McEliece in the world of Escher

1 Department of Telematics, Norwegian University of Science and Technology (NTNU), Trondheim, NORWAY, {danilog, simonas, hakoja}@item.ntnu.no
2 “Ss Cyril and Methodius” University, Faculty of Computer Science and Engineering (FINKI), Skopje, MACEDONIA, simona.samardjiska@finki.ukim.mk
3 Saint Petersburg State University of Aerospace Instrumentation, Saint Petersburg, RUSSIA, bsv@aanet.ru

Abstract. We present a new family of linear binary codes of length n and dimension k accompanied with a fast list decoding algorithm that can correct up to n/2 errors in a bounded channel with an error density ρ. The decisional problem of decoding random codes using these generalized error sets is NP-complete. Next we use the properties of these codes to design both an encryption scheme and a signature scheme. Although in the open literature there have been several proposals on how to produce digital signatures from the McEliece public key scheme, as far as we know, this is the first public key scheme based on codes where signatures are produced in a straightforward manner from the decryption procedure of the scheme. The security analysis of our scheme has four parts:
1. An extensive list of attacks using the Information Set Decoding techniques adapted for our codes;
2. An analysis of the cost of a distinguishing attack based on rank attacks on the generator matrix of the code or on its dual code;
3. An analysis of the cost of cheap distinguishing attacks on the generator matrix of the code or on its dual code that have expensive list-decoding properties;
4. We interpret our scheme as a multivariate quadratic system and discuss the difficulties of solving that system using algebraic approaches such as Gröbner bases.
Based on this security analysis we suggest some concrete parameters for the security levels in the range of 2^80 to 2^128.
An additional feature of the decryption process is that it admits massive and trivial parallelization that could potentially make our scheme in hardware as fast as the symmetric crypto primitives.
