this implies τ = τ′ and t = t′. Since the helper computed everything honestly, and aux is properly formed, the verifier also requires that c_z = Com(r_z, u + zẽ) = Com(r_z, y) and c_{z′} = Com(r′_z, u + z′ẽ) = Com(r′_z, y′), from which it follows, respectively, that y = u + zẽ and y′ = u + z′ẽ. We now put all the pieces together, starting from t = t′, τ = τ′ and substituting in. We obtain that

τ(u + zẽ)H^⊤ − zs = τ(u + z′ẽ)H^⊤ − z′s.

Rearranging and gathering common terms leads to (z − z′)τ(ẽ)H^⊤ = (z − z′)s and, since z ≠ z′, we conclude that τ(ẽ)H^⊤ = s. It follows that τ(ẽ) is a solution to SDP, as desired. Note that this can easily be calculated since y − y′ = (z − z′)ẽ, from which ẽ can be obtained and hence τ(ẽ) (since τ is known).
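The extraction step at the end of the soundness argument can be sketched as follows. The encoding of τ as a permutation plus scaling factors is an illustrative convention of ours (coordinate i is moved to position tau_perm[i] and scaled by tau_scale[i]); it is not fixed by the paper.

```python
# Knowledge-extractor sketch: given two accepting transcripts with z ≠ z',
# recover ẽ = (y − y')/(z − z') coordinate-wise over F_q, then apply τ.
q = 251  # a prime modulus, so that (z − z') is invertible

def extract(y, y2, z, z2, tau_perm, tau_scale):
    inv = pow((z - z2) % q, -1, q)                  # (z − z')^(-1) in F_q
    e_tilde = [((a - b) * inv) % q for a, b in zip(y, y2)]
    out = [0] * len(e_tilde)                        # apply τ = (v; π)
    for i, x in enumerate(e_tilde):
        out[tau_perm[i]] = (tau_scale[i] * x) % q
    return out

# two honest transcripts: y = u + z·ẽ and y' = u + z'·ẽ
u, e = [3, 5, 0, 7], [0, 2, 0, 9]
z, z2 = 10, 20
y = [(a + z * b) % q for a, b in zip(u, e)]
y2 = [(a + z2 * b) % q for a, b in zip(u, e)]
sol = extract(y, y2, z, z2, tau_perm=[1, 0, 3, 2], tau_scale=[1, 2, 3, 4])
assert sol == [4, 0, 36, 0]   # = τ(ẽ)
```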
Zero-knowledge: it is easy to prove that no knowledge is leaked by honest executions. To show this, we construct a simulator which proceeds as follows. It takes as input H, s, a challenge z and the seed. The simulator then reconstructs aux, r_z and y = u + zẽ, having obtained u and ẽ from the seed. It then selects a random permutation π and computes t = π(y)H^⊤ − zs. Finally, it generates a randomness r, calculates the commitment as c = Com(r, π, t), and outputs a transcript (aux, c, z, r, r_z, π, y). It is easy to see that such a transcript passes verification, and in fact it is identical to the one produced by an honest prover, with the exception of π being used instead of τ.

Removing the Helper
We now explain how the protocol above can be converted into a standard Zero-Knowledge protocol (without the artificial helper). The main idea is to use a "cut-and-choose" technique, as suggested by Katz et al. [29]. The simplest way to accomplish this is the following. The prover can simulate the work of the helper by performing all the duties of the precomputation phase; namely, the prover is able to generate a seed, run the Setup process to obtain aux and generate the protocol commitment c. The verifier can then hold the prover accountable by asking to do this several times, and then querying on a single random instance, that gets executed. The other instances still get checked, by simply using the respective seeds, which get transmitted along with the protocol response of the one selected instance. To be more precise, we give below a schematic description of the new protocol.
Public Data, Private Key, Public Key: same as in Fig. 1.

[Fig. 2: Schematic description of the protocol without helper. The prover runs the Setup phase for N instances himself; after the verifier selects an instance I and a challenge ch, the prover computes rsp^(I) = P_2(ch, seed^(I)) and sends rsp^(I) together with the seeds {seed^(i)}_{i≠I} to the verifier, who executes instance I and recomputes the setups of all other instances from the revealed seeds.]

It is possible to see that this new protocol yields a zero-knowledge proof of knowledge. More specifically, we have the following result.
Theorem 1. Let P be a Sigma protocol with helper with challenge space C, and let I be the identification protocol described in Figure 2. Then I is an honest-verifier zero-knowledge proof of knowledge with challenge space [0; N−1] × C and soundness error ε = max{1/N, 1/|C|}.
A proof was given in [17, Theorem 3] in all generality. In our case the challenge space is F_q, a challenge is a random value z ∈ F_q, and therefore we have |C| = q. The protocol can then be iterated, as customary, to obtain the desired soundness error of 2^−λ; namely, the protocol is repeated t times, with t = ⌈−λ/ log ε⌉. Katz et al. [29] also show how it is possible to improve on parallel repetition, by using a more sophisticated approach. In order to have a clearer description of the costs, we postpone the discussion on this approach until the end of the next section.
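The repetition count from the formula above can be computed directly; the comparison with a Stern-like soundness error of 2/3 is included to illustrate why a small ε matters so much for signature size.

```python
# Number of repetitions t = ceil(−λ / log2 ε) with ε = max{1/N, 1/|C|}.
import math

def repetitions(lam: int, N: int, C_size: int) -> int:
    eps = max(1.0 / N, 1.0 / C_size)
    return math.ceil(-lam / math.log2(eps))

# with |C| = q = 256 and N = 256 setups per round, ε = 2^−8 and t = 16
assert repetitions(128, 256, 256) == 16
# compare with Stern-like protocols, where ε = 2/3 forces t = 219
assert math.ceil(-128 / math.log2(2 / 3)) == 219
```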

Obtaining a Signature Scheme
The standard way to obtain a signature scheme from a ZKID is the Fiat-Shamir transformation. In fact, this allows one to securely convert an interactive scheme (identification) into a non-interactive one (signature). To be precise, the following theorem, stating the security of a generalized version of the Fiat-Shamir transformation, was proved in [3].
Theorem 2. Let I be a canonical identification protocol that is secure against impersonation under passive attacks. Let S = FS(I) be the signature scheme obtained applying the Fiat-Shamir transformation to I. Then, S is secure against chosen-message attacks in the random oracle model.
The main idea is to replace the interaction with the verifier in the challenge step with an automated procedure. Namely, the prover can generate the challenge by himself, by computing it as a hash value of the message and commitment. The signature will consist of the commitment and the corresponding response. The verifier can then regenerate the challenge himself, and proceed with the same verification steps as in the identification protocol. The process is summarized below, where we indicate with ℓ the length of the challenge.
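The challenge derivation can be sketched as follows; SHAKE-256 as the hash and the byte encodings are our illustrative assumptions.

```python
# Fiat-Shamir sketch: the challenge is a hash of message and commitment,
# so the verifier can recompute it; ell is the challenge bit-length.
import hashlib

def fs_challenge(m: bytes, com: bytes, ell: int) -> int:
    digest = hashlib.shake_256(m + com).digest((ell + 7) // 8)
    return int.from_bytes(digest, "big") % (1 << ell)

ch = fs_challenge(b"message to sign", b"protocol commitment", ell=8)
assert 0 <= ch < 2 ** 8
# signing and verifying derive the same challenge from the same inputs
assert ch == fs_challenge(b"message to sign", b"protocol commitment", ell=8)
```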

[Figure: Signature and verification algorithms obtained via the Fiat-Shamir transformation; verification takes as input the public data, the public key, the message m and the signature σ.]

Note that the security result in Theorem 2 is intentionally vague, as the exact result depends on the specific security notions defined for identification and signature schemes. In our case, we rely on the fact that the underlying identification scheme provides honest-verifier zero-knowledge, with negligible soundness error, to achieve EUF-CMA security (see for example [30]). Moreover, note that, as per the theorem statement, security depends on the hash function being modeled as a random oracle. This could, in principle, generate doubts about whether such a scheme would still be secure in the scenario that considers an adversary equipped with quantum capabilities. However, following some recent works [24,31], we are able to claim that applying Fiat-Shamir to our identification scheme is enough to produce a signature scheme whose EUF-CMA security is preserved in the Quantum Random Oracle Model (QROM). The author in [17, Theorem 3] argues that the schemes satisfy the collapsing property, although this property is not explicitly defined in the paper. Thus, we present its definition below, following the generalized version of [24].
Definition 3. Let R : X × Y → {0, 1} be a relation with |X| and |Y| superpolynomial in the security parameter λ, and define the following two games for any polynomial-time two-stage adversary A = (A_1, A_2), where X and Y are quantum registers of dimension |X| and |Y|, respectively, M denotes a measurement in the computational basis, and applying R to quantum registers is done by computing the relation coherently and measuring it. We say that R is collapsing from X to Y if an adversary cannot distinguish the two experiments when the relation holds, i.e., if for all adversaries A the advantage in distinguishing the two games is negligible in λ. The above property allows to show that a Sigma protocol has quantum computationally unique responses, which is necessary to achieve existential unforgeability in the QROM. We then have the following result.
Theorem 3. Let Com and PRNG be modeled as quantum random oracles. Then, the signature scheme obtained by applying the Fiat-Shamir transformation to the scheme in Fig. 2 is EUF-CMA secure in the QROM.
Proof. We follow the steps of [17, Theorem 4], and note that these are standard (for instance, they are similar to those given for the proof of the Picnic signature scheme; see Section 6.1 of [24]). First, consider the setup algorithm, which consists of expanding a randomness seed using PRNG, generating values accordingly, and then committing to them using Com. Note that, since Com is modeled as a quantum random oracle, it is collapsing, as shown in [39]. As for PRNG, this is injective with overwhelming probability (as the output is much longer than the input), and so is the computation of the values derived from it. Since the composition of collapsing functions is also collapsing, as shown in [25], and composing a collapsing function with an injective one preserves collapsingness, we conclude that the setup algorithm is overall collapsing. Next, we examine protocol responses: these consist only of preimages of Com (the commitment openings) and preimages of the setup algorithm, and thus we are able to argue that the protocol has quantum computationally unique responses, as mentioned above. The thesis then follows by applying Theorems 22 and 25 from [24].

Communication Cost and Optimizations
Several optimizations are presented in [17], albeit in a rather informal way. Moreover, these are all combined together and nested into each other, so that, in the end, it is quite hard to have a clear view of the full picture. Here, we strive to present the optimizations in full detail, one at a time, show how they can all be applied to our protocol, and illustrate their impact on the communication cost. To begin, we analyze the communication cost of a single iteration of the protocol, before any optimizations are applied. This consists of several components:
- N copies of the auxiliary information aux^(i), each consisting of q hash values;
- N copies of the commitment c^(i), each consisting of a single hash value;
- the index I and the challenge z, respectively an integer and a field element;
- the protocol response (r, r_z, τ, y), consisting of two λ-bit randomness strings, an isometry, and a length-n vector with elements in F_q;
- the N − 1 seeds {seed^(i)}_{i≠I}, each a λ-bit string.
The bit-length of most of the objects listed above is self-explanatory. For linear isometries, recall from Section 2.1 that these are composed of a permutation, combined with scaling factors. The former can be compactly represented with a list of entries using n⌈log n⌉ bits, while the latter amount to n non-zero field elements (each corresponding to ⌈log q⌉ bits). This leads to the following formula for the communication cost (in bits):

2λqN + 2λN + ⌈log N⌉ + 2λ + n⌈log n⌉ + (2n + 1)⌈log q⌉ + λ(N − 1),   (1)

where all logarithms are assumed to be in base 2. Note that we have chosen to leave the above formula in its unsimplified version, in order to highlight all the various components. This will be helpful when analyzing the impact of the different optimizations.
Protocol Commitments. The first optimization that we discuss regards the commitments c^(i); we choose to present this first, because it involves the first verifier check, and also because it can serve as a blueprint for other optimizations. Now, note that the prover transmits N copies of c^(i), but only one of them is actually employed in the verification (the one corresponding to instance I). It follows that the transmission cost can be reduced by employing a Merkle tree T of depth d = ⌈log N⌉, whose leaves are associated to c^(0), . . . , c^(N−1).
To be more precise, we define a function MerkleTree, that uses a collision-resistant hash function Hash_tree : {0, 1}^* → {0, 1}^{2λ}, and, on input a list of elements (a_0, . . . , a_{2^d−1}), generates a Merkle tree in the following way. First, generate the leaves as

T_{d,l} = Hash_tree(a_l),   (2)

for 0 ≤ l ≤ 2^d − 1. Then, the internal nodes are created, starting from the leaves and working upwards, as

T_{u,l} = Hash_tree(T_{u+1,2l} || T_{u+1,2l+1}),   (3)

for 0 ≤ u < d and 0 ≤ l ≤ 2^u − 1. Only the root of the tree, root = T_{0,0}, needs to be initially transmitted to the verifier; the prover will then include the authentication path of the tree in his response, after receiving the challenge. By authentication path, we mean the list of the hash values corresponding to the siblings of the nodes on the path from the leaf to the root. This can be used as input to a function ReconstructRoot, together with the corresponding leaf, to recalculate root, by using the supplied nodes inside (3). In our case, using a tree T_c = MerkleTree(c^(0), . . . , c^(N−1)) and transmitting only its root and a path, the component 2λN in Equation (1) is reduced to 2λ(1 + ⌈log N⌉).
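The tree-building and root-reconstruction mechanics can be sketched as follows, instantiating Hash_tree with SHA-256; the helper names mirror, but are not identical to, the functions named in the text.

```python
# Sketch of MerkleTree / authentication path / ReconstructRoot.
import hashlib

H = lambda data: hashlib.sha256(data).digest()

def merkle_tree(leaves_data):
    """Build a full Merkle tree; leaves_data has 2^d entries."""
    level = [H(a) for a in leaves_data]
    tree = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        tree.append(level)
    return tree  # tree[-1][0] is the root

def auth_path(tree, leaf_index):
    """Siblings of the nodes on the path from the leaf to the root."""
    path, idx = [], leaf_index
    for level in tree[:-1]:
        path.append(level[idx ^ 1])  # sibling at this level
        idx //= 2
    return path

def reconstruct_root(leaf_data, leaf_index, path):
    node, idx = H(leaf_data), leaf_index
    for sib in path:
        node = H(node + sib) if idx % 2 == 0 else H(sib + node)
        idx //= 2
    return node

leaves = [bytes([i]) for i in range(8)]   # N = 8, d = 3
tree = merkle_tree(leaves)
root = tree[-1][0]
assert reconstruct_root(leaves[5], 5, auth_path(tree, 5)) == root
```

Only the 2λ-bit root plus d sibling hashes cross the channel, instead of all N commitments.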
Auxiliary Information. We now illustrate how to deal with the cost of transmitting the N copies of the auxiliary information aux (i) . This can be greatly reduced, using two distinct optimizations.
First, notice that only one out of the q commitment values is employed in a single protocol execution, namely, in the second verifier check. This means that we can again use a Merkle tree, with a setup similar to the previous optimization; in this case, the leaves will be associated to the values {c_v | v ∈ F_q}. Thus, once more, only the root needs to be transmitted initially, and the authentication path can be included in the response phase. Accordingly, the component 2λqN in Equation (1) is reduced to 2λN(1 + ⌈log q⌉).
Furthermore, we can look at the previous improvement in another light: only one of the N instances is actually executed, while the other ones are simply checked by recomputing the setups using the seeds. Thus, there is no need to transmit all N copies of aux^(i), even in the above simplified version consisting of root + path. Instead, the prover can compute a hash of the roots, send it to the verifier, and include in his response only the authentication path for instance I. In the verification phase, the root for instance I is computed via protocol execution, while the other roots are recomputed via the seeds {seed^(i)}_{i≠I}; then, the verifier hashes the newly-computed roots and checks the resulting value against the transmitted one. In the end, with this second technique, the component 2λN(1 + ⌈log q⌉) that we previously obtained is reduced to 2λ(1 + ⌈log q⌉).
Seeds. We are going to use a binary tree again, to reduce the communication cost associated with the N − 1 seeds sent by the prover along with his response. However, this is not going to be a Merkle tree; instead, in this case, the tree is built starting from the root (i.e., the opposite of what one does to build Merkle trees). The prover begins by choosing a random seed to be the root of the tree. He then uses a pseudo-random generator PRNG : {0, 1}^λ → {0, 1}^{2λ} to generate the internal nodes.
To be precise, we define a function SeedTree that, on input seed, generates a full binary tree as follows. First, set T_{0,0} = seed. Then, each node T_{u,l} generates two children as (T_{u+1,2l} || T_{u+1,2l+1}) = PRNG(T_{u,l}), for 0 ≤ u ≤ d − 1 and 0 ≤ l ≤ 2^u − 1, where d = ⌈log N⌉. In the end, the tree will produce N values as leaves, which are going to be exactly the N seeds to be used in the protocol. Now, one seed is used and the remaining N − 1 need to be made available to the verifier. Indeed, seed^(I) should not be revealed, so the prover cannot transmit the root of the tree. Instead, the prover transmits the list path_seed of the d internal nodes that are "companions", i.e. siblings to the parents (and grandparents etc.) of seed^(I). An illustration is given in Fig. 4. With this technique, the component λ(N − 1) in Equation (1) is reduced to just λ⌈log N⌉. For more details about the "Seed Tree" primitive, we refer to [18], where an extensive treatment is given.

Executions. We are now ready to discuss the more sophisticated approach of Katz et al. [29], which will yield better performance compared to a simple parallel repetition of the protocol. The main idea is to modify the "cut-and-choose" technique as follows. Currently, the protocol precomputes N distinct instances and only executes one, then repeats this process t times; thus, one has to precompute a total of tN instances, out of which only t are executed. As mentioned above, this leads to a soundness error of 2^−λ = ε^t, where ε = max{1/N, 1/q} (in our setting, ε = 1/N). Instead, the same soundness error can be obtained by having a larger number of instances, say M, but executing a subset of them, rather than just one; this entirely avoids the need for repetition. In fact, as explained in [17], the soundness error, in this case, is bounded above by

max_{0 ≤ e ≤ s} { ( C(M−e, s−e) / C(M, s) ) · (1/q)^{s−e} },   (4)

where s is the number of executed instances (which are indexed by a set S ⊆ {0, . . .
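A SeedTree sketch follows, instantiating PRNG with SHAKE-256 (an assumption of ours) so that a λ-bit node expands to two λ-bit children.

```python
# SeedTree sketch: PRNG : {0,1}^λ → {0,1}^{2λ} via SHAKE-256, λ = 128.
import hashlib

LAM = 16  # λ in bytes

def prng(seed: bytes) -> bytes:
    return hashlib.shake_256(seed).digest(2 * LAM)

def seed_tree(root_seed: bytes, depth: int):
    levels = [[root_seed]]
    for _ in range(depth):
        nxt = []
        for node in levels[-1]:
            out = prng(node)
            nxt += [out[:LAM], out[LAM:]]
        levels.append(nxt)
    return levels  # levels[-1] holds the N = 2^depth leaf seeds

def companions(levels, hidden_leaf):
    """The d 'companion' nodes: siblings along the hidden leaf's path."""
    path, idx = [], hidden_leaf
    for depth in range(len(levels) - 1, 0, -1):
        path.append((depth, idx ^ 1, levels[depth][idx ^ 1]))
        idx //= 2
    return path  # all leaves except hidden_leaf derive from these nodes

levels = seed_tree(b"\x00" * LAM, depth=3)   # N = 8 leaf seeds
assert len(levels[-1]) == 8
assert len(companions(levels, hidden_leaf=5)) == 3   # d = log N nodes
```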
, M − 1}) and e ≤ s is a parameter that indicates how many instances are incorrectly precomputed by an adversary. Note that, for these instances, the adversary would not be able to produce the values seed^(i), and therefore the only chance he has to win is if the verifier chooses to execute exactly all such instances; this happens with probability equal to C(M−e, s−e)/C(M, s). The remaining term in Equation (4) is given by the probability of answering correctly (which is 1/q) in each of the remaining s − e instances. For a formal proof of this fact, we refer the reader to [29].
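The bound of Equation (4) is easy to evaluate numerically when selecting parameters; the values of M, s and q below are illustrative, not a proposed parameter set.

```python
# Soundness bound of Equation (4):
# max over 0 <= e <= s of C(M−e, s−e)/C(M, s) · (1/q)^(s−e).
from math import comb

def soundness_error(M: int, s: int, q: int) -> float:
    return max(comb(M - e, s - e) / comb(M, s) * float(q) ** -(s - e)
               for e in range(s + 1))

err = soundness_error(M=512, s=32, q=256)   # illustrative parameters
assert 0.0 < err < 1.0
assert err >= float(256) ** -32   # the e = 0 term is always included
```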
In terms of communication cost, the total amount for the method using plain parallel repetition is given by t times the cost of one execution, refined with the previous optimizations. This is given (in bits) by

t ( 2λ(1 + ⌈log N⌉) + 2λ(1 + ⌈log q⌉) + λ⌈log N⌉ + C_cr ),   (5)

where we have simplified to C_cr = 2λ + ⌈log N⌉ + n⌈log n⌉ + (2n + 1)⌈log q⌉ the cost of transmitting the challenge and response, which is fixed. In comparison, with the new method, the various tree roots need only be transmitted once. This would lead to the following total cost (again, in bits)

2λ + 2λ + s ( 2λ⌈log M⌉ + 2λ⌈log q⌉ + λ⌈log M⌉ + C_cr ),   (6)

with C_cr = 2λ + ⌈log M⌉ + n⌈log n⌉ + (2n + 1)⌈log q⌉. While the number of instances necessarily increases (i.e. M > N), the number of executions remains about the same as for the case of parallel repetition (i.e. s ≈ t). Since the former number appears only logarithmically in the cost, while the latter is linear, the above optimization allows to greatly reduce the total number of setups needed (from tN down to M) without increasing communication cost.
It is worth commenting on the behavior of some of the logarithmic terms in Equation (6), which correspond to the different trees used in the various optimizations. First of all, since the executed instances are chosen among the same set, all of the commitments {c^(i)} are taken from a single tree. In this case, the different authentication paths will present some common nodes, and one could think that fewer nodes are necessary in practice. However, considering the ratio of s to M, such an intersection is rather small and would probably not lead to a meaningful reduction in cost. Thus, for ease of analysis, we choose to leave the term 2sλ⌈log M⌉ as it is, which is an upper bound.
For the tree of the {seed^(i)}, instead, there is a noticeable cost reduction. In this case, in fact, it is not necessary to send multiple paths. Instead, the required M − s seeds can all be obtained in batch using a variable number of nodes, which depends on the position of the chosen leaves; an illustration is given in Fig. 5.
With simple computations, one can find that, in the worst case, the number of nodes which must be transmitted is given by

s ⌈log(M/s)⌉.   (7)

Conservatively, we will then estimate the cost as λ times this number, and substitute this in Equation (6), obtaining the final cost formula (again, in bits):

2λ + 2λ + s ( 2λ⌈log M⌉ + 2λ⌈log q⌉ + C_cr ) + λs⌈log(M/s)⌉.   (8)

To visually illustrate the particularity of this construction, we provide an example in the next figure. To give a complete picture, that sums up all the optimizations we consider, we present a schematic description below.
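A rough size estimator, following the cost components discussed in this section, can be written in a few lines. The formula is our reconstruction and the parameters are placeholders, so the output should be treated as indicative only.

```python
# Rough signature-size estimate (bits) from the per-component costs above:
# tree roots, s authentication paths, batched seed nodes, and s responses.
from math import ceil, log2

def signature_size_bits(lam: int, q: int, n: int, M: int, s: int) -> int:
    c_cr = 2 * lam + ceil(log2(M)) + n * ceil(log2(n)) + (2 * n + 1) * ceil(log2(q))
    roots = 2 * lam + 2 * lam            # commitment root + hash of aux roots
    paths = s * (2 * lam * ceil(log2(M)) + 2 * lam * ceil(log2(q)))
    seeds = lam * s * ceil(log2(M / s))  # worst-case seed-tree nodes
    return roots + paths + seeds + s * c_cr

# illustrative parameters only; not a proposed parameter set
assert signature_size_bits(128, 256, 256, M=512, s=32) > 0
```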

Public Data
Parameters q, n, k, w ∈ N, a full-rank matrix H ∈ F_q^{(n−k)×n} and a commitment function Com : {0, 1}^λ × {0, 1}^* → {0, 1}^{2λ}.

Private Key
A vector e ∈ FWV(q, n, w).

Public Key
The syndrome s = eH^⊤.

Practical Considerations
We now move on to a discussion about practical instantiations. We start by summarizing some important facts about SDP.
As a first consideration, note that, once one fixes the code parameters (i.e., the values of q, k and n), the difficulty of solving SDP depends heavily on the weight w of the searched solution. Generically, hard instances are those in which the ratio w/n is outside the range [ (q−1)/q · (1 − k/n) ; (q−1)/q + k/(nq) ] (for a detailed discussion about this topic, we refer the interested reader to [22, Section 3]). Roughly speaking, the problem is hard when the weight of the solution is either high or low: in the first case SDP admits multiple solutions, while in the latter case we essentially expect to have a single solution. In this paper we will consider the low weight regime: as is essentially folklore in coding theory, for random codes the hardest instances are obtained when w is close to the Gilbert-Varshamov (GV) distance, which is defined as

d(q, n, k) = max { d ∈ N : Σ_{i=0}^{d−1} C(n, i)(q − 1)^i ≤ q^{n−k} }.

In such a regime, the best SDP solvers are known as ISD algorithms, as we mentioned in Section 2.1. Introduced by Prange in 1962 [36], ISD techniques have attracted significant interest over the years, which has ultimately led to strong confidence in their performance. In particular, for the case of non-binary codes, the state of the art is represented by Peters' algorithm [35], proposed in 2010 and still unbeaten in practice. In our scheme we will always set w = d(q, n, k) and, to guarantee a security of λ bits, will choose parameters q, n and k so that the complexity resulting from Peters' ISD [35] is at least 2^λ.
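The GV distance used to set w can be computed directly from its defining inequality; the sketch below follows the definition as reconstructed above.

```python
# Gilbert–Varshamov distance: the largest d such that
# sum_{i=0}^{d−1} C(n, i)(q − 1)^i <= q^(n−k).
from math import comb

def gv_distance(q: int, n: int, k: int) -> int:
    total, d = 0, 0
    while d <= n and total + comb(n, d) * (q - 1) ** d <= q ** (n - k):
        total += comb(n, d) * (q - 1) ** d
        d += 1
    return d

assert gv_distance(2, 7, 4) == 2   # binary [7, 4] code
```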
Taking the above reasoning into account, we have devised several parameter sets, for different values of M. The resulting parameters are reported in Table 1. We observe that our scheme offers an interesting trade-off between signature size and computational efficiency: increasing M leads to a significant reduction in the signature size, but this comes at the cost of an increased number of operations for signing and verification. Indeed, we expect the computational overhead to be dominated by the computation of hash functions, whose number grows proportionally to Mq (these are required to obtain the M values of {aux^(i)}). Optimization of the scheme can leverage a choice of efficient primitives for such short-input hashes. In addition, we note that these hashes operate on independent inputs, so software and hardware implementations can benefit from parallelization.
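The Mq scaling and the independence of the hash inputs can be illustrated with a small sketch. The input encoding (seed concatenated with the setting index i and the value α) is a hypothetical choice for illustration, not the encoding fixed by the scheme.

```python
import hashlib

def compute_aux(master_seed: bytes, M: int, q: int):
    """Sketch: compute the M*q short-input hashes forming the aux^(i) values.
    Each hash depends only on (seed, i, alpha), so the calls are mutually
    independent and can be evaluated in any order, or in parallel."""
    aux = []
    for i in range(M):
        row = []
        for alpha in range(q):
            h = hashlib.sha256(master_seed
                               + i.to_bytes(4, "big")
                               + alpha.to_bytes(4, "big")).digest()
            row.append(h)
        aux.append(row)
    return aux
```

Since no hash call reads the output of another, a vectorized or multi-threaded implementation can process all Mq inputs in batches.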
Remark 1. We note that, in order to decrease the algorithmic complexity of the scheme, one can reduce the size of the challenge space. Recall that, in the commitment phase, the prover uses all the values from F_q to prepare the values aux^(i); this means that, for each setting, the prover has to compute a Merkle tree having q leaves in the base layer. Essentially the same operations are repeated by the verifier and, as we have already said, we expect this step to be the most time-consuming. Instead, to select the challenges (and consequently, to prepare the aux^(i) values), one can use a subset C ⊆ F_q of size q′ < q. By doing so, the computational cost decreases greatly. On the other hand, the soundness error also changes, since in (4) we need to replace q with q′, and thus the code parameters may have to change accordingly; however, this has very little impact on the communication cost, which essentially remains unchanged (in fact, it may become slightly smaller if representing the challenges requires fewer bits).
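The savings from shrinking the challenge set can be quantified by counting hash calls in the Merkle tree construction. The sketch below uses SHA-256 and duplicates the last node on odd levels; these are illustrative choices, not the paper's fixed instantiation.

```python
import hashlib

def merkle_root(leaves):
    """Build a Merkle tree over the given leaves; return (root, hash_calls)."""
    level = [hashlib.sha256(x).digest() for x in leaves]
    calls = len(level)
    while len(level) > 1:
        if len(level) % 2:            # duplicate last node on odd-sized levels
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
        calls += len(level)
    return level[0], calls

# A full tree over q leaves costs about 2q - 1 hash calls, so restricting the
# challenge set from q to q' leaves cuts this step roughly by a factor q/q'.
q, q_prime = 256, 64
_, full = merkle_root([bytes([b]) for b in range(q)])
_, reduced = merkle_root([bytes([b]) for b in range(q_prime)])
```

Here the reduced tree needs 127 calls instead of 511, matching the roughly linear-in-q′ cost of the commitment phase.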
Remark 2. We would also like to point out that, while we have chosen all values of q to be powers of 2, this does not have to be the case. For the smallest parameter sets, for example, we estimate that a practical choice would be either q = 2^8 or the prime q = 251. In both cases, the arithmetic in the chosen field F_q can be implemented efficiently. For example, for the case q = 2^8, note that Intel has recently introduced (as of the microarchitecture codenamed "Ice Lake") the Galois Field New Instructions (GF-NI). These instructions (namely VGF2P8AFFINEINVQB, VGF2P8AFFINEQB and VGF2P8MULB) allow software to compute multiplications and inversions in F_{2^8} over the wide registers available on AVX512 architectures.
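For platforms without GF-NI, F_{2^8} multiplication is a short shift-and-reduce loop. The sketch below uses the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 purely for illustration; the scheme is free to fix a different irreducible polynomial.

```python
def gf256_mul(a: int, b: int, poly: int = 0x11B) -> int:
    """Multiply a, b in F_{2^8} = F_2[x]/(poly).
    poly = 0x11B encodes x^8 + x^4 + x^3 + x + 1 (the AES polynomial),
    chosen here only as an example modulus."""
    r = 0
    for _ in range(8):
        if b & 1:           # add (XOR) the current shift of a
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:       # reduce modulo the field polynomial
            a ^= poly
    return r
```

In a batched implementation, VGF2P8MULB performs 64 such multiplications per instruction on a 512-bit register.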
To explain the potential of our scheme, we present next a comparison with the current landscape of code-based signature schemes. Note that most of the considered schemes make use of a public matrix which, however, does not depend on the private key. As suggested, for instance, in [6], this matrix can be generated from a seed and, consequently, its size can be excluded from the calculations relative to the public key (it is instead included in the column "Public data"). We have taken this into account when computing the various figures for the schemes considered in Table 2. Note that the original papers of Durandal [6] and LESS-FM [11] already do this, while we have recomputed the public key size for the following schemes: Stern [38], Veron [40], CVE [20] and cRVDC [13]. In the comparison we have also included Wave [22], which is based on the hash-and-sign framework and does not make use of any additional public matrix. The results in Table 2 capture the status of code-based signatures, highlighting the advantages and disadvantages of each type of approach. For the schemes that work with multiple repetitions of a single-round identification protocol (namely, Stern, Veron, CVE and cRVDC), we have extremely compact public keys, at the cost of rather large signatures. In this light, our scheme presents a clear improvement, as its signature size is smaller in all cases. On the other hand, the most compact signatures are obtained with Wave which, unfortunately, needs very large public keys. Durandal, which follows a modified version of the Schnorr-Lyubashevsky approach [32], yields very good performance overall; however, like cRVDC, the scheme is based on the rank metric and thus relies on relatively recent security assumptions, which are sometimes ad hoc and whose security is not yet completely understood [23,9,10,8].
Still, our work compares well with such schemes, for example when considering the sum of the public key and signature sizes, a measure which is relevant in several situations where key/signature pairs are transmitted, as in TLS. Finally, we have included figures for the LESS-FM scheme, which is constructed via a very different method, exploiting the group action associated with the notion of code equivalence. Thanks to this, the scheme is able to leverage various techniques aimed at manipulating public key and signature sizes; this leads to a trade-off between the two, with an overall high degree of flexibility (as is evident from the three parameter sets). In all cases, our scheme presents a clear advantage, especially when considering the size of the public key.