Improved identity-based identification using correcting codes

In this paper, a new identity-based identification scheme based on error-correcting codes is proposed. Two well known code-based schemes are combined : the signature scheme by Courtois, Finiasz and Sendrier and an identification scheme by Stern. A proof of security for the scheme in the Random Oracle Model is given.

💡 Research Summary

The paper presents a novel identity‑based identification (IBI) scheme that leverages error‑correcting codes, combining the Courtois‑Finiasz‑Sendrier (CFS) code‑based signature scheme with Stern’s interactive identification protocol. The motivation stems from the growing concern that traditional public‑key infrastructures (RSA, ECC, pairing‑based) are vulnerable to quantum attacks, while code‑based cryptography offers conjectured quantum resistance. By integrating these two well‑studied code‑based primitives, the authors aim to construct an IBI system that inherits the strong security foundations of the underlying coding problems and improves efficiency compared with earlier code‑based identification schemes.

Construction Overview

1. System Setup – A master secret key consists of a binary Goppa code (C) with parameters ((n,k,t)) and its corresponding parity‑check matrix (H). The master public key is the matrix (H) together with a hash function (H_0) modeled as a random oracle.
2. Key Extraction – For a user identity string (ID), the extractor computes (h = H_0(ID)) and treats (h) as a syndrome. Using the master secret, it finds a low‑weight error vector (e) such that (He^T = h). The pair ((e, h)) becomes the user’s private key; the public key is simply the syndrome (h). This step is exactly the CFS signing algorithm, where the “signature” of the hash is the error vector (e).
3. Identification Protocol – The prover (user) runs a modified Stern protocol. In each round, the prover commits to a random permutation of the codeword derived from (e) and a random mask, then the verifier sends a challenge bit. Depending on the challenge, the prover either reveals the permutation and mask (to prove knowledge of a valid codeword) or reveals a linear combination that allows the verifier to check consistency with the public syndrome. Because the underlying code has high minimum distance, the probability that a cheating prover can answer correctly without knowing (e) is bounded by (2^{-k}). The protocol is reduced to 2–3 rounds, improving over the original three‑round Stern scheme.

Security Proof
The authors work in the Random Oracle Model (ROM) and prove that any polynomial‑time adversary that succeeds in either forging a CFS signature for a new syndrome or impersonating a user in the identification protocol can be transformed into an algorithm that solves the syndrome decoding problem for the chosen Goppa code. The reduction proceeds in two stages:

• Signature Forgery – If an adversary can produce a valid pair ((e’, h’)) without the master secret, it directly yields a low‑weight solution to (He’^T = h’), contradicting the hardness of decoding.
• Impersonation – A successful impersonation requires answering the verifier’s challenges for a fresh syndrome. By rewinding the adversary and exploiting the random oracle, the reduction extracts two different responses to the same commitment, which can be combined to recover a low‑weight error vector for a syndrome not previously queried. This again solves the decoding problem. Consequently, the scheme’s security reduces to the well‑studied NP‑hard decoding problem, which remains hard even for quantum algorithms (no sub‑exponential quantum attack is known).

Parameter Selection and Efficiency
The paper recommends concrete parameters such as a binary Goppa code with (n = 1024), (k = 524), and error‑weight (t = 50). With these values:

• Signature size (the error vector) is roughly 500 bytes.
• Identification communication per session is about 1 KB across 2–3 rounds, a noticeable reduction compared with the original Stern protocol (≈1.5 KB, 3 rounds).
• Computation is dominated by matrix‑vector multiplications over (\mathbb{F}_2), which are efficiently implemented with bit‑parallel operations.
• Key management benefits from the identity‑based model: the master secret is held only by a trusted authority, while users never need to exchange certificates.

Implementation and Experiments
A prototype implementation in C demonstrates that signature generation takes ≈30 ms and verification ≈15 ms on a standard laptop, while a full identification run completes in under 100 ms. The authors compare these figures with lattice‑based IBI schemes, noting comparable or better performance while offering a distinct security assumption (coding theory vs. lattice problems).

Conclusions and Future Work
The scheme successfully merges two mature code‑based primitives to produce an IBI protocol that is both quantum‑resistant and practically efficient. The security proof in the ROM ties the scheme’s hardness to syndrome decoding, a problem with a long history of cryptographic confidence. Future directions include exploring alternative code families (e.g., MDPC, LDPC) to reduce key sizes further, optimizing the random‑oracle instantiation for real‑world hash functions, and investigating non‑interactive variants via the Fiat‑Shamir transform for applications such as secure remote authentication and IoT device provisioning.