Analysis and Construction of Zero-Knowledge Proofs for the MinRank Problem

Abstract

Abstract The MinRank problem is an NP-complete problem that is prevalent in multivariate cryptography and its goal is to find a non-zero linear combination of given a series of matrices over a ring such that the obtained matrix has a small rank. At Asiacrypt 2001, two Zero-Knowledge Proofs of Knowledge (ZKPoK) for the MinRank problem are proposed, and we call them MRZK and MRZK$^{\dagger }$, respectively. The latter is an improved version of the proof size of the former. However, the efficiency of MRZK$^{\dagger }$ has been open and not analyzed. While the MRZK protocol is secure, it must be repeated many times due to the soundness error $2/3$, which leads to the large proof size. For 128-bit security, the MRZK protocol is executed at least 219 iterations and the proof size is about 32 KB. In this paper, we first show that the efficiency of MRZK$^{\dagger }$ is impractical due to unreasonable parameter size. However, when the parameter size is tuned and the efficiency is improved, an imposter can be efficiently constructed. Then, to alleviate the large proof size of MRZK, inspired by the technique designing ZKPoK (Eurocrypt 2020), we propose a sigma protocol with helper to prove the solution to the MinRank problem. Finally, we transform the sigma protocol with helper into a standard ZKPoK (MRZK$^{\sharp }$) by removing the helper. The MRZK$^{\sharp }$ protocol can achieve any small soundness error and enjoy the proof size of about 15 KB (53% improvement over MRZK).