Open Access (BY 4.0 license). Published by De Gruyter, June 5, 2023.

A code-based hybrid signcryption scheme

  • Jean Belo Klamti and M. Anwarul Hasan

Abstract

A key encapsulation mechanism (KEM) that takes as input an arbitrary string, i.e., a tag, is known as a tag-KEM, while a scheme that combines signature and encryption is called signcryption. In this article, we present a code-based signcryption tag-KEM scheme. We utilize a code-based signature and an IND-CCA2 (adaptive chosen ciphertext attack) secure version of McEliece's encryption scheme. The proposed scheme uses an equivalent subcode as the public code of the receiver, which makes the NP-complete subcode equivalence problem one of our main security assumptions. We then use the signcryption tag-KEM to design a code-based hybrid signcryption scheme. A hybrid scheme deploys asymmetric- as well as symmetric-key encryption. We give security analyses of both our schemes in the standard model and prove that they are secure against IND-CCA2 (indistinguishability under adaptive chosen ciphertext attack) and SUF-CMA (strong existential unforgeability under chosen message attack).

MSC 2010: 94A60

1 Introduction

In public-key cryptography, the authentication and confidentiality of communication between a sender and a receiver are ensured by a two-step approach called signature-then-encryption. In this approach, the sender uses a digital signature scheme to sign a message and then encrypts it using an encryption algorithm. The cost of delivering a message in a secure and authenticated way using the signature-then-encryption approach is essentially the sum of the cost of a digital signature and that of encryption.

In 1997, Zheng introduced a new cryptographic primitive called signcryption to provide both authentication and confidentiality in a single logical step [1]. In general, one can expect the cost of signcryption to be noticeably less than that of signature-then-encryption. Zheng's signcryption scheme is based on the hardness of the discrete logarithm problem. Since Zheng's work, a number of signcryption schemes based on different hard assumptions have been introduced, see, for example, [1–12]. Of these, the most efficient ones have followed Zheng's approach, i.e., used symmetric-key encryption as a black-box component [6–8]. It has been of interest to many researchers to study how a combination of asymmetric- and symmetric-key encryption schemes could be used to build efficient signcryption schemes in a more general setting.

To that end, Dent in 2004 proposed the first formal composition model for hybrid signcryption [13] and in 2005 developed an efficient model for signcryption KEMs in the outsider- and the insider-secure setting [14,15]. In the outsider-secure setting, the adversary is assumed to be distinct from the sender and receiver, while in the insider-secure setting, the adversary is assumed to be a second party (i.e., either sender or receiver).

To improve the model for the insider-secure setting in hybrid signcryption, Bjørstad and Dent in 2006 proposed a model based on encryption tag-KEM rather than regular encryption KEM [16]. Their model provides a simpler description of signcryption with a better generic security reduction for the signcryption tag-KEM construction. A year after Bjørstad and Dent's work, Yoshida and Fujiwara reported the first study of multi-user setting security of signcryption tag-KEMs [17], which is a more suitable setting for the analysis of insider-secure schemes.

1.1 Motivation

Most of the aforementioned signcryption schemes are based on the hardness of either the discrete logarithm or the integer factorization problem and would be broken with the arrival of sufficiently large quantum computers. Therefore, it is of interest to design signcryption schemes for the postquantum era. Coding theory has some hard problems that are considered quantum-safe, and in this article, we explore the design of code-based signcryption.

The first attempt for code-based signcryption was presented in 2012 by Mathew et al. [18]. After that work, an attribute-based signcryption scheme using linear codes was introduced in 2017 by Song et al. [19]. Code-based signcryption remains an active area of research, specifically to study the design of cryptographic primitives like signcryption schemes that are quantum-safe.

1.2 Contributions

In this article, we present a signcryption tag-KEM scheme using a probabilistic full domain hash (FDH)-like code-based signature and a CCA2 secure version of McEliece's encryption scheme. The underlying code-based signature in our scheme is Wave, introduced by Banegas et al. [20], while the CCA2 secure version of the McEliece scheme is based on the Fujisaki–Okamoto transformation introduced by Cayrel et al. [21]. For the underlying McEliece scheme, we use a generator matrix of permuted Goppa subcodes as receivers' public keys. With this feature, we are able to reduce the public key size of our scheme and include the subcode equivalence problem as one of our security assumptions. Because of the latter, for the key recovery attack, even if an adversary is able to distinguish whether the underlying code is a Goppa code, it has to solve the subcode equivalence problem, which is NP-complete. Thus, with well-chosen parameters, the most efficient attack against our scheme will be a brute-force attack.

Using the signcryption tag-KEM, we design a code-based hybrid signcryption scheme. Then we give security analyses of these two schemes in the standard model assuming the insider-secure setting. Finally, we give a comparison of the hybrid signcryption with some relevant lattice-based signcryptions in terms of key and ciphertext sizes.

1.3 Organization

This article is organized as follows. In Section 2, we first recall some basic notions of coding theory and then briefly describe relevant encryption and signature schemes that are of interest to this work. Section 3 presents the definition and framework of signcryption and hybrid signcryption, and a brief review of the relevant security model. We present our signcryption and hybrid signcryption schemes in Section 4 and then provide security analyses of the proposed schemes in Section 5. We provide a set of parameters for the hybrid signcryption scheme in Section 6 and then conclude in Section 7.

1.4 Notations

In this article, we use the following notations:

  1. $\mathbb{F}_q$: finite field of size $q$, where $q = p^m$ is a prime power.

  2. $\mathcal{C}$: $\mathbb{F}_q$-linear code of length $n$.

  3. $x$: a word or vector of $\mathbb{F}_q^n$.

  4. $\mathrm{wt}(x)$: weight of $x$.

  5. $G$ (resp. $H$): generator (resp. parity-check) matrix of the linear code $\mathcal{C}$.

  6. $W_{q,n,t}$: the set of $q$-ary vectors of length $n$ and weight $t$.

  7. $sk_s$ (resp. $sk_r$): sender's (resp. receiver's) secret key for signcryption.

  8. $pk_s$ (resp. $pk_r$): sender's (resp. receiver's) public key for signcryption.

2 Preliminaries

In this section, we recall some notions pertaining to coding theory and code-based cryptography.

2.1 Coding theory and some relevant hard problems

Let us consider the finite field $\mathbb{F}_q$. A $q$-ary linear code $\mathcal{C}$ of length $n$ and dimension $k$ over $\mathbb{F}_q$ is a vector subspace of dimension $k$ of $\mathbb{F}_q^n$. It can be specified by a full-rank matrix $G \in \mathbb{F}_q^{k \times n}$, called a generator matrix of $\mathcal{C}$, whose rows span the code. Namely, $\mathcal{C} = \{\, xG \text{ s.t. } x \in \mathbb{F}_q^k \,\}$. A linear code can also be defined as the right kernel of a matrix $H \in \mathbb{F}_q^{r \times n}$, called a parity-check matrix of $\mathcal{C}$, as follows:

$$\mathcal{C} = \{\, x \in \mathbb{F}_q^n \text{ s.t. } H x^T = 0 \,\}.$$

The Hamming distance between two codewords is the number of positions (coordinates) in which they differ. The minimal distance of a code is the smallest Hamming distance between any two distinct codewords.

The weight of a word or vector $x \in \mathbb{F}_q^n$, denoted by $\mathrm{wt}(x)$, is the number of its nonzero positions. The minimal weight of a code $\mathcal{C}$ is then the minimal weight of all its nonzero codewords. For a linear code $\mathcal{C}$, the minimal distance is equal to the minimal weight of the code.

Below we recall some hard problems that are relevant to our discussions and analyses presented in this article.

Problem 1

(Binary syndrome decoding problem) Given a matrix $H \in \mathbb{F}_2^{r \times n}$, a vector $s \in \mathbb{F}_2^r$, and an integer $\omega > 0$, find a vector $y \in \mathbb{F}_2^n$ such that $\mathrm{wt}(y) = \omega$ and $s = yH^T$.

The syndrome decoding problem was proven to be NP-complete in 1978 by Berlekamp et al. [22]. It is equivalent to the following problem.

Problem 2

(General decoding problem) Given a matrix $G \in \mathbb{F}_2^{k \times n}$, a vector $y \in \mathbb{F}_2^n$, and an integer $\omega > 0$, find two vectors $m \in \mathbb{F}_q^k$ and $e \in \mathbb{F}_q^n$ such that $\mathrm{wt}(e) = \omega$ and $y = mG + e$.

The following problem is used in the security proof of the underlying signature that we use in this article. It was first considered by Johansson and Jonsson in [23]. It was analyzed later by Sendrier in [24].

Problem 3

(Decoding one out of many (DOOM) problem) Given a matrix $H \in \mathbb{F}_q^{r \times n}$, a set of vectors $s_1, s_2, \ldots, s_N \in \mathbb{F}_q^r$, and an integer $\omega$, find a vector $e \in \mathbb{F}_q^n$ and an integer $i$ such that $1 \le i \le N$, $\mathrm{wt}(e) = \omega$ and $s_i = eH^T$.

Problem 4

(Goppa code distinguishing problem) Given a matrix $G \in \mathbb{F}_2^{k \times n}$, decide whether $G$ is a random binary matrix or a generator matrix of a Goppa code.

Faugère et al. [25] showed that Problem 4 can be solved in special cases of Goppa codes with high rate.

The following problem is one of those on which the security assumption of our scheme's underlying signature mechanism relies.

Problem 5

(Generalized $(U, U+V)$ code distinguishing problem) Given a matrix $H \in \mathbb{F}_q^{r \times n}$, decide whether $H$ is a parity-check matrix of a generalized $(U, U+V)$ code.

Problem 5 was shown to be hard in the worst case by Debris-Alazard et al. [26] since it is NP-complete. Below, we recall the subcode equivalence problem, which is one of the problems on which the security assumption of our scheme is based. This problem was proven to be NP-complete in 2017 by Berger et al. [27].

Problem 6

(Subcode equivalence problem [27]) Given two linear codes $\mathcal{C}$ and $\mathcal{D}$ of length $n$ and respective dimensions $k$ and $k'$, $k \le k'$, over the same finite field $\mathbb{F}_q$, determine whether there exists a permutation $\sigma$ of the support such that $\sigma(\mathcal{C})$ is a subcode of $\mathcal{D}$.

2.2 Code-based encryption

The first code-based encryption scheme was introduced in 1978 by McEliece [28]. In Figure 1, we give the McEliece scheme with the Fujisaki–Okamoto transformation [21], which comprises three algorithms: key generation, encryption, and decryption.

Figure 1: McEliece's scheme with Fujisaki–Okamoto transformation.

The main drawback of the McEliece encryption scheme is its very large key size. To address this issue, many variants of McEliece's scheme have been proposed, see, for example, [29–34]. In order to reduce the size of both public and private keys in code-based cryptography, Niederreiter in 1986 introduced a new cryptosystem [35]. Niederreiter's cryptosystem is a dual version of McEliece's cryptosystem with some additional properties such that the ciphertext length is relatively smaller. Indeed, the public key in Niederreiter's cryptosystem is a parity-check matrix instead of a generator matrix. In addition, ciphertexts are syndrome vectors instead of erroneous codewords. However, the McEliece and the Niederreiter schemes are equivalent from the security point of view due to the fact that Problems 1 and 2 are equivalent.

Code-based hybrid encryption: A hybrid encryption scheme is a cryptographic protocol that features both an asymmetric- and a symmetric-key encryption scheme. The first component is known as the key encapsulation mechanism (KEM), while the second is called the data encapsulation mechanism (DEM). The framework was first introduced in 2003 by Cramer and Shoup [36], and later the first code-based hybrid encryption was introduced in 2013 by Persichetti [37] using Niederreiter's encryption scheme. Persichetti's scheme was implemented in 2017 by Cayrel et al. [38]. After Persichetti's work, some other code-based hybrid encryption schemes have been reported, e.g., [39].

2.3 Code-based signature

Designing a secure and practical code-based signature scheme is still an open problem. The first secure code-based signature scheme was introduced by Courtois et al. (CFS) [40]. It is an FDH-like signature with two security assumptions: the indistinguishability of random binary linear codes and the hardness of the syndrome decoding problem. To address some of the drawbacks of Courtois et al.'s scheme, Dallot proposed a modified version, called mCFS, which is provably secure. Unfortunately, this scheme is not practical due to the difficulty of finding a random decodable syndrome. In addition, the assumption of the indistinguishability of random binary Goppa codes has led to the emergence of attacks as described in [25]. One of the latest code-based signature schemes of this type is called Wave [41]. It is based on generalized $(U, U+V)$-codes. It is secure and more efficient than the CFS signature scheme. In addition, it has a smaller signature size than almost all finalist candidates in the NIST postquantum cryptography standardization process [42].

Apart from the FDH approach, it is possible to design signature schemes by applying the Fiat and Shamir transformation [43] to an identification protocol. To this end, one may use a code-based identification scheme like that of Stern [44], Jain et al. [45], or Cayrel et al. [46]. This approach, however, leads to a signature scheme with a very large signature size. To address this issue, Lyubashevsky's framework [47] can apparently be adapted. Unfortunately, almost all code-based signature schemes in the Hamming metric designed using this framework have been cryptanalyzed [48–53]. The only one that has remained secure so far is a rank metric-based signature scheme proposed by Aragon et al. [54].

In Figure 2, we recall Debris-Alazard et al.'s signature scheme (Wave), which is of interest for this work. In Wave, the secret key is a tuple of three matrices $sk = (S, H_{sk}, P)$, where $S \in \mathbb{F}_q^{r \times r}$ is an invertible matrix, $H_{sk} \in \mathbb{F}_q^{r \times n}$ is a parity-check matrix of a generalized $(U, U+V)$-code, and $P \in \mathbb{F}_2^{n \times n}$ is a permutation matrix. The public key is the matrix $pk = H_{pk}$, where $H_{pk} = S H_{sk} P$. The steps of the signature and verification processes are given in Figure 2. For additional details, the reader is referred to [41,55].

Figure 2: Wave signature scheme [41].

3 Signcryption and security model

In this section, we first recall the definition of signcryption, followed by the signcryption tag-KEM framework and its security model under the insider setting.

3.1 Signcryption and its tag-KEM framework

Signcryption: A signcryption scheme is a tuple of algorithms $\mathsf{SC} = (\mathsf{Setup}, \mathsf{KeyGen}_s, \mathsf{KeyGen}_r, \mathsf{Signcrypt}, \mathsf{Unsigncrypt})$ [56], where:

  1. $\mathsf{Setup}(1^\lambda)$ is the common parameter generation algorithm, with $\lambda$ the security parameter,

  2. $\mathsf{KeyGen}_s$ (resp. $\mathsf{KeyGen}_r$) is a key-pair generation algorithm for the sender (resp. receiver),

  3. $\mathsf{Signcrypt}$ is the signcryption algorithm, and

  4. $\mathsf{Unsigncrypt}$ corresponds to the unsigncryption algorithm.

For more details on the design of signcryption, the reader is referred to [57] (Chap. 2, Sec. 3, p. 30).

Signcryption tag-KEM: A signcryption tag-KEM, denoted by $\mathsf{SCTKEM}$, is a tuple of algorithms [16]:

$$\mathsf{SCTKEM} = (\mathsf{Setup}, \mathsf{KeyGen}_s, \mathsf{KeyGen}_r, \mathsf{Sym}, \mathsf{Encap}, \mathsf{Decap}),$$

where

  1. $\mathsf{Setup}$ is an algorithm for generating common parameters.

  2. $\mathsf{KeyGen}_s$ (resp. $\mathsf{KeyGen}_r$) is the sender (resp. receiver) key generation algorithm. It takes as input the global information $I$ and returns a private/public key pair $(sk_s, pk_s)$ (resp. $(sk_r, pk_r)$) that is used to send signcrypted messages.

  3. $\mathsf{Sym}$ is a symmetric key generation algorithm. It takes as input the private key of the sender $sk_s$ and the public key of the receiver $pk_r$ and outputs a symmetric key $K$ together with internal state information $\varpi$.

  4. $\mathsf{Encap}$ takes as input the state information $\varpi$ together with an arbitrary string $\tau$, which is called a tag, and outputs an encapsulation $E$.

  5. $\mathsf{Decap}$ is the decapsulation/verification algorithm. It takes as input the sender's public key $pk_s$, the receiver's private key $sk_r$, an encapsulation $E$, and a tag $\tau$. It returns either a symmetric key $K$ or the unique error symbol.

Hybrid signcryption tag-KEM + DEM: It is simply a combination of a $\mathsf{SCTKEM}$ and a regular data encapsulation mechanism (DEM).

3.2 Insider security for signcryption tag-KEM

IND-CCA2 game in signcryption tag-KEM: It corresponds to a game between a challenger and a probabilistic polynomial-time (PPT) adversary $\mathcal{A}_{\mathsf{CCA2}}$ in which the latter tries to distinguish whether a given session key $K$ is the one embedded in an encapsulation. During this game, $\mathcal{A}_{\mathsf{CCA2}}$ has adaptive access to three oracles for the attacked user, corresponding to the algorithms $\mathsf{Sym}$, $\mathsf{Encap}$, and $\mathsf{Decap}$ [16,17,57]. The game is described in Figure 3.

Figure 3: IND-CCA2 game [17].

During Step 7, the adversary $\mathcal{A}_{\mathsf{CCA2}}$ is not allowed to query the decapsulation oracle on $(E, \tau)$. The advantage of the adversary $\mathcal{A}$ is defined by

$$\mathrm{Adv}(\mathcal{A}_{\mathsf{CCA2}}) = \left| \Pr(b' = b) - 1/2 \right|.$$

A signcryption tag-KEM is IND-CCA2 secure if, for any adversary $\mathcal{A}$, its advantage in the IND-CCA2 game is negligible with respect to the security parameter $\lambda$.

SUF-CMA game for signcryption tag-KEM: This game is a challenge between a challenger and a PPT adversary (i.e., a forger) CMA. In this game, the forger tries to generate a valid encapsulation $E$ from the sender to any receiver, with adaptive access to the three oracles. The adversary is allowed to come up with the presumed secret key $sk_r$ as part of its forgery [17] (Figure 4):

Figure 4: SUF-CMA game [17].

The adversary CMA wins the SUF-CMA game if

$$\mathsf{Decap}(pk_s, sk_r, E, \tau)$$

and the encapsulation oracle never returned $E$ when queried on the tag $\tau$. The advantage of CMA is the probability that CMA wins the SUF-CMA game. A signcryption tag-KEM is SUF-CMA secure if the probability that CMA wins the SUF-CMA game is negligible.

Definition 1

A signcryption tag-KEM is said to be secure if it is both IND-CCA2 and SUF-CMA secure.

3.3 Generic security criteria of hybrid signcryption tag-KEM+DEM

Security criteria for hybrid signcryption: The security of a hybrid signcryption tag-KEM + DEM depends on that of the underlying signcryption tag-KEM and DEM. However, it is important to note that in the standard model a signcryption tag-KEM is secure if it is both IND-CCA2 and SUF-CMA secure. Therefore, the generic security criteria for hybrid signcryption tag-KEM + DEM are given by the following theorem:

Theorem 1

[16,17] Let $\mathsf{HSC}$ be a hybrid signcryption scheme constructed from a signcryption tag-KEM and a DEM. If the signcryption tag-KEM is IND-CCA2 secure and the DEM is one-time secure, then $\mathsf{HSC}$ is IND-CCA2 secure. Moreover, if the signcryption tag-KEM is SUF-CMA secure, then $\mathsf{HSC}$ is also SUF-CMA secure.

4 Code-based hybrid signcryption

In this section, we first design a code-based signcryption tag-KEM scheme. Then we combine it with a one-time (OT) secure DEM to design a hybrid signcryption tag-KEM + DEM scheme.

4.1 Code-based signcryption tag-KEM scheme

For designing our code-based signcryption tag-KEM scheme, we use the McEliece scheme as the underlying encryption scheme. More specifically, to achieve IND-CCA2 security for our schemes, we use McEliece's scheme with the Fujisaki–Okamoto transformation [21,58]. The authors of ref. [21] gave an instantiation of this scheme using generalized Srivastava (GS) codes. Indeed, by using GS codes, it seems possible to choose secure parameters even for codes defined over relatively small extension fields. However, Barelli and Couvreur recently introduced an efficient structural attack [59] against some of the candidates in the NIST postquantum cryptography standardization process. Their attack targets code-based encryption schemes using some quasi-dyadic alternant codes with extension degree 2; in particular, it works against DAGS [20], a scheme based on GS codes. Therefore, in our work, we use Goppa codes with the Classic McEliece parameters. As for the underlying signature scheme, we use the code-based Wave signature [41] as described earlier.

Because we use Wave, the sender's secret key is a generalized $(U, U+V)$-code over a finite field $\mathbb{F}_q$ with $q > 2$, and its public key is a parity-check matrix of a code equivalent to the former. To reduce the public key size, we use a permuted Goppa subcode for the receiver's public key; thus, we include the subcode equivalence problem among the security assumptions of our scheme. In Figure 5, we describe the algorithm $\mathsf{Setup}$, which provides the common parameters of our scheme.

Figure 5: Description of the $\mathsf{Setup}$ algorithm for common parameters.

We give the key generation algorithms in Figure 6, where we denote the sender key generation algorithm by $\mathsf{KeyGen}_s$ and that of the receiver by $\mathsf{KeyGen}_r$. The receiver algorithm $\mathsf{KeyGen}_r$ returns as signcryption public key a generator matrix $G_{pk,r} \in \mathbb{F}_2^{\tilde{k} \times n_r}$ of a code equivalent to a Goppa subcode. It returns as signcryption secret key the tuple $(g_r, \Gamma_r, S_r^{-1}, P_r)$, where $\Gamma_r$ and $g_r$ are, respectively, the support and the polynomial of a Goppa code, $S_r \in \mathbb{F}_2^{\tilde{k} \times k_r}$ is a full-rank matrix, and $P_r$ is a permutation matrix. The sender key generation algorithm $\mathsf{KeyGen}_s$ returns as private key three matrices $S_s \in \mathbb{F}_3^{(n_s - k_s) \times (n_s - k_s)}$, $H_{sk,s} \in \mathbb{F}_3^{(n_s - k_s) \times n_s}$, and $P_s \in \mathbb{F}_2^{n_s \times n_s}$, where $S_s$ is an invertible matrix, $H_{sk,s}$ is a parity-check matrix of a random generalized $(U, U+V)$-code, and $P_s$ is a permutation matrix. The sender public key is a parity-check matrix $H_{pk,s} \in \mathbb{F}_3^{(n_s - k_s) \times n_s}$ of an equivalent generalized $(U, U+V)$ code, given by $H_{pk,s} = S_s H_{sk,s} P_s$.

Figure 6: Description of the key generation algorithms.

In Figure 7, we give the design of the symmetric key generation algorithm $\mathsf{Sym}$ of our scheme. The algorithm $\mathsf{Sym}$ takes as input the bit length of the symmetric encryption key. It outputs an internal state information $\varpi$ and the session key $K$, where $\varpi$ is randomly chosen from $\mathbb{F}_2$ and $K$ is computed by using the hash function $\mathcal{H}_0$.

Figure 7: Description of the $\mathsf{Sym}$ algorithm.

Figure 8 provides a description of the encapsulation and decapsulation algorithms of our signcryption tag-KEM scheme. We denote the encapsulation algorithm by $\mathsf{Encap}$ and the decapsulation algorithm by $\mathsf{Decap}$. In the encapsulation algorithm, the sender first performs a particular Wave signature on the message $m = \tau \| \varpi$, where $\varpi$ is the internal state information and $\tau$ is the input tag. The signature in the Wave scheme comprises two parts: an error vector $e \in \mathbb{F}_3^{n_s}$ and a random binary vector $y$. In our scheme, $z$ is the hash of a random coin $y \in \mathbb{F}_2^{\kappa}$. The sender then encrypts $m = \mathcal{H}_1(\tau) \| \varpi$. The encryption that we use is the IND-CCA2 secure McEliece encryption scheme with the Fujisaki–Okamoto transformation introduced by Cayrel et al. [21]. During the encryption, the sender adaptively uses the random binary vector $y$ as a random coin. The resulting ciphertext is denoted by $c$. The output is $E = (e, c)$.

Figure 8: Description of the $\mathsf{Encap}$ and $\mathsf{Decap}$ algorithms.

In the decapsulation algorithm $\mathsf{Decap}$, the receiver first recovers the internal state information $\varpi$ by using the algorithm $\mathsf{Decrypt}$ and the second part of the signature of $m$. It then verifies the signature and computes the session key $K$ from $\varpi$.

The algorithm $\mathsf{Decrypt}$ that we use in the decapsulation algorithm of our scheme is described in Figure 9. It is similar to the one described in [21], but we introduce the following modifications:

  • we use an encoding function $\phi$,

  • the output is not only the clear message $m$ but a pair $(m, y)$, where $y$ is the inverse image of the error vector $\sigma$ under the encoding function $\phi$.

Figure 9: Description of the $\mathsf{Sym}$ algorithm.

4.1.1 Completeness of our signcryption tag-KEM

Let $\tau$ be a tag and $(sk_s, pk_s)$ (resp. $(sk_r, pk_r)$) be the sender's (resp. receiver's) key pair generated by the algorithm $\mathsf{KeyGen}$ with input $1^\lambda$. Let $(K, \varpi) \leftarrow \mathsf{Sym}(sk_s, pk_r)$ be a pair of a session key and an internal state information. Let $E = (e, c)$ be an encapsulation of the internal state information $\varpi$. Assuming that the encapsulation and decapsulation are performed by an honest user, we have:

  1. The receiver can recover the pair $(\tau \| \varpi, y)$ from $c$ and verify successfully that

    $$e H_{pk,s}^T = \mathcal{H}_2(\tau \| \varpi \| y) \quad \text{and} \quad \tau' = \mathcal{H}_1(\tau).$$

    Otherwise, the receiver performs a successful signature verification of the message $m = \tau \| \varpi$ signed by an honest user using the dual version of the mCFS signature.

  2. Therefore, it can compute the session key $K = \mathcal{H}_0(\varpi)$.

4.2 Code-based hybrid signcryption

Here, we use the signcryption tag-KEM described in Section 4.1 for designing a code-based hybrid signcryption. For the data encapsulation, we propose the use of a regular OT-secure symmetric encryption scheme. We denote the symmetric encryption algorithm by $\mathsf{SymEncrypt}$ and the symmetric decryption algorithm by $\mathsf{SymDecrypt}$.

Figure 10 gives the design of our code-based hybrid signcryption tag-KEM + DEM. In this design, the algorithms $\mathsf{Setup}$, $\mathsf{KeyGen}_s$, and $\mathsf{KeyGen}_r$ are the same as those of our signcryption tag-KEM. The algorithms $\mathsf{Sym}$ and $\mathsf{Encap}$ are those of our signcryption tag-KEM in Section 4.1.

Figure 10: Code-based hybrid signcryption from $\mathsf{SCTKEM}$ and $\mathsf{DEM}$.

5 Security analysis

Before discussing the security of our hybrid scheme, let us consider the following assumptions for our security analysis:

Assumption 1: The advantage of a PPT algorithm $\mathcal{A}$ in solving the decoding problem for random linear codes is negligible with respect to the length $n$ and dimension $k$ of the code.

Assumption 2: The advantage of a PPT algorithm $\mathcal{A}$ in solving the $(U, U+V)$ distinguishing problem is negligible with respect to the length $n$ and dimension $k$ of the code.

Assumption 3: The advantage of a PPT algorithm $\mathcal{A}$ in solving the subcode equivalence problem is negligible with respect to the length $n$ and dimension $k$ of the code.

Assumption 4: The advantage of a PPT algorithm $\mathcal{A}$ in solving the DOOM problem is negligible with respect to the length $n$ and dimension $k$ of the code.

Assumption 5: The advantage of a PPT algorithm $\mathcal{A}$ in solving the Goppa code distinguishing problem is negligible with respect to the length $n$ and dimension $k$ of the code.

5.1 Information-set decoding algorithm

In code-based cryptography, the best-known nonstructural attacks rely on information-set decoding. The information-set decoding algorithm was introduced by Prange [60] for decoding cyclic codes. Since Prange's work, several works have studied inverting code-based encryption schemes by information-set decoding (see [61], Section 4.1).

For a given linear code of length n and dimension k , the main idea behind the information-set decoding algorithm is to find a set of k coordinates of a garbled vector that are error free and such that the restriction of the code’s generator matrix to these positions is invertible. Then, the original message can be computed by multiplying the encrypted vector by the inverse of the submatrix.

Thus, those $k$ bits determine the codeword uniquely, and hence the set is called an information set. It is sometimes difficult to determine the exact resistance to this type of attack. However, it is always lower-bounded by the ratio of error-free information sets to the total number of possible information sets, i.e.,

$$R_{\mathrm{ISD}} = \frac{\binom{n-\omega}{k}}{\binom{n}{k}}, \qquad (1)$$

where ω is the Hamming weight of the error vector. Therefore, well-chosen parameters can avoid these nonstructural attacks. In our scheme, we use the parameters of the Wave signature [41] for the sender and those of Classic McEliece [61] for the receiver in the underlying encryption scheme.
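As an added illustration, not part of the paper, the following Python builds a toy binary code, shows on it that Problems 1 and 2 coincide (the syndrome of the noisy word equals the syndrome of the error), runs plain Prange information-set decoding over every k-subset of positions, and compares the observed fraction of error-free information sets with the ratio (1). The [7,4] Hamming code and the error position are constructed for the example.

```python
from itertools import combinations
from math import comb

# Toy code constructed for this example: the binary Hamming [7,4] code in
# systematic form G = [I_4 | A]; its parity-check matrix is H = [A^T | I_3],
# so that G H^T = 0 over F_2.
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
K, N = 4, 7
G = [[int(i == j) for j in range(K)] + A[i] for i in range(K)]
H = [[A[i][j] for i in range(K)] + [int(j == l) for l in range(N - K)]
     for j in range(N - K)]


def wt(v):
    """Hamming weight: number of nonzero coordinates."""
    return sum(1 for x in v if x)


def vec_mat(x, M):
    """Row vector times matrix over F_2 (x G is a codeword for x in F_2^k)."""
    return [sum(x[i] * M[i][j] for i in range(len(M))) % 2 for j in range(len(M[0]))]


def syndrome(Hm, y):
    """y H^T over F_2; it is zero exactly when y is a codeword (Problem 1)."""
    return [sum(row[j] * y[j] for j in range(len(y))) % 2 for row in Hm]


def invert_gf2(M):
    """Gauss-Jordan inverse of a square matrix over F_2, or None if singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def prange_isd(Gm, y, omega):
    """Plain Prange information-set decoding, exhaustively over all k-subsets.

    For each k-subset I, the k x k matrix G_I (columns of G indexed by I) is
    inverted if possible.  If I carries no error then y_I = m G_I, so
    m = y_I G_I^{-1} and y + m G is the error vector, recognised by its
    weight omega.  Returns the first solution and the counts needed to
    compare the outcome with the bound (1).
    """
    k, n = len(Gm), len(Gm[0])
    info_sets = error_free = 0
    solution = None
    for I in combinations(range(n), k):
        G_I = [[Gm[i][j] for j in I] for i in range(k)]
        inv = invert_gf2(G_I)
        if inv is None:
            continue                      # not an information set
        info_sets += 1
        m = vec_mat([y[j] for j in I], inv)
        e = [(a + b) % 2 for a, b in zip(y, vec_mat(m, Gm))]
        if wt(e) == omega:
            error_free += 1
            if solution is None:
                solution = (m, e)
    return {"solution": solution, "info_sets": info_sets, "error_free": error_free}


def isd_bound(n, k, omega):
    """Ratio (1): fraction of k-subsets that avoid all omega error positions."""
    return comb(n - omega, k) / comb(n, k)


if __name__ == "__main__":
    m = [1, 0, 1, 1]
    e = [0, 0, 0, 0, 0, 1, 0]             # constructed weight-1 error
    y = [(a + b) % 2 for a, b in zip(vec_mat(m, G), e)]
    # Problems 1 and 2 are equivalent: the syndrome of y is the syndrome of e.
    assert syndrome(H, y) == syndrome(H, e)
    res = prange_isd(G, y, 1)
    print("recovered m:", res["solution"][0])
    print("error-free / information sets: %d / %d" % (res["error_free"], res["info_sets"]))
    print("bound (1):", isd_bound(N, K, 1))
```

On this toy code 28 of the 35 4-subsets are information sets and 12 of them avoid the error, so the observed fraction 12/28 coincides with the bound 15/35 = 3/7; for real parameters the bound is what is available.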

5.2 Key recovery attack

In code-based cryptography, the first step in a key recovery attack is usually to perform a distinguishing attack on the public code in order to identify the family of the underlying code. Once successful, the attacker can then perform any well-known attack against this family of codes to recover the secret key. When the underlying code is a Goppa code, the main distinguishing technique consists of evaluating the square code or the square of the trace code of the corresponding public code [25,62,63]. Note that this technique usually works for a Goppa code with a high rate. Compared to many other code-based encryption schemes, in which the public code is equivalent to an alternant or a Goppa code, in this work the public code is a permuted Goppa subcode. Thus, in addition to the indistinguishability of Goppa codes, the subcode equivalence problem becomes one of our security assumptions. Moreover, to the best of our knowledge, there is no attack reported in the literature on distinguishing a code equivalent to a Goppa subcode. Therefore, by using the subcode equivalence problem as a security assumption, we can keep our scheme out of the reach of the distinguishing attack even though the underlying code is a Goppa code.

Throughout the rest of our analysis, we assume that the attacker knows that the family of the underlying code is a Goppa code. In our case, the key recovery attack is at two different levels: the first one is on the sender side and the second one is on the receiver side.

On the receiver side, the key recovery attack consists of recovering the Goppa polynomial $g_r$ and the support $\gamma_r = (\alpha_0, \ldots, \alpha_{n-1})$ from the public matrix. The natural way to do this is a brute-force attack: one can determine the sequence $(\alpha_0, \ldots, \alpha_{n-1})$ from $g_r$ and the set $\{\alpha_0, \ldots, \alpha_{n-1}\}$, or alternatively determine $g_r$ from $(\alpha_0, \ldots, \alpha_{n-1})$. A good choice of parameters can avoid this attack: for an irreducible Goppa code, the number of choices of $g_r$ is given by

$$\frac{1}{t}\sum_{d \mid t} \mu(d)\, q^{t/d}.$$

Using the parameters of Classic McEliece, the complexity of a brute-force attack to find the Goppa polynomial is more than $2^{800}$ for the parameters proposed in [61].
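To make the two bounds above concrete, the following added example (not the authors' code) evaluates equation (1) and the Möbius count of irreducible Goppa polynomials for the receiver parameters listed in Table 1, assuming the receiver's Goppa code has dimension $n_r - mt$; the functions are general in $n$, $k$, $\omega$, $q$ and $t$.

```python
"""Worked numbers for the ISD bound (1) and the Goppa-polynomial count.

Added example, not code from the paper. It uses the receiver parameters of
Table 1 (Classic McEliece, NIST level 1) and assumes the receiver's binary
Goppa code has dimension n_r - m*t.
"""
from fractions import Fraction
from math import comb, log2

# Receiver parameters from Table 1 of the paper.
N_R, M, T = 3488, 12, 64
K_R = N_R - M * T  # assumed dimension of the receiver's Goppa code


def isd_success_ratio(n: int, k: int, w: int) -> Fraction:
    """Equation (1): fraction of k-subsets of the n coordinates that avoid all w errors.

    C(n-w, k) / C(n, k) is the per-iteration success probability of plain
    (Prange) information-set decoding, so its inverse lower-bounds the work
    factor of the non-structural attack. Exact rational arithmetic keeps the
    tiny value from underflowing.
    """
    if not (0 <= w <= n and 0 <= k <= n):
        raise ValueError("need 0 <= w <= n and 0 <= k <= n")
    return Fraction(comb(n - w, k), comb(n, k))


def isd_workfactor_bits(n: int, k: int, w: int) -> float:
    """log2 of the lower bound 1 / R_ISD, computed on big ints to avoid float underflow."""
    r = isd_success_ratio(n, k, w)
    if r == 0:
        return float("inf")  # no error-free information set exists (w > n - k)
    return log2(r.denominator) - log2(r.numerator)


def moebius(d: int) -> int:
    """Moebius function mu(d) by trial division (d is a divisor of t, so small)."""
    mu, p = 1, 2
    while p * p <= d:
        if d % p == 0:
            d //= p
            if d % p == 0:
                return 0  # square factor
            mu = -mu
        p += 1
    return -mu if d > 1 else mu


def irreducible_count(q: int, t: int) -> int:
    """Number of monic irreducible polynomials of degree t over F_q:
    (1/t) * sum_{d | t} mu(d) * q^(t/d), i.e. the brute-force space for g_r."""
    total = sum(moebius(d) * q ** (t // d) for d in range(1, t + 1) if t % d == 0)
    assert total % t == 0  # the Moebius sum is always divisible by t
    return total // t


def receiver_summary() -> dict:
    """ISD lower bound and Goppa-polynomial search space for the Table 1 receiver."""
    return {
        "isd_bits_goppa_code": isd_workfactor_bits(N_R, K_R, T),
        "goppa_poly_bits": irreducible_count(2 ** M, T).bit_length(),
    }


if __name__ == "__main__":
    for name, bits in receiver_summary().items():
        print(f"{name:>22}: about 2^{bits:.1f}")
```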

It is also important to note that if the adversary knows the underlying Goppa code $\mathcal{C}_{sk}$, performing the key recovery attack implies solving a computational instance of the subcode equivalence problem. Indeed, this corresponds to finding the permutation $\sigma$ such that $\sigma(\mathcal{C}_{pk})$ is a subcode of $\mathcal{C}_{sk}$. Finding the permutation $\sigma$ is equivalent to solving the following system:

$$G_{pk,r}\, X_\sigma\, H_{sk,r} = 0, \qquad (2)$$

where $H_{sk,r}$ is a parity-check matrix of the underlying Goppa code $\mathcal{C}_{sk,r}$, $G_{pk,r}$ is the generator matrix of the public code $\mathcal{C}_{pk}$, and $X_\sigma = (x_{i,j})$ is the matrix of the unknown permutation $\sigma$. Note that solving (2) is equivalent to solving a variant of the permuted kernel problem [64]. A natural way to solve (2) is a brute-force attack, which is of order $O(n!)$. However, the adversary could use Georgiades' technique [65], whose complexity in our case is given by

$$O\!\left(\frac{n!}{\tilde{k}!}\right). \qquad (3)$$

Recently, Paiva and Terada introduced in [66] a new technique for solving (2). The workfactor of their attack applied to our scheme is given by:

$$\mathrm{WF}^{\mathrm{PaTe}}_{\mathrm{Attack}} = O\!\left(2^{\,(n - mt - \tilde{k} - n^{1/5})(\log(n) - 1) - 0.91\,n + \log n^2}\right). \qquad (4)$$

From (3) and (4), we can see that a well-chosen set of parameters can avoid the attack of Georgiades as well as that of Paiva and Terada.

In the case of the sender, the key recovery attack consists of first solving the $(U, U+V)$ distinguishing problem over a finite field of cardinality $q = 3$. Therefore, under Assumption 3 and with a well-chosen set of parameters, this attack fails.

5.3 IND-CCA and SUF-CMA security

In code-based cryptography, the main approach to a chosen-ciphertext attack against the McEliece encryption scheme consists of adding two errors to the received word. If the decryption succeeds, the error vector in the resulting word has the same weight as the previous one. In our signcryption tag-KEM scheme, this implies either recovering the session key $K$ or distinguishing the encapsulations of two different session keys from $(e, c, \tau)$. Recovering the session key $K$ corresponds to recovering the plaintext in an IND-CCA2 secure version of McEliece's cryptosystem (see [21], Subsection 3.2). We now have the following theorem:

Theorem 2

Under Assumptions 1, 3, and 5, the signcryption tag-KEM scheme described in Section 4.1 is IND-CCA2 secure.

Proof

Let $A_{CCA2}$ be a PPT adversary against the signcryption tag-KEM scheme described in Section 4.1 in the signcryption tag-KEM IND-CCA2 game, and let $\varepsilon_{CCA2,SCTKEM}$ denote its advantage. To prove Theorem 2, we need to bound $\varepsilon_{CCA2,SCTKEM}$.

Game 0: This game is the normal signcryption tag-KEM IND-CCA2 game. Let $X_0$ denote the event that the adversary wins Game 0 and $\Pr(X_0)$ the probability that it happens. Then we have

$$\Pr(X_0) = \varepsilon_{CCA2,SCTKEM}.$$

Game 1: This game corresponds to the simulation of the hash function oracle. It is the same as Game 0 except that the adversary has access to the hash function oracle: it looks for a pair $(\tau', y) \in \mathbb{F}_2^{\lambda} \times \mathbb{F}_2^{\kappa}$ such that $e H_s^{T} = \mathcal{H}_2(\tau \| \varpi \| \mathcal{H}_1(y))$ and then tries to continue by computing $c$. It can succeed at least when the following collisions happen:

$$\mathcal{H}_1(\tau') = \mathcal{H}_1(\tau) \quad \text{and} \quad \mathcal{H}_1(\tau' \| \varpi \| \mathcal{H}_2(y)) = \mathcal{H}_2(\tau \| \varpi \| \mathcal{H}_1(y)).$$

Therefore, if $q_h$ is the number of queries allowed and $X_1$ is the event that $A_{CCA2}$ wins Game 1, we have

$$|\Pr(X_1) - \Pr(X_0)| \le \frac{q_h}{\binom{n}{t}}.$$

Game 2: This game is the same as Game 1 except that the error vector $e$ in the encapsulation output is generated randomly. The best way for the adversary to proceed is to split $c$ as $(c_0 \| c_1)$ and then try to invert either $c_0$, to recover the error $\sigma$, or $c_1$, to recover the internal state $\varpi_b$ directly. That means the adversary is able either to solve the syndrome decoding problem or to invert a one-time pad. Therefore, we have

$$|\Pr(X_1) - \Pr(X_2)| \le \varepsilon_{SD} + \nu(\cdot),$$

where $\varepsilon_{SD}$ is the advantage of an adversary against the syndrome decoding problem and $\nu$ is a negligible function whose argument is the bit length of the symmetric encryption.

Game 3: This game is the same as Game 2, except that the key generation algorithm is changed: a random code is chosen as the underlying code instead of a Goppa code. This change is indistinguishable, since distinguishing it amounts to solving (in part) the Goppa code distinguishing problem. Thus, we have

$$|\Pr(X_3) - \Pr(X_2)| \le \varepsilon_{GCD}(\lambda),$$

where $\varepsilon_{GCD}(\lambda)$ is the advantage of a PPT adversary in the Goppa code distinguishing problem and $\lambda$ is the security parameter. If there is a PPT adversary $A$ capable of distinguishing this change, we can use it to construct an adversary $A_{GCD}$ that solves the Goppa code distinguishing problem as follows:

  1. On receiving an instance $G \in \mathbb{F}_2^{k \times n}$, a generator matrix of a code $\mathcal{C}$ in the Goppa code distinguishing problem, $A_{GCD}$ extracts a generator matrix $G'$ of a subcode $\mathcal{C}'$ of $\mathcal{C}$ and forwards it to $A$.

  2. $A$ replies 1 if the change has happened, i.e., the underlying code is not a Goppa code, and 0 otherwise.

  3. If $A_{GCD}$ receives 1 from $A$, it means that $\mathcal{C}$ is not a Goppa code and $A_{GCD}$ outputs 0; otherwise it returns 1, i.e., $\mathcal{C}$ is a Goppa code.

Game 4: This game is the same as Game 3 except that the public key is a random matrix instead of a generator matrix of a permuted subcode. This change is indistinguishable under the subcode equivalence assumption. Thus, we have

$$|\Pr(X_4) - \Pr(X_3)| \le \varepsilon_{ES}(\lambda),$$

where $\varepsilon_{ES}(\lambda)$ is the advantage of a PPT adversary in the subcode equivalence problem and $\lambda$ is the security parameter. Moreover, we can show that if an adversary $A_{CCA2}$ wins this game, we can use it to construct an adversary $A_{McE}$ attacking the underlying McEliece scheme in the public key encryption IND-CCA2 game (called PKE.Game in Appendix A). For more details on the underlying McEliece encryption scheme and its IND-CCA2 security proof, the reader is referred to Appendix C. We proceed as follows:

  • Given the receiver public key pk, which corresponds to a receiver public key of the signcryption tag-KEM, $A_{McE}$ does the following:

    1. chooses randomly $(\varpi_0, \varpi_1) \xleftarrow{\$} \mathbb{F}_2$

    2. chooses randomly $\delta \xleftarrow{\$} \{0, 1\}$

    3. sends the public key pk and $\varpi_\delta$ to $A_{CCA2}$

  • Given a tag $\tau$ from $A_{CCA2}$, $A_{McE}$:

    1. sends the pair $(\mathcal{H}_1(\tau) \| \varpi_0,\ \mathcal{H}_1(\tau) \| \varpi_1)$ to the encryption oracle of PKE.Game

    2. forwards the ciphertext $c$ received from the encryption oracle to $A_{CCA2}$

  • For every decryption query $(c_i, \tau_i)$ from $A_{CCA2}$:

    1. if $c_i = c$, $A_{McE}$ returns $\bot$ to $A_{CCA2}$; otherwise it sends $c_i$ to the decryption oracle of PKE.Game.

    2. On receiving $\tau_i' \| \varpi_i$ from the decryption oracle: if $\tau_i' \neq \mathcal{H}_1(\tau_i)$, $A_{McE}$ returns $\bot$ to $A_{CCA2}$; otherwise it returns $\varpi_i$ to $A_{CCA2}$.

  • When $A_{CCA2}$ outputs $\tilde{\delta} = \delta$, $A_{McE}$ returns 1; otherwise it returns 0.

Let $\varepsilon_{PKE}$ be the advantage of $A_{McE}$ in PKE.Game. Note that the target ciphertext $c$ can be uniquely decrypted to $\mathcal{H}_1(\tau) \| \varpi_\delta$. Therefore, any $(c', \tau')$ other than $(c, \tau)$ cannot be a valid signcryption ciphertext unless a collision of $\mathcal{H}_1$ takes place, i.e., $\mathcal{H}_1(\tau_i) = \mathcal{H}_1(\tau)$. The correct answer to any decryption query with $c_i = c$ is $\bot$. Decryption queries from $A_{CCA2}$ are correctly answered since $c_i$ is decrypted by the decryption oracle of PKE.Game.

When $A_{CCA2}$ outputs $\tilde{\delta}$, it means that $\varpi_\delta$ is embedded in $c_i$; otherwise $\varpi_{1-\delta}$ is embedded. Hence the adversary $A_{McE}$ wins PKE.Game with the same probability as $A_{CCA2}$ wins Game 4, provided no collision of $\mathcal{H}_1$ has happened. Let $\tilde{X}$ be the event that a collision of $\mathcal{H}_1$ has happened and $\tilde{X}_4$ the event that $A_{McE}$ wins PKE.Game. Let $\varepsilon_{pke}$ denote the probability of the event $\tilde{X}_4$ and $\varepsilon_{col}$ that of $\tilde{X}$. Therefore, we have

$$\Pr(X_4 \wedge \neg\tilde{X}) = \Pr(\tilde{X}_4) \;\Longrightarrow\; \Pr(X_4) \le \Pr(\tilde{X}_4) + \Pr(\tilde{X}).$$

By putting it all together, we conclude our proof.□

Theorem 3

Under Assumptions 2 and 4, the signcryption tag-KEM scheme described in Section 4.1 is SUF-CMA secure.

Proof

Let $A_{CMA}$ be an adversary against our signcryption tag-KEM in the SUF-CMA game and $\varepsilon_{CMA}$ its advantage. To forge a signcryption, the adversary $A_{CMA}$ first needs to find a pair $(e, y) \in W_{q,n,\omega} \times \mathbb{F}_2^{\tilde{k}}$ such that $e H_{pk,s}^{T} = \mathcal{H}_2(\tau \| \varpi \| y)$. Then it tries to find $r \in \mathbb{F}_2^{\kappa}$ such that $\mathcal{H}_1(r) = y$, i.e., it wins the target preimage-free game (see Appendix B) against the cryptographic hash function $\mathcal{H}_1$. Finding $(e, y) \in W_{q,n,\omega} \times \mathbb{F}_2^{\tilde{k}}$ such that $e H_{pk,s}^{T} = \mathcal{H}_2(\tau \| \varpi \| y)$ corresponds to forging the underlying Wave signature scheme. Let $\varepsilon_{PreIm}$ be the advantage of an adversary in the preimage-free game against a cryptographic hash function. Let $A_{Wave,CMA}$ be an adversary against the Wave signature in the EUF-CMA game and $\varepsilon_{Wave,EUF}$ its advantage. Let $X$ be the event that $A_{Wave,CMA}$ wins, and let $\tilde{X}$ be the event that the adversary is able to find a preimage $x \in \mathbb{F}_2^{\kappa}$ of $y$ under $\mathcal{H}_1$. We have

$$\Pr(A_{CMA}\ \text{wins}) = \Pr(X \text{ and } \tilde{X}) \le \Pr(X) + \Pr(\tilde{X}) \le \varepsilon_{Wave,EUF} + \frac{\varepsilon_{PreIm}}{2^{\kappa}}.$$

Since $\mathcal{H}_1$ is a cryptographic hash function, $\varepsilon_{PreIm}$ is negligible, which concludes our proof.□

Corollary 1

The signcryption tag-KEM described in Section 4.1 is secure.

The aforementioned corollary is a consequence of Theorems 2 and 3. We then have the following.

Proposition 1

Under Assumptions 1, 3, and 5, the hybrid signcryption tag-KEM + DEM scheme described in Section 4.2 is IND-CCA2 secure.

Proof

Proposition 1 is a consequence of Theorem 1. Indeed, under Assumptions 1, 3, and 5, the underlying signcryption tag-KEM is IND-CCA2 secure (Theorem 2). In addition, the symmetric encryption scheme used is OT-secure. Therefore, a direct application of Theorem 1 completes the proof.□

Proposition 2

Under Assumptions 2 and 4, the hybrid signcryption tag- KEM + DEM scheme described in Section 4.2 is SUF - CMA secure.

Proof

Under Assumptions 2 and 4, the underlying signcryption tag-KEM is SUF-CMA secure and, therefore, according to Theorem 1, the proposed hybrid signcryption tag-KEM + DEM is SUF-CMA secure.□

6 Parameter values

For our scheme, we choose parameters such that $\lambda_0 = \lambda + 2\log_2(q_{sign})$ and $\lambda_{McE}$, the security levels of the underlying Wave signature and McEliece encryption, respectively, satisfy $\max(\lambda_0, \lambda_{McE}) \le \binom{n_r}{t}$. Given the sender and receiver keys, the size of our ciphertext is

$$|E| = |e| + |c| + |C| = 2n_s + n_r + \tilde{k} + 2.$$

Table 1 gives suggested values of the parameters of our scheme. These values have been derived from those of Wave [42] and Classic McEliece [61] for NIST PQC Level 1 security. With the values given in Table 1, the ciphertext size of our scheme in bits is of the order of $|E| = 2.9 \times 10^4$.

Table 1

Parameter values of the proposed scheme

Parameter n s k U k V ω m t n r k ˜
Value 8,492 3,558 2,047 7,980 12 64 3,488 1,815 512

Table 2 provides key sizes of our scheme in terms of relevant parameters. Then, in Table 3, we give a numerical comparison of key and ciphertext sizes of our scheme with some existing lattice-based hybrid signcryption schemes. The rationale behind comparing our scheme against lattice-based schemes is that no code-based hybrid signcryption scheme exists in the literature and the underlying hard problems in both codes- and lattice-based schemes are considered quantum safe. For the lattice-based schemes in our comparison, the parameters, including plaintext size of 512 bits, are from [9, Table 2]. We can see that for postquantum security level 1, the proposed scheme has the smallest key and ciphertext sizes.

Table 2

Key sizes of the proposed scheme

User                  Public key                Secret key
Receiver's key size   $\tilde{k}\,n_r$          $m(2n_r + t\,\tilde{k}\,t) + \tilde{k}\,n_r$
Sender's key size     $r(n_s - r)\log_2(q)$     $(n_s(n_s + r) + r^2)\log_2(q)$

Table 3

Size comparison (in bits) of the proposed scheme with the lattice-based schemes of [9,67,68]

Construction            Receiver's key size        Sender's key size          Ciph. size
                        Pub. key     Sec. key      Pub. key     Sec. key
SC_TK [9,67]            8.5 × 10^7   4.2 × 10^8    8.4 × 10^7   4.2 × 10^8    5.5 × 10^5
SC_KEM [9,67]           5.7 × 10^7   4.2 × 10^8    8.5 × 10^7   4.2 × 10^8    5.2 × 10^5
SC_CHK [9,68]           2.8 × 10^7   4.2 × 10^8    2.8 × 10^7   4.2 × 10^8    4.5 × 10^6
Sato and Shikata [9]    2.8 × 10^7   4.2 × 10^8    2.8 × 10^7   4.2 × 10^8    4.0 × 10^5
Our scheme              6.3 × 10^6   5.0 × 10^6    2.6 × 10^7   1.7 × 10^8    2.1 × 10^4

7 Conclusion

In this article, we have proposed a new signcryption tag-KEM based on coding theory. The security of our scheme relies on known hard problems in coding theory. We have used the proposed signcryption scheme to design a new code-based hybrid signcryption tag-KEM + DEM. We have proven that the proposed schemes are IND-CCA2 and SUF-CMA secure against any PPT adversary. The proposed scheme has a smaller ciphertext size than the pertinent lattice-based schemes.

Acknowledgement

The authors would like to thank the anonymous reviewers for their comments on an earlier version of this article.

  1. Funding information: This work was supported by Ripple Impact Fund/Silicon Valley Community Foundation (Grant 2018-188473).

  2. Conflict of interest: The authors state that there is no conflict of interest.

Appendix A PKE.Game

Here, we recall the IND-CCA2 game for PKE, called PKE.Game in our scheme. The decryption oracle is denoted by $\mathcal{O}$ (Figure A1).

Figure A1: PKE.Game.

In Step 4, the adversary $A_{McE}$ is not allowed to query $\mathcal{O}$ on the challenge ciphertext $c$. The plaintexts $m_0$ and $m_1$ must have the same length. $A_{McE}$ wins when $\tilde{b} = b$, and its advantage is the probability that it wins this game, denoted by $\varepsilon_{pke}$.

B Target preimage-free

A target preimage-free function is a special case of a universal one-way function. An adversary is given $(\mathcal{H}, y)$ (chosen at random in their domains) and attempts to find $x$ such that $\mathcal{H}(x) = y$. Let $\chi_\lambda = \{X\}$ be a collection of domains and $\chi = \{\chi_\lambda\}_{\lambda \in \mathbb{N}}$. Let $\tilde{\mathcal{H}}_\lambda = \{\mathcal{H} : X \to \{0,1\}^{\lambda} : X \in \chi_\lambda\}$ and $\tilde{\mathcal{H}} = \{\tilde{\mathcal{H}}_\lambda\}_{\lambda \in \mathbb{N}}$. Note that $X$ is identified by the description of $\mathcal{H}$. Let $A_{PreIm}$ be an adversary playing the following game (Figure A2).

Figure A2: Preimage game.

$A_{PreIm}$ wins the game when $\mathcal{H}(x) = y$, and the advantage of $A_{PreIm}$ is the probability that it wins Preimage.Game for a given $\mathcal{H} \in \tilde{\mathcal{H}}_\lambda$ and $y \in \{0,1\}^{\lambda}$. We say that $\tilde{\mathcal{H}}$ is target preimage free with regard to $\chi$ when the advantage $\varepsilon_{PreIm}$ of $A_{PreIm}$ is negligible.

C Security of the McEliece encryption with Fujisaki–Okamoto transformation

For the IND-CCA security of McEliece’s scheme described in Figure 1, we need the following definition:

Definition 2

($\gamma$-uniformity [21]) Let $\Pi$ be a public key encryption scheme and let $\mathcal{R}$ be the set from which the randomness used in the (probabilistic) encryption is chosen. For a given key pair $(pk, sk)$, a plaintext $x$ and a string $y$, we define

$$\gamma(x, y) = \Pr\left[r \xleftarrow{\$} \mathcal{R} : y = \mathsf{Enc}_{pk}(x, r)\right],$$

where the notation $\mathsf{Enc}_{pk}(x, r)$ makes the role of the randomness $r$ explicit. We say that $\Pi$ is $\gamma$-uniform if, for any key pair $(pk, sk)$, any plaintext $x$ and any ciphertext $y$, $\gamma(x, y) \le \gamma$ for a certain $\gamma \in \mathbb{R}$.

We now can state the following lemma.

Lemma 1

The McEliece scheme with the Fujisaki–Okamoto transformation described in Figure 1 is $\gamma$-uniform with

$$\gamma = \frac{1}{2^{\tilde{k}} \binom{n}{t}}.$$

Proof

For any vector $y \in \mathbb{F}_2^{n_r}$, either $y$ is a word at distance $t$ from the code $\mathcal{C}$ with generator matrix $G_{pk,r}$, or it is not. When $y$ is not at distance $t$ from $\mathcal{C}$, the probability that it is a valid ciphertext is 0. Otherwise, there is only one choice of $r$ and $e$ such that $y = r G_{pk,r} \oplus e$, i.e.,

$$\Pr\big(d(y, \mathcal{C}) = t\big) = \frac{1}{2^{\tilde{k}} \binom{n_r}{t}}.$$

Theorem 4

Under Assumptions 1, 3, and 5, the McEliece scheme based on a subcode of a Goppa code with the Fujisaki–Okamoto transformation described in Figure 1 is IND-CCA2 secure.

Proof

In Figure 1, the symmetric encryption used is the XOR function which is a one-time pad. Under Assumptions 1 and 3, the old McEliece encryption scheme is one-way secure. Therefore, according to Theorem 12 of [58], the McEliece scheme with the Fujisaki–Okamoto transformation is IND - CCA2 secure.□

References

[1] Zheng Y. Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature) + cost (encryption). In: Advances in Cryptology – CRYPTO '97: 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings. Springer; 1997. p. 165–79. doi:10.1007/BFb0052234

[2] Zheng Y, Imai H. How to construct efficient signcryption schemes on elliptic curves. Inform Process Lett. 1998;68(5):227–33. doi:10.1016/S0020-0190(98)00167-7

[3] Steinfeld R, Zheng Y. A signcryption scheme based on integer factorization. In: Information Security: Third International Workshop, ISW 2000, Wollongong, Australia, December 20–21, 2000, Proceedings. Springer; 2000. p. 308–22. doi:10.1007/3-540-44456-4_23

[4] Yang X, Cao H, Li W, Xuan H. Improved lattice-based signcryption in the standard model. IEEE Access. 2019;7:155552–62. doi:10.1109/ACCESS.2019.2949429

[5] Li F, BinMuhaya FT, Khan MK, Takagi T. Lattice-based signcryption. Concurrency Computation Practice Experience. 2013;25(14):2112–22. doi:10.1002/cpe.2826

[6] Barreto PS, Libert B, McCullagh N, Quisquater JJ. Signcryption schemes based on the Diffie-Hellman problem. In: Practical Signcryption. Information Security and Cryptography. Berlin, Heidelberg: Springer; 2010. p. 57–69. doi:10.1007/978-3-540-89411-7_4

[7] Barreto PS, Libert B, McCullagh N, Quisquater JJ. Signcryption schemes based on bilinear maps. In: Practical Signcryption. Information Security and Cryptography. Berlin, Heidelberg: Springer; 2010. p. 71–97. doi:10.1007/978-3-540-89411-7_5

[8] Dent AW, Malone-Lee J. Signcryption schemes based on the RSA problem. In: Practical Signcryption. Berlin, Heidelberg: Springer; 2010. p. 99–117. doi:10.1007/978-3-540-89411-7_6

[9] Sato S, Shikata J. Lattice-based signcryption without random oracles. In: Post-Quantum Cryptography: 9th International Conference, PQCrypto 2018, Fort Lauderdale, FL, USA, April 9–11, 2018, Proceedings. Springer; 2018. p. 331–51. doi:10.1007/978-3-319-79063-3_16

[10] Yan J, Wang L, Wang L, Yang Y, Yao W. Efficient lattice-based signcryption in standard model. Math Problem Eng. 2013;2013:1–18. doi:10.1155/2013/702539

[11] Le HQ, Duong DH, Roy PS, Susilo W, Fukushima K, Kiyomoto S. Lattice-based signcryption with equality test in standard model. Comput Standard Interfaces. 2021;76:103515. doi:10.1016/j.csi.2021.103515

[12] Zhao X, Wang X. An efficient identity-based signcryption from lattice. Int J Security Appl. 2014;8(2):363–74. doi:10.14257/ijsia.2014.8.2.37

[13] Dent AW. Hybrid cryptography. Cryptology ePrint Archive. 2004.

[14] Dent AW. Hybrid signcryption schemes with insider security. In: Information Security and Privacy: 10th Australasian Conference, ACISP 2005, Brisbane, Australia, July 4–6, 2005, Proceedings. Springer; 2005. p. 253–66. doi:10.1007/11506157_22

[15] Dent AW. Hybrid signcryption schemes with outsider security. In: Information Security: 8th International Conference, ISC 2005, Singapore, September 20–23, 2005, Proceedings. Springer; 2005. p. 203–17. doi:10.1007/11556992_15

[16] Bjørstad TE, Dent AW. Building better signcryption schemes with tag-KEMs. In: Public Key Cryptography – PKC 2006: 9th International Conference on Theory and Practice in Public-Key Cryptography, New York, NY, USA, April 24–26, 2006, Proceedings. Springer; 2006. p. 491–507. doi:10.1007/11745853_32

[17] Yoshida M, Fujiwara T. On the security of tag-KEM for signcryption. Electr Notes Theoret Comput Sci. 2007;171(1):83–91. doi:10.1016/j.entcs.2006.11.011

[18] Mathew KP, Vasant S, Rangan CP. On provably secure code-based signature and signcryption scheme. IACR Cryptol ePrint Archive. 2012;2012:585.

[19] Song Y, Li Z, Li Y, Li J. Attribute-based signcryption scheme based on linear codes. Inform Sci. 2017;417:301–9. doi:10.1016/j.ins.2017.06.033

[20] Banegas G, Barreto PS, Boidje BO, Cayrel PL, Dione GN, Gaj K, et al. DAGS: Key encapsulation using dyadic GS codes. J Math Cryptol. 2018;12(4):221–39. doi:10.1515/jmc-2018-0027

[21] Cayrel PL, Hoffmann G, Persichetti E. Efficient implementation of a CCA2-secure variant of McEliece using generalized Srivastava codes. In: Public Key Cryptography – PKC 2012: 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21–23, 2012, Proceedings. Springer; 2012. p. 138–55. doi:10.1007/978-3-642-30057-8_9

[22] Berlekamp E, McEliece R, Van Tilborg H. On the inherent intractability of certain coding problems (corresp.). IEEE Trans Inform Theory. 1978;24(3):384–6. doi:10.1109/TIT.1978.1055873

[23] Johansson T, Jonsson F. On the complexity of some cryptographic problems based on the general decoding problem. IEEE Trans Inform Theory. 2002;48(10):2669–78. doi:10.1109/TIT.2002.802608

[24] Sendrier N. Decoding one out of many. In: Post-Quantum Cryptography: 4th International Workshop, PQCrypto 2011, Taipei, Taiwan, November 29–December 2, 2011, Proceedings. Springer; 2011. p. 51–67. doi:10.1007/978-3-642-25405-5_4

[25] Faugère JC, Gauthier-Umana V, Otmani A, Perret L, Tillich JP. A distinguisher for high-rate McEliece cryptosystems. IEEE Trans Inform Theory. 2013;59(10):6830–44. doi:10.1109/TIT.2013.2272036

[26] Debris-Alazard T, Sendrier N, Tillich JP. The problem with the SURF scheme. 2017. arXiv: http://arXiv.org/abs/arXiv:170608065

[27] Berger TP, Gueye CT, Klamti JB. A NP-complete problem in coding theory with application to code-based cryptography. In: Codes, Cryptology and Information Security: Second International Conference, C2SI 2017, Rabat, Morocco, April 10–12, 2017, Proceedings – In Honor of Claude Carlet. Springer; 2017. p. 230–7. doi:10.1007/978-3-319-55589-8_15

[28] McEliece RJ. A public-key cryptosystem based on algebraic coding theory. Jet Propulsion Laboratory, DSN Progress Report. 1978:42–4.

[29] Berger TP, Loidreau P. How to mask the structure of codes for a cryptographic use. Des Codes Crypt. 2005;35:63–79. doi:10.1007/s10623-003-6151-2

[30] Berger TP, Cayrel PL, Gaborit P, Otmani A. Reducing key length of the McEliece cryptosystem. In: Progress in Cryptology – AFRICACRYPT 2009: Second International Conference on Cryptology in Africa, Gammarth, Tunisia, June 21–25, 2009, Proceedings. Springer; 2009. p. 77–97. doi:10.1007/978-3-642-02384-2_6

[31] Misoczki R, Barreto PS. Compact McEliece keys from Goppa codes. In: Selected Areas in Cryptography: 16th Annual International Workshop, SAC 2009, Calgary, Alberta, Canada, August 13–14, 2009, Revised Selected Papers. Springer; 2009. p. 376–92. doi:10.1007/978-3-642-05445-7_24

[32] Misoczki R, Tillich JP, Sendrier N, Barreto PS. MDPC-McEliece: New McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory. IEEE; 2013. p. 2069–73. doi:10.1109/ISIT.2013.6620590

[33] Barreto PS, Lindner R, Misoczki R. Monoidic codes in cryptography. PQCrypto. 2011;7071:179–99. doi:10.1007/978-3-642-25405-5_12

[34] Persichetti E. Compact McEliece keys based on quasi-dyadic Srivastava codes. J Math Cryptol. 2012;6(2):149–69. doi:10.1515/jmc-2011-0099

[35] Niederreiter H. Knapsack-type cryptosystems and algebraic coding theory. Prob Control Inf Theory. 1986;15(2):159–66.

[36] Cramer R, Shoup V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J Comput. 2003;33(1):167–226. doi:10.1137/S0097539702403773

[37] Persichetti E. Secure and anonymous hybrid encryption from coding theory. In: International Workshop on Post-Quantum Cryptography. Springer; 2013. p. 174–87. doi:10.1007/978-3-642-38616-9_12

[38] Cayrel PL, Gueye CT, Mboup EHM, Ndiaye O, Persichetti E. Efficient implementation of hybrid encryption from coding theory. In: Codes, Cryptology and Information Security: Second International Conference, C2SI 2017, Rabat, Morocco, April 10–12, 2017, Proceedings – In Honor of Claude Carlet. Springer; 2017. p. 254–64. doi:10.1007/978-3-319-55589-8_17

[39] Mathew KP, Vasant S, Rangan CP. Efficient code-based hybrid and deterministic encryptions in the standard model. In: International Conference on Information Security and Cryptology. Springer; 2013. p. 517–35.

[40] Courtois NT, Finiasz M, Sendrier N. How to achieve a McEliece-based digital signature scheme. In: Advances in Cryptology – ASIACRYPT 2001: 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, December 9–13, 2001, Proceedings. Springer; 2001. p. 157–74. doi:10.1007/3-540-45682-1_10

[41] Debris-Alazard T, Sendrier N, Tillich JP. Wave: A new code-based signature scheme. Cryptology ePrint Archive: Report 2018/996; 2018. https://eprint.iacr.org/2018/996/20181022:154324

[42] Banegas G, Debris-Alazard T, Nedeljković M, Smith B. Wavelet: Code-based postquantum signatures with fast verification on microcontrollers. 2021. arXiv: http://arXiv.org/abs/arXiv:211013488

[43] Fiat A, Shamir A. How to prove yourself: Practical solutions to identification and signature problems. In: Advances in Cryptology – CRYPTO '86, Proceedings. Springer; 1987. p. 186–94. doi:10.1007/3-540-47721-7_12

[44] Stern J. A new identification scheme based on syndrome decoding. In: Advances in Cryptology – CRYPTO '93: 13th Annual International Cryptology Conference, Santa Barbara, California, USA, August 22–26, 1993, Proceedings. Springer; 1993. p. 13–21. doi:10.1007/3-540-48329-2_2

[45] Jain A, Krenn S, Pietrzak K, Tentes A. Commitments and efficient zero-knowledge proofs from learning parity with noise. In: Advances in Cryptology – ASIACRYPT 2012: 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2–6, 2012, Proceedings. Springer; 2012. p. 663–80. doi:10.1007/978-3-642-34961-4_40

[46] Cayrel PL, Véron P, Alaoui SMEY. A zero-knowledge identification scheme based on the q-ary syndrome decoding problem. In: Selected Areas in Cryptography. vol. 6544. Berlin, Heidelberg: Springer; 2010. p. 171–86. doi:10.1007/978-3-642-19574-7_12

[47] Lyubashevsky V. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In: Advances in Cryptology – ASIACRYPT 2009: 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6–10, 2009, Proceedings. Springer; 2009. p. 598–616. doi:10.1007/978-3-642-10366-7_35

[48] Biasse JF, Micheli G, Persichetti E, Santini P. LESS is more: code-based signatures without syndromes. In: Progress in Cryptology – AFRICACRYPT 2020: 12th International Conference on Cryptology in Africa, Cairo, Egypt, July 20–22, 2020, Proceedings. Springer; 2020. p. 45–65. doi:10.1007/978-3-030-51938-4_3

[49] Persichetti E. Efficient one-time signatures from quasi-cyclic codes: A full treatment. Cryptography. 2018;2(4):30. doi:10.3390/cryptography2040030

[50] Persichetti E. Improving the efficiency of code-based cryptography. PhD thesis, University of Auckland; 2012.

[51] Fukushima K, Roy PS, Xu R, Kiyomoto S, Morozov K, Takagi T. Random code-based signature scheme (RaCoSS). First round submission to the NIST post-quantum cryptography call. 2017.

[52] Li Z, Xing C, Yeo SL. A new code based signature scheme without trapdoors. Cryptology ePrint Archive. 2020.

[53] Song Y, Huang X, Mu Y, Wu W, Wang H. A code-based signature scheme from the Lyubashevsky framework. Theoret Comput Sci. 2020;835:15–30. doi:10.1016/j.tcs.2020.05.011

[54] Aragon N, Blazy O, Gaborit P, Hauteville A, Zémor G. Durandal: a rank metric based signature scheme. In: Advances in Cryptology – EUROCRYPT 2019: 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, May 19–23, 2019, Proceedings, Part III. Springer; 2019. p. 728–58. doi:10.1007/978-3-030-17659-4_25

[55] Debris-Alazard T, Sendrier N, Tillich JP. Wave: A new family of trapdoor one-way preimage sampleable functions based on codes. In: Advances in Cryptology – ASIACRYPT 2019: 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8–12, 2019, Proceedings, Part I. Springer; 2019. p. 21–51. doi:10.1007/978-3-030-34578-5_2

[56] Baek J, Steinfeld R, Zheng Y. Formal proofs for the security of signcryption. In: Public Key Cryptography: 5th International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2002, Paris, France, February 12–14, 2002, Proceedings. Springer; 2002. p. 80–98. doi:10.1007/3-540-45664-3_6

[57] Yung M. Practical signcryption. Germany: Springer Science & Business Media; 2010.

[58] Fujisaki E, Okamoto T. Secure integration of asymmetric and symmetric encryption schemes. In: Advances in Cryptology – CRYPTO '99: 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 1999, Proceedings. Springer; 1999. p. 537–54. doi:10.1007/3-540-48405-1_34

[59] Barelli E, Couvreur A. An efficient structural attack on NIST submission DAGS. In: Advances in Cryptology – ASIACRYPT 2018: 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2–6, 2018, Proceedings, Part I. Springer; 2018. p. 93–118. doi:10.1007/978-3-030-03326-2_4

[60] Prange E. The use of information sets in decoding cyclic codes. IEEE Trans Inform Theory. 1962;8(5):5–9. doi:10.1109/TIT.1962.1057777

[61] Bernstein DJ, Chou T, Lange T, von Maurich I, Misoczki R, Niederhagen R, et al. Classic McEliece: conservative code-based cryptography. NIST submissions. 2017.

[62] Pellikaan R, Márquez-Corbella I. Error-correcting pairs for a public-key cryptosystem. In: Journal of Physics: Conference Series. vol. 855. IOP Publishing; 2017. p. 012032. doi:10.1088/1742-6596/855/1/012032

[63] Mora R, Tillich JP. On the dimension and structure of the square of the dual of a Goppa code. Des Codes Cryptogr. 2023;91(4):1351–72. doi:10.1007/s10623-022-01153-w

[64] Lampe R, Patarin J. Analysis of some natural variants of the PKP algorithm. Cryptology ePrint Archive. 2011.

[65] Georgiades J. Some remarks on the security of the identification scheme based on permuted kernels. J Cryptol. 1992;5:133–7. doi:10.1007/BF00193565

[66] Paiva TB, Terada R. Cryptanalysis of the binary permuted kernel problem. In: Applied Cryptography and Network Security: 19th International Conference, ACNS 2021, Kamakura, Japan, June 21–24, 2021, Proceedings, Part II. Springer; 2021. p. 396–423. doi:10.1007/978-3-030-78375-4_16

[67] Chiba D, Matsuda T, Schuldt JC, Matsuura K. Efficient generic constructions of signcryption with insider security in the multi-user setting. In: Applied Cryptography and Network Security: 9th International Conference, ACNS 2011, Nerja, Spain, June 7–10, 2011, Proceedings. vol. 11. Springer; 2011. p. 220–37. doi:10.1007/978-3-642-21554-4_13

[68] Nakano R, Shikata J. Constructions of signcryption in the multi-user setting from identity-based encryption. In: Cryptography and Coding: 14th IMA International Conference, IMACC 2013, Oxford, UK, December 17–19, 2013, Proceedings. Springer; 2013. p. 324–43. doi:10.1007/978-3-642-45239-0_19

Received: 2022-01-07
Revised: 2023-01-05
Accepted: 2023-03-21
Published Online: 2023-06-05

© 2023 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
