A new paradigm for public key identification

The present article investigates the possibility of designing zero-knowledge identi-cation schemes based on hard problems from coding theory. Zero-knowledge proofs were introduced in 1985, in a paper by Goldwasser, Micali and Rackoo ((16]). Their practical signiicance was soon demonstrated in the work of Fiat and Shamir ((11]), who turned zero-knowledge proofs of quadratic residuosity into eecient means of establishing user identities. In the present paper, we propose a new identiication scheme, based on error-correcting codes, which is zero-knowledge and seems of practical value. Furthermore, we describe several variants, including one which has an identity based character. The security of our schemes depends on the hardness of nding a word of given syndrome and prescribed (small) weight with respect to some randomly generated binary linear error-correcting code. This is, of course, not the rst attempt to design a cryptographic scheme using tools from coding theory. The diierence is that identiication protocols do not follow the public key paradigm based on trap-door functions and described in the seminal Diie-Hellman paper ((8]). Rather, they only require one-way functions, which opens the way to using, in a rather direct manner, simple combinatorial problems of the kind provided by coding theory. The resulting schemes compare favourably to their number-theoretic analogues. 0 Introduction Modern cryptography is concerned with algorithms and schemes which ensure conndentiality, integrity and proof of origin for digital communications. In conventional cryptosystems, these various functionalities are provided in a setting where the transmitter and the receiver share a common key, whose secrecy is requested for proper operation. A major breakthrough took place in 1976 with the appearance of public-key cryptography ((8]). In their paper, Diie and Hellman proposed a new concept, allowing the use of two matching keys, one for encryption and a diierent one for decryption. The main novel character of the concept is that the encryption key need not be kept secret. Shortly afterwards, Rivest, Shamir and Adleman invented the celebrated RSA algorithm ((29]). This algorithm is a public key system making heavy use of operations modulo a large integer n obtained by multiplying together two prime numbers and whose security is related to diiculty of factoring n. Since then, nearly all new cryptographic schemes have been based on hard problems from number 1