1 Introduction

Public key management is one of the most critical issues in multi-party communication and public key cryptography. In 1984, Shamir [24] introduced identity-based public key cryptography, which greatly simplifies the management of public keys for the authentication of users. The key point is that the public key of a user can be his identity id, i.e., public information about that user such as a name, a phone number, or an e-mail address. It is therefore very appealing to give the fundamental cryptographic primitives, i.e., identification protocols and digital signatures, the same advantage [4, 15, 18].

With identity-based identification and signature (IBI/IBS) schemes, people can prove their identities and the authenticity of their messages to others without specific public keys [15]. After identity initialization, no further interaction with the authority is required during identity verification. A list of valid identities is not necessary, and a practically unlimited number of identities can join the system. Meanwhile, the confidentiality and integrity of the identity are preserved regardless of the number of verifications. This makes it possible to digitize identity cards, passports, credit cards and the other indispensable identity tools of modern society with availability and provable security.

At the same time, with the development of quantum computers and other attacks on the integer factoring and discrete logarithm problems [3, 27], code-based cryptography is one of the few alternatives believed to remain secure under such circumstances. McEliece [20] proposed the first code-based public key cryptosystem in 1978. Since then, following the principle of not putting all eggs in one basket, a wide range of code-based cryptographic primitives has been proposed, such as digital signatures, identification protocols and hash functions [21]. Moreover, compared to traditional cryptosystems, many of them also have the advantage of fast computation [11, 21]. In 2009, Cayrel et al. [7] proposed the first code-based IBI/IBS schemes, the mCFS-Stern scheme. It can be regarded as a combination of the CFS signature scheme [9] and the Stern identification protocol [25, 26]. Several improved mCFS-Stern schemes have been proposed since then [2, 28].

However, with the development of code-based cryptanalysis, security and efficiency issues with the mCFS-Stern scheme have arisen. Firstly, Faugère et al. [12] developed a high-rate distinguisher for Goppa codes, so the security proof of the mCFS-Stern scheme is invalidated. Secondly, Bleichenbacher [17] showed an attack based on the Generalized Birthday Algorithm [19]. It decreases the security level from \(2^\frac{mt}{2}\) to \(2^\frac{mt}{3}\), so larger parameters are required to maintain a target security level such as \(2^{80}\). Thirdly, the other improved mCFS-Stern schemes, which either use quasi-dyadic Goppa codes in the user key extraction algorithm [2] or modify the Stern protocol so that the cheating probability of each round is reduced from \(\frac{2}{3}\) to \(\frac{1}{2}\) [1, 8], are vulnerable to the very recent structural attack on quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes [13].

Our Contribution. In this paper, we first propose provably secure identity-based identification and signature schemes with the PVR signature technique [23] applied in the user key extraction algorithm. The proof does not rely on the indistinguishability between a binary Goppa code and a random code, which is required in the CFS signature scheme and has been invalidated by the distinguisher. Moreover, we present the parallel-PVR technique, inspired by the parallel-CFS technique [16]. It decreases the parameter values while maintaining the standard security level, which used to be strongly affected by the Bleichenbacher attack; it may also be of independent interest for code-based digital signatures. Finally, we adapt the Or-proof technique [18, 28] to our schemes so that they are secure against impersonation under active and concurrent attacks (id-imp-ca) instead of only passive attacks (id-imp-pa). Currently, our schemes are the only code-based IBI/IBS schemes that are provably secure, and they also achieve better efficiency than the mCFS-Stern scheme.

The paper is organized as follows: In Sect. 2, we provide some preliminaries. We propose basic provably secure IBI/IBS schemes from code assumptions in Sect. 3. In Sect. 4, we further optimize our schemes with parallel-PVR and improve their security level. We discuss the parameters in Sect. 5 and conclude in Sect. 6.

2 Preliminaries

In this section, we first provide some background and notation for code-based cryptography and then review the definition of identity-based identification and signature schemes.

2.1 Code-Based Cryptography

Let C denote a binary linear error-correcting code of length \(n = 2^m\) and dimension k; an [n, k] code is a subspace of dimension k of \(\mathbb {F}^n_2\). The elements of C are called codewords. A generator matrix G of an [n, k] code C is a matrix whose rows form a basis of C. A parity check matrix H of C is an \((n - k) \times n\) matrix whose rows form a basis of the orthogonal complement of C. The syndrome of a vector \(x \in \mathbb {F}^n_2\) with respect to H is the vector \(Hx^T \in \mathbb {F}^{n-k}_2\). The error correcting capability of the code is \(t \leqslant \lfloor \frac{d-1}{2} \rfloor \), where d is the minimum Hamming distance of C. The Hamming distance between two words is the number of coordinates in which they differ. The Hamming weight of a vector x, written wt(x), is the number of its non-zero entries. We use the symbol \(\xleftarrow {\$}\) to denote uniformly random selection, and the symbol \(\Vert \) to denote concatenation.

The Bounded Decoding Problem (BD). Let n and k be two positive integers with \(n \geqslant k\).

  • Input. \(s \xleftarrow {\$} \mathbb {F}^{n-k}_2\), \(\omega = \frac{n-k}{\log _2n}\), and \(H \xleftarrow {\$} \mathbb {F}^{(n-k) \times n}_2\).

  • Find. A word \(x \in \mathbb {F}^n_2\) such that wt(x) \( \leqslant \omega \) and \(Hx^T = s\).

The BD problem was shown to be NP-complete in [5]. The hardness assumption is that the advantage of any probabilistic polynomial-time (PPT) algorithm in solving the BD problem for an [n, k] code is negligible.

Randomized Courtois-Finiasz-Sendrier Signature Scheme. Courtois et al. [9] proposed the first practical code-based signature scheme, the CFS scheme. Dallot [10] proposed a randomized variant, mCFS, and proved that mCFS is strongly unforgeable under chosen message attack under the assumptions accepted at that time. The scheme works as follows:

  • Key Generation. Set \(t = \frac{n-k}{\log _2n}\). The private key consists of an \((n - k) \times n\) parity check matrix H of a t-error correcting Goppa code, a non-singular \((n - k) \times (n - k)\) matrix Q and an \(n \times n\) permutation matrix P. The public key is the \((n - k) \times n\) matrix \(\tilde{H} = QHP\).

  • Sign.

    1. \(i \xleftarrow {\$} \mathbb {F}^{n-k}_2\).

    2. Use the decoding algorithm to decode \(Q^{-1}h(m\Vert i)\), where h is a cryptographic hash function and m is the message to be signed.

    3. If the decoding fails (\(x' = \bot \)), go back to step 1. About t! decodings are needed on average.

    4. Output \((i, x = x'P)\).

  • Verify.

    1. Compute \(s' = \tilde{H}x^T\) and \(s = h(m\Vert i)\).

    2. If \(s' = s\) and wt(x) \(\leqslant t\), the signature is valid; otherwise return false.
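
The following toy implementation is added here as an illustration of the counter-based signing loop and the verification check above (and of the user key extraction of the mCFS-Stern scheme below, which simply signs the identity); it is not code from [9, 10] or from this paper. A random parity check matrix with a brute-force bounded decoder stands in for the Goppa code and its decoder, so there is no trapdoor and the masking by Q and P is omitted; the sizes n = 16, n − k = 8, t = 2 and the sample message are constructed for the example.

```python
import hashlib
import itertools
import random

N, R, T = 16, 8, 2  # toy sizes: n = 2^m with m = 4, n - k = mt = 8, t = 2 (CFS uses m around 16-20)

def weight(v):  # Hamming weight of an n-bit int
    return bin(v).count("1")

def syndrome(H, x):  # H x^T over F_2; rows of H and x are n-bit ints, bit j = coordinate j
    return sum((weight(row & x) & 1) << i for i, row in enumerate(H))

def bounded_decode(H, s, t=T):
    """Return x with wt(x) <= t and H x^T = s, or None if no such x exists.
    Brute force over all low-weight patterns stands in for the Goppa decoder; like
    it, this only succeeds on syndromes that have a low-weight preimage."""
    for w in range(t + 1):
        for positions in itertools.combinations(range(N), w):
            x = sum(1 << p for p in positions)
            if syndrome(H, x) == s:
                return x
    return None

def hash_to_syndrome(msg, i):  # h(m || i), truncated to n - k bits
    digest = hashlib.sha256(msg + i.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << R) - 1)

def sign(H, msg, rng):
    """mCFS signing loop: draw counters i until h(m || i) is decodable.
    Returns the signature (i, x) and the number of decoding attempts."""
    attempts = 0
    while True:
        attempts += 1
        i = rng.getrandbits(R)
        x = bounded_decode(H, hash_to_syndrome(msg, i))
        if x is not None:
            return (i, x), attempts

def verify(H, msg, sig):
    """Valid iff wt(x) <= t and H x^T = h(m || i)."""
    i, x = sig
    return weight(x) <= T and syndrome(H, x) == hash_to_syndrome(msg, i)

def decodable_fraction(H):
    """Share of the 2^(n-k) syndromes that decode, roughly C(n, t) / 2^(n-k) ~ 1/t!;
    its inverse is the expected number of decoding attempts per signature."""
    reached = {syndrome(H, sum(1 << p for p in pos))
               for w in range(T + 1) for pos in itertools.combinations(range(N), w)}
    return len(reached) / 2 ** R

def demo(seed=2024):
    rng = random.Random(seed)
    H = [rng.getrandbits(N) for _ in range(R)]  # random matrix standing in for the masked Goppa code
    msg = b"alice@example.org"                   # constructed sample message: an identity, as in UKGen
    sig, attempts = sign(H, msg, rng)
    return H, msg, sig, attempts
```

With these sizes at most 1 + 16 + 120 = 137 of the 256 syndromes decode, i.e. close to 1/t! = 1/2, so demo() typically needs about two decoding attempts; at real CFS sizes the same loop costs about t! Goppa decodings per signature, which is why t is kept small and why the counter i has to be part of the signature.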

The security reduction of the scheme relies on the indistinguishability between a binary Goppa code and a random code, which is invalidated by the high-rate distinguisher for Goppa codes [12]. Recently, Mathew et al. [23] proposed the PVR signature scheme, which alters the key construction of CFS and comes with a formal proof that does not need this assumption. Meanwhile, Bleichenbacher [17] showed an attack that forces the CFS parameters m and t to be increased to keep the same security level. Finiasz proposed parallel-CFS [16], which resists this attack by performing multiple complete-decoding-based signing processes.

The Stern Identification Scheme. Stern [25, 26] proposed a standard identification scheme based on error-correcting codes. Let H be a public random \((n - k) \times n\) matrix over \(\mathbb {F}_2\). Each user P receives a secret key x of n bits with wt(x) \(= t\); the public key of P is \(s = Hx^T\). To prove to a verifier V that the prover P is the user corresponding to the public key s, P runs the following identification protocol with his secret key x:

  • Commitment. P randomly chooses \(y \in \mathbb {F}^n_2\) and a permutation \(\sigma \) of \(\{1,2,\cdots ,n\}\). P sends to V the commitments \(c_1\), \(c_2\), and \(c_3\) such that: \(c_1 = h(\sigma \Vert Hy^T); c_2 = h(\sigma (y)); c_3 = h(\sigma (y \oplus x))\), where h denotes a cryptographic hash function.

  • Challenge. V sends a random challenge \(b \in \{0,1,2\}\) to P.

  • Answer.

    • If \(b = 0\) : P reveals y and \(\sigma \).

    • If \(b = 1\) : P reveals \((y \oplus x)\) and \(\sigma \).

    • If \(b = 2\) : P reveals \(\sigma (y)\) and \(\sigma (x)\).

  • Verification.

    • If \(b = 0\) : V verifies that \(c_1\), \(c_2\) have been honestly calculated.

    • If \(b = 1\) : V verifies that \(c_1\), \(c_3\) have been honestly calculated.

    • If \(b = 2\) : V verifies that \(c_2\), \(c_3\) have been honestly calculated, and wt(\(\sigma (x)\)) is t.

  • Repeat. Repeat the above four steps \(\gamma \) times so that the expected security level is reached.

Remark 1

During the verification step, if b equals 1, \(Hy^T\) can be directly derived from \(H(y \oplus x)^T\) through: \(Hy^T = H(y \oplus x)^T \oplus Hx^T = H(y \oplus x)^T \oplus s\).

Theorem 1

The Stern identification protocol (P, V) is a proof of knowledge system with knowledge error \((\frac{2}{3})^\gamma \)[26].

2.2 Identity-Based Identification and Signature

In this section, we review the definition and security model of identity-based identification schemes (IBI) following [4, 28]. An identity-based signature scheme (IBS) can be derived from an IBI scheme through the Fiat-Shamir heuristic [15].

IBI Definition. An identity-based identification scheme \(\mathcal {IBI}\) = (MKGen, UKGen, \(\overline{\mathrm {P}}\), \(\overline{\mathrm {V}}\)) consists of four PPT algorithms as follows:

  • Master key generation algorithm (MKGen). It takes 1\(^\kappa \) as input, where \(\kappa \) is the security parameter. It returns a pair consisting of the system public parameters mpk and the master secret key msk, which is known only to the master entity.

  • User key extraction algorithm (UKGen). It takes msk and an identity \(id \in \{0,1\}^*\) as inputs. It returns a user secret key usk[id].

  • Interactive identification protocol ( \(\overline{\mathrm {P}}\) , \(\overline{\mathrm {V}}\) ). The prover P with identity id runs algorithm \(\overline{\mathrm {P}}\) with initial state usk[id], and the verifier V runs \(\overline{\mathrm {V}}\) with input (mpk, id). The protocol ends when \(\overline{\mathrm {V}}\) returns ‘accept’ or ‘reject’.

Completeness: For all \(\kappa \in \mathbb {N}, ~id \in \{0,1\}^*, ~(mpk, msk) \leftarrow \) MKGen(1\(^\kappa \)), and \(usk[id] \leftarrow \) UKGen(msk, id), the protocol between \(\overline{\mathrm {P}}\) with initial state usk[id] and \(\overline{\mathrm {V}}\) with (mpk, id) always ends with \(\overline{\mathrm {V}}\) outputting ‘accept’.

Security Models. There are three security models: impersonation under passive (id-imp-pa), active (id-imp-aa), and concurrent (id-imp-ca) attacks. In id-imp-pa the adversary can only observe conversations between P and V, whereas in id-imp-aa/ca the adversary acts as a malicious V communicating with P. In id-imp-ca the adversary may issue proving queries concurrently, instead of only one interaction at a time as in id-imp-aa. The formal definitions will be given in the full paper due to the page limitation.

Code-Based IBI Schemes. Cayrel et al. [7] proposed the first IBI scheme from code assumptions with a security proof. It combines the mCFS signature scheme and the Stern identification protocol (mCFS-Stern) as follows:

  • MKGen. Set mpk and msk to the public parameters and the private key of the mCFS scheme, respectively.

  • UKGen. Generate an mCFS signature (i, x) on the identity id. Set usk[id] = (i, x).

  • Interactive identification protocol. P first sends i to V. Then P is initialized with x and V is initialized with \(h(id\Vert i)\), and P runs the Stern identification protocol with V.

Cayrel et al. [7] showed that the mCFS-Stern scheme is id-imp-pa secure. Moreover, Yang et al. [28] proved that the scheme is also id-imp-aa secure. To achieve id-imp-ca security, Yang et al. also proposed a new variant of the mCFS-Stern scheme that introduces the OR-proof technique [18].

Theorem 2

Yang’s identification protocol (P, V) is a proof of knowledge system with knowledge error \((\frac{2}{3})^\gamma \) [28].

Remark 2

It should be noted that the user key extraction of the mCFS-Stern scheme cannot resist the Bleichenbacher attack, and that its security proof relies on the indistinguishability between a binary Goppa code and a random code, which has already been invalidated.

Fiat-Shamir Heuristic and IBS Schemes. According to Bellare et al. [4], identity-based signature (IBS) schemes can be constructed either from convertible standard signature schemes or from IBI schemes through the Fiat-Shamir heuristic. Unfortunately, code-based signature schemes such as mCFS are not convertible, since no trapdoor-samplable relation has been found that fits the key generation of the existing schemes. Therefore, we adopt the latter method to construct our IBS schemes.

Fiat and Shamir [15] proposed a general paradigm to derive a secure signature scheme from an identification scheme. Specifically, given an identification scheme with commitment \(\alpha \), challenge \(\beta \) and response \(\gamma \), the signature on a message m is the transcript (\(\alpha \), \(\beta \), \(\gamma \)), where \(\beta = h(\alpha , m)\) and h is a cryptographic hash function. The verifier checks the signature as V does in the identification scheme. This paradigm will be used to derive the IBS schemes from our IBI schemes without security loss [22].
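
As an added example, not code from [25, 26] or from this paper, the following Python implements the Stern protocol of Sect. 2.1 (commitment, challenge, answer and verification, including the shortcut of Remark 1) and its Fiat-Shamir conversion described above, on a toy random code of length n = 32 with n − k = 16 and secret weight t = 3, with SHA-256 as the commitment hash h. It also implements a prover who does not know x and bets on the one challenge value it will not receive: such a prover passes exactly the other two challenges, which is the 2/3 knowledge error per round of Theorem 1 and the reason \(\gamma \) rounds are needed. The code sizes, the commitment encoding and the way the \(\gamma \) challenges are expanded from \(h(\alpha , m)\) are choices made for this example.

```python
import hashlib
import random

N, R, T = 32, 16, 3  # toy code: length n, n - k parity rows, secret weight t (far below real sizes)

def weight(v):  # Hamming weight of an n-bit int
    return bin(v).count("1")

def syndrome(H, x):  # H x^T over F_2; rows of H and x are n-bit ints, bit j = coordinate j
    return sum((weight(row & x) & 1) << i for i, row in enumerate(H))

def permute(sigma, v):  # sigma(v): the bit at coordinate j moves to coordinate sigma[j]
    return sum(((v >> j) & 1) << sigma[j] for j in range(len(sigma)))

def com(*parts):  # commitment h(.) over a canonical encoding of its arguments
    return hashlib.sha256(repr(parts).encode()).digest()

def keygen(seed):  # seeded RNG, public random H, secret x of weight t, public syndrome s = H x^T
    rng = random.Random(seed)
    H = [rng.getrandbits(N) for _ in range(R)]
    x = sum(1 << p for p in rng.sample(range(N), T))
    return H, x, syndrome(H, x), rng

def prover_commit(H, x, rng):
    """Commitment step: c1 = h(sigma || H y^T), c2 = h(sigma(y)), c3 = h(sigma(y xor x))."""
    y, sigma = rng.getrandbits(N), tuple(rng.sample(range(N), N))
    return (y, sigma), (com(sigma, syndrome(H, y)), com(permute(sigma, y)), com(permute(sigma, y ^ x)))

def prover_answer(x, state, b):  # answer step for challenge b in {0, 1, 2}
    y, sigma = state
    return [(y, sigma), (y ^ x, sigma), (permute(sigma, y), permute(sigma, x))][b]

def verifier_check(H, s, coms, b, answer):
    c1, c2, c3 = coms
    try:
        if b == 0:
            y, sigma = answer
            return c1 == com(sigma, syndrome(H, y)) and c2 == com(permute(sigma, y))
        if b == 1:
            w, sigma = answer  # w = y xor x; Remark 1: H y^T = H w^T xor s, so V never needs y
            return c1 == com(sigma, syndrome(H, w) ^ s) and c3 == com(permute(sigma, w))
        sy, sx = answer        # sigma(y), sigma(x): the weight of x is checked without revealing x
        return c2 == com(sy) and c3 == com(sy ^ sx) and weight(sx) == T
    except TypeError:          # answer not of the shape expected for challenge b
        return False

def run_identification(H, x, s, rounds, rng):  # honest interactive run, random challenge per round
    def one_round():
        state, coms = prover_commit(H, x, rng)
        b = rng.randrange(3)
        return verifier_check(H, s, coms, b, prover_answer(x, state, b))
    return all(one_round() for _ in range(rounds))

def solve_syndrome(H, s):
    """Some u with H u^T = s and no weight bound, by Gaussian elimination (BD is hard only because of the bound)."""
    rows, pivots = [(H[i], (s >> i) & 1) for i in range(R)], []
    for col in range(N):
        r = len(pivots)
        piv = next((i for i in range(r, R) if (rows[i][0] >> col) & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        rows = [(a ^ rows[r][0], c ^ rows[r][1]) if i != r and (a >> col) & 1 else (a, c)
                for i, (a, c) in enumerate(rows)]
        pivots.append(col)
    if any(c for _, c in rows[len(pivots):]):
        raise ValueError("H u^T = s has no solution")
    return sum(c << col for (_, c), col in zip(rows, pivots))

def cheater_commit(H, s, guess, rng):
    """Prover without x betting the challenge will not be `guess`; its fake key v has the right syndrome or the right weight, never both."""
    y, sigma = rng.getrandbits(N), tuple(rng.sample(range(N), N))
    v = solve_syndrome(H, s) if guess == 2 else sum(1 << p for p in rng.sample(range(N), T))
    # guess 0: commit H(y xor v)^T xor s as "H y^T", which matches what V recomputes for b = 1 but not y itself
    s1 = syndrome(H, y ^ v) ^ s if guess == 0 else syndrome(H, y)
    return (y, sigma), v, (com(sigma, s1), com(permute(sigma, y)), com(permute(sigma, y ^ v)))

def cheater_table(H, s, rng):  # for each guess g, which challenges b the cheater survives (expected: b != g)
    table = {}
    for g in range(3):
        state, v, coms = cheater_commit(H, s, g, rng)
        table[g] = [verifier_check(H, s, coms, b, prover_answer(v, state, b)) for b in range(3)]
    return table

def fs_challenges(all_coms, msg, rounds):  # beta = h(alpha, m), expanded to gamma challenges in {0, 1, 2}
    seed = hashlib.sha256(repr(all_coms).encode() + msg).digest()
    return [int.from_bytes(hashlib.sha256(seed + j.to_bytes(2, "big")).digest(), "big") % 3
            for j in range(rounds)]

def fs_sign(H, x, msg, rounds, rng):  # Fiat-Shamir signature: the transcript (alpha, beta, gamma)
    states, all_coms = zip(*[prover_commit(H, x, rng) for _ in range(rounds)])
    chals = fs_challenges(all_coms, msg, rounds)
    return all_coms, [prover_answer(x, st, b) for st, b in zip(states, chals)]

def fs_verify(H, s, msg, sig):  # recompute beta from alpha and m, then check every round as V does
    all_coms, answers = sig
    chals = fs_challenges(all_coms, msg, len(all_coms))
    return len(all_coms) == len(answers) and all(
        verifier_check(H, s, c, b, a) for c, b, a in zip(all_coms, chals, answers))
```

For guesses 0 and 1 the cheater fails its fatal challenge because a random weight-t vector does not have syndrome s; for guess 2 it fails because the vector obtained by linear algebra does not have weight t, which is exactly the gap between the easy unbounded problem and the BD problem. Signing a message with the wrong secret, or verifying a signature against a different message, changes the recomputed challenges and is rejected.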

3 Provably Secure IBI/IBS Schemes

In this section, we propose a provably secure identity-based identification scheme, the PVR-Stern scheme. It is id-imp-pa secure, and thanks to the PVR signature technique its security reduction no longer depends on the indistinguishability between Goppa codes and random codes. The scheme is as follows:

  • Master key generation. Based on the input parameter \(1^\kappa \), choose parameters n, k, \(t = \frac{n-k}{\log _2 n}\), \(n' = n -k + 1\), and a cryptographic hash function \(\mathcal {G}: \mathbb {F}_2^{n-k} \times \{0, 1\}^* \rightarrow \mathbb {F}_2^{n'}\). Select an \((n - k) \times n\) parity check matrix H of a t-error correcting binary Goppa code. Select an \(n \times n\) permutation matrix P. Select a vector \(a \xleftarrow {\$} \mathbb {F}^{n'}_2\) and a vector \(b \xleftarrow {\$} \mathbb {F}^{n}_2\). Compute an \((n - k) \times n'\) matrix \(H'\) such that \(H'a^T = 0\). Select a full-rank matrix \(Q' \xleftarrow {\$} \mathbb {F}^{n'\times (n-k)}_2\) such that the \((n - k) \times (n - k)\) matrix \(Q = H'Q'\) is invertible. Generate the \(n' \times n\) parity check matrix \(\tilde{H} = Q'HP\oplus a^Tb\). If \(\tilde{H}\) is not full-rank, choose another b and regenerate \(\tilde{H}\) until it is. The master secret key is \(msk = (H, P, Q, H')\) and the master public parameters are \(mpk = (\tilde{H}, n, k, t, n', \mathcal {G})\).

  • User key extraction. Select \(i \xleftarrow {\$} \mathbb {F}_2^{n-k}\). Use the decoding algorithm to decode \(Q^{-1}H'\mathcal {G}(i, id)^T\). If no decoding result \(x'\) is found, select a new i and retry. When \(x'\) is found, set \(x = P^Tx'\), with wt(x) at most t. The user public key is \(\mathcal {G}(i, id)\), and the corresponding user secret key usk[id] is x.

  • Interactive identification protocol. P first sends i to V. Then P is initialized with x and V is initialized with \(\mathcal {G}(i, id)\), and P runs the Stern identification protocol with V.

3.1 Security

Theorem 3

The PVR-Stern scheme is secure against impersonation under passive attacks in the random oracle model.

Proof

The proof adapts the reductions for the mCFS-Stern scheme [7] and the PVR signature scheme [23]. We give only a sketch due to the page limitation; the detailed proof will appear in the full paper.

The proof proceeds through a sequence of games. Game 0 is the standard id-imp-pa game, so \(\Pr [X_0]\) = Adv\(_{\mathcal {A}}^{\mathrm {id-imp-pa}}(\kappa )\). Game 1 simulates the hash oracle for \(\mathcal {G}\) and the user key extraction oracle; an inconsistency between the two simulations causes a failure with negligible probability \(\epsilon \), so \(|\Pr [X_0] - \Pr [X_1]| \leqslant \epsilon \). Game 2 changes the user key extraction algorithm: it replaces H with R and \(\tilde{H}\) with \(R'\), where \(R'^T = [R^T|z^T]\), \(R \xleftarrow {\$} \mathbb {F}_2^{(n-k) \times n}\), and \(z \xleftarrow {\$} \mathbb {F}_2^n\). The adversary \(\mathcal {A}\) can tell Game 2 from Game 1 only by distinguishing the random matrix \(R'\) from \(\tilde{H}\). Since a, b and \(H'\) are secret and b cannot be recovered from \(\tilde{H}\) [23], this happens with negligible probability, so \(|\Pr [X_1] - \Pr [X_2]|\) is negligible without any assumption on distinguishing Goppa codes from random codes. Game 3 selects a random index as the target identity index, and \(\Pr [X_3] = \Pr [X_2]\). Game 4 modifies the winning condition so that the game aborts if the impersonated identity is not the target identity; \(\Pr [X_4] = \frac{\Pr [X_3]}{c}\), where c is a constant related to the number of queries. Game 5 answers conversation queries on the target identity, and \(\Pr [X_5] = \Pr [X_4]\). Based on Theorem 1, Adv\(_{\mathcal {A}}^{\mathrm {id-imp-pa}}(\kappa ) = \Pr [X_0]\) can then be bounded in terms of the advantage of solving the BD problem. Therefore, the PVR-Stern scheme is id-imp-pa secure. With the proof of [28], it is also id-imp-aa secure.

4 IBI/IBS Schemes with Parallel-PVR

The PVR-Stern scheme is id-imp-pa/aa secure, but its parameter choice is affected by the Bleichenbacher attack, which decreases the security level from \(2^\frac{mt}{2}\) to \(2^\frac{mt}{3}\). In this section, we propose the Parallel-PVR-caStern scheme. We first convert the original counter-based PVR user key generation to a complete-decoding-based PVR, so that we can build parallel-PVR for better efficiency. Then we improve the security from id-imp-pa/aa to id-imp-ca through the OR-proof technique. The scheme is as follows:

  • Master key generation. The master key generation algorithm of Parallel-PVR-caStern is identical to that of PVR-Stern except for some additional public parameters: cryptographic hash functions \(\mathcal {G}_1, \cdots ,\mathcal {G}_\lambda : \{0, 1\}^* \rightarrow \mathbb {F}_2^{n'}\), an injective mapping \(\phi \), the parallel degree \(\lambda \) and an additional weight \(\delta \) for complete decoding such that \(\binom{n}{t + \delta } > n^t\). The master secret key is \(msk = (H, P, Q, H')\) and the master public parameters are \(mpk = (\tilde{H}, n, k, t, n', \lambda , \mathcal {G}_1, \cdots , \mathcal {G}_\lambda , \phi , \delta )\).

  • User key extraction. Compute \(\lambda \) signatures on the user identity id in parallel: for each \(i \in \{1, 2, \cdots , \lambda \}\), compute \(s_i' = \mathcal {G}_i(id)\) and \(s_i = H's_i'^T\). Enumerate the error patterns \(\phi _\delta (j)\) of weight \(\delta \), compute \(s_{j,i} = s_i + \tilde{H}\phi _\delta (j)^T\), and apply the decoding algorithm to \(s_{j,i}\), the result being \(P^TDecode_H(Q^{-1}s_{j,i})\). Once a decodable syndrome \(s_{j_0,i}\) is found, we have a \(p'_{j_0,i}\) such that \(\tilde{H}\phi _t(p'_{j_0,i})^T = s_{j_0,i}\). The i-th signature on the identity id is \(p_{j_0,i} = \phi _{t + \delta }^{-1}(\phi _t(p'_{j_0,i}) + \phi _\delta (j_0))\), which satisfies \(\tilde{H}\phi _{t + \delta }(p_{j_0,i})^T = \mathcal {G}_i(id)\). The parallel signature on the identity id is then \(x = (p_{j_0,1}\Vert \cdots \Vert p_{j_0,\lambda })\).

    Run the above process twice to generate two different parallel signatures \(x_0\) and \(x_1\) on the identity id, and toss a coin \(\varpi \). The user public key is \((\mathcal {G}_1(id)\Vert \cdots \Vert \mathcal {G}_\lambda (id))\) and the corresponding user secret key usk[id] is \((\varpi , x_{\varpi })\).

  • Interactive identification protocol. For each \(i \in \{1, 2, \cdots , \lambda \}\), the prover P is initialized with \(\varpi \) and \(p_{j_0,i} \in x_{\varpi }\), and proves that \(\tilde{H}\phi _{t + \delta }(p_{j_0,i})^T = \mathcal {G}_i(id)\); the verifier V is initialized with \(\mathcal {G}_i(id)\). The details are as follows:

    • Commitment. From \(\mathcal {G}_i(id)\) and \(p_{j_0,i}\), compute \(c^\varpi _1, c^\varpi _2\), and \(c^\varpi _3\) according to the original Stern identification protocol. P randomly chooses \(b_{1-\varpi }, b'_{1-\varpi } \in \{0, 1, 2\}\). Based on the values of \(b_{1-\varpi }\) and \(b'_{1-\varpi }\), P selects one of the three impersonation strategies for the Stern protocol listed below and computes the corresponding \(c^{1-\varpi }_1, c^{1-\varpi }_2\), and \(c^{1-\varpi }_3\):

      1. If neither \(b_{1-\varpi }\) nor \(b'_{1-\varpi }\) is 0, replace y in the original commitment by \(y \oplus \phi _{t+\delta }(p_{j_0,i})\).

      2. If neither \(b_{1-\varpi }\) nor \(b'_{1-\varpi }\) is 1, replace \(\phi _{t+\delta }(p_{j_0,i})\) in the original commitment by a random vector v with wt(v) = t.

      3. If neither \(b_{1-\varpi }\) nor \(b'_{1-\varpi }\) is 2, replace \(y \oplus \phi _{t+\delta }(p_{j_0,i})\) in the original commitment by \(v \oplus y\), where \(\tilde{H}v^T = \mathcal {G}_i(id)\) and wt(v) is arbitrary.

    • P sends \((c^0_1, c^0_2, c^0_3, c^1_1, c^1_2, c^1_3)\) to V.

    • Challenge. V sends a random challenge \(b \in \{0, 1, 2\}\) to P.

    • Answer. P computes \(b_\varpi = b - b_{1-\varpi } \mod 3\) and \(b'_\varpi = b - b'_{1-\varpi } \mod 3\). Based on \(b_\varpi \) and \(b'_\varpi \), P computes two responses \(r_\varpi \) and \(r'_\varpi \) according to the original Stern protocol. Based on \(b_{1-\varpi }\) and \(b'_{1-\varpi }\), P computes two responses \(r_{1-\varpi }\) and \(r'_{1-\varpi }\) according to the chosen impersonation strategy. P then sends \((b_0, b_1, b'_0, b'_1)\) to V.

    • Check. V checks that \(b_0 \ne b'_0\), \(b_1 \ne b'_1\), \(b_0 + b_1 = b \mod 3\), and \(b'_0 + b'_1 = b \mod 3\). V then sends a random \(\rho \in \{0, 1\}\) to P.

    • Response. If \(\rho \) is 0, P sends \(r_0\) and \(r_1\). If \(\rho \) is 1, P sends \(r'_0\) and \(r'_1\).

    • Verification. If \(\rho \) is 0, V checks \(r_0\) and \(r_1\). If \(\rho \) is 1, V checks \(r'_0\) and \(r'_1\).

    • Repeat. Repeat the above steps \(\gamma \) times so that the expected security level is reached.

Remark 3

In a practical implementation, the parity check matrix \(\tilde{H}\) may be hidden using the support and the generator polynomial of the Goppa code in the master key generation algorithm, following [6, 16]. Since the computation of \(\tilde{H}\) is the key point for avoiding the assumption on the indistinguishability between Goppa codes and random codes, we keep the original notation here for clarity.

4.1 Security

We first consider the security of the PVR-caStern scheme, which could be regarded as a special case of the Parallel-PVR-caStern scheme whose \(\lambda \) is always equal to one. Then we show the security of the Parallel-PVR-caStern scheme.

Theorem 4

The PVR-caStern scheme is secure against impersonation under active and concurrent attacks in the random oracle model.

The proof is by contradiction, adapting the proofs of [14, 18]. If there is an adversary \(\mathcal {A}\) who wins the id-imp-ca game with non-negligible probability, then we can construct an adversary \(\mathcal {F}\) who wins the id-imp-pa game with non-negligible probability. The full proof will be given in the full paper due to the page limitation.

Theorem 5

The Parallel-PVR-caStern scheme is secure against impersonation under active and concurrent attacks in the random oracle model.

Proof

By Theorem 4, for each \(i \in \{1, 2, \cdots , \lambda \}\), the i-th identification is secure under concurrent attacks in the random oracle model. Finiasz [16] showed that parallel signatures allow a practical choice of parameters without loss of security when the signed message (here the user identity) is the same across the \(\lambda \) instances, i.e., the \(\lambda \) different cryptographic hashes of the user identity id constitute the user public key. Hence, since the PVR-caStern scheme is id-imp-ca secure, the Parallel-PVR-caStern scheme is id-imp-ca secure.

5 Parameters and Security

Table 1. The asymptotic and estimated costs and sizes of our IBI/IBS schemes and the mCFS-Stern scheme.

We compare the costs and sizes of the mCFS-Stern scheme and our four schemes in Table 1. Our schemes differ in whether they resist the Bleichenbacher attack (with/without parallel-PVR) and in their security level (id-imp-pa/id-imp-ca). The mCFS-Stern scheme is not provably secure, while all of our schemes are. For each scheme in the table, the upper row shows the asymptotic sizes and costs, and the lower row presents the estimated costs and sizes with the parameters suggested by [7, 16, 17, 23] to achieve a security level of about \(2^{80}\). Specifically, for the schemes without parallel-PVR, \(m = \log _2n = 20\) and \(t = 12\); otherwise, \(m = 18\), \(t = 9\), \(\lambda = 2\), and \(\delta = 2\). For the IBI schemes, the \(\gamma \) used for the communication cost is 58, and for the IBS schemes obtained through the Fiat-Shamir paradigm, the \(\gamma \) used for the signature length is 280.

Parallel-PVR based schemes seem to cost more because of their multiple signing and communication procedures, but they actually decrease the parameter values, especially m and t. With parallel-PVR, the mpk size, msk size, communication cost and signature length improve considerably at a small cost in usk size, since the security level becomes \(2^{tm\frac{2^\lambda -1}{2^{\lambda +1}-1}}\). If id-imp-ca security is required, the communication cost and signature length double compared to the lower security level. It can be concluded that our schemes improve on the efficiency of the mCFS-Stern scheme while providing provable security.

6 Conclusion

In this paper, we proposed identity-based identification and signature schemes from code assumptions with parallel-PVR. They are not only provably secure against impersonation under active and concurrent attacks but also more efficient.

It is worth noting that much work remains to study more robust assumptions in coding theory and to construct a broader range of identity-based cryptosystems from code assumptions. We will also work on better system parameters so that code-based schemes become more practical.