A CCA2 Secure Variant of the McEliece Cryptosystem


The McEliece public-key encryption scheme has become an interesting alternative to cryptosystems based on number-theoretical problems. Differently from RSA and ElGamal, McEliece PKC is not known to be broken by a quantum computer. Moreover, even though McEliece PKC has a relatively big key size, encryption and decryption operations are rather efficient. In spite of all the recent results in coding theory based cryptosystems, to date, there are no constructions secure against chosen ciphertext attacks in the standard model - the de facto security notion for public-key cryptosystems. In this work, we show the first construction of a McEliece based public-key cryptosystem secure against chosen ciphertext attacks in the standard model. Our construction is inspired by a recently proposed technique by Rosen and Segev.


💡 Research Summary

This paper presents the first construction of a McEliece-based public-key encryption (PKE) scheme that is provably secure against adaptive chosen-ciphertext attacks (IND-CCA2) in the standard model. The McEliece cryptosystem, based on the hardness of decoding random linear codes, is a promising post-quantum candidate due to its resistance to known quantum algorithms and operational efficiency. However, achieving strong CCA2 security without relying on idealized heuristics like the random oracle model had remained an open problem.

The authors’ breakthrough stems from adapting the “correlated products” framework, introduced by Rosen and Segev for building CCA-secure encryption from lossy trapdoor functions, to the coding-based setting. They define a new primitive called a “k-repetition CPA-secure cryptosystem.” In such a system, k independent public keys are used to encrypt the same message in parallel, and the ciphertext is considered valid only if all k components decrypt to the same message under their respective secret keys. The core technical contribution is proving that a randomized version of the McEliece PKE satisfies this k-repetition CPA security notion.

The proof leverages the two standard assumptions underlying McEliece’s security: (1) the pseudorandomness of the public generator matrices produced by the code sampling algorithm, and (2) the hardness of the Learning Parity with Noise (LPN) problem. A key technical nuance is the use of a Bernoulli error distribution during encryption (where each bit of the error vector is set with probability θ) instead of a fixed Hamming-weight error vector. This modification ensures that the concatenation of error vectors from the k parallel encryptions preserves the necessary statistical properties for the security reduction.

The resulting CCA2-secure scheme works as follows: Key generation runs the standard McEliece key generation k times independently. To encrypt a message, it is encrypted under each of the k distinct public keys. The final ciphertext is the k-tuple of these individual ciphertexts. Decryption attempts to decrypt each component with its corresponding secret key; it accepts the message only if all k decryptions yield the identical result.
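
The k-fold structure described above, as an added example that is not code from the paper: a toy McEliece-shaped scheme (a bit-repetition code with majority decoding stands in for the Goppa code, so it offers no security) wrapped in k parallel encryptions with Bernoulli errors and the all-components-agree check. All function names and parameter values are assumptions made for illustration.

```python
import random

K_BITS, REP, THETA = 4, 15, 0.05       # toy sizes and Bernoulli rate (assumed values)
N = K_BITS * REP

def vec_mat(v, rows):
    """Row vector v times a binary matrix (list of rows) over GF(2)."""
    out = [0] * len(rows[0])
    for bit, row in zip(v, rows):
        if bit:
            out = [a ^ b for a, b in zip(out, row)]
    return out

def keygen(rng):
    """One toy key pair: public G' = S*G*P, secret (S^-1, P)."""
    S = [[int(i == j) for j in range(K_BITS)] for i in range(K_BITS)]
    S_inv = [row[:] for row in S]
    for _ in range(20):                 # random row additions keep S invertible
        i, j = rng.sample(range(K_BITS), 2)
        S[i] = [a ^ b for a, b in zip(S[i], S[j])]
        for row in S_inv:               # matching column update keeps S*S_inv = I
            row[j] ^= row[i]
    perm = rng.sample(range(N), N)
    G = [[int(c // REP == i) for c in range(N)] for i in range(K_BITS)]
    SG = [vec_mat(row, G) for row in S]
    return [[row[p] for p in perm] for row in SG], (S_inv, perm)

def encrypt(pub, m, rng):
    e = [int(rng.random() < THETA) for _ in range(N)]   # each error bit set w.p. theta
    return [a ^ b for a, b in zip(vec_mat(m, pub), e)]

def decrypt(sk, ct):
    S_inv, perm = sk
    y = [0] * N
    for c, p in enumerate(perm):        # undo the permutation
        y[p] = ct[c]
    mS = [int(sum(y[i * REP:(i + 1) * REP]) > REP // 2) for i in range(K_BITS)]
    return vec_mat(mS, S_inv)           # majority-decoded m*S, then unscramble

def keygen_k(k, rng):
    pairs = [keygen(rng) for _ in range(k)]
    return [pk for pk, _ in pairs], [sk for _, sk in pairs]

def encrypt_k(pks, m, rng):
    return [encrypt(pk, m, rng) for pk in pks]          # same m, independent errors

def decrypt_k(sks, cts):
    msgs = [decrypt(sk, ct) for sk, ct in zip(sks, cts)]
    return msgs[0] if all(x == msgs[0] for x in msgs) else None   # reject on mismatch
```

Replacing one component of the k-tuple with an encryption of a different message makes `decrypt_k` return `None`, and the ciphertext is k times the size of a single toy ciphertext, which is the linear blow-up the summary mentions.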

The primary cost of this transformation is a linear blow-up by a factor of k in the sizes of the public key, secret key, and ciphertext. However, this establishes a foundational milestone by providing the first CCA2-secure McEliece variant in the standard model. The work is situated alongside concurrent independent work that applied the Rosen-Segev technique to lattice-based cryptography (relying on the LWE problem), highlighting a parallel evolution in post-quantum cryptographic paradigms. This construction significantly advances the theoretical groundwork for code-based cryptography, moving it closer to meeting the stringent security requirements of modern cryptographic applications in a post-quantum future.

