ECC2: Error correcting code and elliptic curve based cryptosystem
Introduction
Since the introduction of public key cryptography in 1976 [10], many cryptosystems have been proposed. Most of the commonly used public key cryptosystems are based on the hardness of factoring or the presumed intractability of the discrete logarithm problem. However, with the discovery of Shor's algorithm [43] and the rapid development of quantum computers, these problems, together with many other problems thought to be difficult for current electronic computers, may no longer be hard. Thus, how to build cryptosystems that can resist attacks from quantum computers, i.e. post-quantum cryptosystems, has become a main concern of the research community. Up to now, code-based, lattice-based, multivariate and hash-based cryptography are the most commonly known types of post-quantum cryptography. As far as we know, the original McEliece encryption system is a very strong candidate for future post-quantum standards for public-key encryption.
The code-based McEliece encryption system [27] has resisted 40 years of cryptanalysis since its invention in 1978. Its security relies on the hardness of decoding a random linear code, and it is one of the best known post-quantum cryptosystems. In 1986, Niederreiter [34] presented a variant of the McEliece encryption system. Their works induced a significant amount of research on the construction and cryptanalysis of code-based encryption systems, such as [3], [6], [13], [15], [32], [41].
Hard problems are the most important basis for constructing public-key encryption systems. There are many hard problems in coding theory, including the general decoding problem, the syndrome decoding problem, finding the minimum distance of a code, finding a minimum weight codeword, and so on. Berlekamp et al. [4] showed that the problems of general decoding and of finding a minimum weight codeword for linear codes are both NP-complete. Vardy [47] proved that computing the minimum distance of a binary linear code is NP-hard, and that the corresponding decision problem is NP-complete. In addition, Guruswami and Sudan [19] demonstrated that maximum likelihood decoding is NP-hard for the family of Reed-Solomon (RS) codes. More recently, Cheng [7] showed that for elliptic codes the minimum distance problem and the maximum likelihood decoding problem are both NP-hard. These hard problems in coding theory provide abundant material for constructing code-based cryptosystems.
Code-based cryptosystems have several advantages over other post-quantum cryptosystems. For example, both encryption and decryption are very fast, and the best known attacks are exponential in the length of the code. However, the large key size required to reach a good security level prevents code-based cryptosystems from wide application.
Some code-based cryptosystems are constructed using algebraic geometry (AG) codes. AG codes were proposed by Goppa [16] in 1977 and were introduced into cryptography in 1996 by Janwa and Moreno [23]. The original motivation for using AG codes was to decrease the very large key size of McEliece cryptosystems. Meanwhile, AG codes not only contain the Goppa codes as a subclass but also give designers many more choices of the field, the curve, and the divisors generating the codes. Moreover, AG codes can be described by their divisors rather than by a generator matrix, which can decrease the storage space required for the designed cryptosystems.
Unfortunately, the special structure of AG codes is also a drawback, and it has led to many attacks against cryptosystems based on AG codes. In 1992, Sidelnikov and Shestakov [44] discovered a deterministic polynomial time structural attack against Niederreiter's proposal using RS codes, i.e. AG codes with genus . In 2007, Minder [30] claimed that cryptosystems using codes defined on elliptic curves with genus are insecure. He and Faure [14] then generalized the work of [30] to hyperelliptic curves with . Their works imply that all cryptosystems based on codes defined on curves with genus g ≤ 2 using the techniques of [23], [27], [34] are not secure. However, their attacks need to find the minimum weight codewords of the given code as a first step, which is considered a hard problem [7] if the code is not a maximum distance separable code. In 2014, Márquez-Corbella et al. proved that the structure of the curve can be recovered from the knowledge of a generator matrix of the code alone [25], [26], but the corresponding decoding algorithm was lacking. Recently, Pellikaan et al. [9] proposed a decoding attack using the Error-Correcting-Pair (ECP) decoding algorithm, based on their previous work [8], [21], [37]. Their attack is efficient on codes from curves of arbitrary genus. These attacks warn us that AG codes may not be a good choice for constructing cryptosystems.
After investigating the attacks mentioned above, we find that, except for Minder's attack, all of them take effect only under the assumption that no more than errors occur, where d denotes the minimum distance of the code. This may arise from the fact that most decoding algorithms used in building cryptosystems are unique decoding algorithms, whose error correcting bound is less than . Guruswami and Sudan [17], [18] proposed a list decoding algorithm for both RS codes and AG codes which can correct more than errors in polynomial time. At the same time, we noticed that the Information Set Decoding (ISD) algorithm, which inspired nearly all general decoding algorithms, has a complexity bound tightly connected with the weight of the errors [33]. When it comes to Minder's attack, the key step is to find the minimum weight codewords of the underlying code. This relies on the assumption that minimum weight codewords can be sampled easily and that the set of evaluation points is large enough. Thus, as long as we choose suitable parameters, especially the weights of the error vectors chosen in the encryption process, we can build a secure elliptic code based cryptosystem.
Our contributions: We reconsider the construction of secure encryption systems based on algebraic geometry codes with compact key size. We present such an encryption system using elliptic codes. Firstly, we construct elliptic codes whose minimum weight codewords are hard to sample. Afterwards, we build a variant of the McEliece encryption system, ECC2, on top of this code. Then we prove that our encryption system ECC2 is IND-CPA secure, and our implementation shows that it performs well in key size and ciphertext expansion rate.
Organization: The rest of the paper is organized as follows. In Section 2, we review some preliminaries that will be used later. In Section 3, we present our cryptosystem based on elliptic codes. In Section 4, we analyse the security of our system and give a rigorous security proof. In Section 5, we implement the cryptosystem and analyse its efficiency. Finally, Section 6 concludes the paper.
Preliminaries
In this section, we present some notions of coding theory and basic knowledge about code-based cryptography that are prerequisite for the following sections.
A new elliptic code based cryptosystem
In this section, we present our cryptosystem based on elliptic codes and the McEliece encryption system. At the beginning, we show an algorithm for generating elliptic codes, which is used as a subroutine in the construction of our new cryptosystem. Next, we build a basic encryption scheme. Then we convert it to a more efficient scheme using a key-encapsulation mechanism. Subsequently, we show how to transform the basic scheme into the dual Niederreiter version.
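As an added illustration (not code from the paper), the following Python builds the simplest elliptic code C_L(D, mO): it takes a constructed toy curve over F_11, evaluates a basis of the Riemann-Roch space L(mO) at all affine points, and checks by brute force that the resulting code has dimension k = m and minimum distance between the Goppa bound n - m and the Singleton bound n - m + 1. The curve, the field and the parameter m are assumptions chosen to keep the exhaustive search small.

```python
"""Construct an elliptic code C_L(D, mO) over F_p and check its minimum
distance against the Goppa bound d >= n - m by exhaustive search."""
from itertools import product

P = 11        # constructed toy field F_11 (assumption: small enough for brute force)
A, B = 1, 6   # constructed toy curve y^2 = x^3 + x + 6 over F_11 (nonsingular)

def affine_points(p=P, a=A, b=B):
    """All affine points of y^2 = x^3 + a*x + b over F_p; the point O at infinity
    is excluded so that D = sum of these points is disjoint from mO."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]

def riemann_roch_basis(m):
    """Basis of L(mO) as exponent pairs (i, j) for x^i * y^j with j in {0, 1}.
    On an elliptic curve x has a double pole and y a triple pole at O, so the
    pole order of x^i y^j is 2i + 3j; by Riemann-Roch, dim L(mO) = m for m >= 1."""
    return [(i, j) for j in (0, 1) for i in range(m + 1) if 2 * i + 3 * j <= m]

def generator_matrix(points, m, p=P):
    """Evaluate each basis function at every point: k rows (functions), n columns."""
    return [[pow(x, i, p) * pow(y, j, p) % p for (x, y) in points]
            for (i, j) in riemann_roch_basis(m)]

def min_distance(G, p=P):
    """Minimum Hamming weight over all p^k - 1 nonzero codewords (small codes only)."""
    k, n = len(G), len(G[0])
    best = n
    for coeffs in product(range(p), repeat=k):
        if not any(coeffs):
            continue
        word = [sum(c * G[r][col] for r, c in enumerate(coeffs)) % p for col in range(n)]
        best = min(best, sum(1 for s in word if s))
    return best

def unique_decoding_radius(d):
    """Largest error weight a unique decoder corrects; list decoding goes beyond it."""
    return (d - 1) // 2

def elliptic_code(m, p=P):
    """Return (n, k, d) for the code evaluating L(mO) at all affine points."""
    pts = affine_points(p)
    G = generator_matrix(pts, m, p)
    return len(pts), len(G), min_distance(G, p)

if __name__ == "__main__":
    n, k, d = elliptic_code(4)
    print(f"n={n} k={k} d={d} (Goppa bound {n - 4}); "
          f"unique-decoding radius {unique_decoding_radius(d)}")
```

For m = 4 the code has d = 8 because (x - 2)(x - 3) lies in L(4O) and vanishes at exactly the four points with x = 2 or x = 3, so the Goppa bound is met with equality here.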
Security analysis
In this section, we first prove that our basic encryption system ECC2 is IND-CPA secure. The security of the KEM/DEM version follows from the transformation described in [20]. Then we analyse why our scheme can resist the known attacks. The two most important types of attacks against code-based cryptosystems are decoding attacks and structural attacks. Decoding attacks are used to decrypt a given ciphertext, while structural attacks exploit structural weaknesses in the construction and then attempt to
Choice of parameters
In the following tables we use the notation:
1^λ: the security level;
q: the prime used to generate the finite field;
n: the length of the code;
k: the dimension of the code;
t0: the basic weight of the error vector;
t1: the added weight of the error vector;
t: the total weight of the error vector, which can be decoded by a list decoding algorithm.
We give our suggested parameters in Table 1.
As we mentioned before, Guruswami-Sudan list decoding algorithm needs to calculate the pole basis, the zero basis, and
Conclusion
We construct a public-key encryption system ECC2 based on elliptic codes, which resists all attacks against AG codes known to us. The special structure of elliptic codes helps us to decrease the size of the secret key. Minder's attack is built on several assumptions, such as that minimum weight codewords can be efficiently sampled and that the set of evaluation points is large enough. In the design of ECC2, we use a construction of elliptic codes that makes all of the assumptions above invalid
CRediT authorship contribution statement
Fangguo Zhang: Conceptualization, Methodology, Formal analysis, Writing - review & editing. Zhuoran Zhang: Investigation, Formal analysis, Writing - original draft, Writing - review & editing. Peidong Guan: Software, Validation, Data curation, Investigation.
Declaration of Competing Interest
None.
Acknowledgements
This work is supported by the National Key R&D Program of China (2017YFB0802500) and the National Natural Science Foundation of China (No.61672550, No.61972429) and the Major Program of Guangdong Basic and Applied Research (2019B030302008).
References
- et al. On the unique representation of very strong algebraic geometry codes. Des. Codes Cryptogr. (2014)
- On the efficient decoding of algebraic-geometric codes. Eurocode (1992)
- Information-set decoding for linear codes over Fq. PQC, LNCS, vol. 6061 (2010)
- et al. Efficient root-finding algorithm with application to list decoding of algebraic-geometric codes. IEEE Trans. Inf. Theory (2001)
- et al. NTS-KEM. NIST Submission (2017)
- et al. The decoding of algebraic geometry codes. Advances in Algebraic Geometry Codes (2009)
- et al. Reducing key length of the McEliece cryptosystem. AFRICACRYPT 2009 (2009)
- et al. On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory (1978)
- et al. Attacking and defending the McEliece cryptosystem. PQC 2008 (2008)
- On the security of some cryptosystems based on error-correcting codes. EUROCRYPT (1994)
- Hard problems of algebraic geometry codes. IEEE Trans. Inf. Theory
- A polynomial time attack against algebraic geometry code based public key cryptosystems. ISIT 2014
- Cryptanalysis of McEliece cryptosystem based on algebraic geometry codes and their subcodes. IEEE Trans. Inf. Theory
- New directions in cryptography. IEEE Trans. Inf. Theory
- List decoding for noisy channels. 1957 IRE WESCON Convention Record
- Algebraic cryptanalysis of McEliece variants with compact keys. EUROCRYPT 2010
- Cryptanalysis of the McEliece cryptosystem over hyperelliptic codes. The 11th International Workshop on Algebraic and Combinatorial Coding Theory
- Shorter keys for code based cryptography. WCC’
- Codes associated with divisors. Problems of Information Transmission
- Improved decoding of Reed-Solomon and algebraic-geometry codes. IEEE Trans. Inf. Theory
- On representations of algebraic-geometric codes for list decoding. Eur. Symp. Algorithms
- Maximum-likelihood decoding of Reed-Solomon codes is NP-hard. IEEE Trans. Inf. Theory
- A modular analysis of the Fujisaki-Okamoto transformation. TCC 2017