Cryptology ePrint Archive: Report 2008/468
A CCA2 Secure Variant of the McEliece Cryptosystem
Nico Döttling, Rafael Dowsley, Jörn Müller-Quade and Anderson C. A. Nascimento
Abstract: The McEliece public-key encryption scheme has become an interesting alternative to cryptosystems based on number-theoretical problems. Unlike RSA and ElGamal, McEliece PKC is not known to be broken by a quantum computer. Moreover, even though McEliece PKC has a relatively big key size, encryption and decryption operations are rather efficient. In spite of all the recent results in coding theory based cryptosystems, to date there are no constructions secure against chosen ciphertext attacks in the standard model – the de facto security notion for public-key cryptosystems.
In this work, we show the first construction of a McEliece based public-key cryptosystem secure against chosen ciphertext attacks in the standard model. Our construction is inspired by a recently proposed technique by Rosen and Segev.
Category / Keywords: Public-key encryption, CCA2 security, McEliece assumptions, standard model
Date: received 4 Nov 2008, last revised 31 May 2012
Contact author: rdowsley at cs ucsd edu
Note: This is an expanded version accepted to the IEEE Transactions on Information Theory. One author was added. We include new results on the encryption of correlated but different messages. The proofs are now written as sequences of games. Also, we introduced a minor modification to the definition of a toy cryptosystem used in the proof of security (k-repetition PKC) to include explicitly the role of randomness. In the previous version, this was specified in the final proposed McEliece based PKC. This rules out the possibility of any kind of ambiguity in the security proof and answers questions raised by the referees and independently by Edoardo Persichetti (http://eprint.iacr.org/2012/268 and private communication).
Version: 20120601:004321