On the one-wayness against chosen-plaintext attacks of the Loidreau's modified McEliece PKC

Abstract

McEliece public-key cryptosystem (PKC) is one of a few alternatives for the current PKCs that are mostly based on either the integer factoring problem (IFP) or the discrete logarithm problem (DLP) that would be solved in polynomial time after the emergence of quantum computers. The security of the McEliece PKC is based on the decoding problem and it is known that it satisfies, with an appropriate conversion, the strongest security notion, i.e., INDistinguishability of encryption against adaptively Chosen-Ciphertext Attacks (IND-CCA2), in the random oracle model under the assumption that the underlying primitive McEliece PKC satisfies a weak security notion of One-Wayness against Chosen-Plaintext Attacks (OW-CPA). OW-CPA is said to be satisfied if it is infeasible for chosen plaintext attacks to recover the whole plaintext of an arbitrarily given ciphertext. Currently, the primitive McEliece PKC satisfies OW-CPA if a parameter n/spl ges/2048 with optimum t and k is chosen since the binary work factor for (n,k,t)=(2048,1278,70) to break it with the best CPA is around 2/sup 106/, which is infeasible even if world-wide computational power is used. While the binary work factor for the next smaller parameter n=1024 is in a gray level of 2/sup 62/, it will be improved by applying Loidreau's modification that employs Frobenius automorphism in Goppa codes. In this paper, we carefully investigate the one-wayness of the Loidreau's modified McEliece PKC against ever known CPAs and new CPAs we propose, and then show that it certainly improves the one-wayness against ever known CPAs but it is vulnerable against our new CPAs. Thus, it is rather harmful to apply the new modification to the McEliece PKC.