Zero-Knowledge for Multivariate Polynomials

  • Valérie Nachef
  • Jacques Patarin
  • Emmanuel Volte
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7533)


In [15] a protocol ZK(2) using zero-knowledge argument of knowledge was designed from a solution of a set of multivariate quadratic equations over a finite field (i.e. from MQ problem). In this paper, we propose a new scheme ZK(d) which is a generalization of ZK(2), i.e. we consider systems of polynomials of degree d. The key idea of the scheme ZK(d) is to use a polarization identity that allows to get a d-linear function and then use a cut-and-choose technique. We also observe that the scheme \(\tilde{ZK}(d)\), which is the natural generalization of the protocol based on the MQ problem to higher degree, is more efficient in terms of computations whereas the ZK(d) scheme is better in terms of bits to be sent. Moreover these properties are still true for all kinds of polynomials: for example if the polynomials are sparse or dense. Finally, we will present two examples of applications: with Brent equations, or with morphisms of polynomials.


Authentication scheme Zero-Knowledge Multivariate polynomials 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bard, G.V.: New Practical Strassen-like Approximate Matrix-multiplication Algorithms found via solving a system of cubic equations,
  2. 2.
    Berbain, C., Gilbert, H., Patarin, J.: QUAD: A Practical Stream Cipher with Provable Security. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 109–128. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Courtois, N., Bard, G.V., Hulme, D.: A new general-purpose method to multiply 3x3 matrices using only 23 multiplications. CoRR, abs/1108.2830 (2011)Google Scholar
  4. 4.
    Garey, M.R., Johnson, D.S.: Computers and Intractability; A Guide to the Theory of NP-Completness. W.H. Freeman and Co. (1979)Google Scholar
  5. 5.
    Goldreich, O.: Foundations of Cryptography: Volume I. Basic Tools. Cambridge University Press, Cambridge (2001)CrossRefGoogle Scholar
  6. 6.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in np have zero-knowledge proof systems. J. ACM 38, 690–728 (1991)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Halevi, S., Micali, S.: Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 201–215. Springer, Heidelberg (1996)Google Scholar
  8. 8.
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced Oil and Vinegar Signature Schemes. In: Reisig, W., Rozenberg, G. (eds.) APN 1998. LNCS, vol. 1492, pp. 206–222. Springer, Heidelberg (1998)Google Scholar
  9. 9.
    Laderman, J.: A noncomuutative algorithm for multiplying 3 x3 matrices using 23 multiplication. Bulletin of the American Mathematical Society 82, 126–128 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  10. 10.
    Matsumoto, T., Imai, H.: Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  11. 11.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  12. 12.
    Patarin, J., Goubin, L.: Trapdoor One-Way Permutations and Multivariate Polynomials. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 356–368. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  13. 13.
    Pointcheval, D.: A New Identification Scheme Based on the Perceptrons Problem. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 319–328. Springer, Heidelberg (1995)Google Scholar
  14. 14.
    Sakumoto, K.: Public-Key Identification Schemes Based on Multivariate Cubic Polynomials. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 172–189. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. 15.
    Sakumoto, K., Shirai, T., Hiwatari, H.: Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011)Google Scholar
  16. 16.
    Shamir, A.: An Efficient Identification Scheme Based on Permuted Kernels (Extended Abstract). In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 606–609. Springer, Heidelberg (1990)Google Scholar
  17. 17.
    Stern, J.: A New Identification Scheme Based on Syndrome Decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994)Google Scholar
  18. 18.
    Stern, J.: Designing Identification Schemes with Keys of Short Size. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 164–173. Springer, Heidelberg (1994)Google Scholar
  19. 19.
    Strassen, V.: Gaussion Elimination is not optimal. Numerische Mathematik 13(3), 354–356 (1969)MathSciNetzbMATHCrossRefGoogle Scholar
  20. 20.
    Thomas, E.G.F.: A Polarizatin Identity for Multilinear Maps. University of Groningen - Preprint (1997)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Valérie Nachef
    • 1
  • Jacques Patarin
    • 2
  • Emmanuel Volte
    • 1
  1. 1.Department of MathematicsUniversity of Cergy-Pontoise, CNRS UMR 8088Cergy-Pontoise CedexFrance
  2. 2.PRISMUniversity of VersaillesVersailles CedexFrance

Personalised recommendations