Reference Work Entry

Encyclopedia of Cryptography and Security

pp 342-343

Digital Signature Scheme Based on McEliece

  • Matthieu FiniaszAffiliated withENSTA
  • , Nicolas SendrierAffiliated withProject-Team SECRET, INRIA Paris-Rocquencourt

Related Concepts

Digital Signature; McEliece Public Key Cryptosystem; Niederreiter Encryption Scheme

Definition

In the CFS scheme [1], the digital signature is obtained by applying the decoding procedure of some public error correcting code on a digest of the message to be signed, obtained by a cryptographic hash function. Only the legal user, who knows the hidden algebraic structure of the code, can produce the signature, while anyone can check that the signature is a valid answer to the decoding problem.

Theory

The construction for the McEliece-based signature scheme was proposed by Courtois, Finiasz, and Sendrier in 2001 [1]. Despite its name, this construction is based on Niederreiter’s encryption scheme rather than the original McEliece cryptosystem. It was the first practical code-based digital signature scheme with a security reduction to the Syndrome Decoding Problem.

General Idea

The public key is a binary r ×n matrix H, which is an arbitrary parity check matrix of some t-error correcting irreducible binary Goppa code. In the Niederreiter encryption scheme, the cleartext is a word e of length n and Hamming weight t and the ciphertext is the syndrome s = eH T of e. In the signature scheme, the message to be signed is hashed into a digest, a binary word s of length r. The signature will be an error pattern e of minimal Hamming weight such that eH T = s. The verification will consist in checking that the error pattern e multiplied by the (transpose of the) public key H T is equal to the digest s of the message.

The main difficulty in designing digital signature schemes based on this principle comes from the fact that a random binary string s of length r is unlikely to be a valid cryptogram. In pratice, the minimal weight of an error pattern e such that eH T = s will be larger than t and the (secret) algebraic decoding procedure will fail.

Two (similar) solutions exist to work around this problem.

Signature Scheme Using Complete Decoding

In order to be able to sign any given message, one should be able to decode any syndrome. However, this requires being able to decode error patterns of weight larger than t. An error of weight up to t + δ can be decoded by using an exhaustive search on the δ additional positions in the following way:
  1. 1.

    Compute the digest s of the message.

     
  2. 2.

    Randomly select a word e δ of weight δ and compute the new syndrome s′ = e δ H T s.

     
  3. 3.

    Try to decode s′ with the t-error correcting algorithm to obtain e t .

     
  4. 4.

    If the decoding succeeds, the signature is the error pattern \({e}_{t} \oplus {e}_{\delta }\) of weight t + δ, otherwise, go back to step 2.

     

If δ is well chosen, any syndrome can be decoded and any message can be signed. Verification of the signature requires to compute the syndrome \(({e}_{t} \oplus {e}_{\delta }){H}^{T}\) and check that it is equal to the digest s of the document.

Signature Scheme Using a Counter

Instead of trying to decode any syndrome, one can also try to obtain a decodable syndrome from the hash function. This can be done by appending a counter to the message in the following way:
  1. 1.

    Initialize a counter i to 0.

     
  2. 2.

    Append the counter i to the message to obtain a digest s i .

     
  3. 3.

    Try to decode s i with the t-error correcting algorithm to obtain e.

     
  4. 4.

    If the decoding succeeds, the signature is composed of the error pattern e and the value i of the counter, otherwise, increment i and go back to step 2.

     

Here, the verification of the signature consists in checking that the digest s i of the message with the counter i appended is equal to the syndrome eH T .

Security and Practice

In both schemes (complete decoding or counter), the expected number of decoding attempts is t! , where t is the error-correcting capability of the Goppa code. This practically limits the value of t to 9 or 10. Using small values of t will imply code of very large length (in [1] the length is n = 216 and the error weight is t = 9). As a consequence, the public key will have a large size and the production of a signature will be time consuming. On the bright side, the signatures are very short and the verification is fast (in practice negligible compared with the computation of the message hash).
Digital Signature Scheme Based on McEliece. Table 1

The CFS signature scheme (counter version) for various parameters

 

(m,  t)

(16, 9)

(21, 10)

(22, 9)

 

Public key size (in bits)

tm2 m

223. 2

228. 7

229. 6

 

Securitya (binary ops)

263. 3

281. 5

281. 5

 

Signature costa (binary ops)

t 2 m 2 t!

232. 8

237. 2

233. 7

 

Signature length (in bits)

tm

144

210

198

 

Verification costb (binary ops)

t 2 m

1296

2100

1782

 

The secret Goppa code has length n = 2 m and corrects terrors{ a}lowerbound for the cost of the best known attack [4] { b}thiscomes in addition to the computation of the digest

Security

As for the McEliece cryptosystem, there are two types of attacks either by recovering the secret key from the public key or by solving an instance of the Syndrome Decoding problem. And as for the McEliece system, the most threatening attacks are decoding attacks.

The best known attack is unpublished and is attributed to Daniel Bleichenbacher. It is a “one out of many” variant of the generalized birthday attack [2] for decoding [3]. It reduces the asymptotic security of the signature scheme from \({2}^{\frac{r} {2} (1+o(1))}\) to \({2}^{\frac{r} {3} (1+o(1))}\) and requires an increase of the parameters (see [4] for a detailed analysis).

Signature Size

One of the strongest features of this signature scheme is the small size of the signatures. The signature is an error pattern (and possibly a counter) which is very sparse and can be stored very compactly. Also, the structure of the signature makes it possible to reduce its size further more. For the original \((n = {2}^{16},\ t = 9)\) parameters it could be reduced to 81 bits at the cost of a slower verification (see [1]), making them the shortest known digital signatures at the time. With a similar construction, parameters \((n = {2}^{21},\ t = 10)\) and \((n = {2}^{22},\ t = 9)\) yield, respectively, signatures of 126 and 115 bits.

Copyright information

© Springer Science+Business Media, LLC 2011
Show all