# An Application of p-Fibonacci Error-Correcting Codes to Cryptography

## Abstract

## 1. Introduction

## 2. Related Works

#### Our Contribution

## 3. Preliminaries

#### 3.1. p-Fibonacci Error Correcting Codes

**Proposition 1.**

- The n-th power of ${Q}_{p}$ is given by:$${Q}_{p}^{n}=\left[\begin{array}{ccccc}{a}_{p,n+1}& {a}_{p,n}& \dots & {a}_{p,n-p+2}& {a}_{p,n-p+1}\\ {a}_{p,n-p+1}& {a}_{p,n-p}& \dots & {a}_{p,n-2p+2}& {a}_{p,n-2p+1}\\ \vdots & \vdots & \ddots & \vdots & \vdots \\ {a}_{p,n-1}& {a}_{p,n-2}& \dots & {a}_{p,n-p}& {a}_{p,n-p-1}\\ {a}_{p,n}& {a}_{p,n-1}& \dots & {a}_{p,n-p+1}& {a}_{p,n-p}\end{array}\right],$$
- ${Q}_{p}^{n}\cdot {Q}_{p}^{m}={Q}_{p}^{m}\cdot {Q}_{p}^{n}={Q}_{p}^{n+m}$,
- ${Q}_{p}^{n}={Q}_{p}^{n-1}+{Q}_{p}^{n-p-1}$,
- $det\left({Q}_{p}\right)={(-1)}^{p}$, and $det\left({Q}_{p}^{n}\right)={(-1)}^{pn}$.
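
The following Python check is an added example, not code from the paper: it evaluates each bullet of Proposition 1 with exact integer arithmetic and shows the determinant relation that an error-free codeword $M\cdot {Q}_{p}^{n}$ inherits from the last bullet. It assumes Stakhov's usual form of ${Q}_{p}$ and the initial values ${a}_{p,0}=0$, ${a}_{p,1}=\dots ={a}_{p,p+1}=1$, neither of which is stated in this excerpt; all function names and the sample message are illustrative.

```python
def q_matrix(p):
    # Assumed (Stakhov) form: first row (1,1,0,...,0), ones on the
    # superdiagonal, and a one in the bottom-left corner.
    q = [[int(j == i + 1) for j in range(p + 1)] for i in range(p + 1)]
    q[0][0] = q[p][0] = 1
    return q

def mat_mul(a, b):
    return [[sum(x * y for x, y in zip(r, c)) for c in zip(*b)] for r in a]

def mat_add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def mat_pow(m, e):
    """m**e for e >= 0 by square-and-multiply, exact over the integers."""
    out = [[int(i == j) for j in range(len(m))] for i in range(len(m))]
    while e:
        if e & 1:
            out = mat_mul(out, m)
        m, e = mat_mul(m, m), e >> 1
    return out

def det(m):
    """Exact integer determinant (fraction-free Bareiss elimination)."""
    a, sign, prev = [row[:] for row in m], 1, 1
    for k in range(len(a) - 1):
        if a[k][k] == 0:  # swap in a lower row with a nonzero pivot
            s = next((i for i in range(k + 1, len(a)) if a[i][k]), None)
            if s is None:
                return 0
            a[k], a[s], sign = a[s], a[k], -sign
        for i in range(k + 1, len(a)):
            for j in range(k + 1, len(a)):
                a[i][j] = (a[i][j] * a[k][k] - a[i][k] * a[k][j]) // prev
        prev = a[k][k]
    return sign * a[-1][-1]

def p_fib(p, upto):
    """[a_0, a_1, ..., a_upto] with assumed a_0 = 0, a_1 = ... = a_{p+1} = 1."""
    a = [0] + [1] * (p + 1)
    while len(a) <= upto:
        a.append(a[-1] + a[-p - 1])
    return a

def check_proposition_1(p, n, m):
    """Evaluate the bullets of Proposition 1 for n >= p + 1 and m >= 0."""
    q = q_matrix(p)
    qn, qm, a = mat_pow(q, n), mat_pow(q, m), p_fib(p, n + 1)
    return {
        "first_row": qn[0] == [a[n + 1 - j] for j in range(p + 1)],
        "commute": mat_mul(qn, qm) == mat_mul(qm, qn) == mat_pow(q, n + m),
        "recurrence": qn == mat_add(mat_pow(q, n - 1), mat_pow(q, n - p - 1)),
        "det": det(q) == (-1) ** p and det(qn) == (-1) ** (p * n),
    }

def codeword_det_ok(msg, received, p, n):
    """Error-free codeword M * Q_p^n satisfies det = (-1)^(pn) * det(M)."""
    return det(received) == (-1) ** (p * n) * det(msg)

if __name__ == "__main__":
    p, n = 2, 5
    M = [[3, 1, 1], [1, 2, 3], [2, 1, 1]]   # constructed sample message
    R = mat_mul(M, mat_pow(q_matrix(p), n))  # noiseless codeword
    print(check_proposition_1(p, n, 3), codeword_det_ok(M, R, p, n))
    R[0][0] += 1                             # single-entry error
    print(codeword_det_ok(M, R, p, n))       # determinant relation breaks
```
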

**Proposition 2.** Let us consider the message space $\mathcal{M}={\{0,1\}}^{k}$, with $k={(p+1)}^{2}r$ for some integers p and r, so that we can split a message into ${(p+1)}^{2}$ blocks of an equal bit size. Fix n, then a codeword of a p-Fibonacci code with generator matrix ${Q}_{p}^{n}$ can be represented with $l{(p+1)}^{2}$ bits, with:

**Proof.**

**Definition 1.** For positive integers $r,l,n,p,{w}_{F},\Delta $ with $n>p+1$, $l>r$, the Fibonacci Decoding FD($r,n,p,{w}_{F},\Delta $) distribution chooses $M\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{r}}\right)$ and $E\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{l}}\right)$ with ${\mathsf{w}}_{\mathsf{F}}\left(E\right)={w}_{F}$, and $det\left(M\right)={(\pm 1)}^{pn}\Delta $ and outputs $({Q}_{p}^{n},R=M\cdot {Q}_{p}^{n}\oplus E)$.

**Problem 1.** Given the positive integers $r,l,n,p,{w}_{F},\Delta $ such that $n>p+1$, $l>r$, $({Q}_{p}^{n},R)\in {\mathcal{M}}_{p+1}\left(\mathbb{N}\right)\times {\mathcal{M}}_{p+1}\left(\mathbb{N}\right)$ from the FD distribution, the Search Fibonacci Decoding problem SFD($r,n,p,{w}_{F},\Delta $) asks to find $(M,E)\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{r}}\right)\times {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{r}}\right)$ such that:

1. $R=M\cdot {Q}_{p}^{n}+E$,
2. ${\mathsf{w}}_{\mathsf{F}}\left(E\right)={w}_{F}$,
3. $det\left(M\right)={(\pm 1)}^{pn}\Delta $.

**Remark 1.**

**Definition 2.**

- $det{\sigma}_{{K}_{1},{K}_{2}}\left(E\right)=\pm detE$,
- ${\mathsf{w}}_{\mathsf{F}}\left({\sigma}_{{K}_{1},{K}_{2}}\left(E\right)\right)={\mathsf{w}}_{\mathsf{F}}\left(E\right)$,
- ${\sigma}_{{K}_{1},{K}_{2}}\left(E\right)\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{r}}\right)$.

**Proposition 3.**

1. Given $X,Y\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{r}}\right)$ such that ${\mathsf{w}}_{\mathsf{F}}\left(X\right)={\mathsf{w}}_{\mathsf{F}}\left(Y\right)$ and $detX=\pm detY$, it is possible to find ${K}_{1}\in {\mathcal{L}}_{Y}$ and ${K}_{2}\in {\mathcal{R}}_{Y}$ such that $X={\sigma}_{{K}_{1},{K}_{2}}\left(Y\right)$.
2. Given $X={\sigma}_{{K}_{1},{K}_{2}}\left(Y\right)$, there exist ${H}_{1}\in {\mathcal{L}}_{X}$ and ${H}_{2}\in {\mathcal{R}}_{X}$ such that ${\sigma}_{{H}_{1},{H}_{2}}\left(X\right)=Y$.

**Proof.**

- It is sufficient to take ${K}_{1}$ as the identity matrix and ${K}_{2}={Y}^{-1}\cdot X$, or ${K}_{1}=X\cdot {Y}^{-1}$ and ${K}_{2}$ as the identity matrix.
- It is sufficient to take ${H}_{1}={K}_{1}^{-1}$ and ${H}_{2}={K}_{2}^{-1}$.

#### 3.2. Zero-Knowledge Identification Protocols

**Definition 3.** An interactive proof (protocol) is complete if, given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability (i.e., the verifier accepts the prover’s claim).

**Definition 4.** An interactive proof (protocol) is sound if there exists an expected polynomial time algorithm $\mathcal{A}$ with the following property: if a dishonest prover (impersonating $\mathsf{P}$) can, with non-negligible probability, successfully execute the protocol with $\mathsf{V}$, then $\mathcal{A}$ can be used to extract from this prover knowledge (essentially equivalent to $\mathsf{P}$’s secret), which, with overwhelming probability, allows successful subsequent protocol executions.

**Definition 5.** A protocol that is a proof of knowledge has the zero-knowledge property if it is simulatable in the following sense: there exists an expected polynomial time algorithm (simulator) that can produce, upon the input of the assertion(s) to be proven, but without interacting with the real prover, transcripts indistinguishable from those resulting from the interaction with the real prover.

## 4. Veron Identification Protocol in the Fibonacci Setting

#### 4.1. Description of the Protocol

#### Commitment Compression

#### 4.2. Zero-Knowledge Properties

#### 4.2.1. Completeness

#### 4.2.2. Soundness

**Theorem 1.**

**Proof.**

- ${\sigma}_{0},{Z}_{0}$ such that ${\mathsf{c}}_{1}=\mathsf{H}\left({\sigma}_{0}\right)$ and ${\mathsf{c}}_{2}=\mathsf{H}\left({\sigma}_{0}({Z}_{0}\cdot {Q}_{p}^{n})\right)$;
- ${V}_{1},{W}_{1},{X}_{1}$ such that ${\mathsf{c}}_{2}=\mathsf{H}\left({V}_{1}\right)$, ${\mathsf{c}}_{3}=\mathsf{H}({V}_{1}+{W}_{1},{X}_{1})$, $det\left(M\right)=\pm det({V}_{1}+{X}_{1})$, and ${\mathsf{w}}_{\mathsf{F}}\left({W}_{1}\right)={(p+1)}^{2}-1$;
- ${\sigma}_{2},{Z}_{2}$ such that ${\mathsf{c}}_{1}=\mathsf{H}\left({\sigma}_{2}\right)$ and ${\mathsf{c}}_{3}=\mathsf{H}({\sigma}_{2}({Z}_{2}\cdot {Q}_{p}^{n}+R),-{\sigma}_{2}({Z}_{2}\cdot {Q}_{p}^{n}))$.

- From ${\mathsf{c}}_{1}$ preimages: ${\sigma}_{0}={\sigma}_{2}$,
- From ${\mathsf{c}}_{2}$ preimages: ${V}_{1}={\sigma}_{0}({Z}_{0}\cdot {Q}_{p}^{n})$,
- From ${\mathsf{c}}_{3}$ preimages: ${V}_{1}+{W}_{1}={\sigma}_{2}({Z}_{2}\cdot {Q}_{p}^{n}+R)$, and ${X}_{1}=-{\sigma}_{2}({Z}_{2}\cdot {Q}_{p}^{n})$.

- if $b=0$ or 1:
  - Pick randomly the values ${P}_{1},{P}_{2}\in {S}_{p+1}$, $Y,Z\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{l}}\right)$ such that $det\left(M\right)=\pm det(Y+Z)$, and $F\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{l}}\right)$ such that ${\mathsf{w}}_{\mathsf{F}}\left(F\right)={(p+1)}^{2}-1$.
  - Compute ${\mathsf{c}}_{1}=\mathsf{H}({P}_{1},{P}_{2})$, ${\mathsf{c}}_{2}=\mathsf{H}\left({\sigma}_{{P}_{1},{P}_{2}}(Z\cdot {Q}_{p}^{n})\right)$, ${\mathsf{c}}_{3}=\mathsf{H}({\sigma}_{{P}_{1},{P}_{2}}(Z\cdot {Q}_{p}^{n}+F),-{\sigma}_{{P}_{1},{P}_{2}}(Z\cdot {Q}_{p}^{n}))$.
  - If $b=0$, reveal ${P}_{1},{P}_{2},Z$. If $b=1$, reveal ${\sigma}_{{P}_{1},{P}_{2}}(Y\cdot {Q}_{p}^{n}),{\sigma}_{{P}_{1},{P}_{2}}(Z\cdot {Q}_{p}^{n}),{\sigma}_{{P}_{1},{P}_{2}}\left(F\right)$.

  Verification follows.
- if $b=0$ or 2:
  - Pick randomly the values ${P}_{1},{P}_{2}\in {S}_{p+1}$, $U\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{l}}\right)$, $Z\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{l}}\right)$.
  - Compute ${\mathsf{c}}_{1}=\mathsf{H}({P}_{1},{P}_{2})$, ${\mathsf{c}}_{2}=\mathsf{H}\left({\sigma}_{{P}_{1},{P}_{2}}(Z\cdot {Q}_{p}^{n})\right)$, ${\mathsf{c}}_{3}=\mathsf{H}\left({\sigma}_{{P}_{1},{P}_{2}}(U\cdot {Q}_{p}^{n}+R)\right)$.
  - If $b=0$, reveal ${P}_{1},{P}_{2},Z$. If $b=2$, reveal ${P}_{1},{P}_{2},U$.

  Verification follows.
- if $b=1$ or 2:
  - Pick randomly the values ${P}_{1},{P}_{2}\in {S}_{p+1}$, $U\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{r}}\right)$ such that $det\left(M\right)=\pm det\left(U\right)$, and $F\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{l}}\right)$ such that ${\mathsf{w}}_{\mathsf{F}}\left(F\right)={(p+1)}^{2}-1$.
  - Compute ${\mathsf{c}}_{1}=\mathsf{H}({P}_{1},{P}_{2})$, ${\mathsf{c}}_{2}=\mathsf{H}\left({\sigma}_{{P}_{1},{P}_{2}}(U\cdot {Q}_{p}^{n}+R-F)\right)$, ${\mathsf{c}}_{3}=\mathsf{H}({\sigma}_{{P}_{1},{P}_{2}}(U\cdot {Q}_{p}^{n}+R),-{\sigma}_{{P}_{1},{P}_{2}}(U\cdot {Q}_{p}^{n}))$.
  - If $b=1$, reveal ${\sigma}_{{P}_{1},{P}_{2}}(U\cdot {Q}_{p}^{n}-F),{\sigma}_{{P}_{1},{P}_{2}}(U\cdot {Q}_{p}^{n}+R-F),{\sigma}_{{P}_{1},{P}_{2}}\left(F\right)$. If $b=2$, reveal ${P}_{1},{P}_{2},U$.

  Verification follows.

#### 4.2.3. Zero-Knowledge

- $\mathsf{Sim}$ chooses randomly ${P}_{1},{P}_{2}\in {S}_{p+1}$, $V,{V}^{\prime}\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{r}}\right)$ such that $det(V+{V}^{\prime})=det\left(M\right)$, and $F\in {\mathcal{M}}_{p+1}\left({\mathbb{N}}_{<{2}^{l}}\right)$ such that ${\mathsf{w}}_{\mathsf{F}}\left(F\right)={(p+1)}^{2}-1$. $\mathsf{Sim}$ also chooses $j\in \{0,1,2\}$ corresponding to the challenge it is trying to guess.
- If $j=0$, $\mathsf{Sim}$ sends ${\mathsf{c}}_{1},{\mathsf{c}}_{2},{\mathsf{c}}_{3}$ such that: ${\mathsf{c}}_{1}=\mathsf{H}({P}_{1},{P}_{2})$, ${\mathsf{c}}_{2}=\mathsf{H}({\sigma}_{{P}_{1},{P}_{2}}(V+{V}^{\prime})\cdot {Q}_{p}^{n})$, ${\mathsf{c}}_{3}=\mathsf{H}\left(V\right)$.
- If $j=1$, $\mathsf{Sim}$ sends ${\mathsf{c}}_{1},{\mathsf{c}}_{2},{\mathsf{c}}_{3}$ such that: ${\mathsf{c}}_{1}=\mathsf{H}\left(V\right)$, ${\mathsf{c}}_{2}=\mathsf{H}\left({\sigma}_{{P}_{1},{P}_{2}}((V+{V}^{\prime})\cdot {Q}_{p}^{n})\right)$, ${\mathsf{c}}_{3}=\mathsf{H}({\sigma}_{{P}_{1},{P}_{2}}(V\cdot {Q}_{p}^{n}+{V}^{\prime}\cdot {Q}_{p}^{n}+F),-{\sigma}_{{P}_{1},{P}_{2}}(V\cdot {Q}_{p}^{n}))$.
- If $j=2$, $\mathsf{Sim}$ sends ${\mathsf{c}}_{1},{\mathsf{c}}_{2},{\mathsf{c}}_{3}$ such that: ${\mathsf{c}}_{1}=\mathsf{H}({P}_{1},{P}_{2})$, ${\mathsf{c}}_{2}=\mathsf{H}\left(V\right)$, ${\mathsf{c}}_{3}=\mathsf{H}\left({\sigma}_{{P}_{1},{P}_{2}}(V\cdot {Q}_{p}^{n}+R)\right)$.

- $\mathsf{V}$ chooses $b\in \{0,1,2\}$.
- If $b=0$, $\mathsf{Sim}$ sends ${P}_{1},{P}_{2},V+{V}^{\prime}$. If $b=1$, $\mathsf{Sim}$ sends ${\sigma}_{{P}_{1},{P}_{2}}({V}^{\prime}\cdot {Q}_{p}^{n}),{\sigma}_{{P}_{1},{P}_{2}}((V+{V}^{\prime})\cdot {Q}_{p}^{n}),{\sigma}_{{P}_{1},{P}_{2}}\left(F\right)$. If $b=2$, $\mathsf{Sim}$ sends ${P}_{1},{P}_{2},V$.
- If $b=j$, the execution provides a valid transcript ($\mathsf{V}$ verifies correctly), and $\mathsf{Sim}$ saves the execution. Otherwise, $\mathsf{Sim}$ restarts the execution.

- $b=0$: the simulated transcript contains ${P}_{1},{P}_{2},V+{V}^{\prime}$, while the real one contains ${P}_{1},{P}_{2},U+M$;
- $b=1$: the simulated transcript contains ${\sigma}_{{P}_{1},{P}_{2}}(V\cdot {Q}_{p}^{n}),{\sigma}_{{P}_{1},{P}_{2}}((V+{V}^{\prime})\cdot {Q}_{p}^{n}),{\sigma}_{{P}_{1},{P}_{2}}\left(F\right)$, while the real one contains ${\sigma}_{{P}_{1},{P}_{2}}(U\cdot {Q}_{p}^{n}),{\sigma}_{{P}_{1},{P}_{2}}((U+M)\cdot {Q}_{p}^{n}),{\sigma}_{{P}_{1},{P}_{2}}\left(E\right)$;
- $b=2$: the simulated transcript contains ${P}_{1},{P}_{2},V$, while the real one contains ${P}_{1},{P}_{2},U$.

## 5. Comparisons

## 6. Conclusions and Future Works

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## Appendix A. Toy Example

- If $b=0$, then the prover sends:
  $${\mathsf{r}}_{1}=({P}_{1},{P}_{2})=\left((2,1,4,3),(3,4,1,2)\right)\ \mathrm{and}\ {\mathsf{r}}_{2}=\left[\begin{array}{cccc}5& 4& 3& 3\\ 3& 4& 3& 4\\ 6& 2& 3& 5\\ 5& 3& 4& 2\end{array}\right].$$
  The verifier returns TRUE, that is, identification succeeds, if:
  $${\mathsf{c}}_{1}=\mathsf{SHA1}({\mathsf{r}}_{1,1},{\mathsf{r}}_{1,2})\ \mathrm{and}\ {\mathsf{c}}_{2}=\mathsf{SHA1}\left({\sigma}_{{\mathsf{r}}_{1,1},{\mathsf{r}}_{1,2}}({\mathsf{r}}_{2}\cdot {Q}_{p}^{n})\right).$$
  The response step costs 48 bits, because it is given by ${P}_{1},{P}_{2}$ plus a matrix in ${\mathcal{M}}_{4}\left({\mathbb{N}}_{<4}\right)$.
- If $b=1$, then the prover sends:
  $${\mathsf{r}}_{0}=\left[\begin{array}{cccc}14& 10& 24& 17\\ 15& 11& 28& 20\\ 14& 11& 26& 19\\ 16& 14& 33& 22\end{array}\right],\ {\mathsf{r}}_{1}=\left[\begin{array}{cccc}21& 50& 10& 8\\ 27& 2& 3& 4\\ 44& 49& 20& 19\\ 42& 16& 0& 16\end{array}\right]\ \mathrm{and}\ {\mathsf{r}}_{2}=\left[\begin{array}{cccc}7& 6& 12& 8\\ 6& 5& 13& 9\\ 5& 4& 10& 7\\ 9& 8& 18& 12\end{array}\right].$$
  Then, the verifier returns TRUE if:
  $$\begin{array}{l}{\mathsf{c}}_{2}=\mathsf{SHA1}\left({\mathsf{r}}_{1}\right)\ \mathrm{and}\ {\mathsf{c}}_{3}=\mathsf{SHA1}({\mathsf{r}}_{1}+{\mathsf{r}}_{2},-{\mathsf{r}}_{0})\ \mathrm{and}\\ det\left(M\right)=\pm det({\mathsf{r}}_{1}+{\mathsf{r}}_{0})\ \mathrm{and}\ {\mathsf{w}}_{\mathsf{F}}\left({\mathsf{r}}_{2}\right)={(p+1)}^{2}-1\end{array}$$
  The response step cost is 288 bits, since it is given by the three matrices in ${\mathcal{M}}_{4}\left({\mathbb{Q}}_{<{2}^{6}}\right)$.
- If $b=2$, then the prover sends:
  $${\mathsf{r}}_{1}=({P}_{1},{P}_{2})=\left((2,1,4,3),(3,4,1,2)\right)\ \mathrm{and}\ {\mathsf{r}}_{2}=\left[\begin{array}{cccc}3& 1& 1& 1\\ 1& 1& 2& 3\\ 3& 1& 2& 3\\ 2& 1& 1& 1\end{array}\right].$$
  The verifier returns TRUE if:
  $${\mathsf{c}}_{1}=\mathsf{H}({\mathsf{r}}_{1,1},{\mathsf{r}}_{1,2})\ \mathrm{and}\ {\mathsf{c}}_{3}=\mathsf{H}({\sigma}_{{\mathsf{r}}_{1,1},{\mathsf{r}}_{1,2}}({\mathsf{r}}_{2}\cdot {Q}_{p}^{n}+R),-{\sigma}_{{\mathsf{r}}_{1,1},{\mathsf{r}}_{1,2}}({\mathsf{r}}_{2}\cdot {Q}_{p}^{n}))$$
  The response step costs 48 bits, as in the case of $b=0$.

## References

1. Stern, J. A new identification scheme based on syndrome decoding. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 22–26 August 1993; pp. 13–21.
2. Véron, P. Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. **1997**, 8, 57–69.
3. Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schwabe, P.; Seiler, G.; Stehle, D.; Bai, S. CRYSTALS-Dilithium: Algorithm Specifications and Supporting Documentation; 2020. Available online: https://pq-crystals.org/ (accessed on 5 April 2021).
4. Bindel, N.; Akleylek, S.; Alkim, E.; Barreto, P.S.; Buchmann, J.; Eaton, E.; Gutoski, G.; Kramer, J.; Longa, P.; Polat, H.; et al. Submission to NIST’s Post-Quantum Project: Lattice-Based Digital Signature Scheme qTESLA; 2019. Available online: https://qtesla.org/ (accessed on 5 April 2021).
5. Chen, M.S.; Hülsing, A.; Rijneveld, J.; Samardjiska, S.; Schwabe, P. MQDSS Specifications; Version 2.0; 2019. Available online: http://mqdss.org/ (accessed on 5 April 2021).
6. Chase, M.; Derler, D.; Goldfeder, S.; Orlandi, C.; Ramacher, S.; Rechberger, C.; Slamanig, D.; Katz, J.; Wang, X.; Kolesnikov, V.; et al. The Picnic Signature Algorithm Specification; Version 3.0; 2020. Available online: https://microsoft.github.io/Picnic/ (accessed on 5 April 2021).
7. NIST. Round 1 Submissions. 2018. Available online: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions (accessed on 5 April 2021).
8. Boorghany, A.; Jalili, R. Implementation and Comparison of Lattice-based Identification Protocols on Smart Cards and Microcontrollers. IACR Cryptol. ePrint Arch. **2014**, 2014, 78.
9. Bellini, E.; Caullery, F.; Hasikos, A.; Manzano, M.; Mateu, V. You Shall Not Pass!(Once Again) An IoT Application of Post-quantum Stateful Signature Schemes. In Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, Incheon, Korea, 4 June 2018; pp. 19–24.
10. Cayrel, P.L.; Véron, P.; Alaoui, S.M.E.Y. A zero-knowledge identification scheme based on the q-ary syndrome decoding problem. In Proceedings of the International Workshop on Selected Areas in Cryptography, Waterloo, ON, Canada, 12–13 August 2010; pp. 171–186.
11. Dagdelen, Ö.; Galindo, D.; Véron, P.; Alaoui, S.M.E.Y.; Cayrel, P.L. Extended security arguments for signature schemes. Des. Codes Cryptogr. **2016**, 78, 441–461.
12. Gaborit, P.; Schrek, J.; Zémor, G. Full cryptanalysis of the chen identification protocol. In Proceedings of the International Workshop on Post-Quantum Cryptography, Taipei, Taiwan, 29 November–2 December 2011; pp. 35–50.
13. Aguilar, C.; Gaborit, P.; Schrek, J. A new zero-knowledge code based identification scheme with reduced communication. In Proceedings of the Information Theory Workshop (ITW), Paraty, Brazil, 16–20 October 2011; pp. 648–652.
14. Bellini, E.; Caullery, F.; Hasikos, A.; Manzano, M.; Mateu, V. Code-Based Signature Schemes from Identification Protocols in the Rank Metric. In Proceedings of the International Conference on Cryptology and Network Security, Naples, Italy, 30 September–3 October 2018; pp. 277–298.
15. Bellini, E.; Caullery, F.; Gaborit, P.; Manzano, M.; Mateu, V. Improved Veron Identification and Signature Schemes in the rank metric. In Proceedings of the 2019 IEEE International Symposium on Information Theory (ISIT), Paris, France, 7–12 July 2019; pp. 1872–1876.
16. Bellini, E.; Gaborit, P.; Hasikos, A.; Mateu, V. Enhancing Code Based Zero-Knowledge Proofs Using Rank Metric. In Proceedings of the International Conference on Cryptology and Network Security, Vienna, Austria, 14–16 December 2020; pp. 570–592.
17. Stakhov, A.P. Fibonacci matrices, a generalization of the Cassini formula, and a new coding theory. Chaos Solitons Fractals **2006**, 30, 56–66.
18. Basu, M.; Prasad, B. The generalized relations among the code elements for Fibonacci coding theory. Chaos Solitons Fractals **2009**, 41, 2517–2525.
19. Esmaili, M.; Esmaeili, M. A Fibonacci–polynomial based coding method with error detection and correction. Comput. Math. Appl. **2010**, 60, 2738–2752.
20. Esmaili, M.; Moosavi, M.; Gulliver, T.A. A new class of Fibonacci sequence based error-correcting codes. Cryptogr. Commun. **2017**, 9, 379–396.
21. Bellini, E.; Marcolla, C.; Murru, N. On the decoding of 1-Fibonacci error-correcting codes. Discret. Math. Algorithms Appl. **2020**.
22. Pless, V.S.; Huffman, W.; Brualdi, R.A. Handbook of Coding Theory; Elsevier: Amsterdam, The Netherlands, 1998.
23. Berlekamp, E.; McEliece, R.; Van Tilborg, H. On the inherent intractability of certain coding problems (Corresp.). IEEE Trans. Inf. Theory **1978**, 24, 384–386.
24. Aguilar, C.; Blazy, O.; Deneuville, J.C.; Gaborit, P.; Zémor, G. Efficient Encryption from Random Quasi-Cyclic Codes. arXiv **2016**, arXiv:1612.05572.
25. Katz, J.; Menezes, A.J.; Van Oorschot, P.C.; Vanstone, S.A. Handbook of Applied Cryptography; CRC Press: Boca Raton, FL, USA, 1996.
26. May, A.; Ozerov, I. On computing nearest neighbors with applications to decoding of binary linear codes. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, 26–30 April 2015; pp. 203–228.
27. Aragon, N.; Gaborit, P.; Hauteville, A.; Tillich, J.P. A new algorithm for solving the rank syndrome decoding problem. In Proceedings of the 2018 IEEE International Symposium on Information Theory (ISIT), Vail, CO, USA, 17–22 June 2018; pp. 2421–2425.
28. Chabaud, F.; Stern, J. The cryptographic security of the syndrome decoding problem for rank distance codes. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Seoul, Korea, 23–24 November 1996; pp. 368–381.
29. Ourivski, A.V.; Johansson, T. New technique for decoding codes in the rank metric and its cryptography applications. Probl. Inf. Transm. **2002**, 38, 237–246.
30. Gaborit, P.; Ruatta, O.; Schrek, J. On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory **2016**, 62, 1006–1019.

**Table 1.** Comparison of parameters, keys, and communication bit sizes in various instantiations of the Veron identification protocol. GL, Generic Linear; DC, Double Circulant.

| | | Hamming | Hamming | Rank | Rank |
|---|---|---|---|---|---|
| Code | Fibonacci | GL [2] | DC [13] | GL [14] | DC [15] |
| Best known attack A | $\min({2}^{{(p+1)}^{2}}$ [19], ${((p+1)!)}^{2})$ | ${2}^{0.097n}$ [26] | ${2}^{0.097n}$ [26] | $\min\left({(n-k)}^{3}{m}^{3}{q}^{r\frac{(k+1)m}{n}-m},\ {r}^{3}{k}^{3}{q}^{r\lceil \frac{(r+1)(k+1)-(n+1)}{r}\rceil }\right)$ [27] | $\min\left({(n-k)}^{3}{m}^{3}{q}^{r\frac{(k+1)m}{n}-m},\ {r}^{3}{k}^{3}{q}^{r\lceil \frac{(r+1)(k+1)-(n+1)}{r}\rceil }\right)$ [27] |
| Code parameters | $(r,p,n)$ | $(q,n,k,w)$ | $(q,n,w)$ | $(q,m,n,k,r)$ | $(q,m,n,r)$ |
| Public param. size | ${\log}_{2}r+{\log}_{2}p+{\log}_{2}n$ | $k(n-k)+{\log}_{r}$ | $n+{\log}_{2}r$ | $mk(n-k)+{\log}_{2}r$ | $mn+{\log}_{2}r$ |
| $\lvert \mathsf{sk}\rvert $ | $r{(p+1)}^{2}+l{(p+1)}^{2}$ | $k+n$ | $k+n$ | $m(k+n)$ | $m(k+n)$ |
| $\lvert \mathsf{pk}\rvert $ | $l{(p+1)}^{2}$ | $n$ | $n$ | $mn$ | $mn$ |
| Rsp. step cost $b=0,2$ | $2(p+1){\log}_{2}(p+1)+r{(p+1)}^{2}$ | $n\log n+k$ | $n\log n+k$ | ${m}^{2}+{n}^{2}+mk$ | ${m}^{2}+{n}^{2}+mk$ |
| Rsp. step cost $b=1$ | $3l{(p+1)}^{2}$ | $2n$ | $2n$ | $2mn$ | $2mn$ |
| **Concrete parameters for $\lambda \sim 128$** | | | | | |
| $\lambda ={\log}_{2}\left(A\right)$ | 130 | 128 | 128 | 124 | 124 |
| Code parameters | (2, 20, 22) | (2, 1320, 660, 140) | (2, 1320, 140) | (2, 31, 26, 13, 8) | (2, 31, 26, 8) |
| Public param. size | 10 | 435,601 | 1321 | 5242 | 809 |
| $\lvert \mathsf{sk}\rvert $ | 5292 | 1980 | 1980 | 1209 | 1209 |
| $\lvert \mathsf{pk}\rvert $ | 4410 | 1320 | 1320 | 806 | 806 |
| Rsp. step cost $b=0,2$ | 1066 | 14,343 | 14,343 | 2040 | 2040 |
| Rsp. step cost $b=1$ | 13,230 | 2640 | 2640 | 1612 | 1612 |
| **Concrete parameters for $\lambda \sim 96$** | | | | | |
| $\lambda ={\log}_{2}\left(A\right)$ | 96 | 96 | 96 | 95 | 95 |
| Code parameters | (2, 16, 18) | (2, 990, 495, 110) | (2, 990, 110) | (2, 29, 22, 11, 7) | (2, 29, 22, 7) |
| Public param. size | 10 | 245,026 | 991 | 3511 | 640 |
| $\lvert \mathsf{sk}\rvert $ | 3468 | 1485 | 1485 | 957 | 957 |
| $\lvert \mathsf{pk}\rvert $ | 2890 | 990 | 990 | 638 | 638 |
| Rsp. step cost $b=0,2$ | 717 | 10,346 | 10,346 | 1644 | 1644 |
| Rsp. step cost $b=1$ | 8670 | 1980 | 1980 | 1276 | 1276 |
| **Concrete parameters for $\lambda \sim 80$** | | | | | |
| $\lambda ={\log}_{2}\left(A\right)$ | 80 | 80 | 80 | 78 | 78 |
| Code parameters | (2, 14, 16) | (2, 826, 413, 90) | (2, 826, 90) | (2, 23, 22, 11, 6) | (2, 23, 22, 6) |
| Public param. size | 9 | 170,570 | 827 | 2785 | 508 |
| $\lvert \mathsf{sk}\rvert $ | 2475 | 1239 | 1239 | 759 | 759 |
| $\lvert \mathsf{pk}\rvert $ | 2025 | 826 | 826 | 506 | 506 |
| Rsp. step cost $b=0,2$ | 567 | 8416 | 8416 | 1266 | 1266 |
| Rsp. step cost $b=1$ | 6075 | 1652 | 1652 | 1012 | 1012 |

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Bellini, E.; Marcolla, C.; Murru, N.
An Application of *p*-Fibonacci Error-Correcting Codes to Cryptography. *Mathematics* **2021**, *9*, 789.
https://doi.org/10.3390/math9070789
