An Efficient and Provably Secure Public Key Encryption Scheme Based on Coding Theory Rongxing Lu1, Xiaodong Lin2, Xiaohui Liang1 and Xuemin (Sherman) Shen1∗

SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks (2010) Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.274

RESEARCH ARTICLE An efficient and provably secure public key encryption scheme based on coding theory Rongxing Lu1, Xiaodong Lin2, Xiaohui Liang1 and Xuemin (Sherman) Shen1∗

1 Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada 2 Faculty of Business and Information Technology, University of Ontario Institute of Technology, Oshawa, Ontario, L1H 7K4, Canada

ABSTRACT

Although coding-based public key encryption schemes such as McEliece and Niederreiter cryptosystems have been well studied, it is not a trivial task to design an efficient coding-based cryptosystem with semantic security against adaptive chosen ciphertext attacks (IND-CCA2). To tackle this challenging issue, in this paper, we first propose an efficient IND- CCA2-secure public key encryption scheme based on coding theory. We then use the provable security technique to formally prove the security of the proposed scheme is tightly related to the syndrome decoding (SD) problem in the random oracle model. Compared with the previously reported schemes, the proposed scheme is merited with simple construction and fast encryption speed. Copyright © 2010 John Wiley & Sons, Ltd.

KEYWORDS coding-based cryptography; public key encryption; semantic security; chosen-ciphertext attacks; syndrom decoding problem

*Correspondence Xuemin (Sherman) Shen, Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada. E-mail: [email protected]

1. INTRODUCTION size, the security level also grows much faster. Niederreiter cryptosystem [5] is a dual encryption scheme proposed in Post-quantum cryptography (PQC), as a popular cryptog- 1986, which is not only ten times faster than the McEliece raphy terminology aiming at providing ‘Post-Quantum’ cryptosytem in terms of encryption speed, but also equiv- alternative to the currently existing number theory cryp- alent to the McEliece cryptosystem in terms of security. tography [1--3], has obtained great attention in recent Following these two seminal works, over the past years, years. In essence, PQC overlaps many existing cryptogra- many efforts have been put in coding-based cryptography phy branches including coding-based cryptography [4,5], [8--14]. For example, Stern has proposed a coding-based lattice-based cryptography, hash-based cryptography, and zero knowledge identification scheme in 1993 [14]; Cour- multivariate-quadratic-equations cryptography [6]. How- tois, Finiasz, and Sendrier have presented the first practical ever, driven largely by the possible invention of a large coding-based signature scheme in 2001 [10]. More recently, quantum computer in the near future, PQC becomes a how to reduce the public key size and how to secure the new buzz word in cryptography communities and these parameter choice in coding-based cryptography are also non-number theory cryptography branches, especially the deeply explored [15--19]. coding-based cryptography, have brought renewed atten- The semantic security (a.k.a indistinguishability) against tion. adaptive chosen ciphertext attacks (IND-CCA2) is the In coding-based cryptography, there are two well- strongest known notion of security for the public key known public key encryption schemes, namely McEliece encryption schemes. However, in coding-based cryptog- and Niederreiter cryptosystems [4,5]. McEliece cryptosys- raphy, ‘IND-CCA2’ has not been widely discussed. To tem was first proposed in 1978 [4], which represents the best of our knowledge, only a few papers have the first public key encryption scheme based on linear touched this research issue [20--22]. Because McEliece error-correcting codes. Compared with the classical RSA cryptosystem has some special architecture, some gen- cryptosystem [7], the McEliece cryptosystem has two eral IND-CCA2 conversions [23,24], though they achieve advantages: (i) the speeds of both encryption and decryption IND-CCA2 versions of McEliece cryptosystem, may incur algorithms are faster; and (ii) with the increase of the key some redundancy. Therefore, Kobta and Imai have pro-

Copyright © 2010 John Wiley & Sons, Ltd. Public key encryption scheme based on coding theory R. Lu et al. posed two specific conversions to reduce the redundancy parameters params in a polynomial time of κ; we write R [20]. Recently, Nojima et al. [21] have studied the seman- params ←− Setup(κ). tic for the McEliece cryptosystem without random oracles. • The randomized key generation algorithm Kgen takes However, they only achieve the semantic security against the system public parameters params as input, and the chosen plaintext attacks and the tight reductions are returns a pair (pk, sk) consisting of a public key and a also questionable, especially for the Niederreiter cryptosys- corresponding private key in a polynomial time of κ, tem. In Reference [22], Dowsley et al. have also discussed R we write (pk, sk) ←− Kgen(params). the CCA2 secure public key encryption scheme based on • The randomized encryption algorithm Enc takes a pub- the McEliece assumption in the standard model, but their lic key pk, a random number r, and a plaintext M as scheme needs some special constructions. Therefore, how input, and returns a ciphertext C in a polynomial time to design an efficient and IND-CCA2 secure coding-based of κ; we write C ←− Enc(pk, r,M). cryptosystem with/without random oracles is still worth of • The deterministic decryption algorithm Dec takes the investigation. private key sk and a ciphertext C as input, and returns In this paper, we propose an efficient IND-CCA2 secure the corresponding plaintext M or a special symbol ⊥ public key encryption scheme based on coding theory. Con- indicating that the ciphertext was invalid in a poly- cretely, we design our scheme based on the syndrome nomial time of κ; we write x ← Dec(sk, C), where decoding (SD) problem, and use the provable security tech- x∈{M, ⊥}. nique to get a tight reduction in the random oracle model [25]. Compared with Niederreiter cryptosystem, only two All algorithms should satisfy the standard consistency additional hash operations are required in the proposed constraint of public key encryption, i.e., for any message scheme. Thus, our scheme achieves fast encryption speed. M, Dec(sk, C = Enc(pk, r,M)) = M. The remainder of this paper is organized as follows. In Section 2, we formalize the definition of public key encryption and the corresponding security model. In Section 3, we review the coding theory and the complexity assumption, 2.3. Security model the base of our proposed scheme. In Section 4, we present our efficient public key encryption scheme based on coding We recall the standard notion of security of public key theory, following by its formal security proof and parameter encryption schemes in terms of indistinguishability [26]. selection in Section 5 and Section 6, respectively. Finally, Concretely, we consider the security notion for a public key we draw our conclusions in Section 7. encryption scheme is indistinguishable against the adaptive chosen ciphertext attacks, call it the ‘IND-CCA2’ security model for brevity. 2. DEFINITION AND SECURITY Definition 1. (IND-CCA2) Let k and t be integers MODEL and ε a real number in [0, 1], and PKE a secure public key encryption scheme with the security parameter k. 2.1. Notation Let A be an IND-CCA2 adversary, which is allowed to access the decryption oracle OD (and some random ora- OH ,OH , ···, Let N ={1, 2, 3,...} denote the set of natural numbers, cles 1 2 in the random oracle model), against and k∈N be a security parameter. An event is said to be the indistinguishability of PKE. We consider the following random experiment: negligible if it happens with probability less than the inverse − n Expind cca2 k of any polynomial in k.Ifn∈N, then 0 denotes the string of Experiment PKE,A ( ) n zeros. If x, y are strings, then |x| denotes the length of x, n R [x]n denotes the n least significant bits of x,[x] denotes the params ←− Setup(k) n most significant bits of x, and x ⊕ y denotes the bit XOR if |x|=|y|, while if S is a finite set, then |S| is its cardinality, R R and s ←− S indicates the process of selecting s uniformly (pk, sk) ←− Kgen(params) and at random in S.IfA is a randomized algorithm, then y ←− A(x1,x2, ···) denotes the processing of A on inputs OD ,OH ,OH ,··· M ,M , ←− A ( 1 2 ) params, pk x1,x2, ···, and letting y denote its output. ( 0 1 state) ( )

R 2.2. Definition b ←− { 0, 1},Cb ←− Enc(pk, r,Mb)

In general, a public key encryption scheme PKE = OD(,OH ,OH ,···) (Setup, Kgen, Enc, Dec) consists of four algorithms: b ←− A 1 2 (params, pk, Cb, state)

• The randomized setup algorithm Setup takes a security if b = b then return b∗ ← 1 else b∗ ← 0 parameter κ as input, and returns the system public return b∗

We define the success probability of A via pute a word x∈Fn such that hw(x) ≤ t and HxT = s. Note 2 − − that, to ensure the hardness of SD problem, the parameters Succind cca2(k) = 2Pr Expind cca2(k) −1 PKE,A PKE,A should be carefully chosen [27,29,30]. = b = b − 2Pr 1 Definition 2. (SD Assumption) Let C be an [n, k, d]- binary linear code defined by a (n−k) × n binary matrix H k, t, ε d t ≤ d−1 PKE is said to be ( )-IND-CCA2 secure, if no adver- with the minimal distance , and 2 . An adversary A t Succind−cca2 k ≥ ε s∈Fn−k sary running in time has a success PKE,A ( ) . that takes an input of a syndrome 2 , returns a word s∈Fn−k 2 . We consider the following random experiment on SD problem. 3. CODING THEORY AND SD Experiment ExpA COMPLEXITY ASSUMPTION x∈Fn ← A H,s∈Fn−k 2 2 Let F be the finite field with 2 elements {0, 1}, k∈N be a T 2 if hw(x) ≤ t and Hx = s security parameter, and C denote an [n, k]-binary linear code of length n and dimension k, i.e., a subspace of dimension then b ← 1 else b ← 0 k Fn Fn of the vector space 2. Elements of 2 are called words, return b and elements of C are called codewords.An[n, k]-binary We define the corresponding success probability of A in linear code is usually given in the form of a (n−k) × n solving the SD problem via H binary matrix , lines of which form a basis of the code. SD SD x = x ,x , ···,x ∈Fn SuccA = Pr ExpA = 1 We call the syndrome of a word ( 1 2 n) 2 is s = HxT the quantity computed by Let τ∈N and ε∈[0, 1]. We call SD to be (τ, ε)-secure if T no polynomial algorithm A running in time τ has success s = (s1,s2, ···,sn−k) = Hx SuccSD ≥ ε.  h .. h   x  A h11 12 1n 1 Parameters of Goppa Codes: Goppa codes are subfield  h21 h22 .. h2n   x2      subcodes of particular alternant codes. For given integers =  . . . .  ·  .  m, t∈N n = m  . . . .   .  , binary Goppa codes are of length 2 and with k = n−mt Fm,t h(n−k)1 h(n−k)2 .. h(n−k)n xn the dimension of . Let denote the family |F |= 2tm of such Goppa codes, then we have m,t t . Since their algebraic structure can be efficiently hidden and pro- If the quantity s = 0, i.e., HxT = 0, the word x = vide a good t-decoding algorithm, Fm,t are good candidates x ,x , ···,x ∈Fn for constructing efficient cryptographic algorithms. In the ( 1 2 n) 2 is a codeword. The Hamming weight x = x ,x , ···,x ∈Fn next section, we will use the Goppa codes to designed our of a word ( 1 2 n) 2 is referred to the number of its non-zero positions, denoted as hw(x); the Hamming efficient and provably secure public key encryption scheme. x = x ,x , ···,x ∈Fn distance between two words ( 1 2 n) 2 and y = y ,y , ···,y ∈Fn ( 1 2 n) 2 is the number of positions where they differ, and denoted as dH (x, y); and the minimal dis- 4. PROPOSED PUBLIC KEY tance of an [n, k]-binary linear code C is defined by d = ENCRYPTION SCHEME BASED ON minx,y∈C dH (x, y). Then, the [n, k]-binary linear code C is CODING THEORY called [n, k, d] code. All [n, k, d] codes satisfy the Single- ton bound which states that d ≤ n−k + 1 [27]. A binary In this section, we present our public key encryption PKE linear [n, k, d] code is ensured to exist as long as scheme based on coding theory, which can be regarded d−2 as the CCA2 version of Niederreiter cryptosystem [5] and n−1 n−k < 2 mainly consists of four algorithms, namely Setup, Kgen, j Enc, and Dec, as shown in Figure 1. j=0 Setup. Given the security parameter κ, four integers This is called the Gilbert-Varshamov (GV) bound. Note (m, t, k0,k1)∈N are chosen such that the t-decoding in m that, random binary codes are known to meet the GV bound, a Goppa code of length n = k0 + k1 = 2 , of dimension in the sense that the above inequality comes very close to k = 2m−mt has complexity at least 2κ [10]. In addition, two being an equality [28], and no available family of binary secure cryptographic hash functions H1, H2 are also cho- ∗ k0+k1 ∗ codes can be decoded in subexponential time up to the GV sen, where H1 : {0, 1} →{0, 1} and H2 : {0, 1} → k +k bound [27]. {0, 1} 0 1 . In the end, the system parameters params = t ≤ d−1 m, t, k ,k , H , H Syndrome Decoding Problem [27]: Let 2 ,we ( 0 1 1 2) are published. s∈Fn−k params = know that, for any syndrome 2 , there exists at most Kgen. Given the system parameters x∈Fn hw x ≤ t HxT = s m, t, k ,k , H , H one word 2 such that ( ) and .A ( 0 1 1 2), choose a random binary Goppa code s∈Fn−k t n, k, d C G H syndrome 2 is said to be -decodable in the [ ]- 0 from the Goppa code family m,t. Let 0 be a parity C H C t C binary linear code defined by if there exists such a check matrix of 0 and H0 be a -decoding algorithm in 0. word x. The SD problem is stated as follows: given an In addition, a random non-singular mt × mt binary matrix n−k × n H s∈Fn−k U P m × m ( ) binary matrix and a syndrome 2 , com- and a random permutation matrix of size 2 2 are

Figure 1. Proposed public key encryption scheme based on coding theory.

sk = , U, P Game Game also chosen. Set the private key ( H0 ) and the Proof. We define a sequence of games 0, 1, corresponding public key pk as H = UH0P. ··· of modified attacks starting from the actual adversary k Enc. Given a message M∈{0, 1} 1 and the public key A [31,32]. All the games operate on the same underly- k +k H, choose a random number r∈{0, 1} 0 1 , and execute the ing probability space: the system parameters params = following steps: (m, t, k0,k1, H1, H2) and public key H, the coin tosses of A H,s∗∈Fmt . Let ( 2 ) be a random instance of SD problem, we k0+k1 k0 • compute x∈{0, 1} , where x = (0 ||M) ⊕ H1(r), will use these incremental games to reduce the SD instance • α, β α = H x ⊕ β T ∈Fmt B = A compute ( ) such that ( ) 2 , to the adversary against the IND-CCA2 security of the r ⊕ H2(x), ciphertext C = (α, β) in the proposed PKE scheme. • set the ciphertext C = (α, β). Game0 : This is the real attack game. In the game, the adversary A is fed with the system parameters params = Dec. Given a ciphertext C = (α, β) and the private key (m, t, k0,k1, H1, H2) and public key H = UH0P.Inthe , U, P A ( H0 ), the following steps are executed: first phase, the adversary can access to the random ora- O O O cles H1 , H2 and the decryption oracle D for any input. • y = PyT = U−1α A compute H0 ( ), At some point, the adversary chooses a pair of mes- −1 k1 • compute y = y P , x = y ⊕ B, and β ⊕ H2(x) = r, sages (M0,M1)∈{0, 1} . Then, we randomly choose a bit k0 k0 • compute x ⊕ H1(r), if [x ⊕ H1(r)] is 0 , parse x ⊕ b∈{0, 1} and produce the message M = Mb’s ciphertext k H r 0 ||M M = x ⊕ H r C = α ,β A 1( )as0 , i.e., [ 1( )]k1 ; otherwise ( ) as the challenge to the adversary . The chal- output ⊥ indicating an invalid ciphertext. lenge comes from the public key H and one random number k0+k1 T r ∈{0, 1} , and α = H(x ⊕ β ) , β = r ⊕ H2(x ) l0 Compared with Niederreiter cryptosystem [5], only two with x = (0 ||M ) ⊕ H1(r ). In the second stage, the additional hash operations are required. As a result, the adversary A is still allowed to access to the random ora- O O O encryption speed of the proposed scheme is as fast as cles H1 , H2 and the decryption oracle D for any input, Niederreiter cryptosystem. except the challenge C to OD. Finally, the adversary A out- puts a bit b ∈{0, 1}.InanyGamej, we denote by Guessj the event b = b. Then, we have 5. SECURITY PROOF

ε ≤ Succind−cca2 = b = b − In this section, we prove that the proposed scheme is IND- PKE,A 2Pr[ ] 1 CCA2-secure in the random oracle model, where the hash = 2Pr[Guess0] − 1 functions H and H are modelled as random oracles [25]. 1 2 ε Theorem 1. Let A be an adversary against the proposed 1 Pr[Guess0] ≥ + (2) PKE scheme in the random oracle model, where the hash 2 2 functions H1 and H2 behave as random oracles. Assume that A has the success probability Succind−cca2 ≥ ε to break PKE,A Game1 : In this game, we simulate the random oracles the indistinguishability of the ciphertext C = (α, β) within O O O H1 , H2 , and the decryption oracle D, by maintaining the running time τ, after qH ,qH and qD queries to the 1 2 the lists H1-List, H2-List and D-List to deal with the iden- OH OH OD random oracles 1 , 2 and the decryption oracle , tical queries. In addition, we also simulate the way that the ε∈ , τ∈N respectively. Then, there exist [0 1] and as follows challenge C is generated as the challenger would do. The

q2 +qD· qH +qH +qH detailed simulation in this game is described in Figure 2. SD ε 2 D ( 1 2 ) 1 ε = Succ (τ ) ≥ − k +k params, H A 2 2 0 1 Because the distribution of ( ) is unchanged in qD(qD+qH ) (1) 1 A − k ,τ≤ τ + (.) the eye of the adversary , the simulation is perfect, and 2 1 we have such that the SD problem can be solved with probability ε within time τ, where (.) is the time complexity for the Guess = Guess simulation. Pr[ 1] Pr[ 0] (3)

Figure 2. Formal simulation of the IND-CCA2 game against the proposed PKE based on coding theory.

Game O 2 : In this game, we modify the simulation of queried from H1 and behaves uniformly, we can con- k +k the decryption oracle OD by outputting a random message sider x∈{0, 1} 0 1 a uniform random variable as well. So, k M∈{ , } 1 C = α, β x O 0 1 when the ciphertext ( ) has not been the probability that has already been queried to H2 is k +k q + q / 0 1 ‘correctly’ encrypted. bounded to ( D H2 ) 2 , then,

qD(qD + qH ) | Guess − Guess | ≤ 2 Pr[ 2] Pr[ 1] k +k (4) 2 0 1

Game3 : In this game, we modify the simulation of the The two games Game2 and Game1 are perfectly indis- decryption oracle OD without resorting to the random oracle tinguishable unless x is already in OH . Because h is O 2 1 H1 .

The two games Game3 and Game2 are perfectly indis- The two games Game6 and Game5 are perfectly indis- r OH h tinguishable unless is already in 1 . Because 2 is r H k +k tinguishable unless has been asked for 1. We deﬁne this r∈{ , } 0 1 randomly chosen, we consider 0 1 as a uniform event AskH(6), then we have random variable, So, the probability that r has been queried 1 k +k to OH is bounded to (qD + qH )/2 0 1 , then, 1 1 | Guess − Guess | ≤ AskH(6) Pr[ 6] Pr[ 5] Pr[ 1 ] (8)

qD(qD + qH ) h+ x | Guess − Guess | ≤ 1 In this game, 1 is only used in , but does not appear in Pr[ 3] Pr[ 2] k +k (5) 2 0 1 H r+ h+ the computation since 1( ) is not deﬁned to be 1 . Then, the distribution of C = (α,β) doesn’t depend on b.Asa result, we have Game4 : In this game, we modify the rule Dec-noR in the decryption oracle OD simulation without resorting to O 1 the random oracle H1 . Pr[Guess ] = (9) 6 2

Game x h 7 : In this game, instead of defining from 1,we x h x randomly choose firstly and define 1 from . Because x is randomly chosen, we give a random answer for the question x to H2. The two games Game4 and Game3 are perfectly indis- k r, h O h 0 tinguishable unless ( 1) is already in H1 . Because [ 1] k0 is known to the adversary A due to h1 = (0 ||M) ⊕ x,we k h ∈{ , } 1 consider [ 1]k1 0 1 as a uniform random variable, then r O the probability that has been queried to H1 is bounded k q + q / 1 to ( D H1 ) 2 , then,

The two games Game7 and Game6 are perfectly indis- qD(qD + qH ) | Guess − Guess | ≤ 1 x H Pr[ 4] Pr[ 3] k (6) tinguishable unless has been asked for 2. We deﬁne this 2 1 AskH(7) event 2 , then we have Game AskH(7) − AskH(6) ≤ AskH(7) 5 : In this game, we modify the rule Dec-Init in Pr[ 1 ] Pr[ 1 ] Pr[ 2 ] (10) the decryption oracle OD simulation.

k + h = 0 ||M ⊕ x In this game, 1 (0 ) is uniformly dis- tributed, and independently of the view of the adversary A, since x+ hasn’t been revealed. Therefore, we have The two games Game5 and Game4 are perfectly indistinguishable. If (x, h2) is found in H2-List, the answer of qH the decryption oracle OD is the same as that in Game . AskH(7) = 1 1 Pr[ 1 ] k +k (11) 2 0 1 If (x, h2) is not found, i.e., x =⊥, and h2 =⊥, the answer of the decryption oracle OD is returning a random message k1 Game β h M∈{0, 1} as that in Game2. Therefore, we have 8 : In this game, instead of deﬁning from 2, β h+ β we randomly choose and then we deﬁne 2 from .

Pr[Guess5] = Pr[Guess4] (7)

Game6 : In this game, we manufacture the challenge C = (α,β) by ﬁrst choosing the random value of r ahead of time.

Table 1. The sizes of plaintext/ciphertext and public key under the typical McEliece/Niederreiter parameters.

(m, t) n = 2m k = n−mt Plaintext size M Ciphertext size C Public key size H

(10, 50) 1024 bits 524 bits k1 < 1024 bits 1524 bits 62.5 kbytes

(11, 32) 2048 bits 1696 bits k1 < 2048 bits 2400 bits 88 kbytes

(12, 41) 4096 bits 3604 bits k1 < 4096 bits 4588 bits 246 kbytes

In this game, the distribution of C = (α,β)is From the table, we can see that, though the sizes of the unchanged. Therefore, we have public keys are relatively large, the construction of the proposed scheme makes the speed of CCA2-secure encryption AskH(8) = AskH(7) almost as fast as that of McEliece/Nederreiter cryptosys- Pr[ 2 ] Pr[ 2 ] (12) tems. Furthermore, the recent works by Bender et al. [15] and Misoczki and Barreto [19] can be used to reduce the Game9 : In this game, we embed the SD challenge H,s∗∈Fmt α = s∗ sizes of public key coding-based cryptography, which can ( 2 ) in the game by setting . make the coding-based cryptosystems more practical.

7. CONCLUSIONS

Clearly, the distribution of C = (α,β) is still In this paper, we have proposed an efﬁcient public key unchanged. Therefore, we have encryption scheme based on coding theory, and formally shown its IND-CCA2 security in the random oracle model. H Pr[AskH(9)] = Pr[AskH(8)] (13) Since the size of the public key in the proposed scheme 2 2 is relatively large, our future work will focus on reducing AskH(9) the key size [15,19]. In this game, when the event 2 takes place, i.e., there exists an x+∈{0, 1}n such that α = s∗ = H(x+ ⊕ β+ T O x∗ = x+ ⊕ ) has been queried to H2 . Then, such an β+∈{0, 1}n is just the SD challenge. As a result, we have ACKNOWLEDGEMENTS

AskH(9) ≤ SuccSD τ = ε This work was supported in part by the Natural Sciences and Pr[ 2 ] A ( ) (14) Engineering Research Council (NSERC) Strategic Projects Summarizing all the above cases, we have of Canada.

q2 +qD· qH +qH +qH SD ε 2 D ( 1 2 ) 1 ε = Succ (τ ) ≥ − k +k A 2 2 0 1 qD(qD+qH ) (15) 1 REFERENCES − k 2 1 1. Lu R, Lin X, Cao Z, Shao J, Liang X. New (t,n) thresh- and the running time τ ≤ τ + (·), where (·)isthe old directed signature scheme with provable security. time complexity for the simulation. This completes the Information Sciences 2008; 178(3): 756--765. proof. 2. Lin X, Lu R, Ho PH, Shen X, Cao Z. Tua: a novel compromise-resilient authentication architecture 6. SELECTION OF PARAMETERS for wireless mesh networks. IEEE Transactions on Wire- less Communications 2008; 7(4): 1389--1399. Parameter selection is imperative for the security of coding- 3. Lu R, Cao Z. Efﬁcient remote user authentication scheme based cryptography. If the parameters are not properly using smart card. Computer Networks 2005; 49(4): 535-- chosen, a coding-based system could suffer from threaten- 540. ing attacks based on either Information Set Decoding (ISD) 4. McEliece RJ. A public-key cryptosystem based on alge- or Generalized Birthday Algorithm (GBA) [18,33]. Since braic coding theory. DSN Progress Report 114--116, Jet the decryption of the proposed scheme requires knowing Propulsion Laboratory, Pasadena, CA, 1978. one and only one solution for an SD problem, the GBA- 5. Niederreiter H. Knapsack-type cryptosystems and based attacks can be ruled out [18]. Therefore, to resist algebraic coding theory. Problems of Control and Infor- the possible ISD-based attacks, some typical parameters used in McEliece be chosen for the proposed scheme. Then, mation Theory 1986; 15(2): 159--166. the sizes of the public key, plaintext, and ciphertext can be 6. Bernstein DJ, Buchmann J, Dahmen E. Post-Quantum calcuated, as shown in Table 1. Cryptography. Springer: Berlin, Heidelberg, 2009.

7. Rivest RL, Shamir A, Adleman L. A method for obtain- 20. Kobara K, Imai H. Semantically secure mceliece public- ing digital signatures and public-key cryptosystems. key cryptosystems -conversions for mceliece pkc. In Communications of ACM 1978; 21(2): 120--126. PKC’01, Vol. LNCS 1992. Springer-Verlag: Berlin, 8. Canteaut A, Sendrier N. Cryptanalysis of the original 2001; 19--35. mceliece cryptosystem. In ASIACRYPT’98, Vol. LNCS 21. Nojima R, Imai H, Kobara K, Morozov K. Semantic 1514. Springer-Verlag: Berlin, 1998; 187--199. security for the mceliece cryptosystem without random 9. Augot D, Finiasz M, Sendrier N. A family of oracles. Designs, Codes and Cryptography 2008; 49 (1-- fast syndrome based cryptographic hash function. In 3): 289--305. MYCRYPT’05, Vol. LNCS 3715. Springer-Verlag: 22. Dowsley R, Muler-Quade J, Nascimento ACA. A CCA2 Berlin, 2005; 64--83. secure public key encryption scheme based on the 10. Courtois N, Finiasz M, Sendrier N. How to achieve mceliece assumptions in the standard model. In CT- a mceliece-based digital signature scheme. In ASI- RSA’09, Vol. LNCS 5473. Springer-Verlag: Berlin, ACRYPT’01, Vol.LNCS 2248. Springer-Verlag: Berlin, 2009; 240--251. 2001; 157--174. 23. Fujisaki E, Okamoto T. Secure intergration of asymmet- 11. Gaborit P, Girault M. Lightweight code-based identifi- ric and symmetric encryption schemes. In CRYPTO’99, cation and signature. IEEE ISIT’07 Nice, France, July Vol. LNCS 1666. Springer-Verlag: Berlin, 1999; 537-- 2007; 191--195. 554. 12. Gaborit P, Laudaroux C, Sendrier N. Synd: a very 24. Pointcheval D. Chosen-ciphertext security for any one- fast code-based cipher stream with a security reduc- way cryptosystem. In PKC’00, Vol. LNCS 1751. tion. IEEE ISIT’07 Nice, France, July 2007; 186-- Springer-Verlag: Berlin, 2000; 129--146. 190. 25. Bellar M, Rogaway P. Random oracles are practical: a 13. Melchor CA, Cayrel PL, Gaborit P. A new efficient paradigm for designing efficient protocols. In CCS’93. threshold ring signature scheme based on coding the- ACM, Fairfax: Virginia, US, 1993; 92--111. ory. In Post-Quantum Cryptography, Vol. LNCS 5299. 26. Goldwasser S, Micali S. Probabilistic encryption. Jour- Springer-Verlag: Berlin, 2008; 1--16. nal of Computer System Science 1984; 28: 270--299. 14. Stern J. A new identification scheme based on syndrome 27. Barreto PSLM, Misoczki R. A new one-time sig- decoding. In CRYPTO’93, Vol. LNCS 773. Springer- nature scheme from syndrome decoding. Cryptology Verlag: Berlin, 1993; 13--21. ePrint Archive, Report 2010/017, 2010. Available at: 15. Berger T, Cayrel PL, Gaborit P, Otmani A. Reduc- eprint.iacr.org ing key length of the mceliece cryptosystem. In 28. MacWilliams FJ, Sloane NJA. The Theory of Error- AFRICACRYPT’09, Vol. LNCS 5580. Springer-Verlag, Correcting Codes. North-Holland, Amsterdam: New 2009; 77--97. York, Oxford, 1978. 16. Bernstein D, Lange T, Peters C. Attacking and defending 29. Chabaud F, Stern J. The cryptographic security of the the mceliece cryptosystem. In Post-Quantum Cryptog- syndrome decoding problem for rank distance codes. raphy, Vol. LNCS 5299. Springer-Verlag: Berlin, 2008; In ASIACRYPT’96, Vol. LNCS 1163. Springer-Verlag: 31--46. Berlin, 1996; 368--381. 17. Bernstein D, Lange T, Peters C, van Tilborg H. Explicit 30. Berlekamp ER, McEliece RJ, van Tilborg HCA. On the bounds for generic decoding algorithms for code-based inherent intractability of certain coding problems. IEEE cryptography. Preproceedings of WCC 2009; 168-- Transactions on Information Theory 1978; 24: 384--386. 180. 31. Shoup V. OAEP reconsidered. Journal of Cryptology 18. Finiasz M, Sendrier N. Security bounds for the design 2002; 15(4): 223--249. of code-based cryptosystems. In ASIACRYPT’09, 32. Phan DH, Pointcheval D. Chosen-ciphertext security Vol. LNCS 5912. Springer-Verlag: Berlin, 2009; 88-- without redundancy. In ASIACRYPT’03, Vol. LNCS 105. 2894. Springer-Verlag: Berlin, 2003; 1--18. 19. Misoczki R, Barreto P. Compact mceliece keys from 33. Overbeck R, Sendrier N. Code-based cryptography. In goppa codes. In SAC 2009, Vol. LNCS 5867. Springer- Post-Quantum Cryptography. Springer-Verlag: Berlin, Verlag: Berlin, 2009; 376--392. 2009; 95--145.