Entanglement Between Hash Encodings and Signatures from ID Schemes with Non-binary Challenges: A Case Study on Lightweight Code-Based Signatures

  • Bagus SantosoEmail author
  • Taiyo Yamaguchi
  • Tomoyuki Ohkubo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11125)


We are interested in investigating the following issue which rises during the implementation of signature schemes derived from identification (ID) schemes via Fiat-Shamir (FS) transform. In FS transform, the “challenge” part of the ID scheme is substituted with the output of a hash function. However, the“challenge” part of several ID schemes, such as Stern’s code-based ID scheme, is a ternary sequence \((\{0, 1, 2\}^*)\), while all standard hash functions, e.g., SHA-256, outputs a binary sequence. Hence, we have to apply an encoding to transform the binary sequence of the hash functions’ outputs into the ternary sequence. A naive encoding method is to store the whole outputs of the hash function in memory and then convert them into ternary afterwards. Although this naive encoding method seems sufficient, it is an interesting question whether we can have better encoding options with lower computing and storage costs, especially when we deal with implementation on lightweight devices with critical resources.

In this paper, we select two other simple hash encoding methods and plug them into the signature scheme generated from Stern’s ID scheme. We summarize our results as follows.

  • We discover an interesting phenomenon that the choice of the hash encoding method, which is widely considered as a mere implementation issue that is supposed to be independent to the stage of scheme design and the stage of the theoretical security proof construction, raises problems which make us redesign the scheme and reconstruct the security proof.

  • Our machine experiment shows that our newly selected encoding methods combined with the redesigned signature schemes bring a significant performance improvement in practice. For the case of 128-bit security which is the standard for post-quantum security, in a single-board credit-card sized computer, i.e., Raspberry Pi, the first newly selected encoding method and the second one are shown to be around 53 times faster and 187 faster respectively with few kilobytes additional length in signature compared to the naive method above.



This work was supported by JSPS Grants-in-Aid for Scientific Research (KAKENHI) Grant Number JP18K11292.


  1. 1.
    Abdalla, M., Fouque, P.-A., Lyubashevsky, V., Tibouchi, M.: Tightly-secure signatures from lossy identification schemes. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 572–590. Springer, Heidelberg (2012). Scholar
  2. 2.
    Alamélou, Q., Blazy, O., Cauchie, S., Gaborit, P.: A code-based group signature scheme. Des. Codes Crypt. 82(1), 469–493 (2017)MathSciNetCrossRefGoogle Scholar
  3. 3.
    Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002). Scholar
  4. 4.
    Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theor. 24(3), 384–386 (1978)CrossRefGoogle Scholar
  5. 5.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). Scholar
  6. 6.
    Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011). Scholar
  7. 7.
    Stackoverflow: Conversion of binary bitstream to and from ternary bitstream? August 2012. Code is from answer provided by Stephen Ressler ( under pseudonym Gene
  8. 8.
    Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theor. 42(6), 1757–1768 (1996)MathSciNetCrossRefGoogle Scholar
  9. 9.
    von Neumann, J.: Various techniques used in connection with random digits. Monte Carlo methods. Nat. Bur. Stand. 12, 36–38 (1951)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Bagus Santoso
    • 1
    Email author
  • Taiyo Yamaguchi
    • 1
  • Tomoyuki Ohkubo
    • 1
  1. 1.Department of Computer and Network EngineeringUniversity of Electro-CommunicationsChofuJapan

Personalised recommendations