New Chosen-Plaintext Attacks on the One-Wayness of the Modified McEliece PKC Proposed at Asiacrypt 2000

  • Kazukuni Kobara
  • Hideki Imai
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2274)


McEliece PKC (Public-Key Cryptosystem), whose security is based on the decoding problem, is one of the few alternatives to the current PKCs, most of which are based on either IFP (Integer Factoring Problem) or DLP (Discrete Logarithm Problem), both of which would be solved in polynomial time once quantum computers emerge. It is known that the McEliece PKC with an appropriate conversion satisfies (in the random oracle model) the strongest security notion, IND-CCA2 (INDistinguishability of encryption against adaptively Chosen-Ciphertext Attacks), under the assumption that breaking OW-CPA (One-Wayness against Chosen-Plaintext Attacks) of the underlying McEliece PKC, i.e. the McEliece PKC with no conversion, is infeasible. Breaking its OW-CPA is still infeasible if an appropriate parameter, n ≥ 2048 with optimum t and k, is chosen, since the binary work factor of the best CPA against it is around 2^106 for (n, k, t) = (2048, 1278, 70). The aim of the modification proposed at Asiacrypt 2000 is to raise this work factor for the next smaller parameter, n = 1024, from an almost dangerous level of 2^62 to a safe level of 2^88. If that idea works correctly, the more compact system can be used safely. In this paper, we carefully review the modification at Asiacrypt 2000 and then show that its one-wayness is vulnerable to our new CPAs.
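The abstract's security argument rests on a concrete experiment: an attacker who holds only the public key and a ciphertext of the unconverted McEliece PKC tries to recover the plaintext, and the cost of the best such attack (information-set decoding) is the "binary work factor" quoted above. The following script, added here as an illustration and not taken from the paper, runs that experiment at toy scale: it builds a scrambled public key from the extended Golay [24,12,8] code, encrypts a random message with t errors, and recovers it with Prange's algorithm, the simplest information-set decoder. It then estimates the number of information sets Prange needs for the paper's (n, k, t) = (1024, 524, 50) and (2048, 1278, 70). The Golay generator is the standard bordered-circulant construction written from memory and is verified by brute force inside the script; the trial-count estimate is a loose lower bound only, since the 2^62 and 2^106 figures in the abstract come from the refined Canteaut–Sendrier algorithm, which this example does not implement.

```python
"""Toy McEliece one-wayness experiment (added illustration, not the paper's code).

The attacker sees only G_pub and c = m*G_pub + e with wt(e) = t, and recovers m
by Prange's information-set decoding, the simplest chosen-plaintext attack on
one-wayness. Parameters are toy-sized (extended Golay [24,12,8] code); the
work-factor helper at the end is what scales to the paper's n = 1024 / 2048.
"""
import math
import random
from itertools import product

# Generator [I_12 | B] of the extended Golay code, B the bordered 11x11 circulant
# (textbook form, written from memory; min_distance() verifies d rather than
# trusting this matrix).
_ROW = [1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]
_B = [[_ROW[(i + j) % 11] for j in range(11)] + [1] for i in range(11)]
_B.append([1] * 11 + [0])
GOLAY_G = [[int(i == j) for j in range(12)] + _B[i] for i in range(12)]


def mat_vec(m, G):
    """Row vector times matrix over GF(2): XOR of the rows of G selected by m."""
    out = [0] * len(G[0])
    for bit, row in zip(m, G):
        if bit:
            out = [a ^ b for a, b in zip(out, row)]
    return out


def weight(v):
    return sum(v)


def gf2_inverse(A):
    """Gauss-Jordan inversion over GF(2); returns None if A is singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [a ^ b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def min_distance(G):
    """Brute-force minimum distance over all 2^k codewords (k = 12 here)."""
    k = len(G)
    return min(weight(mat_vec(m, G)) for m in product((0, 1), repeat=k) if any(m))


def keygen(rng):
    """Public key G_pub = S*G*P (random invertible S, random permutation P).
    S and P are discarded: the attack below never needs the private key."""
    k, n = len(GOLAY_G), len(GOLAY_G[0])
    while True:
        S = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
        if gf2_inverse(S) is not None:
            break
    perm = list(range(n))
    rng.shuffle(perm)
    SG = [mat_vec(row, GOLAY_G) for row in S]
    return [[row[perm[j]] for j in range(n)] for row in SG]


def encrypt(G_pub, m, t, rng):
    """Unconverted McEliece encryption: c = m*G_pub + e with wt(e) = t."""
    c = mat_vec(m, G_pub)
    for i in rng.sample(range(len(c)), t):
        c[i] ^= 1
    return c


def prange_attack(G_pub, c, t, rng, max_trials=100000):
    """Prange ISD: guess an error-free information set I, solve for m, check wt."""
    k, n = len(G_pub), len(G_pub[0])
    for trial in range(1, max_trials + 1):
        I = rng.sample(range(n), k)
        inv = gf2_inverse([[row[j] for j in I] for row in G_pub])
        if inv is None:
            continue                                  # columns dependent; retry
        m_guess = mat_vec([c[j] for j in I], inv)     # c_I * G_I^{-1}
        err = [a ^ b for a, b in zip(mat_vec(m_guess, G_pub), c)]
        if weight(err) == t:                          # I avoided every error
            return m_guess, trial
    return None, max_trials


def prange_trials_log2(n, k, t):
    """log2 of the expected number of information sets Prange must try,
    1 / P(no error among the k chosen columns) = C(n, t) / C(n - k, t).
    Trials only (no per-trial Gaussian-elimination cost), so a loose lower
    bound on the binary work factor, not the paper's Canteaut-Sendrier figures."""
    return math.log2(math.comb(n, t)) - math.log2(math.comb(n - k, t))


def demo(seed=2002):
    rng = random.Random(seed)
    d = min_distance(GOLAY_G)
    t = (d - 1) // 2                  # unique-decoding radius, so m is unique
    G_pub = keygen(rng)
    m = [rng.randrange(2) for _ in range(len(G_pub))]
    c = encrypt(G_pub, m, t, rng)
    recovered, trials = prange_attack(G_pub, c, t, rng)
    return {"d": d, "t": t, "m": m, "recovered": recovered, "trials": trials}


if __name__ == "__main__":
    r = demo()
    print(f"d={r['d']} t={r['t']} recovered==m: {r['recovered'] == r['m']} trials={r['trials']}")
    for n, k, t in [(1024, 524, 50), (2048, 1278, 70)]:
        print(f"(n,k,t)=({n},{k},{t}): Prange trials ~ 2^{prange_trials_log2(n, k, t):.1f}")
```

Because t is set to the unique-decoding radius of the code, the first weight-t solution Prange finds is the original message, which is exactly the OW-CPA break the abstract talks about; at n = 24 it takes a few dozen trials, while the estimator shows how the trial count alone already separates n = 1024 from n = 2048 by roughly 2^48.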




References

  1. C. M. Adams and H. Meijer. "Security-Related Comments Regarding McEliece's Public-Key Cryptosystem". In Proc. of CRYPTO '87, LNCS 293, pages 224–228. Springer-Verlag, 1988.
  2. M. Bellare and P. Rogaway. "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols". In Proc. of the 1st ACM Conference on Computer and Communications Security (CCS), pages 62–73, 1993.
  3. T. Berson. "Failure of the McEliece Public-Key Cryptosystem Under Message-Resend and Related-Message Attack". In Proc. of CRYPTO '97, LNCS 1294, pages 213–220. Springer-Verlag, 1997.
  4. A. Canteaut and N. Sendrier. "Cryptanalysis of the Original McEliece Cryptosystem". In Proc. of ASIACRYPT '98, pages 187–199, 1998.
  5. W. Diffie and M. Hellman. "New Directions in Cryptography". IEEE Trans. on Information Theory, 22(6):644–654, 1976.
  6. S. Goldwasser and S. Micali. "Probabilistic Encryption". Journal of Computer and System Sciences, 28(2):270–299, 1984.
  7. C. Hall, I. Goldberg, and B. Schneier. "Reaction Attacks Against Several Public-Key Cryptosystems". In Proc. of the 2nd International Conference on Information and Communications Security (ICICS '99), LNCS 1726, pages 2–12, 1999.
  8. K. Kobara and H. Imai. "Countermeasure against Reaction Attacks" (in Japanese). In The 2000 Symposium on Cryptography and Information Security (SCIS 2000), A12, January 2000.
  9. K. Kobara and H. Imai. "Countermeasures against All the Known Attacks to the McEliece PKC". In Proc. of the 2000 International Symposium on Information Theory and Its Applications (ISITA 2000), pages 661–664, November 2000.
  10. K. Kobara and H. Imai. "Semantically Secure McEliece Public-Key Cryptosystems: Conversions for McEliece PKC". In Proc. of PKC 2001, LNCS 1992, pages 19–35. Springer-Verlag, 2001.
  11. P. J. Lee and E. F. Brickell. "An Observation on the Security of McEliece's Public-Key Cryptosystem". In Proc. of EUROCRYPT '88, LNCS 330, pages 275–280. Springer-Verlag, 1988.
  12. R. Lidl and H. Niederreiter. "Finite Fields", page 13. Cambridge University Press, 1983.
  13. P. Loidreau. "Strengthening McEliece Cryptosystem". In Proc. of ASIACRYPT 2000, pages 585–598. Springer-Verlag, 2000.
  14. P. Loidreau and N. Sendrier. "Some Weak Keys in McEliece Public-Key Cryptosystem". In Proc. of the IEEE International Symposium on Information Theory (ISIT '98), page 382, 1998.
  15. R. J. McEliece. "A Public-Key Cryptosystem Based on Algebraic Coding Theory". DSN Progress Report 42-44, pages 114–116, 1978.
  16. N. Sendrier. "The Support Splitting Algorithm". INRIA Rapport de recherche, ISSN 0249-6399, 1999.
  17. P. W. Shor. "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer". SIAM Journal on Computing, 26(5):1484–1509, 1997.
  18. J. Stern. "A Method for Finding Codewords of Small Weight". In Proc. of Coding Theory and Applications, LNCS 388, pages 106–113. Springer-Verlag, 1989.
  19. H. M. Sun. "Further Cryptanalysis of the McEliece Public-Key Cryptosystem". IEEE Communications Letters, 4(1):18–19, 2000.
  20. A. Vardy. "The Intractability of Computing the Minimum Distance of a Code". IEEE Trans. on Information Theory, 43(6):1757–1766, 1997.

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Kazukuni Kobara, Institute of Industrial Science, The University of Tokyo, Tokyo, Japan
  • Hideki Imai, Institute of Industrial Science, The University of Tokyo, Tokyo, Japan
