1 Introduction

1.1 Background

Threshold public-key encryption is a variant of public-key encryption (PKE) where the decryption key is distributed to multiple parties as partial decryption keys. A ciphertext is decrypted by a threshold decryption protocol among parties. If more than a certain threshold number of, but not necessarily all, parties execute the protocol, the ciphertext is correctly decrypted. On the other hand, parties below the threshold cannot obtain any information about the plaintext from a ciphertext even if they have their own partial decryption key.

We enjoy the features of threshold PKEs in various applications, for example, e-voting, blockchain, and threshold implementation. In many e-voting systems such as [1, 15, 18, 32], each ballot is encrypted by a threshold PKE. Thus voters’ privacy is protected against (a few) curious tally servers, while the voting result, which is non-private information, can still be obtained when all (or most) tally servers decrypt jointly.

Also, some blockchain applications [33, 48] use threshold PKEs. For example, in [48], to prevent a miner from abusing knowledge of transactions before they are added to the chain, encrypted transactions are added to the chain first, and then randomly selected miners jointly decrypt them. The property of threshold PKEs ensures that no one knows the content of transactions before they are added, and also that no one can interfere with the publishing of inconvenient transactions. Another interesting application of threshold PKEs is a countermeasure against side-channel attacks, known as “Threshold Implementation” [39]. By implementing the threshold decryption algorithm in a single device (i.e., multiple virtual decryptors run the decryption process inside it), key recovery using side-channel information (e.g., the power spectrum) becomes significantly harder [10, Section 2.5].

Because of such use of threshold PKEs, the US National Institute of Standards and Technology (NIST) is planning standardization of threshold PKEs [37] in order to encourage implementations of threshold PKEs in the real world.

In the literature, many threshold PKE schemes have been proposed from various computational assumptions, for example, RSA [28], composite residuosity [21], discrete logarithm [23] and Diffie–Hellman [12, 43]. However, these schemes are not secure against quantum computers due to Shor’s algorithm [42], which enables quantum computers to solve factoring and discrete logarithm in polynomial time. To ensure security for the future, it is important to construct post-quantum threshold PKE schemes, which are based on problems that remain intractable even for quantum computers.

Some post-quantum threshold PKE schemes were proposed in the area of lattice-based cryptography [6, 16, 34]. On the other hand, there are no known post-quantum threshold PKEs from other assumptions, e.g., code, multivariate, and isogenies. In case lattice-based assumptions no longer hold, it is desirable to construct post-quantum threshold PKEs from different assumptions as well. In fact, due to the same reason, NIST is still in the process of selecting code-based KEMs in the fourth round of the PQC competition after NIST selected a lattice-based KEM [38]. Therefore, constructing post-quantum threshold PKEs other than lattice-based ones is an important issue.

1.2 Prior work

A naive approach to constructing a post-quantum threshold PKE is computing the decryption algorithm of a non-threshold PKE by multi-party computations (MPCs). Theoretically speaking, for any decryption algorithm, its threshold decryption can be realized by MPCs; but the obtained protocol is impractical in general. Consider the case of hybrid encryption (i.e., KEM-DEM framework) often used to efficiently encrypt long messages. Hybrid encryption leverages the high performance of DEM’s encryption and decryption process to achieve good performance in total. However, replacing the entire decrypting process with an MPC requires DEM decryption to be performed in a threshold fashion, which takes huge costs, especially for long messages, even if the MPC for the KEM is lightweight.

To realize practical post-quantum threshold PKEs, we can use two known generic conversions, Dodis–Katz conversion [24] and Cong et al. conversion (CCMS conversion) [16].

Dodis–Katz conversion transforms an \(\textsf{IND} \text {-}\textsf{CCA} \) secure PKE to an \(\textsf{IND} \text {-}\textsf{CCA} \) secure threshold PKE using the concept of parallel encryption. Parallel encryption is a scheme that divides a plaintext into n pieces and encrypts each piece with a distinct public key of the underlying PKE. In Dodis–Katz threshold PKEs, the ciphertext consists of n ciphertext and a one-time signature with strong \(\textsf{EUF}\text {-}\textsf{CMA}\) security, which is required to achieve \(\textsf{CCA}\) security. To decrypt a ciphertext, each party first recovers the corresponding piece and then recovers the message from the collection of the pieces. Since the decryption process only does local computation (i.e., without MPCs), resulting threshold PKEs are optimal in the sense of computation cost. Also, since the conversion can start from any regular \(\textsf{IND} \text {-}\textsf{CCA} \) secure PKE, we can obtain post-quantum threshold PKEs from various post-quantum assumptions.

Recently, Cong et al. presented an elegant KEM-DEM framework (called CCMS conversion in this paper) that can be used to efficiently convert an \(\textsf{OW} \text {-}\textsf{CPA} \) secure deterministic threshold PKE into an \(\textsf{IND} \text {-}\textsf{CCA} \) secure threshold PKE. CCMS conversion can be considered as a variant of the Fujisaki–Okamoto transformation (FO transformation) proposed by [29] that converts an \(\textsf{OW} \text {-}\textsf{CPA} \) secure probabilistic PKE into an \(\textsf{IND} \text {-}\textsf{CCA} \) one. More precisely, a deterministic encryption function \(\textsf{Enc}_{\textrm{p}}\) is first converted into a probabilistic one as \(\textsf{Enc}_{\textrm{p}}'(\textsf{pk}, \textsf{m}; r) \mathrel {\mathop :}=(\textsf{Enc}_{\textrm{p}}(\textsf{pk},\textsf{m}), r)\), and then the FO transformation is applied. In the decryption process of the resulting PKE, the ciphertext validity can be verified simply by checking hash values before decrypting the DEM part. Moreover, it has an attractive property that, if the validity checks pass, it remains secure even if the session key of the DEM becomes public (i.e., all parties know it). From this property, it is sufficient to compute only the decryption of the KEM in a distributed fashion, and the decryption of the DEM can be done in the clear. Therefore, once we construct an \(\textsf{OW} \text {-}\textsf{CPA} \) secure (deterministic) PKE equipped with an efficient distributed decryption, we can obtain an \(\textsf{IND} \text {-}\textsf{CCA} \) threshold PKE, which is much simpler than constructing an MPC for the more complex decryption algorithm of an \(\textsf{IND} \text {-}\textsf{CCA} \) secure PKE.

Fig. 1: The Classic McEliece-based threshold PKE schemes \(\Pi _{\textrm{t}}^{\text {I}}\), \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) and \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\). The arrows (\(\longrightarrow \)) indicate the corresponding conversions. Our proposed conversions are highlighted with underlining.

1.3 Our contributions

In this work, to ensure the diversity of post-quantum threshold PKEs, we provide three \(\textsf{IND} \text {-}\textsf{CCA} \) secure code-based threshold PKE schemes, \(\Pi _{\textrm{t}}^{\text {I}}\), \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\), and \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\). These schemes are all based on Classic McEliece [2], one of the candidates in the NIST PQC standardization. Figure 1 shows how they are constructed from (\(\textsf{OW} \text {-}\textsf{CPA} \) secure) Classic McEliece PKE.

The first scheme \(\Pi _{\textrm{t}}^{\text {I}}\) is the concrete instantiation of Dodis–Katz conversion from code-based assumptions. We instantiate it with the \(\textsf{IND} \text {-}\textsf{CCA} \) secure Classic McEliece PKE and the strong \(\textsf{EUF}\text {-}\textsf{CMA}\) secure Sig 3 signature [8], which is the state-of-the-art signature scheme based on the same post-quantum assumption as Classic McEliece. We show that \(\Pi _{\textrm{t}}^{\text {I}}\) has a large ciphertext (about 16 kilobytes for 128-bit security) since the size of code-based signatures is large.

The second scheme \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) is a new parallel encryption-based construction without signature schemes. To obtain \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\), we start from the \(\textsf{OW} \text {-}\textsf{CPA} \) Classic McEliece PKE, convert it into a threshold one (with \(\textsf{OW} \text {-}\textsf{CPA} \) security) using newly-developed parallel encryption, and then enhance its security to \(\textsf{IND} \text {-}\textsf{CCA} \) using CCMS conversion. Since CCMS requires a deterministic PKE, the new parallel encryption must preserve the deterministic property of the underlying PKE, while it does not need to guarantee \(\textsf{CCA}\) security. Our idea to realize such a conversion is: (1) utilizing a simple dividing method instead of the threshold secret sharing scheme used in Dodis–Katz parallel encryption, (2) assigning multiple key pairs to each decryption party to support the t-out-of-n setting, and (3) eliminating unnecessary signatures. Thanks to eliminating signatures, \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) drastically reduces the ciphertext length: it is 512 bytes, which is only 3% of the ciphertext length of \(\Pi _{\textrm{t}}^{\text {I}}\). Although \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) provides a smaller ciphertext, \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) needs an MPC for computing hash functions during the decryption process. However, it does not need MPCs for the decryption of the \(\textsf{OW} \text {-}\textsf{CPA} \) secure PKE since we use parallel encryption techniques.

The third scheme \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is an MPC-based threshold PKE scheme from code-based assumptions. We take the same approach Cong et al. took to construct efficient lattice-based threshold PKEs: prepare \(\textsf{OW} \text {-}\textsf{CPA} \) secure threshold PKEs by building MPCs for key generation and decryption, and convert them into \(\textsf{CCA}\) secure ones. We build an MPC for computing the decryption algorithm of the \(\textsf{OW} \text {-}\textsf{CPA} \) secure Classic McEliece PKE. Most of the decryption algorithm is the decoding process of the Goppa code, which is done by Patterson’s algorithm. We notice that it is comparatively MPC-friendly because it consists of algebraic computation. In contrast to other decoding algorithms, e.g., those for MDPC codes and LRPC codes, Patterson’s decoding algorithm does not use integer comparison or operations on basis vectors, which require heavy MPCs. Almost all parts of Patterson’s decoding can be computed in a distributed fashion by existing MPC techniques, but computing the extended Euclidean algorithm part is non-trivial. We succeed in constructing an MPC for it using the idea of exploiting the properties of the subresultant matrix used in [36]. As a result, we obtain an \(\textsf{OW} \text {-}\textsf{CPA} \) secure threshold Classic McEliece PKE from our new MPCs for the decryption. Then, we convert it into the \(\textsf{CCA}\) secure scheme \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) via CCMS conversion. \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) has the shortest ciphertext length among the three schemes at just 192 bytes. Compared to the regular \(\textsf{CCA}\) secure Classic McEliece PKE, the additional ciphertext length is only 100 bytes. The drawback of \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is the heavy distributed computation in the decryption process: it requires many rounds of interaction to compute Patterson’s algorithm via MPCs.

1.4 Organization of this paper

This paper is organized as follows. In Sect. 2, we introduce notations and the syntax and security notions of the cryptographic primitives used in this paper. In Sect. 3, we explain the background of code-based cryptography. We explain the Classic McEliece PKE/KEM along with the Goppa code and Patterson decoding, and related work on code-based signatures. Then, in the subsequent three sections, we explain the concrete code-based threshold PKE schemes. Section 4 describes the concrete instantiation of Dodis–Katz conversion from code-based assumptions. Section 5 explains a new parallel encryption-based threshold PKE. Section 6 explains a new MPC-based threshold PKE from Classic McEliece, including the concrete procedure to compute Patterson’s decoding algorithm in a distributed fashion. Finally, in Sect. 7, we compare the three schemes in terms of ciphertext length and computational complexity of threshold decryption. Conclusions are provided in Sect. 8.

2 Preliminaries

2.1 Notations

Let \(\lambda \) be a security parameter. For a non-negative integer n, [n] denotes \(\{1,2,\ldots ,n\}\). \(\left( {\begin{array}{c}n\\ t\end{array}}\right) \) denotes the number of t-combinations for n elements, i.e., \(\left( {\begin{array}{c}n\\ t\end{array}}\right) \mathrel {\mathop :}=\frac{n(n-1) \cdots (n-t+1)}{t(t-1) \cdots 1}\). For finite set X, \(x \leftarrow _{\$}X\) indicates an element \(x \in X\) is chosen uniformly at random. QPT stands for quantum polynomial time.

2.2 Public-key encryption

A public key encryption (PKE) scheme is defined as a triple of algorithms \(\Pi _{\textrm{p}}=(\textsf{KGen}_{\textrm{p}},\textsf{Enc}_{\textrm{p}},\textsf{Dec}_{\textrm{p}})\) with plaintext space \(M_{\textrm{p}}\) and ciphertext space \(C_{\textrm{p}}\). The key generation algorithm \(\textsf{KGen}_{\textrm{p}}\) takes a security parameter \(1^\lambda \) as input and outputs a pair of public key and secret key \((\textsf{pk},\textsf{sk})\). The encryption algorithm \(\textsf{Enc}_{\textrm{p}}(\textsf{pk},\textsf{m})\) computes a ciphertext \(\textsf{ct}\) from a plaintext \(\textsf{m}\in M_{\textrm{p}}\) and the public key \(\textsf{pk}\). Note that we treat a deterministic PKE throughout this paper and thus we suppose that \(\textsf{Enc}_{\textrm{p}}\) is a deterministic algorithm. The decryption algorithm \(\textsf{Dec}_{\textrm{p}}({\textsf{sk}},\textsf{ct})\) recovers a plaintext \(\textsf{m}\in M_{\textrm{p}}\) or returns the special symbol \(\bot \notin M_{\textrm{p}}\).

A probability of decryption failure (for a randomly chosen plaintext) \(\delta _f\) is defined as

$$\begin{aligned} \delta _f \mathrel {\mathop :}=\Pr \left[ \textsf{Dec}_{\textrm{p}}(\textsf{sk},\textsf{Enc}_{\textrm{p}}(\textsf{pk},\textsf{m})) \ne \textsf{m}\right] , \end{aligned}$$

where \((\textsf{pk},\textsf{sk})\leftarrow \textsf{KGen}_{\textrm{p}}(1^\lambda )\) and \(\textsf{m}\leftarrow _{\$}M_{\textrm{p}}\). We say that \(\Pi _{\textrm{p}}\) is \((1-\delta _f)\)-correct. We require that \(\delta _f\) is exponentially small. If \(\delta _f=0\), we say \(\Pi _{\textrm{p}}\) is perfectly correct. When \(\Pi _{\textrm{p}}\) fails to decrypt, there are two types of decryption failures. The first type of decryption failure is that two different plaintexts are encrypted to the same ciphertext. We say that \(\Pi _{\textrm{p}}\) is \(\delta _c\)-collision free when

$$\begin{aligned} \Pr \left[ \exists \textsf{m}_1,\textsf{m}_2\in M_{\textrm{p}} \text { s.t. } \textsf{Enc}_{\textrm{p}}(\textsf{pk},\textsf{m}_1)=\textsf{Enc}_{\textrm{p}}(\textsf{pk},\textsf{m}_2) \right] =\delta _c, \end{aligned}$$

where \((\textsf{pk},\textsf{sk})\leftarrow \textsf{KGen}_{\textrm{p}}(1^\lambda )\). If \(\Pi _{\textrm{p}}\) is perfectly correct, then it is 0-collision free. The second type of decryption failure occurs when a valid ciphertext is decrypted to \(\bot \). We define a game called \(\bot \text {-aware}\) in which an adversary \(\mathcal {A}\) given the public key \(\textsf{pk}\) finds a pair of plaintext and ciphertext \(({\tilde{\textsf{m}}},{\tilde{\textsf{ct}}})\) such that \({\tilde{\textsf{ct}}}=\textsf{Enc}_{\textrm{p}}(\textsf{pk},{\tilde{\textsf{m}}})\) but \(\textsf{Dec}_{\textrm{p}}(\textsf{sk},{\tilde{\textsf{ct}}})=\bot \). The advantage of \(\mathcal {A}\) is defined as

$$\begin{aligned} \textsf{Adv}^{\bot \text {-aware}}_{\Pi _{\textrm{p}},\mathcal {A}} \mathrel {\mathop :}=\Pr \left[ {\tilde{\textsf{ct}}}=\textsf{Enc}_{\textrm{p}}(\textsf{pk},{\tilde{\textsf{m}}}) \wedge \textsf{Dec}_{\textrm{p}}(\textsf{sk},{\tilde{\textsf{ct}}})=\bot \right] , \end{aligned}$$

where \((\textsf{pk},\textsf{sk})\leftarrow \textsf{KGen}_{\textrm{p}}(1^\lambda )\). We say that \(\Pi _{\textrm{p}}\) is \(\delta _\bot \)-\({\bot \text {-aware}}\) if the above advantage is \(\delta _\bot \) or less for any QPT adversary \(\mathcal {A}\). If \(\Pi _{\textrm{p}}\) is perfectly correct, it is 0-\(\bot \text {-aware}\).

Moreover, we say that \(\Pi _{\textrm{p}}\) is rigid if it satisfies the following condition [7]: For any \((\textsf{pk},\textsf{sk})\leftarrow \textsf{KGen}_{\textrm{p}}(1^\lambda )\) and \( \textsf{ct}\in C_{\textrm{p}}{\setminus } C_{\textrm{p}}^\bot \),

$$\begin{aligned} \Pr \left[ \textsf{Enc}_{\textrm{p}}(\textsf{pk},\textsf{Dec}_{\textrm{p}}(\textsf{sk},\textsf{ct}))=\textsf{ct}\right] =1 \end{aligned}$$

holds, where \(C_{\textrm{p}}^\bot \subset C_{\textrm{p}}\) is the set of all ciphertexts \(\textsf{ct}\in C_{\textrm{p}}\) for which \(\textsf{Dec}_{\textrm{p}}(\textsf{sk},\textsf{ct})=\bot \).

The standard security notion of public key encryption is indistinguishability (\(\textsf{IND}\)) against chosen ciphertext attack (\(\textsf{CCA}\)). This security guarantees that an adversary cannot obtain any information about the plaintext from a ciphertext even if it has access to the decryption oracle. Let \(\mathcal {A}\) be an adversary. Given a public key \(\textsf{pk}\), \(\mathcal {A}\) accesses the decryption oracle \(O_\textsf{Dec}\), and outputs two plaintexts \(\textsf{m}_0^*,\textsf{m}_1^*\). Then one of the two plaintexts is encrypted to the challenge ciphertext \(\textsf{ct}^* = \textsf{Enc}_{\textrm{p}}(\textsf{pk},\textsf{m}_b^*)\) based on a randomly chosen challenge bit b. \(\mathcal {A}\) is given the challenge ciphertext \(\textsf{ct}^*\) and access to \(O_\textsf{Dec}\) (which rejects the query \(\textsf{ct}^*\)), and it outputs a bit \(b'\). If the advantage of \(\mathcal {A}\), given by

is negligible for all QPT \(\mathcal {A}\), we say that \(\Pi _{\textrm{p}}\) is \(\textsf{IND} \text {-}\textsf{CCA} \) secure.

To design an \(\textsf{IND} \text {-}\textsf{CCA} \) PKE scheme, we sometimes use a PKE scheme with weaker security, called one-wayness (\(\textsf{OW}\)) against chosen plaintext attacks (\(\textsf{CPA}\)). \(\textsf{OW} \text {-}\textsf{CPA} \) security ensures that an adversary cannot recover the whole plaintext from a ciphertext. The adversary \(\mathcal {A}\) is given a challenge ciphertext \(\textsf{ct}^*\) whose plaintext \(\textsf{m}^*\) is chosen uniformly at random from the plaintext space \(M_{\textrm{p}}\). Then \(\mathcal {A}\) outputs a guess \(\textsf{m}\) for \(\textsf{m}^*\). The advantage of \(\mathcal {A}\) is defined as follows:

$$\begin{aligned} \textsf{Adv}^{\textsf{OW} \text {-}\textsf{CPA} }_{\Pi _{\textrm{p}},\mathcal {A}} \mathrel {\mathop :}=\left| \, \Pr \left[ \textsf{m}= \textsf{m}^* \right] - \frac{1}{\left| \, M_{\textrm{p}}\, \right| }\, \right| \end{aligned}$$

If the advantage is negligible for all QPT \(\mathcal {A}\), we say that \(\Pi _{\textrm{p}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure.

2.3 Threshold public-key encryption

A \((t,n)\)-threshold public-key encryption scheme is an extension of public-key encryption schemes that equips two multi-party protocols \(\textsf{KGen}_{\textrm{t}}\) and \(\textsf{Dec}_{\textrm{t}}\) instead of the algorithms \(\textsf{KGen}_{\textrm{p}}\) and \(\textsf{Dec}_{\textrm{p}}\). The key generation protocol \(\textsf{KGen}_{\textrm{t}}\) is performed by n parties \(P_1,\ldots ,P_n\). At the end of this protocol, all parties agree on a public key \(\textsf{PK}\), and each party \(P_i\) obtains its partial secret key \(\textsf{sk}_i\). We denote the list of the partial secret keys as \(\textsf{SK}=(\textsf{sk}_1,\ldots , \textsf{sk}_n)\). The threshold decryption protocol \(\textsf{Dec}_{\textrm{t}}\) is performed by t or more parties. On input a ciphertext \(\textsf{CT}\) as a public input and a partial secret key \(\textsf{sk}_i\) as a private input from each \(P_i\), it outputs the plaintext \(\textsf{m}\).

\(\textsf{IND} \text {-}\textsf{CCA} \) and \(\textsf{OW} \text {-}\textsf{CPA} \) security for \((t,n)\)-threshold PKEs can be defined in the same way as \(\textsf{IND} \text {-}\textsf{CCA} \) and \(\textsf{OW} \text {-}\textsf{CPA} \) for regular PKE schemes. The difference is that the adversary can corrupt \(t-1\) parties of its own choice, which allows it to receive \(t-1\) partial secret keys and the intermediate decryption results of those parties in response to decryption queries.

2.4 Key encapsulation mechanism

A key encapsulation mechanism (KEM) is defined as a triple of algorithms \(\Pi _{\text {k}}=(\textsf{KGen}_{\textrm{k}},\textsf{Encap},\textsf{Decap})\) with a session key space \(K_{\text {k}}\) and a ciphertext space \(C_{\text {k}}\). \(\textsf{KGen}_{\textrm{k}}(1^\lambda )\) generates a key pair \((\textsf{pk},\textsf{sk})\). The encapsulation algorithm \(\textsf{Encap}(\textsf{pk})\) outputs a session key \(\textsf{k}\in K_{\text {k}}\) and its ciphertext \(\textsf{ct}\in C_{\text {k}}\). The decapsulation algorithm \(\textsf{Decap}({\textsf{sk}},\textsf{ct})\) outputs a session key \(\textsf{k}\). For correctness, \(\textsf{Decap}({\textsf{sk}},\textsf{ct})=\textsf{k}\) holds with overwhelming probability, if \((\textsf{pk},\textsf{sk})\leftarrow \textsf{KGen}_{\textrm{k}}(1^\lambda ), (\textsf{k},\textsf{ct})\leftarrow \textsf{Encap}(\textsf{pk})\).

For the security of KEM, we can define the indistinguishability of session keys, which guarantees that an adversary given a ciphertext cannot obtain any information about the session key. More precisely, an adversary \(\mathcal {A}\) is first given a public key \(\textsf{pk}\). Next \(b\leftarrow _{\$}\{0,1\}\), \((\textsf{ct}^*, \textsf{k}_0)\leftarrow \textsf{Encap}(\textsf{pk})\) and \(\textsf{k}_1\leftarrow _{\$}K_{\text {k}}\) are computed, and \((\textsf{ct}^*, \textsf{k}_b)\) is sent to \(\mathcal {A}\). After that \(\mathcal {A}\) is allowed to send \(\textsf{ct}(\ne \textsf{ct}^*)\) to a decapsulation oracle \(O_{\textsf{Decap}}\) which returns \(\textsf{Decap}(\textsf{sk}, \textsf{ct})\). \(\mathcal {A}\) outputs \(b'\) as the guessing bit of b. If the advantage of \(\mathcal {A}\), defined by

is negligible for all QPT \(\mathcal {A}\), we say \(\Pi _{\text {k}}\) is \(\textsf{IND} \text {-}\textsf{CCA} \) secure.

2.5 Symmetric-key encryption

A symmetric-key encryption (SKE) scheme is defined as a pair of algorithms \(\Pi _{\textrm{s}}=(\textsf{Enc}_{\textrm{s}},\textsf{Dec}_{\textrm{s}})\) along with the key space \(K_{\text {s}}\) and the plaintext space \(M_{\textrm{s}}\). For a randomly chosen symmetric key \(\textsf{k}\in K_{\text {s}}\), a plaintext \(\textsf{m}\in M_{\textrm{s}}\) is encrypted into a ciphertext \(\textsf{ct}\) as \(\textsf{ct}= \textsf{Enc}_{\textrm{s}}(\textsf{k}, \textsf{m})\). The ciphertext is decrypted by \(\textsf{Dec}_{\textrm{s}}\) as \(\textsf{m}= \textsf{Dec}_{\textrm{s}}(\textsf{k}, \textsf{ct})\). For correctness, \(\textsf{Dec}_{\textrm{s}}(\textsf{k},\textsf{Enc}_{\textrm{s}}(\textsf{k},\textsf{m}))=\textsf{m}\) holds for all \(\textsf{k}\in K_{\text {s}}\) and \(\textsf{m}\in M_{\textrm{s}}\).

For the security notion of SKE, we give one-time \(\textsf{IND} \text {-}\textsf{CCA} \) and one-time \(\textsf{IND} \text {-}\textsf{CPA} \) [19] securities with the use of the hybrid construction in mind. The following game defines one-time \(\textsf{IND} \text {-}\textsf{CCA} \) security. First, a key is chosen randomly \(\textsf{k}\leftarrow _{\$}K_{\text {s}}\). Next, the adversary \(\mathcal {A}\) outputs a pair of plaintexts \(\textsf{m}_0^*, \textsf{m}_1^*\), and receives \(\textsf{ct}^*\mathrel {\mathop :}=\textsf{Enc}_{\textrm{s}}(\textsf{k}, \textsf{m}_b^*)\), where b is a randomly-chosen challenge bit. After that \(\mathcal {A}\) is allowed to send \(\textsf{ct}(\ne \textsf{ct}^*)\) to a decryption oracle \(O_{\textsf{Dec}_{\textrm{s}}}\) which returns \(\textsf{Dec}_{\textrm{s}}(\textsf{k},\textsf{ct})\) any number of times. Finally, \(\mathcal {A}\) outputs \(b'\in \{0,1\}\). If \(\mathcal {A}\)’s advantage

is negligibly small for any QPT adversary \(\mathcal {A}\), then we say that \(\Pi _{\textrm{s}}\) is one-time \(\textsf{IND} \text {-}\textsf{CCA} \) secure. One-time \(\textsf{IND} \text {-}\textsf{CPA} \) security is exactly the same as one-time \(\textsf{IND} \text {-}\textsf{CCA} \) security, except that \(\mathcal {A}\) is not allowed to access the decryption oracle. If the advantage of \(\mathcal {A}\) in this setting is negligibly small, then we say that \(\Pi _{\textrm{s}}\) is one-time \(\textsf{IND} \text {-}\textsf{CPA} \) secure.

2.6 Signature scheme

A signature scheme consists of three algorithms, \(\Pi _{\text {sig}} = (\textsf{KGen}_{\text {sig}},\textsf{Sign},\textsf{Verify})\). \(\textsf{KGen}_{\text {sig}}\) takes the security parameter \(1^\lambda \) as input and generates a public (verification) key \(\textsf{vk}\) and a secret (signing) key \(\textsf{sigk}\). \(\textsf{Sign}\) takes a message \(\textsf{m}\) and a signing key \(\textsf{sigk}\) as input, and outputs a signature \(\sigma \). \(\textsf{Verify}\) takes \(\textsf{m}\), \(\sigma \), and \(\textsf{vk}\) as input, and outputs 1 (accept) or 0 (reject). For all \(\textsf{m}\) and \((\textsf{vk}, \textsf{sigk})\leftarrow \textsf{KGen}_{\text {sig}}(1^\lambda )\), \(\Pr \left[ \textsf{Verify}(\textsf{m}, \textsf{Sign}(\textsf{m}, \textsf{sigk}), \textsf{vk}))=1\right] =1\) must hold for correctness.

Signature schemes are often used in cryptographic systems as a building block. In such a case, one-time strong existential unforgeability against chosen message attack (one-time strong \(\textsf{EUF}\text {-}\textsf{CMA}\)) is required in general. Refer to [4] for the definition of one-time strong \(\textsf{EUF}\text {-}\textsf{CMA}\) security.

2.7 Dodis and Katz conversion

Dodis and Katz [24] proposed a generic construction of an \(\textsf{IND} \text {-}\textsf{CCA} \) secure threshold PKE from an \(\textsf{IND} \text {-}\textsf{CCA} \) secure (non-threshold) PKE using the parallel encryption technique plus a secret sharing scheme and a one-time signature scheme. We roughly explain the \((t,n)\)-threshold PKE converted from a (non-threshold) PKE with label \(\Pi _{\textrm{p}}=(\textsf{KGen}_{\textrm{p}},\textsf{Enc}_{\textrm{p}},\textsf{Dec}_{\textrm{p}})\) as follows.

In the key generation process, each party \(P_i\) runs \(\textsf{KGen}_{\textrm{p}}\) to generate a key pair \((\textsf{pk}_i,\textsf{sk}_i)\). In the encryption process, a plaintext \(\textsf{m}\) is first divided into n shares \(\textsf{s}_1,\ldots ,\textsf{s}_n\) using a \((t,n)\)-secret sharing scheme, and a key pair \((\textsf{vk},\textsf{sigk})\) of the one-time signature scheme is generated. Next, \(\textsf{ct}_i \leftarrow \textsf{Enc}_{\textrm{p}}(\textsf{pk}_i, \textsf{s}_{i}, \textsf{vk})\) is computed for all \(i \in [n]\), where \(\textsf{vk}\) is treated as a label. The ciphertext of \(\textsf{m}\) consists of the list \(\textsf{CT}\mathrel {\mathop :}=(\textsf{ct}_1, \ldots , \textsf{ct}_n)\), \(\textsf{vk}\), and the signature \(\sigma \leftarrow \textsf{Sign}(\textsf{sigk}, \textsf{CT})\). In the decryption process, each \(P_i\) verifies the signature and computes \(\textsf{s}_{i} \leftarrow \textsf{Dec}_{\textrm{p}}(\textsf{sk}_i,\textsf{ct}_i, \textsf{vk})\). Then \(P_i\) broadcasts the share \(\textsf{s}_{i}\), and the plaintext \(\textsf{m}\) is reconstructed from the shares \(\{\textsf{s}_i\}_i\) using the secret sharing scheme.
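The Dodis–Katz conversion just described, simulated in one Python process as an added illustration (this is not code from the paper or from [24]). Shamir secret sharing over a prime field and a Lamport one-time signature are implemented for real; the labelled PKE is a placeholder (a symmetric authenticated cipher with \(\textsf{pk}_i=\textsf{sk}_i\)) that only mimics the interface of an \(\textsf{IND} \text {-}\textsf{CCA} \) PKE with label and provides no public-key security.

```python
# Added illustration of the Dodis–Katz conversion (not the paper's own code).
# Shamir sharing and the Lamport one-time signature are real; pke_* below is a
# PLACEHOLDER for an IND-CCA PKE with label: it is symmetric (pk == sk) and
# exists only to exercise the structure of the conversion.
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime field for Shamir secret sharing (constructed choice)


def shamir_share(secret, t, n):
    """Split an integer secret (< P) into n shares; any t of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def shamir_reconstruct(shares):
    """Lagrange interpolation at 0 from t (or more) distinct shares."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def ots_keygen():
    """Lamport one-time signature over SHA-256 digests (one use per key pair)."""
    sigk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    vk = [[hashlib.sha256(s).digest() for s in pair] for pair in sigk]
    return vk, sigk


def _bits(msg):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def ots_sign(sigk, msg):
    return [sigk[i][b] for i, b in enumerate(_bits(msg))]


def ots_verify(vk, msg, sig):
    return all(hashlib.sha256(sig[i]).digest() == vk[i][b] for i, b in enumerate(_bits(msg)))


def vk_bytes(vk):
    return b"".join(h for pair in vk for h in pair)


def pke_keygen():  # PLACEHOLDER: pk == sk
    sk = secrets.token_bytes(32)
    return sk, sk


def pke_enc(pk, msg, label):
    """PLACEHOLDER labelled encryption: nonce || (msg XOR pad) || MAC over label."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(pk + nonce).digest()
    c = bytes(a ^ b for a, b in zip(msg, pad))
    tag = hmac.new(pk, label + nonce + c, hashlib.sha256).digest()
    return nonce + c + tag


def pke_dec(sk, ct, label):
    nonce, c, tag = ct[:16], ct[16:-32], ct[-32:]
    if not hmac.compare_digest(hmac.new(sk, label + nonce + c, hashlib.sha256).digest(), tag):
        return None  # wrong label (vk) or modified ciphertext: reject
    pad = hashlib.sha256(sk + nonce).digest()
    return bytes(a ^ b for a, b in zip(c, pad))


def dk_encrypt(pks, m, t):
    """Enc: share m, encrypt share i under pk_i with label vk, sign the whole list."""
    vk, sigk = ots_keygen()
    shares = shamir_share(m, t, len(pks))
    cts = [pke_enc(pk, y.to_bytes(16, "big"), vk_bytes(vk)) for pk, (_, y) in zip(pks, shares)]
    return cts, vk, ots_sign(sigk, b"".join(cts))


def dk_decrypt(sks, CT, parties):
    """Dec run by the parties in `parties` (0-based indices; at least t of them)."""
    cts, vk, sigma = CT
    if not ots_verify(vk, b"".join(cts), sigma):
        return None  # every party checks the signature first
    shares = []
    for i in parties:
        s = pke_dec(sks[i], cts[i], vk_bytes(vk))
        if s is None:
            return None
        shares.append((i + 1, int.from_bytes(s, "big")))
    return shamir_reconstruct(shares)  # broadcast shares, reconstruct m
```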

The security of the Dodis–Katz conversion is stated in the following proposition.

Proposition 1

[24, Theorem 1] If the underlying PKE \(\Pi _{\textrm{p}}\) is \(\textsf{IND} \text {-}\textsf{CCA} \) secure and the signature scheme is one-time strong \(\textsf{EUF}\text {-}\textsf{CMA}\) secure, then the \((t,n)\)-threshold PKE from the Dodis–Katz conversion is \(\textsf{IND} \text {-}\textsf{CCA} \) secure.

2.8 Cong et al. conversion

Cong et al. [16] proposed constructions that build \(\textsf{IND} \text {-}\textsf{CCA} \) secure PKEs from \(\textsf{OW} \text {-}\textsf{CPA} \) secure PKEs via the KEM-DEM paradigm. Their notable feature is that the \(\textsf{IND} \text {-}\textsf{CCA} \) security of the resulting scheme is guaranteed even if the decryption result of the KEM (i.e., the session key for the DEM) is revealed. This feature is a great advantage in case the underlying \(\textsf{OW} \text {-}\textsf{CPA} \) PKE (used as a KEM) has an efficient threshold decryption protocol. Their hybrid construction has two versions: \(\textrm{Hybrid}_1\), secure in the random oracle model (ROM), and \(\textrm{Hybrid}_2\), secure in the quantum random oracle model (QROM), in which we are interested.

We recall the second conversion \(\textrm{Hybrid}_2\). (Henceforth, CCMS conversion will refer to the \(\textrm{Hybrid}_2\) conversion.) Let \(\Pi _{\textrm{t}}^{\textrm{ow}}=(\textsf{KGen}_{\textrm{t}}^{\textrm{ow}},\textsf{Enc}_{\textrm{t}}^{\textrm{ow}},\textsf{Dec}_{\textrm{t}}^{\textrm{ow}})\) be an \(\textsf{OW} \text {-}\textsf{CPA} \) \((t,n)\)-threshold PKE scheme with plaintext space \(M_{\textrm{t}}\), and \(\Pi _{\textrm{s}}=(\textsf{Enc}_{\textrm{s}},\textsf{Dec}_{\textrm{s}})\) be an SKE scheme with plaintext space \(M_{\textrm{s}}\) and key space \(K_{\text {s}}\). Let

$$\begin{aligned} \textsf{H}:M_{\textrm{t}}\rightarrow K_{\text {s}}\quad \textsf{H}',\textsf{H}'' : M_{\textrm{t}} \rightarrow M_{\textrm{t}}\\ \textsf{G}:\{0,1\}^*\times M_{\textrm{t}} \rightarrow \{0,1\}^{\ell _g} \end{aligned}$$

be hash functions. The \(\textsf{IND} \text {-}\textsf{CCA} \) secure threshold PKE \(\Pi _{\textrm{t}} = (\textsf{KGen}_{\textrm{t}}, \textsf{Enc}_{\textrm{t}}, \textsf{Dec}_{\textrm{t}})\) from CCMS conversion is described as follows.

  • \(\textsf{KGen}_{\textrm{t}}(1^\lambda )\): It is identical to \(\textsf{KGen}_{\textrm{t}}^{\textrm{ow}}\). The output is \((\textsf{SK}, \textsf{PK}) \leftarrow \textsf{KGen}_{\textrm{t}}^{\textrm{ow}}(1^\lambda )\).

  • \(\textsf{Enc}_{\textrm{t}}(\textsf{PK}, \textsf{m})\): On input a public key \(\textsf{PK}\) and plaintext \(\textsf{m}\in M_{\textrm{s}}\), it computes the ciphertext \(\textsf{CT}=(\textsf{ct}_1,\textsf{ct}_2,\textsf{ct}_3,\textsf{ct}_4)\) as follows:

    $$\begin{aligned}&k\leftarrow _{\$}M_{\textrm{t}},{} & {} \textsf{k}\leftarrow \textsf{H}(k),\quad \mu \leftarrow \textsf{H}'(k) \\&\textsf{ct}_1\leftarrow \textsf{Enc}_{\textrm{t}}^{\textrm{ow}}(\textsf{pk},k),{} & {} \textsf{ct}_2\leftarrow \textsf{Enc}_{\textrm{s}}(\textsf{k},\textsf{m}),\\&\textsf{ct}_3\leftarrow \textsf{G}(\textsf{ct}_2,\mu ),{} & {} \textsf{ct}_4\leftarrow \textsf{H}''(k). \end{aligned}$$
  • \(\textsf{Dec}_{\textrm{t}}(\textsf{SK}, \textsf{CT})\): First, the parties jointly perform the \(\textsf{Dec}_{\textrm{t}}^{\textrm{ow}}\) protocol to decrypt \(\textsf{ct}_1\). After the protocol run, they hold secret shares of k. Then, they evaluate \(\mu \leftarrow \textsf{H}'(k)\), \(\textsf{ct}_3\leftarrow \textsf{G}(\textsf{ct}_2, \mu )\), \(\textsf{ct}_4\leftarrow \textsf{H}''(k)\), and check the validity of \(\textsf{ct}_3\) and \(\textsf{ct}_4\) by jointly performing the MPC for the hash functions and the equality check. If the check does not pass, they output \(\bot \) and abort the protocol. Otherwise, they reconstruct k. Finally, they compute \(\textsf{k}\leftarrow \textsf{H}(k)\) and \(\textsf{m}\leftarrow \textsf{Dec}_{\textrm{s}}(\textsf{k},\textsf{ct}_2)\) in the clear, and output \((\textsf{k}, \textsf{m})\).
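The CCMS conversion above, simulated in one Python process as an added illustration (not code from the paper or from [16]). The underlying n-out-of-n "threshold \(\textsf{OW} \text {-}\textsf{CPA} \) PKE" is a placeholder: a one-time pad whose pad is XOR-shared among the parties, so that \(\textsf{Dec}_{\textrm{t}}^{\textrm{ow}}\) yields XOR shares of k; it is deterministic and rigid but offers no security, standing in for Classic McEliece. The joint hash check is simulated by reconstructing k inside the decryption function; the point shown is that \(\bot \) is output before the DEM key is ever derived, and that a malleable one-time-pad DEM is still rejected on tampering because \(\textsf{ct}_3\) binds \(\textsf{ct}_2\) to \(\mu \).

```python
# Added illustration of the CCMS (Hybrid_2) conversion (not the paper's own code).
# ow_* is a PLACEHOLDER threshold OW-CPA PKE (XOR pad shared among n parties);
# H, H', H'', G are domain-separated SHA-256; the DEM is a SHAKE256 one-time pad.
import hashlib
import hmac
import secrets

KLEN = 32  # M_t = {0,1}^256 in this illustration (constructed choice)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def H(k):          # H : M_t -> K_s
    return hashlib.sha256(b"H" + k).digest()


def H1(k):         # H' : M_t -> M_t
    return hashlib.sha256(b"H'" + k).digest()


def H2(k):         # H'' : M_t -> M_t
    return hashlib.sha256(b"H''" + k).digest()


def G(ct2, mu):    # G : {0,1}* x M_t -> {0,1}^{l_g}
    return hashlib.sha256(b"G" + ct2 + mu).digest()


def ow_keygen(n):
    """PLACEHOLDER KGen_t^ow: party i holds sk_i; pk is the XOR of all sk_i."""
    sks = [secrets.token_bytes(KLEN) for _ in range(n)]
    pk = b"\x00" * KLEN
    for s in sks:
        pk = xor(pk, s)
    return pk, sks


def ow_enc(pk, k):
    return xor(k, pk)  # deterministic and rigid: Enc(pk, Dec(sk, ct)) == ct


def ow_dec_t(sks, ct1):
    """PLACEHOLDER Dec_t^ow: each party outputs an XOR share of k, nobody learns k."""
    return [xor(ct1, sks[0])] + sks[1:]


def dem_enc(ks, m):
    """One-time IND-CPA DEM: XOR with a SHAKE256 keystream (malleable, not CCA)."""
    return xor(m, hashlib.shake_256(ks).digest(len(m)))


dem_dec = dem_enc  # the pad is its own inverse


def ccms_encrypt(pk, m):
    k = secrets.token_bytes(KLEN)       # k <-$ M_t
    ks, mu = H(k), H1(k)
    ct1 = ow_enc(pk, k)
    ct2 = dem_enc(ks, m)
    ct3 = G(ct2, mu)
    ct4 = H2(k)
    return (ct1, ct2, ct3, ct4)


def ccms_decrypt(sks, CT):
    ct1, ct2, ct3, ct4 = CT
    shares = ow_dec_t(sks, ct1)         # parties hold XOR shares of k
    # Simulated MPC: the real protocol evaluates H', G, H'' on the shares and opens
    # only the equality bits; here k is reconstructed to perform the same check.
    k = b"\x00" * KLEN
    for s in shares:
        k = xor(k, s)
    ok3 = hmac.compare_digest(G(ct2, H1(k)), ct3)
    ok4 = hmac.compare_digest(H2(k), ct4)
    if not (ok3 and ok4):
        return None                     # output ⊥ before the DEM key is derived
    ks = H(k)                           # session key may now be opened to all parties
    return ks, dem_dec(ks, ct2)         # DEM decryption in the clear
```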

The security of \(\Pi _{\textrm{t}}\) is stated as follows.

Proposition 2

[16, Theorem 3.2] Let \(\textsf{G},\textsf{H},\textsf{H}',\textsf{H}''\) be modeled as quantum random oracles. If \(\Pi _{\textrm{t}}^{\textrm{ow}}\) is deterministic, rigid, \(\delta _\bot \)-\(\bot \text {-aware}\), \(\delta _c\)-collision free, \(\textsf{OW} \text {-}\textsf{CPA} \) secure, and has decryption failure probability \(\delta _f\) for a randomly chosen plaintext, and \(\Pi _{\textrm{s}}\) is (one-time) \(\textsf{IND} \text {-}\textsf{CPA} \) secure, with negligibly small \(\delta _\bot , \delta _c, \delta _f\), then \(\Pi _{\textrm{t}}\) is \(\textsf{IND} \text {-}\textsf{CCA} \) secure.

Efficiency of the decryption protocol. The decryption protocol mainly consists of three parts: the PKE decryption part, the validity check part, and the SKE decryption part. The efficiency of the first part depends on the underlying threshold PKE. The last part is lightweight because it is performed in the clear. As for the second part, Cong et al. suggested the use of the MPC-friendly hash function Rescue [3]. Note that, although the input of \(\textsf{G}\) can be long, the compression of \(\textsf{ct}_2\) can be done in the normal way (without MPC), and only the compression of the very last part (the distributed \(\mu \)) needs to be done in a distributed fashion.

3 Code-based cryptography

In this section, we introduce the Classic McEliece as a typical example of code-based KEM. Further, we describe code-based signature schemes.

3.1 Goppa codes and Patterson decoding

First, we explain the binary Goppa code [30] on which Classic McEliece is based, and Patterson’s algorithm [40], the decoding algorithm implemented in it.

Let \(g(x)=\sum _{i=0}^{t_c} g_ix^i\in \mathbb {F}_{2^m}[x]\) be a monic irreducible polynomial of degree \(t_c\), called the Goppa polynomial, and \(\gamma =(\gamma _1,\ldots ,\gamma _{n_c})\in \mathbb {F}_{2^m}^{n_c}\) be \(n_c\) distinct supports such that \(g(\gamma _i)\ne 0\). The \((k_c,n_c,t_c)\)-binary Goppa code is defined by the parity-check matrix

$$\begin{aligned} H&=\{h_{i,j}\}\in \mathbb {F}_{2^m}^{t_c\times n_c},\\ \quad h_{i,j}&=\frac{\gamma _j^{i-1}}{g(\gamma _j)}\,(i=1,\ldots ,t_c,\,j=1,\ldots ,n_c). \end{aligned}$$

Since each element of the matrix H is in \(\mathbb {F}_{2^m}\), H can be expressed as a \((t_c\cdot m)\times n_c\) matrix over \(\mathbb {F}_2\). Denoting \(k_c=n_c-m\cdot t_c\), H is an \((n_c-k_c)\times n_c\) binary matrix. In the following, we assume \(t_c\) is an even number.

Patterson’s algorithm is a typical decoding algorithm for binary Goppa codes. For a given received word \(v\in \{0,1\}^{n_c}\), it recovers the error e if the Hamming weight \(\textrm{wt}(e)\) of e is at most \(t_c\). The output e satisfies \(Hv = He\) and \(\textrm{wt}(e)\le t_c\). In Algorithm 1, we show a slightly modified version of Patterson’s algorithm that uses the conditions that \(t_c\) is an even number and \(\textrm{wt}(e)= t_c\).

Algorithm 1: Patterson’s algorithm. (The figure with the algorithm listing is not reproduced here.)

3.2 Classic McEliece KEM

Classic McEliece KEM \(\Pi _{\text {k}}^{\textrm{CM}}\) is an \(\textsf{IND} \text {-}\textsf{CCA} \) secure KEM based on the syndrome decoding problem [2]. Its core component is an \(\textsf{OW} \text {-}\textsf{CPA} \) secure public key encryption \(\Pi _{\textrm{p}}^{\textrm{owCM}}=(\textsf{KGen}_{\textrm{p}}^{\textrm{owCM}}, \textsf{Enc}_{\textrm{p}}^{\textrm{owCM}},\textsf{Dec}_{\textrm{p}}^{\textrm{owCM}})\) described as follows. Its plaintext space is \(W_{t_c,n_c}\mathrel {\mathop :}=\{ e\in \mathbb {F}_2^{n_c} \mid \textrm{wt}(e)=t_c \}\).

  • \(\textsf{KGen}_{\textrm{p}}^{\textrm{owCM}}(1^\lambda )\): Generate random parameters g(x), \(\gamma \) of a \((k_c,n_c, t_c)\)-binary Goppa code and its parity-check matrix \(H=[I_{n_c-k_c}\mid H_{k_c}]\), where \(I_{n_c-k_c}\) is the \(({n_c-k_c})\times ({n_c-k_c})\) identity matrix. Output \(\textsf{pk}\mathrel {\mathop :}=H_{k_c} \in \mathbb {F}_2^{(n_c-k_c) \times k_c}\) and \(\textsf{sk}\mathrel {\mathop :}=( g(x),\gamma )\).

  • \(\textsf{Enc}_{\textrm{p}}^{\textrm{owCM}}(\textsf{pk},e)\): For a plaintext \(e\in W_{t_c,n_c}\), output its ciphertext \(c=[I_{n_c-k_c}\mid H_{k_c}]\cdot e\in \mathbb {F}_2^{n_c - k_c}\).

  • \(\textsf{Dec}_{\textrm{p}}^{\textrm{owCM}}(\textsf{sk},c)\): For a given ciphertext \(c \in \mathbb {F}_2^{n_c - k_c}\), set \(v\mathrel {\mathop :}=[c\,0\,\ldots \,0]\in \mathbb {F}_2^{n_c}\) by appending \(k_c\) zeros. Find e s.t. \(Hv = He (=c)\) by using some decoding algorithm for the Goppa code. If \(\textrm{wt}(e)=t_c\) and \(c=He\), output e, otherwise output \(\bot \).

By using \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) and a hash function \(\textsf{H}_{\text {cm}}:\{0,1\}\times \{0,1\}^{n_c} \times \{0,1\}^{n_c-k_c} \rightarrow K_{\text {k}} \), Classic McEliece KEM \(\Pi _{\text {k}}^{\textrm{CM}}=(\textsf{KGen}_{\textrm{k}}^{\textrm{CM}}, \textsf{Encap}^{\textrm{CM}}, \textsf{Decap}^{\textrm{CM}})\) is constructed as follows.

  • \(\textsf{KGen}_{\textrm{k}}^{\textrm{CM}}(1^\lambda )\): Generate \((\textsf{sk}',\textsf{pk}')\leftarrow \textsf{KGen}_{\textrm{p}}^{\textrm{owCM}}(1^\lambda )\) and choose \(s\leftarrow _{\$}\{0,1\}^{n_c}\). Output \(\textsf{sk}\mathrel {\mathop :}=(\textsf{sk}', s), \textsf{pk}\mathrel {\mathop :}=\textsf{pk}'\).

  • \(\textsf{Encap}^{\textrm{CM}}(\textsf{pk})\): Randomly choose \(e \leftarrow _{\$}W_{t_c,n_c}\). Compute \(c \leftarrow \textsf{Enc}_{\textrm{p}}^{\textrm{owCM}}(\textsf{pk},e)\) and \(\textsf{k}\leftarrow \textsf{H}_{\text {cm}}(1, e, c)\). Output a ciphertext \(\textsf{ct}\mathrel {\mathop :}=c\) and a session key \(\textsf{k}\).

  • \(\textsf{Decap}^{\textrm{CM}}(\textsf{sk}, \textsf{ct})\): Set \(c \mathrel {\mathop :}=\textsf{ct}\). Compute \(e\leftarrow \textsf{Dec}_{\textrm{p}}^{\textrm{owCM}}(\textsf{sk}, c)\). If \(e\ne \bot \), output \(\textsf{k}\leftarrow \textsf{H}_{\text {cm}}(1, e, c)\). Otherwise output \(\textsf{k}\leftarrow \textsf{H}_{\text {cm}}(0, s, c)\).

\(\Pi _{\text {k}}^{\textrm{CM}}\) is perfectly correct and rigid [2].

3.3 Code-based signature

In the literature, several code-based digital signature schemes have been proposed [8, 14, 17, 22, 26, 31, 45, 46]. Mainly, there are two approaches: hash-then-sign paradigm and a combination of proof-of-knowledge (PoK) and Fiat–Shamir transformation [27]. There are only a few hash-then-sign signature schemes. CFS signature [17] is the initial one. Its security is based on the hardness of the syndrome decoding problem, the same as the Classic McEliece. However, it has several problems such as choosing parameters, signature size, and signing algorithm complexity. Wave [22] is the state-of-the-art hash-then-sign-based code-based signature. It has a short signature (930 bytes for 128-bit security) but a large verification key (3.2 megabytes). On the other hand, a lot of PoK-based code-based signatures [8, 14, 26, 31, 45, 46] have been proposed. These schemes are derived from Stern’s protocols [45], which are based on the syndrome decoding problem. PoK-based code-based signatures have short verification keys (about 100–200 bytes) but large signature sizes (about 15–30 kilobytes).

To the best of our knowledge, Sig 3 [8] has the shortest verification key plus signature size (165 plus 15,355 bytes) among signature schemes whose security relies on the syndrome decoding problem over \(\mathbb {F}_2\). Moreover, it satisfies strong \(\textsf{EUF}\text {-}\textsf{CMA}\) security, which is required for the Dodis–Katz conversion.

4 Code-based threshold PKE from Dodis–Katz conversion

We can obtain an \(\textsf{IND} \text {-}\textsf{CCA} \) secure code-based threshold PKE by instantiating the Dodis–Katz conversion [24] with a code-based PKE and signature scheme. For completeness, we give a concrete description of the resulting scheme. We call it \(\Pi _{\textrm{t}}^{\text {I}}\). We instantiate the building blocks in the Dodis–Katz conversion as follows:

  • \(\textsf{IND} \text {-}\textsf{CCA} \) secure PKE with label: We use a PKE scheme derived from the Classic McEliece KEM \(\Pi _{\text {k}}^{\textrm{CM}}=(\textsf{KGen}_{\textrm{k}}^{\textrm{CM}}, \textsf{Encap}^{\textrm{CM}}, \textsf{Decap}^{\textrm{CM}})\) and an \(\textsf{IND} \text {-}\textsf{CCA} \) secure SKE \(\Pi _{\textrm{s}}=(\textsf{Enc}_{\textrm{s}},\textsf{Dec}_{\textrm{s}})\) via the KEM-DEM paradigm [44]. Let \(K_{\text {s}}\) be the key space of \(\Pi _{\textrm{s}}\). To convert the PKE scheme into a scheme with label, a target collision resistant hash function \(\textsf{H}_{\ell }:\{0,1\}^*\rightarrow \{0,1\}^{\ell _{\text {hash}}}\) is used.

  • Secret sharing scheme: We use Krawczyk’s scheme [35] with Shamir’s scheme [41], in which the secret is encrypted with SKE, and the symmetric key of SKE is shared with Shamir’s scheme.

  • Strong \(\textsf{EUF}\text {-}\textsf{CMA}\) secure signature: We use the Sig 3 scheme \(\Pi ^{\textrm{Sig3}}_{\text {sig}} = (\textsf{KGen}_{\text {sig}}^{\textrm{Sig3}},\textsf{Sign}^{\textrm{Sig3}},\textsf{Verify}^{\textrm{Sig3}})\) proposed by Bidoux et al. [8].

The first code-based threshold PKE scheme \(\Pi _{\textrm{t}}^{\text {I}} = (\textsf{KGen}_{\textrm{t}}^{\text {I}},\textsf{Enc}_{\textrm{t}}^{\text {I}},\textsf{Dec}_{\textrm{t}}^{\text {I}})\) is described as follows. Its plaintext space is \(M_{\textrm{s}}\).

  • \(\textsf{KGen}_{\textrm{t}}^{\text {I}}(1^\lambda )\): Each party \(P_i\) runs \((\textsf{pk}_i, \textsf{sk}_i) \leftarrow \textsf{KGen}_{\textrm{k}}^{\textrm{CM}}(1^\lambda )\) locally, and broadcasts \(\textsf{pk}_i\). Set \(\textsf{PK}\mathrel {\mathop :}=(\textsf{pk}_1,\ldots ,\textsf{pk}_n)\). \(\textsf{sk}_i\) is the partial secret key of \(P_i\).

  • \(\textsf{Enc}_{\textrm{t}}^{\text {I}}(\textsf{PK},\textsf{m})\): Choose \(\textsf{k}\leftarrow _{\$}K_{\text {s}}\). Let \((\textsf{s}_1,\ldots , \textsf{s}_n)\) be a set of Shamir’s shares of \(\textsf{k}\), and compute \(\textsf{ct}_0 \leftarrow \textsf{Enc}_{\textrm{s}}(\textsf{k},\textsf{m})\). Generate a key pair \((\textsf{vk}, \textsf{sigk})\leftarrow \textsf{KGen}_{\text {sig}}^{\textrm{Sig3}}(1^\lambda )\). For all \(i\in [n]\), compute \((\textsf{ct}_{\text {kem},i}, \textsf{k}'_i) \leftarrow \textsf{Encap}^{\textrm{CM}}(\textsf{pk}_i)\), \(\textsf{ct}_{\text {ske},i} \leftarrow \textsf{Enc}_{\textrm{s}}(\textsf{k}'_i,(\textsf{H}_{\ell }(\textsf{vk}), \textsf{s}_{i}))\), and set \(\textsf{ct}_i \mathrel {\mathop :}=(\textsf{ct}_{\text {kem},i}, \textsf{ct}_{\text {ske},i})\). \(\sigma \leftarrow \textsf{Sign}^{\textrm{Sig3}}(\textsf{sigk}, (\textsf{ct}_1,\ldots ,\textsf{ct}_n))\). Output \(\textsf{CT}\mathrel {\mathop :}=(\textsf{ct}_0, \textsf{ct}_1,\ldots , \textsf{ct}_n, \textsf{vk}, \sigma )\).

  • \(\textsf{Dec}_{\textrm{t}}^{\text {I}}(\textsf{SK},\textsf{CT})\): Check whether \(\textsf{Verify}^{\textrm{Sig3}}(\textsf{vk}, (\textsf{ct}_1,\ldots ,\textsf{ct}_n), \sigma ) = 1\). If not, output \(\bot \). Otherwise, each party decrypts \(\textsf{k}'_i \leftarrow \textsf{Decap}^{\textrm{CM}}(\textsf{sk}_i,\textsf{ct}_{\text {kem},i})\) and \((h_i, \textsf{s}_{i}) \leftarrow \textsf{Dec}_{\textrm{s}}(\textsf{k}'_i, \textsf{ct}_{\text {ske},i})\). If \(h_i \ne \textsf{H}_{\ell }(\textsf{vk})\), \(P_i\) outputs \(\bot \). If no party outputs \(\bot \), \(\textsf{k}\) is reconstructed from shares \(\textsf{s}_1,\ldots , \textsf{s}_n\) and \(\textsf{m}\) is recovered as \(\textsf{m}\leftarrow \textsf{Dec}_{\textrm{s}}(\textsf{k},\textsf{ct}_0)\).

From Proposition 1, the above scheme is \(\textsf{IND} \text {-}\textsf{CCA} \) secure.

5 Code-based threshold PKE from new conversion

In this section, we propose a new conversion for building an \(\textsf{OW} \text {-}\textsf{CPA} \) secure threshold PKE from a non-threshold \(\textsf{OW} \text {-}\textsf{CPA} \) secure PKE. Combining this new conversion and CCMS conversion, we obtain the second \(\textsf{IND} \text {-}\textsf{CCA} \) secure code-based threshold PKE, called \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\), from a non-threshold \(\textsf{OW} \text {-}\textsf{CPA} \) secure PKE.

As for the new conversion, first, we show how to build an (n, n)-threshold PKE, named (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\), and then extend it into a (t, n)-threshold PKE. The scheme \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) satisfies the requirements for applying CCMS conversion, so it can be converted into \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) with \(\textsf{IND} \text {-}\textsf{CCA} \) security.

5.1 Deterministic (n, n)-threshold PKE (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\)

Our goal is to construct a new threshold PKE scheme that can be applied to CCMS conversion, that is, we want a scheme that is

  • deterministic,

  • rigid,

  • \(\delta _{\bot }\)-\(\bot \text {-aware}\) for negligibly small \(\delta _{\bot }\),

  • \(\delta _c\)-collision free for negligibly small \(\delta _c\),

  • \((1-\delta _f)\)-correct for negligibly small \(\delta _f\),

  • \(\textsf{OW} \text {-}\textsf{CPA} \) secure.

At first glance, the Dodis–Katz conversion gives a threshold PKE that has all these properties if we start with a non-threshold one that has all these properties. Unfortunately, this is not correct. Because the threshold secret sharing scheme used in the Dodis–Katz conversion generates the shares \((\textsf{s}_1,\ldots ,\textsf{s}_n)\) probabilistically, the resulting threshold PKE is probabilistic. Note that there is no deterministic threshold secret sharing scheme, since a deterministically computed share leaks some information about the secret.

We overcome this problem by changing the sharing method. Our construction utilizes a simple split to divide a plaintext into n shares instead of a threshold secret-sharing scheme. Such a sharing method cannot be used to convert an \(\textsf{IND} \text {-}\textsf{CCA} \) scheme, since each share leaks partial information about the shared secret. However, it is sufficient in our setting, as shown below. A plaintext \(\textsf{m}\) of the converted scheme is n times longer than that of the underlying PKE. That is, the plaintext space of \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is \(M_{\textrm{t}} = (M_{\textrm{p}})^n\).

More concretely, our construction (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}} = (\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}},\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}},\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}})\) is described as follows, where \(\Pi _{\textrm{p}}^{\textrm{ow}}=(\textsf{KGen}_{\textrm{p}}^{\textrm{ow}}, \textsf{Enc}_{\textrm{p}}^{\textrm{ow}}, \textsf{Dec}_{\textrm{p}}^{\textrm{ow}})\) is the underlying PKE.

  • \(\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(1^\lambda )\): Each party \(P_i\) generates a key pair \((\textsf{pk}_i,\textsf{sk}_i)\leftarrow \textsf{KGen}_{\textrm{p}}^{\textrm{ow}}(1^\lambda )\) and broadcasts \(\textsf{pk}_i\). Let the public key be \(\textsf{PK}\mathrel {\mathop :}=(\textsf{pk}_1,\ldots ,\textsf{pk}_n)\), \(P_i\)’s partial secret key be \(\textsf{sk}_i\).

  • \(\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{PK}, {\bar{\textsf{m}}})\): The plaintext \({\bar{\textsf{m}}}\in (M_{\textrm{p}})^n\) is split as \({\bar{\textsf{m}}}=(\textsf{m}_1, \textsf{m}_2,\ldots ,\textsf{m}_n)\). The ciphertext is \(\textsf{CT}=(\textsf{ct}_1,\textsf{ct}_2,\ldots ,\textsf{ct}_n)\), where \(\textsf{ct}_i=\textsf{Enc}_{\textrm{p}}^{\textrm{ow}}(\textsf{pk}_i,\textsf{m}_i)\).

  • \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{SK}, \textsf{CT})\): Given \(\textsf{CT}=(\textsf{ct}_1,\textsf{ct}_2,\ldots ,\textsf{ct}_n)\), each \(P_i\) locally decrypts \(\textsf{ct}_i\) as \(\textsf{m}_i\leftarrow \textsf{Dec}_{\textrm{p}}^{\textrm{ow}}(\textsf{sk}_i,\textsf{ct}_i)\), and broadcasts \(\textsf{m}_i\). If \(\textsf{m}_i= \bot \) for some i, the protocol outputs \(\bot \). Otherwise, the plaintext \({\bar{\textsf{m}}}=(\textsf{m}_1, \textsf{m}_2,\ldots ,\textsf{m}_n)\) is output.

We first show that (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure.

Theorem 1

If \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure, then (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure.

Proof

We show that, if there exists an adversary \(\mathcal {A}\) that breaks the \(\textsf{OW} \text {-}\textsf{CPA} \) security of (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\), then there exists an adversary \(\mathcal {B}\), using \(\mathcal {A}\) as a subroutine, that breaks the \(\textsf{OW} \text {-}\textsf{CPA} \) security of \(\Pi _{\textrm{p}}^{\textrm{ow}}\). Without loss of generality, we assume \(\mathcal {A}\) corrupts the first \(n-1\) parties. Let \(I \mathrel {\mathop :}=\{1,\ldots ,n-1\}\). \(\mathcal {B}\) receives \(\textsf{pk}^*\) and \(\textsf{ct}^* (=\textsf{Enc}_{\textrm{p}}^{\textrm{ow}}(\textsf{pk}^*,\textsf{m}^*))\) as input. Note that \(\textsf{m}^*\) is chosen randomly from \(M_{\textrm{p}}\). \(\mathcal {B}\) generates \((\textsf{pk}_i,\textsf{sk}_i)\leftarrow \textsf{KGen}_{\textrm{p}}^{\textrm{ow}}(1^\lambda )\) for all \(i\in I\), sets \(\textsf{pk}_n \mathrel {\mathop :}=\textsf{pk}^*\), and sends \(\textsf{PK}\mathrel {\mathop :}=(\textsf{pk}_1,\ldots ,\textsf{pk}_{n-1},\textsf{pk}_n)\) and \((\textsf{sk}_1,\ldots ,\textsf{sk}_{n-1})\) to \(\mathcal {A}\). Next, \(\mathcal {B}\) randomly chooses \(\textsf{m}_i\leftarrow _{\$}M_{\textrm{p}}\) and computes \(\textsf{ct}_i=\textsf{Enc}_{\textrm{p}}^{\textrm{ow}}(\textsf{pk}_i,\textsf{m}_i)\) for all \(i \in I\). \(\mathcal {B}\) sends \(\textsf{CT}^*\mathrel {\mathop :}=(\textsf{ct}_1,\ldots ,\textsf{ct}_{n-1},\textsf{ct}^*)\) to \(\mathcal {A}\) as the challenge ciphertext. The \(\textsf{OW} \text {-}\textsf{CPA} \) adversary \(\mathcal {A}\) outputs \({\bar{\textsf{m}}}=(\textsf{m}_1,\textsf{m}_2,\ldots ,\textsf{m}_n)\in (M_{\textrm{p}})^n\). \(\mathcal {B}\) outputs \(\textsf{m}_n\) as its own output.

If \(\mathcal {A}\) succeeds, \(\textsf{ct}^*=\textsf{Enc}_{\textrm{p}}^{\textrm{ow}}(\textsf{pk}^*,\textsf{m}_n)\) holds, so \(\mathcal {B}\) also succeeds. However, since \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure, the advantage of \(\mathcal {B}\) is negligible. Thus the advantage of \(\mathcal {A}\) is also negligible, and hence (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure. \(\square \)

We then show that (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) satisfies the required properties for CCMS conversion.

Theorem 2

If \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is deterministic, rigid, \(\delta _c\)-collision free, \(\delta _{\bot }\)-\(\bot \text {-aware}\), and \((1-\delta _f)\)-correct, then (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is deterministic, rigid, \(\delta '_c\)-collision free, \(\delta '_{\bot }\)-\(\bot \text {-aware}\), and \((1-\delta '_f)\)-correct, where \(\delta '_c < n\delta _c\), \(\delta '_{\bot } \le n\delta _{\bot }\), \(\delta '_f < n\delta _f\).

Proof

From the construction, (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is deterministic if \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is deterministic. Further, the other properties follow from Lemmas 1 to 4 below. \(\square \)

Lemma 1

If \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is rigid, then \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is also rigid.

Proof

Consider \(\textsf{CT}=(\textsf{ct}_1,\ldots ,\textsf{ct}_n)\in C_{\textrm{t}}{\setminus } C_{\textrm{t}}^\bot \), where \(C_{\textrm{t}}\) is the ciphertext space of \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\). Then \(\textsf{Dec}_{\textrm{p}}^{\textrm{ow}}(\textsf{sk}_i, \textsf{ct}_i)\ne \bot \) (i.e., \(\textsf{ct}_i\in C_{\textrm{p}}{\setminus } C_{\textrm{p}}^\bot \)) must hold for all i. (Otherwise, \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) outputs \(\bot \) by the definition of \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\).) Therefore, for all \(i\in [n]\) there exists \(\textsf{m}_i\in M_{\textrm{p}}\) such that \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{SK},\textsf{CT})=(\textsf{m}_1,\ldots ,\textsf{m}_n)\). Since \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is rigid, \(\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{PK},\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{SK},\textsf{CT}))=\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{PK},(\textsf{m}_1,\ldots ,\textsf{m}_n))=(\textsf{Enc}_{\textrm{p}}^{\textrm{ow}}(\textsf{pk}_1,\textsf{m}_1),\ldots ,\textsf{Enc}_{\textrm{p}}^{\textrm{ow}}(\textsf{pk}_n,\textsf{m}_n))=(\textsf{ct}_1,\ldots ,\textsf{ct}_n)=\textsf{CT}\) holds. \(\square \)

Lemma 2

If \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is \(\delta _c\)-collision free, then \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is \(\delta '_c\)-collision free for \(\delta '_c < n\delta _c\).

Proof

It is clear that for fixed \(\textsf{PK}\), two distinct plaintexts \({\bar{\textsf{m}}} = (\textsf{m}_1,\ldots ,\textsf{m}_n)\) and \(\bar{\textsf{m}'} = (\textsf{m}'_1,\ldots ,\textsf{m}'_n)\) make a collision in \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) if and only if there exists i such that \((\textsf{m}_i,\textsf{m}'_i)\) makes a collision in \(\Pi _{\textrm{p}}^{\textrm{ow}}\) based on \(\textsf{pk}_i\). Therefore, \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) has a collision pair with probability \(1-(1-\delta _c)^n < n\delta _c\). \(\square \)

Lemma 3

If \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is \(\delta _{\bot }\)-\(\bot \text {-aware}\), then \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is \(\delta '_{\bot }\)-\(\bot \text {-aware}\), where \(\delta '_{\bot } \le n\delta _{\bot }\).

Proof

Let \(\mathcal {A}\) be an adversary in the \(\bot \text {-aware}\) game for \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\). Consider the following adversary \(\mathcal {B}\) in the \(\bot \text {-aware}\) game for \(\Pi _{\textrm{p}}^{\textrm{ow}}\).

On input \(\textsf{pk}^*\), \(\mathcal {B}\) randomly chooses \(i^*\in [n]\) and sets \(\textsf{pk}_{i^*}\mathrel {\mathop :}=\textsf{pk}^*\). For all \(i(\ne i^*)\), \(\mathcal {B}\) generates key pairs \((\textsf{pk}_i, \textsf{sk}_i)\), and runs \(\mathcal {A}\) on input \(\textsf{PK}\mathrel {\mathop :}=(\textsf{pk}_1,\ldots ,\textsf{pk}_n)\). If \(\mathcal {A}\) outputs \({\bar{\textsf{m}}}=(\textsf{m}_1,\ldots ,\textsf{m}_n)\) and \(\textsf{CT}=(\textsf{ct}_1,\ldots ,\textsf{ct}_n)\), \(\mathcal {B}\) outputs \(\textsf{m}_{i^*}\) and \(\textsf{ct}_{i^*}\).

We assume \(\mathcal {A}\) wins \(\bot \text {-aware}\) game. In this case, the following holds:

$$\begin{aligned}&\textsf{CT}= \textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{PK}, {\bar{\textsf{m}}}) \text { and} \end{aligned} \qquad (1)$$

$$\begin{aligned}&\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{SK}, \textsf{CT}) =\bot . \end{aligned} \qquad (2)$$

Equation (1) implies \(\forall i: \textsf{ct}_i = \textsf{Enc}_{\textrm{p}}^{\textrm{ow}}(\textsf{pk}_i,\textsf{m}_i)\). Equation (2) implies that there exists a non-empty set I such that \(\textsf{Dec}_{\textrm{p}}^{\textrm{ow}}(\textsf{sk}_i,\textsf{ct}_i)=\bot \) holds for all \(i\in I\). Therefore, \(\mathcal {B}\) wins the \(\bot \text {-aware}\) game for \(\Pi _{\textrm{p}}^{\textrm{ow}}\) if \(i^*\in I\), which occurs with probability at least 1/n. \(\square \)

Lemma 4

If \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is \((1-\delta _f)\)-correct, then \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is \((1-\delta '_f)\)-correct for \(\delta '_f<n\delta _f\).

Proof

\(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{SK},(\textsf{ct}_1,\ldots ,\textsf{ct}_n))\) fails to decrypt only if at least one of \(\textsf{Dec}_{\textrm{p}}^{\textrm{ow}}(\textsf{sk}_i,\textsf{ct}_i)\) (\(i\in [n]\)) fails to decrypt. Therefore, \(\delta '_f = 1-(1-\delta _f)^n< n\delta _f\). \(\square \)

This completes the proof of Theorem 2.

5.2 Deterministic (t, n)-threshold PKE \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\)

We now extend (n, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) into the t-out-of-n setting for any \(t\le n\). The extension uses the technique of replicated secret sharing to turn an (n, n)-threshold access structure into a (t, n)-threshold one. More precisely, for each \((t-1)\)-subgroup \(G_j (\subset [n])\), a key pair \((\textsf{sk}'_j, \textsf{pk}'_j)\) is generated, and \(\textsf{sk}'_j\) is assigned to all parties \(P_i \in {\bar{G}}_j\), where \({\bar{G}}_j \mathrel {\mathop :}=[n]{\setminus } G_j\). In total, \(N\mathrel {\mathop :}=\left( {\begin{array}{c}n\\ t-1\end{array}}\right) \) key pairs are generated, and each party is assigned \(d=\left( {\begin{array}{c}n-1\\ t-2\end{array}}\right) \) secret keys \(\textsf{sk}'_j\). If \(t=2\) or \(t=n\), then \(N=n\) holds. For example, in the (2, 3)-setting, there are three key pairs and each \(P_i\) is assigned two \(\textsf{sk}'_j\).

The concrete description of (t, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}} = (\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}},\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}},\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}})\) is as follows.

  • \(\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(1^\lambda )\): For each \((t-1)\)-subgroup \(G_j\) of [n], parties in \({\bar{G}}_j\) jointly generate \((\textsf{pk}'_j, \textsf{sk}'_j)\leftarrow \textsf{KGen}_{\textrm{p}}^{\textrm{ow}}(1^\lambda )\), and broadcast \(\textsf{pk}'_j\). Set \(\textsf{PK}\mathrel {\mathop :}=(\textsf{pk}'_1,\ldots , \textsf{pk}'_N)\), where \(N= \left( {\begin{array}{c}n\\ t-1\end{array}}\right) \). Each \(P_i\) sets \(\textsf{sk}_i \mathrel {\mathop :}=\{ \textsf{sk}'_j \mid P_i\in {\bar{G}}_j\}\).

  • \(\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{PK},{\bar{\textsf{m}}})\): This is identical to \(\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) of (N, N)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\). The ciphertext is \(\textsf{CT}=(\textsf{ct}_1,\ldots ,\textsf{ct}_N)\).

  • \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(\textsf{SK},\textsf{CT})\): Each party \(P_i\) decrypts \(\textsf{ct}_j\) \((P_i\in {\bar{G}}_j)\) by using \(\textsf{sk}'_j\in \textsf{sk}_i\), and broadcasts the plaintext \(\textsf{m}_j\). If t or more parties attend the protocol, \(\textsf{m}_j\) for all \(j \in [N]\) are broadcast. If some \(\textsf{m}_j\) is \(\bot \), then the protocol outputs \(\bot \); otherwise, \({\bar{\textsf{m}}} \mathrel {\mathop :}=(\textsf{m}_1,\ldots ,\textsf{m}_N)\) is obtained.

The security of (t, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is stated as follows.

Theorem 3

If \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure, then (t, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure.

Proof

We show that if there exists an adversary \(\mathcal {A}'\) that breaks the \(\textsf{OW} \text {-}\textsf{CPA} \) security of (t, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\), then there exists an adversary \(\mathcal {B}\) that breaks the \(\textsf{OW} \text {-}\textsf{CPA} \) security of \(\Pi _{\textrm{p}}^{\textrm{ow}}\).

Corrupting up to \(t-1\) parties, \(\mathcal {A}'\) can get at most \(N-1\) secret keys \(\textsf{sk}'_j\). So, \(\mathcal {A}'\) is given the same knowledge as \(\mathcal {A}\) in the proof of Theorem 1. Therefore, we can construct \(\mathcal {B}\) that breaks the \(\textsf{OW} \text {-}\textsf{CPA} \) security of \(\Pi _{\textrm{p}}^{\textrm{ow}}\) with the same argument as in Theorem 1. \(\square \)

We can show that (t, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) satisfies the desired properties.

Theorem 4

If \(\Pi _{\textrm{p}}^{\textrm{ow}}\) is deterministic, rigid, \(\delta _c\)-collision free, \(\delta _{\bot }\)-\(\bot \text {-aware}\), and \((1-\delta _f)\)-correct, then (t, n)-\(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) is deterministic, rigid, \(\delta '_c\)-collision free, \(\delta '_{\bot }\)-\(\bot \text {-aware}\), and \((1-\delta '_f)\)-correct, where \(\delta '_c < N\delta _c\), \(\delta '_{\bot } \le N\delta _{\bot }\), \(\delta '_f < N\delta _f\).

Proof

The proof is identical to the proof of Theorem 2. \(\square \)

5.3 Second \(\textsf{IND} \text {-}\textsf{CCA} \) secure scheme \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\)

Let \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) be the underlying PKE of \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\). Then \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\) satisfies all requirements for CCMS conversion, and it can be converted into an \(\textsf{IND} \text {-}\textsf{CCA} \) secure one. We slightly modify CCMS conversion, because \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}\)’s plaintext space \((M_{\textrm{p}})^N=(W_{t_c,n_c})^N\subset \mathbb {F}_2^{Nn_c}\) is a sparse set. More precisely, we change the ranges of \(\textsf{H}'\) and \(\textsf{H}''\) and the domain of the second input of \(\textsf{G}\) from \((W_{t_c,n_c})^N \) to \(\{0,1\}^{N\ell _h}\) for some \(\ell _h\) that satisfies \(2^{\ell _h} \ge |W_{t_c,n_c}|\). With this modification, Proposition 2 can be proven in the same way, except that \(|M_{\textrm{p}}|\) is replaced with \(2^{N\ell _{h}}\). So, our construction uses the following hash functions:

$$\begin{aligned} \textsf{H}&: (W_{t_c,n_c})^N \rightarrow K_{\text {s}}, \\ \textsf{H}', \textsf{H}''&: (W_{t_c,n_c})^N \rightarrow \{0,1\}^{N\ell _h}, \\ \textsf{G}&: \{0,1\}^*\times \{0,1\}^{N\ell _h}\rightarrow \{0,1\}^{\ell _g}. \end{aligned}$$

\(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}} = (\textsf{KGen}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}},\textsf{Enc}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}},\textsf{Dec}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}})\) is described as follows.

  • \(\textsf{KGen}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}(1^\lambda )\): Parties execute \(\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I}}(1^\lambda )\). The public key is \(\textsf{PK}= (\textsf{pk}'_1,\ldots , \textsf{pk}'_N)\), and \(P_i\) holds the several \(\textsf{sk}'_j\) with \(P_i\in {\bar{G}}_j\) as its partial secret key.

  • \(\textsf{Enc}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}(\textsf{PK}, \textsf{m})\): First \({\bar{k}} \mathrel {\mathop :}=(k_1,\ldots ,k_N)\leftarrow _{\$}(W_{t_c,n_c})^N\) is chosen randomly. Next \(\textsf{k}\leftarrow \textsf{H}({\bar{k}})\), \(\mu \leftarrow \textsf{H}'({\bar{k}})\), \(\textsf{ct}_{1,j} \leftarrow \textsf{Enc}_{\textrm{p}}^{\textrm{owCM}}(\textsf{pk}'_j,k_j)\) (\(j\in [N]\)), \(\textsf{ct}_2 \leftarrow \textsf{Enc}_{\textrm{s}}(\textsf{k},\textsf{m})\), \(\textsf{ct}_3 \leftarrow \textsf{G}(\textsf{ct}_2,\mu )\), \(\textsf{ct}_4\leftarrow \textsf{H}''({\bar{k}})\) are computed. Output \(\textsf{CT}= (\textsf{ct}_{1,1},\ldots , \textsf{ct}_{1,N}, \textsf{ct}_2,\textsf{ct}_3,\textsf{ct}_4)\).

  • \(\textsf{Dec}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}(\textsf{SK}, \textsf{CT})\): For \(\textsf{CT}= (\textsf{ct}_{1,1},\ldots , \textsf{ct}_{1,N}, \textsf{ct}_2,\textsf{ct}_3,\textsf{ct}_4)\), each \(P_i\) decrypts \(\textsf{ct}_{1,j}\) (\(P_i\in {\bar{G}}_j\)) as \(k_j\leftarrow \textsf{Dec}_{\textrm{p}}^{\textrm{owCM}}(\textsf{sk}'_j,\textsf{ct}_{1,j})\). For each \(j\in [N]\), one of \(P_i\in {\bar{G}}_j\) (who knows \(k_j\)) distributes \(k_j\) by using a (t, n)-threshold secret sharing scheme. At this moment, \({\bar{k}}=(k_1,\ldots ,k_N)\) is shared among all parties. Next, \(\mu \leftarrow \textsf{H}'({\bar{k}}), {\widetilde{\textsf{ct}}}_3\leftarrow \textsf{G}(\textsf{ct}_2, \mu )\) and \({\widetilde{\textsf{ct}}}_4\leftarrow \textsf{H}''({\bar{k}})\) are computed secretly by using MPC for the hash functions. Then the equalities \({\widetilde{\textsf{ct}}}_3 = \textsf{ct}_3\) and \({\widetilde{\textsf{ct}}}_4 = \textsf{ct}_4\) are checked. If the check does not pass, \(\bot \) is output and the protocol is aborted. Otherwise, \({\bar{k}}\) is reconstructed, and \(\textsf{k}\leftarrow \textsf{H}({\bar{k}})\) and \(\textsf{m}\leftarrow \textsf{Dec}_{\textrm{s}}(\textsf{k},\textsf{ct}_2)\) are computed locally.

6 Code-based threshold PKE from new multi-party decryption protocol

The third code-based threshold PKE is constructed using the same approach that Cong et al. used to construct lattice-based threshold PKEs [16]. We design a practical MPC for computing the decryption algorithm of the \(\textsf{OW} \text {-}\textsf{CPA} \) secure Classic McEliece PKE \(\Pi _{\textrm{p}}^{\textrm{owCM}}\), and then convert it into an \(\textsf{IND} \text {-}\textsf{CCA} \) secure one by applying CCMS conversion.

Recall that the decryption algorithm consists of three steps: (i) append \(k_c\) zeros to the ciphertext c, (ii) find e such that \(Hv = He = c\) by following Patterson’s decoding algorithm shown in Algorithm 1, and (iii) check if \(\textrm{wt}(e) = t_c\) and \(c = He\). Steps (i) and (iii) are easily computed by MPCs. On the other hand, Patterson’s decoding algorithm in step (ii) includes processes for which efficient MPCs cannot be trivially constructed (Lines 2 and 4). So, we first describe how to design an MPC for Patterson’s decoding algorithm, especially focusing on Lines 2 and 4 (in Sect. 6.1). Next, we explain the MPC for the whole decryption algorithm of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) including steps (i) and (iii) (in Sect. 6.2). Finally, we give the \(\textsf{OW} \text {-}\textsf{CPA} \) secure code-based threshold PKE \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) based on this MPC and the \(\textsf{IND} \text {-}\textsf{CCA} \) one \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) obtained by applying CCMS conversion in Sect. 6.3.

6.1 MPC for Patterson decoding

Of Algorithm 1 (Patterson Decoding), all procedures except Lines 2 and 4 are easily computed by MPCs by using the existing MPC protocols for the equivalence decision with zero [11] and the assignment calculation [20]. So, we first consider concrete (MPC-friendly) procedures for the non-trivial parts Lines 2 and 4.

Lines 2 and 4 of Algorithm 1 both solve the same problem: given two polynomials g(x), f(x) and a target degree d, find (some) polynomials a(x), b(x), c(x) such that \(a(x)g(x)+b(x)f(x)=c(x)\) and \(\deg (c) = d\). To solve this problem, instead of the Euclidean algorithm, which is not MPC-friendly, we use a new procedure based on the idea used in [36] to design an MPC for the greatest common divisor (GCD) of polynomials. Ours is much simpler than theirs because the degree of c is fixed, i.e., \(\deg (c)=0\) in Line 2 and \(\deg (c)=t_c/2\) in Line 4. We now introduce the definition and some properties of the subresultant matrix used in [36], and then describe our procedure.

Let \(g(x)=\sum _{j=0}^{t_c} g_jx^j\) and \(f(x)=\sum _{j=0}^u f_jx^j\) be polynomials over \(\mathbb {F}_{2^m}\) of degree \(t_c\) and u \((u<t_c)\), respectively. The subresultant matrix \(S_i\) \((i\in [u])\) is defined by a \((t_c+u-2i)\times (t_c+u-2i)\) matrix of the form:

$$\begin{aligned} S_i\mathrel {\mathop :}=\begin{bmatrix} g_{t_c} &{} &{} &{} f_u &{} &{} &{}\\ \vdots &{} \ddots &{} &{} \vdots &{} \ddots &{} &{}\\ g_{t_c-u+i+1} &{}\cdots &{} g_{t_c} &{} \vdots &{} &{} \ddots &{}\\ \vdots &{} &{}\vdots &{}f_{u-t_c+i+1}&{} \cdots &{} \cdots &{}f_u\\ \vdots &{} &{}\vdots &{}\vdots &{} &{} &{}\vdots \\ g_{2i-u+1} &{}\cdots &{} g_i &{} f_{2i-t_c+1} &{}\cdots &{}\cdots &{} f_i \end{bmatrix}, \end{aligned}$$

where \(g_j=f_j=0\) \((j<0)\). For this matrix, the following two propositions hold.

Proposition 3

[47] If a polynomial c(x) of degree i appears as a remainder polynomial during the computation of the extended Euclidean algorithm on input g(x) and f(x), \(\det (S_{i})\ne 0\) holds. Otherwise, \(\det (S_{i})=0\).

Proposition 4

[47] If \(\det (S_{i})\ne 0\), the linear system \(S_{i}\cdot y^T = [0\,\ldots \,0\,1]^T\) (footnote 7) has a unique solution \(y=[y_1\,\ldots \,y_{u+t_c-2i}]\), and \(a(x)\mathrel {\mathop :}=y_1x^{u-i-1}+\cdots +y_{u-i}\) and \(b(x)\mathrel {\mathop :}=y_{u-i+1}x^{t_c-i-1}+\cdots +y_{u+t_c-2i}\) satisfy \(a(x)g(x) + b(x)f(x) = c(x)\).

These propositions also apply to a polynomial f(x) whose exact degree u is unknown but at most \(t_c-1\).

Theorem 5

Let \(S_{i}\) be the subresultant matrix constructed from \(g(x)=\sum _{j=0}^{t_c} g_jx^j\) and \(f(x)=\sum _{j=0}^u f_jx^j\,(u\le t_c-1)\) and let \({\bar{S}}_i\) be the one from g(x) and \(f(x)=\sum _{j=0}^{t_c-1} f_jx^j\,(f_{t_c-1},\ldots ,f_{u+1}=0)\). Then, the following statements hold.

  1. \(\det ({\bar{S}}_i)\ne 0\) if and only if \(\det (S_{i})\ne 0\).

  2. The polynomials obtained from \({\bar{y}}^T={\bar{S}}_{i}^{-1}\times [0\,\ldots \,0\,1]^T\) and those obtained from \(y^T=S_{i}^{-1}\times [0\,\ldots \,0\,1]^T\) are equivalent.

Proof

From the definition of a subresultant matrix, we have

$$\begin{aligned} {\bar{S}}_i= & {} \begin{bmatrix}A &{} O\\ B &{} S_{i} \end{bmatrix}, \\ A= & {} \begin{bmatrix} g_{t_c} &{} &{} \\ \vdots &{} \ddots &{} \\ g_{u-2} &{} \cdots &{} g_{t_c} \end{bmatrix}, B = \begin{bmatrix} g_{u-3} &{} \cdots &{} g_{t_c-1} \\ \vdots &{}&{} \vdots \\ g_{2i-t_c+2} &{} \cdots &{} g_{2i-u} \end{bmatrix}, \end{aligned}$$

where O is a zero matrix. Since A is a lower triangular matrix whose diagonal entries are all \(g_{t_c}\ne 0\), A is invertible. Therefore, from the inverse formula for a block triangular partitioned matrix, we have that if \(\det (S_{i})\ne 0\), then

$$\begin{aligned} {\bar{S}}_i^{-1} = \begin{bmatrix} A^{-1} &{} O\\ -S_{i}^{-1}BA^{-1} &{} S_{i}^{-1} \end{bmatrix}, \end{aligned}$$

and if \(\det (S_{i})=0\), then \(\det ({\bar{S}}_i)=0\). Moreover, the vector \({\bar{y}}^T={\bar{S}}_{i}^{-1}\times [0\,\ldots \,0\,1]^T\) is \(y^T=S_{i}^{-1}\times [0\,\ldots \,0\,1]^T\) with \(t_c-u-1\) zeros prepended. Thus, the two polynomials a(x) and b(x) obtained from \({\bar{y}}\) are equivalent to the ones obtained from y. \(\square \)

From Theorem 5, we can define the subresultant matrix assuming \(\deg (f) = t_c-1\) even if the exact degree may be \(\deg (f) < t_c-1\). Thus, we can use Propositions 3 and 4, and the concrete procedure for Line 2 is as follows.

[Figure b: the concrete procedure for Line 2 of Algorithm 1; image not included in this extract.]

Similarly, the procedure of Line 4 is described as follows.

[Figure c: the concrete procedure for Line 4 of Algorithm 1; image not included in this extract.]
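The following Python code is an added worked example, not code from the paper: it builds \(S_i\) from the coefficient lists of g(x) and f(x) over \(\mathbb {F}_{2^4}\) (the field, the modulus \(x^4+x+1\) and the two sample polynomials are assumptions made for the demonstration), solves \(S_i\cdot y^T = [0\,\ldots \,0\,1]^T\) by Gauss-Jordan elimination to obtain a(x), b(x) and c(x) as in Proposition 4, and cross-checks Proposition 3 against the degrees of the Euclidean remainder sequence and Theorem 5 against the zero-padded f(x). Everything runs in the clear, so it shows the algebra that the MPCs for matrix inversion and polynomial multiplication evaluate on shares, not the secure protocol itself.

```python
# Added example (not the paper's code): subresultant matrices over F_{2^4}.
M, MODULUS = 4, 0b10011   # F_{2^4} with x^4 + x + 1 (demo choice; m is a code parameter)
                          # polynomials are coefficient lists indexed by degree

def gf_mul(a, b):
    """Carry-less multiplication in F_{2^M}, reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= MODULUS
    return r

def gf_inv(a):
    """1/a = a^(2^M - 2) by square-and-multiply (a != 0)."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def deg(p):
    return max((k for k, x in enumerate(p) if x), default=-1)

def coef(p, k):               # p_k, with p_k = 0 outside 0..deg(p) as in the paper
    return p[k] if 0 <= k < len(p) else 0

def poly_add(p, q):           # characteristic 2: coefficient-wise XOR
    return [coef(p, k) ^ coef(q, k) for k in range(max(len(p), len(q)))]

def poly_mul(p, q):
    r = [0] * max(len(p) + len(q) - 1, 0)
    for i, x in enumerate(p):
        for j, y in enumerate(q):
            r[i + j] ^= gf_mul(x, y)
    return r

def poly_mod(p, q):           # remainder of p modulo q (q != 0), by long division
    p, dq = p[:], deg(q)
    inv_lead = gf_inv(q[dq])
    while deg(p) >= dq:
        dp, fac = deg(p), gf_mul(p[deg(p)], inv_lead)
        for k in range(dq + 1):
            p[dp - dq + k] ^= gf_mul(fac, q[k])
    return p

def subresultant_matrix(g, f, i, u=None):
    """S_i of the paper: row k is the coefficient of x^(u+t-i-1-k) in a*g + b*f; the
    columns are the unknown coefficients of a (deg <= u-i-1) and b (deg <= t-i-1),
    leading coefficient first.  Passing u = t-1 treats f as zero-padded (Theorem 5)."""
    t, u = deg(g), deg(f) if u is None else u
    rows = []
    for k in range(u + t - 2 * i):
        d = u + t - i - 1 - k
        rows.append([coef(g, d - (u - i - 1 - j)) for j in range(u - i)]
                    + [coef(f, d - (t - i - 1 - j)) for j in range(t - i)])
    return rows

def solve(mat, rhs):
    """Gauss-Jordan elimination over F_{2^M}; returns None when det(mat) = 0."""
    n = len(mat)
    A = [row + [rhs[k]] for k, row in enumerate(mat)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = gf_inv(A[col][col])
        A[col] = [gf_mul(inv, x) for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [x ^ gf_mul(A[r][col], y) for x, y in zip(A[r], A[col])]
    return [A[k][n] for k in range(n)]

def bezout_of_degree(g, f, i, u=None):
    """(a, b, c) with a*g + b*f = c and deg c = i (Proposition 4), or None if det(S_i) = 0."""
    t, u = deg(g), deg(f) if u is None else u
    n = u + t - 2 * i
    y = solve(subresultant_matrix(g, f, i, u), [0] * (n - 1) + [1])
    if y is None:
        return None
    a, b = y[:u - i][::-1], y[u - i:][::-1]     # y_1 is the leading coefficient of a
    return a, b, poly_add(poly_mul(a, g), poly_mul(b, f))

def euclid_remainder_degrees(g, f):
    """Degrees of r_1 = f, r_2 = g mod f, ... in the Euclidean algorithm on (g, f)."""
    degs, r0, r1 = [], g, f
    while deg(r1) >= 0:
        degs.append(deg(r1))
        r0, r1 = r1, poly_mod(r0, r1)
    return degs

def check_propositions(g, f):
    """Proposition 3: det(S_i) != 0 iff some remainder has degree i.  Proposition 4: the
    solution then has deg c = i within the bounds on a, b.  Theorem 5: zero-padding f
    to degree t-1 gives the same a, b, c (up to trailing zeros)."""
    t, u, degs = deg(g), deg(f), set(euclid_remainder_degrees(g, f))
    for i in range(u + 1):
        sol, padded = bezout_of_degree(g, f, i), bezout_of_degree(g, f, i, t - 1)
        if (sol is None) != (i not in degs) or (padded is None) != (sol is None):
            return False
        if sol is not None:
            a, b, c = sol
            if deg(c) != i or deg(a) > u - i - 1 or deg(b) > t - i - 1:
                return False
            if any(deg(poly_add(x, y)) >= 0 for x, y in zip(sol, padded)):
                return False
    return True

G_SAMPLE = [1, 2, 0, 3, 0, 1]   # 1 + 2x + 3x^3 + x^5 over F_{2^4} (constructed), t_c = 5
F_SAMPLE = [3, 0, 1, 1]         # 3 + x^2 + x^3 (constructed), u = 3
```

`check_propositions(G_SAMPLE, F_SAMPLE)` exercises a generic pair, while `check_propositions(poly_mul(F_SAMPLE, [0, 1, 1]), F_SAMPLE)` exercises a pair in which f(x) divides g(x): the remainder sequence then stops at degree 3, so \(S_2\), \(S_1\) and \(S_0\) are all singular, which is exactly what Line 2 relies on when \(\deg (c)=0\) is requested.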

We now show the MPC for Patterson’s algorithm. Assume that the parties share a Goppa polynomial g(x), the supports \(\gamma _1,\ldots ,\gamma _{n_c}\), the polynomials \((x-\gamma _i)^{-1}\) determined by the supports, and the matrix \(T^{-1}\) determined by g(x) (footnote 8). A word \(v \in \{0,1\}^{n_c} \) is given to each party as input. We also assume that a share of a polynomial is expressed as shares of its coefficients over \(\mathbb {F}_{2^m}\). All these shares are generated in \(\mathbb {F}_{2^m}\). By using the procedures above, Lines 2 and 4 in Algorithm 1 can be evaluated in a distributed fashion with MPCs for matrix inversion [5] and polynomial multiplication [36]. Since the other lines of Algorithm 1 can also be computed in a distributed fashion, we obtain an MPC for Patterson’s decoding algorithm.

The cost of the MPC for Patterson’s algorithm is \(O(t_c^3+n_ct_c)\) invocations of an MPC for multiplication. It is derived from the cost of the MPCs for matrix inversion in Lines 2 and 4 and the assignment calculation in Line 6 of Algorithm 1. We note that at the end of the MPC, the output (i.e., the error vector) is shared among the parties.

6.2 MPC for decryption of OW-CPA classic McEliece PKE

We now provide an MPC for the decryption of \(\textsf{OW} \text {-}\textsf{CPA} \) secure Classic McEliece PKE. Given a ciphertext c, the parties can jointly perform \(\textsf{Dec}_{\textrm{p}}^{\textrm{owCM}}(\textsf{sk},c)\) as follows.

  1. Each party \(P_i\) sets \(v\mathrel {\mathop :}=[c\,0\,\ldots \,0]\) by appending \(k_c\) zeros.

  2. Parties perform the MPC for Patterson’s algorithm shown in Sect. 6.1 on input v and the share \(\textsf{sk}_i\) of the secret key, and obtain the shared error vector \(e=(e_1,\ldots ,e_{n_c})\). (Each \(e_i\) is 0 or 1, but is shared as an element of \(\mathbb {F}_{2^m}\).)

  3. Parties jointly compute \(w\mathrel {\mathop :}=\textrm{wt}(e) = \sum _{i=1}^{n_c} e_i\). In this summation, each addition is done by an MPC that simulates a full-adder circuit, where each XOR gate and each AND gate are evaluated by the MPC for addition (i.e., local computation) and for multiplication in \(\mathbb {F}_{2^m}\), respectively. As a result, each party obtains shares of \(w_1,\ldots ,w_{n_c'}\), where \((w_{n_c'}, \ldots , w_1)_2\) is the binary representation of w and \(n_c'=\lceil \log _2 n_c\rceil +1\).

  4. Parties jointly compute \(o_1\mathrel {\mathop :}=\prod _{i=1}^{n_c'} (w_i-t_i+1)\), where \((t_{n_c'},\ldots ,t_1)_2\) is the binary representation of \(t_c\). Each factor \(w_i-t_i+1\) equals 1 if \(w_i=t_i\), and otherwise equals 0 or 2, which is 0 in \(\mathbb {F}_{2^m}\). Hence \(o_1=1\) if \(\textrm{wt}(e)=t_c\), and \(o_1=0\) otherwise.

  5. Each party computes the share of \(e'\mathrel {\mathop :}=He-c =(e'_1,\ldots ,e'_{n_c})\) in \(\mathbb {F}_{2^m}\). Note that only e is shared, while H and c are public, so this can be done by linear combinations. In addition, all components of He and c are 0 or 1, so each \(e'_i\) is also 0 or 1.

  6. Parties jointly compute \(o_2\mathrel {\mathop :}=\prod _{i=1}^{n_c} (e'_i+1)\). Clearly, \(o_2=1\) if \(He = c\), and \(o_2=0\) otherwise.

  7. Finally, the parties compute \(o_1 \times o_2\) by running the MPC and reconstruct the product. If the result is 0, \(\bot \) is output; otherwise, e is reconstructed and output.

The number of invocations of an MPC for multiplication in the MPCs other than Patterson’s algorithm is \(O(n_c)\). Therefore, the total cost of the MPC for decryption mainly comes from evaluating Patterson’s algorithm, i.e., \(O(t_c^3+n_{c}t_c)\) as shown above.
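As an added example (not the paper's code), the following Python simulates steps 3 to 7 in the clear, with a toy (7, 4) Hamming parity-check matrix and \(t_c = 1\) standing in for the Goppa code (an assumption made for the demonstration). Since every value in the check is 0 or 1, addition in \(\mathbb {F}_{2^m}\) reduces to XOR and multiplication to AND; the code counts the multiplications, which are the gates that cost communication in the MPC, and returns only the bit \(o_1\cdot o_2\), so on failure nothing about e is revealed.

```python
# Added example (not the paper's code): steps 3-7 of Sect. 6.2 evaluated in the clear.
import math

# Toy parity-check matrix (the (7,4) Hamming code, t_c = 1) standing in for the
# Goppa code's H; constructed for the demo, not a Classic McEliece parameter.
H_TOY = [[1, 0, 1, 0, 1, 0, 1],
         [0, 1, 1, 0, 0, 1, 1],
         [0, 0, 0, 1, 1, 1, 1]]


class Gates:
    """Counts the gates that cost communication in the MPC (multiplications)."""
    def __init__(self):
        self.muls = 0

    def add(self, x, y):          # addition of shares: local computation
        return x ^ y

    def mul(self, x, y):          # one invocation of the MPC for multiplication
        self.muls += 1
        return x & y


def full_add(gc, a, b, carry_in):
    """Full adder from XOR/AND gates: s = a + b + cin, cout = ab + cin(a + b)."""
    p = gc.add(a, b)
    return gc.add(p, carry_in), gc.add(gc.mul(a, b), gc.mul(carry_in, p))


def add_bits(gc, x, y):
    """Ripple-carry addition of little-endian bit vectors (top carry dropped)."""
    out, carry = [], 0
    for a, b in zip(x, y):
        s, carry = full_add(gc, a, b, carry)
        out.append(s)
    return out


def weight_bits(gc, e, n_bits):
    """Step 3: w = wt(e) as n_bits shared bits, one full-adder chain per e_i."""
    w = [0] * n_bits
    for e_i in e:
        w = add_bits(gc, w, [e_i] + [0] * (n_bits - 1))
    return w


def product(gc, terms):
    acc = terms[0]
    for x in terms[1:]:
        acc = gc.mul(acc, x)
    return acc


def syndrome_check(H, e, c, t_c):
    """Steps 3-7: returns (o_1 * o_2, number of MPC multiplications used).
    The first component is 1 iff wt(e) = t_c and He = c."""
    gc = Gates()
    n_bits = math.ceil(math.log2(len(e))) + 1          # n_c' of the paper
    w = weight_bits(gc, e, n_bits)
    # Step 4: in characteristic 2, w_i - t_i + 1 equals w_i XOR t_i XOR 1, which is 1
    # exactly when the two bits agree, so the product is 1 iff wt(e) = t_c.
    t_bits = [(t_c >> j) & 1 for j in range(n_bits)]
    o1 = product(gc, [gc.add(gc.add(w_i, t_i), 1) for w_i, t_i in zip(w, t_bits)])
    # Step 5: e' = He - c is a public linear map of the shared e: no multiplications.
    e_prime = [gc.add(sum(h * x for h, x in zip(row, e)) & 1, c_r)
               for row, c_r in zip(H, c)]
    # Step 6: o_2 = prod (e'_i + 1) is 1 iff every e'_i is 0, i.e. He = c.
    o2 = product(gc, [gc.add(x, 1) for x in e_prime])
    # Step 7: only the product o_1 * o_2 is reconstructed; e stays shared on failure.
    return gc.mul(o1, o2), gc.muls
```

For the toy parameters the check costs 62 multiplications: 56 in the full-adder chains of step 3 (\(n_c' = 4\) bits per addition, two AND gates per full adder), 3 in step 4, 2 in step 6 and 1 in step 7. Step 3 dominates, and its count grows with \(n_c\cdot n_c'\); the syndrome recomputation in step 5 is free because H and c are public.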

6.3 Third \(\textsf{IND} \text {-}\textsf{CCA} \) secure scheme \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\)

Using the MPC for decryption of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) shown in Sect. 6.2, we obtain the threshold version of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\). We call it \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}} = (\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}},\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}},\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}})\).

  • \(\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}(1^\lambda )\): The parties run the MPC to generate random parameters of a \((k_c,n_c, t_c)\)-binary Goppa code, namely g(x), \(\gamma =\{\gamma _i\}_i\) and its parity-check matrix \(H=[I_{n_c-k_c}\mid H_{k_c}]\), together with the inverse matrix \(T^{-1}\) and the polynomials \((x-\gamma _i)^{-1}\bmod g(x)\). The public key is \(\textsf{PK}=H_{k_c}\), and \(P_i\)’s partial secret key \(\textsf{sk}_i\) consists of shares of \(g(x),\{\gamma _i\}_i,T^{-1},\{(x-\gamma _i)^{-1}\}_i\).

  • \(\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}(\textsf{PK}, e)\): This is identical to \(\textsf{Enc}_{\textrm{p}}^{\textrm{owCM}}\). The ciphertext of \(e\in W_{t_c, n_c}\) is \(c \mathrel {\mathop :}=He\).

  • \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}(\textsf{SK}, c)\): Parties run the MPC shown in Sect. 6.2 and get e that satisfies \(He=c\).

We do not describe the details of the key generation protocol, because in theory any algorithm can be evaluated in a distributed fashion using MPCs. The key generation protocol is performed only once, so some degree of inefficiency is not a practical problem.

We can show that \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure and inherits the properties of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\).

Theorem 6

If \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure, then the threshold PKE \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is \(\textsf{OW} \text {-}\textsf{CPA} \) secure.

Proof

Each party’s partial secret key consists only of share values. Further, the key-generation and decryption protocols \(\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) and \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) leak no information to the parties beyond what they should learn (i.e., \(P_i\) learns only \(\textsf{PK}\) and its \(\textsf{sk}_i\) during \(\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\), and only the decrypted plaintext \(\textsf{m}\) during \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\)). Therefore, it is easy to construct an adversary \(\mathcal {B}\) against the \(\textsf{OW} \text {-}\textsf{CPA} \) security of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) that uses an adversary \(\mathcal {A}\) against the \(\textsf{OW} \text {-}\textsf{CPA} \) security of \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) as a subroutine. Hence, \(\textsf{OW} \text {-}\textsf{CPA} \) security of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) implies \(\textsf{OW} \text {-}\textsf{CPA} \) security of \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\). \(\square \)

Theorem 7

If the MPCs in the threshold decryption do not fail, \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is perfectly correct and rigid.

Proof

Given a valid ciphertext \(c = He\) for some plaintext \(e\in W_{t_c,n_c}\), Patterson’s algorithm recovers the error vector e with probability 1. Also, by assumption, no failure happens during the MPCs. Therefore, \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is perfectly correct. Thus \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}(\textsf{SK},c) = e\) always holds, and we have \(\textsf{Enc}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}(\textsf{PK},\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}(\textsf{SK}, c)) = c\) because \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is deterministic. Therefore, \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is rigid. \(\square \)

Theorem 7 implies that CCMS conversion is applicable to \(\Pi _{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}\). Thus, we obtain the \(\textsf{IND} \text {-}\textsf{CCA} \) secure threshold PKE, called \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}} = (\textsf{KGen}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}},\textsf{Enc}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}},\textsf{Dec}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}})\), described as follows. Its plaintext space is \(M_{\textrm{s}}\).

  • \(\textsf{KGen}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}(1^\lambda )\): The parties run \(\textsf{KGen}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}(1^\lambda )\). The public key \(\textsf{PK}=H_{k_c}\) determines \(H=[I_{n_c-k_c}\mid H_{k_c}]\).

  • \(\textsf{Enc}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}(\textsf{PK}, \textsf{m})\): First \(e\in W_{t_c,n_c}\) is chosen randomly. Next \(\textsf{k}\leftarrow \textsf{H}(e)\), \(\mu \leftarrow \textsf{H}'(e)\), \(\textsf{ct}_1 \leftarrow He\), \(\textsf{ct}_2 \leftarrow \textsf{Enc}_{\textrm{s}}(\textsf{k},\textsf{m})\), \(\textsf{ct}_3 \leftarrow \textsf{G}(\textsf{ct}_2,\mu )\), \(\textsf{ct}_4\leftarrow \textsf{H}''(e)\) are computed. Output \(\textsf{CT}= (\textsf{ct}_1,\textsf{ct}_2,\textsf{ct}_3,\textsf{ct}_4)\).

  • \(\textsf{Dec}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}(\textsf{SK}, \textsf{CT})\): For \(\textsf{CT}= (\textsf{ct}_1, \textsf{ct}_2,\textsf{ct}_3,\textsf{ct}_4)\), the parties first execute \(\textsf{Dec}_{\textrm{t}}^{\mathrm {owI\hspace{-1.2pt}I\hspace{-1.2pt}I}}(\textsf{SK}, \textsf{ct}_1)\). Note that the result e is still shared at this moment. If \(\bot \) is output, they abort the protocol and output \(\bot \). Otherwise, \(\mu \leftarrow \textsf{H}'(e), {\widetilde{\textsf{ct}}}_3\leftarrow \textsf{G}(\textsf{ct}_2, \mu )\) and \({\widetilde{\textsf{ct}}}_4\leftarrow \textsf{H}''(e)\) are computed, and the equalities \({\widetilde{\textsf{ct}}}_3 = \textsf{ct}_3\) and \({\widetilde{\textsf{ct}}}_4 = \textsf{ct}_4\) are checked by using MPCs. If the check does not pass, \(\bot \) is output and the protocol is aborted. Otherwise, e is reconstructed, and \(\textsf{k}\leftarrow \textsf{H}(e)\) and \(\textsf{m}\leftarrow \textsf{Dec}_{\textrm{s}}(\textsf{k},\textsf{ct}_2)\) are computed locally.

From Proposition 2, \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is \(\textsf{IND} \text {-}\textsf{CCA} \) secure in the QROM.
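The following Python is an added illustration of the encryption and decryption above, not the paper's code. It instantiates \(\textsf{H}\), \(\textsf{H}'\), \(\textsf{H}''\) and \(\textsf{G}\) with SHAKE-256 under distinct domain-separation labels (the paper uses MPC-friendly hashes for \(\textsf{H}'\), \(\textsf{H}''\) and \(\textsf{G}\); here everything runs in the clear), uses a SHAKE keystream in place of AES-CTR for \(\textsf{Enc}_{\textrm{s}}\), and replaces the Classic McEliece parity-check matrix with a toy (7, 4) Hamming code with \(t_c = 1\); all of these are assumptions made for the demonstration. What it shows is the order of operations in \(\textsf{Dec}_{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\): both tags are verified, in constant time, before the recovered e is used to derive \(\textsf{k}\), so a modified \(\textsf{ct}_2\) or a \(\textsf{ct}_1\) that decodes to a different e yields \(\bot \) without the key ever being derived.

```python
# Added example (not the paper's code): the KEM/DEM structure of Pi_t^III in the clear.
import hashlib
import hmac
import secrets

# Toy (7,4) Hamming parity-check matrix standing in for the Goppa code's H
# (constructed for the demo; t_c = 1).  Not a Classic McEliece parameter.
H_TOY = [[1, 0, 1, 0, 1, 0, 1],
         [0, 1, 1, 0, 0, 1, 1],
         [0, 0, 0, 1, 1, 1, 1]]
N_C, T_C, TAG = 7, 1, 32           # code length, weight, tag length in bytes


def syndrome(e):
    """ct_1 = He over F_2 (e is a 0/1 list of length N_C)."""
    return tuple(sum(h * x for h, x in zip(row, e)) & 1 for row in H_TOY)


def ow_decrypt(c):
    """Dec_t^{owIII} for the toy code: the unique weight-1 e with He = c, else None."""
    for j in range(N_C):
        e = [int(k == j) for k in range(N_C)]
        if syndrome(e) == tuple(c):
            return e
    return None


def xof(label, *parts, n=TAG):
    """Domain-separated SHAKE-256 (length-prefixed inputs); stands in for H, H', H'', G."""
    h = hashlib.shake_256(label)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + bytes(p))
    return h.digest(n)


def ske(k, data):
    """Enc_s / Dec_s: XOR with a keystream derived from k (stand-in for AES-CTR)."""
    return bytes(x ^ y for x, y in zip(data, xof(b"ske", k, n=len(data))))


def encrypt(m, e=None):
    """Enc_t^III(PK, m): returns CT = (ct_1, ct_2, ct_3, ct_4)."""
    if e is None:                                  # random e in W_{t_c, n_c}
        j = secrets.randbelow(N_C)
        e = [int(k == j) for k in range(N_C)]
    k, mu = xof(b"H", e), xof(b"H'", e)
    ct1 = syndrome(e)
    ct2 = ske(k, m)
    ct3 = xof(b"G", ct2, mu)
    ct4 = xof(b"H''", e)
    return ct1, ct2, ct3, ct4


def decrypt(ct):
    """Dec_t^III(SK, CT); None stands for bot.  Both tags are verified before e is
    used to derive the key; in the MPC version e is still secret-shared here."""
    ct1, ct2, ct3, ct4 = ct
    e = ow_decrypt(ct1)
    if e is None:
        return None
    mu = xof(b"H'", e)
    ok3 = hmac.compare_digest(xof(b"G", ct2, mu), ct3)
    ok4 = hmac.compare_digest(xof(b"H''", e), ct4)
    if not (ok3 and ok4):
        return None
    return ske(xof(b"H", e), ct2)
```

Rigidity of the underlying scheme is visible in `ow_decrypt`: a syndrome that is not the image of a weight-\(t_c\) word (for the toy code, the zero syndrome) is rejected outright, and for any other syndrome the recovered e re-encrypts to the same \(\textsf{ct}_1\), which is what lets the \(\textsf{H}''(e)\) tag bind the ciphertext to a single e.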

7 Efficiency comparison

In this section, we compare three \(\textsf{IND} \text {-}\textsf{CCA} \) secure code-based threshold PKEs \(\Pi _{\textrm{t}}^{\text {I}}\), \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) and \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) according to their ciphertext size and communication complexity of threshold decryption. We instantiate the components used in \(\Pi _{\textrm{t}}^{\text {I}}\), \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) and \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) with the parameters for 128-bit security as follows.

  • Classic McEliece \(\Pi _{\text {k}}^{\textrm{CM}}\) and \(\Pi _{\textrm{p}}^{\textrm{owCM}}\): we use the parameter set kem/mceliece348864 in [2].

  • Signature scheme \(\Pi ^{\textrm{Sig3}}_{\text {sig}}\): we use the 128-bit security parameter based on the hardness of the syndrome decoding problem in [8].

  • Hash functions \(\textsf{H}_{\ell }\), \(\textsf{H}_{\text {cm}}\) and \(\textsf{H}\): we use SHAKE-256.

  • Hash functions \(\textsf{H}'\) and \(\textsf{H}''\): we use the MPC-friendly hash Vision (footnote 9) [3]. As the parameters of Vision, namely the bit-size of the base field \(n_v\), the number of field elements in the state \(m_v\), the capacity \(c_v\), and the rate \(r_v\), we set \((n_{v_1},m_{v_1},c_{v_1},r_{v_1})=(12,12,2,10)\).

  • Hash function \(\textsf{G}\): we use a combination of SHA-3 and Vision similar to [16]. We set \((n_{v_2},m_{v_2},c_{v_2},r_{v_2})=(12,24,2,22)\).

  • Symmetric-key encryption \(\Pi _{\text {s}}\): we use AES-CTR with a key of \(\ell _{\text {key}} = 256\) bits (i.e., \(K_{\text {s}}=\{0,1\}^{256}\)). For simplicity, we assume the ciphertext length is identical to the plaintext length, i.e., \(|\textsf{Enc}_{\textrm{s}}(\textsf{k}, \textsf{m})|=|\textsf{m}|\).

From the above parameters, we have:

  • output length of \(\textsf{H}_{\ell }\): \(\ell _{\text {hash}} = 32\) bytes,

  • output length of \(\textsf{H}'\) and \(\textsf{H}''\): \(\ell _h = 64\) bytes (footnote 10),

  • output length of \(\textsf{G}\): \(\ell _g = 32\) bytes,

  • ciphertext length of \(\Pi _{\text {k}}^{\textrm{CM}}\): \(|\textsf{ct}_{\text {k}}| = 96\) bytes,

  • ciphertext length of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\): \(|\textsf{ct}_{\textrm{p}}^{\textrm{ow}}| = 96\) bytes,

  • verification key length of \(\Pi ^{\textrm{Sig3}}_{\text {sig}}\): \(|\textsf{vk}| = 165\) bytes,

  • signature length of \(\Pi ^{\textrm{Sig3}}_{\text {sig}}\): \(|\sigma |\) = 15,355 bytes.

Table 1 Comparison of ciphertext overhead in the code-based (t, n)-threshold PKEs

Table 1 shows the ciphertext overheads (the ciphertext length minus the plaintext length) of the (2, 3)-threshold PKEs. The ciphertext length of \(\Pi _{\textrm{t}}^{\text {I}}\) comes from n \(\textsf{IND} \text {-}\textsf{CCA} \) PKE ciphertexts, one signature, and one verification key. Due to its large signature (about 15 kB), it has the largest overhead (about 16 kB) among the three threshold PKEs. The ciphertext overhead of \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) consists of \(N=\left( {\begin{array}{c}n\\ t-1\end{array}}\right) \) \(\textsf{OW} \text {-}\textsf{CPA} \) PKE ciphertexts, one hash digest of \(\textsf{G}\) and one hash digest of \(\textsf{H}''\). Note that the digest length of \(\textsf{H}''\) is \(N\cdot \ell _h\). Although its overhead depends on the number of parties, it is much smaller than that of \(\Pi _{\textrm{t}}^{\text {I}}\) since it does not require a signature scheme. The ciphertext length of \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) is derived from one \(\textsf{OW} \text {-}\textsf{CPA} \) PKE ciphertext, one digest of \(\textsf{G}\), and one digest of \(\textsf{H}''\). Since its overhead is independent of the number of parties and no signature is needed, \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) has the smallest ciphertext overhead.

Table 2 shows the communication complexity of threshold decryption. We measure it by counting the number of invocations of the MPC for multiplication. The decryption protocol of \(\Pi _{\textrm{t}}^{\text {I}}\) is non-interactive, so the parties need the minimum communication cost. In \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\), the decryption of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) and that of the SKE can be computed locally. Therefore, the parties only need to communicate in the MPC for hashing used in the validity check of ciphertexts. The MPC of Vision requires \(7\cdot m_v\) multiplications to absorb or extract \(n_v\cdot r_v\) bits in each round. Note that the minimum number of absorption rounds is 10 for the parameters above. \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) performs, in addition to the MPC for hashing as in \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\), the MPC for decryption of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\). In Table 2, we split the cost into two parts: one for the decryption of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\), the other for the hashing used in verification. It shows that the MPC for decryption of \(\Pi _{\textrm{p}}^{\textrm{owCM}}\) has a much larger impact than that for hashing.

Table 2 Comparison of communication complexity during threshold decryption in the code-based (t, n)-threshold PKEs

From the above discussion, we conclude that:

  • \(\Pi _{\textrm{t}}^{\text {I}}\) achieves non-interactive threshold decryption but has much larger ciphertexts due to the impractical code-based signature scheme. So, this construction is not practical.

  • \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) has a smaller ciphertext than \(\Pi _{\textrm{t}}^{\text {I}}\) by eliminating the use of a signature scheme. Also, \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) achieves non-interactive decryption of the \(\textsf{OW} \text {-}\textsf{CPA} \) secure PKE using parallel encryption. Although the MPC for hashing must process a longer input than in \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\), the input length does not have a large impact. This means that \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I}}\) is a more efficient threshold PKE than \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\). Overall, we can say that this construction has a well-balanced performance.

  • \(\Pi _{\textrm{t}}^{\mathrm {I\hspace{-1.2pt}I\hspace{-1.2pt}I}}\) has the worst efficiency for threshold decryption but the smallest ciphertext length. It also has the smallest public-key length, unlike the other two constructions, which need three times longer public keys even in the (2, 3)-setting. Therefore, this construction is the best solution if the decrypting parties can afford the communication cost.

8 Conclusion

In this paper, we have proposed three code-based threshold PKE schemes from Classic McEliece. These three schemes have a trade-off between ciphertext lengths and communication costs of threshold decryption. The first one has a very long ciphertext, but it allows decrypting ciphertexts non-interactively, i.e., without MPCs. The second one has about \(97\%\) shorter ciphertext than the first one, and requires only MPCs for computing hash functions. The third one has the shortest ciphertext but requires heavy MPCs to decrypt a ciphertext. Among the three schemes, the second one has a good balance between ciphertext size and communication complexity.

The first scheme is impractical at this moment because of its lengthy ciphertexts. \(96\%\) of the ciphertext length comes from the signature-related data appended to guarantee \(\textsf{CCA}\) security. Recently, code-based signature schemes have been actively studied, and new schemes have been proposed one after another [8, 13, 25]. So, once highly efficient code-based signature schemes with strong one-time \(\textsf{EUF}\text {-}\textsf{CMA}\) security are developed, the first scheme could become attractive.

We note that the approach we take to construct the second scheme is applicable not only to code-based PKEs but also to any PKE with certain properties. So, we immediately obtain other post-quantum instantiations once we prepare a PKE with these properties. Unlike the Dodis–Katz conversion, which uses a signature scheme (with strong one-time \(\textsf{EUF}\text {-}\textsf{CMA}\) security), our conversion does not use signature schemes. Therefore, our approach allows us to derive a threshold PKE scheme whose ciphertext is only a constant factor longer than that of the standard PKE, regardless of whether post-quantum signatures are large.

If even shorter ciphertexts are desired, we can take the third approach, but we then need to design an efficient MPC for decryption. It is an interesting open problem to construct other post-quantum threshold PKEs with efficient threshold decryption.