The authors of the first practical signature scheme, Courtois et al. [14], notice the above problem and reconsider the parameter choices for the underlying Goppa codes. They decide to pick a class of t-error correcting binary irreducible Goppa codes with length $n = 2^m$ and dimension $k = n - tm$.¹ A signature scheme is then parametrised by m and t. For a given pair (m, t), there exist about $2^{mt}/t$ different Goppa codes satisfying the above relations to choose from ([14]).
¹ This used to be a typical choice; Goppa codes of length other than $2^m$ have started to be used only recently.
Courtois et al. [14] accept the fact that, on average, t! decoding attempts must be made in order to successfully decode a random syndrome in $\mathbb{F}_2^{n-k}$. In order for the signing time to be practical, then, t must be chosen very small. On the other hand, if the code is to achieve the same level of security as the codes used in the McEliece/Niederreiter cryptosystems (where, e.g., n = 1024 and t = 50), the code's length n must be taken very large.
Courtois et al. propose the values $(n, t) = (2^{16}, 9)$ or $(n, t) = (2^{15}, 10)$.
Luckily, as we see later on, such a large n turns out to be compatible with a practical signature scheme, and, although it affects the size of the scheme's public key, this size stays reasonable.
We now give a description of two basic versions of the CFS signature scheme [14, 19].
Definition 4.3.1 (CFS signature scheme – counter version).
Public parameters: A public cryptographic hash function $h : \{0, 1\}^* \to \mathbb{F}_2^{n-k}$, from the message space $\{0, 1\}^*$ to the syndrome space $\mathbb{F}_2^{n-k}$. Integers m, t such that there is a t-error correcting binary irreducible Goppa code of length $n = 2^m$ and dimension $k = n - tm$. Denote the set of all such codes by S.
Setup: Select an (n − k) × n parity-check matrix H in systematic form for a random $\Gamma_2(L, g) \in S$. Select a random (n − k) × (n − k) invertible matrix M and a random n × n permutation matrix P.
Private key: Goppa polynomial $g(X) \in \mathbb{F}_{2^m}[X]$ and support $L \in \mathbb{F}_{2^m}^n$, the parity-check matrix $H \in \mathbb{F}_2^{(n-k) \times n}$ for $\Gamma_2(L, g)$, matrices $M \in \mathbb{F}_2^{(n-k) \times (n-k)}$ and $P \in \mathbb{F}_2^{n \times n}$.
Public key: The (n − k) × n matrix $\hat{H} := MHP$.
Signing:
1. Given a message m ∈ {0, 1}∗, create a counter i, set i = 0 and, by concatenating, create (m|i).
2. Compute $h(m|i) \in \mathbb{F}_2^{n-k}$.
3. Apply Niederreiter's decryption algorithm from Definition 3.1.2 to h(m|i).
4. If Step 3 fails, set i = i + 1 and go to Step 2. Otherwise, output the signature τ = (i, e), where $e \in \mathbb{F}_2^n$ is the unique vector of weight ≤ t with $\hat{H}e^T = h(m|i)^T$ that was found in Step 3.
Verification: Given a message m ∈ {0, 1}∗ and a signature τ = (i, e), compute $s_1 = h(m|i)$ and $s_2^T = \hat{H}e^T$. If $s_1 = s_2$, return true, otherwise return false.
In the given CFS description, the successive random choice of syndromes in $\mathbb{F}_2^{n-k}$ is ensured by introducing a hash function h and appending an increasing counter to the message, so that the input to h changes with every signing attempt and a new syndrome in $\mathbb{F}_2^{n-k}$ is picked uniformly at random. The rest of the signature may be seen as the reversed Niederreiter system, exactly following the “hash-then-decrypt” paradigm explained in Section 4.2. We refer to the above version of the signature scheme as the “CFS-counter version”.
Apart from this, Courtois et al. [14] also vaguely mention, and Finiasz [19] explicitly discusses, another version of the CFS, namely the “CFS-complete decoding version”. As the name suggests, the idea is to extend the decoding algorithm from Step 3 above so that (almost) any element of $\mathbb{F}_2^{n-k}$ is decodable. One may then omit the counter and only hash a given message. The authors find the smallest δ > 0 such that $\binom{n}{t+\delta} > 2^{n-k}$ and note that most of the syndromes in $\mathbb{F}_2^{n-k}$ must be decodable into vectors in $\mathbb{F}_2^n$ of weight at most t + δ. The original decoding algorithm is then combined with an exhaustive search for the extra δ non-zero positions. The signature scheme becomes as follows (taken from [19]).
Definition 4.3.2 (CFS signature scheme – complete decoding version).
Public parameters: All parameters as in Scheme 4.3.1 and a δ > 0 such that $\binom{n}{t+\delta} > 2^{n-k}$.
Setup: Same as in Scheme 4.3.1.
Signing:
1. Given a message m ∈ {0, 1}∗, compute $h(m) \in \mathbb{F}_2^{n-k}$.
2. Pick a vector $w \in \mathbb{F}_2^n$ with wt(w) = δ.
3. Apply Niederreiter's decryption algorithm from Definition 3.1.2 to $h(m)^T + \hat{H}w^T$.
4. If Step 3 fails, go to Step 2. Otherwise, output the signature τ = (w + e), where $e \in \mathbb{F}_2^n$ is the unique vector of weight ≤ t with $\hat{H}e^T = h(m)^T + \hat{H}w^T$ that was found in Step 3.
Verification: Given a message m ∈ {0, 1}∗ and a signature τ = (e + w), compute $s_1 = h(m)$ and $s_2^T = \hat{H}(e + w)^T$. If $s_1 = s_2$, return true, otherwise return false.
Notice that, similarly to the counter version, the complete decoding CFS requires, on average, t! decoding attempts. This is because in Step 3 we basically search through different syndromes in $\mathbb{F}_2^{n-k}$ looking for one that is decodable into a vector of weight t.
The complete decoding CFS version has the slight disadvantage that some small number of messages cannot be signed at all, as there is always a very small probability that a given syndrome h(m) can only be decoded into a vector of weight greater than t + δ. Finiasz [19] then suggests modifying the message and trying to sign it again.
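Both signing loops above, the counter version of Definition 4.3.1 and the complete-decoding version of Definition 4.3.2, as an added toy example that is not code from [14] or [19]: the secret Goppa decoder is replaced by a brute-force syndrome table for a small random code with constructed parameters n = 16, n − k = 8, t = 2 and δ = 2 (so $\binom{n}{t+\delta} = 1820 > 2^8$), the scrambling matrices M and P are omitted, and SHA-256 truncated to n − k bits plays the role of h.

```python
import hashlib, itertools, random
from functools import reduce
from operator import xor

N, R, T = 16, 8, 2   # toy n, r = n - k, t (constructed; real CFS uses n = 2^16, t = 9)

def make_parity_check(seed=1):
    """Random r x n parity-check matrix H as n column masks (identity block first)."""
    rng = random.Random(seed)
    return [1 << i for i in range(R)] + [rng.randrange(1, 1 << R) for _ in range(N - R)]

def syndrome(cols, e):
    """H e^T for an n-bit pattern e: XOR of the columns where e has a 1."""
    return reduce(xor, (cols[j] for j in range(N) if e >> j & 1), 0)

def build_decoder(cols):
    """Stand-in for the secret Goppa decoder: maps a syndrome to an e of weight <= t."""
    table = {}
    for w in range(T + 1):
        for pos in itertools.combinations(range(N), w):
            e = sum(1 << j for j in pos)
            table.setdefault(syndrome(cols, e), e)   # keep the lowest-weight preimage
    return table

def h(msg, i=None):
    """Hash m (counter version: m|i) into the syndrome space F_2^r."""
    data = msg if i is None else msg + b"|" + str(i).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - R)

def sign_counter(msg, table):
    """Counter version: step i until h(m|i) is decodable; signature is (i, e)."""
    i = next(i for i in itertools.count() if h(msg, i) in table)
    return i, table[h(msg, i)]

def verify_counter(msg, sig, cols):
    i, e = sig
    return bin(e).count("1") <= T and syndrome(cols, e) == h(msg, i)

def sign_complete(msg, cols, table, delta=2, tries=10000, seed=7):
    """Complete-decoding version: random w of weight delta until h(m)^T + H w^T decodes."""
    rng = random.Random(seed)
    for _ in range(tries):
        w = sum(1 << j for j in rng.sample(range(N), delta))
        e = table.get(h(msg) ^ syndrome(cols, w))
        if e is not None:
            return e ^ w            # e + w over F_2, weight <= t + delta
    return None                     # the rare message that cannot be signed (see Finiasz)

def verify_complete(msg, sig, cols, delta=2):
    return bin(sig).count("1") <= T + delta and syndrome(cols, sig) == h(msg)
```

With these parameters only about 137 of the 256 syndromes are decodable, so the counter usually has to step a few times, which is the t! effect in miniature.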
To conclude this section, we sum up the main ideas of [14] that make the CFS the first successful signature scheme. The authors
• picked a new set of parameters for the underlying Goppa codes,
• came up with a way of sampling random syndromes in $\mathbb{F}_2^{n-k}$ (either by introducing a counter or by complete decoding), and
• applied the “hash-then-decrypt” paradigm to the Niederreiter cryptosystem.
Finally, Courtois et al. [14] remark that the CFS scheme is purposely based on the Niederreiter cryptosystem, rather than on the McEliece variant. The reason for this is that in the Niederreiter scheme an efficient signature size compression is possible, while this is not the case in the McEliece system.
Notice that in Schemes 4.3.1 and 4.3.2 the vector e has length n and wt(e) ≤ t, where $n \gg t$. Thus, as explained in [14], by indexing all the $\binom{n}{t}$ possibilities for e, one only needs about $\log_2 \binom{n}{t} \ll n$ bits to store e.
For the proposed values $(n, t) = (2^{16}, 9)$, this translates into $\log_2 \binom{n}{t} \approx 126$ bits. On the other hand, a hypothetical signature scheme created from the McEliece system would have as part of the signature a binary word e of length k = n − tm (so that for a public McEliece matrix $\hat{G}$, $e\hat{G}$ would be a codeword in the underlying Goppa code). Such a word contains no redundancy and cannot be compressed. For the above parameters, e would thus require about $2^{16} - 9 \cdot 16 = 65392$ bits.
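The signature compression just described, as an added example that is not code from [14]: e is stored as its index among the $\binom{n}{t}$ weight-t vectors using the combinatorial number system (rank and unrank of the support), and the bit counts for $(n, t) = (2^{16}, 9)$ are computed; the functions assume wt(e) is exactly t and that positions are 0-based.

```python
from math import ceil, comb, log2

def rank(positions):
    """Combinadic rank of a sorted support p_1 < ... < p_t: an index in [0, C(n, t))."""
    return sum(comb(p, i + 1) for i, p in enumerate(positions))

def unrank(idx, t):
    """Inverse of rank: recover the t sorted positions from their index."""
    positions = []
    for i in range(t, 0, -1):          # take the largest p with C(p, i) <= idx
        p = i - 1
        while comb(p + 1, i) <= idx:
            p += 1
        idx -= comb(p, i)
        positions.append(p)
    return positions[::-1]

def compress(e, t):
    """Replace the n-bit vector e (an int bit mask of weight t) by its index among the C(n, t) choices."""
    support = [j for j in range(e.bit_length()) if e >> j & 1]
    if len(support) != t:
        raise ValueError("e must have weight exactly t")
    return rank(support)

def decompress(idx, t):
    """Rebuild e (as an int bit mask) from its index."""
    return sum(1 << p for p in unrank(idx, t))

def cfs_signature_bits(n, t):
    """Bits needed for the index: log2 C(n, t), rounded up (126 for n = 2^16, t = 9)."""
    return ceil(log2(comb(n, t)))

def mceliece_signature_bits(m, t):
    """A McEliece-based variant would carry an incompressible k = n - tm bit word, n = 2^m."""
    return 2 ** m - t * m
```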