Related Concepts
Digital Signature; McEliece Public Key Cryptosystem; Niederreiter Encryption Scheme
Definition
In the CFS scheme [1], the digital signature is obtained by applying the decoding procedure of some public error correcting code on a digest of the message to be signed, obtained by a cryptographic hash function. Only the legal user, who knows the hidden algebraic structure of the code, can produce the signature, while anyone can check that the signature is a valid answer to the decoding problem.
Theory
The construction for the McEliece-based signature scheme was proposed by Courtois, Finiasz, and Sendrier in 2001 [1]. Despite its name, this construction is based on Niederreiter’s encryption scheme rather than the original McEliece cryptosystem. It was the first practical code-based digital signature scheme with a security reduction to the Syndrome Decoding Problem.
General Idea
The public key is a binary r ×n matrix H, which is an arbitrary parity check matrix of some t-error correcting irreducible binary Goppa code. In the Niederreiter encryption scheme, the cleartext is a word e of length n and Hamming weight t and the ciphertext is the syndrome s = eH ^{ T } of e. In the signature scheme, the message to be signed is hashed into a digest, a binary word s of length r. The signature will be an error pattern e of minimal Hamming weight such that eH ^{ T } = s. The verification will consist in checking that the error pattern e multiplied by the (transpose of the) public key H ^{ T } is equal to the digest s of the message.
The main difficulty in designing digital signature schemes based on this principle comes from the fact that a random binary string s of length r is unlikely to be a valid cryptogram. In pratice, the minimal weight of an error pattern e such that eH ^{ T } = s will be larger than t and the (secret) algebraic decoding procedure will fail.
Two (similar) solutions exist to work around this problem.
Signature Scheme Using Complete Decoding
- 1.
Compute the digest s of the message.
- 2.
Randomly select a word e _{ δ } of weight δ and compute the new syndrome s′ = e _{ δ } H ^{ T } ⊕ s.
- 3.
Try to decode s′ with the t-error correcting algorithm to obtain e _{ t }.
- 4.
If the decoding succeeds, the signature is the error pattern \({e}_{t} \oplus {e}_{\delta }\) of weight t + δ, otherwise, go back to step 2.
If δ is well chosen, any syndrome can be decoded and any message can be signed. Verification of the signature requires to compute the syndrome \(({e}_{t} \oplus {e}_{\delta }){H}^{T}\) and check that it is equal to the digest s of the document.
Signature Scheme Using a Counter
- 1.
Initialize a counter i to 0.
- 2.
Append the counter i to the message to obtain a digest s _{ i }.
- 3.
Try to decode s _{ i } with the t-error correcting algorithm to obtain e.
- 4.
If the decoding succeeds, the signature is composed of the error pattern e and the value i of the counter, otherwise, increment i and go back to step 2.
Here, the verification of the signature consists in checking that the digest s _{ i } of the message with the counter i appended is equal to the syndrome eH ^{ T }.
Security and Practice
The CFS signature scheme (counter version) for various parameters
(m, t) |
(16, 9) |
(21, 10) |
(22, 9) | ||
---|---|---|---|---|---|
Public key size (in bits) |
tm2^{ m } |
2^{23. 2} |
2^{28. 7} |
2^{29. 6} | |
Security^{a} (binary ops) |
– |
2^{63. 3} |
2^{81. 5} |
2^{81. 5} | |
Signature cost^{a} (binary ops) |
t ^{2} m ^{2} t! |
2^{32. 8} |
2^{37. 2} |
2^{33. 7} | |
Signature length (in bits) |
tm |
144 |
210 |
198 | |
Verification cost^{b} (binary ops) |
t ^{2} m |
1296 |
2100 |
1782 |
Security
As for the McEliece cryptosystem, there are two types of attacks either by recovering the secret key from the public key or by solving an instance of the Syndrome Decoding problem. And as for the McEliece system, the most threatening attacks are decoding attacks.
The best known attack is unpublished and is attributed to Daniel Bleichenbacher. It is a “one out of many” variant of the generalized birthday attack [2] for decoding [3]. It reduces the asymptotic security of the signature scheme from \({2}^{\frac{r} {2} (1+o(1))}\) to \({2}^{\frac{r} {3} (1+o(1))}\) and requires an increase of the parameters (see [4] for a detailed analysis).
Signature Size
One of the strongest features of this signature scheme is the small size of the signatures. The signature is an error pattern (and possibly a counter) which is very sparse and can be stored very compactly. Also, the structure of the signature makes it possible to reduce its size further more. For the original \((n = {2}^{16},\ t = 9)\) parameters it could be reduced to 81 bits at the cost of a slower verification (see [1]), making them the shortest known digital signatures at the time. With a similar construction, parameters \((n = {2}^{21},\ t = 10)\) and \((n = {2}^{22},\ t = 9)\) yield, respectively, signatures of 126 and 115 bits.