Semantic security for the McEliece cryptosystem without random oracles

In this paper, we formally prove that padding the plaintext with a random bit-string provides the semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions. Such padding has recently been used by Suzuki, Kobara and Imai in the context of RFID security. Our proof relies on the technical result by Katz and Shin from Eurocrypt ’05 showing “pseudorandomness” implied by the learning parity with noise (LPN) problem. We do not need the random oracles as opposed to the known generic constructions which, on the other hand, provide a stronger protection as compared to our scheme—against (adaptive) chosen ciphertext attack, i.e., IND-CCA(2). In order to show that the padded version of the cryptosystem remains practical, we provide some estimates for suitable key sizes together with corresponding workload required for successful attack.

[1]  Robert J. McEliece,et al.  The theory of information and coding : a mathematical framework for communication , 1977 .

[2]  Robert J. McEliece,et al.  The Theory of Information and Coding , 1979 .

[3]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[4]  Elwyn R. Berlekamp,et al.  On the inherent intractability of certain coding problems (Corresp.) , 1978, IEEE Trans. Inf. Theory.

[5]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[6]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[7]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[8]  Jacques Stern,et al.  A method for finding codewords of small weight , 1989, Coding Theory and Applications.

[9]  Jeffrey S. Leon,et al.  A probabilistic algorithm for computing minimum weights of large error-correcting codes , 1988, IEEE Trans. Inf. Theory.

[10]  Leonid A. Levin,et al.  A hard-core predicate for all one-way functions , 1989, STOC '89.

[11]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[12]  Robert H. Deng,et al.  On the equivalence of McEliece's and Niederreiter's public-key cryptosystems , 1994, IEEE Trans. Inf. Theory.

[13]  F. Chabaud,et al.  A New Algorithm for Finding Minimum-Weight Words in a Linear Code: Application to Primitive Narrow-Sense BCH Codes of Length~511 , 1995 .

[14]  Mihir Bellare,et al.  Optimal Asymmetric Encryption-How to Encrypt with RSA , 1995 .

[15]  Jacques Stern,et al.  An Efficient Pseudo-Random Generator Provably as Secure as Syndrome Decoding , 1996, EUROCRYPT.

[16]  Erez Petrank,et al.  Is code equivalence easy to decide? , 1997, IEEE Trans. Inf. Theory.

[17]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[18]  Anne Canteaut,et al.  A New Algorithm for Finding Minimum-Weight Words in a Linear Code: Application to McEliece’s Cryptosystem and to Narrow-Sense BCH Codes of Length , 1998 .

[19]  Anne Canteaut,et al.  Cryptanalysis of the Original McEliece Cryptosystem , 1998, ASIACRYPT.

[20]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[21]  David Pointcheval,et al.  Chosen-Ciphertext Security for Any One-Way Cryptosystem , 2000, Public Key Cryptography.

[22]  Nicolas Sendrier,et al.  Finding the permutation between equivalent linear codes: The support splitting algorithm , 2000, IEEE Trans. Inf. Theory.

[23]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[24]  Victor Shoup,et al.  OAEP Reconsidered , 2001, CRYPTO.

[25]  Pierre Loidreau,et al.  Weak keys in the McEliece public-key cryptosystem , 2001, IEEE Trans. Inf. Theory.

[26]  Oded Goldreich,et al.  Foundations of Cryptography: List of Figures , 2001 .

[27]  Matthieu Finiasz,et al.  How to Achieve a McEliece-Based Digital Signature Scheme , 2001, ASIACRYPT.

[28]  Oded Goldreich Foundations of Cryptography: Index , 2001 .

[29]  Kazukuni Kobara,et al.  Semantically Secure McEliece Public-Key Cryptosystems-Conversions for McEliece PKC , 2001, Public Key Cryptography.

[30]  Richard E. Overill,et al.  Foundations of Cryptography: Basic Tools , 2002, J. Log. Comput..

[31]  Adam Tauman Kalai,et al.  Noise-tolerant learning, the parity problem, and the statistical query model , 2000, STOC '00.

[32]  E. Krouk,et al.  Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept , 2007 .

[33]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[34]  Andrei V. Kelarev,et al.  The Theory of Information and Coding , 2005 .

[35]  Jonathan Katz,et al.  Parallel and Concurrent Security of the HB and HB+ Protocols , 2006, EUROCRYPT.

[36]  Kazukuni Kobara,et al.  Privacy Enhanced and Light Weight RFID System without Tag Synchronization and Exhaustive Search , 2006, 2006 IEEE International Conference on Systems, Man and Cybernetics.

[37]  Raphael Overbeck,et al.  A Summary of McEliece-Type Cryptosystems and their Security , 2007, J. Math. Cryptol..

[38]  P. Gaborit,et al.  Identity-based identification and signature schemes using correcting codes , 2007 .

[39]  Marc Girault,et al.  Lightweight code-based identification and signature , 2007, 2007 IEEE International Symposium on Information Theory.

[40]  Pierre-Louis Cayrel,et al.  Identity-Based Identification and Signature Schemes using Error Correcting Codes , 2009, Identity-Based Cryptography.

[41]  Jonathan Katz,et al.  Parallel and Concurrent Security of the HB and HB+ Protocols , 2006, Journal of Cryptology.