Provably secure identity-based identification and signature schemes from code assumptions

Code-based cryptography is one of the few alternatives supposed to be secure in a post-quantum world. Meanwhile, identity-based identification and signature (IBI/IBS) schemes are two of the most fundamental cryptographic primitives, so several code-based IBI/IBS schemes have been proposed. However, with increasingly deep research in coding theory, the security reduction and efficiency of such schemes have been invalidated and challenged. In this paper, we construct provably secure IBI/IBS schemes from code assumptions against impersonation under active and concurrent attacks through a provably secure code-based signature technique proposed by Preetha, Vasant and Rangan (PVR signature), and a security enhancement Or-proof technique. We also present the parallel-PVR technique to decrease parameter values while maintaining the standard security level. Compared to other code-based IBI/IBS schemes, our schemes not only achieve preferable public parameter size, private key size, communication cost and signature length due to better parameter choices, but are also provably secure.


Introduction
In 1994, Shor published a quantum algorithm [1], which could ruin public key cryptography based information security as we know it today. With the development of quantum computers, NIST (National Institute of Standards and Technology) made a call for quantum resistant algorithms in 2016. Code-based cryptography represents one of the few such alternatives supposed to be secure in the post-quantum world. McEliece [2] proposed the first code-based public-key cryptosystem in 1978. Since then, a wide range of code-based cryptographic primitives has been proposed, such as digital signatures, identification protocols and hash functions [3]. Moreover, compared to traditional cryptosystems, many of them also have the advantage of fast computation [3,4].
At the same time, public key management is one of the most critical issues in multi-party communications and public key cryptography. In 1984, Shamir [5] introduced identity-based public key cryptography. The key point is that the public key of a user can be his identity id, i.e., public information about that user, such as a name, a phone number, or an e-mail address.
The motivation behind identity-based systems is to largely simplify the management of public keys for the authentication of users. In such systems:
1. Knowledge of a name or e-mail address alone suffices for cryptographic operations such as verification of a digital signature.
2. No need for a public directory, i.e., a database containing public keys or certificates.
3. Trusted authority is needed only during a set-up phase.
Therefore, it is very appealing to make fundamental cryptographic primitives, i.e., identification protocol and digital signature, gain such advantages [6,7] for more practical applications.
A cryptographic identification protocol [6,8] is designed to eliminate the security and privacy issues in traditional identification. For traditional identification, the server checks whether the submitted secret key is identical to the key stored in the database. However, there are increasing concerns about the security of such user-selected passwords, secret key leaking, and the attacks on such databases. In contrast, the identification protocol is a zero-knowledge protocol, so the verifier or the server only knows the public key (or just the identity in identity-based systems) of the prover or the user. In a challenge-response manner, it checks the validity of the prover.
Meanwhile, the digital signature is a well-known cryptographic tool for demonstrating the authenticity of digital messages or documents. When it comes to identity-based digital signature, the verifier only needs to know the name or email address instead of a long and awkward public key of the signer.
In 2009, Cayrel et al. [8] proposed state-of-the-art identity-based identification (IBI) and signature (IBS) schemes from code assumptions, or the mCFS-Stern scheme. It can be regarded as a combination of the CFS signature scheme [9] and the Stern identification protocol [10,11]. Several improved mCFS-Stern schemes have been proposed since then. Alaoui et al. [12] use quasi-dyadic Goppa codes in the user key extraction algorithm to reduce public key size. Cayrel et al. [13] propose a way to modify the Stern protocol with the q-ary syndrome decoding problem so that the cheating probability of each round is reduced from $\frac{2}{3}$ to $\frac{1}{2}$, thus reducing the communication cost and signature length. Aguilar et al. [14] adapt this technique with double circulant codes to optimize the mCFS-Stern protocol.
However, with the development of code-based cryptography, security and efficiency issues with the mCFS-Stern scheme have arisen. Firstly, Faugère et al. [15] developed a high rate distinguisher for Goppa codes so that the security proof of the mCFS-Stern scheme is invalidated. Secondly, Bleichenbacher [16] showed an attack based on the Generalized Birthday Algorithm [17]. It decreases the security level from $2^{\frac{mt}{2}}$ to $2^{\frac{mt}{3}}$ so that increased parameters are required to maintain a required security level, i.e., $2^{80}$. Thirdly, other improved mCFS-Stern schemes, either using quasi-dyadic Goppa codes [12] or modifying the Stern protocol [13,14], are vulnerable to the very recent structural attack on quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes [18] and could be broken in less than two minutes.

Our contribution
In this paper, we first propose provably secure identity-based identification and signature schemes with the PVR signature [19] technique applied in the user key extraction algorithm. It does not rely on the indistinguishability between a binary Goppa code and a random code, whereas this is required in the CFS signature scheme and has been invalidated by the distinguisher. Moreover, we present the parallel-PVR technique, inspired by the parallel-CFS technique [20]. It decreases the value of parameters while maintaining the standard security level, which used to be highly influenced by the Bleichenbacher attack. It may also be of independent interest in code-based digital signatures. Finally, we adapt the Or-proof technique [7,21] to our schemes so that they are secure against impersonation under active and concurrent attacks (id-imp-ca) instead of passive attacks (id-imp-pa). Currently, our schemes are the only code-based IBI/IBS schemes which are provably secure, and they also achieve better efficiency compared to the mCFS-Stern scheme.

Organization
The paper is organized as follows: In Section 2, we provide some preliminaries. We propose basic provably secure IBI/IBS schemes from code assumptions in Section 3. In Section 4, we further optimize our schemes with parallel-PVR and improve their security level. We discuss the parameters in Section 5 and conclude in Section 6.

Preliminaries
In this section, we first provide some background and notions for code-based cryptography and then review the definition of identity-based identification and signature schemes.

Code-based cryptography
Let C denote a binary linear error-correcting code of length $n = 2^m$ and dimension k, or a The Hamming distance between two words refers to the number of coordinates where they differ. The Hamming weight of a vector x, or wt(x), is the number of non-zero entries. We use the symbol $\xleftarrow{\$}$ to denote uniformly random selection, and the symbol $\|$ to denote concatenation.

The Bounded Decoding problem (BD).
Let n and k be two positive integers and $n \ge k$.
Find. A word $x \in \mathbb{F}_2^n$ such that $wt(x) \le \omega$ and $Hx^T = s$. The BD problem is shown to be NP-complete in [22]. The advantage of a probabilistic polynomial-time (PPT) algorithm solving the BD problem for an [n, k] code should be negligible.

2.1.2 Randomized Courtois-Finiasz-Sendrier signature scheme.
Courtois et al. [9] first proposed a practical code-based signature scheme, or the CFS scheme. Dallot [23] proposed a randomized variant mCFS and proved mCFS is strongly unforgeable under chosen message attack at that time. The scheme works as follows:

Key Generation.
Set $t = \frac{n-k}{\log_2 n}$. The private key is an (n − k) × n parity check matrix H of a t-error correcting Goppa code, a non-singular matrix Q and a permutation matrix P. The public key is the (n − k) × n matrix H = QHP.

Sign.
1. $i \xleftarrow{\$} \mathbb{F}_2^{n-k}$
2. Use the decoding algorithm to decode $Q^{-1}h(m \| i)$. h is a cryptographic hash function and m is the signing message.
3. If the decoding result $x' = \perp$, go back to step 1. It needs t! decodings on average.
2. If $s' = s$ and $wt(x) \le t$, then the signature is valid; otherwise return false.
The security reduction of the scheme relies on the indistinguishability between a binary Goppa code and a random code. However, it is invalidated by a high rate distinguisher for Goppa codes [15]. Recently, Mathew et al. [19] proposed the PVR signature scheme, which altered the key-construct of the CFS signature and presented a formal proof of PVR without such an assumption. Meanwhile, Bleichenbacher [16] showed an attack which forces the parameters of CFS, such as m and t, to be increased to achieve the same security level. Finiasz proposed Parallel-CFS [20], which resists such an attack by performing multiple complete-decoding-based signing processes.

2.1.3 The Stern identification scheme.
Stern [10,11] proposed a standard identification scheme based on error-correcting codes. Given is a random public (n − k) × n matrix H over $\mathbb{F}_2$. Each user P receives a secret key x of n bits with wt(x) = t. The public key of P is $s = Hx^T$. To prove to a verifier V that the prover P is the user corresponding to the public key s, P runs the following identification protocol with his secret key x:

Commitment.
P randomly chooses $y \in \mathbb{F}_2^n$ and a permutation σ of $\{1, 2, \dots, n\}$. P sends to V the commitments $c_1$, $c_2$, and $c_3$ such that: , where h denotes a cryptographic hash function.

Answer
V verifies that $c_2$, $c_3$ have been honestly calculated, and $wt(\sigma(x))$ is t.

Repeat.
Repeat the above four steps for γ times so that the expected security level is reached.

Remark. During the verification step, if b equals 1, $Hy^T$ can be directly derived from $H(y \oplus x)^T$ through: Hy
Theorem 1. The Stern identification protocol (P, V) is a proof of knowledge system with knowledge error $\left(\frac{2}{3}\right)^{\gamma}$ [11].
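
One round of the Stern protocol described above, as an added Python example that is not code from the paper. The commitments $c_1 = h(\sigma \| Hy^T)$, $c_2 = h(\sigma(y))$, $c_3 = h(\sigma(y \oplus x))$ and the answers for b = 0 and b = 2 follow Stern's standard presentation, because those formulas did not survive on this page; the toy sizes and every function name are assumptions.

```python
import hashlib
import random

N, K, T = 16, 8, 3              # toy sizes, constructed for the demo only
rng = random.SystemRandom()

def h(*parts):
    """Commitment hash over length-prefixed lists of small integers."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(2, "big") + bytes(p))
    return d.digest()

def xor(a, b):
    return [i ^ j for i, j in zip(a, b)]

def syndrome(H, v):
    """H v^T over F_2."""
    return [sum(r & c for r, c in zip(row, v)) % 2 for row in H]

def permute(sigma, v):
    """Apply sigma to the coordinates of v (linear over XOR)."""
    return [v[j] for j in sigma]

def weight_t_vector():
    ones = set(rng.sample(range(N), T))
    return [1 if i in ones else 0 for i in range(N)]

def keygen():
    H = [[rng.randrange(2) for _ in range(N)] for _ in range(N - K)]
    x = weight_t_vector()                       # secret key, wt(x) = t
    return H, x, syndrome(H, x)                 # public key s = H x^T

def commit(H, x):
    y = [rng.randrange(2) for _ in range(N)]
    sigma = list(range(N))
    rng.shuffle(sigma)
    c1 = h(sigma, syndrome(H, y))
    c2 = h(permute(sigma, y))
    c3 = h(permute(sigma, xor(y, x)))
    return (c1, c2, c3), (y, sigma)

def respond(state, x, b):
    y, sigma = state
    if b == 0:
        return y, sigma
    if b == 1:
        return xor(y, x), sigma
    return permute(sigma, y), permute(sigma, x)

def verify(H, s, commitments, b, resp):
    c1, c2, c3 = commitments
    if b in (0, 1):
        v, sigma = resp
        if len(v) != N or sorted(sigma) != list(range(N)):
            return False
        if b == 0:                              # v = y
            return c1 == h(sigma, syndrome(H, v)) and c2 == h(permute(sigma, v))
        hy = xor(syndrome(H, v), s)             # Remark: Hy^T from H(y+x)^T and s
        return c1 == h(sigma, hy) and c3 == h(permute(sigma, v))
    u, w = resp                                 # u = sigma(y), w = sigma(x)
    return (len(u) == N == len(w) and sum(w) == T
            and c2 == h(u) and c3 == h(xor(u, w)))

def run_round(H, s, witness, b):
    """Prover commits with `witness`, verifier sends b, prover answers."""
    commitments, state = commit(H, witness)
    return verify(H, s, commitments, b, respond(state, witness, b))

def wrong_witness(H, s):
    """A weight-t vector whose syndrome is NOT s (no knowledge of x)."""
    while True:
        w = weight_t_vector()
        if syndrome(H, w) != s:
            return w
```

A prover holding only a weight-t vector with the wrong syndrome is still accepted for b = 0 and b = 2 and rejected for b = 1, which is the per-round knowledge error of 2/3 in Theorem 1 and the reason the round is repeated γ times.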

Identity-based identification and signature
In this section, we review the definition and security model for an identity-based identification scheme (IBI) following [6,21].An identity-based signature scheme (IBS) can be derived from IBI through Fiat-Shamir heuristic [24].
It takes $1^\kappa$ as input, where κ is the security parameter. It returns a pair of the system public parameters mpk, and the master secret key msk, which is known only to a master entity.

User key extraction algorithm (UKGen).
It takes msk and an identity $id \in \{0, 1\}^*$ as inputs. It returns a user secret key usk[id].

Interactive identification protocol ($\overline{P}$, $\overline{V}$).
The prover P with identity id runs algorithm $\overline{P}$ with initial state usk[id], and the verifier V runs $\overline{V}$ with (mpk, id). When $\overline{V}$ returns 'accept' or 'reject', the protocol ends.

Security models.
There are three security models, i.e., impersonation under passive (id-imp-pa), active (id-imp-aa), and concurrent (id-imp-ca) attacks. id-imp-pa security implies the adversary can query the conversation between P and V, while id-imp-aa/ca security implies the adversary acts as a malicious V to communicate with P. id-imp-ca security implies the adversary can concurrently issue proving queries instead of only one interactive query at a time as for id-imp-aa security. The formal definitions are shown below: An IBI scheme is said to be id-imp-atk secure where atk = pa/aa/ca if any adversary A has a negligible advantage in the following game with a simulator S:

Setup.
S takes a security parameter κ, generates $(mpk, msk) \leftarrow MKGen(1^\kappa)$, and gives mpk to A. S initializes three empty user sets: HU, CU, and PS, which stand for honest users, corrupted users, and provers' sessions respectively.

Phase 1.
A adaptively issues the following queries:

Initialization query (id).
If $id \in HU \cup CU$, return $\perp$. Otherwise, run $usk[id] \leftarrow UKGen(msk, id)$, add id into HU, and return whether the above process is successful.

Corruption query (id).
If $id \notin HU$, return $\perp$. Otherwise, remove id from HU, add it into CU, and return usk[id].

Conversation query (id). (atk = pa)
If $id \notin HU$, return $\perp$. Otherwise, return a transcript of a transaction between P with usk[id] and V with mpk and id.

Proving query (id, s, $M_{in}$). (atk = aa/ca)
If $id \notin HU$, return $\perp$. If $(id, s) \notin PS$, then add (id, s) to PS, where s is a session index. If atk = aa, there should be only a single session at any one time. If atk = ca, A could maintain several sessions concurrently. It picks a random bit τ, and sets a state of the prover $st_P[(id, s)] \leftarrow (mpk, usk[id], \tau)$. It acts as V to obtain $(M_{out}, st_P[(id, s)])$ from P with $M_{in}$ and $st_P[(id, s)]$, where $M_{in}$ and $M_{out}$ are communication messages between P and V. Return $M_{out}$.

Challenge.
A outputs a target identity $id^* \in HU$, and S moves $id^*$ from HU to CU.

Condition.
A wins the game if S halts with V outputting 'accept'. The advantage is defined as

2.2.3 Code-based IBI schemes.
Cayrel et al. [8] proposed the first IBI/IBS scheme from code assumptions with a security proof. It combines the mCFS signature scheme and the Stern identification protocol (mCFS-Stern) as follows:

MKGen.
Set mpk and msk as the public parameters and the private key of the mCFS scheme respectively.

Interactive identification protocol.
P initialized with x communicates with V with $h(id \| i)$ through the Stern identification protocol.
Cayrel et al. [8] show the mCFS-Stern scheme is id-imp-pa secure. Moreover, Yang et al. [21] proved the scheme is also id-imp-aa secure. To achieve id-imp-ca security, Yang et al. also proposed a new variant of the mCFS-Stern scheme, which introduced the OR-proof technique [7].

Remark. It should be noticed that the user key extraction of the mCFS-Stern scheme cannot resist the Bleichenbacher attack and the security proof relies on the indistinguishability between a binary Goppa code and a random code, which has been already invalidated.

2.2.4 Fiat-Shamir heuristic.
According to Bellare et al. [6], identity-based signature (IBS) schemes can be constructed from convertible standard signatures or from IBI schemes through the Fiat-Shamir heuristic. Unfortunately, code-based signature schemes, e.g., the mCFS signature, are not convertible since no trapdoor samplable relation has been found to fit the key generation of existing signature schemes. Therefore, we adopt the latter method to construct IBS schemes.
Fiat and Shamir [24] proposed a general paradigm to derive a secure signature scheme from an identification scheme. Specifically, given an identification scheme with the commitment α, the challenge bit β, and the response γ, the signature for the message m is the transcript (α, β, γ), where β = h(α, m) and h is a cryptographic hash function. The verifier verifies the signature as V in the identification scheme. The paradigm will be used to derive the IBS schemes from our IBI schemes in the paper without security loss [25].

Provably secure IBI/IBS schemes
In this section, we propose a provably secure identity-based identification scheme, the PVR-Stern scheme. We first describe the scheme in Section 3.1, then we prove the scheme in Section 3.2.

Scheme description
The PVR-Stern scheme is id-imp-pa secure, and we adopt the PVR signature technique in the user key extraction so that the security reduction no longer depends on the indistinguishability between Goppa codes and random codes. We describe the scheme as follows:
Master key generation.
1. Based on the input parameter $1^\kappa$, choose parameters n, k, $t = \frac{n-k}{\log_2 n}$, $n' = n - k + 1$, and a cryptographic hash function G :
3. Select an n × n permutation matrix P.

Select a vector a
9. If H is not full-rank, choose another b to re-generate H until it is full-rank.
User key extraction.
3. If the decoding result $x'$ is not found, then go back to select i again.
4. When $x'$ is found, $x = P^T x'$, where wt(x) is t or less.
5. The user public key is G(i, id), and the corresponding user secret key usk[id] is x.

Interactive identification protocol.
P initialized with x communicates with V with $G(id \| i)$ through the Stern protocol.

Security
Theorem 3. The PVR-Stern scheme is secure under passive attacks in the random oracle model.
Proof. The proof adapts the reduction of the mCFS-Stern scheme [8] and the PVR signature scheme [19]. It shows the advantage of an adversary A is equivalent to the advantage of breaking the BD problem through a series of games.
Let $q_G$, $q_E$, $q_C$ denote the maximum number of queries to the hash oracle, the user key extraction oracle and the conversation oracle respectively. In each game, we maintain three lists $\Lambda_G$, $\Lambda_E$, $\Lambda$ to answer these queries. The list $\Lambda_G$ stores a tuple ((s, x), a) indexed by (i, id), where $i \xleftarrow{\$} \mathbb{F}_2^{n-k}$, id is an identity and $Hx^T = s = G(i, id)$. The list $\Lambda_E$ stores usk[id] = (i, x) indexed by the identity id. The list $\Lambda$ stores $i \xleftarrow{\$} \mathbb{F}_2^{n-k}$ indexed by $m \in \{0, 1\}^*$. $\perp$ denotes that there is no value in the list.
Game 0 is the standard id-imp-pa game. The master public and secret keys are obtained by the MKGen algorithm. The adversary A could issue initialization, conversation, or proving queries to the hash oracle and the user key extraction oracle. Let $X_0$ be the event that A wins Game 0. Hence, $\Pr[X_0] = \mathrm{Adv}^{id\text{-}imp\text{-}pa}_{A}(\kappa)$.
Game 1 simulates the hash oracle for G and the user key extraction oracle. The details of the hash oracle simulation and the user key extraction oracle simulation are given in Algorithm 1 and 2 respectively.
Algorithm 1 Simulation of hash oracle.
If (id, i) is queried to the hash oracle G and then Λ(id) is set to i randomly, the incoherence occurs and the user key extraction oracle aborts. Such an event happens with probability $\frac{q_E}{2^{n-k}}$. Let $X_1$ be the event that A wins Game 1. Therefore, $|\Pr[X_0] - \Pr[X_1]| \le \frac{q_E}{2^{n-k}}$.
Game 2 changes the user key extraction algorithm: it replaces H with R and H with R 0 , where , and $z \xleftarrow{\$} \mathbb{F}_2^n$. The adversary A can differentiate between Game 3 and Game 2 only if he can distinguish the random matrix R 0 from H. Since a, b, H 0 are secret and b cannot be identified from H [19], such differentiation happens with negligible probability. Hence, instead of depending on the probability to distinguish the Goppa code and the random code, let $X_2$ be the event that A wins Game 2, $\Pr[X_2] = \Pr[X_1]$.
Game 3 selects a random index $j \xleftarrow{\$} \{1, 2, \dots, q_G + q_E + q_C\}$ as the target identity index. Select a syndrome $v \xleftarrow{\$} \mathbb{F}_2^{n-k}$ and a random bit $v_b$. We change the output syndrome of G to $(v \| v_b)$ when it comes to the j-th query by the adversary A. Let $X_3$ be the event that A wins Game 3. The probability space is not modified since
Game 4 modifies the winning condition so that if the impersonating identity is not equal to the target identity, then the game is aborted. Let $X_4$ be the event that A wins Game 4. $\Pr[X_4] = \frac{\Pr[X_3]}{q_G + q_E + q_C}$.
Game 5 answers conversation queries on the target identity in expected polynomial time according to [11]. Specifically, in each iteration of the identification protocol, it chooses one out of three cheating strategies randomly, where each strategy succeeds with probability $\frac{2}{3}$. Let $X_5$ be the event that A wins Game 5. The probability space is not modified and thus $\Pr[X_5] = \Pr[X_4]$.
Based on Theorem 1, an adversary A impersonating the target identity with advantage . Let C be the simulator for Game 5 using the input of the BD problem: . Since Adv idÀ impÀ pa À Á g . It means a successful adversary A implies a successful adversary against the BD problem. Therefore, the PVR-Stern scheme is id-imp-pa secure.
Algorithm 2 Simulation of user key extraction oracle.

IBI/IBS schemes with parallel-PVR
In this section, we propose the parallel-PVR-caStern scheme. Compared to the PVR-Stern scheme, the parallel-PVR-caStern scheme is id-imp-ca secure and decreases the requirement of parameter choice for the same security level. We first describe the scheme in Section 4.1, then we discuss the security of the scheme in Section 4.2.

Scheme description
The parameter choice of the parallel-PVR-caStern scheme depends on the Bleichenbacher attack, which decreases the security level from $2^{\frac{mt}{2}}$ to $2^{\frac{mt}{3}}$, so we utilize the parallel-PVR signature technique to resist this attack. We convert the original counter-based PVR for the user key generation to complete decoding based PVR, so that we can construct parallel-PVR for better efficiency. Then we improve the security from id-imp-pa/aa secure to id-imp-ca secure through the OR-proof technique since the PVR-Stern scheme is id-imp-ca secure. We describe the scheme as follows:
Master key generation.
The master key generation algorithm of parallel-PVR-caStern is identical to that of PVR-Stern except for some additional public parameters: cryptographic hash functions , injective mapping f, parallel degree λ and additional weight δ for complete decoding such that The master secret key msk = (H, P, Q, H 0 ) and the master public parameters mpk = ( H , n, k, t, n′, λ, G 1 , …, G λ , 0, δ).

User key extraction.
For λ signatures for the user identity id in parallel: Apply the decoding algorithm to the $s_{j,i}$ where the result is $P^T \mathrm{Decode}_H(Q^{-1} s_{j,i})$.
6. Once the decodable syndrome s j 0 ,i is found, then we have found a p 0 j 0 ,i such that H 0 t (p 0 j 0 ,i ) T = s j 0 ,i .
7. The ith signature for the user identity id is
8. The parallel signature for the user identity id is x = (p j 0 ,1 ‖ … ‖ p j 0 ,λ ).
Run the above process twice to generate two different parallel signatures x 0 and x 1 for the user identity id, and toss a coin $. The user public key is (G 1 (id) ‖ … ‖ G λ (id)) and the corresponding user secret key usk[id] is ($, x $ ).

Interactive identification protocol.
For each i ∈ {1, 2, …, λ}, the prover P is initialized with $, p j 0 ,i ∈ x $ to verify H 0 t+δ (p j 0 ,i ) T = G i (id), and the verifier V is initialized with G i (id). The details are as follows:

Commitment.
Based on G i (id) and p j 0 ,i , calculate Here id refers to the hash of the user identity as mentioned in the scheme. Otherwise, it sends (0, id) and (1, id) to the external initialization oracle. It tosses a coin $ id and sends it with the id to the external corruption oracle to obtain usk[id] = ($ id , x $ id ). Then it adds id and (id, $ id , usk[id]) to HU and USK respectively. Finally, it tells CV whether the above process is successful.

Corruption.
If id ∉ HU, CV′ returns ⊥. Otherwise, CV′ removes id from HU and adds it into CU. It obtains (id, $ id , usk[id]) from USK and returns usk[id] to CV.

Conversation.
If id ∉ HU, CV′ returns ⊥. Otherwise, CV′ sends (0, id) and (1, id) to the external conversation oracle to obtain the transcript t = (c 0 1 , c 0 2 , c 0 CV outputs a target identity id* and the state information st CP . If id* ∉ HU, then CV′ halts. Otherwise, CV′ gives st CP to CP. Then CV′ acts as V to interact with CP multiple times so that transcripts of all the possible values of b and ρ are collected. With these transcripts, CV′ can compute the usk[id*]. CV′ outputs id* and the corresponding 1 − $ id* to the challenger. After the challenger returns (mpk, id*, usk[id*]) to CP′, CP′ acts as P′ to impersonate id* and Since A owns the user secret key x 0 or x 1 of usk[id] and the Reset Lemma [7,27], , where G is a commutative group over which the output challenge is uniformly distributed. Since Adv^{id-imp-pa}_F(κ) is negligible according to Theorem 3, the PVR-caStern scheme is id-imp-ca secure.
Theorem 5. The parallel-PVR-caStern scheme is secure against impersonation under active and concurrent attacks in the random oracle model.
Proof. Based on Theorem 4, for each $i \in \{1, 2, \dots, \lambda\}$, the i-th identification is secure under concurrent attacks in the random oracle model. Finiasz [20] has proposed that the parallel signatures keep a practical selection of parameters without the loss of security when the signing message (user identity here) is consistent, i.e., λ different cryptographic hashes for a user identity id constitute the user public key. Hence, since the PVR-caStern scheme is id-imp-ca secure, the parallel-PVR-caStern scheme is id-imp-ca secure.

Parameters and security
We compare the costs and sizes of the mCFS-Stern scheme and our four schemes as shown in Table 1. Our schemes differ in the ability to resist the Bleichenbacher attack (with/without parallel-PVR) and the security level (id-imp-pa/id-imp-ca). The mCFS-Stern scheme is not provably secure while our schemes are all provably secure.

Parameters
For each scheme in the table, the upper row shows the asymptotic sizes and costs, and the lower row presents the estimated costs and sizes with the parameters suggested by [8,16,19,20] to achieve a security level of about $2^{80}$. Specifically, for the schemes without parallel-PVR, $m = \log_2 n = 20$ and t = 12; otherwise, m = 18, t = 9, λ = 2, and δ = 2. For IBI schemes, the γ for communication cost is 58, and for converted IBS schemes through the Fiat-Shamir paradigm, the γ for signature length is 280.

Asymptotic analysis
The asymptotic sizes of parallel-PVR based schemes ($tm2^m$ for mpk size, $tm$ for msk size) are the same as for the schemes without the parallel-PVR technique. Also, parallel-PVR based schemes seem to cost more for their multiple signature and communication procedures. The asymptotic size of usk for parallel-PVR-Stern and parallel-PVR-caStern is $\lambda tm$, which is λ times that of PVR-Stern and PVR-caStern ($tm$). The situation is similar for the asymptotic cost of usk generation ($\lambda\, t!\, t^2 m^3$ and $t!\, t^2 m^3$), communication cost ($\lambda 2^m \gamma$ and $2^{m+1} \gamma$) and signature length ($\lambda 2^m \gamma$ and $2^m \gamma$).

Estimated costs and sizes
However, parallel-PVR based schemes actually decrease the parameter values, especially m and t, since the asymptotic security level is optimized from $2^{\frac{tm}{3}}$ to $2^{tm\frac{2^{\lambda}-1}{2^{\lambda+1}-1}}$. With parallel-PVR, there is a large improvement in mpk size (5MB and 30MB with/without parallel-PVR), msk size (162 bits and 240 bits), usk generation cost ($2^{38}$ and $2^{49}$), communication cost ($2^{25}$ and $2^{26}$ for id-imp-pa secure and $2^{26}$ and $2^{27}$ for id-imp-aa/ca secure) and signature length (18MB and 35MB for id-imp-pa secure and 35MB and 70MB for id-imp-aa/ca secure), at a small cost in usk size (324 bits and 240 bits). If id-imp-ca security is required, the communication cost and signature length double compared to the lower security level. As a result, with the PVR, parallel-PVR and Or-proof techniques, it can be concluded that our schemes improve the efficiency of the mCFS-Stern scheme while maintaining provable security. This represents an important advancement in the search for ideal post-quantum identity-based identification and signature schemes.

Table 1. The mCFS-Stern scheme is the base scheme and our four schemes differ in the ability to resist the Bleichenbacher attack (with/without parallel-PVR) and the security level (id-imp-pa/id-imp-ca). For each scheme in the table, the upper row shows the asymptotic sizes and costs with the code length m, the error correcting capability t, the number of repetition γ, and the degree of parallelism λ. The lower row presents the estimated sizes (in bits) and costs (in the number of computations) with the parameters suggested by [8,16,19,20]. https://doi.org/10.1371/journal.pone.0182894.t001

Conclusion
In this paper, we propose identity-based identification and signature schemes from code assumptions with parallel-PVR.They are not only provably secure against impersonation under active and concurrent attacks but also have better efficiency.
It is worth noting that much work is still needed to study more robust assumptions in coding theory and to construct broader identity-based cryptosystems from code assumptions. Also, we will make more efforts to achieve better system parameters so that code-based schemes will be more practical.

$\left(\frac{2}{3}\right)^{\gamma} + \epsilon$ for a non-negligible $\epsilon > 0$ can convert into a PPT algorithm solving the BD problem

1 ; c 1À $ 2 , and c 1À $ 3 : 1 .c 1 3 Þ
and c $ 3 according to the original Stern identification protocol. P randomly chooses b 1−$ , b 0 1−$ ∈ {0, 1, 2}. Based on the values of b 1−$ and b 0 1−$ , select one of the three impersonation strategies for the Stern protocol listed below and calculate the corresponding c 1−$
1. If b 1−$ and b 0 1−$ are not 0, change y in the original commitment to y ⊕ f t+δ (p j 0 ,i ).
2. If b 1−$ and b 0 1−$ are not 1, change f t+δ (p j 0 ,i ) in the original commitment to a random vector v where wt(v) = t.
3. If b 1−$ and b 0 1−$ are not 2, change y ⊕ f t+δ (p j 0 ,i ) in the original commitment to y ⊕ v where H v T = G i (id) and wt(v) is arbitrary.
P sends (c 0 1 , to V.
Challenge. V randomly sends b ∈ {0, 1, 2} to P.
Initialization. If id ∈ HU ∪ CU, CV′ returns ⊥.
The elements of the set C are called codewords. A generator matrix G of an [n, k] code C is a matrix whose rows form a basis of C. A parity check matrix H of C is an (n − k) × n matrix whose rows form a basis of the orthogonal complement of C. The syndrome of a vector x ∈ F n
Then it returns t to CV.
HU, CV′ returns ⊥. If (id, s) ∉ PS, then CV′ adds (id, s) to PS, picks a random bit τ, retrieves (id, $ id , usk[id]) from USK, and sets a state of the prover st P [(id, s)] ← (mpk, usk[id], τ). Then CV′ computes M out based on M in in three cases: If M in is a null string, CV′ sends (id, 1 − $ id ) to the external conversation oracle to obtain the transcript. It extracts the three commitments c 1−$ id and sets the remaining transcript to st P [(id, s)]. It then computes the commitments c $ id 1 , c $ id 2 , c $ id 3 with id and usk[id]. Then M