A Multi-Signature Scheme based on Coding Theory
Mohammed Meziani and Pierre-Louis Cayrel
CASED–Center for Advanced Security Research Darmstadt
Mornewegstrasse 32, 64293 Darmstadt, Germany
Email: {mohammed.meziani, pierre-louis.cayrel@cased.de}
Abstract—In this paper we propose the first two non-generic constructions of multisignature schemes based on coding theory. The first system makes use of the CFS signature scheme and is secure in the random oracle model, while the second scheme is based on the KKS construction and is a few-time scheme. The security of our constructions relies on a difficult problem in coding theory: the Syndrome Decoding problem, which has been proved NP-complete [4].
Keywords—Post-quantum cryptography, Coding-based cryptography, Digital signature, Multisignature scheme.
I. INTRODUCTION
Digital signature schemes, similar to handwritten signatures, are a fundamental cryptographic primitive used in practice for authenticity and non-repudiation of messages. Several signature schemes exist, but most of them are based on the computational difficulty of solving number theoretic problems such as the factoring problem or the discrete logarithm problem in the multiplicative group of a prime field or in the group of points of an elliptic curve over a finite field. But in the event of quantum computers all these schemes could be broken due to Shor's algorithm [29], proposed in 1997. Indeed, Shor's algorithm can solve both the factoring problem and the discrete log problem in finite fields and on elliptic curves in polynomial time. Therefore, the cryptographic community has to investigate other mathematical problems that are believed to be hard to solve by quantum algorithms. Among these are problems in coding theory using error correcting codes. The problem of decoding general codes is such a problem, which has been proven to be NP-complete by Berlekamp, McEliece and Van Tilborg [4].
In 1978, McEliece [22] first proposed an asymmetric cryptosystem which is based on coding theory and derives its security from the general decoding problem. No efficient attack on this scheme has been found to date, though numerous computationally intensive attacks have been published in the literature [5], [12]. The idea behind this scheme is to first select a particular (linear) code for which an efficient decoding algorithm is known, and then to use a trapdoor function to disguise the code as a general linear code.
The encryption in the McEliece cryptosystem is not invertible, and therefore it cannot be used for authentication or signature schemes; this is indeed why very few signature schemes based on coding theory have been proposed. This problem was open until 2001, when Courtois et al. [9] showed how to achieve a code-based signature scheme whose security is based on the syndrome decoding problem. While this problem is NP-complete, their construction is still inefficient for large numbers of errors. Recently, a few code-based signature schemes with additional properties have been published and most of them make use of the construction proposed in [9].
ID-based cryptography. The motivation behind identity-based cryptography, proposed by Shamir in 1984 [28], was to simplify the PKI requirements. Instead of using a public key, a user can use his identity (e.g. e-mail address or IP address), while the associated secret key is issued by a trusted key generation center (KGC) thanks to a master secret key that only the KGC knows. Thereby some of the costs associated with PKI and certificates can be avoided. Despite this, identity-based cryptography suffers from a major drawback, since complete trust must be placed in the KGC. This problem is known as the key escrow problem. To overcome this problem, a solution has been proposed in [6] which consists in employing multiple KGCs to jointly produce the master secret key.
Multisignature schemes. A multisignature scheme (MSS) is a normal signature scheme that enables a group of users to cooperatively sign the same document; the resulting signature can be verified by any user. Multisignature schemes have many practical uses, such as signing legal electronic documents (e.g. contracts, cheques, etc.) by multiple managers in a company. Based on the nature of the application scenarios, multisignature schemes are divided into categories depending on the signing manner: serial and parallel signing. In the first case, the resulting multisignature is equal to the signature generated by the last signer. More precisely, a signer produces his own signature on a document and then broadcasts it to the next signer, which, after verifying it, signs the received components, and so on. Here the signing order property should be taken into account, that is, the resulting multisignature depends on the signing order. In the second case the multisignature is produced by a designated signer, called a clerk, which has to collect the individual signatures generated by each signer and then combine them into a single signature.
Multisignature schemes were first introduced in [16]. However, these schemes have an efficiency issue because the generation and verification cost of the multisignature increases linearly with the number of signers. Since then, various multisignature schemes have been realized: for example, multisignature schemes based on the RSA assumption [15], [14], [26], constructed from bilinear maps
World Academy of Science, Engineering and Technology 63 2010
244
[7], [30], based on the DL assumption [13], [2], and derived from identification schemes like Fiat-Shamir [27].
With regard to security, the authors of [23] provided the first formal security model of multisignature schemes, called Accountable-subgroup multisignatures. In this model, a provably secure multisignature scheme has to satisfy two important properties: flexibility and accountability. The first property guarantees that any subset of signers can jointly produce a signature on a document and any verifier can decide whether this subset was sufficient to accept the signature, while the second property ensures that the identity of any signer can be revealed from the signed document without a trusted third party. This property is very interesting in the sense that if an incorrectly issued multisignature is detected, then it is necessary to identify the corrupted signer. Moreover, this model assumes that the set of signers is known a priori and a signer is not allowed to generate his own partial signature before the previous one has been completed. Following this model, [18] proposed multisignature schemes based on the probabilistic signature scheme while [25] designed multisignature schemes using the full domain hash. In these constructions, the signing is performed in a serial manner and the length of the signature as well as the signing cost grow with the number of signers.
Recently, provably secure multisignature schemes using trapdoor one-way permutations [20], [19] have been proposed. These schemes make use of the probabilistic full domain hash and the probabilistic signature scheme, respectively, and they are both tightly secure in the random oracle model. Furthermore, the key length in these schemes is independent of the signing order, and the length of the signature increases by 30 bits per signer.
Our contribution:
In this paper, we propose two serial multisignature schemes using error correcting codes. To the best of our knowledge there are no existing multisignature schemes based on coding theory. We use the modified version of the CFS signature scheme [9] and the KKS signature scheme [17] as the base of our multisignature schemes. These schemes are secure against existential forgery under adaptive chosen message attack in the random oracle model, assuming the computational syndrome decoding problem is hard. The first scheme achieves a signature size of $377 + 18.47N$ bits for a security level of $2^{81.5}$, where $N$ is the number of signers. The second scheme produces signatures whose length is independent of $N$: for instance, $1873.8$ bits for a security level of $2^{80.22}$. However, both systems require large public keys of size 0.7 MB and 0.13 MB, respectively.
Organisation:
After recalling some basic definitions and hard problems in
coding theory in Section II, we list two code-based signature
schemes that we need in our constructions in Section III.
In Section IV, we present our code-based multisignature
schemes, and we conclude in Section V.
II. CODING THEORY BACKGROUND
This section will first provide a brief introduction to coding
theory, then give the basic definitions and list some hard
problems we use throughout this paper.
A. Coding theory
The term coding theory refers to a broad branch of mathe-
matics concerned with transmitting data across noisy channels
and recovering the message. It provides secure transmission
of messages, in the sense that any errors which are introduced
during the transmission can be corrected.
B. Notations and Definitions
Let $\mathbb{F}_q$ denote the finite field with $q$ elements.
a) Codes: An $(n,k)$-code over $\mathbb{F}_q$ is a linear subspace $\mathcal{C}$ of the linear space $\mathbb{F}_q^n$. Elements of $\mathbb{F}_q^n$ are called words and elements of $\mathcal{C}$ are codewords. We call $n$ the length, and $k$ the dimension of the code. If $q = 2$, the code is called binary, and is denoted by $[n,k]$.
b) Hamming distance, Hamming weight: The Hamming distance $d(x,y)$ between two words $x, y \in \mathbb{F}_q^n$ counts the number of positions in which $x$ and $y$ differ. More formally, denote $x = (x_1,\dots,x_n)$ and $y = (y_1,\dots,y_n)$. Then $d(x,y) = |\{i : x_i \neq y_i\}|$. Here, we use $|S|$ to denote the number of elements, or cardinality, of a set $S$. The Hamming weight (or just weight) of a word $x \in \mathbb{F}_q^n$ is denoted by $\mathrm{wt}(x)$ and represents the number of non-zero entries of this word, i.e., $\mathrm{wt}(x) = d(0,x)$, where $0$ is the vector containing $n$ zeros.
c) Minimum distance: The minimum distance $d$ of an $(n,k)$-code $\mathcal{C}$ is the minimum Hamming distance between two distinct codewords, i.e., $d = \min_{x,y \in \mathcal{C},\, x \neq y} d(x,y)$.
d) Generator matrix, systematic codes: A generator matrix of an $(n,k)$-linear code $\mathcal{C}$ is a $k \times n$ matrix $G$ whose rows form a basis for the vector subspace $\mathcal{C}$, i.e., $\mathcal{C} = \{xG : x \in \mathbb{F}_q^k\}$. Notice that $G$ is not unique for a code $\mathcal{C}$. We call a code systematic if it can be characterized by a generator matrix $G$ of the form $G = (I_{k\times k} \mid A_{k\times(n-k)})$, where $I_{k\times k}$ is the $k\times k$ identity matrix and $A$ a $k\times(n-k)$ matrix.
e) Parity-check matrix, dual code: A parity-check matrix of an $(n,k)$-linear code $\mathcal{C}$ is an $(n-k)\times n$ matrix $H$ whose rows form a basis of the orthogonal complement of the vector subspace $\mathcal{C}$, i.e. it holds that $\mathcal{C} = \{c \in \mathbb{F}_q^n : Hc^T = 0\}$. Note that $H$ can be viewed as the generator matrix of an $(n, n-k)$ linear code $\mathcal{C}^\perp$ containing codewords $\tilde c$ such that for all codewords $c \in \mathcal{C}$ it holds that $\tilde c \cdot c^T = 0$. The code $\mathcal{C}^\perp$ is generally referred to as the dual code of $\mathcal{C}$.
f) Syndrome: Let $H$ be a parity check matrix of the code $\mathcal{C}$. The syndrome of a word $x \in \mathbb{F}_q^n$ is a vector $s \in \mathbb{F}_q^{n-k}$ defined by $s = Hx^T$.
C. Hard problems
In what follows, we recall some hard problems. The security
of most code-based cryptosystems is related to hardness of
solving these problems.
1) Syndrome Decoding problem (SD):
Input: An $r\times n$ matrix $H$ over $\mathbb{F}_q$, a target vector $s \in \mathbb{F}_q^r$ and an integer $t > 0$.
Question: Is there a vector $x \in \mathbb{F}_q^n$ of weight $\le t$ such that $s = Hx^T$?
This problem has been proved to be NP-complete by Berlekamp, McEliece, and van Tilborg [4] in 1978 for the general class of binary linear codes. In 1994, Barg [1] extended this result to linear codes defined over $\mathbb{F}_q$. NP-completeness ensures that this problem cannot be solved in polynomial time in the worst case, meaning that there are some hard instances, not that every instance is hard.
To end this section, we state another hard problem, the Goppa Parametrized Bounded Decoding problem (GPBD), which is a variation of the SD problem and has been proved to be NP-complete by Finiasz [11] in 2004.
2) Goppa Parametrized Bounded Decoding (GPBD):
Input: An $(n-k)\times n$ matrix $H$ over $\mathbb{F}_2$ and a syndrome $s \in \mathbb{F}_2^{n-k}$.
Question: Is there a word $x \in \mathbb{F}_2^n$ of weight $\le \frac{n-k}{\log_2(n)}$ such that $Hx^T = s$?
III. THE UNDERLYING CODE-BASED SIGNATURE SCHEMES
Our constructions are based on two code-based signature schemes, the Courtois et al. signature (CFS) [9] and the Kabatianskii et al. signature scheme (KKS) [17]. Here is the description of the two schemes.
A. CFS Signature Scheme
1) Description: For a long time no code-based signature scheme was known, until the first (unbroken) one was proposed by Courtois, Finiasz and Sendrier [9] (CFS) in 2001. The basic idea of the CFS signature scheme is to choose parameters such that an inversion for the Niederreiter scheme is practically possible. This is done at the cost of rather large parameters (except for the length of the signature) when compared to other signature schemes, but at least it does exist. Before describing the CFS scheme we first recall the Niederreiter public key cryptosystem in Algorithm 1.
Algorithm 1 The Niederreiter PKC
Key Generation:
- Consider an $(n,k)$-code $\mathcal{C}$ over $\mathbb{F}_q$ having a decoding algorithm $\gamma$.
- Construct an $(n-k)\times n$ parity check matrix $H$ of $\mathcal{C}$.
- Choose randomly an $(n-k)\times(n-k)$ invertible matrix $Q$ over $\mathbb{F}_q$.
- Choose randomly an $n\times n$ permutation matrix $P$ over $\mathbb{F}_q$.
- Set $\tilde H = QHP$ as public, and $(P, H, Q, \gamma)$ as secret.
Encryption: To encrypt a message $x \in \mathbb{F}_q^n$ of weight $t$
- Compute $y = \tilde H x^T$.
Decryption: To decrypt a cipher $y \in \mathbb{F}_q^{n-k}$ s.t. $y = \tilde H x^T$
- Compute $Q^{-1}y$ $(= HPx^T)$
- Find $Px^T$ from $Q^{-1}y$ by applying $\gamma$
- Find $x$ by applying $P^{-1}$ to $Px^T$.
The McEliece and Niederreiter schemes are not naturally invertible, i.e. if one starts from a random element $y$ of $\mathbb{F}_2^n$ and a code $\mathcal{C}[n,k,d]$ capable of correcting $\frac{d-1}{2}$ errors, it is almost certain that we won't be able to decode $y$ into a codeword of $\mathcal{C}$. This comes from the fact that the density of decodable words is very small.
Courtois, Finiasz and Sendrier proposed in [9] the first practical signature scheme based on coding theory. The Full Domain Hash (FDH) approach assumes that all the hash values can be inverted by decryption.
The CFS signature scheme is based on the Niederreiter cryptosystem: signing a document requires hashing it into a syndrome and then trying to decode this syndrome. However, for a $t$-error correcting Goppa code of length $n = 2^m$, only a fraction of approximately $1/t!$ of the syndromes are decodable. Thus, a counter is appended to the message and the signer tries successive counter values until the hash value is decodable. The signature consists of both the error pattern of weight $t$ corresponding to the syndrome, and the value of the counter giving this syndrome.
Algorithm 2 The CFS signature
Key Generation:
- Pick a random parity check matrix $H$ of an $(n,k)$-binary Goppa code correcting up to $t$ errors and having a decoding algorithm $\gamma$.
- Construct the matrices $Q$, $\tilde H$ and $P$ as in Algorithm 1.
Signature: To sign a message $m$
(1) $i \leftarrow i + 1$
(2) $x = \gamma(Q^{-1}h(m\|i))$
(3) if no $x$ was found go to (1)
- Output $(i, xP)$
Verification:
- Compute $s = \tilde H x^T$ and $s' = h(m\|i)$.
- The signature is valid if $s$ and $s'$ are equal.
2) Security: In [12], the authors present an attack against the CFS scheme due to Daniel Bleichenbacher. Due to this attack, the values of $m$ and $t$ used in the CFS scheme have to change. The authors of [12] propose $m = 21$ and $t = 10$, or $m = 19$ and $t = 11$, or $m = 15$ and $t = 12$, as new parameters for a security of more than $2^{80}$ binary operations.
3) Security proof in the random oracle model: In [10], the author proposes to choose the counter randomly in $\{1,\dots,2^{n-k}\}$, and then obtains a proof of security in the random oracle model.
B. KKS signature scheme
Kabatianskii et al. [17] proposed a signature scheme based on arbitrary linear error-correcting codes. Actually, they proposed to use a linear application $f$. Three versions are given, which are presented in the sequel, but all have one point in common: for any $m \in \mathbb{F}_q^k$, the signature $f(m)$ is a codeword
of a linear code $U$. Each version of KKS proposes different linear codes in order to improve the scheme. We now give a full description of their scheme.
1) Description: Firstly, we suppose that $\mathcal{C}$ is defined by a random parity check matrix $H$. We also assume that we have a very good estimate $d$ of its minimum distance. Next, we consider a linear code $U$ of length $n' \le n$ and dimension $k$ defined by a generator matrix $G = [g_{i,j}]$. We suppose that there exist two integers $t_1$ and $t_2$ such that $t_1 \le w(u) \le t_2$ for any non-zero codeword $u \in U$.
Let $J$ be a subset of $\{1,\dots,n\}$ of cardinality $n'$, $H(J)$ be the sub matrix of $H$ consisting of the columns $h_i$ where $i \in J$, and define an $r \times k$ matrix $F \stackrel{\text{def}}{=} H(J)G^T$. The application $f : \mathbb{F}_q^k \to M_{n,t}$ is then defined by $f(m) = mG^*$ for any $m \in \mathbb{F}_q^k$, where $G^* = [g^*_{i,j}]$ is the $k\times n$ matrix with $g^*_{i,j} = g_{i,j}$ if $j \in J$ and $g^*_{i,j} = 0$ otherwise. The public application $\chi$ is then $\chi(m) = Fm^T$ because $HG^{*T} = H(J)G^T$. The main difference with Niederreiter signatures resides in the verification step, where the receiver checks that:
$t_1 \le w(z) \le t_2$ and $F\cdot m^T = H\cdot z^T$.
Algorithm 3 The KKS signature
Key Generation:
- Select two positive integers $t_1$ and $t_2$ s.t. $t_1 \le t_2$.
- Pick a random parity check matrix $H = [I_r \mid D]$ of an $(n, n-r)$-code.
- Construct the matrices $Q$, $\tilde H$ and $P$ as in Algorithm 1.
Signature: To sign a message $m$
(1) $i \leftarrow i + 1$
(2) $x = \gamma(Q^{-1}h(m\|i))$
(3) if no $x$ was found go to (1)
- Output $(i, xP)$
Verification:
- Compute $s = \tilde H x^T$ and $s' = h(m\|i)$.
- The signature is valid if $s$ and $s'$ are equal.
It has been proved in [8] that this scheme is a few-time signature scheme.
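As an added example (not the authors' code nor the KKS paper's), the following Python implements the signing map $f(m) = mG^*$ and the receiver's check $t_1 \le w(z) \le t_2$, $F\cdot m^T = H\cdot z^T$ with toy parameters, and measures why the scheme is few-time: the support of every signature lies inside the secret set $J$, so a handful of signatures reveals most of $J$. Assumptions: $G$ is taken in the systematic form $[I_k \mid B]$ of the KKS-3 variant discussed in Section IV, messages are hashed to $k$ bits, and $t_1, t_2$ are obtained by enumerating $U$, which only works at this size.

```python
"""Toy KKS signature as described in Section III.B: f(m) = m . G placed on the
secret positions J, verified by t1 <= w(z) <= t2 and F . m^T = H . z^T, plus the
support leakage that makes the scheme few-time.  Added example, not the authors'
code: parameters are toy-sized, G is taken in the systematic form [I_k | B] of the
KKS-3 variant, t1, t2 are found by enumerating U (only feasible at this scale) and
messages are hashed to k bits (assumption; the paper leaves the hash unspecified)."""
import hashlib
import itertools
import random


def vecmat(v, M):
    """v . M over F2 for a 0/1 vector v and a matrix M given as a list of 0/1 rows."""
    out = [0] * len(M[0])
    for bit, row in zip(v, M):
        if bit:
            out = [x ^ y for x, y in zip(out, row)]
    return out


def matvec(M, v):
    """M . v^T over F2."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]


def hash_to_bits(data: bytes, nbits: int):
    """Hash a message to an element of F2^nbits (assumed construction)."""
    d = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(d >> i) & 1 for i in range(nbits)]


class KKS:
    """One KKS key pair: public (F, H, t1, t2), secret (J, G)."""

    def __init__(self, n, r, n_prime, k, rng: random.Random):
        self.n, self.k = n, k
        # Public parity-check matrix H = [I_r | D] of a random (n, n - r) code.
        self.H = [[int(j == i) for j in range(r)] +
                  [rng.getrandbits(1) for _ in range(n - r)] for i in range(r)]
        # Secret generator G = [I_k | B] of U (length n', dimension k).
        self.G = [[int(j == i) for j in range(k)] +
                  [rng.getrandbits(1) for _ in range(n_prime - k)] for i in range(k)]
        # t1, t2 bound the weights of the non-zero codewords of U.
        ws = [sum(vecmat(m, self.G)) for m in itertools.product((0, 1), repeat=k) if any(m)]
        self.t1, self.t2 = min(ws), max(ws)
        # Secret position set J of size n' and public F = H(J) . G^T (an r x k matrix).
        self.J = sorted(rng.sample(range(n), n_prime))
        HJ = [[row[j] for j in self.J] for row in self.H]
        self.F = [[sum(a & b for a, b in zip(hrow, grow)) & 1 for grow in self.G] for hrow in HJ]

    def sign(self, M: bytes):
        """z = f(m): the codeword m . G written on the positions J, zero elsewhere.
        Returns None for m = 0, where the scheme as written gives w(z) = 0 < t1."""
        m = hash_to_bits(M, self.k)
        if not any(m):
            return None
        z = [0] * self.n
        for pos, bit in zip(self.J, vecmat(m, self.G)):
            z[pos] = bit
        return z

    def verify(self, M: bytes, z) -> bool:
        """Receiver's check from the public key only: t1 <= w(z) <= t2 and F m^T = H z^T."""
        m = hash_to_bits(M, self.k)
        return self.t1 <= sum(z) <= self.t2 and matvec(self.F, m) == matvec(self.H, z)


def support_union(sigs):
    """Positions set in at least one signature; each of them belongs to the secret J."""
    return sorted({i for z in sigs for i, b in enumerate(z) if b})


def demo(seed: int = 1, n_msgs: int = 8):
    """Sign constructed messages, verify them, and measure how much of J leaks."""
    rng = random.Random(seed)
    kks = KKS(n=32, r=16, n_prime=16, k=8, rng=rng)
    pairs = [(M, kks.sign(M)) for M in (f"msg {i} (constructed)".encode() for i in range(n_msgs))]
    pairs = [(M, z) for M, z in pairs if z is not None]
    all_valid = all(kks.verify(M, z) for M, z in pairs)
    cross_valid = kks.verify(b"another message", pairs[0][1])   # signature reused on another M
    leaked = support_union([z for _, z in pairs])
    return all_valid, cross_valid, set(leaked) <= set(kks.J), len(leaked), len(kks.J)
```

`demo()` returns, in order, whether all signatures verify, whether a signature also verifies for a different message, whether the leaked positions all lie in $J$, and how many of the $|J|$ positions were exposed by the batch.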
IV. OUR PROPOSED SERIAL MULTISIGNATURE SCHEMES
Before presenting our constructions, we first give the formal definition of a multisignature scheme. We denote by $S = \{S_1,\dots,S_N\}$ the set of $N$ signers intended to sign the message $M$.
A. Definition
A multisignature scheme MS consists of three algorithms: the key generation MK, the multisignature generation MS and the multisignature verification MV, which are defined as follows:
MK takes a security parameter and returns a public/secret key pair $(pk_i, sk_i)$ for a signer $S_i$.
MS takes the set of secret keys $(sk_i)$ and a message $M$ and outputs a multisignature $\sigma$.
MV takes the set of public keys $(pk_i)$ (or only one public key), a multisignature $\sigma$ and the message $M$ and outputs 1 (accept) or 0 (reject).
The serial multisignature schemes proposed here follow the model of [23], which requires a priori knowledge of an ordered set of signers $\{S_1,\dots,S_N\}$. The basic idea of our multisignature schemes is that a signer $S_i$ first generates a signature $\sigma_i$ on a message $M$ and broadcasts it to the next signer $S_{i+1}$ for further processing. After verifying $\sigma_i$, $S_{i+1}$ produces a valid signature on the received components. The generation of the multisignature is complete when the last signer $S_N$ signs the message.
B. CFS-based serial multisignature
1) Description: Our scheme can be regarded as an extended version of the modified CFS algorithm [10]. In this scheme a signer $S_i$ makes use of the CFS signature decoding algorithm to generate his signature based on the previous signature produced by the signer $S_{i-1}$. Before the signing step, all signers first collaborate to produce a public random vector $r$ in a serial manner, which will be signed together with the message $M$. In order to check the validity of the resulting multisignature, only the public key of the last signer in the queue is needed. The CFS multisignature scheme is illustrated in Algorithm 4.
2) Performance Analysis: Using a $(2^m, 2^m - mt)$ Goppa code, each public key $H_i$ is a binary matrix of size $mt \times 2^m$ bits, which takes about 99 Mbytes for $t = 9$ and $m = 22$. The multisignature generation consists in producing $N$ successive CFS signatures, one per signer, each of which requires $t^2 m^3 t!$ binary operations, where $N$ is the number of signers. Verification requires one matrix-vector multiplication and $N$ hash computations. A matrix-vector multiplication can be performed in approximately $t2^m$ binary operations using the mailman algorithm [21]. The CFS multisignature is composed of a vector of $\mathbb{F}_2^{2^m}$ of weight less than $t$, $N$ indexes from $\{1,\dots,2^{tm}\}$ and a vector of $\mathbb{F}_2^{tm}$. Thus the size of the CFS multisignature is bounded by $\log_2\binom{2^m}{t} + N\log_2(t!) + tm$.
We can easily see that the performance of the proposed multisignature scheme depends mainly on the choice of the parameters $m$ and $t$. If we want to get a reasonable signing cost, we will need a $t$ not greater than 10, for example $(m,t) = (22,9)$, which gives a security level of $2^{81.7}$ according to [12]. But if we want to minimize the public key size as well as the signature length, we take $(m,t) = (15,12)$ for a security level of $2^{81.5}$ [12]. In this case, the signature length amounts to $377 + 18.47N$ bits.
3) Security Analysis: Since the modified version of the CFS signature scheme is secure in the random oracle model [10], we can prove the security of our scheme. The details of our analysis will appear in a full version of this paper, but we can give some arguments about the security of our scheme. Our scheme satisfies non-repudiation and non-forgeability. Indeed, when $N = 1$, our signature scheme degenerates into the mCFS signature scheme, which satisfies these two properties. If $N > 1$, an attacker who does not belong to the signer set cannot forge the multisignature because
Algorithm 4 CFS-based multisignature
Key Generation: Each signer $S_i$ has to:
- generate his public/private key as in the CFS algorithm, i.e., $\tilde H_i = Q_i H_i P_i$ (public) and $(Q_i, H_i, P_i, \gamma_i)$ (secret).
Signature:
1- Generation of a random vector $r \in \mathbb{F}_q^{n-k}$
* $S_1$ selects randomly $k_1 \in \mathbb{F}_q^n$ of weight up to $t$ and computes $r_1 = H_1\cdot k_1^T$.
* For $i = 2$ to $N$ do
  $S_{i-1}$ broadcasts $r_{i-1}$ to $S_i$.
  $S_i$ selects randomly $k_i \in \mathbb{F}_q^n$ of weight up to $t$ and computes $r_i = r_{i-1} + H_i\cdot k_i^T$.
* Set $r = r_N$.
2- Multisignature Generation
* $S_1$ computes an $n$-bit vector $s_1$ of weight up to $t$ and an index $i_1$ s.t. $H_1\cdot s_1^T = h((M+r)\|i_1)$
* For $j := 2$ to $N$ do
  - $S_{j-1}$ sends $(s_{j-1}, i_{j-1})$ to $S_j$.
  - $S_j$ checks the validity of $s_{j-1}$ by $H_{j-1}\cdot s_{j-1}^T = h((M+r)\|i_{j-1})$ and $w(s_{j-1}) \le t$
  - $S_j$ computes an $n$-bit vector $s_j$ of weight up to $t$ and an index $i_j$ s.t. $H_j\cdot s_j^T = h((H_{j-1}\cdot s_{j-1}^T + h(M+r))\|i_j)$
* Set $s = s_N$.
* $\sigma_{cfs} = (s, i_1,\dots,i_N, r)$ is the multisignature.
Verification: Given a tuple $\sigma = (s, i_1,\dots,i_N, r)$
* Check that $w(s) \le t$
* Compute $x = H_N\cdot s^T$.
* Compute iteratively the sequence $(z_i)_{i=1,\dots,N}$ defined by:
  - $z_1 = h((M+r)\|i_1)$
  - For $j := 2$ to $N$: $z_j = h((z_{j-1} + h(M+r))\|i_j)$.
* The multisignature $\sigma$ is valid if $x$ and $z_N$ are equal.
the signer set is already known in advance, and if he generates a couple $(s_A, i_A)$ as his own signature, this signature will be invalid after checking it by the next signer.
C. KKS-based serial multisignature scheme
1) Description: Our scheme extends the regular KKS signature into a multi-signer one. In this scheme each signer applies the KKS signature algorithm to produce his own signature on the received components before he forwards it to the next signer for further handling. Before the beginning of the signing process, all signers first collaborate to create a public vector $r \in \{0,1\}^{n-k}$ in a serial way, which will be concatenated with the original message $M$. During the signing step, a signer $S_i$ first has to verify the previous signature $\sigma_{i-1}$ generated by the previous signer and then to produce his own signature $\sigma_i$ as follows: the signer hashes the bitwise addition of $M$ linked with $r$ and the preceding KKS signature $\sigma_{i-1}$ generated by $S_{i-1}$, and then he applies the KKS algorithm to the result. After that, he replaces the resulting signature by subtracting the quantity $(\sigma_{i-1}\cdot G_i)$ from it. The last operation is designed so that the new signature can be verified by the succeeding signer in the same manner as the standard KKS signature. The KKS multisignature $\sigma_{kks}$ finally consists of the KKS signature produced by the last signer in the queue (say $s_N$) and the vector $r$ constructed before. To test whether this multisignature is valid, the verifier has to apply the KKS verification algorithm. Algorithm 5 explains our scheme in more detail.
Algorithm 5 KKS-based multisignature
Key Generation: Given a hash-function of range $\{0,1\}^{n-k}$, each signer $S_i$ has to:
- select $n$, $k$, $t_1$ and $t_2$ as security parameters.
- select a random matrix $H_i$ as a parity check matrix of a random $(n,k)$ code $\mathcal{C}_i$.
- Choose secretly and randomly:
  * a generator matrix $G_i$ of a linear code $U_i$ of length $n' \le n$ and dimension $k$ s.t. $t_1 \le w(u) \le t_2$ for all $u \in U_i$.
  * a subset $J_i$ of $\{1,\dots,n\}$ of cardinality $n'$.
- Build the sub matrix $H_i(J_i)$ of $H_i$ consisting of the columns $h_j$ where $j \in J_i$.
- Define the matrix $F_i = H_i(J_i)G_i^T$
- The public key: $(F_i, H_i, t_1, t_2)$
- The private key: $(J_i, G_i)$.
Signature:
1- Generation of a random vector $r \in \mathbb{F}_q^{n-k}$
* $S_1$ selects a random vector $r_1 \in \mathbb{F}_q^{n-k}$.
* For $i := 2$ to $N$ do
  - $S_{i-1}$ broadcasts $r_{i-1}$ to $S_i$.
  - $S_i$ selects a random vector $r_i \in \mathbb{F}_q^{n-k}$ and assigns $(r_{i-1} + r_i)$ to $r_i$, i.e. $r_i \leftarrow (r_{i-1} + r_i)$.
* Set $r = r_N$.
2- Multisignature Generation
* $S_1$ calculates $\sigma'_1 = h(M\|r)\cdot G_1$ and produces $\sigma_1$ s.t. $\sigma_{1,j} = \sigma'_{1,j}$ if $j \in J_1$, and $0$ if $j \notin J_1$.
* For $i := 2$ to $N$ do
  - $S_{i-1}$ sends $\sigma_{i-1}$ to $S_i$.
  - $S_i$ checks the validity of $\sigma_{i-1}$ by $t_1 \le w(\sigma_{i-1}) \le t_2$ and $F_{i-1}\cdot(h(M\|r))^T = H_{i-1}\cdot\sigma_{i-1}^T$.
  - $S_i$ calculates $\sigma'_i = (h(M\|r) + \sigma_{i-1})\cdot G_i$ and produces $\sigma_i$ s.t. $\sigma_{i,j} = \sigma'_{i,j}$ if $j \in J_i$, and $0$ if $j \notin J_i$.
  - $S_i$ replaces $\sigma'_i$ by the quantity $(\sigma'_i - \sigma_{i-1}\cdot G_i)$
* The multisignature is $\sigma_{kks} = (\sigma_N, r)$.
Verification: Given a tuple $(z, r)$, the multisignature is valid if:
* $t_1 \le w(z) \le t_2$
* $F_N\cdot(h(M\|r))^T = H_N\cdot z^T$.
2) Performance Analysis: In [17], three KKS signature schemes were proposed, named KKS-1, KKS-2 and KKS-3 in [8] respectively. The KKS-1 version introduced an equidistant code ($t = t_1 = t_2$) of length $n = 2^k - 1$ correcting $t = 2^{k-1}$ errors, where $k$ is its dimension. However, since the length
of this code is huge for any practical application, KKS-1 is still impracticable. Therefore, [17] replaced the equidistant code by another code whose non-zero codewords have a weight between two different values $t_1$ and $t_2$ and proposed two improvements of KKS-1, namely KKS-2 and KKS-3.
KKS-2 is based on the dual of a BCH code while KKS-3 is a fully random construction and uses a random linear code. In this section we restrict our analysis to the KKS-3 signature scheme.
In KKS-3, each signer chooses a random $k\times n'$ generator matrix $G_i$ given in the systematic form $[I_k \mid B_i]$. The public key is composed of $F_i$ and $H_i = [I_r \mid D_i]$, where $D_i$ is a random $r\times(n-r)$ binary matrix. The secret key consists of the set $J_i$ and the matrix $B_i$. Thus, to store each public key, we need in total $r(n-r+k)$ bits. For each secret key, we have to store $n h_2(\frac{n'}{n}) + k(n'-k)$ bits$^1$, where $h_2(x) = -x\log_2(x) - (1-x)\log_2(1-x)$. The multisignature consists of a vector of length $n$ and weight up to $t_2$ and a random vector of $\{0,1\}^{n-k}$. Thus, the total length of our multisignature is about $t_2 h_2(\frac{t_2}{n}) + (n-k)$ bits, which does not depend on the number of signers. The essential part in generating the multisignature is the second step, in which each user has to produce his own KKS-like signature, while the first phase, producing a common random vector, can be performed off-line. Thus, to generate a multisignature, each signer first has to verify the preceding signature and then to produce his KKS signature. Therefore, the overall cost of our multisignature is approximately $Nnk + (N-1)r(n+k)$ binary operations. After receiving a multisignature, any user can check its validity by comparing the results of two vector-matrix multiplications that require about $r(n+k)$ binary operations.
3) Security Analysis: In [17] the authors claimed that their constructions are as secure as the Niederreiter scheme if the public parameters do not provide any information. Unfortunately, [8] showed that a generated KKS signature discloses a lot of information about the secret set $J$, leading to finding the secret matrix $G$ with high probability. Furthermore, [8] proved that just a few intercepted signatures damage the KKS system. For instance, an attacker needs at most 20 signatures to break the original KKS-3 scheme with an approximate amount of $2^{77}$ binary operations. Regarding the security of our multisignature, since our construction is based on the KKS signature, we can assume that our scheme is a few-time scheme. Following [8], we propose the same parameters for our multisignature scheme to achieve a security level of more than $2^{80}$. These parameters are as follows: $n = 2000$, $k = 160$, $n' = 1000$, $r = 1100$, $t_1 = 90$ and $t_2 = 110$.
V. CONCLUSION
We have proposed two multisignature schemes using error correcting codes that are the first non-generic constructions in post-quantum cryptography. Our schemes make use of the CFS and KKS signature schemes and achieve signatures of size $377 + 18.47N$ bits and $1873.8$ bits, respectively, both for a security of more than $2^{80}$ binary operations. However, the first system suffers from a slow signing cost and large key sizes, while the second scheme is only few-time and very fast but also requires big key sizes. Recently, two works were published for reducing the key sizes (see [3], [24]) and further progress on this topic should increase significantly the performance of our schemes.
$^1$ We use the approximation $\binom{a}{b} \approx 2^{a h_2(b/a)}$.
REFERENCES
[1] S. Barg. Some New NP-Complete Coding Problems. Probl. Peredachi
Inf., 30:23–28, 1994.
[2] M. Bellare and G. Neven. Multi-signatures in the plain public-key model
and a general forking lemma. In CCS ’06: Proc. of the 13th ACM
conference on Computer and communications security, pages 390–399.
ACM, 2006.
[3] T. P. Berger, P.-L. Cayrel, P. Gaborit, and A. Otmani. Reducing key
length of the McEliece cryptosystem. In Progress in Cryptology –
Africacrypt’2009, LNCS, pages 77–97. Springer, 2009.
[4] E. Berlekamp, R. McEliece, and H. van Tilborg. On the inherent
intractability of certain coding problems. IEEE Transactions on In-
formation Theory, 24(3):384–386, 1978.
[5] D. J. Bernstein, T. Lange, and C. Peters. Attacking and defending the
McEliece cryptosystem. Cryptology ePrint Archive, Report 2008/318,
2008. http://eprint.iacr.org/.
[6] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In CRYPTO '01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pages 213–229. Springer, 2001.
[7] D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and
verifiably encrypted signatures from bilinear maps. In EUROCRYPT,
pages 416–432. Springer, 2003.
[8] P.L. Cayrel, A. Otmani, and D. Vergnaud. On Kabatianskii-Krouk-
Smeets Signatures. In Proceedings of the first International Workshop on
the Arithmetic of Finite Fields (WAIFI 2007), Springer, pages 237–251,
Madrid, Spain, June 21–22 2007.
[9] N. Courtois, M. Finiasz, and N. Sendrier. How to achieve a McEliece-
based digital signature scheme. In Advances in Cryptology – Asi-
acrypt’2001, volume 2248 of LNCS, pages 157–174, Gold Coast,
Australia, 2001. Springer.
[10] L. Dallot. Towards a concrete security proof of Courtois, Finiasz and Sendrier signature scheme. Proceedings of WEWoRC 2007, Bochum, Germany, 2007. http://users.info.unicaen.fr/~ldallot/download/articles/CFSProof-dallot.pdf.
[11] M. Finiasz. Nouvelles constructions utilisant des codes correcteurs
d’erreurs en cryptographie à clef publique. PhD thesis, INRIA-Ecole
polytechnique, October 2004.
[12] M. Finiasz and N. Sendrier. Security bounds for the design of code-
based cryptosystems. In to appear in Advances in Cryptology –
Asiacrypt’2009, 2009. http://eprint.iacr.org/2009/414.pdf.
[13] T. Hardjono and Y. Zheng. A practical digital multisignature scheme
based on discrete logarithms (extended abstract). In in AUSCRYPT’92,
pages 122–132. Springer, 1993.
[14] L. Harn and T. Kiesler. RSA blocking and multisignature schemes with no bit expansion. Electron. Letters, 26(18):1490–1491, August 1990.
[15] L. Harn and T. Kiesler. New scheme for digital multisignature. Electron. Letters, 25(15):1002–1003, July 1989.
[16] K. Itakura and K. Nakamura. New scheme for digital multisignature.
NEC Research and Development, 71:1–8, October 1983.
[17] G. Kabatianskii, E. Krouk, and B. J. M. Smeets. A digital signature scheme based on random error-correcting codes. In IMA Int. Conf., volume 1355 of LNCS, pages 161–167. Springer, 1997.
[18] K. Kawauchi and M. Tada. On the exact security of multi-signature schemes based on RSA. In ACISP 2003, volume 2727 of LNCS. Springer, 2003.
[19] K. Kawauchi and M. Tada. On the security and the efficiency of multi-
signature schemes based on a trapdoor one-way permutation. IEICE
Trans. Fundam. Electron. Commun. Comput. Sci., E88-A(5):1274–1282,
2005.
[20] Y. Komano, K. Ohta, A. Shimbo, and S. Kawamura. Formal security
model of multisignatures. In ISC, pages 146–160, 2006.
[21] E. Liberty and S. W. Zucker. The mailman algorithm: A note on matrix-
vector multiplication. Inf. Process. Lett., 109(3):179–182, 2009.
[22] R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report 42-44, pages 114–116, 1978.
World Academy of Science, Engineering and Technology 63 2010
249
[23] S. Micali, K. Ohta, and L. Reyzin. Accountable-subgroup multisig-
natures: extended abstract. In ACM Conference on Computer and
Communications Security, pages 245–254, 2001.
[24] R. Misoczki and P. S. L. M. Barreto. Compact McEliece keys from Goppa codes. Preprint, 2009. http://eprint.iacr.org/2009/187.pdf.
[25] S. Mitomi and A. Miyaji. A general model of multisignature schemes with message flexibility, order flexibility, and order verifiability. IEICE Trans. Fundam., E84-A(5):2488–2499, 2001.
[26] T. Okamoto. A digital multisignature scheme using bijective public-key
cryptosystems. ACM Trans. Comput. Syst., 6(4):432–441, 1988.
[27] K. Ohta and T. Okamoto. A digital multisignature scheme based on the Fiat-Shamir scheme. In ASIACRYPT '91: Proc. of the International Conference on the Theory and Applications of Cryptology, pages 139–148. Springer, 1993.
[28] A. Shamir. Identity-based cryptosystems and signature schemes. In Proceedings of CRYPTO 84 on Advances in Cryptology, pages 47–53. Springer-Verlag, 1984.
[29] P. W. Shor. Polynomial-time algorithms for prime factorization and dis-
crete logarithms on a quantum computer. SIAM Journal on Computing,
26:1484–1509, 1997.
[30] L. Wang, E. Okamoto, Y. Miao, T. Okamoto, and H. Doi. ID-based series-parallel multisignature schemes for multi-messages from bilinear maps. In WCC, pages 291–303, 2005.
Article
In 2010, M. Meziani and P.-L. Cayrel presented two post-quantum multi-signature schemes based on the syndrome decoding hard problem and error-correcting codes. In this paper, we propose the insider forgery cryptanalysis of M. Meziani et al.'s post-quantum multi-signature schemes. In M. Meziani et al.'s schemes, the verifier only verifies the final multi-signature and does not check the validity of the partial signatures generated by other signers. Thus the malicious last signer can forge a valid multi-signature by himself/herself on behalf of the group of signers, which can pass the verification of the verifier. Therefore, M. Meziani et al.'s post-quantum multi-signature schemes do not meet the security requirements of multi-signature schemes.
Conference Paper
The McEliece cryptosystem is one of the oldest public-key cryptosystems ever designed. It is also the first public-key cryptosystem based on linear error-correcting codes. The main advantage of the McEliece cryptosystem is to have very fast encryption and decryption functions, but it suffers from a major drawback. It requires a very large public key, which makes it very difficult to use in many practical situations. In this paper we propose a new general way to reduce the public key size through quasi-cyclic codes. Our construction introduces a new method of hiding the structure of the secret generator matrix by first choosing a subfield subcode of a quasi-cyclic code that is defined over a large alphabet and then by randomly shortening the chosen subcode. The security of our variant is related to the hardness of decoding a random quasi-cyclic code. We introduce a new decisional problem that is associated to the decoding of an arbitrary quasi-cyclic code. We prove that it is an NP-complete problem. Starting from subfield subcodes of quasi-cyclic generalized Reed-Solomon codes, we propose a system with several sizes of parameters from 6,000 to 11,000 bits with a security ranging from 2^80 to 2^107. Implementations of our proposal show that we can encrypt at a speed of 120 Mbits/s (or one octet for 120 cycles). Hence our new proposal represents the most competitive public-key cryptosystem.
Conference Paper
McEliece is one of the oldest known public key cryptosystems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow practical digital signatures. In the present paper we disprove this belief and show a way to build a practical signature scheme based on coding theory. Its security can be reduced in the random oracle model to the well-known syndrome decoding problem and the distinguishability of permuted binary Goppa codes from a random code. For example we propose a scheme with signatures of 81 bits and a binary security workfactor of 2^83.
Article
The author proves the NP-completeness of the basic decision problems for ternary linear codes. In particular, he proves that finding out whether a ternary linear code contains a vector of weight equal to the code length is NP-complete. In addition, he proves NP-completeness of minimum distance decoding for linear product codes with nontrivial factors. [The results of this paper were presented in part at the Sixth International Swedish-Russian Workshop on Information Theory, Mølle/Sweden, August 1993, 404-407 (1993)].
Article
A new digital multisignature scheme using bijective public-key cryptosystems that overcomes the problems of previous signature schemes used for multisignatures is proposed. The principal features of this scheme are (1) the length of a multisignature message is nearly equivalent to that for a singlesignature message; (2) by using a one-way hash function, multisignature generation and verification are processed in an efficient manner; (3) the order of signing is not restricted; and (4) this scheme can be constructed on any bijective public-key cryptosystem as well as the RSA scheme. In addition, it is shown that the new scheme is considered as safe as the public-key cryptosystem used in this new scheme. Some variations based on the scheme are also presented.
Conference Paper
This paper proposes a practical digital multisignature scheme based on the C_sig* cryptosystem derived from the C_sig cryptosystem of Zheng and Seberry (1993). The simple scheme consists of three phases. In the first phase the issuer of the document prepares the document, the list of prospective signatories and a pad on which signatories are to write their signatures. In the second phase each signatory verifies the document, signs it and forwards it to the next signatory. In the third phase a trusted verifier or notary decides on the validity of the signatures. The scheme prevents cheating by dishonest signatories from going undetected. The scheme is practical and offers at least the same security level afforded by its underlying cryptosystem against external attacks. Internal attacks in the form of forging or cheating by a dishonest issuer or by one or more of the signatories (alone or by collaboration) require the solving of instances of the discrete logarithm problem.
Conference Paper
A multisignature scheme enables multiple signers to cooperate to generate one signature for some message. The aim of the multisignatures is to decrease the total length of the signature and/or the signing (verification) costs. This paper first discusses a formal security model of multisignatures following that of the group signatures [1,4]. This model allows an attacker against multisignatures to access five oracles adaptively. With this model, we can ensure a more general security result than that with the existence model [14,11,12]. Second, we propose a multisignature scheme using a claw-free permutation. The proposed scheme can decrease the signature length compared to those of existence multisignature schemes using a trapdoor one-way permutation (TOWP) [11,12], because its signing does not require the random string. We also prove that the proposed scheme is tightly secure with the formal security model, in the random oracle model. Third, we discuss the security of the multisignature schemes [11,12] using a TOWP with the formal security model to confirm that these schemes can be proven to be tightly secure. Keywords: multisignature scheme, formal security model, claw-free permutation, random oracle model.
Conference Paper
We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem. Our system is based on the Weil pairing. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.
Conference Paper
In this paper we introduce a novel type of cryptographic scheme, which enables any pair of users to communicate securely and to verify each other’s signatures without exchanging private or public keys, without keeping key directories, and without using the services of a third party. The scheme assumes the existence of trusted key generation centers, whose sole purpose is to give each user a personalized smart card when he first joins the network. The information embedded in this card enables the user to sign and encrypt the messages he sends and to decrypt and verify the messages he receives in a totally independent way, regardless of the identity of the other party. Previously issued cards do not have to be updated when new users join the network, and the various centers do not have to coordinate their activities or even to keep a user list. The centers can be closed after all the cards are issued, and the network can continue to function in a completely decentralized way for an indefinite period.
Conference Paper
Courtois, Finiasz and Sendrier proposed in 2001 a practical code-based signature scheme. We give a rigorous security analysis of a modified version of this scheme in the random oracle model. Our reduction involves two problems of coding theory widely considered as difficult, the Goppa Parametrized Bounded Decoding and the Goppa Code Distinguishing.
Conference Paper
Formal models and security proofs are especially important for multisignatures: in contrast to threshold signatures, no precise definitions were ever provided for such schemes, and some proposals were subsequently broken. In this paper, we formalize and implement a variant of multi-signature schemes, Accountable-Subgroup Multisignatures (ASM). In essence, ASM schemes enable any subgroup, S, of a given group, G, of potential signers, to sign efficiently a message M so that the signature provably reveals the identities of the signers in S to any verifier. Specifically, we provide: the first formal model of security for multisignature schemes that explicitly includes key generation (without relying on trusted third parties); and a protocol, based on Schnorr's signature scheme [33], that is both provable and efficient: only three rounds of communication are required per signature; the signing time per signer is the same as for the single-signer Schnorr scheme, regardless of the number of signers; the verification time is only slightly greater than that for the single-signer Schnorr scheme; and the signature length is the same as for the single-signer Schnorr scheme, regardless of the number of signers. Our proof of security relies on random oracles and the hardness of the Discrete Log Problem.