Abstract
We present a survey of recent results in the area of zero-knowledge (ZK) protocols based on coding problems and the related Learning Parities with Noise (LPN) problem. First, we sketch the constructions of two ZK code-based identification schemes: the one based on general decoding by Jain et al. (Asiacrypt 2012) and the one based on syndrome decoding by Stern (Crypto 1993). Next, we show that these two systems can also be used to implement a proof of plaintext knowledge for the code-based public key encryption schemes: the one by McEliece and the one by Niederreiter, respectively. Finally, we briefly discuss verifiable encryption and digital signatures as applications.
This survey is based on the paper: Rong Hu, Kirill Morozov, Tsuyoshi Takagi: “Zero-Knowledge Protocols for Code-Based Public Key Encryption.” IEICE Transactions 98-A(10): 2139–2151 (2015) [26].
Notes
1. If no such vector exists, \(\mathsf {Dec_{\mathscr {H}}}\) returns “failure.” When the encryption algorithm is run correctly, this situation does not occur. Although this detail is important for practical implementations, it is immaterial for the following presentation, so we omit it for the sake of simplicity.
2. If no such codeword exists, \(\mathsf {Dec_{\mathscr {G}}}\) returns “failure.” When the encryption algorithm is run correctly, this situation does not occur. Although this detail is important for practical implementations, it is immaterial for the following presentation, so we omit it for the sake of simplicity.
3. In fact, this is the way in which Stern’s scheme was employed in the context of lattices by Kawachi et al. [29].
References
1. C. Aguilar Melchor, P. Cayrel, P. Gaborit, F. Laguillaumie, A new efficient threshold ring signature scheme based on coding theory. IEEE Trans. Inf. Theory 57(7), 4833–4842 (2011)
2. N. Asokan, V. Shoup, M. Waidner, Optimistic fair exchange of digital signatures (extended abstract), in EUROCRYPT 1998 (1998), pp. 591–606
3. Y. Aumann, M.O. Rabin, A proof of plaintext knowledge protocol and applications. Manuscript, June 2001. Available as slides from the 1998 IACR Distinguished Lecture by M.O. Rabin: http://www.iacr.org/publications/dl/rabin98/rabin98slides.ps
4. A. Becker, A. Joux, A. May, A. Meurer, Decoding random binary linear codes in \(2^{n/20}\): how \(1+1=0\) improves information set decoding, in EUROCRYPT 2012 (2012), pp. 520–536
5. M. Bellare, O. Goldreich, On defining proofs of knowledge, in CRYPTO 1992 (1992), pp. 390–420
6. M. Bellare, M. Fischlin, S. Goldwasser, S. Micali, Identification protocols secure against reset attacks, in EUROCRYPT 2001 (2001), pp. 495–511
7. R. Bendlin, I. Damgård, Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems, in TCC 2010 (2010), pp. 201–218
8. E. Berlekamp, R. McEliece, H. van Tilborg, On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24, 384–386 (1978)
9. D.J. Bernstein, T. Lange, C. Peters, Smaller decoding exponents: ball-collision decoding, in CRYPTO 2011 (2011), pp. 743–760
10. J. Camenisch, I. Damgård, Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes, in ASIACRYPT 2000 (2000), pp. 331–345
11. J. Camenisch, V. Shoup, Practical verifiable encryption and decryption of discrete logarithms, in CRYPTO 2003 (2003), pp. 126–144
12. P. Cayrel, P. Véron, S.M. El Yousfi Alaoui, A zero-knowledge identification scheme based on the q-ary syndrome decoding problem, in Selected Areas in Cryptography 2010 (2010), pp. 171–186
13. T. Cover, Enumerative source encoding. IEEE Trans. Inf. Theory 19(1), 73–77 (1973)
14. Ö. Dagdelen, D. Galindo, P. Véron, S.M. El Yousfi Alaoui, P. Cayrel, Extended security arguments for signature schemes, in AFRICACRYPT 2012 (2012), pp. 19–34. Journal version: Ö. Dagdelen, D. Galindo, P. Véron, S.M. El Yousfi Alaoui, P. Cayrel, Extended security arguments for signature schemes. Des. Codes Cryptogr. 78(2), 441–461 (2016)
15. I. Damgård, O. Goldreich, T. Okamoto, A. Wigderson, Honest verifier vs dishonest verifier in public coin zero-knowledge proofs, in CRYPTO 1995 (1995), pp. 325–338
16. D. Engelbert, R. Overbeck, A. Schmidt, A summary of McEliece-type cryptosystems and their security. J. Math. Cryptol. 1, 151–199 (2007)
17. M.F. Ezerman, H.T. Lee, S. Ling, K. Nguyen, H. Wang, A provably secure group signature scheme from code-based assumptions, in ASIACRYPT 2015, Part I (2015), pp. 260–285
18. J.-C. Faugère, V. Gauthier-Umaña, A. Otmani, L. Perret, J.-P. Tillich, A distinguisher for high rate McEliece cryptosystems, in Information Theory Workshop (ITW) (2011), pp. 282–286
19. U. Feige, A. Fiat, A. Shamir, Zero knowledge proofs of identity, in STOC 1987 (1987), pp. 210–217. Journal version: U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988)
20. A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in CRYPTO 1986 (1986), pp. 186–194
21. M. Finiasz, N. Sendrier, Security bounds for the design of code-based cryptosystems, in ASIACRYPT 2009 (2009), pp. 88–105
22. O. Goldreich, Foundations of Cryptography I: Basic Tools (Cambridge University Press, Cambridge, 2001)
23. S. Goldwasser, D. Kharchenko, Proof of plaintext knowledge for the Ajtai–Dwork cryptosystem, in TCC 2005 (2005), pp. 529–555
24. V. Goppa, A new class of linear error-correcting codes (in Russian). Probl. Peredachi Inf. 6, 24–30 (1970). Russian Academy of Sciences
25. R. Hu, K. Morozov, T. Takagi, On zero-knowledge identification based on q-ary syndrome decoding, in AsiaJCIS 2013 (2013), pp. 12–18
26. R. Hu, K. Morozov, T. Takagi, Proof of plaintext knowledge for code-based public-key encryption revisited, in ASIACCS 2013 (ACM, 2013), pp. 535–540. Journal version: R. Hu, K. Morozov, T. Takagi, Zero-knowledge protocols for code-based public-key encryption. IEICE Trans. 98-A(10), 2139–2151 (2015)
27. A. Jain, S. Krenn, K. Pietrzak, A. Tentes, Commitments and efficient zero-knowledge proofs from learning parity with noise, in ASIACRYPT 2012, LNCS, vol. 7658 (2012), pp. 663–680. Full version: A. Jain, S. Krenn, K. Pietrzak, A. Tentes, Commitments and efficient zero-knowledge proofs from hard learning problems. Cryptology ePrint Archive, Report 2012/513 (2012), http://eprint.iacr.org/2012/513
28. J. Katz, Efficient and non-malleable proofs of plaintext knowledge and applications, in EUROCRYPT 2003 (2003), pp. 211–228
29. A. Kawachi, K. Tanaka, K. Xagawa, Concurrently secure identification schemes based on the worst-case hardness of lattice problems, in ASIACRYPT 2008 (2008), pp. 372–389
30. K. Kobara, K. Morozov, R. Overbeck, Coding-based oblivious transfer, in MMICS 2008 (2008), pp. 142–156
31. F. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes (North-Holland, Amsterdam, 1992)
32. R.J. McEliece, A public-key cryptosystem based on algebraic coding theory, Deep Space Network Progress Report (1978)
33. K. Morozov, Code-based public-key encryption, in A Mathematical Approach to Research Problems of Science and Technology, Mathematics for Industry, vol. 5 (Springer, Berlin, 2014), pp. 47–55
34. K. Morozov, T. Takagi, Zero-knowledge protocols for the McEliece encryption, in ACISP 2012 (2012), pp. 180–193
35. H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15(2), 159–166 (1986). Russian Academy of Sciences
36. R. Nojima, H. Imai, K. Kobara, K. Morozov, Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008)
37. R. Overbeck, N. Sendrier, Code-based cryptography, in Post-Quantum Cryptography, ed. by D.J. Bernstein, J. Buchmann, E. Dahmen (Springer, Berlin, 2009), pp. 95–145
38. J.N. Pierce, Limit distributions of the minimum distance of random linear codes. IEEE Trans. Inf. Theory 13, 595–599 (1967)
39. Request for Comments on Post-Quantum Cryptography Requirements and Evaluation Criteria: A Notice by the National Institute of Standards and Technology on 08/02/2016, http://csrc.nist.gov/groups/ST/post-quantum-crypto/rfc-july2016.html
40. R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
41. R. Roth, Introduction to Coding Theory (Cambridge University Press, Cambridge, 2006)
42. N. Sendrier, Encoding information into constant weight codewords, in ISIT 2005 (2005), pp. 435–438
43. M. Stadler, Publicly verifiable secret sharing, in EUROCRYPT 1996 (1996), pp. 190–199
44. J. Stern, A new identification scheme based on syndrome decoding, in CRYPTO 1993 (1993), pp. 13–21. Journal version: J. Stern, A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)
45. P. Véron, Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996)
46. K. Xagawa, K. Tanaka, Zero-knowledge protocols for NTRU: application to identification and proof of plaintext knowledge, in ProvSec 2009 (2009), pp. 198–213
47. K. Xagawa, A. Kawachi, K. Tanaka, Proof of plaintext knowledge for the Regev cryptosystems, Technical report C-236, Tokyo Institute of Technology (2007)
Acknowledgements
The author is supported by a Kakenhi Grant-in-Aid for Scientific Research (C) 15K00186 from Japan Society for the Promotion of Science. The author would like to thank anonymous reviewers for their helpful comments.
9 Appendix: Proof of Theorem 3.1
We adapt the proof of [26]. It generally follows the argument of [44], but for the proof of soundness it uses the argument from [45], since it is shorter. We emphasize that the gap in the proof of [45] pointed out in the full version of [27] concerned only the proof of the zero-knowledge property.
Completeness. It is easy to check that \(\mathsf {P}\) who knows the plaintext m can answer all the three challenges correctly. This implies that \(\langle \mathsf {P}(m),\mathsf {V}\rangle (pk,c)=1\).
Soundness.
Lemma 9.1
Protocol 1 is sound according to Definition 2.6, if the underlying commitment scheme is binding, the SD problem is hard, and \(r(\kappa )=\omega (\log \kappa )\).
The proof of this lemma follows from the two auxiliary lemmas presented next. In their proofs, for simplicity, we omit mentioning that the parameters r and \(\varepsilon \) depend on the security parameter \(\kappa \).
Lemma 9.2
If the witness does not exist, then the probability for \(\widetilde{\mathsf {P}}\) to be accepted in the above protocol is at most \(\left( \frac{2}{3}\right) ^r\), after r rounds.
Proof
We show that if \(\widetilde{\mathsf {P}}\)’s replies to all three challenges are accepted, then a (valid) witness can be computed from them. This contradicts the assumption and implies that \(\widetilde{\mathsf {P}}\) is not able to answer all three challenges at the same time; hence its probability of being accepted is at most \(\frac{2}{3}\) in every round.
Consider the following challenge–response pairs:
- \(b=0\): \((y_0,\pi _0)\),
- \(b=1\): \((w_1,\pi _1)\) (\(w_1\) corresponds to \(y+m\)),
- \(b=2\): \((z_2,t_2)\) (corresponding to \(y\pi \) and \(m\pi \), respectively).
Since the information in the opened commitments is consistent by assumption, we have \((\pi _0,H y_0^T)=Open(C_1)=(\pi _1,H w_1^T + c)\). Since binding holds, we conclude that \(\pi _0=\pi _1\) and \(H y_0^T=H w_1^T + c\). Similarly, by consistency of the commitments \(C_2\) and \(C_3\), and by the binding property, we can show that \(z_2=y_0\pi _0\), \(z_2+t_2=w_1\pi _1\), and \(w_H(t_2)=t\). Therefore, we have \(t_2=z_2+(t_2+z_2)=(y_0+w_1)\pi _0\) with \(w_H(y_0+w_1)=t\). Now from \(H(y_0+w_1)^T=H y_0^T+H w_1^T=c\), we conclude that \(y_0+w_1\) is a valid witness. \(\square \)
Lemma 9.3
If \(\mathsf {V}\) accepts \(\widetilde{\mathsf {P}}\)’s proof with probability at least \((\frac{2}{3})^r+\varepsilon \), then there exists an expected PPT algorithm WE which, with overwhelming probability, computes a witness m.
Proof
Let \(\mathscr {T}(RA)\) be an execution tree of the protocol \((\widetilde{\mathsf {P}},\mathsf {V})\), where RA is the random tape of \(\widetilde{\mathsf {P}}\). This tree is constructed as follows: A vertex will represent the commitments made by \(\widetilde{\mathsf {P}}\), and the edges will be labeled by the challenges of \(\mathsf {V}\). An edge will be present only if \(\widetilde{\mathsf {P}}\) is able to correctly reply to the challenge. Remember that \(\mathsf {V}\) can send 3 possible challenges at each stage. First, we will argue that as long as the binding property of the commitment holds, a witness m can be computed from a vertex with 3 descendants, that is from the correct answers to three challenges. Next, we will show that a PPT WE can find such a vertex in \(\mathscr {T}(RA)\) with overwhelming probability.
Let v be a vertex with three descendants. This corresponds to a situation, where three commitments \(C_1\), \(C_2\), and \(C_3\) have been made and where the three challenges were correctly answered. Then, the witness can be computed from these correct answers as described in Lemma 9.2.
Next, we can use the argument from [45] to show that the probability for \(\mathscr {T}(RA)\) to have a vertex with three descendants is at least \(\varepsilon \). We give this argument here for the sake of completeness.
Let us consider the random tape RA of \(\widetilde{\mathsf {P}}\) as a set of \(\mu \) elements, from which \(\widetilde{\mathsf {P}}\) randomly picks its values and let \(Q=\{1,2,3\}\). These two sets are considered as probability spaces, both of them with uniform distribution.
A pair \((a,b)\in (RA\times Q)^r\) represents the commitments, challenges, and responses communicated between \(\widetilde{\mathsf {P}}\) and \(\mathsf {V}\). This is indeed the case, since the random tape of the prover, along with the challenges, uniquely defines all the messages sent by her during the protocol. A pair (a, b) is called valid, if the execution of \((\widetilde{\mathsf {P}},\mathsf {V})\) is accepted.
Let V be the subset of valid pairs in \((RA\times Q)^r\). By the hypothesis of the lemma,
Let \(\varOmega _r\subset RA^r\) be such that:
- if \(a\in \varOmega _r\), then \(2^r+1\le |\{b:(a,b)\text { are valid}\}| \le 3^r\),
- if \(a\in RA^r\setminus \varOmega _r\), then \(0\le |\{b:(a,b) \text { are valid}\}| \le 2^r\).
Then, we write \(V=\{\text {valid } (a,b),a\in \varOmega _r\} \cup \{\text {valid } (a,b), a\in RA^r\setminus \varOmega _r\}\), therefore \(|V|\le |\varOmega _r|\cdot 3^r+(\mu ^r-|\varOmega _r|)\cdot 2^r\). Taking into account that \(|RA^r|=\mu ^r\) and \(|Q^r|=3^r\), we have
Now, it follows that \(|\varOmega _r|/|RA^r|\ge \varepsilon \), which shows that the probability that \(\widetilde{\mathsf {P}}\) replies correctly to at least \(2^r+1\) challenges, by choosing random values from RA, is at least \(\varepsilon \). Moreover, in this case, \(\mathscr {T}(RA)\) has at least \(2^r+1\) leaves. Indeed, by construction of \(\mathscr {T}(RA)\), a correctly answered challenge corresponds to an edge, and therefore the number of leaves is lower bounded by the number of correctly answered challenges. This implies that \(\mathscr {T}(RA)\) has at least one vertex with three descendants. Now, the machine WE simply rewinds the above \(\widetilde{\mathsf {P}}\) polynomially many times, thereby finding an execution tree containing a vertex with three descendants with overwhelming probability, as claimed. Specifically, we can directly use the analysis by Stern from Lemma 1 in the journal version of [44] to verify that the number of necessary rewindings is \(\frac{10}{\varepsilon ^3}\). \(\square \)
Note that the machine WE constructed in the above proof finds a valid witness, thereby contradicting the hardness of the SD problem, unless the binding property of the commitment is violated. Therefore, for a cheating prover \(\widetilde{\mathsf {P}}\), we must have \(\mathrm {Pr}[\langle \widetilde{\mathsf {P}}, \mathsf {V}\rangle (pk,c)=1] \le (2/3)^r+\varepsilon \), which is negligible in \(\kappa \).
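The two inequalities displayed in the proof above are absent from this rendering of the page. As an added worked-out version of that counting step (not text from the chapter; it uses only the symbols already defined in the proof), the hypothesis of Lemma 9.3 says that the fraction of valid pairs is at least the acceptance probability:
\[ \frac{|V|}{|RA^r|\cdot |Q^r|}=\frac{|V|}{\mu ^r 3^r}\ge \left( \frac{2}{3}\right) ^r+\varepsilon . \]
Combining this with \(|V|\le |\varOmega _r|\cdot 3^r+(\mu ^r-|\varOmega _r|)\cdot 2^r\) gives
\[ \left( \left( \frac{2}{3}\right) ^r+\varepsilon \right) \mu ^r 3^r \le |\varOmega _r|\,(3^r-2^r)+\mu ^r 2^r . \]
Since \(\left( \frac{2}{3}\right) ^r \mu ^r 3^r=\mu ^r 2^r\), the terms \(\mu ^r 2^r\) cancel and
\[ \varepsilon \,\mu ^r 3^r \le |\varOmega _r|\,(3^r-2^r)\le |\varOmega _r|\,3^r , \]
so \(|\varOmega _r|/\mu ^r=|\varOmega _r|/|RA^r|\ge \varepsilon \), which is exactly the bound the proof uses to conclude that \(\mathscr {T}(RA)\) contains a vertex with three descendants with probability at least \(\varepsilon \).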
Zero-knowledge. Let us denote by \(\mathscr {R}\) the communication tape for \(\mathsf {P}\) and \(\mathsf {V}\), that is a concatenation of all bits they exchange during the protocol. We consider the probability distributions on \(\mathscr {R}\).
Lemma 9.4
Protocol 1 is computational (respectively statistical) zero-knowledge according to Definition 5.1, if the underlying commitment scheme is computationally (respectively statistically) hiding.
Proof
We construct a simulator \(\mathsf {SIM}\), which generates, in expected PPT, a communication tape \(\mathscr {R}_s\), whose distribution is indistinguishable from that of \(\mathscr {R}\) in a computational or statistical sense (depending on the type of commitments, which are used).
Suppose that \(\widetilde{\mathsf {V}}\) chose a particular strategy depending on the information received from \(\mathsf {P}\). Denote this strategy by \(St(C_1,C_2,C_3)\).
The simulator \(\mathsf {SIM}\) works as follows:
1. Pick a challenge \(b\mathop {\leftarrow }\limits ^{\$}\{0,1,2\}\).
   - If \(b=0\), choose \(y\mathop {\leftarrow }\limits ^{\$}\mathbb {F}_2^n\), \(\pi \mathop {\leftarrow }\limits ^{\$}\mathscr {S}_n\), compute \(C_1=Com(\pi ,H^{pub} y^T)\), \(C_2=Com(y\pi )\), \(C_3=Com(0)\), and \(Rep=(y,\pi )\), where by Rep we denote the reply of the prover. Clearly, the distributions of \(C_1\), \(C_2\), \(C_3\), and Rep are identical to those from the communication tape of the actual protocol.
   - If \(b=1\), choose \(y\mathop {\leftarrow }\limits ^{\$}\mathbb {F}_2^n\), \(\pi \mathop {\leftarrow }\limits ^{\$}\mathscr {S}_n\), and \(w=y+z\), where \(z\in \mathbb {F}_2^n\) is such that \(H^{pub} z^T=c\), \(z\ne m\), \(w_H(z)\ne t\). Note that such a vector w can be computed in polynomial time as shown in [37, Proposition 1]. Then, compute \(C_1=Com(\pi ,H^{pub} y^T)\), \(C_2=Com(0)\), \(C_3=Com(w\pi )\), and \(Rep=(w,\pi )\). It is easy to check that the openings of the above commitments and Rep will pass the verification of Step 3 in Protocol 1, and also that the distributions of the commitments and Rep are identical to those in the actual protocol. In particular, in the simulation, the distribution of w is uniform over \(\mathbb {F}_2^n\), and hence the contents of \(C_3\) have the same distribution as in Protocol 1.
   - If \(b=2\), choose \(y\mathop {\leftarrow }\limits ^{\$}\mathbb {F}_2^n\), \(\pi \mathop {\leftarrow }\limits ^{\$}\mathscr {S}_n\), and \(z\mathop {\leftarrow }\limits ^{\$}\{x\in \mathbb {F}_2^n|w_H(x)=t\}\). Then, compute \(C_1=Com(0)\), \(C_2=Com(y\pi )\), \(C_3=Com((y+z)\pi )\), and \(Rep=(y\pi ,z\pi )\). It is again easy to check that the values in Rep will pass the verification of Step 3 in Protocol 1, and that the distributions of the commitments and Rep are identical to those in the actual protocol.
2. \(\mathsf {SIM}\) computes \(b'=St(C_1,C_2,C_3)\).
3. If \(b=b'\), then \(\mathsf {SIM}\) writes on the tape \(\mathscr {R}_s\) the values \(H^{pub}\), b, Rep; otherwise it goes back to Step 1.
Note that in the above simulator, in the case of commitments to zero, we use the hiding property of the commitment to ensure that the distributions in question are identical.
We can see that, in 3r rounds on average, \(\mathsf {SIM}\) produces the communication tape \(\mathscr {R}_s\), which is indistinguishable from the communication tape \(\mathscr {R}\) produced by the honest parties executing r rounds of Protocol 1.
We conclude that \(\langle \mathsf {P}(m),\widetilde{\mathsf {V}}\rangle (pk,c)\), and \(\langle \mathsf {SIM},\widetilde{\mathsf {V}}\rangle (pk,c)\) are indistinguishable. Note that the simulation is perfect by itself, and the type of indistinguishability, statistical or computational—and hence the type of the ZK proof, which we obtain—depends solely on the underlying commitment scheme.
Using Lemmas 9.1 and 9.4, and the observation on the completeness, we conclude the proof of Theorem 3.1. \(\square \)
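The following Python program is an added illustration of the two arguments above; it is not code from the chapter or from the cited papers. Protocol 1 itself is not reproduced on this page, so the three commitments and the verifier's Step 3 checks are reconstructed from the challenge/response pairs used in Lemma 9.2 and from the simulator of Lemma 9.4 (this reconstruction, the hash-based commitment standing in for Com, and the parity-check matrix of the [7,4] Hamming code with \(t=2\) as a constructed instance are all assumptions of the example). It runs one honest round for each challenge, extracts the plaintext from accepting answers to \(b=0\) and \(b=1\) on the same commitments (Lemma 9.2), and runs the simulator with its rewinding loop against a fixed verifier strategy St (Lemma 9.4).

```python
import hashlib
import os
import random
from itertools import product

def syndrome(H, x):                         # H x^T over F_2 (vectors: lists of 0/1 bits)
    return [sum(h * xi for h, xi in zip(row, x)) % 2 for row in H]
def add(x, y):                              # x + y over F_2
    return [a ^ b for a, b in zip(x, y)]
def permute(x, perm):                       # x*pi: coordinate i becomes x[perm[i]]
    return [x[i] for i in perm]

def com(*parts, rnd=None):
    """Hash-based stand-in for Com(.) -> (digest, randomness); parts are
    length-prefixed so (pi, s) and (pi', s') cannot collide."""
    rnd = os.urandom(16) if rnd is None else rnd
    h = hashlib.sha256(rnd)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + bytes(p))
    return h.digest(), rnd

def rand_vec_perm(n, rng):                  # uniform y in F_2^n and uniform pi in S_n
    return [rng.randrange(2) for _ in range(n)], rng.sample(range(n), n)

# Prover of Protocol 1: instance (H, c, t), witness m with H m^T = c and w_H(m) = t.
def prover_commit(H, c, m, rng=random):
    y, perm = rand_vec_perm(len(m), rng)
    C1 = com(perm, syndrome(H, y))          # Com(pi, H y^T)
    C2 = com(permute(y, perm))              # Com(y pi)
    C3 = com(permute(add(y, m), perm))      # Com((y+m) pi)
    return (C1[0], C2[0], C3[0]), {"y": y, "perm": perm, "m": m, "C": (C1, C2, C3)}

def prover_respond(state, b):
    y, perm, m, (C1, C2, C3) = state["y"], state["perm"], state["m"], state["C"]
    if b == 0:
        return (y, perm, C1[1], C2[1])                          # open C1, C2
    if b == 1:
        return (add(y, m), perm, C1[1], C3[1])                  # w = y+m; open C1, C3
    return (permute(y, perm), permute(m, perm), C2[1], C3[1])   # open C2, C3

def verify(H, c, t, commits, b, rep):       # the verifier's Step 3 checks
    C1, C2, C3 = commits
    if b == 0:
        y, perm, r1, r2 = rep
        return (com(perm, syndrome(H, y), rnd=r1)[0] == C1
                and com(permute(y, perm), rnd=r2)[0] == C2)
    if b == 1:
        w, perm, r1, r3 = rep               # H w^T + c must equal the committed H y^T
        return (com(perm, add(syndrome(H, w), c), rnd=r1)[0] == C1
                and com(permute(w, perm), rnd=r3)[0] == C3)
    z, tt, r2, r3 = rep                     # z = y pi, tt = m pi
    return (com(z, rnd=r2)[0] == C2 and com(add(z, tt), rnd=r3)[0] == C3
            and sum(tt) == t)

def extract_witness(rep0, rep1):            # Lemma 9.2: y_0 + w_1 = y + (y+m) = m
    return add(rep0[0], rep1[0])

# Lemma 9.4: one simulated round for a challenge b fixed in advance, without m.
def simulate(H, c, t, b, rng=random):
    n = len(H[0])
    y, perm = rand_vec_perm(n, rng)
    if b == 0:
        C1, C2, C3 = com(perm, syndrome(H, y)), com(permute(y, perm)), com([0] * n)
        rep = (y, perm, C1[1], C2[1])
    elif b == 1:
        # any z with H z^T = c and w_H(z) != t; exhaustive search stands in for
        # the polynomial-time method of [37, Proposition 1] at this toy size
        z = next(list(x) for x in product((0, 1), repeat=n)
                 if syndrome(H, x) == c and sum(x) != t)
        w = add(y, z)
        C1, C2, C3 = com(perm, syndrome(H, y)), com([0] * n), com(permute(w, perm))
        rep = (w, perm, C1[1], C3[1])
    else:
        ones = rng.sample(range(n), t)      # uniform z of weight exactly t
        z = [1 if i in ones else 0 for i in range(n)]
        C1, C2, C3 = com([0] * n), com(permute(y, perm)), com(permute(add(y, z), perm))
        rep = (permute(y, perm), permute(z, perm), C2[1], C3[1])
    return (C1[0], C2[0], C3[0]), rep

def simulate_tape(H, c, t, strategy, rounds, rng=random):
    """SIM's rewinding loop (Steps 1-3): guess b and keep the round only when
    the verifier's strategy St(C1, C2, C3) asks for it; returns (tape, attempts)."""
    tape, attempts = [], 0
    while len(tape) < rounds:
        attempts += 1
        b = rng.randrange(3)
        commits, rep = simulate(H, c, t, b, rng)
        if strategy(commits) == b:
            tape.append((commits, b, rep))
    return tape, attempts

H = [[1, 0, 1, 0, 1, 0, 1], [0, 1, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]  # [7,4] Hamming parity-check matrix (constructed toy instance)
T, M = 2, [1, 0, 0, 0, 0, 1, 0]             # plaintext m of weight t
C = syndrome(H, M)                           # Niederreiter ciphertext c = H m^T

if __name__ == "__main__":                  # honest run, extraction, simulated tape
    commits, st = prover_commit(H, C, M)
    print([verify(H, C, T, commits, b, prover_respond(st, b)) for b in range(3)],
          extract_witness(prover_respond(st, 0), prover_respond(st, 1)) == M,
          simulate_tape(H, C, T, lambda cm: cm[0][0] % 3, 10)[1])
```

Two points are visible in the code that the proof text states only abstractly. Extraction needs two accepting responses to the same triple of commitments, which is why the extractor must rewind \(\widetilde{\mathsf {P}}\) rather than simply run it twice; a single honest round reveals only one of the three pairs. In the simulator, each case leaves exactly one commitment as \(Com(0)\), the one never opened for that challenge, so the output is indistinguishable from a real transcript only as far as the commitment is hiding, matching Lemma 9.4; and the attempt counter returned by `simulate_tape` is about three times the number of rounds, as the remark on 3r rounds on average says.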
© 2018 Springer Nature Singapore Pte Ltd.
Morozov, K. (2018). Code-Based Zero-Knowledge Protocols and Their Applications. In: Takagi, T., Wakayama, M., Tanaka, K., Kunihiro, N., Kimoto, K., Duong, D. (eds) Mathematical Modelling for Next-Generation Cryptography. Mathematics for Industry, vol 29. Springer, Singapore. https://doi.org/10.1007/978-981-10-5065-7_3
DOI: https://doi.org/10.1007/978-981-10-5065-7_3
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-5064-0
Online ISBN: 978-981-10-5065-7