A Code-based Hybrid Signcryption Scheme

Let us consider the finite field $\mathbb{F}_{q}$. A $q$-ary linear code $\mathcal{C}$ of length $n$ and dimension $k$ over $\mathbb{F}_{q}$ is a vector subspace of dimension $k$ of $\mathbb{F}_{q}^{n}$. It can be specified by a full rank matrix $\mathbf{G}\in\mathbb{F}_{q}^{k\times n}$, called generator matrix of $\mathcal{C}$, whose rows span the code. Namely, $\mathcal{C}=\left\{\textit{{x}}\mathbf{G}\ \text{s.t.}\ \textit{{x}}\in\mathbb{F}_{q}^{k}\right\}$. A linear code can also be defined by the right kernel of matrix $\mathbf{H}\in\mathbb{F}_{q}^{r\times n}$, called parity-check matrix of $\mathcal{C}$, as follows:

The Hamming distance between two codewords is the number of positions (coordinates) where they differ. The minimal distance of a code is the minimal distance of all codewords.

The weight of a word or vector $\textit{{x}}\in\mathbb{F}_{q}^{n}$, denoted by $wt\left(\textit{{x}}\right),$ is the number of its nonzero positions. Then the minimal weight of a code $\mathcal{C}$ is the minimal weight of all nonzero codewords. In the case of linear code $\mathcal{C}$, its minimal distance is equal to the minimal weight of the code.

Below we recall some hard problems that are relevant to our discussions and analyses presented in this article.

The syndrome decoding problem was proven to be NP-complete in 1978 by Berlekamp et al. [13]. It is equivalent to the following problem.

The following problem is used in the security proof of the underlying signature that we use in this paper. It was first considered by Johansson and Jonsson in [36]. It was analyzed later by Sendrier in [57].

Faugère et al. [30] showed that Problem 4 can be solved in special cases of Goppa codes with high rate.

The following is one of the problems, which the security assumption of our scheme’s underlying signature mechanism relies on.

Problem 5 was shown to be hard in the worst case by Debris-Alazard et al. [22] since it is NP-complete. Below, we recall the subcode equivalence problem which is one of the problems on which the security assumption of our scheme is based. This problem was proven to be NP-complete in 2017 by Berger et al. [10].

The first code-based encryption was introduced in 1978 by R. McEliece [45]. Below (in Figure 1) we give the McEliece scheme Fujisaki-Okamoto transformation [16] which comprises three algorithms: key generation, encryption, and decryption.

The main drawback of the McEliece encryption scheme is its very large key size. To address this issue, many variants of McEliece’s scheme have been proposed, see for example [11, 12, 46, 47, 9, 52]. In order to reduce the size of both public and private keys in code-based cryptography, H. Niederreiter in 1986 introduced a new cryptosystem [49]. Niederreiter’s cryptosystem is a dual version of McEliece’s cryptosystem with some additional properties such that the ciphertext length is relatively smaller. Indeed, the public key in Niederreiter’s cryptosystem is a parity-check matrix instead of a generator matrix. In addition, ciphertexts are syndrome vectors instead of erroneous codewords. However, the McEliece and the Niederreiter schemes are equivalent from the security point of view due to the fact that Problems 1 and 2 are equivalent.

Designing a secure and practical code-based signature scheme is still an open problem. The first secure code-based signature scheme was introduced by Courtois et al. (CFS) [20]. It is a full domain hash (FDH) like signature with two security assumptions: the indistinguishability of random binary linear codes and the hardness of syndrome decoding problem. To address some of the drawbacks of Courtois et al.’s scheme, Dallot proposed a modified version, called mCFS, which is provably secure. Unfortunately, this scheme is not practical due to the difficulties of finding a random decodable syndrome. In addition, the assumption of the indistinguishability of random binary Goppa codes has led to the emergence of attacks as described in [30]. One of the latest code-based signature schemes of this type is called Wave [23]. It is based on generalized ($U,U+V$)-codes. It is secure and more efficient than the CFS signature scheme. In addition, it has a smaller signature size than almost all finalist candidates in the NIST post-quantum cryptography standardization process [5].

Apart from the full domain hash approach, it is possible to design signature schemes by applying the Fiat-Shamir transformation [31] to an identification protocol. To this end, one may use a code-based identification scheme like that of Stern [62], Jain et al. [35], or Cayrel et al. [18]. This approach however leads to a signature scheme with a very large signature size. To address this issue, Lyubashevsky’s framework [40] can apparently be adapted. Unfortunately, almost all code-based signature schemes in Hamming metric designed by using this framework have been cryptanalyzed [15, 54, 55, 32, 41, 60]. The only one which has remained secure so far is a rank metric-based signature scheme proposed by Aragon et al.[1].

In Figure 2, we recall Debris-Alazard et al.’s signature scheme (Wave) which is of our interest for this work. In Wave, the secret key is a tuple of three matrices $\operatorname{\mathsf{sk}}=(\mathbf{S},\mathbf{H}_{\operatorname{\mathsf{sk}}},\mathbf{P})$, where $\mathbf{S}\in\mathbb{F}_{q}^{r\times r}$ is an invertible matrix, $\mathbf{H}_{\operatorname{\mathsf{sk}}}\in\mathbb{F}_{q}^{r\times n}$ is a parity-check matrix of a generalized ($U,U+V$)-code and $\mathbf{P}\in\mathbb{F}_{2}^{n\times n}$ is a permutation matrix. The public key is a matrix $pk=\mathbf{H}_{\operatorname{\mathsf{pk}}}$, where $\mathbf{H}_{\operatorname{\mathsf{pk}}}=\mathbf{S}\mathbf{H}_{\operatorname{\mathsf{sk}}}\mathbf{P}$. Steps for signature and verification processes are given in Figure 2. For additional details, the reader is referred to [24, 23].

Signcryption: A signcryption scheme is a tuple of algorithms $\operatorname{\mathsf{SC}}$=($\operatorname{\mathsf{Setup}}$, $\operatorname{\mathsf{KeyGen}}_{s}$, $\operatorname{\mathsf{KeyGen}}_{r}$, $\operatorname{\mathsf{Signcrypt}}$, $\operatorname{\mathsf{Unsigncrypt}}$) [3] where:

1. $\ast$

   $\operatorname{\mathsf{Setup}}$($1^{\lambda}$) is the common parameter generation algorithm with $\lambda$, the security parameter,

2. $\ast$

   $\operatorname{\mathsf{KeyGen}}_{s}$(resp. $\operatorname{\mathsf{KeyGen}}_{r}$) is a key-pair generation algorithm for the sender (resp. receiver),

3. $\ast$

   $\operatorname{\mathsf{Signcrypt}}$ is the signcryption algorithm and

4. $\ast$

   $\operatorname{\mathsf{Unsigncrypt}}$ corresponds to the unsigncryption algorithm.

For more details on the design of signcryption, the reader is referred to [29] (Chap. 2, Sec. 3, p. 30).

$\operatorname{\mathsf{IND-CCA2}}$ game in signcryption tag-$\operatorname{\mathsf{KEM}}$: It corresponds to a game between a challenger and a probabilistic polynomial-time adversary $\mathcal{A}_{\operatorname{\mathsf{CCA2}}}$ such that the latter tries to distinguish whether a given session key $K$ is the one embedded in an encapsulation or not. During this game, $\mathcal{A}_{\operatorname{\mathsf{CCA2}}}$ has adaptive access to three oracles for the attacked user corresponding to algorithms $\operatorname{\mathsf{Sym}}$, $\operatorname{\mathsf{Encap}}$, and $\operatorname{\mathsf{Decap}}$ [14, 29, 65]. The game is described in Figure 3 below.

During Step 7, the adversary $\mathcal{A}_{\operatorname{\mathsf{CCA2}}}$ is restricted not to make decapsulation queries on $(E,\tau)$ to the decapsulation oracle. The advantage of the adversary $\mathcal{A}$ is defined by:

A signcryption tag-$\operatorname{\mathsf{KEM}}$ is $\operatorname{\mathsf{IND-CCA2}}$ secure if, for any adversary $\mathcal{A}$, its advantage in the $\operatorname{\mathsf{IND-CCA2}}$ game is negligible with respect to the security parameter $\lambda$.

The adversary $\mathcal{F}_{\operatorname{\mathsf{CMA}}}$ wins the $\operatorname{\mathsf{SUF-CMA}}$ game if

and the encapsulation oracle never returns $E$ when he queries on the tag $\tau$. The advantage of $\mathcal{F}_{\operatorname{\mathsf{CMA}}}$ is the probability that $\mathcal{F}_{\operatorname{\mathsf{CMA}}}$ wins the $\operatorname{\mathsf{SUF-CMA}}$ game. A signcryption tag-$\operatorname{\mathsf{KEM}}$ is $\operatorname{\mathsf{SUF-CMA}}$ secure if the winning probability of the $\operatorname{\mathsf{SUF-CMA}}$ game by $\mathcal{F}_{\operatorname{\mathsf{CMA}}}$ is negligible.

For designing our code-based signcryption tag-$\operatorname{\mathsf{KEM}}$ scheme, we use the McEliece scheme as the underlying encryption scheme. More specifically, in order to achieve the $\operatorname{\mathsf{IND-CCA2}}$ security for our schemes, we use McEliece’s scheme with the Fujisaki-Okamoto transformation [33, 16]. The authors of [16] gave an instantiation of this scheme using generalized Srivastava (GS) codes. Indeed, by using GS codes, it seems possible to choose secure parameters even for codes defined over relatively small extension fields. However, Barelli and Couvreur recently introduced an efficient structural attack [6] against some of the candidates in the NIST post-quantum cryptography standardization process. Their attack is against code-based encryption schemes using some quasi-dyadic alternant codes with extension degree $2$. It works specifically for schemes based on GS code called DAGS [4]. Therefore, in our work, we use the Goppa code with the Classic McEliece parameters. As for the underlying signature scheme, we use the code-based Wave [23] as described earlier.

The fact that we use Wave, the sender’s secret key is a generalized ($U,U+V$)-code over a finite field $\mathbb{F}_{q}$ with $q>2$. Its public key is a parity-check matrix of a code equivalent to the previous one. To reduce the public key size, we use a permuted Goppa subcode for the receiver’s public key. Thus, we include the subcode equivalence problem as one of the security assumptions of our scheme. In Fig. 5, we describe the algorithm $\operatorname{\mathsf{Setup}}$ which will provide common parameters for our scheme.

We give key generation algorithms in Figure 6, where we denote the sender key generation algorithm by $\operatorname{\mathsf{KeyGen}}_{s}$ and that of the receiver by $\operatorname{\mathsf{KeyGen}}_{r}$. The receiver algorithm $\operatorname{\mathsf{KeyGen}}_{r}$ returns as signcryption public key a generator matrix $\mathbf{G}_{\operatorname{\mathsf{pk}},r}\in\mathbb{F}_{2}^{\tilde{k}\times n_{r}}$ of a Goppa subcode equivalent. It returns as signcryption secret key the tuple ($g_{r},\Gamma_{r},\mathbf{S}_{r}^{-1},\mathbf{P}_{r}$), where $\Gamma_{r}$ and $g_{r}$ are, respectively, the support and the polynomial of a Goppa code. $\mathbf{S}_{r}\in\mathbb{F}_{2}^{\tilde{k}\times k_{r}}$ is a full rank matrix and $\mathbf{P}_{r}$ a permutation matrix. The sender key generation algorithm $\operatorname{\mathsf{KeyGen}}_{s}$ returns as private key three matrices $\mathbf{S}_{s}\in\mathbb{F}_{3}^{(n_{s}-k_{s})\times(n_{s}-k_{s})}$, $\mathbf{H}_{\operatorname{\mathsf{sk}},s}\in\mathbb{F}_{3}^{(n_{s}-k_{s})\times n_{s}}$ and $\mathbf{P}_{s}\in\mathbb{F}_{2}^{n_{s}\times n_{s}}$, where $\mathbf{S}_{s}\in\mathbb{F}_{3}^{(n_{s}-k_{s})\times(n_{s}-k_{s})}$ is an invertible matrix, $\mathbf{H}_{\operatorname{\mathsf{sk}},s}\in\mathbb{F}_{3}^{(n_{s}-k_{s})\times n_{s}}$ a parity-check matrix of a random generalized ($U,U+V$)-code and $\mathbf{P}\in\mathbb{F}_{2}^{n_{s}\times n_{s}}$ a permutation matrix. The sender public key is a parity-check matrix $\mathbf{H}_{\operatorname{\mathsf{pk}},s}\in\mathbb{F}_{3}^{(n_{s}-k_{s})\times n_{s}}$ of a generalized ($U,U+V$) equivalent code given by $\mathbf{H}_{\operatorname{\mathsf{pk}},s}=\mathbf{S}_{s}\mathbf{H}_{\operatorname{\mathsf{sk}},s}\mathbf{P}_{s}$.

In Figure 7, we give the design of the symmetric key generation algorithm $\operatorname{\mathsf{Sym}}$ of our scheme. The algorithm $\operatorname{\mathsf{Sym}}$ takes as input the bit length $\ell$ of the symmetric encryption key. It outputs an internal state information $\varpi$ and the session key $K$, where $\varpi$ is randomly chosen from $\mathbb{F}_{2}^{\ell}$, and $K$ is computed by using the hash function $\mathcal{H}_{0}$.

Figure 8 provides a description of the encapsulation and decapsulation algorithms of our signcryption tag-$\operatorname{\mathsf{KEM}}$ scheme. We denote the encapsulation algorithm by $\operatorname{\mathsf{Encap}}$ and the decapsulation by $\operatorname{\mathsf{Decap}}$. In the encapsulation algorithm, the sender first performs a particular Wave signature on the message $\textit{{m}}=\tau\|\varpi$, where $\varpi$ corresponds to an internal state information and $\tau$ is the input tag. The signature in the Wave scheme comprises two parts: an error vector $\textit{{e}}\in\mathbb{F}_{3}^{n_{s}}$ and a random binary vector y. In our scheme, z is the hash of a random coin $\textit{{y}}\in\mathbb{F}_{2}^{\kappa}$. The sender then performs an encryption of $\textit{{m}}^{\prime}=\mathcal{H}_{1}(\tau)\|\varpi$. The encryption that we use in our scheme is the $\operatorname{\mathsf{IND-CCA2}}$ secure McEliece encryption scheme with the Fujisaki-Okamoto transformation introduced by Cayrel et al. [16]. During the encryption, the sender adaptively uses the random binary vector y as a random coin. The resulting ciphertext is denoted by c. The output is given by $E=(\textit{{e}},\textit{{c}})$.

In the decapsulation algorithm $\operatorname{\mathsf{Decap}}$, the receiver first performs recovery of the internal state information $\varpi$ by using the algorithm $\operatorname{\mathsf{Decrypt}}$ and the second part of the signature of m. Then it verifies the signature and computes the session $K$ by using $\varpi$.

The algorithm $\operatorname{\mathsf{Decrypt}}$ that we use in the decapsulation algorithm of our scheme is described in Figure 9. It is similar to that described in [16] but we introduce some modifications which are:

1. •

   we use an encoding function $\phi$

2. •

   the output is not only the clear message m, but a pair ($\textit{{m}},\textit{{y}}$) where y is the reciprocal image the error vector $\sigma$ by the encoding function $\phi$

Here we use the signcryption tag-$\operatorname{\mathsf{KEM}}$ described in Section 4.1 for designing a code-based hybrid signcryption. For the data encapsulation, we propose the use of a regular OT-secure symmetric encryption scheme. We denote the symmetric encryption algorithm being used by $\operatorname{\mathsf{SymEncrypt}}$ and the symmetric decryption algorithm by $\operatorname{\mathsf{SymDecrypt}}$.

Figure 10 gives the design of our code-based hybrid signcryption tag-$\operatorname{\mathsf{KEM}}$+$\operatorname{\mathsf{DEM}}$. In this design, algorithms $\operatorname{\mathsf{Setup}}$, $\operatorname{\mathsf{KeyGen}}_{s}$ and $\operatorname{\mathsf{KeyGen}}_{r}$ are the same as those of our signcrytion tag-$\operatorname{\mathsf{KEM}}$. Algorithms $\operatorname{\mathsf{Sym}}$ and $\operatorname{\mathsf{Encap}}$ are those of our signcryption tag-$\operatorname{\mathsf{KEM}}$ in Section 4.1.

In code-based cryptography, the best-known non-structural attacks rely on information-set decoding. The information-set decoding algorithm was introduced by Prange [56] for decoding cyclic codes. After the publication of Prange’s work, there have been several works studying to invert code-based encryption schemes based on information-set decoding (see [2] Section 4.1).

For a given linear code of length $n$ and dimension $k$, the main idea behind the information-set decoding algorithm is to find a set of $k$ coordinates of a garbled vector that are error-free and such that the restriction of the code’s generator matrix to these positions is invertible. Then, the original message can be computed by multiplying the encrypted vector by the inverse of the submatrix.

Thus, those $k$ bits determine the codeword uniquely, and hence the set is called an information set. It is sometimes difficult to draw the exact resistance to this type of attack. However, they are always lower-bounded by the ratio of information sets without errors to total possible information sets, i.e.,

where $\omega$ is the Hamming weight of the error vector. Therefore, well-chosen parameters can avoid these non-structural attacks. In our scheme, we use the parameters of the Wave signature [23] for the sender and those of Classic McEliece [2] for the receiver in the underlying encryption scheme.

In code-based cryptography, usually, the first step in the key recovering attack is to perform a distinguishing attack on the public code in order to identify the family of the underlying code. Once successful, the attacker can then perform any well-known attack against this family of underlying codes to recover the secret key. When the underlying code is a Goppa code, the main distinguishing attack technique consists of evaluating the square code or the square of the trace code of the corresponding public code [30, 44, 48]. Note that this technique usually works for a Goppa code with a high rate. Compared to many other code-based encryption schemes, in which the public code is equivalent to an alternant or a Goppa code, in this work the public code is a permuted Goppa subcode. Thus, in addition to the indistinguishability of Goppa codes, the subcode equivalence problem becomes one of our security assumptions. Moreover, to the best of our knowledge, there is no attack reported in the literature on distinguishing a code equivalent to a Goppa subcode. Therefore, by using the subcode equivalence problem as a security assumption, we can keep our scheme out of the purview of the distinguishing attack even though the underlying code is a Goppa code.

Throughout the rest of our analysis, we assume that the attacker knows that the family of the underlying code is a Goppa code. In our case, the key recovery attack is at two different levels: the first one is on the sender side, and the second one is on the receiver side.

On the receiver side, the key recovery attack consists of the recovery of the Goppa polynomial $g_{r}$ and the support $\gamma_{r}=(\alpha_{0},...,\alpha_{n-1})$ from the public matrix. Therefore, the natural way for this is to perform a brute-force attack: one can determine the sequence $(\alpha_{0},...,\alpha_{n-1})$ from $g_{r}$ and the set $\{\alpha_{0},...,\alpha_{n-1}\}$, or alternatively determine $g_{r}$ from $(\alpha_{0},...,\alpha_{n-1})$. A good choice of parameters can avoid this attack for the irreducible Goppa code the number of choices of $g_{r}$ is given by

By using the parameters of Classic McEliece, we can see that the complexity for performing a brute-force attack to find Goppa polynomial is more than $2^{800}$ for the parameters proposed in [2].

It is also important to note that if the adversary has the knowledge of the underlying Goppa code $\mathcal{C}_{\operatorname{\mathsf{sk}}}$, performing the key recovery attack implies solving a computational instance of a subcode equivalence problem. Indeed, this corresponds to finding the permutation $\sigma$ such that $\sigma(\mathcal{C}_{\operatorname{\mathsf{pk}}})$ is a subcode of $\mathcal{C}_{\operatorname{\mathsf{sk}}}$. We can see that finding the permutation $\sigma$ is equivalent to solving the following system:

where $\mathbf{H}_{\operatorname{\mathsf{sk}},r}$ is a parity-check matrix of the underlying Goppa code $\mathcal{C}_{\operatorname{\mathsf{sk}},r}$, $\mathbf{G}_{\operatorname{\mathsf{sk}},r}$ is the generator matrix of the public code $\mathcal{C}_{\operatorname{\mathsf{pk}}}$ and $\mathbf{X}_{\sigma}=(x_{i,j})$ is the matrix of the unknown permutation $\sigma$. Note that solving (2) is equivalent to solving a variant of permuted kernel problem [37]. A natural way to solve (2) is to use the brute force attack and such an attack is of order $\mathcal{O}(n!)$. However, the adversary could use Georgiades’ technique [34] where its complexity is given in our case by

Recently Paiva and Terada introduced in [51] a new technique for solving (2). The workfactor of their attack applied to our scheme is given by:

From (3) and (4), we can see that a well-chosen set of parameters can avoid the attack of Georgiades as well as that of Paiva and Terada.

In the case of the sender, the key recovery attack consists of first solving the ($U,U+V$) distinguishing problem for finite fields of cardinality $q=3$. Therefore under Assumption 3 and with a well-chosen set of parameters, this attack would fail.

In code-based cryptography, the main approach to a chosen-ciphertext attack against the McEliece encryption scheme consists of adding two errors to the received word. If the decryption succeeds, it means that the error vector in the resulting word has the same weight as the previous one. In our signcryption tag-$\operatorname{\mathsf{KEM}}$ scheme, this implies either recovering the session key $K$ or distinguishing encapsulation of two different session keys from $(\textit{{e}},\textit{{c}},\tau)$. We see that the recovery of the session key $K$ corresponds to the recovery of plaintext in a $\operatorname{\mathsf{IND-CCA2}}$ secure version of McEliece’s cryptosystem (see [16] Subsection 3.2). We now have the following theorem: