Efficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank

  • Nicolas T. Courtois
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2248)


A Zero-knowledge protocol provides provably secure entity authentication based on a hard computational problem. Among many schemes proposed since 1984, the most practical rely on factoring and discrete log, but still there are practical schemes based on NP-hard problems. Among them, the problem SD of decoding linear codes is, in spite of some 30 years of research effort, still exponential. We study a more general problem called MinRank that generalizes SD and also contains other well-known hard problems. MinRank is also used in cryptanalysis of several public key cryptosystems such as birational schemes (Crypto’93), HFE (Crypto’99), GPT cryptosystem (Eurocrypt’91), TTM (Asiacrypt’2000) and Chen’s authentication scheme (1996).

We propose a new Zero-knowledge scheme based on MinRank. We prove it to be Zero-knowledge by black-box simulation. An adversary able to cheat for a given MinRank instance is either able to solve it, or is able to compute a collision on a given hash function.

MinRank is one of the most efficient schemes based on NP-complete problems. It can be used to prove in Zero-knowledge a solution to any problem described by multivariate equations. We also present a version with a public key shared by a few users, that allows anonymous group signatures (a.k.a. ring signatures).


Keywords: Zero-knowledge, identification, entity authentication, MinRank problem, NP-complete problems, multivariate cryptography, rank-distance codes, syndrome decoding (SD), group signatures, ring signatures



Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Nicolas T. Courtois (1, 2, 3)

  1. CP8 Crypto Team, SchlumbergerSema, Louveciennes Cedex, France
  2. SIS, Toulon University, La Garde Cedex, France
  3. Projet Codes, INRIA Rocquencourt, Le Chesnay - Cedex, France
