Efficient Implementation of a CCA2-Secure Variant of McEliece Using Generalized Srivastava Codes [chapter]

Pierre-Louis Cayrel, Gerhard Hoffmann, Edoardo Persichetti
2012 Lecture Notes in Computer Science  
In this paper we present efficient implementations of McEliece variants using quasi-dyadic codes. We provide secure parameters for a classical McEliece encryption scheme based on quasi-dyadic generalized Srivastava codes, and successively convert our scheme to a CCA2-secure protocol in the random oracle model applying the Fujisaki-Okamoto transform. In contrast with all other CCA2-secure code-based cryptosystems that work in the random oracle model, our conversion does not require a constant weight encoding function. We present results for both 128-bit and 80-bit security level, and for the latter we also feature an implementation for an embedded device.

This corresponds to correcting a certain number of errors that occurred on the codeword c, represented by an error vector e, that is y = c + e. A unique solution exists if the weight of e is less than or equal to w = ⌊(d−1)/2⌋, where d is the minimum distance of the code C. This problem is well known and was proved to be NP-complete [7]. Moreover, GDP is believed to be hard on average, and not just on the worst-case instances. The general framework proceeds as follows:

Key Generation: Pick a k × n generator matrix G for a w-error correcting linear code with an efficient decoding algorithm over the finite field F_q, a k × k invertible matrix S and an n × n permutation matrix P at random, then compute G' = SGP, which is another valid generator matrix. The private key consists of G, S, P, and the public key is G'. The system parameters n, k, w are also public.

Encryption: To encrypt a plaintext x ∈ F_q^k, compute the corresponding codeword xG' and add a random error vector e of weight at most w, obtaining the ciphertext y = xG' + e.

Decryption: Given a ciphertext y, calculate yP^(−1) = xG'P^(−1) + eP^(−1) = xSG + eP^(−1), and since the weight of eP^(−1) is still the same, it is enough to apply the decoding algorithm for the code to retrieve xS and consequently x.

The other computational assumption underlying the security is that the k × n matrix G' so obtained is computationally indistinguishable from a uniform matrix of the same size, hence an attacker that does not know the private key is faced with solving GDP.

Remark: The encryption process is dominated by the cost of computing xG', which requires at most k × n field multiplications. Hence this is fast. On the other hand, decryption requires performing a decoding algorithm and is not usually so fast. Therefore, McEliece is most suitable for applications where encryption is required to be fast. This is analogous to RSA using small encryption exponents.
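The three steps above, carried through in code as an added toy example (this is not the paper's implementation and not its quasi-dyadic generalized Srivastava code). To keep every matrix small enough to follow by hand, the private code is the binary [7,4,3] Hamming code over F_2 with w = 1, decoded by syndrome lookup; the function names (keygen, encrypt, decrypt, decode, roundtrip) and the fixed plaintext are this example's own. The roundtrip with two errors shows the caveat in the text: beyond w = ⌊(d−1)/2⌋ the decoder returns a different codeword and the plaintext is not recovered.

```python
"""Toy McEliece over F_2 with the binary [7,4,3] Hamming code (illustration only)."""
import random

# Systematic generator matrix G = [I_4 | A] of the [7,4,3] Hamming code.
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
K, N, W = 4, 7, 1
G = [[int(i == j) for j in range(K)] + A[i] for i in range(K)]
# Parity-check matrix H = [A^T | I_3]; its 7 columns are distinct and nonzero,
# so d = 3 and the code corrects w = floor((d-1)/2) = 1 error.
H = [[A[i][r] for i in range(K)] + [int(r == c) for c in range(N - K)]
     for r in range(N - K)]


def matmul(a, b):
    """Matrix product over F_2."""
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) % 2
             for j in range(len(b[0]))] for i in range(len(a))]


def vecmat(v, m):
    """Row vector times matrix over F_2."""
    return matmul([v], m)[0]


def transpose(m):
    return [list(col) for col in zip(*m)]


def inverse_f2(m):
    """Gauss-Jordan inversion over F_2; returns None if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def decode(y):
    """Syndrome decoding of the private code: returns the k message bits of the
    nearest codeword (correct whenever at most one bit of y is in error)."""
    syndrome = [sum(H[r][j] * y[j] for j in range(N)) % 2 for r in range(N - K)]
    y = y[:]
    if any(syndrome):
        # A single error at position j gives syndrome = column j of H: flip bit j.
        y[transpose(H).index(syndrome)] ^= 1
    return y[:K]  # systematic form: the message is the first k bits


def keygen(rng):
    """Private key (S, P) with the fixed private code G; public key G' = S G P."""
    while True:
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        if inverse_f2(S) is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    return (S, P), matmul(matmul(S, G), P)


def random_error(rng, weight):
    """Error vector of exactly the given Hamming weight."""
    e = [0] * N
    for j in rng.sample(range(N), weight):
        e[j] = 1
    return e


def encrypt(G_pub, x, e):
    """y = x G' + e; the sender needs only the public matrix."""
    return [c ^ b for c, b in zip(vecmat(x, G_pub), e)]


def decrypt(priv, y):
    S, P = priv
    # y P^-1 = x S G + e P^-1; P^-1 = P^T for a permutation, and wt(e P^-1) = wt(e).
    xS = decode(vecmat(y, transpose(P)))
    return vecmat(xS, inverse_f2(S))


def roundtrip(seed=1, weight=W):
    """Encrypt a fixed (constructed) plaintext under a fresh key and decrypt it."""
    rng = random.Random(seed)
    priv, pub = keygen(rng)
    x = [1, 0, 1, 1]
    y = encrypt(pub, x, random_error(rng, weight))
    return x, decrypt(priv, y)


if __name__ == "__main__":
    x, x_dec = roundtrip(weight=1)
    print("1 error, recovered:", x == x_dec)   # within the decoding radius
    x, x_dec = roundtrip(weight=2)
    print("2 errors, recovered:", x == x_dec)  # beyond w: decoder miscorrects
```

The public matrix G' = SGP hides the Hamming structure only trivially here (a 4 × 7 binary matrix can be brute-forced in an instant); the point of the block is the algebra of the three steps, not the security level, which in the paper comes from the size and structure of the quasi-dyadic GS code.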
doi:10.1007/978-3-642-30057-8_9 fatcat:7cqur257q5d4hgm7klzw634wyi