
A new signature scheme based on $(U|U+V)$ codes

Abstract

We present here a new code-based digital signature scheme. This scheme uses $(U|U+V)$ codes, where both $U$ and $V$ are random. We prove that the scheme achieves existential unforgeability under adaptive chosen message attacks under two assumptions from coding theory, both strongly related to the hardness of decoding in a random linear code. The proof requires the produced signatures to be uniformly distributed; we show that this distribution is easily and efficiently achieved by rejection sampling. Signatures are efficient to produce and to verify. For a (classical) security of 128 bits, the signature size is less than one kilobyte and the public key size is a bit smaller than 2 megabytes. This gives the first practical signature scheme based on binary codes which comes with a security proof and which scales well with the security parameter: it can be shown that if one wants a security level of $2^\lambda$, then the signature size is of order $O(\lambda)$, the public key size is of order $O(\lambda^2)$, the signature generation cost is of order $O(\lambda^3)$, and the signature verification cost is of order $O(\lambda^2)$.
