Code-Based Zero-Knowledge Protocols and Their Applications

  • Kirill Morozov
Part of the Mathematics for Industry book series (MFI, volume 29)


We present a survey of recent results in the area of zero-knowledge (ZK) protocols based on coding problems and the related Learning Parities with Noise (LPN) problem. First, we sketch the constructions of two ZK code-based identification schemes: the one based on general decoding by Jain et al. (Asiacrypt 2012) and the one based on syndrome decoding by Stern (Crypto 1993). Next, we show that these two systems can also be used to implement a proof of plaintext knowledge for the code-based public key encryption schemes: the one by McEliece and the one by Niederreiter, respectively. Finally, we briefly discuss verifiable encryption and digital signatures as applications.


Keywords: Code-based encryption; Zero-knowledge; Identification; Proof of plaintext knowledge; Verifiable encryption; Signatures



The author is supported by a Kakenhi Grant-in-Aid for Scientific Research (C) 15K00186 from Japan Society for the Promotion of Science. The author would like to thank anonymous reviewers for their helpful comments.


  1. C. Aguilar Melchor, P. Cayrel, P. Gaborit, F. Laguillaumie, A new efficient threshold ring signature scheme based on coding theory. IEEE Trans. Inf. Theory 57(7), 4833–4842 (2011)
  2. N. Asokan, V. Shoup, M. Waidner, Optimistic fair exchange of digital signatures (Extended Abstract), in EUROCRYPT 1998 (1998), pp. 591–606
  3. Y. Aumann, M.O. Rabin, A proof of plaintext knowledge protocol and applications. Manuscript. June, 2001. Available as slides from 1998 IACR Distinguished Lecture by M.O. Rabin:
  4. A. Becker, A. Joux, A. May, A. Meurer, Decoding random binary linear codes in \(2^{n/20}\): how \(1+1=0\) improves information set decoding, in EUROCRYPT 2012 (2012), pp. 520–536
  5. M. Bellare, O. Goldreich, On defining proofs of knowledge, in CRYPTO 1992 (1992), pp. 390–420
  6. M. Bellare, M. Fischlin, S. Goldwasser, S. Micali, Identification protocols secure against reset attacks, in EUROCRYPT 2001 (2001), pp. 495–511
  7. R. Bendlin, I. Damgård, Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems, in TCC 2010 (2010), pp. 201–218
  8. E. Berlekamp, R. McEliece, H. van Tilborg, On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24, 384–386 (1978)
  9. D.J. Bernstein, T. Lange, C. Peters, Smaller decoding exponents: ball-collision decoding, in CRYPTO 2011 (2011), pp. 743–760
  10. J. Camenisch, I. Damgård, Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes, in ASIACRYPT 2000 (2000), pp. 331–345
  11. J. Camenisch, V. Shoup, Practical verifiable encryption and decryption of discrete logarithms, in CRYPTO 2003 (2003), pp. 126–144
  12. P. Cayrel, P. Véron, S.M. El Yousfi Alaoui, A zero-knowledge identification scheme based on the q-ary syndrome decoding problem, in Selected Areas in Cryptography 2010 (2010), pp. 171–186
  13. T. Cover, Enumerative source encoding. IEEE Trans. Inf. Theory 19(1), 73–77 (1973)
  14. Ö. Dagdelen, D. Galindo, P. Véron, S.M. El Yousfi Alaoui, P. Cayrel, Extended security arguments for signature schemes, in AFRICACRYPT 2012 (2012), pp. 19–34. Journal version: Ö. Dagdelen, D. Galindo, P. Véron, S.M. El Yousfi Alaoui, P. Cayrel, Extended security arguments for signature schemes. Des. Codes Cryptogr. 78(2), 441–461 (2016)
  15. I. Damgård, O. Goldreich, T. Okamoto, A. Wigderson, Honest verifier vs dishonest verifier in public coin zero-knowledge proofs, in CRYPTO 1995 (1995), pp. 325–338
  16. D. Engelbert, R. Overbeck, A. Schmidt, A summary of McEliece-type cryptosystems and their security. J. Math. Cryptol. 1, 151–199 (2007)
  17. M.F. Ezerman, H.T. Lee, S. Ling, K. Nguyen, H. Wang, A provably secure group signature scheme from code-based assumptions, in ASIACRYPT (1) (2015), pp. 260–285
  18. J. Faugère, A. Gauthier-Umana, V. Otmani, L. Perret, J. Tillich, A distinguisher for high rate McEliece cryptosystems, in Information Theory Workshop (ITW) (2011), pp. 282–286
  19. U. Feige, A. Fiat, A. Shamir, Zero knowledge proofs of identity, in STOC 1987 (1987), pp. 210–217. Journal version: U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988)
  20. A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in CRYPTO 1986 (1986), pp. 186–194
  21. M. Finiasz, N. Sendrier, Security bounds for the design of code-based cryptosystems, in ASIACRYPT 2009 (2009), pp. 88–105
  22. O. Goldreich, Foundations of Cryptography I: Basic Tools (Cambridge University Press, Cambridge, 2001)
  23. S. Goldwasser, D. Kharchenko, Proof of plaintext knowledge for the Ajtai–Dwork cryptosystem, in TCC 2005 (2005), pp. 529–555
  24. V. Goppa, A new class of linear error-correcting codes (in Russian). Probl. Peredachi Inf. 6, 24–30 (1970). Russian Academy of Sciences
  25. R. Hu, K. Morozov, T. Takagi, On zero-knowledge identification based on q-ary syndrome decoding, in AsiaJCIS 2013 (2013), pp. 12–18
  26. R. Hu, K. Morozov, T. Takagi, Proof of plaintext knowledge for code-based public-key encryption revisited, in ASIACCS 2013 (ACM, 2013), pp. 535–540. Journal version: R. Hu, K. Morozov, T. Takagi, Zero-knowledge protocols for code-based public-key encryption. IEICE Trans. 98-A(10), 2139–2151 (2015)
  27. A. Jain, S. Krenn, K. Pietrzak, A. Tentes, Commitments and efficient zero-knowledge proofs from learning parity with noise, in ASIACRYPT 2012, LNCS, vol. 7658 (2012), pp. 663–680. Full version: A. Jain, S. Krenn, K. Pietrzak, A. Tentes, Commitments and Efficient Zero-Knowledge Proofs from Hard Learning Problems. Cryptology ePrint Archive, Report 2012/513 (2012),
  28. J. Katz, Efficient and non-malleable proofs of plaintext knowledge and applications, in EUROCRYPT 2003 (2003), pp. 211–228
  29. A. Kawachi, K. Tanaka, K. Xagawa, Concurrently secure identification schemes based on the worst-case hardness of lattice problems, in ASIACRYPT 2008 (2008), pp. 372–389
  30. K. Kobara, K. Morozov, R. Overbeck, Coding-based oblivious transfer, in MMICS 2008 (2008), pp. 142–156
  31. F. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes (North-Holland, Amsterdam, 1992)
  32. R.J. McEliece, A public-key cryptosystem based on algebraic coding theory, Deep Space Network Progress Report (1978)
  33. K. Morozov, Code-based public-key encryption, A Mathematical Approach to Research Problems of Science and Technology, Mathematics for Industry, vol. 5 (Springer, Berlin, 2014), pp. 47–55
  34. K. Morozov, T. Takagi, Zero-knowledge protocols for the McEliece encryption, in ACISP 2012 (2012), pp. 180–193
  35. H. Niederreiter, Knapsack-type Cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15(2), 159–166 (1986). Russian Academy of Sciences
  36. R. Nojima, H. Imai, K. Kobara, K. Morozov, Semantic security for the McEliece cryptosystem without random oracles. Design. Codes Cryptogr. 49(1–3), 289–305 (2008)
  37. R. Overbeck, N. Sendrier, Code-based cryptography, in Post-Quantum Cryptography, ed. by D.J. Bernstein, J. Buchmann, E. Dahmen (Springer, Berlin, 2009), pp. 95–145
  38. J.N. Pierce, Limit distributions of the minimum distance of random linear codes. IEEE Trans. Inf. Theory 13, 595–599 (1967)
  39. Request for Comments on Post-Quantum Cryptography Requirements and Evaluation Criteria: A Notice by the National Institute of Standards and Technology on 08/02/2016,
  40. R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
  41. R. Roth, Introduction to Coding Theory (Cambridge University Press, Cambridge, 2006)
  42. N. Sendrier, Encoding information into constant weight codewords, in ISIT’2005 (2005), pp. 435–438
  43. M. Stadler, Publicly verifiable secret sharing, in EUROCRYPT 1996 (1996), pp. 190–199
  44. J. Stern, A new identification scheme based on syndrome decoding, in CRYPTO 1993 (1993), pp. 13–21. Journal version: J. Stern, A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)
  45. P. Véron, Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996)
  46. K. Xagawa, K. Tanaka, Zero-knowledge protocols for NTRU: application to identification and proof of plaintext knowledge, in ProvSec 2009 (2009), pp. 198–213
  47. K. Xagawa, A. Kawachi, K. Tanaka, Proof of plaintext knowledge for the Regev cryptosystems, Technical report C-236, Tokyo Institute of Technology (2007)

Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. School of Computing, Tokyo Institute of Technology, Tokyo, Japan
