## Designing Identification Schemes with Keys of Short Size (1994)

Venue: | Advances in Cryptology -- proceedings of CRYPTO '94 |

Citations: | 25 - 4 self |

### BibTeX

@INPROCEEDINGS{Stern94designingidentification,

author = {Jacques Stern},

title = {Designing Identification Schemes with Keys of Short Size},

booktitle = {Advances in Cryptology -- proceedings of CRYPTO '94},

year = {1994},

pages = {164--173},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

In the last few years, there have been several attempts to build identification protocols that do not rely on arithmetical operations with large numbers but only use simple operations (see [10, 8]). One was presented at the CRYPTO 89 rump session ([8]) and depends on the so-called Permuted Kernel problem (PKP). Another appeared in the CRYPTO 93 proceedings and is based on the syndrome decoding problem (SD) form the theory of error correcting codes ([11]). In this paper, we introduce a new scheme of the same family with the distinctive character that both the secret key and the public identification key can be taken to be of short length. By short, we basically mean the usual size of conventional symmetric cryptosystems. As is known, the possibility of using short keys has been a challenge in public key cryptography and has practical applications. Our scheme relies on a combinatorial problem which we call Constrained Linear Equations (CLE in short) and which consists of solving a set of linear equations modulo some small prime q, the unknowns being subject to belong to a specific subset of the integers mod q. Thus, we enlarge the set of tools that can be used in cryptography.

### Citations

1341 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ... zero-knowledge as they leak equally from the actual executions and the simulated ones. 2. Hash values make the simulation a bit harder: a convenient setting is the so-called random oracle model (see =-=[2]-=-). Alternatively, one has to assume specific statistical independance properties for the hash function. 6 Performances of the Scheme. The performances of our scheme are very comparable to those of [8,... |

1046 | The knowledge complexity of interactive proof systems
- Goldwasser, Micali, et al.
- 1989
(Show Context)
Citation Context ...sically all practical schemes have been based on hard problems from number theory. This has remained true with zero-knowledge proofs, introduced in 1985, in a paper by Goldwasser, Micali and Rackoff (=-=[6]-=-) and whose practical significance was soon demonstrated in the work of Fiat and Shamir ([4]). In 1989, there were two attempts to build identification protocols that only use simple operations (see [... |

837 | How to prove yourself : practical solutions to identification and signature problems
- Fiat, Shamir
(Show Context)
Citation Context ...remained true with zero-knowledge proofs, introduced in 1985, in a paper by Goldwasser, Micali and Rackoff ([6]) and whose practical significance was soon demonstrated in the work of Fiat and Shamir (=-=[4]-=-). In 1989, there were two attempts to build identification protocols that only use simple operations (see [10, 8]). One relied on the intractability of some coding problems, the other on the Permuted... |

371 | The MD4 Message Digest Algorithm - Rivest - 1990 |

312 |
Zero-knowledge proofs of identity
- Feige, Fiat, et al.
- 1988
(Show Context)
Citation Context ...ordinates in X. Also M:(U 0 \Gamma U ) = P\Omega (V \Gamma V 0 ), as observed above. It follows that the underlying system of constrained linear equations has been solved. Following the techniques in =-=[5]-=-, it is possible to prove a more foundational result, which shows that repetition of either protol is a proof of knowledge of a solution of the constrained system P\Omega T = M:S We state such a resul... |

62 | A new identification scheme based on syndrome decoding
- Stern
- 1993
(Show Context)
Citation Context ...and depends on the so-called Permuted Kernel problem (PKP). Another appeared in the CRYPTO 93 proceedings and is based on the syndrome decoding problem (SD) form the theory of error correcting codes (=-=[11]-=-). In this paper, we introduce a new scheme of the same family with the distinctive character that both the secret key and the public identification key can be taken to be of short length. By short, w... |

42 |
An Efficient Identification Scheme based on Permuted Kernels. CRYPTO
- Shamir
- 1989
(Show Context)
Citation Context ... Abstract. In the last few years, there have been several attempts to build identification protocols that do not rely on arithmetical operations with large numbers but only use simple operations (see =-=[10, 8]-=-). One was presented at the CRYPTO 89 rump session ([8]) and depends on the so-called Permuted Kernel problem (PKP). Another appeared in the CRYPTO 93 proceedings and is based on the syndrome decoding... |

27 | On the security of some cryptosystems based on error-correcting codes
- Chabaud
- 1995
(Show Context)
Citation Context ...m as a convenient benchmark in order to establish comparisons with the minimal sizes provided for PKP or SD. The minimal size suggested for the SD identification scheme has been carefully analyzed in =-=[3]-=-, where it is shown that the workload of the best possible known attacks is about 2 68 . The minimal size of the parameters in the original PKP proposal (see [8]) has been extensively discussed in [1,... |

7 |
On the Security of the Permuted Kernel Identification Scheme
- Baritaud, Campana, et al.
- 1992
(Show Context)
Citation Context ...[3], where it is shown that the workload of the best possible known attacks is about 2 68 . The minimal size of the parameters in the original PKP proposal (see [8]) has been extensively discussed in =-=[1, 7]-=-. Attacks based on intelligent gaussian elimination and a space-time trade off yield a workload of 2 52 . Similar attacks can be carried against CLE and it can be seen that the figures chosen above yi... |

5 |
An alternative to the fiat-shamir protocol
- Stern
(Show Context)
Citation Context ... Abstract. In the last few years, there have been several attempts to build identification protocols that do not rely on arithmetical operations with large numbers but only use simple operations (see =-=[10, 8]-=-). One was presented at the CRYPTO 89 rump session ([8]) and depends on the so-called Permuted Kernel problem (PKP). Another appeared in the CRYPTO 93 proceedings and is based on the syndrome decoding... |

4 |
Improved Algorithms for the Permuted Kernel Problem
- Chauvaud, Patarin
- 1994
(Show Context)
Citation Context ...[3], where it is shown that the workload of the best possible known attacks is about 2 68 . The minimal size of the parameters in the original PKP proposal (see [8]) has been extensively discussed in =-=[1, 7]-=-. Attacks based on intelligent gaussian elimination and a space-time trade off yield a workload of 2 52 . Similar attacks can be carried against CLE and it can be seen that the figures chosen above yi... |