Abstract
In this paper, a new identity-based identification scheme based on error-correcting codes is proposed.
Two well known code-based schemes are combined: the signature scheme by Courtois, Finiasz and Sendrier and an identification scheme by Stern.
A proof of security for the scheme in the Random Oracle Model is given.
Improved identity-based identification using correcting codes
Pierre-Louis Cayrel (1), Philippe Gaborit (2), David Galindo (3) and Marc Girault (4)
(1) Université de Paris 8, LAGA, Département de Mathématiques, 2, rue de la liberté, 93526 Saint-Denis cedex 02, France, email: cayrelpierrelouis@gmail.com
(2) Université de Limoges, XLIM-DMI, 123, Av. Albert Thomas 87060 Limoges Cedex France, email: philippe.gaborit@xlim.fr
(3) University of Luxembourg 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: david.galindo@uni.lu
(4) Orange Labs 42, rue des Coutures 14066 Caen France, email: marc.girault@orangeftgroup.com
IEEE Trans. on Information Theory
Identification, Identity-based Cryptography, Correcting codes, Stern, Niederreiter.
1 Introduction
One of the most critical points of public key cryptography (PKC) is the management of the authenticity of the public key. It is the single point that anchors public key cryptography to the real world. If no such mechanism is provided the consequences are fatal. In fact, if Alice is able to take Bob’s identity by passing her own public key off as Bob’s, she would be able to decipher all messages sent to Bob or to sign any message on behalf of Bob.
In 1984, Shamir introduced the concept of Identity-based Public Key Cryptography (ID-PKC) [27] in order to simplify the management and the identification of the public key, which, over time, had become more and more complex.
In ID-PKC the public key of a user is obtained from his identity on the network. The identity can be a concatenation of any publicly known information that singles out the user: a name, an email, or a phone number, to name a few. Hence it is no longer necessary to verify a certificate for the public key nor to access a public directory to obtain a certificate. At first glance it seems simple, but producing private keys becomes more complex. In particular a user cannot build his own private key by himself anymore, and it is necessary to introduce a trusted third party who constructs the private key from the user’s identity and sends it to the user. This process has to be done at least once for each user.
Shamir [27] calls this trusted third party the Key Generation Center (KGC). The KGC is the owner of a system-wide secret, thus called the master key. After successfully verifying (by non-cryptographic means) the identity of the user, the KGC computes the corresponding user private key from the master key, the user identity and a trapdoor function.
Identity-based systems resemble ordinary public-key systems, in the sense that both involve a private transformation (i.e. decrypting) as well as a public transformation (i.e. encrypting). However, in identity-based systems users do not have explicit public keys. Instead, the public key is effectively replaced by (or constructed from) a user’s publicly available identity information.
The motivation behind identity-based systems is to create a cryptographic system resembling an ideal mail system. In this ideal system, knowledge of a person’s name alone suffices for confidential mailing to that person, and for signature verification that only that person could have produced. In such an ideal cryptographic system:

users need exchange neither symmetric keys nor public keys;

public directories (databases containing public keys or certificates) need not be kept;

the services of a trusted authority are needed solely during a setup phase (during which users acquire authentic public system parameters).
A drawback in many concrete proposals of identity-based systems is that the required user-specific identity data includes additional data, taking the form of an integer or public data value for instance, denoted DA, beyond an a priori identity ID. Ideally, DA is not required, as a primary motivation for identity-based schemes is to eliminate the need to transmit public keys, to allow truly non-interactive protocols with identity information itself sufficing as an authentic public key. We will refer to the latter systems as pure identity-based systems. The issue is less significant in signature and identification schemes where the public key of a claimant is not required until receiving a message from that claimant (in this case DA is easily provided); but in this case, the advantage of identity-based schemes diminishes. It is more critical in key agreement and public-key encryption applications where another party’s public key is needed at the outset.
In his paper Shamir proposed identity-based signature and identification systems based on the RSA or Discrete Logarithm problems. The first efficient provably secure identity-based encryption cryptosystem featuring the above mentioned non-interactive property was proposed in 2001 by Boneh and Franklin [16]. This system is based on the Weil pairing over certain families of elliptic curves. The same year, Cocks [10] published a system based on quadratic residuosity but a rather large message expansion makes it somewhat inefficient in practice.
Following the paper by Boneh and Franklin, research on ID-PKC has made great advances and lots of schemes have been published, most of them based on elliptic curves and bilinear pairings, such as identity-based encryption (IBE) schemes [4], identity-based key agreement schemes [5], identity-based identification (IBI) or identity-based signature (IBS) schemes [9, 32, 33]. In 2004 Bellare, Neven and Namprempre proposed in [1] a general framework deriving IBI or IBS from traditional public key-based signature and identification schemes and they applied it to concrete known schemes. The resulting systems are not pure identity-based and only schemes based on number theoretic problems were considered.
In this paper, we propose and formally study a new IBI scheme built from error-correcting codes.
Code-based cryptography was introduced by McEliece [23], a variation of which was later proposed by Niederreiter [25]. The idea of using error-correcting codes for identification purposes is due to Harari [20], followed by Stern (first protocol) and Girault [17]. But the Harari and Girault protocols were subsequently broken, while Stern’s was five-pass and impractical. At Crypto’93, Stern proposed a new scheme [30], which is still today the reference in this area.
For a long time no code-based signature scheme was known; eventually the first (not yet cryptanalyzed) one was proposed by Courtois, Finiasz and Sendrier [11] (CFS) in 2001. The basic idea of the CFS signature scheme is to choose parameters such that an inversion of the otherwise non-invertible Niederreiter scheme is feasible. This is done at the cost of a rather large public key compared to other signature schemes. Still, the signature length is short.
We obtain our new IBI scheme by combining the CFS signature scheme and the identification scheme by Stern. The basic idea of our scheme is to start from a Niederreiter-like problem which can be inverted like in the CFS scheme. This makes it possible to associate a secret to a random (public) value obtained from the identity of the user. The secret and public values are then used for the Stern zero-knowledge identification scheme.
The paper is organized as follows. In Section 2 we introduce notation and definitions, while in Section 3 we recall basic facts on code-based cryptography. Section 4 is devoted to describing the public key encryption scheme of Niederreiter and the signature scheme of Courtois, Finiasz and Sendrier. The identification protocol of Stern is presented in Section 5, and next our new protocol is described in Section 6. In Section 7 we give a proof of security for our scheme in the Random Oracle Model [2].
Publication info. This is the full version of a previously published conference extended abstract [7].
2 Notation and definitions
We first introduce some notation. If is a string, then denotes its length, while if is a set then denotes its cardinality. If then denotes the string of ones.
If is a set then denotes the operation of picking an element in uniformly at random. Unless otherwise indicated, algorithms are modelled as Probabilistic Polynomial Time (PPT) algorithms. We write to indicate that is an algorithm with inputs and by we denote the operation of running with inputs and letting be the output. We write to indicate that is an algorithm with inputs and access to oracles and by we denote the operation of running with inputs and access to oracles and letting be the output.
Provers and verifiers. An interactive algorithm is a stateful PPT algorithm that on input an incoming message (this is if the party is initiating the protocol) and state information outputs an outgoing message and updated state . The initial state contains the initial inputs of the algorithm. We say that accepts if and rejects if . An interaction between a prover and a verifier , both modelled as interactive algorithms, ends when either accepts or rejects. The expression :
denotes that and have initiated in an interaction with inputs and respectively, getting a conversation transcript and a boolean decision , with 1 meaning that accepted, and 0 meaning it rejected.
Standard identification schemes. A standard identification scheme consists of three PPT algorithms :

algorithm takes as input a security parameter and returns a secret key and a matching public key . We use the notation .

protocol, where the prover runs with initial state , while the verifier has initial state . It is required that for all and valid key pairs , the output by in any interaction between (with input and (with input is with probability one.
Standard Signatures. A standard signature scheme consists of three PPT algorithms :

algorithm takes as input a security parameter and returns a secret key and a matching public key . We use the notation .

algorithm takes as input a secret key and a message . The output is a signature . This is denoted as .

algorithm takes as input a public key , a message , and a signature . The output is 1 if the signature is valid, or 0 otherwise. We use the notation to refer to one execution of this algorithm.
The standard security notion for signature schemes is unforgeability against adaptively-chosen message attacks, which can be found in [19].
Identity-Based identification. An identity-based identification scheme consists of four PPT algorithms, as follows :

algorithm takes as input a security parameter and returns, on one hand, the system public parameters and, on the other hand, the matching master secret key , which is known only to a master entity. It is denoted as .

algorithm takes as inputs the master secret key and an identity , and returns a secret key . We use the notation .

protocol, where the prover with identity runs the interactive algorithm with initial state , and the verifier runs with initial state .
Security of IBI schemes. An IBI scheme is said to be secure against impersonation under passive attacks (imp-pa) if any adversary , consisting of a cheating prover and a cheating verifier , has a negligible advantage in the following game :
Setup The challenger takes a security parameter and runs the master key generation algorithm . It gives to the adversary and keeps the master secret key to itself. It initializes an empty list .
Phase 1 The adversary issues queries of the form

User key query The challenger checks whether there exists an entry in the list . If this is the case, it retrieves the user secret key . Otherwise, it runs algorithm to generate the private key corresponding to . It sends to the adversary. It includes the entry in the list .

Conversation query The challenger checks whether there exists an entry in the list . If this is the case, it retrieves the user secret key . Otherwise, it runs algorithm to generate the private key corresponding to . The challenger returns where .
These queries may be asked adaptively, that is, each query may depend on the answers obtained to the previous queries.
Challenge The cheating verifier outputs a target identity and its state , such that the private key for was not requested in Phase 1.
Phase 2 The cheating prover , with input , interacts with an honest verifier with input . The cheating prover is allowed to query the same oracles as in Phase 1, except that the query is not allowed. Finally, wins if the output of is accept, i.e. in .
Such an adversary is called an imp-pa adversary , and its advantage is defined as
3 Code-based cryptography
In this section we recall basic facts about code-based cryptography. We refer to the work of Sendrier [26] for a general introduction to these problems.
3.1 Hard problems
Every public key cryptosystem relies on a hard problem. In the case of coding theory, the main hard problems used are the Bounded Decoding (BD) and Code Distinguishing (CD) problems.
Definition 3.1 (Bounded Decoding Problem)
Let and be two integers such that and a parity check matrix.
represents a random binary matrix of columns, rows and of rank
Input : and
Output : A word
such that and
Let us denote by the probability that an algorithm has in solving the above problem.
This problem was proven to be NP-complete in [3].
Definition 3.2 (Code Distinguishing Problem)
Let and be two integers such that and a parity check matrix.
Input : or .
Output : if , otherwise.
The description of a Goppa code of length and dimension is to be found in [22].
3.2 McEliece scheme
[Key Generation] Let be a ary linear code correcting of length and of dimension We denote a such code. Let a generator matrix of We will use an matrix such that :
is public and its decomposition and a syndrome decoding algorithm for are secret. To be clearer, we recall the various sizes of the matrices :
is is is
[Encryption] Let be the space of words with Hamming weight . For a chosen cleartext , is the cryptogram corresponding to if and only if
[Decryption] For the knowledge of the secret key allows :

to compute

to find from thanks to a syndrome decoding algorithm;

to find
The syndrome decoding algorithm can be, for instance, in the case of Goppa’s codes, Patterson’s algorithm (see part 8.1).
3.3 Cryptanalytic Attacks
The security of code-based cryptosystems depends on the difficulty of the following two attacks :

Structural Attack : Recover the secret transformation and the description of the secret code(s) from the public matrix.

Ciphertext-Only Attack : Recover the original message from the ciphertext and the public key.
3.3.1 Structural Attack
While no efficient algorithm for decomposing into has been discovered yet [24], a structural attack has been discovered in [21]. This attack reveals part of the structure of a so-called weak where ’weak’ means that has been generated from a binary Goppa polynomial in a special manner. However, this attack can be avoided simply by not using such weak public keys.
Structural attacks aim at recovering the structure of the permuted code, i.e. recovering the permutation from the code and its permuted version. The underlying problem is the equivalence of codes. This problem was considered by Sendrier for which he gave a nice solution : the Support Splitting Algorithm [26].
The complexity of this algorithm is in where is the dual of the code This means that in order to resist the attack one gets two options : either starting from a large family of codes with arbitrary small hulls (the intersection of and ) or starting from a small family of codes but with a large hull.
For instance the choice of Goppa codes corresponds to the first possibility.
3.3.2 Ciphertext-Only Attack
A first analysis using Information-Set-Decoding was done by McEliece, then by Lee and Brickell, Stern and Leon and lastly by Canteaut and Chabaud (see [6] for all references).
The Information-Set-Decoding Attack is one of the known general attacks (i.e., not restricted to specific codes) and seems to have the lowest complexity.
One tries to recover the information symbols as follows : the first step is to pick of the coordinates randomly in the hope that none of the are in error. We then try to recover the message by solving the linear system (binary or over ). Let and denote the columns picked from and respectively. They have the following relationship
If and is nonsingular, can be recovered by
The computation cost of this version is where
The quantity in the average work factor is the number of operations required to solve a linear system over . As mentioned in [23], solving a binary system takes about operations. Over , it would require at least operations.
All the papers which improve the complexity only impact the cost of the Gaussian elimination. In the best improvement by Canteaut and Chabaud [6] a good approximation of the cost besides the probability factor can be taken roughly in .
4 Signature scheme of Courtois, Finiasz and Sendrier (or CFS scheme)
Before describing the CFS scheme we first recall the Niederreiter public key cryptosystem.
4.1 Niederreiter encryption scheme
[Key Generation] Let be a binary linear code correcting of length and of dimension Let a parity check matrix of We will use an matrix such that :
is public and its decomposition and a syndrome decoding algorithm for are secret.
To be clearer, we recall the various sizes of the matrices :
is is is
Let be the space of words with Hamming weight .
[Encryption] For a chosen cleartext in ,
is the cryptogram corresponding to if and only if
[Decryption] For the knowledge of the secret key allows :

to compute

to find from thanks to a syndrome decoding algorithm;

to find applying to
The syndrome decoding algorithm can be, for instance, in the case of Goppa’s codes, Patterson’s algorithm (see part 8.1).
The McEliece or the Niederreiter schemes are not naturally invertible, i.e. if one starts from a random element of and a code that we are able to decode up to , it is almost sure that we won’t be able to decode into a codeword of . This comes from the fact that the density of the whole space that is decodable is very small.
4.2 CFS signature scheme
The idea of the CFS scheme is to find parameters that make successful the strategy of picking up random elements until one is able to decode it with high probability. More precisely, given a message to sign and a hash function with range we try to find a way to build of given weight such that For a decoding algorithm, the CFS scheme works as follows :
[Key Generation]

Select , and according to the security parameter .

Pick a random parity check matrix of a binary Goppa code decoding errors.

Choose a random non-singular matrix , a random permutation matrix and a hash function .

The public key is and the private key is .

Set .
[Sign]



if no was found go to 1

output
[Verify] Compute and . The signature is valid if and are equal.
We get at the end an couple, such that :
Let us notice that we can suppose that has weight In [12], a proof of security in the Random Oracle Model for a modified version of the CFS scheme is given. We use the modified CFS scheme described there, and named as mCFS, as a building block for our scheme. The mCFS scheme is explained next.
4.3 Modified CFS signature scheme
[Key Generation]

Select , and according to .

Pick a random parity check matrix of a binary Goppa code decoding errors.

Choose a random non-singular matrix , a random permutation matrix and a hash function .

The public key is and the private key is .

Set .
[Sign]



if no was found go to 1

output
[Verify] Compute and . The signature is valid if and are equal.
5 Stern’s protocol
Stern’s scheme is an interactive zero-knowledge protocol which aims at enabling a prover to identify himself to a verifier .
Let and be two integers such that . Stern’s scheme assumes the existence of a public matrix defined over the two elements field . It also assumes that an integer has been chosen. For security reasons (discussed in [30]) it is recommended that is chosen slightly below the so-called Gilbert-Varshamov bound (see [22]). The matrix and the weight are protocol parameters and may be used by several (even numerous) different provers.
Each prover receives a bit secret key (also denoted by if there is no ambiguity about the prover) of Hamming weight and computes a public identifier such that . This identifier is calculated once in the lifetime of and can thus be used for several identifications. When a user needs to prove to that he is indeed the person associated to the public identifier , then the two protagonists perform the following protocol where denotes a standard hash function :
[Commitment Step] randomly chooses and a permutation of Then sends to the commitments , and such that :
where denotes the hash of the concatenation of the sequences and .
[Challenge Step] sends to .
[Answer Step] Three possibilities :

if reveals and

if reveals and

if reveals and
[Verification Step] Three possibilities :

if verifies that are correct.

if verifies that are correct.

if verifies that are correct, and that the weight of is .
[Soundness Amplification Step] Iterate the above steps until the expected security level is reached.
During the fourth Step, when equals , it can be noticed that derives directly from since we have :
As proved in [30], the protocol is zero-knowledge and for a round iteration, the probability that a dishonest person succeeds in cheating is . Therefore, to get a confidence level of , the protocol must be iterated a number of times such that holds. When the number of iterations satisfies the last condition, then the security of the scheme relies on the NP-complete problem SD.
By virtue of the so-called Fiat-Shamir Paradigm [15], it is possible to convert Stern’s Protocol into a signature scheme, but the resulting signature size is long (about kbit long for security). Notice that this is large in comparison with classical signature schemes, but it is more or less close to the size of many files currently used in everyday life.
6 New Identity-based identification scheme from Stern-Niederreiter protocols
We describe now the first code-based identity-based identification method. The prover is identifying herself to the verifier. Let be the prover and of the identifier identities respectively.
[Master key generation] Let the output of the key generation algorithm of the CFS signature scheme in Section 4.
Let a hash function mapping to
is made public, but the decomposition of is a secret of the authority.
[Key extraction]
On inputs the decomposition of and the user’s identity the goal of the key extraction algorithm is to output such that However might not be in the target of That is to say that is not necessarily in the space of decodable elements of . That problem can be solved thanks to the following algorithm. Given a decoding algorithm for the hidden code :



If no was found go to 1

output
We get at the end a couple such that
We can note that we have of weight or less.
[Interactive identification]
We use a slight variant of Stern’s protocol. We suppose that the prover obtained a couple verifying is set to be the prover’s public key. Identification is then performed by modifying Stern’s protocol with respect to the public key . Details follow.
[Commitment Step] chooses randomly any word of bits and a permutation of Then sends to such that :
[Challenge Step] sends to .
[Answer Step] Three possibilities :

if reveals and

if reveals and

if reveals and
[Verification Step] Three possibilities :

if verifies that the received at the second round are correct.

if verifies that the received at the second round are correct. For we can note that derives directly from by :

if verifies that the received at the second round have really been honestly calculated, and that the weight of is .
[Soundness Amplification Step] Iterate the commitment, challenge, answer and verification steps until the expected security is reached.
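The scheme of this section end to end at toy scale, as an added example that is not code from the paper: key extraction retries a counter until the hashed identity is a decodable syndrome, then Stern rounds are run against that syndrome as public key. The sizes N, R, T, the use of SHA-256, the brute-force `toy_decode` standing in for the authority's trapdoor Goppa decoder, sending the counter along with the identity, and all function names are assumptions; the commitments are those of Stern's Crypto'93 protocol [30].

```python
import hashlib
import itertools
import secrets

N, R, T = 16, 8, 2  # assumed toy sizes: code length, syndrome length, weight bound

def h(*parts):
    """Hash of the concatenation of the given sequences (SHA-256 is an assumption)."""
    return hashlib.sha256(b"".join(bytes(p) for p in parts)).digest()

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def syndrome(H, x):
    """H x^T over GF(2), with H given as R rows of N bits."""
    return [sum(r & v for r, v in zip(row, x)) % 2 for row in H]

def permute(perm, x):
    return [x[j] for j in perm]

def is_word(x):
    return isinstance(x, list) and len(x) == N and all(v in (0, 1) for v in x)

def is_perm(p):
    return isinstance(p, list) and sorted(p) == list(range(N))

def master_keygen():
    """Public matrix. Here it is random; the real authority publishes a scrambled
    Goppa parity check matrix and keeps its decomposition as the master key."""
    return [[secrets.randbelow(2) for _ in range(N)] for _ in range(R)]

def id_syndrome(identity, i):
    """First R bits of h(identity, counter): the candidate public key."""
    d = h(identity.encode(), i.to_bytes(4, "big"))
    return [(d[j // 8] >> (j % 8)) & 1 for j in range(R)]

def toy_decode(H, target):
    """Stand-in for the trapdoor decoder: exhaustive search for a word of weight
    at most T with the given syndrome. Returns None if target is not decodable."""
    for w in range(T + 1):
        for support in itertools.combinations(range(N), w):
            x = [int(j in support) for j in range(N)]
            if syndrome(H, x) == target:
                return x
    return None

def extract(H, identity):
    """Key extraction: increase the counter until h(identity, i) decodes."""
    for i in itertools.count():
        s = toy_decode(H, id_syndrome(identity, i))
        if s is not None:
            return s, i

def commit(H, s):
    """Prover: fresh random word y and permutation, three hash commitments."""
    y = [secrets.randbelow(2) for _ in range(N)]
    perm = list(range(N))
    secrets.SystemRandom().shuffle(perm)
    c = (h(perm, syndrome(H, y)), h(permute(perm, y)), h(permute(perm, xor(y, s))))
    return c, (y, perm)

def respond(state, s, b):
    y, perm = state
    if b == 0:
        return y, perm
    if b == 1:
        return xor(y, s), perm
    return permute(perm, y), permute(perm, s)

def verify(H, pk, c, b, resp):
    """Verifier: recompute the two commitments opened by challenge b."""
    c1, c2, c3 = c
    u, v = resp
    if b in (0, 1):
        # Reject malformed openings: v must be a real permutation of 0..N-1.
        if not (is_word(u) and is_perm(v)):
            return False
        # For b == 1, H y^T is recovered as H (y + s)^T + pk.
        hy = syndrome(H, u) if b == 0 else xor(syndrome(H, u), pk)
        return c1 == h(v, hy) and (c2 if b == 0 else c3) == h(permute(v, u))
    if not (is_word(u) and is_word(v)):
        return False
    # Weight check uses "T or less", matching the key extraction output.
    return c2 == h(u) and c3 == h(xor(u, v)) and sum(v) <= T

def identify(H, identity, i, s, rounds=58):
    """Honest run; 58 rounds is the count given in the paper's IBI table."""
    pk = id_syndrome(identity, i)
    for _ in range(rounds):
        c, state = commit(H, s)
        b = secrets.randbelow(3)
        if not verify(H, pk, c, b, respond(state, s, b)):
            return False
    return True

if __name__ == "__main__":
    H = master_keygen()
    s, i = extract(H, "alice@example.org")  # constructed sample identity
    print("counter:", i, "weight:", sum(s), "accepted:", identify(H, "alice@example.org", i, s))
```

A prover holding a word whose syndrome differs from the public key always fails challenge 1, and the permutation check in `verify` closes the gap that a non-bijective "permutation" would otherwise open.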
7 Proving Security of mCFS-Stern IBI scheme
Theorem 1
The IBI scheme from Section 6 is secure in the sense of imp-pa if the BD and CD problems are hard to solve.
Proof.
A security reduction is obtained by adapting the proofs by Dallot [12] and Stern [31] to our setting. We build the proof following a sequence of games Game 0, Game 1, … . Game 0 is the original attack game, i.e. the standard imp-pa game. Successive games are obtained by small modifications of the preceding games, in such a way that the difference of the adversarial advantage in consecutive games is easily quantifiable. To compute this difference, the following lemma is used :
Lemma 1
Let ,, be events defined in some probability distribution, and suppose that . Then .
Let denote the maximum number of queries that adversary makes to the hash, user keys and conversation oracles.
We want to show there exist adversaries that break the BD and CD problems respectively.
To answer hash, user key and conversation queries, three lists and are maintained. If there is no value associated with an entry in a list, we denote its output by . The list consists of tuples of the form indexed by , where is an index in , is an identity, and if . The list , consists of entries of the form . The list contains indexes associated to a message , for which the simulator is able to produce a signature on .
Game 0. This is the standard imp-pa game. The master public and secret keys are obtained by running algorithm In particular, the master public key plus a hash function , and the master secret key is , where , is a non-singular matrix and is a permutation matrix. Therefore .
Game 1. (Simulation of hash and user key queries) We change the way in which hash and user key extraction queries are answered. For hash queries of the form , there are two situations, depending on whether . If this is the case, a decodable syndrome is given as the output, and the corresponding codeword is stored, i.e. is updated with in the entry indexed by . If hash queries are simulated by taking a random element in , and then these queries are distributed as with a random oracle. Details are shown in Figure 1.
On the other hand, user key queries on are answered by choosing the special index at random, calling the hash oracle on and outputting as the resulting user secret key. Details are shown in Figure 2.
At the end of the simulation, the random oracle has output syndromes. Some of them are produced with the special index ; these syndromes are not distributed uniformly at random in , instead they have been modified as to enable responding user secret key queries. It might be then the case that adversary queried on some pair such that later is set to . This will cause an incoherence, since then the output will be a random syndrome, instead of a decodable syndrome. The latter happens with probability at most (the indexes are only defined when answering key extraction queries). Therefore,
Game 2. (Changing the master key generation algorithm) The key generation algorithm is changed so that . Then,
where is an algorithm that simulates the environment of Game 2 for if and outputs if successfully impersonates the target identity , and otherwise; and simulates the environment of Game 3 for if and outputs if successfully impersonates the target identity , and otherwise. It is easy to see that
and
Fig. 1  Simulation of hash queries
Fig. 2  Simulation of user key queries
Game 3. (Guessing the target identity) A random index is taken. The th hash query to is set to be , where , i.e. . The probability space is not modified, since and is non-singular, and therefore .
Game 4. (Abort the game)
Let be the target identity and target index that impersonates. If or then the challenger aborts the game. Since Game 4 is obtained by conditioning Game 3 on an independent event of probability we obtain
Game 5. (Answering conversation queries on the target identity ) We have to answer conversation queries on without knowing the code word corresponding to , i.e. such that and . We can answer these queries in expected polynomial time by using the algorithm in Theorem 3 in [31]. Roughly, the algorithm uses a resettable simulation [18]. At the beginning of each iteration of the basic identification protocol, the algorithm chooses at random one out of three cheating strategies, where each strategy allows to successfully interact with a cheating verifier with probability . In case the algorithm cannot successfully interact with , it resets the adversary for the current round (see [31] for details). All in all, the probability space is not modified, and then .
Theorem 1 in [31] implies that an adversary impersonating the user with identity when running rounds of the basic protocol and with advantage for a non-negligible , can be converted into a PPT algorithm computing such that with probability . A basic calculation shows that is a solution to the BD problem with inputs and . Let be an algorithm that simulates Game 5 for the impersonating adversary using the input of the BD problem. Then,
Collecting all the probabilities
and then
The latter equation can be read as follows : a successful impersonating adversary with advantage implies a successful adversary against the BD or CD problems.
∎
8 Efficiency Analysis
We deal here with the security of our protocol and its practicality. Recall that in the case of Niederreiter’s cryptosystem, its security relies on the hardness of decoding of a linear code (see section 3).
8.1 Parameters and security of the scheme
The protocol has two parts : in the first part one inverts the syndrome decoding problem for a matrix in order to construct a private key for the prover and in the second part one applies Stern's identification protocol with the same matrix . This shows that the overall parameters of the scheme are equivalent to the security of the CFS scheme, since the security of the Stern scheme with the same matrix parameters is implicitly included in the signature scheme.
In particular the scheme has to fulfill two imperative conditions :

make the computation of (defined in advance) difficult without the knowledge of the description of

make the number of trials to determine the correct not too large in order to reduce the cost of the computation of .
Following [11] the Goppa codes are a large class of codes which are compatible with condition 2. Indeed, for such a code, the proportion of the decodable syndromes is about (which is a relatively good proportion). We also have to choose a relatively small
The production process will thus be iterated, about times before finding the correct But each iteration forces to compute
The decoding of the Goppa codes consists of :

computing a syndrome : binary operations;

computing a locator polynomial : binary operations;

computing its roots : binary operations.
We thus get a total cost for the computation of the prover’s private key of about :
The cost of an attack by decoding thanks to the split syndrome decoding is estimated to :
The choice of parameters will have to be pertinent enough to reconcile cost and security. Although less important, some sizes also have to remain reasonable : the length of the cost of the verification and the size of that is for a Goppa code :
Following [11] we can for example take and The cost of the signature stays then relatively reasonable for a security of about The other sizes remain in that context very acceptable.
8.2 Practical values
The big difference when using the parameters associated with the CFS scheme is that the code used is very long, against for the basic Stern scheme; this dramatically increases communication costs.
In the following tables we sum up, for the parameters , the general parameters of the IBI and IBS schemes.
public key | private key | matrix size
144 | 144 | 1 MB

communication cost | key generation
500 KB (58 rounds) | 1 s

Practical values for the IBI scheme

signature length | key generation
2.2 MB (280 rounds) | 1 s

Practical values for the IBS scheme
Reduction of the size of the public matrix : Unlike a pure signature scheme, in which one wants to be able to sign fast, in our scheme the signature is computed only once, to be sent to the prover; hence the signing time may be judged less critical, and a longer signing time may be accepted in exchange for reducing (a little) the parameters of the public matrix.
9 Conclusion
In this paper we present and prove secure a new identity-based identification scheme based on error-correcting codes. Our scheme combines two well known schemes by Courtois-Finiasz-Sendrier and Stern. It inherits some of their practical weaknesses, such as large system parameters. Interestingly the new scheme is one of the very few existing alternatives to number theory for identity-based cryptography, and we hope that it boosts future research in this area.
References
 [1] M. Bellare, C. Namprempre and G. Neven : Security proofs for identity-based authentication and signature schemes. Eurocrypt 2004, LNCS 3027 : pp 268–286, 2004.
 [2] M. Bellare and P. Rogaway : Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. ACM Conference on Computer and Communications Security 1993, pp 62–73, 1993.
 [3] E. Berlekamp, R. McEliece and H. van Tilborg : On the inherent intractability of certain coding problems. Information Theory, IEEE Transactions on, vol. 24(3) : pp 384–386, May 1978.
 [4] T. Berson : Failure of the McEliece public-key cryptosystem under message-resend and related-message attack. Crypto 97.
 [5] T. Beth and M. Frisch : Public-key Cryptography State of the Art and Future Directions. E.I.S.S. Workshop, Oberwolfach, Germany, July 3–6, 1991 Final Report LNCS.
 [6] A. Canteaut and F. Chabaud : A new algorithm for finding minimum-weight words in a linear code : Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory, vol. 44(1) : pp 367–378, 1998.
 [7] P.-L. Cayrel, P. Gaborit and M. Girault : Identity-based identification and signature schemes using correcting codes. WCC 2007.
 [8] J. Cha and J. Cheon : An identity-based signature from gap Diffie-Hellman groups. PKC 2003, LNCS 2567 : pp 18–30.
 [9] F. Chabaud : On the security of some cryptosystems based on error-correcting codes. LNCS 950 : pp 131–139, 1995.
 [10] F. Chabaud : An identity-based encryption scheme based on quadratic residues. LNCS 2260 : pp 360–363, 2001.
 [11] N. T. Courtois, M. Finiasz and N. Sendrier : How to achieve a McEliece-based digital signature scheme. LNCS 2248 : pp 157–174, 2001.
 [12] L. Dallot : Towards a concrete security proof of Courtois Finiasz and Sendrier signature scheme. WEWORC 2007.
 [13] D. Engelbert, R. Overbeck and A. Schmidt : A summary of McEliece-type cryptosystems and their security. Cryptology ePrint Archive, 2006, Report 2006/162.
 [14] U. Feige, A. Fiat and A. Shamir : Zero-knowledge proofs of identity. J. Cryptology vol. 1(2) : pp 77–94, 1988.
 [15] A. Fiat and A. Shamir : How to prove yourself : practical solutions to identification and signature problems. In A. Odlyzko, editor, Advances in Cryptology – CRYPTO ’86, vol. 263, pp 186–194.
 [16] M. Franklin and D. Boneh : Identity-based encryption from the Weil pairing. Advances in Cryptology – Crypto’01, 2001.
 [17] M. Girault : A (non-practical) three-pass identification protocol using coding theory. Advances in Cryptology, Auscrypt’90. LNCS 453 : pp 265–272. Springer, 1990.
 [18] S. Goldwasser, S. Micali and C. Rackoff : The knowledge complexity of interactive proof systems. SIAM, Journal of Computing, vol. 18 : pp 186–208, 1989.
 [19] S. Goldwasser, S. Micali and R. Rivest : A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, vol. 17(2) : pp 281–308, April 1988.
 [20] S. Harari : A new authentication algorithm. Coding Theory and Applications. LNCS 388 : pp 91–105. Springer, 1988.
 [21] P. Loidreau and N. Sendrier : Weak keys in McEliece public key cryptosystem. IEEE Trans. Inf. Theory, 2001.
 [22] F. J. MacWilliams and N. J. A. Sloane : The Theory of Error-Correcting Codes. North-Holland, Amsterdam, fifth edition, 1986.
 [23] R. J. McEliece : A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pp 114–116, 1978.
 [24] A. Menezes, P. Oorschot and S. Vanstone : McEliece public-key encryption. CRC Press, vol. 299, 1997.
 [25] H. Niederreiter : Knapsack-type cryptosystems and algebraic coding theory. Prob. Contr. Inform. Theory, vol. 15 number 2 : pp 157–166, 1986.
 [26] N. Sendrier : On the security of the McEliece public-key cryptosystem. Information Coding and Mathematics, 2002, In M. Blaum, P.G. Farrell and H. van Tilborg, editors, pp 141–163.
 [27] A. Shamir : Identity-based cryptosystems and signature schemes. Advances in Cryptology – Crypto’84, 1984.
 [28] V.M. Sidelnikov and S.O. Shestakov : On cryptosystems based on generalized Reed-Solomon codes. Diskretnaya Math, 1992, vol. 4 : pp 57–63.
 [29] J. Stern : A method for finding codewords of small weight. In G. D. Cohen and J. Wolfmann, editors, Coding Theory and Applications, LNCS 288 : pp 106–113. Springer, 1988.
 [30] J. Stern : A new identification scheme based on syndrome decoding. In D. Stinson, editor, Advances in Cryptology – CRYPTO ’93, vol. 773 : pp 13–21, 1993.
 [31] J. Stern : A new paradigm for public key identification. IEEE Transactions on Information Theory, vol. 42(6) : pp 1757–1768, 1996.
 [32] X. Yi : An identity-based signature scheme from the Weil pairing. IEEE Communications Letters vol. 7(2) : pp 76–78.
 [33] H. Yoon, J. H. Cheon and Y. Kim : Batch verifications with ID-based signatures. ICISC 2004, LNCS 3506 : pp 223–248, 2005.