A code-based hybrid signcryption scheme

by   Jean Belo Klamti, et al.
University of Waterloo

A key encapsulation mechanism (KEM) that takes as input an arbitrary string, i.e., a tag, is known as tag-KEM, while a scheme that combines signature and encryption is called signcryption. In this paper, we present a code-based signcryption tag-KEM scheme. We utilize a code-based signature and a CCA2 (adaptive chosen ciphertext attack) secure version of McEliece's encryption scheme. The proposed scheme uses an equivalent subcode as a public code for the receiver, making the NP-completeness of the equivalent subcode problem be one of our main security assumptions. We then base the signcryption tag-KEM to design a code-based hybrid signcryption scheme. A hybrid scheme deploys an asymmetric- as well as a symmetric-key encryption. We give security analyses of both our schemes in the standard model and prove that they are secure against IND-CCA2 (indistinguishability under adaptive chosen ciphertext attack) and SUF-CMA (strong existential unforgeability under chosen message attack).



There are no comments yet.


page 1

page 2

page 3

page 4


On the security of a Loidreau's rank metric code based encryption scheme

We present a polynomial time attack of a rank metric code based encrypti...

Mutual Heterogeneous Signcryption Schemes for 5G Network Slicings

With the emerging of mobile communication technologies, we are entering ...

Chosen-Plaintext Cryptanalysis of a Clipped-Neural-Network-Based Chaotic Cipher

In ISNN'04, a novel symmetric cipher was proposed, by combining a chaoti...

AMOUN: Asymmetric lightweight cryptographic scheme for wireless group communication

Multi-recipient cryptographic schemes provide secure communication, betw...

Cryptanalysis of a Chaos-Based Fast Image Encryption Algorithm for Embedded Systems

Fairly recently, a new encryption scheme for embedded systems based on c...

An Attack on the the Encryption Scheme of the Moscow Internet Voting System

The next Moscow City Duma elections will be held on September 8th with a...

Attack Detection for Networked Control Systems Using Event-Triggered Dynamic Watermarking

Dynamic watermarking schemes can enhance the cyber attack detection capa...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

In public-key cryptography, the authentication and confidentiality of communication between a sender and a receiver are ensured by a two-step approach called signature-then-encryption. In this approach, the sender uses a digital signature scheme to sign a message and then encrypt it using an encryption algorithm. The cost of delivering a message in a secure and authenticated way using the signature-then-encryption approach is essentially the sum of the cost of digital signature and that of encryption.

In 1997, Y. Zheng introduced a new cryptographic primitive called signcryption to provide both authentication and confidentiality in a single logical step [59]. In general, one can expect the cost of signcryption to be noticeably less than that of signature-then-encryption. Zheng’s sincryption scheme is based on the hardness of discrete logarithm problem. Since Zheng’s work, a number of signcryption schemes based on different hard assumptions have been introduced, see for example [59, 60, 55, 57, 36, 7, 8, 28]. Of these, the most efficient ones have followed Zheng’s approach, i.e., used symmetric-key encryption as a black-box component [7, 8, 28]. It has been of interest to many researchers to study how a combination of asymmetric- and symmetric-key encryption schemes could be used to build efficient signcryption schemes in a more general setting.

To this end, Dent in 2004 proposed the first formal composition model for hybrid signcryption [25] and in 2005 developed an efficient model for signcryption KEMs in the outsider- and the insider-secure setting [26, 27]. In the outsider-secure setting the adversary is assumed to be distinct from the sender and receiver, while in the insider-secure setting the adversary is assumed to be a second party (i.e., either sender or receiver). In order to improve the model for the insider-secure setting in hybrid signcryption, Bjørstad and Dent in 2006 proposed a model based on encryption tag-KEM rather than regular encryption KEM [14]. Their model provides a simpler description of signcryption with a better generic security reduction for the signcryption tag-KEM construction. A year after Bjørstad and Dent’s work, Yoshida and Fujiwara reported the first study of multi-user setting security of signcryption tag-KEMs [58] which is a more suitable setting for the analysis of insider-secure schemes.


The aforementioned signcryption schemes are based on the hardness of either the discrete logarithm or the integer factorization problem and would be broken with the arrival of sufficiently large quantum computers. Therefore it is of interest to design signcryption schemes for the post-quantum era. Coding theory has some hard problems that are considered quantum-safe and in this paper we explore the design of code-based signcryption.

The first attempt for code-based signcryption was presented in 2012 by Preetha et al. [39]. After that work, an attribute-based signcryption scheme based on linear codes was introduced in 2017 by Song et al. [53]. Code-based signcryption remains an active area of research, specifically to study the design of cryptographic primitives like signcryption schemes that are quantum-safe.


In this paper we present a signcryption tag-KEM scheme using a probabilistic full domain hash (FDH) like code-based signature and a CCA2 secure version of McEliece’s encryption scheme. The underlying code-based signature in our scheme is called Wave introduced by Debris-Alazard et al. [4], while the CCA2 secure version of the McEliece scheme is based on the Fujisaki-Okamoto conversion introduced by Cayrel et al. [16]. Instead of using only the hardness of the Goppa syndrome decoding problem, we add a second security assumption which is the NP-completeness of the subcode equivalence problem [10]. To this end, we use an equivalent Goppa subcode as the receiver public code. Then, we base our signcryption tag-KEM to design a code-based hybrid signcryption scheme. We also give security analyses of these two schemes in the standard model assuming the insider-secure setting.


This paper is organized as follows. In Section II, we first recall some basic notions of coding theory and then briefly describe relevant encryption and signature schemes that are of interest to this work. Section III has the definition and framework of signcryption and hybrid signcryption, and a brief review of the relevant security model. We present our sigcryption and hybrid sigcryption schemes in Section IV and then provide security analyses of the proposed schemes in Section V. We provide a set of parameters for the hybrid sigcryption scheme in Section VI and then conclude in Section VII.


In this paper we use the following notations:

  • : finite field of size where is a prime power.

  • : -linear code of length .

  • x

    : a word or vector of


  • : weight of x.

  • (resp. ): generator (resp. parity-check) matrix of linear code .

  • is the set of -ary vectors of length and weight .

  • (resp. ): sender’s (resp. receiver’s) secrete key for signcryption.

  • (resp. ): sender’s (resp. receiver’s) public key for signcryption.

Ii Preliminaries

In this section we recall some notions pertaining to coding theory and code-based cryptography.

Ii-a Coding theory and some relevant hard problems

Let us consider the finite field . A -ary linear code of length and dimension over is a vector subspace of dimension of . It can be specified by a full rank matrix , called generator matrix of , whose rows span the code. Namely, . A linear code can also be defined by the right kernel of matrix , called parity-check matrix of , as follows:

The Hamming distance between two codewords is the number of positions (coordinates) where they differ. The minimal distance of a code is the minimal distance of all codewords.

The weight of a word or vector , denoted by is the number of its nonzero positions. Then the minimal weight of a code is the minimal weight of all nonzero codewords. In the case of linear code , its minimal distance is equal to the minimal weight of the code.

Below we recall some hard problems that are relevant to our discussions and analyses presented in this article.

Problem 1

(Binary syndrome decoding (SD) problem) Given a matrix , a vector , and an integer , find a vector such that and .

The syndrome decoding problem was proven to be NP-complete in 1978 by Berlekamp et al. [13]. It is equivalent to the following problem.

Problem 2

(General decoding (GBD) problem) Given a matrix , a vector , and an integer , find two vectors and such that and .

The following problem is used in the security proof of the underlying signature that we use in this paper. It was first considered by Johansson and Jonsson in [35]. It was analyzed later by Sendrier in [51].

Problem 3

(Decoding One Out of Many (DOOM) problem) Given a matrix , a set of vector , ,…, and an integer , find a vector and an integer such that , and .

Problem 4

(Goppa code distinguishing problem) Given a matrix , decide whether is a random binary or parity-check matrix of a Goppa code.

Faugère et al. [30] showed that Problem 4 can be solved in special cases of Goppa codes with high rate.

The following is one of the problems, which the security assumption of our scheme’s underlying signature mechanism relies on.

Problem 5

(Generalized () code distinguishing problem.) Given a matrix , decide whether is a parity-check matrix of a generalized ()-code.

Problem 5 was shown to be hard in the worst case by Debris-Alazard et al. [22] since it is NP-complete. Below, we recall the subcode equivalence problem which is the second problem on which the security assumptions of our scheme is based. This problem was proven to be NP-complete in 2017 by Berger et al. [10].

Problem 6

(Subcode Equivalence problem [10]) Given two linear codes and of length and respective dimension and , , over the same finite field , determine whether there exists a permutation of the support such that is a subcode of .

Ii-B Code-based encryption

The first code-based encryption was introduced in 1978 by R. McEliece [41]. Below (in Figure 1) we give the McEliece scheme Fujisaki-Okamoto conversion [16] which comprises three algorithms: key generation, encryption, and decryption.

Key generation: Randomly generate a monic irreducible polynomial of degree Select a uniform random set of different elements . Compute a generator matrix of the binary Goppa code from and . Randomly choose a full rank matrix and permutation matrix with . Set and . Encrypt Input: Public key of the receiver and clear text m. Output: A ciphertext c. Compute Compute Compute . Parse Return c Decrypt Input: Receiver’s secret key , a ciphertext c and two hash functions and . Output: A clear message m. Parse c into () Compute Compute , where is a decoding algorithm for Goppa code. Compute Compute If Return Return m

Fig. 1: McEliece’s scheme with Fujisaki-Okamoto conversion

The main drawback of the McEliece encryption scheme is its very large key size. To address this issue, many variants of McEliece’s scheme have been proposed, see for example [11, 12, 42, 43, 9, 46]. In order to reduce the size of both public and private keys in code-based cryptography, H. Niederreiter in 1986 introduced a new cryptosystem [44]. Niederreiter’s cryptosystem is a dual version of McEliece’s cryptosystem with some additional properties such that the ciphertext length is relatively smaller. Indeed, the public key in Niederreiter’s cryptosystem is a parity-check matrix instead of a generator matrix. In addition, ciphertexts are syndrome vectors instead of erroneous codewords. However, the McEliece and the Niederreiter schemes are equivalent from the security point of view due to the fact that Problems 1 and 2 are equivalent.

Code-based hybrid encryption: A hybrid encryption scheme is a cryptographic protocol that features both an asymmetric- and a symmetric-key encryption scheme. The first component is known as Key Encapsulation Mechanism (KEM), while the second is called Data Encapsulation Mechanism (DEM). The framework was first introduced in 2003 by Cramer and Shoup [21] and later the first code-based hybrid encryption was introduced in 2013 by Persichetti [47] using Niederreiter’s encryption scheme. Persichetti’s scheme was implemented in 2017 by Cayrel et al. [17]. After Persichetti’s work, some other code-based hybrid encryption schemes have been reported, e.g., [40].

Ii-C Code-based signature

Designing a secure and practical code-based signature scheme is still an open problem. The first secure code-based signature scheme was introduced by Courtois et al. (CFS) [20]. It is a full domain hash (FDH) like signature with two security assumptions: the indistinguishability of random binary linear codes and the hardness of syndrome decoding problem. To address some of the drawbacks of Courtois et al.’s scheme, Dallot proposed a modified version, called mCFS, which is provably secure. Unfortunately, this scheme is not practical due to the difficulties of finding a random decodable syndrome. In addition, the assumption of the indistinguishability of random binary Goppa codes has led to the emergence of attacks as described in [30]. One of the latest code-based signature schemes of this type is called Wave [23]. It is based on generalized ()-codes. It is secure and more efficient than the CFS signature scheme. In addition, it has a smaller signature size than almost all finalist candidates in the NIST post-quantum cryptography standardization process [5].

Apart from the full domain hash approach, it is possible to design signature schemes by applying the Fiat-Shamir transformation [31] to an identification protocol. To this end, one may use a code-based identification scheme like that of Stern [56], Jain et al. [34], or Cayrel et al. [18]. This approach however leads to a signature scheme with a very large signature size. To address this issue, Lyubashevsky’s framework [37] can apparently be adapted. Unfortunately almost all code-based signature schemes in Hamming metric designed by using this framework have been cryptanalyzed [15, 48, 49, 32, 38, 54]. The only one which has remained secure so far is a rank metric-based signature scheme proposed by Aragon et al.[1].

In Figure 2, we recall Debris-Alazard et al.’s signature scheme (Wave) which is of our interest for this work. In Wave, the secret key is a tuple of three matrices , where

is an invertible matrix,

is a parity-check matrix of a generalized ()-code and is a permutation matrix. The public key is a matrix , where . Steps for signature and verification processes are given in Figure 2. For additional details, the reader is referred to [24, 23].

Input: Public key , secret key , dimension of the generalized ()-code, the dimension of the code , the dimension of the code and the weight of error vectors. Output: Signature: Compute Return
Verification: Compute Compute . If : Return Else: Return valid

Fig. 2: Wave signature scheme [23]

Iii Signcryption and security model

In this section, we first recall the definition of signcryption followed by the signcryption tag-KEM framework and its security model under the insider setting.

Iii-a Signcryption and its tag-KEM framework

Signcryption: A signcryption scheme is a tuple of algorithms SC=(Setup, KeyGen, KeyGen, Signcrypt, Unsigncryt) [3] where:

  1. Setup() is the common parameter generation algorithm with , the security parameter,

  2. KeyGen(resp. KeyGen) is a key-pair generation algorithm for the sender (resp. receiver),

  3. Signcrypt is the signcryption algorithm and

  4. Unsigncrypt corresponds to the unsigncryption algorithm.

For more details on the design of signcryption, the reader is referred to [29] (Chap. 2, Sec. 3, p. 30).

Signcryption tag-KEM: A signcryption tag-KEM denoted by SCTKEM is a tuple of algorithms [14]:


  • Com is an algorithm for generating common parameters.

  • (resp. ) is the sender (resp. receiver) key generation algorithm. It takes as input the global information , and returns a private/public keypair (SCSK, SCPK) (resp. (SCSK, SCPK)) that is used to send signcrypted messages.

  • Sym is a symmetric key generation algorithm. It takes as input the private key of the sender SCSK and the public key of the receiver SCPK, and outputs a symmetric key together with internal state information .

  • Encap takes as input the state information together with an arbitrary string , which is called a tag, and outputs an encapsulation .

  • Decap is the decapsulation/verification algorithm. It takes as input the sender’s public key SCPK, the receiver’s private key SCSK, an encapsulation and a tag . It returns either symmetric key or the unique error symbol .

Hybrid signcryption tag-KEM+DEM: It is simply a combination of a SCTKEM and a regular Data Encapsulation Mechanism (DEM).

Iii-B Insider security for signcryption tag-KEM

IND-CCA2 game in signcryption tag-KEM: It corresponds to a game between a challenger and a probabilistic polynomial-time adversary such that the latter tries to distinguish whether a given session key is the one embedded in an encapsulation or not. During this game, has an adaptive access to three oracles for the attacked user corresponding to algorithms , , and [14, 29, 58]. The game is described in Figure 3 below.

Oracles: is the symmetric key generation oracle with input a public key , and computes (, ) = (SCSK, SCPK). It then stores the value (hidden from the view of the adversary, and overwriting any previously stored values), and returns the symmetric key . is the key encapsulation oracle. It takes an arbitrary tag as input, and checks whether there exists a stored value . If there is not, it returns and terminates. Otherwise it erases the value from storage, and returns . corresponds to the decapsulation/verification oracle. It takes an encapsulation , a tag , any sender’s public key SCPK as input and returns . IND-CCCA2 Game for SCTKEM: , and

Fig. 3: IND-CCA2 game [58].

During Step 7, the adversary is restricted not to make decapsulation queries on to the descapsulation oracle. The advantage of the adversary is defined by:

A signcryption tag-KEM is IND-CCA2 secure if, for any adversary , its advantage in the IND-CCA2 game is negligible with respect to the security parameter .

SUF-CMA game for signcryption tag-KEM: This game is a challenge between a challenger and a probabilistic polynomial-time adversary (i.e., a forger) . In this game, the forger tries to generate a valid encapsulation from the sender to any receiver, with adaptive access to the three oracles. The adversary is allowed to come up with the presumed secret key as part of his forgery [58]:


Fig. 4: SUF-CMA game [58].

The adversary wins the SUF-CMA game if

and the encapsulation oracle never returns when he queries on the tag . The advantage of

is the probability that

wins the SUF-CMA game. A signcryption tag-KEM is SUF-CMA secure if the winning probability of the SUF-CMA game by is negligible.

Definition 1

A signcryption tag-KEM is said to be secure if it is IND-CCA2 and SUF-CMA secure.

Iii-C Generic security criteria of hybrid signcryption tag-KEM+DEM

Security criteria for hybrid signcryption: The security of a hybrid signcryption tag-KEM+DEM depends on those of the underlying signcryption tag-KEM and DEM. However, it is important to note that in the standard model a signcryption tag-KEM is secure if it is both IND-CCA2 and SUF-CMA secure. Therefore, the generic security criteria for hybrid signcryption tag-KEM+DEM is given by the following theorem:

Theorem 1

[58, 14] Let be a hybrid signcryption scheme constructed from a signcryption tag-KEM and a DEM. If the signcryption tag-KEM is IND-CCA2 secure and the DEM is one-time secure, then is IND-CCA2 secure. Moreover, if the signcryption tag-KEM is SUF-CMA secure, then is also SUF-CMA secure.

Iv Code-based hybrid signcryption

In this section, we first design a code-based signcryption tag-KEM scheme. Then we combine it with a one-time (OT) secure DEM for designing a hybrid signcryption tag-KEM+DEM scheme.

Iv-a Code-based signcryption tag-KEM scheme

For designing our code-based signcryption tag-KEM scheme, we use the McEliece scheme as the underlying encryption scheme. More specifically, in order to achieve the CCA2 security for our schemes, we use McEliece’s scheme with the Fujisaki-Okamoto conversion [33, 16]. The authors of [16] gave an instantiation of this scheme using generalized Srivastava (GS) codes. Indeed, by using GS codes, it seems possible to choose secure parameters even for codes defined over relatively small extension fields. However, Barelli and Couvreur recently introduced an efficient structural attack [6] against some of the candidates in the NIST post-quantum cryptography standardization process. Their attack is against code-based encryption schemes using some quasi-dyadic alternant codes with extension degree . It works specifically for schemes based on GS code called DAGS [4]. Therefore, in our work we use the Goppa code with the Classic McEliece parameters. As for the underlying signature scheme, we use the code-based Wave [23] as described earlier.

The fact that we use Wave, the sender’s secret key is a generalized ()-code over a finite field with . Its public key is a parity-check matrix of a code equivalent to the previous one. To address the indistinguishability issue with high rate Goppa code, we use Goppa subcode equivalent for the receiver’s public key. In Fig. 5, we describe the algorithm Com which will provide common parameters for our scheme.

Com Input: () Output: Parameters of sender’s generalized ()-code: code length , dimension of U, dimension of V, dimension of the generalized ()-code, weight of error vector , cardinality of the finite field . Parameters of receiver’s Goppa code: degree of extension of , length of the Goppa code, degree of Goppa polynomial , dimension of Goppa subcode. A cryptographic hash functions A cryptographic hash functions where is the bit length of the symmetric encryption key. A hash function where . A cryptographic hash function An encoding function where is a well chosen parameters such that and is the set of binary vectors of length and Hamming weight .

Fig. 5: Description of Common parameters.

We give key generation algorithms in Figure 6, where we denote the sender key generation algorithm by KeyGenS and that of the receiver by KeyGenR. The receiver algorithm KeyGenR returns as signcryption public key a generator matrix of a Goppa subcode equivalent. It returns as signcryption secret key the tuple (), where and are, respectively, the support and the polynomial of a Goppa code. is a full rank matrix and a permutation matrix. The sender key generation algorithm KeyGenS returns as private key three matrices , and , where is an invertible matrix, a parity-check matrix of a random generalized ()-code and a permutation matrix. The sender public key is a parity-check matrix of a generalized () equivalent code given by .

KeyGenR Input: Integers and . Output: and . Randomly generate a monic irreducible polynomial of degree Select a uniform random set of different elements . Compute a parity-check matrix of the binary Goppa code from and . Randomly choose a full rank matrix and permutation matrix with . Set and . Return and .
KeyGenS Input: Integers and . Output: and Choose randomly a parity-check matrix of a code () over such that dim and dim. Randomly choose a full rank matrix and a monomial matrix . Set and . Return and .

Fig. 6: Description of Common parameters and key generation algorithm.

In Figure 7, we give the design of the symmetric key generation algorithm Sym of our scheme. The algorithm Sym takes as input the bit length of the symmetric encryption key. It outputs an internal state information and the session key , where is randomly chosen from , and is computed by using the hash function .

Sym Input: The bit length of the symmetric encryption key. Output: An internal state information and a session key . Compute Set Return

Fig. 7: Description of the Sym algorithm.

Figure 8 provides a description of the encapsulation and decapsulation algorithms of our signcryption tag-KEM scheme. We denote the encapsulation algorithm by Encap and the decapsulation by Decap. In the encapsulation algorithm, the sender first performs a particular Wave signature on the message , where corresponds to an internal state information and is the input tag. The signature in the Wave scheme comprises two parts: an error vector and a random binary vector y. In our scheme, z is the hash of a random coin . The sender then performs an encryption of . The encryption that we use in our scheme is the IND-CCA2 secure McEliece encryption scheme with the Fujisaki-Okamoto conversion introduced by Cayrel et al. [16]. During the encryption, the sender adaptively uses the random binary vector y as a random coin. The resulting ciphertext is denoted by c. The output is given by .

Encap Input: (, ) with Output: An encapsulation of the internal state information . with Compute Compute Compute Compute Compute Compute Compute , where with an constant weight encoding function. Compute . Parse Return
Decap Input: (, , , ) Output: Session key Parse as . Compute Parse x as () If or : Return Compute Return .

Fig. 8: Description of the Encap and Decap algorithms.

In the decapsulation algorithm Decap, the receiver first performs recovery of the internal state information by using the algoritm Decrypt and the second part of the signature of m. Then it verifies the signature and computes the session by using .

The algorithm Decrypt that we use in the decapsulation algorithm of our scheme is described in Figure 9. It is similar to that described in [16] but we introduce some modifications which are:

  1. we use an encoding function

  2. the output is not only the clear message m, but a pair () where y is the reciprocal image the error vector by the encoding function

Decrypt Input: Secrete the receiver and a ciphertext c . Output: The pair (), where . Parse c into () Compute , where is a decoding algorithm for Goppa code. Compute Compute If Return Return

Fig. 9: Description of the Sym algorithm.

Completeness of our signcryption tag-KEM

Let be a tag, (, ) (resp. ( and )) be sender’s (resp. receiver’s) key pair generated by the algorithm with input . Let (, ):=(, ) be a pair of a session key and an internal state information. Let () be an encapsulation of the internal state information . Assuming that the encapsulation and decapsulation are performed by an honest user, we have:

  • The receiver can recover the pair ( from c and verify successfully that

    Otherwise the receiver performs a successful signature verification of message signed by an honest user using the dual version of mCFS signature.

  • Therefore it can compute the session key .

Iv-B Code-based hybrid signcryption

Here we use the signcryption tag-KEM described in Section IV-A for designing a code-based hybrid signcryption. For the data encapsulation we propose the use of a regular OT-secure symmetric encryption scheme. We denote the symmetric encryption algorithm being used by SymEncrypt and the symmetric decryption algorithm by SymDecrypt.

Figure 10 gives the design of our code-based hybrid signcryption tag-KEM+DEM. In this design, algorithms Com, KeyGen and KeyGen are the same as those of our signcrytion tag-KEM. Algorithms Sym and Encaps are those of our signcryption tag-KEM in Section IV-A.

Signcryption Input: A three tuple (SCSK, SCPK, m) Output: The signcrypted message . Compute (, )=(SCSK, SCPK Compute (, m) Compute (, ) Return
Unsigncryption Input: A three tuple (SCSK, SCPK, ) Output: The clear text m If (SCSK, SCPK, c)= return Compute () Return m

Fig. 10: Code-based hybrid signcryption from SCTKEM and DEM.

V Security analysis

Before discussing the security of our hybrid scheme, let us consider the following assumptions for our security analysis:

Assumption 1: The advantage of probabilistic polynomial-time algorithm to solve the decoding random linear codes problem is negligible with respect to the length and dimension of the code.

Assumption 2: The advantage of probabilistic polynomial-time algorithm to solve the () distinguishing problem is negligible with respect to the length and dimension of the code.

Assumption 3: The advantage of probabilistic polynomial-time algorithm to solve the subcode equivalence problem is negligible with respect to the length and dimension of the code.

Assumption 4: The advantage of probabilistic polynomial-time algorithm to solve the decoding one out of many (DOOM) problem is negligible with respect to the length and dimension of the code.

V-a Information-set decoding algorithm

In code-based cryptography, the best known non-structural attacks rely on information-set decoding. The information-set decoding algorithm was introduced by Prange [50] for decoding cyclic codes. After the publication of Prange’s work, there have been several works studying to invert code-based encryption schemes based on information-set decoding (see [2] Section 4.1).

For a given linear code of length and dimension , the main idea behind the information-set decoding algorithm is to find a set of coordinates of a garbled vector that are error-free and such that the restriction of the code’s generator matrix to these positions is invertible. Then, the original message can be computed by multiplying the encrypted vector by the inverse of the submatrix.

Thus, those bits determine the codeword uniquely, and hence the set is called an information set. It is sometimes difficult to draw the exact resistance to this type of attacks. However, they are always lower-bounded by the ratio of information sets without errors to total possible information sets, i.e.,

where is the Hamming weight of the error vector. Therefore, a well chosen parameters can avoid these non-structural attacks. In our scheme, we use the parameters of the Wave signature [23] for the sender and those of Classic McEliece [2] for the receiver in the underlying encryption scheme.

V-B Key recovery attack

In our case, the key recovery attack is at two different levels: the first one is on the sender side and the second one on the receiver side.

On the receiver side, it consists of the recovery of the Goppa polynomial and the support from the public matrix. Therefore, the natural way for this is to perform a brute-force attack: one can determine the sequence from and the set , or alternatively determine from . A good choice of parameters can avoid this attack for the irreducible Goppa code the number of choices of is given by

By using the parameters of Classic McEliece, we can see that the complexity for performing a brute-force attack to find Goppa polynomial is more than for the parameters proposed in [2]. It is also important to note that performing the recovery attack also implies solving an instance of subcode equivalence problem. According to Assumption 3, solving this problem is hard in the worst case. The best way to solve the subcode equivalence problem is to perform an exhaustive search. Another technique for this is to proceed by solving an algebraic system.

In the case of the sender, the key recovery attack consists of first solving the () distinguishing problem for finite fields of cardinality . Therefore under Assumption 3 and with a well chosen set of parameters this attack would fail.

V-C IND-CCA2 and SUF-CMA security

In code-based cryptography, the main approach to a chosen-ciphertext attack against the McEliece encryption scheme consists of adding two errors to the received word. If the decryption succeeds, it means that the error vector in the resulting word has the same weight as the previous one. In our signcryption tag-KEM scheme, this implies either to recover the session key or distinguish encapsulation of two different session keys from . We see that the recovery of the session key corresponds to recovery of a plaintext in a CCA2 secure version of McEliece’s cryptosystem (see [16] Subsection 3.2). We now have the following theorem:

Theorem 2

Under Assumptions 1 and 3, the signcryption tag-KEM scheme described in Subsection IV-A is IND-CCA2 secure.


Let be a PPT adversary against the signcryption tag-KEM scheme described in Subsection IV-A in the signcryption tag-KEM IND-CCA2 game. Let us denote its advantage by . For proving Theorem 2 we need to bound .

Game 0: This game is the normal signcryption tag-KEM IND-CCA2 game. Let us denote by the event that the adversary wins Game 0 and the probability that it happens. Then we have

Game 1: This game corresponds to the simulation of hash function oracle. Indeed it is the same as Game 0 except that adversary can have access to hash function oracle: It looks for some pair such that . Then, it tries to continue by computing . We can see that it could succeed at least when the following collisions happen:

Therefore, if is the number of queries allowed and the event that wins game , then we have:

Game 2: This game is the same as Game 1 except that the error vector e in the encapsulation output is generated randomly. We can see that the best to proceed is to split c as and then try to invert either for recovering the error or for recovering directly the internal state

. That means that the adversary is able either to solve the syndrome decoding problem or to invert an one-time pad function. Therefore we have:

where is the advantage of an adversary against the syndrome decoding problem, a negligible function and the bit length of the symmetric encryption.

We can show that if the adversary wins this game, we can use it to construct an adversary for attacking the underlying McEliece scheme in the public key encryption IND-CCA2 game (called PKE.Game in Appendix -A). For more details on the underlying McEliece encryption scheme and its IND-CCA2 security proof, the reader is referred to Appendix -C. We now proceed as follows:

  1. Given the receiver public key which corresponds to a receiver public key signcryption tag-KEM, :

    • chooses randomly

    • chooses randomly

    • sends the public key and to

  2. Given a tag from , :

    • sends the pair (,) to the encryption oracle of PKE.Game

    • forwards c received from the encryption oracle to

  3. For every decryption query (, ) from :

    • if , return to

    • Otherwise it sends to the decryption oracle of PKE.Game. Receiving from the decryption oracle:

      • if , it returns to

      • Otherwise, it returns to

  4. When outputs , returns 1. Otherwise, it returns 0.

Let be the advantage of in the PKE.Game. Note that the target ciphertext c can be uniquely decrypted to . Therefore any other than can not be a valid signcryption ciphertext unless a collusion of takes place, i.e., . The correct answer to any decryption query with is . Decryption queries from are correctly answered since is decrypted by the decryption oracle of PKE.Game.

When outputs , it means that is embedded in otherwise is embedded. It means that the adversary wins game PKE.Game with the same probability as wins Game 2 when collision of has happened. Let be the event collision of has happened and the event wins the PKE.Game. Let us denote by the probability of the event and that of . Therefore we have:

By putting it all together, we conclude our proof.

Theorem 3

Under Assumptions 3 and 4, the signcryption tag-KEM scheme described in Subsection IV-A is SUF-CMA secure.


Let be an adversary against our signcryption tag-KEM in the SUF-CMA game and its advantage. For the forgery of our signcryption, adversary needs to first find a pair such that . Then, it will try to find such that , i.e., it wins in the target pre-image free game (see Appendix -B) against the cryptographic hash function . We can see that finding such that corresponds to the forgery of the underlying Wave signature scheme. Let be the advantage of an adversary in the pre-image free game against a cryptographic hash function. Let be an adversary against the Wave signature in the EUF-CMA game and its advantage. Let be the event that wins. Let be the event that adversary is able to find a pre-image x of y by such that . We have:

Note that due to the fact that is a cryptographic hash function, is negligible and that concludes our proof.

Corollary 1

The signcryption tag-KEM described in Subsection IV-A is secure.

The above corollary is a consequence of Theorems 2 and 3. We then have the following.

Theorem 4

Under Assumptions 1–4, the hybrid signcryption tag-KEM+DEM scheme described in Subsection IV-B is IND-CCA2 and SUF-CMA secure.


Under Assumptions 1–3, Theorems 2 and 3 provide mandatory conditions regarding signcryption tag-KEM for a secure hybrid signcryption (see Theorem 1). In addition, the symmetric encryption scheme used is OT-secure and hence a direct application of Theorem 1 allows us to achieve a proof of the theorem.

Vi Parameter values

For our scheme we choose parameters such that and of the underlying Wave signature and McEliece’s encryption, respectively, satisfy . According to the sender and receiver keys, the size of our ciphertext is given by

Table I gives suggested values of the parameters of our scheme. These values have been derived using those of Wave [5] and Classic McEliece [2] for security Level 1 of NIST. According to the values given in Table I, the ciphertext size in bits of our scheme is in the order of .

Value 8492 3558 2047 7980 12 64 3488 1815 512
TABLE I: Parameter values of the proposed scheme.

Table II provides key sizes of our scheme in terms of relevant parameters. Then in Table III we give a numerical comparison of key and ciphertext sizes of our scheme with some existing lattice-based hybrid signcryption schemes. For the lattice based schemes in our comparison, the parameters, including plaintext size of 512 bits, are from [52, Table 2]. We can see that for post-quantum security level 1 the proposed scheme in some cases requires a relatively larger sender key, but in all cases has the smallest receiver key and ciphertext.

User Public key Secret key
Receiver’s key size
Sender’s key size
TABLE II: Key sizes of the proposed scheme.
Construction Receiver’s key size Sender’s key size Ciph. size
Pub. key Sec. key Pub. key Sec. key
[52, 19]
[52, 19]
[52, 45]
Shingo and Junji [52]
Our scheme
TABLE III: Size comparison (in bits) of the proposed scheme with the lattice based schemes of [52, 45, 19].

Vii Conclusion

In this paper, we have proposed a new signcryption tag-KEM based on coding theory. The security of our scheme relies on known hard problems in coding theory. We have used the proposed signcryption schemed to design a new code-based hybrid signcryption tag-KEM+DEM. We have proven that the proposed schemes are IND-CCA2 and SUF-CMA secure against any probabilistic polynomial-time adversary. The proposed scheme has a smaller ciphertext size compared to the pertinent lattice-based schemes.


  • [1] N. Aragon, O. Blazy, P. Gaborit, A. Hauteville, and G. Zémor, “Durandal: a rank metric based signature scheme,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2019, pp. 728–758.
  • [2] M. R. Albrecht, D. J. Bernstein et al., “Classic McEliece: conservative code-based cryptography.” [Online]. Available: https://classic.mceliece.org/nist/mceliece-20201010.pdf
  • [3] J. Baek, R. Steinfeld, and Y. Zheng, “Formal proofs for the security of signcryption,” Journal of Cryptology, vol. 20, no. 2, pp. 203–235, 2007.
  • [4] G. Banegas, P. S. Barreto, B. O. Boidje, P.-L. Cayrel, G. N. Dione, K. Gaj, C. T. Gueye, R. Haeussler, J. B. Klamti, O. N’diaye et al., “Dags: Key encapsulation using dyadic gs codes,” Journal of Mathematical Cryptology, vol. 12, no. 4, pp. 221–239, 2018.
  • [5] G. Banegas, T. Debris-Alazard, M. Nedeljkovic, and B. Smith, “Wavelet: Code-based postquantum signatures with fast verification on ´ microcontrollers,” arXiv preprint arXiv:2110.13488, 2021.
  • [6] E. Barelli and A. Couvreur, “An efficient structural attack on nist submission dags,” in International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2018, pp. 93–118
  • [7] P. S. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater, “Signcryption schemes based on the Diffie–Hellman problem,” in Practical Signcryption. Springer, 2010, pp. 57–69.
  • [8] P. S.