In this paper, a new identity-based identification scheme based on error-correcting codes is proposed.

Two well known code-based schemes are combined : the signature scheme by Courtois, Finiasz and Sendrier and an identification scheme by Stern.

A proof of security for the scheme in the Random Oracle Model is given.


Improved identity-based identification using correcting codes]Improved identity-based identification using correcting codes

CGGG] Pierre-Louis Cayrel \authorinfo 1 - Université de Paris 8, LAGA, Département de Mathématiques, 2, rue de la liberté, 93526 Saint-Denis cedex 02, France, email: cayrelpierrelouis@gmail.com and Philippe Gaborit \authorinfo 2 - Université de Limoges, XLIM-DMI, 123, Av. Albert Thomas 87060 Limoges Cedex France, email: philippe.gaborit@xlim.fr and David Galindo \authorinfo 3 - University of Luxembourg 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: david.galindo@uni.lu and and Marc Girault \authorinfo 4 - Orange Labs 42, rue des Coutures 14066 Caen France, email: marc.girault@orange-ftgroup.com \journalIEEE Trans. on Information Theory \firstpage1

dentification, Identity-based Cryptography, Correcting codes, Stern, Niederreiter.

1 Introduction


One of the most critical points of public key cryptography (PKC) is that of the management of the authenticity of the public key. It is the very single point that anchors public key cryptography to the real world. If no such a mechanism is provided the consequences are fatal. In fact, if Alice is able to take Bob’s identity by faking her own public key as Bob’s one, she would be able to decipher all messages sent to Bob or to sign any message on behalf of Bob.

In 1984, Shamir introduced the concept of Identity-based Public Key Cryptography ID-PKC [27] in order to simplify the management and the identification of the public key, which, time passing by, had become more and more complex.

In ID-PKC the public key of an user is obtained from his identity on the network. The identity can be a concatenation of any publicly known information that singles out the user : a name, an e-mail, or a phone number, to name a few. Hence it is not longer necessary to verify a certificate for the public key nor to access a public directory to obtain a certificate. At first glance it seems simple but producing private keys becomes more complex. In particular a user can not build his own private key by himself anymore, and it is necessary to introduce a trusted third party who constructs the private key from the user’s identity and sends it to the user. This process has to be done at least once for each user.

Shamir [27] calls this trusted third party the Key Generation Center (KGC). The KGC is the owner of a system-wide secret, thus called the master key. After successfully verifying (by non-cryptographic means) the identity of the user, the KGC computes the corresponding user private key from the master key, the user identity and a trapdoor function.

Identity-based systems resemble ordinary public-key systems, in the sense that both involve a private transformation (i.e. decrypting) as well as a public transformation (i.e. encrypting). However, in identity-based systems users do not have explicit public keys. Instead, the public key is effectively replaced by (or constructed from) a user’s publicly available identity information.

The motivation behind identity-based systems is to create a cryptographic system resembling an ideal mail system. In this ideal system, knowledge of a person’s name alone suffices for confidential mailing to that person, and for signature verification that only that person could have produced. In such an ideal cryptographic system :

  1. users need not exchange neither symmetric keys nor public keys;

  2. public directories (databases containing public keys or certificates) need not be kept;

  3. the services of a trusted authority are needed solely during a set-up phase (during which users acquire authentic public system parameters).

A drawback in many concrete proposals of identity-based systems is that the required user-specific identity data includes additional data, taking the form of an integer or public data value for instance, denoted DA, beyond an a priori identity ID. Ideally, DA is not required, as a primary motivation for identity-based schemes is to eliminate the need to transmit public keys, to allow truly non-interactive protocols with identity information itself sufficing as an authentic public key. We will refer to the latter systems as pure identity-based systems. The issue is less significant in signature and identification schemes where the public key of a claimant is not required until receiving a message from that claimant (in this case DA is easily provided); but in this case, the advantage of identity-based schemes diminishes. It is more critical in key agreement and public-key encryption applications where another party’s public key is needed at the outset.

In his paper Shamir proposed identity-based signature and identification systems based on the RSA or Discrete Logarithm problems. The first efficient provably secure identity-based encryption cryptosystem featuring the above mentioned non-interactive property was proposed in 2001 by Boneh and Franklin [16]. This system is based on the Weil pairing over certain families of elliptic curves. The same year, Cocks [10] published a system based on quadratic residuosity but a rather large message expansion makes it somewhat inefficient in practice.

Following the paper by Boneh and Franklin, research on ID-PKC has made great advances and lots of schemes have been published, most of them based on elliptic curves and bilinear pairings, such as identity-based encryption (IBE) schemes [4], identity-based key agreement schemes [5], identity-based identification (IBI) or identity-based signature (IBS) schemes [9, 32, 33]. In 2004 Bellare, Neven and Namprempre proposed in [1] a general framework deriving IBI or IBS from traditional public key-based signature and identification schemes and they applied it to concrete known schemes. The resulting systems are not pure identity-based and only schemes based on number theoretic problems were considered.

In this paper, we propose and formally study a new IBI scheme built from error-correcting codes.

Code-based cryptography was introduced by McEliece [23], a variation of which was later proposed by Niederreiter [25]. The idea of using error-correcting codes for identification purposes is due to Harari [20], followed by Stern (first protocol) and Girault [17]. But Harari and Girault protocols were subsequently broken, while Stern’s one was five-pass and unpractical. At Crypto’93, Stern proposed a new scheme [30], which is still today the reference in this area.

For a long time no code-based signature scheme was known, eventually the first (not yet cryptanalyzed) one was proposed by Courtois, Finiasz and Sendrier [11] (CFS) in 2001. The basic idea of the CFS signature scheme is to choose parameters such that an inversion of the otherwise non-invertible Niederreiter scheme is feasible. This is done at the cost of a rather large public key when comparing to other signature schemes. Still signature length is short.

We obtain our new IBI scheme by combining the CFS signature scheme and the identification scheme by Stern. The basic idea of our scheme is to start from a Niederreiter-like problem which can be inverted like in the CFS scheme. This permits to associate a secret to a random (public) value obtained from the identity of the user. The secret and public values are then used for the Stern zero-knowledge identification scheme.

The paper is organized as follows. In Section 2 we introduce notation and definitions, while in Section 3 we recall basic facts on code-based cryptography. Section 4 is devoted to describe the public key encryption scheme of Niederreiter and the signature scheme of Courtois, Finiasz and Sendrier. The identification protocol of Stern is presented in Section 5, and next our new protocol is described in Section 6. In Section 7 we give a proof of security for our scheme in the Random Oracle Model [2].

Finally in Section 8 we give concrete parameters and conclude in Section 9.

Publication info. This is the full version of a previously publish conference extended abstract [7].

2 Notation and definitions


We first introduce some notation. If is a string, then denotes its length, while if is a set then denotes its cardinality. If then denotes the string of ones.

If is a set then denotes the operation of picking an element in uniformly at random. Unless otherwise indicated, algorithms are modelled as Probabilistic Polynomial Time (PPT) algorithms. We write to indicate that is an algorithm with inputs and by we denote the operation of running with inputs and letting be the output. We write to indicate that is an algorithm with inputs and access to oracles and by we denote the operation of running with inputs and access to oracles and letting be the output.

Provers and verifiers. An interactive algorithm is a stateful PPT algorithm that on input an incoming message (this is if the party is initiating the protocol) and state information outputs an outgoing message and updated state . The initial state contains the initial inputs of the algorithm. We say that accepts if and rejects if . An interaction between a prover and a verifier , both modelled as interactive algorithms, ends when either accepts or rejects. The expression :

denotes that and have initiated in an interaction with inputs and respectively, getting a conversation transcript and a boolean decision , with 1 meaning that accepted, and 0 meaning it rejected.

Standard identification schemes. A standard identification scheme consists of three PPT algorithms :

  • algorithm takes as input a security parameter and returns a secret key and a matching public key . We use the notation .

  • protocol, where the prover runs with initial state , while the verifier has initial state . It is required that for all and valid key pairs , the output by in any interaction between (with input and (with input is with probability one.

Standard Signatures. A standard signature scheme consists of three PPT algorithms :

  • algorithm takes as input a security parameter and returns a secret key and a matching public key . We use the notation .

  • algorithm takes as input a secret key and a message . The output is a signature . This is denoted as .

  • algorithm takes as input a public key , a message , and a signature . The output is 1 if the signature is valid, or 0 otherwise. We use the notation to refer to one execution of this algorithm.

The standard security notion for signature schemes is unforgeability against adaptively-chosen message attacks, which can be found in [19].

Identity-Based identification. An identity-based identification scheme consists of four PPT algorithms, as follows :

  • algorithm takes as input a security parameter and returns, on one hand, the system public parameters and, on the other hand, the matching master secret key , which is known only to a master entity. It is denoted as .

  • algorithm takes as inputs the master secret key and an identity , and returns a secret key . We use the notation .

  • protocol, where the prover with identity runs the interactive algorithm with initial state , and the verifier runs with initial state .

Security of IBI schemes. An IBI scheme is said to be secure against impersonation under passive attacks (imp-pa) if any adversary , consisting of a cheating prover and a cheating verifier , has a negligible advantage in the following game :

Setup The challenger takes a security parameter and runs the master key generation algorithm . It gives to the adversary and keeps the master secret key to itself. It initializes an empty list .

Phase 1 The adversary issues queries of the form

  • User key query The challenger checks whether there exists an entry in the list . If this is the case, it retrieves the user secret key . Otherwise, it runs algorithm to generate the private key corresponding to . It sends to the adversary. It includes the entry in the list .

  • Conversation query The challenger checks whether there exists an entry in the list . If this is the case, it retrieves the user secret key . Otherwise, it runs algorithm to generate the private key corresponding to . The challenger returns where .

These queries may be asked adaptively, that is, each query may depend on the answers obtained to the previous queries.

Challenge The cheating verifier outputs a target identity and its state , such that the private key for was not requested in Phase 1.

Phase 2 The cheating prover , with input , interacts with a honest verifier with input . The cheating prover is allowed to query the same oracles as in Phase 1, except that the query is not allowed. Finally, wins if the output of is accept, i.e. in .

Such an adversary is called an imp-pa adversary , and its advantage is defined as

3 Code-based cryptography


In this section we recall basic facts about code-based cryptography. We refer to the work of Sendrier [26] for a general introduction to these problems.

3.1 Hard problems

Every public key cryptosystem relies on

a hard problem. In the case of coding theory, the main hard problems used are the Bounded Decoding (BD) and Code Distinguishing (CD) problems.

Definition 3.1 (Bounded Decoding Problem)

Let and be two integers such that and a parity check matrix. represents a random binary matrix of columns, rows and of rank
Input : and

Ouput : A word such that and

Let us denote by the probability that an algorithm has in solving the above problem.

This problem was proven to be NP-complete in [3].

Definition 3.2 (Code Distinguishing Problem)

Let and be two integers such that and a parity check matrix.
Input : or .

Ouput : if , otherwise.

The description of a Goppa code of length and dimension is to be found in [22].

3.2 McEliece scheme

[Key Generation] Let be a -ary linear code -correcting of length and of dimension We denote a such code. Let a generator matrix of We will use an matrix such that  :

is public and its decomposition and a syndrome decoding algorithm for are secret. To be clearer, we recall the various sizes of the matrices :

is is is

[Encryption] Let bet the space of words with Hamming weight . For a chosen cleartext , is the cryptogram corresponding to if and only if

[Decryption] For the knowledge of the secret key allows  :

  1. to compute

  2. to find from thanks to a syndrome decoding algorithm;

  3. to find

The syndrome decoding algorithm can be, for instance, in the case of Goppa’s codes, Patterson’s algorithm (see part 8.1).

3.3 Cryptanalytic Attacks

The security of code-based cryptosystems depends on the difficulty of the following two attacks :

  • Structural Attack  : Recover the secret transformation and the description of the secret code(s) from the public matrix.

  • Ciphertext-Only Attack : Recover the original message from the ciphertext and the public key.

3.3.1 Structural Attack

While no efficient algorithm for decomposing into has been discovered yet [24], a structural attack has been discovered in [21]. This attack reveals part of the structure of a so-called weak where ’weak’ means that has been generated from a binary Goppa polynomial in a special manner. However, this attack can be avoided simply by not using such weak public keys.

Structural attacks aim at recovering the structure of the permuted code, i.e. recovering the permutation from the code and its permuted version. The underlying problem is the equivalence of codes. This problem was considered by Sendrier for which he gave a nice solution : the Support Splitting Algorithm [26].

The complexity of this algorithm is in where is the dual of the code This means that in order to resist the attack one gets two options : either starting from a large family of codes with arbitrary small hulls (the intersection of and ) or starting from a small family of codes but with a large hull.

For instance the choice of Goppa codes corresponds to the first possibility.

3.3.2 Ciphertext-Only Attack

A first analysis using the Information-Set-Decoding was done by McEliece, then by Lee and Brickell, Stern and Leon and lastly by Canteaut and Chabaud (see [6] for all references).

The Information-Set-Decoding Attack is one of the known general attacks (i.e., not restricted to specific codes) and seems to have the lowest complexity.

One tries to recover the information symbols as follows : the first step is to pick of the coordinates randomly in the hope that none of the are in error. We then try to recover the message by solving the linear system (binary or over ). Let and denote the columns picked from and respectively. They have the following relationship

If and is non-singular, can be recovered by

The computation cost of this version is where

The quantity in the average work factor is the number of operations required to solve a linear system over . As mentioned in [23], solving a binary system takes about operations. Over , it would require at least operations.

All the papers which improve the complexity only impact the cost of the Gaussian elimination. In the best improvement by Canteaut and Chabaud [6] a good approximation of the cost besides the probability factor can be taken roughly in .

Apart from these general attacks there are some attacks targeting McEliece cryptosystem using specific codes(see [28, 21, 4, 13] for exemple).

4 Signature scheme of Courtois, Finiasz and Sendrier (or CFS scheme)


Before describing the CFS scheme we first recall the Niederreiter public key cryptosystem.

4.1 Niederreiter encryption scheme

[Key Generation] Let be a binary linear code -correcting of length and of dimension Let a parity check matrix of We will use an matrix such that  :

is public and its decomposition and a syndrome decoding algorithm for are secret.

To be clearer, we recall the various sizes of the matrices :

is is is

Let bet the space of words with Hamming weight .

[Encryption] For a chosen cleartext in , is the cryptogram corresponding to if and only if

[Decryption] For the knowledge of the secret key allows  :

  1. to compute

  2. to find from thanks to a syndrome decoding algorithm;

  3. to find applying to

The syndrome decoding algorithm can be, for instance, in the case of Goppa’s codes, Patterson’s algorithm (see part 8.1).

The McEliece or the Niederreiter schemes are not naturally invertible, i.e. if one starts from a random element of and a code that we are able to decode up to , it is almost sure that we won’t be able to decode into a codeword of . This comes from the fact that the density of the whole space that is decodable is very small.

4.2 CFS signature scheme

The idea of the CFS scheme is to find parameters that make successful the strategy of picking up random elements until one is able to decode it with high probability. More precisely, given a message to sign and a hash-function with range we try to find a way to build of given weight such that For a decoding algorithm, the CFS scheme works as follows :

[Key Generation]

  1. Select , and according to the security parameter .

  2. Pick a random parity check matrix of a -binary Goppa code decoding errors.

  3. Choose a random non-singular matrix , a random permutation matrix and a hash-function .

  4. The public key is and the private key is .

  5. Set .


  1. if no was found go to 1

  2. output

[Verify] Compute and . The signature is valid if and are equal.

We get at the end an couple, such that :

Let us notice that we can suppose that has weight In [12], a proof of security in the Random Oracle Model for a modified version of the CFS scheme is given. We use the modified CFS scheme described there, and named as mCFS, as a building block for our scheme. The mCFS scheme is explained next.

4.3 Modified CFS signature scheme

[Key Generation]

  1. Select , and according to .

  2. Pick a random parity check matrix of a -binary Goppa code decoding errors.

  3. Choose a random non-singular matrix , a random permutation matrix and a hash-function .

  4. The public key is and the private key is .

  5. Set .


  1. if no was found go to 1

  2. output

[Verify]Compute and . The signature is valid if and are equals.

5 Stern’s protocol


Stern’s scheme is an interactive zero-knowledge protocol which aims at enabling a prover to identify himself to a verifier .

Let and be two integers such that . Stern’s scheme assumes the existence of a public matrix defined over the two elements field . It also assumes that an integer has been chosen. For security reasons (discussed in [30]) it is recommended that is chosen slightly below the so-called Gilbert-Varshamov bound (see [22]). The matrix and the weight are protocol parameters and may be used by several (even numerous) different provers

Each prover receives a -bit secret key (also denoted by if there is no ambiguity about the prover) of Hamming weight and computes a public identifier such that . This identifier is calculated once in the lifetime of and can thus be used for several identifications. When a user needs to prove to that he is indeed the person associated to the public identifier , then the two protagonists perform the following protocol where denotes a standard hash-function :

[Commitment Step] randomly chooses and a permutation of Then sends to the commitments , and such that  :

where denotes the hash of the concatenation of the sequences and .

[Challenge Step] sends to .

[Answer Step] Three possibilities :

  • if reveals and

  • if reveals and

  • if reveals and

[Verification Step] Three possibilities :

  • if verifies that are correct.

  • if verifies that are correct.

  • if verifies that are correct, and that the weight of is .

[Soundness Amplification Step] Iterate the above steps until the expected security level is reached.

During the fourth Step, when equals , it can be noticed that derives directly from since we have :

As proved in [30], the protocol is zero-knowledge and for a round iteration, the probability that a dishonest person succeeds in cheating is . Therefore, to get a confidence level of , the protocol must be iterated a number of times such that holds. When the number of iterations satisfies the last condition, then the security of the scheme relies on the NP complete problem SD.

By virtue of the so-called Fiat-Shamir Paradigm [15], it is possible to convert Stern’s Protocol into a signature scheme, but the resulting signature size is long (about -kbit long for security). Notice that this is large in comparison with classical signature schemes, but it is more or less close to the size of many files currently used in everyday life.

6 New Identity-based identification scheme from Stern-Niederreiter protocols


We describe now the first code-based identity-based identification method. The prover is identifying herself to the verifier. Let be the prover and of the identifier identities respectively.

[Master key generation] Let the output of the key generation algorithm of the CFS signature scheme in Section 4. Let a hash function mapping to is made public, but the decomposition of is a secret of the authority.

[Key extraction] On inputs the the decomposition of and the user’s identity the goal of the key extraction algorithm is to output such that However might not be in the target of That is to say that is not necessarily in the space of decodable elements of . That problem can be solved thanks to the following algorithm. Given a decoding algorithm for the hidden code :

  1. If no was found go to 1

  2. output

We get at the end a couple such that We can note that we have of weight or less.

[Interactive identification] We use a slight derivation of Stern’s protocol. We suppose that the prover obtained a couple verifying is set to be the prover’s public key. Identification is then performed by modifying Stern’s protocol with respect to the public key . Details follow.

[Commitment Step] chooses randomly any word of bits and a permutation of Then sends to such that  :

[Challenge Step] sends to .

[Answer Step] Three possibilities :

  • if reveals and

  • if reveals and

  • if reveals and

[Verification Step] Three possibilities :

  • if verifies that the received at the second round are correct.

  • if verifies that the received at the second round are correct. For we can note that derives directly from by  :

  • if verifies that the received at the second round have really been honestly calculated, and that the weight of is .

[Soundness Amplification Step] Iterate the commitment, challenge, answer and verification steps until the expected security is reached.

Thanks to the Fiat-Shamir heuristic [15] it is possible to derive an identity-based signature scheme from the above identity-based identification scheme. Since this is a well-known cryptographic result, we refer the reader to [15, 1] for details.

7 Proving Security of mCFS-Stern IBI scheme

Theorem 1

The IBI scheme from Section 6 is secure in the sense of imp-pa if the BD and CD problems are hard to solve.


A security reduction is obtained by adapting the proofs by Dallot [12] and Stern [31] to our setting. We build the proof following a sequence of games Game 0, Game 1, Game 0 is the original attack game, i.e the standard imp-pa game. Successive games are obtained by small modifications of the preceding games, in such a way that the difference of the adversarial advantage in consecutive games is easily quantifiable. To compute this difference, the following lemma is used :

Lemma 1

Let ,, be events defined in some probability distribution, and suppose that . Then .

Let denote the maximum number of queries that adversary makes to the hash, user keys and conversation oracles.

We want to show there exists adversaries that break the BD and CD problems respectively.

To answer hash, user key and conversation queries, three lists and are maintained. If there is no value associated with an entry in a list, we denote its output by . The list consists of tuples of the form indexed by , where is an index in , is an identity, and if . The list , consists of entries of the form . The list contains indexes associated to a message , for which the simulator is able to produce a signature on .

Game 0. This the standard imp-pa game. The master public and secret keys are obtained by running algorithm In particular, the master public key plus a hash-function , and the master secret key is , where , is a non-singular matrix and is a permutation matrix. Therefore .

Game 1.(Simulation of hash and user key queries) We change the way in which hash and user key extraction queries are answered. For hash queries of the form , there are two situations, depending on whether . If this is the case, a decodable syndrome is given as the output, and the corresponding code-word is stored, i.e. is updated with in the entry indexed by . If hash queries are simulated by taking a random element in , and then these queries are distributed as with a random oracle. Details are shown in Figure 1.

On the other hand, user key queries on are answered by choosing the special index at random, calling the hash oracle on and outputting as the resulting user secret key. Details are shown in Figure 2.

At the end of the simulation, the random oracle has output syndromes. Some of them are produced with the special index ; these syndromes are not distributed uniformly at random in , instead they have been modified as to enable responding user secret key queries. It might be then the case that adversary queried on some pair such that later is set to . This will cause an incoherence, since then the output will be a random syndrome, instead of a decodable syndrome. The latter happens with probability at most (the indexes are only defined when answering key extraction queries). Therefore,

Game 2.(Changing the master key generation algorithm) The key generation algorithm is changed so that . Then,

where is an algorithm that simulates the environment of Game 2 for if and outputs if successfully impersonates the target identity , and otherwise; and simulates the environment of Game 3 for if and outputs if successfully impersonates the target identity , and otherwise. It is easy to see that


Input: A pair
Output: A syndrome
if then  if then  ;
end return ;
else  if then  ;
end return ;

Fig. 1 - Simulation of hash queries

Input: An identity
Output: A user secret key
if then  ;
end ;
return ;

Fig. 2 - Simulation of user key queries

Game 3.(Guessing the target identity) A random index is taken. The -th hash query to is set to be , where , i.e. . The probability space is not modified, since and is non-singular, and therefore .

Game 4.(Abort the game)

Let be the target identity and target index that impersonates. If or then the challenger aborts the game. Since Game 4 is obtained by conditioning Game 3 on an independent event of probability we obtain

Game 5. (Answering conversation queries on the target identity ) We have to answer conversation queries on without knowing the code word corresponding to , i.e. such that and . We can answer these queries in expected polynomial time by using the algorithm in Theorem 3 in [31]. Roughly, the algorithm uses a resettable simulation [18]. At the beginning of each iteration of the basic identification protocol, the algorithm chooses at random one out of three cheating strategies, where each strategy allows to successfully interact with a cheating verifier with probability . In case the algorithm can not successfully interact with , it resets the adversary for the current round (see [31] for details). All in all, the probability space is not modified, and then .

Theorem 1 in [31] implies that an adversary impersonating the user with identity when running rounds of the basic protocol and with advantage for a non-negligible , can be converted into a PPT algorithm computing such that with probability . A basic calculation shows that is a solution to the BD problem with inputs and . Let be an algorithm that simulates Game 5 for the impersonating adversary using the input of the BD problem. Then,

Collecting all the probabilities

and then

The latter equation can be read as follows : a successful impersonating adversary with advantage implies a successful adversary against the BD or CD problems.

8 Efficiency Analysis


We deal here with the security our protocol and its practicality. Let us remind that in the case of Niederreiter’s cryptosystem, its security relies on the hardness of decoding of a linear code (see section 3).

8.1 Parameters and security of the scheme

The protocol has two parts : in the first part one inverts the syndrome decoding problem for a matrix in order to construct a private key for the prover and in second part one applies Stern identification protocol with the same matrix . This shows that the overall parameters of the scheme are equivalent to the security of the CFS scheme, since the security of the Stern scheme with the same matrix parameters is implicitly included in the signature scheme.

In particular the scheme has to fulfill two imperative conditions :

  1. make the computation of (defined in advance) difficult without the knowledge of the description of

  2. make the number of trials to determine the correct not too important in order to reduce the cost of the computation of .

Following [11] the Goppa codes are a large class of codes which are compatible with condition 2. Indeed, for such a code, the proportion of the decodable syndromes is about (which is a relatively good proportion). We also have to choose a relatively small

The production process will thus be iterated, about times before finding the correct But each iteration forces to compute

The decoding of the Goppa codes consists of  :

  • computing a syndrome  : binary operations;

  • computing a locator polynomial  : binary operations;

  • computing its roots  : binary operations.

We thus get a total cost for the computation of the prover’s private key of about :

The cost of an attack by decoding thanks to the split syndrome decoding is estimated to :

The choice of parameters will have to be pertinent enough to conciliate cost and security. Although less important, some sizes have also to remain reasonable  : the length of the cost of the verification and the size of that is for a Goppa code :

Following [11] we can for example take and The cost of the signature stays then relatively reasonable for a security of about The others sizes remain in that context very acceptable.

8.2 Practical values

The big difference when using the parameters associated to the CFS scheme is that the code used is very long, against for the basic Stern scheme, it dramatically develops communication costs.

In the next table we sum up for the parameters , the general parameters of the IBI and IBS schemes.

public key private key matrix size
144 144 1 Mo
communication cost key generation
500 Ko (58 rounds) 1 s

Practical values for the IBI scheme :

signature length key generation
2.2 Mo (280 rounds) 1 s

Practical values for the IBS scheme :

Reduction of the size of the public matrix : At the difference of a pure signature scheme in which one wants to be able to sign fast, in our scheme the signature is only computed once for sending it to the prover, hence the time for signing may be judged less determinant and a longer time of signature may be accepted at the cost of reducing (a little) the parameters of the public matrix.

9 Conclusion


In this paper we present and prove secure a new identity-based identification scheme based on error-correcting codes. Our scheme combines two well known schemes by Courtois-Finiasz-Sendrier and Stern. It inherits some of their practical weaknesses, such as large system parameters. Interestingly the new scheme is one of the very few existing alternatives to number theory for identity-based cryptography, and we hope that it boosts future research on this area.


  • [1] M. Bellare, C.Namprempre and G. Neven : Security proofs for identity-based authentication and signature schemes. Eurocrypt 2004, LNCS 3027 : pp 268–286, 2004.
  • [2] M. Bellare and P. Rogaway: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. ACM Conference on Computer and Communications Security 1993, pp 62–73, 1993.
  • [3] E. Berlekamp, R. McEliece and H. van Tilborg : On the inherent intractability of certain coding problems. Information Theory, IEEE Transactions on, vol. 24(3) : pp 384–386, May 1978.
  • [4] T. Berson : Failure of the McEliece public-key cryptosystem under message-resend and related-message attack. Crypto 97.
  • [5] T. Beth. and M. Frisch : Public-key Cryptography State of the Art and Future Directions. E.I.S.S. Workshop, Oberwolfach, Germany, July 3-6, 1991 Final Report LNCS.
  • [6] A. Canteaut and F. Chabaud : A new algorithm for finding minimum-weight words in a linear code : Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory, vol. 44(1) : pp 367–378, 1998.
  • [7] P.-L. Cayrel, P. Gaborit and M. Girault : Identity-based identification and signature schemes using correcting codes. WCC 2007.
  • [8] J. Cha and J. Cheon : An identity-based signature from gap Diffie-Hellman groups. PKC 2003, LNCS 2567 : pp 18–30.
  • [9] F. Chabaud : On the security of some cryptosystems based on error-correcting codes. LNCS 950 : pp 131–139, 1995.
  • [10] F. Chabaud : An identity-based encryption scheme based on quadratic residues. LNCS 2260 : pp 360–363, 2001.
  • [11] N. T. Courtois, M. Finiasz and N. Sendrier : How to achieve a McEliece-based digital signature scheme. LNCS 2248 : pp 157–174, 2001.
  • [12] L. Dallot : Towards a concrete security proof of Courtois Finiasz and Sendrier signature scheme. WEWORC 2007.
  • [13] D. Engelbert, R. Overbeck and A. Schmidt : A summary of McEliece-type cryptosystems and their security. Cryptology ePrint Archive, 2006, Report 2006/162.
  • [14] U. Feige, A. Fiat and A. Shamir : Zero-knowledge proofs of identity. J. Cryptology vol. 1(2) : pp 77-94, 1988.
  • [15] A. Fiat and A. Shamir : How to prove yourself : practical solutions to identification and signature problems. In A. Odyzko, editor, Advances in Cryptology – CRYPTO ’86, vol. 263, pp 186–194.
  • [16] M. Franklin and D. Boneh : Identity-based encryption from the Weil pairing. Advances in Cryptology-Crypto’01, 2001.
  • [17] M. Girault : A (non-practical) three-pass identification protocol using coding theory. Advances in Cryptology, Auscrypt’90. LNCS 453 : pp 265–272. Springer, 1990.
  • [18] S. Goldwasser, S. Micali and C. Rackoff : The knowledge complexity of interactive proof systems. SIAM, Journal of Computing, vol. 18 : pp 186–208, 1989.
  • [19] S. Goldwasser, S. Micali and R. Rivest : A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, vol. 17(2) : pp 281–308, April 1988.
  • [20] S. Harari : A new authentication algorithm. Coding Theory and Applications. LNCS 388 : pp 91–105. Springer, 1988.
  • [21] P. Loidreau and N. Sendrier : Weak keys in McEliece public key cryptosystem. IEEE Trans. Inf. Theory, 2001.
  • [22] F. J. McWilliams and N. J. A. Sloane : The Theory of Error-Correcting Codes. North–Holland, Amsterdam, fifth edition, 1986.
  • [23] R. J. McEliece : A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pp 114–116, 1978.
  • [24] A. Menezes, P. Oorschot and S. Vanstone : Mceliece public-key encryption. CRC Press, vol. 299, 1997.
  • [25] H. Niederreiter : Knapsack-type cryptosystems and algebraic coding theory. Prob. Contr. Inform. Theory, vol. 15 number 2 : pp 157–166, 1986.
  • [26] N. Sendrier : On the security of the McEliece public-key cryptosystem. Information Coding and Mathematics, 2002, In M. Blaum P.G. Farrell and H. van Tilborg editors, pp 141–163.
  • [27] A. Shamir : Identity-based cryptosystems and signature schemes. Advances in Cryptology-Crypto’84, 1984.
  • [28] V.M. Sidelnikov and S.O. Shestakov : On cryptosystems based on generalized Reed-Solomon codes. Diskretnaya Math, 1992, volume 4, pages 57-63.
  • [29] J. Stern : A method for finding codewords of small weight. In G. D. Cohen and J. Wolfmann, editors, Coding Theory and Applications, LNCS 288 : pp 106–113. Springer, 1988.
  • [30] J. Stern : A new identification scheme based on syndrome decoding. In D. Stinson, editor. Advances in Cryptology – CRYPTO ’93, vol. 773 : pp 13–21, 1993.
  • [31] J. Stern : A new paradigm for public key identification. IEEE Transactions on Information Theory, vol. 42 (6) : pp 1757–1768, 1996.
  • [32] X. Yi : An identity-based signature scheme from the Weil pairing. IEEE Communications Letters vol. 7(2) : pp 76–78.
  • [33] H. Yoon and J. H. Cheon and Y. Kim : Batch verifications with id-based signatures. ICISC 2004, LNCS 3506 : pp 223–248, 2005.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description