Modified McEliece PKC Proposed at Asiacrypt 2000 Is Breakable with CPA

Provided by: iacr
Learn more at: https://www.iacr.org

Transcript and Presenter's Notes

1
Modified McEliece PKC Proposed at Asiacrypt 2000 Is Breakable with CPA
  • Kazukuni Kobara and Hideki Imai
  • The Univ. of Tokyo

2
Security of McEliece
  • Based on decoding problem
  • Difficulty of decoding arbitrary linear codes
  • Conjectured to be NP-Complete
  • Independent of IFP and DLP, on which most current PKCs rely

3
Even If Both IFP and DLP are Broken
  • Decoding problem may survive

[Figure: Year 20XX (Quantum Computers, New Algorithms). Labels: "IFP and DLP: Broken"; "Decoding problem".]

4
Sketch of the Security against Known Attacks
[Figure: chart with axis "Computational Complexity" (Feasible to Infeasible). Column labels: decryption oracle; knowledge on the plaintext; Chosen Plaintext Attack (CPA). Annotations: "Difficult Problem"; "Vulnerable Against These Attacks". Legend: GISD: Generalized Information Set Decoding [LB88]; FLWC: Finding Low-Weight Codeword [CS98].]

5
Applying a Conversion, These Attacks Can Be Prevented [KI01]
[Figure: chart with axis "Computational Complexity" (Feasible to Infeasible). Column labels: decryption oracle; knowledge on the plaintext; Chosen Plaintext Attack (CPA). Legend: GISD: Generalized Information Set Decoding [LB88]; FLWC: Finding Low-Weight Codeword [CS98].]

6
Aim of Modification at Asiacrypt 2000 [Loi00]
[Figure: chart with axis "Computational Complexity" (Feasible to Infeasible). Column labels: decryption oracle; knowledge on the plaintext; Chosen Plaintext Attack (CPA). Legend: GISD: Generalized Information Set Decoding [LB88]; FLWC: Finding Low-Weight Codeword [CS98].]

7
We Found New CPAs on the Modified Cryptosystem
[Figure: chart with axis "Computational Complexity" (Feasible to Infeasible). Column labels: decryption oracle; knowledge on the plaintext; Chosen Plaintext Attack (CPA). Annotations: "Attack I"; "Attack II". Legend: GISD: Generalized Information Set Decoding [LB88]; FLWC: Finding Low-Weight Codeword [CS98].]

8
Details will appear in PKC02
  • If you are interested, please contact me.
  • kobara_at_iis.u-tokyo.ac.jp