Improved identity-based identification using correcting codes

Identity-based identification and signature schemes using correcting codes

In this paper, we propose a new identity-based identification (and signature) scheme based on error-correcting codes. This scheme is, to date, the first identity-based scheme not based on number theory. The scheme combines two well-known code-based schemes: the signature scheme of Courtois, Finiasz and Sendrier and the zero-knowledge authentication scheme of Stern (which may also be used for signature). The scheme inherits the characteristics of the previous schemes: it has a large public key of order 1Mo and requires a certain number of exchange rounds. The scheme can also work as a signature scheme, but leads to a very large signature of size 1Mo.

Improved code-based identification scheme

2010

We revisit the 3-pass code-based identification scheme proposed by Stern at Crypto'93, and give a new 5-pass protocol for which the cheating probability is ≈ 1/2 (instead of 2/3 in Stern's original proposal). Furthermore, we propose to use a quasi-cyclic construction in order to dramatically reduce the size of the public key. The proposed scheme is zero-knowledge and relies on an NP-complete problem coming from coding theory (namely the q-ary Syndrome Decoding problem). Taking into account a recent study of a generalization of Stern's information-set-decoding algorithm for decoding linear codes over arbitrary finite fields Fq, we suggest parameters so that the public key is 34 Kbits, while that of Stern's scheme is about 66 Kbits. This provides a very practical identification (and possibly signature) scheme which is mostly attractive for lightweight cryptography.

Improved identification schemes based on error-correcting codes

Applicable Algebra in Engineering, Communication and Computing, 1997

As is often the case in public-key cryptography, the first practical identification schemes were based on hard problems from number theory (factoring, discrete logarithms). The security of the proposed scheme depends on an NP-complete problem from the theory of error-correcting codes: the syndrome decoding problem, which relies on the hardness of decoding a binary word of given weight and given syndrome. Starting from Stern's scheme [18], we define a dual version which, unlike the other schemes based on the SD problem, uses a generator matrix of a random linear binary code. This allows, among other things, an improvement of the transmission rate with regard to the other schemes. Finally, by using techniques of computation in a finite field, we show how it is possible to considerably reduce:

- the complexity of the computations done by the prover (which is usually a portable device with limited computing power),
- the size of the data stored by the prover.

A new framework for the design and analysis of identity-based identification schemes

Theoretical Computer Science, 2008

Constructing an identification scheme is one of the fundamental problems in cryptography, and is very useful in practice. An identity-based identification (IBI) scheme allows a prover to identify himself to a public verifier who knows only the claimed identity of the prover and some public information. In this paper, we propose a new framework for both the design and analysis of IBI schemes. Our approach works in an engineering way. We first identify an IBI scheme as the composition of two building blocks, and then show that, with different security properties of these building blocks, the corresponding IBI schemes can achieve security against impersonation under different levels of attacks, namely, passive attack (id-imp-pa), active attack (id-imp-aa) or concurrent attack (id-imp-ca). In particular, we show that an id-imp-pa secure IBI scheme can be built if there exists a trapdoor weak-one-more relation and an honest-verifier zero-knowledge proof with special soundness, while an id-imp-aa and id-imp-ca secure IBI scheme can be built if there exists a trapdoor strong-one-more relation and a Witness Dualism proof with Special Soundness (WD-SS). This new framework can capture IBI construction techniques that are not captured by other known frameworks. It also helps to construct new and efficient schemes. We demonstrate this by proposing two new IBI schemes, one achieving id-imp-pa, and the other achieving both id-imp-aa and id-imp-ca; neither of them can be captured by existing frameworks.

... of attack, corresponding security models are normally formalized into two stages. In stage one, the adversary obtains communication transcripts between the prover and an honest verifier, or plays the role of a (possibly malicious) verifier while communicating with the prover a number of times. In stage two, given the information collected in stage one, the adversary's goal is to impersonate the prover, that is, to make an honest verifier accept it as the prover.

Identity based identification from algebraic coding theory

2014

Cryptographic identification schemes allow a remote user to prove his/her identity to a verifier who holds some public information of the user, such as the user's public key or identity. Most of the existing cryptographic identification schemes are based on number-theoretic hard problems such as Discrete Log and Factorization. This paper focuses on the design and analysis of identity-based identification (IBI) schemes based on algebraic coding theory. We first revisit an existing code-based IBI scheme which is derived by combining the Courtois-Finiasz-Sendrier signature scheme and the Stern zero-knowledge identification scheme. Previous results have shown that this IBI scheme is secure under passive attacks. In this paper, we prove that the scheme can in fact resist active attacks. However, whether the scheme can be proven secure under concurrent attacks (the most powerful attacks against identification schemes) remains open. In addition, we show that it is difficult to apply the conventional OR-proof approach to this particular IBI scheme in order to obtain concurrent security. We then construct a special OR-proof variant of this scheme and prove that the resulting IBI scheme is secure under concurrent attacks.

On concrete security treatment of signatures derived from identification

Lecture Notes in Computer Science, 1998

Signature schemes that are derived from three-move identification schemes, such as the Fiat-Shamir, Schnorr and modified ElGamal schemes, are a typical class of the most practical signature schemes. The random oracle paradigm [1, 2, 12] is useful to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to the Schnorr and modified ElGamal schemes, and show the "concrete security analysis" of these schemes. We then apply it to the multi-signature schemes.

Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes

Advances in Cryptology — CRYPTO '92

This paper presents a three-move interactive identification scheme and proves it to be as secure as the discrete logarithm problem. This provably secure scheme is almost as efficient as the Schnorr identification scheme, while the Schnorr scheme is not provably secure. This paper also presents another practical identification scheme which is proven to be as secure as the factoring problem and is almost as efficient as the Guillou-Quisquater identification scheme; the Guillou-Quisquater scheme is not provably secure. We also propose practical digital signature schemes based on these identification schemes. The signature schemes are almost as efficient as the Schnorr and Guillou-Quisquater signature schemes, while the security assumptions of our signature schemes are weaker than those of the Schnorr and Guillou-Quisquater signature schemes. This paper also gives a theoretically generalized result: a three-move identification scheme can be constructed which is as secure as the random-self-reducible problem. Moreover, this paper proposes a variant which is proven to be as secure as the difficulty of solving both the discrete logarithm problem and the specific factoring problem simultaneously. Some other variants such as an identity-based variant and an elliptic curve variant are also proposed.

Hierarchical Identity-Based Identification Schemes

Hierarchical identity-based cryptography was introduced with the purpose of reducing the burden on a single Private Key Generator (PKG) and of limiting damage to only those domains whose lower-level PKGs are compromised. However, until now only security models and concrete schemes for hierarchical identity-based encryption and signature schemes are found in the literature. In this paper, we propose the initial idea of hierarchical identity-based identification (HIBI) schemes. We provide the formal definition and security model for HIBI schemes and then proceed to propose a concrete HIBI scheme secure against passive attacks in the random oracle model under the Computational Diffie-Hellman assumption. We also prove the HIBI scheme secure against active and concurrent attacks in the random oracle model under the One-More Computational Diffie-Hellman assumption.

Security Upgrade for a K-Resilient Identity-Based Identification Scheme in the Standard Model

In 2010, proposed an identity-based identification (IBI) scheme in the standard model which was resilient to a coalition of attackers conspiring together to break the scheme. They argued that the scheme was desirable due to its proof in the standard model, which is still rare in the existing literature. Also desirable was that the proposed scheme was designed without bilinear pairings, which are expensive in terms of operation cost, thereby allowing the scheme to run more efficiently. However, the proof of security for the proposed scheme was only against impersonation under passive attacks, where the adversary is only allowed to eavesdrop on conversations between honest parties during the identification protocol. In this paper, we upgrade the security proof to prove that the scheme is also secure against impersonation under active and concurrent attacks, showing that the scheme remains secure even if the adversary interacts with honest parties during the attack.