Post-quantum Sigma Protocols and Signatures from Low-Rank Matrix Completions

Abstract

We introduce a new hard problem to cryptography, named Low-Rank Matrix Completion (LRMC), whose hardness is equivalence with MinRank in multivariate cryptography (NP-Complete and quantum-resistant). We present a Sigma Protocol to prove the knowledge of LRMC. Comparing with the need for several matrices in the public key of MinRank-based constructions such as Courtois (ASIACRYPT 2001) and Bellini et al. (PQCrypto 2022), the benefits of using LRMC are that only one matrix is required, leading to smaller public key sizes, lower computation and communication costs, and fewer operations and time-consuming. In addition, it is more intuitive and succinct in the system setup. Then, we take full advantage of recent progresses to reduce the soundness error, including the Sigma Protocol with Helper (EUROCRYPT 2020), the cut-and-choose techniques (CCS 2018), and so on. When applying the Fiat-Shamir transform to convert the improved sigma protocol to a signature scheme, with more optimizations, the sizes are competitive with SPHINCS+, which has been determined to be standardized by the NIST after three rounds of evaluation, and is the only one that does not rely on (structural) lattice problems. This work increases the diversity of provable and practical post-quantum signatures, as the NIST is calling.