I Introduction
In public-key cryptography, the authentication and confidentiality of communication between a sender and a receiver are traditionally ensured by a two-step approach called signature-then-encryption. In this approach, the sender uses a digital signature scheme to sign a message and then encrypts the signed message using an encryption algorithm. The cost of delivering a message in a secure and authenticated way with the signature-then-encryption approach is essentially the sum of the cost of the digital signature and that of the encryption.
In 1997, Y. Zheng introduced a new cryptographic primitive called signcryption to provide both authentication and confidentiality in a single logical step [59]. In general, one can expect the cost of signcryption to be noticeably less than that of signature-then-encryption. Zheng's signcryption scheme is based on the hardness of the discrete logarithm problem. Since Zheng's work, a number of signcryption schemes based on different hardness assumptions have been introduced; see for example [59, 60, 55, 57, 36, 7, 8, 28]. Of these, the most efficient ones have followed Zheng's approach, i.e., they use symmetric-key encryption as a black-box component [7, 8, 28]. Many researchers have therefore studied how a combination of asymmetric and symmetric-key encryption schemes could be used to build efficient signcryption schemes in a more general setting.
To this end, Dent in 2004 proposed the first formal composition model for hybrid signcryption [25] and in 2005 developed an efficient model for signcryption KEMs in the outsider-secure and the insider-secure settings [26, 27]. In the outsider-secure setting the adversary is assumed to be distinct from the sender and the receiver, while in the insider-secure setting the adversary is assumed to be one of the two parties (i.e., either the sender or the receiver). In order to improve the model for the insider-secure setting in hybrid signcryption, Bjørstad and Dent in 2006 proposed a model based on an encryption tag-KEM rather than a regular encryption KEM [14]. Their model provides a simpler description of signcryption with a better generic security reduction for the signcryption tag-KEM construction. A year after Bjørstad and Dent's work, Yoshida and Fujiwara reported the first study of multi-user security of signcryption tag-KEMs [58], which is a more suitable setting for the analysis of insider-secure schemes.
Motivation
The aforementioned signcryption schemes are based on the hardness of either the discrete logarithm or the integer factorization problem and would be broken with the arrival of sufficiently large quantum computers. Therefore it is of interest to design signcryption schemes for the post-quantum era. Coding theory offers some hard problems that are considered quantum-safe, and in this paper we explore the design of code-based signcryption.
The first attempt at code-based signcryption was presented in 2012 by Preetha et al. [39]. After that work, an attribute-based signcryption scheme based on linear codes was introduced in 2017 by Song et al. [53]. Code-based signcryption remains an active area of research, specifically the design of quantum-safe cryptographic primitives such as signcryption schemes.
Contributions
In this paper we present a signcryption tag-KEM scheme built from a probabilistic full domain hash (FDH)-like code-based signature and a CCA2-secure version of McEliece's encryption scheme. The underlying code-based signature in our scheme is Wave, introduced by Debris-Alazard et al. [4], while the CCA2-secure version of the McEliece scheme is based on the Fujisaki-Okamoto conversion introduced by Cayrel et al. [16]. Instead of relying only on the hardness of the Goppa syndrome decoding problem, we add a second security assumption, namely the NP-completeness of the subcode equivalence problem [10]. To this end, we use an equivalent Goppa subcode as the receiver's public code. We then use our signcryption tag-KEM to design a code-based hybrid signcryption scheme. We also give security analyses of these two schemes in the standard model, assuming the insider-secure setting.
Organization
This paper is organized as follows. In Section II, we first recall some basic notions of coding theory and then briefly describe the encryption and signature schemes that are relevant to this work. Section III gives the definition and framework of signcryption and hybrid signcryption, and a brief review of the relevant security model. We present our signcryption and hybrid signcryption schemes in Section IV and then provide security analyses of the proposed schemes in Section V. We provide a set of parameters for the hybrid signcryption scheme in Section VI and conclude in Section VII.
Notations
In this paper we use the following notations:

: finite field of size where is a prime power.

: linear code of length .

: weight of x.

(resp. ): generator (resp. paritycheck) matrix of linear code .

is the set of ary vectors of length and weight .

(resp. ): sender's (resp. receiver's) secret key for signcryption.

(resp. ): sender’s (resp. receiver’s) public key for signcryption.
II Preliminaries
In this section we recall some notions pertaining to coding theory and code-based cryptography.
II-A Coding theory and some relevant hard problems
Let us consider the finite field . A ary linear code of length and dimension over is a vector subspace of dimension of . It can be specified by a full rank matrix , called generator matrix of , whose rows span the code. Namely, . A linear code can also be defined by the right kernel of matrix , called paritycheck matrix of , as follows:
The Hamming distance between two codewords is the number of positions (coordinates) in which they differ. The minimum distance of a code is the smallest Hamming distance between any two distinct codewords.
The weight of a word or vector , denoted by , is the number of its nonzero positions. The minimum weight of a code is then the smallest weight of a nonzero codeword. For a linear code , the minimum distance is equal to the minimum weight of the code.
Below we recall some hard problems that are relevant to our discussions and analyses presented in this article.
Problem 1
(Binary syndrome decoding (SD) problem) Given a matrix , a vector , and an integer , find a vector such that and .
The syndrome decoding problem was proven to be NP-complete in 1978 by Berlekamp et al. [13]. It is equivalent to the following problem.
Problem 2
(General decoding (GBD) problem) Given a matrix , a vector , and an integer , find two vectors and such that and .
The following problem is used in the security proof of the underlying signature that we use in this paper. It was first considered by Johansson and Jonsson in [35]. It was analyzed later by Sendrier in [51].
Problem 3
(Decoding One Out of Many (DOOM) problem) Given a matrix , a set of vectors , ,…, and an integer , find a vector and an integer such that , and .
Problem 4
(Goppa code distinguishing problem) Given a matrix , decide whether it is a random binary matrix or the parity-check matrix of a Goppa code.
Faugère et al. [30] showed that Problem 4 can be solved in special cases of Goppa codes with high rate.
The following is one of the problems on which the security assumption of our scheme's underlying signature mechanism relies.
Problem 5
(Generalized ()-code distinguishing problem) Given a matrix , decide whether it is a parity-check matrix of a generalized ()-code.
Problem 5 was shown to be hard in the worst case by Debris-Alazard et al. [22], since it is NP-complete. Below, we recall the subcode equivalence problem, the second problem on which the security assumptions of our scheme are based. This problem was proven to be NP-complete in 2017 by Berger et al. [10].
Problem 6
(Subcode Equivalence problem [10]) Given two linear codes and of length and respective dimension and , , over the same finite field , determine whether there exists a permutation of the support such that is a subcode of .
II-B Code-based encryption
The first code-based encryption scheme was introduced in 1978 by R. McEliece [41]. Below (in Figure 1) we give the McEliece scheme with the Fujisaki-Okamoto conversion [16], which comprises three algorithms: key generation, encryption, and decryption.
The main drawback of the McEliece encryption scheme is its very large key size. To address this issue, many variants of McEliece's scheme have been proposed; see for example [11, 12, 42, 43, 9, 46]. In order to reduce the size of both public and private keys in code-based cryptography, H. Niederreiter in 1986 introduced a new cryptosystem [44]. Niederreiter's cryptosystem is a dual version of McEliece's cryptosystem with some additional properties, among them a shorter ciphertext. Indeed, the public key in Niederreiter's cryptosystem is a parity-check matrix instead of a generator matrix, and ciphertexts are syndrome vectors instead of erroneous codewords. However, the McEliece and Niederreiter schemes are equivalent from the security point of view, because Problems 1 and 2 are equivalent.
Code-based hybrid encryption: A hybrid encryption scheme is a cryptographic protocol that combines an asymmetric and a symmetric-key encryption scheme. The first component is known as the Key Encapsulation Mechanism (KEM), while the second is called the Data Encapsulation Mechanism (DEM). The framework was first introduced in 2003 by Cramer and Shoup [21], and the first code-based hybrid encryption scheme was introduced in 2013 by Persichetti [47] using Niederreiter's encryption scheme. Persichetti's scheme was implemented in 2017 by Cayrel et al. [17]. After Persichetti's work, other code-based hybrid encryption schemes have been reported, e.g., [40].
II-C Code-based signature
Designing a secure and practical code-based signature scheme is still an open problem. The first secure code-based signature scheme was introduced by Courtois et al. (CFS) [20]. It is a full domain hash (FDH)-like signature with two security assumptions: the indistinguishability of binary Goppa codes from random binary linear codes and the hardness of the syndrome decoding problem. To address some of the drawbacks of Courtois et al.'s scheme, Dallot proposed a modified version, called mCFS, which is provably secure. Unfortunately, this scheme is not practical because of the difficulty of finding a random decodable syndrome. In addition, the assumption that high-rate binary Goppa codes are indistinguishable from random codes has been undermined by the attacks described in [30]. One of the latest code-based signature schemes of this type is Wave [23]. It is based on generalized ()-codes. It is secure and more efficient than the CFS signature scheme. In addition, it has a smaller signature size than almost all finalist candidates in the NIST post-quantum cryptography standardization process [5].
Apart from the full domain hash approach, it is possible to design signature schemes by applying the Fiat-Shamir transformation [31] to an identification protocol. To this end, one may use a code-based identification scheme like that of Stern [56], Jain et al. [34], or Cayrel et al. [18]. This approach, however, leads to a signature scheme with a very large signature size. To address this issue, Lyubashevsky's framework [37] can apparently be adapted. Unfortunately, almost all code-based signature schemes in the Hamming metric designed with this framework have been cryptanalyzed [15, 48, 49, 32, 38, 54]. The only one that has remained secure so far is a rank-metric signature scheme proposed by Aragon et al. [1].
In Figure 2, we recall Debris-Alazard et al.'s signature scheme (Wave), which is of interest for this work. In Wave, the secret key is a tuple of three matrices , where is an invertible matrix, is a parity-check matrix of a generalized ()-code and is a permutation matrix. The public key is a matrix , where . The steps of the signature and verification processes are given in Figure 2. For additional details, the reader is referred to [24, 23].
III Signcryption and security model
In this section, we first recall the definition of signcryption, followed by the signcryption tag-KEM framework and its security model in the insider setting.
III-A Signcryption and its tag-KEM framework
Signcryption: A signcryption scheme is a tuple of algorithms SC = (Setup, KeyGenS, KeyGenR, Signcrypt, Unsigncrypt) [3] where:

Setup() is the common parameter generation algorithm, taking as input the security parameter ,

KeyGenS (resp. KeyGenR) is the key-pair generation algorithm for the sender (resp. receiver),

Signcrypt is the signcryption algorithm and

Unsigncrypt corresponds to the unsigncryption algorithm.
For more details on the design of signcryption, the reader is referred to [29] (Chap. 2, Sec. 3, p. 30).
Signcryption tag-KEM: A signcryption tag-KEM, denoted SCTKEM, is a tuple of algorithms (Com, KeyGenS, KeyGenR, Sym, Encap, Decap) [14], where:

Com is an algorithm for generating common parameters.

KeyGenS (resp. KeyGenR) is the sender (resp. receiver) key generation algorithm. It takes as input the global information and returns a private/public key pair (SCSK, SCPK) (resp. (SCSK, SCPK)) that is used to send (resp. receive) signcrypted messages.

Sym is the symmetric key generation algorithm. It takes as input the private key of the sender SCSK and the public key of the receiver SCPK, and outputs a symmetric key together with internal state information .

Encap takes as input the state information together with an arbitrary string , which is called a tag, and outputs an encapsulation .

Decap is the decapsulation/verification algorithm. It takes as input the sender’s public key SCPK, the receiver’s private key SCSK, an encapsulation and a tag . It returns either symmetric key or the unique error symbol .
Hybrid signcryption tag-KEM+DEM: This is simply the combination of a SCTKEM with a regular Data Encapsulation Mechanism (DEM).
III-B Insider security for signcryption tag-KEM
IND-CCA2 game for signcryption tag-KEM: This is a game between a challenger and a probabilistic polynomial-time adversary , in which the adversary tries to distinguish whether a given session key is the one embedded in an encapsulation or not. During this game, has adaptive access to three oracles for the attacked user, corresponding to the algorithms , , and [14, 29, 58]. The game is described in Figure 3 below.
During Step 7, the adversary is not allowed to query the decapsulation oracle on . The advantage of the adversary is defined by:
A signcryption tag-KEM is IND-CCA2 secure if, for any adversary , its advantage in the IND-CCA2 game is negligible with respect to the security parameter .
SUF-CMA game for signcryption tag-KEM: This game is a challenge between a challenger and a probabilistic polynomial-time adversary (i.e., a forger) . In this game, the forger tries to generate a valid encapsulation from the sender to any receiver, with adaptive access to the three oracles. The adversary is allowed to produce the presumed secret key as part of its forgery [58]:
The adversary wins the SUF-CMA game if and the encapsulation oracle never returned when queried on the tag . The advantage of is the probability that wins the SUF-CMA game. A signcryption tag-KEM is SUF-CMA secure if the probability that wins the SUF-CMA game is negligible.
Definition 1
A signcryption tag-KEM is said to be secure if it is both IND-CCA2 and SUF-CMA secure.
III-C Generic security criteria of hybrid signcryption tag-KEM+DEM
Security criteria for hybrid signcryption: The security of a hybrid signcryption tag-KEM+DEM depends on that of the underlying signcryption tag-KEM and DEM. Note that in the standard model a signcryption tag-KEM is secure if it is both IND-CCA2 and SUF-CMA secure. Therefore, the generic security criteria for hybrid signcryption tag-KEM+DEM are given by the following theorem:
IV Code-based hybrid signcryption
In this section, we first design a code-based signcryption tag-KEM scheme. Then we combine it with a one-time (OT)-secure DEM to design a hybrid signcryption tag-KEM+DEM scheme.
IV-A Code-based signcryption tag-KEM scheme
For our code-based signcryption tag-KEM scheme, we use the McEliece scheme as the underlying encryption scheme. More specifically, in order to achieve CCA2 security, we use McEliece's scheme with the Fujisaki-Okamoto conversion [33, 16]. The authors of [16] gave an instantiation of this scheme using generalized Srivastava (GS) codes. Indeed, with GS codes it seems possible to choose secure parameters even for codes defined over relatively small extension fields. However, Barelli and Couvreur recently introduced an efficient structural attack [6] against some of the candidates in the NIST post-quantum cryptography standardization process. Their attack targets code-based encryption schemes using some quasi-dyadic alternant codes with extension degree . It works specifically for schemes based on GS codes such as DAGS [4]. Therefore, in our work we use Goppa codes with the Classic McEliece parameters. As for the underlying signature scheme, we use the code-based Wave scheme [23], as described earlier.
Since we use Wave, the sender's secret key is a generalized ()-code over a finite field with . Its public key is a parity-check matrix of a code equivalent to that one. To avoid the distinguisher for high-rate Goppa codes, we use an equivalent Goppa subcode for the receiver's public key. In Figure 5, we describe the algorithm Com, which provides the common parameters for our scheme.
We give the key generation algorithms in Figure 6, where we denote the sender key generation algorithm by KeyGenS and that of the receiver by KeyGenR. The receiver algorithm KeyGenR returns as signcryption public key a generator matrix of an equivalent Goppa subcode. It returns as signcryption secret key the tuple (), where and are, respectively, the support and the polynomial of a Goppa code, is a full-rank matrix and is a permutation matrix. The sender key generation algorithm KeyGenS returns as private key three matrices , and , where is an invertible matrix, is a parity-check matrix of a random generalized ()-code and is a permutation matrix. The sender public key is a parity-check matrix of an equivalent generalized ()-code given by .
In Figure 7, we give the design of the symmetric key generation algorithm Sym of our scheme. The algorithm Sym takes as input the bit length of the symmetric encryption key. It outputs internal state information and the session key , where is chosen uniformly at random from and is computed by the hash function .
Figure 8 describes the encapsulation and decapsulation algorithms of our signcryption tag-KEM scheme. We denote the encapsulation algorithm by Encap and the decapsulation algorithm by Decap. In the encapsulation algorithm, the sender first computes a Wave signature on the message , where is the internal state information and is the input tag. A signature in the Wave scheme comprises two parts: an error vector and a random binary vector y. In our scheme, z is the hash of a random coin . The sender then encrypts . The encryption used in our scheme is the IND-CCA2 secure McEliece encryption scheme with the Fujisaki-Okamoto conversion introduced by Cayrel et al. [16]. During the encryption, the sender uses the random binary vector y as the random coin. The resulting ciphertext is denoted by c. The output is .
In the decapsulation algorithm Decap, the receiver first recovers the internal state information using the algorithm Decrypt together with the second part of the signature of m. It then verifies the signature and computes the session key using .
The algorithm Decrypt used in the decapsulation algorithm of our scheme is described in Figure 9. It is similar to the one described in [16], with the following modifications:

we use an encoding function ;
the output is not only the clear message m but a pair (), where y is the preimage of the error vector under the encoding function .
Completeness of our signcryption tag-KEM
Let be a tag, and let (, ) (resp. (, )) be the sender's (resp. receiver's) key pair generated by the algorithm with input . Let (, ) := (, ) be a pair of a session key and internal state information, and let () be an encapsulation of the internal state information . Assuming that the encapsulation and decapsulation are performed by an honest user, we have:

The receiver can recover the pair () from c and verify successfully that .
The receiver then performs a successful signature verification of the message signed by an honest user using the dual version of the mCFS signature.

Therefore it can compute the session key .
IV-B Code-based hybrid signcryption
Here we use the signcryption tag-KEM described in Section IV-A to design a code-based hybrid signcryption scheme. For the data encapsulation we propose the use of a regular OT-secure symmetric encryption scheme. We denote the symmetric encryption algorithm by SymEncrypt and the symmetric decryption algorithm by SymDecrypt.
V Security analysis
Before discussing the security of our hybrid scheme, let us state the assumptions on which our security analysis rests:
Assumption 1: The advantage of any probabilistic polynomial-time algorithm in solving the problem of decoding random linear codes is negligible with respect to the length and dimension of the code.
Assumption 2: The advantage of any probabilistic polynomial-time algorithm in solving the ()-code distinguishing problem is negligible with respect to the length and dimension of the code.
Assumption 3: The advantage of any probabilistic polynomial-time algorithm in solving the subcode equivalence problem is negligible with respect to the length and dimension of the code.
Assumption 4: The advantage of any probabilistic polynomial-time algorithm in solving the decoding one out of many (DOOM) problem is negligible with respect to the length and dimension of the code.
V-A Information-set decoding algorithm
In code-based cryptography, the best known non-structural attacks rely on information-set decoding. The information-set decoding algorithm was introduced by Prange [50] for decoding cyclic codes. Since Prange's work, several works have studied how to invert code-based encryption schemes using information-set decoding (see [2], Section 4.1).
For a given linear code of length and dimension , the main idea behind information-set decoding is to find a set of coordinates of the received (garbled) vector that are error-free and such that the restriction of the code's generator matrix to these positions is invertible. The original message can then be computed by multiplying the restriction of the received vector to these positions by the inverse of that submatrix.
Those coordinates thus determine the codeword uniquely, which is why the set is called an information set. It is sometimes difficult to state the exact resistance to this type of attack. However, the cost is always lower-bounded by the ratio of error-free information sets to the total number of possible information sets, i.e.,
where is the Hamming weight of the error vector. Therefore, well-chosen parameters can defeat these non-structural attacks. In our scheme, we use the parameters of the Wave signature [23] for the sender and those of Classic McEliece [2] for the receiver in the underlying encryption scheme.
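The following is an added illustration of the information-set decoding idea above, not code from the paper: a plain Prange-style decoder on a small constructed binary [32, 8] code with 2 errors, together with the ratio of error-free coordinate sets to all coordinate sets that the text uses as the lower bound. The parameters, the seeded random code and the error pattern are all constructed for the demonstration.

```python
"""Prange's information-set decoding (ISD) on a small binary linear code.

Added example (not from the paper). Given a generator matrix G of an
[n, k] binary code and a received word c = mG + e with wt(e) = w, Prange's
algorithm repeatedly draws k coordinates, checks that the restriction of G
to those columns is invertible over GF(2) (i.e. the set is an information
set), and solves for m from the matching coordinates of c. It succeeds as
soon as the drawn set is error-free, so the per-iteration success
probability is governed by C(n-w, k) / C(n, k), the ratio stated in words
in Section V-A. The sample code and parameters (n=32, k=8, w=2) are
constructed here.
"""
import random
from math import comb
from typing import List, Optional, Tuple

Matrix = List[List[int]]  # rows of 0/1 ints; arithmetic is over GF(2)


def vec_mat(v: List[int], m: Matrix) -> List[int]:
    """Row vector times matrix over GF(2)."""
    out = [0] * len(m[0])
    for bit, row in zip(v, m):
        if bit:
            out = [x ^ y for x, y in zip(out, row)]
    return out


def gf2_inverse(a: Matrix) -> Optional[Matrix]:
    """Invert a square 0/1 matrix over GF(2) by Gauss-Jordan; None if singular."""
    n = len(a)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def min_distance(g: Matrix) -> int:
    """Minimum weight over all nonzero codewords (exhaustive; fine for small k)."""
    k = len(g)
    return min(sum(vec_mat([(msg >> i) & 1 for i in range(k)], g))
               for msg in range(1, 1 << k))


def build_code(n: int, k: int, w: int, seed: int = 0) -> Matrix:
    """Constructed sample code: the first seeded random k x n matrix whose
    minimum distance exceeds 2w, so decoding w errors has a unique answer
    (a positive minimum distance also guarantees full rank)."""
    while True:
        rng = random.Random(seed)
        g = [[rng.randrange(2) for _ in range(n)] for _ in range(k)]
        if min_distance(g) > 2 * w:
            return g
        seed += 1


def success_lower_bound(n: int, k: int, w: int) -> float:
    """Fraction of k-subsets of the n coordinates that avoid all w error positions."""
    return comb(n - w, k) / comb(n, k)


def prange_decode(g: Matrix, c: List[int], w: int, rng: random.Random,
                  max_iter: int = 20000) -> Tuple[Optional[List[int]], int]:
    """Return (message, iterations used), or (None, max_iter) on failure."""
    k, n = len(g), len(g[0])
    for it in range(1, max_iter + 1):
        info = sorted(rng.sample(range(n), k))          # candidate information set
        g_info = [[row[j] for j in info] for row in g]  # G restricted to those columns
        inv = gf2_inverse(g_info)
        if inv is None:
            continue                                    # not an information set
        m_cand = vec_mat([c[j] for j in info], inv)     # m = c_I * G_I^{-1} if e_I = 0
        err = [x ^ y for x, y in zip(c, vec_mat(m_cand, g))]
        if sum(err) <= w:                               # codeword within w of c found
            return m_cand, it
    return None, max_iter


def demo(n: int = 32, k: int = 8, w: int = 2, seed: int = 1) -> dict:
    """Encode a constructed message, inject w errors, decode with Prange's ISD."""
    g = build_code(n, k, w)
    rng = random.Random(seed)
    m = [rng.randrange(2) for _ in range(k)]
    c = vec_mat(m, g)
    for pos in rng.sample(range(n), w):                 # constructed error pattern
        c[pos] ^= 1
    decoded, iters = prange_decode(g, c, w, rng)
    return {"message": m, "decoded": decoded, "iterations": iters,
            "error_free_set_fraction": success_lower_bound(n, k, w)}


if __name__ == "__main__":
    print(demo())
```

With the Classic McEliece or Wave parameters the same ratio is astronomically small, which is what makes well-chosen parameters resistant to this family of attacks.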
V-B Key recovery attack
In our case, a key recovery attack can be mounted at two different levels: on the sender side and on the receiver side.
On the receiver side, it consists of recovering the Goppa polynomial and the support from the public matrix. The natural way to do this is a brute-force attack: one can determine the sequence from and the set , or alternatively determine from . A good choice of parameters defeats this attack: for an irreducible Goppa code, the number of choices of is given by
Using the parameters of Classic McEliece, we can see that the complexity of a brute-force search for the Goppa polynomial is more than for the parameters proposed in [2]. It is also important to note that performing the recovery attack also implies solving an instance of the subcode equivalence problem. According to Assumption 3, solving this problem is hard in the worst case. The best known way to solve the subcode equivalence problem is exhaustive search; another technique is to solve an algebraic system.
In the case of the sender, the key recovery attack consists of first solving the ()-code distinguishing problem for finite fields of cardinality . Therefore, under Assumption 3 and with a well-chosen set of parameters, this attack would fail.
V-C IND-CCA2 and SUF-CMA security
In code-based cryptography, the main approach to a chosen-ciphertext attack against the McEliece encryption scheme consists of adding two errors to the received word. If decryption succeeds, the error vector in the resulting word has the same weight as the original one. In our signcryption tag-KEM scheme, this would mean either recovering the session key or distinguishing the encapsulations of two different session keys from . We see that recovering the session key corresponds to recovering a plaintext in a CCA2-secure version of McEliece's cryptosystem (see [16], Subsection 3.2). We now have the following theorem:
Theorem 2
Under Assumptions 1 and 3, the signcryption tag-KEM scheme described in Subsection IV-A is IND-CCA2 secure.
Proof:
Let be a PPT adversary against the signcryption tag-KEM scheme described in Subsection IV-A in the signcryption tag-KEM IND-CCA2 game, and let us denote its advantage by . To prove Theorem 2 we need to bound .
Game 0: This game is the normal signcryption tag-KEM IND-CCA2 game. Let denote the event that the adversary wins Game 0 and its probability. Then we have
Game 1: This game corresponds to the simulation of the hash function oracle. It is the same as Game 0 except that the adversary has access to the hash function oracle: it looks for some pair such that . Then it tries to continue by computing . We can see that it can succeed at least when the following collisions happen:
Therefore, if is the number of queries allowed and is the event that wins Game , then we have:
Game 2: This game is the same as Game 1 except that the error vector e in the encapsulation output is generated randomly. We can see that the best way to proceed is to split c as and then try to invert either , to recover the error, or , to recover the internal state directly. That means that the adversary is able either to solve the syndrome decoding problem or to invert a one-time pad. Therefore we have:
where is the advantage of an adversary against the syndrome decoding problem, is a negligible function and is the bit length of the symmetric encryption key.
We can show that if the adversary wins this game, we can use it to construct an adversary that attacks the underlying McEliece scheme in the public-key encryption IND-CCA2 game (called PKE.Game in Appendix A). For more details on the underlying McEliece encryption scheme and its IND-CCA2 security proof, the reader is referred to Appendix C. We now proceed as follows:
- Given the receiver public key , which corresponds to a receiver public key of the signcryption tag-KEM, :
  - chooses randomly,
  - chooses randomly,
  - sends the public key and to .
- Given a tag from , :
  - sends the pair (, ) to the encryption oracle of PKE.Game,
  - forwards the ciphertext c received from the encryption oracle to .
- For every decryption query (, ) from :
  - if , it returns to ;
  - otherwise it sends to the decryption oracle of PKE.Game and, on receiving from the decryption oracle:
    - if , it returns to ,
    - otherwise it returns to .
- When outputs , returns 1; otherwise it returns 0.
Let be the advantage of in PKE.Game. Note that the target ciphertext c can be uniquely decrypted to . Therefore any other than cannot be a valid signcryption ciphertext unless a collision of takes place, i.e., . The correct answer to any decryption query with is . Decryption queries from are correctly answered, since is decrypted by the decryption oracle of PKE.Game.
When outputs , this means that is embedded in ; otherwise is embedded. Hence the adversary wins PKE.Game with the same probability as wins Game 2 when no collision of has happened. Let be the event that a collision of has happened and the event that wins PKE.Game. Let us denote by the probability of the event and by that of . Therefore we have:
By putting it all together, we conclude our proof.
Theorem 3
Under Assumptions 3 and 4, the signcryption tag-KEM scheme described in Subsection IV-A is SUF-CMA secure.
Proof:
Let be an adversary against our signcryption tag-KEM in the SUF-CMA game and its advantage. To forge a signcryption, the adversary first needs to find a pair such that . Then it will try to find such that , i.e., it wins the target preimage-free game (see Appendix B) against the cryptographic hash function . We can see that finding such that corresponds to a forgery of the underlying Wave signature scheme. Let be the advantage of an adversary in the preimage-free game against a cryptographic hash function. Let be an adversary against the Wave signature in the EUF-CMA game and its advantage. Let be the event that wins, and let be the event that the adversary is able to find a preimage x of y under such that . We have:





Since is a cryptographic hash function, is negligible, which concludes our proof.
Corollary 1
The signcryption tag-KEM described in Subsection IV-A is secure.
Theorem 4
Under Assumptions 1–4, the hybrid signcryption tag-KEM+DEM scheme described in Subsection IV-B is IND-CCA2 and SUF-CMA secure.
Proof:
Under Assumptions 1–3, Theorems 2 and 3 establish the conditions on the signcryption tag-KEM that are required for a secure hybrid signcryption (see Theorem 1). In addition, the symmetric encryption scheme used is OT-secure, and hence a direct application of Theorem 1 proves the theorem.
VI Parameter values
For our scheme we choose parameters such that and of the underlying Wave signature and McEliece encryption, respectively, satisfy . In terms of the sender and receiver keys, the size of our ciphertext is given by
Table I gives suggested values for the parameters of our scheme. These values are derived from those of Wave [5] and Classic McEliece [2] for NIST security Level 1. With the values given in Table I, the ciphertext size of our scheme in bits is of the order of .
Table I: Suggested parameter values (the parameter symbols of the header row did not survive extraction; the values are listed in the paper's order).
Parameter  [symbols lost in extraction]
Value      8492  3558  2047  7980  12  64  3488  1815  512
Table II gives the key sizes of our scheme in terms of the relevant parameters. In Table III we then give a numerical comparison of the key and ciphertext sizes of our scheme with those of some existing lattice-based hybrid signcryption schemes. For the lattice-based schemes in our comparison, the parameters, including a plaintext size of 512 bits, are taken from [52, Table 2]. We can see that for post-quantum security level 1 the proposed scheme in some cases requires a relatively larger sender key, but in all cases has the smallest receiver key and ciphertext.
Table II: Key sizes of our scheme (the size expressions did not survive extraction).
User                 Public key                  Secret key
Receiver's key size  [expression lost]           [expression lost]
Sender's key size    [expression lost]           [expression lost]
VII Conclusion
In this paper, we have proposed a new signcryption tag-KEM based on coding theory. The security of our scheme relies on known hard problems in coding theory. We have used the proposed signcryption scheme to design a new code-based hybrid signcryption tag-KEM+DEM. We have proven that the proposed schemes are IND-CCA2 and SUF-CMA secure against any probabilistic polynomial-time adversary. The proposed scheme has a smaller ciphertext size than the pertinent lattice-based schemes.
References
 [1] N. Aragon, O. Blazy, P. Gaborit, A. Hauteville, and G. Zémor, “Durandal: a rank metric based signature scheme,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2019, pp. 728–758.
 [2] M. R. Albrecht, D. J. Bernstein et al., “Classic McEliece: conservative code-based cryptography.” [Online]. Available: https://classic.mceliece.org/nist/mceliece20201010.pdf
 [3] J. Baek, R. Steinfeld, and Y. Zheng, “Formal proofs for the security of signcryption,” Journal of Cryptology, vol. 20, no. 2, pp. 203–235, 2007.
 [4] G. Banegas, P. S. Barreto, B. O. Boidje, P.L. Cayrel, G. N. Dione, K. Gaj, C. T. Gueye, R. Haeussler, J. B. Klamti, O. N’diaye et al., “Dags: Key encapsulation using dyadic gs codes,” Journal of Mathematical Cryptology, vol. 12, no. 4, pp. 221–239, 2018.
 [5] G. Banegas, T. Debris-Alazard, M. Nedeljkovic, and B. Smith, “Wavelet: Code-based postquantum signatures with fast verification on microcontrollers,” arXiv preprint arXiv:2110.13488, 2021.
 [6] E. Barelli and A. Couvreur, “An efficient structural attack on NIST submission DAGS,” in International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2018, pp. 93–118.
 [7] P. S. Barreto, B. Libert, N. McCullagh, and J.J. Quisquater, “Signcryption schemes based on the Diffie–Hellman problem,” in Practical Signcryption. Springer, 2010, pp. 57–69.
 [8] P. S.