Abstract

McEliece PKC (Public-Key Cryptosystem), whose security is based on the decoding problem, is one of a few alternatives to the current PKCs, which are mostly based on either IFP (Integer Factoring Problem) or DLP (Discrete Logarithm Problem) and would be solved in polynomial time once quantum computers emerge. It is known that the McEliece PKC with an appropriate conversion satisfies (in the random oracle model) the strongest security notion, IND-CCA2 (INDistinguishability of encryption against adaptively Chosen-Ciphertext Attacks), under the assumption that breaking OW-CPA (One-Wayness against Chosen-Plaintext Attacks) of the underlying McEliece PKC, i.e. the McEliece PKC with no conversion, is infeasible. Breaking OW-CPA of it is still infeasible if an appropriate parameter, n ≥ 2048 with optimum t and k, is chosen, since the binary work factor to break it with the best CPA is around 2^106 for (n, k, t) = (2048, 1278, 70). The aim of the modification proposed at Asiacrypt 2000 is to raise the work factor for the next smaller parameter, n = 1024, from an almost dangerous level of 2^62 to a safe level of 2^88. If this idea works correctly, the more compact system can be used safely. In this paper, we carefully review the modification at Asiacrypt 2000, and then show that its one-wayness is vulnerable to our new CPAs.
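The binary work factors quoted above come from information-set decoding, the standard chosen-plaintext attack on the underlying McEliece PKC, and the abstract uses them to argue which parameter sets are safe. The following added example (not code from the paper) estimates that work factor with the simplest such algorithm, Prange's plain information-set decoding, so that a reader can see why n = 2048 sits comfortably above n = 1024. It assumes, as a constructed model, that each iteration picks a random information set and costs about one Gaussian elimination on the parity-check matrix; the (1024, 524, 50) parameter set is the classical McEliece choice and is not stated in the abstract. Prange's algorithm is cruder than the best CPA the paper refers to, so the numbers it yields are upper estimates, not the paper's figures.

```python
import math


def prange_isd_log2_work(n: int, k: int, t: int) -> dict:
    """Estimate log2 of the binary work factor of plain information-set
    decoding (Prange) against a length-n, dimension-k binary code with
    t errors.

    Constructed model (an assumption, not the paper's analysis):
    - one iteration chooses k random columns as the information set;
    - it succeeds only if all t error positions lie outside those columns;
    - each iteration costs roughly (n-k)^2 * n bit operations, i.e. a
      Gaussian elimination on the (n-k) x n parity-check matrix.
    """
    if not (0 < k < n and 0 < t <= n - k):
        raise ValueError("need 0 < k < n and 0 < t <= n - k")
    # Pr[success per iteration] = C(n-k, t) / C(n, t); expected iterations
    # is its reciprocal. math.log2 accepts the large integers math.comb returns.
    log2_iterations = math.log2(math.comb(n, t)) - math.log2(math.comb(n - k, t))
    # Rough per-iteration cost of the linear algebra (constructed assumption).
    log2_cost = math.log2((n - k) ** 2 * n)
    return {
        "log2_iterations": log2_iterations,
        "log2_cost_per_iteration": log2_cost,
        "log2_work": log2_iterations + log2_cost,
    }


def compare_parameter_sets(params: list) -> dict:
    """Return {(n, k, t): log2 work factor} for each parameter set,
    so parameter choices can be ranked side by side."""
    return {p: prange_isd_log2_work(*p)["log2_work"] for p in params}


if __name__ == "__main__":
    # (2048, 1278, 70) is the set named in the abstract; (1024, 524, 50)
    # is the classical McEliece set, used here as a constructed comparison.
    for (n, k, t), work in compare_parameter_sets(
        [(1024, 524, 50), (2048, 1278, 70)]
    ).items():
        print(f"(n, k, t) = ({n}, {k}, {t}): ~2^{work:.1f} bit operations")
```

Run the script to see the two estimates; the gap between the two parameter sets is the point, since the plain-ISD model deliberately ignores the refinements that bring the best CPA down to the 2^62 and 2^106 levels the abstract cites.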
