Biblio

It is notably challenging to design an efficient and secure signature scheme based on error-correcting codes. An approach to build such signature schemes is to derive it from an identification protocol through the Fiat-Shamir transform. All such protocols based on codes must be run several rounds, since each run of the protocol allows a cheating probability of either 2/3 or 1/2. The resulting signature size is proportional to the number of rounds, thus making the 1/2 cheating probability version more attractive. We present a signature scheme based on double circulant codes in the rank metric, derived from an identification protocol with cheating probability of 2/3. We reduced this probability to almost 1/2 to obtain the smallest signature among code-based signature schemes based on the Fiat-Shamir paradigm, around 22 KBytes for 128 bit security level. Furthermore, among all code-based signature schemes, our proposal has the lowest value of signature plus public key size, and the smallest secret and public key sizes. We provide a security proof in the Random Oracle Model, implementation performances, and a comparison with the parameters of similar signature schemes.

Shamir's Secret Sharing Scheme is well established and widely used. It allows a so-called Dealer to split and share a secret k among n Participants such that at least t shares are needed to reconstruct k, where 0 \textbackslashtextbackslashtextless; t ≤ n. Nothing about the secret can be learned from less than t shares. To split secret k, the Dealer generates a polynomial f, whose independent term is k and the coefficients are randomly selected using a uniform distribution. A share is a pair (x, f(x)) where x is also chosen randomly using a uniform distribution. This scheme is useful, for example, to distribute cryptographic keys among different cloud providers and to create multi-factor authentication. The security of Shamir's Secret Sharing Scheme is usually analyzed using a threat model where the Dealer is trusted to split and share secrets as described above. In this paper, we demonstrate that there exists a different threat model where a malicious Dealer can compute shares such that a subset of less than t shares is allowed to reconstruct the secret. We refer to such subsets as hidden sets. We formally define hidden sets and prove lower bounds on the number of possible hidden sets for polynomials of degree t - 1. Yet, we show how to detect hidden sets given a set of n shares and describe how to create hidden sets while sharing a secret using a modification of Shamir's scheme.

This paper presents an authentication protocol specifically tailored for IoT devices that inherently limits the number of times that an entity can authenticate itself with a given key pair. The protocol we propose is based on a stateful hash-based digital signature system called eXtended Merkle Signature Scheme (XMSS), which has increased its popularity of late due to its resistance to quantum-computer-aided attacks. We propose a 1-pass authentication protocol that can be customized according to the server capabilities to keep track of the key pair state. In addition, we present results when ported to ARM Cortex-M3 and M0 processors.