Abstract
We present two code-based identification protocols and signature schemes in the rank metric, providing detailed pseudocode and selecting practical parameters. The proposals are derived from their analogue in the Hamming metric. We discuss their security in the post-quantum scenario. With respect to other signature schemes based on codes, our constructions maintain a similar efficiency, possess large but still practical signatures, and the smallest key and public key sizes.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Here decoding is referring to the half distance decoding scenario (with \(n \approx 2k\)), which is the one of interest in the cryptographic setting.
- 2.
Recall that the bounds provides d and than \(t=\left\lfloor (d-1)/2 \right\rfloor \).
- 3.
Recall that RankSign scheme has been proven to be broken with the above mentioned parameters.
References
ISO/IEC 9798–5:2009 Information technology - Security techniques - Entity authentication - Part 5: Mechanisms using zero-knowledge techniques, December 2009. https://www.iso.org/standard/50456.html
El Yousfi Alaoui, S.M., Cayrel, P.-L., El Bansarkhani, R., Hoffmann, G.: Code-based identification and signature schemes in software. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 122–136. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40588-4_9
Aragon, N., Gaborit, P., Hauteville, A., Tillich, J.P.: Improvement of generic attacks on the rank syndrome decoding problem (2017)
Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Using LDGM codes and sparse syndromes to achieve digital signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 1–15. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_1
Barreto, P.S., Misoczki, R., Simplicio Jr., M.A.: One-time signature scheme from syndrome decoding over generic error-correcting codes. J. Syst. Softw. 84(2), 198–204 (2011)
Berger, T.P., Cayrel, P.-L., Gaborit, P., Otmani, A.: Reducing key length of the McEliece cryptosystem. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 77–97. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_6
Bernstein, D.J.: Grover vs. McEliece. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 73–80. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_6
Boneh, D., et al.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Cayrel, P.-L., Véron, P., El Yousfi Alaoui, S.M.: A zero-knowledge identification scheme based on the q-ary Syndrome decoding problem. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 171–186. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_12
Chabaud, F., Stern, J.: The cryptographic security of the syndrome decoding problem for rank distance codes. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 368–381. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034862
Chen, L., et al.: Report on Post-quantum Cryptography (2016). https://doi.org/10.6028/NIST.IR.8105
Courtois, N.T., Finiasz, M., Sendrier, N.: How to achieve a McEliece-based digital signature scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 157–174. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_10
Dagdelen, Ö., Galindo, D., Véron, P., Alaoui, S.M.E.Y., Cayrel, P.L.: Extended security arguments for signature schemes. Des. Codes Cryptogr. 78(2), 441–461 (2016)
Debris-Alazard, T., Tillich, J.P.: An attack on a NIST proposal: RankSign, a code-based signature in rank metric. arXiv preprint arXiv:1804.02556 (2018)
Faugère, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 279–298. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_14
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Finiasz, M.: Parallel-CFS. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 159–170. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_11
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_6
Gabidulin, E.M.: Theory of codes with maximum rank distance. Probl. Peredachi Informatsii 21(1), 3–16 (1985)
Gaborit, P., Ruatta, O., Schrek, J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62(2), 1006–1019 (2016)
Gaborit, P., Ruatta, O., Schrek, J., Zémor, G.: RankSign: an efficient signature algorithm based on the rank metric. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 88–107. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_6
Gaborit, P., Schrek, J., Zémor, G.: Full cryptanalysis of the Chen identification protocol. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 35–50. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_3
Gaborit, P., Zémor, G.: On the hardness of the decoding and the minimum distance problems for rank codes. IEEE Trans. Inf. Theory 62(12), 7245–7252 (2016)
Google: A preview of Bristlecone, Google’s new quantum processor (2018). https://research.googleblog.com/2018/03/a-preview-of-bristlecone-googles-new.html
Kabatianskii, G., Krouk, E., Smeets, B.: A digital signature scheme based on random error-correcting codes. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 161–167. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024461
Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
Landais, G., Tillich, J.-P.: An efficient attack of a McEliece cryptosystem variant based on convolutional codes. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 102–117. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_7
Lee, W., Kim, Y.S., Lee, Y.W., No, J.S.: Post quantum signature scheme based on modified Reed-Muller code, Post-Quantum Cryptography, Round 1 Submissions, November 2017. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions
Loidreau, P.: Properties of codes in rank metric. arXiv preprint cs/0610057 (2006)
Loidreau, P.: A new rank metric codes based encryption scheme. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 3–17. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_1
Löndahl, C., Johansson, T.: A new version of McEliece PKC based on convolutional codes. In: Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, pp. 461–470. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34129-8_45
May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9
Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 376–392. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_24
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Control Inf. Theory 15(2), 159–166 (1986)
NIST: Call for proposals (2018). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization/Call-for-Proposals
NIST: Round 1 submissions (2018). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions
Ourivski, A.V., Johansson, T.: New technique for decoding codes in the rank metric and its cryptography applications. Prob. Inf. Trans. 38(3), 237–246 (2002)
Phesso, A., Tillich, J.-P.: An efficient attack on a code-based signature scheme. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 86–103. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_7
Roy, P.S., Xu, R., Fukushima, K., Kiyomoto, S., Morozov, K., Takagi, T.: Supporting documentation of RaCoSS, post-Quantum Cryptography, Round 1 Submissions (2017). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions
Sendrier, N.: Code-based cryptography: state of the art and perspectives. IEEE Secur. Priv. 15(4), 44–50 (2017)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850
Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2
Umana, V.G., Leander, G.: Practical key recovery attacks on two McEliece variants. In: International Conference on Symbolic Computation and Cryptography-SCC, vol. 2010, p. 62 (2010)
Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
Levy-dit Vehel, F., Perret, L.: Algebraic decoding of rank metric codes. In: Proceedings of YACC (2006)
Véron, P.: Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1997)
Wachter-Zeh, A.: Decoding of block and convolutional codes in rank metric. Ph.D. thesis, Universität Ulm (2013)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Key and Signature Size Derivation for Other Code-Based Signature Schemes
A Key and Signature Size Derivation for Other Code-Based Signature Schemes
As far as it concerns Parallel-CFS, we recall that the scheme is defined by the parameters \(m,t,\delta ,i\), which yield a code of length \(n=2^m\) and dimension \(k = 2^m-mt\). The parameter t is the correction capability of the underlying Goppa code and also the degree of its defining polynomial g over \(\mathbb {F}_{2^m}\). The parameter i is the number of parallel hashes, which also determines the linear increase of the signature time and size with respect to the original scheme. The parameter \(\delta \) can be thought of as the increase that needs to be added to t in order for \(t+\delta \) to provide complete decoding. The public key is a hidden \(mt \times n\) parity-check matrix \(H \in \{0,1\}^{mt \times n}\) in systematic form of the Goppa code, which can then be represented using \((n-k)k = mt(2^m-mt)\) bits. The private key has size \(mt + mn\), since it is formed by g and the so called support \((\alpha _1,\ldots ,\alpha _n) \in (\mathbb {F}_{2^m})^n\) of the code. There are shortening techniques that can be used to represent the signature, depending on whether a larger signature or a slower scheme is desired. To obtain fast signature verification, a possible trade-off gives a size of \(i \log _2 \left( {\begin{array}{c}n\\ t+\delta -1\end{array}}\right) \) bits. To obtain short signatures with a longer verification, a possible trade-off gives a size of \(i \log _2 \left( {\begin{array}{c}n/m\\ t+\delta -3\end{array}}\right) \) bits. We report the two extremes presented in [17] for a security of at least 80 bits. For higher security levels or for the post-quantum scenario the key sizes become prohibitive.
The code parameters of RaCoSS are the length of the code n, its dimension k, its minimum distance \(\omega \), and a real constant \(\gamma \). The private and the public key of RaCoSS scheme are, respectively, a \(n \times n\) and a \((n-k) \times n\) binary matrix. The signature is composed by the elements z and c of size n bits each. The authors also use a compression technique to reduce the size of the secret key to \(n\omega \lceil \log _2 n \rceil \) and the signature to \(n+\lfloor \gamma \omega \rfloor \lceil \log _2 n \rceil \).
The parameters of the RankSign scheme are the cardinality q of the base field, the length n, the dimension k, and the weight d of the LRPC code, the extension degree m, the number t of random columns added to the LRPC code to obtain the augmented LRPC code, the rank weight \(t'\) of the error, and the rank weight r of the signature of a message. The public key is given by a parity-check matrix in systematic form of size \((n-k)\times (n+t)\), with entries in \(\mathbb {F}_{q^m}\), which can be represented with \((n-k)(t+k)m\lceil \log _2 q\rceil \) bits. The secret key is composed by 3 matrices of size \((n-k)\times (n-k)\), \((n+t)\times (n+t)\), and \((n-k)\times (n+t)\), for a total size of \(((n-k)^2 + (n+t)^2 + (n-k)(n+t))m\log _2 q\). The signature has size \(r(m+n+t)\lceil \log _2 q\rceil \).
The parameters of pqsignRM are the integers r, m defining the Reed-Mueller code of length \(n=2^m\) and dimension \(k = \sum _{i=0}^r \left( {\begin{array}{c}m\\ i\end{array}}\right) \), a positive integer p as the puncturing parameter, and the error weight parameter w. The public key is a binary \((n-k) \times n\) parity-check matrix in systematic form, thus requiring \((n-k)k\) bits for its representation. The secret key is made by 3 binary matrices of size, respectively, \((n-k)\times (n-k)\), \(n \times n\), and \(p \times (n-p)\), plus a vector of size \(n-k\). The signature is given by a vector e of n bits and integer \(i<2^{128}\).
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Bellini, E., Caullery, F., Hasikos, A., Manzano, M., Mateu, V. (2018). Code-Based Signature Schemes from Identification Protocols in the Rank Metric. In: Camenisch, J., Papadimitratos, P. (eds) Cryptology and Network Security. CANS 2018. Lecture Notes in Computer Science(), vol 11124. Springer, Cham. https://doi.org/10.1007/978-3-030-00434-7_14
Download citation
DOI: https://doi.org/10.1007/978-3-030-00434-7_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00433-0
Online ISBN: 978-3-030-00434-7
eBook Packages: Computer ScienceComputer Science (R0)