Information Sciences

Volume 526, July 2020, Pages 301-320
ECC2: Error correcting code and elliptic curve based cryptosystem

https://doi.org/10.1016/j.ins.2020.03.069

Highlights

  • We reconsider the use of algebraic geometry codes in cryptography.

  • List decoding algorithms are applied to obtain smaller key sizes.

  • An algorithm to generate secure elliptic codes that resist the known structural attacks is presented.

  • An IND-CPA variant of post-quantum McEliece cryptosystem is proposed.

Abstract

Code-based cryptography has attracted wide attention as one of the main candidates for post-quantum cryptography, since it resists attacks on cryptosystems from quantum computation. However, its large key size is a drawback that has prevented wide practical deployment, although both encryption and decryption are fast. The use of algebraic geometry codes is considered a good way to reduce the key size, but the special structure of algebraic geometry codes has led to many attacks, including Minder's attack. To cope with both the large key size and the attacks that exploit the structure of algebraic geometry codes, we propose a code-based encryption system using elliptic codes. The special structure of elliptic codes lets us effectively reduce the size of the secret key. By choosing the rational points carefully, we build elliptic codes whose minimum weight codewords are hard to sample; such codes are used to construct encryption systems that resist Minder's attack. More importantly, we apply a list decoding algorithm in the decryption process, so that more errors than half the minimum distance of the code can be corrected, which is the key point in resisting the other known attacks on algebraic geometry code based cryptosystems. Our implementation shows that the proposed encryption system performs well in key size and ciphertext expansion rate.

Introduction

Since the introduction of public key cryptography in 1976 [10], many cryptosystems have been proposed. Most of the commonly used public key cryptosystems are based on the hardness of factoring or the presumed intractability of the discrete logarithm problem. However, with the discovery of Shor's algorithm [43] and the rapid development of quantum computers, these problems, together with many other problems thought to be hard for classical computers, may no longer be hard. Thus, how to build cryptosystems that resist attacks by quantum computers, i.e. post-quantum cryptosystems, has become a main concern of the research community. Code-based, lattice-based, multivariate and hash-based cryptography are currently the best known types of post-quantum cryptography. As far as we know, the original McEliece encryption system is a very strong candidate for future post-quantum public-key encryption standards.

The code-based McEliece encryption system [27] has resisted 40 years of cryptanalysis since its invention in 1978. Its security relies on the hardness of decoding a random linear code, and it is one of the best known post-quantum cryptosystems. In 1986, Niederreiter [34] presented a variant of the McEliece encryption system. Their work has induced a significant amount of research on the construction and cryptanalysis of code-based encryption systems, such as [3], [6], [13], [15], [32], [41].

Hard problems are the most important basis for constructing public-key encryption systems. There are many hard problems in coding theory, including the general decoding problem, the syndrome decoding problem, finding the minimum distance of a code, finding a minimum weight codeword, and so on. Berlekamp et al. [4] showed that general decoding and finding a minimum weight codeword of a linear code are both NP-complete. Vardy [47] proved that computing the minimum distance of a binary linear code is NP-hard and that the corresponding decision problem is NP-complete. Guruswami and Vardy [19] showed that maximum likelihood decoding is NP-hard for the family of Reed-Solomon (RS) codes. More recently, Cheng [7] showed that for elliptic codes both the minimum distance problem and the maximum likelihood decoding problem are NP-hard. These hard problems in coding theory provide abundant material for constructing code-based cryptosystems.

Code-based cryptosystems have several advantages over other post-quantum cryptosystems: encryption and decryption are very fast, and the best known attacks are exponential in the length of the code. However, the large key size required to reach a good security level prevents code-based cryptosystems from wide application.

Some code-based cryptosystems are constructed from algebraic geometry (AG) codes. AG codes were proposed by Goppa [16] in 1977 and were introduced into cryptography in 1996 by Janwa and Moreno [23]. The original motivation for using AG codes was to decrease the very large key size of the McEliece cryptosystem. AG codes not only contain Goppa codes as a subclass but also give designers many more choices of the field, the curve and the divisors generating the code. Moreover, an AG code can be specified by its divisors rather than by a generator matrix, which reduces the storage required by the designed cryptosystem.

Unfortunately, the special structure of AG codes is also a drawback, and it has led to many attacks on cryptosystems based on AG codes. In 1992, Sidelnikov and Shestakov [44] found a deterministic polynomial time structural attack on Niederreiter's proposal using RS codes, i.e. AG codes of genus g = 0. In 2007, Minder [30] showed that cryptosystems using codes defined on elliptic curves (genus g = 1) are insecure, and Faure and Minder [14] then generalized the work of [30] to hyperelliptic curves of genus g = 2. Their work implies that all cryptosystems based on codes from curves of genus g ≤ 2 using the techniques of [23], [27], [34] are insecure. However, the first step of their attacks is to find minimum weight codewords in the given code, which is considered a hard problem [7] if the code is not maximum distance separable. In 2014, Márquez-Corbella et al. proved that the structure of the curve can be recovered from the knowledge of a generator matrix of the code alone [25], [26], but a corresponding decoding algorithm was lacking. Recently, Couvreur et al. [9] proposed a decoding attack using error-correcting pairs (ECP), based on their previous work [8], [21], [37]; their attack is efficient on codes from curves of arbitrary genus. These attacks warn us that AG codes may not be a good choice for constructing cryptosystems.

Looking at the attacks mentioned above, we find that, except for Minder's attack, all of them work only under the assumption that no more than ⌊(d−1)/2⌋ errors occur, where d denotes the minimum distance of the code. This stems from the fact that most decoding algorithms used in building cryptosystems are unique decoding algorithms, whose error correcting capability is at most ⌊(d−1)/2⌋. Guruswami and Sudan [17], [18] proposed a list decoding algorithm for both RS codes and AG codes that corrects more than ⌊(d−1)/2⌋ errors in polynomial time. At the same time, we note that the information set decoding (ISD) algorithm, which inspired nearly all general decoding algorithms, has a complexity bound that depends tightly on the weight of the error vector [33]. As for Minder's attack, its key step is to find minimum weight codewords in the underlying code, which relies on the assumptions that minimum weight codewords can be sampled easily and that the set of evaluation points is large enough. Thus, as long as we choose suitable parameters, especially the weights of the error vectors used in the encryption process, we can build a secure elliptic code based cryptosystem.

Our contributions: We reconsider the construction of secure encryption systems with compact key size based on algebraic geometry codes, and present such a system using elliptic codes. First, we construct elliptic codes whose minimum weight codewords are hard to sample. Then we build a variant of the McEliece encryption system, ECC2, on top of these codes. Finally, we prove that ECC2 is IND-CPA secure, and our implementation shows that it performs well in key size and ciphertext expansion rate.

Organization: The rest of the paper is organized as follows. In Section 2, we review the preliminaries used later. In Section 3, we present our cryptosystem based on elliptic codes. In Section 4, we analyse the security of our system and give a rigorous security proof. In Section 5, we implement the cryptosystem and analyse its efficiency. Finally, Section 6 concludes the paper.

Preliminaries

In this section, we present some notions of coding theory and basic facts about code-based cryptography that are prerequisites for the following sections.

A new elliptic code based cryptosystem

In this section, we present our cryptosystem based on elliptic codes and the McEliece encryption system. We first give an algorithm for generating elliptic codes, which is used as a subroutine in the construction of the new cryptosystem. Next, we build a basic encryption scheme. Then we convert it into a more efficient scheme using a key encapsulation mechanism. Finally, we show how to transform the basic scheme into its dual Niederreiter version.
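The basic McEliece-style scheme and its Niederreiter dual outlined above, together with the point made in the introduction that the cost of information set decoding grows with the error weight t, as an added example written for this page. It is not the authors' ECC2 implementation: the code is a random binary [n, k] code in systematic form with no elliptic-curve structure and no scrambling matrices, the "attacker" is textbook Prange ISD rather than any attack from the paper, and the parameters n = 48, k = 16, t = 3 and the RNG seed are arbitrary toy choices. In ECC2 the weight would be t = t0 + t1 with the extra t1 errors handled by the list decoder; the legitimate decoder is omitted here and only the generic decoding attack is shown.

```python
"""Toy McEliece/Niederreiter encryption over GF(2) and a Prange information-set
decoding (ISD) attacker.  Example written for this page, not the ECC2 scheme or
the authors' code: random systematic binary code, no algebraic structure, and
plain Prange ISD, used only to show how generic decoding cost scales with t."""
import random
from math import comb

def parity(x):
    return bin(x).count("1") & 1

def weight(x):
    return bin(x).count("1")

def vec_times_mat(m, rows):
    """m * M over GF(2): m is a bit-vector int, rows[i] is row i of M (bit j = column j)."""
    out = 0
    for i, row in enumerate(rows):
        if m >> i & 1:
            out ^= row
    return out

def keygen(n, k, rng):
    """Random systematic code: G = [I_k | A] and parity-check H = [A^T | I_{n-k}]."""
    A = [rng.getrandbits(n - k) for _ in range(k)]          # constructed random part
    G = [(1 << i) | (A[i] << k) for i in range(k)]
    H = []
    for j in range(n - k):
        row = 1 << (k + j)
        for i in range(k):
            if A[i] >> j & 1:
                row |= 1 << i
        H.append(row)
    return G, H

def random_error(n, t, rng):
    """Error vector of weight exactly t on n positions."""
    e = 0
    for pos in rng.sample(range(n), t):
        e |= 1 << pos
    return e

def mceliece_encrypt(m, G, e):
    """McEliece form: c = mG + e, an n-bit ciphertext."""
    return vec_times_mat(m, G) ^ e

def niederreiter_encrypt(e, H):
    """Niederreiter (dual) form: s = H e^T, an (n-k)-bit syndrome; e carries the plaintext."""
    return sum(parity(row & e) << j for j, row in enumerate(H))

def reduce_on(rows, cols):
    """Gauss-Jordan over GF(2) so that the columns in cols become the identity.
    Returns the reduced generator rows, or None if cols is not an information set."""
    rows = list(rows)
    for r, c in enumerate(cols):
        sel = next((i for i in range(r, len(rows)) if rows[i] >> c & 1), None)
        if sel is None:
            return None
        rows[r], rows[sel] = rows[sel], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i] >> c & 1:
                rows[i] ^= rows[r]
    return rows

def prange_isd(G, n, t, c, rng, max_iter=200000):
    """Prange ISD: guess an information set, assume it is error-free, rebuild the
    codeword that agrees with c there, accept if the residual has weight <= t.
    Returns (message, iterations used); G is systematic so the message is the first k bits."""
    k = len(G)
    for it in range(1, max_iter + 1):
        cols = rng.sample(range(n), k)
        rows = reduce_on(G, cols)
        if rows is None:
            continue                                          # rank-deficient guess
        coeff = sum(((c >> col) & 1) << i for i, col in enumerate(cols))
        cand = vec_times_mat(coeff, rows)                     # codeword equal to c on cols
        if weight(cand ^ c) <= t:
            return cand & ((1 << k) - 1), it
    return None

def prange_expected_iterations(n, k, t):
    """Expected guesses until an information set avoids all t error positions:
    C(n,k) / C(n-t,k).  Ignores rank-deficient guesses; grows quickly with t."""
    return comb(n, k) / comb(n - t, k)

def demo(n=48, k=16, t=3, seed=7):
    """Toy parameters (arbitrary choices for this example, not from the paper)."""
    rng = random.Random(seed)
    G, H = keygen(n, k, rng)
    m = rng.getrandbits(k)
    e = random_error(n, t, rng)
    c = mceliece_encrypt(m, G, e)
    s = niederreiter_encrypt(e, H)
    recovered, iters = prange_isd(G, n, t, c, rng)
    return {"m": m, "recovered": recovered, "iters": iters,
            "syndrome_of_c": niederreiter_encrypt(c, H), "syndrome_of_e": s,
            "codeword_syndrome": niederreiter_encrypt(vec_times_mat(m, G), H),
            "expected": prange_expected_iterations(n, k, t),
            "mceliece_bits": n, "niederreiter_bits": n - k}

if __name__ == "__main__":
    print(demo())
    for t in (3, 5, 7):
        print("t =", t, "expected ISD guesses:", round(prange_expected_iterations(48, 16, t), 1))
```

Two things the run makes visible: the Niederreiter ciphertext is n−k bits instead of n, since H(mG + e)^T = He^T, which is where the ciphertext expansion advantage of the dual form comes from; and the expected number of ISD guesses C(n,k)/C(n−t,k) rises from about 3.5 at t = 3 to about 8.5 at t = 5 for these toy parameters, which is the dependence on error weight that the paper relies on when it lets the list decoder absorb t1 extra errors. Modern ISD variants are faster than Prange, but the exponential dependence on t remains.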

Security analysis

In this section, we first prove that our basic encryption system ECC2 is IND-CPA secure. The security of the KEM/DEM version follows from the transformation described in [20]. Then we analyse why our scheme resists the known attacks. The two most important types of attacks against code-based cryptosystems are decoding attacks and structural attacks. Decoding attacks are used to decrypt a given ciphertext, while structural attacks exploit structural weaknesses in the construction and then attempt to

Choice of parameters

In the following tables we use the notation

  • 1^λ: security level;

  • q: the prime generating the finite field;

  • n: length of the code;

  • k: dimension of the code;

  • t0: t0 = ⌊(d−1)/2⌋ is the basic weight of the error vector (the unique decoding radius);

  • t1: the added weight of the error vector;

  • t: t = t0 + t1 is the total weight of the error vector, which can be decoded by a list decoding algorithm.

We give our suggested parameters in Table 1.

As we mentioned before, the Guruswami-Sudan list decoding algorithm needs to calculate the pole basis, the zero basis, and

Conclusion

We construct a public-key encryption system ECC2 based on elliptic codes, which resists all attacks against AG codes known to us. The special structure of elliptic codes helps us to decrease the size of the secret key. Minder's attack is built on several assumptions, such as that minimum weight codewords can be efficiently sampled and that the set of evaluation points is large enough. In the design of ECC2, we use a construction of elliptic codes that makes all of the assumptions above invalid

CRediT authorship contribution statement

Fangguo Zhang: Conceptualization, Methodology, Formal analysis, Writing - review & editing. Zhuoran Zhang: Investigation, Formal analysis, Writing - original draft, Writing - review & editing. Peidong Guan: Software, Validation, Data curation, Investigation.

Declaration of Competing Interest

None.

Acknowledgements

This work is supported by the National Key R&D Program of China (2017YFB0802500) and the National Natural Science Foundation of China (No.61672550, No.61972429) and the Major Program of Guangdong Basic and Applied Research (2019B030302008).

References (46)

  • Q. Cheng, Hard problems of algebraic geometry codes, IEEE Trans. Inf. Theory (2008)
  • A. Couvreur et al., A polynomial time attack against algebraic geometry code based public key cryptosystems, ISIT (2014)
  • A. Couvreur et al., Cryptanalysis of McEliece cryptosystem based on algebraic geometry codes and their subcodes, IEEE Trans. Inf. Theory (2017)
  • W. Diffie et al., New directions in cryptography, IEEE Trans. Inf. Theory (1976)
  • P. Elias, List decoding for noisy channels, 1957 IRE WESCON Convention Record (1957)
  • J.C. Faugère et al., Algebraic cryptanalysis of McEliece variants with compact keys, EUROCRYPT 2010 (2010)
  • C. Faure et al., Cryptanalysis of the McEliece cryptosystem over hyperelliptic codes, The 11th International Workshop on Algebraic and Combinatorial Coding Theory (2008)
  • P. Gaborit, Shorter keys for code based cryptography, WCC (2005)
  • V.D. Goppa, Codes associated with divisors, Problems of Information Transmission (1977)
  • V. Guruswami et al., Improved decoding of Reed-Solomon and algebraic-geometry codes, IEEE Trans. Inf. Theory (1999)
  • V. Guruswami et al., On representations of algebraic-geometric codes for list decoding, Eur. Symp. Algorithms (2000)
  • V. Guruswami et al., Maximum-likelihood decoding of Reed-Solomon codes is NP-hard, IEEE Trans. Inf. Theory (2004)
  • D. Hofheinz et al., A modular analysis of the Fujisaki-Okamoto transformation, TCC 2017 (2017)
Cited by (7)

  • Elliptic code-based oblivious polynomial evaluation, Computer Standards and Interfaces (2024)
  • Efficient List Decoding Applied to ECC2, Lecture Notes in Computer Science (2022)