Skip to main content

Extended security arguments for signature schemes


It is known how to transform certain canonical three-pass identification schemes into signature schemes via the Fiat–Shamir transform. Pointcheval and Stern showed that those schemes are existentially unforgeable in the random-oracle model leveraging the, at that time, novel forking lemma. Recently, a number of 5-pass identification protocols have been proposed. Extending the above technique to capture 5-pass identification schemes would allow to obtain novel unforgeable signature schemes. In this paper, we provide an extension of the forking lemma (and the Fiat–Shamir transform) in order to assess the security of what we call \(n\)-generic signature schemes. These include signature schemes that are derived from certain \((2n+1)\)-pass identification schemes. In doing so, we put forward a generic methodology for proving the security of a number of signature schemes derived from \((2n+1)\)-pass identification schemes for \(n\ge 2\). As an application of this methodology, we obtain two new code-based existentially-unforgeable signature schemes, along with a security reduction. In particular, we solve an open problem in multivariate cryptography posed by Sakumoto, Shirai and Hiwatari at CRYPTO 2011.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1. Alternatively, one could use Fischlin’s transformation [13] in order to derive signature schemes. A comparison between Fiat–Shamir and Fischlin’s transformation can be found in [11].

  2. This requirement is necessary for Lemma 3.

  3. Since \(l\) is the index of \(\mathcal {A}\)’s query and there are only polynomially number of queries made by \(\mathcal {A}\), our success probability remains non-negligible when picking \(l\) randomly.

  4. By \(\mathcal {V}.\mathsf {Vf}(\mathsf {pk},m,\sigma )\) we mean the verification algorithm performed by the verifier from the underlying identification scheme \(\textsc {IS}\).

  5. In the conference version of this work [3] a simpler security argument was given that turned out to be flawed.


  1. Abdalla M., An J.H., Bellare M., Namprempre C.: From identification to signatures via the Fiat–Shamir transform: Minimizing assumptions for security and forward-security. In: EUROCRYPT’02, pp. 418–433. Springer, Heidelberg (2002).

  2. Aguilar Melchor C., Gaborit P., Schrek J.: A new zero-knowledge code based identification scheme with reduced communication, CoRR (2011). arXiv:1111.1644.

  3. Alaoui S.M.E.Y., Dagdelen Ö., Véron P., Galindo D., Cayrel P.L.: Extended security arguments for signature schemes. In: Mitrokotsa A., Vaudenay S. (eds.) AFRICACRYPT. Lecture Notes in Computer Science, vol. 7374, pp. 19–34. Springer, Heidelberg (2012).

  4. Bellare M., Neven G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS’06), pp. 390–399. ACM, New York (2006).

  5. Bitansky N., Dachman-Soled D., Garg S., Jain A., Kalai Y., Lpez-Alt A., Wichs D.: Why Fiat–Shamir for proofs lacks a proof. In: Sahai A. (ed.) Theory of Cryptography. Lecture Notes in Computer Science, vol. 7785, pp. 182–201. Springer, Berlin (2013).

  6. Boneh D., Dagdelen Ö., Fischlin M., Lehmann A., Schaffner C., Zhandry M.: Random oracles in a quantum world. In: ASIACRYPT, pp. 41–69 (2011).

  7. Cayrel P.L., Lindner R., Rückert M., Silva R.: Improved zero-knowledge identification with lattices. In: ProvSec’10, pp. 1–17. Springer, Berlin (2010).

  8. Cayrel P.L., Véron P., El Yousfi Alaoui S.M.: A zero-knowledge identification scheme based on the \(q\)-ary syndrome decoding problem. In: SAC’2010. LNCS, pp. 170–186. Springer, Berlin (2010).

  9. Cramer R.: Modular design of secure, yet practical cryptographic protocols. Ph.D. thesis, University of Amsterdam (1996).

  10. Dagdelen Ö., Fischlin M., Gagliardoni T.: The Fiat–Shamir transformation in a quantum world. Adv. Cryptol 2, 62–81 (2013).

  11. Dagdelen Ö., Venturi D.: A second look at Fischlin’s transformation. In: AFRICACRYPT, pp. 356–376 (2014).

  12. Fiat A., Shamir F.: How to prove yourself: practical solutions to identification and signature problems. In: CRYPTO’86, pp. 186–194. Springer, Berlin (1987).

  13. Fischlin M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: CRYPTO, pp. 152–168 (2005).

  14. Gamal T.E.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: CRYPTO’84, pp. 10–18. Springer, Berlin (1985).

  15. Goldwasser S., Kalai Y.: On the (in)security of the Fiat–Shamir paradigm. In: Proceedings on 44th Annual IEEE Symposium on Foundations of Computer Science, pp. 102–113 (2003).

  16. Goldwasser S., Micali S., Rackoff C.: The knowledge complexity of interactive proof-systems. In: STOC’85, pp. 291–304. ACM, New York (1985).

  17. Lampe R., Patarin J.: Analysis of some natural variants of the PKP algorithm. In: Pierangela Samarati Wenjing Lou J.Z.E. (ed.) SECRYPT 2012—Proceedings of the International Conference on Security and Cryptography, pp. 209–2014. SciTePress, Lisbon (2012).

  18. Ohta K., Okamoto T.: On concrete security treatment of signatures derived from identification. In: CRYPTO’98, pp. 354–369 (1998).

  19. Pointcheval D.: A new identification scheme based on the perceptrons problem. In: EUROCRYPT’95, pp. 319–328. Springer, Berlin (1995).

  20. Pointcheval D., Poupard G.: A new NP-complete problem and public-key identification. Des. Codes Cryptogr. 28, 5–31 (2003).

  21. Pointcheval D., Stern J.: Security proofs for signature schemes. In: EUROCRYPT’96, pp. 387–398. Springer, Berlin (1996).

  22. Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000).

  23. Sakumoto K., Shirai T., Hiwatari H.: Public-key identification schemes based on multivariate quadratic polynomials. In: CRYPTO’11. LNCS, vol. 6841, pp. 706–723. Springer, Berlin (2011).

  24. Shamir A.: An efficient identification scheme based on permuted kernels (extended abstract). In: CRYPTO’89, pp. 606–609. Springer, Berlin (1990).

  25. Silva R., Cayrel P.L., Lindner R.: Zero-knowledge identification based on lattices with low communication costs. XI Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais 8, 95–107 (2011).

  26. Stern J.: A new identification scheme based on syndrome decoding. In: CRYPTO’93, pp. 13–21. Springer, Berlin (1993).

  27. Stern J.: Designing identification schemes with keys of short size. In: CRYPTO’94, pp. 164–173. Springer, Berlin (1994).

  28. Yao A.C.C., Zhao Y.: Online/offline signatures for low-power devices. IEEE Trans. Inf. Forensics Secur. 8(2), 283–294 (2013).

Download references


We are thankful to an anonymous reviewer for pointing out that our security reduction for the MQ signature scheme in the conference version of this manuscript was incomplete. This observation lead us to a new reshaping of our previous work. This work was supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE and by the Hessian LOEWE excellence initiative within CASED.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Özgür Dagdelen.

Additional information

Communicated by K. Matsuura.

Rights and permissions

Reprints and Permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Dagdelen, Ö., Galindo, D., Véron, P. et al. Extended security arguments for signature schemes. Des. Codes Cryptogr. 78, 441–461 (2016).

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI:


Mathematics Subject Classification