Designs, Codes and Cryptography, Volume 78, Issue 2, pp. 441–461

Extended security arguments for signature schemes

  • Özgür Dagdelen
  • David Galindo
  • Pascal Véron
  • Sidi Mohamed El Yousfi Alaoui
  • Pierre-Louis Cayrel


It is known how to transform certain canonical three-pass identification schemes into signature schemes via the Fiat–Shamir transform. Pointcheval and Stern showed that those schemes are existentially unforgeable in the random-oracle model by leveraging the, at that time, novel forking lemma. Recently, a number of 5-pass identification protocols have been proposed. Extending the above technique to capture 5-pass identification schemes would allow one to obtain novel unforgeable signature schemes. In this paper, we provide an extension of the forking lemma (and of the Fiat–Shamir transform) in order to assess the security of what we call \(n\)-generic signature schemes. These include signature schemes that are derived from certain \((2n+1)\)-pass identification schemes. In doing so, we put forward a generic methodology for proving the security of a number of signature schemes derived from \((2n+1)\)-pass identification schemes for \(n\ge 2\). As an application of this methodology, we obtain two new code-based existentially-unforgeable signature schemes, along with a security reduction. In particular, we solve an open problem in multivariate cryptography posed by Sakumoto, Shirai and Hiwatari at CRYPTO 2011.
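As an added illustration (not code from the paper), the following shows the shape of the generalised Fiat–Shamir transform the abstract describes: for a \((2n+1)\)-pass scheme, the \(i\)-th verifier challenge is replaced by a hash of the message and the whole transcript prefix \((\mathrm{com}_1, c_1, \ldots, \mathrm{com}_i)\), and the signature is the prover's messages plus the final response. It is instantiated with a toy 3-pass Schnorr identification scheme (\(n = 1\)) over constructed, insecure group parameters; an \(n\)-round scheme plugs in through the same interface by setting `rounds = n`.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (NOT secure): P = 2Q + 1 prime, G = 4 has order Q.
P, Q, G = 1019, 509, 4

def challenge(i, message, transcript):
    """Challenge for round i: c_i = H(i, m, com_1, c_1, ..., com_i).
    Hashing the full prefix binds c_i to every earlier round of the transcript."""
    data = f"{i}|{message.hex()}|" + "|".join(map(str, transcript))
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % Q

class Schnorr3Pass:
    """Canonical 3-pass identification scheme (n = 1) used as the plug-in instance."""
    rounds = 1                                   # an n-round scheme sets rounds = n

    def __init__(self, sk):
        self.sk, self.pk = sk % Q, pow(G, sk % Q, P)

    def prover_message(self, i, state):          # message the prover sends before c_i
        state["r"] = secrets.randbelow(Q)
        return pow(G, state["r"], P)

    def final_response(self, state, challenges):
        return (state["r"] + challenges[0] * self.sk) % Q

    @staticmethod
    def check(pk, messages, challenges, response):
        return pow(G, response, P) == messages[0] * pow(pk, challenges[0], P) % P

def sign(scheme, message):
    """Generalised Fiat–Shamir: each verifier challenge becomes a hash of the prefix.
    The signature is (prover messages, final response); challenges are recomputable."""
    state, transcript, prover_msgs, challenges = {}, [], [], []
    for i in range(scheme.rounds):
        com = scheme.prover_message(i, state)
        transcript.append(com)
        c = challenge(i, message, transcript)
        prover_msgs.append(com); challenges.append(c); transcript.append(c)
    return prover_msgs, scheme.final_response(state, challenges)

def verify(scheme_cls, pk, message, signature):
    """Recompute every challenge from the transcript prefix, then run the scheme's check."""
    prover_msgs, response = signature
    if len(prover_msgs) != scheme_cls.rounds:
        return False
    transcript, challenges = [], []
    for i, com in enumerate(prover_msgs):
        transcript.append(com)
        c = challenge(i, message, transcript)
        challenges.append(c); transcript.append(c)
    return scheme_cls.check(pk, prover_msgs, challenges, response)
```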


Keywords: Code-based cryptography · Multivariate cryptography · Signature schemes · Forking lemma · Identification schemes · Fiat–Shamir

We are thankful to an anonymous reviewer for pointing out that our security reduction for the MQ signature scheme in the conference version of this manuscript was incomplete. This observation led us to a new reshaping of our previous work. This work was supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE and by the Hessian LOEWE excellence initiative within CASED.


  1. Abdalla M., An J.H., Bellare M., Namprempre C.: From identification to signatures via the Fiat–Shamir transform: Minimizing assumptions for security and forward-security. In: EUROCRYPT’02, pp. 418–433. Springer, Heidelberg (2002).
  2. Aguilar Melchor C., Gaborit P., Schrek J.: A new zero-knowledge code based identification scheme with reduced communication. CoRR (2011). arXiv:1111.1644.
  3. Alaoui S.M.E.Y., Dagdelen Ö., Véron P., Galindo D., Cayrel P.L.: Extended security arguments for signature schemes. In: Mitrokotsa A., Vaudenay S. (eds.) AFRICACRYPT. Lecture Notes in Computer Science, vol. 7374, pp. 19–34. Springer, Heidelberg (2012).
  4. Bellare M., Neven G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS’06), pp. 390–399. ACM, New York (2006).
  5. Bitansky N., Dachman-Soled D., Garg S., Jain A., Kalai Y., López-Alt A., Wichs D.: Why Fiat–Shamir for proofs lacks a proof. In: Sahai A. (ed.) Theory of Cryptography. Lecture Notes in Computer Science, vol. 7785, pp. 182–201. Springer, Berlin (2013).
  6. Boneh D., Dagdelen Ö., Fischlin M., Lehmann A., Schaffner C., Zhandry M.: Random oracles in a quantum world. In: ASIACRYPT, pp. 41–69 (2011).
  7. Cayrel P.L., Lindner R., Rückert M., Silva R.: Improved zero-knowledge identification with lattices. In: ProvSec’10, pp. 1–17. Springer, Berlin (2010).
  8. Cayrel P.L., Véron P., El Yousfi Alaoui S.M.: A zero-knowledge identification scheme based on the \(q\)-ary syndrome decoding problem. In: SAC’2010. LNCS, pp. 170–186. Springer, Berlin (2010).
  9. Cramer R.: Modular design of secure, yet practical cryptographic protocols. Ph.D. thesis, University of Amsterdam (1996).
  10. Dagdelen Ö., Fischlin M., Gagliardoni T.: The Fiat–Shamir transformation in a quantum world. Adv. Cryptol. 2, 62–81 (2013).
  11. Dagdelen Ö., Venturi D.: A second look at Fischlin’s transformation. In: AFRICACRYPT, pp. 356–376 (2014).
  12. Fiat A., Shamir A.: How to prove yourself: practical solutions to identification and signature problems. In: CRYPTO’86, pp. 186–194. Springer, Berlin (1987).
  13. Fischlin M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: CRYPTO, pp. 152–168 (2005).
  14. Gamal T.E.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: CRYPTO’84, pp. 10–18. Springer, Berlin (1985).
  15. Goldwasser S., Kalai Y.: On the (in)security of the Fiat–Shamir paradigm. In: Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science, pp. 102–113 (2003).
  16. Goldwasser S., Micali S., Rackoff C.: The knowledge complexity of interactive proof-systems. In: STOC’85, pp. 291–304. ACM, New York (1985).
  17. Lampe R., Patarin J.: Analysis of some natural variants of the PKP algorithm. In: Samarati P., Lou W., Zhou J. (eds.) SECRYPT 2012—Proceedings of the International Conference on Security and Cryptography, pp. 209–2014. SciTePress, Lisbon (2012).
  18. Ohta K., Okamoto T.: On concrete security treatment of signatures derived from identification. In: CRYPTO’98, pp. 354–369 (1998).
  19. Pointcheval D.: A new identification scheme based on the perceptrons problem. In: EUROCRYPT’95, pp. 319–328. Springer, Berlin (1995).
  20. Pointcheval D., Poupard G.: A new NP-complete problem and public-key identification. Des. Codes Cryptogr. 28, 5–31 (2003).
  21. Pointcheval D., Stern J.: Security proofs for signature schemes. In: EUROCRYPT’96, pp. 387–398. Springer, Berlin (1996).
  22. Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000).
  23. Sakumoto K., Shirai T., Hiwatari H.: Public-key identification schemes based on multivariate quadratic polynomials. In: CRYPTO’11. LNCS, vol. 6841, pp. 706–723. Springer, Berlin (2011).
  24. Shamir A.: An efficient identification scheme based on permuted kernels (extended abstract). In: CRYPTO’89, pp. 606–609. Springer, Berlin (1990).
  25. Silva R., Cayrel P.L., Lindner R.: Zero-knowledge identification based on lattices with low communication costs. XI Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais 8, 95–107 (2011).
  26. Stern J.: A new identification scheme based on syndrome decoding. In: CRYPTO’93, pp. 13–21. Springer, Berlin (1993).
  27. Stern J.: Designing identification schemes with keys of short size. In: CRYPTO’94, pp. 164–173. Springer, Berlin (1994).
  28. Yao A.C.C., Zhao Y.: Online/offline signatures for low-power devices. IEEE Trans. Inf. Forensics Secur. 8(2), 283–294 (2013).

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  • Özgür Dagdelen (1)
  • David Galindo (2)
  • Pascal Véron (3)
  • Sidi Mohamed El Yousfi Alaoui (1)
  • Pierre-Louis Cayrel (4)

  1. Darmstadt University of Technology, Darmstadt, Germany
  2. LORIA/CNRS, Nancy, France
  3. IML/IMATH, Université du Sud Toulon-Var, La Garde Cedex, France
  4. Laboratoire Hubert Curien, Université de Saint-Etienne, Saint-Étienne, France
