Advances in Mathematics of Communications doi:10.3934/amc.2020046 Volume 15, No. 1, 2021, 113–130

A POST-QUANTUM UC-COMMITMENT SCHEME IN THE GLOBAL RANDOM ORACLE MODEL FROM CODE-BASED ASSUMPTIONS

Pedro Branco Instituto Superior T´ecnico - University of Lisbon SQIG - IT Lisbon, Portugal

(Communicated by Lih-Chung Wang)

Abstract. In this work, we propose a post-quantum UC-commitment scheme in the Global Random Oracle Model, where only one non-programmable ran- dom oracle is available. The security of our proposal is based on two well- established post-quantum hardness assumptions from coding theory: The Syn- drome Decoding and the Goppa Distinguisher. We prove that our proposal is perfectly hiding and computationally binding.

1. Introduction One of the most important cryptographic primitive in today’s world are commit- ment schemes, both in theory and in practice. A commitment scheme involves two parties, usually called the committer C and the receiver R. C commits to a message and sends the commitment to R. Later, C may open the commitment and reveal the message to R, which checks if the opening is a valid one. Two security properties are required for this primitive: the hiding property, which means that R is not able to extract information about the message from the commitment before the opening phase, and the binding property, which means that C cannot open a different message from the one it has committed before. This simple, yet powerful, primitive has found numerous applications such as zero-knowledge proofs, signature schemes, secure multi-party computation, e-voting or, even, key-exchange. Due to its versatility, a commitment scheme should be secure even when composed with the same or other protocols. Hence, security of commitment should be analyzed in the UC-framework [8], where security under arbitrary composition can be proven. It is well-known that commitment schemes can be obtained from oblivious trans- fer (OT) via a generic compiler [24]. However, in this work we focus on an explicit construction for a commitment scheme (that is, not constructed via generic trans- formations). As far as we know, all the explicit constructions for UC-commitment schemes in the Global Random Oracle (gRO) model [10] have their security based on number-theoretic hardness assumptions (e.g., [9, 26, 10]) and, thus, they can be

2020 Mathematics Subject Classification: Primary: 94A60; Secondary: 94A15. Key words and phrases: Commmitment, Universal Composability, global random oracle, code- based cryptography, post-quantum cryptography. The author is supported by DP-PMI and FCT (Portugal) through the grant PD/BD/135181/2017.

113 114 Pedro Branco broken using Shor’s algorithm [31]. With the growing interest in quantum technolo- gies and as we enter the post-quantum era, it becomes crucial to find post-quantum alternatives to this type of protocols. In this work, we address this problem by presenting the first explicit construction for a post-quantum UC-commitment scheme. Our proposal is proven to be secure in the gRO model. We prove that our scheme is perfectly hiding (meaning that even a receiver with unlimited computational power cannot break the hiding property) and computationally binding given that the Syndrome Decoding (SD) and the Goppa Distinguisher (GD) assumptions hold.

1.1. Previous work. Commitment schemes. There is a large amount of work done concerning UC-commit- ment schemes [9, 15, 22, 26, 19, 10, 20,6]. However, all of these protocols are based on number-theoretic assumptions. Thus, their security is threatened, since Shor’s quantum algorithm breaks all of these protocols [31]. A UC-commitment scheme must allow extraction and equivocation by the simula- tor. These properties are essential to perform the simulation and to prove security in the UC-framework [9]. Most of the schemes mentioned above take advantage of the nice properties inherent to number-theoretic assumptions to be able to extract and equivocate.1 However, it seems that most of the techniques used in these schemes cannot be straightforwardly adapted using post-quantum assumptions. Thus, the task of explicitly constructing a post-quantum commitment scheme that is both extractable and equivocable is highly non-trivial Post-quantum commitment schemes exist, e.g., [23], based on the LPN assump- tion, and [32], based on the RLWE assumption. However, we are not aware of any commitment scheme based on post-quantum assumptions and proven to be secure in the UC-framework. We remark that commitment schemes can also be obtained from OT [24, 21, 12, 13], and for which there are UC-secure post-quantum proposals (e.g., [30,1,5]). However, we are not aware of any OT that is fully secure in the gRO model. UC-commitment schemes are used as building block in the design of a wide range of applications, and they are known to imply general forms of secure two and multi-party computation [11]. Global random oracle model. As it is well-known, it is impossible to design UC- commitment schemes in the plain model [9], thus we work on the Global Random Oracle (gRO) Model. The gRO Model is a more realistic model where only one global random oracle is available for every party in every execution of the same, or other, protocol. The notion of a gRO was firstly introduced in [10] to overcome the fact that proofs in the Random Oracle Model (ROM)[3] assume a different random oracle for each execution of the protocol. Hence, security under composition may not be guaranteed when we replace the random oracles by a practical cryptographic hash function (which is usually the same for every execution of every protocol). The main difference between the gRO Model and the ROM is that, in the gRO Model, we restrict the observability and the programmability power of the simulator. More precisely, the simulator is restricted to observe only adversarial queries (queries made by an adversary and not by an honest party) and it is not allowed to program

1For example, the scheme in [26] uses efficient zero-knowledge proofs based on the discrete- logarithm assumption, and [10] uses a trapdoor version of the famous Pedersen commitment scheme. A PQ UC-Commitment scheme in the GROM 115 the random oracle. Observe that, if the simulator can program the random oracle, then we can not use the same random oracle in other executions of the same or other protocols. If we do so, an environment could distinguish the ideal and the real world executions by just asking the same queries in two different executions of the protocol, for example. Also, note that we cannot restrict completely the power of the simulator to observe queries. If we do so, the simulator has the same power of the parties involved in the protocol and cannot perform the simulation necessary for security proofs [10]. Hence, the simulator is given only the power to observe queries made by an adversary (but not by an honest party). By using this security model, the discrepancy between the abstract model and the practical usage of a protocol is softened, since we can just replace calls to the gRO by calls to a global cryptographic hash function. This model was also studied in [7], where it was called the restricted Observable Global Random Oracle Model. Protocols proven to be UC-secure in the gRO Model include number-theoretic OT and commitment schemes [10,6], and a two-party computation scheme [10]. Recall that an UC-commitment scheme should allow extractability and equivocabi- lity by a simulator. The scheme of [10] uses a trapdoor version of the Pedersen commitment scheme to achieve equivocation. However, as far as we know, there is no post-quantum analogue of this trapdoor version of Pedersen commitment. Hence, we have to follow a different strategy. The work of [7] presents alternatives to the gRO model (or restrited Observable Random Oracle, as it is called there) where efficient commitments are proposed and proven to be secure. However, we remark that these efficient commitments are proven secure in models where one is allowed to somehow program the random ora- cle. Note that we always have to give some power (either the capacity of observing or programming queries) to the simulator, otherwise it is impossible to design UC- commitments [9, 10,7]. Nonetheless, the capacity of observing adversarial queries is a weaker assumption and a more realistic one, since in real life, one cannot modify the outputs of a hash function (which emulates the behavior of the random oracle). 1.2. Outline of the protocol. The main contribution of this paper is the con- struction of a post-quantum UC-commitment scheme. As far as we know, this is the first post-quantum commitment scheme proven to be secure in the UC-framework, in the gRO Model. As mentioned before, to achieve UC-security for the commitment scheme, we have to construct a commitment scheme such that the simulator in the ideal-world execution is able to extract the committed message from a corrupted committer and it is able to equivocate a commitment. In our scheme, the committer C queries the gRO on an input that contains the message and this allows for extractability. On the other hand, equivocation is possible due to the use of a zero-knowledge proof- of-knowledge (ZKPoK) with the honest-verifier zero-knowledge (HVZK) property. More precisely, let B be a public random matrix. The receiver R starts by sending a matrix A together with the hash of a trapdoor for it. C commits to its message M by computing c1 = r1A + gRO(M, t) + e1 and c2 = gRO(r1, M, t)A + r2B + e2 where r1 and r2 are random vectors and e1 and e2 are error vectors. We can already see that the simulator is able to extract the message by looking at the queries to gRO and finding the ones that fulfill the conditions. To open a message, C opens r1, M, t. Then both C and R engage in a ZKPoK [23] where C proves that it has a witness for public information c2 − gRO(r1, M, t)A. In order for the simulator to equivocate in this phase of the protocol, it extracts 116 Pedro Branco

0 0 0 0 the trapdoor for A and finds another r1 such that c1 − (r1A + gRO(M , t )) has low Hamming weight. This can be done on polynomial time for certain classes of codes and for an appropriate choice of parameters (e.g. [14]). Now, the simulator 0 0 0 must prove that it has a secret for public information c2 − gRO(r1,M , t )A (which it does not have). We make R to commit to the challenge of the ZKPoK using gRO before C sends the first message of the ZKPoK. In this way, the simulator knows which is the challenge that R is going to ask and can cheat in the protocol, using the HVZK property of the ZKPoK. This technique is similar to the one used in [26]. However, since the scheme of [26] is proven in the CRS model, a dual-mode encryption scheme [30] is used as a commitment scheme (for technical reasons), while in our scheme, it is enough to use the gRO as a commitment scheme. We prove that the scheme is perfectly hiding and computationally binding. We also prove security against static malicious adversaries in the UC-framework, in the gRO Model. Since we base the security of our scheme in well-established code-based assump- tions, namely the SD and the GD assumptions, our protocol is considered to be post-quantum and it is the first explicit construction for UC-commitment that has this property.

2. Preliminaries We denote matrices by capital bold letters (e.g., A) and vectors by bold lowercase letters (e.g., v). If S is a finite set, |S| denotes its cardinality and x ←$ S denotes the experiment of choosing an element x uniformly at random from S. If A is an algorithm, y ← A(x) denotes the experiment of running A on input x and setting the output to be y. If x is a vector, w(x) denotes its Hamming weight, that is, the number of coordinates of x which are different from zero. If A is a matrix, we denote its transpose by AT . A k-dimensional binary (linear) code C of length n is defined by its generating matrix A ∈ {0, 1}k×n, that is, C = {c ∈ {0, 1}n : ∃s ∈ {0, 1}k s.t. c = sA}, or by its parity-check matrix H ∈ {0, 1}(n−k)×n, that is, C = {c ∈ {0, 1}n : HcT = 0}. The generating and parity-check matrices fulfill the condition HAT = 0. n n n Throughout this work, let B=ω = {e ∈ {0, 1} : w(e) = ω} and B≤ω = {e ∈ {0, 1}n : w(e) ≤ ω}. In the description of the protocols, we denote by x =? y the experiment of testing if x and y are equal. If they are not, then the party executing the experiment aborts the protocol. A PPT algorithm means a probabilistic polynomial-time algorithm. If Y is a random variable, we denote by E(Y ) its expected value. Let Xi be a Bernoulli random variable, for i = 1, . . . , n and let X = (X1 + ··· + Xn)/n. Recall that the Chernoff-Hoeffding’s inequality states that

−2nδ2 Pr [|X/E(X) − 1| ≥ δ] ≤ e . In other words, the Chernoff-Hoeffding’s inequality gives us an upper bound on the probability of the relative distance between X and E(X) being smaller than δ. If Xi is any random variable (for i = 1, . . . , n), the union bound states that A PQ UC-Commitment scheme in the GROM 117

" # X X Pr Xi ≤ Pr [Xi] . i i 2.1. Hardness assumptions in coding theory. We present the Syndrome De- coding (SD) problem, which states that it is hard to decode a linear code chosen uniformly at random. The problem is proven to be NP-complete in the worst- case [4].

Conjecture 1 (Syndrome Decoding). Let n, k, ω ∈ N, H ∈ {0, 1}(n−k)×n and n e ∈ B≤ω. We say that the SDn,k,ω problem is hard if for every PPT algorithm D we have Pre ← D(H, HeT ) ≤ ε, for a negligible value ε in the security parameter. The SD problem is a classical problem in coding theory and, by now, it is a well-established problem in code-based cryptography. Although no worst-case to average-case reduction is known, it is widely believed that, for an appropriate choice of parameters, the problem is hard for any random instance since the best known classical and quantum attacks still run in exponential time (e.g. [2, 17, 25]). The following problem is a particular case of the SD problem, which was presented in [23].

Conjecture 2 (Exact Learning Parity with Noise). Let τ ∈]0, 1/2[, n, k, ω ∈ N, k k×n n ω = bτne , s ←$ {0, 1} , A ←$ {0, 1} and e ←$ B=ω. We say that the decisional version of the xLPNn,k,τ problem is hard if for every PPT algorithm D we have

Pr[1 ← D(A, sA + e)] − Pr[1 ← D(A, r)] ≤ ε n where r ←$ {0, 1} , for a negligible value ε in the security parameter. The search version of the xLPNn,k,τ problem is hard if for every PPT algorithm D we have Pr[s ← D(A, sA + e)] ≤ ε, for a negligible value ε in the security parameter. It is easy to see that the xLPN is a particular case of the SD problem, that is, if we are able to solve the SDn,k,ω problem then we are able to solve the xLPNn,k,τ , where ω = bτne. The proof of knowledge of [23]. Recall that a sigma protocol is a three-round pro- tocol (commitment com, challenge ch and response resp) between two parties, a prover P and a verifier V. P tries to convince V that some statement is true. A zero-knowledge proof-of-knowledge (ZKPoK) is a sigma protocol where P, not only proves that the statement is true, but also proves that it has a witness for it. Fig- ure1 presents a scheme of any sigma protocol. Besides being correct and special sound, a ZKPoK should also be honest-verifier zero-knowledge (HVZK). This property ensures that no information is gained by V by looking at a valid transcript. This is usually proved by showing the existence of a simulator that can generate transcripts that are computationally indistinguishable from transcripts generated by the interaction between P and V. We present a ZKPoK where, given a matrix A and a vector y, the prover is able n to prove knowledge of vector s and e such that sA + e = y and e ∈ B=ω. This protocol was proposed in [23]. The protocol is presented in Figure2. 118 Pedro Branco

Prover P(x, w) Verifier V(x) com com ← P1(x, w)

ch ch ← V1

resp resp ← P2(x, w; com, ch) V2(x, com, ch, resp) =? 1

Figure 1. Sigma protocol structure. The value x is public infor- mation and w is usually called the witness. Let ∼ be a relation and R = {(x, w): x ∼ w}. A transcript T = (com, ch, resp) is the tuple of messages exchange and we say that it is valid when V2(x, T ) = 1.

Prover P(A, y, s, e) Verifier V(A, y) k n v ←$ {0, 1} , u ←$ {0, 1} δ ←$ S

c0 = Com(δ, a0 = vA + u)

c0, c1, c2 c1 = Com (a1 = δ (u)) ch ←$ {0, 1, 2}

ch c2 = Com (a2 = δ (u + e))

If ch = 0, Ver(c0, (δ, a0)) =? 1

If ch = 0, resp = (δ, a0, a1) Ver(c1, a1) =? 1 resp If ch = 1, resp = (δ, a0, a2) a0 + δ(a1) ∈? CA

If ch = 2, resp = (a1, a2) If ch = 1, Ver(c0, (δ, a0)) =? 1

Ver(c2, a2) =? 1

a0 + δ(a2) + y ∈? CA

If ch = 2, Ver(c1, a1) =? 1

Ver(c2, a2) =? 1 n (a1 + a2) ∈? B=ω

k×n k Figure 2. (P, V)xLPN scheme. Let A ∈ {0, 1} , s ∈ {0, 1} , n n n e ∈ {0, 1} such that e ∈ B=ω and let y ∈ {0, 1} such that sA + e = y. By CA we denote the code defined by A. Let S be the set of permutations of size n and let (Com, Ver) be a commitment scheme where Com is the commitment algorithm and Ver is the opening algorithm.

Theorem 2.1 ([23]). (P, V)xLPN is a complete, special sound and HVZK ZKPoK for the relation

RxLPN = {((A, y) , (s, e)) : sA + e = y ∧ w(e) = t} . A PQ UC-Commitment scheme in the GROM 119

The cheating probability of (P, V)xLPN is 2/3. This means that a cheating prover can still answer correctly for two possible values of the challenge ch. More precisely, as a consequence of being HVZK, if the prover knows the challenge beforehand, then it can cheat in the protocol. In this work, we use this property of (P, V)xLPN in the security proof of the commitment scheme of Section3. 2.2. On the existence of code-based trapdoor functions. We present the Goppa Distinguisher (GD) problem, one of the assumptions that guarantee the security of the McEliece public-key encryption scheme [29] and several code-based cryptosystems. This problem was firstly assumed to be hard in [14] in the context of signature schemes.

Conjecture 3 (Goppa Distinguisher). Let n, k ∈ N such that k < n. Let Gop(n, k) be an algorithm that outputs a matrix defining a binary Goppa code of size n × k. We say that the GDn,k is hard, if for every PPT algorithms D, we have  k×n |Pr [1 ← D(A): A ← Gop(n, k)] − Pr 1 ← D(A): A ←$ {0, 1} | ≤ ε, for a negligible value ε in the security parameter. Although the problem can be solved for codes with high-rate (that is, when k ≈ n)[18], the GD problem is assume to be computationally hard in the general case, since the best known attack still has exponential runtime [27]. The following lemma guarantees the existence of code-based trapdoors (also called decoding algorithms).

Lemma 2.2 ([14]). Let n, k, ω ∈ N such that k < n. There exists an algorithm GenTdH that receives as input n, k and ω and outputs a pair (H, td) where H ∈ {0, 1}(n−k)×n is a matrix and td is a trapdoor for H with the following properties: n−k • There is an algorithm DecodeH that takes as input td and a word z ∈ {0, 1} . It outputs either e, if zT = HeT and w(e) ≤ ω, or a message error ⊥, other- wise; • There is a non-negligible number of words z in {0, 1}n−k for which the algo- rithm DecodeH(z, td) does not output a message error ⊥; • H is indistinguishable from a uniformly chosen matrix U from {0, 1}(n−k)×n given that the GDn,k problem is hard. Again, for high-rate Goppa codes, the signature scheme of [14] can be broken. However, it is well-known that the security of the scheme in [14] scales superpoly- nomially with the security parameter, if we want a non-negligible number of words z in {0, 1}n−k for which we can invert H (see [16] and the discussion about [14] presented there). Hence, throughout this work, we assume that the scheme of [14] is secure and that Lemma 2.2 holds for a proper choice of parameters. From this lemma, we can derive the following corollary. It states that, if we have a trapdoor for parity-check matrices, then we also have a trapdoor for generating matrices.

Corollary 1. Let n, k, ω ∈ N such that k < n. There exists an algorithm GenTd that receives as input n, k and ω and outputs a pair (A, td) where A ∈ {0, 1}k×n is a matrix and td is a trapdoor for A with the following properties: n • There is an algorithm DecodeA that takes as input td and a word c ∈ {0, 1} . It outputs either s, if c = sA + e for some s ∈ {0, 1}k and w(e) ≤ ω, or a message error ⊥, otherwise; 120 Pedro Branco

n • There is a non-negligible number of words c in {0, 1} for which DecodeA(c, td) does not output a message error ⊥; • A is indistinguishable from a uniformly chosen matrix U from {0, 1}k×n given that the GDn,k problem is hard.

Proof. Let (H, td) ← GenTdH. Consider A to be the generating matrix associated T with H. That is, consider A such that HA = 0 and DecodeA to be the algorithm that takes td and c as input and does the following: 1. It computes HcT = yT ; 0 2. It computes e = DecodeH(td, y); 3. If e0 =⊥, it outputs ⊥; 4. Else, it outputs c0 = c − e0. Note that, if c is of the form sA + e, where e is an error vector, then HcT = T T T H(sA) + He = He , the DecodeH algorithm outputs e and the procedure 0 DecodeA outputs c = sA. Else, if c is not of the form sA + e, then the pro- cedure DecodeA outputs an error message ⊥. n−k If there is a non-negligible number of words y ∈ {0, 1} for which DecodeH does not output a message error ⊥, then there is also a non-negligible number of n words c ∈ {0, 1} such that DecodeA does not output a message error ⊥. If H is indistinguishable from a uniform matrix in {0, 1}(n−k)×n, then A is also indistinguishable from a uniform matrix in {0, 1}k×n. To see this, assume that we can distinguish A from a uniformly chosen matrix. Then we can construct a distinguisher algorithm for H, which contradicts the assumption.

Let ω be the error decoding capability of the code defined by H. In order to be able to use the trapdoor in polynomial time, ω must be chosen well below the Gilbert-Varshamov bound [14, 16]. Hence, 2ω is still much smaller than the Gilbert- Varshamov bound. In this work, we assume the hardness of the SDn,k,2ω, where ω is the decoding capability of the code H, and which is widely assumed to be hard in the average-case [16]. Remark. Recently, a new code-based trapdoor function was presented in [16]. It has the same properties as the one presented in Lemma1. The only difference is that this trapdoor is not based on the GD assumption but rather on the hardness of distinguish generalized admissible codes (U, U + V) from uniformly chosen codes. As we will see, the construction of Section3 works with any code-based trapdoor function fulfilling the conditions of Lemma1. However, for simplicity, we explicitly use the trapdoor function of [14], based on the GD assumption. The reason for using trapdoor functions based on the GD assumption in our construction is that its security well-study (or, at least, it is more studied than other code-based dis- tinguisher assumptions). We do not care about its efficiency, since the trapdoor is only used in the security proof, as long as it runs in polynomial time.

2.3. UC-security and the Global random oracle model. The Universal Composability (UC) framework of Canneti [8] guarantees security of a protocol un- der arbitrary composition. Let π be a protocol and let F be an ideal functionality that implement the same cryptographic primitive. Let E be an environment that oversees both executions of the real-world protocol π and of the ideal-world func- tionality F. We say that π is secure if no environment can distinguish the real-world execution from the ideal-world execution. A PQ UC-Commitment scheme in the GROM 121

The Global Random Oracle. The notion of a Global Random Oracle gRO was firstly introduced in [10]. We present its definition as in [10]. As mentioned in the intro- duction, the gRO is available to every party. However, contrarily to the ROM, the simulator will only be able to observe to adversarial queries, that is, queries made by an adversary.

gRO functionality Parameters: a range D of size `(κ) and a list F¯ of ideal functionalities. Upon receiving a query x from a party P = (pid, sid) or from an adversary A do: • If (x, v) ∈ Q, return v to P; `(κ) • Else, v ←$ {0, 1} , store (x, v) in Q and return v to P. 0 0 • Parse x as (s, x ). If sid 6= s, add (s, x , v) to Q|sid. Upon receiving a request from an ideal functionality in the list F¯, with SID sid, return the list Q|sid.

Let IDEALF,S,E denote the distribution of the output of the environment E after GgRO the ideal-world execution of F with adversary S and EXECπ,A,E denote the output of E after the real-world execution of π with adversary A where every party has access to the ideal functionality gRO. Security in the gRO-hybrid model is defined as follows.

Definition 2.3 ([10]). Let π be a protocol with n parties involved and an adversary A. We say that π UC-realizes F in the GgRO-hybrid model if for every PPT adversary A there is a PPT simulator S such that for all PPT environments E,

GgRO IDEALF,S,E ≈ EXECπ,A,E where F is an ideal functionality.

In this work, we consider only static malicious adversaries. That is, adversaries that may deviate in any arbitrary way from the protocol. However, parties involved in the protocol are corrupted before the beginning of the protocol and remain like that until the end. Some remarks regarding the gRO. The gRO Model assumes the existence of a single global random oracle, available to every party. However, we remark that, from this single global random oracle (which outputs strings of a given size `(κ)), we can create other global random oracles with the output size that we want. For example, if we want a global random oracle gRO0 with output size 2`(κ), we can define gRO0(x) = (gRO(x)||gRO(x + 1)) where || is the concatenation of binary strings. Note that, since the output of gRO is completely random, then so it is the output of gRO0. Throughout this work, the size of the output of gRO is specified in each case. When it is not explicit, then we consider the size of the output to be `(κ). The commitment ideal functionality. We present the ideal commitment functionality Ftcom, as presented in [10]. 122 Pedro Branco

Ftcom functionality Commitment phase: Upon receiving (sid, commit, C, R,M) from C, Ftcom stores (sid,M) and sends (sid, receipt, C, R) to R. It ignores future commit messages from C with the same sid. Opening phase: Upon receiving (sid, reveal, C, R) from C, Ftcom checks whether it has recorded (sid, commit, C, R,M). If so, returns (sid, reveal, C, Rs, M) to R and halts. .When the adversary S asks for the list Q|sid, with session ID sid, Ftcom obtains it from GgRO and sends it to S. We define the security properties for a commitment scheme: binding and hiding properties. A binding commitment scheme is a scheme such that a commitment cannot be opened to two different messages. A hiding commitment scheme is a scheme that hides the message from the receiver. We say that a scheme is perfectly hiding if the former holds for any adversary (not necessarily running in polynomial time).

3. UC-commitment scheme Consider two parties, a committer C and a receiver R. Suppose that C wants to commit to a message M of size λ. ε ε ε ε ε ε ε ε Let (P , V )xLPN, where P = (P1, P2) and V = (V1, V2) be the sigma-protocol (P, V)xLPN repeated O(1/ε) in order to obtain a negligible soundness error of ε. Public parameters. Let n, k, k0, ω, α ∈ such that n > k, n > k0 and α = λ + n, 0 N B ∈ {0, 1}n×k be a public matrix uniformly chosen at random and let gRO be the ideal Global Random Oracle. Here, λ is the size of the message M. Commitment phase. Both parties, the committer C and the receiver R, are activated by their inputs. They proceed as follows: α 1. R generates (A, td) ← GenTd(n, k, ω). It chooses a random string u1 ←$ {0, 1} and queries gRO on (sid, R, td, u1) setting the output to y1. It sends (sid, A, y1) to C. k k0 2. Upon receiving (sid, A, y) from R, C it chooses r1 ←$ {0, 1} and r2 ←$ {0, 1} n α and two error vectors e1, e2 ←$ B=ω. It chooses a random string t1 ←$ {0, 1} n and queries gRO on (sid, C, M, t1) setting the output to x1 ∈ {0, 1} . It computes

c1 = r1A + x1 + e1. α Next, it queries gRO on (sid, C, r1, M, t2), where t2 ←$ {0, 1} , setting the k0 output to x2 ∈ {0, 1} . It computes

c2 = x2A + r2B + e2.

It sends (sid, c1, c2) to R. A scheme can be found in Figure3. Opening phase. To open a message M, the parties proceed as follows. ε ε ε 1. R first chooses ch ← V1, consistent with the challenges from the (P , V )xLPN protocol. It chooses a random string u2 and queries gRO on (sid, R, ch, u2) setting the output to y2. It sends (sid, y2) to C. ε 2. Upon receiving (sid, y2) from R, C computes com ← P1 ((B, r2B + e2) , r2), ε ε a commitment of (P , V )xLPN for public information (B, r2B + e2) and se- α cret information r2. It chooses a random string t3 ←$ {0, 1} and queries A PQ UC-Commitment scheme in the GROM 123

Committer C Receiver R (A, td) ← GenTd(n, k, ω)

0 k k (sid, y1) r1 ←$ {0, 1} , r2 ←$ {0, 1} y1 ← gRO(td)

n e1, e2 ← B=ω

x1 ← gRO(sid,M), x2 ← gRO(sid, r1,M)

(sid, c1, c2) c1 ← r1A + x1 + e1

c2 ← x2A + r2B + e2

Figure 3. Commitment phase. GenTd creates a matrix A and a trapdoor, according to Lemma1 and gRO is the global random oracle. The random strings t1, t2 and u1 are omitted

(sid, C, com, r2B + e2, t3) to gRO setting the output to x3. It sends (sid, x3) to R. 3. Upon receiving (sid, x3) from C, R reveals td and ch by sending (sid, td, u1, ch, u2) to C. 4. Upon receiving (sid, td, u1, ch, u2) from R, C checks that the opening td, t1 is consistent with y1 and that ch, t2 is consistent with y2. It does this by querying gRO on (sid, R, td, u1) and on (sid, R, ch, u2), setting the output to 0 0 0 0 y1 and to y2 (respectively) and by checking if y1 = y1 and if y2 = y2. If any of these tests fails, C aborts the protocol. Otherwise, it computes resp ← ε P2 ((B, r2B + e2) , r2; com, ch) and sends (sid, r1, M, t1, t2, t3, com, resp) to R. Upon receiving (sid, r1, M, t1, t2, t3, com, resp) from C, R sets T = (com, ch, resp). It queries gRO on (sid, C, M, t1) and on (sid, C, r1, M, t2) and sets the 0 0 output to x1 and to x2 respectively. It also queries gRO on (sid, com, c2 − 0 0 0 0 x2A, t3) and sets the output to x3. It checks if x3 = x3, if w(c1 −(r1A+x1)) ≤ ε 0 ω and if V2(c2 − x2A,T ) = 1. If any of these tests fail, R outputs 0. Else, it accepts the opening and outputs 1. A scheme of the opening phase is presented in Figure4.

4. Security In this section, we prove the security of the scheme. We also present the simula- tion required to guarantee universal composability.

4.1. Committer’s and receiver’s privacy. Theorem 4.1. The commitment scheme is perfectly hiding and computationally binding in the gRO-model, given that the SDn,k,2ω and GDn,k problems are hard and that α = λ + n

Proof. We begin by proving the hiding property. Then we prove the binding prop- erty for our scheme. 124 Pedro Branco

Opening phase Committer C Receiver R ε ch ← V1

ε (sid, y2) com ← P1 ((B, r2B + e2) , r2) y2 ← gRO(sid, ch)

(sid, x3) x3 ← gRO(sid, com, r2B + e2)

(sid, td, ch)

0 y1 ← gRO(sid, td) 0 0 y2 ← gRO(sid, ch) x1 ← gRO(sid,M)

0 0 (sid, r1,M, com, resp) 0 y1 =? y1 , y2 =? y2 x2 ← gRO(sid, r1,M)

ε 0 resp ← P2 ((B, r2B + e2) , r2; com, ch) x3 ← gRO(sid, com, c2 − Ax2) 0 x3 =? x3 0 n c1 − (r1A + x1)) ∈? B≤ω ε 0 V2(c2 − x2A,T ) =? 1

Figure 4. Opening phase. (Pε, Vε) is the sigma-protocol ε ε ε ε ε ε (P, V)xLPN repeated O(1/ε), where P = (P1, P2) and V = (V1, V2). The random strings t1, t2, t3, u1 and u2 are omitted.

Perfectly hiding property. The commitment corresponds to c1 = r1A + x1 + e1 and c2 = x2A + r2B + e2, where x1 ← gRO(sid, M, t1) and x2 ← gRO(sid, r1, M, t2). This means that the message is hidden by the random oracle. We prove that the probability of an adversary to find M is negligible, even when it has unlimited computational power. To this end, we prove that, given an output y of gRO, the probability that the output of a query of the form (sid, C, M, t1) is y is negligible for every message M and random t1, if the size of t1 is equal to the size of M plus the size of y. We also need to prove that the probability that the output of a query of the form (sid, C, r1, M, t2) is y is also negligible, but this follows from the uniformly random behavior of gRO. Let Sy be the random variable that corresponds to the number of fixed size x such that y ← gRO(x), where x is of the form (sid, M, t) where M is a fixed message P n of size λ, t has size α and y has size n. We have that Sy = t Bert(2 ) where Ber denotes a Bernoulli distribution for each t. Hence, the expected value of Sy is α −n E(Sy) = 2 2 . We now prove that the (relative) distance δ between Sy and E(Sy) is negligible in α, except with negligible probability. If so, we can conclude that the number of elements in Sy is exponential in n, except with negligible probability. This turns the scheme (perfectly) hiding, since there are an exponential number of elements with the same image and an all-powerful adversary has just a negligible probability of guessing the right pre-image. We can view this argument from another perspec- tive: Basically, we choose a large enough pre-image space such that there are an exponential number of pre-images with the same image. In this case, information is A PQ UC-Commitment scheme in the GROM 125 lost and no adversary, even an all powerful one, can invert the function to the right pre-image. By the Chernoff-Hoeffding’s inequality (considering the relative distance between Sy and E(Sy)), we have −2α.δ2 Pr [|Sy/E(Sy) − 1| ≥ δ] ≤ γe −α/4 where γ is some constant. Consider δ to be 2 , so that the distance between Sy and E(Sy) is negligible in α. Finally, taking the union bound for every y and for every M, we get

h −α/4i λ+n −2α.δ2 Pr ∃M∃y : |Sy/E(Sy) − 1| ≥ 2 ≤ γ2 e . By hypothesis, consider α = λ + n. We conclude that the relative distance between (λ+n)/4 Sy and E(Sy) is at most 1/2 , except with negligible probability. Following a similar reasoning, we can also prove that the probability that the α output of a query of the form (sid, C, r1, M, t2) is y is negligible, if t2 ∈ {0, 1} . Note that t2 does not have to be larger than t1 since, in this case, there is an extra random vector r1. Binding property. Suppose that C is able to find c1 and c2, given A and y1, such that it is able to open different messages. That is, C is able to interact with R following the opening phase of the protocol such that R accepts the opening for two different messages. This situation is sketched below:

1. R sends y2; 1. R sends y2; 0 2. C sends x3; 2. C sends x3; 3. R sends td, ch, u1, u2; 3. R sends td, ch, u1, u2; 0 0 0 0 0 4. C sends com, resp ,r1, M, s, t1, 4. C sends com , resp , r1, M , s , 0 0 0 t2, t3. t1, t2, t3.

Since R accepts both openings as valid ones, they must fulfill the following con- ditions:

1. w(c1 + r1A + x1) ≤ ω, T = (com, ch, resp) is a valid transcript for public information (B, c2 + x2) and x3 = gRO(sid, c2 + x2, com, t3); 0 0 0 0 0 2. w(c1 + r1A + x1) ≤ ω, T = (com , ch, resp ) is a valid transcript for public 0 0 0 0 0 information (B, c2 + x2) and x3 = gRO(sid, c2 + x2, com , t3) 0 0 0 where x1 = gRO(sid, M, t1), x2 = gRO(sid, r1, M, t2), x1 = gRO(sid,M , t1) and 0 0 0 x2 = gRO(sid, r1,M , t2). Therefore, we have that 0 0 0 (r1 + r1)A + (e1 + e1) = x1 + x1. 0 0 0 Let r1 + r1 = ˜r, e1 + e1 = e˜ and x1 + x1 = x˜. Rewriting the equation, we have ˜rA + e˜ = x˜, where x˜ is chosen uniformly at random from {0, 1}n and w(e˜) ≤ 2ω. By the hardness of SDn,k,2ω, the probability that the receiver finds ˜r and e˜ for a random x˜ is negligible. Else, the receiver would be able to solve the SDn,k,2ω for random instances or to solve the GDn,k problem. ε ε Also, by the soundness of the (P , V )xLPN protocol, we have 0 0 0 x2A + r2B + e2 = x2A + r2B + e2 126 Pedro Branco

0 0 0 0 0 n where x2 ← gRO(sid, r1, M, t2), x2 ← gRO(sid, r1,M , t2) and e2, e2 ∈ B=ω, except with negligible probability. This means that the word  0 
x2 + x2 A|B 0 r2 + r2 has Hamming weight less or equal than 2ω. Let CA be the code defined by the generating matrix A and CB the code defined by B. By definition of CA, every c ∈ CA has Hamming weight greater than 2ω, otherwise we could not be able to n some words of the form y = c + e˜ where c ∈ CA and e˜ ∈ Bω. Moreover, if d ∈ CB then d has Hamming weight greater than 2ω, except with negligible probability,  0  x2 + x2 by the Gilbert-Varshamov bound [28]. We conclude that 0 = 0, except r2 + r2 0 0 with negligible probability. Therefore, x2 = x2 and r2 = r2, except with negligible probability. So, if it is infeasible to find collisions for gRO, then it is infeasible to open two different messages in the opening phase.

4.2. UC-security. In this section, we prove that the scheme is secure in the UC- framework.

Theorem 4.2. The commitment scheme presented securely UC-realizes Fcom against static malicious adversaries in the GgRO-hybrid model, given that the SDn,k,2ω and GDn,k problems are hard and that α = λ + n. Before delving deeper into the proof of the theorem, we give a brief overview of the main ideas of the proof. Recall that an UC-Commitment scheme has to be both extractable, so that S can extract the committed message M from a corrupted C before the opening phase, and equivocable, so that the simulator S can open any message it wants in the opening phase when R is corrupted. We first explain how extractability is achieved. In the gRO-model, S is able to observe the queries made by the corrupted C. By the proof of Theorem 4.1, there is only one pair of queries made by C of the form (sid, C, M, t1), with image x1 by gRO, and (sid, C, r1, M, t2) such that w(c1 + r1A + x1) ≤ ω, except with negligible probability. Hence, S can extract the message M by observing the queries the corrupted C does to gRO. To achieve equivocability, we use the trapdoor property of the Goppa code A used in the scheme. More precisely, S is able to observe the queries of the corrupted R and extract the trapdoor td of A. Now, equivocation is possible by choosing a 0 0 0 0 0 random value t1 and finding a vector r1, using td, such that r1A + e1 = c1 + x1 0 0 where x1 ← gRO(sid, C, M, t1). If this fails, S tries again with a new random string 0 t1. By Lemma1, S tries at most a polynomial number of times before finding a 0 valid r1, hence efficiency for S is guaranteed. Proof. Let A be an adversary in the real-world, S be an adversary in the ideal-world, called the simulator, and E be any environment. As usual, the communication between A and E is simulated by S by forwarding messages from one party to the other. The trivial case where the adversary corrupts both parties can be simulated by S. When A corrupts both parties, S just runs A internally and let it generate all the messages. Note that in this case, since both parties are corrupted, there is no information to protect. We now show how to construct the simulator in the remaining cases. A PQ UC-Commitment scheme in the GROM 127

Simulation when only the committer C is corrupted by A. Here, S controls R and tries to extract C’s input. Commitment phase. The simulator S does the following: – It generates (A, td) ← GenTd(n, m, ω) and sends (sid, A, y1) to C where y1 is the output of gRO when queried on (sid, td, u1). – Let Q|sid be the list of queries to gRO by any party with sid that does not pertain that session ID. Upon receiving (sid, c1, c2), S asks gRO for Q|sid and checks if there are two queries in Q|sid of the form (sid, C, M, t1), whose output is x1, and (sid, C, r1, M, t2) such that w(c1 +r1A+x1) ≤ ω. If there is such a query and it is unique, S sets M 0 = M. Else, it sets M 0 = 0λ. – It sends the message (sid, commit, C, R,M) to Ftcom. Opening phase. The simulator S follows the protocol honestly, controlling R. If S accepts the opening of M ∗ after interacting with C, S checks if M ∗ = M. If so, it sends the message (sid, reveal, C, R) to Ftcom. Else, it aborts the execution. The ideal-world and real-world execution differ only when S aborts when it is not supposed to. This happens only if C is able to open a message M ∗ different from the message M that S sends to Ftcom. This happens when:

1. There are no queries in Q|sid of the form (sid, C, M, t1) and (sid, C, r1, M, t2) that fulfill w(c1 + r1A + x1) ≤ ω, but S accepts the opening of C; 2. There are several queries in Q|sid of the form (sid, C, M, t1) and (sid, C, r1, M, t2) that fulfill w(c1 + r1A + x1) ≤ ω, but S accepts the opening of C; 3. There are such queries and they are unique, but C opens a different M ∗ than M. The probability of event1 is negligible, since C would have to find collisions for gRO. The probability of event2 is also negligible given that the SDn,k,2ω and the GDn,k problems are hard since this would break the binding property of the scheme, by the proof of Theorem 4.1. The third event happens with negligible probability by the hardness of finding collisions for gRO. We conclude that both executions are indistinguishable from the point-of-view of E, except with negligible probability. Hence, the protocol is secure in the UC- framework against a corrupted C. Simulation when only the receiver R is corrupted by A. Here, S controls C and commits to a message (for example 0λ). After receiving a message from the ideal functionality, S has to open the received message to R. This process is usually called equivocation. Commitment phase. Upon receiving a message (sid, receipt, C, R) from λ Ftcom, S follows the protocol honestly committing to the message 0 , for example. That is, upon receiving A and y1 from R, it computes c1 = λ r1A + x1 + e1 and c2 = x2A + r2B + e2, where x1 ← gRO(sid, C, 0 , t1) λ and x2 ← gRO(sid, C, r1, 0 , t2), and sends (sid, c1, c2) to R. Opening phase. The simulator S works as follows: – Upon receiving a message (sid, reveal, C, R,M) from Ftcom, S asks Ftcom for the list Q|sid from gRO. It checks if there is a query whose output is equal to y1. If there is such a query, let us say (sid, R, td, u1), and if td is a trapdoor for A, it sets td0 = td. Else, it sets td0 =⊥. – If td0 6=⊥, it does the following: 128 Pedro Branco

0 0 ∗ It sets x1 ← gRO(sid, C, M, t1), where t1 is a random string, and finds 0 0 0 0 0 r1 such that r1A + e1 = c1 + x1 using td . If this fails, it chooses 0 another random string t1 and tries again. it repeats the process until it is successful. Observe that this task can be done in polynomial time by Corollary1. ∗ Upon receiving (sid, y2) from R, S checks if there is a query of the form 0 (sid, R, w, u2) in Q|sid such that its output is y2. If there is, it sets ch = 0 ε w, else it chooses ch ← V1. It computes com for public information 0 (B, c˜2) where c˜2 = c2 + x2A and x2 ← gRO(sid, C, r1, M, t2) such that it can create valid transcripts (with challenge ch0), even without knowing the secret. Observe that, since the cheating probability of a ε ε dishonest prover in (P , V )xLPN is 2/3, then S can always find such com. It queries gRO on x3 ← (sid, C, c˜2, com, t3). It sends (sid, x3) to R. 0 ∗ Upon receiving (sid, td, u1, ch, u2) from R, S checks if ch = ch . If not, then it aborts the protocol. If td0 6=⊥, S follows the protocol as the honest C would do from this point on. – Else if td0 =⊥, S does the following: ∗ Upon receiving (sid, y2) from R, S it chooses x3 at random and sends (sid, x3) to R. ∗ (sid, td, u1, ch, u2) from R, S chooses random values for r1, t1, t2, t3 and sends them (together with M, com, resp) as the opening. The real-world and the ideal-world executions differ only when: 1. S is not able to extract a valid trapdoor for matrix A and R sends td such that it is a valid trapdoor for A and its output by gRO is y1. In this case, S has a negligible probability of completing the protocol with a valid opening for M; 2. S aborts when ch 6= ch0. The probability of S accepting the opening of td as a valid one is negligible since it is the probability of R finding collisions for gRO. Hence, S (controlling C) will abort the execution before sending the last message (corresponding to the opening of r1, M, t1, t3, com and resp), except with negligible probability. Moreover, the probability of the event2 happening is also negligible, by the gRO assumption. We conclude that both executions are indistinguishable from the point-of-view of E, except with negligible probability. Hence, the protocol is secure in the UC- framework against a corrupted R. Simulation when neither party is corrupted. In this case, the simulator S generates the messages between both parties, committing to 0λ in the commitment phase. Since it also generates the trapdoor td and the value for ch, it can open any message, say M, it wants in the opening case. By the proof of Theorem 4.1 (namely, by the hiding property of the scheme), we have that the transcript generated by S is indistinguishable from a honestly generated one, where C commits to M.

5. Conclusion We proposed the first ever post-quantum UC-commitment scheme in the global random oracle. The security of our proposal is based on the Syndrome Decoding A PQ UC-Commitment scheme in the GROM 129 and on the Goppa Distinguisher assumptions, two well-established assumptions in post-quantum cryptography. Our proposal is proven to be perfectly hiding, meaning that even an all-powerful receiver is not able to find the message that the committer is committing to, before the opening phase, and (computationally) binding. The scheme is proven secure in the UC-framework against static malicious adver- saries. However, a closer look at the protocol reveals that we cannot prove security against adaptive malicious adversaries, that is, adversaries that may corrupt parties at any point of the protocol. In particular, note that the adversary cannot adap- tively corrupt the committer after the execution of the opening phase, that is, after the first message of the committer being sent. We leave as future work to develop a post-quantum UC-commitment scheme secure against adaptive malicious adversaries.

Acknowledgments The author acknowledges the anonymous referees that contributed to the read- ability and improvement of the final manuscript. The author thanks Jo˜aoRibeiro for insightful discussions and comments on a early draft of this work.

References

[1] P. S. L. M. Barreto, B. David, R. Dowsley, K. Morozov and A. C. A. Nascimento, A Frame- work for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM, Cryptology ePrint Archive, Report 2017/993, 2017, https://eprint.iacr.org/2017/993. [2] A. Becker, A. Joux, A. May and A. Meurer, Decoding random binary linear codes in 2n/20: How 1 + 1 = 0 improves information set decoding, Advances in Cryptology—EUROCRYPT 2012, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7237 (2012), 520–536. [3] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, CCS ’93 Proceedings of the 1st ACM Conference on Computer and Communica- tions Security, (1993), 62–73. [4] E. R. Berlekamp, R. J. McEliece and H. C. A. van Tilborg, On the inherent intractability of certain coding problems, IEEE Transactions on Information Theory, 24 (1978), 384–386. [5] P. Branco, J. T. Ding, M. Goul˜aoand P. Mateus, Universally Composable Oblivious Transfer Protocol Based on the RLWE Assumption, Cryptology ePrint Archive, Report 2018/1155, 2018, https://eprint.iacr.org/2018/1155. [6] Megha Byali, Arpita Patra, Divya Ravi and Pratik Sarkar. Fast and Universally-Composable Oblivious Transfer and Commitment Scheme with Adaptive Security, Cryptology ePrint Archive, Report 2017/1165, 2017, https://eprint.iacr.org/2017/1165. [7] J. Camenisch, M. Drijvers, T. Gagliardoni, A. Lehmann and G. Neven, The wonderful world of global random oracles, Advances in cryptology—EUROCRYPT 2018. Part I, Lecture Notes in Comput. Sci., Springer, Cham, 10820 (2018), 280–312. [8] R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, 42nd IEEE Symposium on Foundations of Computer Science (Las Vegas, NV, 2001), IEEE Computer Soc., Los Alamitos, CA, (2001), 136–145. [9] R. Canetti and M. Fischlin, Universally composable commitments, Advances in Cryptol- ogy—CRYPTO 2001, Berlin, Heidelberg, Springer Berlin Heidelberg, (2001), 19–40. [10] R. Canetti, A. Jain and A. Scafuro, Practical UC security with a global random oracle, Pro- ceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, New York, NY, USA, ACM , (2014), 597–608. [11] R. Canetti, Y. Lindell, R. Ostrovsky and A. Sahai, Universally composable two-party and multi-party secure computation, Proceedings of the Thirty-Fourth Annual ACM Symposium on Theory of Computing, ACM, New York, (2002), 494–503. [12] I. Cascudo, I. Damg˚ard,B. David, I. Giacomelli, J. B. Nielse and R. Trifiletti, Additively homomorphic uc commitments with optimal amortized overhead, Public-Key Cryptogra- phy—PKC 2015, Berlin, Heidelberg, Springer Berlin Heidelberg, 9020 (2015), 495–515. 130 Pedro Branco

[13] I. Cascudo, I. Damg˚ard,B. David, N. D¨ottlingand J. B.Nielsen, Rate-1, linear time and additively homomorphic uc commitments, Advances in Cryptology—CRYPTO 2016, Berlin, Heidelberg, Springer Berlin Heidelberg, (2016), 179–207. [14] N. T. Courtois, M. Finiasz and N. Sendrier, How to achieve a McEliece-based digital signature scheme, Advances in Cryptology—ASIACRYPT 2001, Berlin, Heidelberg, Springer Berlin Heidelberg, 2248 (2001), 157–174. [15] I. Damg˚ardand J. B. Nielsen, Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor, Advances in Cryptology—CRYPTO 2002, Berlin, Heidelberg, Springer Berlin Heidelberg, 2442 (2002), 581–596. [16] T. Debris-Alazard, N. Sendrier and J.-P. Tillich, Wave: A New Code-Based Signature Scheme, Cryptology ePrint Archive, Report 2018/996, 2018, https://eprint.iacr.org/2018/996. [17] A. Esser, R. K¨ublerand A. May, LPN decoded, Advances in cryptology—CRYPTO 2017. Part II, Lecture Notes in Comput. Sci., Springer, Cham, 10402 (2017), 486–514. [18] J.-C. Faug`ere,V. Gauthier-Uma˜na,A. Otmani, L. Perret and J. Tillich, A distinguisher for high rate McEliece cryptosystems, IEEE Trans. Inform. Theory, 59 (2013), 6830–6844. [19] M. Fischlin, B. Libert and M. Manulis, Non-interactive and re-usable universally composable string commitments with adaptive security, Advances in Cryptology—ASIACRYPT 2011, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7073 (2011), 468–485. [20] E. Fujisaki, Improving practical UC-secure commitments based on the DDH assumption, Security and Cryptography for Networks, Lecture Notes in Comput. Sci., Springer, [Cham], 9841 (2016), 257–272. [21] J. A. Garay, Y. Ishai, R. Kumaresan and H. Wee, On the complexity of UC commitments, Advances in Cryptology—EUROCRYPT 2014, Lecture Notes in Comput. Sci., Springer, Heidelberg, 8441 (2014), 677–694. [22] D. Hofheinz and J. M¨uller-Quade, Universally composable commitments using random ora- cles, Theory of cryptography, Lecture Notes in Comput. Sci., Springer, Berlin, 2951 (2004), 58–76. [23] A. Jain, S. Krenn, K. Pietrzak and A. Tentes, Commitments and efficient zero-knowledge proofs from learning parity with noise, Advances in Cryptology—ASIACRYPT 2012, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7658 (2012), 663–680. [24] J. Kilian, Founding cryptography on oblivious transfer, Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, New York, NY, USA, ACM, (1988), 20–31. [25] E. Kirshanova, Improved quantum information set decoding, Post-quantum cryptography, Lecture Notes in Comput. Sci., Springer, Cham, 10786 (2018), 507–527. [26] Y. Lindell, Highly-efficient universally-composable commitments based on the DDH assump- tion, Advances in cryptology—EUROCRYPT 2011, Lecture Notes in Comput. Sci., Springer, Heidelberg, 6632 (2011), 446–466. [27] P. Loidreau and N. Sendrier, Weak keys in the McEliece public-key cryptosystem, IEEE Transactions on Information Theory, 47 (2001), 1207–1211. [28] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. I, North- Holland Mathematical Library, Vol. 16. North-Holland Publishing Co., Amsterdam-New York- Oxford, 1977. [29] R. J. McEliece, A public-key cryptosystem based on algebraic coding theory, JPL DSN Progress Report, 44 (1978). [30] C. Peikert, V. Vaikuntanathan and B. Waters, A framework for efficient and composable oblivious transfer, Advances in cryptology—CRYPTO 2008, Lecture Notes in Comput. Sci., Springer, Berlin, 5157 (2008), 554–571. [31] P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Journal on Computing, 26 (1997), 1484–1509. [32] X. Xie, R. Xue and M. Q. Wang, Zero knowledge proofs from ring-LWE, Cryptology and network security, Lecture Notes in Comput. Sci., Springer, Cham, 8257 (2013), 57–73. Received May 2019; revised September 2019.

E-mail address: [email protected]