McEliece in the world of Escher

1 Department of Telematics, Norwegian University of Science and Technology (NTNU), Trondheim, NORWAY, {danilog, simonas, hakoja}@item.ntnu.no 2 “Ss Cyril and Methodius” University, Faculty of Computer Science and Engineering (FINKI), Skopje, MACEDONIA [email protected] 3 Saint Petersburg State University of Aerospace Instrumentation, Saint Petersburg, RUSSIA, [email protected] Abstract. We present a new family of linear binary codes of length n and dimension k accompanied with a fast list decoding algorithm that can correct up to n2 errors in a bounded channel with an error density ρ. The decisional problem of decoding random codes using these generalized error sets is NP-complete. Next we use the properties of these codes to design both an encryption scheme and a signature scheme. Although in the open literature there have been several proposals how to produce digital signatures from the McEliece public key scheme, as far as we know, this is the first public key scheme based on codes where signatures are produced in a straightforward manner from the decryption procedure of the scheme. The security analysis of our scheme have four parts: 1. An extensive list of attacks using the Information Set Decoding techniques adopted for our codes; 2. An analysis of the cost of a distinguishing attack based on rank attacks on the generator matrix of the code or on its dual code; 3. An analysis of the cost of cheap distinguishing attacks on the generator matrix of the code or on its dual code that have expensive list-decoding properties; 4. We interpret our scheme as multivariate quadratic system and discuss difficulties of solving that system using algebraic approaches such as Gröbner bases. Based on this security analysis we suggest some concrete parameters for the security levels in the range of 280−2128. An additional feature of the decryption process is that it admits massive and trivial parallelization that could potentially make our scheme in hardware as fast as the symmetric crypto primitives.