Said El Hajji
Sihem Mesnager
El Mamoun Souidi (Eds.)

LNCS 13874

Codes, Cryptology and Information Security
4th International Conference, C2SI 2023
Rabat, Morocco, May 29–31, 2023
Proceedings

Lecture Notes in Computer Science 13874
Founding Editors
Gerhard Goos
Juris Hartmanis

Editorial Board Members

Elisa Bertino, Purdue University, West Lafayette, IN, USA
Wen Gao, Peking University, Beijing, China
Bernhard Steffen, TU Dortmund University, Dortmund, Germany
Moti Yung, Columbia University, New York, NY, USA
The series Lecture Notes in Computer Science (LNCS), including its subseries Lecture
Notes in Artificial Intelligence (LNAI) and Lecture Notes in Bioinformatics (LNBI),
has established itself as a medium for the publication of new developments in computer
science and information technology research, teaching, and education.
LNCS enjoys close cooperation with the computer science R & D community, the
series counts many renowned academics among its volume editors and paper authors, and
collaborates with prestigious societies. Its mission is to serve this international community
by providing an invaluable service, mainly focused on the publication of conference
and workshop proceedings and postproceedings. LNCS commenced publication in 1973.
Editors
Said El Hajji
Mathematics Department, Faculty of Sciences
Mohammed V University
Rabat, Morocco

Sihem Mesnager
University of Paris VIII
Paris, France

El Mamoun Souidi
Computer Science Department, Faculty of Sciences
Mohammed V University
Rabat, Morocco

ISSN 0302-9743 (print)    ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-031-33016-2 (print)    ISBN 978-3-031-33017-9 (eBook)
https://doi.org/10.1007/978-3-031-33017-9

© The Editor(s) (if applicable) and The Author(s), under exclusive license
to Springer Nature Switzerland AG 2023
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors
or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

These are the proceedings of the 4th edition of the International Conference on Codes,
Cryptology and Information Security (C2SI 2023), organized in cooperation with the
International Association for Cryptologic Research (IACR). The conference was scheduled
to take place in the beautiful city of Rabat (Morocco) from May 29 to May 31, 2023. This
edition of the C2SI conference was originally planned for 2021 but was postponed to 2023
due to the pandemic.
We are very grateful to the Program Committee members and the external reviewers
for their professionalism and excellent hard work! The conference received 62 submissions,
of which 21 contributed papers were finally selected for presentation after a
single-blind peer review. Each paper was reviewed by at least two reviewers.
All final decisions were taken only after a clear position had been reached through
additional reviews and comments. The submission and selection of papers were handled
using the EasyChair software.
The Committee also invited Yvo G. Desmedt (University of Texas at Dallas, USA,
and University College London, UK), Philippe Gaborit (University of Limoges, France),
David Naccache (ENS Paris and PSL University, Paris, France) and Pierangela Samarati
(Università degli Studi di Milano, Italy) to present a talk on topics of their choice, and
we thank them for having accepted! The first three invited speakers mentioned above
submitted an invited paper to be presented during the conference.
Special compliments go out to the Moroccan team and the local organizers of C2SI
2023, who brought the workshop much success. We also would like to thank all who
provided us with excellent help with publicity and guidance regarding the website.
We warmly thank several institutes and organizations for their financial support,
notably the Hassan II Academy of Sciences and Technology, CNRST (National Center
for Scientific and Technical Research in Morocco) and ICESCO (Islamic World
Educational, Scientific and Cultural Organization). Last but not least, we deeply thank
Mohammed Regragui, Dean of the Faculty of Sciences of Rabat, for his financial support,
encouragement, and continued unfailing support.

March 2023

Said El Hajji
Sihem Mesnager
El Mamoun Souidi
Organization

Co-chairs

Sihem Mesnager University of Paris VIII, France
Said El Hajji Mohammed V University in Rabat, Morocco
El Mamoun Souidi Mohammed V University in Rabat, Morocco

Steering Committee

Abderrahim Ait Wakrime Mohammed V University in Rabat, Morocco
Karima Alaoui Ismaili Mohammed V University in Rabat, Morocco
Sophia Alami Kamouri Mohammed V University in Rabat, Morocco
Mohammed Ammari Mohammed V University in Rabat, Morocco
Mohamed A. Belhamra Mohammed V University in Rabat, Morocco
Hafida Benazza Mohammed V University in Rabat, Morocco
Youssef Bentaleb ENSA, Kenitra, Morocco
Abdelkader Betari Mohammed V University in Rabat, Morocco
Azzouz Cherrabi Mohammed V University in Rabat, Morocco
Sidi Mohamed Douiri Mohammed V University in Rabat, Morocco
Hassan Echoukairi Mohammed V University in Rabat, Morocco
Abderrahim EL Abdllaoui Mohammed V University in Rabat, Morocco
M. El Ghomari Mohammed V University in Rabat, Morocco
Said El Hajji (Co-chair) Mohammed V University in Rabat, Morocco
Ahmed El Yahyaoui Mohammed V University in Rabat, Morocco
Mustapha Esghir Mohammed V University in Rabat, Morocco
Mohamed Fihri Mohammed V University in Rabat, Morocco
Allal Ghanmi Mohammed V University in Rabat, Morocco
Ahmed Hajji Mohammed V University in Rabat, Morocco
Ouafaa Ibrihich Mohammed V University in Rabat, Morocco
Sihem Mesnager Université Paris 8, France
Mounia Mikram ESI, Rabat, Morocco
Ghizlane Orhanou Mohammed V University in Rabat, Morocco
Ali Ouacha Mohammed V University in Rabat, Morocco
Ali Ouadfel Mohammed V University in Rabat, Morocco
El Mamoun Souidi Mohammed V University in Rabat, Morocco
Youssef Zahir Mohammed V University in Rabat, Morocco
Youssef Zaitar Mohammed V University in Rabat, Morocco
Khalid Zine-Dine Mohammed V University in Rabat, Morocco
Fouad Zinoun Mohammed V University in Rabat, Morocco

Program Committee

Abderrahim Ait Wakrime Mohammed V University in Rabat, Morocco
Elena Andreeva TU Wien, Austria
Muhammad Rezal K. Ariffin Universiti Putra Malaysia, Malaysia
François Arnault Limoges University, France
Emanuele Bellini Technology Innovation Institute, Abu Dhabi, UAE
Alexis Bonnecaze Aix-Marseille University, France
Martino Borello University of Paris 8, France
Ridha Bouallegue Ecole Nationale d’Ingénieurs de Tunis, Tunisia
Lilya Budaghyan University of Bergen, Norway
Claude Carlet Univ. of Paris 8, France & Univ. of Bergen, Norway
Sumit Debnath National Institute of Technology, Jamshedpur, India
Yvo Desmedt University College London, UK
Said El Hajji Mohammed V University in Rabat, Morocco
Philippe Gaborit Université de Limoges, France
Cuiling Fan Southwest Jiaotong University, China
Sylvain Guilley Telecom-ParisTech and Secure-IC, France
Qian Guo Lund University, Sweden
Abdelkrim Haqiq Hassan 1st University, Morocco
Shoichi Hirose University of Fukui, Japan
Vincenzo Iovino University of Salerno, Italy
Michael-John Jacobson University of Calgary, Canada
Juliane Krämer University of Regensburg, Germany
Nian Li Hubei University, China
Juan Antonio Lopez Ramos Universidad de Almería, Spain
Subhamoy Maitra Indian Statistical Institute, India
Edgar Martinez-Moro University of Valladolid Castilla, Spain
Sihem Mesnager University of Paris VIII, France
Marine Minier Université de Lorraine, France
Abderrahmane Nitaj CNRS - Université de Caen, France
Ferruh Ozbudak Middle East Technical University, Turkey
Aris T. Pagourtzis National Technical University of Athens, Greece
Raquel Pinto University of Aveiro, Portugal
Elizabeth A. Quaglia Royal Holloway, University of London, UK
Santanu Sarkar Indian Institute of Technology Madras, India
Palash Sarkar Indian Statistical Institute, India
El Mamoun Souidi Mohammed V University in Rabat, Morocco
Pantelimon Stanica Naval Postgraduate School, USA
Damien Stehlé ENS Lyon, France
Leo Storme Ghent University, Belgium
Deng Tang Shanghai Jiao Tong University, China
Miguel Carriegos Vieira Universidad de León, Spain
Zhengchun Zhou Southwest Jiaotong University, China

Additional Reviewers

Paulo Almeida
Kévin Atighehchi
Gennaro Avitabile
Daniele Bartoli
Vincenzo Botta
Marco Calderini
Zhixiong Chen
Debendranath Das
Siemen Dhooghe
Samed Düzlü
Said El Kafhali
Mohammed Ennahbaoui
Luca De Feo
Loïc Ferreira
Tako Boris Fouotsa
Artem Grigor
Mohamed Hanini
Idrissi Hind
Zhao Hu
Nikolay Kaleyski
Michael Kiermaier
Lukas Kölsch
Julia Lieb
David Marquis
Michael Meyer
Tapaswini Mohanty
Miguel Ángel Navarro-Pérez
Abdellah Ouammou
Tapas Pandit
Leo Robert
Sushmita Sarkar
Vikas Srivastava
Sihong Su
Violetta Weger
Yanan Wu
Xi Xie
Haode Yan
Qin Yue
Lijing Zheng
C2SI Conference in Honor of Jean-Louis Lanet

J.-L. Lanet started his career as a technician researcher at Snecma, now part of the Safran
group. He worked on hard real-time techniques for jet engine control (1984–1995). He
designed a distributed architecture able to tolerate several failures while keeping its real-
time capabilities. During that period, he got an engineering degree in computer science,
and his PhD degree.
Next, he was a senior researcher at Gemplus Research Labs (1996–2007), the smart
card manufacturer. During this period, he spent two years at Inria (2003–2004) as a
senior research associate in the Everest team. At that time, he obtained his French Habilitation
(Computer Science) from the University of Marseille, France.
He was a professor at the University of Limoges (2007–2014) in the Computer
Science department, where he headed the Smart Secure Device group. He was
also an associate professor at the University of Sherbrooke and was in charge of the
Security and Cryptology course of the USTH Master's (Hanoi). His research interests
include the security of small systems such as smart cards, software engineering, malware
analysis and hardware security. Finally, he joined Inria Rennes Bretagne Atlantique in
September 2014 as director of the High-Security Labs (LHS), a position he held until 2020.
He has more than 200 papers in the fields of security and software engineering in scientific
journals and proceedings.
Contents

Invited Papers

Cryptologists Should Not Ignore the History of Al-Andalusia . . . 3
Yvo Desmedt

Compact Post-quantum Signatures from Proofs of Knowledge Leveraging Structure for the PKP, SD and RSD Problems . . . 10
Loïc Bidoux and Philippe Gaborit

On Catalan Constant Continued Fractions . . . 43
David Naccache and Ofer Yifrach-Stav

Cryptography

Full Post-Quantum Datagram TLS Handshake in the Internet of Things . . . 57
Callum McLoughlin, Clémentine Gritti, and Juliet Samandari

Moderate Classical McEliece Keys from Quasi-Centrosymmetric Goppa Codes . . . 77
Ousmane Ndiaye

QCB is Blindly Unforgeable . . . 91
Jannis Leuther and Stefan Lucks

A Side-Channel Secret Key Recovery Attack on CRYSTALS-Kyber Using k Chosen Ciphertexts . . . 109
Ruize Wang and Elena Dubrova

A New Keyed Hash Function Based on Latin Squares and Error-Correcting Codes to Authenticate Users in Smart Home Environments . . . 129
Hussain Ahmad and Carolin Hannusch

Attack on a Code-Based Signature Scheme from QC-LDPC Codes . . . 136
Theo Fanuela Prabowo and Chik How Tan

Computational Results on Gowers U2 and U3 Norms of Known S-Boxes . . . 150
Vikas Kumar, Bimal Mandal, Aditi Kar Gangopadhyay, and Sugata Gangopadhyay

Multi-input Non-interactive Functional Encryption: Constructions and Applications . . . 158
Grigor Artem, Vincenzo Iovino, and Răzvan Roşie

Indifferentiability of the Confusion-Diffusion Network and the Cascade Block Cipher . . . 178
Mridul Nandi, Sayantan Paul, and Abishanka Saha

Quantum Cryptanalysis of 5 Rounds Feistel Schemes and Benes Schemes . . . 196
Maya Chartouny, Jacques Patarin, and Ambre Toulemonde

Lattice-Based Accumulator with Constant Time List Update and Constant Time Verification . . . 204
Yuta Maeno, Hideaki Miyaji, and Atsuko Miyaji

Information Security

Malicious JavaScript Detection Based on AST Analysis and Key Feature Re-sampling in Realistic Environments . . . 225
Ngoc Minh Phung and Mamoru Mimura

Searching for Gemstones: Flawed Stegosystems May Hide Promising Ideas . . . 242
Evgnosia-Alexandra Kelesidis, Diana Maimuţ, and Ilona Teodora Ciocan

A Study for Security of Visual Cryptography . . . 261
Binh Le Thanh Thai and Hidema Tanaka

Forecasting Click Fraud via Machine Learning Algorithms . . . 278
Nadir Sahllal and El Mamoun Souidi

An Enhanced Anonymous ECC-Based Authentication for Lightweight Application in TMIS . . . 290
Hind Idrissi and Mohammed Ennahbaoui

Discrete Mathematics

Symmetric 4-Adic Complexity of Quaternary Generalized Cyclotomic Sequences of Order Four with Period 2p^n . . . 323
Vladimir Edemskiy and Sofia Koltsova

Weightwise Perfectly Balanced Functions and Nonlinearity . . . 338
Agnese Gini and Pierrick Méaux

Chudnovsky-Type Algorithms over the Projective Line Using Generalized Evaluation Maps . . . 360
Stéphane Ballet and Bastien Pacifico

Coding Theory

Security Enhancement Method Using Shortened Error Correcting Codes . . . 379
Tomohiro Sekiguchi and Hidema Tanaka

An Updated Database of Z4 Codes and an Open Problem About Quasi-cyclic Codes . . . 395
Nuh Aydin, Yiyang Lu, and Vishad Onta

Author Index . . . 407


Invited Papers
Cryptologists Should Not Ignore
the History of Al-Andalusia

Yvo Desmedt

Department of Computer Science, University of Texas at Dallas, Richardson, USA
y.desmedt@cs.ucl.ac.uk

Abstract. Most cryptographers believe our modern systems and proven
secure protocols cannot be broken. Some are now convincing Treasury
Departments to make their own versions of Bitcoin. Today cryptosystems
are considered secure as long as academics have not broken them. Earlier
we argued that this approach might be badly flawed, by presenting a
minority viewpoint.
In this paper, we look at what the history of Al-Andalusia might teach
us in regard to our research community. We also wonder how "open" our
so-called "open" research is.

Keywords: cryptography · cryptanalysis · the new dark ages

1 Introduction
The use of computational complexity allowed the introduction of public key
cryptography [4,8]. It opened the door to a lot of research in academia, which was
followed by several conferences and journals on the topic. At Catacrypt
2014 (see [3] for the full paper), the author argued that this description is too
optimistic. In Sect. 2 we briefly survey these viewpoints.
Besides using history as a way to motivate our minority viewpoint, we use
two other approaches. First of all, we look at the lack of major progress on
cryptanalysis and analyze why this might be the case. For this we first look in
Sect. 3 at closed research. In this context we will use history to motivate our
viewpoints. We then consider the "open" research on the topic in Sect. 5. The
last part is partially based on research in anthropology.

2 Earlier Viewpoints
We summarize the main viewpoints expressed by the author at Catacrypt 2014
(see [3]) about modern cryptologic research. These were:
A part of this work was presented at the Rump Session of Crypto 2020, August 18,
2020, with title: “40 years Advances in Cryptology: How Will History Judge Us?”
Yvo Desmedt thanks the organizers for the invited paper and the Jonsson Endowment
for, e.g., the airfare.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
S. El Hajji et al. (Eds.): C2SI 2023, LNCS 13874, pp. 3–9, 2023.
https://doi.org/10.1007/978-3-031-33017-9_1
– lack of cryptanalytic efforts: "at the first Crypto conferences we had 33–48%
of the papers on cryptanalysis. At Crypto 2012 it was only 6%".
– related to RSA: "no new algorithms—at least ignoring quantum
computers—have been developed since 1990 on factoring (see [7])".
– related to AES: the attitude that it was very carefully designed cannot be
justified when studying the history of cryptanalysis. From Kahn [6] we learn
that the longest a cryptosystem withstood cryptanalysis was roughly 300
years.
– security of conventional cryptography: "standards have primarily been
developed based on work only presented at workshops, such as FSE, instead
of at the flagship conferences such as Asiacrypt, Crypto and Eurocrypt."
– academia: "who in academia will 'waste' years trying to break some
cryptosystem"?

The talk (see [3]) also stated that:

Modern cryptographers believe that the gap between encryption (signing,
etc.) and cryptanalysis is superpolynomial (in the security parameter), but
we have no proof!

and that we were not the first "scientific" discipline that was "belief" based.
Indeed:

– "alchemists believed they would succeed in transforming lead into gold.
Newton's work involved a lot of research on alchemy. It took until Mendeleev
before we had chemistry.
– astrologists believed they could predict the future by looking at the movement
of the stars." "Today astrology has fallen into disbelief (at least for scientists)
and has been replaced by astronomy."

3 Closed Research
Huge closed research laboratories have been set up during (and after) WWII,
which is more than 80 years ago. We try to estimate how much academia might
have fallen behind in these 80 years.
With the development of the atomic bomb, huge closed research laboratories
have been set up. However, these are only the tip of a huge iceberg. Indeed,
besides governmental laboratories, several universities have closed research labs,
such as the Institute for Advanced Study at Princeton.
One might easily speculate that most of the research done in that community
remains classified. Seeing that these labs have existed for more than 80 years,
one should wonder how much science and technology might have been created.
To better understand this, consider the time period 1860–1940. One then finds
that a whole range of technologies were developed, such as the Edison lamp,
Bell's telephone, the car, the airplane, electric trains, the cruise missile (V1) and
the first ballistic missile (V2), which was the basis for the Saturn rocket. From a
physics viewpoint, one sees the development of both Quantum Mechanics and
Relativity Theory.
One should also not forget that most researchers in these labs have no
teaching duties. This allows them to produce results much faster than those
working in academia. Moreover, these labs/institutes were able to attract top
researchers. Indeed, the Princeton Institute was able to attract researchers such
as Einstein and Weyl¹.
A question in this regard is whether there is a historic precedent that might
help better speculate about the scale of science and technology that might have
been created in secrecy.

3.1 Some Al-Andalusian History

It is well known that while Europe had its "Dark Ages," the Muslim Empire was
flourishing. Less known is that Cordoba (Al-Andalusia) had the largest library²
at that time. The (West) European Crusaders, when conquering some land from
the Muslims, quickly realized they were living in the Dark Ages. The existence
of the Library of Cordoba did not remain secret. Gerard of Cremona translated
more than 87 books of this library from Arabic science³. The rest of the history
is well known and not relevant to our argument.

3.2 Comparing the Two Worlds


If we compare what is going on today with what happened during the Dark Ages,
then until now, secrecy has been maintained much better. We can only speculate
that secret books exist, which might be kept in secret libraries whose existence
cannot be verified.

4 Using Information Flow to Analyze “Leaks”

Seeing that the secrecy is maintained well, estimating how many decades the
closed community is ahead of the academic one is very difficult.
An approach we suggest is the technique of Information Flow, see
e.g. [2]. Anything which is declassified about x might leak something about y if
there is a correlation. An interesting question is how to do this in a systematic
way. Applying this approach properly will require quite extensive research before it
can be used. Instead we only look at a few things that have been declassified
and wonder whether that data might be useful.

¹ https://www.ias.edu/about/mission-history
² https://islamicbridge.com/2021/10/the-lost-library-of-cordoba/
³ https://en.wikipedia.org/wiki/Toledo_School_of_Translators

4.1 Some Heuristic Arguments

We now give a first example of something that was declassified.

It is now known that US President Carter did not have access to the US UFO
files, despite having requested these while he was president. From this, one could
conclude that data is only provided on a need-to-know basis. If that conclusion
is true, the progress that the closed community might have made could be
very limited. Indeed, some research results have interdisciplinary impact. As an
example, imagine a person who wants to do physics, but is not given access to
books on calculus.
So, if access to books in the secret library is controlled too strictly, then the
use within the closed research community might not have led to the explosion
of science and technology we saw between 1860 and 1940 in the open community.
Using the last argument to claim that the closed community has made little
progress is obviously wrong. The dropping of two atomic bombs on Japan leaked
to the world the progress Los Alamos had made.

4.2 Information Flow in Crypto Context

Churchill (or one of his advisors) realized quickly that each time the breaking
of the Enigma or Lorenz cipher was used by the military, it might⁴ leak to
the Germans that the cipher had been broken.
Misinformation is also used in our crypto context. As an example, consider
what was known about the Colossus, i.e., the first computer. The author visited
the UK's "National Museum of Computing" twice. During his 1996 visit he was
told that despite the order from Churchill to destroy all machines, "some were
kept for practicing with similar machines." During his 2014 visit he was told
that "some were kept to continue breaking Lorenz ciphers". The author told the
guide about the previous visit. The guide then stated that "the Soviet Union knew
the UK had broken Enigma, but did not know that they also broke the Lorenz
cipher. Since they assumed the UK could not break it, they used the Lorenz
cipher for a while. That information was still classified in 1996."

5 “Open” Research

We critically look at the research in the so called “open” community. We wonder:

– whether academia is the right environment for research?
– whether the research in academia is truly open?

⁴ Rommel sent a message to Hitler in which he wondered whether Enigma had been
broken, to which Hitler replied "impossible" [6].

5.1 How Anthropology Can Help

Anthropologists have observed that in the last 40,000 years our brain has decreased by
10% in size [5]. Human biologists have wondered why we are "evolving" in such a
way. One theory that has been put forward is that since we live in a society we no
longer need individual intelligence, but instead need collective intelligence [10].
The argument that Stonier [10] used for collective intelligence is that the
1980's research on the W-boson involved 135 authors at CERN, while the work
on X-rays was done by an individual, namely Roentgen.
When comparing the closed laboratories with the current academic environment,
in particular in the context of research on cryptology, we see that
academia is still relying heavily on the researcher as an individual. Indeed, for
example, the tenure process in the US typically requires that the person has
shown independence from the prior advisor. In computer science, systematically
having 10 co-authors on a paper is not something that is encouraged. So,
one can wonder whether academia is still the right environment for research.
Note that in cryptology some faculty members have been successful in attracting
a lot of funding and have been able to build a research group with several PhD
students. However, since there is typically a single advisor, such a group usually
follows the advisor blindly. For example, we see such groups working on linear
and differential cryptanalysis, without trying to come up with new cryptanalytic
approaches.

5.2 Condoned Research

We now wonder whether modern research is truly open. The silencing during
COVID of dissenting medical experts has now finally received some attention.
Daley [1] for example wrote:

We have returned to the world of Galileo vs the Vatican. Scientific dissidents
are again silenced and ostracised for their opinions
. . . the comprehensive suppression of dissent even when it came from expert
sources - and the prohibition on argument even when it was accompanied
by counter-evidence . . .

We now wonder whether
1. the approach of having governmental agencies be the main source for research
funding, in particular for cryptologic research, and
2. the use of peer reviewers
might lead to suppression of dissent. First, at Catacrypt 2014 (see [3]) the author
already pointed out that at Crypto 2012 only 6% of the papers were on
cryptanalysis. Shamir [9] stated in a personal communication that:

There were not so many papers on cryptanalysis at the Crypto conference
because in the past, the US National Science Foundation did not tend to
fund cryptanalysis.

Since the US attracts the top PhD students and has most of the top universities in the world, this NSF policy might have a dramatic negative impact on our understanding of the (in)security of our cryptosystems. This supports the first point we wanted to make.
Let us now consider the impact of peer review on the suppression of dissent. Kahneman (Nobel Prize winner) pointed out, in the context of economics, that humans are not rational. The same can be stated for peer reviewers. Moreover, peer reviewers tend to support the majority viewpoint, which unfortunately in science is sometimes the wrong one (see Sect. 2).

5.3 The Crypto Context

At Catacrypt 2014 (see [3]), related to block ciphers, the author stated:

the emphasis is on developing systems that can only withstand some specific attacks, such as "linear" and "differential cryptanalysis."

At Catacrypt 2017, Courtois revealed that EPSRC had rejected all his proposals to fund research on Algebraic Cryptanalysis, which uses multivariate polynomials. Without this funding, we currently do not know whether an alternative technology to Algebraic Cryptanalysis might be successful in breaking block ciphers. Note that sometimes the first versions of an invention have limited use. Bell Labs' invention of the transistor is such an example that needed extra technology to become useful⁵.

6 Conclusions
With 80 years of closed research, we suggested that we are living in the new dark ages. We briefly compared the current one with that of the Middle Ages. We saw that the progress the Muslim World had made did not remain secret, while today most people are not aware they are living in the new dark ages. Many books of the library of Cordoba got translated. Today we can only guess that a secret library with secret books exists.
To make matters worse, open research on the topic of cryptanalysis is quite limited, in particular in the USA. The implications of all that for cryptology are far-reaching. Since our academic knowledge might be quite restricted, we should promote the use of unconditionally secure cryptosystems, a recommendation the author already made at Catacrypt 2014 (see [3]).

Acknowledgment. The author thanks Karel Desmedt for having observed, decades ago, the significant reduction in new life-changing inventions in the 1940–1980 era compared to the 1900–1940 era.

⁵ https://www.sony.com/en/SonyInfo/CorporateInfo/History/capsule/12/.
Cryptologists Should Not Ignore the History of Al-Andalusia 9

References
1. Daley, J.: Governments have learnt that fear works - and that is truly terrifying. The Telegraph (2022)
2. Denning, D.E.R.: Cryptography and Data Security. Addison-Wesley, Reading (1982)
3. Desmedt, Y.: What is the future of cryptography? In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 109–122. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49301-4_7
4. Diffie, W., Hellman, M.E.: Privacy and authentication: an introduction to cryptography. Proc. IEEE 67, 397–427 (1979)
5. Henneberg, M.: Decrease of human skull size in the Holocene. Hum. Biol. 60, 395–405 (1988)
6. Kahn, D.: The Codebreakers. MacMillan Publishing Co., New York (1967)
7. Lenstra, A.K., Lenstra, H.W., Jr., Manasse, M.S., Pollard, J.M.: The number field sieve. In: Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, STOC, 14–16 May 1990, pp. 564–572 (1990)
8. Merkle, R.C.: Secure communications over insecure channels. Comm. ACM 21, 294–299 (1978)
9. Shamir, A.: Personal communication during CANS 2022 (2022)
10. Stonier, T.: Information technology, collective intelligence and the evolution of human societies. In: Stonier, T. (ed.) Beyond Information, pp. 85–106. Springer, London (1992). https://doi.org/10.1007/978-1-4471-1835-0_5
Compact Post-quantum Signatures from Proofs of Knowledge Leveraging Structure for the PKP, SD and RSD Problems

Loïc Bidoux¹ and Philippe Gaborit²

¹ Technology Innovation Institute, Abu Dhabi, UAE
² University of Limoges, Limoges, France
gaborit@unilim.fr

Abstract. The MPC-in-the-head paradigm introduced in [IKOS07] has established itself as an important paradigm to design efficient digital signatures. For instance, it has been leveraged in the Picnic scheme [CDG+20] that reached the third round of the NIST Post-Quantum Cryptography Standardization process. In addition, it has been used in [Beu20] to introduce the Proof of Knowledge (PoK) with Helper paradigm. This construction permits the design of shorter signatures but induces a non-negligible performance overhead as it uses cut-and-choose. In this paper, we introduce the PoK leveraging structure paradigm along with its associated challenge space amplification technique. Our new approach to designing PoK brings some improvements over the PoK with Helper one. Indeed, we show how one can substitute the Helper in these constructions by leveraging the underlying structure of the considered problem. This new approach does not suffer from the performance overhead inherent to the PoK with Helper paradigm, hence offers different trade-offs between security, signature sizes and performances. In addition, we also present four new post-quantum signature schemes. The first one is based on a new PoK with Helper for the Syndrome Decoding problem. It relies on ideas from [BGKM22] and [FJR21] and improves the latter using a new technique that can be seen as performing some cut-and-choose with a meet-in-the-middle approach. The three other signatures are based on our new PoK leveraging structure approach and as such illustrate its versatility. Indeed, we provide new PoK related to the Permuted Kernel Problem (PKP), Syndrome Decoding (SD) problem and Rank Syndrome Decoding (RSD) problem. Considering (public key + signature), we get sizes below 9 kB for our signature related to the PKP problem, below 15 kB for our signature related to the SD problem and below 7 kB for our signature related to the RSD problem. These new constructions are particularly interesting presently as NIST has recently announced its plan to reopen the signature track of its Post-Quantum Cryptography Standardization process.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
S. El Hajji et al. (Eds.): C2SI 2023, LNCS 13874, pp. 10–42, 2023.
https://doi.org/10.1007/978-3-031-33017-9_2
Compact Post-quantum Signatures 11

1 Introduction
Zero-Knowledge Proofs of Knowledge (PoK) are significant cryptographic primitives thanks to their various applications. They allow a prover to convince a verifier that he knows some secret without revealing anything about it. Designing compact PoK is an important problem as one can convert such proofs into signature schemes using the Fiat-Shamir transform [FS86,PS96] or the Unruh transform [Unr15]. Over the years, many post-quantum signatures have been constructed following this approach using for instance the Syndrome Decoding problem [Ste93], the Multivariate Quadratic problem [SSH11] or the Permuted Kernel Problem [Sha89]. The Picnic [CDG+20] and MQDSS [CHR+20] signature schemes that have been submitted to the NIST Post-Quantum Cryptography Standardization process also follow this approach. More recently, Katz, Kolesnikov and Wang [KKW18] proposed a protocol based on the MPC-in-the-head paradigm [IKOS07] in the preprocessing model. Two years later, Beullens generalized their work by introducing the concept of PoK with Helper [Beu20]. The Helper is a trusted third party that can ease the design of PoK and later be removed using cut-and-choose. Since then, the PoK with Helper paradigm has been extensively used to design post-quantum signature schemes; see for instance [GPS21,FJR21,BGKM22,Wan22]. This approach is quite interesting as it produces shorter signatures than existing ones; however, using a Helper along with cut-and-choose also induces a non-negligible performance overhead.
In this paper, we introduce the notion of PoK leveraging structure as a new paradigm to design PoK. Formally, our approach consists in using standard (to be read as without Helper) PoK; however, we believe that it is more easily understood when described by analogy to the PoK with Helper paradigm. Indeed, our new approach can be seen as a way to remove the trusted Helper without using cut-and-choose. In order to do so, we leverage some structure within the hard problem used to design the PoK. Interestingly, the required additional structure has generally either already been well studied in the literature or is closely related to the considered problem. PoK following our new framework differ from PoK with Helper ones in several ways. These differences motivate the introduction of a new technique called challenge space amplification that is particularly well suited to our new way of designing PoK. In practice, PoK leveraging structure can lead to smaller signature schemes than PoK with Helper ones but rely on the use of some structure within the considered hard problem.
12 L. Bidoux and P. Gaborit

Contributions. We propose a new approach to design PoK as well as four new post-quantum signature schemes. Our main contribution is the introduction of the Proof of Knowledge leveraging structure paradigm along with its associated challenge space amplification technique. In addition, we present a new PoK with Helper for the SD problem that outperforms all existing constructions with the notable exception of the [FJR22] one. This new PoK is particularly interesting when combined with our PoK leveraging structure framework. Moreover, we demonstrate the versatility of our new approach by designing three post-quantum signature schemes respectively related to the Permuted Kernel Problem (PKP), Syndrome Decoding (SD) problem and Rank Syndrome Decoding (RSD) problem. Considering (public key + signature), we get sizes below 9 kB for our signature related to the PKP problem, below 15 kB for our signature related to the SD problem and below 7 kB for our signature related to the RSD problem.
Paper Organization. We provide definitions related to PoK, coding theory and hard problems in Sect. 2. Our PoK leveraging structure paradigm and our amplification technique are respectively described in Sects. 3 and 4. Our PoK with Helper for the SD problem is described in Sect. 5 while our PoK leveraging structure for the PKP, SD and RSD problems are presented in Sect. 6. Finally, we provide a comparison of the resulting signature schemes with respect to existing ones in Sect. 7.

2 Preliminaries

Notations. Vectors (respectively matrices) are represented using bold lower-case (respectively upper-case) letters. For an integer $n > 0$, we use $S_n$ to denote the symmetric group of all permutations of $n$ elements. In addition, we use $\mathrm{GL}_n(\mathbb{F}_q)$ to denote the general linear group of invertible $n \times n$ matrices over $\mathbb{F}_q$. For a finite set $S$, $x \xleftarrow{\$} S$ denotes that $x$ is sampled uniformly at random from $S$ while $x \xleftarrow{\$,\theta} S$ denotes that $x$ is sampled uniformly at random from $S$ using the seed $\theta$. Moreover, the acronym PPT is used as an abbreviation for the term "probabilistic polynomial time". A function $\mathrm{negl}$ is called negligible if for every constant $c > 0$ and all sufficiently large $\lambda \in \mathbb{N}$, $\mathrm{negl}(\lambda) < \lambda^{-c}$.

2.1 Proof of Knowledge and Commitment Schemes

We start by defining Proofs of Knowledge (PoK) following the notations of [AFK21]. Let $R \subseteq \{0,1\}^* \times \{0,1\}^*$ be an NP relation; we call $(x, w) \in R$ a statement-witness pair where $x$ is the statement and $w$ is the witness. The set of valid witnesses for $x$ is $R(x) = \{w \mid (x, w) \in R\}$. In a PoK, given a statement $x$, a prover $\mathcal{P}$ aims to convince a verifier $\mathcal{V}$ that he knows a witness $w \in R(x)$.

Definition 1 (Proof of Knowledge). A $(2n+1)$-round PoK for relation $R$ with soundness error $\epsilon$ is a two-party protocol between a prover $\mathcal{P}(x, w)$ with input a statement $x$ and witness $w$ and a verifier $\mathcal{V}(x)$ with input $x$. We denote by $\langle \mathcal{P}(x, w), \mathcal{V}(x) \rangle$ the transcript between $\mathcal{P}$ and $\mathcal{V}$. A PoK is correct if
$$\Pr\big[\mathrm{accept} \leftarrow \langle \mathcal{P}(x, w), \mathcal{V}(x) \rangle\big] = 1.$$

Definition 2 (Tree of Transcripts). Let $k_1, \dots, k_n \in \mathbb{N}$, a $(k_1, \dots, k_n)$-tree of transcripts for a $(2n+1)$-round public coin protocol PoK is a set of $K = \prod_{i=1}^{n} k_i$ transcripts arranged in a tree structure. The nodes in the tree represent the prover's messages and the edges between the nodes correspond to the challenges sent by the verifier. Each node at depth $i$ has exactly $k_i$ children corresponding to the $k_i$ pairwise distinct challenges. Every transcript is represented by exactly one path from the root of the tree to a leaf node.
Definition 3 ($(k_1, \dots, k_n)$-out-of-$(N_1, \dots, N_n)$ Special-Soundness). Let $k_1, \dots, k_n, N_1, \dots, N_n \in \mathbb{N}$. A $(2n+1)$-round public-coin PoK, where $\mathcal{V}$ samples the $i$-th challenge from a set of cardinality $N_i \ge k_i$ for $i \in [n]$, is $(k_1, \dots, k_n)$-out-of-$(N_1, \dots, N_n)$ special-sound if there exists a PPT algorithm that on input a statement $x$ and a $(k_1, \dots, k_n)$-tree of accepting transcripts outputs a witness $w$. We also say the PoK is $(k_1, \dots, k_n)$-special-sound.
Definition 4 (Special Honest-Verifier Zero-Knowledge). A PoK satisfies the Special Honest-Verifier Zero-Knowledge (HVZK) property if there exists a PPT simulator $\mathrm{Sim}$ that, given as input a statement $x$ and random challenges $(\kappa_1, \dots, \kappa_n)$, outputs a transcript $\langle \mathrm{Sim}(x, \kappa_1, \dots, \kappa_n), \mathcal{V}(x) \rangle$ that is computationally indistinguishable from the probability distribution of transcripts of honest executions between a prover $\mathcal{P}(x, w)$ and a verifier $\mathcal{V}(x)$.
PoK with Helper introduced in [Beu20] are protocols that leverage a trusted third party (the so-called Helper) within their design. They can be seen as 3-round PoK following an initial step performed by the Helper. We refer the reader to [Beu20] for their formal definition. PoK are significant cryptographic primitives as they can be turned into digital signatures using the Fiat-Shamir transform [FS86,PS96,AFK21]. Hereafter, we define commitment schemes, which are an important building block used to construct PoK.
Definition 5 (Commitment Scheme). A commitment scheme is a tuple of algorithms $(\mathrm{Com}, \mathrm{Open})$ such that $\mathrm{Com}(r, m)$ returns a commitment $c$ for the message $m$ and randomness $r$ while $\mathrm{Open}(c, r, m)$ returns either 1 (accept) or 0 (reject). A commitment scheme is said to be correct if:
$$\Pr\big[b = 1 \mid c \leftarrow \mathrm{Com}(r, m),\ b \leftarrow \mathrm{Open}(c, r, m)\big] = 1.$$
Definition 6 (Computationally Hiding). Let $(m_0, m_1)$ be a pair of messages, the advantage of $\mathcal{A}$ against the hiding experiment is defined as:
$$\mathrm{Adv}^{\mathrm{hiding}}_{\mathcal{A}}(1^\lambda) = \left| \Pr\left[ b = b' \,\middle|\, b \xleftarrow{\$} \{0,1\},\ r \xleftarrow{\$} \{0,1\}^\lambda,\ c \leftarrow \mathrm{Com}(r, m_b),\ b' \leftarrow \mathcal{A}.\mathrm{guess}(c) \right] - \frac{1}{2} \right|.$$
A commitment scheme is computationally hiding if for all PPT adversaries $\mathcal{A}$ and every pair of messages $(m_0, m_1)$, $\mathrm{Adv}^{\mathrm{hiding}}_{\mathcal{A}}(1^\lambda)$ is negligible in $\lambda$.
Definition 7 (Computationally Binding). The advantage of an adversary $\mathcal{A}$ against the commitment binding experiment is defined as:
$$\mathrm{Adv}^{\mathrm{binding}}_{\mathcal{A}}(1^\lambda) = \Pr\left[ m_0 \neq m_1 \,\wedge\, 1 \leftarrow \mathrm{Open}(c, r, m_0) \,\wedge\, 1 \leftarrow \mathrm{Open}(c, r, m_1) \,\middle|\, (c, r, m_0, m_1) \leftarrow \mathcal{A}.\mathrm{choose}(1^\lambda) \right].$$
A commitment scheme is computationally binding if for all PPT adversaries $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{binding}}_{\mathcal{A}}(1^\lambda)$ is negligible in $\lambda$.

2.2 Coding Theory

We recall some definitions for both Hamming and rank metrics. Let $n$ be a positive integer, $q$ a prime power, $m$ a positive integer, $\mathbb{F}_{q^m}$ an extension of degree $m$ of $\mathbb{F}_q$ and $\beta := (\beta_1, \dots, \beta_m)$ a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$. Any vector $x \in \mathbb{F}_{q^m}^n$ can be associated to the matrix $M_x \in \mathbb{F}_q^{m \times n}$ by expressing its coordinates in $\beta$.

Definition 8 (Hamming weight). Let $x \in \mathbb{F}_2^n$, the Hamming weight of $x$, denoted $w_H(x)$, is the number of non-zero coordinates of $x$.

Definition 9 (Rank weight). Let $x \in \mathbb{F}_{q^m}^n$, the rank weight of $x$, denoted $w_R(x)$, is defined as the rank of the matrix $M_x = (x_{ij}) \in \mathbb{F}_q^{m \times n}$ where $x_j = \sum_{i=1}^{m} x_{i,j} \beta_i$.

Definition 10 (Support). Let $x \in \mathbb{F}_{q^m}^n$, the support of $x$, denoted $\mathrm{Supp}(x)$, is the $\mathbb{F}_q$-linear space generated by the coordinates of $x$, namely $\mathrm{Supp}(x) = \langle x_1, \dots, x_n \rangle_{\mathbb{F}_q}$. It follows from the definition that $w_R(x) = \dim_{\mathbb{F}_q} \mathrm{Supp}(x)$.

We define linear codes over a finite field $\mathbb{F}$ where $\mathbb{F} = \mathbb{F}_2$ in Hamming metric and $\mathbb{F} = \mathbb{F}_{q^m}$ in rank metric, as well as quasi-cyclic codes and ideal codes. We restrict our definitions to codes of index 2 as they are the ones used hereafter.

Definition 11 ($\mathbb{F}$-linear code). An $\mathbb{F}$-linear code $\mathcal{C}$ of length $n$ and dimension $k$, denoted $[n, k]$, is an $\mathbb{F}$-linear subspace of $\mathbb{F}^n$ of dimension $k$. A generator matrix for $\mathcal{C}$ is a matrix $G \in \mathbb{F}^{k \times n}$ such that $\mathcal{C} = \{ mG \mid m \in \mathbb{F}^k \}$. A parity-check matrix for $\mathcal{C}$ is a matrix $H \in \mathbb{F}^{(n-k) \times n}$ such that $\mathcal{C} = \{ x \in \mathbb{F}^n \mid Hx^\top = 0 \}$.

Definition 12 (Quasi-cyclic code). A systematic binary quasi-cyclic code of index 2 is an $[n = 2k, k]$ code that can be represented by a generator matrix $G \in \mathbb{F}_2^{k \times n}$ of the form $G = [I_k \ A]$ where $A$ is a circulant $k \times k$ matrix. Alternatively, it can be represented by a parity-check matrix $H \in \mathbb{F}_2^{(n-k) \times n}$ of the form $H = [I_k \ B]$ where $B$ is a circulant $k \times k$ matrix.

Definition 13 (Ideal matrix). Let $P \in \mathbb{F}_q[X]$ be a polynomial of degree $k$ and let $v \in \mathbb{F}_{q^m}^k$. The ideal matrix $\mathrm{IM}_P(v) \in \mathbb{F}_{q^m}^{k \times k}$ is of the form
$$\mathrm{IM}_P(v) = \begin{pmatrix} v \bmod P \\ X \cdot v \bmod P \\ \vdots \\ X^{k-1} \cdot v \bmod P \end{pmatrix}.$$

Definition 14 (Ideal code). Let $P \in \mathbb{F}_q[X]$ be a polynomial of degree $k$, $g \in \mathbb{F}_{q^m}^k$ and $h \in \mathbb{F}_{q^m}^k$. An ideal code of index 2 is an $[n = 2k, k]$ code $\mathcal{C}$ that can be represented by a generator matrix $G \in \mathbb{F}_{q^m}^{k \times n}$ of the form $G = [I_k \ \mathrm{IM}_P(g)]$. Alternatively, it can be represented by a parity-check matrix $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ of the form $H = [I_k \ \mathrm{IM}_P(h)]$.

Let $a = (a_1, \dots, a_k) \in \mathbb{F}_2^k$; for $r \in [1, k-1]$, we define the $\mathrm{rot}()$ operator as $\mathrm{rot}_r(a) = (a_{k-r+1}, \dots, a_k, a_1, \dots, a_{k-r})$. For $b = (b_1, b_2) \in \mathbb{F}_2^{2k}$, we slightly abuse notations and define $\mathrm{rot}_r(b) = (\mathrm{rot}_r(b_1), \mathrm{rot}_r(b_2))$. Whenever $H$ is the parity-check matrix of a quasi-cyclic code or an ideal code, if one has $Hx^\top = y^\top$, then it holds that $H \cdot \mathrm{rot}_r(x)^\top = \mathrm{rot}_r(y)^\top$.
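The rotation property above is what makes a single quasi-cyclic instance yield $k$ related syndromes for free, which is the decoding-one-out-of-many setting used later in the paper. The following Python script is an added example and not code from the paper: it builds a small binary parity-check matrix $H = [I_k \ B]$ from a constructed circulant $B$, draws a vector $x$ of Hamming weight $w$, computes $y = Hx^\top$ over $\mathbb{F}_2$, and checks $H\,\mathrm{rot}_r(x)^\top = \mathrm{rot}_r(y)^\top$ for every shift $r$. The function names, the toy parameters ($k = 8$, $w = 3$) and the sample vectors are illustrative assumptions; ideal codes with a general modulus $P$ are not covered, only the circulant (quasi-cyclic) case.

```python
"""Binary quasi-cyclic syndrome decoding toy: H = [I_k | B] with B circulant.

Added example, not from the paper. Arithmetic is over F_2 using plain Python
lists; parameters are tiny so that the rotation property can be inspected by
hand. Function names and sample vectors below are illustrative assumptions.
"""
import random


def hamming_weight(x):
    """w_H(x): number of non-zero coordinates (Definition 8)."""
    return sum(1 for coordinate in x if coordinate)


def rot(a, r):
    """rot_r(a) = (a_{k-r+1}, ..., a_k, a_1, ..., a_{k-r}): cyclic right shift by r."""
    k = len(a)
    r %= k
    return a[k - r:] + a[:k - r]


def rot2(b, r):
    """rot_r on a length-2k vector b = (b_1, b_2): rotate each half separately."""
    k = len(b) // 2
    return rot(b[:k], r) + rot(b[k:], r)


def circulant(first_row):
    """Circulant k x k matrix whose i-th row is first_row rotated right by i."""
    k = len(first_row)
    return [[first_row[(j - i) % k] for j in range(k)] for i in range(k)]


def qc_parity_check(first_row):
    """Parity-check matrix H = [I_k | B] of a systematic index-2 quasi-cyclic code."""
    k = len(first_row)
    b_matrix = circulant(first_row)
    return [[1 if i == j else 0 for j in range(k)] + b_matrix[i] for i in range(k)]


def syndrome(h_matrix, x):
    """y = H x^T over F_2, returned as a list of bits."""
    return [sum(h * xi for h, xi in zip(row, x)) % 2 for row in h_matrix]


def random_weight_vector(n, w, rng):
    """Uniform vector of F_2^n with Hamming weight exactly w."""
    x = [0] * n
    for position in rng.sample(range(n), w):
        x[position] = 1
    return x


def rotation_property_holds(h_matrix, x):
    """Check H rot_r(x)^T = rot_r(y)^T for every shift r, where y = H x^T.

    A circulant B commutes with every cyclic shift, so x_1 + B x_2 rotates
    exactly as x_1 and x_2 do; this is the property stated in Sect. 2.2."""
    k = len(h_matrix)
    y = syndrome(h_matrix, x)
    return all(syndrome(h_matrix, rot2(x, r)) == rot(y, r) for r in range(k))


def doom_instances(h_matrix, x):
    """The k related (x_i, y_i) pairs obtained by rotation: the decoding-one-
    out-of-many setting QCSD(n, k, w, M = k), where recovering any x_i suffices."""
    k = len(h_matrix)
    y = syndrome(h_matrix, x)
    return [(rot2(x, r), rot(y, r)) for r in range(k)]


def qcsd_instance(k, w, seed=0):
    """Constructed toy instance: (H, x, y) with H = [I_k | B] and w_H(x) = w."""
    rng = random.Random(seed)
    first_row = [rng.randrange(2) for _ in range(k)]
    h_matrix = qc_parity_check(first_row)
    x = random_weight_vector(2 * k, w, rng)
    return h_matrix, x, syndrome(h_matrix, x)


if __name__ == "__main__":
    H, x, y = qcsd_instance(k=8, w=3, seed=1)
    print("w_H(x) =", hamming_weight(x), "y =", y)
    print("rotation property holds:", rotation_property_holds(H, x))
    for xi, yi in doom_instances(H, x)[:3]:
        print(" DOOM instance:", xi, "->", yi)
```

The check in rotation_property_holds is the reason the QCSD assumption must be evaluated in the one-out-of-many setting: an attacker who is given $(H, y)$ can derive all $k$ rotated syndromes without any secret, so the parameters have to resist an adversary holding $M = k$ targets rather than one.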

2.3 Hard Problems

We introduce several hard problems along with some of their variants. They are used to design signature schemes in the remainder of this paper.

Definition 15 (PKP problem). Let $(q, m, n)$ be positive integers, $H \in \mathbb{F}_q^{m \times n}$ be a random matrix, $\pi \in S_n$ be a random permutation and $x \in \mathbb{F}_q^n$ be a vector such that $H(\pi[x]) = 0$. Given $(H, x)$, the Permuted Kernel Problem $\mathrm{PKP}(q, m, n)$ asks to find a permutation $\pi$.
Definition 16 (IPKP problem). Let $(q, m, n)$ be positive integers, $H \xleftarrow{\$} \mathbb{F}_q^{m \times n}$ be a random matrix, $\pi \in S_n$ be a random permutation, $x \in \mathbb{F}_q^n$ be a random vector and $y \in \mathbb{F}_q^m$ be a vector such that $H(\pi[x]) = y$. Given $(H, x, y)$, the Inhomogeneous Permuted Kernel Problem $\mathrm{IPKP}(q, m, n)$ asks to find $\pi$.
Definition 17 (SD problem). Let $(n, k, w)$ be positive integers, $H \in \mathbb{F}_2^{(n-k) \times n}$ be a random parity-check matrix, $x \in \mathbb{F}_2^n$ be a random vector such that $w_H(x) = w$ and $y \in \mathbb{F}_2^{(n-k)}$ be a vector such that $Hx^\top = y^\top$. Given $(H, y)$, the binary Syndrome Decoding problem $\mathrm{SD}(n, k, w)$ asks to find $x$.

Definition 18 (QCSD problem). Let $(n = 2k, k, w)$ be positive integers, $H \in \mathrm{QC}(\mathbb{F}_2^{(n-k) \times n})$ be a random parity-check matrix of a quasi-cyclic code of index 2, $x \in \mathbb{F}_2^n$ be a random vector such that $w_H(x) = w$ and $y \in \mathbb{F}_2^{(n-k)}$ be a vector such that $Hx^\top = y^\top$. Given $(H, y)$, the binary Quasi-Cyclic Syndrome Decoding problem $\mathrm{QCSD}(n, k, w)$ asks to find $x$.

Decoding One Out of Many Setting. We denote by $\mathrm{QCSD}(n, k, w, M)$ the QCSD problem in the decoding one out of many setting [Sen11]. In this setting, several small weight vectors $(x_i)_{i \in [1,M]}$ are used along with several syndromes $(y_i)_{i \in [1,M]}$ and one is asked to find any $x_i$. This setting is natural for the QCSD problem as one can get additional syndromes using rotations.

Definition 19 (RSD problem). Let $(q, m, n, k, w)$ be positive integers, $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ be a random parity-check matrix, $x \in \mathbb{F}_{q^m}^n$ be a random vector such that $w_R(x) = w$ and $y \in \mathbb{F}_{q^m}^{(n-k)}$ be a vector such that $Hx^\top = y^\top$. Given $(H, y)$, the Rank Syndrome Decoding problem $\mathrm{RSD}(q, m, n, k, w)$ asks to find $x$.

Definition 20 (IRSD problem). Let $(q, m, n = 2k, k, w)$ be positive integers, $P \in \mathbb{F}_q[X]$ be an irreducible polynomial of degree $k$, $H \in \mathrm{ID}(\mathbb{F}_{q^m}^{(n-k) \times n})$ be a random parity-check matrix of an ideal code of index 2, $x \in \mathbb{F}_{q^m}^n$ be a random vector such that $w_R(x) = w$ and $y \in \mathbb{F}_{q^m}^{(n-k)}$ be a vector such that $Hx^\top = y^\top$. Given $(H, y)$, the Ideal Rank Syndrome Decoding problem $\mathrm{IRSD}(q, m, n, k, w)$ asks to find $x$.
Definition 21 (RSL problem). Let $(q, m, n, k, w, M)$ be positive integers, $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ be a random parity-check matrix, $E$ be a random subspace of $\mathbb{F}_{q^m}$ of dimension $w$, $(x_i)_{i \in [1,M]} \in (\mathbb{F}_{q^m}^n)^M$ be random vectors such that $\mathrm{Supp}(x_i) = E$ and $(y_i)_{i \in [1,M]} \in (\mathbb{F}_{q^m}^{(n-k)})^M$ be vectors such that $Hx_i^\top = y_i^\top$. Given $(H, (y_i)_{i \in [1,M]})$, the Rank Support Learning problem $\mathrm{RSL}(q, m, n, k, w, M)$ asks to find $E$.
Definition 22 (IRSL problem). Let $(q, m, n = 2k, k, w, M)$ be positive integers, $P \in \mathbb{F}_q[X]$ be an irreducible polynomial of degree $k$, $H \in \mathrm{ID}(\mathbb{F}_{q^m}^{(n-k) \times n})$ be a random parity-check matrix of an ideal code of index 2, $E$ be a random subspace of $\mathbb{F}_{q^m}$ of dimension $w$, $(x_i)_{i \in [1,M]} \in (\mathbb{F}_{q^m}^n)^M$ be random vectors such that $\mathrm{Supp}(x_i) = E$ and $(y_i)_{i \in [1,M]} \in (\mathbb{F}_{q^m}^{(n-k)})^M$ be vectors such that $Hx_i^\top = y_i^\top$. Given $(H, (y_i)_{i \in [1,M]})$, the Ideal Rank Support Learning problem $\mathrm{IRSL}(q, m, n, k, w, M)$ asks to find $E$.

3 New Paradigm to Design PoK Leveraging Structure


3.1 Overview of Our PoK Leveraging Structure Approach
The PoK with Helper paradigm introduced in [Beu20] eases the design of PoK and has historically led to shorter signatures. It relies on introducing a trusted third party (the so-called Helper) that is later removed using cut-and-choose. In this section, we introduce a new paradigm that can be seen as an alternate way to remove the Helper in such PoK. Formally, our approach consists in using standard (to be read as without Helper) PoK; however, we believe that it is more easily understood when described by analogy to the PoK with Helper paradigm.
PoK Leveraging Structure. Our main idea can be seen as using the underlying structure of the considered problem in order to substitute the Helper in the PoK with Helper approach. As a consequence, all the PoK designed following our paradigm share the framework described in Fig. 1. Indeed, all our PoK leveraging structure are 5-round PoK whose first challenge space $C_{\mathrm{struct}}$ is related to some structure and whose second challenge space can be made arbitrarily large. This specific framework impacts the properties of the considered protocols, which can be leveraged to bring an improvement over existing constructions. Indeed, removing the Helper provides an improvement on performances that can lead to smaller signature sizes when some additional conditions are verified. We describe in Table 1 how our new paradigm can be applied to the PoK with Helper from [Beu20] and Sect. 5 in order to design new PoK leveraging structure related to the PKP, SD and RSD problems. For instance, starting from the SD problem over $\mathbb{F}_2$, one may introduce the required extra structure by considering the QCSD problem over $\mathbb{F}_2$ or the SD problem over $\mathbb{F}_q$.

Prover(w, x)                                              Verifier(x)

(com_1, state_{P_1}) ← P_1(w, x)
                               ────── com_1 ──────▶
                                                          ch_struct ←$ C_struct
                               ◀──── ch_struct ────
(com_2, state_{P_2}) ← P_2(w, x, ch_struct, state_{P_1})
                               ────── com_2 ──────▶
                                                          α ←$ [1, N]
                               ◀──────── α ────────
rsp ← P_3(w, x, ch_struct, α, state_{P_2})
                               ─────── rsp ───────▶
                                                          return V(x, com_1, ch_struct, com_2, α, rsp)

Fig. 1. Overview of PoK leveraging structure

Table 1. Substitution of the Helper using PoK leveraging structure

Scheme              First Challenge                      Second Challenge       Problem
SUSHYFISH [Beu20]   Helper                               Linearity over F_q     IPKP
Section 6.1         Linearity over F_q                   Shared Permutation     IPKP
[FJR21, BGKM22]     Helper                               (Shared Permutation)   SD over F_2
Section 5           Helper                               Shared Permutation     SD over F_2
Section 6.2         Cyclicity                            Shared Permutation     QCSD over F_2
Section 5           Helper                               Shared Permutation     RSD
Section 6.3         Cyclicity                            Shared Permutation     IRSD
                    Cyclicity, Linearity, Same Support   Shared Permutation     IRSL

3.2 Properties of PoK Leveraging Structure

Hereafter, we discuss the advantages and limits of our new approach by describing its impact on soundness, performance, security and size of the resulting signature scheme. We denote by $C_1$ and $C_2$ the sizes of the two considered challenge spaces and by $\tau$ the number of iterations that one needs to execute to achieve a negligible soundness error for some security parameter $\lambda$.
Impact on Soundness Error. Removing the trusted setup induced by the Helper allows new cheating strategies for malicious provers. In most cases, this means that the soundness error is increased from $\max(\frac{1}{C_1}, \frac{1}{C_2})$ for protocols using a Helper to $\frac{1}{C_1} + (1 - \frac{1}{C_1}) \cdot \frac{1}{C_2}$ for protocols without Helper. A malicious prover generally has a cheating strategy related to the first challenge that is successful with probability $\frac{1}{C_1}$ as well as a cheating strategy related to the second challenge for the remaining cases that is successful with probability $(1 - \frac{1}{C_1}) \cdot \frac{1}{C_2}$. The aforementioned expression is equal to $\frac{1}{C_2} + \frac{C_2 - 1}{C_1 \cdot C_2}$, hence one can see that for challenge spaces such that $C_2 \gg 1$, the resulting soundness error is close to $\frac{1}{C_2} + \frac{1}{C_1}$. In addition, if one also has $C_1 \gg C_2$, the soundness error is close to $\frac{1}{C_2}$.

Impact on Performances. Using a Helper, one has to repeat several operations (some sampling and a commitment in most cases) $\tau \cdot C_1 \cdot C_2$ times during the trusted setup phase, where $C_1$ is the number of repetitions involved in the cut-and-choose used to remove the Helper. While in practice the beating parallel repetition optimization from [KKW18] allows one to reduce the number of operations to $X \cdot C_2$ where $X \le \tau \cdot C_1$, the trusted setup phase still induces an important performance overhead. Removing the Helper generally reduces the cost of this phase to $\tau \cdot C_2$ operations, thus improving performances as $\tau \le X$. One should note that the PoK constructed from our new technique inherently have a 5-round structure. A common technique consists in collapsing 5-round PoK to 3-round ones; however, doing so would re-introduce the aforementioned performance overhead in our case.
Impact on Security. PoK following our new paradigm are slightly less conservative than PoK with Helper collapsed to 3-round. Indeed, the underlying 5-round structure can be exploited as demonstrated by the attack from [KZ20]. In practice, one can increase the number of iterations $\tau$ to take this attack into account. One can also amplify the challenge space sizes in order to reduce the effectiveness of this attack as explained in Sect. 4. In addition, the security proofs of the PoK following our new paradigm might be a bit more involved. Indeed, one might need to introduce an intermediary problem and rely on a reduction from the targeted problem to this intermediary problem. This strategy was used in [AGS11] with the introduction of the DiffSD problem and its reduction to the QCSD problem. More recently, such a strategy has also been used in [FJR22] where the d-split SD problem is used as an intermediary problem along with a reduction to the SD problem. In practice, one generally needs to increase the considered parameters for these reductions to hold securely.
Impact on Resulting Signature Size. Several of the aforementioned elements impact the signature size in conflicting ways. For instance, removing the Helper increases the soundness error, which impacts the signature size negatively; however, it also reduces the number of seeds to be sent, which impacts the signature size positively. In addition, many PoK with Helper feature a trade-off between performances and signature sizes, hence our performance improvement related to the Helper's removal directly translates into a reduction of the signature size in these cases. Moreover, using a 5-round structure reduces the number of commitments to be sent but requires taking into account the attack from [KZ20]. In practice, our new paradigm leads to smaller signature sizes over comparable PoK with Helper when the parameters are chosen carefully. This is mainly due to the performance improvement related to the Helper's removal, while the work from [KZ20] constitutes a limiting factor, thus motivating the new technique introduced in Sect. 4.
Our new paradigm exploits the structure of the considered problems in order to build more compact PoK. As a result, our protocols differ from existing ones in several ways, thus leading to different features when it comes to soundness, performances, security and resulting signature sizes. Interestingly, the required additional structure has either already been well studied (such as cyclicity for the QCSD and IRSD problems) or is closely related to the considered problem (such as linearity over $\mathbb{F}_q$ for the inhomogeneous IPKP problem).

4 Amplifying Challenge Space to Mitigate [KZ20] Attack

4.1 Overview of Our Challenge Space Amplification Technique

It was shown in [KZ20] that 5-round PoK that use parallel repetition to achieve a negligible soundness error are vulnerable to an attack when they are made non-interactive with the Fiat-Shamir transform. One can easily mitigate this attack by increasing the number of considered repetitions $\tau$. This countermeasure increases the resulting signature size, hence most designers choose to collapse 5-round schemes into 3-round ones instead. In the case of our new paradigm, such a strategy is not desirable as explained in Sect. 3. These considerations motiv

ate the search for an alternate way to mitigate the [KZ20] attack.
Challenge Space Amplification. Our new mitigation strategy consists in amplifying the challenge space sizes rather than increasing the number of repetitions. In particular, we are interested in amplifying the first challenge space of our PoK leveraging structure. Hereafter, we show how such an amplification can be performed by increasing the size of the public key. Interestingly, in some cases, one may increase the size of the challenge space exponentially while increasing the size of the public key only linearly. In such cases, our new mitigation strategy is more efficient than increasing the number of repetitions $\tau$.

4.2 The [KZ20] Attack Against 5-Round PoK

We start by recalling that most PoK from the literature feature a soundness error ranging from 2/3 to $1/N$ for $N$ up to 1024. In order to achieve a negligible soundness error, one has to execute $\tau$ repetitions of the underlying protocol. The main idea of the [KZ20] result is to separate the attacker's work into two steps respectively related to the first and second challenges. A malicious prover tries to correctly guess the first challenges for $\tau^* \le \tau$ repetitions as well as the second challenges for the remaining $\tau - \tau^*$ repetitions, leveraging the fact that a correct guess for any challenge allows one to cheat in most protocols. The efficiency of the attack depends on the number of repetitions $\tau$, the sizes of the challenge spaces $C_1$ and $C_2$ as well as a property of the PoK called the capability for early abort. PoK with Helper have the capability for early abort; however, schemes constructed following our new paradigm do not. As a consequence, finding a way to mitigate the [KZ20] attack is of great importance in our context. Our mitigation strategy relies on the fact that the attack complexity increases if the two challenge spaces $C_1$ and $C_2$ are not of equal size. Indeed, in our context (no capability for early abort), the attack complexity is equal to
$$\mathrm{Cost}(\tau) = \frac{1}{P_1(\tau^*, \tau, C_1)} + (C_2)^{\tau - \tau^*}$$
where $P_1(r, \tau, C_1)$ is the probability to correctly guess at least $r$ amongst $\tau$ challenges in a challenge space of size $C_1$, namely
$$P_1(r, \tau, C_1) = \sum_{i=r}^{\tau} \left(\frac{1}{C_1}\right)^i \cdot \left(\frac{C_1 - 1}{C_1}\right)^{\tau - i} \cdot \binom{\tau}{i},$$
with $\tau^*$ being the number of repetitions in the first step of the attack that minimizes the attack cost, namely
$$\tau^* = \underset{0 \le r \le \tau}{\arg\min}\ \frac{1}{P_1(r, \tau, C_1)} + (C_2)^{\tau - r}.$$

4.3 Trade-Off Between Public Key Size and Challenge Space Size

In order to mitigate the attack from [KZ20], we propose to increase the size of
the first challenge space. This decreases the probability that a malicious prover is
able to correctly guess τ* random challenges in the first step of the attack, hence
reduces its efficiency. In order to do so, one can introduce several instances of the
considered hard problem in a given public key, as suggested in [BBBG21]. Using
the SD problem for illustrative purposes, one replaces the secret key $\mathrm{sk} = (x)$
where $w_H(x) = \omega$ and public key $\mathrm{pk} = (H, y = Hx^{\top})$ by M instances such
that $\mathrm{sk} = (x_i)_{i\in[1,M]}$ and $\mathrm{pk} = (H, (y_i = Hx_i^{\top})_{i\in[1,M]})$ where $w_H(x_i) = \omega$. In
practice, this implies that the parameters of the schemes have to be chosen taking
into account that the attacker now has access to M instances $(H, (y_i)_{i\in[1,M]})$.
This setting has been studied within the code-based cryptography community
and is commonly referred to as decoding one out of many in the literature [Sen11].
Using this technique, the first challenge space size is increased by a factor M;
however, the size of the public key is also increased by a factor M. Overall, the
challenge space amplification approach reduces the (public key + signature) size,
as suggested by the numbers in Sect. 7.
We now present a new idea that greatly improves the efficiency of the aforementioned
amplification technique. Interestingly, in some cases, it is possible to
increase the challenge space size exponentially while only increasing the public
key size linearly. We illustrate such cases using the RSD problem, namely the syndrome
decoding problem in the rank metric setting. As previously, let us consider
M instances such that $\mathrm{sk} = (x_i)_{i\in[1,M]}$ and $\mathrm{pk} = (H, (y_i = Hx_i^{\top})_{i\in[1,M]})$ where
$w_R(x_i) = \omega$. Moreover, if we choose the $x_i$ such that they all share the same
support E, then we end up working with the RSL problem. The RSL problem can
be seen as a generalization of the RSD problem whose security has been studied
in [GHPT17,DAT18,BB21]. Due to the properties of the rank metric, any linear
combination of the $x_i$ has a support $E' \subseteq E$ (with $E' = E$ with good probability)
and a rank weight $\omega' \le \omega$ (with $\omega' = \omega$ with good probability). One
can leverage this property to design more efficient protocols by substituting a
random choice of one $x_i$ value by a random choice of a linear combination of the $x_i$
values. Doing so, a random choice amongst M values is substituted by a random
choice amongst $q^M$ values, thus amplifying the considered challenge space size
exponentially rather than linearly while still requiring the public key size to be
increased only linearly by the factor M. This makes our amplification technique
quite efficient as a mitigation strategy against the [KZ20] attack, as suggested by
the numbers presented in Sect. 7.3. Indeed, one can see that amplifying the first
challenge space size exponentially reduces the number of repetitions τ from 37
to 23, namely an improvement of more than 35%.
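To make the cost formula of Sect. 4.2 and the amplification argument of Sect. 4.3 concrete, here is an added Python example (not the authors' code) that evaluates Cost(τ) exactly with rational arithmetic, finds the smallest τ reaching a target security level, and compares a linear first challenge space |C_1| = M·k (the QCSD setting of Fig. 4) with the exponential one |C_1| = q^{Mk} − 1 (the IRSL setting of Fig. 5). The parameter sets in the demo at the bottom (N, M, k, q and λ = 64) are constructed for illustration and are not the paper's.

```python
from fractions import Fraction
from math import comb, log2

def p1(r, tau, c1):
    """P_1(r, tau, C_1): probability of guessing at least r of tau first challenges,
    each drawn uniformly from a space of size C_1 (exact rational arithmetic)."""
    return sum(Fraction(1, c1) ** i * Fraction(c1 - 1, c1) ** (tau - i) * comb(tau, i)
               for i in range(r, tau + 1))

def kz_cost(tau, c1, c2):
    """Cost(tau) = min_r 1/P_1(r, tau, C_1) + C_2^(tau - r) for a 5-round PoK without
    early abort (Sect. 4.2). Returns (cost, tau_star) with tau_star the minimizing r."""
    best = None
    for r in range(tau + 1):
        cost = 1 / p1(r, tau, c1) + Fraction(c2) ** (tau - r)
        if best is None or cost < best[0]:
            best = (cost, r)
    return best

def min_repetitions(c1, c2, lam=128):
    """Smallest tau such that Cost(tau) >= 2^lam, i.e. the number of repetitions a
    defender must choose so that the cheapest [KZ20]-style forgery costs 2^lam work."""
    tau = 1
    while kz_cost(tau, c1, c2)[0] < 2 ** lam:
        tau += 1
    return tau

def linear_space(M, k):
    """First challenge space of the QCSD PoK (Fig. 4): one of M syndromes and one of
    k cyclic shifts, so |C_1| grows linearly with M (as does pk)."""
    return M * k

def exponential_space(q, M, k):
    """First challenge space of the IRSL PoK (Fig. 5): a non-zero coefficient vector
    in (F_q)^{Mk}, so |C_1| grows exponentially with M while pk still grows linearly."""
    return q ** (M * k) - 1

if __name__ == "__main__":
    # Constructed toy parameters (not the paper's): N second challenges, M instances,
    # k shifts, field size q, and a reduced target of lam = 64 bits to keep the run short.
    N, M, k, q, lam = 32, 4, 5, 2, 64
    for name, c1 in (("linear M*k", linear_space(M, k)),
                     ("exponential q^(Mk)-1", exponential_space(q, M, k))):
        tau = min_repetitions(c1, N, lam)
        cost, tau_star = kz_cost(tau, c1, N)
        print(f"{name:22s} |C1|={c1:<8d} tau={tau:3d} tau*={tau_star:3d} "
              f"log2(cost)={log2(cost):.1f}")
```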

5 New PoK with Helper for the SD Problem

The first efficient PoK for the SD problem was introduced by Stern in [Ste93].
Over the years, many variants and improvements have been proposed, for instance in [Vér97,
AGS11,CVE11]. Several PoK achieving an arbitrarily small soundness
error have been proposed recently in [GPS21,FJR21,BGKM22,FJR22].
Most of these schemes (with the notable exception of [FJR22]) rely on permutations
to mask the secret value x associated with the considered SD problem.
Hereafter, we present a new PoK with Helper that outperforms previous
permutation-based schemes. It is described in Fig. 2 and encompasses several
ideas from [BGKM22], [FJR21] and [BGKS21]. Indeed, our protocol follows the
same paradigm as PoK 2 from [BGKM22] as it introduces several permutations
$(\pi_i)_{i\in[1,N]}$ and masks the secret x using the permutation $\pi_\alpha$ for $\alpha \in [1,N]$ while
revealing the other permutations $(\pi_i)_{i\in[1,N]\setminus\alpha}$. A notable difference comes from
the fact that it also leverages the shared permutations paradigm from [FJR21]
where the permutations $(\pi_i)_{i\in[1,N]}$ are nested around a global permutation π
such that $\pi = \pi_N \circ \cdots \circ \pi_1$. As a consequence, our protocol masks the secret x
using $\pi_\alpha \circ \cdots \circ \pi_1[x]$ for $\alpha \in [1,N]$. This differs from [FJR21] where the secret
is masked by $\pi[x]$ and where $\pi[u + x] + v$ is computed without revealing π.
This difference allows us to perform a cut-and-choose with a meet in the middle
approach where the recurrence relation related to π is used in both directions
rather than just one. Thanks to this new property, our protocol can benefit from
an optimization introduced in [BGKS21] that allows a vector to be substituted by
a random seed. This improvement is of great importance as it implies that our
PoK size scales with 1.5τn (where τ is the number of repetitions required to
achieve a negligible soundness error and n is the vector length considered within
the SD instance), while all previous protocols feature sizes scaling with a factor
2τn instead. As a consequence, our protocol outperforms the protocols from
[BGKM22] and [FJR21]. We refer the reader to Tables 4 and 5 for a comparison
with existing protocols including the recent [FJR22] proposal.

Inputs & Public Data
  $w = x$, $x = (H, y)$

Helper(x)
  $\theta \xleftarrow{\$} \{0,1\}^{\lambda}$, $\xi \xleftarrow{\$} \{0,1\}^{\lambda}$
  for $i \in [1, N]$ do
    $\theta_i \xleftarrow{\$,\theta} \{0,1\}^{\lambda}$, $\phi_i \xleftarrow{\$,\theta_i} \{0,1\}^{\lambda}$, $\pi_i \xleftarrow{\$,\phi_i} S_n$, $v_i \xleftarrow{\$,\phi_i} \mathbb{F}_2^n$, $r_{1,i} \xleftarrow{\$,\theta_i} \{0,1\}^{\lambda}$, $\mathrm{com}_{1,i} = \mathrm{Com}(r_{1,i}, \phi_i)$
  end
  $\pi = \pi_N \circ \cdots \circ \pi_1$, $v = v_N + \sum_{i\in[1,N-1]} \pi_N \circ \cdots \circ \pi_{i+1}[v_i]$, $r \xleftarrow{\$,\xi} \mathbb{F}_2^n$, $u = \pi^{-1}[r - v]$
  $\mathrm{com}_1 = \mathrm{Hash}(Hu^{\top} \,\|\, \pi[u] + v \,\|\, (\mathrm{com}_{1,i})_{i\in[1,N]})$
  Send $(\theta, \xi)$ to the Prover and $\mathrm{com}_1$ to the Verifier

$P_1(w, x, \theta, \xi)$
  Compute $(\theta_i, \pi_i, v_i)_{i\in[1,N]}$ and $u$ from $(\theta, \xi)$
  $s_0 = u + x$
  for $i \in [1, N]$ do
    $s_i = \pi_i[s_{i-1}] + v_i$
  end
  $\mathrm{com}_2 = \mathrm{Hash}(u + x \,\|\, (s_i)_{i\in[1,N]})$

$V_1(x, \mathrm{com}_1)$
  $\alpha \xleftarrow{\$} [1, N]$

$P_2(w, x, \theta, \xi, \alpha)$
  $z_1 = u + x$, $z_2 = (\theta_i)_{i\in[1,N]\setminus\alpha}$, $z_3 = \xi$, $z_4 = \pi_\alpha \circ \cdots \circ \pi_1[x]$
  $\mathrm{rsp} = (z_1, z_2, z_3, z_4, \mathrm{com}_{1,\alpha})$

$V_2(x, \mathrm{com}_1, \mathrm{com}_2, \alpha, \mathrm{rsp})$
  Compute $(\bar{\phi}_i, \bar{r}_{1,i}, \bar{\pi}_i, \bar{v}_i)_{i\in[1,N]\setminus\alpha}$ from $z_2$ and $\bar{t}_N = \bar{r}$ from $z_3$
  for $i \in \{N, \ldots, \alpha+1\}$ do
    $\bar{t}_{i-1} = \bar{\pi}_i^{-1}[\bar{t}_i - \bar{v}_i]$
  end
  $\bar{s}_0 = z_1$, $\bar{s}_\alpha = \bar{t}_\alpha + z_4$, $\overline{\mathrm{com}}_{1,\alpha} = \mathrm{com}_{1,\alpha}$
  for $i \in [1, N] \setminus \alpha$ do
    $\bar{s}_i = \bar{\pi}_i[\bar{s}_{i-1}] + \bar{v}_i$, $\overline{\mathrm{com}}_{1,i} = \mathrm{Com}(\bar{r}_{1,i}, \bar{\phi}_i)$
  end
  $b_1 \leftarrow \mathrm{com}_1 = \mathrm{Hash}(Hz_1^{\top} - y \,\|\, \bar{r} \,\|\, (\overline{\mathrm{com}}_{1,i})_{i\in[1,N]})$
  $b_2 \leftarrow \mathrm{com}_2 = \mathrm{Hash}(z_1 \,\|\, (\bar{s}_i)_{i\in[1,N]})$
  $b_3 \leftarrow w_H(z_4) = \omega$
  return $b_1 \wedge b_2 \wedge b_3$

Fig. 2. PoK with Helper for the SD problem over $\mathbb{F}_2$



Theorem 1. If the hash function used is collision-resistant and if the commitment
scheme used is binding and hiding, then the protocol depicted in Fig. 2 is
an honest-verifier zero-knowledge PoK with Helper for the SD problem over $\mathbb{F}_2$
with soundness error 1/N.

Proof. Proof of Theorem 1 can be found in Appendix A.

6 New PoK Related to the PKP, SD and RSD Problems


6.1 PoK Leveraging Structure for the IPKP Problem

We present in Fig. 3 a PoK leveraging structure for the IPKP problem using
linearity over $\mathbb{F}_q$ along with the shared permutation from [FJR21].

Theorem 2. If the hash function used is collision-resistant and if the commitment
scheme used is binding and hiding, then the protocol depicted in Fig. 3 is an
honest-verifier zero-knowledge PoK for the IPKP problem with soundness error
equal to $\frac{1}{N} + \frac{N-1}{N\cdot(q-1)}$.

Proof. Proof of Theorem 2 can be found in Appendix B.

6.2 PoK Leveraging Structure for the QCSD Problem over F2


We apply results from Sects. 3 and 4 on top of the PoK with Helper from Sect. 5.
This PoK leverages quasi-cyclicity over $\mathbb{F}_2$ and is depicted in Fig. 4.

Theorem 3. If the hash function used is collision-resistant and if the commitment
scheme used is binding and hiding, then the protocol depicted in Fig. 4 is
an honest-verifier zero-knowledge PoK for the QCSD(n, k, w, M) problem with
soundness error equal to $\frac{1}{N} + \frac{(N-1)(\Delta-1)}{N \cdot M \cdot k}$ for some parameter Δ.

Proof. Proof of Theorem 3 can be found in Appendix C.

Remark. The parameter Δ is related to the security of the DiffSD problem.
The QCSD problem reduces to the intermediary DiffSD problem for sufficiently
large values of Δ, as shown in Appendix C. When Δ is not large enough, the
security reduction does not hold, which enables additional cheating strategies for
the adversary and hence impacts the soundness of the protocol.

6.3 PoK Leveraging Structure for the IRSL Problem


One can adapt the protocols described in Sects. 5 and 6.2 to the rank metric
setting by replacing permutations by isometries for the rank metric. Doing so,
one gets a PoK with Helper for the RSD problem as well as a PoK leveraging
structure for the IRSD problem. In addition, one can apply the challenge space
amplification technique presented in Sect. 4 in order to get a PoK leveraging
structure for the IRSL problem, as depicted in Fig. 5. In practice, one has to take into
account the cases where $\omega' < \omega$ mentioned in Sect. 4; however, we omit such cases
in Fig. 5 for conciseness.

Inputs & Public Data
  $w = \pi$, $x = (H, x, y)$
  $\mathcal{C}_{\mathrm{struct}} = \mathbb{F}_q^{*}$, $\mathrm{ch}_{\mathrm{struct}} = \kappa$

$P_1(w, x)$
  $\theta \xleftarrow{\$} \{0,1\}^{\lambda}$
  for $i \in \{N, \ldots, 1\}$ do
    $\theta_i \xleftarrow{\$,\theta} \{0,1\}^{\lambda}$, $\phi_i \xleftarrow{\$,\theta_i} \{0,1\}^{\lambda}$
    if $i \neq 1$ do
      $\pi_i \xleftarrow{\$,\phi_i} S_n$, $v_i \xleftarrow{\$,\phi_i} \mathbb{F}_q^n$, $r_{1,i} \xleftarrow{\$,\theta_i} \{0,1\}^{\lambda}$, $\mathrm{com}_{1,i} = \mathrm{Com}(r_{1,i}, \phi_i)$
    else
      $\pi_1 = \pi_2^{-1} \circ \cdots \circ \pi_N^{-1} \circ \pi$, $v_1 \xleftarrow{\$,\phi_1} \mathbb{F}_q^n$, $r_{1,1} \xleftarrow{\$,\theta_1} \{0,1\}^{\lambda}$, $\mathrm{com}_{1,1} = \mathrm{Com}(r_{1,1}, \pi_1 \,\|\, \phi_1)$
    end
  end
  $v = v_N + \sum_{i\in[1,N-1]} \pi_N \circ \cdots \circ \pi_{i+1}[v_i]$
  $\mathrm{com}_1 = \mathrm{Hash}(Hv \,\|\, (\mathrm{com}_{1,i})_{i\in[1,N]})$

$P_2(w, x, \kappa)$
  $s_0 = \kappa \cdot x$
  for $i \in [1, N]$ do
    $s_i = \pi_i[s_{i-1}] + v_i$
  end
  $\mathrm{com}_2 = \mathrm{Hash}((s_i)_{i\in[1,N]})$

$P_3(w, x, \kappa, \alpha)$
  $z_1 = s_\alpha$
  if $\alpha \neq 1$ do
    $z_2 = \pi_1 \,\|\, (\theta_i)_{i\in[1,N]\setminus\alpha}$
  else
    $z_2 = (\theta_i)_{i\in[1,N]\setminus\alpha}$
  end
  $\mathrm{rsp} = (z_1, z_2, \mathrm{com}_{1,\alpha})$

$V(x, \mathrm{com}_1, \kappa, \mathrm{com}_2, \alpha, \mathrm{rsp})$
  Compute $(\bar{\phi}_i, \bar{r}_{1,i}, \bar{\pi}_i, \bar{v}_i)_{i\in[1,N]\setminus\alpha}$ from $z_2$
  $\bar{s}_0 = \kappa \cdot x$, $\bar{s}_\alpha = z_1$, $\overline{\mathrm{com}}_{1,\alpha} = \mathrm{com}_{1,\alpha}$
  for $i \in [1, N] \setminus \alpha$ do
    $\bar{s}_i = \bar{\pi}_i[\bar{s}_{i-1}] + \bar{v}_i$
    if $i \neq 1$ do
      $\overline{\mathrm{com}}_{1,i} = \mathrm{Com}(\bar{r}_{1,i}, \bar{\phi}_i)$
    else
      $\overline{\mathrm{com}}_{1,1} = \mathrm{Com}(\bar{r}_{1,1}, \bar{\pi}_1 \,\|\, \bar{\phi}_1)$
    end
  end
  $b_1 \leftarrow \mathrm{com}_1 = \mathrm{Hash}(H\bar{s}_N - \kappa \cdot y \,\|\, (\overline{\mathrm{com}}_{1,i})_{i\in[1,N]})$
  $b_2 \leftarrow \mathrm{com}_2 = \mathrm{Hash}((\bar{s}_i)_{i\in[1,N]})$
  return $b_1 \wedge b_2$

Fig. 3. PoK leveraging structure for the IPKP problem



Inputs & Public Data
  $w = (x_i)_{i\in[1,M]}$, $x = (H, (y_i)_{i\in[1,M]})$,
  $\mathcal{C}_{\mathrm{struct}} = [1, M] \times [1, k]$, $\mathrm{ch}_{\mathrm{struct}} = (\mu, \kappa)$

$P_1(w, x)$
  $\theta \xleftarrow{\$} \{0,1\}^{\lambda}$, $\xi \xleftarrow{\$} \{0,1\}^{\lambda}$
  for $i \in [1, N]$ do
    $\theta_i \xleftarrow{\$,\theta} \{0,1\}^{\lambda}$, $\phi_i \xleftarrow{\$,\theta_i} \{0,1\}^{\lambda}$, $\pi_i \xleftarrow{\$,\phi_i} S_n$, $v_i \xleftarrow{\$,\phi_i} \mathbb{F}_2^n$, $r_{1,i} \xleftarrow{\$,\theta_i} \{0,1\}^{\lambda}$, $\mathrm{com}_{1,i} = \mathrm{Com}(r_{1,i}, \phi_i)$
  end
  $\pi = \pi_N \circ \cdots \circ \pi_1$, $v = v_N + \sum_{i\in[1,N-1]} \pi_N \circ \cdots \circ \pi_{i+1}[v_i]$, $r \xleftarrow{\$,\xi} \mathbb{F}_2^n$, $u = \pi^{-1}[r - v]$
  $\mathrm{com}_1 = \mathrm{Hash}(Hu^{\top} \,\|\, \pi[u] + v \,\|\, (\mathrm{com}_{1,i})_{i\in[1,N]})$

$P_2(w, x, \mu, \kappa)$
  $x_{\mu,\kappa} = \mathrm{rot}_\kappa(x_\mu)$, $s_0 = u + x_{\mu,\kappa}$
  for $i \in [1, N]$ do
    $s_i = \pi_i[s_{i-1}] + v_i$
  end
  $\mathrm{com}_2 = \mathrm{Hash}(u + x_{\mu,\kappa} \,\|\, (s_i)_{i\in[1,N]})$

$P_3(w, x, \mu, \kappa, \alpha)$
  $z_1 = u + x_{\mu,\kappa}$, $z_2 = (\theta_i)_{i\in[1,N]\setminus\alpha}$, $z_3 = \xi$, $z_4 = \pi_\alpha \circ \cdots \circ \pi_1[x_{\mu,\kappa}]$
  $\mathrm{rsp} = (z_1, z_2, z_3, z_4, \mathrm{com}_{1,\alpha})$

$V(x, \mathrm{com}_1, (\mu, \kappa), \mathrm{com}_2, \alpha, \mathrm{rsp})$
  Compute $(\bar{\phi}_i, \bar{r}_{1,i}, \bar{\pi}_i, \bar{v}_i)_{i\in[1,N]\setminus\alpha}$ from $z_2$ and $\bar{t}_N = \bar{r}$ from $z_3$
  for $i \in \{N, \ldots, \alpha+1\}$ do
    $\bar{t}_{i-1} = \bar{\pi}_i^{-1}[\bar{t}_i - \bar{v}_i]$
  end
  $\bar{s}_0 = z_1$, $\bar{s}_\alpha = \bar{t}_\alpha + z_4$, $\overline{\mathrm{com}}_{1,\alpha} = \mathrm{com}_{1,\alpha}$
  for $i \in [1, N] \setminus \alpha$ do
    $\bar{s}_i = \bar{\pi}_i[\bar{s}_{i-1}] + \bar{v}_i$, $\overline{\mathrm{com}}_{1,i} = \mathrm{Com}(\bar{r}_{1,i}, \bar{\phi}_i)$
  end
  $b_1 \leftarrow \mathrm{com}_1 = \mathrm{Hash}(Hz_1^{\top} - \mathrm{rot}_\kappa(y_\mu) \,\|\, \bar{r} \,\|\, (\overline{\mathrm{com}}_{1,i})_{i\in[1,N]})$
  $b_2 \leftarrow \mathrm{com}_2 = \mathrm{Hash}(z_1 \,\|\, (\bar{s}_i)_{i\in[1,N]})$
  $b_3 \leftarrow w_H(z_4) = \omega$
  return $b_1 \wedge b_2 \wedge b_3$

Fig. 4. PoK leveraging structure for the QCSD(n, k, w, M) problem over $\mathbb{F}_2$

Theorem 4. If the hash function used is collision-resistant and if the commitment
scheme used is binding and hiding, then the protocol depicted in Fig. 5 is an
honest-verifier zero-knowledge PoK for the IRSL problem with soundness error
equal to $\frac{1}{N} + \frac{(N-1)(\Delta-1)}{N(q^{Mk}-1)}$ for some parameter Δ.

Proof. Proof of Theorem 4 can be found in Appendix D.



Inputs & Public Data
  $w = (x_i)_{i\in[1,M]}$, $x = (H, (y_i)_{i\in[1,M]})$,
  $\mathcal{C}_{\mathrm{struct}} = (\mathbb{F}_q)^{Mk} \setminus (0, \cdots, 0)$, $\mathrm{ch}_{\mathrm{struct}} = \gamma = (\gamma_{i,j})_{i\in[1,M],\, j\in[1,k]}$

$P_1(w, x)$
  $\theta \xleftarrow{\$} \{0,1\}^{\lambda}$, $\xi \xleftarrow{\$} \{0,1\}^{\lambda}$
  for $i \in [1, N]$ do
    $\theta_i \xleftarrow{\$,\theta} \{0,1\}^{\lambda}$, $\phi_i \xleftarrow{\$,\theta_i} \{0,1\}^{\lambda}$, $P_i \xleftarrow{\$,\phi_i} \mathrm{GL}_m(\mathbb{F}_q)$, $Q_i \xleftarrow{\$,\phi_i} \mathrm{GL}_n(\mathbb{F}_q)$, $v_i \xleftarrow{\$,\phi_i} \mathbb{F}_{q^m}^n$, $r_{1,i} \xleftarrow{\$,\theta_i} \{0,1\}^{\lambda}$, $\mathrm{com}_{1,i} = \mathrm{Com}(r_{1,i}, \phi_i)$
  end
  $P = P_N \times \cdots \times P_1$, $Q = Q_N \times \cdots \times Q_1$, $v = v_N + \sum_{i\in[1,N-1]} P_N \times \cdots \times P_{i+1} \cdot v_i \cdot Q_{i+1} \times \cdots \times Q_N$
  $r \xleftarrow{\$,\xi} \mathbb{F}_{q^m}^n$, $u = P^{-1} \cdot (r - v) \cdot Q^{-1}$
  $\mathrm{com}_1 = \mathrm{Hash}(Hu^{\top} \,\|\, P \cdot u \cdot Q + v \,\|\, (\mathrm{com}_{1,i})_{i\in[1,N]})$

$P_2(w, x, \gamma)$
  $x_\gamma = \sum_{(i,j)\in[1,M]\times[1,k]} \gamma_{i,j} \cdot \mathrm{rot}_j(x_i)$, $s_0 = u + x_\gamma$
  for $i \in [1, N]$ do
    $s_i = P_i \cdot s_{i-1} \cdot Q_i + v_i$
  end
  $\mathrm{com}_2 = \mathrm{Hash}(u + x_\gamma \,\|\, (s_i)_{i\in[1,N]})$

$P_3(w, x, \gamma, \alpha)$
  $z_1 = u + x_\gamma$, $z_2 = (\theta_i)_{i\in[1,N]\setminus\alpha}$, $z_3 = \xi$, $z_4 = P_\alpha \times \cdots \times P_1 \cdot x_\gamma \cdot Q_1 \times \cdots \times Q_\alpha$
  $\mathrm{rsp} = (z_1, z_2, z_3, z_4, \mathrm{com}_{1,\alpha})$

$V(x, \mathrm{com}_1, \gamma, \mathrm{com}_2, \alpha, \mathrm{rsp})$
  Compute $(\bar{\phi}_i, \bar{r}_{1,i}, \bar{P}_i, \bar{Q}_i, \bar{v}_i)_{i\in[1,N]\setminus\alpha}$ from $z_2$ and $\bar{t}_N = \bar{r}$ from $z_3$
  for $i \in \{N, \ldots, \alpha+1\}$ do
    $\bar{t}_{i-1} = \bar{P}_i^{-1} \cdot (\bar{t}_i - \bar{v}_i) \cdot \bar{Q}_i^{-1}$
  end
  $\bar{s}_0 = z_1$, $\bar{s}_\alpha = \bar{t}_\alpha + z_4$, $\overline{\mathrm{com}}_{1,\alpha} = \mathrm{com}_{1,\alpha}$
  for $i \in [1, N] \setminus \alpha$ do
    $\bar{s}_i = \bar{P}_i \cdot \bar{s}_{i-1} \cdot \bar{Q}_i + \bar{v}_i$, $\overline{\mathrm{com}}_{1,i} = \mathrm{Com}(\bar{r}_{1,i}, \bar{\phi}_i)$
  end
  $b_1 \leftarrow \mathrm{com}_1 = \mathrm{Hash}(Hz_1^{\top} - \sum_{(i,j)\in[1,M]\times[1,k]} \gamma_{i,j} \cdot \mathrm{rot}_j(y_i) \,\|\, \bar{r} \,\|\, (\overline{\mathrm{com}}_{1,i})_{i\in[1,N]})$
  $b_2 \leftarrow \mathrm{com}_2 = \mathrm{Hash}(z_1 \,\|\, (\bar{s}_i)_{i\in[1,N]})$
  $b_3 \leftarrow w_R(z_4) = \omega$
  return $b_1 \wedge b_2 \wedge b_3$

Fig. 5. PoK leveraging structure for the IRSL problem

7 Resulting Signatures and Comparison


PoK can be transformed into signature schemes using the Fiat-Shamir transform
[FS86]. Several optimizations can be employed in the process; we refer the
interested reader to previous work such as [KKW18,Beu20,GPS21,BGKM22]
for additional details. Hereafter, we keep the inherent 5-round structure of our
PoK (except for the one from Sect. 5, which is collapsed to 3 rounds), hence parameters
are chosen taking into account the attack from [KZ20]. Moreover, we only
consider parameters for λ = 128 bits of security. The commitments are instantiated
using hash functions along with some randomness. For the signatures,
random salts are added to the hash functions.

7.1 Signatures Based on PoK Related to the PKP Problem

The signature size of our protocol from Sect. 6.1 is detailed in Table 2. Table 3
provides a comparison with respect to other PoK for the PKP problem. The
complexity of the PKP problem has been studied in [KMRP19]. We consider
parameters from [Beu20] for our comparison namely (q = 997, n = 61, m = 28).
In addition, we use both (N = 32, τ = 42) and (N = 256, τ = 31).

Table 2. Signature sizes for our PKP based construction

| Scheme               | Signature size |
|----------------------|----------------|
| Our Work (Sect. 6.1) | $5\lambda + \tau \cdot (n \cdot \log_2(q) + n \cdot \log_2(n) + \lambda \cdot \log_2(N) + 2\lambda)$ |

Table 3. Signatures based on PKP for λ = 128 (sorted by decreasing size)

| Scheme               | Type  | pk     | σ       | Structure | Security Assumption |
|----------------------|-------|--------|---------|-----------|---------------------|
| SUSHYFISH [Beu20]    | Fast  | 0.1 kB | 18.1 kB | 3-round   | IPKP                |
|                      | Short | 0.1 kB | 12.1 kB |           |                     |
| [Fen22]              | Fast  | 0.1 kB | 16.4 kB | 5-round   | IPKP                |
|                      | Short | 0.1 kB | 12.9 kB |           |                     |
| Our Work (Sect. 6.1) | Fast  | 0.1 kB | 10.0 kB | 5-round   | IPKP                |
|                      | Short | 0.1 kB | 8.9 kB  |           |                     |

7.2 Signatures Based on PoK Related to the SD Problem

Table 4 compares signature sizes of our new protocol with respect to existing
ones. One can see that our signatures scale with a factor 1.5n · τ, which brings
an improvement with respect to previous (comparable) schemes that scale with
a factor 2n · τ. Table 5 provides a comparison to other code-based signatures
constructed from PoK for the SD problem. Parameters are chosen taking into
account attacks from [BJMM12] and [Sen11]. For our protocol from Sect. 5, we
have used (n = 1190, k = 595, ω = 132) as well as (N = 8, τ = 49, M' = 187)
and (N = 32, τ = 28, M' = 389). In these cases, M' is the parameter
related to the beating parallel repetition technique from [KKW18], namely M' instances are
prepared during the preprocessing step, amongst which τ are actually executed.
For our protocol from Sect. 6.2, we have used (n = 1306, k = 653, ω = 132, Δ = 17)
as well as (N = 32, τ = 42, M = 22) and (N = 256, τ = 33, M = 12).
Numbers for [FJR22] are from the original paper while numbers for [FJR21]
have been recomputed using the aforementioned parameters in order to provide
a fair comparison.

Table 4. Signature sizes (sorted by decreasing size)

| Scheme               | Signature size |
|----------------------|----------------|
| [BGKM22]             | $2\lambda + \tau \cdot (2n + 3\lambda \cdot \log_2(N) + 3\lambda \cdot \log_2(M/\tau))$ |
| [FJR21]              | $2\lambda + \tau \cdot (2n + \lambda \cdot \log_2(N) + 2\lambda + 3\lambda \cdot \log_2(M/\tau))$ |
| Our Work (Sect. 5)   | $3\lambda + \tau \cdot (1.5n + \lambda \cdot \log_2(N) + 2\lambda + 3\lambda \cdot \log_2(M/\tau))$ |
| Our Work (Sect. 6.2) | $5\lambda + \tau \cdot (1.5n + \lambda \cdot \log_2(N) + 2\lambda)$ |

Table 5. Signatures based on SD for λ = 128 (sorted by decreasing size)

| Scheme               | Type  | pk     | σ       | Structure | Security Assumption    |
|----------------------|-------|--------|---------|-----------|------------------------|
| [BGKM22]             | Fast  | 0.1 kB | 26.4 kB | 3-round   | SD over $\mathbb{F}_2$   |
|                      | Short | 0.1 kB | 20.5 kB |           |                        |
| [FJR21]              | Fast  | 0.1 kB | 23.3 kB | 3-round   | SD over $\mathbb{F}_2$   |
|                      | Short | 0.1 kB | 16.9 kB |           |                        |
| Our Work (Sect. 5)   | Fast  | 0.1 kB | 19.6 kB | 3-round   | SD over $\mathbb{F}_2$   |
|                      | Short | 0.1 kB | 14.8 kB |           |                        |
| Our Work (Sect. 6.2) | Fast  | 1.8 kB | 15.1 kB | 5-round   | QCSD over $\mathbb{F}_2$ |
|                      | Short | 1.0 kB | 13.5 kB |           |                        |
| [FJR22]              | Fast  | 0.1 kB | 17.0 kB | 5-round   | SD over $\mathbb{F}_2$   |
|                      | Short | 0.1 kB | 11.8 kB |           |                        |
|                      | Fast  | 0.2 kB | 11.5 kB | 5-round   | SD over $\mathbb{F}_q$   |
|                      | Short | 0.2 kB | 8.3 kB  |           |                        |

7.3 Signatures Based on PoK Related to the RSD/RSL Problem


Parameters for our PoK based on the rank metric are chosen to resist best known
attacks against RSD [GRS15,BBC+20] and RSL [BB21,GHPT17,DAT18]. For
our protocol from Sect. 5, we have used (q = 2, m = 31, n = 30, k = 15, ω = 9)
as well as (N = 8, τ = 49, M' = 187) and (N = 32, τ = 28, M' = 389). For our
protocol from Sect. 6.3, we have used (q = 2, m = 37, n = 34, k = 17, ω = 9, Δ =
10) as well as (N = 32, τ = 37) and (N = 512, τ = 25) for the variant relying
on the IRSD problem. In addition, we have used (q = 2, m = 37, n = 34, k =
17, ω = 10, Δ = 40, M = 5) as well as (N = 64, τ = 23) and (N = 1024, τ = 14)
for the variant relying on the IRSL problem (Tables 6 and 7).

Table 6. Signature sizes for our RSD based constructions

| Scheme               | Signature size |
|----------------------|----------------|
| Our Work (Sect. 5)   | $3\lambda + \tau \cdot (mn + \omega(m + n - \omega) + \lambda \cdot \log_2(N) + 2\lambda + 3\lambda \cdot \log_2(M/\tau))$ |
| Our Work (Sect. 6.3) | $5\lambda + \tau \cdot (mn + \omega(m + n - \omega) + \lambda \cdot \log_2(N) + 2\lambda)$ |

Table 7. Signatures based on RSD for λ = 128 (sorted by decreasing size)

| Scheme               | Type  | pk     | σ       | Structure | Security Assumption |
|----------------------|-------|--------|---------|-----------|---------------------|
| [BCG+19]             | –     | 0.2 kB | 22.5 kB | 5-round   | IRSD                |
| Our Work (Sect. 5)   | Fast  | 0.1 kB | 17.2 kB | 3-round   | RSD                 |
|                      | Short | 0.1 kB | 13.5 kB |           |                     |
| Our Work (Sect. 6.3) | Fast  | 0.1 kB | 12.6 kB | 5-round   | IRSD                |
|                      | Short | 0.1 kB | 10.2 kB |           |                     |
|                      | Fast  | 0.5 kB | 8.4 kB  | 5-round   | IRSL                |
|                      | Short | 0.5 kB | 6.1 kB  |           |                     |
| [Fen22]              | Fast  | 0.1 kB | 7.4 kB  | 5-round   | RSD                 |
|                      | Short | 0.1 kB | 5.9 kB  |           |                     |

8 Conclusion

In this paper, we have introduced a new approach to design PoK along with its
associated amplification technique. Using this new paradigm, we have provided
new post-quantum signatures related to the PKP, SD and RSD problems. Our
signature related to the PKP problem features a (public key + signature) size
ranging from 9 kB to 10 kB, which is up to 45% shorter than existing ones. Our
signature related to the SD problem features a (public key + signature) size
ranging from 15 kB to 17 kB, which outperforms existing constructions such as
Wave [DAST19] and LESS [BBPS21] but is outperformed by [FJR22]. Our signature
related to the RSL problem has a (public key + signature) size ranging
from 7 kB to 9 kB, which outperforms Durandal [ABG+19] but is outperformed by
[Fen22]. One should nonetheless note that Wave and Durandal have smaller signature
sizes (but bigger public key sizes) than our schemes. These constructions
are interesting as they are also competitive with SPHINCS+ [BHK+19], which
was recently selected during the NIST Standardization Process. While the
MPC-in-the-head approach has opened the way to several trade-offs between
signature size and performance, our work extends these possibilities even further
by leveraging structured versions of the considered hard problems. These new
trade-offs are significant as they can lead to shorter signatures, as demonstrated
in this work. Future work will include applying our new approach to other hard
problems such as the MQ problem and SD over $\mathbb{F}_q$ (see Appendices E and
F).

A Proof of Theorem 1

Theorem 1. If the hash function used is collision-resistant and if the commitment
scheme used is binding and hiding, then the protocol depicted in Fig. 2 is
an honest-verifier zero-knowledge PoK with Helper for the SD problem over $\mathbb{F}_2$
with soundness error 1/N.

Proof. We prove the correctness, special soundness and special honest-verifier
zero-knowledge properties below.

Correctness. The correctness follows from the protocol description once the
cut-and-choose with meet in the middle property $\bar{s}_\alpha = \bar{t}_\alpha + z_4$ has been verified.
From $s_0 = u + x$ and $s_i = \pi_i[s_{i-1}] + v_i$ for all $i \in [1, \alpha]$, one can see that
$\bar{s}_\alpha = \pi_\alpha \circ \cdots \circ \pi_1[u + x] + v_\alpha + \sum_{i\in[1,\alpha-1]} \pi_\alpha \circ \cdots \circ \pi_{i+1}[v_i]$. In addition, from
$\bar{t}_N = \pi[u] + v$ and $\bar{t}_{i-1} = \pi_i^{-1}[\bar{t}_i - v_i]$ for all $i \in \{N, \ldots, \alpha+1\}$, one can see that
$\bar{t}_\alpha = \pi_\alpha \circ \cdots \circ \pi_1[u] + v_\alpha + \sum_{i\in[1,\alpha-1]} \pi_\alpha \circ \cdots \circ \pi_{i+1}[v_i]$. As $z_4 = \pi_\alpha \circ \cdots \circ \pi_1[x]$,
one can conclude that $\bar{s}_\alpha = \bar{t}_\alpha + z_4$.

Special Soundness. To prove the special soundness, one needs to build an
efficient knowledge extractor Ext which returns a solution of the SD instance
defined by $(H, y)$ given two valid transcripts $(H, y, \mathrm{com}_1, \mathrm{com}_2, \alpha, \mathrm{rsp})$ and
$(H, y, \mathrm{com}_1, \mathrm{com}_2, \alpha', \mathrm{rsp}')$ with $\alpha \neq \alpha'$, where $\mathrm{com}_1 = \mathrm{Setup}(\theta, \xi)$ for some random
seeds $(\theta, \xi)$. The knowledge extractor Ext computes the solution as:

1. Compute $(\pi_i)_{i\in[1,N]}$ from $z_2$ and $z_2'$
2. Output $\pi_1^{-1} \circ \cdots \circ \pi_\alpha^{-1}[z_4]$

We now show that the output is a solution to the given SD problem. One can
compute $(\bar{\pi}_i, \bar{v}_i)_{i\in[1,N]}$ from $z_2$ and $z_2'$. From the binding property of the commitments
$(\mathrm{com}_{1,i})_{i\in[1,N]}$, one has $(\pi_i, v_i)_{i\in[1,N]} = (\bar{\pi}_i, \bar{v}_i)_{i\in[1,N]}$. From the binding
property of commitment $\mathrm{com}_1$, one has $H(z_1 - u)^{\top} = y$ and $\bar{t}_N = \pi[u] + v$. Using
$\bar{t}_N$ and $(\pi_i, v_i)_{i\in[1,N]}$, one has $\bar{t}_\alpha = \pi_\alpha \circ \cdots \circ \pi_1[u] + v_\alpha + \sum_{i\in[1,\alpha-1]} \pi_\alpha \circ \cdots \circ \pi_{i+1}[v_i]$.
From the binding property of commitment $\mathrm{com}_2$, one has $\bar{s}_0 = \bar{s}_0' = z_1$.
In addition, one has $\bar{s}_i = \bar{\pi}_i[\bar{s}_{i-1}] + \bar{v}_i$ for all $i \in [1, N] \setminus \alpha$ as well as
$\bar{s}_i' = \bar{\pi}_i[\bar{s}_{i-1}'] + \bar{v}_i$ for all $i \in [1, N] \setminus \alpha'$. Using the binding property of commitment
$\mathrm{com}_2$ once again, one can deduce that $\bar{s}_i = \bar{\pi}_i[\bar{s}_{i-1}] + \bar{v}_i$ for all $i \in [1, N]$, hence
$\bar{s}_\alpha = \pi_\alpha \circ \cdots \circ \pi_1[z_1] + v_\alpha + \sum_{i\in[1,\alpha-1]} \pi_\alpha \circ \cdots \circ \pi_{i+1}[v_i]$. From the binding property
of commitment $\mathrm{com}_2$, one has $\bar{s}_\alpha = \bar{t}_\alpha + z_4$, hence $z_1 - u = \pi_1^{-1} \circ \cdots \circ \pi_\alpha^{-1}[z_4]$.
As a consequence, one has $H(\pi_1^{-1} \circ \cdots \circ \pi_\alpha^{-1}[z_4])^{\top} = y$ along with $w_H(z_4) = \omega$,
thus $\pi_1^{-1} \circ \cdots \circ \pi_\alpha^{-1}[z_4]$ is a solution of the considered SD problem instance.
Special Honest-Verifier Zero-Knowledge. We start by explaining why valid
transcripts do not leak anything on the secret x. A valid transcript contains
$(u + x, (\pi_i, v_i)_{i\in[1,N]\setminus\alpha}, \pi[u] + v, \pi_\alpha \circ \cdots \circ \pi_1[x], \mathrm{com}_{1,\alpha})$, namely the secret x is
masked either by a random value u or by a random permutation $\pi_\alpha$. The main
difficulty concerns the permutation $\pi_\alpha$, as the protocol requires $\pi_\alpha \circ \cdots \circ \pi_1[u + x]$
to be computed while both $(u + x)$ and $(\pi_i)_{i\in[1,\alpha-1]}$ are known. To overcome this
issue, the protocol actually computes $\pi_\alpha \circ \cdots \circ \pi_1[u + x] + v_\alpha + \sum_{i\in[1,\alpha-1]} \pi_\alpha \circ \cdots \circ \pi_{i+1}[v_i]$
for some random value $v_\alpha$, hence does not leak anything on $\pi_\alpha$. In
addition, if the commitment used is hiding, $\mathrm{com}_{1,\alpha}$ does not leak anything on
$\pi_\alpha$ nor $v_\alpha$. Formally, one can build a PPT simulator Sim that, given the public
values $(H, y)$, random seeds $(\theta, \xi)$ and a random challenge $\alpha$, outputs a transcript
$(H, y, \mathrm{com}_1, \mathrm{com}_2, \alpha, \mathrm{rsp})$ such that $\mathrm{com}_1 = \mathrm{Setup}(\theta, \xi)$ that is indistinguishable
from the transcript of honest executions of the protocol:

1. Compute $(\pi_i, v_i)_{i\in[1,N]}$ and $u$ from $(\theta, \xi)$
2. Compute $\tilde{x}_1$ such that $H\tilde{x}_1^{\top} = y$ and $\tilde{x}_2 \xleftarrow{\$} S_\omega(\mathbb{F}_2^n)$
3. Compute $\tilde{s}_0 = u + \tilde{x}_1$ and $\tilde{s}_i = \pi_i[\tilde{s}_{i-1}] + v_i$ for all $i \in [1, \alpha-1]$
4. Compute $\tilde{s}_\alpha = \pi_\alpha \circ \cdots \circ \pi_1[u + \tilde{x}_2] + v_\alpha + \sum_{i\in[1,\alpha-1]} \pi_\alpha \circ \cdots \circ \pi_{i+1}[v_i]$
5. Compute $\tilde{s}_i = \pi_i[\tilde{s}_{i-1}] + v_i$ for all $i \in [\alpha+1, N]$
6. Compute $\widetilde{\mathrm{com}}_2 = \mathrm{Hash}(u + \tilde{x}_1 \,\|\, (\tilde{s}_i)_{i\in[1,N]})$
7. Compute $\tilde{z}_1 = u + \tilde{x}_1$, $z_2 = (\theta_i)_{i\in[1,N]\setminus\alpha}$, $z_3 = \xi$, $\tilde{z}_4 = \pi_\alpha \circ \cdots \circ \pi_1[\tilde{x}_2]$
8. Compute $\widetilde{\mathrm{rsp}} = (\tilde{z}_1, z_2, z_3, \tilde{z}_4, \mathrm{com}_{1,\alpha})$ and output $(H, y, \mathrm{com}_1, \widetilde{\mathrm{com}}_2, \alpha, \widetilde{\mathrm{rsp}})$

The transcript generated by the simulator Sim is $(H, y, \mathrm{com}_1, \widetilde{\mathrm{com}}_2, \alpha, \widetilde{\mathrm{rsp}})$ where
$\mathrm{com}_1 \leftarrow \mathrm{Setup}(\theta, \xi)$. Since $\tilde{x}_1$ and $x$ are masked by a random mask $u$ unknown
to the verifier, $\tilde{z}_1$ and $z_1$ are indistinguishable. Similarly, since $\tilde{x}_2$ and $x$ have the
same Hamming weight and are masked by a random permutation $\pi_\alpha$ unknown to
the verifier, $\tilde{z}_4$ and $z_4$ are indistinguishable. As $\tilde{z}_1$ and $z_1$ are indistinguishable, $\tilde{s}_i$
and $s_i$ are also indistinguishable for all $i \in [1, \alpha-1]$. Since $\tilde{s}_\alpha$ and $s_\alpha$ both contain
a random mask $v_\alpha$ unknown to the verifier, they are indistinguishable. As $\tilde{s}_\alpha$ and
$s_\alpha$ are indistinguishable, so are $\tilde{s}_i$ and $s_i$ for all $i \in [\alpha+1, N]$. Finally, $z_2$ and $z_3$
are identical in both cases and $\mathrm{com}_{1,\alpha}$ does not leak anything if the commitment
is hiding. As a consequence, $(\widetilde{\mathrm{rsp}}, \widetilde{\mathrm{com}}_2)$ in the simulation and $(\mathrm{rsp}, \mathrm{com}_2)$ in the
real execution are indistinguishable. Finally, Sim runs in polynomial time, which
completes the proof.

B Proof of Theorem 2

Theorem 2. If the hash function used is collision-resistant and if the commitment
scheme used is binding and hiding, then the protocol depicted in Fig. 3 is an
honest-verifier zero-knowledge PoK for the IPKP problem with soundness error
equal to $\frac{1}{N} + \frac{N-1}{N\cdot(q-1)}$.

Proof. We prove the correctness, special soundness and special honest-verifier
zero-knowledge properties below.

Correctness. The correctness follows from the protocol description once it is
observed that $s_N = \pi[\kappa \cdot x] + v$, which implies that $Hs_N - \kappa \cdot y = H\pi[\kappa \cdot x] + Hv - \kappa \cdot y = Hv$.
$(q-1, N)$-Special Soundness. To prove the $(q-1, N)$-special soundness, one
needs to build an efficient knowledge extractor Ext which returns a solution of
the IPKP instance defined by $(H, x, y)$ with high probability given a $(q-1, N)$-tree
of accepting transcripts. One only needs a subset of the tree to complete the
proof, namely the four leaves corresponding to challenges $(\kappa, \alpha_1)$, $(\kappa, \alpha_2)$, $(\kappa', \alpha_1)$
and $(\kappa', \alpha_2)$ where $\kappa \neq \kappa'$ and $\alpha_1 \neq \alpha_2$. The knowledge extractor Ext computes
the solution as:

1. Compute $(\bar{\pi}_i)_{i\in[1,N]}$ from $z_2^{(\kappa,\alpha_1)}$ and $z_2^{(\kappa,\alpha_2)}$
2. Compute $\bar{\pi} = \bar{\pi}_N \circ \cdots \circ \bar{\pi}_1$
3. Output $\bar{\pi}$

One can compute $(\bar{\pi}_i^{(\kappa)}, \bar{v}_i^{(\kappa)})_{i\in[1,N]}$ and $(\bar{\pi}_i^{(\kappa')}, \bar{v}_i^{(\kappa')})_{i\in[1,N]}$ from $(z_2^{(\kappa,\alpha_i)})_{i\in[1,2]}$
and $(z_2^{(\kappa',\alpha_i)})_{i\in[1,2]}$ respectively. From the binding property of the commitments
$(\mathrm{com}_{1,i})_{i\in[1,N]}$, one has $(\bar{\pi}_i, \bar{v}_i)_{i\in[1,N]} = (\bar{\pi}_i^{(\kappa)}, \bar{v}_i^{(\kappa)})_{i\in[1,N]} = (\bar{\pi}_i^{(\kappa')}, \bar{v}_i^{(\kappa')})_{i\in[1,N]}$.
By construction, one has $\bar{s}_0^{(\kappa,\alpha_1)} = \bar{s}_0^{(\kappa,\alpha_2)} = \kappa \cdot x$. In addition, one has
$\bar{s}_i^{(\kappa,\alpha_1)} = \bar{\pi}_i[\bar{s}_{i-1}^{(\kappa,\alpha_1)}] + \bar{v}_i$ for all $i \in [1, N] \setminus \alpha_1$ as well as $\bar{s}_i^{(\kappa,\alpha_2)} = \bar{\pi}_i[\bar{s}_{i-1}^{(\kappa,\alpha_2)}] + \bar{v}_i$ for all
$i \in [1, N] \setminus \alpha_2$. From the binding property of commitment $\mathrm{com}_2$, one can deduce
that $\bar{s}_i^{(\kappa)} = \bar{\pi}_i[\bar{s}_{i-1}^{(\kappa)}] + \bar{v}_i$ for all $i \in [1, N]$, hence $\bar{s}_N^{(\kappa)} = \bar{\pi}[\kappa \cdot x] + \bar{v}$. Following a
similar argument, one also has $\bar{s}_N^{(\kappa')} = \bar{\pi}[\kappa' \cdot x] + \bar{v}$. From the binding property
of commitment $\mathrm{com}_1$, one has $H\bar{s}_N^{(\kappa)} - \kappa \cdot y = H\bar{s}_N^{(\kappa')} - \kappa' \cdot y$. It follows that
$H(\bar{\pi}[\kappa \cdot x] + \bar{v}) - \kappa \cdot y = H(\bar{\pi}[\kappa' \cdot x] + \bar{v}) - \kappa' \cdot y$, hence $(\kappa - \kappa') \cdot H\bar{\pi}[x] = (\kappa - \kappa') \cdot y$.
This implies that $H\bar{\pi}[x] = y$, thus $\bar{\pi}$ is a solution of the considered IPKP problem.
Special Honest-Verifier Zero-Knowledge. We start by explaining why valid
transcripts do not leak anything on the secret π. A valid transcript contains
$(s_\alpha, (\pi_i, v_i)_{i\in[1,N]\setminus\alpha}, \mathrm{com}_{1,\alpha})$ where the secret π is hidden by the unknown permutation
$\pi_\alpha$. In our protocol, one needs to compute $\pi[x]$ without leaking anything
on the secret π. To overcome this issue, the protocol actually computes $\pi[x] + v$
for some value v that is masked by the unknown random value $v_\alpha$. In addition, if
the commitment used is hiding, $\mathrm{com}_{1,\alpha}$ does not leak anything on $\pi_\alpha$ nor $v_\alpha$. Formally,
one can build a PPT simulator Sim that, given the public values $(H, x, y)$ and
random challenges $(\kappa, \alpha)$, outputs a transcript $(H, x, y, \mathrm{com}_1, \kappa, \mathrm{com}_2, \alpha, \mathrm{rsp})$ that
is indistinguishable from the transcript of honest executions of the protocol:

1. Compute $(\pi_i, v_i, \widetilde{\mathrm{com}}_{1,i})$ as in the real protocol except for $\tilde{\pi}_1 \xleftarrow{\$} S_n$
2. Compute $\tilde{\pi} = \pi_N \circ \cdots \circ \tilde{\pi}_1$
3. Compute $v$ and $\widetilde{\mathrm{com}}_1$ as in the real protocol
4. Compute $\tilde{x}$ such that $H\tilde{x} = \kappa \cdot y$
5. Compute $\tilde{s}_0 = \kappa \cdot x$ and $\tilde{s}_i = \pi_i[\tilde{s}_{i-1}] + v_i$ for all $i \in [1, \alpha-1]$
6. Compute $\tilde{s}_\alpha = \pi_\alpha[\tilde{s}_{\alpha-1}] + v_\alpha + \pi_{\alpha+1}^{-1} \circ \cdots \circ \pi_N^{-1}[\tilde{x} - \tilde{\pi}[\kappa \cdot x]]$
7. Compute $\tilde{s}_i = \pi_i[\tilde{s}_{i-1}] + v_i$ for all $i \in [\alpha+1, N]$
8. Compute $\widetilde{\mathrm{com}}_2 = \mathrm{Hash}((\tilde{s}_i)_{i\in[1,N]})$ and $\tilde{z}_1 = \tilde{s}_\alpha$
9. Compute $\tilde{z}_2 = \tilde{\pi}_1 \,\|\, (\theta_i)_{i\in[1,N]\setminus\alpha}$ if $\alpha \neq 1$ or $\tilde{z}_2 = (\theta_i)_{i\in[1,N]\setminus\alpha}$ otherwise
10. Compute $\widetilde{\mathrm{rsp}} = (\tilde{z}_1, \tilde{z}_2, \widetilde{\mathrm{com}}_{1,\alpha})$ and output $(H, x, y, \widetilde{\mathrm{com}}_1, \kappa, \widetilde{\mathrm{com}}_2, \alpha, \widetilde{\mathrm{rsp}})$

The transcript generated by the simulator Sim is $(H, x, y, \widetilde{\mathrm{com}}_1, \kappa, \widetilde{\mathrm{com}}_2, \alpha, \widetilde{\mathrm{rsp}})$.
Since $\tilde{s}_\alpha$ (in the simulation) and $s_\alpha$ (in the real world) are masked by a random
mask $v_\alpha$ unknown to the verifier, $\tilde{z}_1$ and $z_1$ are indistinguishable. In addition,
since $\tilde{\pi}_1$ is sampled uniformly at random in $S_n$, $\tilde{z}_2$ and $z_2$ are indistinguishable.
Finally, $\widetilde{\mathrm{com}}_{1,\alpha}$ does not leak anything on $\pi_\alpha$ nor $v_\alpha$ if the commitment is hiding.
As a consequence, $(\widetilde{\mathrm{com}}_1, \widetilde{\mathrm{com}}_2, \widetilde{\mathrm{rsp}})$ (in the simulation) and $(\mathrm{com}_1, \mathrm{com}_2, \mathrm{rsp})$ (in
the real execution) are indistinguishable. Finally, Sim runs in polynomial time,
which completes the proof.

C Proof of Theorem 3
Similarly to what was done in [AGS11], we introduce the intermediary DiffSD
problem (Definition 23) in order to prove the security of the protocol depicted in
Fig. 4. Its security (Theorem 3) relies on the DiffSD problem and is completed by
a reduction from the QCSD problem to the DiffSD problem (Theorem 5). In our
context, we consider QCSD instances with up to M vectors (decoding one out of
many setting), which means that the adversary has access to Mk syndromes (M
given syndromes combined with k possible shifts). In practice, one has to choose
the QCSD parameters so that the PoK remains secure even taking into account
both the number of given syndromes and the (small) security loss induced
by the use of the DiffSD problem.

Definition 23 (DiffSD problem). Let $(n = 2k, k, w, M, \Delta)$ be positive integers,
$H \in \mathrm{QC}(\mathbb{F}_2^{(n-k)\times n})$ be a random parity-check matrix of a quasi-cyclic
code of index 2, $(x_i)_{i\in[1,M]} \in (\mathbb{F}_2^n)^M$ be vectors such that $w_H(x_i) = w$ and
$(y_i)_{i\in[1,M]} \in (\mathbb{F}_2^{(n-k)})^M$ be vectors such that $Hx_i^{\top} = y_i$. Given $(H, (y_i)_{i\in[1,M]})$,
the Differential Syndrome Decoding problem $\mathrm{DiffSD}(n, k, w, M, \Delta)$ asks to find
$(c, (d_j, \kappa_j, \mu_j)_{j\in[1,\Delta]}) \in \mathbb{F}_2^{(n-k)} \times (\mathbb{F}_2^n \times [1, k] \times [1, M])^{\Delta}$ such that $Hd_j^{\top} + c = \mathrm{rot}_{\kappa_j}(y_{\mu_j})$
and $w_H(d_j) = w$ for each $j \in [1, \Delta]$.

Theorem 5. If there exists a PPT algorithm solving the $\mathrm{DiffSD}(n, k, w, M, \Delta)$
problem with probability $\epsilon_{\mathrm{DiffSD}}$, then there exists a PPT algorithm solving the
$\mathrm{QCSD}(n, k, w, M)$ problem with probability $\epsilon_{\mathrm{QCSD}} \ge (1 - M \times p - (2^{(n-k)} - 2) \times p^{\Delta}) \cdot \epsilon_{\mathrm{DiffSD}}$
where $p = \binom{n}{w} / 2^{(n-k)}$.

Sketch of Proof. We start by highlighting the main steps of the proof. One should
note that the DiffSD problem is constructed from a QCSD instance and as such
always admits at least one solution, namely the solution of the underlying QCSD
instance. Indeed, any solution to the DiffSD problem satisfying $c = (0, \cdots, 0)$
can be transformed into a solution to the QCSD problem with similar inputs.
Hereafter, we study the probability that there exist solutions to the DiffSD
problem for any possible value of c. To do so, we consider two cases depending
on whether c is stable by rotation or not. The first case implies that either
$c = (0, \cdots, 0)$ or $c = (1, \cdots, 1)$, while the second case encompasses every other
possible value for c. We show that for correctly chosen values n, k, w and Δ,
Stengel appeared in his Sunday wig and his tallest choker, bristling
with lead-pencils like lance-heads, and they sat on the sofa in the
landscape-room, while Christian hid in the dining-room and listened.
The excellent man set out his views, with eloquence if some
embarrassment: spoke of the difference between “line” and “dash,”
told the tale of “The Forest Green” and the scuttle of coals, and
made use in every other sentence of the phrase “in consequence.” It
probably seemed to him a circumlocution suitable to the elegant
surroundings in which he found himself. After a while the Consul
came and drove Christian away. He expressed to Herr Stengel his
lively regret that a son of his should give cause for dissatisfaction.
“Oh, Herr Consul, God forbid! Buddenbrook minor has a wide-awake
mind, he is a lively chap, and in consequence— Just a little too lively,
if I might say so; and in consequence—” The Consul politely went
with him through the hall to the entry, and Herr Stengel took his
leave.... Ah, no, this was far from being the worst!
The worst, when it became known, was as follows: Young Christian
Buddenbrook had leave one evening to go to the theatre in company
with a friend. The performance was Schiller’s Wilhelm Tell; and the
rôle of Tell’s son Walter was played by a young lady, a certain
Mademoiselle Meyer-de-la-Grange. Christian’s worst, then, had to
do with this young person. She wore when on the stage, whether it
suited her part or not, a diamond brooch, which was notoriously
genuine; for, as everybody knew, it was the gift of young Consul
Döhlmann—Peter Döhlmann, son of the deceased wholesale dealer
in Wall Street outside Holsten Gate. Consul Peter, like Justus Kröger,
belonged to the group of young men whom the town called “fast.” His
way of life, that is to say, was rather loose! He had married, and had
one child, a little daughter; but he had long ago quarrelled with his
wife, and he led the life of a bachelor. His father had left him a
considerable inheritance, and he carried on the business, after a
fashion; but people said he was already living on his capital. He lived
mostly at the Club or the Rathskeller, was often to be met
somewhere in the street at four o’clock in the morning; and made
frequent business trips to Hamburg. Above all, he was a zealous
patron of the drama, and took a strong personal interest in the cast.
Mademoiselle Meyer-de-la-Grange was the latest of a line of young
ladies whom he had, in the past, distinguished by a gift of diamonds.
Well, to arrive at the point, this young lady looked so charming as
Walter Tell, wore her brooch and spoke her lines with such effect,
that Christian felt his heart swell with enthusiasm, and tears rose to
his eyes. He was moved by his transports to a course that only the
very violence of emotion could pursue. He ran during the entr’acte to
a flower-shop opposite, where, for the sum of one mark eight and a
half shillings, he got at a bargain a bunch of flowers; and then this
fourteen-year-old sprat, with his big nose and his deep-lying eyes,
took his way to the green-room, since nobody stopped him, and
came upon Fräulein Meyer-de-la-Grange, talking with Consul Peter
Döhlmann at her dressing-room door. Peter Döhlmann nearly fell
over with laughing when he saw Christian with the bouquet. But the
new wooer, with a solemn face, bowed in his best manner before
Walter Tell, handed her the bouquet, and, nodding his head, said in a
voice of well-nigh tearful conviction: “Ah, Fräulein, how beautifully
you act!”
“Well, hang me if it ain’t Krishan Buddenbrook!” Consul Döhlmann
cried out, in his broadest accent. Fräulein Meyer-de-la-Grange lifted
her pretty brows and asked: “The son of Consul Buddenbrook?” And
she stroked the cheek of her young admirer with all the favour in the
world.
Such was the story that Consul Peter Döhlmann told at the Club that
night; it flew about the town like lightning, and reached the ears of
the head master, who asked for an audience with Consul
Buddenbrook. And how did the Father take this affair? He was, in
truth, less angry than overwhelmed. He sat almost like a broken
man, after telling the Frau Consul the story in the landscape-room.
“And this is our son,” he said. “So is he growing up—”
“But Jean! Good heavens, your Father would have laughed at it. Tell
it to my Father and Mother on Thursday—you will see how Papa will
enjoy it—”
But here the Consul rose up in anger. “Ah, yes, yes! I am sure he will
enjoy it, Betsy. He will be glad to know that his light blood and
impious desires live on, not only in a rake like Justus, his own son,
but also in a grandson of his as well! Good God, you drive me to say
these things!— He goes to this—person; he spends his pocket-
money on flowers for this—lorette! I don’t say he knows what he is
doing—yet. But the inclination shows itself—it shows itself, Betsy!”
Ah, yes, this was all very painful indeed. The Consul was perhaps
the more beside himself for the added reason that Tony’s behaviour,
too, had not been of the best. She had given up, it is true, shouting
at the nervous stranger to make him dance; and she no longer rang
the doorbell of the tiny old woman who sold worsted dolls. But she
threw back her head more pertly than ever, and showed, especially
after the summer visits with her grandparents, a very strong
tendency to vanity and arrogance of spirit.
One day the Consul surprised her and Mamsell Jungmann reading
together. The book was Clauren’s “Mimili”; the Consul turned over
some of the leaves, and then silently closed it—and it was opened
no more. Soon afterward it came to light that Tony—Antonie
Buddenbrook, no less a person—had been seen walking outside the
City wall with a young student, a friend of her brother. Frau Stuht,
she who moved in the best circles, had seen the pair, and had
remarked at the Möllendorpfs’, whither she had gone to buy some
cast-off clothing, that really Mademoiselle Buddenbrook was getting
to the age where— And Frau Senator Möllendorpf had lightly
repeated the story to the Consul. The pleasant strolls came to an
end. Later it came out that Fräulein Antonie had made a post-office
of the old hollow tree that stood near the Castle Gate, and not only
posted therein letters addressed to the same student, but received
letters from him as well by that means. When these facts came to
light, they seemed to indicate the need of a more watchful oversight
over the young lady, now fifteen years old; and she was accordingly,
as we have already said, sent to boarding-school at Fräulein
Weichbrodt’s, Number seven, Millbank.
CHAPTER VII
Therese Weichbrodt was humpbacked. So humpbacked that she
was not much higher than a table. She was forty-one years old. But
as she had never put her faith in outward seeming, she dressed like
an old lady of sixty or seventy. Upon her padded grey locks rested a
cap the green ribbons of which fell down over shoulders narrow as a
child’s. Nothing like an ornament ever graced her shabby black frock
—only the large oval brooch with her mother’s miniature in it.
Little Miss Weichbrodt had shrewd, sharp brown eyes, a slightly
hooked nose, and thin lips which she could compress with
extraordinary firmness. In her whole insignificant figure, in her every
movement, there indwelt a force which was, to be sure, somewhat
comic, yet exacted respect. And her mode of speech helped to
heighten the effect. She spoke with brisk, jerky motions of the lower
jaw and quick, emphatic nods. She used no dialect, but enunciated
clearly and with precision, stressing the consonants. Vowel-sounds,
however, she exaggerated so much that she said, for instance,
“botter” instead of “butter”—or even “batter!” Her little dog that was
forever yelping she called Babby instead of Bobby. She would say to
a pupil: “Don-n’t be so stu-upid, child,” and give two quick knocks on
the table with her knuckle. It was very impressive—no doubt
whatever about that! And when Mlle. Popinet, the Frenchwoman,
took too much sugar to her coffee, Miss Weichbrodt had a way of
gazing at the ceiling and drumming on the cloth with one hand while
she said: “Why not take the who-ole sugar-basin? I would!” It always
made Mlle. Popinet redden furiously.
As a child—heavens, what a tiny child she must have been!—
Therese Weichbrodt had given herself the nickname of Sesemi, and
she still kept it, even letting the best and most favoured of the day as
well as of the boarding-pupils use it. “Call me Sesemi, child,” she
said on the first day to Tony Buddenbrook, kissing her briefly, with a
sound as of a small explosion, on the forehead. “I like it.” Her elder
sister, however, Madame Kethelsen, was called Nelly.
Madame Kethelsen was about forty-eight years old. She had been
left penniless when her husband died, and now lived in a little
upstairs bedroom in her sister’s house. She dressed like Sesemi, but
by contrast was very tall. She wore woollen wristlets on her thin
wrists. She was not a mistress, and knew nothing of discipline. A sort
of inoffensive and placid cheerfulness was all her being. When one
of the pupils played a prank, she would laugh so heartily that she
nearly cried, and then Sesemi would rap on the table and call out
“Nelly!” very sharply—it sounded like “Nally”—and Madame
Kethelsen would shrink into herself and be mute.
Madame Kethelsen obeyed her younger sister, who scolded her as if
she were a child. Sesemi, in fact, despised her warmly. Therese
Weichbrodt was a well-read, almost a literary woman. She struggled
endlessly to keep her childhood faith, her religious assurance that
somewhere in the beyond she was to be recompensed for the hard,
dull present. But Madame Kethelsen, innocent, uninstructed, was all
simplicity of nature. “Dear, good Nelly, what a child she is! She never
doubts or struggles, she is always happy.” In such remarks there
was always as much contempt as envy. Contempt was a weakness
of Sesemi’s—perhaps a pardonable one.
The small red-brick suburban house was surrounded by a neatly
kept garden. Its lofty ground floor was entirely taken up by
schoolrooms and dining-room; the bedrooms were in the upper
storey and the attic. Miss Weichbrodt did not have a large number of
pupils. As boarders she received only older girls, while the day-
school consisted of but three classes, the lowest ones. Sesemi took
care to have only the daughters of irreproachably refined families in
her house. Tony Buddenbrook, as we have seen, she welcomed
most tenderly. She even made “bishop” for supper—a sort of sweet
red punch to be taken cold, in the making of which she was a past
mistress. “A little more beeshop,” she urged with a hearty nod. It
sounded so tempting; nobody could resist!
Fräulein Weichbrodt sat on two sofa-cushions at the top of the table
and presided over the meal with tact and discretion. She held her
stunted figure stiffly erect, tapped vigilantly on the table, cried “Nally”
or “Babby,” and subdued Mlle. Popinet with a glance whenever the
latter seemed about to take unto herself all the cold veal jelly. Tony
had been allotted a place between two other boarders, Armgard von
Schilling, the strapping blond daughter of a Mecklenburg landowner,
and Gerda Arnoldsen, whose home was in Amsterdam—an unusual,
elegant figure, with dark-red hair, brown eyes close together, and a
lovely, pale, haughty face. Opposite her sat a chattering French girl
who looked like a negress, with huge gold earrings. The lean English
Miss Brown, with her sourish smile, sat at the bottom of the table.
She was a boarder too.
It was not hard, with the help of Sesemi’s bishop, to get acquainted.
Mlle. Popinet had had nightmares again last night—ah, quel horreur!
She usually screamed “Help, thieves; help, thieves!” until everybody
jumped out of bed. Next, it appeared that Gerda Arnoldsen did not
take piano like the rest of them, but the violin, and that Papa—her
Mother was dead—had promised her a real Stradivarius. Tony was
not musical—hardly any of the Buddenbrooks and none of the
Krögers were. She could not even recognize the chorals they played
at St. Mary’s.—Oh, the organ in the new Church at Amsterdam had
a vox humana—a human voice—that was just wonderful. Armgard
von Schilling talked about the cows at home.
It was Armgard who from the earliest moment had made a great
impression on Tony. She was the first person from a noble family
whom Tony had ever known. What luck, to be called von Schilling!
Her own parents had the most beautiful old house in the town, and
her grandparents belonged to the best families; still, they were called
plain Buddenbrook and Kröger—which was a pity, to be sure. The
granddaughter of the proud Lebrecht Kröger glowed with reverence
for Armgard’s noble birth. Privately, she sometimes thought that the
splendid “von” went with her better than it did with Armgard; for
Armgard did not appreciate her good luck, dear, no! She had a thick
pigtail, good-natured blue eyes, and a broad Mecklenburg accent,
and went about thinking just nothing at all on the subject. She made
absolutely no pretentions to being aristocratic; in fact, she did not
know what it was. But the word “aristocratic” stuck in Tony’s small
head; and she emphatically applied it to Gerda Arnoldsen.
Gerda was rather exclusive, and had something foreign and queer
about her. She liked to do up her splendid red hair in striking ways,
despite Sesemi’s protests. Some of the girls thought it was “silly” of
her to play the violin instead of the piano—and, be it known, “silly”
was a term of very severe condemnation. Still, the girls mostly
agreed with Tony that Gerda was aristocratic—in her figure, well-
developed for her years; in her ways, her small possessions,
everything. There was the ivory toilet set from Paris, for instance;
that Tony could appreciate, for her own parents and grandparents
also had treasures which had been brought from Paris.
The three girls soon made friends. They were in the same class and
slept together in the same large room at the top of the house. What
delightful, cosy times they had going to bed! They gossiped while
they undressed—in undertones, however, for it was ten o’clock and
next door Mlle. Popinet had gone to bed to dream of burglars. Eva
Ewers slept with her. Eva was a little Hamburger, whose father, an
amateur painter and collector, had settled in Munich.
The striped brown blinds were down, the low, red-shaded lamp
burned on the table, there was a faint smell of violets and fresh
wash, and a delicious atmosphere of laziness and dreams.
“Heavens,” said Armgard, half undressed, sitting on her bed, “how
Dr. Newmann can talk! He comes into the class and stands by the
table and tells about Racine—”
“He has a lovely high forehead,” remarked Gerda, standing before
the mirror between the windows and combing her hair by the light of
two candles.
“Oh, yes, hasn’t he?” Armgard said eagerly.
“And you are taking the course just on his account, Armgard; you
gaze at him all the time with your blue eyes, as if—”
“Are you in love with him?” asked Tony. “I can’t undo my shoe-lace;
please, Gerda. Thanks. Why don’t you marry him? He is a good
match—he will get to be a High School Professor.”
“I think you are both horrid. I’m not in love with him, and I would not
marry a teacher, anyhow. I shall marry a country gentleman.”
“A nobleman?” Tony dropped her stocking and looked thoughtfully
into Armgard’s face.
“I don’t know, yet. But he must have a large estate. Oh, girls, I just
love that sort of thing! I shall get up at five o’clock every morning,
and attend to everything....” She pulled up the bed-covers and stared
dreamily at the ceiling.
“Five hundred cows are before your mind’s eye,” said Gerda, looking
at her in the mirror.
Tony was not ready yet; but she let her head fall on the pillow, tucked
her hands behind her neck, and gazed dreamily at the ceiling in her
turn.
“Of course,” she said, “I shall marry a business man. He must have a
lot of money, so we can furnish elegantly. I owe that to my family and
the firm,” she added earnestly. “Yes, you’ll see, that’s what I shall
do.”
Gerda had finished her hair for the night and was brushing her big
white teeth, using the ivory-backed hand-mirror to see them better.
“I shall probably not marry at all,” she said, speaking with some
difficulty on account of the tooth-powder. “I don’t see why I should. I
am not anxious. I’ll go back to Amsterdam and play duets with
Daddy and afterwards live with my married sister.”
“What a pity,” Tony said briskly. “What a pity! You ought to marry
here and stay here for always. Listen: you could marry one of my
brothers—”
“The one with the big nose?” asked Gerda, and gave a dainty little
yawn, holding the hand-mirror before her face.
“Or the other; it doesn’t matter. You could furnish beautifully. Jacobs
could do it—the upholsterer in Fish Street. He has lovely taste. I’d
come to see you every day—”
But then there came the voice of Mlle. Popinet. It said: “Oh,
mademoiselles! Please go to bed. It is too late to get married any
more this evening!”
Sundays and holidays Tony spent in Meng Street or outside the town
with her grandparents. How lovely, when it was fine on Easter
Sunday, hunting for eggs and marzipan hares in the enormous
Kröger garden! Then there were the summer holidays at the
seashore; they lived in the Kurhouse, ate at the table-d’hôte, bathed,
and went donkey-riding. Some seasons when the Consul had
business, there were long journeys. But Christmases were best of
all. There were three present-givings: at home, at the grandparents’,
and at Sesemi’s, where bishop flowed in streams. The one at home
was the grandest, for the Consul believed in keeping the holy feast
with pomp and ceremony. They gathered in the landscape-room with
due solemnity. The servants and the crowd of poor people thronged
into the pillared hall, where the Consul went about shaking their
purple hands. Then outside rose the voices of the choir-boys from
St. Mary’s in a quartette, and one’s heart beat loudly with awe and
expectation. The smell of the Christmas tree was already coming
through the crack in the great white folding doors; and the Frau
Consul took the old family Bible with the funny big letters, and slowly
read aloud the Christmas chapter; and after the choir-boys had sung
another carol, everybody joined in “O Tannenbaum” and went in
solemn procession through the hall into the great salon, hung with
tapestries that had statuary woven into them. There the tree rose to
the ceiling, decorated with white lilies, twinkling and sparkling and
pouring out light and fragrance; and the table with the presents on it
stretched from the windows to the door. Outside, the Italians with the
barrel-organ were making music in the frozen, snowy streets, and a
great hubbub came over from the Christmas market in Market
Square. All the children except little Clara stopped up to late supper
in the salon, and there were mountains of carp and stuffed turkey.
In these years Tony Buddenbrook visited two Mecklenburg estates.
She stopped for two weeks one summer with her friend Armgard, on
Herr von Schilling’s property, which lay on the coast across the bay
from Travemünde. And another time she went with Cousin Tilda to a
place where Bernard Buddenbrook was inspector. This estate was
called “Thankless,” because it did not bring in a penny’s income; but
for a summer holiday it was not to be despised.
Thus the years went on. It was, take it all in all, a happy youth for
Tony.
PART THREE
CHAPTER I
On a June afternoon, not long after five o’clock, the family were
sitting before the “portal” in the garden, where they had drunk coffee.
They had pulled the rustic furniture outside, for it was too close in the
whitewashed garden house, with its tall mirror decorated with
painted birds and its varnished folding doors, which were really not
folding doors at all and had only painted latches.
The Consul, his wife, Tony, Tom, and Clothilde sat in a half-circle
around the table, which was laid with its usual shining service.
Christian, sitting a little to one side, conned the second oration of
Cicero against Catiline. He looked unhappy. The Consul smoked his
cigar and read the Advertiser. His wife had let her embroidery fall
into her lap and sat smiling at little Clara; the child, with Ida
Jungmann, was looking for violets in the grass-plot. Tony, her head
propped on both hands, was deep in Hoffman’s “Serapion Brethren,”
while Tom tickled her in the back of the neck with a grass-blade, an
attention which she very wisely ignored. And Clothilde, looking thin
and old-maidish in her flowered cotton frock, was reading a story
called “Blind, Deaf, Dumb, and Still Happy.” As she read, she
scraped up the biscuit-crumbs carefully with all five fingers from the
cloth and ate them.
A few white clouds stood motionless in the slowly paling sky. The
small town garden, with its carefully laid-out paths and beds, looked
gay and tidy in the afternoon sun. The scent of the mignonette
borders floated up now and then.
“Well, Tom,” said the Consul expansively, and took the cigar out of
his mouth, “we are arranging that rye sale I told you about, with van
Henkdom and Company.”
“What is he giving?” Tom asked with interest, ceasing to tickle Tony.
“Sixty thaler for a thousand kilo—not bad, eh?”
“That’s very good.” Tom knew this was excellent business.
“Tony, your position is not comme il faut,” remarked the Frau Consul.
Whereat Tony, without raising her eyes from her book, took one
elbow off the table.
“Never mind,” Tony said. “She can sit how she likes, she will always
be Tony Buddenbrook. Tilda and she are certainly the beauties of the
family.”
Clothilde was astonished almost to death. “Good gracious, Tom,” she
said. It was inconceivable how she could drawl out the syllables.
Tony bore the jeer in silence. It was never any use, Tom was more
than a match for her. He could always get the last word and have the
laugh on his side. Her nostrils dilated a little, and she shrugged her
shoulders. But when the Consul’s wife began to talk of the coming
dance at the house of Consul Huneus, and let fall something about
new patent leather shoes, Tony took the other elbow off the table
and displayed a lively interest.
“You keep talking and talking,” complained Christian fretfully, “and
I’m having such a hard time. I wish I were a business man.”
“Yes, you’re always wanting something different,” said Tom. Anton
came across the garden with a card on his tray. They all looked at
him expectantly.
“Grünlich, Agent,” read the Consul. “He is from Hamburg—an
agreeable man, and well recommended, the son of a clergyman. I
have business dealings with him. There is a piece of business now.
—Is it all right, Betsy, if I ask him to come out here?”
A middle-sized man, his head thrust a little forward of his body,
carrying his hat and stick in one hand, came across the garden. He
was some two-and-thirty years old; he wore a fuzzy greenish-yellow
suit with a long-skirted coat, and grey worsted gloves. His face,
beneath the sparse light hair, was rosy and smiling; but there was an
undeniable wart on one side of his nose. His chin and upper lip were
smooth-shaven; he wore long, drooping side-whiskers, in the English
fashion, and these adornments were conspicuously golden-yellow in
colour. Even at a distance, he began making obsequious gestures
with his broad-brimmed grey hat, and as he drew near he took one
last very long step, and arrived describing a half-circle with the upper
part of his body, by this means bowing to them all at once.
“I am afraid I am disturbing the family circle,” he said in a soft voice,
with the utmost delicacy of manner. “You are conversing, you are
indulging in literary pursuits—I must really beg your pardon for my
intrusion.”
“By no means, my dear Herr Grünlich,” said the Consul. He and his
sons got up and shook hands with the stranger. “You are very
welcome. I am delighted to see you outside the office and in my
family circle. Herr Grünlich, Betsy—a friend of mine and a keen man
of business. This is my daughter Antonie, and my niece Clothilde.
Thomas you know already, and this is my second son, Christian, in
High School.” Herr Grünlich responded to each name with an
inclination of the body.
“I must repeat,” he said, “that I have no desire to intrude. I came on
business. If the Herr Consul would be so good as to take a walk with
me round the gardens—” The Consul’s wife answered: “It will give us
pleasure to have you sit down with us for a little before you begin to
talk business with my husband. Do sit down.”
“A thousand thanks,” said Herr Grünlich, apparently quite flattered.
He sat down on the edge of the chair which Tom brought, laid his hat
and stick on his knees, and settled himself, running his hand over his
long beard with a little hemming and hawing, as if to say, “Well, now
we’ve got past the introduction—what next?”
The Frau Consul began the conversation. “You live in Hamburg?”
she asked, inclining her head and letting her work fall into her lap.
“Yes, Frau Consul,” responded Herr Grünlich with a fresh bow. “At
least, my house is in Hamburg, but I am on the road a good deal. My
business is very flourishing—ahem—if I may be permitted to say so.”
The Frau Consul lifted her eyebrows and made respectful motions
with her mouth, as if she were saying “Ah—indeed?”
“Ceaseless activity is a condition of my being,” added he, half turning
to the Consul. He coughed again as he noticed that Fräulein
Antonie’s glance rested upon him. She gave him, in fact, the cold,
calculating stare with which a maiden measures a strange young
man—a stare which seems always on the point of passing over into
actual contempt.
“We have relatives in Hamburg,” said she, in order to be saying
something.
“The Duchamps,” explained the Consul. “The family of my late
Mother.”
“Oh, yes,” Herr Grünlich hastened to say. “I have the honour of a
slight acquaintance with the family. They are very fine people, in
mind and heart. Ahem! This would be a better world if there were
more families like them in it. They have religion, benevolence, and
genuine piety; in short, they are my ideal of the true Christlike spirit.
And in them it is united to a rare degree with a brilliant
cosmopolitanism, an elegance, an aristocratic bearing, which I find
most attractive, Frau Consul.”
Tony thought: “How can he know my Father and Mother so well? He
is saying exactly what they like best to hear.” The Consul responded
approvingly, “The combination is one that is becoming in everybody.”
And the Frau Consul could not resist stretching out her hand to their
guest with her sweeping gesture, palm upward, while the bracelets
gave a little jingle. “You speak as though you read my inmost
thoughts, dear Herr Grünlich,” she said.
Upon which, Herr Grünlich made another deep bow, settled himself
again, stroked his beard, and coughed as if to say: “Well, let us get
on.”
The Frau Consul mentioned the disastrous fire which had swept
Hamburg in May of the year 1842. “Yes, indeed,” said Herr Grünlich,
“truly a fearful misfortune. A distressing visitation. The loss
amounted to one hundred and thirty-five millions, at a rough
estimate. I am grateful to Providence that I came off without any loss
whatever. The fire raged chiefly in the parishes of St. Peter and St.
Nicholas.—What a charming garden!” he interrupted himself, taking
the cigar which the Consul offered. “It is so large for a town garden,
and the beds of colour are magnificent. I confess my weakness for
flowers, and for nature in general. Those climbing roses over there
trim up the garden uncommonly well.” He went on, praising the
refinement of the location, praising the town itself, praising the
Consul’s cigar. He had a pleasant word for each member of the
circle.
“May I venture to inquire what you are reading, Fräulein Antonie?” he
said smiling.
Tony drew her brows together sharply at this, for some reason, and
answered without looking at him, “Hoffmann’s ‘Serapion Brethren.’”
“Really! He is a wonderful writer, is he not? Ah, pardon me—I forget
the name of your younger son, Frau Consul?”
“Christian.”
“A beautiful name. If I may so express myself”—here he turned again
to the Consul—“I like best the names which show that the bearer is a
Christian. The name of Johann, I know, is hereditary in your family—
a name which always recalls the beloved disciple. My own name—if
I may be permitted to mention it,” he continued, waxing eloquent, “is
that of most of my forefathers—Bendix. It can only be regarded as a
shortened form of Benedict. And you, Herr Buddenbrook, are
reading—? ah, Cicero. The works of this great Roman orator make
pretty difficult reading, eh? ‘Quousque tandem—Catalina’ ... ahem.
Oh, I have not forgotten quite all my Latin.”
“I disagree with my late Father on this point,” the Consul said. “I have
always objected to the perpetual occupation of young heads with
Greek and Latin. When there are so many other important subjects,
necessary as a preparation for the practical affairs of life—”
“You take the words out of my mouth,” Herr Grünlich hastened to
say. “It is hard reading, and not by any means always
unexceptionable—I forgot to mention that point. Everything else
aside, I can recall passages that were positively offensive—”
There came a pause, and Tony thought “Now it’s my turn.” Herr
Grünlich had turned his gaze upon her. And, sure enough: he
suddenly started in his chair, made a spasmodic but always highly
elegant gesture toward the Frau Consul, and whispered ardently,
“Pray look, Frau Consul, I beg of you.—Fräulein, I implore you,” he
interrupted himself aloud, just as if Tony could not hear the rest of
what he said, “to keep in that same position for just a moment. Do
you see,” he began whispering again, “how the sunshine is playing in
your daughter’s hair? Never,” he said solemnly, as if transported,
speaking to nobody in particular, “have I seen more beautiful hair.” It
was as if he were addressing his remarks to God or to his own soul.
The Consul’s wife smiled, well pleased. The Consul said, “Don’t be
putting notions into the girl’s head.” And again Tony drew her brows
together without speaking. After a short pause, Herr Grünlich got up.
“But I won’t disturb you any longer now—no, Frau Consul, I refuse to
disturb you any longer,” he repeated. “I only came on business, but I
could not resist—indeed, who could resist you? Now duty calls. May
I ask the Consul—”
“I hope I do not need to assure you that it would give us pleasure if
you would let us put you up while you are here,” said the Frau
Consul. Herr Grünlich appeared for the moment struck dumb with
gratitude. “From my soul I am grateful, Frau Consul,” he said, and
his look was indeed eloquent with emotion. “But I must not abuse
your kindness. I have a couple of rooms at the City of Hamburg—”
“A couple of rooms,” thought the Frau Consul—which was just what
Herr Grünlich meant her to think.
“And, in any case,” he said, as she offered her hand cordially, “I hope
we have not seen each other for the last time.” He kissed her hand,
waited a moment for Antonie to extend hers—which she did not do—
described another half-circle with his upper torso, made a long step
backward and another bow, threw back his head and put his hat on
with a flourish, then walked away in company with the Consul.
“A pleasant man,” the Father said later, when he came back and
took his place again.
“I think he’s silly,” Tony permitted herself to remark with some
emphasis.
“Tony! Heavens and earth, what an idea!” said the Consul’s wife,
displeased. “Such a Christian young man!”
“So well brought up, and so cosmopolitan,” went on the Consul. “You
don’t know what you are talking about.” He and his wife had a way of
taking each other’s side like this, out of sheer politeness. It made
them the more likely to agree.
Christian wrinkled up his long nose and said, “He was so important.
‘You are conversing’—when we weren’t at all. And the roses over
there ‘trim things up uncommonly.’ He acted some of the time as if
he were talking to himself. ‘I am disturbing you’—‘I beg pardon’—‘I
have never seen more beautiful hair.’” Christian mocked Herr
Grünlich so cleverly that they all had to laugh, even the Consul.
“Yes, he gave himself too many airs,” Tony went on. “He talked the
whole time about himself—his business is good, and he is fond of
nature, and he likes such-and-such names, and his name is Bendix
—what is all that to us, I’d like to know? Everything he said was just
to spread himself.” Her voice was growing louder all the time with
vexation. “He said all the very things you like to hear, Mamma and
Papa, and he said them just to make a fine impression on you both.”
“That is no reproach, Tony,” the Consul said sternly. “Everybody puts
his best foot foremost before strangers. We all take care to say what
will be pleasant to hear. That is a commonplace.”
“I think he is a good man,” Clothilde pronounced with drawling
serenity—she was the only person in the circle about whom Herr
Grünlich had not troubled himself at all. Thomas refrained from
giving an opinion.
“Enough,” concluded the Consul. “He is a capable, cultured, and
energetic Christian man, and you, Tony, should try to bridle your
tongue—a great girl of eighteen or nineteen years old, like you! And
after he was so polite and gallant to you, too. We are all weak
creatures; and you, let me say, are one of the last to have a right to
throw stones. Tom, we’ll get to work.”
Pert little Tony muttered to herself “A golden goat’s beard!” and
scowled as before.