
A New Efficient Threshold Ring Signature Scheme Based on Coding Theory

Carlos Aguilar Melchor, Pierre-Louis Cayrel, Philippe Gaborit, Fabien Laguillaumie

To cite this version: Carlos Aguilar Melchor, Pierre-Louis Cayrel, Philippe Gaborit, Fabien Laguillaumie. A New Efficient Threshold Ring Signature Scheme Based on Coding Theory. IEEE Transactions on Information Theory, Institute of Electrical and Electronics Engineers, 2011, pp.4833-4842. <10.1007/978-3-540-88403-3 1>. <hal-01083807>

HAL Id: hal-01083807
https://hal.archives-ouvertes.fr/hal-01083807
Submitted on 18 Nov 2014

C. Aguilar and P. Gaborit are with University of Limoges, XLIM-DMI, 123, Av. Albert Thomas 87060 Limoges Cedex France.
P.L Cayrel is with CASED Center for Advanced Security Research Darmstadt, Mornewegstrasse, 32 64293 Darmstadt Germany.
F. Laguillaumie is with University of Caen, GREYC.

Abstract: Ring signatures were introduced by Rivest, Shamir and Tauman in 2001 [32]. These signatures allow a signer to anonymously authenticate a message on behalf of a group of his choice. This concept was then extended by Bresson, Stern and Szydlo into t-out-of-N (threshold) ring signatures in 2002 [9]. We propose in this article a generalization of Stern's code based identification (and signature) scheme [36] to design a practical t-out-of-N threshold ring signature scheme. The size of the resulting signatures is in O(N) and does not depend on t, contrary to most of the existing protocols. Our scheme is existentially unforgeable under a chosen message attack in the random oracle model assuming the hardness of the minimum distance problem, is unconditionally source hiding, has a very short public key and has an overall complexity in O(N). This protocol is the first efficient code-based ring signature scheme and the first code-based threshold ring signature scheme. Moreover it has a better complexity than number-theory based schemes which have a complexity in O(Nt). This paper is an extended version of [2] with complete proofs and definitions.

Keywords: Threshold ring signature, code-based cryptography, Stern's scheme, syndrome decoding.

I. Introduction

The constant need to electronically emulate real-life applications with strong security properties leads to the design of sophisticated identification schemes with specific properties. Ring signatures are such an identification technique, where a signer anonymously authenticates a message on behalf of a group of his own choice. The design of such special purpose signatures almost always relies on arithmetic in the ring Z/NZ or in groups of points of an algebraic curve equipped or not with a pairing. From the point of view of the efficiency of the computations involved in the whole cryptographic process, error correcting codes are a real alternative to such integral arithmetic.

1) Code-based cryptography: In 1978, when McEliece published his seminal work where he proposed to use the theory of error correcting codes for confidentiality purposes, he designed one of the most efficient encryption schemes, which still resists cryptanalysts. His asymmetric encryption algorithm may be summed up as follows: Alice applies an encoding mechanism to a message and adds to it a large number of errors, which can only be corrected by Bob, who has information about the secret decoding mechanism. A long time after, Stern proposed in [36] a zero-knowledge identification protocol based on a well-known error-correcting codes problem usually referred to as the Syndrome Decoding Problem (SD in short).

The advantages of code-based cryptography are twofold. First, code-based cryptography constitutes an alternative to classical number theory based cryptography, whose hard problems (factorization, discrete logarithm, discrete logarithm based on elliptic curve) would be broken through P. Shor's quantum factorization algorithm, in the case a quantum computer would come to exist. Second, code-based cryptosystems are faster than classical number theory based cryptosystems ([7],[20]). Notice that cryptosystems based on hard problems potentially resistant to a quantum computer, like code-based cryptography, lattice based cryptography or multivariate cryptography, have recently been gathered under the name post-quantum cryptography, and a special conference dedicated to these systems, PQCrypto, has been recently created. The main drawback of code-based cryptosystems has historically been a large public key size; in recent years, however, proposals based on structured matrices (quasi-cyclic or dyadic) have been made to deal with this issue [20], [4], [28]. In particular the double-circulant variation of the Stern identification scheme [20] is believed to be very hard to break, being based on the difficulty of decoding a binary code up to the Gilbert-Varshamov bound, whereas more scrutiny is needed for McEliece compact variations.

The Stern identification scheme (that we mainly consider in this paper) can be used as a signature scheme through the Fiat-Shamir heuristic [18]. Of the two original drawbacks of the scheme, the relatively large size of key and the large length of signature (about 20 kilobytes), only the large size of signature remains. This scheme has very good features and despite its large size of signature, it can potentially be used in many applications.

Overall, code-based cryptography represents one of the few credible alternatives to classical cryptography, and there is a rising interest in the cryptographic community for these systems; in particular, practical implementations of such code-based schemes on smart cards, embedded devices or PC have begun to be presented in conferences like CHES or CARDIS ([17], [11], [23], [7]).

2) Ring signature: The concept of ring signature, which is the subject of this article, was introduced in 2001 by Rivest, Shamir and Tauman [32] (called RST in the following). Ring signatures are often considered as simplified group signatures without group managers. If ring signatures are related to this notion of group signatures in [13], they are indeed quite different. On one hand, group signatures have the additional feature that the anonymity of a signer can be revoked (i.e. the signer can be traced) by a designated group manager; on the other hand, ring signatures allow greater flexibility: no centralized group manager or coordination among the various users is required (indeed, users may be unaware of each other at the time they generate their public keys). Moreover, the anonymity of the signer is unconditionally guaranteed. The original motivation was to allow secrets to be leaked anonymously. For example, a high-ranking government official can sign information with respect to the ring of all similarly high-ranking officials; the information can then be verified as coming from someone reputable without exposing the actual signer.

Bresson et al. [9] extended the ring signature scheme into a threshold ring signature scheme using the concept of partitioning and combining functions. Assume that t users want to leak some secret information, so that any verifier will be convinced that t users among a select group vouch for its validity. The trivial construction consisting in producing t ring signatures clearly does not prove that the message has been signed by different signers. A threshold ring signature scheme effectively proves that a minimum number of users of a certain group must have actually collaborated to produce the signature, while hiding the precise membership of the subgroup (for example the ring

a complexity in O(N); but again, only a linkable ring signature which does not correspond to original required feature of [32] and [9], namely a fully anonymous scheme. A first attempt to design ring signatures within the error correcting code setting was performed by Zheng, Li and Chen [44], but their scheme is still inefficient. After the short version of the present paper, Dallot and Vergnaud proposed a code-based threshold ring signature scheme [15], inspired by Bresson et al.'s construction with Courtois, Finiasz and Sendrier's signatures [14]. Both previous schemes use [14], which makes them very difficult to use in practice.

4) Contributions: In this paper, we present a generalization of Stern's identification and signature scheme [36] that we use to design new ring and threshold ring signature schemes. Our scheme's performance does not depend on the number t of signers in the ring; the overall complexity and length of signatures only depend linearly on the maximum number of signers N. Our protocol also guarantees unconditional anonymity of the signers. Besides these features and its efficiency, our protocol is also the first non-generic coding theory based ring signature (and threshold ring signature) protocol and may constitute an interesting alternative to number theory based protocols. Overall our protocol has a very short public key size, a signature length linear in N and the best known complexity in O(N), whereas other number theory based threshold ring signature schemes have a complexity in O(Nt).

5) Organization of the paper: The rest of this paper is organized as follows.