On IND-CCA1 Security of Randomized McEliece Encryption in the Standard Model

We show that a modification of Nojima et al.'s Randomized McEliece Encryption (RME), in which the receiver verifies the correctness of the decrypted plaintext, achieves IND-CCA1 security in the standard model. We rely on the two (standard) assumptions also used for RME, hardness of general decoding and Goppa code indistinguishability (sometimes jointly referred to as "the McEliece assumptions"), plus an extra assumption on the non-falsifiability of McEliece ciphertexts. The latter implies that an adversary is unable to sample a McEliece ciphertext for which the message and error vector are unknown. This assumption is non-standard, but it represents a win-win argument: breaking it would imply efficient sampling of McEliece ciphertexts, which in turn may potentially lead to a Full Domain Hash code-based signature based on the McEliece PKE without the rejection sampling used in the Courtois-Finiasz-Sendrier signature from Asiacrypt 2001, a long-standing open problem in code-based cryptography.
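As an added illustration (not code from the paper or from Nojima et al.), a toy RME over a tiny code showing the receiver-side check the abstract describes: decryption decodes, re-encrypts the recovered (r, m) and rejects any ciphertext whose residual error weight is not exactly t, so a malformed ciphertext submitted to the decryption oracle yields nothing. The extended Hamming code, its generator matrix and the brute-force decoder are assumptions of the toy, not the paper's Goppa-code instantiation.

```python
# Toy Randomized McEliece Encryption (RME) with the receiver-side check that
# the abstract describes.  Constructed illustration, not the paper's or
# Nojima et al.'s code: the code is the extended Hamming [8,4,4] code (t = 1),
# the secret scrambling S and permutation P of real McEliece are omitted, and
# the "private" decoder is a brute-force bounded-distance decoder.
import secrets
from itertools import product

N, K, T = 8, 4, 1      # length, dimension and error weight of the toy code
K1, K2 = 2, 2          # RME: K1 random bits are prepended to a K2-bit message

G = [                  # systematic generator matrix of the extended Hamming code
    [1, 0, 0, 0, 1, 1, 0, 1],
    [0, 1, 0, 0, 1, 0, 1, 1],
    [0, 0, 1, 0, 0, 1, 1, 1],
    [0, 0, 0, 1, 1, 1, 1, 0],
]

def encode(u):         # codeword u*G over GF(2)
    return [sum(u[i] * G[i][j] for i in range(K)) % 2 for j in range(N)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

CODEWORDS = [encode(list(u)) for u in product([0, 1], repeat=K)]

def rme_encrypt(m, r=None, err_pos=None):
    """c = (r || m)*G + e with wt(e) = T; r and e are random unless given."""
    if r is None:
        r = [secrets.randbelow(2) for _ in range(K1)]
    if err_pos is None:
        err_pos = secrets.randbelow(N)
    e = [int(j == err_pos) for j in range(N)]
    return xor(encode(r + m), e)

def rme_decrypt(c):
    """Decode c, then verify it is a well-formed RME ciphertext; None if not."""
    near = [cw for cw in CODEWORDS if sum(xor(c, cw)) <= T]
    if len(near) != 1:           # bounded-distance decoding failed: reject
        return None
    u = near[0][:K]              # systematic code: information bits are r || m
    r, m = u[:K1], u[K1:]
    # Receiver-side check: re-encrypt the decoded (r, m) and insist that the
    # residual error has weight exactly T, as every honest ciphertext does.
    e = xor(c, encode(r + m))
    if sum(e) != T:              # e.g. a bare codeword (no error) is rejected
        return None
    return m
```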

[1] Stephan Krenn et al. Commitments and Efficient Zero-Knowledge Proofs from Learning Parity with Noise, 2012, ASIACRYPT.

[2] Kirill Morozov et al. Code-Based Public-Key Encryption, 2014.

[3] Gil Segev et al. Chosen-Ciphertext Security via Correlated Products, 2009, SIAM J. Comput.

[4] Elwyn R. Berlekamp et al. On the inherent intractability of certain coding problems (Corresp.), 1978, IEEE Trans. Inf. Theory.

[5] Mark Zhandry et al. Random Oracles in a Quantum World, 2010, ASIACRYPT.

[6] Ron M. Roth et al. Introduction to Coding Theory, 2019, Discrete Mathematics.

[7] F. MacWilliams et al. The Theory of Error-Correcting Codes, 1977.

[8] Matthieu Finiasz et al. How to Achieve a McEliece-Based Digital Signature Scheme, 2001, ASIACRYPT.

[9] C. Pandu Rangan et al. An Efficient IND-CCA2 Secure Variant of the Niederreiter Encryption Scheme in the Standard Model, 2012, ACISP.

[10] Tatsuaki Okamoto et al. Secure Integration of Asymmetric and Symmetric Encryption Schemes, 1999, CRYPTO.

[11] Brent Waters et al. Lossy trapdoor functions and their applications, 2008, SIAM J. Comput.

[12] Kirill Morozov et al. On the security of the Courtois-Finiasz-Sendrier signature, 2018.

[13] Raphael Overbeck et al. A Summary of McEliece-Type Cryptosystems and their Security, 2007, J. Math. Cryptol.

[14] Paulo S. L. M. Barreto et al. MDPC-McEliece: New McEliece variants from Moderate Density Parity-Check codes, 2013, IEEE International Symposium on Information Theory.

[15] Ivan Damgård et al. Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks, 1991, CRYPTO.

[16] Raphael Overbeck et al. Code-based cryptography, 2009.

[17] Edoardo Persichetti. On the CCA2 Security of McEliece in the Standard Model, 2018, ProvSec.

[18] Helger Lipmaa et al. On the CCA1-Security of Elgamal and Damgård's Elgamal, 2010, Inscrypt.

[19] Kazukuni Kobara et al. Semantically Secure McEliece Public-Key Cryptosystems: Conversions for McEliece PKC, 2001, Public Key Cryptography.

[20] Matthieu Finiasz et al. Security Bounds for the Design of Code-Based Cryptosystems, 2009, ASIACRYPT.

[21] Moni Naor et al. On Cryptographic Assumptions and Challenges, 2003, CRYPTO.

[22] Kouichi Sakurai et al. On unconditionally binding code-based commitment schemes, 2017, IMCOM.

[23] Kazukuni Kobara et al. Semantic security for the McEliece cryptosystem without random oracles, 2008, Des. Codes Cryptogr.

[24] Moni Naor et al. Nonmalleable Cryptography, 2000, SIAM Rev.

[25] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[26] Mihir Bellare et al. An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem, 2004, EUROCRYPT.

[27] Nico Döttling et al. A CCA2 Secure Variant of the McEliece Cryptosystem, 2012, IEEE Transactions on Information Theory.

[28] Jean-Charles Faugère et al. A Distinguisher for High-Rate McEliece Cryptosystems, 2011, IEEE Transactions on Information Theory.