On the number of solutions to a random instance of the permuted kernel problem
Carlo Sanna
TL;DR
This work addresses how many solutions a random instance of the permuted kernel problem and its inhomogeneous variant tends to have, a question with cryptographic implications for post-quantum signatures. The authors derive explicit exact formulas for the expected number of solutions under four natural random-generation schemes, including star variants that impose distinctness constraints. They show that the common heuristic estimate can be drastically incorrect for the standard generations but aligns well for the starred models, highlighting the importance of the instance generation method. These results provide a rigorous foundation for parameter choices in PKP/IPKP based post-quantum schemes and point toward future work on higher moments, multidimensional cases, and more refined analyses of solution distributions.
Abstract
The Permuted Kernel Problem (PKP) is a problem in linear algebra that was first introduced by Shamir in 1989. Roughly speaking, given an $\ell \times m$ matrix $\mathbf{A}$ and an $m \times 1$ vector $\mathbf{b}$ over a finite field of $q$ elements $\mathbb{F}_q$, the PKP asks to find an $m \times m$ permutation matrix $\mathbfπ$ such that $\mathbfπ \mathbf{b}$ belongs to the kernel of $\mathbf{A}$. In recent years, several post-quantum digital signature schemes whose security can be provably reduced to the hardness of solving random instances of the PKP have been proposed. In this regard, it is important to know the expected number of solutions to a random instance of the PKP in terms of the parameters $q,\ell,m$. Previous works have heuristically estimated the expected number of solutions to be $m! / q^\ell$. We provide, and rigorously prove, exact formulas for the expected number of solutions to a random instance of the PKP and the related Inhomogeneous Permuted Kernel Problem (IPKP), considering two natural ways of generating random instances.