# Code-Based Zero-Knowledge Protocols and Their Applications

## Abstract

We present a survey of recent results in the area of zero-knowledge (ZK) protocols based on coding problems and the related Learning Parities with Noise (LPN) problem. First, we sketch the constructions of two ZK code-based identification schemes: the one based on general decoding by Jain et al. (Asiacrypt 2012) and the one based on syndrome decoding by Stern (Crypto 1993). Next, we show that these two systems can also be used to implement a proof of plaintext knowledge for the code-based public key encryption schemes: the one by McEliece and the one by Niederreiter, respectively. Finally, we briefly discuss verifiable encryption and digital signatures as applications.
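As an added illustration of the syndrome-decoding identification scheme the abstract refers to (Stern, Crypto 1993), the following Python is example code written for this page; it is not the chapter's own code nor an implementation from any of the cited works. It assumes a toy parameter set (n = 24, r = 12, w = 4), uses SHA-256 over a canonical encoding as the commitment scheme, draws the parity-check matrix and the weight-w secret at random, and all function names are the example's own. It runs the three-pass protocol for all three challenges, shows the knowledge extractor that recovers the secret from the answers to challenges 0 and 2 on one commitment, and shows that a tampered opening is rejected.

```python
"""Stern's 3-pass zero-knowledge identification protocol over GF(2), toy
parameters.  Public key: parity-check matrix H (r x n) and syndrome
s = H e^T.  Secret key: e of Hamming weight w (the syndrome decoding
instance).  Added example; assumed parameters and helper names."""
import hashlib
import random


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def syndrome(H, v):
    """H * v^T over GF(2): parity of each row's dot product with v."""
    return tuple(sum(h & x for h, x in zip(row, v)) & 1 for row in H)


def permute(v, sigma):
    """Position i of the output takes coordinate sigma[i] of v."""
    return tuple(v[sigma[i]] for i in range(len(v)))


def unpermute(v, sigma):
    out = [0] * len(v)
    for i, x in enumerate(v):
        out[sigma[i]] = x
    return tuple(out)


def commit(*parts):
    """Hash commitment; hiding rests on fresh y and sigma every round."""
    return hashlib.sha256("|".join(repr(tuple(p)) for p in parts).encode()).hexdigest()


def keygen(n, r, w, rng):
    """Random H and a random weight-w secret e; (H, H e^T, w) is public."""
    H = [tuple(rng.getrandbits(1) for _ in range(n)) for _ in range(r)]
    e = [0] * n
    for i in rng.sample(range(n), w):
        e[i] = 1
    e = tuple(e)
    return (H, syndrome(H, e), w), e


def prover_commit(H, e, rng):
    """Pass 1: mask e with a random vector y and a random permutation sigma."""
    n = len(e)
    y = tuple(rng.getrandbits(1) for _ in range(n))
    sigma = list(range(n))
    rng.shuffle(sigma)
    c0 = commit(sigma, syndrome(H, y))
    c1 = commit(permute(y, sigma))
    c2 = commit(permute(xor(y, e), sigma))
    return (c0, c1, c2), (y, sigma)


def prover_respond(e, state, b):
    """Pass 3: open the two commitments selected by challenge b in {0,1,2}."""
    y, sigma = state
    if b == 0:
        return (y, sigma)
    if b == 1:
        return (xor(y, e), sigma)
    if b == 2:
        return (permute(y, sigma), permute(e, sigma))
    raise ValueError("challenge must be 0, 1 or 2")


def verifier_check(pk, coms, b, response):
    """Each challenge opens two of three commitments; none of them reveals e."""
    H, s, w = pk
    c0, c1, c2 = coms
    if b == 0:
        y, sigma = response
        return c0 == commit(sigma, syndrome(H, y)) and c1 == commit(permute(y, sigma))
    if b == 1:
        ye, sigma = response  # ye = y xor e, and H ye^T xor s = H y^T
        return c0 == commit(sigma, xor(syndrome(H, ye), s)) and c2 == commit(permute(ye, sigma))
    if b == 2:
        ys, es = response  # permuted y and permuted e; weight check is the point
        return c1 == commit(ys) and c2 == commit(xor(ys, es)) and sum(es) == w
    return False


def run_protocol(pk, e, rounds, rng):
    """A prover without e answers a random challenge with probability at most
    2/3 per round, so `rounds` is chosen for the target soundness error."""
    for _ in range(rounds):
        coms, state = prover_commit(pk[0], e, rng)
        b = rng.randrange(3)  # verifier's challenge
        if not verifier_check(pk, coms, b, prover_respond(e, state, b)):
            return False
    return True


def extract_secret(resp0, resp2):
    """Knowledge extractor: challenge 0 gives sigma, challenge 2 gives
    permute(e, sigma); together they yield e, so answering all three
    challenges on one commitment implies knowing the secret."""
    _y, sigma = resp0
    _ys, es = resp2
    return unpermute(es, sigma)


def demo(seed=7):
    """Deterministic end-to-end run; returns four booleans that should all hold."""
    rng = random.Random(seed)
    pk, e = keygen(24, 12, 4, rng)
    accepted = run_protocol(pk, e, 40, rng)
    coms, state = prover_commit(pk[0], e, rng)
    resp = {b: prover_respond(e, state, b) for b in range(3)}
    all_ok = all(verifier_check(pk, coms, b, resp[b]) for b in range(3))
    recovered = extract_secret(resp[0], resp[2]) == e
    y, sigma = resp[0]  # tamper: flip one coordinate of the opened y
    rejected = not verifier_check(pk, coms, 0, (xor(y, (1,) + (0,) * 23), sigma))
    return accepted, all_ok, recovered, rejected


if __name__ == "__main__":
    print(demo())
```

The number of rounds sets the soundness error: with 40 rounds an impersonator who does not know e passes with probability about (2/3)^40. The `extract_secret` function is the reason the scheme is a proof of knowledge rather than merely an argument that some weight-w preimage exists.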

## Keywords

Code-based encryption, Zero-knowledge, Identification, Proof of plaintext knowledge, Verifiable encryption, Signatures

## Notes

### Acknowledgements

The author is supported by a Kakenhi Grant-in-Aid for Scientific Research (C) 15K00186 from Japan Society for the Promotion of Science. The author would like to thank anonymous reviewers for their helpful comments.

## References

- 1. C. Aguilar Melchor, P. Cayrel, P. Gaborit, F. Laguillaumie, A new efficient threshold ring signature scheme based on coding theory. IEEE Trans. Inf. Theory **57**(7), 4833–4842 (2011)
- 2. N. Asokan, V. Shoup, M. Waidner, Optimistic fair exchange of digital signatures (extended abstract), in *EUROCRYPT 1998* (1998), pp. 591–606
- 3. Y. Aumann, M.O. Rabin, A proof of plaintext knowledge protocol and applications. Manuscript, June 2001. Available as slides from the 1998 IACR Distinguished Lecture by M.O. Rabin: http://www.iacr.org/publications/dl/rabin98/rabin98slides.ps
- 4. A. Becker, A. Joux, A. May, A. Meurer, Decoding random binary linear codes in \(2^{n/20}\): how \(1+1=0\) improves information set decoding, in *EUROCRYPT 2012* (2012), pp. 520–536
- 5. M. Bellare, O. Goldreich, On defining proofs of knowledge, in *CRYPTO 1992* (1992), pp. 390–420
- 6. M. Bellare, M. Fischlin, S. Goldwasser, S. Micali, Identification protocols secure against reset attacks, in *EUROCRYPT 2001* (2001), pp. 495–511
- 7. R. Bendlin, I. Damgård, Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems, in *TCC 2010* (2010), pp. 201–218
- 8. E. Berlekamp, R. McEliece, H. van Tilborg, On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory **24**, 384–386 (1978)
- 9. D.J. Bernstein, T. Lange, C. Peters, Smaller decoding exponents: ball-collision decoding, in *CRYPTO 2011* (2011), pp. 743–760
- 10. J. Camenisch, I. Damgård, Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes, in *ASIACRYPT 2000* (2000), pp. 331–345
- 11. J. Camenisch, V. Shoup, Practical verifiable encryption and decryption of discrete logarithms, in *CRYPTO 2003* (2003), pp. 126–144
- 12. P. Cayrel, P. Véron, S.M. El Yousfi Alaoui, A zero-knowledge identification scheme based on the q-ary syndrome decoding problem, in *Selected Areas in Cryptography 2010* (2010), pp. 171–186
- 13. T. Cover, Enumerative source encoding. IEEE Trans. Inf. Theory **19**(1), 73–77 (1973)
- 14. Ö. Dagdelen, D. Galindo, P. Véron, S.M. El Yousfi Alaoui, P. Cayrel, Extended security arguments for signature schemes, in *AFRICACRYPT 2012* (2012), pp. 19–34. Journal version: Des. Codes Cryptogr. **78**(2), 441–461 (2016)
- 15. I. Damgård, O. Goldreich, T. Okamoto, A. Wigderson, Honest verifier vs dishonest verifier in public coin zero-knowledge proofs, in *CRYPTO 1995* (1995), pp. 325–338
- 16. D. Engelbert, R. Overbeck, A. Schmidt, A summary of McEliece-type cryptosystems and their security. J. Math. Cryptol. **1**, 151–199 (2007)
- 17. M.F. Ezerman, H.T. Lee, S. Ling, K. Nguyen, H. Wang, A provably secure group signature scheme from code-based assumptions, in *ASIACRYPT (1)* (2015), pp. 260–285
- 18. J. Faugère, A. Gauthier-Umana, V. Otmani, L. Perret, J. Tillich, A distinguisher for high rate McEliece cryptosystems, in *Information Theory Workshop (ITW)* (2011), pp. 282–286
- 19. U. Feige, A. Fiat, A. Shamir, Zero knowledge proofs of identity, in *STOC 1987* (1987), pp. 210–217. Journal version: Zero-knowledge proofs of identity. J. Cryptol. **1**(2), 77–94 (1988)
- 20. A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in *CRYPTO 1986* (1986), pp. 186–194
- 21. M. Finiasz, N. Sendrier, Security bounds for the design of code-based cryptosystems, in *ASIACRYPT 2009* (2009), pp. 88–105
- 22. O. Goldreich, *Foundations of Cryptography I: Basic Tools* (Cambridge University Press, Cambridge, 2001)
- 23. S. Goldwasser, D. Kharchenko, Proof of plaintext knowledge for the Ajtai–Dwork cryptosystem, in *TCC 2005* (2005), pp. 529–555
- 24. V. Goppa, A new class of linear error-correcting codes (in Russian). Probl. Peredachi Inf. **6**, 24–30 (1970). Russian Academy of Sciences
- 25. R. Hu, K. Morozov, T. Takagi, On zero-knowledge identification based on q-ary syndrome decoding, in *AsiaJCIS 2013* (2013), pp. 12–18
- 26. R. Hu, K. Morozov, T. Takagi, Proof of plaintext knowledge for code-based public-key encryption revisited, in *ASIACCS 2013* (ACM, 2013), pp. 535–540. Journal version: Zero-knowledge protocols for code-based public-key encryption. IEICE Trans. **98-A**(10), 2139–2151 (2015)
- 27. A. Jain, S. Krenn, K. Pietrzak, A. Tentes, Commitments and efficient zero-knowledge proofs from learning parity with noise, in *ASIACRYPT 2012*, LNCS, vol. 7658 (2012), pp. 663–680. Full version: Commitments and efficient zero-knowledge proofs from hard learning problems. Cryptology ePrint Archive, Report 2012/513 (2012), http://eprint.iacr.org/2012/513
- 28. J. Katz, Efficient and non-malleable proofs of plaintext knowledge and applications, in *EUROCRYPT 2003* (2003), pp. 211–228
- 29. A. Kawachi, K. Tanaka, K. Xagawa, Concurrently secure identification schemes based on the worst-case hardness of lattice problems, in *ASIACRYPT 2008* (2008), pp. 372–389
- 30. K. Kobara, K. Morozov, R. Overbeck, Coding-based oblivious transfer, in *MMICS 2008* (2008), pp. 142–156
- 31. F. MacWilliams, N.J.A. Sloane, *The Theory of Error-Correcting Codes* (North-Holland, Amsterdam, 1992)
- 32. R.J. McEliece, A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report (1978)
- 33. K. Morozov, Code-based public-key encryption, in *A Mathematical Approach to Research Problems of Science and Technology*, Mathematics for Industry, vol. 5 (Springer, Berlin, 2014), pp. 47–55
- 34. K. Morozov, T. Takagi, Zero-knowledge protocols for the McEliece encryption, in *ACISP 2012* (2012), pp. 180–193
- 35. H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory **15**(2), 159–166 (1986). Russian Academy of Sciences
- 36. R. Nojima, H. Imai, K. Kobara, K. Morozov, Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. **49**(1–3), 289–305 (2008)
- 37. R. Overbeck, N. Sendrier, Code-based cryptography, in *Post-Quantum Cryptography*, ed. by D.J. Bernstein, J. Buchmann, E. Dahmen (Springer, Berlin, 2009), pp. 95–145
- 38. J.N. Pierce, Limit distributions of the minimum distance of random linear codes. IEEE Trans. Inf. Theory **13**, 595–599 (1967)
- 39. Request for Comments on Post-Quantum Cryptography Requirements and Evaluation Criteria: a notice by the National Institute of Standards and Technology, 08/02/2016, http://csrc.nist.gov/groups/ST/post-quantum-crypto/rfc-july2016.html
- 40. R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM **21**(2), 120–126 (1978)
- 41. R. Roth, *Introduction to Coding Theory* (Cambridge University Press, Cambridge, 2006)
- 42. N. Sendrier, Encoding information into constant weight codewords, in *ISIT 2005* (2005), pp. 435–438
- 43. M. Stadler, Publicly verifiable secret sharing, in *EUROCRYPT 1996* (1996), pp. 190–199
- 44. J. Stern, A new identification scheme based on syndrome decoding, in *CRYPTO 1993* (1993), pp. 13–21. Journal version: A new paradigm for public key identification. IEEE Trans. Inf. Theory **42**(6), 1757–1768 (1996)
- 45. P. Véron, Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. **8**(1), 57–69 (1996)
- 46. K. Xagawa, K. Tanaka, Zero-knowledge protocols for NTRU: application to identification and proof of plaintext knowledge, in *ProvSec 2009* (2009), pp. 198–213
- 47. K. Xagawa, A. Kawachi, K. Tanaka, Proof of plaintext knowledge for the Regev cryptosystems. Technical report C-236, Tokyo Institute of Technology (2007)