A New Code-Based Identity-Based Signature Scheme from the Ternary Large-Weight SDP

Abstract

Identity-based cryptography introduced by Shamir (Crypto’84) has seen many advances through the years. In the context of post-quantum identity-based schemes, most of the efficient designs are based on lattices. In this work, we propose an identity-based identification (IBI) scheme and an identity-based signature (IBS) scheme based on codes. Our design combines the hash-and-sign signature scheme, Wave, with a Stern-like signature scheme, BGKM-SIG1, instantiated over a ternary field using the large-weight Syndrome Decoding Problem (SDP). Our scheme significantly outperforms existing code-based identity-based signature constructions.

1. Introduction

Key management has been a challenging problem faced by cryptographers for many years. Public-key cryptography ($\mathsf{PKC}$) emerged as a solution to this challenge and eliminated the need to share the keys securely as a prerequisite for secure communication over adversarial channels. However, this posed a new challenge since now the participants were required to authenticate the public keys; otherwise, malicious parties could easily impersonate benign users. Public-key infrastructure ($\mathsf{PKI}$) attempted to solve this issue by providing certificates issued by trusted entities validating the authenticity of the keys.

Identity-based cryptography introduced by Shamir [1] envisioned a novel solution to this problem, where the parties could use recipients’ identities (such as unique email $\mathsf{id}$, name, etc.) to encrypt the data, or the signer’s identity to verify the digital signatures. This eliminated the need to maintain public directories for the public keys or certificates; however, in identity-based cryptographic schemes, the entities cannot generate their private keys on their own. The keys must be generated by a trusted third party and sent to the user. The trusted entity also holds a system-wide secret called the master-secret key. The master-secret key is used to generate user-specific private keys from their identity after verifying the identity of the user (offline). An important work related to this paper is [1,2,3] which proposed a general framework for constructing identity-based identification ($\mathsf{IBI}$) and identity-based signature ($\mathsf{IBS}$) schemes from standard signature and identification schemes.

The recent extensive research on quantum computing has driven a significant acceleration in post-quantum cryptography ($\mathsf{PQC})$, which aims to replace the current cryptographic primitives that are based on integer factorization and discrete logarithm problems with quantum-safe alternatives, as those problems are already proven to be insecure once a large-scale quantum computer becomes feasible due to Shor’s algorithm [4].

Code-based cryptography is one of the oldest and most promising areas in $\mathsf{PQC}$ that is believed to be quantum-safe. The most heavily used problem in code-based cryptography is the decoding problem, which is stated as follows:

Problem 1

(Syndrome Decoding Problem $\mathsf{SDP}$). Given a matrix $\mathbf{H}\leftarrow \${\mathbb{F}}_q^{(n-k)\times n}$, a syndrome $\mathit{s}\leftarrow \${\mathbb{F}}_q^{n-k}$ and $w\in \mathbb{N}$, find a vector $\mathit{e}\in {\mathbb{F}}_q^n$ such that $\mathit{e}{\mathbf{H}}^{\top }=\mathit{s}$ and $\left|\mathit{e}\right|=w$.

This can be seen as solving a linear system over the finite field ${\mathbb{F}}_q$ but with a specific constraint on the Hamming weight ($|.|$) of the desired solution, and for a suitable choice of this weight w, $\mathsf{SDP}$ is believed to be hard to solve.

Despite the rapid improvements in the area of code-based signatures in the last few years [5,6,7], there are still only a few proposals in the literature regarding advanced signature primitives. Moreover, most existing ones are mainly initiated from the $\mathsf{CFS}$ scheme [8] and the Stern identification scheme [9]. The $\mathsf{CFS}$ is the first code-based hash-and-sign signature scheme; it can be seen as an adaptation of the Niederreiter cryptosystem [10] (using Goppa codes) into a hash-and-sign signature. However, the construction itself requires the code rate to be high, which consequently invalidates the claim of the indistinguishability of Goppa codes from random ones [11]. In addition, the sizes it provides are very large, making it unattractive for use in constructing other primitives. Specifically, the first code-based $\mathsf{IBI}/\mathsf{IBS}$ scheme was proposed by Cayrel et al. [12]; their proposal essentially combines the $\mathsf{CFS}$ scheme with the Stern identification scheme ($\mathsf{m}$-$\mathsf{CFS}$-$\mathsf{Stern}$). However, this approach results in impractical sizes and is insecure with the proposed parameters, as it employs Goppa codes with a high rate. Later, Alaoui et al. [13] proposed a new $\mathsf{IBI}/\mathsf{IBS}$ employing the quasi-dyadic $\mathsf{CFS}$ signature [14], which was later shown to be vulnerable [15,16]. Two other subsequent works [17,18] mainly focused on proving the active and concurrent security of the $\mathsf{IBI}$. The work of Yang et al. [17] proves that $\mathsf{m}$-$\mathsf{CFS}$-$\mathsf{Stern}$-$\mathsf{IBI}$ [12] is secure under active attacks, and they used the $\mathsf{OR}$-proof technique [19] to enhance the security from the passive to concurrent one. Similarly, Song and Zhao [18] made the same contribution using the $\mathsf{PVR}$ signature scheme [20] instead of $\mathsf{CSF}$, yielding significantly larger sizes, as shown in

Table 1. Estimated sizes of existing code-based $\mathsf{IBS}$ schemes and our proposed scheme.

Scheme	$\mathsf{mpk}$	$\mathsf{usk}$	Signature	Security
$\mathsf{PVR}$-$\mathsf{IBS}$ [18]	30 MB	240 bit	35 MB	$2^{80}$
$\mathsf{LESS}$-$\mathsf{IBS}$ [5]	$0.20574$ MB	$15.43$ KB	$30.23$ KB	$2^{128}$
$\mathsf{Wave}$-$\mathsf{IBS}$  (this work)	$3.67739$ MB	$0.896$ KB	22 KB	$2^{128}$

. A more efficient $\mathsf{IBS}$ scheme was proposed by Barenghi et al. [5] constructed entirely from the $\mathsf{LESS}$ signature scheme [21], which is currently a candidate for $\mathsf{NIST}$’s additional call for post-quantum signature standardization. $\mathsf{LESS}$ is a signature scheme derived from transforming a zero-knowledge identification scheme into a signature using the Fiat–Shamir transform [22]; its security differs from the widely used $\mathsf{SDP}$ by relying on the Code-Equivalence Problem ($\mathsf{CEP}$) which asks: given two linear codes represented by their corresponding generator matrices, decide whether they are equivalent or not.

From the $\mathsf{CFS}$ to the $\mathsf{PVR}$, another code-based signature scheme enjoying short signatures and belonging to the category of hash-and-sign called $\mathsf{Wave}$ was proposed by Debris-Alazard et al. [23]. $\mathsf{Wave}$ [6,23] is based on the $\mathsf{GPV}$ framework [24] which utilizes a new family of trapdoor one-way preimage functions that are sampleable on average. In addition to the indistinguishability problem, it relies on the multi-target version of $\mathsf{SDP}$ [25] over the ternary field for a large weight, which was later proven to be harder than the binary one by Bricout et al. [26]. Furthermore, we add that $\mathsf{Wave}$ is the only scheme belonging to the hash-and-sign family that has remained secure, where the recent schemes $\mathsf{Enhanced}\mathsf{pqsigRM}$ [27] and $\mathsf{FuLeeca}$ [28] have been proven to be insecure due to signature leakages [29,30]. Therefore, in this work, we aim to construct a post-quantum $\mathsf{IBI}/\mathsf{IBS}$ scheme based mainly on $\mathsf{Wave}$ and the $\mathsf{SDP}$ in the large-weight setting. A choice that will improve previous code-based $\mathsf{IBS}$ schemes in terms of the size of the user secret key and the signature.

1.1. Contribution

We construct an identity-based identification scheme $\mathsf{Wave}$-$\mathsf{IBI}$, which combines the $\mathsf{Wave}$ signature scheme with a Stern-like identification scheme and proves its security against passive attacks. We also introduce an optimization technique for compressing the size of low or large-weight ternary vectors. This reduces the size of all recent $\mathsf{Wave}$ instances, and consequently, the size of the user secret key $\mathsf{usk}$, achieving a compression gain of $5\%$ to $10\%$. Using this compression alongside optimizations from Bidoux et al. [7], our $\mathsf{Wave}$-$\mathsf{IBS}$ combining $\mathsf{Wave}$ [6] and the signature scheme derived from proof of knowledge proposed by Bidoux et al. $\mathsf{BGKM}$-$\mathsf{SIG}1$ [7] outperforms the existing code-based $\mathsf{IBS}$ as shown in Table 1. In particular, we employed the $\mathsf{BGKM}$-$\mathsf{SIG}1$ adapted to the full-weight $\mathsf{SDP}$ ($w=n$) over the ternary field rather than the binary one.

1.2. Organization

The organization of the paper is as follows. Section 2 covers the necessary preliminaries, including background on identity-based identification and signature schemes, as well as a description of the original $\mathsf{Wave}$ signature scheme, which forms the core of our constructions. Section 3 is dedicated to describing our main code-based identity-based identification scheme, for which we rigorously prove security against passive attacks. In Section 4, we describe our identity-based signature that we construct following the generic approach presented in [1,2,3] by taking $\mathsf{Wave}$ [6] as the first signature and $\mathsf{BGKM}$-$\mathsf{SIG}1$ [7] based on full-weight $\mathsf{SDP}$ over the ternary field as the second one. Furthermore, we propose an improved compression that reduces the size of large-weight ternary vectors, and hence optimizes both of the size of the user’s secret key and signature as they contain ternary large-weight vectors. We also discuss the parameters chosen for our scheme and briefly describe how they should be selected to balance security and efficiency.

2. Preliminaries

2.1. Notation

For the rest of the paper, we will employ the following conventions:

• General

q	a prime number
${\mathbb{F}}_q$	a finite field of order q
$S_n$	group of permutations
$〚x,y〛$$(x,y\in \mathbb{N})$	the set of integers $\{x,x+1,\dots ,y\}$
$\#\mathcal{I}$ or $\left|\mathcal{I}\right|$ ($\mathcal{I}$ a set)	the cardinal of the set
$\overline{\mathcal{I}}$ ($\mathcal{I}$ a subset of $〚a,b〛$)	is the complementary of $\mathcal{I}.$

• A function is called negligible if for all sufficiently large $\lambda \in \mathbb{N}$, $\mathsf{negl}\left(\lambda \right)<{\lambda }^{-c}$, for all constant $c>0$.

• Vectors and Matrices

$\mathit{x}\in {\mathbb{F}}_q^n$	a row vector with n coordinates in ${\mathbb{F}}_q$
${\mathit{x}}^{\top }$	a column vector which is the transpose of $\mathit{x}$
$\left|\mathit{x}\right|$ ($\mathit{x}\in {\mathbb{F}}_q^n$)	the Hamming weight: number of non-zero entries in $\mathit{x}$
${\mathcal{S}}_w$	subset of vectors in ${\mathbb{F}}_q^n$ of Hamming weight w
$\mathit{x}\star \mathit{y}$	component-wise product
${\mathit{x}}_{\mathcal{I}}$	vector $\mathit{x}$ with only the coordinates indexed by $\mathcal{I}$, ${\left({\mathit{x}}_i\right)}_{i\in \mathcal{I}}$
$X\in {\mathbb{F}}_q^{m\times n}$	$(m,n)$-matrix with entries in ${\mathbb{F}}_q$
${\mathrm{GL}}_n\left({\mathbb{F}}_q\right)$	group of invertible square matrices of size n with entries in ${\mathbb{F}}_q$

• Probability for a finite set $\mathcal{I}$, the notation $i\leftarrow \$\mathcal{I}$ indicates that i is assigned to be an element chosen uniformly at random from $\mathcal{I}$ while $i\stackrel{\$,\theta }{⟵}\mathcal{I}$ indicates that i is assigned to be an element chosen uniformly at random using the seed $\theta$. We denote the uniform distribution on ${\mathcal{S}}_w$ by ${\mathcal{U}}_w$. The statistical distance between two discrete probability distributions over the same space $\mathcal{E}$ is defined as ${\displaystyle \rho ({\mathcal{D}}_0,{\mathcal{D}}_1)\frac{1}{2}\sum _{x\in \mathcal{E}}|{\mathcal{D}}_0\left(\mathit{x}\right)-{\mathcal{D}}_1\left(\mathit{x}\right)|}$.

2.2. Sigma Protocol and Identity-Based Identification

For a binary relation $R\subset {\{0,1\}}^{\ast }\times {\{0,1\}}^{\ast }$, $(y,x)\in R$ indicates that y is a statement and x is a witness for y. The set of statements y that admit a witness x is denoted by $L_R$, i.e., $L_R=\{y\mid \exists x$ such that $(y,x)\in R\}$, while the set of witnesses for a statement y is denoted by $R\left(y\right)$, i.e., $R\left(y\right)=\{x\mid (y,x)\in R\}$. R is said to be an NP relation if the validity of a witness x can be verified in time $\mathrm{poly}\left(\right|y\left|\right)$.

Definition 1

(Interactive proof [31]). An interactive proof $(\mathsf{P},\mathsf{V})$ for a relation R is an interactive protocol between two probabilistic polynomial-time machines; a prover $\mathsf{P}$ and a polynomial-time verifier $\mathsf{V}$. It allows a prover to convince a verifier that it knows a witness x for a public statement y, where both $\mathsf{P}$ and $\mathsf{V}$ take as public input the statement y and, additionally, $\mathsf{P}$ takes as private input the witness $x\in R\left(y\right)$, which is denoted $\left(\mathsf{P}\left(x\right),\mathsf{V}\right)\left(y\right)$. The verifier $\mathsf{V}$ outputs accept depending on whether the prover’s claim of knowing a witness $x\in R\left(y\right)$. Accordingly, we say the corresponding transcript is valid or invalid.

Definition 2

(Knowledge Soundness [31]). An interactive protocol proof $(\mathsf{P},\mathsf{V})$ for a relation R is knowledge sound with error ${\epsilon }_{KS}:{\{0,1\}}^{\ast }\to [0,1]$ if there exists PPT algorithm $\mathsf{Ext}$ called extractor such that for every prover ${\mathsf{P}}^{\ast }$ and every y, if ${\mathsf{P}}^{\ast }$ convinces the verifier $\mathsf{V}$ with probability $\epsilon (y,{\mathsf{P}}^{\ast })>{\epsilon }_{\mathsf{KS}}\left(y\right)$, i.e., $Pr[({\mathsf{P}}^{\ast },\mathsf{V})\left(y\right)=1]>{\epsilon }_{\mathsf{KS}}\left(y\right)$, then ${\mathsf{Ext}}^{{\mathsf{P}}^{\ast }}\left(y\right)$ outputs a witness $x\in R\left(y\right)$ with probability

$$Pr[(y;{Ext}^{{\mathsf{P}}^{\ast }}\left(y\right))\in R]\ge {\displaystyle \frac{\epsilon \left(y,{\mathsf{P}}^{\ast }\right)-{\epsilon }_{\mathsf{KS}}\left(y\right)}{poly\left(\right|y\left|\right)}}.$$

Definition 3

(k-special Soundness [31]). Let k and $N\in \mathbb{N}$ such that $k\le N$. A 3-round interactive protocol proof $(\mathsf{P},\mathsf{V})$ for a relation R and a challenge set of cardinality N where the $\mathsf{V}$’s random choices are public is said to be k-special sound if there exists a polynomial-time algorithm that, on input of a statement y and k accepting transcripts $\left(\mathsf{com},{\mathsf{ch}}_1,{\mathsf{res}}_1\right),\dots ,\left(\mathsf{com},{\mathsf{ch}}_k,{\mathsf{res}}_k\right)$ with common first message $\mathsf{com}$ and pairwise distinct challenges ${\mathsf{ch}}_1,\dots ,{\mathsf{ch}}_k$, outputs a witness $x\in R\left(y\right)$.

Corollary 1.

Let k and $N\in \mathbb{N}$ such that $k\le N$. Let $(\mathsf{P},\mathsf{V})$ be a k-special-sound 3-round interactive protocol for a relation R, where $\mathsf{V}$ samples each challenge uniformly at random from the challenge set of cardinality N. Then, $(\mathsf{P},\mathsf{V})$ is knowledge sound with knowledge error

$${\epsilon }_{KS}={\displaystyle \frac{k-1}{N}}.$$

Remark 1.

Corollary 1 is a consequence of [31] (Theorem 4) for the special case $\mu =1$, i.e., when $(\mathsf{P},\mathsf{V})$ is a 3-round interactive protocol.

Definition 4.

An interactive proof $(\mathsf{P},\mathsf{V})$ is called honest-verifier zero-knowledge (HVZK) if there exists a polynomial-time simulator that on input $y\in L_R$ outputs an accepting transcript that has close distribution to the transcripts generated by honest executions. If the simulator proceeds by first sampling the verifier’s messages uniformly at random, then $(\mathsf{P},\mathsf{V})$ is called special honest-verifier zero-knowledge (SHVZK).

Definition 5

($\mathsf{IBI}$ [3]). An identity-based identification scheme consists of a quadruplet of polynomial-time algorithms $\mathsf{IBI}=\left(\mathsf{MKGen},\mathsf{UKGen},\mathsf{P},\mathsf{V}\right)$, called master-key generation, user-key generation, proving algorithm (run by the prover), and verifying algorithm (run by a verifier), respectively.

• $\mathsf{MKGen}$: On input $1^{\lambda }$, where λ is a security parameter, returns a master-public and secret key pair $(\mathsf{mpk},\mathsf{msk})$.
• $\mathsf{UKGen}$: On input $\mathsf{msk}$ and identity $\mathsf{id}\in {\{0,1\}}^{\ast }$, it outputs a user secret key $\mathsf{usk}$, which is assumed to be securely communicated to the user with the identity $\mathsf{id}$. In some cases, we allow the $\mathsf{UKGen}$ algorithm to output additional auxiliary information $\mathsf{aux}$ which can be shared publicly/with a verifier during the interactive protocol without compromising the secret information.
• $\left(\mathsf{P},\mathsf{V}\right)$ Identification protocol: interactive protocol between a prover $\mathsf{P}$ with inputs $\left(\mathsf{mpk},\mathsf{id},\mathsf{usk}\right)$ and a verifier $\mathsf{V}$ with inputs $\left(\mathsf{id},\mathsf{mpk}\right)$. The protocol ends when $\mathsf{V}$ outputs $\mathsf{accept}$ or $\mathsf{reject}$.

Definition 6

($\mathsf{IBI}$ Security [3,32,33]). An identity-based identification $\mathsf{IBI}=\left(\mathsf{MKGen},\mathsf{UKGen},\mathsf{P},\mathsf{V}\right)$ is secure against impersonation under passive(pa), active(aa), concurrent(ca) attack if

$${\mathsf{Adv}}_{\mathcal{A},\mathsf{IBI}}^{\mathrm{imp}-\mathrm{atk}}\left(\lambda \right):=Pr[{\mathrm{Expt}}_{\mathcal{A},\mathsf{IBI}}^{\mathrm{imp}-\mathrm{atk}}\left(\lambda \right)=1]\mathit{is}\mathit{negligible},$$

where λ is the security parameter, $atk\in \{pa,aa,ca\}$ and ${\mathrm{Expt}}_{\mathcal{A},\mathsf{IBI}}^{\mathrm{imp}-\mathrm{atk}}\left(\lambda \right)$ is described in the following:

• Experiment ${\mathrm{Expt}}_{\mathcal{A},\mathsf{IBI}}^{\mathrm{imp}-\mathrm{atk}}\left(\lambda \right)$:

• $\mathsf{Setup}:$ The challenger obtains $(\mathsf{mpk},\mathsf{msk})\leftarrow \mathsf{MKGen}\left(1^{\lambda }\right)$, and initializes the sets/lists $HU,CU,AU,PS$ into ∅, where: $HU$ is the honest users set, $CU$ is the corrupted users set, $AU$ is the attacked user set, and $PS$ is the prover’s session set.
• Phase 1: the adversary $\mathcal{A}$ is allowed to query three different oracles, $\mathsf{Initialize}$, $\mathsf{Corrupt}$ and $\mathsf{Conversation}$ oracle if $atk=pa$, otherwise, the $\mathsf{Conversation}$ is replaced by $\mathsf{Prove}$ oracle.

  –

  $\mathsf{Initialize}\left(\mathsf{id}\right):$ if $\mathsf{id}\in HU\cup CU\cup AU$, then it returns ⊥. Otherwise, it updates the set $HU\leftarrow HU\cup \left\{\mathsf{id}\right\}$ and runs $\mathsf{UKGen}(\mathsf{msk},\mathsf{id})$ to obtain a user secret key $\mathsf{usk}\left(\mathsf{id}\right)$ that will be kept secret and returns 1 at the end.

  –

  $\mathsf{Corrupt}\left(\mathsf{id}\right):$ if $\mathsf{id}\in \overline{HU}\cup CU\cup AU$, then it returns ⊥. Otherwise, it updates the sets $CU\leftarrow CU\cup \left\{\mathsf{id}\right\}$, $HU\leftarrow HU\setminus \left\{\mathsf{id}\right\}$, and returns $\mathsf{usk}\left(\mathsf{id}\right)$.

  –

  $\mathsf{Conversation}\left(\mathsf{id}\right):$ if $\mathsf{id}\notin HU\setminus AU$, then it returns ⊥. Otherwise, it returns a conversation transcript $C\leftarrow \mathit{Run}\left(\mathsf{P}\left(\mathsf{id},\mathsf{usk}\left(\mathsf{id}\right),\mathsf{mpk}\right),\mathsf{V}\left(\mathsf{id},\mathsf{mpk}\right)\right)$.

  –

  $\mathsf{Prove}(\mathsf{id},s,m_{\mathit{input}}):$ if $\mathsf{id}\notin HU\setminus AU$, then it returns ⊥. Otherwise, if $atk=aa$: if $PS\ne \varnothing$, it updates $PS=\left\{\right(\mathsf{id},s\left)\right\}$, then, picks a random coin ρ, sets a state for the prover ${\mathsf{St}}_{\mathsf{P}}\left[(\mathsf{id},s)\right]\leftarrow (\mathsf{mpk},\mathsf{usk}\left(\mathsf{id}\right),\rho )$ and becomes $\left(m_{\mathit{output}},{\mathsf{St}}_{\mathsf{P}}\left[(\mathsf{id},s)\right]\right)\leftarrow \mathsf{P}\left(m_{\mathit{input}},{\mathsf{St}}_{\mathsf{P}}\left[(\mathsf{id},s)\right]\right)$. At the end it returns $m_{\mathit{output}}$. Furthermore, if $m_{\mathit{output}}$ is the final message of the protocol, it resets $PS$ back to ∅. Else if $atk=ca$, it updates $PS=PS\cup \left\{\right(\mathsf{id},s\left)\right\}$ and follows exactly the procedure as in $atk=aa$ except that it does not reset $PS$ back to ∅ even if $m_{\mathit{output}}$ is the final message of the protocol.

• Phase 2: the adversary $\mathcal{A}$ reveals the target identity ${\mathsf{id}}_t$ that it will impersonate. If ${\mathsf{id}}_t\notin HU$, the challenger halts; otherwise, it updates the set $AU\leftarrow AU\cup \left\{{\mathsf{id}}_t\right\}$. The adversary $\mathcal{A}$ is still allowed to query the three defined oracles in the first phase (except for ${\mathsf{id}}_t$).

Definition 7.

A digital signature scheme consists of a triple of polynomial-time algorithms, $\mathsf{Sig}=\left(\mathsf{KGen},\mathsf{Sign},\mathsf{Verify}\right)$, called the key-generation algorithm, signing algorithm, and verification algorithm, respectively.

• $\mathsf{KGen}$: on input $1^{\lambda }$, where λ is a security parameter, it generates a public key and secret key pair $(\mathsf{pk},\mathsf{sk})$.
• $\mathsf{Sign}$: on input secret key $\mathsf{sk}$ and a message m, returns a signature σ.
• $\mathsf{Verify}$: on input public key $\mathsf{pk}$, a message m, and the signature σ returns deterministically accept if the message was signed using the legitimate secret key, or reject otherwise.

• A signature scheme is required to satisfy the following property:

Correctness. for all $\lambda \in \mathbb{N}$ and all messages m it holds that

$$Pr\left[\mathsf{Verify}(\mathsf{pk},m,\sigma )=1\mid \begin{array}{c}(\mathsf{pk},\mathsf{sk})\leftarrow \mathsf{KGen}\left(1^{\lambda }\right),\hfill \\ \sigma \leftarrow \mathsf{Sign}(\mathsf{sk},m)\hfill \end{array}\right]=1.$$

Definition 8

(EUF-CMA). A signature scheme $\mathsf{Sig}=\left(\mathsf{KGen},\mathsf{Sign},\mathsf{Verify}\right)$ is secure against existential unforgeability under chosen-message attack (EUF-CMA), if for all (quantum) polynomial-time algorithm $\mathcal{A}$

$$Pr\left[\mathsf{Verify}(\mathsf{pk},m,\sigma )=1\mathrm{and}m\notin {\mathsf{Sign}}_{q-\mathit{list}}|\begin{array}{c}(\mathsf{pk},\mathsf{sk})\leftarrow \mathsf{KGen}\left(1^{\lambda }\right),\hfill \\ (m,\sigma )\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{Sign}}}\left(\mathsf{pk}\right)\hfill \end{array}\right]=1$$

where ${\mathsf{Sign}}_{q-\mathit{list}}$ is the list of all the queries made to the oracle ${\mathcal{O}}^{\mathsf{Sign}}$.

2.3. Identity-Based Signatures

Definition 9

($\mathsf{IBS}$ [3]). An identity-based signature scheme consists of quadrupled polynomial-time algorithms $\mathsf{IBS}=(\mathsf{MKGen},\mathsf{UKGen},\mathsf{Sign},\mathsf{Verify})$, called master-key generation, user-key generation, signing algorithm, and verification algorithm, respectively.

• $\mathsf{MKGen}$: on input $1^{\lambda }$, where λ is a security parameter, returns a master-public and secret key pair $(\mathsf{mpk},\mathsf{msk})$.
• $\mathsf{UKGen}$: on input $\mathsf{msk}$ and identity $\mathsf{id}\in {\{0,1\}}^{\ast }$, it outputs a user secret key $\mathsf{usk}$, which is assumed to be transmitted securely to the user with the identity $\mathsf{id}$.
• $\mathsf{Sign}$: a randomized algorithm that takes on its input a master-public key, a user secret key, and a message, and it returns a signature σ of the message.
• $\mathsf{Verify}$: a deterministic algorithm that on input an identity, a message, a signature σ, and the $\mathsf{mpk}$ returns a decision: accept if σ is a valid signature for m and $\mathsf{id}$, or reject otherwise.

• A third party (or a trusted authority) runs the first two algorithms. An identity-based signature scheme is required to satisfy the following property:

Correctness. for all $\lambda \in \mathbb{N}$, all messages m and for all identities $\mathsf{id}$ it must hold that

$$Pr\left[\mathsf{Verify}(\mathsf{mpk},\mathsf{id},m,\sigma )=1|\begin{array}{c}(\mathsf{mpk},\mathsf{msk})\leftarrow \mathsf{MKGen}\left(1^{\lambda }\right),\hfill \\ \mathsf{usk}\left(\mathsf{id}\right)\leftarrow \mathsf{UKGen}(\mathsf{msk},\mathsf{id}),\hfill \\ \sigma \leftarrow \mathsf{Sign}\left(\mathsf{usk}\right(\mathsf{id}),\mathsf{id},m)\hfill \end{array}\right]=1.$$

Definition 10

(IBS-EUF-CMA). An identity-based signature scheme $\mathsf{IBS}=(\mathsf{MKGen},\mathsf{UKGen},\mathsf{Sign},$$\mathsf{Verify})$ is secure against existential unforgeability under chosen-message attack ($\mathsf{IBS}$-EUF-CMA), if for all (quantum) polynomial-time algorithm $\mathcal{A}$, the following probability is negligible

$$Pr\left[\begin{array}{c}\mathsf{Verify}(\mathsf{mpk},\mathsf{id},m,\sigma )=1,\hfill \\ \mathsf{id}\notin CU,m\notin {\mathsf{Sign}}_{q-\mathit{list}}\left(\mathsf{id}\right)\hfill \end{array}|\begin{array}{c}(\mathsf{mpk},\mathsf{msk})\leftarrow \mathsf{MKGen}\left(1^{\lambda }\right),\hfill \\ (m,\sigma )\leftarrow {\mathcal{A}}^{\mathsf{Initialize},\mathsf{Corrupt}},{\mathcal{O}}^{\mathsf{Sign}}(\mathsf{mpk},\mathsf{id})\hfill \end{array}\right]$$

where $CU$ is the list of all corrupted users, ${\mathsf{Sign}}_{q-\mathit{list}}\left(\mathsf{id}\right)$ is the list of all the queries made to ${\mathcal{O}}^{\mathsf{Sign}\left(\mathsf{usk}\right(\mathsf{id}),·)}$. The oracles $\mathsf{Initialize}\left(\mathsf{id}\right)$ and $\mathsf{Corrupt}\left(\mathsf{id}\right)$ remain consistent with those described in Definition 6.

2.4. Code-Based Cryptography

Throughout the paper, we let $n,k$, and q be positive integers such that $k\le n$.

Definition 11

(Linear code). $(n,k)$-linear code $\mathcal{C}$ over ${\mathbb{F}}_q$ is a k-dimensional subspace of ${\mathbb{F}}_q^n$. The code $\mathcal{C}$ can be represented by its generator matrix $\mathbf{G}\in {\mathbb{F}}_q^{k\times n}$, such that $\mathcal{C}=\left\{\mathit{x}\mathbf{G}\mid \mathit{x}\in {\mathbb{F}}_q^k\right\}$ or by its parity-check matrix $\mathbf{H}\in {\mathbb{F}}_q^{(n-k)\times n}$ such that $\mathcal{C}=\left\{\mathit{x}\in {\mathbb{F}}_q^n\mid \mathit{x}{\mathbf{H}}^{\top }=\mathbf{0}\right\}$.

Problem 2

(Syndrome Decoding Problem $\mathsf{SDP}(n,k,w)$). Given $\mathbf{H}\leftarrow \${\mathbb{F}}_q^{(n-k)\times n}$, a syndrome $\mathit{s}\leftarrow \${\mathbb{F}}_q^{n-k}$ and $w\in \mathbb{N}$, find a vector $\mathit{e}\in {\mathbb{F}}_q^n$ such that $\mathit{e}{\mathbf{H}}^{\top }=\mathit{s}$ and $\left|\mathit{e}\right|=w$.

Remark 2.

The choice of the weight w is crucial for initiating cryptographic schemes using $\mathsf{SDP}$ as the average complexity of the best algorithms solving the problem are polynomial in n when $w\in 〚{\displaystyle \frac{q-1}{q}}(n-k),k+{\displaystyle \frac{q-1}{q}}(n-k)〛$ and becomes exponential outside that range.

2.5. Wave Signature Scheme

$\mathsf{Wave}$ is a hash-and-sign code-based signature scheme initially proposed by Debris-Alazard et al. [23] in 2019 and was submitted to NIST’s post-quantum cryptography ($\mathsf{PQC}$) standardization process [6,34] focusing on additional digital signature schemes. $\mathsf{Wave}$ is constructed using a new family of trapdoor one-way preimage functions that are sampleable on average, which is a relaxed requirement from the definition given in the $\mathsf{GPV}$ framework [24], which upon the lattice-based signature scheme $\mathsf{Falcon}$ [35] was built. Unlike $\mathsf{Falcon}$ that relies on the Short Integer Solution problem ($\mathsf{SIS}$) over the $\mathsf{NTRU}$ lattices, $\mathsf{Wave}$’s security is based on problems from coding theory over the ternary field ${\mathbb{F}}_3$, specifically (i) the multi-target version of $\mathsf{SDP}$ for a large weight that is known as the Decoding One Out of Many $\mathsf{DOOM}$ [25] and (ii) Distinguishing $\mathsf{Wave}$ Keys $\left(\mathsf{DWK}\right)$ (distinguishing a random code from the generalized $(U,U+V)$-code used as the base code for the scheme). Before detailing the description of the scheme, we recall some necessary notions used in constructing the $\mathsf{Wave}$ trapdoor.

From now on $q=3$. Let $n,k_u,k_v\in \mathbb{N}$, where n is even and $0\le k_v\le k_u\le n/2$. Additionally, let $\mathit{a},\mathbf{b},\mathit{c}$ and $\mathit{d}$ be vectors in ${\mathbb{F}}_q^{n/2}$, such that $\forall i\in 〚1,n/2〛$

$$\left\{\begin{array}{c}{\mathit{a}}_i{\mathit{c}}_i\ne \mathbf{0}\hfill \\ {\mathit{a}}_i{\mathit{d}}_i-{\mathbf{b}}_i{\mathit{c}}_i=\mathbf{1}.\hfill \end{array}\right.$$

(1)

Definition 12

($UV$-Normalized Mapping [23]). Let $\mathit{a},\mathbf{b},\mathit{c}$ and $\mathit{d}$ vectors in ${\mathbb{F}}_3^{n/2}$ verifying (1). The map

$$\begin{array}{cc}\hfill \phi :{\mathbb{F}}_q^{n/2}\times {\mathbb{F}}_q^{n/2}& ⟶{\mathbb{F}}_q^{n/2}\times {\mathbb{F}}_q^{n/2}\hfill \\ \hfill (\mathit{x},\mathit{y})& ⟼(\mathit{a}\star \mathit{x}+\mathbf{b}\star \mathit{y},\mathit{c}\star \mathit{x}+\mathit{d}\star \mathit{y})\hfill \end{array}$$

is a bijection called $UV$-normalized mapping.

Definition 13

(Normalized Generalized $(U,U+V)$-Code [23]). Let U and V be two linear codes of length $n/2$ and dimension $k_u$ and $k_v$, respectively, over ${\mathbb{F}}_q$. A Normalized Generalized $(U,U+V)$-Code is defined as:

$$\begin{array}{cc}\hfill \mathcal{C}& :=\left\{\phi ({\mathit{x}}_u,{\mathit{x}}_v):{\mathit{x}}_u\in U\mathrm{and}{\mathit{x}}_v\in V\right\}\hfill \\ & :=\left\{\left(\mathit{a}\star {\mathit{x}}_u+\mathbf{b}\star {\mathit{x}}_v,\mathit{c}\star {\mathit{x}}_u+\mathit{d}\star {\mathit{x}}_v\right):{\mathit{x}}_u\in U\mathrm{and}{\mathit{x}}_v\in V\right\},\hfill \end{array}$$

it has dimension $k:=k_u+k_v$ and admits the following matrix ${\mathbf{H}}_{\mathcal{C}}$ as its parity-check matrix,

$${\mathbf{H}}_{\mathcal{C}}=\left(\begin{array}{cc}\hfill {\mathbf{H}}_U\mathbf{D}& \hfill -{\mathbf{H}}_U\mathbf{B}\\ \hfill -{\mathbf{H}}_V\mathbf{C}& \hfill {\mathbf{H}}_V\mathbf{A}\end{array}\right)$$

where $({\mathbf{H}}_U,{\mathbf{H}}_V)\in {\mathbb{F}}_q^{\left({\displaystyle \frac{n}{2}}-k_u\right)\times {\displaystyle \frac{n}{2}}}\times {\mathbb{F}}_q^{\left({\displaystyle \frac{n}{2}}-k_v\right)\times {\displaystyle \frac{n}{2}}}$ are the parity-check matrices of linear codes U and V. Furthermore, the vectors $\mathit{a},\mathbf{b},\mathit{c},\mathit{d}\in {\mathbb{F}}_q^{n/2}$ satisfy (1), and for $\mathit{x}\in \left\{\mathit{a},\mathit{b},\mathit{c},\mathit{d}\right\}$, $\mathit{X}:=\mathrm{Diag}\left(\mathit{x}\right)\in {\mathbb{F}}_q^{n/2\times n/2}$.

Proposition 1

([23] (Proposition 3)). Let $\mathcal{C}$ be a normalized generalized ternary $(U,U+V)$-code and ${\mathbf{H}}_{\mathcal{C}}$ its associated parity-check matrix.

$$\mathit{Solving}\mathit{e}{\mathbf{H}}_{\mathcal{C}}^{\top }=\mathit{s}\in {\mathbb{F}}_q^{n-k}\mathit{is}\mathit{equivalent}\mathit{to}\mathit{solving}\left\{\begin{array}{c}{\mathit{e}}_u{\mathbf{H}}_U^{\top }={\mathit{s}}_u\in {\mathbb{F}}_q^{n/2-k_u}\hfill \\ {\mathit{e}}_v{\mathbf{H}}_V^{\top }={\mathit{s}}_v\in {\mathbb{F}}_q^{n/2-k_v}\hfill \end{array}\right.$$

where $\mathit{e}=\phi ({\mathit{e}}_u,{\mathit{e}}_v)\in {\mathbb{F}}_q^{n/2}\times {\mathbb{F}}_q^{n/2}$ and $\mathit{s}=({\mathit{s}}_u,{\mathit{s}}_v)\in {\mathbb{F}}_q^{(n/2-k_u)}\times {\mathbb{F}}_q^{(n/2-k_v)}$.

In Figure 1, we recall the original $\mathsf{Wave}$ signature scheme [23]. Let $\lambda$ be a security parameter from which we derive the system parameters $n,w,k=k_u+k_v$. Let $h:{\{0,1\}}^{\ast }⟶{\mathbb{F}}_q^{n-k}$ be a cryptographic hash function that will be modeled as a random oracle in the security proof. Additionally, we consider $\phi$ a $UV$-normalized mapping, ${\mathbf{H}}_U\in {\mathbb{F}}_q^{\left(n/2-k_u\right)\times n/2},{\mathbf{H}}_V\in {\mathbb{F}}_q^{\left(n/2-k_v\right)\times n/2}$, $\mathit{S}\in {\mathrm{GL}}_{n-k}\left({\mathbb{F}}_q\right)$ and a permutation matrix $\mathit{P}\in {\mathbb{F}}_q^{n\times n}$. Each of these elements is chosen uniformly at random from its respective domain. Moreover, we denote ${\mathbf{H}}_{\mathsf{sk}}:={\mathbf{H}}_{\mathcal{C}}$ as defined in Definition 13, where $\mathcal{C}$ is the normalized generalized ternary $(U,U+V)$-code.

The decoding algorithm ${\mathsf{decode}}_{u,v}$ consists of two sub-decoding algorithms. The first one, ${\mathsf{decode}}_v$, is related to the V-code and produces an error ${\mathit{e}}_v$ that solves the second equation in Proposition 1 ${\mathit{e}}_v{\mathbf{H}}_V^t={\mathit{s}}_v\in {\mathbb{F}}_q^{n/2-k_v}$ using Prange’s algorithm [36]. The second decoding algorithm ${\mathsf{decode}}_u$ is related to the U-code and benefits from ${\mathit{e}}_v$ to output an error ${\mathit{e}}_u$ that (i) solves the second equation in Proposition 1 ${\mathit{e}}_u{\mathbf{H}}_U^{\top }={\mathit{s}}_u\in {\mathbb{F}}_q^{n/2-k_u}$ using Prange’s algorithm and that (ii) ensures that $\left|\mathit{e}\right|=\left|\phi \right({\mathit{e}}_u,{\mathit{e}}_v\left)\right|=w$. As with other GPV-like schemes [24], the distribution of $\mathit{e}=\phi ({\mathit{e}}_u,{\mathit{e}}_v)$ output by the decoding algorithm ${\mathsf{decode}}_{u,v}$ must be independent of the trapdoor, i.e., the statistical distance between $\mathit{e}$ and ${\mathit{e}}^{\mathit{unif}}\leftarrow \${\mathcal{S}}_w$ should be negligible. This is achieved in the original $\mathsf{Wave}$ using rejection sampling, which ensures that the signature produced does not reveal anything about the secret. Furthermore, the weight w of the output of the decoding algorithm ${\mathsf{decode}}_{u,v}$ is large, and on average, it is expected to be,

$$w=\left|\mathit{e}\right|=2k_u+{\displaystyle \frac{q-1}{q}}\left(n-2k_u\right),$$

for which the decoding without $sk=(\mathit{P},\mathit{S},{\mathbf{H}}_U,{\mathbf{H}}_V,\phi )$ is hard. In order to demonstrate why it is hard, we shall start by briefly explaining Prange’s algorithm, which is the main core of ${\mathsf{decode}}_{u,v}$. For the sake of simplicity, let’s consider $(\mathbf{H},\mathit{s},w)$ an instance of the $\mathsf{SDP}$. The first step of the Prange algorithm consists of choosing a set $I\leftarrow \$\{1\dots n\}$ of size k and checks whether it is an information set, i.e., ${\mathbf{H}}_{\overline{I}}$ is invertible. If it is not, it chooses another one. By considering the matrix $\overline{\mathbf{H}}:={\mathbf{H}}_{\overline{I}}^{-1}{\mathbf{H}}_I$ and the vector ${\overline{\mathit{s}}}^{\top }:={\mathbf{H}}_{\overline{I}}^{-1}{\mathit{s}}^{\top }$, we get

$$\begin{array}{ccc}{\overline{\mathit{s}}}^{\top }& =& {\mathbf{H}}_{\overline{I}}^{-1}\mathbf{H}{\mathit{e}}^{\top }\hfill \\ & =& {\mathbf{H}}_{\overline{I}}^{-1}({\mathbf{H}}_I{\mathit{e}}_I^t+{\mathbf{H}}_{\overline{I}}{\mathit{e}}_{\overline{I}}^{\top })\hfill \\ & =& \overline{\mathbf{H}}{\mathit{e}}_I^t+{\mathit{e}}_{\overline{I}}^{\top }\hfill \end{array}$$

$$\Rightarrow {\mathit{e}}_{\overline{I}}=\overline{\mathit{s}}-{\mathit{e}}_I{\overline{\mathbf{H}}}^{\top }.$$

• Sampling ${\mathit{e}}_I\leftarrow \${\mathcal{S}}_{w_1}^k$ for $w_1\in 〚0,k〛$ will result a solution to the equation $\mathit{e}{\overline{\mathbf{H}}}^{\top }=\overline{\mathit{s}}$ that has an expected weight $\mathbb{E}\left(\right|\mathit{e}\left|\right)=\mathbb{E}\left(\right|{\mathit{e}}_I|+|{\mathit{e}}_{\overline{I}}\left|\right)=\mathbb{E}\left(\right|{\mathit{e}}_I|+|\overline{\mathit{s}}-{\mathit{e}}_I{\overline{\mathbf{H}}}^{\top }\left|\right)=w_1+{\displaystyle \frac{q-1}{q}}(n-k)\in 〚{\displaystyle \frac{q-1}{q}}(n-k),k+{\displaystyle \frac{q-1}{q}}(n-k)〛$. Going back to ${\mathsf{decode}}_{u,v}$, as we mentioned before, the first decoding algorithm ${\mathsf{decode}}_v$ outputs any solution to the first equation in Proposition 1 using Prange. Since the ${\mathit{e}}_u$ appears twice in $\mathit{e}=\phi ({\mathit{e}}_u,{\mathit{e}}_v)=\left(\mathit{a}\star {\mathit{e}}_u+\mathbf{b}\star {\mathit{e}}_v,\mathit{c}\star {\mathit{e}}_u+\mathit{d}\star {\mathit{e}}_v\right)$, it is used to maximize the weight of target vector $\mathit{e}$, and that by taking ${\left({\mathit{e}}_u\right)}_{I_u}\in {\mathbb{F}}_q^{k_u}$ such that ${\left({\mathit{e}}_u\right)}_{I_u}\notin \{-{\mathit{a}}_{I_u}^{-1}\star {\mathbf{b}}_{I_u}\star {\left({\mathit{e}}_v\right)}_{I_u},-{\mathit{c}}_{I_u}^{-1}\star {\mathit{d}}_{I_u}\star {\left({\mathit{e}}_v\right)}_{I_u}\}$, which implies that $|{\mathit{e}}_{I_u}|=|{\mathit{e}}_{(I_u+{\displaystyle \frac{n}{2}})}|=k_u$. Hence,

  $$\begin{array}{cc}\hfill \mathbb{E}\left(\right|\mathit{e}\left|\right)& =\mathbb{E}\left(\right|\left(\mathit{a}\star {\mathit{e}}_u+\mathbf{b}\star {\mathit{e}}_v,\mathit{c}\star {\mathit{e}}_u+\mathit{d}\star {\mathit{e}}_v\right)\left|\right)\hfill \\ \hfill & =2\left(\mathbb{E}\left(\right|{\mathit{e}}_{I_u}\left|\right)+\mathbb{E}\left(\right|{\mathit{e}}_{{\overline{I}}_u}\left|\right)\right)\hfill \\ \hfill & =2\left(k_u+{\displaystyle \frac{q-1}{q}}({\displaystyle \frac{n}{2}}-k_u)\right)\hfill \\ \hfill & =2k_u+{\displaystyle \frac{q-1}{q}}(n-2k_u)\hfill \end{array}$$

  and since $k=k_u+k_v$, we have $2k_u+{\displaystyle \frac{q-1}{q}}(n-2k_u)\ge k+{\displaystyle \frac{q-1}{q}}(n-k)$ which explains why the weight of the solution the $\mathsf{SDP}$ output by ${\mathsf{decode}}_{u,v}$ in $\mathsf{Wave}$ is hard to find without the trapdoor. We stress again that the original $\mathsf{Wave}$ uses a rejection sampling in its decoding algorithm in order to achieve solutions that are close to the ones that are uniformly distributed in ${\mathcal{S}}_w$. Furthermore, $\mathsf{Wave}$ has been proved to be EUF-CMA secure based on the two following assumptions: the first relies on the hardness of decoding random codes, and the second relies on distinguishing a random code from a normalized generalized $(U,U+V)$-code.

Problem 3

(Decoding One Out of Many $\mathsf{DOOM}(n,k,w,N)$ [25]). Given a matrix $\mathbf{H}\in {\mathbb{F}}_q^{(n-k)\times n}$, ${\left({\mathit{s}}_i\right)}_{i\in 〚1,N〛}\in {\mathbb{F}}_q^{n-k}$, and $w\in \mathbb{N}$, find $\mathit{e}\in {\mathbb{F}}_q^n$ and $i\in 〚1,N〛$ such that $\mathit{e}{\mathbf{H}}^{\top }={\mathit{s}}_i$ and $\left|\mathit{e}\right|=w$.

Problem 4

(Distinguishing Wave Keys Problem $\mathsf{DWK}\left(n,k_u,k_v\right)$ [6] (Problem 3)). Given $\mathbf{H}$$\in {\mathbb{F}}_q^{\left(n-\left(k_u+k_v\right)\right)\times n}$, decide whether $\mathbf{H}$ has been chosen uniformly at random or among parity-check matrices of permuted generalized $(U,U+V)$-codes where U resp. V has dimension $k_u$ resp. $k_v$ and length ${\displaystyle \frac{n}{2}}$.

3. Identity-Based Identification from Wave

In this section, we present the $\mathsf{Wave}$-$\mathsf{IBI}$ scheme and prove its security against passive attacks. Let $\mathsf{Wave}.\mathsf{Sig}=(\mathsf{KGen},\mathsf{Sign},\mathsf{Verify})$ be the triple algorithms defining the $\mathsf{Wave}$ signature scheme, as described in Figure 1. Let h be a hash function that will be modeled as a random oracle; $h:{\{0,1\}}^{\ast }⟶{\mathbb{F}}_q^{n-k}$. Additionally, let $\mathsf{Com}\left(\right)$ be a standard commitment scheme, which, in practice, is assumed to be implemented using a hash function.

The proposed $\mathsf{Wave}$-$\mathsf{IBI}$ scheme is detailed in the following Figure 2.

There are two strategies for impersonating a user with identity $\mathsf{id}$ if x and $\sigma$ were honestly generated using the seeds:

• Strategy 1: replacing ${\mathit{e}}_{\mathsf{id}}$ with an ${\mathit{e}}^{\prime }\in {\mathbb{F}}_q^n$ such that ${\mathit{e}}^{\prime }{\mathbf{H}}^{\top }=\mathit{y}=h(\mathsf{id},i)$, by that, a cheating prover hopes that $b=0$.
• Strategy 2: replacing ${\mathit{e}}_{\mathsf{id}}$ by an arbitrary ${\mathit{e}}^{\prime }\in {\mathbb{F}}_q^n$ of weight w, by that a cheating prover hopes that $b=1$.

Theorem 1.

The identification part of the $\mathsf{Wave}$-$\mathsf{IBI}$ Figure 2 is an honest-verifier zero-knowledge proof of knowledge with a challenge space ${\{0,1\}}^2$, 3-special soundness, and has soundness error of $1/2$.

Proof. 

In the following, we prove the three required properties.

• Completeness. evident from the construction that an honest prover possessing a valid solution to $\mathit{e}{\mathbf{H}}^{\top }=h(id,i)$ of weight w always passes the verification with probability one.
• 3-Special soundness. let $T_0=(\mathbf{H},\mathsf{id},i,\mathsf{com},(b_0,c_0),{\mathsf{res}}_0^{\left(0\right)},{\mathsf{res}}_0^{\left(1\right)})$, $T_1=(\mathbf{H},\mathsf{id},i,\mathsf{com},(b_1,c_1)$, ${\mathsf{res}}_1^{\left(0\right)},{\mathsf{res}}_1^{\left(1\right)})$ and $T_2=(\mathbf{H},\mathsf{id},i,\mathsf{com},(b_2,c_2),{\mathsf{res}}_2^{\left(0\right)},{\mathsf{res}}_2^{\left(1\right)})$ be three valid transcripts sharing the same commitment $\mathsf{com}=({\mathsf{com}}^{\left(0\right)},{\mathsf{com}}^{\left(1\right)})$ and distinct challenges, thus, there exists at least (i)- two valid transcripts with different $c_i$, and (ii)- two other valid transcripts with different $b_i$ with the same $c_i$. From (i)- we can deduce that all the setups were generated honestly, and from (ii)- we can clearly extract the witness by computing ${{\mathsf{res}}^{\left(c_i\right)}\left[3\right]}^{-1}\left({\mathsf{res}}^{\left(c_i\right)}\left[4\right]\right)$.
• Special honest-verifier zero-knowledge. we build a simulator $\mathsf{Sim}$ that can produce an indistinguishable transcript $T_{(b,c)}^{\ast }=(\mathbf{H},\mathsf{id},i,{\mathsf{com}}^{\ast },(b,c),{\mathsf{res}}^{\ast })$ from the one obtained by honest execution of the protocol $T_{(b,c)}$, without knowing a witness, when given $(\mathbf{H},\mathsf{id},i)$, the challenge $(b,c)\in {\{0,1\}}^2$ and the seed ${\left({\theta }^{\left(i\right)}\right)}_{i\in \{0,1\}}$ as input.
  • From the seed ${\left({\theta }^{\left(i\right)}\right)}_{i\in \{0,1\}}$, the simulator computes honestly ${\left({\sigma }^{\left(i\right)},{\mathit{x}}^{\left(i\right)},r_1^{\left(i\right)},r_2^{\left(i\right)}\right)}_{i\in \{0,1\}}$.
  • For $b=0$, the simulator follows Strategy 1; taking any solution $e\in {\mathbb{F}}_q^n$ to $\mathit{y}=\mathit{e}{\mathbf{H}}^{\top }$ and then computing ${\mathsf{com}}^{\ast }$ and ${\mathsf{res}}^{\ast }$ normally following the protocol. Since ${\mathit{x}}^{\left(c\right)}$ and ${\sigma }^{\left(c\right)}$ are sampled uniformly at random, the ${\mathsf{res}}^{\ast }$ generated by the simulator has the same distribution as $\mathsf{res}$. We have

    $$Pr[\mathsf{V}(\mathbf{H},\mathsf{id},i,{\mathsf{com}}^{\ast },\mathsf{ch},{\mathsf{res}}^{\ast })=1\mid ({\mathsf{com}}^{\ast },\mathsf{ch},{\mathsf{res}}^{\ast })\leftarrow \mathsf{Sim}(\mathbf{H},\mathsf{id},i,\mathsf{ch},\mathsf{seed})]=1$$

    where $\mathsf{ch}=(b,c)$ and $\mathsf{seed}={\left({\theta }^{\left(i\right)}\right)}_{i\in \{0,1\}}$.
  • For $b=1$, the simulator follows Strategy 2; taking any vector $\mathit{e}\leftarrow \${\mathcal{S}}_w$ and then computing ${\mathsf{com}}^{\ast }$ and ${\mathsf{res}}^{\ast }$ normally following the protocol. Since $\sigma$ is sampled uniformly at random from $S_n$ and $\rho ({\mathcal{D}}_w,{\mathcal{U}}_w)$ is negligible as $\mathsf{Wave}$’s trapdoor one-way function is preimage sampleable on average, then it satisfies the property of the preimage sampling on average. Therefore, ${\mathsf{res}}^{\ast }$ generated by the simulator has the same distribution as $\mathsf{res}$.

    $$Pr[\mathsf{V}(\mathbf{H},\mathsf{id},i,{\mathsf{com}}^{\ast },\mathsf{ch},{\mathsf{res}}^{\ast })=1\mid ({\mathsf{com}}^{\ast },\mathsf{ch},{\mathsf{res}}^{\ast })\leftarrow \mathsf{Sim}(\mathbf{H},\mathsf{id},i,\mathsf{ch},\mathsf{seed}]=1$$

    where $\mathsf{ch}=(b,c)$ and $\mathsf{seed}={\left({\theta }^{\left(i\right)}\right)}_{i\in \{0,1\}}$.
  If the commitment scheme $\mathsf{Com}$() is hiding, then ${\mathsf{com}}^{\ast }$ and $\mathsf{com}$ are indistinguishable, and consequently, the two transcripts are indistinguishable as well.

□

Theorem 2.

The $\mathsf{Wave}$-$\mathsf{IBI}$ depicted in Figure 2 is secure under passive attacks.

Proof. 

Let $q_h,q_e,$ and $q_c$ denote the maximum number of queries that the adversary $\mathcal{A}$ can make to the $\mathsf{Hash}$, $\mathsf{Corrupt}$, and $\mathsf{Conversation}$ oracles, respectively, in the imp-pa security model against $\mathsf{Wave}$-$\mathsf{IBI}$. Also, let $q:=q_h+q_e+q_c$ and $\left({\mathbf{H}}_0,{\mathit{s}}_1,\dots ,{\mathit{s}}_q\right)$ be an instance of $\mathsf{DOOM}(n,k,w,q)$ as defined in Problem 3. Additionally, we note that all queries to the $\mathsf{Hash}$ are consistent, meaning that the $\mathsf{Hash}$ will always return the same output for the same input.

• Game 0: This is the standard imp-pa game. The $\mathsf{Hash}$ and $\mathsf{UKGen}$ oracles in this game are defined as the following,

Let $S_0$ be the event that $\mathcal{A}$ wins the game 0, therefore,

$$Pr\left[S_0\right]={\mathsf{Adv}}_{\mathcal{A},\mathsf{IBI}}^{\mathrm{imp}-\mathrm{pa}}\left(\lambda \right).$$

• Game 1: This game has some differences in the $\mathsf{Setup}$, $\mathsf{Hash}$, and $\mathsf{UKGen}$ oracles from the previous game. These differences are specified in the following,

The oracles $\mathsf{UKGen}$ and $\mathsf{Hash}$, share a global string $i_{\mathsf{id}}^{\ast }$ for every identity $\mathsf{id}$ queried by the adversary. The string $i_{\mathsf{id}}^{\ast }$ is sampled uniformly at random from ${\{0,1\}}^{{\lambda }_0}$ when either of the oracles is queried with an identity $\mathsf{id}$ for the first time. After this, for every hash query $\mathsf{Hash}(\mathsf{id},i)$ the $\mathsf{Hash}$ oracle first checks if $i=i_{\mathsf{id}}^{\ast }$ and if it holds then samples a fresh ${\mathit{e}}_{\mathsf{id},i}\leftarrow \${\mathcal{S}}_w$ and returns ${\mathit{e}}_{\mathsf{id},i}{\mathbf{H}}^{\top }$. Otherwise, it returns a fresh syndrome ${\mathit{s}}_j$ from the $\mathsf{DOOM}$ instance. The $\mathsf{UKGen}$ oracle also maintains a list of returned user secret keys ${\mathit{e}}_{\mathsf{id},i}$ for each $\mathsf{id}$ queried by the adversary.

The main difference between Game 1 and Game 0 lies in the call of the $\mathsf{Hash}$. In Game 0, it was outputting a random value uniformly distributed over ${\mathbb{F}}_q^{n-k}$, whereas in this game, it outputs $\mathit{e}{\mathbf{H}}^{\top }$ where $\mathit{e}\leftarrow \${\mathcal{S}}_w$. The difference between the output of the two Hashes corresponds to the statistical distance between $\mathcal{U}$: the uniform distribution over ${\mathbb{F}}_q^{n-k}$ and ${\mathcal{D}}_w^{\mathbf{H}}$: the syndromes generated using $\mathbf{H}$, and $\mathit{e}\leftarrow \${\mathcal{S}}_w$, which is proven to be $\mathsf{negl}\left(\lambda \right)$ following [23] (Proposition 9).

Let $S_1$ be the event the adversary $\mathcal{A}$ wins Game 1,

$$Pr\left[S_0\right]\le Pr\left[S_1\right]+\mathsf{negl}\left(\lambda \right).$$

• Game 2: This game differs from Game 1 by making the following change to the $\mathsf{UKGen}$. Instead of computing $\mathit{e}$ from the decoding algorithm ${\mathsf{decode}}_{u,v}$, in Game 2 $\mathsf{UKGen}$ samples ${\mathit{e}}_{\mathsf{id},i}\leftarrow \${\mathcal{S}}_w$ uniformly at random and outputs $({\mathit{e}}_{\mathsf{id},i},i)$. Therefore, the difference between Game 1 and Game 2 corresponds to the statistical distance between ${\mathcal{D}}_w$, representing the distribution of the output of decoding ${\mathsf{decode}}_{u,v}$ and ${\mathcal{U}}_w$, representing the uniform distribution over ${\mathcal{S}}_w$. Hence, we have

  $$Pr\left[\left(S_1\right)\right]\le Pr\left[S_2\right]+\mathsf{negl}\left(\lambda \right).$$
• Game 3: In this game, the matrix $\mathbf{H}$ is replaced by ${\mathbf{H}}_0$, in this way, the adversary is forced to find a solution to the $\mathsf{DOOM}$ problem. The adversary $\mathcal{A}$ can detect the difference between this game and the previous one only if he can distinguish between ${\mathcal{D}}_{\mathrm{pub}}$: the distribution of the public key $\mathbf{H}$, and ${\mathcal{D}}_{\mathrm{rand}}$: the uniform distribution over ${\mathbb{F}}_q^{(n-k_u-k_v)\times n}$. Let $S_3$ be the event that $\mathcal{A}$ wins this game, then assuming the hardness of Problem 4,

  $$Pr\left[S_2\right]\le Pr\left[S_3\right]+\mathsf{negl}\left(\lambda \right).$$
• Game 4: In this game, once the adversary reveals the target identity ${\mathsf{id}}_t$ that he intends to impersonate, the challenger checks whether $({\mathsf{id}}_t,i_{{\mathsf{id}}_t}^{\ast })$ has already been queried to the $\mathsf{Hash}$ oracle before. If such a query has been made previously, the challenger aborts the game. Recall that $i_{\mathsf{id}}^{\ast }\leftarrow \${\{0,1\}}^{{\lambda }_0}$ is sampled uniformly at random. Therefore, by setting ${\lambda }_0=\lambda +2{log}_2\left(q\right)\ge 2{log}_2\left(q\right)={log}_2\left(q^2\right)$ and $q\ge 2$, we can ensure that the challenger does not abort with probability bounded by ${\displaystyle \frac{1}{2}}$ since

  $${\left(1-2^{-{\lambda }_0}\right)}^q\ge {\left(1-{\displaystyle \frac{1}{q^2}}\right)}^q\ge {\displaystyle \frac{1}{2}}$$

  hence,

  $$Pr\left[S_4\right]={\left(1-{\displaystyle \frac{1}{2^{{\lambda }_0}}}\right)}^{q}Pr\left[S_3\right]\ge {\displaystyle \frac{1}{2}}Pr\left[S_3\right].$$
• Game 5: Please note that at this point, none of the responses to the $\mathsf{Hash}$ and $\mathsf{UKGen}$ queries depend on the secret since they have been replaced by random values. Therefore, the challenger can now respond to the conversation oracle queries on any identity $\mathsf{id}$ by simulating the transcripts. This is indistinguishable from Game 4 due to the SHVZK property of the protocol. Let $S_5$ be the event that $\mathcal{A}$ wins this game, we have $Pr\left[S_5\right]=Pr\left[S_4\right]+\mathsf{negl}(\lambda$).

Please note that due to the special soundness property of the protocol, we know that if an adversary successfully impersonates some identity ${\mathsf{id}}^{\ast }$ (in Game 0) then we can extract the witness ${\mathit{e}}_{{\mathsf{id}}^{\ast }}$ such that ${\mathit{e}}_{{\mathsf{id}}^{\ast }}{\mathbf{H}}^{\top }=h({\mathsf{id}}^{\ast },i)$. Following the sequence of games from Game 0 to Game 5, we can use this adversary to compute ${\mathit{e}}_{{\mathsf{id}}^{\ast }}$ of weight w such that ${\mathit{e}}_{{\mathsf{id}}^{\ast }}{{\mathbf{H}}_0}^{\top }={\mathit{s}}_j$, for some $j\in \left[q\right]$ with a negligible difference in the success probabilities of the adversary. Thus, we can find a solution to the $\mathsf{DOOM}(n,k,q,w)$ instance $\left({\mathbf{H}}_0,{\mathit{s}}_1,\dots ,{\mathit{s}}_q\right)$. Therefore,

$${\mathsf{Adv}}_{\mathcal{A},\mathsf{IBI}}^{\mathrm{imp}-\mathrm{pa}}\left(\lambda \right)\le {Succ}_{\mathsf{DOOM}}+\mathsf{negl}\left(\lambda \right).$$

Hence, if the adversary $\mathcal{A}$ succeeds in impersonating $\mathsf{id}$ with a non-negligible advantage, then there exists an adversary who will succeed against $\mathsf{DOOM}$ or $\mathsf{DWK}$. □

Yang et al. [17] had given proof that the $\mathsf{mCFS}$-$\mathsf{IBI}$ scheme, proposed by Cayrel et al. [13], is secure under active attacks. However, we argue that their proof only holds when the scheme is executed sequentially, which inherently increases communication costs. To avoid this overhead, the scheme must be executed in parallel. Nevertheless, proving the security of the $\mathsf{mCFS}$-$\mathsf{IBI}$ (or the $\mathsf{Wave}$-$\mathsf{IBI}$) under active or concurrent attacks, in that case, is non-trivial. We recall that the difference between passive and active security consists in the $\mathsf{Conversation}$ and $\mathsf{Prove}$ oracles, where in passive attacks the challenger can always output a simulated transcript that is indistinguishable from one obtained with a real execution. However, this does not hold in the active situation where the challenger interacts with the adversary without holding a witness. Since the protocol is executed in parallel and the size of the challenge space is large, then, the probability of correctly guessing the challenge $b\in {\{0,1\}}^r$ is $2^{-r}$ (assuming that $\mathit{x}$ and $\sigma$ were honestly generated), which is exponentially small. Moreover, the adversary may act maliciously, consequently making the rewinding useless, as in each rewind, the adversary may change its challenge. This issue can be addressed following the same solution proposed by Goldreich and Kahan [37], where its main idea suggests the verifier commits to its challenge before the prover sends its commitment, which indeed prevents him from changing it later during the rewinding.

4. Identity-Based Signature

There are two approaches for constructing an identity-based signature scheme: (i) turning the $\mathsf{Wave}$-$\mathsf{IBI}$ into a signature using the Fiat–Shamir transform [22] $\mathsf{IBI}$-$\mathsf{2}$-$\mathsf{IBS}$ as the $\mathsf{IBS}$ schemes $\mathsf{PVR}$-$\mathsf{IBS}$ [18] and $\mathsf{m}$-$\mathsf{CFS}$ [17]. Alternatively, (ii) following the generic transformation described in [1,2,3] that was employed in the $\mathsf{LESS}$-$\mathsf{IBS}$ [5] that combines two signature schemes $\mathsf{SS}$-$\mathsf{2}$-$\mathsf{IBS}$. Following the first approach, our case can be seen as using $\mathsf{BGKM}$-$\mathsf{SIG}1$ that we recall in Figure A1 where the secret key $\mathit{e}$ is output by $\mathsf{Wave}.\mathsf{Sign}$. This is because our $\mathsf{IBI}$ is identical to $\mathsf{BGKM}$-$\mathsf{POK}1$ [7] when the helper is removed via the cut-and-choose technique [38], along with optimizations. However, the resulting signatures would be on the order of hundreds of kilobytes in size since the length of the vectors involved in the scheme is n, which is a parameter of the $\mathsf{Wave}$ signature (see

Table 2. $\mathsf{Wave}$-$\mathsf{IBS}$’s selected parameters for $\lambda =128$.

	$\mathit{\lambda }$	n	k	w	M	$\mathit{\tau }$
$\mathsf{Wave}$	128	8576	4288	7668	-	-
$\mathsf{BGKM}$-$\mathsf{SIG}1$	128	518	186	518	256	128

). On the other hand, following the second approach by taking $\mathsf{Wave}$ as the first signature and $\mathsf{BGKM}$-$\mathsf{SIG}1$ as the second one yields the most efficient scheme in terms of sizes. The description of the scheme that we refer to as $\mathsf{Wave}$-$\mathsf{IBS}$ is given in Figure 3 and Figure 4.

In particular, we instantiate the $\mathsf{BGKM}$-$\mathsf{SIG}1$ recalled in Figure A1 over the ternary field, and we consider $\mathsf{SDP}$ in the large-weight setting, as it has been shown to be harder than the binary $\mathsf{SDP}$ by Bricout et al. [26].

5. Security and Parameter Selection

For constructing the $\mathsf{Wave}$-$\mathsf{IBS}$, two critical aspects must be considered. The first is the $\mathsf{Wave}$ signature employed in generating a part of the user-secret key $\mathsf{usk}\left(\mathsf{id}\right)$, and the second is related to $\mathsf{BGKM}$-$\mathsf{SIG}1$ used for generating the final signature. For the $\mathsf{Wave}$ signature, it is essential to select parameters that ensure the scheme achieves a security level of $\lambda$ bits. This requires addressing two types of attacks:

• Forgery attack: in which the adversary attempts to solve the $\mathsf{DOOM}$ problem without the secret key.
• Key attack: in which the adversary seeks to either retrieve the secret key or solve the $\mathsf{DWK}$ problem.

Several studies over the years have analyzed these two types of attacks, both in the classical setting [23,25,26,39] and, more recently, in the quantum setting by Loyer [40].

In parallel, the MPC parameters $(M,\tau )$ selected for the $\mathsf{BGKM}$-$\mathsf{SIG}1$ must be chosen such that

$${\displaystyle \underset{0\le i\le \tau }{max}\left(\genfrac{}{}{0pt}{}{M-i}{\tau -i}\right)·{\left(\genfrac{}{}{0pt}{}{M}{\tau }\right)}^{-1}·2^{-(\tau -i)}\mathrm{is}\mathrm{negligible}\mathrm{with}\mathrm{respect}\mathrm{to}\lambda .}$$

• For the purpose of this work, the parameters selected for our proposed $\mathsf{Wave}$-$\mathsf{IBS}$-I scheme shown in Table 2 are directly taken from the latest version of $\mathsf{Wave}$ [6], Bidoux et al. [7] for the parameters $(M,\tau )$ and $(n,k,w)$ from [26] for $\mathsf{BGKM}$-$\mathsf{SIG}1$.

Before giving the size of the keys and the signature, in the following part, we propose an efficient method for reducing the size of large or low-weight ternary vectors. This method can be applied to the proposed $\mathsf{Wave}$-$\mathsf{IBS}$ scheme to reduce the size of the signature and the user’s secret key, and therefore to $\mathsf{Wave}$ as well since they all contain large-weight ternary vectors.

5.1. Optimizing the Size of Large-Weight Ternary Vectors

Given a vector $\mathit{e}\in {\mathbb{F}}_3^n$ of a large, or low-Hamming weight w, our approach is mainly based on straightforward observations that allowed us to become closer to the entropy limit, as we explain in the following:

• Compression:

• Step 1: we replace all the non-zero coordinates of $\mathit{e}$ with ones, hence we obtain a binary vector that we denote in this step by ${\mathit{e}}^{\prime }\in {\mathbb{F}}_2^n$. Notice that ${\mathit{e}}^{\prime }$ has the same large or low weight as the initial ternary vector $\mathit{e}$ and therefore, the size of vector ${\mathit{e}}^{\prime }$ can be encoded in the worst case in approximately $n/2$ bits using Golomb-Rice encoding. For more details, see [41,42]. (By “worst case” we mean $w=0.106n$ or $w=0.894n$. A Better compression can be achieved if $w\le 0.106n$ or $w\ge 0.894n$.)
• Step 2: we remove all the zero entries in $\mathit{e}$, and keep the rest in the same order. Let the resulting vector be denoted by ${\mathit{e}}^{″}\in {\mathbb{F}}_3^w\setminus 0={{\mathbb{F}}_3^{\ast }}^w$. Since the multiplicative group ${\mathbb{F}}_3^{\ast }$ has $g=2$ as its generator, i.e., ${\mathbb{F}}_3^{\ast }=<2>=\{2^0,2^1\}=\{1,-1\}$, we can represent the entries in ${\mathit{e}}^{″}$ using the exponents $\{0,1\}$: replace each 1 entry with exponent 0 and each $-1$ with exponent 1. By doing so, the vector ${\mathit{e}}^{″}$ becomes binary and can be encoded in w bits, i.e., ${\mathit{e}}^{″}\in {\mathbb{F}}_2^w$.

• Instead of sending $\mathit{e}\in {\mathbb{F}}_3^n$, which can be encoded optimally in ${log}_2\left(3\right)n$ bits or in $2n$ bits in bitsliced, we suggest sending $({\mathit{e}}^{\prime },{\mathit{e}}^{″})$, which can be encoded in less than $n/2+w$ bits. It is noteworthy to mention two cases in which maximum compression can be achieved:

• Case 1: if $\mathit{e}\in {\mathbb{F}}_3^n$ has full weight, we suggest only sending ${\mathit{e}}^{″}$ since there are no zeros in $\mathit{e}$. Hence, $\mathit{e}$ can be encoded only in approximately n bits.
• Case 2: if $\mathit{e}\in {\mathbb{F}}_3^n$ has low weight, $\mathit{e}$ can be encoded in approximately $n/2$ bits.

• Decompression: is simplified in the following.

Example 1.

For the parameters proposed in the original $\mathsf{Wave}$ paper [23], $n=8492$ and $w=0.9397n$, the signature is $\sigma =(i,\mathit{e})$, where $i\in {\{0,1\}}^{2\lambda }$ and $\mathit{e}\in {\mathbb{F}}_3^n$ of large weight w. Step 1 from Section 5.1 will transform the vector $\mathit{e}\in {\mathbb{F}}_3^n$ into a binary vector with the same length n and weight w.  Step   2 simply consist of keeping only the w non-zero entries of $\mathit{e}$. Since $w=0.9397n$, the vector output by  Step   1 can theoretically, according to the entropy ($h\left(x\right)=-x{log}_2\left(x\right)-(1-x){log}_2(1-x)$), be encoded in around $0.3286n$ bits, which indeed can be achieved using the Arithmetic encoding [43,44] or in around $0.3347n$ bits using the Golomb-Rice encoding [41] with $m=8$. The vector output by  Step   2 will have size w bits.

$$size\left(\sigma \right)=2\lambda +size\left(\mathit{e}\right)⟹size\left(\sigma \right)=\underset{i}{\underbrace{2\lambda }}+\underset{\mathit{step}1}{\underbrace{0.3347n}}+\underset{\mathit{step}2}{\underbrace{w}}$$

and therefore we obtain a signature of size 1385B instead of 1683B.

Example 2.

Using the public key in its systematic form i.e., $\mathbf{H}=\left({\mathbf{I}}_{n-k}\right|\mathit{R})\in {\mathbb{F}}_3^{(n-k)\times n}$ where $\mathit{R}\in {\mathbb{F}}_3^{(n-k)\times k}$ is not only beneficial in reducing the size of the public key, but also for minimizing the size of the signature. For $\mathit{e}=({\mathit{e}}_1,{\mathit{e}}_2)\in {\mathbb{F}}_q^{n-k}\mathrm{\times }{\mathbb{F}}_3^k,$

$$\mathbf{H}=\left({\mathbf{I}}_{n-k}\right|\mathit{R})⟹\mathit{y}=\mathit{e}{\mathbf{H}}^{\top }={\mathit{e}}_1+{\mathit{e}}_2{\mathit{R}}^{\top },$$

so, instead of sending the whole vector $\mathit{e}=({\mathit{e}}_1,{\mathit{e}}_2)=(\mathit{y}-{\mathit{e}}_2{\mathit{R}}^{\top },{\mathit{e}}_2)\in {\mathbb{F}}_3^n$ as a part of σ, it can simply be replaced by ${\mathit{e}}_2\in {\mathbb{F}}_3^k$.

Now, we apply the technique from Section 5.1 to the $\mathsf{Wavelet}$ [45] and the recent $\mathsf{Wave}$ signature scheme [6] that uses the matrix $\mathbf{H}$ in its systematic form. The signature in these two schemes is of the form: $\sigma =(i,{\mathit{e}}_2)\in {\{0,1\}}^{2\lambda }\times {\mathbb{F}}_3^k$

$$size\left(\sigma \right)\le \underset{i}{\underbrace{2\lambda }}+\underset{\mathit{step}1}{\underbrace{k/2}}+\underset{\mathit{step}2}{\underbrace{\mathbb{E}\left(\right|{\mathit{e}}_2\left|\right)}},$$

we recall that ${\mathbb{E}}_{\mathbf{H}}\left(\rho \left({\mathcal{U}}_w,{\mathcal{D}}_w\right)\right)$ is negligible, then we can say that the vector $\mathit{e}$ is uniformly distributed over ${\mathcal{S}}_w$ on average. Moreover,

$${\displaystyle |{\mathit{e}}_2|=\sum _{i=1}^k{\mathbb{1}}_{\{-1,1\}}\left({\mathit{e}}_2\left(i\right)\right)}$$

where ${\mathbb{1}}_{\{-1,1\}}$ is the indicator function of the set $\{-1,1\}$. By linearity of the expectation, we have,

$$\begin{array}{cc}\hfill \mathbb{E}\left(\right|{\mathit{e}}_2\left|\right)& {\displaystyle =\sum _{i=1}^k\mathbb{E}\left({\mathbb{1}}_{\{-1,1\}}\left({\mathit{e}}_2\left(i\right)\right)\right)}\hfill \\ \hfill & {\displaystyle =\sum _{i=1}^k\mathbb{P}\left({\mathit{e}}_2\left(i\right)\in \{-1,1\}\right)}\hfill \\ \hfill & {\displaystyle =\sum _{i=1}^k\mathbb{P}({\mathit{e}}_2\left(i\right)\ne 0)}\hfill \\ \hfill & =k{\displaystyle \frac{w}{n}}\hfill \end{array}$$

hence, $size\left(\sigma \right)\le 2\lambda +(0.5+w/n)k$.

• For the parameters proposed in $\mathsf{Wavelet}$ [45], $n=8492,k=0.66n$ and $w=0.94n$, we obtain a signature of size 924B instead of 930B.
• For the parameters proposed for $\mathsf{Wave}822$ [6] submitted to the NIST’s second call for additional digital signatures, $n=8576,k=n/2$ and $w=0.8941n$, applying Section 5.1 led to a signature of size $777.46$B instead of 822B.

Table 3. Comparison of signature sizes between different $\mathsf{Wave}$ instances found in [6] and those found using our technique.

$\mathsf{Wave}$ Instance	$\mathsf{Wave}$  Signature Size	$\mathsf{Wave}$ + Our Technique Signature Size	Compression %
$\mathsf{Wave}822$-I	822B	$\mathbf{778}$B	$5.35$
$\mathsf{Wave}1249$-III	1249B	$\mathbf{1121}$B	$10.24$
$\mathsf{Wave}1644$-V	1644B	$\mathbf{1464}$B	$10.94$

compares signature sizes for the $\mathsf{Wave}$ instances obtained using our method, contrasted with sizes found in the recent wave paper [6]. Our technique consistently reduces the size of the different $\mathsf{Wave}$ instances submitted to the NIST, achieving compression rates ranging from $5.35\%$ to $10.94\%$.

5.2. Key Sizes

• The master-public key $\mathsf{mpk}$ is a $(n-k)\times k$ matrix over ${\mathbb{F}}_3^n$. This matrix can be encoded in $1.6(n-k)k$ bits, using an efficient encoding achieved through a compact representation that requires only $1.6$ bits per trit (or 5 trits per byte), which is indeed close to the entropy limit ${log}_2\left(3\right)\approx 1.5849$. For more details about this encoding, we advise the reader to check [6] (Appendix C.1).
• The user-secret key is defined as $\mathsf{usk}=({\sigma }^{\prime },\mathsf{sk},\mathsf{pk})$, where ${\sigma }^{\prime }=(i,{\mathit{e}}_{\mathsf{id},2})$ replaces the earlier pair $(i,{\mathit{e}}_{\mathsf{id}})$, as explained above. Here, i is a $2\lambda$-bit salt, ${\mathit{e}}_{\mathsf{id},2}\in {\mathbb{F}}_q^k$, $\mathsf{sk}$ is generated from a seed of $\lambda$ bits, and $\mathsf{pk}$ has a seed of $\lambda$ bits and a ternary vector of length $n-k$.Consequently, the total size of $\mathsf{usk}$ is approximately less than $4\lambda +1.6(n-k)+\left(0.5+w/n\right)k$ bits.

5.3. Signature Size

The resulting transmitted signature is $\sigma =(\mathsf{pk},{\sigma }^{\prime },{\sigma }^{″})$, where $\mathsf{pk}=(\mathbf{H},\mathit{y})$ for $\mathsf{BGKM}$-$\mathsf{SIG}1$ Figure A1, ${\sigma }^{\prime }=(i,{\mathit{e}}_{\mathsf{id},2})$ and ${\sigma }^{″}=(\ell ,\mathsf{Res})$. Furthermore, $\mathsf{Res}=\left(\xi ,{({\mathsf{com}}_3^{\left(i\right)},{\theta }^{\left(i\right)})}_{i\in \overline{K}},{\left({\mathsf{res}}^{\left(i\right)}\right)}_{i\in K}\right)$ for a $\lambda$-bit security. For clarity purposes, we will denote the parameters related to $\mathsf{Wave}$ by $(\tilde{n},\tilde{k},\tilde{w})$, and by $(n,k,w)$ for the parameters related to $\mathsf{BGKM}$-$\mathsf{SIG}1$. The size of the signature can be computed by following the optimizations described in Bidoux et al. [7] (Section 6):

• $\mathsf{pk}$ of $\mathsf{BGKM}$-$\mathsf{SIG}1$ is of size $\lambda +1.6(n-k)$
• ${\sigma }^{\prime }$ signature output by $\mathsf{Wave}.\mathsf{Sign}\left(\right)$ is of size $2\lambda +\left(0.5+{\displaystyle \frac{\tilde{w}}{\tilde{n}}}\right)\tilde{k}$
• ℓ is a commitment of size $2\lambda$ bits.
• $\xi$ is a seed of size $\lambda$ bits.
• $(M-\tau )$ commitment ${\left({\mathsf{com}}_3^{\left(i\right)}\right)}_{i\in \overline{K}}$ of size ${\displaystyle \frac{3}{4}}(M-\tau )·2\lambda$ bits.
• $(M-\tau )$ seeds ${\left({\theta }^{\left(i\right)}\right)}_{i\in \overline{K}}$ of size ${\displaystyle \frac{3}{4}}(M-\tau )\lambda$ bits.
• ${\left({\mathsf{res}}^{\left(i\right)}\right)}_{i\in K}$ is of size: $\left(2·{\displaystyle \frac{7}{8}}·2\lambda +2\lambda +1.6n+w\right)\tau /2$ bits.

• As a result, by taking $M=2\tau$, we obtain a signature of size:

  $$\begin{array}{cc}\hfill Size\left(\sigma \right)& =Size\left(\mathsf{pk}\right)+Size\left({\sigma }^{\prime }\right)+Size\left({\sigma }^{″}\right)\hfill \\ & =\lambda +2\lambda +\left(0.5+{\displaystyle \frac{\tilde{w}}{\tilde{n}}}\right)\tilde{k}+1.6(n-k)+2\lambda +\lambda +{\displaystyle \frac{3}{4}}\tau ·2\lambda +{\displaystyle \frac{3}{4}}\tau \lambda +(2.75\lambda +0.5w+0.8n)\tau \hfill \\ & =6\lambda +\left(0.5+{\displaystyle \frac{\tilde{w}}{\tilde{n}}}\right)\tilde{k}+1.6(n-k)+(5\lambda +0.5w+0.8n)\tau \mathrm{bits}.\hfill \end{array}$$

We give in

Table 4. Size comparison of existing and proposed code-based $\mathsf{IBS}$ schemes.

Scheme	$\mathsf{mpk}$	$\mathsf{usk}$	Signature	Security
$\mathsf{PVR}$-$\mathsf{IBS}$ [18]	30 MB	240 bit	35 MB	$2^{80}$
$\mathsf{LESS}$-$\mathsf{IBS}$ [5]	$0.20574$ MB	$15.43$ KB	$30.23$ KB	$2^{128}$
$\mathsf{Wave}$-$\mathsf{IBS}$  (this work)	$3.67739$ MB	$0.896$ KB	22 KB	$2^{128}$

a comparison between the proposed $\mathsf{Wave}$-$\mathsf{IBS}$ initiated with the parameters provided in Table 2, and the current existing code-based $\mathsf{IBS}$. The $\mathsf{PVR}-\mathsf{IBS}$ archives a small $\mathsf{usk}$, but at the cost of large $\mathsf{mpk}=30$ MB and $\mathsf{msk}=35$ MB for 80-bit security only. Conversely, the $\mathsf{LESS}-\mathsf{IBS}$ offers improved sizes, with $\mathsf{mpk}=0.2057$ MB and $\mathsf{sk}=30.23$ KB for 128-bit security; however, this improvement does not extend the $\mathsf{usk}$, which remains large in comparison to the $\mathsf{PVR}-\mathsf{IBS}$. The proposed $\mathsf{Wave}$-$\mathsf{IBS}$ achieves a more balanced trade-off between these two, yielding a smaller $\mathsf{usk}=0.896$ KB and a signature size of 22 KB. Its major drawback lies in the relatively large $\mathsf{mpk}=3.67$ MB, which is essentially expected since it corresponds to the $\mathsf{pk}$ of $\mathsf{Wave}$.

6. Conclusions

In this work, we proposed a post-quantum secure, code-based identity-based identification scheme, along with an identity-based signature scheme. Our design combines the $\mathsf{Wave}$ signature scheme (a previous candidate in NIST’s additional round for standardizing post-quantum digital signatures) and the $\mathsf{BGKM}$-$\mathsf{SIG}1$, which is a Stern-like signature scheme that we adapted for ternary large-weight $\mathsf{SDP}$. Additionally, we proposed a technique for reducing the size of large-weight vectors over the ternary field, yielding competitive sizes compared to current code-based $\mathsf{IBS}$ schemes. Future work may focus on enhancing the security of the proposed $\mathsf{IBI}$ against active and concurrent attacks by employing the $\mathsf{OR}$-proof technique, as well as extending the $\mathsf{IBS}$ line of research to more constructions such as identity-based threshold signatures and forward-secure identity-based signatures, since there are no such code-based constructions.