On the one-wayness against chosen-plaintext attacks of the Loidreau's modified McEliece PKC

McEliece public-key cryptosystem (PKC) is one of a few alternatives for the current PKCs that are mostly based on either the integer factoring problem (IFP) or the discrete logarithm problem (DLP) that would be solved in polynomial time after the emergence of quantum computers. The security of the McEliece PKC is based on the decoding problem and it is known that it satisfies, with an appropriate conversion, the strongest security notion, i.e., INDistinguishability of encryption against adaptively Chosen-Ciphertext Attacks (IND-CCA2), in the random oracle model under the assumption that the underlying primitive McEliece PKC satisfies a weak security notion of One-Wayness against Chosen-Plaintext Attacks (OW-CPA). OW-CPA is said to be satisfied if it is infeasible for chosen plaintext attacks to recover the whole plaintext of an arbitrarily given ciphertext. Currently, the primitive McEliece PKC satisfies OW-CPA if a parameter n/spl ges/2048 with optimum t and k is chosen since the binary work factor for (n,k,t)=(2048,1278,70) to break it with the best CPA is around 2/sup 106/, which is infeasible even if world-wide computational power is used. While the binary work factor for the next smaller parameter n=1024 is in a gray level of 2/sup 62/, it will be improved by applying Loidreau's modification that employs Frobenius automorphism in Goppa codes. In this paper, we carefully investigate the one-wayness of the Loidreau's modified McEliece PKC against ever known CPAs and new CPAs we propose, and then show that it certainly improves the one-wayness against ever known CPAs but it is vulnerable against our new CPAs. Thus, it is rather harmful to apply the new modification to the McEliece PKC.

[1]  Pierre Loidreau,et al.  Strengthening McEliece Cryptosystem , 2000, ASIACRYPT.

[2]  Ernest F. Brickell,et al.  An Observation on the Security of McEliece's Public-Key Cryptosystem , 1988, EUROCRYPT.

[3]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[4]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[5]  Peter W. Shor,et al.  Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer , 1995, SIAM Rev..

[6]  V. Sidelnikov,et al.  On insecurity of cryptosystems based on generalized Reed-Solomon codes , 1992 .

[7]  Bruce Schneier,et al.  Reaction Attacks against several Public-Key Cryptosystems , 1999, ICICS.

[8]  Anne Canteaut,et al.  A New Algorithm for Finding Minimum-Weight Words in a Linear Code: Application to McEliece’s Cryptosystem and to Narrow-Sense BCH Codes of Length , 1998 .

[9]  Anne Canteaut,et al.  Cryptanalysis of the Original McEliece Cryptosystem , 1998, ASIACRYPT.

[10]  Jacques Stern,et al.  A method for finding codewords of small weight , 1989, Coding Theory and Applications.

[11]  Kazukuni Kobara,et al.  Semantically Secure McEliece Public-Key Cryptosystem , 2002 .

[12]  Nicolas Sendrier On the Structure of Randomly Permuted Concatenated Code , 1995 .

[13]  Hung-Min Sun Further cryptanalysis of the McEliece public-key cryptosystem , 2000, IEEE Communications Letters.

[14]  N. Sendrier,et al.  Some weak keys in McEliece public-key cryptosystem , 1998, Proceedings. 1998 IEEE International Symposium on Information Theory (Cat. No.98CH36252).

[15]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Public Key Cryptography.

[16]  Henk Meijer,et al.  Security-related comments regarding McEliece's public-key cryptosystem , 1987, IEEE Trans. Inf. Theory.

[17]  Thomas A. Berson,et al.  Failure of the McEliece Public-Key Cryptosystem Under Message-Resend and Related-Message Attack , 1997, CRYPTO.

[18]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[19]  Pierre Loidreau,et al.  Weak keys in the McEliece public-key cryptosystem , 2001, IEEE Trans. Inf. Theory.

[20]  Nicolas Sendrier,et al.  The Support Splitting Algorithm , 1999 .

[21]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[22]  Elwyn R. Berlekamp,et al.  On the inherent intractability of certain coding problems (Corresp.) , 1978, IEEE Trans. Inf. Theory.