How to Achieve a McEliece-Based Digital Signature Scheme
McEliece is one of the oldest known public key cryptosystems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow practical digital signatures. In the present paper we disprove this belief and show a way to build a practical signature scheme based on coding theory. Its security can be reduced in the random oracle model to the well-known syndrome decoding problem and the distinguishability of permuted binary Goppa codes from a random code. For example we propose a scheme with signatures of 81-bits and a binary security workfactor of 2^83.
Keywords: digital signature, McEliece cryptosystem, Niederreiter cryptosystem, Goppa codes, syndrome decoding, short signatures